--- /dev/null
+From 850540351bb1a4fa5f192e5ce55b89928cc57f42 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Mon, 17 Oct 2016 13:47:34 +0100
+Subject: arm64: kernel: Init MDCR_EL2 even in the absence of a PMU
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 850540351bb1a4fa5f192e5ce55b89928cc57f42 upstream.
+
+Commit f436b2ac90a0 ("arm64: kernel: fix architected PMU registers
+unconditional access") made sure we wouldn't access unimplemented
+PMU registers, but also left MDCR_EL2 uninitialized in that case,
+leading to trap bits being potentially left set.
+
+Make sure we always write something in that register.
+
+Fixes: f436b2ac90a0 ("arm64: kernel: fix architected PMU registers unconditional access")
+Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/head.S | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/head.S
++++ b/arch/arm64/kernel/head.S
+@@ -518,8 +518,9 @@ CPU_LE( movk x0, #0x30d0, lsl #16 ) // C
+ b.lt 4f // Skip if no PMU present
+ mrs x0, pmcr_el0 // Disable debug access traps
+ ubfx x0, x0, #11, #5 // to EL2 and allow access to
+- msr mdcr_el2, x0 // all PMU counters from EL1
+ 4:
++ csel x0, xzr, x0, lt // all PMU counters from EL1
++ msr mdcr_el2, x0 // (if they exist)
+
+ /* Stage-2 translation */
+ msr vttbr_el2, xzr
--- /dev/null
+From 1e6e57d9b34a9075d5f9e2048ea7b09756590d11 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Mon, 4 Jul 2016 17:44:48 +0100
+Subject: arm64: percpu: rewrite ll/sc loops in assembly
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 1e6e57d9b34a9075d5f9e2048ea7b09756590d11 upstream.
+
+Writing the outer loop of an LL/SC sequence using do {...} while
+constructs potentially allows the compiler to hoist memory accesses
+between the STXR and the branch back to the LDXR. On CPUs that do not
+guarantee forward progress of LL/SC loops when faced with memory
+accesses to the same ERG (up to 2k) between the failed STXR and the
+branch back, we may end up livelocking.
+
+This patch avoids this issue in our percpu atomics by rewriting the
+outer loop as part of the LL/SC inline assembly block.
+
+Fixes: f97fc810798c ("arm64: percpu: Implement this_cpu operations")
+Reviewed-by: Mark Rutland <mark.rutland@arm.com>
+Tested-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/percpu.h | 120 ++++++++++++++++++----------------------
+ 1 file changed, 56 insertions(+), 64 deletions(-)
+
+--- a/arch/arm64/include/asm/percpu.h
++++ b/arch/arm64/include/asm/percpu.h
+@@ -44,48 +44,44 @@ static inline unsigned long __percpu_##o
+ \
+ switch (size) { \
+ case 1: \
+- do { \
+- asm ("//__per_cpu_" #op "_1\n" \
+- "ldxrb %w[ret], %[ptr]\n" \
++ asm ("//__per_cpu_" #op "_1\n" \
++ "1: ldxrb %w[ret], %[ptr]\n" \
+ #asm_op " %w[ret], %w[ret], %w[val]\n" \
+- "stxrb %w[loop], %w[ret], %[ptr]\n" \
+- : [loop] "=&r" (loop), [ret] "=&r" (ret), \
+- [ptr] "+Q"(*(u8 *)ptr) \
+- : [val] "Ir" (val)); \
+- } while (loop); \
++ " stxrb %w[loop], %w[ret], %[ptr]\n" \
++ " cbnz %w[loop], 1b" \
++ : [loop] "=&r" (loop), [ret] "=&r" (ret), \
++ [ptr] "+Q"(*(u8 *)ptr) \
++ : [val] "Ir" (val)); \
+ break; \
+ case 2: \
+- do { \
+- asm ("//__per_cpu_" #op "_2\n" \
+- "ldxrh %w[ret], %[ptr]\n" \
++ asm ("//__per_cpu_" #op "_2\n" \
++ "1: ldxrh %w[ret], %[ptr]\n" \
+ #asm_op " %w[ret], %w[ret], %w[val]\n" \
+- "stxrh %w[loop], %w[ret], %[ptr]\n" \
+- : [loop] "=&r" (loop), [ret] "=&r" (ret), \
+- [ptr] "+Q"(*(u16 *)ptr) \
+- : [val] "Ir" (val)); \
+- } while (loop); \
++ " stxrh %w[loop], %w[ret], %[ptr]\n" \
++ " cbnz %w[loop], 1b" \
++ : [loop] "=&r" (loop), [ret] "=&r" (ret), \
++ [ptr] "+Q"(*(u16 *)ptr) \
++ : [val] "Ir" (val)); \
+ break; \
+ case 4: \
+- do { \
+- asm ("//__per_cpu_" #op "_4\n" \
+- "ldxr %w[ret], %[ptr]\n" \
++ asm ("//__per_cpu_" #op "_4\n" \
++ "1: ldxr %w[ret], %[ptr]\n" \
+ #asm_op " %w[ret], %w[ret], %w[val]\n" \
+- "stxr %w[loop], %w[ret], %[ptr]\n" \
+- : [loop] "=&r" (loop), [ret] "=&r" (ret), \
+- [ptr] "+Q"(*(u32 *)ptr) \
+- : [val] "Ir" (val)); \
+- } while (loop); \
++ " stxr %w[loop], %w[ret], %[ptr]\n" \
++ " cbnz %w[loop], 1b" \
++ : [loop] "=&r" (loop), [ret] "=&r" (ret), \
++ [ptr] "+Q"(*(u32 *)ptr) \
++ : [val] "Ir" (val)); \
+ break; \
+ case 8: \
+- do { \
+- asm ("//__per_cpu_" #op "_8\n" \
+- "ldxr %[ret], %[ptr]\n" \
++ asm ("//__per_cpu_" #op "_8\n" \
++ "1: ldxr %[ret], %[ptr]\n" \
+ #asm_op " %[ret], %[ret], %[val]\n" \
+- "stxr %w[loop], %[ret], %[ptr]\n" \
+- : [loop] "=&r" (loop), [ret] "=&r" (ret), \
+- [ptr] "+Q"(*(u64 *)ptr) \
+- : [val] "Ir" (val)); \
+- } while (loop); \
++ " stxr %w[loop], %[ret], %[ptr]\n" \
++ " cbnz %w[loop], 1b" \
++ : [loop] "=&r" (loop), [ret] "=&r" (ret), \
++ [ptr] "+Q"(*(u64 *)ptr) \
++ : [val] "Ir" (val)); \
+ break; \
+ default: \
+ BUILD_BUG(); \
+@@ -150,44 +146,40 @@ static inline unsigned long __percpu_xch
+
+ switch (size) {
+ case 1:
+- do {
+- asm ("//__percpu_xchg_1\n"
+- "ldxrb %w[ret], %[ptr]\n"
+- "stxrb %w[loop], %w[val], %[ptr]\n"
+- : [loop] "=&r"(loop), [ret] "=&r"(ret),
+- [ptr] "+Q"(*(u8 *)ptr)
+- : [val] "r" (val));
+- } while (loop);
++ asm ("//__percpu_xchg_1\n"
++ "1: ldxrb %w[ret], %[ptr]\n"
++ " stxrb %w[loop], %w[val], %[ptr]\n"
++ " cbnz %w[loop], 1b"
++ : [loop] "=&r"(loop), [ret] "=&r"(ret),
++ [ptr] "+Q"(*(u8 *)ptr)
++ : [val] "r" (val));
+ break;
+ case 2:
+- do {
+- asm ("//__percpu_xchg_2\n"
+- "ldxrh %w[ret], %[ptr]\n"
+- "stxrh %w[loop], %w[val], %[ptr]\n"
+- : [loop] "=&r"(loop), [ret] "=&r"(ret),
+- [ptr] "+Q"(*(u16 *)ptr)
+- : [val] "r" (val));
+- } while (loop);
++ asm ("//__percpu_xchg_2\n"
++ "1: ldxrh %w[ret], %[ptr]\n"
++ " stxrh %w[loop], %w[val], %[ptr]\n"
++ " cbnz %w[loop], 1b"
++ : [loop] "=&r"(loop), [ret] "=&r"(ret),
++ [ptr] "+Q"(*(u16 *)ptr)
++ : [val] "r" (val));
+ break;
+ case 4:
+- do {
+- asm ("//__percpu_xchg_4\n"
+- "ldxr %w[ret], %[ptr]\n"
+- "stxr %w[loop], %w[val], %[ptr]\n"
+- : [loop] "=&r"(loop), [ret] "=&r"(ret),
+- [ptr] "+Q"(*(u32 *)ptr)
+- : [val] "r" (val));
+- } while (loop);
++ asm ("//__percpu_xchg_4\n"
++ "1: ldxr %w[ret], %[ptr]\n"
++ " stxr %w[loop], %w[val], %[ptr]\n"
++ " cbnz %w[loop], 1b"
++ : [loop] "=&r"(loop), [ret] "=&r"(ret),
++ [ptr] "+Q"(*(u32 *)ptr)
++ : [val] "r" (val));
+ break;
+ case 8:
+- do {
+- asm ("//__percpu_xchg_8\n"
+- "ldxr %[ret], %[ptr]\n"
+- "stxr %w[loop], %[val], %[ptr]\n"
+- : [loop] "=&r"(loop), [ret] "=&r"(ret),
+- [ptr] "+Q"(*(u64 *)ptr)
+- : [val] "r" (val));
+- } while (loop);
++ asm ("//__percpu_xchg_8\n"
++ "1: ldxr %[ret], %[ptr]\n"
++ " stxr %w[loop], %[val], %[ptr]\n"
++ " cbnz %w[loop], 1b"
++ : [loop] "=&r"(loop), [ret] "=&r"(ret),
++ [ptr] "+Q"(*(u64 *)ptr)
++ : [val] "r" (val));
+ break;
+ default:
+ BUILD_BUG();
--- /dev/null
+From 0d7718f666be181fda1ba2d08f137d87c1419347 Mon Sep 17 00:00:00 2001
+From: Nikolay Borisov <kernel@kyup.com>
+Date: Mon, 10 Oct 2016 15:38:18 +0300
+Subject: ceph: fix error handling in ceph_read_iter
+
+From: Nikolay Borisov <kernel@kyup.com>
+
+commit 0d7718f666be181fda1ba2d08f137d87c1419347 upstream.
+
+In case __ceph_do_getattr returns an error and the retry_op in
+ceph_read_iter is not READ_INLINE, then it's possible to invoke
+__free_page on a page which is NULL, this naturally leads to a crash.
+This can happen when, for example, a process waiting on a MDS reply
+receives sigterm.
+
+Fix this by explicitly checking whether the page is set or not.
+
+Signed-off-by: Nikolay Borisov <kernel@kyup.com>
+Reviewed-by: Yan, Zheng <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/file.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -929,7 +929,8 @@ again:
+ statret = __ceph_do_getattr(inode, page,
+ CEPH_STAT_CAP_INLINE_DATA, !!page);
+ if (statret < 0) {
+- __free_page(page);
++ if (page)
++ __free_page(page);
+ if (statret == -ENODATA) {
+ BUG_ON(retry_op != READ_INLINE);
+ goto again;
--- /dev/null
+From c4704a4fbe834eee4109ca064131d440941f6235 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 12 Oct 2016 23:24:51 -0400
+Subject: ext4: do not advertise encryption support when disabled
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit c4704a4fbe834eee4109ca064131d440941f6235 upstream.
+
+The sysfs file /sys/fs/ext4/features/encryption was present on kernels
+compiled with CONFIG_EXT4_FS_ENCRYPTION=n. This was misleading because
+such kernels do not actually support ext4 encryption. Therefore, only
+provide this file on kernels compiled with CONFIG_EXT4_FS_ENCRYPTION=y.
+
+Note: since the ext4 feature files are all hardcoded to have a contents
+of "supported", it really is the presence or absence of the file that is
+significant, not the contents (and this change reflects that).
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/sysfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ext4/sysfs.c
++++ b/fs/ext4/sysfs.c
+@@ -223,14 +223,18 @@ static struct attribute *ext4_attrs[] =
+ EXT4_ATTR_FEATURE(lazy_itable_init);
+ EXT4_ATTR_FEATURE(batched_discard);
+ EXT4_ATTR_FEATURE(meta_bg_resize);
++#ifdef CONFIG_EXT4_FS_ENCRYPTION
+ EXT4_ATTR_FEATURE(encryption);
++#endif
+ EXT4_ATTR_FEATURE(metadata_csum_seed);
+
+ static struct attribute *ext4_feat_attrs[] = {
+ ATTR_LIST(lazy_itable_init),
+ ATTR_LIST(batched_discard),
+ ATTR_LIST(meta_bg_resize),
++#ifdef CONFIG_EXT4_FS_ENCRYPTION
+ ATTR_LIST(encryption),
++#endif
+ ATTR_LIST(metadata_csum_seed),
+ NULL,
+ };
--- /dev/null
+From a2ed0b391dd9c3ef1d64c7c3e370f4a5ffcd324a Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 4 Oct 2016 13:44:06 +0200
+Subject: isofs: Do not return EACCES for unknown filesystems
+
+From: Jan Kara <jack@suse.cz>
+
+commit a2ed0b391dd9c3ef1d64c7c3e370f4a5ffcd324a upstream.
+
+When isofs_mount() is called to mount a device read-write, it returns
+EACCES even before it checks that the device actually contains an isofs
+filesystem. This may confuse mount(8) which then tries to mount all
+subsequent filesystem types in read-only mode.
+
+Fix the problem by returning EACCES only once we verify that the device
+indeed contains an iso9660 filesystem.
+
+Fixes: 17b7f7cf58926844e1dd40f5eb5348d481deca6a
+Reported-by: Kent Overstreet <kent.overstreet@gmail.com>
+Reported-by: Karel Zak <kzak@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/isofs/inode.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/fs/isofs/inode.c
++++ b/fs/isofs/inode.c
+@@ -690,6 +690,11 @@ static int isofs_fill_super(struct super
+ pri_bh = NULL;
+
+ root_found:
++ /* We don't support read-write mounts */
++ if (!(s->s_flags & MS_RDONLY)) {
++ error = -EACCES;
++ goto out_freebh;
++ }
+
+ if (joliet_level && (pri == NULL || !opt.rock)) {
+ /* This is the case of Joliet with the norock mount flag.
+@@ -1503,9 +1508,6 @@ struct inode *__isofs_iget(struct super_
+ static struct dentry *isofs_mount(struct file_system_type *fs_type,
+ int flags, const char *dev_name, void *data)
+ {
+- /* We don't support read-write mounts */
+- if (!(flags & MS_RDONLY))
+- return ERR_PTR(-EACCES);
+ return mount_bdev(fs_type, flags, dev_name, data, isofs_fill_super);
+ }
+
--- /dev/null
+From 559cce698eaf4ccecb2213b2519ea3a0413e5155 Mon Sep 17 00:00:00 2001
+From: Taesoo Kim <tsgatesv@gmail.com>
+Date: Wed, 12 Oct 2016 23:19:18 -0400
+Subject: jbd2: fix incorrect unlock on j_list_lock
+
+From: Taesoo Kim <tsgatesv@gmail.com>
+
+commit 559cce698eaf4ccecb2213b2519ea3a0413e5155 upstream.
+
+When 'jh->b_transaction == transaction' (asserted by below)
+
+ J_ASSERT_JH(jh, (jh->b_transaction == transaction || ...
+
+'journal->j_list_lock' will be incorrectly unlocked, since
+the the lock is aquired only at the end of if / else-if
+statements (missing the else case).
+
+Signed-off-by: Taesoo Kim <tsgatesv@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Fixes: 6e4862a5bb9d12be87e4ea5d9a60836ebed71d28
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/transaction.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -1156,6 +1156,7 @@ int jbd2_journal_get_create_access(handl
+ JBUFFER_TRACE(jh, "file as BJ_Reserved");
+ spin_lock(&journal->j_list_lock);
+ __jbd2_journal_file_buffer(jh, transaction, BJ_Reserved);
++ spin_unlock(&journal->j_list_lock);
+ } else if (jh->b_transaction == journal->j_committing_transaction) {
+ /* first access by this transaction */
+ jh->b_modified = 0;
+@@ -1163,8 +1164,8 @@ int jbd2_journal_get_create_access(handl
+ JBUFFER_TRACE(jh, "set next transaction");
+ spin_lock(&journal->j_list_lock);
+ jh->b_next_transaction = transaction;
++ spin_unlock(&journal->j_list_lock);
+ }
+- spin_unlock(&journal->j_list_lock);
+ jbd_unlock_bh_state(bh);
+
+ /*
--- /dev/null
+From 9158cb29e7c2f10dd325eb1589f0fe745a271257 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Wed, 28 Sep 2016 11:33:28 -0700
+Subject: memstick: rtsx_usb_ms: Manage runtime PM when accessing the device
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 9158cb29e7c2f10dd325eb1589f0fe745a271257 upstream.
+
+Accesses to the rtsx usb device, which is the parent of the rtsx memstick
+device, must not be done unless it's runtime resumed. This is currently not
+the case and it could trigger various errors.
+
+Fix this by properly deal with runtime PM in this regards. This means
+making sure the device is runtime resumed, when serving requests via the
+->request() callback or changing settings via the ->set_param() callbacks.
+
+Cc: Ritesh Raj Sarraf <rrs@researchut.com>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/memstick/host/rtsx_usb_ms.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/memstick/host/rtsx_usb_ms.c
++++ b/drivers/memstick/host/rtsx_usb_ms.c
+@@ -524,6 +524,7 @@ static void rtsx_usb_ms_handle_req(struc
+ int rc;
+
+ if (!host->req) {
++ pm_runtime_get_sync(ms_dev(host));
+ do {
+ rc = memstick_next_req(msh, &host->req);
+ dev_dbg(ms_dev(host), "next req %d\n", rc);
+@@ -544,6 +545,7 @@ static void rtsx_usb_ms_handle_req(struc
+ host->req->error);
+ }
+ } while (!rc);
++ pm_runtime_put(ms_dev(host));
+ }
+
+ }
+@@ -570,6 +572,7 @@ static int rtsx_usb_ms_set_param(struct
+ dev_dbg(ms_dev(host), "%s: param = %d, value = %d\n",
+ __func__, param, value);
+
++ pm_runtime_get_sync(ms_dev(host));
+ mutex_lock(&ucr->dev_mutex);
+
+ err = rtsx_usb_card_exclusive_check(ucr, RTSX_USB_MS_CARD);
+@@ -635,6 +638,7 @@ static int rtsx_usb_ms_set_param(struct
+ }
+ out:
+ mutex_unlock(&ucr->dev_mutex);
++ pm_runtime_put(ms_dev(host));
+
+ /* power-on delay */
+ if (param == MEMSTICK_POWER && value == MEMSTICK_POWER_ON)
--- /dev/null
+From 796aa46adf1d90eab36ae06a42e6d3f10b28a75c Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 26 Sep 2016 15:45:41 -0700
+Subject: memstick: rtsx_usb_ms: Runtime resume the device when polling for cards
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 796aa46adf1d90eab36ae06a42e6d3f10b28a75c upstream.
+
+Accesses to the rtsx usb device, which is the parent of the rtsx memstick
+device, must not be done unless it's runtime resumed.
+
+Therefore when the rtsx_usb_ms driver polls for inserted memstick cards,
+let's add pm_runtime_get|put*() to make sure accesses is done when the
+rtsx usb device is runtime resumed.
+
+Reported-by: Ritesh Raj Sarraf <rrs@researchut.com>
+Tested-by: Ritesh Raj Sarraf <rrs@researchut.com>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/memstick/host/rtsx_usb_ms.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/memstick/host/rtsx_usb_ms.c
++++ b/drivers/memstick/host/rtsx_usb_ms.c
+@@ -681,6 +681,7 @@ static int rtsx_usb_detect_ms_card(void
+ int err;
+
+ for (;;) {
++ pm_runtime_get_sync(ms_dev(host));
+ mutex_lock(&ucr->dev_mutex);
+
+ /* Check pending MS card changes */
+@@ -703,6 +704,7 @@ static int rtsx_usb_detect_ms_card(void
+ }
+
+ poll_again:
++ pm_runtime_put(ms_dev(host));
+ if (host->eject)
+ break;
+
--- /dev/null
+From 3f2d26643595973e835e8356ea90c7c15cb1b0f1 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Mon, 3 Oct 2016 10:58:28 +0200
+Subject: mmc: core: Annotate cmd_hdr as __le32
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 3f2d26643595973e835e8356ea90c7c15cb1b0f1 upstream.
+
+Commit f68381a70bb2 (mmc: block: fix packed command header endianness)
+correctly fixed endianness handling of packed_cmd_hdr in
+mmc_blk_packed_hdr_wrq_prep.
+
+But now, sparse complains about incorrect types:
+drivers/mmc/card/block.c:1613:27: sparse: incorrect type in assignment (different base types)
+drivers/mmc/card/block.c:1613:27: expected unsigned int [unsigned] [usertype] <noident>
+drivers/mmc/card/block.c:1613:27: got restricted __le32 [usertype] <noident>
+...
+
+So annotate cmd_hdr properly using __le32 to make everyone happy.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Fixes: f68381a70bb2 (mmc: block: fix packed command header endianness)
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/card/block.c | 2 +-
+ drivers/mmc/card/queue.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/card/block.c
++++ b/drivers/mmc/card/block.c
+@@ -1755,7 +1755,7 @@ static void mmc_blk_packed_hdr_wrq_prep(
+ struct mmc_blk_data *md = mq->data;
+ struct mmc_packed *packed = mqrq->packed;
+ bool do_rel_wr, do_data_tag;
+- u32 *packed_cmd_hdr;
++ __le32 *packed_cmd_hdr;
+ u8 hdr_blocks;
+ u8 i = 1;
+
+--- a/drivers/mmc/card/queue.h
++++ b/drivers/mmc/card/queue.h
+@@ -25,7 +25,7 @@ enum mmc_packed_type {
+
+ struct mmc_packed {
+ struct list_head list;
+- u32 cmd_hdr[1024];
++ __le32 cmd_hdr[1024];
+ unsigned int blocks;
+ u8 nr_entries;
+ u8 retries;
--- /dev/null
+From 31cf742f515c275d22843c4c756e048d2b6d716c Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Tue, 27 Sep 2016 08:44:33 -0700
+Subject: mmc: rtsx_usb_sdmmc: Avoid keeping the device runtime resumed when unused
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 31cf742f515c275d22843c4c756e048d2b6d716c upstream.
+
+The rtsx_usb_sdmmc driver may bail out in its ->set_ios() callback when no
+SD card is inserted. This is wrong, as it could cause the device to remain
+runtime resumed when it's unused. Fix this behaviour.
+
+Tested-by: Ritesh Raj Sarraf <rrs@researchut.com>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/rtsx_usb_sdmmc.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/mmc/host/rtsx_usb_sdmmc.c
++++ b/drivers/mmc/host/rtsx_usb_sdmmc.c
+@@ -1138,11 +1138,6 @@ static void sdmmc_set_ios(struct mmc_hos
+ dev_dbg(sdmmc_dev(host), "%s\n", __func__);
+ mutex_lock(&ucr->dev_mutex);
+
+- if (rtsx_usb_card_exclusive_check(ucr, RTSX_USB_SD_CARD)) {
+- mutex_unlock(&ucr->dev_mutex);
+- return;
+- }
+-
+ sd_set_power_mode(host, ios->power_mode);
+ sd_set_bus_width(host, ios->bus_width);
+ sd_set_timing(host, ios->timing, &host->ddr_mode);
--- /dev/null
+From 4f48aa7a11bfed9502a7c85a5b68cd40ea827f73 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Thu, 15 Sep 2016 14:46:21 +0200
+Subject: mmc: rtsx_usb_sdmmc: Handle runtime PM while changing the led
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 4f48aa7a11bfed9502a7c85a5b68cd40ea827f73 upstream.
+
+Accesses of the rtsx sdmmc's parent device, which is the rtsx usb device,
+must be done when it's runtime resumed. Currently this isn't case when
+changing the led, so let's fix this by adding a pm_runtime_get_sync() and
+a pm_runtime_put() around those operations.
+
+Reported-by: Ritesh Raj Sarraf <rrs@researchut.com>
+Tested-by: Ritesh Raj Sarraf <rrs@researchut.com>
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/rtsx_usb_sdmmc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mmc/host/rtsx_usb_sdmmc.c
++++ b/drivers/mmc/host/rtsx_usb_sdmmc.c
+@@ -1309,6 +1309,7 @@ static void rtsx_usb_update_led(struct w
+ container_of(work, struct rtsx_usb_sdmmc, led_work);
+ struct rtsx_ucr *ucr = host->ucr;
+
++ pm_runtime_get_sync(sdmmc_dev(host));
+ mutex_lock(&ucr->dev_mutex);
+
+ if (host->led.brightness == LED_OFF)
+@@ -1317,6 +1318,7 @@ static void rtsx_usb_update_led(struct w
+ rtsx_usb_turn_on_led(ucr);
+
+ mutex_unlock(&ucr->dev_mutex);
++ pm_runtime_put(sdmmc_dev(host));
+ }
+ #endif
+
--- /dev/null
+From d2cf909cda5f8c5609cb7ed6cda816c3e15528c7 Mon Sep 17 00:00:00 2001
+From: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
+Date: Fri, 17 Jun 2016 18:53:28 +0200
+Subject: powerpc/mm: Prevent unlikely crash in copro_calculate_slb()
+
+From: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
+
+commit d2cf909cda5f8c5609cb7ed6cda816c3e15528c7 upstream.
+
+If a cxl adapter faults on an invalid address for a kernel context, we
+may enter copro_calculate_slb() with a NULL mm pointer (kernel
+context) and an effective address which looks like a user
+address. Which will cause a crash when dereferencing mm. It is clearly
+an AFU bug, but there's no reason to crash either. So return an error,
+so that cxl can ack the interrupt with an address error.
+
+Fixes: 73d16a6e0e51 ("powerpc/cell: Move data segment faulting code out of cell platform")
+Signed-off-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
+Acked-by: Ian Munsie <imunsie@au1.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/copro_fault.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/mm/copro_fault.c
++++ b/arch/powerpc/mm/copro_fault.c
+@@ -106,6 +106,8 @@ int copro_calculate_slb(struct mm_struct
+ switch (REGION_ID(ea)) {
+ case USER_REGION_ID:
+ pr_devel("%s: 0x%llx -- USER_REGION_ID\n", __func__, ea);
++ if (mm == NULL)
++ return 1;
+ psize = get_slice_psize(mm, ea);
+ ssize = user_segment_size(ea);
+ vsid = get_vsid(mm->context.id, ea, ssize);
using-bug_on-as-an-assert-is-_never_-acceptable.patch
s390-mm-fix-gmap-tlb-flush-issues.patch
irqchip-gic-v3-its-fix-entry-size-mask-for-gits_baser.patch
+isofs-do-not-return-eacces-for-unknown-filesystems.patch
+memstick-rtsx_usb_ms-runtime-resume-the-device-when-polling-for-cards.patch
+memstick-rtsx_usb_ms-manage-runtime-pm-when-accessing-the-device.patch
+arm64-percpu-rewrite-ll-sc-loops-in-assembly.patch
+arm64-kernel-init-mdcr_el2-even-in-the-absence-of-a-pmu.patch
+ceph-fix-error-handling-in-ceph_read_iter.patch
+powerpc-mm-prevent-unlikely-crash-in-copro_calculate_slb.patch
+mmc-core-annotate-cmd_hdr-as-__le32.patch
+mmc-rtsx_usb_sdmmc-avoid-keeping-the-device-runtime-resumed-when-unused.patch
+mmc-rtsx_usb_sdmmc-handle-runtime-pm-while-changing-the-led.patch
+ext4-do-not-advertise-encryption-support-when-disabled.patch
+jbd2-fix-incorrect-unlock-on-j_list_lock.patch
+ubifs-fix-xattr_names-length-in-exit-paths.patch
+ubifs-abort-readdir-upon-error.patch
+target-re-add-missing-scf_ack_kref-assignment-in-v4.1.y.patch
+target-make-extended_copy-0xe4-failure-return-copy-target-device-not-reachable.patch
+target-don-t-override-extended_copy-xcopy_pt_cmd-scsi-status-code.patch
--- /dev/null
+From 926317de33998c112c5510301868ea9aa34097e2 Mon Sep 17 00:00:00 2001
+From: Dinesh Israni <ddi@datera.io>
+Date: Mon, 10 Oct 2016 20:22:03 -0700
+Subject: target: Don't override EXTENDED_COPY xcopy_pt_cmd SCSI status code
+
+From: Dinesh Israni <ddi@datera.io>
+
+commit 926317de33998c112c5510301868ea9aa34097e2 upstream.
+
+This patch addresses a bug where a local EXTENDED_COPY WRITE or READ
+backend I/O request would always return SAM_STAT_CHECK_CONDITION,
+even if underlying xcopy_pt_cmd->se_cmd generated a different
+SCSI status code.
+
+ESX host environments expect to hit SAM_STAT_RESERVATION_CONFLICT
+for certain scenarios, and SAM_STAT_CHECK_CONDITION results in
+non-retriable status for these cases.
+
+Tested on v4.1.y with ESX v5.5u2+ with local IBLOCK backend copy.
+
+Reported-by: Nixon Vincent <nixon.vincent@calsoftinc.com>
+Tested-by: Nixon Vincent <nixon.vincent@calsoftinc.com>
+Cc: Nixon Vincent <nixon.vincent@calsoftinc.com>
+Tested-by: Dinesh Israni <ddi@datera.io>
+Signed-off-by: Dinesh Israni <ddi@datera.io>
+Cc: Dinesh Israni <ddi@datera.io>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_xcopy.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/target/target_core_xcopy.c
++++ b/drivers/target/target_core_xcopy.c
+@@ -662,6 +662,7 @@ static int target_xcopy_read_source(
+ rc = target_xcopy_setup_pt_cmd(xpt_cmd, xop, src_dev, &cdb[0],
+ remote_port, true);
+ if (rc < 0) {
++ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status;
+ transport_generic_free_cmd(se_cmd, 0);
+ return rc;
+ }
+@@ -673,6 +674,7 @@ static int target_xcopy_read_source(
+
+ rc = target_xcopy_issue_pt_cmd(xpt_cmd);
+ if (rc < 0) {
++ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status;
+ transport_generic_free_cmd(se_cmd, 0);
+ return rc;
+ }
+@@ -723,6 +725,7 @@ static int target_xcopy_write_destinatio
+ remote_port, false);
+ if (rc < 0) {
+ struct se_cmd *src_cmd = &xop->src_pt_cmd->se_cmd;
++ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status;
+ /*
+ * If the failure happened before the t_mem_list hand-off in
+ * target_xcopy_setup_pt_cmd(), Reset memory + clear flag so that
+@@ -738,6 +741,7 @@ static int target_xcopy_write_destinatio
+
+ rc = target_xcopy_issue_pt_cmd(xpt_cmd);
+ if (rc < 0) {
++ ec_cmd->scsi_status = xpt_cmd->se_cmd.scsi_status;
+ se_cmd->se_cmd_flags &= ~SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC;
+ transport_generic_free_cmd(se_cmd, 0);
+ return rc;
+@@ -824,10 +828,14 @@ static void target_xcopy_do_work(struct
+ out:
+ xcopy_pt_undepend_remotedev(xop);
+ kfree(xop);
+-
+- pr_warn_ratelimited("target_xcopy_do_work: rc: %d, Setting X-COPY CHECK_CONDITION"
+- " -> sending response\n", rc);
+- ec_cmd->scsi_status = SAM_STAT_CHECK_CONDITION;
++ /*
++ * Don't override an error scsi status if it has already been set
++ */
++ if (ec_cmd->scsi_status == SAM_STAT_GOOD) {
++ pr_warn_ratelimited("target_xcopy_do_work: rc: %d, Setting X-COPY"
++ " CHECK_CONDITION -> sending response\n", rc);
++ ec_cmd->scsi_status = SAM_STAT_CHECK_CONDITION;
++ }
+ target_complete_cmd(ec_cmd, SAM_STAT_CHECK_CONDITION);
+ }
+
--- /dev/null
+From 449a137846c84829a328757cd21fd9ca65c08519 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Sat, 8 Oct 2016 17:26:44 -0700
+Subject: target: Make EXTENDED_COPY 0xe4 failure return COPY TARGET DEVICE NOT REACHABLE
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 449a137846c84829a328757cd21fd9ca65c08519 upstream.
+
+This patch addresses a bug where EXTENDED_COPY across multiple LUNs
+results in a CHECK_CONDITION when the source + destination are not
+located on the same physical node.
+
+ESX Host environments expect sense COPY_ABORTED w/ COPY TARGET DEVICE
+NOT REACHABLE to be returned when this occurs, in order to signal
+fallback to local copy method.
+
+As described in section 6.3.3 of spc4r22:
+
+ "If it is not possible to complete processing of a segment because the
+ copy manager is unable to establish communications with a copy target
+ device, because the copy target device does not respond to INQUIRY,
+ or because the data returned in response to INQUIRY indicates
+ an unsupported logical unit, then the EXTENDED COPY command shall be
+ terminated with CHECK CONDITION status, with the sense key set to
+ COPY ABORTED, and the additional sense code set to COPY TARGET DEVICE
+ NOT REACHABLE."
+
+Tested on v4.1.y with ESX v5.5u2+ with BlockCopy across multiple nodes.
+
+Reported-by: Nixon Vincent <nixon.vincent@calsoftinc.com>
+Tested-by: Nixon Vincent <nixon.vincent@calsoftinc.com>
+Cc: Nixon Vincent <nixon.vincent@calsoftinc.com>
+Tested-by: Dinesh Israni <ddi@datera.io>
+Signed-off-by: Dinesh Israni <ddi@datera.io>
+Cc: Dinesh Israni <ddi@datera.io>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c | 7 +++++++
+ drivers/target/target_core_xcopy.c | 22 ++++++++++++++++------
+ include/target/target_core_base.h | 1 +
+ 3 files changed, 24 insertions(+), 6 deletions(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1680,6 +1680,7 @@ void transport_generic_request_failure(s
+ case TCM_LOGICAL_BLOCK_GUARD_CHECK_FAILED:
+ case TCM_LOGICAL_BLOCK_APP_TAG_CHECK_FAILED:
+ case TCM_LOGICAL_BLOCK_REF_TAG_CHECK_FAILED:
++ case TCM_COPY_TARGET_DEVICE_NOT_REACHABLE:
+ break;
+ case TCM_OUT_OF_RESOURCES:
+ sense_reason = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+@@ -2835,6 +2836,12 @@ static const struct sense_info sense_inf
+ .ascq = 0x03, /* LOGICAL BLOCK REFERENCE TAG CHECK FAILED */
+ .add_sector_info = true,
+ },
++ [TCM_COPY_TARGET_DEVICE_NOT_REACHABLE] = {
++ .key = COPY_ABORTED,
++ .asc = 0x0d,
++ .ascq = 0x02, /* COPY TARGET DEVICE NOT REACHABLE */
++
++ },
+ [TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE] = {
+ /*
+ * Returning ILLEGAL REQUEST would cause immediate IO errors on
+--- a/drivers/target/target_core_xcopy.c
++++ b/drivers/target/target_core_xcopy.c
+@@ -104,7 +104,7 @@ static int target_xcopy_locate_se_dev_e4
+ }
+ mutex_unlock(&g_device_mutex);
+
+- pr_err("Unable to locate 0xe4 descriptor for EXTENDED_COPY\n");
++ pr_debug_ratelimited("Unable to locate 0xe4 descriptor for EXTENDED_COPY\n");
+ return -EINVAL;
+ }
+
+@@ -185,7 +185,7 @@ static int target_xcopy_parse_tiddesc_e4
+
+ static int target_xcopy_parse_target_descriptors(struct se_cmd *se_cmd,
+ struct xcopy_op *xop, unsigned char *p,
+- unsigned short tdll)
++ unsigned short tdll, sense_reason_t *sense_ret)
+ {
+ struct se_device *local_dev = se_cmd->se_dev;
+ unsigned char *desc = p;
+@@ -193,6 +193,8 @@ static int target_xcopy_parse_target_des
+ unsigned short start = 0;
+ bool src = true;
+
++ *sense_ret = TCM_INVALID_PARAMETER_LIST;
++
+ if (offset != 0) {
+ pr_err("XCOPY target descriptor list length is not"
+ " multiple of %d\n", XCOPY_TARGET_DESC_LEN);
+@@ -243,9 +245,16 @@ static int target_xcopy_parse_target_des
+ rc = target_xcopy_locate_se_dev_e4(se_cmd, xop, true);
+ else
+ rc = target_xcopy_locate_se_dev_e4(se_cmd, xop, false);
+-
+- if (rc < 0)
++ /*
++ * If a matching IEEE NAA 0x83 descriptor for the requested device
++ * is not located on this node, return COPY_ABORTED with ASQ/ASQC
++ * 0x0d/0x02 - COPY_TARGET_DEVICE_NOT_REACHABLE to request the
++ * initiator to fall back to normal copy method.
++ */
++ if (rc < 0) {
++ *sense_ret = TCM_COPY_TARGET_DEVICE_NOT_REACHABLE;
+ goto out;
++ }
+
+ pr_debug("XCOPY TGT desc: Source dev: %p NAA IEEE WWN: 0x%16phN\n",
+ xop->src_dev, &xop->src_tid_wwn[0]);
+@@ -816,7 +825,8 @@ out:
+ xcopy_pt_undepend_remotedev(xop);
+ kfree(xop);
+
+- pr_warn("target_xcopy_do_work: Setting X-COPY CHECK_CONDITION -> sending response\n");
++ pr_warn_ratelimited("target_xcopy_do_work: rc: %d, Setting X-COPY CHECK_CONDITION"
++ " -> sending response\n", rc);
+ ec_cmd->scsi_status = SAM_STAT_CHECK_CONDITION;
+ target_complete_cmd(ec_cmd, SAM_STAT_CHECK_CONDITION);
+ }
+@@ -875,7 +885,7 @@ sense_reason_t target_do_xcopy(struct se
+ " tdll: %hu sdll: %u inline_dl: %u\n", list_id, list_id_usage,
+ tdll, sdll, inline_dl);
+
+- rc = target_xcopy_parse_target_descriptors(se_cmd, xop, &p[16], tdll);
++ rc = target_xcopy_parse_target_descriptors(se_cmd, xop, &p[16], tdll, &ret);
+ if (rc <= 0)
+ goto out;
+
+--- a/include/target/target_core_base.h
++++ b/include/target/target_core_base.h
+@@ -180,6 +180,7 @@ enum tcm_sense_reason_table {
+ TCM_LOGICAL_BLOCK_GUARD_CHECK_FAILED = R(0x15),
+ TCM_LOGICAL_BLOCK_APP_TAG_CHECK_FAILED = R(0x16),
+ TCM_LOGICAL_BLOCK_REF_TAG_CHECK_FAILED = R(0x17),
++ TCM_COPY_TARGET_DEVICE_NOT_REACHABLE = R(0x18),
+ #undef R
+ };
+
--- /dev/null
+From 527268df31e57cf2b6d417198717c6d6afdb1e3e Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Tue, 4 Oct 2016 16:37:05 -0700
+Subject: target: Re-add missing SCF_ACK_KREF assignment in v4.1.y
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 527268df31e57cf2b6d417198717c6d6afdb1e3e upstream.
+
+This patch fixes a regression in >= v4.1.y code where the original
+SCF_ACK_KREF assignment in target_get_sess_cmd() was dropped upstream
+in commit 054922bb, but the series for addressing TMR ABORT_TASK +
+LUN_RESET with fabric session reinstatement in commit febe562c20 still
+depends on this code in transport_cmd_finish_abort().
+
+The regression manifests itself as a se_cmd->cmd_kref +1 leak, where
+ABORT_TASK + LUN_RESET can hang indefinately for a specific I_T session
+for drivers using SCF_ACK_KREF, resulting in hung kthreads.
+
+This patch has been verified with v4.1.y code.
+
+Reported-by: Vaibhav Tandon <vst@datera.io>
+Tested-by: Vaibhav Tandon <vst@datera.io>
+Cc: Vaibhav Tandon <vst@datera.io>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -2509,8 +2509,10 @@ int target_get_sess_cmd(struct se_cmd *s
+ * fabric acknowledgement that requires two target_put_sess_cmd()
+ * invocations before se_cmd descriptor release.
+ */
+- if (ack_kref)
++ if (ack_kref) {
+ kref_get(&se_cmd->cmd_kref);
++ se_cmd->se_cmd_flags |= SCF_ACK_KREF;
++ }
+
+ spin_lock_irqsave(&se_sess->sess_cmd_lock, flags);
+ if (se_sess->sess_tearing_down) {
--- /dev/null
+From c83ed4c9dbb358b9e7707486e167e940d48bfeed Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Wed, 19 Oct 2016 12:43:07 +0200
+Subject: ubifs: Abort readdir upon error
+
+From: Richard Weinberger <richard@nod.at>
+
+commit c83ed4c9dbb358b9e7707486e167e940d48bfeed upstream.
+
+If UBIFS is facing an error while walking a directory, it reports this
+error and ubifs_readdir() returns the error code. But the VFS readdir
+logic does not make the getdents system call fail in all cases. When the
+readdir cursor indicates that more entries are present, the system call
+will just return and the libc wrapper will try again since it also
+knows that more entries are present.
+This causes the libc wrapper to busy loop for ever when a directory is
+corrupted on UBIFS.
+A common approach do deal with corrupted directory entries is
+skipping them by setting the cursor to the next entry. On UBIFS this
+approach is not possible since we cannot compute the next directory
+entry cursor position without reading the current entry. So all we can
+do is setting the cursor to the "no more entries" position and make
+getdents exit.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/dir.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -350,7 +350,7 @@ static unsigned int vfs_dent_type(uint8_
+ */
+ static int ubifs_readdir(struct file *file, struct dir_context *ctx)
+ {
+- int err;
++ int err = 0;
+ struct qstr nm;
+ union ubifs_key key;
+ struct ubifs_dent_node *dent;
+@@ -452,14 +452,12 @@ out:
+ kfree(file->private_data);
+ file->private_data = NULL;
+
+- if (err != -ENOENT) {
++ if (err != -ENOENT)
+ ubifs_err(c, "cannot find next direntry, error %d", err);
+- return err;
+- }
+
+ /* 2 is a special value indicating that there are no more direntries */
+ ctx->pos = 2;
+- return 0;
++ return err;
+ }
+
+ /* Free saved readdir() state when the directory is closed */
--- /dev/null
+From 843741c5778398ea67055067f4cc65ae6c80ca0e Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Tue, 20 Sep 2016 10:08:30 +0200
+Subject: ubifs: Fix xattr_names length in exit paths
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 843741c5778398ea67055067f4cc65ae6c80ca0e upstream.
+
+When the operation fails we also have to undo the changes
+we made to ->xattr_names. Otherwise listxattr() will report
+wrong lengths.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/xattr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ubifs/xattr.c
++++ b/fs/ubifs/xattr.c
+@@ -173,6 +173,7 @@ out_cancel:
+ host_ui->xattr_cnt -= 1;
+ host_ui->xattr_size -= CALC_DENT_SIZE(nm->len);
+ host_ui->xattr_size -= CALC_XATTR_BYTES(size);
++ host_ui->xattr_names -= nm->len;
+ mutex_unlock(&host_ui->ui_mutex);
+ out_free:
+ make_bad_inode(inode);
+@@ -533,6 +534,7 @@ out_cancel:
+ host_ui->xattr_cnt += 1;
+ host_ui->xattr_size += CALC_DENT_SIZE(nm->len);
+ host_ui->xattr_size += CALC_XATTR_BYTES(ui->data_len);
++ host_ui->xattr_names += nm->len;
+ mutex_unlock(&host_ui->ui_mutex);
+ ubifs_release_budget(c, &req);
+ make_bad_inode(inode);
projects / thirdparty / kernel / stable-queue.git / commitdiff
