4.7-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 12 Sep 2016 13:06:53 +0000 (15:06 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 12 Sep 2016 13:06:53 +0000 (15:06 +0200)
added patches:
bcache-reserve_prio-is-too-small-by-one-when-prio_buckets-is-a-power-of-two.patch
bdev-fix-null-pointer-dereference.patch
irqchip-mips-gic-cleanup-chip-and-handler-setup.patch
irqchip-mips-gic-implement-activate-op-for-device-domain.patch
mei-me-disable-driver-on-spt-sps-firmware.patch
ovl-don-t-copy-up-opaqueness.patch
ovl-fix-workdir-creation.patch
ovl-listxattr-use-strnlen.patch
ovl-proper-cleanup-of-workdir.patch
ovl-remove-posix_acl_default-from-workdir.patch
ubifs-fix-assertion-in-layout_in_gaps.patch
ubifs-fix-xattr-generic-handler-usage.patch
vhost-scsi-fix-reuse-of-vq-iov-in-response.patch
x86-apic-do-not-init-irq-remapping-if-ioapic-is-disabled.patch

15 files changed:
queue-4.7/bcache-reserve_prio-is-too-small-by-one-when-prio_buckets-is-a-power-of-two.patch [new file with mode: 0644]
queue-4.7/bdev-fix-null-pointer-dereference.patch [new file with mode: 0644]
queue-4.7/irqchip-mips-gic-cleanup-chip-and-handler-setup.patch [new file with mode: 0644]
queue-4.7/irqchip-mips-gic-implement-activate-op-for-device-domain.patch [new file with mode: 0644]
queue-4.7/mei-me-disable-driver-on-spt-sps-firmware.patch [new file with mode: 0644]
queue-4.7/ovl-don-t-copy-up-opaqueness.patch [new file with mode: 0644]
queue-4.7/ovl-fix-workdir-creation.patch [new file with mode: 0644]
queue-4.7/ovl-listxattr-use-strnlen.patch [new file with mode: 0644]
queue-4.7/ovl-proper-cleanup-of-workdir.patch [new file with mode: 0644]
queue-4.7/ovl-remove-posix_acl_default-from-workdir.patch [new file with mode: 0644]
queue-4.7/series
queue-4.7/ubifs-fix-assertion-in-layout_in_gaps.patch [new file with mode: 0644]
queue-4.7/ubifs-fix-xattr-generic-handler-usage.patch [new file with mode: 0644]
queue-4.7/vhost-scsi-fix-reuse-of-vq-iov-in-response.patch [new file with mode: 0644]
queue-4.7/x86-apic-do-not-init-irq-remapping-if-ioapic-is-disabled.patch [new file with mode: 0644]

diff --git a/queue-4.7/bcache-reserve_prio-is-too-small-by-one-when-prio_buckets-is-a-power-of-two.patch b/queue-4.7/bcache-reserve_prio-is-too-small-by-one-when-prio_buckets-is-a-power-of-two.patch
new file mode 100644 (file)
index 0000000..11cb689
--- /dev/null
@@ -0,0 +1,70 @@
+From acc9cf8c66c66b2cbbdb4a375537edee72be64df Mon Sep 17 00:00:00 2001
+From: Kent Overstreet <kent.overstreet@gmail.com>
+Date: Wed, 17 Aug 2016 18:21:24 -0700
+Subject: bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power of two.
+
+From: Kent Overstreet <kent.overstreet@gmail.com>
+
+commit acc9cf8c66c66b2cbbdb4a375537edee72be64df upstream.
+
+This patch fixes a cachedev registration-time allocation deadlock.
+This can deadlock on boot if your initrd auto-registeres bcache devices:
+
+Allocator thread:
+[  720.727614] INFO: task bcache_allocato:3833 blocked for more than 120 seconds.
+[  720.732361]  [<ffffffff816eeac7>] schedule+0x37/0x90
+[  720.732963]  [<ffffffffa05192b8>] bch_bucket_alloc+0x188/0x360 [bcache]
+[  720.733538]  [<ffffffff810e6950>] ? prepare_to_wait_event+0xf0/0xf0
+[  720.734137]  [<ffffffffa05302bd>] bch_prio_write+0x19d/0x340 [bcache]
+[  720.734715]  [<ffffffffa05190bf>] bch_allocator_thread+0x3ff/0x470 [bcache]
+[  720.735311]  [<ffffffff816ee41c>] ? __schedule+0x2dc/0x950
+[  720.735884]  [<ffffffffa0518cc0>] ? invalidate_buckets+0x980/0x980 [bcache]
+
+Registration thread:
+[  720.710403] INFO: task bash:3531 blocked for more than 120 seconds.
+[  720.715226]  [<ffffffff816eeac7>] schedule+0x37/0x90
+[  720.715805]  [<ffffffffa05235cd>] __bch_btree_map_nodes+0x12d/0x150 [bcache]
+[  720.716409]  [<ffffffffa0522d30>] ? bch_btree_insert_check_key+0x1c0/0x1c0 [bcache]
+[  720.717008]  [<ffffffffa05236e4>] bch_btree_insert+0xf4/0x170 [bcache]
+[  720.717586]  [<ffffffff810e6950>] ? prepare_to_wait_event+0xf0/0xf0
+[  720.718191]  [<ffffffffa0527d9a>] bch_journal_replay+0x14a/0x290 [bcache]
+[  720.718766]  [<ffffffff810cc90d>] ? ttwu_do_activate.constprop.94+0x5d/0x70
+[  720.719369]  [<ffffffff810cf684>] ? try_to_wake_up+0x1d4/0x350
+[  720.719968]  [<ffffffffa05317d0>] run_cache_set+0x580/0x8e0 [bcache]
+[  720.720553]  [<ffffffffa053302e>] register_bcache+0xe2e/0x13b0 [bcache]
+[  720.721153]  [<ffffffff81354cef>] kobj_attr_store+0xf/0x20
+[  720.721730]  [<ffffffff812a2dad>] sysfs_kf_write+0x3d/0x50
+[  720.722327]  [<ffffffff812a225a>] kernfs_fop_write+0x12a/0x180
+[  720.722904]  [<ffffffff81225177>] __vfs_write+0x37/0x110
+[  720.723503]  [<ffffffff81228048>] ? __sb_start_write+0x58/0x110
+[  720.724100]  [<ffffffff812cedb3>] ? security_file_permission+0x23/0xa0
+[  720.724675]  [<ffffffff812258a9>] vfs_write+0xa9/0x1b0
+[  720.725275]  [<ffffffff8102479c>] ? do_audit_syscall_entry+0x6c/0x70
+[  720.725849]  [<ffffffff81226755>] SyS_write+0x55/0xd0
+[  720.726451]  [<ffffffff8106a390>] ? do_page_fault+0x30/0x80
+[  720.727045]  [<ffffffff816f2cae>] system_call_fastpath+0x12/0x71
+
+The fifo code in upstream bcache can't use the last element in the buffer,
+which was the cause of the bug: if you asked for a power of two size,
+it'd give you a fifo that could hold one less than what you asked for
+rather than allocating a buffer twice as big.
+
+Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
+Tested-by: Eric Wheeler <bcache@linux.ewheeler.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/super.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1818,7 +1818,7 @@ static int cache_alloc(struct cache_sb *
+       free = roundup_pow_of_two(ca->sb.nbuckets) >> 10;
+       if (!init_fifo(&ca->free[RESERVE_BTREE], 8, GFP_KERNEL) ||
+-          !init_fifo(&ca->free[RESERVE_PRIO], prio_buckets(ca), GFP_KERNEL) ||
++          !init_fifo_exact(&ca->free[RESERVE_PRIO], prio_buckets(ca), GFP_KERNEL) ||
+           !init_fifo(&ca->free[RESERVE_MOVINGGC], free, GFP_KERNEL) ||
+           !init_fifo(&ca->free[RESERVE_NONE], free, GFP_KERNEL) ||
+           !init_fifo(&ca->free_inc,   free << 2, GFP_KERNEL) ||
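Review bot: The switch to `init_fifo_exact()` for RESERVE_PRIO carries no comment in cache_alloc(), and the neighbouring reserves still call `init_fifo()`, so nothing in the code says why this one line differs. A comment above the call such as `/* RESERVE_PRIO must hold exactly prio_buckets(ca) entries; init_fifo() holds one fewer for power-of-two sizes */` would record the reason given in the commit message. The other fifos are sized from `free`, which comes from `roundup_pow_of_two()`, so by the same reasoning they presumably also hold one entry fewer than requested; it is worth confirming that this is acceptable for them. cache_alloc() starts and ends outside the hunk.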
diff --git a/queue-4.7/bdev-fix-null-pointer-dereference.patch b/queue-4.7/bdev-fix-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..a152af7
--- /dev/null
@@ -0,0 +1,78 @@
+From e9e5e3fae8da7e237049e00e0bfc9e32fd808fe8 Mon Sep 17 00:00:00 2001
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Mon, 22 Aug 2016 12:47:43 +0200
+Subject: bdev: fix NULL pointer dereference
+
+From: Vegard Nossum <vegard.nossum@oracle.com>
+
+commit e9e5e3fae8da7e237049e00e0bfc9e32fd808fe8 upstream.
+
+I got this:
+
+    kasan: GPF could be caused by NULL-ptr deref or user memory access
+    general protection fault: 0000 [#1] PREEMPT SMP KASAN
+    Dumping ftrace buffer:
+       (ftrace buffer empty)
+    CPU: 0 PID: 5505 Comm: syz-executor Not tainted 4.8.0-rc2+ #161
+    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
+    task: ffff880113415940 task.stack: ffff880118350000
+    RIP: 0010:[<ffffffff8172cb32>]  [<ffffffff8172cb32>] bd_mount+0x52/0xa0
+    RSP: 0018:ffff880118357ca0  EFLAGS: 00010207
+    RAX: dffffc0000000000 RBX: ffffffffffffffff RCX: ffffc90000bb6000
+    RDX: 0000000000000018 RSI: ffffffff846d6b20 RDI: 00000000000000c7
+    RBP: ffff880118357cb0 R08: ffff880115967c68 R09: 0000000000000000
+    R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801188211e8
+    R13: ffffffff847baa20 R14: ffff8801139cb000 R15: 0000000000000080
+    FS:  00007fa3ff6c0700(0000) GS:ffff88011aa00000(0000) knlGS:0000000000000000
+    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+    CR2: 00007fc1d8cc7e78 CR3: 0000000109f20000 CR4: 00000000000006f0
+    DR0: 000000000000001e DR1: 000000000000001e DR2: 0000000000000000
+    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
+    Stack:
+     ffff880112cfd6c0 ffff8801188211e8 ffff880118357cf0 ffffffff8167f207
+     ffffffff816d7a1e ffff880112a413c0 ffffffff847baa20 ffff8801188211e8
+     0000000000000080 ffff880112cfd6c0 ffff880118357d38 ffffffff816dce0a
+    Call Trace:
+     [<ffffffff8167f207>] mount_fs+0x97/0x2e0
+     [<ffffffff816d7a1e>] ? alloc_vfsmnt+0x55e/0x760
+     [<ffffffff816dce0a>] vfs_kern_mount+0x7a/0x300
+     [<ffffffff83c3247c>] ? _raw_read_unlock+0x2c/0x50
+     [<ffffffff816dfc87>] do_mount+0x3d7/0x2730
+     [<ffffffff81235fd4>] ? trace_do_page_fault+0x1f4/0x3a0
+     [<ffffffff816df8b0>] ? copy_mount_string+0x40/0x40
+     [<ffffffff8161ea81>] ? memset+0x31/0x40
+     [<ffffffff816df73e>] ? copy_mount_options+0x1ee/0x320
+     [<ffffffff816e2a02>] SyS_mount+0xb2/0x120
+     [<ffffffff816e2950>] ? copy_mnt_ns+0x970/0x970
+     [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
+     [<ffffffff83c3282a>] entry_SYSCALL64_slow_path+0x25/0x25
+    Code: 83 e8 63 1b fc ff 48 85 c0 48 89 c3 74 4c e8 56 35 d1 ff 48 8d bb c8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 36 4c 8b a3 c8 00 00 00 48 b8 00 00 00 00 00 fc
+    RIP  [<ffffffff8172cb32>] bd_mount+0x52/0xa0
+     RSP <ffff880118357ca0>
+    ---[ end trace 13690ad962168b98 ]---
+
+mount_pseudo() returns ERR_PTR(), not NULL, on error.
+
+Fixes: 3684aa7099e0 ("block-dev: enable writeback cgroup support")
+Cc: Shaohua Li <shli@fb.com>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Jens Axboe <axboe@fb.com>
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/block_dev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/block_dev.c
++++ b/fs/block_dev.c
+@@ -659,7 +659,7 @@ static struct dentry *bd_mount(struct fi
+ {
+       struct dentry *dent;
+       dent = mount_pseudo(fs_type, "bdev:", &bdev_sops, NULL, BDEVFS_MAGIC);
+-      if (dent)
++      if (!IS_ERR(dent))
+               dent->d_sb->s_iflags |= SB_I_CGROUPWB;
+       return dent;
+ }
diff --git a/queue-4.7/irqchip-mips-gic-cleanup-chip-and-handler-setup.patch b/queue-4.7/irqchip-mips-gic-cleanup-chip-and-handler-setup.patch
new file mode 100644 (file)
index 0000000..2876286
--- /dev/null
@@ -0,0 +1,74 @@
+From 6a33fa2b87513fee44cb8f0cd17b1acd6316bc6b Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@imgtec.com>
+Date: Fri, 19 Aug 2016 18:07:14 +0100
+Subject: irqchip/mips-gic: Cleanup chip and handler setup
+
+From: Paul Burton <paul.burton@imgtec.com>
+
+commit 6a33fa2b87513fee44cb8f0cd17b1acd6316bc6b upstream.
+
+gic_shared_irq_domain_map() is called from gic_irq_domain_alloc() where
+the wrong chip has been set, and is then overwritten. Tidy this up by
+setting the correct chip the first time, and setting the
+handle_level_irq handler from gic_irq_domain_alloc() too.
+
+gic_shared_irq_domain_map() is also called from gic_irq_domain_map(),
+which now calls irq_set_chip_and_handler() to retain its previous
+behaviour.
+
+This patch prepares for a follow-on which will call
+gic_shared_irq_domain_map() from a callback where the lock on the struct
+irq_desc is held, which without this change would cause the call to
+irq_set_chip_and_handler() to lead to a deadlock.
+
+Fixes: c98c1822ee13 ("irqchip/mips-gic: Add device hierarchy domain")
+Signed-off-by: Paul Burton <paul.burton@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Link: http://lkml.kernel.org/r/20160819170715.27820-1-paul.burton@imgtec.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-mips-gic.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/irqchip/irq-mips-gic.c
++++ b/drivers/irqchip/irq-mips-gic.c
+@@ -713,9 +713,6 @@ static int gic_shared_irq_domain_map(str
+       unsigned long flags;
+       int i;
+-      irq_set_chip_and_handler(virq, &gic_level_irq_controller,
+-                               handle_level_irq);
+-
+       spin_lock_irqsave(&gic_lock, flags);
+       gic_map_to_pin(intr, gic_cpu_pin);
+       gic_map_to_vpe(intr, mips_cm_vp_id(vpe));
+@@ -732,6 +729,10 @@ static int gic_irq_domain_map(struct irq
+ {
+       if (GIC_HWIRQ_TO_LOCAL(hw) < GIC_NUM_LOCAL_INTRS)
+               return gic_local_irq_domain_map(d, virq, hw);
++
++      irq_set_chip_and_handler(virq, &gic_level_irq_controller,
++                               handle_level_irq);
++
+       return gic_shared_irq_domain_map(d, virq, hw, 0);
+ }
+@@ -771,11 +772,13 @@ static int gic_irq_domain_alloc(struct i
+                       hwirq = GIC_SHARED_TO_HWIRQ(base_hwirq + i);
+                       ret = irq_domain_set_hwirq_and_chip(d, virq + i, hwirq,
+-                                                          &gic_edge_irq_controller,
++                                                          &gic_level_irq_controller,
+                                                           NULL);
+                       if (ret)
+                               goto error;
++                      irq_set_handler(virq + i, handle_level_irq);
++
+                       ret = gic_shared_irq_domain_map(d, virq + i, hwirq, cpu);
+                       if (ret)
+                               goto error;
diff --git a/queue-4.7/irqchip-mips-gic-implement-activate-op-for-device-domain.patch b/queue-4.7/irqchip-mips-gic-implement-activate-op-for-device-domain.patch
new file mode 100644 (file)
index 0000000..4142d11
--- /dev/null
@@ -0,0 +1,58 @@
+From 2564970a381651865364974ea414384b569cb9c0 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@imgtec.com>
+Date: Fri, 19 Aug 2016 18:07:15 +0100
+Subject: irqchip/mips-gic: Implement activate op for device domain
+
+From: Paul Burton <paul.burton@imgtec.com>
+
+commit 2564970a381651865364974ea414384b569cb9c0 upstream.
+
+If an IRQ is setup using __setup_irq(), which is used by the
+request_irq() family of functions, and we are using an SMP kernel then
+the affinity of the IRQ will be set via setup_affinity() immediately
+after the IRQ is enabled. This call to gic_set_affinity() will lead to
+the interrupt being mapped to a VPE. However there are other ways to use
+IRQs which don't cause affinity to be set, for example if it is used to
+chain to another IRQ controller with irq_set_chained_handler_and_data().
+The irq_set_chained_handler_and_data() code path will enable the IRQ,
+but will not trigger a call to gic_set_affinity() and in this case
+nothing will map the interrupt to a VPE, meaning that the interrupt is
+never received.
+
+Fix this by implementing the activate operation for the GIC device IRQ
+domain, using gic_shared_irq_domain_map() to map the interrupt to the
+correct pin of cpu 0.
+
+Fixes: c98c1822ee13 ("irqchip/mips-gic: Add device hierarchy domain")
+Signed-off-by: Paul Burton <paul.burton@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Link: http://lkml.kernel.org/r/20160819170715.27820-2-paul.burton@imgtec.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-mips-gic.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/irqchip/irq-mips-gic.c
++++ b/drivers/irqchip/irq-mips-gic.c
+@@ -893,10 +893,17 @@ void gic_dev_domain_free(struct irq_doma
+       return;
+ }
++static void gic_dev_domain_activate(struct irq_domain *domain,
++                                  struct irq_data *d)
++{
++      gic_shared_irq_domain_map(domain, d->irq, d->hwirq, 0);
++}
++
+ static struct irq_domain_ops gic_dev_domain_ops = {
+       .xlate = gic_dev_domain_xlate,
+       .alloc = gic_dev_domain_alloc,
+       .free = gic_dev_domain_free,
++      .activate = gic_dev_domain_activate,
+ };
+ static int gic_ipi_domain_xlate(struct irq_domain *d, struct device_node *ctrlr,
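Review bot: gic_dev_domain_activate() discards the int returned by gic_shared_irq_domain_map(), so a failed mapping would leave the interrupt undelivered with no trace. The callback is declared void here, so the error cannot be propagated, but `WARN_ON(gic_shared_irq_domain_map(domain, d->irq, d->hwirq, 0));` would at least make it visible; whether the helper can actually fail on this path is not shown in the hunk. The trailing `0` also deserves a comment, for example `/* no affinity set yet: map to the pin of cpu 0 */`, since that choice is explained only in the commit message.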
diff --git a/queue-4.7/mei-me-disable-driver-on-spt-sps-firmware.patch b/queue-4.7/mei-me-disable-driver-on-spt-sps-firmware.patch
new file mode 100644 (file)
index 0000000..795502a
--- /dev/null
@@ -0,0 +1,55 @@
+From 8c57cac1457f3125a5d13dc03635c0708c61bff0 Mon Sep 17 00:00:00 2001
+From: Tomas Winkler <tomas.winkler@intel.com>
+Date: Wed, 20 Jul 2016 10:24:02 +0300
+Subject: mei: me: disable driver on SPT SPS firmware
+
+From: Tomas Winkler <tomas.winkler@intel.com>
+
+commit 8c57cac1457f3125a5d13dc03635c0708c61bff0 upstream.
+
+Sunrise Point PCH with SPS Firmware doesn't expose working
+MEI interface, we need to quirk it out.
+The SPS Firmware is identifiable only on the first PCI function
+of the device.
+
+Tested-by: Sujith Pandel <sujith_pandel@dell.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/hw-me.c  |   10 ++++++++--
+ drivers/misc/mei/pci-me.c |    4 ++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/misc/mei/hw-me.c
++++ b/drivers/misc/mei/hw-me.c
+@@ -1263,8 +1263,14 @@ static bool mei_me_fw_type_nm(struct pci
+ static bool mei_me_fw_type_sps(struct pci_dev *pdev)
+ {
+       u32 reg;
+-      /* Read ME FW Status check for SPS Firmware */
+-      pci_read_config_dword(pdev, PCI_CFG_HFS_1, &reg);
++      unsigned int devfn;
++
++      /*
++       * Read ME FW Status register to check for SPS Firmware
++       * The SPS FW is only signaled in pci function 0
++       */
++      devfn = PCI_DEVFN(PCI_SLOT(pdev->devfn), 0);
++      pci_bus_read_config_dword(pdev->bus, devfn, PCI_CFG_HFS_1, &reg);
+       trace_mei_pci_cfg_read(&pdev->dev, "PCI_CFG_HFS_1", PCI_CFG_HFS_1, reg);
+       /* if bits [19:16] = 15, running SPS Firmware */
+       return (reg & 0xf0000) == 0xf0000;
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -85,8 +85,8 @@ static const struct pci_device_id mei_me
+       {MEI_PCI_DEVICE(MEI_DEV_ID_SPT, mei_me_pch8_cfg)},
+       {MEI_PCI_DEVICE(MEI_DEV_ID_SPT_2, mei_me_pch8_cfg)},
+-      {MEI_PCI_DEVICE(MEI_DEV_ID_SPT_H, mei_me_pch8_cfg)},
+-      {MEI_PCI_DEVICE(MEI_DEV_ID_SPT_H_2, mei_me_pch8_cfg)},
++      {MEI_PCI_DEVICE(MEI_DEV_ID_SPT_H, mei_me_pch8_sps_cfg)},
++      {MEI_PCI_DEVICE(MEI_DEV_ID_SPT_H_2, mei_me_pch8_sps_cfg)},
+       {MEI_PCI_DEVICE(MEI_DEV_ID_BXT_M, mei_me_pch8_cfg)},
+       {MEI_PCI_DEVICE(MEI_DEV_ID_APL_I, mei_me_pch8_cfg)},
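Review bot: In mei_me_fw_type_sps() the return value of `pci_bus_read_config_dword()` is ignored and `reg` is declared without an initializer, so the SPS test runs on whatever the read left behind. Now that the read targets function 0 rather than the probed device itself, a function 0 that is absent or not responding would presumably read back as all ones, and `(reg & 0xf0000) == 0xf0000` would then report SPS firmware and disable the driver. Consider `u32 reg = 0;` together with checking the call's result, and treating `reg == 0xffffffff` as "unknown" rather than as SPS; whether falling back to "not SPS" is the right policy needs confirming with the hardware owner. The function's closing brace is outside the hunk.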
diff --git a/queue-4.7/ovl-don-t-copy-up-opaqueness.patch b/queue-4.7/ovl-don-t-copy-up-opaqueness.patch
new file mode 100644 (file)
index 0000000..60dc73e
--- /dev/null
@@ -0,0 +1,78 @@
+From 0956254a2d5b9e2141385514553aeef694dfe3b5 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Mon, 8 Aug 2016 15:08:49 +0200
+Subject: ovl: don't copy up opaqueness
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 0956254a2d5b9e2141385514553aeef694dfe3b5 upstream.
+
+When a copy up of a directory occurs which has the opaque xattr set, the
+xattr remains in the upper directory. The immediate behavior with overlayfs
+is that the upper directory is not treated as opaque, however after a
+remount the opaque flag is used and upper directory is treated as opaque.
+This causes files created in the lower layer to be hidden when using
+multiple lower directories.
+
+Fix by not copying up the opaque flag.
+
+To reproduce:
+
+ ----8<---------8<---------8<---------8<---------8<---------8<----
+mkdir -p l/d/s u v w mnt
+mount -t overlay overlay -olowerdir=l,upperdir=u,workdir=w mnt
+rm -rf mnt/d/
+mkdir -p mnt/d/n
+umount mnt
+mount -t overlay overlay -olowerdir=u:l,upperdir=v,workdir=w mnt
+touch mnt/d/foo
+umount mnt
+mount -t overlay overlay -olowerdir=u:l,upperdir=v,workdir=w mnt
+ls mnt/d
+ ----8<---------8<---------8<---------8<---------8<---------8<----
+
+output should be:  "foo  n"
+
+Reported-by: Derek McGowan <dmcg@drizz.net>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=151291
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/copy_up.c   |    2 ++
+ fs/overlayfs/inode.c     |    2 +-
+ fs/overlayfs/overlayfs.h |    1 +
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -80,6 +80,8 @@ int ovl_copy_xattr(struct dentry *old, s
+       }
+       for (name = buf; name < (buf + list_size); name += strlen(name) + 1) {
++              if (ovl_is_private_xattr(name))
++                      continue;
+ retry:
+               size = vfs_getxattr(old, name, value, value_size);
+               if (size == -ERANGE)
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -231,7 +231,7 @@ static int ovl_readlink(struct dentry *d
+ }
+-static bool ovl_is_private_xattr(const char *name)
++bool ovl_is_private_xattr(const char *name)
+ {
+       return strncmp(name, OVL_XATTR_PRE_NAME, OVL_XATTR_PRE_LEN) == 0;
+ }
+--- a/fs/overlayfs/overlayfs.h
++++ b/fs/overlayfs/overlayfs.h
+@@ -182,6 +182,7 @@ ssize_t ovl_getxattr(struct dentry *dent
+ ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size);
+ int ovl_removexattr(struct dentry *dentry, const char *name);
+ struct inode *ovl_d_select_inode(struct dentry *dentry, unsigned file_flags);
++bool ovl_is_private_xattr(const char *name);
+ struct inode *ovl_new_inode(struct super_block *sb, umode_t mode,
+                           struct ovl_entry *oe);
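Review bot: The added `ovl_is_private_xattr(name)` check sits in a loop in ovl_copy_xattr() that still advances with `strlen(name) + 1`, so the walk trusts the underlying filesystem to have NUL-terminated the list inside `list_size`. ovl-listxattr-use-strnlen.patch in this same queue stops trusting exactly that in ovl_listxattr(), and the copy-up walk would benefit from the same bound: `size_t slen = strnlen(name, buf + list_size - name) + 1;`, bailing out with an error when `slen` exceeds the bytes remaining. As written, an unterminated final entry lets both `strlen()` and the new `strncmp()` read past the end of `buf`. The loop header is a context line and the function starts and ends outside the hunk.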
diff --git a/queue-4.7/ovl-fix-workdir-creation.patch b/queue-4.7/ovl-fix-workdir-creation.patch
new file mode 100644 (file)
index 0000000..96ab72e
--- /dev/null
@@ -0,0 +1,40 @@
+From e1ff3dd1ae52cef5b5373c8cc4ad949c2c25a71c Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Mon, 5 Sep 2016 13:55:20 +0200
+Subject: ovl: fix workdir creation
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit e1ff3dd1ae52cef5b5373c8cc4ad949c2c25a71c upstream.
+
+Workdir creation fails in latest kernel.
+
+Fix by allowing EOPNOTSUPP as a valid return value from
+vfs_removexattr(XATTR_NAME_POSIX_ACL_*).  Upper filesystem may not support
+ACL and still be perfectly able to support overlayfs.
+
+Reported-by: Martin Ziegler <ziegler@uni-freiburg.de>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: c11b9fdd6a61 ("ovl: remove posix_acl_default from workdir")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/super.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -819,11 +819,11 @@ retry:
+                       goto out_dput;
+               err = vfs_removexattr(work, XATTR_NAME_POSIX_ACL_DEFAULT);
+-              if (err && err != -ENODATA)
++              if (err && err != -ENODATA && err != -EOPNOTSUPP)
+                       goto out_dput;
+               err = vfs_removexattr(work, XATTR_NAME_POSIX_ACL_ACCESS);
+-              if (err && err != -ENODATA)
++              if (err && err != -ENODATA && err != -EOPNOTSUPP)
+                       goto out_dput;
+               /* Clear any inherited mode bits */
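Review bot: The `-EOPNOTSUPP` exemption is added to both vfs_removexattr() checks with no comment, so the code no longer says which errors are benign and why. A line such as `/* -ENODATA: no ACL present; -EOPNOTSUPP: upper fs has no ACL support, nothing to remove */` above the first call would keep the reasoning from the commit message next to the code. Ignoring `-EOPNOTSUPP` assumes that a filesystem returning it cannot have stored an inherited ACL on the new workdir; that seems reasonable but is worth stating, since these calls exist to strip inherited permissions. The enclosing block under `retry:` starts and ends outside the hunk.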
diff --git a/queue-4.7/ovl-listxattr-use-strnlen.patch b/queue-4.7/ovl-listxattr-use-strnlen.patch
new file mode 100644 (file)
index 0000000..06d9707
--- /dev/null
@@ -0,0 +1,57 @@
+From 7cb35119d067191ce9ebc380a599db0b03cbd9d9 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Thu, 1 Sep 2016 11:12:00 +0200
+Subject: ovl: listxattr: use strnlen()
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 7cb35119d067191ce9ebc380a599db0b03cbd9d9 upstream.
+
+Be defensive about what underlying fs provides us in the returned xattr
+list buffer.  If it's not properly null terminated, bail out with a warning
+insead of BUG.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/inode.c |   17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -279,24 +279,27 @@ ssize_t ovl_listxattr(struct dentry *den
+ {
+       struct dentry *realdentry = ovl_dentry_real(dentry);
+       ssize_t res;
+-      int off;
++      size_t len;
++      char *s;
+       res = vfs_listxattr(realdentry, list, size);
+       if (res <= 0 || size == 0)
+               return res;
+       /* filter out private xattrs */
+-      for (off = 0; off < res;) {
+-              char *s = list + off;
+-              size_t slen = strlen(s) + 1;
++      for (s = list, len = res; len;) {
++              size_t slen = strnlen(s, len) + 1;
+-              BUG_ON(off + slen > res);
++              /* underlying fs providing us with an broken xattr list? */
++              if (WARN_ON(slen > len))
++                      return -EIO;
++              len -= slen;
+               if (ovl_is_private_xattr(s)) {
+                       res -= slen;
+-                      memmove(s, s + slen, res - off);
++                      memmove(s, s + slen, len);
+               } else {
+-                      off += slen;
++                      s += slen;
+               }
+       }
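Review bot: `WARN_ON(slen > len)` in ovl_listxattr() fires on every call that sees an unterminated list, so a corrupted or misbehaving underlying filesystem yields one backtrace per listxattr() call, and on a system configured to panic on warnings the path is still fatal. `if (WARN_ON_ONCE(slen > len))` keeps the diagnostic while bounding the log volume. By the time `-EIO` is returned, earlier iterations may already have removed private entries from the caller's `list` with `memmove()`, which is worth noting in the comment. That comment also reads "an broken" where "a broken" is meant. The loop's tail and the function's return are outside the hunk.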
diff --git a/queue-4.7/ovl-proper-cleanup-of-workdir.patch b/queue-4.7/ovl-proper-cleanup-of-workdir.patch
new file mode 100644 (file)
index 0000000..248952b
--- /dev/null
@@ -0,0 +1,136 @@
+From eea2fb4851e9dcbab6b991aaf47e2e024f1f55a0 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Thu, 1 Sep 2016 11:11:59 +0200
+Subject: ovl: proper cleanup of workdir
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit eea2fb4851e9dcbab6b991aaf47e2e024f1f55a0 upstream.
+
+When mounting overlayfs it needs a clean "work" directory under the
+supplied workdir.
+
+Previously the mount code removed this directory if it already existed and
+created a new one.  If the removal failed (e.g. directory was not empty)
+then it fell back to a read-only mount not using the workdir.
+
+While this has never been reported, it is possible to get a non-empty
+"work" dir from a previous mount of overlayfs in case of crash in the
+middle of an operation using the work directory.
+
+In this case the left over state should be discarded and the overlay
+filesystem will be consistent, guaranteed by the atomicity of operations on
+moving to/from the workdir to the upper layer.
+
+This patch implements cleaning out any files left in workdir.  It is
+implemented using real recursion for simplicity, but the depth is limited
+to 2, because the worst case is that of a directory containing whiteouts
+under "work".
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/overlayfs.h |    2 +
+ fs/overlayfs/readdir.c   |   63 ++++++++++++++++++++++++++++++++++++++++++++++-
+ fs/overlayfs/super.c     |    2 -
+ 3 files changed, 65 insertions(+), 2 deletions(-)
+
+--- a/fs/overlayfs/overlayfs.h
++++ b/fs/overlayfs/overlayfs.h
+@@ -168,6 +168,8 @@ int ovl_check_empty_dir(struct dentry *d
+ void ovl_cleanup_whiteouts(struct dentry *upper, struct list_head *list);
+ void ovl_cache_free(struct list_head *list);
+ int ovl_check_d_type_supported(struct path *realpath);
++void ovl_workdir_cleanup(struct inode *dir, struct vfsmount *mnt,
++                       struct dentry *dentry, int level);
+ /* inode.c */
+ int ovl_setattr(struct dentry *dentry, struct iattr *attr);
+--- a/fs/overlayfs/readdir.c
++++ b/fs/overlayfs/readdir.c
+@@ -248,7 +248,7 @@ static inline int ovl_dir_read(struct pa
+                       err = rdd->err;
+       } while (!err && rdd->count);
+-      if (!err && rdd->first_maybe_whiteout)
++      if (!err && rdd->first_maybe_whiteout && rdd->dentry)
+               err = ovl_check_whiteouts(realpath->dentry, rdd);
+       fput(realfile);
+@@ -606,3 +606,64 @@ int ovl_check_d_type_supported(struct pa
+       return rdd.d_type_supported;
+ }
++
++static void ovl_workdir_cleanup_recurse(struct path *path, int level)
++{
++      int err;
++      struct inode *dir = path->dentry->d_inode;
++      LIST_HEAD(list);
++      struct ovl_cache_entry *p;
++      struct ovl_readdir_data rdd = {
++              .ctx.actor = ovl_fill_merge,
++              .dentry = NULL,
++              .list = &list,
++              .root = RB_ROOT,
++              .is_lowest = false,
++      };
++
++      err = ovl_dir_read(path, &rdd);
++      if (err)
++              goto out;
++
++      inode_lock_nested(dir, I_MUTEX_PARENT);
++      list_for_each_entry(p, &list, l_node) {
++              struct dentry *dentry;
++
++              if (p->name[0] == '.') {
++                      if (p->len == 1)
++                              continue;
++                      if (p->len == 2 && p->name[1] == '.')
++                              continue;
++              }
++              dentry = lookup_one_len(p->name, path->dentry, p->len);
++              if (IS_ERR(dentry))
++                      continue;
++              if (dentry->d_inode)
++                      ovl_workdir_cleanup(dir, path->mnt, dentry, level);
++              dput(dentry);
++      }
++      inode_unlock(dir);
++out:
++      ovl_cache_free(&list);
++}
++
++void ovl_workdir_cleanup(struct inode *dir, struct vfsmount *mnt,
++                       struct dentry *dentry, int level)
++{
++      int err;
++
++      if (!d_is_dir(dentry) || level > 1) {
++              ovl_cleanup(dir, dentry);
++              return;
++      }
++
++      err = ovl_do_rmdir(dir, dentry);
++      if (err) {
++              struct path path = { .mnt = mnt, .dentry = dentry };
++
++              inode_unlock(dir);
++              ovl_workdir_cleanup_recurse(&path, level + 1);
++              inode_lock_nested(dir, I_MUTEX_PARENT);
++              ovl_cleanup(dir, dentry);
++      }
++}
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -805,7 +805,7 @@ retry:
+                               goto out_dput;
+                       retried = true;
+-                      ovl_cleanup(dir, work);
++                      ovl_workdir_cleanup(dir, mnt, work, 0);
+                       dput(work);
+                       goto retry;
+               }
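Review bot: ovl_workdir_cleanup() has an undocumented locking contract: when `ovl_do_rmdir()` fails it calls `inode_unlock(dir)`, recurses, and then takes `inode_lock_nested(dir, I_MUTEX_PARENT)` again, so it is only correct when the caller already holds the lock on `dir`, and `dir` is unprotected while the recursion runs. Since the function is now exported through overlayfs.h, it should get a kernel-doc comment stating that `dir` must be locked on entry, that the lock is dropped and re-taken around the recursion, and that `level > 1` falls back to a plain `ovl_cleanup()`. Both new functions also return void, and ovl_workdir_cleanup_recurse() skips silently on `IS_ERR(dentry)` and on an ovl_dir_read() error, so an incomplete cleanup is only visible indirectly to the caller in super.c. A comment saying that this best-effort behaviour is intentional would help the next reader.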
diff --git a/queue-4.7/ovl-remove-posix_acl_default-from-workdir.patch b/queue-4.7/ovl-remove-posix_acl_default-from-workdir.patch
new file mode 100644 (file)
index 0000000..f6556f9
--- /dev/null
@@ -0,0 +1,54 @@
+From c11b9fdd6a612f376a5e886505f1c54c16d8c380 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Thu, 1 Sep 2016 11:11:59 +0200
+Subject: ovl: remove posix_acl_default from workdir
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit c11b9fdd6a612f376a5e886505f1c54c16d8c380 upstream.
+
+Clear out posix acl xattrs on workdir and also reset the mode after
+creation so that an inherited sgid bit is cleared.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/super.c |   19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -798,6 +798,10 @@ retry:
+               struct kstat stat = {
+                       .mode = S_IFDIR | 0,
+               };
++              struct iattr attr = {
++                      .ia_valid = ATTR_MODE,
++                      .ia_mode = stat.mode,
++              };
+               if (work->d_inode) {
+                       err = -EEXIST;
+@@ -813,6 +817,21 @@ retry:
+               err = ovl_create_real(dir, work, &stat, NULL, NULL, true);
+               if (err)
+                       goto out_dput;
++
++              err = vfs_removexattr(work, XATTR_NAME_POSIX_ACL_DEFAULT);
++              if (err && err != -ENODATA)
++                      goto out_dput;
++
++              err = vfs_removexattr(work, XATTR_NAME_POSIX_ACL_ACCESS);
++              if (err && err != -ENODATA)
++                      goto out_dput;
++
++              /* Clear any inherited mode bits */
++              inode_lock(work->d_inode);
++              err = notify_change(work, &attr, NULL);
++              inode_unlock(work->d_inode);
++              if (err)
++                      goto out_dput;
+       }
+ out_unlock:
+       inode_unlock(dir);
index 0bcbfee41152d3d9312307a8c29856e9c97fdf0a..425a34e05261d1135236c320784c68e0488c7354 100644 (file)
@@ -27,3 +27,17 @@ xfs-fix-superblock-inprogress-check.patch
 timekeeping-cap-array-access-in-timekeeping_debug.patch
 timekeeping-avoid-taking-lock-in-nmi-path-with-config_debug_timekeeping.patch
 xenbus-don-t-look-up-transaction-ids-for-ordinary-writes.patch
+ovl-proper-cleanup-of-workdir.patch
+ovl-don-t-copy-up-opaqueness.patch
+ovl-remove-posix_acl_default-from-workdir.patch
+ovl-listxattr-use-strnlen.patch
+ovl-fix-workdir-creation.patch
+mei-me-disable-driver-on-spt-sps-firmware.patch
+ubifs-fix-xattr-generic-handler-usage.patch
+ubifs-fix-assertion-in-layout_in_gaps.patch
+bdev-fix-null-pointer-dereference.patch
+bcache-reserve_prio-is-too-small-by-one-when-prio_buckets-is-a-power-of-two.patch
+irqchip-mips-gic-cleanup-chip-and-handler-setup.patch
+irqchip-mips-gic-implement-activate-op-for-device-domain.patch
+vhost-scsi-fix-reuse-of-vq-iov-in-response.patch
+x86-apic-do-not-init-irq-remapping-if-ioapic-is-disabled.patch
diff --git a/queue-4.7/ubifs-fix-assertion-in-layout_in_gaps.patch b/queue-4.7/ubifs-fix-assertion-in-layout_in_gaps.patch
new file mode 100644 (file)
index 0000000..dac98df
--- /dev/null
@@ -0,0 +1,40 @@
+From c0082e985fdf77b02fc9e0dac3b58504dcf11b7a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Vincent=20Stehl=C3=A9?= <vincent.stehle@intel.com>
+Date: Fri, 12 Aug 2016 15:26:30 +0200
+Subject: ubifs: Fix assertion in layout_in_gaps()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vincent StehlĂ© <vincent.stehle@intel.com>
+
+commit c0082e985fdf77b02fc9e0dac3b58504dcf11b7a upstream.
+
+An assertion in layout_in_gaps() verifies that the gap_lebs pointer is
+below the maximum bound. When computing this maximum bound the idx_lebs
+count is multiplied by sizeof(int), while C pointers arithmetic does take
+into account the size of the pointed elements implicitly already. Remove
+the multiplication to fix the assertion.
+
+Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
+Signed-off-by: Vincent StehlĂ© <vincent.stehle@intel.com>
+Cc: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/tnc_commit.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ubifs/tnc_commit.c
++++ b/fs/ubifs/tnc_commit.c
+@@ -370,7 +370,7 @@ static int layout_in_gaps(struct ubifs_i
+       p = c->gap_lebs;
+       do {
+-              ubifs_assert(p < c->gap_lebs + sizeof(int) * c->lst.idx_lebs);
++              ubifs_assert(p < c->gap_lebs + c->lst.idx_lebs);
+               written = layout_leb_in_gaps(c, p);
+               if (written < 0) {
+                       err = written;
diff --git a/queue-4.7/ubifs-fix-xattr-generic-handler-usage.patch b/queue-4.7/ubifs-fix-xattr-generic-handler-usage.patch
new file mode 100644 (file)
index 0000000..97c2dd1
--- /dev/null
@@ -0,0 +1,44 @@
+From 17ce1eb0b64eb27d4f9180daae7495fa022c7b0d Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Sun, 31 Jul 2016 21:42:23 +0200
+Subject: ubifs: Fix xattr generic handler usage
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 17ce1eb0b64eb27d4f9180daae7495fa022c7b0d upstream.
+
+UBIFS uses full names to work with xattrs, therefore we have to use
+xattr_full_name() to obtain the xattr prefix as string.
+
+Cc: Andreas Gruenbacher <agruenba@redhat.com>
+Fixes: 2b88fc21ca ("ubifs: Switch to generic xattr handlers")
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Andreas Gruenbacher <agruenba@redhat.com>
+Tested-by: Dongsheng Yang <dongsheng081251@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/xattr.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/ubifs/xattr.c
++++ b/fs/ubifs/xattr.c
+@@ -575,7 +575,8 @@ static int ubifs_xattr_get(const struct
+       dbg_gen("xattr '%s', ino %lu ('%pd'), buf size %zd", name,
+               inode->i_ino, dentry, size);
+-      return  __ubifs_getxattr(inode, name, buffer, size);
++      name = xattr_full_name(handler, name);
++      return __ubifs_getxattr(inode, name, buffer, size);
+ }
+ static int ubifs_xattr_set(const struct xattr_handler *handler,
+@@ -586,6 +587,8 @@ static int ubifs_xattr_set(const struct
+       dbg_gen("xattr '%s', host ino %lu ('%pd'), size %zd",
+               name, inode->i_ino, dentry, size);
++      name = xattr_full_name(handler, name);
++
+       if (value)
+               return __ubifs_setxattr(inode, name, value, size, flags);
+       else
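Review bot: In both `ubifs_xattr_get()` and `ubifs_xattr_set()` the `dbg_gen()` call still runs before `name = xattr_full_name(handler, name);`, so the debug line prints whatever the handler received rather than the full name that is actually looked up or stored. If the handler receives only the suffix, entries from different namespaces (for example `user.` and `security.`) become indistinguishable in the log. Moving the assignment above `dbg_gen()` in each function would fix that, and a comment such as `/* UBIFS stores xattrs under their full, prefixed name */` would explain why the conversion is needed. Both function bodies begin outside the hunk.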
diff --git a/queue-4.7/vhost-scsi-fix-reuse-of-vq-iov-in-response.patch b/queue-4.7/vhost-scsi-fix-reuse-of-vq-iov-in-response.patch
new file mode 100644 (file)
index 0000000..7cd2179
--- /dev/null
@@ -0,0 +1,53 @@
+From a77ec83a57890240c546df00ca5df1cdeedb1cc3 Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Mon, 6 Jun 2016 18:07:59 -0400
+Subject: vhost/scsi: fix reuse of &vq->iov[out] in response
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+commit a77ec83a57890240c546df00ca5df1cdeedb1cc3 upstream.
+
+The address of the iovec &vq->iov[out] is not guaranteed to contain the scsi
+command's response iovec throughout the lifetime of the command.  Rather, it
+is more likely to contain an iovec from an immediately following command
+after looping back around to vhost_get_vq_desc().  Pass along the iovec
+entirely instead.
+
+Fixes: 79c14141a487 ("vhost/scsi: Convert completion path to use copy_to_iter")
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vhost/scsi.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/vhost/scsi.c
++++ b/drivers/vhost/scsi.c
+@@ -88,7 +88,7 @@ struct vhost_scsi_cmd {
+       struct scatterlist *tvc_prot_sgl;
+       struct page **tvc_upages;
+       /* Pointer to response header iovec */
+-      struct iovec *tvc_resp_iov;
++      struct iovec tvc_resp_iov;
+       /* Pointer to vhost_scsi for our device */
+       struct vhost_scsi *tvc_vhost;
+       /* Pointer to vhost_virtqueue for the cmd */
+@@ -547,7 +547,7 @@ static void vhost_scsi_complete_cmd_work
+               memcpy(v_rsp.sense, cmd->tvc_sense_buf,
+                      se_cmd->scsi_sense_length);
+-              iov_iter_init(&iov_iter, READ, cmd->tvc_resp_iov,
++              iov_iter_init(&iov_iter, READ, &cmd->tvc_resp_iov,
+                             cmd->tvc_in_iovs, sizeof(v_rsp));
+               ret = copy_to_iter(&v_rsp, sizeof(v_rsp), &iov_iter);
+               if (likely(ret == sizeof(v_rsp))) {
+@@ -1044,7 +1044,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *
+               }
+               cmd->tvc_vhost = vs;
+               cmd->tvc_vq = vq;
+-              cmd->tvc_resp_iov = &vq->iov[out];
++              cmd->tvc_resp_iov = vq->iov[out];
+               cmd->tvc_in_iovs = in;
+               pr_debug("vhost_scsi got command opcode: %#02x, lun: %d\n",
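Review bot: `iov_iter_init()` in `vhost_scsi_complete_cmd_work()` is now given the address of the single embedded `cmd->tvc_resp_iov` but still `cmd->tvc_in_iovs` as the segment count, so the iterator is told it may walk `in` iovecs while only one was copied. If the first response iovec can be shorter than `sizeof(v_rsp)` (nothing visible in the hunk rules that out), `copy_to_iter()` would continue into the fields that follow `tvc_resp_iov` in `struct vhost_scsi_cmd` and interpret them as iovecs. Either pass a count of one, `iov_iter_init(&iov_iter, READ, &cmd->tvc_resp_iov, 1, sizeof(v_rsp));`, and let the existing `ret == sizeof(v_rsp)` check reject a short copy, or store all `in` iovecs with the command. The field comment `/* Pointer to response header iovec */` is also stale now that the member is a struct and could read `/* Copy of the response header iovec */`. The struct and both functions continue outside the hunk.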
diff --git a/queue-4.7/x86-apic-do-not-init-irq-remapping-if-ioapic-is-disabled.patch b/queue-4.7/x86-apic-do-not-init-irq-remapping-if-ioapic-is-disabled.patch
new file mode 100644 (file)
index 0000000..f4f2d68
--- /dev/null
@@ -0,0 +1,45 @@
+From 2e63ad4bd5dd583871e6602f9d398b9322d358d9 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Tue, 23 Aug 2016 20:07:19 +0800
+Subject: x86/apic: Do not init irq remapping if ioapic is disabled
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+commit 2e63ad4bd5dd583871e6602f9d398b9322d358d9 upstream.
+
+native_smp_prepare_cpus
+  -> default_setup_apic_routing
+    -> enable_IR_x2apic
+      -> irq_remapping_prepare
+        -> intel_prepare_irq_remapping
+          -> intel_setup_irq_remapping
+
+So IR table is setup even if "noapic" boot parameter is added. As a result we
+crash later when the interrupt affinity is set due to a half initialized
+remapping infrastructure.
+
+Prevent remap initialization when IOAPIC is disabled.
+
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Joerg Roedel <joro@8bytes.org>
+Link: http://lkml.kernel.org/r/1471954039-3942-1-git-send-email-wanpeng.li@hotmail.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/apic.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1597,6 +1597,9 @@ void __init enable_IR_x2apic(void)
+       unsigned long flags;
+       int ret, ir_stat;
++      if (skip_ioapic_setup)
++              return;
++
+       ir_stat = irq_remapping_prepare();
+       if (ir_stat < 0 && !x2apic_supported())
+               return;
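Review bot: The added `if (skip_ioapic_setup) return;` at the top of `enable_IR_x2apic()` leaves the function silently, so a system booted with `noapic` gets no interrupt remapping and nothing in the log says so. Since the return sits before `irq_remapping_prepare()`, any x2apic setup later in the function is presumably skipped as well; the rest of the body is outside the hunk. A log line would make the trade-off visible, e.g. `pr_info("Not enabling interrupt remapping due to skipped IO-APIC setup\n");` before the `return`, with the `if` braced.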