4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 17 May 2017 15:56:27 +0000 (17:56 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 17 May 2017 15:56:27 +0000 (17:56 +0200)
added patches:
ceph-fix-memory-leak-in-__ceph_setxattr.patch
cifs-add-misssing-sfm-mapping-for-doublequote.patch
cifs-fix-cifs_ioc_get_mnt_info-oops.patch
cifs-fix-mapping-of-sfm_space-and-sfm_period.patch
ext4-evict-inline-data-when-writing-to-memory-map.patch
fs-block_dev-always-invalidate-cleancache-in-invalidate_bdev.patch
fs-xattr.c-zero-out-memory-copied-to-userspace-in-getxattr.patch
ib-core-fix-sysfs-registration-error-flow.patch
ib-core-for-multicast-functions-verify-that-lids-are-multicast-lids.patch
ib-ipoib-ibx-failed-to-create-mcg-debug-file.patch
ib-mlx4-fix-ib-device-initialization-error-flow.patch
ib-mlx4-reduce-sriov-multicast-cleanup-warning-message-to-debug-level.patch
padata-free-correct-variable.patch
set-unicode-flag-on-cifs-echo-request-to-avoid-mac-error.patch
smb3-work-around-mount-failure-when-using-smb3-dialect-to-macs.patch

16 files changed:
queue-4.4/ceph-fix-memory-leak-in-__ceph_setxattr.patch [new file with mode: 0644]
queue-4.4/cifs-add-misssing-sfm-mapping-for-doublequote.patch [new file with mode: 0644]
queue-4.4/cifs-fix-cifs_ioc_get_mnt_info-oops.patch [new file with mode: 0644]
queue-4.4/cifs-fix-mapping-of-sfm_space-and-sfm_period.patch [new file with mode: 0644]
queue-4.4/ext4-evict-inline-data-when-writing-to-memory-map.patch [new file with mode: 0644]
queue-4.4/fs-block_dev-always-invalidate-cleancache-in-invalidate_bdev.patch [new file with mode: 0644]
queue-4.4/fs-xattr.c-zero-out-memory-copied-to-userspace-in-getxattr.patch [new file with mode: 0644]
queue-4.4/ib-core-fix-sysfs-registration-error-flow.patch [new file with mode: 0644]
queue-4.4/ib-core-for-multicast-functions-verify-that-lids-are-multicast-lids.patch [new file with mode: 0644]
queue-4.4/ib-ipoib-ibx-failed-to-create-mcg-debug-file.patch [new file with mode: 0644]
queue-4.4/ib-mlx4-fix-ib-device-initialization-error-flow.patch [new file with mode: 0644]
queue-4.4/ib-mlx4-reduce-sriov-multicast-cleanup-warning-message-to-debug-level.patch [new file with mode: 0644]
queue-4.4/padata-free-correct-variable.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/set-unicode-flag-on-cifs-echo-request-to-avoid-mac-error.patch [new file with mode: 0644]
queue-4.4/smb3-work-around-mount-failure-when-using-smb3-dialect-to-macs.patch [new file with mode: 0644]

diff --git a/queue-4.4/ceph-fix-memory-leak-in-__ceph_setxattr.patch b/queue-4.4/ceph-fix-memory-leak-in-__ceph_setxattr.patch
new file mode 100644 (file)
index 0000000..3cb4001
--- /dev/null
@@ -0,0 +1,71 @@
+From eeca958dce0a9231d1969f86196653eb50fcc9b3 Mon Sep 17 00:00:00 2001
+From: Luis Henriques <lhenriques@suse.com>
+Date: Fri, 28 Apr 2017 11:14:04 +0100
+Subject: ceph: fix memory leak in __ceph_setxattr()
+
+From: Luis Henriques <lhenriques@suse.com>
+
+commit eeca958dce0a9231d1969f86196653eb50fcc9b3 upstream.
+
+The ceph_inode_xattr needs to be released when removing an xattr.  Easily
+reproducible running the 'generic/020' test from xfstests or simply by
+doing:
+
+  attr -s attr0 -V 0 /mnt/test && attr -r attr0 /mnt/test
+
+While there, also fix the error path.
+
+Here's the kmemleak splat:
+
+unreferenced object 0xffff88001f86fbc0 (size 64):
+  comm "attr", pid 244, jiffies 4294904246 (age 98.464s)
+  hex dump (first 32 bytes):
+    40 fa 86 1f 00 88 ff ff 80 32 38 1f 00 88 ff ff  @........28.....
+    00 01 00 00 00 00 ad de 00 02 00 00 00 00 ad de  ................
+  backtrace:
+    [<ffffffff81560199>] kmemleak_alloc+0x49/0xa0
+    [<ffffffff810f3e5b>] kmem_cache_alloc+0x9b/0xf0
+    [<ffffffff812b157e>] __ceph_setxattr+0x17e/0x820
+    [<ffffffff812b1c57>] ceph_set_xattr_handler+0x37/0x40
+    [<ffffffff8111fb4b>] __vfs_removexattr+0x4b/0x60
+    [<ffffffff8111fd37>] vfs_removexattr+0x77/0xd0
+    [<ffffffff8111fdd1>] removexattr+0x41/0x60
+    [<ffffffff8111fe65>] path_removexattr+0x75/0xa0
+    [<ffffffff81120aeb>] SyS_lremovexattr+0xb/0x10
+    [<ffffffff81564b20>] entry_SYSCALL_64_fastpath+0x13/0x94
+    [<ffffffffffffffff>] 0xffffffffffffffff
+
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/xattr.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -369,6 +369,7 @@ static int __set_xattr(struct ceph_inode
+       if (update_xattr) {
+               int err = 0;
++
+               if (xattr && (flags & XATTR_CREATE))
+                       err = -EEXIST;
+               else if (!xattr && (flags & XATTR_REPLACE))
+@@ -376,12 +377,14 @@ static int __set_xattr(struct ceph_inode
+               if (err) {
+                       kfree(name);
+                       kfree(val);
++                      kfree(*newxattr);
+                       return err;
+               }
+               if (update_xattr < 0) {
+                       if (xattr)
+                               __remove_xattr(ci, xattr);
+                       kfree(name);
++                      kfree(*newxattr);
+                       return 0;
+               }
+       }
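Review bot: Both added `kfree(*newxattr);` calls in `__set_xattr()` free the caller's preallocated entry but leave the caller's pointer aimed at freed memory. The caller is outside this hunk, so it cannot be confirmed from here that it never reads or frees that pointer again after the error return or the removal path; if it does, the leak fix turns into a use-after-free or double free. Clearing the pointer at both sites makes the hand-back explicit and keeps a later `kfree()` harmless: `kfree(*newxattr); *newxattr = NULL;`. The body of `__set_xattr()` starts and continues outside the hunk.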
diff --git a/queue-4.4/cifs-add-misssing-sfm-mapping-for-doublequote.patch b/queue-4.4/cifs-add-misssing-sfm-mapping-for-doublequote.patch
new file mode 100644 (file)
index 0000000..98675b1
--- /dev/null
@@ -0,0 +1,54 @@
+From 85435d7a15294f9f7ef23469e6aaf7c5dfcc54f0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Jacke?= <bj@sernet.de>
+Date: Fri, 5 May 2017 04:36:16 +0200
+Subject: CIFS: add misssing SFM mapping for doublequote
+
+From: Björn Jacke <bj@sernet.de>
+
+commit 85435d7a15294f9f7ef23469e6aaf7c5dfcc54f0 upstream.
+
+SFM is mapping doublequote to 0xF020
+
+Without this patch creating files with doublequote fails to Windows/Mac
+
+Signed-off-by: Bjoern Jacke <bjacke@samba.org>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifs_unicode.c |    6 ++++++
+ fs/cifs/cifs_unicode.h |    1 +
+ 2 files changed, 7 insertions(+)
+
+--- a/fs/cifs/cifs_unicode.c
++++ b/fs/cifs/cifs_unicode.c
+@@ -83,6 +83,9 @@ convert_sfm_char(const __u16 src_char, c
+       case SFM_COLON:
+               *target = ':';
+               break;
++      case SFM_DOUBLEQUOTE:
++              *target = '"';
++              break;
+       case SFM_ASTERISK:
+               *target = '*';
+               break;
+@@ -418,6 +421,9 @@ static __le16 convert_to_sfm_char(char s
+       case ':':
+               dest_char = cpu_to_le16(SFM_COLON);
+               break;
++      case '"':
++              dest_char = cpu_to_le16(SFM_DOUBLEQUOTE);
++              break;
+       case '*':
+               dest_char = cpu_to_le16(SFM_ASTERISK);
+               break;
+--- a/fs/cifs/cifs_unicode.h
++++ b/fs/cifs/cifs_unicode.h
+@@ -57,6 +57,7 @@
+  * not conflict (although almost does) with the mapping above.
+  */
++#define SFM_DOUBLEQUOTE ((__u16) 0xF020)
+ #define SFM_ASTERISK    ((__u16) 0xF021)
+ #define SFM_QUESTION    ((__u16) 0xF025)
+ #define SFM_COLON       ((__u16) 0xF022)
diff --git a/queue-4.4/cifs-fix-cifs_ioc_get_mnt_info-oops.patch b/queue-4.4/cifs-fix-cifs_ioc_get_mnt_info-oops.patch
new file mode 100644 (file)
index 0000000..1d99308
--- /dev/null
@@ -0,0 +1,31 @@
+From d8a6e505d6bba2250852fbc1c1c86fe68aaf9af3 Mon Sep 17 00:00:00 2001
+From: David Disseldorp <ddiss@suse.de>
+Date: Thu, 4 May 2017 00:41:13 +0200
+Subject: cifs: fix CIFS_IOC_GET_MNT_INFO oops
+
+From: David Disseldorp <ddiss@suse.de>
+
+commit d8a6e505d6bba2250852fbc1c1c86fe68aaf9af3 upstream.
+
+An open directory may have a NULL private_data pointer prior to readdir.
+
+Fixes: 0de1f4c6f6c0 ("Add way to query server fs info for smb3")
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/ioctl.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/cifs/ioctl.c
++++ b/fs/cifs/ioctl.c
+@@ -272,6 +272,8 @@ long cifs_ioctl(struct file *filep, unsi
+                               rc = -EOPNOTSUPP;
+                       break;
+               case CIFS_IOC_GET_MNT_INFO:
++                      if (pSMBFile == NULL)
++                              break;
+                       tcon = tlink_tcon(pSMBFile->tlink);
+                       rc = smb_mnt_get_fsinfo(xid, tcon, (void __user *)arg);
+                       break;
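Review bot: The new `if (pSMBFile == NULL) break;` in the `CIFS_IOC_GET_MNT_INFO` case leaves `rc` at whatever value it had on entry to the switch, and that initialisation is outside the hunk. The result userspace sees for an ioctl on a directory that has not been read yet is therefore implicit; a comment such as `/* opened directory, no readdir yet: no cifsFileInfo, rc keeps its default */` would record that this is intended. Any other case in this switch that dereferences `pSMBFile` (not visible here) is reachable from userspace the same way and would need the same guard. `cifs_ioctl()` starts and ends outside the hunk.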
diff --git a/queue-4.4/cifs-fix-mapping-of-sfm_space-and-sfm_period.patch b/queue-4.4/cifs-fix-mapping-of-sfm_space-and-sfm_period.patch
new file mode 100644 (file)
index 0000000..d315113
--- /dev/null
@@ -0,0 +1,36 @@
+From b704e70b7cf48f9b67c07d585168e102dfa30bb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Jacke?= <bj@sernet.de>
+Date: Wed, 3 May 2017 23:47:44 +0200
+Subject: CIFS: fix mapping of SFM_SPACE and SFM_PERIOD
+
+From: Björn Jacke <bj@sernet.de>
+
+commit b704e70b7cf48f9b67c07d585168e102dfa30bb4 upstream.
+
+- trailing space maps to 0xF028
+- trailing period maps to 0xF029
+
+This fix corrects the mapping of file names which have a trailing character
+that would otherwise be illegal (period or space) but is allowed by POSIX.
+
+Signed-off-by: Bjoern Jacke <bjacke@samba.org>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifs_unicode.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/cifs_unicode.h
++++ b/fs/cifs/cifs_unicode.h
+@@ -64,8 +64,8 @@
+ #define SFM_LESSTHAN    ((__u16) 0xF023)
+ #define SFM_PIPE        ((__u16) 0xF027)
+ #define SFM_SLASH       ((__u16) 0xF026)
+-#define SFM_PERIOD    ((__u16) 0xF028)
+-#define SFM_SPACE     ((__u16) 0xF029)
++#define SFM_SPACE     ((__u16) 0xF028)
++#define SFM_PERIOD    ((__u16) 0xF029)
+ /*
+  * Mapping mechanism to use when one of the seven reserved characters is
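Review bot: The two corrected defines still carry no comment saying that they apply only to a trailing space or period, which is exactly the detail the previous values got wrong. A short trailing comment on each would keep the next edit from swapping them back, for example `#define SFM_SPACE ((__u16) 0xF028) /* trailing space only */` and `#define SFM_PERIOD ((__u16) 0xF029) /* trailing period only */`. The wording follows the patch description; the code that decides "trailing" is not visible in this hunk.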
diff --git a/queue-4.4/ext4-evict-inline-data-when-writing-to-memory-map.patch b/queue-4.4/ext4-evict-inline-data-when-writing-to-memory-map.patch
new file mode 100644 (file)
index 0000000..b40e6af
--- /dev/null
@@ -0,0 +1,86 @@
+From 7b4cc9787fe35b3ee2dfb1c35e22eafc32e00c33 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sun, 30 Apr 2017 00:10:50 -0400
+Subject: ext4: evict inline data when writing to memory map
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 7b4cc9787fe35b3ee2dfb1c35e22eafc32e00c33 upstream.
+
+Currently the case of writing via mmap to a file with inline data is not
+handled.  This is maybe a rare case since it requires a writable memory
+map of a very small file, but it is trivial to trigger with on
+inline_data filesystem, and it causes the
+'BUG_ON(ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA));' in
+ext4_writepages() to be hit:
+
+    mkfs.ext4 -O inline_data /dev/vdb
+    mount /dev/vdb /mnt
+    xfs_io -f /mnt/file \
+       -c 'pwrite 0 1' \
+       -c 'mmap -w 0 1m' \
+       -c 'mwrite 0 1' \
+       -c 'fsync'
+
+       kernel BUG at fs/ext4/inode.c:2723!
+       invalid opcode: 0000 [#1] SMP
+       CPU: 1 PID: 2532 Comm: xfs_io Not tainted 4.11.0-rc1-xfstests-00301-g071d9acf3d1f #633
+       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
+       task: ffff88003d3a8040 task.stack: ffffc90000300000
+       RIP: 0010:ext4_writepages+0xc89/0xf8a
+       RSP: 0018:ffffc90000303ca0 EFLAGS: 00010283
+       RAX: 0000028410000000 RBX: ffff8800383fa3b0 RCX: ffffffff812afcdc
+       RDX: 00000a9d00000246 RSI: ffffffff81e660e0 RDI: 0000000000000246
+       RBP: ffffc90000303dc0 R08: 0000000000000002 R09: 869618e8f99b4fa5
+       R10: 00000000852287a2 R11: 00000000a03b49f4 R12: ffff88003808e698
+       R13: 0000000000000000 R14: 7fffffffffffffff R15: 7fffffffffffffff
+       FS:  00007fd3e53094c0(0000) GS:ffff88003e400000(0000) knlGS:0000000000000000
+       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+       CR2: 00007fd3e4c51000 CR3: 000000003d554000 CR4: 00000000003406e0
+       Call Trace:
+        ? _raw_spin_unlock+0x27/0x2a
+        ? kvm_clock_read+0x1e/0x20
+        do_writepages+0x23/0x2c
+        ? do_writepages+0x23/0x2c
+        __filemap_fdatawrite_range+0x80/0x87
+        filemap_write_and_wait_range+0x67/0x8c
+        ext4_sync_file+0x20e/0x472
+        vfs_fsync_range+0x8e/0x9f
+        ? syscall_trace_enter+0x25b/0x2d0
+        vfs_fsync+0x1c/0x1e
+        do_fsync+0x31/0x4a
+        SyS_fsync+0x10/0x14
+        do_syscall_64+0x69/0x131
+        entry_SYSCALL64_slow_path+0x25/0x25
+
+We could try to be smart and keep the inline data in this case, or at
+least support delayed allocation when allocating the block, but these
+solutions would be more complicated and don't seem worthwhile given how
+rare this case seems to be.  So just fix the bug by calling
+ext4_convert_inline_data() when we're asked to make a page writable, so
+that any inline data gets evicted, with the block allocated immediately.
+
+Reported-by: Nick Alcock <nick.alcock@oracle.com>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -5393,6 +5393,11 @@ int ext4_page_mkwrite(struct vm_area_str
+       file_update_time(vma->vm_file);
+       down_read(&EXT4_I(inode)->i_mmap_sem);
++
++      ret = ext4_convert_inline_data(inode);
++      if (ret)
++              goto out_ret;
++
+       /* Delalloc case is easy... */
+       if (test_opt(inode->i_sb, DELALLOC) &&
+           !ext4_should_journal_data(inode) &&
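Review bot: The added `goto out_ret;` is taken after `down_read(&EXT4_I(inode)->i_mmap_sem)` has succeeded, and the `out_ret` label is outside this hunk, so the patch alone does not show that this path releases the semaphore. It is also worth confirming that `out_ret` converts the negative errno from `ext4_convert_inline_data()` into a fault code rather than returning it raw from `ext4_page_mkwrite()`. If both hold, a one-line comment at the call, `/* evict inline data before the page becomes writable; out_ret drops i_mmap_sem */`, would make the dependency visible. The function body starts and continues outside the hunk.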
diff --git a/queue-4.4/fs-block_dev-always-invalidate-cleancache-in-invalidate_bdev.patch b/queue-4.4/fs-block_dev-always-invalidate-cleancache-in-invalidate_bdev.patch
new file mode 100644 (file)
index 0000000..d3278aa
--- /dev/null
@@ -0,0 +1,55 @@
+From a5f6a6a9c72eac38a7fadd1a038532bc8516337c Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Wed, 3 May 2017 14:56:02 -0700
+Subject: fs/block_dev: always invalidate cleancache in invalidate_bdev()
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+commit a5f6a6a9c72eac38a7fadd1a038532bc8516337c upstream.
+
+invalidate_bdev() calls cleancache_invalidate_inode() iff ->nrpages != 0
+which doen't make any sense.
+
+Make sure that invalidate_bdev() always calls cleancache_invalidate_inode()
+regardless of mapping->nrpages value.
+
+Fixes: c515e1fd361c ("mm/fs: add hooks to support cleancache")
+Link: http://lkml.kernel.org/r/20170424164135.22350-3-aryabinin@virtuozzo.com
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Alexey Kuznetsov <kuznet@virtuozzo.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Nikolay Borisov <n.borisov.lkml@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/block_dev.c |   11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/fs/block_dev.c
++++ b/fs/block_dev.c
+@@ -88,12 +88,11 @@ void invalidate_bdev(struct block_device
+ {
+       struct address_space *mapping = bdev->bd_inode->i_mapping;
+-      if (mapping->nrpages == 0)
+-              return;
+-
+-      invalidate_bh_lrus();
+-      lru_add_drain_all();    /* make sure all lru add caches are flushed */
+-      invalidate_mapping_pages(mapping, 0, -1);
++      if (mapping->nrpages) {
++              invalidate_bh_lrus();
++              lru_add_drain_all();    /* make sure all lru add caches are flushed */
++              invalidate_mapping_pages(mapping, 0, -1);
++      }
+       /* 99% of the time, we don't need to flush the cleancache on the bdev.
+        * But, for the strange corners, lets be cautious
+        */
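Review bot: The retained comment "99% of the time, we don't need to flush the cleancache on the bdev" no longer says why the call that follows must run even when `mapping->nrpages` is zero, which is the whole point of the new `if (mapping->nrpages) { ... }` block. Presumably cleancache can still hold pages for this inode after the page cache has been emptied; if so the comment should say it, e.g. `/* cleancache may still hold pages for this inode when nrpages == 0, so invalidate it unconditionally */`. The cleancache call itself and the end of `invalidate_bdev()` are outside the hunk.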
diff --git a/queue-4.4/fs-xattr.c-zero-out-memory-copied-to-userspace-in-getxattr.patch b/queue-4.4/fs-xattr.c-zero-out-memory-copied-to-userspace-in-getxattr.patch
new file mode 100644 (file)
index 0000000..f2caada
--- /dev/null
@@ -0,0 +1,40 @@
+From 81be3dee96346fbe08c31be5ef74f03f6b63cf68 Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.com>
+Date: Mon, 8 May 2017 15:57:24 -0700
+Subject: fs/xattr.c: zero out memory copied to userspace in getxattr
+
+From: Michal Hocko <mhocko@suse.com>
+
+commit 81be3dee96346fbe08c31be5ef74f03f6b63cf68 upstream.
+
+getxattr uses vmalloc to allocate memory if kzalloc fails.  This is
+filled by vfs_getxattr and then copied to the userspace.  vmalloc,
+however, doesn't zero out the memory so if the specific implementation
+of the xattr handler is sloppy we can theoretically expose a kernel
+memory.  There is no real sign this is really the case but let's make
+sure this will not happen and use vzalloc instead.
+
+Fixes: 779302e67835 ("fs/xattr.c:getxattr(): improve handling of allocation failures")
+Link: http://lkml.kernel.org/r/20170306103327.2766-1-mhocko@kernel.org
+Acked-by: Kees Cook <keescook@chromium.org>
+Reported-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xattr.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xattr.c
++++ b/fs/xattr.c
+@@ -442,7 +442,7 @@ getxattr(struct dentry *d, const char __
+                       size = XATTR_SIZE_MAX;
+               kvalue = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
+               if (!kvalue) {
+-                      vvalue = vmalloc(size);
++                      vvalue = vzalloc(size);
+                       if (!vvalue)
+                               return -ENOMEM;
+                       kvalue = vvalue;
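Review bot: Switching the fallback to `vzalloc(size)` only guarantees the buffer starts zeroed; whether stale kernel memory can reach userspace still depends on the copy length, which is outside this hunk. It is worth confirming that the later copy to userspace uses the length returned by `vfs_getxattr()` and never the clamped `size`, so that zeroing is defence in depth and not the only barrier. A comment at the allocation would keep the two paths from diverging again: `/* must be zeroed like the kzalloc path: the buffer is copied to userspace */`. `getxattr()` starts and continues outside the hunk.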
diff --git a/queue-4.4/ib-core-fix-sysfs-registration-error-flow.patch b/queue-4.4/ib-core-fix-sysfs-registration-error-flow.patch
new file mode 100644 (file)
index 0000000..dbce91c
--- /dev/null
@@ -0,0 +1,50 @@
+From b312be3d87e4c80872cbea869e569175c5eb0f9a Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Sun, 19 Mar 2017 10:55:57 +0200
+Subject: IB/core: Fix sysfs registration error flow
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+commit b312be3d87e4c80872cbea869e569175c5eb0f9a upstream.
+
+The kernel commit cited below restructured ib device management
+so that the device kobject is initialized in ib_alloc_device.
+
+As part of the restructuring, the kobject is now initialized in
+procedure ib_alloc_device, and is later added to the device hierarchy
+in the ib_register_device call stack, in procedure
+ib_device_register_sysfs (which calls device_add).
+
+However, in the ib_device_register_sysfs error flow, if an error
+occurs following the call to device_add, the cleanup procedure
+device_unregister is called. This call results in the device object
+being deleted -- which results in various use-after-free crashes.
+
+The correct cleanup call is device_del -- which undoes device_add
+without deleting the device object.
+
+The device object will then (correctly) be deleted in the
+ib_register_device caller's error cleanup flow, when the caller invokes
+ib_dealloc_device.
+
+Fixes: 55aeed06544f6 ("IB/core: Make ib_alloc_device init the kobject")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/sysfs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/sysfs.c
++++ b/drivers/infiniband/core/sysfs.c
+@@ -863,7 +863,7 @@ err_put:
+       free_port_list_attributes(device);
+ err_unregister:
+-      device_unregister(class_dev);
++      device_del(class_dev);
+ err:
+       return ret;
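Review bot: The label `err_unregister:` now guards a `device_del(class_dev);` call, so its name describes the call that caused the use-after-free and not the cleanup that is actually performed. Renaming it (for instance `err_del:`) or adding `/* device_del only: the caller's ib_dealloc_device() drops the final reference */` above the call would stop a later cleanup from "fixing" it back to `device_unregister()`. The `goto` sites that target this label are outside the hunk and would need the same rename.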
diff --git a/queue-4.4/ib-core-for-multicast-functions-verify-that-lids-are-multicast-lids.patch b/queue-4.4/ib-core-for-multicast-functions-verify-that-lids-are-multicast-lids.patch
new file mode 100644 (file)
index 0000000..7acb028
--- /dev/null
@@ -0,0 +1,53 @@
+From 8561eae60ff9417a50fa1fb2b83ae950dc5c1e21 Mon Sep 17 00:00:00 2001
+From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
+Date: Sun, 9 Apr 2017 10:15:51 -0700
+Subject: IB/core: For multicast functions, verify that LIDs are multicast LIDs
+
+From: Michael J. Ruhl <michael.j.ruhl@intel.com>
+
+commit 8561eae60ff9417a50fa1fb2b83ae950dc5c1e21 upstream.
+
+The Infiniband spec defines "A multicast address is defined by a
+MGID and a MLID" (section 10.5).  Currently the MLID value is not
+validated.
+
+Add check to verify that the MLID value is in the correct address
+range.
+
+Fixes: 0c33aeedb2cf ("[IB] Add checks to multicast attach and detach")
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Reviewed-by: Dasaratharaman Chandramouli <dasaratharaman.chandramouli@intel.com>
+Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/verbs.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/core/verbs.c
++++ b/drivers/infiniband/core/verbs.c
+@@ -1372,7 +1372,9 @@ int ib_attach_mcast(struct ib_qp *qp, un
+       if (!qp->device->attach_mcast)
+               return -ENOSYS;
+-      if (gid->raw[0] != 0xff || qp->qp_type != IB_QPT_UD)
++      if (gid->raw[0] != 0xff || qp->qp_type != IB_QPT_UD ||
++          lid < be16_to_cpu(IB_MULTICAST_LID_BASE) ||
++          lid == be16_to_cpu(IB_LID_PERMISSIVE))
+               return -EINVAL;
+       ret = qp->device->attach_mcast(qp, gid, lid);
+@@ -1388,7 +1390,9 @@ int ib_detach_mcast(struct ib_qp *qp, un
+       if (!qp->device->detach_mcast)
+               return -ENOSYS;
+-      if (gid->raw[0] != 0xff || qp->qp_type != IB_QPT_UD)
++      if (gid->raw[0] != 0xff || qp->qp_type != IB_QPT_UD ||
++          lid < be16_to_cpu(IB_MULTICAST_LID_BASE) ||
++          lid == be16_to_cpu(IB_LID_PERMISSIVE))
+               return -EINVAL;
+       ret = qp->device->detach_mcast(qp, gid, lid);
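Review bot: The same three-line MLID range check is now duplicated verbatim in `ib_attach_mcast()` and `ib_detach_mcast()`, so a later correction to the valid range can easily be applied to only one of them. Moving the test into a small static helper with a comment that names the rule (multicast range, excluding the permissive LID) keeps attach and detach in step; the sketch below shows the helper and the attach-side condition, and detach would use the identical condition. Both functions start and end outside their hunks, and the `u16` type of `lid` is assumed from the `be16_to_cpu()` comparisons because the signatures are truncated here.

```c
/* An MLID must lie in the multicast range and must not be the permissive LID. */
static bool ib_lid_is_mcast(u16 lid)
{
	return lid >= be16_to_cpu(IB_MULTICAST_LID_BASE) &&
	       lid != be16_to_cpu(IB_LID_PERMISSIVE);
}

/* … unchanged: attach_mcast NULL check returning -ENOSYS … */
	if (gid->raw[0] != 0xff || qp->qp_type != IB_QPT_UD ||
	    !ib_lid_is_mcast(lid))
		return -EINVAL;
```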
diff --git a/queue-4.4/ib-ipoib-ibx-failed-to-create-mcg-debug-file.patch b/queue-4.4/ib-ipoib-ibx-failed-to-create-mcg-debug-file.patch
new file mode 100644 (file)
index 0000000..0b37b25
--- /dev/null
@@ -0,0 +1,157 @@
+From 771a52584096c45e4565e8aabb596eece9d73d61 Mon Sep 17 00:00:00 2001
+From: Shamir Rabinovitch <shamir.rabinovitch@oracle.com>
+Date: Wed, 29 Mar 2017 06:21:59 -0400
+Subject: IB/IPoIB: ibX: failed to create mcg debug file
+
+From: Shamir Rabinovitch <shamir.rabinovitch@oracle.com>
+
+commit 771a52584096c45e4565e8aabb596eece9d73d61 upstream.
+
+When udev renames the netdev devices, ipoib debugfs entries does not
+get renamed. As a result, if subsequent probe of ipoib device reuse the
+name then creating a debugfs entry for the new device would fail.
+
+Also, moved ipoib_create_debug_files and ipoib_delete_debug_files as part
+of ipoib event handling in order to avoid any race condition between these.
+
+Fixes: 1732b0ef3b3a ([IPoIB] add path record information in debugfs)
+Signed-off-by: Vijay Kumar <vijay.ac.kumar@oracle.com>
+Signed-off-by: Shamir Rabinovitch <shamir.rabinovitch@oracle.com>
+Reviewed-by: Mark Bloch <markb@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/ipoib/ipoib_fs.c   |    3 ++
+ drivers/infiniband/ulp/ipoib/ipoib_main.c |   44 ++++++++++++++++++++++++++----
+ drivers/infiniband/ulp/ipoib/ipoib_vlan.c |    3 --
+ 3 files changed, 42 insertions(+), 8 deletions(-)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_fs.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_fs.c
+@@ -281,8 +281,11 @@ void ipoib_delete_debug_files(struct net
+ {
+       struct ipoib_dev_priv *priv = netdev_priv(dev);
++      WARN_ONCE(!priv->mcg_dentry, "null mcg debug file\n");
++      WARN_ONCE(!priv->path_dentry, "null path debug file\n");
+       debugfs_remove(priv->mcg_dentry);
+       debugfs_remove(priv->path_dentry);
++      priv->mcg_dentry = priv->path_dentry = NULL;
+ }
+ int ipoib_register_debugfs(void)
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -106,6 +106,33 @@ static struct ib_client ipoib_client = {
+       .get_net_dev_by_params = ipoib_get_net_dev_by_params,
+ };
++#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
++static int ipoib_netdev_event(struct notifier_block *this,
++                            unsigned long event, void *ptr)
++{
++      struct netdev_notifier_info *ni = ptr;
++      struct net_device *dev = ni->dev;
++
++      if (dev->netdev_ops->ndo_open != ipoib_open)
++              return NOTIFY_DONE;
++
++      switch (event) {
++      case NETDEV_REGISTER:
++              ipoib_create_debug_files(dev);
++              break;
++      case NETDEV_CHANGENAME:
++              ipoib_delete_debug_files(dev);
++              ipoib_create_debug_files(dev);
++              break;
++      case NETDEV_UNREGISTER:
++              ipoib_delete_debug_files(dev);
++              break;
++      }
++
++      return NOTIFY_DONE;
++}
++#endif
++
+ int ipoib_open(struct net_device *dev)
+ {
+       struct ipoib_dev_priv *priv = netdev_priv(dev);
+@@ -1595,8 +1622,6 @@ void ipoib_dev_cleanup(struct net_device
+       ASSERT_RTNL();
+-      ipoib_delete_debug_files(dev);
+-
+       /* Delete any child interfaces first */
+       list_for_each_entry_safe(cpriv, tcpriv, &priv->child_intfs, list) {
+               /* Stop GC on child */
+@@ -1908,8 +1933,6 @@ static struct net_device *ipoib_add_port
+               goto register_failed;
+       }
+-      ipoib_create_debug_files(priv->dev);
+-
+       if (ipoib_cm_add_mode_attr(priv->dev))
+               goto sysfs_failed;
+       if (ipoib_add_pkey_attr(priv->dev))
+@@ -1924,7 +1947,6 @@ static struct net_device *ipoib_add_port
+       return priv->dev;
+ sysfs_failed:
+-      ipoib_delete_debug_files(priv->dev);
+       unregister_netdev(priv->dev);
+ register_failed:
+@@ -2006,6 +2028,12 @@ static void ipoib_remove_one(struct ib_d
+       kfree(dev_list);
+ }
++#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
++static struct notifier_block ipoib_netdev_notifier = {
++      .notifier_call = ipoib_netdev_event,
++};
++#endif
++
+ static int __init ipoib_init_module(void)
+ {
+       int ret;
+@@ -2057,6 +2085,9 @@ static int __init ipoib_init_module(void
+       if (ret)
+               goto err_client;
++#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
++      register_netdevice_notifier(&ipoib_netdev_notifier);
++#endif
+       return 0;
+ err_client:
+@@ -2074,6 +2105,9 @@ err_fs:
+ static void __exit ipoib_cleanup_module(void)
+ {
++#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
++      unregister_netdevice_notifier(&ipoib_netdev_notifier);
++#endif
+       ipoib_netlink_fini();
+       ib_unregister_client(&ipoib_client);
+       ib_sa_unregister_client(&ipoib_sa_client);
+--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
+@@ -85,8 +85,6 @@ int __ipoib_vlan_add(struct ipoib_dev_pr
+               goto register_failed;
+       }
+-      ipoib_create_debug_files(priv->dev);
+-
+       /* RTNL childs don't need proprietary sysfs entries */
+       if (type == IPOIB_LEGACY_CHILD) {
+               if (ipoib_cm_add_mode_attr(priv->dev))
+@@ -107,7 +105,6 @@ int __ipoib_vlan_add(struct ipoib_dev_pr
+ sysfs_failed:
+       result = -ENOMEM;
+-      ipoib_delete_debug_files(priv->dev);
+       unregister_netdevice(priv->dev);
+ register_failed:
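Review bot: The return value of `register_netdevice_notifier(&ipoib_netdev_notifier);` in `ipoib_init_module()` is ignored, so a failed registration leaves the module loaded with no debug files and no indication why. Since creation and deletion of the debugfs entries now depend entirely on this notifier, the call should at least be checked, e.g. `ret = register_netdevice_notifier(&ipoib_netdev_notifier);` followed by a warning or an unwind through the existing error labels (those labels are only partly visible in this hunk). Separately, `ipoib_delete_debug_files()` now fires `WARN_ONCE` when a dentry is NULL, which will also trigger on `NETDEV_UNREGISTER` or `NETDEV_CHANGENAME` if the earlier `ipoib_create_debug_files()` failed; a comment stating whether that is intended would help.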
diff --git a/queue-4.4/ib-mlx4-fix-ib-device-initialization-error-flow.patch b/queue-4.4/ib-mlx4-fix-ib-device-initialization-error-flow.patch
new file mode 100644 (file)
index 0000000..7563129
--- /dev/null
@@ -0,0 +1,34 @@
+From 99e68909d5aba1861897fe7afc3306c3c81b6de0 Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Tue, 21 Mar 2017 12:57:05 +0200
+Subject: IB/mlx4: Fix ib device initialization error flow
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+commit 99e68909d5aba1861897fe7afc3306c3c81b6de0 upstream.
+
+In mlx4_ib_add, procedure mlx4_ib_alloc_eqs is called to allocate EQs.
+
+However, in the mlx4_ib_add error flow, procedure mlx4_ib_free_eqs is not
+called to free the allocated EQs.
+
+Fixes: e605b743f33d ("IB/mlx4: Increase the number of vectors (EQs) available for ULPs")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx4/main.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -2491,6 +2491,7 @@ err_counter:
+               mlx4_ib_delete_counters_table(ibdev, &ibdev->counters_table[i]);
+ err_map:
++      mlx4_ib_free_eqs(dev, ibdev);
+       iounmap(ibdev->uar_map);
+ err_uar:
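Review bot: The added `mlx4_ib_free_eqs(dev, ibdev);` sits under `err_map:`, so it runs for every failure that jumps to that label, and neither those `goto` sites nor the `mlx4_ib_alloc_eqs()` call are visible in this hunk. It should be confirmed that no `goto err_map` can happen before the EQs are allocated, or that `mlx4_ib_free_eqs()` tolerates an unallocated table; otherwise the fix for the leak frees state that was never set up. A comment on the line, `/* pairs with mlx4_ib_alloc_eqs(); every jump to err_map happens after it */`, would document the ordering the unwind relies on.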
diff --git a/queue-4.4/ib-mlx4-reduce-sriov-multicast-cleanup-warning-message-to-debug-level.patch b/queue-4.4/ib-mlx4-reduce-sriov-multicast-cleanup-warning-message-to-debug-level.patch
new file mode 100644 (file)
index 0000000..1f0a674
--- /dev/null
@@ -0,0 +1,97 @@
+From fb7a91746af18b2ebf596778b38a709cdbc488d3 Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Tue, 21 Mar 2017 12:57:06 +0200
+Subject: IB/mlx4: Reduce SRIOV multicast cleanup warning message to debug level
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+commit fb7a91746af18b2ebf596778b38a709cdbc488d3 upstream.
+
+A warning message during SRIOV multicast cleanup should have actually been
+a debug level message. The condition generating the warning does no harm
+and can fill the message log.
+
+In some cases, during testing, some tests were so intense as to swamp the
+message log with these warning messages, causing a stall in the console
+message log output task. This stall caused an NMI to be sent to all CPUs
+(so that they all dumped their stacks into the message log).
+Aside from the message flood causing an NMI, the tests all passed.
+
+Once the message flood which caused the NMI is removed (by reducing the
+warning message to debug level), the NMI no longer occurs.
+
+Sample message log (console log) output illustrating the flood and
+resultant NMI (snippets with comments and modified with ... instead
+of hex digits, to satisfy checkpatch.pl):
+
+ <mlx4_ib> _mlx4_ib_mcg_port_cleanup: ... WARNING: group refcount 1!!!...
+ *** About 4000 almost identical lines in less than one second ***
+ <mlx4_ib> _mlx4_ib_mcg_port_cleanup: ... WARNING: group refcount 1!!!...
+ INFO: rcu_sched detected stalls on CPUs/tasks: { 17} (...)
+ *** { 17} above indicates that CPU 17 was the one that stalled ***
+ sending NMI to all CPUs:
+ ...
+ NMI backtrace for cpu 17
+ CPU: 17 PID: 45909 Comm: kworker/17:2
+ Hardware name: HP ProLiant DL360p Gen8, BIOS P71 09/08/2013
+ Workqueue: events fb_flashcursor
+ task: ffff880478...... ti: ffff88064e...... task.ti: ffff88064e......
+ RIP: 0010:[ffffffff81......]  [ffffffff81......] io_serial_in+0x15/0x20
+ RSP: 0018:ffff88064e257cb0  EFLAGS: 00000002
+ RAX: 0000000000...... RBX: ffffffff81...... RCX: 0000000000......
+ RDX: 0000000000...... RSI: 0000000000...... RDI: ffffffff81......
+ RBP: ffff88064e...... R08: ffffffff81...... R09: 0000000000......
+ R10: 0000000000...... R11: ffff88064e...... R12: 0000000000......
+ R13: 0000000000...... R14: ffffffff81...... R15: 0000000000......
+ FS:  0000000000......(0000) GS:ffff8804af......(0000) knlGS:000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080......
+ CR2: 00007f2a2f...... CR3: 0000000001...... CR4: 0000000000......
+ DR0: 0000000000...... DR1: 0000000000...... DR2: 0000000000......
+ DR3: 0000000000...... DR6: 00000000ff...... DR7: 0000000000......
+ Stack:
+ ffff88064e...... ffffffff81...... ffffffff81...... 0000000000......
+ ffffffff81...... ffff88064e...... ffffffff81...... ffffffff81......
+ ffffffff81...... ffff88064e...... ffffffff81...... 0000000000......
+ Call Trace:
+[<ffffffff813d099b>] wait_for_xmitr+0x3b/0xa0
+[<ffffffff813d0b5c>] serial8250_console_putchar+0x1c/0x30
+[<ffffffff813d0b40>] ? serial8250_console_write+0x140/0x140
+[<ffffffff813cb5fa>] uart_console_write+0x3a/0x80
+[<ffffffff813d0aae>] serial8250_console_write+0xae/0x140
+[<ffffffff8107c4d1>] call_console_drivers.constprop.15+0x91/0xf0
+[<ffffffff8107d6cf>] console_unlock+0x3bf/0x400
+[<ffffffff813503cd>] fb_flashcursor+0x5d/0x140
+[<ffffffff81355c30>] ? bit_clear+0x120/0x120
+[<ffffffff8109d5fb>] process_one_work+0x17b/0x470
+[<ffffffff8109e3cb>] worker_thread+0x11b/0x400
+[<ffffffff8109e2b0>] ? rescuer_thread+0x400/0x400
+[<ffffffff810a5aef>] kthread+0xcf/0xe0
+[<ffffffff810a5a20>] ? kthread_create_on_node+0x140/0x140
+[<ffffffff81645858>] ret_from_fork+0x58/0x90
+[<ffffffff810a5a20>] ? kthread_create_on_node+0x140/0x140
+Code: 48 89 e5 d3 e6 48 63 f6 48 03 77 10 8b 06 5d c3 66 0f 1f 44 00 00 66 66 66 6
+
+As indicated in the stack trace above, the console output task got swamped.
+
+Fixes: b9c5d6a64358 ("IB/mlx4: Add multicast group (MCG) paravirtualization for SR-IOV")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx4/mcg.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx4/mcg.c
++++ b/drivers/infiniband/hw/mlx4/mcg.c
+@@ -1105,7 +1105,8 @@ static void _mlx4_ib_mcg_port_cleanup(st
+       while ((p = rb_first(&ctx->mcg_table)) != NULL) {
+               group = rb_entry(p, struct mcast_group, node);
+               if (atomic_read(&group->refcount))
+-                      mcg_warn_group(group, "group refcount %d!!! (pointer %p)\n", atomic_read(&group->refcount), group);
++                      mcg_debug_group(group, "group refcount %d!!! (pointer %p)\n",
++                                      atomic_read(&group->refcount), group);
+               force_clean_group(group);
+       }
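Review bot: The demoted message in `_mlx4_ib_mcg_port_cleanup` still formats the group with `(pointer %p)`, which on a 4.4 kernel writes the raw kernel address of the `mcast_group` into the log whenever debug output is enabled. Lowering the level reduces the flood but keeps the address disclosure, which is useful to anyone trying to defeat kernel address randomisation from log access. I would either drop the pointer or print it with `%pK`, e.g. `mcg_debug_group(group, "group refcount %d!!! (pointer %pK)\n", atomic_read(&group->refcount), group);`. The function body starts and ends outside the hunk.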
diff --git a/queue-4.4/padata-free-correct-variable.patch b/queue-4.4/padata-free-correct-variable.patch
new file mode 100644 (file)
index 0000000..36e5579
--- /dev/null
@@ -0,0 +1,32 @@
+From 07a77929ba672d93642a56dc2255dd21e6e2290b Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 7 Apr 2017 02:33:30 +0200
+Subject: padata: free correct variable
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+commit 07a77929ba672d93642a56dc2255dd21e6e2290b upstream.
+
+The author meant to free the variable that was just allocated, instead
+of the one that failed to be allocated, but made a simple typo. This
+patch rectifies that.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/padata.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -357,7 +357,7 @@ static int padata_setup_cpumasks(struct
+       cpumask_and(pd->cpumask.pcpu, pcpumask, cpu_online_mask);
+       if (!alloc_cpumask_var(&pd->cpumask.cbcpu, GFP_KERNEL)) {
+-              free_cpumask_var(pd->cpumask.cbcpu);
++              free_cpumask_var(pd->cpumask.pcpu);
+               return -ENOMEM;
+       }
index f422c1f4a54c1e1022751797e5afbf6e27e43db9..9640eda0fdf01bfb201c74e3998b52f8ce36b201 100644 (file)
@@ -26,3 +26,18 @@ block-fix-blk_integrity_register-to-use-template-s-interval_exp-if-not-0.patch
 crypto-algif_aead-require-setkey-before-accept-2.patch
 dm-era-save-spacemap-metadata-root-after-the-pre-commit.patch
 vfio-type1-remove-locked-page-accounting-workqueue.patch
+ib-core-fix-sysfs-registration-error-flow.patch
+ib-core-for-multicast-functions-verify-that-lids-are-multicast-lids.patch
+ib-ipoib-ibx-failed-to-create-mcg-debug-file.patch
+ib-mlx4-fix-ib-device-initialization-error-flow.patch
+ib-mlx4-reduce-sriov-multicast-cleanup-warning-message-to-debug-level.patch
+ext4-evict-inline-data-when-writing-to-memory-map.patch
+fs-xattr.c-zero-out-memory-copied-to-userspace-in-getxattr.patch
+ceph-fix-memory-leak-in-__ceph_setxattr.patch
+fs-block_dev-always-invalidate-cleancache-in-invalidate_bdev.patch
+set-unicode-flag-on-cifs-echo-request-to-avoid-mac-error.patch
+smb3-work-around-mount-failure-when-using-smb3-dialect-to-macs.patch
+cifs-fix-mapping-of-sfm_space-and-sfm_period.patch
+cifs-fix-cifs_ioc_get_mnt_info-oops.patch
+cifs-add-misssing-sfm-mapping-for-doublequote.patch
+padata-free-correct-variable.patch
diff --git a/queue-4.4/set-unicode-flag-on-cifs-echo-request-to-avoid-mac-error.patch b/queue-4.4/set-unicode-flag-on-cifs-echo-request-to-avoid-mac-error.patch
new file mode 100644 (file)
index 0000000..56250fd
--- /dev/null
@@ -0,0 +1,34 @@
+From 26c9cb668c7fbf9830516b75d8bee70b699ed449 Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Tue, 2 May 2017 13:35:20 -0500
+Subject: Set unicode flag on cifs echo request to avoid Mac error
+
+From: Steve French <smfrench@gmail.com>
+
+commit 26c9cb668c7fbf9830516b75d8bee70b699ed449 upstream.
+
+Mac requires the unicode flag to be set for cifs, even for the smb
+echo request (which doesn't have strings).
+
+Without this Mac rejects the periodic echo requests (when mounting
+with cifs) that we use to check if server is down
+
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifssmb.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -717,6 +717,9 @@ CIFSSMBEcho(struct TCP_Server_Info *serv
+       if (rc)
+               return rc;
++      if (server->capabilities & CAP_UNICODE)
++              smb->hdr.Flags2 |= SMBFLG2_UNICODE;
++
+       /* set up echo request */
+       smb->hdr.Tid = 0xffff;
+       smb->hdr.WordCount = 1;
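Review bot: The reason for setting `SMBFLG2_UNICODE` on a request that carries no strings is recorded only in the commit message, so the two added lines in `CIFSSMBEcho` look redundant to a later reader and are at risk of being removed as cleanup. A one-line comment above the test would keep the interoperability reason with the code, for example `/* Mac servers reject echo without the unicode flag, even though echo has no strings */`. The rest of the function is outside the hunk.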
diff --git a/queue-4.4/smb3-work-around-mount-failure-when-using-smb3-dialect-to-macs.patch b/queue-4.4/smb3-work-around-mount-failure-when-using-smb3-dialect-to-macs.patch
new file mode 100644 (file)
index 0000000..1f0f760
--- /dev/null
@@ -0,0 +1,55 @@
+From 7db0a6efdc3e990cdfd4b24820d010e9eb7890ad Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Wed, 3 May 2017 21:12:20 -0500
+Subject: SMB3: Work around mount failure when using SMB3 dialect to Macs
+
+From: Steve French <smfrench@gmail.com>
+
+commit 7db0a6efdc3e990cdfd4b24820d010e9eb7890ad upstream.
+
+Macs send the maximum buffer size in response on ioctl to validate
+negotiate security information, which causes us to fail the mount
+as the response buffer is larger than the expected response.
+
+Changed ioctl response processing to allow for padding of validate
+negotiate ioctl response and limit the maximum response size to
+maximum buffer size.
+
+Signed-off-by: Steve French <steve.french@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c |   14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -564,8 +564,12 @@ int smb3_validate_negotiate(const unsign
+       }
+       if (rsplen != sizeof(struct validate_negotiate_info_rsp)) {
+-              cifs_dbg(VFS, "invalid size of protocol negotiate response\n");
+-              return -EIO;
++              cifs_dbg(VFS, "invalid protocol negotiate response size: %d\n",
++                       rsplen);
++
++              /* relax check since Mac returns max bufsize allowed on ioctl */
++              if (rsplen > CIFSMaxBufSize)
++                      return -EIO;
+       }
+       /* check validate negotiate info response matches what we got earlier */
+@@ -1518,8 +1522,12 @@ SMB2_ioctl(const unsigned int xid, struc
+        * than one credit. Windows typically sets this smaller, but for some
+        * ioctls it may be useful to allow server to send more. No point
+        * limiting what the server can send as long as fits in one credit
++       * Unfortunately - we can not handle more than CIFS_MAX_MSG_SIZE
++       * (by default, note that it can be overridden to make max larger)
++       * in responses (except for read responses which can be bigger.
++       * We may want to bump this limit up
+        */
+-      req->MaxOutputResponse = cpu_to_le32(0xFF00); /* < 64K uses 1 credit */
++      req->MaxOutputResponse = cpu_to_le32(CIFSMaxBufSize);
+       if (is_fsctl)
+               req->Flags = cpu_to_le32(SMB2_0_IOCTL_IS_FSCTL);
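Review bot: In `smb3_validate_negotiate` the relaxed check now rejects only `rsplen > CIFSMaxBufSize`, so a response shorter than `struct validate_negotiate_info_rsp` is accepted. The comparison announced by the following comment ("check validate negotiate info response matches what we got earlier") would then read response fields beyond what the server actually returned. Since this ioctl exists to detect a tampered negotiate, the lower bound should stay strict: `if (rsplen > CIFSMaxBufSize || rsplen < sizeof(struct validate_negotiate_info_rsp)) return -EIO;`. Separately, in the `SMB2_ioctl` hunk the removed `/* < 64K uses 1 credit */` remark no longer has a counterpart; if `CIFSMaxBufSize` can be configured above 64K, the one-credit assumption in the surrounding comment should be rechecked. Both function bodies extend outside their hunks.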