5.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 8 Mar 2019 11:19:12 +0000 (12:19 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 8 Mar 2019 11:19:12 +0000 (12:19 +0100)
added patches:
aio-fix-locking-in-aio_poll.patch
alpha-wire-up-io_pgetevents-system-call.patch
applicom-fix-potential-spectre-v1-vulnerabilities.patch
bluetooth-btrtl-restore-old-logic-to-assume-firmware-is-already-loaded.patch
bluetooth-fix-locking-in-bt_accept_enqueue-for-bh-context.patch
gnss-sirf-fix-premature-wakeup-interrupt-enable.patch
mips-irq-allocate-accurate-order-pages-for-irq-stack.patch
revert-selftests-firmware-add-config_fw_loader_user_helper_fallback-to-config.patch
revert-selftests-firmware-remove-use-of-non-standard-diff-z-option.patch
selftests-firmware-fix-verify_reqs-return-value.patch
tracing-fix-event-filters-and-triggers-to-handle-negative-numbers.patch
usb-serial-cp210x-fix-gpio-in-autosuspend.patch
usb-xhci-fix-for-enabling-usb-role-switch-quirk-on-intel_sunrisepoint_lp_xhci.patch
xhci-tegra-prevent-error-pointer-dereference.patch
xtensa-fix-get_wchan.patch

16 files changed:
queue-5.0/aio-fix-locking-in-aio_poll.patch [new file with mode: 0644]
queue-5.0/alpha-wire-up-io_pgetevents-system-call.patch [new file with mode: 0644]
queue-5.0/applicom-fix-potential-spectre-v1-vulnerabilities.patch [new file with mode: 0644]
queue-5.0/bluetooth-btrtl-restore-old-logic-to-assume-firmware-is-already-loaded.patch [new file with mode: 0644]
queue-5.0/bluetooth-fix-locking-in-bt_accept_enqueue-for-bh-context.patch [new file with mode: 0644]
queue-5.0/gnss-sirf-fix-premature-wakeup-interrupt-enable.patch [new file with mode: 0644]
queue-5.0/mips-irq-allocate-accurate-order-pages-for-irq-stack.patch [new file with mode: 0644]
queue-5.0/revert-selftests-firmware-add-config_fw_loader_user_helper_fallback-to-config.patch [new file with mode: 0644]
queue-5.0/revert-selftests-firmware-remove-use-of-non-standard-diff-z-option.patch [new file with mode: 0644]
queue-5.0/selftests-firmware-fix-verify_reqs-return-value.patch [new file with mode: 0644]
queue-5.0/series
queue-5.0/tracing-fix-event-filters-and-triggers-to-handle-negative-numbers.patch [new file with mode: 0644]
queue-5.0/usb-serial-cp210x-fix-gpio-in-autosuspend.patch [new file with mode: 0644]
queue-5.0/usb-xhci-fix-for-enabling-usb-role-switch-quirk-on-intel_sunrisepoint_lp_xhci.patch [new file with mode: 0644]
queue-5.0/xhci-tegra-prevent-error-pointer-dereference.patch [new file with mode: 0644]
queue-5.0/xtensa-fix-get_wchan.patch [new file with mode: 0644]

diff --git a/queue-5.0/aio-fix-locking-in-aio_poll.patch b/queue-5.0/aio-fix-locking-in-aio_poll.patch
new file mode 100644 (file)
index 0000000..56d475f
--- /dev/null
@@ -0,0 +1,314 @@
+From d3d6a18d7d351cbcc9b33dbedf710e65f8ce1595 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Fri, 8 Feb 2019 16:59:49 -0800
+Subject: aio: Fix locking in aio_poll()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit d3d6a18d7d351cbcc9b33dbedf710e65f8ce1595 upstream.
+
+wake_up_locked() may but does not have to be called with interrupts
+disabled. Since the fuse filesystem calls wake_up_locked() without
+disabling interrupts aio_poll_wake() may be called with interrupts
+enabled. Since the kioctx.ctx_lock may be acquired from IRQ context,
+all code that acquires that lock from thread context must disable
+interrupts. Hence change the spin_trylock() call in aio_poll_wake()
+into a spin_trylock_irqsave() call. This patch fixes the following
+lockdep complaint:
+
+=====================================================
+WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
+5.0.0-rc4-next-20190131 #23 Not tainted
+-----------------------------------------------------
+syz-executor2/13779 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
+0000000098ac1230 (&fiq->waitq){+.+.}, at: spin_lock include/linux/spinlock.h:329 [inline]
+0000000098ac1230 (&fiq->waitq){+.+.}, at: aio_poll fs/aio.c:1772 [inline]
+0000000098ac1230 (&fiq->waitq){+.+.}, at: __io_submit_one fs/aio.c:1875 [inline]
+0000000098ac1230 (&fiq->waitq){+.+.}, at: io_submit_one+0xedf/0x1cf0 fs/aio.c:1908
+
+and this task is already holding:
+000000003c46111c (&(&ctx->ctx_lock)->rlock){..-.}, at: spin_lock_irq include/linux/spinlock.h:354 [inline]
+000000003c46111c (&(&ctx->ctx_lock)->rlock){..-.}, at: aio_poll fs/aio.c:1771 [inline]
+000000003c46111c (&(&ctx->ctx_lock)->rlock){..-.}, at: __io_submit_one fs/aio.c:1875 [inline]
+000000003c46111c (&(&ctx->ctx_lock)->rlock){..-.}, at: io_submit_one+0xeb6/0x1cf0 fs/aio.c:1908
+which would create a new lock dependency:
+ (&(&ctx->ctx_lock)->rlock){..-.} -> (&fiq->waitq){+.+.}
+
+but this new dependency connects a SOFTIRQ-irq-safe lock:
+ (&(&ctx->ctx_lock)->rlock){..-.}
+
+... which became SOFTIRQ-irq-safe at:
+  lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+  __raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline]
+  _raw_spin_lock_irq+0x60/0x80 kernel/locking/spinlock.c:160
+  spin_lock_irq include/linux/spinlock.h:354 [inline]
+  free_ioctx_users+0x2d/0x4a0 fs/aio.c:610
+  percpu_ref_put_many include/linux/percpu-refcount.h:285 [inline]
+  percpu_ref_put include/linux/percpu-refcount.h:301 [inline]
+  percpu_ref_call_confirm_rcu lib/percpu-refcount.c:123 [inline]
+  percpu_ref_switch_to_atomic_rcu+0x3e7/0x520 lib/percpu-refcount.c:158
+  __rcu_reclaim kernel/rcu/rcu.h:240 [inline]
+  rcu_do_batch kernel/rcu/tree.c:2486 [inline]
+  invoke_rcu_callbacks kernel/rcu/tree.c:2799 [inline]
+  rcu_core+0x928/0x1390 kernel/rcu/tree.c:2780
+  __do_softirq+0x266/0x95a kernel/softirq.c:292
+  run_ksoftirqd kernel/softirq.c:654 [inline]
+  run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646
+  smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
+  kthread+0x357/0x430 kernel/kthread.c:247
+  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
+
+to a SOFTIRQ-irq-unsafe lock:
+ (&fiq->waitq){+.+.}
+
+... which became SOFTIRQ-irq-unsafe at:
+...
+  lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+  __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+  _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
+  spin_lock include/linux/spinlock.h:329 [inline]
+  flush_bg_queue+0x1f3/0x3c0 fs/fuse/dev.c:415
+  fuse_request_queue_background+0x2d1/0x580 fs/fuse/dev.c:676
+  fuse_request_send_background+0x58/0x120 fs/fuse/dev.c:687
+  fuse_send_init fs/fuse/inode.c:989 [inline]
+  fuse_fill_super+0x13bb/0x1730 fs/fuse/inode.c:1214
+  mount_nodev+0x68/0x110 fs/super.c:1392
+  fuse_mount+0x2d/0x40 fs/fuse/inode.c:1239
+  legacy_get_tree+0xf2/0x200 fs/fs_context.c:590
+  vfs_get_tree+0x123/0x450 fs/super.c:1481
+  do_new_mount fs/namespace.c:2610 [inline]
+  do_mount+0x1436/0x2c40 fs/namespace.c:2932
+  ksys_mount+0xdb/0x150 fs/namespace.c:3148
+  __do_sys_mount fs/namespace.c:3162 [inline]
+  __se_sys_mount fs/namespace.c:3159 [inline]
+  __x64_sys_mount+0xbe/0x150 fs/namespace.c:3159
+  do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+other info that might help us debug this:
+
+ Possible interrupt unsafe locking scenario:
+
+       CPU0                    CPU1
+       ----                    ----
+  lock(&fiq->waitq);
+                               local_irq_disable();
+                               lock(&(&ctx->ctx_lock)->rlock);
+                               lock(&fiq->waitq);
+  <Interrupt>
+    lock(&(&ctx->ctx_lock)->rlock);
+
+ *** DEADLOCK ***
+
+1 lock held by syz-executor2/13779:
+ #0: 000000003c46111c (&(&ctx->ctx_lock)->rlock){..-.}, at: spin_lock_irq include/linux/spinlock.h:354 [inline]
+ #0: 000000003c46111c (&(&ctx->ctx_lock)->rlock){..-.}, at: aio_poll fs/aio.c:1771 [inline]
+ #0: 000000003c46111c (&(&ctx->ctx_lock)->rlock){..-.}, at: __io_submit_one fs/aio.c:1875 [inline]
+ #0: 000000003c46111c (&(&ctx->ctx_lock)->rlock){..-.}, at: io_submit_one+0xeb6/0x1cf0 fs/aio.c:1908
+
+the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
+-> (&(&ctx->ctx_lock)->rlock){..-.} {
+   IN-SOFTIRQ-W at:
+                    lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+                    __raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline]
+                    _raw_spin_lock_irq+0x60/0x80 kernel/locking/spinlock.c:160
+                    spin_lock_irq include/linux/spinlock.h:354 [inline]
+                    free_ioctx_users+0x2d/0x4a0 fs/aio.c:610
+                    percpu_ref_put_many include/linux/percpu-refcount.h:285 [inline]
+                    percpu_ref_put include/linux/percpu-refcount.h:301 [inline]
+                    percpu_ref_call_confirm_rcu lib/percpu-refcount.c:123 [inline]
+                    percpu_ref_switch_to_atomic_rcu+0x3e7/0x520 lib/percpu-refcount.c:158
+                    __rcu_reclaim kernel/rcu/rcu.h:240 [inline]
+                    rcu_do_batch kernel/rcu/tree.c:2486 [inline]
+                    invoke_rcu_callbacks kernel/rcu/tree.c:2799 [inline]
+                    rcu_core+0x928/0x1390 kernel/rcu/tree.c:2780
+                    __do_softirq+0x266/0x95a kernel/softirq.c:292
+                    run_ksoftirqd kernel/softirq.c:654 [inline]
+                    run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646
+                    smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
+                    kthread+0x357/0x430 kernel/kthread.c:247
+                    ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
+   INITIAL USE at:
+                   lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+                   __raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline]
+                   _raw_spin_lock_irq+0x60/0x80 kernel/locking/spinlock.c:160
+                   spin_lock_irq include/linux/spinlock.h:354 [inline]
+                   __do_sys_io_cancel fs/aio.c:2052 [inline]
+                   __se_sys_io_cancel fs/aio.c:2035 [inline]
+                   __x64_sys_io_cancel+0xd5/0x5a0 fs/aio.c:2035
+                   do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+                   entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ }
+ ... key      at: [<ffffffff8a574140>] __key.52370+0x0/0x40
+ ... acquired at:
+   lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+   __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+   _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
+   spin_lock include/linux/spinlock.h:329 [inline]
+   aio_poll fs/aio.c:1772 [inline]
+   __io_submit_one fs/aio.c:1875 [inline]
+   io_submit_one+0xedf/0x1cf0 fs/aio.c:1908
+   __do_sys_io_submit fs/aio.c:1953 [inline]
+   __se_sys_io_submit fs/aio.c:1923 [inline]
+   __x64_sys_io_submit+0x1bd/0x580 fs/aio.c:1923
+   do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+   entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+the dependencies between the lock to be acquired
+ and SOFTIRQ-irq-unsafe lock:
+-> (&fiq->waitq){+.+.} {
+   HARDIRQ-ON-W at:
+                    lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+                    __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+                    _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
+                    spin_lock include/linux/spinlock.h:329 [inline]
+                    flush_bg_queue+0x1f3/0x3c0 fs/fuse/dev.c:415
+                    fuse_request_queue_background+0x2d1/0x580 fs/fuse/dev.c:676
+                    fuse_request_send_background+0x58/0x120 fs/fuse/dev.c:687
+                    fuse_send_init fs/fuse/inode.c:989 [inline]
+                    fuse_fill_super+0x13bb/0x1730 fs/fuse/inode.c:1214
+                    mount_nodev+0x68/0x110 fs/super.c:1392
+                    fuse_mount+0x2d/0x40 fs/fuse/inode.c:1239
+                    legacy_get_tree+0xf2/0x200 fs/fs_context.c:590
+                    vfs_get_tree+0x123/0x450 fs/super.c:1481
+                    do_new_mount fs/namespace.c:2610 [inline]
+                    do_mount+0x1436/0x2c40 fs/namespace.c:2932
+                    ksys_mount+0xdb/0x150 fs/namespace.c:3148
+                    __do_sys_mount fs/namespace.c:3162 [inline]
+                    __se_sys_mount fs/namespace.c:3159 [inline]
+                    __x64_sys_mount+0xbe/0x150 fs/namespace.c:3159
+                    do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
+   SOFTIRQ-ON-W at:
+                    lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+                    __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+                    _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
+                    spin_lock include/linux/spinlock.h:329 [inline]
+                    flush_bg_queue+0x1f3/0x3c0 fs/fuse/dev.c:415
+                    fuse_request_queue_background+0x2d1/0x580 fs/fuse/dev.c:676
+                    fuse_request_send_background+0x58/0x120 fs/fuse/dev.c:687
+                    fuse_send_init fs/fuse/inode.c:989 [inline]
+                    fuse_fill_super+0x13bb/0x1730 fs/fuse/inode.c:1214
+                    mount_nodev+0x68/0x110 fs/super.c:1392
+                    fuse_mount+0x2d/0x40 fs/fuse/inode.c:1239
+                    legacy_get_tree+0xf2/0x200 fs/fs_context.c:590
+                    vfs_get_tree+0x123/0x450 fs/super.c:1481
+                    do_new_mount fs/namespace.c:2610 [inline]
+                    do_mount+0x1436/0x2c40 fs/namespace.c:2932
+                    ksys_mount+0xdb/0x150 fs/namespace.c:3148
+                    __do_sys_mount fs/namespace.c:3162 [inline]
+                    __se_sys_mount fs/namespace.c:3159 [inline]
+                    __x64_sys_mount+0xbe/0x150 fs/namespace.c:3159
+                    do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+                    entry_SYSCALL_64_after_hwframe+0x49/0xbe
+   INITIAL USE at:
+                   lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+                   __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+                   _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
+                   spin_lock include/linux/spinlock.h:329 [inline]
+                   flush_bg_queue+0x1f3/0x3c0 fs/fuse/dev.c:415
+                   fuse_request_queue_background+0x2d1/0x580 fs/fuse/dev.c:676
+                   fuse_request_send_background+0x58/0x120 fs/fuse/dev.c:687
+                   fuse_send_init fs/fuse/inode.c:989 [inline]
+                   fuse_fill_super+0x13bb/0x1730 fs/fuse/inode.c:1214
+                   mount_nodev+0x68/0x110 fs/super.c:1392
+                   fuse_mount+0x2d/0x40 fs/fuse/inode.c:1239
+                   legacy_get_tree+0xf2/0x200 fs/fs_context.c:590
+                   vfs_get_tree+0x123/0x450 fs/super.c:1481
+                   do_new_mount fs/namespace.c:2610 [inline]
+                   do_mount+0x1436/0x2c40 fs/namespace.c:2932
+                   ksys_mount+0xdb/0x150 fs/namespace.c:3148
+                   __do_sys_mount fs/namespace.c:3162 [inline]
+                   __se_sys_mount fs/namespace.c:3159 [inline]
+                   __x64_sys_mount+0xbe/0x150 fs/namespace.c:3159
+                   do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+                   entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ }
+ ... key      at: [<ffffffff8a60dec0>] __key.43450+0x0/0x40
+ ... acquired at:
+   lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+   __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+   _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
+   spin_lock include/linux/spinlock.h:329 [inline]
+   aio_poll fs/aio.c:1772 [inline]
+   __io_submit_one fs/aio.c:1875 [inline]
+   io_submit_one+0xedf/0x1cf0 fs/aio.c:1908
+   __do_sys_io_submit fs/aio.c:1953 [inline]
+   __se_sys_io_submit fs/aio.c:1923 [inline]
+   __x64_sys_io_submit+0x1bd/0x580 fs/aio.c:1923
+   do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+   entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+stack backtrace:
+CPU: 0 PID: 13779 Comm: syz-executor2 Not tainted 5.0.0-rc4-next-20190131 #23
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ print_bad_irq_dependency kernel/locking/lockdep.c:1573 [inline]
+ check_usage.cold+0x60f/0x940 kernel/locking/lockdep.c:1605
+ check_irq_usage kernel/locking/lockdep.c:1650 [inline]
+ check_prev_add_irq kernel/locking/lockdep_states.h:8 [inline]
+ check_prev_add kernel/locking/lockdep.c:1860 [inline]
+ check_prevs_add kernel/locking/lockdep.c:1968 [inline]
+ validate_chain kernel/locking/lockdep.c:2339 [inline]
+ __lock_acquire+0x1f12/0x4790 kernel/locking/lockdep.c:3320
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
+ spin_lock include/linux/spinlock.h:329 [inline]
+ aio_poll fs/aio.c:1772 [inline]
+ __io_submit_one fs/aio.c:1875 [inline]
+ io_submit_one+0xedf/0x1cf0 fs/aio.c:1908
+ __do_sys_io_submit fs/aio.c:1953 [inline]
+ __se_sys_io_submit fs/aio.c:1923 [inline]
+ __x64_sys_io_submit+0x1bd/0x580 fs/aio.c:1923
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Avi Kivity <avi@scylladb.com>
+Cc: Miklos Szeredi <miklos@szeredi.hu>
+Cc: <stable@vger.kernel.org>
+Fixes: e8693bcfa0b4 ("aio: allow direct aio poll comletions for keyed wakeups") # v4.19
+Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
+[ bvanassche: added a comment ]
+Reluctantly-Acked-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/aio.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1680,6 +1680,7 @@ static int aio_poll_wake(struct wait_que
+       struct poll_iocb *req = container_of(wait, struct poll_iocb, wait);
+       struct aio_kiocb *iocb = container_of(req, struct aio_kiocb, poll);
+       __poll_t mask = key_to_poll(key);
++      unsigned long flags;
+       req->woken = true;
+@@ -1688,10 +1689,15 @@ static int aio_poll_wake(struct wait_que
+               if (!(mask & req->events))
+                       return 0;
+-              /* try to complete the iocb inline if we can: */
+-              if (spin_trylock(&iocb->ki_ctx->ctx_lock)) {
++              /*
++               * Try to complete the iocb inline if we can. Use
++               * irqsave/irqrestore because not all filesystems (e.g. fuse)
++               * call this function with IRQs disabled and because IRQs
++               * have to be disabled before ctx_lock is obtained.
++               */
++              if (spin_trylock_irqsave(&iocb->ki_ctx->ctx_lock, flags)) {
+                       list_del(&iocb->ki_list);
+-                      spin_unlock(&iocb->ki_ctx->ctx_lock);
++                      spin_unlock_irqrestore(&iocb->ki_ctx->ctx_lock, flags);
+                       list_del_init(&req->wait.entry);
+                       aio_poll_complete(iocb, mask);
diff --git a/queue-5.0/alpha-wire-up-io_pgetevents-system-call.patch b/queue-5.0/alpha-wire-up-io_pgetevents-system-call.patch
new file mode 100644 (file)
index 0000000..a717aa6
--- /dev/null
@@ -0,0 +1,31 @@
+From d012d1325ba523b8ef3e55ba79c943e220154fdc Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 3 Jan 2019 22:10:26 +0100
+Subject: alpha: wire up io_pgetevents system call
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit d012d1325ba523b8ef3e55ba79c943e220154fdc upstream.
+
+The io_pgetevents system call was added in linux-4.18 but has
+no entry for alpha:
+
+warning: #warning syscall io_pgetevents not implemented [-Wcpp]
+
+Assign a the next system call number here.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/alpha/kernel/syscalls/syscall.tbl |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/alpha/kernel/syscalls/syscall.tbl
++++ b/arch/alpha/kernel/syscalls/syscall.tbl
+@@ -451,3 +451,4 @@
+ 520   common  preadv2                         sys_preadv2
+ 521   common  pwritev2                        sys_pwritev2
+ 522   common  statx                           sys_statx
++523   common  io_pgetevents                   sys_io_pgetevents
diff --git a/queue-5.0/applicom-fix-potential-spectre-v1-vulnerabilities.patch b/queue-5.0/applicom-fix-potential-spectre-v1-vulnerabilities.patch
new file mode 100644 (file)
index 0000000..6da3076
--- /dev/null
@@ -0,0 +1,104 @@
+From d7ac3c6ef5d8ce14b6381d52eb7adafdd6c8bb3c Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Wed, 9 Jan 2019 16:05:10 -0600
+Subject: applicom: Fix potential Spectre v1 vulnerabilities
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit d7ac3c6ef5d8ce14b6381d52eb7adafdd6c8bb3c upstream.
+
+IndexCard is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/char/applicom.c:418 ac_write() warn: potential spectre issue 'apbs' [r]
+drivers/char/applicom.c:728 ac_ioctl() warn: potential spectre issue 'apbs' [r] (local cap)
+
+Fix this by sanitizing IndexCard before using it to index apbs.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/applicom.c |   35 ++++++++++++++++++++++++-----------
+ 1 file changed, 24 insertions(+), 11 deletions(-)
+
+--- a/drivers/char/applicom.c
++++ b/drivers/char/applicom.c
+@@ -32,6 +32,7 @@
+ #include <linux/wait.h>
+ #include <linux/init.h>
+ #include <linux/fs.h>
++#include <linux/nospec.h>
+ #include <asm/io.h>
+ #include <linux/uaccess.h>
+@@ -386,7 +387,11 @@ static ssize_t ac_write(struct file *fil
+       TicCard = st_loc.tic_des_from_pc;       /* tic number to send            */
+       IndexCard = NumCard - 1;
+-      if((NumCard < 1) || (NumCard > MAX_BOARD) || !apbs[IndexCard].RamIO)
++      if (IndexCard >= MAX_BOARD)
++              return -EINVAL;
++      IndexCard = array_index_nospec(IndexCard, MAX_BOARD);
++
++      if (!apbs[IndexCard].RamIO)
+               return -EINVAL;
+ #ifdef DEBUG
+@@ -697,6 +702,7 @@ static long ac_ioctl(struct file *file,
+       unsigned char IndexCard;
+       void __iomem *pmem;
+       int ret = 0;
++      static int warncount = 10;
+       volatile unsigned char byte_reset_it;
+       struct st_ram_io *adgl;
+       void __user *argp = (void __user *)arg;
+@@ -711,16 +717,12 @@ static long ac_ioctl(struct file *file,
+       mutex_lock(&ac_mutex);  
+       IndexCard = adgl->num_card-1;
+        
+-      if(cmd != 6 && ((IndexCard >= MAX_BOARD) || !apbs[IndexCard].RamIO)) {
+-              static int warncount = 10;
+-              if (warncount) {
+-                      printk( KERN_WARNING "APPLICOM driver IOCTL, bad board number %d\n",(int)IndexCard+1);
+-                      warncount--;
+-              }
+-              kfree(adgl);
+-              mutex_unlock(&ac_mutex);
+-              return -EINVAL;
+-      }
++      if (cmd != 6 && IndexCard >= MAX_BOARD)
++              goto err;
++      IndexCard = array_index_nospec(IndexCard, MAX_BOARD);
++
++      if (cmd != 6 && !apbs[IndexCard].RamIO)
++              goto err;
+       switch (cmd) {
+               
+@@ -838,5 +840,16 @@ static long ac_ioctl(struct file *file,
+       kfree(adgl);
+       mutex_unlock(&ac_mutex);
+       return 0;
++
++err:
++      if (warncount) {
++              pr_warn("APPLICOM driver IOCTL, bad board number %d\n",
++                      (int)IndexCard + 1);
++              warncount--;
++      }
++      kfree(adgl);
++      mutex_unlock(&ac_mutex);
++      return -EINVAL;
++
+ }
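Review bot: In ac_write() the explicit `NumCard < 1` test is gone, so rejecting board number 0 now depends on `IndexCard = NumCard - 1` wrapping to a value at or above MAX_BOARD. IndexCard's declaration in ac_write() is outside the hunk (ac_ioctl() shows it as `unsigned char`), so this holds only if it is unsigned there too; a comment above the check would pin that, e.g. `/* IndexCard is unsigned: NumCard == 0 wraps and is rejected here */`. In ac_ioctl() the clamp `IndexCard = array_index_nospec(IndexCard, MAX_BOARD);` also runs for cmd 6, where the range check is skipped, so an out-of-range board number silently becomes index 0 for that command. Whether case 6 reads IndexCard is not visible here, so a short comment stating that it does not (if so) would help the next reader. Both function bodies continue outside the hunks.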
diff --git a/queue-5.0/bluetooth-btrtl-restore-old-logic-to-assume-firmware-is-already-loaded.patch b/queue-5.0/bluetooth-btrtl-restore-old-logic-to-assume-firmware-is-already-loaded.patch
new file mode 100644 (file)
index 0000000..1e5af8d
--- /dev/null
@@ -0,0 +1,58 @@
+From 00df214b1faae520880cc5c57e206f21239ef741 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Sun, 27 Jan 2019 16:33:59 +0800
+Subject: Bluetooth: btrtl: Restore old logic to assume firmware is already loaded
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 00df214b1faae520880cc5c57e206f21239ef741 upstream.
+
+Realtek bluetooth may not work after reboot:
+[   12.446130] Bluetooth: hci0: RTL: rtl: unknown IC info, lmp subver a99e, hci rev 826c, hci ver 0008
+
+This is a regression introduced by commit 26503ad25de8 ("Bluetooth:
+btrtl: split the device initialization into smaller parts"). The new
+logic errors out early when no matching IC info can be found, in this
+case it means the firmware is already loaded.
+
+So let's assume the firmware is already loaded when we can't find
+matching IC info, like the old logic did.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201921
+Fixes: 26503ad25de8 ("Bluetooth: btrtl: split the device initialization into smaller parts")
+Cc: stable@vger.kernel.org # 4.19+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/btrtl.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/bluetooth/btrtl.c
++++ b/drivers/bluetooth/btrtl.c
+@@ -552,10 +552,9 @@ struct btrtl_device_info *btrtl_initiali
+                                           hdev->bus);
+       if (!btrtl_dev->ic_info) {
+-              rtl_dev_err(hdev, "rtl: unknown IC info, lmp subver %04x, hci rev %04x, hci ver %04x",
++              rtl_dev_info(hdev, "rtl: unknown IC info, lmp subver %04x, hci rev %04x, hci ver %04x",
+                           lmp_subver, hci_rev, hci_ver);
+-              ret = -EINVAL;
+-              goto err_free;
++              return btrtl_dev;
+       }
+       if (btrtl_dev->ic_info->has_rom_version) {
+@@ -610,6 +609,11 @@ int btrtl_download_firmware(struct hci_d
+        * standard btusb. Once that firmware is uploaded, the subver changes
+        * to a different value.
+        */
++      if (!btrtl_dev->ic_info) {
++              rtl_dev_info(hdev, "rtl: assuming no firmware upload needed\n");
++              return 0;
++      }
++
+       switch (btrtl_dev->ic_info->lmp_subver) {
+       case RTL_ROM_LMP_8723A:
+       case RTL_ROM_LMP_3499:
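Review bot: After this change btrtl_initialize() returns a btrtl_dev whose `ic_info` is NULL, and the only guard visible is the one added in btrtl_download_firmware(). Any other reader of `btrtl_dev->ic_info` outside these hunks would now dereference NULL, so the contract deserves a comment at the early return, e.g. `/* ic_info stays NULL: callers must treat this as "firmware already loaded" */`. The new message `"rtl: assuming no firmware upload needed\n"` also carries a trailing newline while the rtl_dev_info() call a few lines above has none; dropping the `\n` keeps the two consistent. Both functions start and end outside the hunks.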
diff --git a/queue-5.0/bluetooth-fix-locking-in-bt_accept_enqueue-for-bh-context.patch b/queue-5.0/bluetooth-fix-locking-in-bt_accept_enqueue-for-bh-context.patch
new file mode 100644 (file)
index 0000000..624a111
--- /dev/null
@@ -0,0 +1,131 @@
+From c4f5627f7eeecde1bb6b646d8c0907b96dc2b2a6 Mon Sep 17 00:00:00 2001
+From: Matthias Kaehlcke <mka@chromium.org>
+Date: Wed, 2 Jan 2019 16:11:20 -0800
+Subject: Bluetooth: Fix locking in bt_accept_enqueue() for BH context
+
+From: Matthias Kaehlcke <mka@chromium.org>
+
+commit c4f5627f7eeecde1bb6b646d8c0907b96dc2b2a6 upstream.
+
+With commit e16337622016 ("Bluetooth: Handle bt_accept_enqueue() socket
+atomically") lock_sock[_nested]() is used to acquire the socket lock
+before manipulating the socket. lock_sock[_nested]() may block, which
+is problematic since bt_accept_enqueue() can be called in bottom half
+context (e.g. from rfcomm_connect_ind()):
+
+[<ffffff80080d81ec>] __might_sleep+0x4c/0x80
+[<ffffff800876c7b0>] lock_sock_nested+0x24/0x58
+[<ffffff8000d7c27c>] bt_accept_enqueue+0x48/0xd4 [bluetooth]
+[<ffffff8000e67d8c>] rfcomm_connect_ind+0x190/0x218 [rfcomm]
+
+Add a parameter to bt_accept_enqueue() to indicate whether the
+function is called from BH context, and acquire the socket lock
+with bh_lock_sock_nested() if that's the case.
+
+Also adapt all callers of bt_accept_enqueue() to pass the new
+parameter:
+
+- l2cap_sock_new_connection_cb()
+  - uses lock_sock() to lock the parent socket => process context
+
+- rfcomm_connect_ind()
+  - acquires the parent socket lock with bh_lock_sock() => BH
+    context
+
+- __sco_chan_add()
+  - called from sco_chan_add(), which is called from sco_connect().
+    parent is NULL, hence bt_accept_enqueue() isn't called in this
+    code path and we can ignore it
+  - also called from sco_conn_ready(). uses bh_lock_sock() to acquire
+    the parent lock => BH context
+
+Fixes: e16337622016 ("Bluetooth: Handle bt_accept_enqueue() socket atomically")
+Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/bluetooth/bluetooth.h |    2 +-
+ net/bluetooth/af_bluetooth.c      |   16 +++++++++++++---
+ net/bluetooth/l2cap_sock.c        |    2 +-
+ net/bluetooth/rfcomm/sock.c       |    2 +-
+ net/bluetooth/sco.c               |    2 +-
+ 5 files changed, 17 insertions(+), 7 deletions(-)
+
+--- a/include/net/bluetooth/bluetooth.h
++++ b/include/net/bluetooth/bluetooth.h
+@@ -276,7 +276,7 @@ int  bt_sock_ioctl(struct socket *sock,
+ int  bt_sock_wait_state(struct sock *sk, int state, unsigned long timeo);
+ int  bt_sock_wait_ready(struct sock *sk, unsigned long flags);
+-void bt_accept_enqueue(struct sock *parent, struct sock *sk);
++void bt_accept_enqueue(struct sock *parent, struct sock *sk, bool bh);
+ void bt_accept_unlink(struct sock *sk);
+ struct sock *bt_accept_dequeue(struct sock *parent, struct socket *newsock);
+--- a/net/bluetooth/af_bluetooth.c
++++ b/net/bluetooth/af_bluetooth.c
+@@ -154,15 +154,25 @@ void bt_sock_unlink(struct bt_sock_list
+ }
+ EXPORT_SYMBOL(bt_sock_unlink);
+-void bt_accept_enqueue(struct sock *parent, struct sock *sk)
++void bt_accept_enqueue(struct sock *parent, struct sock *sk, bool bh)
+ {
+       BT_DBG("parent %p, sk %p", parent, sk);
+       sock_hold(sk);
+-      lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
++
++      if (bh)
++              bh_lock_sock_nested(sk);
++      else
++              lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
++
+       list_add_tail(&bt_sk(sk)->accept_q, &bt_sk(parent)->accept_q);
+       bt_sk(sk)->parent = parent;
+-      release_sock(sk);
++
++      if (bh)
++              bh_unlock_sock(sk);
++      else
++              release_sock(sk);
++
+       parent->sk_ack_backlog++;
+ }
+ EXPORT_SYMBOL(bt_accept_enqueue);
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1252,7 +1252,7 @@ static struct l2cap_chan *l2cap_sock_new
+       l2cap_sock_init(sk, parent);
+-      bt_accept_enqueue(parent, sk);
++      bt_accept_enqueue(parent, sk, false);
+       release_sock(parent);
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -988,7 +988,7 @@ int rfcomm_connect_ind(struct rfcomm_ses
+       rfcomm_pi(sk)->channel = channel;
+       sk->sk_state = BT_CONFIG;
+-      bt_accept_enqueue(parent, sk);
++      bt_accept_enqueue(parent, sk, true);
+       /* Accept connection and return socket DLC */
+       *d = rfcomm_pi(sk)->dlc;
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -193,7 +193,7 @@ static void __sco_chan_add(struct sco_co
+       conn->sk = sk;
+       if (parent)
+-              bt_accept_enqueue(parent, sk);
++              bt_accept_enqueue(parent, sk, true);
+ }
+ static int sco_chan_add(struct sco_conn *conn, struct sock *sk,
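Review bot: The `bh` branch in bt_accept_enqueue() takes only the socket spinlock via `bh_lock_sock_nested(sk)`, which does not exclude a process-context owner holding `sk` through lock_sock(). The list_add_tail() and the `parent` assignment are therefore safe only if nothing in process context can own `sk` at that point, which presumably holds for a freshly created child socket but is not shown in the hunk. Correctness also depends on every caller passing the right value, since a wrong `false` brings back the sleeping call in BH context. A comment above the function should state both conditions, e.g. `/* @bh: true when called from BH context (parent held via bh_lock_sock()); sk must not be owned by a process at this point */`.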
diff --git a/queue-5.0/gnss-sirf-fix-premature-wakeup-interrupt-enable.patch b/queue-5.0/gnss-sirf-fix-premature-wakeup-interrupt-enable.patch
new file mode 100644 (file)
index 0000000..1cbbb9b
--- /dev/null
@@ -0,0 +1,96 @@
+From 82f844c22588bf47132c82faeda50b6db473162c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 22 Jan 2019 18:22:53 +0100
+Subject: gnss: sirf: fix premature wakeup interrupt enable
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 82f844c22588bf47132c82faeda50b6db473162c upstream.
+
+Make sure the receiver is powered (and booted) before enabling the
+wakeup interrupt to avoid spurious interrupts due to a floating input.
+
+Similarly, disable the interrupt before powering off on probe errors and
+on unbind.
+
+Fixes: d2efbbd18b1e ("gnss: add driver for sirfstar-based receivers")
+Cc: stable <stable@vger.kernel.org>    # 4.19
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gnss/sirf.c |   32 +++++++++++++++++---------------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+--- a/drivers/gnss/sirf.c
++++ b/drivers/gnss/sirf.c
+@@ -310,30 +310,26 @@ static int sirf_probe(struct serdev_devi
+                       ret = -ENODEV;
+                       goto err_put_device;
+               }
++
++              ret = regulator_enable(data->vcc);
++              if (ret)
++                      goto err_put_device;
++
++              /* Wait for chip to boot into hibernate mode. */
++              msleep(SIRF_BOOT_DELAY);
+       }
+       if (data->wakeup) {
+               ret = gpiod_to_irq(data->wakeup);
+               if (ret < 0)
+-                      goto err_put_device;
+-
++                      goto err_disable_vcc;
+               data->irq = ret;
+-              ret = devm_request_threaded_irq(dev, data->irq, NULL,
+-                              sirf_wakeup_handler,
++              ret = request_threaded_irq(data->irq, NULL, sirf_wakeup_handler,
+                               IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
+                               "wakeup", data);
+               if (ret)
+-                      goto err_put_device;
+-      }
+-
+-      if (data->on_off) {
+-              ret = regulator_enable(data->vcc);
+-              if (ret)
+-                      goto err_put_device;
+-
+-              /* Wait for chip to boot into hibernate mode */
+-              msleep(SIRF_BOOT_DELAY);
++                      goto err_disable_vcc;
+       }
+       if (IS_ENABLED(CONFIG_PM)) {
+@@ -342,7 +338,7 @@ static int sirf_probe(struct serdev_devi
+       } else {
+               ret = sirf_runtime_resume(dev);
+               if (ret < 0)
+-                      goto err_disable_vcc;
++                      goto err_free_irq;
+       }
+       ret = gnss_register_device(gdev);
+@@ -356,6 +352,9 @@ err_disable_rpm:
+               pm_runtime_disable(dev);
+       else
+               sirf_runtime_suspend(dev);
++err_free_irq:
++      if (data->wakeup)
++              free_irq(data->irq, data);
+ err_disable_vcc:
+       if (data->on_off)
+               regulator_disable(data->vcc);
+@@ -376,6 +375,9 @@ static void sirf_remove(struct serdev_de
+       else
+               sirf_runtime_suspend(&serdev->dev);
++      if (data->wakeup)
++              free_irq(data->irq, data);
++
+       if (data->on_off)
+               regulator_disable(data->vcc);
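Review bot: In sirf_probe() the wakeup IRQ moves from devm_request_threaded_irq() to request_threaded_irq(), with hand-written free_irq() calls under the new err_free_irq label and in sirf_remove(), but no comment says why the managed variant is not used. Per the commit message the release order is the point of the fix: the interrupt has to be gone before regulator_disable(), so the floating wakeup input cannot raise spurious interrupts. A later cleanup could convert this back to devm and reintroduce the problem. I would add a comment above the request, e.g. `/* Not devm: the IRQ must be freed before vcc is disabled (err_free_irq, sirf_remove). */`. Both functions start and end outside the visible hunks.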
diff --git a/queue-5.0/mips-irq-allocate-accurate-order-pages-for-irq-stack.patch b/queue-5.0/mips-irq-allocate-accurate-order-pages-for-irq-stack.patch
new file mode 100644 (file)
index 0000000..5a9e90a
--- /dev/null
@@ -0,0 +1,44 @@
+From 72faa7a773ca59336f3c889e878de81445c5a85c Mon Sep 17 00:00:00 2001
+From: Liu Xiang <liu.xiang6@zte.com.cn>
+Date: Sat, 16 Feb 2019 17:12:24 +0800
+Subject: MIPS: irq: Allocate accurate order pages for irq stack
+
+From: Liu Xiang <liu.xiang6@zte.com.cn>
+
+commit 72faa7a773ca59336f3c889e878de81445c5a85c upstream.
+
+The irq_pages is the number of pages for irq stack, but not the
+order which is needed by __get_free_pages().
+We can use get_order() to calculate the accurate order.
+
+Signed-off-by: Liu Xiang <liu.xiang6@zte.com.cn>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Fixes: fe8bd18ffea5 ("MIPS: Introduce irq_stack")
+Cc: linux-mips@vger.kernel.org
+Cc: stable@vger.kernel.org # v4.11+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/irq.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/irq.c
++++ b/arch/mips/kernel/irq.c
+@@ -52,6 +52,7 @@ asmlinkage void spurious_interrupt(void)
+ void __init init_IRQ(void)
+ {
+       int i;
++      unsigned int order = get_order(IRQ_STACK_SIZE);
+       for (i = 0; i < NR_IRQS; i++)
+               irq_set_noprobe(i);
+@@ -62,8 +63,7 @@ void __init init_IRQ(void)
+       arch_init_irq();
+       for_each_possible_cpu(i) {
+-              int irq_pages = IRQ_STACK_SIZE / PAGE_SIZE;
+-              void *s = (void *)__get_free_pages(GFP_KERNEL, irq_pages);
++              void *s = (void *)__get_free_pages(GFP_KERNEL, order);
+               irq_stack[i] = s;
+               pr_debug("CPU%d IRQ stack at 0x%p - 0x%p\n", i,
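Review bot: The result of `__get_free_pages(GFP_KERNEL, order)` in the for_each_possible_cpu() loop of init_IRQ() is stored into `irq_stack[i]` without a NULL check, so a failed allocation leaves that CPU with a null IRQ stack base that is only printed by pr_debug(). Whether a later consumer checks the pointer is not visible here; if none does, interrupt entry on that CPU would switch to an invalid stack. Since this runs once at boot, a hard stop is reasonable, e.g. `if (!s) panic("Failed to allocate IRQ stack for CPU%d\n", i);` directly after the allocation. The loop body continues outside the hunk.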
diff --git a/queue-5.0/revert-selftests-firmware-add-config_fw_loader_user_helper_fallback-to-config.patch b/queue-5.0/revert-selftests-firmware-add-config_fw_loader_user_helper_fallback-to-config.patch
new file mode 100644 (file)
index 0000000..82e6d5b
--- /dev/null
@@ -0,0 +1,41 @@
+From d2b284d356e9758d2bafd505d482e3c9433ef424 Mon Sep 17 00:00:00 2001
+From: Luis Chamberlain <mcgrof@kernel.org>
+Date: Thu, 7 Feb 2019 11:06:00 -0800
+Subject: Revert "selftests: firmware: add CONFIG_FW_LOADER_USER_HELPER_FALLBACK to config"
+
+From: Luis Chamberlain <mcgrof@kernel.org>
+
+commit d2b284d356e9758d2bafd505d482e3c9433ef424 upstream.
+
+This reverts commit 7492902e8d22b568463897fa967c0886764cf034.
+
+The commit tried to address an issue discovered by Dan where he got
+a message saying:
+
+'usermode helper disabled so ignoring test'.
+
+Dans's commit is forcing CONFIG_FW_LOADER_USER_HELPER_FALLBACK but just
+having CONFIG_FW_LOADER_USER_HELPER suffices to emulate the_FALLBACK
+functionality.
+
+Dan's commit is trying to fix an issue which is hidden from a previous
+commit. That issue will be addressed properly next.
+
+Fixes: 7492902e8d22 ("selftests: firmware: add CONFIG_FW_LOADER_USER_HELPER_FALLBACK to config")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/testing/selftests/firmware/config |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/tools/testing/selftests/firmware/config
++++ b/tools/testing/selftests/firmware/config
+@@ -1,6 +1,5 @@
+ CONFIG_TEST_FIRMWARE=y
+ CONFIG_FW_LOADER=y
+ CONFIG_FW_LOADER_USER_HELPER=y
+-CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y
+ CONFIG_IKCONFIG=y
+ CONFIG_IKCONFIG_PROC=y
diff --git a/queue-5.0/revert-selftests-firmware-remove-use-of-non-standard-diff-z-option.patch b/queue-5.0/revert-selftests-firmware-remove-use-of-non-standard-diff-z-option.patch
new file mode 100644 (file)
index 0000000..d001b94
--- /dev/null
@@ -0,0 +1,49 @@
+From 13ac7db09c914e4991a08b7ad578267d5cdd9856 Mon Sep 17 00:00:00 2001
+From: Luis Chamberlain <mcgrof@kernel.org>
+Date: Thu, 7 Feb 2019 11:06:01 -0800
+Subject: Revert "selftests: firmware: remove use of non-standard diff -Z option"
+
+From: Luis Chamberlain <mcgrof@kernel.org>
+
+commit 13ac7db09c914e4991a08b7ad578267d5cdd9856 upstream.
+
+This reverts commit f70b472e937bb659a7b7a14e64f07308e230888c.
+
+This breaks testing on Debian, and this patch was NACKed anyway.
+The proper way to address this is a quirk for busybox as that is
+where the issue is present.
+
+Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
+Fixes: f70b472e937b ("selftests: firmware: remove use of non-standard diff -Z option")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/testing/selftests/firmware/fw_filesystem.sh |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/tools/testing/selftests/firmware/fw_filesystem.sh
++++ b/tools/testing/selftests/firmware/fw_filesystem.sh
+@@ -155,8 +155,11 @@ read_firmwares()
+ {
+       for i in $(seq 0 3); do
+               config_set_read_fw_idx $i
+-              # Verify the contents match
+-              if ! diff -q "$FW" $DIR/read_firmware 2>/dev/null ; then
++              # Verify the contents are what we expect.
++              # -Z required for now -- check for yourself, md5sum
++              # on $FW and DIR/read_firmware will yield the same. Even
++              # cmp agrees, so something is off.
++              if ! diff -q -Z "$FW" $DIR/read_firmware 2>/dev/null ; then
+                       echo "request #$i: firmware was not loaded" >&2
+                       exit 1
+               fi
+@@ -168,7 +171,7 @@ read_firmwares_expect_nofile()
+       for i in $(seq 0 3); do
+               config_set_read_fw_idx $i
+               # Ensures contents differ
+-              if diff -q "$FW" $DIR/read_firmware 2>/dev/null ; then
++              if diff -q -Z "$FW" $DIR/read_firmware 2>/dev/null ; then
+                       echo "request $i: file was not expected to match" >&2
+                       exit 1
+               fi
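Review bot: Both `diff -q -Z` calls discard stderr and test only zero versus non-zero, so a diff that cannot run (for instance one that does not accept -Z, the busybox case the commit message points to) is indistinguishable from a real content mismatch. In read_firmwares_expect_nofile() that lets the negative test pass without any comparison having happened; in read_firmwares() the same condition is reported as "firmware was not loaded". I would drop `2>/dev/null` on both lines so the tool's own diagnostic reaches the log, or check once up front that `diff -Z` succeeds on two identical files. `$DIR/read_firmware` is also left unquoted next to `"$FW"`, and the new comment writes `DIR/read_firmware` without the `$`. Both loops end outside the hunks.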
diff --git a/queue-5.0/selftests-firmware-fix-verify_reqs-return-value.patch b/queue-5.0/selftests-firmware-fix-verify_reqs-return-value.patch
new file mode 100644 (file)
index 0000000..e84e356
--- /dev/null
@@ -0,0 +1,34 @@
+From 344c0152d878922365464b7140c74c2a5e073d99 Mon Sep 17 00:00:00 2001
+From: Luis Chamberlain <mcgrof@kernel.org>
+Date: Thu, 7 Feb 2019 11:06:02 -0800
+Subject: selftests: firmware: fix verify_reqs() return value
+
+From: Luis Chamberlain <mcgrof@kernel.org>
+
+commit 344c0152d878922365464b7140c74c2a5e073d99 upstream.
+
+commit a6a9be9270c87 ("selftests: firmware: return Kselftest Skip code
+for skipped tests") by Shuah modified failures to return the special
+error code of $ksft_skip (4). We have a corner case issue where we
+*do* want to verify_reqs().
+
+Cc: <stable@vger.kernel.org> # >= 4.18
+Fixes: a6a9be9270c87 ("selftests: firmware: return Kselftest Skip code for for skipped tests")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/testing/selftests/firmware/fw_lib.sh |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/firmware/fw_lib.sh
++++ b/tools/testing/selftests/firmware/fw_lib.sh
+@@ -91,7 +91,7 @@ verify_reqs()
+       if [ "$TEST_REQS_FW_SYSFS_FALLBACK" = "yes" ]; then
+               if [ ! "$HAS_FW_LOADER_USER_HELPER" = "yes" ]; then
+                       echo "usermode helper disabled so ignoring test"
+-                      exit $ksft_skip
++                      exit 0
+               fi
+       fi
+ }
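Review bot: `exit 0` inside verify_reqs() ends the calling script with a pass status right after printing "usermode helper disabled so ignoring test" (unless the function is invoked in a subshell, which is not visible here). A run where the fallback tests never executed is then reported the same way as a run where they passed. If success is intended, the reason belongs next to the exit, because the commit message only calls it a corner case; for example `# exit 0, not $ksft_skip: <why callers need success here>`. The function starts outside the hunk.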
index deb8d1cd7b0dee60e4b159bd7d0e373f010a67f0..b84103a6bb19b43035dbf2cce3a341436aeaf8ad 100644 (file)
@@ -28,3 +28,18 @@ team-free-bpf-filter-when-unregistering-netdev.patch
 tipc-fix-rdm-dgram-connect-regression.patch
 x86-cpu-amd-set-the-cpb-bit-unconditionally-on-f17h.patch
 x86-boot-compressed-64-do-not-read-legacy-rom-on-efi-system.patch
+tracing-fix-event-filters-and-triggers-to-handle-negative-numbers.patch
+xhci-tegra-prevent-error-pointer-dereference.patch
+usb-xhci-fix-for-enabling-usb-role-switch-quirk-on-intel_sunrisepoint_lp_xhci.patch
+applicom-fix-potential-spectre-v1-vulnerabilities.patch
+alpha-wire-up-io_pgetevents-system-call.patch
+mips-irq-allocate-accurate-order-pages-for-irq-stack.patch
+aio-fix-locking-in-aio_poll.patch
+xtensa-fix-get_wchan.patch
+gnss-sirf-fix-premature-wakeup-interrupt-enable.patch
+usb-serial-cp210x-fix-gpio-in-autosuspend.patch
+revert-selftests-firmware-add-config_fw_loader_user_helper_fallback-to-config.patch
+revert-selftests-firmware-remove-use-of-non-standard-diff-z-option.patch
+selftests-firmware-fix-verify_reqs-return-value.patch
+bluetooth-btrtl-restore-old-logic-to-assume-firmware-is-already-loaded.patch
+bluetooth-fix-locking-in-bt_accept_enqueue-for-bh-context.patch
diff --git a/queue-5.0/tracing-fix-event-filters-and-triggers-to-handle-negative-numbers.patch b/queue-5.0/tracing-fix-event-filters-and-triggers-to-handle-negative-numbers.patch
new file mode 100644 (file)
index 0000000..1e0a575
--- /dev/null
@@ -0,0 +1,58 @@
+From 6a072128d262d2b98d31626906a96700d1fc11eb Mon Sep 17 00:00:00 2001
+From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Date: Thu, 23 Aug 2018 13:25:34 +0300
+Subject: tracing: Fix event filters and triggers to handle negative numbers
+
+From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+
+commit 6a072128d262d2b98d31626906a96700d1fc11eb upstream.
+
+Then tracing syscall exit event it is extremely useful to filter exit
+codes equal to some negative value, to react only to required errors.
+But negative numbers does not work:
+
+[root@snorch sys_exit_read]# echo "ret == -1" > filter
+bash: echo: write error: Invalid argument
+[root@snorch sys_exit_read]# cat filter
+ret == -1
+        ^
+parse_error: Invalid value (did you forget quotes)?
+
+Similar thing happens when setting triggers.
+
+These is a regression in v4.17 introduced by the commit mentioned below,
+testing without these commit shows no problem with negative numbers.
+
+Link: http://lkml.kernel.org/r/20180823102534.7642-1-ptikhomirov@virtuozzo.com
+
+Cc: stable@vger.kernel.org
+Fixes: 80765597bc58 ("tracing: Rewrite filter logic to be simpler and faster")
+Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_filter.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -1301,7 +1301,7 @@ static int parse_pred(const char *str, v
+               /* go past the last quote */
+               i++;
+-      } else if (isdigit(str[i])) {
++      } else if (isdigit(str[i]) || str[i] == '-') {
+               /* Make sure the field is not a string */
+               if (is_string_field(field)) {
+@@ -1314,6 +1314,9 @@ static int parse_pred(const char *str, v
+                       goto err_free;
+               }
++              if (str[i] == '-')
++                      i++;
++
+               /* We allow 0xDEADBEEF */
+               while (isalnum(str[i]))
+                       i++;
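Review bot: The new `str[i] == '-'` alternative in parse_pred() admits a minus sign without checking that a digit follows, so input such as a lone `-` or `-x` enters the numeric branch and the `isalnum()` loop then scans nothing or non-numeric text. Whether that is rejected depends on the conversion after the loop, which is outside the hunk. Requiring the digit at the branch keeps the check local: `} else if (isdigit(str[i]) || (str[i] == '-' && isdigit(str[i + 1]))) {`. Reading `str[i + 1]` is safe there because `str[i]` is `'-'`, not the terminator. The string is user-supplied through the `filter` file shown in the commit message, so the stricter test is worth having.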
diff --git a/queue-5.0/usb-serial-cp210x-fix-gpio-in-autosuspend.patch b/queue-5.0/usb-serial-cp210x-fix-gpio-in-autosuspend.patch
new file mode 100644 (file)
index 0000000..f294772
--- /dev/null
@@ -0,0 +1,60 @@
+From 7b0b644b9aa2de5032db0f468fddca091d0b7b90 Mon Sep 17 00:00:00 2001
+From: Karoly Pados <pados@pados.hu>
+Date: Sun, 17 Feb 2019 18:59:01 +0100
+Subject: USB: serial: cp210x: fix GPIO in autosuspend
+
+From: Karoly Pados <pados@pados.hu>
+
+commit 7b0b644b9aa2de5032db0f468fddca091d0b7b90 upstream.
+
+Current GPIO code in cp210x fails to take USB autosuspend into account,
+making it practically impossible to use GPIOs with autosuspend enabled
+without user configuration. Fix this like for ftdi_sio in a previous patch.
+Tested on a CP2102N.
+
+Signed-off-by: Karoly Pados <pados@pados.hu>
+Fixes: cf5276ce7867 ("USB: serial: cp210x: Adding GPIO support for CP2105")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -1354,8 +1354,13 @@ static int cp210x_gpio_get(struct gpio_c
+       if (priv->partnum == CP210X_PARTNUM_CP2105)
+               req_type = REQTYPE_INTERFACE_TO_HOST;
++      result = usb_autopm_get_interface(serial->interface);
++      if (result)
++              return result;
++
+       result = cp210x_read_vendor_block(serial, req_type,
+                                         CP210X_READ_LATCH, &buf, sizeof(buf));
++      usb_autopm_put_interface(serial->interface);
+       if (result < 0)
+               return result;
+@@ -1376,6 +1381,10 @@ static void cp210x_gpio_set(struct gpio_
+       buf.mask = BIT(gpio);
++      result = usb_autopm_get_interface(serial->interface);
++      if (result)
++              goto out;
++
+       if (priv->partnum == CP210X_PARTNUM_CP2105) {
+               result = cp210x_write_vendor_block(serial,
+                                                  REQTYPE_HOST_TO_INTERFACE,
+@@ -1393,6 +1402,8 @@ static void cp210x_gpio_set(struct gpio_
+                                        NULL, 0, USB_CTRL_SET_TIMEOUT);
+       }
++      usb_autopm_put_interface(serial->interface);
++out:
+       if (result < 0) {
+               dev_err(&serial->interface->dev, "failed to set GPIO value: %d\n",
+                               result);
diff --git a/queue-5.0/usb-xhci-fix-for-enabling-usb-role-switch-quirk-on-intel_sunrisepoint_lp_xhci.patch b/queue-5.0/usb-xhci-fix-for-enabling-usb-role-switch-quirk-on-intel_sunrisepoint_lp_xhci.patch
new file mode 100644 (file)
index 0000000..84cf9a5
--- /dev/null
@@ -0,0 +1,33 @@
+From 8fde481ef3674ae5ad0dbfef4df18ff507c5675a Mon Sep 17 00:00:00 2001
+From: Balaji Manoharan <m.balaji@intel.com>
+Date: Wed, 20 Feb 2019 19:50:53 +0200
+Subject: usb: xhci: Fix for Enabling USB ROLE SWITCH QUIRK on INTEL_SUNRISEPOINT_LP_XHCI
+
+From: Balaji Manoharan <m.balaji@intel.com>
+
+commit 8fde481ef3674ae5ad0dbfef4df18ff507c5675a upstream.
+
+This fix enables USB role feature on intel commercial nuc
+platform which is based on Kabylake chipset.
+
+Signed-off-by: Balaji Manoharan <m.balaji@intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-pci.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -194,6 +194,7 @@ static void xhci_pci_quirks(struct devic
+               xhci->quirks |= XHCI_SSIC_PORT_UNUSED;
+       if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
+           (pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI ||
++           pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI ||
+            pdev->device == PCI_DEVICE_ID_INTEL_APL_XHCI))
+               xhci->quirks |= XHCI_INTEL_USB_ROLE_SW;
+       if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
diff --git a/queue-5.0/xhci-tegra-prevent-error-pointer-dereference.patch b/queue-5.0/xhci-tegra-prevent-error-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..4ec9513
--- /dev/null
@@ -0,0 +1,38 @@
+From 0326ccb5feac6eac35ba6254260e2774277cd976 Mon Sep 17 00:00:00 2001
+From: Thierry Reding <treding@nvidia.com>
+Date: Wed, 20 Feb 2019 14:48:41 +0100
+Subject: xhci: tegra: Prevent error pointer dereference
+
+From: Thierry Reding <treding@nvidia.com>
+
+commit 0326ccb5feac6eac35ba6254260e2774277cd976 upstream.
+
+During initialization, the host and super-speed power domains will
+contain an ERR_PTR() encoded error code rather than being NULL. To
+avoid a crash, use a !IS_ERR_OR_NULL() condition during cleanup.
+
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Fixes: 6494a9ad86de ("usb: xhci: tegra: Add genpd support")
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-tegra.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/xhci-tegra.c
++++ b/drivers/usb/host/xhci-tegra.c
+@@ -941,9 +941,9 @@ static void tegra_xusb_powerdomain_remov
+               device_link_del(tegra->genpd_dl_ss);
+       if (tegra->genpd_dl_host)
+               device_link_del(tegra->genpd_dl_host);
+-      if (tegra->genpd_dev_ss)
++      if (!IS_ERR_OR_NULL(tegra->genpd_dev_ss))
+               dev_pm_domain_detach(tegra->genpd_dev_ss, true);
+-      if (tegra->genpd_dev_host)
++      if (!IS_ERR_OR_NULL(tegra->genpd_dev_host))
+               dev_pm_domain_detach(tegra->genpd_dev_host, true);
+ }
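Review bot: The two `!IS_ERR_OR_NULL()` tests in tegra_xusb_powerdomain_remove() sit directly under `if (tegra->genpd_dl_ss)` and `if (tegra->genpd_dl_host)`, which keep plain NULL tests, and nothing in the code explains why the two pointer pairs are treated differently. Per the commit message, genpd_dev_* can hold an ERR_PTR() value when initialization fails. A one-line comment would stop the asymmetry from being "tidied" later, e.g. `/* genpd_dev_* may hold ERR_PTR() after a failed attach; genpd_dl_* are NULL or valid */`. That the genpd_dl_* pointers are never error-encoded is inferred, not shown in this hunk, and should be confirmed at the attach site. The function starts outside the hunk.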
diff --git a/queue-5.0/xtensa-fix-get_wchan.patch b/queue-5.0/xtensa-fix-get_wchan.patch
new file mode 100644 (file)
index 0000000..6b06f00
--- /dev/null
@@ -0,0 +1,35 @@
+From d90b88fd3653f1fb66ecc6571b860d5a5749fa56 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Wed, 2 Jan 2019 01:08:32 -0800
+Subject: xtensa: fix get_wchan
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit d90b88fd3653f1fb66ecc6571b860d5a5749fa56 upstream.
+
+Stack unwinding is implemented incorrectly in xtensa get_wchan: instead
+of extracting a0 and a1 registers from the spill location under the
+stack pointer it extracts a word pointed to by the stack pointer and
+subtracts 4 or 3 from it.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/xtensa/kernel/process.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/xtensa/kernel/process.c
++++ b/arch/xtensa/kernel/process.c
+@@ -321,8 +321,8 @@ unsigned long get_wchan(struct task_stru
+               /* Stack layout: sp-4: ra, sp-3: sp' */
+-              pc = MAKE_PC_FROM_RA(*(unsigned long*)sp - 4, sp);
+-              sp = *(unsigned long *)sp - 3;
++              pc = MAKE_PC_FROM_RA(SPILL_SLOT(sp, 0), sp);
++              sp = SPILL_SLOT(sp, 1);
+       } while (count++ < 16);
+       return 0;
+ }