--- /dev/null
+From 87261d19046aeaeed8eb3d2793fde850ae1b5c9e Mon Sep 17 00:00:00 2001
+From: Andre Przywara <andre.przywara@arm.com>
+Date: Wed, 19 Oct 2016 14:40:54 +0100
+Subject: arm64: Cortex-A53 errata workaround: check for kernel addresses
+
+From: Andre Przywara <andre.przywara@arm.com>
+
+commit 87261d19046aeaeed8eb3d2793fde850ae1b5c9e upstream.
+
+Commit 7dd01aef0557 ("arm64: trap userspace "dc cvau" cache operation on
+errata-affected core") adds code to execute cache maintenance instructions
+in the kernel on behalf of userland on CPUs with certain ARM CPU errata.
+It turns out that the address hasn't been checked to be a valid user
+space address, allowing userland to clean cache lines in kernel space.
+Fix this by introducing an address check before executing the
+instructions on behalf of userland.
+
+Since the address doesn't come via a syscall parameter, we can't just
+reject tagged pointers and instead have to remove the tag when checking
+against the user address limit.
+
+Fixes: 7dd01aef0557 ("arm64: trap userspace "dc cvau" cache operation on errata-affected core")
+Reported-by: Kristina Martsenko <kristina.martsenko@arm.com>
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+[will: rework commit message + replace access_ok with max_user_addr()]
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/uaccess.h | 8 ++++++++
+ arch/arm64/kernel/traps.c | 27 +++++++++++++++------------
+ 2 files changed, 23 insertions(+), 12 deletions(-)
+
+--- a/arch/arm64/include/asm/uaccess.h
++++ b/arch/arm64/include/asm/uaccess.h
+@@ -21,6 +21,7 @@
+ /*
+ * User space memory access functions
+ */
++#include <linux/bitops.h>
+ #include <linux/kasan-checks.h>
+ #include <linux/string.h>
+ #include <linux/thread_info.h>
+@@ -102,6 +103,13 @@ static inline void set_fs(mm_segment_t f
+ flag; \
+ })
+
++/*
++ * When dealing with data aborts or instruction traps we may end up with
++ * a tagged userland pointer. Clear the tag to get a sane pointer to pass
++ * on to access_ok(), for instance.
++ */
++#define untagged_addr(addr) sign_extend64(addr, 55)
++
+ #define access_ok(type, addr, size) __range_ok(addr, size)
+ #define user_addr_max get_fs
+
+--- a/arch/arm64/kernel/traps.c
++++ b/arch/arm64/kernel/traps.c
+@@ -434,18 +434,21 @@ void cpu_enable_cache_maint_trap(void *_
+ }
+
+ #define __user_cache_maint(insn, address, res) \
+- asm volatile ( \
+- "1: " insn ", %1\n" \
+- " mov %w0, #0\n" \
+- "2:\n" \
+- " .pushsection .fixup,\"ax\"\n" \
+- " .align 2\n" \
+- "3: mov %w0, %w2\n" \
+- " b 2b\n" \
+- " .popsection\n" \
+- _ASM_EXTABLE(1b, 3b) \
+- : "=r" (res) \
+- : "r" (address), "i" (-EFAULT) )
++ if (untagged_addr(address) >= user_addr_max()) \
++ res = -EFAULT; \
++ else \
++ asm volatile ( \
++ "1: " insn ", %1\n" \
++ " mov %w0, #0\n" \
++ "2:\n" \
++ " .pushsection .fixup,\"ax\"\n" \
++ " .align 2\n" \
++ "3: mov %w0, %w2\n" \
++ " b 2b\n" \
++ " .popsection\n" \
++ _ASM_EXTABLE(1b, 3b) \
++ : "=r" (res) \
++ : "r" (address), "i" (-EFAULT) )
+
+ asmlinkage void __exception do_sysinstr(unsigned int esr, struct pt_regs *regs)
+ {
--- /dev/null
+From 9c0e83c371cf4696926c95f9c8c77cd6ea803426 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Thu, 13 Oct 2016 17:42:09 +0100
+Subject: arm64: kaslr: fix breakage with CONFIG_MODVERSIONS=y
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+commit 9c0e83c371cf4696926c95f9c8c77cd6ea803426 upstream.
+
+As it turns out, the KASLR code breaks CONFIG_MODVERSIONS, since the
+kcrctab has an absolute address field that is relocated at runtime
+when the kernel offset is randomized.
+
+This has been fixed already for PowerPC in the past, so simply wire up
+the existing code dealing with this issue.
+
+Fixes: f80fb3a3d508 ("arm64: add support for kernel ASLR")
+Tested-by: Timur Tabi <timur@codeaurora.org>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/module.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/arm64/include/asm/module.h
++++ b/arch/arm64/include/asm/module.h
+@@ -17,6 +17,7 @@
+ #define __ASM_MODULE_H
+
+ #include <asm-generic/module.h>
++#include <asm/memory.h>
+
+ #define MODULE_ARCH_VERMAGIC "aarch64"
+
+@@ -32,6 +33,10 @@ u64 module_emit_plt_entry(struct module
+ Elf64_Sym *sym);
+
+ #ifdef CONFIG_RANDOMIZE_BASE
++#ifdef CONFIG_MODVERSIONS
++#define ARCH_RELOCATES_KCRCTAB
++#define reloc_start (kimage_vaddr - KIMAGE_VADDR)
++#endif
+ extern u64 module_alloc_base;
+ #else
+ #define module_alloc_base ((u64)_etext - MODULES_VSIZE)
--- /dev/null
+From 850540351bb1a4fa5f192e5ce55b89928cc57f42 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Mon, 17 Oct 2016 13:47:34 +0100
+Subject: arm64: kernel: Init MDCR_EL2 even in the absence of a PMU
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 850540351bb1a4fa5f192e5ce55b89928cc57f42 upstream.
+
+Commit f436b2ac90a0 ("arm64: kernel: fix architected PMU registers
+unconditional access") made sure we wouldn't access unimplemented
+PMU registers, but also left MDCR_EL2 uninitialized in that case,
+leading to trap bits being potentially left set.
+
+Make sure we always write something in that register.
+
+Fixes: f436b2ac90a0 ("arm64: kernel: fix architected PMU registers unconditional access")
+Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/head.S | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/head.S
++++ b/arch/arm64/kernel/head.S
+@@ -578,8 +578,9 @@ CPU_LE( movk x0, #0x30d0, lsl #16 ) // C
+ b.lt 4f // Skip if no PMU present
+ mrs x0, pmcr_el0 // Disable debug access traps
+ ubfx x0, x0, #11, #5 // to EL2 and allow access to
+- msr mdcr_el2, x0 // all PMU counters from EL1
+ 4:
++ csel x0, xzr, x0, lt // all PMU counters from EL1
++ msr mdcr_el2, x0 // (if they exist)
+
+ /* Stage-2 translation */
+ msr vttbr_el2, xzr
--- /dev/null
+From 60e21a0ef54cd836b9eb22c7cb396989b5b11648 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Thu, 29 Sep 2016 12:37:01 +0100
+Subject: arm64: KVM: Take S1 walks into account when determining S2 write faults
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 60e21a0ef54cd836b9eb22c7cb396989b5b11648 upstream.
+
+The WnR bit in the HSR/ESR_EL2 indicates whether a data abort was
+generated by a read or a write instruction. For stage 2 data aborts
+generated by a stage 1 translation table walk (i.e. the actual page
+table access faults at EL2), the WnR bit therefore reports whether the
+instruction generating the walk was a load or a store, *not* whether the
+page table walker was reading or writing the entry.
+
+For page tables marked as read-only at stage 2 (e.g. due to KSM merging
+them with the tables from another guest), this could result in livelock,
+where a page table walk generated by a load instruction attempts to
+set the access flag in the stage 1 descriptor, but fails to trigger
+CoW in the host since only a read fault is reported.
+
+This patch modifies the arm64 kvm_vcpu_dabt_iswrite function to
+take into account stage 2 faults in stage 1 walks. Since DBM cannot be
+disabled at EL2 for CPUs that implement it, we assume that these faults
+are always causes by writes, avoiding the livelock situation at the
+expense of occasional, spurious CoWs.
+
+We could, in theory, do a bit better by checking the guest TCR
+configuration and inspecting the page table to see why the PTE faulted.
+However, I doubt this is measurable in practice, and the threat of
+livelock is real.
+
+Cc: Julien Grall <julien.grall@arm.com>
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/kvm_emulate.h | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_emulate.h
++++ b/arch/arm64/include/asm/kvm_emulate.h
+@@ -167,11 +167,6 @@ static inline bool kvm_vcpu_dabt_isvalid
+ return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_ISV);
+ }
+
+-static inline bool kvm_vcpu_dabt_iswrite(const struct kvm_vcpu *vcpu)
+-{
+- return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_WNR);
+-}
+-
+ static inline bool kvm_vcpu_dabt_issext(const struct kvm_vcpu *vcpu)
+ {
+ return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_SSE);
+@@ -192,6 +187,12 @@ static inline bool kvm_vcpu_dabt_iss1tw(
+ return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_S1PTW);
+ }
+
++static inline bool kvm_vcpu_dabt_iswrite(const struct kvm_vcpu *vcpu)
++{
++ return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_WNR) ||
++ kvm_vcpu_dabt_iss1tw(vcpu); /* AF/DBM update */
++}
++
+ static inline bool kvm_vcpu_dabt_is_cm(const struct kvm_vcpu *vcpu)
+ {
+ return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_CM);
--- /dev/null
+From 1e6e57d9b34a9075d5f9e2048ea7b09756590d11 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Mon, 4 Jul 2016 17:44:48 +0100
+Subject: arm64: percpu: rewrite ll/sc loops in assembly
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 1e6e57d9b34a9075d5f9e2048ea7b09756590d11 upstream.
+
+Writing the outer loop of an LL/SC sequence using do {...} while
+constructs potentially allows the compiler to hoist memory accesses
+between the STXR and the branch back to the LDXR. On CPUs that do not
+guarantee forward progress of LL/SC loops when faced with memory
+accesses to the same ERG (up to 2k) between the failed STXR and the
+branch back, we may end up livelocking.
+
+This patch avoids this issue in our percpu atomics by rewriting the
+outer loop as part of the LL/SC inline assembly block.
+
+Fixes: f97fc810798c ("arm64: percpu: Implement this_cpu operations")
+Reviewed-by: Mark Rutland <mark.rutland@arm.com>
+Tested-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/percpu.h | 120 ++++++++++++++++++----------------------
+ 1 file changed, 56 insertions(+), 64 deletions(-)
+
+--- a/arch/arm64/include/asm/percpu.h
++++ b/arch/arm64/include/asm/percpu.h
+@@ -44,48 +44,44 @@ static inline unsigned long __percpu_##o
+ \
+ switch (size) { \
+ case 1: \
+- do { \
+- asm ("//__per_cpu_" #op "_1\n" \
+- "ldxrb %w[ret], %[ptr]\n" \
++ asm ("//__per_cpu_" #op "_1\n" \
++ "1: ldxrb %w[ret], %[ptr]\n" \
+ #asm_op " %w[ret], %w[ret], %w[val]\n" \
+- "stxrb %w[loop], %w[ret], %[ptr]\n" \
+- : [loop] "=&r" (loop), [ret] "=&r" (ret), \
+- [ptr] "+Q"(*(u8 *)ptr) \
+- : [val] "Ir" (val)); \
+- } while (loop); \
++ " stxrb %w[loop], %w[ret], %[ptr]\n" \
++ " cbnz %w[loop], 1b" \
++ : [loop] "=&r" (loop), [ret] "=&r" (ret), \
++ [ptr] "+Q"(*(u8 *)ptr) \
++ : [val] "Ir" (val)); \
+ break; \
+ case 2: \
+- do { \
+- asm ("//__per_cpu_" #op "_2\n" \
+- "ldxrh %w[ret], %[ptr]\n" \
++ asm ("//__per_cpu_" #op "_2\n" \
++ "1: ldxrh %w[ret], %[ptr]\n" \
+ #asm_op " %w[ret], %w[ret], %w[val]\n" \
+- "stxrh %w[loop], %w[ret], %[ptr]\n" \
+- : [loop] "=&r" (loop), [ret] "=&r" (ret), \
+- [ptr] "+Q"(*(u16 *)ptr) \
+- : [val] "Ir" (val)); \
+- } while (loop); \
++ " stxrh %w[loop], %w[ret], %[ptr]\n" \
++ " cbnz %w[loop], 1b" \
++ : [loop] "=&r" (loop), [ret] "=&r" (ret), \
++ [ptr] "+Q"(*(u16 *)ptr) \
++ : [val] "Ir" (val)); \
+ break; \
+ case 4: \
+- do { \
+- asm ("//__per_cpu_" #op "_4\n" \
+- "ldxr %w[ret], %[ptr]\n" \
++ asm ("//__per_cpu_" #op "_4\n" \
++ "1: ldxr %w[ret], %[ptr]\n" \
+ #asm_op " %w[ret], %w[ret], %w[val]\n" \
+- "stxr %w[loop], %w[ret], %[ptr]\n" \
+- : [loop] "=&r" (loop), [ret] "=&r" (ret), \
+- [ptr] "+Q"(*(u32 *)ptr) \
+- : [val] "Ir" (val)); \
+- } while (loop); \
++ " stxr %w[loop], %w[ret], %[ptr]\n" \
++ " cbnz %w[loop], 1b" \
++ : [loop] "=&r" (loop), [ret] "=&r" (ret), \
++ [ptr] "+Q"(*(u32 *)ptr) \
++ : [val] "Ir" (val)); \
+ break; \
+ case 8: \
+- do { \
+- asm ("//__per_cpu_" #op "_8\n" \
+- "ldxr %[ret], %[ptr]\n" \
++ asm ("//__per_cpu_" #op "_8\n" \
++ "1: ldxr %[ret], %[ptr]\n" \
+ #asm_op " %[ret], %[ret], %[val]\n" \
+- "stxr %w[loop], %[ret], %[ptr]\n" \
+- : [loop] "=&r" (loop), [ret] "=&r" (ret), \
+- [ptr] "+Q"(*(u64 *)ptr) \
+- : [val] "Ir" (val)); \
+- } while (loop); \
++ " stxr %w[loop], %[ret], %[ptr]\n" \
++ " cbnz %w[loop], 1b" \
++ : [loop] "=&r" (loop), [ret] "=&r" (ret), \
++ [ptr] "+Q"(*(u64 *)ptr) \
++ : [val] "Ir" (val)); \
+ break; \
+ default: \
+ BUILD_BUG(); \
+@@ -150,44 +146,40 @@ static inline unsigned long __percpu_xch
+
+ switch (size) {
+ case 1:
+- do {
+- asm ("//__percpu_xchg_1\n"
+- "ldxrb %w[ret], %[ptr]\n"
+- "stxrb %w[loop], %w[val], %[ptr]\n"
+- : [loop] "=&r"(loop), [ret] "=&r"(ret),
+- [ptr] "+Q"(*(u8 *)ptr)
+- : [val] "r" (val));
+- } while (loop);
++ asm ("//__percpu_xchg_1\n"
++ "1: ldxrb %w[ret], %[ptr]\n"
++ " stxrb %w[loop], %w[val], %[ptr]\n"
++ " cbnz %w[loop], 1b"
++ : [loop] "=&r"(loop), [ret] "=&r"(ret),
++ [ptr] "+Q"(*(u8 *)ptr)
++ : [val] "r" (val));
+ break;
+ case 2:
+- do {
+- asm ("//__percpu_xchg_2\n"
+- "ldxrh %w[ret], %[ptr]\n"
+- "stxrh %w[loop], %w[val], %[ptr]\n"
+- : [loop] "=&r"(loop), [ret] "=&r"(ret),
+- [ptr] "+Q"(*(u16 *)ptr)
+- : [val] "r" (val));
+- } while (loop);
++ asm ("//__percpu_xchg_2\n"
++ "1: ldxrh %w[ret], %[ptr]\n"
++ " stxrh %w[loop], %w[val], %[ptr]\n"
++ " cbnz %w[loop], 1b"
++ : [loop] "=&r"(loop), [ret] "=&r"(ret),
++ [ptr] "+Q"(*(u16 *)ptr)
++ : [val] "r" (val));
+ break;
+ case 4:
+- do {
+- asm ("//__percpu_xchg_4\n"
+- "ldxr %w[ret], %[ptr]\n"
+- "stxr %w[loop], %w[val], %[ptr]\n"
+- : [loop] "=&r"(loop), [ret] "=&r"(ret),
+- [ptr] "+Q"(*(u32 *)ptr)
+- : [val] "r" (val));
+- } while (loop);
++ asm ("//__percpu_xchg_4\n"
++ "1: ldxr %w[ret], %[ptr]\n"
++ " stxr %w[loop], %w[val], %[ptr]\n"
++ " cbnz %w[loop], 1b"
++ : [loop] "=&r"(loop), [ret] "=&r"(ret),
++ [ptr] "+Q"(*(u32 *)ptr)
++ : [val] "r" (val));
+ break;
+ case 8:
+- do {
+- asm ("//__percpu_xchg_8\n"
+- "ldxr %[ret], %[ptr]\n"
+- "stxr %w[loop], %[val], %[ptr]\n"
+- : [loop] "=&r"(loop), [ret] "=&r"(ret),
+- [ptr] "+Q"(*(u64 *)ptr)
+- : [val] "r" (val));
+- } while (loop);
++ asm ("//__percpu_xchg_8\n"
++ "1: ldxr %[ret], %[ptr]\n"
++ " stxr %w[loop], %[val], %[ptr]\n"
++ " cbnz %w[loop], 1b"
++ : [loop] "=&r"(loop), [ret] "=&r"(ret),
++ [ptr] "+Q"(*(u64 *)ptr)
++ : [val] "r" (val));
+ break;
+ default:
+ BUILD_BUG();
--- /dev/null
+From 1c5b51dfb7b4564008e0cadec5381a69e88b0d21 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Mon, 4 Jul 2016 16:59:43 +0100
+Subject: arm64: swp emulation: bound LL/SC retries before rescheduling
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 1c5b51dfb7b4564008e0cadec5381a69e88b0d21 upstream.
+
+If a CPU does not implement a global monitor for certain memory types,
+then userspace can attempt a kernel DoS by issuing SWP instructions
+targetting the problematic memory (for example, a framebuffer mapped
+with non-cacheable attributes).
+
+The SWP emulation code protects against these sorts of attacks by
+checking for pending signals and potentially rescheduling when the STXR
+instruction fails during the emulation. Whilst this is good for avoiding
+livelock, it harms emulation of legitimate SWP instructions on CPUs
+where forward progress is not guaranteed if there are memory accesses to
+the same reservation granule (up to 2k) between the failing STXR and
+the retry of the LDXR.
+
+This patch solves the problem by retrying the STXR a bounded number of
+times (4) before breaking out of the LL/SC loop and looking for
+something else to do.
+
+Fixes: bd35a4adc413 ("arm64: Port SWP/SWPB emulation support from arm")
+Reviewed-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/armv8_deprecated.c | 36 +++++++++++++++++++++--------------
+ 1 file changed, 22 insertions(+), 14 deletions(-)
+
+--- a/arch/arm64/kernel/armv8_deprecated.c
++++ b/arch/arm64/kernel/armv8_deprecated.c
+@@ -280,35 +280,43 @@ static void __init register_insn_emulati
+ /*
+ * Error-checking SWP macros implemented using ldxr{b}/stxr{b}
+ */
+-#define __user_swpX_asm(data, addr, res, temp, B) \
++
++/* Arbitrary constant to ensure forward-progress of the LL/SC loop */
++#define __SWP_LL_SC_LOOPS 4
++
++#define __user_swpX_asm(data, addr, res, temp, temp2, B) \
+ __asm__ __volatile__( \
++ " mov %w3, %w7\n" \
+ ALTERNATIVE("nop", SET_PSTATE_PAN(0), ARM64_HAS_PAN, \
+ CONFIG_ARM64_PAN) \
+- "0: ldxr"B" %w2, [%3]\n" \
+- "1: stxr"B" %w0, %w1, [%3]\n" \
++ "0: ldxr"B" %w2, [%4]\n" \
++ "1: stxr"B" %w0, %w1, [%4]\n" \
+ " cbz %w0, 2f\n" \
+- " mov %w0, %w4\n" \
++ " sub %w3, %w3, #1\n" \
++ " cbnz %w3, 0b\n" \
++ " mov %w0, %w5\n" \
+ " b 3f\n" \
+ "2:\n" \
+ " mov %w1, %w2\n" \
+ "3:\n" \
+ " .pushsection .fixup,\"ax\"\n" \
+ " .align 2\n" \
+- "4: mov %w0, %w5\n" \
++ "4: mov %w0, %w6\n" \
+ " b 3b\n" \
+ " .popsection" \
+ _ASM_EXTABLE(0b, 4b) \
+ _ASM_EXTABLE(1b, 4b) \
+ ALTERNATIVE("nop", SET_PSTATE_PAN(1), ARM64_HAS_PAN, \
+ CONFIG_ARM64_PAN) \
+- : "=&r" (res), "+r" (data), "=&r" (temp) \
+- : "r" (addr), "i" (-EAGAIN), "i" (-EFAULT) \
++ : "=&r" (res), "+r" (data), "=&r" (temp), "=&r" (temp2) \
++ : "r" (addr), "i" (-EAGAIN), "i" (-EFAULT), \
++ "i" (__SWP_LL_SC_LOOPS) \
+ : "memory")
+
+-#define __user_swp_asm(data, addr, res, temp) \
+- __user_swpX_asm(data, addr, res, temp, "")
+-#define __user_swpb_asm(data, addr, res, temp) \
+- __user_swpX_asm(data, addr, res, temp, "b")
++#define __user_swp_asm(data, addr, res, temp, temp2) \
++ __user_swpX_asm(data, addr, res, temp, temp2, "")
++#define __user_swpb_asm(data, addr, res, temp, temp2) \
++ __user_swpX_asm(data, addr, res, temp, temp2, "b")
+
+ /*
+ * Bit 22 of the instruction encoding distinguishes between
+@@ -328,12 +336,12 @@ static int emulate_swpX(unsigned int add
+ }
+
+ while (1) {
+- unsigned long temp;
++ unsigned long temp, temp2;
+
+ if (type == TYPE_SWPB)
+- __user_swpb_asm(*data, address, res, temp);
++ __user_swpb_asm(*data, address, res, temp, temp2);
+ else
+- __user_swp_asm(*data, address, res, temp);
++ __user_swp_asm(*data, address, res, temp, temp2);
+
+ if (likely(res != -EAGAIN) || signal_pending(current))
+ break;
--- /dev/null
+From 0d7718f666be181fda1ba2d08f137d87c1419347 Mon Sep 17 00:00:00 2001
+From: Nikolay Borisov <kernel@kyup.com>
+Date: Mon, 10 Oct 2016 15:38:18 +0300
+Subject: ceph: fix error handling in ceph_read_iter
+
+From: Nikolay Borisov <kernel@kyup.com>
+
+commit 0d7718f666be181fda1ba2d08f137d87c1419347 upstream.
+
+In case __ceph_do_getattr returns an error and the retry_op in
+ceph_read_iter is not READ_INLINE, then it's possible to invoke
+__free_page on a page which is NULL, this naturally leads to a crash.
+This can happen when, for example, a process waiting on a MDS reply
+receives sigterm.
+
+Fix this by explicitly checking whether the page is set or not.
+
+Signed-off-by: Nikolay Borisov <kernel@kyup.com>
+Reviewed-by: Yan, Zheng <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/file.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -1272,7 +1272,8 @@ again:
+ statret = __ceph_do_getattr(inode, page,
+ CEPH_STAT_CAP_INLINE_DATA, !!page);
+ if (statret < 0) {
+- __free_page(page);
++ if (page)
++ __free_page(page);
+ if (statret == -ENODATA) {
+ BUG_ON(retry_op != READ_INLINE);
+ goto again;
--- /dev/null
+From c4704a4fbe834eee4109ca064131d440941f6235 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 12 Oct 2016 23:24:51 -0400
+Subject: ext4: do not advertise encryption support when disabled
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit c4704a4fbe834eee4109ca064131d440941f6235 upstream.
+
+The sysfs file /sys/fs/ext4/features/encryption was present on kernels
+compiled with CONFIG_EXT4_FS_ENCRYPTION=n. This was misleading because
+such kernels do not actually support ext4 encryption. Therefore, only
+provide this file on kernels compiled with CONFIG_EXT4_FS_ENCRYPTION=y.
+
+Note: since the ext4 feature files are all hardcoded to have a contents
+of "supported", it really is the presence or absence of the file that is
+significant, not the contents (and this change reflects that).
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/sysfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ext4/sysfs.c
++++ b/fs/ext4/sysfs.c
+@@ -223,14 +223,18 @@ static struct attribute *ext4_attrs[] =
+ EXT4_ATTR_FEATURE(lazy_itable_init);
+ EXT4_ATTR_FEATURE(batched_discard);
+ EXT4_ATTR_FEATURE(meta_bg_resize);
++#ifdef CONFIG_EXT4_FS_ENCRYPTION
+ EXT4_ATTR_FEATURE(encryption);
++#endif
+ EXT4_ATTR_FEATURE(metadata_csum_seed);
+
+ static struct attribute *ext4_feat_attrs[] = {
+ ATTR_LIST(lazy_itable_init),
+ ATTR_LIST(batched_discard),
+ ATTR_LIST(meta_bg_resize),
++#ifdef CONFIG_EXT4_FS_ENCRYPTION
+ ATTR_LIST(encryption),
++#endif
+ ATTR_LIST(metadata_csum_seed),
+ NULL,
+ };
--- /dev/null
+From 8906a8223ad4909b391c5628f7991ebceda30e52 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sat, 15 Oct 2016 09:48:50 -0400
+Subject: fscrypto: lock inode while setting encryption policy
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 8906a8223ad4909b391c5628f7991ebceda30e52 upstream.
+
+i_rwsem needs to be acquired while setting an encryption policy so that
+concurrent calls to FS_IOC_SET_ENCRYPTION_POLICY are correctly
+serialized (especially the ->get_context() + ->set_context() pair), and
+so that new files cannot be created in the directory during or after the
+->empty_dir() check.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/crypto/policy.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/crypto/policy.c
++++ b/fs/crypto/policy.c
+@@ -109,6 +109,8 @@ int fscrypt_process_policy(struct file *
+ if (ret)
+ return ret;
+
++ inode_lock(inode);
++
+ if (!inode_has_encryption_context(inode)) {
+ if (!S_ISDIR(inode->i_mode))
+ ret = -EINVAL;
+@@ -127,6 +129,8 @@ int fscrypt_process_policy(struct file *
+ ret = -EINVAL;
+ }
+
++ inode_unlock(inode);
++
+ mnt_drop_write_file(filp);
+ return ret;
+ }
--- /dev/null
+From fb4454376df9d820d95452d71dd83da6971f9338 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 12 Oct 2016 23:30:16 -0400
+Subject: fscrypto: make XTS tweak initialization endian-independent
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit fb4454376df9d820d95452d71dd83da6971f9338 upstream.
+
+The XTS tweak (or IV) was initialized differently on little endian and
+big endian systems. Because the ciphertext depends on the XTS tweak, it
+was not possible to use an encrypted filesystem created by a little
+endian system on a big endian system and vice versa, even if they shared
+the same PAGE_SIZE. Fix this by always using little endian.
+
+This will break hypothetical big endian users of ext4 or f2fs
+encryption. However, all users we are aware of are little endian, and
+it's believed that "real" big endian users are unlikely to exist yet.
+So this might as well be fixed now before it's too late.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/crypto/crypto.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/fs/crypto/crypto.c
++++ b/fs/crypto/crypto.c
+@@ -152,7 +152,10 @@ static int do_page_crypto(struct inode *
+ struct page *src_page, struct page *dest_page,
+ gfp_t gfp_flags)
+ {
+- u8 xts_tweak[FS_XTS_TWEAK_SIZE];
++ struct {
++ __le64 index;
++ u8 padding[FS_XTS_TWEAK_SIZE - sizeof(__le64)];
++ } xts_tweak;
+ struct skcipher_request *req = NULL;
+ DECLARE_FS_COMPLETION_RESULT(ecr);
+ struct scatterlist dst, src;
+@@ -172,17 +175,15 @@ static int do_page_crypto(struct inode *
+ req, CRYPTO_TFM_REQ_MAY_BACKLOG | CRYPTO_TFM_REQ_MAY_SLEEP,
+ fscrypt_complete, &ecr);
+
+- BUILD_BUG_ON(FS_XTS_TWEAK_SIZE < sizeof(index));
+- memcpy(xts_tweak, &index, sizeof(index));
+- memset(&xts_tweak[sizeof(index)], 0,
+- FS_XTS_TWEAK_SIZE - sizeof(index));
++ BUILD_BUG_ON(sizeof(xts_tweak) != FS_XTS_TWEAK_SIZE);
++ xts_tweak.index = cpu_to_le64(index);
++ memset(xts_tweak.padding, 0, sizeof(xts_tweak.padding));
+
+ sg_init_table(&dst, 1);
+ sg_set_page(&dst, dest_page, PAGE_SIZE, 0);
+ sg_init_table(&src, 1);
+ sg_set_page(&src, src_page, PAGE_SIZE, 0);
+- skcipher_request_set_crypt(req, &src, &dst, PAGE_SIZE,
+- xts_tweak);
++ skcipher_request_set_crypt(req, &src, &dst, PAGE_SIZE, &xts_tweak);
+ if (rw == FS_DECRYPT)
+ res = crypto_skcipher_decrypt(req);
+ else
--- /dev/null
+From a2ed0b391dd9c3ef1d64c7c3e370f4a5ffcd324a Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 4 Oct 2016 13:44:06 +0200
+Subject: isofs: Do not return EACCES for unknown filesystems
+
+From: Jan Kara <jack@suse.cz>
+
+commit a2ed0b391dd9c3ef1d64c7c3e370f4a5ffcd324a upstream.
+
+When isofs_mount() is called to mount a device read-write, it returns
+EACCES even before it checks that the device actually contains an isofs
+filesystem. This may confuse mount(8) which then tries to mount all
+subsequent filesystem types in read-only mode.
+
+Fix the problem by returning EACCES only once we verify that the device
+indeed contains an iso9660 filesystem.
+
+Fixes: 17b7f7cf58926844e1dd40f5eb5348d481deca6a
+Reported-by: Kent Overstreet <kent.overstreet@gmail.com>
+Reported-by: Karel Zak <kzak@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/isofs/inode.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/fs/isofs/inode.c
++++ b/fs/isofs/inode.c
+@@ -687,6 +687,11 @@ static int isofs_fill_super(struct super
+ pri_bh = NULL;
+
+ root_found:
++ /* We don't support read-write mounts */
++ if (!(s->s_flags & MS_RDONLY)) {
++ error = -EACCES;
++ goto out_freebh;
++ }
+
+ if (joliet_level && (pri == NULL || !opt.rock)) {
+ /* This is the case of Joliet with the norock mount flag.
+@@ -1501,9 +1506,6 @@ struct inode *__isofs_iget(struct super_
+ static struct dentry *isofs_mount(struct file_system_type *fs_type,
+ int flags, const char *dev_name, void *data)
+ {
+- /* We don't support read-write mounts */
+- if (!(flags & MS_RDONLY))
+- return ERR_PTR(-EACCES);
+ return mount_bdev(fs_type, flags, dev_name, data, isofs_fill_super);
+ }
+
--- /dev/null
+From 559cce698eaf4ccecb2213b2519ea3a0413e5155 Mon Sep 17 00:00:00 2001
+From: Taesoo Kim <tsgatesv@gmail.com>
+Date: Wed, 12 Oct 2016 23:19:18 -0400
+Subject: jbd2: fix incorrect unlock on j_list_lock
+
+From: Taesoo Kim <tsgatesv@gmail.com>
+
+commit 559cce698eaf4ccecb2213b2519ea3a0413e5155 upstream.
+
+When 'jh->b_transaction == transaction' (asserted by below)
+
+ J_ASSERT_JH(jh, (jh->b_transaction == transaction || ...
+
+'journal->j_list_lock' will be incorrectly unlocked, since
+the the lock is aquired only at the end of if / else-if
+statements (missing the else case).
+
+Signed-off-by: Taesoo Kim <tsgatesv@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Fixes: 6e4862a5bb9d12be87e4ea5d9a60836ebed71d28
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/transaction.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -1149,6 +1149,7 @@ int jbd2_journal_get_create_access(handl
+ JBUFFER_TRACE(jh, "file as BJ_Reserved");
+ spin_lock(&journal->j_list_lock);
+ __jbd2_journal_file_buffer(jh, transaction, BJ_Reserved);
++ spin_unlock(&journal->j_list_lock);
+ } else if (jh->b_transaction == journal->j_committing_transaction) {
+ /* first access by this transaction */
+ jh->b_modified = 0;
+@@ -1156,8 +1157,8 @@ int jbd2_journal_get_create_access(handl
+ JBUFFER_TRACE(jh, "set next transaction");
+ spin_lock(&journal->j_list_lock);
+ jh->b_next_transaction = transaction;
++ spin_unlock(&journal->j_list_lock);
+ }
+- spin_unlock(&journal->j_list_lock);
+ jbd_unlock_bh_state(bh);
+
+ /*
--- /dev/null
+From a5efb6b6c99a3a6dc4330f51d8066f638bdea0ac Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Wed, 28 Sep 2016 16:18:47 +0200
+Subject: KVM: s390: reject invalid modes for runtime instrumentation
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+commit a5efb6b6c99a3a6dc4330f51d8066f638bdea0ac upstream.
+
+Usually a validity intercept is a programming error of the host
+because of invalid entries in the state description.
+We can get a validity intercept if the mode of the runtime
+instrumentation control block is wrong. As the host does not know
+which modes are valid, this can be used by userspace to trigger
+a WARN.
+Instead of printing a WARN let's return an error to userspace as
+this can only happen if userspace provides a malformed initial
+value (e.g. on migration). The kernel should never warn on bogus
+input. Instead let's log it into the s390 debug feature.
+
+While at it, let's return -EINVAL for all validity intercepts as
+this will trigger an error in QEMU like
+
+error: kvm run failed Invalid argument
+PSW=mask 0404c00180000000 addr 000000000063c226 cc 00
+R00=000000000000004f R01=0000000000000004 R02=0000000000760005 R03=000000007fe0a000
+R04=000000000064ba2a R05=000000049db73dd0 R06=000000000082c4b0 R07=0000000000000041
+R08=0000000000000002 R09=000003e0804042a8 R10=0000000496152c42 R11=000000007fe0afb0
+[...]
+
+This will avoid an endless loop of validity intercepts.
+
+Fixes: c6e5f166373a ("KVM: s390: implement the RI support of guest")
+Acked-by: Fan Zhang <zhangfan@linux.vnet.ibm.com>
+Reviewed-by: Pierre Morel <pmorel@linux.vnet.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/intercept.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kvm/intercept.c
++++ b/arch/s390/kvm/intercept.c
+@@ -118,8 +118,13 @@ static int handle_validity(struct kvm_vc
+
+ vcpu->stat.exit_validity++;
+ trace_kvm_s390_intercept_validity(vcpu, viwhy);
+- WARN_ONCE(true, "kvm: unhandled validity intercept 0x%x\n", viwhy);
+- return -EOPNOTSUPP;
++ KVM_EVENT(3, "validity intercept 0x%x for pid %u (kvm 0x%pK)", viwhy,
++ current->pid, vcpu->kvm);
++
++ /* do not warn on invalid runtime instrumentation mode */
++ WARN_ONCE(viwhy != 0x44, "kvm: unhandled validity intercept 0x%x\n",
++ viwhy);
++ return -EINVAL;
+ }
+
+ static int handle_instruction(struct kvm_vcpu *vcpu)
--- /dev/null
+From 9158cb29e7c2f10dd325eb1589f0fe745a271257 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Wed, 28 Sep 2016 11:33:28 -0700
+Subject: memstick: rtsx_usb_ms: Manage runtime PM when accessing the device
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 9158cb29e7c2f10dd325eb1589f0fe745a271257 upstream.
+
+Accesses to the rtsx usb device, which is the parent of the rtsx memstick
+device, must not be done unless it's runtime resumed. This is currently not
+the case and it could trigger various errors.
+
+Fix this by properly deal with runtime PM in this regards. This means
+making sure the device is runtime resumed, when serving requests via the
+->request() callback or changing settings via the ->set_param() callbacks.
+
+Cc: Ritesh Raj Sarraf <rrs@researchut.com>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/memstick/host/rtsx_usb_ms.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/memstick/host/rtsx_usb_ms.c
++++ b/drivers/memstick/host/rtsx_usb_ms.c
+@@ -524,6 +524,7 @@ static void rtsx_usb_ms_handle_req(struc
+ int rc;
+
+ if (!host->req) {
++ pm_runtime_get_sync(ms_dev(host));
+ do {
+ rc = memstick_next_req(msh, &host->req);
+ dev_dbg(ms_dev(host), "next req %d\n", rc);
+@@ -544,6 +545,7 @@ static void rtsx_usb_ms_handle_req(struc
+ host->req->error);
+ }
+ } while (!rc);
++ pm_runtime_put(ms_dev(host));
+ }
+
+ }
+@@ -570,6 +572,7 @@ static int rtsx_usb_ms_set_param(struct
+ dev_dbg(ms_dev(host), "%s: param = %d, value = %d\n",
+ __func__, param, value);
+
++ pm_runtime_get_sync(ms_dev(host));
+ mutex_lock(&ucr->dev_mutex);
+
+ err = rtsx_usb_card_exclusive_check(ucr, RTSX_USB_MS_CARD);
+@@ -635,6 +638,7 @@ static int rtsx_usb_ms_set_param(struct
+ }
+ out:
+ mutex_unlock(&ucr->dev_mutex);
++ pm_runtime_put(ms_dev(host));
+
+ /* power-on delay */
+ if (param == MEMSTICK_POWER && value == MEMSTICK_POWER_ON)
--- /dev/null
+From 796aa46adf1d90eab36ae06a42e6d3f10b28a75c Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 26 Sep 2016 15:45:41 -0700
+Subject: memstick: rtsx_usb_ms: Runtime resume the device when polling for cards
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 796aa46adf1d90eab36ae06a42e6d3f10b28a75c upstream.
+
+Accesses to the rtsx usb device, which is the parent of the rtsx memstick
+device, must not be done unless it's runtime resumed.
+
+Therefore when the rtsx_usb_ms driver polls for inserted memstick cards,
+let's add pm_runtime_get|put*() to make sure accesses is done when the
+rtsx usb device is runtime resumed.
+
+Reported-by: Ritesh Raj Sarraf <rrs@researchut.com>
+Tested-by: Ritesh Raj Sarraf <rrs@researchut.com>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/memstick/host/rtsx_usb_ms.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/memstick/host/rtsx_usb_ms.c
++++ b/drivers/memstick/host/rtsx_usb_ms.c
+@@ -681,6 +681,7 @@ static int rtsx_usb_detect_ms_card(void
+ int err;
+
+ for (;;) {
++ pm_runtime_get_sync(ms_dev(host));
+ mutex_lock(&ucr->dev_mutex);
+
+ /* Check pending MS card changes */
+@@ -703,6 +704,7 @@ static int rtsx_usb_detect_ms_card(void
+ }
+
+ poll_again:
++ pm_runtime_put(ms_dev(host));
+ if (host->eject)
+ break;
+
--- /dev/null
+From 3f2d26643595973e835e8356ea90c7c15cb1b0f1 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Mon, 3 Oct 2016 10:58:28 +0200
+Subject: mmc: core: Annotate cmd_hdr as __le32
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 3f2d26643595973e835e8356ea90c7c15cb1b0f1 upstream.
+
+Commit f68381a70bb2 (mmc: block: fix packed command header endianness)
+correctly fixed endianness handling of packed_cmd_hdr in
+mmc_blk_packed_hdr_wrq_prep.
+
+But now, sparse complains about incorrect types:
+drivers/mmc/card/block.c:1613:27: sparse: incorrect type in assignment (different base types)
+drivers/mmc/card/block.c:1613:27: expected unsigned int [unsigned] [usertype] <noident>
+drivers/mmc/card/block.c:1613:27: got restricted __le32 [usertype] <noident>
+...
+
+So annotate cmd_hdr properly using __le32 to make everyone happy.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Fixes: f68381a70bb2 (mmc: block: fix packed command header endianness)
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/card/block.c | 2 +-
+ drivers/mmc/card/queue.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/card/block.c
++++ b/drivers/mmc/card/block.c
+@@ -1778,7 +1778,7 @@ static void mmc_blk_packed_hdr_wrq_prep(
+ struct mmc_blk_data *md = mq->data;
+ struct mmc_packed *packed = mqrq->packed;
+ bool do_rel_wr, do_data_tag;
+- u32 *packed_cmd_hdr;
++ __le32 *packed_cmd_hdr;
+ u8 hdr_blocks;
+ u8 i = 1;
+
+--- a/drivers/mmc/card/queue.h
++++ b/drivers/mmc/card/queue.h
+@@ -31,7 +31,7 @@ enum mmc_packed_type {
+
+ struct mmc_packed {
+ struct list_head list;
+- u32 cmd_hdr[1024];
++ __le32 cmd_hdr[1024];
+ unsigned int blocks;
+ u8 nr_entries;
+ u8 retries;
--- /dev/null
+From 1720d3545b772c49b2975eeb3b8f4d3f56dc2085 Mon Sep 17 00:00:00 2001
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Fri, 30 Sep 2016 14:18:58 +0800
+Subject: mmc: core: switch to 1V8 or 1V2 for hs400es mode
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+commit 1720d3545b772c49b2975eeb3b8f4d3f56dc2085 upstream.
+
+When introducing hs400es, I didn't notice that we haven't
+switched voltage to 1V2 or 1V8 for it. That happens to work
+as the first controller claiming to support hs400es, arasan(5.1),
+which is designed to only support 1V8. So the voltage is fixed to 1V8.
+But it actually is wrong, and will not fit for other host controllers.
+Let's fix it.
+
+Fixes: commit 81ac2af65793ecf ("mmc: core: implement enhanced strobe support")
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/core/mmc.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/mmc/core/mmc.c
++++ b/drivers/mmc/core/mmc.c
+@@ -1259,6 +1259,16 @@ static int mmc_select_hs400es(struct mmc
+ goto out_err;
+ }
+
++ if (card->mmc_avail_type & EXT_CSD_CARD_TYPE_HS400_1_2V)
++ err = __mmc_set_signal_voltage(host, MMC_SIGNAL_VOLTAGE_120);
++
++ if (err && card->mmc_avail_type & EXT_CSD_CARD_TYPE_HS400_1_8V)
++ err = __mmc_set_signal_voltage(host, MMC_SIGNAL_VOLTAGE_180);
++
++ /* If fails try again during next card power cycle */
++ if (err)
++ goto out_err;
++
+ err = mmc_select_bus_width(card);
+ if (err < 0)
+ goto out_err;
--- /dev/null
+From 31cf742f515c275d22843c4c756e048d2b6d716c Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Tue, 27 Sep 2016 08:44:33 -0700
+Subject: mmc: rtsx_usb_sdmmc: Avoid keeping the device runtime resumed when unused
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 31cf742f515c275d22843c4c756e048d2b6d716c upstream.
+
+The rtsx_usb_sdmmc driver may bail out in its ->set_ios() callback when no
+SD card is inserted. This is wrong, as it could cause the device to remain
+runtime resumed when it's unused. Fix this behaviour.
+
+Tested-by: Ritesh Raj Sarraf <rrs@researchut.com>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/rtsx_usb_sdmmc.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/mmc/host/rtsx_usb_sdmmc.c
++++ b/drivers/mmc/host/rtsx_usb_sdmmc.c
+@@ -1138,11 +1138,6 @@ static void sdmmc_set_ios(struct mmc_hos
+ dev_dbg(sdmmc_dev(host), "%s\n", __func__);
+ mutex_lock(&ucr->dev_mutex);
+
+- if (rtsx_usb_card_exclusive_check(ucr, RTSX_USB_SD_CARD)) {
+- mutex_unlock(&ucr->dev_mutex);
+- return;
+- }
+-
+ sd_set_power_mode(host, ios->power_mode);
+ sd_set_bus_width(host, ios->bus_width);
+ sd_set_timing(host, ios->timing, &host->ddr_mode);
--- /dev/null
+From 4f48aa7a11bfed9502a7c85a5b68cd40ea827f73 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Thu, 15 Sep 2016 14:46:21 +0200
+Subject: mmc: rtsx_usb_sdmmc: Handle runtime PM while changing the led
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 4f48aa7a11bfed9502a7c85a5b68cd40ea827f73 upstream.
+
+Accesses of the rtsx sdmmc's parent device, which is the rtsx usb device,
+must be done when it's runtime resumed. Currently this isn't case when
+changing the led, so let's fix this by adding a pm_runtime_get_sync() and
+a pm_runtime_put() around those operations.
+
+Reported-by: Ritesh Raj Sarraf <rrs@researchut.com>
+Tested-by: Ritesh Raj Sarraf <rrs@researchut.com>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/rtsx_usb_sdmmc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mmc/host/rtsx_usb_sdmmc.c
++++ b/drivers/mmc/host/rtsx_usb_sdmmc.c
+@@ -1309,6 +1309,7 @@ static void rtsx_usb_update_led(struct w
+ container_of(work, struct rtsx_usb_sdmmc, led_work);
+ struct rtsx_ucr *ucr = host->ucr;
+
++ pm_runtime_get_sync(sdmmc_dev(host));
+ mutex_lock(&ucr->dev_mutex);
+
+ if (host->led.brightness == LED_OFF)
+@@ -1317,6 +1318,7 @@ static void rtsx_usb_update_led(struct w
+ rtsx_usb_turn_on_led(ucr);
+
+ mutex_unlock(&ucr->dev_mutex);
++ pm_runtime_put(sdmmc_dev(host));
+ }
+ #endif
+
--- /dev/null
+From d2cf909cda5f8c5609cb7ed6cda816c3e15528c7 Mon Sep 17 00:00:00 2001
+From: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
+Date: Fri, 17 Jun 2016 18:53:28 +0200
+Subject: powerpc/mm: Prevent unlikely crash in copro_calculate_slb()
+
+From: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
+
+commit d2cf909cda5f8c5609cb7ed6cda816c3e15528c7 upstream.
+
+If a cxl adapter faults on an invalid address for a kernel context, we
+may enter copro_calculate_slb() with a NULL mm pointer (kernel
+context) and an effective address which looks like a user
+address. Which will cause a crash when dereferencing mm. It is clearly
+an AFU bug, but there's no reason to crash either. So return an error,
+so that cxl can ack the interrupt with an address error.
+
+Fixes: 73d16a6e0e51 ("powerpc/cell: Move data segment faulting code out of cell platform")
+Signed-off-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
+Acked-by: Ian Munsie <imunsie@au1.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/copro_fault.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/mm/copro_fault.c
++++ b/arch/powerpc/mm/copro_fault.c
+@@ -106,6 +106,8 @@ int copro_calculate_slb(struct mm_struct
+ switch (REGION_ID(ea)) {
+ case USER_REGION_ID:
+ pr_devel("%s: 0x%llx -- USER_REGION_ID\n", __func__, ea);
++ if (mm == NULL)
++ return 1;
+ psize = get_slice_psize(mm, ea);
+ ssize = user_segment_size(ea);
+ vsid = get_vsid(mm->context.id, ea, ssize);
--- /dev/null
+From 61f36166c245e563c7a2b624f4c78c5ce0f680d6 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Sun, 16 Oct 2016 00:27:42 -0700
+Subject: Revert "target: Fix residual overflow handling in target_complete_cmd_with_length"
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 61f36166c245e563c7a2b624f4c78c5ce0f680d6 upstream.
+
+This reverts commit c1ccbfe0311e2380a6d2dcb0714b36904f5d586f.
+
+Reverting this patch, as it incorrectly assumes the additional length
+for INQUIRY in target_complete_cmd_with_length() is SCSI allocation
+length, which breaks existing user-space code when SCSI allocation
+length is smaller than additional length.
+
+ root@scsi-mq:~# sg_inq --len=4 -vvvv /dev/sdb
+ found bsg_major=253
+ open /dev/sdb with flags=0x800
+ inquiry cdb: 12 00 00 00 04 00
+ duration=0 ms
+ inquiry: pass-through requested 4 bytes (data-in) but got -28 bytes
+ inquiry: pass-through can't get negative bytes, say it got none
+ inquiry: got too few bytes (0)
+ INQUIRY resid (32) should never exceed requested len=4
+ inquiry: failed requesting 4 byte response: Malformed response to
+ SCSI command [resid=32]
+
+AFAICT the original change was not to address a specific host issue,
+so go ahead and revert to original logic for now.
+
+Cc: Douglas Gilbert <dgilbert@interlog.com>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: Sumit Rai <sumitrai96@gmail.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c | 16 +---------------
+ 1 file changed, 1 insertion(+), 15 deletions(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -754,15 +754,7 @@ EXPORT_SYMBOL(target_complete_cmd);
+
+ void target_complete_cmd_with_length(struct se_cmd *cmd, u8 scsi_status, int length)
+ {
+- if (scsi_status != SAM_STAT_GOOD) {
+- return;
+- }
+-
+- /*
+- * Calculate new residual count based upon length of SCSI data
+- * transferred.
+- */
+- if (length < cmd->data_length) {
++ if (scsi_status == SAM_STAT_GOOD && length < cmd->data_length) {
+ if (cmd->se_cmd_flags & SCF_UNDERFLOW_BIT) {
+ cmd->residual_count += cmd->data_length - length;
+ } else {
+@@ -771,12 +763,6 @@ void target_complete_cmd_with_length(str
+ }
+
+ cmd->data_length = length;
+- } else if (length > cmd->data_length) {
+- cmd->se_cmd_flags |= SCF_OVERFLOW_BIT;
+- cmd->residual_count = length - cmd->data_length;
+- } else {
+- cmd->se_cmd_flags &= ~(SCF_OVERFLOW_BIT | SCF_UNDERFLOW_BIT);
+- cmd->residual_count = 0;
+ }
+
+ target_complete_cmd(cmd, scsi_status);
irqchip-eznps-acknowledge-nps_ipi-before-calling-the-handler.patch
irqchip-gic-v3-its-fix-entry-size-mask-for-gits_baser.patch
cxl-prevent-adapter-reset-if-an-active-context-exists.patch
+isofs-do-not-return-eacces-for-unknown-filesystems.patch
+memstick-rtsx_usb_ms-runtime-resume-the-device-when-polling-for-cards.patch
+memstick-rtsx_usb_ms-manage-runtime-pm-when-accessing-the-device.patch
+arm64-swp-emulation-bound-ll-sc-retries-before-rescheduling.patch
+arm64-kaslr-fix-breakage-with-config_modversions-y.patch
+arm64-percpu-rewrite-ll-sc-loops-in-assembly.patch
+arm64-kernel-init-mdcr_el2-even-in-the-absence-of-a-pmu.patch
+arm64-cortex-a53-errata-workaround-check-for-kernel-addresses.patch
+arm64-kvm-take-s1-walks-into-account-when-determining-s2-write-faults.patch
+ceph-fix-error-handling-in-ceph_read_iter.patch
+powerpc-mm-prevent-unlikely-crash-in-copro_calculate_slb.patch
+mmc-core-annotate-cmd_hdr-as-__le32.patch
+mmc-core-switch-to-1v8-or-1v2-for-hs400es-mode.patch
+mmc-rtsx_usb_sdmmc-avoid-keeping-the-device-runtime-resumed-when-unused.patch
+mmc-rtsx_usb_sdmmc-handle-runtime-pm-while-changing-the-led.patch
+kvm-s390-reject-invalid-modes-for-runtime-instrumentation.patch
+fscrypto-make-xts-tweak-initialization-endian-independent.patch
+fscrypto-lock-inode-while-setting-encryption-policy.patch
+ext4-do-not-advertise-encryption-support-when-disabled.patch
+jbd2-fix-incorrect-unlock-on-j_list_lock.patch
+ubifs-fix-xattr_names-length-in-exit-paths.patch
+ubifs-abort-readdir-upon-error.patch
+target-tcm_fc-use-cpu-affinity-for-responses.patch
+target-re-add-missing-scf_ack_kref-assignment-in-v4.1.y.patch
+target-make-extended_copy-0xe4-failure-return-copy-target-device-not-reachable.patch
+target-don-t-override-extended_copy-xcopy_pt_cmd-scsi-status-code.patch
+revert-target-fix-residual-overflow-handling-in-target_complete_cmd_with_length.patch
--- /dev/null
+From 926317de33998c112c5510301868ea9aa34097e2 Mon Sep 17 00:00:00 2001
+From: Dinesh Israni <ddi@datera.io>
+Date: Mon, 10 Oct 2016 20:22:03 -0700
+Subject: target: Don't override EXTENDED_COPY xcopy_pt_cmd SCSI status code
+
+From: Dinesh Israni <ddi@datera.io>
+
+commit 926317de33998c112c5510301868ea9aa34097e2 upstream.
+
+This patch addresses a bug where a local EXTENDED_COPY WRITE or READ
+backend I/O request would always return SAM_STAT_CHECK_CONDITION,
+even if underlying xcopy_pt_cmd->se_cmd generated a different
+SCSI status code.
+
+ESX host environments expect to hit SAM_STAT_RESERVATION_CONFLICT
+for certain scenarios, and SAM_STAT_CHECK_CONDITION results in
+non-retriable status for these cases.
+
+Tested on v4.1.y with ESX v5.5u2+ with local IBLOCK backend copy.
+
+Reported-by: Nixon Vincent <nixon.vincent@calsoftinc.com>
+Tested-by: Nixon Vincent <nixon.vincent@calsoftinc.com>
+Cc: Nixon Vincent <nixon.vincent@calsoftinc.com>
+Tested-by: Dinesh Israni <ddi@datera.io>
+Signed-off-by: Dinesh Israni <ddi@datera.io>
+Cc: Dinesh Israni <ddi@datera.io>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_xcopy.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/target/target_core_xcopy.c
++++ b/drivers/target/target_core_xcopy.c
+@@ -662,6 +662,7 @@ static int target_xcopy_read_source(
+ rc = target_xcopy_setup_pt_cmd(xpt_cmd, xop, src_dev, &cdb[0],
+ remote_port, true);
+ if (rc < 0) {
++ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status;
+ transport_generic_free_cmd(se_cmd, 0);
+ return rc;
+ }
+@@ -673,6 +674,7 @@ static int target_xcopy_read_source(
+
+ rc = target_xcopy_issue_pt_cmd(xpt_cmd);
+ if (rc < 0) {
++ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status;
+ transport_generic_free_cmd(se_cmd, 0);
+ return rc;
+ }
+@@ -723,6 +725,7 @@ static int target_xcopy_write_destinatio
+ remote_port, false);
+ if (rc < 0) {
+ struct se_cmd *src_cmd = &xop->src_pt_cmd->se_cmd;
++ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status;
+ /*
+ * If the failure happened before the t_mem_list hand-off in
+ * target_xcopy_setup_pt_cmd(), Reset memory + clear flag so that
+@@ -738,6 +741,7 @@ static int target_xcopy_write_destinatio
+
+ rc = target_xcopy_issue_pt_cmd(xpt_cmd);
+ if (rc < 0) {
++ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status;
+ se_cmd->se_cmd_flags &= ~SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC;
+ transport_generic_free_cmd(se_cmd, 0);
+ return rc;
+@@ -824,10 +828,14 @@ static void target_xcopy_do_work(struct
+ out:
+ xcopy_pt_undepend_remotedev(xop);
+ kfree(xop);
+-
+- pr_warn_ratelimited("target_xcopy_do_work: rc: %d, Setting X-COPY CHECK_CONDITION"
+- " -> sending response\n", rc);
+- ec_cmd->scsi_status = SAM_STAT_CHECK_CONDITION;
++ /*
++ * Don't override an error scsi status if it has already been set
++ */
++ if (ec_cmd->scsi_status == SAM_STAT_GOOD) {
++ pr_warn_ratelimited("target_xcopy_do_work: rc: %d, Setting X-COPY"
++ " CHECK_CONDITION -> sending response\n", rc);
++ ec_cmd->scsi_status = SAM_STAT_CHECK_CONDITION;
++ }
+ target_complete_cmd(ec_cmd, SAM_STAT_CHECK_CONDITION);
+ }
+
--- /dev/null
+From 449a137846c84829a328757cd21fd9ca65c08519 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Sat, 8 Oct 2016 17:26:44 -0700
+Subject: target: Make EXTENDED_COPY 0xe4 failure return COPY TARGET DEVICE NOT REACHABLE
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 449a137846c84829a328757cd21fd9ca65c08519 upstream.
+
+This patch addresses a bug where EXTENDED_COPY across multiple LUNs
+results in a CHECK_CONDITION when the source + destination are not
+located on the same physical node.
+
+ESX Host environments expect sense COPY_ABORTED w/ COPY TARGET DEVICE
+NOT REACHABLE to be returned when this occurs, in order to signal
+fallback to local copy method.
+
+As described in section 6.3.3 of spc4r22:
+
+ "If it is not possible to complete processing of a segment because the
+ copy manager is unable to establish communications with a copy target
+ device, because the copy target device does not respond to INQUIRY,
+ or because the data returned in response to INQUIRY indicates
+ an unsupported logical unit, then the EXTENDED COPY command shall be
+ terminated with CHECK CONDITION status, with the sense key set to
+ COPY ABORTED, and the additional sense code set to COPY TARGET DEVICE
+ NOT REACHABLE."
+
+Tested on v4.1.y with ESX v5.5u2+ with BlockCopy across multiple nodes.
+
+Reported-by: Nixon Vincent <nixon.vincent@calsoftinc.com>
+Tested-by: Nixon Vincent <nixon.vincent@calsoftinc.com>
+Cc: Nixon Vincent <nixon.vincent@calsoftinc.com>
+Tested-by: Dinesh Israni <ddi@datera.io>
+Signed-off-by: Dinesh Israni <ddi@datera.io>
+Cc: Dinesh Israni <ddi@datera.io>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c | 7 +++++++
+ drivers/target/target_core_xcopy.c | 22 ++++++++++++++++------
+ include/target/target_core_base.h | 1 +
+ 3 files changed, 24 insertions(+), 6 deletions(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1706,6 +1706,7 @@ void transport_generic_request_failure(s
+ case TCM_LOGICAL_BLOCK_GUARD_CHECK_FAILED:
+ case TCM_LOGICAL_BLOCK_APP_TAG_CHECK_FAILED:
+ case TCM_LOGICAL_BLOCK_REF_TAG_CHECK_FAILED:
++ case TCM_COPY_TARGET_DEVICE_NOT_REACHABLE:
+ break;
+ case TCM_OUT_OF_RESOURCES:
+ sense_reason = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+@@ -2873,6 +2874,12 @@ static const struct sense_info sense_inf
+ .ascq = 0x03, /* LOGICAL BLOCK REFERENCE TAG CHECK FAILED */
+ .add_sector_info = true,
+ },
++ [TCM_COPY_TARGET_DEVICE_NOT_REACHABLE] = {
++ .key = COPY_ABORTED,
++ .asc = 0x0d,
++ .ascq = 0x02, /* COPY TARGET DEVICE NOT REACHABLE */
++
++ },
+ [TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE] = {
+ /*
+ * Returning ILLEGAL REQUEST would cause immediate IO errors on
+--- a/drivers/target/target_core_xcopy.c
++++ b/drivers/target/target_core_xcopy.c
+@@ -104,7 +104,7 @@ static int target_xcopy_locate_se_dev_e4
+ }
+ mutex_unlock(&g_device_mutex);
+
+- pr_err("Unable to locate 0xe4 descriptor for EXTENDED_COPY\n");
++ pr_debug_ratelimited("Unable to locate 0xe4 descriptor for EXTENDED_COPY\n");
+ return -EINVAL;
+ }
+
+@@ -185,7 +185,7 @@ static int target_xcopy_parse_tiddesc_e4
+
+ static int target_xcopy_parse_target_descriptors(struct se_cmd *se_cmd,
+ struct xcopy_op *xop, unsigned char *p,
+- unsigned short tdll)
++ unsigned short tdll, sense_reason_t *sense_ret)
+ {
+ struct se_device *local_dev = se_cmd->se_dev;
+ unsigned char *desc = p;
+@@ -193,6 +193,8 @@ static int target_xcopy_parse_target_des
+ unsigned short start = 0;
+ bool src = true;
+
++ *sense_ret = TCM_INVALID_PARAMETER_LIST;
++
+ if (offset != 0) {
+ pr_err("XCOPY target descriptor list length is not"
+ " multiple of %d\n", XCOPY_TARGET_DESC_LEN);
+@@ -243,9 +245,16 @@ static int target_xcopy_parse_target_des
+ rc = target_xcopy_locate_se_dev_e4(se_cmd, xop, true);
+ else
+ rc = target_xcopy_locate_se_dev_e4(se_cmd, xop, false);
+-
+- if (rc < 0)
++ /*
++ * If a matching IEEE NAA 0x83 descriptor for the requested device
++ * is not located on this node, return COPY_ABORTED with ASQ/ASQC
++ * 0x0d/0x02 - COPY_TARGET_DEVICE_NOT_REACHABLE to request the
++ * initiator to fall back to normal copy method.
++ */
++ if (rc < 0) {
++ *sense_ret = TCM_COPY_TARGET_DEVICE_NOT_REACHABLE;
+ goto out;
++ }
+
+ pr_debug("XCOPY TGT desc: Source dev: %p NAA IEEE WWN: 0x%16phN\n",
+ xop->src_dev, &xop->src_tid_wwn[0]);
+@@ -816,7 +825,8 @@ out:
+ xcopy_pt_undepend_remotedev(xop);
+ kfree(xop);
+
+- pr_warn("target_xcopy_do_work: Setting X-COPY CHECK_CONDITION -> sending response\n");
++ pr_warn_ratelimited("target_xcopy_do_work: rc: %d, Setting X-COPY CHECK_CONDITION"
++ " -> sending response\n", rc);
+ ec_cmd->scsi_status = SAM_STAT_CHECK_CONDITION;
+ target_complete_cmd(ec_cmd, SAM_STAT_CHECK_CONDITION);
+ }
+@@ -875,7 +885,7 @@ sense_reason_t target_do_xcopy(struct se
+ " tdll: %hu sdll: %u inline_dl: %u\n", list_id, list_id_usage,
+ tdll, sdll, inline_dl);
+
+- rc = target_xcopy_parse_target_descriptors(se_cmd, xop, &p[16], tdll);
++ rc = target_xcopy_parse_target_descriptors(se_cmd, xop, &p[16], tdll, &ret);
+ if (rc <= 0)
+ goto out;
+
+--- a/include/target/target_core_base.h
++++ b/include/target/target_core_base.h
+@@ -177,6 +177,7 @@ enum tcm_sense_reason_table {
+ TCM_LOGICAL_BLOCK_GUARD_CHECK_FAILED = R(0x15),
+ TCM_LOGICAL_BLOCK_APP_TAG_CHECK_FAILED = R(0x16),
+ TCM_LOGICAL_BLOCK_REF_TAG_CHECK_FAILED = R(0x17),
++ TCM_COPY_TARGET_DEVICE_NOT_REACHABLE = R(0x18),
+ #undef R
+ };
+
--- /dev/null
+From 527268df31e57cf2b6d417198717c6d6afdb1e3e Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Tue, 4 Oct 2016 16:37:05 -0700
+Subject: target: Re-add missing SCF_ACK_KREF assignment in v4.1.y
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 527268df31e57cf2b6d417198717c6d6afdb1e3e upstream.
+
+This patch fixes a regression in >= v4.1.y code where the original
+SCF_ACK_KREF assignment in target_get_sess_cmd() was dropped upstream
+in commit 054922bb, but the series for addressing TMR ABORT_TASK +
+LUN_RESET with fabric session reinstatement in commit febe562c20 still
+depends on this code in transport_cmd_finish_abort().
+
+The regression manifests itself as a se_cmd->cmd_kref +1 leak, where
+ABORT_TASK + LUN_RESET can hang indefinately for a specific I_T session
+for drivers using SCF_ACK_KREF, resulting in hung kthreads.
+
+This patch has been verified with v4.1.y code.
+
+Reported-by: Vaibhav Tandon <vst@datera.io>
+Tested-by: Vaibhav Tandon <vst@datera.io>
+Cc: Vaibhav Tandon <vst@datera.io>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -2547,8 +2547,10 @@ int target_get_sess_cmd(struct se_cmd *s
+ * fabric acknowledgement that requires two target_put_sess_cmd()
+ * invocations before se_cmd descriptor release.
+ */
+- if (ack_kref)
++ if (ack_kref) {
+ kref_get(&se_cmd->cmd_kref);
++ se_cmd->se_cmd_flags |= SCF_ACK_KREF;
++ }
+
+ spin_lock_irqsave(&se_sess->sess_cmd_lock, flags);
+ if (se_sess->sess_tearing_down) {
--- /dev/null
+From 1ba0158fa66b5b2c597a748f87be1650c9960ccc Mon Sep 17 00:00:00 2001
+From: Hannes Reinecke <hare@suse.de>
+Date: Mon, 22 Aug 2016 10:54:11 +0200
+Subject: target/tcm_fc: use CPU affinity for responses
+
+From: Hannes Reinecke <hare@suse.de>
+
+commit 1ba0158fa66b5b2c597a748f87be1650c9960ccc upstream.
+
+The libfc stack assigns exchange IDs based on the CPU the request
+was received on, so we need to send the responses via the same CPU.
+Otherwise the send logic gets confuses and responses will be delayed,
+causing exchange timeouts on the initiator side.
+
+Signed-off-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/tcm_fc/tfc_cmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/tcm_fc/tfc_cmd.c
++++ b/drivers/target/tcm_fc/tfc_cmd.c
+@@ -572,7 +572,7 @@ static void ft_send_work(struct work_str
+ if (target_submit_cmd(&cmd->se_cmd, cmd->sess->se_sess, fcp->fc_cdb,
+ &cmd->ft_sense_buffer[0], scsilun_to_int(&fcp->fc_lun),
+ ntohl(fcp->fc_dl), task_attr, data_dir,
+- TARGET_SCF_ACK_KREF))
++ TARGET_SCF_ACK_KREF | TARGET_SCF_USE_CPUID))
+ goto err;
+
+ pr_debug("r_ctl %x alloc target_submit_cmd\n", fh->fh_r_ctl);
--- /dev/null
+From c83ed4c9dbb358b9e7707486e167e940d48bfeed Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Wed, 19 Oct 2016 12:43:07 +0200
+Subject: ubifs: Abort readdir upon error
+
+From: Richard Weinberger <richard@nod.at>
+
+commit c83ed4c9dbb358b9e7707486e167e940d48bfeed upstream.
+
+If UBIFS is facing an error while walking a directory, it reports this
+error and ubifs_readdir() returns the error code. But the VFS readdir
+logic does not make the getdents system call fail in all cases. When the
+readdir cursor indicates that more entries are present, the system call
+will just return and the libc wrapper will try again since it also
+knows that more entries are present.
+This causes the libc wrapper to busy loop for ever when a directory is
+corrupted on UBIFS.
+A common approach do deal with corrupted directory entries is
+skipping them by setting the cursor to the next entry. On UBIFS this
+approach is not possible since we cannot compute the next directory
+entry cursor position without reading the current entry. So all we can
+do is setting the cursor to the "no more entries" position and make
+getdents exit.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/dir.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -350,7 +350,7 @@ static unsigned int vfs_dent_type(uint8_
+ */
+ static int ubifs_readdir(struct file *file, struct dir_context *ctx)
+ {
+- int err;
++ int err = 0;
+ struct qstr nm;
+ union ubifs_key key;
+ struct ubifs_dent_node *dent;
+@@ -452,14 +452,12 @@ out:
+ kfree(file->private_data);
+ file->private_data = NULL;
+
+- if (err != -ENOENT) {
++ if (err != -ENOENT)
+ ubifs_err(c, "cannot find next direntry, error %d", err);
+- return err;
+- }
+
+ /* 2 is a special value indicating that there are no more direntries */
+ ctx->pos = 2;
+- return 0;
++ return err;
+ }
+
+ /* Free saved readdir() state when the directory is closed */
--- /dev/null
+From 843741c5778398ea67055067f4cc65ae6c80ca0e Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Tue, 20 Sep 2016 10:08:30 +0200
+Subject: ubifs: Fix xattr_names length in exit paths
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 843741c5778398ea67055067f4cc65ae6c80ca0e upstream.
+
+When the operation fails we also have to undo the changes
+we made to ->xattr_names. Otherwise listxattr() will report
+wrong lengths.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/xattr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ubifs/xattr.c
++++ b/fs/ubifs/xattr.c
+@@ -172,6 +172,7 @@ out_cancel:
+ host_ui->xattr_cnt -= 1;
+ host_ui->xattr_size -= CALC_DENT_SIZE(nm->len);
+ host_ui->xattr_size -= CALC_XATTR_BYTES(size);
++ host_ui->xattr_names -= nm->len;
+ mutex_unlock(&host_ui->ui_mutex);
+ out_free:
+ make_bad_inode(inode);
+@@ -476,6 +477,7 @@ out_cancel:
+ host_ui->xattr_cnt += 1;
+ host_ui->xattr_size += CALC_DENT_SIZE(nm->len);
+ host_ui->xattr_size += CALC_XATTR_BYTES(ui->data_len);
++ host_ui->xattr_names += nm->len;
+ mutex_unlock(&host_ui->ui_mutex);
+ ubifs_release_budget(c, &req);
+ make_bad_inode(inode);
projects / thirdparty / kernel / stable-queue.git / commitdiff
