--- /dev/null
+From 6943b839721ad4a31ad2bacf6e71b21f2dfe3134 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Fri, 3 May 2019 14:22:08 -0700
+Subject: clk: rockchip: Don't yell about bad mmc phases when getting
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit 6943b839721ad4a31ad2bacf6e71b21f2dfe3134 upstream.
+
+At boot time, my rk3288-veyron devices yell with 8 lines that look
+like this:
+ [ 0.000000] rockchip_mmc_get_phase: invalid clk rate
+
+This is because the clock framework at clk_register() time tries to
+get the phase but we don't have a parent yet.
+
+While the errors appear to be harmless they are still ugly and, in
+general, we don't want yells like this in the log unless they are
+important.
+
+There's no real reason to be yelling here. We can still return
+-EINVAL to indicate that the phase makes no sense without a parent.
+If someone really tries to do tuning and the clock is reported as 0
+then we'll see the yells in rockchip_mmc_set_phase().
+
+Fixes: 4bf59902b500 ("clk: rockchip: Prevent calculating mmc phase if clock rate is zero")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/rockchip/clk-mmc-phase.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/clk/rockchip/clk-mmc-phase.c
++++ b/drivers/clk/rockchip/clk-mmc-phase.c
+@@ -61,10 +61,8 @@ static int rockchip_mmc_get_phase(struct
+ u32 delay_num = 0;
+
+ /* See the comment for rockchip_mmc_set_phase below */
+- if (!rate) {
+- pr_err("%s: invalid clk rate\n", __func__);
++ if (!rate)
+ return -EINVAL;
+- }
+
+ raw_value = readl(mmc_clock->reg) >> (mmc_clock->shift);
+
--- /dev/null
+From ac43432cb1f5c2950408534987e57c2071e24d8f Mon Sep 17 00:00:00 2001
+From: Muchun Song <smuchun@gmail.com>
+Date: Sat, 27 Jul 2019 11:21:22 +0800
+Subject: driver core: Fix use-after-free and double free on glue directory
+
+From: Muchun Song <smuchun@gmail.com>
+
+commit ac43432cb1f5c2950408534987e57c2071e24d8f upstream.
+
+There is a race condition between removing glue directory and adding a new
+device under the glue dir. It can be reproduced in following test:
+
+CPU1: CPU2:
+
+device_add()
+ get_device_parent()
+ class_dir_create_and_add()
+ kobject_add_internal()
+ create_dir() // create glue_dir
+
+ device_add()
+ get_device_parent()
+ kobject_get() // get glue_dir
+
+device_del()
+ cleanup_glue_dir()
+ kobject_del(glue_dir)
+
+ kobject_add()
+ kobject_add_internal()
+ create_dir() // in glue_dir
+ sysfs_create_dir_ns()
+ kernfs_create_dir_ns(sd)
+
+ sysfs_remove_dir() // glue_dir->sd=NULL
+ sysfs_put() // free glue_dir->sd
+
+ // sd is freed
+ kernfs_new_node(sd)
+ kernfs_get(glue_dir)
+ kernfs_add_one()
+ kernfs_put()
+
+Before CPU1 remove last child device under glue dir, if CPU2 add a new
+device under glue dir, the glue_dir kobject reference count will be
+increase to 2 via kobject_get() in get_device_parent(). And CPU2 has
+been called kernfs_create_dir_ns(), but not call kernfs_new_node().
+Meanwhile, CPU1 call sysfs_remove_dir() and sysfs_put(). This result in
+glue_dir->sd is freed and it's reference count will be 0. Then CPU2 call
+kernfs_get(glue_dir) will trigger a warning in kernfs_get() and increase
+it's reference count to 1. Because glue_dir->sd is freed by CPU1, the next
+call kernfs_add_one() by CPU2 will fail(This is also use-after-free)
+and call kernfs_put() to decrease reference count. Because the reference
+count is decremented to 0, it will also call kmem_cache_free() to free
+the glue_dir->sd again. This will result in double free.
+
+In order to avoid this happening, we also should make sure that kernfs_node
+for glue_dir is released in CPU1 only when refcount for glue_dir kobj is
+1 to fix this race.
+
+The following calltrace is captured in kernel 4.14 with the following patch
+applied:
+
+commit 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
+
+--------------------------------------------------------------------------
+[ 3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494
+ Here is WARN_ON(!atomic_read(&kn->count) in kernfs_get().
+....
+[ 3.633986] Call trace:
+[ 3.633991] kernfs_create_dir_ns+0xa8/0xb0
+[ 3.633994] sysfs_create_dir_ns+0x54/0xe8
+[ 3.634001] kobject_add_internal+0x22c/0x3f0
+[ 3.634005] kobject_add+0xe4/0x118
+[ 3.634011] device_add+0x200/0x870
+[ 3.634017] _request_firmware+0x958/0xc38
+[ 3.634020] request_firmware_into_buf+0x4c/0x70
+....
+[ 3.634064] kernel BUG at .../mm/slub.c:294!
+ Here is BUG_ON(object == fp) in set_freepointer().
+....
+[ 3.634346] Call trace:
+[ 3.634351] kmem_cache_free+0x504/0x6b8
+[ 3.634355] kernfs_put+0x14c/0x1d8
+[ 3.634359] kernfs_create_dir_ns+0x88/0xb0
+[ 3.634362] sysfs_create_dir_ns+0x54/0xe8
+[ 3.634366] kobject_add_internal+0x22c/0x3f0
+[ 3.634370] kobject_add+0xe4/0x118
+[ 3.634374] device_add+0x200/0x870
+[ 3.634378] _request_firmware+0x958/0xc38
+[ 3.634381] request_firmware_into_buf+0x4c/0x70
+--------------------------------------------------------------------------
+
+Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
+Signed-off-by: Muchun Song <smuchun@gmail.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Prateek Sood <prsood@codeaurora.org>
+Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/core.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 52 insertions(+), 1 deletion(-)
+
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -1648,12 +1648,63 @@ static inline struct kobject *get_glue_d
+ */
+ static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
+ {
++ unsigned int ref;
++
+ /* see if we live in a "glue" directory */
+ if (!live_in_glue_dir(glue_dir, dev))
+ return;
+
+ mutex_lock(&gdp_mutex);
+- if (!kobject_has_children(glue_dir))
++ /**
++ * There is a race condition between removing glue directory
++ * and adding a new device under the glue directory.
++ *
++ * CPU1: CPU2:
++ *
++ * device_add()
++ * get_device_parent()
++ * class_dir_create_and_add()
++ * kobject_add_internal()
++ * create_dir() // create glue_dir
++ *
++ * device_add()
++ * get_device_parent()
++ * kobject_get() // get glue_dir
++ *
++ * device_del()
++ * cleanup_glue_dir()
++ * kobject_del(glue_dir)
++ *
++ * kobject_add()
++ * kobject_add_internal()
++ * create_dir() // in glue_dir
++ * sysfs_create_dir_ns()
++ * kernfs_create_dir_ns(sd)
++ *
++ * sysfs_remove_dir() // glue_dir->sd=NULL
++ * sysfs_put() // free glue_dir->sd
++ *
++ * // sd is freed
++ * kernfs_new_node(sd)
++ * kernfs_get(glue_dir)
++ * kernfs_add_one()
++ * kernfs_put()
++ *
++ * Before CPU1 remove last child device under glue dir, if CPU2 add
++ * a new device under glue dir, the glue_dir kobject reference count
++ * will be increase to 2 in kobject_get(k). And CPU2 has been called
++ * kernfs_create_dir_ns(). Meanwhile, CPU1 call sysfs_remove_dir()
++ * and sysfs_put(). This result in glue_dir->sd is freed.
++ *
++ * Then the CPU2 will see a stale "empty" but still potentially used
++ * glue dir around in kernfs_new_node().
++ *
++ * In order to avoid this happening, we also should make sure that
++ * kernfs_node for glue_dir is released in CPU1 only when refcount
++ * for glue_dir kobj is 1.
++ */
++ ref = kref_read(&glue_dir->kref);
++ if (!kobject_has_children(glue_dir) && !--ref)
+ kobject_del(glue_dir);
+ kobject_put(glue_dir);
+ mutex_unlock(&gdp_mutex);
--- /dev/null
+From 5ffff4415f9eeae834960226770963e2947e17eb Mon Sep 17 00:00:00 2001
+From: Neil Armstrong <narmstrong@baylibre.com>
+Date: Mon, 29 Apr 2019 09:52:38 +0200
+Subject: drm/meson: Add support for XBGR8888 & ABGR8888 formats
+
+From: Neil Armstrong <narmstrong@baylibre.com>
+
+commit 5ffff4415f9eeae834960226770963e2947e17eb upstream.
+
+Add missing XBGR8888 & ABGR8888 formats variants from the primary plane.
+
+Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Reviewed-by: Kevin Hilman <khilman@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190429075238.7884-1-narmstrong@baylibre.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/meson/meson_plane.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/gpu/drm/meson/meson_plane.c
++++ b/drivers/gpu/drm/meson/meson_plane.c
+@@ -120,6 +120,13 @@ static void meson_plane_atomic_update(st
+ priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 |
+ OSD_COLOR_MATRIX_32_ARGB;
+ break;
++ case DRM_FORMAT_XBGR8888:
++ /* For XRGB, replace the pixel's alpha by 0xFF */
++ writel_bits_relaxed(OSD_REPLACE_EN, OSD_REPLACE_EN,
++ priv->io_base + _REG(VIU_OSD1_CTRL_STAT2));
++ priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 |
++ OSD_COLOR_MATRIX_32_ABGR;
++ break;
+ case DRM_FORMAT_ARGB8888:
+ /* For ARGB, use the pixel's alpha */
+ writel_bits_relaxed(OSD_REPLACE_EN, 0,
+@@ -127,6 +134,13 @@ static void meson_plane_atomic_update(st
+ priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 |
+ OSD_COLOR_MATRIX_32_ARGB;
+ break;
++ case DRM_FORMAT_ABGR8888:
++ /* For ARGB, use the pixel's alpha */
++ writel_bits_relaxed(OSD_REPLACE_EN, 0,
++ priv->io_base + _REG(VIU_OSD1_CTRL_STAT2));
++ priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_32 |
++ OSD_COLOR_MATRIX_32_ABGR;
++ break;
+ case DRM_FORMAT_RGB888:
+ priv->viu.osd1_blk0_cfg[0] |= OSD_BLK_MODE_24 |
+ OSD_COLOR_MATRIX_24_RGB;
+@@ -196,7 +210,9 @@ static const struct drm_plane_funcs meso
+
+ static const uint32_t supported_drm_formats[] = {
+ DRM_FORMAT_ARGB8888,
++ DRM_FORMAT_ABGR8888,
+ DRM_FORMAT_XRGB8888,
++ DRM_FORMAT_XBGR8888,
+ DRM_FORMAT_RGB888,
+ DRM_FORMAT_RGB565,
+ };
--- /dev/null
+From 336d4b138be2dad372b67a2388e42805c48aaa38 Mon Sep 17 00:00:00 2001
+From: Xiaolei Li <xiaolei.li@mediatek.com>
+Date: Tue, 7 May 2019 18:25:41 +0800
+Subject: mtd: rawnand: mtk: Fix wrongly assigned OOB buffer pointer issue
+
+From: Xiaolei Li <xiaolei.li@mediatek.com>
+
+commit 336d4b138be2dad372b67a2388e42805c48aaa38 upstream.
+
+One main goal of the function mtk_nfc_update_ecc_stats is to check
+whether sectors are all empty. If they are empty, set these sectors's
+data buffer and OOB buffer as 0xff.
+
+But now, the sector OOB buffer pointer is wrongly assigned. We always
+do memset from sector 0.
+
+To fix this issue, pass start sector number to make OOB buffer pointer
+be properly assigned.
+
+Fixes: 1d6b1e464950 ("mtd: mediatek: driver for MTK Smart Device")
+Signed-off-by: Xiaolei Li <xiaolei.li@mediatek.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/raw/mtk_nand.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+--- a/drivers/mtd/nand/raw/mtk_nand.c
++++ b/drivers/mtd/nand/raw/mtk_nand.c
+@@ -863,19 +863,21 @@ static int mtk_nfc_write_oob_std(struct
+ return mtk_nfc_write_page_raw(mtd, chip, NULL, 1, page);
+ }
+
+-static int mtk_nfc_update_ecc_stats(struct mtd_info *mtd, u8 *buf, u32 sectors)
++static int mtk_nfc_update_ecc_stats(struct mtd_info *mtd, u8 *buf, u32 start,
++ u32 sectors)
+ {
+ struct nand_chip *chip = mtd_to_nand(mtd);
+ struct mtk_nfc *nfc = nand_get_controller_data(chip);
+ struct mtk_nfc_nand_chip *mtk_nand = to_mtk_nand(chip);
+ struct mtk_ecc_stats stats;
++ u32 reg_size = mtk_nand->fdm.reg_size;
+ int rc, i;
+
+ rc = nfi_readl(nfc, NFI_STA) & STA_EMP_PAGE;
+ if (rc) {
+ memset(buf, 0xff, sectors * chip->ecc.size);
+ for (i = 0; i < sectors; i++)
+- memset(oob_ptr(chip, i), 0xff, mtk_nand->fdm.reg_size);
++ memset(oob_ptr(chip, start + i), 0xff, reg_size);
+ return 0;
+ }
+
+@@ -895,7 +897,7 @@ static int mtk_nfc_read_subpage(struct m
+ u32 spare = mtk_nand->spare_per_sector;
+ u32 column, sectors, start, end, reg;
+ dma_addr_t addr;
+- int bitflips;
++ int bitflips = 0;
+ size_t len;
+ u8 *buf;
+ int rc;
+@@ -962,14 +964,11 @@ static int mtk_nfc_read_subpage(struct m
+ if (rc < 0) {
+ dev_err(nfc->dev, "subpage done timeout\n");
+ bitflips = -EIO;
+- } else {
+- bitflips = 0;
+- if (!raw) {
+- rc = mtk_ecc_wait_done(nfc->ecc, ECC_DECODE);
+- bitflips = rc < 0 ? -ETIMEDOUT :
+- mtk_nfc_update_ecc_stats(mtd, buf, sectors);
+- mtk_nfc_read_fdm(chip, start, sectors);
+- }
++ } else if (!raw) {
++ rc = mtk_ecc_wait_done(nfc->ecc, ECC_DECODE);
++ bitflips = rc < 0 ? -ETIMEDOUT :
++ mtk_nfc_update_ecc_stats(mtd, buf, start, sectors);
++ mtk_nfc_read_fdm(chip, start, sectors);
+ }
+
+ dma_unmap_single(nfc->dev, addr, len, DMA_FROM_DEVICE);
--- /dev/null
+From 2d2f4273cbe9058d1f5a518e5e880d27d7b3b30f Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Thu, 9 May 2019 13:27:22 -0600
+Subject: PCI: Always allow probing with driver_override
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 2d2f4273cbe9058d1f5a518e5e880d27d7b3b30f upstream.
+
+Commit 0e7df22401a3 ("PCI: Add sysfs sriov_drivers_autoprobe to control
+VF driver binding") introduced the sriov_drivers_autoprobe attribute
+which allows users to prevent the kernel from automatically probing a
+driver for new VFs as they are created. This allows VFs to be spawned
+without automatically binding the new device to a host driver, such as
+in cases where the user intends to use the device only with a meta
+driver like vfio-pci. However, the current implementation prevents any
+use of drivers_probe with the VF while sriov_drivers_autoprobe=0. This
+blocks the now current general practice of setting driver_override
+followed by using drivers_probe to bind a device to a specified driver.
+
+The kernel never automatically sets a driver_override therefore it seems
+we can assume a driver_override reflects the intent of the user. Also,
+probing a device using a driver_override match seems outside the scope
+of the 'auto' part of sriov_drivers_autoprobe. Therefore, let's allow
+driver_override matches regardless of sriov_drivers_autoprobe, which we
+can do by simply testing if a driver_override is set for a device as a
+'can probe' condition.
+
+Fixes: 0e7df22401a3 ("PCI: Add sysfs sriov_drivers_autoprobe to control VF driver binding")
+Link: https://lore.kernel.org/lkml/155742996741.21878.569845487290798703.stgit@gimli.home
+Link: https://lore.kernel.org/linux-pci/155672991496.20698.4279330795743262888.stgit@gimli.home/T/#u
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci-driver.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/pci-driver.c
++++ b/drivers/pci/pci-driver.c
+@@ -399,7 +399,8 @@ void __weak pcibios_free_irq(struct pci_
+ #ifdef CONFIG_PCI_IOV
+ static inline bool pci_device_can_probe(struct pci_dev *pdev)
+ {
+- return (!pdev->is_virtfn || pdev->physfn->sriov->drivers_autoprobe);
++ return (!pdev->is_virtfn || pdev->physfn->sriov->drivers_autoprobe ||
++ pdev->driver_override);
+ }
+ #else
+ static inline bool pci_device_can_probe(struct pci_dev *pdev)
--- /dev/null
+From 6fbcdd59094ade30db63f32316e9502425d7b256 Mon Sep 17 00:00:00 2001
+From: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
+Date: Wed, 6 Mar 2019 12:10:38 +1100
+Subject: powerpc: Add barrier_nospec to raw_copy_in_user()
+
+From: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
+
+commit 6fbcdd59094ade30db63f32316e9502425d7b256 upstream.
+
+Commit ddf35cf3764b ("powerpc: Use barrier_nospec in copy_from_user()")
+Added barrier_nospec before loading from user-controlled pointers. The
+intention was to order the load from the potentially user-controlled
+pointer vs a previous branch based on an access_ok() check or similar.
+
+In order to achieve the same result, add a barrier_nospec to the
+raw_copy_in_user() function before loading from such a user-controlled
+pointer.
+
+Fixes: ddf35cf3764b ("powerpc: Use barrier_nospec in copy_from_user()")
+Signed-off-by: Suraj Jitindar Singh <sjitindarsingh@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/uaccess.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/include/asm/uaccess.h
++++ b/arch/powerpc/include/asm/uaccess.h
+@@ -306,6 +306,7 @@ extern unsigned long __copy_tofrom_user(
+ static inline unsigned long
+ raw_copy_in_user(void __user *to, const void __user *from, unsigned long n)
+ {
++ barrier_nospec();
+ return __copy_tofrom_user(to, from, n);
+ }
+ #endif /* __powerpc64__ */
kvm-x86-work-around-leak-of-uninitialized-stack-contents.patch
kvm-nvmx-handle-page-fault-in-vmread.patch
x86-purgatory-change-compiler-flags-from-mcmodel-kernel-to-mcmodel-large-to-fix-kexec-relocation-errors.patch
+powerpc-add-barrier_nospec-to-raw_copy_in_user.patch
+drm-meson-add-support-for-xbgr8888-abgr8888-formats.patch
+clk-rockchip-don-t-yell-about-bad-mmc-phases-when-getting.patch
+mtd-rawnand-mtk-fix-wrongly-assigned-oob-buffer-pointer-issue.patch
+pci-always-allow-probing-with-driver_override.patch
gpio-fix-line-flag-validation-in-lineevent_create.patch
+ubifs-correctly-use-tnc_next-in-search_dh_cookie.patch
+driver-core-fix-use-after-free-and-double-free-on-glue-directory.patch
--- /dev/null
+From bacfa94b08027b9f66ede7044972e3b066766b3e Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Tue, 14 May 2019 22:31:08 +0200
+Subject: ubifs: Correctly use tnc_next() in search_dh_cookie()
+
+From: Richard Weinberger <richard@nod.at>
+
+commit bacfa94b08027b9f66ede7044972e3b066766b3e upstream.
+
+Commit c877154d307f fixed an uninitialized variable and optimized
+the function to not call tnc_next() in the first iteration of the
+loop. While this seemed perfectly legit and wise, it turned out to
+be illegal.
+If the lookup function does not find an exact match it will rewind
+the cursor by 1.
+The rewinded cursor will not match the name hash we are looking for
+and this results in a spurious -ENOENT.
+So we need to move to the next entry in case of an non-exact match,
+but not if the match was exact.
+
+While we are here, update the documentation to avoid further confusion.
+
+Cc: Hyunchul Lee <hyc.lee@gmail.com>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Fixes: c877154d307f ("ubifs: Fix uninitialized variable in search_dh_cookie()")
+Fixes: 781f675e2d7e ("ubifs: Fix unlink code wrt. double hash lookups")
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/tnc.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/fs/ubifs/tnc.c
++++ b/fs/ubifs/tnc.c
+@@ -1165,8 +1165,8 @@ static struct ubifs_znode *dirty_cow_bot
+ * o exact match, i.e. the found zero-level znode contains key @key, then %1
+ * is returned and slot number of the matched branch is stored in @n;
+ * o not exact match, which means that zero-level znode does not contain
+- * @key, then %0 is returned and slot number of the closest branch is stored
+- * in @n;
++ * @key, then %0 is returned and slot number of the closest branch or %-1
++ * is stored in @n; In this case calling tnc_next() is mandatory.
+ * o @key is so small that it is even less than the lowest key of the
+ * leftmost zero-level node, then %0 is returned and %0 is stored in @n.
+ *
+@@ -1883,13 +1883,19 @@ int ubifs_tnc_lookup_nm(struct ubifs_inf
+
+ static int search_dh_cookie(struct ubifs_info *c, const union ubifs_key *key,
+ struct ubifs_dent_node *dent, uint32_t cookie,
+- struct ubifs_znode **zn, int *n)
++ struct ubifs_znode **zn, int *n, int exact)
+ {
+ int err;
+ struct ubifs_znode *znode = *zn;
+ struct ubifs_zbranch *zbr;
+ union ubifs_key *dkey;
+
++ if (!exact) {
++ err = tnc_next(c, &znode, n);
++ if (err)
++ return err;
++ }
++
+ for (;;) {
+ zbr = &znode->zbranch[*n];
+ dkey = &zbr->key;
+@@ -1931,7 +1937,7 @@ static int do_lookup_dh(struct ubifs_inf
+ if (unlikely(err < 0))
+ goto out_unlock;
+
+- err = search_dh_cookie(c, key, dent, cookie, &znode, &n);
++ err = search_dh_cookie(c, key, dent, cookie, &znode, &n, err);
+
+ out_unlock:
+ mutex_unlock(&c->tnc_mutex);
+@@ -2718,7 +2724,7 @@ int ubifs_tnc_remove_dh(struct ubifs_inf
+ if (unlikely(err < 0))
+ goto out_free;
+
+- err = search_dh_cookie(c, key, dent, cookie, &znode, &n);
++ err = search_dh_cookie(c, key, dent, cookie, &znode, &n, err);
+ if (err)
+ goto out_free;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
