--- /dev/null
+From d8949aad3eab5d396f4fefcd581773bf07b9a79e Mon Sep 17 00:00:00 2001
+From: Johan Hedberg <johan.hedberg@intel.com>
+Date: Fri, 4 Sep 2015 12:22:46 +0300
+Subject: Bluetooth: Delay check for conn->smp in smp_conn_security()
+
+From: Johan Hedberg <johan.hedberg@intel.com>
+
+commit d8949aad3eab5d396f4fefcd581773bf07b9a79e upstream.
+
+There are several actions that smp_conn_security() might make that do
+not require a valid SMP context (conn->smp pointer). One of these
+actions is to encrypt the link with an existing LTK. If the SMP
+context wasn't initialized properly we should still allow the
+independent actions to be done, i.e. the check for the context should
+only be done at the last possible moment.
+
+Reported-by: Chuck Ebbert <cebbert.lkml@gmail.com>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/smp.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/bluetooth/smp.c
++++ b/net/bluetooth/smp.c
+@@ -2311,12 +2311,6 @@ int smp_conn_security(struct hci_conn *h
+ if (!conn)
+ return 1;
+
+- chan = conn->smp;
+- if (!chan) {
+- BT_ERR("SMP security requested but not available");
+- return 1;
+- }
+-
+ if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
+ return 1;
+
+@@ -2330,6 +2324,12 @@ int smp_conn_security(struct hci_conn *h
+ if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
+ return 0;
+
++ chan = conn->smp;
++ if (!chan) {
++ BT_ERR("SMP security requested but not available");
++ return 1;
++ }
++
+ l2cap_chan_lock(chan);
+
+ /* If SMP is already in progress ignore this request */
--- /dev/null
+From e0ddde9d44e37fbc21ce893553094ecf1a633ab5 Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Tue, 22 Sep 2015 09:29:38 -0500
+Subject: disabling oplocks/leases via module parm enable_oplocks broken for SMB3
+
+From: Steve French <smfrench@gmail.com>
+
+commit e0ddde9d44e37fbc21ce893553094ecf1a633ab5 upstream.
+
+leases (oplocks) were always requested for SMB2/SMB3 even when oplocks
+disabled in the cifs.ko module.
+
+Signed-off-by: Steve French <steve.french@primarydata.com>
+Reviewed-by: Chandrika Srinivasan <chandrika.srinivasan@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2ops.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -50,9 +50,13 @@ change_conf(struct TCP_Server_Info *serv
+ break;
+ default:
+ server->echoes = true;
+- server->oplocks = true;
++ if (enable_oplocks) {
++ server->oplocks = true;
++ server->oplock_credits = 1;
++ } else
++ server->oplocks = false;
++
+ server->echo_credits = 1;
+- server->oplock_credits = 1;
+ }
+ server->credits -= server->echo_credits + server->oplock_credits;
+ return 0;
--- /dev/null
+From 646200a041203f440fb6fcf9cacd9efeda9de74c Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Mon, 28 Sep 2015 17:21:07 -0500
+Subject: [SMB3] Do not fall back to SMBWriteX in set_file_size error cases
+
+From: Steve French <smfrench@gmail.com>
+
+commit 646200a041203f440fb6fcf9cacd9efeda9de74c upstream.
+
+The error paths in set_file_size for cifs and smb3 are incorrect.
+
+In the unlikely event that a server did not support set file info
+of the file size, the code incorrectly falls back to trying SMBWriteX
+(note that only the original core SMB Write, used for example by DOS,
+can set the file size this way - this actually does not work for the more
+recent SMBWriteX). The idea was since the old DOS SMB Write could set
+the file size if you write zero bytes at that offset then use that if
+server rejects the normal set file info call.
+
+Fortunately the SMBWriteX will never be sent on the wire (except when
+file size is zero) since the length and offset fields were reversed
+in the two places in this function that call SMBWriteX causing
+the fall back path to return an error. It is also important to never call
+an SMB request from an SMB2/sMB3 session (which theoretically would
+be possible, and can cause a brief session drop, although the client
+recovers) so this should be fixed. In practice this path does not happen
+with modern servers but the error fall back to SMBWriteX is clearly wrong.
+
+Removing the calls to SMBWriteX in the error paths in cifs_set_file_size
+
+Pointed out by PaX/grsecurity team
+
+Signed-off-by: Steve French <steve.french@primarydata.com>
+Reported-by: PaX Team <pageexec@freemail.hu>
+CC: Emese Revfy <re.emese@gmail.com>
+CC: Brad Spengler <spender@grsecurity.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/inode.c | 36 +-----------------------------------
+ 1 file changed, 1 insertion(+), 35 deletions(-)
+
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -2034,7 +2034,6 @@ cifs_set_file_size(struct inode *inode,
+ struct tcon_link *tlink = NULL;
+ struct cifs_tcon *tcon = NULL;
+ struct TCP_Server_Info *server;
+- struct cifs_io_parms io_parms;
+
+ /*
+ * To avoid spurious oplock breaks from server, in the case of
+@@ -2056,18 +2055,6 @@ cifs_set_file_size(struct inode *inode,
+ rc = -ENOSYS;
+ cifsFileInfo_put(open_file);
+ cifs_dbg(FYI, "SetFSize for attrs rc = %d\n", rc);
+- if ((rc == -EINVAL) || (rc == -EOPNOTSUPP)) {
+- unsigned int bytes_written;
+-
+- io_parms.netfid = open_file->fid.netfid;
+- io_parms.pid = open_file->pid;
+- io_parms.tcon = tcon;
+- io_parms.offset = 0;
+- io_parms.length = attrs->ia_size;
+- rc = CIFSSMBWrite(xid, &io_parms, &bytes_written,
+- NULL, NULL, 1);
+- cifs_dbg(FYI, "Wrt seteof rc %d\n", rc);
+- }
+ } else
+ rc = -EINVAL;
+
+@@ -2093,28 +2080,7 @@ cifs_set_file_size(struct inode *inode,
+ else
+ rc = -ENOSYS;
+ cifs_dbg(FYI, "SetEOF by path (setattrs) rc = %d\n", rc);
+- if ((rc == -EINVAL) || (rc == -EOPNOTSUPP)) {
+- __u16 netfid;
+- int oplock = 0;
+-
+- rc = SMBLegacyOpen(xid, tcon, full_path, FILE_OPEN,
+- GENERIC_WRITE, CREATE_NOT_DIR, &netfid,
+- &oplock, NULL, cifs_sb->local_nls,
+- cifs_remap(cifs_sb));
+- if (rc == 0) {
+- unsigned int bytes_written;
+-
+- io_parms.netfid = netfid;
+- io_parms.pid = current->tgid;
+- io_parms.tcon = tcon;
+- io_parms.offset = 0;
+- io_parms.length = attrs->ia_size;
+- rc = CIFSSMBWrite(xid, &io_parms, &bytes_written, NULL,
+- NULL, 1);
+- cifs_dbg(FYI, "wrt seteof rc %d\n", rc);
+- CIFSSMBClose(xid, tcon, netfid);
+- }
+- }
++
+ if (tlink)
+ cifs_put_tlink(tlink);
+
--- /dev/null
+From ceb1b0b9b4d1089e9f2731a314689ae17784c861 Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Thu, 24 Sep 2015 00:52:37 -0500
+Subject: [SMB3] Fix sec=krb5 on smb3 mounts
+
+From: Steve French <smfrench@gmail.com>
+
+commit ceb1b0b9b4d1089e9f2731a314689ae17784c861 upstream.
+
+Kerberos, which is very important for security, was only enabled for
+CIFS not SMB2/SMB3 mounts (e.g. vers=3.0)
+
+Patch based on the information detailed in
+http://thread.gmane.org/gmane.linux.kernel.cifs/10081/focus=10307
+to enable Kerberized SMB2/SMB3
+
+a) SMB2_negotiate: enable/use decode_negTokenInit in SMB2_negotiate
+b) SMB2_sess_setup: handle Kerberos sectype and replicate Kerberos
+ SMB1 processing done in sess_auth_kerberos
+
+Signed-off-by: Noel Power <noel.power@suse.com>
+Signed-off-by: Jim McDonough <jmcd@samba.org>
+Signed-off-by: Steve French <steve.french@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 76 +++++++++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 61 insertions(+), 15 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -46,6 +46,7 @@
+ #include "smb2status.h"
+ #include "smb2glob.h"
+ #include "cifspdu.h"
++#include "cifs_spnego.h"
+
+ /*
+ * The following table defines the expected "StructureSize" of SMB2 requests
+@@ -486,19 +487,15 @@ SMB2_negotiate(const unsigned int xid, s
+ cifs_dbg(FYI, "missing security blob on negprot\n");
+
+ rc = cifs_enable_signing(server, ses->sign);
+-#ifdef CONFIG_SMB2_ASN1 /* BB REMOVEME when updated asn1.c ready */
+ if (rc)
+ goto neg_exit;
+- if (blob_length)
++ if (blob_length) {
+ rc = decode_negTokenInit(security_blob, blob_length, server);
+- if (rc == 1)
+- rc = 0;
+- else if (rc == 0) {
+- rc = -EIO;
+- goto neg_exit;
++ if (rc == 1)
++ rc = 0;
++ else if (rc == 0)
++ rc = -EIO;
+ }
+-#endif
+-
+ neg_exit:
+ free_rsp_buf(resp_buftype, rsp);
+ return rc;
+@@ -592,7 +589,8 @@ SMB2_sess_setup(const unsigned int xid,
+ __le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
+ struct TCP_Server_Info *server = ses->server;
+ u16 blob_length = 0;
+- char *security_blob;
++ struct key *spnego_key = NULL;
++ char *security_blob = NULL;
+ char *ntlmssp_blob = NULL;
+ bool use_spnego = false; /* else use raw ntlmssp */
+
+@@ -620,7 +618,8 @@ SMB2_sess_setup(const unsigned int xid,
+ ses->ntlmssp->sesskey_per_smbsess = true;
+
+ /* FIXME: allow for other auth types besides NTLMSSP (e.g. krb5) */
+- ses->sectype = RawNTLMSSP;
++ if (ses->sectype != Kerberos && ses->sectype != RawNTLMSSP)
++ ses->sectype = RawNTLMSSP;
+
+ ssetup_ntlmssp_authenticate:
+ if (phase == NtLmChallenge)
+@@ -649,7 +648,48 @@ ssetup_ntlmssp_authenticate:
+ iov[0].iov_base = (char *)req;
+ /* 4 for rfc1002 length field and 1 for pad */
+ iov[0].iov_len = get_rfc1002_length(req) + 4 - 1;
+- if (phase == NtLmNegotiate) {
++
++ if (ses->sectype == Kerberos) {
++#ifdef CONFIG_CIFS_UPCALL
++ struct cifs_spnego_msg *msg;
++
++ spnego_key = cifs_get_spnego_key(ses);
++ if (IS_ERR(spnego_key)) {
++ rc = PTR_ERR(spnego_key);
++ spnego_key = NULL;
++ goto ssetup_exit;
++ }
++
++ msg = spnego_key->payload.data;
++ /*
++ * check version field to make sure that cifs.upcall is
++ * sending us a response in an expected form
++ */
++ if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
++ cifs_dbg(VFS,
++ "bad cifs.upcall version. Expected %d got %d",
++ CIFS_SPNEGO_UPCALL_VERSION, msg->version);
++ rc = -EKEYREJECTED;
++ goto ssetup_exit;
++ }
++ ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len,
++ GFP_KERNEL);
++ if (!ses->auth_key.response) {
++ cifs_dbg(VFS,
++ "Kerberos can't allocate (%u bytes) memory",
++ msg->sesskey_len);
++ rc = -ENOMEM;
++ goto ssetup_exit;
++ }
++ ses->auth_key.len = msg->sesskey_len;
++ blob_length = msg->secblob_len;
++ iov[1].iov_base = msg->data + msg->sesskey_len;
++ iov[1].iov_len = blob_length;
++#else
++ rc = -EOPNOTSUPP;
++ goto ssetup_exit;
++#endif /* CONFIG_CIFS_UPCALL */
++ } else if (phase == NtLmNegotiate) { /* if not krb5 must be ntlmssp */
+ ntlmssp_blob = kmalloc(sizeof(struct _NEGOTIATE_MESSAGE),
+ GFP_KERNEL);
+ if (ntlmssp_blob == NULL) {
+@@ -672,6 +712,8 @@ ssetup_ntlmssp_authenticate:
+ /* with raw NTLMSSP we don't encapsulate in SPNEGO */
+ security_blob = ntlmssp_blob;
+ }
++ iov[1].iov_base = security_blob;
++ iov[1].iov_len = blob_length;
+ } else if (phase == NtLmAuthenticate) {
+ req->hdr.SessionId = ses->Suid;
+ ntlmssp_blob = kzalloc(sizeof(struct _NEGOTIATE_MESSAGE) + 500,
+@@ -699,6 +741,8 @@ ssetup_ntlmssp_authenticate:
+ } else {
+ security_blob = ntlmssp_blob;
+ }
++ iov[1].iov_base = security_blob;
++ iov[1].iov_len = blob_length;
+ } else {
+ cifs_dbg(VFS, "illegal ntlmssp phase\n");
+ rc = -EIO;
+@@ -710,8 +754,6 @@ ssetup_ntlmssp_authenticate:
+ cpu_to_le16(sizeof(struct smb2_sess_setup_req) -
+ 1 /* pad */ - 4 /* rfc1001 len */);
+ req->SecurityBufferLength = cpu_to_le16(blob_length);
+- iov[1].iov_base = security_blob;
+- iov[1].iov_len = blob_length;
+
+ inc_rfc1001_len(req, blob_length - 1 /* pad */);
+
+@@ -722,6 +764,7 @@ ssetup_ntlmssp_authenticate:
+
+ kfree(security_blob);
+ rsp = (struct smb2_sess_setup_rsp *)iov[0].iov_base;
++ ses->Suid = rsp->hdr.SessionId;
+ if (resp_buftype != CIFS_NO_BUFFER &&
+ rsp->hdr.Status == STATUS_MORE_PROCESSING_REQUIRED) {
+ if (phase != NtLmNegotiate) {
+@@ -739,7 +782,6 @@ ssetup_ntlmssp_authenticate:
+ /* NTLMSSP Negotiate sent now processing challenge (response) */
+ phase = NtLmChallenge; /* process ntlmssp challenge */
+ rc = 0; /* MORE_PROCESSING is not an error here but expected */
+- ses->Suid = rsp->hdr.SessionId;
+ rc = decode_ntlmssp_challenge(rsp->Buffer,
+ le16_to_cpu(rsp->SecurityBufferLength), ses);
+ }
+@@ -796,6 +838,10 @@ keygen_exit:
+ kfree(ses->auth_key.response);
+ ses->auth_key.response = NULL;
+ }
++ if (spnego_key) {
++ key_invalidate(spnego_key);
++ key_put(spnego_key);
++ }
+ kfree(ses->ntlmssp);
+
+ return rc;
--- /dev/null
+From 6f29b9bba7b08c6b1d6f2cc4cf750b342fc1946c Mon Sep 17 00:00:00 2001
+From: Kinglong Mee <kinglongmee@gmail.com>
+Date: Sun, 20 Sep 2015 23:03:28 +0800
+Subject: NFS: Do cleanup before resetting pageio read/write to mds
+
+From: Kinglong Mee <kinglongmee@gmail.com>
+
+commit 6f29b9bba7b08c6b1d6f2cc4cf750b342fc1946c upstream.
+
+There is a reference leak of layout segment after resetting
+pageio read/write to mds.
+
+Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/read.c | 3 +++
+ fs/nfs/write.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/fs/nfs/read.c
++++ b/fs/nfs/read.c
+@@ -72,6 +72,9 @@ void nfs_pageio_reset_read_mds(struct nf
+ {
+ struct nfs_pgio_mirror *mirror;
+
++ if (pgio->pg_ops && pgio->pg_ops->pg_cleanup)
++ pgio->pg_ops->pg_cleanup(pgio);
++
+ pgio->pg_ops = &nfs_pgio_rw_ops;
+
+ /* read path should never have more than one mirror */
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -1351,6 +1351,9 @@ void nfs_pageio_reset_write_mds(struct n
+ {
+ struct nfs_pgio_mirror *mirror;
+
++ if (pgio->pg_ops && pgio->pg_ops->pg_cleanup)
++ pgio->pg_ops->pg_cleanup(pgio);
++
+ pgio->pg_ops = &nfs_pgio_rw_ops;
+
+ nfs_pageio_stop_mirroring(pgio);
--- /dev/null
+From 8fa4592a14ebb3c22a21d846d1e4f65dab7d1a7c Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Thu, 1 Oct 2015 18:38:27 -0400
+Subject: NFS: Fix a write performance regression
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 8fa4592a14ebb3c22a21d846d1e4f65dab7d1a7c upstream.
+
+If all other conditions in nfs_can_extend_write() are met, and there
+are no locks, then we should be able to assume close-to-open semantics
+and the ability to extend our write to cover the whole page.
+
+With this patch, the xfstests generic/074 test completes in 242s instead
+of >1400s on my test rig.
+
+Fixes: bd61e0a9c852 ("locks: convert posix locks to file_lock_context")
+Cc: Jeff Layton <jlayton@primarydata.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/write.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -1223,7 +1223,7 @@ static int nfs_can_extend_write(struct f
+ return 1;
+ if (!flctx || (list_empty_careful(&flctx->flc_flock) &&
+ list_empty_careful(&flctx->flc_posix)))
+- return 0;
++ return 1;
+
+ /* Check to see if there are whole file write locks */
+ ret = 0;
--- /dev/null
+From 048883e0b934d9a5103d40e209cb14b7f33d2933 Mon Sep 17 00:00:00 2001
+From: Peng Tao <tao.peng@primarydata.com>
+Date: Fri, 11 Sep 2015 11:14:06 +0800
+Subject: nfs: fix pg_test page count calculation
+
+From: Peng Tao <tao.peng@primarydata.com>
+
+commit 048883e0b934d9a5103d40e209cb14b7f33d2933 upstream.
+
+We really want sizeof(struct page *) instead. Otherwise we limit
+maximum IO size to 64 pages rather than 512 pages on a 64bit system.
+
+Fixes 2e11f829(nfs: cap request size to fit a kmalloced page array).
+
+Cc: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Peng Tao <tao.peng@primarydata.com>
+Fixes: 2e11f8296d22 ("nfs: cap request size to fit a kmalloced page array")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pagelist.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -508,7 +508,7 @@ size_t nfs_generic_pg_test(struct nfs_pa
+ * for it without upsetting the slab allocator.
+ */
+ if (((mirror->pg_count + req->wb_bytes) >> PAGE_SHIFT) *
+- sizeof(struct page) > PAGE_SIZE)
++ sizeof(struct page *) > PAGE_SIZE)
+ return 0;
+
+ return min(mirror->pg_bsize - mirror->pg_count, (size_t)req->wb_bytes);
--- /dev/null
+From 306a5549355966e480e0dcacdc6b9321d153e0c0 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Wed, 16 Sep 2015 17:21:27 -0400
+Subject: nfs: fix v4.2 SEEK on files over 2 gigs
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+commit 306a5549355966e480e0dcacdc6b9321d153e0c0 upstream.
+
+We're incorrectly assigning a loff_t return to an int. If SEEK_HOLE or
+SEEK_DATA returns an offset over 2^31 then the application will see a
+weird lseek() result (usually -EIO).
+
+Fixes: bdcc2cd14e4e "NFSv4.2: handle NFS-specific llseek errors"
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Reviewed-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs42proc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs42proc.c
++++ b/fs/nfs/nfs42proc.c
+@@ -175,10 +175,12 @@ loff_t nfs42_proc_llseek(struct file *fi
+ {
+ struct nfs_server *server = NFS_SERVER(file_inode(filep));
+ struct nfs4_exception exception = { };
+- int err;
++ loff_t err;
+
+ do {
+ err = _nfs42_proc_llseek(filep, offset, whence);
++ if (err >= 0)
++ break;
+ if (err == -ENOTSUPP)
+ return -EOPNOTSUPP;
+ err = nfs4_handle_exception(server, err, &exception);
--- /dev/null
+From 24311f884189d42d40354a6f38ca218eb9aeb811 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Sun, 20 Sep 2015 10:50:17 -0400
+Subject: NFSv4: Recovery of recalled read delegations is broken
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 24311f884189d42d40354a6f38ca218eb9aeb811 upstream.
+
+When a read delegation is being recalled, and we're reclaiming the
+cached opens, we need to make sure that we only reclaim read-only
+modes.
+A previous attempt to do this, relied on retrieving the delegation
+type from the nfs4_opendata structure. Unfortunately, as Kinglong
+pointed out, this field can only be set when performing reboot recovery.
+
+Furthermore, if we call nfs4_open_recover(), then we end up clobbering
+the state->flags for all modes that we're not recovering...
+
+The fix is to have the delegation recall code pass this information
+to the recovery call, and then refactor the recovery code so that
+nfs4_open_delegation_recall() does not need to call nfs4_open_recover().
+
+Reported-by: Kinglong Mee <kinglongmee@gmail.com>
+Fixes: 39f897fdbd46 ("NFSv4: When returning a delegation, don't...")
+Tested-by: Kinglong Mee <kinglongmee@gmail.com>
+Cc: NeilBrown <neilb@suse.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/delegation.c | 8 +++--
+ fs/nfs/delegation.h | 2 -
+ fs/nfs/nfs4proc.c | 81 ++++++++++++++++++++++++++++++----------------------
+ 3 files changed, 53 insertions(+), 38 deletions(-)
+
+--- a/fs/nfs/delegation.c
++++ b/fs/nfs/delegation.c
+@@ -113,7 +113,8 @@ out:
+ return status;
+ }
+
+-static int nfs_delegation_claim_opens(struct inode *inode, const nfs4_stateid *stateid)
++static int nfs_delegation_claim_opens(struct inode *inode,
++ const nfs4_stateid *stateid, fmode_t type)
+ {
+ struct nfs_inode *nfsi = NFS_I(inode);
+ struct nfs_open_context *ctx;
+@@ -140,7 +141,7 @@ again:
+ /* Block nfs4_proc_unlck */
+ mutex_lock(&sp->so_delegreturn_mutex);
+ seq = raw_seqcount_begin(&sp->so_reclaim_seqcount);
+- err = nfs4_open_delegation_recall(ctx, state, stateid);
++ err = nfs4_open_delegation_recall(ctx, state, stateid, type);
+ if (!err)
+ err = nfs_delegation_claim_locks(ctx, state, stateid);
+ if (!err && read_seqcount_retry(&sp->so_reclaim_seqcount, seq))
+@@ -411,7 +412,8 @@ static int nfs_end_delegation_return(str
+ do {
+ if (test_bit(NFS_DELEGATION_REVOKED, &delegation->flags))
+ break;
+- err = nfs_delegation_claim_opens(inode, &delegation->stateid);
++ err = nfs_delegation_claim_opens(inode, &delegation->stateid,
++ delegation->type);
+ if (!issync || err != -EAGAIN)
+ break;
+ /*
+--- a/fs/nfs/delegation.h
++++ b/fs/nfs/delegation.h
+@@ -54,7 +54,7 @@ void nfs_delegation_reap_unclaimed(struc
+
+ /* NFSv4 delegation-related procedures */
+ int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync);
+-int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid);
++int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid, fmode_t type);
+ int nfs4_lock_delegation_recall(struct file_lock *fl, struct nfs4_state *state, const nfs4_stateid *stateid);
+ bool nfs4_copy_delegation_stateid(nfs4_stateid *dst, struct inode *inode, fmode_t flags);
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1127,6 +1127,21 @@ static int nfs4_wait_for_completion_rpc_
+ return ret;
+ }
+
++static bool nfs4_mode_match_open_stateid(struct nfs4_state *state,
++ fmode_t fmode)
++{
++ switch(fmode & (FMODE_READ|FMODE_WRITE)) {
++ case FMODE_READ|FMODE_WRITE:
++ return state->n_rdwr != 0;
++ case FMODE_WRITE:
++ return state->n_wronly != 0;
++ case FMODE_READ:
++ return state->n_rdonly != 0;
++ }
++ WARN_ON_ONCE(1);
++ return false;
++}
++
+ static int can_open_cached(struct nfs4_state *state, fmode_t mode, int open_mode)
+ {
+ int ret = 0;
+@@ -1561,17 +1576,13 @@ static struct nfs4_opendata *nfs4_open_r
+ return opendata;
+ }
+
+-static int nfs4_open_recover_helper(struct nfs4_opendata *opendata, fmode_t fmode, struct nfs4_state **res)
++static int nfs4_open_recover_helper(struct nfs4_opendata *opendata,
++ fmode_t fmode)
+ {
+ struct nfs4_state *newstate;
+ int ret;
+
+- if ((opendata->o_arg.claim == NFS4_OPEN_CLAIM_DELEGATE_CUR ||
+- opendata->o_arg.claim == NFS4_OPEN_CLAIM_DELEG_CUR_FH) &&
+- (opendata->o_arg.u.delegation_type & fmode) != fmode)
+- /* This mode can't have been delegated, so we must have
+- * a valid open_stateid to cover it - not need to reclaim.
+- */
++ if (!nfs4_mode_match_open_stateid(opendata->state, fmode))
+ return 0;
+ opendata->o_arg.open_flags = 0;
+ opendata->o_arg.fmode = fmode;
+@@ -1587,14 +1598,14 @@ static int nfs4_open_recover_helper(stru
+ newstate = nfs4_opendata_to_nfs4_state(opendata);
+ if (IS_ERR(newstate))
+ return PTR_ERR(newstate);
++ if (newstate != opendata->state)
++ ret = -ESTALE;
+ nfs4_close_state(newstate, fmode);
+- *res = newstate;
+- return 0;
++ return ret;
+ }
+
+ static int nfs4_open_recover(struct nfs4_opendata *opendata, struct nfs4_state *state)
+ {
+- struct nfs4_state *newstate;
+ int ret;
+
+ /* Don't trigger recovery in nfs_test_and_clear_all_open_stateid */
+@@ -1605,27 +1616,15 @@ static int nfs4_open_recover(struct nfs4
+ clear_bit(NFS_DELEGATED_STATE, &state->flags);
+ clear_bit(NFS_OPEN_STATE, &state->flags);
+ smp_rmb();
+- if (state->n_rdwr != 0) {
+- ret = nfs4_open_recover_helper(opendata, FMODE_READ|FMODE_WRITE, &newstate);
+- if (ret != 0)
+- return ret;
+- if (newstate != state)
+- return -ESTALE;
+- }
+- if (state->n_wronly != 0) {
+- ret = nfs4_open_recover_helper(opendata, FMODE_WRITE, &newstate);
+- if (ret != 0)
+- return ret;
+- if (newstate != state)
+- return -ESTALE;
+- }
+- if (state->n_rdonly != 0) {
+- ret = nfs4_open_recover_helper(opendata, FMODE_READ, &newstate);
+- if (ret != 0)
+- return ret;
+- if (newstate != state)
+- return -ESTALE;
+- }
++ ret = nfs4_open_recover_helper(opendata, FMODE_READ|FMODE_WRITE);
++ if (ret != 0)
++ return ret;
++ ret = nfs4_open_recover_helper(opendata, FMODE_WRITE);
++ if (ret != 0)
++ return ret;
++ ret = nfs4_open_recover_helper(opendata, FMODE_READ);
++ if (ret != 0)
++ return ret;
+ /*
+ * We may have performed cached opens for all three recoveries.
+ * Check if we need to update the current stateid.
+@@ -1749,18 +1748,32 @@ static int nfs4_handle_delegation_recall
+ return err;
+ }
+
+-int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
++int nfs4_open_delegation_recall(struct nfs_open_context *ctx,
++ struct nfs4_state *state, const nfs4_stateid *stateid,
++ fmode_t type)
+ {
+ struct nfs_server *server = NFS_SERVER(state->inode);
+ struct nfs4_opendata *opendata;
+- int err;
++ int err = 0;
+
+ opendata = nfs4_open_recoverdata_alloc(ctx, state,
+ NFS4_OPEN_CLAIM_DELEG_CUR_FH);
+ if (IS_ERR(opendata))
+ return PTR_ERR(opendata);
+ nfs4_stateid_copy(&opendata->o_arg.u.delegation, stateid);
+- err = nfs4_open_recover(opendata, state);
++ clear_bit(NFS_DELEGATED_STATE, &state->flags);
++ switch (type & (FMODE_READ|FMODE_WRITE)) {
++ case FMODE_READ|FMODE_WRITE:
++ case FMODE_WRITE:
++ err = nfs4_open_recover_helper(opendata, FMODE_READ|FMODE_WRITE);
++ if (err)
++ break;
++ err = nfs4_open_recover_helper(opendata, FMODE_WRITE);
++ if (err)
++ break;
++ case FMODE_READ:
++ err = nfs4_open_recover_helper(opendata, FMODE_READ);
++ }
+ nfs4_opendata_put(opendata);
+ return nfs4_handle_delegation_recall_error(server, state, stateid, err);
+ }
--- /dev/null
+From 6b3600b4ba0810c84437cf76556d9afbd55c1bfc Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Sat, 26 Sep 2015 21:21:12 +0800
+Subject: regulator: axp20x: Fix enable bit indexes for DCDC4 and DCDC5
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+commit 6b3600b4ba0810c84437cf76556d9afbd55c1bfc upstream.
+
+The enable bit indexes for DCDC4 and DCDC5 regulators are off by 1.
+
+We haven't run into any problems with this since either the regulators
+aren't defined in the DT and aren't used, or all the DCDC regulators
+have the "always-on" property set, as they are almost always used
+for system critical loads.
+
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/axp20x-regulator.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/regulator/axp20x-regulator.c
++++ b/drivers/regulator/axp20x-regulator.c
+@@ -192,9 +192,9 @@ static const struct regulator_desc axp22
+ AXP_DESC(AXP22X, DCDC3, "dcdc3", "vin3", 600, 1860, 20,
+ AXP22X_DCDC3_V_OUT, 0x3f, AXP22X_PWR_OUT_CTRL1, BIT(3)),
+ AXP_DESC(AXP22X, DCDC4, "dcdc4", "vin4", 600, 1540, 20,
+- AXP22X_DCDC4_V_OUT, 0x3f, AXP22X_PWR_OUT_CTRL1, BIT(3)),
++ AXP22X_DCDC4_V_OUT, 0x3f, AXP22X_PWR_OUT_CTRL1, BIT(4)),
+ AXP_DESC(AXP22X, DCDC5, "dcdc5", "vin5", 1000, 2550, 50,
+- AXP22X_DCDC5_V_OUT, 0x1f, AXP22X_PWR_OUT_CTRL1, BIT(4)),
++ AXP22X_DCDC5_V_OUT, 0x1f, AXP22X_PWR_OUT_CTRL1, BIT(5)),
+ /* secondary switchable output of DCDC1 */
+ AXP_DESC_SW(AXP22X, DC1SW, "dc1sw", "dcdc1", 1600, 3400, 100,
+ AXP22X_DCDC1_V_OUT, 0x1f, AXP22X_PWR_OUT_CTRL2, BIT(7)),
--- /dev/null
+From 23c3f310e897837aeb8ffe8700b803cb58e7b35d Mon Sep 17 00:00:00 2001
+From: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+Date: Thu, 17 Sep 2015 14:50:20 +0100
+Subject: regulator: core: Correct return value check in regulator_resolve_supply
+
+From: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+
+commit 23c3f310e897837aeb8ffe8700b803cb58e7b35d upstream.
+
+The ret pointer passed to regulator_dev_lookup is only filled with a
+valid error code if regulator_dev_lookup returned NULL. Currently
+regulator_resolve_supply checks this ret value before it checks if a
+regulator was returned, this can result in valid regulator lookups being
+ignored.
+
+Fixes: 6261b06de565 ("regulator: Defer lookup of supply to regulator_get")
+Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/core.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1376,15 +1376,15 @@ static int regulator_resolve_supply(stru
+ return 0;
+
+ r = regulator_dev_lookup(dev, rdev->supply_name, &ret);
+- if (ret == -ENODEV) {
+- /*
+- * No supply was specified for this regulator and
+- * there will never be one.
+- */
+- return 0;
+- }
+-
+ if (!r) {
++ if (ret == -ENODEV) {
++ /*
++ * No supply was specified for this regulator and
++ * there will never be one.
++ */
++ return 0;
++ }
++
+ if (have_full_constraints()) {
+ r = dummy_regulator_rdev;
+ } else {
--- /dev/null
+From 06423121d9eba0a56b9341cf82b88479017bce14 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@kernel.org>
+Date: Thu, 1 Oct 2015 10:59:48 +0100
+Subject: regulator: core: Handle probe deferral from DT when resolving supplies
+
+From: Mark Brown <broonie@kernel.org>
+
+commit 06423121d9eba0a56b9341cf82b88479017bce14 upstream.
+
+When resolving regulator-regulator supplies we ignore probe deferral
+returns from regulator_dev_lookup() (such as are generated for DT when
+we can see a supply is registered) and just fall back to the dummy
+regulator if there are full constraints (as is the case for DT). This
+means that probe deferral is broken for DT systems, fix that by paying
+attention to -EPROBE_DEFER return codes like we do -ENODEV.
+
+A further patch will simplify this further, this is a minimal fix for
+the specific issue.
+
+Fixes: 9f7e25edb1575a6d2 (regulator: core: Handle full constraints systems when resolving supplies)
+Reported-by: Sascha Hauer <s.hauer@pengutronix.de>
+Tested-by: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Mark Brown <broonnie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1385,6 +1385,10 @@ static int regulator_resolve_supply(stru
+ return 0;
+ }
+
++ /* Did the lookup explicitly defer for us? */
++ if (ret == -EPROBE_DEFER)
++ return ret;
++
+ if (have_full_constraints()) {
+ r = dummy_regulator_rdev;
+ } else {
netfilter-nf_log-wait-for-rcu-grace-after-logger-unregistration.patch
netfilter-nft_compat-skip-family-comparison-in-case-of-nfproto_unspec.patch
netfilter-nf_log-don-t-zap-all-loggers-on-unregister.patch
+regulator-core-correct-return-value-check-in-regulator_resolve_supply.patch
+regulator-axp20x-fix-enable-bit-indexes-for-dcdc4-and-dcdc5.patch
+regulator-core-handle-probe-deferral-from-dt-when-resolving-supplies.patch
+bluetooth-delay-check-for-conn-smp-in-smp_conn_security.patch
+nfs-fix-v4.2-seek-on-files-over-2-gigs.patch
+nfs-do-cleanup-before-resetting-pageio-read-write-to-mds.patch
+nfsv4-recovery-of-recalled-read-delegations-is-broken.patch
+nfs-fix-pg_test-page-count-calculation.patch
+nfs-fix-a-write-performance-regression.patch
+fix-sec-krb5-on-smb3-mounts.patch
+disabling-oplocks-leases-via-module-parm-enable_oplocks-broken-for-smb3.patch
+do-not-fall-back-to-smbwritex-in-set_file_size-error-cases.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
