--- /dev/null
+From 709ae62e8e6d9ac4df7dadb3b8ae432675c45ef9 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Thu, 4 Oct 2018 11:39:42 +0800
+Subject: ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 709ae62e8e6d9ac4df7dadb3b8ae432675c45ef9 upstream.
+
+The issue is the same as commit dd9aa335c880 ("ALSA: hda/realtek - Can't
+adjust speaker's volume on a Dell AIO"), the output requires to connect
+to a node with Amp-out capability.
+
+Applying the same fixup ALC298_FIXUP_SPK_VOLUME can fix the issue.
+
+BugLink: https://bugs.launchpad.net/bugs/1775068
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6455,6 +6455,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1028, 0x0706, "Dell Inspiron 7559", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER),
+ SND_PCI_QUIRK(0x1028, 0x0725, "Dell Inspiron 3162", ALC255_FIXUP_DELL_SPK_NOISE),
+ SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
++ SND_PCI_QUIRK(0x1028, 0x075c, "Dell XPS 27 7760", ALC298_FIXUP_SPK_VOLUME),
+ SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME),
+ SND_PCI_QUIRK(0x1028, 0x07b0, "Dell Precision 7520", ALC295_FIXUP_DISABLE_DAC3),
+ SND_PCI_QUIRK(0x1028, 0x0798, "Dell Inspiron 17 7000 Gaming", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER),
--- /dev/null
+From 2823c8716c687d6c7e261a3a02b3cab43809fe9c Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Mon, 27 Aug 2018 10:34:07 -0500
+Subject: b43: fix DMA error related regression with proprietary firmware
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 2823c8716c687d6c7e261a3a02b3cab43809fe9c upstream.
+
+In commit 66cffd6daab7 ("b43: fix transmit failure when VT is switched"),
+a condition is noted where the network controller needs to be reset. Note
+that this situation happens when running the open-source firmware
+(http://netweb.ing.unibs.it/~openfwwf/), plus a number of other special
+conditions.
+
+for a different card model, it is reported that this change breaks
+operation running the proprietary firmware
+(https://marc.info/?l=linux-wireless&m=153504546924558&w=2). Rather
+than reverting the previous patch, the code is tweaked to avoid the
+reset unless the open-source firmware is being used.
+
+Fixes: 66cffd6daab7 ("b43: fix transmit failure when VT is switched")
+Cc: Stable <stable@vger.kernel.org> # 4.18+
+Cc: Taketo Kabe <kabe@sra-tohoku.co.jp>
+Reported-and-tested-by: D. Prabhu <d.praabhu@gmail.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/b43/dma.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/b43/dma.c
++++ b/drivers/net/wireless/broadcom/b43/dma.c
+@@ -1518,13 +1518,15 @@ void b43_dma_handle_txstatus(struct b43_
+ }
+ } else {
+ /* More than a single header/data pair were missed.
+- * Report this error, and reset the controller to
++ * Report this error. If running with open-source
++ * firmware, then reset the controller to
+ * revive operation.
+ */
+ b43dbg(dev->wl,
+ "Out of order TX status report on DMA ring %d. Expected %d, but got %d\n",
+ ring->index, firstused, slot);
+- b43_controller_restart(dev, "Out of order TX");
++ if (dev->fw.opensource)
++ b43_controller_restart(dev, "Out of order TX");
+ return;
+ }
+ }
--- /dev/null
+From d51aea13dd6753186a2bea7619029c460bdf0c4c Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Wed, 19 Sep 2018 17:22:21 -0700
+Subject: cpufreq: qcom-kryo: Fix section annotations
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+commit d51aea13dd6753186a2bea7619029c460bdf0c4c upstream.
+
+There is currently a warning when building the Kryo cpufreq driver into
+the kernel image:
+
+WARNING: vmlinux.o(.text+0x8aa424): Section mismatch in reference from
+the function qcom_cpufreq_kryo_probe() to the function
+.init.text:qcom_cpufreq_kryo_get_msm_id()
+The function qcom_cpufreq_kryo_probe() references
+the function __init qcom_cpufreq_kryo_get_msm_id().
+This is often because qcom_cpufreq_kryo_probe lacks a __init
+annotation or the annotation of qcom_cpufreq_kryo_get_msm_id is wrong.
+
+Remove the '__init' annotation from qcom_cpufreq_kryo_get_msm_id
+so that there is no more mismatch warning.
+
+Additionally, Nick noticed that the remove function was marked as
+'__init' when it should really be marked as '__exit'.
+
+Fixes: 46e2856b8e18 (cpufreq: Add Kryo CPU scaling driver)
+Fixes: 5ad7346b4ae2 (cpufreq: kryo: Add module remove and exit)
+Reported-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: 4.18+ <stable@vger.kernel.org> # 4.18+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/qcom-cpufreq-kryo.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/qcom-cpufreq-kryo.c
++++ b/drivers/cpufreq/qcom-cpufreq-kryo.c
+@@ -44,7 +44,7 @@ enum _msm8996_version {
+
+ struct platform_device *cpufreq_dt_pdev, *kryo_cpufreq_pdev;
+
+-static enum _msm8996_version __init qcom_cpufreq_kryo_get_msm_id(void)
++static enum _msm8996_version qcom_cpufreq_kryo_get_msm_id(void)
+ {
+ size_t len;
+ u32 *msm_id;
+@@ -221,7 +221,7 @@ static int __init qcom_cpufreq_kryo_init
+ }
+ module_init(qcom_cpufreq_kryo_init);
+
+-static void __init qcom_cpufreq_kryo_exit(void)
++static void __exit qcom_cpufreq_kryo_exit(void)
+ {
+ platform_device_unregister(kryo_cpufreq_pdev);
+ platform_driver_unregister(&qcom_cpufreq_kryo_driver);
--- /dev/null
+From 13cc6f48c7434ce46ba6dbc90003a136a263d75a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?= <horia.geanta@nxp.com>
+Date: Fri, 14 Sep 2018 18:34:28 +0300
+Subject: crypto: caam/jr - fix ablkcipher_edesc pointer arithmetic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă <horia.geanta@nxp.com>
+
+commit 13cc6f48c7434ce46ba6dbc90003a136a263d75a upstream.
+
+In some cases the zero-length hw_desc array at the end of
+ablkcipher_edesc struct requires for 4B of tail padding.
+
+Due to tail padding and the way pointers to S/G table and IV
+are computed:
+ edesc->sec4_sg = (void *)edesc + sizeof(struct ablkcipher_edesc) +
+ desc_bytes;
+ iv = (u8 *)edesc->hw_desc + desc_bytes + sec4_sg_bytes;
+first 4 bytes of IV are overwritten by S/G table.
+
+Update computation of pointer to S/G table to rely on offset of hw_desc
+member and not on sizeof() operator.
+
+Cc: <stable@vger.kernel.org> # 4.13+
+Fixes: 115957bb3e59 ("crypto: caam - fix IV DMA mapping and updating")
+Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/caamalg.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/caam/caamalg.c
++++ b/drivers/crypto/caam/caamalg.c
+@@ -1553,8 +1553,8 @@ static struct ablkcipher_edesc *ablkciph
+ edesc->src_nents = src_nents;
+ edesc->dst_nents = dst_nents;
+ edesc->sec4_sg_bytes = sec4_sg_bytes;
+- edesc->sec4_sg = (void *)edesc + sizeof(struct ablkcipher_edesc) +
+- desc_bytes;
++ edesc->sec4_sg = (struct sec4_sg_entry *)((u8 *)edesc->hw_desc +
++ desc_bytes);
+ edesc->iv_dir = DMA_TO_DEVICE;
+
+ /* Make sure IV is located in a DMAable area */
+@@ -1757,8 +1757,8 @@ static struct ablkcipher_edesc *ablkciph
+ edesc->src_nents = src_nents;
+ edesc->dst_nents = dst_nents;
+ edesc->sec4_sg_bytes = sec4_sg_bytes;
+- edesc->sec4_sg = (void *)edesc + sizeof(struct ablkcipher_edesc) +
+- desc_bytes;
++ edesc->sec4_sg = (struct sec4_sg_entry *)((u8 *)edesc->hw_desc +
++ desc_bytes);
+ edesc->iv_dir = DMA_FROM_DEVICE;
+
+ /* Make sure IV is located in a DMAable area */
--- /dev/null
+From add92a817e60e308a419693413a38d9d1e663aff Mon Sep 17 00:00:00 2001
+From: Harsh Jain <harsh@chelsio.com>
+Date: Wed, 19 Sep 2018 22:42:16 +0530
+Subject: crypto: chelsio - Fix memory corruption in DMA Mapped buffers.
+
+From: Harsh Jain <harsh@chelsio.com>
+
+commit add92a817e60e308a419693413a38d9d1e663aff upstream.
+
+Update PCI Id in "cpl_rx_phys_dsgl" header. In case pci_chan_id and
+tx_chan_id are not derived from same queue, H/W can send request
+completion indication before completing DMA Transfer.
+
+Herbert, It would be good if fix can be merge to stable tree.
+For 4.14 kernel, It requires some update to avoid mege conficts.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Harsh Jain <harsh@chelsio.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/chelsio/chcr_algo.c | 32 ++++++++++++++++++++++----------
+ drivers/crypto/chelsio/chcr_crypto.h | 2 ++
+ 2 files changed, 24 insertions(+), 10 deletions(-)
+
+--- a/drivers/crypto/chelsio/chcr_algo.c
++++ b/drivers/crypto/chelsio/chcr_algo.c
+@@ -367,7 +367,8 @@ static inline void dsgl_walk_init(struct
+ walk->to = (struct phys_sge_pairs *)(dsgl + 1);
+ }
+
+-static inline void dsgl_walk_end(struct dsgl_walk *walk, unsigned short qid)
++static inline void dsgl_walk_end(struct dsgl_walk *walk, unsigned short qid,
++ int pci_chan_id)
+ {
+ struct cpl_rx_phys_dsgl *phys_cpl;
+
+@@ -385,6 +386,7 @@ static inline void dsgl_walk_end(struct
+ phys_cpl->rss_hdr_int.opcode = CPL_RX_PHYS_ADDR;
+ phys_cpl->rss_hdr_int.qid = htons(qid);
+ phys_cpl->rss_hdr_int.hash_val = 0;
++ phys_cpl->rss_hdr_int.channel = pci_chan_id;
+ }
+
+ static inline void dsgl_walk_add_page(struct dsgl_walk *walk,
+@@ -718,7 +720,7 @@ static inline void create_wreq(struct ch
+ FILL_WR_RX_Q_ID(ctx->dev->rx_channel_id, qid,
+ !!lcb, ctx->tx_qidx);
+
+- chcr_req->ulptx.cmd_dest = FILL_ULPTX_CMD_DEST(ctx->dev->tx_channel_id,
++ chcr_req->ulptx.cmd_dest = FILL_ULPTX_CMD_DEST(ctx->tx_chan_id,
+ qid);
+ chcr_req->ulptx.len = htonl((DIV_ROUND_UP(len16, 16) -
+ ((sizeof(chcr_req->wreq)) >> 4)));
+@@ -1339,16 +1341,23 @@ static int chcr_device_init(struct chcr_
+ adap->vres.ncrypto_fc);
+ rxq_perchan = u_ctx->lldi.nrxq / u_ctx->lldi.nchan;
+ txq_perchan = ntxq / u_ctx->lldi.nchan;
+- rxq_idx = ctx->dev->tx_channel_id * rxq_perchan;
+- rxq_idx += id % rxq_perchan;
+- txq_idx = ctx->dev->tx_channel_id * txq_perchan;
+- txq_idx += id % txq_perchan;
+ spin_lock(&ctx->dev->lock_chcr_dev);
+- ctx->rx_qidx = rxq_idx;
+- ctx->tx_qidx = txq_idx;
++ ctx->tx_chan_id = ctx->dev->tx_channel_id;
+ ctx->dev->tx_channel_id = !ctx->dev->tx_channel_id;
+ ctx->dev->rx_channel_id = 0;
+ spin_unlock(&ctx->dev->lock_chcr_dev);
++ rxq_idx = ctx->tx_chan_id * rxq_perchan;
++ rxq_idx += id % rxq_perchan;
++ txq_idx = ctx->tx_chan_id * txq_perchan;
++ txq_idx += id % txq_perchan;
++ ctx->rx_qidx = rxq_idx;
++ ctx->tx_qidx = txq_idx;
++ /* Channel Id used by SGE to forward packet to Host.
++ * Same value should be used in cpl_fw6_pld RSS_CH field
++ * by FW. Driver programs PCI channel ID to be used in fw
++ * at the time of queue allocation with value "pi->tx_chan"
++ */
++ ctx->pci_chan_id = txq_idx / txq_perchan;
+ }
+ out:
+ return err;
+@@ -2503,6 +2512,7 @@ void chcr_add_aead_dst_ent(struct aead_r
+ struct crypto_aead *tfm = crypto_aead_reqtfm(req);
+ struct dsgl_walk dsgl_walk;
+ unsigned int authsize = crypto_aead_authsize(tfm);
++ struct chcr_context *ctx = a_ctx(tfm);
+ u32 temp;
+
+ dsgl_walk_init(&dsgl_walk, phys_cpl);
+@@ -2512,7 +2522,7 @@ void chcr_add_aead_dst_ent(struct aead_r
+ dsgl_walk_add_page(&dsgl_walk, IV, &reqctx->iv_dma);
+ temp = req->cryptlen + (reqctx->op ? -authsize : authsize);
+ dsgl_walk_add_sg(&dsgl_walk, req->dst, temp, req->assoclen);
+- dsgl_walk_end(&dsgl_walk, qid);
++ dsgl_walk_end(&dsgl_walk, qid, ctx->pci_chan_id);
+ }
+
+ void chcr_add_cipher_src_ent(struct ablkcipher_request *req,
+@@ -2544,6 +2554,8 @@ void chcr_add_cipher_dst_ent(struct ablk
+ unsigned short qid)
+ {
+ struct chcr_blkcipher_req_ctx *reqctx = ablkcipher_request_ctx(req);
++ struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(wrparam->req);
++ struct chcr_context *ctx = c_ctx(tfm);
+ struct dsgl_walk dsgl_walk;
+
+ dsgl_walk_init(&dsgl_walk, phys_cpl);
+@@ -2552,7 +2564,7 @@ void chcr_add_cipher_dst_ent(struct ablk
+ reqctx->dstsg = dsgl_walk.last_sg;
+ reqctx->dst_ofst = dsgl_walk.last_sg_len;
+
+- dsgl_walk_end(&dsgl_walk, qid);
++ dsgl_walk_end(&dsgl_walk, qid, ctx->pci_chan_id);
+ }
+
+ void chcr_add_hash_src_ent(struct ahash_request *req,
+--- a/drivers/crypto/chelsio/chcr_crypto.h
++++ b/drivers/crypto/chelsio/chcr_crypto.h
+@@ -255,6 +255,8 @@ struct chcr_context {
+ struct chcr_dev *dev;
+ unsigned char tx_qidx;
+ unsigned char rx_qidx;
++ unsigned char tx_chan_id;
++ unsigned char pci_chan_id;
+ struct __crypto_ctx crypto_ctx[0];
+ };
+
--- /dev/null
+From d80771c08363ad7fbf0f56f5301e7ca65065c582 Mon Sep 17 00:00:00 2001
+From: Leonard Crestez <leonard.crestez@nxp.com>
+Date: Fri, 21 Sep 2018 18:03:18 +0300
+Subject: crypto: mxs-dcp - Fix wait logic on chan threads
+
+From: Leonard Crestez <leonard.crestez@nxp.com>
+
+commit d80771c08363ad7fbf0f56f5301e7ca65065c582 upstream.
+
+When compiling with CONFIG_DEBUG_ATOMIC_SLEEP=y the mxs-dcp driver
+prints warnings such as:
+
+WARNING: CPU: 0 PID: 120 at kernel/sched/core.c:7736 __might_sleep+0x98/0x9c
+do not call blocking ops when !TASK_RUNNING; state=1 set at [<8081978c>] dcp_chan_thread_sha+0x3c/0x2ec
+
+The problem is that blocking ops will manipulate current->state
+themselves so it is not allowed to call them between
+set_current_state(TASK_INTERRUPTIBLE) and schedule().
+
+Fix this by converting the per-chan mutex to a spinlock (it only
+protects tiny list ops anyway) and rearranging the wait logic so that
+callbacks are called current->state as TASK_RUNNING. Those callbacks
+will indeed call blocking ops themselves so this is required.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/mxs-dcp.c | 53 ++++++++++++++++++++++++++---------------------
+ 1 file changed, 30 insertions(+), 23 deletions(-)
+
+--- a/drivers/crypto/mxs-dcp.c
++++ b/drivers/crypto/mxs-dcp.c
+@@ -63,7 +63,7 @@ struct dcp {
+ struct dcp_coherent_block *coh;
+
+ struct completion completion[DCP_MAX_CHANS];
+- struct mutex mutex[DCP_MAX_CHANS];
++ spinlock_t lock[DCP_MAX_CHANS];
+ struct task_struct *thread[DCP_MAX_CHANS];
+ struct crypto_queue queue[DCP_MAX_CHANS];
+ };
+@@ -349,13 +349,20 @@ static int dcp_chan_thread_aes(void *dat
+
+ int ret;
+
+- do {
+- __set_current_state(TASK_INTERRUPTIBLE);
++ while (!kthread_should_stop()) {
++ set_current_state(TASK_INTERRUPTIBLE);
+
+- mutex_lock(&sdcp->mutex[chan]);
++ spin_lock(&sdcp->lock[chan]);
+ backlog = crypto_get_backlog(&sdcp->queue[chan]);
+ arq = crypto_dequeue_request(&sdcp->queue[chan]);
+- mutex_unlock(&sdcp->mutex[chan]);
++ spin_unlock(&sdcp->lock[chan]);
++
++ if (!backlog && !arq) {
++ schedule();
++ continue;
++ }
++
++ set_current_state(TASK_RUNNING);
+
+ if (backlog)
+ backlog->complete(backlog, -EINPROGRESS);
+@@ -363,11 +370,8 @@ static int dcp_chan_thread_aes(void *dat
+ if (arq) {
+ ret = mxs_dcp_aes_block_crypt(arq);
+ arq->complete(arq, ret);
+- continue;
+ }
+-
+- schedule();
+- } while (!kthread_should_stop());
++ }
+
+ return 0;
+ }
+@@ -409,9 +413,9 @@ static int mxs_dcp_aes_enqueue(struct ab
+ rctx->ecb = ecb;
+ actx->chan = DCP_CHAN_CRYPTO;
+
+- mutex_lock(&sdcp->mutex[actx->chan]);
++ spin_lock(&sdcp->lock[actx->chan]);
+ ret = crypto_enqueue_request(&sdcp->queue[actx->chan], &req->base);
+- mutex_unlock(&sdcp->mutex[actx->chan]);
++ spin_unlock(&sdcp->lock[actx->chan]);
+
+ wake_up_process(sdcp->thread[actx->chan]);
+
+@@ -640,13 +644,20 @@ static int dcp_chan_thread_sha(void *dat
+ struct ahash_request *req;
+ int ret, fini;
+
+- do {
+- __set_current_state(TASK_INTERRUPTIBLE);
++ while (!kthread_should_stop()) {
++ set_current_state(TASK_INTERRUPTIBLE);
+
+- mutex_lock(&sdcp->mutex[chan]);
++ spin_lock(&sdcp->lock[chan]);
+ backlog = crypto_get_backlog(&sdcp->queue[chan]);
+ arq = crypto_dequeue_request(&sdcp->queue[chan]);
+- mutex_unlock(&sdcp->mutex[chan]);
++ spin_unlock(&sdcp->lock[chan]);
++
++ if (!backlog && !arq) {
++ schedule();
++ continue;
++ }
++
++ set_current_state(TASK_RUNNING);
+
+ if (backlog)
+ backlog->complete(backlog, -EINPROGRESS);
+@@ -658,12 +669,8 @@ static int dcp_chan_thread_sha(void *dat
+ ret = dcp_sha_req_to_buf(arq);
+ fini = rctx->fini;
+ arq->complete(arq, ret);
+- if (!fini)
+- continue;
+ }
+-
+- schedule();
+- } while (!kthread_should_stop());
++ }
+
+ return 0;
+ }
+@@ -721,9 +728,9 @@ static int dcp_sha_update_fx(struct ahas
+ rctx->init = 1;
+ }
+
+- mutex_lock(&sdcp->mutex[actx->chan]);
++ spin_lock(&sdcp->lock[actx->chan]);
+ ret = crypto_enqueue_request(&sdcp->queue[actx->chan], &req->base);
+- mutex_unlock(&sdcp->mutex[actx->chan]);
++ spin_unlock(&sdcp->lock[actx->chan]);
+
+ wake_up_process(sdcp->thread[actx->chan]);
+ mutex_unlock(&actx->mutex);
+@@ -997,7 +1004,7 @@ static int mxs_dcp_probe(struct platform
+ platform_set_drvdata(pdev, sdcp);
+
+ for (i = 0; i < DCP_MAX_CHANS; i++) {
+- mutex_init(&sdcp->mutex[i]);
++ spin_lock_init(&sdcp->lock[i]);
+ init_completion(&sdcp->completion[i]);
+ crypto_init_queue(&sdcp->queue[i], 50);
+ }
--- /dev/null
+From ba439a6cbfa2936a6713f64cb499de7943673fe3 Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Sat, 22 Sep 2018 20:41:55 -0400
+Subject: crypto: qat - Fix KASAN stack-out-of-bounds bug in adf_probe()
+
+From: Waiman Long <longman@redhat.com>
+
+commit ba439a6cbfa2936a6713f64cb499de7943673fe3 upstream.
+
+The following KASAN warning was printed when booting a 64-bit kernel
+on some systems with Intel CPUs:
+
+[ 44.512826] ==================================================================
+[ 44.520165] BUG: KASAN: stack-out-of-bounds in find_first_bit+0xb0/0xc0
+[ 44.526786] Read of size 8 at addr ffff88041e02fc50 by task kworker/0:2/124
+
+[ 44.535253] CPU: 0 PID: 124 Comm: kworker/0:2 Tainted: G X --------- --- 4.18.0-12.el8.x86_64+debug #1
+[ 44.545858] Hardware name: Intel Corporation PURLEY/PURLEY, BIOS BKVDTRL1.86B.0005.D08.1712070559 12/07/2017
+[ 44.555682] Workqueue: events work_for_cpu_fn
+[ 44.560043] Call Trace:
+[ 44.562502] dump_stack+0x9a/0xe9
+[ 44.565832] print_address_description+0x65/0x22e
+[ 44.570683] ? find_first_bit+0xb0/0xc0
+[ 44.570689] kasan_report.cold.6+0x92/0x19f
+[ 44.578726] find_first_bit+0xb0/0xc0
+[ 44.578737] adf_probe+0x9eb/0x19a0 [qat_c62x]
+[ 44.578751] ? adf_remove+0x110/0x110 [qat_c62x]
+[ 44.591490] ? mark_held_locks+0xc8/0x140
+[ 44.591498] ? _raw_spin_unlock+0x30/0x30
+[ 44.591505] ? trace_hardirqs_on_caller+0x381/0x570
+[ 44.604418] ? adf_remove+0x110/0x110 [qat_c62x]
+[ 44.604427] local_pci_probe+0xd4/0x180
+[ 44.604432] ? pci_device_shutdown+0x110/0x110
+[ 44.617386] work_for_cpu_fn+0x51/0xa0
+[ 44.621145] process_one_work+0x8fe/0x16e0
+[ 44.625263] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
+[ 44.629799] ? lock_acquire+0x14c/0x400
+[ 44.633645] ? move_linked_works+0x12e/0x2a0
+[ 44.637928] worker_thread+0x536/0xb50
+[ 44.641690] ? __kthread_parkme+0xb6/0x180
+[ 44.645796] ? process_one_work+0x16e0/0x16e0
+[ 44.650160] kthread+0x30c/0x3d0
+[ 44.653400] ? kthread_create_worker_on_cpu+0xc0/0xc0
+[ 44.658457] ret_from_fork+0x3a/0x50
+
+[ 44.663557] The buggy address belongs to the page:
+[ 44.668350] page:ffffea0010780bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
+[ 44.676356] flags: 0x17ffffc0000000()
+[ 44.680023] raw: 0017ffffc0000000 ffffea0010780bc8 ffffea0010780bc8 0000000000000000
+[ 44.687769] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+[ 44.695510] page dumped because: kasan: bad access detected
+
+[ 44.702578] Memory state around the buggy address:
+[ 44.707372] ffff88041e02fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 44.714593] ffff88041e02fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 44.721810] >ffff88041e02fc00: 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2
+[ 44.729028] ^
+[ 44.734864] ffff88041e02fc80: f2 f2 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
+[ 44.742082] ffff88041e02fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 44.749299] ==================================================================
+
+Looking into the code:
+
+ int ret, bar_mask;
+ :
+ for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask,
+
+It is casting a 32-bit integer pointer to a 64-bit unsigned long
+pointer. There are two problems here. First, the 32-bit pointer address
+may not be 64-bit aligned. Secondly, it is accessing an extra 4 bytes.
+
+This is fixed by changing the bar_mask type to unsigned long.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/qat/qat_c3xxx/adf_drv.c | 6 +++---
+ drivers/crypto/qat/qat_c3xxxvf/adf_drv.c | 6 +++---
+ drivers/crypto/qat/qat_c62x/adf_drv.c | 6 +++---
+ drivers/crypto/qat/qat_c62xvf/adf_drv.c | 6 +++---
+ drivers/crypto/qat/qat_dh895xcc/adf_drv.c | 6 +++---
+ drivers/crypto/qat/qat_dh895xccvf/adf_drv.c | 6 +++---
+ 6 files changed, 18 insertions(+), 18 deletions(-)
+
+--- a/drivers/crypto/qat/qat_c3xxx/adf_drv.c
++++ b/drivers/crypto/qat/qat_c3xxx/adf_drv.c
+@@ -123,7 +123,8 @@ static int adf_probe(struct pci_dev *pde
+ struct adf_hw_device_data *hw_data;
+ char name[ADF_DEVICE_NAME_LENGTH];
+ unsigned int i, bar_nr;
+- int ret, bar_mask;
++ unsigned long bar_mask;
++ int ret;
+
+ switch (ent->device) {
+ case ADF_C3XXX_PCI_DEVICE_ID:
+@@ -235,8 +236,7 @@ static int adf_probe(struct pci_dev *pde
+ /* Find and map all the device's BARS */
+ i = 0;
+ bar_mask = pci_select_bars(pdev, IORESOURCE_MEM);
+- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask,
+- ADF_PCI_MAX_BARS * 2) {
++ for_each_set_bit(bar_nr, &bar_mask, ADF_PCI_MAX_BARS * 2) {
+ struct adf_bar *bar = &accel_pci_dev->pci_bars[i++];
+
+ bar->base_addr = pci_resource_start(pdev, bar_nr);
+--- a/drivers/crypto/qat/qat_c3xxxvf/adf_drv.c
++++ b/drivers/crypto/qat/qat_c3xxxvf/adf_drv.c
+@@ -125,7 +125,8 @@ static int adf_probe(struct pci_dev *pde
+ struct adf_hw_device_data *hw_data;
+ char name[ADF_DEVICE_NAME_LENGTH];
+ unsigned int i, bar_nr;
+- int ret, bar_mask;
++ unsigned long bar_mask;
++ int ret;
+
+ switch (ent->device) {
+ case ADF_C3XXXIOV_PCI_DEVICE_ID:
+@@ -215,8 +216,7 @@ static int adf_probe(struct pci_dev *pde
+ /* Find and map all the device's BARS */
+ i = 0;
+ bar_mask = pci_select_bars(pdev, IORESOURCE_MEM);
+- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask,
+- ADF_PCI_MAX_BARS * 2) {
++ for_each_set_bit(bar_nr, &bar_mask, ADF_PCI_MAX_BARS * 2) {
+ struct adf_bar *bar = &accel_pci_dev->pci_bars[i++];
+
+ bar->base_addr = pci_resource_start(pdev, bar_nr);
+--- a/drivers/crypto/qat/qat_c62x/adf_drv.c
++++ b/drivers/crypto/qat/qat_c62x/adf_drv.c
+@@ -123,7 +123,8 @@ static int adf_probe(struct pci_dev *pde
+ struct adf_hw_device_data *hw_data;
+ char name[ADF_DEVICE_NAME_LENGTH];
+ unsigned int i, bar_nr;
+- int ret, bar_mask;
++ unsigned long bar_mask;
++ int ret;
+
+ switch (ent->device) {
+ case ADF_C62X_PCI_DEVICE_ID:
+@@ -235,8 +236,7 @@ static int adf_probe(struct pci_dev *pde
+ /* Find and map all the device's BARS */
+ i = (hw_data->fuses & ADF_DEVICE_FUSECTL_MASK) ? 1 : 0;
+ bar_mask = pci_select_bars(pdev, IORESOURCE_MEM);
+- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask,
+- ADF_PCI_MAX_BARS * 2) {
++ for_each_set_bit(bar_nr, &bar_mask, ADF_PCI_MAX_BARS * 2) {
+ struct adf_bar *bar = &accel_pci_dev->pci_bars[i++];
+
+ bar->base_addr = pci_resource_start(pdev, bar_nr);
+--- a/drivers/crypto/qat/qat_c62xvf/adf_drv.c
++++ b/drivers/crypto/qat/qat_c62xvf/adf_drv.c
+@@ -125,7 +125,8 @@ static int adf_probe(struct pci_dev *pde
+ struct adf_hw_device_data *hw_data;
+ char name[ADF_DEVICE_NAME_LENGTH];
+ unsigned int i, bar_nr;
+- int ret, bar_mask;
++ unsigned long bar_mask;
++ int ret;
+
+ switch (ent->device) {
+ case ADF_C62XIOV_PCI_DEVICE_ID:
+@@ -215,8 +216,7 @@ static int adf_probe(struct pci_dev *pde
+ /* Find and map all the device's BARS */
+ i = 0;
+ bar_mask = pci_select_bars(pdev, IORESOURCE_MEM);
+- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask,
+- ADF_PCI_MAX_BARS * 2) {
++ for_each_set_bit(bar_nr, &bar_mask, ADF_PCI_MAX_BARS * 2) {
+ struct adf_bar *bar = &accel_pci_dev->pci_bars[i++];
+
+ bar->base_addr = pci_resource_start(pdev, bar_nr);
+--- a/drivers/crypto/qat/qat_dh895xcc/adf_drv.c
++++ b/drivers/crypto/qat/qat_dh895xcc/adf_drv.c
+@@ -123,7 +123,8 @@ static int adf_probe(struct pci_dev *pde
+ struct adf_hw_device_data *hw_data;
+ char name[ADF_DEVICE_NAME_LENGTH];
+ unsigned int i, bar_nr;
+- int ret, bar_mask;
++ unsigned long bar_mask;
++ int ret;
+
+ switch (ent->device) {
+ case ADF_DH895XCC_PCI_DEVICE_ID:
+@@ -237,8 +238,7 @@ static int adf_probe(struct pci_dev *pde
+ /* Find and map all the device's BARS */
+ i = 0;
+ bar_mask = pci_select_bars(pdev, IORESOURCE_MEM);
+- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask,
+- ADF_PCI_MAX_BARS * 2) {
++ for_each_set_bit(bar_nr, &bar_mask, ADF_PCI_MAX_BARS * 2) {
+ struct adf_bar *bar = &accel_pci_dev->pci_bars[i++];
+
+ bar->base_addr = pci_resource_start(pdev, bar_nr);
+--- a/drivers/crypto/qat/qat_dh895xccvf/adf_drv.c
++++ b/drivers/crypto/qat/qat_dh895xccvf/adf_drv.c
+@@ -125,7 +125,8 @@ static int adf_probe(struct pci_dev *pde
+ struct adf_hw_device_data *hw_data;
+ char name[ADF_DEVICE_NAME_LENGTH];
+ unsigned int i, bar_nr;
+- int ret, bar_mask;
++ unsigned long bar_mask;
++ int ret;
+
+ switch (ent->device) {
+ case ADF_DH895XCCIOV_PCI_DEVICE_ID:
+@@ -215,8 +216,7 @@ static int adf_probe(struct pci_dev *pde
+ /* Find and map all the device's BARS */
+ i = 0;
+ bar_mask = pci_select_bars(pdev, IORESOURCE_MEM);
+- for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask,
+- ADF_PCI_MAX_BARS * 2) {
++ for_each_set_bit(bar_nr, &bar_mask, ADF_PCI_MAX_BARS * 2) {
+ struct adf_bar *bar = &accel_pci_dev->pci_bars[i++];
+
+ bar->base_addr = pci_resource_start(pdev, bar_nr);
--- /dev/null
+From 41e270f6898e7502be9fd6920ee0a108ca259d36 Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Mon, 17 Sep 2018 04:14:54 +0000
+Subject: Drivers: hv: vmbus: Use get/put_cpu() in vmbus_connect()
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 41e270f6898e7502be9fd6920ee0a108ca259d36 upstream.
+
+With CONFIG_DEBUG_PREEMPT=y, I always see this warning:
+BUG: using smp_processor_id() in preemptible [00000000]
+
+Fix the false warning by using get/put_cpu().
+
+Here vmbus_connect() sends a message to the host and waits for the
+host's response. The host will deliver the response message and an
+interrupt on CPU msg->target_vcpu, and later the interrupt handler
+will wake up vmbus_connect(). vmbus_connect() doesn't really have
+to run on the same cpu as CPU msg->target_vcpu, so it's safe to
+call put_cpu() just here.
+
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Cc: stable@vger.kernel.org
+Cc: K. Y. Srinivasan <kys@microsoft.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/connection.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/hv/connection.c
++++ b/drivers/hv/connection.c
+@@ -76,6 +76,7 @@ static int vmbus_negotiate_version(struc
+ __u32 version)
+ {
+ int ret = 0;
++ unsigned int cur_cpu;
+ struct vmbus_channel_initiate_contact *msg;
+ unsigned long flags;
+
+@@ -118,9 +119,10 @@ static int vmbus_negotiate_version(struc
+ * the CPU attempting to connect may not be CPU 0.
+ */
+ if (version >= VERSION_WIN8_1) {
+- msg->target_vcpu =
+- hv_cpu_number_to_vp_number(smp_processor_id());
+- vmbus_connection.connect_cpu = smp_processor_id();
++ cur_cpu = get_cpu();
++ msg->target_vcpu = hv_cpu_number_to_vp_number(cur_cpu);
++ vmbus_connection.connect_cpu = cur_cpu;
++ put_cpu();
+ } else {
+ msg->target_vcpu = 0;
+ vmbus_connection.connect_cpu = 0;
--- /dev/null
+From 7012040576c6ae25a47035659ee48673612c2c27 Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+Date: Wed, 19 Sep 2018 18:09:38 -0700
+Subject: firmware: Always initialize the fw_priv list object
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+commit 7012040576c6ae25a47035659ee48673612c2c27 upstream.
+
+When freeing the fw_priv the item is taken off the list. This causes an
+oops in the FW_OPT_NOCACHE case as the list object is not initialized.
+
+Make sure to initialize the list object regardless of this flag.
+
+Fixes: 422b3db2a503 ("firmware: Fix security issue with request_firmware_into_buf()")
+Cc: stable@vger.kernel.org
+Cc: Rishabh Bhatnagar <rishabhb@codeaurora.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/firmware_loader/main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/firmware_loader/main.c
++++ b/drivers/base/firmware_loader/main.c
+@@ -226,8 +226,11 @@ static int alloc_lookup_fw_priv(const ch
+ }
+
+ tmp = __allocate_fw_priv(fw_name, fwc, dbuf, size);
+- if (tmp && !(opt_flags & FW_OPT_NOCACHE))
+- list_add(&tmp->list, &fwc->head);
++ if (tmp) {
++ INIT_LIST_HEAD(&tmp->list);
++ if (!(opt_flags & FW_OPT_NOCACHE))
++ list_add(&tmp->list, &fwc->head);
++ }
+ spin_unlock(&fwc->lock);
+
+ *fw_priv = tmp;
--- /dev/null
+From 422b3db2a5036add39a82425b1dd9fb6c96481e8 Mon Sep 17 00:00:00 2001
+From: Rishabh Bhatnagar <rishabhb@codeaurora.org>
+Date: Fri, 31 Aug 2018 08:43:31 -0700
+Subject: firmware: Fix security issue with request_firmware_into_buf()
+
+From: Rishabh Bhatnagar <rishabhb@codeaurora.org>
+
+commit 422b3db2a5036add39a82425b1dd9fb6c96481e8 upstream.
+
+When calling request_firmware_into_buf() with the FW_OPT_NOCACHE flag
+it is expected that firmware is loaded into buffer from memory.
+But inside alloc_lookup_fw_priv every new firmware that is loaded is
+added to the firmware cache (fwc) list head. So if any driver requests
+a firmware that is already loaded the code iterates over the above
+mentioned list and it can end up giving a pointer to other device driver's
+firmware buffer.
+Also the existing copy may either be modified by drivers, remote processors
+or even freed. This causes a potential security issue with batched requests
+when using request_firmware_into_buf.
+
+Fix alloc_lookup_fw_priv to not add to the fwc head list if FW_OPT_NOCACHE
+is set, and also don't do the lookup in the list.
+
+Fixes: 0e742e9275 ("firmware: provide infrastructure to make fw caching optional")
+[mcgrof: broken since feature introduction on v4.8]
+
+Cc: stable@vger.kernel.org # v4.8+
+Signed-off-by: Vikram Mulukutla <markivx@codeaurora.org>
+Signed-off-by: Rishabh Bhatnagar <rishabhb@codeaurora.org>
+Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/firmware_loader/main.c | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+--- a/drivers/base/firmware_loader/main.c
++++ b/drivers/base/firmware_loader/main.c
+@@ -209,21 +209,24 @@ static struct fw_priv *__lookup_fw_priv(
+ static int alloc_lookup_fw_priv(const char *fw_name,
+ struct firmware_cache *fwc,
+ struct fw_priv **fw_priv, void *dbuf,
+- size_t size)
++ size_t size, enum fw_opt opt_flags)
+ {
+ struct fw_priv *tmp;
+
+ spin_lock(&fwc->lock);
+- tmp = __lookup_fw_priv(fw_name);
+- if (tmp) {
+- kref_get(&tmp->ref);
+- spin_unlock(&fwc->lock);
+- *fw_priv = tmp;
+- pr_debug("batched request - sharing the same struct fw_priv and lookup for multiple requests\n");
+- return 1;
++ if (!(opt_flags & FW_OPT_NOCACHE)) {
++ tmp = __lookup_fw_priv(fw_name);
++ if (tmp) {
++ kref_get(&tmp->ref);
++ spin_unlock(&fwc->lock);
++ *fw_priv = tmp;
++ pr_debug("batched request - sharing the same struct fw_priv and lookup for multiple requests\n");
++ return 1;
++ }
+ }
++
+ tmp = __allocate_fw_priv(fw_name, fwc, dbuf, size);
+- if (tmp)
++ if (tmp && !(opt_flags & FW_OPT_NOCACHE))
+ list_add(&tmp->list, &fwc->head);
+ spin_unlock(&fwc->lock);
+
+@@ -493,7 +496,8 @@ int assign_fw(struct firmware *fw, struc
+ */
+ static int
+ _request_firmware_prepare(struct firmware **firmware_p, const char *name,
+- struct device *device, void *dbuf, size_t size)
++ struct device *device, void *dbuf, size_t size,
++ enum fw_opt opt_flags)
+ {
+ struct firmware *firmware;
+ struct fw_priv *fw_priv;
+@@ -511,7 +515,8 @@ _request_firmware_prepare(struct firmwar
+ return 0; /* assigned */
+ }
+
+- ret = alloc_lookup_fw_priv(name, &fw_cache, &fw_priv, dbuf, size);
++ ret = alloc_lookup_fw_priv(name, &fw_cache, &fw_priv, dbuf, size,
++ opt_flags);
+
+ /*
+ * bind with 'priv' now to avoid warning in failure path
+@@ -571,7 +576,8 @@ _request_firmware(const struct firmware
+ goto out;
+ }
+
+- ret = _request_firmware_prepare(&fw, name, device, buf, size);
++ ret = _request_firmware_prepare(&fw, name, device, buf, size,
++ opt_flags);
+ if (ret <= 0) /* error or already assigned */
+ goto out;
+
--- /dev/null
+From 19a4fbffc94e41abaa2a623a25ce2641d69eccf0 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
+Date: Thu, 13 Sep 2018 15:37:04 +0200
+Subject: gpiolib: Free the last requested descriptor
+
+From: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
+
+commit 19a4fbffc94e41abaa2a623a25ce2641d69eccf0 upstream.
+
+The current code only frees N-1 gpios if an error occurs during
+gpiod_set_transitory, gpiod_direction_output or gpiod_direction_input.
+Leading to gpios that cannot be used by userspace nor other drivers.
+
+Cc: Timur Tabi <timur@codeaurora.org>
+Cc: stable@vger.kernel.org
+Fixes: ab3dbcf78f60f46d ("gpioib: do not free unrequested descriptors)
+Reported-by: Jan Lorenzen <jl@newtec.dk>
+Reported-by: Jim Paris <jim@jtan.com>
+Signed-off-by: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -565,7 +565,7 @@ static int linehandle_create(struct gpio
+ if (ret)
+ goto out_free_descs;
+ lh->descs[i] = desc;
+- count = i;
++ count = i + 1;
+
+ if (lflags & GPIOHANDLE_REQUEST_ACTIVE_LOW)
+ set_bit(FLAG_ACTIVE_LOW, &desc->flags);
--- /dev/null
+From 807588ac92018bde88a1958f546438e840eb0158 Mon Sep 17 00:00:00 2001
+From: Anisse Astier <anisse@astier.eu>
+Date: Wed, 12 Sep 2018 15:07:05 +0200
+Subject: HID: i2c-hid: disable runtime PM operations on hantick touchpad
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Anisse Astier <anisse@astier.eu>
+
+commit 807588ac92018bde88a1958f546438e840eb0158 upstream.
+
+This hantick HTIX5288 touchpad can quickly fall in a wrong state if
+there are too many open/close operations. This will either make it stop
+reporting any input, or will shift all the input reads by a few bytes,
+making it impossible to decode.
+
+Here, we never release the probed touchpad runtime pm while the driver
+is loaded, which should disable all runtime pm suspend/resumes.
+
+This fast repetition of sleep/wakeup is also more likely to happen when
+using runtime PM, which is why the quirk is done there, and not for all
+power downs, which would include suspend or module removal.
+
+Signed-off-by: Anisse Astier <anisse@astier.eu>
+Cc: stable@vger.kernel.org
+Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Tested-by: Philip Müller <philm@manjaro.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/i2c-hid/i2c-hid.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/i2c-hid/i2c-hid.c
++++ b/drivers/hid/i2c-hid/i2c-hid.c
+@@ -48,6 +48,7 @@
+ #define I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV BIT(0)
+ #define I2C_HID_QUIRK_NO_IRQ_AFTER_RESET BIT(1)
+ #define I2C_HID_QUIRK_RESEND_REPORT_DESCR BIT(2)
++#define I2C_HID_QUIRK_NO_RUNTIME_PM BIT(3)
+
+ /* flags */
+ #define I2C_HID_STARTED 0
+@@ -169,7 +170,8 @@ static const struct i2c_hid_quirks {
+ { USB_VENDOR_ID_WEIDA, USB_DEVICE_ID_WEIDA_8755,
+ I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV },
+ { I2C_VENDOR_ID_HANTICK, I2C_PRODUCT_ID_HANTICK_5288,
+- I2C_HID_QUIRK_NO_IRQ_AFTER_RESET },
++ I2C_HID_QUIRK_NO_IRQ_AFTER_RESET |
++ I2C_HID_QUIRK_NO_RUNTIME_PM },
+ { USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS10FB_TOUCH,
+ I2C_HID_QUIRK_RESEND_REPORT_DESCR },
+ { 0, 0 }
+@@ -1106,7 +1108,9 @@ static int i2c_hid_probe(struct i2c_clie
+ goto err_mem_free;
+ }
+
+- pm_runtime_put(&client->dev);
++ if (!(ihid->quirks & I2C_HID_QUIRK_NO_RUNTIME_PM))
++ pm_runtime_put(&client->dev);
++
+ return 0;
+
+ err_mem_free:
+@@ -1132,7 +1136,8 @@ static int i2c_hid_remove(struct i2c_cli
+ struct i2c_hid *ihid = i2c_get_clientdata(client);
+ struct hid_device *hid;
+
+- pm_runtime_get_sync(&client->dev);
++ if (!(ihid->quirks & I2C_HID_QUIRK_NO_RUNTIME_PM))
++ pm_runtime_get_sync(&client->dev);
+ pm_runtime_disable(&client->dev);
+ pm_runtime_set_suspended(&client->dev);
+ pm_runtime_put_noidle(&client->dev);
--- /dev/null
+From b3e9b515b08e407ab3a026dc2e4d935c48d05f69 Mon Sep 17 00:00:00 2001
+From: "Singh, Brijesh" <brijesh.singh@amd.com>
+Date: Thu, 4 Oct 2018 21:40:23 +0000
+Subject: iommu/amd: Clear memory encryption mask from physical address
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Singh, Brijesh <brijesh.singh@amd.com>
+
+commit b3e9b515b08e407ab3a026dc2e4d935c48d05f69 upstream.
+
+Boris Ostrovsky reported a memory leak with device passthrough when SME
+is active.
+
+The VFIO driver uses iommu_iova_to_phys() to get the physical address for
+an iova. This physical address is later passed into vfio_unmap_unpin() to
+unpin the memory. The vfio_unmap_unpin() uses pfn_valid() before unpinning
+the memory. The pfn_valid() check was failing because encryption mask was
+part of the physical address returned. This resulted in the memory not
+being unpinned and therefore leaked after the guest terminates.
+
+The memory encryption mask must be cleared from the physical address in
+iommu_iova_to_phys().
+
+Fixes: 2543a786aa25 ("iommu/amd: Allow the AMD IOMMU to work with memory encryption")
+Reported-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: Joerg Roedel <joro@8bytes.org>
+Cc: <iommu@lists.linux-foundation.org>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: kvm@vger.kernel.org
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: <stable@vger.kernel.org> # 4.14+
+Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/amd_iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -3073,7 +3073,7 @@ static phys_addr_t amd_iommu_iova_to_phy
+ return 0;
+
+ offset_mask = pte_pgsize - 1;
+- __pte = *pte & PM_ADDR_MASK;
++ __pte = __sme_clr(*pte & PM_ADDR_MASK);
+
+ return (__pte & ~offset_mask) | (iova & offset_mask);
+ }
--- /dev/null
+From 4233cfe6ec4683497d7318f55ce7617e97f2e610 Mon Sep 17 00:00:00 2001
+From: Song Liu <songliubraving@fb.com>
+Date: Wed, 3 Oct 2018 11:30:35 -0700
+Subject: ixgbe: check return value of napi_complete_done()
+
+From: Song Liu <songliubraving@fb.com>
+
+commit 4233cfe6ec4683497d7318f55ce7617e97f2e610 upstream.
+
+The NIC driver should only enable interrupts when napi_complete_done()
+returns true. This patch adds the check for ixgbe.
+
+Cc: stable@vger.kernel.org # 4.10+
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -3196,11 +3196,13 @@ int ixgbe_poll(struct napi_struct *napi,
+ return budget;
+
+ /* all work done, exit the polling mode */
+- napi_complete_done(napi, work_done);
+- if (adapter->rx_itr_setting & 1)
+- ixgbe_set_itr(q_vector);
+- if (!test_bit(__IXGBE_DOWN, &adapter->state))
+- ixgbe_irq_enable_queues(adapter, BIT_ULL(q_vector->v_idx));
++ if (likely(napi_complete_done(napi, work_done))) {
++ if (adapter->rx_itr_setting & 1)
++ ixgbe_set_itr(q_vector);
++ if (!test_bit(__IXGBE_DOWN, &adapter->state))
++ ixgbe_irq_enable_queues(adapter,
++ BIT_ULL(q_vector->v_idx));
++ }
+
+ return min(work_done, budget - 1);
+ }
--- /dev/null
+From c2b6d621c4ffe9936adf7a55c8b1c769672c306f Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 28 Jun 2018 15:53:17 -0400
+Subject: new primitive: discard_new_inode()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit c2b6d621c4ffe9936adf7a55c8b1c769672c306f upstream.
+
+ We don't want open-by-handle picking half-set-up in-core
+struct inode from e.g. mkdir() having failed halfway through.
+In other words, we don't want such inodes returned by iget_locked()
+on their way to extinction. However, we can't just have them
+unhashed - otherwise open-by-handle immediately *after* that would've
+ended up creating a new in-core inode over the on-disk one that
+is in process of being freed right under us.
+
+ Solution: new flag (I_CREATING) set by insert_inode_locked() and
+removed by unlock_new_inode() and a new primitive (discard_new_inode())
+to be used by such halfway-through-setup failure exits instead of
+unlock_new_inode() / iput() combinations. That primitive unlocks new
+inode, but leaves I_CREATING in place.
+
+ iget_locked() treats finding an I_CREATING inode as failure
+(-ESTALE, once we sort out the error propagation).
+ insert_inode_locked() treats the same as instant -EBUSY.
+ ilookup() treats those as icache miss.
+
+[Fix by Dan Carpenter <dan.carpenter@oracle.com> folded in]
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Miklos Szeredi <mszeredi@redhat.com>
+Cc: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dcache.c | 2 +-
+ fs/inode.c | 45 +++++++++++++++++++++++++++++++++++++++++----
+ include/linux/fs.h | 6 +++++-
+ 3 files changed, 47 insertions(+), 6 deletions(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -1890,7 +1890,7 @@ void d_instantiate_new(struct dentry *en
+ spin_lock(&inode->i_lock);
+ __d_instantiate(entry, inode);
+ WARN_ON(!(inode->i_state & I_NEW));
+- inode->i_state &= ~I_NEW;
++ inode->i_state &= ~I_NEW & ~I_CREATING;
+ smp_mb();
+ wake_up_bit(&inode->i_state, __I_NEW);
+ spin_unlock(&inode->i_lock);
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -804,6 +804,10 @@ repeat:
+ __wait_on_freeing_inode(inode);
+ goto repeat;
+ }
++ if (unlikely(inode->i_state & I_CREATING)) {
++ spin_unlock(&inode->i_lock);
++ return ERR_PTR(-ESTALE);
++ }
+ __iget(inode);
+ spin_unlock(&inode->i_lock);
+ return inode;
+@@ -831,6 +835,10 @@ repeat:
+ __wait_on_freeing_inode(inode);
+ goto repeat;
+ }
++ if (unlikely(inode->i_state & I_CREATING)) {
++ spin_unlock(&inode->i_lock);
++ return ERR_PTR(-ESTALE);
++ }
+ __iget(inode);
+ spin_unlock(&inode->i_lock);
+ return inode;
+@@ -961,13 +969,26 @@ void unlock_new_inode(struct inode *inod
+ lockdep_annotate_inode_mutex_key(inode);
+ spin_lock(&inode->i_lock);
+ WARN_ON(!(inode->i_state & I_NEW));
+- inode->i_state &= ~I_NEW;
++ inode->i_state &= ~I_NEW & ~I_CREATING;
+ smp_mb();
+ wake_up_bit(&inode->i_state, __I_NEW);
+ spin_unlock(&inode->i_lock);
+ }
+ EXPORT_SYMBOL(unlock_new_inode);
+
++void discard_new_inode(struct inode *inode)
++{
++ lockdep_annotate_inode_mutex_key(inode);
++ spin_lock(&inode->i_lock);
++ WARN_ON(!(inode->i_state & I_NEW));
++ inode->i_state &= ~I_NEW;
++ smp_mb();
++ wake_up_bit(&inode->i_state, __I_NEW);
++ spin_unlock(&inode->i_lock);
++ iput(inode);
++}
++EXPORT_SYMBOL(discard_new_inode);
++
+ /**
+ * lock_two_nondirectories - take two i_mutexes on non-directory objects
+ *
+@@ -1039,6 +1060,8 @@ again:
+ * Use the old inode instead of the preallocated one.
+ */
+ spin_unlock(&inode_hash_lock);
++ if (IS_ERR(old))
++ return NULL;
+ wait_on_inode(old);
+ if (unlikely(inode_unhashed(old))) {
+ iput(old);
+@@ -1128,6 +1151,8 @@ again:
+ inode = find_inode_fast(sb, head, ino);
+ spin_unlock(&inode_hash_lock);
+ if (inode) {
++ if (IS_ERR(inode))
++ return NULL;
+ wait_on_inode(inode);
+ if (unlikely(inode_unhashed(inode))) {
+ iput(inode);
+@@ -1165,6 +1190,8 @@ again:
+ */
+ spin_unlock(&inode_hash_lock);
+ destroy_inode(inode);
++ if (IS_ERR(old))
++ return NULL;
+ inode = old;
+ wait_on_inode(inode);
+ if (unlikely(inode_unhashed(inode))) {
+@@ -1282,7 +1309,7 @@ struct inode *ilookup5_nowait(struct sup
+ inode = find_inode(sb, head, test, data);
+ spin_unlock(&inode_hash_lock);
+
+- return inode;
++ return IS_ERR(inode) ? NULL : inode;
+ }
+ EXPORT_SYMBOL(ilookup5_nowait);
+
+@@ -1338,6 +1365,8 @@ again:
+ spin_unlock(&inode_hash_lock);
+
+ if (inode) {
++ if (IS_ERR(inode))
++ return NULL;
+ wait_on_inode(inode);
+ if (unlikely(inode_unhashed(inode))) {
+ iput(inode);
+@@ -1421,12 +1450,17 @@ int insert_inode_locked(struct inode *in
+ }
+ if (likely(!old)) {
+ spin_lock(&inode->i_lock);
+- inode->i_state |= I_NEW;
++ inode->i_state |= I_NEW | I_CREATING;
+ hlist_add_head(&inode->i_hash, head);
+ spin_unlock(&inode->i_lock);
+ spin_unlock(&inode_hash_lock);
+ return 0;
+ }
++ if (unlikely(old->i_state & I_CREATING)) {
++ spin_unlock(&old->i_lock);
++ spin_unlock(&inode_hash_lock);
++ return -EBUSY;
++ }
+ __iget(old);
+ spin_unlock(&old->i_lock);
+ spin_unlock(&inode_hash_lock);
+@@ -1443,7 +1477,10 @@ EXPORT_SYMBOL(insert_inode_locked);
+ int insert_inode_locked4(struct inode *inode, unsigned long hashval,
+ int (*test)(struct inode *, void *), void *data)
+ {
+- struct inode *old = inode_insert5(inode, hashval, test, NULL, data);
++ struct inode *old;
++
++ inode->i_state |= I_CREATING;
++ old = inode_insert5(inode, hashval, test, NULL, data);
+
+ if (old != inode) {
+ iput(old);
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -2014,6 +2014,8 @@ static inline void init_sync_kiocb(struc
+ * I_OVL_INUSE Used by overlayfs to get exclusive ownership on upper
+ * and work dirs among overlayfs mounts.
+ *
++ * I_CREATING New object's inode in the middle of setting up.
++ *
+ * Q: What is the difference between I_WILL_FREE and I_FREEING?
+ */
+ #define I_DIRTY_SYNC (1 << 0)
+@@ -2034,7 +2036,8 @@ static inline void init_sync_kiocb(struc
+ #define __I_DIRTY_TIME_EXPIRED 12
+ #define I_DIRTY_TIME_EXPIRED (1 << __I_DIRTY_TIME_EXPIRED)
+ #define I_WB_SWITCH (1 << 13)
+-#define I_OVL_INUSE (1 << 14)
++#define I_OVL_INUSE (1 << 14)
++#define I_CREATING (1 << 15)
+
+ #define I_DIRTY_INODE (I_DIRTY_SYNC | I_DIRTY_DATASYNC)
+ #define I_DIRTY (I_DIRTY_INODE | I_DIRTY_PAGES)
+@@ -2918,6 +2921,7 @@ extern void lockdep_annotate_inode_mutex
+ static inline void lockdep_annotate_inode_mutex_key(struct inode *inode) { };
+ #endif
+ extern void unlock_new_inode(struct inode *);
++extern void discard_new_inode(struct inode *);
+ extern unsigned int get_next_ino(void);
+ extern void evict_inodes(struct super_block *sb);
+
--- /dev/null
+From cbe355f57c8074bc4f452e5b6e35509044c6fa23 Mon Sep 17 00:00:00 2001
+From: Ashish Samant <ashish.samant@oracle.com>
+Date: Fri, 5 Oct 2018 15:52:15 -0700
+Subject: ocfs2: fix locking for res->tracking and dlm->tracking_list
+
+From: Ashish Samant <ashish.samant@oracle.com>
+
+commit cbe355f57c8074bc4f452e5b6e35509044c6fa23 upstream.
+
+In dlm_init_lockres() we access and modify res->tracking and
+dlm->tracking_list without holding dlm->track_lock. This can cause list
+corruptions and can end up in kernel panic.
+
+Fix this by locking res->tracking and dlm->tracking_list with
+dlm->track_lock instead of dlm->spinlock.
+
+Link: http://lkml.kernel.org/r/1529951192-4686-1-git-send-email-ashish.samant@oracle.com
+Signed-off-by: Ashish Samant <ashish.samant@oracle.com>
+Reviewed-by: Changwei Ge <ge.changwei@h3c.com>
+Acked-by: Joseph Qi <jiangqi903@gmail.com>
+Acked-by: Jun Piao <piaojun@huawei.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <ge.changwei@h3c.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/dlm/dlmmaster.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/dlm/dlmmaster.c
++++ b/fs/ocfs2/dlm/dlmmaster.c
+@@ -584,9 +584,9 @@ static void dlm_init_lockres(struct dlm_
+
+ res->last_used = 0;
+
+- spin_lock(&dlm->spinlock);
++ spin_lock(&dlm->track_lock);
+ list_add_tail(&res->tracking, &dlm->tracking_list);
+- spin_unlock(&dlm->spinlock);
++ spin_unlock(&dlm->track_lock);
+
+ memset(res->lvb, 0, DLM_LVB_LEN);
+ memset(res->refmap, 0, sizeof(res->refmap));
--- /dev/null
+From 601350ff58d5415a001769532f6b8333820e5786 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Fri, 28 Sep 2018 21:00:48 +0300
+Subject: ovl: fix access beyond unterminated strings
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 601350ff58d5415a001769532f6b8333820e5786 upstream.
+
+KASAN detected slab-out-of-bounds access in printk from overlayfs,
+because string format used %*s instead of %.*s.
+
+> BUG: KASAN: slab-out-of-bounds in string+0x298/0x2d0 lib/vsprintf.c:604
+> Read of size 1 at addr ffff8801c36c66ba by task syz-executor2/27811
+>
+> CPU: 0 PID: 27811 Comm: syz-executor2 Not tainted 4.19.0-rc5+ #36
+...
+> printk+0xa7/0xcf kernel/printk/printk.c:1996
+> ovl_lookup_index.cold.15+0xe8/0x1f8 fs/overlayfs/namei.c:689
+
+Reported-by: syzbot+376cea2b0ef340db3dd4@syzkaller.appspotmail.com
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 359f392ca53e ("ovl: lookup index entry for copy up origin")
+Cc: <stable@vger.kernel.org> # v4.13
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/overlayfs/namei.c
++++ b/fs/overlayfs/namei.c
+@@ -705,7 +705,7 @@ struct dentry *ovl_lookup_index(struct o
+ index = NULL;
+ goto out;
+ }
+- pr_warn_ratelimited("overlayfs: failed inode index lookup (ino=%lu, key=%*s, err=%i);\n"
++ pr_warn_ratelimited("overlayfs: failed inode index lookup (ino=%lu, key=%.*s, err=%i);\n"
+ "overlayfs: mount with '-o index=off' to disable inodes index.\n",
+ d_inode(origin)->i_ino, name.len, name.name,
+ err);
--- /dev/null
+From 1a8f8d2a443ef9ad9a3065ba8c8119df714240fa Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Thu, 4 Oct 2018 14:49:10 +0200
+Subject: ovl: fix format of setxattr debug
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 1a8f8d2a443ef9ad9a3065ba8c8119df714240fa upstream.
+
+Format has a typo: it was meant to be "%.*s", not "%*s". But at some point
+callers grew nonprintable values as well, so use "%*pE" instead with a
+maximized length.
+
+Reported-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 3a1e819b4e80 ("ovl: store file handle of lower inode on copy up")
+Cc: <stable@vger.kernel.org> # v4.12
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/overlayfs.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/overlayfs/overlayfs.h
++++ b/fs/overlayfs/overlayfs.h
+@@ -147,8 +147,8 @@ static inline int ovl_do_setxattr(struct
+ const void *value, size_t size, int flags)
+ {
+ int err = vfs_setxattr(dentry, name, value, size, flags);
+- pr_debug("setxattr(%pd2, \"%s\", \"%*s\", 0x%x) = %i\n",
+- dentry, name, (int) size, (char *) value, flags, err);
++ pr_debug("setxattr(%pd2, \"%s\", \"%*pE\", %zu, 0x%x) = %i\n",
++ dentry, name, min((int)size, 48), value, size, flags, err);
+ return err;
+ }
+
--- /dev/null
+From 63e132528032ce937126aba591a7b37ec593a6bb Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Tue, 18 Sep 2018 16:34:31 +0300
+Subject: ovl: fix memory leak on unlink of indexed file
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 63e132528032ce937126aba591a7b37ec593a6bb upstream.
+
+The memory leak was detected by kmemleak when running xfstests
+overlay/051,053
+
+Fixes: caf70cb2ba5d ("ovl: cleanup orphan index entries")
+Cc: <stable@vger.kernel.org> # v4.13
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/util.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/util.c
++++ b/fs/overlayfs/util.c
+@@ -531,7 +531,7 @@ static void ovl_cleanup_index(struct den
+ struct dentry *upperdentry = ovl_dentry_upper(dentry);
+ struct dentry *index = NULL;
+ struct inode *inode;
+- struct qstr name;
++ struct qstr name = { };
+ int err;
+
+ err = ovl_get_index_name(lowerdentry, &name);
+@@ -574,6 +574,7 @@ static void ovl_cleanup_index(struct den
+ goto fail;
+
+ out:
++ kfree(name.name);
+ dput(index);
+ return;
+
--- /dev/null
+From 6faf05c2b2b4fe70d9068067437649401531de0a Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <miklos@szeredi.hu>
+Date: Wed, 22 Aug 2018 10:55:22 +0200
+Subject: ovl: set I_CREATING on inode being created
+
+From: Miklos Szeredi <miklos@szeredi.hu>
+
+commit 6faf05c2b2b4fe70d9068067437649401531de0a upstream.
+
+...otherwise there will be list corruption due to inode_sb_list_add() being
+called for inode already on the sb list.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: e950564b97fd ("vfs: don't evict uninitialized inode")
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+To: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/dir.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -601,6 +601,10 @@ static int ovl_create_object(struct dent
+ if (!inode)
+ goto out_drop_write;
+
++ spin_lock(&inode->i_lock);
++ inode->i_state |= I_CREATING;
++ spin_unlock(&inode->i_lock);
++
+ inode_init_owner(inode, dentry->d_parent->d_inode, mode);
+ attr.mode = inode->i_mode;
+
--- /dev/null
+From f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 5 Oct 2018 15:51:58 -0700
+Subject: proc: restrict kernel stack dumps to root
+
+From: Jann Horn <jannh@google.com>
+
+commit f8a00cef17206ecd1b30d3d9f99e10d9fa707aa7 upstream.
+
+Currently, you can use /proc/self/task/*/stack to cause a stack walk on
+a task you control while it is running on another CPU. That means that
+the stack can change under the stack walker. The stack walker does
+have guards against going completely off the rails and into random
+kernel memory, but it can interpret random data from your kernel stack
+as instruction pointers and stack pointers. This can cause exposure of
+kernel stack contents to userspace.
+
+Restrict the ability to inspect kernel stacks of arbitrary tasks to root
+in order to prevent a local attacker from exploiting racy stack unwinding
+to leak kernel task stack contents. See the added comment for a longer
+rationale.
+
+There don't seem to be any users of this userspace API that can't
+gracefully bail out if reading from the file fails. Therefore, I believe
+that this change is unlikely to break things. In the case that this patch
+does end up needing a revert, the next-best solution might be to fake a
+single-entry stack based on wchan.
+
+Link: http://lkml.kernel.org/r/20180927153316.200286-1-jannh@google.com
+Fixes: 2ec220e27f50 ("proc: add /proc/*/stack")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Ken Chen <kenchen@google.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Laura Abbott <labbott@redhat.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/base.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -407,6 +407,20 @@ static int proc_pid_stack(struct seq_fil
+ unsigned long *entries;
+ int err;
+
++ /*
++ * The ability to racily run the kernel stack unwinder on a running task
++ * and then observe the unwinder output is scary; while it is useful for
++ * debugging kernel issues, it can also allow an attacker to leak kernel
++ * stack contents.
++ * Doing this in a manner that is at least safe from races would require
++ * some work to ensure that the remote task can not be scheduled; and
++ * even then, this would still expose the unwinder as local attack
++ * surface.
++ * Therefore, this interface is restricted to root.
++ */
++ if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN))
++ return -EACCES;
++
+ entries = kmalloc_array(MAX_STACK_TRACE_DEPTH, sizeof(*entries),
+ GFP_KERNEL);
+ if (!entries)
xen-avoid-crash-in-disable_hotplug_cpu.patch
xen-fix-gcc-warning-and-remove-duplicate-evtchn_row-evtchn_col-usage.patch
x86-apm-fix-build-warning-when-proc_fs-is-not-enabled.patch
+new-primitive-discard_new_inode.patch
+vfs-don-t-evict-uninitialized-inode.patch
+ovl-set-i_creating-on-inode-being-created.patch
+ovl-fix-access-beyond-unterminated-strings.patch
+ovl-fix-memory-leak-on-unlink-of-indexed-file.patch
+ovl-fix-format-of-setxattr-debug.patch
+sysfs-do-not-return-posix-acl-xattrs-via-listxattr.patch
+b43-fix-dma-error-related-regression-with-proprietary-firmware.patch
+firmware-fix-security-issue-with-request_firmware_into_buf.patch
+firmware-always-initialize-the-fw_priv-list-object.patch
+cpufreq-qcom-kryo-fix-section-annotations.patch
+smb2-fix-missing-files-in-root-share-directory-listing.patch
+iommu-amd-clear-memory-encryption-mask-from-physical-address.patch
+alsa-hda-realtek-cannot-adjust-speaker-s-volume-on-dell-xps-27-7760.patch
+crypto-qat-fix-kasan-stack-out-of-bounds-bug-in-adf_probe.patch
+crypto-chelsio-fix-memory-corruption-in-dma-mapped-buffers.patch
+crypto-mxs-dcp-fix-wait-logic-on-chan-threads.patch
+crypto-caam-jr-fix-ablkcipher_edesc-pointer-arithmetic.patch
+gpiolib-free-the-last-requested-descriptor.patch
+drivers-hv-vmbus-use-get-put_cpu-in-vmbus_connect.patch
+tools-hv-fcopy-set-error-in-case-an-unknown-operation-was-requested.patch
+proc-restrict-kernel-stack-dumps-to-root.patch
+ocfs2-fix-locking-for-res-tracking-and-dlm-tracking_list.patch
+hid-i2c-hid-disable-runtime-pm-operations-on-hantick-touchpad.patch
+ixgbe-check-return-value-of-napi_complete_done.patch
--- /dev/null
+From 0595751f267994c3c7027377058e4185b3a28e75 Mon Sep 17 00:00:00 2001
+From: Aurelien Aptel <aaptel@suse.com>
+Date: Thu, 17 May 2018 16:35:07 +0200
+Subject: smb2: fix missing files in root share directory listing
+
+From: Aurelien Aptel <aaptel@suse.com>
+
+commit 0595751f267994c3c7027377058e4185b3a28e75 upstream.
+
+When mounting a Windows share that is the root of a drive (eg. C$)
+the server does not return . and .. directory entries. This results in
+the smb2 code path erroneously skipping the 2 first entries.
+
+Pseudo-code of the readdir() code path:
+
+cifs_readdir(struct file, struct dir_context)
+ initiate_cifs_search <-- if no reponse cached yet
+ server->ops->query_dir_first
+
+ dir_emit_dots
+ dir_emit <-- adds "." and ".." if we're at pos=0
+
+ find_cifs_entry
+ initiate_cifs_search <-- if pos < start of current response
+ (restart search)
+ server->ops->query_dir_next <-- if pos > end of current response
+ (fetch next search res)
+
+ for(...) <-- loops over cur response entries
+ starting at pos
+ cifs_filldir <-- skip . and .., emit entry
+ cifs_fill_dirent
+ dir_emit
+ pos++
+
+A) dir_emit_dots() always adds . & ..
+ and sets the current dir pos to 2 (0 and 1 are done).
+
+Therefore we always want the index_to_find to be 2 regardless of if
+the response has . and ..
+
+B) smb1 code initializes index_of_last_entry with a +2 offset
+
+ in cifssmb.c CIFSFindFirst():
+ psrch_inf->index_of_last_entry = 2 /* skip . and .. */ +
+ psrch_inf->entries_in_buffer;
+
+Later in find_cifs_entry() we want to find the next dir entry at pos=2
+as a result of (A)
+
+ first_entry_in_buffer = cfile->srch_inf.index_of_last_entry -
+ cfile->srch_inf.entries_in_buffer;
+
+This var is the dir pos that the first entry in the buffer will
+have therefore it must be 2 in the first call.
+
+If we don't offset index_of_last_entry by 2 (like in (B)),
+first_entry_in_buffer=0 but we were instructed to get pos=2 so this
+code in find_cifs_entry() skips the 2 first which is ok for non-root
+shares, as it skips . and .. from the response but is not ok for root
+shares where the 2 first are actual files
+
+ pos_in_buf = index_to_find - first_entry_in_buffer;
+ // pos_in_buf=2
+ // we skip 2 first response entries :(
+ for (i = 0; (i < (pos_in_buf)) && (cur_ent != NULL); i++) {
+ /* go entry by entry figuring out which is first */
+ cur_ent = nxt_dir_entry(cur_ent, end_of_smb,
+ cfile->srch_inf.info_level);
+ }
+
+C) cifs_filldir() skips . and .. so we can safely ignore them for now.
+
+Sample program:
+
+int main(int argc, char **argv)
+{
+ const char *path = argc >= 2 ? argv[1] : ".";
+ DIR *dh;
+ struct dirent *de;
+
+ printf("listing path <%s>\n", path);
+ dh = opendir(path);
+ if (!dh) {
+ printf("opendir error %d\n", errno);
+ return 1;
+ }
+
+ while (1) {
+ de = readdir(dh);
+ if (!de) {
+ if (errno) {
+ printf("readdir error %d\n", errno);
+ return 1;
+ }
+ printf("end of listing\n");
+ break;
+ }
+ printf("off=%lu <%s>\n", de->d_off, de->d_name);
+ }
+
+ return 0;
+}
+
+Before the fix with SMB1 on root shares:
+
+<.> off=1
+<..> off=2
+<$Recycle.Bin> off=3
+<bootmgr> off=4
+
+and on non-root shares:
+
+<.> off=1
+<..> off=4 <-- after adding .., the offsets jumps to +2 because
+<2536> off=5 we skipped . and .. from response buffer (C)
+<411> off=6 but still incremented pos
+<file> off=7
+<fsx> off=8
+
+Therefore the fix for smb2 is to mimic smb1 behaviour and offset the
+index_of_last_entry by 2.
+
+Test results comparing smb1 and smb2 before/after the fix on root
+share, non-root shares and on large directories (ie. multi-response
+dir listing):
+
+PRE FIX
+=======
+pre-1-root VS pre-2-root:
+ ERR pre-2-root is missing [bootmgr, $Recycle.Bin]
+pre-1-nonroot VS pre-2-nonroot:
+ OK~ same files, same order, different offsets
+pre-1-nonroot-large VS pre-2-nonroot-large:
+ OK~ same files, same order, different offsets
+
+POST FIX
+========
+post-1-root VS post-2-root:
+ OK same files, same order, same offsets
+post-1-nonroot VS post-2-nonroot:
+ OK same files, same order, same offsets
+post-1-nonroot-large VS post-2-nonroot-large:
+ OK same files, same order, same offsets
+
+REGRESSION?
+===========
+pre-1-root VS post-1-root:
+ OK same files, same order, same offsets
+pre-1-nonroot VS post-1-nonroot:
+ OK same files, same order, same offsets
+
+BugLink: https://bugzilla.samba.org/show_bug.cgi?id=13107
+Signed-off-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Paulo Alcantara <palcantara@suse.deR>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1484,7 +1484,7 @@ smb2_query_dir_first(const unsigned int
+ }
+
+ srch_inf->entries_in_buffer = 0;
+- srch_inf->index_of_last_entry = 0;
++ srch_inf->index_of_last_entry = 2;
+
+ rc = SMB2_query_directory(xid, tcon, fid->persistent_fid,
+ fid->volatile_fid, 0, srch_inf);
--- /dev/null
+From ffc4c92227db5699493e43eb140b4cb5904c30ff Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Tue, 18 Sep 2018 00:36:36 -0400
+Subject: sysfs: Do not return POSIX ACL xattrs via listxattr
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit ffc4c92227db5699493e43eb140b4cb5904c30ff upstream.
+
+Commit 786534b92f3c introduced a regression that caused listxattr to
+return the POSIX ACL attribute names even though sysfs doesn't support
+POSIX ACLs. This happens because simple_xattr_list checks for NULL
+i_acl / i_default_acl, but inode_init_always initializes those fields
+to ACL_NOT_CACHED ((void *)-1). For example:
+ $ getfattr -m- -d /sys
+ /sys: system.posix_acl_access: Operation not supported
+ /sys: system.posix_acl_default: Operation not supported
+Fix this in simple_xattr_list by checking if the filesystem supports POSIX ACLs.
+
+Fixes: 786534b92f3c ("tmpfs: listxattr should include POSIX ACL xattrs")
+Reported-by: Marc Aurèle La France <tsi@tuyoix.net>
+Tested-by: Marc Aurèle La France <tsi@tuyoix.net>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Cc: stable@vger.kernel.org # v4.5+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xattr.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+--- a/fs/xattr.c
++++ b/fs/xattr.c
+@@ -949,17 +949,19 @@ ssize_t simple_xattr_list(struct inode *
+ int err = 0;
+
+ #ifdef CONFIG_FS_POSIX_ACL
+- if (inode->i_acl) {
+- err = xattr_list_one(&buffer, &remaining_size,
+- XATTR_NAME_POSIX_ACL_ACCESS);
+- if (err)
+- return err;
+- }
+- if (inode->i_default_acl) {
+- err = xattr_list_one(&buffer, &remaining_size,
+- XATTR_NAME_POSIX_ACL_DEFAULT);
+- if (err)
+- return err;
++ if (IS_POSIXACL(inode)) {
++ if (inode->i_acl) {
++ err = xattr_list_one(&buffer, &remaining_size,
++ XATTR_NAME_POSIX_ACL_ACCESS);
++ if (err)
++ return err;
++ }
++ if (inode->i_default_acl) {
++ err = xattr_list_one(&buffer, &remaining_size,
++ XATTR_NAME_POSIX_ACL_DEFAULT);
++ if (err)
++ return err;
++ }
+ }
+ #endif
+
--- /dev/null
+From c2d68afba86d1ff01e7300c68bc16a9234dcd8e9 Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Mon, 17 Sep 2018 04:14:55 +0000
+Subject: tools: hv: fcopy: set 'error' in case an unknown operation was requested
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+commit c2d68afba86d1ff01e7300c68bc16a9234dcd8e9 upstream.
+
+'error' variable is left uninitialized in case we see an unknown operation.
+As we don't immediately return and proceed to pwrite() we need to set it
+to something, HV_E_FAIL sounds good enough.
+
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/hv/hv_fcopy_daemon.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/hv/hv_fcopy_daemon.c
++++ b/tools/hv/hv_fcopy_daemon.c
+@@ -234,6 +234,7 @@ int main(int argc, char *argv[])
+ break;
+
+ default:
++ error = HV_E_FAIL;
+ syslog(LOG_ERR, "Unknown operation: %d",
+ buffer.hdr.operation);
+
--- /dev/null
+From e950564b97fd0f541b02eb207685d0746f5ecf29 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Tue, 24 Jul 2018 15:01:55 +0200
+Subject: vfs: don't evict uninitialized inode
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit e950564b97fd0f541b02eb207685d0746f5ecf29 upstream.
+
+iput() ends up calling ->evict() on new inode, which is not yet initialized
+by owning fs. So use destroy_inode() instead.
+
+Add to sb->s_inodes list only if inode is not in I_CREATING state (meaning
+that it wasn't allocated with new_inode(), which already does the
+insertion).
+
+Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 80ea09a002bf ("vfs: factor out inode_insert5()")
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/inode.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -1050,6 +1050,7 @@ struct inode *inode_insert5(struct inode
+ {
+ struct hlist_head *head = inode_hashtable + hash(inode->i_sb, hashval);
+ struct inode *old;
++ bool creating = inode->i_state & I_CREATING;
+
+ again:
+ spin_lock(&inode_hash_lock);
+@@ -1083,6 +1084,8 @@ again:
+ inode->i_state |= I_NEW;
+ hlist_add_head(&inode->i_hash, head);
+ spin_unlock(&inode->i_lock);
++ if (!creating)
++ inode_sb_list_add(inode);
+ unlock:
+ spin_unlock(&inode_hash_lock);
+
+@@ -1117,12 +1120,13 @@ struct inode *iget5_locked(struct super_
+ struct inode *inode = ilookup5(sb, hashval, test, data);
+
+ if (!inode) {
+- struct inode *new = new_inode(sb);
++ struct inode *new = alloc_inode(sb);
+
+ if (new) {
++ new->i_state = 0;
+ inode = inode_insert5(new, hashval, test, set, data);
+ if (unlikely(inode != new))
+- iput(new);
++ destroy_inode(new);
+ }
+ }
+ return inode;
projects / thirdparty / kernel / stable-queue.git / commitdiff
