--- /dev/null
+From 61ab0d403bbd9d5f6e000e3b5734049141b91f6f Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+Date: Sun, 28 Aug 2016 21:10:04 +0200
+Subject: ASoC: Intel: Atom: add a missing star in a memcpy call
+
+From: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+
+commit 61ab0d403bbd9d5f6e000e3b5734049141b91f6f upstream.
+
+In sst_prepare_and_post_msg(), when a response is received in "block",
+the following code gets executed:
+
+ *data = kzalloc(block->size, GFP_KERNEL);
+ memcpy(data, (void *) block->data, block->size);
+
+The memcpy() call overwrites the content of the *data pointer instead of
+filling the newly-allocated memory (which pointer is hold by *data).
+Fix this by merging kzalloc+memcpy into a single kmemdup() call.
+
+Thanks Joe Perches for suggesting using kmemdup()
+
+Fixes: 60dc8dbacb00 ("ASoC: Intel: sst: Add some helper functions")
+Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/intel/atom/sst/sst_pvt.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- a/sound/soc/intel/atom/sst/sst_pvt.c
++++ b/sound/soc/intel/atom/sst/sst_pvt.c
+@@ -279,17 +279,15 @@ int sst_prepare_and_post_msg(struct inte
+
+ if (response) {
+ ret = sst_wait_timeout(sst, block);
+- if (ret < 0) {
++ if (ret < 0)
+ goto out;
+- } else if(block->data) {
+- if (!data)
+- goto out;
+- *data = kzalloc(block->size, GFP_KERNEL);
+- if (!(*data)) {
++
++ if (data && block->data) {
++ *data = kmemdup(block->data, block->size, GFP_KERNEL);
++ if (!*data) {
+ ret = -ENOMEM;
+ goto out;
+- } else
+- memcpy(data, (void *) block->data, block->size);
++ }
+ }
+ }
+ out:
--- /dev/null
+From a8961cae29c38e225120c40c3340dbde2f552e60 Mon Sep 17 00:00:00 2001
+From: John Hsu <KCHSU0@nuvoton.com>
+Date: Tue, 13 Sep 2016 11:56:03 +0800
+Subject: ASoC: nau8825: fix bug in FLL parameter
+
+From: John Hsu <KCHSU0@nuvoton.com>
+
+commit a8961cae29c38e225120c40c3340dbde2f552e60 upstream.
+
+In the FLL parameter calculation, the FVCO should choose the maximum one.
+The patch is to fix the bug about the wrong FVCO chosen.
+
+Signed-off-by: John Hsu <KCHSU0@nuvoton.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/nau8825.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/nau8825.c
++++ b/sound/soc/codecs/nau8825.c
+@@ -916,7 +916,7 @@ static int nau8825_calc_fll_param(unsign
+ /* Calculate the FLL 10-bit integer input and the FLL 16-bit fractional
+ * input based on FDCO, FREF and FLL ratio.
+ */
+- fvco = div_u64(fvco << 16, fref * fll_param->ratio);
++ fvco = div_u64(fvco_max << 16, fref * fll_param->ratio);
+ fll_param->fll_int = (fvco >> 16) & 0x3FF;
+ fll_param->fll_frac = fvco & 0xFFFF;
+ return 0;
--- /dev/null
+From c84750906b4818d4929fbf73a4ae6c113b94f52b Mon Sep 17 00:00:00 2001
+From: Justin Maggard <jmaggard10@gmail.com>
+Date: Tue, 4 Oct 2016 13:17:58 -0700
+Subject: async_pq_val: fix DMA memory leak
+
+From: Justin Maggard <jmaggard10@gmail.com>
+
+commit c84750906b4818d4929fbf73a4ae6c113b94f52b upstream.
+
+Add missing dmaengine_unmap_put(), so we don't OOM during RAID6 sync.
+
+Fixes: 1786b943dad0 ("async_pq_val: convert to dmaengine_unmap_data")
+Signed-off-by: Justin Maggard <jmaggard@netgear.com>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/async_tx/async_pq.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/crypto/async_tx/async_pq.c
++++ b/crypto/async_tx/async_pq.c
+@@ -368,8 +368,6 @@ async_syndrome_val(struct page **blocks,
+
+ dma_set_unmap(tx, unmap);
+ async_tx_submit(chan, tx, submit);
+-
+- return tx;
+ } else {
+ struct page *p_src = P(blocks, disks);
+ struct page *q_src = Q(blocks, disks);
+@@ -424,9 +422,11 @@ async_syndrome_val(struct page **blocks,
+ submit->cb_param = cb_param_orig;
+ submit->flags = flags_orig;
+ async_tx_sync_epilog(submit);
+-
+- return NULL;
++ tx = NULL;
+ }
++ dmaengine_unmap_put(unmap);
++
++ return tx;
+ }
+ EXPORT_SYMBOL_GPL(async_syndrome_val);
+
--- /dev/null
+From 23e9c128adb2038c27a424a5f91136e7fa3e0dc6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Wed, 21 Sep 2016 08:23:24 +0200
+Subject: brcmfmac: fix memory leak in brcmf_fill_bss_param
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+commit 23e9c128adb2038c27a424a5f91136e7fa3e0dc6 upstream.
+
+This function is called from get_station callback which means that every
+time user space was getting/dumping station(s) we were leaking 2 KiB.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Fixes: 1f0dc59a6de ("brcmfmac: rework .get_station() callback")
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
+@@ -2408,7 +2408,7 @@ static void brcmf_fill_bss_param(struct
+ WL_BSS_INFO_MAX);
+ if (err) {
+ brcmf_err("Failed to get bss info (%d)\n", err);
+- return;
++ goto out_kfree;
+ }
+ si->filled |= BIT(NL80211_STA_INFO_BSS_PARAM);
+ si->bss_param.beacon_interval = le16_to_cpu(buf->bss_le.beacon_period);
+@@ -2420,6 +2420,9 @@ static void brcmf_fill_bss_param(struct
+ si->bss_param.flags |= BSS_PARAM_FLAGS_SHORT_PREAMBLE;
+ if (capability & WLAN_CAPABILITY_SHORT_SLOT_TIME)
+ si->bss_param.flags |= BSS_PARAM_FLAGS_SHORT_SLOT_TIME;
++
++out_kfree:
++ kfree(buf);
+ }
+
+ static s32
--- /dev/null
+From 14155cafeadda946376260e2ad5d39a0528a332f Mon Sep 17 00:00:00 2001
+From: Junjie Mao <junjie.mao@enight.me>
+Date: Mon, 17 Oct 2016 09:20:25 +0800
+Subject: btrfs: assign error values to the correct bio structs
+
+From: Junjie Mao <junjie.mao@enight.me>
+
+commit 14155cafeadda946376260e2ad5d39a0528a332f upstream.
+
+Fixes: 4246a0b63bd8 ("block: add a bi_error field to struct bio")
+Signed-off-by: Junjie Mao <junjie.mao@enight.me>
+Acked-by: David Sterba <dsterba@suse.cz>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/compression.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/compression.c
++++ b/fs/btrfs/compression.c
+@@ -694,7 +694,7 @@ int btrfs_submit_compressed_read(struct
+ ret = btrfs_map_bio(root, READ, comp_bio,
+ mirror_num, 0);
+ if (ret) {
+- bio->bi_error = ret;
++ comp_bio->bi_error = ret;
+ bio_endio(comp_bio);
+ }
+
+@@ -723,7 +723,7 @@ int btrfs_submit_compressed_read(struct
+
+ ret = btrfs_map_bio(root, READ, comp_bio, mirror_num, 0);
+ if (ret) {
+- bio->bi_error = ret;
++ comp_bio->bi_error = ret;
+ bio_endio(comp_bio);
+ }
+
--- /dev/null
+From 85714108e673cdebf1b96abfd50fb02a29e37577 Mon Sep 17 00:00:00 2001
+From: Peng Fan <van.freenix@gmail.com>
+Date: Thu, 21 Jul 2016 16:04:21 +0800
+Subject: drivers: base: dma-mapping: page align the size when unmap_kernel_range
+
+From: Peng Fan <van.freenix@gmail.com>
+
+commit 85714108e673cdebf1b96abfd50fb02a29e37577 upstream.
+
+When dma_common_free_remap, the input parameter 'size' may not
+be page aligned. And, met kernel warning when doing iommu dma
+for usb on i.MX8 platform:
+"
+WARNING: CPU: 0 PID: 869 at mm/vmalloc.c:70 vunmap_page_range+0x1cc/0x1d0()
+Modules linked in:
+CPU: 0 PID: 869 Comm: kworker/u8:2 Not tainted 4.1.12-00444-gc5f9d1d-dirty #147
+Hardware name: Freescale i.MX8DV Sabreauto (DT)
+Workqueue: ci_otg ci_otg_work
+Call trace:
+[<ffffffc000089920>] dump_backtrace+0x0/0x124
+[<ffffffc000089a54>] show_stack+0x10/0x1c
+[<ffffffc0006d1e6c>] dump_stack+0x84/0xc8
+[<ffffffc0000b4568>] warn_slowpath_common+0x98/0xd0
+[<ffffffc0000b4664>] warn_slowpath_null+0x14/0x20
+[<ffffffc000170348>] vunmap_page_range+0x1c8/0x1d0
+[<ffffffc000170388>] unmap_kernel_range+0x20/0x88
+[<ffffffc000460ad0>] dma_common_free_remap+0x74/0x84
+[<ffffffc0000940d8>] __iommu_free_attrs+0x9c/0x178
+[<ffffffc0005032bc>] ehci_mem_cleanup+0x140/0x194
+[<ffffffc000503548>] ehci_stop+0x8c/0xdc
+[<ffffffc0004e8258>] usb_remove_hcd+0xf0/0x1cc
+[<ffffffc000516bc0>] host_stop+0x1c/0x58
+[<ffffffc000514240>] ci_otg_work+0xdc/0x120
+[<ffffffc0000c9c34>] process_one_work+0x134/0x33c
+[<ffffffc0000c9f78>] worker_thread+0x13c/0x47c
+[<ffffffc0000cf43c>] kthread+0xd8/0xf0
+"
+
+For dma_common_pages_remap:
+dma_common_pages_remap
+ |->get_vm_area_caller
+ |->__get_vm_area_node
+ |->size = PAGE_ALIGN(size); Round up to page aligned
+
+So, in dma_common_free_remap, we also need a page aligned size,
+pass 'PAGE_ALIGN(size)' to unmap_kernel_range.
+
+Signed-off-by: Peng Fan <van.freenix@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/dma-mapping.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/dma-mapping.c
++++ b/drivers/base/dma-mapping.c
+@@ -335,7 +335,7 @@ void dma_common_free_remap(void *cpu_add
+ return;
+ }
+
+- unmap_kernel_range((unsigned long)cpu_addr, size);
++ unmap_kernel_range((unsigned long)cpu_addr, PAGE_ALIGN(size));
+ vunmap(cpu_addr);
+ }
+ #endif
--- /dev/null
+From a09f99eddef44035ec764075a37bace8181bec38 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Sat, 1 Oct 2016 07:32:32 +0200
+Subject: fuse: fix killing s[ug]id in setattr
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit a09f99eddef44035ec764075a37bace8181bec38 upstream.
+
+Fuse allowed VFS to set mode in setattr in order to clear suid/sgid on
+chown and truncate, and (since writeback_cache) write. The problem with
+this is that it'll potentially restore a stale mode.
+
+The poper fix would be to let the filesystems do the suid/sgid clearing on
+the relevant operations. Possibly some are already doing it but there's no
+way we can detect this.
+
+So fix this by refreshing and recalculating the mode. Do this only if
+ATTR_KILL_S[UG]ID is set to not destroy performance for writes. This is
+still racy but the size of the window is reduced.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dir.c | 32 ++++++++++++++++++++++++++++----
+ 1 file changed, 28 insertions(+), 4 deletions(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1697,16 +1697,40 @@ error:
+ static int fuse_setattr(struct dentry *entry, struct iattr *attr)
+ {
+ struct inode *inode = d_inode(entry);
++ struct file *file = (attr->ia_valid & ATTR_FILE) ? attr->ia_file : NULL;
+ int ret;
+
+ if (!fuse_allow_current_process(get_fuse_conn(inode)))
+ return -EACCES;
+
+- if (attr->ia_valid & ATTR_FILE)
+- ret = fuse_do_setattr(inode, attr, attr->ia_file);
+- else
+- ret = fuse_do_setattr(inode, attr, NULL);
++ if (attr->ia_valid & (ATTR_KILL_SUID | ATTR_KILL_SGID)) {
++ int kill;
+
++ attr->ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID |
++ ATTR_MODE);
++ /*
++ * ia_mode calculation may have used stale i_mode. Refresh and
++ * recalculate.
++ */
++ ret = fuse_do_getattr(inode, NULL, file);
++ if (ret)
++ return ret;
++
++ attr->ia_mode = inode->i_mode;
++ kill = should_remove_suid(entry);
++ if (kill & ATTR_KILL_SUID) {
++ attr->ia_valid |= ATTR_MODE;
++ attr->ia_mode &= ~S_ISUID;
++ }
++ if (kill & ATTR_KILL_SGID) {
++ attr->ia_valid |= ATTR_MODE;
++ attr->ia_mode &= ~S_ISGID;
++ }
++ }
++ if (!attr->ia_valid)
++ return 0;
++
++ ret = fuse_do_setattr(inode, attr, file);
+ if (!ret) {
+ /* Directory mode changed, may need to revalidate access */
+ if (d_is_dir(entry) && (attr->ia_valid & ATTR_MODE))
--- /dev/null
+From 5e2b8828ff3d79aca8c3a1730652758753205b61 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Sat, 1 Oct 2016 07:32:32 +0200
+Subject: fuse: invalidate dir dentry after chmod
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 5e2b8828ff3d79aca8c3a1730652758753205b61 upstream.
+
+Without "default_permissions" the userspace filesystem's lookup operation
+needs to perform the check for search permission on the directory.
+
+If directory does not allow search for everyone (this is quite rare) then
+userspace filesystem has to set entry timeout to zero to make sure
+permissions are always performed.
+
+Changing the mode bits of the directory should also invalidate the
+(previously cached) dentry to make sure the next lookup will have a chance
+of updating the timeout, if needed.
+
+Reported-by: Jean-Pierre André <jean-pierre.andre@wanadoo.fr>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dir.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1697,14 +1697,22 @@ error:
+ static int fuse_setattr(struct dentry *entry, struct iattr *attr)
+ {
+ struct inode *inode = d_inode(entry);
++ int ret;
+
+ if (!fuse_allow_current_process(get_fuse_conn(inode)))
+ return -EACCES;
+
+ if (attr->ia_valid & ATTR_FILE)
+- return fuse_do_setattr(inode, attr, attr->ia_file);
++ ret = fuse_do_setattr(inode, attr, attr->ia_file);
+ else
+- return fuse_do_setattr(inode, attr, NULL);
++ ret = fuse_do_setattr(inode, attr, NULL);
++
++ if (!ret) {
++ /* Directory mode changed, may need to revalidate access */
++ if (d_is_dir(entry) && (attr->ia_valid & ATTR_MODE))
++ fuse_invalidate_entry_cache(entry);
++ }
++ return ret;
+ }
+
+ static int fuse_getattr(struct vfsmount *mnt, struct dentry *entry,
--- /dev/null
+From cb3ae6d25a5471be62bfe6ac1fccc0e91edeaba0 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Sat, 1 Oct 2016 07:32:32 +0200
+Subject: fuse: listxattr: verify xattr list
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit cb3ae6d25a5471be62bfe6ac1fccc0e91edeaba0 upstream.
+
+Make sure userspace filesystem is returning a well formed list of xattr
+names (zero or more nonzero length, null terminated strings).
+
+[Michael Theall: only verify in the nonzero size case]
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dir.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1797,6 +1797,23 @@ static ssize_t fuse_getxattr(struct dent
+ return ret;
+ }
+
++static int fuse_verify_xattr_list(char *list, size_t size)
++{
++ size_t origsize = size;
++
++ while (size) {
++ size_t thislen = strnlen(list, size);
++
++ if (!thislen || thislen == size)
++ return -EIO;
++
++ size -= thislen + 1;
++ list += thislen + 1;
++ }
++
++ return origsize;
++}
++
+ static ssize_t fuse_listxattr(struct dentry *entry, char *list, size_t size)
+ {
+ struct inode *inode = d_inode(entry);
+@@ -1832,6 +1849,8 @@ static ssize_t fuse_listxattr(struct den
+ ret = fuse_simple_request(fc, &args);
+ if (!ret && !size)
+ ret = outarg.size;
++ if (ret > 0 && size)
++ ret = fuse_verify_xattr_list(list, ret);
+ if (ret == -ENOSYS) {
+ fc->no_listxattr = 1;
+ ret = -EOPNOTSUPP;
--- /dev/null
+From edfc23ee3e0ebbb6713d7574ab1b00abff178f6c Mon Sep 17 00:00:00 2001
+From: Guilherme G Piccoli <gpiccoli@linux.vnet.ibm.com>
+Date: Mon, 3 Oct 2016 00:31:12 -0700
+Subject: i40e: avoid NULL pointer dereference and recursive errors on early PCI error
+
+From: Guilherme G Piccoli <gpiccoli@linux.vnet.ibm.com>
+
+commit edfc23ee3e0ebbb6713d7574ab1b00abff178f6c upstream.
+
+Although rare, it's possible to hit PCI error early on device
+probe, meaning possibly some structs are not entirely initialized,
+and some might even be completely uninitialized, leading to NULL
+pointer dereference.
+
+The i40e driver currently presents a "bad" behavior if device hits
+such early PCI error: firstly, the struct i40e_pf might not be
+attached to pci_dev yet, leading to a NULL pointer dereference on
+access to pf->state.
+
+Even checking if the struct is NULL and avoiding the access in that
+case isn't enough, since the driver cannot recover from PCI error
+that early; in our experiments we saw multiple failures on kernel
+log, like:
+
+ [549.664] i40e 0007:01:00.1: Initial pf_reset failed: -15
+ [549.664] i40e: probe of 0007:01:00.1 failed with error -15
+ [...]
+ [871.644] i40e 0007:01:00.1: The driver for the device stopped because the
+ device firmware failed to init. Try updating your NVM image.
+ [871.644] i40e: probe of 0007:01:00.1 failed with error -32
+ [...]
+ [872.516] i40e 0007:01:00.0: ARQ: Unknown event 0x0000 ignored
+
+Between the first probe failure (error -15) and the second (error -32)
+another PCI error happened due to the first bad probe. Also, driver
+started to flood console with those ARQ event messages.
+
+This patch will prevent these issues by allowing error recovery
+mechanism to remove the failed device from the system instead of
+trying to recover from early PCI errors during device probe.
+
+Signed-off-by: Guilherme G Piccoli <gpiccoli@linux.vnet.ibm.com>
+Acked-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -10853,6 +10853,12 @@ static pci_ers_result_t i40e_pci_error_d
+
+ dev_info(&pdev->dev, "%s: error %d\n", __func__, error);
+
++ if (!pf) {
++ dev_info(&pdev->dev,
++ "Cannot recover - error happened during device probe\n");
++ return PCI_ERS_RESULT_DISCONNECT;
++ }
++
+ /* shutdown all operations */
+ if (!test_bit(__I40E_SUSPENDED, &pf->state)) {
+ rtnl_lock();
--- /dev/null
+From 79a628d14ec7ee9adfdc3ce04343d5ff7ec20c18 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 10 Apr 2016 18:50:48 -0400
+Subject: reiserfs: switch to generic_{get,set,remove}xattr()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 79a628d14ec7ee9adfdc3ce04343d5ff7ec20c18 upstream.
+
+reiserfs_xattr_[sg]et() will fail with -EOPNOTSUPP for V1 inodes anyway,
+and all reiserfs instances of ->[sg]et() call it and so does ->set_acl().
+
+Checks for name length in the instances had been bogus; they should've
+been "bugger off if it's _exactly_ the prefix" (as generic would
+do on its own) and not "bugger off if it's shorter than the prefix" -
+that can't happen.
+
+xattr_full_name() is needed to adjust for the fact that generic instances
+will skip the prefix in the name passed to ->[gs]et(); reiserfs homegrown
+analogues didn't.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+[jeffm: Backported to v4.4: adjust context]
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/reiserfs/file.c | 6 ++--
+ fs/reiserfs/namei.c | 18 +++++++-------
+ fs/reiserfs/xattr.c | 54 -------------------------------------------
+ fs/reiserfs/xattr.h | 9 -------
+ fs/reiserfs/xattr_security.c | 14 ++++-------
+ fs/reiserfs/xattr_trusted.c | 14 ++++-------
+ fs/reiserfs/xattr_user.c | 14 ++++-------
+ 7 files changed, 31 insertions(+), 98 deletions(-)
+
+--- a/fs/reiserfs/file.c
++++ b/fs/reiserfs/file.c
+@@ -260,10 +260,10 @@ const struct file_operations reiserfs_fi
+
+ const struct inode_operations reiserfs_file_inode_operations = {
+ .setattr = reiserfs_setattr,
+- .setxattr = reiserfs_setxattr,
+- .getxattr = reiserfs_getxattr,
++ .setxattr = generic_setxattr,
++ .getxattr = generic_getxattr,
+ .listxattr = reiserfs_listxattr,
+- .removexattr = reiserfs_removexattr,
++ .removexattr = generic_removexattr,
+ .permission = reiserfs_permission,
+ .get_acl = reiserfs_get_acl,
+ .set_acl = reiserfs_set_acl,
+--- a/fs/reiserfs/namei.c
++++ b/fs/reiserfs/namei.c
+@@ -1649,10 +1649,10 @@ const struct inode_operations reiserfs_d
+ .mknod = reiserfs_mknod,
+ .rename = reiserfs_rename,
+ .setattr = reiserfs_setattr,
+- .setxattr = reiserfs_setxattr,
+- .getxattr = reiserfs_getxattr,
++ .setxattr = generic_setxattr,
++ .getxattr = generic_getxattr,
+ .listxattr = reiserfs_listxattr,
+- .removexattr = reiserfs_removexattr,
++ .removexattr = generic_removexattr,
+ .permission = reiserfs_permission,
+ .get_acl = reiserfs_get_acl,
+ .set_acl = reiserfs_set_acl,
+@@ -1667,10 +1667,10 @@ const struct inode_operations reiserfs_s
+ .follow_link = page_follow_link_light,
+ .put_link = page_put_link,
+ .setattr = reiserfs_setattr,
+- .setxattr = reiserfs_setxattr,
+- .getxattr = reiserfs_getxattr,
++ .setxattr = generic_setxattr,
++ .getxattr = generic_getxattr,
+ .listxattr = reiserfs_listxattr,
+- .removexattr = reiserfs_removexattr,
++ .removexattr = generic_removexattr,
+ .permission = reiserfs_permission,
+ };
+
+@@ -1679,10 +1679,10 @@ const struct inode_operations reiserfs_s
+ */
+ const struct inode_operations reiserfs_special_inode_operations = {
+ .setattr = reiserfs_setattr,
+- .setxattr = reiserfs_setxattr,
+- .getxattr = reiserfs_getxattr,
++ .setxattr = generic_setxattr,
++ .getxattr = generic_getxattr,
+ .listxattr = reiserfs_listxattr,
+- .removexattr = reiserfs_removexattr,
++ .removexattr = generic_removexattr,
+ .permission = reiserfs_permission,
+ .get_acl = reiserfs_get_acl,
+ .set_acl = reiserfs_set_acl,
+--- a/fs/reiserfs/xattr.c
++++ b/fs/reiserfs/xattr.c
+@@ -763,60 +763,6 @@ find_xattr_handler_prefix(const struct x
+ return xah;
+ }
+
+-
+-/*
+- * Inode operation getxattr()
+- */
+-ssize_t
+-reiserfs_getxattr(struct dentry * dentry, const char *name, void *buffer,
+- size_t size)
+-{
+- const struct xattr_handler *handler;
+-
+- handler = find_xattr_handler_prefix(dentry->d_sb->s_xattr, name);
+-
+- if (!handler || get_inode_sd_version(d_inode(dentry)) == STAT_DATA_V1)
+- return -EOPNOTSUPP;
+-
+- return handler->get(handler, dentry, name, buffer, size);
+-}
+-
+-/*
+- * Inode operation setxattr()
+- *
+- * d_inode(dentry)->i_mutex down
+- */
+-int
+-reiserfs_setxattr(struct dentry *dentry, const char *name, const void *value,
+- size_t size, int flags)
+-{
+- const struct xattr_handler *handler;
+-
+- handler = find_xattr_handler_prefix(dentry->d_sb->s_xattr, name);
+-
+- if (!handler || get_inode_sd_version(d_inode(dentry)) == STAT_DATA_V1)
+- return -EOPNOTSUPP;
+-
+- return handler->set(handler, dentry, name, value, size, flags);
+-}
+-
+-/*
+- * Inode operation removexattr()
+- *
+- * d_inode(dentry)->i_mutex down
+- */
+-int reiserfs_removexattr(struct dentry *dentry, const char *name)
+-{
+- const struct xattr_handler *handler;
+-
+- handler = find_xattr_handler_prefix(dentry->d_sb->s_xattr, name);
+-
+- if (!handler || get_inode_sd_version(d_inode(dentry)) == STAT_DATA_V1)
+- return -EOPNOTSUPP;
+-
+- return handler->set(handler, dentry, name, NULL, 0, XATTR_REPLACE);
+-}
+-
+ struct listxattr_buf {
+ struct dir_context ctx;
+ size_t size;
+--- a/fs/reiserfs/xattr.h
++++ b/fs/reiserfs/xattr.h
+@@ -2,6 +2,7 @@
+ #include <linux/init.h>
+ #include <linux/list.h>
+ #include <linux/rwsem.h>
++#include <linux/xattr.h>
+
+ struct inode;
+ struct dentry;
+@@ -18,12 +19,7 @@ int reiserfs_permission(struct inode *in
+
+ #ifdef CONFIG_REISERFS_FS_XATTR
+ #define has_xattr_dir(inode) (REISERFS_I(inode)->i_flags & i_has_xattr_dir)
+-ssize_t reiserfs_getxattr(struct dentry *dentry, const char *name,
+- void *buffer, size_t size);
+-int reiserfs_setxattr(struct dentry *dentry, const char *name,
+- const void *value, size_t size, int flags);
+ ssize_t reiserfs_listxattr(struct dentry *dentry, char *buffer, size_t size);
+-int reiserfs_removexattr(struct dentry *dentry, const char *name);
+
+ int reiserfs_xattr_get(struct inode *, const char *, void *, size_t);
+ int reiserfs_xattr_set(struct inode *, const char *, const void *, size_t, int);
+@@ -92,10 +88,7 @@ static inline void reiserfs_init_xattr_r
+
+ #else
+
+-#define reiserfs_getxattr NULL
+-#define reiserfs_setxattr NULL
+ #define reiserfs_listxattr NULL
+-#define reiserfs_removexattr NULL
+
+ static inline void reiserfs_init_xattr_rwsem(struct inode *inode)
+ {
+--- a/fs/reiserfs/xattr_security.c
++++ b/fs/reiserfs/xattr_security.c
+@@ -12,26 +12,24 @@ static int
+ security_get(const struct xattr_handler *handler, struct dentry *dentry,
+ const char *name, void *buffer, size_t size)
+ {
+- if (strlen(name) < sizeof(XATTR_SECURITY_PREFIX))
+- return -EINVAL;
+-
+ if (IS_PRIVATE(d_inode(dentry)))
+ return -EPERM;
+
+- return reiserfs_xattr_get(d_inode(dentry), name, buffer, size);
++ return reiserfs_xattr_get(d_inode(dentry),
++ xattr_full_name(handler, name),
++ buffer, size);
+ }
+
+ static int
+ security_set(const struct xattr_handler *handler, struct dentry *dentry,
+ const char *name, const void *buffer, size_t size, int flags)
+ {
+- if (strlen(name) < sizeof(XATTR_SECURITY_PREFIX))
+- return -EINVAL;
+-
+ if (IS_PRIVATE(d_inode(dentry)))
+ return -EPERM;
+
+- return reiserfs_xattr_set(d_inode(dentry), name, buffer, size, flags);
++ return reiserfs_xattr_set(d_inode(dentry),
++ xattr_full_name(handler, name),
++ buffer, size, flags);
+ }
+
+ static size_t security_list(const struct xattr_handler *handler,
+--- a/fs/reiserfs/xattr_trusted.c
++++ b/fs/reiserfs/xattr_trusted.c
+@@ -11,26 +11,24 @@ static int
+ trusted_get(const struct xattr_handler *handler, struct dentry *dentry,
+ const char *name, void *buffer, size_t size)
+ {
+- if (strlen(name) < sizeof(XATTR_TRUSTED_PREFIX))
+- return -EINVAL;
+-
+ if (!capable(CAP_SYS_ADMIN) || IS_PRIVATE(d_inode(dentry)))
+ return -EPERM;
+
+- return reiserfs_xattr_get(d_inode(dentry), name, buffer, size);
++ return reiserfs_xattr_get(d_inode(dentry),
++ xattr_full_name(handler, name),
++ buffer, size);
+ }
+
+ static int
+ trusted_set(const struct xattr_handler *handler, struct dentry *dentry,
+ const char *name, const void *buffer, size_t size, int flags)
+ {
+- if (strlen(name) < sizeof(XATTR_TRUSTED_PREFIX))
+- return -EINVAL;
+-
+ if (!capable(CAP_SYS_ADMIN) || IS_PRIVATE(d_inode(dentry)))
+ return -EPERM;
+
+- return reiserfs_xattr_set(d_inode(dentry), name, buffer, size, flags);
++ return reiserfs_xattr_set(d_inode(dentry),
++ xattr_full_name(handler, name),
++ buffer, size, flags);
+ }
+
+ static size_t trusted_list(const struct xattr_handler *handler,
+--- a/fs/reiserfs/xattr_user.c
++++ b/fs/reiserfs/xattr_user.c
+@@ -10,24 +10,22 @@ static int
+ user_get(const struct xattr_handler *handler, struct dentry *dentry,
+ const char *name, void *buffer, size_t size)
+ {
+-
+- if (strlen(name) < sizeof(XATTR_USER_PREFIX))
+- return -EINVAL;
+ if (!reiserfs_xattrs_user(dentry->d_sb))
+ return -EOPNOTSUPP;
+- return reiserfs_xattr_get(d_inode(dentry), name, buffer, size);
++ return reiserfs_xattr_get(d_inode(dentry),
++ xattr_full_name(handler, name),
++ buffer, size);
+ }
+
+ static int
+ user_set(const struct xattr_handler *handler, struct dentry *dentry,
+ const char *name, const void *buffer, size_t size, int flags)
+ {
+- if (strlen(name) < sizeof(XATTR_USER_PREFIX))
+- return -EINVAL;
+-
+ if (!reiserfs_xattrs_user(dentry->d_sb))
+ return -EOPNOTSUPP;
+- return reiserfs_xattr_set(d_inode(dentry), name, buffer, size, flags);
++ return reiserfs_xattr_set(d_inode(dentry),
++ xattr_full_name(handler, name),
++ buffer, size, flags);
+ }
+
+ static size_t user_list(const struct xattr_handler *handler,
--- /dev/null
+From 420902c9d086848a7548c83e0a49021514bd71b7 Mon Sep 17 00:00:00 2001
+From: Mike Galbraith <efault@gmx.de>
+Date: Mon, 13 Aug 2012 15:21:23 +0200
+Subject: reiserfs: Unlock superblock before calling reiserfs_quota_on_mount()
+
+From: Mike Galbraith <efault@gmx.de>
+
+commit 420902c9d086848a7548c83e0a49021514bd71b7 upstream.
+
+If we hold the superblock lock while calling reiserfs_quota_on_mount(), we can
+deadlock our own worker - mount blocks kworker/3:2, sleeps forever more.
+
+crash> ps|grep UN
+ 715 2 3 ffff880220734d30 UN 0.0 0 0 [kworker/3:2]
+ 9369 9341 2 ffff88021ffb7560 UN 1.3 493404 123184 Xorg
+ 9665 9664 3 ffff880225b92ab0 UN 0.0 47368 812 udisks-daemon
+ 10635 10403 3 ffff880222f22c70 UN 0.0 14904 936 mount
+crash> bt ffff880220734d30
+PID: 715 TASK: ffff880220734d30 CPU: 3 COMMAND: "kworker/3:2"
+ #0 [ffff8802244c3c20] schedule at ffffffff8144584b
+ #1 [ffff8802244c3cc8] __rt_mutex_slowlock at ffffffff814472b3
+ #2 [ffff8802244c3d28] rt_mutex_slowlock at ffffffff814473f5
+ #3 [ffff8802244c3dc8] reiserfs_write_lock at ffffffffa05f28fd [reiserfs]
+ #4 [ffff8802244c3de8] flush_async_commits at ffffffffa05ec91d [reiserfs]
+ #5 [ffff8802244c3e08] process_one_work at ffffffff81073726
+ #6 [ffff8802244c3e68] worker_thread at ffffffff81073eba
+ #7 [ffff8802244c3ec8] kthread at ffffffff810782e0
+ #8 [ffff8802244c3f48] kernel_thread_helper at ffffffff81450064
+crash> rd ffff8802244c3cc8 10
+ffff8802244c3cc8: ffffffff814472b3 ffff880222f23250 .rD.....P2."....
+ffff8802244c3cd8: 0000000000000000 0000000000000286 ................
+ffff8802244c3ce8: ffff8802244c3d30 ffff880220734d80 0=L$.....Ms ....
+ffff8802244c3cf8: ffff880222e8f628 0000000000000000 (.."............
+ffff8802244c3d08: 0000000000000000 0000000000000002 ................
+crash> struct rt_mutex ffff880222e8f628
+struct rt_mutex {
+ wait_lock = {
+ raw_lock = {
+ slock = 65537
+ }
+ },
+ wait_list = {
+ node_list = {
+ next = 0xffff8802244c3d48,
+ prev = 0xffff8802244c3d48
+ }
+ },
+ owner = 0xffff880222f22c71,
+ save_state = 0
+}
+crash> bt 0xffff880222f22c70
+PID: 10635 TASK: ffff880222f22c70 CPU: 3 COMMAND: "mount"
+ #0 [ffff8802216a9868] schedule at ffffffff8144584b
+ #1 [ffff8802216a9910] schedule_timeout at ffffffff81446865
+ #2 [ffff8802216a99a0] wait_for_common at ffffffff81445f74
+ #3 [ffff8802216a9a30] flush_work at ffffffff810712d3
+ #4 [ffff8802216a9ab0] schedule_on_each_cpu at ffffffff81074463
+ #5 [ffff8802216a9ae0] invalidate_bdev at ffffffff81178aba
+ #6 [ffff8802216a9af0] vfs_load_quota_inode at ffffffff811a3632
+ #7 [ffff8802216a9b50] dquot_quota_on_mount at ffffffff811a375c
+ #8 [ffff8802216a9b80] finish_unfinished at ffffffffa05dd8b0 [reiserfs]
+ #9 [ffff8802216a9cc0] reiserfs_fill_super at ffffffffa05de825 [reiserfs]
+ RIP: 00007f7b9303997a RSP: 00007ffff443c7a8 RFLAGS: 00010202
+ RAX: 00000000000000a5 RBX: ffffffff8144ef12 RCX: 00007f7b932e9ee0
+ RDX: 00007f7b93d9a400 RSI: 00007f7b93d9a3e0 RDI: 00007f7b93d9a3c0
+ RBP: 00007f7b93d9a2c0 R8: 00007f7b93d9a550 R9: 0000000000000001
+ R10: ffffffffc0ed040e R11: 0000000000000202 R12: 000000000000040e
+ R13: 0000000000000000 R14: 00000000c0ed040e R15: 00007ffff443ca20
+ ORIG_RAX: 00000000000000a5 CS: 0033 SS: 002b
+
+Signed-off-by: Mike Galbraith <efault@gmx.de>
+Acked-by: Frederic Weisbecker <fweisbec@gmail.com>
+Acked-by: Mike Galbraith <mgalbraith@suse.de>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/reiserfs/super.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/reiserfs/super.c
++++ b/fs/reiserfs/super.c
+@@ -190,7 +190,15 @@ static int remove_save_link_only(struct
+ static int reiserfs_quota_on_mount(struct super_block *, int);
+ #endif
+
+-/* look for uncompleted unlinks and truncates and complete them */
++/*
++ * Look for uncompleted unlinks and truncates and complete them
++ *
++ * Called with superblock write locked. If quotas are enabled, we have to
++ * release/retake lest we call dquot_quota_on_mount(), proceed to
++ * schedule_on_each_cpu() in invalidate_bdev() and deadlock waiting for the per
++ * cpu worklets to complete flush_async_commits() that in turn wait for the
++ * superblock write lock.
++ */
+ static int finish_unfinished(struct super_block *s)
+ {
+ INITIALIZE_PATH(path);
+@@ -237,7 +245,9 @@ static int finish_unfinished(struct supe
+ quota_enabled[i] = 0;
+ continue;
+ }
++ reiserfs_write_unlock(s);
+ ret = reiserfs_quota_on_mount(s, i);
++ reiserfs_write_lock(s);
+ if (ret < 0)
+ reiserfs_warning(s, "reiserfs-2500",
+ "cannot turn on journaled "
serial-8250_dw-check-the-data-pclk-when-get-apb_pclk.patch
+btrfs-assign-error-values-to-the-correct-bio-structs.patch
+drivers-base-dma-mapping-page-align-the-size-when-unmap_kernel_range.patch
+fuse-listxattr-verify-xattr-list.patch
+fuse-invalidate-dir-dentry-after-chmod.patch
+fuse-fix-killing-sid-in-setattr.patch
+i40e-avoid-null-pointer-dereference-and-recursive-errors-on-early-pci-error.patch
+brcmfmac-fix-memory-leak-in-brcmf_fill_bss_param.patch
+asoc-nau8825-fix-bug-in-fll-parameter.patch
+asoc-intel-atom-add-a-missing-star-in-a-memcpy-call.patch
+reiserfs-unlock-superblock-before-calling-reiserfs_quota_on_mount.patch
+reiserfs-switch-to-generic_-get-set-remove-xattr.patch
+async_pq_val-fix-dma-memory-leak.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
