--- /dev/null
+From 13d3047c81505cc0fb9bdae7810676e70523c8bf Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Mon, 12 Feb 2018 13:55:23 +0300
+Subject: ACPI / hotplug / PCI: Check presence of slot itself in get_slot_status()
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit 13d3047c81505cc0fb9bdae7810676e70523c8bf upstream.
+
+Mike Lothian reported that plugging in a USB-C device does not work
+properly in his Dell Alienware system. This system has an Intel Alpine
+Ridge Thunderbolt controller providing USB-C functionality. In these
+systems the USB controller (xHCI) is hotplugged whenever a device is
+connected to the port using ACPI-based hotplug.
+
+The ACPI description of the root port in question is as follows:
+
+ Device (RP01)
+ {
+ Name (_ADR, 0x001C0000)
+
+ Device (PXSX)
+ {
+ Name (_ADR, 0x02)
+
+ Method (_RMV, 0, NotSerialized)
+ {
+ // ...
+ }
+ }
+
+Here _ADR 0x02 means device 0, function 2 on the bus under root port (RP01)
+but that seems to be incorrect because device 0 is the upstream port of the
+Alpine Ridge PCIe switch and it has no functions other than 0 (the bridge
+itself). When we get ACPI Notify() to the root port resulting from
+connecting a USB-C device, Linux tries to read PCI_VENDOR_ID from device 0,
+function 2 which of course always returns 0xffffffff because there is no
+such function and we never find the device.
+
+In Windows this works fine.
+
+Now, since we get ACPI Notify() to the root port and not to the PXSX device
+we should actually start our scan from there as well and not from the
+non-existent PXSX device. Fix this by checking presence of the slot itself
+(function 0) if we fail to do that otherwise.
+
+While there use pci_bus_read_dev_vendor_id() in get_slot_status(), which is
+the recommended way to read Device and Vendor IDs of devices on PCI buses.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=198557
+Reported-by: Mike Lothian <mike@fireburn.co.uk>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/hotplug/acpiphp_glue.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+--- a/drivers/pci/hotplug/acpiphp_glue.c
++++ b/drivers/pci/hotplug/acpiphp_glue.c
+@@ -558,6 +558,7 @@ static unsigned int get_slot_status(stru
+ {
+ unsigned long long sta = 0;
+ struct acpiphp_func *func;
++ u32 dvid;
+
+ list_for_each_entry(func, &slot->funcs, sibling) {
+ if (func->flags & FUNC_HAS_STA) {
+@@ -568,19 +569,27 @@ static unsigned int get_slot_status(stru
+ if (ACPI_SUCCESS(status) && sta)
+ break;
+ } else {
+- u32 dvid;
+-
+- pci_bus_read_config_dword(slot->bus,
+- PCI_DEVFN(slot->device,
+- func->function),
+- PCI_VENDOR_ID, &dvid);
+- if (dvid != 0xffffffff) {
++ if (pci_bus_read_dev_vendor_id(slot->bus,
++ PCI_DEVFN(slot->device, func->function),
++ &dvid, 0)) {
+ sta = ACPI_STA_ALL;
+ break;
+ }
+ }
+ }
+
++ if (!sta) {
++ /*
++ * Check for the slot itself since it may be that the
++ * ACPI slot is a device below PCIe upstream port so in
++ * that case it may not even be reachable yet.
++ */
++ if (pci_bus_read_dev_vendor_id(slot->bus,
++ PCI_DEVFN(slot->device, 0), &dvid, 0)) {
++ sta = ACPI_STA_ALL;
++ }
++ }
++
+ return (unsigned int)sta;
+ }
+
--- /dev/null
+From bbf038618a24d72e2efc19146ef421bb1e1eda1a Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 19 Mar 2018 18:01:45 +0100
+Subject: ACPI / video: Add quirk to force acpi-video backlight on Samsung 670Z5E
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit bbf038618a24d72e2efc19146ef421bb1e1eda1a upstream.
+
+Just like many other Samsung models, the 670Z5E needs to use the acpi-video
+backlight interface rather then the native one for backlight control to
+work, add a quirk for this.
+
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1557060
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/video_detect.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -220,6 +220,15 @@ static const struct dmi_system_id video_
+ },
+ },
+ {
++ /* https://bugzilla.redhat.com/show_bug.cgi?id=1557060 */
++ .callback = video_detect_force_video,
++ .ident = "SAMSUNG 670Z5E",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "SAMSUNG ELECTRONICS CO., LTD."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "670Z5E"),
++ },
++ },
++ {
+ /* https://bugzilla.redhat.com/show_bug.cgi?id=1094948 */
+ .callback = video_detect_force_video,
+ .ident = "SAMSUNG 730U3E/740U3E",
--- /dev/null
+From 5fcd7f3f966f37f3f9a215af4cc1597fe338d0d5 Mon Sep 17 00:00:00 2001
+From: Aurelien Aptel <aaptel@suse.com>
+Date: Fri, 16 Feb 2018 19:19:28 +0100
+Subject: CIFS: add sha512 secmech
+
+From: Aurelien Aptel <aaptel@suse.com>
+
+commit 5fcd7f3f966f37f3f9a215af4cc1597fe338d0d5 upstream.
+
+* prepare for SMB3.11 pre-auth integrity
+* enable sha512 when SMB311 is enabled in Kconfig
+* add sha512 as a soft dependency
+
+Signed-off-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+CC: Stable <stable@vger.kernel.org>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/Kconfig | 1 +
+ fs/cifs/cifsencrypt.c | 7 +++++++
+ fs/cifs/cifsfs.c | 1 +
+ fs/cifs/cifsglob.h | 2 ++
+ fs/cifs/smb2proto.h | 3 +++
+ fs/cifs/smb2transport.c | 30 ++++++++++++++++++++++++++++++
+ 6 files changed, 44 insertions(+)
+
+--- a/fs/cifs/Kconfig
++++ b/fs/cifs/Kconfig
+@@ -190,6 +190,7 @@ config CIFS_NFSD_EXPORT
+ config CIFS_SMB311
+ bool "SMB3.1.1 network file system support (Experimental)"
+ depends on CIFS
++ select CRYPTO_SHA512
+
+ help
+ This enables experimental support for the newest, SMB3.1.1, dialect.
+--- a/fs/cifs/cifsencrypt.c
++++ b/fs/cifs/cifsencrypt.c
+@@ -829,6 +829,11 @@ cifs_crypto_secmech_release(struct TCP_S
+ server->secmech.md5 = NULL;
+ }
+
++ if (server->secmech.md5) {
++ crypto_free_shash(server->secmech.sha512);
++ server->secmech.sha512 = NULL;
++ }
++
+ if (server->secmech.hmacmd5) {
+ crypto_free_shash(server->secmech.hmacmd5);
+ server->secmech.hmacmd5 = NULL;
+@@ -852,4 +857,6 @@ cifs_crypto_secmech_release(struct TCP_S
+ server->secmech.sdeschmacmd5 = NULL;
+ kfree(server->secmech.sdescmd5);
+ server->secmech.sdescmd5 = NULL;
++ kfree(server->secmech.sdescsha512);
++ server->secmech.sdescsha512 = NULL;
+ }
+--- a/fs/cifs/cifsfs.c
++++ b/fs/cifs/cifsfs.c
+@@ -1476,6 +1476,7 @@ MODULE_SOFTDEP("pre: nls");
+ MODULE_SOFTDEP("pre: aes");
+ MODULE_SOFTDEP("pre: cmac");
+ MODULE_SOFTDEP("pre: sha256");
++MODULE_SOFTDEP("pre: sha512");
+ MODULE_SOFTDEP("pre: aead2");
+ MODULE_SOFTDEP("pre: ccm");
+ module_init(init_cifs)
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -130,10 +130,12 @@ struct cifs_secmech {
+ struct crypto_shash *md5; /* md5 hash function */
+ struct crypto_shash *hmacsha256; /* hmac-sha256 hash function */
+ struct crypto_shash *cmacaes; /* block-cipher based MAC function */
++ struct crypto_shash *sha512; /* sha512 hash function */
+ struct sdesc *sdeschmacmd5; /* ctxt to generate ntlmv2 hash, CR1 */
+ struct sdesc *sdescmd5; /* ctxt to generate cifs/smb signature */
+ struct sdesc *sdeschmacsha256; /* ctxt to generate smb2 signature */
+ struct sdesc *sdesccmacaes; /* ctxt to generate smb3 signature */
++ struct sdesc *sdescsha512; /* ctxt to generate smb3.11 signing key */
+ struct crypto_aead *ccmaesencrypt; /* smb3 encryption aead */
+ struct crypto_aead *ccmaesdecrypt; /* smb3 decryption aead */
+ };
+--- a/fs/cifs/smb2proto.h
++++ b/fs/cifs/smb2proto.h
+@@ -203,4 +203,7 @@ extern int smb3_validate_negotiate(const
+
+ extern enum securityEnum smb2_select_sectype(struct TCP_Server_Info *,
+ enum securityEnum);
++#ifdef CONFIG_CIFS_SMB311
++extern int smb311_crypto_shash_allocate(struct TCP_Server_Info *server);
++#endif
+ #endif /* _SMB2PROTO_H */
+--- a/fs/cifs/smb2transport.c
++++ b/fs/cifs/smb2transport.c
+@@ -70,6 +70,36 @@ err:
+ return rc;
+ }
+
++#ifdef CONFIG_CIFS_SMB311
++int
++smb311_crypto_shash_allocate(struct TCP_Server_Info *server)
++{
++ struct cifs_secmech *p = &server->secmech;
++ int rc = 0;
++
++ rc = cifs_alloc_hash("hmac(sha256)",
++ &p->hmacsha256,
++ &p->sdeschmacsha256);
++ if (rc)
++ return rc;
++
++ rc = cifs_alloc_hash("cmac(aes)", &p->cmacaes, &p->sdesccmacaes);
++ if (rc)
++ goto err;
++
++ rc = cifs_alloc_hash("sha512", &p->sha512, &p->sdescsha512);
++ if (rc)
++ goto err;
++
++ return 0;
++
++err:
++ cifs_free_hash(&p->cmacaes, &p->sdesccmacaes);
++ cifs_free_hash(&p->hmacsha256, &p->sdeschmacsha256);
++ return rc;
++}
++#endif
++
+ static struct cifs_ses *
+ smb2_find_smb_ses_unlocked(struct TCP_Server_Info *server, __u64 ses_id)
+ {
--- /dev/null
+From b7a73c84eb96dabd6bb8e9d7c56f796d83efee8e Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Tue, 13 Feb 2018 15:42:30 +1100
+Subject: cifs: fix memory leak in SMB2_open()
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+commit b7a73c84eb96dabd6bb8e9d7c56f796d83efee8e upstream.
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1773,8 +1773,10 @@ SMB2_open(const unsigned int xid, struct
+ rc = alloc_path_with_tree_prefix(©_path, ©_size,
+ &name_len,
+ tcon->treeName, path);
+- if (rc)
++ if (rc) {
++ cifs_small_buf_release(req);
+ return rc;
++ }
+ req->NameLength = cpu_to_le16(name_len * 2);
+ uni_path_len = copy_size;
+ path = copy_path;
+@@ -1785,8 +1787,10 @@ SMB2_open(const unsigned int xid, struct
+ if (uni_path_len % 8 != 0) {
+ copy_size = roundup(uni_path_len, 8);
+ copy_path = kzalloc(copy_size, GFP_KERNEL);
+- if (!copy_path)
++ if (!copy_path) {
++ cifs_small_buf_release(req);
+ return -ENOMEM;
++ }
+ memcpy((char *)copy_path, (const char *)path,
+ uni_path_len);
+ uni_path_len = copy_size;
--- /dev/null
+From 70e80655f58e17a2e38e577e1b4fa7a8c99619a0 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 19 Feb 2018 11:11:13 -0600
+Subject: CIFS: fix sha512 check in cifs_crypto_secmech_release
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 70e80655f58e17a2e38e577e1b4fa7a8c99619a0 upstream.
+
+It seems this is a copy-paste error and that the proper variable to use
+in this particular case is _sha512_ instead of _md5_.
+
+Addresses-Coverity-ID: 1465358 ("Copy-paste error")
+Fixes: 1c6614d229e7 ("CIFS: add sha512 secmech")
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifsencrypt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/cifsencrypt.c
++++ b/fs/cifs/cifsencrypt.c
+@@ -829,7 +829,7 @@ cifs_crypto_secmech_release(struct TCP_S
+ server->secmech.md5 = NULL;
+ }
+
+- if (server->secmech.md5) {
++ if (server->secmech.sha512) {
+ crypto_free_shash(server->secmech.sha512);
+ server->secmech.sha512 = NULL;
+ }
--- /dev/null
+From 82fb82be05585426405667dd5f0510aa953ba439 Mon Sep 17 00:00:00 2001
+From: Aurelien Aptel <aaptel@suse.com>
+Date: Fri, 16 Feb 2018 19:19:27 +0100
+Subject: CIFS: refactor crypto shash/sdesc allocation&free
+
+From: Aurelien Aptel <aaptel@suse.com>
+
+commit 82fb82be05585426405667dd5f0510aa953ba439 upstream.
+
+shash and sdesc and always allocated and freed together.
+* abstract this in new functions cifs_alloc_hash() and cifs_free_hash().
+* make smb2/3 crypto allocation independent from each other.
+
+Signed-off-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifsencrypt.c | 78 ++++--------------------------------------------
+ fs/cifs/cifsproto.h | 5 +++
+ fs/cifs/link.c | 25 +++------------
+ fs/cifs/misc.c | 54 +++++++++++++++++++++++++++++++++
+ fs/cifs/smb2transport.c | 75 +++++++++-------------------------------------
+ fs/cifs/smbencrypt.c | 25 +++------------
+ 6 files changed, 91 insertions(+), 171 deletions(-)
+
+--- a/fs/cifs/cifsencrypt.c
++++ b/fs/cifs/cifsencrypt.c
+@@ -36,37 +36,6 @@
+ #include <crypto/skcipher.h>
+ #include <crypto/aead.h>
+
+-static int
+-cifs_crypto_shash_md5_allocate(struct TCP_Server_Info *server)
+-{
+- int rc;
+- unsigned int size;
+-
+- if (server->secmech.sdescmd5 != NULL)
+- return 0; /* already allocated */
+-
+- server->secmech.md5 = crypto_alloc_shash("md5", 0, 0);
+- if (IS_ERR(server->secmech.md5)) {
+- cifs_dbg(VFS, "could not allocate crypto md5\n");
+- rc = PTR_ERR(server->secmech.md5);
+- server->secmech.md5 = NULL;
+- return rc;
+- }
+-
+- size = sizeof(struct shash_desc) +
+- crypto_shash_descsize(server->secmech.md5);
+- server->secmech.sdescmd5 = kmalloc(size, GFP_KERNEL);
+- if (!server->secmech.sdescmd5) {
+- crypto_free_shash(server->secmech.md5);
+- server->secmech.md5 = NULL;
+- return -ENOMEM;
+- }
+- server->secmech.sdescmd5->shash.tfm = server->secmech.md5;
+- server->secmech.sdescmd5->shash.flags = 0x0;
+-
+- return 0;
+-}
+-
+ int __cifs_calc_signature(struct smb_rqst *rqst,
+ struct TCP_Server_Info *server, char *signature,
+ struct shash_desc *shash)
+@@ -132,13 +101,10 @@ static int cifs_calc_signature(struct sm
+ if (!rqst->rq_iov || !signature || !server)
+ return -EINVAL;
+
+- if (!server->secmech.sdescmd5) {
+- rc = cifs_crypto_shash_md5_allocate(server);
+- if (rc) {
+- cifs_dbg(VFS, "%s: Can't alloc md5 crypto\n", __func__);
+- return -1;
+- }
+- }
++ rc = cifs_alloc_hash("md5", &server->secmech.md5,
++ &server->secmech.sdescmd5);
++ if (rc)
++ return -1;
+
+ rc = crypto_shash_init(&server->secmech.sdescmd5->shash);
+ if (rc) {
+@@ -663,37 +629,6 @@ CalcNTLMv2_response(const struct cifs_se
+ return rc;
+ }
+
+-static int crypto_hmacmd5_alloc(struct TCP_Server_Info *server)
+-{
+- int rc;
+- unsigned int size;
+-
+- /* check if already allocated */
+- if (server->secmech.sdeschmacmd5)
+- return 0;
+-
+- server->secmech.hmacmd5 = crypto_alloc_shash("hmac(md5)", 0, 0);
+- if (IS_ERR(server->secmech.hmacmd5)) {
+- cifs_dbg(VFS, "could not allocate crypto hmacmd5\n");
+- rc = PTR_ERR(server->secmech.hmacmd5);
+- server->secmech.hmacmd5 = NULL;
+- return rc;
+- }
+-
+- size = sizeof(struct shash_desc) +
+- crypto_shash_descsize(server->secmech.hmacmd5);
+- server->secmech.sdeschmacmd5 = kmalloc(size, GFP_KERNEL);
+- if (!server->secmech.sdeschmacmd5) {
+- crypto_free_shash(server->secmech.hmacmd5);
+- server->secmech.hmacmd5 = NULL;
+- return -ENOMEM;
+- }
+- server->secmech.sdeschmacmd5->shash.tfm = server->secmech.hmacmd5;
+- server->secmech.sdeschmacmd5->shash.flags = 0x0;
+-
+- return 0;
+-}
+-
+ int
+ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct nls_table *nls_cp)
+ {
+@@ -757,9 +692,10 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, c
+
+ mutex_lock(&ses->server->srv_mutex);
+
+- rc = crypto_hmacmd5_alloc(ses->server);
++ rc = cifs_alloc_hash("hmac(md5)",
++ &ses->server->secmech.hmacmd5,
++ &ses->server->secmech.sdeschmacmd5);
+ if (rc) {
+- cifs_dbg(VFS, "could not crypto alloc hmacmd5 rc %d\n", rc);
+ goto unlock;
+ }
+
+--- a/fs/cifs/cifsproto.h
++++ b/fs/cifs/cifsproto.h
+@@ -538,4 +538,9 @@ enum securityEnum cifs_select_sectype(st
+ struct cifs_aio_ctx *cifs_aio_ctx_alloc(void);
+ void cifs_aio_ctx_release(struct kref *refcount);
+ int setup_aio_ctx_iter(struct cifs_aio_ctx *ctx, struct iov_iter *iter, int rw);
++
++int cifs_alloc_hash(const char *name, struct crypto_shash **shash,
++ struct sdesc **sdesc);
++void cifs_free_hash(struct crypto_shash **shash, struct sdesc **sdesc);
++
+ #endif /* _CIFSPROTO_H */
+--- a/fs/cifs/link.c
++++ b/fs/cifs/link.c
+@@ -50,25 +50,12 @@ static int
+ symlink_hash(unsigned int link_len, const char *link_str, u8 *md5_hash)
+ {
+ int rc;
+- unsigned int size;
+- struct crypto_shash *md5;
+- struct sdesc *sdescmd5;
++ struct crypto_shash *md5 = NULL;
++ struct sdesc *sdescmd5 = NULL;
+
+- md5 = crypto_alloc_shash("md5", 0, 0);
+- if (IS_ERR(md5)) {
+- rc = PTR_ERR(md5);
+- cifs_dbg(VFS, "%s: Crypto md5 allocation error %d\n",
+- __func__, rc);
+- return rc;
+- }
+- size = sizeof(struct shash_desc) + crypto_shash_descsize(md5);
+- sdescmd5 = kmalloc(size, GFP_KERNEL);
+- if (!sdescmd5) {
+- rc = -ENOMEM;
++ rc = cifs_alloc_hash("md5", &md5, &sdescmd5);
++ if (rc)
+ goto symlink_hash_err;
+- }
+- sdescmd5->shash.tfm = md5;
+- sdescmd5->shash.flags = 0x0;
+
+ rc = crypto_shash_init(&sdescmd5->shash);
+ if (rc) {
+@@ -85,9 +72,7 @@ symlink_hash(unsigned int link_len, cons
+ cifs_dbg(VFS, "%s: Could not generate md5 hash\n", __func__);
+
+ symlink_hash_err:
+- crypto_free_shash(md5);
+- kfree(sdescmd5);
+-
++ cifs_free_hash(&md5, &sdescmd5);
+ return rc;
+ }
+
+--- a/fs/cifs/misc.c
++++ b/fs/cifs/misc.c
+@@ -848,3 +848,57 @@ setup_aio_ctx_iter(struct cifs_aio_ctx *
+ iov_iter_bvec(&ctx->iter, ITER_BVEC | rw, ctx->bv, npages, ctx->len);
+ return 0;
+ }
++
++/**
++ * cifs_alloc_hash - allocate hash and hash context together
++ *
++ * The caller has to make sure @sdesc is initialized to either NULL or
++ * a valid context. Both can be freed via cifs_free_hash().
++ */
++int
++cifs_alloc_hash(const char *name,
++ struct crypto_shash **shash, struct sdesc **sdesc)
++{
++ int rc = 0;
++ size_t size;
++
++ if (*sdesc != NULL)
++ return 0;
++
++ *shash = crypto_alloc_shash(name, 0, 0);
++ if (IS_ERR(*shash)) {
++ cifs_dbg(VFS, "could not allocate crypto %s\n", name);
++ rc = PTR_ERR(*shash);
++ *shash = NULL;
++ *sdesc = NULL;
++ return rc;
++ }
++
++ size = sizeof(struct shash_desc) + crypto_shash_descsize(*shash);
++ *sdesc = kmalloc(size, GFP_KERNEL);
++ if (*sdesc == NULL) {
++ cifs_dbg(VFS, "no memory left to allocate crypto %s\n", name);
++ crypto_free_shash(*shash);
++ *shash = NULL;
++ return -ENOMEM;
++ }
++
++ (*sdesc)->shash.tfm = *shash;
++ (*sdesc)->shash.flags = 0x0;
++ return 0;
++}
++
++/**
++ * cifs_free_hash - free hash and hash context together
++ *
++ * Freeing a NULL hash or context is safe.
++ */
++void
++cifs_free_hash(struct crypto_shash **shash, struct sdesc **sdesc)
++{
++ kfree(*sdesc);
++ *sdesc = NULL;
++ if (*shash)
++ crypto_free_shash(*shash);
++ *shash = NULL;
++}
+--- a/fs/cifs/smb2transport.c
++++ b/fs/cifs/smb2transport.c
+@@ -43,76 +43,31 @@
+ static int
+ smb2_crypto_shash_allocate(struct TCP_Server_Info *server)
+ {
+- int rc;
+- unsigned int size;
+-
+- if (server->secmech.sdeschmacsha256 != NULL)
+- return 0; /* already allocated */
+-
+- server->secmech.hmacsha256 = crypto_alloc_shash("hmac(sha256)", 0, 0);
+- if (IS_ERR(server->secmech.hmacsha256)) {
+- cifs_dbg(VFS, "could not allocate crypto hmacsha256\n");
+- rc = PTR_ERR(server->secmech.hmacsha256);
+- server->secmech.hmacsha256 = NULL;
+- return rc;
+- }
+-
+- size = sizeof(struct shash_desc) +
+- crypto_shash_descsize(server->secmech.hmacsha256);
+- server->secmech.sdeschmacsha256 = kmalloc(size, GFP_KERNEL);
+- if (!server->secmech.sdeschmacsha256) {
+- crypto_free_shash(server->secmech.hmacsha256);
+- server->secmech.hmacsha256 = NULL;
+- return -ENOMEM;
+- }
+- server->secmech.sdeschmacsha256->shash.tfm = server->secmech.hmacsha256;
+- server->secmech.sdeschmacsha256->shash.flags = 0x0;
+-
+- return 0;
++ return cifs_alloc_hash("hmac(sha256)",
++ &server->secmech.hmacsha256,
++ &server->secmech.sdeschmacsha256);
+ }
+
+ static int
+ smb3_crypto_shash_allocate(struct TCP_Server_Info *server)
+ {
+- unsigned int size;
++ struct cifs_secmech *p = &server->secmech;
+ int rc;
+
+- if (server->secmech.sdesccmacaes != NULL)
+- return 0; /* already allocated */
+-
+- rc = smb2_crypto_shash_allocate(server);
++ rc = cifs_alloc_hash("hmac(sha256)",
++ &p->hmacsha256,
++ &p->sdeschmacsha256);
+ if (rc)
+- return rc;
+-
+- server->secmech.cmacaes = crypto_alloc_shash("cmac(aes)", 0, 0);
+- if (IS_ERR(server->secmech.cmacaes)) {
+- cifs_dbg(VFS, "could not allocate crypto cmac-aes");
+- kfree(server->secmech.sdeschmacsha256);
+- server->secmech.sdeschmacsha256 = NULL;
+- crypto_free_shash(server->secmech.hmacsha256);
+- server->secmech.hmacsha256 = NULL;
+- rc = PTR_ERR(server->secmech.cmacaes);
+- server->secmech.cmacaes = NULL;
+- return rc;
+- }
++ goto err;
+
+- size = sizeof(struct shash_desc) +
+- crypto_shash_descsize(server->secmech.cmacaes);
+- server->secmech.sdesccmacaes = kmalloc(size, GFP_KERNEL);
+- if (!server->secmech.sdesccmacaes) {
+- cifs_dbg(VFS, "%s: Can't alloc cmacaes\n", __func__);
+- kfree(server->secmech.sdeschmacsha256);
+- server->secmech.sdeschmacsha256 = NULL;
+- crypto_free_shash(server->secmech.hmacsha256);
+- crypto_free_shash(server->secmech.cmacaes);
+- server->secmech.hmacsha256 = NULL;
+- server->secmech.cmacaes = NULL;
+- return -ENOMEM;
+- }
+- server->secmech.sdesccmacaes->shash.tfm = server->secmech.cmacaes;
+- server->secmech.sdesccmacaes->shash.flags = 0x0;
++ rc = cifs_alloc_hash("cmac(aes)", &p->cmacaes, &p->sdesccmacaes);
++ if (rc)
++ goto err;
+
+ return 0;
++err:
++ cifs_free_hash(&p->hmacsha256, &p->sdeschmacsha256);
++ return rc;
+ }
+
+ static struct cifs_ses *
+@@ -457,7 +412,7 @@ smb3_calc_signature(struct smb_rqst *rqs
+ cifs_dbg(VFS, "%s: Could not init cmac aes\n", __func__);
+ return rc;
+ }
+-
++
+ rc = __cifs_calc_signature(rqst, server, sigptr,
+ &server->secmech.sdesccmacaes->shash);
+
+--- a/fs/cifs/smbencrypt.c
++++ b/fs/cifs/smbencrypt.c
+@@ -121,25 +121,12 @@ int
+ mdfour(unsigned char *md4_hash, unsigned char *link_str, int link_len)
+ {
+ int rc;
+- unsigned int size;
+- struct crypto_shash *md4;
+- struct sdesc *sdescmd4;
++ struct crypto_shash *md4 = NULL;
++ struct sdesc *sdescmd4 = NULL;
+
+- md4 = crypto_alloc_shash("md4", 0, 0);
+- if (IS_ERR(md4)) {
+- rc = PTR_ERR(md4);
+- cifs_dbg(VFS, "%s: Crypto md4 allocation error %d\n",
+- __func__, rc);
+- return rc;
+- }
+- size = sizeof(struct shash_desc) + crypto_shash_descsize(md4);
+- sdescmd4 = kmalloc(size, GFP_KERNEL);
+- if (!sdescmd4) {
+- rc = -ENOMEM;
++ rc = cifs_alloc_hash("md4", &md4, &sdescmd4);
++ if (rc)
+ goto mdfour_err;
+- }
+- sdescmd4->shash.tfm = md4;
+- sdescmd4->shash.flags = 0x0;
+
+ rc = crypto_shash_init(&sdescmd4->shash);
+ if (rc) {
+@@ -156,9 +143,7 @@ mdfour(unsigned char *md4_hash, unsigned
+ cifs_dbg(VFS, "%s: Could not generate md4 hash\n", __func__);
+
+ mdfour_err:
+- crypto_free_shash(md4);
+- kfree(sdescmd4);
+-
++ cifs_free_hash(&md4, &sdescmd4);
+ return rc;
+ }
+
--- /dev/null
+From 262916bc69faf90104aa784d55e10760a4199594 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Tue, 20 Feb 2018 12:45:21 +1100
+Subject: fix smb3-encryption breakage when CONFIG_DEBUG_SG=y
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+commit 262916bc69faf90104aa784d55e10760a4199594 upstream.
+
+We can not use the standard sg_set_buf() fucntion since when
+CONFIG_DEBUG_SG=y this adds a check that will BUG_ON for cifs.ko
+when we pass it an object from the stack.
+
+Create a new wrapper smb2_sg_set_buf() which avoids doing that particular check
+and use it for smb3 encryption instead.
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2ops.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -2060,6 +2060,15 @@ fill_transform_hdr(struct smb2_transform
+ inc_rfc1001_len(tr_hdr, orig_len);
+ }
+
++/* We can not use the normal sg_set_buf() as we will sometimes pass a
++ * stack object as buf.
++ */
++static inline void smb2_sg_set_buf(struct scatterlist *sg, const void *buf,
++ unsigned int buflen)
++{
++ sg_set_page(sg, virt_to_page(buf), buflen, offset_in_page(buf));
++}
++
+ static struct scatterlist *
+ init_sg(struct smb_rqst *rqst, u8 *sign)
+ {
+@@ -2074,16 +2083,16 @@ init_sg(struct smb_rqst *rqst, u8 *sign)
+ return NULL;
+
+ sg_init_table(sg, sg_len);
+- sg_set_buf(&sg[0], rqst->rq_iov[0].iov_base + 24, assoc_data_len);
++ smb2_sg_set_buf(&sg[0], rqst->rq_iov[0].iov_base + 24, assoc_data_len);
+ for (i = 1; i < rqst->rq_nvec; i++)
+- sg_set_buf(&sg[i], rqst->rq_iov[i].iov_base,
++ smb2_sg_set_buf(&sg[i], rqst->rq_iov[i].iov_base,
+ rqst->rq_iov[i].iov_len);
+ for (j = 0; i < sg_len - 1; i++, j++) {
+ unsigned int len = (j < rqst->rq_npages - 1) ? rqst->rq_pagesz
+ : rqst->rq_tailsz;
+ sg_set_page(&sg[i], rqst->rq_pages[j], len, 0);
+ }
+- sg_set_buf(&sg[sg_len - 1], sign, SMB2_SIGNATURE_SIZE);
++ smb2_sg_set_buf(&sg[sg_len - 1], sign, SMB2_SIGNATURE_SIZE);
+ return sg;
+ }
+
--- /dev/null
+From ac75a041048b8c1f7418e27621ca5efda8571043 Mon Sep 17 00:00:00 2001
+From: Aaron Ma <aaron.ma@canonical.com>
+Date: Mon, 8 Jan 2018 10:41:40 +0800
+Subject: HID: i2c-hid: fix size check and type usage
+
+From: Aaron Ma <aaron.ma@canonical.com>
+
+commit ac75a041048b8c1f7418e27621ca5efda8571043 upstream.
+
+When convert char array with signed int, if the inbuf[x] is negative then
+upper bits will be set to 1. Fix this by using u8 instead of char.
+
+ret_size has to be at least 3, hid_input_report use it after minus 2 bytes.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/i2c-hid/i2c-hid.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -143,10 +143,10 @@ struct i2c_hid {
+ * register of the HID
+ * descriptor. */
+ unsigned int bufsize; /* i2c buffer size */
+- char *inbuf; /* Input buffer */
+- char *rawbuf; /* Raw Input buffer */
+- char *cmdbuf; /* Command buffer */
+- char *argsbuf; /* Command arguments buffer */
++ u8 *inbuf; /* Input buffer */
++ u8 *rawbuf; /* Raw Input buffer */
++ u8 *cmdbuf; /* Command buffer */
++ u8 *argsbuf; /* Command arguments buffer */
+
+ unsigned long flags; /* device flags */
+ unsigned long quirks; /* Various quirks */
+@@ -450,7 +450,8 @@ out_unlock:
+
+ static void i2c_hid_get_input(struct i2c_hid *ihid)
+ {
+- int ret, ret_size;
++ int ret;
++ u32 ret_size;
+ int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
+
+ if (size > ihid->bufsize)
+@@ -475,7 +476,7 @@ static void i2c_hid_get_input(struct i2c
+ return;
+ }
+
+- if (ret_size > size) {
++ if ((ret_size > size) || (ret_size <= 2)) {
+ dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n",
+ __func__, size, ret_size);
+ return;
--- /dev/null
+From f7f6d915a10f7f2bce17e3b1b7d3376562395a28 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Wed, 11 Apr 2018 18:05:34 +0200
+Subject: i2c: i801: Restore configuration at shutdown
+
+From: Jean Delvare <jdelvare@suse.de>
+
+commit f7f6d915a10f7f2bce17e3b1b7d3376562395a28 upstream.
+
+On some systems, the BIOS expects certain SMBus register values to
+match the hardware defaults. Restore these configuration registers at
+shutdown time to avoid confusing the BIOS. This avoids hard-locking
+such systems upon reboot.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Tested-by: Jason Andryuk <jandryuk@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-i801.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -1700,6 +1700,15 @@ static void i801_remove(struct pci_dev *
+ */
+ }
+
++static void i801_shutdown(struct pci_dev *dev)
++{
++ struct i801_priv *priv = pci_get_drvdata(dev);
++
++ /* Restore config registers to avoid hard hang on some systems */
++ i801_disable_host_notify(priv);
++ pci_write_config_byte(dev, SMBHSTCFG, priv->original_hstcfg);
++}
++
+ #ifdef CONFIG_PM
+ static int i801_suspend(struct device *dev)
+ {
+@@ -1729,6 +1738,7 @@ static struct pci_driver i801_driver = {
+ .id_table = i801_ids,
+ .probe = i801_probe,
+ .remove = i801_remove,
++ .shutdown = i801_shutdown,
+ .driver = {
+ .pm = &i801_pm_ops,
+ },
--- /dev/null
+From a086bb8317303dd74725dca933b9b29575159382 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Wed, 11 Apr 2018 18:03:31 +0200
+Subject: i2c: i801: Save register SMBSLVCMD value only once
+
+From: Jean Delvare <jdelvare@suse.de>
+
+commit a086bb8317303dd74725dca933b9b29575159382 upstream.
+
+Saving the original value of register SMBSLVCMD in
+i801_enable_host_notify() doesn't work, because this function is
+called not only at probe time but also at resume time. Do it in
+i801_probe() instead, so that the saved value is not overwritten at
+resume time.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Fixes: 22e94bd6779e ("i2c: i801: store and restore the SLVCMD register at load and unload")
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Tested-by: Jason Andryuk <jandryuk@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Cc: stable@vger.kernel.org # v4.10+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-i801.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -965,8 +965,6 @@ static void i801_enable_host_notify(stru
+ if (!(priv->features & FEATURE_HOST_NOTIFY))
+ return;
+
+- priv->original_slvcmd = inb_p(SMBSLVCMD(priv));
+-
+ if (!(SMBSLVCMD_HST_NTFY_INTREN & priv->original_slvcmd))
+ outb_p(SMBSLVCMD_HST_NTFY_INTREN | priv->original_slvcmd,
+ SMBSLVCMD(priv));
+@@ -1614,6 +1612,10 @@ static int i801_probe(struct pci_dev *de
+ outb_p(inb_p(SMBAUXCTL(priv)) &
+ ~(SMBAUXCTL_CRC | SMBAUXCTL_E32B), SMBAUXCTL(priv));
+
++ /* Remember original Host Notify setting */
++ if (priv->features & FEATURE_HOST_NOTIFY)
++ priv->original_slvcmd = inb_p(SMBSLVCMD(priv));
++
+ /* Default timeout in interrupt mode: 200 ms */
+ priv->adapter.timeout = HZ / 5;
+
--- /dev/null
+From f00e71091ab92eba52122332586c6ecaa9cd1a56 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 8 Feb 2018 10:23:44 +0300
+Subject: regmap: Fix reversed bounds check in regmap_raw_write()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit f00e71091ab92eba52122332586c6ecaa9cd1a56 upstream.
+
+We're supposed to be checking that "val_len" is not too large but
+instead we check if it is smaller than the max.
+
+The only function affected would be regmap_i2c_smbus_i2c_write() in
+drivers/base/regmap/regmap-i2c.c. Strangely that function has its own
+limit check which returns an error if (count >= I2C_SMBUS_BLOCK_MAX) so
+it doesn't look like it has ever been able to do anything except return
+an error.
+
+Fixes: c335931ed9d2 ("regmap: Add raw_write/read checks for max_raw_write/read sizes")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/regmap/regmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1739,7 +1739,7 @@ int regmap_raw_write(struct regmap *map,
+ return -EINVAL;
+ if (val_len % map->format.val_bytes)
+ return -EINVAL;
+- if (map->max_raw_write && map->max_raw_write > val_len)
++ if (map->max_raw_write && map->max_raw_write < val_len)
+ return -E2BIG;
+
+ map->lock(map->lock_arg);
media-vsp1-fix-brx-conditional-path-in-wpf.patch
x86-xen-delay-get_cpu_cap-until-stack-canary-is-established.patch
xen-netfront-fix-hang-on-device-removal.patch
+regmap-fix-reversed-bounds-check-in-regmap_raw_write.patch
+acpi-video-add-quirk-to-force-acpi-video-backlight-on-samsung-670z5e.patch
+acpi-hotplug-pci-check-presence-of-slot-itself-in-get_slot_status.patch
+usb-gadget-f_midi-fixing-a-possible-double-free-in-f_midi.patch
+usb-fix-usb3-devices-behind-usb3-hubs-not-resuming-at-hibernate-thaw.patch
+usb-dwc3-prevent-setting-prtcap-to-otg-from-debugfs.patch
+usb-dwc3-pci-properly-cleanup-resource.patch
+usb-dwc3-gadget-never-call-complete-from-ep_queue.patch
+cifs-fix-memory-leak-in-smb2_open.patch
+fix-smb3-encryption-breakage-when-config_debug_sg-y.patch
+smb3-fix-root-directory-when-server-returns-inode-number-of-zero.patch
+hid-i2c-hid-fix-size-check-and-type-usage.patch
+i2c-i801-save-register-smbslvcmd-value-only-once.patch
+i2c-i801-restore-configuration-at-shutdown.patch
+cifs-refactor-crypto-shash-sdesc-allocation-free.patch
+cifs-add-sha512-secmech.patch
+cifs-fix-sha512-check-in-cifs_crypto_secmech_release.patch
--- /dev/null
+From 7ea884c77e5c97f1e0a1a422d961d27f78ca2745 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Sat, 31 Mar 2018 18:13:38 -0500
+Subject: smb3: Fix root directory when server returns inode number of zero
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 7ea884c77e5c97f1e0a1a422d961d27f78ca2745 upstream.
+
+Some servers return inode number zero for the root directory, which
+causes ls to display incorrect data (missing "." and "..").
+
+If the server returns zero for the inode number of the root directory,
+fake an inode number for it.
+
+Signed-off-by: Steve French <smfrench@gmail.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifsglob.h | 1 +
+ fs/cifs/inode.c | 33 +++++++++++++++++++++++++++++++++
+ 2 files changed, 34 insertions(+)
+
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -1449,6 +1449,7 @@ struct dfs_info3_param {
+ #define CIFS_FATTR_NEED_REVAL 0x4
+ #define CIFS_FATTR_INO_COLLISION 0x8
+ #define CIFS_FATTR_UNKNOWN_NLINK 0x10
++#define CIFS_FATTR_FAKE_ROOT_INO 0x20
+
+ struct cifs_fattr {
+ u32 cf_flags;
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -707,6 +707,18 @@ cgfi_exit:
+ return rc;
+ }
+
++/* Simple function to return a 64 bit hash of string. Rarely called */
++static __u64 simple_hashstr(const char *str)
++{
++ const __u64 hash_mult = 1125899906842597L; /* a big enough prime */
++ __u64 hash = 0;
++
++ while (*str)
++ hash = (hash + (__u64) *str++) * hash_mult;
++
++ return hash;
++}
++
+ int
+ cifs_get_inode_info(struct inode **inode, const char *full_path,
+ FILE_ALL_INFO *data, struct super_block *sb, int xid,
+@@ -816,6 +828,14 @@ cifs_get_inode_info(struct inode **inode
+ tmprc);
+ fattr.cf_uniqueid = iunique(sb, ROOT_I);
+ cifs_autodisable_serverino(cifs_sb);
++ } else if ((fattr.cf_uniqueid == 0) &&
++ strlen(full_path) == 0) {
++ /* some servers ret bad root ino ie 0 */
++ cifs_dbg(FYI, "Invalid (0) inodenum\n");
++ fattr.cf_flags |=
++ CIFS_FATTR_FAKE_ROOT_INO;
++ fattr.cf_uniqueid =
++ simple_hashstr(tcon->treeName);
+ }
+ }
+ } else
+@@ -832,6 +852,16 @@ cifs_get_inode_info(struct inode **inode
+ &fattr.cf_uniqueid, data);
+ if (tmprc)
+ fattr.cf_uniqueid = CIFS_I(*inode)->uniqueid;
++ else if ((fattr.cf_uniqueid == 0) &&
++ strlen(full_path) == 0) {
++ /*
++ * Reuse existing root inode num since
++ * inum zero for root causes ls of . and .. to
++ * not be returned
++ */
++ cifs_dbg(FYI, "Srv ret 0 inode num for root\n");
++ fattr.cf_uniqueid = CIFS_I(*inode)->uniqueid;
++ }
+ } else
+ fattr.cf_uniqueid = CIFS_I(*inode)->uniqueid;
+ }
+@@ -893,6 +923,9 @@ cifs_get_inode_info(struct inode **inode
+ }
+
+ cgii_exit:
++ if ((*inode) && ((*inode)->i_ino == 0))
++ cifs_dbg(FYI, "inode number of zero returned\n");
++
+ kfree(buf);
+ cifs_put_tlink(tlink);
+ return rc;
--- /dev/null
+From c91815b596245fd7da349ecc43c8def670d2269e Mon Sep 17 00:00:00 2001
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+Date: Mon, 26 Mar 2018 13:14:47 +0300
+Subject: usb: dwc3: gadget: never call ->complete() from ->ep_queue()
+
+From: Felipe Balbi <felipe.balbi@linux.intel.com>
+
+commit c91815b596245fd7da349ecc43c8def670d2269e upstream.
+
+This is a requirement which has always existed but, somehow, wasn't
+reflected in the documentation and problems weren't found until now
+when Tuba Yavuz found a possible deadlock happening between dwc3 and
+f_hid. She described the situation as follows:
+
+spin_lock_irqsave(&hidg->write_spinlock, flags); // first acquire
+/* we our function has been disabled by host */
+if (!hidg->req) {
+ free_ep_req(hidg->in_ep, hidg->req);
+ goto try_again;
+}
+
+[...]
+
+status = usb_ep_queue(hidg->in_ep, hidg->req, GFP_ATOMIC);
+=>
+ [...]
+ => usb_gadget_giveback_request
+ =>
+ f_hidg_req_complete
+ =>
+ spin_lock_irqsave(&hidg->write_spinlock, flags); // second acquire
+
+Note that this happens because dwc3 would call ->complete() on a
+failed usb_ep_queue() due to failed Start Transfer command. This is,
+anyway, a theoretical situation because dwc3 currently uses "No
+Response Update Transfer" command for Bulk and Interrupt endpoints.
+
+It's still good to make this case impossible to happen even if the "No
+Reponse Update Transfer" command is changed.
+
+Reported-by: Tuba Yavuz <tuba@ece.ufl.edu>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.c | 43 +++++++++++++++++++++++++------------------
+ 1 file changed, 25 insertions(+), 18 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -174,18 +174,8 @@ static void dwc3_ep_inc_deq(struct dwc3_
+ dwc3_ep_inc_trb(&dep->trb_dequeue);
+ }
+
+-/**
+- * dwc3_gadget_giveback - call struct usb_request's ->complete callback
+- * @dep: The endpoint to whom the request belongs to
+- * @req: The request we're giving back
+- * @status: completion code for the request
+- *
+- * Must be called with controller's lock held and interrupts disabled. This
+- * function will unmap @req and call its ->complete() callback to notify upper
+- * layers that it has completed.
+- */
+-void dwc3_gadget_giveback(struct dwc3_ep *dep, struct dwc3_request *req,
+- int status)
++void dwc3_gadget_del_and_unmap_request(struct dwc3_ep *dep,
++ struct dwc3_request *req, int status)
+ {
+ struct dwc3 *dwc = dep->dwc;
+
+@@ -198,18 +188,35 @@ void dwc3_gadget_giveback(struct dwc3_ep
+
+ if (req->trb)
+ usb_gadget_unmap_request_by_dev(dwc->sysdev,
+- &req->request, req->direction);
++ &req->request, req->direction);
+
+ req->trb = NULL;
+-
+ trace_dwc3_gadget_giveback(req);
+
++ if (dep->number > 1)
++ pm_runtime_put(dwc->dev);
++}
++
++/**
++ * dwc3_gadget_giveback - call struct usb_request's ->complete callback
++ * @dep: The endpoint to whom the request belongs to
++ * @req: The request we're giving back
++ * @status: completion code for the request
++ *
++ * Must be called with controller's lock held and interrupts disabled. This
++ * function will unmap @req and call its ->complete() callback to notify upper
++ * layers that it has completed.
++ */
++void dwc3_gadget_giveback(struct dwc3_ep *dep, struct dwc3_request *req,
++ int status)
++{
++ struct dwc3 *dwc = dep->dwc;
++
++ dwc3_gadget_del_and_unmap_request(dep, req, status);
++
+ spin_unlock(&dwc->lock);
+ usb_gadget_giveback_request(&dep->endpoint, &req->request);
+ spin_lock(&dwc->lock);
+-
+- if (dep->number > 1)
+- pm_runtime_put(dwc->dev);
+ }
+
+ /**
+@@ -1233,7 +1240,7 @@ static int __dwc3_gadget_kick_transfer(s
+ if (req->trb)
+ memset(req->trb, 0, sizeof(struct dwc3_trb));
+ dep->queued_requests--;
+- dwc3_gadget_giveback(dep, req, ret);
++ dwc3_gadget_del_and_unmap_request(dep, req, ret);
+ return ret;
+ }
+
--- /dev/null
+From cabdf83dadfb3d83eec31e0f0638a92dbd716435 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Mon, 19 Mar 2018 13:07:35 -0700
+Subject: usb: dwc3: pci: Properly cleanup resource
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit cabdf83dadfb3d83eec31e0f0638a92dbd716435 upstream.
+
+Platform device is allocated before adding resources. Make sure to
+properly cleanup on error case.
+
+Cc: <stable@vger.kernel.org>
+Fixes: f1c7e7108109 ("usb: dwc3: convert to pcim_enable_device()")
+Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/dwc3-pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -212,7 +212,7 @@ static int dwc3_pci_probe(struct pci_dev
+ ret = platform_device_add_resources(dwc->dwc3, res, ARRAY_SIZE(res));
+ if (ret) {
+ dev_err(dev, "couldn't add resources to dwc3 device\n");
+- return ret;
++ goto err;
+ }
+
+ dwc->pci = pci;
--- /dev/null
+From daaecc6541d014dca073473ec8a4120c0babbeb4 Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Tue, 27 Feb 2018 12:54:37 +0200
+Subject: usb: dwc3: prevent setting PRTCAP to OTG from debugfs
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit daaecc6541d014dca073473ec8a4120c0babbeb4 upstream.
+
+We don't support PRTCAP == OTG yet, so prevent user from
+setting it via debugfs.
+
+Fixes: 41ce1456e1db ("usb: dwc3: core: make dwc3_set_mode() work properly")
+Cc: <stable@vger.kernel.org> # v4.12+
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -128,6 +128,9 @@ static void __dwc3_set_mode(struct work_
+ if (dwc->dr_mode != USB_DR_MODE_OTG)
+ return;
+
++ if (dwc->desired_dr_role == DWC3_GCTL_PRTCAP_OTG)
++ return;
++
+ switch (dwc->current_dr_role) {
+ case DWC3_GCTL_PRTCAP_HOST:
+ dwc3_host_exit(dwc);
--- /dev/null
+From 64627388b50158fd24d6ad88132525b95a5ef573 Mon Sep 17 00:00:00 2001
+From: Zhengjun Xing <zhengjun.xing@linux.intel.com>
+Date: Wed, 21 Mar 2018 13:29:42 +0800
+Subject: USB:fix USB3 devices behind USB3 hubs not resuming at hibernate thaw
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zhengjun Xing <zhengjun.xing@linux.intel.com>
+
+commit 64627388b50158fd24d6ad88132525b95a5ef573 upstream.
+
+USB3 hubs don't support global suspend.
+
+USB3 specification 10.10, Enhanced SuperSpeed hubs only support selective
+suspend and resume, they do not support global suspend/resume where the
+hub downstream facing ports states are not affected.
+
+When system enters hibernation it first enters freeze process where only
+the root hub enters suspend, usb_port_suspend() is not called for other
+devices, and suspend status flags are not set for them. Other devices are
+expected to suspend globally. Some external USB3 hubs will suspend the
+downstream facing port at global suspend. These devices won't be resumed
+at thaw as the suspend status flag is not set.
+
+A USB3 removable hard disk connected through a USB3 hub that won't resume
+at thaw will fail to synchronize SCSI cache, return “cmd cmplt err -71”
+error, and needs a 60 seconds timeout which causing system hang for 60s
+before the USB host reset the port for the USB3 removable hard disk to
+recover.
+
+Fix this by always calling usb_port_suspend() during freeze for USB3
+devices.
+
+Signed-off-by: Zhengjun Xing <zhengjun.xing@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/generic.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/generic.c
++++ b/drivers/usb/core/generic.c
+@@ -210,8 +210,13 @@ static int generic_suspend(struct usb_de
+ if (!udev->parent)
+ rc = hcd_bus_suspend(udev, msg);
+
+- /* Non-root devices don't need to do anything for FREEZE or PRETHAW */
+- else if (msg.event == PM_EVENT_FREEZE || msg.event == PM_EVENT_PRETHAW)
++ /*
++ * Non-root USB2 devices don't need to do anything for FREEZE
++ * or PRETHAW. USB3 devices don't support global suspend and
++ * needs to be selectively suspended.
++ */
++ else if ((msg.event == PM_EVENT_FREEZE || msg.event == PM_EVENT_PRETHAW)
++ && (udev->speed < USB_SPEED_SUPER))
+ rc = 0;
+ else
+ rc = usb_port_suspend(udev, msg);
--- /dev/null
+From 7fafcfdf6377b18b2a726ea554d6e593ba44349f Mon Sep 17 00:00:00 2001
+From: "Yavuz, Tuba" <tuba@ece.ufl.edu>
+Date: Fri, 23 Mar 2018 17:00:38 +0000
+Subject: USB: gadget: f_midi: fixing a possible double-free in f_midi
+
+From: Yavuz, Tuba <tuba@ece.ufl.edu>
+
+commit 7fafcfdf6377b18b2a726ea554d6e593ba44349f upstream.
+
+It looks like there is a possibility of a double-free vulnerability on an
+error path of the f_midi_set_alt function in the f_midi driver. If the
+path is feasible then free_ep_req gets called twice:
+
+ req->complete = f_midi_complete;
+ err = usb_ep_queue(midi->out_ep, req, GFP_ATOMIC);
+ => ...
+ usb_gadget_giveback_request
+ =>
+ f_midi_complete (CALLBACK)
+ (inside f_midi_complete, for various cases of status)
+ free_ep_req(ep, req); // first kfree
+ if (err) {
+ ERROR(midi, "%s: couldn't enqueue request: %d\n",
+ midi->out_ep->name, err);
+ free_ep_req(midi->out_ep, req); // second kfree
+ return err;
+ }
+
+The double-free possibility was introduced with commit ad0d1a058eac
+("usb: gadget: f_midi: fix leak on failed to enqueue out requests").
+
+Found by MOXCAFE tool.
+
+Signed-off-by: Tuba Yavuz <tuba@ece.ufl.edu>
+Fixes: ad0d1a058eac ("usb: gadget: f_midi: fix leak on failed to enqueue out requests")
+Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_midi.c | 3 ++-
+ drivers/usb/gadget/u_f.h | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_midi.c
++++ b/drivers/usb/gadget/function/f_midi.c
+@@ -405,7 +405,8 @@ static int f_midi_set_alt(struct usb_fun
+ if (err) {
+ ERROR(midi, "%s: couldn't enqueue request: %d\n",
+ midi->out_ep->name, err);
+- free_ep_req(midi->out_ep, req);
++ if (req->buf != NULL)
++ free_ep_req(midi->out_ep, req);
+ return err;
+ }
+ }
+--- a/drivers/usb/gadget/u_f.h
++++ b/drivers/usb/gadget/u_f.h
+@@ -64,7 +64,9 @@ struct usb_request *alloc_ep_req(struct
+ /* Frees a usb_request previously allocated by alloc_ep_req() */
+ static inline void free_ep_req(struct usb_ep *ep, struct usb_request *req)
+ {
++ WARN_ON(req->buf == NULL);
+ kfree(req->buf);
++ req->buf = NULL;
+ usb_ep_free_request(ep, req);
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
