--- /dev/null
+From c8c6ee611926685a7d753409e0a6e48b9e1b8748 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Thu, 14 Feb 2019 11:41:33 +0800
+Subject: ALSA: hda/realtek: Disable PC beep in passthrough on alc285
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit c8c6ee611926685a7d753409e0a6e48b9e1b8748 upstream.
+
+It is reported that there's a constant background "hum/whitenoise"
+in the headset on the Lenovo X1 machines with the codec alc285, and it
+is confirmed that if we run the command below, the noise will stop.
+ sudo hda-verb /dev/snd/hwC0D0 0x1d SET_PIN_WIDGET_CONTROL 0x0
+
+Then I consulted this issue with Kailang, he told me the pin 0x1d on
+this codec is used for PC beep in, the noise probably comes from this
+pin and we can also disable the PC beep in passthrough, then the PC
+beep in will not affect other sound playback.
+
+Fixes: c4cfcf6f4297 ("ALSA: hda/realtek - fix the pop noise on headphone for lenovo laptops")
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1660581
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5601,6 +5601,7 @@ enum {
+ ALC294_FIXUP_ASUS_HEADSET_MIC,
+ ALC294_FIXUP_ASUS_SPK,
+ ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE,
++ ALC285_FIXUP_LENOVO_PC_BEEP_IN_NOISE,
+ };
+
+ static const struct hda_fixup alc269_fixups[] = {
+@@ -6534,6 +6535,17 @@ static const struct hda_fixup alc269_fix
+ .chained = true,
+ .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC
+ },
++ [ALC285_FIXUP_LENOVO_PC_BEEP_IN_NOISE] = {
++ .type = HDA_FIXUP_VERBS,
++ .v.verbs = (const struct hda_verb[]) {
++ /* Disable PCBEEP-IN passthrough */
++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x36 },
++ { 0x20, AC_VERB_SET_PROC_COEF, 0x57d7 },
++ { }
++ },
++ .chained = true,
++ .chain_id = ALC285_FIXUP_LENOVO_HEADPHONE_NOISE
++ },
+ };
+
+ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+@@ -7215,7 +7227,7 @@ static const struct snd_hda_pin_quirk al
+ {0x12, 0x90a60130},
+ {0x19, 0x03a11020},
+ {0x21, 0x0321101f}),
+- SND_HDA_PIN_QUIRK(0x10ec0285, 0x17aa, "Lenovo", ALC285_FIXUP_LENOVO_HEADPHONE_NOISE,
++ SND_HDA_PIN_QUIRK(0x10ec0285, 0x17aa, "Lenovo", ALC285_FIXUP_LENOVO_PC_BEEP_IN_NOISE,
+ {0x12, 0x90a60130},
+ {0x14, 0x90170110},
+ {0x19, 0x04a11040},
--- /dev/null
+From 7f665b1c3283aae5b61843136d0a8ee808ba3199 Mon Sep 17 00:00:00 2001
+From: Jeremy Soller <jeremy@system76.com>
+Date: Wed, 13 Feb 2019 10:56:19 -0700
+Subject: ALSA: hda/realtek - Headset microphone and internal speaker support for System76 oryp5
+
+From: Jeremy Soller <jeremy@system76.com>
+
+commit 7f665b1c3283aae5b61843136d0a8ee808ba3199 upstream.
+
+On the System76 Oryx Pro (oryp5), there is a headset microphone input
+attached to 0x19 that does not have a jack detect. In order to get it
+working, the pin configuration needs to be set correctly, and the
+ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC fixup needs to be applied. This is
+similar to the MIC_NO_PRESENCE fixups for some Dell laptops, except we
+have a separate microphone jack that is already configured correctly.
+
+Since the ALC1220 does not have a fixup similar to
+ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC, I have exposed the fixup from the
+ALC269 in a way that it can be accessed from the
+alc1220_fixup_system76_oryp5 function. In addition, the
+alc1220_fixup_clevo_p950 needs to be applied to gain speaker output.
+
+Signed-off-by: Jeremy Soller <jeremy@system76.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -1855,6 +1855,8 @@ enum {
+ ALC887_FIXUP_BASS_CHMAP,
+ ALC1220_FIXUP_GB_DUAL_CODECS,
+ ALC1220_FIXUP_CLEVO_P950,
++ ALC1220_FIXUP_SYSTEM76_ORYP5,
++ ALC1220_FIXUP_SYSTEM76_ORYP5_PINS,
+ };
+
+ static void alc889_fixup_coef(struct hda_codec *codec,
+@@ -2056,6 +2058,17 @@ static void alc1220_fixup_clevo_p950(str
+ snd_hda_override_conn_list(codec, 0x1b, 1, conn1);
+ }
+
++static void alc_fixup_headset_mode_no_hp_mic(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action);
++
++static void alc1220_fixup_system76_oryp5(struct hda_codec *codec,
++ const struct hda_fixup *fix,
++ int action)
++{
++ alc1220_fixup_clevo_p950(codec, fix, action);
++ alc_fixup_headset_mode_no_hp_mic(codec, fix, action);
++}
++
+ static const struct hda_fixup alc882_fixups[] = {
+ [ALC882_FIXUP_ABIT_AW9D_MAX] = {
+ .type = HDA_FIXUP_PINS,
+@@ -2300,6 +2313,19 @@ static const struct hda_fixup alc882_fix
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc1220_fixup_clevo_p950,
+ },
++ [ALC1220_FIXUP_SYSTEM76_ORYP5] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc1220_fixup_system76_oryp5,
++ },
++ [ALC1220_FIXUP_SYSTEM76_ORYP5_PINS] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x19, 0x01a1913c }, /* use as headset mic, without its own jack detect */
++ {}
++ },
++ .chained = true,
++ .chain_id = ALC1220_FIXUP_SYSTEM76_ORYP5,
++ },
+ };
+
+ static const struct snd_pci_quirk alc882_fixup_tbl[] = {
+@@ -2376,6 +2402,8 @@ static const struct snd_pci_quirk alc882
+ SND_PCI_QUIRK(0x1558, 0x9501, "Clevo P950HR", ALC1220_FIXUP_CLEVO_P950),
+ SND_PCI_QUIRK(0x1558, 0x95e1, "Clevo P95xER", ALC1220_FIXUP_CLEVO_P950),
+ SND_PCI_QUIRK(0x1558, 0x95e2, "Clevo P950ER", ALC1220_FIXUP_CLEVO_P950),
++ SND_PCI_QUIRK(0x1558, 0x96e1, "System76 Oryx Pro (oryp5)", ALC1220_FIXUP_SYSTEM76_ORYP5_PINS),
++ SND_PCI_QUIRK(0x1558, 0x97e1, "System76 Oryx Pro (oryp5)", ALC1220_FIXUP_SYSTEM76_ORYP5_PINS),
+ SND_PCI_QUIRK_VENDOR(0x1558, "Clevo laptop", ALC882_FIXUP_EAPD),
+ SND_PCI_QUIRK(0x161f, 0x2054, "Medion laptop", ALC883_FIXUP_EAPD),
+ SND_PCI_QUIRK(0x17aa, 0x3a0d, "Lenovo Y530", ALC882_FIXUP_LENOVO_Y530),
--- /dev/null
+From 04242ff3ac0abbaa4362f97781dac268e6c3541a Mon Sep 17 00:00:00 2001
+From: "Yan, Zheng" <zyan@redhat.com>
+Date: Mon, 11 Feb 2019 15:18:52 +0800
+Subject: ceph: avoid repeatedly adding inode to mdsc->snap_flush_list
+
+From: Yan, Zheng <zyan@redhat.com>
+
+commit 04242ff3ac0abbaa4362f97781dac268e6c3541a upstream.
+
+Otherwise, mdsc->snap_flush_list may get corrupted.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/snap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ceph/snap.c
++++ b/fs/ceph/snap.c
+@@ -616,7 +616,8 @@ int __ceph_finish_cap_snap(struct ceph_i
+ capsnap->size);
+
+ spin_lock(&mdsc->snap_flush_lock);
+- list_add_tail(&ci->i_snap_flush_item, &mdsc->snap_flush_list);
++ if (list_empty(&ci->i_snap_flush_item))
++ list_add_tail(&ci->i_snap_flush_item, &mdsc->snap_flush_list);
+ spin_unlock(&mdsc->snap_flush_lock);
+ return 1; /* caller may want to ceph_flush_snaps */
+ }
--- /dev/null
+From fa84667b98fd1a191b2465d66b440bda6714b3bf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ren=C3=A9=20van=20Dorst?= <opensource@vdorst.com>
+Date: Wed, 30 Jan 2019 17:10:49 +0100
+Subject: gpio: MT7621: use a per instance irq_chip structure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: René van Dorst <opensource@vdorst.com>
+
+commit fa84667b98fd1a191b2465d66b440bda6714b3bf upstream.
+
+This fixes the kernel complains:
+gpio gpiochip1: (1e000600.gpio-bank1): detected irqchip that is shared
+ with multiple gpiochips: please fix the driver.
+gpio gpiochip2: (1e000600.gpio-bank2): detected irqchip that is shared
+ with multiple gpiochips: please fix the driver.
+
+Fixes: 4ba9c3afda41 ("gpio: mt7621: Add a driver for MT7621")
+Cc: stable@vger.kernel.org
+Signed-off-by: René van Dorst <opensource@vdorst.com>
+Cc: linux-gpio@vger.kernel.org
+Cc: linux-mediatek@lists.infradead.org
+Tested-by: Greg Ungerer <gerg@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpio-mt7621.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpio/gpio-mt7621.c
++++ b/drivers/gpio/gpio-mt7621.c
+@@ -30,6 +30,7 @@
+ #define GPIO_REG_EDGE 0xA0
+
+ struct mtk_gc {
++ struct irq_chip irq_chip;
+ struct gpio_chip chip;
+ spinlock_t lock;
+ int bank;
+@@ -189,13 +190,6 @@ mediatek_gpio_irq_type(struct irq_data *
+ return 0;
+ }
+
+-static struct irq_chip mediatek_gpio_irq_chip = {
+- .irq_unmask = mediatek_gpio_irq_unmask,
+- .irq_mask = mediatek_gpio_irq_mask,
+- .irq_mask_ack = mediatek_gpio_irq_mask,
+- .irq_set_type = mediatek_gpio_irq_type,
+-};
+-
+ static int
+ mediatek_gpio_xlate(struct gpio_chip *chip,
+ const struct of_phandle_args *spec, u32 *flags)
+@@ -254,6 +248,13 @@ mediatek_gpio_bank_probe(struct device *
+ return ret;
+ }
+
++ rg->irq_chip.name = dev_name(dev);
++ rg->irq_chip.parent_device = dev;
++ rg->irq_chip.irq_unmask = mediatek_gpio_irq_unmask;
++ rg->irq_chip.irq_mask = mediatek_gpio_irq_mask;
++ rg->irq_chip.irq_mask_ack = mediatek_gpio_irq_mask;
++ rg->irq_chip.irq_set_type = mediatek_gpio_irq_type;
++
+ if (mtk->gpio_irq) {
+ /*
+ * Manually request the irq here instead of passing
+@@ -270,14 +271,14 @@ mediatek_gpio_bank_probe(struct device *
+ return ret;
+ }
+
+- ret = gpiochip_irqchip_add(&rg->chip, &mediatek_gpio_irq_chip,
++ ret = gpiochip_irqchip_add(&rg->chip, &rg->irq_chip,
+ 0, handle_simple_irq, IRQ_TYPE_NONE);
+ if (ret) {
+ dev_err(dev, "failed to add gpiochip_irqchip\n");
+ return ret;
+ }
+
+- gpiochip_set_chained_irqchip(&rg->chip, &mediatek_gpio_irq_chip,
++ gpiochip_set_chained_irqchip(&rg->chip, &rg->irq_chip,
+ mtk->gpio_irq, NULL);
+ }
+
+@@ -310,7 +311,6 @@ mediatek_gpio_probe(struct platform_devi
+ mtk->gpio_irq = irq_of_parse_and_map(np, 0);
+ mtk->dev = dev;
+ platform_set_drvdata(pdev, mtk);
+- mediatek_gpio_irq_chip.name = dev_name(dev);
+
+ for (i = 0; i < MTK_BANK_CNT; i++) {
+ ret = mediatek_gpio_bank_probe(dev, np, i);
--- /dev/null
+From af14b2c98adb85e9517390bb88309338b9075350 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Thu, 14 Feb 2019 00:06:18 +0100
+Subject: gpio: pxa: avoid attempting to set pin direction via pinctrl on MMP2
+
+From: Lubomir Rintel <lkundrak@v3.sk>
+
+commit af14b2c98adb85e9517390bb88309338b9075350 upstream.
+
+Similarly to PXA3xx, pinctrl-single can't set pin direction on MMP2 either.
+See also: commit 9dabfdd84bdfa ("gpio: pxa: disable pinctrl calls for
+PXA3xx")
+
+Cc: stable@vger.kernel.org
+Fixes: a770d946371e ("gpio: pxa: add pin control gpio direction and request")
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpio-pxa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpio/gpio-pxa.c
++++ b/drivers/gpio/gpio-pxa.c
+@@ -245,6 +245,7 @@ static bool pxa_gpio_has_pinctrl(void)
+ {
+ switch (gpio_type) {
+ case PXA3XX_GPIO:
++ case MMP2_GPIO:
+ return false;
+
+ default:
--- /dev/null
+From a08bf91ce28ed3ae7b6fef35d843fef8dc8c2cd9 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 14 Feb 2019 16:20:01 +0000
+Subject: KEYS: allow reaching the keys quotas exactly
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit a08bf91ce28ed3ae7b6fef35d843fef8dc8c2cd9 upstream.
+
+If the sysctl 'kernel.keys.maxkeys' is set to some number n, then
+actually users can only add up to 'n - 1' keys. Likewise for
+'kernel.keys.maxbytes' and the root_* versions of these sysctls. But
+these sysctls are apparently supposed to be *maximums*, as per their
+names and all documentation I could find -- the keyrings(7) man page,
+Documentation/security/keys/core.rst, and all the mentions of EDQUOT
+meaning that the key quota was *exceeded* (as opposed to reached).
+
+Thus, fix the code to allow reaching the quotas exactly.
+
+Fixes: 0b77f5bfb45c ("keys: make the keyring quotas controllable through /proc/sys")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/key.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -265,8 +265,8 @@ struct key *key_alloc(struct key_type *t
+
+ spin_lock(&user->lock);
+ if (!(flags & KEY_ALLOC_QUOTA_OVERRUN)) {
+- if (user->qnkeys + 1 >= maxkeys ||
+- user->qnbytes + quotalen >= maxbytes ||
++ if (user->qnkeys + 1 > maxkeys ||
++ user->qnbytes + quotalen > maxbytes ||
+ user->qnbytes + quotalen < user->qnbytes)
+ goto no_quota;
+ }
--- /dev/null
+From 2c4f1fcbef0bc324830bc2fb1a264c08ec93dec5 Mon Sep 17 00:00:00 2001
+From: Changbin Du <changbin.du@gmail.com>
+Date: Fri, 25 Jan 2019 23:10:50 +0800
+Subject: kprobe: Do not use uaccess functions to access kernel memory that can fault
+
+From: Changbin Du <changbin.du@gmail.com>
+
+commit 2c4f1fcbef0bc324830bc2fb1a264c08ec93dec5 upstream.
+
+The userspace can ask kprobe to intercept strings at any memory address,
+including invalid kernel address. In this case, fetch_store_strlen()
+would crash since it uses general usercopy function, and user access
+functions are no longer allowed to access kernel memory.
+
+For example, we can crash the kernel by doing something as below:
+
+$ sudo kprobe 'p:do_sys_open +0(+0(%si)):string'
+
+[ 103.620391] BUG: GPF in non-whitelisted uaccess (non-canonical address?)
+[ 103.622104] general protection fault: 0000 [#1] SMP PTI
+[ 103.623424] CPU: 10 PID: 1046 Comm: cat Not tainted 5.0.0-rc3-00130-gd73aba1-dirty #96
+[ 103.625321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-2-g628b2e6-dirty-20190104_103505-linux 04/01/2014
+[ 103.628284] RIP: 0010:process_fetch_insn+0x1ab/0x4b0
+[ 103.629518] Code: 10 83 80 28 2e 00 00 01 31 d2 31 ff 48 8b 74 24 28 eb 0c 81 fa ff 0f 00 00 7f 1c 85 c0 75 18 66 66 90 0f ae e8 48 63
+ ca 89 f8 <8a> 0c 31 66 66 90 83 c2 01 84 c9 75 dc 89 54 24 34 89 44 24 28 48
+[ 103.634032] RSP: 0018:ffff88845eb37ce0 EFLAGS: 00010246
+[ 103.635312] RAX: 0000000000000000 RBX: ffff888456c4e5a8 RCX: 0000000000000000
+[ 103.637057] RDX: 0000000000000000 RSI: 2e646c2f6374652f RDI: 0000000000000000
+[ 103.638795] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+[ 103.640556] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
+[ 103.642297] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 103.644040] FS: 0000000000000000(0000) GS:ffff88846f000000(0000) knlGS:0000000000000000
+[ 103.646019] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 103.647436] CR2: 00007ffc79758038 CR3: 0000000463360006 CR4: 0000000000020ee0
+[ 103.649147] Call Trace:
+[ 103.649781] ? sched_clock_cpu+0xc/0xa0
+[ 103.650747] ? do_sys_open+0x5/0x220
+[ 103.651635] kprobe_trace_func+0x303/0x380
+[ 103.652645] ? do_sys_open+0x5/0x220
+[ 103.653528] kprobe_dispatcher+0x45/0x50
+[ 103.654682] ? do_sys_open+0x1/0x220
+[ 103.655875] kprobe_ftrace_handler+0x90/0xf0
+[ 103.657282] ftrace_ops_assist_func+0x54/0xf0
+[ 103.658564] ? __call_rcu+0x1dc/0x280
+[ 103.659482] 0xffffffffc00000bf
+[ 103.660384] ? __ia32_sys_open+0x20/0x20
+[ 103.661682] ? do_sys_open+0x1/0x220
+[ 103.662863] do_sys_open+0x5/0x220
+[ 103.663988] do_syscall_64+0x60/0x210
+[ 103.665201] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 103.666862] RIP: 0033:0x7fc22fadccdd
+[ 103.668034] Code: 48 89 54 24 e0 41 83 e2 40 75 32 89 f0 25 00 00 41 00 3d 00 00 41 00 74 24 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff
+ ff 0f 05 <48> 3d 00 f0 ff ff 77 33 f3 c3 66 0f 1f 84 00 00 00 00 00 48 8d 44
+[ 103.674029] RSP: 002b:00007ffc7972c3a8 EFLAGS: 00000287 ORIG_RAX: 0000000000000101
+[ 103.676512] RAX: ffffffffffffffda RBX: 0000562f86147a21 RCX: 00007fc22fadccdd
+[ 103.678853] RDX: 0000000000080000 RSI: 00007fc22fae1428 RDI: 00000000ffffff9c
+[ 103.681151] RBP: ffffffffffffffff R08: 0000000000000000 R09: 0000000000000000
+[ 103.683489] R10: 0000000000000000 R11: 0000000000000287 R12: 00007fc22fce90a8
+[ 103.685774] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
+[ 103.688056] Modules linked in:
+[ 103.689131] ---[ end trace 43792035c28984a1 ]---
+
+This can be fixed by using probe_mem_read() instead, as it can handle faulting
+kernel memory addresses, which kprobes can legitimately do.
+
+Link: http://lkml.kernel.org/r/20190125151051.7381-1-changbin.du@gmail.com
+
+Cc: stable@vger.kernel.org
+Fixes: 9da3f2b7405 ("x86/fault: BUG() when uaccess helpers fault on kernel addresses")
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_kprobe.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+--- a/kernel/trace/trace_kprobe.c
++++ b/kernel/trace/trace_kprobe.c
+@@ -878,22 +878,14 @@ static const struct file_operations kpro
+ static nokprobe_inline int
+ fetch_store_strlen(unsigned long addr)
+ {
+- mm_segment_t old_fs;
+ int ret, len = 0;
+ u8 c;
+
+- old_fs = get_fs();
+- set_fs(KERNEL_DS);
+- pagefault_disable();
+-
+ do {
+- ret = __copy_from_user_inatomic(&c, (u8 *)addr + len, 1);
++ ret = probe_mem_read(&c, (u8 *)addr + len, 1);
+ len++;
+ } while (c && ret == 0 && len < MAX_STRING_SIZE);
+
+- pagefault_enable();
+- set_fs(old_fs);
+-
+ return (ret < 0) ? ret : len;
+ }
+
--- /dev/null
+From 0fd3fd0a9bb0b02b6435bb7070e9f7b82a23f068 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Tue, 5 Feb 2019 20:30:27 +0100
+Subject: libceph: handle an empty authorize reply
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 0fd3fd0a9bb0b02b6435bb7070e9f7b82a23f068 upstream.
+
+The authorize reply can be empty, for example when the ticket used to
+build the authorizer is too old and TAG_BADAUTHORIZER is returned from
+the service. Calling ->verify_authorizer_reply() results in an attempt
+to decrypt and validate (somewhat) random data in au->buf (most likely
+the signature block from calc_signature()), which fails and ends up in
+con_fault_finish() with !con->auth_retry. The ticket isn't invalidated
+and the connection is retried again and again until a new ticket is
+obtained from the monitor:
+
+ libceph: osd2 192.168.122.1:6809 bad authorize reply
+ libceph: osd2 192.168.122.1:6809 bad authorize reply
+ libceph: osd2 192.168.122.1:6809 bad authorize reply
+ libceph: osd2 192.168.122.1:6809 bad authorize reply
+
+Let TAG_BADAUTHORIZER handler kick in and increment con->auth_retry.
+
+Cc: stable@vger.kernel.org
+Fixes: 5c056fdc5b47 ("libceph: verify authorize reply on connect")
+Link: https://tracker.ceph.com/issues/20164
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Sage Weil <sage@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/messenger.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -2071,6 +2071,8 @@ static int process_connect(struct ceph_c
+ dout("process_connect on %p tag %d\n", con, (int)con->in_tag);
+
+ if (con->auth) {
++ int len = le32_to_cpu(con->in_reply.authorizer_len);
++
+ /*
+ * Any connection that defines ->get_authorizer()
+ * should also define ->add_authorizer_challenge() and
+@@ -2080,8 +2082,7 @@ static int process_connect(struct ceph_c
+ */
+ if (con->in_reply.tag == CEPH_MSGR_TAG_CHALLENGE_AUTHORIZER) {
+ ret = con->ops->add_authorizer_challenge(
+- con, con->auth->authorizer_reply_buf,
+- le32_to_cpu(con->in_reply.authorizer_len));
++ con, con->auth->authorizer_reply_buf, len);
+ if (ret < 0)
+ return ret;
+
+@@ -2091,10 +2092,12 @@ static int process_connect(struct ceph_c
+ return 0;
+ }
+
+- ret = con->ops->verify_authorizer_reply(con);
+- if (ret < 0) {
+- con->error_msg = "bad authorize reply";
+- return ret;
++ if (len) {
++ ret = con->ops->verify_authorizer_reply(con);
++ if (ret < 0) {
++ con->error_msg = "bad authorize reply";
++ return ret;
++ }
+ }
+ }
+
--- /dev/null
+From 4ff3a9d14c6c06eaa4e5976c61599ea2bd9e81b2 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 14 Feb 2019 22:03:25 +0800
+Subject: mac80211: Free mpath object when rhashtable insertion fails
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 4ff3a9d14c6c06eaa4e5976c61599ea2bd9e81b2 upstream.
+
+When rhashtable insertion fails the mesh table code doesn't free
+the now-orphan mesh path object. This patch fixes that.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mesh_pathtbl.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -436,17 +436,15 @@ struct mesh_path *mesh_path_add(struct i
+ } while (unlikely(ret == -EEXIST && !mpath));
+ spin_unlock_bh(&tbl->walk_lock);
+
+- if (ret && ret != -EEXIST)
+- return ERR_PTR(ret);
+-
+- /* At this point either new_mpath was added, or we found a
+- * matching entry already in the table; in the latter case
+- * free the unnecessary new entry.
+- */
+- if (ret == -EEXIST) {
++ if (ret) {
+ kfree(new_mpath);
++
++ if (ret != -EEXIST)
++ return ERR_PTR(ret);
++
+ new_mpath = mpath;
+ }
++
+ sdata->u.mesh.mesh_paths_generation++;
+ return new_mpath;
+ }
+@@ -481,6 +479,9 @@ int mpp_path_add(struct ieee80211_sub_if
+ hlist_add_head_rcu(&new_mpath->walk_list, &tbl->walk_head);
+ spin_unlock_bh(&tbl->walk_lock);
+
++ if (ret)
++ kfree(new_mpath);
++
+ sdata->u.mesh.mpp_paths_generation++;
+ return ret;
+ }
--- /dev/null
+From 83e37e0bdd1470bbe6612250b745ad39b1a7b130 Mon Sep 17 00:00:00 2001
+From: Rakesh Pillai <pillair@codeaurora.org>
+Date: Fri, 15 Feb 2019 14:16:02 +0530
+Subject: mac80211: Restore vif beacon interval if start ap fails
+
+From: Rakesh Pillai <pillair@codeaurora.org>
+
+commit 83e37e0bdd1470bbe6612250b745ad39b1a7b130 upstream.
+
+The starting of AP interface can fail due to invalid
+beacon interval, which does not match the minimum gcd
+requirement set by the wifi driver. In such case, the
+beacon interval of that interface gets updated with
+that invalid beacon interval.
+
+The next time that interface is brought up in AP mode,
+an interface combination check is performed and the
+beacon interval is taken from the previously set value.
+
+In a case where an invalid beacon interval, i.e. a beacon
+interval value which does not satisfy the minimum gcd criteria
+set by the driver, is set, all the subsequent trials to
+bring that interface in AP mode will fail, even if the
+subsequent trials have a valid beacon interval.
+
+To avoid this, in case of a failure in bringing up an
+interface in AP mode due to interface combination error,
+the interface beacon interval which is stored in bss
+conf, needs to be restored with the last working value
+of beacon interval.
+
+Tested on ath10k using WCN3990.
+
+Cc: stable@vger.kernel.org
+Fixes: 0c317a02ca98 ("cfg80211: support virtual interfaces with different beacon intervals")
+Signed-off-by: Rakesh Pillai <pillair@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/cfg.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -941,6 +941,7 @@ static int ieee80211_start_ap(struct wip
+ BSS_CHANGED_P2P_PS |
+ BSS_CHANGED_TXPOWER;
+ int err;
++ int prev_beacon_int;
+
+ old = sdata_dereference(sdata->u.ap.beacon, sdata);
+ if (old)
+@@ -963,6 +964,7 @@ static int ieee80211_start_ap(struct wip
+
+ sdata->needed_rx_chains = sdata->local->rx_chains;
+
++ prev_beacon_int = sdata->vif.bss_conf.beacon_int;
+ sdata->vif.bss_conf.beacon_int = params->beacon_interval;
+
+ if (params->he_cap)
+@@ -974,8 +976,10 @@ static int ieee80211_start_ap(struct wip
+ if (!err)
+ ieee80211_vif_copy_chanctx_to_vlans(sdata, false);
+ mutex_unlock(&local->mtx);
+- if (err)
++ if (err) {
++ sdata->vif.bss_conf.beacon_int = prev_beacon_int;
+ return err;
++ }
+
+ /*
+ * Apply control port protocol, this allows us to
--- /dev/null
+From b4c3fbe6360178dc2181b7b43b7ae793a192b282 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 14 Feb 2019 22:03:24 +0800
+Subject: mac80211: Use linked list instead of rhashtable walk for mesh tables
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit b4c3fbe6360178dc2181b7b43b7ae793a192b282 upstream.
+
+The mesh table code walks over hash tables for two purposes. First of
+all it's used as part of a netlink dump process, but it is also used
+for looking up entries to delete using criteria other than the hash
+key.
+
+The second purpose is directly contrary to the design specification
+of rhashtable walks. It is only meant for use by netlink dumps.
+
+This is because rhashtable is resizable and you cannot obtain a
+stable walk over it during a resize process.
+
+In fact mesh's use of rhashtable for dumping is bogus too. Rather
+than using rhashtable walk's iterator to keep track of the current
+position, it always converts the current position to an integer
+which defeats the purpose of the iterator.
+
+Therefore this patch converts all uses of rhashtable walk into a
+simple linked list.
+
+This patch also adds a new spin lock to protect the hash table
+insertion/removal as well as the walk list modifications. In fact
+the previous code was buggy as the removals can race with each
+other, potentially resulting in a double-free.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mesh.h | 6 +
+ net/mac80211/mesh_pathtbl.c | 138 +++++++++++---------------------------------
+ 2 files changed, 43 insertions(+), 101 deletions(-)
+
+--- a/net/mac80211/mesh.h
++++ b/net/mac80211/mesh.h
+@@ -70,6 +70,7 @@ enum mesh_deferred_task_flags {
+ * @dst: mesh path destination mac address
+ * @mpp: mesh proxy mac address
+ * @rhash: rhashtable list pointer
++ * @walk_list: linked list containing all mesh_path objects.
+ * @gate_list: list pointer for known gates list
+ * @sdata: mesh subif
+ * @next_hop: mesh neighbor to which frames for this destination will be
+@@ -105,6 +106,7 @@ struct mesh_path {
+ u8 dst[ETH_ALEN];
+ u8 mpp[ETH_ALEN]; /* used for MPP or MAP */
+ struct rhash_head rhash;
++ struct hlist_node walk_list;
+ struct hlist_node gate_list;
+ struct ieee80211_sub_if_data *sdata;
+ struct sta_info __rcu *next_hop;
+@@ -133,12 +135,16 @@ struct mesh_path {
+ * gate's mpath may or may not be resolved and active.
+ * @gates_lock: protects updates to known_gates
+ * @rhead: the rhashtable containing struct mesh_paths, keyed by dest addr
++ * @walk_head: linked list containging all mesh_path objects
++ * @walk_lock: lock protecting walk_head
+ * @entries: number of entries in the table
+ */
+ struct mesh_table {
+ struct hlist_head known_gates;
+ spinlock_t gates_lock;
+ struct rhashtable rhead;
++ struct hlist_head walk_head;
++ spinlock_t walk_lock;
+ atomic_t entries; /* Up to MAX_MESH_NEIGHBOURS */
+ };
+
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -59,8 +59,10 @@ static struct mesh_table *mesh_table_all
+ return NULL;
+
+ INIT_HLIST_HEAD(&newtbl->known_gates);
++ INIT_HLIST_HEAD(&newtbl->walk_head);
+ atomic_set(&newtbl->entries, 0);
+ spin_lock_init(&newtbl->gates_lock);
++ spin_lock_init(&newtbl->walk_lock);
+
+ return newtbl;
+ }
+@@ -249,28 +251,15 @@ mpp_path_lookup(struct ieee80211_sub_if_
+ static struct mesh_path *
+ __mesh_path_lookup_by_idx(struct mesh_table *tbl, int idx)
+ {
+- int i = 0, ret;
+- struct mesh_path *mpath = NULL;
+- struct rhashtable_iter iter;
+-
+- ret = rhashtable_walk_init(&tbl->rhead, &iter, GFP_ATOMIC);
+- if (ret)
+- return NULL;
+-
+- rhashtable_walk_start(&iter);
++ int i = 0;
++ struct mesh_path *mpath;
+
+- while ((mpath = rhashtable_walk_next(&iter))) {
+- if (IS_ERR(mpath) && PTR_ERR(mpath) == -EAGAIN)
+- continue;
+- if (IS_ERR(mpath))
+- break;
++ hlist_for_each_entry_rcu(mpath, &tbl->walk_head, walk_list) {
+ if (i++ == idx)
+ break;
+ }
+- rhashtable_walk_stop(&iter);
+- rhashtable_walk_exit(&iter);
+
+- if (IS_ERR(mpath) || !mpath)
++ if (!mpath)
+ return NULL;
+
+ if (mpath_expired(mpath)) {
+@@ -432,6 +421,7 @@ struct mesh_path *mesh_path_add(struct i
+ return ERR_PTR(-ENOMEM);
+
+ tbl = sdata->u.mesh.mesh_paths;
++ spin_lock_bh(&tbl->walk_lock);
+ do {
+ ret = rhashtable_lookup_insert_fast(&tbl->rhead,
+ &new_mpath->rhash,
+@@ -441,8 +431,10 @@ struct mesh_path *mesh_path_add(struct i
+ mpath = rhashtable_lookup_fast(&tbl->rhead,
+ dst,
+ mesh_rht_params);
+-
++ else if (!ret)
++ hlist_add_head(&new_mpath->walk_list, &tbl->walk_head);
+ } while (unlikely(ret == -EEXIST && !mpath));
++ spin_unlock_bh(&tbl->walk_lock);
+
+ if (ret && ret != -EEXIST)
+ return ERR_PTR(ret);
+@@ -480,9 +472,14 @@ int mpp_path_add(struct ieee80211_sub_if
+
+ memcpy(new_mpath->mpp, mpp, ETH_ALEN);
+ tbl = sdata->u.mesh.mpp_paths;
++
++ spin_lock_bh(&tbl->walk_lock);
+ ret = rhashtable_lookup_insert_fast(&tbl->rhead,
+ &new_mpath->rhash,
+ mesh_rht_params);
++ if (!ret)
++ hlist_add_head_rcu(&new_mpath->walk_list, &tbl->walk_head);
++ spin_unlock_bh(&tbl->walk_lock);
+
+ sdata->u.mesh.mpp_paths_generation++;
+ return ret;
+@@ -503,20 +500,9 @@ void mesh_plink_broken(struct sta_info *
+ struct mesh_table *tbl = sdata->u.mesh.mesh_paths;
+ static const u8 bcast[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
+ struct mesh_path *mpath;
+- struct rhashtable_iter iter;
+- int ret;
+-
+- ret = rhashtable_walk_init(&tbl->rhead, &iter, GFP_ATOMIC);
+- if (ret)
+- return;
+-
+- rhashtable_walk_start(&iter);
+
+- while ((mpath = rhashtable_walk_next(&iter))) {
+- if (IS_ERR(mpath) && PTR_ERR(mpath) == -EAGAIN)
+- continue;
+- if (IS_ERR(mpath))
+- break;
++ rcu_read_lock();
++ hlist_for_each_entry_rcu(mpath, &tbl->walk_head, walk_list) {
+ if (rcu_access_pointer(mpath->next_hop) == sta &&
+ mpath->flags & MESH_PATH_ACTIVE &&
+ !(mpath->flags & MESH_PATH_FIXED)) {
+@@ -530,8 +516,7 @@ void mesh_plink_broken(struct sta_info *
+ WLAN_REASON_MESH_PATH_DEST_UNREACHABLE, bcast);
+ }
+ }
+- rhashtable_walk_stop(&iter);
+- rhashtable_walk_exit(&iter);
++ rcu_read_unlock();
+ }
+
+ static void mesh_path_free_rcu(struct mesh_table *tbl,
+@@ -551,6 +536,7 @@ static void mesh_path_free_rcu(struct me
+
+ static void __mesh_path_del(struct mesh_table *tbl, struct mesh_path *mpath)
+ {
++ hlist_del_rcu(&mpath->walk_list);
+ rhashtable_remove_fast(&tbl->rhead, &mpath->rhash, mesh_rht_params);
+ mesh_path_free_rcu(tbl, mpath);
+ }
+@@ -571,27 +557,14 @@ void mesh_path_flush_by_nexthop(struct s
+ struct ieee80211_sub_if_data *sdata = sta->sdata;
+ struct mesh_table *tbl = sdata->u.mesh.mesh_paths;
+ struct mesh_path *mpath;
+- struct rhashtable_iter iter;
+- int ret;
+-
+- ret = rhashtable_walk_init(&tbl->rhead, &iter, GFP_ATOMIC);
+- if (ret)
+- return;
+-
+- rhashtable_walk_start(&iter);
+-
+- while ((mpath = rhashtable_walk_next(&iter))) {
+- if (IS_ERR(mpath) && PTR_ERR(mpath) == -EAGAIN)
+- continue;
+- if (IS_ERR(mpath))
+- break;
++ struct hlist_node *n;
+
++ spin_lock_bh(&tbl->walk_lock);
++ hlist_for_each_entry_safe(mpath, n, &tbl->walk_head, walk_list) {
+ if (rcu_access_pointer(mpath->next_hop) == sta)
+ __mesh_path_del(tbl, mpath);
+ }
+-
+- rhashtable_walk_stop(&iter);
+- rhashtable_walk_exit(&iter);
++ spin_unlock_bh(&tbl->walk_lock);
+ }
+
+ static void mpp_flush_by_proxy(struct ieee80211_sub_if_data *sdata,
+@@ -599,51 +572,26 @@ static void mpp_flush_by_proxy(struct ie
+ {
+ struct mesh_table *tbl = sdata->u.mesh.mpp_paths;
+ struct mesh_path *mpath;
+- struct rhashtable_iter iter;
+- int ret;
+-
+- ret = rhashtable_walk_init(&tbl->rhead, &iter, GFP_ATOMIC);
+- if (ret)
+- return;
+-
+- rhashtable_walk_start(&iter);
+-
+- while ((mpath = rhashtable_walk_next(&iter))) {
+- if (IS_ERR(mpath) && PTR_ERR(mpath) == -EAGAIN)
+- continue;
+- if (IS_ERR(mpath))
+- break;
++ struct hlist_node *n;
+
++ spin_lock_bh(&tbl->walk_lock);
++ hlist_for_each_entry_safe(mpath, n, &tbl->walk_head, walk_list) {
+ if (ether_addr_equal(mpath->mpp, proxy))
+ __mesh_path_del(tbl, mpath);
+ }
+-
+- rhashtable_walk_stop(&iter);
+- rhashtable_walk_exit(&iter);
++ spin_unlock_bh(&tbl->walk_lock);
+ }
+
+ static void table_flush_by_iface(struct mesh_table *tbl)
+ {
+ struct mesh_path *mpath;
+- struct rhashtable_iter iter;
+- int ret;
+-
+- ret = rhashtable_walk_init(&tbl->rhead, &iter, GFP_ATOMIC);
+- if (ret)
+- return;
+-
+- rhashtable_walk_start(&iter);
++ struct hlist_node *n;
+
+- while ((mpath = rhashtable_walk_next(&iter))) {
+- if (IS_ERR(mpath) && PTR_ERR(mpath) == -EAGAIN)
+- continue;
+- if (IS_ERR(mpath))
+- break;
++ spin_lock_bh(&tbl->walk_lock);
++ hlist_for_each_entry_safe(mpath, n, &tbl->walk_head, walk_list) {
+ __mesh_path_del(tbl, mpath);
+ }
+-
+- rhashtable_walk_stop(&iter);
+- rhashtable_walk_exit(&iter);
++ spin_unlock_bh(&tbl->walk_lock);
+ }
+
+ /**
+@@ -675,7 +623,7 @@ static int table_path_del(struct mesh_ta
+ {
+ struct mesh_path *mpath;
+
+- rcu_read_lock();
++ spin_lock_bh(&tbl->walk_lock);
+ mpath = rhashtable_lookup_fast(&tbl->rhead, addr, mesh_rht_params);
+ if (!mpath) {
+ rcu_read_unlock();
+@@ -683,7 +631,7 @@ static int table_path_del(struct mesh_ta
+ }
+
+ __mesh_path_del(tbl, mpath);
+- rcu_read_unlock();
++ spin_unlock_bh(&tbl->walk_lock);
+ return 0;
+ }
+
+@@ -854,28 +802,16 @@ void mesh_path_tbl_expire(struct ieee802
+ struct mesh_table *tbl)
+ {
+ struct mesh_path *mpath;
+- struct rhashtable_iter iter;
+- int ret;
++ struct hlist_node *n;
+
+- ret = rhashtable_walk_init(&tbl->rhead, &iter, GFP_KERNEL);
+- if (ret)
+- return;
+-
+- rhashtable_walk_start(&iter);
+-
+- while ((mpath = rhashtable_walk_next(&iter))) {
+- if (IS_ERR(mpath) && PTR_ERR(mpath) == -EAGAIN)
+- continue;
+- if (IS_ERR(mpath))
+- break;
++ spin_lock_bh(&tbl->walk_lock);
++ hlist_for_each_entry_safe(mpath, n, &tbl->walk_head, walk_list) {
+ if ((!(mpath->flags & MESH_PATH_RESOLVING)) &&
+ (!(mpath->flags & MESH_PATH_FIXED)) &&
+ time_after(jiffies, mpath->exp_time + MESH_PATH_EXPIRE))
+ __mesh_path_del(tbl, mpath);
+ }
+-
+- rhashtable_walk_stop(&iter);
+- rhashtable_walk_exit(&iter);
++ spin_unlock_bh(&tbl->walk_lock);
+ }
+
+ void mesh_path_expire(struct ieee80211_sub_if_data *sdata)
--- /dev/null
+From 13443154f6cac61d148471ede6d7f1f6b5ea946a Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@mips.com>
+Date: Fri, 15 Feb 2019 20:14:15 +0000
+Subject: MIPS: eBPF: Always return sign extended 32b values
+
+From: Paul Burton <paul.burton@mips.com>
+
+commit 13443154f6cac61d148471ede6d7f1f6b5ea946a upstream.
+
+The function prototype used to call JITed eBPF code (ie. the type of the
+struct bpf_prog bpf_func field) returns an unsigned int. The MIPS n64
+ABI that MIPS64 kernels target defines that 32 bit integers should
+always be sign extended when passed in registers as either arguments or
+return values.
+
+This means that when returning any value which may not already be sign
+extended (ie. of type REG_64BIT or REG_32BIT_ZERO_EX) we need to perform
+that sign extension in order to comply with the n64 ABI. Without this we
+see strange looking test failures from test_bpf.ko, such as:
+
+ test_bpf: #65 ALU64_MOV_X:
+ dst = 4294967295 jited:1 ret -1 != -1 FAIL (1 times)
+
+Although the return value printed matches the expected value, this is
+only because printf is only examining the least significant 32 bits of
+the 64 bit register value we returned. The register holding the expected
+value is sign extended whilst the v0 register was set to a zero extended
+value by our JITed code, so when compared by a conditional branch
+instruction the values are not equal.
+
+We already handle this when the return value register is of type
+REG_32BIT_ZERO_EX, so simply extend this to also cover REG_64BIT.
+
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Fixes: b6bd53f9c4e8 ("MIPS: Add missing file for eBPF JIT.")
+Cc: stable@vger.kernel.org # v4.13+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/net/ebpf_jit.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/net/ebpf_jit.c
++++ b/arch/mips/net/ebpf_jit.c
+@@ -343,12 +343,15 @@ static int build_int_epilogue(struct jit
+ const struct bpf_prog *prog = ctx->skf;
+ int stack_adjust = ctx->stack_size;
+ int store_offset = stack_adjust - 8;
++ enum reg_val_type td;
+ int r0 = MIPS_R_V0;
+
+- if (dest_reg == MIPS_R_RA &&
+- get_reg_val_type(ctx, prog->len, BPF_REG_0) == REG_32BIT_ZERO_EX)
++ if (dest_reg == MIPS_R_RA) {
+ /* Don't let zero extended value escape. */
+- emit_instr(ctx, sll, r0, r0, 0);
++ td = get_reg_val_type(ctx, prog->len, BPF_REG_0);
++ if (td == REG_64BIT || td == REG_32BIT_ZERO_EX)
++ emit_instr(ctx, sll, r0, r0, 0);
++ }
+
+ if (ctx->flags & EBPF_SAVE_RA) {
+ emit_instr(ctx, ld, MIPS_R_RA, store_offset, MIPS_R_SP);
--- /dev/null
+From d04ca383860bef90a0dab4eb397907f7f05e839e Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Wed, 6 Feb 2019 15:34:16 +0100
+Subject: mt76x0u: fix suspend/resume
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit d04ca383860bef90a0dab4eb397907f7f05e839e upstream.
+
+We need to reset MCU and do other initializations on resume otherwise
+MT7610U device will fail to initialize, what cause system hung due to
+USB requests timeouts.
+
+Patch fixes 4.19 -> 4.20 regression.
+
+Cc: stable@vger.kernel.org # 4.20+
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Acked-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mediatek/mt76/mt76x0/usb.c | 46 +++++++++++++++---------
+ 1 file changed, 29 insertions(+), 17 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt76x0/usb.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x0/usb.c
+@@ -159,39 +159,49 @@ static const struct ieee80211_ops mt76x0
+ .wake_tx_queue = mt76_wake_tx_queue,
+ };
+
+-static int mt76x0u_register_device(struct mt76x02_dev *dev)
++static int mt76x0u_init_hardware(struct mt76x02_dev *dev)
+ {
+- struct ieee80211_hw *hw = dev->mt76.hw;
+ int err;
+
+- err = mt76u_alloc_queues(&dev->mt76);
+- if (err < 0)
+- goto out_err;
+-
+- err = mt76u_mcu_init_rx(&dev->mt76);
+- if (err < 0)
+- goto out_err;
+-
+ mt76x0_chip_onoff(dev, true, true);
+- if (!mt76x02_wait_for_mac(&dev->mt76)) {
+- err = -ETIMEDOUT;
+- goto out_err;
+- }
++
++ if (!mt76x02_wait_for_mac(&dev->mt76))
++ return -ETIMEDOUT;
+
+ err = mt76x0u_mcu_init(dev);
+ if (err < 0)
+- goto out_err;
++ return err;
+
+ mt76x0_init_usb_dma(dev);
+ err = mt76x0_init_hardware(dev);
+ if (err < 0)
+- goto out_err;
++ return err;
+
+ mt76_rmw(dev, MT_US_CYC_CFG, MT_US_CYC_CNT, 0x1e);
+ mt76_wr(dev, MT_TXOP_CTRL_CFG,
+ FIELD_PREP(MT_TXOP_TRUN_EN, 0x3f) |
+ FIELD_PREP(MT_TXOP_EXT_CCA_DLY, 0x58));
+
++ return 0;
++}
++
++static int mt76x0u_register_device(struct mt76x02_dev *dev)
++{
++ struct ieee80211_hw *hw = dev->mt76.hw;
++ int err;
++
++ err = mt76u_alloc_queues(&dev->mt76);
++ if (err < 0)
++ goto out_err;
++
++ err = mt76u_mcu_init_rx(&dev->mt76);
++ if (err < 0)
++ goto out_err;
++
++ err = mt76x0u_init_hardware(dev);
++ if (err < 0)
++ goto out_err;
++
+ err = mt76x0_register_device(dev);
+ if (err < 0)
+ goto out_err;
+@@ -300,6 +310,8 @@ static int __maybe_unused mt76x0_suspend
+
+ mt76u_stop_queues(&dev->mt76);
+ mt76x0u_mac_stop(dev);
++ clear_bit(MT76_STATE_MCU_RUNNING, &dev->mt76.state);
++ mt76x0_chip_onoff(dev, false, false);
+ usb_kill_urb(usb->mcu.res.urb);
+
+ return 0;
+@@ -327,7 +339,7 @@ static int __maybe_unused mt76x0_resume(
+ tasklet_enable(&usb->rx_tasklet);
+ tasklet_enable(&usb->tx_tasklet);
+
+- ret = mt76x0_init_hardware(dev);
++ ret = mt76x0u_init_hardware(dev);
+ if (ret)
+ goto err;
+
--- /dev/null
+From 050c17f239fd53adb55aa768d4f41bc76c0fe045 Mon Sep 17 00:00:00 2001
+From: Ralph Campbell <rcampbell@nvidia.com>
+Date: Wed, 20 Feb 2019 22:18:58 -0800
+Subject: numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES
+
+From: Ralph Campbell <rcampbell@nvidia.com>
+
+commit 050c17f239fd53adb55aa768d4f41bc76c0fe045 upstream.
+
+The system call, get_mempolicy() [1], passes an unsigned long *nodemask
+pointer and an unsigned long maxnode argument which specifies the length
+of the user's nodemask array in bits (which is rounded up). The manual
+page says that if the maxnode value is too small, get_mempolicy will
+return EINVAL but there is no system call to return this minimum value.
+To determine this value, some programs search /proc/<pid>/status for a
+line starting with "Mems_allowed:" and use the number of digits in the
+mask to determine the minimum value. A recent change to the way this line
+is formatted [2] causes these programs to compute a value less than
+MAX_NUMNODES so get_mempolicy() returns EINVAL.
+
+Change get_mempolicy(), the older compat version of get_mempolicy(), and
+the copy_nodes_to_user() function to use nr_node_ids instead of
+MAX_NUMNODES, thus preserving the defacto method of computing the minimum
+size for the nodemask array and the maxnode argument.
+
+[1] http://man7.org/linux/man-pages/man2/get_mempolicy.2.html
+[2] https://lore.kernel.org/lkml/1545405631-6808-1-git-send-email-longman@redhat.com
+
+Link: http://lkml.kernel.org/r/20190211180245.22295-1-rcampbell@nvidia.com
+Fixes: 4fb8e5b89bcbbbb ("include/linux/nodemask.h: use nr_node_ids (not MAX_NUMNODES) in __nodemask_pr_numnodes()")
+Signed-off-by: Ralph Campbell <rcampbell@nvidia.com>
+Suggested-by: Alexander Duyck <alexander.duyck@gmail.com>
+Cc: Waiman Long <longman@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mempolicy.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -1314,7 +1314,7 @@ static int copy_nodes_to_user(unsigned l
+ nodemask_t *nodes)
+ {
+ unsigned long copy = ALIGN(maxnode-1, 64) / 8;
+- const int nbytes = BITS_TO_LONGS(MAX_NUMNODES) * sizeof(long);
++ unsigned int nbytes = BITS_TO_LONGS(nr_node_ids) * sizeof(long);
+
+ if (copy > nbytes) {
+ if (copy > PAGE_SIZE)
+@@ -1491,7 +1491,7 @@ static int kernel_get_mempolicy(int __us
+ int uninitialized_var(pval);
+ nodemask_t nodes;
+
+- if (nmask != NULL && maxnode < MAX_NUMNODES)
++ if (nmask != NULL && maxnode < nr_node_ids)
+ return -EINVAL;
+
+ err = do_get_mempolicy(&pval, &nodes, addr, flags);
+@@ -1527,7 +1527,7 @@ COMPAT_SYSCALL_DEFINE5(get_mempolicy, in
+ unsigned long nr_bits, alloc_size;
+ DECLARE_BITMAP(bm, MAX_NUMNODES);
+
+- nr_bits = min_t(unsigned long, maxnode-1, MAX_NUMNODES);
++ nr_bits = min_t(unsigned long, maxnode-1, nr_node_ids);
+ alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
+
+ if (nmask)
--- /dev/null
+From a5a08c35d382a5a8da397260c3febb8dff4bdeef Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+Date: Thu, 31 Jan 2019 09:29:53 -0800
+Subject: pinctrl: qcom: qcs404: Correct SDC tile
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+commit a5a08c35d382a5a8da397260c3febb8dff4bdeef upstream.
+
+The SDC controls live in the south tile, not the north one. Correct this
+so that we program the right registers.
+
+Cc: stable@vger.kernel.org
+Fixes: 22eb8301dbc1 ("pinctrl: qcom: Add qcs404 pinctrl driver")
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Reviewed-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/qcom/pinctrl-qcs404.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/qcom/pinctrl-qcs404.c
++++ b/drivers/pinctrl/qcom/pinctrl-qcs404.c
+@@ -79,7 +79,7 @@ enum {
+ .intr_cfg_reg = 0, \
+ .intr_status_reg = 0, \
+ .intr_target_reg = 0, \
+- .tile = NORTH, \
++ .tile = SOUTH, \
+ .mux_bit = -1, \
+ .pull_bit = pull, \
+ .drv_bit = drv, \
--- /dev/null
+From b2b469939e93458753cfbf8282ad52636495965e Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.com>
+Date: Wed, 20 Feb 2019 22:19:42 -0800
+Subject: proc, oom: do not report alien mms when setting oom_score_adj
+
+From: Michal Hocko <mhocko@suse.com>
+
+commit b2b469939e93458753cfbf8282ad52636495965e upstream.
+
+Tetsuo has reported that creating a thousands of processes sharing MM
+without SIGHAND (aka alien threads) and setting
+/proc/<pid>/oom_score_adj will swamp the kernel log and takes ages [1]
+to finish. This is especially worrisome that all that printing is done
+under RCU lock and this can potentially trigger RCU stall or softlockup
+detector.
+
+The primary reason for the printk was to catch potential users who might
+depend on the behavior prior to 44a70adec910 ("mm, oom_adj: make sure
+processes sharing mm have same view of oom_score_adj") but after more
+than 2 years without a single report I guess it is safe to simply remove
+the printk altogether.
+
+The next step should be moving oom_score_adj over to the mm struct and
+remove all the tasks crawling as suggested by [2]
+
+[1] http://lkml.kernel.org/r/97fce864-6f75-bca5-14bc-12c9f890e740@i-love.sakura.ne.jp
+[2] http://lkml.kernel.org/r/20190117155159.GA4087@dhcp22.suse.cz
+
+Link: http://lkml.kernel.org/r/20190212102129.26288-1-mhocko@kernel.org
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Yong-Taek Lee <ytk.lee@samsung.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/base.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -1084,10 +1084,6 @@ static int __set_oom_adj(struct file *fi
+
+ task_lock(p);
+ if (!p->vfork_done && process_shares_mm(p, mm)) {
+- pr_info("updating oom_score_adj for %d (%s) from %d to %d because it shares mm with %d (%s). Report if this is unexpected.\n",
+- task_pid_nr(p), p->comm,
+- p->signal->oom_score_adj, oom_adj,
+- task_pid_nr(task), task->comm);
+ p->signal->oom_score_adj = oom_adj;
+ if (!legacy && has_capability_noaudit(current, CAP_SYS_RESOURCE))
+ p->signal->oom_score_adj_min = (short)oom_adj;
arm-8834-1-fix-kprobes-optimized-kprobes-illegal-instruction.patch
+kprobe-do-not-use-uaccess-functions-to-access-kernel-memory-that-can-fault.patch
+tracing-fix-number-of-entries-in-trace-header.patch
+mips-ebpf-always-return-sign-extended-32b-values.patch
+mt76x0u-fix-suspend-resume.patch
+gpio-mt7621-use-a-per-instance-irq_chip-structure.patch
+gpio-pxa-avoid-attempting-to-set-pin-direction-via-pinctrl-on-mmp2.patch
+mac80211-restore-vif-beacon-interval-if-start-ap-fails.patch
+mac80211-use-linked-list-instead-of-rhashtable-walk-for-mesh-tables.patch
+mac80211-free-mpath-object-when-rhashtable-insertion-fails.patch
+pinctrl-qcom-qcs404-correct-sdc-tile.patch
+libceph-handle-an-empty-authorize-reply.patch
+ceph-avoid-repeatedly-adding-inode-to-mdsc-snap_flush_list.patch
+numa-change-get_mempolicy-to-use-nr_node_ids-instead-of-max_numnodes.patch
+proc-oom-do-not-report-alien-mms-when-setting-oom_score_adj.patch
+alsa-hda-realtek-headset-microphone-and-internal-speaker-support-for-system76-oryp5.patch
+alsa-hda-realtek-disable-pc-beep-in-passthrough-on-alc285.patch
+keys-allow-reaching-the-keys-quotas-exactly.patch
--- /dev/null
+From 9e7382153f80ba45a0bbcd540fb77d4b15f6e966 Mon Sep 17 00:00:00 2001
+From: Quentin Perret <quentin.perret@arm.com>
+Date: Thu, 14 Feb 2019 15:29:50 +0000
+Subject: tracing: Fix number of entries in trace header
+
+From: Quentin Perret <quentin.perret@arm.com>
+
+commit 9e7382153f80ba45a0bbcd540fb77d4b15f6e966 upstream.
+
+The following commit
+
+ 441dae8f2f29 ("tracing: Add support for display of tgid in trace output")
+
+removed the call to print_event_info() from print_func_help_header_irq()
+which results in the ftrace header not reporting the number of entries
+written in the buffer. As this wasn't the original intent of the patch,
+re-introduce the call to print_event_info() to restore the orginal
+behaviour.
+
+Link: http://lkml.kernel.org/r/20190214152950.4179-1-quentin.perret@arm.com
+
+Acked-by: Joel Fernandes <joelaf@google.com>
+Cc: stable@vger.kernel.org
+Fixes: 441dae8f2f29 ("tracing: Add support for display of tgid in trace output")
+Signed-off-by: Quentin Perret <quentin.perret@arm.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -3384,6 +3384,8 @@ static void print_func_help_header_irq(s
+ const char tgid_space[] = " ";
+ const char space[] = " ";
+
++ print_event_info(buf, m);
++
+ seq_printf(m, "# %s _-----=> irqs-off\n",
+ tgid ? tgid_space : space);
+ seq_printf(m, "# %s / _----=> need-resched\n",
projects / thirdparty / kernel / stable-queue.git / commitdiff
