--- /dev/null
+From 02a4843618fb35f847cf8c31cd3893873aa0edde Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 13 Sep 2017 09:17:57 -0400
+Subject: brd: fix overflow in __brd_direct_access
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 02a4843618fb35f847cf8c31cd3893873aa0edde upstream.
+
+The code in __brd_direct_access multiplies the pgoff variable by page size
+and divides it by 512. It can cause overflow on 32-bit architectures. The
+overflow happens if we create ramdisk larger than 4G and use it as a
+sparse device.
+
+This patch replaces multiplication and division with multiplication by the
+number of sectors per page.
+
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Fixes: 1647b9b959c7 ("brd: add dax_operations support")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/brd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/block/brd.c
++++ b/drivers/block/brd.c
+@@ -339,7 +339,7 @@ static long __brd_direct_access(struct b
+
+ if (!brd)
+ return -ENODEV;
+- page = brd_insert_page(brd, PFN_PHYS(pgoff) / 512);
++ page = brd_insert_page(brd, (sector_t)pgoff << PAGE_SECTORS_SHIFT);
+ if (!page)
+ return -ENOSPC;
+ *kaddr = page_address(page);
--- /dev/null
+From f507b54dccfd8000c517d740bc45f20c74532d18 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Thu, 7 Sep 2017 13:54:35 +0200
+Subject: bsg-lib: don't free job in bsg_prepare_job
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit f507b54dccfd8000c517d740bc45f20c74532d18 upstream.
+
+The job structure is allocated as part of the request, so we should not
+free it in the error path of bsg_prepare_job.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/bsg-lib.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/block/bsg-lib.c
++++ b/block/bsg-lib.c
+@@ -154,7 +154,6 @@ static int bsg_prepare_job(struct device
+ failjob_rls_rqst_payload:
+ kfree(job->request_payload.sg_list);
+ failjob_rls_job:
+- kfree(job);
+ return -ENOMEM;
+ }
+
--- /dev/null
+From 23586b66d84ba3184b8820277f3fc42761640f87 Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Mon, 18 Sep 2017 18:18:45 -0500
+Subject: Fix SMB3.1.1 guest authentication to Samba
+
+From: Steve French <smfrench@gmail.com>
+
+commit 23586b66d84ba3184b8820277f3fc42761640f87 upstream.
+
+Samba rejects SMB3.1.1 dialect (vers=3.1.1) negotiate requests from
+the kernel client due to the two byte pad at the end of the negotiate
+contexts.
+
+Signed-off-by: Steve French <smfrench@gmail.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -427,7 +427,7 @@ assemble_neg_contexts(struct smb2_negoti
+ build_encrypt_ctxt((struct smb2_encryption_neg_context *)pneg_ctxt);
+ req->NegotiateContextOffset = cpu_to_le32(OFFSET_OF_NEG_CONTEXT);
+ req->NegotiateContextCount = cpu_to_le16(2);
+- inc_rfc1001_len(req, 4 + sizeof(struct smb2_preauth_neg_context) + 2
++ inc_rfc1001_len(req, 4 + sizeof(struct smb2_preauth_neg_context)
+ + sizeof(struct smb2_encryption_neg_context)); /* calculate hash */
+ }
+ #else
--- /dev/null
+From 10201655b085df8e000822e496e5d4016a167a36 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Tue, 19 Sep 2017 07:15:35 -0500
+Subject: gfs2: Fix debugfs glocks dump
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit 10201655b085df8e000822e496e5d4016a167a36 upstream.
+
+The switch to rhashtables (commit 88ffbf3e03) broke the debugfs glock
+dump (/sys/kernel/debug/gfs2/<device>/glocks) for dumps bigger than a
+single buffer: the right function for restarting an rhashtable iteration
+from the beginning of the hash table is rhashtable_walk_enter;
+rhashtable_walk_stop + rhashtable_walk_start will just resume from the
+current position.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/glock.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+--- a/fs/gfs2/glock.c
++++ b/fs/gfs2/glock.c
+@@ -1863,13 +1863,9 @@ static void *gfs2_glock_seq_start(struct
+ {
+ struct gfs2_glock_iter *gi = seq->private;
+ loff_t n = *pos;
+- int ret;
+
+- if (gi->last_pos <= *pos)
+- n = (*pos - gi->last_pos);
+-
+- ret = rhashtable_walk_start(&gi->hti);
+- if (ret)
++ rhashtable_walk_enter(&gl_hash_table, &gi->hti);
++ if (rhashtable_walk_start(&gi->hti) != 0)
+ return NULL;
+
+ do {
+@@ -1877,6 +1873,7 @@ static void *gfs2_glock_seq_start(struct
+ } while (gi->gl && n--);
+
+ gi->last_pos = *pos;
++
+ return gi->gl;
+ }
+
+@@ -1888,6 +1885,7 @@ static void *gfs2_glock_seq_next(struct
+ (*pos)++;
+ gi->last_pos = *pos;
+ gfs2_glock_iter_next(gi);
++
+ return gi->gl;
+ }
+
+@@ -1897,6 +1895,7 @@ static void gfs2_glock_seq_stop(struct s
+
+ gi->gl = NULL;
+ rhashtable_walk_stop(&gi->hti);
++ rhashtable_walk_exit(&gi->hti);
+ }
+
+ static int gfs2_glock_seq_show(struct seq_file *seq, void *iter_ptr)
+@@ -1959,12 +1958,10 @@ static int __gfs2_glocks_open(struct ino
+ struct gfs2_glock_iter *gi = seq->private;
+
+ gi->sdp = inode->i_private;
+- gi->last_pos = 0;
+ seq->buf = kmalloc(GFS2_SEQ_GOODSIZE, GFP_KERNEL | __GFP_NOWARN);
+ if (seq->buf)
+ seq->size = GFS2_SEQ_GOODSIZE;
+ gi->gl = NULL;
+- rhashtable_walk_enter(&gl_hash_table, &gi->hti);
+ }
+ return ret;
+ }
+@@ -1980,7 +1977,6 @@ static int gfs2_glocks_release(struct in
+ struct gfs2_glock_iter *gi = seq->private;
+
+ gi->gl = NULL;
+- rhashtable_walk_exit(&gi->hti);
+ return seq_release_private(inode, file);
+ }
+
--- /dev/null
+From 29a0cfbf91ba997591535a4f7246835ce8328141 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Mon, 18 Sep 2017 12:21:37 +0200
+Subject: libceph: don't allow bidirectional swap of pg-upmap-items
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 29a0cfbf91ba997591535a4f7246835ce8328141 upstream.
+
+This reverts most of commit f53b7665c8ce ("libceph: upmap semantic
+changes").
+
+We need to prevent duplicates in the final result. For example, we
+can currently take
+
+ [1,2,3] and apply [(1,2)] and get [2,2,3]
+
+or
+
+ [1,2,3] and apply [(3,2)] and get [1,2,2]
+
+The rest of the system is not prepared to handle duplicates in the
+result set like this.
+
+The reverted piece was intended to allow
+
+ [1,2,3] and [(1,2),(2,1)] to get [2,1,3]
+
+to reorder primaries. First, this bidirectional swap is hard to
+implement in a way that also prevents dups. For example, [1,2,3] and
+[(1,4),(2,3),(3,4)] would give [4,3,4] but would we just drop the last
+step we'd have [4,3,3] which is also invalid, etc. Simpler to just not
+handle bidirectional swaps. In practice, they are not needed: if you
+just want to choose a different primary then use primary_affinity, or
+pg_upmap (not pg_upmap_items).
+
+Link: http://tracker.ceph.com/issues/21410
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Sage Weil <sage@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/osdmap.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -2445,19 +2445,34 @@ static void apply_upmap(struct ceph_osdm
+
+ pg = lookup_pg_mapping(&osdmap->pg_upmap_items, pgid);
+ if (pg) {
+- for (i = 0; i < raw->size; i++) {
+- for (j = 0; j < pg->pg_upmap_items.len; j++) {
+- int from = pg->pg_upmap_items.from_to[j][0];
+- int to = pg->pg_upmap_items.from_to[j][1];
++ /*
++ * Note: this approach does not allow a bidirectional swap,
++ * e.g., [[1,2],[2,1]] applied to [0,1,2] -> [0,2,1].
++ */
++ for (i = 0; i < pg->pg_upmap_items.len; i++) {
++ int from = pg->pg_upmap_items.from_to[i][0];
++ int to = pg->pg_upmap_items.from_to[i][1];
++ int pos = -1;
++ bool exists = false;
+
+- if (from == raw->osds[i]) {
+- if (!(to != CRUSH_ITEM_NONE &&
+- to < osdmap->max_osd &&
+- osdmap->osd_weight[to] == 0))
+- raw->osds[i] = to;
++ /* make sure replacement doesn't already appear */
++ for (j = 0; j < raw->size; j++) {
++ int osd = raw->osds[j];
++
++ if (osd == to) {
++ exists = true;
+ break;
+ }
++ /* ignore mapping if target is marked out */
++ if (osd == from && pos < 0 &&
++ !(to != CRUSH_ITEM_NONE &&
++ to < osdmap->max_osd &&
++ osdmap->osd_weight[to] == 0)) {
++ pos = j;
++ }
+ }
++ if (!exists && pos >= 0)
++ raw->osds[pos] = to;
+ }
+ }
+ }
--- /dev/null
+From 33a56086712561b8b9cdc881e0317f4c36861f72 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Mon, 18 Sep 2017 14:48:58 -0700
+Subject: libnvdimm, namespace: fix btt claim class crash
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 33a56086712561b8b9cdc881e0317f4c36861f72 upstream.
+
+Maurice reports:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
+ IP: holder_class_store+0x253/0x2b0 [libnvdimm]
+
+...while trying to reconfigure an NVDIMM-N namespace into 'sector' /
+'btt' mode. The crash points to this line:
+
+ (gdb) li *(holder_class_store+0x253)
+ 0x7773 is in holder_class_store (drivers/nvdimm/namespace_devs.c:1420).
+ 1415 for (i = 0; i < nd_region->ndr_mappings; i++) {
+ 1416 struct nd_mapping *nd_mapping = &nd_region->mapping[i];
+ 1417 struct nvdimm_drvdata *ndd = to_ndd(nd_mapping);
+ 1418 struct nd_namespace_index *nsindex;
+ 1419
+ 1420 nsindex = to_namespace_index(ndd, ndd->ns_current);
+
+...where we are failing because ndd is NULL due to NVDIMM-N dimms not
+supporting labels.
+
+Long story short, default to the BTTv1 format in the label-less /
+NVDIMM-N case.
+
+Fixes: 14e494542636 ("libnvdimm, btt: BTT updates for UEFI 2.7 format")
+Cc: Vishal Verma <vishal.l.verma@intel.com>
+Reported-by: Maurice A. Saldivar <maurice.a.saldivar@hpe.com>
+Tested-by: Maurice A. Saldivar <maurice.a.saldivar@hpe.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/namespace_devs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/nvdimm/namespace_devs.c
++++ b/drivers/nvdimm/namespace_devs.c
+@@ -1417,6 +1417,15 @@ static int btt_claim_class(struct device
+ struct nvdimm_drvdata *ndd = to_ndd(nd_mapping);
+ struct nd_namespace_index *nsindex;
+
++ /*
++ * If any of the DIMMs do not support labels the only
++ * possible BTT format is v1.
++ */
++ if (!ndd) {
++ loop_bitmask = 0;
++ break;
++ }
++
+ nsindex = to_namespace_index(ndd, ndd->ns_current);
+ if (nsindex == NULL)
+ loop_bitmask |= 1;
--- /dev/null
+From fd0b19ed5389187829b854900511c9195875bb42 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@imgtec.com>
+Date: Tue, 19 Sep 2017 22:07:18 -0700
+Subject: MIPS: Fix perf event init
+
+From: Paul Burton <paul.burton@imgtec.com>
+
+commit fd0b19ed5389187829b854900511c9195875bb42 upstream.
+
+Commit c311c797998c ("cpumask: make "nr_cpumask_bits" unsigned")
+modified mipspmu_event_init() to cast the struct perf_event cpu field to
+an unsigned integer before it is compared with nr_cpumask_bits (and
+*ahem* did so without copying the linux-mips mailing list or any MIPS
+developers...). This is broken because the cpu field may be -1 for
+events which follow a process rather than being affine to a particular
+CPU. When this is the case the cast to an unsigned int results in a
+value equal to ULONG_MAX, which is always greater than nr_cpumask_bits
+so we always fail mipspmu_event_init() and return -ENODEV.
+
+The check against nr_cpumask_bits seems nonsensical anyway, so this
+patch simply removes it. The cpu field is going to either be -1 or a
+valid CPU number. Comparing it with nr_cpumask_bits is effectively
+checking that it's a valid cpu number, but it seems safe to rely on the
+core perf events code to ensure that's the case.
+
+The end result is that this fixes use of perf on MIPS when not
+constraining events to a particular CPU, and fixes the "perf list hw"
+command which fails to list any events without this.
+
+Signed-off-by: Paul Burton <paul.burton@imgtec.com>
+Fixes: c311c797998c ("cpumask: make "nr_cpumask_bits" unsigned")
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/17323/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/perf_event_mipsxx.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/perf_event_mipsxx.c
++++ b/arch/mips/kernel/perf_event_mipsxx.c
+@@ -618,8 +618,7 @@ static int mipspmu_event_init(struct per
+ return -ENOENT;
+ }
+
+- if ((unsigned int)event->cpu >= nr_cpumask_bits ||
+- (event->cpu >= 0 && !cpu_online(event->cpu)))
++ if (event->cpu >= 0 && !cpu_online(event->cpu))
+ return -ENODEV;
+
+ if (!atomic_inc_not_zero(&active_events)) {
--- /dev/null
+From e785fa0a164aa11001cba931367c7f94ffaff888 Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Wed, 13 Sep 2017 00:21:21 +0200
+Subject: nl80211: check for the required netlink attributes presence
+
+From: Vladis Dronov <vdronov@redhat.com>
+
+commit e785fa0a164aa11001cba931367c7f94ffaff888 upstream.
+
+nl80211_set_rekey_data() does not check if the required attributes
+NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
+NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
+users with CAP_NET_ADMIN privilege and may result in NULL dereference
+and a system crash. Add a check for the required attributes presence.
+This patch is based on the patch by bo Zhang.
+
+This fixes CVE-2017-12153.
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
+Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
+Reported-by: bo Zhang <zhangbo5891001@gmail.com>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -10903,6 +10903,9 @@ static int nl80211_set_rekey_data(struct
+ if (err)
+ return err;
+
++ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
++ !tb[NL80211_REKEY_DATA_KCK])
++ return -EINVAL;
+ if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
+ return -ERANGE;
+ if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
--- /dev/null
+From 157c460e10cb6eca29ccbd0f023db159d0c55ec7 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Tue, 19 Sep 2017 02:22:39 +0200
+Subject: PM: core: Fix device_pm_check_callbacks()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 157c460e10cb6eca29ccbd0f023db159d0c55ec7 upstream.
+
+The device_pm_check_callbacks() function doesn't check legacy
+->suspend and ->resume callback pointers under the device's
+bus type, class and driver, so in some cases it may set the
+no_pm_callbacks flag for the device incorrectly and then the
+callbacks may be skipped during system suspend/resume, which
+shouldn't happen.
+
+Fixes: aa8e54b55947 (PM / sleep: Go direct_complete if driver has no callbacks)
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/power/main.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -1835,10 +1835,13 @@ void device_pm_check_callbacks(struct de
+ {
+ spin_lock_irq(&dev->power.lock);
+ dev->power.no_pm_callbacks =
+- (!dev->bus || pm_ops_is_empty(dev->bus->pm)) &&
+- (!dev->class || pm_ops_is_empty(dev->class->pm)) &&
++ (!dev->bus || (pm_ops_is_empty(dev->bus->pm) &&
++ !dev->bus->suspend && !dev->bus->resume)) &&
++ (!dev->class || (pm_ops_is_empty(dev->class->pm) &&
++ !dev->class->suspend && !dev->class->resume)) &&
+ (!dev->type || pm_ops_is_empty(dev->type->pm)) &&
+ (!dev->pm_domain || pm_ops_is_empty(&dev->pm_domain->ops)) &&
+- (!dev->driver || pm_ops_is_empty(dev->driver->pm));
++ (!dev->driver || (pm_ops_is_empty(dev->driver->pm) &&
++ !dev->driver->suspend && !dev->driver->resume));
+ spin_unlock_irq(&dev->power.lock);
+ }
--- /dev/null
+From 3e77adeea3c5393c9b624832f65441e92867f618 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Thu, 7 Sep 2017 16:35:40 +1000
+Subject: powerpc/eeh: Create PHB PEs after EEH is initialized
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit 3e77adeea3c5393c9b624832f65441e92867f618 upstream.
+
+Otherwise we end up not yet having computed the right diag data size
+on powernv where EEH initialization is delayed, thus causing memory
+corruption later on when calling OPAL.
+
+Fixes: 5cb1f8fdddb7 ("powerpc/powernv/pci: Dynamically allocate PHB diag data")
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Acked-by: Russell Currey <ruscur@russell.cc>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/eeh.c | 4 ++++
+ arch/powerpc/kernel/eeh_dev.c | 18 ------------------
+ 2 files changed, 4 insertions(+), 18 deletions(-)
+
+--- a/arch/powerpc/kernel/eeh.c
++++ b/arch/powerpc/kernel/eeh.c
+@@ -1018,6 +1018,10 @@ int eeh_init(void)
+ } else if ((ret = eeh_ops->init()))
+ return ret;
+
++ /* Initialize PHB PEs */
++ list_for_each_entry_safe(hose, tmp, &hose_list, list_node)
++ eeh_dev_phb_init_dynamic(hose);
++
+ /* Initialize EEH event */
+ ret = eeh_event_init();
+ if (ret)
+--- a/arch/powerpc/kernel/eeh_dev.c
++++ b/arch/powerpc/kernel/eeh_dev.c
+@@ -83,21 +83,3 @@ void eeh_dev_phb_init_dynamic(struct pci
+ /* EEH PE for PHB */
+ eeh_phb_pe_create(phb);
+ }
+-
+-/**
+- * eeh_dev_phb_init - Create EEH devices for devices included in existing PHBs
+- *
+- * Scan all the existing PHBs and create EEH devices for their OF
+- * nodes and their children OF nodes
+- */
+-static int __init eeh_dev_phb_init(void)
+-{
+- struct pci_controller *phb, *tmp;
+-
+- list_for_each_entry_safe(phb, tmp, &hose_list, list_node)
+- eeh_dev_phb_init_dynamic(phb);
+-
+- return 0;
+-}
+-
+-core_initcall(eeh_dev_phb_init);
--- /dev/null
+From b537ca6fede69a281dc524983e5e633d79a10a08 Mon Sep 17 00:00:00 2001
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Date: Wed, 20 Sep 2017 17:02:52 -0400
+Subject: powerpc/pseries: Fix parent_dn reference leak in add_dt_node()
+
+From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+
+commit b537ca6fede69a281dc524983e5e633d79a10a08 upstream.
+
+A reference to the parent device node is held by add_dt_node() for the
+node to be added. If the call to dlpar_configure_connector() fails
+add_dt_node() returns ENOENT and that reference is not freed.
+
+Add a call to of_node_put(parent_dn) prior to bailing out after a
+failed dlpar_configure_connector() call.
+
+Fixes: 8d5ff320766f ("powerpc/pseries: Make dlpar_configure_connector parent node aware")
+Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/pseries/mobility.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/mobility.c
++++ b/arch/powerpc/platforms/pseries/mobility.c
+@@ -226,8 +226,10 @@ static int add_dt_node(__be32 parent_pha
+ return -ENOENT;
+
+ dn = dlpar_configure_connector(drc_index, parent_dn);
+- if (!dn)
++ if (!dn) {
++ of_node_put(parent_dn);
+ return -ENOENT;
++ }
+
+ rc = dlpar_attach_node(dn);
+ if (rc)
--- /dev/null
+From c1fa0768a8713b135848f78fd43ffc208d8ded70 Mon Sep 17 00:00:00 2001
+From: Gustavo Romero <gromero@linux.vnet.ibm.com>
+Date: Wed, 13 Sep 2017 22:13:48 -0400
+Subject: powerpc/tm: Flush TM only if CPU has TM feature
+
+From: Gustavo Romero <gromero@linux.vnet.ibm.com>
+
+commit c1fa0768a8713b135848f78fd43ffc208d8ded70 upstream.
+
+Commit cd63f3c ("powerpc/tm: Fix saving of TM SPRs in core dump")
+added code to access TM SPRs in flush_tmregs_to_thread(). However
+flush_tmregs_to_thread() does not check if TM feature is available on
+CPU before trying to access TM SPRs in order to copy live state to
+thread structures. flush_tmregs_to_thread() is indeed guarded by
+CONFIG_PPC_TRANSACTIONAL_MEM but it might be the case that kernel
+was compiled with CONFIG_PPC_TRANSACTIONAL_MEM enabled and ran on
+a CPU without TM feature available, thus rendering the execution
+of TM instructions that are treated by the CPU as illegal instructions.
+
+The fix is just to add proper checking in flush_tmregs_to_thread()
+if CPU has the TM feature before accessing any TM-specific resource,
+returning immediately if TM is no available on the CPU. Adding
+that checking in flush_tmregs_to_thread() instead of in places
+where it is called, like in vsr_get() and vsr_set(), is better because
+avoids the same problem cropping up elsewhere.
+
+Fixes: cd63f3c ("powerpc/tm: Fix saving of TM SPRs in core dump")
+Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
+Reviewed-by: Cyril Bur <cyrilbur@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/ptrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/ptrace.c
++++ b/arch/powerpc/kernel/ptrace.c
+@@ -131,7 +131,7 @@ static void flush_tmregs_to_thread(struc
+ * in the appropriate thread structures from live.
+ */
+
+- if (tsk != current)
++ if ((!cpu_has_feature(CPU_FTR_TM)) || (tsk != current))
+ return;
+
+ if (MSR_TM_SUSPENDED(mfmsr())) {
--- /dev/null
+From 612601d0013f03de9dc134809f242ba6da9ca252 Mon Sep 17 00:00:00 2001
+From: Alex Estrin <alex.estrin@intel.com>
+Date: Tue, 26 Sep 2017 06:06:22 -0700
+Subject: Revert "IB/ipoib: Update broadcast object if PKey value was changed in index 0"
+
+From: Alex Estrin <alex.estrin@intel.com>
+
+commit 612601d0013f03de9dc134809f242ba6da9ca252 upstream.
+
+commit 9a9b8112699d will cause core to fail UD QP from being destroyed
+on ipoib unload, therefore cause resources leakage.
+On pkey change event above patch modifies mgid before calling underlying
+driver to detach it from QP. Drivers' detach_mcast() will fail to find
+modified mgid it was never given to attach in a first place.
+Core qp->usecnt will never go down, so ib_destroy_qp() will fail.
+
+IPoIB driver actually does take care of new broadcast mgid based on new
+pkey by destroying an old mcast object in ipoib_mcast_dev_flush())
+....
+ if (priv->broadcast) {
+ rb_erase(&priv->broadcast->rb_node, &priv->multicast_tree);
+ list_add_tail(&priv->broadcast->list, &remove_list);
+ priv->broadcast = NULL;
+ }
+...
+
+then in restarted ipoib_macst_join_task() creating a new broadcast mcast
+object, sending join request and on completion tells the driver to attach
+to reinitialized QP:
+...
+if (!priv->broadcast) {
+...
+ broadcast = ipoib_mcast_alloc(dev, 0);
+...
+ memcpy(broadcast->mcmember.mgid.raw, priv->dev->broadcast + 4,
+ sizeof (union ib_gid));
+ priv->broadcast = broadcast;
+...
+
+Fixes: 9a9b8112699d ("IB/ipoib: Update broadcast object if PKey value was changed in index 0")
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Alex Estrin <alex.estrin@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Reviewed-by: Feras Daoud <ferasda@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/ipoib/ipoib_ib.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+@@ -1000,19 +1000,6 @@ static inline int update_parent_pkey(str
+ */
+ priv->dev->broadcast[8] = priv->pkey >> 8;
+ priv->dev->broadcast[9] = priv->pkey & 0xff;
+-
+- /*
+- * Update the broadcast address in the priv->broadcast object,
+- * in case it already exists, otherwise no one will do that.
+- */
+- if (priv->broadcast) {
+- spin_lock_irq(&priv->lock);
+- memcpy(priv->broadcast->mcmember.mgid.raw,
+- priv->dev->broadcast + 4,
+- sizeof(union ib_gid));
+- spin_unlock_irq(&priv->lock);
+- }
+-
+ return 0;
+ }
+
--- /dev/null
+From ba385c0594e723d41790ecfb12c610e6f90c7785 Mon Sep 17 00:00:00 2001
+From: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+Date: Mon, 18 Sep 2017 16:51:51 +0200
+Subject: s390/mm: fix write access check in gup_huge_pmd()
+
+From: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+
+commit ba385c0594e723d41790ecfb12c610e6f90c7785 upstream.
+
+The check for the _SEGMENT_ENTRY_PROTECT bit in gup_huge_pmd() is the
+wrong way around. It must not be set for write==1, and not be checked for
+write==0. Fix this similar to how it was fixed for ptes long time ago in
+commit 25591b070336 ("[S390] fix get_user_pages_fast").
+
+One impact of this bug would be unnecessarily using the gup slow path for
+write==0 on r/w mappings. A potentially more severe impact would be that
+gup_huge_pmd() will succeed for write==1 on r/o mappings.
+
+Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/mm/gup.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/arch/s390/mm/gup.c
++++ b/arch/s390/mm/gup.c
+@@ -56,13 +56,12 @@ static inline int gup_pte_range(pmd_t *p
+ static inline int gup_huge_pmd(pmd_t *pmdp, pmd_t pmd, unsigned long addr,
+ unsigned long end, int write, struct page **pages, int *nr)
+ {
+- unsigned long mask, result;
+ struct page *head, *page;
++ unsigned long mask;
+ int refs;
+
+- result = write ? 0 : _SEGMENT_ENTRY_PROTECT;
+- mask = result | _SEGMENT_ENTRY_INVALID;
+- if ((pmd_val(pmd) & mask) != result)
++ mask = (write ? _SEGMENT_ENTRY_PROTECT : 0) | _SEGMENT_ENTRY_INVALID;
++ if ((pmd_val(pmd) & mask) != 0)
+ return 0;
+ VM_BUG_ON(!pfn_valid(pmd_val(pmd) >> PAGE_SHIFT));
+
--- /dev/null
+From 91c575b335766effa6103eba42a82aea560c365f Mon Sep 17 00:00:00 2001
+From: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+Date: Mon, 18 Sep 2017 16:10:35 +0200
+Subject: s390/mm: make pmdp_invalidate() do invalidation only
+
+From: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+
+commit 91c575b335766effa6103eba42a82aea560c365f upstream.
+
+Commit 227be799c39a ("s390/mm: uninline pmdp_xxx functions from pgtable.h")
+inadvertently changed the behavior of pmdp_invalidate(), so that it now
+clears the pmd instead of just marking it as invalid. Fix this by restoring
+the original behavior.
+
+A possible impact of the misbehaving pmdp_invalidate() would be the
+MADV_DONTNEED races (see commits ced10803 and 58ceeb6b), although we
+should not have any negative impact on the related dirty/young flags,
+since those flags are not set by the hardware on s390.
+
+Fixes: 227be799c39a ("s390/mm: uninline pmdp_xxx functions from pgtable.h")
+Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/include/asm/pgtable.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/include/asm/pgtable.h
++++ b/arch/s390/include/asm/pgtable.h
+@@ -1462,7 +1462,9 @@ static inline pmd_t pmdp_huge_clear_flus
+ static inline void pmdp_invalidate(struct vm_area_struct *vma,
+ unsigned long addr, pmd_t *pmdp)
+ {
+- pmdp_xchg_direct(vma->vm_mm, addr, pmdp, __pmd(_SEGMENT_ENTRY_EMPTY));
++ pmd_t pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID);
++
++ pmdp_xchg_direct(vma->vm_mm, addr, pmdp, pmd);
+ }
+
+ #define __HAVE_ARCH_PMDP_SET_WRPROTECT
--- /dev/null
+From fc3100d64f0ae383ae8d845989103da06d62763b Mon Sep 17 00:00:00 2001
+From: Pu Hou <bjhoupu@linux.vnet.ibm.com>
+Date: Tue, 5 Sep 2017 05:17:24 +0200
+Subject: s390/perf: fix bug when creating per-thread event
+
+From: Pu Hou <bjhoupu@linux.vnet.ibm.com>
+
+commit fc3100d64f0ae383ae8d845989103da06d62763b upstream.
+
+A per-thread event could not be created correctly like below:
+
+ perf record --per-thread -e rB0000 -- sleep 1
+ Error:
+ The sys_perf_event_open() syscall returned with 19 (No such device) for event (rB0000).
+ /bin/dmesg may provide additional information.
+ No CONFIG_PERF_EVENTS=y kernel support configured?
+
+This bug was introduced by:
+
+ commit c311c797998c1e70eade463dd60b843da4f1a203
+ Author: Alexey Dobriyan <adobriyan@gmail.com>
+ Date: Mon May 8 15:56:15 2017 -0700
+
+ cpumask: make "nr_cpumask_bits" unsigned
+
+If a per-thread event is not attached to any CPU, the cpu field
+in struct perf_event is -1. The above commit converts the CPU number
+to unsigned int, which result in an illegal CPU number.
+
+Fixes: c311c797998c ("cpumask: make "nr_cpumask_bits" unsigned")
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Pu Hou <bjhoupu@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/perf_cpum_sf.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -823,9 +823,12 @@ static int cpumsf_pmu_event_init(struct
+ }
+
+ /* Check online status of the CPU to which the event is pinned */
+- if ((unsigned int)event->cpu >= nr_cpumask_bits ||
+- (event->cpu >= 0 && !cpu_online(event->cpu)))
+- return -ENODEV;
++ if (event->cpu >= 0) {
++ if ((unsigned int)event->cpu >= nr_cpumask_bits)
++ return -ENODEV;
++ if (!cpu_online(event->cpu))
++ return -ENODEV;
++ }
+
+ /* Force reset of idle/hv excludes regardless of what the
+ * user requested.
keys-fix-writing-past-end-of-user-supplied-buffer-in-keyring_read.patch
keys-prevent-creating-a-different-user-s-keyrings.patch
keys-prevent-keyctl_read-on-negative-key.patch
+libnvdimm-namespace-fix-btt-claim-class-crash.patch
+powerpc-eeh-create-phb-pes-after-eeh-is-initialized.patch
+powerpc-pseries-fix-parent_dn-reference-leak-in-add_dt_node.patch
+powerpc-tm-flush-tm-only-if-cpu-has-tm-feature.patch
+mips-fix-perf-event-init.patch
+s390-perf-fix-bug-when-creating-per-thread-event.patch
+s390-mm-make-pmdp_invalidate-do-invalidation-only.patch
+s390-mm-fix-write-access-check-in-gup_huge_pmd.patch
+pm-core-fix-device_pm_check_callbacks.patch
+revert-ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch
+fix-smb3.1.1-guest-authentication-to-samba.patch
+smb3-fix-endian-warning.patch
+smb3-warn-user-if-trying-to-sign-connection-that-authenticated-as-guest.patch
+smb-validate-negotiate-to-protect-against-downgrade-even-if-signing-off.patch
+smb3-handle-new-statx-fields.patch
+smb3-don-t-ignore-o_sync-o_dsync-and-o_direct-flags.patch
+vfs-return-enxio-for-negative-seek_hole-seek_data-offsets.patch
+libceph-don-t-allow-bidirectional-swap-of-pg-upmap-items.patch
+nl80211-check-for-the-required-netlink-attributes-presence.patch
+brd-fix-overflow-in-__brd_direct_access.patch
+gfs2-fix-debugfs-glocks-dump.patch
+bsg-lib-don-t-free-job-in-bsg_prepare_job.patch
--- /dev/null
+From 0603c96f3af50e2f9299fa410c224ab1d465e0f9 Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Wed, 20 Sep 2017 19:57:18 -0500
+Subject: SMB: Validate negotiate (to protect against downgrade) even if signing off
+
+From: Steve French <smfrench@gmail.com>
+
+commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9 upstream.
+
+As long as signing is supported (ie not a guest user connection) and
+connection is SMB3 or SMB3.02, then validate negotiate (protect
+against man in the middle downgrade attacks). We had been doing this
+only when signing was required, not when signing was just enabled,
+but this more closely matches recommended SMB3 behavior and is
+better security. Suggested by Metze.
+
+Signed-off-by: Steve French <smfrench@gmail.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Acked-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -644,15 +644,22 @@ int smb3_validate_negotiate(const unsign
+
+ /*
+ * validation ioctl must be signed, so no point sending this if we
+- * can not sign it. We could eventually change this to selectively
++ * can not sign it (ie are not known user). Even if signing is not
++ * required (enabled but not negotiated), in those cases we selectively
+ * sign just this, the first and only signed request on a connection.
+- * This is good enough for now since a user who wants better security
+- * would also enable signing on the mount. Having validation of
+- * negotiate info for signed connections helps reduce attack vectors
++ * Having validation of negotiate info helps reduce attack vectors.
+ */
+- if (tcon->ses->server->sign == false)
++ if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_GUEST)
+ return 0; /* validation requires signing */
+
++ if (tcon->ses->user_name == NULL) {
++ cifs_dbg(FYI, "Can't validate negotiate: null user mount\n");
++ return 0; /* validation requires signing */
++ }
++
++ if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL)
++ cifs_dbg(VFS, "Unexpected null user (anonymous) auth flag sent by server\n");
++
+ vneg_inbuf.Capabilities =
+ cpu_to_le32(tcon->ses->server->vals->req_capabilities);
+ memcpy(vneg_inbuf.Guid, tcon->ses->server->client_guid,
--- /dev/null
+From 1013e760d10e614dc10b5624ce9fc41563ba2e65 Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Fri, 22 Sep 2017 01:40:27 -0500
+Subject: SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
+
+From: Steve French <smfrench@gmail.com>
+
+commit 1013e760d10e614dc10b5624ce9fc41563ba2e65 upstream.
+
+Signed-off-by: Steve French <smfrench@gmail.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/file.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -224,6 +224,13 @@ cifs_nt_open(char *full_path, struct ino
+ if (backup_cred(cifs_sb))
+ create_options |= CREATE_OPEN_BACKUP_INTENT;
+
++ /* O_SYNC also has bit for O_DSYNC so following check picks up either */
++ if (f_flags & O_SYNC)
++ create_options |= CREATE_WRITE_THROUGH;
++
++ if (f_flags & O_DIRECT)
++ create_options |= CREATE_NO_BUFFER;
++
+ oparms.tcon = tcon;
+ oparms.cifs_sb = cifs_sb;
+ oparms.desired_access = desired_access;
--- /dev/null
+From 590d08d3da45e9fed423b08ab38d71886c07abc8 Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Tue, 19 Sep 2017 11:43:47 -0500
+Subject: SMB3: Fix endian warning
+
+From: Steve French <smfrench@gmail.com>
+
+commit 590d08d3da45e9fed423b08ab38d71886c07abc8 upstream.
+
+Multi-dialect negotiate patch had a minor endian error.
+
+Signed-off-by: Steve French <smfrench@gmail.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -558,10 +558,11 @@ SMB2_negotiate(const unsigned int xid, s
+ /* ops set to 3.0 by default for default so update */
+ ses->server->ops = &smb21_operations;
+ }
+- } else if (rsp->DialectRevision != ses->server->vals->protocol_id) {
++ } else if (le16_to_cpu(rsp->DialectRevision) !=
++ ses->server->vals->protocol_id) {
+ /* if requested single dialect ensure returned dialect matched */
+ cifs_dbg(VFS, "Illegal 0x%x dialect returned: not requested\n",
+- cpu_to_le16(rsp->DialectRevision));
++ le16_to_cpu(rsp->DialectRevision));
+ return -EIO;
+ }
+
--- /dev/null
+From 6e70e26dc52be62c1f39f81b5f71fa5e643677aa Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Thu, 21 Sep 2017 21:32:29 -0500
+Subject: SMB3: handle new statx fields
+
+From: Steve French <smfrench@gmail.com>
+
+commit 6e70e26dc52be62c1f39f81b5f71fa5e643677aa upstream.
+
+We weren't returning the creation time or the two easily supported
+attributes (ENCRYPTED or COMPRESSED) for the getattr call to
+allow statx to return these fields.
+
+Signed-off-by: Steve French <smfrench@gmail.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>\
+Acked-by: Jeff Layton <jlayton@poochiereds.net>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/inode.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -234,6 +234,8 @@ cifs_unix_basic_to_fattr(struct cifs_fat
+ fattr->cf_atime = cifs_NTtimeToUnix(info->LastAccessTime);
+ fattr->cf_mtime = cifs_NTtimeToUnix(info->LastModificationTime);
+ fattr->cf_ctime = cifs_NTtimeToUnix(info->LastStatusChange);
++ /* old POSIX extensions don't get create time */
++
+ fattr->cf_mode = le64_to_cpu(info->Permissions);
+
+ /*
+@@ -2024,6 +2026,19 @@ int cifs_getattr(const struct path *path
+ stat->blksize = CIFS_MAX_MSGSIZE;
+ stat->ino = CIFS_I(inode)->uniqueid;
+
++ /* old CIFS Unix Extensions doesn't return create time */
++ if (CIFS_I(inode)->createtime) {
++ stat->result_mask |= STATX_BTIME;
++ stat->btime =
++ cifs_NTtimeToUnix(cpu_to_le64(CIFS_I(inode)->createtime));
++ }
++
++ stat->attributes_mask |= (STATX_ATTR_COMPRESSED | STATX_ATTR_ENCRYPTED);
++ if (CIFS_I(inode)->cifsAttrs & FILE_ATTRIBUTE_COMPRESSED)
++ stat->attributes |= STATX_ATTR_COMPRESSED;
++ if (CIFS_I(inode)->cifsAttrs & FILE_ATTRIBUTE_ENCRYPTED)
++ stat->attributes |= STATX_ATTR_ENCRYPTED;
++
+ /*
+ * If on a multiuser mount without unix extensions or cifsacl being
+ * enabled, and the admin hasn't overridden them, set the ownership
--- /dev/null
+From c721c38957fb19982416f6be71aae7b30630d83b Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Tue, 19 Sep 2017 18:40:03 -0500
+Subject: SMB3: Warn user if trying to sign connection that authenticated as guest
+
+From: Steve French <smfrench@gmail.com>
+
+commit c721c38957fb19982416f6be71aae7b30630d83b upstream.
+
+It can be confusing if user ends up authenticated as guest but they
+requested signing (server will return error validating signed packets)
+so add log message for this.
+
+Signed-off-by: Steve French <smfrench@gmail.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1164,6 +1164,8 @@ SMB2_sess_setup(const unsigned int xid,
+ while (sess_data->func)
+ sess_data->func(sess_data);
+
++ if ((ses->session_flags & SMB2_SESSION_FLAG_IS_GUEST) && (ses->sign))
++ cifs_dbg(VFS, "signing requested but authenticated as guest\n");
+ rc = sess_data->result;
+ out:
+ kfree(sess_data);
--- /dev/null
+From fc46820b27a2d9a46f7e90c9ceb4a64a1bc5fab8 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Mon, 25 Sep 2017 12:23:03 +0200
+Subject: vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit fc46820b27a2d9a46f7e90c9ceb4a64a1bc5fab8 upstream.
+
+In generic_file_llseek_size, return -ENXIO for negative offsets as well
+as offsets beyond EOF. This affects filesystems which don't implement
+SEEK_HOLE / SEEK_DATA internally, possibly because they don't support
+holes.
+
+Fixes xfstest generic/448.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/read_write.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -112,7 +112,7 @@ generic_file_llseek_size(struct file *fi
+ * In the generic case the entire file is data, so as long as
+ * offset isn't at the end of the file then the offset is data.
+ */
+- if (offset >= eof)
++ if ((unsigned long long)offset >= eof)
+ return -ENXIO;
+ break;
+ case SEEK_HOLE:
+@@ -120,7 +120,7 @@ generic_file_llseek_size(struct file *fi
+ * There is a virtual hole at the end of the file, so as long as
+ * offset isn't i_size or larger, return i_size.
+ */
+- if (offset >= eof)
++ if ((unsigned long long)offset >= eof)
+ return -ENXIO;
+ offset = eof;
+ break;
projects / thirdparty / kernel / stable-queue.git / commitdiff
