--- /dev/null
+From bb98e72adaf9d19719aba35f802d4836f5d5176c Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 2 Dec 2016 15:29:04 +0100
+Subject: drm/i915/dsi: Do not clear DPOUNIT_CLOCK_GATE_DISABLE from vlv_init_display_clock_gating
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit bb98e72adaf9d19719aba35f802d4836f5d5176c upstream.
+
+On my Cherrytrail CUBE iwork8 Air tablet PIPE-A would get stuck on loading
+i915 at boot 1 out of every 3 boots, resulting in a non functional LCD.
+Once the i915 driver has successfully loaded, the panel can be disabled /
+enabled without hitting this issue.
+
+The getting stuck is caused by vlv_init_display_clock_gating() clearing
+the DPOUNIT_CLOCK_GATE_DISABLE bit in DSPCLK_GATE_D when called from
+chv_pipe_power_well_ops.enable() on driver load, while a pipe is enabled
+driving the DSI LCD by the BIOS.
+
+Clearing this bit while DSI is in use is a known issue and
+intel_dsi_pre_enable() / intel_dsi_post_disable() already set / clear it
+as appropriate.
+
+This commit modifies vlv_init_display_clock_gating() to leave the
+DPOUNIT_CLOCK_GATE_DISABLE bit alone fixing the pipe getting stuck.
+
+Changes in v2:
+-Replace PIPE-A with "a pipe" or "the pipe" in the commit msg and
+comment
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97330
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20161202142904.25613-1-hdegoede@redhat.com
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+(cherry picked from commit 721d484563e1a51ada760089c490cbc47e909756)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_runtime_pm.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_runtime_pm.c
++++ b/drivers/gpu/drm/i915/intel_runtime_pm.c
+@@ -1062,7 +1062,18 @@ static bool vlv_power_well_enabled(struc
+
+ static void vlv_init_display_clock_gating(struct drm_i915_private *dev_priv)
+ {
+- I915_WRITE(DSPCLK_GATE_D, VRHUNIT_CLOCK_GATE_DISABLE);
++ u32 val;
++
++ /*
++ * On driver load, a pipe may be active and driving a DSI display.
++ * Preserve DPOUNIT_CLOCK_GATE_DISABLE to avoid the pipe getting stuck
++ * (and never recovering) in this case. intel_dsi_post_disable() will
++ * clear it when we turn off the display.
++ */
++ val = I915_READ(DSPCLK_GATE_D);
++ val &= DPOUNIT_CLOCK_GATE_DISABLE;
++ val |= VRHUNIT_CLOCK_GATE_DISABLE;
++ I915_WRITE(DSPCLK_GATE_D, val);
+
+ /*
+ * Disable trickle feed and enable pnd deadline calculation
--- /dev/null
+From 22ca0d4991169b76e753d767a45f1105c356bbb8 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 1 Dec 2016 21:29:09 +0100
+Subject: drm/i915/dsi: Fix chv_exec_gpio disabling the GPIOs it is setting
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 22ca0d4991169b76e753d767a45f1105c356bbb8 upstream.
+
+Set the CHV_GPIO_GPIOEN bit when updating GPIOs from chv_exec_gpio.
+
+Fixes: a0a6d4ffd2ad ("drm/i915/dsi: add support for gpio elements on CHV")
+Cc: Jani Nikula <jani.nikula@intel.com>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20161201202925.12220-3-hdegoede@redhat.com
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+(cherry picked from commit b2b45fcd921e864a5e9bbc7aa55dee96d5e11c06)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_dsi_panel_vbt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_dsi_panel_vbt.c
++++ b/drivers/gpu/drm/i915/intel_dsi_panel_vbt.c
+@@ -296,7 +296,8 @@ static void chv_exec_gpio(struct drm_i91
+ mutex_lock(&dev_priv->sb_lock);
+ vlv_iosf_sb_write(dev_priv, port, cfg1, 0);
+ vlv_iosf_sb_write(dev_priv, port, cfg0,
+- CHV_GPIO_GPIOCFG_GPO | CHV_GPIO_GPIOTXSTATE(value));
++ CHV_GPIO_GPIOEN | CHV_GPIO_GPIOCFG_GPO |
++ CHV_GPIO_GPIOTXSTATE(value));
+ mutex_unlock(&dev_priv->sb_lock);
+ }
+
--- /dev/null
+From 91c42b72f8e8b45961ff05a05009b644e6316ca2 Mon Sep 17 00:00:00 2001
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+Date: Fri, 11 Nov 2016 10:55:41 -0600
+Subject: i40iw: Use correct src address in memcpy to rdma stats counters
+
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+
+commit 91c42b72f8e8b45961ff05a05009b644e6316ca2 upstream.
+
+hw_stats is a pointer to i40_iw_dev_stats struct in i40iw_get_hw_stats().
+Use hw_stats and not &hw_stats in the memcpy to copy the i40iw device stats
+data into rdma_hw_stats counters.
+
+Fixes: b40f4757daa1 ("IB/core: Make device counter infrastructure dynamic")
+
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Faisal Latif <faisal.latif@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/i40iw/i40iw_verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c
+@@ -2501,7 +2501,7 @@ static int i40iw_get_hw_stats(struct ib_
+ return -ENOSYS;
+ }
+
+- memcpy(&stats->value[0], &hw_stats, sizeof(*hw_stats));
++ memcpy(&stats->value[0], hw_stats, sizeof(*hw_stats));
+
+ return stats->num_counters;
+ }
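Review bot: The corrected `memcpy` in i40iw_get_hw_stats() still sizes the copy by the source (`sizeof(*hw_stats)`), and nothing in the hunk ties that length to the capacity of `stats->value[]`. The old `&hw_stats` form read from the location of the pointer variable rather than the struct it points to, so the counters were presumably filled with unrelated kernel memory; that makes this an information-exposure fix as well as a correctness one. Consider a guard before the copy, such as `if (stats->num_counters * sizeof(stats->value[0]) < sizeof(*hw_stats)) return -EINVAL;`, or a build-time assertion if both sizes are constant. The function starts outside the hunk, so an existing check may already cover this.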
--- /dev/null
+From 79e51b5c2deea542b3bb8c66e0d502230b017dde Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Thu, 24 Nov 2016 22:10:23 +0000
+Subject: kconfig/nconf: Fix hang when editing symbol with a long prompt
+
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+
+commit 79e51b5c2deea542b3bb8c66e0d502230b017dde upstream.
+
+Currently it is impossible to edit the value of a config symbol with a
+prompt longer than (terminal width - 2) characters. dialog_inputbox()
+calculates a negative x-offset for the input window and newwin() fails
+as this is invalid. It also doesn't check for this failure, so it
+busy-loops calling wgetch(NULL) which immediately returns -1.
+
+The additions in the offset calculations also don't match the intended
+size of the window.
+
+Limit the window size and calculate the offset similarly to
+show_scroll_win().
+
+Fixes: 692d97c380c6 ("kconfig: new configuration interface (nconfig)")
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/kconfig/nconf.gui.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/scripts/kconfig/nconf.gui.c
++++ b/scripts/kconfig/nconf.gui.c
+@@ -364,12 +364,14 @@ int dialog_inputbox(WINDOW *main_window,
+ WINDOW *prompt_win;
+ WINDOW *form_win;
+ PANEL *panel;
+- int i, x, y;
++ int i, x, y, lines, columns, win_lines, win_cols;
+ int res = -1;
+ int cursor_position = strlen(init);
+ int cursor_form_win;
+ char *result = *resultp;
+
++ getmaxyx(stdscr, lines, columns);
++
+ if (strlen(init)+1 > *result_len) {
+ *result_len = strlen(init)+1;
+ *resultp = result = realloc(result, *result_len);
+@@ -386,14 +388,19 @@ int dialog_inputbox(WINDOW *main_window,
+ if (title)
+ prompt_width = max(prompt_width, strlen(title));
+
++ win_lines = min(prompt_lines+6, lines-2);
++ win_cols = min(prompt_width+7, columns-2);
++ prompt_lines = max(win_lines-6, 0);
++ prompt_width = max(win_cols-7, 0);
++
+ /* place dialog in middle of screen */
+- y = (getmaxy(stdscr)-(prompt_lines+4))/2;
+- x = (getmaxx(stdscr)-(prompt_width+4))/2;
++ y = (lines-win_lines)/2;
++ x = (columns-win_cols)/2;
+
+ strncpy(result, init, *result_len);
+
+ /* create the windows */
+- win = newwin(prompt_lines+6, prompt_width+7, y, x);
++ win = newwin(win_lines, win_cols, y, x);
+ prompt_win = derwin(win, prompt_lines+1, prompt_width, 2, 2);
+ form_win = derwin(win, 1, prompt_width, prompt_lines+3, 2);
+ keypad(form_win, TRUE);
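Review bot: The return value of `newwin()` is still not checked after the clamp, so the failure described in the commit message (a NULL window followed by a `wgetch(NULL)` busy loop) remains reachable whenever the computed geometry is invalid. `win_lines = min(prompt_lines+6, lines-2)` and `win_cols = min(prompt_width+7, columns-2)` can go negative on a terminal with fewer than two rows or columns, and `derwin()` is then called on whatever `newwin()` returned. A guard right after the call, e.g. `if (!win) return res;`, would make the function fail instead of spinning. The rest of dialog_inputbox() is outside the hunk, so any cleanup needed before returning has to be checked there.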
--- /dev/null
+From 5c056fdc5b474329037f2aa18401bd73033e0ce0 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Fri, 2 Dec 2016 16:35:09 +0100
+Subject: libceph: verify authorize reply on connect
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 5c056fdc5b474329037f2aa18401bd73033e0ce0 upstream.
+
+After sending an authorizer (ceph_x_authorize_a + ceph_x_authorize_b),
+the client gets back a ceph_x_authorize_reply, which it is supposed to
+verify to ensure the authenticity and protect against replay attacks.
+The code for doing this is there (ceph_x_verify_authorizer_reply(),
+ceph_auth_verify_authorizer_reply() + plumbing), but it is never
+invoked by the the messenger.
+
+AFAICT this goes back to 2009, when ceph authentication protocols
+support was added to the kernel client in 4e7a5dcd1bba ("ceph:
+negotiate authentication protocol; implement AUTH_NONE protocol").
+
+The second param of ceph_connection_operations::verify_authorizer_reply
+is unused all the way down. Pass 0 to facilitate backporting, and kill
+it in the next commit.
+
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Sage Weil <sage@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/messenger.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -2027,6 +2027,19 @@ static int process_connect(struct ceph_c
+
+ dout("process_connect on %p tag %d\n", con, (int)con->in_tag);
+
++ if (con->auth_reply_buf) {
++ /*
++ * Any connection that defines ->get_authorizer()
++ * should also define ->verify_authorizer_reply().
++ * See get_connect_authorizer().
++ */
++ ret = con->ops->verify_authorizer_reply(con, 0);
++ if (ret < 0) {
++ con->error_msg = "bad authorize reply";
++ return ret;
++ }
++ }
++
+ switch (con->in_reply.tag) {
+ case CEPH_MSGR_TAG_FEATURES:
+ pr_err("%s%lld %s feature set mismatch,"
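Review bot: The verification in process_connect() runs before `switch (con->in_reply.tag)`, so it applies to every reply tag whenever `con->auth_reply_buf` is set, including replies that may carry no authorizer payload. If the peer can answer with a failure tag and an empty authorize reply, `verify_authorizer_reply()` would presumably check stale buffer contents, fail, and return with `bad authorize reply` before the tag-specific handling below runs. Consider gating the call on the reply actually containing an authorizer, for example on a non-zero `con->in_reply.authorizer_len` if that is the length field this header carries. The call also goes through `con->ops->verify_authorizer_reply` with no NULL check and relies only on the convention stated in the comment; a `WARN_ON` for a missing callback would turn a violation into a visible warning rather than an oops.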
--- /dev/null
+From af7d9f0c57941b465043681cb5c3410f7f3f1a41 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Sat, 10 Dec 2016 08:12:05 -0800
+Subject: libnvdimm, pfn: fix align attribute
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit af7d9f0c57941b465043681cb5c3410f7f3f1a41 upstream.
+
+Fix the format specifier so that the attribute can be parsed correctly.
+Currently it returns decimal 1000 for a 4096-byte alignment.
+
+Reported-by: Dave Jiang <dave.jiang@intel.com>
+Fixes: 315c562536c4 ("libnvdimm, pfn: add 'align' attribute, default to HPAGE_SIZE")
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/pfn_devs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvdimm/pfn_devs.c
++++ b/drivers/nvdimm/pfn_devs.c
+@@ -108,7 +108,7 @@ static ssize_t align_show(struct device
+ {
+ struct nd_pfn *nd_pfn = to_nd_pfn_safe(dev);
+
+- return sprintf(buf, "%lx\n", nd_pfn->align);
++ return sprintf(buf, "%ld\n", nd_pfn->align);
+ }
+
+ static ssize_t __align_store(struct nd_pfn *nd_pfn, const char *buf)
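Review bot: `%ld` in align_show() prints the value as signed; if `nd_pfn->align` is an unsigned long (its declaration is not in the hunk), `%lu` is the matching specifier: `return sprintf(buf, "%lu\n", nd_pfn->align);`. The output is identical for any realistic alignment, so this is a type-correctness point rather than a behaviour change.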
--- /dev/null
+From 8354491c9d5b06709384cea91d13019bf5e61449 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Date: Wed, 21 Dec 2016 11:28:49 +0100
+Subject: net: mvpp2: fix dma unmapping of TX buffers for fragments
+
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+commit 8354491c9d5b06709384cea91d13019bf5e61449 upstream.
+
+Since commit 71ce391dfb784 ("net: mvpp2: enable proper per-CPU TX
+buffers unmapping"), we are not correctly DMA unmapping TX buffers for
+fragments.
+
+Indeed, the mvpp2_txq_inc_put() function only stores in the
+txq_cpu->tx_buffs[] array the physical address of the buffer to be
+DMA-unmapped when skb != NULL. In addition, when DMA-unmapping, we use
+skb_headlen(skb) to get the size to be unmapped. Both of this works fine
+for TX descriptors that are associated directly to a SKB, but not the
+ones that are used for fragments, with a NULL pointer as skb:
+
+ - We have a NULL physical address when calling DMA unmap
+ - skb_headlen(skb) crashes because skb is NULL
+
+This causes random crashes when fragments are used.
+
+To solve this problem, we need to:
+
+ - Store the physical address of the buffer to be unmapped
+ unconditionally, regardless of whether it is tied to a SKB or not.
+
+ - Store the length of the buffer to be unmapped, which requires a new
+ field.
+
+Instead of adding a third array to store the length of the buffer to be
+unmapped, and as suggested by David Miller, this commit refactors the
+tx_buffs[] and tx_skb[] arrays of 'struct mvpp2_txq_pcpu' into a
+separate structure 'mvpp2_txq_pcpu_buf', to which a 'size' field is
+added. Therefore, instead of having three arrays to allocate/free, we
+have a single one, which also improve data locality, reducing the
+impact on the CPU cache.
+
+Fixes: 71ce391dfb784 ("net: mvpp2: enable proper per-CPU TX buffers unmapping")
+Reported-by: Raphael G <raphael.glon@corp.ovh.com>
+Cc: Raphael G <raphael.glon@corp.ovh.com>
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/marvell/mvpp2.c | 59 +++++++++++++++++------------------
+ 1 file changed, 30 insertions(+), 29 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvpp2.c
++++ b/drivers/net/ethernet/marvell/mvpp2.c
+@@ -770,6 +770,17 @@ struct mvpp2_rx_desc {
+ u32 reserved8;
+ };
+
++struct mvpp2_txq_pcpu_buf {
++ /* Transmitted SKB */
++ struct sk_buff *skb;
++
++ /* Physical address of transmitted buffer */
++ dma_addr_t phys;
++
++ /* Size transmitted */
++ size_t size;
++};
++
+ /* Per-CPU Tx queue control */
+ struct mvpp2_txq_pcpu {
+ int cpu;
+@@ -785,11 +796,8 @@ struct mvpp2_txq_pcpu {
+ /* Number of Tx DMA descriptors reserved for each CPU */
+ int reserved_num;
+
+- /* Array of transmitted skb */
+- struct sk_buff **tx_skb;
+-
+- /* Array of transmitted buffers' physical addresses */
+- dma_addr_t *tx_buffs;
++ /* Infos about transmitted buffers */
++ struct mvpp2_txq_pcpu_buf *buffs;
+
+ /* Index of last TX DMA descriptor that was inserted */
+ int txq_put_index;
+@@ -979,10 +987,11 @@ static void mvpp2_txq_inc_put(struct mvp
+ struct sk_buff *skb,
+ struct mvpp2_tx_desc *tx_desc)
+ {
+- txq_pcpu->tx_skb[txq_pcpu->txq_put_index] = skb;
+- if (skb)
+- txq_pcpu->tx_buffs[txq_pcpu->txq_put_index] =
+- tx_desc->buf_phys_addr;
++ struct mvpp2_txq_pcpu_buf *tx_buf =
++ txq_pcpu->buffs + txq_pcpu->txq_put_index;
++ tx_buf->skb = skb;
++ tx_buf->size = tx_desc->data_size;
++ tx_buf->phys = tx_desc->buf_phys_addr;
+ txq_pcpu->txq_put_index++;
+ if (txq_pcpu->txq_put_index == txq_pcpu->size)
+ txq_pcpu->txq_put_index = 0;
+@@ -4401,17 +4410,16 @@ static void mvpp2_txq_bufs_free(struct m
+ int i;
+
+ for (i = 0; i < num; i++) {
+- dma_addr_t buf_phys_addr =
+- txq_pcpu->tx_buffs[txq_pcpu->txq_get_index];
+- struct sk_buff *skb = txq_pcpu->tx_skb[txq_pcpu->txq_get_index];
++ struct mvpp2_txq_pcpu_buf *tx_buf =
++ txq_pcpu->buffs + txq_pcpu->txq_get_index;
+
+ mvpp2_txq_inc_get(txq_pcpu);
+
+- dma_unmap_single(port->dev->dev.parent, buf_phys_addr,
+- skb_headlen(skb), DMA_TO_DEVICE);
+- if (!skb)
++ dma_unmap_single(port->dev->dev.parent, tx_buf->phys,
++ tx_buf->size, DMA_TO_DEVICE);
++ if (!tx_buf->skb)
+ continue;
+- dev_kfree_skb_any(skb);
++ dev_kfree_skb_any(tx_buf->skb);
+ }
+ }
+
+@@ -4651,15 +4659,10 @@ static int mvpp2_txq_init(struct mvpp2_p
+ for_each_present_cpu(cpu) {
+ txq_pcpu = per_cpu_ptr(txq->pcpu, cpu);
+ txq_pcpu->size = txq->size;
+- txq_pcpu->tx_skb = kmalloc(txq_pcpu->size *
+- sizeof(*txq_pcpu->tx_skb),
+- GFP_KERNEL);
+- if (!txq_pcpu->tx_skb)
+- goto error;
+-
+- txq_pcpu->tx_buffs = kmalloc(txq_pcpu->size *
+- sizeof(dma_addr_t), GFP_KERNEL);
+- if (!txq_pcpu->tx_buffs)
++ txq_pcpu->buffs = kmalloc(txq_pcpu->size *
++ sizeof(struct mvpp2_txq_pcpu_buf),
++ GFP_KERNEL);
++ if (!txq_pcpu->buffs)
+ goto error;
+
+ txq_pcpu->count = 0;
+@@ -4673,8 +4676,7 @@ static int mvpp2_txq_init(struct mvpp2_p
+ error:
+ for_each_present_cpu(cpu) {
+ txq_pcpu = per_cpu_ptr(txq->pcpu, cpu);
+- kfree(txq_pcpu->tx_skb);
+- kfree(txq_pcpu->tx_buffs);
++ kfree(txq_pcpu->buffs);
+ }
+
+ dma_free_coherent(port->dev->dev.parent,
+@@ -4693,8 +4695,7 @@ static void mvpp2_txq_deinit(struct mvpp
+
+ for_each_present_cpu(cpu) {
+ txq_pcpu = per_cpu_ptr(txq->pcpu, cpu);
+- kfree(txq_pcpu->tx_skb);
+- kfree(txq_pcpu->tx_buffs);
++ kfree(txq_pcpu->buffs);
+ }
+
+ if (txq->descs)
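Review bot: In mvpp2_txq_init() the new allocation multiplies `txq_pcpu->size` by the element size by hand. `kmalloc_array()` does the same allocation with an overflow check, and `sizeof(*txq_pcpu->buffs)` keeps the element type tied to the pointer: `txq_pcpu->buffs = kmalloc_array(txq_pcpu->size, sizeof(*txq_pcpu->buffs), GFP_KERNEL);`. The array is also left uninitialised, so mvpp2_txq_bufs_free() depends on mvpp2_txq_inc_put() having written every slot between the get and put indices before `tx_buf->phys` and `tx_buf->size` reach `dma_unmap_single()`. A one-line comment on `struct mvpp2_txq_pcpu_buf` saying that `skb` is NULL for fragment descriptors while `phys` and `size` are always valid would record the invariant this fix introduces. Both functions extend beyond the hunks shown.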
--- /dev/null
+From c0cf3ef5e0f47e385920450b245d22bead93e7ad Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Mon, 5 Sep 2016 21:42:32 -0400
+Subject: nfs_write_end(): fix handling of short copies
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit c0cf3ef5e0f47e385920450b245d22bead93e7ad upstream.
+
+What matters when deciding if we should make a page uptodate is
+not how much we _wanted_ to copy, but how much we actually have
+copied. As it is, on architectures that do not zero tail on
+short copy we can leave uninitialized data in page marked uptodate.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/file.c
++++ b/fs/nfs/file.c
+@@ -397,7 +397,7 @@ static int nfs_write_end(struct file *fi
+ */
+ if (!PageUptodate(page)) {
+ unsigned pglen = nfs_page_length(page);
+- unsigned end = offset + len;
++ unsigned end = offset + copied;
+
+ if (pglen == 0) {
+ zero_user_segments(page, 0, offset,
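Review bot: The switch from `len` to `copied` in nfs_write_end() is the whole fix, but the line gives no hint of why, and the difference decides whether bytes that were never written end up in a page marked uptodate. A short comment above the declaration would keep a later cleanup from reverting it, e.g. `/* use the bytes actually copied: a short copy leaves [offset+copied, offset+len) unwritten */`. The function starts and ends outside the hunk.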
--- /dev/null
+From 6496ebd7edf446fccf8266a1a70ffcb64252593e Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 21 Oct 2016 16:45:38 -0400
+Subject: PCI: Check for PME in targeted sleep state
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 6496ebd7edf446fccf8266a1a70ffcb64252593e upstream.
+
+One some systems, the firmware does not allow certain PCI devices to be put
+in deep D-states. This can cause problems for wakeup signalling, if the
+device does not support PME# in the deepest allowed suspend state. For
+example, Pierre reports that on his system, ACPI does not permit his xHCI
+host controller to go into D3 during runtime suspend -- but D3 is the only
+state in which the controller can generate PME# signals. As a result, the
+controller goes into runtime suspend but never wakes up, so it doesn't work
+properly. USB devices plugged into the controller are never detected.
+
+If the device relies on PME# for wakeup signals but is not capable of
+generating PME# in the target state, the PCI core should accurately report
+that it cannot do wakeup from runtime suspend. This patch modifies the
+pci_dev_run_wake() routine to add this check.
+
+Reported-by: Pierre de Villemereuil <flyos@mailoo.org>
+Tested-by: Pierre de Villemereuil <flyos@mailoo.org>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+CC: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -2064,6 +2064,10 @@ bool pci_dev_run_wake(struct pci_dev *de
+ if (!dev->pme_support)
+ return false;
+
++ /* PME-capable in principle, but not from the intended sleep state */
++ if (!pci_pme_capable(dev, pci_target_state(dev)))
++ return false;
++
+ while (bus->parent) {
+ struct pci_dev *bridge = bus->self;
+
--- /dev/null
+From ae5a459d5f65c3e83f3e14068dde5fb9c9d81807 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Mon, 14 Nov 2016 14:34:18 -0500
+Subject: pNFS: Clear NFS_LAYOUT_RETURN_REQUESTED when invalidating the layout stateid
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit ae5a459d5f65c3e83f3e14068dde5fb9c9d81807 upstream.
+
+We must ensure that we don't schedule a layoutreturn if the layout stateid
+has been marked as invalid.
+
+Fixes: 2a59a0411671e ("pNFS: Fix pnfs_set_layout_stateid() to clear...")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pnfs.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -252,6 +252,14 @@ pnfs_put_layout_hdr(struct pnfs_layout_h
+ }
+ }
+
++static void
++pnfs_clear_layoutreturn_info(struct pnfs_layout_hdr *lo)
++{
++ lo->plh_return_iomode = 0;
++ lo->plh_return_seq = 0;
++ clear_bit(NFS_LAYOUT_RETURN_REQUESTED, &lo->plh_flags);
++}
++
+ /*
+ * Mark a pnfs_layout_hdr and all associated layout segments as invalid
+ *
+@@ -270,6 +278,7 @@ pnfs_mark_layout_stateid_invalid(struct
+ };
+
+ set_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags);
++ pnfs_clear_layoutreturn_info(lo);
+ return pnfs_mark_matching_lsegs_invalid(lo, lseg_list, &range, 0);
+ }
+
+@@ -771,14 +780,6 @@ pnfs_destroy_all_layouts(struct nfs_clie
+ pnfs_destroy_layouts_byclid(clp, false);
+ }
+
+-static void
+-pnfs_clear_layoutreturn_info(struct pnfs_layout_hdr *lo)
+-{
+- lo->plh_return_iomode = 0;
+- lo->plh_return_seq = 0;
+- clear_bit(NFS_LAYOUT_RETURN_REQUESTED, &lo->plh_flags);
+-}
+-
+ /* update lo->plh_stateid with new if is more recent */
+ void
+ pnfs_set_layout_stateid(struct pnfs_layout_hdr *lo, const nfs4_stateid *new,
--- /dev/null
+From 7b650994ab07434ae58a247dc9ac87d2488ca75c Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Mon, 14 Nov 2016 13:10:48 -0500
+Subject: pNFS: Don't clear the layout stateid if a layout return is outstanding
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 7b650994ab07434ae58a247dc9ac87d2488ca75c upstream.
+
+If we no longer hold any layout segments, we're normally expected to
+consider the layout stateid to be invalid. However we cannot assume this
+if we're about to, or in the process of sending a layoutreturn.
+
+Fixes: 334a8f37115b ("pNFS: Don't forget the layout stateid if...")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pnfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -364,7 +364,9 @@ pnfs_layout_remove_lseg(struct pnfs_layo
+ list_del_init(&lseg->pls_list);
+ /* Matched by pnfs_get_layout_hdr in pnfs_layout_insert_lseg */
+ atomic_dec(&lo->plh_refcount);
+- if (list_empty(&lo->plh_segs)) {
++ if (list_empty(&lo->plh_segs) &&
++ !test_bit(NFS_LAYOUT_RETURN_REQUESTED, &lo->plh_flags) &&
++ !test_bit(NFS_LAYOUT_RETURN, &lo->plh_flags)) {
+ if (atomic_read(&lo->plh_outstanding) == 0)
+ set_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags);
+ clear_bit(NFS_LAYOUT_BULK_RECALL, &lo->plh_flags);
--- /dev/null
+From 54e4a0dfa25d9365c4e80a639e80d9213eb6edbe Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Sun, 27 Nov 2016 15:12:39 -0500
+Subject: pNFS: Fix a deadlock between read resends and layoutreturn
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 54e4a0dfa25d9365c4e80a639e80d9213eb6edbe upstream.
+
+We must not call nfs_pageio_init_read() on a new nfs_pageio_descriptor
+while holding a reference to a layout segment, as that can deadlock
+pnfs_update_layout().
+
+Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 4 ++++
+ fs/nfs/pnfs.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -28,6 +28,9 @@
+
+ static struct group_info *ff_zero_group;
+
++static void ff_layout_read_record_layoutstats_done(struct rpc_task *task,
++ struct nfs_pgio_header *hdr);
++
+ static struct pnfs_layout_hdr *
+ ff_layout_alloc_layout_hdr(struct inode *inode, gfp_t gfp_flags)
+ {
+@@ -1293,6 +1296,7 @@ static int ff_layout_read_done_cb(struct
+ hdr->pgio_mirror_idx + 1,
+ &hdr->pgio_mirror_idx))
+ goto out_eagain;
++ ff_layout_read_record_layoutstats_done(task, hdr);
+ pnfs_read_resend_pnfs(hdr);
+ return task->tk_status;
+ case -NFS4ERR_RESET_TO_MDS:
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -2248,6 +2248,10 @@ void pnfs_read_resend_pnfs(struct nfs_pg
+ struct nfs_pageio_descriptor pgio;
+
+ if (!test_and_set_bit(NFS_IOHDR_REDO, &hdr->flags)) {
++ /* Prevent deadlocks with layoutreturn! */
++ pnfs_put_lseg(hdr->lseg);
++ hdr->lseg = NULL;
++
+ nfs_pageio_init_read(&pgio, hdr->inode, false,
+ hdr->completion_ops);
+ hdr->task.tk_status = nfs_pageio_resend(&pgio, hdr);
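Review bot: pnfs_read_resend_pnfs() now drops the segment reference and sets `hdr->lseg = NULL` before the resend, so any code that later runs on this header and reads `hdr->lseg` has to tolerate NULL; the hunks do not show whether the completion and release paths do. The new call to `ff_layout_read_record_layoutstats_done(task, hdr)` in ff_layout_read_done_cb() sits immediately before the resend, presumably because it needs the segment while it is still attached, but nothing at the call site says the order matters. If that is the reason, a comment there such as `/* must run before pnfs_read_resend_pnfs() releases hdr->lseg */` would document the dependency. Both functions continue outside the hunks.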
--- /dev/null
+From 6604b203fb6394ed1f24c21bfa3c207e5ae8e461 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Mon, 17 Oct 2016 17:54:32 -0400
+Subject: pNFS: On error, do not send LAYOUTGET until the LAYOUTRETURN has completed
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 6604b203fb6394ed1f24c21bfa3c207e5ae8e461 upstream.
+
+If there is an I/O error, we should not call LAYOUTGET until the
+LAYOUTRETURN that reports the error is complete.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pnfs.c | 6 +++++-
+ fs/nfs/pnfs.h | 1 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -897,6 +897,7 @@ static void pnfs_clear_layoutcommit(stru
+ void pnfs_clear_layoutreturn_waitbit(struct pnfs_layout_hdr *lo)
+ {
+ clear_bit_unlock(NFS_LAYOUT_RETURN, &lo->plh_flags);
++ clear_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags);
+ smp_mb__after_atomic();
+ wake_up_bit(&lo->plh_flags, NFS_LAYOUT_RETURN);
+ rpc_wake_up(&NFS_SERVER(lo->plh_inode)->roc_rpcwaitq);
+@@ -910,8 +911,9 @@ pnfs_prepare_layoutreturn(struct pnfs_la
+ /* Serialise LAYOUTGET/LAYOUTRETURN */
+ if (atomic_read(&lo->plh_outstanding) != 0)
+ return false;
+- if (test_and_set_bit(NFS_LAYOUT_RETURN, &lo->plh_flags))
++ if (test_and_set_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags))
+ return false;
++ set_bit(NFS_LAYOUT_RETURN, &lo->plh_flags);
+ pnfs_get_layout_hdr(lo);
+ if (test_bit(NFS_LAYOUT_RETURN_REQUESTED, &lo->plh_flags)) {
+ if (stateid != NULL) {
+@@ -1903,6 +1905,8 @@ void pnfs_error_mark_layout_for_return(s
+
+ spin_lock(&inode->i_lock);
+ pnfs_set_plh_return_info(lo, range.iomode, 0);
++ /* Block LAYOUTGET */
++ set_bit(NFS_LAYOUT_RETURN, &lo->plh_flags);
+ /*
+ * mark all matching lsegs so that we are sure to have no live
+ * segments at hand when sending layoutreturn. See pnfs_put_lseg()
+--- a/fs/nfs/pnfs.h
++++ b/fs/nfs/pnfs.h
+@@ -96,6 +96,7 @@ enum {
+ NFS_LAYOUT_RW_FAILED, /* get rw layout failed stop trying */
+ NFS_LAYOUT_BULK_RECALL, /* bulk recall affecting layout */
+ NFS_LAYOUT_RETURN, /* layoutreturn in progress */
++ NFS_LAYOUT_RETURN_LOCK, /* Serialise layoutreturn */
+ NFS_LAYOUT_RETURN_REQUESTED, /* Return this layout ASAP */
+ NFS_LAYOUT_INVALID_STID, /* layout stateid id is invalid */
+ NFS_LAYOUT_FIRST_LAYOUTGET, /* Serialize first layoutget */
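Review bot: pnfs_error_mark_layout_for_return() now sets `NFS_LAYOUT_RETURN` directly, without taking `NFS_LAYOUT_RETURN_LOCK`, and the only place in these hunks that clears it is pnfs_clear_layoutreturn_waitbit(). If no layoutreturn is actually started afterwards, for instance because pnfs_prepare_layoutreturn() returns false at the `plh_outstanding` check, it is not visible here what clears the bit and wakes LAYOUTGET callers waiting on it. Please document at the `set_bit()` which path is guaranteed to clear it. In pnfs_clear_layoutreturn_waitbit() the release-ordered `clear_bit_unlock()` stays on `NFS_LAYOUT_RETURN`, while the bit that now acts as the lock is dropped with a plain `clear_bit()`. A short comment on the intended ordering would help, since `smp_mb__after_atomic()` only orders what follows it.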
--- /dev/null
+From f87f253bac3ce4a4eb2a60a1ae604d74e65f9042 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Thu, 24 Nov 2016 00:02:07 +1100
+Subject: powerpc/64e: Convert cmpi to cmpwi in head_64.S
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit f87f253bac3ce4a4eb2a60a1ae604d74e65f9042 upstream.
+
+From 80f23935cadb ("powerpc: Convert cmp to cmpd in idle enter sequence"):
+
+ PowerPC's "cmp" instruction has four operands. Normally people write
+ "cmpw" or "cmpd" for the second cmp operand 0 or 1. But, frequently
+ people forget, and write "cmp" with just three operands.
+
+ With older binutils this is silently accepted as if this was "cmpw",
+ while often "cmpd" is wanted. With newer binutils GAS will complain
+ about this for 64-bit code. For 32-bit code it still silently assumes
+ "cmpw" is what is meant.
+
+In this case, cmpwi is called for, so this is just a build fix for
+new toolchains.
+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/head_64.S | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/powerpc/kernel/head_64.S
++++ b/arch/powerpc/kernel/head_64.S
+@@ -201,9 +201,9 @@ booting_thread_hwid:
+ */
+ _GLOBAL(book3e_start_thread)
+ LOAD_REG_IMMEDIATE(r5, MSR_KERNEL)
+- cmpi 0, r3, 0
++ cmpwi r3, 0
+ beq 10f
+- cmpi 0, r3, 1
++ cmpwi r3, 1
+ beq 11f
+ /* If the thread id is invalid, just exit. */
+ b 13f
+@@ -228,9 +228,9 @@ _GLOBAL(book3e_start_thread)
+ * r3 = the thread physical id
+ */
+ _GLOBAL(book3e_stop_thread)
+- cmpi 0, r3, 0
++ cmpwi r3, 0
+ beq 10f
+- cmpi 0, r3, 1
++ cmpwi r3, 1
+ beq 10f
+ /* If the thread id is invalid, just exit. */
+ b 13f
--- /dev/null
+From 6dff5b67054e17c91bd630bcdda17cfca5aa4215 Mon Sep 17 00:00:00 2001
+From: Geoff Levand <geoff@infradead.org>
+Date: Tue, 29 Nov 2016 10:47:32 -0800
+Subject: powerpc/ps3: Fix system hang with GCC 5 builds
+
+From: Geoff Levand <geoff@infradead.org>
+
+commit 6dff5b67054e17c91bd630bcdda17cfca5aa4215 upstream.
+
+GCC 5 generates different code for this bootwrapper null check that
+causes the PS3 to hang very early in its bootup. This check is of
+limited value, so just get rid of it.
+
+Signed-off-by: Geoff Levand <geoff@infradead.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/boot/ps3-head.S | 5 -----
+ arch/powerpc/boot/ps3.c | 8 +-------
+ 2 files changed, 1 insertion(+), 12 deletions(-)
+
+--- a/arch/powerpc/boot/ps3-head.S
++++ b/arch/powerpc/boot/ps3-head.S
+@@ -57,11 +57,6 @@ __system_reset_overlay:
+ bctr
+
+ 1:
+- /* Save the value at addr zero for a null pointer write check later. */
+-
+- li r4, 0
+- lwz r3, 0(r4)
+-
+ /* Primary delays then goes to _zimage_start in wrapper. */
+
+ or 31, 31, 31 /* db16cyc */
+--- a/arch/powerpc/boot/ps3.c
++++ b/arch/powerpc/boot/ps3.c
+@@ -119,13 +119,12 @@ void ps3_copy_vectors(void)
+ flush_cache((void *)0x100, 512);
+ }
+
+-void platform_init(unsigned long null_check)
++void platform_init(void)
+ {
+ const u32 heapsize = 0x1000000 - (u32)_end; /* 16MiB */
+ void *chosen;
+ unsigned long ft_addr;
+ u64 rm_size;
+- unsigned long val;
+
+ console_ops.write = ps3_console_write;
+ platform_ops.exit = ps3_exit;
+@@ -153,11 +152,6 @@ void platform_init(unsigned long null_ch
+
+ printf(" flat tree at 0x%lx\n\r", ft_addr);
+
+- val = *(unsigned long *)0;
+-
+- if (val != null_check)
+- printf("null check failed: %lx != %lx\n\r", val, null_check);
+-
+ ((kernel_entry_t)0)(ft_addr, 0, NULL);
+
+ ps3_exit();
media-solo6x10-fix-lockup-by-avoiding-delayed-register-write.patch
v4l-tvp5150-add-missing-break-in-set-control-handler.patch
input-drv260x-fix-input-device-s-parent-assignment.patch
+i40iw-use-correct-src-address-in-memcpy-to-rdma-stats-counters.patch
+pci-check-for-pme-in-targeted-sleep-state.patch
+libceph-verify-authorize-reply-on-connect.patch
+nfs_write_end-fix-handling-of-short-copies.patch
+pnfs-on-error-do-not-send-layoutget-until-the-layoutreturn-has-completed.patch
+pnfs-don-t-clear-the-layout-stateid-if-a-layout-return-is-outstanding.patch
+pnfs-clear-nfs_layout_return_requested-when-invalidating-the-layout-stateid.patch
+pnfs-fix-a-deadlock-between-read-resends-and-layoutreturn.patch
+sunrpc-fix-refcounting-problems-with-auth_gss-messages.patch
+powerpc-64e-convert-cmpi-to-cmpwi-in-head_64.s.patch
+powerpc-ps3-fix-system-hang-with-gcc-5-builds.patch
+libnvdimm-pfn-fix-align-attribute.patch
+target-user-fix-use-after-free-of-tcmu_cmds-if-they-are-expired.patch
+kconfig-nconf-fix-hang-when-editing-symbol-with-a-long-prompt.patch
+sg_write-bsg_write-is-not-fit-to-be-called-under-kernel_ds.patch
+net-mvpp2-fix-dma-unmapping-of-tx-buffers-for-fragments.patch
+drm-i915-dsi-fix-chv_exec_gpio-disabling-the-gpios-it-is-setting.patch
+drm-i915-dsi-do-not-clear-dpounit_clock_gate_disable-from-vlv_init_display_clock_gating.patch
--- /dev/null
+From 128394eff343fc6d2f32172f03e24829539c5835 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 16 Dec 2016 13:42:06 -0500
+Subject: sg_write()/bsg_write() is not fit to be called under KERNEL_DS
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 128394eff343fc6d2f32172f03e24829539c5835 upstream.
+
+Both damn things interpret userland pointers embedded into the payload;
+worse, they are actually traversing those. Leaving aside the bad
+API design, this is very much _not_ safe to call with KERNEL_DS.
+Bail out early if that happens.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/bsg.c | 3 +++
+ drivers/scsi/sg.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/block/bsg.c
++++ b/block/bsg.c
+@@ -655,6 +655,9 @@ bsg_write(struct file *file, const char
+
+ dprintk("%s: write %Zd bytes\n", bd->name, count);
+
++ if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
++ return -EINVAL;
++
+ bsg_set_block(bd, file);
+
+ bytes_written = 0;
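Review bot: The new `segment_eq(get_fs(), KERNEL_DS)` guard in bsg_write() carries no comment saying why a write under KERNEL_DS is refused, and the reason cannot be read off the code in the hunk. Per the commit message the payload embeds userland pointers that the handler later traverses, so with the address limit lifted those accesses would presumably no longer be confined to user memory; I would add `/* payload embeds user pointers that are dereferenced later; refuse callers running under set_fs(KERNEL_DS) */` above the check. The same comment belongs on the identical guard added to sg_write() in drivers/scsi/sg.c. In bsg_write() the check sits after the dprintk() while in sg_write() it is the first statement after the declarations; making it the first statement in both would keep the two entry points consistent. Both function bodies start and end outside their hunks.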
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -592,6 +592,9 @@ sg_write(struct file *filp, const char _
+ sg_io_hdr_t *hp;
+ unsigned char cmnd[SG_MAX_CDB_SIZE];
+
++ if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
++ return -EINVAL;
++
+ if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
+ return -ENXIO;
+ SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
--- /dev/null
+From 1cded9d2974fe4fe339fc0ccd6638b80d465ab2c Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Mon, 5 Dec 2016 15:10:11 +1100
+Subject: SUNRPC: fix refcounting problems with auth_gss messages.
+
+From: NeilBrown <neilb@suse.com>
+
+commit 1cded9d2974fe4fe339fc0ccd6638b80d465ab2c upstream.
+
+There are two problems with refcounting of auth_gss messages.
+
+First, the reference on the pipe->pipe list (taken by a call
+to rpc_queue_upcall()) is not counted. It seems to be
+assumed that a message in pipe->pipe will always also be in
+pipe->in_downcall, where it is correctly reference counted.
+
+However there is no guaranty of this. I have a report of a
+NULL dereferences in rpc_pipe_read() which suggests a msg
+that has been freed is still on the pipe->pipe list.
+
+One way I imagine this might happen is:
+- message is queued for uid=U and auth->service=S1
+- rpc.gssd reads this message and starts processing.
+ This removes the message from pipe->pipe
+- message is queued for uid=U and auth->service=S2
+- rpc.gssd replies to the first message. gss_pipe_downcall()
+ calls __gss_find_upcall(pipe, U, NULL) and it finds the
+ *second* message, as new messages are placed at the head
+ of ->in_downcall, and the service type is not checked.
+- This second message is removed from ->in_downcall and freed
+ by gss_release_msg() (even though it is still on pipe->pipe)
+- rpc.gssd tries to read another message, and dereferences a pointer
+ to this message that has just been freed.
+
+I fix this by incrementing the reference count before calling
+rpc_queue_upcall(), and decrementing it if that fails, or normally in
+gss_pipe_destroy_msg().
+
+It seems strange that the reply doesn't target the message more
+precisely, but I don't know all the details. In any case, I think the
+reference counting irregularity became a measureable bug when the
+extra arg was added to __gss_find_upcall(), hence the Fixes: line
+below.
+
+The second problem is that if rpc_queue_upcall() fails, the new
+message is not freed. gss_alloc_msg() set the ->count to 1,
+gss_add_msg() increments this to 2, gss_unhash_msg() decrements to 1,
+then the pointer is discarded so the memory never gets freed.
+
+Fixes: 9130b8dbc6ac ("SUNRPC: allow for upcalls for same uid but different gss service")
+Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1011250
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/auth_gss/auth_gss.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/sunrpc/auth_gss/auth_gss.c
++++ b/net/sunrpc/auth_gss/auth_gss.c
+@@ -541,9 +541,13 @@ gss_setup_upcall(struct gss_auth *gss_au
+ return gss_new;
+ gss_msg = gss_add_msg(gss_new);
+ if (gss_msg == gss_new) {
+- int res = rpc_queue_upcall(gss_new->pipe, &gss_new->msg);
++ int res;
++ atomic_inc(&gss_msg->count);
++ res = rpc_queue_upcall(gss_new->pipe, &gss_new->msg);
+ if (res) {
+ gss_unhash_msg(gss_new);
++ atomic_dec(&gss_msg->count);
++ gss_release_msg(gss_new);
+ gss_msg = ERR_PTR(res);
+ }
+ } else
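Review bot: The failure path gives back two references with two different primitives, `atomic_dec(&gss_msg->count)` followed by `gss_release_msg(gss_new)`, and nothing in the code says which reference each one drops. gss_msg and gss_new are the same object in this branch, and the bare atomic_dec() is only safe while another reference is still held, which the commit message implies but the code does not state. I would add `/* pipe->pipe list reference; dropped here on failure, else in gss_pipe_destroy_msg() */` above the atomic_inc() and `/* cannot reach zero: the gss_alloc_msg() reference is still held */` above the atomic_dec(), and name the object gss_new in both calls. The `gss_release_msg(gss_msg);` added at the end of gss_pipe_destroy_msg() in the next hunk wants a matching one-line comment, `/* drop the reference taken before rpc_queue_upcall() */`. Both functions start outside their hunks.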
+@@ -836,6 +840,7 @@ gss_pipe_destroy_msg(struct rpc_pipe_msg
+ warn_gssd();
+ gss_release_msg(gss_msg);
+ }
++ gss_release_msg(gss_msg);
+ }
+
+ static void gss_pipe_dentry_destroy(struct dentry *dir,
--- /dev/null
+From d0905ca757bc40bd1ebc261a448a521b064777d7 Mon Sep 17 00:00:00 2001
+From: Andy Grover <agrover@redhat.com>
+Date: Mon, 21 Nov 2016 16:35:30 -0800
+Subject: target/user: Fix use-after-free of tcmu_cmds if they are expired
+
+From: Andy Grover <agrover@redhat.com>
+
+commit d0905ca757bc40bd1ebc261a448a521b064777d7 upstream.
+
+Don't free the cmd in tcmu_check_expired_cmd, it's still referenced by
+an entry in our cmd_id->cmd idr. If userspace ever resumes processing,
+tcmu_handle_completions() will use the now-invalid cmd pointer.
+
+Instead, don't free cmd. It will be freed by tcmu_handle_completion() if
+userspace ever recovers, or tcmu_free_device if not.
+
+Reported-by: Bryant G Ly <bgly@us.ibm.com>
+Tested-by: Bryant G Ly <bgly@us.ibm.com>
+Signed-off-by: Andy Grover <agrover@redhat.com>
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_user.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/target/target_core_user.c
++++ b/drivers/target/target_core_user.c
+@@ -682,8 +682,6 @@ static int tcmu_check_expired_cmd(int id
+ target_complete_cmd(cmd->se_cmd, SAM_STAT_CHECK_CONDITION);
+ cmd->se_cmd = NULL;
+
+- kmem_cache_free(tcmu_cmd_cache, cmd);
+-
+ return 0;
+ }
+