3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 27 Nov 2017 15:57:30 +0000 (16:57 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 27 Nov 2017 15:57:30 +0000 (16:57 +0100)
added patches:
alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch
alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch
alsa-usb-audio-add-sanity-checks-to-fe-parser.patch
alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch
alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch
autofs-don-t-fail-mount-for-transient-error.patch
bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch
bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch
dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch
ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch
ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch
fs-9p-compare-qid.path-in-v9fs_test_inode.patch
iscsi-target-fix-non-immediate-tmr-reference-leak.patch
isofs-fix-timestamps-beyond-2027.patch
mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch
mips-fix-an-n32-core-file-generation-regset-support-regression.patch
nfs-fix-typo-in-nomigration-mount-option.patch
nfs-fix-ugly-referral-attributes.patch
nfsd-deal-with-revoked-delegations-appropriately.patch
nilfs2-fix-race-condition-that-causes-file-system-corruption.patch

21 files changed:
queue-3.18/alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch [new file with mode: 0644]
queue-3.18/alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch [new file with mode: 0644]
queue-3.18/alsa-usb-audio-add-sanity-checks-to-fe-parser.patch [new file with mode: 0644]
queue-3.18/alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch [new file with mode: 0644]
queue-3.18/alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch [new file with mode: 0644]
queue-3.18/autofs-don-t-fail-mount-for-transient-error.patch [new file with mode: 0644]
queue-3.18/bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch [new file with mode: 0644]
queue-3.18/bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch [new file with mode: 0644]
queue-3.18/dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch [new file with mode: 0644]
queue-3.18/ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch [new file with mode: 0644]
queue-3.18/ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch [new file with mode: 0644]
queue-3.18/fs-9p-compare-qid.path-in-v9fs_test_inode.patch [new file with mode: 0644]
queue-3.18/iscsi-target-fix-non-immediate-tmr-reference-leak.patch [new file with mode: 0644]
queue-3.18/isofs-fix-timestamps-beyond-2027.patch [new file with mode: 0644]
queue-3.18/mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch [new file with mode: 0644]
queue-3.18/mips-fix-an-n32-core-file-generation-regset-support-regression.patch [new file with mode: 0644]
queue-3.18/nfs-fix-typo-in-nomigration-mount-option.patch [new file with mode: 0644]
queue-3.18/nfs-fix-ugly-referral-attributes.patch [new file with mode: 0644]
queue-3.18/nfsd-deal-with-revoked-delegations-appropriately.patch [new file with mode: 0644]
queue-3.18/nilfs2-fix-race-condition-that-causes-file-system-corruption.patch [new file with mode: 0644]
queue-3.18/series

diff --git a/queue-3.18/alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch b/queue-3.18/alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch
new file mode 100644 (file)
index 0000000..077b6c4
--- /dev/null
@@ -0,0 +1,54 @@
+From 3d4e8303f2c747c8540a0a0126d0151514f6468b Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 21 Nov 2017 16:36:11 +0100
+Subject: ALSA: timer: Remove kernel warning at compat ioctl error paths
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 3d4e8303f2c747c8540a0a0126d0151514f6468b upstream.
+
+Some timer compat ioctls have NULL checks of timer instance with
+snd_BUG_ON() that bring up WARN_ON() when the debug option is set.
+Actually the condition can be met in the normal situation and it's
+confusing and bad to spew kernel warnings with stack trace there.
+Let's remove snd_BUG_ON() invocation and replace with the simple
+checks.  Also, correct the error code to EBADFD to follow the native
+ioctl error handling.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer_compat.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/sound/core/timer_compat.c
++++ b/sound/core/timer_compat.c
+@@ -40,11 +40,11 @@ static int snd_timer_user_info_compat(st
+       struct snd_timer *t;
+       tu = file->private_data;
+-      if (snd_BUG_ON(!tu->timeri))
+-              return -ENXIO;
++      if (!tu->timeri)
++              return -EBADFD;
+       t = tu->timeri->timer;
+-      if (snd_BUG_ON(!t))
+-              return -ENXIO;
++      if (!t)
++              return -EBADFD;
+       memset(&info, 0, sizeof(info));
+       info.card = t->card ? t->card->number : -1;
+       if (t->hw.flags & SNDRV_TIMER_HW_SLAVE)
+@@ -73,8 +73,8 @@ static int snd_timer_user_status_compat(
+       struct snd_timer_status32 status;
+       
+       tu = file->private_data;
+-      if (snd_BUG_ON(!tu->timeri))
+-              return -ENXIO;
++      if (!tu->timeri)
++              return -EBADFD;
+       memset(&status, 0, sizeof(status));
+       status.tstamp.tv_sec = tu->tstamp.tv_sec;
+       status.tstamp.tv_nsec = tu->tstamp.tv_nsec;
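Review bot: In the first inner hunk (snd_timer_user_info_compat), `tu->timeri` is tested and then loaded again in `t = tu->timeri->timer;`, so the NULL check only holds if nothing can clear `tu->timeri` between the two reads. The locking around these compat handlers is outside the hunk; it should be confirmed that they are serialized against timer select/close on the same file, the way the native ioctl path is said to be. If they are, a one-line comment above the check such as `/* serialized against select/close by the caller's ioctl lock */` would record the assumption. The same applies to the single check in snd_timer_user_status_compat, whose body continues past the hunk.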
diff --git a/queue-3.18/alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch b/queue-3.18/alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch
new file mode 100644 (file)
index 0000000..52b8897
--- /dev/null
@@ -0,0 +1,57 @@
+From 0a62d6c966956d77397c32836a5bbfe3af786fc1 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 21 Nov 2017 17:28:06 +0100
+Subject: ALSA: usb-audio: Add sanity checks in v2 clock parsers
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 0a62d6c966956d77397c32836a5bbfe3af786fc1 upstream.
+
+The helper functions to parse and look for the clock source, selector
+and multiplier unit may return the descriptor with a too short length
+than required, while there is no sanity check in the caller side.
+Add some sanity checks in the parsers, at least, to guarantee the
+given descriptor size, for avoiding the potential crashes.
+
+Fixes: 79f920fbff56 ("ALSA: usb-audio: parse clock topology of UAC2 devices")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/clock.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/clock.c
++++ b/sound/usb/clock.c
+@@ -43,7 +43,7 @@ static struct uac_clock_source_descripto
+       while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
+                                            ctrl_iface->extralen,
+                                            cs, UAC2_CLOCK_SOURCE))) {
+-              if (cs->bClockID == clock_id)
++              if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id)
+                       return cs;
+       }
+@@ -59,8 +59,11 @@ static struct uac_clock_selector_descrip
+       while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
+                                            ctrl_iface->extralen,
+                                            cs, UAC2_CLOCK_SELECTOR))) {
+-              if (cs->bClockID == clock_id)
++              if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) {
++                      if (cs->bLength < 5 + cs->bNrInPins)
++                              return NULL;
+                       return cs;
++              }
+       }
+       return NULL;
+@@ -75,7 +78,7 @@ static struct uac_clock_multiplier_descr
+       while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra,
+                                            ctrl_iface->extralen,
+                                            cs, UAC2_CLOCK_MULTIPLIER))) {
+-              if (cs->bClockID == clock_id)
++              if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id)
+                       return cs;
+       }
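Review bot: In the clock selector lookup the added bound `cs->bLength < 5 + cs->bNrInPins` covers only the fixed header and the `baCSourceID[]` array. As far as I recall the UAC2 layout, `bmControls` and `iClockSelector` follow that array, so if any caller reads those trailing bytes (not visible here) the bound needs to include them, e.g. `if (cs->bLength < 5 + cs->bNrInPins + 2)`. The literal 5 also appears to duplicate the `sizeof(*cs)` used one line above; writing both checks with the same expression would keep them in step. All three loops start outside their hunks.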
diff --git a/queue-3.18/alsa-usb-audio-add-sanity-checks-to-fe-parser.patch b/queue-3.18/alsa-usb-audio-add-sanity-checks-to-fe-parser.patch
new file mode 100644 (file)
index 0000000..d445a18
--- /dev/null
@@ -0,0 +1,51 @@
+From d937cd6790a2bef2d07b500487646bd794c039bb Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 21 Nov 2017 16:55:51 +0100
+Subject: ALSA: usb-audio: Add sanity checks to FE parser
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d937cd6790a2bef2d07b500487646bd794c039bb upstream.
+
+When the usb-audio descriptor contains the malformed feature unit
+description with a too short length, the driver may access
+out-of-bounds.  Add a sanity check of the header size at the beginning
+of parse_audio_feature_unit().
+
+Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1373,6 +1373,12 @@ static int parse_audio_feature_unit(stru
+       __u8 *bmaControls;
+       if (state->mixer->protocol == UAC_VERSION_1) {
++              if (hdr->bLength < 7) {
++                      usb_audio_err(state->chip,
++                                    "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
++                                    unitid);
++                      return -EINVAL;
++              }
+               csize = hdr->bControlSize;
+               if (!csize) {
+                       usb_audio_dbg(state->chip,
+@@ -1390,6 +1396,12 @@ static int parse_audio_feature_unit(stru
+               }
+       } else {
+               struct uac2_feature_unit_descriptor *ftr = _ftr;
++              if (hdr->bLength < 6) {
++                      usb_audio_err(state->chip,
++                                    "unit %u: invalid UAC_FEATURE_UNIT descriptor\n",
++                                    unitid);
++                      return -EINVAL;
++              }
+               csize = 4;
+               channels = (hdr->bLength - 6) / 4 - 1;
+               bmaControls = ftr->bmaControls;
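Review bot: In the UAC2 branch the added `hdr->bLength < 6` check still admits lengths 6 through 9, for which `channels = (hdr->bLength - 6) / 4 - 1` two lines later evaluates to -1. Whether a negative `channels` is rejected further down in parse_audio_feature_unit() is not visible in this hunk and should be confirmed; if it is not, requiring room for the master control as well, `if (hdr->bLength < 6 + 4) {`, closes the gap. The bare 7 and 6 would also be easier to review with a short comment naming the header fields they account for.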
diff --git a/queue-3.18/alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch b/queue-3.18/alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch
new file mode 100644 (file)
index 0000000..bc88305
--- /dev/null
@@ -0,0 +1,34 @@
+From f658f17b5e0e339935dca23e77e0f3cad591926b Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 21 Nov 2017 17:00:32 +0100
+Subject: ALSA: usb-audio: Fix potential out-of-bound access at parsing SU
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f658f17b5e0e339935dca23e77e0f3cad591926b upstream.
+
+The usb-audio driver may trigger an out-of-bound access at parsing a
+malformed selector unit, as it checks the header length only after
+evaluating bNrInPins field, which can be already above the given
+length.  Fix it by adding the length check beforehand.
+
+Fixes: 99fc86450c43 ("ALSA: usb-mixer: parse descriptors with structs")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2018,7 +2018,8 @@ static int parse_audio_selector_unit(str
+       const struct usbmix_name_map *map;
+       char **namelist;
+-      if (!desc->bNrInPins || desc->bLength < 5 + desc->bNrInPins) {
++      if (desc->bLength < 5 || !desc->bNrInPins ||
++          desc->bLength < 5 + desc->bNrInPins) {
+               usb_audio_err(state->chip,
+                       "invalid SELECTOR UNIT descriptor %d\n", unitid);
+               return -EINVAL;
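Review bot: The rewritten condition still accepts `desc->bLength == 5 + desc->bNrInPins`, which leaves no byte for the iSelector field that, as I understand the selector unit layout, follows `baSourceID[]`. If the function later takes the string index from the last byte of the descriptor (outside this hunk), a malformed device would have its last source ID interpreted as that index; this is a wrong value rather than an out-of-bounds read. Consider `desc->bLength < 6 + desc->bNrInPins` for the last clause if that layout holds for every protocol version handled here, or at least add a comment stating which fields the literal 5 covers.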
diff --git a/queue-3.18/alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch b/queue-3.18/alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch
new file mode 100644 (file)
index 0000000..9e73497
--- /dev/null
@@ -0,0 +1,39 @@
+From 8428a8ebde2db1e988e41a58497a28beb7ce1705 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 21 Nov 2017 17:07:43 +0100
+Subject: ALSA: usb-audio: Fix potential zero-division at parsing FU
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8428a8ebde2db1e988e41a58497a28beb7ce1705 upstream.
+
+parse_audio_feature_unit() contains a code dividing potentially with
+zero when a malformed FU descriptor is passed.  Although there is
+already a sanity check, it checks only the value zero, hence it can
+still lead to a zero-division when a value 1 is passed there.
+
+Fix it by correcting the sanity check (and the error message
+thereof).
+
+Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1380,9 +1380,9 @@ static int parse_audio_feature_unit(stru
+                       return -EINVAL;
+               }
+               csize = hdr->bControlSize;
+-              if (!csize) {
++              if (csize <= 1) {
+                       usb_audio_dbg(state->chip,
+-                                    "unit %u: invalid bControlSize == 0\n",
++                                    "unit %u: invalid bControlSize <= 1\n",
+                                     unitid);
+                       return -EINVAL;
+               }
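Review bot: The rejection of `csize <= 1` is reported through `usb_audio_dbg`, so on a kernel without debug messages enabled a device refused here loses its feature unit with nothing in the log. Because the check now also turns away `bControlSize == 1`, a visible message helps triage: `usb_audio_err(state->chip, "unit %u: invalid bControlSize <= 1\n", unitid);`. The division the commit message refers to lies outside the hunk, so a one-line comment next to the check naming the expression that requires `csize > 1` would make the bound reviewable.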
diff --git a/queue-3.18/autofs-don-t-fail-mount-for-transient-error.patch b/queue-3.18/autofs-don-t-fail-mount-for-transient-error.patch
new file mode 100644 (file)
index 0000000..7e479d2
--- /dev/null
@@ -0,0 +1,81 @@
+From ecc0c469f27765ed1e2b967be0aa17cee1a60b76 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 17 Nov 2017 15:29:13 -0800
+Subject: autofs: don't fail mount for transient error
+
+From: NeilBrown <neilb@suse.com>
+
+commit ecc0c469f27765ed1e2b967be0aa17cee1a60b76 upstream.
+
+Currently if the autofs kernel module gets an error when writing to the
+pipe which links to the daemon, then it marks the whole moutpoint as
+catatonic, and it will stop working.
+
+It is possible that the error is transient.  This can happen if the
+daemon is slow and more than 16 requests queue up.  If a subsequent
+process tries to queue a request, and is then signalled, the write to
+the pipe will return -ERESTARTSYS and autofs will take that as total
+failure.
+
+So change the code to assess -ERESTARTSYS and -ENOMEM as transient
+failures which only abort the current request, not the whole mountpoint.
+
+It isn't a crash or a data corruption, but having autofs mountpoints
+suddenly stop working is rather inconvenient.
+
+Ian said:
+
+: And given the problems with a half dozen (or so) user space applications
+: consuming large amounts of CPU under heavy mount and umount activity this
+: could happen more easily than we expect.
+
+Link: http://lkml.kernel.org/r/87y3norvgp.fsf@notabene.neil.brown.name
+Signed-off-by: NeilBrown <neilb@suse.com>
+Acked-by: Ian Kent <raven@themaw.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/autofs4/waitq.c |   15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/fs/autofs4/waitq.c
++++ b/fs/autofs4/waitq.c
+@@ -87,7 +87,8 @@ static int autofs4_write(struct autofs_s
+               spin_unlock_irqrestore(&current->sighand->siglock, flags);
+       }
+-      return (bytes > 0);
++      /* if 'wr' returned 0 (impossible) we assume -EIO (safe) */
++      return bytes == 0 ? 0 : wr < 0 ? wr : -EIO;
+ }
+       
+ static void autofs4_notify_daemon(struct autofs_sb_info *sbi,
+@@ -101,6 +102,7 @@ static void autofs4_notify_daemon(struct
+       } pkt;
+       struct file *pipe = NULL;
+       size_t pktsz;
++      int ret;
+       DPRINTK("wait id = 0x%08lx, name = %.*s, type=%d",
+               (unsigned long) wq->wait_queue_token, wq->name.len, wq->name.name, type);
+@@ -173,7 +175,18 @@ static void autofs4_notify_daemon(struct
+       mutex_unlock(&sbi->wq_mutex);
+       if (autofs4_write(sbi, pipe, &pkt, pktsz))
++      switch (ret = autofs4_write(sbi, pipe, &pkt, pktsz)) {
++      case 0:
++              break;
++      case -ENOMEM:
++      case -ERESTARTSYS:
++              /* Just fail this one */
++              autofs4_wait_release(sbi, wq->wait_queue_token, ret);
++              break;
++      default:
+               autofs4_catatonic_mode(sbi);
++              break;
++      }
+       fput(pipe);
+ }
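Review bot: In the last inner hunk the old `if (autofs4_write(sbi, pipe, &pkt, pktsz))` line is kept as context directly above the added `switch`, so the whole switch becomes the body of that `if`. Since autofs4_write() now returns 0 on success and a negative errno on failure, a failed first write is followed by a second write of the same packet, and only the second result is classified as transient or fatal. The inner diffstat (14 insertions, 1 deletion) agrees that this line is not removed by the patch. The `if` line should be dropped so that `switch (ret = autofs4_write(sbi, pipe, &pkt, pktsz)) {` is the only call.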
diff --git a/queue-3.18/bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch b/queue-3.18/bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch
new file mode 100644 (file)
index 0000000..4340dc5
--- /dev/null
@@ -0,0 +1,46 @@
+From 91af8300d9c1d7c6b6a2fd754109e08d4798b8d8 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Fri, 13 Oct 2017 16:35:29 -0700
+Subject: bcache: check ca->alloc_thread initialized before wake up it
+
+From: Coly Li <colyli@suse.de>
+
+commit 91af8300d9c1d7c6b6a2fd754109e08d4798b8d8 upstream.
+
+In bcache code, sysfs entries are created before all resources get
+allocated, e.g. allocation thread of a cache set.
+
+There is posibility for NULL pointer deference if a resource is accessed
+but which is not initialized yet. Indeed Jorg Bornschein catches one on
+cache set allocation thread and gets a kernel oops.
+
+The reason for this bug is, when bch_bucket_alloc() is called during
+cache set registration and attaching, ca->alloc_thread is not properly
+allocated and initialized yet, call wake_up_process() on ca->alloc_thread
+triggers NULL pointer deference failure. A simple and fast fix is, before
+waking up ca->alloc_thread, checking whether it is allocated, and only
+wake up ca->alloc_thread when it is not NULL.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Reported-by: Jorg Bornschein <jb@capsec.org>
+Cc: Kent Overstreet <kent.overstreet@gmail.com>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/alloc.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/alloc.c
++++ b/drivers/md/bcache/alloc.c
+@@ -406,7 +406,8 @@ long bch_bucket_alloc(struct cache *ca,
+       finish_wait(&ca->set->bucket_wait, &w);
+ out:
+-      wake_up_process(ca->alloc_thread);
++      if (ca->alloc_thread)
++              wake_up_process(ca->alloc_thread);
+       trace_bcache_alloc(ca, reserve);
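Review bot: `ca->alloc_thread` is loaded once for the NULL test and again for `wake_up_process()`, and nothing in the hunk orders those loads against the code that assigns the pointer. That is harmless if the field only ever goes from NULL to a live task while this path can run, but the assumption is not written down, and the guard does nothing for a pointer that is torn down concurrently. Reading it once, `struct task_struct *t = ca->alloc_thread;` followed by `if (t) wake_up_process(t);`, or a comment stating why a plain read is enough, would make this explicit. bch_bucket_alloc() starts and ends outside the hunk.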
diff --git a/queue-3.18/bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch b/queue-3.18/bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch
new file mode 100644 (file)
index 0000000..bc86d8b
--- /dev/null
@@ -0,0 +1,76 @@
+From d59b23795933678c9638fd20c942d2b4f3cd6185 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Mon, 30 Oct 2017 14:46:31 -0700
+Subject: bcache: only permit to recovery read error when cache device is clean
+
+From: Coly Li <colyli@suse.de>
+
+commit d59b23795933678c9638fd20c942d2b4f3cd6185 upstream.
+
+When bcache does read I/Os, for example in writeback or writethrough mode,
+if a read request on cache device is failed, bcache will try to recovery
+the request by reading from cached device. If the data on cached device is
+not synced with cache device, then requester will get a stale data.
+
+For critical storage system like database, providing stale data from
+recovery may result an application level data corruption, which is
+unacceptible.
+
+With this patch, for a failed read request in writeback or writethrough
+mode, recovery a recoverable read request only happens when cache device
+is clean. That is to say, all data on cached device is up to update.
+
+For other cache modes in bcache, read request will never hit
+cached_dev_read_error(), they don't need this patch.
+
+Please note, because cache mode can be switched arbitrarily in run time, a
+writethrough mode might be switched from a writeback mode. Therefore
+checking dc->has_data in writethrough mode still makes sense.
+
+Changelog:
+V4: Fix parens error pointed by Michael Lyle.
+v3: By response from Kent Oversteet, he thinks recovering stale data is a
+    bug to fix, and option to permit it is unnecessary. So this version
+    the sysfs file is removed.
+v2: rename sysfs entry from allow_stale_data_on_failure  to
+    allow_stale_data_on_failure, and fix the confusing commit log.
+v1: initial patch posted.
+
+[small change to patch comment spelling by mlyle]
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Michael Lyle <mlyle@lyle.org>
+Reported-by: Arne Wolf <awolf@lenovo.com>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Cc: Kent Overstreet <kent.overstreet@gmail.com>
+Cc: Nix <nix@esperi.org.uk>
+Cc: Kai Krakow <hurikhan77@gmail.com>
+Cc: Eric Wheeler <bcache@lists.ewheeler.net>
+Cc: Junhui Tang <tang.junhui@zte.com.cn>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/request.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/request.c
++++ b/drivers/md/bcache/request.c
+@@ -705,8 +705,16 @@ static void cached_dev_read_error(struct
+ {
+       struct search *s = container_of(cl, struct search, cl);
+       struct bio *bio = &s->bio.bio;
++      struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
+-      if (s->recoverable) {
++      /*
++       * If cache device is dirty (dc->has_dirty is non-zero), then
++       * recovery a failed read request from cached device may get a
++       * stale data back. So read failure recovery is only permitted
++       * when cache device is clean.
++       */
++      if (s->recoverable &&
++          (dc && !atomic_read(&dc->has_dirty))) {
+               /* Retry from the backing device: */
+               trace_bcache_read_retry(s->orig_bio);
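Review bot: The `dc &&` term in the new condition cannot work as a NULL check, because `dc` comes from `container_of(s->d, struct cached_dev, disk)`, which is pointer arithmetic on `s->d` and is NULL only by coincidence of the member offset. It reads as if a missing cached device were handled when it is not; `if (s->recoverable && !atomic_read(&dc->has_dirty)) {` states what the code actually tests. The value of `has_dirty` is sampled once here, so whether it can change before the retry is issued should be confirmed. What the function does when recovery is refused lies outside the hunk.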
diff --git a/queue-3.18/dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch b/queue-3.18/dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch
new file mode 100644 (file)
index 0000000..f9a71c7
--- /dev/null
@@ -0,0 +1,72 @@
+From b9a41d21dceadf8104812626ef85dc56ee8a60ed Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Wed, 1 Nov 2017 15:42:36 +0800
+Subject: dm: fix race between dm_get_from_kobject() and __dm_destroy()
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit b9a41d21dceadf8104812626ef85dc56ee8a60ed upstream.
+
+The following BUG_ON was hit when testing repeat creation and removal of
+DM devices:
+
+    kernel BUG at drivers/md/dm.c:2919!
+    CPU: 7 PID: 750 Comm: systemd-udevd Not tainted 4.1.44
+    Call Trace:
+     [<ffffffff81649e8b>] dm_get_from_kobject+0x34/0x3a
+     [<ffffffff81650ef1>] dm_attr_show+0x2b/0x5e
+     [<ffffffff817b46d1>] ? mutex_lock+0x26/0x44
+     [<ffffffff811df7f5>] sysfs_kf_seq_show+0x83/0xcf
+     [<ffffffff811de257>] kernfs_seq_show+0x23/0x25
+     [<ffffffff81199118>] seq_read+0x16f/0x325
+     [<ffffffff811de994>] kernfs_fop_read+0x3a/0x13f
+     [<ffffffff8117b625>] __vfs_read+0x26/0x9d
+     [<ffffffff8130eb59>] ? security_file_permission+0x3c/0x44
+     [<ffffffff8117bdb8>] ? rw_verify_area+0x83/0xd9
+     [<ffffffff8117be9d>] vfs_read+0x8f/0xcf
+     [<ffffffff81193e34>] ? __fdget_pos+0x12/0x41
+     [<ffffffff8117c686>] SyS_read+0x4b/0x76
+     [<ffffffff817b606e>] system_call_fastpath+0x12/0x71
+
+The bug can be easily triggered, if an extra delay (e.g. 10ms) is added
+between the test of DMF_FREEING & DMF_DELETING and dm_get() in
+dm_get_from_kobject().
+
+To fix it, we need to ensure the test of DMF_FREEING & DMF_DELETING and
+dm_get() are done in an atomic way, so _minor_lock is used.
+
+The other callers of dm_get() have also been checked to be OK: some
+callers invoke dm_get() under _minor_lock, some callers invoke it under
+_hash_lock, and dm_start_request() invoke it after increasing
+md->open_count.
+
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -3033,11 +3033,15 @@ struct mapped_device *dm_get_from_kobjec
+       md = container_of(kobj, struct mapped_device, kobj_holder.kobj);
+-      if (test_bit(DMF_FREEING, &md->flags) ||
+-          dm_deleting_md(md))
+-              return NULL;
+-
++      spin_lock(&_minor_lock);
++      if (test_bit(DMF_FREEING, &md->flags) || dm_deleting_md(md)) {
++              md = NULL;
++              goto out;
++      }
+       dm_get(md);
++out:
++      spin_unlock(&_minor_lock);
++
+       return md;
+ }
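Review bot: The reason `_minor_lock` is taken here is recorded only in the commit message, so a later cleanup could move `dm_get()` back outside the lock and reopen the race. A comment above `spin_lock(&_minor_lock);` would keep it in the code: `/* Test DMF_FREEING/DMF_DELETING and take the reference under _minor_lock so the pair is atomic with respect to __dm_destroy(). */`. The function starts outside the hunk.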
diff --git a/queue-3.18/ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch b/queue-3.18/ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch
new file mode 100644 (file)
index 0000000..a3caa67
--- /dev/null
@@ -0,0 +1,43 @@
+From db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 22 Aug 2017 23:41:28 +0300
+Subject: eCryptfs: use after free in ecryptfs_release_messaging()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 upstream.
+
+We're freeing the list iterator so we should be using the _safe()
+version of hlist_for_each_entry().
+
+Fixes: 88b4a07e6610 ("[PATCH] eCryptfs: Public key transport mechanism")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/messaging.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/ecryptfs/messaging.c
++++ b/fs/ecryptfs/messaging.c
+@@ -442,15 +442,16 @@ void ecryptfs_release_messaging(void)
+       }
+       if (ecryptfs_daemon_hash) {
+               struct ecryptfs_daemon *daemon;
++              struct hlist_node *n;
+               int i;
+               mutex_lock(&ecryptfs_daemon_hash_mux);
+               for (i = 0; i < (1 << ecryptfs_hash_bits); i++) {
+                       int rc;
+-                      hlist_for_each_entry(daemon,
+-                                           &ecryptfs_daemon_hash[i],
+-                                           euid_chain) {
++                      hlist_for_each_entry_safe(daemon, n,
++                                                &ecryptfs_daemon_hash[i],
++                                                euid_chain) {
+                               rc = ecryptfs_exorcise_daemon(daemon);
+                               if (rc)
+                                       printk(KERN_ERR "%s: Error whilst "
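Review bot: Nothing at the loop says why the `_safe` iterator is required, so the use-after-free fixed here could come back with a tidy-up that drops the extra cursor. Per the commit message the entry being iterated is freed inside the loop; assuming that happens in the call shown, a short comment above `hlist_for_each_entry_safe(` such as `/* _safe: ecryptfs_exorcise_daemon() may free daemon */` records the constraint. The loop body continues past the end of the hunk.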
diff --git a/queue-3.18/ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch b/queue-3.18/ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch
new file mode 100644 (file)
index 0000000..1c7f6b3
--- /dev/null
@@ -0,0 +1,64 @@
+From 51e3ae81ec58e95f10a98ef3dd6d7bce5d8e35a2 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Fri, 6 Oct 2017 23:09:55 -0400
+Subject: ext4: fix interaction between i_size, fallocate, and delalloc after a crash
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 51e3ae81ec58e95f10a98ef3dd6d7bce5d8e35a2 upstream.
+
+If there are pending writes subject to delayed allocation, then i_size
+will show size after the writes have completed, while i_disksize
+contains the value of i_size on the disk (since the writes have not
+been persisted to disk).
+
+If fallocate(2) is called with the FALLOC_FL_KEEP_SIZE flag, either
+with or without the FALLOC_FL_ZERO_RANGE flag set, and the new size
+after the fallocate(2) is between i_size and i_disksize, then after a
+crash, if a journal commit has resulted in the changes made by the
+fallocate() call to be persisted after a crash, but the delayed
+allocation write has not resolved itself, i_size would not be updated,
+and this would cause the following e2fsck complaint:
+
+Inode 12, end of extent exceeds allowed value
+       (logical block 33, physical block 33441, len 7)
+
+This can only take place on a sparse file, where the fallocate(2) call
+is allocating blocks in a range which is before a pending delayed
+allocation write which is extending i_size.  Since this situation is
+quite rare, and the window in which the crash must take place is
+typically < 30 seconds, in practice this condition will rarely happen.
+
+Nevertheless, it can be triggered in testing, and in particular by
+xfstests generic/456.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reported-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/extents.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -4807,7 +4807,8 @@ static long ext4_zero_range(struct file
+       }
+       if (!(mode & FALLOC_FL_KEEP_SIZE) &&
+-           offset + len > i_size_read(inode)) {
++          (offset + len > i_size_read(inode) ||
++           offset + len > EXT4_I(inode)->i_disksize)) {
+               new_size = offset + len;
+               ret = inode_newsize_ok(inode, new_size);
+               if (ret)
+@@ -4951,7 +4952,8 @@ long ext4_fallocate(struct file *file, i
+       }
+       if (!(mode & FALLOC_FL_KEEP_SIZE) &&
+-           offset + len > i_size_read(inode)) {
++          (offset + len > i_size_read(inode) ||
++           offset + len > EXT4_I(inode)->i_disksize)) {
+               new_size = offset + len;
+               ret = inode_newsize_ok(inode, new_size);
+               if (ret)
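Review bot: The extended condition is duplicated verbatim in ext4_zero_range() and ext4_fallocate(), and neither copy says why `i_disksize` is compared in addition to `i_size`. A comment on both, for example `/* i_disksize can lag behind i_size while delalloc writes are pending */`, would stop the second clause from being removed as redundant. `offset + len` is now evaluated three times in each condition; whether its range is checked before this point is outside the hunks, and a local holding the sum would make that single checked value obvious.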
diff --git a/queue-3.18/fs-9p-compare-qid.path-in-v9fs_test_inode.patch b/queue-3.18/fs-9p-compare-qid.path-in-v9fs_test_inode.patch
new file mode 100644 (file)
index 0000000..6fa8fdf
--- /dev/null
@@ -0,0 +1,51 @@
+From 8ee031631546cf2f7859cc69593bd60bbdd70b46 Mon Sep 17 00:00:00 2001
+From: Tuomas Tynkkynen <tuomas@tuxera.com>
+Date: Wed, 6 Sep 2017 17:59:07 +0300
+Subject: fs/9p: Compare qid.path in v9fs_test_inode
+
+From: Tuomas Tynkkynen <tuomas@tuxera.com>
+
+commit 8ee031631546cf2f7859cc69593bd60bbdd70b46 upstream.
+
+Commit fd2421f54423 ("fs/9p: When doing inode lookup compare qid details
+and inode mode bits.") transformed v9fs_qid_iget() to use iget5_locked()
+instead of iget_locked(). However, the test() callback is not checking
+fid.path at all, which means that a lookup in the inode cache can now
+accidentally locate a completely wrong inode from the same inode hash
+bucket if the other fields (qid.type and qid.version) match.
+
+Fixes: fd2421f54423 ("fs/9p: When doing inode lookup compare qid details and inode mode bits.")
+Reviewed-by: Latchesar Ionkov <lucho@ionkov.net>
+Signed-off-by: Tuomas Tynkkynen <tuomas@tuxera.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/9p/vfs_inode.c      |    3 +++
+ fs/9p/vfs_inode_dotl.c |    3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/fs/9p/vfs_inode.c
++++ b/fs/9p/vfs_inode.c
+@@ -483,6 +483,9 @@ static int v9fs_test_inode(struct inode
+       if (v9inode->qid.type != st->qid.type)
+               return 0;
++
++      if (v9inode->qid.path != st->qid.path)
++              return 0;
+       return 1;
+ }
+--- a/fs/9p/vfs_inode_dotl.c
++++ b/fs/9p/vfs_inode_dotl.c
+@@ -87,6 +87,9 @@ static int v9fs_test_inode_dotl(struct i
+       if (v9inode->qid.type != st->qid.type)
+               return 0;
++
++      if (v9inode->qid.path != st->qid.path)
++              return 0;
+       return 1;
+ }
diff --git a/queue-3.18/iscsi-target-fix-non-immediate-tmr-reference-leak.patch b/queue-3.18/iscsi-target-fix-non-immediate-tmr-reference-leak.patch
new file mode 100644 (file)
index 0000000..ca869fc
--- /dev/null
@@ -0,0 +1,47 @@
+From 3fc9fb13a4b2576aeab86c62fd64eb29ab68659c Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Fri, 27 Oct 2017 20:52:56 -0700
+Subject: iscsi-target: Fix non-immediate TMR reference leak
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 3fc9fb13a4b2576aeab86c62fd64eb29ab68659c upstream.
+
+This patch fixes a se_cmd->cmd_kref reference leak that can
+occur when a non immediate TMR is proceeded our of command
+sequence number order, and CMDSN_LOWER_THAN_EXP is returned
+by iscsit_sequence_cmd().
+
+To address this bug, call target_put_sess_cmd() during this
+special case following what iscsit_process_scsi_cmd() does
+upon CMDSN_LOWER_THAN_EXP.
+
+Cc: Mike Christie <mchristi@redhat.com>
+Cc: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -1915,12 +1915,14 @@ attach:
+       if (!(hdr->opcode & ISCSI_OP_IMMEDIATE)) {
+               int cmdsn_ret = iscsit_sequence_cmd(conn, cmd, buf, hdr->cmdsn);
+-              if (cmdsn_ret == CMDSN_HIGHER_THAN_EXP)
++              if (cmdsn_ret == CMDSN_HIGHER_THAN_EXP) {
+                       out_of_order_cmdsn = 1;
+-              else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP)
++              } else if (cmdsn_ret == CMDSN_LOWER_THAN_EXP) {
++                      target_put_sess_cmd(&cmd->se_cmd);
+                       return 0;
+-              else if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER)
++              } else if (cmdsn_ret == CMDSN_ERROR_CANNOT_RECOVER) {
+                       return -1;
++              }
+       }
+       iscsit_ack_from_expstatsn(conn, be32_to_cpu(hdr->exp_statsn));
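Review bot: The new `target_put_sess_cmd(&cmd->se_cmd);` in the CMDSN_LOWER_THAN_EXP branch has no comment naming the reference it balances, and the CMDSN_ERROR_CANNOT_RECOVER branch right after it still returns -1 without a put. A comment such as `/* balance the se_cmd->cmd_kref reference held for this TMR */` on the first, and a short one on the second saying who releases the command on that path, would make the asymmetry reviewable. Whether the -1 path is cleaned up elsewhere is not visible, since the function starts and ends outside the hunk. For this 3.18 backport it is also worth confirming that target_put_sess_cmd() takes a single argument in this tree, as older trees may pass the session as well.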
diff --git a/queue-3.18/isofs-fix-timestamps-beyond-2027.patch b/queue-3.18/isofs-fix-timestamps-beyond-2027.patch
new file mode 100644 (file)
index 0000000..8bbac23
--- /dev/null
@@ -0,0 +1,64 @@
+From 34be4dbf87fc3e474a842305394534216d428f5d Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 19 Oct 2017 16:47:48 +0200
+Subject: isofs: fix timestamps beyond 2027
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 34be4dbf87fc3e474a842305394534216d428f5d upstream.
+
+isofs uses a 'char' variable to load the number of years since
+1900 for an inode timestamp. On architectures that use a signed
+char type by default, this results in an invalid date for
+anything beyond 2027.
+
+This changes the function argument to a 'u8' array, which
+is defined the same way on all architectures, and unambiguously
+lets us use years until 2155.
+
+This should be backported to all kernels that might still be
+in use by that date.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/isofs/isofs.h |    2 +-
+ fs/isofs/rock.h  |    2 +-
+ fs/isofs/util.c  |    2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/isofs/isofs.h
++++ b/fs/isofs/isofs.h
+@@ -103,7 +103,7 @@ static inline unsigned int isonum_733(ch
+       /* Ignore bigendian datum due to broken mastering programs */
+       return get_unaligned_le32(p);
+ }
+-extern int iso_date(char *, int);
++extern int iso_date(u8 *, int);
+ struct inode;         /* To make gcc happy */
+--- a/fs/isofs/rock.h
++++ b/fs/isofs/rock.h
+@@ -65,7 +65,7 @@ struct RR_PL_s {
+ };
+ struct stamp {
+-      char time[7];
++      __u8 time[7];           /* actually 6 unsigned, 1 signed */
+ } __attribute__ ((packed));
+ struct RR_TF_s {
+--- a/fs/isofs/util.c
++++ b/fs/isofs/util.c
+@@ -14,7 +14,7 @@
+  * to GMT.  Thus  we should always be correct.
+  */
+-int iso_date(char * p, int flag)
++int iso_date(u8 *p, int flag)
+ {
+       int year, month, day, hour, minute, second, tz;
+       int crtime, days, i;
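Review bot: With `iso_date()` now taking `u8 *p`, the seventh timestamp byte is never sign-extended on load, yet the new rock.h comment `/* actually 6 unsigned, 1 signed */` says that byte is signed. The body of iso_date() lies outside the hunk, so it cannot be confirmed here that the timezone value is converted explicitly. If it is read as plain `p[6]`, writing `tz = flag ? (s8)p[6] : 0;`, or adding a comment at an existing sign-extension step, would make the intent unambiguous. Callers that still pass `char *` buffers are not shown in this patch and should be checked for pointer-sign mismatches.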
diff --git a/queue-3.18/mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch b/queue-3.18/mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch
new file mode 100644 (file)
index 0000000..b508d50
--- /dev/null
@@ -0,0 +1,39 @@
+From 56a46acf62af5ba44fca2f3f1c7c25a2d5385b19 Mon Sep 17 00:00:00 2001
+From: Mirko Parthey <mirko.parthey@web.de>
+Date: Thu, 18 May 2017 21:30:03 +0200
+Subject: MIPS: BCM47XX: Fix LED inversion for WRT54GSv1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirko Parthey <mirko.parthey@web.de>
+
+commit 56a46acf62af5ba44fca2f3f1c7c25a2d5385b19 upstream.
+
+The WLAN LED on the Linksys WRT54GSv1 is active low, but the software
+treats it as active high. Fix the inverted logic.
+
+Fixes: 7bb26b169116 ("MIPS: BCM47xx: Fix LEDs on WRT54GS V1.0")
+Signed-off-by: Mirko Parthey <mirko.parthey@web.de>
+Looks-ok-by: Rafał Miłecki <zajec5@gmail.com>
+Cc: Hauke Mehrtens <hauke@hauke-m.de>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16071/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/bcm47xx/leds.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/bcm47xx/leds.c
++++ b/arch/mips/bcm47xx/leds.c
+@@ -323,7 +323,7 @@ bcm47xx_leds_linksys_wrt54g3gv2[] __init
+ /* Verified on: WRT54GS V1.0 */
+ static const struct gpio_led
+ bcm47xx_leds_linksys_wrt54g_type_0101[] __initconst = {
+-      BCM47XX_GPIO_LED(0, "green", "wlan", 0, LEDS_GPIO_DEFSTATE_OFF),
++      BCM47XX_GPIO_LED(0, "green", "wlan", 1, LEDS_GPIO_DEFSTATE_OFF),
+       BCM47XX_GPIO_LED(1, "green", "power", 0, LEDS_GPIO_DEFSTATE_ON),
+       BCM47XX_GPIO_LED(7, "green", "dmz", 1, LEDS_GPIO_DEFSTATE_OFF),
+ };
diff --git a/queue-3.18/mips-fix-an-n32-core-file-generation-regset-support-regression.patch b/queue-3.18/mips-fix-an-n32-core-file-generation-regset-support-regression.patch
new file mode 100644 (file)
index 0000000..958c527
--- /dev/null
@@ -0,0 +1,83 @@
+From 547da673173de51f73887377eb275304775064ad Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@mips.com>
+Date: Tue, 7 Nov 2017 19:09:20 +0000
+Subject: MIPS: Fix an n32 core file generation regset support regression
+
+From: Maciej W. Rozycki <macro@mips.com>
+
+commit 547da673173de51f73887377eb275304775064ad upstream.
+
+Fix a commit 7aeb753b5353 ("MIPS: Implement task_user_regset_view.")
+regression, then activated by commit 6a9c001b7ec3 ("MIPS: Switch ELF
+core dumper to use regsets.)", that caused n32 processes to dump o32
+core files by failing to set the EF_MIPS_ABI2 flag in the ELF core file
+header's `e_flags' member:
+
+$ file tls-core
+tls-core: ELF 32-bit MSB executable, MIPS, N32 MIPS64 rel2 version 1 (SYSV), [...]
+$ ./tls-core
+Aborted (core dumped)
+$ file core
+core: ELF 32-bit MSB core file MIPS, MIPS-I version 1 (SYSV), SVR4-style
+$
+
+Previously the flag was set as the result of a:
+
+statement placed in arch/mips/kernel/binfmt_elfn32.c, however in the
+regset case, i.e. when CORE_DUMP_USE_REGSET is set, ELF_CORE_EFLAGS is
+no longer used by `fill_note_info' in fs/binfmt_elf.c, and instead the
+`->e_flags' member of the regset view chosen is.  We have the views
+defined in arch/mips/kernel/ptrace.c, however only an o32 and an n64
+one, and the latter is used for n32 as well.  Consequently an o32 core
+file is incorrectly dumped from n32 processes (the ELF32 vs ELF64 class
+is chosen elsewhere, and the 32-bit one is correctly selected for n32).
+
+Correct the issue then by defining an n32 regset view and using it as
+appropriate.  Issue discovered in GDB testing.
+
+Fixes: 7aeb753b5353 ("MIPS: Implement task_user_regset_view.")
+Signed-off-by: Maciej W. Rozycki <macro@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Djordje Todorovic <djordje.todorovic@rt-rk.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/17617/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/ptrace.c |   17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -522,6 +522,19 @@ static const struct user_regset_view use
+       .n              = ARRAY_SIZE(mips64_regsets),
+ };
++#ifdef CONFIG_MIPS32_N32
++
++static const struct user_regset_view user_mipsn32_view = {
++      .name           = "mipsn32",
++      .e_flags        = EF_MIPS_ABI2,
++      .e_machine      = ELF_ARCH,
++      .ei_osabi       = ELF_OSABI,
++      .regsets        = mips64_regsets,
++      .n              = ARRAY_SIZE(mips64_regsets),
++};
++
++#endif /* CONFIG_MIPS32_N32 */
++
+ #endif /* CONFIG_64BIT */
+ const struct user_regset_view *task_user_regset_view(struct task_struct *task)
+@@ -533,6 +546,10 @@ const struct user_regset_view *task_user
+       if (test_tsk_thread_flag(task, TIF_32BIT_REGS))
+               return &user_mips_view;
+ #endif
++#ifdef CONFIG_MIPS32_N32
++      if (test_tsk_thread_flag(task, TIF_32BIT_ADDR))
++              return &user_mipsn32_view;
++#endif
+       return &user_mips64_view;
+ #endif
+ }
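Review bot: The new `TIF_32BIT_ADDR` test in task_user_regset_view() depends on running after the `TIF_32BIT_REGS` test above it, and nothing in the code records that. If o32 tasks also carry TIF_32BIT_ADDR (likely, but the flag setup is not part of this patch), reordering or merging the two `#ifdef` blocks would hand o32 tasks the n32 view and its `EF_MIPS_ABI2` flag. A comment above the new check, e.g. `/* o32 was handled above; a remaining 32-bit-address task is n32 */`, would pin the ordering. The `#ifdef` guarding the first test is outside the hunk.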
diff --git a/queue-3.18/nfs-fix-typo-in-nomigration-mount-option.patch b/queue-3.18/nfs-fix-typo-in-nomigration-mount-option.patch
new file mode 100644 (file)
index 0000000..67ea5e8
--- /dev/null
@@ -0,0 +1,30 @@
+From f02fee227e5f21981152850744a6084ff3fa94ee Mon Sep 17 00:00:00 2001
+From: Joshua Watt <jpewhacker@gmail.com>
+Date: Tue, 7 Nov 2017 16:25:47 -0600
+Subject: NFS: Fix typo in nomigration mount option
+
+From: Joshua Watt <jpewhacker@gmail.com>
+
+commit f02fee227e5f21981152850744a6084ff3fa94ee upstream.
+
+The option was incorrectly masking off all other options.
+
+Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/super.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1321,7 +1321,7 @@ static int nfs_parse_mount_options(char
+                       mnt->options |= NFS_OPTION_MIGRATION;
+                       break;
+               case Opt_nomigration:
+-                      mnt->options &= NFS_OPTION_MIGRATION;
++                      mnt->options &= ~NFS_OPTION_MIGRATION;
+                       break;
+               /*
diff --git a/queue-3.18/nfs-fix-ugly-referral-attributes.patch b/queue-3.18/nfs-fix-ugly-referral-attributes.patch
new file mode 100644 (file)
index 0000000..cbb48df
--- /dev/null
@@ -0,0 +1,85 @@
+From c05cefcc72416a37eba5a2b35f0704ed758a9145 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Sun, 5 Nov 2017 15:45:22 -0500
+Subject: nfs: Fix ugly referral attributes
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit c05cefcc72416a37eba5a2b35f0704ed758a9145 upstream.
+
+Before traversing a referral and performing a mount, the mounted-on
+directory looks strange:
+
+dr-xr-xr-x. 2 4294967294 4294967294 0 Dec 31  1969 dir.0
+
+nfs4_get_referral is wiping out any cached attributes with what was
+returned via GETATTR(fs_locations), but the bit mask for that
+operation does not request any file attributes.
+
+Retrieve owner and timestamp information so that the memcpy in
+nfs4_get_referral fills in more attributes.
+
+Changes since v1:
+- Don't request attributes that the client unconditionally replaces
+- Request only MOUNTED_ON_FILEID or FILEID attribute, not both
+- encode_fs_locations() doesn't use the third bitmask word
+
+Fixes: 6b97fd3da1ea ("NFSv4: Follow a referral")
+Suggested-by: Pradeep Thomas <pradeepthomas@gmail.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c |   18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -243,15 +243,12 @@ const u32 nfs4_fsinfo_bitmap[3] = { FATT
+ };
+ const u32 nfs4_fs_locations_bitmap[3] = {
+-      FATTR4_WORD0_TYPE
+-      | FATTR4_WORD0_CHANGE
++      FATTR4_WORD0_CHANGE
+       | FATTR4_WORD0_SIZE
+       | FATTR4_WORD0_FSID
+       | FATTR4_WORD0_FILEID
+       | FATTR4_WORD0_FS_LOCATIONS,
+-      FATTR4_WORD1_MODE
+-      | FATTR4_WORD1_NUMLINKS
+-      | FATTR4_WORD1_OWNER
++      FATTR4_WORD1_OWNER
+       | FATTR4_WORD1_OWNER_GROUP
+       | FATTR4_WORD1_RAWDEV
+       | FATTR4_WORD1_SPACE_USED
+@@ -6143,9 +6140,7 @@ static int _nfs4_proc_fs_locations(struc
+                                  struct page *page)
+ {
+       struct nfs_server *server = NFS_SERVER(dir);
+-      u32 bitmask[3] = {
+-              [0] = FATTR4_WORD0_FSID | FATTR4_WORD0_FS_LOCATIONS,
+-      };
++      u32 bitmask[3];
+       struct nfs4_fs_locations_arg args = {
+               .dir_fh = NFS_FH(dir),
+               .name = name,
+@@ -6164,12 +6159,15 @@ static int _nfs4_proc_fs_locations(struc
+       dprintk("%s: start\n", __func__);
++      bitmask[0] = nfs4_fattr_bitmap[0] | FATTR4_WORD0_FS_LOCATIONS;
++      bitmask[1] = nfs4_fattr_bitmap[1];
++
+       /* Ask for the fileid of the absent filesystem if mounted_on_fileid
+        * is not supported */
+       if (NFS_SERVER(dir)->attr_bitmask[1] & FATTR4_WORD1_MOUNTED_ON_FILEID)
+-              bitmask[1] |= FATTR4_WORD1_MOUNTED_ON_FILEID;
++              bitmask[0] &= ~FATTR4_WORD0_FILEID;
+       else
+-              bitmask[0] |= FATTR4_WORD0_FILEID;
++              bitmask[1] &= ~FATTR4_WORD1_MOUNTED_ON_FILEID;
+       nfs_fattr_init(&fs_locations->fattr);
+       fs_locations->server = server;
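Review bot: `u32 bitmask[3];` in _nfs4_proc_fs_locations() is now uninitialised and only words 0 and 1 are assigned afterwards, so `bitmask[2]` holds leftover stack contents. The commit message states that encode_fs_locations() does not use the third word, but the array is presumably still passed on through `args` (its initialiser is cut off by the hunk), so any later reader of word 2 could encode uninitialised kernel stack data into a request. Keeping a zero initialiser, `u32 bitmask[3] = { 0 };`, or adding `bitmask[2] = 0;` next to the two assignments, removes that dependency at no cost.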
diff --git a/queue-3.18/nfsd-deal-with-revoked-delegations-appropriately.patch b/queue-3.18/nfsd-deal-with-revoked-delegations-appropriately.patch
new file mode 100644 (file)
index 0000000..9fb05be
--- /dev/null
@@ -0,0 +1,84 @@
+From 95da1b3a5aded124dd1bda1e3cdb876184813140 Mon Sep 17 00:00:00 2001
+From: Andrew Elble <aweits@rit.edu>
+Date: Fri, 3 Nov 2017 14:06:31 -0400
+Subject: nfsd: deal with revoked delegations appropriately
+
+From: Andrew Elble <aweits@rit.edu>
+
+commit 95da1b3a5aded124dd1bda1e3cdb876184813140 upstream.
+
+If a delegation has been revoked by the server, operations using that
+delegation should error out with NFS4ERR_DELEG_REVOKED in the >4.1
+case, and NFS4ERR_BAD_STATEID otherwise.
+
+The server needs NFSv4.1 clients to explicitly free revoked delegations.
+If the server returns NFS4ERR_DELEG_REVOKED, the client will do that;
+otherwise it may just forget about the delegation and be unable to
+recover when it later sees SEQ4_STATUS_RECALLABLE_STATE_REVOKED set on a
+SEQUENCE reply.  That can cause the Linux 4.1 client to loop in its
+stage manager.
+
+Signed-off-by: Andrew Elble <aweits@rit.edu>
+Reviewed-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4state.c |   25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -3602,7 +3602,8 @@ static struct nfs4_delegation *find_dele
+ {
+       struct nfs4_stid *ret;
+-      ret = find_stateid_by_type(cl, s, NFS4_DELEG_STID);
++      ret = find_stateid_by_type(cl, s,
++                              NFS4_DELEG_STID|NFS4_REVOKED_DELEG_STID);
+       if (!ret)
+               return NULL;
+       return delegstateid(ret);
+@@ -3625,6 +3626,12 @@ nfs4_check_deleg(struct nfs4_client *cl,
+       deleg = find_deleg_stateid(cl, &open->op_delegate_stateid);
+       if (deleg == NULL)
+               goto out;
++      if (deleg->dl_stid.sc_type == NFS4_REVOKED_DELEG_STID) {
++              nfs4_put_stid(&deleg->dl_stid);
++              if (cl->cl_minorversion)
++                      status = nfserr_deleg_revoked;
++              goto out;
++      }
+       flags = share_access_to_flags(open->op_share_access);
+       status = nfs4_check_delegmode(deleg, flags);
+       if (status) {
+@@ -4451,6 +4458,16 @@ nfsd4_lookup_stateid(struct nfsd4_compou
+                    struct nfs4_stid **s, struct nfsd_net *nn)
+ {
+       __be32 status;
++      bool return_revoked = false;
++
++      /*
++       *  only return revoked delegations if explicitly asked.
++       *  otherwise we report revoked or bad_stateid status.
++       */
++      if (typemask & NFS4_REVOKED_DELEG_STID)
++              return_revoked = true;
++      else if (typemask & NFS4_DELEG_STID)
++              typemask |= NFS4_REVOKED_DELEG_STID;
+       if (ZERO_STATEID(stateid) || ONE_STATEID(stateid))
+               return nfserr_bad_stateid;
+@@ -4465,6 +4482,12 @@ nfsd4_lookup_stateid(struct nfsd4_compou
+       *s = find_stateid_by_type(cstate->clp, stateid, typemask);
+       if (!*s)
+               return nfserr_bad_stateid;
++      if (((*s)->sc_type == NFS4_REVOKED_DELEG_STID) && !return_revoked) {
++              nfs4_put_stid(*s);
++              if (cstate->minorversion)
++                      return nfserr_deleg_revoked;
++              return nfserr_bad_stateid;
++      }
+       return nfs_ok;
+ }
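Review bot: In nfs4_check_deleg() the revoked-delegation branch sets `status` only when `cl->cl_minorversion` is non-zero, so the NFSv4.0 result depends on whatever `status` was initialised to outside the hunk. The commit message requires NFS4ERR_BAD_STATEID in that case, and nfsd4_lookup_stateid() in the same patch returns it explicitly. Doing the same here with `status = cl->cl_minorversion ? nfserr_deleg_revoked : nfserr_bad_stateid;` makes the two paths agree and survives a change to the initial value. find_deleg_stateid() now also returns revoked stateids, so any caller other than nfs4_check_deleg() (none are visible in this patch) needs the same `sc_type` check before using the delegation.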
diff --git a/queue-3.18/nilfs2-fix-race-condition-that-causes-file-system-corruption.patch b/queue-3.18/nilfs2-fix-race-condition-that-causes-file-system-corruption.patch
new file mode 100644 (file)
index 0000000..242a1ee
--- /dev/null
@@ -0,0 +1,84 @@
+From 31ccb1f7ba3cfe29631587d451cf5bb8ab593550 Mon Sep 17 00:00:00 2001
+From: Andreas Rohner <andreas.rohner@gmx.net>
+Date: Fri, 17 Nov 2017 15:29:35 -0800
+Subject: nilfs2: fix race condition that causes file system corruption
+
+From: Andreas Rohner <andreas.rohner@gmx.net>
+
+commit 31ccb1f7ba3cfe29631587d451cf5bb8ab593550 upstream.
+
+There is a race condition between nilfs_dirty_inode() and
+nilfs_set_file_dirty().
+
+When a file is opened, nilfs_dirty_inode() is called to update the
+access timestamp in the inode.  It calls __nilfs_mark_inode_dirty() in a
+separate transaction.  __nilfs_mark_inode_dirty() caches the ifile
+buffer_head in the i_bh field of the inode info structure and marks it
+as dirty.
+
+After some data was written to the file in another transaction, the
+function nilfs_set_file_dirty() is called, which adds the inode to the
+ns_dirty_files list.
+
+Then the segment construction calls nilfs_segctor_collect_dirty_files(),
+which goes through the ns_dirty_files list and checks the i_bh field.
+If there is a cached buffer_head in i_bh it is not marked as dirty
+again.
+
+Since nilfs_dirty_inode() and nilfs_set_file_dirty() use separate
+transactions, it is possible that a segment construction that writes out
+the ifile occurs in-between the two.  If this happens the inode is not
+on the ns_dirty_files list, but its ifile block is still marked as dirty
+and written out.
+
+In the next segment construction, the data for the file is written out
+and nilfs_bmap_propagate() updates the b-tree.  Eventually the bmap root
+is written into the i_bh block, which is not dirty, because it was
+written out in another segment construction.
+
+As a result the bmap update can be lost, which leads to file system
+corruption.  Either the virtual block address points to an unallocated
+DAT block, or the DAT entry will be reused for something different.
+
+The error can remain undetected for a long time.  A typical error
+message would be one of the "bad btree" errors or a warning that a DAT
+entry could not be found.
+
+This bug can be reproduced reliably by a simple benchmark that creates
+and overwrites millions of 4k files.
+
+Link: http://lkml.kernel.org/r/1509367935-3086-2-git-send-email-konishi.ryusuke@lab.ntt.co.jp
+Signed-off-by: Andreas Rohner <andreas.rohner@gmx.net>
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Tested-by: Andreas Rohner <andreas.rohner@gmx.net>
+Tested-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nilfs2/segment.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/nilfs2/segment.c
++++ b/fs/nilfs2/segment.c
+@@ -1884,8 +1884,6 @@ static int nilfs_segctor_collect_dirty_f
+                                             "failed to get inode block.\n");
+                               return err;
+                       }
+-                      mark_buffer_dirty(ibh);
+-                      nilfs_mdt_mark_dirty(ifile);
+                       spin_lock(&nilfs->ns_inode_lock);
+                       if (likely(!ii->i_bh))
+                               ii->i_bh = ibh;
+@@ -1894,6 +1892,10 @@ static int nilfs_segctor_collect_dirty_f
+                       goto retry;
+               }
++              // Always redirty the buffer to avoid race condition
++              mark_buffer_dirty(ii->i_bh);
++              nilfs_mdt_mark_dirty(ifile);
++
+               clear_bit(NILFS_I_QUEUED, &ii->i_state);
+               set_bit(NILFS_I_BUSY, &ii->i_state);
+               list_move_tail(&ii->i_dirty, &sci->sc_dirty_files);
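Review bot: The added comment `// Always redirty the buffer to avoid race condition` does not say which race it guards against, and it uses `//` where kernel style expects `/* */`. Something like `/* Always redirty: the ifile block may already have been written out by a segment construction that ran before this inode was queued */` would carry the reasoning from the commit message into the code. The new `mark_buffer_dirty(ii->i_bh)` also relies on `ii->i_bh` being non-NULL once the retry branch above has been passed. The enclosing loop and its locking are outside the hunk, so a brief note on that invariant would help the next reader.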
index 1befe5b2394893792f8c80631a4e31dc89485ab9..525a0d1ea2a0f09fe8a40bf4429e3fb441cf1f09 100644 (file)
@@ -6,3 +6,23 @@ x86-decoder-add-new-test-instruction-pattern.patch
 arm-8721-1-mm-dump-check-hardware-ro-bit-for-lpae.patch
 alsa-hda-add-raven-pci-id.patch
 dm-bufio-fix-integer-overflow-when-limiting-maximum-cache-size.patch
+dm-fix-race-between-dm_get_from_kobject-and-__dm_destroy.patch
+mips-fix-an-n32-core-file-generation-regset-support-regression.patch
+mips-bcm47xx-fix-led-inversion-for-wrt54gsv1.patch
+autofs-don-t-fail-mount-for-transient-error.patch
+nilfs2-fix-race-condition-that-causes-file-system-corruption.patch
+ecryptfs-use-after-free-in-ecryptfs_release_messaging.patch
+bcache-check-ca-alloc_thread-initialized-before-wake-up-it.patch
+bcache-only-permit-to-recovery-read-error-when-cache-device-is-clean.patch
+isofs-fix-timestamps-beyond-2027.patch
+nfs-fix-typo-in-nomigration-mount-option.patch
+nfs-fix-ugly-referral-attributes.patch
+nfsd-deal-with-revoked-delegations-appropriately.patch
+ext4-fix-interaction-between-i_size-fallocate-and-delalloc-after-a-crash.patch
+alsa-usb-audio-add-sanity-checks-to-fe-parser.patch
+alsa-usb-audio-fix-potential-out-of-bound-access-at-parsing-su.patch
+alsa-usb-audio-fix-potential-zero-division-at-parsing-fu.patch
+alsa-usb-audio-add-sanity-checks-in-v2-clock-parsers.patch
+alsa-timer-remove-kernel-warning-at-compat-ioctl-error-paths.patch
+fs-9p-compare-qid.path-in-v9fs_test_inode.patch
+iscsi-target-fix-non-immediate-tmr-reference-leak.patch