Merge 4.4.85 into android-4.4

Changes in 4.4.85
	af_key: do not use GFP_KERNEL in atomic contexts
	dccp: purge write queue in dccp_destroy_sock()
	dccp: defer ccid_hc_tx_delete() at dismantle time
	ipv4: fix NULL dereference in free_fib_info_rcu()
	net_sched/sfq: update hierarchical backlog when drop packet
	ipv4: better IP_MAX_MTU enforcement
	sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
	tipc: fix use-after-free
	ipv6: reset fn->rr_ptr when replacing route
	ipv6: repair fib6 tree in failure case
	tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP
	irda: do not leak initialized list.dev to userspace
	net: sched: fix NULL pointer dereference when action calls some targets
	net_sched: fix order of queue length updates in qdisc_replace()
	mei: me: add broxton pci device ids
	mei: me: add lewisburg device ids
	Input: trackpoint - add new trackpoint firmware ID
	Input: elan_i2c - add ELAN0602 ACPI ID to support Lenovo Yoga310
	ALSA: core: Fix unexpected error at replacing user TLV
	ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978)
	ARCv2: PAE40: Explicitly set MSB counterpart of SLC region ops addresses
	i2c: designware: Fix system suspend
	drm: Release driver tracking before making the object available again
	drm/atomic: If the atomic check fails, return its value first
	drm: rcar-du: lvds: Fix PLL frequency-related configuration
	drm: rcar-du: lvds: Rename PLLEN bit to PLLON
	drm: rcar-du: Fix crash in encoder failure error path
	drm: rcar-du: Fix display timing controller parameter
	drm: rcar-du: Fix H/V sync signal polarity configuration
	tracing: Fix freeing of filter in create_filter() when set_str is false
	cifs: Fix df output for users with quota limits
	cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()
	nfsd: Limit end of page list when decoding NFSv4 WRITE
	perf/core: Fix group {cpu,task} validation
	Bluetooth: hidp: fix possible might sleep error in hidp_session_thread
	Bluetooth: cmtp: fix possible might sleep error in cmtp_session
	Bluetooth: bnep: fix possible might sleep error in bnep_session
	binder: use group leader instead of open thread
	binder: Use wake up hint for synchronous transactions.
	ANDROID: binder: fix proc->tsk check.
	iio: imu: adis16480: Fix acceleration scale factor for adis16480
	iio: hid-sensor-trigger: Fix the race with user space powering up sensors
	staging: rtl8188eu: add RNX-N150NUB support
	ASoC: simple-card: don't fail if sysclk setting is not supported
	ASoC: rsnd: disable SRC.out only when stop timing
	ASoC: rsnd: avoid pointless loop in rsnd_mod_interrupt()
	ASoC: rsnd: Add missing initialization of ADG req_rate
	ASoC: rsnd: ssi: 24bit data needs right-aligned settings
	ASoC: rsnd: don't call update callback if it was NULL
	ntb_transport: fix qp count bug
	ntb_transport: fix bug calculating num_qps_mw
	ACPI: ioapic: Clear on-stack resource before using it
	ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal
	Linux 4.4.85

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

3 files changed, 16 insertions, 12 deletions

diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
index 26a3b389a265..fa8df3fef6fc 100644
--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -183,15 +183,20 @@ cifs_bp_rename_retry:
 }
 
 /*
+ * Don't allow path components longer than the server max.
  * Don't allow the separator character in a path component.
  * The VFS will not allow "/", but "\" is allowed by posix.
  */
 static int
-check_name(struct dentry *direntry)
+check_name(struct dentry *direntry, struct cifs_tcon *tcon)
 {
 	struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb);
 	int i;
 
+	if (unlikely(direntry->d_name.len >
+		     tcon->fsAttrInfo.MaxPathNameComponentLength))
+		return -ENAMETOOLONG;
+
 	if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS)) {
 		for (i = 0; i < direntry->d_name.len; i++) {
 			if (direntry->d_name.name[i] == '\\') {
@@ -489,10 +494,6 @@ cifs_atomic_open(struct inode *inode, struct dentry *direntry,
 		return finish_no_open(file, res);
 	}
 
-	rc = check_name(direntry);
-	if (rc)
-		return rc;
-
 	xid = get_xid();
 
 	cifs_dbg(FYI, "parent inode = 0x%p name is: %pd and dentry = 0x%p\n",
@@ -505,6 +506,11 @@ cifs_atomic_open(struct inode *inode, struct dentry *direntry,
 	}
 
 	tcon = tlink_tcon(tlink);
+
+	rc = check_name(direntry, tcon);
+	if (rc)
+		goto out_free_xid;
+
 	server = tcon->ses->server;
 
 	if (server->ops->new_lease_key)
@@ -765,7 +771,7 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry,
 	}
 	pTcon = tlink_tcon(tlink);
 
-	rc = check_name(direntry);
+	rc = check_name(direntry, pTcon);
 	if (rc)
 		goto lookup_out;
 
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index f4afa3b1cc56..6c484ddf26a9 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2768,8 +2768,8 @@ copy_fs_info_to_kstatfs(struct smb2_fs_full_size_info *pfs_inf,
 	kst->f_bsize = le32_to_cpu(pfs_inf->BytesPerSector) *
 			  le32_to_cpu(pfs_inf->SectorsPerAllocationUnit);
 	kst->f_blocks = le64_to_cpu(pfs_inf->TotalAllocationUnits);
-	kst->f_bfree  = le64_to_cpu(pfs_inf->ActualAvailableAllocationUnits);
-	kst->f_bavail = le64_to_cpu(pfs_inf->CallerAvailableAllocationUnits);
+	kst->f_bfree  = kst->f_bavail =
+			le64_to_cpu(pfs_inf->CallerAvailableAllocationUnits);
 	return;
 }
 
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 3f68a25f2169..544672b440de 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -129,7 +129,7 @@ static void next_decode_page(struct nfsd4_compoundargs *argp)
 	argp->p = page_address(argp->pagelist[0]);
 	argp->pagelist++;
 	if (argp->pagelen < PAGE_SIZE) {
-		argp->end = argp->p + (argp->pagelen>>2);
+		argp->end = argp->p + XDR_QUADLEN(argp->pagelen);
 		argp->pagelen = 0;
 	} else {
 		argp->end = argp->p + (PAGE_SIZE>>2);
@@ -1246,9 +1246,7 @@ nfsd4_decode_write(struct nfsd4_compoundargs *argp, struct nfsd4_write *write)
 		argp->pagelen -= pages * PAGE_SIZE;
 		len -= pages * PAGE_SIZE;
 
-		argp->p = (__be32 *)page_address(argp->pagelist[0]);
-		argp->pagelist++;
-		argp->end = argp->p + XDR_QUADLEN(PAGE_SIZE);
+		next_decode_page(argp);
 	}
 	argp->p += XDR_QUADLEN(len);