| author | Greg Kroah-Hartman <gregkh@google.com> | 2019-10-07 21:22:12 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@google.com> | 2019-10-07 21:22:12 +0200 |
| commit | 736005dacae2ec9abbb2f57026a3b7917c1d09b4 (patch) | |
| tree | 69dd22444c4e8f16a548d6327c75680d4f0af9e1 /fs | |
| parent | 4af3204c43bb3e52a3340935193a6fdd9aeb0d31 (diff) | |
| parent | c61ebb668f2ce3c22d1cfe6df28bd3198eabbdd7 (diff) | |
Merge 4.4.196 into android-4.4-p
Changes in 4.4.196
video: ssd1307fb: Start page range at page_offset
gpu: drm: radeon: Fix a possible null-pointer dereference in radeon_connector_set_property()
ipmi_si: Only schedule continuously in the thread in maintenance mode
clk: qoriq: Fix -Wunused-const-variable
clk: sirf: Don't reference clk_init_data after registration
powerpc/rtas: use device model APIs and serialization during LPM
powerpc/futex: Fix warning: 'oldval' may be used uninitialized in this function
powerpc/pseries/mobility: use cond_resched when updating device tree
pinctrl: tegra: Fix write barrier placement in pmx_writel
vfio_pci: Restore original state on release
powerpc/64s/exception: machine check use correct cfar for late handler
powerpc/pseries: correctly track irq state in default idle
scsi: core: Reduce memory required for SCSI logging
mfd: intel-lpss: Remove D3cold delay
ARM: 8898/1: mm: Don't treat faults reported from cache maintenance as writes
HID: apple: Fix stuck function keys when using FN
security: smack: Fix possible null-pointer dereferences in smack_socket_sock_rcv_skb()
fat: work around race with userspace's read via blockdev while mounting
hypfs: Fix error number left in struct pointer member
ocfs2: wait for recovering done after direct unlock request
kmemleak: increase DEBUG_KMEMLEAK_EARLY_LOG_SIZE default to 16K
ANDROID: binder: remove waitqueue when thread exits.
ANDROID: binder: synchronize_rcu() when using POLLFREE.
hso: fix NULL-deref on tty open
ipv6: drop incoming packets having a v4mapped source address
net: ipv4: avoid mixed n_redirects and rate_tokens usage
net: qlogic: Fix memory leak in ql_alloc_large_buffers
nfc: fix memory leak in llcp_sock_bind()
sch_dsmark: fix potential NULL deref in dsmark_init()
xen-netfront: do not use ~0U as error return value for xennet_fill_frags()
net/rds: Fix error handling in rds_ib_add_one()
sch_cbq: validate TCA_CBQ_WRROPT to avoid crash
Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set
smack: use GFP_NOFS while holding inode_smack::smk_lock
NFC: fix attrs checks in netlink interface
Linux 4.4.196
Change-Id: I7e03bb3ca1865988df014b8e38336b76430842a9
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/fat/dir.c | 13 | ||||
| -rw-r--r-- | fs/fat/fatent.c | 3 | ||||
| -rw-r--r-- | fs/ocfs2/dlm/dlmunlock.c | 23 |
3 files changed, 33 insertions, 6 deletions
diff --git a/fs/fat/dir.c b/fs/fat/dir.c
index 8b2127ffb226..9b77e2ad2b59 100644
--- a/fs/fat/dir.c
+++ b/fs/fat/dir.c
@@ -1097,8 +1097,11 @@ static int fat_zeroed_cluster(struct inode *dir, sector_t blknr, int nr_used,
 err = -ENOMEM;
 goto error;
 }
+ /* Avoid race with userspace read via bdev */
+ lock_buffer(bhs[n]);
 memset(bhs[n]->b_data, 0, sb->s_blocksize);
 set_buffer_uptodate(bhs[n]);
+ unlock_buffer(bhs[n]);
 mark_buffer_dirty_inode(bhs[n], dir);
 n++;
@@ -1155,6 +1158,8 @@ int fat_alloc_new_dir(struct inode *dir, struct timespec *ts)
 fat_time_unix2fat(sbi, ts, &time, &date, &time_cs);
 de = (struct msdos_dir_entry *)bhs[0]->b_data;
+ /* Avoid race with userspace read via bdev */
+ lock_buffer(bhs[0]);
 /* filling the new directory slots ("." and ".." entries) */
 memcpy(de[0].name, MSDOS_DOT, MSDOS_NAME);
 memcpy(de[1].name, MSDOS_DOTDOT, MSDOS_NAME);
@@ -1177,6 +1182,7 @@ int fat_alloc_new_dir(struct inode *dir, struct timespec *ts)
 de[0].size = de[1].size = 0;
 memset(de + 2, 0, sb->s_blocksize - 2 * sizeof(*de));
 set_buffer_uptodate(bhs[0]);
+ unlock_buffer(bhs[0]);
 mark_buffer_dirty_inode(bhs[0], dir);
 err = fat_zeroed_cluster(dir, blknr, 1, bhs, MAX_BUF_PER_PAGE);
@@ -1234,11 +1240,14 @@ static int fat_add_new_entries(struct inode *dir, void *slots, int nr_slots,
 /* fill the directory entry */
 copy = min(size, sb->s_blocksize);
+ /* Avoid race with userspace read via bdev */
+ lock_buffer(bhs[n]);
 memcpy(bhs[n]->b_data, slots, copy);
- slots += copy;
- size -= copy;
 set_buffer_uptodate(bhs[n]);
+ unlock_buffer(bhs[n]);
 mark_buffer_dirty_inode(bhs[n], dir);
+ slots += copy;
+ size -= copy;
 if (!size)
 break;
 n++;
diff --git a/fs/fat/fatent.c b/fs/fat/fatent.c
index e3fc477728b3..be8529739d23 100644
--- a/fs/fat/fatent.c
+++ b/fs/fat/fatent.c
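Review bot: The comment `/* Avoid race with userspace read via bdev */` added before `lock_buffer(bhs[n])` in fat_zeroed_cluster does not say what is being protected, and the same one-liner is repeated in fat_alloc_new_dir, fat_add_new_entries and fat_mirror_bhs (fs/fat/fatent.c). From the added lines, the invariant is that the buffer contents and the uptodate bit change together under the buffer lock; presumably the concern is a block-device read that finds the buffer not yet uptodate and refills `b_data` from disk over the freshly written data, which should be confirmed and stated. I would expand the first occurrence to something like `/* Fill and set uptodate under the buffer lock so a concurrent bdev read cannot overwrite b_data */`, or fold the lock / fill / set_buffer_uptodate / unlock sequence into one static helper that carries the explanation. The enclosing functions start and end outside these hunks.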
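Review bot: In fat_alloc_new_dir the `lock_buffer(bhs[0])` added in the hunk at -1155 is released only by the `unlock_buffer(bhs[0])` in the hunk at -1177, and the lines between the two hunks are not shown. If any statement in that gap can return or jump to an error label, the buffer stays locked and later users of that block would wait on it; the visible lines are plain stores into `de[]`, so this is probably fine, but it needs checking against the full function. A short comment at the lock site, for example `/* held until set_buffer_uptodate() below; no exits in between */`, would keep later edits from adding an exit inside the locked region.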
@@ -389,8 +389,11 @@ static int fat_mirror_bhs(struct super_block *sb, struct buffer_head **bhs,
 err = -ENOMEM;
 goto error;
 }
+ /* Avoid race with userspace read via bdev */
+ lock_buffer(c_bh);
 memcpy(c_bh->b_data, bhs[n]->b_data, sb->s_blocksize);
 set_buffer_uptodate(c_bh);
+ unlock_buffer(c_bh);
 mark_buffer_dirty_inode(c_bh, sbi->fat_inode);
 if (sb->s_flags & MS_SYNCHRONOUS)
 err = sync_dirty_buffer(c_bh);
diff --git a/fs/ocfs2/dlm/dlmunlock.c b/fs/ocfs2/dlm/dlmunlock.c
index 2e3c9dbab68c..d137d4692b91 100644
--- a/fs/ocfs2/dlm/dlmunlock.c
+++ b/fs/ocfs2/dlm/dlmunlock.c
@@ -105,7 +105,8 @@ static enum dlm_status dlmunlock_common(struct dlm_ctxt *dlm,
 enum dlm_status status;
 int actions = 0;
 int in_use;
- u8 owner;
+ u8 owner;
+ int recovery_wait = 0;
 mlog(0, "master_node = %d, valblk = %d\n", master_node, flags & LKM_VALBLK);
@@ -208,9 +209,12 @@ static enum dlm_status dlmunlock_common(struct dlm_ctxt *dlm,
 }
 if (flags & LKM_CANCEL)
 lock->cancel_pending = 0;
- else
- lock->unlock_pending = 0;
-
+ else {
+ if (!lock->unlock_pending)
+ recovery_wait = 1;
+ else
+ lock->unlock_pending = 0;
+ }
 }
 /* get an extra ref on lock. if we are just switching
@@ -244,6 +248,17 @@ leave:
 spin_unlock(&res->spinlock);
 wake_up(&res->wq);
+ if (recovery_wait) {
+ spin_lock(&res->spinlock);
+ /* Unlock request will directly succeed after owner dies,
+ * and the lock is already removed from grant list. We have to
+ * wait for RECOVERING done or we miss the chance to purge it
+ * since the removement is much faster than RECOVERING proc.
+ */
+ __dlm_wait_on_lockres_flags(res, DLM_LOCK_RES_RECOVERING);
+ spin_unlock(&res->spinlock);
+ }
+
 /* let the caller's final dlm_lock_put handle the actual kfree */
 if (actions & DLM_UNLOCK_FREE_LOCK) {
 /* this should always be coupled with list removal */ |
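Review bot: The new test `if (!lock->unlock_pending) recovery_wait = 1;` in dlmunlock_common (hunk at -208) treats an already-cleared `unlock_pending` as the sign that recovery intervened, but nothing at that spot says so; the only explanation sits in the later hunk at the wait. A comment on the test, for example `/* unlock_pending already cleared elsewhere: wait for recovery to finish before returning */`, would make the condition readable, with the wording checked against the code that clears the flag, which is outside this diff. The `if (flags & LKM_CANCEL)` arm is unbraced while the new `else` arm is braced; flattening to `else if (!lock->unlock_pending) recovery_wait = 1; else lock->unlock_pending = 0;` avoids the mixed form. The function body continues outside the hunk.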
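Review bot: The added `__dlm_wait_on_lockres_flags(res, DLM_LOCK_RES_RECOVERING)` after `leave:` (hunk at -244) has no visible timeout or failure path, so the unlock caller's return now depends on the RECOVERING flag being cleared by another path. If that helper sleeps without being interruptible, which should be confirmed against its definition, a recovery that stalls turns into a task stuck in unlock, so the comment should name what clears the flag and state that the wait is unbounded by design. The resource spinlock is also dropped before `wake_up(&res->wq)` and retaken for the wait, so the flag is only examined after that window; a sentence saying why that ordering is safe would help. In the same comment, "removement" should read "removal".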
