--- /dev/null
+From bb06c388fa20ae24cfe80c52488de718a7e3a53f Mon Sep 17 00:00:00 2001
+From: zhengbin <zhengbin13@huawei.com>
+Date: Wed, 13 Mar 2019 16:01:37 +0800
+Subject: 9p/net: fix memory leak in p9_client_create
+
+From: zhengbin <zhengbin13@huawei.com>
+
+commit bb06c388fa20ae24cfe80c52488de718a7e3a53f upstream.
+
+If msize is less than 4096, we should close and put trans, destroy
+tagpool, not just free client. This patch fixes that.
+
+Link: http://lkml.kernel.org/m/1552464097-142659-1-git-send-email-zhengbin13@huawei.com
+Cc: stable@vger.kernel.org
+Fixes: 574d356b7a02 ("9p/net: put a lower bound on msize")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: zhengbin <zhengbin13@huawei.com>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/9p/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -1082,7 +1082,7 @@ struct p9_client *p9_client_create(const
+ p9_debug(P9_DEBUG_ERROR,
+ "Please specify a msize of at least 4k\n");
+ err = -EINVAL;
+- goto free_client;
++ goto close_trans;
+ }
+
+ err = p9_client_version(clnt);
--- /dev/null
+From 5e3cc1ee1405a7eb3487ed24f786dec01b4cbe1f Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Thu, 24 Jan 2019 14:35:13 +0800
+Subject: 9p: use inode->i_lock to protect i_size_write() under 32-bit
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit 5e3cc1ee1405a7eb3487ed24f786dec01b4cbe1f upstream.
+
+Use inode->i_lock to protect i_size_write(), else i_size_read() in
+generic_fillattr() may loop infinitely in read_seqcount_begin() when
+multiple processes invoke v9fs_vfs_getattr() or v9fs_vfs_getattr_dotl()
+simultaneously under 32-bit SMP environment, and a soft lockup will be
+triggered as show below:
+
+ watchdog: BUG: soft lockup - CPU#5 stuck for 22s! [stat:2217]
+ Modules linked in:
+ CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-00005-g7f702faf5a9e #4
+ Hardware name: Generic DT based system
+ PC is at generic_fillattr+0x104/0x108
+ LR is at 0xec497f00
+ pc : [<802b8898>] lr : [<ec497f00>] psr: 200c0013
+ sp : ec497e20 ip : ed608030 fp : ec497e3c
+ r10: 00000000 r9 : ec497f00 r8 : ed608030
+ r7 : ec497ebc r6 : ec497f00 r5 : ee5c1550 r4 : ee005780
+ r3 : 0000052d r2 : 00000000 r1 : ec497f00 r0 : ed608030
+ Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+ Control: 10c5387d Table: ac48006a DAC: 00000051
+ CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-00005-g7f702faf5a9e #4
+ Hardware name: Generic DT based system
+ Backtrace:
+ [<8010d974>] (dump_backtrace) from [<8010dc88>] (show_stack+0x20/0x24)
+ [<8010dc68>] (show_stack) from [<80a1d194>] (dump_stack+0xb0/0xdc)
+ [<80a1d0e4>] (dump_stack) from [<80109f34>] (show_regs+0x1c/0x20)
+ [<80109f18>] (show_regs) from [<801d0a80>] (watchdog_timer_fn+0x280/0x2f8)
+ [<801d0800>] (watchdog_timer_fn) from [<80198658>] (__hrtimer_run_queues+0x18c/0x380)
+ [<801984cc>] (__hrtimer_run_queues) from [<80198e60>] (hrtimer_run_queues+0xb8/0xf0)
+ [<80198da8>] (hrtimer_run_queues) from [<801973e8>] (run_local_timers+0x28/0x64)
+ [<801973c0>] (run_local_timers) from [<80197460>] (update_process_times+0x3c/0x6c)
+ [<80197424>] (update_process_times) from [<801ab2b8>] (tick_nohz_handler+0xe0/0x1bc)
+ [<801ab1d8>] (tick_nohz_handler) from [<80843050>] (arch_timer_handler_virt+0x38/0x48)
+ [<80843018>] (arch_timer_handler_virt) from [<80180a64>] (handle_percpu_devid_irq+0x8c/0x240)
+ [<801809d8>] (handle_percpu_devid_irq) from [<8017ac20>] (generic_handle_irq+0x34/0x44)
+ [<8017abec>] (generic_handle_irq) from [<8017b344>] (__handle_domain_irq+0x6c/0xc4)
+ [<8017b2d8>] (__handle_domain_irq) from [<801022e0>] (gic_handle_irq+0x4c/0x88)
+ [<80102294>] (gic_handle_irq) from [<80101a30>] (__irq_svc+0x70/0x98)
+ [<802b8794>] (generic_fillattr) from [<8056b284>] (v9fs_vfs_getattr_dotl+0x74/0xa4)
+ [<8056b210>] (v9fs_vfs_getattr_dotl) from [<802b8904>] (vfs_getattr_nosec+0x68/0x7c)
+ [<802b889c>] (vfs_getattr_nosec) from [<802b895c>] (vfs_getattr+0x44/0x48)
+ [<802b8918>] (vfs_getattr) from [<802b8a74>] (vfs_statx+0x9c/0xec)
+ [<802b89d8>] (vfs_statx) from [<802b9428>] (sys_lstat64+0x48/0x78)
+ [<802b93e0>] (sys_lstat64) from [<80101000>] (ret_fast_syscall+0x0/0x28)
+
+[dominique.martinet@cea.fr: updated comment to not refer to a function
+in another subsystem]
+Link: http://lkml.kernel.org/r/20190124063514.8571-2-houtao1@huawei.com
+Cc: stable@vger.kernel.org
+Fixes: 7549ae3e81cc ("9p: Use the i_size_[read, write]() macros instead of using inode->i_size directly.")
+Reported-by: Xing Gaopeng <xingaopeng@huawei.com>
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/9p/v9fs_vfs.h | 23 +++++++++++++++++++++--
+ fs/9p/vfs_file.c | 6 +++++-
+ fs/9p/vfs_inode.c | 23 +++++++++++------------
+ fs/9p/vfs_inode_dotl.c | 27 ++++++++++++++-------------
+ fs/9p/vfs_super.c | 4 ++--
+ 5 files changed, 53 insertions(+), 30 deletions(-)
+
+--- a/fs/9p/v9fs_vfs.h
++++ b/fs/9p/v9fs_vfs.h
+@@ -40,6 +40,9 @@
+ */
+ #define P9_LOCK_TIMEOUT (30*HZ)
+
++/* flags for v9fs_stat2inode() & v9fs_stat2inode_dotl() */
++#define V9FS_STAT2INODE_KEEP_ISIZE 1
++
+ extern struct file_system_type v9fs_fs_type;
+ extern const struct address_space_operations v9fs_addr_operations;
+ extern const struct file_operations v9fs_file_operations;
+@@ -61,8 +64,10 @@ int v9fs_init_inode(struct v9fs_session_
+ struct inode *inode, umode_t mode, dev_t);
+ void v9fs_evict_inode(struct inode *inode);
+ ino_t v9fs_qid2ino(struct p9_qid *qid);
+-void v9fs_stat2inode(struct p9_wstat *, struct inode *, struct super_block *);
+-void v9fs_stat2inode_dotl(struct p9_stat_dotl *, struct inode *);
++void v9fs_stat2inode(struct p9_wstat *stat, struct inode *inode,
++ struct super_block *sb, unsigned int flags);
++void v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode,
++ unsigned int flags);
+ int v9fs_dir_release(struct inode *inode, struct file *filp);
+ int v9fs_file_open(struct inode *inode, struct file *file);
+ void v9fs_inode2stat(struct inode *inode, struct p9_wstat *stat);
+@@ -83,4 +88,18 @@ static inline void v9fs_invalidate_inode
+ }
+
+ int v9fs_open_to_dotl_flags(int flags);
++
++static inline void v9fs_i_size_write(struct inode *inode, loff_t i_size)
++{
++ /*
++ * 32-bit need the lock, concurrent updates could break the
++ * sequences and make i_size_read() loop forever.
++ * 64-bit updates are atomic and can skip the locking.
++ */
++ if (sizeof(i_size) > sizeof(long))
++ spin_lock(&inode->i_lock);
++ i_size_write(inode, i_size);
++ if (sizeof(i_size) > sizeof(long))
++ spin_unlock(&inode->i_lock);
++}
+ #endif
+--- a/fs/9p/vfs_file.c
++++ b/fs/9p/vfs_file.c
+@@ -442,7 +442,11 @@ v9fs_file_write_iter(struct kiocb *iocb,
+ i_size = i_size_read(inode);
+ if (iocb->ki_pos > i_size) {
+ inode_add_bytes(inode, iocb->ki_pos - i_size);
+- i_size_write(inode, iocb->ki_pos);
++ /*
++ * Need to serialize against i_size_write() in
++ * v9fs_stat2inode()
++ */
++ v9fs_i_size_write(inode, iocb->ki_pos);
+ }
+ return retval;
+ }
+--- a/fs/9p/vfs_inode.c
++++ b/fs/9p/vfs_inode.c
+@@ -538,7 +538,7 @@ static struct inode *v9fs_qid_iget(struc
+ if (retval)
+ goto error;
+
+- v9fs_stat2inode(st, inode, sb);
++ v9fs_stat2inode(st, inode, sb, 0);
+ v9fs_cache_inode_get_cookie(inode);
+ unlock_new_inode(inode);
+ return inode;
+@@ -1080,7 +1080,7 @@ v9fs_vfs_getattr(const struct path *path
+ if (IS_ERR(st))
+ return PTR_ERR(st);
+
+- v9fs_stat2inode(st, d_inode(dentry), dentry->d_sb);
++ v9fs_stat2inode(st, d_inode(dentry), dentry->d_sb, 0);
+ generic_fillattr(d_inode(dentry), stat);
+
+ p9stat_free(st);
+@@ -1158,12 +1158,13 @@ static int v9fs_vfs_setattr(struct dentr
+ * @stat: Plan 9 metadata (mistat) structure
+ * @inode: inode to populate
+ * @sb: superblock of filesystem
++ * @flags: control flags (e.g. V9FS_STAT2INODE_KEEP_ISIZE)
+ *
+ */
+
+ void
+ v9fs_stat2inode(struct p9_wstat *stat, struct inode *inode,
+- struct super_block *sb)
++ struct super_block *sb, unsigned int flags)
+ {
+ umode_t mode;
+ char ext[32];
+@@ -1204,10 +1205,11 @@ v9fs_stat2inode(struct p9_wstat *stat, s
+ mode = p9mode2perm(v9ses, stat);
+ mode |= inode->i_mode & ~S_IALLUGO;
+ inode->i_mode = mode;
+- i_size_write(inode, stat->length);
+
++ if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE))
++ v9fs_i_size_write(inode, stat->length);
+ /* not real number of blocks, but 512 byte ones ... */
+- inode->i_blocks = (i_size_read(inode) + 512 - 1) >> 9;
++ inode->i_blocks = (stat->length + 512 - 1) >> 9;
+ v9inode->cache_validity &= ~V9FS_INO_INVALID_ATTR;
+ }
+
+@@ -1404,9 +1406,9 @@ int v9fs_refresh_inode(struct p9_fid *fi
+ {
+ int umode;
+ dev_t rdev;
+- loff_t i_size;
+ struct p9_wstat *st;
+ struct v9fs_session_info *v9ses;
++ unsigned int flags;
+
+ v9ses = v9fs_inode2v9ses(inode);
+ st = p9_client_stat(fid);
+@@ -1419,16 +1421,13 @@ int v9fs_refresh_inode(struct p9_fid *fi
+ if ((inode->i_mode & S_IFMT) != (umode & S_IFMT))
+ goto out;
+
+- spin_lock(&inode->i_lock);
+ /*
+ * We don't want to refresh inode->i_size,
+ * because we may have cached data
+ */
+- i_size = inode->i_size;
+- v9fs_stat2inode(st, inode, inode->i_sb);
+- if (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE)
+- inode->i_size = i_size;
+- spin_unlock(&inode->i_lock);
++ flags = (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE) ?
++ V9FS_STAT2INODE_KEEP_ISIZE : 0;
++ v9fs_stat2inode(st, inode, inode->i_sb, flags);
+ out:
+ p9stat_free(st);
+ kfree(st);
+--- a/fs/9p/vfs_inode_dotl.c
++++ b/fs/9p/vfs_inode_dotl.c
+@@ -143,7 +143,7 @@ static struct inode *v9fs_qid_iget_dotl(
+ if (retval)
+ goto error;
+
+- v9fs_stat2inode_dotl(st, inode);
++ v9fs_stat2inode_dotl(st, inode, 0);
+ v9fs_cache_inode_get_cookie(inode);
+ retval = v9fs_get_acl(inode, fid);
+ if (retval)
+@@ -497,7 +497,7 @@ v9fs_vfs_getattr_dotl(const struct path
+ if (IS_ERR(st))
+ return PTR_ERR(st);
+
+- v9fs_stat2inode_dotl(st, d_inode(dentry));
++ v9fs_stat2inode_dotl(st, d_inode(dentry), 0);
+ generic_fillattr(d_inode(dentry), stat);
+ /* Change block size to what the server returned */
+ stat->blksize = st->st_blksize;
+@@ -608,11 +608,13 @@ int v9fs_vfs_setattr_dotl(struct dentry
+ * v9fs_stat2inode_dotl - populate an inode structure with stat info
+ * @stat: stat structure
+ * @inode: inode to populate
++ * @flags: ctrl flags (e.g. V9FS_STAT2INODE_KEEP_ISIZE)
+ *
+ */
+
+ void
+-v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode)
++v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode,
++ unsigned int flags)
+ {
+ umode_t mode;
+ struct v9fs_inode *v9inode = V9FS_I(inode);
+@@ -632,7 +634,8 @@ v9fs_stat2inode_dotl(struct p9_stat_dotl
+ mode |= inode->i_mode & ~S_IALLUGO;
+ inode->i_mode = mode;
+
+- i_size_write(inode, stat->st_size);
++ if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE))
++ v9fs_i_size_write(inode, stat->st_size);
+ inode->i_blocks = stat->st_blocks;
+ } else {
+ if (stat->st_result_mask & P9_STATS_ATIME) {
+@@ -662,8 +665,9 @@ v9fs_stat2inode_dotl(struct p9_stat_dotl
+ }
+ if (stat->st_result_mask & P9_STATS_RDEV)
+ inode->i_rdev = new_decode_dev(stat->st_rdev);
+- if (stat->st_result_mask & P9_STATS_SIZE)
+- i_size_write(inode, stat->st_size);
++ if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE) &&
++ stat->st_result_mask & P9_STATS_SIZE)
++ v9fs_i_size_write(inode, stat->st_size);
+ if (stat->st_result_mask & P9_STATS_BLOCKS)
+ inode->i_blocks = stat->st_blocks;
+ }
+@@ -929,9 +933,9 @@ v9fs_vfs_get_link_dotl(struct dentry *de
+
+ int v9fs_refresh_inode_dotl(struct p9_fid *fid, struct inode *inode)
+ {
+- loff_t i_size;
+ struct p9_stat_dotl *st;
+ struct v9fs_session_info *v9ses;
++ unsigned int flags;
+
+ v9ses = v9fs_inode2v9ses(inode);
+ st = p9_client_getattr_dotl(fid, P9_STATS_ALL);
+@@ -943,16 +947,13 @@ int v9fs_refresh_inode_dotl(struct p9_fi
+ if ((inode->i_mode & S_IFMT) != (st->st_mode & S_IFMT))
+ goto out;
+
+- spin_lock(&inode->i_lock);
+ /*
+ * We don't want to refresh inode->i_size,
+ * because we may have cached data
+ */
+- i_size = inode->i_size;
+- v9fs_stat2inode_dotl(st, inode);
+- if (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE)
+- inode->i_size = i_size;
+- spin_unlock(&inode->i_lock);
++ flags = (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE) ?
++ V9FS_STAT2INODE_KEEP_ISIZE : 0;
++ v9fs_stat2inode_dotl(st, inode, flags);
+ out:
+ kfree(st);
+ return 0;
+--- a/fs/9p/vfs_super.c
++++ b/fs/9p/vfs_super.c
+@@ -172,7 +172,7 @@ static struct dentry *v9fs_mount(struct
+ goto release_sb;
+ }
+ d_inode(root)->i_ino = v9fs_qid2ino(&st->qid);
+- v9fs_stat2inode_dotl(st, d_inode(root));
++ v9fs_stat2inode_dotl(st, d_inode(root), 0);
+ kfree(st);
+ } else {
+ struct p9_wstat *st = NULL;
+@@ -183,7 +183,7 @@ static struct dentry *v9fs_mount(struct
+ }
+
+ d_inode(root)->i_ino = v9fs_qid2ino(&st->qid);
+- v9fs_stat2inode(st, d_inode(root), sb);
++ v9fs_stat2inode(st, d_inode(root), sb, 0);
+
+ p9stat_free(st);
+ kfree(st);
--- /dev/null
+From cc29ea007347f39f4c5a4d27b0b555955a0277f9 Mon Sep 17 00:00:00 2001
+From: "S.j. Wang" <shengjiu.wang@nxp.com>
+Date: Mon, 18 Feb 2019 08:29:11 +0000
+Subject: ASoC: fsl_esai: fix register setting issue in RIGHT_J mode
+
+From: S.j. Wang <shengjiu.wang@nxp.com>
+
+commit cc29ea007347f39f4c5a4d27b0b555955a0277f9 upstream.
+
+The ESAI_xCR_xWA is xCR's bit, not the xCCR's bit, driver set it to
+wrong register, correct it.
+
+Fixes 43d24e76b698 ("ASoC: fsl_esai: Add ESAI CPU DAI driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Ackedy-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/fsl/fsl_esai.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/fsl/fsl_esai.c
++++ b/sound/soc/fsl/fsl_esai.c
+@@ -395,7 +395,8 @@ static int fsl_esai_set_dai_fmt(struct s
+ break;
+ case SND_SOC_DAIFMT_RIGHT_J:
+ /* Data on rising edge of bclk, frame high, right aligned */
+- xccr |= ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP | ESAI_xCR_xWA;
++ xccr |= ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP;
++ xcr |= ESAI_xCR_xWA;
+ break;
+ case SND_SOC_DAIFMT_DSP_A:
+ /* Data on rising edge of bclk, frame high, 1clk before data */
+@@ -452,12 +453,12 @@ static int fsl_esai_set_dai_fmt(struct s
+ return -EINVAL;
+ }
+
+- mask = ESAI_xCR_xFSL | ESAI_xCR_xFSR;
++ mask = ESAI_xCR_xFSL | ESAI_xCR_xFSR | ESAI_xCR_xWA;
+ regmap_update_bits(esai_priv->regmap, REG_ESAI_TCR, mask, xcr);
+ regmap_update_bits(esai_priv->regmap, REG_ESAI_RCR, mask, xcr);
+
+ mask = ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP | ESAI_xCCR_xFSP |
+- ESAI_xCCR_xFSD | ESAI_xCCR_xCKD | ESAI_xCR_xWA;
++ ESAI_xCCR_xFSD | ESAI_xCCR_xCKD;
+ regmap_update_bits(esai_priv->regmap, REG_ESAI_TCCR, mask, xccr);
+ regmap_update_bits(esai_priv->regmap, REG_ESAI_RCCR, mask, xccr);
+
--- /dev/null
+From 77568e535af7c4f97eaef1e555bf0af83772456c Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 31 Jan 2019 23:51:41 -0800
+Subject: crypto: ahash - fix another early termination in hash walk
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 77568e535af7c4f97eaef1e555bf0af83772456c upstream.
+
+Hash algorithms with an alignmask set, e.g. "xcbc(aes-aesni)" and
+"michael_mic", fail the improved hash tests because they sometimes
+produce the wrong digest. The bug is that in the case where a
+scatterlist element crosses pages, not all the data is actually hashed
+because the scatterlist walk terminates too early. This happens because
+the 'nbytes' variable in crypto_hash_walk_done() is assigned the number
+of bytes remaining in the page, then later interpreted as the number of
+bytes remaining in the scatterlist element. Fix it.
+
+Fixes: 900a081f6912 ("crypto: ahash - Fix early termination in hash walk")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/ahash.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/crypto/ahash.c
++++ b/crypto/ahash.c
+@@ -86,17 +86,17 @@ static int hash_walk_new_entry(struct cr
+ int crypto_hash_walk_done(struct crypto_hash_walk *walk, int err)
+ {
+ unsigned int alignmask = walk->alignmask;
+- unsigned int nbytes = walk->entrylen;
+
+ walk->data -= walk->offset;
+
+- if (nbytes && walk->offset & alignmask && !err) {
+- walk->offset = ALIGN(walk->offset, alignmask + 1);
+- nbytes = min(nbytes,
+- ((unsigned int)(PAGE_SIZE)) - walk->offset);
+- walk->entrylen -= nbytes;
++ if (walk->entrylen && (walk->offset & alignmask) && !err) {
++ unsigned int nbytes;
+
++ walk->offset = ALIGN(walk->offset, alignmask + 1);
++ nbytes = min(walk->entrylen,
++ (unsigned int)(PAGE_SIZE - walk->offset));
+ if (nbytes) {
++ walk->entrylen -= nbytes;
+ walk->data += walk->offset;
+ return nbytes;
+ }
+@@ -116,7 +116,7 @@ int crypto_hash_walk_done(struct crypto_
+ if (err)
+ return err;
+
+- if (nbytes) {
++ if (walk->entrylen) {
+ walk->offset = 0;
+ walk->pg++;
+ return hash_walk_next(walk);
--- /dev/null
+From 42e95d1f10dcf8b18b1d7f52f7068985b3dc5b79 Mon Sep 17 00:00:00 2001
+From: Pankaj Gupta <pankaj.gupta@nxp.com>
+Date: Fri, 1 Feb 2019 07:18:20 +0000
+Subject: crypto: caam - fixed handling of sg list
+
+From: Pankaj Gupta <pankaj.gupta@nxp.com>
+
+commit 42e95d1f10dcf8b18b1d7f52f7068985b3dc5b79 upstream.
+
+when the source sg contains more than 1 fragment and
+destination sg contains 1 fragment, the caam driver
+mishandle the buffers to be sent to caam.
+
+Fixes: f2147b88b2b1 ("crypto: caam - Convert GCM to new AEAD interface")
+Cc: <stable@vger.kernel.org> # 4.2+
+Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
+Signed-off-by: Arun Pathak <arun.pathak@nxp.com>
+Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/caamalg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/crypto/caam/caamalg.c
++++ b/drivers/crypto/caam/caamalg.c
+@@ -1097,6 +1097,7 @@ static void init_ablkcipher_job(u32 *sh_
+ } else {
+ if (edesc->dst_nents == 1) {
+ dst_dma = sg_dma_address(req->dst);
++ out_options = 0;
+ } else {
+ dst_dma = edesc->sec4_sg_dma + (edesc->src_nents + 1) *
+ sizeof(struct sec4_sg_entry);
--- /dev/null
+From 4359669a087633132203c52d67dd8c31e09e7b2e Mon Sep 17 00:00:00 2001
+From: Zhang Zhijie <zhangzj@rock-chips.com>
+Date: Wed, 13 Feb 2019 16:24:38 +0800
+Subject: crypto: rockchip - fix scatterlist nents error
+
+From: Zhang Zhijie <zhangzj@rock-chips.com>
+
+commit 4359669a087633132203c52d67dd8c31e09e7b2e upstream.
+
+In some cases, the nents of src scatterlist is different from
+dst scatterlist. So two variables are used to handle the nents
+of src&dst scatterlist.
+
+Reported-by: Eric Biggers <ebiggers@google.com>
+Fixes: 433cd2c617bf ("crypto: rockchip - add crypto driver for rk3288")
+Cc: <stable@vger.kernel.org> # v4.5+
+Signed-off-by: Zhang Zhijie <zhangzj@rock-chips.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/rockchip/rk3288_crypto.c | 2 +-
+ drivers/crypto/rockchip/rk3288_crypto.h | 3 ++-
+ drivers/crypto/rockchip/rk3288_crypto_ablkcipher.c | 5 +++--
+ drivers/crypto/rockchip/rk3288_crypto_ahash.c | 2 +-
+ 4 files changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/crypto/rockchip/rk3288_crypto.c
++++ b/drivers/crypto/rockchip/rk3288_crypto.c
+@@ -119,7 +119,7 @@ static int rk_load_data(struct rk_crypto
+ count = (dev->left_bytes > PAGE_SIZE) ?
+ PAGE_SIZE : dev->left_bytes;
+
+- if (!sg_pcopy_to_buffer(dev->first, dev->nents,
++ if (!sg_pcopy_to_buffer(dev->first, dev->src_nents,
+ dev->addr_vir, count,
+ dev->total - dev->left_bytes)) {
+ dev_err(dev->dev, "[%s:%d] pcopy err\n",
+--- a/drivers/crypto/rockchip/rk3288_crypto.h
++++ b/drivers/crypto/rockchip/rk3288_crypto.h
+@@ -207,7 +207,8 @@ struct rk_crypto_info {
+ void *addr_vir;
+ int aligned;
+ int align_size;
+- size_t nents;
++ size_t src_nents;
++ size_t dst_nents;
+ unsigned int total;
+ unsigned int count;
+ dma_addr_t addr_in;
+--- a/drivers/crypto/rockchip/rk3288_crypto_ablkcipher.c
++++ b/drivers/crypto/rockchip/rk3288_crypto_ablkcipher.c
+@@ -260,8 +260,9 @@ static int rk_ablk_start(struct rk_crypt
+ dev->total = req->nbytes;
+ dev->sg_src = req->src;
+ dev->first = req->src;
+- dev->nents = sg_nents(req->src);
++ dev->src_nents = sg_nents(req->src);
+ dev->sg_dst = req->dst;
++ dev->dst_nents = sg_nents(req->dst);
+ dev->aligned = 1;
+
+ spin_lock_irqsave(&dev->lock, flags);
+@@ -297,7 +298,7 @@ static int rk_ablk_rx(struct rk_crypto_i
+
+ dev->unload_data(dev);
+ if (!dev->aligned) {
+- if (!sg_pcopy_from_buffer(req->dst, dev->nents,
++ if (!sg_pcopy_from_buffer(req->dst, dev->dst_nents,
+ dev->addr_vir, dev->count,
+ dev->total - dev->left_bytes -
+ dev->count)) {
+--- a/drivers/crypto/rockchip/rk3288_crypto_ahash.c
++++ b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
+@@ -206,7 +206,7 @@ static int rk_ahash_start(struct rk_cryp
+ dev->sg_dst = NULL;
+ dev->sg_src = req->src;
+ dev->first = req->src;
+- dev->nents = sg_nents(req->src);
++ dev->src_nents = sg_nents(req->src);
+ rctx = ahash_request_ctx(req);
+ rctx->mode = 0;
+
--- /dev/null
+From c1c214adcb56d36433480c8fedf772498e7e539c Mon Sep 17 00:00:00 2001
+From: Zhang Zhijie <zhangzj@rock-chips.com>
+Date: Wed, 13 Feb 2019 16:24:39 +0800
+Subject: crypto: rockchip - update new iv to device in multiple operations
+
+From: Zhang Zhijie <zhangzj@rock-chips.com>
+
+commit c1c214adcb56d36433480c8fedf772498e7e539c upstream.
+
+For chain mode in cipher(eg. AES-CBC/DES-CBC), the iv is continuously
+updated in the operation. The new iv value should be written to device
+register by software.
+
+Reported-by: Eric Biggers <ebiggers@google.com>
+Fixes: 433cd2c617bf ("crypto: rockchip - add crypto driver for rk3288")
+Cc: <stable@vger.kernel.org> # v4.5+
+Signed-off-by: Zhang Zhijie <zhangzj@rock-chips.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/rockchip/rk3288_crypto.h | 1
+ drivers/crypto/rockchip/rk3288_crypto_ablkcipher.c | 34 +++++++++++++++++++++
+ 2 files changed, 35 insertions(+)
+
+--- a/drivers/crypto/rockchip/rk3288_crypto.h
++++ b/drivers/crypto/rockchip/rk3288_crypto.h
+@@ -245,6 +245,7 @@ struct rk_cipher_ctx {
+ struct rk_crypto_info *dev;
+ unsigned int keylen;
+ u32 mode;
++ u8 iv[AES_BLOCK_SIZE];
+ };
+
+ enum alg_type {
+--- a/drivers/crypto/rockchip/rk3288_crypto_ablkcipher.c
++++ b/drivers/crypto/rockchip/rk3288_crypto_ablkcipher.c
+@@ -242,6 +242,17 @@ static void crypto_dma_start(struct rk_c
+ static int rk_set_data_start(struct rk_crypto_info *dev)
+ {
+ int err;
++ struct ablkcipher_request *req =
++ ablkcipher_request_cast(dev->async_req);
++ struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(req);
++ struct rk_cipher_ctx *ctx = crypto_ablkcipher_ctx(tfm);
++ u32 ivsize = crypto_ablkcipher_ivsize(tfm);
++ u8 *src_last_blk = page_address(sg_page(dev->sg_src)) +
++ dev->sg_src->offset + dev->sg_src->length - ivsize;
++
++ /* store the iv that need to be updated in chain mode */
++ if (ctx->mode & RK_CRYPTO_DEC)
++ memcpy(ctx->iv, src_last_blk, ivsize);
+
+ err = dev->load_data(dev, dev->sg_src, dev->sg_dst);
+ if (!err)
+@@ -286,6 +297,28 @@ static void rk_iv_copyback(struct rk_cry
+ memcpy_fromio(req->info, dev->reg + RK_CRYPTO_AES_IV_0, ivsize);
+ }
+
++static void rk_update_iv(struct rk_crypto_info *dev)
++{
++ struct ablkcipher_request *req =
++ ablkcipher_request_cast(dev->async_req);
++ struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(req);
++ struct rk_cipher_ctx *ctx = crypto_ablkcipher_ctx(tfm);
++ u32 ivsize = crypto_ablkcipher_ivsize(tfm);
++ u8 *new_iv = NULL;
++
++ if (ctx->mode & RK_CRYPTO_DEC) {
++ new_iv = ctx->iv;
++ } else {
++ new_iv = page_address(sg_page(dev->sg_dst)) +
++ dev->sg_dst->offset + dev->sg_dst->length - ivsize;
++ }
++
++ if (ivsize == DES_BLOCK_SIZE)
++ memcpy_toio(dev->reg + RK_CRYPTO_TDES_IV_0, new_iv, ivsize);
++ else if (ivsize == AES_BLOCK_SIZE)
++ memcpy_toio(dev->reg + RK_CRYPTO_AES_IV_0, new_iv, ivsize);
++}
++
+ /* return:
+ * true some err was occurred
+ * fault no err, continue
+@@ -307,6 +340,7 @@ static int rk_ablk_rx(struct rk_crypto_i
+ }
+ }
+ if (dev->left_bytes) {
++ rk_update_iv(dev);
+ if (dev->aligned) {
+ if (sg_is_last(dev->sg_src)) {
+ dev_err(dev->dev, "[%s:%d] Lack of data\n",
--- /dev/null
+From 2ea8bab4dd2a9014e723b28091831fa850b82d83 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Sat, 9 Feb 2019 00:39:27 +0100
+Subject: iio: adc: exynos-adc: Fix NULL pointer exception on unbind
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit 2ea8bab4dd2a9014e723b28091831fa850b82d83 upstream.
+
+Fix NULL pointer exception on device unbind when device tree does not
+contain "has-touchscreen" property. In such case the input device is
+not registered so it should not be unregistered.
+
+ $ echo "12d10000.adc" > /sys/bus/platform/drivers/exynos-adc/unbind
+
+ Unable to handle kernel NULL pointer dereference at virtual address 00000474
+ ...
+ (input_unregister_device) from [<c0772060>] (exynos_adc_remove+0x20/0x80)
+ (exynos_adc_remove) from [<c0587d5c>] (platform_drv_remove+0x20/0x40)
+ (platform_drv_remove) from [<c05860f0>] (device_release_driver_internal+0xdc/0x1ac)
+ (device_release_driver_internal) from [<c0583ecc>] (unbind_store+0x60/0xd4)
+ (unbind_store) from [<c031b89c>] (kernfs_fop_write+0x100/0x1e0)
+ (kernfs_fop_write) from [<c029709c>] (__vfs_write+0x2c/0x17c)
+ (__vfs_write) from [<c0297374>] (vfs_write+0xa4/0x184)
+ (vfs_write) from [<c0297594>] (ksys_write+0x4c/0xac)
+ (ksys_write) from [<c0101000>] (ret_fast_syscall+0x0/0x28)
+
+Fixes: 2bb8ad9b44c5 ("iio: exynos-adc: add experimental touchscreen support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/exynos_adc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/exynos_adc.c
++++ b/drivers/iio/adc/exynos_adc.c
+@@ -916,7 +916,7 @@ static int exynos_adc_remove(struct plat
+ struct iio_dev *indio_dev = platform_get_drvdata(pdev);
+ struct exynos_adc *info = iio_priv(indio_dev);
+
+- if (IS_REACHABLE(CONFIG_INPUT)) {
++ if (IS_REACHABLE(CONFIG_INPUT) && info->input) {
+ free_irq(info->tsirq, info);
+ input_unregister_device(info->input);
+ }
+9p-use-inode-i_lock-to-protect-i_size_write-under-32-bit.patch
+9p-net-fix-memory-leak-in-p9_client_create.patch
+asoc-fsl_esai-fix-register-setting-issue-in-right_j-mode.patch
+iio-adc-exynos-adc-fix-null-pointer-exception-on-unbind.patch
+stm-class-fix-an-endless-loop-in-channel-allocation.patch
+crypto-caam-fixed-handling-of-sg-list.patch
+crypto-ahash-fix-another-early-termination-in-hash-walk.patch
+crypto-rockchip-fix-scatterlist-nents-error.patch
+crypto-rockchip-update-new-iv-to-device-in-multiple-operations.patch
media-videobuf2-v4l2-drop-warn_on-in-vb2_warn_zero_bytesused.patch
--- /dev/null
+From a1d75dad3a2c689e70a1c4e0214cca9de741d0aa Mon Sep 17 00:00:00 2001
+From: Zhi Jin <zhi.jin@intel.com>
+Date: Thu, 6 Sep 2018 15:22:10 +0800
+Subject: stm class: Fix an endless loop in channel allocation
+
+From: Zhi Jin <zhi.jin@intel.com>
+
+commit a1d75dad3a2c689e70a1c4e0214cca9de741d0aa upstream.
+
+There is a bug in the channel allocation logic that leads to an endless
+loop when looking for a contiguous range of channels in a range with a
+mixture of free and occupied channels. For example, opening three
+consequtive channels, closing the first two and requesting 4 channels in
+a row will trigger this soft lockup. The bug is that the search loop
+forgets to skip over the range once it detects that one channel in that
+range is occupied.
+
+Restore the original intent to the logic by fixing the omission.
+
+Signed-off-by: Zhi Jin <zhi.jin@intel.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices")
+CC: stable@vger.kernel.org # v4.4+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/stm/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -252,6 +252,9 @@ static int find_free_channels(unsigned l
+ ;
+ if (i == width)
+ return pos;
++
++ /* step over [pos..pos+i) to continue search */
++ pos += i;
+ }
+
+ return -1;
projects / thirdparty / kernel / stable-queue.git / commitdiff
