diff --git a/FsCrypt.cpp b/FsCrypt.cpp
index cfa74e0..017ffec 100644
--- a/FsCrypt.cpp
+++ b/FsCrypt.cpp
@@ -186,10 +186,7 @@
     auto const current_path = get_ce_key_current_path(directory_path);
     if (to_fix != current_path) {
         LOG(DEBUG) << "Renaming " << to_fix << " to " << current_path;
-        if (rename(to_fix.c_str(), current_path.c_str()) != 0) {
-            PLOG(WARNING) << "Unable to rename " << to_fix << " to " << current_path;
-            return;
-        }
+        if (!android::vold::RenameKeyDir(to_fix, current_path)) return;
     }
     android::vold::FsyncDirectory(directory_path);
 }
@@ -569,9 +566,12 @@
     if (it != s_ephemeral_users.end()) {
         s_ephemeral_users.erase(it);
     } else {
-        for (auto const path : get_ce_key_paths(get_ce_key_directory_path(user_id))) {
+        auto ce_path = get_ce_key_directory_path(user_id);
+        for (auto const path : get_ce_key_paths(ce_path)) {
             success &= android::vold::destroyKey(path);
         }
+        success &= destroy_dir(ce_path);
+
         auto de_key_path = get_de_key_path(user_id);
         if (android::vold::pathExists(de_key_path)) {
             success &= android::vold::destroyKey(de_key_path);
@@ -730,6 +730,14 @@
     return true;
 }
 
+std::vector<int> fscrypt_get_unlocked_users() {
+    std::vector<int> user_ids;
+    for (const auto& it : s_ce_policies) {
+        user_ids.push_back(it.first);
+    }
+    return user_ids;
+}
+
 // TODO: rename to 'install' for consistency, and take flags to know which keys to install
 bool fscrypt_unlock_user_key(userid_t user_id, int serial, const std::string& secret_hex) {
     LOG(DEBUG) << "fscrypt_unlock_user_key " << user_id << " serial=" << serial;
diff --git a/FsCrypt.h b/FsCrypt.h
index 96159d5..2946be5 100644
--- a/FsCrypt.h
+++ b/FsCrypt.h
@@ -15,6 +15,7 @@
  */
 
 #include <string>
+#include <vector>
 
 #include <cutils/multiuser.h>
 
@@ -27,6 +28,7 @@
 bool fscrypt_clear_user_key_auth(userid_t user_id, int serial, const std::string& secret);
 bool fscrypt_fixate_newest_user_key_auth(userid_t user_id);
 
+std::vector<int> fscrypt_get_unlocked_users();
 bool fscrypt_unlock_user_key(userid_t user_id, int serial, const std::string& secret);
 bool fscrypt_lock_user_key(userid_t user_id);
 
diff --git a/KeyStorage.cpp b/KeyStorage.cpp
index 8d518de..64b413a 100644
--- a/KeyStorage.cpp
+++ b/KeyStorage.cpp
@@ -45,8 +45,6 @@
 
 #include <cutils/properties.h>
 
-#include <hardware/hw_auth_token.h>
-
 extern "C" {
 
 #include "crypto_scrypt.h"
@@ -60,24 +58,18 @@
 static constexpr size_t AES_KEY_BYTES = 32;
 static constexpr size_t GCM_NONCE_BYTES = 12;
 static constexpr size_t GCM_MAC_BYTES = 16;
-static constexpr size_t SALT_BYTES = 1 << 4;
 static constexpr size_t SECDISCARDABLE_BYTES = 1 << 14;
-static constexpr size_t STRETCHED_BYTES = 1 << 6;
-
-static constexpr uint32_t AUTH_TIMEOUT = 30;  // Seconds
 
 static const char* kCurrentVersion = "1";
 static const char* kRmPath = "/system/bin/rm";
 static const char* kSecdiscardPath = "/system/bin/secdiscard";
 static const char* kStretch_none = "none";
 static const char* kStretch_nopassword = "nopassword";
-static const std::string kStretchPrefix_scrypt = "scrypt ";
 static const char* kHashPrefix_secdiscardable = "Android secdiscardable SHA512";
 static const char* kHashPrefix_keygen = "Android key wrapping key generation SHA512";
 static const char* kFn_encrypted_key = "encrypted_key";
 static const char* kFn_keymaster_key_blob = "keymaster_key_blob";
 static const char* kFn_keymaster_key_blob_upgraded = "keymaster_key_blob_upgraded";
-static const char* kFn_salt = "salt";
 static const char* kFn_secdiscardable = "secdiscardable";
 static const char* kFn_stretching = "stretching";
 static const char* kFn_version = "version";
@@ -154,7 +146,7 @@
                                 .GcmModeMinMacLen(GCM_MAC_BYTES * 8)
                                 .Authorization(km::TAG_APPLICATION_ID, appId)
                                 .Authorization(km::TAG_NO_AUTH_REQUIRED);
-    LOG(DEBUG) << "Generating \"key storage\" key that doesn't need auth token";
+    LOG(DEBUG) << "Generating \"key storage\" key";
     return generateKeymasterKey(keymaster, paramBuilder, key);
 }
 
@@ -224,6 +216,7 @@
 // List of key directories that have had their Keymaster key upgraded during
 // this boot and written to "keymaster_key_blob_upgraded", but replacing the old
 // key was delayed due to an active checkpoint.  Protected by key_upgrade_lock.
+// A directory can be in this list at most once.
 static std::vector<std::string> key_dirs_to_commit;
 
 // Replaces |dir|/keymaster_key_blob with |dir|/keymaster_key_blob_upgraded and
@@ -275,8 +268,9 @@
     return false;
 }
 
-// Schedules the upgraded Keymaster key in |dir| to be committed later.
-// Assumes that key_upgrade_lock is held.
+// Schedules the upgraded Keymaster key in |dir| to be committed later.  Assumes
+// that key_upgrade_lock is held and that a commit isn't already pending for the
+// directory.
 static void ScheduleKeyCommit(const std::string& dir) {
     if (key_dirs_to_commit.empty()) std::thread(DeferredCommitKeys).detach();
     key_dirs_to_commit.push_back(dir);
@@ -294,6 +288,28 @@
     }
 }
 
+bool RenameKeyDir(const std::string& old_name, const std::string& new_name) {
+    std::lock_guard<std::mutex> lock(key_upgrade_lock);
+
+    // Find the entry in key_dirs_to_commit (if any) for this directory so that
+    // we can update it if the rename succeeds.  We don't allow duplicates in
+    // this list, so there can be at most one such entry.
+    auto it = key_dirs_to_commit.begin();
+    for (; it != key_dirs_to_commit.end(); it++) {
+        if (IsSameFile(old_name, *it)) break;
+    }
+
+    if (rename(old_name.c_str(), new_name.c_str()) != 0) {
+        PLOG(ERROR) << "Failed to rename key directory \"" << old_name << "\" to \"" << new_name
+                    << "\"";
+        return false;
+    }
+
+    if (it != key_dirs_to_commit.end()) *it = new_name;
+
+    return true;
+}
+
 // Deletes a leftover upgraded key, if present.  An upgraded key can be left
 // over if an update failed, or if we rebooted before committing the key in a
 // freak accident.  Either way, we can re-upgrade the key if we need to.
@@ -415,7 +431,7 @@
 }
 
 static bool stretchSecret(const std::string& stretching, const std::string& secret,
-                          const std::string& salt, std::string* stretched) {
+                          std::string* stretched) {
     if (stretching == kStretch_nopassword) {
         if (!secret.empty()) {
             LOG(WARNING) << "Password present but stretching is nopassword";
@@ -432,10 +448,9 @@
 }
 
 static bool generateAppId(const KeyAuthentication& auth, const std::string& stretching,
-                          const std::string& salt, const std::string& secdiscardable_hash,
-                          std::string* appId) {
+                          const std::string& secdiscardable_hash, std::string* appId) {
     std::string stretched;
-    if (!stretchSecret(stretching, auth.secret, salt, &stretched)) return false;
+    if (!stretchSecret(stretching, auth.secret, &stretched)) return false;
     *appId = secdiscardable_hash + stretched;
 
     const std::lock_guard<std::mutex> scope_lock(storage_binding_info.guard);
@@ -560,7 +575,12 @@
     return true;
 }
 
-bool storeKey(const std::string& dir, const KeyAuthentication& auth, const KeyBuffer& key) {
+// Creates a directory at the given path |dir| and stores |key| in it, in such a
+// way that it can only be retrieved via Keymaster (if no secret is given in
+// |auth|) or with the given secret (if a secret is given in |auth|), and can be
+// securely deleted.  If a storage binding seed has been set, then the storage
+// binding seed will be required to retrieve the key as well.
+static bool storeKey(const std::string& dir, const KeyAuthentication& auth, const KeyBuffer& key) {
     if (TEMP_FAILURE_RETRY(mkdir(dir.c_str(), 0700)) == -1) {
         PLOG(ERROR) << "key mkdir " << dir;
         return false;
@@ -570,9 +590,8 @@
     if (!createSecdiscardable(dir + "/" + kFn_secdiscardable, &secdiscardable_hash)) return false;
     std::string stretching = getStretching(auth);
     if (!writeStringToFile(stretching, dir + "/" + kFn_stretching)) return false;
-    std::string salt;
     std::string appId;
-    if (!generateAppId(auth, stretching, salt, secdiscardable_hash, &appId)) return false;
+    if (!generateAppId(auth, stretching, secdiscardable_hash, &appId)) return false;
     std::string encryptedKey;
     if (auth.usesKeymaster()) {
         Keymaster keymaster;
@@ -601,10 +620,9 @@
         destroyKey(tmp_path);  // May be partially created so ignore errors
     }
     if (!storeKey(tmp_path, auth, key)) return false;
-    if (rename(tmp_path.c_str(), key_path.c_str()) != 0) {
-        PLOG(ERROR) << "Unable to move new key to location: " << key_path;
-        return false;
-    }
+
+    if (!RenameKeyDir(tmp_path, key_path)) return false;
+
     if (!FsyncParentDirectory(key_path)) return false;
     LOG(DEBUG) << "Created key: " << key_path;
     return true;
@@ -621,9 +639,8 @@
     if (!readSecdiscardable(dir + "/" + kFn_secdiscardable, &secdiscardable_hash)) return false;
     std::string stretching;
     if (!readFileToString(dir + "/" + kFn_stretching, &stretching)) return false;
-    std::string salt;
     std::string appId;
-    if (!generateAppId(auth, stretching, salt, secdiscardable_hash, &appId)) return false;
+    if (!generateAppId(auth, stretching, secdiscardable_hash, &appId)) return false;
     std::string encryptedMessage;
     if (!readFileToString(dir + "/" + kFn_encrypted_key, &encryptedMessage)) return false;
     if (auth.usesKeymaster()) {
diff --git a/KeyStorage.h b/KeyStorage.h
index 09d0aac..a7e694e 100644
--- a/KeyStorage.h
+++ b/KeyStorage.h
@@ -27,10 +27,6 @@
 namespace vold {
 
 // Represents the information needed to decrypt a disk encryption key.
-// If "token" is nonempty, it is passed in as a required Gatekeeper auth token.
-// If "token" and "secret" are nonempty, "secret" is appended to the application-specific
-// binary needed to unlock.
-// If only "secret" is nonempty, it is used to decrypt in a non-Keymaster process.
 class KeyAuthentication {
   public:
     KeyAuthentication(const std::string& s) : secret{s} {};
@@ -45,11 +41,9 @@
 bool createSecdiscardable(const std::string& path, std::string* hash);
 bool readSecdiscardable(const std::string& path, std::string* hash);
 
-// Create a directory at the named path, and store "key" in it,
-// in such a way that it can only be retrieved via Keymaster and
-// can be securely deleted.
-// It's safe to move/rename the directory after creation.
-bool storeKey(const std::string& dir, const KeyAuthentication& auth, const KeyBuffer& key);
+// Renames a key directory while also managing deferred commits appropriately.
+// This method should be used whenever a key directory needs to be moved/renamed.
+bool RenameKeyDir(const std::string& old_name, const std::string& new_name);
 
 // Create a directory at the named path, and store "key" in it as storeKey
 // This version creates the key in "tmp_path" then atomically renames "tmp_path"
diff --git a/Keymaster.cpp b/Keymaster.cpp
index bb26b64..8038681 100644
--- a/Keymaster.cpp
+++ b/Keymaster.cpp
@@ -21,6 +21,7 @@
 #include <aidl/android/hardware/security/keymint/SecurityLevel.h>
 #include <aidl/android/security/maintenance/IKeystoreMaintenance.h>
 #include <aidl/android/system/keystore2/Domain.h>
+#include <aidl/android/system/keystore2/EphemeralStorageKeyResponse.h>
 #include <aidl/android/system/keystore2/KeyDescriptor.h>
 
 // Keep these in sync with system/security/keystore2/src/keystore2_main.rs
@@ -81,14 +82,7 @@
             ks2Operation = nullptr;
             return false;
         }
-
-        if (!output) {
-            LOG(ERROR) << "Keystore2 operation update didn't return output.";
-            ks2Operation = nullptr;
-            return false;
-        }
-
-        consumer((const char*)output->data(), output->size());
+        if (output) consumer((const char*)output->data(), output->size());
     }
     return true;
 }
@@ -110,7 +104,7 @@
 }
 
 Keymaster::Keymaster() {
-    ::ndk::SpAIBinder binder(AServiceManager_getService(keystore2_service_name));
+    ::ndk::SpAIBinder binder(AServiceManager_waitForService(keystore2_service_name));
     auto keystore2Service = ks2::IKeystoreService::fromBinder(binder);
 
     if (!keystore2Service) {
@@ -164,15 +158,19 @@
             .nspace = VOLD_NAMESPACE,
     };
     storageKey.blob = std::make_optional<std::vector<uint8_t>>(kmKey.begin(), kmKey.end());
-    std::vector<uint8_t> ephemeral_key;
-    auto rc = securityLevel->convertStorageKeyToEphemeral(storageKey, &ephemeral_key);
+    ks2::EphemeralStorageKeyResponse ephemeral_key_response;
+    auto rc = securityLevel->convertStorageKeyToEphemeral(storageKey, &ephemeral_key_response);
 
     if (logKeystore2ExceptionIfPresent(rc, "exportKey")) goto out;
-    if (key) *key = std::string(ephemeral_key.begin(), ephemeral_key.end());
+    if (key)
+        *key = std::string(ephemeral_key_response.ephemeralKey.begin(),
+                           ephemeral_key_response.ephemeralKey.end());
+
+    // TODO b/185811713 store the upgraded key blob if provided and delete the old key blob.
 
     ret = true;
 out:
-    zeroize_vector(ephemeral_key);
+    zeroize_vector(ephemeral_key_response.ephemeralKey);
     zeroize_vector(storageKey.blob.value());
     return ret;
 }
diff --git a/Process.cpp b/Process.cpp
index 62d51a2..c1d55ee 100644
--- a/Process.cpp
+++ b/Process.cpp
@@ -84,7 +84,7 @@
 }
 
 // TODO: Refactor the code with KillProcessesWithOpenFiles().
-int KillProcessesWithMounts(const std::string& prefix, int signal) {
+int KillProcessesWithTmpfsMounts(const std::string& prefix, int signal) {
     std::unordered_set<pid_t> pids;
 
     auto proc_d = std::unique_ptr<DIR, int (*)(DIR*)>(opendir("/proc"), closedir);
@@ -112,7 +112,8 @@
         // Check if obb directory is mounted, and get all packages of mounted app data directory.
         mntent* mentry;
         while ((mentry = getmntent(fp.get())) != nullptr) {
-            if (android::base::StartsWith(mentry->mnt_dir, prefix)) {
+            if (mentry->mnt_fsname != nullptr && strncmp(mentry->mnt_fsname, "tmpfs", 5) == 0
+                    && android::base::StartsWith(mentry->mnt_dir, prefix)) {
                 pids.insert(pid);
                 break;
             }
@@ -174,7 +175,15 @@
     }
     if (signal != 0) {
         for (const auto& pid : pids) {
-            LOG(WARNING) << "Sending " << strsignal(signal) << " to " << pid;
+            std::string comm;
+            android::base::ReadFileToString(StringPrintf("/proc/%d/comm", pid), &comm);
+            comm = android::base::Trim(comm);
+
+            std::string exe;
+            android::base::Readlink(StringPrintf("/proc/%d/exe", pid), &exe);
+
+            LOG(WARNING) << "Sending " << strsignal(signal) << " to pid " << pid << " (" << comm
+                         << ", " << exe << ")";
             kill(pid, signal);
         }
     }
diff --git a/Process.h b/Process.h
index a56b9ce..f3728b5 100644
--- a/Process.h
+++ b/Process.h
@@ -21,7 +21,7 @@
 namespace vold {
 
 int KillProcessesWithOpenFiles(const std::string& path, int signal, bool killFuseDaemon = true);
-int KillProcessesWithMounts(const std::string& path, int signal);
+int KillProcessesWithTmpfsMounts(const std::string& path, int signal);
 
 }  // namespace vold
 }  // namespace android
diff --git a/Utils.cpp b/Utils.cpp
index 9ff7920..4635975 100644
--- a/Utils.cpp
+++ b/Utils.cpp
@@ -240,7 +240,12 @@
     }
 
     fsx.fsx_projid = projectId;
-    return ioctl(fd, FS_IOC_FSSETXATTR, &fsx);
+    ret = ioctl(fd, FS_IOC_FSSETXATTR, &fsx);
+    if (ret == -1) {
+        PLOG(ERROR) << "Failed to set project id on " << path;
+        return ret;
+    }
+    return 0;
 }
 
 int PrepareDirWithProjectId(const std::string& path, mode_t mode, uid_t uid, gid_t gid,
@@ -499,25 +504,25 @@
     return -errno;
 }
 
-status_t KillProcessesWithMountPrefix(const std::string& path) {
-    if (KillProcessesWithMounts(path, SIGINT) == 0) {
+status_t KillProcessesWithTmpfsMountPrefix(const std::string& path) {
+    if (KillProcessesWithTmpfsMounts(path, SIGINT) == 0) {
         return OK;
     }
     if (sSleepOnUnmount) sleep(5);
 
-    if (KillProcessesWithMounts(path, SIGTERM) == 0) {
+    if (KillProcessesWithTmpfsMounts(path, SIGTERM) == 0) {
         return OK;
     }
     if (sSleepOnUnmount) sleep(5);
 
-    if (KillProcessesWithMounts(path, SIGKILL) == 0) {
+    if (KillProcessesWithTmpfsMounts(path, SIGKILL) == 0) {
         return OK;
     }
     if (sSleepOnUnmount) sleep(5);
 
     // Send SIGKILL a second time to determine if we've
     // actually killed everyone mount
-    if (KillProcessesWithMounts(path, SIGKILL) == 0) {
+    if (KillProcessesWithTmpfsMounts(path, SIGKILL) == 0) {
         return OK;
     }
     PLOG(ERROR) << "Failed to kill processes using " << path;
diff --git a/Utils.h b/Utils.h
index 4771593..a3316c3 100644
--- a/Utils.h
+++ b/Utils.h
@@ -78,8 +78,8 @@
 /* Kills any processes using given path */
 status_t KillProcessesUsingPath(const std::string& path);
 
-/* Kills any processes using given mount prifix */
-status_t KillProcessesWithMountPrefix(const std::string& path);
+/* Kills any processes using given tmpfs mount prifix */
+status_t KillProcessesWithTmpfsMountPrefix(const std::string& path);
 
 /* Creates bind mount from source to target */
 status_t BindMount(const std::string& source, const std::string& target);
diff --git a/VoldNativeService.cpp b/VoldNativeService.cpp
index 938e7db..5ea72bb 100644
--- a/VoldNativeService.cpp
+++ b/VoldNativeService.cpp
@@ -764,6 +764,14 @@
     return translateBool(fscrypt_fixate_newest_user_key_auth(userId));
 }
 
+binder::Status VoldNativeService::getUnlockedUsers(std::vector<int>* _aidl_return) {
+    ENFORCE_SYSTEM_OR_ROOT;
+    ACQUIRE_CRYPT_LOCK;
+
+    *_aidl_return = fscrypt_get_unlocked_users();
+    return Ok();
+}
+
 binder::Status VoldNativeService::unlockUserKey(int32_t userId, int32_t userSerial,
                                                 const std::string& token,
                                                 const std::string& secret) {
diff --git a/VoldNativeService.h b/VoldNativeService.h
index 123f127..33d0f3a 100644
--- a/VoldNativeService.h
+++ b/VoldNativeService.h
@@ -127,6 +127,7 @@
                                     const std::string& secret);
     binder::Status fixateNewestUserKeyAuth(int32_t userId);
 
+    binder::Status getUnlockedUsers(std::vector<int>* _aidl_return);
     binder::Status unlockUserKey(int32_t userId, int32_t userSerial, const std::string& token,
                                  const std::string& secret);
     binder::Status lockUserKey(int32_t userId);
diff --git a/binder/android/os/IVold.aidl b/binder/android/os/IVold.aidl
index fd134c5..62685e5 100644
--- a/binder/android/os/IVold.aidl
+++ b/binder/android/os/IVold.aidl
@@ -102,6 +102,7 @@
                         @utf8InCpp String secret);
     void fixateNewestUserKeyAuth(int userId);
 
+    int[] getUnlockedUsers();
     void unlockUserKey(int userId, int userSerial, @utf8InCpp String token,
                        @utf8InCpp String secret);
     void lockUserKey(int userId);
diff --git a/cryptfs.cpp b/cryptfs.cpp
index 5764b5d..622d1f4 100644
--- a/cryptfs.cpp
+++ b/cryptfs.cpp
@@ -256,8 +256,6 @@
     struct crypt_persist_entry persist_entry[0];
 };
 
-static int wait_and_unmount(const char* mountpoint, bool kill);
-
 typedef int (*kdf_func)(const char* passwd, const unsigned char* salt, unsigned char* ikey,
                         void* params);
 
@@ -1510,20 +1508,23 @@
         [](const std::string& s1, const std::string& s2) {return s1.length() > s2.length(); });
 
     for (std::string& mount_point : umount_points) {
-        umount(mount_point.c_str());
-        SLOGW("umount sub-directory mount %s\n", mount_point.c_str());
+        SLOGW("unmounting sub-directory mount %s\n", mount_point.c_str());
+        if (umount(mount_point.c_str()) != 0) {
+            SLOGE("unmounting %s failed: %s\n", mount_point.c_str(), strerror(errno));
+        }
     }
 }
 
-static int wait_and_unmount(const char* mountpoint, bool kill) {
+static int wait_and_unmount(const char* mountpoint) {
     int i, err, rc;
 
-    // Subdirectory mount will cause a failure of umount.
-    ensure_subdirectory_unmounted(mountpoint);
 #define WAIT_UNMOUNT_COUNT 20
 
     /*  Now umount the tmpfs filesystem */
     for (i = 0; i < WAIT_UNMOUNT_COUNT; i++) {
+        // Subdirectory mount will cause a failure of umount.
+        ensure_subdirectory_unmounted(mountpoint);
+
         if (umount(mountpoint) == 0) {
             break;
         }
@@ -1537,15 +1538,19 @@
 
         err = errno;
 
-        /* If allowed, be increasingly aggressive before the last two retries */
-        if (kill) {
-            if (i == (WAIT_UNMOUNT_COUNT - 3)) {
-                SLOGW("sending SIGHUP to processes with open files\n");
-                android::vold::KillProcessesWithOpenFiles(mountpoint, SIGTERM);
-            } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
-                SLOGW("sending SIGKILL to processes with open files\n");
-                android::vold::KillProcessesWithOpenFiles(mountpoint, SIGKILL);
-            }
+        // If it's taking too long, kill the processes with open files.
+        //
+        // Originally this logic was only a fail-safe, but now it's relied on to
+        // kill certain processes that aren't stopped by init because they
+        // aren't in the main or late_start classes.  So to avoid waiting for
+        // too long, we now are fairly aggressive in starting to kill processes.
+        static_assert(WAIT_UNMOUNT_COUNT >= 4);
+        if (i == 2) {
+            SLOGW("sending SIGTERM to processes with open files\n");
+            android::vold::KillProcessesWithOpenFiles(mountpoint, SIGTERM);
+        } else if (i >= 3) {
+            SLOGW("sending SIGKILL to processes with open files\n");
+            android::vold::KillProcessesWithOpenFiles(mountpoint, SIGKILL);
         }
 
         sleep(1);
@@ -1679,7 +1684,7 @@
         return -1;
     }
 
-    if (!(rc = wait_and_unmount(DATA_MNT_POINT, true))) {
+    if (!(rc = wait_and_unmount(DATA_MNT_POINT))) {
         /* If ro.crypto.readonly is set to 1, mount the decrypted
          * filesystem readonly.  This is used when /data is mounted by
          * recovery mode.
@@ -2238,7 +2243,7 @@
          * /data, set a property saying we're doing inplace encryption,
          * and restart the framework.
          */
-        wait_and_unmount(DATA_MNT_POINT, true);
+        wait_and_unmount(DATA_MNT_POINT);
         if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
             goto error_shutting_down;
         }
diff --git a/fs/F2fs.cpp b/fs/F2fs.cpp
index d6f3dab..f4a81ee 100644
--- a/fs/F2fs.cpp
+++ b/fs/F2fs.cpp
@@ -20,6 +20,7 @@
 #include <android-base/logging.h>
 #include <android-base/properties.h>
 #include <android-base/stringprintf.h>
+#include <logwrap/logwrap.h>
 #include <fscrypt/fscrypt.h>
 
 #include <string>
@@ -71,45 +72,46 @@
 }
 
 status_t Format(const std::string& source) {
-    std::vector<std::string> cmd;
-    cmd.push_back(kMkfsPath);
+    std::vector<char const*> cmd;
+    cmd.emplace_back(kMkfsPath);
 
-    cmd.push_back("-f");
-    cmd.push_back("-d1");
+    cmd.emplace_back("-f");
+    cmd.emplace_back("-d1");
 
     if (android::base::GetBoolProperty("vold.has_quota", false)) {
-        cmd.push_back("-O");
-        cmd.push_back("quota");
+        cmd.emplace_back("-O");
+        cmd.emplace_back("quota");
     }
     if (fscrypt_is_native()) {
-        cmd.push_back("-O");
-        cmd.push_back("encrypt");
+        cmd.emplace_back("-O");
+        cmd.emplace_back("encrypt");
     }
     if (android::base::GetBoolProperty("vold.has_compress", false)) {
-        cmd.push_back("-O");
-        cmd.push_back("compression");
-        cmd.push_back("-O");
-        cmd.push_back("extra_attr");
+        cmd.emplace_back("-O");
+        cmd.emplace_back("compression");
+        cmd.emplace_back("-O");
+        cmd.emplace_back("extra_attr");
     }
-    cmd.push_back("-O");
-    cmd.push_back("verity");
+    cmd.emplace_back("-O");
+    cmd.emplace_back("verity");
 
     const bool needs_casefold =
             android::base::GetBoolProperty("external_storage.casefold.enabled", false);
     const bool needs_projid =
             android::base::GetBoolProperty("external_storage.projid.enabled", false);
     if (needs_projid) {
-        cmd.push_back("-O");
-        cmd.push_back("project_quota,extra_attr");
+        cmd.emplace_back("-O");
+        cmd.emplace_back("project_quota,extra_attr");
     }
     if (needs_casefold) {
-        cmd.push_back("-O");
-        cmd.push_back("casefold");
-        cmd.push_back("-C");
-        cmd.push_back("utf8");
+        cmd.emplace_back("-O");
+        cmd.emplace_back("casefold");
+        cmd.emplace_back("-C");
+        cmd.emplace_back("utf8");
     }
-    cmd.push_back(source);
-    return ForkExecvp(cmd);
+    cmd.emplace_back(source.c_str());
+    return logwrap_fork_execvp(cmd.size(), cmd.data(), nullptr, false, LOG_KLOG,
+                             false, nullptr);
 }
 
 }  // namespace f2fs
diff --git a/model/EmulatedVolume.cpp b/model/EmulatedVolume.cpp
index 9431f95..6f21ff8 100644
--- a/model/EmulatedVolume.cpp
+++ b/model/EmulatedVolume.cpp
@@ -191,28 +191,31 @@
     // umount the whole Android/ dir.
     if (mAppDataIsolationEnabled) {
         std::string appObbDir(StringPrintf("%s/%d/Android/obb", getPath().c_str(), userId));
-        KillProcessesWithMountPrefix(appObbDir);
-    } else {
-        std::string androidDataTarget(
-                StringPrintf("/mnt/user/%d/%s/%d/Android/data", userId, label.c_str(), userId));
-
-        LOG(INFO) << "Unmounting " << androidDataTarget;
-        auto status = UnmountTree(androidDataTarget);
-        if (status != OK) {
-            return status;
-        }
-        LOG(INFO) << "Unmounted " << androidDataTarget;
-
-        std::string androidObbTarget(
-                StringPrintf("/mnt/user/%d/%s/%d/Android/obb", userId, label.c_str(), userId));
-
-        LOG(INFO) << "Unmounting " << androidObbTarget;
-        status = UnmountTree(androidObbTarget);
-        if (status != OK) {
-            return status;
-        }
-        LOG(INFO) << "Unmounted " << androidObbTarget;
+        // Here we assume obb/data dirs is mounted as tmpfs, then it must be caused by
+        // app data isolation.
+        KillProcessesWithTmpfsMountPrefix(appObbDir);
     }
+
+    // Always unmount data and obb dirs as they are mounted to lowerfs for speeding up access.
+    std::string androidDataTarget(
+            StringPrintf("/mnt/user/%d/%s/%d/Android/data", userId, label.c_str(), userId));
+
+    LOG(INFO) << "Unmounting " << androidDataTarget;
+    auto status = UnmountTree(androidDataTarget);
+    if (status != OK) {
+        return status;
+    }
+    LOG(INFO) << "Unmounted " << androidDataTarget;
+
+    std::string androidObbTarget(
+            StringPrintf("/mnt/user/%d/%s/%d/Android/obb", userId, label.c_str(), userId));
+
+    LOG(INFO) << "Unmounting " << androidObbTarget;
+    status = UnmountTree(androidObbTarget);
+    if (status != OK) {
+        return status;
+    }
+    LOG(INFO) << "Unmounted " << androidObbTarget;
     return OK;
 }