--- /dev/null
+From 0b938a2e2cf0b0a2c8bac9769111545aff0fee97 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 18 Nov 2015 11:41:05 -0800
+Subject: apparmor: fix ref count leak when profile sha1 hash is read
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 0b938a2e2cf0b0a2c8bac9769111545aff0fee97 upstream.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Seth Arnold <seth.arnold@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/apparmorfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -331,6 +331,7 @@ static int aa_fs_seq_hash_show(struct se
+ seq_printf(seq, "%.2x", profile->hash[i]);
+ seq_puts(seq, "\n");
+ }
++ aa_put_profile(profile);
+
+ return 0;
+ }
--- /dev/null
+From 7de249964f5578e67b99699c5f0b405738d820a2 Mon Sep 17 00:00:00 2001
+From: Dave Weinstein <olorin@google.com>
+Date: Thu, 28 Jul 2016 11:55:41 -0700
+Subject: arm: oabi compat: add missing access checks
+
+From: Dave Weinstein <olorin@google.com>
+
+commit 7de249964f5578e67b99699c5f0b405738d820a2 upstream.
+
+Add access checks to sys_oabi_epoll_wait() and sys_oabi_semtimedop().
+This fixes CVE-2016-3857, a local privilege escalation under
+CONFIG_OABI_COMPAT.
+
+Reported-by: Chiachih Wu <wuchiachih@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Nicolas Pitre <nico@linaro.org>
+Signed-off-by: Dave Weinstein <olorin@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kernel/sys_oabi-compat.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/sys_oabi-compat.c
++++ b/arch/arm/kernel/sys_oabi-compat.c
+@@ -275,8 +275,12 @@ asmlinkage long sys_oabi_epoll_wait(int
+ mm_segment_t fs;
+ long ret, err, i;
+
+- if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
++ if (maxevents <= 0 ||
++ maxevents > (INT_MAX/sizeof(*kbuf)) ||
++ maxevents > (INT_MAX/sizeof(*events)))
+ return -EINVAL;
++ if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
++ return -EFAULT;
+ kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
+ if (!kbuf)
+ return -ENOMEM;
+@@ -313,6 +317,8 @@ asmlinkage long sys_oabi_semtimedop(int
+
+ if (nsops < 1 || nsops > SEMOPM)
+ return -EINVAL;
++ if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
++ return -EFAULT;
+ sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
+ if (!sops)
+ return -ENOMEM;
--- /dev/null
+From 4d06dd537f95683aba3651098ae288b7cbff8274 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Mon, 7 Mar 2016 21:15:36 +0100
+Subject: cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bjørn Mork <bjorn@mork.no>
+
+commit 4d06dd537f95683aba3651098ae288b7cbff8274 upstream.
+
+usbnet_link_change will call schedule_work and should be
+avoided if bind is failing. Otherwise we will end up with
+scheduled work referring to a netdev which has gone away.
+
+Instead of making the call conditional, we can just defer
+it to usbnet_probe, using the driver_info flag made for
+this purpose.
+
+Fixes: 8a34b0ae8778 ("usbnet: cdc_ncm: apply usbnet_link_change")
+Reported-by: Andrey Konovalov <andreyknvl@gmail.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[ciwillia@brocade.com: backported to 3.14: adjusted context]
+Signed-off-by: Charles (Chas) Williams <ciwillia@brocade.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/cdc_ncm.c | 20 +++++---------------
+ 1 file changed, 5 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -571,24 +571,13 @@ EXPORT_SYMBOL_GPL(cdc_ncm_select_altsett
+
+ static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+- int ret;
+-
+ /* MBIM backwards compatible function? */
+ cdc_ncm_select_altsetting(dev, intf);
+ if (cdc_ncm_comm_intf_is_mbim(intf->cur_altsetting))
+ return -ENODEV;
+
+ /* NCM data altsetting is always 1 */
+- ret = cdc_ncm_bind_common(dev, intf, 1);
+-
+- /*
+- * We should get an event when network connection is "connected" or
+- * "disconnected". Set network connection in "disconnected" state
+- * (carrier is OFF) during attach, so the IP network stack does not
+- * start IPv6 negotiation and more.
+- */
+- usbnet_link_change(dev, 0, 0);
+- return ret;
++ return cdc_ncm_bind_common(dev, intf, 1);
+ }
+
+ static void cdc_ncm_align_tail(struct sk_buff *skb, size_t modulus, size_t remainder, size_t max)
+@@ -1117,7 +1106,8 @@ static int cdc_ncm_check_connect(struct
+
+ static const struct driver_info cdc_ncm_info = {
+ .description = "CDC NCM",
+- .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET,
++ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
++ | FLAG_LINK_INTR,
+ .bind = cdc_ncm_bind,
+ .unbind = cdc_ncm_unbind,
+ .check_connect = cdc_ncm_check_connect,
+@@ -1131,7 +1121,7 @@ static const struct driver_info cdc_ncm_
+ static const struct driver_info wwan_info = {
+ .description = "Mobile Broadband Network Device",
+ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
+- | FLAG_WWAN,
++ | FLAG_LINK_INTR | FLAG_WWAN,
+ .bind = cdc_ncm_bind,
+ .unbind = cdc_ncm_unbind,
+ .check_connect = cdc_ncm_check_connect,
+@@ -1145,7 +1135,7 @@ static const struct driver_info wwan_inf
+ static const struct driver_info wwan_noarp_info = {
+ .description = "Mobile Broadband Network Device (NO ARP)",
+ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
+- | FLAG_WWAN | FLAG_NOARP,
++ | FLAG_LINK_INTR | FLAG_WWAN | FLAG_NOARP,
+ .bind = cdc_ncm_bind,
+ .unbind = cdc_ncm_unbind,
+ .check_connect = cdc_ncm_check_connect,
--- /dev/null
+From ben@decadent.org.uk Sun Aug 14 17:34:33 2016
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 31 May 2016 03:40:50 +0100
+Subject: IB/security: Restrict use of the write() interface
+To: stable@vger.kernel.org
+Cc: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>, Doug Ledford <dledford@redhat.com>, linux-rdma@vger.kernel.org
+Message-ID: <20160531024050.GL7555@decadent.org.uk>
+Content-Disposition: inline
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+Commit e6bd18f57aad ("IB/security: Restrict use of the write()
+interface") fixed a security problem with various write()
+implementations in the Infiniband subsystem. In older kernel versions
+the ipath_write() function has the same problem and needs the same
+restriction. (The ipath driver has been completely removed upstream.)
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/ipath/ipath_file_ops.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/infiniband/hw/ipath/ipath_file_ops.c
++++ b/drivers/infiniband/hw/ipath/ipath_file_ops.c
+@@ -45,6 +45,8 @@
+ #include <linux/cpu.h>
+ #include <asm/pgtable.h>
+
++#include <rdma/ib.h>
++
+ #include "ipath_kernel.h"
+ #include "ipath_common.h"
+ #include "ipath_user_sdma.h"
+@@ -2240,6 +2242,9 @@ static ssize_t ipath_write(struct file *
+ ssize_t ret = 0;
+ void *dest;
+
++ if (WARN_ON_ONCE(!ib_safe_file_access(fp)))
++ return -EACCES;
++
+ if (count < sizeof(cmd.type)) {
+ ret = -EINVAL;
+ goto bail;
--- /dev/null
+From 20f06ed9f61a185c6dabd662c310bed6189470df Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 27 Jul 2016 11:43:37 +0100
+Subject: KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace
+
+From: David Howells <dhowells@redhat.com>
+
+commit 20f06ed9f61a185c6dabd662c310bed6189470df upstream.
+
+MIPS64 needs to use compat_sys_keyctl for 32-bit userspace rather than
+calling sys_keyctl. The latter will work in a lot of cases, thereby hiding
+the issue.
+
+Reported-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Cc: linux-security-module@vger.kernel.org
+Cc: keyrings@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/13832/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/scall64-n32.S | 2 +-
+ arch/mips/kernel/scall64-o32.S | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/scall64-n32.S
++++ b/arch/mips/kernel/scall64-n32.S
+@@ -350,7 +350,7 @@ EXPORT(sysn32_call_table)
+ PTR sys_ni_syscall /* available, was setaltroot */
+ PTR sys_add_key
+ PTR sys_request_key
+- PTR sys_keyctl /* 6245 */
++ PTR compat_sys_keyctl /* 6245 */
+ PTR sys_set_thread_area
+ PTR sys_inotify_init
+ PTR sys_inotify_add_watch
+--- a/arch/mips/kernel/scall64-o32.S
++++ b/arch/mips/kernel/scall64-o32.S
+@@ -474,7 +474,7 @@ EXPORT(sys32_call_table)
+ PTR sys_ni_syscall /* available, was setaltroot */
+ PTR sys_add_key /* 4280 */
+ PTR sys_request_key
+- PTR sys_keyctl
++ PTR compat_sys_keyctl
+ PTR sys_set_thread_area
+ PTR sys_inotify_init
+ PTR sys_inotify_add_watch /* 4285 */
--- /dev/null
+From 86a574de4590ffe6fd3f3ca34cdcf655a78e36ec Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 3 Jul 2016 17:01:26 -0400
+Subject: random: strengthen input validation for RNDADDTOENTCNT
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 86a574de4590ffe6fd3f3ca34cdcf655a78e36ec upstream.
+
+Don't allow RNDADDTOENTCNT or RNDADDENTROPY to accept a negative
+entropy value. It doesn't make any sense to subtract from the entropy
+counter, and it can trigger a warning:
+
+random: negative entropy/overflow: pool input count -40000
+------------[ cut here ]------------
+WARNING: CPU: 3 PID: 6828 at drivers/char/random.c:670[< none
+ >] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
+Modules linked in:
+CPU: 3 PID: 6828 Comm: a.out Not tainted 4.7.0-rc4+ #4
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ ffffffff880b58e0 ffff88005dd9fcb0 ffffffff82cc838f ffffffff87158b40
+ fffffbfff1016b1c 0000000000000000 0000000000000000 ffffffff87158b40
+ ffffffff83283dae 0000000000000009 ffff88005dd9fcf8 ffffffff8136d27f
+Call Trace:
+ [< inline >] __dump_stack lib/dump_stack.c:15
+ [<ffffffff82cc838f>] dump_stack+0x12e/0x18f lib/dump_stack.c:51
+ [<ffffffff8136d27f>] __warn+0x19f/0x1e0 kernel/panic.c:516
+ [<ffffffff8136d48c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:551
+ [<ffffffff83283dae>] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
+ [< inline >] credit_entropy_bits_safe drivers/char/random.c:734
+ [<ffffffff8328785d>] random_ioctl+0x21d/0x250 drivers/char/random.c:1546
+ [< inline >] vfs_ioctl fs/ioctl.c:43
+ [<ffffffff8185316c>] do_vfs_ioctl+0x18c/0xff0 fs/ioctl.c:674
+ [< inline >] SYSC_ioctl fs/ioctl.c:689
+ [<ffffffff8185405f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
+ [<ffffffff86a995c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
+arch/x86/entry/entry_64.S:207
+---[ end trace 5d4902b2ba842f1f ]---
+
+This was triggered using the test program:
+
+// autogenerated by syzkaller (http://github.com/google/syzkaller)
+
+int main() {
+ int fd = open("/dev/random", O_RDWR);
+ int val = -5000;
+ ioctl(fd, RNDADDTOENTCNT, &val);
+ return 0;
+}
+
+It's harmless in that (a) only root can trigger it, and (b) after
+complaining the code never does let the entropy count go negative, but
+it's better to simply not allow this userspace from passing in a
+negative entropy value altogether.
+
+Google-Bug-Id: #29575089
+Reported-By: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/random.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -698,15 +698,18 @@ retry:
+ }
+ }
+
+-static void credit_entropy_bits_safe(struct entropy_store *r, int nbits)
++static int credit_entropy_bits_safe(struct entropy_store *r, int nbits)
+ {
+ const int nbits_max = (int)(~0U >> (ENTROPY_SHIFT + 1));
+
++ if (nbits < 0)
++ return -EINVAL;
++
+ /* Cap the value to avoid overflows */
+ nbits = min(nbits, nbits_max);
+- nbits = max(nbits, -nbits_max);
+
+ credit_entropy_bits(r, nbits);
++ return 0;
+ }
+
+ /*********************************************************************
+@@ -1420,8 +1423,7 @@ static long random_ioctl(struct file *f,
+ return -EPERM;
+ if (get_user(ent_count, p))
+ return -EFAULT;
+- credit_entropy_bits_safe(&input_pool, ent_count);
+- return 0;
++ return credit_entropy_bits_safe(&input_pool, ent_count);
+ case RNDADDENTROPY:
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+@@ -1435,8 +1437,7 @@ static long random_ioctl(struct file *f,
+ size);
+ if (retval < 0)
+ return retval;
+- credit_entropy_bits_safe(&input_pool, ent_count);
+- return 0;
++ return credit_entropy_bits_safe(&input_pool, ent_count);
+ case RNDZAPENTCNT:
+ case RNDCLEARPOOL:
+ /*
--- /dev/null
+From bc85dc500f9df9b2eec15077e5046672c46adeaa Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Thu, 1 May 2014 16:51:03 +0200
+Subject: scsi: remove scsi_end_request
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit bc85dc500f9df9b2eec15077e5046672c46adeaa upstream.
+
+By folding scsi_end_request into its only caller we can significantly clean
+up the completion logic. We can use simple goto labels now to only have
+a single place to finish or requeue command there instead of the previous
+convoluted logic.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Reviewed-by: Mike Christie <michaelc@cs.wisc.edu>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+[jwang: backport to 3.12]
+Signed-off-by: Jack Wang <jinpu.wang@profitbricks.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_lib.c | 113 +++++++++++++-----------------------------------
+ 1 file changed, 31 insertions(+), 82 deletions(-)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -540,66 +540,6 @@ void scsi_run_host_queues(struct Scsi_Ho
+
+ static void __scsi_release_buffers(struct scsi_cmnd *, int);
+
+-/*
+- * Function: scsi_end_request()
+- *
+- * Purpose: Post-processing of completed commands (usually invoked at end
+- * of upper level post-processing and scsi_io_completion).
+- *
+- * Arguments: cmd - command that is complete.
+- * error - 0 if I/O indicates success, < 0 for I/O error.
+- * bytes - number of bytes of completed I/O
+- * requeue - indicates whether we should requeue leftovers.
+- *
+- * Lock status: Assumed that lock is not held upon entry.
+- *
+- * Returns: cmd if requeue required, NULL otherwise.
+- *
+- * Notes: This is called for block device requests in order to
+- * mark some number of sectors as complete.
+- *
+- * We are guaranteeing that the request queue will be goosed
+- * at some point during this call.
+- * Notes: If cmd was requeued, upon return it will be a stale pointer.
+- */
+-static struct scsi_cmnd *scsi_end_request(struct scsi_cmnd *cmd, int error,
+- int bytes, int requeue)
+-{
+- struct request_queue *q = cmd->device->request_queue;
+- struct request *req = cmd->request;
+-
+- /*
+- * If there are blocks left over at the end, set up the command
+- * to queue the remainder of them.
+- */
+- if (blk_end_request(req, error, bytes)) {
+- /* kill remainder if no retrys */
+- if (error && scsi_noretry_cmd(cmd))
+- blk_end_request_all(req, error);
+- else {
+- if (requeue) {
+- /*
+- * Bleah. Leftovers again. Stick the
+- * leftovers in the front of the
+- * queue, and goose the queue again.
+- */
+- scsi_release_buffers(cmd);
+- scsi_requeue_command(q, cmd);
+- cmd = NULL;
+- }
+- return cmd;
+- }
+- }
+-
+- /*
+- * This will goose the queue request function at the end, so we don't
+- * need to worry about launching another command.
+- */
+- __scsi_release_buffers(cmd, 0);
+- scsi_next_command(cmd);
+- return NULL;
+-}
+-
+ static inline unsigned int scsi_sgtable_index(unsigned short nents)
+ {
+ unsigned int index;
+@@ -751,16 +691,9 @@ static int __scsi_error_from_host_byte(s
+ *
+ * Returns: Nothing
+ *
+- * Notes: This function is matched in terms of capabilities to
+- * the function that created the scatter-gather list.
+- * In other words, if there are no bounce buffers
+- * (the normal case for most drivers), we don't need
+- * the logic to deal with cleaning up afterwards.
+- *
+- * We must call scsi_end_request(). This will finish off
+- * the specified number of sectors. If we are done, the
+- * command block will be released and the queue function
+- * will be goosed. If we are not done then we have to
++ * Notes: We will finish off the specified number of sectors. If we
++ * are done, the command block will be released and the queue
++ * function will be goosed. If we are not done then we have to
+ * figure out what to do next:
+ *
+ * a) We can call scsi_requeue_command(). The request
+@@ -769,7 +702,7 @@ static int __scsi_error_from_host_byte(s
+ * be used if we made forward progress, or if we want
+ * to switch from READ(10) to READ(6) for example.
+ *
+- * b) We can call scsi_queue_insert(). The request will
++ * b) We can call __scsi_queue_insert(). The request will
+ * be put back on the queue and retried using the same
+ * command as before, possibly after a delay.
+ *
+@@ -873,12 +806,25 @@ void scsi_io_completion(struct scsi_cmnd
+ }
+
+ /*
+- * A number of bytes were successfully read. If there
+- * are leftovers and there is some kind of error
+- * (result != 0), retry the rest.
++ * If we finished all bytes in the request we are done now.
+ */
+- if (scsi_end_request(cmd, error, good_bytes, result == 0) == NULL)
+- return;
++ if (!blk_end_request(req, error, good_bytes))
++ goto next_command;
++
++ /*
++ * Kill remainder if no retrys.
++ */
++ if (error && scsi_noretry_cmd(cmd)) {
++ blk_end_request_all(req, error);
++ goto next_command;
++ }
++
++ /*
++ * If there had been no error, but we have leftover bytes in the
++ * requeues just queue the command up again.
++ */
++ if (result == 0)
++ goto requeue;
+
+ error = __scsi_error_from_host_byte(cmd, result);
+
+@@ -1000,7 +946,6 @@ void scsi_io_completion(struct scsi_cmnd
+ switch (action) {
+ case ACTION_FAIL:
+ /* Give up and fail the remainder of the request */
+- scsi_release_buffers(cmd);
+ if (!(req->cmd_flags & REQ_QUIET)) {
+ if (description)
+ scmd_printk(KERN_INFO, cmd, "%s\n",
+@@ -1010,12 +955,11 @@ void scsi_io_completion(struct scsi_cmnd
+ scsi_print_sense("", cmd);
+ scsi_print_command(cmd);
+ }
+- if (blk_end_request_err(req, error))
+- scsi_requeue_command(q, cmd);
+- else
+- scsi_next_command(cmd);
+- break;
++ if (!blk_end_request_err(req, error))
++ goto next_command;
++ /*FALLTHRU*/
+ case ACTION_REPREP:
++ requeue:
+ /* Unprep the request and put it back at the head of the queue.
+ * A new command will be prepared and issued.
+ */
+@@ -1031,6 +975,11 @@ void scsi_io_completion(struct scsi_cmnd
+ __scsi_queue_insert(cmd, SCSI_MLQUEUE_DEVICE_BUSY, 0);
+ break;
+ }
++ return;
++
++next_command:
++ __scsi_release_buffers(cmd, 0);
++ scsi_next_command(cmd);
+ }
+
+ static int scsi_init_sgtable(struct request *req, struct scsi_data_buffer *sdb,
--- /dev/null
+From a621bac3044ed6f7ec5fa0326491b2d4838bfa93 Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Fri, 13 May 2016 12:04:06 -0700
+Subject: scsi_lib: correctly retry failed zero length REQ_TYPE_FS commands
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit a621bac3044ed6f7ec5fa0326491b2d4838bfa93 upstream.
+
+When SCSI was written, all commands coming from the filesystem
+(REQ_TYPE_FS commands) had data. This meant that our signal for needing
+to complete the command was the number of bytes completed being equal to
+the number of bytes in the request. Unfortunately, with the advent of
+flush barriers, we can now get zero length REQ_TYPE_FS commands, which
+confuse this logic because they satisfy the condition every time. This
+means they never get retried even for retryable conditions, like UNIT
+ATTENTION because we complete them early assuming they're done. Fix
+this by special casing the early completion condition to recognise zero
+length commands with errors and let them drop through to the retry code.
+
+Reported-by: Sebastian Parschauer <s.parschauer@gmx.de>
+Signed-off-by: James E.J. Bottomley <jejb@linux.vnet.ibm.com>
+Tested-by: Jack Wang <jinpu.wang@profitbricks.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[ jwang: backport from upstream 4.7 to fix scsi resize issue ]
+Signed-off-by: Jack Wang <jinpu.wang@profitbricks.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_lib.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -806,9 +806,12 @@ void scsi_io_completion(struct scsi_cmnd
+ }
+
+ /*
+- * If we finished all bytes in the request we are done now.
++ * special case: failed zero length commands always need to
++ * drop down into the retry code. Otherwise, if we finished
++ * all bytes in the request we are done now.
+ */
+- if (!blk_end_request(req, error, good_bytes))
++ if (!(blk_rq_bytes(req) == 0 && error) &&
++ !blk_end_request(req, error, good_bytes))
+ goto next_command;
+
+ /*
x86-mm-add-barriers-and-document-switch_mm-vs-flush-synchronization.patch
sctp-prevent-soft-lockup-when-sctp_accept-is-called-during-a-timeout-event.patch
x86-mm-improve-switch_mm-barrier-comments.patch
+cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_bind.patch
+usb-quirk-fix.patch
+arm-oabi-compat-add-missing-access-checks.patch
+keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch
+apparmor-fix-ref-count-leak-when-profile-sha1-hash-is-read.patch
+random-strengthen-input-validation-for-rndaddtoentcnt.patch
+scsi-remove-scsi_end_request.patch
+scsi_lib-correctly-retry-failed-zero-length-req_type_fs-commands.patch
+ib-security-restrict-use-of-the-write-interface.patch
--- /dev/null
+From foo@baz Sun Aug 14 17:09:16 CEST 2016
+Date: Sun, 14 Aug 2016 17:09:16 +0200
+To: Greg KH <gregkh@linuxfoundation.org>
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Subject: USB: fix up incorrect quirk
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Ben Hutchings reported that commit ddbe1fca0bcb ("USB: Add device quirk
+for ASUS T100 Base Station keyboard") was incorrectly ported.
+
+This patch fixes up the quirk by putting it in the correct table.
+
+Reported-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -164,6 +164,10 @@ static const struct usb_device_id usb_qu
+ /* MAYA44USB sound device */
+ { USB_DEVICE(0x0a92, 0x0091), .driver_info = USB_QUIRK_RESET_RESUME },
+
++ /* ASUS Base Station(T100) */
++ { USB_DEVICE(0x0b05, 0x17e0), .driver_info =
++ USB_QUIRK_IGNORE_REMOTE_WAKEUP },
++
+ /* Action Semiconductor flash disk */
+ { USB_DEVICE(0x10d6, 0x2200), .driver_info =
+ USB_QUIRK_STRING_FETCH_255 },
+@@ -186,10 +190,6 @@ static const struct usb_device_id usb_in
+ { USB_VENDOR_AND_INTERFACE_INFO(0x046d, USB_CLASS_VIDEO, 1, 0),
+ .driver_info = USB_QUIRK_RESET_RESUME },
+
+- /* ASUS Base Station(T100) */
+- { USB_DEVICE(0x0b05, 0x17e0), .driver_info =
+- USB_QUIRK_IGNORE_REMOTE_WAKEUP },
+-
+ { } /* terminating entry must be last */
+ };
+