--- /dev/null
+From 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 9 Nov 2018 11:59:45 +0100
+Subject: ALSA: oss: Use kvzalloc() for local buffer allocations
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 upstream.
+
+PCM OSS layer may allocate a few temporary buffers, one for the core
+read/write and another for the conversions via plugins. Currently
+both are allocated via vmalloc(). But as the allocation size is
+equivalent with the PCM period size, the required size might be quite
+small, depending on the application.
+
+This patch replaces these vmalloc() calls with kvzalloc() for covering
+small period sizes better. Also, we use "z"-alloc variant here for
+addressing the possible uninitialized access reported by syzkaller.
+
+Reported-by: syzbot+1cb36954e127c98dd037@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/oss/pcm_oss.c | 6 +++---
+ sound/core/oss/pcm_plugin.c | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -1073,8 +1073,8 @@ static int snd_pcm_oss_change_params_loc
+ runtime->oss.channels = params_channels(params);
+ runtime->oss.rate = params_rate(params);
+
+- vfree(runtime->oss.buffer);
+- runtime->oss.buffer = vmalloc(runtime->oss.period_bytes);
++ kvfree(runtime->oss.buffer);
++ runtime->oss.buffer = kvzalloc(runtime->oss.period_bytes, GFP_KERNEL);
+ if (!runtime->oss.buffer) {
+ err = -ENOMEM;
+ goto failure;
+@@ -2380,7 +2380,7 @@ static void snd_pcm_oss_release_substrea
+ {
+ struct snd_pcm_runtime *runtime;
+ runtime = substream->runtime;
+- vfree(runtime->oss.buffer);
++ kvfree(runtime->oss.buffer);
+ runtime->oss.buffer = NULL;
+ #ifdef CONFIG_SND_PCM_OSS_PLUGINS
+ snd_pcm_oss_plugin_clear(substream);
+--- a/sound/core/oss/pcm_plugin.c
++++ b/sound/core/oss/pcm_plugin.c
+@@ -66,8 +66,8 @@ static int snd_pcm_plugin_alloc(struct s
+ return -ENXIO;
+ size /= 8;
+ if (plugin->buf_frames < frames) {
+- vfree(plugin->buf);
+- plugin->buf = vmalloc(size);
++ kvfree(plugin->buf);
++ plugin->buf = kvzalloc(size, GFP_KERNEL);
+ plugin->buf_frames = frames;
+ }
+ if (!plugin->buf) {
+@@ -191,7 +191,7 @@ int snd_pcm_plugin_free(struct snd_pcm_p
+ if (plugin->private_free)
+ plugin->private_free(plugin);
+ kfree(plugin->buf_channels);
+- vfree(plugin->buf);
++ kvfree(plugin->buf);
+ kfree(plugin);
+ return 0;
+ }
--- /dev/null
+From 9f2df09a33aa2c76ce6385d382693f98d7f2f07e Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 2 Nov 2018 15:48:42 -0700
+Subject: bfs: add sanity check at bfs_fill_super()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 9f2df09a33aa2c76ce6385d382693f98d7f2f07e upstream.
+
+syzbot is reporting too large memory allocation at bfs_fill_super() [1].
+Since file system image is corrupted such that bfs_sb->s_start == 0,
+bfs_fill_super() is trying to allocate 8MB of continuous memory. Fix
+this by adding a sanity check on bfs_sb->s_start, __GFP_NOWARN and
+printf().
+
+[1] https://syzkaller.appspot.com/bug?id=16a87c236b951351374a84c8a32f40edbc034e96
+
+Link: http://lkml.kernel.org/r/1525862104-3407-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+71c6b5d68e91149fc8a4@syzkaller.appspotmail.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Tigran Aivazian <aivazian.tigran@gmail.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/bfs/inode.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/fs/bfs/inode.c
++++ b/fs/bfs/inode.c
+@@ -350,7 +350,8 @@ static int bfs_fill_super(struct super_b
+
+ s->s_magic = BFS_MAGIC;
+
+- if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end)) {
++ if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end) ||
++ le32_to_cpu(bfs_sb->s_start) < BFS_BSIZE) {
+ printf("Superblock is corrupted\n");
+ goto out1;
+ }
+@@ -359,9 +360,11 @@ static int bfs_fill_super(struct super_b
+ sizeof(struct bfs_inode)
+ + BFS_ROOT_INO - 1;
+ imap_len = (info->si_lasti / 8) + 1;
+- info->si_imap = kzalloc(imap_len, GFP_KERNEL);
+- if (!info->si_imap)
++ info->si_imap = kzalloc(imap_len, GFP_KERNEL | __GFP_NOWARN);
++ if (!info->si_imap) {
++ printf("Cannot allocate %u bytes\n", imap_len);
+ goto out1;
++ }
+ for (i = 0; i < BFS_ROOT_INO; i++)
+ set_bit(i, info->si_imap);
+
--- /dev/null
+From d1fe6ad6f6bd61c84788d3a7b11e459a439c6169 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Thu, 8 Nov 2018 16:08:29 +0100
+Subject: brcmfmac: fix reporting support for 160 MHz channels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+commit d1fe6ad6f6bd61c84788d3a7b11e459a439c6169 upstream.
+
+Driver can report IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ so it's
+important to provide valid & complete info about supported bands for
+each channel. By default no support for 160 MHz should be assumed unless
+firmware reports it for a given channel later.
+
+This fixes info passed to the userspace. Without that change userspace
+could try to use invalid channel and fail to start an interface.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Cc: stable@vger.kernel.org
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -5990,7 +5990,8 @@ static int brcmf_construct_chaninfo(stru
+ * for subsequent chanspecs.
+ */
+ channel->flags = IEEE80211_CHAN_NO_HT40 |
+- IEEE80211_CHAN_NO_80MHZ;
++ IEEE80211_CHAN_NO_80MHZ |
++ IEEE80211_CHAN_NO_160MHZ;
+ ch.bw = BRCMU_CHAN_BW_20;
+ cfg->d11inf.encchspec(&ch);
+ chaninfo = ch.chspec;
--- /dev/null
+From e7a6994d043a1e31d5b17706a22ce33d2a3e4cdc Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Wed, 31 Oct 2018 14:05:26 +0100
+Subject: can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb is accessed out of bounds
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit e7a6994d043a1e31d5b17706a22ce33d2a3e4cdc upstream.
+
+If the "struct can_priv::echo_skb" is accessed out of bounds would lead
+to a kernel crash. Better print a sensible warning message instead and
+try to recover.
+
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -457,7 +457,11 @@ struct sk_buff *__can_get_echo_skb(struc
+ {
+ struct can_priv *priv = netdev_priv(dev);
+
+- BUG_ON(idx >= priv->echo_skb_max);
++ if (idx >= priv->echo_skb_max) {
++ netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n",
++ __func__, idx, priv->echo_skb_max);
++ return NULL;
++ }
+
+ if (priv->echo_skb[idx]) {
+ /* Using "struct canfd_frame::len" for the frame
--- /dev/null
+From 7da11ba5c5066dadc2e96835a6233d56d7b7764a Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Wed, 31 Oct 2018 14:15:13 +0100
+Subject: can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 7da11ba5c5066dadc2e96835a6233d56d7b7764a upstream.
+
+Prior to echoing a successfully transmitted CAN frame (by calling
+can_get_echo_skb()), CAN drivers have to put the CAN frame (by calling
+can_put_echo_skb() in the transmit function). These put and get function
+take an index as parameter, which is used to identify the CAN frame.
+
+A driver calling can_get_echo_skb() with a index not pointing to a skb
+is a BUG, so add an appropriate error message.
+
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -456,6 +456,8 @@ EXPORT_SYMBOL_GPL(can_put_echo_skb);
+ struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr)
+ {
+ struct can_priv *priv = netdev_priv(dev);
++ struct sk_buff *skb = priv->echo_skb[idx];
++ struct canfd_frame *cf;
+
+ if (idx >= priv->echo_skb_max) {
+ netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n",
+@@ -463,21 +465,20 @@ struct sk_buff *__can_get_echo_skb(struc
+ return NULL;
+ }
+
+- if (priv->echo_skb[idx]) {
+- /* Using "struct canfd_frame::len" for the frame
+- * length is supported on both CAN and CANFD frames.
+- */
+- struct sk_buff *skb = priv->echo_skb[idx];
+- struct canfd_frame *cf = (struct canfd_frame *)skb->data;
+- u8 len = cf->len;
+-
+- *len_ptr = len;
+- priv->echo_skb[idx] = NULL;
+-
+- return skb;
++ if (!skb) {
++ netdev_err(dev, "%s: BUG! Trying to echo non existing skb: can_priv::echo_skb[%u]\n",
++ __func__, idx);
++ return NULL;
+ }
+
+- return NULL;
++ /* Using "struct canfd_frame::len" for the frame
++ * length is supported on both CAN and CANFD frames.
++ */
++ cf = (struct canfd_frame *)skb->data;
++ *len_ptr = cf->len;
++ priv->echo_skb[idx] = NULL;
++
++ return skb;
+ }
+
+ /*
--- /dev/null
+From 200f5c49f7a2cd694436bfc6cb0662b794c96736 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Wed, 31 Oct 2018 11:08:21 +0100
+Subject: can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 200f5c49f7a2cd694436bfc6cb0662b794c96736 upstream.
+
+This patch replaces the use of "struct can_frame::can_dlc" by "struct
+canfd_frame::len" to access the frame's length. As it is ensured that
+both structures have a compatible memory layout for this member this is
+no functional change. Futher, this compatibility is documented in a
+comment.
+
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -460,11 +460,14 @@ struct sk_buff *__can_get_echo_skb(struc
+ BUG_ON(idx >= priv->echo_skb_max);
+
+ if (priv->echo_skb[idx]) {
++ /* Using "struct canfd_frame::len" for the frame
++ * length is supported on both CAN and CANFD frames.
++ */
+ struct sk_buff *skb = priv->echo_skb[idx];
+- struct can_frame *cf = (struct can_frame *)skb->data;
+- u8 dlc = cf->can_dlc;
++ struct canfd_frame *cf = (struct canfd_frame *)skb->data;
++ u8 len = cf->len;
+
+- *len_ptr = dlc;
++ *len_ptr = len;
+ priv->echo_skb[idx] = NULL;
+
+ return skb;
--- /dev/null
+From a4310fa2f24687888ce80fdb0e88583561a23700 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Wed, 31 Oct 2018 10:37:46 +0100
+Subject: can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb()
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit a4310fa2f24687888ce80fdb0e88583561a23700 upstream.
+
+This patch factors out all non sending parts of can_get_echo_skb() into
+a seperate function __can_get_echo_skb(), so that it can be re-used in
+an upcoming patch.
+
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c | 36 +++++++++++++++++++++++++-----------
+ include/linux/can/dev.h | 1 +
+ 2 files changed, 26 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -453,14 +453,7 @@ void can_put_echo_skb(struct sk_buff *sk
+ }
+ EXPORT_SYMBOL_GPL(can_put_echo_skb);
+
+-/*
+- * Get the skb from the stack and loop it back locally
+- *
+- * The function is typically called when the TX done interrupt
+- * is handled in the device driver. The driver must protect
+- * access to priv->echo_skb, if necessary.
+- */
+-unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx)
++struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr)
+ {
+ struct can_priv *priv = netdev_priv(dev);
+
+@@ -471,13 +464,34 @@ unsigned int can_get_echo_skb(struct net
+ struct can_frame *cf = (struct can_frame *)skb->data;
+ u8 dlc = cf->can_dlc;
+
+- netif_rx(priv->echo_skb[idx]);
++ *len_ptr = dlc;
+ priv->echo_skb[idx] = NULL;
+
+- return dlc;
++ return skb;
+ }
+
+- return 0;
++ return NULL;
++}
++
++/*
++ * Get the skb from the stack and loop it back locally
++ *
++ * The function is typically called when the TX done interrupt
++ * is handled in the device driver. The driver must protect
++ * access to priv->echo_skb, if necessary.
++ */
++unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx)
++{
++ struct sk_buff *skb;
++ u8 len;
++
++ skb = __can_get_echo_skb(dev, idx, &len);
++ if (!skb)
++ return 0;
++
++ netif_rx(skb);
++
++ return len;
+ }
+ EXPORT_SYMBOL_GPL(can_get_echo_skb);
+
+--- a/include/linux/can/dev.h
++++ b/include/linux/can/dev.h
+@@ -154,6 +154,7 @@ void can_change_state(struct net_device
+
+ void can_put_echo_skb(struct sk_buff *skb, struct net_device *dev,
+ unsigned int idx);
++struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr);
+ unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx);
+ void can_free_echo_skb(struct net_device *dev, unsigned int idx);
+
--- /dev/null
+From 1a37bd823891568f8721989aed0615835632d81a Mon Sep 17 00:00:00 2001
+From: "Y.C. Chen" <yc_chen@aspeedtech.com>
+Date: Wed, 3 Oct 2018 14:57:47 +0800
+Subject: drm/ast: change resolution may cause screen blurred
+
+From: Y.C. Chen <yc_chen@aspeedtech.com>
+
+commit 1a37bd823891568f8721989aed0615835632d81a upstream.
+
+The value of pitches is not correct while calling mode_set.
+The issue we found so far on following system:
+- Debian8 with XFCE Desktop
+- Ubuntu with KDE Desktop
+- SUSE15 with KDE Desktop
+
+Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
+Cc: <stable@vger.kernel.org>
+Tested-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ast/ast_mode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/ast/ast_mode.c
++++ b/drivers/gpu/drm/ast/ast_mode.c
+@@ -545,6 +545,7 @@ static int ast_crtc_do_set_base(struct d
+ }
+ ast_bo_unreserve(bo);
+
++ ast_set_offset_reg(crtc);
+ ast_set_start_address_crt1(crtc, (u32)gpu_addr);
+
+ return 0;
--- /dev/null
+From 7989b9ee8bafe5cc625381dd0c3c4586de27ca26 Mon Sep 17 00:00:00 2001
+From: "Y.C. Chen" <yc_chen@aspeedtech.com>
+Date: Tue, 30 Oct 2018 11:34:46 +0800
+Subject: drm/ast: fixed cursor may disappear sometimes
+
+From: Y.C. Chen <yc_chen@aspeedtech.com>
+
+commit 7989b9ee8bafe5cc625381dd0c3c4586de27ca26 upstream.
+
+Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ast/ast_mode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ast/ast_mode.c
++++ b/drivers/gpu/drm/ast/ast_mode.c
+@@ -1236,7 +1236,7 @@ static int ast_cursor_move(struct drm_cr
+ ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xc7, ((y >> 8) & 0x07));
+
+ /* dummy write to fire HWC */
+- ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xCB, 0xFF, 0x00);
++ ast_show_cursor(crtc);
+
+ return 0;
+ }
--- /dev/null
+From 5478ad10e7850ce3d8b7056db05ddfa3c9ddad9a Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Thu, 15 Nov 2018 11:42:16 +0100
+Subject: drm/ast: Remove existing framebuffers before loading driver
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit 5478ad10e7850ce3d8b7056db05ddfa3c9ddad9a upstream.
+
+If vesafb attaches to the AST device, it configures the framebuffer memory
+for uncached access by default. When ast.ko later tries to attach itself to
+the device, it wants to use write-combining on the framebuffer memory, but
+vesefb's existing configuration for uncached access takes precedence. This
+results in reduced performance.
+
+Removing the framebuffer's configuration before loding the AST driver fixes
+the problem. Other DRM drivers already contain equivalent code.
+
+Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1112963
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: <stable@vger.kernel.org>
+Tested-by: Y.C. Chen <yc_chen@aspeedtech.com>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Tested-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ast/ast_drv.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/drivers/gpu/drm/ast/ast_drv.c
++++ b/drivers/gpu/drm/ast/ast_drv.c
+@@ -60,8 +60,29 @@ static const struct pci_device_id pciidl
+
+ MODULE_DEVICE_TABLE(pci, pciidlist);
+
++static void ast_kick_out_firmware_fb(struct pci_dev *pdev)
++{
++ struct apertures_struct *ap;
++ bool primary = false;
++
++ ap = alloc_apertures(1);
++ if (!ap)
++ return;
++
++ ap->ranges[0].base = pci_resource_start(pdev, 0);
++ ap->ranges[0].size = pci_resource_len(pdev, 0);
++
++#ifdef CONFIG_X86
++ primary = pdev->resource[PCI_ROM_RESOURCE].flags & IORESOURCE_ROM_SHADOW;
++#endif
++ drm_fb_helper_remove_conflicting_framebuffers(ap, "astdrmfb", primary);
++ kfree(ap);
++}
++
+ static int ast_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ {
++ ast_kick_out_firmware_fb(pdev);
++
+ return drm_get_pci_dev(pdev, ent, &driver);
+ }
+
--- /dev/null
+From 4c62bd9cea7bcf10292f7e4c57a2bca332942697 Mon Sep 17 00:00:00 2001
+From: Andrew Price <anprice@redhat.com>
+Date: Mon, 8 Oct 2018 07:52:43 -0500
+Subject: gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd
+
+From: Andrew Price <anprice@redhat.com>
+
+commit 4c62bd9cea7bcf10292f7e4c57a2bca332942697 upstream.
+
+When alloc_percpu() fails, sdp gets freed but sb->s_fs_info still points
+to the same address. Move the assignment after that error check so that
+s_fs_info can only point to a valid sdp or NULL, which is checked for
+later in the error path, in gfs2_kill_super().
+
+Reported-by: syzbot+dcb8b3587445007f5808@syzkaller.appspotmail.com
+Signed-off-by: Andrew Price <anprice@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/ops_fstype.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/gfs2/ops_fstype.c
++++ b/fs/gfs2/ops_fstype.c
+@@ -71,13 +71,13 @@ static struct gfs2_sbd *init_sbd(struct
+ if (!sdp)
+ return NULL;
+
+- sb->s_fs_info = sdp;
+ sdp->sd_vfs = sb;
+ sdp->sd_lkstats = alloc_percpu(struct gfs2_pcpu_lkstats);
+ if (!sdp->sd_lkstats) {
+ kfree(sdp);
+ return NULL;
+ }
++ sb->s_fs_info = sdp;
+
+ set_bit(SDF_NOJOURNALID, &sdp->sd_flags);
+ gfs2_tune_init(&sdp->sd_tune);
--- /dev/null
+From a05a14049999598a3bb6fab12db6b768a0215522 Mon Sep 17 00:00:00 2001
+From: Vladimir Zapolskiy <vz@mleia.com>
+Date: Fri, 2 Nov 2018 15:39:43 +0200
+Subject: gpio: don't free unallocated ida on gpiochip_add_data_with_key() error path
+
+From: Vladimir Zapolskiy <vz@mleia.com>
+
+commit a05a14049999598a3bb6fab12db6b768a0215522 upstream.
+
+The change corrects the error path in gpiochip_add_data_with_key()
+by avoiding to call ida_simple_remove(), if ida_simple_get() returns
+an error.
+
+Note that ida_simple_remove()/ida_free() throws a BUG(), if id argument
+is negative, it allows to easily check the correctness of the fix by
+fuzzing the return value from ida_simple_get().
+
+Fixes: ff2b13592299 ("gpio: make the gpiochip a real device")
+Cc: stable@vger.kernel.org # v4.6+
+Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -1153,7 +1153,7 @@ int gpiochip_add_data(struct gpio_chip *
+ gdev->descs = kcalloc(chip->ngpio, sizeof(gdev->descs[0]), GFP_KERNEL);
+ if (!gdev->descs) {
+ status = -ENOMEM;
+- goto err_free_gdev;
++ goto err_free_ida;
+ }
+
+ if (chip->ngpio == 0) {
+@@ -1285,8 +1285,9 @@ err_free_label:
+ kfree(gdev->label);
+ err_free_descs:
+ kfree(gdev->descs);
+-err_free_gdev:
++err_free_ida:
+ ida_simple_remove(&gpio_ida, gdev->id);
++err_free_gdev:
+ /* failures here can mean systems won't boot... */
+ pr_err("%s: GPIOs %d..%d (%s) failed to register\n", __func__,
+ gdev->base, gdev->base + gdev->ngpio - 1,
--- /dev/null
+From 82715ac71e6b94a2c2136e31f3a8e6748e33aa8c Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Wed, 3 Oct 2018 11:16:54 +0300
+Subject: iwlwifi: mvm: fix regulatory domain update when the firmware starts
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 82715ac71e6b94a2c2136e31f3a8e6748e33aa8c upstream.
+
+When the firmware starts, it doesn't have any regulatory
+information, hence it uses the world wide limitations. The
+driver can feed the firmware with previous knowledge that
+was kept in the driver, but the firmware may still not
+update its internal tables.
+
+This happens when we start a BSS interface, and then the
+firmware can change the regulatory tables based on our
+location and it'll use more lenient, location specific
+rules. Then, if the firmware is shut down (when the
+interface is brought down), and then an AP interface is
+created, the firmware will forget the country specific
+rules.
+
+The host will think that we are in a certain country that
+may allow channels and will try to teach the firmware about
+our location, but the firmware may still not allow to drop
+the world wide limitations and apply country specific rules
+because it was just re-started.
+
+In this case, the firmware will reply with MCC_RESP_ILLEGAL
+to the MCC_UPDATE_CMD. In that case, iwlwifi needs to let
+the upper layers (cfg80211 / hostapd) know that the channel
+list they know about has been updated.
+
+This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201105
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 8 ++++++--
+ drivers/net/wireless/intel/iwlwifi/mvm/nvm.c | 5 ++---
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -327,8 +327,12 @@ struct ieee80211_regdomain *iwl_mvm_get_
+ goto out;
+ }
+
+- if (changed)
+- *changed = (resp->status == MCC_RESP_NEW_CHAN_PROFILE);
++ if (changed) {
++ u32 status = le32_to_cpu(resp->status);
++
++ *changed = (status == MCC_RESP_NEW_CHAN_PROFILE ||
++ status == MCC_RESP_ILLEGAL);
++ }
+
+ regd = iwl_parse_nvm_mcc_info(mvm->trans->dev, mvm->cfg,
+ __le32_to_cpu(resp->n_channels),
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
+@@ -739,9 +739,8 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm,
+ }
+
+ IWL_DEBUG_LAR(mvm,
+- "MCC response status: 0x%x. new MCC: 0x%x ('%c%c') change: %d n_chans: %d\n",
+- status, mcc, mcc >> 8, mcc & 0xff,
+- !!(status == MCC_RESP_NEW_CHAN_PROFILE), n_channels);
++ "MCC response status: 0x%x. new MCC: 0x%x ('%c%c') n_chans: %d\n",
++ status, mcc, mcc >> 8, mcc & 0xff, n_channels);
+
+ exit:
+ iwl_free_resp(&cmd);
--- /dev/null
+From ec484d03ef0df8d34086b95710e355a259cbe1f2 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Thu, 16 Aug 2018 13:25:48 +0300
+Subject: iwlwifi: mvm: support sta_statistics() even on older firmware
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit ec484d03ef0df8d34086b95710e355a259cbe1f2 upstream.
+
+The oldest firmware supported by iwlmvm do support getting
+the average beacon RSSI. Enable the sta_statistics() call
+from mac80211 even on older firmware versions.
+
+Fixes: 33cef9256342 ("iwlwifi: mvm: support beacon statistics for BSS client")
+Cc: stable@vger.kernel.org # 4.2+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -3976,10 +3976,6 @@ static void iwl_mvm_mac_sta_statistics(s
+ sinfo->filled |= BIT(NL80211_STA_INFO_SIGNAL_AVG);
+ }
+
+- if (!fw_has_capa(&mvm->fw->ucode_capa,
+- IWL_UCODE_TLV_CAPA_RADIO_BEACON_STATS))
+- return;
+-
+ /* if beacon filtering isn't on mac80211 does it anyway */
+ if (!(vif->driver_flags & IEEE80211_VIF_BEACON_FILTER))
+ return;
--- /dev/null
+From 604d415e2bd642b7e02c80e719e0396b9d4a77a6 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 22 Oct 2018 09:24:27 -0700
+Subject: llc: do not use sk_eat_skb()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 604d415e2bd642b7e02c80e719e0396b9d4a77a6 upstream.
+
+syzkaller triggered a use-after-free [1], caused by a combination of
+skb_get() in llc_conn_state_process() and usage of sk_eat_skb()
+
+sk_eat_skb() is assuming the skb about to be freed is only used by
+the current thread. TCP/DCCP stacks enforce this because current
+thread holds the socket lock.
+
+llc_conn_state_process() wants to make sure skb does not disappear,
+and holds a reference on the skb it manipulates. But as soon as this
+skb is added to socket receive queue, another thread can consume it.
+
+This means that llc must use regular skb_unlink() and kfree_skb()
+so that both producer and consumer can safely work on the same skb.
+
+[1]
+BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
+BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:43 [inline]
+BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:967 [inline]
+BUG: KASAN: use-after-free in kfree_skb+0xb7/0x580 net/core/skbuff.c:655
+Read of size 4 at addr ffff8801d1f6fba4 by task ksoftirqd/1/18
+
+CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.0-rc8+ #295
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c4/0x2b6 lib/dump_stack.c:113
+ print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
+ atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
+ refcount_read include/linux/refcount.h:43 [inline]
+ skb_unref include/linux/skbuff.h:967 [inline]
+ kfree_skb+0xb7/0x580 net/core/skbuff.c:655
+ llc_sap_state_process+0x9b/0x550 net/llc/llc_sap.c:224
+ llc_sap_rcv+0x156/0x1f0 net/llc/llc_sap.c:297
+ llc_sap_handler+0x65e/0xf80 net/llc/llc_sap.c:438
+ llc_rcv+0x79e/0xe20 net/llc/llc_input.c:208
+ __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913
+ __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023
+ process_backlog+0x218/0x6f0 net/core/dev.c:5829
+ napi_poll net/core/dev.c:6249 [inline]
+ net_rx_action+0x7c5/0x1950 net/core/dev.c:6315
+ __do_softirq+0x30c/0xb03 kernel/softirq.c:292
+ run_ksoftirqd+0x94/0x100 kernel/softirq.c:653
+ smpboot_thread_fn+0x68b/0xa00 kernel/smpboot.c:164
+ kthread+0x35a/0x420 kernel/kthread.c:246
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413
+
+Allocated by task 18:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
+ kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
+ kmem_cache_alloc_node+0x144/0x730 mm/slab.c:3644
+ __alloc_skb+0x119/0x770 net/core/skbuff.c:193
+ alloc_skb include/linux/skbuff.h:995 [inline]
+ llc_alloc_frame+0xbc/0x370 net/llc/llc_sap.c:54
+ llc_station_ac_send_xid_r net/llc/llc_station.c:52 [inline]
+ llc_station_rcv+0x1dc/0x1420 net/llc/llc_station.c:111
+ llc_rcv+0xc32/0xe20 net/llc/llc_input.c:220
+ __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913
+ __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023
+ process_backlog+0x218/0x6f0 net/core/dev.c:5829
+ napi_poll net/core/dev.c:6249 [inline]
+ net_rx_action+0x7c5/0x1950 net/core/dev.c:6315
+ __do_softirq+0x30c/0xb03 kernel/softirq.c:292
+
+Freed by task 16383:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
+ kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
+ __cache_free mm/slab.c:3498 [inline]
+ kmem_cache_free+0x83/0x290 mm/slab.c:3756
+ kfree_skbmem+0x154/0x230 net/core/skbuff.c:582
+ __kfree_skb+0x1d/0x20 net/core/skbuff.c:642
+ sk_eat_skb include/net/sock.h:2366 [inline]
+ llc_ui_recvmsg+0xec2/0x1610 net/llc/af_llc.c:882
+ sock_recvmsg_nosec net/socket.c:794 [inline]
+ sock_recvmsg+0xd0/0x110 net/socket.c:801
+ ___sys_recvmsg+0x2b6/0x680 net/socket.c:2278
+ __sys_recvmmsg+0x303/0xb90 net/socket.c:2390
+ do_sys_recvmmsg+0x181/0x1a0 net/socket.c:2466
+ __do_sys_recvmmsg net/socket.c:2484 [inline]
+ __se_sys_recvmmsg net/socket.c:2480 [inline]
+ __x64_sys_recvmmsg+0xbe/0x150 net/socket.c:2480
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8801d1f6fac0
+ which belongs to the cache skbuff_head_cache of size 232
+The buggy address is located 228 bytes inside of
+ 232-byte region [ffff8801d1f6fac0, ffff8801d1f6fba8)
+The buggy address belongs to the page:
+page:ffffea000747dbc0 count:1 mapcount:0 mapping:ffff8801d9be7680 index:0xffff8801d1f6fe80
+flags: 0x2fffc0000000100(slab)
+raw: 02fffc0000000100 ffffea0007346e88 ffffea000705b108 ffff8801d9be7680
+raw: ffff8801d1f6fe80 ffff8801d1f6f0c0 000000010000000b 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8801d1f6fa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+ ffff8801d1f6fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff8801d1f6fb80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff8801d1f6fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8801d1f6fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/llc/af_llc.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -726,7 +726,6 @@ static int llc_ui_recvmsg(struct socket
+ struct sk_buff *skb = NULL;
+ struct sock *sk = sock->sk;
+ struct llc_sock *llc = llc_sk(sk);
+- unsigned long cpu_flags;
+ size_t copied = 0;
+ u32 peek_seq = 0;
+ u32 *seq, skb_len;
+@@ -851,9 +850,8 @@ static int llc_ui_recvmsg(struct socket
+ goto copy_uaddr;
+
+ if (!(flags & MSG_PEEK)) {
+- spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags);
+- sk_eat_skb(sk, skb);
+- spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags);
++ skb_unlink(skb, &sk->sk_receive_queue);
++ kfree_skb(skb);
+ *seq = 0;
+ }
+
+@@ -874,9 +872,8 @@ copy_uaddr:
+ llc_cmsg_rcv(msg, skb);
+
+ if (!(flags & MSG_PEEK)) {
+- spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags);
+- sk_eat_skb(sk, skb);
+- spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags);
++ skb_unlink(skb, &sk->sk_receive_queue);
++ kfree_skb(skb);
+ *seq = 0;
+ }
+
--- /dev/null
+From cb5d21946d2a2f4687c482ab4604af1d29dac35a Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 15 Nov 2018 15:03:24 -0800
+Subject: MAINTAINERS: Add Sasha as a stable branch maintainer
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit cb5d21946d2a2f4687c482ab4604af1d29dac35a upstream.
+
+Sasha has somehow been convinced into helping me with the stable kernel
+maintenance. Codify this slip in good judgement before he realizes what
+he really signed up for :)
+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ MAINTAINERS | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -11469,6 +11469,7 @@ F: arch/alpha/kernel/srm_env.c
+
+ STABLE BRANCH
+ M: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
++M: Sasha Levin <sashal@kernel.org>
+ L: stable@vger.kernel.org
+ S: Supported
+ F: Documentation/stable_kernel_rules.txt
--- /dev/null
+From 61448479a9f2c954cde0cfe778cb6bec5d0a748d Mon Sep 17 00:00:00 2001
+From: Dmitry Vyukov <dvyukov@google.com>
+Date: Fri, 26 Oct 2018 15:03:12 -0700
+Subject: mm: don't warn about large allocations for slab
+
+From: Dmitry Vyukov <dvyukov@google.com>
+
+commit 61448479a9f2c954cde0cfe778cb6bec5d0a748d upstream.
+
+Slub does not call kmalloc_slab() for sizes > KMALLOC_MAX_CACHE_SIZE,
+instead it falls back to kmalloc_large().
+
+For slab KMALLOC_MAX_CACHE_SIZE == KMALLOC_MAX_SIZE and it calls
+kmalloc_slab() for all allocations relying on NULL return value for
+over-sized allocations.
+
+This inconsistency leads to unwanted warnings from kmalloc_slab() for
+over-sized allocations for slab. Returning NULL for failed allocations is
+the expected behavior.
+
+Make slub and slab code consistent by checking size >
+KMALLOC_MAX_CACHE_SIZE in slab before calling kmalloc_slab().
+
+While we are here also fix the check in kmalloc_slab(). We should check
+against KMALLOC_MAX_CACHE_SIZE rather than KMALLOC_MAX_SIZE. It all kinda
+worked because for slab the constants are the same, and slub always checks
+the size against KMALLOC_MAX_CACHE_SIZE before kmalloc_slab(). But if we
+get there with size > KMALLOC_MAX_CACHE_SIZE anyhow bad things will
+happen. For example, in case of a newly introduced bug in slub code.
+
+Also move the check in kmalloc_slab() from function entry to the size >
+192 case. This partially compensates for the additional check in slab
+code and makes slub code a bit faster (at least theoretically).
+
+Also drop __GFP_NOWARN in the warning check. This warning means a bug in
+slab code itself, user-passed flags have nothing to do with it.
+
+Nothing of this affects slob.
+
+Link: http://lkml.kernel.org/r/20180927171502.226522-1-dvyukov@gmail.com
+Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
+Reported-by: syzbot+87829a10073277282ad1@syzkaller.appspotmail.com
+Reported-by: syzbot+ef4e8fc3a06e9019bb40@syzkaller.appspotmail.com
+Reported-by: syzbot+6e438f4036df52cbb863@syzkaller.appspotmail.com
+Reported-by: syzbot+8574471d8734457d98aa@syzkaller.appspotmail.com
+Reported-by: syzbot+af1504df0807a083dbd9@syzkaller.appspotmail.com
+Acked-by: Christoph Lameter <cl@linux.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/slab.c | 4 ++++
+ mm/slab_common.c | 12 ++++++------
+ 2 files changed, 10 insertions(+), 6 deletions(-)
+
+--- a/mm/slab.c
++++ b/mm/slab.c
+@@ -3690,6 +3690,8 @@ __do_kmalloc_node(size_t size, gfp_t fla
+ struct kmem_cache *cachep;
+ void *ret;
+
++ if (unlikely(size > KMALLOC_MAX_CACHE_SIZE))
++ return NULL;
+ cachep = kmalloc_slab(size, flags);
+ if (unlikely(ZERO_OR_NULL_PTR(cachep)))
+ return cachep;
+@@ -3725,6 +3727,8 @@ static __always_inline void *__do_kmallo
+ struct kmem_cache *cachep;
+ void *ret;
+
++ if (unlikely(size > KMALLOC_MAX_CACHE_SIZE))
++ return NULL;
+ cachep = kmalloc_slab(size, flags);
+ if (unlikely(ZERO_OR_NULL_PTR(cachep)))
+ return cachep;
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -883,18 +883,18 @@ struct kmem_cache *kmalloc_slab(size_t s
+ {
+ int index;
+
+- if (unlikely(size > KMALLOC_MAX_SIZE)) {
+- WARN_ON_ONCE(!(flags & __GFP_NOWARN));
+- return NULL;
+- }
+-
+ if (size <= 192) {
+ if (!size)
+ return ZERO_SIZE_PTR;
+
+ index = size_index[size_index_elem(size)];
+- } else
++ } else {
++ if (unlikely(size > KMALLOC_MAX_CACHE_SIZE)) {
++ WARN_ON(1);
++ return NULL;
++ }
+ index = fls(size - 1);
++ }
+
+ #ifdef CONFIG_ZONE_DMA
+ if (unlikely((flags & GFP_DMA)))
--- /dev/null
+From df132eff463873e14e019a07f387b4d577d6d1f9 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 29 Oct 2018 23:10:29 +0800
+Subject: sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit df132eff463873e14e019a07f387b4d577d6d1f9 upstream.
+
+If a transport is removed by asconf but there still are some chunks with
+this transport queuing on out_chunk_list, later an use-after-free issue
+will be caused when accessing this transport from these chunks in
+sctp_outq_flush().
+
+This is an old bug, we fix it by clearing the transport of these chunks
+in out_chunk_list when removing a transport in sctp_assoc_rm_peer().
+
+Reported-by: syzbot+56a40ceee5fb35932f4d@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sctp/associola.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -488,8 +488,9 @@ void sctp_assoc_set_primary(struct sctp_
+ void sctp_assoc_rm_peer(struct sctp_association *asoc,
+ struct sctp_transport *peer)
+ {
+- struct list_head *pos;
+- struct sctp_transport *transport;
++ struct sctp_transport *transport;
++ struct list_head *pos;
++ struct sctp_chunk *ch;
+
+ pr_debug("%s: association:%p addr:%pISpc\n",
+ __func__, asoc, &peer->ipaddr.sa);
+@@ -547,7 +548,6 @@ void sctp_assoc_rm_peer(struct sctp_asso
+ */
+ if (!list_empty(&peer->transmitted)) {
+ struct sctp_transport *active = asoc->peer.active_path;
+- struct sctp_chunk *ch;
+
+ /* Reset the transport of each chunk on this list */
+ list_for_each_entry(ch, &peer->transmitted,
+@@ -569,6 +569,10 @@ void sctp_assoc_rm_peer(struct sctp_asso
+ sctp_transport_hold(active);
+ }
+
++ list_for_each_entry(ch, &asoc->outqueue.out_chunk_list, list)
++ if (ch->transport == peer)
++ ch->transport = NULL;
++
+ asoc->peer.transport_count--;
+
+ sctp_transport_free(peer);
--- /dev/null
+From 4458bba09788e70e8fb39ad003f087cd9dfbd6ac Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Date: Sat, 8 Sep 2018 01:42:58 +0900
+Subject: selinux: Add __GFP_NOWARN to allocation at str_read()
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+commit 4458bba09788e70e8fb39ad003f087cd9dfbd6ac upstream.
+
+syzbot is hitting warning at str_read() [1] because len parameter can
+become larger than KMALLOC_MAX_SIZE. We don't need to emit warning for
+this case.
+
+[1] https://syzkaller.appspot.com/bug?id=7f2f5aad79ea8663c296a2eedb81978401a908f0
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+ac488b9811036cea7ea0@syzkaller.appspotmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/ss/policydb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/selinux/ss/policydb.c
++++ b/security/selinux/ss/policydb.c
+@@ -1097,7 +1097,7 @@ static int str_read(char **strp, gfp_t f
+ if ((len == 0) || (len == (u32)-1))
+ return -EINVAL;
+
+- str = kmalloc(len + 1, flags);
++ str = kmalloc(len + 1, flags | __GFP_NOWARN);
+ if (!str)
+ return -ENOMEM;
+
--- /dev/null
+usb-core-fix-hub-port-connection-events-lost.patch
+usb-dwc3-core-clean-up-ulpi-device.patch
+usb-xhci-fix-timeout-for-transition-from-rexit-to-u0.patch
+alsa-oss-use-kvzalloc-for-local-buffer-allocations.patch
+maintainers-add-sasha-as-a-stable-branch-maintainer.patch
+gpio-don-t-free-unallocated-ida-on-gpiochip_add_data_with_key-error-path.patch
+iwlwifi-mvm-support-sta_statistics-even-on-older-firmware.patch
+iwlwifi-mvm-fix-regulatory-domain-update-when-the-firmware-starts.patch
+brcmfmac-fix-reporting-support-for-160-mhz-channels.patch
+tools-power-cpupower-fix-compilation-with-static-true.patch
+v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch
+selinux-add-__gfp_nowarn-to-allocation-at-str_read.patch
+bfs-add-sanity-check-at-bfs_fill_super.patch
+sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch
+gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch
+llc-do-not-use-sk_eat_skb.patch
+mm-don-t-warn-about-large-allocations-for-slab.patch
+drm-ast-change-resolution-may-cause-screen-blurred.patch
+drm-ast-fixed-cursor-may-disappear-sometimes.patch
+drm-ast-remove-existing-framebuffers-before-loading-driver.patch
+can-dev-can_get_echo_skb-factor-out-non-sending-code-to-__can_get_echo_skb.patch
+can-dev-__can_get_echo_skb-replace-struct-can_frame-by-canfd_frame-to-access-frame-length.patch
+can-dev-__can_get_echo_skb-don-t-crash-the-kernel-if-can_priv-echo_skb-is-accessed-out-of-bounds.patch
+can-dev-__can_get_echo_skb-print-error-message-if-trying-to-echo-non-existing-skb.patch
--- /dev/null
+From 9de9aa45e9bd67232e000cca42ceb134b8ae51b6 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Tue, 16 Oct 2018 11:56:26 +0300
+Subject: tools/power/cpupower: fix compilation with STATIC=true
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+commit 9de9aa45e9bd67232e000cca42ceb134b8ae51b6 upstream.
+
+Rename duplicate sysfs_read_file into cpupower_read_sysfs and fix linking.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Thomas Renninger <trenn@suse.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/power/cpupower/bench/Makefile | 2 +-
+ tools/power/cpupower/lib/cpufreq.c | 2 +-
+ tools/power/cpupower/lib/cpuidle.c | 2 +-
+ tools/power/cpupower/lib/cpupower.c | 4 ++--
+ tools/power/cpupower/lib/cpupower_intern.h | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/tools/power/cpupower/bench/Makefile
++++ b/tools/power/cpupower/bench/Makefile
+@@ -8,7 +8,7 @@ endif
+ ifeq ($(strip $(STATIC)),true)
+ LIBS = -L../ -L$(OUTPUT) -lm
+ OBJS = $(OUTPUT)main.o $(OUTPUT)parse.o $(OUTPUT)system.o $(OUTPUT)benchmark.o \
+- $(OUTPUT)../lib/cpufreq.o $(OUTPUT)../lib/sysfs.o
++ $(OUTPUT)../lib/cpufreq.o $(OUTPUT)../lib/cpupower.o
+ else
+ LIBS = -L../ -L$(OUTPUT) -lm -lcpupower
+ OBJS = $(OUTPUT)main.o $(OUTPUT)parse.o $(OUTPUT)system.o $(OUTPUT)benchmark.o
+--- a/tools/power/cpupower/lib/cpufreq.c
++++ b/tools/power/cpupower/lib/cpufreq.c
+@@ -28,7 +28,7 @@ static unsigned int sysfs_cpufreq_read_f
+
+ snprintf(path, sizeof(path), PATH_TO_CPU "cpu%u/cpufreq/%s",
+ cpu, fname);
+- return sysfs_read_file(path, buf, buflen);
++ return cpupower_read_sysfs(path, buf, buflen);
+ }
+
+ /* helper function to write a new value to a /sys file */
+--- a/tools/power/cpupower/lib/cpuidle.c
++++ b/tools/power/cpupower/lib/cpuidle.c
+@@ -319,7 +319,7 @@ static unsigned int sysfs_cpuidle_read_f
+
+ snprintf(path, sizeof(path), PATH_TO_CPU "cpuidle/%s", fname);
+
+- return sysfs_read_file(path, buf, buflen);
++ return cpupower_read_sysfs(path, buf, buflen);
+ }
+
+
+--- a/tools/power/cpupower/lib/cpupower.c
++++ b/tools/power/cpupower/lib/cpupower.c
+@@ -15,7 +15,7 @@
+ #include "cpupower.h"
+ #include "cpupower_intern.h"
+
+-unsigned int sysfs_read_file(const char *path, char *buf, size_t buflen)
++unsigned int cpupower_read_sysfs(const char *path, char *buf, size_t buflen)
+ {
+ int fd;
+ ssize_t numread;
+@@ -95,7 +95,7 @@ static int sysfs_topology_read_file(unsi
+
+ snprintf(path, sizeof(path), PATH_TO_CPU "cpu%u/topology/%s",
+ cpu, fname);
+- if (sysfs_read_file(path, linebuf, MAX_LINE_LEN) == 0)
++ if (cpupower_read_sysfs(path, linebuf, MAX_LINE_LEN) == 0)
+ return -1;
+ *result = strtol(linebuf, &endp, 0);
+ if (endp == linebuf || errno == ERANGE)
+--- a/tools/power/cpupower/lib/cpupower_intern.h
++++ b/tools/power/cpupower/lib/cpupower_intern.h
+@@ -2,4 +2,4 @@
+ #define MAX_LINE_LEN 4096
+ #define SYSFS_PATH_MAX 255
+
+-unsigned int sysfs_read_file(const char *path, char *buf, size_t buflen);
++unsigned int cpupower_read_sysfs(const char *path, char *buf, size_t buflen);
--- /dev/null
+From 22454b79e6de05fa61a2a72d00d2eed798abbb75 Mon Sep 17 00:00:00 2001
+From: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+Date: Tue, 13 Nov 2018 14:40:34 +0100
+Subject: usb: core: Fix hub port connection events lost
+
+From: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+
+commit 22454b79e6de05fa61a2a72d00d2eed798abbb75 upstream.
+
+This will clear the USB_PORT_FEAT_C_CONNECTION bit in case of a hub port reset
+only if a device is was attached to the hub port before resetting the hub port.
+
+Using a Lenovo T480s attached to the ultra dock it was not possible to detect
+some usb-c devices at the dock usb-c ports because the hub_port_reset code
+will clear the USB_PORT_FEAT_C_CONNECTION bit after the actual hub port reset.
+Using this device combo the USB_PORT_FEAT_C_CONNECTION bit was set between the
+actual hub port reset and the clear of the USB_PORT_FEAT_C_CONNECTION bit.
+This ends up with clearing the USB_PORT_FEAT_C_CONNECTION bit after the
+new device was attached such that it was not detected.
+
+This patch will not clear the USB_PORT_FEAT_C_CONNECTION bit if there is
+currently no device attached to the port before the hub port reset.
+This will avoid clearing the connection bit for new attached devices.
+
+Signed-off-by: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2809,7 +2809,9 @@ static int hub_port_reset(struct usb_hub
+ USB_PORT_FEAT_C_BH_PORT_RESET);
+ usb_clear_port_feature(hub->hdev, port1,
+ USB_PORT_FEAT_C_PORT_LINK_STATE);
+- usb_clear_port_feature(hub->hdev, port1,
++
++ if (udev)
++ usb_clear_port_feature(hub->hdev, port1,
+ USB_PORT_FEAT_C_CONNECTION);
+
+ /*
--- /dev/null
+From 08fd9a82fda86529bb2f2af3c2f7cb657b4d3066 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Mon, 27 Aug 2018 18:30:16 +0300
+Subject: usb: dwc3: core: Clean up ULPI device
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 08fd9a82fda86529bb2f2af3c2f7cb657b4d3066 upstream.
+
+If dwc3_core_init_mode() fails with deferred probe,
+next probe fails on sysfs with
+
+sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:11.0/dwc3.0.auto/dwc3.0.auto.ulpi'
+
+To avoid this failure, clean up ULPI device.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1145,6 +1145,7 @@ static int dwc3_probe(struct platform_de
+
+ err5:
+ dwc3_event_buffers_cleanup(dwc);
++ dwc3_ulpi_exit(dwc);
+
+ err4:
+ dwc3_free_scratch_buffers(dwc);
--- /dev/null
+From a5baeaeabcca3244782a9b6382ebab6f8a58f583 Mon Sep 17 00:00:00 2001
+From: Aaron Ma <aaron.ma@canonical.com>
+Date: Fri, 9 Nov 2018 17:21:21 +0200
+Subject: usb: xhci: fix timeout for transition from RExit to U0
+
+From: Aaron Ma <aaron.ma@canonical.com>
+
+commit a5baeaeabcca3244782a9b6382ebab6f8a58f583 upstream.
+
+This definition is used by msecs_to_jiffies in milliseconds.
+According to the comments, max rexit timeout should be 20ms.
+Align with the comments to properly calculate the delay.
+
+Verified on Sunrise Point-LP and Cannon Lake.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-hub.c | 4 ++--
+ drivers/usb/host/xhci.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -814,7 +814,7 @@ static u32 xhci_get_port_status(struct u
+ time_left = wait_for_completion_timeout(
+ &bus_state->rexit_done[wIndex],
+ msecs_to_jiffies(
+- XHCI_MAX_REXIT_TIMEOUT));
++ XHCI_MAX_REXIT_TIMEOUT_MS));
+ spin_lock_irqsave(&xhci->lock, flags);
+
+ if (time_left) {
+@@ -828,7 +828,7 @@ static u32 xhci_get_port_status(struct u
+ } else {
+ int port_status = readl(port_array[wIndex]);
+ xhci_warn(xhci, "Port resume took longer than %i msec, port status = 0x%x\n",
+- XHCI_MAX_REXIT_TIMEOUT,
++ XHCI_MAX_REXIT_TIMEOUT_MS,
+ port_status);
+ status |= USB_PORT_STAT_SUSPEND;
+ clear_bit(wIndex, &bus_state->rexit_ports);
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1509,7 +1509,7 @@ struct xhci_bus_state {
+ * It can take up to 20 ms to transition from RExit to U0 on the
+ * Intel Lynx Point LP xHCI host.
+ */
+-#define XHCI_MAX_REXIT_TIMEOUT (20 * 1000)
++#define XHCI_MAX_REXIT_TIMEOUT_MS 20
+
+ static inline unsigned int hcd_index(struct usb_hcd *hcd)
+ {
--- /dev/null
+From 81c99089bce693b94b775b6eb888115d2d540086 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Mon, 27 Aug 2018 15:12:05 +0900
+Subject: v9fs_dir_readdir: fix double-free on p9stat_read error
+
+From: Dominique Martinet <dominique.martinet@cea.fr>
+
+commit 81c99089bce693b94b775b6eb888115d2d540086 upstream.
+
+p9stat_read will call p9stat_free on error, we should only free the
+struct content on success.
+
+There also is no need to "p9stat_init" st as the read function will
+zero the whole struct for us anyway, so clean up the code a bit while
+we are here.
+
+Link: http://lkml.kernel.org/r/1535410108-20650-1-git-send-email-asmadeus@codewreck.org
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/9p/vfs_dir.c | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+--- a/fs/9p/vfs_dir.c
++++ b/fs/9p/vfs_dir.c
+@@ -76,15 +76,6 @@ static inline int dt_type(struct p9_wsta
+ return rettype;
+ }
+
+-static void p9stat_init(struct p9_wstat *stbuf)
+-{
+- stbuf->name = NULL;
+- stbuf->uid = NULL;
+- stbuf->gid = NULL;
+- stbuf->muid = NULL;
+- stbuf->extension = NULL;
+-}
+-
+ /**
+ * v9fs_alloc_rdir_buf - Allocate buffer used for read and readdir
+ * @filp: opened file structure
+@@ -145,12 +136,10 @@ static int v9fs_dir_readdir(struct file
+ rdir->tail = n;
+ }
+ while (rdir->head < rdir->tail) {
+- p9stat_init(&st);
+ err = p9stat_read(fid->clnt, rdir->buf + rdir->head,
+ rdir->tail - rdir->head, &st);
+ if (err) {
+ p9_debug(P9_DEBUG_VFS, "returned %d\n", err);
+- p9stat_free(&st);
+ return -EIO;
+ }
+ reclen = st.size+2;
projects / thirdparty / kernel / stable-queue.git / commitdiff
