--- /dev/null
+From 1be3c1fae6c1e1f5bb982b255d2034034454527a Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Thu, 8 Aug 2019 00:50:58 -0500
+Subject: ALSA: firewire: fix a memory leak bug
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+commit 1be3c1fae6c1e1f5bb982b255d2034034454527a upstream.
+
+In iso_packets_buffer_init(), 'b->packets' is allocated through
+kmalloc_array(). Then, the aligned packet size is checked. If it is
+larger than PAGE_SIZE, -EINVAL will be returned to indicate the error.
+However, the allocated 'b->packets' is not deallocated on this path,
+leading to a memory leak.
+
+To fix the above issue, free 'b->packets' before returning the error code.
+
+Fixes: 31ef9134eb52 ("ALSA: add LaCie FireWire Speakers/Griffin FireWave Surround driver")
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Cc: <stable@vger.kernel.org> # v2.6.39+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/packets-buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/packets-buffer.c
++++ b/sound/firewire/packets-buffer.c
+@@ -37,7 +37,7 @@ int iso_packets_buffer_init(struct iso_p
+ packets_per_page = PAGE_SIZE / packet_size;
+ if (WARN_ON(!packets_per_page)) {
+ err = -EINVAL;
+- goto error;
++ goto err_packets;
+ }
+ pages = DIV_ROUND_UP(count, packets_per_page);
+
--- /dev/null
+From c1c6c877b0c79fd7e05c931435aa42211eaeebaf Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 6 Aug 2019 14:03:56 +0200
+Subject: ALSA: hda - Don't override global PCM hw info flag
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c1c6c877b0c79fd7e05c931435aa42211eaeebaf upstream.
+
+The commit bfcba288b97f ("ALSA - hda: Add support for link audio time
+reporting") introduced the conditional PCM hw info setup, but it
+overwrites the global azx_pcm_hw object. This will cause a problem if
+any other HD-audio controller, as it'll inherit the same bit flag
+although another controller doesn't support that feature.
+
+Fix the bug by setting the PCM hw info flag locally.
+
+Fixes: bfcba288b97f ("ALSA - hda: Add support for link audio time reporting")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_controller.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/sound/pci/hda/hda_controller.c
++++ b/sound/pci/hda/hda_controller.c
+@@ -609,11 +609,9 @@ static int azx_pcm_open(struct snd_pcm_s
+ }
+ runtime->private_data = azx_dev;
+
+- if (chip->gts_present)
+- azx_pcm_hw.info = azx_pcm_hw.info |
+- SNDRV_PCM_INFO_HAS_LINK_SYNCHRONIZED_ATIME;
+-
+ runtime->hw = azx_pcm_hw;
++ if (chip->gts_present)
++ runtime->hw.info |= SNDRV_PCM_INFO_HAS_LINK_SYNCHRONIZED_ATIME;
+ runtime->hw.channels_min = hinfo->channels_min;
+ runtime->hw.channels_max = hinfo->channels_max;
+ runtime->hw.formats = hinfo->formats;
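Review bot: With the write to `azx_pcm_hw.info` removed, nothing in this hunk modifies the shared template any more, so it could be declared `const` to make the compiler reject a future write of the kind this fix removes. The declaration of `azx_pcm_hw` is outside the hunk, so whether other code still writes to it needs checking first. A one-line comment above the copy, e.g. `/* per-stream copy; never modify the shared azx_pcm_hw template */`, would also record the rule. azx_pcm_open's body starts and ends outside the hunk.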
--- /dev/null
+From c02f77d32d2c45cfb1b2bb99eabd8a78f5ecc7db Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 6 Aug 2019 17:31:48 +0200
+Subject: ALSA: hda - Workaround for crackled sound on AMD controller (1022:1457)
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c02f77d32d2c45cfb1b2bb99eabd8a78f5ecc7db upstream.
+
+A long-time problem on the recent AMD chip (X370, X470, B450, etc with
+PCI ID 1022:1457) with Realtek codecs is the crackled or distorted
+sound for capture streams, as well as occasional playback hiccups.
+After lengthy debugging sessions, the workarounds we've found are like
+the following:
+
+- Set up the proper driver caps for this controller, similar as the
+ other AMD controller.
+
+- Correct the DMA position reporting with the fixed FIFO size, which
+ is similar like as workaround used for VIA chip set.
+
+- Even after the position correction, PulseAudio still shows
+ mysterious stalls of playback streams when a capture is triggered in
+ timer-scheduled mode. Since we have no clear way to eliminate the
+ stall, pass the BATCH PCM flag for PA to suppress the tsched mode as
+ a temporary workaround.
+
+This patch implements the workarounds. For the driver caps, it
+defines a new preset, AXZ_DCAPS_PRESET_AMD_SB. It enables the FIFO-
+corrected position reporting (corresponding to the new position_fix=6)
+and enforces the SNDRV_PCM_INFO_BATCH flag.
+
+Note that the current implementation is merely a workaround.
+Hopefully we'll find a better alternative in future, especially about
+removing the BATCH flag hack again.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=195303
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_controller.c | 7 ++++
+ sound/pci/hda/hda_controller.h | 2 -
+ sound/pci/hda/hda_intel.c | 63 ++++++++++++++++++++++++++++++++++++++++-
+ 3 files changed, 70 insertions(+), 2 deletions(-)
+
+--- a/sound/pci/hda/hda_controller.c
++++ b/sound/pci/hda/hda_controller.c
+@@ -624,6 +624,13 @@ static int azx_pcm_open(struct snd_pcm_s
+ 20,
+ 178000000);
+
++ /* by some reason, the playback stream stalls on PulseAudio with
++ * tsched=1 when a capture stream triggers. Until we figure out the
++ * real cause, disable tsched mode by telling the PCM info flag.
++ */
++ if (chip->driver_caps & AZX_DCAPS_AMD_WORKAROUND)
++ runtime->hw.info |= SNDRV_PCM_INFO_BATCH;
++
+ if (chip->align_buffer_size)
+ /* constrain buffer sizes to be multiple of 128
+ bytes. This is more efficient in terms of memory
+--- a/sound/pci/hda/hda_controller.h
++++ b/sound/pci/hda/hda_controller.h
+@@ -40,7 +40,7 @@
+ /* 14 unused */
+ #define AZX_DCAPS_CTX_WORKAROUND (1 << 15) /* X-Fi workaround */
+ #define AZX_DCAPS_POSFIX_LPIB (1 << 16) /* Use LPIB as default */
+-/* 17 unused */
++#define AZX_DCAPS_AMD_WORKAROUND (1 << 17) /* AMD-specific workaround */
+ #define AZX_DCAPS_NO_64BIT (1 << 18) /* No 64bit address */
+ #define AZX_DCAPS_SYNC_WRITE (1 << 19) /* sync each cmd write */
+ #define AZX_DCAPS_OLD_SSYNC (1 << 20) /* Old SSYNC reg for ICH */
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -78,6 +78,7 @@ enum {
+ POS_FIX_VIACOMBO,
+ POS_FIX_COMBO,
+ POS_FIX_SKL,
++ POS_FIX_FIFO,
+ };
+
+ /* Defines for ATI HD Audio support in SB450 south bridge */
+@@ -149,7 +150,7 @@ module_param_array(model, charp, NULL, 0
+ MODULE_PARM_DESC(model, "Use the given board model.");
+ module_param_array(position_fix, int, NULL, 0444);
+ MODULE_PARM_DESC(position_fix, "DMA pointer read method."
+- "(-1 = system default, 0 = auto, 1 = LPIB, 2 = POSBUF, 3 = VIACOMBO, 4 = COMBO, 5 = SKL+).");
++ "(-1 = system default, 0 = auto, 1 = LPIB, 2 = POSBUF, 3 = VIACOMBO, 4 = COMBO, 5 = SKL+, 6 = FIFO).");
+ module_param_array(bdl_pos_adj, int, NULL, 0644);
+ MODULE_PARM_DESC(bdl_pos_adj, "BDL position adjustment offset.");
+ module_param_array(probe_mask, int, NULL, 0444);
+@@ -350,6 +351,11 @@ enum {
+ #define AZX_DCAPS_PRESET_ATI_HDMI_NS \
+ (AZX_DCAPS_PRESET_ATI_HDMI | AZX_DCAPS_SNOOP_OFF)
+
++/* quirks for AMD SB */
++#define AZX_DCAPS_PRESET_AMD_SB \
++ (AZX_DCAPS_NO_TCSEL | AZX_DCAPS_SYNC_WRITE | AZX_DCAPS_AMD_WORKAROUND |\
++ AZX_DCAPS_SNOOP_TYPE(ATI) | AZX_DCAPS_PM_RUNTIME)
++
+ /* quirks for Nvidia */
+ #define AZX_DCAPS_PRESET_NVIDIA \
+ (AZX_DCAPS_NO_MSI | AZX_DCAPS_CORBRP_SELF_CLEAR |\
+@@ -917,6 +923,49 @@ static unsigned int azx_via_get_position
+ return bound_pos + mod_dma_pos;
+ }
+
++#define AMD_FIFO_SIZE 32
++
++/* get the current DMA position with FIFO size correction */
++static unsigned int azx_get_pos_fifo(struct azx *chip, struct azx_dev *azx_dev)
++{
++ struct snd_pcm_substream *substream = azx_dev->core.substream;
++ struct snd_pcm_runtime *runtime = substream->runtime;
++ unsigned int pos, delay;
++
++ pos = snd_hdac_stream_get_pos_lpib(azx_stream(azx_dev));
++ if (!runtime)
++ return pos;
++
++ runtime->delay = AMD_FIFO_SIZE;
++ delay = frames_to_bytes(runtime, AMD_FIFO_SIZE);
++ if (azx_dev->insufficient) {
++ if (pos < delay) {
++ delay = pos;
++ runtime->delay = bytes_to_frames(runtime, pos);
++ } else {
++ azx_dev->insufficient = 0;
++ }
++ }
++
++ /* correct the DMA position for capture stream */
++ if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) {
++ if (pos < delay)
++ pos += azx_dev->core.bufsize;
++ pos -= delay;
++ }
++
++ return pos;
++}
++
++static int azx_get_delay_from_fifo(struct azx *chip, struct azx_dev *azx_dev,
++ unsigned int pos)
++{
++ struct snd_pcm_substream *substream = azx_dev->core.substream;
++
++ /* just read back the calculated value in the above */
++ return substream->runtime->delay;
++}
++
+ static unsigned int azx_skl_get_dpib_pos(struct azx *chip,
+ struct azx_dev *azx_dev)
+ {
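Review bot: `azx_get_delay_from_fifo()` dereferences `substream->runtime->delay` with no NULL check, while `azx_get_pos_fifo()` just above treats `runtime` as possibly NULL and returns early. If the runtime can really be absent when these callbacks run, the delay callback needs the same guard, e.g. `if (!substream->runtime) return 0;`; if it cannot, the check in the position function is dead code and the two should be made to agree. The delay callback also depends on the position callback having run first to fill in `runtime->delay`, which the comment "calculated value in the above" only hints at and should state outright.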
+@@ -1484,6 +1533,7 @@ static int check_position_fix(struct azx
+ case POS_FIX_VIACOMBO:
+ case POS_FIX_COMBO:
+ case POS_FIX_SKL:
++ case POS_FIX_FIFO:
+ return fix;
+ }
+
+@@ -1500,6 +1550,10 @@ static int check_position_fix(struct azx
+ dev_dbg(chip->card->dev, "Using VIACOMBO position fix\n");
+ return POS_FIX_VIACOMBO;
+ }
++ if (chip->driver_caps & AZX_DCAPS_AMD_WORKAROUND) {
++ dev_dbg(chip->card->dev, "Using FIFO position fix\n");
++ return POS_FIX_FIFO;
++ }
+ if (chip->driver_caps & AZX_DCAPS_POSFIX_LPIB) {
+ dev_dbg(chip->card->dev, "Using LPIB position fix\n");
+ return POS_FIX_LPIB;
+@@ -1520,6 +1574,7 @@ static void assign_position_fix(struct a
+ [POS_FIX_VIACOMBO] = azx_via_get_position,
+ [POS_FIX_COMBO] = azx_get_pos_lpib,
+ [POS_FIX_SKL] = azx_get_pos_skl,
++ [POS_FIX_FIFO] = azx_get_pos_fifo,
+ };
+
+ chip->get_position[0] = chip->get_position[1] = callbacks[fix];
+@@ -1534,6 +1589,9 @@ static void assign_position_fix(struct a
+ azx_get_delay_from_lpib;
+ }
+
++ if (fix == POS_FIX_FIFO)
++ chip->get_delay[0] = chip->get_delay[1] =
++ azx_get_delay_from_fifo;
+ }
+
+ /*
+@@ -2516,6 +2574,9 @@ static const struct pci_device_id azx_id
+ /* AMD Hudson */
+ { PCI_DEVICE(0x1022, 0x780d),
+ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB },
++ /* AMD, X370 & co */
++ { PCI_DEVICE(0x1022, 0x1457),
++ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_AMD_SB },
+ /* AMD Stoney */
+ { PCI_DEVICE(0x1022, 0x157a),
+ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB |
--- /dev/null
+From 30a8beeb3042f49d0537b7050fd21b490166a3d9 Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+Date: Wed, 31 Jul 2019 10:54:47 -0400
+Subject: can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices
+
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+
+commit 30a8beeb3042f49d0537b7050fd21b490166a3d9 upstream.
+
+Uninitialized Kernel memory can leak to USB devices.
+
+Fix by using kzalloc() instead of kmalloc() on the affected buffers.
+
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Reported-by: syzbot+513e4d0985298538bf9b@syzkaller.appspotmail.com
+Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters")
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+@@ -852,7 +852,7 @@ static int pcan_usb_fd_init(struct peak_
+ goto err_out;
+
+ /* allocate command buffer once for all for the interface */
+- pdev->cmd_buffer_addr = kmalloc(PCAN_UFD_CMD_BUFFER_SIZE,
++ pdev->cmd_buffer_addr = kzalloc(PCAN_UFD_CMD_BUFFER_SIZE,
+ GFP_KERNEL);
+ if (!pdev->cmd_buffer_addr)
+ goto err_out_1;
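Review bot: Zeroing at allocation only covers the first use of this buffer: the comment in the hunk says it is allocated once for the whole interface, so later commands reuse it and may find bytes left by earlier use. Whether such bytes can reach the device depends on the code that fills and submits the buffer, which is outside the hunk. Each sender should either transmit only the length it wrote or clear the unused tail before submitting. pcan_usb_fd_init's body starts and ends outside the hunk.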
--- /dev/null
+From ead16e53c2f0ed946d82d4037c630e2f60f4ab69 Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+Date: Wed, 31 Jul 2019 10:54:47 -0400
+Subject: can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices
+
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+
+commit ead16e53c2f0ed946d82d4037c630e2f60f4ab69 upstream.
+
+Uninitialized Kernel memory can leak to USB devices.
+
+Fix by using kzalloc() instead of kmalloc() on the affected buffers.
+
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Reported-by: syzbot+d6a5a1a3657b596ef132@syzkaller.appspotmail.com
+Fixes: f14e22435a27 ("net: can: peak_usb: Do not do dma on the stack")
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_pro.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
+@@ -500,7 +500,7 @@ static int pcan_usb_pro_drv_loaded(struc
+ u8 *buffer;
+ int err;
+
+- buffer = kmalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL);
++ buffer = kzalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
+
--- /dev/null
+From 73a0ff0b30af79bf0303d557eb82f1d1945bb6ee Mon Sep 17 00:00:00 2001
+From: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
+Date: Fri, 12 Jul 2019 11:19:38 +0300
+Subject: drm/i915: Fix wrong escape clock divisor init for GLK
+
+From: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
+
+commit 73a0ff0b30af79bf0303d557eb82f1d1945bb6ee upstream.
+
+According to Bspec clock divisor registers in GeminiLake
+should be initialized by shifting 1(<<) to amount of correspondent
+divisor. While i915 was writing all this time that value as is.
+
+Surprisingly that it by accident worked, until we met some issues
+with Microtech Etab.
+
+v2: Added Fixes tag and cc
+v3: Added stable to cc as well.
+
+Signed-off-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
+Reviewed-by: Vandita Kulkarni <vandita.kulkarni@intel.com>
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108826
+Fixes: bcc657004841 ("drm/i915/glk: Program txesc clock divider for GLK")
+Cc: Deepak M <m.deepak@intel.com>
+Cc: Madhav Chauhan <madhav.chauhan@intel.com>
+Cc: Jani Nikula <jani.nikula@intel.com>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Cc: intel-gfx@lists.freedesktop.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190712081938.14185-1-stanislav.lisovskiy@intel.com
+(cherry picked from commit ce52ad5dd52cfaf3398058384e0ff94134bbd89c)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_dsi_pll.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_dsi_pll.c
++++ b/drivers/gpu/drm/i915/intel_dsi_pll.c
+@@ -422,8 +422,8 @@ static void glk_dsi_program_esc_clock(st
+ else
+ txesc2_div = 10;
+
+- I915_WRITE(MIPIO_TXESC_CLK_DIV1, txesc1_div & GLK_TX_ESC_CLK_DIV1_MASK);
+- I915_WRITE(MIPIO_TXESC_CLK_DIV2, txesc2_div & GLK_TX_ESC_CLK_DIV2_MASK);
++ I915_WRITE(MIPIO_TXESC_CLK_DIV1, (1 << (txesc1_div - 1)) & GLK_TX_ESC_CLK_DIV1_MASK);
++ I915_WRITE(MIPIO_TXESC_CLK_DIV2, (1 << (txesc2_div - 1)) & GLK_TX_ESC_CLK_DIV2_MASK);
+ }
+
+ /* Program BXT Mipi clocks and dividers */
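Review bot: The new shift counts `txesc1_div - 1` and `txesc2_div - 1` are undefined behaviour if either divisor is 0, and apart from the `txesc2_div = 10` fallback the lines that compute the divisors are outside the hunk. If a zero divisor is reachable from the clock calculation, it should be rejected before the writes, for example with `if (WARN_ON(!txesc1_div || !txesc2_div)) return;`. A short comment such as `/* register takes 1 << (divisor - 1), not the divisor itself */` would also keep the encoding rule from the commit message next to the code.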
--- /dev/null
+From 38ada2f406a9b81fb1249c5c9227fa657e7d5671 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Fri, 26 Jul 2019 08:00:49 -0700
+Subject: hwmon: (nct7802) Fix wrong detection of in4 presence
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 38ada2f406a9b81fb1249c5c9227fa657e7d5671 upstream.
+
+The code to detect if in4 is present is wrong; if in4 is not present,
+the in4_input sysfs attribute is still present.
+
+In detail:
+
+- Ihen RTD3_MD=11 (VSEN3 present), everything is as expected (no bug).
+- If we have RTD3_MD!=11 (no VSEN3), we unexpectedly have a in4_input
+ file under /sys and the "sensors" command displays in4_input.
+ But as expected, we have no in4_min, in4_max, in4_alarm, in4_beep.
+
+Fix is_visible function to detect and report in4_input visibility
+as expected.
+
+Reported-by: Gilles Buloz <Gilles.Buloz@kontron.com>
+Cc: Gilles Buloz <Gilles.Buloz@kontron.com>
+Cc: stable@vger.kernel.org
+Fixes: 3434f37835804 ("hwmon: Driver for Nuvoton NCT7802Y")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/nct7802.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwmon/nct7802.c
++++ b/drivers/hwmon/nct7802.c
+@@ -768,7 +768,7 @@ static struct attribute *nct7802_in_attr
+ &sensor_dev_attr_in3_alarm.dev_attr.attr,
+ &sensor_dev_attr_in3_beep.dev_attr.attr,
+
+- &sensor_dev_attr_in4_input.dev_attr.attr, /* 17 */
++ &sensor_dev_attr_in4_input.dev_attr.attr, /* 16 */
+ &sensor_dev_attr_in4_min.dev_attr.attr,
+ &sensor_dev_attr_in4_max.dev_attr.attr,
+ &sensor_dev_attr_in4_alarm.dev_attr.attr,
+@@ -794,9 +794,9 @@ static umode_t nct7802_in_is_visible(str
+
+ if (index >= 6 && index < 11 && (reg & 0x03) != 0x03) /* VSEN1 */
+ return 0;
+- if (index >= 11 && index < 17 && (reg & 0x0c) != 0x0c) /* VSEN2 */
++ if (index >= 11 && index < 16 && (reg & 0x0c) != 0x0c) /* VSEN2 */
+ return 0;
+- if (index >= 17 && (reg & 0x30) != 0x30) /* VSEN3 */
++ if (index >= 16 && (reg & 0x30) != 0x30) /* VSEN3 */
+ return 0;
+
+ return attr->mode;
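Review bot: The thresholds `6`, `11` and `16` in `nct7802_in_is_visible()` are bare positions in the attribute array, kept in step only by hand-counted comments like the `/* 16 */` corrected in the previous hunk; the off-by-one fixed here came from exactly that coupling. A comment above the checks such as `/* indexes below must match the order of the in attribute array */` would make the dependency visible. Named constants for the first index of each VSEN group would remove the need to count by hand. The function body starts outside the hunk.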
--- /dev/null
+From 87e7e25aee6b59fef740856f4e86d4b60496c9e1 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Sun, 21 Jul 2019 14:02:27 +0300
+Subject: iwlwifi: don't unmap as page memory that was mapped as single
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 87e7e25aee6b59fef740856f4e86d4b60496c9e1 upstream.
+
+In order to remember how to unmap a memory (as single or
+as page), we maintain a bit per Transmit Buffer (TBs) in
+the meta data (structure iwl_cmd_meta).
+We maintain a bitmap: 1 bit per TB.
+If the TB is set, we will free the memory as a page.
+This bitmap was never cleared. Fix this.
+
+Cc: stable@vger.kernel.org
+Fixes: 3cd1980b0cdf ("iwlwifi: pcie: introduce new tfd and tb formats")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
+@@ -401,6 +401,8 @@ static void iwl_pcie_tfd_unmap(struct iw
+ DMA_TO_DEVICE);
+ }
+
++ meta->tbs = 0;
++
+ if (trans->cfg->use_tfh) {
+ struct iwl_tfh_tfd *tfd_fh = (void *)tfd;
+
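Review bot: `meta->tbs = 0;` has no comment, and the reason for it exists only in the commit message. Something like `/* all TBs are unmapped now; clear the bitmap so a reused entry is not unmapped as a page */` above the assignment would keep that reasoning with the code. iwl_pcie_tfd_unmap's body starts and ends outside the hunk.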
--- /dev/null
+From 39bd984c203e86f3109b49c2a2e20677c4d3ab65 Mon Sep 17 00:00:00 2001
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Mon, 24 Jun 2019 22:29:33 +0300
+Subject: iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT on version < 41
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+commit 39bd984c203e86f3109b49c2a2e20677c4d3ab65 upstream.
+
+Firmware versions before 41 don't support the GEO_TX_POWER_LIMIT
+command, and sending it to the firmware will cause a firmware crash.
+We allow this via debugfs, so we need to return an error value in case
+it's not supported.
+
+This had already been fixed during init, when we send the command if
+the ACPI WGDS table is present. Fix it also for the other,
+userspace-triggered case.
+
+Cc: stable@vger.kernel.org
+Fixes: 7fe90e0e3d60 ("iwlwifi: mvm: refactor geo init")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -912,6 +912,17 @@ int iwl_mvm_sar_select_profile(struct iw
+ return iwl_mvm_send_cmd_pdu(mvm, REDUCE_TX_POWER_CMD, 0, len, &cmd);
+ }
+
++static bool iwl_mvm_sar_geo_support(struct iwl_mvm *mvm)
++{
++ /*
++ * The GEO_TX_POWER_LIMIT command is not supported on earlier
++ * firmware versions. Unfortunately, we don't have a TLV API
++ * flag to rely on, so rely on the major version which is in
++ * the first byte of ucode_ver.
++ */
++ return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 41;
++}
++
+ int iwl_mvm_get_sar_geo_profile(struct iwl_mvm *mvm)
+ {
+ struct iwl_geo_tx_power_profiles_resp *resp;
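Review bot: The comment in `iwl_mvm_sar_geo_support()` says the check relies on "the major version which is in the first byte of ucode_ver", but the code extracts the value with `IWL_UCODE_SERIAL()`. The macro is defined outside this patch, so it is worth confirming that it returns the field the comment describes and rewording the comment to name that field. The threshold `41` is also a bare literal; a named constant would make later changes to the supported-version list easier to review.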
+@@ -927,6 +938,9 @@ int iwl_mvm_get_sar_geo_profile(struct i
+ .data = { &geo_cmd },
+ };
+
++ if (!iwl_mvm_sar_geo_support(mvm))
++ return -EOPNOTSUPP;
++
+ ret = iwl_mvm_send_cmd(mvm, &cmd);
+ if (ret) {
+ IWL_ERR(mvm, "Failed to get geographic profile info %d\n", ret);
+@@ -952,13 +966,7 @@ static int iwl_mvm_sar_geo_init(struct i
+ int ret, i, j;
+ u16 cmd_wide_id = WIDE_ID(PHY_OPS_GROUP, GEO_TX_POWER_LIMIT);
+
+- /*
+- * This command is not supported on earlier firmware versions.
+- * Unfortunately, we don't have a TLV API flag to rely on, so
+- * rely on the major version which is in the first byte of
+- * ucode_ver.
+- */
+- if (IWL_UCODE_SERIAL(mvm->fw->ucode_ver) < 41)
++ if (!iwl_mvm_sar_geo_support(mvm))
+ return 0;
+
+ ret = iwl_mvm_sar_get_wgds_table(mvm);
--- /dev/null
+From ba3224db78034435e9ff0247277cce7c7bb1756c Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 22 Jul 2019 12:47:27 +0300
+Subject: iwlwifi: mvm: fix an out-of-bound access
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit ba3224db78034435e9ff0247277cce7c7bb1756c upstream.
+
+The index for the elements of the ACPI object we dereference
+was static. This means that if we called the function twice
+we wouldn't start from 3 again, but rather from the latest
+index we reached in the previous call.
+This was dutifully reported by KASAN.
+
+Fix this.
+
+Cc: stable@vger.kernel.org
+Fixes: 6996490501ed ("iwlwifi: mvm: add support for EWRD (Dynamic SAR) ACPI table")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -778,7 +778,7 @@ static int iwl_mvm_sar_get_ewrd_table(st
+
+ for (i = 0; i < n_profiles; i++) {
+ /* the tables start at element 3 */
+- static int pos = 3;
++ int pos = 3;
+
+ /* The EWRD profiles officially go from 2 to 4, but we
+ * save them in sar_profiles[1-3] (because we don't
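Review bot: Dropping `static` while leaving the declaration inside the `for` body means `pos` is set back to 3 at the start of every iteration, not only at the start of every call. The rest of the loop is outside the hunk, but the comment "the tables start at element 3" suggests `pos` is meant to advance from one profile's table to the next. If so, every profile after the first would now be read from the first table. Declaring `int pos = 3;` before the loop resets it per call and keeps the advance across iterations.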
--- /dev/null
+From f5a47fae6aa3eb06f100e701d2342ee56b857bee Mon Sep 17 00:00:00 2001
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Fri, 19 Jul 2019 12:21:59 +0300
+Subject: iwlwifi: mvm: fix version check for GEO_TX_POWER_LIMIT support
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+commit f5a47fae6aa3eb06f100e701d2342ee56b857bee upstream.
+
+We erroneously added a check for FW API version 41 before sending
+GEO_TX_POWER_LIMIT, but this was already implemented in version 38.
+Additionally, it was cherry-picked to older versions, namely 17, 26
+and 29, so check for those as well.
+
+Cc: stable@vger.kernel.org
+Fixes: eca1e56ceedd ("iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT to old firmwares")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -918,9 +918,14 @@ static bool iwl_mvm_sar_geo_support(stru
+ * The GEO_TX_POWER_LIMIT command is not supported on earlier
+ * firmware versions. Unfortunately, we don't have a TLV API
+ * flag to rely on, so rely on the major version which is in
+- * the first byte of ucode_ver.
++ * the first byte of ucode_ver. This was implemented
++ * initially on version 38 and then backported to 36, 29 and
++ * 17.
+ */
+- return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 41;
++ return IWL_UCODE_SERIAL(mvm->fw->ucode_ver) >= 38 ||
++ IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 36 ||
++ IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 29 ||
++ IWL_UCODE_SERIAL(mvm->fw->ucode_ver) == 17;
+ }
+
+ int iwl_mvm_get_sar_geo_profile(struct iwl_mvm *mvm)
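Review bot: The commit message lists the backport targets as 17, 26 and 29, while the new comment and the code both use 36, 29 and 17. Since this list decides whether a command the older firmware cannot handle is sent, the correct set should be confirmed and the two made to agree. Separately, `IWL_UCODE_SERIAL(mvm->fw->ucode_ver)` is now evaluated four times; reading it once into a local and comparing that would make the list easier to read and extend.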
--- /dev/null
+From 17e433b54393a6269acbcb792da97791fe1592d8 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpengli@tencent.com>
+Date: Mon, 5 Aug 2019 10:03:19 +0800
+Subject: KVM: Fix leak vCPU's VMCS value into other pCPU
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li <wanpengli@tencent.com>
+
+commit 17e433b54393a6269acbcb792da97791fe1592d8 upstream.
+
+After commit d73eb57b80b (KVM: Boost vCPUs that are delivering interrupts), a
+five years old bug is exposed. Running ebizzy benchmark in three 80 vCPUs VMs
+on one 80 pCPUs Skylake server, a lot of rcu_sched stall warning splatting
+in the VMs after stress testing:
+
+ INFO: rcu_sched detected stalls on CPUs/tasks: { 4 41 57 62 77} (detected by 15, t=60004 jiffies, g=899, c=898, q=15073)
+ Call Trace:
+ flush_tlb_mm_range+0x68/0x140
+ tlb_flush_mmu.part.75+0x37/0xe0
+ tlb_finish_mmu+0x55/0x60
+ zap_page_range+0x142/0x190
+ SyS_madvise+0x3cd/0x9c0
+ system_call_fastpath+0x1c/0x21
+
+swait_active() sustains to be true before finish_swait() is called in
+kvm_vcpu_block(), voluntarily preempted vCPUs are taken into account
+by kvm_vcpu_on_spin() loop greatly increases the probability condition
+kvm_arch_vcpu_runnable(vcpu) is checked and can be true, when APICv
+is enabled the yield-candidate vCPU's VMCS RVI field leaks(by
+vmx_sync_pir_to_irr()) into spinning-on-a-taken-lock vCPU's current
+VMCS.
+
+This patch fixes it by checking conservatively a subset of events.
+
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Marc Zyngier <Marc.Zyngier@arm.com>
+Cc: stable@vger.kernel.org
+Fixes: 98f4a1467 (KVM: add kvm_arch_vcpu_runnable() test to kvm_vcpu_on_spin() loop)
+Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/powerpc.c | 5 +++++
+ arch/x86/include/asm/kvm_host.h | 1 +
+ arch/x86/kvm/svm.c | 6 ++++++
+ arch/x86/kvm/vmx.c | 6 ++++++
+ arch/x86/kvm/x86.c | 16 ++++++++++++++++
+ include/linux/kvm_host.h | 1 +
+ virt/kvm/kvm_main.c | 25 ++++++++++++++++++++++++-
+ 7 files changed, 59 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kvm/powerpc.c
++++ b/arch/powerpc/kvm/powerpc.c
+@@ -58,6 +58,11 @@ int kvm_arch_vcpu_runnable(struct kvm_vc
+ return !!(v->arch.pending_exceptions) || kvm_request_pending(v);
+ }
+
++bool kvm_arch_dy_runnable(struct kvm_vcpu *vcpu)
++{
++ return kvm_arch_vcpu_runnable(vcpu);
++}
++
+ bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu)
+ {
+ return false;
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1077,6 +1077,7 @@ struct kvm_x86_ops {
+ int (*update_pi_irte)(struct kvm *kvm, unsigned int host_irq,
+ uint32_t guest_irq, bool set);
+ void (*apicv_post_state_restore)(struct kvm_vcpu *vcpu);
++ bool (*dy_apicv_has_pending_interrupt)(struct kvm_vcpu *vcpu);
+
+ int (*set_hv_timer)(struct kvm_vcpu *vcpu, u64 guest_deadline_tsc);
+ void (*cancel_hv_timer)(struct kvm_vcpu *vcpu);
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -4637,6 +4637,11 @@ static void svm_deliver_avic_intr(struct
+ kvm_vcpu_wake_up(vcpu);
+ }
+
++static bool svm_dy_apicv_has_pending_interrupt(struct kvm_vcpu *vcpu)
++{
++ return false;
++}
++
+ static void svm_ir_list_del(struct vcpu_svm *svm, struct amd_iommu_pi_data *pi)
+ {
+ unsigned long flags;
+@@ -5746,6 +5751,7 @@ static struct kvm_x86_ops svm_x86_ops __
+
+ .pmu_ops = &amd_pmu_ops,
+ .deliver_posted_interrupt = svm_deliver_avic_intr,
++ .dy_apicv_has_pending_interrupt = svm_dy_apicv_has_pending_interrupt,
+ .update_pi_irte = svm_update_pi_irte,
+ .setup_mce = svm_setup_mce,
+ };
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -9431,6 +9431,11 @@ static int vmx_sync_pir_to_irr(struct kv
+ return max_irr;
+ }
+
++static bool vmx_dy_apicv_has_pending_interrupt(struct kvm_vcpu *vcpu)
++{
++ return pi_test_on(vcpu_to_pi_desc(vcpu));
++}
++
+ static void vmx_load_eoi_exitmap(struct kvm_vcpu *vcpu, u64 *eoi_exit_bitmap)
+ {
+ if (!kvm_vcpu_apicv_active(vcpu))
+@@ -12756,6 +12761,7 @@ static struct kvm_x86_ops vmx_x86_ops __
+ .hwapic_isr_update = vmx_hwapic_isr_update,
+ .sync_pir_to_irr = vmx_sync_pir_to_irr,
+ .deliver_posted_interrupt = vmx_deliver_posted_interrupt,
++ .dy_apicv_has_pending_interrupt = vmx_dy_apicv_has_pending_interrupt,
+
+ .set_tss_addr = vmx_set_tss_addr,
+ .get_tdp_level = get_ept_level,
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -8711,6 +8711,22 @@ int kvm_arch_vcpu_runnable(struct kvm_vc
+ return kvm_vcpu_running(vcpu) || kvm_vcpu_has_events(vcpu);
+ }
+
++bool kvm_arch_dy_runnable(struct kvm_vcpu *vcpu)
++{
++ if (READ_ONCE(vcpu->arch.pv.pv_unhalted))
++ return true;
++
++ if (kvm_test_request(KVM_REQ_NMI, vcpu) ||
++ kvm_test_request(KVM_REQ_SMI, vcpu) ||
++ kvm_test_request(KVM_REQ_EVENT, vcpu))
++ return true;
++
++ if (vcpu->arch.apicv_active && kvm_x86_ops->dy_apicv_has_pending_interrupt(vcpu))
++ return true;
++
++ return false;
++}
++
+ bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu)
+ {
+ return vcpu->arch.preempted_in_kernel;
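Review bot: `kvm_arch_dy_runnable()` has no comment explaining why it tests only `pv_unhalted`, three request bits and the posted-interrupt callback instead of calling `kvm_arch_vcpu_runnable()`. Going by the commit message, the caller runs without the target vCPU loaded, so a check that syncs or reads per-vCPU hardware state here would act on the spinning vCPU's VMCS. A header comment such as `/* Called for a vCPU that is not loaded: only test state that is safe to read remotely, never sync into the current VMCS. */` would stop a later change from adding such a check back. The call through `kvm_x86_ops->dy_apicv_has_pending_interrupt` also assumes every ops table sets the new member, which holds for the two tables in this patch.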
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -808,6 +808,7 @@ void kvm_arch_check_processor_compat(voi
+ int kvm_arch_vcpu_runnable(struct kvm_vcpu *vcpu);
+ bool kvm_arch_vcpu_in_kernel(struct kvm_vcpu *vcpu);
+ int kvm_arch_vcpu_should_kick(struct kvm_vcpu *vcpu);
++bool kvm_arch_dy_runnable(struct kvm_vcpu *vcpu);
+
+ #ifndef __KVM_HAVE_ARCH_VM_ALLOC
+ static inline struct kvm *kvm_arch_alloc_vm(void)
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -2314,6 +2314,29 @@ static bool kvm_vcpu_eligible_for_direct
+ #endif
+ }
+
++/*
++ * Unlike kvm_arch_vcpu_runnable, this function is called outside
++ * a vcpu_load/vcpu_put pair. However, for most architectures
++ * kvm_arch_vcpu_runnable does not require vcpu_load.
++ */
++bool __weak kvm_arch_dy_runnable(struct kvm_vcpu *vcpu)
++{
++ return kvm_arch_vcpu_runnable(vcpu);
++}
++
++static bool vcpu_dy_runnable(struct kvm_vcpu *vcpu)
++{
++ if (kvm_arch_dy_runnable(vcpu))
++ return true;
++
++#ifdef CONFIG_KVM_ASYNC_PF
++ if (!list_empty_careful(&vcpu->async_pf.done))
++ return true;
++#endif
++
++ return false;
++}
++
+ void kvm_vcpu_on_spin(struct kvm_vcpu *me, bool yield_to_kernel_mode)
+ {
+ struct kvm *kvm = me->kvm;
+@@ -2343,7 +2366,7 @@ void kvm_vcpu_on_spin(struct kvm_vcpu *m
+ continue;
+ if (vcpu == me)
+ continue;
+- if (swait_active(&vcpu->wq) && !kvm_arch_vcpu_runnable(vcpu))
++ if (swait_active(&vcpu->wq) && !vcpu_dy_runnable(vcpu))
+ continue;
+ if (yield_to_kernel_mode && !kvm_arch_vcpu_in_kernel(vcpu))
+ continue;
--- /dev/null
+From 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Fri, 26 Jul 2019 15:47:58 -0700
+Subject: mac80211: don't WARN on short WMM parameters from AP
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced upstream.
+
+In a very similar spirit to commit c470bdc1aaf3 ("mac80211: don't WARN
+on bad WMM parameters from buggy APs"), an AP may not transmit a
+fully-formed WMM IE. For example, it may miss or repeat an Access
+Category. The above loop won't catch that and will instead leave one of
+the four ACs zeroed out. This triggers the following warning in
+drv_conf_tx()
+
+ wlan0: invalid CW_min/CW_max: 0/0
+
+and it may leave one of the hardware queues unconfigured. If we detect
+such a case, let's just print a warning and fall back to the defaults.
+
+Tested with a hacked version of hostapd, intentionally corrupting the
+IEs in hostapd_eid_wmm().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Link: https://lore.kernel.org/r/20190726224758.210953-1-briannorris@chromium.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mlme.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1867,6 +1867,16 @@ static bool ieee80211_sta_wmm_params(str
+ }
+ }
+
++ /* WMM specification requires all 4 ACIs. */
++ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
++ if (params[ac].cw_min == 0) {
++ sdata_info(sdata,
++ "AP has invalid WMM params (missing AC %d), using defaults\n",
++ ac);
++ return false;
++ }
++ }
++
+ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
+ mlme_dbg(sdata,
+ "WMM AC=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d, downgraded=%d\n",
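Review bot: The new loop treats `params[ac].cw_min == 0` as proof that the AP omitted an AC, but nothing in the hunk says why zero can only mean "never filled in". A short comment such as `/* params[] starts zeroed, so cw_min == 0 means this AC was never parsed */` would make that assumption checkable; the commit message mentions the zeroing, but the initialisation itself is outside the hunk. If a present AC can also produce a cw_min of 0, the "missing AC %d" text would be misleading for that case, so a more neutral wording may be safer. Because the IE is supplied by the AP, this sdata_info() is reachable from remote input; whether it needs rate limiting depends on how often ieee80211_sta_wmm_params() runs, which the hunk does not show. The function starts and ends outside the hunk.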
--- /dev/null
+From df612421fe2566654047769c6852ffae1a31df16 Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Wed, 24 Jul 2019 12:46:34 -0700
+Subject: mwifiex: fix 802.11n/WPA detection
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit df612421fe2566654047769c6852ffae1a31df16 upstream.
+
+Commit 63d7ef36103d ("mwifiex: Don't abort on small, spec-compliant
+vendor IEs") adjusted the ieee_types_vendor_header struct, which
+inadvertently messed up the offsets used in
+mwifiex_is_wpa_oui_present(). Add that offset back in, mirroring
+mwifiex_is_rsn_oui_present().
+
+As it stands, commit 63d7ef36103d breaks compatibility with WPA (not
+WPA2) 802.11n networks, since we hit the "info: Disable 11n if AES is
+not supported by AP" case in mwifiex_is_network_compatible().
+
+Fixes: 63d7ef36103d ("mwifiex: Don't abort on small, spec-compliant vendor IEs")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/marvell/mwifiex/main.h | 1 +
+ drivers/net/wireless/marvell/mwifiex/scan.c | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/main.h
++++ b/drivers/net/wireless/marvell/mwifiex/main.h
+@@ -122,6 +122,7 @@ enum {
+
+ #define MWIFIEX_MAX_TOTAL_SCAN_TIME (MWIFIEX_TIMER_10S - MWIFIEX_TIMER_1S)
+
++#define WPA_GTK_OUI_OFFSET 2
+ #define RSN_GTK_OUI_OFFSET 2
+
+ #define MWIFIEX_OUI_NOT_PRESENT 0
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -181,7 +181,8 @@ mwifiex_is_wpa_oui_present(struct mwifie
+ u8 ret = MWIFIEX_OUI_NOT_PRESENT;
+
+ if (has_vendor_hdr(bss_desc->bcn_wpa_ie, WLAN_EID_VENDOR_SPECIFIC)) {
+- iebody = (struct ie_body *) bss_desc->bcn_wpa_ie->data;
++ iebody = (struct ie_body *)((u8 *)bss_desc->bcn_wpa_ie->data +
++ WPA_GTK_OUI_OFFSET);
+ oui = &mwifiex_wpa_oui[cipher][0];
+ ret = mwifiex_search_oui_in_ie(iebody, oui);
+ if (ret)
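Review bot: Nothing in this hunk checks that the WPA vendor IE is long enough before `iebody` is moved `WPA_GTK_OUI_OFFSET` bytes into `bcn_wpa_ie->data` and passed to mwifiex_search_oui_in_ie(). The IE comes from a received beacon, so unless has_vendor_hdr() or the caller already bounds the length (neither is visible here), a short element could make the search read past its end. A guard before the cast, along the lines of `if (<IE length field> < WPA_GTK_OUI_OFFSET + sizeof(*iebody)) return ret;` with the real length field substituted for the placeholder, would settle it. The same question applies to mwifiex_is_rsn_oui_present(), which the commit message says this change mirrors. The function begins and ends outside the hunk.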
--- /dev/null
+From 09a54f0ebfe263bc27c90bbd80187b9a93283887 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Sat, 3 Aug 2019 10:28:18 -0400
+Subject: NFSv4: Fix an Oops in nfs4_do_setattr
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 09a54f0ebfe263bc27c90bbd80187b9a93283887 upstream.
+
+If the user specifies an open mode of 3, then we don't have a NFSv4 state
+attached to the context, and so we Oops when we try to dereference it.
+
+Reported-by: Olga Kornievskaia <aglo@umich.edu>
+Fixes: 29b59f9416937 ("NFSv4: change nfs4_do_setattr to take...")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Cc: stable@vger.kernel.org # v4.10: 991eedb1371dc: NFSv4: Only pass the...
+Cc: stable@vger.kernel.org # v4.10+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -2966,7 +2966,7 @@ static int _nfs4_do_setattr(struct inode
+
+ if (nfs4_copy_delegation_stateid(inode, FMODE_WRITE, &arg->stateid, &delegation_cred)) {
+ /* Use that stateid */
+- } else if (ctx != NULL) {
++ } else if (ctx != NULL && ctx->state) {
+ struct nfs_lock_context *l_ctx;
+ if (!nfs4_valid_open_stateid(ctx->state))
+ return -EBADF;
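Review bot: The added `ctx->state` test has no comment saying when a context can exist without state, and it mixes an explicit `ctx != NULL` with an implicit truth test in the same condition. I would write `} else if (ctx != NULL && ctx->state != NULL) {` and add `/* open mode 3 leaves no NFSv4 state on the context */` next to it, which is the case the commit message gives. With the state missing, control now falls to whatever follows this branch; that code is outside the hunk, so it is worth confirming that it picks the intended stateid for a truncate on such a descriptor. _nfs4_do_setattr() starts and ends outside the hunk.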
--- /dev/null
+From 991eedb1371dc09b0f9848f59c8898fe63d198c0 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Mon, 9 Apr 2018 11:15:30 -0400
+Subject: NFSv4: Only pass the delegation to setattr if we're sending a truncate
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 991eedb1371dc09b0f9848f59c8898fe63d198c0 upstream.
+
+Even then it isn't really necessary. The reason why we may not want to
+pass in a stateid in other cases is that we cannot use the delegation
+credential.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -2954,7 +2954,6 @@ static int _nfs4_do_setattr(struct inode
+ };
+ struct rpc_cred *delegation_cred = NULL;
+ unsigned long timestamp = jiffies;
+- fmode_t fmode;
+ bool truncate;
+ int status;
+
+@@ -2962,11 +2961,12 @@ static int _nfs4_do_setattr(struct inode
+
+ /* Servers should only apply open mode checks for file size changes */
+ truncate = (arg->iap->ia_valid & ATTR_SIZE) ? true : false;
+- fmode = truncate ? FMODE_WRITE : FMODE_READ;
++ if (!truncate)
++ goto zero_stateid;
+
+- if (nfs4_copy_delegation_stateid(inode, fmode, &arg->stateid, &delegation_cred)) {
++ if (nfs4_copy_delegation_stateid(inode, FMODE_WRITE, &arg->stateid, &delegation_cred)) {
+ /* Use that stateid */
+- } else if (truncate && ctx != NULL) {
++ } else if (ctx != NULL) {
+ struct nfs_lock_context *l_ctx;
+ if (!nfs4_valid_open_stateid(ctx->state))
+ return -EBADF;
+@@ -2978,8 +2978,10 @@ static int _nfs4_do_setattr(struct inode
+ nfs_put_lock_context(l_ctx);
+ if (status == -EIO)
+ return -EBADF;
+- } else
++ } else {
++zero_stateid:
+ nfs4_stateid_copy(&arg->stateid, &zero_stateid);
++ }
+ if (delegation_cred)
+ msg.rpc_cred = delegation_cred;
+
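Review bot: The label `zero_stateid:` has the same name as the `zero_stateid` object whose address is taken on the very next line, and the `goto zero_stateid;` added in the previous hunk jumps into the middle of an `else` block. Labels have their own namespace, so this compiles, but a reader has to work out which `zero_stateid` each use refers to. Renaming the label, for example `goto use_zero_stateid;` and `use_zero_stateid:`, removes the ambiguity. Handling the non-truncate case before the if/else chain, rather than jumping into it, would also remove the jump into a nested block. _nfs4_do_setattr() continues outside these hunks.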
tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch
perf-core-fix-creating-kernel-counters-for-pmus-that.patch
hid-sony-fix-race-condition-between-rumble-and-device-remove.patch
+can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch
+can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch
+hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch
+drm-i915-fix-wrong-escape-clock-divisor-init-for-glk.patch
+alsa-firewire-fix-a-memory-leak-bug.patch
+alsa-hda-don-t-override-global-pcm-hw-info-flag.patch
+alsa-hda-workaround-for-crackled-sound-on-amd-controller-1022-1457.patch
+mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch
+smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch
+smb3-send-cap_dfs-capability-during-session-setup.patch
+nfsv4-only-pass-the-delegation-to-setattr-if-we-re-sending-a-truncate.patch
+nfsv4-fix-an-oops-in-nfs4_do_setattr.patch
+kvm-fix-leak-vcpu-s-vmcs-value-into-other-pcpu.patch
+mwifiex-fix-802.11n-wpa-detection.patch
+iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch
+iwlwifi-mvm-fix-an-out-of-bound-access.patch
+iwlwifi-mvm-don-t-send-geo_tx_power_limit-on-version-41.patch
+iwlwifi-mvm-fix-version-check-for-geo_tx_power_limit-support.patch
--- /dev/null
+From e99c63e4d86d3a94818693147b469fa70de6f945 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Mon, 22 Jul 2019 11:34:59 -0700
+Subject: SMB3: Fix deadlock in validate negotiate hits reconnect
+
+From: Pavel Shilovsky <pshilov@microsoft.com>
+
+commit e99c63e4d86d3a94818693147b469fa70de6f945 upstream.
+
+Currently we skip SMB2_TREE_CONNECT command when checking during
+reconnect because Tree Connect happens when establishing
+an SMB session. For SMB 3.0 protocol version the code also calls
+validate negotiate which results in SMB2_IOCL command being sent
+over the wire. This may deadlock on trying to acquire a mutex when
+checking for reconnect. Fix this by skipping SMB2_IOCL command
+when doing the reconnect check.
+
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -166,7 +166,7 @@ smb2_reconnect(__le16 smb2_command, stru
+ if (tcon == NULL)
+ return 0;
+
+- if (smb2_command == SMB2_TREE_CONNECT)
++ if (smb2_command == SMB2_TREE_CONNECT || smb2_command == SMB2_IOCTL)
+ return 0;
+
+ if (tcon->tidStatus == CifsExiting) {
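Review bot: The new condition exempts every `SMB2_IOCTL` from the reconnect check, not only the validate-negotiate ioctl the commit message describes, and the line carries no comment explaining the exemption. As far as the hunk shows, any ioctl issued on a tcon that needs reconnecting now returns 0 here and is sent without the check. If that is intended it should be stated; otherwise the exemption needs a narrower condition. A comment such as `/* validate negotiate is sent as an ioctl while reconnecting; checking again here can deadlock */` above the test would record the reason. smb2_reconnect() continues outside the hunk.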
--- /dev/null
+From 8d33096a460d5b9bd13300f01615df5bb454db10 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Thu, 25 Jul 2019 18:13:10 -0500
+Subject: smb3: send CAP_DFS capability during session setup
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 8d33096a460d5b9bd13300f01615df5bb454db10 upstream.
+
+We had a report of a server which did not do a DFS referral
+because the session setup Capabilities field was set to 0
+(unlike negotiate protocol where we set CAP_DFS). Better to
+send it session setup in the capabilities as well (this also
+more closely matches Windows client behavior).
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -834,7 +834,12 @@ SMB2_sess_alloc_buffer(struct SMB2_sess_
+ else
+ req->SecurityMode = 0;
+
++#ifdef CONFIG_CIFS_DFS_UPCALL
++ req->Capabilities = cpu_to_le32(SMB2_GLOBAL_CAP_DFS);
++#else
+ req->Capabilities = 0;
++#endif /* DFS_UPCALL */
++
+ req->Channel = 0; /* MBZ */
+
+ sess_data->iov[0].iov_base = (char *)req;
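Review bot: The closing `#endif /* DFS_UPCALL */` does not name the macro it closes, and the preprocessor split sits in the middle of the function body. `#endif /* CONFIG_CIFS_DFS_UPCALL */` would match the `#ifdef`. Alternatively, provided SMB2_GLOBAL_CAP_DFS is defined in both configurations, `req->Capabilities = IS_ENABLED(CONFIG_CIFS_DFS_UPCALL) ? cpu_to_le32(SMB2_GLOBAL_CAP_DFS) : 0;` keeps both arms visible to the compiler. SMB2_sess_alloc_buffer() starts and ends outside the hunk.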