--- /dev/null
+From ea6789980fdaa610d7eb63602c746bf6ec70cd2b Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 11 Oct 2017 23:32:27 +0100
+Subject: assoc_array: Fix a buggy node-splitting case
+
+From: David Howells <dhowells@redhat.com>
+
+commit ea6789980fdaa610d7eb63602c746bf6ec70cd2b upstream.
+
+This fixes CVE-2017-12193.
+
+Fix a case in the assoc_array implementation in which a new leaf is
+added that needs to go into a node that happens to be full, where the
+existing leaves in that node cluster together at that level to the
+exclusion of new leaf.
+
+What needs to happen is that the existing leaves get moved out to a new
+node, N1, at level + 1 and the existing node needs replacing with one,
+N0, that has pointers to the new leaf and to N1.
+
+The code that tries to do this gets this wrong in two ways:
+
+ (1) The pointer that should've pointed from N0 to N1 is set to point
+ recursively to N0 instead.
+
+ (2) The backpointer from N0 needs to be set correctly in the case N0 is
+ either the root node or reached through a shortcut.
+
+Fix this by removing this path and using the split_node path instead,
+which achieves the same end, but in a more general way (thanks to Eric
+Biggers for spotting the redundancy).
+
+The problem manifests itself as:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+ IP: assoc_array_apply_edit+0x59/0xe5
+
+Fixes: 3cb989501c26 ("Add a generic associative array implementation.")
+Reported-and-tested-by: WU Fan <u3536072@connect.hku.hk>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/assoc_array.c | 51 +++++++++++++++++----------------------------------
+ 1 file changed, 17 insertions(+), 34 deletions(-)
+
+--- a/lib/assoc_array.c
++++ b/lib/assoc_array.c
+@@ -598,21 +598,31 @@ static bool assoc_array_insert_into_term
+ if ((edit->segment_cache[ASSOC_ARRAY_FAN_OUT] ^ base_seg) == 0)
+ goto all_leaves_cluster_together;
+
+- /* Otherwise we can just insert a new node ahead of the old
+- * one.
++ /* Otherwise all the old leaves cluster in the same slot, but
++ * the new leaf wants to go into a different slot - so we
++ * create a new node (n0) to hold the new leaf and a pointer to
++ * a new node (n1) holding all the old leaves.
++ *
++ * This can be done by falling through to the node splitting
++ * path.
+ */
+- goto present_leaves_cluster_but_not_new_leaf;
++ pr_devel("present leaves cluster but not new leaf\n");
+ }
+
+ split_node:
+ pr_devel("split node\n");
+
+- /* We need to split the current node; we know that the node doesn't
+- * simply contain a full set of leaves that cluster together (it
+- * contains meta pointers and/or non-clustering leaves).
++ /* We need to split the current node. The node must contain anything
++ * from a single leaf (in the one leaf case, this leaf will cluster
++ * with the new leaf) and the rest meta-pointers, to all leaves, some
++ * of which may cluster.
++ *
++ * It won't contain the case in which all the current leaves plus the
++ * new leaves want to cluster in the same slot.
+ *
+ * We need to expel at least two leaves out of a set consisting of the
+- * leaves in the node and the new leaf.
++ * leaves in the node and the new leaf. The current meta pointers can
++ * just be copied as they shouldn't cluster with any of the leaves.
+ *
+ * We need a new node (n0) to replace the current one and a new node to
+ * take the expelled nodes (n1).
+@@ -717,33 +727,6 @@ found_slot_for_multiple_occupancy:
+ pr_devel("<--%s() = ok [split node]\n", __func__);
+ return true;
+
+-present_leaves_cluster_but_not_new_leaf:
+- /* All the old leaves cluster in the same slot, but the new leaf wants
+- * to go into a different slot, so we create a new node to hold the new
+- * leaf and a pointer to a new node holding all the old leaves.
+- */
+- pr_devel("present leaves cluster but not new leaf\n");
+-
+- new_n0->back_pointer = node->back_pointer;
+- new_n0->parent_slot = node->parent_slot;
+- new_n0->nr_leaves_on_branch = node->nr_leaves_on_branch;
+- new_n1->back_pointer = assoc_array_node_to_ptr(new_n0);
+- new_n1->parent_slot = edit->segment_cache[0];
+- new_n1->nr_leaves_on_branch = node->nr_leaves_on_branch;
+- edit->adjust_count_on = new_n0;
+-
+- for (i = 0; i < ASSOC_ARRAY_FAN_OUT; i++)
+- new_n1->slots[i] = node->slots[i];
+-
+- new_n0->slots[edit->segment_cache[0]] = assoc_array_node_to_ptr(new_n0);
+- edit->leaf_p = &new_n0->slots[edit->segment_cache[ASSOC_ARRAY_FAN_OUT]];
+-
+- edit->set[0].ptr = &assoc_array_ptr_to_node(node->back_pointer)->slots[node->parent_slot];
+- edit->set[0].to = assoc_array_node_to_ptr(new_n0);
+- edit->excised_meta[0] = assoc_array_node_to_ptr(node);
+- pr_devel("<--%s() = ok [insert node before]\n", __func__);
+- return true;
+-
+ all_leaves_cluster_together:
+ /* All the leaves, new and old, want to cluster together in this node
+ * in the same slot, so we have to replace this node with a shortcut to
--- /dev/null
+From 8f65a923e6b628e187d5e791cf49393dd5e8c2f9 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <jimmyassarsson@gmail.com>
+Date: Tue, 24 Oct 2017 12:23:28 +0200
+Subject: can: kvaser_usb: Correct return value in printout
+
+From: Jimmy Assarsson <jimmyassarsson@gmail.com>
+
+commit 8f65a923e6b628e187d5e791cf49393dd5e8c2f9 upstream.
+
+If the return value from kvaser_usb_send_simple_msg() was non-zero, the
+return value from kvaser_usb_flush_queue() was printed in the kernel
+warning.
+
+Signed-off-by: Jimmy Assarsson <jimmyassarsson@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/kvaser_usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/kvaser_usb.c
++++ b/drivers/net/can/usb/kvaser_usb.c
+@@ -1607,7 +1607,8 @@ static int kvaser_usb_close(struct net_d
+ if (err)
+ netdev_warn(netdev, "Cannot flush queue, error %d\n", err);
+
+- if (kvaser_usb_send_simple_msg(dev, CMD_RESET_CHIP, priv->channel))
++ err = kvaser_usb_send_simple_msg(dev, CMD_RESET_CHIP, priv->channel);
++ if (err)
+ netdev_warn(netdev, "Cannot reset card, error %d\n", err);
+
+ err = kvaser_usb_stop_chip(priv);
--- /dev/null
+From e1d2d1329a5722dbecc9c278303fcc4aa01f8790 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <jimmyassarsson@gmail.com>
+Date: Tue, 24 Oct 2017 12:23:29 +0200
+Subject: can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages
+
+From: Jimmy Assarsson <jimmyassarsson@gmail.com>
+
+commit e1d2d1329a5722dbecc9c278303fcc4aa01f8790 upstream.
+
+To avoid kernel warning "Unhandled message (68)", ignore the
+CMD_FLUSH_QUEUE_REPLY message for now.
+
+As of Leaf v2 firmware version v4.1.844 (2017-02-15), flush tx queue is
+synchronous. There is a capability bit indicating whether flushing tx
+queue is synchronous or asynchronous.
+
+A proper solution would be to query the device for capabilities. If the
+synchronous tx flush capability bit is set, we should wait for
+CMD_FLUSH_QUEUE_REPLY message, while flushing the tx queue.
+
+Signed-off-by: Jimmy Assarsson <jimmyassarsson@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/kvaser_usb.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/can/usb/kvaser_usb.c
++++ b/drivers/net/can/usb/kvaser_usb.c
+@@ -134,6 +134,7 @@ static inline bool kvaser_is_usbcan(cons
+ #define CMD_RESET_ERROR_COUNTER 49
+ #define CMD_TX_ACKNOWLEDGE 50
+ #define CMD_CAN_ERROR_EVENT 51
++#define CMD_FLUSH_QUEUE_REPLY 68
+
+ #define CMD_LEAF_USB_THROTTLE 77
+ #define CMD_LEAF_LOG_MESSAGE 106
+@@ -1297,6 +1298,11 @@ static void kvaser_usb_handle_message(co
+ goto warn;
+ break;
+
++ case CMD_FLUSH_QUEUE_REPLY:
++ if (dev->family != KVASER_LEAF)
++ goto warn;
++ break;
++
+ default:
+ warn: dev_warn(dev->udev->dev.parent,
+ "Unhandled message (%d)\n", msg->id);
--- /dev/null
+From 3a379f5b36ae039dfeb6f73316e47ab1af4945df Mon Sep 17 00:00:00 2001
+From: Gerhard Bertelsmann <info@gerhard-bertelsmann.de>
+Date: Thu, 17 Aug 2017 15:59:49 +0200
+Subject: can: sun4i: fix loopback mode
+
+From: Gerhard Bertelsmann <info@gerhard-bertelsmann.de>
+
+commit 3a379f5b36ae039dfeb6f73316e47ab1af4945df upstream.
+
+Fix loopback mode by setting the right flag and remove presume mode.
+
+Signed-off-by: Gerhard Bertelsmann <info@gerhard-bertelsmann.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/sun4i_can.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/can/sun4i_can.c
++++ b/drivers/net/can/sun4i_can.c
+@@ -342,7 +342,7 @@ static int sun4i_can_start(struct net_de
+
+ /* enter the selected mode */
+ mod_reg_val = readl(priv->base + SUN4I_REG_MSEL_ADDR);
+- if (priv->can.ctrlmode & CAN_CTRLMODE_PRESUME_ACK)
++ if (priv->can.ctrlmode & CAN_CTRLMODE_LOOPBACK)
+ mod_reg_val |= SUN4I_MSEL_LOOPBACK_MODE;
+ else if (priv->can.ctrlmode & CAN_CTRLMODE_LISTENONLY)
+ mod_reg_val |= SUN4I_MSEL_LISTEN_ONLY_MODE;
+@@ -811,7 +811,6 @@ static int sun4ican_probe(struct platfor
+ priv->can.ctrlmode_supported = CAN_CTRLMODE_BERR_REPORTING |
+ CAN_CTRLMODE_LISTENONLY |
+ CAN_CTRLMODE_LOOPBACK |
+- CAN_CTRLMODE_PRESUME_ACK |
+ CAN_CTRLMODE_3_SAMPLES;
+ priv->base = addr;
+ priv->clk = clk;
--- /dev/null
+From c6cdd51404b7ac12dd95173ddfc548c59ecf037f Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 25 Oct 2017 16:34:27 +0200
+Subject: fuse: fix READDIRPLUS skipping an entry
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit c6cdd51404b7ac12dd95173ddfc548c59ecf037f upstream.
+
+Marios Titas running a Haskell program noticed a problem with fuse's
+readdirplus: when it is interrupted by a signal, it skips one directory
+entry.
+
+The reason is that fuse erronously updates ctx->pos after a failed
+dir_emit().
+
+The issue originates from the patch adding readdirplus support.
+
+Reported-by: Jakob Unterwurzacher <jakobunt@gmail.com>
+Tested-by: Marios Titas <redneb@gmx.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 0b05b18381ee ("fuse: implement NFS-like readdirplus support")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dir.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1295,7 +1295,8 @@ static int parse_dirplusfile(char *buf,
+ */
+ over = !dir_emit(ctx, dirent->name, dirent->namelen,
+ dirent->ino, dirent->type);
+- ctx->pos = dirent->off;
++ if (!over)
++ ctx->pos = dirent->off;
+ }
+
+ buf += reclen;
--- /dev/null
+From 57a95b41869b8f0d1949c24df2a9dac1ca7082ee Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 24 Oct 2017 11:08:18 -0700
+Subject: Input: elan_i2c - add ELAN0611 to the ACPI table
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 57a95b41869b8f0d1949c24df2a9dac1ca7082ee upstream.
+
+ELAN0611 touchpad uses elan_i2c as its driver. It can be found
+on Lenovo ideapad 320-15IKB.
+
+So add it to ACPI table to enable the touchpad.
+
+[Ido Adiv <idoad123@gmail.com> reports that the same ACPI ID is used for
+Elan touchpad in ideapad 520].
+
+BugLink: https://bugs.launchpad.net/bugs/1723736
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1240,6 +1240,7 @@ static const struct acpi_device_id elan_
+ { "ELAN0605", 0 },
+ { "ELAN0609", 0 },
+ { "ELAN060B", 0 },
++ { "ELAN0611", 0 },
+ { "ELAN1000", 0 },
+ { }
+ };
--- /dev/null
+From a50829479f58416a013a4ccca791336af3c584c7 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 23 Oct 2017 16:46:00 -0700
+Subject: Input: gtco - fix potential out-of-bound access
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit a50829479f58416a013a4ccca791336af3c584c7 upstream.
+
+parse_hid_report_descriptor() has a while (i < length) loop, which
+only guarantees that there's at least 1 byte in the buffer, but the
+loop body can read multiple bytes which causes out-of-bounds access.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/tablet/gtco.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -231,13 +231,17 @@ static void parse_hid_report_descriptor(
+
+ /* Walk this report and pull out the info we need */
+ while (i < length) {
+- prefix = report[i];
+-
+- /* Skip over prefix */
+- i++;
++ prefix = report[i++];
+
+ /* Determine data size and save the data in the proper variable */
+- size = PREF_SIZE(prefix);
++ size = (1U << PREF_SIZE(prefix)) >> 1;
++ if (i + size > length) {
++ dev_err(ddev,
++ "Not enough data (need %d, have %d)\n",
++ i + size, length);
++ break;
++ }
++
+ switch (size) {
+ case 1:
+ data = report[i];
+@@ -245,8 +249,7 @@ static void parse_hid_report_descriptor(
+ case 2:
+ data16 = get_unaligned_le16(&report[i]);
+ break;
+- case 3:
+- size = 4;
++ case 4:
+ data32 = get_unaligned_le32(&report[i]);
+ break;
+ }
--- /dev/null
+From 587c3c9f286cee5c9cac38d28c8ae1875f4ec85b Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Sun, 15 Oct 2017 18:16:33 +0100
+Subject: scsi: sg: Re-fix off by one in sg_fill_request_table()
+
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+
+commit 587c3c9f286cee5c9cac38d28c8ae1875f4ec85b upstream.
+
+Commit 109bade9c625 ("scsi: sg: use standard lists for sg_requests")
+introduced an off-by-one error in sg_ioctl(), which was fixed by commit
+bd46fc406b30 ("scsi: sg: off by one in sg_ioctl()").
+
+Unfortunately commit 4759df905a47 ("scsi: sg: factor out
+sg_fill_request_table()") moved that code, and reintroduced the
+bug (perhaps due to a botched rebase). Fix it again.
+
+Fixes: 4759df905a47 ("scsi: sg: factor out sg_fill_request_table()")
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Acked-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -848,7 +848,7 @@ sg_fill_request_table(Sg_fd *sfp, sg_req
+
+ val = 0;
+ list_for_each_entry(srp, &sfp->rq_list, entry) {
+- if (val > SG_MAX_QUEUE)
++ if (val >= SG_MAX_QUEUE)
+ break;
+ rinfo[val].req_state = srp->done + 1;
+ rinfo[val].problem =
--- /dev/null
+From ab31fd0ce65ec93828b617123792c1bb7c6dcc42 Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.vnet.ibm.com>
+Date: Fri, 13 Oct 2017 15:40:07 +0200
+Subject: scsi: zfcp: fix erp_action use-before-initialize in REC action trace
+
+From: Steffen Maier <maier@linux.vnet.ibm.com>
+
+commit ab31fd0ce65ec93828b617123792c1bb7c6dcc42 upstream.
+
+v4.10 commit 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN
+recovery") extended accessing parent pointer fields of struct
+zfcp_erp_action for tracing. If an erp_action has never been enqueued
+before, these parent pointer fields are uninitialized and NULL. Examples
+are zfcp objects freshly added to the parent object's children list,
+before enqueueing their first recovery subsequently. In
+zfcp_erp_try_rport_unblock(), we iterate such list. Accessing erp_action
+fields can cause a NULL pointer dereference. Since the kernel can read
+from lowcore on s390, it does not immediately cause a kernel page
+fault. Instead it can cause hangs on trying to acquire the wrong
+erp_action->adapter->dbf->rec_lock in zfcp_dbf_rec_action_lvl()
+ ^bogus^
+while holding already other locks with IRQs disabled.
+
+Real life example from attaching lots of LUNs in parallel on many CPUs:
+
+crash> bt 17723
+PID: 17723 TASK: ... CPU: 25 COMMAND: "zfcperp0.0.1800"
+ LOWCORE INFO:
+ -psw : 0x0404300180000000 0x000000000038e424
+ -function : _raw_spin_lock_wait_flags at 38e424
+...
+ #0 [fdde8fc90] zfcp_dbf_rec_action_lvl at 3e0004e9862 [zfcp]
+ #1 [fdde8fce8] zfcp_erp_try_rport_unblock at 3e0004dfddc [zfcp]
+ #2 [fdde8fd38] zfcp_erp_strategy at 3e0004e0234 [zfcp]
+ #3 [fdde8fda8] zfcp_erp_thread at 3e0004e0a12 [zfcp]
+ #4 [fdde8fe60] kthread at 173550
+ #5 [fdde8feb8] kernel_thread_starter at 10add2
+
+zfcp_adapter
+ zfcp_port
+ zfcp_unit <address>, 0x404040d600000000
+ scsi_device NULL, returning early!
+zfcp_scsi_dev.status = 0x40000000
+0x40000000 ZFCP_STATUS_COMMON_RUNNING
+
+crash> zfcp_unit <address>
+struct zfcp_unit {
+ erp_action = {
+ adapter = 0x0,
+ port = 0x0,
+ unit = 0x0,
+ },
+}
+
+zfcp_erp_action is always fully embedded into its container object. Such
+container object is never moved in its object tree (only add or delete).
+Hence, erp_action parent pointers can never change.
+
+To fix the issue, initialize the erp_action parent pointers before
+adding the erp_action container to any list and thus before it becomes
+accessible from outside of its initializing function.
+
+In order to also close the time window between zfcp_erp_setup_act()
+memsetting the entire erp_action to zero and setting the parent pointers
+again, drop the memset and instead explicitly initialize individually
+all erp_action fields except for parent pointers. To be extra careful
+not to introduce any other unintended side effect, even keep zeroing the
+erp_action fields for list and timer. Also double-check with
+WARN_ON_ONCE that erp_action parent pointers never change, so we get to
+know when we would deviate from previous behavior.
+
+Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
+Fixes: 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN recovery")
+Reviewed-by: Benjamin Block <bblock@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/scsi/zfcp_aux.c | 5 +++++
+ drivers/s390/scsi/zfcp_erp.c | 18 +++++++++++-------
+ drivers/s390/scsi/zfcp_scsi.c | 5 +++++
+ 3 files changed, 21 insertions(+), 7 deletions(-)
+
+--- a/drivers/s390/scsi/zfcp_aux.c
++++ b/drivers/s390/scsi/zfcp_aux.c
+@@ -358,6 +358,8 @@ struct zfcp_adapter *zfcp_adapter_enqueu
+
+ adapter->next_port_scan = jiffies;
+
++ adapter->erp_action.adapter = adapter;
++
+ if (zfcp_qdio_setup(adapter))
+ goto failed;
+
+@@ -514,6 +516,9 @@ struct zfcp_port *zfcp_port_enqueue(stru
+ port->dev.groups = zfcp_port_attr_groups;
+ port->dev.release = zfcp_port_release;
+
++ port->erp_action.adapter = adapter;
++ port->erp_action.port = port;
++
+ if (dev_set_name(&port->dev, "0x%016llx", (unsigned long long)wwpn)) {
+ kfree(port);
+ goto err_out;
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -193,9 +193,8 @@ static struct zfcp_erp_action *zfcp_erp_
+ atomic_or(ZFCP_STATUS_COMMON_ERP_INUSE,
+ &zfcp_sdev->status);
+ erp_action = &zfcp_sdev->erp_action;
+- memset(erp_action, 0, sizeof(struct zfcp_erp_action));
+- erp_action->port = port;
+- erp_action->sdev = sdev;
++ WARN_ON_ONCE(erp_action->port != port);
++ WARN_ON_ONCE(erp_action->sdev != sdev);
+ if (!(atomic_read(&zfcp_sdev->status) &
+ ZFCP_STATUS_COMMON_RUNNING))
+ act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY;
+@@ -208,8 +207,8 @@ static struct zfcp_erp_action *zfcp_erp_
+ zfcp_erp_action_dismiss_port(port);
+ atomic_or(ZFCP_STATUS_COMMON_ERP_INUSE, &port->status);
+ erp_action = &port->erp_action;
+- memset(erp_action, 0, sizeof(struct zfcp_erp_action));
+- erp_action->port = port;
++ WARN_ON_ONCE(erp_action->port != port);
++ WARN_ON_ONCE(erp_action->sdev != NULL);
+ if (!(atomic_read(&port->status) & ZFCP_STATUS_COMMON_RUNNING))
+ act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY;
+ break;
+@@ -219,7 +218,8 @@ static struct zfcp_erp_action *zfcp_erp_
+ zfcp_erp_action_dismiss_adapter(adapter);
+ atomic_or(ZFCP_STATUS_COMMON_ERP_INUSE, &adapter->status);
+ erp_action = &adapter->erp_action;
+- memset(erp_action, 0, sizeof(struct zfcp_erp_action));
++ WARN_ON_ONCE(erp_action->port != NULL);
++ WARN_ON_ONCE(erp_action->sdev != NULL);
+ if (!(atomic_read(&adapter->status) &
+ ZFCP_STATUS_COMMON_RUNNING))
+ act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY;
+@@ -229,7 +229,11 @@ static struct zfcp_erp_action *zfcp_erp_
+ return NULL;
+ }
+
+- erp_action->adapter = adapter;
++ WARN_ON_ONCE(erp_action->adapter != adapter);
++ memset(&erp_action->list, 0, sizeof(erp_action->list));
++ memset(&erp_action->timer, 0, sizeof(erp_action->timer));
++ erp_action->step = ZFCP_ERP_STEP_UNINITIALIZED;
++ erp_action->fsf_req_id = 0;
+ erp_action->action = need;
+ erp_action->status = act_status;
+
+--- a/drivers/s390/scsi/zfcp_scsi.c
++++ b/drivers/s390/scsi/zfcp_scsi.c
+@@ -115,10 +115,15 @@ static int zfcp_scsi_slave_alloc(struct
+ struct zfcp_unit *unit;
+ int npiv = adapter->connection_features & FSF_FEATURE_NPIV_MODE;
+
++ zfcp_sdev->erp_action.adapter = adapter;
++ zfcp_sdev->erp_action.sdev = sdev;
++
+ port = zfcp_get_port_by_wwpn(adapter, rport->port_name);
+ if (!port)
+ return -ENXIO;
+
++ zfcp_sdev->erp_action.port = port;
++
+ unit = zfcp_unit_find(port, zfcp_scsi_dev_lun(sdev));
+ if (unit)
+ put_device(&unit->dev);
alsa-hda-realtek-add-support-for-alc236-alc3204.patch
alsa-hda-fix-headset-mic-problem-for-dell-machines-with-alc236.patch
ceph-unlock-dangling-spinlock-in-try_flush_caps.patch
+usb-xhci-handle-error-condition-in-xhci_stop_device.patch
+spi-uapi-spidev-add-missing-ioctl-header.patch
+fuse-fix-readdirplus-skipping-an-entry.patch
+xen-gntdev-avoid-out-of-bounds-access-in-case-of-partial-gntdev_mmap.patch
+input-elan_i2c-add-elan0611-to-the-acpi-table.patch
+input-gtco-fix-potential-out-of-bound-access.patch
+assoc_array-fix-a-buggy-node-splitting-case.patch
+scsi-zfcp-fix-erp_action-use-before-initialize-in-rec-action-trace.patch
+scsi-sg-re-fix-off-by-one-in-sg_fill_request_table.patch
+can-sun4i-fix-loopback-mode.patch
+can-kvaser_usb-correct-return-value-in-printout.patch
+can-kvaser_usb-ignore-cmd_flush_queue_reply-messages.patch
--- /dev/null
+From a2b4a79b88b24c49d98d45a06a014ffd22ada1a4 Mon Sep 17 00:00:00 2001
+From: Baruch Siach <baruch@tkos.co.il>
+Date: Sun, 10 Sep 2017 20:29:45 +0300
+Subject: spi: uapi: spidev: add missing ioctl header
+
+From: Baruch Siach <baruch@tkos.co.il>
+
+commit a2b4a79b88b24c49d98d45a06a014ffd22ada1a4 upstream.
+
+The SPI_IOC_MESSAGE() macro references _IOC_SIZEBITS. Add linux/ioctl.h
+to make sure this macro is defined. This fixes the following build
+failure of lcdproc with the musl libc:
+
+In file included from .../sysroot/usr/include/sys/ioctl.h:7:0,
+ from hd44780-spi.c:31:
+hd44780-spi.c: In function 'spi_transfer':
+hd44780-spi.c:89:24: error: '_IOC_SIZEBITS' undeclared (first use in this function)
+ status = ioctl(p->fd, SPI_IOC_MESSAGE(1), &xfer);
+ ^
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/uapi/linux/spi/spidev.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/uapi/linux/spi/spidev.h
++++ b/include/uapi/linux/spi/spidev.h
+@@ -23,6 +23,7 @@
+ #define SPIDEV_H
+
+ #include <linux/types.h>
++#include <linux/ioctl.h>
+
+ /* User space versions of kernel symbols for SPI clocking modes,
+ * matching <linux/spi/spi.h>
--- /dev/null
+From b3207c65dfafae27e7c492cb9188c0dc0eeaf3fd Mon Sep 17 00:00:00 2001
+From: Mayank Rana <mrana@codeaurora.org>
+Date: Fri, 6 Oct 2017 17:45:30 +0300
+Subject: usb: xhci: Handle error condition in xhci_stop_device()
+
+From: Mayank Rana <mrana@codeaurora.org>
+
+commit b3207c65dfafae27e7c492cb9188c0dc0eeaf3fd upstream.
+
+xhci_stop_device() calls xhci_queue_stop_endpoint() multiple times
+without checking the return value. xhci_queue_stop_endpoint() can
+return error if the HC is already halted or unable to queue commands.
+This can cause a deadlock condition as xhci_stop_device() would
+end up waiting indefinitely for a completion for the command that
+didn't get queued. Fix this by checking the return value and bailing
+out of xhci_stop_device() in case of error. This patch happens to fix
+potential memory leaks of the allocated command structures as well.
+
+Fixes: c311e391a7ef ("xhci: rework command timeout and cancellation,")
+Signed-off-by: Mayank Rana <mrana@codeaurora.org>
+Signed-off-by: Jack Pham <jackp@codeaurora.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/usb/host/xhci-hub.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -394,15 +394,25 @@ static int xhci_stop_device(struct xhci_
+ GFP_NOWAIT);
+ if (!command) {
+ spin_unlock_irqrestore(&xhci->lock, flags);
+- xhci_free_command(xhci, cmd);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto cmd_cleanup;
++ }
+
++ ret = xhci_queue_stop_endpoint(xhci, command, slot_id,
++ i, suspend);
++ if (ret) {
++ spin_unlock_irqrestore(&xhci->lock, flags);
++ xhci_free_command(xhci, command);
++ goto cmd_cleanup;
+ }
+- xhci_queue_stop_endpoint(xhci, command, slot_id, i,
+- suspend);
+ }
+ }
+- xhci_queue_stop_endpoint(xhci, cmd, slot_id, 0, suspend);
++ ret = xhci_queue_stop_endpoint(xhci, cmd, slot_id, 0, suspend);
++ if (ret) {
++ spin_unlock_irqrestore(&xhci->lock, flags);
++ goto cmd_cleanup;
++ }
++
+ xhci_ring_cmd_db(xhci);
+ spin_unlock_irqrestore(&xhci->lock, flags);
+
+@@ -413,6 +423,8 @@ static int xhci_stop_device(struct xhci_
+ xhci_warn(xhci, "Timeout while waiting for stop endpoint command\n");
+ ret = -ETIME;
+ }
++
++cmd_cleanup:
+ xhci_free_command(xhci, cmd);
+ return ret;
+ }
--- /dev/null
+From 298d275d4d9bea3524ff4bc76678c140611d8a8d Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Wed, 25 Oct 2017 17:08:07 +0200
+Subject: xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap()
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 298d275d4d9bea3524ff4bc76678c140611d8a8d upstream.
+
+In case gntdev_mmap() succeeds only partially in mapping grant pages
+it will leave some vital information uninitialized needed later for
+cleanup. This will lead to an out of bounds array access when unmapping
+the already mapped pages.
+
+So just initialize the data needed for unmapping the pages a little bit
+earlier.
+
+Reported-by: Arthur Borsboom <arthurborsboom@gmail.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/gntdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/xen/gntdev.c
++++ b/drivers/xen/gntdev.c
+@@ -827,6 +827,7 @@ static int gntdev_mmap(struct file *flip
+ mutex_unlock(&priv->lock);
+
+ if (use_ptemod) {
++ map->pages_vm_start = vma->vm_start;
+ err = apply_to_page_range(vma->vm_mm, vma->vm_start,
+ vma->vm_end - vma->vm_start,
+ find_grant_ptes, map);
+@@ -864,7 +865,6 @@ static int gntdev_mmap(struct file *flip
+ set_grant_ptes_as_special, NULL);
+ }
+ #endif
+- map->pages_vm_start = vma->vm_start;
+ }
+
+ return 0;
projects / thirdparty / kernel / stable-queue.git / commitdiff
