--- /dev/null
+From 17df6453d4be17910456e99c5a85025aa1b7a246 Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Tue, 12 Sep 2017 10:47:53 +0200
+Subject: brcmfmac: add length check in brcmf_cfg80211_escan_handler()
+
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+
+commit 17df6453d4be17910456e99c5a85025aa1b7a246 upstream.
+
+Upon handling the firmware notification for scans the length was
+checked properly and may result in corrupting kernel heap memory
+due to buffer overruns. This fix addresses CVE-2017-0786.
+
+Cc: Kevin Cernekee <cernekee@chromium.org>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
+@@ -2914,6 +2914,7 @@ brcmf_cfg80211_escan_handler(struct brcm
+ struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
+ s32 status;
+ struct brcmf_escan_result_le *escan_result_le;
++ u32 escan_buflen;
+ struct brcmf_bss_info_le *bss_info_le;
+ struct brcmf_bss_info_le *bss = NULL;
+ u32 bi_length;
+@@ -2930,11 +2931,23 @@ brcmf_cfg80211_escan_handler(struct brcm
+
+ if (status == BRCMF_E_STATUS_PARTIAL) {
+ brcmf_dbg(SCAN, "ESCAN Partial result\n");
++ if (e->datalen < sizeof(*escan_result_le)) {
++ brcmf_err("invalid event data length\n");
++ goto exit;
++ }
+ escan_result_le = (struct brcmf_escan_result_le *) data;
+ if (!escan_result_le) {
+ brcmf_err("Invalid escan result (NULL pointer)\n");
+ goto exit;
+ }
++ escan_buflen = le32_to_cpu(escan_result_le->buflen);
++ if (escan_buflen > BRCMF_ESCAN_BUF_SIZE ||
++ escan_buflen > e->datalen ||
++ escan_buflen < sizeof(*escan_result_le)) {
++ brcmf_err("Invalid escan buffer length: %d\n",
++ escan_buflen);
++ goto exit;
++ }
+ if (le16_to_cpu(escan_result_le->bss_count) != 1) {
+ brcmf_err("Invalid bss_count %d: ignoring\n",
+ escan_result_le->bss_count);
+@@ -2951,9 +2964,8 @@ brcmf_cfg80211_escan_handler(struct brcm
+ }
+
+ bi_length = le32_to_cpu(bss_info_le->length);
+- if (bi_length != (le32_to_cpu(escan_result_le->buflen) -
+- WL_ESCAN_RESULTS_FIXED_SIZE)) {
+- brcmf_err("Invalid bss_info length %d: ignoring\n",
++ if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) {
++ brcmf_err("Ignoring invalid bss_info length: %d\n",
+ bi_length);
+ goto exit;
+ }
--- /dev/null
+From 35f62727df0ed8e5e4857e162d94fd46d861f1cf Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Tue, 12 Sep 2017 10:47:54 +0200
+Subject: brcmfmac: setup passive scan if requested by user-space
+
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+
+commit 35f62727df0ed8e5e4857e162d94fd46d861f1cf upstream.
+
+The driver was not properly configuring firmware with regard to the
+type of scan. It always performed an active scan even when user-space
+was requesting for passive scan, ie. the scan request was done without
+any SSIDs specified.
+
+Reported-by: Huang, Jiangyang <Jiangyang.Huang@itron.com>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c | 19 ++++---------------
+ drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h | 5 +++++
+ 2 files changed, 9 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
+@@ -876,7 +876,7 @@ static void brcmf_escan_prep(struct brcm
+
+ eth_broadcast_addr(params_le->bssid);
+ params_le->bss_type = DOT11_BSSTYPE_ANY;
+- params_le->scan_type = 0;
++ params_le->scan_type = BRCMF_SCANTYPE_ACTIVE;
+ params_le->channel_num = 0;
+ params_le->nprobes = cpu_to_le32(-1);
+ params_le->active_time = cpu_to_le32(-1);
+@@ -884,12 +884,9 @@ static void brcmf_escan_prep(struct brcm
+ params_le->home_time = cpu_to_le32(-1);
+ memset(¶ms_le->ssid_le, 0, sizeof(params_le->ssid_le));
+
+- /* if request is null exit so it will be all channel broadcast scan */
+- if (!request)
+- return;
+-
+ n_ssids = request->n_ssids;
+ n_channels = request->n_channels;
++
+ /* Copy channel array if applicable */
+ brcmf_dbg(SCAN, "### List of channelspecs to scan ### %d\n",
+ n_channels);
+@@ -926,16 +923,8 @@ static void brcmf_escan_prep(struct brcm
+ ptr += sizeof(ssid_le);
+ }
+ } else {
+- brcmf_dbg(SCAN, "Broadcast scan %p\n", request->ssids);
+- if ((request->ssids) && request->ssids->ssid_len) {
+- brcmf_dbg(SCAN, "SSID %s len=%d\n",
+- params_le->ssid_le.SSID,
+- request->ssids->ssid_len);
+- params_le->ssid_le.SSID_len =
+- cpu_to_le32(request->ssids->ssid_len);
+- memcpy(¶ms_le->ssid_le.SSID, request->ssids->ssid,
+- request->ssids->ssid_len);
+- }
++ brcmf_dbg(SCAN, "Performing passive scan\n");
++ params_le->scan_type = BRCMF_SCANTYPE_PASSIVE;
+ }
+ /* Adding mask to channel numbers */
+ params_le->channel_num =
+--- a/drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h
++++ b/drivers/net/wireless/brcm80211/brcmfmac/fwil_types.h
+@@ -45,6 +45,11 @@
+ #define BRCMF_SCAN_PARAMS_COUNT_MASK 0x0000ffff
+ #define BRCMF_SCAN_PARAMS_NSSID_SHIFT 16
+
++/* scan type definitions */
++#define BRCMF_SCANTYPE_DEFAULT 0xFF
++#define BRCMF_SCANTYPE_ACTIVE 0
++#define BRCMF_SCANTYPE_PASSIVE 1
++
+ /* primary (ie tx) key */
+ #define BRCMF_PRIMARY_KEY (1 << 1)
+ #define DOT11_BSSTYPE_ANY 2
--- /dev/null
+From 2ba7d7e0437127314864238f8bfcb8369d81075c Mon Sep 17 00:00:00 2001
+From: Jani Nikula <jani.nikula@intel.com>
+Date: Thu, 21 Sep 2017 17:19:20 +0300
+Subject: drm/i915/bios: ignore HDMI on port A
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+commit 2ba7d7e0437127314864238f8bfcb8369d81075c upstream.
+
+The hardware state readout oopses after several warnings when trying to
+use HDMI on port A, if such a combination is configured in VBT. Filter
+the combo out already at the VBT parsing phase.
+
+v2: also ignore DVI (Ville)
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=102889
+Cc: Imre Deak <imre.deak@intel.com>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Tested-by: Daniel Drake <dan@reactivated.net>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20170921141920.18172-1-jani.nikula@intel.com
+(cherry picked from commit d27ffc1d00327c29b3aa97f941b42f0949f9e99f)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_bios.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/i915/intel_bios.c
++++ b/drivers/gpu/drm/i915/intel_bios.c
+@@ -957,6 +957,13 @@ static void parse_ddi_port(struct drm_i9
+ is_hdmi = is_dvi && (child->common.device_type & DEVICE_TYPE_NOT_HDMI_OUTPUT) == 0;
+ is_edp = is_dp && (child->common.device_type & DEVICE_TYPE_INTERNAL_CONNECTOR);
+
++ if (port == PORT_A && is_dvi) {
++ DRM_DEBUG_KMS("VBT claims port A supports DVI%s, ignoring\n",
++ is_hdmi ? "/HDMI" : "");
++ is_dvi = false;
++ is_hdmi = false;
++ }
++
+ info->supports_dvi = is_dvi;
+ info->supports_hdmi = is_hdmi;
+ info->supports_dp = is_dp;
--- /dev/null
+From 173b8439e1ba362007315868928bf9d26e5cc5a6 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 28 Dec 2016 00:22:52 -0500
+Subject: ext4: don't allow encrypted operations without keys
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 173b8439e1ba362007315868928bf9d26e5cc5a6 upstream.
+
+While we allow deletes without the key, the following should not be
+permitted:
+
+# cd /vdc/encrypted-dir-without-key
+# ls -l
+total 4
+-rw-r--r-- 1 root root 0 Dec 27 22:35 6,LKNRJsp209FbXoSvJWzB
+-rw-r--r-- 1 root root 286 Dec 27 22:35 uRJ5vJh9gE7vcomYMqTAyD
+# mv uRJ5vJh9gE7vcomYMqTAyD 6,LKNRJsp209FbXoSvJWzB
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ fs/ext4/namei.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -3506,6 +3506,12 @@ static int ext4_rename(struct inode *old
+ int credits;
+ u8 old_file_type;
+
++ if ((ext4_encrypted_inode(old_dir) &&
++ !ext4_has_encryption_key(old_dir)) ||
++ (ext4_encrypted_inode(new_dir) &&
++ !ext4_has_encryption_key(new_dir)))
++ return -ENOKEY;
++
+ retval = dquot_initialize(old.dir);
+ if (retval)
+ return retval;
+@@ -3706,6 +3712,12 @@ static int ext4_cross_rename(struct inod
+ u8 new_file_type;
+ int retval;
+
++ if ((ext4_encrypted_inode(old_dir) &&
++ !ext4_has_encryption_key(old_dir)) ||
++ (ext4_encrypted_inode(new_dir) &&
++ !ext4_has_encryption_key(new_dir)))
++ return -ENOKEY;
++
+ if ((ext4_encrypted_inode(old_dir) ||
+ ext4_encrypted_inode(new_dir)) &&
+ (old_dir != new_dir) &&
--- /dev/null
+From a3bb2d5587521eea6dab2d05326abb0afb460abd Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Sun, 30 Jul 2017 23:33:01 -0400
+Subject: ext4: Don't clear SGID when inheriting ACLs
+
+From: Jan Kara <jack@suse.cz>
+
+commit a3bb2d5587521eea6dab2d05326abb0afb460abd upstream.
+
+When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
+set, DIR1 is expected to have SGID bit set (and owning group equal to
+the owning group of 'DIR0'). However when 'DIR0' also has some default
+ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
+'DIR1' to get cleared if user is not member of the owning group.
+
+Fix the problem by moving posix_acl_update_mode() out of
+__ext4_set_acl() into ext4_set_acl(). That way the function will not be
+called when inheriting ACLs which is what we want as it prevents SGID
+bit clearing and the mode has been properly set by posix_acl_create()
+anyway.
+
+Fixes: 073931017b49d9458aa351605b43a7e34598caef
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/acl.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+--- a/fs/ext4/acl.c
++++ b/fs/ext4/acl.c
+@@ -195,13 +195,6 @@ __ext4_set_acl(handle_t *handle, struct
+ switch (type) {
+ case ACL_TYPE_ACCESS:
+ name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS;
+- if (acl) {
+- error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+- if (error)
+- return error;
+- inode->i_ctime = ext4_current_time(inode);
+- ext4_mark_inode_dirty(handle, inode);
+- }
+ break;
+
+ case ACL_TYPE_DEFAULT:
+@@ -234,6 +227,8 @@ ext4_set_acl(struct inode *inode, struct
+ {
+ handle_t *handle;
+ int error, retries = 0;
++ umode_t mode = inode->i_mode;
++ int update_mode = 0;
+
+ retry:
+ handle = ext4_journal_start(inode, EXT4_HT_XATTR,
+@@ -241,7 +236,20 @@ retry:
+ if (IS_ERR(handle))
+ return PTR_ERR(handle);
+
++ if ((type == ACL_TYPE_ACCESS) && acl) {
++ error = posix_acl_update_mode(inode, &mode, &acl);
++ if (error)
++ goto out_stop;
++ update_mode = 1;
++ }
++
+ error = __ext4_set_acl(handle, inode, type, acl);
++ if (!error && update_mode) {
++ inode->i_mode = mode;
++ inode->i_ctime = ext4_current_time(inode);
++ ext4_mark_inode_dirty(handle, inode);
++ }
++out_stop:
+ ext4_journal_stop(handle);
+ if (error == -ENOSPC && ext4_should_retry_alloc(inode->i_sb, &retries))
+ goto retry;
--- /dev/null
+From a056bdaae7a181f7dcc876cfab2f94538e508709 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 26 May 2017 17:45:45 -0400
+Subject: ext4: fix data corruption for mmap writes
+
+From: Jan Kara <jack@suse.cz>
+
+commit a056bdaae7a181f7dcc876cfab2f94538e508709 upstream.
+
+mpage_submit_page() can race with another process growing i_size and
+writing data via mmap to the written-back page. As mpage_submit_page()
+samples i_size too early, it may happen that ext4_bio_write_page()
+zeroes out too large tail of the page and thus corrupts user data.
+
+Fix the problem by sampling i_size only after the page has been
+write-protected in page tables by clear_page_dirty_for_io() call.
+
+Reported-by: Michael Zimmer <michael@swarm64.com>
+CC: stable@vger.kernel.org
+Fixes: cb20d5188366f04d96d2e07b1240cc92170ade40
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1946,15 +1946,29 @@ static int ext4_writepage(struct page *p
+ static int mpage_submit_page(struct mpage_da_data *mpd, struct page *page)
+ {
+ int len;
+- loff_t size = i_size_read(mpd->inode);
++ loff_t size;
+ int err;
+
+ BUG_ON(page->index != mpd->first_page);
+- if (page->index == size >> PAGE_CACHE_SHIFT)
+- len = size & ~PAGE_CACHE_MASK;
+- else
+- len = PAGE_CACHE_SIZE;
+ clear_page_dirty_for_io(page);
++ /*
++ * We have to be very careful here! Nothing protects writeback path
++ * against i_size changes and the page can be writeably mapped into
++ * page tables. So an application can be growing i_size and writing
++ * data through mmap while writeback runs. clear_page_dirty_for_io()
++ * write-protects our page in page tables and the page cannot get
++ * written to again until we release page lock. So only after
++ * clear_page_dirty_for_io() we are safe to sample i_size for
++ * ext4_bio_write_page() to zero-out tail of the written page. We rely
++ * on the barrier provided by TestClearPageDirty in
++ * clear_page_dirty_for_io() to make sure i_size is really sampled only
++ * after page tables are updated.
++ */
++ size = i_size_read(mpd->inode);
++ if (page->index == size >> PAGE_SHIFT)
++ len = size & ~PAGE_MASK;
++ else
++ len = PAGE_SIZE;
+ err = ext4_bio_write_page(&mpd->io_submit, page, len, mpd->wbc, false);
+ if (!err)
+ mpd->wbc->nr_to_write--;
--- /dev/null
+From 363fa4e078cbdc97a172c19d19dc04b41b52ebc8 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Wed, 28 Dec 2016 17:31:15 -0800
+Subject: f2fs: don't allow encrypted operations without keys
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit 363fa4e078cbdc97a172c19d19dc04b41b52ebc8 upstream.
+
+This patch fixes the renaming bug on encrypted filenames, which was pointed by
+
+ (ext4: don't allow encrypted operations without keys)
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/namei.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -597,6 +597,12 @@ static int f2fs_rename(struct inode *old
+ struct f2fs_dir_entry *new_entry;
+ int err = -ENOENT;
+
++ if ((f2fs_encrypted_inode(old_dir) &&
++ !fscrypt_has_encryption_key(old_dir)) ||
++ (f2fs_encrypted_inode(new_dir) &&
++ !fscrypt_has_encryption_key(new_dir)))
++ return -ENOKEY;
++
+ if ((old_dir != new_dir) && f2fs_encrypted_inode(new_dir) &&
+ !f2fs_is_child_context_consistent_with_parent(new_dir,
+ old_inode)) {
+@@ -755,6 +761,12 @@ static int f2fs_cross_rename(struct inod
+ int old_nlink = 0, new_nlink = 0;
+ int err = -ENOENT;
+
++ if ((f2fs_encrypted_inode(old_dir) &&
++ !fscrypt_has_encryption_key(old_dir)) ||
++ (f2fs_encrypted_inode(new_dir) &&
++ !fscrypt_has_encryption_key(new_dir)))
++ return -ENOKEY;
++
+ if ((f2fs_encrypted_inode(old_dir) || f2fs_encrypted_inode(new_dir)) &&
+ (old_dir != new_dir) &&
+ (!f2fs_is_child_context_consistent_with_parent(new_dir,
--- /dev/null
+From 77bf25ea70200cddf083f74b7f617e5f07fac8bd Mon Sep 17 00:00:00 2001
+From: Keith Busch <keith.busch@intel.com>
+Date: Thu, 26 Nov 2015 12:21:29 +0100
+Subject: nvme: protect against simultaneous shutdown invocations
+
+From: Keith Busch <keith.busch@intel.com>
+
+commit 77bf25ea70200cddf083f74b7f617e5f07fac8bd upstream.
+
+[Back-ported to 4.4. The difference is the file location of the struct
+definition that's adding the mutex.
+
+This fixes reported kernel panics in 4.4-stable from simultaneous
+controller resets that was never supposed to be allowed to happen.]
+
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+[hch: split from a larger patch]
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/nvme/host/nvme.h | 2 ++
+ drivers/nvme/host/pci.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -14,6 +14,7 @@
+ #ifndef _NVME_H
+ #define _NVME_H
+
++#include <linux/mutex.h>
+ #include <linux/nvme.h>
+ #include <linux/pci.h>
+ #include <linux/kref.h>
+@@ -62,6 +63,7 @@ struct nvme_dev {
+ struct work_struct reset_work;
+ struct work_struct probe_work;
+ struct work_struct scan_work;
++ struct mutex shutdown_lock;
+ char name[12];
+ char serial[20];
+ char model[40];
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2954,6 +2954,7 @@ static void nvme_dev_shutdown(struct nvm
+
+ nvme_dev_list_remove(dev);
+
++ mutex_lock(&dev->shutdown_lock);
+ if (pci_is_enabled(to_pci_dev(dev->dev))) {
+ nvme_freeze_queues(dev);
+ csts = readl(&dev->bar->csts);
+@@ -2972,6 +2973,7 @@ static void nvme_dev_shutdown(struct nvm
+
+ for (i = dev->queue_count - 1; i >= 0; i--)
+ nvme_clear_queue(dev->queues[i]);
++ mutex_unlock(&dev->shutdown_lock);
+ }
+
+ static void nvme_dev_remove(struct nvme_dev *dev)
+@@ -3328,6 +3330,7 @@ static int nvme_probe(struct pci_dev *pd
+
+ INIT_LIST_HEAD(&dev->namespaces);
+ INIT_WORK(&dev->reset_work, nvme_reset_work);
++ mutex_init(&dev->shutdown_lock);
+ dev->dev = get_device(&pdev->dev);
+ pci_set_drvdata(pdev, dev);
+
--- /dev/null
+From 50e76632339d4655859523a39249dd95ee5e93e7 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 7 Sep 2017 11:13:38 +0200
+Subject: sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 50e76632339d4655859523a39249dd95ee5e93e7 upstream.
+
+Cpusets vs. suspend-resume is _completely_ broken. And it got noticed
+because it now resulted in non-cpuset usage breaking too.
+
+On suspend cpuset_cpu_inactive() doesn't call into
+cpuset_update_active_cpus() because it doesn't want to move tasks about,
+there is no need, all tasks are frozen and won't run again until after
+we've resumed everything.
+
+But this means that when we finally do call into
+cpuset_update_active_cpus() after resuming the last frozen cpu in
+cpuset_cpu_active(), the top_cpuset will not have any difference with
+the cpu_active_mask and this it will not in fact do _anything_.
+
+So the cpuset configuration will not be restored. This was largely
+hidden because we would unconditionally create identity domains and
+mobile users would not in fact use cpusets much. And servers what do use
+cpusets tend to not suspend-resume much.
+
+An addition problem is that we'd not in fact wait for the cpuset work to
+finish before resuming the tasks, allowing spurious migrations outside
+of the specified domains.
+
+Fix the rebuild by introducing cpuset_force_rebuild() and fix the
+ordering with cpuset_wait_for_hotplug().
+
+Reported-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: <stable@vger.kernel.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Rafael J. Wysocki <rjw@rjwysocki.net>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: deb7aa308ea2 ("cpuset: reorganize CPU / memory hotplug handling")
+Link: http://lkml.kernel.org/r/20170907091338.orwxrqkbfkki3c24@hirez.programming.kicks-ass.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Mike Galbraith <efault@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/cpuset.h | 6 ++++++
+ kernel/cpuset.c | 16 +++++++++++++++-
+ kernel/power/process.c | 5 ++++-
+ kernel/sched/core.c | 7 +++----
+ 4 files changed, 28 insertions(+), 6 deletions(-)
+
+--- a/include/linux/cpuset.h
++++ b/include/linux/cpuset.h
+@@ -43,7 +43,9 @@ static inline void cpuset_dec(void)
+
+ extern int cpuset_init(void);
+ extern void cpuset_init_smp(void);
++extern void cpuset_force_rebuild(void);
+ extern void cpuset_update_active_cpus(bool cpu_online);
++extern void cpuset_wait_for_hotplug(void);
+ extern void cpuset_cpus_allowed(struct task_struct *p, struct cpumask *mask);
+ extern void cpuset_cpus_allowed_fallback(struct task_struct *p);
+ extern nodemask_t cpuset_mems_allowed(struct task_struct *p);
+@@ -147,11 +149,15 @@ static inline bool cpusets_enabled(void)
+ static inline int cpuset_init(void) { return 0; }
+ static inline void cpuset_init_smp(void) {}
+
++static inline void cpuset_force_rebuild(void) { }
++
+ static inline void cpuset_update_active_cpus(bool cpu_online)
+ {
+ partition_sched_domains(1, NULL, NULL);
+ }
+
++static inline void cpuset_wait_for_hotplug(void) { }
++
+ static inline void cpuset_cpus_allowed(struct task_struct *p,
+ struct cpumask *mask)
+ {
+--- a/kernel/cpuset.c
++++ b/kernel/cpuset.c
+@@ -2281,6 +2281,13 @@ retry:
+ mutex_unlock(&cpuset_mutex);
+ }
+
++static bool force_rebuild;
++
++void cpuset_force_rebuild(void)
++{
++ force_rebuild = true;
++}
++
+ /**
+ * cpuset_hotplug_workfn - handle CPU/memory hotunplug for a cpuset
+ *
+@@ -2355,8 +2362,10 @@ static void cpuset_hotplug_workfn(struct
+ }
+
+ /* rebuild sched domains if cpus_allowed has changed */
+- if (cpus_updated)
++ if (cpus_updated || force_rebuild) {
++ force_rebuild = false;
+ rebuild_sched_domains();
++ }
+ }
+
+ void cpuset_update_active_cpus(bool cpu_online)
+@@ -2375,6 +2384,11 @@ void cpuset_update_active_cpus(bool cpu_
+ schedule_work(&cpuset_hotplug_work);
+ }
+
++void cpuset_wait_for_hotplug(void)
++{
++ flush_work(&cpuset_hotplug_work);
++}
++
+ /*
+ * Keep top_cpuset.mems_allowed tracking node_states[N_MEMORY].
+ * Call this routine anytime after node_states[N_MEMORY] changes.
+--- a/kernel/power/process.c
++++ b/kernel/power/process.c
+@@ -18,8 +18,9 @@
+ #include <linux/workqueue.h>
+ #include <linux/kmod.h>
+ #include <trace/events/power.h>
++#include <linux/cpuset.h>
+
+-/*
++/*
+ * Timeout for stopping processes
+ */
+ unsigned int __read_mostly freeze_timeout_msecs = 20 * MSEC_PER_SEC;
+@@ -198,6 +199,8 @@ void thaw_processes(void)
+ __usermodehelper_set_disable_depth(UMH_FREEZING);
+ thaw_workqueues();
+
++ cpuset_wait_for_hotplug();
++
+ read_lock(&tasklist_lock);
+ for_each_process_thread(g, p) {
+ /* No other threads should have PF_SUSPEND_TASK set */
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -7286,17 +7286,16 @@ static int cpuset_cpu_active(struct noti
+ * operation in the resume sequence, just build a single sched
+ * domain, ignoring cpusets.
+ */
+- num_cpus_frozen--;
+- if (likely(num_cpus_frozen)) {
+- partition_sched_domains(1, NULL, NULL);
++ partition_sched_domains(1, NULL, NULL);
++ if (--num_cpus_frozen)
+ break;
+- }
+
+ /*
+ * This is the last CPU online operation. So fall through and
+ * restore the original sched domains by considering the
+ * cpuset configurations.
+ */
++ cpuset_force_rebuild();
+
+ case CPU_ONLINE:
+ cpuset_update_active_cpus(true);
iio-adc-mcp320x-fix-oops-on-module-unload.patch
uwb-properly-check-kthread_run-return-value.patch
uwb-ensure-that-endpoint-is-interrupt.patch
+brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch
+brcmfmac-setup-passive-scan-if-requested-by-user-space.patch
+drm-i915-bios-ignore-hdmi-on-port-a.patch
+nvme-protect-against-simultaneous-shutdown-invocations.patch
+sched-cpuset-pm-fix-cpuset-vs.-suspend-resume-bugs.patch
+ext4-fix-data-corruption-for-mmap-writes.patch
+ext4-don-t-clear-sgid-when-inheriting-acls.patch
+ext4-don-t-allow-encrypted-operations-without-keys.patch
+f2fs-don-t-allow-encrypted-operations-without-keys.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
