summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2017-04-10 20:13:17 -0400
committerAnthony G. Basile <blueness@gentoo.org>2017-04-10 20:13:17 -0400
commit150c755849a9bb4eeb15ac3c613df7525f3bdc48 (patch)
treeebd9571eb971df6fae44226423292cee47ba1274
parentgrsecurity-3.1-4.9.20-201703310823 (diff)
downloadhardened-patchset-150c755849a9bb4eeb15ac3c613df7525f3bdc48.tar.gz
hardened-patchset-150c755849a9bb4eeb15ac3c613df7525f3bdc48.tar.bz2
hardened-patchset-150c755849a9bb4eeb15ac3c613df7525f3bdc48.zip
grsecurity-3.1-4.9.21-20170409194820170409
-rw-r--r--4.9.21/0000_README (renamed from 4.9.20/0000_README)6
-rw-r--r--4.9.21/1020_linux-4.9.21.patch4658
-rw-r--r--4.9.21/4420_grsecurity-3.1-4.9.21-201704091948.patch (renamed from 4.9.20/4420_grsecurity-3.1-4.9.20-201703310823.patch)156
-rw-r--r--4.9.21/4425_grsec_remove_EI_PAX.patch (renamed from 4.9.20/4425_grsec_remove_EI_PAX.patch)0
-rw-r--r--4.9.21/4426_default_XATTR_PAX_FLAGS.patch (renamed from 4.9.20/4426_default_XATTR_PAX_FLAGS.patch)0
-rw-r--r--4.9.21/4427_force_XATTR_PAX_tmpfs.patch (renamed from 4.9.20/4427_force_XATTR_PAX_tmpfs.patch)0
-rw-r--r--4.9.21/4430_grsec-remove-localversion-grsec.patch (renamed from 4.9.20/4430_grsec-remove-localversion-grsec.patch)0
-rw-r--r--4.9.21/4435_grsec-mute-warnings.patch (renamed from 4.9.20/4435_grsec-mute-warnings.patch)0
-rw-r--r--4.9.21/4440_grsec-remove-protected-paths.patch (renamed from 4.9.20/4440_grsec-remove-protected-paths.patch)0
-rw-r--r--4.9.21/4450_grsec-kconfig-default-gids.patch (renamed from 4.9.20/4450_grsec-kconfig-default-gids.patch)0
-rw-r--r--4.9.21/4465_selinux-avc_audit-log-curr_ip.patch (renamed from 4.9.20/4465_selinux-avc_audit-log-curr_ip.patch)0
-rw-r--r--4.9.21/4470_disable-compat_vdso.patch (renamed from 4.9.20/4470_disable-compat_vdso.patch)0
-rw-r--r--4.9.21/4475_emutramp_default_on.patch (renamed from 4.9.20/4475_emutramp_default_on.patch)0
13 files changed, 4744 insertions, 76 deletions
diff --git a/4.9.20/0000_README b/4.9.21/0000_README
index a960856..40c05c0 100644
--- a/4.9.20/0000_README
+++ b/4.9.21/0000_README
@@ -2,10 +2,14 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.1-4.9.20-201703310823.patch
+Patch: 4420_grsecurity-3.1-4.9.21-201704091948.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
+Patch: 1020_linux-4.9.21.patch
+From: http://www.kernel.org
+Desc: Linux 4.9.21
+
Patch: 4425_grsec_remove_EI_PAX.patch
From: Anthony G. Basile <blueness@gentoo.org>
Desc: Remove EI_PAX option and force off
diff --git a/4.9.21/1020_linux-4.9.21.patch b/4.9.21/1020_linux-4.9.21.patch
new file mode 100644
index 0000000..42defb2
--- /dev/null
+++ b/4.9.21/1020_linux-4.9.21.patch
@@ -0,0 +1,4658 @@
+diff --git a/Makefile b/Makefile
+index 4496018..1523557 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 9
+-SUBLEVEL = 20
++SUBLEVEL = 21
+ EXTRAVERSION =
+ NAME = Roaring Lionus
+
+diff --git a/arch/arm/boot/dts/bcm5301x.dtsi b/arch/arm/boot/dts/bcm5301x.dtsi
+index ae4b388..4616452 100644
+--- a/arch/arm/boot/dts/bcm5301x.dtsi
++++ b/arch/arm/boot/dts/bcm5301x.dtsi
+@@ -66,14 +66,14 @@
+ timer@20200 {
+ compatible = "arm,cortex-a9-global-timer";
+ reg = <0x20200 0x100>;
+- interrupts = <GIC_PPI 11 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_PPI 11 IRQ_TYPE_EDGE_RISING>;
+ clocks = <&periph_clk>;
+ };
+
+ local-timer@20600 {
+ compatible = "arm,cortex-a9-twd-timer";
+ reg = <0x20600 0x100>;
+- interrupts = <GIC_PPI 13 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_PPI 13 IRQ_TYPE_EDGE_RISING>;
+ clocks = <&periph_clk>;
+ };
+
+diff --git a/arch/arm/mach-bcm/bcm_5301x.c b/arch/arm/mach-bcm/bcm_5301x.c
+index c8830a2..fe067f6 100644
+--- a/arch/arm/mach-bcm/bcm_5301x.c
++++ b/arch/arm/mach-bcm/bcm_5301x.c
+@@ -9,14 +9,42 @@
+ #include <asm/hardware/cache-l2x0.h>
+
+ #include <asm/mach/arch.h>
++#include <asm/siginfo.h>
++#include <asm/signal.h>
++
++#define FSR_EXTERNAL (1 << 12)
++#define FSR_READ (0 << 10)
++#define FSR_IMPRECISE 0x0406
+
+ static const char *const bcm5301x_dt_compat[] __initconst = {
+ "brcm,bcm4708",
+ NULL,
+ };
+
++static int bcm5301x_abort_handler(unsigned long addr, unsigned int fsr,
++ struct pt_regs *regs)
++{
++ /*
++ * We want to ignore aborts forwarded from the PCIe bus that are
++ * expected and shouldn't really be passed by the PCIe controller.
++ * The biggest disadvantage is the same FSR code may be reported when
++ * reading non-existing APB register and we shouldn't ignore that.
++ */
++ if (fsr == (FSR_EXTERNAL | FSR_READ | FSR_IMPRECISE))
++ return 0;
++
++ return 1;
++}
++
++static void __init bcm5301x_init_early(void)
++{
++ hook_fault_code(16 + 6, bcm5301x_abort_handler, SIGBUS, BUS_OBJERR,
++ "imprecise external abort");
++}
++
+ DT_MACHINE_START(BCM5301X, "BCM5301X")
+ .l2c_aux_val = 0,
+ .l2c_aux_mask = ~0,
+ .dt_compat = bcm5301x_dt_compat,
++ .init_early = bcm5301x_init_early,
+ MACHINE_END
+diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c
+index 8ac0e59..0ddf369 100644
+--- a/arch/mips/lantiq/irq.c
++++ b/arch/mips/lantiq/irq.c
+@@ -269,6 +269,11 @@ static void ltq_hw5_irqdispatch(void)
+ DEFINE_HWx_IRQDISPATCH(5)
+ #endif
+
++static void ltq_hw_irq_handler(struct irq_desc *desc)
++{
++ ltq_hw_irqdispatch(irq_desc_get_irq(desc) - 2);
++}
++
+ #ifdef CONFIG_MIPS_MT_SMP
+ void __init arch_init_ipiirq(int irq, struct irqaction *action)
+ {
+@@ -313,23 +318,19 @@ static struct irqaction irq_call = {
+ asmlinkage void plat_irq_dispatch(void)
+ {
+ unsigned int pending = read_c0_status() & read_c0_cause() & ST0_IM;
+- unsigned int i;
+-
+- if ((MIPS_CPU_TIMER_IRQ == 7) && (pending & CAUSEF_IP7)) {
+- do_IRQ(MIPS_CPU_TIMER_IRQ);
+- goto out;
+- } else {
+- for (i = 0; i < MAX_IM; i++) {
+- if (pending & (CAUSEF_IP2 << i)) {
+- ltq_hw_irqdispatch(i);
+- goto out;
+- }
+- }
++ int irq;
++
++ if (!pending) {
++ spurious_interrupt();
++ return;
+ }
+- pr_alert("Spurious IRQ: CAUSE=0x%08x\n", read_c0_status());
+
+-out:
+- return;
++ pending >>= CAUSEB_IP;
++ while (pending) {
++ irq = fls(pending) - 1;
++ do_IRQ(MIPS_CPU_IRQ_BASE + irq);
++ pending &= ~BIT(irq);
++ }
+ }
+
+ static int icu_map(struct irq_domain *d, unsigned int irq, irq_hw_number_t hw)
+@@ -354,11 +355,6 @@ static const struct irq_domain_ops irq_domain_ops = {
+ .map = icu_map,
+ };
+
+-static struct irqaction cascade = {
+- .handler = no_action,
+- .name = "cascade",
+-};
+-
+ int __init icu_of_init(struct device_node *node, struct device_node *parent)
+ {
+ struct device_node *eiu_node;
+@@ -390,7 +386,7 @@ int __init icu_of_init(struct device_node *node, struct device_node *parent)
+ mips_cpu_irq_init();
+
+ for (i = 0; i < MAX_IM; i++)
+- setup_irq(i + 2, &cascade);
++ irq_set_chained_handler(i + 2, ltq_hw_irq_handler);
+
+ if (cpu_has_vint) {
+ pr_info("Setting up vectored interrupts\n");
+diff --git a/arch/parisc/include/asm/uaccess.h b/arch/parisc/include/asm/uaccess.h
+index 9a2aee1..7fcf512 100644
+--- a/arch/parisc/include/asm/uaccess.h
++++ b/arch/parisc/include/asm/uaccess.h
+@@ -68,6 +68,15 @@ struct exception_table_entry {
+ ".previous\n"
+
+ /*
++ * ASM_EXCEPTIONTABLE_ENTRY_EFAULT() creates a special exception table entry
++ * (with lowest bit set) for which the fault handler in fixup_exception() will
++ * load -EFAULT into %r8 for a read or write fault, and zeroes the target
++ * register in case of a read fault in get_user().
++ */
++#define ASM_EXCEPTIONTABLE_ENTRY_EFAULT( fault_addr, except_addr )\
++ ASM_EXCEPTIONTABLE_ENTRY( fault_addr, except_addr + 1)
++
++/*
+ * The page fault handler stores, in a per-cpu area, the following information
+ * if a fixup routine is available.
+ */
+@@ -94,7 +103,7 @@ struct exception_data {
+ #define __get_user(x, ptr) \
+ ({ \
+ register long __gu_err __asm__ ("r8") = 0; \
+- register long __gu_val __asm__ ("r9") = 0; \
++ register long __gu_val; \
+ \
+ load_sr2(); \
+ switch (sizeof(*(ptr))) { \
+@@ -110,22 +119,23 @@ struct exception_data {
+ })
+
+ #define __get_user_asm(ldx, ptr) \
+- __asm__("\n1:\t" ldx "\t0(%%sr2,%2),%0\n\t" \
+- ASM_EXCEPTIONTABLE_ENTRY(1b, fixup_get_user_skip_1)\
++ __asm__("1: " ldx " 0(%%sr2,%2),%0\n" \
++ "9:\n" \
++ ASM_EXCEPTIONTABLE_ENTRY_EFAULT(1b, 9b) \
+ : "=r"(__gu_val), "=r"(__gu_err) \
+- : "r"(ptr), "1"(__gu_err) \
+- : "r1");
++ : "r"(ptr), "1"(__gu_err));
+
+ #if !defined(CONFIG_64BIT)
+
+ #define __get_user_asm64(ptr) \
+- __asm__("\n1:\tldw 0(%%sr2,%2),%0" \
+- "\n2:\tldw 4(%%sr2,%2),%R0\n\t" \
+- ASM_EXCEPTIONTABLE_ENTRY(1b, fixup_get_user_skip_2)\
+- ASM_EXCEPTIONTABLE_ENTRY(2b, fixup_get_user_skip_1)\
++ __asm__(" copy %%r0,%R0\n" \
++ "1: ldw 0(%%sr2,%2),%0\n" \
++ "2: ldw 4(%%sr2,%2),%R0\n" \
++ "9:\n" \
++ ASM_EXCEPTIONTABLE_ENTRY_EFAULT(1b, 9b) \
++ ASM_EXCEPTIONTABLE_ENTRY_EFAULT(2b, 9b) \
+ : "=r"(__gu_val), "=r"(__gu_err) \
+- : "r"(ptr), "1"(__gu_err) \
+- : "r1");
++ : "r"(ptr), "1"(__gu_err));
+
+ #endif /* !defined(CONFIG_64BIT) */
+
+@@ -151,32 +161,31 @@ struct exception_data {
+ * The "__put_user/kernel_asm()" macros tell gcc they read from memory
+ * instead of writing. This is because they do not write to any memory
+ * gcc knows about, so there are no aliasing issues. These macros must
+- * also be aware that "fixup_put_user_skip_[12]" are executed in the
+- * context of the fault, and any registers used there must be listed
+- * as clobbers. In this case only "r1" is used by the current routines.
+- * r8/r9 are already listed as err/val.
++ * also be aware that fixups are executed in the context of the fault,
++ * and any registers used there must be listed as clobbers.
++ * r8 is already listed as err.
+ */
+
+ #define __put_user_asm(stx, x, ptr) \
+ __asm__ __volatile__ ( \
+- "\n1:\t" stx "\t%2,0(%%sr2,%1)\n\t" \
+- ASM_EXCEPTIONTABLE_ENTRY(1b, fixup_put_user_skip_1)\
++ "1: " stx " %2,0(%%sr2,%1)\n" \
++ "9:\n" \
++ ASM_EXCEPTIONTABLE_ENTRY_EFAULT(1b, 9b) \
+ : "=r"(__pu_err) \
+- : "r"(ptr), "r"(x), "0"(__pu_err) \
+- : "r1")
++ : "r"(ptr), "r"(x), "0"(__pu_err))
+
+
+ #if !defined(CONFIG_64BIT)
+
+ #define __put_user_asm64(__val, ptr) do { \
+ __asm__ __volatile__ ( \
+- "\n1:\tstw %2,0(%%sr2,%1)" \
+- "\n2:\tstw %R2,4(%%sr2,%1)\n\t" \
+- ASM_EXCEPTIONTABLE_ENTRY(1b, fixup_put_user_skip_2)\
+- ASM_EXCEPTIONTABLE_ENTRY(2b, fixup_put_user_skip_1)\
++ "1: stw %2,0(%%sr2,%1)\n" \
++ "2: stw %R2,4(%%sr2,%1)\n" \
++ "9:\n" \
++ ASM_EXCEPTIONTABLE_ENTRY_EFAULT(1b, 9b) \
++ ASM_EXCEPTIONTABLE_ENTRY_EFAULT(2b, 9b) \
+ : "=r"(__pu_err) \
+- : "r"(ptr), "r"(__val), "0"(__pu_err) \
+- : "r1"); \
++ : "r"(ptr), "r"(__val), "0"(__pu_err)); \
+ } while (0)
+
+ #endif /* !defined(CONFIG_64BIT) */
+diff --git a/arch/parisc/kernel/parisc_ksyms.c b/arch/parisc/kernel/parisc_ksyms.c
+index 3cad8aa..4e6f0d9 100644
+--- a/arch/parisc/kernel/parisc_ksyms.c
++++ b/arch/parisc/kernel/parisc_ksyms.c
+@@ -47,16 +47,6 @@ EXPORT_SYMBOL(__cmpxchg_u64);
+ EXPORT_SYMBOL(lclear_user);
+ EXPORT_SYMBOL(lstrnlen_user);
+
+-/* Global fixups - defined as int to avoid creation of function pointers */
+-extern int fixup_get_user_skip_1;
+-extern int fixup_get_user_skip_2;
+-extern int fixup_put_user_skip_1;
+-extern int fixup_put_user_skip_2;
+-EXPORT_SYMBOL(fixup_get_user_skip_1);
+-EXPORT_SYMBOL(fixup_get_user_skip_2);
+-EXPORT_SYMBOL(fixup_put_user_skip_1);
+-EXPORT_SYMBOL(fixup_put_user_skip_2);
+-
+ #ifndef CONFIG_64BIT
+ /* Needed so insmod can set dp value */
+ extern int $global$;
+diff --git a/arch/parisc/kernel/process.c b/arch/parisc/kernel/process.c
+index e81afc37..e7ffde2 100644
+--- a/arch/parisc/kernel/process.c
++++ b/arch/parisc/kernel/process.c
+@@ -140,6 +140,8 @@ void machine_power_off(void)
+ printk(KERN_EMERG "System shut down completed.\n"
+ "Please power this system off now.");
+
++ /* prevent soft lockup/stalled CPU messages for endless loop. */
++ rcu_sysrq_start();
+ for (;;);
+ }
+
+diff --git a/arch/parisc/lib/Makefile b/arch/parisc/lib/Makefile
+index 8fa92b8..f2dac4d 100644
+--- a/arch/parisc/lib/Makefile
++++ b/arch/parisc/lib/Makefile
+@@ -2,7 +2,7 @@
+ # Makefile for parisc-specific library files
+ #
+
+-lib-y := lusercopy.o bitops.o checksum.o io.o memset.o fixup.o memcpy.o \
++lib-y := lusercopy.o bitops.o checksum.o io.o memset.o memcpy.o \
+ ucmpdi2.o delay.o
+
+ obj-y := iomap.o
+diff --git a/arch/parisc/lib/fixup.S b/arch/parisc/lib/fixup.S
+deleted file mode 100644
+index a5b72f2..0000000
+--- a/arch/parisc/lib/fixup.S
++++ /dev/null
+@@ -1,98 +0,0 @@
+-/*
+- * Linux/PA-RISC Project (http://www.parisc-linux.org/)
+- *
+- * Copyright (C) 2004 Randolph Chung <tausq@debian.org>
+- *
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2, or (at your option)
+- * any later version.
+- *
+- * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- * GNU General Public License for more details.
+- *
+- * You should have received a copy of the GNU General Public License
+- * along with this program; if not, write to the Free Software
+- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+- *
+- * Fixup routines for kernel exception handling.
+- */
+-#include <asm/asm-offsets.h>
+-#include <asm/assembly.h>
+-#include <asm/errno.h>
+-#include <linux/linkage.h>
+-
+-#ifdef CONFIG_SMP
+- .macro get_fault_ip t1 t2
+- loadgp
+- addil LT%__per_cpu_offset,%r27
+- LDREG RT%__per_cpu_offset(%r1),\t1
+- /* t2 = smp_processor_id() */
+- mfctl 30,\t2
+- ldw TI_CPU(\t2),\t2
+-#ifdef CONFIG_64BIT
+- extrd,u \t2,63,32,\t2
+-#endif
+- /* t2 = &__per_cpu_offset[smp_processor_id()]; */
+- LDREGX \t2(\t1),\t2
+- addil LT%exception_data,%r27
+- LDREG RT%exception_data(%r1),\t1
+- /* t1 = this_cpu_ptr(&exception_data) */
+- add,l \t1,\t2,\t1
+- /* %r27 = t1->fault_gp - restore gp */
+- LDREG EXCDATA_GP(\t1), %r27
+- /* t1 = t1->fault_ip */
+- LDREG EXCDATA_IP(\t1), \t1
+- .endm
+-#else
+- .macro get_fault_ip t1 t2
+- loadgp
+- /* t1 = this_cpu_ptr(&exception_data) */
+- addil LT%exception_data,%r27
+- LDREG RT%exception_data(%r1),\t2
+- /* %r27 = t2->fault_gp - restore gp */
+- LDREG EXCDATA_GP(\t2), %r27
+- /* t1 = t2->fault_ip */
+- LDREG EXCDATA_IP(\t2), \t1
+- .endm
+-#endif
+-
+- .level LEVEL
+-
+- .text
+- .section .fixup, "ax"
+-
+- /* get_user() fixups, store -EFAULT in r8, and 0 in r9 */
+-ENTRY_CFI(fixup_get_user_skip_1)
+- get_fault_ip %r1,%r8
+- ldo 4(%r1), %r1
+- ldi -EFAULT, %r8
+- bv %r0(%r1)
+- copy %r0, %r9
+-ENDPROC_CFI(fixup_get_user_skip_1)
+-
+-ENTRY_CFI(fixup_get_user_skip_2)
+- get_fault_ip %r1,%r8
+- ldo 8(%r1), %r1
+- ldi -EFAULT, %r8
+- bv %r0(%r1)
+- copy %r0, %r9
+-ENDPROC_CFI(fixup_get_user_skip_2)
+-
+- /* put_user() fixups, store -EFAULT in r8 */
+-ENTRY_CFI(fixup_put_user_skip_1)
+- get_fault_ip %r1,%r8
+- ldo 4(%r1), %r1
+- bv %r0(%r1)
+- ldi -EFAULT, %r8
+-ENDPROC_CFI(fixup_put_user_skip_1)
+-
+-ENTRY_CFI(fixup_put_user_skip_2)
+- get_fault_ip %r1,%r8
+- ldo 8(%r1), %r1
+- bv %r0(%r1)
+- ldi -EFAULT, %r8
+-ENDPROC_CFI(fixup_put_user_skip_2)
+-
+diff --git a/arch/parisc/lib/lusercopy.S b/arch/parisc/lib/lusercopy.S
+index 56845de..f01188c 100644
+--- a/arch/parisc/lib/lusercopy.S
++++ b/arch/parisc/lib/lusercopy.S
+@@ -5,6 +5,8 @@
+ * Copyright (C) 2000 Richard Hirst <rhirst with parisc-linux.org>
+ * Copyright (C) 2001 Matthieu Delahaye <delahaym at esiee.fr>
+ * Copyright (C) 2003 Randolph Chung <tausq with parisc-linux.org>
++ * Copyright (C) 2017 Helge Deller <deller@gmx.de>
++ * Copyright (C) 2017 John David Anglin <dave.anglin@bell.net>
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+@@ -132,4 +134,320 @@ ENDPROC_CFI(lstrnlen_user)
+
+ .procend
+
++
++
++/*
++ * unsigned long pa_memcpy(void *dstp, const void *srcp, unsigned long len)
++ *
++ * Inputs:
++ * - sr1 already contains space of source region
++ * - sr2 already contains space of destination region
++ *
++ * Returns:
++ * - number of bytes that could not be copied.
++ * On success, this will be zero.
++ *
++ * This code is based on a C-implementation of a copy routine written by
++ * Randolph Chung, which in turn was derived from the glibc.
++ *
++ * Several strategies are tried to try to get the best performance for various
++ * conditions. In the optimal case, we copy by loops that copy 32- or 16-bytes
++ * at a time using general registers. Unaligned copies are handled either by
++ * aligning the destination and then using shift-and-write method, or in a few
++ * cases by falling back to a byte-at-a-time copy.
++ *
++ * Testing with various alignments and buffer sizes shows that this code is
++ * often >10x faster than a simple byte-at-a-time copy, even for strangely
++ * aligned operands. It is interesting to note that the glibc version of memcpy
++ * (written in C) is actually quite fast already. This routine is able to beat
++ * it by 30-40% for aligned copies because of the loop unrolling, but in some
++ * cases the glibc version is still slightly faster. This lends more
++ * credibility that gcc can generate very good code as long as we are careful.
++ *
++ * Possible optimizations:
++ * - add cache prefetching
++ * - try not to use the post-increment address modifiers; they may create
++ * additional interlocks. Assumption is that those were only efficient on old
++ * machines (pre PA8000 processors)
++ */
++
++ dst = arg0
++ src = arg1
++ len = arg2
++ end = arg3
++ t1 = r19
++ t2 = r20
++ t3 = r21
++ t4 = r22
++ srcspc = sr1
++ dstspc = sr2
++
++ t0 = r1
++ a1 = t1
++ a2 = t2
++ a3 = t3
++ a0 = t4
++
++ save_src = ret0
++ save_dst = ret1
++ save_len = r31
++
++ENTRY_CFI(pa_memcpy)
++ .proc
++ .callinfo NO_CALLS
++ .entry
++
++ /* Last destination address */
++ add dst,len,end
++
++ /* short copy with less than 16 bytes? */
++ cmpib,>>=,n 15,len,.Lbyte_loop
++
++ /* same alignment? */
++ xor src,dst,t0
++ extru t0,31,2,t1
++ cmpib,<>,n 0,t1,.Lunaligned_copy
++
++#ifdef CONFIG_64BIT
++ /* only do 64-bit copies if we can get aligned. */
++ extru t0,31,3,t1
++ cmpib,<>,n 0,t1,.Lalign_loop32
++
++ /* loop until we are 64-bit aligned */
++.Lalign_loop64:
++ extru dst,31,3,t1
++ cmpib,=,n 0,t1,.Lcopy_loop_16
++20: ldb,ma 1(srcspc,src),t1
++21: stb,ma t1,1(dstspc,dst)
++ b .Lalign_loop64
++ ldo -1(len),len
++
++ ASM_EXCEPTIONTABLE_ENTRY(20b,.Lcopy_done)
++ ASM_EXCEPTIONTABLE_ENTRY(21b,.Lcopy_done)
++
++ ldi 31,t0
++.Lcopy_loop_16:
++ cmpb,COND(>>=),n t0,len,.Lword_loop
++
++10: ldd 0(srcspc,src),t1
++11: ldd 8(srcspc,src),t2
++ ldo 16(src),src
++12: std,ma t1,8(dstspc,dst)
++13: std,ma t2,8(dstspc,dst)
++14: ldd 0(srcspc,src),t1
++15: ldd 8(srcspc,src),t2
++ ldo 16(src),src
++16: std,ma t1,8(dstspc,dst)
++17: std,ma t2,8(dstspc,dst)
++
++ ASM_EXCEPTIONTABLE_ENTRY(10b,.Lcopy_done)
++ ASM_EXCEPTIONTABLE_ENTRY(11b,.Lcopy16_fault)
++ ASM_EXCEPTIONTABLE_ENTRY(12b,.Lcopy_done)
++ ASM_EXCEPTIONTABLE_ENTRY(13b,.Lcopy_done)
++ ASM_EXCEPTIONTABLE_ENTRY(14b,.Lcopy_done)
++ ASM_EXCEPTIONTABLE_ENTRY(15b,.Lcopy16_fault)
++ ASM_EXCEPTIONTABLE_ENTRY(16b,.Lcopy_done)
++ ASM_EXCEPTIONTABLE_ENTRY(17b,.Lcopy_done)
++
++ b .Lcopy_loop_16
++ ldo -32(len),len
++
++.Lword_loop:
++ cmpib,COND(>>=),n 3,len,.Lbyte_loop
++20: ldw,ma 4(srcspc,src),t1
++21: stw,ma t1,4(dstspc,dst)
++ b .Lword_loop
++ ldo -4(len),len
++
++ ASM_EXCEPTIONTABLE_ENTRY(20b,.Lcopy_done)
++ ASM_EXCEPTIONTABLE_ENTRY(21b,.Lcopy_done)
++
++#endif /* CONFIG_64BIT */
++
++ /* loop until we are 32-bit aligned */
++.Lalign_loop32:
++ extru dst,31,2,t1
++ cmpib,=,n 0,t1,.Lcopy_loop_4
++20: ldb,ma 1(srcspc,src),t1
++21: stb,ma t1,1(dstspc,dst)
++ b .Lalign_loop32
++ ldo -1(len),len
++
++ ASM_EXCEPTIONTABLE_ENTRY(20b,.Lcopy_done)
++ ASM_EXCEPTIONTABLE_ENTRY(21b,.Lcopy_done)
++
++
++.Lcopy_loop_4:
++ cmpib,COND(>>=),n 15,len,.Lbyte_loop
++
++10: ldw 0(srcspc,src),t1
++11: ldw 4(srcspc,src),t2
++12: stw,ma t1,4(dstspc,dst)
++13: stw,ma t2,4(dstspc,dst)
++14: ldw 8(srcspc,src),t1
++15: ldw 12(srcspc,src),t2
++ ldo 16(src),src
++16: stw,ma t1,4(dstspc,dst)
++17: stw,ma t2,4(dstspc,dst)
++
++ ASM_EXCEPTIONTABLE_ENTRY(10b,.Lcopy_done)
++ ASM_EXCEPTIONTABLE_ENTRY(11b,.Lcopy8_fault)
++ ASM_EXCEPTIONTABLE_ENTRY(12b,.Lcopy_done)
++ ASM_EXCEPTIONTABLE_ENTRY(13b,.Lcopy_done)
++ ASM_EXCEPTIONTABLE_ENTRY(14b,.Lcopy_done)
++ ASM_EXCEPTIONTABLE_ENTRY(15b,.Lcopy8_fault)
++ ASM_EXCEPTIONTABLE_ENTRY(16b,.Lcopy_done)
++ ASM_EXCEPTIONTABLE_ENTRY(17b,.Lcopy_done)
++
++ b .Lcopy_loop_4
++ ldo -16(len),len
++
++.Lbyte_loop:
++ cmpclr,COND(<>) len,%r0,%r0
++ b,n .Lcopy_done
++20: ldb 0(srcspc,src),t1
++ ldo 1(src),src
++21: stb,ma t1,1(dstspc,dst)
++ b .Lbyte_loop
++ ldo -1(len),len
++
++ ASM_EXCEPTIONTABLE_ENTRY(20b,.Lcopy_done)
++ ASM_EXCEPTIONTABLE_ENTRY(21b,.Lcopy_done)
++
++.Lcopy_done:
++ bv %r0(%r2)
++ sub end,dst,ret0
++
++
++ /* src and dst are not aligned the same way. */
++ /* need to go the hard way */
++.Lunaligned_copy:
++ /* align until dst is 32bit-word-aligned */
++ extru dst,31,2,t1
++ cmpib,COND(=),n 0,t1,.Lcopy_dstaligned
++20: ldb 0(srcspc,src),t1
++ ldo 1(src),src
++21: stb,ma t1,1(dstspc,dst)
++ b .Lunaligned_copy
++ ldo -1(len),len
++
++ ASM_EXCEPTIONTABLE_ENTRY(20b,.Lcopy_done)
++ ASM_EXCEPTIONTABLE_ENTRY(21b,.Lcopy_done)
++
++.Lcopy_dstaligned:
++
++ /* store src, dst and len in safe place */
++ copy src,save_src
++ copy dst,save_dst
++ copy len,save_len
++
++ /* len now needs give number of words to copy */
++ SHRREG len,2,len
++
++ /*
++ * Copy from a not-aligned src to an aligned dst using shifts.
++ * Handles 4 words per loop.
++ */
++
++ depw,z src,28,2,t0
++ subi 32,t0,t0
++ mtsar t0
++ extru len,31,2,t0
++ cmpib,= 2,t0,.Lcase2
++ /* Make src aligned by rounding it down. */
++ depi 0,31,2,src
++
++ cmpiclr,<> 3,t0,%r0
++ b,n .Lcase3
++ cmpiclr,<> 1,t0,%r0
++ b,n .Lcase1
++.Lcase0:
++ cmpb,= %r0,len,.Lcda_finish
++ nop
++
++1: ldw,ma 4(srcspc,src), a3
++ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcda_rdfault)
++1: ldw,ma 4(srcspc,src), a0
++ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcda_rdfault)
++ b,n .Ldo3
++.Lcase1:
++1: ldw,ma 4(srcspc,src), a2
++ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcda_rdfault)
++1: ldw,ma 4(srcspc,src), a3
++ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcda_rdfault)
++ ldo -1(len),len
++ cmpb,=,n %r0,len,.Ldo0
++.Ldo4:
++1: ldw,ma 4(srcspc,src), a0
++ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcda_rdfault)
++ shrpw a2, a3, %sar, t0
++1: stw,ma t0, 4(dstspc,dst)
++ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcopy_done)
++.Ldo3:
++1: ldw,ma 4(srcspc,src), a1
++ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcda_rdfault)
++ shrpw a3, a0, %sar, t0
++1: stw,ma t0, 4(dstspc,dst)
++ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcopy_done)
++.Ldo2:
++1: ldw,ma 4(srcspc,src), a2
++ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcda_rdfault)
++ shrpw a0, a1, %sar, t0
++1: stw,ma t0, 4(dstspc,dst)
++ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcopy_done)
++.Ldo1:
++1: ldw,ma 4(srcspc,src), a3
++ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcda_rdfault)
++ shrpw a1, a2, %sar, t0
++1: stw,ma t0, 4(dstspc,dst)
++ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcopy_done)
++ ldo -4(len),len
++ cmpb,<> %r0,len,.Ldo4
++ nop
++.Ldo0:
++ shrpw a2, a3, %sar, t0
++1: stw,ma t0, 4(dstspc,dst)
++ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcopy_done)
++
++.Lcda_rdfault:
++.Lcda_finish:
++ /* calculate new src, dst and len and jump to byte-copy loop */
++ sub dst,save_dst,t0
++ add save_src,t0,src
++ b .Lbyte_loop
++ sub save_len,t0,len
++
++.Lcase3:
++1: ldw,ma 4(srcspc,src), a0
++ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcda_rdfault)
++1: ldw,ma 4(srcspc,src), a1
++ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcda_rdfault)
++ b .Ldo2
++ ldo 1(len),len
++.Lcase2:
++1: ldw,ma 4(srcspc,src), a1
++ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcda_rdfault)
++1: ldw,ma 4(srcspc,src), a2
++ ASM_EXCEPTIONTABLE_ENTRY(1b,.Lcda_rdfault)
++ b .Ldo1
++ ldo 2(len),len
++
++
++ /* fault exception fixup handlers: */
++#ifdef CONFIG_64BIT
++.Lcopy16_fault:
++10: b .Lcopy_done
++ std,ma t1,8(dstspc,dst)
++ ASM_EXCEPTIONTABLE_ENTRY(10b,.Lcopy_done)
++#endif
++
++.Lcopy8_fault:
++10: b .Lcopy_done
++ stw,ma t1,4(dstspc,dst)
++ ASM_EXCEPTIONTABLE_ENTRY(10b,.Lcopy_done)
++
++ .exit
++ENDPROC_CFI(pa_memcpy)
++ .procend
++
+ .end
+diff --git a/arch/parisc/lib/memcpy.c b/arch/parisc/lib/memcpy.c
+index f82ff10..b3d47ec 100644
+--- a/arch/parisc/lib/memcpy.c
++++ b/arch/parisc/lib/memcpy.c
+@@ -2,7 +2,7 @@
+ * Optimized memory copy routines.
+ *
+ * Copyright (C) 2004 Randolph Chung <tausq@debian.org>
+- * Copyright (C) 2013 Helge Deller <deller@gmx.de>
++ * Copyright (C) 2013-2017 Helge Deller <deller@gmx.de>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -21,474 +21,21 @@
+ * Portions derived from the GNU C Library
+ * Copyright (C) 1991, 1997, 2003 Free Software Foundation, Inc.
+ *
+- * Several strategies are tried to try to get the best performance for various
+- * conditions. In the optimal case, we copy 64-bytes in an unrolled loop using
+- * fp regs. This is followed by loops that copy 32- or 16-bytes at a time using
+- * general registers. Unaligned copies are handled either by aligning the
+- * destination and then using shift-and-write method, or in a few cases by
+- * falling back to a byte-at-a-time copy.
+- *
+- * I chose to implement this in C because it is easier to maintain and debug,
+- * and in my experiments it appears that the C code generated by gcc (3.3/3.4
+- * at the time of writing) is fairly optimal. Unfortunately some of the
+- * semantics of the copy routine (exception handling) is difficult to express
+- * in C, so we have to play some tricks to get it to work.
+- *
+- * All the loads and stores are done via explicit asm() code in order to use
+- * the right space registers.
+- *
+- * Testing with various alignments and buffer sizes shows that this code is
+- * often >10x faster than a simple byte-at-a-time copy, even for strangely
+- * aligned operands. It is interesting to note that the glibc version
+- * of memcpy (written in C) is actually quite fast already. This routine is
+- * able to beat it by 30-40% for aligned copies because of the loop unrolling,
+- * but in some cases the glibc version is still slightly faster. This lends
+- * more credibility that gcc can generate very good code as long as we are
+- * careful.
+- *
+- * TODO:
+- * - cache prefetching needs more experimentation to get optimal settings
+- * - try not to use the post-increment address modifiers; they create additional
+- * interlocks
+- * - replace byte-copy loops with stybs sequences
+ */
+
+-#ifdef __KERNEL__
+ #include <linux/module.h>
+ #include <linux/compiler.h>
+ #include <linux/uaccess.h>
+-#define s_space "%%sr1"
+-#define d_space "%%sr2"
+-#else
+-#include "memcpy.h"
+-#define s_space "%%sr0"
+-#define d_space "%%sr0"
+-#define pa_memcpy new2_copy
+-#endif
+
+ DECLARE_PER_CPU(struct exception_data, exception_data);
+
+-#define preserve_branch(label) do { \
+- volatile int dummy = 0; \
+- /* The following branch is never taken, it's just here to */ \
+- /* prevent gcc from optimizing away our exception code. */ \
+- if (unlikely(dummy != dummy)) \
+- goto label; \
+-} while (0)
+-
+ #define get_user_space() (segment_eq(get_fs(), KERNEL_DS) ? 0 : mfsp(3))
+ #define get_kernel_space() (0)
+
+-#define MERGE(w0, sh_1, w1, sh_2) ({ \
+- unsigned int _r; \
+- asm volatile ( \
+- "mtsar %3\n" \
+- "shrpw %1, %2, %%sar, %0\n" \
+- : "=r"(_r) \
+- : "r"(w0), "r"(w1), "r"(sh_2) \
+- ); \
+- _r; \
+-})
+-#define THRESHOLD 16
+-
+-#ifdef DEBUG_MEMCPY
+-#define DPRINTF(fmt, args...) do { printk(KERN_DEBUG "%s:%d:%s ", __FILE__, __LINE__, __func__ ); printk(KERN_DEBUG fmt, ##args ); } while (0)
+-#else
+-#define DPRINTF(fmt, args...)
+-#endif
+-
+-#define def_load_ai_insn(_insn,_sz,_tt,_s,_a,_t,_e) \
+- __asm__ __volatile__ ( \
+- "1:\t" #_insn ",ma " #_sz "(" _s ",%1), %0\n\t" \
+- ASM_EXCEPTIONTABLE_ENTRY(1b,_e) \
+- : _tt(_t), "+r"(_a) \
+- : \
+- : "r8")
+-
+-#define def_store_ai_insn(_insn,_sz,_tt,_s,_a,_t,_e) \
+- __asm__ __volatile__ ( \
+- "1:\t" #_insn ",ma %1, " #_sz "(" _s ",%0)\n\t" \
+- ASM_EXCEPTIONTABLE_ENTRY(1b,_e) \
+- : "+r"(_a) \
+- : _tt(_t) \
+- : "r8")
+-
+-#define ldbma(_s, _a, _t, _e) def_load_ai_insn(ldbs,1,"=r",_s,_a,_t,_e)
+-#define stbma(_s, _t, _a, _e) def_store_ai_insn(stbs,1,"r",_s,_a,_t,_e)
+-#define ldwma(_s, _a, _t, _e) def_load_ai_insn(ldw,4,"=r",_s,_a,_t,_e)
+-#define stwma(_s, _t, _a, _e) def_store_ai_insn(stw,4,"r",_s,_a,_t,_e)
+-#define flddma(_s, _a, _t, _e) def_load_ai_insn(fldd,8,"=f",_s,_a,_t,_e)
+-#define fstdma(_s, _t, _a, _e) def_store_ai_insn(fstd,8,"f",_s,_a,_t,_e)
+-
+-#define def_load_insn(_insn,_tt,_s,_o,_a,_t,_e) \
+- __asm__ __volatile__ ( \
+- "1:\t" #_insn " " #_o "(" _s ",%1), %0\n\t" \
+- ASM_EXCEPTIONTABLE_ENTRY(1b,_e) \
+- : _tt(_t) \
+- : "r"(_a) \
+- : "r8")
+-
+-#define def_store_insn(_insn,_tt,_s,_t,_o,_a,_e) \
+- __asm__ __volatile__ ( \
+- "1:\t" #_insn " %0, " #_o "(" _s ",%1)\n\t" \
+- ASM_EXCEPTIONTABLE_ENTRY(1b,_e) \
+- : \
+- : _tt(_t), "r"(_a) \
+- : "r8")
+-
+-#define ldw(_s,_o,_a,_t,_e) def_load_insn(ldw,"=r",_s,_o,_a,_t,_e)
+-#define stw(_s,_t,_o,_a,_e) def_store_insn(stw,"r",_s,_t,_o,_a,_e)
+-
+-#ifdef CONFIG_PREFETCH
+-static inline void prefetch_src(const void *addr)
+-{
+- __asm__("ldw 0(" s_space ",%0), %%r0" : : "r" (addr));
+-}
+-
+-static inline void prefetch_dst(const void *addr)
+-{
+- __asm__("ldd 0(" d_space ",%0), %%r0" : : "r" (addr));
+-}
+-#else
+-#define prefetch_src(addr) do { } while(0)
+-#define prefetch_dst(addr) do { } while(0)
+-#endif
+-
+-#define PA_MEMCPY_OK 0
+-#define PA_MEMCPY_LOAD_ERROR 1
+-#define PA_MEMCPY_STORE_ERROR 2
+-
+-/* Copy from a not-aligned src to an aligned dst, using shifts. Handles 4 words
+- * per loop. This code is derived from glibc.
+- */
+-static noinline unsigned long copy_dstaligned(unsigned long dst,
+- unsigned long src, unsigned long len)
+-{
+- /* gcc complains that a2 and a3 may be uninitialized, but actually
+- * they cannot be. Initialize a2/a3 to shut gcc up.
+- */
+- register unsigned int a0, a1, a2 = 0, a3 = 0;
+- int sh_1, sh_2;
+-
+- /* prefetch_src((const void *)src); */
+-
+- /* Calculate how to shift a word read at the memory operation
+- aligned srcp to make it aligned for copy. */
+- sh_1 = 8 * (src % sizeof(unsigned int));
+- sh_2 = 8 * sizeof(unsigned int) - sh_1;
+-
+- /* Make src aligned by rounding it down. */
+- src &= -sizeof(unsigned int);
+-
+- switch (len % 4)
+- {
+- case 2:
+- /* a1 = ((unsigned int *) src)[0];
+- a2 = ((unsigned int *) src)[1]; */
+- ldw(s_space, 0, src, a1, cda_ldw_exc);
+- ldw(s_space, 4, src, a2, cda_ldw_exc);
+- src -= 1 * sizeof(unsigned int);
+- dst -= 3 * sizeof(unsigned int);
+- len += 2;
+- goto do1;
+- case 3:
+- /* a0 = ((unsigned int *) src)[0];
+- a1 = ((unsigned int *) src)[1]; */
+- ldw(s_space, 0, src, a0, cda_ldw_exc);
+- ldw(s_space, 4, src, a1, cda_ldw_exc);
+- src -= 0 * sizeof(unsigned int);
+- dst -= 2 * sizeof(unsigned int);
+- len += 1;
+- goto do2;
+- case 0:
+- if (len == 0)
+- return PA_MEMCPY_OK;
+- /* a3 = ((unsigned int *) src)[0];
+- a0 = ((unsigned int *) src)[1]; */
+- ldw(s_space, 0, src, a3, cda_ldw_exc);
+- ldw(s_space, 4, src, a0, cda_ldw_exc);
+- src -=-1 * sizeof(unsigned int);
+- dst -= 1 * sizeof(unsigned int);
+- len += 0;
+- goto do3;
+- case 1:
+- /* a2 = ((unsigned int *) src)[0];
+- a3 = ((unsigned int *) src)[1]; */
+- ldw(s_space, 0, src, a2, cda_ldw_exc);
+- ldw(s_space, 4, src, a3, cda_ldw_exc);
+- src -=-2 * sizeof(unsigned int);
+- dst -= 0 * sizeof(unsigned int);
+- len -= 1;
+- if (len == 0)
+- goto do0;
+- goto do4; /* No-op. */
+- }
+-
+- do
+- {
+- /* prefetch_src((const void *)(src + 4 * sizeof(unsigned int))); */
+-do4:
+- /* a0 = ((unsigned int *) src)[0]; */
+- ldw(s_space, 0, src, a0, cda_ldw_exc);
+- /* ((unsigned int *) dst)[0] = MERGE (a2, sh_1, a3, sh_2); */
+- stw(d_space, MERGE (a2, sh_1, a3, sh_2), 0, dst, cda_stw_exc);
+-do3:
+- /* a1 = ((unsigned int *) src)[1]; */
+- ldw(s_space, 4, src, a1, cda_ldw_exc);
+- /* ((unsigned int *) dst)[1] = MERGE (a3, sh_1, a0, sh_2); */
+- stw(d_space, MERGE (a3, sh_1, a0, sh_2), 4, dst, cda_stw_exc);
+-do2:
+- /* a2 = ((unsigned int *) src)[2]; */
+- ldw(s_space, 8, src, a2, cda_ldw_exc);
+- /* ((unsigned int *) dst)[2] = MERGE (a0, sh_1, a1, sh_2); */
+- stw(d_space, MERGE (a0, sh_1, a1, sh_2), 8, dst, cda_stw_exc);
+-do1:
+- /* a3 = ((unsigned int *) src)[3]; */
+- ldw(s_space, 12, src, a3, cda_ldw_exc);
+- /* ((unsigned int *) dst)[3] = MERGE (a1, sh_1, a2, sh_2); */
+- stw(d_space, MERGE (a1, sh_1, a2, sh_2), 12, dst, cda_stw_exc);
+-
+- src += 4 * sizeof(unsigned int);
+- dst += 4 * sizeof(unsigned int);
+- len -= 4;
+- }
+- while (len != 0);
+-
+-do0:
+- /* ((unsigned int *) dst)[0] = MERGE (a2, sh_1, a3, sh_2); */
+- stw(d_space, MERGE (a2, sh_1, a3, sh_2), 0, dst, cda_stw_exc);
+-
+- preserve_branch(handle_load_error);
+- preserve_branch(handle_store_error);
+-
+- return PA_MEMCPY_OK;
+-
+-handle_load_error:
+- __asm__ __volatile__ ("cda_ldw_exc:\n");
+- return PA_MEMCPY_LOAD_ERROR;
+-
+-handle_store_error:
+- __asm__ __volatile__ ("cda_stw_exc:\n");
+- return PA_MEMCPY_STORE_ERROR;
+-}
+-
+-
+-/* Returns PA_MEMCPY_OK, PA_MEMCPY_LOAD_ERROR or PA_MEMCPY_STORE_ERROR.
+- * In case of an access fault the faulty address can be read from the per_cpu
+- * exception data struct. */
+-static noinline unsigned long pa_memcpy_internal(void *dstp, const void *srcp,
+- unsigned long len)
+-{
+- register unsigned long src, dst, t1, t2, t3;
+- register unsigned char *pcs, *pcd;
+- register unsigned int *pws, *pwd;
+- register double *pds, *pdd;
+- unsigned long ret;
+-
+- src = (unsigned long)srcp;
+- dst = (unsigned long)dstp;
+- pcs = (unsigned char *)srcp;
+- pcd = (unsigned char *)dstp;
+-
+- /* prefetch_src((const void *)srcp); */
+-
+- if (len < THRESHOLD)
+- goto byte_copy;
+-
+- /* Check alignment */
+- t1 = (src ^ dst);
+- if (unlikely(t1 & (sizeof(double)-1)))
+- goto unaligned_copy;
+-
+- /* src and dst have same alignment. */
+-
+- /* Copy bytes till we are double-aligned. */
+- t2 = src & (sizeof(double) - 1);
+- if (unlikely(t2 != 0)) {
+- t2 = sizeof(double) - t2;
+- while (t2 && len) {
+- /* *pcd++ = *pcs++; */
+- ldbma(s_space, pcs, t3, pmc_load_exc);
+- len--;
+- stbma(d_space, t3, pcd, pmc_store_exc);
+- t2--;
+- }
+- }
+-
+- pds = (double *)pcs;
+- pdd = (double *)pcd;
+-
+-#if 0
+- /* Copy 8 doubles at a time */
+- while (len >= 8*sizeof(double)) {
+- register double r1, r2, r3, r4, r5, r6, r7, r8;
+- /* prefetch_src((char *)pds + L1_CACHE_BYTES); */
+- flddma(s_space, pds, r1, pmc_load_exc);
+- flddma(s_space, pds, r2, pmc_load_exc);
+- flddma(s_space, pds, r3, pmc_load_exc);
+- flddma(s_space, pds, r4, pmc_load_exc);
+- fstdma(d_space, r1, pdd, pmc_store_exc);
+- fstdma(d_space, r2, pdd, pmc_store_exc);
+- fstdma(d_space, r3, pdd, pmc_store_exc);
+- fstdma(d_space, r4, pdd, pmc_store_exc);
+-
+-#if 0
+- if (L1_CACHE_BYTES <= 32)
+- prefetch_src((char *)pds + L1_CACHE_BYTES);
+-#endif
+- flddma(s_space, pds, r5, pmc_load_exc);
+- flddma(s_space, pds, r6, pmc_load_exc);
+- flddma(s_space, pds, r7, pmc_load_exc);
+- flddma(s_space, pds, r8, pmc_load_exc);
+- fstdma(d_space, r5, pdd, pmc_store_exc);
+- fstdma(d_space, r6, pdd, pmc_store_exc);
+- fstdma(d_space, r7, pdd, pmc_store_exc);
+- fstdma(d_space, r8, pdd, pmc_store_exc);
+- len -= 8*sizeof(double);
+- }
+-#endif
+-
+- pws = (unsigned int *)pds;
+- pwd = (unsigned int *)pdd;
+-
+-word_copy:
+- while (len >= 8*sizeof(unsigned int)) {
+- register unsigned int r1,r2,r3,r4,r5,r6,r7,r8;
+- /* prefetch_src((char *)pws + L1_CACHE_BYTES); */
+- ldwma(s_space, pws, r1, pmc_load_exc);
+- ldwma(s_space, pws, r2, pmc_load_exc);
+- ldwma(s_space, pws, r3, pmc_load_exc);
+- ldwma(s_space, pws, r4, pmc_load_exc);
+- stwma(d_space, r1, pwd, pmc_store_exc);
+- stwma(d_space, r2, pwd, pmc_store_exc);
+- stwma(d_space, r3, pwd, pmc_store_exc);
+- stwma(d_space, r4, pwd, pmc_store_exc);
+-
+- ldwma(s_space, pws, r5, pmc_load_exc);
+- ldwma(s_space, pws, r6, pmc_load_exc);
+- ldwma(s_space, pws, r7, pmc_load_exc);
+- ldwma(s_space, pws, r8, pmc_load_exc);
+- stwma(d_space, r5, pwd, pmc_store_exc);
+- stwma(d_space, r6, pwd, pmc_store_exc);
+- stwma(d_space, r7, pwd, pmc_store_exc);
+- stwma(d_space, r8, pwd, pmc_store_exc);
+- len -= 8*sizeof(unsigned int);
+- }
+-
+- while (len >= 4*sizeof(unsigned int)) {
+- register unsigned int r1,r2,r3,r4;
+- ldwma(s_space, pws, r1, pmc_load_exc);
+- ldwma(s_space, pws, r2, pmc_load_exc);
+- ldwma(s_space, pws, r3, pmc_load_exc);
+- ldwma(s_space, pws, r4, pmc_load_exc);
+- stwma(d_space, r1, pwd, pmc_store_exc);
+- stwma(d_space, r2, pwd, pmc_store_exc);
+- stwma(d_space, r3, pwd, pmc_store_exc);
+- stwma(d_space, r4, pwd, pmc_store_exc);
+- len -= 4*sizeof(unsigned int);
+- }
+-
+- pcs = (unsigned char *)pws;
+- pcd = (unsigned char *)pwd;
+-
+-byte_copy:
+- while (len) {
+- /* *pcd++ = *pcs++; */
+- ldbma(s_space, pcs, t3, pmc_load_exc);
+- stbma(d_space, t3, pcd, pmc_store_exc);
+- len--;
+- }
+-
+- return PA_MEMCPY_OK;
+-
+-unaligned_copy:
+- /* possibly we are aligned on a word, but not on a double... */
+- if (likely((t1 & (sizeof(unsigned int)-1)) == 0)) {
+- t2 = src & (sizeof(unsigned int) - 1);
+-
+- if (unlikely(t2 != 0)) {
+- t2 = sizeof(unsigned int) - t2;
+- while (t2) {
+- /* *pcd++ = *pcs++; */
+- ldbma(s_space, pcs, t3, pmc_load_exc);
+- stbma(d_space, t3, pcd, pmc_store_exc);
+- len--;
+- t2--;
+- }
+- }
+-
+- pws = (unsigned int *)pcs;
+- pwd = (unsigned int *)pcd;
+- goto word_copy;
+- }
+-
+- /* Align the destination. */
+- if (unlikely((dst & (sizeof(unsigned int) - 1)) != 0)) {
+- t2 = sizeof(unsigned int) - (dst & (sizeof(unsigned int) - 1));
+- while (t2) {
+- /* *pcd++ = *pcs++; */
+- ldbma(s_space, pcs, t3, pmc_load_exc);
+- stbma(d_space, t3, pcd, pmc_store_exc);
+- len--;
+- t2--;
+- }
+- dst = (unsigned long)pcd;
+- src = (unsigned long)pcs;
+- }
+-
+- ret = copy_dstaligned(dst, src, len / sizeof(unsigned int));
+- if (ret)
+- return ret;
+-
+- pcs += (len & -sizeof(unsigned int));
+- pcd += (len & -sizeof(unsigned int));
+- len %= sizeof(unsigned int);
+-
+- preserve_branch(handle_load_error);
+- preserve_branch(handle_store_error);
+-
+- goto byte_copy;
+-
+-handle_load_error:
+- __asm__ __volatile__ ("pmc_load_exc:\n");
+- return PA_MEMCPY_LOAD_ERROR;
+-
+-handle_store_error:
+- __asm__ __volatile__ ("pmc_store_exc:\n");
+- return PA_MEMCPY_STORE_ERROR;
+-}
+-
+-
+ /* Returns 0 for success, otherwise, returns number of bytes not transferred. */
+-static unsigned long pa_memcpy(void *dstp, const void *srcp, unsigned long len)
+-{
+- unsigned long ret, fault_addr, reference;
+- struct exception_data *d;
+-
+- ret = pa_memcpy_internal(dstp, srcp, len);
+- if (likely(ret == PA_MEMCPY_OK))
+- return 0;
+-
+- /* if a load or store fault occured we can get the faulty addr */
+- d = this_cpu_ptr(&exception_data);
+- fault_addr = d->fault_addr;
+-
+- /* error in load or store? */
+- if (ret == PA_MEMCPY_LOAD_ERROR)
+- reference = (unsigned long) srcp;
+- else
+- reference = (unsigned long) dstp;
++extern unsigned long pa_memcpy(void *dst, const void *src,
++ unsigned long len);
+
+- DPRINTF("pa_memcpy: fault type = %lu, len=%lu fault_addr=%lu ref=%lu\n",
+- ret, len, fault_addr, reference);
+-
+- if (fault_addr >= reference)
+- return len - (fault_addr - reference);
+- else
+- return len;
+-}
+-
+-#ifdef __KERNEL__
+ unsigned long __copy_to_user(void __user *dst, const void *src,
+ unsigned long len)
+ {
+@@ -537,5 +84,3 @@ long probe_kernel_read(void *dst, const void *src, size_t size)
+
+ return __probe_kernel_read(dst, src, size);
+ }
+-
+-#endif
+diff --git a/arch/parisc/mm/fault.c b/arch/parisc/mm/fault.c
+index 1a0b4f6..040c48f 100644
+--- a/arch/parisc/mm/fault.c
++++ b/arch/parisc/mm/fault.c
+@@ -149,6 +149,23 @@ int fixup_exception(struct pt_regs *regs)
+ d->fault_space = regs->isr;
+ d->fault_addr = regs->ior;
+
++ /*
++ * Fix up get_user() and put_user().
++ * ASM_EXCEPTIONTABLE_ENTRY_EFAULT() sets the least-significant
++ * bit in the relative address of the fixup routine to indicate
++ * that %r8 should be loaded with -EFAULT to report a userspace
++ * access error.
++ */
++ if (fix->fixup & 1) {
++ regs->gr[8] = -EFAULT;
++
++ /* zero target register for get_user() */
++ if (parisc_acctyp(0, regs->iir) == VM_READ) {
++ int treg = regs->iir & 0x1f;
++ regs->gr[treg] = 0;
++ }
++ }
++
+ regs->iaoq[0] = (unsigned long)&fix->fixup + fix->fixup;
+ regs->iaoq[0] &= ~3;
+ /*
+diff --git a/arch/x86/lib/memcpy_64.S b/arch/x86/lib/memcpy_64.S
+index 779782f..9a53a06 100644
+--- a/arch/x86/lib/memcpy_64.S
++++ b/arch/x86/lib/memcpy_64.S
+@@ -290,7 +290,7 @@ EXPORT_SYMBOL_GPL(memcpy_mcsafe_unrolled)
+ _ASM_EXTABLE_FAULT(.L_copy_leading_bytes, .L_memcpy_mcsafe_fail)
+ _ASM_EXTABLE_FAULT(.L_cache_w0, .L_memcpy_mcsafe_fail)
+ _ASM_EXTABLE_FAULT(.L_cache_w1, .L_memcpy_mcsafe_fail)
+- _ASM_EXTABLE_FAULT(.L_cache_w3, .L_memcpy_mcsafe_fail)
++ _ASM_EXTABLE_FAULT(.L_cache_w2, .L_memcpy_mcsafe_fail)
+ _ASM_EXTABLE_FAULT(.L_cache_w3, .L_memcpy_mcsafe_fail)
+ _ASM_EXTABLE_FAULT(.L_cache_w4, .L_memcpy_mcsafe_fail)
+ _ASM_EXTABLE_FAULT(.L_cache_w5, .L_memcpy_mcsafe_fail)
+diff --git a/arch/x86/mm/kaslr.c b/arch/x86/mm/kaslr.c
+index 887e571..aed2064 100644
+--- a/arch/x86/mm/kaslr.c
++++ b/arch/x86/mm/kaslr.c
+@@ -48,7 +48,7 @@ static const unsigned long vaddr_start = __PAGE_OFFSET_BASE;
+ #if defined(CONFIG_X86_ESPFIX64)
+ static const unsigned long vaddr_end = ESPFIX_BASE_ADDR;
+ #elif defined(CONFIG_EFI)
+-static const unsigned long vaddr_end = EFI_VA_START;
++static const unsigned long vaddr_end = EFI_VA_END;
+ #else
+ static const unsigned long vaddr_end = __START_KERNEL_map;
+ #endif
+@@ -105,7 +105,7 @@ void __init kernel_randomize_memory(void)
+ */
+ BUILD_BUG_ON(vaddr_start >= vaddr_end);
+ BUILD_BUG_ON(IS_ENABLED(CONFIG_X86_ESPFIX64) &&
+- vaddr_end >= EFI_VA_START);
++ vaddr_end >= EFI_VA_END);
+ BUILD_BUG_ON((IS_ENABLED(CONFIG_X86_ESPFIX64) ||
+ IS_ENABLED(CONFIG_EFI)) &&
+ vaddr_end >= __START_KERNEL_map);
+diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
+index f8960fc..9f21b0c 100644
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -713,10 +713,9 @@ static void __init xen_reserve_xen_mfnlist(void)
+ size = PFN_PHYS(xen_start_info->nr_p2m_frames);
+ }
+
+- if (!xen_is_e820_reserved(start, size)) {
+- memblock_reserve(start, size);
++ memblock_reserve(start, size);
++ if (!xen_is_e820_reserved(start, size))
+ return;
+- }
+
+ #ifdef CONFIG_X86_32
+ /*
+@@ -727,6 +726,7 @@ static void __init xen_reserve_xen_mfnlist(void)
+ BUG();
+ #else
+ xen_relocate_p2m();
++ memblock_free(start, size);
+ #endif
+ }
+
+diff --git a/block/bio.c b/block/bio.c
+index db85c57..655c901 100644
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -372,10 +372,14 @@ static void punt_bios_to_rescuer(struct bio_set *bs)
+ bio_list_init(&punt);
+ bio_list_init(&nopunt);
+
+- while ((bio = bio_list_pop(current->bio_list)))
++ while ((bio = bio_list_pop(&current->bio_list[0])))
+ bio_list_add(bio->bi_pool == bs ? &punt : &nopunt, bio);
++ current->bio_list[0] = nopunt;
+
+- *current->bio_list = nopunt;
++ bio_list_init(&nopunt);
++ while ((bio = bio_list_pop(&current->bio_list[1])))
++ bio_list_add(bio->bi_pool == bs ? &punt : &nopunt, bio);
++ current->bio_list[1] = nopunt;
+
+ spin_lock(&bs->rescue_lock);
+ bio_list_merge(&bs->rescue_list, &punt);
+@@ -462,7 +466,9 @@ struct bio *bio_alloc_bioset(gfp_t gfp_mask, int nr_iovecs, struct bio_set *bs)
+ * we retry with the original gfp_flags.
+ */
+
+- if (current->bio_list && !bio_list_empty(current->bio_list))
++ if (current->bio_list &&
++ (!bio_list_empty(&current->bio_list[0]) ||
++ !bio_list_empty(&current->bio_list[1])))
+ gfp_mask &= ~__GFP_DIRECT_RECLAIM;
+
+ p = mempool_alloc(bs->bio_pool, gfp_mask);
+diff --git a/block/blk-core.c b/block/blk-core.c
+index 14d7c07..d1f2801 100644
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -1994,7 +1994,14 @@ generic_make_request_checks(struct bio *bio)
+ */
+ blk_qc_t generic_make_request(struct bio *bio)
+ {
+- struct bio_list bio_list_on_stack;
++ /*
++ * bio_list_on_stack[0] contains bios submitted by the current
++ * make_request_fn.
++ * bio_list_on_stack[1] contains bios that were submitted before
++ * the current make_request_fn, but that haven't been processed
++ * yet.
++ */
++ struct bio_list bio_list_on_stack[2];
+ blk_qc_t ret = BLK_QC_T_NONE;
+
+ if (!generic_make_request_checks(bio))
+@@ -2011,7 +2018,7 @@ blk_qc_t generic_make_request(struct bio *bio)
+ * should be added at the tail
+ */
+ if (current->bio_list) {
+- bio_list_add(current->bio_list, bio);
++ bio_list_add(&current->bio_list[0], bio);
+ goto out;
+ }
+
+@@ -2030,23 +2037,39 @@ blk_qc_t generic_make_request(struct bio *bio)
+ * bio_list, and call into ->make_request() again.
+ */
+ BUG_ON(bio->bi_next);
+- bio_list_init(&bio_list_on_stack);
+- current->bio_list = &bio_list_on_stack;
++ bio_list_init(&bio_list_on_stack[0]);
++ current->bio_list = bio_list_on_stack;
+ do {
+ struct request_queue *q = bdev_get_queue(bio->bi_bdev);
+
+ if (likely(blk_queue_enter(q, false) == 0)) {
++ struct bio_list lower, same;
++
++ /* Create a fresh bio_list for all subordinate requests */
++ bio_list_on_stack[1] = bio_list_on_stack[0];
++ bio_list_init(&bio_list_on_stack[0]);
+ ret = q->make_request_fn(q, bio);
+
+ blk_queue_exit(q);
+
+- bio = bio_list_pop(current->bio_list);
++ /* sort new bios into those for a lower level
++ * and those for the same level
++ */
++ bio_list_init(&lower);
++ bio_list_init(&same);
++ while ((bio = bio_list_pop(&bio_list_on_stack[0])) != NULL)
++ if (q == bdev_get_queue(bio->bi_bdev))
++ bio_list_add(&same, bio);
++ else
++ bio_list_add(&lower, bio);
++ /* now assemble so we handle the lowest level first */
++ bio_list_merge(&bio_list_on_stack[0], &lower);
++ bio_list_merge(&bio_list_on_stack[0], &same);
++ bio_list_merge(&bio_list_on_stack[0], &bio_list_on_stack[1]);
+ } else {
+- struct bio *bio_next = bio_list_pop(current->bio_list);
+-
+ bio_io_error(bio);
+- bio = bio_next;
+ }
++ bio = bio_list_pop(&bio_list_on_stack[0]);
+ } while (bio);
+ current->bio_list = NULL; /* deactivate */
+
+diff --git a/drivers/acpi/Makefile b/drivers/acpi/Makefile
+index 9ed0878..4c5678c 100644
+--- a/drivers/acpi/Makefile
++++ b/drivers/acpi/Makefile
+@@ -2,7 +2,6 @@
+ # Makefile for the Linux ACPI interpreter
+ #
+
+-ccflags-y := -Os
+ ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT
+
+ #
+diff --git a/drivers/acpi/acpi_platform.c b/drivers/acpi/acpi_platform.c
+index b4c1a6a..03250e1 100644
+--- a/drivers/acpi/acpi_platform.c
++++ b/drivers/acpi/acpi_platform.c
+@@ -25,9 +25,11 @@
+ ACPI_MODULE_NAME("platform");
+
+ static const struct acpi_device_id forbidden_id_list[] = {
+- {"PNP0000", 0}, /* PIC */
+- {"PNP0100", 0}, /* Timer */
+- {"PNP0200", 0}, /* AT DMA Controller */
++ {"PNP0000", 0}, /* PIC */
++ {"PNP0100", 0}, /* Timer */
++ {"PNP0200", 0}, /* AT DMA Controller */
++ {"ACPI0009", 0}, /* IOxAPIC */
++ {"ACPI000A", 0}, /* IOAPIC */
+ {"", 0},
+ };
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+index b1254f8..b87d278 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+@@ -1299,6 +1299,8 @@ int etnaviv_gpu_submit(struct etnaviv_gpu *gpu,
+ goto out_pm_put;
+ }
+
++ mutex_lock(&gpu->lock);
++
+ fence = etnaviv_gpu_fence_alloc(gpu);
+ if (!fence) {
+ event_free(gpu, event);
+@@ -1306,8 +1308,6 @@ int etnaviv_gpu_submit(struct etnaviv_gpu *gpu,
+ goto out_pm_put;
+ }
+
+- mutex_lock(&gpu->lock);
+-
+ gpu->event[event].fence = fence;
+ submit->fence = fence->seqno;
+ gpu->active_fence = submit->fence;
+diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c
+index 3de5e6e..4ce04e0 100644
+--- a/drivers/gpu/drm/radeon/radeon_ttm.c
++++ b/drivers/gpu/drm/radeon/radeon_ttm.c
+@@ -213,8 +213,8 @@ static void radeon_evict_flags(struct ttm_buffer_object *bo,
+ rbo->placement.num_busy_placement = 0;
+ for (i = 0; i < rbo->placement.num_placement; i++) {
+ if (rbo->placements[i].flags & TTM_PL_FLAG_VRAM) {
+- if (rbo->placements[0].fpfn < fpfn)
+- rbo->placements[0].fpfn = fpfn;
++ if (rbo->placements[i].fpfn < fpfn)
++ rbo->placements[i].fpfn = fpfn;
+ } else {
+ rbo->placement.busy_placement =
+ &rbo->placements[i];
+diff --git a/drivers/gpu/drm/vc4/vc4_crtc.c b/drivers/gpu/drm/vc4/vc4_crtc.c
+index 7aadce1..c7e6c98 100644
+--- a/drivers/gpu/drm/vc4/vc4_crtc.c
++++ b/drivers/gpu/drm/vc4/vc4_crtc.c
+@@ -842,6 +842,17 @@ static void vc4_crtc_destroy_state(struct drm_crtc *crtc,
+ drm_atomic_helper_crtc_destroy_state(crtc, state);
+ }
+
++static void
++vc4_crtc_reset(struct drm_crtc *crtc)
++{
++ if (crtc->state)
++ __drm_atomic_helper_crtc_destroy_state(crtc->state);
++
++ crtc->state = kzalloc(sizeof(struct vc4_crtc_state), GFP_KERNEL);
++ if (crtc->state)
++ crtc->state->crtc = crtc;
++}
++
+ static const struct drm_crtc_funcs vc4_crtc_funcs = {
+ .set_config = drm_atomic_helper_set_config,
+ .destroy = vc4_crtc_destroy,
+@@ -849,7 +860,7 @@ static const struct drm_crtc_funcs vc4_crtc_funcs = {
+ .set_property = NULL,
+ .cursor_set = NULL, /* handled by drm_mode_cursor_universal */
+ .cursor_move = NULL, /* handled by drm_mode_cursor_universal */
+- .reset = drm_atomic_helper_crtc_reset,
++ .reset = vc4_crtc_reset,
+ .atomic_duplicate_state = vc4_crtc_duplicate_state,
+ .atomic_destroy_state = vc4_crtc_destroy_state,
+ .gamma_set = vc4_crtc_gamma_set,
+diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
+index 5e7a564..0c535d0 100644
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -2017,6 +2017,14 @@ static int wacom_parse_and_register(struct wacom *wacom, bool wireless)
+
+ wacom_update_name(wacom, wireless ? " (WL)" : "");
+
++ /* pen only Bamboo neither support touch nor pad */
++ if ((features->type == BAMBOO_PEN) &&
++ ((features->device_type & WACOM_DEVICETYPE_TOUCH) ||
++ (features->device_type & WACOM_DEVICETYPE_PAD))) {
++ error = -ENODEV;
++ goto fail;
++ }
++
+ error = wacom_add_shared_data(hdev);
+ if (error)
+ goto fail;
+@@ -2064,14 +2072,6 @@ static int wacom_parse_and_register(struct wacom *wacom, bool wireless)
+ goto fail_quirks;
+ }
+
+- /* pen only Bamboo neither support touch nor pad */
+- if ((features->type == BAMBOO_PEN) &&
+- ((features->device_type & WACOM_DEVICETYPE_TOUCH) ||
+- (features->device_type & WACOM_DEVICETYPE_PAD))) {
+- error = -ENODEV;
+- goto fail_quirks;
+- }
+-
+ if (features->device_type & WACOM_DEVICETYPE_WL_MONITOR)
+ error = hid_hw_open(hdev);
+
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 628ba00..e66f404 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -986,26 +986,29 @@ static void flush_current_bio_list(struct blk_plug_cb *cb, bool from_schedule)
+ struct dm_offload *o = container_of(cb, struct dm_offload, cb);
+ struct bio_list list;
+ struct bio *bio;
++ int i;
+
+ INIT_LIST_HEAD(&o->cb.list);
+
+ if (unlikely(!current->bio_list))
+ return;
+
+- list = *current->bio_list;
+- bio_list_init(current->bio_list);
+-
+- while ((bio = bio_list_pop(&list))) {
+- struct bio_set *bs = bio->bi_pool;
+- if (unlikely(!bs) || bs == fs_bio_set) {
+- bio_list_add(current->bio_list, bio);
+- continue;
++ for (i = 0; i < 2; i++) {
++ list = current->bio_list[i];
++ bio_list_init(&current->bio_list[i]);
++
++ while ((bio = bio_list_pop(&list))) {
++ struct bio_set *bs = bio->bi_pool;
++ if (unlikely(!bs) || bs == fs_bio_set) {
++ bio_list_add(&current->bio_list[i], bio);
++ continue;
++ }
++
++ spin_lock(&bs->rescue_lock);
++ bio_list_add(&bs->rescue_list, bio);
++ queue_work(bs->rescue_workqueue, &bs->rescue_work);
++ spin_unlock(&bs->rescue_lock);
+ }
+-
+- spin_lock(&bs->rescue_lock);
+- bio_list_add(&bs->rescue_list, bio);
+- queue_work(bs->rescue_workqueue, &bs->rescue_work);
+- spin_unlock(&bs->rescue_lock);
+ }
+ }
+
+diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
+index 55b5e0e..4c4aab0 100644
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -941,7 +941,8 @@ static void wait_barrier(struct r10conf *conf)
+ !conf->barrier ||
+ (atomic_read(&conf->nr_pending) &&
+ current->bio_list &&
+- !bio_list_empty(current->bio_list)),
++ (!bio_list_empty(&current->bio_list[0]) ||
++ !bio_list_empty(&current->bio_list[1]))),
+ conf->resync_lock);
+ conf->nr_waiting--;
+ if (!conf->nr_waiting)
+diff --git a/drivers/mmc/host/sdhci-of-at91.c b/drivers/mmc/host/sdhci-of-at91.c
+index 387ae1c..a8b430f 100644
+--- a/drivers/mmc/host/sdhci-of-at91.c
++++ b/drivers/mmc/host/sdhci-of-at91.c
+@@ -29,6 +29,8 @@
+
+ #include "sdhci-pltfm.h"
+
++#define SDMMC_MC1R 0x204
++#define SDMMC_MC1R_DDR BIT(3)
+ #define SDMMC_CACR 0x230
+ #define SDMMC_CACR_CAPWREN BIT(0)
+ #define SDMMC_CACR_KEY (0x46 << 8)
+@@ -103,11 +105,18 @@ static void sdhci_at91_set_power(struct sdhci_host *host, unsigned char mode,
+ sdhci_set_power_noreg(host, mode, vdd);
+ }
+
++void sdhci_at91_set_uhs_signaling(struct sdhci_host *host, unsigned int timing)
++{
++ if (timing == MMC_TIMING_MMC_DDR52)
++ sdhci_writeb(host, SDMMC_MC1R_DDR, SDMMC_MC1R);
++ sdhci_set_uhs_signaling(host, timing);
++}
++
+ static const struct sdhci_ops sdhci_at91_sama5d2_ops = {
+ .set_clock = sdhci_at91_set_clock,
+ .set_bus_width = sdhci_set_bus_width,
+ .reset = sdhci_reset,
+- .set_uhs_signaling = sdhci_set_uhs_signaling,
++ .set_uhs_signaling = sdhci_at91_set_uhs_signaling,
+ .set_power = sdhci_at91_set_power,
+ };
+
+diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c
+index a983ba0..7d275e7 100644
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -1823,6 +1823,9 @@ static void sdhci_enable_sdio_irq(struct mmc_host *mmc, int enable)
+ struct sdhci_host *host = mmc_priv(mmc);
+ unsigned long flags;
+
++ if (enable)
++ pm_runtime_get_noresume(host->mmc->parent);
++
+ spin_lock_irqsave(&host->lock, flags);
+ if (enable)
+ host->flags |= SDHCI_SDIO_IRQ_ENABLED;
+@@ -1831,6 +1834,9 @@ static void sdhci_enable_sdio_irq(struct mmc_host *mmc, int enable)
+
+ sdhci_enable_sdio_irq_nolock(host, enable);
+ spin_unlock_irqrestore(&host->lock, flags);
++
++ if (!enable)
++ pm_runtime_put_noidle(host->mmc->parent);
+ }
+
+ static int sdhci_start_signal_voltage_switch(struct mmc_host *mmc,
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index da10b48..bde769b 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2057,9 +2057,9 @@ void nvme_kill_queues(struct nvme_ctrl *ctrl)
+ * Revalidating a dead namespace sets capacity to 0. This will
+ * end buffered writers dirtying pages that can't be synced.
+ */
+- if (ns->disk && !test_and_set_bit(NVME_NS_DEAD, &ns->flags))
+- revalidate_disk(ns->disk);
+-
++ if (!ns->disk || test_and_set_bit(NVME_NS_DEAD, &ns->flags))
++ continue;
++ revalidate_disk(ns->disk);
+ blk_set_queue_dying(ns->queue);
+ blk_mq_abort_requeue_list(ns->queue);
+ blk_mq_start_stopped_hw_queues(ns->queue, true);
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 5e52034..8a9c186 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1983,8 +1983,10 @@ static void nvme_remove(struct pci_dev *pdev)
+
+ pci_set_drvdata(pdev, NULL);
+
+- if (!pci_device_is_present(pdev))
++ if (!pci_device_is_present(pdev)) {
+ nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DEAD);
++ nvme_dev_disable(dev, false);
++ }
+
+ flush_work(&dev->reset_work);
+ nvme_uninit_ctrl(&dev->ctrl);
+diff --git a/drivers/pci/host/pcie-iproc-bcma.c b/drivers/pci/host/pcie-iproc-bcma.c
+index 8ce0890..46ca8ed 100644
+--- a/drivers/pci/host/pcie-iproc-bcma.c
++++ b/drivers/pci/host/pcie-iproc-bcma.c
+@@ -44,8 +44,7 @@ static int iproc_pcie_bcma_probe(struct bcma_device *bdev)
+ {
+ struct device *dev = &bdev->dev;
+ struct iproc_pcie *pcie;
+- LIST_HEAD(res);
+- struct resource res_mem;
++ LIST_HEAD(resources);
+ int ret;
+
+ pcie = devm_kzalloc(dev, sizeof(*pcie), GFP_KERNEL);
+@@ -62,22 +61,23 @@ static int iproc_pcie_bcma_probe(struct bcma_device *bdev)
+
+ pcie->base_addr = bdev->addr;
+
+- res_mem.start = bdev->addr_s[0];
+- res_mem.end = bdev->addr_s[0] + SZ_128M - 1;
+- res_mem.name = "PCIe MEM space";
+- res_mem.flags = IORESOURCE_MEM;
+- pci_add_resource(&res, &res_mem);
++ pcie->mem.start = bdev->addr_s[0];
++ pcie->mem.end = bdev->addr_s[0] + SZ_128M - 1;
++ pcie->mem.name = "PCIe MEM space";
++ pcie->mem.flags = IORESOURCE_MEM;
++ pci_add_resource(&resources, &pcie->mem);
+
+ pcie->map_irq = iproc_pcie_bcma_map_irq;
+
+- ret = iproc_pcie_setup(pcie, &res);
+- if (ret)
++ ret = iproc_pcie_setup(pcie, &resources);
++ if (ret) {
+ dev_err(dev, "PCIe controller setup failed\n");
+-
+- pci_free_resource_list(&res);
++ pci_free_resource_list(&resources);
++ return ret;
++ }
+
+ bcma_set_drvdata(bdev, pcie);
+- return ret;
++ return 0;
+ }
+
+ static void iproc_pcie_bcma_remove(struct bcma_device *bdev)
+diff --git a/drivers/pci/host/pcie-iproc-platform.c b/drivers/pci/host/pcie-iproc-platform.c
+index a3de087..7dcaddc 100644
+--- a/drivers/pci/host/pcie-iproc-platform.c
++++ b/drivers/pci/host/pcie-iproc-platform.c
+@@ -46,7 +46,7 @@ static int iproc_pcie_pltfm_probe(struct platform_device *pdev)
+ struct device_node *np = dev->of_node;
+ struct resource reg;
+ resource_size_t iobase = 0;
+- LIST_HEAD(res);
++ LIST_HEAD(resources);
+ int ret;
+
+ of_id = of_match_device(iproc_pcie_of_match_table, dev);
+@@ -108,23 +108,24 @@ static int iproc_pcie_pltfm_probe(struct platform_device *pdev)
+ pcie->phy = NULL;
+ }
+
+- ret = of_pci_get_host_bridge_resources(np, 0, 0xff, &res, &iobase);
++ ret = of_pci_get_host_bridge_resources(np, 0, 0xff, &resources,
++ &iobase);
+ if (ret) {
+- dev_err(dev,
+- "unable to get PCI host bridge resources\n");
++ dev_err(dev, "unable to get PCI host bridge resources\n");
+ return ret;
+ }
+
+ pcie->map_irq = of_irq_parse_and_map_pci;
+
+- ret = iproc_pcie_setup(pcie, &res);
+- if (ret)
++ ret = iproc_pcie_setup(pcie, &resources);
++ if (ret) {
+ dev_err(dev, "PCIe controller setup failed\n");
+-
+- pci_free_resource_list(&res);
++ pci_free_resource_list(&resources);
++ return ret;
++ }
+
+ platform_set_drvdata(pdev, pcie);
+- return ret;
++ return 0;
+ }
+
+ static int iproc_pcie_pltfm_remove(struct platform_device *pdev)
+diff --git a/drivers/pci/host/pcie-iproc.h b/drivers/pci/host/pcie-iproc.h
+index e84d93c..fa42267 100644
+--- a/drivers/pci/host/pcie-iproc.h
++++ b/drivers/pci/host/pcie-iproc.h
+@@ -68,6 +68,7 @@ struct iproc_pcie {
+ #ifdef CONFIG_ARM
+ struct pci_sys_data sysdata;
+ #endif
++ struct resource mem;
+ struct pci_bus *root_bus;
+ struct phy *phy;
+ int (*map_irq)(const struct pci_dev *, u8, u8);
+diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c
+index 7bb2068..d314579 100644
+--- a/drivers/scsi/device_handler/scsi_dh_alua.c
++++ b/drivers/scsi/device_handler/scsi_dh_alua.c
+@@ -113,7 +113,7 @@ struct alua_queue_data {
+ #define ALUA_POLICY_SWITCH_ALL 1
+
+ static void alua_rtpg_work(struct work_struct *work);
+-static void alua_rtpg_queue(struct alua_port_group *pg,
++static bool alua_rtpg_queue(struct alua_port_group *pg,
+ struct scsi_device *sdev,
+ struct alua_queue_data *qdata, bool force);
+ static void alua_check(struct scsi_device *sdev, bool force);
+@@ -862,7 +862,13 @@ static void alua_rtpg_work(struct work_struct *work)
+ kref_put(&pg->kref, release_port_group);
+ }
+
+-static void alua_rtpg_queue(struct alua_port_group *pg,
++/**
++ * alua_rtpg_queue() - cause RTPG to be submitted asynchronously
++ *
++ * Returns true if and only if alua_rtpg_work() will be called asynchronously.
++ * That function is responsible for calling @qdata->fn().
++ */
++static bool alua_rtpg_queue(struct alua_port_group *pg,
+ struct scsi_device *sdev,
+ struct alua_queue_data *qdata, bool force)
+ {
+@@ -870,8 +876,8 @@ static void alua_rtpg_queue(struct alua_port_group *pg,
+ unsigned long flags;
+ struct workqueue_struct *alua_wq = kaluad_wq;
+
+- if (!pg)
+- return;
++ if (!pg || scsi_device_get(sdev))
++ return false;
+
+ spin_lock_irqsave(&pg->lock, flags);
+ if (qdata) {
+@@ -884,14 +890,12 @@ static void alua_rtpg_queue(struct alua_port_group *pg,
+ pg->flags |= ALUA_PG_RUN_RTPG;
+ kref_get(&pg->kref);
+ pg->rtpg_sdev = sdev;
+- scsi_device_get(sdev);
+ start_queue = 1;
+ } else if (!(pg->flags & ALUA_PG_RUN_RTPG) && force) {
+ pg->flags |= ALUA_PG_RUN_RTPG;
+ /* Do not queue if the worker is already running */
+ if (!(pg->flags & ALUA_PG_RUNNING)) {
+ kref_get(&pg->kref);
+- sdev = NULL;
+ start_queue = 1;
+ }
+ }
+@@ -900,13 +904,17 @@ static void alua_rtpg_queue(struct alua_port_group *pg,
+ alua_wq = kaluad_sync_wq;
+ spin_unlock_irqrestore(&pg->lock, flags);
+
+- if (start_queue &&
+- !queue_delayed_work(alua_wq, &pg->rtpg_work,
+- msecs_to_jiffies(ALUA_RTPG_DELAY_MSECS))) {
+- if (sdev)
+- scsi_device_put(sdev);
+- kref_put(&pg->kref, release_port_group);
++ if (start_queue) {
++ if (queue_delayed_work(alua_wq, &pg->rtpg_work,
++ msecs_to_jiffies(ALUA_RTPG_DELAY_MSECS)))
++ sdev = NULL;
++ else
++ kref_put(&pg->kref, release_port_group);
+ }
++ if (sdev)
++ scsi_device_put(sdev);
++
++ return true;
+ }
+
+ /*
+@@ -1007,11 +1015,13 @@ static int alua_activate(struct scsi_device *sdev,
+ mutex_unlock(&h->init_mutex);
+ goto out;
+ }
+- fn = NULL;
+ rcu_read_unlock();
+ mutex_unlock(&h->init_mutex);
+
+- alua_rtpg_queue(pg, sdev, qdata, true);
++ if (alua_rtpg_queue(pg, sdev, qdata, true))
++ fn = NULL;
++ else
++ err = SCSI_DH_DEV_OFFLINED;
+ kref_put(&pg->kref, release_port_group);
+ out:
+ if (fn)
+diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c
+index 763f012..87f5e694 100644
+--- a/drivers/scsi/libsas/sas_ata.c
++++ b/drivers/scsi/libsas/sas_ata.c
+@@ -221,7 +221,7 @@ static unsigned int sas_ata_qc_issue(struct ata_queued_cmd *qc)
+ task->num_scatter = qc->n_elem;
+ } else {
+ for_each_sg(qc->sg, sg, qc->n_elem, si)
+- xfer += sg->length;
++ xfer += sg_dma_len(sg);
+
+ task->total_xfer_len = xfer;
+ task->num_scatter = si;
+diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
+index fe7469c..ad33238 100644
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -2153,8 +2153,6 @@ qla24xx_vport_delete(struct fc_vport *fc_vport)
+ "Timer for the VP[%d] has stopped\n", vha->vp_idx);
+ }
+
+- BUG_ON(atomic_read(&vha->vref_count));
+-
+ qla2x00_free_fcports(vha);
+
+ mutex_lock(&ha->vport_lock);
+diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
+index 73b12e4..8e63a7b 100644
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -3742,6 +3742,7 @@ typedef struct scsi_qla_host {
+ struct qla8044_reset_template reset_tmplt;
+ struct qla_tgt_counters tgt_counters;
+ uint16_t bbcr;
++ wait_queue_head_t vref_waitq;
+ } scsi_qla_host_t;
+
+ struct qla27xx_image_status {
+@@ -3780,6 +3781,7 @@ struct qla_tgt_vp_map {
+ mb(); \
+ if (__vha->flags.delete_progress) { \
+ atomic_dec(&__vha->vref_count); \
++ wake_up(&__vha->vref_waitq); \
+ __bail = 1; \
+ } else { \
+ __bail = 0; \
+@@ -3788,6 +3790,7 @@ struct qla_tgt_vp_map {
+
+ #define QLA_VHA_MARK_NOT_BUSY(__vha) do { \
+ atomic_dec(&__vha->vref_count); \
++ wake_up(&__vha->vref_waitq); \
+ } while (0)
+
+ /*
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index 5b09296..8f12f6b 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -4356,6 +4356,7 @@ qla2x00_update_fcports(scsi_qla_host_t *base_vha)
+ }
+ }
+ atomic_dec(&vha->vref_count);
++ wake_up(&vha->vref_waitq);
+ }
+ spin_unlock_irqrestore(&ha->vport_slock, flags);
+ }
+diff --git a/drivers/scsi/qla2xxx/qla_mid.c b/drivers/scsi/qla2xxx/qla_mid.c
+index cf7ba52..3dfb54a 100644
+--- a/drivers/scsi/qla2xxx/qla_mid.c
++++ b/drivers/scsi/qla2xxx/qla_mid.c
+@@ -74,13 +74,14 @@ qla24xx_deallocate_vp_id(scsi_qla_host_t *vha)
+ * ensures no active vp_list traversal while the vport is removed
+ * from the queue)
+ */
+- spin_lock_irqsave(&ha->vport_slock, flags);
+- while (atomic_read(&vha->vref_count)) {
+- spin_unlock_irqrestore(&ha->vport_slock, flags);
+-
+- msleep(500);
++ wait_event_timeout(vha->vref_waitq, atomic_read(&vha->vref_count),
++ 10*HZ);
+
+- spin_lock_irqsave(&ha->vport_slock, flags);
++ spin_lock_irqsave(&ha->vport_slock, flags);
++ if (atomic_read(&vha->vref_count)) {
++ ql_dbg(ql_dbg_vport, vha, 0xfffa,
++ "vha->vref_count=%u timeout\n", vha->vref_count.counter);
++ vha->vref_count = (atomic_t)ATOMIC_INIT(0);
+ }
+ list_del(&vha->list);
+ qlt_update_vp_map(vha, RESET_VP_IDX);
+@@ -269,6 +270,7 @@ qla2x00_alert_all_vps(struct rsp_que *rsp, uint16_t *mb)
+
+ spin_lock_irqsave(&ha->vport_slock, flags);
+ atomic_dec(&vha->vref_count);
++ wake_up(&vha->vref_waitq);
+ }
+ i++;
+ }
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index bea819e..4f361d8 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -4045,6 +4045,7 @@ struct scsi_qla_host *qla2x00_create_host(struct scsi_host_template *sht,
+
+ spin_lock_init(&vha->work_lock);
+ spin_lock_init(&vha->cmd_list_lock);
++ init_waitqueue_head(&vha->vref_waitq);
+
+ sprintf(vha->host_str, "%s_%ld", QLA2XXX_DRIVER_NAME, vha->host_no);
+ ql_dbg(ql_dbg_init, vha, 0x0041,
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index 121de0a..f753df2 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -998,6 +998,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
+ result = get_user(val, ip);
+ if (result)
+ return result;
++ if (val > SG_MAX_CDB_SIZE)
++ return -ENOMEM;
+ sfp->next_cmd_len = (val > 0) ? val : 0;
+ return 0;
+ case SG_GET_VERSION_NUM:
+diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c
+index fabbe76..4d079cd 100644
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -1938,6 +1938,11 @@ static void atmel_flush_buffer(struct uart_port *port)
+ atmel_uart_writel(port, ATMEL_PDC_TCR, 0);
+ atmel_port->pdc_tx.ofs = 0;
+ }
++ /*
++ * in uart_flush_buffer(), the xmit circular buffer has just
++ * been cleared, so we have to reset tx_len accordingly.
++ */
++ atmel_port->tx_len = 0;
+ }
+
+ /*
+@@ -2471,6 +2476,9 @@ static void atmel_console_write(struct console *co, const char *s, u_int count)
+ pdc_tx = atmel_uart_readl(port, ATMEL_PDC_PTSR) & ATMEL_PDC_TXTEN;
+ atmel_uart_writel(port, ATMEL_PDC_PTCR, ATMEL_PDC_TXTDIS);
+
++ /* Make sure that tx path is actually able to send characters */
++ atmel_uart_writel(port, ATMEL_US_CR, ATMEL_US_TXEN);
++
+ uart_console_write(port, s, count, atmel_console_putchar);
+
+ /*
+diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c
+index 770454e..07390f8 100644
+--- a/drivers/tty/serial/mxs-auart.c
++++ b/drivers/tty/serial/mxs-auart.c
+@@ -1085,7 +1085,7 @@ static void mxs_auart_settermios(struct uart_port *u,
+ AUART_LINECTRL_BAUD_DIV_MAX);
+ baud_max = u->uartclk * 32 / AUART_LINECTRL_BAUD_DIV_MIN;
+ baud = uart_get_baud_rate(u, termios, old, baud_min, baud_max);
+- div = u->uartclk * 32 / baud;
++ div = DIV_ROUND_CLOSEST(u->uartclk * 32, baud);
+ }
+
+ ctrl |= AUART_LINECTRL_BAUD_DIVFRAC(div & 0x3F);
+diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
+index 479e223..f029aad 100644
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -520,8 +520,10 @@ static int rh_call_control (struct usb_hcd *hcd, struct urb *urb)
+ */
+ tbuf_size = max_t(u16, sizeof(struct usb_hub_descriptor), wLength);
+ tbuf = kzalloc(tbuf_size, GFP_KERNEL);
+- if (!tbuf)
+- return -ENOMEM;
++ if (!tbuf) {
++ status = -ENOMEM;
++ goto err_alloc;
++ }
+
+ bufp = tbuf;
+
+@@ -734,6 +736,7 @@ static int rh_call_control (struct usb_hcd *hcd, struct urb *urb)
+ }
+
+ kfree(tbuf);
++ err_alloc:
+
+ /* any errors get returned through the urb completion */
+ spin_lock_irq(&hcd_root_hub_lock);
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 1536aeb..4e894d3 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -2532,17 +2532,14 @@ static void nfs41_check_delegation_stateid(struct nfs4_state *state)
+ }
+
+ nfs4_stateid_copy(&stateid, &delegation->stateid);
+- if (test_bit(NFS_DELEGATION_REVOKED, &delegation->flags)) {
++ if (test_bit(NFS_DELEGATION_REVOKED, &delegation->flags) ||
++ !test_and_clear_bit(NFS_DELEGATION_TEST_EXPIRED,
++ &delegation->flags)) {
+ rcu_read_unlock();
+ nfs_finish_clear_delegation_stateid(state, &stateid);
+ return;
+ }
+
+- if (!test_and_clear_bit(NFS_DELEGATION_TEST_EXPIRED, &delegation->flags)) {
+- rcu_read_unlock();
+- return;
+- }
+-
+ cred = get_rpccred(delegation->cred);
+ rcu_read_unlock();
+ status = nfs41_test_and_free_expired_stateid(server, &stateid, cred);
+diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c
+index 010aff5..536009e 100644
+--- a/fs/nfsd/nfsproc.c
++++ b/fs/nfsd/nfsproc.c
+@@ -790,6 +790,7 @@ nfserrno (int errno)
+ { nfserr_serverfault, -ESERVERFAULT },
+ { nfserr_serverfault, -ENFILE },
+ { nfserr_io, -EUCLEAN },
++ { nfserr_perm, -ENOKEY },
+ };
+ int i;
+
+diff --git a/fs/xfs/libxfs/xfs_ag_resv.c b/fs/xfs/libxfs/xfs_ag_resv.c
+index d346d42..33db69b 100644
+--- a/fs/xfs/libxfs/xfs_ag_resv.c
++++ b/fs/xfs/libxfs/xfs_ag_resv.c
+@@ -39,6 +39,7 @@
+ #include "xfs_rmap_btree.h"
+ #include "xfs_btree.h"
+ #include "xfs_refcount_btree.h"
++#include "xfs_ialloc_btree.h"
+
+ /*
+ * Per-AG Block Reservations
+@@ -200,22 +201,30 @@ __xfs_ag_resv_init(
+ struct xfs_mount *mp = pag->pag_mount;
+ struct xfs_ag_resv *resv;
+ int error;
++ xfs_extlen_t reserved;
+
+- resv = xfs_perag_resv(pag, type);
+ if (used > ask)
+ ask = used;
+- resv->ar_asked = ask;
+- resv->ar_reserved = resv->ar_orig_reserved = ask - used;
+- mp->m_ag_max_usable -= ask;
++ reserved = ask - used;
+
+- trace_xfs_ag_resv_init(pag, type, ask);
+-
+- error = xfs_mod_fdblocks(mp, -(int64_t)resv->ar_reserved, true);
+- if (error)
++ error = xfs_mod_fdblocks(mp, -(int64_t)reserved, true);
++ if (error) {
+ trace_xfs_ag_resv_init_error(pag->pag_mount, pag->pag_agno,
+ error, _RET_IP_);
++ xfs_warn(mp,
++"Per-AG reservation for AG %u failed. Filesystem may run out of space.",
++ pag->pag_agno);
++ return error;
++ }
+
+- return error;
++ mp->m_ag_max_usable -= ask;
++
++ resv = xfs_perag_resv(pag, type);
++ resv->ar_asked = ask;
++ resv->ar_reserved = resv->ar_orig_reserved = reserved;
++
++ trace_xfs_ag_resv_init(pag, type, ask);
++ return 0;
+ }
+
+ /* Create a per-AG block reservation. */
+@@ -223,6 +232,8 @@ int
+ xfs_ag_resv_init(
+ struct xfs_perag *pag)
+ {
++ struct xfs_mount *mp = pag->pag_mount;
++ xfs_agnumber_t agno = pag->pag_agno;
+ xfs_extlen_t ask;
+ xfs_extlen_t used;
+ int error = 0;
+@@ -231,23 +242,45 @@ xfs_ag_resv_init(
+ if (pag->pag_meta_resv.ar_asked == 0) {
+ ask = used = 0;
+
+- error = xfs_refcountbt_calc_reserves(pag->pag_mount,
+- pag->pag_agno, &ask, &used);
++ error = xfs_refcountbt_calc_reserves(mp, agno, &ask, &used);
+ if (error)
+ goto out;
+
+- error = __xfs_ag_resv_init(pag, XFS_AG_RESV_METADATA,
+- ask, used);
++ error = xfs_finobt_calc_reserves(mp, agno, &ask, &used);
+ if (error)
+ goto out;
++
++ error = __xfs_ag_resv_init(pag, XFS_AG_RESV_METADATA,
++ ask, used);
++ if (error) {
++ /*
++ * Because we didn't have per-AG reservations when the
++ * finobt feature was added we might not be able to
++ * reserve all needed blocks. Warn and fall back to the
++ * old and potentially buggy code in that case, but
++ * ensure we do have the reservation for the refcountbt.
++ */
++ ask = used = 0;
++
++ mp->m_inotbt_nores = true;
++
++ error = xfs_refcountbt_calc_reserves(mp, agno, &ask,
++ &used);
++ if (error)
++ goto out;
++
++ error = __xfs_ag_resv_init(pag, XFS_AG_RESV_METADATA,
++ ask, used);
++ if (error)
++ goto out;
++ }
+ }
+
+ /* Create the AGFL metadata reservation */
+ if (pag->pag_agfl_resv.ar_asked == 0) {
+ ask = used = 0;
+
+- error = xfs_rmapbt_calc_reserves(pag->pag_mount, pag->pag_agno,
+- &ask, &used);
++ error = xfs_rmapbt_calc_reserves(mp, agno, &ask, &used);
+ if (error)
+ goto out;
+
+@@ -256,9 +289,16 @@ xfs_ag_resv_init(
+ goto out;
+ }
+
++#ifdef DEBUG
++ /* need to read in the AGF for the ASSERT below to work */
++ error = xfs_alloc_pagf_init(pag->pag_mount, NULL, pag->pag_agno, 0);
++ if (error)
++ return error;
++
+ ASSERT(xfs_perag_resv(pag, XFS_AG_RESV_METADATA)->ar_reserved +
+ xfs_perag_resv(pag, XFS_AG_RESV_AGFL)->ar_reserved <=
+ pag->pagf_freeblks + pag->pagf_flcount);
++#endif
+ out:
+ return error;
+ }
+diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
+index f52fd63..5a508b0 100644
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -769,8 +769,8 @@ xfs_bmap_extents_to_btree(
+ args.type = XFS_ALLOCTYPE_START_BNO;
+ args.fsbno = XFS_INO_TO_FSB(mp, ip->i_ino);
+ } else if (dfops->dop_low) {
+-try_another_ag:
+ args.type = XFS_ALLOCTYPE_START_BNO;
++try_another_ag:
+ args.fsbno = *firstblock;
+ } else {
+ args.type = XFS_ALLOCTYPE_NEAR_BNO;
+@@ -796,17 +796,19 @@ xfs_bmap_extents_to_btree(
+ if (xfs_sb_version_hasreflink(&cur->bc_mp->m_sb) &&
+ args.fsbno == NULLFSBLOCK &&
+ args.type == XFS_ALLOCTYPE_NEAR_BNO) {
+- dfops->dop_low = true;
++ args.type = XFS_ALLOCTYPE_FIRST_AG;
+ goto try_another_ag;
+ }
++ if (WARN_ON_ONCE(args.fsbno == NULLFSBLOCK)) {
++ xfs_iroot_realloc(ip, -1, whichfork);
++ xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
++ return -ENOSPC;
++ }
+ /*
+ * Allocation can't fail, the space was reserved.
+ */
+- ASSERT(args.fsbno != NULLFSBLOCK);
+ ASSERT(*firstblock == NULLFSBLOCK ||
+- args.agno == XFS_FSB_TO_AGNO(mp, *firstblock) ||
+- (dfops->dop_low &&
+- args.agno > XFS_FSB_TO_AGNO(mp, *firstblock)));
++ args.agno >= XFS_FSB_TO_AGNO(mp, *firstblock));
+ *firstblock = cur->bc_private.b.firstblock = args.fsbno;
+ cur->bc_private.b.allocated++;
+ ip->i_d.di_nblocks++;
+@@ -1278,7 +1280,6 @@ xfs_bmap_read_extents(
+ /* REFERENCED */
+ xfs_extnum_t room; /* number of entries there's room for */
+
+- bno = NULLFSBLOCK;
+ mp = ip->i_mount;
+ ifp = XFS_IFORK_PTR(ip, whichfork);
+ exntf = (whichfork != XFS_DATA_FORK) ? XFS_EXTFMT_NOSTATE :
+@@ -1291,9 +1292,7 @@ xfs_bmap_read_extents(
+ ASSERT(level > 0);
+ pp = XFS_BMAP_BROOT_PTR_ADDR(mp, block, 1, ifp->if_broot_bytes);
+ bno = be64_to_cpu(*pp);
+- ASSERT(bno != NULLFSBLOCK);
+- ASSERT(XFS_FSB_TO_AGNO(mp, bno) < mp->m_sb.sb_agcount);
+- ASSERT(XFS_FSB_TO_AGBNO(mp, bno) < mp->m_sb.sb_agblocks);
++
+ /*
+ * Go down the tree until leaf level is reached, following the first
+ * pointer (leftmost) at each level.
+@@ -1955,6 +1954,7 @@ xfs_bmap_add_extent_delay_real(
+ */
+ trace_xfs_bmap_pre_update(bma->ip, bma->idx, state, _THIS_IP_);
+ xfs_bmbt_set_startblock(ep, new->br_startblock);
++ xfs_bmbt_set_state(ep, new->br_state);
+ trace_xfs_bmap_post_update(bma->ip, bma->idx, state, _THIS_IP_);
+
+ (*nextents)++;
+@@ -2293,6 +2293,7 @@ STATIC int /* error */
+ xfs_bmap_add_extent_unwritten_real(
+ struct xfs_trans *tp,
+ xfs_inode_t *ip, /* incore inode pointer */
++ int whichfork,
+ xfs_extnum_t *idx, /* extent number to update/insert */
+ xfs_btree_cur_t **curp, /* if *curp is null, not a btree */
+ xfs_bmbt_irec_t *new, /* new data to add to file extents */
+@@ -2312,12 +2313,14 @@ xfs_bmap_add_extent_unwritten_real(
+ /* left is 0, right is 1, prev is 2 */
+ int rval=0; /* return value (logging flags) */
+ int state = 0;/* state bits, accessed thru macros */
+- struct xfs_mount *mp = tp->t_mountp;
++ struct xfs_mount *mp = ip->i_mount;
+
+ *logflagsp = 0;
+
+ cur = *curp;
+- ifp = XFS_IFORK_PTR(ip, XFS_DATA_FORK);
++ ifp = XFS_IFORK_PTR(ip, whichfork);
++ if (whichfork == XFS_COW_FORK)
++ state |= BMAP_COWFORK;
+
+ ASSERT(*idx >= 0);
+ ASSERT(*idx <= xfs_iext_count(ifp));
+@@ -2376,7 +2379,7 @@ xfs_bmap_add_extent_unwritten_real(
+ * Don't set contiguous if the combined extent would be too large.
+ * Also check for all-three-contiguous being too large.
+ */
+- if (*idx < xfs_iext_count(&ip->i_df) - 1) {
++ if (*idx < xfs_iext_count(ifp) - 1) {
+ state |= BMAP_RIGHT_VALID;
+ xfs_bmbt_get_all(xfs_iext_get_ext(ifp, *idx + 1), &RIGHT);
+ if (isnullstartblock(RIGHT.br_startblock))
+@@ -2416,7 +2419,8 @@ xfs_bmap_add_extent_unwritten_real(
+ trace_xfs_bmap_post_update(ip, *idx, state, _THIS_IP_);
+
+ xfs_iext_remove(ip, *idx + 1, 2, state);
+- ip->i_d.di_nextents -= 2;
++ XFS_IFORK_NEXT_SET(ip, whichfork,
++ XFS_IFORK_NEXTENTS(ip, whichfork) - 2);
+ if (cur == NULL)
+ rval = XFS_ILOG_CORE | XFS_ILOG_DEXT;
+ else {
+@@ -2459,7 +2463,8 @@ xfs_bmap_add_extent_unwritten_real(
+ trace_xfs_bmap_post_update(ip, *idx, state, _THIS_IP_);
+
+ xfs_iext_remove(ip, *idx + 1, 1, state);
+- ip->i_d.di_nextents--;
++ XFS_IFORK_NEXT_SET(ip, whichfork,
++ XFS_IFORK_NEXTENTS(ip, whichfork) - 1);
+ if (cur == NULL)
+ rval = XFS_ILOG_CORE | XFS_ILOG_DEXT;
+ else {
+@@ -2494,7 +2499,8 @@ xfs_bmap_add_extent_unwritten_real(
+ xfs_bmbt_set_state(ep, newext);
+ trace_xfs_bmap_post_update(ip, *idx, state, _THIS_IP_);
+ xfs_iext_remove(ip, *idx + 1, 1, state);
+- ip->i_d.di_nextents--;
++ XFS_IFORK_NEXT_SET(ip, whichfork,
++ XFS_IFORK_NEXTENTS(ip, whichfork) - 1);
+ if (cur == NULL)
+ rval = XFS_ILOG_CORE | XFS_ILOG_DEXT;
+ else {
+@@ -2606,7 +2612,8 @@ xfs_bmap_add_extent_unwritten_real(
+ trace_xfs_bmap_post_update(ip, *idx, state, _THIS_IP_);
+
+ xfs_iext_insert(ip, *idx, 1, new, state);
+- ip->i_d.di_nextents++;
++ XFS_IFORK_NEXT_SET(ip, whichfork,
++ XFS_IFORK_NEXTENTS(ip, whichfork) + 1);
+ if (cur == NULL)
+ rval = XFS_ILOG_CORE | XFS_ILOG_DEXT;
+ else {
+@@ -2684,7 +2691,8 @@ xfs_bmap_add_extent_unwritten_real(
+ ++*idx;
+ xfs_iext_insert(ip, *idx, 1, new, state);
+
+- ip->i_d.di_nextents++;
++ XFS_IFORK_NEXT_SET(ip, whichfork,
++ XFS_IFORK_NEXTENTS(ip, whichfork) + 1);
+ if (cur == NULL)
+ rval = XFS_ILOG_CORE | XFS_ILOG_DEXT;
+ else {
+@@ -2732,7 +2740,8 @@ xfs_bmap_add_extent_unwritten_real(
+ ++*idx;
+ xfs_iext_insert(ip, *idx, 2, &r[0], state);
+
+- ip->i_d.di_nextents += 2;
++ XFS_IFORK_NEXT_SET(ip, whichfork,
++ XFS_IFORK_NEXTENTS(ip, whichfork) + 2);
+ if (cur == NULL)
+ rval = XFS_ILOG_CORE | XFS_ILOG_DEXT;
+ else {
+@@ -2786,17 +2795,17 @@ xfs_bmap_add_extent_unwritten_real(
+ }
+
+ /* update reverse mappings */
+- error = xfs_rmap_convert_extent(mp, dfops, ip, XFS_DATA_FORK, new);
++ error = xfs_rmap_convert_extent(mp, dfops, ip, whichfork, new);
+ if (error)
+ goto done;
+
+ /* convert to a btree if necessary */
+- if (xfs_bmap_needs_btree(ip, XFS_DATA_FORK)) {
++ if (xfs_bmap_needs_btree(ip, whichfork)) {
+ int tmp_logflags; /* partial log flag return val */
+
+ ASSERT(cur == NULL);
+ error = xfs_bmap_extents_to_btree(tp, ip, first, dfops, &cur,
+- 0, &tmp_logflags, XFS_DATA_FORK);
++ 0, &tmp_logflags, whichfork);
+ *logflagsp |= tmp_logflags;
+ if (error)
+ goto done;
+@@ -2808,7 +2817,7 @@ xfs_bmap_add_extent_unwritten_real(
+ *curp = cur;
+ }
+
+- xfs_bmap_check_leaf_extents(*curp, ip, XFS_DATA_FORK);
++ xfs_bmap_check_leaf_extents(*curp, ip, whichfork);
+ done:
+ *logflagsp |= rval;
+ return error;
+@@ -2900,7 +2909,8 @@ xfs_bmap_add_extent_hole_delay(
+ oldlen = startblockval(left.br_startblock) +
+ startblockval(new->br_startblock) +
+ startblockval(right.br_startblock);
+- newlen = xfs_bmap_worst_indlen(ip, temp);
++ newlen = XFS_FILBLKS_MIN(xfs_bmap_worst_indlen(ip, temp),
++ oldlen);
+ xfs_bmbt_set_startblock(xfs_iext_get_ext(ifp, *idx),
+ nullstartblock((int)newlen));
+ trace_xfs_bmap_post_update(ip, *idx, state, _THIS_IP_);
+@@ -2921,7 +2931,8 @@ xfs_bmap_add_extent_hole_delay(
+ xfs_bmbt_set_blockcount(xfs_iext_get_ext(ifp, *idx), temp);
+ oldlen = startblockval(left.br_startblock) +
+ startblockval(new->br_startblock);
+- newlen = xfs_bmap_worst_indlen(ip, temp);
++ newlen = XFS_FILBLKS_MIN(xfs_bmap_worst_indlen(ip, temp),
++ oldlen);
+ xfs_bmbt_set_startblock(xfs_iext_get_ext(ifp, *idx),
+ nullstartblock((int)newlen));
+ trace_xfs_bmap_post_update(ip, *idx, state, _THIS_IP_);
+@@ -2937,7 +2948,8 @@ xfs_bmap_add_extent_hole_delay(
+ temp = new->br_blockcount + right.br_blockcount;
+ oldlen = startblockval(new->br_startblock) +
+ startblockval(right.br_startblock);
+- newlen = xfs_bmap_worst_indlen(ip, temp);
++ newlen = XFS_FILBLKS_MIN(xfs_bmap_worst_indlen(ip, temp),
++ oldlen);
+ xfs_bmbt_set_allf(xfs_iext_get_ext(ifp, *idx),
+ new->br_startoff,
+ nullstartblock((int)newlen), temp, right.br_state);
+@@ -3913,17 +3925,13 @@ xfs_bmap_btalloc(
+ * the first block that was allocated.
+ */
+ ASSERT(*ap->firstblock == NULLFSBLOCK ||
+- XFS_FSB_TO_AGNO(mp, *ap->firstblock) ==
+- XFS_FSB_TO_AGNO(mp, args.fsbno) ||
+- (ap->dfops->dop_low &&
+- XFS_FSB_TO_AGNO(mp, *ap->firstblock) <
+- XFS_FSB_TO_AGNO(mp, args.fsbno)));
++ XFS_FSB_TO_AGNO(mp, *ap->firstblock) <=
++ XFS_FSB_TO_AGNO(mp, args.fsbno));
+
+ ap->blkno = args.fsbno;
+ if (*ap->firstblock == NULLFSBLOCK)
+ *ap->firstblock = args.fsbno;
+- ASSERT(nullfb || fb_agno == args.agno ||
+- (ap->dfops->dop_low && fb_agno < args.agno));
++ ASSERT(nullfb || fb_agno <= args.agno);
+ ap->length = args.len;
+ if (!(ap->flags & XFS_BMAPI_COWFORK))
+ ap->ip->i_d.di_nblocks += args.len;
+@@ -4249,6 +4257,19 @@ xfs_bmapi_read(
+ return 0;
+ }
+
++/*
++ * Add a delayed allocation extent to an inode. Blocks are reserved from the
++ * global pool and the extent inserted into the inode in-core extent tree.
++ *
++ * On entry, got refers to the first extent beyond the offset of the extent to
++ * allocate or eof is specified if no such extent exists. On return, got refers
++ * to the extent record that was inserted to the inode fork.
++ *
++ * Note that the allocated extent may have been merged with contiguous extents
++ * during insertion into the inode fork. Thus, got does not reflect the current
++ * state of the inode fork on return. If necessary, the caller can use lastx to
++ * look up the updated record in the inode fork.
++ */
+ int
+ xfs_bmapi_reserve_delalloc(
+ struct xfs_inode *ip,
+@@ -4335,13 +4356,8 @@ xfs_bmapi_reserve_delalloc(
+ got->br_startblock = nullstartblock(indlen);
+ got->br_blockcount = alen;
+ got->br_state = XFS_EXT_NORM;
+- xfs_bmap_add_extent_hole_delay(ip, whichfork, lastx, got);
+
+- /*
+- * Update our extent pointer, given that xfs_bmap_add_extent_hole_delay
+- * might have merged it into one of the neighbouring ones.
+- */
+- xfs_bmbt_get_all(xfs_iext_get_ext(ifp, *lastx), got);
++ xfs_bmap_add_extent_hole_delay(ip, whichfork, lastx, got);
+
+ /*
+ * Tag the inode if blocks were preallocated. Note that COW fork
+@@ -4353,10 +4369,6 @@ xfs_bmapi_reserve_delalloc(
+ if (whichfork == XFS_COW_FORK && (prealloc || aoff < off || alen > len))
+ xfs_inode_set_cowblocks_tag(ip);
+
+- ASSERT(got->br_startoff <= aoff);
+- ASSERT(got->br_startoff + got->br_blockcount >= aoff + alen);
+- ASSERT(isnullstartblock(got->br_startblock));
+- ASSERT(got->br_state == XFS_EXT_NORM);
+ return 0;
+
+ out_unreserve_blocks:
+@@ -4461,10 +4473,16 @@ xfs_bmapi_allocate(
+ bma->got.br_state = XFS_EXT_NORM;
+
+ /*
+- * A wasdelay extent has been initialized, so shouldn't be flagged
+- * as unwritten.
++ * In the data fork, a wasdelay extent has been initialized, so
++ * shouldn't be flagged as unwritten.
++ *
++ * For the cow fork, however, we convert delalloc reservations
++ * (extents allocated for speculative preallocation) to
++ * allocated unwritten extents, and only convert the unwritten
++ * extents to real extents when we're about to write the data.
+ */
+- if (!bma->wasdel && (bma->flags & XFS_BMAPI_PREALLOC) &&
++ if ((!bma->wasdel || (bma->flags & XFS_BMAPI_COWFORK)) &&
++ (bma->flags & XFS_BMAPI_PREALLOC) &&
+ xfs_sb_version_hasextflgbit(&mp->m_sb))
+ bma->got.br_state = XFS_EXT_UNWRITTEN;
+
+@@ -4515,8 +4533,6 @@ xfs_bmapi_convert_unwritten(
+ (XFS_BMAPI_PREALLOC | XFS_BMAPI_CONVERT))
+ return 0;
+
+- ASSERT(whichfork != XFS_COW_FORK);
+-
+ /*
+ * Modify (by adding) the state flag, if writing.
+ */
+@@ -4541,8 +4557,8 @@ xfs_bmapi_convert_unwritten(
+ return error;
+ }
+
+- error = xfs_bmap_add_extent_unwritten_real(bma->tp, bma->ip, &bma->idx,
+- &bma->cur, mval, bma->firstblock, bma->dfops,
++ error = xfs_bmap_add_extent_unwritten_real(bma->tp, bma->ip, whichfork,
++ &bma->idx, &bma->cur, mval, bma->firstblock, bma->dfops,
+ &tmp_logflags);
+ /*
+ * Log the inode core unconditionally in the unwritten extent conversion
+@@ -4551,8 +4567,12 @@ xfs_bmapi_convert_unwritten(
+ * in the transaction for the sake of fsync(), even if nothing has
+ * changed, because fsync() will not force the log for this transaction
+ * unless it sees the inode pinned.
++ *
++ * Note: If we're only converting cow fork extents, there aren't
++ * any on-disk updates to make, so we don't need to log anything.
+ */
+- bma->logflags |= tmp_logflags | XFS_ILOG_CORE;
++ if (whichfork != XFS_COW_FORK)
++ bma->logflags |= tmp_logflags | XFS_ILOG_CORE;
+ if (error)
+ return error;
+
+@@ -4626,15 +4646,15 @@ xfs_bmapi_write(
+ ASSERT(*nmap >= 1);
+ ASSERT(*nmap <= XFS_BMAP_MAX_NMAP);
+ ASSERT(!(flags & XFS_BMAPI_IGSTATE));
+- ASSERT(tp != NULL);
++ ASSERT(tp != NULL ||
++ (flags & (XFS_BMAPI_CONVERT | XFS_BMAPI_COWFORK)) ==
++ (XFS_BMAPI_CONVERT | XFS_BMAPI_COWFORK));
+ ASSERT(len > 0);
+ ASSERT(XFS_IFORK_FORMAT(ip, whichfork) != XFS_DINODE_FMT_LOCAL);
+ ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL));
+ ASSERT(!(flags & XFS_BMAPI_REMAP) || whichfork == XFS_DATA_FORK);
+ ASSERT(!(flags & XFS_BMAPI_PREALLOC) || !(flags & XFS_BMAPI_REMAP));
+ ASSERT(!(flags & XFS_BMAPI_CONVERT) || !(flags & XFS_BMAPI_REMAP));
+- ASSERT(!(flags & XFS_BMAPI_PREALLOC) || whichfork != XFS_COW_FORK);
+- ASSERT(!(flags & XFS_BMAPI_CONVERT) || whichfork != XFS_COW_FORK);
+
+ /* zeroing is for currently only for data extents, not metadata */
+ ASSERT((flags & (XFS_BMAPI_METADATA | XFS_BMAPI_ZERO)) !=
+@@ -4840,13 +4860,9 @@ xfs_bmapi_write(
+ if (bma.cur) {
+ if (!error) {
+ ASSERT(*firstblock == NULLFSBLOCK ||
+- XFS_FSB_TO_AGNO(mp, *firstblock) ==
++ XFS_FSB_TO_AGNO(mp, *firstblock) <=
+ XFS_FSB_TO_AGNO(mp,
+- bma.cur->bc_private.b.firstblock) ||
+- (dfops->dop_low &&
+- XFS_FSB_TO_AGNO(mp, *firstblock) <
+- XFS_FSB_TO_AGNO(mp,
+- bma.cur->bc_private.b.firstblock)));
++ bma.cur->bc_private.b.firstblock));
+ *firstblock = bma.cur->bc_private.b.firstblock;
+ }
+ xfs_btree_del_cursor(bma.cur,
+@@ -4881,34 +4897,59 @@ xfs_bmap_split_indlen(
+ xfs_filblks_t len2 = *indlen2;
+ xfs_filblks_t nres = len1 + len2; /* new total res. */
+ xfs_filblks_t stolen = 0;
++ xfs_filblks_t resfactor;
+
+ /*
+ * Steal as many blocks as we can to try and satisfy the worst case
+ * indlen for both new extents.
+ */
+- while (nres > ores && avail) {
+- nres--;
+- avail--;
+- stolen++;
+- }
++ if (ores < nres && avail)
++ stolen = XFS_FILBLKS_MIN(nres - ores, avail);
++ ores += stolen;
++
++ /* nothing else to do if we've satisfied the new reservation */
++ if (ores >= nres)
++ return stolen;
++
++ /*
++ * We can't meet the total required reservation for the two extents.
++ * Calculate the percent of the overall shortage between both extents
++ * and apply this percentage to each of the requested indlen values.
++ * This distributes the shortage fairly and reduces the chances that one
++ * of the two extents is left with nothing when extents are repeatedly
++ * split.
++ */
++ resfactor = (ores * 100);
++ do_div(resfactor, nres);
++ len1 *= resfactor;
++ do_div(len1, 100);
++ len2 *= resfactor;
++ do_div(len2, 100);
++ ASSERT(len1 + len2 <= ores);
++ ASSERT(len1 < *indlen1 && len2 < *indlen2);
+
+ /*
+- * The only blocks available are those reserved for the original
+- * extent and what we can steal from the extent being removed.
+- * If this still isn't enough to satisfy the combined
+- * requirements for the two new extents, skim blocks off of each
+- * of the new reservations until they match what is available.
++ * Hand out the remainder to each extent. If one of the two reservations
++ * is zero, we want to make sure that one gets a block first. The loop
++ * below starts with len1, so hand len2 a block right off the bat if it
++ * is zero.
+ */
+- while (nres > ores) {
+- if (len1) {
+- len1--;
+- nres--;
++ ores -= (len1 + len2);
++ ASSERT((*indlen1 - len1) + (*indlen2 - len2) >= ores);
++ if (ores && !len2 && *indlen2) {
++ len2++;
++ ores--;
++ }
++ while (ores) {
++ if (len1 < *indlen1) {
++ len1++;
++ ores--;
+ }
+- if (nres == ores)
++ if (!ores)
+ break;
+- if (len2) {
+- len2--;
+- nres--;
++ if (len2 < *indlen2) {
++ len2++;
++ ores--;
+ }
+ }
+
+@@ -5656,8 +5697,8 @@ __xfs_bunmapi(
+ }
+ del.br_state = XFS_EXT_UNWRITTEN;
+ error = xfs_bmap_add_extent_unwritten_real(tp, ip,
+- &lastx, &cur, &del, firstblock, dfops,
+- &logflags);
++ whichfork, &lastx, &cur, &del,
++ firstblock, dfops, &logflags);
+ if (error)
+ goto error0;
+ goto nodelete;
+@@ -5714,8 +5755,9 @@ __xfs_bunmapi(
+ prev.br_state = XFS_EXT_UNWRITTEN;
+ lastx--;
+ error = xfs_bmap_add_extent_unwritten_real(tp,
+- ip, &lastx, &cur, &prev,
+- firstblock, dfops, &logflags);
++ ip, whichfork, &lastx, &cur,
++ &prev, firstblock, dfops,
++ &logflags);
+ if (error)
+ goto error0;
+ goto nodelete;
+@@ -5723,8 +5765,9 @@ __xfs_bunmapi(
+ ASSERT(del.br_state == XFS_EXT_NORM);
+ del.br_state = XFS_EXT_UNWRITTEN;
+ error = xfs_bmap_add_extent_unwritten_real(tp,
+- ip, &lastx, &cur, &del,
+- firstblock, dfops, &logflags);
++ ip, whichfork, &lastx, &cur,
++ &del, firstblock, dfops,
++ &logflags);
+ if (error)
+ goto error0;
+ goto nodelete;
+diff --git a/fs/xfs/libxfs/xfs_bmap_btree.c b/fs/xfs/libxfs/xfs_bmap_btree.c
+index f76c169..5c39186 100644
+--- a/fs/xfs/libxfs/xfs_bmap_btree.c
++++ b/fs/xfs/libxfs/xfs_bmap_btree.c
+@@ -453,8 +453,8 @@ xfs_bmbt_alloc_block(
+
+ if (args.fsbno == NULLFSBLOCK) {
+ args.fsbno = be64_to_cpu(start->l);
+-try_another_ag:
+ args.type = XFS_ALLOCTYPE_START_BNO;
++try_another_ag:
+ /*
+ * Make sure there is sufficient room left in the AG to
+ * complete a full tree split for an extent insert. If
+@@ -494,8 +494,8 @@ xfs_bmbt_alloc_block(
+ if (xfs_sb_version_hasreflink(&cur->bc_mp->m_sb) &&
+ args.fsbno == NULLFSBLOCK &&
+ args.type == XFS_ALLOCTYPE_NEAR_BNO) {
+- cur->bc_private.b.dfops->dop_low = true;
+ args.fsbno = cur->bc_private.b.firstblock;
++ args.type = XFS_ALLOCTYPE_FIRST_AG;
+ goto try_another_ag;
+ }
+
+@@ -512,7 +512,7 @@ xfs_bmbt_alloc_block(
+ goto error0;
+ cur->bc_private.b.dfops->dop_low = true;
+ }
+- if (args.fsbno == NULLFSBLOCK) {
++ if (WARN_ON_ONCE(args.fsbno == NULLFSBLOCK)) {
+ XFS_BTREE_TRACE_CURSOR(cur, XBT_EXIT);
+ *stat = 0;
+ return 0;
+diff --git a/fs/xfs/libxfs/xfs_btree.c b/fs/xfs/libxfs/xfs_btree.c
+index 21e6a6a..2849d3f 100644
+--- a/fs/xfs/libxfs/xfs_btree.c
++++ b/fs/xfs/libxfs/xfs_btree.c
+@@ -810,7 +810,8 @@ xfs_btree_read_bufl(
+ xfs_daddr_t d; /* real disk block address */
+ int error;
+
+- ASSERT(fsbno != NULLFSBLOCK);
++ if (!XFS_FSB_SANITY_CHECK(mp, fsbno))
++ return -EFSCORRUPTED;
+ d = XFS_FSB_TO_DADDR(mp, fsbno);
+ error = xfs_trans_read_buf(mp, tp, mp->m_ddev_targp, d,
+ mp->m_bsize, lock, &bp, ops);
+diff --git a/fs/xfs/libxfs/xfs_btree.h b/fs/xfs/libxfs/xfs_btree.h
+index c2b01d1..3b0fc1a 100644
+--- a/fs/xfs/libxfs/xfs_btree.h
++++ b/fs/xfs/libxfs/xfs_btree.h
+@@ -491,7 +491,7 @@ static inline int xfs_btree_get_level(struct xfs_btree_block *block)
+ #define XFS_FILBLKS_MAX(a,b) max_t(xfs_filblks_t, (a), (b))
+
+ #define XFS_FSB_SANITY_CHECK(mp,fsb) \
+- (XFS_FSB_TO_AGNO(mp, fsb) < mp->m_sb.sb_agcount && \
++ (fsb && XFS_FSB_TO_AGNO(mp, fsb) < mp->m_sb.sb_agcount && \
+ XFS_FSB_TO_AGBNO(mp, fsb) < mp->m_sb.sb_agblocks)
+
+ /*
+diff --git a/fs/xfs/libxfs/xfs_da_btree.c b/fs/xfs/libxfs/xfs_da_btree.c
+index f2dc1a9..1bdf288 100644
+--- a/fs/xfs/libxfs/xfs_da_btree.c
++++ b/fs/xfs/libxfs/xfs_da_btree.c
+@@ -2633,7 +2633,7 @@ xfs_da_read_buf(
+ /*
+ * Readahead the dir/attr block.
+ */
+-xfs_daddr_t
++int
+ xfs_da_reada_buf(
+ struct xfs_inode *dp,
+ xfs_dablk_t bno,
+@@ -2664,7 +2664,5 @@ xfs_da_reada_buf(
+ if (mapp != &map)
+ kmem_free(mapp);
+
+- if (error)
+- return -1;
+- return mappedbno;
++ return error;
+ }
+diff --git a/fs/xfs/libxfs/xfs_da_btree.h b/fs/xfs/libxfs/xfs_da_btree.h
+index 98c75cb..4e29cb6 100644
+--- a/fs/xfs/libxfs/xfs_da_btree.h
++++ b/fs/xfs/libxfs/xfs_da_btree.h
+@@ -201,7 +201,7 @@ int xfs_da_read_buf(struct xfs_trans *trans, struct xfs_inode *dp,
+ xfs_dablk_t bno, xfs_daddr_t mappedbno,
+ struct xfs_buf **bpp, int whichfork,
+ const struct xfs_buf_ops *ops);
+-xfs_daddr_t xfs_da_reada_buf(struct xfs_inode *dp, xfs_dablk_t bno,
++int xfs_da_reada_buf(struct xfs_inode *dp, xfs_dablk_t bno,
+ xfs_daddr_t mapped_bno, int whichfork,
+ const struct xfs_buf_ops *ops);
+ int xfs_da_shrink_inode(xfs_da_args_t *args, xfs_dablk_t dead_blkno,
+diff --git a/fs/xfs/libxfs/xfs_dir2_node.c b/fs/xfs/libxfs/xfs_dir2_node.c
+index 75a5574..bbd1238 100644
+--- a/fs/xfs/libxfs/xfs_dir2_node.c
++++ b/fs/xfs/libxfs/xfs_dir2_node.c
+@@ -155,6 +155,42 @@ const struct xfs_buf_ops xfs_dir3_free_buf_ops = {
+ .verify_write = xfs_dir3_free_write_verify,
+ };
+
++/* Everything ok in the free block header? */
++static bool
++xfs_dir3_free_header_check(
++ struct xfs_inode *dp,
++ xfs_dablk_t fbno,
++ struct xfs_buf *bp)
++{
++ struct xfs_mount *mp = dp->i_mount;
++ unsigned int firstdb;
++ int maxbests;
++
++ maxbests = dp->d_ops->free_max_bests(mp->m_dir_geo);
++ firstdb = (xfs_dir2_da_to_db(mp->m_dir_geo, fbno) -
++ xfs_dir2_byte_to_db(mp->m_dir_geo, XFS_DIR2_FREE_OFFSET)) *
++ maxbests;
++ if (xfs_sb_version_hascrc(&mp->m_sb)) {
++ struct xfs_dir3_free_hdr *hdr3 = bp->b_addr;
++
++ if (be32_to_cpu(hdr3->firstdb) != firstdb)
++ return false;
++ if (be32_to_cpu(hdr3->nvalid) > maxbests)
++ return false;
++ if (be32_to_cpu(hdr3->nvalid) < be32_to_cpu(hdr3->nused))
++ return false;
++ } else {
++ struct xfs_dir2_free_hdr *hdr = bp->b_addr;
++
++ if (be32_to_cpu(hdr->firstdb) != firstdb)
++ return false;
++ if (be32_to_cpu(hdr->nvalid) > maxbests)
++ return false;
++ if (be32_to_cpu(hdr->nvalid) < be32_to_cpu(hdr->nused))
++ return false;
++ }
++ return true;
++}
+
+ static int
+ __xfs_dir3_free_read(
+@@ -168,11 +204,22 @@ __xfs_dir3_free_read(
+
+ err = xfs_da_read_buf(tp, dp, fbno, mappedbno, bpp,
+ XFS_DATA_FORK, &xfs_dir3_free_buf_ops);
++ if (err || !*bpp)
++ return err;
++
++ /* Check things that we can't do in the verifier. */
++ if (!xfs_dir3_free_header_check(dp, fbno, *bpp)) {
++ xfs_buf_ioerror(*bpp, -EFSCORRUPTED);
++ xfs_verifier_error(*bpp);
++ xfs_trans_brelse(tp, *bpp);
++ return -EFSCORRUPTED;
++ }
+
+ /* try read returns without an error or *bpp if it lands in a hole */
+- if (!err && tp && *bpp)
++ if (tp)
+ xfs_trans_buf_set_type(tp, *bpp, XFS_BLFT_DIR_FREE_BUF);
+- return err;
++
++ return 0;
+ }
+
+ int
+diff --git a/fs/xfs/libxfs/xfs_ialloc.c b/fs/xfs/libxfs/xfs_ialloc.c
+index d45c037..a2818f6 100644
+--- a/fs/xfs/libxfs/xfs_ialloc.c
++++ b/fs/xfs/libxfs/xfs_ialloc.c
+@@ -51,8 +51,7 @@ xfs_ialloc_cluster_alignment(
+ struct xfs_mount *mp)
+ {
+ if (xfs_sb_version_hasalign(&mp->m_sb) &&
+- mp->m_sb.sb_inoalignmt >=
+- XFS_B_TO_FSBT(mp, mp->m_inode_cluster_size))
++ mp->m_sb.sb_inoalignmt >= xfs_icluster_size_fsb(mp))
+ return mp->m_sb.sb_inoalignmt;
+ return 1;
+ }
+diff --git a/fs/xfs/libxfs/xfs_ialloc_btree.c b/fs/xfs/libxfs/xfs_ialloc_btree.c
+index 6c6b959..b9c351f 100644
+--- a/fs/xfs/libxfs/xfs_ialloc_btree.c
++++ b/fs/xfs/libxfs/xfs_ialloc_btree.c
+@@ -82,11 +82,12 @@ xfs_finobt_set_root(
+ }
+
+ STATIC int
+-xfs_inobt_alloc_block(
++__xfs_inobt_alloc_block(
+ struct xfs_btree_cur *cur,
+ union xfs_btree_ptr *start,
+ union xfs_btree_ptr *new,
+- int *stat)
++ int *stat,
++ enum xfs_ag_resv_type resv)
+ {
+ xfs_alloc_arg_t args; /* block allocation args */
+ int error; /* error return value */
+@@ -103,6 +104,7 @@ xfs_inobt_alloc_block(
+ args.maxlen = 1;
+ args.prod = 1;
+ args.type = XFS_ALLOCTYPE_NEAR_BNO;
++ args.resv = resv;
+
+ error = xfs_alloc_vextent(&args);
+ if (error) {
+@@ -123,6 +125,27 @@ xfs_inobt_alloc_block(
+ }
+
+ STATIC int
++xfs_inobt_alloc_block(
++ struct xfs_btree_cur *cur,
++ union xfs_btree_ptr *start,
++ union xfs_btree_ptr *new,
++ int *stat)
++{
++ return __xfs_inobt_alloc_block(cur, start, new, stat, XFS_AG_RESV_NONE);
++}
++
++STATIC int
++xfs_finobt_alloc_block(
++ struct xfs_btree_cur *cur,
++ union xfs_btree_ptr *start,
++ union xfs_btree_ptr *new,
++ int *stat)
++{
++ return __xfs_inobt_alloc_block(cur, start, new, stat,
++ XFS_AG_RESV_METADATA);
++}
++
++STATIC int
+ xfs_inobt_free_block(
+ struct xfs_btree_cur *cur,
+ struct xfs_buf *bp)
+@@ -328,7 +351,7 @@ static const struct xfs_btree_ops xfs_finobt_ops = {
+
+ .dup_cursor = xfs_inobt_dup_cursor,
+ .set_root = xfs_finobt_set_root,
+- .alloc_block = xfs_inobt_alloc_block,
++ .alloc_block = xfs_finobt_alloc_block,
+ .free_block = xfs_inobt_free_block,
+ .get_minrecs = xfs_inobt_get_minrecs,
+ .get_maxrecs = xfs_inobt_get_maxrecs,
+@@ -478,3 +501,64 @@ xfs_inobt_rec_check_count(
+ return 0;
+ }
+ #endif /* DEBUG */
++
++static xfs_extlen_t
++xfs_inobt_max_size(
++ struct xfs_mount *mp)
++{
++ /* Bail out if we're uninitialized, which can happen in mkfs. */
++ if (mp->m_inobt_mxr[0] == 0)
++ return 0;
++
++ return xfs_btree_calc_size(mp, mp->m_inobt_mnr,
++ (uint64_t)mp->m_sb.sb_agblocks * mp->m_sb.sb_inopblock /
++ XFS_INODES_PER_CHUNK);
++}
++
++static int
++xfs_inobt_count_blocks(
++ struct xfs_mount *mp,
++ xfs_agnumber_t agno,
++ xfs_btnum_t btnum,
++ xfs_extlen_t *tree_blocks)
++{
++ struct xfs_buf *agbp;
++ struct xfs_btree_cur *cur;
++ int error;
++
++ error = xfs_ialloc_read_agi(mp, NULL, agno, &agbp);
++ if (error)
++ return error;
++
++ cur = xfs_inobt_init_cursor(mp, NULL, agbp, agno, btnum);
++ error = xfs_btree_count_blocks(cur, tree_blocks);
++ xfs_btree_del_cursor(cur, error ? XFS_BTREE_ERROR : XFS_BTREE_NOERROR);
++ xfs_buf_relse(agbp);
++
++ return error;
++}
++
++/*
++ * Figure out how many blocks to reserve and how many are used by this btree.
++ */
++int
++xfs_finobt_calc_reserves(
++ struct xfs_mount *mp,
++ xfs_agnumber_t agno,
++ xfs_extlen_t *ask,
++ xfs_extlen_t *used)
++{
++ xfs_extlen_t tree_len = 0;
++ int error;
++
++ if (!xfs_sb_version_hasfinobt(&mp->m_sb))
++ return 0;
++
++ error = xfs_inobt_count_blocks(mp, agno, XFS_BTNUM_FINO, &tree_len);
++ if (error)
++ return error;
++
++ *ask += xfs_inobt_max_size(mp);
++ *used += tree_len;
++ return 0;
++}
+diff --git a/fs/xfs/libxfs/xfs_ialloc_btree.h b/fs/xfs/libxfs/xfs_ialloc_btree.h
+index bd88453..aa81e2e 100644
+--- a/fs/xfs/libxfs/xfs_ialloc_btree.h
++++ b/fs/xfs/libxfs/xfs_ialloc_btree.h
+@@ -72,4 +72,7 @@ int xfs_inobt_rec_check_count(struct xfs_mount *,
+ #define xfs_inobt_rec_check_count(mp, rec) 0
+ #endif /* DEBUG */
+
++int xfs_finobt_calc_reserves(struct xfs_mount *mp, xfs_agnumber_t agno,
++ xfs_extlen_t *ask, xfs_extlen_t *used);
++
+ #endif /* __XFS_IALLOC_BTREE_H__ */
+diff --git a/fs/xfs/libxfs/xfs_inode_fork.c b/fs/xfs/libxfs/xfs_inode_fork.c
+index 222e103..25c1e07 100644
+--- a/fs/xfs/libxfs/xfs_inode_fork.c
++++ b/fs/xfs/libxfs/xfs_inode_fork.c
+@@ -26,6 +26,7 @@
+ #include "xfs_inode.h"
+ #include "xfs_trans.h"
+ #include "xfs_inode_item.h"
++#include "xfs_btree.h"
+ #include "xfs_bmap_btree.h"
+ #include "xfs_bmap.h"
+ #include "xfs_error.h"
+@@ -429,11 +430,13 @@ xfs_iformat_btree(
+ /* REFERENCED */
+ int nrecs;
+ int size;
++ int level;
+
+ ifp = XFS_IFORK_PTR(ip, whichfork);
+ dfp = (xfs_bmdr_block_t *)XFS_DFORK_PTR(dip, whichfork);
+ size = XFS_BMAP_BROOT_SPACE(mp, dfp);
+ nrecs = be16_to_cpu(dfp->bb_numrecs);
++ level = be16_to_cpu(dfp->bb_level);
+
+ /*
+ * blow out if -- fork has less extents than can fit in
+@@ -446,7 +449,8 @@ xfs_iformat_btree(
+ XFS_IFORK_MAXEXT(ip, whichfork) ||
+ XFS_BMDR_SPACE_CALC(nrecs) >
+ XFS_DFORK_SIZE(dip, mp, whichfork) ||
+- XFS_IFORK_NEXTENTS(ip, whichfork) > ip->i_d.di_nblocks)) {
++ XFS_IFORK_NEXTENTS(ip, whichfork) > ip->i_d.di_nblocks) ||
++ level == 0 || level > XFS_BTREE_MAXLEVELS) {
+ xfs_warn(mp, "corrupt inode %Lu (btree).",
+ (unsigned long long) ip->i_ino);
+ XFS_CORRUPTION_ERROR("xfs_iformat_btree", XFS_ERRLEVEL_LOW,
+@@ -497,15 +501,14 @@ xfs_iread_extents(
+ * We know that the size is valid (it's checked in iformat_btree)
+ */
+ ifp->if_bytes = ifp->if_real_bytes = 0;
+- ifp->if_flags |= XFS_IFEXTENTS;
+ xfs_iext_add(ifp, 0, nextents);
+ error = xfs_bmap_read_extents(tp, ip, whichfork);
+ if (error) {
+ xfs_iext_destroy(ifp);
+- ifp->if_flags &= ~XFS_IFEXTENTS;
+ return error;
+ }
+ xfs_validate_extents(ifp, nextents, XFS_EXTFMT_INODE(ip));
++ ifp->if_flags |= XFS_IFEXTENTS;
+ return 0;
+ }
+ /*
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index 06763f5..0457abe 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -279,54 +279,49 @@ xfs_end_io(
+ struct xfs_ioend *ioend =
+ container_of(work, struct xfs_ioend, io_work);
+ struct xfs_inode *ip = XFS_I(ioend->io_inode);
++ xfs_off_t offset = ioend->io_offset;
++ size_t size = ioend->io_size;
+ int error = ioend->io_bio->bi_error;
+
+ /*
+- * Set an error if the mount has shut down and proceed with end I/O
+- * processing so it can perform whatever cleanups are necessary.
++ * Just clean up the in-memory strutures if the fs has been shut down.
+ */
+- if (XFS_FORCED_SHUTDOWN(ip->i_mount))
++ if (XFS_FORCED_SHUTDOWN(ip->i_mount)) {
+ error = -EIO;
++ goto done;
++ }
+
+ /*
+- * For a CoW extent, we need to move the mapping from the CoW fork
+- * to the data fork. If instead an error happened, just dump the
+- * new blocks.
++ * Clean up any COW blocks on an I/O error.
+ */
+- if (ioend->io_type == XFS_IO_COW) {
+- if (error)
+- goto done;
+- if (ioend->io_bio->bi_error) {
+- error = xfs_reflink_cancel_cow_range(ip,
+- ioend->io_offset, ioend->io_size);
+- goto done;
++ if (unlikely(error)) {
++ switch (ioend->io_type) {
++ case XFS_IO_COW:
++ xfs_reflink_cancel_cow_range(ip, offset, size, true);
++ break;
+ }
+- error = xfs_reflink_end_cow(ip, ioend->io_offset,
+- ioend->io_size);
+- if (error)
+- goto done;
++
++ goto done;
+ }
+
+ /*
+- * For unwritten extents we need to issue transactions to convert a
+- * range to normal written extens after the data I/O has finished.
+- * Detecting and handling completion IO errors is done individually
+- * for each case as different cleanup operations need to be performed
+- * on error.
++ * Success: commit the COW or unwritten blocks if needed.
+ */
+- if (ioend->io_type == XFS_IO_UNWRITTEN) {
+- if (error)
+- goto done;
+- error = xfs_iomap_write_unwritten(ip, ioend->io_offset,
+- ioend->io_size);
+- } else if (ioend->io_append_trans) {
+- error = xfs_setfilesize_ioend(ioend, error);
+- } else {
+- ASSERT(!xfs_ioend_is_append(ioend) ||
+- ioend->io_type == XFS_IO_COW);
++ switch (ioend->io_type) {
++ case XFS_IO_COW:
++ error = xfs_reflink_end_cow(ip, offset, size);
++ break;
++ case XFS_IO_UNWRITTEN:
++ error = xfs_iomap_write_unwritten(ip, offset, size);
++ break;
++ default:
++ ASSERT(!xfs_ioend_is_append(ioend) || ioend->io_append_trans);
++ break;
+ }
+
+ done:
++ if (ioend->io_append_trans)
++ error = xfs_setfilesize_ioend(ioend, error);
+ xfs_destroy_ioend(ioend, error);
+ }
+
+@@ -486,6 +481,12 @@ xfs_submit_ioend(
+ struct xfs_ioend *ioend,
+ int status)
+ {
++ /* Convert CoW extents to regular */
++ if (!status && ioend->io_type == XFS_IO_COW) {
++ status = xfs_reflink_convert_cow(XFS_I(ioend->io_inode),
++ ioend->io_offset, ioend->io_size);
++ }
++
+ /* Reserve log space if we might write beyond the on-disk inode size. */
+ if (!status &&
+ ioend->io_type != XFS_IO_UNWRITTEN &&
+@@ -1257,44 +1258,6 @@ xfs_map_trim_size(
+ bh_result->b_size = mapping_size;
+ }
+
+-/* Bounce unaligned directio writes to the page cache. */
+-static int
+-xfs_bounce_unaligned_dio_write(
+- struct xfs_inode *ip,
+- xfs_fileoff_t offset_fsb,
+- struct xfs_bmbt_irec *imap)
+-{
+- struct xfs_bmbt_irec irec;
+- xfs_fileoff_t delta;
+- bool shared;
+- bool x;
+- int error;
+-
+- irec = *imap;
+- if (offset_fsb > irec.br_startoff) {
+- delta = offset_fsb - irec.br_startoff;
+- irec.br_blockcount -= delta;
+- irec.br_startblock += delta;
+- irec.br_startoff = offset_fsb;
+- }
+- error = xfs_reflink_trim_around_shared(ip, &irec, &shared, &x);
+- if (error)
+- return error;
+-
+- /*
+- * We're here because we're trying to do a directio write to a
+- * region that isn't aligned to a filesystem block. If any part
+- * of the extent is shared, fall back to buffered mode to handle
+- * the RMW. This is done by returning -EREMCHG ("remote addr
+- * changed"), which is caught further up the call stack.
+- */
+- if (shared) {
+- trace_xfs_reflink_bounce_dio_write(ip, imap);
+- return -EREMCHG;
+- }
+- return 0;
+-}
+-
+ STATIC int
+ __xfs_get_blocks(
+ struct inode *inode,
+@@ -1432,13 +1395,6 @@ __xfs_get_blocks(
+ if (imap.br_startblock != HOLESTARTBLOCK &&
+ imap.br_startblock != DELAYSTARTBLOCK &&
+ (create || !ISUNWRITTEN(&imap))) {
+- if (create && direct && !is_cow) {
+- error = xfs_bounce_unaligned_dio_write(ip, offset_fsb,
+- &imap);
+- if (error)
+- return error;
+- }
+-
+ xfs_map_buffer(inode, bh_result, &imap, offset);
+ if (ISUNWRITTEN(&imap))
+ set_buffer_unwritten(bh_result);
+diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
+index efb8ccd..5c395e4 100644
+--- a/fs/xfs/xfs_bmap_util.c
++++ b/fs/xfs/xfs_bmap_util.c
+@@ -917,17 +917,18 @@ xfs_can_free_eofblocks(struct xfs_inode *ip, bool force)
+ */
+ int
+ xfs_free_eofblocks(
+- xfs_mount_t *mp,
+- xfs_inode_t *ip,
+- bool need_iolock)
++ struct xfs_inode *ip)
+ {
+- xfs_trans_t *tp;
+- int error;
+- xfs_fileoff_t end_fsb;
+- xfs_fileoff_t last_fsb;
+- xfs_filblks_t map_len;
+- int nimaps;
+- xfs_bmbt_irec_t imap;
++ struct xfs_trans *tp;
++ int error;
++ xfs_fileoff_t end_fsb;
++ xfs_fileoff_t last_fsb;
++ xfs_filblks_t map_len;
++ int nimaps;
++ struct xfs_bmbt_irec imap;
++ struct xfs_mount *mp = ip->i_mount;
++
++ ASSERT(xfs_isilocked(ip, XFS_IOLOCK_EXCL));
+
+ /*
+ * Figure out if there are any blocks beyond the end
+@@ -944,6 +945,10 @@ xfs_free_eofblocks(
+ error = xfs_bmapi_read(ip, end_fsb, map_len, &imap, &nimaps, 0);
+ xfs_iunlock(ip, XFS_ILOCK_SHARED);
+
++ /*
++ * If there are blocks after the end of file, truncate the file to its
++ * current size to free them up.
++ */
+ if (!error && (nimaps != 0) &&
+ (imap.br_startblock != HOLESTARTBLOCK ||
+ ip->i_delayed_blks)) {
+@@ -954,22 +959,13 @@ xfs_free_eofblocks(
+ if (error)
+ return error;
+
+- /*
+- * There are blocks after the end of file.
+- * Free them up now by truncating the file to
+- * its current size.
+- */
+- if (need_iolock) {
+- if (!xfs_ilock_nowait(ip, XFS_IOLOCK_EXCL))
+- return -EAGAIN;
+- }
++ /* wait on dio to ensure i_size has settled */
++ inode_dio_wait(VFS_I(ip));
+
+ error = xfs_trans_alloc(mp, &M_RES(mp)->tr_itruncate, 0, 0, 0,
+ &tp);
+ if (error) {
+ ASSERT(XFS_FORCED_SHUTDOWN(mp));
+- if (need_iolock)
+- xfs_iunlock(ip, XFS_IOLOCK_EXCL);
+ return error;
+ }
+
+@@ -997,8 +993,6 @@ xfs_free_eofblocks(
+ }
+
+ xfs_iunlock(ip, XFS_ILOCK_EXCL);
+- if (need_iolock)
+- xfs_iunlock(ip, XFS_IOLOCK_EXCL);
+ }
+ return error;
+ }
+@@ -1393,10 +1387,16 @@ xfs_shift_file_space(
+ xfs_fileoff_t stop_fsb;
+ xfs_fileoff_t next_fsb;
+ xfs_fileoff_t shift_fsb;
++ uint resblks;
+
+ ASSERT(direction == SHIFT_LEFT || direction == SHIFT_RIGHT);
+
+ if (direction == SHIFT_LEFT) {
++ /*
++ * Reserve blocks to cover potential extent merges after left
++ * shift operations.
++ */
++ resblks = XFS_DIOSTRAT_SPACE_RES(mp, 0);
+ next_fsb = XFS_B_TO_FSB(mp, offset + len);
+ stop_fsb = XFS_B_TO_FSB(mp, VFS_I(ip)->i_size);
+ } else {
+@@ -1404,6 +1404,7 @@ xfs_shift_file_space(
+ * If right shift, delegate the work of initialization of
+ * next_fsb to xfs_bmap_shift_extent as it has ilock held.
+ */
++ resblks = 0;
+ next_fsb = NULLFSBLOCK;
+ stop_fsb = XFS_B_TO_FSB(mp, offset);
+ }
+@@ -1415,7 +1416,7 @@ xfs_shift_file_space(
+ * into the accessible region of the file.
+ */
+ if (xfs_can_free_eofblocks(ip, true)) {
+- error = xfs_free_eofblocks(mp, ip, false);
++ error = xfs_free_eofblocks(ip);
+ if (error)
+ return error;
+ }
+@@ -1445,21 +1446,14 @@ xfs_shift_file_space(
+ }
+
+ while (!error && !done) {
+- /*
+- * We would need to reserve permanent block for transaction.
+- * This will come into picture when after shifting extent into
+- * hole we found that adjacent extents can be merged which
+- * may lead to freeing of a block during record update.
+- */
+- error = xfs_trans_alloc(mp, &M_RES(mp)->tr_write,
+- XFS_DIOSTRAT_SPACE_RES(mp, 0), 0, 0, &tp);
++ error = xfs_trans_alloc(mp, &M_RES(mp)->tr_write, resblks, 0, 0,
++ &tp);
+ if (error)
+ break;
+
+ xfs_ilock(ip, XFS_ILOCK_EXCL);
+ error = xfs_trans_reserve_quota(tp, mp, ip->i_udquot,
+- ip->i_gdquot, ip->i_pdquot,
+- XFS_DIOSTRAT_SPACE_RES(mp, 0), 0,
++ ip->i_gdquot, ip->i_pdquot, resblks, 0,
+ XFS_QMOPT_RES_REGBLKS);
+ if (error)
+ goto out_trans_cancel;
+diff --git a/fs/xfs/xfs_bmap_util.h b/fs/xfs/xfs_bmap_util.h
+index 68a621a..f100539 100644
+--- a/fs/xfs/xfs_bmap_util.h
++++ b/fs/xfs/xfs_bmap_util.h
+@@ -63,8 +63,7 @@ int xfs_insert_file_space(struct xfs_inode *, xfs_off_t offset,
+
+ /* EOF block manipulation functions */
+ bool xfs_can_free_eofblocks(struct xfs_inode *ip, bool force);
+-int xfs_free_eofblocks(struct xfs_mount *mp, struct xfs_inode *ip,
+- bool need_iolock);
++int xfs_free_eofblocks(struct xfs_inode *ip);
+
+ int xfs_swap_extents(struct xfs_inode *ip, struct xfs_inode *tip,
+ struct xfs_swapext *sx);
+diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c
+index 2975cb2..0306168 100644
+--- a/fs/xfs/xfs_buf_item.c
++++ b/fs/xfs/xfs_buf_item.c
+@@ -1162,6 +1162,7 @@ xfs_buf_iodone_callbacks(
+ */
+ bp->b_last_error = 0;
+ bp->b_retries = 0;
++ bp->b_first_retry_time = 0;
+
+ xfs_buf_do_callbacks(bp);
+ bp->b_fspriv = NULL;
+diff --git a/fs/xfs/xfs_extent_busy.c b/fs/xfs/xfs_extent_busy.c
+index 162dc18..29c2f99 100644
+--- a/fs/xfs/xfs_extent_busy.c
++++ b/fs/xfs/xfs_extent_busy.c
+@@ -45,18 +45,7 @@ xfs_extent_busy_insert(
+ struct rb_node **rbp;
+ struct rb_node *parent = NULL;
+
+- new = kmem_zalloc(sizeof(struct xfs_extent_busy), KM_MAYFAIL);
+- if (!new) {
+- /*
+- * No Memory! Since it is now not possible to track the free
+- * block, make this a synchronous transaction to insure that
+- * the block is not reused before this transaction commits.
+- */
+- trace_xfs_extent_busy_enomem(tp->t_mountp, agno, bno, len);
+- xfs_trans_set_sync(tp);
+- return;
+- }
+-
++ new = kmem_zalloc(sizeof(struct xfs_extent_busy), KM_SLEEP);
+ new->agno = agno;
+ new->bno = bno;
+ new->length = len;
+diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
+index 9a5d64b..1209ad2 100644
+--- a/fs/xfs/xfs_file.c
++++ b/fs/xfs/xfs_file.c
+@@ -554,6 +554,15 @@ xfs_file_dio_aio_write(
+ if ((iocb->ki_pos & mp->m_blockmask) ||
+ ((iocb->ki_pos + count) & mp->m_blockmask)) {
+ unaligned_io = 1;
++
++ /*
++ * We can't properly handle unaligned direct I/O to reflink
++ * files yet, as we can't unshare a partial block.
++ */
++ if (xfs_is_reflink_inode(ip)) {
++ trace_xfs_reflink_bounce_dio_write(ip, iocb->ki_pos, count);
++ return -EREMCHG;
++ }
+ iolock = XFS_IOLOCK_EXCL;
+ } else {
+ iolock = XFS_IOLOCK_SHARED;
+@@ -675,8 +684,10 @@ xfs_file_buffered_aio_write(
+ struct xfs_inode *ip = XFS_I(inode);
+ ssize_t ret;
+ int enospc = 0;
+- int iolock = XFS_IOLOCK_EXCL;
++ int iolock;
+
++write_retry:
++ iolock = XFS_IOLOCK_EXCL;
+ xfs_rw_ilock(ip, iolock);
+
+ ret = xfs_file_aio_write_checks(iocb, from, &iolock);
+@@ -686,7 +697,6 @@ xfs_file_buffered_aio_write(
+ /* We can write back this queue in page reclaim */
+ current->backing_dev_info = inode_to_bdi(inode);
+
+-write_retry:
+ trace_xfs_file_buffered_write(ip, iov_iter_count(from), iocb->ki_pos);
+ ret = iomap_file_buffered_write(iocb, from, &xfs_iomap_ops);
+ if (likely(ret >= 0))
+@@ -702,18 +712,21 @@ xfs_file_buffered_aio_write(
+ * running at the same time.
+ */
+ if (ret == -EDQUOT && !enospc) {
++ xfs_rw_iunlock(ip, iolock);
+ enospc = xfs_inode_free_quota_eofblocks(ip);
+ if (enospc)
+ goto write_retry;
+ enospc = xfs_inode_free_quota_cowblocks(ip);
+ if (enospc)
+ goto write_retry;
++ iolock = 0;
+ } else if (ret == -ENOSPC && !enospc) {
+ struct xfs_eofblocks eofb = {0};
+
+ enospc = 1;
+ xfs_flush_inodes(ip->i_mount);
+- eofb.eof_scan_owner = ip->i_ino; /* for locking */
++
++ xfs_rw_iunlock(ip, iolock);
+ eofb.eof_flags = XFS_EOF_FLAGS_SYNC;
+ xfs_icache_free_eofblocks(ip->i_mount, &eofb);
+ goto write_retry;
+@@ -721,7 +734,8 @@ xfs_file_buffered_aio_write(
+
+ current->backing_dev_info = NULL;
+ out:
+- xfs_rw_iunlock(ip, iolock);
++ if (iolock)
++ xfs_rw_iunlock(ip, iolock);
+ return ret;
+ }
+
+@@ -987,9 +1001,9 @@ xfs_dir_open(
+ */
+ mode = xfs_ilock_data_map_shared(ip);
+ if (ip->i_d.di_nextents > 0)
+- xfs_dir3_data_readahead(ip, 0, -1);
++ error = xfs_dir3_data_readahead(ip, 0, -1);
+ xfs_iunlock(ip, mode);
+- return 0;
++ return error;
+ }
+
+ STATIC int
+diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c
+index 29cc988..3fb1f3f 100644
+--- a/fs/xfs/xfs_icache.c
++++ b/fs/xfs/xfs_icache.c
+@@ -1324,13 +1324,10 @@ xfs_inode_free_eofblocks(
+ int flags,
+ void *args)
+ {
+- int ret;
++ int ret = 0;
+ struct xfs_eofblocks *eofb = args;
+- bool need_iolock = true;
+ int match;
+
+- ASSERT(!eofb || (eofb && eofb->eof_scan_owner != 0));
+-
+ if (!xfs_can_free_eofblocks(ip, false)) {
+ /* inode could be preallocated or append-only */
+ trace_xfs_inode_free_eofblocks_invalid(ip);
+@@ -1358,21 +1355,19 @@ xfs_inode_free_eofblocks(
+ if (eofb->eof_flags & XFS_EOF_FLAGS_MINFILESIZE &&
+ XFS_ISIZE(ip) < eofb->eof_min_file_size)
+ return 0;
+-
+- /*
+- * A scan owner implies we already hold the iolock. Skip it in
+- * xfs_free_eofblocks() to avoid deadlock. This also eliminates
+- * the possibility of EAGAIN being returned.
+- */
+- if (eofb->eof_scan_owner == ip->i_ino)
+- need_iolock = false;
+ }
+
+- ret = xfs_free_eofblocks(ip->i_mount, ip, need_iolock);
+-
+- /* don't revisit the inode if we're not waiting */
+- if (ret == -EAGAIN && !(flags & SYNC_WAIT))
+- ret = 0;
++ /*
++ * If the caller is waiting, return -EAGAIN to keep the background
++ * scanner moving and revisit the inode in a subsequent pass.
++ */
++ if (!xfs_ilock_nowait(ip, XFS_IOLOCK_EXCL)) {
++ if (flags & SYNC_WAIT)
++ ret = -EAGAIN;
++ return ret;
++ }
++ ret = xfs_free_eofblocks(ip);
++ xfs_iunlock(ip, XFS_IOLOCK_EXCL);
+
+ return ret;
+ }
+@@ -1419,15 +1414,10 @@ __xfs_inode_free_quota_eofblocks(
+ struct xfs_eofblocks eofb = {0};
+ struct xfs_dquot *dq;
+
+- ASSERT(xfs_isilocked(ip, XFS_IOLOCK_EXCL));
+-
+ /*
+- * Set the scan owner to avoid a potential livelock. Otherwise, the scan
+- * can repeatedly trylock on the inode we're currently processing. We
+- * run a sync scan to increase effectiveness and use the union filter to
++ * Run a sync scan to increase effectiveness and use the union filter to
+ * cover all applicable quotas in a single scan.
+ */
+- eofb.eof_scan_owner = ip->i_ino;
+ eofb.eof_flags = XFS_EOF_FLAGS_UNION|XFS_EOF_FLAGS_SYNC;
+
+ if (XFS_IS_UQUOTA_ENFORCED(ip->i_mount)) {
+@@ -1579,12 +1569,9 @@ xfs_inode_free_cowblocks(
+ {
+ int ret;
+ struct xfs_eofblocks *eofb = args;
+- bool need_iolock = true;
+ int match;
+ struct xfs_ifork *ifp = XFS_IFORK_PTR(ip, XFS_COW_FORK);
+
+- ASSERT(!eofb || (eofb && eofb->eof_scan_owner != 0));
+-
+ /*
+ * Just clear the tag if we have an empty cow fork or none at all. It's
+ * possible the inode was fully unshared since it was originally tagged.
+@@ -1617,28 +1604,16 @@ xfs_inode_free_cowblocks(
+ if (eofb->eof_flags & XFS_EOF_FLAGS_MINFILESIZE &&
+ XFS_ISIZE(ip) < eofb->eof_min_file_size)
+ return 0;
+-
+- /*
+- * A scan owner implies we already hold the iolock. Skip it in
+- * xfs_free_eofblocks() to avoid deadlock. This also eliminates
+- * the possibility of EAGAIN being returned.
+- */
+- if (eofb->eof_scan_owner == ip->i_ino)
+- need_iolock = false;
+ }
+
+ /* Free the CoW blocks */
+- if (need_iolock) {
+- xfs_ilock(ip, XFS_IOLOCK_EXCL);
+- xfs_ilock(ip, XFS_MMAPLOCK_EXCL);
+- }
++ xfs_ilock(ip, XFS_IOLOCK_EXCL);
++ xfs_ilock(ip, XFS_MMAPLOCK_EXCL);
+
+- ret = xfs_reflink_cancel_cow_range(ip, 0, NULLFILEOFF);
++ ret = xfs_reflink_cancel_cow_range(ip, 0, NULLFILEOFF, false);
+
+- if (need_iolock) {
+- xfs_iunlock(ip, XFS_MMAPLOCK_EXCL);
+- xfs_iunlock(ip, XFS_IOLOCK_EXCL);
+- }
++ xfs_iunlock(ip, XFS_MMAPLOCK_EXCL);
++ xfs_iunlock(ip, XFS_IOLOCK_EXCL);
+
+ return ret;
+ }
+diff --git a/fs/xfs/xfs_icache.h b/fs/xfs/xfs_icache.h
+index a1e02f4..8a7c849 100644
+--- a/fs/xfs/xfs_icache.h
++++ b/fs/xfs/xfs_icache.h
+@@ -27,7 +27,6 @@ struct xfs_eofblocks {
+ kgid_t eof_gid;
+ prid_t eof_prid;
+ __u64 eof_min_file_size;
+- xfs_ino_t eof_scan_owner;
+ };
+
+ #define SYNC_WAIT 0x0001 /* wait for i/o to complete */
+@@ -102,7 +101,6 @@ xfs_fs_eofblocks_from_user(
+ dst->eof_flags = src->eof_flags;
+ dst->eof_prid = src->eof_prid;
+ dst->eof_min_file_size = src->eof_min_file_size;
+- dst->eof_scan_owner = NULLFSINO;
+
+ dst->eof_uid = INVALID_UID;
+ if (src->eof_flags & XFS_EOF_FLAGS_UID) {
+diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c
+index 512ff13..e50636c 100644
+--- a/fs/xfs/xfs_inode.c
++++ b/fs/xfs/xfs_inode.c
+@@ -1624,7 +1624,7 @@ xfs_itruncate_extents(
+
+ /* Remove all pending CoW reservations. */
+ error = xfs_reflink_cancel_cow_blocks(ip, &tp, first_unmap_block,
+- last_block);
++ last_block, true);
+ if (error)
+ goto out;
+
+@@ -1701,32 +1701,34 @@ xfs_release(
+ if (xfs_can_free_eofblocks(ip, false)) {
+
+ /*
++ * Check if the inode is being opened, written and closed
++ * frequently and we have delayed allocation blocks outstanding
++ * (e.g. streaming writes from the NFS server), truncating the
++ * blocks past EOF will cause fragmentation to occur.
++ *
++ * In this case don't do the truncation, but we have to be
++ * careful how we detect this case. Blocks beyond EOF show up as
++ * i_delayed_blks even when the inode is clean, so we need to
++ * truncate them away first before checking for a dirty release.
++ * Hence on the first dirty close we will still remove the
++ * speculative allocation, but after that we will leave it in
++ * place.
++ */
++ if (xfs_iflags_test(ip, XFS_IDIRTY_RELEASE))
++ return 0;
++ /*
+ * If we can't get the iolock just skip truncating the blocks
+ * past EOF because we could deadlock with the mmap_sem
+- * otherwise. We'll get another chance to drop them once the
++ * otherwise. We'll get another chance to drop them once the
+ * last reference to the inode is dropped, so we'll never leak
+ * blocks permanently.
+- *
+- * Further, check if the inode is being opened, written and
+- * closed frequently and we have delayed allocation blocks
+- * outstanding (e.g. streaming writes from the NFS server),
+- * truncating the blocks past EOF will cause fragmentation to
+- * occur.
+- *
+- * In this case don't do the truncation, either, but we have to
+- * be careful how we detect this case. Blocks beyond EOF show
+- * up as i_delayed_blks even when the inode is clean, so we
+- * need to truncate them away first before checking for a dirty
+- * release. Hence on the first dirty close we will still remove
+- * the speculative allocation, but after that we will leave it
+- * in place.
+ */
+- if (xfs_iflags_test(ip, XFS_IDIRTY_RELEASE))
+- return 0;
+-
+- error = xfs_free_eofblocks(mp, ip, true);
+- if (error && error != -EAGAIN)
+- return error;
++ if (xfs_ilock_nowait(ip, XFS_IOLOCK_EXCL)) {
++ error = xfs_free_eofblocks(ip);
++ xfs_iunlock(ip, XFS_IOLOCK_EXCL);
++ if (error)
++ return error;
++ }
+
+ /* delalloc blocks after truncation means it really is dirty */
+ if (ip->i_delayed_blks)
+@@ -1801,22 +1803,23 @@ xfs_inactive_ifree(
+ int error;
+
+ /*
+- * The ifree transaction might need to allocate blocks for record
+- * insertion to the finobt. We don't want to fail here at ENOSPC, so
+- * allow ifree to dip into the reserved block pool if necessary.
+- *
+- * Freeing large sets of inodes generally means freeing inode chunks,
+- * directory and file data blocks, so this should be relatively safe.
+- * Only under severe circumstances should it be possible to free enough
+- * inodes to exhaust the reserve block pool via finobt expansion while
+- * at the same time not creating free space in the filesystem.
++ * We try to use a per-AG reservation for any block needed by the finobt
++ * tree, but as the finobt feature predates the per-AG reservation
++ * support a degraded file system might not have enough space for the
++ * reservation at mount time. In that case try to dip into the reserved
++ * pool and pray.
+ *
+ * Send a warning if the reservation does happen to fail, as the inode
+ * now remains allocated and sits on the unlinked list until the fs is
+ * repaired.
+ */
+- error = xfs_trans_alloc(mp, &M_RES(mp)->tr_ifree,
+- XFS_IFREE_SPACE_RES(mp), 0, XFS_TRANS_RESERVE, &tp);
++ if (unlikely(mp->m_inotbt_nores)) {
++ error = xfs_trans_alloc(mp, &M_RES(mp)->tr_ifree,
++ XFS_IFREE_SPACE_RES(mp), 0, XFS_TRANS_RESERVE,
++ &tp);
++ } else {
++ error = xfs_trans_alloc(mp, &M_RES(mp)->tr_ifree, 0, 0, 0, &tp);
++ }
+ if (error) {
+ if (error == -ENOSPC) {
+ xfs_warn_ratelimited(mp,
+@@ -1912,8 +1915,11 @@ xfs_inactive(
+ * cache. Post-eof blocks must be freed, lest we end up with
+ * broken free space accounting.
+ */
+- if (xfs_can_free_eofblocks(ip, true))
+- xfs_free_eofblocks(mp, ip, false);
++ if (xfs_can_free_eofblocks(ip, true)) {
++ xfs_ilock(ip, XFS_IOLOCK_EXCL);
++ xfs_free_eofblocks(ip);
++ xfs_iunlock(ip, XFS_IOLOCK_EXCL);
++ }
+
+ return;
+ }
+diff --git a/fs/xfs/xfs_iomap.c b/fs/xfs/xfs_iomap.c
+index e888961..3605624 100644
+--- a/fs/xfs/xfs_iomap.c
++++ b/fs/xfs/xfs_iomap.c
+@@ -637,6 +637,11 @@ xfs_file_iomap_begin_delay(
+ goto out_unlock;
+ }
+
++ /*
++ * Flag newly allocated delalloc blocks with IOMAP_F_NEW so we punch
++ * them out if the write happens to fail.
++ */
++ iomap->flags = IOMAP_F_NEW;
+ trace_xfs_iomap_alloc(ip, offset, count, 0, &got);
+ done:
+ if (isnullstartblock(got.br_startblock))
+@@ -685,7 +690,7 @@ xfs_iomap_write_allocate(
+ int nres;
+
+ if (whichfork == XFS_COW_FORK)
+- flags |= XFS_BMAPI_COWFORK;
++ flags |= XFS_BMAPI_COWFORK | XFS_BMAPI_PREALLOC;
+
+ /*
+ * Make sure that the dquots are there.
+@@ -1061,7 +1066,8 @@ xfs_file_iomap_end_delalloc(
+ struct xfs_inode *ip,
+ loff_t offset,
+ loff_t length,
+- ssize_t written)
++ ssize_t written,
++ struct iomap *iomap)
+ {
+ struct xfs_mount *mp = ip->i_mount;
+ xfs_fileoff_t start_fsb;
+@@ -1080,14 +1086,14 @@ xfs_file_iomap_end_delalloc(
+ end_fsb = XFS_B_TO_FSB(mp, offset + length);
+
+ /*
+- * Trim back delalloc blocks if we didn't manage to write the whole
+- * range reserved.
++ * Trim delalloc blocks if they were allocated by this write and we
++ * didn't manage to write the whole range.
+ *
+ * We don't need to care about racing delalloc as we hold i_mutex
+ * across the reserve/allocate/unreserve calls. If there are delalloc
+ * blocks in the range, they are ours.
+ */
+- if (start_fsb < end_fsb) {
++ if ((iomap->flags & IOMAP_F_NEW) && start_fsb < end_fsb) {
+ truncate_pagecache_range(VFS_I(ip), XFS_FSB_TO_B(mp, start_fsb),
+ XFS_FSB_TO_B(mp, end_fsb) - 1);
+
+@@ -1117,7 +1123,7 @@ xfs_file_iomap_end(
+ {
+ if ((flags & IOMAP_WRITE) && iomap->type == IOMAP_DELALLOC)
+ return xfs_file_iomap_end_delalloc(XFS_I(inode), offset,
+- length, written);
++ length, written, iomap);
+ return 0;
+ }
+
+diff --git a/fs/xfs/xfs_mount.c b/fs/xfs/xfs_mount.c
+index b341f10..13796f2 100644
+--- a/fs/xfs/xfs_mount.c
++++ b/fs/xfs/xfs_mount.c
+@@ -502,8 +502,7 @@ STATIC void
+ xfs_set_inoalignment(xfs_mount_t *mp)
+ {
+ if (xfs_sb_version_hasalign(&mp->m_sb) &&
+- mp->m_sb.sb_inoalignmt >=
+- XFS_B_TO_FSBT(mp, mp->m_inode_cluster_size))
++ mp->m_sb.sb_inoalignmt >= xfs_icluster_size_fsb(mp))
+ mp->m_inoalign_mask = mp->m_sb.sb_inoalignmt - 1;
+ else
+ mp->m_inoalign_mask = 0;
+diff --git a/fs/xfs/xfs_mount.h b/fs/xfs/xfs_mount.h
+index 819b80b..1bf878b 100644
+--- a/fs/xfs/xfs_mount.h
++++ b/fs/xfs/xfs_mount.h
+@@ -140,6 +140,7 @@ typedef struct xfs_mount {
+ int m_fixedfsid[2]; /* unchanged for life of FS */
+ uint m_dmevmask; /* DMI events for this FS */
+ __uint64_t m_flags; /* global mount flags */
++ bool m_inotbt_nores; /* no per-AG finobt resv. */
+ int m_ialloc_inos; /* inodes in inode allocation */
+ int m_ialloc_blks; /* blocks in inode allocation */
+ int m_ialloc_min_blks;/* min blocks in sparse inode
+diff --git a/fs/xfs/xfs_reflink.c b/fs/xfs/xfs_reflink.c
+index 4d3f74e..2252f16 100644
+--- a/fs/xfs/xfs_reflink.c
++++ b/fs/xfs/xfs_reflink.c
+@@ -82,11 +82,22 @@
+ * mappings are a reservation against the free space in the filesystem;
+ * adjacent mappings can also be combined into fewer larger mappings.
+ *
++ * As an optimization, the CoW extent size hint (cowextsz) creates
++ * outsized aligned delalloc reservations in the hope of landing out of
++ * order nearby CoW writes in a single extent on disk, thereby reducing
++ * fragmentation and improving future performance.
++ *
++ * D: --RRRRRRSSSRRRRRRRR--- (data fork)
++ * C: ------DDDDDDD--------- (CoW fork)
++ *
+ * When dirty pages are being written out (typically in writepage), the
+- * delalloc reservations are converted into real mappings by allocating
+- * blocks and replacing the delalloc mapping with real ones. A delalloc
+- * mapping can be replaced by several real ones if the free space is
+- * fragmented.
++ * delalloc reservations are converted into unwritten mappings by
++ * allocating blocks and replacing the delalloc mapping with real ones.
++ * A delalloc mapping can be replaced by several unwritten ones if the
++ * free space is fragmented.
++ *
++ * D: --RRRRRRSSSRRRRRRRR---
++ * C: ------UUUUUUU---------
+ *
+ * We want to adapt the delalloc mechanism for copy-on-write, since the
+ * write paths are similar. The first two steps (creating the reservation
+@@ -101,13 +112,29 @@
+ * Block-aligned directio writes will use the same mechanism as buffered
+ * writes.
+ *
++ * Just prior to submitting the actual disk write requests, we convert
++ * the extents representing the range of the file actually being written
++ * (as opposed to extra pieces created for the cowextsize hint) to real
++ * extents. This will become important in the next step:
++ *
++ * D: --RRRRRRSSSRRRRRRRR---
++ * C: ------UUrrUUU---------
++ *
+ * CoW remapping must be done after the data block write completes,
+ * because we don't want to destroy the old data fork map until we're sure
+ * the new block has been written. Since the new mappings are kept in a
+ * separate fork, we can simply iterate these mappings to find the ones
+ * that cover the file blocks that we just CoW'd. For each extent, simply
+ * unmap the corresponding range in the data fork, map the new range into
+- * the data fork, and remove the extent from the CoW fork.
++ * the data fork, and remove the extent from the CoW fork. Because of
++ * the presence of the cowextsize hint, however, we must be careful
++ * only to remap the blocks that we've actually written out -- we must
++ * never remap delalloc reservations nor CoW staging blocks that have
++ * yet to be written. This corresponds exactly to the real extents in
++ * the CoW fork:
++ *
++ * D: --RRRRRRrrSRRRRRRRR---
++ * C: ------UU--UUU---------
+ *
+ * Since the remapping operation can be applied to an arbitrary file
+ * range, we record the need for the remap step as a flag in the ioend
+@@ -296,6 +323,65 @@ xfs_reflink_reserve_cow(
+ return 0;
+ }
+
++/* Convert part of an unwritten CoW extent to a real one. */
++STATIC int
++xfs_reflink_convert_cow_extent(
++ struct xfs_inode *ip,
++ struct xfs_bmbt_irec *imap,
++ xfs_fileoff_t offset_fsb,
++ xfs_filblks_t count_fsb,
++ struct xfs_defer_ops *dfops)
++{
++ struct xfs_bmbt_irec irec = *imap;
++ xfs_fsblock_t first_block;
++ int nimaps = 1;
++
++ if (imap->br_state == XFS_EXT_NORM)
++ return 0;
++
++ xfs_trim_extent(&irec, offset_fsb, count_fsb);
++ trace_xfs_reflink_convert_cow(ip, &irec);
++ if (irec.br_blockcount == 0)
++ return 0;
++ return xfs_bmapi_write(NULL, ip, irec.br_startoff, irec.br_blockcount,
++ XFS_BMAPI_COWFORK | XFS_BMAPI_CONVERT, &first_block,
++ 0, &irec, &nimaps, dfops);
++}
++
++/* Convert all of the unwritten CoW extents in a file's range to real ones. */
++int
++xfs_reflink_convert_cow(
++ struct xfs_inode *ip,
++ xfs_off_t offset,
++ xfs_off_t count)
++{
++ struct xfs_bmbt_irec got;
++ struct xfs_defer_ops dfops;
++ struct xfs_mount *mp = ip->i_mount;
++ struct xfs_ifork *ifp = XFS_IFORK_PTR(ip, XFS_COW_FORK);
++ xfs_fileoff_t offset_fsb = XFS_B_TO_FSBT(mp, offset);
++ xfs_fileoff_t end_fsb = XFS_B_TO_FSB(mp, offset + count);
++ xfs_extnum_t idx;
++ bool found;
++ int error = 0;
++
++ xfs_ilock(ip, XFS_ILOCK_EXCL);
++
++ /* Convert all the extents to real from unwritten. */
++ for (found = xfs_iext_lookup_extent(ip, ifp, offset_fsb, &idx, &got);
++ found && got.br_startoff < end_fsb;
++ found = xfs_iext_get_extent(ifp, ++idx, &got)) {
++ error = xfs_reflink_convert_cow_extent(ip, &got, offset_fsb,
++ end_fsb - offset_fsb, &dfops);
++ if (error)
++ break;
++ }
++
++ /* Finish up. */
++ xfs_iunlock(ip, XFS_ILOCK_EXCL);
++ return error;
++}
++
+ /* Allocate all CoW reservations covering a range of blocks in a file. */
+ static int
+ __xfs_reflink_allocate_cow(
+@@ -328,6 +414,7 @@ __xfs_reflink_allocate_cow(
+ goto out_unlock;
+ ASSERT(nimaps == 1);
+
++ /* Make sure there's a CoW reservation for it. */
+ error = xfs_reflink_reserve_cow(ip, &imap, &shared);
+ if (error)
+ goto out_trans_cancel;
+@@ -337,14 +424,16 @@ __xfs_reflink_allocate_cow(
+ goto out_trans_cancel;
+ }
+
++ /* Allocate the entire reservation as unwritten blocks. */
+ xfs_trans_ijoin(tp, ip, 0);
+ error = xfs_bmapi_write(tp, ip, imap.br_startoff, imap.br_blockcount,
+- XFS_BMAPI_COWFORK, &first_block,
++ XFS_BMAPI_COWFORK | XFS_BMAPI_PREALLOC, &first_block,
+ XFS_EXTENTADD_SPACE_RES(mp, XFS_DATA_FORK),
+ &imap, &nimaps, &dfops);
+ if (error)
+ goto out_trans_cancel;
+
++ /* Finish up. */
+ error = xfs_defer_finish(&tp, &dfops, NULL);
+ if (error)
+ goto out_trans_cancel;
+@@ -389,11 +478,12 @@ xfs_reflink_allocate_cow_range(
+ if (error) {
+ trace_xfs_reflink_allocate_cow_range_error(ip, error,
+ _RET_IP_);
+- break;
++ return error;
+ }
+ }
+
+- return error;
++ /* Convert the CoW extents to regular. */
++ return xfs_reflink_convert_cow(ip, offset, count);
+ }
+
+ /*
+@@ -481,14 +571,18 @@ xfs_reflink_trim_irec_to_next_cow(
+ }
+
+ /*
+- * Cancel all pending CoW reservations for some block range of an inode.
++ * Cancel CoW reservations for some block range of an inode.
++ *
++ * If cancel_real is true this function cancels all COW fork extents for the
++ * inode; if cancel_real is false, real extents are not cleared.
+ */
+ int
+ xfs_reflink_cancel_cow_blocks(
+ struct xfs_inode *ip,
+ struct xfs_trans **tpp,
+ xfs_fileoff_t offset_fsb,
+- xfs_fileoff_t end_fsb)
++ xfs_fileoff_t end_fsb,
++ bool cancel_real)
+ {
+ struct xfs_ifork *ifp = XFS_IFORK_PTR(ip, XFS_COW_FORK);
+ struct xfs_bmbt_irec got, prev, del;
+@@ -515,7 +609,7 @@ xfs_reflink_cancel_cow_blocks(
+ &idx, &got, &del);
+ if (error)
+ break;
+- } else {
++ } else if (del.br_state == XFS_EXT_UNWRITTEN || cancel_real) {
+ xfs_trans_ijoin(*tpp, ip, 0);
+ xfs_defer_init(&dfops, &firstfsb);
+
+@@ -558,13 +652,17 @@ xfs_reflink_cancel_cow_blocks(
+ }
+
+ /*
+- * Cancel all pending CoW reservations for some byte range of an inode.
++ * Cancel CoW reservations for some byte range of an inode.
++ *
++ * If cancel_real is true this function cancels all COW fork extents for the
++ * inode; if cancel_real is false, real extents are not cleared.
+ */
+ int
+ xfs_reflink_cancel_cow_range(
+ struct xfs_inode *ip,
+ xfs_off_t offset,
+- xfs_off_t count)
++ xfs_off_t count,
++ bool cancel_real)
+ {
+ struct xfs_trans *tp;
+ xfs_fileoff_t offset_fsb;
+@@ -590,7 +688,8 @@ xfs_reflink_cancel_cow_range(
+ xfs_trans_ijoin(tp, ip, 0);
+
+ /* Scrape out the old CoW reservations */
+- error = xfs_reflink_cancel_cow_blocks(ip, &tp, offset_fsb, end_fsb);
++ error = xfs_reflink_cancel_cow_blocks(ip, &tp, offset_fsb, end_fsb,
++ cancel_real);
+ if (error)
+ goto out_cancel;
+
+@@ -669,6 +768,16 @@ xfs_reflink_end_cow(
+
+ ASSERT(!isnullstartblock(got.br_startblock));
+
++ /*
++ * Don't remap unwritten extents; these are
++ * speculatively preallocated CoW extents that have been
++ * allocated but have not yet been involved in a write.
++ */
++ if (got.br_state == XFS_EXT_UNWRITTEN) {
++ idx--;
++ goto next_extent;
++ }
++
+ /* Unmap the old blocks in the data fork. */
+ xfs_defer_init(&dfops, &firstfsb);
+ rlen = del.br_blockcount;
+@@ -885,13 +994,14 @@ STATIC int
+ xfs_reflink_update_dest(
+ struct xfs_inode *dest,
+ xfs_off_t newlen,
+- xfs_extlen_t cowextsize)
++ xfs_extlen_t cowextsize,
++ bool is_dedupe)
+ {
+ struct xfs_mount *mp = dest->i_mount;
+ struct xfs_trans *tp;
+ int error;
+
+- if (newlen <= i_size_read(VFS_I(dest)) && cowextsize == 0)
++ if (is_dedupe && newlen <= i_size_read(VFS_I(dest)) && cowextsize == 0)
+ return 0;
+
+ error = xfs_trans_alloc(mp, &M_RES(mp)->tr_ichange, 0, 0, 0, &tp);
+@@ -912,6 +1022,10 @@ xfs_reflink_update_dest(
+ dest->i_d.di_flags2 |= XFS_DIFLAG2_COWEXTSIZE;
+ }
+
++ if (!is_dedupe) {
++ xfs_trans_ichgtime(tp, dest,
++ XFS_ICHGTIME_MOD | XFS_ICHGTIME_CHG);
++ }
+ xfs_trans_log_inode(tp, dest, XFS_ILOG_CORE);
+
+ error = xfs_trans_commit(tp);
+@@ -1428,7 +1542,8 @@ xfs_reflink_remap_range(
+ !(dest->i_d.di_flags2 & XFS_DIFLAG2_COWEXTSIZE))
+ cowextsize = src->i_d.di_cowextsize;
+
+- ret = xfs_reflink_update_dest(dest, pos_out + len, cowextsize);
++ ret = xfs_reflink_update_dest(dest, pos_out + len, cowextsize,
++ is_dedupe);
+
+ out_unlock:
+ xfs_iunlock(src, XFS_MMAPLOCK_EXCL);
+@@ -1580,7 +1695,7 @@ xfs_reflink_clear_inode_flag(
+ * We didn't find any shared blocks so turn off the reflink flag.
+ * First, get rid of any leftover CoW mappings.
+ */
+- error = xfs_reflink_cancel_cow_blocks(ip, tpp, 0, NULLFILEOFF);
++ error = xfs_reflink_cancel_cow_blocks(ip, tpp, 0, NULLFILEOFF, true);
+ if (error)
+ return error;
+
+diff --git a/fs/xfs/xfs_reflink.h b/fs/xfs/xfs_reflink.h
+index 97ea9b4..a57966f 100644
+--- a/fs/xfs/xfs_reflink.h
++++ b/fs/xfs/xfs_reflink.h
+@@ -30,6 +30,8 @@ extern int xfs_reflink_reserve_cow(struct xfs_inode *ip,
+ struct xfs_bmbt_irec *imap, bool *shared);
+ extern int xfs_reflink_allocate_cow_range(struct xfs_inode *ip,
+ xfs_off_t offset, xfs_off_t count);
++extern int xfs_reflink_convert_cow(struct xfs_inode *ip, xfs_off_t offset,
++ xfs_off_t count);
+ extern bool xfs_reflink_find_cow_mapping(struct xfs_inode *ip, xfs_off_t offset,
+ struct xfs_bmbt_irec *imap, bool *need_alloc);
+ extern int xfs_reflink_trim_irec_to_next_cow(struct xfs_inode *ip,
+@@ -37,9 +39,9 @@ extern int xfs_reflink_trim_irec_to_next_cow(struct xfs_inode *ip,
+
+ extern int xfs_reflink_cancel_cow_blocks(struct xfs_inode *ip,
+ struct xfs_trans **tpp, xfs_fileoff_t offset_fsb,
+- xfs_fileoff_t end_fsb);
++ xfs_fileoff_t end_fsb, bool cancel_real);
+ extern int xfs_reflink_cancel_cow_range(struct xfs_inode *ip, xfs_off_t offset,
+- xfs_off_t count);
++ xfs_off_t count, bool cancel_real);
+ extern int xfs_reflink_end_cow(struct xfs_inode *ip, xfs_off_t offset,
+ xfs_off_t count);
+ extern int xfs_reflink_recover_cow(struct xfs_mount *mp);
+diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c
+index ade4691..dbbd3f1 100644
+--- a/fs/xfs/xfs_super.c
++++ b/fs/xfs/xfs_super.c
+@@ -948,7 +948,7 @@ xfs_fs_destroy_inode(
+ XFS_STATS_INC(ip->i_mount, vn_remove);
+
+ if (xfs_is_reflink_inode(ip)) {
+- error = xfs_reflink_cancel_cow_range(ip, 0, NULLFILEOFF);
++ error = xfs_reflink_cancel_cow_range(ip, 0, NULLFILEOFF, true);
+ if (error && !XFS_FORCED_SHUTDOWN(ip->i_mount))
+ xfs_warn(ip->i_mount,
+ "Error %d while evicting CoW blocks for inode %llu.",
+diff --git a/fs/xfs/xfs_trace.h b/fs/xfs/xfs_trace.h
+index 0907752..828f383 100644
+--- a/fs/xfs/xfs_trace.h
++++ b/fs/xfs/xfs_trace.h
+@@ -3183,6 +3183,7 @@ DECLARE_EVENT_CLASS(xfs_inode_irec_class,
+ __field(xfs_fileoff_t, lblk)
+ __field(xfs_extlen_t, len)
+ __field(xfs_fsblock_t, pblk)
++ __field(int, state)
+ ),
+ TP_fast_assign(
+ __entry->dev = VFS_I(ip)->i_sb->s_dev;
+@@ -3190,13 +3191,15 @@ DECLARE_EVENT_CLASS(xfs_inode_irec_class,
+ __entry->lblk = irec->br_startoff;
+ __entry->len = irec->br_blockcount;
+ __entry->pblk = irec->br_startblock;
++ __entry->state = irec->br_state;
+ ),
+- TP_printk("dev %d:%d ino 0x%llx lblk 0x%llx len 0x%x pblk %llu",
++ TP_printk("dev %d:%d ino 0x%llx lblk 0x%llx len 0x%x pblk %llu st %d",
+ MAJOR(__entry->dev), MINOR(__entry->dev),
+ __entry->ino,
+ __entry->lblk,
+ __entry->len,
+- __entry->pblk)
++ __entry->pblk,
++ __entry->state)
+ );
+ #define DEFINE_INODE_IREC_EVENT(name) \
+ DEFINE_EVENT(xfs_inode_irec_class, name, \
+@@ -3345,11 +3348,12 @@ DEFINE_INODE_IREC_EVENT(xfs_reflink_trim_around_shared);
+ DEFINE_INODE_IREC_EVENT(xfs_reflink_cow_alloc);
+ DEFINE_INODE_IREC_EVENT(xfs_reflink_cow_found);
+ DEFINE_INODE_IREC_EVENT(xfs_reflink_cow_enospc);
++DEFINE_INODE_IREC_EVENT(xfs_reflink_convert_cow);
+
+ DEFINE_RW_EVENT(xfs_reflink_reserve_cow);
+ DEFINE_RW_EVENT(xfs_reflink_allocate_cow_range);
+
+-DEFINE_INODE_IREC_EVENT(xfs_reflink_bounce_dio_write);
++DEFINE_SIMPLE_IO_EVENT(xfs_reflink_bounce_dio_write);
+ DEFINE_IOMAP_EVENT(xfs_reflink_find_cow_mapping);
+ DEFINE_INODE_IREC_EVENT(xfs_reflink_trim_irec);
+
+diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
+index 01c0b9c..8c58db2 100644
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -162,8 +162,8 @@ int kvm_io_bus_read(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx, gpa_t addr,
+ int len, void *val);
+ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
+ int len, struct kvm_io_device *dev);
+-int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
+- struct kvm_io_device *dev);
++void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
++ struct kvm_io_device *dev);
+ struct kvm_io_device *kvm_io_bus_get_dev(struct kvm *kvm, enum kvm_bus bus_idx,
+ gpa_t addr);
+
+diff --git a/include/linux/memcontrol.h b/include/linux/memcontrol.h
+index 2546988..8b35bdb 100644
+--- a/include/linux/memcontrol.h
++++ b/include/linux/memcontrol.h
+@@ -739,6 +739,12 @@ static inline bool mem_cgroup_oom_synchronize(bool wait)
+ return false;
+ }
+
++static inline void mem_cgroup_update_page_stat(struct page *page,
++ enum mem_cgroup_stat_index idx,
++ int nr)
++{
++}
++
+ static inline void mem_cgroup_inc_page_stat(struct page *page,
+ enum mem_cgroup_stat_index idx)
+ {
+diff --git a/kernel/padata.c b/kernel/padata.c
+index 7848f05..b4a3c0a 100644
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -190,19 +190,20 @@ static struct padata_priv *padata_get_next(struct parallel_data *pd)
+
+ reorder = &next_queue->reorder;
+
++ spin_lock(&reorder->lock);
+ if (!list_empty(&reorder->list)) {
+ padata = list_entry(reorder->list.next,
+ struct padata_priv, list);
+
+- spin_lock(&reorder->lock);
+ list_del_init(&padata->list);
+ atomic_dec(&pd->reorder_objects);
+- spin_unlock(&reorder->lock);
+
+ pd->processed++;
+
++ spin_unlock(&reorder->lock);
+ goto out;
+ }
++ spin_unlock(&reorder->lock);
+
+ if (__this_cpu_read(pd->pqueue->cpu_index) == next_queue->cpu_index) {
+ padata = ERR_PTR(-ENODATA);
+diff --git a/lib/syscall.c b/lib/syscall.c
+index 63239e0..a72cd09 100644
+--- a/lib/syscall.c
++++ b/lib/syscall.c
+@@ -11,6 +11,7 @@ static int collect_syscall(struct task_struct *target, long *callno,
+
+ if (!try_get_task_stack(target)) {
+ /* Task has no stack, so the task isn't in a syscall. */
++ *sp = *pc = 0;
+ *callno = -1;
+ return 0;
+ }
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index b6adedb..65c36ac 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -4471,6 +4471,7 @@ follow_huge_pmd(struct mm_struct *mm, unsigned long address,
+ {
+ struct page *page = NULL;
+ spinlock_t *ptl;
++ pte_t pte;
+ retry:
+ ptl = pmd_lockptr(mm, pmd);
+ spin_lock(ptl);
+@@ -4480,12 +4481,13 @@ follow_huge_pmd(struct mm_struct *mm, unsigned long address,
+ */
+ if (!pmd_huge(*pmd))
+ goto out;
+- if (pmd_present(*pmd)) {
++ pte = huge_ptep_get((pte_t *)pmd);
++ if (pte_present(pte)) {
+ page = pmd_page(*pmd) + ((address & ~PMD_MASK) >> PAGE_SHIFT);
+ if (flags & FOLL_GET)
+ get_page(page);
+ } else {
+- if (is_hugetlb_entry_migration(huge_ptep_get((pte_t *)pmd))) {
++ if (is_hugetlb_entry_migration(pte)) {
+ spin_unlock(ptl);
+ __migration_entry_wait(mm, (pte_t *)pmd, ptl);
+ goto retry;
+diff --git a/mm/rmap.c b/mm/rmap.c
+index 1ef3640..cd37c1c 100644
+--- a/mm/rmap.c
++++ b/mm/rmap.c
+@@ -1295,7 +1295,7 @@ void page_add_file_rmap(struct page *page, bool compound)
+ goto out;
+ }
+ __mod_node_page_state(page_pgdat(page), NR_FILE_MAPPED, nr);
+- mem_cgroup_inc_page_stat(page, MEM_CGROUP_STAT_FILE_MAPPED);
++ mem_cgroup_update_page_stat(page, MEM_CGROUP_STAT_FILE_MAPPED, nr);
+ out:
+ unlock_page_memcg(page);
+ }
+@@ -1335,7 +1335,7 @@ static void page_remove_file_rmap(struct page *page, bool compound)
+ * pte lock(a spinlock) is held, which implies preemption disabled.
+ */
+ __mod_node_page_state(page_pgdat(page), NR_FILE_MAPPED, -nr);
+- mem_cgroup_dec_page_stat(page, MEM_CGROUP_STAT_FILE_MAPPED);
++ mem_cgroup_update_page_stat(page, MEM_CGROUP_STAT_FILE_MAPPED, -nr);
+
+ if (unlikely(PageMlocked(page)))
+ clear_page_mlock(page);
+diff --git a/mm/workingset.c b/mm/workingset.c
+index 33f6f4d..4c4f056 100644
+--- a/mm/workingset.c
++++ b/mm/workingset.c
+@@ -492,7 +492,7 @@ static int __init workingset_init(void)
+ pr_info("workingset: timestamp_bits=%d max_order=%d bucket_order=%u\n",
+ timestamp_bits, max_order, bucket_order);
+
+- ret = list_lru_init_key(&workingset_shadow_nodes, &shadow_nodes_key);
++ ret = __list_lru_init(&workingset_shadow_nodes, true, &shadow_nodes_key);
+ if (ret)
+ goto err;
+ ret = register_shrinker(&workingset_shadow_shrinker);
+diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
+index 2efb335..25a30be 100644
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -7,6 +7,7 @@
+ #include <linux/kthread.h>
+ #include <linux/net.h>
+ #include <linux/nsproxy.h>
++#include <linux/sched.h>
+ #include <linux/slab.h>
+ #include <linux/socket.h>
+ #include <linux/string.h>
+@@ -469,11 +470,16 @@ static int ceph_tcp_connect(struct ceph_connection *con)
+ {
+ struct sockaddr_storage *paddr = &con->peer_addr.in_addr;
+ struct socket *sock;
++ unsigned int noio_flag;
+ int ret;
+
+ BUG_ON(con->sock);
++
++ /* sock_create_kern() allocates with GFP_KERNEL */
++ noio_flag = memalloc_noio_save();
+ ret = sock_create_kern(read_pnet(&con->msgr->net), paddr->ss_family,
+ SOCK_STREAM, IPPROTO_TCP, &sock);
++ memalloc_noio_restore(noio_flag);
+ if (ret)
+ return ret;
+ sock->sk->sk_allocation = GFP_NOFS;
+diff --git a/sound/core/seq/seq_fifo.c b/sound/core/seq/seq_fifo.c
+index 3f4efcb..3490d21 100644
+--- a/sound/core/seq/seq_fifo.c
++++ b/sound/core/seq/seq_fifo.c
+@@ -265,6 +265,10 @@ int snd_seq_fifo_resize(struct snd_seq_fifo *f, int poolsize)
+ /* NOTE: overflow flag is not cleared */
+ spin_unlock_irqrestore(&f->lock, flags);
+
++ /* close the old pool and wait until all users are gone */
++ snd_seq_pool_mark_closing(oldpool);
++ snd_use_lock_sync(&f->use_lock);
++
+ /* release cells in old pool */
+ for (cell = oldhead; cell; cell = next) {
+ next = cell->next;
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 112caa2..bb1aad3 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4846,6 +4846,7 @@ enum {
+ ALC292_FIXUP_DISABLE_AAMIX,
+ ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK,
+ ALC298_FIXUP_DELL1_MIC_NO_PRESENCE,
++ ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE,
+ ALC275_FIXUP_DELL_XPS,
+ ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE,
+ ALC293_FIXUP_LENOVO_SPK_NOISE,
+@@ -5446,6 +5447,15 @@ static const struct hda_fixup alc269_fixups[] = {
+ .chained = true,
+ .chain_id = ALC269_FIXUP_HEADSET_MODE
+ },
++ [ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x18, 0x01a1913c }, /* use as headset mic, without its own jack detect */
++ { }
++ },
++ .chained = true,
++ .chain_id = ALC269_FIXUP_HEADSET_MODE
++ },
+ [ALC275_FIXUP_DELL_XPS] = {
+ .type = HDA_FIXUP_VERBS,
+ .v.verbs = (const struct hda_verb[]) {
+@@ -5518,7 +5528,7 @@ static const struct hda_fixup alc269_fixups[] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc298_fixup_speaker_volume,
+ .chained = true,
+- .chain_id = ALC298_FIXUP_DELL1_MIC_NO_PRESENCE,
++ .chain_id = ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE,
+ },
+ [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = {
+ .type = HDA_FIXUP_PINS,
+diff --git a/sound/soc/atmel/atmel-classd.c b/sound/soc/atmel/atmel-classd.c
+index 89ac5f5..7ae46c2 100644
+--- a/sound/soc/atmel/atmel-classd.c
++++ b/sound/soc/atmel/atmel-classd.c
+@@ -349,7 +349,7 @@ static int atmel_classd_codec_dai_digital_mute(struct snd_soc_dai *codec_dai,
+ }
+
+ #define CLASSD_ACLK_RATE_11M2896_MPY_8 (112896 * 100 * 8)
+-#define CLASSD_ACLK_RATE_12M288_MPY_8 (12228 * 1000 * 8)
++#define CLASSD_ACLK_RATE_12M288_MPY_8 (12288 * 1000 * 8)
+
+ static struct {
+ int rate;
+diff --git a/sound/soc/intel/skylake/skl-topology.c b/sound/soc/intel/skylake/skl-topology.c
+index b5b1934..bef8a45 100644
+--- a/sound/soc/intel/skylake/skl-topology.c
++++ b/sound/soc/intel/skylake/skl-topology.c
+@@ -448,7 +448,7 @@ static int skl_tplg_set_module_init_data(struct snd_soc_dapm_widget *w)
+ if (bc->set_params != SKL_PARAM_INIT)
+ continue;
+
+- mconfig->formats_config.caps = (u32 *)&bc->params;
++ mconfig->formats_config.caps = (u32 *)bc->params;
+ mconfig->formats_config.caps_size = bc->size;
+
+ break;
+diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c
+index a29786d..4d28a9d 100644
+--- a/virt/kvm/eventfd.c
++++ b/virt/kvm/eventfd.c
+@@ -870,7 +870,8 @@ kvm_deassign_ioeventfd_idx(struct kvm *kvm, enum kvm_bus bus_idx,
+ continue;
+
+ kvm_io_bus_unregister_dev(kvm, bus_idx, &p->dev);
+- kvm->buses[bus_idx]->ioeventfd_count--;
++ if (kvm->buses[bus_idx])
++ kvm->buses[bus_idx]->ioeventfd_count--;
+ ioeventfd_release(p);
+ ret = 0;
+ break;
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 7f9ee29..f4c6d4f 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -720,8 +720,11 @@ static void kvm_destroy_vm(struct kvm *kvm)
+ list_del(&kvm->vm_list);
+ spin_unlock(&kvm_lock);
+ kvm_free_irq_routing(kvm);
+- for (i = 0; i < KVM_NR_BUSES; i++)
+- kvm_io_bus_destroy(kvm->buses[i]);
++ for (i = 0; i < KVM_NR_BUSES; i++) {
++ if (kvm->buses[i])
++ kvm_io_bus_destroy(kvm->buses[i]);
++ kvm->buses[i] = NULL;
++ }
+ kvm_coalesced_mmio_free(kvm);
+ #if defined(CONFIG_MMU_NOTIFIER) && defined(KVM_ARCH_WANT_MMU_NOTIFIER)
+ mmu_notifier_unregister(&kvm->mmu_notifier, kvm->mm);
+@@ -3463,6 +3466,8 @@ int kvm_io_bus_write(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx, gpa_t addr,
+ };
+
+ bus = srcu_dereference(vcpu->kvm->buses[bus_idx], &vcpu->kvm->srcu);
++ if (!bus)
++ return -ENOMEM;
+ r = __kvm_io_bus_write(vcpu, bus, &range, val);
+ return r < 0 ? r : 0;
+ }
+@@ -3480,6 +3485,8 @@ int kvm_io_bus_write_cookie(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx,
+ };
+
+ bus = srcu_dereference(vcpu->kvm->buses[bus_idx], &vcpu->kvm->srcu);
++ if (!bus)
++ return -ENOMEM;
+
+ /* First try the device referenced by cookie. */
+ if ((cookie >= 0) && (cookie < bus->dev_count) &&
+@@ -3530,6 +3537,8 @@ int kvm_io_bus_read(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx, gpa_t addr,
+ };
+
+ bus = srcu_dereference(vcpu->kvm->buses[bus_idx], &vcpu->kvm->srcu);
++ if (!bus)
++ return -ENOMEM;
+ r = __kvm_io_bus_read(vcpu, bus, &range, val);
+ return r < 0 ? r : 0;
+ }
+@@ -3542,6 +3551,9 @@ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
+ struct kvm_io_bus *new_bus, *bus;
+
+ bus = kvm->buses[bus_idx];
++ if (!bus)
++ return -ENOMEM;
++
+ /* exclude ioeventfd which is limited by maximum fd */
+ if (bus->dev_count - bus->ioeventfd_count > NR_IOBUS_DEVS - 1)
+ return -ENOSPC;
+@@ -3561,37 +3573,41 @@ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
+ }
+
+ /* Caller must hold slots_lock. */
+-int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
+- struct kvm_io_device *dev)
++void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
++ struct kvm_io_device *dev)
+ {
+- int i, r;
++ int i;
+ struct kvm_io_bus *new_bus, *bus;
+
+ bus = kvm->buses[bus_idx];
+- r = -ENOENT;
++ if (!bus)
++ return;
++
+ for (i = 0; i < bus->dev_count; i++)
+ if (bus->range[i].dev == dev) {
+- r = 0;
+ break;
+ }
+
+- if (r)
+- return r;
++ if (i == bus->dev_count)
++ return;
+
+ new_bus = kmalloc(sizeof(*bus) + ((bus->dev_count - 1) *
+ sizeof(struct kvm_io_range)), GFP_KERNEL);
+- if (!new_bus)
+- return -ENOMEM;
++ if (!new_bus) {
++ pr_err("kvm: failed to shrink bus, removing it completely\n");
++ goto broken;
++ }
+
+ memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
+ new_bus->dev_count--;
+ memcpy(new_bus->range + i, bus->range + i + 1,
+ (new_bus->dev_count - i) * sizeof(struct kvm_io_range));
+
++broken:
+ rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
+ synchronize_srcu_expedited(&kvm->srcu);
+ kfree(bus);
+- return r;
++ return;
+ }
+
+ struct kvm_io_device *kvm_io_bus_get_dev(struct kvm *kvm, enum kvm_bus bus_idx,
+@@ -3604,6 +3620,8 @@ struct kvm_io_device *kvm_io_bus_get_dev(struct kvm *kvm, enum kvm_bus bus_idx,
+ srcu_idx = srcu_read_lock(&kvm->srcu);
+
+ bus = srcu_dereference(kvm->buses[bus_idx], &kvm->srcu);
++ if (!bus)
++ goto out_unlock;
+
+ dev_idx = kvm_io_bus_get_first_dev(bus, addr, 1);
+ if (dev_idx < 0)
diff --git a/4.9.20/4420_grsecurity-3.1-4.9.20-201703310823.patch b/4.9.21/4420_grsecurity-3.1-4.9.21-201704091948.patch
index f803149..b1e5afd 100644
--- a/4.9.20/4420_grsecurity-3.1-4.9.20-201703310823.patch
+++ b/4.9.21/4420_grsecurity-3.1-4.9.21-201704091948.patch
@@ -419,7 +419,7 @@ index 3d0ae15..84e5412 100644
cmd_syscalls = $(CONFIG_SHELL) $< $(CC) $(c_flags) $(missing_syscalls_flags)
diff --git a/Makefile b/Makefile
-index 4496018..3f9a080 100644
+index 1523557..8b62811 100644
--- a/Makefile
+++ b/Makefile
@@ -302,7 +302,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -7972,10 +7972,10 @@ index 3a4ed9f..29b7218 100644
#define PAGE_KERNEL_EXEC __pgprot(_PAGE_KERNEL_EXEC)
#define PAGE_KERNEL_RWX __pgprot(_PAGE_KERNEL_RWX)
diff --git a/arch/parisc/include/asm/uaccess.h b/arch/parisc/include/asm/uaccess.h
-index 9a2aee1..a8e588f 100644
+index 7fcf512..37391e8 100644
--- a/arch/parisc/include/asm/uaccess.h
+++ b/arch/parisc/include/asm/uaccess.h
-@@ -223,10 +223,10 @@ static inline void copy_user_overflow(int size, unsigned long count)
+@@ -232,10 +232,10 @@ static inline void copy_user_overflow(int size, unsigned long count)
static __always_inline unsigned long __must_check
copy_from_user(void *to, const void __user *from, unsigned long n)
{
@@ -7988,7 +7988,7 @@ index 9a2aee1..a8e588f 100644
check_object_size(to, n, false);
ret = __copy_from_user(to, from, n);
} else if (!__builtin_constant_p(n))
-@@ -234,7 +234,7 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
+@@ -243,7 +243,7 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
else
__bad_copy_user();
@@ -7997,7 +7997,7 @@ index 9a2aee1..a8e588f 100644
memset(to + (n - ret), 0, ret);
return ret;
-@@ -243,9 +243,9 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
+@@ -252,9 +252,9 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
static __always_inline unsigned long __must_check
copy_to_user(void __user *to, const void *from, unsigned long n)
{
@@ -8174,7 +8174,7 @@ index 378df92..9b2ab51 100644
fault_space = regs->iasq[0];
diff --git a/arch/parisc/mm/fault.c b/arch/parisc/mm/fault.c
-index 1a0b4f6..f9d326d 100644
+index 040c48f..d133dce 100644
--- a/arch/parisc/mm/fault.c
+++ b/arch/parisc/mm/fault.c
@@ -16,6 +16,7 @@
@@ -8311,7 +8311,7 @@ index 1a0b4f6..f9d326d 100644
int fixup_exception(struct pt_regs *regs)
{
const struct exception_table_entry *fix;
-@@ -281,8 +392,33 @@ void do_page_fault(struct pt_regs *regs, unsigned long code,
+@@ -298,8 +409,33 @@ void do_page_fault(struct pt_regs *regs, unsigned long code,
good_area:
@@ -37964,7 +37964,7 @@ index 33147fe..fb022d0 100644
+ pax_ret __iowrite32_copy
ENDPROC(__iowrite32_copy)
diff --git a/arch/x86/lib/memcpy_64.S b/arch/x86/lib/memcpy_64.S
-index 779782f..7aef7b9 100644
+index 9a53a06..275443c 100644
--- a/arch/x86/lib/memcpy_64.S
+++ b/arch/x86/lib/memcpy_64.S
@@ -38,7 +38,7 @@ ENTRY(memcpy)
@@ -45246,10 +45246,10 @@ index 2f33760..835e50a 100644
#define XCHAL_ICACHE_SIZE 8192 /* I-cache size in bytes or 0 */
#define XCHAL_DCACHE_SIZE 8192 /* D-cache size in bytes or 0 */
diff --git a/block/bio.c b/block/bio.c
-index db85c57..1044432 100644
+index 655c901..09ce39c 100644
--- a/block/bio.c
+++ b/block/bio.c
-@@ -1145,7 +1145,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
+@@ -1151,7 +1151,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
/*
* Overflow, abort
*/
@@ -45258,7 +45258,7 @@ index db85c57..1044432 100644
return ERR_PTR(-EINVAL);
nr_pages += end - start;
-@@ -1270,7 +1270,7 @@ struct bio *bio_map_user_iov(struct request_queue *q,
+@@ -1276,7 +1276,7 @@ struct bio *bio_map_user_iov(struct request_queue *q,
/*
* Overflow, abort
*/
@@ -45267,7 +45267,7 @@ index db85c57..1044432 100644
return ERR_PTR(-EINVAL);
nr_pages += end - start;
-@@ -1778,7 +1778,7 @@ EXPORT_SYMBOL(bio_endio);
+@@ -1784,7 +1784,7 @@ EXPORT_SYMBOL(bio_endio);
* to @bio's bi_io_vec; it is the caller's responsibility to ensure that
* @bio is not freed before the split.
*/
@@ -45331,10 +45331,10 @@ index b08ccbb..87fe492 100644
spin_unlock_irq(blkg->q->queue_lock);
diff --git a/block/blk-core.c b/block/blk-core.c
-index 14d7c07..fd7b832 100644
+index d1f2801..41bbb9a 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
-@@ -3539,8 +3539,11 @@ int __init blk_dev_init(void)
+@@ -3562,8 +3562,11 @@ int __init blk_dev_init(void)
if (!kblockd_workqueue)
panic("Failed to create kblockd\n");
@@ -49937,7 +49937,7 @@ index 3a1f49f..42a478e 100644
}
EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler);
diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
-index 80fa656..fe055932 100644
+index 80fa656..fe05593 100644
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -283,13 +283,13 @@ struct pstate_funcs {
@@ -54248,7 +54248,7 @@ index 4388dde..07a718c 100644
-int radeon_max_kms_ioctl = ARRAY_SIZE(radeon_ioctls_kms);
+const int radeon_max_kms_ioctl = ARRAY_SIZE(radeon_ioctls_kms);
diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c
-index 3de5e6e..3072170 100644
+index 4ce04e0..db71634 100644
--- a/drivers/gpu/drm/radeon/radeon_ttm.c
+++ b/drivers/gpu/drm/radeon/radeon_ttm.c
@@ -975,7 +975,7 @@ void radeon_ttm_set_active_vram_size(struct radeon_device *rdev, u64 size)
@@ -59220,7 +59220,7 @@ index 1cd9aff..3775d52 100644
DAdapter.request((ENTITY *)&req);
if (req.didd_notify.e.Rc != 0xff)
diff --git a/drivers/isdn/hardware/mISDN/avmfritz.c b/drivers/isdn/hardware/mISDN/avmfritz.c
-index e3fa1cd..a57b04f 100644
+index e3fa1cd6..a57b04f 100644
--- a/drivers/isdn/hardware/mISDN/avmfritz.c
+++ b/drivers/isdn/hardware/mISDN/avmfritz.c
@@ -156,7 +156,7 @@ _set_debug(struct fritzcard *card)
@@ -61998,7 +61998,7 @@ index a15091a..2d20208 100644
pmd->bl_info.value_type.inc = data_block_inc;
pmd->bl_info.value_type.dec = data_block_dec;
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index 628ba00..5fd8b03 100644
+index e66f404..b4ad377 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -569,14 +569,16 @@ static void queue_io(struct mapped_device *md, struct bio *bio)
@@ -62038,7 +62038,7 @@ index 628ba00..5fd8b03 100644
{
rcu_read_unlock();
}
-@@ -1539,8 +1543,8 @@ static struct mapped_device *alloc_dev(int minor)
+@@ -1542,8 +1546,8 @@ static struct mapped_device *alloc_dev(int minor)
spin_lock_init(&md->deferred_lock);
atomic_set(&md->holders, 1);
atomic_set(&md->open_count, 0);
@@ -62049,7 +62049,7 @@ index 628ba00..5fd8b03 100644
INIT_LIST_HEAD(&md->uevent_list);
INIT_LIST_HEAD(&md->table_devices);
spin_lock_init(&md->uevent_lock);
-@@ -1679,7 +1683,7 @@ static void event_callback(void *context)
+@@ -1682,7 +1686,7 @@ static void event_callback(void *context)
dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
@@ -62058,7 +62058,7 @@ index 628ba00..5fd8b03 100644
wake_up(&md->eventq);
}
-@@ -2467,18 +2471,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
+@@ -2470,18 +2474,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
uint32_t dm_next_uevent_seq(struct mapped_device *md)
{
@@ -62356,10 +62356,10 @@ index 29e2df5..c367325 100644
"md/raid1:%s: read error corrected "
"(%d sectors at %llu on %s)\n",
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
-index 55b5e0e..4969510 100644
+index 4c4aab0..a552681 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
-@@ -1063,7 +1063,7 @@ static void __make_request(struct mddev *mddev, struct bio *bio)
+@@ -1064,7 +1064,7 @@ static void __make_request(struct mddev *mddev, struct bio *bio)
struct md_rdev *blocked_rdev;
struct blk_plug_cb *cb;
struct raid10_plug_cb *plug = NULL;
@@ -62368,7 +62368,7 @@ index 55b5e0e..4969510 100644
int max_sectors;
int sectors;
-@@ -1441,7 +1441,7 @@ static void raid10_make_request(struct mddev *mddev, struct bio *bio)
+@@ -1442,7 +1442,7 @@ static void raid10_make_request(struct mddev *mddev, struct bio *bio)
{
struct r10conf *conf = mddev->private;
sector_t chunk_mask = (conf->geo.chunk_mask & conf->prev.chunk_mask);
@@ -62377,7 +62377,7 @@ index 55b5e0e..4969510 100644
struct bio *split;
-@@ -1847,7 +1847,7 @@ static void end_sync_read(struct bio *bio)
+@@ -1848,7 +1848,7 @@ static void end_sync_read(struct bio *bio)
/* The write handler will notice the lack of
* R10BIO_Uptodate and record any errors etc
*/
@@ -62386,7 +62386,7 @@ index 55b5e0e..4969510 100644
&conf->mirrors[d].rdev->corrected_errors);
/* for reconstruct, we always reschedule after a read.
-@@ -1996,7 +1996,7 @@ static void sync_request_write(struct mddev *mddev, struct r10bio *r10_bio)
+@@ -1997,7 +1997,7 @@ static void sync_request_write(struct mddev *mddev, struct r10bio *r10_bio)
}
if (j == vcnt)
continue;
@@ -62395,7 +62395,7 @@ index 55b5e0e..4969510 100644
if (test_bit(MD_RECOVERY_CHECK, &mddev->recovery))
/* Don't fix anything. */
continue;
-@@ -2195,7 +2195,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
+@@ -2196,7 +2196,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
{
long cur_time_mon;
unsigned long hours_since_last;
@@ -62404,7 +62404,7 @@ index 55b5e0e..4969510 100644
cur_time_mon = ktime_get_seconds();
-@@ -2216,9 +2216,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
+@@ -2217,9 +2217,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
* overflowing the shift of read_errors by hours_since_last.
*/
if (hours_since_last >= 8 * sizeof(read_errors))
@@ -62416,7 +62416,7 @@ index 55b5e0e..4969510 100644
}
static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector,
-@@ -2272,8 +2272,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
+@@ -2273,8 +2273,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
return;
check_decay_read_errors(mddev, rdev);
@@ -62427,7 +62427,7 @@ index 55b5e0e..4969510 100644
char b[BDEVNAME_SIZE];
bdevname(rdev->bdev, b);
-@@ -2281,7 +2281,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
+@@ -2282,7 +2282,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
"md/raid10:%s: %s: Raid device exceeded "
"read_error threshold [cur %d:max %d]\n",
mdname(mddev), b,
@@ -62436,7 +62436,7 @@ index 55b5e0e..4969510 100644
printk(KERN_NOTICE
"md/raid10:%s: %s: Failing raid device\n",
mdname(mddev), b);
-@@ -2438,7 +2438,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
+@@ -2439,7 +2439,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
sect +
choose_data_offset(r10_bio, rdev)),
bdevname(rdev->bdev, b));
@@ -62445,7 +62445,7 @@ index 55b5e0e..4969510 100644
}
rdev_dec_pending(rdev, mddev);
-@@ -3209,6 +3209,7 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr,
+@@ -3210,6 +3210,7 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr,
} else {
/* resync. Schedule a read for every block at this virt offset */
int count = 0;
@@ -62453,7 +62453,7 @@ index 55b5e0e..4969510 100644
bitmap_cond_end_sync(mddev->bitmap, sector_nr, 0);
-@@ -3234,7 +3235,8 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr,
+@@ -3235,7 +3236,8 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr,
r10_bio->sector = sector_nr;
set_bit(R10BIO_IsSync, &r10_bio->state);
raid10_find_phys(conf, r10_bio);
@@ -74998,10 +74998,10 @@ index 4358611..e0cbb1a 100644
setup_timer(&pp->db_timer, pp_ping, (unsigned long)pp);
pp->db_delay = msecs_to_jiffies(delay_ms);
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
-index 5e52034..a57342e 100644
+index 8a9c186..117d53c 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
-@@ -2038,7 +2038,7 @@ static int nvme_resume(struct device *dev)
+@@ -2040,7 +2040,7 @@ static int nvme_resume(struct device *dev)
static SIMPLE_DEV_PM_OPS(nvme_dev_pm_ops, nvme_suspend, nvme_resume);
static pci_ers_result_t nvme_error_detected(struct pci_dev *pdev,
@@ -78987,7 +78987,7 @@ index 16ca31a..f5adf48 100644
}
EXPORT_SYMBOL(fc_exch_update_stats);
diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c
-index 763f012..641a55a 100644
+index 87f5e694..934a151 100644
--- a/drivers/scsi/libsas/sas_ata.c
+++ b/drivers/scsi/libsas/sas_ata.c
@@ -532,7 +532,7 @@ static struct ata_port_operations sas_sata_ops = {
@@ -79431,10 +79431,10 @@ index e1d150f..6c6df44 100644
/* To indicate add/delete/modify during CCN */
u8 change_detected;
diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
-index fe7469c..91e0c0b 100644
+index ad33238..61286a2 100644
--- a/drivers/scsi/qla2xxx/qla_attr.c
+++ b/drivers/scsi/qla2xxx/qla_attr.c
-@@ -2186,7 +2186,7 @@ qla24xx_vport_disable(struct fc_vport *fc_vport, bool disable)
+@@ -2184,7 +2184,7 @@ qla24xx_vport_disable(struct fc_vport *fc_vport, bool disable)
return 0;
}
@@ -79443,7 +79443,7 @@ index fe7469c..91e0c0b 100644
.show_host_node_name = 1,
.show_host_port_name = 1,
-@@ -2234,7 +2234,7 @@ struct fc_function_template qla2xxx_transport_functions = {
+@@ -2232,7 +2232,7 @@ struct fc_function_template qla2xxx_transport_functions = {
.bsg_timeout = qla24xx_bsg_timeout,
};
@@ -79479,7 +79479,7 @@ index 6ca0081..fbb9efd 100644
extern void qla2x00_free_sysfs_attr(scsi_qla_host_t *, bool);
extern void qla2x00_init_host_attr(scsi_qla_host_t *);
diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
-index bea819e..fb745e0 100644
+index 4f361d8..64d9741 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -301,12 +301,12 @@ struct scsi_transport_template *qla2xxx_transport_vport_template = NULL;
@@ -79510,7 +79510,7 @@ index bea819e..fb745e0 100644
return;
}
}
-@@ -5410,8 +5412,9 @@ qla2x00_rst_aen(scsi_qla_host_t *vha)
+@@ -5411,8 +5413,9 @@ qla2x00_rst_aen(scsi_qla_host_t *vha)
* Context: Interrupt
***************************************************************************/
void
@@ -79521,7 +79521,7 @@ index bea819e..fb745e0 100644
unsigned long cpu_flags = 0;
int start_dpc = 0;
int index;
-@@ -5673,7 +5676,7 @@ qla2x00_release_firmware(void)
+@@ -5674,7 +5677,7 @@ qla2x00_release_firmware(void)
}
static pci_ers_result_t
@@ -80012,10 +80012,10 @@ index 51e5629..caef5f7 100644
if (!sdp->request_queue->rq_timeout) {
if (sdp->type != TYPE_MOD)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
-index 121de0a..f2ba1bb 100644
+index f753df2..2377b53 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
-@@ -1083,7 +1083,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
+@@ -1085,7 +1085,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
sdp->disk->disk_name,
MKDEV(SCSI_GENERIC_MAJOR, sdp->index),
NULL,
@@ -86176,10 +86176,10 @@ index 4016dae..b4d3ad4 100644
(uurb->endpoint & USB_DIR_IN);
diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
-index 479e223..ba82b75 100644
+index f029aad..288ba2a 100644
--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
-@@ -1631,7 +1631,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
+@@ -1634,7 +1634,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
*/
usb_get_urb(urb);
atomic_inc(&urb->use_count);
@@ -86188,7 +86188,7 @@ index 479e223..ba82b75 100644
usbmon_urb_submit(&hcd->self, urb);
/* NOTE requirements on root-hub callers (usbfs and the hub
-@@ -1658,7 +1658,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
+@@ -1661,7 +1661,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
urb->hcpriv = NULL;
INIT_LIST_HEAD(&urb->urb_list);
atomic_dec(&urb->use_count);
@@ -119134,7 +119134,7 @@ index 54cde9a..ff5756c 100644
break;
case RC_REPLBUFF:
diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c
-index 010aff5..6471987 100644
+index 536009e..2ec9a83b 100644
--- a/fs/nfsd/nfsproc.c
+++ b/fs/nfsd/nfsproc.c
@@ -39,9 +39,11 @@ nfsd_return_dirop(__be32 err, struct nfsd_diropres *resp)
@@ -124505,7 +124505,7 @@ index 689f746..3e200fc 100644
kmem_zone_free(kmem_zone_t *zone, void *ptr)
{
diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
-index f52fd63..e6c7b8b 100644
+index 5a508b0..a734062 100644
--- a/fs/xfs/libxfs/xfs_bmap.c
+++ b/fs/xfs/libxfs/xfs_bmap.c
@@ -579,7 +579,7 @@ xfs_bmap_validate_ret(
@@ -124518,7 +124518,7 @@ index f52fd63..e6c7b8b 100644
/*
diff --git a/fs/xfs/libxfs/xfs_da_btree.c b/fs/xfs/libxfs/xfs_da_btree.c
-index f2dc1a9..5677aa5 100644
+index 1bdf288..91a91a1 100644
--- a/fs/xfs/libxfs/xfs_da_btree.c
+++ b/fs/xfs/libxfs/xfs_da_btree.c
@@ -2011,6 +2011,7 @@ xfs_da_grow_inode_int(
@@ -124601,7 +124601,7 @@ index 1455b2520..6f717f3 100644
__u32 mod;
diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c
-index ade4691..0c6ea60 100644
+index dbbd3f1..767cb22 100644
--- a/fs/xfs/xfs_super.c
+++ b/fs/xfs/xfs_super.c
@@ -1812,9 +1812,11 @@ xfs_init_zones(void)
@@ -141101,7 +141101,7 @@ index 6e8b5b2..8e8a37d 100644
u32 remainder;
return div_u64_rem(dividend, divisor, &remainder);
diff --git a/include/linux/memcontrol.h b/include/linux/memcontrol.h
-index 2546988..ce9c14d 100644
+index 8b35bdb..a87beac 100644
--- a/include/linux/memcontrol.h
+++ b/include/linux/memcontrol.h
@@ -258,7 +258,7 @@ struct mem_cgroup {
@@ -151565,7 +151565,7 @@ index fd2c9ac..6263e05 100644
return -ENOENT;
}
diff --git a/kernel/padata.c b/kernel/padata.c
-index 7848f05..424c303 100644
+index b4a3c0a..47416e92 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -55,7 +55,7 @@ static int padata_cpu_hash(struct parallel_data *pd)
@@ -151577,7 +151577,7 @@ index 7848f05..424c303 100644
cpu_index = seq_nr % cpumask_weight(pd->cpumask.pcpu);
return padata_index_to_cpu(pd, cpu_index);
-@@ -429,7 +429,7 @@ static struct parallel_data *padata_alloc_pd(struct padata_instance *pinst,
+@@ -430,7 +430,7 @@ static struct parallel_data *padata_alloc_pd(struct padata_instance *pinst,
padata_init_pqueues(pd);
padata_init_squeues(pd);
setup_timer(&pd->timer, padata_reorder_timer, (unsigned long)pd);
@@ -156896,7 +156896,7 @@ index 50b4ca6..cf64608 100644
pkmap_count[last_pkmap_nr] = 1;
set_page_address(page, (void *)vaddr);
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
-index b6adedb..6222175 100644
+index 65c36ac..daaa161 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -38,7 +38,72 @@ int hugepages_treat_as_movable;
@@ -160209,7 +160209,7 @@ index c8a955b..fad2128 100644
struct page *page;
int ret = 0;
diff --git a/mm/rmap.c b/mm/rmap.c
-index 1ef3640..88c345d 100644
+index cd37c1c..515080f 100644
--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -172,6 +172,10 @@ int anon_vma_prepare(struct vm_area_struct *vma)
@@ -163835,10 +163835,10 @@ index 464e885..1fbb9dc 100644
#include <linux/module.h>
#include <linux/mount.h>
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
-index 2efb335..e8a499d 100644
+index 25a30be..4de32e6 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
-@@ -187,7 +187,7 @@ static void con_fault(struct ceph_connection *con);
+@@ -188,7 +188,7 @@ static void con_fault(struct ceph_connection *con);
#define MAX_ADDR_STR_LEN 64 /* 54 is enough */
static char addr_str[ADDR_STR_COUNT][MAX_ADDR_STR_LEN];
@@ -163847,7 +163847,7 @@ index 2efb335..e8a499d 100644
static struct page *zero_page; /* used in certain error cases */
-@@ -198,7 +198,7 @@ const char *ceph_pr_addr(const struct sockaddr_storage *ss)
+@@ -199,7 +199,7 @@ const char *ceph_pr_addr(const struct sockaddr_storage *ss)
struct sockaddr_in *in4 = (struct sockaddr_in *) ss;
struct sockaddr_in6 *in6 = (struct sockaddr_in6 *) ss;
@@ -209493,10 +209493,10 @@ index 0000000..0928e48
+size_mei_msg_data_65529_fields size mei_msg_data 0 65529 NULL
diff --git a/scripts/gcc-plugins/size_overflow_plugin/e_fns.data b/scripts/gcc-plugins/size_overflow_plugin/e_fns.data
new file mode 100644
-index 0000000..6dbe9b1
+index 0000000..06c363d
--- /dev/null
+++ b/scripts/gcc-plugins/size_overflow_plugin/e_fns.data
-@@ -0,0 +1,5035 @@
+@@ -0,0 +1,5041 @@
+logi_dj_recv_query_paired_devices_fndecl_13_fns logi_dj_recv_query_paired_devices fndecl 0 13 NULL
+response_length_ib_uverbs_ex_destroy_wq_resp_15_fns response_length ib_uverbs_ex_destroy_wq_resp 0 15 NULL
+kfd_wait_on_events_fndecl_19_fns kfd_wait_on_events fndecl 2 19 NULL
@@ -210000,6 +210000,7 @@ index 0000000..6dbe9b1
+max_vals_input_dev_6777_fns max_vals input_dev 0 6777 NULL
+mmc_send_bus_test_fndecl_6782_fns mmc_send_bus_test fndecl 4 6782 NULL
+csio_mem_read_fndecl_6812_fns csio_mem_read fndecl 3 6812 NULL
++debugfs_write_file_bool_fndecl_6814_fns debugfs_write_file_bool fndecl 3 6814 NULL
+pwr_power_save_off_read_fndecl_6816_fns pwr_power_save_off_read fndecl 3 6816 NULL
+minor_miscdevice_6818_fns minor miscdevice 0 6818 NULL
+xlbd_reserve_minors_fndecl_6830_fns xlbd_reserve_minors fndecl 2-1 6830 NULL
@@ -210744,7 +210745,8 @@ index 0000000..6dbe9b1
+of_dma_match_channel_fndecl_16675_fns of_dma_match_channel fndecl 3 16675 NULL
+cons_read_buffer_16688_fns cons read_buffer 0 16688 NULL
+rx_rate_rx_frames_per_rates_read_fndecl_16737_fns rx_rate_rx_frames_per_rates_read fndecl 3 16737 NULL
-+devlink_alloc_fndecl_16742_fns devlink_alloc fndecl 2 16742 NULL
++devlink_alloc_fndecl_16742_fns devlink_alloc fndecl 2 16742 NULL nohasharray
++fault_disconnect_write_fndecl_16742_fns fault_disconnect_write fndecl 3 16742 &devlink_alloc_fndecl_16742_fns
+num_q_csio_wrm_16770_fns num_q csio_wrm 0 16770 NULL
+max_iu_len_srp_target_port_16784_fns max_iu_len srp_target_port 0 16784 NULL
+ishtp_host_dma_tx_buf_size_ishtp_device_16798_fns ishtp_host_dma_tx_buf_size ishtp_device 0 16798 NULL
@@ -212783,6 +212785,7 @@ index 0000000..6dbe9b1
+pof_reclen_boot_data_42966_fns pof_reclen boot_data 0 42966 NULL
+ea_len_fndecl_42998_fns ea_len fndecl 0 42998 NULL
+obd_ioctl_popdata_fndecl_43014_fns obd_ioctl_popdata fndecl 3 43014 NULL
++quirk_simultaneous_discovery_write_fndecl_43076_fns quirk_simultaneous_discovery_write fndecl 3 43076 NULL
+rx_fcs_err_read_fndecl_43119_fns rx_fcs_err_read fndecl 3 43119 NULL
+ndev_init_isr_fndecl_43138_fns ndev_init_isr fndecl 3 43138 NULL
+kvm_vcpu_gfn_to_pfn_fndecl_43158_fns kvm_vcpu_gfn_to_pfn fndecl 2 43158 NULL
@@ -214022,6 +214025,7 @@ index 0000000..6dbe9b1
+nr_strip_zones_r0conf_59052_fns nr_strip_zones r0conf 0 59052 &posix_acl_alloc_fndecl_59052_fns
+axi_dmac_prep_slave_sg_fndecl_59073_fns axi_dmac_prep_slave_sg fndecl 3 59073 NULL
+buffer_mousedev_client_59098_fns buffer mousedev_client 0 59098 NULL
++wm_latency_write_fndecl_59118_fns wm_latency_write fndecl 3 59118 NULL
+mmc_alloc_host_fndecl_59122_fns mmc_alloc_host fndecl 1 59122 NULL
+tas571x_reg_write_multiword_fndecl_59156_fns tas571x_reg_write_multiword fndecl 4 59156 NULL
+copy_ucs2_from_user_len_fndecl_59162_fns copy_ucs2_from_user_len fndecl 3 59162 NULL
@@ -214119,6 +214123,7 @@ index 0000000..6dbe9b1
+string_escape_str_fndecl_60365_fns string_escape_str fndecl 0 60365 NULL
+num_counters_vardecl_sysfs_c_60371_fns num_counters vardecl_sysfs.c 0 60371 NULL
+shmem_pwrite_fast_fndecl_60393_fns shmem_pwrite_fast fndecl 3 60393 NULL
++quirk_strict_duplicate_filter_write_fndecl_60446_fns quirk_strict_duplicate_filter_write fndecl 3 60446 NULL
+sd_quota_slots_gfs2_sbd_60466_fns sd_quota_slots gfs2_sbd 0 60466 NULL
+ll_iocontrol_register_fndecl_60517_fns ll_iocontrol_register fndecl 2 60517 NULL
+iommu_dma_alloc_fndecl_60521_fns iommu_dma_alloc fndecl 2 60521 NULL
@@ -214531,7 +214536,8 @@ index 0000000..6dbe9b1
+squashfs_cache_init_fndecl_65451_fns squashfs_cache_init fndecl 3-2 65451 NULL
+raw_notifier_call_chain_fndecl_65500_fns raw_notifier_call_chain fndecl 0 65500 NULL
+sys_pwritev_fndecl_65513_fns sys_pwritev fndecl 3 65513 NULL
-+bcm2835_dma_prep_dma_memcpy_fndecl_65534_fns bcm2835_dma_prep_dma_memcpy fndecl 4 65534 NULL
++bcm2835_dma_prep_dma_memcpy_fndecl_65534_fns bcm2835_dma_prep_dma_memcpy fndecl 4 65534 NULL nohasharray
++connector_write_fndecl_65534_fns connector_write fndecl 3 65534 &bcm2835_dma_prep_dma_memcpy_fndecl_65534_fns
diff --git a/scripts/gcc-plugins/size_overflow_plugin/e_fptrs.data b/scripts/gcc-plugins/size_overflow_plugin/e_fptrs.data
new file mode 100644
index 0000000..ed95ec1
@@ -224644,7 +224650,7 @@ index f3b1d7f..6645b81 100644
}
#endif
diff --git a/sound/core/seq/seq_fifo.c b/sound/core/seq/seq_fifo.c
-index 3f4efcb..da7bb45 100644
+index 3490d21..e336d83 100644
--- a/sound/core/seq/seq_fifo.c
+++ b/sound/core/seq/seq_fifo.c
@@ -50,7 +50,7 @@ struct snd_seq_fifo *snd_seq_fifo_new(int poolsize)
@@ -225790,7 +225796,7 @@ index 0a578fe..b81f62d 100644
})
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 7f9ee29..1dccca1 100644
+index f4c6d4f..07aea88 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -93,12 +93,17 @@ LIST_HEAD(vm_list);
@@ -225824,7 +225830,7 @@ index 7f9ee29..1dccca1 100644
if (!debugfs_initialized())
return 0;
-@@ -911,7 +920,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
+@@ -914,7 +923,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
/* We can read the guest memory with __xxx_user() later on. */
if ((id < KVM_USER_MEM_SLOTS) &&
((mem->userspace_addr & (PAGE_SIZE - 1)) ||
@@ -225833,7 +225839,7 @@ index 7f9ee29..1dccca1 100644
(void __user *)(unsigned long)mem->userspace_addr,
mem->memory_size)))
goto out;
-@@ -2025,9 +2034,17 @@ EXPORT_SYMBOL_GPL(kvm_read_guest_cached);
+@@ -2028,9 +2037,17 @@ EXPORT_SYMBOL_GPL(kvm_read_guest_cached);
int kvm_clear_guest_page(struct kvm *kvm, gfn_t gfn, int offset, int len)
{
@@ -225853,7 +225859,7 @@ index 7f9ee29..1dccca1 100644
}
EXPORT_SYMBOL_GPL(kvm_clear_guest_page);
-@@ -2379,7 +2396,7 @@ static int kvm_vcpu_release(struct inode *inode, struct file *filp)
+@@ -2382,7 +2399,7 @@ static int kvm_vcpu_release(struct inode *inode, struct file *filp)
return 0;
}
@@ -225862,7 +225868,7 @@ index 7f9ee29..1dccca1 100644
.release = kvm_vcpu_release,
.unlocked_ioctl = kvm_vcpu_ioctl,
#ifdef CONFIG_KVM_COMPAT
-@@ -3144,7 +3161,7 @@ static long kvm_vm_compat_ioctl(struct file *filp,
+@@ -3147,7 +3164,7 @@ static long kvm_vm_compat_ioctl(struct file *filp,
}
#endif
@@ -225871,7 +225877,7 @@ index 7f9ee29..1dccca1 100644
.release = kvm_vm_release,
.unlocked_ioctl = kvm_vm_ioctl,
#ifdef CONFIG_KVM_COMPAT
-@@ -3231,7 +3248,7 @@ static long kvm_dev_ioctl(struct file *filp,
+@@ -3234,7 +3251,7 @@ static long kvm_dev_ioctl(struct file *filp,
return r;
}
@@ -225880,7 +225886,7 @@ index 7f9ee29..1dccca1 100644
.unlocked_ioctl = kvm_dev_ioctl,
.compat_ioctl = kvm_dev_ioctl,
.llseek = noop_llseek,
-@@ -3257,7 +3274,7 @@ static void hardware_enable_nolock(void *junk)
+@@ -3260,7 +3277,7 @@ static void hardware_enable_nolock(void *junk)
if (r) {
cpumask_clear_cpu(cpu, cpus_hardware_enabled);
@@ -225889,7 +225895,7 @@ index 7f9ee29..1dccca1 100644
pr_info("kvm: enabling virtualization on CPU%d failed\n", cpu);
}
}
-@@ -3314,10 +3331,10 @@ static int hardware_enable_all(void)
+@@ -3317,10 +3334,10 @@ static int hardware_enable_all(void)
kvm_usage_count++;
if (kvm_usage_count == 1) {
@@ -225902,7 +225908,7 @@ index 7f9ee29..1dccca1 100644
hardware_disable_all_nolock();
r = -EBUSY;
}
-@@ -3877,8 +3894,9 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -3895,8 +3912,9 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
/* A kmem cache lets us meet the alignment requirements of fx_save. */
if (!vcpu_align)
vcpu_align = __alignof__(struct kvm_vcpu);
@@ -225914,7 +225920,7 @@ index 7f9ee29..1dccca1 100644
if (!kvm_vcpu_cache) {
r = -ENOMEM;
goto out_free_3;
-@@ -3888,9 +3906,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -3906,9 +3924,11 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
if (r)
goto out_free;
@@ -225926,7 +225932,7 @@ index 7f9ee29..1dccca1 100644
r = misc_register(&kvm_dev);
if (r) {
-@@ -3900,9 +3920,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+@@ -3918,9 +3938,6 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
register_syscore_ops(&kvm_syscore_ops);
diff --git a/4.9.20/4425_grsec_remove_EI_PAX.patch b/4.9.21/4425_grsec_remove_EI_PAX.patch
index 594598a..594598a 100644
--- a/4.9.20/4425_grsec_remove_EI_PAX.patch
+++ b/4.9.21/4425_grsec_remove_EI_PAX.patch
diff --git a/4.9.20/4426_default_XATTR_PAX_FLAGS.patch b/4.9.21/4426_default_XATTR_PAX_FLAGS.patch
index f7e97b5..f7e97b5 100644
--- a/4.9.20/4426_default_XATTR_PAX_FLAGS.patch
+++ b/4.9.21/4426_default_XATTR_PAX_FLAGS.patch
diff --git a/4.9.20/4427_force_XATTR_PAX_tmpfs.patch b/4.9.21/4427_force_XATTR_PAX_tmpfs.patch
index 3871139..3871139 100644
--- a/4.9.20/4427_force_XATTR_PAX_tmpfs.patch
+++ b/4.9.21/4427_force_XATTR_PAX_tmpfs.patch
diff --git a/4.9.20/4430_grsec-remove-localversion-grsec.patch b/4.9.21/4430_grsec-remove-localversion-grsec.patch
index 31cf878..31cf878 100644
--- a/4.9.20/4430_grsec-remove-localversion-grsec.patch
+++ b/4.9.21/4430_grsec-remove-localversion-grsec.patch
diff --git a/4.9.20/4435_grsec-mute-warnings.patch b/4.9.21/4435_grsec-mute-warnings.patch
index 8929222..8929222 100644
--- a/4.9.20/4435_grsec-mute-warnings.patch
+++ b/4.9.21/4435_grsec-mute-warnings.patch
diff --git a/4.9.20/4440_grsec-remove-protected-paths.patch b/4.9.21/4440_grsec-remove-protected-paths.patch
index 741546d..741546d 100644
--- a/4.9.20/4440_grsec-remove-protected-paths.patch
+++ b/4.9.21/4440_grsec-remove-protected-paths.patch
diff --git a/4.9.20/4450_grsec-kconfig-default-gids.patch b/4.9.21/4450_grsec-kconfig-default-gids.patch
index cee6e27..cee6e27 100644
--- a/4.9.20/4450_grsec-kconfig-default-gids.patch
+++ b/4.9.21/4450_grsec-kconfig-default-gids.patch
diff --git a/4.9.20/4465_selinux-avc_audit-log-curr_ip.patch b/4.9.21/4465_selinux-avc_audit-log-curr_ip.patch
index 06a5294..06a5294 100644
--- a/4.9.20/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/4.9.21/4465_selinux-avc_audit-log-curr_ip.patch
diff --git a/4.9.20/4470_disable-compat_vdso.patch b/4.9.21/4470_disable-compat_vdso.patch
index a1401d8..a1401d8 100644
--- a/4.9.20/4470_disable-compat_vdso.patch
+++ b/4.9.21/4470_disable-compat_vdso.patch
diff --git a/4.9.20/4475_emutramp_default_on.patch b/4.9.21/4475_emutramp_default_on.patch
index feb8c7b..feb8c7b 100644
--- a/4.9.20/4475_emutramp_default_on.patch
+++ b/4.9.21/4475_emutramp_default_on.patch