--- /dev/null
+From 310ca162d779efee8a2dc3731439680f3e9c1e86 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Thu, 8 Nov 2018 14:01:02 +0100
+Subject: block/loop: Use global lock for ioctl() operation.
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 310ca162d779efee8a2dc3731439680f3e9c1e86 upstream.
+
+syzbot is reporting NULL pointer dereference [1] which is caused by
+race condition between ioctl(loop_fd, LOOP_CLR_FD, 0) versus
+ioctl(other_loop_fd, LOOP_SET_FD, loop_fd) due to traversing other
+loop devices at loop_validate_file() without holding corresponding
+lo->lo_ctl_mutex locks.
+
+Since ioctl() request on loop devices is not frequent operation, we don't
+need fine grained locking. Let's use global lock in order to allow safe
+traversal at loop_validate_file().
+
+Note that syzbot is also reporting circular locking dependency between
+bdev->bd_mutex and lo->lo_ctl_mutex [2] which is caused by calling
+blkdev_reread_part() with lock held. This patch does not address it.
+
+[1] https://syzkaller.appspot.com/bug?id=f3cfe26e785d85f9ee259f385515291d21bd80a3
+[2] https://syzkaller.appspot.com/bug?id=bf154052f0eea4bc7712499e4569505907d15889
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+bf89c128e05dd6c62523@syzkaller.appspotmail.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/loop.c | 47 ++++++++++++++++++++++++-----------------------
+ drivers/block/loop.h | 1 -
+ 2 files changed, 24 insertions(+), 24 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -81,6 +81,7 @@
+
+ static DEFINE_IDR(loop_index_idr);
+ static DEFINE_MUTEX(loop_index_mutex);
++static DEFINE_MUTEX(loop_ctl_mutex);
+
+ static int max_part;
+ static int part_shift;
+@@ -1012,7 +1013,7 @@ static int loop_clr_fd(struct loop_devic
+ */
+ if (lo->lo_refcnt > 1) {
+ lo->lo_flags |= LO_FLAGS_AUTOCLEAR;
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ return 0;
+ }
+
+@@ -1061,12 +1062,12 @@ static int loop_clr_fd(struct loop_devic
+ lo->lo_flags = 0;
+ if (!part_shift)
+ lo->lo_disk->flags |= GENHD_FL_NO_PART_SCAN;
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ /*
+- * Need not hold lo_ctl_mutex to fput backing file.
+- * Calling fput holding lo_ctl_mutex triggers a circular
++ * Need not hold loop_ctl_mutex to fput backing file.
++ * Calling fput holding loop_ctl_mutex triggers a circular
+ * lock dependency possibility warning as fput can take
+- * bd_mutex which is usually taken before lo_ctl_mutex.
++ * bd_mutex which is usually taken before loop_ctl_mutex.
+ */
+ fput(filp);
+ return 0;
+@@ -1300,7 +1301,7 @@ static int lo_ioctl(struct block_device
+ struct loop_device *lo = bdev->bd_disk->private_data;
+ int err;
+
+- mutex_lock_nested(&lo->lo_ctl_mutex, 1);
++ mutex_lock_nested(&loop_ctl_mutex, 1);
+ switch (cmd) {
+ case LOOP_SET_FD:
+ err = loop_set_fd(lo, mode, bdev, arg);
+@@ -1309,7 +1310,7 @@ static int lo_ioctl(struct block_device
+ err = loop_change_fd(lo, bdev, arg);
+ break;
+ case LOOP_CLR_FD:
+- /* loop_clr_fd would have unlocked lo_ctl_mutex on success */
++ /* loop_clr_fd would have unlocked loop_ctl_mutex on success */
+ err = loop_clr_fd(lo);
+ if (!err)
+ goto out_unlocked;
+@@ -1340,7 +1341,7 @@ static int lo_ioctl(struct block_device
+ default:
+ err = lo->ioctl ? lo->ioctl(lo, cmd, arg) : -EINVAL;
+ }
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+
+ out_unlocked:
+ return err;
+@@ -1473,16 +1474,16 @@ static int lo_compat_ioctl(struct block_
+
+ switch(cmd) {
+ case LOOP_SET_STATUS:
+- mutex_lock(&lo->lo_ctl_mutex);
++ mutex_lock(&loop_ctl_mutex);
+ err = loop_set_status_compat(
+ lo, (const struct compat_loop_info __user *) arg);
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ break;
+ case LOOP_GET_STATUS:
+- mutex_lock(&lo->lo_ctl_mutex);
++ mutex_lock(&loop_ctl_mutex);
+ err = loop_get_status_compat(
+ lo, (struct compat_loop_info __user *) arg);
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ break;
+ case LOOP_SET_CAPACITY:
+ case LOOP_CLR_FD:
+@@ -1513,9 +1514,9 @@ static int lo_open(struct block_device *
+ goto out;
+ }
+
+- mutex_lock(&lo->lo_ctl_mutex);
++ mutex_lock(&loop_ctl_mutex);
+ lo->lo_refcnt++;
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ out:
+ mutex_unlock(&loop_index_mutex);
+ return err;
+@@ -1525,7 +1526,7 @@ static void __lo_release(struct loop_dev
+ {
+ int err;
+
+- mutex_lock(&lo->lo_ctl_mutex);
++ mutex_lock(&loop_ctl_mutex);
+
+ if (--lo->lo_refcnt)
+ goto out;
+@@ -1547,7 +1548,7 @@ static void __lo_release(struct loop_dev
+ }
+
+ out:
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ }
+
+ static void lo_release(struct gendisk *disk, fmode_t mode)
+@@ -1593,10 +1594,10 @@ static int unregister_transfer_cb(int id
+ struct loop_device *lo = ptr;
+ struct loop_func_table *xfer = data;
+
+- mutex_lock(&lo->lo_ctl_mutex);
++ mutex_lock(&loop_ctl_mutex);
+ if (lo->lo_encryption == xfer)
+ loop_release_xfer(lo);
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ return 0;
+ }
+
+@@ -1677,7 +1678,7 @@ static int loop_add(struct loop_device *
+ if (!part_shift)
+ disk->flags |= GENHD_FL_NO_PART_SCAN;
+ disk->flags |= GENHD_FL_EXT_DEVT;
+- mutex_init(&lo->lo_ctl_mutex);
++ mutex_init(&loop_ctl_mutex);
+ lo->lo_number = i;
+ lo->lo_thread = NULL;
+ init_waitqueue_head(&lo->lo_event);
+@@ -1789,19 +1790,19 @@ static long loop_control_ioctl(struct fi
+ ret = loop_lookup(&lo, parm);
+ if (ret < 0)
+ break;
+- mutex_lock(&lo->lo_ctl_mutex);
++ mutex_lock(&loop_ctl_mutex);
+ if (lo->lo_state != Lo_unbound) {
+ ret = -EBUSY;
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ break;
+ }
+ if (lo->lo_refcnt > 0) {
+ ret = -EBUSY;
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ break;
+ }
+ lo->lo_disk->private_data = NULL;
+- mutex_unlock(&lo->lo_ctl_mutex);
++ mutex_unlock(&loop_ctl_mutex);
+ idr_remove(&loop_index_idr, lo->lo_number);
+ loop_remove(lo);
+ break;
+--- a/drivers/block/loop.h
++++ b/drivers/block/loop.h
+@@ -55,7 +55,6 @@ struct loop_device {
+ struct bio_list lo_bio_list;
+ unsigned int lo_bio_count;
+ int lo_state;
+- struct mutex lo_ctl_mutex;
+ struct task_struct *lo_thread;
+ wait_queue_head_t lo_event;
+ /* wait queue for incoming requests */
--- /dev/null
+From a214720cbf50cd8c3f76bbb9c3f5c283910e9d33 Mon Sep 17 00:00:00 2001
+From: YunQiang Su <ysu@wavecomp.com>
+Date: Tue, 8 Jan 2019 13:45:10 +0800
+Subject: Disable MSI also when pcie-octeon.pcie_disable on
+
+From: YunQiang Su <ysu@wavecomp.com>
+
+commit a214720cbf50cd8c3f76bbb9c3f5c283910e9d33 upstream.
+
+Octeon has an boot-time option to disable pcie.
+
+Since MSI depends on PCI-E, we should also disable MSI also with
+this option is on in order to avoid inadvertently accessing PCIe
+registers.
+
+Signed-off-by: YunQiang Su <ysu@wavecomp.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: pburton@wavecomp.com
+Cc: linux-mips@vger.kernel.org
+Cc: aaro.koskinen@iki.fi
+Cc: stable@vger.kernel.org # v3.3+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/pci/msi-octeon.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/pci/msi-octeon.c
++++ b/arch/mips/pci/msi-octeon.c
+@@ -369,7 +369,9 @@ int __init octeon_msi_initialize(void)
+ int irq;
+ struct irq_chip *msi;
+
+- if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_PCIE) {
++ if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_INVALID) {
++ return 0;
++ } else if (octeon_dma_bar_type == OCTEON_DMA_BAR_TYPE_PCIE) {
+ msi_rcv_reg[0] = CVMX_PEXP_NPEI_MSI_RCV0;
+ msi_rcv_reg[1] = CVMX_PEXP_NPEI_MSI_RCV1;
+ msi_rcv_reg[2] = CVMX_PEXP_NPEI_MSI_RCV2;
--- /dev/null
+From cd26d1c4d1bc947b56ae404998ae2276df7b39b7 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Tue, 13 Nov 2018 09:06:46 -0500
+Subject: media: vb2: vb2_mmap: move lock up
+
+From: Hans Verkuil <hverkuil@xs4all.nl>
+
+commit cd26d1c4d1bc947b56ae404998ae2276df7b39b7 upstream.
+
+If a filehandle is dup()ped, then it is possible to close it from one fd
+and call mmap from the other. This creates a race condition in vb2_mmap
+where it is using queue data that __vb2_queue_free (called from close())
+is in the process of releasing.
+
+By moving up the mutex_lock(mmap_lock) in vb2_mmap this race is avoided
+since __vb2_queue_free is called with the same mutex locked. So vb2_mmap
+now reads consistent buffer data.
+
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Reported-by: syzbot+be93025dd45dccd8923c@syzkaller.appspotmail.com
+Signed-off-by: Hans Verkuil <hansverk@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/videobuf2-core.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-core.c
++++ b/drivers/media/v4l2-core/videobuf2-core.c
+@@ -2474,9 +2474,13 @@ int vb2_mmap(struct vb2_queue *q, struct
+ return -EINVAL;
+ }
+ }
++
++ mutex_lock(&q->mmap_lock);
++
+ if (vb2_fileio_is_active(q)) {
+ dprintk(1, "mmap: file io in progress\n");
+- return -EBUSY;
++ ret = -EBUSY;
++ goto unlock;
+ }
+
+ /*
+@@ -2484,7 +2488,7 @@ int vb2_mmap(struct vb2_queue *q, struct
+ */
+ ret = __find_plane_by_offset(q, off, &buffer, &plane);
+ if (ret)
+- return ret;
++ goto unlock;
+
+ vb = q->bufs[buffer];
+
+@@ -2500,8 +2504,9 @@ int vb2_mmap(struct vb2_queue *q, struct
+ return -EINVAL;
+ }
+
+- mutex_lock(&q->mmap_lock);
+ ret = call_memop(vb, mmap, vb->planes[plane].mem_priv, vma);
++
++unlock:
+ mutex_unlock(&q->mmap_lock);
+ if (ret)
+ return ret;
--- /dev/null
+From 701f49bc028edb19ffccd101997dd84f0d71e279 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Mon, 29 Oct 2018 06:15:31 -0400
+Subject: media: vivid: fix error handling of kthread_run
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit 701f49bc028edb19ffccd101997dd84f0d71e279 upstream.
+
+kthread_run returns an error pointer, but elsewhere in the code
+dev->kthread_vid_cap/out is checked against NULL.
+
+If kthread_run returns an error, then set the pointer to NULL.
+
+I chose this method over changing all kthread_vid_cap/out tests
+elsewhere since this is more robust.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: syzbot+53d5b2df0d9744411e2e@syzkaller.appspotmail.com
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/vivid/vivid-kthread-cap.c | 5 ++++-
+ drivers/media/platform/vivid/vivid-kthread-out.c | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/platform/vivid/vivid-kthread-cap.c
++++ b/drivers/media/platform/vivid/vivid-kthread-cap.c
+@@ -829,8 +829,11 @@ int vivid_start_generating_vid_cap(struc
+ "%s-vid-cap", dev->v4l2_dev.name);
+
+ if (IS_ERR(dev->kthread_vid_cap)) {
++ int err = PTR_ERR(dev->kthread_vid_cap);
++
++ dev->kthread_vid_cap = NULL;
+ v4l2_err(&dev->v4l2_dev, "kernel_thread() failed\n");
+- return PTR_ERR(dev->kthread_vid_cap);
++ return err;
+ }
+ *pstreaming = true;
+ vivid_grab_controls(dev, true);
+--- a/drivers/media/platform/vivid/vivid-kthread-out.c
++++ b/drivers/media/platform/vivid/vivid-kthread-out.c
+@@ -248,8 +248,11 @@ int vivid_start_generating_vid_out(struc
+ "%s-vid-out", dev->v4l2_dev.name);
+
+ if (IS_ERR(dev->kthread_vid_out)) {
++ int err = PTR_ERR(dev->kthread_vid_out);
++
++ dev->kthread_vid_out = NULL;
+ v4l2_err(&dev->v4l2_dev, "kernel_thread() failed\n");
+- return PTR_ERR(dev->kthread_vid_out);
++ return err;
+ }
+ *pstreaming = true;
+ vivid_grab_controls(dev, true);
--- /dev/null
+From 9729d6d282a6d7ce88e64c9119cecdf79edf4e88 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Mon, 29 Oct 2018 13:32:38 -0400
+Subject: media: vivid: set min width/height to a value > 0
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit 9729d6d282a6d7ce88e64c9119cecdf79edf4e88 upstream.
+
+The capture DV timings capabilities allowed for a minimum width and
+height of 0. So passing a timings struct with 0 values is allowed
+and will later cause a division by zero.
+
+Ensure that the width and height must be >= 16 to avoid this.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: syzbot+57c3d83d71187054d56f@syzkaller.appspotmail.com
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/vivid/vivid-vid-common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/vivid/vivid-vid-common.c
++++ b/drivers/media/platform/vivid/vivid-vid-common.c
+@@ -33,7 +33,7 @@ const struct v4l2_dv_timings_cap vivid_d
+ .type = V4L2_DV_BT_656_1120,
+ /* keep this initialization for compatibility with GCC < 4.4.6 */
+ .reserved = { 0 },
+- V4L2_INIT_BT_TIMINGS(0, MAX_WIDTH, 0, MAX_HEIGHT, 25000000, 600000000,
++ V4L2_INIT_BT_TIMINGS(16, MAX_WIDTH, 16, MAX_HEIGHT, 25000000, 600000000,
+ V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT,
+ V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_INTERLACED)
+ };
--- /dev/null
+From ac4ca4b9f4623ba5e1ea7a582f286567c611e027 Mon Sep 17 00:00:00 2001
+From: Jonathan Hunter <jonathanh@nvidia.com>
+Date: Tue, 13 Nov 2018 08:56:31 +0000
+Subject: mfd: tps6586x: Handle interrupts on suspend
+
+From: Jonathan Hunter <jonathanh@nvidia.com>
+
+commit ac4ca4b9f4623ba5e1ea7a582f286567c611e027 upstream.
+
+The tps6586x driver creates an irqchip that is used by its various child
+devices for managing interrupts. The tps6586x-rtc device is one of its
+children that uses the tps6586x irqchip. When using the tps6586x-rtc as
+a wake-up device from suspend, the following is seen:
+
+ PM: Syncing filesystems ... done.
+ Freezing user space processes ... (elapsed 0.001 seconds) done.
+ OOM killer disabled.
+ Freezing remaining freezable tasks ... (elapsed 0.000 seconds) done.
+ Disabling non-boot CPUs ...
+ Entering suspend state LP1
+ Enabling non-boot CPUs ...
+ CPU1 is up
+ tps6586x 3-0034: failed to read interrupt status
+ tps6586x 3-0034: failed to read interrupt status
+
+The reason why the tps6586x interrupt status cannot be read is because
+the tps6586x interrupt is not masked during suspend and when the
+tps6586x-rtc interrupt occurs, to wake-up the device, the interrupt is
+seen before the i2c controller has been resumed in order to read the
+tps6586x interrupt status.
+
+The tps6586x-rtc driver sets it's interrupt as a wake-up source during
+suspend, which gets propagated to the parent tps6586x interrupt.
+However, the tps6586x-rtc driver cannot disable it's interrupt during
+suspend otherwise we would never be woken up and so the tps6586x must
+disable it's interrupt instead.
+
+Prevent the tps6586x interrupt handler from executing on exiting suspend
+before the i2c controller has been resumed by disabling the tps6586x
+interrupt on entering suspend and re-enabling it on resuming from
+suspend.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
+Tested-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/tps6586x.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/mfd/tps6586x.c
++++ b/drivers/mfd/tps6586x.c
+@@ -601,6 +601,29 @@ static int tps6586x_i2c_remove(struct i2
+ return 0;
+ }
+
++static int __maybe_unused tps6586x_i2c_suspend(struct device *dev)
++{
++ struct tps6586x *tps6586x = dev_get_drvdata(dev);
++
++ if (tps6586x->client->irq)
++ disable_irq(tps6586x->client->irq);
++
++ return 0;
++}
++
++static int __maybe_unused tps6586x_i2c_resume(struct device *dev)
++{
++ struct tps6586x *tps6586x = dev_get_drvdata(dev);
++
++ if (tps6586x->client->irq)
++ enable_irq(tps6586x->client->irq);
++
++ return 0;
++}
++
++static SIMPLE_DEV_PM_OPS(tps6586x_pm_ops, tps6586x_i2c_suspend,
++ tps6586x_i2c_resume);
++
+ static const struct i2c_device_id tps6586x_id_table[] = {
+ { "tps6586x", 0 },
+ { },
+@@ -612,6 +635,7 @@ static struct i2c_driver tps6586x_driver
+ .name = "tps6586x",
+ .owner = THIS_MODULE,
+ .of_match_table = of_match_ptr(tps6586x_of_match),
++ .pm = &tps6586x_pm_ops,
+ },
+ .probe = tps6586x_i2c_probe,
+ .remove = tps6586x_i2c_remove,
--- /dev/null
+From a01421e4484327fe44f8e126793ed5a48a221e24 Mon Sep 17 00:00:00 2001
+From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
+Date: Fri, 11 Jan 2019 14:34:38 +0100
+Subject: omap2fb: Fix stack memory disclosure
+
+From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
+
+commit a01421e4484327fe44f8e126793ed5a48a221e24 upstream.
+
+Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE,
+OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO
+cases could all leak uninitialized stack memory--either due to
+uninitialized padding or 'reserved' fields.
+
+Fix them by clearing the shared union used to store copied out data.
+
+[1] https://github.com/vlad902/kernel-uninitialized-memory-checker
+
+Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Fixes: b39a982ddecf ("OMAP: DSS2: omapfb driver")
+Cc: security@kernel.org
+[b.zolnierkie: prefix patch subject with "omap2fb: "]
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
++++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
+@@ -606,6 +606,8 @@ int omapfb_ioctl(struct fb_info *fbi, un
+
+ int r = 0;
+
++ memset(&p, 0, sizeof(p));
++
+ switch (cmd) {
+ case OMAPFB_SYNC_GFX:
+ DBG("ioctl SYNC_GFX\n");
--- /dev/null
+From 400b8b9a2a17918f8ce00786f596f530e7f30d50 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 14 Jan 2019 18:34:02 +0800
+Subject: sctp: allocate sctp_sockaddr_entry with kzalloc
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 400b8b9a2a17918f8ce00786f596f530e7f30d50 upstream.
+
+The similar issue as fixed in Commit 4a2eb0c37b47 ("sctp: initialize
+sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event") also exists
+in sctp_inetaddr_event, as Alexander noticed.
+
+To fix it, allocate sctp_sockaddr_entry with kzalloc for both sctp
+ipv4 and ipv6 addresses, as does in sctp_v4/6_copy_addrlist().
+
+Reported-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reported-by: syzbot+ae0c70c0c2d40c51bb92@syzkaller.appspotmail.com
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sctp/ipv6.c | 5 +----
+ net/sctp/protocol.c | 4 +---
+ 2 files changed, 2 insertions(+), 7 deletions(-)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -97,11 +97,9 @@ static int sctp_inet6addr_event(struct n
+
+ switch (ev) {
+ case NETDEV_UP:
+- addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);
++ addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
+ if (addr) {
+ addr->a.v6.sin6_family = AF_INET6;
+- addr->a.v6.sin6_port = 0;
+- addr->a.v6.sin6_flowinfo = 0;
+ addr->a.v6.sin6_addr = ifa->addr;
+ addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
+ addr->valid = 1;
+@@ -411,7 +409,6 @@ static void sctp_v6_copy_addrlist(struct
+ addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
+ if (addr) {
+ addr->a.v6.sin6_family = AF_INET6;
+- addr->a.v6.sin6_port = 0;
+ addr->a.v6.sin6_addr = ifp->addr;
+ addr->a.v6.sin6_scope_id = dev->ifindex;
+ addr->valid = 1;
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -149,7 +149,6 @@ static void sctp_v4_copy_addrlist(struct
+ addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
+ if (addr) {
+ addr->a.v4.sin_family = AF_INET;
+- addr->a.v4.sin_port = 0;
+ addr->a.v4.sin_addr.s_addr = ifa->ifa_local;
+ addr->valid = 1;
+ INIT_LIST_HEAD(&addr->list);
+@@ -755,10 +754,9 @@ static int sctp_inetaddr_event(struct no
+
+ switch (ev) {
+ case NETDEV_UP:
+- addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);
++ addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
+ if (addr) {
+ addr->a.v4.sin_family = AF_INET;
+- addr->a.v4.sin_port = 0;
+ addr->a.v4.sin_addr.s_addr = ifa->ifa_local;
+ addr->valid = 1;
+ spin_lock_bh(&net->sctp.local_addr_lock);
--- /dev/null
+From 5b0e7310a2a33c06edc7eb81ffc521af9b2c5610 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds@tycho.nsa.gov>
+Date: Wed, 9 Jan 2019 10:55:10 -0500
+Subject: selinux: fix GPF on invalid policy
+
+From: Stephen Smalley <sds@tycho.nsa.gov>
+
+commit 5b0e7310a2a33c06edc7eb81ffc521af9b2c5610 upstream.
+
+levdatum->level can be NULL if we encounter an error while loading
+the policy during sens_read prior to initializing it. Make sure
+sens_destroy handles that case correctly.
+
+Reported-by: syzbot+6664500f0f18f07a5c0e@syzkaller.appspotmail.com
+Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/ss/policydb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/selinux/ss/policydb.c
++++ b/security/selinux/ss/policydb.c
+@@ -717,7 +717,8 @@ static int sens_destroy(void *key, void
+ kfree(key);
+ if (datum) {
+ levdatum = datum;
+- ebitmap_destroy(&levdatum->level->cat);
++ if (levdatum->level)
++ ebitmap_destroy(&levdatum->level->cat);
+ kfree(levdatum->level);
+ }
+ kfree(datum);
btrfs-wait-on-ordered-extents-on-abort-cleanup.patch
yama-check-for-pid-death-before-checking-ancestry.patch
scsi-sd-fix-cache_type_store.patch
+mfd-tps6586x-handle-interrupts-on-suspend.patch
+disable-msi-also-when-pcie-octeon.pcie_disable-on.patch
+omap2fb-fix-stack-memory-disclosure.patch
+media-vivid-fix-error-handling-of-kthread_run.patch
+media-vivid-set-min-width-height-to-a-value-0.patch
+media-vb2-vb2_mmap-move-lock-up.patch
+sunrpc-handle-enomem-in-rpcb_getport_async.patch
+selinux-fix-gpf-on-invalid-policy.patch
+sctp-allocate-sctp_sockaddr_entry-with-kzalloc.patch
+block-loop-use-global-lock-for-ioctl-operation.patch
--- /dev/null
+From 81c88b18de1f11f70c97f28ced8d642c00bb3955 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Thu, 20 Dec 2018 10:35:11 -0500
+Subject: sunrpc: handle ENOMEM in rpcb_getport_async
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit 81c88b18de1f11f70c97f28ced8d642c00bb3955 upstream.
+
+If we ignore the error we'll hit a null dereference a little later.
+
+Reported-by: syzbot+4b98281f2401ab849f4b@syzkaller.appspotmail.com
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/rpcb_clnt.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/sunrpc/rpcb_clnt.c
++++ b/net/sunrpc/rpcb_clnt.c
+@@ -772,6 +772,12 @@ void rpcb_getport_async(struct rpc_task
+ case RPCBVERS_3:
+ map->r_netid = xprt->address_strings[RPC_DISPLAY_NETID];
+ map->r_addr = rpc_sockaddr2uaddr(sap, GFP_ATOMIC);
++ if (!map->r_addr) {
++ status = -ENOMEM;
++ dprintk("RPC: %5u %s: no memory available\n",
++ task->tk_pid, __func__);
++ goto bailout_free_args;
++ }
+ map->r_owner = "";
+ break;
+ case RPCBVERS_2:
+@@ -794,6 +800,8 @@ void rpcb_getport_async(struct rpc_task
+ rpc_put_task(child);
+ return;
+
++bailout_free_args:
++ kfree(map);
+ bailout_release_client:
+ rpc_release_client(rpcb_clnt);
+ bailout_nofree:
projects / thirdparty / kernel / stable-queue.git / commitdiff
