!513 Backport CVEs and bugfixes

	struct hid_device *hdev;

	struct work_struct work;

	unsigned int brightness;

	spinlock_t lock;

	bool removed;

};

	return ret;

}

static void asus_schedule_work(struct asus_kbd_leds *led)

{

	unsigned long flags;

	spin_lock_irqsave(&led->lock, flags);

	if (!led->removed)

		schedule_work(&led->work);

	spin_unlock_irqrestore(&led->lock, flags);

}

static void asus_kbd_backlight_set(struct led_classdev *led_cdev,

				   enum led_brightness brightness)

{

	struct asus_kbd_leds *led = container_of(led_cdev, struct asus_kbd_leds,

						 cdev);

	if (led->brightness == brightness)

		return;

	unsigned long flags;

	spin_lock_irqsave(&led->lock, flags);

	led->brightness = brightness;

	schedule_work(&led->work);

	spin_unlock_irqrestore(&led->lock, flags);

	asus_schedule_work(led);

}

static enum led_brightness asus_kbd_backlight_get(struct led_classdev *led_cdev)

{

	struct asus_kbd_leds *led = container_of(led_cdev, struct asus_kbd_leds,

						 cdev);

	enum led_brightness brightness;

	unsigned long flags;

	spin_lock_irqsave(&led->lock, flags);

	brightness = led->brightness;

	spin_unlock_irqrestore(&led->lock, flags);

	return led->brightness;

	return brightness;

}

static void asus_kbd_backlight_work(struct work_struct *work)

	struct asus_kbd_leds *led = container_of(work, struct asus_kbd_leds, work);

	u8 buf[] = { FEATURE_KBD_REPORT_ID, 0xba, 0xc5, 0xc4, 0x00 };

	int ret;

	unsigned long flags;

	if (led->removed)

		return;

	spin_lock_irqsave(&led->lock, flags);

	buf[4] = led->brightness;

	spin_unlock_irqrestore(&led->lock, flags);

	ret = asus_kbd_set_report(led->hdev, buf, sizeof(buf));

	if (ret < 0)

	drvdata->kbd_backlight->cdev.brightness_set = asus_kbd_backlight_set;

	drvdata->kbd_backlight->cdev.brightness_get = asus_kbd_backlight_get;

	INIT_WORK(&drvdata->kbd_backlight->work, asus_kbd_backlight_work);

	spin_lock_init(&drvdata->kbd_backlight->lock);

	ret = devm_led_classdev_register(&hdev->dev, &drvdata->kbd_backlight->cdev);

	if (ret < 0) {

static void asus_remove(struct hid_device *hdev)

{

	struct asus_drvdata *drvdata = hid_get_drvdata(hdev);

	unsigned long flags;

	if (drvdata->kbd_backlight) {

		spin_lock_irqsave(&drvdata->kbd_backlight->lock, flags);

		drvdata->kbd_backlight->removed = true;

		spin_unlock_irqrestore(&drvdata->kbd_backlight->lock, flags);

		cancel_work_sync(&drvdata->kbd_backlight->work);

	}

		if (msg[i].addr == 0x99) {

			req = 0xBE;

			index = 0;

			if (msg[i].len < 1) {

				i = -EOPNOTSUPP;

				break;

			}

			value = msg[i].buf[0] & 0x00ff;

			length = 1;

			az6027_usb_out_op(d, req, value, index, data, length);

		keys[0].fmr_physical = bofs;

	if (keys[1].fmr_physical >= eofs)

		keys[1].fmr_physical = eofs - 1;

	if (keys[1].fmr_physical < keys[0].fmr_physical)

		return 0;

	start_fsb = keys[0].fmr_physical;

	end_fsb = keys[1].fmr_physical;

	 * ie. locked but not dirty) or tune2fs (which may actually have

	 * the buffer dirtied, ugh.)  */

	if (buffer_dirty(bh)) {

		/*

		 * First question: is this buffer already part of the current

		 * transaction or the existing committing transaction?

		 */

		if (jh->b_transaction) {

			J_ASSERT_JH(jh,

				jh->b_transaction == transaction ||

				jh->b_transaction ==

					journal->j_committing_transaction);

			if (jh->b_next_transaction)

				J_ASSERT_JH(jh, jh->b_next_transaction ==

							transaction);

	if (buffer_dirty(bh) && jh->b_transaction) {

		warn_dirty_buffer(bh);

		}

		/*

		 * In any case we need to clean the dirty flag and we must

		 * do it under the buffer lock to be sure we don't race

		 * with running write-out.

		 * We need to clean the dirty flag and we must do it under the

		 * buffer lock to be sure we don't race with running write-out.

		 */

		JBUFFER_TRACE(jh, "Journalling dirty buffer");

		clear_buffer_dirty(bh);

		/*

		 * The buffer is going to be added to BJ_Reserved list now and

		 * nothing guarantees jbd2_journal_dirty_metadata() will be

		 * ever called for it. So we need to set jbddirty bit here to

		 * make sure the buffer is dirtied and written out when the

		 * journaling machinery is done with it.

		 */

		set_buffer_jbddirty(bh);

	}

	unlock_buffer(bh);

	error = -EROFS;

	if (is_handle_aborted(handle)) {

		spin_unlock(&jh->b_state_lock);

		unlock_buffer(bh);

		goto out;

	}

	error = 0;

	 * b_next_transaction points to it

	 */

	if (jh->b_transaction == transaction ||

	    jh->b_next_transaction == transaction)

	    jh->b_next_transaction == transaction) {

		unlock_buffer(bh);

		goto done;

	}

	/*

	 * this is the first time this transaction is touching this buffer,

		 */

		smp_wmb();

		spin_lock(&journal->j_list_lock);

		if (test_clear_buffer_dirty(bh)) {

			/*

			 * Execute buffer dirty clearing and jh->b_transaction

			 * assignment under journal->j_list_lock locked to

			 * prevent bh being removed from checkpoint list if

			 * the buffer is in an intermediate state (not dirty

			 * and jh->b_transaction is NULL).

			 */

			JBUFFER_TRACE(jh, "Journalling dirty buffer");

			set_buffer_jbddirty(bh);

		}

		__jbd2_journal_file_buffer(jh, transaction, BJ_Reserved);

		spin_unlock(&journal->j_list_lock);

		unlock_buffer(bh);

		goto done;

	}

	unlock_buffer(bh);

	/*

	 * If there is already a copy-out version of this buffer, then we don't

	 * need to make another one

void free_task(struct task_struct *tsk)

{

#ifdef CONFIG_SECCOMP

	WARN_ON_ONCE(tsk->seccomp.filter);

#endif

	scs_release(tsk);

#ifndef CONFIG_THREAD_INFO_IN_TASK

	spin_lock(&current->sighand->siglock);

	/*

	 * Copy seccomp details explicitly here, in case they were changed

	 * before holding sighand lock.

	 */

	copy_seccomp(p);

	rseq_fork(p, clone_flags);

	/* Don't start children in a dying pid namespace */

		goto bad_fork_cancel_cgroup;

	}

	/* No more failure paths after this point. */

	/*

	 * Copy seccomp details explicitly here, in case they were changed

	 * before holding sighand lock.

	 */

	copy_seccomp(p);

	init_task_pid_links(p);

	if (likely(p->pid)) {

		ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace);