--- /dev/null
+From a01df75ce737951ad13a08d101306e88c3f57cb2 Mon Sep 17 00:00:00 2001
+From: James Kelly <jamespeterkelly@gmail.com>
+Date: Mon, 19 Mar 2018 21:29:50 +1100
+Subject: ASoC: ssm2602: Replace reg_default_raw with reg_default
+
+From: James Kelly <jamespeterkelly@gmail.com>
+
+commit a01df75ce737951ad13a08d101306e88c3f57cb2 upstream.
+
+SSM2602 driver is broken on recent kernels (at least
+since 4.9). User space applications such as amixer or
+alsamixer get EIO when attempting to access codec
+controls via the relevant IOCTLs.
+
+Root cause of these failures is the regcache_hw_init
+function in drivers/base/regmap/regcache.c, which
+prevents regmap cache initalization from the
+reg_defaults_raw element of the regmap_config structure
+when registers are write only. It also disables the
+regmap cache entirely when all registers are write only
+or volatile as is the case for the SSM2602 driver.
+
+Using the reg_defaults element of the regmap_config
+structure rather than the reg_defaults_raw element to
+initalize the regmap cache avoids the logic in the
+regcache_hw_init function entirely. It also makes this
+driver consistent with other ASoC codec drivers, as
+this driver was the ONLY codec driver that used the
+reg_defaults_raw element to initalize the cache.
+
+Tested on Digilent Zybo Z7 development board which has
+a SSM2603 codec chip connected to a Xilinx Zynq SoC.
+
+Signed-off-by: James Kelly <jamespeterkelly@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/ssm2602.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/sound/soc/codecs/ssm2602.c
++++ b/sound/soc/codecs/ssm2602.c
+@@ -54,10 +54,17 @@ struct ssm2602_priv {
+ * using 2 wire for device control, so we cache them instead.
+ * There is no point in caching the reset register
+ */
+-static const u16 ssm2602_reg[SSM2602_CACHEREGNUM] = {
+- 0x0097, 0x0097, 0x0079, 0x0079,
+- 0x000a, 0x0008, 0x009f, 0x000a,
+- 0x0000, 0x0000
++static const struct reg_default ssm2602_reg[SSM2602_CACHEREGNUM] = {
++ { .reg = 0x00, .def = 0x0097 },
++ { .reg = 0x01, .def = 0x0097 },
++ { .reg = 0x02, .def = 0x0079 },
++ { .reg = 0x03, .def = 0x0079 },
++ { .reg = 0x04, .def = 0x000a },
++ { .reg = 0x05, .def = 0x0008 },
++ { .reg = 0x06, .def = 0x009f },
++ { .reg = 0x07, .def = 0x000a },
++ { .reg = 0x08, .def = 0x0000 },
++ { .reg = 0x09, .def = 0x0000 }
+ };
+
+
+@@ -620,8 +627,8 @@ const struct regmap_config ssm2602_regma
+ .volatile_reg = ssm2602_register_volatile,
+
+ .cache_type = REGCACHE_RBTREE,
+- .reg_defaults_raw = ssm2602_reg,
+- .num_reg_defaults_raw = ARRAY_SIZE(ssm2602_reg),
++ .reg_defaults = ssm2602_reg,
++ .num_reg_defaults = ARRAY_SIZE(ssm2602_reg),
+ };
+ EXPORT_SYMBOL_GPL(ssm2602_regmap_config);
+
--- /dev/null
+From 7dac4a1726a9c64a517d595c40e95e2d0d135f6f Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Mon, 26 Mar 2018 23:54:10 -0400
+Subject: ext4: add validity checks for bitmap block numbers
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 7dac4a1726a9c64a517d595c40e95e2d0d135f6f upstream.
+
+An privileged attacker can cause a crash by mounting a crafted ext4
+image which triggers a out-of-bounds read in the function
+ext4_valid_block_bitmap() in fs/ext4/balloc.c.
+
+This issue has been assigned CVE-2018-1093.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199181
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1560782
+Reported-by: Wen Xu <wen.xu@gatech.edu>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/balloc.c | 16 ++++++++++++++--
+ fs/ext4/ialloc.c | 7 +++++++
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/balloc.c
++++ b/fs/ext4/balloc.c
+@@ -337,20 +337,25 @@ static ext4_fsblk_t ext4_valid_block_bit
+ /* check whether block bitmap block number is set */
+ blk = ext4_block_bitmap(sb, desc);
+ offset = blk - group_first_block;
+- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
++ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
++ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
+ /* bad block bitmap */
+ return blk;
+
+ /* check whether the inode bitmap block number is set */
+ blk = ext4_inode_bitmap(sb, desc);
+ offset = blk - group_first_block;
+- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
++ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
++ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
+ /* bad block bitmap */
+ return blk;
+
+ /* check whether the inode table block number is set */
+ blk = ext4_inode_table(sb, desc);
+ offset = blk - group_first_block;
++ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
++ EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize)
++ return blk;
+ next_zero_bit = ext4_find_next_zero_bit(bh->b_data,
+ EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group),
+ EXT4_B2C(sbi, offset));
+@@ -416,6 +421,7 @@ struct buffer_head *
+ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
+ {
+ struct ext4_group_desc *desc;
++ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ struct buffer_head *bh;
+ ext4_fsblk_t bitmap_blk;
+ int err;
+@@ -424,6 +430,12 @@ ext4_read_block_bitmap_nowait(struct sup
+ if (!desc)
+ return ERR_PTR(-EFSCORRUPTED);
+ bitmap_blk = ext4_block_bitmap(sb, desc);
++ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
++ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
++ ext4_error(sb, "Invalid block bitmap block %llu in "
++ "block_group %u", bitmap_blk, block_group);
++ return ERR_PTR(-EFSCORRUPTED);
++ }
+ bh = sb_getblk(sb, bitmap_blk);
+ if (unlikely(!bh)) {
+ ext4_error(sb, "Cannot get buffer for block bitmap - "
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -119,6 +119,7 @@ static struct buffer_head *
+ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
+ {
+ struct ext4_group_desc *desc;
++ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ struct buffer_head *bh = NULL;
+ ext4_fsblk_t bitmap_blk;
+ int err;
+@@ -128,6 +129,12 @@ ext4_read_inode_bitmap(struct super_bloc
+ return ERR_PTR(-EFSCORRUPTED);
+
+ bitmap_blk = ext4_inode_bitmap(sb, desc);
++ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
++ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
++ ext4_error(sb, "Invalid inode bitmap blk %llu in "
++ "block_group %u", bitmap_blk, block_group);
++ return ERR_PTR(-EFSCORRUPTED);
++ }
+ bh = sb_getblk(sb, bitmap_blk);
+ if (unlikely(!bh)) {
+ ext4_error(sb, "Cannot read inode bitmap - "
--- /dev/null
+From 18db4b4e6fc31eda838dd1c1296d67dbcb3dc957 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 29 Mar 2018 22:10:35 -0400
+Subject: ext4: don't allow r/w mounts if metadata blocks overlap the superblock
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 18db4b4e6fc31eda838dd1c1296d67dbcb3dc957 upstream.
+
+If some metadata block, such as an allocation bitmap, overlaps the
+superblock, it's very likely that if the file system is mounted
+read/write, the results will not be pretty. So disallow r/w mounts
+for file systems corrupted in this particular way.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2260,6 +2260,8 @@ static int ext4_check_descriptors(struct
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ "Block bitmap for group %u overlaps "
+ "superblock", i);
++ if (!sb_rdonly(sb))
++ return 0;
+ }
+ if (block_bitmap < first_block || block_bitmap > last_block) {
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+@@ -2272,6 +2274,8 @@ static int ext4_check_descriptors(struct
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ "Inode bitmap for group %u overlaps "
+ "superblock", i);
++ if (!sb_rdonly(sb))
++ return 0;
+ }
+ if (inode_bitmap < first_block || inode_bitmap > last_block) {
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+@@ -2284,6 +2288,8 @@ static int ext4_check_descriptors(struct
+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ "Inode table for group %u overlaps "
+ "superblock", i);
++ if (!sb_rdonly(sb))
++ return 0;
+ }
+ if (inode_table < first_block ||
+ inode_table + sbi->s_itb_per_group - 1 > last_block) {
--- /dev/null
+From 044e6e3d74a3d7103a0c8a9305dfd94d64000660 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Mon, 19 Feb 2018 14:16:47 -0500
+Subject: ext4: don't update checksum of new initialized bitmaps
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 044e6e3d74a3d7103a0c8a9305dfd94d64000660 upstream.
+
+When reading the inode or block allocation bitmap, if the bitmap needs
+to be initialized, do not update the checksum in the block group
+descriptor. That's because we're not set up to journal those changes.
+Instead, just set the verified bit on the bitmap block, so that it's
+not necessary to validate the checksum.
+
+When a block or inode allocation actually happens, at that point the
+checksum will be calculated, and update of the bg descriptor block
+will be properly journalled.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/balloc.c | 3 +--
+ fs/ext4/ialloc.c | 47 +++--------------------------------------------
+ 2 files changed, 4 insertions(+), 46 deletions(-)
+
+--- a/fs/ext4/balloc.c
++++ b/fs/ext4/balloc.c
+@@ -242,8 +242,6 @@ static int ext4_init_block_bitmap(struct
+ */
+ ext4_mark_bitmap_end(num_clusters_in_group(sb, block_group),
+ sb->s_blocksize * 8, bh->b_data);
+- ext4_block_bitmap_csum_set(sb, block_group, gdp, bh);
+- ext4_group_desc_csum_set(sb, block_group, gdp);
+ return 0;
+ }
+
+@@ -447,6 +445,7 @@ ext4_read_block_bitmap_nowait(struct sup
+ err = ext4_init_block_bitmap(sb, bh, block_group, desc);
+ set_bitmap_uptodate(bh);
+ set_buffer_uptodate(bh);
++ set_buffer_verified(bh);
+ ext4_unlock_group(sb, block_group);
+ unlock_buffer(bh);
+ if (err) {
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -63,44 +63,6 @@ void ext4_mark_bitmap_end(int start_bit,
+ memset(bitmap + (i >> 3), 0xff, (end_bit - i) >> 3);
+ }
+
+-/* Initializes an uninitialized inode bitmap */
+-static int ext4_init_inode_bitmap(struct super_block *sb,
+- struct buffer_head *bh,
+- ext4_group_t block_group,
+- struct ext4_group_desc *gdp)
+-{
+- struct ext4_group_info *grp;
+- struct ext4_sb_info *sbi = EXT4_SB(sb);
+- J_ASSERT_BH(bh, buffer_locked(bh));
+-
+- /* If checksum is bad mark all blocks and inodes use to prevent
+- * allocation, essentially implementing a per-group read-only flag. */
+- if (!ext4_group_desc_csum_verify(sb, block_group, gdp)) {
+- grp = ext4_get_group_info(sb, block_group);
+- if (!EXT4_MB_GRP_BBITMAP_CORRUPT(grp))
+- percpu_counter_sub(&sbi->s_freeclusters_counter,
+- grp->bb_free);
+- set_bit(EXT4_GROUP_INFO_BBITMAP_CORRUPT_BIT, &grp->bb_state);
+- if (!EXT4_MB_GRP_IBITMAP_CORRUPT(grp)) {
+- int count;
+- count = ext4_free_inodes_count(sb, gdp);
+- percpu_counter_sub(&sbi->s_freeinodes_counter,
+- count);
+- }
+- set_bit(EXT4_GROUP_INFO_IBITMAP_CORRUPT_BIT, &grp->bb_state);
+- return -EFSBADCRC;
+- }
+-
+- memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8);
+- ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb), sb->s_blocksize * 8,
+- bh->b_data);
+- ext4_inode_bitmap_csum_set(sb, block_group, gdp, bh,
+- EXT4_INODES_PER_GROUP(sb) / 8);
+- ext4_group_desc_csum_set(sb, block_group, gdp);
+-
+- return 0;
+-}
+-
+ void ext4_end_bitmap_read(struct buffer_head *bh, int uptodate)
+ {
+ if (uptodate) {
+@@ -184,17 +146,14 @@ ext4_read_inode_bitmap(struct super_bloc
+
+ ext4_lock_group(sb, block_group);
+ if (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT)) {
+- err = ext4_init_inode_bitmap(sb, bh, block_group, desc);
++ memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8);
++ ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb),
++ sb->s_blocksize * 8, bh->b_data);
+ set_bitmap_uptodate(bh);
+ set_buffer_uptodate(bh);
+ set_buffer_verified(bh);
+ ext4_unlock_group(sb, block_group);
+ unlock_buffer(bh);
+- if (err) {
+- ext4_error(sb, "Failed to init inode bitmap for group "
+- "%u: %d", block_group, err);
+- goto out;
+- }
+ return bh;
+ }
+ ext4_unlock_group(sb, block_group);
--- /dev/null
+From 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 29 Mar 2018 21:56:09 -0400
+Subject: ext4: fail ext4_iget for root directory if unallocated
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44 upstream.
+
+If the root directory has an i_links_count of zero, then when the file
+system is mounted, then when ext4_fill_super() notices the problem and
+tries to call iput() the root directory in the error return path,
+ext4_evict_inode() will try to free the inode on disk, before all of
+the file system structures are set up, and this will result in an OOPS
+caused by a NULL pointer dereference.
+
+This issue has been assigned CVE-2018-1092.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=199179
+https://bugzilla.redhat.com/show_bug.cgi?id=1560777
+
+Reported-by: Wen Xu <wen.xu@gatech.edu>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -4493,6 +4493,12 @@ struct inode *ext4_iget(struct super_blo
+ goto bad_inode;
+ raw_inode = ext4_raw_inode(&iloc);
+
++ if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
++ EXT4_ERROR_INODE(inode, "root inode unallocated");
++ ret = -EFSCORRUPTED;
++ goto bad_inode;
++ }
++
+ if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
+ ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize);
+ if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >
--- /dev/null
+From e40ff213898502d299351cc2fe1e350cd186f0d3 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 1 Apr 2018 23:21:03 -0400
+Subject: ext4: force revalidation of directory pointer after seekdir(2)
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit e40ff213898502d299351cc2fe1e350cd186f0d3 upstream.
+
+A malicious user could force the directory pointer to be in an invalid
+spot by using seekdir(2). Use the mechanism we already have to notice
+if the directory has changed since the last time we called
+ext4_readdir() to force a revalidation of the pointer.
+
+Reported-by: syzbot+1236ce66f79263e8a862@syzkaller.appspotmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/dir.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/dir.c
++++ b/fs/ext4/dir.c
+@@ -363,13 +363,15 @@ static loff_t ext4_dir_llseek(struct fil
+ {
+ struct inode *inode = file->f_mapping->host;
+ int dx_dir = is_dx_dir(inode);
+- loff_t htree_max = ext4_get_htree_eof(file);
++ loff_t ret, htree_max = ext4_get_htree_eof(file);
+
+ if (likely(dx_dir))
+- return generic_file_llseek_size(file, offset, whence,
++ ret = generic_file_llseek_size(file, offset, whence,
+ htree_max, htree_max);
+ else
+- return ext4_llseek(file, offset, whence);
++ ret = ext4_llseek(file, offset, whence);
++ file->f_version = inode_peek_iversion(inode) - 1;
++ return ret;
+ }
+
+ /*
--- /dev/null
+From 73fdad00b208b139cf43f3163fbc0f67e4c6047c Mon Sep 17 00:00:00 2001
+From: Eryu Guan <guaneryu@gmail.com>
+Date: Thu, 22 Mar 2018 11:41:25 -0400
+Subject: ext4: protect i_disksize update by i_data_sem in direct write path
+
+From: Eryu Guan <guaneryu@gmail.com>
+
+commit 73fdad00b208b139cf43f3163fbc0f67e4c6047c upstream.
+
+i_disksize update should be protected by i_data_sem, by either taking
+the lock explicitly or by using ext4_update_i_disksize() helper. But the
+i_disksize updates in ext4_direct_IO_write() are not protected at all,
+which may be racing with i_disksize updates in writeback path in
+delalloc buffer write path.
+
+This is found by code inspection, and I didn't hit any i_disksize
+corruption due to this bug. Thanks to Jan Kara for catching this bug and
+suggesting the fix!
+
+Reported-by: Jan Kara <jack@suse.cz>
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Eryu Guan <guaneryu@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -3396,7 +3396,6 @@ static ssize_t ext4_direct_IO_write(stru
+ {
+ struct file *file = iocb->ki_filp;
+ struct inode *inode = file->f_mapping->host;
+- struct ext4_inode_info *ei = EXT4_I(inode);
+ ssize_t ret;
+ loff_t offset = iocb->ki_pos;
+ size_t count = iov_iter_count(iter);
+@@ -3420,7 +3419,7 @@ static ssize_t ext4_direct_IO_write(stru
+ goto out;
+ }
+ orphan = 1;
+- ei->i_disksize = inode->i_size;
++ ext4_update_i_disksize(inode, inode->i_size);
+ ext4_journal_stop(handle);
+ }
+
+@@ -3548,7 +3547,7 @@ static ssize_t ext4_direct_IO_write(stru
+ if (ret > 0) {
+ loff_t end = offset + ret;
+ if (end > inode->i_size) {
+- ei->i_disksize = end;
++ ext4_update_i_disksize(inode, end);
+ i_size_write(inode, end);
+ /*
+ * We're going to return a positive `ret'
--- /dev/null
+From 6de0b13cc0b4ba10e98a9263d7a83b940720b77a Mon Sep 17 00:00:00 2001
+From: Aaron Ma <aaron.ma@canonical.com>
+Date: Mon, 8 Jan 2018 10:41:41 +0800
+Subject: HID: core: Fix size as type u32
+
+From: Aaron Ma <aaron.ma@canonical.com>
+
+commit 6de0b13cc0b4ba10e98a9263d7a83b940720b77a upstream.
+
+When size is negative, calling memset will make segment fault.
+Declare the size as type u32 to keep memset safe.
+
+size in struct hid_report is unsigned, fix return type of
+hid_report_len to u32.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-core.c | 10 +++++-----
+ include/linux/hid.h | 6 +++---
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1370,7 +1370,7 @@ u8 *hid_alloc_report_buf(struct hid_repo
+ * of implement() working on 8 byte chunks
+ */
+
+- int len = hid_report_len(report) + 7;
++ u32 len = hid_report_len(report) + 7;
+
+ return kmalloc(len, flags);
+ }
+@@ -1435,7 +1435,7 @@ void __hid_request(struct hid_device *hi
+ {
+ char *buf;
+ int ret;
+- int len;
++ u32 len;
+
+ buf = hid_alloc_report_buf(report, GFP_KERNEL);
+ if (!buf)
+@@ -1461,14 +1461,14 @@ out:
+ }
+ EXPORT_SYMBOL_GPL(__hid_request);
+
+-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
++int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
+ int interrupt)
+ {
+ struct hid_report_enum *report_enum = hid->report_enum + type;
+ struct hid_report *report;
+ struct hid_driver *hdrv;
+ unsigned int a;
+- int rsize, csize = size;
++ u32 rsize, csize = size;
+ u8 *cdata = data;
+ int ret = 0;
+
+@@ -1526,7 +1526,7 @@ EXPORT_SYMBOL_GPL(hid_report_raw_event);
+ *
+ * This is data entry for lower layers.
+ */
+-int hid_input_report(struct hid_device *hid, int type, u8 *data, int size, int interrupt)
++int hid_input_report(struct hid_device *hid, int type, u8 *data, u32 size, int interrupt)
+ {
+ struct hid_report_enum *report_enum;
+ struct hid_driver *hdrv;
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -801,7 +801,7 @@ extern int hidinput_connect(struct hid_d
+ extern void hidinput_disconnect(struct hid_device *);
+
+ int hid_set_field(struct hid_field *, unsigned, __s32);
+-int hid_input_report(struct hid_device *, int type, u8 *, int, int);
++int hid_input_report(struct hid_device *, int type, u8 *, u32, int);
+ int hidinput_find_field(struct hid_device *hid, unsigned int type, unsigned int code, struct hid_field **field);
+ struct hid_field *hidinput_get_led_field(struct hid_device *hid);
+ unsigned int hidinput_count_leds(struct hid_device *hid);
+@@ -1106,13 +1106,13 @@ static inline void hid_hw_wait(struct hi
+ *
+ * @report: the report we want to know the length
+ */
+-static inline int hid_report_len(struct hid_report *report)
++static inline u32 hid_report_len(struct hid_report *report)
+ {
+ /* equivalent to DIV_ROUND_UP(report->size, 8) + !!(report->id > 0) */
+ return ((report->size - 1) >> 3) + 1 + (report->id > 0);
+ }
+
+-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size,
++int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
+ int interrupt);
+
+ /* HID quirks API */
--- /dev/null
+From 3064a03b94e60388f0955fcc29f3e8a978d28f75 Mon Sep 17 00:00:00 2001
+From: Aaron Ma <aaron.ma@canonical.com>
+Date: Sat, 3 Feb 2018 23:57:15 +0800
+Subject: HID: Fix hid_report_len usage
+
+From: Aaron Ma <aaron.ma@canonical.com>
+
+commit 3064a03b94e60388f0955fcc29f3e8a978d28f75 upstream.
+
+Follow the change of return type u32 of hid_report_len,
+fix all the types of variables those get the return value of
+hid_report_len to u32, and all other code already uses u32.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-input.c | 3 ++-
+ drivers/hid/hid-multitouch.c | 5 +++--
+ drivers/hid/hid-rmi.c | 4 ++--
+ drivers/hid/wacom_sys.c | 2 +-
+ 4 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -1279,7 +1279,8 @@ static void hidinput_led_worker(struct w
+ led_work);
+ struct hid_field *field;
+ struct hid_report *report;
+- int len, ret;
++ int ret;
++ u32 len;
+ __u8 *buf;
+
+ field = hidinput_get_led_field(hid);
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -315,7 +315,8 @@ static struct attribute_group mt_attribu
+ static void mt_get_feature(struct hid_device *hdev, struct hid_report *report)
+ {
+ struct mt_device *td = hid_get_drvdata(hdev);
+- int ret, size = hid_report_len(report);
++ int ret;
++ u32 size = hid_report_len(report);
+ u8 *buf;
+
+ /*
+@@ -919,7 +920,7 @@ static void mt_set_input_mode(struct hid
+ struct hid_report_enum *re;
+ struct mt_class *cls = &td->mtclass;
+ char *buf;
+- int report_len;
++ u32 report_len;
+
+ if (td->inputmode < 0)
+ return;
+--- a/drivers/hid/hid-rmi.c
++++ b/drivers/hid/hid-rmi.c
+@@ -110,8 +110,8 @@ struct rmi_data {
+ u8 *writeReport;
+ u8 *readReport;
+
+- int input_report_size;
+- int output_report_size;
++ u32 input_report_size;
++ u32 output_report_size;
+
+ unsigned long flags;
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -351,7 +351,7 @@ static int wacom_set_device_mode(struct
+ u8 *rep_data;
+ struct hid_report *r;
+ struct hid_report_enum *re;
+- int length;
++ u32 length;
+ int error = -ENOMEM, limit = 0;
+
+ if (wacom_wac->mode_report < 0)
--- /dev/null
+From aa08192a254d362a4d5317647a81de6996961aef Mon Sep 17 00:00:00 2001
+From: Aniruddha Banerjee <aniruddhab@nvidia.com>
+Date: Wed, 28 Mar 2018 19:12:00 +0530
+Subject: irqchip/gic: Take lock when updating irq type
+
+From: Aniruddha Banerjee <aniruddhab@nvidia.com>
+
+commit aa08192a254d362a4d5317647a81de6996961aef upstream.
+
+Most MMIO GIC register accesses use a 1-hot bit scheme that
+avoids requiring any form of locking. This isn't true for the
+GICD_ICFGRn registers, which require a RMW sequence.
+
+Unfortunately, we seem to be missing a lock for these particular
+accesses, which could result in a race condition if changing the
+trigger type on any two interrupts within the same set of 16
+interrupts (and thus controlled by the same CFGR register).
+
+Introduce a private lock in the GIC common comde for this
+particular case, making it cover both GIC implementations
+in one go.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Aniruddha Banerjee <aniruddhab@nvidia.com>
+[maz: updated changelog]
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-gic-common.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-gic-common.c
++++ b/drivers/irqchip/irq-gic-common.c
+@@ -21,6 +21,8 @@
+
+ #include "irq-gic-common.h"
+
++static DEFINE_RAW_SPINLOCK(irq_controller_lock);
++
+ static const struct gic_kvm_info *gic_kvm_info;
+
+ const struct gic_kvm_info *gic_get_kvm_info(void)
+@@ -52,11 +54,13 @@ int gic_configure_irq(unsigned int irq,
+ u32 confoff = (irq / 16) * 4;
+ u32 val, oldval;
+ int ret = 0;
++ unsigned long flags;
+
+ /*
+ * Read current configuration register, and insert the config
+ * for "irq", depending on "type".
+ */
++ raw_spin_lock_irqsave(&irq_controller_lock, flags);
+ val = oldval = readl_relaxed(base + GIC_DIST_CONFIG + confoff);
+ if (type & IRQ_TYPE_LEVEL_MASK)
+ val &= ~confmask;
+@@ -64,8 +68,10 @@ int gic_configure_irq(unsigned int irq,
+ val |= confmask;
+
+ /* If the current configuration is the same, then we are done */
+- if (val == oldval)
++ if (val == oldval) {
++ raw_spin_unlock_irqrestore(&irq_controller_lock, flags);
+ return 0;
++ }
+
+ /*
+ * Write back the new configuration, and possibly re-enable
+@@ -83,6 +89,7 @@ int gic_configure_irq(unsigned int irq,
+ pr_warn("GIC: PPI%d is secure or misconfigured\n",
+ irq - 16);
+ }
++ raw_spin_unlock_irqrestore(&irq_controller_lock, flags);
+
+ if (sync_access)
+ sync_access();
--- /dev/null
+From 85e0c4e89c1b864e763c4e3bb15d0b6d501ad5d9 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Mon, 19 Feb 2018 12:22:53 -0500
+Subject: jbd2: if the journal is aborted then don't allow update of the log tail
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 85e0c4e89c1b864e763c4e3bb15d0b6d501ad5d9 upstream.
+
+This updates the jbd2 superblock unnecessarily, and on an abort we
+shouldn't truncate the log.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/journal.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -951,7 +951,7 @@ out:
+ }
+
+ /*
+- * This is a variaon of __jbd2_update_log_tail which checks for validity of
++ * This is a variation of __jbd2_update_log_tail which checks for validity of
+ * provided log tail and locks j_checkpoint_mutex. So it is safe against races
+ * with other threads updating log tail.
+ */
+@@ -1394,6 +1394,9 @@ int jbd2_journal_update_sb_log_tail(jour
+ journal_superblock_t *sb = journal->j_superblock;
+ int ret;
+
++ if (is_journal_aborted(journal))
++ return -EIO;
++
+ BUG_ON(!mutex_is_locked(&journal->j_checkpoint_mutex));
+ jbd_debug(1, "JBD2: updating superblock (start %lu, seq %u)\n",
+ tail_block, tail_tid);
--- /dev/null
+From 0bfdf598900fd62869659f360d3387ed80eb71cf Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Thu, 22 Mar 2018 20:41:46 +1000
+Subject: powerpc/64: Fix smp_wmb barrier definition use use lwsync consistently
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit 0bfdf598900fd62869659f360d3387ed80eb71cf upstream.
+
+asm/barrier.h is not always included after asm/synch.h, which meant
+it was missing __SUBARCH_HAS_LWSYNC, so in some files smp_wmb() would
+be eieio when it should be lwsync. kernel/time/hrtimer.c is one case.
+
+__SUBARCH_HAS_LWSYNC is only used in one place, so just fold it in
+to where it's used. Previously with my small simulator config, 377
+instances of eieio in the tree. After this patch there are 55.
+
+Fixes: 46d075be585e ("powerpc: Optimise smp_wmb")
+Cc: stable@vger.kernel.org # v2.6.29+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/barrier.h | 3 ++-
+ arch/powerpc/include/asm/synch.h | 4 ----
+ 2 files changed, 2 insertions(+), 5 deletions(-)
+
+--- a/arch/powerpc/include/asm/barrier.h
++++ b/arch/powerpc/include/asm/barrier.h
+@@ -34,7 +34,8 @@
+ #define rmb() __asm__ __volatile__ ("sync" : : : "memory")
+ #define wmb() __asm__ __volatile__ ("sync" : : : "memory")
+
+-#ifdef __SUBARCH_HAS_LWSYNC
++/* The sub-arch has lwsync */
++#if defined(__powerpc64__) || defined(CONFIG_PPC_E500MC)
+ # define SMPWMB LWSYNC
+ #else
+ # define SMPWMB eieio
+--- a/arch/powerpc/include/asm/synch.h
++++ b/arch/powerpc/include/asm/synch.h
+@@ -5,10 +5,6 @@
+ #include <linux/stringify.h>
+ #include <asm/feature-fixups.h>
+
+-#if defined(__powerpc64__) || defined(CONFIG_PPC_E500MC)
+-#define __SUBARCH_HAS_LWSYNC
+-#endif
+-
+ #ifndef __ASSEMBLY__
+ extern unsigned int __start___lwsync_fixup, __stop___lwsync_fixup;
+ extern void do_lwsync_fixups(unsigned long value, void *fixup_start,
--- /dev/null
+From 3b8070335f751aac9f1526ae2e012e6f5b8b0f21 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Tue, 10 Apr 2018 21:49:33 +1000
+Subject: powerpc/powernv: Fix OPAL NVRAM driver OPAL_BUSY loops
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit 3b8070335f751aac9f1526ae2e012e6f5b8b0f21 upstream.
+
+The OPAL NVRAM driver does not sleep in case it gets OPAL_BUSY or
+OPAL_BUSY_EVENT from firmware, which causes large scheduling
+latencies, and various lockup errors to trigger (again, BMC reboot
+can cause it).
+
+Fix this by converting it to the standard form OPAL_BUSY loop that
+sleeps.
+
+Fixes: 628daa8d5abf ("powerpc/powernv: Add RTC and NVRAM support plus RTAS fallbacks")
+Depends-on: 34dd25de9fe3 ("powerpc/powernv: define a standard delay for OPAL_BUSY type retry loops")
+Cc: stable@vger.kernel.org # v3.2+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/opal-nvram.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/opal-nvram.c
++++ b/arch/powerpc/platforms/powernv/opal-nvram.c
+@@ -11,6 +11,7 @@
+
+ #define DEBUG
+
++#include <linux/delay.h>
+ #include <linux/kernel.h>
+ #include <linux/init.h>
+ #include <linux/of.h>
+@@ -56,8 +57,12 @@ static ssize_t opal_nvram_write(char *bu
+
+ while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) {
+ rc = opal_write_nvram(__pa(buf), count, off);
+- if (rc == OPAL_BUSY_EVENT)
++ if (rc == OPAL_BUSY_EVENT) {
++ msleep(OPAL_BUSY_DELAY_MS);
+ opal_poll_events(NULL);
++ } else if (rc == OPAL_BUSY) {
++ msleep(OPAL_BUSY_DELAY_MS);
++ }
+ }
+
+ if (rc)
--- /dev/null
+From 741de617661794246f84a21a02fc5e327bffc9ad Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Tue, 27 Mar 2018 01:02:33 +1000
+Subject: powerpc/powernv: Handle unknown OPAL errors in opal_nvram_write()
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit 741de617661794246f84a21a02fc5e327bffc9ad upstream.
+
+opal_nvram_write currently just assumes success if it encounters an
+error other than OPAL_BUSY or OPAL_BUSY_EVENT. Have it return -EIO
+on other errors instead.
+
+Fixes: 628daa8d5abf ("powerpc/powernv: Add RTC and NVRAM support plus RTAS fallbacks")
+Cc: stable@vger.kernel.org # v3.2+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
+Acked-by: Stewart Smith <stewart@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/opal-nvram.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/powerpc/platforms/powernv/opal-nvram.c
++++ b/arch/powerpc/platforms/powernv/opal-nvram.c
+@@ -59,6 +59,10 @@ static ssize_t opal_nvram_write(char *bu
+ if (rc == OPAL_BUSY_EVENT)
+ opal_poll_events(NULL);
+ }
++
++ if (rc)
++ return -EIO;
++
+ *index += count;
+ return count;
+ }
--- /dev/null
+From 9f886f4d1d292442b2f22a0a33321eae821bde40 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 25 Feb 2017 18:21:33 -0400
+Subject: random: use a tighter cap in credit_entropy_bits_safe()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 9f886f4d1d292442b2f22a0a33321eae821bde40 upstream.
+
+This fixes a harmless UBSAN where root could potentially end up
+causing an overflow while bumping the entropy_total field (which is
+ignored once the entropy pool has been initialized, and this generally
+is completed during the boot sequence).
+
+This is marginal for the stable kernel series, but it's a really
+trivial patch, and it fixes UBSAN warning that might cause security
+folks to get overly excited for no reason.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reported-by: Chen Feng <puck.chen@hisilicon.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/random.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -741,7 +741,7 @@ retry:
+
+ static int credit_entropy_bits_safe(struct entropy_store *r, int nbits)
+ {
+- const int nbits_max = (int)(~0U >> (ENTROPY_SHIFT + 1));
++ const int nbits_max = r->poolinfo->poolwords * 32;
+
+ if (nbits < 0)
+ return -EINVAL;
usb-dwc3-pci-properly-cleanup-resource.patch
smb3-fix-root-directory-when-server-returns-inode-number-of-zero.patch
hid-i2c-hid-fix-size-check-and-type-usage.patch
+powerpc-powernv-handle-unknown-opal-errors-in-opal_nvram_write.patch
+powerpc-64-fix-smp_wmb-barrier-definition-use-use-lwsync-consistently.patch
+powerpc-powernv-fix-opal-nvram-driver-opal_busy-loops.patch
+hid-fix-hid_report_len-usage.patch
+hid-core-fix-size-as-type-u32.patch
+asoc-ssm2602-replace-reg_default_raw-with-reg_default.patch
+thunderbolt-resume-control-channel-after-hibernation-image-is-created.patch
+irqchip-gic-take-lock-when-updating-irq-type.patch
+random-use-a-tighter-cap-in-credit_entropy_bits_safe.patch
+jbd2-if-the-journal-is-aborted-then-don-t-allow-update-of-the-log-tail.patch
+ext4-don-t-update-checksum-of-new-initialized-bitmaps.patch
+ext4-protect-i_disksize-update-by-i_data_sem-in-direct-write-path.patch
+ext4-add-validity-checks-for-bitmap-block-numbers.patch
+ext4-fail-ext4_iget-for-root-directory-if-unallocated.patch
+ext4-don-t-allow-r-w-mounts-if-metadata-blocks-overlap-the-superblock.patch
+ext4-force-revalidation-of-directory-pointer-after-seekdir-2.patch
--- /dev/null
+From f2a659f7d8d5da803836583aa16df06bdf324252 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Tue, 19 Dec 2017 12:44:56 +0300
+Subject: thunderbolt: Resume control channel after hibernation image is created
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit f2a659f7d8d5da803836583aa16df06bdf324252 upstream.
+
+The driver misses implementation of PM hook that undoes what
+->freeze_noirq() does after the hibernation image is created. This means
+the control channel is not resumed properly and the Thunderbolt bus
+becomes useless in later stages of hibernation (when the image is stored
+or if the operation fails).
+
+Fix this by pointing ->thaw_noirq to driver nhi_resume_noirq(). This
+makes sure the control channel is resumed properly.
+
+Fixes: 23dd5bb49d98 ("thunderbolt: Add suspend/hibernate support")
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/thunderbolt/nhi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/thunderbolt/nhi.c
++++ b/drivers/thunderbolt/nhi.c
+@@ -628,6 +628,7 @@ static const struct dev_pm_ops nhi_pm_op
+ * we just disable hotplug, the
+ * pci-tunnels stay alive.
+ */
++ .thaw_noirq = nhi_resume_noirq,
+ .restore_noirq = nhi_resume_noirq,
+ };
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
