4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Jul 2019 16:30:08 +0000 (18:30 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Jul 2019 16:30:08 +0000 (18:30 +0200)
added patches:
alsa-ac97-fix-double-free-of-ac97_codec_device.patch
alsa-hda-add-a-conexant-codec-entry-to-let-mute-led-work.patch
alsa-line6-fix-wrong-altsetting-for-line6_podhd500_1.patch
binder-prevent-transactions-to-context-manager-from-its-own-process.patch
fpga-manager-altera-ps-spi-fix-build-error.patch
hpet-fix-division-by-zero-in-hpet_time_div.patch
mei-me-add-mule-creek-canyon-ehl-device-ids.patch
powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch
powerpc-xive-fix-loop-exit-condition-in-xive_find_target_in_mask.patch

queue-4.19/alsa-ac97-fix-double-free-of-ac97_codec_device.patch [new file with mode: 0644]
queue-4.19/alsa-hda-add-a-conexant-codec-entry-to-let-mute-led-work.patch [new file with mode: 0644]
queue-4.19/alsa-line6-fix-wrong-altsetting-for-line6_podhd500_1.patch [new file with mode: 0644]
queue-4.19/binder-prevent-transactions-to-context-manager-from-its-own-process.patch [new file with mode: 0644]
queue-4.19/fpga-manager-altera-ps-spi-fix-build-error.patch [new file with mode: 0644]
queue-4.19/hpet-fix-division-by-zero-in-hpet_time_div.patch [new file with mode: 0644]
queue-4.19/mei-me-add-mule-creek-canyon-ehl-device-ids.patch [new file with mode: 0644]
queue-4.19/powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch [new file with mode: 0644]
queue-4.19/powerpc-xive-fix-loop-exit-condition-in-xive_find_target_in_mask.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/alsa-ac97-fix-double-free-of-ac97_codec_device.patch b/queue-4.19/alsa-ac97-fix-double-free-of-ac97_codec_device.patch
new file mode 100644 (file)
index 0000000..3c23f31
--- /dev/null
@@ -0,0 +1,47 @@
+From 607975b30db41aad6edc846ed567191aa6b7d893 Mon Sep 17 00:00:00 2001
+From: Ding Xiang <dingxiang@cmss.chinamobile.com>
+Date: Tue, 23 Jul 2019 15:44:41 +0800
+Subject: ALSA: ac97: Fix double free of ac97_codec_device
+
+From: Ding Xiang <dingxiang@cmss.chinamobile.com>
+
+commit 607975b30db41aad6edc846ed567191aa6b7d893 upstream.
+
+put_device will call ac97_codec_release to free
+ac97_codec_device and other resources, so remove the kfree
+and other redundant code.
+
+Fixes: 74426fbff66e ("ALSA: ac97: add an ac97 bus")
+Signed-off-by: Ding Xiang <dingxiang@cmss.chinamobile.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/ac97/bus.c |   13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+--- a/sound/ac97/bus.c
++++ b/sound/ac97/bus.c
+@@ -125,17 +125,12 @@ static int ac97_codec_add(struct ac97_co
+                                                     vendor_id);
+       ret = device_add(&codec->dev);
+-      if (ret)
+-              goto err_free_codec;
++      if (ret) {
++              put_device(&codec->dev);
++              return ret;
++      }
+       return 0;
+-err_free_codec:
+-      of_node_put(codec->dev.of_node);
+-      put_device(&codec->dev);
+-      kfree(codec);
+-      ac97_ctrl->codecs[idx] = NULL;
+-
+-      return ret;
+ }
+ unsigned int snd_ac97_bus_scan_one(struct ac97_controller *adrv,
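Review bot: The new error path `put_device(&codec->dev); return ret;` now depends entirely on the device release callback to do what the removed lines did explicitly: drop the of_node reference, free `codec`, and reset `ac97_ctrl->codecs[idx]` to NULL. The commit message vouches only for the first two ("free ac97_codec_device and other resources"), so whether `ac97_codec_release()` also clears the `codecs[idx]` slot cannot be confirmed from this hunk and should be checked; if it does not, the controller is left holding a dangling pointer to the freed codec after a failed `device_add()`. Since the previous code looked "obviously complete" and was a double free, a comment would keep the cleanup from being reintroduced: `/* device_add() failed: the release callback owns the teardown (of_node ref, codecs[] slot, kfree) — do not free here */`. ac97_codec_add() begins outside the hunk.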
diff --git a/queue-4.19/alsa-hda-add-a-conexant-codec-entry-to-let-mute-led-work.patch b/queue-4.19/alsa-hda-add-a-conexant-codec-entry-to-let-mute-led-work.patch
new file mode 100644 (file)
index 0000000..11c2645
--- /dev/null
@@ -0,0 +1,34 @@
+From 3f8809499bf02ef7874254c5e23fc764a47a21a0 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Thu, 25 Jul 2019 14:57:37 +0800
+Subject: ALSA: hda - Add a conexant codec entry to let mute led work
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 3f8809499bf02ef7874254c5e23fc764a47a21a0 upstream.
+
+This conexant codec isn't in the supported codec list yet, the hda
+generic driver can drive this codec well, but on a Lenovo machine
+with mute/mic-mute leds, we need to apply CXT_FIXUP_THINKPAD_ACPI
+to make the leds work. After adding this codec to the list, the
+driver patch_conexant.c will apply THINKPAD_ACPI to this machine.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_conexant.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -1096,6 +1096,7 @@ static int patch_conexant_auto(struct hd
+  */
+ static const struct hda_device_id snd_hda_id_conexant[] = {
++      HDA_CODEC_ENTRY(0x14f11f86, "CX8070", patch_conexant_auto),
+       HDA_CODEC_ENTRY(0x14f12008, "CX8200", patch_conexant_auto),
+       HDA_CODEC_ENTRY(0x14f15045, "CX20549 (Venice)", patch_conexant_auto),
+       HDA_CODEC_ENTRY(0x14f15047, "CX20551 (Waikiki)", patch_conexant_auto),
diff --git a/queue-4.19/alsa-line6-fix-wrong-altsetting-for-line6_podhd500_1.patch b/queue-4.19/alsa-line6-fix-wrong-altsetting-for-line6_podhd500_1.patch
new file mode 100644 (file)
index 0000000..8287982
--- /dev/null
@@ -0,0 +1,36 @@
+From 70256b42caaf3e13c2932c2be7903a73fbe8bb8b Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Thu, 18 Jul 2019 17:53:13 +0800
+Subject: ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 70256b42caaf3e13c2932c2be7903a73fbe8bb8b upstream.
+
+Commit 7b9584fa1c0b ("staging: line6: Move altsetting to properties")
+set a wrong altsetting for LINE6_PODHD500_1 during refactoring.
+
+Set the correct altsetting number to fix the issue.
+
+BugLink: https://bugs.launchpad.net/bugs/1790595
+Fixes: 7b9584fa1c0b ("staging: line6: Move altsetting to properties")
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/line6/podhd.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/line6/podhd.c
++++ b/sound/usb/line6/podhd.c
+@@ -417,7 +417,7 @@ static const struct line6_properties pod
+               .name = "POD HD500",
+               .capabilities   = LINE6_CAP_PCM
+                               | LINE6_CAP_HWMON,
+-              .altsetting = 1,
++              .altsetting = 0,
+               .ep_ctrl_r = 0x81,
+               .ep_ctrl_w = 0x01,
+               .ep_audio_r = 0x86,
diff --git a/queue-4.19/binder-prevent-transactions-to-context-manager-from-its-own-process.patch b/queue-4.19/binder-prevent-transactions-to-context-manager-from-its-own-process.patch
new file mode 100644 (file)
index 0000000..2fec991
--- /dev/null
@@ -0,0 +1,37 @@
+From 49ed96943a8e0c62cc5a9b0a6cfc88be87d1fcec Mon Sep 17 00:00:00 2001
+From: Hridya Valsaraju <hridya@google.com>
+Date: Mon, 15 Jul 2019 12:18:04 -0700
+Subject: binder: prevent transactions to context manager from its own process.
+
+From: Hridya Valsaraju <hridya@google.com>
+
+commit 49ed96943a8e0c62cc5a9b0a6cfc88be87d1fcec upstream.
+
+Currently, a transaction to context manager from its own process
+is prevented by checking if its binder_proc struct is the same as
+that of the sender. However, this would not catch cases where the
+process opens the binder device again and uses the new fd to send
+a transaction to the context manager.
+
+Reported-by: syzbot+8b3c354d33c4ac78bfad@syzkaller.appspotmail.com
+Signed-off-by: Hridya Valsaraju <hridya@google.com>
+Acked-by: Todd Kjos <tkjos@google.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190715191804.112933-1-hridya@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2838,7 +2838,7 @@ static void binder_transaction(struct bi
+                       else
+                               return_error = BR_DEAD_REPLY;
+                       mutex_unlock(&context->context_mgr_node_lock);
+-                      if (target_node && target_proc == proc) {
++                      if (target_node && target_proc->pid == proc->pid) {
+                               binder_user_error("%d:%d got transaction to context manager from process owning it\n",
+                                                 proc->pid, thread->pid);
+                               return_error = BR_FAILED_REPLY;
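Review bot: The new condition `target_proc->pid == proc->pid` intentionally changes the self-transaction check from binder_proc identity to process identity, but nothing in the hunk records why, and the pointer comparison is the natural-looking form that the syzbot report shows to be insufficient; a comment would stop it being "simplified" back: `/* Compare pids, not binder_proc pointers: the owning process may have opened the driver again and be sending through a second fd. */`. Dereferencing `target_proc` here is safe only because `target_node &&` is evaluated first and, presumably, the lookup above the hunk sets `target_proc` whenever it yields a non-NULL node — worth confirming since that code is not visible. The `binder_user_error()` text "from process owning it" still matches the new semantics, so no change needed there. binder_transaction() begins and ends outside the hunk.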
diff --git a/queue-4.19/fpga-manager-altera-ps-spi-fix-build-error.patch b/queue-4.19/fpga-manager-altera-ps-spi-fix-build-error.patch
new file mode 100644 (file)
index 0000000..aacea54
--- /dev/null
@@ -0,0 +1,39 @@
+From 3d139703d397f6281368047ba7ad1c8bf95aa8ab Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Mon, 8 Jul 2019 15:13:56 +0800
+Subject: fpga-manager: altera-ps-spi: Fix build error
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit 3d139703d397f6281368047ba7ad1c8bf95aa8ab upstream.
+
+If BITREVERSE is m and FPGA_MGR_ALTERA_PS_SPI is y,
+build fails:
+
+drivers/fpga/altera-ps-spi.o: In function `altera_ps_write':
+altera-ps-spi.c:(.text+0x4ec): undefined reference to `byte_rev_table'
+
+Select BITREVERSE to fix this.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: fcfe18f885f6 ("fpga-manager: altera-ps-spi: use bitrev8x4")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Moritz Fischer <mdf@kernel.org>
+Link: https://lore.kernel.org/r/20190708071356.50928-1-yuehaibing@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/fpga/Kconfig |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/fpga/Kconfig
++++ b/drivers/fpga/Kconfig
+@@ -39,6 +39,7 @@ config ALTERA_PR_IP_CORE_PLAT
+ config FPGA_MGR_ALTERA_PS_SPI
+       tristate "Altera FPGA Passive Serial over SPI"
+       depends on SPI
++      select BITREVERSE
+       help
+         FPGA manager driver support for Altera Arria/Cyclone/Stratix
+         using the passive serial interface over SPI.
diff --git a/queue-4.19/hpet-fix-division-by-zero-in-hpet_time_div.patch b/queue-4.19/hpet-fix-division-by-zero-in-hpet_time_div.patch
new file mode 100644 (file)
index 0000000..25b49d5
--- /dev/null
@@ -0,0 +1,67 @@
+From 0c7d37f4d9b8446956e97b7c5e61173cdb7c8522 Mon Sep 17 00:00:00 2001
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+Date: Thu, 11 Jul 2019 21:27:57 +0800
+Subject: hpet: Fix division by zero in hpet_time_div()
+
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+
+commit 0c7d37f4d9b8446956e97b7c5e61173cdb7c8522 upstream.
+
+The base value in do_div() called by hpet_time_div() is truncated from
+unsigned long to uint32_t, resulting in a divide-by-zero exception.
+
+UBSAN: Undefined behaviour in ../drivers/char/hpet.c:572:2
+division by zero
+CPU: 1 PID: 23682 Comm: syz-executor.3 Not tainted 4.4.184.x86_64+ #4
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+ 0000000000000000 b573382df1853d00 ffff8800a3287b98 ffffffff81ad7561
+ ffff8800a3287c00 ffffffff838b35b0 ffffffff838b3860 ffff8800a3287c20
+ 0000000000000000 ffff8800a3287bb0 ffffffff81b8f25e ffffffff838b35a0
+Call Trace:
+ [<ffffffff81ad7561>] __dump_stack lib/dump_stack.c:15 [inline]
+ [<ffffffff81ad7561>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
+ [<ffffffff81b8f25e>] ubsan_epilogue+0x12/0x8d lib/ubsan.c:166
+ [<ffffffff81b900cb>] __ubsan_handle_divrem_overflow+0x282/0x2c8 lib/ubsan.c:262
+ [<ffffffff823560dd>] hpet_time_div drivers/char/hpet.c:572 [inline]
+ [<ffffffff823560dd>] hpet_ioctl_common drivers/char/hpet.c:663 [inline]
+ [<ffffffff823560dd>] hpet_ioctl_common.cold+0xa8/0xad drivers/char/hpet.c:577
+ [<ffffffff81e63d56>] hpet_ioctl+0xc6/0x180 drivers/char/hpet.c:676
+ [<ffffffff81711590>] vfs_ioctl fs/ioctl.c:43 [inline]
+ [<ffffffff81711590>] file_ioctl fs/ioctl.c:470 [inline]
+ [<ffffffff81711590>] do_vfs_ioctl+0x6e0/0xf70 fs/ioctl.c:605
+ [<ffffffff81711eb4>] SYSC_ioctl fs/ioctl.c:622 [inline]
+ [<ffffffff81711eb4>] SyS_ioctl+0x94/0xc0 fs/ioctl.c:613
+ [<ffffffff82846003>] tracesys_phase2+0x90/0x95
+
+The main C reproducer autogenerated by syzkaller,
+
+  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+  memcpy((void*)0x20000100, "/dev/hpet\000", 10);
+  syscall(__NR_openat, 0xffffffffffffff9c, 0x20000100, 0, 0);
+  syscall(__NR_ioctl, r[0], 0x40086806, 0x40000000000000);
+
+Fix it by using div64_ul().
+
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Zhang HongJun <zhanghongjun2@huawei.com>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20190711132757.130092-1-wangkefeng.wang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/hpet.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/char/hpet.c
++++ b/drivers/char/hpet.c
+@@ -570,8 +570,7 @@ static inline unsigned long hpet_time_di
+       unsigned long long m;
+       m = hpets->hp_tick_freq + (dis >> 1);
+-      do_div(m, dis);
+-      return (unsigned long)m;
++      return div64_ul(m, dis);
+ }
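Review bot: `return div64_ul(m, dis);` removes the 32-bit truncation of the divisor, but it still divides by zero if `dis` itself is 0; the reproducer quoted in the message (`0x40000000000000`, whose low 32 bits are zero) demonstrates only the truncation case. The HPET_IRQFREQ caller is not in this hunk, so whether a zero argument is rejected before hpet_time_div() is reached has to be confirmed rather than assumed; if it is, the precondition deserves to be stated at the division: `/* dis must be non-zero: the ioctl caller rejects arg == 0 before calling us */`. The function returns `unsigned long` while div64_ul() yields a 64-bit quotient, so on 32-bit builds the result is implicitly narrowed, same as the old `(unsigned long)m` cast — not a regression, but worth a note if the quotient can ever exceed 32 bits. The hpet_time_div() declaration is outside the hunk.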
+ static int
diff --git a/queue-4.19/mei-me-add-mule-creek-canyon-ehl-device-ids.patch b/queue-4.19/mei-me-add-mule-creek-canyon-ehl-device-ids.patch
new file mode 100644 (file)
index 0000000..8c7a0db
--- /dev/null
@@ -0,0 +1,46 @@
+From 1be8624a0cbef720e8da39a15971e01abffc865b Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Fri, 12 Jul 2019 12:58:14 +0300
+Subject: mei: me: add mule creek canyon (EHL) device ids
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit 1be8624a0cbef720e8da39a15971e01abffc865b upstream.
+
+Add Mule Creek Canyon (PCH) MEI device ids for Elkhart Lake (EHL) Platform.
+
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190712095814.20746-1-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/hw-me-regs.h |    3 +++
+ drivers/misc/mei/pci-me.c     |    3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -141,6 +141,9 @@
+ #define MEI_DEV_ID_ICP_LP     0x34E0  /* Ice Lake Point LP */
++#define MEI_DEV_ID_MCC        0x4B70  /* Mule Creek Canyon (EHL) */
++#define MEI_DEV_ID_MCC_4      0x4B75  /* Mule Creek Canyon 4 (EHL) */
++
+ /*
+  * MEI HW Section
+  */
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -107,6 +107,9 @@ static const struct pci_device_id mei_me
+       {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)},
++      {MEI_PCI_DEVICE(MEI_DEV_ID_MCC, MEI_ME_PCH12_CFG)},
++      {MEI_PCI_DEVICE(MEI_DEV_ID_MCC_4, MEI_ME_PCH8_CFG)},
++
+       /* required last entry */
+       {0, }
+ };
diff --git a/queue-4.19/powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch b/queue-4.19/powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch
new file mode 100644 (file)
index 0000000..111c138
--- /dev/null
@@ -0,0 +1,91 @@
+From f16d80b75a096c52354c6e0a574993f3b0dfbdfe Mon Sep 17 00:00:00 2001
+From: Michael Neuling <mikey@neuling.org>
+Date: Fri, 19 Jul 2019 15:05:02 +1000
+Subject: powerpc/tm: Fix oops on sigreturn on systems without TM
+
+From: Michael Neuling <mikey@neuling.org>
+
+commit f16d80b75a096c52354c6e0a574993f3b0dfbdfe upstream.
+
+On systems like P9 powernv where we have no TM (or P8 booted with
+ppc_tm=off), userspace can construct a signal context which still has
+the MSR TS bits set. The kernel tries to restore this context which
+results in the following crash:
+
+  Unexpected TM Bad Thing exception at c0000000000022fc (msr 0x8000000102a03031) tm_scratch=800000020280f033
+  Oops: Unrecoverable exception, sig: 6 [#1]
+  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
+  Modules linked in:
+  CPU: 0 PID: 1636 Comm: sigfuz Not tainted 5.2.0-11043-g0a8ad0ffa4 #69
+  NIP:  c0000000000022fc LR: 00007fffb2d67e48 CTR: 0000000000000000
+  REGS: c00000003fffbd70 TRAP: 0700   Not tainted  (5.2.0-11045-g7142b497d8)
+  MSR:  8000000102a03031 <SF,VEC,VSX,FP,ME,IR,DR,LE,TM[E]>  CR: 42004242  XER: 00000000
+  CFAR: c0000000000022e0 IRQMASK: 0
+  GPR00: 0000000000000072 00007fffb2b6e560 00007fffb2d87f00 0000000000000669
+  GPR04: 00007fffb2b6e728 0000000000000000 0000000000000000 00007fffb2b6f2a8
+  GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+  GPR12: 0000000000000000 00007fffb2b76900 0000000000000000 0000000000000000
+  GPR16: 00007fffb2370000 00007fffb2d84390 00007fffea3a15ac 000001000a250420
+  GPR20: 00007fffb2b6f260 0000000010001770 0000000000000000 0000000000000000
+  GPR24: 00007fffb2d843a0 00007fffea3a14a0 0000000000010000 0000000000800000
+  GPR28: 00007fffea3a14d8 00000000003d0f00 0000000000000000 00007fffb2b6e728
+  NIP [c0000000000022fc] rfi_flush_fallback+0x7c/0x80
+  LR [00007fffb2d67e48] 0x7fffb2d67e48
+  Call Trace:
+  Instruction dump:
+  e96a0220 e96a02a8 e96a0330 e96a03b8 394a0400 4200ffdc 7d2903a6 e92d0c00
+  e94d0c08 e96d0c10 e82d0c18 7db242a6 <4c000024> 7db243a6 7db142a6 f82d0c18
+
+The problem is the signal code assumes TM is enabled when
+CONFIG_PPC_TRANSACTIONAL_MEM is enabled. This may not be the case as
+with P9 powernv or if `ppc_tm=off` is used on P8.
+
+This means any local user can crash the system.
+
+Fix the problem by returning a bad stack frame to the user if they try
+to set the MSR TS bits with sigreturn() on systems where TM is not
+supported.
+
+Found with sigfuz kernel selftest on P9.
+
+This fixes CVE-2019-13648.
+
+Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context")
+Cc: stable@vger.kernel.org # v3.9
+Reported-by: Praveen Pandey <Praveen.Pandey@in.ibm.com>
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190719050502.405-1-mikey@neuling.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/signal_32.c |    3 +++
+ arch/powerpc/kernel/signal_64.c |    5 +++++
+ 2 files changed, 8 insertions(+)
+
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -1202,6 +1202,9 @@ SYSCALL_DEFINE0(rt_sigreturn)
+                       goto bad;
+               if (MSR_TM_ACTIVE(msr_hi<<32)) {
++                      /* Trying to start TM on non TM system */
++                      if (!cpu_has_feature(CPU_FTR_TM))
++                              goto bad;
+                       /* We only recheckpoint on return if we're
+                        * transaction.
+                        */
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -750,6 +750,11 @@ SYSCALL_DEFINE0(rt_sigreturn)
+       if (MSR_TM_ACTIVE(msr)) {
+               /* We recheckpoint on return. */
+               struct ucontext __user *uc_transact;
++
++              /* Trying to start TM on non TM system */
++              if (!cpu_has_feature(CPU_FTR_TM))
++                      goto badframe;
++
+               if (__get_user(uc_transact, &uc->uc_link))
+                       goto badframe;
+               if (restore_tm_sigcontexts(current, &uc->uc_mcontext,
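Review bot: Both new guards (`if (!cpu_has_feature(CPU_FTR_TM)) goto bad;` in signal_32.c and `goto badframe;` in signal_64.c) reject a bit pattern that comes straight from the user-supplied signal frame, and the one-line comment `/* Trying to start TM on non TM system */` undersells that; suggest `/* The TS bits come from the user-controlled frame. Refuse them when TM is unavailable (no TM, or ppc_tm=off): recheckpointing would raise a TM Bad Thing exception. */`. Only the two rt_sigreturn paths are patched here; if any other path restores a user-provided MSR with TS bits set (the non-rt sigreturn or swapcontext, should they take the same route) it presumably needs the same check, which is worth confirming before treating CVE-2019-13648 as fully closed. In signal_64.c the check precedes `__get_user(uc_transact, ...)`, which is the right order: nothing is read from the transactional frame on a system that cannot use it. Both rt_sigreturn bodies begin and end outside their hunks.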
diff --git a/queue-4.19/powerpc-xive-fix-loop-exit-condition-in-xive_find_target_in_mask.patch b/queue-4.19/powerpc-xive-fix-loop-exit-condition-in-xive_find_target_in_mask.patch
new file mode 100644 (file)
index 0000000..e5c5b07
--- /dev/null
@@ -0,0 +1,119 @@
+From 4d202c8c8ed3822327285747db1765967110b274 Mon Sep 17 00:00:00 2001
+From: "Gautham R. Shenoy" <ego@linux.vnet.ibm.com>
+Date: Wed, 17 Jul 2019 16:05:24 +0530
+Subject: powerpc/xive: Fix loop exit-condition in xive_find_target_in_mask()
+
+From: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
+
+commit 4d202c8c8ed3822327285747db1765967110b274 upstream.
+
+xive_find_target_in_mask() has the following for(;;) loop which has a
+bug when @first == cpumask_first(@mask) and condition 1 fails to hold
+for every CPU in @mask. In this case we loop forever in the for-loop.
+
+  first = cpu;
+  for (;;) {
+         if (cpu_online(cpu) && xive_try_pick_target(cpu)) // condition 1
+                 return cpu;
+         cpu = cpumask_next(cpu, mask);
+         if (cpu == first) // condition 2
+                 break;
+
+         if (cpu >= nr_cpu_ids) // condition 3
+                 cpu = cpumask_first(mask);
+  }
+
+This is because, when @first == cpumask_first(@mask), we never hit the
+condition 2 (cpu == first) since prior to this check, we would have
+executed "cpu = cpumask_next(cpu, mask)" which will set the value of
+@cpu to a value greater than @first or to nr_cpus_ids. When this is
+coupled with the fact that condition 1 is not met, we will never exit
+this loop.
+
+This was discovered by the hard-lockup detector while running LTP test
+concurrently with SMT switch tests.
+
+ watchdog: CPU 12 detected hard LOCKUP on other CPUs 68
+ watchdog: CPU 12 TB:85587019220796, last SMP heartbeat TB:85578827223399 (15999ms ago)
+ watchdog: CPU 68 Hard LOCKUP
+ watchdog: CPU 68 TB:85587019361273, last heartbeat TB:85576815065016 (19930ms ago)
+ CPU: 68 PID: 45050 Comm: hxediag Kdump: loaded Not tainted 4.18.0-100.el8.ppc64le #1
+ NIP:  c0000000006f5578 LR: c000000000cba9ec CTR: 0000000000000000
+ REGS: c000201fff3c7d80 TRAP: 0100   Not tainted  (4.18.0-100.el8.ppc64le)
+ MSR:  9000000002883033 <SF,HV,VEC,VSX,FP,ME,IR,DR,RI,LE>  CR: 24028424  XER: 00000000
+ CFAR: c0000000006f558c IRQMASK: 1
+ GPR00: c0000000000afc58 c000201c01c43400 c0000000015ce500 c000201cae26ec18
+ GPR04: 0000000000000800 0000000000000540 0000000000000800 00000000000000f8
+ GPR08: 0000000000000020 00000000000000a8 0000000080000000 c00800001a1beed8
+ GPR12: c0000000000b1410 c000201fff7f4c00 0000000000000000 0000000000000000
+ GPR16: 0000000000000000 0000000000000000 0000000000000540 0000000000000001
+ GPR20: 0000000000000048 0000000010110000 c00800001a1e3780 c000201cae26ed18
+ GPR24: 0000000000000000 c000201cae26ed8c 0000000000000001 c000000001116bc0
+ GPR28: c000000001601ee8 c000000001602494 c000201cae26ec18 000000000000001f
+ NIP [c0000000006f5578] find_next_bit+0x38/0x90
+ LR [c000000000cba9ec] cpumask_next+0x2c/0x50
+ Call Trace:
+ [c000201c01c43400] [c000201cae26ec18] 0xc000201cae26ec18 (unreliable)
+ [c000201c01c43420] [c0000000000afc58] xive_find_target_in_mask+0x1b8/0x240
+ [c000201c01c43470] [c0000000000b0228] xive_pick_irq_target.isra.3+0x168/0x1f0
+ [c000201c01c435c0] [c0000000000b1470] xive_irq_startup+0x60/0x260
+ [c000201c01c43640] [c0000000001d8328] __irq_startup+0x58/0xf0
+ [c000201c01c43670] [c0000000001d844c] irq_startup+0x8c/0x1a0
+ [c000201c01c436b0] [c0000000001d57b0] __setup_irq+0x9f0/0xa90
+ [c000201c01c43760] [c0000000001d5aa0] request_threaded_irq+0x140/0x220
+ [c000201c01c437d0] [c00800001a17b3d4] bnx2x_nic_load+0x188c/0x3040 [bnx2x]
+ [c000201c01c43950] [c00800001a187c44] bnx2x_self_test+0x1fc/0x1f70 [bnx2x]
+ [c000201c01c43a90] [c000000000adc748] dev_ethtool+0x11d8/0x2cb0
+ [c000201c01c43b60] [c000000000b0b61c] dev_ioctl+0x5ac/0xa50
+ [c000201c01c43bf0] [c000000000a8d4ec] sock_do_ioctl+0xbc/0x1b0
+ [c000201c01c43c60] [c000000000a8dfb8] sock_ioctl+0x258/0x4f0
+ [c000201c01c43d20] [c0000000004c9704] do_vfs_ioctl+0xd4/0xa70
+ [c000201c01c43de0] [c0000000004ca274] sys_ioctl+0xc4/0x160
+ [c000201c01c43e30] [c00000000000b388] system_call+0x5c/0x70
+ Instruction dump:
+ 78aad182 54a806be 3920ffff 78a50664 794a1f24 7d294036 7d43502a 7d295039
+ 4182001c 48000034 78a9d182 79291f24 <7d23482a> 2fa90000 409e0020 38a50040
+
+To fix this, move the check for condition 2 after the check for
+condition 3, so that we are able to break out of the loop soon after
+iterating through all the CPUs in the @mask in the problem case. Use
+do..while() to achieve this.
+
+Fixes: 243e25112d06 ("powerpc/xive: Native exploitation of the XIVE interrupt controller")
+Cc: stable@vger.kernel.org # v4.12+
+Reported-by: Indira P. Joga <indira.priya@in.ibm.com>
+Signed-off-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1563359724-13931-1-git-send-email-ego@linux.vnet.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/sysdev/xive/common.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/arch/powerpc/sysdev/xive/common.c
++++ b/arch/powerpc/sysdev/xive/common.c
+@@ -483,7 +483,7 @@ static int xive_find_target_in_mask(cons
+        * Now go through the entire mask until we find a valid
+        * target.
+        */
+-      for (;;) {
++      do {
+               /*
+                * We re-check online as the fallback case passes us
+                * an untested affinity mask
+@@ -491,12 +491,11 @@ static int xive_find_target_in_mask(cons
+               if (cpu_online(cpu) && xive_try_pick_target(cpu))
+                       return cpu;
+               cpu = cpumask_next(cpu, mask);
+-              if (cpu == first)
+-                      break;
+               /* Wrap around */
+               if (cpu >= nr_cpu_ids)
+                       cpu = cpumask_first(mask);
+-      }
++      } while (cpu != first);
++
+       return -1;
+ }
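Review bot: The new exit condition `} while (cpu != first);` terminates only if `first` is itself a member of `mask`, because `cpumask_next()`/`cpumask_first()` over `mask` can never produce a CPU outside it; the code that computes `first` is above the hunk, so if it can fall back to a CPU that is not in `mask` (for example an online-mask fallback on a bad index) the hang this patch fixes returns in a different shape — worth confirming. A belt-and-braces form that cannot spin regardless of that invariant is a bounded walk: replace `do {` / `} while (cpu != first);` with `for (i = 0; i < nr_cpu_ids; i++) {` … `if (cpu == first) break; }` (with `i` declared in the prologue outside the hunk), or at least document the invariant: `/* Terminates because first is a member of mask and cpumask_next() wraps back to it */`. Separately, an empty `mask` makes `cpumask_first(mask)` return `nr_cpu_ids`, which the next iteration hands to `cpu_online()`; if an empty mask can reach this function that case belongs in the same bound. xive_find_target_in_mask() begins outside the hunk.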
index 1f4e3bf5db971ce96c97e9283a346fca398a7dbb..a044e4bca6f3948ee706f3caa612793483ca942a 100644 (file)
@@ -100,3 +100,12 @@ usb-pci-quirks-correct-amd-pll-quirk-detection.patch
 btrfs-inode-don-t-compress-if-nodatasum-or-nodatacow-set.patch
 x86-sysfb_efi-add-quirks-for-some-devices-with-swapped-width-and-height.patch
 x86-speculation-mds-apply-more-accurate-check-on-hypervisor-platform.patch
+binder-prevent-transactions-to-context-manager-from-its-own-process.patch
+fpga-manager-altera-ps-spi-fix-build-error.patch
+mei-me-add-mule-creek-canyon-ehl-device-ids.patch
+hpet-fix-division-by-zero-in-hpet_time_div.patch
+alsa-ac97-fix-double-free-of-ac97_codec_device.patch
+alsa-line6-fix-wrong-altsetting-for-line6_podhd500_1.patch
+alsa-hda-add-a-conexant-codec-entry-to-let-mute-led-work.patch
+powerpc-xive-fix-loop-exit-condition-in-xive_find_target_in_mask.patch
+powerpc-tm-fix-oops-on-sigreturn-on-systems-without-tm.patch