--- /dev/null
+From 574d356b7a02c7e1b01a1d9cba8a26b3c2888f45 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Mon, 5 Nov 2018 09:52:48 +0100
+Subject: 9p/net: put a lower bound on msize
+
+From: Dominique Martinet <dominique.martinet@cea.fr>
+
+commit 574d356b7a02c7e1b01a1d9cba8a26b3c2888f45 upstream.
+
+If the requested msize is too small (either from command line argument
+or from the server version reply), we won't get any work done.
+If it's *really* too small, nothing will work, and this got caught by
+syzbot recently (on a new kmem_cache_create_usercopy() call)
+
+Just set a minimum msize to 4k in both code paths, until someone
+complains they have a use-case for a smaller msize.
+
+We need to check in both mount option and server reply individually
+because the msize for the first version request would be unchecked
+with just a global check on clnt->msize.
+
+Link: http://lkml.kernel.org/r/1541407968-31350-1-git-send-email-asmadeus@codewreck.org
+Reported-by: syzbot+0c1d61e4db7db94102ca@syzkaller.appspotmail.com
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Cc: Eric Van Hensbergen <ericvh@gmail.com>
+Cc: Latchesar Ionkov <lucho@ionkov.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/9p/client.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -181,6 +181,12 @@ static int parse_opts(char *opts, struct
+ ret = r;
+ continue;
+ }
++ if (option < 4096) {
++ p9_debug(P9_DEBUG_ERROR,
++ "msize should be at least 4k\n");
++ ret = -EINVAL;
++ continue;
++ }
+ clnt->msize = option;
+ break;
+ case Opt_trans:
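Review bot: The floor is spelled as the bare literal 4096 here and again in the p9_client_version and p9_client_create hunks below, each with its own wording of the error; one named constant, e.g. `#define P9_MIN_MSIZE 4096` (constructed name) kept next to the other msize definitions, would stop the three checks drifting apart. The check here rejects a too-small mount option before any clamping, while an over-large value still falls through to the `clnt->msize > clnt->trans_mod->maxsize` clamp visible in the third hunk, so a one-line comment saying that the lower bound is the size below which even the version handshake cannot fit would tell the reader why the two bounds are handled differently. The enclosing switch and loop of parse_opts start outside the hunk.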
+@@ -983,10 +989,18 @@ static int p9_client_version(struct p9_c
+ else if (!strncmp(version, "9P2000", 6))
+ c->proto_version = p9_proto_legacy;
+ else {
++ p9_debug(P9_DEBUG_ERROR,
++ "server returned an unknown version: %s\n", version);
+ err = -EREMOTEIO;
+ goto error;
+ }
+
++ if (msize < 4096) {
++ p9_debug(P9_DEBUG_ERROR,
++ "server returned a msize < 4096: %d\n", msize);
++ err = -EREMOTEIO;
++ goto error;
++ }
+ if (msize < c->msize)
+ c->msize = msize;
+
+@@ -1043,6 +1057,13 @@ struct p9_client *p9_client_create(const
+ if (clnt->msize > clnt->trans_mod->maxsize)
+ clnt->msize = clnt->trans_mod->maxsize;
+
++ if (clnt->msize < 4096) {
++ p9_debug(P9_DEBUG_ERROR,
++ "Please specify a msize of at least 4k\n");
++ err = -EINVAL;
++ goto free_client;
++ }
++
+ err = p9_client_version(clnt);
+ if (err)
+ goto close_trans;
--- /dev/null
+From db23d88756abd38e0995ea8449d0025b3de4b26b Mon Sep 17 00:00:00 2001
+From: Evan Green <evgreen@chromium.org>
+Date: Tue, 4 Dec 2018 11:14:19 -0800
+Subject: iio: adc: qcom-spmi-adc5: Initialize prescale properly
+
+From: Evan Green <evgreen@chromium.org>
+
+commit db23d88756abd38e0995ea8449d0025b3de4b26b upstream.
+
+adc5_get_dt_data uses a local, prop, feeds it to adc5_get_dt_channel_data,
+and then puts the result into adc->chan_props. The problem is
+adc5_get_dt_channel_data may not initialize that structure fully, so a
+garbage value is used for prescale if the optional "qcom,pre-scaling" is
+not defined in DT. adc5_read_raw then uses this as an array index,
+generating a crash that looks like this:
+
+[ 6.683186] Unable to handle kernel paging request at virtual address ffffff90e78c7964
+Call trace:
+qcom_vadc_scale_code_voltage_factor+0x74/0x104
+qcom_vadc_scale_hw_calib_die_temp+0x20/0x60
+qcom_adc5_hw_scale+0x78/0xa4
+adc5_read_raw+0x3d0/0x65c
+iio_channel_read+0x240/0x30c
+iio_read_channel_processed+0x10c/0x150
+qpnp_tm_get_temp+0xc0/0x40c
+of_thermal_get_temp+0x7c/0x98
+thermal_zone_get_temp+0xac/0xd8
+thermal_zone_device_update+0xc0/0x38c
+qpnp_tm_probe+0x624/0x81c
+platform_drv_probe+0xe4/0x11c
+really_probe+0x188/0x3fc
+driver_probe_device+0xb8/0x188
+__device_attach_driver+0x114/0x180
+bus_for_each_drv+0xd8/0x118
+__device_attach+0x180/0x27c
+device_initial_probe+0x20/0x2c
+bus_probe_device+0x78/0x124
+deferred_probe_work_func+0xfc/0x138
+process_one_work+0x3d8/0x8b0
+process_scheduled_works+0x48/0x6c
+worker_thread+0x488/0x7cc
+kthread+0x24c/0x264
+ret_from_fork+0x10/0x18
+
+Unfortunately, when I went to add the initializer for this and tried to
+boot it, my machine shut down immediately, complaining that it was
+hotter than the sun. It appears that adc5_chans_pmic and adc5_chans_rev2
+were initializing prescale_index as if it were directly a divisor,
+rather than the index into adc5_prescale_ratios that it is.
+
+Fix the uninitialized value, and change the static initialization to use
+indices into adc5_prescale_ratios.
+
+Signed-off-by: Evan Green <evgreen@chromium.org>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/qcom-spmi-adc5.c | 58 ++++++++++++++++++++-------------------
+ 1 file changed, 31 insertions(+), 27 deletions(-)
+
+--- a/drivers/iio/adc/qcom-spmi-adc5.c
++++ b/drivers/iio/adc/qcom-spmi-adc5.c
+@@ -423,6 +423,7 @@ struct adc5_channels {
+ enum vadc_scale_fn_type scale_fn_type;
+ };
+
++/* In these definitions, _pre refers to an index into adc5_prescale_ratios. */
+ #define ADC5_CHAN(_dname, _type, _mask, _pre, _scale) \
+ { \
+ .datasheet_name = _dname, \
+@@ -443,63 +444,63 @@ struct adc5_channels {
+ _pre, _scale) \
+
+ static const struct adc5_channels adc5_chans_pmic[ADC5_MAX_CHANNEL] = {
+- [ADC5_REF_GND] = ADC5_CHAN_VOLT("ref_gnd", 1,
++ [ADC5_REF_GND] = ADC5_CHAN_VOLT("ref_gnd", 0,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_1P25VREF] = ADC5_CHAN_VOLT("vref_1p25", 1,
++ [ADC5_1P25VREF] = ADC5_CHAN_VOLT("vref_1p25", 0,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_VPH_PWR] = ADC5_CHAN_VOLT("vph_pwr", 3,
++ [ADC5_VPH_PWR] = ADC5_CHAN_VOLT("vph_pwr", 1,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_VBAT_SNS] = ADC5_CHAN_VOLT("vbat_sns", 3,
++ [ADC5_VBAT_SNS] = ADC5_CHAN_VOLT("vbat_sns", 1,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_DIE_TEMP] = ADC5_CHAN_TEMP("die_temp", 1,
++ [ADC5_DIE_TEMP] = ADC5_CHAN_TEMP("die_temp", 0,
+ SCALE_HW_CALIB_PMIC_THERM)
+- [ADC5_USB_IN_I] = ADC5_CHAN_VOLT("usb_in_i_uv", 1,
++ [ADC5_USB_IN_I] = ADC5_CHAN_VOLT("usb_in_i_uv", 0,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_USB_IN_V_16] = ADC5_CHAN_VOLT("usb_in_v_div_16", 16,
++ [ADC5_USB_IN_V_16] = ADC5_CHAN_VOLT("usb_in_v_div_16", 8,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_CHG_TEMP] = ADC5_CHAN_TEMP("chg_temp", 1,
++ [ADC5_CHG_TEMP] = ADC5_CHAN_TEMP("chg_temp", 0,
+ SCALE_HW_CALIB_PM5_CHG_TEMP)
+ /* Charger prescales SBUx and MID_CHG to fit within 1.8V upper unit */
+- [ADC5_SBUx] = ADC5_CHAN_VOLT("chg_sbux", 3,
++ [ADC5_SBUx] = ADC5_CHAN_VOLT("chg_sbux", 1,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_MID_CHG_DIV6] = ADC5_CHAN_VOLT("chg_mid_chg", 6,
++ [ADC5_MID_CHG_DIV6] = ADC5_CHAN_VOLT("chg_mid_chg", 3,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_XO_THERM_100K_PU] = ADC5_CHAN_TEMP("xo_therm", 1,
++ [ADC5_XO_THERM_100K_PU] = ADC5_CHAN_TEMP("xo_therm", 0,
+ SCALE_HW_CALIB_XOTHERM)
+- [ADC5_AMUX_THM1_100K_PU] = ADC5_CHAN_TEMP("amux_thm1_100k_pu", 1,
++ [ADC5_AMUX_THM1_100K_PU] = ADC5_CHAN_TEMP("amux_thm1_100k_pu", 0,
+ SCALE_HW_CALIB_THERM_100K_PULLUP)
+- [ADC5_AMUX_THM2_100K_PU] = ADC5_CHAN_TEMP("amux_thm2_100k_pu", 1,
++ [ADC5_AMUX_THM2_100K_PU] = ADC5_CHAN_TEMP("amux_thm2_100k_pu", 0,
+ SCALE_HW_CALIB_THERM_100K_PULLUP)
+- [ADC5_AMUX_THM3_100K_PU] = ADC5_CHAN_TEMP("amux_thm3_100k_pu", 1,
++ [ADC5_AMUX_THM3_100K_PU] = ADC5_CHAN_TEMP("amux_thm3_100k_pu", 0,
+ SCALE_HW_CALIB_THERM_100K_PULLUP)
+- [ADC5_AMUX_THM2] = ADC5_CHAN_TEMP("amux_thm2", 1,
++ [ADC5_AMUX_THM2] = ADC5_CHAN_TEMP("amux_thm2", 0,
+ SCALE_HW_CALIB_PM5_SMB_TEMP)
+ };
+
+ static const struct adc5_channels adc5_chans_rev2[ADC5_MAX_CHANNEL] = {
+- [ADC5_REF_GND] = ADC5_CHAN_VOLT("ref_gnd", 1,
++ [ADC5_REF_GND] = ADC5_CHAN_VOLT("ref_gnd", 0,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_1P25VREF] = ADC5_CHAN_VOLT("vref_1p25", 1,
++ [ADC5_1P25VREF] = ADC5_CHAN_VOLT("vref_1p25", 0,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_VPH_PWR] = ADC5_CHAN_VOLT("vph_pwr", 3,
++ [ADC5_VPH_PWR] = ADC5_CHAN_VOLT("vph_pwr", 1,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_VBAT_SNS] = ADC5_CHAN_VOLT("vbat_sns", 3,
++ [ADC5_VBAT_SNS] = ADC5_CHAN_VOLT("vbat_sns", 1,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_VCOIN] = ADC5_CHAN_VOLT("vcoin", 3,
++ [ADC5_VCOIN] = ADC5_CHAN_VOLT("vcoin", 1,
+ SCALE_HW_CALIB_DEFAULT)
+- [ADC5_DIE_TEMP] = ADC5_CHAN_TEMP("die_temp", 1,
++ [ADC5_DIE_TEMP] = ADC5_CHAN_TEMP("die_temp", 0,
+ SCALE_HW_CALIB_PMIC_THERM)
+- [ADC5_AMUX_THM1_100K_PU] = ADC5_CHAN_TEMP("amux_thm1_100k_pu", 1,
++ [ADC5_AMUX_THM1_100K_PU] = ADC5_CHAN_TEMP("amux_thm1_100k_pu", 0,
+ SCALE_HW_CALIB_THERM_100K_PULLUP)
+- [ADC5_AMUX_THM2_100K_PU] = ADC5_CHAN_TEMP("amux_thm2_100k_pu", 1,
++ [ADC5_AMUX_THM2_100K_PU] = ADC5_CHAN_TEMP("amux_thm2_100k_pu", 0,
+ SCALE_HW_CALIB_THERM_100K_PULLUP)
+- [ADC5_AMUX_THM3_100K_PU] = ADC5_CHAN_TEMP("amux_thm3_100k_pu", 1,
++ [ADC5_AMUX_THM3_100K_PU] = ADC5_CHAN_TEMP("amux_thm3_100k_pu", 0,
+ SCALE_HW_CALIB_THERM_100K_PULLUP)
+- [ADC5_AMUX_THM4_100K_PU] = ADC5_CHAN_TEMP("amux_thm4_100k_pu", 1,
++ [ADC5_AMUX_THM4_100K_PU] = ADC5_CHAN_TEMP("amux_thm4_100k_pu", 0,
+ SCALE_HW_CALIB_THERM_100K_PULLUP)
+- [ADC5_AMUX_THM5_100K_PU] = ADC5_CHAN_TEMP("amux_thm5_100k_pu", 1,
++ [ADC5_AMUX_THM5_100K_PU] = ADC5_CHAN_TEMP("amux_thm5_100k_pu", 0,
+ SCALE_HW_CALIB_THERM_100K_PULLUP)
+- [ADC5_XO_THERM_100K_PU] = ADC5_CHAN_TEMP("xo_therm_100k_pu", 1,
++ [ADC5_XO_THERM_100K_PU] = ADC5_CHAN_TEMP("xo_therm_100k_pu", 0,
+ SCALE_HW_CALIB_THERM_100K_PULLUP)
+ };
+
+@@ -558,6 +559,9 @@ static int adc5_get_dt_channel_data(stru
+ return ret;
+ }
+ prop->prescale = ret;
++ } else {
++ prop->prescale =
++ adc->data->adc_chans[prop->channel].prescale_index;
+ }
+
+ ret = of_property_read_u32(node, "qcom,hw-settle-time", &value);
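Review bot: The new else branch indexes `adc->data->adc_chans[prop->channel]`, and whether `prop->channel` has already been validated against ADC5_MAX_CHANNEL before this point is outside the hunk; if it has not, a DT channel number beyond the table turns the former garbage read into an out-of-bounds read of a static array, so that check must precede this line. The table hunk now carries raw indices (0, 1, 3, 8) whose meaning lives only in the new comment above ADC5_CHAN; named constants for the adc5_prescale_ratios indices (e.g. `PRE_SCALE_1_1`, constructed) would make `ADC5_CHAN_VOLT("usb_in_v_div_16", 8, ...)` self-describing. adc5_get_dt_channel_data starts and ends outside the hunk.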
--- /dev/null
+From 0e76df5c978338f3051e5126fc0c4245c57a307a Mon Sep 17 00:00:00 2001
+From: Mircea Caprioru <mircea.caprioru@analog.com>
+Date: Thu, 6 Dec 2018 15:53:15 +0200
+Subject: iio: dac: ad5686: fix bit shift read register
+
+From: Mircea Caprioru <mircea.caprioru@analog.com>
+
+commit 0e76df5c978338f3051e5126fc0c4245c57a307a upstream.
+
+This patch solves the register readback issue with the bit shift. When the
+dac resolution was lower than the register size (ex. 12 bits out of 16
+bits) the readback value was not shifted with the difference in bits and
+the value was higher. Also a mask is applied on the read value in order to
+get the value relative to the actual bit size.
+
+Fixes: 0357e488b8 ("iio:dac:ad5686: Refactor the driver")
+Signed-off-by: Mircea Caprioru <mircea.caprioru@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/dac/ad5686.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/dac/ad5686.c
++++ b/drivers/iio/dac/ad5686.c
+@@ -124,7 +124,8 @@ static int ad5686_read_raw(struct iio_de
+ mutex_unlock(&indio_dev->mlock);
+ if (ret < 0)
+ return ret;
+- *val = ret;
++ *val = (ret >> chan->scan_type.shift) &
++ GENMASK(chan->scan_type.realbits - 1, 0);
+ return IIO_VAL_INT;
+ case IIO_CHAN_INFO_SCALE:
+ *val = st->vref_mv;
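Review bot: The rewritten `*val` assignment shifts and masks in one expression, and nothing at the site says why the raw register value needs either; a one-line comment would save the next reader a trip to the commit message, e.g. `/* data word sits above scan_type.shift; keep only realbits of it */`. The ordering also matters: the value being shifted is ret, which the preceding `if (ret < 0) return ret;` has just rejected when negative, so the right shift is on a non-negative value and well defined — keep that check ahead of this line. ad5686_read_raw starts and ends outside the hunk.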
--- /dev/null
+From d53ec8af56d5163f8a42e961ece3aeb5c560e79d Mon Sep 17 00:00:00 2001
+From: Steve Wise <swise@opengridcomputing.com>
+Date: Thu, 20 Dec 2018 14:00:11 -0800
+Subject: RDMA/iwcm: Don't copy past the end of dev_name() string
+
+From: Steve Wise <swise@opengridcomputing.com>
+
+commit d53ec8af56d5163f8a42e961ece3aeb5c560e79d upstream.
+
+We now use dev_name(&ib_device->dev) instead of ib_device->name in iwpm
+messages. The name field in struct device is a const char *, where as
+ib_device->name is a char array of size IB_DEVICE_NAME_MAX, and it is
+pre-initialized to zeros.
+
+Since iw_cm_map() was using memcpy() to copy in the device name, and
+copying IWPM_DEVNAME_SIZE bytes, it ends up copying past the end of the
+source device name string and copying random bytes. This results in iwpmd
+failing the REGISTER_PID request from iwcm. Thus port mapping is broken.
+
+Validate the device and if name lengths, and use strncpy() to initialize
+the entire message field.
+
+Fixes: 896de0090a85 ("RDMA/core: Use dev_name instead of ibdev->name")
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/iwcm.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/core/iwcm.c
++++ b/drivers/infiniband/core/iwcm.c
+@@ -502,17 +502,21 @@ static void iw_cm_check_wildcard(struct
+ */
+ static int iw_cm_map(struct iw_cm_id *cm_id, bool active)
+ {
++ const char *devname = dev_name(&cm_id->device->dev);
++ const char *ifname = cm_id->device->iwcm->ifname;
+ struct iwpm_dev_data pm_reg_msg;
+ struct iwpm_sa_data pm_msg;
+ int status;
+
++ if (strlen(devname) >= sizeof(pm_reg_msg.dev_name) ||
++ strlen(ifname) >= sizeof(pm_reg_msg.if_name))
++ return -EINVAL;
++
+ cm_id->m_local_addr = cm_id->local_addr;
+ cm_id->m_remote_addr = cm_id->remote_addr;
+
+- memcpy(pm_reg_msg.dev_name, dev_name(&cm_id->device->dev),
+- sizeof(pm_reg_msg.dev_name));
+- memcpy(pm_reg_msg.if_name, cm_id->device->iwcm->ifname,
+- sizeof(pm_reg_msg.if_name));
++ strncpy(pm_reg_msg.dev_name, devname, sizeof(pm_reg_msg.dev_name));
++ strncpy(pm_reg_msg.if_name, ifname, sizeof(pm_reg_msg.if_name));
+
+ if (iwpm_register_pid(&pm_reg_msg, RDMA_NL_IWCM) ||
+ !iwpm_valid_pid())
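Review bot: The two strncpy() calls are correct only because of the `strlen(...) >= sizeof(...)` guard added above them — with that guard the copy always fits, is NUL-terminated and zero-pads the rest of the field — but strncpy() is routinely flagged and "fixed" to strscpy(), which would drop the zero padding and let uninitialized stack bytes of pm_reg_msg travel in the message handed to iwpm_register_pid(), which per the description is exactly what broke iwpmd. A short comment tying the two together would protect it: `/* lengths checked above: strncpy() both terminates and zero-fills the field, which the message sent to iwpmd relies on */`. If pm_reg_msg has any other members, they are still not initialized here; a `memset(&pm_reg_msg, 0, sizeof(pm_reg_msg));` before the copies would make the whole struct deterministic regardless of how the names are copied. iw_cm_map continues past the hunk.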
--- /dev/null
+From ed041919f0d23c109d52cde8da6ddc211c52d67e Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Mon, 17 Dec 2018 13:20:40 -0800
+Subject: RDMA/srpt: Fix a use-after-free in the channel release code
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit ed041919f0d23c109d52cde8da6ddc211c52d67e upstream.
+
+This patch avoids that KASAN sporadically reports the following:
+
+BUG: KASAN: use-after-free in rxe_run_task+0x1e/0x60 [rdma_rxe]
+Read of size 1 at addr ffff88801c50d8f4 by task check/24830
+
+CPU: 4 PID: 24830 Comm: check Not tainted 4.20.0-rc6-dbg+ #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+Call Trace:
+ dump_stack+0x86/0xca
+ print_address_description+0x71/0x239
+ kasan_report.cold.5+0x242/0x301
+ __asan_load1+0x47/0x50
+ rxe_run_task+0x1e/0x60 [rdma_rxe]
+ rxe_post_send+0x4bd/0x8d0 [rdma_rxe]
+ srpt_zerolength_write+0xe1/0x160 [ib_srpt]
+ srpt_close_ch+0x8b/0xe0 [ib_srpt]
+ srpt_set_enabled+0xe7/0x150 [ib_srpt]
+ srpt_tpg_enable_store+0xc0/0x100 [ib_srpt]
+ configfs_write_file+0x157/0x1d0
+ __vfs_write+0xd7/0x3d0
+ vfs_write+0x102/0x290
+ ksys_write+0xab/0x130
+ __x64_sys_write+0x43/0x50
+ do_syscall_64+0x71/0x210
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Allocated by task 13856:
+ save_stack+0x43/0xd0
+ kasan_kmalloc+0xc7/0xe0
+ kasan_slab_alloc+0x11/0x20
+ kmem_cache_alloc+0x105/0x320
+ rxe_alloc+0xff/0x1f0 [rdma_rxe]
+ rxe_create_qp+0x9f/0x160 [rdma_rxe]
+ ib_create_qp+0xf5/0x690 [ib_core]
+ rdma_create_qp+0x6a/0x140 [rdma_cm]
+ srpt_cm_req_recv.cold.59+0x1588/0x237b [ib_srpt]
+ srpt_rdma_cm_req_recv.isra.35+0x1d5/0x220 [ib_srpt]
+ srpt_rdma_cm_handler+0x6f/0x100 [ib_srpt]
+ cma_listen_handler+0x59/0x60 [rdma_cm]
+ cma_ib_req_handler+0xd5b/0x2570 [rdma_cm]
+ cm_process_work+0x2e/0x110 [ib_cm]
+ cm_work_handler+0x2aae/0x502b [ib_cm]
+ process_one_work+0x481/0x9e0
+ worker_thread+0x67/0x5b0
+ kthread+0x1cf/0x1f0
+ ret_from_fork+0x24/0x30
+
+Freed by task 3440:
+ save_stack+0x43/0xd0
+ __kasan_slab_free+0x139/0x190
+ kasan_slab_free+0xe/0x10
+ kmem_cache_free+0xbc/0x330
+ rxe_elem_release+0x66/0xe0 [rdma_rxe]
+ rxe_destroy_qp+0x3f/0x50 [rdma_rxe]
+ ib_destroy_qp+0x140/0x360 [ib_core]
+ srpt_release_channel_work+0xdc/0x310 [ib_srpt]
+ process_one_work+0x481/0x9e0
+ worker_thread+0x67/0x5b0
+ kthread+0x1cf/0x1f0
+ ret_from_fork+0x24/0x30
+
+Cc: Sergey Gorenko <sergeygo@mellanox.com>
+Cc: Max Gurtovoy <maxg@mellanox.com>
+Cc: Laurence Oberman <loberman@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -2010,6 +2010,14 @@ static void srpt_free_ch(struct kref *kr
+ kfree_rcu(ch, rcu);
+ }
+
++/*
++ * Shut down the SCSI target session, tell the connection manager to
++ * disconnect the associated RDMA channel, transition the QP to the error
++ * state and remove the channel from the channel list. This function is
++ * typically called from inside srpt_zerolength_write_done(). Concurrent
++ * srpt_zerolength_write() calls from inside srpt_close_ch() are possible
++ * as long as the channel is on sport->nexus_list.
++ */
+ static void srpt_release_channel_work(struct work_struct *w)
+ {
+ struct srpt_rdma_ch *ch;
+@@ -2037,6 +2045,11 @@ static void srpt_release_channel_work(st
+ else
+ ib_destroy_cm_id(ch->ib_cm.cm_id);
+
++ sport = ch->sport;
++ mutex_lock(&sport->mutex);
++ list_del_rcu(&ch->list);
++ mutex_unlock(&sport->mutex);
++
+ srpt_destroy_ch_ib(ch);
+
+ srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_ring,
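Review bot: Moving list_del_rcu() ahead of srpt_destroy_ch_ib() closes the race, as far as the hunk shows, only for walkers of sport->nexus_list that hold sport->mutex; a walker under rcu_read_lock() alone can still have found ch before the unlink and reach the QP after it is destroyed, because no grace period separates the unlink from srpt_destroy_ch_ib() (only the final kfree_rcu() in srpt_free_ch waits for one). The new header comment above srpt_release_channel_work should state that constraint explicitly, e.g. append `Callers that may post to ch->qp must walk nexus_list under sport->mutex, not merely under RCU.` If every such caller already takes the mutex this is documentation only; I cannot see those callers from the hunk. The function body continues beyond this hunk.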
+@@ -2047,11 +2060,6 @@ static void srpt_release_channel_work(st
+ sdev, ch->rq_size,
+ srp_max_req_size, DMA_FROM_DEVICE);
+
+- sport = ch->sport;
+- mutex_lock(&sport->mutex);
+- list_del_rcu(&ch->list);
+- mutex_unlock(&sport->mutex);
+-
+ wake_up(&sport->ch_releaseQ);
+
+ kref_put(&ch->kref, srpt_free_ch);
--- /dev/null
+From e48d8ed9c6193502d849b35767fd18e20bbd7ba2 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Thu, 25 Oct 2018 12:40:57 -0700
+Subject: rxe: fix error completion wr_id and qp_num
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+commit e48d8ed9c6193502d849b35767fd18e20bbd7ba2 upstream.
+
+Error completions must still contain a valid wr_id and
+qp_num such that the consumer can rely on. Correctly
+fill these fields in receive error completions.
+
+Reported-by: Walker Benjamin <benjamin.walker@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@oracle.com>
+Tested-by: Zhu Yanjun <yanjun.zhu@oracle.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/sw/rxe/rxe_resp.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_resp.c
++++ b/drivers/infiniband/sw/rxe/rxe_resp.c
+@@ -844,11 +844,16 @@ static enum resp_states do_complete(stru
+
+ memset(&cqe, 0, sizeof(cqe));
+
+- wc->wr_id = wqe->wr_id;
+- wc->status = qp->resp.status;
+- wc->qp = &qp->ibqp;
++ if (qp->rcq->is_user) {
++ uwc->status = qp->resp.status;
++ uwc->qp_num = qp->ibqp.qp_num;
++ uwc->wr_id = wqe->wr_id;
++ } else {
++ wc->status = qp->resp.status;
++ wc->qp = &qp->ibqp;
++ wc->wr_id = wqe->wr_id;
++ }
+
+- /* fields after status are not required for errors */
+ if (wc->status == IB_WC_SUCCESS) {
+ wc->opcode = (pkt->mask & RXE_IMMDT_MASK &&
+ pkt->mask & RXE_WRITE_MASK) ?
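Review bot: The condition right after the new block, `if (wc->status == IB_WC_SUCCESS)`, still reads through wc even on the is_user path where only uwc was written; assuming wc and uwc alias the same cqe that the memset above clears, this works only because ib_wc and ib_uverbs_wc happen to place status at the same offset, a layout coincidence rather than a contract. Comparing the value the hunk just copied is layout-independent: `if (qp->resp.status == IB_WC_SUCCESS) {`. The wc-> writes inside that success branch have the same dependency and are outside the hunk. do_complete starts and ends outside the hunk.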
nfsd4-zero-length-write-should-succeed.patch
revert-powerpc-tm-unset-msr-if-not-recheckpointing.patch
powerpc-tm-set-msr-just-prior-to-recheckpoint.patch
+iio-adc-qcom-spmi-adc5-initialize-prescale-properly.patch
+iio-dac-ad5686-fix-bit-shift-read-register.patch
+9p-net-put-a-lower-bound-on-msize.patch
+rxe-fix-error-completion-wr_id-and-qp_num.patch
+stm-class-fix-a-module-refcount-leak-in-policy-creation-error-path.patch
+rdma-srpt-fix-a-use-after-free-in-the-channel-release-code.patch
+rdma-iwcm-don-t-copy-past-the-end-of-dev_name-string.patch
--- /dev/null
+From c18614a1a11276837bdd44403d84d207c9951538 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Wed, 19 Dec 2018 17:19:20 +0200
+Subject: stm class: Fix a module refcount leak in policy creation error path
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit c18614a1a11276837bdd44403d84d207c9951538 upstream.
+
+Commit c7fd62bc69d0 ("stm class: Introduce framing protocol drivers")
+adds a bug into the error path of policy creation, that would do a
+module_put() on a wrong module, if one tried to create a policy for
+an stm device which already has a policy, using a different protocol.
+IOW,
+
+| mkdir /config/stp-policy/dummy_stm.0:p_basic.test
+| mkdir /config/stp-policy/dummy_stm.0:p_sys-t.test # puts "p_basic"
+| mkdir /config/stp-policy/dummy_stm.0:p_sys-t.test # "p_basic" -> -1
+
+throws:
+
+| general protection fault: 0000 [#1] SMP PTI
+| CPU: 3 PID: 2887 Comm: mkdir
+| RIP: 0010:module_put.part.31+0xe/0x90
+| Call Trace:
+| module_put+0x13/0x20
+| stm_put_protocol+0x11/0x20 [stm_core]
+| stp_policy_make+0xf1/0x210 [stm_core]
+| ? __kmalloc+0x183/0x220
+| ? configfs_mkdir+0x10d/0x4c0
+| configfs_mkdir+0x169/0x4c0
+| vfs_mkdir+0x108/0x1c0
+| do_mkdirat+0xe8/0x110
+| __x64_sys_mkdir+0x1b/0x20
+| do_syscall_64+0x5a/0x140
+| entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Correct this sad mistake by calling 'put' on the correct
+reference, which happens to match another error path in the same
+function, so we consolidate the two at the same time.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: c7fd62bc69d0 ("stm class: Introduce framing protocol drivers")
+Reported-by: Ammy Yi <ammy.yi@intel.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/stm/policy.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/hwtracing/stm/policy.c
++++ b/drivers/hwtracing/stm/policy.c
+@@ -440,10 +440,8 @@ stp_policy_make(struct config_group *gro
+
+ stm->policy = kzalloc(sizeof(*stm->policy), GFP_KERNEL);
+ if (!stm->policy) {
+- mutex_unlock(&stm->policy_mutex);
+- stm_put_protocol(pdrv);
+- stm_put_device(stm);
+- return ERR_PTR(-ENOMEM);
++ ret = ERR_PTR(-ENOMEM);
++ goto unlock_policy;
+ }
+
+ config_group_init_type_name(&stm->policy->group, name,
+@@ -458,7 +456,11 @@ unlock_policy:
+ mutex_unlock(&stm->policy_mutex);
+
+ if (IS_ERR(ret)) {
+- stm_put_protocol(stm->pdrv);
++ /*
++ * pdrv and stm->pdrv at this point can be quite different,
++ * and only one of them needs to be 'put'
++ */
++ stm_put_protocol(pdrv);
+ stm_put_device(stm);
+ }
+
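Review bot: The new comment says the two pointers "can be quite different" without saying which reference this function owns, which is what the next person touching an error path here needs; if I read the description right, pdrv is the driver looked up for this request and the reference held by stp_policy_make, while stm->pdrv belongs to an already-installed policy and may be another driver. I would make the comment say that, e.g. `/* pdrv is the reference this function took for its own lookup; stm->pdrv may belong to a pre-existing policy and is not ours to put. */`. The first hunk now routes the kzalloc failure through this same label, so its unlock/put/return order is unchanged from the inline sequence it replaced. stp_policy_make starts outside the hunk and continues after it.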