--- /dev/null
+From a397ba829d7f8aff4c90af3704573a28ccd61a59 Mon Sep 17 00:00:00 2001
+From: Marcelo Cerri <marcelo.cerri@canonical.com>
+Date: Wed, 28 Sep 2016 13:42:09 -0300
+Subject: crypto: ghash-generic - move common definitions to a new header file
+
+From: Marcelo Cerri <marcelo.cerri@canonical.com>
+
+commit a397ba829d7f8aff4c90af3704573a28ccd61a59 upstream.
+
+Move common values and types used by ghash-generic to a new header file
+so drivers can directly use ghash-generic as a fallback implementation.
+
+Fixes: cc333cd68dfa ("crypto: vmx - Adding GHASH routines for VMX module")
+Signed-off-by: Marcelo Cerri <marcelo.cerri@canonical.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/ghash-generic.c | 13 +------------
+ include/crypto/ghash.h | 23 +++++++++++++++++++++++
+ 2 files changed, 24 insertions(+), 12 deletions(-)
+
+--- a/crypto/ghash-generic.c
++++ b/crypto/ghash-generic.c
+@@ -14,24 +14,13 @@
+
+ #include <crypto/algapi.h>
+ #include <crypto/gf128mul.h>
++#include <crypto/ghash.h>
+ #include <crypto/internal/hash.h>
+ #include <linux/crypto.h>
+ #include <linux/init.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+
+-#define GHASH_BLOCK_SIZE 16
+-#define GHASH_DIGEST_SIZE 16
+-
+-struct ghash_ctx {
+- struct gf128mul_4k *gf128;
+-};
+-
+-struct ghash_desc_ctx {
+- u8 buffer[GHASH_BLOCK_SIZE];
+- u32 bytes;
+-};
+-
+ static int ghash_init(struct shash_desc *desc)
+ {
+ struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
+--- /dev/null
++++ b/include/crypto/ghash.h
+@@ -0,0 +1,23 @@
++/*
++ * Common values for GHASH algorithms
++ */
++
++#ifndef __CRYPTO_GHASH_H__
++#define __CRYPTO_GHASH_H__
++
++#include <linux/types.h>
++#include <crypto/gf128mul.h>
++
++#define GHASH_BLOCK_SIZE 16
++#define GHASH_DIGEST_SIZE 16
++
++struct ghash_ctx {
++ struct gf128mul_4k *gf128;
++};
++
++struct ghash_desc_ctx {
++ u8 buffer[GHASH_BLOCK_SIZE];
++ u32 bytes;
++};
++
++#endif
--- /dev/null
+From 80da44c29d997e28c4442825f35f4ac339813877 Mon Sep 17 00:00:00 2001
+From: Marcelo Cerri <marcelo.cerri@canonical.com>
+Date: Wed, 28 Sep 2016 13:42:10 -0300
+Subject: crypto: vmx - Fix memory corruption caused by p8_ghash
+
+From: Marcelo Cerri <marcelo.cerri@canonical.com>
+
+commit 80da44c29d997e28c4442825f35f4ac339813877 upstream.
+
+This patch changes the p8_ghash driver to use ghash-generic as a fixed
+fallback implementation. This allows the correct value of descsize to be
+defined directly in its shash_alg structure and avoids problems with
+incorrect buffer sizes when its state is exported or imported.
+
+Reported-by: Jan Stancek <jstancek@redhat.com>
+Fixes: cc333cd68dfa ("crypto: vmx - Adding GHASH routines for VMX module")
+Signed-off-by: Marcelo Cerri <marcelo.cerri@canonical.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/vmx/ghash.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+--- a/drivers/crypto/vmx/ghash.c
++++ b/drivers/crypto/vmx/ghash.c
+@@ -26,16 +26,13 @@
+ #include <linux/hardirq.h>
+ #include <asm/switch_to.h>
+ #include <crypto/aes.h>
++#include <crypto/ghash.h>
+ #include <crypto/scatterwalk.h>
+ #include <crypto/internal/hash.h>
+ #include <crypto/b128ops.h>
+
+ #define IN_INTERRUPT in_interrupt()
+
+-#define GHASH_BLOCK_SIZE (16)
+-#define GHASH_DIGEST_SIZE (16)
+-#define GHASH_KEY_LEN (16)
+-
+ void gcm_init_p8(u128 htable[16], const u64 Xi[2]);
+ void gcm_gmult_p8(u64 Xi[2], const u128 htable[16]);
+ void gcm_ghash_p8(u64 Xi[2], const u128 htable[16],
+@@ -55,16 +52,11 @@ struct p8_ghash_desc_ctx {
+
+ static int p8_ghash_init_tfm(struct crypto_tfm *tfm)
+ {
+- const char *alg;
++ const char *alg = "ghash-generic";
+ struct crypto_shash *fallback;
+ struct crypto_shash *shash_tfm = __crypto_shash_cast(tfm);
+ struct p8_ghash_ctx *ctx = crypto_tfm_ctx(tfm);
+
+- if (!(alg = crypto_tfm_alg_name(tfm))) {
+- printk(KERN_ERR "Failed to get algorithm name.\n");
+- return -ENOENT;
+- }
+-
+ fallback = crypto_alloc_shash(alg, 0, CRYPTO_ALG_NEED_FALLBACK);
+ if (IS_ERR(fallback)) {
+ printk(KERN_ERR
+@@ -78,10 +70,18 @@ static int p8_ghash_init_tfm(struct cryp
+ crypto_shash_set_flags(fallback,
+ crypto_shash_get_flags((struct crypto_shash
+ *) tfm));
+- ctx->fallback = fallback;
+
+- shash_tfm->descsize = sizeof(struct p8_ghash_desc_ctx)
+- + crypto_shash_descsize(fallback);
++ /* Check if the descsize defined in the algorithm is still enough. */
++ if (shash_tfm->descsize < sizeof(struct p8_ghash_desc_ctx)
++ + crypto_shash_descsize(fallback)) {
++ printk(KERN_ERR
++ "Desc size of the fallback implementation (%s) does not match the expected value: %lu vs %u\n",
++ alg,
++ shash_tfm->descsize - sizeof(struct p8_ghash_desc_ctx),
++ crypto_shash_descsize(fallback));
++ return -EINVAL;
++ }
++ ctx->fallback = fallback;
+
+ return 0;
+ }
+@@ -113,7 +113,7 @@ static int p8_ghash_setkey(struct crypto
+ {
+ struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(tfm));
+
+- if (keylen != GHASH_KEY_LEN)
++ if (keylen != GHASH_BLOCK_SIZE)
+ return -EINVAL;
+
+ preempt_disable();
+@@ -215,7 +215,8 @@ struct shash_alg p8_ghash_alg = {
+ .update = p8_ghash_update,
+ .final = p8_ghash_final,
+ .setkey = p8_ghash_setkey,
+- .descsize = sizeof(struct p8_ghash_desc_ctx),
++ .descsize = sizeof(struct p8_ghash_desc_ctx)
++ + sizeof(struct ghash_desc_ctx),
+ .base = {
+ .cra_name = "ghash",
+ .cra_driver_name = "p8_ghash",
--- /dev/null
+From 3a8db79889ce16930aff19b818f5b09651bb7644 Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Sat, 8 Oct 2016 10:14:37 -0300
+Subject: dlm: free workqueues after the connections
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+commit 3a8db79889ce16930aff19b818f5b09651bb7644 upstream.
+
+After backporting commit ee44b4bc054a ("dlm: use sctp 1-to-1 API")
+series to a kernel with an older workqueue which didn't use RCU yet, it
+was noticed that we are freeing the workqueues in dlm_lowcomms_stop()
+too early as free_conn() will try to access that memory for canceling
+the queued works if any.
+
+This issue was introduced by commit 0d737a8cfd83 as before it such
+attempt to cancel the queued works wasn't performed, so the issue was
+not present.
+
+This patch fixes it by simply inverting the free order.
+
+Fixes: 0d737a8cfd83 ("dlm: fix race while closing connections")
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dlm/lowcomms.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/fs/dlm/lowcomms.c
++++ b/fs/dlm/lowcomms.c
+@@ -1607,16 +1607,12 @@ void dlm_lowcomms_stop(void)
+ mutex_lock(&connections_lock);
+ dlm_allow_conn = 0;
+ foreach_conn(stop_conn);
++ clean_writequeues();
++ foreach_conn(free_conn);
+ mutex_unlock(&connections_lock);
+
+ work_stop();
+
+- mutex_lock(&connections_lock);
+- clean_writequeues();
+-
+- foreach_conn(free_conn);
+-
+- mutex_unlock(&connections_lock);
+ kmem_cache_destroy(con_cache);
+ }
+
--- /dev/null
+From cca32b7eeb4ea24fa6596650e06279ad9130af98 Mon Sep 17 00:00:00 2001
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+Date: Thu, 22 Sep 2016 11:49:38 -0400
+Subject: ext4: allow DAX writeback for hole punch
+
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+
+commit cca32b7eeb4ea24fa6596650e06279ad9130af98 upstream.
+
+Currently when doing a DAX hole punch with ext4 we fail to do a writeback.
+This is because the logic around filemap_write_and_wait_range() in
+ext4_punch_hole() only looks for dirty page cache pages in the radix tree,
+not for dirty DAX exceptional entries.
+
+Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -3645,7 +3645,7 @@ int ext4_update_disksize_before_punch(st
+ }
+
+ /*
+- * ext4_punch_hole: punches a hole in a file by releaseing the blocks
++ * ext4_punch_hole: punches a hole in a file by releasing the blocks
+ * associated with the given offset and length
+ *
+ * @inode: File inode
+@@ -3674,7 +3674,7 @@ int ext4_punch_hole(struct inode *inode,
+ * Write out all dirty pages to avoid race conditions
+ * Then release them.
+ */
+- if (mapping->nrpages && mapping_tagged(mapping, PAGECACHE_TAG_DIRTY)) {
++ if (mapping_tagged(mapping, PAGECACHE_TAG_DIRTY)) {
+ ret = filemap_write_and_wait_range(mapping, offset,
+ offset + length - 1);
+ if (ret)
--- /dev/null
+From 14fbd4aa613bd5110556c281799ce36dc6f3ba97 Mon Sep 17 00:00:00 2001
+From: Eric Whitney <enwlinux@gmail.com>
+Date: Mon, 29 Aug 2016 15:45:11 -0400
+Subject: ext4: enforce online defrag restriction for encrypted files
+
+From: Eric Whitney <enwlinux@gmail.com>
+
+commit 14fbd4aa613bd5110556c281799ce36dc6f3ba97 upstream.
+
+Online defragging of encrypted files is not currently implemented.
+However, the move extent ioctl can still return successfully when
+called. For example, this occurs when xfstest ext4/020 is run on an
+encrypted file system, resulting in a corrupted test file and a
+corresponding test failure.
+
+Until the proper functionality is implemented, fail the move extent
+ioctl if either the original or donor file is encrypted.
+
+Signed-off-by: Eric Whitney <enwlinux@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/move_extent.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/ext4/move_extent.c
++++ b/fs/ext4/move_extent.c
+@@ -598,6 +598,13 @@ ext4_move_extents(struct file *o_filp, s
+ return -EOPNOTSUPP;
+ }
+
++ if (ext4_encrypted_inode(orig_inode) ||
++ ext4_encrypted_inode(donor_inode)) {
++ ext4_msg(orig_inode->i_sb, KERN_ERR,
++ "Online defrag not supported for encrypted files");
++ return -EOPNOTSUPP;
++ }
++
+ /* Protect orig and donor inodes against a truncate */
+ lock_two_nondirectories(orig_inode, donor_inode);
+
--- /dev/null
+From edf15aa180d7b98fe16bd3eda42f9dd0e60dee20 Mon Sep 17 00:00:00 2001
+From: Fabian Frederick <fabf@skynet.be>
+Date: Thu, 15 Sep 2016 11:39:52 -0400
+Subject: ext4: fix memory leak in ext4_insert_range()
+
+From: Fabian Frederick <fabf@skynet.be>
+
+commit edf15aa180d7b98fe16bd3eda42f9dd0e60dee20 upstream.
+
+Running xfstests generic/013 with kmemleak gives the following:
+
+unreferenced object 0xffff8801d3d27de0 (size 96):
+ comm "fsstress", pid 4941, jiffies 4294860168 (age 53.485s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff818eaaf3>] kmemleak_alloc+0x23/0x40
+ [<ffffffff81179805>] __kmalloc+0xf5/0x1d0
+ [<ffffffff8122ef5c>] ext4_find_extent+0x1ec/0x2f0
+ [<ffffffff8123530c>] ext4_insert_range+0x34c/0x4a0
+ [<ffffffff81235942>] ext4_fallocate+0x4e2/0x8b0
+ [<ffffffff81181334>] vfs_fallocate+0x134/0x210
+ [<ffffffff8118203f>] SyS_fallocate+0x3f/0x60
+ [<ffffffff818efa9b>] entry_SYSCALL_64_fastpath+0x13/0x8f
+ [<ffffffffffffffff>] 0xffffffffffffffff
+
+Problem seems mitigated by dropping refs and freeing path
+when there's no path[depth].p_ext
+
+Signed-off-by: Fabian Frederick <fabf@skynet.be>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/extents.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -5738,6 +5738,9 @@ int ext4_insert_range(struct inode *inod
+ up_write(&EXT4_I(inode)->i_data_sem);
+ goto out_stop;
+ }
++ } else {
++ ext4_ext_drop_refs(path);
++ kfree(path);
+ }
+
+ ret = ext4_es_remove_extent(inode, offset_lblk,
--- /dev/null
+From 93e3b4e6631d2a74a8cf7429138096862ff9f452 Mon Sep 17 00:00:00 2001
+From: Daeho Jeong <daeho.jeong@samsung.com>
+Date: Mon, 5 Sep 2016 22:56:10 -0400
+Subject: ext4: reinforce check of i_dtime when clearing high fields of uid and gid
+
+From: Daeho Jeong <daeho.jeong@samsung.com>
+
+commit 93e3b4e6631d2a74a8cf7429138096862ff9f452 upstream.
+
+Now, ext4_do_update_inode() clears high 16-bit fields of uid/gid
+of deleted and evicted inode to fix up interoperability with old
+kernels. However, it checks only i_dtime of an inode to determine
+whether the inode was deleted and evicted, and this is very risky,
+because i_dtime can be used for the pointer maintaining orphan inode
+list, too. We need to further check whether the i_dtime is being
+used for the orphan inode list even if the i_dtime is not NULL.
+
+We found that high 16-bit fields of uid/gid of inode are unintentionally
+and permanently cleared when the inode truncation is just triggered,
+but not finished, and the inode metadata, whose high uid/gid bits are
+cleared, is written on disk, and the sudden power-off follows that
+in order.
+
+Signed-off-by: Daeho Jeong <daeho.jeong@samsung.com>
+Signed-off-by: Hobin Woo <hobin.woo@samsung.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -4549,14 +4549,14 @@ static int ext4_do_update_inode(handle_t
+ * Fix up interoperability with old kernels. Otherwise, old inodes get
+ * re-used with the upper 16 bits of the uid/gid intact
+ */
+- if (!ei->i_dtime) {
++ if (ei->i_dtime && list_empty(&ei->i_orphan)) {
++ raw_inode->i_uid_high = 0;
++ raw_inode->i_gid_high = 0;
++ } else {
+ raw_inode->i_uid_high =
+ cpu_to_le16(high_16_bits(i_uid));
+ raw_inode->i_gid_high =
+ cpu_to_le16(high_16_bits(i_gid));
+- } else {
+- raw_inode->i_uid_high = 0;
+- raw_inode->i_gid_high = 0;
+ }
+ } else {
+ raw_inode->i_uid_low = cpu_to_le16(fs_high2lowuid(i_uid));
--- /dev/null
+From e81d44778d1d57bbaef9e24c4eac7c8a7a401d40 Mon Sep 17 00:00:00 2001
+From: gmail <yngsion@gmail.com>
+Date: Fri, 30 Sep 2016 01:33:37 -0400
+Subject: ext4: release bh in make_indexed_dir
+
+From: gmail <yngsion@gmail.com>
+
+commit e81d44778d1d57bbaef9e24c4eac7c8a7a401d40 upstream.
+
+The commit 6050d47adcad: "ext4: bail out from make_indexed_dir() on
+first error" could end up leaking bh2 in the error path.
+
+[ Also avoid renaming bh2 to bh, which just confuses things --tytso ]
+
+Signed-off-by: yangsheng <yngsion@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/namei.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2017,33 +2017,31 @@ static int make_indexed_dir(handle_t *ha
+ frame->entries = entries;
+ frame->at = entries;
+ frame->bh = bh;
+- bh = bh2;
+
+ retval = ext4_handle_dirty_dx_node(handle, dir, frame->bh);
+ if (retval)
+ goto out_frames;
+- retval = ext4_handle_dirty_dirent_node(handle, dir, bh);
++ retval = ext4_handle_dirty_dirent_node(handle, dir, bh2);
+ if (retval)
+ goto out_frames;
+
+- de = do_split(handle,dir, &bh, frame, &fname->hinfo);
++ de = do_split(handle,dir, &bh2, frame, &fname->hinfo);
+ if (IS_ERR(de)) {
+ retval = PTR_ERR(de);
+ goto out_frames;
+ }
+- dx_release(frames);
+
+- retval = add_dirent_to_buf(handle, fname, dir, inode, de, bh);
+- brelse(bh);
+- return retval;
++ retval = add_dirent_to_buf(handle, fname, dir, inode, de, bh2);
+ out_frames:
+ /*
+ * Even if the block split failed, we have to properly write
+ * out all the changes we did so far. Otherwise we can end up
+ * with corrupted filesystem.
+ */
+- ext4_mark_inode_dirty(handle, dir);
++ if (retval)
++ ext4_mark_inode_dirty(handle, dir);
+ dx_release(frames);
++ brelse(bh2);
+ return retval;
+ }
+
--- /dev/null
+From 7bc2b55a5c030685b399bb65b6baa9ccc3d1f167 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 15 Sep 2016 16:44:56 +0300
+Subject: scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 7bc2b55a5c030685b399bb65b6baa9ccc3d1f167 upstream.
+
+We need to put an upper bound on "user_len" so the memcpy() doesn't
+overflow.
+
+Reported-by: Marco Grassi <marco.gra@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Tomas Henzl <thenzl@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/arcmsr/arcmsr_hba.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/arcmsr/arcmsr_hba.c
++++ b/drivers/scsi/arcmsr/arcmsr_hba.c
+@@ -2297,7 +2297,8 @@ static int arcmsr_iop_message_xfer(struc
+ }
+ case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
+ unsigned char *ver_addr;
+- int32_t user_len, cnt2end;
++ uint32_t user_len;
++ int32_t cnt2end;
+ uint8_t *pQbuffer, *ptmpuserbuffer;
+ ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
+ if (!ver_addr) {
+@@ -2306,6 +2307,11 @@ static int arcmsr_iop_message_xfer(struc
+ }
+ ptmpuserbuffer = ver_addr;
+ user_len = pcmdmessagefld->cmdmessage.Length;
++ if (user_len > ARCMSR_API_DATA_BUFLEN) {
++ retvalue = ARCMSR_MESSAGE_FAIL;
++ kfree(ver_addr);
++ goto message_out;
++ }
+ memcpy(ptmpuserbuffer,
+ pcmdmessagefld->messagedatabuffer, user_len);
+ spin_lock_irqsave(&acb->wqbuffer_lock, flags);
--- /dev/null
+From 4bd173c30792791a6daca8c64793ec0a4ae8324f Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@alien8.de>
+Date: Fri, 23 Sep 2016 13:22:26 +0200
+Subject: scsi: arcmsr: Simplify user_len checking
+
+From: Borislav Petkov <bp@alien8.de>
+
+commit 4bd173c30792791a6daca8c64793ec0a4ae8324f upstream.
+
+Do the user_len check first and then the ver_addr allocation so that we
+can save us the kfree() on the error path when user_len is >
+ARCMSR_API_DATA_BUFLEN.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Marco Grassi <marco.gra@gmail.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Tomas Henzl <thenzl@redhat.com>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Reviewed-by: Tomas Henzl <thenzl@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/arcmsr/arcmsr_hba.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/scsi/arcmsr/arcmsr_hba.c
++++ b/drivers/scsi/arcmsr/arcmsr_hba.c
+@@ -2300,18 +2300,20 @@ static int arcmsr_iop_message_xfer(struc
+ uint32_t user_len;
+ int32_t cnt2end;
+ uint8_t *pQbuffer, *ptmpuserbuffer;
+- ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
+- if (!ver_addr) {
++
++ user_len = pcmdmessagefld->cmdmessage.Length;
++ if (user_len > ARCMSR_API_DATA_BUFLEN) {
+ retvalue = ARCMSR_MESSAGE_FAIL;
+ goto message_out;
+ }
+- ptmpuserbuffer = ver_addr;
+- user_len = pcmdmessagefld->cmdmessage.Length;
+- if (user_len > ARCMSR_API_DATA_BUFLEN) {
++
++ ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
++ if (!ver_addr) {
+ retvalue = ARCMSR_MESSAGE_FAIL;
+- kfree(ver_addr);
+ goto message_out;
+ }
++ ptmpuserbuffer = ver_addr;
++
+ memcpy(ptmpuserbuffer,
+ pcmdmessagefld->messagedatabuffer, user_len);
+ spin_lock_irqsave(&acb->wqbuffer_lock, flags);
--- /dev/null
+From 07d0e9a847401ffd2f09bd450d41644cd090e81d Mon Sep 17 00:00:00 2001
+From: Brian King <brking@linux.vnet.ibm.com>
+Date: Mon, 19 Sep 2016 08:59:19 -0500
+Subject: scsi: ibmvfc: Fix I/O hang when port is not mapped
+
+From: Brian King <brking@linux.vnet.ibm.com>
+
+commit 07d0e9a847401ffd2f09bd450d41644cd090e81d upstream.
+
+If a VFC port gets unmapped in the VIOS, it may not respond with a CRQ
+init complete following H_REG_CRQ. If this occurs, we can end up having
+called scsi_block_requests and not a resulting unblock until the init
+complete happens, which may never occur, and we end up hanging I/O
+requests. This patch ensures the host action stay set to
+IBMVFC_HOST_ACTION_TGT_DEL so we move all rports into devloss state and
+unblock unless we receive an init complete.
+
+Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
+Acked-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ibmvscsi/ibmvfc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/scsi/ibmvscsi/ibmvfc.c
++++ b/drivers/scsi/ibmvscsi/ibmvfc.c
+@@ -717,7 +717,6 @@ static int ibmvfc_reset_crq(struct ibmvf
+ spin_lock_irqsave(vhost->host->host_lock, flags);
+ vhost->state = IBMVFC_NO_CRQ;
+ vhost->logged_in = 0;
+- ibmvfc_set_host_action(vhost, IBMVFC_HOST_ACTION_NONE);
+
+ /* Clean out the queue */
+ memset(crq->msgs, 0, PAGE_SIZE);
reiserfs-unlock-superblock-before-calling-reiserfs_quota_on_mount.patch
reiserfs-switch-to-generic_-get-set-remove-xattr.patch
async_pq_val-fix-dma-memory-leak.patch
+scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xfer.patch
+scsi-arcmsr-simplify-user_len-checking.patch
+scsi-ibmvfc-fix-i-o-hang-when-port-is-not-mapped.patch
+ext4-enforce-online-defrag-restriction-for-encrypted-files.patch
+ext4-reinforce-check-of-i_dtime-when-clearing-high-fields-of-uid-and-gid.patch
+ext4-fix-memory-leak-in-ext4_insert_range.patch
+ext4-allow-dax-writeback-for-hole-punch.patch
+ext4-release-bh-in-make_indexed_dir.patch
+crypto-ghash-generic-move-common-definitions-to-a-new-header-file.patch
+crypto-vmx-fix-memory-corruption-caused-by-p8_ghash.patch
+dlm-free-workqueues-after-the-connections.patch
+vfs-move-permission-checking-into-notify_change-for-utimes-null.patch
--- /dev/null
+From f2b20f6ee842313a0d681dbbf7f87b70291a6a3b Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Fri, 16 Sep 2016 12:44:20 +0200
+Subject: vfs: move permission checking into notify_change() for utimes(NULL)
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit f2b20f6ee842313a0d681dbbf7f87b70291a6a3b upstream.
+
+This fixes a bug where the permission was not properly checked in
+overlayfs. The testcase is ltp/utimensat01.
+
+It is also cleaner and safer to do the permission checking in the vfs
+helper instead of the caller.
+
+This patch introduces an additional ia_valid flag ATTR_TOUCH (since
+touch(1) is the most obvious user of utimes(NULL)) that is passed into
+notify_change whenever the conditions for this special permission checking
+mode are met.
+
+Reported-by: Aihua Zhang <zhangaihua1@huawei.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Tested-by: Aihua Zhang <zhangaihua1@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/attr.c | 15 +++++++++++++++
+ fs/utimes.c | 16 +---------------
+ include/linux/fs.h | 1 +
+ 3 files changed, 17 insertions(+), 15 deletions(-)
+
+--- a/fs/attr.c
++++ b/fs/attr.c
+@@ -202,6 +202,21 @@ int notify_change(struct dentry * dentry
+ return -EPERM;
+ }
+
++ /*
++ * If utimes(2) and friends are called with times == NULL (or both
++ * times are UTIME_NOW), then we need to check for write permission
++ */
++ if (ia_valid & ATTR_TOUCH) {
++ if (IS_IMMUTABLE(inode))
++ return -EPERM;
++
++ if (!inode_owner_or_capable(inode)) {
++ error = inode_permission(inode, MAY_WRITE);
++ if (error)
++ return error;
++ }
++ }
++
+ if ((ia_valid & ATTR_MODE)) {
+ umode_t amode = attr->ia_mode;
+ /* Flag setting protected by i_mutex */
+--- a/fs/utimes.c
++++ b/fs/utimes.c
+@@ -87,20 +87,7 @@ static int utimes_common(struct path *pa
+ */
+ newattrs.ia_valid |= ATTR_TIMES_SET;
+ } else {
+- /*
+- * If times is NULL (or both times are UTIME_NOW),
+- * then we need to check permissions, because
+- * inode_change_ok() won't do it.
+- */
+- error = -EACCES;
+- if (IS_IMMUTABLE(inode))
+- goto mnt_drop_write_and_out;
+-
+- if (!inode_owner_or_capable(inode)) {
+- error = inode_permission(inode, MAY_WRITE);
+- if (error)
+- goto mnt_drop_write_and_out;
+- }
++ newattrs.ia_valid |= ATTR_TOUCH;
+ }
+ retry_deleg:
+ mutex_lock(&inode->i_mutex);
+@@ -112,7 +99,6 @@ retry_deleg:
+ goto retry_deleg;
+ }
+
+-mnt_drop_write_and_out:
+ mnt_drop_write(path->mnt);
+ out:
+ return error;
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -226,6 +226,7 @@ typedef void (dax_iodone_t)(struct buffe
+ #define ATTR_KILL_PRIV (1 << 14)
+ #define ATTR_OPEN (1 << 15) /* Truncating from open(O_TRUNC) */
+ #define ATTR_TIMES_SET (1 << 16)
++#define ATTR_TOUCH (1 << 17)
+
+ /*
+ * Whiteout is represented by a char device. The following constants define the
projects / thirdparty / kernel / stable-queue.git / commitdiff
