--- /dev/null
+From 9e7460fc325dad06d2066abdbc1f4dd49456f9a4 Mon Sep 17 00:00:00 2001
+From: Baruch Siach <baruch@tkos.co.il>
+Date: Fri, 15 Sep 2017 10:50:07 +0300
+Subject: arm64: dt marvell: Fix AP806 system controller size
+
+From: Baruch Siach <baruch@tkos.co.il>
+
+commit 9e7460fc325dad06d2066abdbc1f4dd49456f9a4 upstream.
+
+Extend the container size to 0x2000 to include the gpio controller at
+offset 0x1040.
+
+While at it, add start address notation to the gpio node name to match
+its 'offset' property.
+
+Fixes: 63dac0f4924b ("arm64: dts: marvell: add gpio support for Armada
+7K/8K")
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/boot/dts/marvell/armada-ap806.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/marvell/armada-ap806.dtsi
++++ b/arch/arm64/boot/dts/marvell/armada-ap806.dtsi
+@@ -254,7 +254,7 @@
+
+ ap_syscon: system-controller@6f4000 {
+ compatible = "syscon", "simple-mfd";
+- reg = <0x6f4000 0x1000>;
++ reg = <0x6f4000 0x2000>;
+
+ ap_clk: clock {
+ compatible = "marvell,ap806-clock";
+@@ -265,7 +265,7 @@
+ compatible = "marvell,ap806-pinctrl";
+ };
+
+- ap_gpio: gpio {
++ ap_gpio: gpio@1040 {
+ compatible = "marvell,armada-8k-gpio";
+ offset = <0x1040>;
+ ngpios = <20>;
--- /dev/null
+From c0d8832e78cbfd4a64b7112e34920af4b0b0e60e Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Fri, 6 Oct 2017 14:16:52 +0100
+Subject: arm64: Ensure the instruction emulation is ready for userspace
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+commit c0d8832e78cbfd4a64b7112e34920af4b0b0e60e upstream.
+
+We trap and emulate some instructions (e.g, mrs, deprecated instructions)
+for the userspace. However the handlers for these are registered as
+late_initcalls and the userspace could be up and running from the initramfs
+by that time (with populate_rootfs, which is a rootfs_initcall()). This
+could cause problems for the early applications ending up in failure
+like :
+
+[ 11.152061] modprobe[93]: undefined instruction: pc=0000ffff8ca48ff4
+
+This patch promotes the specific calls to core_initcalls, which are
+guaranteed to be completed before we hit userspace.
+
+Cc: Dave Martin <dave.martin@arm.com>
+Cc: Matthias Brugger <mbrugger@suse.com>
+Cc: James Morse <james.morse@arm.com>
+Reported-by: Matwey V. Kornilov <matwey.kornilov@gmail.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/armv8_deprecated.c | 2 +-
+ arch/arm64/kernel/cpufeature.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/armv8_deprecated.c
++++ b/arch/arm64/kernel/armv8_deprecated.c
+@@ -649,4 +649,4 @@ static int __init armv8_deprecated_init(
+ return 0;
+ }
+
+-late_initcall(armv8_deprecated_init);
++core_initcall(armv8_deprecated_init);
+--- a/arch/arm64/kernel/cpufeature.c
++++ b/arch/arm64/kernel/cpufeature.c
+@@ -1294,4 +1294,4 @@ static int __init enable_mrs_emulation(v
+ return 0;
+ }
+
+-late_initcall(enable_mrs_emulation);
++core_initcall(enable_mrs_emulation);
--- /dev/null
+From 93dc1774d2a4c7a298d5cdf78cc8acdcb7b1428d Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Thu, 7 Sep 2017 15:37:30 +0200
+Subject: auxdisplay: charlcd: properly restore atomic counter on error path
+
+From: Willy Tarreau <w@1wt.eu>
+
+commit 93dc1774d2a4c7a298d5cdf78cc8acdcb7b1428d upstream.
+
+Commit f4757af ("staging: panel: Fix single-open policy race condition")
+introduced in 3.19-rc1 attempted to fix a race condition on the open, but
+failed to properly do it and used to exit without restoring the semaphore.
+
+This results in -EBUSY being returned after the first open error until
+the module is reloaded or the system restarted (ie: consecutive to a
+dual open resulting in -EBUSY or to a permission error).
+
+[ Note for stable maintainers: the code moved from drivers/misc/panel.c
+ to drivers/auxdisplay/{charlcd,panel}.c during 4.12. The patch easily
+ applies there (modulo the renamed atomic counter) but I can provide a
+ tested backport if desired. ]
+
+Fixes: f4757af85 # 3.19-rc1
+Cc: Mariusz Gorski <marius.gorski@gmail.com>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: Miguel Ojeda Sandonis <miguel.ojeda.sandonis@gmail.com>
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/auxdisplay/charlcd.c | 11 +++++++++--
+ drivers/auxdisplay/panel.c | 11 +++++++++--
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+
+--- a/drivers/auxdisplay/charlcd.c
++++ b/drivers/auxdisplay/charlcd.c
+@@ -647,18 +647,25 @@ static ssize_t charlcd_write(struct file
+ static int charlcd_open(struct inode *inode, struct file *file)
+ {
+ struct charlcd_priv *priv = to_priv(the_charlcd);
++ int ret;
+
++ ret = -EBUSY;
+ if (!atomic_dec_and_test(&charlcd_available))
+- return -EBUSY; /* open only once at a time */
++ goto fail; /* open only once at a time */
+
++ ret = -EPERM;
+ if (file->f_mode & FMODE_READ) /* device is write-only */
+- return -EPERM;
++ goto fail;
+
+ if (priv->must_clear) {
+ charlcd_clear_display(&priv->lcd);
+ priv->must_clear = false;
+ }
+ return nonseekable_open(inode, file);
++
++ fail:
++ atomic_inc(&charlcd_available);
++ return ret;
+ }
+
+ static int charlcd_release(struct inode *inode, struct file *file)
+--- a/drivers/auxdisplay/panel.c
++++ b/drivers/auxdisplay/panel.c
+@@ -1105,14 +1105,21 @@ static ssize_t keypad_read(struct file *
+
+ static int keypad_open(struct inode *inode, struct file *file)
+ {
++ int ret;
++
++ ret = -EBUSY;
+ if (!atomic_dec_and_test(&keypad_available))
+- return -EBUSY; /* open only once at a time */
++ goto fail; /* open only once at a time */
+
++ ret = -EPERM;
+ if (file->f_mode & FMODE_WRITE) /* device is read-only */
+- return -EPERM;
++ goto fail;
+
+ keypad_buflen = 0; /* flush the buffer on opening */
+ return 0;
++ fail:
++ atomic_inc(&keypad_available);
++ return ret;
+ }
+
+ static int keypad_release(struct inode *inode, struct file *file)
--- /dev/null
+From 2d8ce70a08fe033c904115d59276ad86adeaa337 Mon Sep 17 00:00:00 2001
+From: Goffredo Baroncelli <kreijack@inwind.it>
+Date: Tue, 3 Oct 2017 19:31:10 +0200
+Subject: btrfs: avoid overflow when sector_t is 32 bit
+
+From: Goffredo Baroncelli <kreijack@inwind.it>
+
+commit 2d8ce70a08fe033c904115d59276ad86adeaa337 upstream.
+
+Jean-Denis Girard noticed commit c821e7f3 "pass bytes to
+btrfs_bio_alloc" (https://patchwork.kernel.org/patch/9763081/)
+introduces a regression on 32 bit machines.
+When CONFIG_LBDAF is _not_ defined (CONFIG_LBDAF == Support for large
+(2TB+) block devices and files) sector_t is 32 bit on 32bit machines.
+
+In the function submit_extent_page, 'sector' (which is sector_t type) is
+multiplied by 512 to convert it from sectors to bytes, leading to an
+overflow when the disk is bigger than 4GB (!).
+
+I added a cast to u64 to avoid overflow.
+
+Fixes: c821e7f3 ("btrfs: pass bytes to btrfs_bio_alloc")
+Signed-off-by: Goffredo Baroncelli <kreijack@inwind.it>
+Tested-by: Jean-Denis Girard <jd.girard@sysnux.pf>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -2799,7 +2799,7 @@ static int submit_extent_page(int op, in
+ }
+ }
+
+- bio = btrfs_bio_alloc(bdev, sector << 9);
++ bio = btrfs_bio_alloc(bdev, (u64)sector << 9);
+ bio_add_page(bio, page, page_size, offset);
+ bio->bi_end_io = end_io_func;
+ bio->bi_private = tree;
--- /dev/null
+From 69ad59767d094752c23c0fc180a79532fde073d0 Mon Sep 17 00:00:00 2001
+From: Tsutomu Itoh <t-itoh@jp.fujitsu.com>
+Date: Wed, 4 Oct 2017 11:05:17 +0900
+Subject: Btrfs: fix overlap of fs_info::flags values
+
+From: Tsutomu Itoh <t-itoh@jp.fujitsu.com>
+
+commit 69ad59767d094752c23c0fc180a79532fde073d0 upstream.
+
+Because the values of BTRFS_FS_EXCL_OP and BTRFS_FS_QUOTA_OVERRIDE overlap,
+we should change the value.
+
+First, BTRFS_FS_EXCL_OP was set to 14.
+
+ commit 171938e52807 ("btrfs: track exclusive filesystem operation in flags")
+
+Next, the value of BTRFS_FS_QUOTA_OVERRIDE was set to 14.
+
+ commit f29efe292198 ("btrfs: add quota override flag to enable quota override for CAP_SYS_RESOURCE")
+
+As a result, the value 14 overlapped, by accident.
+This problem is solved by defining the value of BTRFS_FS_EXCL_OP as 16,
+the flags are internal.
+
+Fixes: f29efe292198 ("btrfs: add quota override flag to enable quota override for CAP_SYS_RESOURCE")
+Signed-off-by: Tsutomu Itoh <t-itoh@jp.fujitsu.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ minimize the change, update only BTRFS_FS_EXCL_OP ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/ctree.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -723,7 +723,7 @@ struct btrfs_delayed_root;
+ * Indicate that a whole-filesystem exclusive operation is running
+ * (device replace, resize, device add/delete, balance)
+ */
+-#define BTRFS_FS_EXCL_OP 14
++#define BTRFS_FS_EXCL_OP 16
+
+ struct btrfs_fs_info {
+ u8 fsid[BTRFS_FSID_SIZE];
--- /dev/null
+From c4fa6c43ce4b427350cfbb659436bfe3d9e09a1d Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Thu, 21 Sep 2017 09:54:13 -0400
+Subject: cgroup: Reinit cgroup_taskset structure before cgroup_migrate_execute() returns
+
+From: Waiman Long <longman@redhat.com>
+
+commit c4fa6c43ce4b427350cfbb659436bfe3d9e09a1d upstream.
+
+The cgroup_taskset structure within the larger cgroup_mgctx structure
+is supposed to be used once and then discarded. That is not really the
+case in the hotplug code path:
+
+cpuset_hotplug_workfn()
+ - cgroup_transfer_tasks()
+ - cgroup_migrate()
+ - cgroup_migrate_add_task()
+ - cgroup_migrate_execute()
+
+In this case, the cgroup_migrate() function is called multiple time
+with the same cgroup_mgctx structure to transfer the tasks from
+one cgroup to another one-by-one. The second time cgroup_migrate()
+is called, the cgroup_taskset will be in an incorrect state and so
+may cause the system to panic. For example,
+
+ [ 150.888410] Faulting instruction address: 0xc0000000001db648
+ [ 150.888414] Oops: Kernel access of bad area, sig: 11 [#1]
+ [ 150.888417] SMP NR_CPUS=2048
+ [ 150.888417] NUMA
+ [ 150.888419] pSeries
+ :
+ [ 150.888545] NIP [c0000000001db648] cpuset_can_attach+0x58/0x1b0
+ [ 150.888548] LR [c0000000001db638] cpuset_can_attach+0x48/0x1b0
+ [ 150.888551] Call Trace:
+ [ 150.888554] [c0000005f65cb940] [c0000000001db638] cpuset_can_attach+0x48/0x1b 0 (unreliable)
+ [ 150.888559] [c0000005f65cb9a0] [c0000000001cff04] cgroup_migrate_execute+0xc4/0x4b0
+ [ 150.888563] [c0000005f65cba20] [c0000000001d7d14] cgroup_transfer_tasks+0x1d4/0x370
+ [ 150.888568] [c0000005f65cbb70] [c0000000001ddcb0] cpuset_hotplug_workfn+0x710/0x8f0
+ [ 150.888572] [c0000005f65cbc80] [c00000000012032c] process_one_work+0x1ac/0x4d0
+ [ 150.888576] [c0000005f65cbd20] [c0000000001206f8] worker_thread+0xa8/0x5b0
+ [ 150.888580] [c0000005f65cbdc0] [c0000000001293f8] kthread+0x168/0x1b0
+ [ 150.888584] [c0000005f65cbe30] [c00000000000b368] ret_from_kernel_thread+0x5c/0x74
+
+To allow reuse of the cgroup_mgctx structure, some fields in that
+structure are now re-initialized at the end of cgroup_migrate_execute()
+function call so that the structure can be reused again in a later
+iteration without causing problem.
+
+This bug was introduced in the commit e595cd706982 ("group: track
+migration context in cgroup_mgctx") in 4.11. This commit moves the
+cgroup_taskset initialization out of cgroup_migrate(). The commit
+10467270fb3 ("cgroup: don't call migration methods if there are no
+tasks to migrate") helped, but did not completely resolve the problem.
+
+Fixes: e595cd706982bff0211e6fafe5a108421e747fbc ("group: track migration context in cgroup_mgctx")
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cgroup/cgroup.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -2168,6 +2168,14 @@ out_release_tset:
+ list_del_init(&cset->mg_node);
+ }
+ spin_unlock_irq(&css_set_lock);
++
++ /*
++ * Re-initialize the cgroup_taskset structure in case it is reused
++ * again in another cgroup_migrate_add_task()/cgroup_migrate_execute()
++ * iteration.
++ */
++ tset->nr_tasks = 0;
++ tset->csets = &tset->src_csets;
+ return ret;
+ }
+
--- /dev/null
+From bf563b01c2895a4bfd1a29cc5abc67fe706ecffd Mon Sep 17 00:00:00 2001
+From: Nicolai Stange <nstange@suse.de>
+Date: Mon, 11 Sep 2017 09:45:42 +0200
+Subject: driver core: platform: Don't read past the end of "driver_override" buffer
+
+From: Nicolai Stange <nstange@suse.de>
+
+commit bf563b01c2895a4bfd1a29cc5abc67fe706ecffd upstream.
+
+When printing the driver_override parameter when it is 4095 and 4094 bytes
+long, the printing code would access invalid memory because we need count+1
+bytes for printing.
+
+Reject driver_override values of these lengths in driver_override_store().
+
+This is in close analogy to commit 4efe874aace5 ("PCI: Don't read past the
+end of sysfs "driver_override" buffer") from Sasha Levin.
+
+Fixes: 3d713e0e382e ("driver core: platform: add device binding path 'driver_override'")
+Signed-off-by: Nicolai Stange <nstange@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/platform.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/base/platform.c
++++ b/drivers/base/platform.c
+@@ -868,7 +868,8 @@ static ssize_t driver_override_store(str
+ struct platform_device *pdev = to_platform_device(dev);
+ char *driver_override, *old, *cp;
+
+- if (count > PATH_MAX)
++ /* We need to keep extra room for a newline */
++ if (count >= (PAGE_SIZE - 1))
+ return -EINVAL;
+
+ driver_override = kstrndup(buf, count, GFP_KERNEL);
--- /dev/null
+From 549e658a0919e355a2b2144dc380b3729bef7f3e Mon Sep 17 00:00:00 2001
+From: Olaf Hering <olaf@aepfle.de>
+Date: Thu, 21 Sep 2017 23:41:48 -0700
+Subject: Drivers: hv: fcopy: restore correct transfer length
+
+From: Olaf Hering <olaf@aepfle.de>
+
+commit 549e658a0919e355a2b2144dc380b3729bef7f3e upstream.
+
+Till recently the expected length of bytes read by the
+daemon did depend on the context. It was either hv_start_fcopy or
+hv_do_fcopy. The daemon had a buffer size of two pages, which was much
+larger than needed.
+
+Now the expected length of bytes read by the
+daemon changed slightly. For START_FILE_COPY it is still the size of
+hv_start_fcopy. But for WRITE_TO_FILE and the other operations it is as
+large as the buffer that arrived via vmbus. In case of WRITE_TO_FILE
+that is slightly larger than a struct hv_do_fcopy. Since the buffer in
+the daemon was still larger everything was fine.
+
+Currently, the daemon reads only what is actually needed.
+The new buffer layout is as large as a struct hv_do_fcopy, for the
+WRITE_TO_FILE operation. Since the kernel expects a slightly larger
+size, hvt_op_read will return -EINVAL because the daemon will read
+slightly less than expected. Address this by restoring the expected
+buffer size in case of WRITE_TO_FILE.
+
+Fixes: 'c7e490fc23eb ("Drivers: hv: fcopy: convert to hv_utils_transport")'
+Fixes: '3f2baa8a7d2e ("Tools: hv: update buffer handling in hv_fcopy_daemon")'
+
+Signed-off-by: Olaf Hering <olaf@aepfle.de>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/hv_fcopy.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/hv/hv_fcopy.c
++++ b/drivers/hv/hv_fcopy.c
+@@ -170,6 +170,10 @@ static void fcopy_send_data(struct work_
+ out_src = smsg_out;
+ break;
+
++ case WRITE_TO_FILE:
++ out_src = fcopy_transaction.fcopy_msg;
++ out_len = sizeof(struct hv_do_fcopy);
++ break;
+ default:
+ out_src = fcopy_transaction.fcopy_msg;
+ out_len = fcopy_transaction.recv_len;
--- /dev/null
+From 2b0b8499ae75df91455bbeb7491d45affc384fb0 Mon Sep 17 00:00:00 2001
+From: Shu Wang <shuwang@redhat.com>
+Date: Tue, 12 Sep 2017 10:14:54 +0800
+Subject: ftrace: Fix kmemleak in unregister_ftrace_graph
+
+From: Shu Wang <shuwang@redhat.com>
+
+commit 2b0b8499ae75df91455bbeb7491d45affc384fb0 upstream.
+
+The trampoline allocated by function tracer was overwriten by function_graph
+tracer, and caused a memory leak. The save_global_trampoline should have
+saved the previous trampoline in register_ftrace_graph() and restored it in
+unregister_ftrace_graph(). But as it is implemented, save_global_trampoline was
+only used in unregister_ftrace_graph as default value 0, and it overwrote the
+previous trampoline's value. Causing the previous allocated trampoline to be
+lost.
+
+kmmeleak backtrace:
+ kmemleak_vmalloc+0x77/0xc0
+ __vmalloc_node_range+0x1b5/0x2c0
+ module_alloc+0x7c/0xd0
+ arch_ftrace_update_trampoline+0xb5/0x290
+ ftrace_startup+0x78/0x210
+ register_ftrace_function+0x8b/0xd0
+ function_trace_init+0x4f/0x80
+ tracing_set_tracer+0xe6/0x170
+ tracing_set_trace_write+0x90/0xd0
+ __vfs_write+0x37/0x170
+ vfs_write+0xb2/0x1b0
+ SyS_write+0x55/0xc0
+ do_syscall_64+0x67/0x180
+ return_from_SYSCALL_64+0x0/0x6a
+
+[
+ Looking further into this, I found that this was left over from when the
+ function and function graph tracers shared the same ftrace_ops. But in
+ commit 5f151b2401 ("ftrace: Fix function_profiler and function tracer
+ together"), the two were separated, and the save_global_trampoline no
+ longer was necessary (and it may have been broken back then too).
+ -- Steven Rostedt
+]
+
+Link: http://lkml.kernel.org/r/20170912021454.5976-1-shuwang@redhat.com
+
+Fixes: 5f151b2401 ("ftrace: Fix function_profiler and function tracer together")
+Signed-off-by: Shu Wang <shuwang@redhat.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -4954,9 +4954,6 @@ static char ftrace_graph_buf[FTRACE_FILT
+ static char ftrace_graph_notrace_buf[FTRACE_FILTER_SIZE] __initdata;
+ static int ftrace_graph_set_hash(struct ftrace_hash *hash, char *buffer);
+
+-static unsigned long save_global_trampoline;
+-static unsigned long save_global_flags;
+-
+ static int __init set_graph_function(char *str)
+ {
+ strlcpy(ftrace_graph_buf, str, FTRACE_FILTER_SIZE);
+@@ -6756,17 +6753,6 @@ void unregister_ftrace_graph(void)
+ unregister_pm_notifier(&ftrace_suspend_notifier);
+ unregister_trace_sched_switch(ftrace_graph_probe_sched_switch, NULL);
+
+-#ifdef CONFIG_DYNAMIC_FTRACE
+- /*
+- * Function graph does not allocate the trampoline, but
+- * other global_ops do. We need to reset the ALLOC_TRAMP flag
+- * if one was used.
+- */
+- global_ops.trampoline = save_global_trampoline;
+- if (save_global_flags & FTRACE_OPS_FL_ALLOC_TRAMP)
+- global_ops.flags |= FTRACE_OPS_FL_ALLOC_TRAMP;
+-#endif
+-
+ out:
+ mutex_unlock(&ftrace_lock);
+ }
--- /dev/null
+From 8320caeeffdefec3b58b9d4a7ed8e1079492fe7b Mon Sep 17 00:00:00 2001
+From: Adrian Salido <salidoa@google.com>
+Date: Fri, 8 Sep 2017 10:55:27 -0700
+Subject: HID: i2c-hid: allocate hid buffers for real worst case
+
+From: Adrian Salido <salidoa@google.com>
+
+commit 8320caeeffdefec3b58b9d4a7ed8e1079492fe7b upstream.
+
+The buffer allocation is not currently accounting for an extra byte for
+the report id. This can cause an out of bounds access in function
+i2c_hid_set_or_send_report() with reportID > 15.
+
+Signed-off-by: Adrian Salido <salidoa@google.com>
+Reviewed-by: Benson Leung <bleung@chromium.org>
+Signed-off-by: Guenter Roeck <groeck@chromium.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/i2c-hid/i2c-hid.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -543,7 +543,8 @@ static int i2c_hid_alloc_buffers(struct
+ {
+ /* the worst case is computed from the set_report command with a
+ * reportID > 15 and the maximum report length */
+- int args_len = sizeof(__u8) + /* optional ReportID byte */
++ int args_len = sizeof(__u8) + /* ReportID */
++ sizeof(__u8) + /* optional ReportID byte */
+ sizeof(__u16) + /* data register */
+ sizeof(__u16) + /* size of the report */
+ report_size; /* report */
--- /dev/null
+From cac72b990d34f4c70208998a86f910ba38253c94 Mon Sep 17 00:00:00 2001
+From: Lyude <lyude@redhat.com>
+Date: Sat, 22 Jul 2017 21:15:09 -0400
+Subject: HID: rmi: Make sure the HID device is opened on resume
+
+From: Lyude <lyude@redhat.com>
+
+commit cac72b990d34f4c70208998a86f910ba38253c94 upstream.
+
+So it looks like that suspend/resume has actually always been broken on
+hid-rmi. The fact it worked was a rather silly coincidence that was
+relying on the HID device to already be opened upon resume. This means
+that so long as anything was reading the /dev/input/eventX node for for
+an RMI device, it would suspend and resume correctly. As well, if
+nothing happened to be keeping the HID device away it would shut off,
+then the RMI driver would get confused on resume when it stopped
+responding and explode.
+
+So, call hid_hw_open() in rmi_post_resume() so we make sure that the
+device is alive before we try talking to it.
+
+This fixes RMI device suspend/resume over HID.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=196851
+[jkosina@suse.cz: removed useless hunk that was zero-initializing 'ret']
+Signed-off-by: Lyude <lyude@redhat.com>
+Cc: Andrew Duggan <aduggan@synaptics.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-rmi.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/hid-rmi.c
++++ b/drivers/hid/hid-rmi.c
+@@ -436,17 +436,24 @@ static int rmi_post_resume(struct hid_de
+ if (!(data->device_flags & RMI_DEVICE))
+ return 0;
+
+- ret = rmi_reset_attn_mode(hdev);
++ /* Make sure the HID device is ready to receive events */
++ ret = hid_hw_open(hdev);
+ if (ret)
+ return ret;
+
++ ret = rmi_reset_attn_mode(hdev);
++ if (ret)
++ goto out;
++
+ ret = rmi_driver_resume(rmi_dev, false);
+ if (ret) {
+ hid_warn(hdev, "Failed to resume device: %d\n", ret);
+- return ret;
++ goto out;
+ }
+
+- return 0;
++out:
++ hid_hw_close(hdev);
++ return ret;
+ }
+ #endif /* CONFIG_PM */
+
--- /dev/null
+From 2a5e597c6bb1b873e473e5f57147e9e5d2755430 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <killertofu@gmail.com>
+Date: Mon, 18 Sep 2017 09:27:42 -0700
+Subject: HID: wacom: Always increment hdev refcount within wacom_get_hdev_data
+
+From: Jason Gerecke <killertofu@gmail.com>
+
+commit 2a5e597c6bb1b873e473e5f57147e9e5d2755430 upstream.
+
+The wacom_get_hdev_data function is used to find and return a reference to
+the "other half" of a Wacom device (i.e., the touch device associated with
+a pen, or vice-versa). To ensure these references are properly accounted
+for, the function is supposed to automatically increment the refcount before
+returning. This was not done, however, for devices which have pen & touch
+on different interfaces of the same USB device. This can lead to a WARNING
+("refcount_t: underflow; use-after-free") when removing the module or device
+as we call kref_put() more times than kref_get(). Triggering an "actual" use-
+after-free would be difficult since both devices will disappear nearly-
+simultaneously. To silence this warning and prevent the potential error, we
+need to increment the refcount for all cases within wacom_get_hdev_data.
+
+Fixes: 41372d5d40 ("HID: wacom: Augment 'oVid' and 'oPid' with heuristics for HID_GENERIC")
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_sys.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -668,8 +668,10 @@ static struct wacom_hdev_data *wacom_get
+
+ /* Try to find an already-probed interface from the same device */
+ list_for_each_entry(data, &wacom_udev_list, list) {
+- if (compare_device_paths(hdev, data->dev, '/'))
++ if (compare_device_paths(hdev, data->dev, '/')) {
++ kref_get(&data->kref);
+ return data;
++ }
+ }
+
+ /* Fallback to finding devices that appear to be "siblings" */
--- /dev/null
+From ce06760ba46b66dae50f2519ae76bd15e89b5710 Mon Sep 17 00:00:00 2001
+From: Ping Cheng <pinglinux@gmail.com>
+Date: Thu, 31 Aug 2017 15:50:03 -0700
+Subject: HID: wacom: bits shifted too much for 9th and 10th buttons
+
+From: Ping Cheng <pinglinux@gmail.com>
+
+commit ce06760ba46b66dae50f2519ae76bd15e89b5710 upstream.
+
+Cintiq 12 has 10 expresskey buttons. The bit shift for the last
+two buttons were off by 5.
+
+Fixes: c7f0522 ("HID: wacom: Slim down wacom_intuos_pad processing")
+
+Signed-off-by: Ping Cheng <ping.cheng@wacom.com>
+Tested-by: Matthieu Robin <matthieu@macolu.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Cc: Jason Gerecke <killertofu@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_wac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -567,8 +567,8 @@ static int wacom_intuos_pad(struct wacom
+ keys = data[9] & 0x07;
+ }
+ } else {
+- buttons = ((data[6] & 0x10) << 10) |
+- ((data[5] & 0x10) << 9) |
++ buttons = ((data[6] & 0x10) << 5) |
++ ((data[5] & 0x10) << 4) |
+ ((data[6] & 0x0F) << 4) |
+ (data[5] & 0x0F);
+ }
--- /dev/null
+From d252f4a10fb9c8f7187c6c936ff530039f8cb799 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <killertofu@gmail.com>
+Date: Wed, 30 Aug 2017 15:13:26 -0700
+Subject: HID: wacom: Correct coordinate system of touchring and pen twist
+
+From: Jason Gerecke <killertofu@gmail.com>
+
+commit d252f4a10fb9c8f7187c6c936ff530039f8cb799 upstream.
+
+The MobileStudio Pro, Cintiq Pro, and 2nd-gen Intuos Pro devices use a
+different coordinate system for their touchring and pen twist than prior
+devices. Prior devices had zero aligned to the tablet's left and would
+increase clockwise. Userspace expects data from the kernel to be in this
+old coordinate space, so adjustments are necessary.
+
+While the coordinate system for pen twist is formally defined by the HID
+standard, no such definition existed for the touchring at the time these
+tablets were introduced. Future tablets are expected to report touchring
+data using the same "zero-up clockwise-increasing" coordinate system
+defined for twist.
+
+Fixes: 50066a042d ("HID: wacom: generic: Add support for height, tilt, and twist usages")
+Fixes: 4922cd26f0 ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface")
+Fixes: 60a2218698 ("HID: wacom: generic: add support for touchring")
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_wac.c | 73 ++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 68 insertions(+), 5 deletions(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -1227,11 +1227,17 @@ static void wacom_intuos_pro2_bt_pen(str
+ continue;
+
+ if (range) {
++ /* Fix rotation alignment: userspace expects zero at left */
++ int16_t rotation = (int16_t)get_unaligned_le16(&frame[9]);
++ rotation += 1800/4;
++ if (rotation > 899)
++ rotation -= 1800;
++
+ input_report_abs(pen_input, ABS_X, get_unaligned_le16(&frame[1]));
+ input_report_abs(pen_input, ABS_Y, get_unaligned_le16(&frame[3]));
+ input_report_abs(pen_input, ABS_TILT_X, (char)frame[7]);
+ input_report_abs(pen_input, ABS_TILT_Y, (char)frame[8]);
+- input_report_abs(pen_input, ABS_Z, (int16_t)get_unaligned_le16(&frame[9]));
++ input_report_abs(pen_input, ABS_Z, rotation);
+ input_report_abs(pen_input, ABS_WHEEL, get_unaligned_le16(&frame[11]));
+ }
+ input_report_abs(pen_input, ABS_PRESSURE, get_unaligned_le16(&frame[5]));
+@@ -1319,12 +1325,19 @@ static void wacom_intuos_pro2_bt_pad(str
+ unsigned char *data = wacom->data;
+
+ int buttons = (data[282] << 1) | ((data[281] >> 6) & 0x01);
+- int ring = data[285];
+- int prox = buttons | (ring & 0x80);
++ int ring = data[285] & 0x7F;
++ bool ringstatus = data[285] & 0x80;
++ bool prox = buttons || ringstatus;
++
++ /* Fix touchring data: userspace expects 0 at left and increasing clockwise */
++ ring = 71 - ring;
++ ring += 3*72/16;
++ if (ring > 71)
++ ring -= 72;
+
+ wacom_report_numbered_buttons(pad_input, 9, buttons);
+
+- input_report_abs(pad_input, ABS_WHEEL, (ring & 0x80) ? (ring & 0x7f) : 0);
++ input_report_abs(pad_input, ABS_WHEEL, ringstatus ? ring : 0);
+
+ input_report_key(pad_input, wacom->tool[1], prox ? 1 : 0);
+ input_report_abs(pad_input, ABS_MISC, prox ? PAD_DEVICE_ID : 0);
+@@ -1616,6 +1629,20 @@ static int wacom_tpc_irq(struct wacom_wa
+ return 0;
+ }
+
++static int wacom_offset_rotation(struct input_dev *input, struct hid_usage *usage,
++ int value, int num, int denom)
++{
++ struct input_absinfo *abs = &input->absinfo[usage->code];
++ int range = (abs->maximum - abs->minimum + 1);
++
++ value += num*range/denom;
++ if (value > abs->maximum)
++ value -= range;
++ else if (value < abs->minimum)
++ value += range;
++ return value;
++}
++
+ int wacom_equivalent_usage(int usage)
+ {
+ if ((usage & HID_USAGE_PAGE) == WACOM_HID_UP_WACOMDIGITIZER) {
+@@ -1898,6 +1925,7 @@ static void wacom_wac_pad_event(struct h
+ unsigned equivalent_usage = wacom_equivalent_usage(usage->hid);
+ int i;
+ bool is_touch_on = value;
++ bool do_report = false;
+
+ /*
+ * Avoid reporting this event and setting inrange_state if this usage
+@@ -1912,6 +1940,29 @@ static void wacom_wac_pad_event(struct h
+ }
+
+ switch (equivalent_usage) {
++ case WACOM_HID_WD_TOUCHRING:
++ /*
++ * Userspace expects touchrings to increase in value with
++ * clockwise gestures and have their zero point at the
++ * tablet's left. HID events "should" be clockwise-
++ * increasing and zero at top, though the MobileStudio
++ * Pro and 2nd-gen Intuos Pro don't do this...
++ */
++ if (hdev->vendor == 0x56a &&
++ (hdev->product == 0x34d || hdev->product == 0x34e || /* MobileStudio Pro */
++ hdev->product == 0x357 || hdev->product == 0x358)) { /* Intuos Pro 2 */
++ value = (field->logical_maximum - value);
++
++ if (hdev->product == 0x357 || hdev->product == 0x358)
++ value = wacom_offset_rotation(input, usage, value, 3, 16);
++ else if (hdev->product == 0x34d || hdev->product == 0x34e)
++ value = wacom_offset_rotation(input, usage, value, 1, 2);
++ }
++ else {
++ value = wacom_offset_rotation(input, usage, value, 1, 4);
++ }
++ do_report = true;
++ break;
+ case WACOM_HID_WD_TOUCHRINGSTATUS:
+ if (!value)
+ input_event(input, usage->type, usage->code, 0);
+@@ -1945,10 +1996,14 @@ static void wacom_wac_pad_event(struct h
+ value, i);
+ /* fall through*/
+ default:
++ do_report = true;
++ break;
++ }
++
++ if (do_report) {
+ input_event(input, usage->type, usage->code, value);
+ if (value)
+ wacom_wac->hid_data.pad_input_event_flag = true;
+- break;
+ }
+ }
+
+@@ -2089,6 +2144,14 @@ static void wacom_wac_pen_event(struct h
+ wacom_wac->serial[0] = (wacom_wac->serial[0] & ~0xFFFFFFFFULL);
+ wacom_wac->serial[0] |= (__u32)value;
+ return;
++ case HID_DG_TWIST:
++ /*
++ * Userspace expects pen twist to have its zero point when
++ * the buttons/finger is on the tablet's left. HID values
++ * are zero when buttons are toward the top.
++ */
++ value = wacom_offset_rotation(input, usage, value, 1, 4);
++ break;
+ case WACOM_HID_WD_SENSE:
+ wacom_wac->hid_data.sense_state = value;
+ return;
--- /dev/null
+From 92380b572d95caf48f8424746aeee63c5a2b1922 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <killertofu@gmail.com>
+Date: Thu, 7 Sep 2017 17:47:38 -0700
+Subject: HID: wacom: generic: Clear ABS_MISC when tool leaves proximity
+
+From: Jason Gerecke <killertofu@gmail.com>
+
+commit 92380b572d95caf48f8424746aeee63c5a2b1922 upstream.
+
+The tool ID information sent in ABS_MISC is expected to be reset to 0
+when a tool leaves proximity. Not doing this can cause problems if a
+tool is removed and then re-introduced. Kernel event filtering will
+prevent the (identical) ABS_MISC event from being sent when the tool
+re-enters proxmity. This can cause userspace to not properly set the
+tool ID.
+
+Fixes: f85c9dc678 ("HID: wacom: generic: Support tool ID and additional tool types")
+Signed-off-by: Ping Cheng <ping.cheng@wacom.com>
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_wac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -2272,7 +2272,7 @@ static void wacom_wac_pen_report(struct
+ input_report_key(input, wacom_wac->tool[0], prox);
+ if (wacom_wac->serial[0]) {
+ input_event(input, EV_MSC, MSC_SERIAL, wacom_wac->serial[0]);
+- input_report_abs(input, ABS_MISC, id);
++ input_report_abs(input, ABS_MISC, prox ? id : 0);
+ }
+
+ wacom_wac->hid_data.tipswitch = false;
--- /dev/null
+From 993f0d93f8538c15bd5c12a1a9fd74c777efea1b Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <killertofu@gmail.com>
+Date: Thu, 7 Sep 2017 17:44:12 -0700
+Subject: HID: wacom: generic: Send MSC_SERIAL and ABS_MISC when leaving prox
+
+From: Jason Gerecke <killertofu@gmail.com>
+
+commit 993f0d93f8538c15bd5c12a1a9fd74c777efea1b upstream.
+
+The latest generation of pro devices (MobileStudio Pro, 2nd-gen Intuos
+Pro, Cintiq Pro) send a serial number of '0' whenever the pen is too far
+away for reliable communication. Userspace defines that a serial number
+of '0' is invalid, so we need to be careful not to actually forward
+this value. Additionally, since EMR ISDv4 devices do not support serial
+numbers or tool IDs, we'd like to not send these events if they aren't
+necessary.
+
+The existing code achieves these goals by adding a check for a non-zero
+serial number within the wacom_wac_pen_report function. The MSC_SERIAL
+and ABS_MISC events are only sent if the serial number is non-zero. This
+code fails, however when the pen for a pro device leaves proximity. When
+the pen leaves prox and the tablet sends a serial of 0, wacom_wac_pen_event
+dutifully clears the serial number. When wacom_wac_pen_report is called,
+it does not send either the MSC_SERIAL of the exiting tool nor an ABS_MISC
+event.
+
+This patch prevents the wacom_wac_pen_event function from clearing an
+already-set serial number. This ensures that we have the serial number
+handy when exiting proximity, but requires us to manually clear it
+afterwards to ensure the driver does not send stale data (e.g. when
+switching between AES pens that report a serial nubmer of 0 for the
+first few fully in-proximity packets).
+
+Fixes: f85c9dc678 ("HID: wacom: generic: Support tool ID and additional tool types")
+Signed-off-by: Ping Cheng <ping.cheng@wacom.com>
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_wac.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -2141,8 +2141,10 @@ static void wacom_wac_pen_event(struct h
+ wacom_wac->hid_data.tipswitch |= value;
+ return;
+ case HID_DG_TOOLSERIALNUMBER:
+- wacom_wac->serial[0] = (wacom_wac->serial[0] & ~0xFFFFFFFFULL);
+- wacom_wac->serial[0] |= (__u32)value;
++ if (value) {
++ wacom_wac->serial[0] = (wacom_wac->serial[0] & ~0xFFFFFFFFULL);
++ wacom_wac->serial[0] |= (__u32)value;
++ }
+ return;
+ case HID_DG_TWIST:
+ /*
+@@ -2156,15 +2158,17 @@ static void wacom_wac_pen_event(struct h
+ wacom_wac->hid_data.sense_state = value;
+ return;
+ case WACOM_HID_WD_SERIALHI:
+- wacom_wac->serial[0] = (wacom_wac->serial[0] & 0xFFFFFFFF);
+- wacom_wac->serial[0] |= ((__u64)value) << 32;
+- /*
+- * Non-USI EMR devices may contain additional tool type
+- * information here. See WACOM_HID_WD_TOOLTYPE case for
+- * more details.
+- */
+- if (value >> 20 == 1) {
+- wacom_wac->id[0] |= value & 0xFFFFF;
++ if (value) {
++ wacom_wac->serial[0] = (wacom_wac->serial[0] & 0xFFFFFFFF);
++ wacom_wac->serial[0] |= ((__u64)value) << 32;
++ /*
++ * Non-USI EMR devices may contain additional tool type
++ * information here. See WACOM_HID_WD_TOOLTYPE case for
++ * more details.
++ */
++ if (value >> 20 == 1) {
++ wacom_wac->id[0] |= value & 0xFFFFF;
++ }
+ }
+ return;
+ case WACOM_HID_WD_TOOLTYPE:
+@@ -2279,6 +2283,7 @@ static void wacom_wac_pen_report(struct
+ if (!prox) {
+ wacom_wac->tool[0] = 0;
+ wacom_wac->id[0] = 0;
++ wacom_wac->serial[0] = 0;
+ }
+ }
+
--- /dev/null
+From 74aebed6dc13425233f2224668353cff7a112776 Mon Sep 17 00:00:00 2001
+From: Aaron Armstrong Skomra <skomra@gmail.com>
+Date: Mon, 28 Aug 2017 14:15:39 -0700
+Subject: HID: wacom: leds: Don't try to control the EKR's read-only LEDs
+
+From: Aaron Armstrong Skomra <skomra@gmail.com>
+
+commit 74aebed6dc13425233f2224668353cff7a112776 upstream.
+
+Commit a50aac7193f1 introduces 'led.groups' and adds EKR support
+for these groups. However, unlike the other devices with LEDs,
+the EKR's LEDs are read-only and we shouldn't attempt to control
+them in wacom_led_control().
+
+See bug: https://sourceforge.net/p/linuxwacom/bugs/342/
+
+Fixes: a50aac7193f1 ("HID: wacom: leds: dynamically allocate LED groups")
+Signed-off-by: Aaron Armstrong Skomra <aaron.skomra@wacom.com>
+Reviewed-by: Jason Gerecke <jason.gerecke@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_sys.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -766,6 +766,9 @@ static int wacom_led_control(struct waco
+ if (!wacom->led.groups)
+ return -ENOTSUPP;
+
++ if (wacom->wacom_wac.features.type == REMOTE)
++ return -ENOTSUPP;
++
+ if (wacom->wacom_wac.pid) { /* wireless connected */
+ report_id = WAC_CMD_WL_LED_CONTROL;
+ buf_size = 13;
--- /dev/null
+From b63c4c2718d641ba9bec888994f0cb0c23a1ef45 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <killertofu@gmail.com>
+Date: Wed, 30 Aug 2017 15:13:25 -0700
+Subject: HID: wacom: Properly report negative values from Intuos Pro 2 Bluetooth
+
+From: Jason Gerecke <killertofu@gmail.com>
+
+commit b63c4c2718d641ba9bec888994f0cb0c23a1ef45 upstream.
+
+The wacom driver's IRQ handler for Bluetooth reports from the 2nd-gen
+Intuos Pro does not correctly process negative numbers. Values for
+tilt and rotation (which can go negative) are instead interpreted as
+unsigned and so jump to very large values when the data should be
+negative. This commit properly casts the data to ensure we report
+negative numbers when necessary.
+
+Fixes: 4922cd2 ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface")
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_wac.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -1229,9 +1229,9 @@ static void wacom_intuos_pro2_bt_pen(str
+ if (range) {
+ input_report_abs(pen_input, ABS_X, get_unaligned_le16(&frame[1]));
+ input_report_abs(pen_input, ABS_Y, get_unaligned_le16(&frame[3]));
+- input_report_abs(pen_input, ABS_TILT_X, frame[7]);
+- input_report_abs(pen_input, ABS_TILT_Y, frame[8]);
+- input_report_abs(pen_input, ABS_Z, get_unaligned_le16(&frame[9]));
++ input_report_abs(pen_input, ABS_TILT_X, (char)frame[7]);
++ input_report_abs(pen_input, ABS_TILT_Y, (char)frame[8]);
++ input_report_abs(pen_input, ABS_Z, (int16_t)get_unaligned_le16(&frame[9]));
+ input_report_abs(pen_input, ABS_WHEEL, get_unaligned_le16(&frame[11]));
+ }
+ input_report_abs(pen_input, ABS_PRESSURE, get_unaligned_le16(&frame[5]));
--- /dev/null
+From 920ce7c33db25cf4acb4ade3ae8c93bd23dfd730 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Tue, 19 Sep 2017 18:47:41 +0300
+Subject: intel_th: pci: Add Cedar Fork PCH support
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 920ce7c33db25cf4acb4ade3ae8c93bd23dfd730 upstream.
+
+This adds Intel(R) Trace Hub PCI ID for Cedar Fork PCH.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -105,6 +105,11 @@ static const struct pci_device_id intel_
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x9da6),
+ .driver_data = (kernel_ulong_t)0,
+ },
++ {
++ /* Cedar Fork PCH */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x18e1),
++ .driver_data = (kernel_ulong_t)&intel_th_2x,
++ },
+ { 0 },
+ };
+
--- /dev/null
+From 24600840c74112ad04a9ddd99d7d7f731dcaa1cb Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Tue, 19 Sep 2017 18:47:42 +0300
+Subject: intel_th: pci: Add Lewisburg PCH support
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 24600840c74112ad04a9ddd99d7d7f731dcaa1cb upstream.
+
+This adds Intel(R) Trace Hub PCI ID for Lewisburg PCH.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -91,6 +91,11 @@ static const struct pci_device_id intel_
+ .driver_data = (kernel_ulong_t)0,
+ },
+ {
++ /* Lewisburg PCH */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa1a6),
++ .driver_data = (kernel_ulong_t)0,
++ },
++ {
+ /* Gemini Lake */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x318e),
+ .driver_data = (kernel_ulong_t)0,
--- /dev/null
+From b4391db42308c9940944b5d7be5ca4b78fb88dd0 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 22 Sep 2017 23:29:19 +0200
+Subject: netlink: fix nla_put_{u8,u16,u32} for KASAN
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit b4391db42308c9940944b5d7be5ca4b78fb88dd0 upstream.
+
+When CONFIG_KASAN is enabled, the "--param asan-stack=1" causes rather large
+stack frames in some functions. This goes unnoticed normally because
+CONFIG_FRAME_WARN is disabled with CONFIG_KASAN by default as of commit
+3f181b4d8652 ("lib/Kconfig.debug: disable -Wframe-larger-than warnings with
+KASAN=y").
+
+The kernelci.org build bot however has the warning enabled and that led
+me to investigate it a little further, as every build produces these warnings:
+
+net/wireless/nl80211.c:4389:1: warning: the frame size of 2240 bytes is larger than 2048 bytes [-Wframe-larger-than=]
+net/wireless/nl80211.c:1895:1: warning: the frame size of 3776 bytes is larger than 2048 bytes [-Wframe-larger-than=]
+net/wireless/nl80211.c:1410:1: warning: the frame size of 2208 bytes is larger than 2048 bytes [-Wframe-larger-than=]
+net/bridge/br_netlink.c:1282:1: warning: the frame size of 2544 bytes is larger than 2048 bytes [-Wframe-larger-than=]
+
+Most of this problem is now solved in gcc-8, which can consolidate
+the stack slots for the inline function arguments. On older compilers
+we can add a workaround by declaring a local variable in each function
+to pass the inline function argument.
+
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/netlink.h | 73 +++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 55 insertions(+), 18 deletions(-)
+
+--- a/include/net/netlink.h
++++ b/include/net/netlink.h
+@@ -768,7 +768,10 @@ static inline int nla_parse_nested(struc
+ */
+ static inline int nla_put_u8(struct sk_buff *skb, int attrtype, u8 value)
+ {
+- return nla_put(skb, attrtype, sizeof(u8), &value);
++ /* temporary variables to work around GCC PR81715 with asan-stack=1 */
++ u8 tmp = value;
++
++ return nla_put(skb, attrtype, sizeof(u8), &tmp);
+ }
+
+ /**
+@@ -779,7 +782,9 @@ static inline int nla_put_u8(struct sk_b
+ */
+ static inline int nla_put_u16(struct sk_buff *skb, int attrtype, u16 value)
+ {
+- return nla_put(skb, attrtype, sizeof(u16), &value);
++ u16 tmp = value;
++
++ return nla_put(skb, attrtype, sizeof(u16), &tmp);
+ }
+
+ /**
+@@ -790,7 +795,9 @@ static inline int nla_put_u16(struct sk_
+ */
+ static inline int nla_put_be16(struct sk_buff *skb, int attrtype, __be16 value)
+ {
+- return nla_put(skb, attrtype, sizeof(__be16), &value);
++ __be16 tmp = value;
++
++ return nla_put(skb, attrtype, sizeof(__be16), &tmp);
+ }
+
+ /**
+@@ -801,7 +808,9 @@ static inline int nla_put_be16(struct sk
+ */
+ static inline int nla_put_net16(struct sk_buff *skb, int attrtype, __be16 value)
+ {
+- return nla_put_be16(skb, attrtype | NLA_F_NET_BYTEORDER, value);
++ __be16 tmp = value;
++
++ return nla_put_be16(skb, attrtype | NLA_F_NET_BYTEORDER, tmp);
+ }
+
+ /**
+@@ -812,7 +821,9 @@ static inline int nla_put_net16(struct s
+ */
+ static inline int nla_put_le16(struct sk_buff *skb, int attrtype, __le16 value)
+ {
+- return nla_put(skb, attrtype, sizeof(__le16), &value);
++ __le16 tmp = value;
++
++ return nla_put(skb, attrtype, sizeof(__le16), &tmp);
+ }
+
+ /**
+@@ -823,7 +834,9 @@ static inline int nla_put_le16(struct sk
+ */
+ static inline int nla_put_u32(struct sk_buff *skb, int attrtype, u32 value)
+ {
+- return nla_put(skb, attrtype, sizeof(u32), &value);
++ u32 tmp = value;
++
++ return nla_put(skb, attrtype, sizeof(u32), &tmp);
+ }
+
+ /**
+@@ -834,7 +847,9 @@ static inline int nla_put_u32(struct sk_
+ */
+ static inline int nla_put_be32(struct sk_buff *skb, int attrtype, __be32 value)
+ {
+- return nla_put(skb, attrtype, sizeof(__be32), &value);
++ __be32 tmp = value;
++
++ return nla_put(skb, attrtype, sizeof(__be32), &tmp);
+ }
+
+ /**
+@@ -845,7 +860,9 @@ static inline int nla_put_be32(struct sk
+ */
+ static inline int nla_put_net32(struct sk_buff *skb, int attrtype, __be32 value)
+ {
+- return nla_put_be32(skb, attrtype | NLA_F_NET_BYTEORDER, value);
++ __be32 tmp = value;
++
++ return nla_put_be32(skb, attrtype | NLA_F_NET_BYTEORDER, tmp);
+ }
+
+ /**
+@@ -856,7 +873,9 @@ static inline int nla_put_net32(struct s
+ */
+ static inline int nla_put_le32(struct sk_buff *skb, int attrtype, __le32 value)
+ {
+- return nla_put(skb, attrtype, sizeof(__le32), &value);
++ __le32 tmp = value;
++
++ return nla_put(skb, attrtype, sizeof(__le32), &tmp);
+ }
+
+ /**
+@@ -869,7 +888,9 @@ static inline int nla_put_le32(struct sk
+ static inline int nla_put_u64_64bit(struct sk_buff *skb, int attrtype,
+ u64 value, int padattr)
+ {
+- return nla_put_64bit(skb, attrtype, sizeof(u64), &value, padattr);
++ u64 tmp = value;
++
++ return nla_put_64bit(skb, attrtype, sizeof(u64), &tmp, padattr);
+ }
+
+ /**
+@@ -882,7 +903,9 @@ static inline int nla_put_u64_64bit(stru
+ static inline int nla_put_be64(struct sk_buff *skb, int attrtype, __be64 value,
+ int padattr)
+ {
+- return nla_put_64bit(skb, attrtype, sizeof(__be64), &value, padattr);
++ __be64 tmp = value;
++
++ return nla_put_64bit(skb, attrtype, sizeof(__be64), &tmp, padattr);
+ }
+
+ /**
+@@ -895,7 +918,9 @@ static inline int nla_put_be64(struct sk
+ static inline int nla_put_net64(struct sk_buff *skb, int attrtype, __be64 value,
+ int padattr)
+ {
+- return nla_put_be64(skb, attrtype | NLA_F_NET_BYTEORDER, value,
++ __be64 tmp = value;
++
++ return nla_put_be64(skb, attrtype | NLA_F_NET_BYTEORDER, tmp,
+ padattr);
+ }
+
+@@ -909,7 +934,9 @@ static inline int nla_put_net64(struct s
+ static inline int nla_put_le64(struct sk_buff *skb, int attrtype, __le64 value,
+ int padattr)
+ {
+- return nla_put_64bit(skb, attrtype, sizeof(__le64), &value, padattr);
++ __le64 tmp = value;
++
++ return nla_put_64bit(skb, attrtype, sizeof(__le64), &tmp, padattr);
+ }
+
+ /**
+@@ -920,7 +947,9 @@ static inline int nla_put_le64(struct sk
+ */
+ static inline int nla_put_s8(struct sk_buff *skb, int attrtype, s8 value)
+ {
+- return nla_put(skb, attrtype, sizeof(s8), &value);
++ s8 tmp = value;
++
++ return nla_put(skb, attrtype, sizeof(s8), &tmp);
+ }
+
+ /**
+@@ -931,7 +960,9 @@ static inline int nla_put_s8(struct sk_b
+ */
+ static inline int nla_put_s16(struct sk_buff *skb, int attrtype, s16 value)
+ {
+- return nla_put(skb, attrtype, sizeof(s16), &value);
++ s16 tmp = value;
++
++ return nla_put(skb, attrtype, sizeof(s16), &tmp);
+ }
+
+ /**
+@@ -942,7 +973,9 @@ static inline int nla_put_s16(struct sk_
+ */
+ static inline int nla_put_s32(struct sk_buff *skb, int attrtype, s32 value)
+ {
+- return nla_put(skb, attrtype, sizeof(s32), &value);
++ s32 tmp = value;
++
++ return nla_put(skb, attrtype, sizeof(s32), &tmp);
+ }
+
+ /**
+@@ -955,7 +988,9 @@ static inline int nla_put_s32(struct sk_
+ static inline int nla_put_s64(struct sk_buff *skb, int attrtype, s64 value,
+ int padattr)
+ {
+- return nla_put_64bit(skb, attrtype, sizeof(s64), &value, padattr);
++ s64 tmp = value;
++
++ return nla_put_64bit(skb, attrtype, sizeof(s64), &tmp, padattr);
+ }
+
+ /**
+@@ -1005,7 +1040,9 @@ static inline int nla_put_msecs(struct s
+ static inline int nla_put_in_addr(struct sk_buff *skb, int attrtype,
+ __be32 addr)
+ {
+- return nla_put_be32(skb, attrtype, addr);
++ __be32 tmp = addr;
++
++ return nla_put_be32(skb, attrtype, tmp);
+ }
+
+ /**
--- /dev/null
+From dc7ab6773e8171e07f16fd0df0c5eea28c899503 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Sun, 24 Sep 2017 22:19:10 +0300
+Subject: ovl: fix dentry leak in ovl_indexdir_cleanup()
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit dc7ab6773e8171e07f16fd0df0c5eea28c899503 upstream.
+
+index dentry was not released when breaking out of the loop
+due to index verification error.
+
+Fixes: 415543d5c64f ("ovl: cleanup bad and stale index entries on mount")
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/readdir.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/overlayfs/readdir.c
++++ b/fs/overlayfs/readdir.c
+@@ -672,6 +672,7 @@ int ovl_indexdir_cleanup(struct dentry *
+ struct path *lowerstack, unsigned int numlower)
+ {
+ int err;
++ struct dentry *index = NULL;
+ struct inode *dir = dentry->d_inode;
+ struct path path = { .mnt = mnt, .dentry = dentry };
+ LIST_HEAD(list);
+@@ -690,8 +691,6 @@ int ovl_indexdir_cleanup(struct dentry *
+
+ inode_lock_nested(dir, I_MUTEX_PARENT);
+ list_for_each_entry(p, &list, l_node) {
+- struct dentry *index;
+-
+ if (p->name[0] == '.') {
+ if (p->len == 1)
+ continue;
+@@ -701,6 +700,7 @@ int ovl_indexdir_cleanup(struct dentry *
+ index = lookup_one_len(p->name, dentry, p->len);
+ if (IS_ERR(index)) {
+ err = PTR_ERR(index);
++ index = NULL;
+ break;
+ }
+ err = ovl_verify_index(index, lowerstack, numlower);
+@@ -712,7 +712,9 @@ int ovl_indexdir_cleanup(struct dentry *
+ break;
+ }
+ dput(index);
++ index = NULL;
+ }
++ dput(index);
+ inode_unlock(dir);
+ out:
+ ovl_cache_free(&list);
--- /dev/null
+From 9f4ec904dbd4eb1a2db10d5e7dc16eae386fe64d Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Sun, 24 Sep 2017 17:36:26 +0300
+Subject: ovl: fix dput() of ERR_PTR in ovl_cleanup_index()
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 9f4ec904dbd4eb1a2db10d5e7dc16eae386fe64d upstream.
+
+Fixes: caf70cb2ba5d ("ovl: cleanup orphan index entries")
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/util.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/util.c
++++ b/fs/overlayfs/util.c
+@@ -418,7 +418,7 @@ void ovl_inuse_unlock(struct dentry *den
+ }
+ }
+
+-/* Called must hold OVL_I(inode)->oi_lock */
++/* Caller must hold OVL_I(inode)->lock */
+ static void ovl_cleanup_index(struct dentry *dentry)
+ {
+ struct inode *dir = ovl_indexdir(dentry->d_sb)->d_inode;
+@@ -457,6 +457,9 @@ static void ovl_cleanup_index(struct den
+ err = PTR_ERR(index);
+ if (!IS_ERR(index))
+ err = ovl_cleanup(dir, index);
++ else
++ index = NULL;
++
+ inode_unlock(dir);
+ if (err)
+ goto fail;
--- /dev/null
+From e0082a0f04c432cb6d7128ef60d8e425e45ce025 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Sun, 24 Sep 2017 13:01:35 +0300
+Subject: ovl: fix error value printed in ovl_lookup_index()
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit e0082a0f04c432cb6d7128ef60d8e425e45ce025 upstream.
+
+Fixes: 359f392ca53e ("ovl: lookup index entry for copy up origin")
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/namei.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/overlayfs/namei.c
++++ b/fs/overlayfs/namei.c
+@@ -506,6 +506,7 @@ static struct dentry *ovl_lookup_index(s
+
+ index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len);
+ if (IS_ERR(index)) {
++ err = PTR_ERR(index);
+ pr_warn_ratelimited("overlayfs: failed inode index lookup (ino=%lu, key=%*s, err=%i);\n"
+ "overlayfs: mount with '-o index=off' to disable inodes index.\n",
+ d_inode(origin)->i_ino, name.len, name.name,
--- /dev/null
+From 5820dc0888d302ac05f8b91ffdf7e4e53b4fbf53 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Mon, 25 Sep 2017 16:39:55 +0300
+Subject: ovl: fix missing unlock_rename() in ovl_do_copy_up()
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 5820dc0888d302ac05f8b91ffdf7e4e53b4fbf53 upstream.
+
+Use the ovl_lock_rename_workdir() helper which requires
+unlock_rename() only on lock success.
+
+Fixes: ("fd210b7d67ee ovl: move copy up lock out")
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/copy_up.c | 6 ++----
+ fs/overlayfs/dir.c | 20 --------------------
+ fs/overlayfs/overlayfs.h | 1 +
+ fs/overlayfs/util.c | 19 +++++++++++++++++++
+ 4 files changed, 22 insertions(+), 24 deletions(-)
+
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -561,10 +561,8 @@ static int ovl_do_copy_up(struct ovl_cop
+ c->tmpfile = true;
+ err = ovl_copy_up_locked(c);
+ } else {
+- err = -EIO;
+- if (lock_rename(c->workdir, c->destdir) != NULL) {
+- pr_err("overlayfs: failed to lock workdir+upperdir\n");
+- } else {
++ err = ovl_lock_rename_workdir(c->workdir, c->destdir);
++ if (!err) {
+ err = ovl_copy_up_locked(c);
+ unlock_rename(c->workdir, c->destdir);
+ }
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -216,26 +216,6 @@ out_unlock:
+ return err;
+ }
+
+-static int ovl_lock_rename_workdir(struct dentry *workdir,
+- struct dentry *upperdir)
+-{
+- /* Workdir should not be the same as upperdir */
+- if (workdir == upperdir)
+- goto err;
+-
+- /* Workdir should not be subdir of upperdir and vice versa */
+- if (lock_rename(workdir, upperdir) != NULL)
+- goto err_unlock;
+-
+- return 0;
+-
+-err_unlock:
+- unlock_rename(workdir, upperdir);
+-err:
+- pr_err("overlayfs: failed to lock workdir+upperdir\n");
+- return -EIO;
+-}
+-
+ static struct dentry *ovl_clear_empty(struct dentry *dentry,
+ struct list_head *list)
+ {
+--- a/fs/overlayfs/overlayfs.h
++++ b/fs/overlayfs/overlayfs.h
+@@ -234,6 +234,7 @@ bool ovl_inuse_trylock(struct dentry *de
+ void ovl_inuse_unlock(struct dentry *dentry);
+ int ovl_nlink_start(struct dentry *dentry, bool *locked);
+ void ovl_nlink_end(struct dentry *dentry, bool locked);
++int ovl_lock_rename_workdir(struct dentry *workdir, struct dentry *upperdir);
+
+ static inline bool ovl_is_impuredir(struct dentry *dentry)
+ {
+--- a/fs/overlayfs/util.c
++++ b/fs/overlayfs/util.c
+@@ -548,3 +548,22 @@ void ovl_nlink_end(struct dentry *dentry
+ mutex_unlock(&OVL_I(d_inode(dentry))->lock);
+ }
+ }
++
++int ovl_lock_rename_workdir(struct dentry *workdir, struct dentry *upperdir)
++{
++ /* Workdir should not be the same as upperdir */
++ if (workdir == upperdir)
++ goto err;
++
++ /* Workdir should not be subdir of upperdir and vice versa */
++ if (lock_rename(workdir, upperdir) != NULL)
++ goto err_unlock;
++
++ return 0;
++
++err_unlock:
++ unlock_rename(workdir, upperdir);
++err:
++ pr_err("overlayfs: failed to lock workdir+upperdir\n");
++ return -EIO;
++}
--- /dev/null
+From 85fdee1eef1a9e48ad5716916677e0c5fbc781e3 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Fri, 29 Sep 2017 10:21:21 +0300
+Subject: ovl: fix regression caused by exclusive upper/work dir protection
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 85fdee1eef1a9e48ad5716916677e0c5fbc781e3 upstream.
+
+Enforcing exclusive ownership on upper/work dirs caused a docker
+regression: https://github.com/moby/moby/issues/34672.
+
+Euan spotted the regression and pointed to the offending commit.
+Vivek has brought the regression to my attention and provided this
+reproducer:
+
+Terminal 1:
+
+ mount -t overlay -o workdir=work,lowerdir=lower,upperdir=upper none
+ merged/
+
+Terminal 2:
+
+ unshare -m
+
+Terminal 1:
+
+ umount merged
+ mount -t overlay -o workdir=work,lowerdir=lower,upperdir=upper none
+ merged/
+ mount: /root/overlay-testing/merged: none already mounted or mount point
+ busy
+
+To fix the regression, I replaced the error with an alarming warning.
+With index feature enabled, mount does fail, but logs a suggestion to
+override exclusive dir protection by disabling index.
+Note that index=off mount does take the inuse locks, so a concurrent
+index=off will issue the warning and a concurrent index=on mount will fail.
+
+Documentation was updated to reflect this change.
+
+Fixes: 2cac0c00a6cd ("ovl: get exclusive ownership on upper/work dirs")
+Reported-by: Euan Kemp <euank@euank.com>
+Reported-by: Vivek Goyal <vgoyal@redhat.com>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/filesystems/overlayfs.txt | 5 ++++-
+ fs/overlayfs/ovl_entry.h | 3 +++
+ fs/overlayfs/super.c | 27 +++++++++++++++++++--------
+ 3 files changed, 26 insertions(+), 9 deletions(-)
+
+--- a/Documentation/filesystems/overlayfs.txt
++++ b/Documentation/filesystems/overlayfs.txt
+@@ -210,8 +210,11 @@ path as another overlay mount and it may
+ beneath or above the path of another overlay lower layer path.
+
+ Using an upper layer path and/or a workdir path that are already used by
+-another overlay mount is not allowed and will fail with EBUSY. Using
++another overlay mount is not allowed and may fail with EBUSY. Using
+ partially overlapping paths is not allowed but will not fail with EBUSY.
++If files are accessed from two overlayfs mounts which share or overlap the
++upper layer and/or workdir path the behavior of the overlay is undefined,
++though it will not result in a crash or deadlock.
+
+ Mounting an overlay using an upper layer path, where the upper layer path
+ was previously used by another mounted overlay in combination with a
+--- a/fs/overlayfs/ovl_entry.h
++++ b/fs/overlayfs/ovl_entry.h
+@@ -37,6 +37,9 @@ struct ovl_fs {
+ bool noxattr;
+ /* sb common to all layers */
+ struct super_block *same_sb;
++ /* Did we take the inuse lock? */
++ bool upperdir_locked;
++ bool workdir_locked;
+ };
+
+ /* private information held for every overlayfs dentry */
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -210,9 +210,10 @@ static void ovl_put_super(struct super_b
+
+ dput(ufs->indexdir);
+ dput(ufs->workdir);
+- ovl_inuse_unlock(ufs->workbasedir);
++ if (ufs->workdir_locked)
++ ovl_inuse_unlock(ufs->workbasedir);
+ dput(ufs->workbasedir);
+- if (ufs->upper_mnt)
++ if (ufs->upper_mnt && ufs->upperdir_locked)
+ ovl_inuse_unlock(ufs->upper_mnt->mnt_root);
+ mntput(ufs->upper_mnt);
+ for (i = 0; i < ufs->numlower; i++)
+@@ -880,9 +881,13 @@ static int ovl_fill_super(struct super_b
+ goto out_put_upperpath;
+
+ err = -EBUSY;
+- if (!ovl_inuse_trylock(upperpath.dentry)) {
+- pr_err("overlayfs: upperdir is in-use by another mount\n");
++ if (ovl_inuse_trylock(upperpath.dentry)) {
++ ufs->upperdir_locked = true;
++ } else if (ufs->config.index) {
++ pr_err("overlayfs: upperdir is in-use by another mount, mount with '-o index=off' to override exclusive upperdir protection.\n");
+ goto out_put_upperpath;
++ } else {
++ pr_warn("overlayfs: upperdir is in-use by another mount, accessing files from both mounts will result in undefined behavior.\n");
+ }
+
+ err = ovl_mount_dir(ufs->config.workdir, &workpath);
+@@ -900,9 +905,13 @@ static int ovl_fill_super(struct super_b
+ }
+
+ err = -EBUSY;
+- if (!ovl_inuse_trylock(workpath.dentry)) {
+- pr_err("overlayfs: workdir is in-use by another mount\n");
++ if (ovl_inuse_trylock(workpath.dentry)) {
++ ufs->workdir_locked = true;
++ } else if (ufs->config.index) {
++ pr_err("overlayfs: workdir is in-use by another mount, mount with '-o index=off' to override exclusive workdir protection.\n");
+ goto out_put_workpath;
++ } else {
++ pr_warn("overlayfs: workdir is in-use by another mount, accessing files from both mounts will result in undefined behavior.\n");
+ }
+
+ ufs->workbasedir = workpath.dentry;
+@@ -1155,11 +1164,13 @@ out_put_lowerpath:
+ out_free_lowertmp:
+ kfree(lowertmp);
+ out_unlock_workdentry:
+- ovl_inuse_unlock(workpath.dentry);
++ if (ufs->workdir_locked)
++ ovl_inuse_unlock(workpath.dentry);
+ out_put_workpath:
+ path_put(&workpath);
+ out_unlock_upperdentry:
+- ovl_inuse_unlock(upperpath.dentry);
++ if (ufs->upperdir_locked)
++ ovl_inuse_unlock(upperpath.dentry);
+ out_put_upperpath:
+ path_put(&upperpath);
+ out_free_config:
--- /dev/null
+From 6098d7ddd62f532f80ee2a4b01aca500a8e4e9e4 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 22 Sep 2017 23:29:18 +0200
+Subject: rocker: fix rocker_tlv_put_* functions for KASAN
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 6098d7ddd62f532f80ee2a4b01aca500a8e4e9e4 upstream.
+
+Inlining these functions creates lots of stack variables that each take
+64 bytes when KASAN is enabled, leading to this warning about potential
+stack overflow:
+
+drivers/net/ethernet/rocker/rocker_ofdpa.c: In function 'ofdpa_cmd_flow_tbl_add':
+drivers/net/ethernet/rocker/rocker_ofdpa.c:621:1: error: the frame size of 2752 bytes is larger than 1536 bytes [-Werror=frame-larger-than=]
+
+gcc-8 can now consolidate the stack slots itself, but on older versions
+we get the same behavior by using a temporary variable that holds a
+copy of the inline function argument.
+
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/rocker/rocker_tlv.h | 48 +++++++++++++++++++------------
+ 1 file changed, 30 insertions(+), 18 deletions(-)
+
+--- a/drivers/net/ethernet/rocker/rocker_tlv.h
++++ b/drivers/net/ethernet/rocker/rocker_tlv.h
+@@ -139,40 +139,52 @@ rocker_tlv_start(struct rocker_desc_info
+ int rocker_tlv_put(struct rocker_desc_info *desc_info,
+ int attrtype, int attrlen, const void *data);
+
+-static inline int rocker_tlv_put_u8(struct rocker_desc_info *desc_info,
+- int attrtype, u8 value)
++static inline int
++rocker_tlv_put_u8(struct rocker_desc_info *desc_info, int attrtype, u8 value)
+ {
+- return rocker_tlv_put(desc_info, attrtype, sizeof(u8), &value);
++ u8 tmp = value; /* work around GCC PR81715 */
++
++ return rocker_tlv_put(desc_info, attrtype, sizeof(u8), &tmp);
+ }
+
+-static inline int rocker_tlv_put_u16(struct rocker_desc_info *desc_info,
+- int attrtype, u16 value)
++static inline int
++rocker_tlv_put_u16(struct rocker_desc_info *desc_info, int attrtype, u16 value)
+ {
+- return rocker_tlv_put(desc_info, attrtype, sizeof(u16), &value);
++ u16 tmp = value;
++
++ return rocker_tlv_put(desc_info, attrtype, sizeof(u16), &tmp);
+ }
+
+-static inline int rocker_tlv_put_be16(struct rocker_desc_info *desc_info,
+- int attrtype, __be16 value)
++static inline int
++rocker_tlv_put_be16(struct rocker_desc_info *desc_info, int attrtype, __be16 value)
+ {
+- return rocker_tlv_put(desc_info, attrtype, sizeof(__be16), &value);
++ __be16 tmp = value;
++
++ return rocker_tlv_put(desc_info, attrtype, sizeof(__be16), &tmp);
+ }
+
+-static inline int rocker_tlv_put_u32(struct rocker_desc_info *desc_info,
+- int attrtype, u32 value)
++static inline int
++rocker_tlv_put_u32(struct rocker_desc_info *desc_info, int attrtype, u32 value)
+ {
+- return rocker_tlv_put(desc_info, attrtype, sizeof(u32), &value);
++ u32 tmp = value;
++
++ return rocker_tlv_put(desc_info, attrtype, sizeof(u32), &tmp);
+ }
+
+-static inline int rocker_tlv_put_be32(struct rocker_desc_info *desc_info,
+- int attrtype, __be32 value)
++static inline int
++rocker_tlv_put_be32(struct rocker_desc_info *desc_info, int attrtype, __be32 value)
+ {
+- return rocker_tlv_put(desc_info, attrtype, sizeof(__be32), &value);
++ __be32 tmp = value;
++
++ return rocker_tlv_put(desc_info, attrtype, sizeof(__be32), &tmp);
+ }
+
+-static inline int rocker_tlv_put_u64(struct rocker_desc_info *desc_info,
+- int attrtype, u64 value)
++static inline int
++rocker_tlv_put_u64(struct rocker_desc_info *desc_info, int attrtype, u64 value)
+ {
+- return rocker_tlv_put(desc_info, attrtype, sizeof(u64), &value);
++ u64 tmp = value;
++
++ return rocker_tlv_put(desc_info, attrtype, sizeof(u64), &tmp);
+ }
+
+ static inline struct rocker_tlv *
powerpc-64s-use-emergency-stack-for-kernel-tm-bad-thing-program-checks.patch
powerpc-tm-fix-illegal-tm-state-in-signal-handler.patch
percpu-make-this_cpu_generic_read-atomic-w.r.t.-interrupts.patch
+intel_th-pci-add-cedar-fork-pch-support.patch
+intel_th-pci-add-lewisburg-pch-support.patch
+driver-core-platform-don-t-read-past-the-end-of-driver_override-buffer.patch
+cgroup-reinit-cgroup_taskset-structure-before-cgroup_migrate_execute-returns.patch
+drivers-hv-fcopy-restore-correct-transfer-length.patch
+vmbus-don-t-acquire-the-mutex-in-vmbus_hvsock_device_unregister.patch
+stm-class-fix-a-use-after-free.patch
+auxdisplay-charlcd-properly-restore-atomic-counter-on-error-path.patch
+ftrace-fix-kmemleak-in-unregister_ftrace_graph.patch
+ovl-fix-error-value-printed-in-ovl_lookup_index.patch
+ovl-fix-dput-of-err_ptr-in-ovl_cleanup_index.patch
+ovl-fix-dentry-leak-in-ovl_indexdir_cleanup.patch
+ovl-fix-missing-unlock_rename-in-ovl_do_copy_up.patch
+ovl-fix-regression-caused-by-exclusive-upper-work-dir-protection.patch
+arm64-dt-marvell-fix-ap806-system-controller-size.patch
+arm64-ensure-the-instruction-emulation-is-ready-for-userspace.patch
+hid-rmi-make-sure-the-hid-device-is-opened-on-resume.patch
+hid-i2c-hid-allocate-hid-buffers-for-real-worst-case.patch
+hid-wacom-leds-don-t-try-to-control-the-ekr-s-read-only-leds.patch
+hid-wacom-properly-report-negative-values-from-intuos-pro-2-bluetooth.patch
+hid-wacom-correct-coordinate-system-of-touchring-and-pen-twist.patch
+hid-wacom-generic-send-msc_serial-and-abs_misc-when-leaving-prox.patch
+hid-wacom-generic-clear-abs_misc-when-tool-leaves-proximity.patch
+hid-wacom-always-increment-hdev-refcount-within-wacom_get_hdev_data.patch
+hid-wacom-bits-shifted-too-much-for-9th-and-10th-buttons.patch
+btrfs-avoid-overflow-when-sector_t-is-32-bit.patch
+btrfs-fix-overlap-of-fs_info-flags-values.patch
+rocker-fix-rocker_tlv_put_-functions-for-kasan.patch
+netlink-fix-nla_put_-u8-u16-u32-for-kasan.patch
--- /dev/null
+From fd085bb1766d6a598f53af2308374a546a49775a Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Tue, 19 Sep 2017 18:47:40 +0300
+Subject: stm class: Fix a use-after-free
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit fd085bb1766d6a598f53af2308374a546a49775a upstream.
+
+For reasons unknown, the stm_source removal path uses device_destroy()
+to kill the underlying device object. Because device_destroy() uses
+devt to look for the device to destroy and the fact that stm_source
+devices don't have one (or all have the same one), it just picks the
+first device in the class, which may well be the wrong one.
+
+That is, loading stm_console and stm_heartbeat and then removing both
+will die in dereferencing a freed object.
+
+Since this should have been device_unregister() in the first place,
+use it instead of device_destroy().
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: 7bd1d4093c2 ("stm class: Introduce an abstraction for System Trace Module devices")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/stm/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -1119,7 +1119,7 @@ void stm_source_unregister_device(struct
+
+ stm_source_link_drop(src);
+
+- device_destroy(&stm_source_class, src->dev.devt);
++ device_unregister(&src->dev);
+ }
+ EXPORT_SYMBOL_GPL(stm_source_unregister_device);
+
--- /dev/null
+From 33c150c2ee4a65a59190a124b45d05b1abf9478e Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Thu, 21 Sep 2017 23:41:47 -0700
+Subject: vmbus: don't acquire the mutex in vmbus_hvsock_device_unregister()
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 33c150c2ee4a65a59190a124b45d05b1abf9478e upstream.
+
+Due to commit 54a66265d675 ("Drivers: hv: vmbus: Fix rescind handling"),
+we need this patch to resolve the below deadlock:
+
+after we get the mutex in vmbus_hvsock_device_unregister() and call
+vmbus_device_unregister() -> device_unregister() -> ... -> device_release()
+-> vmbus_device_release(), we'll get a deadlock, because
+vmbus_device_release() tries to get the same mutex.
+
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Cc: K. Y. Srinivasan <kys@microsoft.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/channel_mgmt.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -922,14 +922,10 @@ static void vmbus_onoffer_rescind(struct
+
+ void vmbus_hvsock_device_unregister(struct vmbus_channel *channel)
+ {
+- mutex_lock(&vmbus_connection.channel_mutex);
+-
+ BUG_ON(!is_hvsock_channel(channel));
+
+ channel->rescind = true;
+ vmbus_device_unregister(channel->device_obj);
+-
+- mutex_unlock(&vmbus_connection.channel_mutex);
+ }
+ EXPORT_SYMBOL_GPL(vmbus_hvsock_device_unregister);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
