Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.9 commit in: /
Date: Sat, 08 Dec 2018 13:25:31
Message-Id: 1544275501.b1f78f15534b066a609efad147f4ff8c48575aea.mpagano@gentoo
1 commit: b1f78f15534b066a609efad147f4ff8c48575aea
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Sat Dec 8 13:25:01 2018 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Sat Dec 8 13:25:01 2018 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=b1f78f15
7
8 proj/linux-patches: Linux patch 4.9.144
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1143_linux-4.9.144.patch | 5729 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 5733 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index d4392f7..094617d 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -615,6 +615,10 @@ Patch: 1142_linux-4.9.143.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.9.143
23
24 +Patch: 1143_linux-4.9.144.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.9.144
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1143_linux-4.9.144.patch b/1143_linux-4.9.144.patch
33 new file mode 100644
34 index 0000000..9c35290
35 --- /dev/null
36 +++ b/1143_linux-4.9.144.patch
37 @@ -0,0 +1,5729 @@
38 +diff --git a/Makefile b/Makefile
39 +index 8ec52cd19526..c62b2b529724 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,6 +1,6 @@
43 + VERSION = 4
44 + PATCHLEVEL = 9
45 +-SUBLEVEL = 143
46 ++SUBLEVEL = 144
47 + EXTRAVERSION =
48 + NAME = Roaring Lionus
49 +
50 +@@ -802,6 +802,9 @@ KBUILD_CFLAGS += $(call cc-option,-Wdeclaration-after-statement,)
51 + # disable pointer signed / unsigned warnings in gcc 4.0
52 + KBUILD_CFLAGS += $(call cc-disable-warning, pointer-sign)
53 +
54 ++# disable stringop warnings in gcc 8+
55 ++KBUILD_CFLAGS += $(call cc-disable-warning, stringop-truncation)
56 ++
57 + # disable invalid "can't wrap" optimizations for signed / pointers
58 + KBUILD_CFLAGS += $(call cc-option,-fno-strict-overflow)
59 +
60 +diff --git a/arch/arc/Kconfig b/arch/arc/Kconfig
61 +index b7b78cb09a37..c7a081c583b9 100644
62 +--- a/arch/arc/Kconfig
63 ++++ b/arch/arc/Kconfig
64 +@@ -105,7 +105,7 @@ endmenu
65 +
66 + choice
67 + prompt "ARC Instruction Set"
68 +- default ISA_ARCOMPACT
69 ++ default ISA_ARCV2
70 +
71 + config ISA_ARCOMPACT
72 + bool "ARCompact ISA"
73 +diff --git a/arch/arc/Makefile b/arch/arc/Makefile
74 +index a3b456008201..fd79faab7892 100644
75 +--- a/arch/arc/Makefile
76 ++++ b/arch/arc/Makefile
77 +@@ -8,7 +8,7 @@
78 +
79 + UTS_MACHINE := arc
80 +
81 +-KBUILD_DEFCONFIG := nsim_700_defconfig
82 ++KBUILD_DEFCONFIG := nsim_hs_defconfig
83 +
84 + cflags-y += -fno-common -pipe -fno-builtin -mmedium-calls -D__linux__
85 + cflags-$(CONFIG_ISA_ARCOMPACT) += -mA7
86 +diff --git a/arch/arc/configs/axs101_defconfig b/arch/arc/configs/axs101_defconfig
87 +index dd623199bb48..cdb00af5aeac 100644
88 +--- a/arch/arc/configs/axs101_defconfig
89 ++++ b/arch/arc/configs/axs101_defconfig
90 +@@ -15,6 +15,7 @@ CONFIG_PERF_EVENTS=y
91 + # CONFIG_VM_EVENT_COUNTERS is not set
92 + # CONFIG_SLUB_DEBUG is not set
93 + # CONFIG_COMPAT_BRK is not set
94 ++CONFIG_ISA_ARCOMPACT=y
95 + CONFIG_MODULES=y
96 + CONFIG_MODULE_FORCE_LOAD=y
97 + CONFIG_MODULE_UNLOAD=y
98 +@@ -96,6 +97,7 @@ CONFIG_VFAT_FS=y
99 + CONFIG_NTFS_FS=y
100 + CONFIG_TMPFS=y
101 + CONFIG_NFS_FS=y
102 ++CONFIG_NFS_V3_ACL=y
103 + CONFIG_NLS_CODEPAGE_437=y
104 + CONFIG_NLS_ISO8859_1=y
105 + # CONFIG_ENABLE_WARN_DEPRECATED is not set
106 +diff --git a/arch/arc/configs/axs103_defconfig b/arch/arc/configs/axs103_defconfig
107 +index 2e0d7d74b8ee..02c766d2c1e0 100644
108 +--- a/arch/arc/configs/axs103_defconfig
109 ++++ b/arch/arc/configs/axs103_defconfig
110 +@@ -97,6 +97,7 @@ CONFIG_VFAT_FS=y
111 + CONFIG_NTFS_FS=y
112 + CONFIG_TMPFS=y
113 + CONFIG_NFS_FS=y
114 ++CONFIG_NFS_V3_ACL=y
115 + CONFIG_NLS_CODEPAGE_437=y
116 + CONFIG_NLS_ISO8859_1=y
117 + # CONFIG_ENABLE_WARN_DEPRECATED is not set
118 +diff --git a/arch/arc/configs/axs103_smp_defconfig b/arch/arc/configs/axs103_smp_defconfig
119 +index ec188fca2cc9..8c16093d639f 100644
120 +--- a/arch/arc/configs/axs103_smp_defconfig
121 ++++ b/arch/arc/configs/axs103_smp_defconfig
122 +@@ -98,6 +98,7 @@ CONFIG_VFAT_FS=y
123 + CONFIG_NTFS_FS=y
124 + CONFIG_TMPFS=y
125 + CONFIG_NFS_FS=y
126 ++CONFIG_NFS_V3_ACL=y
127 + CONFIG_NLS_CODEPAGE_437=y
128 + CONFIG_NLS_ISO8859_1=y
129 + # CONFIG_ENABLE_WARN_DEPRECATED is not set
130 +diff --git a/arch/arc/configs/nps_defconfig b/arch/arc/configs/nps_defconfig
131 +index ede625c76216..397742c6c84e 100644
132 +--- a/arch/arc/configs/nps_defconfig
133 ++++ b/arch/arc/configs/nps_defconfig
134 +@@ -15,6 +15,7 @@ CONFIG_SYSCTL_SYSCALL=y
135 + CONFIG_EMBEDDED=y
136 + CONFIG_PERF_EVENTS=y
137 + # CONFIG_COMPAT_BRK is not set
138 ++CONFIG_ISA_ARCOMPACT=y
139 + CONFIG_KPROBES=y
140 + CONFIG_MODULES=y
141 + CONFIG_MODULE_FORCE_LOAD=y
142 +@@ -75,6 +76,7 @@ CONFIG_PROC_KCORE=y
143 + CONFIG_TMPFS=y
144 + # CONFIG_MISC_FILESYSTEMS is not set
145 + CONFIG_NFS_FS=y
146 ++CONFIG_NFS_V3_ACL=y
147 + CONFIG_ROOT_NFS=y
148 + CONFIG_DEBUG_INFO=y
149 + # CONFIG_ENABLE_WARN_DEPRECATED is not set
150 +diff --git a/arch/arc/configs/nsim_700_defconfig b/arch/arc/configs/nsim_700_defconfig
151 +index df609fce999b..cbc6d068d1f4 100644
152 +--- a/arch/arc/configs/nsim_700_defconfig
153 ++++ b/arch/arc/configs/nsim_700_defconfig
154 +@@ -16,6 +16,7 @@ CONFIG_EMBEDDED=y
155 + CONFIG_PERF_EVENTS=y
156 + # CONFIG_SLUB_DEBUG is not set
157 + # CONFIG_COMPAT_BRK is not set
158 ++CONFIG_ISA_ARCOMPACT=y
159 + CONFIG_KPROBES=y
160 + CONFIG_MODULES=y
161 + # CONFIG_LBDAF is not set
162 +diff --git a/arch/arc/configs/nsimosci_defconfig b/arch/arc/configs/nsimosci_defconfig
163 +index 5680daa65471..d34b838a71c1 100644
164 +--- a/arch/arc/configs/nsimosci_defconfig
165 ++++ b/arch/arc/configs/nsimosci_defconfig
166 +@@ -16,6 +16,7 @@ CONFIG_EMBEDDED=y
167 + CONFIG_PERF_EVENTS=y
168 + # CONFIG_SLUB_DEBUG is not set
169 + # CONFIG_COMPAT_BRK is not set
170 ++CONFIG_ISA_ARCOMPACT=y
171 + CONFIG_KPROBES=y
172 + CONFIG_MODULES=y
173 + # CONFIG_LBDAF is not set
174 +@@ -70,5 +71,6 @@ CONFIG_EXT2_FS_XATTR=y
175 + CONFIG_TMPFS=y
176 + # CONFIG_MISC_FILESYSTEMS is not set
177 + CONFIG_NFS_FS=y
178 ++CONFIG_NFS_V3_ACL=y
179 + # CONFIG_ENABLE_WARN_DEPRECATED is not set
180 + # CONFIG_ENABLE_MUST_CHECK is not set
181 +diff --git a/arch/arc/configs/nsimosci_hs_defconfig b/arch/arc/configs/nsimosci_hs_defconfig
182 +index 87decc491c58..e8c7dd703f13 100644
183 +--- a/arch/arc/configs/nsimosci_hs_defconfig
184 ++++ b/arch/arc/configs/nsimosci_hs_defconfig
185 +@@ -69,5 +69,6 @@ CONFIG_EXT2_FS_XATTR=y
186 + CONFIG_TMPFS=y
187 + # CONFIG_MISC_FILESYSTEMS is not set
188 + CONFIG_NFS_FS=y
189 ++CONFIG_NFS_V3_ACL=y
190 + # CONFIG_ENABLE_WARN_DEPRECATED is not set
191 + # CONFIG_ENABLE_MUST_CHECK is not set
192 +diff --git a/arch/arc/configs/nsimosci_hs_smp_defconfig b/arch/arc/configs/nsimosci_hs_smp_defconfig
193 +index 4d14684dc74a..100d7bf0035b 100644
194 +--- a/arch/arc/configs/nsimosci_hs_smp_defconfig
195 ++++ b/arch/arc/configs/nsimosci_hs_smp_defconfig
196 +@@ -80,6 +80,7 @@ CONFIG_EXT2_FS_XATTR=y
197 + CONFIG_TMPFS=y
198 + # CONFIG_MISC_FILESYSTEMS is not set
199 + CONFIG_NFS_FS=y
200 ++CONFIG_NFS_V3_ACL=y
201 + # CONFIG_ENABLE_WARN_DEPRECATED is not set
202 + # CONFIG_ENABLE_MUST_CHECK is not set
203 + CONFIG_FTRACE=y
204 +diff --git a/arch/arc/configs/tb10x_defconfig b/arch/arc/configs/tb10x_defconfig
205 +index 4c5118384eb5..493966c0dcbe 100644
206 +--- a/arch/arc/configs/tb10x_defconfig
207 ++++ b/arch/arc/configs/tb10x_defconfig
208 +@@ -19,6 +19,7 @@ CONFIG_KALLSYMS_ALL=y
209 + # CONFIG_AIO is not set
210 + CONFIG_EMBEDDED=y
211 + # CONFIG_COMPAT_BRK is not set
212 ++CONFIG_ISA_ARCOMPACT=y
213 + CONFIG_SLAB=y
214 + CONFIG_MODULES=y
215 + CONFIG_MODULE_FORCE_LOAD=y
216 +diff --git a/arch/arc/configs/vdk_hs38_defconfig b/arch/arc/configs/vdk_hs38_defconfig
217 +index c0d6a010751a..b1d38afeba70 100644
218 +--- a/arch/arc/configs/vdk_hs38_defconfig
219 ++++ b/arch/arc/configs/vdk_hs38_defconfig
220 +@@ -88,6 +88,7 @@ CONFIG_NTFS_FS=y
221 + CONFIG_TMPFS=y
222 + CONFIG_JFFS2_FS=y
223 + CONFIG_NFS_FS=y
224 ++CONFIG_NFS_V3_ACL=y
225 + CONFIG_NLS_CODEPAGE_437=y
226 + CONFIG_NLS_ISO8859_1=y
227 + # CONFIG_ENABLE_WARN_DEPRECATED is not set
228 +diff --git a/arch/arc/configs/vdk_hs38_smp_defconfig b/arch/arc/configs/vdk_hs38_smp_defconfig
229 +index 969b206d6c67..2d103f73a265 100644
230 +--- a/arch/arc/configs/vdk_hs38_smp_defconfig
231 ++++ b/arch/arc/configs/vdk_hs38_smp_defconfig
232 +@@ -87,6 +87,7 @@ CONFIG_NTFS_FS=y
233 + CONFIG_TMPFS=y
234 + CONFIG_JFFS2_FS=y
235 + CONFIG_NFS_FS=y
236 ++CONFIG_NFS_V3_ACL=y
237 + CONFIG_NLS_CODEPAGE_437=y
238 + CONFIG_NLS_ISO8859_1=y
239 + # CONFIG_ENABLE_WARN_DEPRECATED is not set
240 +diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h
241 +index d87882513ee3..deee3ac8c29f 100644
242 +--- a/arch/mips/include/asm/syscall.h
243 ++++ b/arch/mips/include/asm/syscall.h
244 +@@ -51,7 +51,7 @@ static inline unsigned long mips_get_syscall_arg(unsigned long *arg,
245 + #ifdef CONFIG_64BIT
246 + case 4: case 5: case 6: case 7:
247 + #ifdef CONFIG_MIPS32_O32
248 +- if (test_thread_flag(TIF_32BIT_REGS))
249 ++ if (test_tsk_thread_flag(task, TIF_32BIT_REGS))
250 + return get_user(*arg, (int *)usp + n);
251 + else
252 + #endif
253 +diff --git a/arch/mips/ralink/mt7620.c b/arch/mips/ralink/mt7620.c
254 +index 0696142048d5..9194b04cb689 100644
255 +--- a/arch/mips/ralink/mt7620.c
256 ++++ b/arch/mips/ralink/mt7620.c
257 +@@ -81,7 +81,7 @@ static struct rt2880_pmx_func pcie_rst_grp[] = {
258 + };
259 + static struct rt2880_pmx_func nd_sd_grp[] = {
260 + FUNC("nand", MT7620_GPIO_MODE_NAND, 45, 15),
261 +- FUNC("sd", MT7620_GPIO_MODE_SD, 45, 15)
262 ++ FUNC("sd", MT7620_GPIO_MODE_SD, 47, 13)
263 + };
264 +
265 + static struct rt2880_pmx_group mt7620a_pinmux_data[] = {
266 +diff --git a/arch/x86/include/asm/suspend_64.h b/arch/x86/include/asm/suspend_64.h
267 +index 6136a18152af..2bd96b4df140 100644
268 +--- a/arch/x86/include/asm/suspend_64.h
269 ++++ b/arch/x86/include/asm/suspend_64.h
270 +@@ -42,8 +42,7 @@ struct saved_context {
271 + set_debugreg((thread)->debugreg##register, register)
272 +
273 + /* routines for saving/restoring kernel state */
274 +-extern int acpi_save_state_mem(void);
275 +-extern char core_restore_code;
276 +-extern char restore_registers;
277 ++extern char core_restore_code[];
278 ++extern char restore_registers[];
279 +
280 + #endif /* _ASM_X86_SUSPEND_64_H */
281 +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
282 +index 4bc35ac28d11..fa1b0e3c8a06 100644
283 +--- a/arch/x86/kvm/svm.c
284 ++++ b/arch/x86/kvm/svm.c
285 +@@ -1333,20 +1333,23 @@ static u64 *avic_get_physical_id_entry(struct kvm_vcpu *vcpu, int index)
286 + static int avic_init_access_page(struct kvm_vcpu *vcpu)
287 + {
288 + struct kvm *kvm = vcpu->kvm;
289 +- int ret;
290 ++ int ret = 0;
291 +
292 ++ mutex_lock(&kvm->slots_lock);
293 + if (kvm->arch.apic_access_page_done)
294 +- return 0;
295 ++ goto out;
296 +
297 +- ret = x86_set_memory_region(kvm,
298 +- APIC_ACCESS_PAGE_PRIVATE_MEMSLOT,
299 +- APIC_DEFAULT_PHYS_BASE,
300 +- PAGE_SIZE);
301 ++ ret = __x86_set_memory_region(kvm,
302 ++ APIC_ACCESS_PAGE_PRIVATE_MEMSLOT,
303 ++ APIC_DEFAULT_PHYS_BASE,
304 ++ PAGE_SIZE);
305 + if (ret)
306 +- return ret;
307 ++ goto out;
308 +
309 + kvm->arch.apic_access_page_done = true;
310 +- return 0;
311 ++out:
312 ++ mutex_unlock(&kvm->slots_lock);
313 ++ return ret;
314 + }
315 +
316 + static int avic_init_backing_page(struct kvm_vcpu *vcpu)
317 +diff --git a/arch/x86/power/hibernate_64.c b/arch/x86/power/hibernate_64.c
318 +index 0cb1dd461529..fef485b789ca 100644
319 +--- a/arch/x86/power/hibernate_64.c
320 ++++ b/arch/x86/power/hibernate_64.c
321 +@@ -126,7 +126,7 @@ static int relocate_restore_code(void)
322 + if (!relocated_restore_code)
323 + return -ENOMEM;
324 +
325 +- memcpy((void *)relocated_restore_code, &core_restore_code, PAGE_SIZE);
326 ++ memcpy((void *)relocated_restore_code, core_restore_code, PAGE_SIZE);
327 +
328 + /* Make the page containing the relocated code executable */
329 + pgd = (pgd_t *)__va(read_cr3()) + pgd_index(relocated_restore_code);
330 +@@ -197,8 +197,8 @@ int arch_hibernation_header_save(void *addr, unsigned int max_size)
331 +
332 + if (max_size < sizeof(struct restore_data_record))
333 + return -EOVERFLOW;
334 +- rdr->jump_address = (unsigned long)&restore_registers;
335 +- rdr->jump_address_phys = __pa_symbol(&restore_registers);
336 ++ rdr->jump_address = (unsigned long)restore_registers;
337 ++ rdr->jump_address_phys = __pa_symbol(restore_registers);
338 + rdr->cr3 = restore_cr3;
339 + rdr->magic = RESTORE_MAGIC;
340 + return 0;
341 +diff --git a/drivers/android/binder.c b/drivers/android/binder.c
342 +index 49199bd2ab93..80499f421a29 100644
343 +--- a/drivers/android/binder.c
344 ++++ b/drivers/android/binder.c
345 +@@ -302,6 +302,7 @@ struct binder_proc {
346 + struct mm_struct *vma_vm_mm;
347 + struct task_struct *tsk;
348 + struct files_struct *files;
349 ++ struct mutex files_lock;
350 + struct hlist_node deferred_work_node;
351 + int deferred_work;
352 + void *buffer;
353 +@@ -375,20 +376,26 @@ binder_defer_work(struct binder_proc *proc, enum binder_deferred_state defer);
354 +
355 + static int task_get_unused_fd_flags(struct binder_proc *proc, int flags)
356 + {
357 +- struct files_struct *files = proc->files;
358 + unsigned long rlim_cur;
359 + unsigned long irqs;
360 ++ int ret;
361 +
362 +- if (files == NULL)
363 +- return -ESRCH;
364 +-
365 +- if (!lock_task_sighand(proc->tsk, &irqs))
366 +- return -EMFILE;
367 +-
368 ++ mutex_lock(&proc->files_lock);
369 ++ if (proc->files == NULL) {
370 ++ ret = -ESRCH;
371 ++ goto err;
372 ++ }
373 ++ if (!lock_task_sighand(proc->tsk, &irqs)) {
374 ++ ret = -EMFILE;
375 ++ goto err;
376 ++ }
377 + rlim_cur = task_rlimit(proc->tsk, RLIMIT_NOFILE);
378 + unlock_task_sighand(proc->tsk, &irqs);
379 +
380 +- return __alloc_fd(files, 0, rlim_cur, flags);
381 ++ ret = __alloc_fd(proc->files, 0, rlim_cur, flags);
382 ++err:
383 ++ mutex_unlock(&proc->files_lock);
384 ++ return ret;
385 + }
386 +
387 + /*
388 +@@ -397,8 +404,10 @@ static int task_get_unused_fd_flags(struct binder_proc *proc, int flags)
389 + static void task_fd_install(
390 + struct binder_proc *proc, unsigned int fd, struct file *file)
391 + {
392 ++ mutex_lock(&proc->files_lock);
393 + if (proc->files)
394 + __fd_install(proc->files, fd, file);
395 ++ mutex_unlock(&proc->files_lock);
396 + }
397 +
398 + /*
399 +@@ -408,9 +417,11 @@ static long task_close_fd(struct binder_proc *proc, unsigned int fd)
400 + {
401 + int retval;
402 +
403 +- if (proc->files == NULL)
404 +- return -ESRCH;
405 +-
406 ++ mutex_lock(&proc->files_lock);
407 ++ if (proc->files == NULL) {
408 ++ retval = -ESRCH;
409 ++ goto err;
410 ++ }
411 + retval = __close_fd(proc->files, fd);
412 + /* can't restart close syscall because file table entry was cleared */
413 + if (unlikely(retval == -ERESTARTSYS ||
414 +@@ -418,7 +429,8 @@ static long task_close_fd(struct binder_proc *proc, unsigned int fd)
415 + retval == -ERESTARTNOHAND ||
416 + retval == -ERESTART_RESTARTBLOCK))
417 + retval = -EINTR;
418 +-
419 ++err:
420 ++ mutex_unlock(&proc->files_lock);
421 + return retval;
422 + }
423 +
424 +@@ -2946,7 +2958,9 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
425 + binder_insert_free_buffer(proc, buffer);
426 + proc->free_async_space = proc->buffer_size / 2;
427 + barrier();
428 ++ mutex_lock(&proc->files_lock);
429 + proc->files = get_files_struct(current);
430 ++ mutex_unlock(&proc->files_lock);
431 + proc->vma = vma;
432 + proc->vma_vm_mm = vma->vm_mm;
433 +
434 +@@ -2982,6 +2996,7 @@ static int binder_open(struct inode *nodp, struct file *filp)
435 + return -ENOMEM;
436 + get_task_struct(current->group_leader);
437 + proc->tsk = current->group_leader;
438 ++ mutex_init(&proc->files_lock);
439 + INIT_LIST_HEAD(&proc->todo);
440 + init_waitqueue_head(&proc->wait);
441 + proc->default_priority = task_nice(current);
442 +@@ -3220,9 +3235,11 @@ static void binder_deferred_func(struct work_struct *work)
443 +
444 + files = NULL;
445 + if (defer & BINDER_DEFERRED_PUT_FILES) {
446 ++ mutex_lock(&proc->files_lock);
447 + files = proc->files;
448 + if (files)
449 + proc->files = NULL;
450 ++ mutex_unlock(&proc->files_lock);
451 + }
452 +
453 + if (defer & BINDER_DEFERRED_FLUSH)
454 +diff --git a/drivers/gpu/drm/ast/ast_main.c b/drivers/gpu/drm/ast/ast_main.c
455 +index fb9976254224..fabfeeb537ae 100644
456 +--- a/drivers/gpu/drm/ast/ast_main.c
457 ++++ b/drivers/gpu/drm/ast/ast_main.c
458 +@@ -556,7 +556,8 @@ int ast_driver_unload(struct drm_device *dev)
459 + drm_mode_config_cleanup(dev);
460 +
461 + ast_mm_fini(ast);
462 +- pci_iounmap(dev->pdev, ast->ioregs);
463 ++ if (ast->ioregs != ast->regs + AST_IO_MM_OFFSET)
464 ++ pci_iounmap(dev->pdev, ast->ioregs);
465 + pci_iounmap(dev->pdev, ast->regs);
466 + kfree(ast);
467 + return 0;
468 +diff --git a/drivers/gpu/drm/drm_auth.c b/drivers/gpu/drm/drm_auth.c
469 +index 6b143514a566..56b2dd9a5b68 100644
470 +--- a/drivers/gpu/drm/drm_auth.c
471 ++++ b/drivers/gpu/drm/drm_auth.c
472 +@@ -133,6 +133,7 @@ static int drm_new_set_master(struct drm_device *dev, struct drm_file *fpriv)
473 +
474 + lockdep_assert_held_once(&dev->master_mutex);
475 +
476 ++ WARN_ON(fpriv->is_master);
477 + old_master = fpriv->master;
478 + fpriv->master = drm_master_create(dev);
479 + if (!fpriv->master) {
480 +@@ -161,6 +162,7 @@ out_err:
481 + /* drop references and restore old master on failure */
482 + drm_master_put(&fpriv->master);
483 + fpriv->master = old_master;
484 ++ fpriv->is_master = 0;
485 +
486 + return ret;
487 + }
488 +diff --git a/drivers/gpu/drm/gma500/mdfld_intel_display.c b/drivers/gpu/drm/gma500/mdfld_intel_display.c
489 +index 92e3f93ee682..06d61e654f59 100644
490 +--- a/drivers/gpu/drm/gma500/mdfld_intel_display.c
491 ++++ b/drivers/gpu/drm/gma500/mdfld_intel_display.c
492 +@@ -99,7 +99,7 @@ void mdfldWaitForPipeEnable(struct drm_device *dev, int pipe)
493 + /* Wait for for the pipe enable to take effect. */
494 + for (count = 0; count < COUNT_MAX; count++) {
495 + temp = REG_READ(map->conf);
496 +- if ((temp & PIPEACONF_PIPE_STATE) == 1)
497 ++ if (temp & PIPEACONF_PIPE_STATE)
498 + break;
499 + }
500 + }
501 +diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c
502 +index e097780752f6..863d030786e5 100644
503 +--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c
504 ++++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c
505 +@@ -1446,8 +1446,7 @@ static int mtk_hdmi_dt_parse_pdata(struct mtk_hdmi *hdmi,
506 + }
507 +
508 + /* The CEC module handles HDMI hotplug detection */
509 +- cec_np = of_find_compatible_node(np->parent, NULL,
510 +- "mediatek,mt8173-cec");
511 ++ cec_np = of_get_compatible_child(np->parent, "mediatek,mt8173-cec");
512 + if (!cec_np) {
513 + dev_err(dev, "Failed to find CEC node\n");
514 + return -EINVAL;
515 +@@ -1457,8 +1456,10 @@ static int mtk_hdmi_dt_parse_pdata(struct mtk_hdmi *hdmi,
516 + if (!cec_pdev) {
517 + dev_err(hdmi->dev, "Waiting for CEC device %s\n",
518 + cec_np->full_name);
519 ++ of_node_put(cec_np);
520 + return -EPROBE_DEFER;
521 + }
522 ++ of_node_put(cec_np);
523 + hdmi->cec_dev = &cec_pdev->dev;
524 +
525 + /*
526 +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
527 +index d7da1dca765f..b1daf5c16117 100644
528 +--- a/drivers/infiniband/hw/mlx5/main.c
529 ++++ b/drivers/infiniband/hw/mlx5/main.c
530 +@@ -710,31 +710,26 @@ enum mlx5_ib_width {
531 + MLX5_IB_WIDTH_12X = 1 << 4
532 + };
533 +
534 +-static int translate_active_width(struct ib_device *ibdev, u8 active_width,
535 ++static void translate_active_width(struct ib_device *ibdev, u8 active_width,
536 + u8 *ib_width)
537 + {
538 + struct mlx5_ib_dev *dev = to_mdev(ibdev);
539 +- int err = 0;
540 +
541 +- if (active_width & MLX5_IB_WIDTH_1X) {
542 ++ if (active_width & MLX5_IB_WIDTH_1X)
543 + *ib_width = IB_WIDTH_1X;
544 +- } else if (active_width & MLX5_IB_WIDTH_2X) {
545 +- mlx5_ib_dbg(dev, "active_width %d is not supported by IB spec\n",
546 +- (int)active_width);
547 +- err = -EINVAL;
548 +- } else if (active_width & MLX5_IB_WIDTH_4X) {
549 ++ else if (active_width & MLX5_IB_WIDTH_4X)
550 + *ib_width = IB_WIDTH_4X;
551 +- } else if (active_width & MLX5_IB_WIDTH_8X) {
552 ++ else if (active_width & MLX5_IB_WIDTH_8X)
553 + *ib_width = IB_WIDTH_8X;
554 +- } else if (active_width & MLX5_IB_WIDTH_12X) {
555 ++ else if (active_width & MLX5_IB_WIDTH_12X)
556 + *ib_width = IB_WIDTH_12X;
557 +- } else {
558 +- mlx5_ib_dbg(dev, "Invalid active_width %d\n",
559 ++ else {
560 ++ mlx5_ib_dbg(dev, "Invalid active_width %d, setting width to default value: 4x\n",
561 + (int)active_width);
562 +- err = -EINVAL;
563 ++ *ib_width = IB_WIDTH_4X;
564 + }
565 +
566 +- return err;
567 ++ return;
568 + }
569 +
570 + static int mlx5_mtu_to_ib_mtu(int mtu)
571 +@@ -842,10 +837,8 @@ static int mlx5_query_hca_port(struct ib_device *ibdev, u8 port,
572 + if (err)
573 + goto out;
574 +
575 +- err = translate_active_width(ibdev, ib_link_width_oper,
576 +- &props->active_width);
577 +- if (err)
578 +- goto out;
579 ++ translate_active_width(ibdev, ib_link_width_oper, &props->active_width);
580 ++
581 + err = mlx5_query_port_ib_proto_oper(mdev, &props->active_speed, port);
582 + if (err)
583 + goto out;
584 +diff --git a/drivers/infiniband/ulp/iser/iser_verbs.c b/drivers/infiniband/ulp/iser/iser_verbs.c
585 +index bc6f5bb6c524..d46424d4b71e 100644
586 +--- a/drivers/infiniband/ulp/iser/iser_verbs.c
587 ++++ b/drivers/infiniband/ulp/iser/iser_verbs.c
588 +@@ -1110,7 +1110,9 @@ u8 iser_check_task_pi_status(struct iscsi_iser_task *iser_task,
589 + IB_MR_CHECK_SIG_STATUS, &mr_status);
590 + if (ret) {
591 + pr_err("ib_check_mr_status failed, ret %d\n", ret);
592 +- goto err;
593 ++ /* Not a lot we can do, return ambiguous guard error */
594 ++ *sector = 0;
595 ++ return 0x1;
596 + }
597 +
598 + if (mr_status.fail_status & IB_MR_CHECK_SIG_STATUS) {
599 +@@ -1138,9 +1140,6 @@ u8 iser_check_task_pi_status(struct iscsi_iser_task *iser_task,
600 + }
601 +
602 + return 0;
603 +-err:
604 +- /* Not alot we can do here, return ambiguous guard error */
605 +- return 0x1;
606 + }
607 +
608 + void iser_err_comp(struct ib_wc *wc, const char *type)
609 +diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
610 +index 2e52015634f9..f55dcdf99bc5 100644
611 +--- a/drivers/input/joystick/xpad.c
612 ++++ b/drivers/input/joystick/xpad.c
613 +@@ -483,18 +483,18 @@ static const u8 xboxone_hori_init[] = {
614 + };
615 +
616 + /*
617 +- * This packet is required for some of the PDP pads to start
618 ++ * This packet is required for most (all?) of the PDP pads to start
619 + * sending input reports. These pads include: (0x0e6f:0x02ab),
620 +- * (0x0e6f:0x02a4).
621 ++ * (0x0e6f:0x02a4), (0x0e6f:0x02a6).
622 + */
623 + static const u8 xboxone_pdp_init1[] = {
624 + 0x0a, 0x20, 0x00, 0x03, 0x00, 0x01, 0x14
625 + };
626 +
627 + /*
628 +- * This packet is required for some of the PDP pads to start
629 ++ * This packet is required for most (all?) of the PDP pads to start
630 + * sending input reports. These pads include: (0x0e6f:0x02ab),
631 +- * (0x0e6f:0x02a4).
632 ++ * (0x0e6f:0x02a4), (0x0e6f:0x02a6).
633 + */
634 + static const u8 xboxone_pdp_init2[] = {
635 + 0x06, 0x20, 0x00, 0x02, 0x01, 0x00
636 +@@ -530,12 +530,8 @@ static const struct xboxone_init_packet xboxone_init_packets[] = {
637 + XBOXONE_INIT_PKT(0x0e6f, 0x0165, xboxone_hori_init),
638 + XBOXONE_INIT_PKT(0x0f0d, 0x0067, xboxone_hori_init),
639 + XBOXONE_INIT_PKT(0x0000, 0x0000, xboxone_fw2015_init),
640 +- XBOXONE_INIT_PKT(0x0e6f, 0x02ab, xboxone_pdp_init1),
641 +- XBOXONE_INIT_PKT(0x0e6f, 0x02ab, xboxone_pdp_init2),
642 +- XBOXONE_INIT_PKT(0x0e6f, 0x02a4, xboxone_pdp_init1),
643 +- XBOXONE_INIT_PKT(0x0e6f, 0x02a4, xboxone_pdp_init2),
644 +- XBOXONE_INIT_PKT(0x0e6f, 0x02a6, xboxone_pdp_init1),
645 +- XBOXONE_INIT_PKT(0x0e6f, 0x02a6, xboxone_pdp_init2),
646 ++ XBOXONE_INIT_PKT(0x0e6f, 0x0000, xboxone_pdp_init1),
647 ++ XBOXONE_INIT_PKT(0x0e6f, 0x0000, xboxone_pdp_init2),
648 + XBOXONE_INIT_PKT(0x24c6, 0x541a, xboxone_rumblebegin_init),
649 + XBOXONE_INIT_PKT(0x24c6, 0x542a, xboxone_rumblebegin_init),
650 + XBOXONE_INIT_PKT(0x24c6, 0x543a, xboxone_rumblebegin_init),
651 +diff --git a/drivers/input/keyboard/matrix_keypad.c b/drivers/input/keyboard/matrix_keypad.c
652 +index 795fa353de7c..c64d87442a62 100644
653 +--- a/drivers/input/keyboard/matrix_keypad.c
654 ++++ b/drivers/input/keyboard/matrix_keypad.c
655 +@@ -405,7 +405,7 @@ matrix_keypad_parse_dt(struct device *dev)
656 + struct matrix_keypad_platform_data *pdata;
657 + struct device_node *np = dev->of_node;
658 + unsigned int *gpios;
659 +- int i, nrow, ncol;
660 ++ int ret, i, nrow, ncol;
661 +
662 + if (!np) {
663 + dev_err(dev, "device lacks DT data\n");
664 +@@ -447,12 +447,19 @@ matrix_keypad_parse_dt(struct device *dev)
665 + return ERR_PTR(-ENOMEM);
666 + }
667 +
668 +- for (i = 0; i < pdata->num_row_gpios; i++)
669 +- gpios[i] = of_get_named_gpio(np, "row-gpios", i);
670 ++ for (i = 0; i < nrow; i++) {
671 ++ ret = of_get_named_gpio(np, "row-gpios", i);
672 ++ if (ret < 0)
673 ++ return ERR_PTR(ret);
674 ++ gpios[i] = ret;
675 ++ }
676 +
677 +- for (i = 0; i < pdata->num_col_gpios; i++)
678 +- gpios[pdata->num_row_gpios + i] =
679 +- of_get_named_gpio(np, "col-gpios", i);
680 ++ for (i = 0; i < ncol; i++) {
681 ++ ret = of_get_named_gpio(np, "col-gpios", i);
682 ++ if (ret < 0)
683 ++ return ERR_PTR(ret);
684 ++ gpios[nrow + i] = ret;
685 ++ }
686 +
687 + pdata->row_gpios = gpios;
688 + pdata->col_gpios = &gpios[pdata->num_row_gpios];
689 +@@ -479,10 +486,8 @@ static int matrix_keypad_probe(struct platform_device *pdev)
690 + pdata = dev_get_platdata(&pdev->dev);
691 + if (!pdata) {
692 + pdata = matrix_keypad_parse_dt(&pdev->dev);
693 +- if (IS_ERR(pdata)) {
694 +- dev_err(&pdev->dev, "no platform data defined\n");
695 ++ if (IS_ERR(pdata))
696 + return PTR_ERR(pdata);
697 +- }
698 + } else if (!pdata->keymap_data) {
699 + dev_err(&pdev->dev, "no keymap data defined\n");
700 + return -EINVAL;
701 +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
702 +index b3119589a444..471984ec2db0 100644
703 +--- a/drivers/input/mouse/elan_i2c_core.c
704 ++++ b/drivers/input/mouse/elan_i2c_core.c
705 +@@ -1253,6 +1253,9 @@ static const struct acpi_device_id elan_acpi_id[] = {
706 + { "ELAN0618", 0 },
707 + { "ELAN061C", 0 },
708 + { "ELAN061D", 0 },
709 ++ { "ELAN061E", 0 },
710 ++ { "ELAN0620", 0 },
711 ++ { "ELAN0621", 0 },
712 + { "ELAN0622", 0 },
713 + { "ELAN1000", 0 },
714 + { }
715 +diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c
716 +index 68f19ca57f96..245eb02d0c4e 100644
717 +--- a/drivers/net/ethernet/qlogic/qed/qed_debug.c
718 ++++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c
719 +@@ -3039,10 +3039,10 @@ static u32 qed_grc_dump_big_ram(struct qed_hwfn *p_hwfn,
720 + s_big_ram_defs[big_ram_id].num_of_blocks[dev_data->chip_id];
721 + ram_size = total_blocks * BIG_RAM_BLOCK_SIZE_DWORDS;
722 +
723 +- strncpy(type_name, s_big_ram_defs[big_ram_id].instance_name,
724 +- strlen(s_big_ram_defs[big_ram_id].instance_name));
725 +- strncpy(mem_name, s_big_ram_defs[big_ram_id].instance_name,
726 +- strlen(s_big_ram_defs[big_ram_id].instance_name));
727 ++ strscpy(type_name, s_big_ram_defs[big_ram_id].instance_name,
728 ++ sizeof(type_name));
729 ++ strscpy(mem_name, s_big_ram_defs[big_ram_id].instance_name,
730 ++ sizeof(mem_name));
731 +
732 + /* Dump memory header */
733 + offset += qed_grc_dump_mem_hdr(p_hwfn,
734 +diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c
735 +index 94a356bbb6b9..61419d1b4543 100644
736 +--- a/drivers/net/wireless/ath/wil6210/wmi.c
737 ++++ b/drivers/net/wireless/ath/wil6210/wmi.c
738 +@@ -1302,8 +1302,14 @@ int wmi_set_ie(struct wil6210_priv *wil, u8 type, u16 ie_len, const void *ie)
739 + };
740 + int rc;
741 + u16 len = sizeof(struct wmi_set_appie_cmd) + ie_len;
742 +- struct wmi_set_appie_cmd *cmd = kzalloc(len, GFP_KERNEL);
743 ++ struct wmi_set_appie_cmd *cmd;
744 +
745 ++ if (len < ie_len) {
746 ++ rc = -EINVAL;
747 ++ goto out;
748 ++ }
749 ++
750 ++ cmd = kzalloc(len, GFP_KERNEL);
751 + if (!cmd) {
752 + rc = -ENOMEM;
753 + goto out;
754 +diff --git a/drivers/reset/core.c b/drivers/reset/core.c
755 +index b8ae1dbd4c17..188205a55261 100644
756 +--- a/drivers/reset/core.c
757 ++++ b/drivers/reset/core.c
758 +@@ -135,11 +135,16 @@ EXPORT_SYMBOL_GPL(devm_reset_controller_register);
759 + * @rstc: reset controller
760 + *
761 + * Calling this on a shared reset controller is an error.
762 ++ *
763 ++ * If rstc is NULL it is an optional reset and the function will just
764 ++ * return 0.
765 + */
766 + int reset_control_reset(struct reset_control *rstc)
767 + {
768 +- if (WARN_ON(IS_ERR_OR_NULL(rstc)) ||
769 +- WARN_ON(rstc->shared))
770 ++ if (!rstc)
771 ++ return 0;
772 ++
773 ++ if (WARN_ON(IS_ERR(rstc)))
774 + return -EINVAL;
775 +
776 + if (rstc->rcdev->ops->reset)
777 +@@ -159,10 +164,16 @@ EXPORT_SYMBOL_GPL(reset_control_reset);
778 + *
779 + * For shared reset controls a driver cannot expect the hw's registers and
780 + * internal state to be reset, but must be prepared for this to happen.
781 ++ *
782 ++ * If rstc is NULL it is an optional reset and the function will just
783 ++ * return 0.
784 + */
785 + int reset_control_assert(struct reset_control *rstc)
786 + {
787 +- if (WARN_ON(IS_ERR_OR_NULL(rstc)))
788 ++ if (!rstc)
789 ++ return 0;
790 ++
791 ++ if (WARN_ON(IS_ERR(rstc)))
792 + return -EINVAL;
793 +
794 + if (!rstc->rcdev->ops->assert)
795 +@@ -185,10 +196,16 @@ EXPORT_SYMBOL_GPL(reset_control_assert);
796 + * @rstc: reset controller
797 + *
798 + * After calling this function, the reset is guaranteed to be deasserted.
799 ++ *
800 ++ * If rstc is NULL it is an optional reset and the function will just
801 ++ * return 0.
802 + */
803 + int reset_control_deassert(struct reset_control *rstc)
804 + {
805 +- if (WARN_ON(IS_ERR_OR_NULL(rstc)))
806 ++ if (!rstc)
807 ++ return 0;
808 ++
809 ++ if (WARN_ON(IS_ERR(rstc)))
810 + return -EINVAL;
811 +
812 + if (!rstc->rcdev->ops->deassert)
813 +@@ -206,12 +223,15 @@ EXPORT_SYMBOL_GPL(reset_control_deassert);
814 + /**
815 + * reset_control_status - returns a negative errno if not supported, a
816 + * positive value if the reset line is asserted, or zero if the reset
817 +- * line is not asserted.
818 ++ * line is not asserted or if the desc is NULL (optional reset).
819 + * @rstc: reset controller
820 + */
821 + int reset_control_status(struct reset_control *rstc)
822 + {
823 +- if (WARN_ON(IS_ERR_OR_NULL(rstc)))
824 ++ if (!rstc)
825 ++ return 0;
826 ++
827 ++ if (WARN_ON(IS_ERR(rstc)))
828 + return -EINVAL;
829 +
830 + if (rstc->rcdev->ops->status)
831 +@@ -221,7 +241,7 @@ int reset_control_status(struct reset_control *rstc)
832 + }
833 + EXPORT_SYMBOL_GPL(reset_control_status);
834 +
835 +-static struct reset_control *__reset_control_get(
836 ++static struct reset_control *__reset_control_get_internal(
837 + struct reset_controller_dev *rcdev,
838 + unsigned int index, int shared)
839 + {
840 +@@ -254,7 +274,7 @@ static struct reset_control *__reset_control_get(
841 + return rstc;
842 + }
843 +
844 +-static void __reset_control_put(struct reset_control *rstc)
845 ++static void __reset_control_put_internal(struct reset_control *rstc)
846 + {
847 + lockdep_assert_held(&reset_list_mutex);
848 +
849 +@@ -268,7 +288,8 @@ static void __reset_control_put(struct reset_control *rstc)
850 + }
851 +
852 + struct reset_control *__of_reset_control_get(struct device_node *node,
853 +- const char *id, int index, int shared)
854 ++ const char *id, int index, bool shared,
855 ++ bool optional)
856 + {
857 + struct reset_control *rstc;
858 + struct reset_controller_dev *r, *rcdev;
859 +@@ -282,14 +303,18 @@ struct reset_control *__of_reset_control_get(struct device_node *node,
860 + if (id) {
861 + index = of_property_match_string(node,
862 + "reset-names", id);
863 ++ if (index == -EILSEQ)
864 ++ return ERR_PTR(index);
865 + if (index < 0)
866 +- return ERR_PTR(-ENOENT);
867 ++ return optional ? NULL : ERR_PTR(-ENOENT);
868 + }
869 +
870 + ret = of_parse_phandle_with_args(node, "resets", "#reset-cells",
871 + index, &args);
872 +- if (ret)
873 ++ if (ret == -EINVAL)
874 + return ERR_PTR(ret);
875 ++ if (ret)
876 ++ return optional ? NULL : ERR_PTR(ret);
877 +
878 + mutex_lock(&reset_list_mutex);
879 + rcdev = NULL;
880 +@@ -318,7 +343,7 @@ struct reset_control *__of_reset_control_get(struct device_node *node,
881 + }
882 +
883 + /* reset_list_mutex also protects the rcdev's reset_control list */
884 +- rstc = __reset_control_get(rcdev, rstc_id, shared);
885 ++ rstc = __reset_control_get_internal(rcdev, rstc_id, shared);
886 +
887 + mutex_unlock(&reset_list_mutex);
888 +
889 +@@ -326,6 +351,17 @@ struct reset_control *__of_reset_control_get(struct device_node *node,
890 + }
891 + EXPORT_SYMBOL_GPL(__of_reset_control_get);
892 +
893 ++struct reset_control *__reset_control_get(struct device *dev, const char *id,
894 ++ int index, bool shared, bool optional)
895 ++{
896 ++ if (dev->of_node)
897 ++ return __of_reset_control_get(dev->of_node, id, index, shared,
898 ++ optional);
899 ++
900 ++ return optional ? NULL : ERR_PTR(-EINVAL);
901 ++}
902 ++EXPORT_SYMBOL_GPL(__reset_control_get);
903 ++
904 + /**
905 + * reset_control_put - free the reset controller
906 + * @rstc: reset controller
907 +@@ -333,11 +369,11 @@ EXPORT_SYMBOL_GPL(__of_reset_control_get);
908 +
909 + void reset_control_put(struct reset_control *rstc)
910 + {
911 +- if (IS_ERR(rstc))
912 ++ if (IS_ERR_OR_NULL(rstc))
913 + return;
914 +
915 + mutex_lock(&reset_list_mutex);
916 +- __reset_control_put(rstc);
917 ++ __reset_control_put_internal(rstc);
918 + mutex_unlock(&reset_list_mutex);
919 + }
920 + EXPORT_SYMBOL_GPL(reset_control_put);
921 +@@ -348,7 +384,8 @@ static void devm_reset_control_release(struct device *dev, void *res)
922 + }
923 +
924 + struct reset_control *__devm_reset_control_get(struct device *dev,
925 +- const char *id, int index, int shared)
926 ++ const char *id, int index, bool shared,
927 ++ bool optional)
928 + {
929 + struct reset_control **ptr, *rstc;
930 +
931 +@@ -357,8 +394,7 @@ struct reset_control *__devm_reset_control_get(struct device *dev,
932 + if (!ptr)
933 + return ERR_PTR(-ENOMEM);
934 +
935 +- rstc = __of_reset_control_get(dev ? dev->of_node : NULL,
936 +- id, index, shared);
937 ++ rstc = __reset_control_get(dev, id, index, shared, optional);
938 + if (!IS_ERR(rstc)) {
939 + *ptr = rstc;
940 + devres_add(dev, ptr);
941 +@@ -374,17 +410,18 @@ EXPORT_SYMBOL_GPL(__devm_reset_control_get);
942 + * device_reset - find reset controller associated with the device
943 + * and perform reset
944 + * @dev: device to be reset by the controller
945 ++ * @optional: whether it is optional to reset the device
946 + *
947 +- * Convenience wrapper for reset_control_get() and reset_control_reset().
948 ++ * Convenience wrapper for __reset_control_get() and reset_control_reset().
949 + * This is useful for the common case of devices with single, dedicated reset
950 + * lines.
951 + */
952 +-int device_reset(struct device *dev)
953 ++int __device_reset(struct device *dev, bool optional)
954 + {
955 + struct reset_control *rstc;
956 + int ret;
957 +
958 +- rstc = reset_control_get(dev, NULL);
959 ++ rstc = __reset_control_get(dev, NULL, 0, 0, optional);
960 + if (IS_ERR(rstc))
961 + return PTR_ERR(rstc);
962 +
963 +@@ -394,4 +431,4 @@ int device_reset(struct device *dev)
964 +
965 + return ret;
966 + }
967 +-EXPORT_SYMBOL_GPL(device_reset);
968 ++EXPORT_SYMBOL_GPL(__device_reset);
969 +diff --git a/drivers/scsi/bfa/bfa_fcbuild.c b/drivers/scsi/bfa/bfa_fcbuild.c
970 +index b8dadc9cc993..d3b00a475aeb 100644
971 +--- a/drivers/scsi/bfa/bfa_fcbuild.c
972 ++++ b/drivers/scsi/bfa/bfa_fcbuild.c
973 +@@ -1250,8 +1250,8 @@ fc_rspnid_build(struct fchs_s *fchs, void *pyld, u32 s_id, u16 ox_id,
974 + memset(rspnid, 0, sizeof(struct fcgs_rspnid_req_s));
975 +
976 + rspnid->dap = s_id;
977 +- rspnid->spn_len = (u8) strlen((char *)name);
978 +- strncpy((char *)rspnid->spn, (char *)name, rspnid->spn_len);
979 ++ strlcpy(rspnid->spn, name, sizeof(rspnid->spn));
980 ++ rspnid->spn_len = (u8) strlen(rspnid->spn);
981 +
982 + return sizeof(struct fcgs_rspnid_req_s) + sizeof(struct ct_hdr_s);
983 + }
984 +@@ -1271,8 +1271,8 @@ fc_rsnn_nn_build(struct fchs_s *fchs, void *pyld, u32 s_id,
985 + memset(rsnn_nn, 0, sizeof(struct fcgs_rsnn_nn_req_s));
986 +
987 + rsnn_nn->node_name = node_name;
988 +- rsnn_nn->snn_len = (u8) strlen((char *)name);
989 +- strncpy((char *)rsnn_nn->snn, (char *)name, rsnn_nn->snn_len);
990 ++ strlcpy(rsnn_nn->snn, name, sizeof(rsnn_nn->snn));
991 ++ rsnn_nn->snn_len = (u8) strlen(rsnn_nn->snn);
992 +
993 + return sizeof(struct fcgs_rsnn_nn_req_s) + sizeof(struct ct_hdr_s);
994 + }
995 +diff --git a/drivers/scsi/bfa/bfa_fcs.c b/drivers/scsi/bfa/bfa_fcs.c
996 +index 1e7e139d71ea..f602de047087 100644
997 +--- a/drivers/scsi/bfa/bfa_fcs.c
998 ++++ b/drivers/scsi/bfa/bfa_fcs.c
999 +@@ -832,23 +832,23 @@ bfa_fcs_fabric_psymb_init(struct bfa_fcs_fabric_s *fabric)
1000 + bfa_ioc_get_adapter_model(&fabric->fcs->bfa->ioc, model);
1001 +
1002 + /* Model name/number */
1003 +- strncpy((char *)&port_cfg->sym_name, model,
1004 +- BFA_FCS_PORT_SYMBNAME_MODEL_SZ);
1005 +- strncat((char *)&port_cfg->sym_name, BFA_FCS_PORT_SYMBNAME_SEPARATOR,
1006 +- sizeof(BFA_FCS_PORT_SYMBNAME_SEPARATOR));
1007 ++ strlcpy(port_cfg->sym_name.symname, model,
1008 ++ BFA_SYMNAME_MAXLEN);
1009 ++ strlcat(port_cfg->sym_name.symname, BFA_FCS_PORT_SYMBNAME_SEPARATOR,
1010 ++ BFA_SYMNAME_MAXLEN);
1011 +
1012 + /* Driver Version */
1013 +- strncat((char *)&port_cfg->sym_name, (char *)driver_info->version,
1014 +- BFA_FCS_PORT_SYMBNAME_VERSION_SZ);
1015 +- strncat((char *)&port_cfg->sym_name, BFA_FCS_PORT_SYMBNAME_SEPARATOR,
1016 +- sizeof(BFA_FCS_PORT_SYMBNAME_SEPARATOR));
1017 ++ strlcat(port_cfg->sym_name.symname, driver_info->version,
1018 ++ BFA_SYMNAME_MAXLEN);
1019 ++ strlcat(port_cfg->sym_name.symname, BFA_FCS_PORT_SYMBNAME_SEPARATOR,
1020 ++ BFA_SYMNAME_MAXLEN);
1021 +
1022 + /* Host machine name */
1023 +- strncat((char *)&port_cfg->sym_name,
1024 +- (char *)driver_info->host_machine_name,
1025 +- BFA_FCS_PORT_SYMBNAME_MACHINENAME_SZ);
1026 +- strncat((char *)&port_cfg->sym_name, BFA_FCS_PORT_SYMBNAME_SEPARATOR,
1027 +- sizeof(BFA_FCS_PORT_SYMBNAME_SEPARATOR));
1028 ++ strlcat(port_cfg->sym_name.symname,
1029 ++ driver_info->host_machine_name,
1030 ++ BFA_SYMNAME_MAXLEN);
1031 ++ strlcat(port_cfg->sym_name.symname, BFA_FCS_PORT_SYMBNAME_SEPARATOR,
1032 ++ BFA_SYMNAME_MAXLEN);
1033 +
1034 + /*
1035 + * Host OS Info :
1036 +@@ -856,24 +856,24 @@ bfa_fcs_fabric_psymb_init(struct bfa_fcs_fabric_s *fabric)
1037 + * OS name string and instead copy the entire OS info string (64 bytes).
1038 + */
1039 + if (driver_info->host_os_patch[0] == '\0') {
1040 +- strncat((char *)&port_cfg->sym_name,
1041 +- (char *)driver_info->host_os_name,
1042 +- BFA_FCS_OS_STR_LEN);
1043 +- strncat((char *)&port_cfg->sym_name,
1044 ++ strlcat(port_cfg->sym_name.symname,
1045 ++ driver_info->host_os_name,
1046 ++ BFA_SYMNAME_MAXLEN);
1047 ++ strlcat(port_cfg->sym_name.symname,
1048 + BFA_FCS_PORT_SYMBNAME_SEPARATOR,
1049 +- sizeof(BFA_FCS_PORT_SYMBNAME_SEPARATOR));
1050 ++ BFA_SYMNAME_MAXLEN);
1051 + } else {
1052 +- strncat((char *)&port_cfg->sym_name,
1053 +- (char *)driver_info->host_os_name,
1054 +- BFA_FCS_PORT_SYMBNAME_OSINFO_SZ);
1055 +- strncat((char *)&port_cfg->sym_name,
1056 ++ strlcat(port_cfg->sym_name.symname,
1057 ++ driver_info->host_os_name,
1058 ++ BFA_SYMNAME_MAXLEN);
1059 ++ strlcat(port_cfg->sym_name.symname,
1060 + BFA_FCS_PORT_SYMBNAME_SEPARATOR,
1061 +- sizeof(BFA_FCS_PORT_SYMBNAME_SEPARATOR));
1062 ++ BFA_SYMNAME_MAXLEN);
1063 +
1064 + /* Append host OS Patch Info */
1065 +- strncat((char *)&port_cfg->sym_name,
1066 +- (char *)driver_info->host_os_patch,
1067 +- BFA_FCS_PORT_SYMBNAME_OSPATCH_SZ);
1068 ++ strlcat(port_cfg->sym_name.symname,
1069 ++ driver_info->host_os_patch,
1070 ++ BFA_SYMNAME_MAXLEN);
1071 + }
1072 +
1073 + /* null terminate */
1074 +@@ -893,26 +893,26 @@ bfa_fcs_fabric_nsymb_init(struct bfa_fcs_fabric_s *fabric)
1075 + bfa_ioc_get_adapter_model(&fabric->fcs->bfa->ioc, model);
1076 +
1077 + /* Model name/number */
1078 +- strncpy((char *)&port_cfg->node_sym_name, model,
1079 +- BFA_FCS_PORT_SYMBNAME_MODEL_SZ);
1080 +- strncat((char *)&port_cfg->node_sym_name,
1081 ++ strlcpy(port_cfg->node_sym_name.symname, model,
1082 ++ BFA_SYMNAME_MAXLEN);
1083 ++ strlcat(port_cfg->node_sym_name.symname,
1084 + BFA_FCS_PORT_SYMBNAME_SEPARATOR,
1085 +- sizeof(BFA_FCS_PORT_SYMBNAME_SEPARATOR));
1086 ++ BFA_SYMNAME_MAXLEN);
1087 +
1088 + /* Driver Version */
1089 +- strncat((char *)&port_cfg->node_sym_name, (char *)driver_info->version,
1090 +- BFA_FCS_PORT_SYMBNAME_VERSION_SZ);
1091 +- strncat((char *)&port_cfg->node_sym_name,
1092 ++ strlcat(port_cfg->node_sym_name.symname, (char *)driver_info->version,
1093 ++ BFA_SYMNAME_MAXLEN);
1094 ++ strlcat(port_cfg->node_sym_name.symname,
1095 + BFA_FCS_PORT_SYMBNAME_SEPARATOR,
1096 +- sizeof(BFA_FCS_PORT_SYMBNAME_SEPARATOR));
1097 ++ BFA_SYMNAME_MAXLEN);
1098 +
1099 + /* Host machine name */
1100 +- strncat((char *)&port_cfg->node_sym_name,
1101 +- (char *)driver_info->host_machine_name,
1102 +- BFA_FCS_PORT_SYMBNAME_MACHINENAME_SZ);
1103 +- strncat((char *)&port_cfg->node_sym_name,
1104 ++ strlcat(port_cfg->node_sym_name.symname,
1105 ++ driver_info->host_machine_name,
1106 ++ BFA_SYMNAME_MAXLEN);
1107 ++ strlcat(port_cfg->node_sym_name.symname,
1108 + BFA_FCS_PORT_SYMBNAME_SEPARATOR,
1109 +- sizeof(BFA_FCS_PORT_SYMBNAME_SEPARATOR));
1110 ++ BFA_SYMNAME_MAXLEN);
1111 +
1112 + /* null terminate */
1113 + port_cfg->node_sym_name.symname[BFA_SYMNAME_MAXLEN - 1] = 0;
1114 +diff --git a/drivers/scsi/bfa/bfa_fcs_lport.c b/drivers/scsi/bfa/bfa_fcs_lport.c
1115 +index 4ddda72f60e6..eb87949b00c1 100644
1116 +--- a/drivers/scsi/bfa/bfa_fcs_lport.c
1117 ++++ b/drivers/scsi/bfa/bfa_fcs_lport.c
1118 +@@ -2631,10 +2631,10 @@ bfa_fcs_fdmi_get_hbaattr(struct bfa_fcs_lport_fdmi_s *fdmi,
1119 + bfa_ioc_get_adapter_fw_ver(&port->fcs->bfa->ioc,
1120 + hba_attr->fw_version);
1121 +
1122 +- strncpy(hba_attr->driver_version, (char *)driver_info->version,
1123 ++ strlcpy(hba_attr->driver_version, (char *)driver_info->version,
1124 + sizeof(hba_attr->driver_version));
1125 +
1126 +- strncpy(hba_attr->os_name, driver_info->host_os_name,
1127 ++ strlcpy(hba_attr->os_name, driver_info->host_os_name,
1128 + sizeof(hba_attr->os_name));
1129 +
1130 + /*
1131 +@@ -2642,23 +2642,23 @@ bfa_fcs_fdmi_get_hbaattr(struct bfa_fcs_lport_fdmi_s *fdmi,
1132 + * to the os name along with a separator
1133 + */
1134 + if (driver_info->host_os_patch[0] != '\0') {
1135 +- strncat(hba_attr->os_name, BFA_FCS_PORT_SYMBNAME_SEPARATOR,
1136 +- sizeof(BFA_FCS_PORT_SYMBNAME_SEPARATOR));
1137 +- strncat(hba_attr->os_name, driver_info->host_os_patch,
1138 +- sizeof(driver_info->host_os_patch));
1139 ++ strlcat(hba_attr->os_name, BFA_FCS_PORT_SYMBNAME_SEPARATOR,
1140 ++ sizeof(hba_attr->os_name));
1141 ++ strlcat(hba_attr->os_name, driver_info->host_os_patch,
1142 ++ sizeof(hba_attr->os_name));
1143 + }
1144 +
1145 + /* Retrieve the max frame size from the port attr */
1146 + bfa_fcs_fdmi_get_portattr(fdmi, &fcs_port_attr);
1147 + hba_attr->max_ct_pyld = fcs_port_attr.max_frm_size;
1148 +
1149 +- strncpy(hba_attr->node_sym_name.symname,
1150 ++ strlcpy(hba_attr->node_sym_name.symname,
1151 + port->port_cfg.node_sym_name.symname, BFA_SYMNAME_MAXLEN);
1152 + strcpy(hba_attr->vendor_info, "QLogic");
1153 + hba_attr->num_ports =
1154 + cpu_to_be32(bfa_ioc_get_nports(&port->fcs->bfa->ioc));
1155 + hba_attr->fabric_name = port->fabric->lps->pr_nwwn;
1156 +- strncpy(hba_attr->bios_ver, hba_attr->option_rom_ver, BFA_VERSION_LEN);
1157 ++ strlcpy(hba_attr->bios_ver, hba_attr->option_rom_ver, BFA_VERSION_LEN);
1158 +
1159 + }
1160 +
1161 +@@ -2725,20 +2725,20 @@ bfa_fcs_fdmi_get_portattr(struct bfa_fcs_lport_fdmi_s *fdmi,
1162 + /*
1163 + * OS device Name
1164 + */
1165 +- strncpy(port_attr->os_device_name, (char *)driver_info->os_device_name,
1166 ++ strlcpy(port_attr->os_device_name, driver_info->os_device_name,
1167 + sizeof(port_attr->os_device_name));
1168 +
1169 + /*
1170 + * Host name
1171 + */
1172 +- strncpy(port_attr->host_name, (char *)driver_info->host_machine_name,
1173 ++ strlcpy(port_attr->host_name, driver_info->host_machine_name,
1174 + sizeof(port_attr->host_name));
1175 +
1176 + port_attr->node_name = bfa_fcs_lport_get_nwwn(port);
1177 + port_attr->port_name = bfa_fcs_lport_get_pwwn(port);
1178 +
1179 +- strncpy(port_attr->port_sym_name.symname,
1180 +- (char *)&bfa_fcs_lport_get_psym_name(port), BFA_SYMNAME_MAXLEN);
1181 ++ strlcpy(port_attr->port_sym_name.symname,
1182 ++ bfa_fcs_lport_get_psym_name(port).symname, BFA_SYMNAME_MAXLEN);
1183 + bfa_fcs_lport_get_attr(port, &lport_attr);
1184 + port_attr->port_type = cpu_to_be32(lport_attr.port_type);
1185 + port_attr->scos = pport_attr.cos_supported;
1186 +@@ -3218,7 +3218,7 @@ bfa_fcs_lport_ms_gmal_response(void *fcsarg, struct bfa_fcxp_s *fcxp,
1187 + rsp_str[gmal_entry->len-1] = 0;
1188 +
1189 + /* copy IP Address to fabric */
1190 +- strncpy(bfa_fcs_lport_get_fabric_ipaddr(port),
1191 ++ strlcpy(bfa_fcs_lport_get_fabric_ipaddr(port),
1192 + gmal_entry->ip_addr,
1193 + BFA_FCS_FABRIC_IPADDR_SZ);
1194 + break;
1195 +@@ -4656,21 +4656,13 @@ bfa_fcs_lport_ns_send_rspn_id(void *ns_cbarg, struct bfa_fcxp_s *fcxp_alloced)
1196 + * to that of the base port.
1197 + */
1198 +
1199 +- strncpy((char *)psymbl,
1200 +- (char *) &
1201 +- (bfa_fcs_lport_get_psym_name
1202 ++ strlcpy(symbl,
1203 ++ (char *)&(bfa_fcs_lport_get_psym_name
1204 + (bfa_fcs_get_base_port(port->fcs))),
1205 +- strlen((char *) &
1206 +- bfa_fcs_lport_get_psym_name(bfa_fcs_get_base_port
1207 +- (port->fcs))));
1208 +-
1209 +- /* Ensure we have a null terminating string. */
1210 +- ((char *)psymbl)[strlen((char *) &
1211 +- bfa_fcs_lport_get_psym_name(bfa_fcs_get_base_port
1212 +- (port->fcs)))] = 0;
1213 +- strncat((char *)psymbl,
1214 +- (char *) &(bfa_fcs_lport_get_psym_name(port)),
1215 +- strlen((char *) &bfa_fcs_lport_get_psym_name(port)));
1216 ++ sizeof(symbl));
1217 ++
1218 ++ strlcat(symbl, (char *)&(bfa_fcs_lport_get_psym_name(port)),
1219 ++ sizeof(symbl));
1220 + } else {
1221 + psymbl = (u8 *) &(bfa_fcs_lport_get_psym_name(port));
1222 + }
1223 +@@ -5162,7 +5154,6 @@ bfa_fcs_lport_ns_util_send_rspn_id(void *cbarg, struct bfa_fcxp_s *fcxp_alloced)
1224 + struct fchs_s fchs;
1225 + struct bfa_fcxp_s *fcxp;
1226 + u8 symbl[256];
1227 +- u8 *psymbl = &symbl[0];
1228 + int len;
1229 +
1230 + /* Avoid sending RSPN in the following states. */
1231 +@@ -5192,22 +5183,17 @@ bfa_fcs_lport_ns_util_send_rspn_id(void *cbarg, struct bfa_fcxp_s *fcxp_alloced)
1232 + * For Vports, we append the vport's port symbolic name
1233 + * to that of the base port.
1234 + */
1235 +- strncpy((char *)psymbl, (char *)&(bfa_fcs_lport_get_psym_name
1236 ++ strlcpy(symbl, (char *)&(bfa_fcs_lport_get_psym_name
1237 + (bfa_fcs_get_base_port(port->fcs))),
1238 +- strlen((char *)&bfa_fcs_lport_get_psym_name(
1239 +- bfa_fcs_get_base_port(port->fcs))));
1240 +-
1241 +- /* Ensure we have a null terminating string. */
1242 +- ((char *)psymbl)[strlen((char *)&bfa_fcs_lport_get_psym_name(
1243 +- bfa_fcs_get_base_port(port->fcs)))] = 0;
1244 ++ sizeof(symbl));
1245 +
1246 +- strncat((char *)psymbl,
1247 ++ strlcat(symbl,
1248 + (char *)&(bfa_fcs_lport_get_psym_name(port)),
1249 +- strlen((char *)&bfa_fcs_lport_get_psym_name(port)));
1250 ++ sizeof(symbl));
1251 + }
1252 +
1253 + len = fc_rspnid_build(&fchs, bfa_fcxp_get_reqbuf(fcxp),
1254 +- bfa_fcs_lport_get_fcid(port), 0, psymbl);
1255 ++ bfa_fcs_lport_get_fcid(port), 0, symbl);
1256 +
1257 + bfa_fcxp_send(fcxp, NULL, port->fabric->vf_id, port->lp_tag, BFA_FALSE,
1258 + FC_CLASS_3, len, &fchs, NULL, NULL, FC_MAX_PDUSZ, 0);
1259 +diff --git a/drivers/scsi/bfa/bfa_ioc.c b/drivers/scsi/bfa/bfa_ioc.c
1260 +index a1ada4a31c97..16750416d3c0 100644
1261 +--- a/drivers/scsi/bfa/bfa_ioc.c
1262 ++++ b/drivers/scsi/bfa/bfa_ioc.c
1263 +@@ -2803,7 +2803,7 @@ void
1264 + bfa_ioc_get_adapter_manufacturer(struct bfa_ioc_s *ioc, char *manufacturer)
1265 + {
1266 + memset((void *)manufacturer, 0, BFA_ADAPTER_MFG_NAME_LEN);
1267 +- strncpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN);
1268 ++ strlcpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN);
1269 + }
1270 +
1271 + void
1272 +diff --git a/drivers/scsi/bfa/bfa_svc.c b/drivers/scsi/bfa/bfa_svc.c
1273 +index 12de292175ef..225883d2aeef 100644
1274 +--- a/drivers/scsi/bfa/bfa_svc.c
1275 ++++ b/drivers/scsi/bfa/bfa_svc.c
1276 +@@ -366,8 +366,8 @@ bfa_plog_str(struct bfa_plog_s *plog, enum bfa_plog_mid mid,
1277 + lp.eid = event;
1278 + lp.log_type = BFA_PL_LOG_TYPE_STRING;
1279 + lp.misc = misc;
1280 +- strncpy(lp.log_entry.string_log, log_str,
1281 +- BFA_PL_STRING_LOG_SZ - 1);
1282 ++ strlcpy(lp.log_entry.string_log, log_str,
1283 ++ BFA_PL_STRING_LOG_SZ);
1284 + lp.log_entry.string_log[BFA_PL_STRING_LOG_SZ - 1] = '\0';
1285 + bfa_plog_add(plog, &lp);
1286 + }
1287 +diff --git a/drivers/scsi/bfa/bfad.c b/drivers/scsi/bfa/bfad.c
1288 +index e70410beb83a..389f8ef0b095 100644
1289 +--- a/drivers/scsi/bfa/bfad.c
1290 ++++ b/drivers/scsi/bfa/bfad.c
1291 +@@ -983,20 +983,20 @@ bfad_start_ops(struct bfad_s *bfad) {
1292 +
1293 + /* Fill the driver_info info to fcs*/
1294 + memset(&driver_info, 0, sizeof(driver_info));
1295 +- strncpy(driver_info.version, BFAD_DRIVER_VERSION,
1296 +- sizeof(driver_info.version) - 1);
1297 ++ strlcpy(driver_info.version, BFAD_DRIVER_VERSION,
1298 ++ sizeof(driver_info.version));
1299 + if (host_name)
1300 +- strncpy(driver_info.host_machine_name, host_name,
1301 +- sizeof(driver_info.host_machine_name) - 1);
1302 ++ strlcpy(driver_info.host_machine_name, host_name,
1303 ++ sizeof(driver_info.host_machine_name));
1304 + if (os_name)
1305 +- strncpy(driver_info.host_os_name, os_name,
1306 +- sizeof(driver_info.host_os_name) - 1);
1307 ++ strlcpy(driver_info.host_os_name, os_name,
1308 ++ sizeof(driver_info.host_os_name));
1309 + if (os_patch)
1310 +- strncpy(driver_info.host_os_patch, os_patch,
1311 +- sizeof(driver_info.host_os_patch) - 1);
1312 ++ strlcpy(driver_info.host_os_patch, os_patch,
1313 ++ sizeof(driver_info.host_os_patch));
1314 +
1315 +- strncpy(driver_info.os_device_name, bfad->pci_name,
1316 +- sizeof(driver_info.os_device_name) - 1);
1317 ++ strlcpy(driver_info.os_device_name, bfad->pci_name,
1318 ++ sizeof(driver_info.os_device_name));
1319 +
1320 + /* FCS driver info init */
1321 + spin_lock_irqsave(&bfad->bfad_lock, flags);
1322 +diff --git a/drivers/scsi/bfa/bfad_attr.c b/drivers/scsi/bfa/bfad_attr.c
1323 +index 13db3b7bc873..d0a504af5b4f 100644
1324 +--- a/drivers/scsi/bfa/bfad_attr.c
1325 ++++ b/drivers/scsi/bfa/bfad_attr.c
1326 +@@ -843,7 +843,7 @@ bfad_im_symbolic_name_show(struct device *dev, struct device_attribute *attr,
1327 + char symname[BFA_SYMNAME_MAXLEN];
1328 +
1329 + bfa_fcs_lport_get_attr(&bfad->bfa_fcs.fabric.bport, &port_attr);
1330 +- strncpy(symname, port_attr.port_cfg.sym_name.symname,
1331 ++ strlcpy(symname, port_attr.port_cfg.sym_name.symname,
1332 + BFA_SYMNAME_MAXLEN);
1333 + return snprintf(buf, PAGE_SIZE, "%s\n", symname);
1334 + }
1335 +diff --git a/drivers/scsi/bfa/bfad_bsg.c b/drivers/scsi/bfa/bfad_bsg.c
1336 +index d1ad0208dfe7..a3bd23685824 100644
1337 +--- a/drivers/scsi/bfa/bfad_bsg.c
1338 ++++ b/drivers/scsi/bfa/bfad_bsg.c
1339 +@@ -127,7 +127,7 @@ bfad_iocmd_ioc_get_attr(struct bfad_s *bfad, void *cmd)
1340 +
1341 + /* fill in driver attr info */
1342 + strcpy(iocmd->ioc_attr.driver_attr.driver, BFAD_DRIVER_NAME);
1343 +- strncpy(iocmd->ioc_attr.driver_attr.driver_ver,
1344 ++ strlcpy(iocmd->ioc_attr.driver_attr.driver_ver,
1345 + BFAD_DRIVER_VERSION, BFA_VERSION_LEN);
1346 + strcpy(iocmd->ioc_attr.driver_attr.fw_ver,
1347 + iocmd->ioc_attr.adapter_attr.fw_ver);
1348 +@@ -315,9 +315,9 @@ bfad_iocmd_port_get_attr(struct bfad_s *bfad, void *cmd)
1349 + iocmd->attr.port_type = port_attr.port_type;
1350 + iocmd->attr.loopback = port_attr.loopback;
1351 + iocmd->attr.authfail = port_attr.authfail;
1352 +- strncpy(iocmd->attr.port_symname.symname,
1353 ++ strlcpy(iocmd->attr.port_symname.symname,
1354 + port_attr.port_cfg.sym_name.symname,
1355 +- sizeof(port_attr.port_cfg.sym_name.symname));
1356 ++ sizeof(iocmd->attr.port_symname.symname));
1357 +
1358 + iocmd->status = BFA_STATUS_OK;
1359 + return 0;
1360 +diff --git a/drivers/scsi/csiostor/csio_lnode.c b/drivers/scsi/csiostor/csio_lnode.c
1361 +index c00b2ff72b55..be5ee2d37815 100644
1362 +--- a/drivers/scsi/csiostor/csio_lnode.c
1363 ++++ b/drivers/scsi/csiostor/csio_lnode.c
1364 +@@ -238,14 +238,23 @@ csio_osname(uint8_t *buf, size_t buf_len)
1365 + }
1366 +
1367 + static inline void
1368 +-csio_append_attrib(uint8_t **ptr, uint16_t type, uint8_t *val, uint16_t len)
1369 ++csio_append_attrib(uint8_t **ptr, uint16_t type, void *val, size_t val_len)
1370 + {
1371 ++ uint16_t len;
1372 + struct fc_fdmi_attr_entry *ae = (struct fc_fdmi_attr_entry *)*ptr;
1373 ++
1374 ++ if (WARN_ON(val_len > U16_MAX))
1375 ++ return;
1376 ++
1377 ++ len = val_len;
1378 ++
1379 + ae->type = htons(type);
1380 + len += 4; /* includes attribute type and length */
1381 + len = (len + 3) & ~3; /* should be multiple of 4 bytes */
1382 + ae->len = htons(len);
1383 +- memcpy(ae->value, val, len);
1384 ++ memcpy(ae->value, val, val_len);
1385 ++ if (len > val_len)
1386 ++ memset(ae->value + val_len, 0, len - val_len);
1387 + *ptr += len;
1388 + }
1389 +
1390 +@@ -335,7 +344,7 @@ csio_ln_fdmi_rhba_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req)
1391 + numattrs++;
1392 + val = htonl(FC_PORTSPEED_1GBIT | FC_PORTSPEED_10GBIT);
1393 + csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_SUPPORTEDSPEED,
1394 +- (uint8_t *)&val,
1395 ++ &val,
1396 + FC_FDMI_PORT_ATTR_SUPPORTEDSPEED_LEN);
1397 + numattrs++;
1398 +
1399 +@@ -346,23 +355,22 @@ csio_ln_fdmi_rhba_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req)
1400 + else
1401 + val = htonl(CSIO_HBA_PORTSPEED_UNKNOWN);
1402 + csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_CURRENTPORTSPEED,
1403 +- (uint8_t *)&val,
1404 +- FC_FDMI_PORT_ATTR_CURRENTPORTSPEED_LEN);
1405 ++ &val, FC_FDMI_PORT_ATTR_CURRENTPORTSPEED_LEN);
1406 + numattrs++;
1407 +
1408 + mfs = ln->ln_sparm.csp.sp_bb_data;
1409 + csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_MAXFRAMESIZE,
1410 +- (uint8_t *)&mfs, FC_FDMI_PORT_ATTR_MAXFRAMESIZE_LEN);
1411 ++ &mfs, sizeof(mfs));
1412 + numattrs++;
1413 +
1414 + strcpy(buf, "csiostor");
1415 + csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_OSDEVICENAME, buf,
1416 +- (uint16_t)strlen(buf));
1417 ++ strlen(buf));
1418 + numattrs++;
1419 +
1420 + if (!csio_hostname(buf, sizeof(buf))) {
1421 + csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_HOSTNAME,
1422 +- buf, (uint16_t)strlen(buf));
1423 ++ buf, strlen(buf));
1424 + numattrs++;
1425 + }
1426 + attrib_blk->numattrs = htonl(numattrs);
1427 +@@ -444,33 +452,32 @@ csio_ln_fdmi_dprt_cbfn(struct csio_hw *hw, struct csio_ioreq *fdmi_req)
1428 +
1429 + strcpy(buf, "Chelsio Communications");
1430 + csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_MANUFACTURER, buf,
1431 +- (uint16_t)strlen(buf));
1432 ++ strlen(buf));
1433 + numattrs++;
1434 + csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_SERIALNUMBER,
1435 +- hw->vpd.sn, (uint16_t)sizeof(hw->vpd.sn));
1436 ++ hw->vpd.sn, sizeof(hw->vpd.sn));
1437 + numattrs++;
1438 + csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_MODEL, hw->vpd.id,
1439 +- (uint16_t)sizeof(hw->vpd.id));
1440 ++ sizeof(hw->vpd.id));
1441 + numattrs++;
1442 + csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_MODELDESCRIPTION,
1443 +- hw->model_desc, (uint16_t)strlen(hw->model_desc));
1444 ++ hw->model_desc, strlen(hw->model_desc));
1445 + numattrs++;
1446 + csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_HARDWAREVERSION,
1447 +- hw->hw_ver, (uint16_t)sizeof(hw->hw_ver));
1448 ++ hw->hw_ver, sizeof(hw->hw_ver));
1449 + numattrs++;
1450 + csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_FIRMWAREVERSION,
1451 +- hw->fwrev_str, (uint16_t)strlen(hw->fwrev_str));
1452 ++ hw->fwrev_str, strlen(hw->fwrev_str));
1453 + numattrs++;
1454 +
1455 + if (!csio_osname(buf, sizeof(buf))) {
1456 + csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_OSNAMEVERSION,
1457 +- buf, (uint16_t)strlen(buf));
1458 ++ buf, strlen(buf));
1459 + numattrs++;
1460 + }
1461 +
1462 + csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_MAXCTPAYLOAD,
1463 +- (uint8_t *)&maxpayload,
1464 +- FC_FDMI_HBA_ATTR_MAXCTPAYLOAD_LEN);
1465 ++ &maxpayload, FC_FDMI_HBA_ATTR_MAXCTPAYLOAD_LEN);
1466 + len = (uint32_t)(pld - (uint8_t *)cmd);
1467 + numattrs++;
1468 + attrib_blk->numattrs = htonl(numattrs);
1469 +@@ -1794,6 +1801,8 @@ csio_ln_mgmt_submit_req(struct csio_ioreq *io_req,
1470 + struct csio_mgmtm *mgmtm = csio_hw_to_mgmtm(hw);
1471 + int rv;
1472 +
1473 ++ BUG_ON(pld_len > pld->len);
1474 ++
1475 + io_req->io_cbfn = io_cbfn; /* Upper layer callback handler */
1476 + io_req->fw_handle = (uintptr_t) (io_req);
1477 + io_req->eq_idx = mgmtm->eq_idx;
1478 +diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c
1479 +index 43d4b30cbf65..282ea00d0f87 100644
1480 +--- a/drivers/scsi/scsi_devinfo.c
1481 ++++ b/drivers/scsi/scsi_devinfo.c
1482 +@@ -33,7 +33,6 @@ struct scsi_dev_info_list_table {
1483 + };
1484 +
1485 +
1486 +-static const char spaces[] = " "; /* 16 of them */
1487 + static unsigned scsi_default_dev_flags;
1488 + static LIST_HEAD(scsi_dev_info_list);
1489 + static char scsi_dev_flags[256];
1490 +@@ -298,20 +297,13 @@ static void scsi_strcpy_devinfo(char *name, char *to, size_t to_length,
1491 + size_t from_length;
1492 +
1493 + from_length = strlen(from);
1494 +- strncpy(to, from, min(to_length, from_length));
1495 +- if (from_length < to_length) {
1496 +- if (compatible) {
1497 +- /*
1498 +- * NUL terminate the string if it is short.
1499 +- */
1500 +- to[from_length] = '\0';
1501 +- } else {
1502 +- /*
1503 +- * space pad the string if it is short.
1504 +- */
1505 +- strncpy(&to[from_length], spaces,
1506 +- to_length - from_length);
1507 +- }
1508 ++ /* this zero-pads the destination */
1509 ++ strncpy(to, from, to_length);
1510 ++ if (from_length < to_length && !compatible) {
1511 ++ /*
1512 ++ * space pad the string if it is short.
1513 ++ */
1514 ++ memset(&to[from_length], ' ', to_length - from_length);
1515 + }
1516 + if (from_length > to_length)
1517 + printk(KERN_WARNING "%s: %s string '%s' is too long\n",
1518 +diff --git a/drivers/staging/rts5208/sd.c b/drivers/staging/rts5208/sd.c
1519 +index 9e63bdf2afe7..4e233f3e7215 100644
1520 +--- a/drivers/staging/rts5208/sd.c
1521 ++++ b/drivers/staging/rts5208/sd.c
1522 +@@ -4110,12 +4110,6 @@ RTY_SEND_CMD:
1523 + rtsx_trace(chip);
1524 + return STATUS_FAIL;
1525 + }
1526 +-
1527 +- } else if (rsp_type == SD_RSP_TYPE_R0) {
1528 +- if ((ptr[3] & 0x1E) != 0x03) {
1529 +- rtsx_trace(chip);
1530 +- return STATUS_FAIL;
1531 +- }
1532 + }
1533 + }
1534 + }
1535 +diff --git a/drivers/tty/serial/kgdboc.c b/drivers/tty/serial/kgdboc.c
1536 +index 2db68dfe497d..c448225ef5ca 100644
1537 +--- a/drivers/tty/serial/kgdboc.c
1538 ++++ b/drivers/tty/serial/kgdboc.c
1539 +@@ -131,24 +131,6 @@ static void kgdboc_unregister_kbd(void)
1540 + #define kgdboc_restore_input()
1541 + #endif /* ! CONFIG_KDB_KEYBOARD */
1542 +
1543 +-static int kgdboc_option_setup(char *opt)
1544 +-{
1545 +- if (!opt) {
1546 +- pr_err("kgdboc: config string not provided\n");
1547 +- return -EINVAL;
1548 +- }
1549 +-
1550 +- if (strlen(opt) >= MAX_CONFIG_LEN) {
1551 +- printk(KERN_ERR "kgdboc: config string too long\n");
1552 +- return -ENOSPC;
1553 +- }
1554 +- strcpy(config, opt);
1555 +-
1556 +- return 0;
1557 +-}
1558 +-
1559 +-__setup("kgdboc=", kgdboc_option_setup);
1560 +-
1561 + static void cleanup_kgdboc(void)
1562 + {
1563 + if (kgdb_unregister_nmi_console())
1564 +@@ -162,15 +144,13 @@ static int configure_kgdboc(void)
1565 + {
1566 + struct tty_driver *p;
1567 + int tty_line = 0;
1568 +- int err;
1569 ++ int err = -ENODEV;
1570 + char *cptr = config;
1571 + struct console *cons;
1572 +
1573 +- err = kgdboc_option_setup(config);
1574 +- if (err || !strlen(config) || isspace(config[0]))
1575 ++ if (!strlen(config) || isspace(config[0]))
1576 + goto noconfig;
1577 +
1578 +- err = -ENODEV;
1579 + kgdboc_io_ops.is_console = 0;
1580 + kgdb_tty_driver = NULL;
1581 +
1582 +@@ -318,6 +298,25 @@ static struct kgdb_io kgdboc_io_ops = {
1583 + };
1584 +
1585 + #ifdef CONFIG_KGDB_SERIAL_CONSOLE
1586 ++static int kgdboc_option_setup(char *opt)
1587 ++{
1588 ++ if (!opt) {
1589 ++ pr_err("config string not provided\n");
1590 ++ return -EINVAL;
1591 ++ }
1592 ++
1593 ++ if (strlen(opt) >= MAX_CONFIG_LEN) {
1594 ++ pr_err("config string too long\n");
1595 ++ return -ENOSPC;
1596 ++ }
1597 ++ strcpy(config, opt);
1598 ++
1599 ++ return 0;
1600 ++}
1601 ++
1602 ++__setup("kgdboc=", kgdboc_option_setup);
1603 ++
1604 ++
1605 + /* This is only available if kgdboc is a built in for early debugging */
1606 + static int __init kgdboc_early_init(char *opt)
1607 + {
1608 +diff --git a/drivers/usb/gadget/udc/dummy_hcd.c b/drivers/usb/gadget/udc/dummy_hcd.c
1609 +index ff4d6cac7ac0..ab89fa3b4118 100644
1610 +--- a/drivers/usb/gadget/udc/dummy_hcd.c
1611 ++++ b/drivers/usb/gadget/udc/dummy_hcd.c
1612 +@@ -379,11 +379,10 @@ static void set_link_state_by_speed(struct dummy_hcd *dum_hcd)
1613 + USB_PORT_STAT_CONNECTION) == 0)
1614 + dum_hcd->port_status |=
1615 + (USB_PORT_STAT_C_CONNECTION << 16);
1616 +- if ((dum_hcd->port_status &
1617 +- USB_PORT_STAT_ENABLE) == 1 &&
1618 +- (dum_hcd->port_status &
1619 +- USB_SS_PORT_LS_U0) == 1 &&
1620 +- dum_hcd->rh_state != DUMMY_RH_SUSPENDED)
1621 ++ if ((dum_hcd->port_status & USB_PORT_STAT_ENABLE) &&
1622 ++ (dum_hcd->port_status &
1623 ++ USB_PORT_STAT_LINK_STATE) == USB_SS_PORT_LS_U0 &&
1624 ++ dum_hcd->rh_state != DUMMY_RH_SUSPENDED)
1625 + dum_hcd->active = 1;
1626 + }
1627 + } else {
1628 +diff --git a/fs/btrfs/Makefile b/fs/btrfs/Makefile
1629 +index 128ce17a80b0..076ccfb44c28 100644
1630 +--- a/fs/btrfs/Makefile
1631 ++++ b/fs/btrfs/Makefile
1632 +@@ -9,7 +9,7 @@ btrfs-y += super.o ctree.o extent-tree.o print-tree.o root-tree.o dir-item.o \
1633 + export.o tree-log.o free-space-cache.o zlib.o lzo.o \
1634 + compression.o delayed-ref.o relocation.o delayed-inode.o scrub.o \
1635 + reada.o backref.o ulist.o qgroup.o send.o dev-replace.o raid56.o \
1636 +- uuid-tree.o props.o hash.o free-space-tree.o
1637 ++ uuid-tree.o props.o hash.o free-space-tree.o tree-checker.o
1638 +
1639 + btrfs-$(CONFIG_BTRFS_FS_POSIX_ACL) += acl.o
1640 + btrfs-$(CONFIG_BTRFS_FS_CHECK_INTEGRITY) += check-integrity.o
1641 +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
1642 +index 86245b884fce..a423c36bcd72 100644
1643 +--- a/fs/btrfs/ctree.h
1644 ++++ b/fs/btrfs/ctree.h
1645 +@@ -1415,7 +1415,7 @@ do { \
1646 + #define BTRFS_INODE_ROOT_ITEM_INIT (1 << 31)
1647 +
1648 + struct btrfs_map_token {
1649 +- struct extent_buffer *eb;
1650 ++ const struct extent_buffer *eb;
1651 + char *kaddr;
1652 + unsigned long offset;
1653 + };
1654 +@@ -1449,18 +1449,19 @@ static inline void btrfs_init_map_token (struct btrfs_map_token *token)
1655 + sizeof(((type *)0)->member)))
1656 +
1657 + #define DECLARE_BTRFS_SETGET_BITS(bits) \
1658 +-u##bits btrfs_get_token_##bits(struct extent_buffer *eb, void *ptr, \
1659 +- unsigned long off, \
1660 +- struct btrfs_map_token *token); \
1661 +-void btrfs_set_token_##bits(struct extent_buffer *eb, void *ptr, \
1662 ++u##bits btrfs_get_token_##bits(const struct extent_buffer *eb, \
1663 ++ const void *ptr, unsigned long off, \
1664 ++ struct btrfs_map_token *token); \
1665 ++void btrfs_set_token_##bits(struct extent_buffer *eb, const void *ptr, \
1666 + unsigned long off, u##bits val, \
1667 + struct btrfs_map_token *token); \
1668 +-static inline u##bits btrfs_get_##bits(struct extent_buffer *eb, void *ptr, \
1669 ++static inline u##bits btrfs_get_##bits(const struct extent_buffer *eb, \
1670 ++ const void *ptr, \
1671 + unsigned long off) \
1672 + { \
1673 + return btrfs_get_token_##bits(eb, ptr, off, NULL); \
1674 + } \
1675 +-static inline void btrfs_set_##bits(struct extent_buffer *eb, void *ptr, \
1676 ++static inline void btrfs_set_##bits(struct extent_buffer *eb, void *ptr,\
1677 + unsigned long off, u##bits val) \
1678 + { \
1679 + btrfs_set_token_##bits(eb, ptr, off, val, NULL); \
1680 +@@ -1472,7 +1473,8 @@ DECLARE_BTRFS_SETGET_BITS(32)
1681 + DECLARE_BTRFS_SETGET_BITS(64)
1682 +
1683 + #define BTRFS_SETGET_FUNCS(name, type, member, bits) \
1684 +-static inline u##bits btrfs_##name(struct extent_buffer *eb, type *s) \
1685 ++static inline u##bits btrfs_##name(const struct extent_buffer *eb, \
1686 ++ const type *s) \
1687 + { \
1688 + BUILD_BUG_ON(sizeof(u##bits) != sizeof(((type *)0))->member); \
1689 + return btrfs_get_##bits(eb, s, offsetof(type, member)); \
1690 +@@ -1483,7 +1485,8 @@ static inline void btrfs_set_##name(struct extent_buffer *eb, type *s, \
1691 + BUILD_BUG_ON(sizeof(u##bits) != sizeof(((type *)0))->member); \
1692 + btrfs_set_##bits(eb, s, offsetof(type, member), val); \
1693 + } \
1694 +-static inline u##bits btrfs_token_##name(struct extent_buffer *eb, type *s, \
1695 ++static inline u##bits btrfs_token_##name(const struct extent_buffer *eb,\
1696 ++ const type *s, \
1697 + struct btrfs_map_token *token) \
1698 + { \
1699 + BUILD_BUG_ON(sizeof(u##bits) != sizeof(((type *)0))->member); \
1700 +@@ -1498,9 +1501,9 @@ static inline void btrfs_set_token_##name(struct extent_buffer *eb, \
1701 + }
1702 +
1703 + #define BTRFS_SETGET_HEADER_FUNCS(name, type, member, bits) \
1704 +-static inline u##bits btrfs_##name(struct extent_buffer *eb) \
1705 ++static inline u##bits btrfs_##name(const struct extent_buffer *eb) \
1706 + { \
1707 +- type *p = page_address(eb->pages[0]); \
1708 ++ const type *p = page_address(eb->pages[0]); \
1709 + u##bits res = le##bits##_to_cpu(p->member); \
1710 + return res; \
1711 + } \
1712 +@@ -1512,7 +1515,7 @@ static inline void btrfs_set_##name(struct extent_buffer *eb, \
1713 + }
1714 +
1715 + #define BTRFS_SETGET_STACK_FUNCS(name, type, member, bits) \
1716 +-static inline u##bits btrfs_##name(type *s) \
1717 ++static inline u##bits btrfs_##name(const type *s) \
1718 + { \
1719 + return le##bits##_to_cpu(s->member); \
1720 + } \
1721 +@@ -1818,7 +1821,7 @@ static inline unsigned long btrfs_node_key_ptr_offset(int nr)
1722 + sizeof(struct btrfs_key_ptr) * nr;
1723 + }
1724 +
1725 +-void btrfs_node_key(struct extent_buffer *eb,
1726 ++void btrfs_node_key(const struct extent_buffer *eb,
1727 + struct btrfs_disk_key *disk_key, int nr);
1728 +
1729 + static inline void btrfs_set_node_key(struct extent_buffer *eb,
1730 +@@ -1847,28 +1850,28 @@ static inline struct btrfs_item *btrfs_item_nr(int nr)
1731 + return (struct btrfs_item *)btrfs_item_nr_offset(nr);
1732 + }
1733 +
1734 +-static inline u32 btrfs_item_end(struct extent_buffer *eb,
1735 ++static inline u32 btrfs_item_end(const struct extent_buffer *eb,
1736 + struct btrfs_item *item)
1737 + {
1738 + return btrfs_item_offset(eb, item) + btrfs_item_size(eb, item);
1739 + }
1740 +
1741 +-static inline u32 btrfs_item_end_nr(struct extent_buffer *eb, int nr)
1742 ++static inline u32 btrfs_item_end_nr(const struct extent_buffer *eb, int nr)
1743 + {
1744 + return btrfs_item_end(eb, btrfs_item_nr(nr));
1745 + }
1746 +
1747 +-static inline u32 btrfs_item_offset_nr(struct extent_buffer *eb, int nr)
1748 ++static inline u32 btrfs_item_offset_nr(const struct extent_buffer *eb, int nr)
1749 + {
1750 + return btrfs_item_offset(eb, btrfs_item_nr(nr));
1751 + }
1752 +
1753 +-static inline u32 btrfs_item_size_nr(struct extent_buffer *eb, int nr)
1754 ++static inline u32 btrfs_item_size_nr(const struct extent_buffer *eb, int nr)
1755 + {
1756 + return btrfs_item_size(eb, btrfs_item_nr(nr));
1757 + }
1758 +
1759 +-static inline void btrfs_item_key(struct extent_buffer *eb,
1760 ++static inline void btrfs_item_key(const struct extent_buffer *eb,
1761 + struct btrfs_disk_key *disk_key, int nr)
1762 + {
1763 + struct btrfs_item *item = btrfs_item_nr(nr);
1764 +@@ -1904,8 +1907,8 @@ BTRFS_SETGET_STACK_FUNCS(stack_dir_name_len, struct btrfs_dir_item,
1765 + BTRFS_SETGET_STACK_FUNCS(stack_dir_transid, struct btrfs_dir_item,
1766 + transid, 64);
1767 +
1768 +-static inline void btrfs_dir_item_key(struct extent_buffer *eb,
1769 +- struct btrfs_dir_item *item,
1770 ++static inline void btrfs_dir_item_key(const struct extent_buffer *eb,
1771 ++ const struct btrfs_dir_item *item,
1772 + struct btrfs_disk_key *key)
1773 + {
1774 + read_eb_member(eb, item, struct btrfs_dir_item, location, key);
1775 +@@ -1913,7 +1916,7 @@ static inline void btrfs_dir_item_key(struct extent_buffer *eb,
1776 +
1777 + static inline void btrfs_set_dir_item_key(struct extent_buffer *eb,
1778 + struct btrfs_dir_item *item,
1779 +- struct btrfs_disk_key *key)
1780 ++ const struct btrfs_disk_key *key)
1781 + {
1782 + write_eb_member(eb, item, struct btrfs_dir_item, location, key);
1783 + }
1784 +@@ -1925,8 +1928,8 @@ BTRFS_SETGET_FUNCS(free_space_bitmaps, struct btrfs_free_space_header,
1785 + BTRFS_SETGET_FUNCS(free_space_generation, struct btrfs_free_space_header,
1786 + generation, 64);
1787 +
1788 +-static inline void btrfs_free_space_key(struct extent_buffer *eb,
1789 +- struct btrfs_free_space_header *h,
1790 ++static inline void btrfs_free_space_key(const struct extent_buffer *eb,
1791 ++ const struct btrfs_free_space_header *h,
1792 + struct btrfs_disk_key *key)
1793 + {
1794 + read_eb_member(eb, h, struct btrfs_free_space_header, location, key);
1795 +@@ -1934,7 +1937,7 @@ static inline void btrfs_free_space_key(struct extent_buffer *eb,
1796 +
1797 + static inline void btrfs_set_free_space_key(struct extent_buffer *eb,
1798 + struct btrfs_free_space_header *h,
1799 +- struct btrfs_disk_key *key)
1800 ++ const struct btrfs_disk_key *key)
1801 + {
1802 + write_eb_member(eb, h, struct btrfs_free_space_header, location, key);
1803 + }
1804 +@@ -1961,25 +1964,25 @@ static inline void btrfs_cpu_key_to_disk(struct btrfs_disk_key *disk,
1805 + disk->objectid = cpu_to_le64(cpu->objectid);
1806 + }
1807 +
1808 +-static inline void btrfs_node_key_to_cpu(struct extent_buffer *eb,
1809 +- struct btrfs_key *key, int nr)
1810 ++static inline void btrfs_node_key_to_cpu(const struct extent_buffer *eb,
1811 ++ struct btrfs_key *key, int nr)
1812 + {
1813 + struct btrfs_disk_key disk_key;
1814 + btrfs_node_key(eb, &disk_key, nr);
1815 + btrfs_disk_key_to_cpu(key, &disk_key);
1816 + }
1817 +
1818 +-static inline void btrfs_item_key_to_cpu(struct extent_buffer *eb,
1819 +- struct btrfs_key *key, int nr)
1820 ++static inline void btrfs_item_key_to_cpu(const struct extent_buffer *eb,
1821 ++ struct btrfs_key *key, int nr)
1822 + {
1823 + struct btrfs_disk_key disk_key;
1824 + btrfs_item_key(eb, &disk_key, nr);
1825 + btrfs_disk_key_to_cpu(key, &disk_key);
1826 + }
1827 +
1828 +-static inline void btrfs_dir_item_key_to_cpu(struct extent_buffer *eb,
1829 +- struct btrfs_dir_item *item,
1830 +- struct btrfs_key *key)
1831 ++static inline void btrfs_dir_item_key_to_cpu(const struct extent_buffer *eb,
1832 ++ const struct btrfs_dir_item *item,
1833 ++ struct btrfs_key *key)
1834 + {
1835 + struct btrfs_disk_key disk_key;
1836 + btrfs_dir_item_key(eb, item, &disk_key);
1837 +@@ -2012,7 +2015,7 @@ BTRFS_SETGET_STACK_FUNCS(stack_header_nritems, struct btrfs_header,
1838 + nritems, 32);
1839 + BTRFS_SETGET_STACK_FUNCS(stack_header_bytenr, struct btrfs_header, bytenr, 64);
1840 +
1841 +-static inline int btrfs_header_flag(struct extent_buffer *eb, u64 flag)
1842 ++static inline int btrfs_header_flag(const struct extent_buffer *eb, u64 flag)
1843 + {
1844 + return (btrfs_header_flags(eb) & flag) == flag;
1845 + }
1846 +@@ -2031,7 +2034,7 @@ static inline int btrfs_clear_header_flag(struct extent_buffer *eb, u64 flag)
1847 + return (flags & flag) == flag;
1848 + }
1849 +
1850 +-static inline int btrfs_header_backref_rev(struct extent_buffer *eb)
1851 ++static inline int btrfs_header_backref_rev(const struct extent_buffer *eb)
1852 + {
1853 + u64 flags = btrfs_header_flags(eb);
1854 + return flags >> BTRFS_BACKREF_REV_SHIFT;
1855 +@@ -2051,12 +2054,12 @@ static inline unsigned long btrfs_header_fsid(void)
1856 + return offsetof(struct btrfs_header, fsid);
1857 + }
1858 +
1859 +-static inline unsigned long btrfs_header_chunk_tree_uuid(struct extent_buffer *eb)
1860 ++static inline unsigned long btrfs_header_chunk_tree_uuid(const struct extent_buffer *eb)
1861 + {
1862 + return offsetof(struct btrfs_header, chunk_tree_uuid);
1863 + }
1864 +
1865 +-static inline int btrfs_is_leaf(struct extent_buffer *eb)
1866 ++static inline int btrfs_is_leaf(const struct extent_buffer *eb)
1867 + {
1868 + return btrfs_header_level(eb) == 0;
1869 + }
1870 +@@ -2090,12 +2093,12 @@ BTRFS_SETGET_STACK_FUNCS(root_stransid, struct btrfs_root_item,
1871 + BTRFS_SETGET_STACK_FUNCS(root_rtransid, struct btrfs_root_item,
1872 + rtransid, 64);
1873 +
1874 +-static inline bool btrfs_root_readonly(struct btrfs_root *root)
1875 ++static inline bool btrfs_root_readonly(const struct btrfs_root *root)
1876 + {
1877 + return (root->root_item.flags & cpu_to_le64(BTRFS_ROOT_SUBVOL_RDONLY)) != 0;
1878 + }
1879 +
1880 +-static inline bool btrfs_root_dead(struct btrfs_root *root)
1881 ++static inline bool btrfs_root_dead(const struct btrfs_root *root)
1882 + {
1883 + return (root->root_item.flags & cpu_to_le64(BTRFS_ROOT_SUBVOL_DEAD)) != 0;
1884 + }
1885 +@@ -2152,51 +2155,51 @@ BTRFS_SETGET_STACK_FUNCS(backup_num_devices, struct btrfs_root_backup,
1886 + /* struct btrfs_balance_item */
1887 + BTRFS_SETGET_FUNCS(balance_flags, struct btrfs_balance_item, flags, 64);
1888 +
1889 +-static inline void btrfs_balance_data(struct extent_buffer *eb,
1890 +- struct btrfs_balance_item *bi,
1891 ++static inline void btrfs_balance_data(const struct extent_buffer *eb,
1892 ++ const struct btrfs_balance_item *bi,
1893 + struct btrfs_disk_balance_args *ba)
1894 + {
1895 + read_eb_member(eb, bi, struct btrfs_balance_item, data, ba);
1896 + }
1897 +
1898 + static inline void btrfs_set_balance_data(struct extent_buffer *eb,
1899 +- struct btrfs_balance_item *bi,
1900 +- struct btrfs_disk_balance_args *ba)
1901 ++ struct btrfs_balance_item *bi,
1902 ++ const struct btrfs_disk_balance_args *ba)
1903 + {
1904 + write_eb_member(eb, bi, struct btrfs_balance_item, data, ba);
1905 + }
1906 +
1907 +-static inline void btrfs_balance_meta(struct extent_buffer *eb,
1908 +- struct btrfs_balance_item *bi,
1909 ++static inline void btrfs_balance_meta(const struct extent_buffer *eb,
1910 ++ const struct btrfs_balance_item *bi,
1911 + struct btrfs_disk_balance_args *ba)
1912 + {
1913 + read_eb_member(eb, bi, struct btrfs_balance_item, meta, ba);
1914 + }
1915 +
1916 + static inline void btrfs_set_balance_meta(struct extent_buffer *eb,
1917 +- struct btrfs_balance_item *bi,
1918 +- struct btrfs_disk_balance_args *ba)
1919 ++ struct btrfs_balance_item *bi,
1920 ++ const struct btrfs_disk_balance_args *ba)
1921 + {
1922 + write_eb_member(eb, bi, struct btrfs_balance_item, meta, ba);
1923 + }
1924 +
1925 +-static inline void btrfs_balance_sys(struct extent_buffer *eb,
1926 +- struct btrfs_balance_item *bi,
1927 ++static inline void btrfs_balance_sys(const struct extent_buffer *eb,
1928 ++ const struct btrfs_balance_item *bi,
1929 + struct btrfs_disk_balance_args *ba)
1930 + {
1931 + read_eb_member(eb, bi, struct btrfs_balance_item, sys, ba);
1932 + }
1933 +
1934 + static inline void btrfs_set_balance_sys(struct extent_buffer *eb,
1935 +- struct btrfs_balance_item *bi,
1936 +- struct btrfs_disk_balance_args *ba)
1937 ++ struct btrfs_balance_item *bi,
1938 ++ const struct btrfs_disk_balance_args *ba)
1939 + {
1940 + write_eb_member(eb, bi, struct btrfs_balance_item, sys, ba);
1941 + }
1942 +
1943 + static inline void
1944 + btrfs_disk_balance_args_to_cpu(struct btrfs_balance_args *cpu,
1945 +- struct btrfs_disk_balance_args *disk)
1946 ++ const struct btrfs_disk_balance_args *disk)
1947 + {
1948 + memset(cpu, 0, sizeof(*cpu));
1949 +
1950 +@@ -2216,7 +2219,7 @@ btrfs_disk_balance_args_to_cpu(struct btrfs_balance_args *cpu,
1951 +
1952 + static inline void
1953 + btrfs_cpu_balance_args_to_disk(struct btrfs_disk_balance_args *disk,
1954 +- struct btrfs_balance_args *cpu)
1955 ++ const struct btrfs_balance_args *cpu)
1956 + {
1957 + memset(disk, 0, sizeof(*disk));
1958 +
1959 +@@ -2284,7 +2287,7 @@ BTRFS_SETGET_STACK_FUNCS(super_magic, struct btrfs_super_block, magic, 64);
1960 + BTRFS_SETGET_STACK_FUNCS(super_uuid_tree_generation, struct btrfs_super_block,
1961 + uuid_tree_generation, 64);
1962 +
1963 +-static inline int btrfs_super_csum_size(struct btrfs_super_block *s)
1964 ++static inline int btrfs_super_csum_size(const struct btrfs_super_block *s)
1965 + {
1966 + u16 t = btrfs_super_csum_type(s);
1967 + /*
1968 +@@ -2303,8 +2306,8 @@ static inline unsigned long btrfs_leaf_data(struct extent_buffer *l)
1969 + * this returns the address of the start of the last item,
1970 + * which is the stop of the leaf data stack
1971 + */
1972 +-static inline unsigned int leaf_data_end(struct btrfs_root *root,
1973 +- struct extent_buffer *leaf)
1974 ++static inline unsigned int leaf_data_end(const struct btrfs_root *root,
1975 ++ const struct extent_buffer *leaf)
1976 + {
1977 + u32 nr = btrfs_header_nritems(leaf);
1978 +
1979 +@@ -2329,7 +2332,7 @@ BTRFS_SETGET_STACK_FUNCS(stack_file_extent_compression,
1980 + struct btrfs_file_extent_item, compression, 8);
1981 +
1982 + static inline unsigned long
1983 +-btrfs_file_extent_inline_start(struct btrfs_file_extent_item *e)
1984 ++btrfs_file_extent_inline_start(const struct btrfs_file_extent_item *e)
1985 + {
1986 + return (unsigned long)e + BTRFS_FILE_EXTENT_INLINE_DATA_START;
1987 + }
1988 +@@ -2363,8 +2366,9 @@ BTRFS_SETGET_FUNCS(file_extent_other_encoding, struct btrfs_file_extent_item,
1989 + * size of any extent headers. If a file is compressed on disk, this is
1990 + * the compressed size
1991 + */
1992 +-static inline u32 btrfs_file_extent_inline_item_len(struct extent_buffer *eb,
1993 +- struct btrfs_item *e)
1994 ++static inline u32 btrfs_file_extent_inline_item_len(
1995 ++ const struct extent_buffer *eb,
1996 ++ struct btrfs_item *e)
1997 + {
1998 + return btrfs_item_size(eb, e) - BTRFS_FILE_EXTENT_INLINE_DATA_START;
1999 + }
2000 +@@ -2372,9 +2376,9 @@ static inline u32 btrfs_file_extent_inline_item_len(struct extent_buffer *eb,
2001 + /* this returns the number of file bytes represented by the inline item.
2002 + * If an item is compressed, this is the uncompressed size
2003 + */
2004 +-static inline u32 btrfs_file_extent_inline_len(struct extent_buffer *eb,
2005 +- int slot,
2006 +- struct btrfs_file_extent_item *fi)
2007 ++static inline u32 btrfs_file_extent_inline_len(const struct extent_buffer *eb,
2008 ++ int slot,
2009 ++ const struct btrfs_file_extent_item *fi)
2010 + {
2011 + struct btrfs_map_token token;
2012 +
2013 +@@ -2396,8 +2400,8 @@ static inline u32 btrfs_file_extent_inline_len(struct extent_buffer *eb,
2014 +
2015 +
2016 + /* btrfs_dev_stats_item */
2017 +-static inline u64 btrfs_dev_stats_value(struct extent_buffer *eb,
2018 +- struct btrfs_dev_stats_item *ptr,
2019 ++static inline u64 btrfs_dev_stats_value(const struct extent_buffer *eb,
2020 ++ const struct btrfs_dev_stats_item *ptr,
2021 + int index)
2022 + {
2023 + u64 val;
2024 +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
2025 +index 57d375c68e46..77b32415d9f2 100644
2026 +--- a/fs/btrfs/disk-io.c
2027 ++++ b/fs/btrfs/disk-io.c
2028 +@@ -50,6 +50,7 @@
2029 + #include "sysfs.h"
2030 + #include "qgroup.h"
2031 + #include "compression.h"
2032 ++#include "tree-checker.h"
2033 +
2034 + #ifdef CONFIG_X86
2035 + #include <asm/cpufeature.h>
2036 +@@ -452,9 +453,9 @@ static int btree_read_extent_buffer_pages(struct btrfs_root *root,
2037 + int mirror_num = 0;
2038 + int failed_mirror = 0;
2039 +
2040 +- clear_bit(EXTENT_BUFFER_CORRUPT, &eb->bflags);
2041 + io_tree = &BTRFS_I(root->fs_info->btree_inode)->io_tree;
2042 + while (1) {
2043 ++ clear_bit(EXTENT_BUFFER_CORRUPT, &eb->bflags);
2044 + ret = read_extent_buffer_pages(io_tree, eb, WAIT_COMPLETE,
2045 + btree_get_extent, mirror_num);
2046 + if (!ret) {
2047 +@@ -465,14 +466,6 @@ static int btree_read_extent_buffer_pages(struct btrfs_root *root,
2048 + ret = -EIO;
2049 + }
2050 +
2051 +- /*
2052 +- * This buffer's crc is fine, but its contents are corrupted, so
2053 +- * there is no reason to read the other copies, they won't be
2054 +- * any less wrong.
2055 +- */
2056 +- if (test_bit(EXTENT_BUFFER_CORRUPT, &eb->bflags))
2057 +- break;
2058 +-
2059 + num_copies = btrfs_num_copies(root->fs_info,
2060 + eb->start, eb->len);
2061 + if (num_copies == 1)
2062 +@@ -546,145 +539,6 @@ static int check_tree_block_fsid(struct btrfs_fs_info *fs_info,
2063 + return ret;
2064 + }
2065 +
2066 +-#define CORRUPT(reason, eb, root, slot) \
2067 +- btrfs_crit(root->fs_info, "corrupt %s, %s: block=%llu," \
2068 +- " root=%llu, slot=%d", \
2069 +- btrfs_header_level(eb) == 0 ? "leaf" : "node",\
2070 +- reason, btrfs_header_bytenr(eb), root->objectid, slot)
2071 +-
2072 +-static noinline int check_leaf(struct btrfs_root *root,
2073 +- struct extent_buffer *leaf)
2074 +-{
2075 +- struct btrfs_key key;
2076 +- struct btrfs_key leaf_key;
2077 +- u32 nritems = btrfs_header_nritems(leaf);
2078 +- int slot;
2079 +-
2080 +- /*
2081 +- * Extent buffers from a relocation tree have a owner field that
2082 +- * corresponds to the subvolume tree they are based on. So just from an
2083 +- * extent buffer alone we can not find out what is the id of the
2084 +- * corresponding subvolume tree, so we can not figure out if the extent
2085 +- * buffer corresponds to the root of the relocation tree or not. So skip
2086 +- * this check for relocation trees.
2087 +- */
2088 +- if (nritems == 0 && !btrfs_header_flag(leaf, BTRFS_HEADER_FLAG_RELOC)) {
2089 +- struct btrfs_root *check_root;
2090 +-
2091 +- key.objectid = btrfs_header_owner(leaf);
2092 +- key.type = BTRFS_ROOT_ITEM_KEY;
2093 +- key.offset = (u64)-1;
2094 +-
2095 +- check_root = btrfs_get_fs_root(root->fs_info, &key, false);
2096 +- /*
2097 +- * The only reason we also check NULL here is that during
2098 +- * open_ctree() some roots has not yet been set up.
2099 +- */
2100 +- if (!IS_ERR_OR_NULL(check_root)) {
2101 +- struct extent_buffer *eb;
2102 +-
2103 +- eb = btrfs_root_node(check_root);
2104 +- /* if leaf is the root, then it's fine */
2105 +- if (leaf != eb) {
2106 +- CORRUPT("non-root leaf's nritems is 0",
2107 +- leaf, check_root, 0);
2108 +- free_extent_buffer(eb);
2109 +- return -EIO;
2110 +- }
2111 +- free_extent_buffer(eb);
2112 +- }
2113 +- return 0;
2114 +- }
2115 +-
2116 +- if (nritems == 0)
2117 +- return 0;
2118 +-
2119 +- /* Check the 0 item */
2120 +- if (btrfs_item_offset_nr(leaf, 0) + btrfs_item_size_nr(leaf, 0) !=
2121 +- BTRFS_LEAF_DATA_SIZE(root)) {
2122 +- CORRUPT("invalid item offset size pair", leaf, root, 0);
2123 +- return -EIO;
2124 +- }
2125 +-
2126 +- /*
2127 +- * Check to make sure each items keys are in the correct order and their
2128 +- * offsets make sense. We only have to loop through nritems-1 because
2129 +- * we check the current slot against the next slot, which verifies the
2130 +- * next slot's offset+size makes sense and that the current's slot
2131 +- * offset is correct.
2132 +- */
2133 +- for (slot = 0; slot < nritems - 1; slot++) {
2134 +- btrfs_item_key_to_cpu(leaf, &leaf_key, slot);
2135 +- btrfs_item_key_to_cpu(leaf, &key, slot + 1);
2136 +-
2137 +- /* Make sure the keys are in the right order */
2138 +- if (btrfs_comp_cpu_keys(&leaf_key, &key) >= 0) {
2139 +- CORRUPT("bad key order", leaf, root, slot);
2140 +- return -EIO;
2141 +- }
2142 +-
2143 +- /*
2144 +- * Make sure the offset and ends are right, remember that the
2145 +- * item data starts at the end of the leaf and grows towards the
2146 +- * front.
2147 +- */
2148 +- if (btrfs_item_offset_nr(leaf, slot) !=
2149 +- btrfs_item_end_nr(leaf, slot + 1)) {
2150 +- CORRUPT("slot offset bad", leaf, root, slot);
2151 +- return -EIO;
2152 +- }
2153 +-
2154 +- /*
2155 +- * Check to make sure that we don't point outside of the leaf,
2156 +- * just in case all the items are consistent to each other, but
2157 +- * all point outside of the leaf.
2158 +- */
2159 +- if (btrfs_item_end_nr(leaf, slot) >
2160 +- BTRFS_LEAF_DATA_SIZE(root)) {
2161 +- CORRUPT("slot end outside of leaf", leaf, root, slot);
2162 +- return -EIO;
2163 +- }
2164 +- }
2165 +-
2166 +- return 0;
2167 +-}
2168 +-
2169 +-static int check_node(struct btrfs_root *root, struct extent_buffer *node)
2170 +-{
2171 +- unsigned long nr = btrfs_header_nritems(node);
2172 +- struct btrfs_key key, next_key;
2173 +- int slot;
2174 +- u64 bytenr;
2175 +- int ret = 0;
2176 +-
2177 +- if (nr == 0 || nr > BTRFS_NODEPTRS_PER_BLOCK(root)) {
2178 +- btrfs_crit(root->fs_info,
2179 +- "corrupt node: block %llu root %llu nritems %lu",
2180 +- node->start, root->objectid, nr);
2181 +- return -EIO;
2182 +- }
2183 +-
2184 +- for (slot = 0; slot < nr - 1; slot++) {
2185 +- bytenr = btrfs_node_blockptr(node, slot);
2186 +- btrfs_node_key_to_cpu(node, &key, slot);
2187 +- btrfs_node_key_to_cpu(node, &next_key, slot + 1);
2188 +-
2189 +- if (!bytenr) {
2190 +- CORRUPT("invalid item slot", node, root, slot);
2191 +- ret = -EIO;
2192 +- goto out;
2193 +- }
2194 +-
2195 +- if (btrfs_comp_cpu_keys(&key, &next_key) >= 0) {
2196 +- CORRUPT("bad key order", node, root, slot);
2197 +- ret = -EIO;
2198 +- goto out;
2199 +- }
2200 +- }
2201 +-out:
2202 +- return ret;
2203 +-}
2204 +-
2205 + static int btree_readpage_end_io_hook(struct btrfs_io_bio *io_bio,
2206 + u64 phy_offset, struct page *page,
2207 + u64 start, u64 end, int mirror)
2208 +@@ -750,12 +604,12 @@ static int btree_readpage_end_io_hook(struct btrfs_io_bio *io_bio,
2209 + * that we don't try and read the other copies of this block, just
2210 + * return -EIO.
2211 + */
2212 +- if (found_level == 0 && check_leaf(root, eb)) {
2213 ++ if (found_level == 0 && btrfs_check_leaf_full(root, eb)) {
2214 + set_bit(EXTENT_BUFFER_CORRUPT, &eb->bflags);
2215 + ret = -EIO;
2216 + }
2217 +
2218 +- if (found_level > 0 && check_node(root, eb))
2219 ++ if (found_level > 0 && btrfs_check_node(root, eb))
2220 + ret = -EIO;
2221 +
2222 + if (!ret)
2223 +@@ -4086,7 +3940,13 @@ void btrfs_mark_buffer_dirty(struct extent_buffer *buf)
2224 + buf->len,
2225 + root->fs_info->dirty_metadata_batch);
2226 + #ifdef CONFIG_BTRFS_FS_CHECK_INTEGRITY
2227 +- if (btrfs_header_level(buf) == 0 && check_leaf(root, buf)) {
2228 ++ /*
2229 ++ * Since btrfs_mark_buffer_dirty() can be called with item pointer set
2230 ++ * but item data not updated.
2231 ++ * So here we should only check item pointers, not item data.
2232 ++ */
2233 ++ if (btrfs_header_level(buf) == 0 &&
2234 ++ btrfs_check_leaf_relaxed(root, buf)) {
2235 + btrfs_print_leaf(root, buf);
2236 + ASSERT(0);
2237 + }
2238 +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
2239 +index a775307f3b6b..7938c48c72ff 100644
2240 +--- a/fs/btrfs/extent-tree.c
2241 ++++ b/fs/btrfs/extent-tree.c
2242 +@@ -9896,6 +9896,8 @@ static int find_first_block_group(struct btrfs_root *root,
2243 + int ret = 0;
2244 + struct btrfs_key found_key;
2245 + struct extent_buffer *leaf;
2246 ++ struct btrfs_block_group_item bg;
2247 ++ u64 flags;
2248 + int slot;
2249 +
2250 + ret = btrfs_search_slot(NULL, root, key, path, 0, 0);
2251 +@@ -9930,8 +9932,32 @@ static int find_first_block_group(struct btrfs_root *root,
2252 + "logical %llu len %llu found bg but no related chunk",
2253 + found_key.objectid, found_key.offset);
2254 + ret = -ENOENT;
2255 ++ } else if (em->start != found_key.objectid ||
2256 ++ em->len != found_key.offset) {
2257 ++ btrfs_err(root->fs_info,
2258 ++ "block group %llu len %llu mismatch with chunk %llu len %llu",
2259 ++ found_key.objectid, found_key.offset,
2260 ++ em->start, em->len);
2261 ++ ret = -EUCLEAN;
2262 + } else {
2263 +- ret = 0;
2264 ++ read_extent_buffer(leaf, &bg,
2265 ++ btrfs_item_ptr_offset(leaf, slot),
2266 ++ sizeof(bg));
2267 ++ flags = btrfs_block_group_flags(&bg) &
2268 ++ BTRFS_BLOCK_GROUP_TYPE_MASK;
2269 ++
2270 ++ if (flags != (em->map_lookup->type &
2271 ++ BTRFS_BLOCK_GROUP_TYPE_MASK)) {
2272 ++ btrfs_err(root->fs_info,
2273 ++"block group %llu len %llu type flags 0x%llx mismatch with chunk type flags 0x%llx",
2274 ++ found_key.objectid,
2275 ++ found_key.offset, flags,
2276 ++ (BTRFS_BLOCK_GROUP_TYPE_MASK &
2277 ++ em->map_lookup->type));
2278 ++ ret = -EUCLEAN;
2279 ++ } else {
2280 ++ ret = 0;
2281 ++ }
2282 + }
2283 + free_extent_map(em);
2284 + goto out;
2285 +@@ -10159,6 +10185,62 @@ btrfs_create_block_group_cache(struct btrfs_root *root, u64 start, u64 size)
2286 + return cache;
2287 + }
2288 +
2289 ++
2290 ++/*
2291 ++ * Iterate all chunks and verify that each of them has the corresponding block
2292 ++ * group
2293 ++ */
2294 ++static int check_chunk_block_group_mappings(struct btrfs_fs_info *fs_info)
2295 ++{
2296 ++ struct btrfs_mapping_tree *map_tree = &fs_info->mapping_tree;
2297 ++ struct extent_map *em;
2298 ++ struct btrfs_block_group_cache *bg;
2299 ++ u64 start = 0;
2300 ++ int ret = 0;
2301 ++
2302 ++ while (1) {
2303 ++ read_lock(&map_tree->map_tree.lock);
2304 ++ /*
2305 ++ * lookup_extent_mapping will return the first extent map
2306 ++ * intersecting the range, so setting @len to 1 is enough to
2307 ++ * get the first chunk.
2308 ++ */
2309 ++ em = lookup_extent_mapping(&map_tree->map_tree, start, 1);
2310 ++ read_unlock(&map_tree->map_tree.lock);
2311 ++ if (!em)
2312 ++ break;
2313 ++
2314 ++ bg = btrfs_lookup_block_group(fs_info, em->start);
2315 ++ if (!bg) {
2316 ++ btrfs_err(fs_info,
2317 ++ "chunk start=%llu len=%llu doesn't have corresponding block group",
2318 ++ em->start, em->len);
2319 ++ ret = -EUCLEAN;
2320 ++ free_extent_map(em);
2321 ++ break;
2322 ++ }
2323 ++ if (bg->key.objectid != em->start ||
2324 ++ bg->key.offset != em->len ||
2325 ++ (bg->flags & BTRFS_BLOCK_GROUP_TYPE_MASK) !=
2326 ++ (em->map_lookup->type & BTRFS_BLOCK_GROUP_TYPE_MASK)) {
2327 ++ btrfs_err(fs_info,
2328 ++"chunk start=%llu len=%llu flags=0x%llx doesn't match block group start=%llu len=%llu flags=0x%llx",
2329 ++ em->start, em->len,
2330 ++ em->map_lookup->type & BTRFS_BLOCK_GROUP_TYPE_MASK,
2331 ++ bg->key.objectid, bg->key.offset,
2332 ++ bg->flags & BTRFS_BLOCK_GROUP_TYPE_MASK);
2333 ++ ret = -EUCLEAN;
2334 ++ free_extent_map(em);
2335 ++ btrfs_put_block_group(bg);
2336 ++ break;
2337 ++ }
2338 ++ start = em->start + em->len;
2339 ++ free_extent_map(em);
2340 ++ btrfs_put_block_group(bg);
2341 ++ }
2342 ++ return ret;
2343 ++}
2344 ++
2345 + int btrfs_read_block_groups(struct btrfs_root *root)
2346 + {
2347 + struct btrfs_path *path;
2348 +@@ -10343,7 +10425,7 @@ int btrfs_read_block_groups(struct btrfs_root *root)
2349 + }
2350 +
2351 + init_global_block_rsv(info);
2352 +- ret = 0;
2353 ++ ret = check_chunk_block_group_mappings(info);
2354 + error:
2355 + btrfs_free_path(path);
2356 + return ret;
2357 +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
2358 +index 5feaef9bcbda..793d4d571d8d 100644
2359 +--- a/fs/btrfs/extent_io.c
2360 ++++ b/fs/btrfs/extent_io.c
2361 +@@ -5442,9 +5442,8 @@ unlock_exit:
2362 + return ret;
2363 + }
2364 +
2365 +-void read_extent_buffer(struct extent_buffer *eb, void *dstv,
2366 +- unsigned long start,
2367 +- unsigned long len)
2368 ++void read_extent_buffer(const struct extent_buffer *eb, void *dstv,
2369 ++ unsigned long start, unsigned long len)
2370 + {
2371 + size_t cur;
2372 + size_t offset;
2373 +@@ -5473,9 +5472,9 @@ void read_extent_buffer(struct extent_buffer *eb, void *dstv,
2374 + }
2375 + }
2376 +
2377 +-int read_extent_buffer_to_user(struct extent_buffer *eb, void __user *dstv,
2378 +- unsigned long start,
2379 +- unsigned long len)
2380 ++int read_extent_buffer_to_user(const struct extent_buffer *eb,
2381 ++ void __user *dstv,
2382 ++ unsigned long start, unsigned long len)
2383 + {
2384 + size_t cur;
2385 + size_t offset;
2386 +@@ -5515,10 +5514,10 @@ int read_extent_buffer_to_user(struct extent_buffer *eb, void __user *dstv,
2387 + * return 1 if the item spans two pages.
2388 + * return -EINVAL otherwise.
2389 + */
2390 +-int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
2391 +- unsigned long min_len, char **map,
2392 +- unsigned long *map_start,
2393 +- unsigned long *map_len)
2394 ++int map_private_extent_buffer(const struct extent_buffer *eb,
2395 ++ unsigned long start, unsigned long min_len,
2396 ++ char **map, unsigned long *map_start,
2397 ++ unsigned long *map_len)
2398 + {
2399 + size_t offset = start & (PAGE_SIZE - 1);
2400 + char *kaddr;
2401 +@@ -5552,9 +5551,8 @@ int map_private_extent_buffer(struct extent_buffer *eb, unsigned long start,
2402 + return 0;
2403 + }
2404 +
2405 +-int memcmp_extent_buffer(struct extent_buffer *eb, const void *ptrv,
2406 +- unsigned long start,
2407 +- unsigned long len)
2408 ++int memcmp_extent_buffer(const struct extent_buffer *eb, const void *ptrv,
2409 ++ unsigned long start, unsigned long len)
2410 + {
2411 + size_t cur;
2412 + size_t offset;
2413 +diff --git a/fs/btrfs/extent_io.h b/fs/btrfs/extent_io.h
2414 +index ab31d145227e..9ecdc9584df7 100644
2415 +--- a/fs/btrfs/extent_io.h
2416 ++++ b/fs/btrfs/extent_io.h
2417 +@@ -396,14 +396,13 @@ static inline void extent_buffer_get(struct extent_buffer *eb)
2418 + atomic_inc(&eb->refs);
2419 + }
2420 +
2421 +-int memcmp_extent_buffer(struct extent_buffer *eb, const void *ptrv,
2422 +- unsigned long start,
2423 +- unsigned long len);
2424 +-void read_extent_buffer(struct extent_buffer *eb, void *dst,
2425 ++int memcmp_extent_buffer(const struct extent_buffer *eb, const void *ptrv,
2426 ++ unsigned long start, unsigned long len);
2427 ++void read_extent_buffer(const struct extent_buffer *eb, void *dst,
2428 + unsigned long start,
2429 + unsigned long len);
2430 +-int read_extent_buffer_to_user(struct extent_buffer *eb, void __user *dst,
2431 +- unsigned long start,
2432 ++int read_extent_buffer_to_user(const struct extent_buffer *eb,
2433 ++ void __user *dst, unsigned long start,
2434 + unsigned long len);
2435 + void write_extent_buffer(struct extent_buffer *eb, const void *src,
2436 + unsigned long start, unsigned long len);
2437 +@@ -428,10 +427,10 @@ void set_extent_buffer_uptodate(struct extent_buffer *eb);
2438 + void clear_extent_buffer_uptodate(struct extent_buffer *eb);
2439 + int extent_buffer_uptodate(struct extent_buffer *eb);
2440 + int extent_buffer_under_io(struct extent_buffer *eb);
2441 +-int map_private_extent_buffer(struct extent_buffer *eb, unsigned long offset,
2442 +- unsigned long min_len, char **map,
2443 +- unsigned long *map_start,
2444 +- unsigned long *map_len);
2445 ++int map_private_extent_buffer(const struct extent_buffer *eb,
2446 ++ unsigned long offset, unsigned long min_len,
2447 ++ char **map, unsigned long *map_start,
2448 ++ unsigned long *map_len);
2449 + void extent_range_clear_dirty_for_io(struct inode *inode, u64 start, u64 end);
2450 + void extent_range_redirty_for_io(struct inode *inode, u64 start, u64 end);
2451 + void extent_clear_unlock_delalloc(struct inode *inode, u64 start, u64 end,
2452 +diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c
2453 +index 5ca0dbb9074d..69a3c11af9d4 100644
2454 +--- a/fs/btrfs/free-space-cache.c
2455 ++++ b/fs/btrfs/free-space-cache.c
2456 +@@ -2464,6 +2464,7 @@ void btrfs_dump_free_space(struct btrfs_block_group_cache *block_group,
2457 + struct rb_node *n;
2458 + int count = 0;
2459 +
2460 ++ spin_lock(&ctl->tree_lock);
2461 + for (n = rb_first(&ctl->free_space_offset); n; n = rb_next(n)) {
2462 + info = rb_entry(n, struct btrfs_free_space, offset_index);
2463 + if (info->bytes >= bytes && !block_group->ro)
2464 +@@ -2473,6 +2474,7 @@ void btrfs_dump_free_space(struct btrfs_block_group_cache *block_group,
2465 + info->offset, info->bytes,
2466 + (info->bitmap) ? "yes" : "no");
2467 + }
2468 ++ spin_unlock(&ctl->tree_lock);
2469 + btrfs_info(block_group->fs_info, "block group has cluster?: %s",
2470 + list_empty(&block_group->cluster_list) ? "no" : "yes");
2471 + btrfs_info(block_group->fs_info,
2472 +diff --git a/fs/btrfs/struct-funcs.c b/fs/btrfs/struct-funcs.c
2473 +index 875c757e73e2..5e2b92d83617 100644
2474 +--- a/fs/btrfs/struct-funcs.c
2475 ++++ b/fs/btrfs/struct-funcs.c
2476 +@@ -50,8 +50,8 @@ static inline void put_unaligned_le8(u8 val, void *p)
2477 + */
2478 +
2479 + #define DEFINE_BTRFS_SETGET_BITS(bits) \
2480 +-u##bits btrfs_get_token_##bits(struct extent_buffer *eb, void *ptr, \
2481 +- unsigned long off, \
2482 ++u##bits btrfs_get_token_##bits(const struct extent_buffer *eb, \
2483 ++ const void *ptr, unsigned long off, \
2484 + struct btrfs_map_token *token) \
2485 + { \
2486 + unsigned long part_offset = (unsigned long)ptr; \
2487 +@@ -90,7 +90,8 @@ u##bits btrfs_get_token_##bits(struct extent_buffer *eb, void *ptr, \
2488 + return res; \
2489 + } \
2490 + void btrfs_set_token_##bits(struct extent_buffer *eb, \
2491 +- void *ptr, unsigned long off, u##bits val, \
2492 ++ const void *ptr, unsigned long off, \
2493 ++ u##bits val, \
2494 + struct btrfs_map_token *token) \
2495 + { \
2496 + unsigned long part_offset = (unsigned long)ptr; \
2497 +@@ -133,7 +134,7 @@ DEFINE_BTRFS_SETGET_BITS(16)
2498 + DEFINE_BTRFS_SETGET_BITS(32)
2499 + DEFINE_BTRFS_SETGET_BITS(64)
2500 +
2501 +-void btrfs_node_key(struct extent_buffer *eb,
2502 ++void btrfs_node_key(const struct extent_buffer *eb,
2503 + struct btrfs_disk_key *disk_key, int nr)
2504 + {
2505 + unsigned long ptr = btrfs_node_key_ptr_offset(nr);
2506 +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
2507 +new file mode 100644
2508 +index 000000000000..7b69ba78e600
2509 +--- /dev/null
2510 ++++ b/fs/btrfs/tree-checker.c
2511 +@@ -0,0 +1,649 @@
2512 ++/*
2513 ++ * Copyright (C) Qu Wenruo 2017. All rights reserved.
2514 ++ *
2515 ++ * This program is free software; you can redistribute it and/or
2516 ++ * modify it under the terms of the GNU General Public
2517 ++ * License v2 as published by the Free Software Foundation.
2518 ++ *
2519 ++ * This program is distributed in the hope that it will be useful,
2520 ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
2521 ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
2522 ++ * General Public License for more details.
2523 ++ *
2524 ++ * You should have received a copy of the GNU General Public
2525 ++ * License along with this program.
2526 ++ */
2527 ++
2528 ++/*
2529 ++ * The module is used to catch unexpected/corrupted tree block data.
2530 ++ * Such behavior can be caused either by a fuzzed image or bugs.
2531 ++ *
2532 ++ * The objective is to do leaf/node validation checks when tree block is read
2533 ++ * from disk, and check *every* possible member, so other code won't
2534 ++ * need to checking them again.
2535 ++ *
2536 ++ * Due to the potential and unwanted damage, every checker needs to be
2537 ++ * carefully reviewed otherwise so it does not prevent mount of valid images.
2538 ++ */
2539 ++
2540 ++#include "ctree.h"
2541 ++#include "tree-checker.h"
2542 ++#include "disk-io.h"
2543 ++#include "compression.h"
2544 ++#include "hash.h"
2545 ++#include "volumes.h"
2546 ++
2547 ++#define CORRUPT(reason, eb, root, slot) \
2548 ++ btrfs_crit(root->fs_info, \
2549 ++ "corrupt %s, %s: block=%llu, root=%llu, slot=%d", \
2550 ++ btrfs_header_level(eb) == 0 ? "leaf" : "node", \
2551 ++ reason, btrfs_header_bytenr(eb), root->objectid, slot)
2552 ++
2553 ++/*
2554 ++ * Error message should follow the following format:
2555 ++ * corrupt <type>: <identifier>, <reason>[, <bad_value>]
2556 ++ *
2557 ++ * @type: leaf or node
2558 ++ * @identifier: the necessary info to locate the leaf/node.
2559 ++ * It's recommened to decode key.objecitd/offset if it's
2560 ++ * meaningful.
2561 ++ * @reason: describe the error
2562 ++ * @bad_value: optional, it's recommened to output bad value and its
2563 ++ * expected value (range).
2564 ++ *
2565 ++ * Since comma is used to separate the components, only space is allowed
2566 ++ * inside each component.
2567 ++ */
2568 ++
2569 ++/*
2570 ++ * Append generic "corrupt leaf/node root=%llu block=%llu slot=%d: " to @fmt.
2571 ++ * Allows callers to customize the output.
2572 ++ */
2573 ++__printf(4, 5)
2574 ++static void generic_err(const struct btrfs_root *root,
2575 ++ const struct extent_buffer *eb, int slot,
2576 ++ const char *fmt, ...)
2577 ++{
2578 ++ struct va_format vaf;
2579 ++ va_list args;
2580 ++
2581 ++ va_start(args, fmt);
2582 ++
2583 ++ vaf.fmt = fmt;
2584 ++ vaf.va = &args;
2585 ++
2586 ++ btrfs_crit(root->fs_info,
2587 ++ "corrupt %s: root=%llu block=%llu slot=%d, %pV",
2588 ++ btrfs_header_level(eb) == 0 ? "leaf" : "node",
2589 ++ root->objectid, btrfs_header_bytenr(eb), slot, &vaf);
2590 ++ va_end(args);
2591 ++}
2592 ++
2593 ++static int check_extent_data_item(struct btrfs_root *root,
2594 ++ struct extent_buffer *leaf,
2595 ++ struct btrfs_key *key, int slot)
2596 ++{
2597 ++ struct btrfs_file_extent_item *fi;
2598 ++ u32 sectorsize = root->sectorsize;
2599 ++ u32 item_size = btrfs_item_size_nr(leaf, slot);
2600 ++
2601 ++ if (!IS_ALIGNED(key->offset, sectorsize)) {
2602 ++ CORRUPT("unaligned key offset for file extent",
2603 ++ leaf, root, slot);
2604 ++ return -EUCLEAN;
2605 ++ }
2606 ++
2607 ++ fi = btrfs_item_ptr(leaf, slot, struct btrfs_file_extent_item);
2608 ++
2609 ++ if (btrfs_file_extent_type(leaf, fi) > BTRFS_FILE_EXTENT_TYPES) {
2610 ++ CORRUPT("invalid file extent type", leaf, root, slot);
2611 ++ return -EUCLEAN;
2612 ++ }
2613 ++
2614 ++ /*
2615 ++ * Support for new compression/encrption must introduce incompat flag,
2616 ++ * and must be caught in open_ctree().
2617 ++ */
2618 ++ if (btrfs_file_extent_compression(leaf, fi) > BTRFS_COMPRESS_TYPES) {
2619 ++ CORRUPT("invalid file extent compression", leaf, root, slot);
2620 ++ return -EUCLEAN;
2621 ++ }
2622 ++ if (btrfs_file_extent_encryption(leaf, fi)) {
2623 ++ CORRUPT("invalid file extent encryption", leaf, root, slot);
2624 ++ return -EUCLEAN;
2625 ++ }
2626 ++ if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE) {
2627 ++ /* Inline extent must have 0 as key offset */
2628 ++ if (key->offset) {
2629 ++ CORRUPT("inline extent has non-zero key offset",
2630 ++ leaf, root, slot);
2631 ++ return -EUCLEAN;
2632 ++ }
2633 ++
2634 ++ /* Compressed inline extent has no on-disk size, skip it */
2635 ++ if (btrfs_file_extent_compression(leaf, fi) !=
2636 ++ BTRFS_COMPRESS_NONE)
2637 ++ return 0;
2638 ++
2639 ++ /* Uncompressed inline extent size must match item size */
2640 ++ if (item_size != BTRFS_FILE_EXTENT_INLINE_DATA_START +
2641 ++ btrfs_file_extent_ram_bytes(leaf, fi)) {
2642 ++ CORRUPT("plaintext inline extent has invalid size",
2643 ++ leaf, root, slot);
2644 ++ return -EUCLEAN;
2645 ++ }
2646 ++ return 0;
2647 ++ }
2648 ++
2649 ++ /* Regular or preallocated extent has fixed item size */
2650 ++ if (item_size != sizeof(*fi)) {
2651 ++ CORRUPT(
2652 ++ "regluar or preallocated extent data item size is invalid",
2653 ++ leaf, root, slot);
2654 ++ return -EUCLEAN;
2655 ++ }
2656 ++ if (!IS_ALIGNED(btrfs_file_extent_ram_bytes(leaf, fi), sectorsize) ||
2657 ++ !IS_ALIGNED(btrfs_file_extent_disk_bytenr(leaf, fi), sectorsize) ||
2658 ++ !IS_ALIGNED(btrfs_file_extent_disk_num_bytes(leaf, fi), sectorsize) ||
2659 ++ !IS_ALIGNED(btrfs_file_extent_offset(leaf, fi), sectorsize) ||
2660 ++ !IS_ALIGNED(btrfs_file_extent_num_bytes(leaf, fi), sectorsize)) {
2661 ++ CORRUPT(
2662 ++ "regular or preallocated extent data item has unaligned value",
2663 ++ leaf, root, slot);
2664 ++ return -EUCLEAN;
2665 ++ }
2666 ++
2667 ++ return 0;
2668 ++}
2669 ++
2670 ++static int check_csum_item(struct btrfs_root *root, struct extent_buffer *leaf,
2671 ++ struct btrfs_key *key, int slot)
2672 ++{
2673 ++ u32 sectorsize = root->sectorsize;
2674 ++ u32 csumsize = btrfs_super_csum_size(root->fs_info->super_copy);
2675 ++
2676 ++ if (key->objectid != BTRFS_EXTENT_CSUM_OBJECTID) {
2677 ++ CORRUPT("invalid objectid for csum item", leaf, root, slot);
2678 ++ return -EUCLEAN;
2679 ++ }
2680 ++ if (!IS_ALIGNED(key->offset, sectorsize)) {
2681 ++ CORRUPT("unaligned key offset for csum item", leaf, root, slot);
2682 ++ return -EUCLEAN;
2683 ++ }
2684 ++ if (!IS_ALIGNED(btrfs_item_size_nr(leaf, slot), csumsize)) {
2685 ++ CORRUPT("unaligned csum item size", leaf, root, slot);
2686 ++ return -EUCLEAN;
2687 ++ }
2688 ++ return 0;
2689 ++}
2690 ++
2691 ++/*
2692 ++ * Customized reported for dir_item, only important new info is key->objectid,
2693 ++ * which represents inode number
2694 ++ */
2695 ++__printf(4, 5)
2696 ++static void dir_item_err(const struct btrfs_root *root,
2697 ++ const struct extent_buffer *eb, int slot,
2698 ++ const char *fmt, ...)
2699 ++{
2700 ++ struct btrfs_key key;
2701 ++ struct va_format vaf;
2702 ++ va_list args;
2703 ++
2704 ++ btrfs_item_key_to_cpu(eb, &key, slot);
2705 ++ va_start(args, fmt);
2706 ++
2707 ++ vaf.fmt = fmt;
2708 ++ vaf.va = &args;
2709 ++
2710 ++ btrfs_crit(root->fs_info,
2711 ++ "corrupt %s: root=%llu block=%llu slot=%d ino=%llu, %pV",
2712 ++ btrfs_header_level(eb) == 0 ? "leaf" : "node", root->objectid,
2713 ++ btrfs_header_bytenr(eb), slot, key.objectid, &vaf);
2714 ++ va_end(args);
2715 ++}
2716 ++
2717 ++static int check_dir_item(struct btrfs_root *root,
2718 ++ struct extent_buffer *leaf,
2719 ++ struct btrfs_key *key, int slot)
2720 ++{
2721 ++ struct btrfs_dir_item *di;
2722 ++ u32 item_size = btrfs_item_size_nr(leaf, slot);
2723 ++ u32 cur = 0;
2724 ++
2725 ++ di = btrfs_item_ptr(leaf, slot, struct btrfs_dir_item);
2726 ++ while (cur < item_size) {
2727 ++ u32 name_len;
2728 ++ u32 data_len;
2729 ++ u32 max_name_len;
2730 ++ u32 total_size;
2731 ++ u32 name_hash;
2732 ++ u8 dir_type;
2733 ++
2734 ++ /* header itself should not cross item boundary */
2735 ++ if (cur + sizeof(*di) > item_size) {
2736 ++ dir_item_err(root, leaf, slot,
2737 ++ "dir item header crosses item boundary, have %zu boundary %u",
2738 ++ cur + sizeof(*di), item_size);
2739 ++ return -EUCLEAN;
2740 ++ }
2741 ++
2742 ++ /* dir type check */
2743 ++ dir_type = btrfs_dir_type(leaf, di);
2744 ++ if (dir_type >= BTRFS_FT_MAX) {
2745 ++ dir_item_err(root, leaf, slot,
2746 ++ "invalid dir item type, have %u expect [0, %u)",
2747 ++ dir_type, BTRFS_FT_MAX);
2748 ++ return -EUCLEAN;
2749 ++ }
2750 ++
2751 ++ if (key->type == BTRFS_XATTR_ITEM_KEY &&
2752 ++ dir_type != BTRFS_FT_XATTR) {
2753 ++ dir_item_err(root, leaf, slot,
2754 ++ "invalid dir item type for XATTR key, have %u expect %u",
2755 ++ dir_type, BTRFS_FT_XATTR);
2756 ++ return -EUCLEAN;
2757 ++ }
2758 ++ if (dir_type == BTRFS_FT_XATTR &&
2759 ++ key->type != BTRFS_XATTR_ITEM_KEY) {
2760 ++ dir_item_err(root, leaf, slot,
2761 ++ "xattr dir type found for non-XATTR key");
2762 ++ return -EUCLEAN;
2763 ++ }
2764 ++ if (dir_type == BTRFS_FT_XATTR)
2765 ++ max_name_len = XATTR_NAME_MAX;
2766 ++ else
2767 ++ max_name_len = BTRFS_NAME_LEN;
2768 ++
2769 ++ /* Name/data length check */
2770 ++ name_len = btrfs_dir_name_len(leaf, di);
2771 ++ data_len = btrfs_dir_data_len(leaf, di);
2772 ++ if (name_len > max_name_len) {
2773 ++ dir_item_err(root, leaf, slot,
2774 ++ "dir item name len too long, have %u max %u",
2775 ++ name_len, max_name_len);
2776 ++ return -EUCLEAN;
2777 ++ }
2778 ++ if (name_len + data_len > BTRFS_MAX_XATTR_SIZE(root)) {
2779 ++ dir_item_err(root, leaf, slot,
2780 ++ "dir item name and data len too long, have %u max %u",
2781 ++ name_len + data_len,
2782 ++ BTRFS_MAX_XATTR_SIZE(root));
2783 ++ return -EUCLEAN;
2784 ++ }
2785 ++
2786 ++ if (data_len && dir_type != BTRFS_FT_XATTR) {
2787 ++ dir_item_err(root, leaf, slot,
2788 ++ "dir item with invalid data len, have %u expect 0",
2789 ++ data_len);
2790 ++ return -EUCLEAN;
2791 ++ }
2792 ++
2793 ++ total_size = sizeof(*di) + name_len + data_len;
2794 ++
2795 ++ /* header and name/data should not cross item boundary */
2796 ++ if (cur + total_size > item_size) {
2797 ++ dir_item_err(root, leaf, slot,
2798 ++ "dir item data crosses item boundary, have %u boundary %u",
2799 ++ cur + total_size, item_size);
2800 ++ return -EUCLEAN;
2801 ++ }
2802 ++
2803 ++ /*
2804 ++ * Special check for XATTR/DIR_ITEM, as key->offset is name
2805 ++ * hash, should match its name
2806 ++ */
2807 ++ if (key->type == BTRFS_DIR_ITEM_KEY ||
2808 ++ key->type == BTRFS_XATTR_ITEM_KEY) {
2809 ++ char namebuf[max(BTRFS_NAME_LEN, XATTR_NAME_MAX)];
2810 ++
2811 ++ read_extent_buffer(leaf, namebuf,
2812 ++ (unsigned long)(di + 1), name_len);
2813 ++ name_hash = btrfs_name_hash(namebuf, name_len);
2814 ++ if (key->offset != name_hash) {
2815 ++ dir_item_err(root, leaf, slot,
2816 ++ "name hash mismatch with key, have 0x%016x expect 0x%016llx",
2817 ++ name_hash, key->offset);
2818 ++ return -EUCLEAN;
2819 ++ }
2820 ++ }
2821 ++ cur += total_size;
2822 ++ di = (struct btrfs_dir_item *)((void *)di + total_size);
2823 ++ }
2824 ++ return 0;
2825 ++}
2826 ++
2827 ++__printf(4, 5)
2828 ++__cold
2829 ++static void block_group_err(const struct btrfs_fs_info *fs_info,
2830 ++ const struct extent_buffer *eb, int slot,
2831 ++ const char *fmt, ...)
2832 ++{
2833 ++ struct btrfs_key key;
2834 ++ struct va_format vaf;
2835 ++ va_list args;
2836 ++
2837 ++ btrfs_item_key_to_cpu(eb, &key, slot);
2838 ++ va_start(args, fmt);
2839 ++
2840 ++ vaf.fmt = fmt;
2841 ++ vaf.va = &args;
2842 ++
2843 ++ btrfs_crit(fs_info,
2844 ++ "corrupt %s: root=%llu block=%llu slot=%d bg_start=%llu bg_len=%llu, %pV",
2845 ++ btrfs_header_level(eb) == 0 ? "leaf" : "node",
2846 ++ btrfs_header_owner(eb), btrfs_header_bytenr(eb), slot,
2847 ++ key.objectid, key.offset, &vaf);
2848 ++ va_end(args);
2849 ++}
2850 ++
2851 ++static int check_block_group_item(struct btrfs_fs_info *fs_info,
2852 ++ struct extent_buffer *leaf,
2853 ++ struct btrfs_key *key, int slot)
2854 ++{
2855 ++ struct btrfs_block_group_item bgi;
2856 ++ u32 item_size = btrfs_item_size_nr(leaf, slot);
2857 ++ u64 flags;
2858 ++ u64 type;
2859 ++
2860 ++ /*
2861 ++ * Here we don't really care about alignment since extent allocator can
2862 ++ * handle it. We care more about the size, as if one block group is
2863 ++ * larger than maximum size, it's must be some obvious corruption.
2864 ++ */
2865 ++ if (key->offset > BTRFS_MAX_DATA_CHUNK_SIZE || key->offset == 0) {
2866 ++ block_group_err(fs_info, leaf, slot,
2867 ++ "invalid block group size, have %llu expect (0, %llu]",
2868 ++ key->offset, BTRFS_MAX_DATA_CHUNK_SIZE);
2869 ++ return -EUCLEAN;
2870 ++ }
2871 ++
2872 ++ if (item_size != sizeof(bgi)) {
2873 ++ block_group_err(fs_info, leaf, slot,
2874 ++ "invalid item size, have %u expect %zu",
2875 ++ item_size, sizeof(bgi));
2876 ++ return -EUCLEAN;
2877 ++ }
2878 ++
2879 ++ read_extent_buffer(leaf, &bgi, btrfs_item_ptr_offset(leaf, slot),
2880 ++ sizeof(bgi));
2881 ++ if (btrfs_block_group_chunk_objectid(&bgi) !=
2882 ++ BTRFS_FIRST_CHUNK_TREE_OBJECTID) {
2883 ++ block_group_err(fs_info, leaf, slot,
2884 ++ "invalid block group chunk objectid, have %llu expect %llu",
2885 ++ btrfs_block_group_chunk_objectid(&bgi),
2886 ++ BTRFS_FIRST_CHUNK_TREE_OBJECTID);
2887 ++ return -EUCLEAN;
2888 ++ }
2889 ++
2890 ++ if (btrfs_block_group_used(&bgi) > key->offset) {
2891 ++ block_group_err(fs_info, leaf, slot,
2892 ++ "invalid block group used, have %llu expect [0, %llu)",
2893 ++ btrfs_block_group_used(&bgi), key->offset);
2894 ++ return -EUCLEAN;
2895 ++ }
2896 ++
2897 ++ flags = btrfs_block_group_flags(&bgi);
2898 ++ if (hweight64(flags & BTRFS_BLOCK_GROUP_PROFILE_MASK) > 1) {
2899 ++ block_group_err(fs_info, leaf, slot,
2900 ++"invalid profile flags, have 0x%llx (%lu bits set) expect no more than 1 bit set",
2901 ++ flags & BTRFS_BLOCK_GROUP_PROFILE_MASK,
2902 ++ hweight64(flags & BTRFS_BLOCK_GROUP_PROFILE_MASK));
2903 ++ return -EUCLEAN;
2904 ++ }
2905 ++
2906 ++ type = flags & BTRFS_BLOCK_GROUP_TYPE_MASK;
2907 ++ if (type != BTRFS_BLOCK_GROUP_DATA &&
2908 ++ type != BTRFS_BLOCK_GROUP_METADATA &&
2909 ++ type != BTRFS_BLOCK_GROUP_SYSTEM &&
2910 ++ type != (BTRFS_BLOCK_GROUP_METADATA |
2911 ++ BTRFS_BLOCK_GROUP_DATA)) {
2912 ++ block_group_err(fs_info, leaf, slot,
2913 ++"invalid type, have 0x%llx (%lu bits set) expect either 0x%llx, 0x%llx, 0x%llx or 0x%llx",
2914 ++ type, hweight64(type),
2915 ++ BTRFS_BLOCK_GROUP_DATA, BTRFS_BLOCK_GROUP_METADATA,
2916 ++ BTRFS_BLOCK_GROUP_SYSTEM,
2917 ++ BTRFS_BLOCK_GROUP_METADATA | BTRFS_BLOCK_GROUP_DATA);
2918 ++ return -EUCLEAN;
2919 ++ }
2920 ++ return 0;
2921 ++}
2922 ++
2923 ++/*
2924 ++ * Common point to switch the item-specific validation.
2925 ++ */
2926 ++static int check_leaf_item(struct btrfs_root *root,
2927 ++ struct extent_buffer *leaf,
2928 ++ struct btrfs_key *key, int slot)
2929 ++{
2930 ++ int ret = 0;
2931 ++
2932 ++ switch (key->type) {
2933 ++ case BTRFS_EXTENT_DATA_KEY:
2934 ++ ret = check_extent_data_item(root, leaf, key, slot);
2935 ++ break;
2936 ++ case BTRFS_EXTENT_CSUM_KEY:
2937 ++ ret = check_csum_item(root, leaf, key, slot);
2938 ++ break;
2939 ++ case BTRFS_DIR_ITEM_KEY:
2940 ++ case BTRFS_DIR_INDEX_KEY:
2941 ++ case BTRFS_XATTR_ITEM_KEY:
2942 ++ ret = check_dir_item(root, leaf, key, slot);
2943 ++ break;
2944 ++ case BTRFS_BLOCK_GROUP_ITEM_KEY:
2945 ++ ret = check_block_group_item(root->fs_info, leaf, key, slot);
2946 ++ break;
2947 ++ }
2948 ++ return ret;
2949 ++}
2950 ++
2951 ++static int check_leaf(struct btrfs_root *root, struct extent_buffer *leaf,
2952 ++ bool check_item_data)
2953 ++{
2954 ++ struct btrfs_fs_info *fs_info = root->fs_info;
2955 ++ /* No valid key type is 0, so all key should be larger than this key */
2956 ++ struct btrfs_key prev_key = {0, 0, 0};
2957 ++ struct btrfs_key key;
2958 ++ u32 nritems = btrfs_header_nritems(leaf);
2959 ++ int slot;
2960 ++
2961 ++ if (btrfs_header_level(leaf) != 0) {
2962 ++ generic_err(root, leaf, 0,
2963 ++ "invalid level for leaf, have %d expect 0",
2964 ++ btrfs_header_level(leaf));
2965 ++ return -EUCLEAN;
2966 ++ }
2967 ++
2968 ++ /*
2969 ++ * Extent buffers from a relocation tree have a owner field that
2970 ++ * corresponds to the subvolume tree they are based on. So just from an
2971 ++ * extent buffer alone we can not find out what is the id of the
2972 ++ * corresponding subvolume tree, so we can not figure out if the extent
2973 ++ * buffer corresponds to the root of the relocation tree or not. So
2974 ++ * skip this check for relocation trees.
2975 ++ */
2976 ++ if (nritems == 0 && !btrfs_header_flag(leaf, BTRFS_HEADER_FLAG_RELOC)) {
2977 ++ u64 owner = btrfs_header_owner(leaf);
2978 ++ struct btrfs_root *check_root;
2979 ++
2980 ++ /* These trees must never be empty */
2981 ++ if (owner == BTRFS_ROOT_TREE_OBJECTID ||
2982 ++ owner == BTRFS_CHUNK_TREE_OBJECTID ||
2983 ++ owner == BTRFS_EXTENT_TREE_OBJECTID ||
2984 ++ owner == BTRFS_DEV_TREE_OBJECTID ||
2985 ++ owner == BTRFS_FS_TREE_OBJECTID ||
2986 ++ owner == BTRFS_DATA_RELOC_TREE_OBJECTID) {
2987 ++ generic_err(root, leaf, 0,
2988 ++ "invalid root, root %llu must never be empty",
2989 ++ owner);
2990 ++ return -EUCLEAN;
2991 ++ }
2992 ++ key.objectid = owner;
2993 ++ key.type = BTRFS_ROOT_ITEM_KEY;
2994 ++ key.offset = (u64)-1;
2995 ++
2996 ++ check_root = btrfs_get_fs_root(fs_info, &key, false);
2997 ++ /*
2998 ++ * The only reason we also check NULL here is that during
2999 ++ * open_ctree() some roots has not yet been set up.
3000 ++ */
3001 ++ if (!IS_ERR_OR_NULL(check_root)) {
3002 ++ struct extent_buffer *eb;
3003 ++
3004 ++ eb = btrfs_root_node(check_root);
3005 ++ /* if leaf is the root, then it's fine */
3006 ++ if (leaf != eb) {
3007 ++ CORRUPT("non-root leaf's nritems is 0",
3008 ++ leaf, check_root, 0);
3009 ++ free_extent_buffer(eb);
3010 ++ return -EUCLEAN;
3011 ++ }
3012 ++ free_extent_buffer(eb);
3013 ++ }
3014 ++ return 0;
3015 ++ }
3016 ++
3017 ++ if (nritems == 0)
3018 ++ return 0;
3019 ++
3020 ++ /*
3021 ++ * Check the following things to make sure this is a good leaf, and
3022 ++ * leaf users won't need to bother with similar sanity checks:
3023 ++ *
3024 ++ * 1) key ordering
3025 ++ * 2) item offset and size
3026 ++ * No overlap, no hole, all inside the leaf.
3027 ++ * 3) item content
3028 ++ * If possible, do comprehensive sanity check.
3029 ++ * NOTE: All checks must only rely on the item data itself.
3030 ++ */
3031 ++ for (slot = 0; slot < nritems; slot++) {
3032 ++ u32 item_end_expected;
3033 ++ int ret;
3034 ++
3035 ++ btrfs_item_key_to_cpu(leaf, &key, slot);
3036 ++
3037 ++ /* Make sure the keys are in the right order */
3038 ++ if (btrfs_comp_cpu_keys(&prev_key, &key) >= 0) {
3039 ++ CORRUPT("bad key order", leaf, root, slot);
3040 ++ return -EUCLEAN;
3041 ++ }
3042 ++
3043 ++ /*
3044 ++ * Make sure the offset and ends are right, remember that the
3045 ++ * item data starts at the end of the leaf and grows towards the
3046 ++ * front.
3047 ++ */
3048 ++ if (slot == 0)
3049 ++ item_end_expected = BTRFS_LEAF_DATA_SIZE(root);
3050 ++ else
3051 ++ item_end_expected = btrfs_item_offset_nr(leaf,
3052 ++ slot - 1);
3053 ++ if (btrfs_item_end_nr(leaf, slot) != item_end_expected) {
3054 ++ CORRUPT("slot offset bad", leaf, root, slot);
3055 ++ return -EUCLEAN;
3056 ++ }
3057 ++
3058 ++ /*
3059 ++ * Check to make sure that we don't point outside of the leaf,
3060 ++ * just in case all the items are consistent to each other, but
3061 ++ * all point outside of the leaf.
3062 ++ */
3063 ++ if (btrfs_item_end_nr(leaf, slot) >
3064 ++ BTRFS_LEAF_DATA_SIZE(root)) {
3065 ++ CORRUPT("slot end outside of leaf", leaf, root, slot);
3066 ++ return -EUCLEAN;
3067 ++ }
3068 ++
3069 ++ /* Also check if the item pointer overlaps with btrfs item. */
3070 ++ if (btrfs_item_nr_offset(slot) + sizeof(struct btrfs_item) >
3071 ++ btrfs_item_ptr_offset(leaf, slot)) {
3072 ++ CORRUPT("slot overlap with its data", leaf, root, slot);
3073 ++ return -EUCLEAN;
3074 ++ }
3075 ++
3076 ++ if (check_item_data) {
3077 ++ /*
3078 ++ * Check if the item size and content meet other
3079 ++ * criteria
3080 ++ */
3081 ++ ret = check_leaf_item(root, leaf, &key, slot);
3082 ++ if (ret < 0)
3083 ++ return ret;
3084 ++ }
3085 ++
3086 ++ prev_key.objectid = key.objectid;
3087 ++ prev_key.type = key.type;
3088 ++ prev_key.offset = key.offset;
3089 ++ }
3090 ++
3091 ++ return 0;
3092 ++}
3093 ++
3094 ++int btrfs_check_leaf_full(struct btrfs_root *root, struct extent_buffer *leaf)
3095 ++{
3096 ++ return check_leaf(root, leaf, true);
3097 ++}
3098 ++
3099 ++int btrfs_check_leaf_relaxed(struct btrfs_root *root,
3100 ++ struct extent_buffer *leaf)
3101 ++{
3102 ++ return check_leaf(root, leaf, false);
3103 ++}
3104 ++
3105 ++int btrfs_check_node(struct btrfs_root *root, struct extent_buffer *node)
3106 ++{
3107 ++ unsigned long nr = btrfs_header_nritems(node);
3108 ++ struct btrfs_key key, next_key;
3109 ++ int slot;
3110 ++ int level = btrfs_header_level(node);
3111 ++ u64 bytenr;
3112 ++ int ret = 0;
3113 ++
3114 ++ if (level <= 0 || level >= BTRFS_MAX_LEVEL) {
3115 ++ generic_err(root, node, 0,
3116 ++ "invalid level for node, have %d expect [1, %d]",
3117 ++ level, BTRFS_MAX_LEVEL - 1);
3118 ++ return -EUCLEAN;
3119 ++ }
3120 ++ if (nr == 0 || nr > BTRFS_NODEPTRS_PER_BLOCK(root)) {
3121 ++ btrfs_crit(root->fs_info,
3122 ++"corrupt node: root=%llu block=%llu, nritems too %s, have %lu expect range [1,%u]",
3123 ++ root->objectid, node->start,
3124 ++ nr == 0 ? "small" : "large", nr,
3125 ++ BTRFS_NODEPTRS_PER_BLOCK(root));
3126 ++ return -EUCLEAN;
3127 ++ }
3128 ++
3129 ++ for (slot = 0; slot < nr - 1; slot++) {
3130 ++ bytenr = btrfs_node_blockptr(node, slot);
3131 ++ btrfs_node_key_to_cpu(node, &key, slot);
3132 ++ btrfs_node_key_to_cpu(node, &next_key, slot + 1);
3133 ++
3134 ++ if (!bytenr) {
3135 ++ generic_err(root, node, slot,
3136 ++ "invalid NULL node pointer");
3137 ++ ret = -EUCLEAN;
3138 ++ goto out;
3139 ++ }
3140 ++ if (!IS_ALIGNED(bytenr, root->sectorsize)) {
3141 ++ generic_err(root, node, slot,
3142 ++ "unaligned pointer, have %llu should be aligned to %u",
3143 ++ bytenr, root->sectorsize);
3144 ++ ret = -EUCLEAN;
3145 ++ goto out;
3146 ++ }
3147 ++
3148 ++ if (btrfs_comp_cpu_keys(&key, &next_key) >= 0) {
3149 ++ generic_err(root, node, slot,
3150 ++ "bad key order, current (%llu %u %llu) next (%llu %u %llu)",
3151 ++ key.objectid, key.type, key.offset,
3152 ++ next_key.objectid, next_key.type,
3153 ++ next_key.offset);
3154 ++ ret = -EUCLEAN;
3155 ++ goto out;
3156 ++ }
3157 ++ }
3158 ++out:
3159 ++ return ret;
3160 ++}
3161 +diff --git a/fs/btrfs/tree-checker.h b/fs/btrfs/tree-checker.h
3162 +new file mode 100644
3163 +index 000000000000..3d53e8d6fda0
3164 +--- /dev/null
3165 ++++ b/fs/btrfs/tree-checker.h
3166 +@@ -0,0 +1,38 @@
3167 ++/*
3168 ++ * Copyright (C) Qu Wenruo 2017. All rights reserved.
3169 ++ *
3170 ++ * This program is free software; you can redistribute it and/or
3171 ++ * modify it under the terms of the GNU General Public
3172 ++ * License v2 as published by the Free Software Foundation.
3173 ++ *
3174 ++ * This program is distributed in the hope that it will be useful,
3175 ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
3176 ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
3177 ++ * General Public License for more details.
3178 ++ *
3179 ++ * You should have received a copy of the GNU General Public
3180 ++ * License along with this program.
3181 ++ */
3182 ++
3183 ++#ifndef __BTRFS_TREE_CHECKER__
3184 ++#define __BTRFS_TREE_CHECKER__
3185 ++
3186 ++#include "ctree.h"
3187 ++#include "extent_io.h"
3188 ++
3189 ++/*
3190 ++ * Comprehensive leaf checker.
3191 ++ * Will check not only the item pointers, but also every possible member
3192 ++ * in item data.
3193 ++ */
3194 ++int btrfs_check_leaf_full(struct btrfs_root *root, struct extent_buffer *leaf);
3195 ++
3196 ++/*
3197 ++ * Less strict leaf checker.
3198 ++ * Will only check item pointers, not reading item data.
3199 ++ */
3200 ++int btrfs_check_leaf_relaxed(struct btrfs_root *root,
3201 ++ struct extent_buffer *leaf);
3202 ++int btrfs_check_node(struct btrfs_root *root, struct extent_buffer *node);
3203 ++
3204 ++#endif
3205 +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
3206 +index 76017e1b3c0f..5aa2749eaf42 100644
3207 +--- a/fs/btrfs/volumes.c
3208 ++++ b/fs/btrfs/volumes.c
3209 +@@ -4656,7 +4656,7 @@ static int __btrfs_alloc_chunk(struct btrfs_trans_handle *trans,
3210 +
3211 + if (type & BTRFS_BLOCK_GROUP_DATA) {
3212 + max_stripe_size = SZ_1G;
3213 +- max_chunk_size = 10 * max_stripe_size;
3214 ++ max_chunk_size = BTRFS_MAX_DATA_CHUNK_SIZE;
3215 + if (!devs_max)
3216 + devs_max = BTRFS_MAX_DEVS(info->chunk_root);
3217 + } else if (type & BTRFS_BLOCK_GROUP_METADATA) {
3218 +@@ -6370,6 +6370,8 @@ static int btrfs_check_chunk_valid(struct btrfs_root *root,
3219 + u16 num_stripes;
3220 + u16 sub_stripes;
3221 + u64 type;
3222 ++ u64 features;
3223 ++ bool mixed = false;
3224 +
3225 + length = btrfs_chunk_length(leaf, chunk);
3226 + stripe_len = btrfs_chunk_stripe_len(leaf, chunk);
3227 +@@ -6410,6 +6412,32 @@ static int btrfs_check_chunk_valid(struct btrfs_root *root,
3228 + btrfs_chunk_type(leaf, chunk));
3229 + return -EIO;
3230 + }
3231 ++
3232 ++ if ((type & BTRFS_BLOCK_GROUP_TYPE_MASK) == 0) {
3233 ++ btrfs_err(root->fs_info, "missing chunk type flag: 0x%llx", type);
3234 ++ return -EIO;
3235 ++ }
3236 ++
3237 ++ if ((type & BTRFS_BLOCK_GROUP_SYSTEM) &&
3238 ++ (type & (BTRFS_BLOCK_GROUP_METADATA | BTRFS_BLOCK_GROUP_DATA))) {
3239 ++ btrfs_err(root->fs_info,
3240 ++ "system chunk with data or metadata type: 0x%llx", type);
3241 ++ return -EIO;
3242 ++ }
3243 ++
3244 ++ features = btrfs_super_incompat_flags(root->fs_info->super_copy);
3245 ++ if (features & BTRFS_FEATURE_INCOMPAT_MIXED_GROUPS)
3246 ++ mixed = true;
3247 ++
3248 ++ if (!mixed) {
3249 ++ if ((type & BTRFS_BLOCK_GROUP_METADATA) &&
3250 ++ (type & BTRFS_BLOCK_GROUP_DATA)) {
3251 ++ btrfs_err(root->fs_info,
3252 ++ "mixed chunk type in non-mixed mode: 0x%llx", type);
3253 ++ return -EIO;
3254 ++ }
3255 ++ }
3256 ++
3257 + if ((type & BTRFS_BLOCK_GROUP_RAID10 && sub_stripes != 2) ||
3258 + (type & BTRFS_BLOCK_GROUP_RAID1 && num_stripes < 1) ||
3259 + (type & BTRFS_BLOCK_GROUP_RAID5 && num_stripes < 2) ||
3260 +diff --git a/fs/btrfs/volumes.h b/fs/btrfs/volumes.h
3261 +index 09ed29c67848..9c09aa29d6bd 100644
3262 +--- a/fs/btrfs/volumes.h
3263 ++++ b/fs/btrfs/volumes.h
3264 +@@ -24,6 +24,8 @@
3265 + #include <linux/btrfs.h>
3266 + #include "async-thread.h"
3267 +
3268 ++#define BTRFS_MAX_DATA_CHUNK_SIZE (10ULL * SZ_1G)
3269 ++
3270 + extern struct mutex uuid_mutex;
3271 +
3272 + #define BTRFS_STRIPE_LEN SZ_64K
3273 +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
3274 +index 3d2639c30018..6cbd0d805c9d 100644
3275 +--- a/fs/ceph/mds_client.c
3276 ++++ b/fs/ceph/mds_client.c
3277 +@@ -3983,14 +3983,24 @@ static struct ceph_auth_handshake *get_authorizer(struct ceph_connection *con,
3278 + return auth;
3279 + }
3280 +
3281 ++static int add_authorizer_challenge(struct ceph_connection *con,
3282 ++ void *challenge_buf, int challenge_buf_len)
3283 ++{
3284 ++ struct ceph_mds_session *s = con->private;
3285 ++ struct ceph_mds_client *mdsc = s->s_mdsc;
3286 ++ struct ceph_auth_client *ac = mdsc->fsc->client->monc.auth;
3287 ++
3288 ++ return ceph_auth_add_authorizer_challenge(ac, s->s_auth.authorizer,
3289 ++ challenge_buf, challenge_buf_len);
3290 ++}
3291 +
3292 +-static int verify_authorizer_reply(struct ceph_connection *con, int len)
3293 ++static int verify_authorizer_reply(struct ceph_connection *con)
3294 + {
3295 + struct ceph_mds_session *s = con->private;
3296 + struct ceph_mds_client *mdsc = s->s_mdsc;
3297 + struct ceph_auth_client *ac = mdsc->fsc->client->monc.auth;
3298 +
3299 +- return ceph_auth_verify_authorizer_reply(ac, s->s_auth.authorizer, len);
3300 ++ return ceph_auth_verify_authorizer_reply(ac, s->s_auth.authorizer);
3301 + }
3302 +
3303 + static int invalidate_authorizer(struct ceph_connection *con)
3304 +@@ -4046,6 +4056,7 @@ static const struct ceph_connection_operations mds_con_ops = {
3305 + .put = con_put,
3306 + .dispatch = dispatch,
3307 + .get_authorizer = get_authorizer,
3308 ++ .add_authorizer_challenge = add_authorizer_challenge,
3309 + .verify_authorizer_reply = verify_authorizer_reply,
3310 + .invalidate_authorizer = invalidate_authorizer,
3311 + .peer_reset = peer_reset,
3312 +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c
3313 +index aee2a066a446..0b061bbf1639 100644
3314 +--- a/fs/f2fs/checkpoint.c
3315 ++++ b/fs/f2fs/checkpoint.c
3316 +@@ -69,6 +69,7 @@ static struct page *__get_meta_page(struct f2fs_sb_info *sbi, pgoff_t index,
3317 + .old_blkaddr = index,
3318 + .new_blkaddr = index,
3319 + .encrypted_page = NULL,
3320 ++ .is_meta = is_meta,
3321 + };
3322 +
3323 + if (unlikely(!is_meta))
3324 +@@ -85,8 +86,10 @@ repeat:
3325 + fio.page = page;
3326 +
3327 + if (f2fs_submit_page_bio(&fio)) {
3328 +- f2fs_put_page(page, 1);
3329 +- goto repeat;
3330 ++ memset(page_address(page), 0, PAGE_SIZE);
3331 ++ f2fs_stop_checkpoint(sbi, false);
3332 ++ f2fs_bug_on(sbi, 1);
3333 ++ return page;
3334 + }
3335 +
3336 + lock_page(page);
3337 +@@ -117,7 +120,8 @@ struct page *get_tmp_page(struct f2fs_sb_info *sbi, pgoff_t index)
3338 + return __get_meta_page(sbi, index, false);
3339 + }
3340 +
3341 +-bool is_valid_blkaddr(struct f2fs_sb_info *sbi, block_t blkaddr, int type)
3342 ++bool f2fs_is_valid_blkaddr(struct f2fs_sb_info *sbi,
3343 ++ block_t blkaddr, int type)
3344 + {
3345 + switch (type) {
3346 + case META_NAT:
3347 +@@ -137,8 +141,20 @@ bool is_valid_blkaddr(struct f2fs_sb_info *sbi, block_t blkaddr, int type)
3348 + return false;
3349 + break;
3350 + case META_POR:
3351 ++ case DATA_GENERIC:
3352 + if (unlikely(blkaddr >= MAX_BLKADDR(sbi) ||
3353 +- blkaddr < MAIN_BLKADDR(sbi)))
3354 ++ blkaddr < MAIN_BLKADDR(sbi))) {
3355 ++ if (type == DATA_GENERIC) {
3356 ++ f2fs_msg(sbi->sb, KERN_WARNING,
3357 ++ "access invalid blkaddr:%u", blkaddr);
3358 ++ WARN_ON(1);
3359 ++ }
3360 ++ return false;
3361 ++ }
3362 ++ break;
3363 ++ case META_GENERIC:
3364 ++ if (unlikely(blkaddr < SEG0_BLKADDR(sbi) ||
3365 ++ blkaddr >= MAIN_BLKADDR(sbi)))
3366 + return false;
3367 + break;
3368 + default:
3369 +@@ -162,6 +178,7 @@ int ra_meta_pages(struct f2fs_sb_info *sbi, block_t start, int nrpages,
3370 + .op = REQ_OP_READ,
3371 + .op_flags = sync ? (READ_SYNC | REQ_META | REQ_PRIO) : REQ_RAHEAD,
3372 + .encrypted_page = NULL,
3373 ++ .is_meta = (type != META_POR),
3374 + };
3375 + struct blk_plug plug;
3376 +
3377 +@@ -171,7 +188,7 @@ int ra_meta_pages(struct f2fs_sb_info *sbi, block_t start, int nrpages,
3378 + blk_start_plug(&plug);
3379 + for (; nrpages-- > 0; blkno++) {
3380 +
3381 +- if (!is_valid_blkaddr(sbi, blkno, type))
3382 ++ if (!f2fs_is_valid_blkaddr(sbi, blkno, type))
3383 + goto out;
3384 +
3385 + switch (type) {
3386 +@@ -706,6 +723,14 @@ static struct page *validate_checkpoint(struct f2fs_sb_info *sbi,
3387 + &cp_page_1, version);
3388 + if (err)
3389 + return NULL;
3390 ++
3391 ++ if (le32_to_cpu(cp_block->cp_pack_total_block_count) >
3392 ++ sbi->blocks_per_seg) {
3393 ++ f2fs_msg(sbi->sb, KERN_WARNING,
3394 ++ "invalid cp_pack_total_block_count:%u",
3395 ++ le32_to_cpu(cp_block->cp_pack_total_block_count));
3396 ++ goto invalid_cp;
3397 ++ }
3398 + pre_version = *version;
3399 +
3400 + cp_addr += le32_to_cpu(cp_block->cp_pack_total_block_count) - 1;
3401 +@@ -769,15 +794,15 @@ int get_valid_checkpoint(struct f2fs_sb_info *sbi)
3402 + cp_block = (struct f2fs_checkpoint *)page_address(cur_page);
3403 + memcpy(sbi->ckpt, cp_block, blk_size);
3404 +
3405 +- /* Sanity checking of checkpoint */
3406 +- if (sanity_check_ckpt(sbi))
3407 +- goto fail_no_cp;
3408 +-
3409 + if (cur_page == cp1)
3410 + sbi->cur_cp_pack = 1;
3411 + else
3412 + sbi->cur_cp_pack = 2;
3413 +
3414 ++ /* Sanity checking of checkpoint */
3415 ++ if (sanity_check_ckpt(sbi))
3416 ++ goto free_fail_no_cp;
3417 ++
3418 + if (cp_blks <= 1)
3419 + goto done;
3420 +
3421 +@@ -799,6 +824,9 @@ done:
3422 + f2fs_put_page(cp2, 1);
3423 + return 0;
3424 +
3425 ++free_fail_no_cp:
3426 ++ f2fs_put_page(cp1, 1);
3427 ++ f2fs_put_page(cp2, 1);
3428 + fail_no_cp:
3429 + kfree(sbi->ckpt);
3430 + return -EINVAL;
3431 +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
3432 +index ae354ac67da1..9041805096e0 100644
3433 +--- a/fs/f2fs/data.c
3434 ++++ b/fs/f2fs/data.c
3435 +@@ -240,6 +240,10 @@ int f2fs_submit_page_bio(struct f2fs_io_info *fio)
3436 + struct page *page = fio->encrypted_page ?
3437 + fio->encrypted_page : fio->page;
3438 +
3439 ++ if (!f2fs_is_valid_blkaddr(fio->sbi, fio->new_blkaddr,
3440 ++ __is_meta_io(fio) ? META_GENERIC : DATA_GENERIC))
3441 ++ return -EFAULT;
3442 ++
3443 + trace_f2fs_submit_page_bio(page, fio);
3444 + f2fs_trace_ios(fio, 0);
3445 +
3446 +@@ -266,9 +270,9 @@ void f2fs_submit_page_mbio(struct f2fs_io_info *fio)
3447 +
3448 + io = is_read ? &sbi->read_io : &sbi->write_io[btype];
3449 +
3450 +- if (fio->old_blkaddr != NEW_ADDR)
3451 +- verify_block_addr(sbi, fio->old_blkaddr);
3452 +- verify_block_addr(sbi, fio->new_blkaddr);
3453 ++ if (__is_valid_data_blkaddr(fio->old_blkaddr))
3454 ++ verify_block_addr(fio, fio->old_blkaddr);
3455 ++ verify_block_addr(fio, fio->new_blkaddr);
3456 +
3457 + down_write(&io->io_rwsem);
3458 +
3459 +@@ -722,7 +726,13 @@ next_dnode:
3460 + next_block:
3461 + blkaddr = datablock_addr(dn.node_page, dn.ofs_in_node);
3462 +
3463 +- if (blkaddr == NEW_ADDR || blkaddr == NULL_ADDR) {
3464 ++ if (__is_valid_data_blkaddr(blkaddr) &&
3465 ++ !f2fs_is_valid_blkaddr(sbi, blkaddr, DATA_GENERIC)) {
3466 ++ err = -EFAULT;
3467 ++ goto sync_out;
3468 ++ }
3469 ++
3470 ++ if (!is_valid_data_blkaddr(sbi, blkaddr)) {
3471 + if (create) {
3472 + if (unlikely(f2fs_cp_error(sbi))) {
3473 + err = -EIO;
3474 +@@ -985,6 +995,9 @@ static struct bio *f2fs_grab_bio(struct inode *inode, block_t blkaddr,
3475 + struct block_device *bdev = sbi->sb->s_bdev;
3476 + struct bio *bio;
3477 +
3478 ++ if (!f2fs_is_valid_blkaddr(sbi, blkaddr, DATA_GENERIC))
3479 ++ return ERR_PTR(-EFAULT);
3480 ++
3481 + if (f2fs_encrypted_inode(inode) && S_ISREG(inode->i_mode)) {
3482 + ctx = fscrypt_get_ctx(inode, GFP_NOFS);
3483 + if (IS_ERR(ctx))
3484 +@@ -1084,6 +1097,10 @@ got_it:
3485 + SetPageUptodate(page);
3486 + goto confused;
3487 + }
3488 ++
3489 ++ if (!f2fs_is_valid_blkaddr(F2FS_I_SB(inode), block_nr,
3490 ++ DATA_GENERIC))
3491 ++ goto set_error_page;
3492 + } else {
3493 + zero_user_segment(page, 0, PAGE_SIZE);
3494 + if (!PageUptodate(page))
3495 +@@ -1212,11 +1229,17 @@ retry_encrypt:
3496 +
3497 + set_page_writeback(page);
3498 +
3499 ++ if (__is_valid_data_blkaddr(fio->old_blkaddr) &&
3500 ++ !f2fs_is_valid_blkaddr(fio->sbi, fio->old_blkaddr,
3501 ++ DATA_GENERIC)) {
3502 ++ err = -EFAULT;
3503 ++ goto out_writepage;
3504 ++ }
3505 + /*
3506 + * If current allocation needs SSR,
3507 + * it had better in-place writes for updated data.
3508 + */
3509 +- if (unlikely(fio->old_blkaddr != NEW_ADDR &&
3510 ++ if (unlikely(is_valid_data_blkaddr(fio->sbi, fio->old_blkaddr) &&
3511 + !is_cold_data(page) &&
3512 + !IS_ATOMIC_WRITTEN_PAGE(page) &&
3513 + need_inplace_update(inode))) {
3514 +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
3515 +index 88e111ab068b..9c380885b0fc 100644
3516 +--- a/fs/f2fs/f2fs.h
3517 ++++ b/fs/f2fs/f2fs.h
3518 +@@ -145,7 +145,7 @@ struct cp_control {
3519 + };
3520 +
3521 + /*
3522 +- * For CP/NAT/SIT/SSA readahead
3523 ++ * indicate meta/data type
3524 + */
3525 + enum {
3526 + META_CP,
3527 +@@ -153,6 +153,8 @@ enum {
3528 + META_SIT,
3529 + META_SSA,
3530 + META_POR,
3531 ++ DATA_GENERIC,
3532 ++ META_GENERIC,
3533 + };
3534 +
3535 + /* for the list of ino */
3536 +@@ -694,6 +696,7 @@ struct f2fs_io_info {
3537 + block_t old_blkaddr; /* old block address before Cow */
3538 + struct page *page; /* page to be written */
3539 + struct page *encrypted_page; /* encrypted page */
3540 ++ bool is_meta; /* indicate borrow meta inode mapping or not */
3541 + };
3542 +
3543 + #define is_read_io(rw) (rw == READ)
3544 +@@ -1929,6 +1932,39 @@ static inline void *f2fs_kvzalloc(size_t size, gfp_t flags)
3545 + (pgofs - ADDRS_PER_INODE(inode) + ADDRS_PER_BLOCK) / \
3546 + ADDRS_PER_BLOCK * ADDRS_PER_BLOCK + ADDRS_PER_INODE(inode))
3547 +
3548 ++#define __is_meta_io(fio) (PAGE_TYPE_OF_BIO(fio->type) == META && \
3549 ++ (!is_read_io(fio->op) || fio->is_meta))
3550 ++
3551 ++bool f2fs_is_valid_blkaddr(struct f2fs_sb_info *sbi,
3552 ++ block_t blkaddr, int type);
3553 ++void f2fs_msg(struct super_block *sb, const char *level, const char *fmt, ...);
3554 ++static inline void verify_blkaddr(struct f2fs_sb_info *sbi,
3555 ++ block_t blkaddr, int type)
3556 ++{
3557 ++ if (!f2fs_is_valid_blkaddr(sbi, blkaddr, type)) {
3558 ++ f2fs_msg(sbi->sb, KERN_ERR,
3559 ++ "invalid blkaddr: %u, type: %d, run fsck to fix.",
3560 ++ blkaddr, type);
3561 ++ f2fs_bug_on(sbi, 1);
3562 ++ }
3563 ++}
3564 ++
3565 ++static inline bool __is_valid_data_blkaddr(block_t blkaddr)
3566 ++{
3567 ++ if (blkaddr == NEW_ADDR || blkaddr == NULL_ADDR)
3568 ++ return false;
3569 ++ return true;
3570 ++}
3571 ++
3572 ++static inline bool is_valid_data_blkaddr(struct f2fs_sb_info *sbi,
3573 ++ block_t blkaddr)
3574 ++{
3575 ++ if (!__is_valid_data_blkaddr(blkaddr))
3576 ++ return false;
3577 ++ verify_blkaddr(sbi, blkaddr, DATA_GENERIC);
3578 ++ return true;
3579 ++}
3580 ++
3581 + /*
3582 + * file.c
3583 + */
3584 +@@ -2114,7 +2150,8 @@ void f2fs_stop_checkpoint(struct f2fs_sb_info *, bool);
3585 + struct page *grab_meta_page(struct f2fs_sb_info *, pgoff_t);
3586 + struct page *get_meta_page(struct f2fs_sb_info *, pgoff_t);
3587 + struct page *get_tmp_page(struct f2fs_sb_info *, pgoff_t);
3588 +-bool is_valid_blkaddr(struct f2fs_sb_info *, block_t, int);
3589 ++bool f2fs_is_valid_blkaddr(struct f2fs_sb_info *sbi,
3590 ++ block_t blkaddr, int type);
3591 + int ra_meta_pages(struct f2fs_sb_info *, block_t, int, int, bool);
3592 + void ra_meta_pages_cond(struct f2fs_sb_info *, pgoff_t);
3593 + long sync_meta_pages(struct f2fs_sb_info *, enum page_type, long);
3594 +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
3595 +index 594e6e20d6dd..b768f495603e 100644
3596 +--- a/fs/f2fs/file.c
3597 ++++ b/fs/f2fs/file.c
3598 +@@ -310,13 +310,13 @@ static pgoff_t __get_first_dirty_index(struct address_space *mapping,
3599 + return pgofs;
3600 + }
3601 +
3602 +-static bool __found_offset(block_t blkaddr, pgoff_t dirty, pgoff_t pgofs,
3603 +- int whence)
3604 ++static bool __found_offset(struct f2fs_sb_info *sbi, block_t blkaddr,
3605 ++ pgoff_t dirty, pgoff_t pgofs, int whence)
3606 + {
3607 + switch (whence) {
3608 + case SEEK_DATA:
3609 + if ((blkaddr == NEW_ADDR && dirty == pgofs) ||
3610 +- (blkaddr != NEW_ADDR && blkaddr != NULL_ADDR))
3611 ++ is_valid_data_blkaddr(sbi, blkaddr))
3612 + return true;
3613 + break;
3614 + case SEEK_HOLE:
3615 +@@ -378,7 +378,15 @@ static loff_t f2fs_seek_block(struct file *file, loff_t offset, int whence)
3616 + block_t blkaddr;
3617 + blkaddr = datablock_addr(dn.node_page, dn.ofs_in_node);
3618 +
3619 +- if (__found_offset(blkaddr, dirty, pgofs, whence)) {
3620 ++ if (__is_valid_data_blkaddr(blkaddr) &&
3621 ++ !f2fs_is_valid_blkaddr(F2FS_I_SB(inode),
3622 ++ blkaddr, DATA_GENERIC)) {
3623 ++ f2fs_put_dnode(&dn);
3624 ++ goto fail;
3625 ++ }
3626 ++
3627 ++ if (__found_offset(F2FS_I_SB(inode), blkaddr, dirty,
3628 ++ pgofs, whence)) {
3629 + f2fs_put_dnode(&dn);
3630 + goto found;
3631 + }
3632 +@@ -481,6 +489,11 @@ int truncate_data_blocks_range(struct dnode_of_data *dn, int count)
3633 +
3634 + dn->data_blkaddr = NULL_ADDR;
3635 + set_data_blkaddr(dn);
3636 ++
3637 ++ if (__is_valid_data_blkaddr(blkaddr) &&
3638 ++ !f2fs_is_valid_blkaddr(sbi, blkaddr, DATA_GENERIC))
3639 ++ continue;
3640 ++
3641 + invalidate_blocks(sbi, blkaddr);
3642 + if (dn->ofs_in_node == 0 && IS_INODE(dn->node_page))
3643 + clear_inode_flag(dn->inode, FI_FIRST_BLOCK_WRITTEN);
3644 +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
3645 +index d7369895a78a..1de02c31756b 100644
3646 +--- a/fs/f2fs/inode.c
3647 ++++ b/fs/f2fs/inode.c
3648 +@@ -59,13 +59,16 @@ static void __get_inode_rdev(struct inode *inode, struct f2fs_inode *ri)
3649 + }
3650 + }
3651 +
3652 +-static bool __written_first_block(struct f2fs_inode *ri)
3653 ++static int __written_first_block(struct f2fs_sb_info *sbi,
3654 ++ struct f2fs_inode *ri)
3655 + {
3656 + block_t addr = le32_to_cpu(ri->i_addr[0]);
3657 +
3658 +- if (addr != NEW_ADDR && addr != NULL_ADDR)
3659 +- return true;
3660 +- return false;
3661 ++ if (!__is_valid_data_blkaddr(addr))
3662 ++ return 1;
3663 ++ if (!f2fs_is_valid_blkaddr(sbi, addr, DATA_GENERIC))
3664 ++ return -EFAULT;
3665 ++ return 0;
3666 + }
3667 +
3668 + static void __set_inode_rdev(struct inode *inode, struct f2fs_inode *ri)
3669 +@@ -103,12 +106,57 @@ static void __recover_inline_status(struct inode *inode, struct page *ipage)
3670 + return;
3671 + }
3672 +
3673 ++static bool sanity_check_inode(struct inode *inode, struct page *node_page)
3674 ++{
3675 ++ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
3676 ++ unsigned long long iblocks;
3677 ++
3678 ++ iblocks = le64_to_cpu(F2FS_INODE(node_page)->i_blocks);
3679 ++ if (!iblocks) {
3680 ++ set_sbi_flag(sbi, SBI_NEED_FSCK);
3681 ++ f2fs_msg(sbi->sb, KERN_WARNING,
3682 ++ "%s: corrupted inode i_blocks i_ino=%lx iblocks=%llu, "
3683 ++ "run fsck to fix.",
3684 ++ __func__, inode->i_ino, iblocks);
3685 ++ return false;
3686 ++ }
3687 ++
3688 ++ if (ino_of_node(node_page) != nid_of_node(node_page)) {
3689 ++ set_sbi_flag(sbi, SBI_NEED_FSCK);
3690 ++ f2fs_msg(sbi->sb, KERN_WARNING,
3691 ++ "%s: corrupted inode footer i_ino=%lx, ino,nid: "
3692 ++ "[%u, %u] run fsck to fix.",
3693 ++ __func__, inode->i_ino,
3694 ++ ino_of_node(node_page), nid_of_node(node_page));
3695 ++ return false;
3696 ++ }
3697 ++
3698 ++ if (F2FS_I(inode)->extent_tree) {
3699 ++ struct extent_info *ei = &F2FS_I(inode)->extent_tree->largest;
3700 ++
3701 ++ if (ei->len &&
3702 ++ (!f2fs_is_valid_blkaddr(sbi, ei->blk, DATA_GENERIC) ||
3703 ++ !f2fs_is_valid_blkaddr(sbi, ei->blk + ei->len - 1,
3704 ++ DATA_GENERIC))) {
3705 ++ set_sbi_flag(sbi, SBI_NEED_FSCK);
3706 ++ f2fs_msg(sbi->sb, KERN_WARNING,
3707 ++ "%s: inode (ino=%lx) extent info [%u, %u, %u] "
3708 ++ "is incorrect, run fsck to fix",
3709 ++ __func__, inode->i_ino,
3710 ++ ei->blk, ei->fofs, ei->len);
3711 ++ return false;
3712 ++ }
3713 ++ }
3714 ++ return true;
3715 ++}
3716 ++
3717 + static int do_read_inode(struct inode *inode)
3718 + {
3719 + struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
3720 + struct f2fs_inode_info *fi = F2FS_I(inode);
3721 + struct page *node_page;
3722 + struct f2fs_inode *ri;
3723 ++ int err;
3724 +
3725 + /* Check if ino is within scope */
3726 + if (check_nid_range(sbi, inode->i_ino)) {
3727 +@@ -152,6 +200,11 @@ static int do_read_inode(struct inode *inode)
3728 +
3729 + get_inline_info(inode, ri);
3730 +
3731 ++ if (!sanity_check_inode(inode, node_page)) {
3732 ++ f2fs_put_page(node_page, 1);
3733 ++ return -EINVAL;
3734 ++ }
3735 ++
3736 + /* check data exist */
3737 + if (f2fs_has_inline_data(inode) && !f2fs_exist_data(inode))
3738 + __recover_inline_status(inode, node_page);
3739 +@@ -159,7 +212,12 @@ static int do_read_inode(struct inode *inode)
3740 + /* get rdev by using inline_info */
3741 + __get_inode_rdev(inode, ri);
3742 +
3743 +- if (__written_first_block(ri))
3744 ++ err = __written_first_block(sbi, ri);
3745 ++ if (err < 0) {
3746 ++ f2fs_put_page(node_page, 1);
3747 ++ return err;
3748 ++ }
3749 ++ if (!err)
3750 + set_inode_flag(inode, FI_FIRST_BLOCK_WRITTEN);
3751 +
3752 + if (!need_inode_block_update(sbi, inode->i_ino))
3753 +diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
3754 +index addff6a3b176..f4fe54047fb7 100644
3755 +--- a/fs/f2fs/node.c
3756 ++++ b/fs/f2fs/node.c
3757 +@@ -304,8 +304,7 @@ static void set_node_addr(struct f2fs_sb_info *sbi, struct node_info *ni,
3758 + new_blkaddr == NULL_ADDR);
3759 + f2fs_bug_on(sbi, nat_get_blkaddr(e) == NEW_ADDR &&
3760 + new_blkaddr == NEW_ADDR);
3761 +- f2fs_bug_on(sbi, nat_get_blkaddr(e) != NEW_ADDR &&
3762 +- nat_get_blkaddr(e) != NULL_ADDR &&
3763 ++ f2fs_bug_on(sbi, is_valid_data_blkaddr(sbi, nat_get_blkaddr(e)) &&
3764 + new_blkaddr == NEW_ADDR);
3765 +
3766 + /* increment version no as node is removed */
3767 +@@ -320,7 +319,7 @@ static void set_node_addr(struct f2fs_sb_info *sbi, struct node_info *ni,
3768 +
3769 + /* change address */
3770 + nat_set_blkaddr(e, new_blkaddr);
3771 +- if (new_blkaddr == NEW_ADDR || new_blkaddr == NULL_ADDR)
3772 ++ if (!is_valid_data_blkaddr(sbi, new_blkaddr))
3773 + set_nat_flag(e, IS_CHECKPOINTED, false);
3774 + __set_nat_cache_dirty(nm_i, e);
3775 +
3776 +@@ -1606,6 +1605,12 @@ static int f2fs_write_node_page(struct page *page,
3777 + return 0;
3778 + }
3779 +
3780 ++ if (__is_valid_data_blkaddr(ni.blk_addr) &&
3781 ++ !f2fs_is_valid_blkaddr(sbi, ni.blk_addr, DATA_GENERIC)) {
3782 ++ up_read(&sbi->node_write);
3783 ++ goto redirty_out;
3784 ++ }
3785 ++
3786 + set_page_writeback(page);
3787 + fio.old_blkaddr = ni.blk_addr;
3788 + write_node_page(nid, &fio);
3789 +@@ -1704,8 +1709,9 @@ static void __del_from_free_nid_list(struct f2fs_nm_info *nm_i,
3790 + static int add_free_nid(struct f2fs_sb_info *sbi, nid_t nid, bool build)
3791 + {
3792 + struct f2fs_nm_info *nm_i = NM_I(sbi);
3793 +- struct free_nid *i;
3794 ++ struct free_nid *i, *e;
3795 + struct nat_entry *ne;
3796 ++ int err = -EINVAL;
3797 +
3798 + if (!available_free_memory(sbi, FREE_NIDS))
3799 + return -1;
3800 +@@ -1714,35 +1720,58 @@ static int add_free_nid(struct f2fs_sb_info *sbi, nid_t nid, bool build)
3801 + if (unlikely(nid == 0))
3802 + return 0;
3803 +
3804 +- if (build) {
3805 +- /* do not add allocated nids */
3806 +- ne = __lookup_nat_cache(nm_i, nid);
3807 +- if (ne && (!get_nat_flag(ne, IS_CHECKPOINTED) ||
3808 +- nat_get_blkaddr(ne) != NULL_ADDR))
3809 +- return 0;
3810 +- }
3811 +-
3812 + i = f2fs_kmem_cache_alloc(free_nid_slab, GFP_NOFS);
3813 + i->nid = nid;
3814 + i->state = NID_NEW;
3815 +
3816 +- if (radix_tree_preload(GFP_NOFS)) {
3817 +- kmem_cache_free(free_nid_slab, i);
3818 +- return 0;
3819 +- }
3820 ++ if (radix_tree_preload(GFP_NOFS))
3821 ++ goto err;
3822 +
3823 + spin_lock(&nm_i->free_nid_list_lock);
3824 +- if (radix_tree_insert(&nm_i->free_nid_root, i->nid, i)) {
3825 +- spin_unlock(&nm_i->free_nid_list_lock);
3826 +- radix_tree_preload_end();
3827 +- kmem_cache_free(free_nid_slab, i);
3828 +- return 0;
3829 ++
3830 ++ if (build) {
3831 ++ /*
3832 ++ * Thread A Thread B
3833 ++ * - f2fs_create
3834 ++ * - f2fs_new_inode
3835 ++ * - alloc_nid
3836 ++ * - __insert_nid_to_list(ALLOC_NID_LIST)
3837 ++ * - f2fs_balance_fs_bg
3838 ++ * - build_free_nids
3839 ++ * - __build_free_nids
3840 ++ * - scan_nat_page
3841 ++ * - add_free_nid
3842 ++ * - __lookup_nat_cache
3843 ++ * - f2fs_add_link
3844 ++ * - init_inode_metadata
3845 ++ * - new_inode_page
3846 ++ * - new_node_page
3847 ++ * - set_node_addr
3848 ++ * - alloc_nid_done
3849 ++ * - __remove_nid_from_list(ALLOC_NID_LIST)
3850 ++ * - __insert_nid_to_list(FREE_NID_LIST)
3851 ++ */
3852 ++ ne = __lookup_nat_cache(nm_i, nid);
3853 ++ if (ne && (!get_nat_flag(ne, IS_CHECKPOINTED) ||
3854 ++ nat_get_blkaddr(ne) != NULL_ADDR))
3855 ++ goto err_out;
3856 ++
3857 ++ e = __lookup_free_nid_list(nm_i, nid);
3858 ++ if (e)
3859 ++ goto err_out;
3860 + }
3861 ++ if (radix_tree_insert(&nm_i->free_nid_root, i->nid, i))
3862 ++ goto err_out;
3863 ++ err = 0;
3864 + list_add_tail(&i->list, &nm_i->free_nid_list);
3865 + nm_i->fcnt++;
3866 ++err_out:
3867 + spin_unlock(&nm_i->free_nid_list_lock);
3868 + radix_tree_preload_end();
3869 +- return 1;
3870 ++err:
3871 ++ if (err)
3872 ++ kmem_cache_free(free_nid_slab, i);
3873 ++ return !err;
3874 + }
3875 +
3876 + static void remove_free_nid(struct f2fs_nm_info *nm_i, nid_t nid)
3877 +diff --git a/fs/f2fs/recovery.c b/fs/f2fs/recovery.c
3878 +index 98c1a63a4614..ab4cbb4be423 100644
3879 +--- a/fs/f2fs/recovery.c
3880 ++++ b/fs/f2fs/recovery.c
3881 +@@ -236,7 +236,7 @@ static int find_fsync_dnodes(struct f2fs_sb_info *sbi, struct list_head *head)
3882 + while (1) {
3883 + struct fsync_inode_entry *entry;
3884 +
3885 +- if (!is_valid_blkaddr(sbi, blkaddr, META_POR))
3886 ++ if (!f2fs_is_valid_blkaddr(sbi, blkaddr, META_POR))
3887 + return 0;
3888 +
3889 + page = get_tmp_page(sbi, blkaddr);
3890 +@@ -468,7 +468,7 @@ retry_dn:
3891 + }
3892 +
3893 + /* dest is valid block, try to recover from src to dest */
3894 +- if (is_valid_blkaddr(sbi, dest, META_POR)) {
3895 ++ if (f2fs_is_valid_blkaddr(sbi, dest, META_POR)) {
3896 +
3897 + if (src == NULL_ADDR) {
3898 + err = reserve_new_block(&dn);
3899 +@@ -527,7 +527,7 @@ static int recover_data(struct f2fs_sb_info *sbi, struct list_head *inode_list,
3900 + while (1) {
3901 + struct fsync_inode_entry *entry;
3902 +
3903 +- if (!is_valid_blkaddr(sbi, blkaddr, META_POR))
3904 ++ if (!f2fs_is_valid_blkaddr(sbi, blkaddr, META_POR))
3905 + break;
3906 +
3907 + ra_meta_pages_cond(sbi, blkaddr);
3908 +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
3909 +index 35d48ef0573c..2fb99a081de8 100644
3910 +--- a/fs/f2fs/segment.c
3911 ++++ b/fs/f2fs/segment.c
3912 +@@ -493,6 +493,9 @@ int create_flush_cmd_control(struct f2fs_sb_info *sbi)
3913 + init_waitqueue_head(&fcc->flush_wait_queue);
3914 + init_llist_head(&fcc->issue_list);
3915 + SM_I(sbi)->cmd_control_info = fcc;
3916 ++ if (!test_opt(sbi, FLUSH_MERGE))
3917 ++ return err;
3918 ++
3919 + fcc->f2fs_issue_flush = kthread_run(issue_flush_thread, sbi,
3920 + "f2fs_flush-%u:%u", MAJOR(dev), MINOR(dev));
3921 + if (IS_ERR(fcc->f2fs_issue_flush)) {
3922 +@@ -941,7 +944,7 @@ bool is_checkpointed_data(struct f2fs_sb_info *sbi, block_t blkaddr)
3923 + struct seg_entry *se;
3924 + bool is_cp = false;
3925 +
3926 +- if (blkaddr == NEW_ADDR || blkaddr == NULL_ADDR)
3927 ++ if (!is_valid_data_blkaddr(sbi, blkaddr))
3928 + return true;
3929 +
3930 + mutex_lock(&sit_i->sentry_lock);
3931 +@@ -1665,7 +1668,7 @@ void f2fs_wait_on_encrypted_page_writeback(struct f2fs_sb_info *sbi,
3932 + {
3933 + struct page *cpage;
3934 +
3935 +- if (blkaddr == NEW_ADDR || blkaddr == NULL_ADDR)
3936 ++ if (!is_valid_data_blkaddr(sbi, blkaddr))
3937 + return;
3938 +
3939 + cpage = find_lock_page(META_MAPPING(sbi), blkaddr);
3940 +@@ -2319,7 +2322,7 @@ static int build_curseg(struct f2fs_sb_info *sbi)
3941 + return restore_curseg_summaries(sbi);
3942 + }
3943 +
3944 +-static void build_sit_entries(struct f2fs_sb_info *sbi)
3945 ++static int build_sit_entries(struct f2fs_sb_info *sbi)
3946 + {
3947 + struct sit_info *sit_i = SIT_I(sbi);
3948 + struct curseg_info *curseg = CURSEG_I(sbi, CURSEG_COLD_DATA);
3949 +@@ -2330,6 +2333,7 @@ static void build_sit_entries(struct f2fs_sb_info *sbi)
3950 + unsigned int i, start, end;
3951 + unsigned int readed, start_blk = 0;
3952 + int nrpages = MAX_BIO_BLOCKS(sbi) * 8;
3953 ++ int err = 0;
3954 +
3955 + do {
3956 + readed = ra_meta_pages(sbi, start_blk, nrpages, META_SIT, true);
3957 +@@ -2347,7 +2351,9 @@ static void build_sit_entries(struct f2fs_sb_info *sbi)
3958 + sit = sit_blk->entries[SIT_ENTRY_OFFSET(sit_i, start)];
3959 + f2fs_put_page(page, 1);
3960 +
3961 +- check_block_count(sbi, start, &sit);
3962 ++ err = check_block_count(sbi, start, &sit);
3963 ++ if (err)
3964 ++ return err;
3965 + seg_info_from_raw_sit(se, &sit);
3966 +
3967 + /* build discard map only one time */
3968 +@@ -2370,12 +2376,23 @@ static void build_sit_entries(struct f2fs_sb_info *sbi)
3969 + unsigned int old_valid_blocks;
3970 +
3971 + start = le32_to_cpu(segno_in_journal(journal, i));
3972 ++ if (start >= MAIN_SEGS(sbi)) {
3973 ++ f2fs_msg(sbi->sb, KERN_ERR,
3974 ++ "Wrong journal entry on segno %u",
3975 ++ start);
3976 ++ set_sbi_flag(sbi, SBI_NEED_FSCK);
3977 ++ err = -EINVAL;
3978 ++ break;
3979 ++ }
3980 ++
3981 + se = &sit_i->sentries[start];
3982 + sit = sit_in_journal(journal, i);
3983 +
3984 + old_valid_blocks = se->valid_blocks;
3985 +
3986 +- check_block_count(sbi, start, &sit);
3987 ++ err = check_block_count(sbi, start, &sit);
3988 ++ if (err)
3989 ++ break;
3990 + seg_info_from_raw_sit(se, &sit);
3991 +
3992 + if (f2fs_discard_en(sbi)) {
3993 +@@ -2390,6 +2407,7 @@ static void build_sit_entries(struct f2fs_sb_info *sbi)
3994 + se->valid_blocks - old_valid_blocks;
3995 + }
3996 + up_read(&curseg->journal_rwsem);
3997 ++ return err;
3998 + }
3999 +
4000 + static void init_free_segmap(struct f2fs_sb_info *sbi)
4001 +@@ -2539,7 +2557,7 @@ int build_segment_manager(struct f2fs_sb_info *sbi)
4002 +
4003 + INIT_LIST_HEAD(&sm_info->sit_entry_set);
4004 +
4005 +- if (test_opt(sbi, FLUSH_MERGE) && !f2fs_readonly(sbi->sb)) {
4006 ++ if (!f2fs_readonly(sbi->sb)) {
4007 + err = create_flush_cmd_control(sbi);
4008 + if (err)
4009 + return err;
4010 +@@ -2556,7 +2574,9 @@ int build_segment_manager(struct f2fs_sb_info *sbi)
4011 + return err;
4012 +
4013 + /* reinit free segmap based on SIT */
4014 +- build_sit_entries(sbi);
4015 ++ err = build_sit_entries(sbi);
4016 ++ if (err)
4017 ++ return err;
4018 +
4019 + init_free_segmap(sbi);
4020 + err = build_dirty_segmap(sbi);
4021 +diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h
4022 +index 3d9b9e98c4c2..893723978f5e 100644
4023 +--- a/fs/f2fs/segment.h
4024 ++++ b/fs/f2fs/segment.h
4025 +@@ -18,6 +18,8 @@
4026 + #define DEF_RECLAIM_PREFREE_SEGMENTS 5 /* 5% over total segments */
4027 + #define DEF_MAX_RECLAIM_PREFREE_SEGMENTS 4096 /* 8GB in maximum */
4028 +
4029 ++#define F2FS_MIN_SEGMENTS 9 /* SB + 2 (CP + SIT + NAT) + SSA + MAIN */
4030 ++
4031 + /* L: Logical segment # in volume, R: Relative segment # in main area */
4032 + #define GET_L2R_SEGNO(free_i, segno) (segno - free_i->start_segno)
4033 + #define GET_R2L_SEGNO(free_i, segno) (segno + free_i->start_segno)
4034 +@@ -47,13 +49,19 @@
4035 + (secno == CURSEG_I(sbi, CURSEG_COLD_NODE)->segno / \
4036 + sbi->segs_per_sec)) \
4037 +
4038 +-#define MAIN_BLKADDR(sbi) (SM_I(sbi)->main_blkaddr)
4039 +-#define SEG0_BLKADDR(sbi) (SM_I(sbi)->seg0_blkaddr)
4040 ++#define MAIN_BLKADDR(sbi) \
4041 ++ (SM_I(sbi) ? SM_I(sbi)->main_blkaddr : \
4042 ++ le32_to_cpu(F2FS_RAW_SUPER(sbi)->main_blkaddr))
4043 ++#define SEG0_BLKADDR(sbi) \
4044 ++ (SM_I(sbi) ? SM_I(sbi)->seg0_blkaddr : \
4045 ++ le32_to_cpu(F2FS_RAW_SUPER(sbi)->segment0_blkaddr))
4046 +
4047 + #define MAIN_SEGS(sbi) (SM_I(sbi)->main_segments)
4048 + #define MAIN_SECS(sbi) (sbi->total_sections)
4049 +
4050 +-#define TOTAL_SEGS(sbi) (SM_I(sbi)->segment_count)
4051 ++#define TOTAL_SEGS(sbi) \
4052 ++ (SM_I(sbi) ? SM_I(sbi)->segment_count : \
4053 ++ le32_to_cpu(F2FS_RAW_SUPER(sbi)->segment_count))
4054 + #define TOTAL_BLKS(sbi) (TOTAL_SEGS(sbi) << sbi->log_blocks_per_seg)
4055 +
4056 + #define MAX_BLKADDR(sbi) (SEG0_BLKADDR(sbi) + TOTAL_BLKS(sbi))
4057 +@@ -73,7 +81,7 @@
4058 + (GET_SEGOFF_FROM_SEG0(sbi, blk_addr) & (sbi->blocks_per_seg - 1))
4059 +
4060 + #define GET_SEGNO(sbi, blk_addr) \
4061 +- (((blk_addr == NULL_ADDR) || (blk_addr == NEW_ADDR)) ? \
4062 ++ ((!is_valid_data_blkaddr(sbi, blk_addr)) ? \
4063 + NULL_SEGNO : GET_L2R_SEGNO(FREE_I(sbi), \
4064 + GET_SEGNO_FROM_SEG0(sbi, blk_addr)))
4065 + #define GET_SECNO(sbi, segno) \
4066 +@@ -589,16 +597,20 @@ static inline void check_seg_range(struct f2fs_sb_info *sbi, unsigned int segno)
4067 + f2fs_bug_on(sbi, segno > TOTAL_SEGS(sbi) - 1);
4068 + }
4069 +
4070 +-static inline void verify_block_addr(struct f2fs_sb_info *sbi, block_t blk_addr)
4071 ++static inline void verify_block_addr(struct f2fs_io_info *fio, block_t blk_addr)
4072 + {
4073 +- BUG_ON(blk_addr < SEG0_BLKADDR(sbi)
4074 +- || blk_addr >= MAX_BLKADDR(sbi));
4075 ++ struct f2fs_sb_info *sbi = fio->sbi;
4076 ++
4077 ++ if (__is_meta_io(fio))
4078 ++ verify_blkaddr(sbi, blk_addr, META_GENERIC);
4079 ++ else
4080 ++ verify_blkaddr(sbi, blk_addr, DATA_GENERIC);
4081 + }
4082 +
4083 + /*
4084 + * Summary block is always treated as an invalid block
4085 + */
4086 +-static inline void check_block_count(struct f2fs_sb_info *sbi,
4087 ++static inline int check_block_count(struct f2fs_sb_info *sbi,
4088 + int segno, struct f2fs_sit_entry *raw_sit)
4089 + {
4090 + #ifdef CONFIG_F2FS_CHECK_FS
4091 +@@ -620,11 +632,25 @@ static inline void check_block_count(struct f2fs_sb_info *sbi,
4092 + cur_pos = next_pos;
4093 + is_valid = !is_valid;
4094 + } while (cur_pos < sbi->blocks_per_seg);
4095 +- BUG_ON(GET_SIT_VBLOCKS(raw_sit) != valid_blocks);
4096 ++
4097 ++ if (unlikely(GET_SIT_VBLOCKS(raw_sit) != valid_blocks)) {
4098 ++ f2fs_msg(sbi->sb, KERN_ERR,
4099 ++ "Mismatch valid blocks %d vs. %d",
4100 ++ GET_SIT_VBLOCKS(raw_sit), valid_blocks);
4101 ++ set_sbi_flag(sbi, SBI_NEED_FSCK);
4102 ++ return -EINVAL;
4103 ++ }
4104 + #endif
4105 + /* check segment usage, and check boundary of a given segment number */
4106 +- f2fs_bug_on(sbi, GET_SIT_VBLOCKS(raw_sit) > sbi->blocks_per_seg
4107 +- || segno > TOTAL_SEGS(sbi) - 1);
4108 ++ if (unlikely(GET_SIT_VBLOCKS(raw_sit) > sbi->blocks_per_seg
4109 ++ || segno > TOTAL_SEGS(sbi) - 1)) {
4110 ++ f2fs_msg(sbi->sb, KERN_ERR,
4111 ++ "Wrong valid blocks %d or segno %u",
4112 ++ GET_SIT_VBLOCKS(raw_sit), segno);
4113 ++ set_sbi_flag(sbi, SBI_NEED_FSCK);
4114 ++ return -EINVAL;
4115 ++ }
4116 ++ return 0;
4117 + }
4118 +
4119 + static inline pgoff_t current_sit_addr(struct f2fs_sb_info *sbi,
4120 +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
4121 +index 91bf72334722..c8f408d8a582 100644
4122 +--- a/fs/f2fs/super.c
4123 ++++ b/fs/f2fs/super.c
4124 +@@ -1337,6 +1337,8 @@ static inline bool sanity_check_area_boundary(struct f2fs_sb_info *sbi,
4125 + static int sanity_check_raw_super(struct f2fs_sb_info *sbi,
4126 + struct buffer_head *bh)
4127 + {
4128 ++ block_t segment_count, segs_per_sec, secs_per_zone;
4129 ++ block_t total_sections, blocks_per_seg;
4130 + struct f2fs_super_block *raw_super = (struct f2fs_super_block *)
4131 + (bh->b_data + F2FS_SUPER_OFFSET);
4132 + struct super_block *sb = sbi->sb;
4133 +@@ -1393,6 +1395,68 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi,
4134 + return 1;
4135 + }
4136 +
4137 ++ segment_count = le32_to_cpu(raw_super->segment_count);
4138 ++ segs_per_sec = le32_to_cpu(raw_super->segs_per_sec);
4139 ++ secs_per_zone = le32_to_cpu(raw_super->secs_per_zone);
4140 ++ total_sections = le32_to_cpu(raw_super->section_count);
4141 ++
4142 ++ /* blocks_per_seg should be 512, given the above check */
4143 ++ blocks_per_seg = 1 << le32_to_cpu(raw_super->log_blocks_per_seg);
4144 ++
4145 ++ if (segment_count > F2FS_MAX_SEGMENT ||
4146 ++ segment_count < F2FS_MIN_SEGMENTS) {
4147 ++ f2fs_msg(sb, KERN_INFO,
4148 ++ "Invalid segment count (%u)",
4149 ++ segment_count);
4150 ++ return 1;
4151 ++ }
4152 ++
4153 ++ if (total_sections > segment_count ||
4154 ++ total_sections < F2FS_MIN_SEGMENTS ||
4155 ++ segs_per_sec > segment_count || !segs_per_sec) {
4156 ++ f2fs_msg(sb, KERN_INFO,
4157 ++ "Invalid segment/section count (%u, %u x %u)",
4158 ++ segment_count, total_sections, segs_per_sec);
4159 ++ return 1;
4160 ++ }
4161 ++
4162 ++ if ((segment_count / segs_per_sec) < total_sections) {
4163 ++ f2fs_msg(sb, KERN_INFO,
4164 ++ "Small segment_count (%u < %u * %u)",
4165 ++ segment_count, segs_per_sec, total_sections);
4166 ++ return 1;
4167 ++ }
4168 ++
4169 ++ if (segment_count > (le32_to_cpu(raw_super->block_count) >> 9)) {
4170 ++ f2fs_msg(sb, KERN_INFO,
4171 ++ "Wrong segment_count / block_count (%u > %u)",
4172 ++ segment_count, le32_to_cpu(raw_super->block_count));
4173 ++ return 1;
4174 ++ }
4175 ++
4176 ++ if (secs_per_zone > total_sections || !secs_per_zone) {
4177 ++ f2fs_msg(sb, KERN_INFO,
4178 ++ "Wrong secs_per_zone / total_sections (%u, %u)",
4179 ++ secs_per_zone, total_sections);
4180 ++ return 1;
4181 ++ }
4182 ++ if (le32_to_cpu(raw_super->extension_count) > F2FS_MAX_EXTENSION) {
4183 ++ f2fs_msg(sb, KERN_INFO,
4184 ++ "Corrupted extension count (%u > %u)",
4185 ++ le32_to_cpu(raw_super->extension_count),
4186 ++ F2FS_MAX_EXTENSION);
4187 ++ return 1;
4188 ++ }
4189 ++
4190 ++ if (le32_to_cpu(raw_super->cp_payload) >
4191 ++ (blocks_per_seg - F2FS_CP_PACKS)) {
4192 ++ f2fs_msg(sb, KERN_INFO,
4193 ++ "Insane cp_payload (%u > %u)",
4194 ++ le32_to_cpu(raw_super->cp_payload),
4195 ++ blocks_per_seg - F2FS_CP_PACKS);
4196 ++ return 1;
4197 ++ }
4198 ++
4199 + /* check reserved ino info */
4200 + if (le32_to_cpu(raw_super->node_ino) != 1 ||
4201 + le32_to_cpu(raw_super->meta_ino) != 2 ||
4202 +@@ -1405,13 +1469,6 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi,
4203 + return 1;
4204 + }
4205 +
4206 +- if (le32_to_cpu(raw_super->segment_count) > F2FS_MAX_SEGMENT) {
4207 +- f2fs_msg(sb, KERN_INFO,
4208 +- "Invalid segment count (%u)",
4209 +- le32_to_cpu(raw_super->segment_count));
4210 +- return 1;
4211 +- }
4212 +-
4213 + /* check CP/SIT/NAT/SSA/MAIN_AREA area boundary */
4214 + if (sanity_check_area_boundary(sbi, bh))
4215 + return 1;
4216 +@@ -1424,10 +1481,14 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
4217 + unsigned int total, fsmeta;
4218 + struct f2fs_super_block *raw_super = F2FS_RAW_SUPER(sbi);
4219 + struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi);
4220 ++ unsigned int ovp_segments, reserved_segments;
4221 + unsigned int main_segs, blocks_per_seg;
4222 + unsigned int sit_segs, nat_segs;
4223 + unsigned int sit_bitmap_size, nat_bitmap_size;
4224 + unsigned int log_blocks_per_seg;
4225 ++ unsigned int segment_count_main;
4226 ++ unsigned int cp_pack_start_sum, cp_payload;
4227 ++ block_t user_block_count;
4228 + int i;
4229 +
4230 + total = le32_to_cpu(raw_super->segment_count);
4231 +@@ -1442,6 +1503,26 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
4232 + if (unlikely(fsmeta >= total))
4233 + return 1;
4234 +
4235 ++ ovp_segments = le32_to_cpu(ckpt->overprov_segment_count);
4236 ++ reserved_segments = le32_to_cpu(ckpt->rsvd_segment_count);
4237 ++
4238 ++ if (unlikely(fsmeta < F2FS_MIN_SEGMENTS ||
4239 ++ ovp_segments == 0 || reserved_segments == 0)) {
4240 ++ f2fs_msg(sbi->sb, KERN_ERR,
4241 ++ "Wrong layout: check mkfs.f2fs version");
4242 ++ return 1;
4243 ++ }
4244 ++
4245 ++ user_block_count = le64_to_cpu(ckpt->user_block_count);
4246 ++ segment_count_main = le32_to_cpu(raw_super->segment_count_main);
4247 ++ log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg);
4248 ++ if (!user_block_count || user_block_count >=
4249 ++ segment_count_main << log_blocks_per_seg) {
4250 ++ f2fs_msg(sbi->sb, KERN_ERR,
4251 ++ "Wrong user_block_count: %u", user_block_count);
4252 ++ return 1;
4253 ++ }
4254 ++
4255 + main_segs = le32_to_cpu(raw_super->segment_count_main);
4256 + blocks_per_seg = sbi->blocks_per_seg;
4257 +
4258 +@@ -1458,7 +1539,6 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
4259 +
4260 + sit_bitmap_size = le32_to_cpu(ckpt->sit_ver_bitmap_bytesize);
4261 + nat_bitmap_size = le32_to_cpu(ckpt->nat_ver_bitmap_bytesize);
4262 +- log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg);
4263 +
4264 + if (sit_bitmap_size != ((sit_segs / 2) << log_blocks_per_seg) / 8 ||
4265 + nat_bitmap_size != ((nat_segs / 2) << log_blocks_per_seg) / 8) {
4266 +@@ -1468,6 +1548,17 @@ int sanity_check_ckpt(struct f2fs_sb_info *sbi)
4267 + return 1;
4268 + }
4269 +
4270 ++ cp_pack_start_sum = __start_sum_addr(sbi);
4271 ++ cp_payload = __cp_payload(sbi);
4272 ++ if (cp_pack_start_sum < cp_payload + 1 ||
4273 ++ cp_pack_start_sum > blocks_per_seg - 1 -
4274 ++ NR_CURSEG_TYPE) {
4275 ++ f2fs_msg(sbi->sb, KERN_ERR,
4276 ++ "Wrong cp_pack_start_sum: %u",
4277 ++ cp_pack_start_sum);
4278 ++ return 1;
4279 ++ }
4280 ++
4281 + if (unlikely(f2fs_cp_error(sbi))) {
4282 + f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck");
4283 + return 1;
4284 +diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
4285 +index 2c2f182cde03..f53c139c312e 100644
4286 +--- a/fs/hugetlbfs/inode.c
4287 ++++ b/fs/hugetlbfs/inode.c
4288 +@@ -118,6 +118,16 @@ static void huge_pagevec_release(struct pagevec *pvec)
4289 + pagevec_reinit(pvec);
4290 + }
4291 +
4292 ++/*
4293 ++ * Mask used when checking the page offset value passed in via system
4294 ++ * calls. This value will be converted to a loff_t which is signed.
4295 ++ * Therefore, we want to check the upper PAGE_SHIFT + 1 bits of the
4296 ++ * value. The extra bit (- 1 in the shift value) is to take the sign
4297 ++ * bit into account.
4298 ++ */
4299 ++#define PGOFF_LOFFT_MAX \
4300 ++ (((1UL << (PAGE_SHIFT + 1)) - 1) << (BITS_PER_LONG - (PAGE_SHIFT + 1)))
4301 ++
4302 + static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
4303 + {
4304 + struct inode *inode = file_inode(file);
4305 +@@ -136,17 +146,31 @@ static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
4306 + vma->vm_flags |= VM_HUGETLB | VM_DONTEXPAND;
4307 + vma->vm_ops = &hugetlb_vm_ops;
4308 +
4309 ++ /*
4310 ++ * page based offset in vm_pgoff could be sufficiently large to
4311 ++ * overflow a loff_t when converted to byte offset. This can
4312 ++ * only happen on architectures where sizeof(loff_t) ==
4313 ++ * sizeof(unsigned long). So, only check in those instances.
4314 ++ */
4315 ++ if (sizeof(unsigned long) == sizeof(loff_t)) {
4316 ++ if (vma->vm_pgoff & PGOFF_LOFFT_MAX)
4317 ++ return -EINVAL;
4318 ++ }
4319 ++
4320 ++ /* must be huge page aligned */
4321 + if (vma->vm_pgoff & (~huge_page_mask(h) >> PAGE_SHIFT))
4322 + return -EINVAL;
4323 +
4324 + vma_len = (loff_t)(vma->vm_end - vma->vm_start);
4325 ++ len = vma_len + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
4326 ++ /* check for overflow */
4327 ++ if (len < vma_len)
4328 ++ return -EINVAL;
4329 +
4330 + inode_lock(inode);
4331 + file_accessed(file);
4332 +
4333 + ret = -ENOMEM;
4334 +- len = vma_len + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
4335 +-
4336 + if (hugetlb_reserve_pages(inode,
4337 + vma->vm_pgoff >> huge_page_order(h),
4338 + len >> huge_page_shift(h), vma,
4339 +@@ -155,7 +179,7 @@ static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
4340 +
4341 + ret = 0;
4342 + if (vma->vm_flags & VM_WRITE && inode->i_size < len)
4343 +- inode->i_size = len;
4344 ++ i_size_write(inode, len);
4345 + out:
4346 + inode_unlock(inode);
4347 +
4348 +diff --git a/fs/kernfs/symlink.c b/fs/kernfs/symlink.c
4349 +index 9b43ca02b7ab..80317b04c84a 100644
4350 +--- a/fs/kernfs/symlink.c
4351 ++++ b/fs/kernfs/symlink.c
4352 +@@ -88,7 +88,7 @@ static int kernfs_get_target_path(struct kernfs_node *parent,
4353 + int slen = strlen(kn->name);
4354 +
4355 + len -= slen;
4356 +- strncpy(s + len, kn->name, slen);
4357 ++ memcpy(s + len, kn->name, slen);
4358 + if (len)
4359 + s[--len] = '/';
4360 +
4361 +diff --git a/fs/udf/super.c b/fs/udf/super.c
4362 +index 12467ad608cd..03369a89600e 100644
4363 +--- a/fs/udf/super.c
4364 ++++ b/fs/udf/super.c
4365 +@@ -929,16 +929,20 @@ static int udf_load_pvoldesc(struct super_block *sb, sector_t block)
4366 + }
4367 +
4368 + ret = udf_dstrCS0toUTF8(outstr, 31, pvoldesc->volIdent, 32);
4369 +- if (ret < 0)
4370 +- goto out_bh;
4371 +-
4372 +- strncpy(UDF_SB(sb)->s_volume_ident, outstr, ret);
4373 ++ if (ret < 0) {
4374 ++ strcpy(UDF_SB(sb)->s_volume_ident, "InvalidName");
4375 ++ pr_warn("incorrect volume identification, setting to "
4376 ++ "'InvalidName'\n");
4377 ++ } else {
4378 ++ strncpy(UDF_SB(sb)->s_volume_ident, outstr, ret);
4379 ++ }
4380 + udf_debug("volIdent[] = '%s'\n", UDF_SB(sb)->s_volume_ident);
4381 +
4382 + ret = udf_dstrCS0toUTF8(outstr, 127, pvoldesc->volSetIdent, 128);
4383 +- if (ret < 0)
4384 ++ if (ret < 0) {
4385 ++ ret = 0;
4386 + goto out_bh;
4387 +-
4388 ++ }
4389 + outstr[ret] = 0;
4390 + udf_debug("volSetIdent[] = '%s'\n", outstr);
4391 +
4392 +diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c
4393 +index 3a3be23689b3..61a1738895b7 100644
4394 +--- a/fs/udf/unicode.c
4395 ++++ b/fs/udf/unicode.c
4396 +@@ -341,6 +341,11 @@ try_again:
4397 + return u_len;
4398 + }
4399 +
4400 ++/*
4401 ++ * Convert CS0 dstring to output charset. Warning: This function may truncate
4402 ++ * input string if it is too long as it is used for informational strings only
4403 ++ * and it is better to truncate the string than to refuse mounting a media.
4404 ++ */
4405 + int udf_dstrCS0toUTF8(uint8_t *utf_o, int o_len,
4406 + const uint8_t *ocu_i, int i_len)
4407 + {
4408 +@@ -349,9 +354,12 @@ int udf_dstrCS0toUTF8(uint8_t *utf_o, int o_len,
4409 + if (i_len > 0) {
4410 + s_len = ocu_i[i_len - 1];
4411 + if (s_len >= i_len) {
4412 +- pr_err("incorrect dstring lengths (%d/%d)\n",
4413 +- s_len, i_len);
4414 +- return -EINVAL;
4415 ++ pr_warn("incorrect dstring lengths (%d/%d),"
4416 ++ " truncating\n", s_len, i_len);
4417 ++ s_len = i_len - 1;
4418 ++ /* 2-byte encoding? Need to round properly... */
4419 ++ if (ocu_i[0] == 16)
4420 ++ s_len -= (s_len - 1) & 2;
4421 + }
4422 + }
4423 +
4424 +diff --git a/fs/xfs/libxfs/xfs_attr.c b/fs/xfs/libxfs/xfs_attr.c
4425 +index 6622d46ddec3..9687208c676f 100644
4426 +--- a/fs/xfs/libxfs/xfs_attr.c
4427 ++++ b/fs/xfs/libxfs/xfs_attr.c
4428 +@@ -487,7 +487,14 @@ xfs_attr_shortform_addname(xfs_da_args_t *args)
4429 + if (args->flags & ATTR_CREATE)
4430 + return retval;
4431 + retval = xfs_attr_shortform_remove(args);
4432 +- ASSERT(retval == 0);
4433 ++ if (retval)
4434 ++ return retval;
4435 ++ /*
4436 ++ * Since we have removed the old attr, clear ATTR_REPLACE so
4437 ++ * that the leaf format add routine won't trip over the attr
4438 ++ * not being around.
4439 ++ */
4440 ++ args->flags &= ~ATTR_REPLACE;
4441 + }
4442 +
4443 + if (args->namelen >= XFS_ATTR_SF_ENTSIZE_MAX ||
4444 +diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
4445 +index 070fc49e39e2..5031defe59c5 100644
4446 +--- a/include/linux/bpf_verifier.h
4447 ++++ b/include/linux/bpf_verifier.h
4448 +@@ -71,6 +71,7 @@ struct bpf_insn_aux_data {
4449 + enum bpf_reg_type ptr_type; /* pointer type for load/store insns */
4450 + struct bpf_map *map_ptr; /* pointer for call insn into lookup_elem */
4451 + };
4452 ++ int sanitize_stack_off; /* stack slot to be cleared */
4453 + bool seen; /* this insn was processed by the verifier */
4454 + };
4455 +
4456 +diff --git a/include/linux/ceph/auth.h b/include/linux/ceph/auth.h
4457 +index 374bb1c4ef52..035f26a04364 100644
4458 +--- a/include/linux/ceph/auth.h
4459 ++++ b/include/linux/ceph/auth.h
4460 +@@ -63,8 +63,12 @@ struct ceph_auth_client_ops {
4461 + /* ensure that an existing authorizer is up to date */
4462 + int (*update_authorizer)(struct ceph_auth_client *ac, int peer_type,
4463 + struct ceph_auth_handshake *auth);
4464 ++ int (*add_authorizer_challenge)(struct ceph_auth_client *ac,
4465 ++ struct ceph_authorizer *a,
4466 ++ void *challenge_buf,
4467 ++ int challenge_buf_len);
4468 + int (*verify_authorizer_reply)(struct ceph_auth_client *ac,
4469 +- struct ceph_authorizer *a, size_t len);
4470 ++ struct ceph_authorizer *a);
4471 + void (*invalidate_authorizer)(struct ceph_auth_client *ac,
4472 + int peer_type);
4473 +
4474 +@@ -117,9 +121,12 @@ void ceph_auth_destroy_authorizer(struct ceph_authorizer *a);
4475 + extern int ceph_auth_update_authorizer(struct ceph_auth_client *ac,
4476 + int peer_type,
4477 + struct ceph_auth_handshake *a);
4478 ++int ceph_auth_add_authorizer_challenge(struct ceph_auth_client *ac,
4479 ++ struct ceph_authorizer *a,
4480 ++ void *challenge_buf,
4481 ++ int challenge_buf_len);
4482 + extern int ceph_auth_verify_authorizer_reply(struct ceph_auth_client *ac,
4483 +- struct ceph_authorizer *a,
4484 +- size_t len);
4485 ++ struct ceph_authorizer *a);
4486 + extern void ceph_auth_invalidate_authorizer(struct ceph_auth_client *ac,
4487 + int peer_type);
4488 +
4489 +diff --git a/include/linux/ceph/ceph_features.h b/include/linux/ceph/ceph_features.h
4490 +index ae2f66833762..cf765db39c95 100644
4491 +--- a/include/linux/ceph/ceph_features.h
4492 ++++ b/include/linux/ceph/ceph_features.h
4493 +@@ -76,6 +76,7 @@
4494 + // duplicated since it was introduced at the same time as CEPH_FEATURE_CRUSH_TUNABLES5
4495 + #define CEPH_FEATURE_NEW_OSDOPREPLY_ENCODING (1ULL<<58) /* New, v7 encoding */
4496 + #define CEPH_FEATURE_FS_FILE_LAYOUT_V2 (1ULL<<58) /* file_layout_t */
4497 ++#define CEPH_FEATURE_CEPHX_V2 (1ULL<<61) // *do not share this bit*
4498 +
4499 + /*
4500 + * The introduction of CEPH_FEATURE_OSD_SNAPMAPPER caused the feature
4501 +@@ -124,7 +125,8 @@ static inline u64 ceph_sanitize_features(u64 features)
4502 + CEPH_FEATURE_MSGR_KEEPALIVE2 | \
4503 + CEPH_FEATURE_CRUSH_V4 | \
4504 + CEPH_FEATURE_CRUSH_TUNABLES5 | \
4505 +- CEPH_FEATURE_NEW_OSDOPREPLY_ENCODING)
4506 ++ CEPH_FEATURE_NEW_OSDOPREPLY_ENCODING | \
4507 ++ CEPH_FEATURE_CEPHX_V2)
4508 +
4509 + #define CEPH_FEATURES_REQUIRED_DEFAULT \
4510 + (CEPH_FEATURE_NOSRCADDR | \
4511 +diff --git a/include/linux/ceph/messenger.h b/include/linux/ceph/messenger.h
4512 +index 8dbd7879fdc6..5e1c9c80d536 100644
4513 +--- a/include/linux/ceph/messenger.h
4514 ++++ b/include/linux/ceph/messenger.h
4515 +@@ -30,7 +30,10 @@ struct ceph_connection_operations {
4516 + struct ceph_auth_handshake *(*get_authorizer) (
4517 + struct ceph_connection *con,
4518 + int *proto, int force_new);
4519 +- int (*verify_authorizer_reply) (struct ceph_connection *con, int len);
4520 ++ int (*add_authorizer_challenge)(struct ceph_connection *con,
4521 ++ void *challenge_buf,
4522 ++ int challenge_buf_len);
4523 ++ int (*verify_authorizer_reply) (struct ceph_connection *con);
4524 + int (*invalidate_authorizer)(struct ceph_connection *con);
4525 +
4526 + /* there was some error on the socket (disconnect, whatever) */
4527 +@@ -200,9 +203,8 @@ struct ceph_connection {
4528 + attempt for this connection, client */
4529 + u32 peer_global_seq; /* peer's global seq for this connection */
4530 +
4531 ++ struct ceph_auth_handshake *auth;
4532 + int auth_retry; /* true if we need a newer authorizer */
4533 +- void *auth_reply_buf; /* where to put the authorizer reply */
4534 +- int auth_reply_buf_len;
4535 +
4536 + struct mutex mutex;
4537 +
4538 +diff --git a/include/linux/ceph/msgr.h b/include/linux/ceph/msgr.h
4539 +index 0fe2656ac415..063f9d7f1b74 100644
4540 +--- a/include/linux/ceph/msgr.h
4541 ++++ b/include/linux/ceph/msgr.h
4542 +@@ -90,7 +90,7 @@ struct ceph_entity_inst {
4543 + #define CEPH_MSGR_TAG_SEQ 13 /* 64-bit int follows with seen seq number */
4544 + #define CEPH_MSGR_TAG_KEEPALIVE2 14 /* keepalive2 byte + ceph_timespec */
4545 + #define CEPH_MSGR_TAG_KEEPALIVE2_ACK 15 /* keepalive2 reply */
4546 +-
4547 ++#define CEPH_MSGR_TAG_CHALLENGE_AUTHORIZER 16 /* cephx v2 doing server challenge */
4548 +
4549 + /*
4550 + * connection negotiation
4551 +diff --git a/include/linux/reset.h b/include/linux/reset.h
4552 +index 5daff15722d3..7e99690dbc81 100644
4553 +--- a/include/linux/reset.h
4554 ++++ b/include/linux/reset.h
4555 +@@ -13,76 +13,82 @@ int reset_control_deassert(struct reset_control *rstc);
4556 + int reset_control_status(struct reset_control *rstc);
4557 +
4558 + struct reset_control *__of_reset_control_get(struct device_node *node,
4559 +- const char *id, int index, int shared);
4560 ++ const char *id, int index, bool shared,
4561 ++ bool optional);
4562 ++struct reset_control *__reset_control_get(struct device *dev, const char *id,
4563 ++ int index, bool shared,
4564 ++ bool optional);
4565 + void reset_control_put(struct reset_control *rstc);
4566 ++int __device_reset(struct device *dev, bool optional);
4567 + struct reset_control *__devm_reset_control_get(struct device *dev,
4568 +- const char *id, int index, int shared);
4569 +-
4570 +-int __must_check device_reset(struct device *dev);
4571 +-
4572 +-static inline int device_reset_optional(struct device *dev)
4573 +-{
4574 +- return device_reset(dev);
4575 +-}
4576 ++ const char *id, int index, bool shared,
4577 ++ bool optional);
4578 +
4579 + #else
4580 +
4581 + static inline int reset_control_reset(struct reset_control *rstc)
4582 + {
4583 +- WARN_ON(1);
4584 + return 0;
4585 + }
4586 +
4587 + static inline int reset_control_assert(struct reset_control *rstc)
4588 + {
4589 +- WARN_ON(1);
4590 + return 0;
4591 + }
4592 +
4593 + static inline int reset_control_deassert(struct reset_control *rstc)
4594 + {
4595 +- WARN_ON(1);
4596 + return 0;
4597 + }
4598 +
4599 + static inline int reset_control_status(struct reset_control *rstc)
4600 + {
4601 +- WARN_ON(1);
4602 + return 0;
4603 + }
4604 +
4605 + static inline void reset_control_put(struct reset_control *rstc)
4606 + {
4607 +- WARN_ON(1);
4608 + }
4609 +
4610 +-static inline int __must_check device_reset(struct device *dev)
4611 ++static inline int __device_reset(struct device *dev, bool optional)
4612 + {
4613 +- WARN_ON(1);
4614 +- return -ENOTSUPP;
4615 ++ return optional ? 0 : -ENOTSUPP;
4616 + }
4617 +
4618 +-static inline int device_reset_optional(struct device *dev)
4619 ++static inline struct reset_control *__of_reset_control_get(
4620 ++ struct device_node *node,
4621 ++ const char *id, int index, bool shared,
4622 ++ bool optional)
4623 + {
4624 +- return -ENOTSUPP;
4625 ++ return optional ? NULL : ERR_PTR(-ENOTSUPP);
4626 + }
4627 +
4628 +-static inline struct reset_control *__of_reset_control_get(
4629 +- struct device_node *node,
4630 +- const char *id, int index, int shared)
4631 ++static inline struct reset_control *__reset_control_get(
4632 ++ struct device *dev, const char *id,
4633 ++ int index, bool shared, bool optional)
4634 + {
4635 +- return ERR_PTR(-ENOTSUPP);
4636 ++ return optional ? NULL : ERR_PTR(-ENOTSUPP);
4637 + }
4638 +
4639 + static inline struct reset_control *__devm_reset_control_get(
4640 +- struct device *dev,
4641 +- const char *id, int index, int shared)
4642 ++ struct device *dev, const char *id,
4643 ++ int index, bool shared, bool optional)
4644 + {
4645 +- return ERR_PTR(-ENOTSUPP);
4646 ++ return optional ? NULL : ERR_PTR(-ENOTSUPP);
4647 + }
4648 +
4649 + #endif /* CONFIG_RESET_CONTROLLER */
4650 +
4651 ++static inline int __must_check device_reset(struct device *dev)
4652 ++{
4653 ++ return __device_reset(dev, false);
4654 ++}
4655 ++
4656 ++static inline int device_reset_optional(struct device *dev)
4657 ++{
4658 ++ return __device_reset(dev, true);
4659 ++}
4660 ++
4661 + /**
4662 + * reset_control_get_exclusive - Lookup and obtain an exclusive reference
4663 + * to a reset controller.
4664 +@@ -101,10 +107,7 @@ static inline struct reset_control *__devm_reset_control_get(
4665 + static inline struct reset_control *
4666 + __must_check reset_control_get_exclusive(struct device *dev, const char *id)
4667 + {
4668 +-#ifndef CONFIG_RESET_CONTROLLER
4669 +- WARN_ON(1);
4670 +-#endif
4671 +- return __of_reset_control_get(dev ? dev->of_node : NULL, id, 0, 0);
4672 ++ return __reset_control_get(dev, id, 0, false, false);
4673 + }
4674 +
4675 + /**
4676 +@@ -132,19 +135,19 @@ __must_check reset_control_get_exclusive(struct device *dev, const char *id)
4677 + static inline struct reset_control *reset_control_get_shared(
4678 + struct device *dev, const char *id)
4679 + {
4680 +- return __of_reset_control_get(dev ? dev->of_node : NULL, id, 0, 1);
4681 ++ return __reset_control_get(dev, id, 0, true, false);
4682 + }
4683 +
4684 + static inline struct reset_control *reset_control_get_optional_exclusive(
4685 + struct device *dev, const char *id)
4686 + {
4687 +- return __of_reset_control_get(dev ? dev->of_node : NULL, id, 0, 0);
4688 ++ return __reset_control_get(dev, id, 0, false, true);
4689 + }
4690 +
4691 + static inline struct reset_control *reset_control_get_optional_shared(
4692 + struct device *dev, const char *id)
4693 + {
4694 +- return __of_reset_control_get(dev ? dev->of_node : NULL, id, 0, 1);
4695 ++ return __reset_control_get(dev, id, 0, true, true);
4696 + }
4697 +
4698 + /**
4699 +@@ -160,7 +163,7 @@ static inline struct reset_control *reset_control_get_optional_shared(
4700 + static inline struct reset_control *of_reset_control_get_exclusive(
4701 + struct device_node *node, const char *id)
4702 + {
4703 +- return __of_reset_control_get(node, id, 0, 0);
4704 ++ return __of_reset_control_get(node, id, 0, false, false);
4705 + }
4706 +
4707 + /**
4708 +@@ -185,7 +188,7 @@ static inline struct reset_control *of_reset_control_get_exclusive(
4709 + static inline struct reset_control *of_reset_control_get_shared(
4710 + struct device_node *node, const char *id)
4711 + {
4712 +- return __of_reset_control_get(node, id, 0, 1);
4713 ++ return __of_reset_control_get(node, id, 0, true, false);
4714 + }
4715 +
4716 + /**
4717 +@@ -202,7 +205,7 @@ static inline struct reset_control *of_reset_control_get_shared(
4718 + static inline struct reset_control *of_reset_control_get_exclusive_by_index(
4719 + struct device_node *node, int index)
4720 + {
4721 +- return __of_reset_control_get(node, NULL, index, 0);
4722 ++ return __of_reset_control_get(node, NULL, index, false, false);
4723 + }
4724 +
4725 + /**
4726 +@@ -230,7 +233,7 @@ static inline struct reset_control *of_reset_control_get_exclusive_by_index(
4727 + static inline struct reset_control *of_reset_control_get_shared_by_index(
4728 + struct device_node *node, int index)
4729 + {
4730 +- return __of_reset_control_get(node, NULL, index, 1);
4731 ++ return __of_reset_control_get(node, NULL, index, true, false);
4732 + }
4733 +
4734 + /**
4735 +@@ -249,10 +252,7 @@ static inline struct reset_control *
4736 + __must_check devm_reset_control_get_exclusive(struct device *dev,
4737 + const char *id)
4738 + {
4739 +-#ifndef CONFIG_RESET_CONTROLLER
4740 +- WARN_ON(1);
4741 +-#endif
4742 +- return __devm_reset_control_get(dev, id, 0, 0);
4743 ++ return __devm_reset_control_get(dev, id, 0, false, false);
4744 + }
4745 +
4746 + /**
4747 +@@ -267,19 +267,19 @@ __must_check devm_reset_control_get_exclusive(struct device *dev,
4748 + static inline struct reset_control *devm_reset_control_get_shared(
4749 + struct device *dev, const char *id)
4750 + {
4751 +- return __devm_reset_control_get(dev, id, 0, 1);
4752 ++ return __devm_reset_control_get(dev, id, 0, true, false);
4753 + }
4754 +
4755 + static inline struct reset_control *devm_reset_control_get_optional_exclusive(
4756 + struct device *dev, const char *id)
4757 + {
4758 +- return __devm_reset_control_get(dev, id, 0, 0);
4759 ++ return __devm_reset_control_get(dev, id, 0, false, true);
4760 + }
4761 +
4762 + static inline struct reset_control *devm_reset_control_get_optional_shared(
4763 + struct device *dev, const char *id)
4764 + {
4765 +- return __devm_reset_control_get(dev, id, 0, 1);
4766 ++ return __devm_reset_control_get(dev, id, 0, true, true);
4767 + }
4768 +
4769 + /**
4770 +@@ -297,7 +297,7 @@ static inline struct reset_control *devm_reset_control_get_optional_shared(
4771 + static inline struct reset_control *
4772 + devm_reset_control_get_exclusive_by_index(struct device *dev, int index)
4773 + {
4774 +- return __devm_reset_control_get(dev, NULL, index, 0);
4775 ++ return __devm_reset_control_get(dev, NULL, index, false, false);
4776 + }
4777 +
4778 + /**
4779 +@@ -313,7 +313,7 @@ devm_reset_control_get_exclusive_by_index(struct device *dev, int index)
4780 + static inline struct reset_control *
4781 + devm_reset_control_get_shared_by_index(struct device *dev, int index)
4782 + {
4783 +- return __devm_reset_control_get(dev, NULL, index, 1);
4784 ++ return __devm_reset_control_get(dev, NULL, index, true, false);
4785 + }
4786 +
4787 + /*
4788 +diff --git a/include/uapi/linux/btrfs_tree.h b/include/uapi/linux/btrfs_tree.h
4789 +index c794c9af6c0f..a1ded2a1bf1d 100644
4790 +--- a/include/uapi/linux/btrfs_tree.h
4791 ++++ b/include/uapi/linux/btrfs_tree.h
4792 +@@ -730,6 +730,7 @@ struct btrfs_balance_item {
4793 + #define BTRFS_FILE_EXTENT_INLINE 0
4794 + #define BTRFS_FILE_EXTENT_REG 1
4795 + #define BTRFS_FILE_EXTENT_PREALLOC 2
4796 ++#define BTRFS_FILE_EXTENT_TYPES 2
4797 +
4798 + struct btrfs_file_extent_item {
4799 + /*
4800 +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
4801 +index dafa2708ce9e..1438b7396cb4 100644
4802 +--- a/kernel/bpf/verifier.c
4803 ++++ b/kernel/bpf/verifier.c
4804 +@@ -540,10 +540,11 @@ static bool is_spillable_regtype(enum bpf_reg_type type)
4805 + /* check_stack_read/write functions track spill/fill of registers,
4806 + * stack boundary and alignment are checked in check_mem_access()
4807 + */
4808 +-static int check_stack_write(struct bpf_verifier_state *state, int off,
4809 +- int size, int value_regno)
4810 ++static int check_stack_write(struct bpf_verifier_env *env,
4811 ++ struct bpf_verifier_state *state, int off,
4812 ++ int size, int value_regno, int insn_idx)
4813 + {
4814 +- int i;
4815 ++ int i, spi = (MAX_BPF_STACK + off) / BPF_REG_SIZE;
4816 + /* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0,
4817 + * so it's aligned access and [off, off + size) are within stack limits
4818 + */
4819 +@@ -558,15 +559,37 @@ static int check_stack_write(struct bpf_verifier_state *state, int off,
4820 + }
4821 +
4822 + /* save register state */
4823 +- state->spilled_regs[(MAX_BPF_STACK + off) / BPF_REG_SIZE] =
4824 +- state->regs[value_regno];
4825 +-
4826 +- for (i = 0; i < BPF_REG_SIZE; i++)
4827 ++ state->spilled_regs[spi] = state->regs[value_regno];
4828 ++
4829 ++ for (i = 0; i < BPF_REG_SIZE; i++) {
4830 ++ if (state->stack_slot_type[MAX_BPF_STACK + off + i] == STACK_MISC &&
4831 ++ !env->allow_ptr_leaks) {
4832 ++ int *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off;
4833 ++ int soff = (-spi - 1) * BPF_REG_SIZE;
4834 ++
4835 ++ /* detected reuse of integer stack slot with a pointer
4836 ++ * which means either llvm is reusing stack slot or
4837 ++ * an attacker is trying to exploit CVE-2018-3639
4838 ++ * (speculative store bypass)
4839 ++ * Have to sanitize that slot with preemptive
4840 ++ * store of zero.
4841 ++ */
4842 ++ if (*poff && *poff != soff) {
4843 ++ /* disallow programs where single insn stores
4844 ++ * into two different stack slots, since verifier
4845 ++ * cannot sanitize them
4846 ++ */
4847 ++ verbose("insn %d cannot access two stack slots fp%d and fp%d",
4848 ++ insn_idx, *poff, soff);
4849 ++ return -EINVAL;
4850 ++ }
4851 ++ *poff = soff;
4852 ++ }
4853 + state->stack_slot_type[MAX_BPF_STACK + off + i] = STACK_SPILL;
4854 ++ }
4855 + } else {
4856 + /* regular write of data into stack */
4857 +- state->spilled_regs[(MAX_BPF_STACK + off) / BPF_REG_SIZE] =
4858 +- (struct bpf_reg_state) {};
4859 ++ state->spilled_regs[spi] = (struct bpf_reg_state) {};
4860 +
4861 + for (i = 0; i < size; i++)
4862 + state->stack_slot_type[MAX_BPF_STACK + off + i] = STACK_MISC;
4863 +@@ -747,7 +770,7 @@ static int check_ptr_alignment(struct bpf_verifier_env *env,
4864 + * if t==write && value_regno==-1, some unknown value is stored into memory
4865 + * if t==read && value_regno==-1, don't care what we read from memory
4866 + */
4867 +-static int check_mem_access(struct bpf_verifier_env *env, u32 regno, int off,
4868 ++static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno, int off,
4869 + int bpf_size, enum bpf_access_type t,
4870 + int value_regno)
4871 + {
4872 +@@ -843,7 +866,8 @@ static int check_mem_access(struct bpf_verifier_env *env, u32 regno, int off,
4873 + verbose("attempt to corrupt spilled pointer on stack\n");
4874 + return -EACCES;
4875 + }
4876 +- err = check_stack_write(state, off, size, value_regno);
4877 ++ err = check_stack_write(env, state, off, size,
4878 ++ value_regno, insn_idx);
4879 + } else {
4880 + err = check_stack_read(state, off, size, value_regno);
4881 + }
4882 +@@ -877,7 +901,7 @@ static int check_mem_access(struct bpf_verifier_env *env, u32 regno, int off,
4883 + return err;
4884 + }
4885 +
4886 +-static int check_xadd(struct bpf_verifier_env *env, struct bpf_insn *insn)
4887 ++static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_insn *insn)
4888 + {
4889 + struct bpf_reg_state *regs = env->cur_state.regs;
4890 + int err;
4891 +@@ -910,13 +934,13 @@ static int check_xadd(struct bpf_verifier_env *env, struct bpf_insn *insn)
4892 + }
4893 +
4894 + /* check whether atomic_add can read the memory */
4895 +- err = check_mem_access(env, insn->dst_reg, insn->off,
4896 ++ err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
4897 + BPF_SIZE(insn->code), BPF_READ, -1);
4898 + if (err)
4899 + return err;
4900 +
4901 + /* check whether atomic_add can write into the same memory */
4902 +- return check_mem_access(env, insn->dst_reg, insn->off,
4903 ++ return check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
4904 + BPF_SIZE(insn->code), BPF_WRITE, -1);
4905 + }
4906 +
4907 +@@ -1272,7 +1296,7 @@ static int check_call(struct bpf_verifier_env *env, int func_id, int insn_idx)
4908 + * is inferred from register state.
4909 + */
4910 + for (i = 0; i < meta.access_size; i++) {
4911 +- err = check_mem_access(env, meta.regno, i, BPF_B, BPF_WRITE, -1);
4912 ++ err = check_mem_access(env, insn_idx, meta.regno, i, BPF_B, BPF_WRITE, -1);
4913 + if (err)
4914 + return err;
4915 + }
4916 +@@ -2938,7 +2962,7 @@ static int do_check(struct bpf_verifier_env *env)
4917 + /* check that memory (src_reg + off) is readable,
4918 + * the state of dst_reg will be updated by this func
4919 + */
4920 +- err = check_mem_access(env, insn->src_reg, insn->off,
4921 ++ err = check_mem_access(env, insn_idx, insn->src_reg, insn->off,
4922 + BPF_SIZE(insn->code), BPF_READ,
4923 + insn->dst_reg);
4924 + if (err)
4925 +@@ -2978,7 +3002,7 @@ static int do_check(struct bpf_verifier_env *env)
4926 + enum bpf_reg_type *prev_dst_type, dst_reg_type;
4927 +
4928 + if (BPF_MODE(insn->code) == BPF_XADD) {
4929 +- err = check_xadd(env, insn);
4930 ++ err = check_xadd(env, insn_idx, insn);
4931 + if (err)
4932 + return err;
4933 + insn_idx++;
4934 +@@ -2997,7 +3021,7 @@ static int do_check(struct bpf_verifier_env *env)
4935 + dst_reg_type = regs[insn->dst_reg].type;
4936 +
4937 + /* check that memory (dst_reg + off) is writeable */
4938 +- err = check_mem_access(env, insn->dst_reg, insn->off,
4939 ++ err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
4940 + BPF_SIZE(insn->code), BPF_WRITE,
4941 + insn->src_reg);
4942 + if (err)
4943 +@@ -3032,7 +3056,7 @@ static int do_check(struct bpf_verifier_env *env)
4944 + }
4945 +
4946 + /* check that memory (dst_reg + off) is writeable */
4947 +- err = check_mem_access(env, insn->dst_reg, insn->off,
4948 ++ err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
4949 + BPF_SIZE(insn->code), BPF_WRITE,
4950 + -1);
4951 + if (err)
4952 +@@ -3369,6 +3393,34 @@ static int convert_ctx_accesses(struct bpf_verifier_env *env)
4953 + else
4954 + continue;
4955 +
4956 ++ if (type == BPF_WRITE &&
4957 ++ env->insn_aux_data[i + delta].sanitize_stack_off) {
4958 ++ struct bpf_insn patch[] = {
4959 ++ /* Sanitize suspicious stack slot with zero.
4960 ++ * There are no memory dependencies for this store,
4961 ++ * since it's only using frame pointer and immediate
4962 ++ * constant of zero
4963 ++ */
4964 ++ BPF_ST_MEM(BPF_DW, BPF_REG_FP,
4965 ++ env->insn_aux_data[i + delta].sanitize_stack_off,
4966 ++ 0),
4967 ++ /* the original STX instruction will immediately
4968 ++ * overwrite the same stack slot with appropriate value
4969 ++ */
4970 ++ *insn,
4971 ++ };
4972 ++
4973 ++ cnt = ARRAY_SIZE(patch);
4974 ++ new_prog = bpf_patch_insn_data(env, i + delta, patch, cnt);
4975 ++ if (!new_prog)
4976 ++ return -ENOMEM;
4977 ++
4978 ++ delta += cnt - 1;
4979 ++ env->prog = new_prog;
4980 ++ insn = new_prog->insnsi + i + delta;
4981 ++ continue;
4982 ++ }
4983 ++
4984 + if (env->insn_aux_data[i + delta].ptr_type != PTR_TO_CTX)
4985 + continue;
4986 +
4987 +diff --git a/kernel/debug/kdb/kdb_support.c b/kernel/debug/kdb/kdb_support.c
4988 +index 2aed4a33521b..61cd704a21c8 100644
4989 +--- a/kernel/debug/kdb/kdb_support.c
4990 ++++ b/kernel/debug/kdb/kdb_support.c
4991 +@@ -129,13 +129,13 @@ int kdbnearsym(unsigned long addr, kdb_symtab_t *symtab)
4992 + }
4993 + if (i >= ARRAY_SIZE(kdb_name_table)) {
4994 + debug_kfree(kdb_name_table[0]);
4995 +- memcpy(kdb_name_table, kdb_name_table+1,
4996 ++ memmove(kdb_name_table, kdb_name_table+1,
4997 + sizeof(kdb_name_table[0]) *
4998 + (ARRAY_SIZE(kdb_name_table)-1));
4999 + } else {
5000 + debug_kfree(knt1);
5001 + knt1 = kdb_name_table[i];
5002 +- memcpy(kdb_name_table+i, kdb_name_table+i+1,
5003 ++ memmove(kdb_name_table+i, kdb_name_table+i+1,
5004 + sizeof(kdb_name_table[0]) *
5005 + (ARRAY_SIZE(kdb_name_table)-i-1));
5006 + }
5007 +diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
5008 +index a1de021dccba..fbfab5722254 100644
5009 +--- a/kernel/events/uprobes.c
5010 ++++ b/kernel/events/uprobes.c
5011 +@@ -608,7 +608,7 @@ static int prepare_uprobe(struct uprobe *uprobe, struct file *file,
5012 + BUG_ON((uprobe->offset & ~PAGE_MASK) +
5013 + UPROBE_SWBP_INSN_SIZE > PAGE_SIZE);
5014 +
5015 +- smp_wmb(); /* pairs with rmb() in find_active_uprobe() */
5016 ++ smp_wmb(); /* pairs with the smp_rmb() in handle_swbp() */
5017 + set_bit(UPROBE_COPY_INSN, &uprobe->flags);
5018 +
5019 + out:
5020 +@@ -1902,10 +1902,18 @@ static void handle_swbp(struct pt_regs *regs)
5021 + * After we hit the bp, _unregister + _register can install the
5022 + * new and not-yet-analyzed uprobe at the same address, restart.
5023 + */
5024 +- smp_rmb(); /* pairs with wmb() in install_breakpoint() */
5025 + if (unlikely(!test_bit(UPROBE_COPY_INSN, &uprobe->flags)))
5026 + goto out;
5027 +
5028 ++ /*
5029 ++ * Pairs with the smp_wmb() in prepare_uprobe().
5030 ++ *
5031 ++ * Guarantees that if we see the UPROBE_COPY_INSN bit set, then
5032 ++ * we must also see the stores to &uprobe->arch performed by the
5033 ++ * prepare_uprobe() call.
5034 ++ */
5035 ++ smp_rmb();
5036 ++
5037 + /* Tracing handlers use ->utask to communicate with fetch methods */
5038 + if (!get_utask())
5039 + goto out;
5040 +diff --git a/lib/kobject.c b/lib/kobject.c
5041 +index b733a83e5294..f58c7f2b229c 100644
5042 +--- a/lib/kobject.c
5043 ++++ b/lib/kobject.c
5044 +@@ -127,7 +127,7 @@ static void fill_kobj_path(struct kobject *kobj, char *path, int length)
5045 + int cur = strlen(kobject_name(parent));
5046 + /* back up enough to print this name with '/' */
5047 + length -= cur;
5048 +- strncpy(path + length, kobject_name(parent), cur);
5049 ++ memcpy(path + length, kobject_name(parent), cur);
5050 + *(path + --length) = '/';
5051 + }
5052 +
5053 +diff --git a/lib/test_hexdump.c b/lib/test_hexdump.c
5054 +index 3f415d8101f3..1c3c513add77 100644
5055 +--- a/lib/test_hexdump.c
5056 ++++ b/lib/test_hexdump.c
5057 +@@ -81,7 +81,7 @@ static void __init test_hexdump_prepare_test(size_t len, int rowsize,
5058 + const char *q = *result++;
5059 + size_t amount = strlen(q);
5060 +
5061 +- strncpy(p, q, amount);
5062 ++ memcpy(p, q, amount);
5063 + p += amount;
5064 +
5065 + *p++ = ' ';
5066 +diff --git a/mm/hugetlb.c b/mm/hugetlb.c
5067 +index 5e3a4db36310..3e50fcfe6ad8 100644
5068 +--- a/mm/hugetlb.c
5069 ++++ b/mm/hugetlb.c
5070 +@@ -4170,6 +4170,12 @@ int hugetlb_reserve_pages(struct inode *inode,
5071 + struct resv_map *resv_map;
5072 + long gbl_reserve;
5073 +
5074 ++ /* This should never happen */
5075 ++ if (from > to) {
5076 ++ VM_WARN(1, "%s called with a negative range\n", __func__);
5077 ++ return -EINVAL;
5078 ++ }
5079 ++
5080 + /*
5081 + * Only apply hugepage reservation if asked. At fault time, an
5082 + * attempt will be made for VM_NORESERVE to allocate a page
5083 +@@ -4259,7 +4265,9 @@ int hugetlb_reserve_pages(struct inode *inode,
5084 + return 0;
5085 + out_err:
5086 + if (!vma || vma->vm_flags & VM_MAYSHARE)
5087 +- region_abort(resv_map, from, to);
5088 ++ /* Don't call region_abort if region_chg failed */
5089 ++ if (chg >= 0)
5090 ++ region_abort(resv_map, from, to);
5091 + if (vma && is_vma_resv_set(vma, HPAGE_RESV_OWNER))
5092 + kref_put(&resv_map->refs, resv_map_release);
5093 + return ret;
5094 +diff --git a/mm/truncate.c b/mm/truncate.c
5095 +index 9c809e7d73c3..befdc6f575d2 100644
5096 +--- a/mm/truncate.c
5097 ++++ b/mm/truncate.c
5098 +@@ -443,9 +443,13 @@ void truncate_inode_pages_final(struct address_space *mapping)
5099 + */
5100 + spin_lock_irq(&mapping->tree_lock);
5101 + spin_unlock_irq(&mapping->tree_lock);
5102 +-
5103 +- truncate_inode_pages(mapping, 0);
5104 + }
5105 ++
5106 ++ /*
5107 ++ * Cleancache needs notification even if there are no pages or shadow
5108 ++ * entries.
5109 ++ */
5110 ++ truncate_inode_pages(mapping, 0);
5111 + }
5112 + EXPORT_SYMBOL(truncate_inode_pages_final);
5113 +
5114 +diff --git a/net/ceph/auth.c b/net/ceph/auth.c
5115 +index c822b3ae1bd3..8e79dca81748 100644
5116 +--- a/net/ceph/auth.c
5117 ++++ b/net/ceph/auth.c
5118 +@@ -314,14 +314,30 @@ int ceph_auth_update_authorizer(struct ceph_auth_client *ac,
5119 + }
5120 + EXPORT_SYMBOL(ceph_auth_update_authorizer);
5121 +
5122 ++int ceph_auth_add_authorizer_challenge(struct ceph_auth_client *ac,
5123 ++ struct ceph_authorizer *a,
5124 ++ void *challenge_buf,
5125 ++ int challenge_buf_len)
5126 ++{
5127 ++ int ret = 0;
5128 ++
5129 ++ mutex_lock(&ac->mutex);
5130 ++ if (ac->ops && ac->ops->add_authorizer_challenge)
5131 ++ ret = ac->ops->add_authorizer_challenge(ac, a, challenge_buf,
5132 ++ challenge_buf_len);
5133 ++ mutex_unlock(&ac->mutex);
5134 ++ return ret;
5135 ++}
5136 ++EXPORT_SYMBOL(ceph_auth_add_authorizer_challenge);
5137 ++
5138 + int ceph_auth_verify_authorizer_reply(struct ceph_auth_client *ac,
5139 +- struct ceph_authorizer *a, size_t len)
5140 ++ struct ceph_authorizer *a)
5141 + {
5142 + int ret = 0;
5143 +
5144 + mutex_lock(&ac->mutex);
5145 + if (ac->ops && ac->ops->verify_authorizer_reply)
5146 +- ret = ac->ops->verify_authorizer_reply(ac, a, len);
5147 ++ ret = ac->ops->verify_authorizer_reply(ac, a);
5148 + mutex_unlock(&ac->mutex);
5149 + return ret;
5150 + }
5151 +diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c
5152 +index b216131915e7..29e23b5cb2ed 100644
5153 +--- a/net/ceph/auth_x.c
5154 ++++ b/net/ceph/auth_x.c
5155 +@@ -8,6 +8,7 @@
5156 +
5157 + #include <linux/ceph/decode.h>
5158 + #include <linux/ceph/auth.h>
5159 ++#include <linux/ceph/ceph_features.h>
5160 + #include <linux/ceph/libceph.h>
5161 + #include <linux/ceph/messenger.h>
5162 +
5163 +@@ -69,25 +70,40 @@ static int ceph_x_encrypt(struct ceph_crypto_key *secret, void *buf,
5164 + return sizeof(u32) + ciphertext_len;
5165 + }
5166 +
5167 ++static int __ceph_x_decrypt(struct ceph_crypto_key *secret, void *p,
5168 ++ int ciphertext_len)
5169 ++{
5170 ++ struct ceph_x_encrypt_header *hdr = p;
5171 ++ int plaintext_len;
5172 ++ int ret;
5173 ++
5174 ++ ret = ceph_crypt(secret, false, p, ciphertext_len, ciphertext_len,
5175 ++ &plaintext_len);
5176 ++ if (ret)
5177 ++ return ret;
5178 ++
5179 ++ if (le64_to_cpu(hdr->magic) != CEPHX_ENC_MAGIC) {
5180 ++ pr_err("%s bad magic\n", __func__);
5181 ++ return -EINVAL;
5182 ++ }
5183 ++
5184 ++ return plaintext_len - sizeof(*hdr);
5185 ++}
5186 ++
5187 + static int ceph_x_decrypt(struct ceph_crypto_key *secret, void **p, void *end)
5188 + {
5189 +- struct ceph_x_encrypt_header *hdr = *p + sizeof(u32);
5190 +- int ciphertext_len, plaintext_len;
5191 ++ int ciphertext_len;
5192 + int ret;
5193 +
5194 + ceph_decode_32_safe(p, end, ciphertext_len, e_inval);
5195 + ceph_decode_need(p, end, ciphertext_len, e_inval);
5196 +
5197 +- ret = ceph_crypt(secret, false, *p, end - *p, ciphertext_len,
5198 +- &plaintext_len);
5199 +- if (ret)
5200 ++ ret = __ceph_x_decrypt(secret, *p, ciphertext_len);
5201 ++ if (ret < 0)
5202 + return ret;
5203 +
5204 +- if (hdr->struct_v != 1 || le64_to_cpu(hdr->magic) != CEPHX_ENC_MAGIC)
5205 +- return -EPERM;
5206 +-
5207 + *p += ciphertext_len;
5208 +- return plaintext_len - sizeof(struct ceph_x_encrypt_header);
5209 ++ return ret;
5210 +
5211 + e_inval:
5212 + return -EINVAL;
5213 +@@ -271,6 +287,51 @@ bad:
5214 + return -EINVAL;
5215 + }
5216 +
5217 ++/*
5218 ++ * Encode and encrypt the second part (ceph_x_authorize_b) of the
5219 ++ * authorizer. The first part (ceph_x_authorize_a) should already be
5220 ++ * encoded.
5221 ++ */
5222 ++static int encrypt_authorizer(struct ceph_x_authorizer *au,
5223 ++ u64 *server_challenge)
5224 ++{
5225 ++ struct ceph_x_authorize_a *msg_a;
5226 ++ struct ceph_x_authorize_b *msg_b;
5227 ++ void *p, *end;
5228 ++ int ret;
5229 ++
5230 ++ msg_a = au->buf->vec.iov_base;
5231 ++ WARN_ON(msg_a->ticket_blob.secret_id != cpu_to_le64(au->secret_id));
5232 ++ p = (void *)(msg_a + 1) + le32_to_cpu(msg_a->ticket_blob.blob_len);
5233 ++ end = au->buf->vec.iov_base + au->buf->vec.iov_len;
5234 ++
5235 ++ msg_b = p + ceph_x_encrypt_offset();
5236 ++ msg_b->struct_v = 2;
5237 ++ msg_b->nonce = cpu_to_le64(au->nonce);
5238 ++ if (server_challenge) {
5239 ++ msg_b->have_challenge = 1;
5240 ++ msg_b->server_challenge_plus_one =
5241 ++ cpu_to_le64(*server_challenge + 1);
5242 ++ } else {
5243 ++ msg_b->have_challenge = 0;
5244 ++ msg_b->server_challenge_plus_one = 0;
5245 ++ }
5246 ++
5247 ++ ret = ceph_x_encrypt(&au->session_key, p, end - p, sizeof(*msg_b));
5248 ++ if (ret < 0)
5249 ++ return ret;
5250 ++
5251 ++ p += ret;
5252 ++ if (server_challenge) {
5253 ++ WARN_ON(p != end);
5254 ++ } else {
5255 ++ WARN_ON(p > end);
5256 ++ au->buf->vec.iov_len = p - au->buf->vec.iov_base;
5257 ++ }
5258 ++
5259 ++ return 0;
5260 ++}
5261 ++
5262 + static void ceph_x_authorizer_cleanup(struct ceph_x_authorizer *au)
5263 + {
5264 + ceph_crypto_key_destroy(&au->session_key);
5265 +@@ -287,7 +348,6 @@ static int ceph_x_build_authorizer(struct ceph_auth_client *ac,
5266 + int maxlen;
5267 + struct ceph_x_authorize_a *msg_a;
5268 + struct ceph_x_authorize_b *msg_b;
5269 +- void *p, *end;
5270 + int ret;
5271 + int ticket_blob_len =
5272 + (th->ticket_blob ? th->ticket_blob->vec.iov_len : 0);
5273 +@@ -331,21 +391,13 @@ static int ceph_x_build_authorizer(struct ceph_auth_client *ac,
5274 + dout(" th %p secret_id %lld %lld\n", th, th->secret_id,
5275 + le64_to_cpu(msg_a->ticket_blob.secret_id));
5276 +
5277 +- p = msg_a + 1;
5278 +- p += ticket_blob_len;
5279 +- end = au->buf->vec.iov_base + au->buf->vec.iov_len;
5280 +-
5281 +- msg_b = p + ceph_x_encrypt_offset();
5282 +- msg_b->struct_v = 1;
5283 + get_random_bytes(&au->nonce, sizeof(au->nonce));
5284 +- msg_b->nonce = cpu_to_le64(au->nonce);
5285 +- ret = ceph_x_encrypt(&au->session_key, p, end - p, sizeof(*msg_b));
5286 +- if (ret < 0)
5287 ++ ret = encrypt_authorizer(au, NULL);
5288 ++ if (ret) {
5289 ++ pr_err("failed to encrypt authorizer: %d", ret);
5290 + goto out_au;
5291 ++ }
5292 +
5293 +- p += ret;
5294 +- WARN_ON(p > end);
5295 +- au->buf->vec.iov_len = p - au->buf->vec.iov_base;
5296 + dout(" built authorizer nonce %llx len %d\n", au->nonce,
5297 + (int)au->buf->vec.iov_len);
5298 + return 0;
5299 +@@ -622,8 +674,56 @@ static int ceph_x_update_authorizer(
5300 + return 0;
5301 + }
5302 +
5303 ++static int decrypt_authorize_challenge(struct ceph_x_authorizer *au,
5304 ++ void *challenge_buf,
5305 ++ int challenge_buf_len,
5306 ++ u64 *server_challenge)
5307 ++{
5308 ++ struct ceph_x_authorize_challenge *ch =
5309 ++ challenge_buf + sizeof(struct ceph_x_encrypt_header);
5310 ++ int ret;
5311 ++
5312 ++ /* no leading len */
5313 ++ ret = __ceph_x_decrypt(&au->session_key, challenge_buf,
5314 ++ challenge_buf_len);
5315 ++ if (ret < 0)
5316 ++ return ret;
5317 ++ if (ret < sizeof(*ch)) {
5318 ++ pr_err("bad size %d for ceph_x_authorize_challenge\n", ret);
5319 ++ return -EINVAL;
5320 ++ }
5321 ++
5322 ++ *server_challenge = le64_to_cpu(ch->server_challenge);
5323 ++ return 0;
5324 ++}
5325 ++
5326 ++static int ceph_x_add_authorizer_challenge(struct ceph_auth_client *ac,
5327 ++ struct ceph_authorizer *a,
5328 ++ void *challenge_buf,
5329 ++ int challenge_buf_len)
5330 ++{
5331 ++ struct ceph_x_authorizer *au = (void *)a;
5332 ++ u64 server_challenge;
5333 ++ int ret;
5334 ++
5335 ++ ret = decrypt_authorize_challenge(au, challenge_buf, challenge_buf_len,
5336 ++ &server_challenge);
5337 ++ if (ret) {
5338 ++ pr_err("failed to decrypt authorize challenge: %d", ret);
5339 ++ return ret;
5340 ++ }
5341 ++
5342 ++ ret = encrypt_authorizer(au, &server_challenge);
5343 ++ if (ret) {
5344 ++ pr_err("failed to encrypt authorizer w/ challenge: %d", ret);
5345 ++ return ret;
5346 ++ }
5347 ++
5348 ++ return 0;
5349 ++}
5350 ++
5351 + static int ceph_x_verify_authorizer_reply(struct ceph_auth_client *ac,
5352 +- struct ceph_authorizer *a, size_t len)
5353 ++ struct ceph_authorizer *a)
5354 + {
5355 + struct ceph_x_authorizer *au = (void *)a;
5356 + void *p = au->enc_buf;
5357 +@@ -633,8 +733,10 @@ static int ceph_x_verify_authorizer_reply(struct ceph_auth_client *ac,
5358 + ret = ceph_x_decrypt(&au->session_key, &p, p + CEPHX_AU_ENC_BUF_LEN);
5359 + if (ret < 0)
5360 + return ret;
5361 +- if (ret != sizeof(*reply))
5362 +- return -EPERM;
5363 ++ if (ret < sizeof(*reply)) {
5364 ++ pr_err("bad size %d for ceph_x_authorize_reply\n", ret);
5365 ++ return -EINVAL;
5366 ++ }
5367 +
5368 + if (au->nonce + 1 != le64_to_cpu(reply->nonce_plus_one))
5369 + ret = -EPERM;
5370 +@@ -700,26 +802,64 @@ static int calc_signature(struct ceph_x_authorizer *au, struct ceph_msg *msg,
5371 + __le64 *psig)
5372 + {
5373 + void *enc_buf = au->enc_buf;
5374 +- struct {
5375 +- __le32 len;
5376 +- __le32 header_crc;
5377 +- __le32 front_crc;
5378 +- __le32 middle_crc;
5379 +- __le32 data_crc;
5380 +- } __packed *sigblock = enc_buf + ceph_x_encrypt_offset();
5381 + int ret;
5382 +
5383 +- sigblock->len = cpu_to_le32(4*sizeof(u32));
5384 +- sigblock->header_crc = msg->hdr.crc;
5385 +- sigblock->front_crc = msg->footer.front_crc;
5386 +- sigblock->middle_crc = msg->footer.middle_crc;
5387 +- sigblock->data_crc = msg->footer.data_crc;
5388 +- ret = ceph_x_encrypt(&au->session_key, enc_buf, CEPHX_AU_ENC_BUF_LEN,
5389 +- sizeof(*sigblock));
5390 +- if (ret < 0)
5391 +- return ret;
5392 ++ if (msg->con->peer_features & CEPH_FEATURE_CEPHX_V2) {
5393 ++ struct {
5394 ++ __le32 len;
5395 ++ __le32 header_crc;
5396 ++ __le32 front_crc;
5397 ++ __le32 middle_crc;
5398 ++ __le32 data_crc;
5399 ++ } __packed *sigblock = enc_buf + ceph_x_encrypt_offset();
5400 ++
5401 ++ sigblock->len = cpu_to_le32(4*sizeof(u32));
5402 ++ sigblock->header_crc = msg->hdr.crc;
5403 ++ sigblock->front_crc = msg->footer.front_crc;
5404 ++ sigblock->middle_crc = msg->footer.middle_crc;
5405 ++ sigblock->data_crc = msg->footer.data_crc;
5406 ++
5407 ++ ret = ceph_x_encrypt(&au->session_key, enc_buf,
5408 ++ CEPHX_AU_ENC_BUF_LEN, sizeof(*sigblock));
5409 ++ if (ret < 0)
5410 ++ return ret;
5411 ++
5412 ++ *psig = *(__le64 *)(enc_buf + sizeof(u32));
5413 ++ } else {
5414 ++ struct {
5415 ++ __le32 header_crc;
5416 ++ __le32 front_crc;
5417 ++ __le32 front_len;
5418 ++ __le32 middle_crc;
5419 ++ __le32 middle_len;
5420 ++ __le32 data_crc;
5421 ++ __le32 data_len;
5422 ++ __le32 seq_lower_word;
5423 ++ } __packed *sigblock = enc_buf;
5424 ++ struct {
5425 ++ __le64 a, b, c, d;
5426 ++ } __packed *penc = enc_buf;
5427 ++ int ciphertext_len;
5428 ++
5429 ++ sigblock->header_crc = msg->hdr.crc;
5430 ++ sigblock->front_crc = msg->footer.front_crc;
5431 ++ sigblock->front_len = msg->hdr.front_len;
5432 ++ sigblock->middle_crc = msg->footer.middle_crc;
5433 ++ sigblock->middle_len = msg->hdr.middle_len;
5434 ++ sigblock->data_crc = msg->footer.data_crc;
5435 ++ sigblock->data_len = msg->hdr.data_len;
5436 ++ sigblock->seq_lower_word = *(__le32 *)&msg->hdr.seq;
5437 ++
5438 ++ /* no leading len, no ceph_x_encrypt_header */
5439 ++ ret = ceph_crypt(&au->session_key, true, enc_buf,
5440 ++ CEPHX_AU_ENC_BUF_LEN, sizeof(*sigblock),
5441 ++ &ciphertext_len);
5442 ++ if (ret)
5443 ++ return ret;
5444 ++
5445 ++ *psig = penc->a ^ penc->b ^ penc->c ^ penc->d;
5446 ++ }
5447 +
5448 +- *psig = *(__le64 *)(enc_buf + sizeof(u32));
5449 + return 0;
5450 + }
5451 +
5452 +@@ -774,6 +914,7 @@ static const struct ceph_auth_client_ops ceph_x_ops = {
5453 + .handle_reply = ceph_x_handle_reply,
5454 + .create_authorizer = ceph_x_create_authorizer,
5455 + .update_authorizer = ceph_x_update_authorizer,
5456 ++ .add_authorizer_challenge = ceph_x_add_authorizer_challenge,
5457 + .verify_authorizer_reply = ceph_x_verify_authorizer_reply,
5458 + .invalidate_authorizer = ceph_x_invalidate_authorizer,
5459 + .reset = ceph_x_reset,
5460 +diff --git a/net/ceph/auth_x_protocol.h b/net/ceph/auth_x_protocol.h
5461 +index 671d30576c4f..a7cd203aacc2 100644
5462 +--- a/net/ceph/auth_x_protocol.h
5463 ++++ b/net/ceph/auth_x_protocol.h
5464 +@@ -69,6 +69,13 @@ struct ceph_x_authorize_a {
5465 + struct ceph_x_authorize_b {
5466 + __u8 struct_v;
5467 + __le64 nonce;
5468 ++ __u8 have_challenge;
5469 ++ __le64 server_challenge_plus_one;
5470 ++} __attribute__ ((packed));
5471 ++
5472 ++struct ceph_x_authorize_challenge {
5473 ++ __u8 struct_v;
5474 ++ __le64 server_challenge;
5475 + } __attribute__ ((packed));
5476 +
5477 + struct ceph_x_authorize_reply {
5478 +diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
5479 +index 68acf94fae72..5a8075d9f2e7 100644
5480 +--- a/net/ceph/messenger.c
5481 ++++ b/net/ceph/messenger.c
5482 +@@ -1394,30 +1394,26 @@ static void prepare_write_keepalive(struct ceph_connection *con)
5483 + * Connection negotiation.
5484 + */
5485 +
5486 +-static struct ceph_auth_handshake *get_connect_authorizer(struct ceph_connection *con,
5487 +- int *auth_proto)
5488 ++static int get_connect_authorizer(struct ceph_connection *con)
5489 + {
5490 + struct ceph_auth_handshake *auth;
5491 ++ int auth_proto;
5492 +
5493 + if (!con->ops->get_authorizer) {
5494 ++ con->auth = NULL;
5495 + con->out_connect.authorizer_protocol = CEPH_AUTH_UNKNOWN;
5496 + con->out_connect.authorizer_len = 0;
5497 +- return NULL;
5498 ++ return 0;
5499 + }
5500 +
5501 +- /* Can't hold the mutex while getting authorizer */
5502 +- mutex_unlock(&con->mutex);
5503 +- auth = con->ops->get_authorizer(con, auth_proto, con->auth_retry);
5504 +- mutex_lock(&con->mutex);
5505 +-
5506 ++ auth = con->ops->get_authorizer(con, &auth_proto, con->auth_retry);
5507 + if (IS_ERR(auth))
5508 +- return auth;
5509 +- if (con->state != CON_STATE_NEGOTIATING)
5510 +- return ERR_PTR(-EAGAIN);
5511 ++ return PTR_ERR(auth);
5512 +
5513 +- con->auth_reply_buf = auth->authorizer_reply_buf;
5514 +- con->auth_reply_buf_len = auth->authorizer_reply_buf_len;
5515 +- return auth;
5516 ++ con->auth = auth;
5517 ++ con->out_connect.authorizer_protocol = cpu_to_le32(auth_proto);
5518 ++ con->out_connect.authorizer_len = cpu_to_le32(auth->authorizer_buf_len);
5519 ++ return 0;
5520 + }
5521 +
5522 + /*
5523 +@@ -1433,12 +1429,22 @@ static void prepare_write_banner(struct ceph_connection *con)
5524 + con_flag_set(con, CON_FLAG_WRITE_PENDING);
5525 + }
5526 +
5527 ++static void __prepare_write_connect(struct ceph_connection *con)
5528 ++{
5529 ++ con_out_kvec_add(con, sizeof(con->out_connect), &con->out_connect);
5530 ++ if (con->auth)
5531 ++ con_out_kvec_add(con, con->auth->authorizer_buf_len,
5532 ++ con->auth->authorizer_buf);
5533 ++
5534 ++ con->out_more = 0;
5535 ++ con_flag_set(con, CON_FLAG_WRITE_PENDING);
5536 ++}
5537 ++
5538 + static int prepare_write_connect(struct ceph_connection *con)
5539 + {
5540 + unsigned int global_seq = get_global_seq(con->msgr, 0);
5541 + int proto;
5542 +- int auth_proto;
5543 +- struct ceph_auth_handshake *auth;
5544 ++ int ret;
5545 +
5546 + switch (con->peer_name.type) {
5547 + case CEPH_ENTITY_TYPE_MON:
5548 +@@ -1465,24 +1471,11 @@ static int prepare_write_connect(struct ceph_connection *con)
5549 + con->out_connect.protocol_version = cpu_to_le32(proto);
5550 + con->out_connect.flags = 0;
5551 +
5552 +- auth_proto = CEPH_AUTH_UNKNOWN;
5553 +- auth = get_connect_authorizer(con, &auth_proto);
5554 +- if (IS_ERR(auth))
5555 +- return PTR_ERR(auth);
5556 +-
5557 +- con->out_connect.authorizer_protocol = cpu_to_le32(auth_proto);
5558 +- con->out_connect.authorizer_len = auth ?
5559 +- cpu_to_le32(auth->authorizer_buf_len) : 0;
5560 +-
5561 +- con_out_kvec_add(con, sizeof (con->out_connect),
5562 +- &con->out_connect);
5563 +- if (auth && auth->authorizer_buf_len)
5564 +- con_out_kvec_add(con, auth->authorizer_buf_len,
5565 +- auth->authorizer_buf);
5566 +-
5567 +- con->out_more = 0;
5568 +- con_flag_set(con, CON_FLAG_WRITE_PENDING);
5569 ++ ret = get_connect_authorizer(con);
5570 ++ if (ret)
5571 ++ return ret;
5572 +
5573 ++ __prepare_write_connect(con);
5574 + return 0;
5575 + }
5576 +
5577 +@@ -1743,11 +1736,21 @@ static int read_partial_connect(struct ceph_connection *con)
5578 + if (ret <= 0)
5579 + goto out;
5580 +
5581 +- size = le32_to_cpu(con->in_reply.authorizer_len);
5582 +- end += size;
5583 +- ret = read_partial(con, end, size, con->auth_reply_buf);
5584 +- if (ret <= 0)
5585 +- goto out;
5586 ++ if (con->auth) {
5587 ++ size = le32_to_cpu(con->in_reply.authorizer_len);
5588 ++ if (size > con->auth->authorizer_reply_buf_len) {
5589 ++ pr_err("authorizer reply too big: %d > %zu\n", size,
5590 ++ con->auth->authorizer_reply_buf_len);
5591 ++ ret = -EINVAL;
5592 ++ goto out;
5593 ++ }
5594 ++
5595 ++ end += size;
5596 ++ ret = read_partial(con, end, size,
5597 ++ con->auth->authorizer_reply_buf);
5598 ++ if (ret <= 0)
5599 ++ goto out;
5600 ++ }
5601 +
5602 + dout("read_partial_connect %p tag %d, con_seq = %u, g_seq = %u\n",
5603 + con, (int)con->in_reply.tag,
5604 +@@ -1755,7 +1758,6 @@ static int read_partial_connect(struct ceph_connection *con)
5605 + le32_to_cpu(con->in_reply.global_seq));
5606 + out:
5607 + return ret;
5608 +-
5609 + }
5610 +
5611 + /*
5612 +@@ -2039,13 +2041,28 @@ static int process_connect(struct ceph_connection *con)
5613 +
5614 + dout("process_connect on %p tag %d\n", con, (int)con->in_tag);
5615 +
5616 +- if (con->auth_reply_buf) {
5617 ++ if (con->auth) {
5618 + /*
5619 + * Any connection that defines ->get_authorizer()
5620 +- * should also define ->verify_authorizer_reply().
5621 ++ * should also define ->add_authorizer_challenge() and
5622 ++ * ->verify_authorizer_reply().
5623 ++ *
5624 + * See get_connect_authorizer().
5625 + */
5626 +- ret = con->ops->verify_authorizer_reply(con, 0);
5627 ++ if (con->in_reply.tag == CEPH_MSGR_TAG_CHALLENGE_AUTHORIZER) {
5628 ++ ret = con->ops->add_authorizer_challenge(
5629 ++ con, con->auth->authorizer_reply_buf,
5630 ++ le32_to_cpu(con->in_reply.authorizer_len));
5631 ++ if (ret < 0)
5632 ++ return ret;
5633 ++
5634 ++ con_out_kvec_reset(con);
5635 ++ __prepare_write_connect(con);
5636 ++ prepare_read_connect(con);
5637 ++ return 0;
5638 ++ }
5639 ++
5640 ++ ret = con->ops->verify_authorizer_reply(con);
5641 + if (ret < 0) {
5642 + con->error_msg = "bad authorize reply";
5643 + return ret;
5644 +diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
5645 +index 0ffeb60cfe67..70ccb0716fc5 100644
5646 +--- a/net/ceph/osd_client.c
5647 ++++ b/net/ceph/osd_client.c
5648 +@@ -4478,14 +4478,24 @@ static struct ceph_auth_handshake *get_authorizer(struct ceph_connection *con,
5649 + return auth;
5650 + }
5651 +
5652 ++static int add_authorizer_challenge(struct ceph_connection *con,
5653 ++ void *challenge_buf, int challenge_buf_len)
5654 ++{
5655 ++ struct ceph_osd *o = con->private;
5656 ++ struct ceph_osd_client *osdc = o->o_osdc;
5657 ++ struct ceph_auth_client *ac = osdc->client->monc.auth;
5658 ++
5659 ++ return ceph_auth_add_authorizer_challenge(ac, o->o_auth.authorizer,
5660 ++ challenge_buf, challenge_buf_len);
5661 ++}
5662 +
5663 +-static int verify_authorizer_reply(struct ceph_connection *con, int len)
5664 ++static int verify_authorizer_reply(struct ceph_connection *con)
5665 + {
5666 + struct ceph_osd *o = con->private;
5667 + struct ceph_osd_client *osdc = o->o_osdc;
5668 + struct ceph_auth_client *ac = osdc->client->monc.auth;
5669 +
5670 +- return ceph_auth_verify_authorizer_reply(ac, o->o_auth.authorizer, len);
5671 ++ return ceph_auth_verify_authorizer_reply(ac, o->o_auth.authorizer);
5672 + }
5673 +
5674 + static int invalidate_authorizer(struct ceph_connection *con)
5675 +@@ -4519,6 +4529,7 @@ static const struct ceph_connection_operations osd_con_ops = {
5676 + .put = put_osd_con,
5677 + .dispatch = dispatch,
5678 + .get_authorizer = get_authorizer,
5679 ++ .add_authorizer_challenge = add_authorizer_challenge,
5680 + .verify_authorizer_reply = verify_authorizer_reply,
5681 + .invalidate_authorizer = invalidate_authorizer,
5682 + .alloc_msg = alloc_msg,
5683 +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
5684 +index d8d99c21a9c1..e6ee6acac80c 100644
5685 +--- a/net/ipv4/ip_tunnel.c
5686 ++++ b/net/ipv4/ip_tunnel.c
5687 +@@ -261,8 +261,8 @@ static struct net_device *__ip_tunnel_create(struct net *net,
5688 + } else {
5689 + if (strlen(ops->kind) > (IFNAMSIZ - 3))
5690 + goto failed;
5691 +- strlcpy(name, ops->kind, IFNAMSIZ);
5692 +- strncat(name, "%d", 2);
5693 ++ strcpy(name, ops->kind);
5694 ++ strcat(name, "%d");
5695 + }
5696 +
5697 + ASSERT_RTNL();
5698 +diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c
5699 +index c2646446e157..d62affeb2a38 100644
5700 +--- a/net/tipc/subscr.c
5701 ++++ b/net/tipc/subscr.c
5702 +@@ -389,7 +389,7 @@ int tipc_topsrv_start(struct net *net)
5703 + topsrv->tipc_conn_new = tipc_subscrb_connect_cb;
5704 + topsrv->tipc_conn_release = tipc_subscrb_release_cb;
5705 +
5706 +- strncpy(topsrv->name, name, strlen(name) + 1);
5707 ++ strscpy(topsrv->name, name, sizeof(topsrv->name));
5708 + tn->topsrv = topsrv;
5709 + atomic_set(&tn->subscription_count, 0);
5710 +
5711 +diff --git a/scripts/Makefile.extrawarn b/scripts/Makefile.extrawarn
5712 +index fb3522fd8702..d08b6fbdfa85 100644
5713 +--- a/scripts/Makefile.extrawarn
5714 ++++ b/scripts/Makefile.extrawarn
5715 +@@ -10,6 +10,8 @@
5716 + # are not supported by all versions of the compiler
5717 + # ==========================================================================
5718 +
5719 ++KBUILD_CFLAGS += $(call cc-disable-warning, packed-not-aligned)
5720 ++
5721 + ifeq ("$(origin W)", "command line")
5722 + export KBUILD_ENABLE_EXTRA_GCC_CHECKS := $(W)
5723 + endif
5724 +@@ -25,6 +27,7 @@ warning-1 += -Wold-style-definition
5725 + warning-1 += $(call cc-option, -Wmissing-include-dirs)
5726 + warning-1 += $(call cc-option, -Wunused-but-set-variable)
5727 + warning-1 += $(call cc-option, -Wunused-const-variable)
5728 ++warning-1 += $(call cc-option, -Wpacked-not-aligned)
5729 + warning-1 += $(call cc-disable-warning, missing-field-initializers)
5730 + warning-1 += $(call cc-disable-warning, sign-compare)
5731 +
5732 +diff --git a/scripts/unifdef.c b/scripts/unifdef.c
5733 +index 7493c0ee51cc..db00e3e30a59 100644
5734 +--- a/scripts/unifdef.c
5735 ++++ b/scripts/unifdef.c
5736 +@@ -395,7 +395,7 @@ usage(void)
5737 + * When we have processed a group that starts off with a known-false
5738 + * #if/#elif sequence (which has therefore been deleted) followed by a
5739 + * #elif that we don't understand and therefore must keep, we edit the
5740 +- * latter into a #if to keep the nesting correct. We use strncpy() to
5741 ++ * latter into a #if to keep the nesting correct. We use memcpy() to
5742 + * overwrite the 4 byte token "elif" with "if " without a '\0' byte.
5743 + *
5744 + * When we find a true #elif in a group, the following block will
5745 +@@ -450,7 +450,7 @@ static void Idrop (void) { Fdrop(); ignoreon(); }
5746 + static void Itrue (void) { Ftrue(); ignoreon(); }
5747 + static void Ifalse(void) { Ffalse(); ignoreon(); }
5748 + /* modify this line */
5749 +-static void Mpass (void) { strncpy(keyword, "if ", 4); Pelif(); }
5750 ++static void Mpass (void) { memcpy(keyword, "if ", 4); Pelif(); }
5751 + static void Mtrue (void) { keywordedit("else"); state(IS_TRUE_MIDDLE); }
5752 + static void Melif (void) { keywordedit("endif"); state(IS_FALSE_TRAILER); }
5753 + static void Melse (void) { keywordedit("endif"); state(IS_FALSE_ELSE); }
5754 +diff --git a/sound/pci/trident/trident.c b/sound/pci/trident/trident.c
5755 +index cedf13b64803..2f18b1cdc2cd 100644
5756 +--- a/sound/pci/trident/trident.c
5757 ++++ b/sound/pci/trident/trident.c
5758 +@@ -123,7 +123,7 @@ static int snd_trident_probe(struct pci_dev *pci,
5759 + } else {
5760 + strcpy(card->shortname, "Trident ");
5761 + }
5762 +- strcat(card->shortname, card->driver);
5763 ++ strcat(card->shortname, str);
5764 + sprintf(card->longname, "%s PCI Audio at 0x%lx, irq %d",
5765 + card->shortname, trident->port, trident->irq);
5766 +
Report Message
Find on MARC Find on Google Groups