--- /dev/null
+From 693bdaa164b40b7aa6018b98af6f7e40dbd52457 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Thu, 23 Mar 2017 13:21:38 -0700
+Subject: ACPI / gpio: do not fall back to parsing _CRS when we get a deferral
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 693bdaa164b40b7aa6018b98af6f7e40dbd52457 upstream.
+
+If, while locating GPIOs by name, we get probe deferral, we should
+immediately report it to caller rather than trying to fall back to parsing
+unnamed GPIOs from _CRS block.
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Acked-and-Tested-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib-acpi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib-acpi.c
++++ b/drivers/gpio/gpiolib-acpi.c
+@@ -571,8 +571,10 @@ struct gpio_desc *acpi_find_gpio(struct
+ }
+
+ desc = acpi_get_gpiod_by_index(adev, propname, idx, &info);
+- if (!IS_ERR(desc) || (PTR_ERR(desc) == -EPROBE_DEFER))
++ if (!IS_ERR(desc))
+ break;
++ if (PTR_ERR(desc) == -EPROBE_DEFER)
++ return ERR_CAST(desc);
+ }
+
+ /* Then from plain _CRS GPIOs */
--- /dev/null
+From d77facb88448cdeaaa3adba5b9704a48ac2ac8d6 Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Tue, 28 Mar 2017 09:11:30 +0100
+Subject: brcmfmac: use local iftype avoiding use-after-free of virtual interface
+
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+
+commit d77facb88448cdeaaa3adba5b9704a48ac2ac8d6 upstream.
+
+A use-after-free was found using KASAN. In brcmf_p2p_del_if() the virtual
+interface is removed using call to brcmf_remove_interface(). After that
+the virtual interface instance has been freed and should not be referenced.
+Solve this by storing the nl80211 iftype in local variable, which is used
+in a couple of places anyway.
+
+Reported-by: Daniel J Blueman <daniel@quora.org>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
+@@ -2238,14 +2238,16 @@ int brcmf_p2p_del_vif(struct wiphy *wiph
+ struct brcmf_cfg80211_info *cfg = wiphy_priv(wiphy);
+ struct brcmf_p2p_info *p2p = &cfg->p2p;
+ struct brcmf_cfg80211_vif *vif;
++ enum nl80211_iftype iftype;
+ bool wait_for_disable = false;
+ int err;
+
+ brcmf_dbg(TRACE, "delete P2P vif\n");
+ vif = container_of(wdev, struct brcmf_cfg80211_vif, wdev);
+
++ iftype = vif->wdev.iftype;
+ brcmf_cfg80211_arm_vif_event(cfg, vif);
+- switch (vif->wdev.iftype) {
++ switch (iftype) {
+ case NL80211_IFTYPE_P2P_CLIENT:
+ if (test_bit(BRCMF_VIF_STATUS_DISCONNECTING, &vif->sme_state))
+ wait_for_disable = true;
+@@ -2275,7 +2277,7 @@ int brcmf_p2p_del_vif(struct wiphy *wiph
+ BRCMF_P2P_DISABLE_TIMEOUT);
+
+ err = 0;
+- if (vif->wdev.iftype != NL80211_IFTYPE_P2P_DEVICE) {
++ if (iftype != NL80211_IFTYPE_P2P_DEVICE) {
+ brcmf_vif_clear_mgmt_ies(vif);
+ err = brcmf_p2p_release_p2p_if(vif);
+ }
+@@ -2291,7 +2293,7 @@ int brcmf_p2p_del_vif(struct wiphy *wiph
+ brcmf_remove_interface(vif->ifp, true);
+
+ brcmf_cfg80211_arm_vif_event(cfg, NULL);
+- if (vif->wdev.iftype != NL80211_IFTYPE_P2P_DEVICE)
++ if (iftype != NL80211_IFTYPE_P2P_DEVICE)
+ p2p->bss_idx[P2PAPI_BSSCFG_CONNECTION].vif = NULL;
+
+ return err;
--- /dev/null
+From 86e3e83b443669dd2bcc5c8a83b23e3aa0694c0d Mon Sep 17 00:00:00 2001
+From: Sami Tolvanen <samitolvanen@google.com>
+Date: Fri, 31 Mar 2017 12:32:45 -0700
+Subject: dm verity fec: fix bufio leaks
+
+From: Sami Tolvanen <samitolvanen@google.com>
+
+commit 86e3e83b443669dd2bcc5c8a83b23e3aa0694c0d upstream.
+
+Buffers read through dm_bufio_read() were not released in all code paths.
+
+Fixes: a739ff3f543a ("dm verity: add support for forward error correction")
+Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-verity-fec.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-verity-fec.c
++++ b/drivers/md/dm-verity-fec.c
+@@ -146,8 +146,6 @@ static int fec_decode_bufs(struct dm_ver
+ block = fec_buffer_rs_block(v, fio, n, i);
+ res = fec_decode_rs8(v, fio, block, &par[offset], neras);
+ if (res < 0) {
+- dm_bufio_release(buf);
+-
+ r = res;
+ goto error;
+ }
+@@ -172,6 +170,8 @@ static int fec_decode_bufs(struct dm_ver
+ done:
+ r = corrected;
+ error:
++ dm_bufio_release(buf);
++
+ if (r < 0 && neras)
+ DMERR_LIMIT("%s: FEC %llu: failed to correct: %d",
+ v->data_dev->name, (unsigned long long)rsb, r);
+@@ -269,7 +269,7 @@ static int fec_read_bufs(struct dm_verit
+ &is_zero) == 0) {
+ /* skip known zero blocks entirely */
+ if (is_zero)
+- continue;
++ goto done;
+
+ /*
+ * skip if we have already found the theoretical
--- /dev/null
+From f1a880a93baaadb14c10a348fd199f1cdb6bcccd Mon Sep 17 00:00:00 2001
+From: Sami Tolvanen <samitolvanen@google.com>
+Date: Wed, 15 Mar 2017 15:12:23 -0700
+Subject: dm verity fec: limit error correction recursion
+
+From: Sami Tolvanen <samitolvanen@google.com>
+
+commit f1a880a93baaadb14c10a348fd199f1cdb6bcccd upstream.
+
+If the hash tree itself is sufficiently corrupt in addition to data blocks,
+it's possible for error correction to end up in a deep recursive loop,
+which eventually causes a kernel panic. This change limits the
+recursion to a reasonable level during a single I/O operation.
+
+Fixes: a739ff3f543a ("dm verity: add support for forward error correction")
+Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-verity-fec.c | 12 +++++++++++-
+ drivers/md/dm-verity-fec.h | 4 ++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm-verity-fec.c
++++ b/drivers/md/dm-verity-fec.c
+@@ -439,6 +439,13 @@ int verity_fec_decode(struct dm_verity *
+ if (!verity_fec_is_enabled(v))
+ return -EOPNOTSUPP;
+
++ if (fio->level >= DM_VERITY_FEC_MAX_RECURSION) {
++ DMWARN_LIMIT("%s: FEC: recursion too deep", v->data_dev->name);
++ return -EIO;
++ }
++
++ fio->level++;
++
+ if (type == DM_VERITY_BLOCK_TYPE_METADATA)
+ block += v->data_blocks;
+
+@@ -470,7 +477,7 @@ int verity_fec_decode(struct dm_verity *
+ if (r < 0) {
+ r = fec_decode_rsb(v, io, fio, rsb, offset, true);
+ if (r < 0)
+- return r;
++ goto done;
+ }
+
+ if (dest)
+@@ -480,6 +487,8 @@ int verity_fec_decode(struct dm_verity *
+ r = verity_for_bv_block(v, io, iter, fec_bv_copy);
+ }
+
++done:
++ fio->level--;
+ return r;
+ }
+
+@@ -520,6 +529,7 @@ void verity_fec_init_io(struct dm_verity
+ memset(fio->bufs, 0, sizeof(fio->bufs));
+ fio->nbufs = 0;
+ fio->output = NULL;
++ fio->level = 0;
+ }
+
+ /*
+--- a/drivers/md/dm-verity-fec.h
++++ b/drivers/md/dm-verity-fec.h
+@@ -27,6 +27,9 @@
+ #define DM_VERITY_FEC_BUF_MAX \
+ (1 << (PAGE_SHIFT - DM_VERITY_FEC_BUF_RS_BITS))
+
++/* maximum recursion level for verity_fec_decode */
++#define DM_VERITY_FEC_MAX_RECURSION 4
++
+ #define DM_VERITY_OPT_FEC_DEV "use_fec_from_device"
+ #define DM_VERITY_OPT_FEC_BLOCKS "fec_blocks"
+ #define DM_VERITY_OPT_FEC_START "fec_start"
+@@ -58,6 +61,7 @@ struct dm_verity_fec_io {
+ unsigned nbufs; /* number of buffers allocated */
+ u8 *output; /* buffer for corrected output */
+ size_t output_pos;
++ unsigned level; /* recursion level */
+ };
+
+ #ifdef CONFIG_DM_VERITY_FEC
--- /dev/null
+From b334e19ae9381f12a7521976883022385d2b7eef Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 13 Jan 2017 16:40:01 +0100
+Subject: Kbuild: use cc-disable-warning consistently for maybe-uninitialized
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit b334e19ae9381f12a7521976883022385d2b7eef upstream.
+
+In commit a76bcf557ef4 ("Kbuild: enable -Wmaybe-uninitialized warning
+for "make W=1""), I reverted another change that happened to fix a problem
+with old compilers, and now we get this report again with old compilers
+(prior to gcc-4.8) and GCOV enabled:
+
+ cc1: warnings being treated as errors
+ drivers/gpu/drm/i915/intel_ringbuffer.c: In function 'intel_ring_setup_status_page':
+ drivers/gpu/drm/i915/intel_ringbuffer.c:438: error: 'mmio.reg' may be used uninitialized in this function
+ At top level:
+>> cc1: error: unrecognized command line option "-Wno-maybe-uninitialized"
+
+The problem is that we turn off the warning conditionally in a number
+of places as we should, but one of them does it unconditionally.
+Instead, change it to call cc-disable-warning as we do elsewhere.
+
+The original patch that caused it was merged into linux-4.7, then
+4.8 removed the change and 4.9 brought it back, so we probably want
+a backport to 4.9 once this is merged.
+
+Use a ':=' assignment instead of '=' to force the cc-disable-warning
+call to only be evaluated once instead of every time.
+
+Fixes: a76bcf557ef4 ("Kbuild: enable -Wmaybe-uninitialized warning for "make W=1"")
+Fixes: e72e2dfe7c16 ("gcov: disable -Wmaybe-uninitialized warning")
+Reported-by: kbuild test robot <fengguang.wu@intel.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -370,7 +370,7 @@ LDFLAGS_MODULE =
+ CFLAGS_KERNEL =
+ AFLAGS_KERNEL =
+ LDFLAGS_vmlinux =
+-CFLAGS_GCOV = -fprofile-arcs -ftest-coverage -fno-tree-loop-im -Wno-maybe-uninitialized
++CFLAGS_GCOV := -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,)
+ CFLAGS_KCOV := $(call cc-option,-fsanitize-coverage=trace-pc,)
+
+
--- /dev/null
+From 7d65f82954dadbbe7b6e1aec7e07ad17bc6d958b Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 29 Mar 2017 14:15:24 +0200
+Subject: mac80211: unconditionally start new netdev queues with iTXQ support
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 7d65f82954dadbbe7b6e1aec7e07ad17bc6d958b upstream.
+
+When internal mac80211 TXQs aren't supported, netdev queues must
+always started out started even when driver queues are stopped
+while the interface is added. This is necessary because with the
+internal TXQ support netdev queues are never stopped and packet
+scheduling/dropping is done in mac80211.
+
+Fixes: 80a83cfc434b1 ("mac80211: skip netdev queue control with software queuing")
+Reported-and-tested-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/iface.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -726,7 +726,8 @@ int ieee80211_do_open(struct wireless_de
+ ieee80211_recalc_ps(local);
+
+ if (sdata->vif.type == NL80211_IFTYPE_MONITOR ||
+- sdata->vif.type == NL80211_IFTYPE_AP_VLAN) {
++ sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
++ local->ops->wake_tx_queue) {
+ /* XXX: for AP_VLAN, actually track AP queues */
+ netif_tx_start_all_queues(dev);
+ } else if (dev) {
--- /dev/null
+From 1f06b81aea5ecba2c1f8afd87e0ba1b9f8f90160 Mon Sep 17 00:00:00 2001
+From: Alexander Polakov <apolyakov@beget.ru>
+Date: Fri, 7 Apr 2017 16:04:45 -0700
+Subject: mm/page_alloc.c: fix print order in show_free_areas()
+
+From: Alexander Polakov <apolyakov@beget.ru>
+
+commit 1f06b81aea5ecba2c1f8afd87e0ba1b9f8f90160 upstream.
+
+Fixes: 11fb998986a72a ("mm: move most file-based accounting to the node")
+Link: http://lkml.kernel.org/r/1490377730.30219.2.camel@beget.ru
+Signed-off-by: Alexander Polyakov <apolyakov@beget.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page_alloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -4345,13 +4345,13 @@ void show_free_areas(unsigned int filter
+ K(node_page_state(pgdat, NR_FILE_MAPPED)),
+ K(node_page_state(pgdat, NR_FILE_DIRTY)),
+ K(node_page_state(pgdat, NR_WRITEBACK)),
++ K(node_page_state(pgdat, NR_SHMEM)),
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
+ K(node_page_state(pgdat, NR_SHMEM_THPS) * HPAGE_PMD_NR),
+ K(node_page_state(pgdat, NR_SHMEM_PMDMAPPED)
+ * HPAGE_PMD_NR),
+ K(node_page_state(pgdat, NR_ANON_THPS) * HPAGE_PMD_NR),
+ #endif
+- K(node_page_state(pgdat, NR_SHMEM)),
+ K(node_page_state(pgdat, NR_WRITEBACK_TEMP)),
+ K(node_page_state(pgdat, NR_UNSTABLE_NFS)),
+ node_page_state(pgdat, NR_PAGES_SCANNED),
--- /dev/null
+From cefdc26e86728812aea54248a534fd4a5da2a43d Mon Sep 17 00:00:00 2001
+From: Martin Brandenburg <martin@omnibond.com>
+Date: Thu, 6 Apr 2017 18:11:00 -0400
+Subject: orangefs: move features validation to fix filesystem hang
+
+From: Martin Brandenburg <martin@omnibond.com>
+
+commit cefdc26e86728812aea54248a534fd4a5da2a43d upstream.
+
+Without this fix (and another to the userspace component itself
+described later), the kernel will be unable to process any OrangeFS
+requests after the userspace component is restarted (due to a crash or
+at the administrator's behest).
+
+The bug here is that inside orangefs_remount, the orangefs_request_mutex
+is locked. When the userspace component restarts while the filesystem
+is mounted, it sends a ORANGEFS_DEV_REMOUNT_ALL ioctl to the device,
+which causes the kernel to send it a few requests aimed at synchronizing
+the state between the two. While this is happening the
+orangefs_request_mutex is locked to prevent any other requests going
+through.
+
+This is only half of the bugfix. The other half is in the userspace
+component which outright ignores(!) requests made before it considers
+the filesystem remounted, which is after the ioctl returns. Of course
+the ioctl doesn't return until after the userspace component responds to
+the request it ignores. The userspace component has been changed to
+allow ORANGEFS_VFS_OP_FEATURES regardless of the mount status.
+
+Mike Marshall says:
+ "I've tested this patch against the fixed userspace part. This patch is
+ real important, I hope it can make it into 4.11...
+
+ Here's what happens when the userspace daemon is restarted, without
+ the patch:
+
+ =============================================
+ [ INFO: possible recursive locking detected ]
+ [ 4.10.0-00007-ge98bdb3 #1 Not tainted ]
+ ---------------------------------------------
+ pvfs2-client-co/29032 is trying to acquire lock:
+ (orangefs_request_mutex){+.+.+.}, at: service_operation+0x3c7/0x7b0 [orangefs]
+ but task is already holding lock:
+ (orangefs_request_mutex){+.+.+.}, at: dispatch_ioctl_command+0x1bf/0x330 [orangefs]
+
+ CPU: 0 PID: 29032 Comm: pvfs2-client-co Not tainted 4.10.0-00007-ge98bdb3 #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-1.fc25 04/01/2014
+ Call Trace:
+ __lock_acquire+0x7eb/0x1290
+ lock_acquire+0xe8/0x1d0
+ mutex_lock_killable_nested+0x6f/0x6e0
+ service_operation+0x3c7/0x7b0 [orangefs]
+ orangefs_remount+0xea/0x150 [orangefs]
+ dispatch_ioctl_command+0x227/0x330 [orangefs]
+ orangefs_devreq_ioctl+0x29/0x70 [orangefs]
+ do_vfs_ioctl+0xa3/0x6e0
+ SyS_ioctl+0x79/0x90"
+
+Signed-off-by: Martin Brandenburg <martin@omnibond.com>
+Acked-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/orangefs/super.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/orangefs/super.c
++++ b/fs/orangefs/super.c
+@@ -263,8 +263,13 @@ int orangefs_remount(struct orangefs_sb_
+ if (!new_op)
+ return -ENOMEM;
+ new_op->upcall.req.features.features = 0;
+- ret = service_operation(new_op, "orangefs_features", 0);
+- orangefs_features = new_op->downcall.resp.features.features;
++ ret = service_operation(new_op, "orangefs_features",
++ ORANGEFS_OP_PRIORITY | ORANGEFS_OP_NO_MUTEX);
++ if (!ret)
++ orangefs_features =
++ new_op->downcall.resp.features.features;
++ else
++ orangefs_features = 0;
+ op_release(new_op);
+ } else {
+ orangefs_features = 0;
--- /dev/null
+From 5402e97af667e35e54177af8f6575518bf251d51 Mon Sep 17 00:00:00 2001
+From: "bsegall@google.com" <bsegall@google.com>
+Date: Fri, 7 Apr 2017 16:04:51 -0700
+Subject: ptrace: fix PTRACE_LISTEN race corrupting task->state
+
+From: bsegall@google.com <bsegall@google.com>
+
+commit 5402e97af667e35e54177af8f6575518bf251d51 upstream.
+
+In PT_SEIZED + LISTEN mode STOP/CONT signals cause a wakeup against
+__TASK_TRACED. If this races with the ptrace_unfreeze_traced at the end
+of a PTRACE_LISTEN, this can wake the task /after/ the check against
+__TASK_TRACED, but before the reset of state to TASK_TRACED. This
+causes it to instead clobber TASK_WAKING, allowing a subsequent wakeup
+against TRACED while the task is still on the rq wake_list, corrupting
+it.
+
+Oleg said:
+ "The kernel can crash or this can lead to other hard-to-debug problems.
+ In short, "task->state = TASK_TRACED" in ptrace_unfreeze_traced()
+ assumes that nobody else can wake it up, but PTRACE_LISTEN breaks the
+ contract. Obviusly it is very wrong to manipulate task->state if this
+ task is already running, or WAKING, or it sleeps again"
+
+[akpm@linux-foundation.org: coding-style fixes]
+Fixes: 9899d11f ("ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL")
+Link: http://lkml.kernel.org/r/xm26y3vfhmkp.fsf_-_@bsegall-linux.mtv.corp.google.com
+Signed-off-by: Ben Segall <bsegall@google.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/ptrace.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -181,11 +181,17 @@ static void ptrace_unfreeze_traced(struc
+
+ WARN_ON(!task->ptrace || task->parent != current);
+
++ /*
++ * PTRACE_LISTEN can allow ptrace_trap_notify to wake us up remotely.
++ * Recheck state under the lock to close this race.
++ */
+ spin_lock_irq(&task->sighand->siglock);
+- if (__fatal_signal_pending(task))
+- wake_up_state(task, __TASK_TRACED);
+- else
+- task->state = TASK_TRACED;
++ if (task->state == __TASK_TRACED) {
++ if (__fatal_signal_pending(task))
++ wake_up_state(task, __TASK_TRACED);
++ else
++ task->state = TASK_TRACED;
++ }
+ spin_unlock_irq(&task->sighand->siglock);
+ }
+
--- /dev/null
+From 806a28efe9b78ffae5e2757e1ee924b8e50c08ab Mon Sep 17 00:00:00 2001
+From: Jan-Marek Glogowski <glogow@fbihome.de>
+Date: Mon, 20 Feb 2017 12:25:58 +0100
+Subject: Reset TreeId to zero on SMB2 TREE_CONNECT
+
+From: Jan-Marek Glogowski <glogow@fbihome.de>
+
+commit 806a28efe9b78ffae5e2757e1ee924b8e50c08ab upstream.
+
+Currently the cifs module breaks the CIFS specs on reconnect as
+described in http://msdn.microsoft.com/en-us/library/cc246529.aspx:
+
+"TreeId (4 bytes): Uniquely identifies the tree connect for the
+command. This MUST be 0 for the SMB2 TREE_CONNECT Request."
+
+Signed-off-by: Jan-Marek Glogowski <glogow@fbihome.de>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Tested-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1104,6 +1104,10 @@ SMB2_tcon(const unsigned int xid, struct
+ return -EINVAL;
+ }
+
++ /* SMB2 TREE_CONNECT request must be called with TreeId == 0 */
++ if (tcon)
++ tcon->tid = 0;
++
+ rc = small_smb2_init(SMB2_TREE_CONNECT, tcon, (void **) &req);
+ if (rc) {
+ kfree(unc_path);
--- /dev/null
+From 62277de758b155dc04b78f195a1cb5208c37b2df Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Fri, 17 Jun 2016 17:33:59 +0000
+Subject: ring-buffer: Fix return value check in test_ringbuffer()
+
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+
+commit 62277de758b155dc04b78f195a1cb5208c37b2df upstream.
+
+In case of error, the function kthread_run() returns ERR_PTR()
+and never returns NULL. The NULL test in the return value check
+should be replaced with IS_ERR().
+
+Link: http://lkml.kernel.org/r/1466184839-14927-1-git-send-email-weiyj_lk@163.com
+
+Fixes: 6c43e554a ("ring-buffer: Add ring buffer startup selftest")
+Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ring_buffer.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -4870,9 +4870,9 @@ static __init int test_ringbuffer(void)
+ rb_data[cpu].cnt = cpu;
+ rb_threads[cpu] = kthread_create(rb_test, &rb_data[cpu],
+ "rbtester/%d", cpu);
+- if (WARN_ON(!rb_threads[cpu])) {
++ if (WARN_ON(IS_ERR(rb_threads[cpu]))) {
+ pr_cont("FAILED\n");
+- ret = -1;
++ ret = PTR_ERR(rb_threads[cpu]);
+ goto out_free;
+ }
+
+@@ -4882,9 +4882,9 @@ static __init int test_ringbuffer(void)
+
+ /* Now create the rb hammer! */
+ rb_hammer = kthread_run(rb_hammer_test, NULL, "rbhammer");
+- if (WARN_ON(!rb_hammer)) {
++ if (WARN_ON(IS_ERR(rb_hammer))) {
+ pr_cont("FAILED\n");
+- ret = -1;
++ ret = PTR_ERR(rb_hammer);
+ goto out_free;
+ }
+
iio-bmg160-reset-chip-when-probing.patch
arm64-mm-unaligned-access-by-user-land-should-be-received-as-sigbus.patch
cfg80211-check-rdev-resume-callback-only-for-registered-wiphy.patch
+reset-treeid-to-zero-on-smb2-tree_connect.patch
+mm-page_alloc.c-fix-print-order-in-show_free_areas.patch
+ptrace-fix-ptrace_listen-race-corrupting-task-state.patch
+dm-verity-fec-limit-error-correction-recursion.patch
+dm-verity-fec-fix-bufio-leaks.patch
+acpi-gpio-do-not-fall-back-to-parsing-_crs-when-we-get-a-deferral.patch
+kbuild-use-cc-disable-warning-consistently-for-maybe-uninitialized.patch
+orangefs-move-features-validation-to-fix-filesystem-hang.patch
+xfs-honor-falloc_fl_keep_size-when-punching-ends-of-files.patch
+ring-buffer-fix-return-value-check-in-test_ringbuffer.patch
+mac80211-unconditionally-start-new-netdev-queues-with-itxq-support.patch
+brcmfmac-use-local-iftype-avoiding-use-after-free-of-virtual-interface.patch
--- /dev/null
+From 3dd09d5a8589c640abb49cfcf92b4ed669eafad1 Mon Sep 17 00:00:00 2001
+From: Calvin Owens <calvinowens@fb.com>
+Date: Mon, 3 Apr 2017 12:22:29 -0700
+Subject: xfs: Honor FALLOC_FL_KEEP_SIZE when punching ends of files
+
+From: Calvin Owens <calvinowens@fb.com>
+
+commit 3dd09d5a8589c640abb49cfcf92b4ed669eafad1 upstream.
+
+When punching past EOF on XFS, fallocate(mode=PUNCH_HOLE|KEEP_SIZE) will
+round the file size up to the nearest multiple of PAGE_SIZE:
+
+ calvinow@vm-disks/generic-xfs-1 ~$ dd if=/dev/urandom of=test bs=2048 count=1
+ calvinow@vm-disks/generic-xfs-1 ~$ stat test
+ Size: 2048 Blocks: 8 IO Block: 4096 regular file
+ calvinow@vm-disks/generic-xfs-1 ~$ fallocate -n -l 2048 -o 2048 -p test
+ calvinow@vm-disks/generic-xfs-1 ~$ stat test
+ Size: 4096 Blocks: 8 IO Block: 4096 regular file
+
+Commit 3c2bdc912a1cc050 ("xfs: kill xfs_zero_remaining_bytes") replaced
+xfs_zero_remaining_bytes() with calls to iomap helpers. The new helpers
+don't enforce that [pos,offset) lies strictly on [0,i_size) when being
+called from xfs_free_file_space(), so by "leaking" these ranges into
+xfs_zero_range() we get this buggy behavior.
+
+Fix this by reintroducing the checks xfs_zero_remaining_bytes() did
+against i_size at the bottom of xfs_free_file_space().
+
+Reported-by: Aaron Gao <gzh@fb.com>
+Fixes: 3c2bdc912a1cc050 ("xfs: kill xfs_zero_remaining_bytes")
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Brian Foster <bfoster@redhat.com>
+Signed-off-by: Calvin Owens <calvinowens@fb.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_bmap_util.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_bmap_util.c
++++ b/fs/xfs/xfs_bmap_util.c
+@@ -1318,8 +1318,16 @@ xfs_free_file_space(
+ /*
+ * Now that we've unmap all full blocks we'll have to zero out any
+ * partial block at the beginning and/or end. xfs_zero_range is
+- * smart enough to skip any holes, including those we just created.
++ * smart enough to skip any holes, including those we just created,
++ * but we must take care not to zero beyond EOF and enlarge i_size.
+ */
++
++ if (offset >= XFS_ISIZE(ip))
++ return 0;
++
++ if (offset + len > XFS_ISIZE(ip))
++ len = XFS_ISIZE(ip) - offset;
++
+ return xfs_zero_range(ip, offset, len, NULL);
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
