--- /dev/null
+From 040d9e2bce0a5b321c402b79ee43a8e8d2fd3b06 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Tue, 23 Jan 2018 01:47:42 -0800
+Subject: apparmor: fix display of .ns_name for containers
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 040d9e2bce0a5b321c402b79ee43a8e8d2fd3b06 upstream.
+
+The .ns_name should not be virtualized by the current ns view. It
+needs to report the ns base name as that is being used during startup
+as part of determining apparmor policy namespace support.
+
+BugLink: http://bugs.launchpad.net/bugs/1746463
+Fixes: d9f02d9c237aa ("apparmor: fix display of ns name")
+Cc: Stable <stable@vger.kernel.org>
+Reported-by: Serge Hallyn <serge@hallyn.com>
+Tested-by: Serge Hallyn <serge@hallyn.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/apparmorfs.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -1189,9 +1189,7 @@ static int seq_ns_level_show(struct seq_
+ static int seq_ns_name_show(struct seq_file *seq, void *v)
+ {
+ struct aa_label *label = begin_current_label_crit_section();
+-
+- seq_printf(seq, "%s\n", aa_ns_name(labels_ns(label),
+- labels_ns(label), true));
++ seq_printf(seq, "%s\n", labels_ns(label)->base.name);
+ end_current_label_crit_section(label);
+
+ return 0;
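Review bot: The new `seq_printf` line in seq_ns_name_show reads `labels_ns(label)->base.name` directly, with no comment saying that bypassing the namespace view is deliberate, so a later cleanup could reintroduce `aa_ns_name()` here. I would add `/* report the unvirtualized ns base name; userspace reads it at startup to detect policy namespace support */` above it, which is what the commit description states. The hunk also drops the blank line after the `label` declaration, which kernel style normally keeps. The function's closing brace is outside the hunk.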
--- /dev/null
+From 98cf5bbff413eadf1b9cb195a7b80cc61c72a50e Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Thu, 1 Feb 2018 11:24:10 +0100
+Subject: apparmor: fix logging of the existence test for signals
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 98cf5bbff413eadf1b9cb195a7b80cc61c72a50e upstream.
+
+The existence test is not being properly logged as the signal mapping
+maps it to the last entry in the named signal table. This is done
+to help catch bugs by making the 0 mapped signal value invalid so
+that we can catch the signal value not being filled in.
+
+When fixing the off-by-one comparision logic the reporting of the
+existence test was broken, because the logic behind the mapped named
+table was hidden. Fix this by adding a define for the name lookup
+and using it.
+
+Cc: Stable <stable@vger.kernel.org>
+Fixes: f7dc4c9a855a1 ("apparmor: fix off-by-one comparison on MAXMAPPED_SIG")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/include/sig_names.h | 4 +++-
+ security/apparmor/ipc.c | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/security/apparmor/include/sig_names.h
++++ b/security/apparmor/include/sig_names.h
+@@ -2,6 +2,8 @@
+
+ #define SIGUNKNOWN 0
+ #define MAXMAPPED_SIG 35
++#define MAXMAPPED_SIGNAME (MAXMAPPED_SIG + 1)
++
+ /* provide a mapping of arch signal to internal signal # for mediation
+ * those that are always an alias SIGCLD for SIGCLHD and SIGPOLL for SIGIO
+ * map to the same entry those that may/or may not get a separate entry
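Review bot: `MAXMAPPED_SIGNAME` is added without a comment, which leaves the relation between the two table sizes as implicit as it was before the fix. Proposed, on the line above the define: `/* sig_names[] has one entry more than sig_map[]; the existence test maps to that last named entry */`, taken from the commit description. Without it the next reader of `sig_map[MAXMAPPED_SIG]` and `sig_names[MAXMAPPED_SIGNAME]` has to rediscover why the bounds differ.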
+@@ -56,7 +58,7 @@ static const int sig_map[MAXMAPPED_SIG]
+ };
+
+ /* this table is ordered post sig_map[sig] mapping */
+-static const char *const sig_names[MAXMAPPED_SIG + 1] = {
++static const char *const sig_names[MAXMAPPED_SIGNAME] = {
+ "unknown",
+ "hup",
+ "int",
+--- a/security/apparmor/ipc.c
++++ b/security/apparmor/ipc.c
+@@ -174,7 +174,7 @@ static void audit_signal_cb(struct audit
+ audit_signal_mask(ab, aad(sa)->denied);
+ }
+ }
+- if (aad(sa)->signal < MAXMAPPED_SIG)
++ if (aad(sa)->signal < MAXMAPPED_SIGNAME)
+ audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]);
+ else
+ audit_log_format(ab, " signal=rtmin+%d",
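Review bot: The bound check `aad(sa)->signal < MAXMAPPED_SIGNAME` is a signed comparison with no lower bound, so a negative value would pass it and index `sig_names[]` before its start. The member is declared `int signal;` in the audit.h context shown elsewhere on this page. Whether a negative value can reach this callback depends on the signal-mapping code, which is not visible here. A defensive form would be `if ((unsigned int)aad(sa)->signal < MAXMAPPED_SIGNAME)`, or a comment stating the invariant that the mapped value is never negative. The `else` branch continues past the end of the hunk.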
--- /dev/null
+From b5beb07ad32ab533027aa988d96a44965ec116f7 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Fri, 9 Feb 2018 04:57:39 -0800
+Subject: apparmor: fix resource audit messages when auditing peer
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit b5beb07ad32ab533027aa988d96a44965ec116f7 upstream.
+
+Resource auditing is using the peer field which is not available
+when the rlim data struct is used, because it is a different element
+of the same union. Accessing peer during resource auditing could
+cause garbage log entries or even oops the kernel.
+
+Move the rlim data block into the same struct as the peer field
+so they can be used together.
+
+CC: <stable@vger.kernel.org>
+Fixes: 86b92cb782b3 ("apparmor: move resource checks to using labels")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/include/audit.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/security/apparmor/include/audit.h
++++ b/security/apparmor/include/audit.h
+@@ -126,6 +126,10 @@ struct apparmor_audit_data {
+ const char *target;
+ kuid_t ouid;
+ } fs;
++ struct {
++ int rlim;
++ unsigned long max;
++ } rlim;
+ int signal;
+ };
+ };
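Review bot: The inner union that now holds `rlim` next to `fs` and `signal` has no comment saying which members may be combined with `peer`, and that unwritten rule is what let the resource audit path read `peer` from the wrong union arm. I would add a comment at the top of this inner union, such as `/* members here are used together with peer; do not move them to the outer union */`. The layout above `const char *target;` is outside the hunk, so the exact nesting is inferred from the commit description.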
+@@ -135,10 +139,6 @@ struct apparmor_audit_data {
+ long pos;
+ } iface;
+ struct {
+- int rlim;
+- unsigned long max;
+- } rlim;
+- struct {
+ const char *src_name;
+ const char *type;
+ const char *trans;
--- /dev/null
+From 1e047eaab3bb5564f25b41e9cd3a053009f4e789 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 6 Apr 2018 10:03:17 +0900
+Subject: block/loop: fix deadlock after loop_set_status
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 1e047eaab3bb5564f25b41e9cd3a053009f4e789 upstream.
+
+syzbot is reporting deadlocks at __blkdev_get() [1].
+
+----------------------------------------
+[ 92.493919] systemd-udevd D12696 525 1 0x00000000
+[ 92.495891] Call Trace:
+[ 92.501560] schedule+0x23/0x80
+[ 92.502923] schedule_preempt_disabled+0x5/0x10
+[ 92.504645] __mutex_lock+0x416/0x9e0
+[ 92.510760] __blkdev_get+0x73/0x4f0
+[ 92.512220] blkdev_get+0x12e/0x390
+[ 92.518151] do_dentry_open+0x1c3/0x2f0
+[ 92.519815] path_openat+0x5d9/0xdc0
+[ 92.521437] do_filp_open+0x7d/0xf0
+[ 92.527365] do_sys_open+0x1b8/0x250
+[ 92.528831] do_syscall_64+0x6e/0x270
+[ 92.530341] entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+[ 92.931922] 1 lock held by systemd-udevd/525:
+[ 92.933642] #0: 00000000a2849e25 (&bdev->bd_mutex){+.+.}, at: __blkdev_get+0x73/0x4f0
+----------------------------------------
+
+The reason of deadlock turned out that wait_event_interruptible() in
+blk_queue_enter() got stuck with bdev->bd_mutex held at __blkdev_put()
+due to q->mq_freeze_depth == 1.
+
+----------------------------------------
+[ 92.787172] a.out S12584 634 633 0x80000002
+[ 92.789120] Call Trace:
+[ 92.796693] schedule+0x23/0x80
+[ 92.797994] blk_queue_enter+0x3cb/0x540
+[ 92.803272] generic_make_request+0xf0/0x3d0
+[ 92.807970] submit_bio+0x67/0x130
+[ 92.810928] submit_bh_wbc+0x15e/0x190
+[ 92.812461] __block_write_full_page+0x218/0x460
+[ 92.815792] __writepage+0x11/0x50
+[ 92.817209] write_cache_pages+0x1ae/0x3d0
+[ 92.825585] generic_writepages+0x5a/0x90
+[ 92.831865] do_writepages+0x43/0xd0
+[ 92.836972] __filemap_fdatawrite_range+0xc1/0x100
+[ 92.838788] filemap_write_and_wait+0x24/0x70
+[ 92.840491] __blkdev_put+0x69/0x1e0
+[ 92.841949] blkdev_close+0x16/0x20
+[ 92.843418] __fput+0xda/0x1f0
+[ 92.844740] task_work_run+0x87/0xb0
+[ 92.846215] do_exit+0x2f5/0xba0
+[ 92.850528] do_group_exit+0x34/0xb0
+[ 92.852018] SyS_exit_group+0xb/0x10
+[ 92.853449] do_syscall_64+0x6e/0x270
+[ 92.854944] entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+[ 92.943530] 1 lock held by a.out/634:
+[ 92.945105] #0: 00000000a2849e25 (&bdev->bd_mutex){+.+.}, at: __blkdev_put+0x3c/0x1e0
+----------------------------------------
+
+The reason of q->mq_freeze_depth == 1 turned out that loop_set_status()
+forgot to call blk_mq_unfreeze_queue() at error paths for
+info->lo_encrypt_type != NULL case.
+
+----------------------------------------
+[ 37.509497] CPU: 2 PID: 634 Comm: a.out Tainted: G W 4.16.0+ #457
+[ 37.513608] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
+[ 37.518832] RIP: 0010:blk_freeze_queue_start+0x17/0x40
+[ 37.521778] RSP: 0018:ffffb0c2013e7c60 EFLAGS: 00010246
+[ 37.524078] RAX: 0000000000000000 RBX: ffff8b07b1519798 RCX: 0000000000000000
+[ 37.527015] RDX: 0000000000000002 RSI: ffffb0c2013e7cc0 RDI: ffff8b07b1519798
+[ 37.529934] RBP: ffffb0c2013e7cc0 R08: 0000000000000008 R09: 47a189966239b898
+[ 37.532684] R10: dad78b99b278552f R11: 9332dca72259d5ef R12: ffff8b07acd73678
+[ 37.535452] R13: 0000000000004c04 R14: 0000000000000000 R15: ffff8b07b841e940
+[ 37.538186] FS: 00007fede33b9740(0000) GS:ffff8b07b8e80000(0000) knlGS:0000000000000000
+[ 37.541168] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 37.543590] CR2: 00000000206fdf18 CR3: 0000000130b30006 CR4: 00000000000606e0
+[ 37.546410] Call Trace:
+[ 37.547902] blk_freeze_queue+0x9/0x30
+[ 37.549968] loop_set_status+0x67/0x3c0 [loop]
+[ 37.549975] loop_set_status64+0x3b/0x70 [loop]
+[ 37.549986] lo_ioctl+0x223/0x810 [loop]
+[ 37.549995] blkdev_ioctl+0x572/0x980
+[ 37.550003] block_ioctl+0x34/0x40
+[ 37.550006] do_vfs_ioctl+0xa7/0x6d0
+[ 37.550017] ksys_ioctl+0x6b/0x80
+[ 37.573076] SyS_ioctl+0x5/0x10
+[ 37.574831] do_syscall_64+0x6e/0x270
+[ 37.576769] entry_SYSCALL_64_after_hwframe+0x42/0xb7
+----------------------------------------
+
+[1] https://syzkaller.appspot.com/bug?id=cd662bc3f6022c0979d01a262c318fab2ee9b56f
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <bot+48594378e9851eab70bcd6f99327c7db58c5a28a@syzkaller.appspotmail.com>
+Fixes: ecdd09597a572513 ("block/loop: fix race between I/O and set_status")
+Cc: Ming Lei <tom.leiming@gmail.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: stable <stable@vger.kernel.org>
+Cc: Jens Axboe <axboe@fb.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/loop.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1103,11 +1103,15 @@ loop_set_status(struct loop_device *lo,
+ if (info->lo_encrypt_type) {
+ unsigned int type = info->lo_encrypt_type;
+
+- if (type >= MAX_LO_CRYPT)
+- return -EINVAL;
++ if (type >= MAX_LO_CRYPT) {
++ err = -EINVAL;
++ goto exit;
++ }
+ xfer = xfer_funcs[type];
+- if (xfer == NULL)
+- return -EINVAL;
++ if (xfer == NULL) {
++ err = -EINVAL;
++ goto exit;
++ }
+ } else
+ xfer = NULL;
+
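Review bot: The two new `goto exit` branches in loop_set_status rely on an invariant that is not written down: once the queue is frozen, every failure must leave through `exit`. A comment at the freeze call, e.g. `/* queue is frozen from here on: all error paths must goto exit so it gets unfrozen */`, would keep a future early `return` from reintroducing the hang described in the commit message, which the trace shows is reachable from an ioctl. The freeze call, the `exit` label and any later error returns are outside the hunk, so I cannot confirm from here that no other direct `return` remains after the freeze.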
--- /dev/null
+From 082f2300cfa1a3d9d5221c38c5eba85d4ab98bd8 Mon Sep 17 00:00:00 2001
+From: Szymon Janc <szymon.janc@codecoup.pl>
+Date: Tue, 3 Apr 2018 13:40:06 +0200
+Subject: Bluetooth: Fix connection if directed advertising and privacy is used
+
+From: Szymon Janc <szymon.janc@codecoup.pl>
+
+commit 082f2300cfa1a3d9d5221c38c5eba85d4ab98bd8 upstream.
+
+Local random address needs to be updated before creating connection if
+RPA from LE Direct Advertising Report was resolved in host. Otherwise
+remote device might ignore connection request due to address mismatch.
+
+This was affecting following qualification test cases:
+GAP/CONN/SCEP/BV-03-C, GAP/CONN/GCEP/BV-05-C, GAP/CONN/DCEP/BV-05-C
+
+Before patch:
+< HCI Command: LE Set Random Address (0x08|0x0005) plen 6 #11350 [hci0] 84680.231216
+ Address: 56:BC:E8:24:11:68 (Resolvable)
+ Identity type: Random (0x01)
+ Identity: F2:F1:06:3D:9C:42 (Static)
+> HCI Event: Command Complete (0x0e) plen 4 #11351 [hci0] 84680.246022
+ LE Set Random Address (0x08|0x0005) ncmd 1
+ Status: Success (0x00)
+< HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7 #11352 [hci0] 84680.246417
+ Type: Passive (0x00)
+ Interval: 60.000 msec (0x0060)
+ Window: 30.000 msec (0x0030)
+ Own address type: Random (0x01)
+ Filter policy: Accept all advertisement, inc. directed unresolved RPA (0x02)
+> HCI Event: Command Complete (0x0e) plen 4 #11353 [hci0] 84680.248854
+ LE Set Scan Parameters (0x08|0x000b) ncmd 1
+ Status: Success (0x00)
+< HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #11354 [hci0] 84680.249466
+ Scanning: Enabled (0x01)
+ Filter duplicates: Enabled (0x01)
+> HCI Event: Command Complete (0x0e) plen 4 #11355 [hci0] 84680.253222
+ LE Set Scan Enable (0x08|0x000c) ncmd 1
+ Status: Success (0x00)
+> HCI Event: LE Meta Event (0x3e) plen 18 #11356 [hci0] 84680.458387
+ LE Direct Advertising Report (0x0b)
+ Num reports: 1
+ Event type: Connectable directed - ADV_DIRECT_IND (0x01)
+ Address type: Random (0x01)
+ Address: 53:38:DA:46:8C:45 (Resolvable)
+ Identity type: Public (0x00)
+ Identity: 11:22:33:44:55:66 (OUI 11-22-33)
+ Direct address type: Random (0x01)
+ Direct address: 7C:D6:76:8C:DF:82 (Resolvable)
+ Identity type: Random (0x01)
+ Identity: F2:F1:06:3D:9C:42 (Static)
+ RSSI: -74 dBm (0xb6)
+< HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #11357 [hci0] 84680.458737
+ Scanning: Disabled (0x00)
+ Filter duplicates: Disabled (0x00)
+> HCI Event: Command Complete (0x0e) plen 4 #11358 [hci0] 84680.469982
+ LE Set Scan Enable (0x08|0x000c) ncmd 1
+ Status: Success (0x00)
+< HCI Command: LE Create Connection (0x08|0x000d) plen 25 #11359 [hci0] 84680.470444
+ Scan interval: 60.000 msec (0x0060)
+ Scan window: 60.000 msec (0x0060)
+ Filter policy: White list is not used (0x00)
+ Peer address type: Random (0x01)
+ Peer address: 53:38:DA:46:8C:45 (Resolvable)
+ Identity type: Public (0x00)
+ Identity: 11:22:33:44:55:66 (OUI 11-22-33)
+ Own address type: Random (0x01)
+ Min connection interval: 30.00 msec (0x0018)
+ Max connection interval: 50.00 msec (0x0028)
+ Connection latency: 0 (0x0000)
+ Supervision timeout: 420 msec (0x002a)
+ Min connection length: 0.000 msec (0x0000)
+ Max connection length: 0.000 msec (0x0000)
+> HCI Event: Command Status (0x0f) plen 4 #11360 [hci0] 84680.474971
+ LE Create Connection (0x08|0x000d) ncmd 1
+ Status: Success (0x00)
+< HCI Command: LE Create Connection Cancel (0x08|0x000e) plen 0 #11361 [hci0] 84682.545385
+> HCI Event: Command Complete (0x0e) plen 4 #11362 [hci0] 84682.551014
+ LE Create Connection Cancel (0x08|0x000e) ncmd 1
+ Status: Success (0x00)
+> HCI Event: LE Meta Event (0x3e) plen 19 #11363 [hci0] 84682.551074
+ LE Connection Complete (0x01)
+ Status: Unknown Connection Identifier (0x02)
+ Handle: 0
+ Role: Master (0x00)
+ Peer address type: Public (0x00)
+ Peer address: 00:00:00:00:00:00 (OUI 00-00-00)
+ Connection interval: 0.00 msec (0x0000)
+ Connection latency: 0 (0x0000)
+ Supervision timeout: 0 msec (0x0000)
+ Master clock accuracy: 0x00
+
+After patch:
+< HCI Command: LE Set Scan Parameters (0x08|0x000b) plen 7 #210 [hci0] 667.152459
+ Type: Passive (0x00)
+ Interval: 60.000 msec (0x0060)
+ Window: 30.000 msec (0x0030)
+ Own address type: Random (0x01)
+ Filter policy: Accept all advertisement, inc. directed unresolved RPA (0x02)
+> HCI Event: Command Complete (0x0e) plen 4 #211 [hci0] 667.153613
+ LE Set Scan Parameters (0x08|0x000b) ncmd 1
+ Status: Success (0x00)
+< HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #212 [hci0] 667.153704
+ Scanning: Enabled (0x01)
+ Filter duplicates: Enabled (0x01)
+> HCI Event: Command Complete (0x0e) plen 4 #213 [hci0] 667.154584
+ LE Set Scan Enable (0x08|0x000c) ncmd 1
+ Status: Success (0x00)
+> HCI Event: LE Meta Event (0x3e) plen 18 #214 [hci0] 667.182619
+ LE Direct Advertising Report (0x0b)
+ Num reports: 1
+ Event type: Connectable directed - ADV_DIRECT_IND (0x01)
+ Address type: Random (0x01)
+ Address: 50:52:D9:A6:48:A0 (Resolvable)
+ Identity type: Public (0x00)
+ Identity: 11:22:33:44:55:66 (OUI 11-22-33)
+ Direct address type: Random (0x01)
+ Direct address: 7C:C1:57:A5:B7:A8 (Resolvable)
+ Identity type: Random (0x01)
+ Identity: F4:28:73:5D:38:B0 (Static)
+ RSSI: -70 dBm (0xba)
+< HCI Command: LE Set Scan Enable (0x08|0x000c) plen 2 #215 [hci0] 667.182704
+ Scanning: Disabled (0x00)
+ Filter duplicates: Disabled (0x00)
+> HCI Event: Command Complete (0x0e) plen 4 #216 [hci0] 667.183599
+ LE Set Scan Enable (0x08|0x000c) ncmd 1
+ Status: Success (0x00)
+< HCI Command: LE Set Random Address (0x08|0x0005) plen 6 #217 [hci0] 667.183645
+ Address: 7C:C1:57:A5:B7:A8 (Resolvable)
+ Identity type: Random (0x01)
+ Identity: F4:28:73:5D:38:B0 (Static)
+> HCI Event: Command Complete (0x0e) plen 4 #218 [hci0] 667.184590
+ LE Set Random Address (0x08|0x0005) ncmd 1
+ Status: Success (0x00)
+< HCI Command: LE Create Connection (0x08|0x000d) plen 25 #219 [hci0] 667.184613
+ Scan interval: 60.000 msec (0x0060)
+ Scan window: 60.000 msec (0x0060)
+ Filter policy: White list is not used (0x00)
+ Peer address type: Random (0x01)
+ Peer address: 50:52:D9:A6:48:A0 (Resolvable)
+ Identity type: Public (0x00)
+ Identity: 11:22:33:44:55:66 (OUI 11-22-33)
+ Own address type: Random (0x01)
+ Min connection interval: 30.00 msec (0x0018)
+ Max connection interval: 50.00 msec (0x0028)
+ Connection latency: 0 (0x0000)
+ Supervision timeout: 420 msec (0x002a)
+ Min connection length: 0.000 msec (0x0000)
+ Max connection length: 0.000 msec (0x0000)
+> HCI Event: Command Status (0x0f) plen 4 #220 [hci0] 667.186558
+ LE Create Connection (0x08|0x000d) ncmd 1
+ Status: Success (0x00)
+> HCI Event: LE Meta Event (0x3e) plen 19 #221 [hci0] 667.485824
+ LE Connection Complete (0x01)
+ Status: Success (0x00)
+ Handle: 0
+ Role: Master (0x00)
+ Peer address type: Random (0x01)
+ Peer address: 50:52:D9:A6:48:A0 (Resolvable)
+ Identity type: Public (0x00)
+ Identity: 11:22:33:44:55:66 (OUI 11-22-33)
+ Connection interval: 50.00 msec (0x0028)
+ Connection latency: 0 (0x0000)
+ Supervision timeout: 420 msec (0x002a)
+ Master clock accuracy: 0x07
+@ MGMT Event: Device Connected (0x000b) plen 13 {0x0002} [hci0] 667.485996
+ LE Address: 11:22:33:44:55:66 (OUI 11-22-33)
+ Flags: 0x00000000
+ Data length: 0
+
+Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/bluetooth/hci_core.h | 2 +-
+ net/bluetooth/hci_conn.c | 29 +++++++++++++++++++++--------
+ net/bluetooth/hci_event.c | 15 +++++++++++----
+ net/bluetooth/l2cap_core.c | 2 +-
+ 4 files changed, 34 insertions(+), 14 deletions(-)
+
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -895,7 +895,7 @@ struct hci_conn *hci_connect_le_scan(str
+ u16 conn_timeout);
+ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
+ u8 dst_type, u8 sec_level, u16 conn_timeout,
+- u8 role);
++ u8 role, bdaddr_t *direct_rpa);
+ struct hci_conn *hci_connect_acl(struct hci_dev *hdev, bdaddr_t *dst,
+ u8 sec_level, u8 auth_type);
+ struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -749,18 +749,31 @@ static bool conn_use_rpa(struct hci_conn
+ }
+
+ static void hci_req_add_le_create_conn(struct hci_request *req,
+- struct hci_conn *conn)
++ struct hci_conn *conn,
++ bdaddr_t *direct_rpa)
+ {
+ struct hci_cp_le_create_conn cp;
+ struct hci_dev *hdev = conn->hdev;
+ u8 own_addr_type;
+
+- /* Update random address, but set require_privacy to false so
+- * that we never connect with an non-resolvable address.
++ /* If direct address was provided we use it instead of current
++ * address.
+ */
+- if (hci_update_random_address(req, false, conn_use_rpa(conn),
+- &own_addr_type))
+- return;
++ if (direct_rpa) {
++ if (bacmp(&req->hdev->random_addr, direct_rpa))
++ hci_req_add(req, HCI_OP_LE_SET_RANDOM_ADDR, 6,
++ direct_rpa);
++
++ /* direct address is always RPA */
++ own_addr_type = ADDR_LE_DEV_RANDOM;
++ } else {
++ /* Update random address, but set require_privacy to false so
++ * that we never connect with an non-resolvable address.
++ */
++ if (hci_update_random_address(req, false, conn_use_rpa(conn),
++ &own_addr_type))
++ return;
++ }
+
+ memset(&cp, 0, sizeof(cp));
+
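Review bot: In the `direct_rpa` branch of hci_req_add_le_create_conn the Set Random Address command is queued directly, so whatever state checks `hci_update_random_address()` performs before changing the address are skipped on this path. That helper is not visible here. If it guards against changing the address while advertising or another connection attempt is active, this branch needs the same guard, or a comment saying why it cannot apply at this point. Smaller points on the same lines: the function already has `hdev`, so `&hdev->random_addr` reads better than `&req->hdev->random_addr`, and `sizeof(*direct_rpa)` would replace the literal `6`.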
+@@ -825,7 +838,7 @@ static void hci_req_directed_advertising
+
+ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
+ u8 dst_type, u8 sec_level, u16 conn_timeout,
+- u8 role)
++ u8 role, bdaddr_t *direct_rpa)
+ {
+ struct hci_conn_params *params;
+ struct hci_conn *conn;
+@@ -940,7 +953,7 @@ struct hci_conn *hci_connect_le(struct h
+ hci_dev_set_flag(hdev, HCI_LE_SCAN_INTERRUPTED);
+ }
+
+- hci_req_add_le_create_conn(&req, conn);
++ hci_req_add_le_create_conn(&req, conn, direct_rpa);
+
+ create_conn:
+ err = hci_req_run(&req, create_le_conn_complete);
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -4648,7 +4648,8 @@ static void hci_le_conn_update_complete_
+ /* This function requires the caller holds hdev->lock */
+ static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
+ bdaddr_t *addr,
+- u8 addr_type, u8 adv_type)
++ u8 addr_type, u8 adv_type,
++ bdaddr_t *direct_rpa)
+ {
+ struct hci_conn *conn;
+ struct hci_conn_params *params;
+@@ -4699,7 +4700,8 @@ static struct hci_conn *check_pending_le
+ }
+
+ conn = hci_connect_le(hdev, addr, addr_type, BT_SECURITY_LOW,
+- HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER);
++ HCI_LE_AUTOCONN_TIMEOUT, HCI_ROLE_MASTER,
++ direct_rpa);
+ if (!IS_ERR(conn)) {
+ /* If HCI_AUTO_CONN_EXPLICIT is set, conn is already owned
+ * by higher layer that tried to connect, if no then
+@@ -4808,8 +4810,13 @@ static void process_adv_report(struct hc
+ bdaddr_type = irk->addr_type;
+ }
+
+- /* Check if we have been requested to connect to this device */
+- conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type);
++ /* Check if we have been requested to connect to this device.
++ *
++ * direct_addr is set only for directed advertising reports (it is NULL
++ * for advertising reports) and is already verified to be RPA above.
++ */
++ conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
++ direct_addr);
+ if (conn && type == LE_ADV_IND) {
+ /* Store report for later inclusion by
+ * mgmt_device_connected
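Review bot: The new comment says `direct_addr` is "already verified to be RPA above", but the property that matters is stronger than the address format, because this value arrives in an advertising report from a remote device and ends up programmed as the local random address. If the check above the hunk also resolves it against the local IRK, as "resolved in host" in the commit description suggests, the comment should say so, e.g. `... and has been resolved with our own IRK above`. The verification itself is outside the hunk, so this cannot be confirmed from the lines shown.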
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -7156,7 +7156,7 @@ int l2cap_chan_connect(struct l2cap_chan
+ hcon = hci_connect_le(hdev, dst, dst_type,
+ chan->sec_level,
+ HCI_LE_CONN_TIMEOUT,
+- HCI_ROLE_SLAVE);
++ HCI_ROLE_SLAVE, NULL);
+ else
+ hcon = hci_connect_le_scan(hdev, dst, dst_type,
+ chan->sec_level,
--- /dev/null
+From bb5208b314c5127b716b2ee4f55803a8bb73b750 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 16 Mar 2018 21:28:08 +0100
+Subject: Bluetooth: hci_bcm: Treat Interrupt ACPI resources as always being active-low
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit bb5208b314c5127b716b2ee4f55803a8bb73b750 upstream.
+
+Older devices with a serdev attached bcm bt hci, use an Interrupt ACPI
+resource to describe the IRQ (rather then a GpioInt resource).
+
+These device seem to all claim the IRQ is active-high and seem to all need
+a DMI quirk to treat it as active-low. Instead simply always assume that
+Interrupt resource specified IRQs are always active-low.
+
+This fixes the bt device not being able to wake the host from runtime-
+suspend on the: Asus T100TAM, Asus T200TA, Lenovo Yoga2 and the Toshiba
+Encore, without the need to add 4 new DMI quirks for these models.
+
+This also allows us to remove 2 DMI quirks for the Asus T100TA and Asus
+T100CHI series. Likely the 2 remaining quirks can also be removed but I
+could not find a DSDT of these devices to verify this.
+
+Cc: stable@vger.kernel.org
+Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=198953
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1554835
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/hci_bcm.c | 20 +++-----------------
+ 1 file changed, 3 insertions(+), 17 deletions(-)
+
+--- a/drivers/bluetooth/hci_bcm.c
++++ b/drivers/bluetooth/hci_bcm.c
+@@ -795,22 +795,6 @@ static const struct acpi_gpio_mapping ac
+ #ifdef CONFIG_ACPI
+ /* IRQ polarity of some chipsets are not defined correctly in ACPI table. */
+ static const struct dmi_system_id bcm_active_low_irq_dmi_table[] = {
+- {
+- .ident = "Asus T100TA",
+- .matches = {
+- DMI_EXACT_MATCH(DMI_SYS_VENDOR,
+- "ASUSTeK COMPUTER INC."),
+- DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T100TA"),
+- },
+- },
+- {
+- .ident = "Asus T100CHI",
+- .matches = {
+- DMI_EXACT_MATCH(DMI_SYS_VENDOR,
+- "ASUSTeK COMPUTER INC."),
+- DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T100CHI"),
+- },
+- },
+ { /* Handle ThinkPad 8 tablets with BCM2E55 chipset ACPI ID */
+ .ident = "Lenovo ThinkPad 8",
+ .matches = {
+@@ -838,7 +822,9 @@ static int bcm_resource(struct acpi_reso
+ switch (ares->type) {
+ case ACPI_RESOURCE_TYPE_EXTENDED_IRQ:
+ irq = &ares->data.extended_irq;
+- dev->irq_active_low = irq->polarity == ACPI_ACTIVE_LOW;
++ if (irq->polarity != ACPI_ACTIVE_LOW)
++ dev_info(dev->dev, "ACPI Interrupt resource is active-high, this is usually wrong, treating the IRQ as active-low\n");
++ dev->irq_active_low = true;
+ break;
+
+ case ACPI_RESOURCE_TYPE_GPIO:
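Review bot: The `ACPI_RESOURCE_TYPE_EXTENDED_IRQ` case now ignores `irq->polarity` for the decision, and the only record of why is the log string. A short comment above `dev->irq_active_low = true;`, e.g. `/* Interrupt (non-GpioInt) resources have been seen to misreport polarity; always use active-low */`, would explain the override to someone reading the switch. With the override unconditional, a platform whose Interrupt resource is correctly active-high has no quirk path left. The commit description reports no such device, so naming that assumption in the comment is enough.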
--- /dev/null
+From c61611f70958d86f659bca25c02ae69413747a8d Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Fri, 13 Apr 2018 15:35:20 -0700
+Subject: get_user_pages_fast(): return -EFAULT on access_ok failure
+
+From: Michael S. Tsirkin <mst@redhat.com>
+
+commit c61611f70958d86f659bca25c02ae69413747a8d upstream.
+
+get_user_pages_fast is supposed to be a faster drop-in equivalent of
+get_user_pages. As such, callers expect it to return a negative return
+code when passed an invalid address, and never expect it to return 0
+when passed a positive number of pages, since its documentation says:
+
+ * Returns number of pages pinned. This may be fewer than the number
+ * requested. If nr_pages is 0 or negative, returns 0. If no pages
+ * were pinned, returns -errno.
+
+When get_user_pages_fast fall back on get_user_pages this is exactly
+what happens. Unfortunately the implementation is inconsistent: it
+returns 0 if passed a kernel address, confusing callers: for example,
+the following is pretty common but does not appear to do the right thing
+with a kernel address:
+
+ ret = get_user_pages_fast(addr, 1, writeable, &page);
+ if (ret < 0)
+ return ret;
+
+Change get_user_pages_fast to return -EFAULT when supplied a kernel
+address to make it match expectations.
+
+All callers have been audited for consistency with the documented
+semantics.
+
+Link: http://lkml.kernel.org/r/1522962072-182137-4-git-send-email-mst@redhat.com
+Fixes: 5b65c4677a57 ("mm, x86/mm: Fix performance regression in get_user_pages_fast()")
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reported-by: syzbot+6304bf97ef436580fede@syzkaller.appspotmail.com
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Huang Ying <ying.huang@intel.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Thorsten Leemhuis <regressions@leemhuis.info>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/gup.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -1806,9 +1806,12 @@ int get_user_pages_fast(unsigned long st
+ len = (unsigned long) nr_pages << PAGE_SHIFT;
+ end = start + len;
+
++ if (nr_pages <= 0)
++ return 0;
++
+ if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
+ (void __user *)start, len)))
+- return 0;
++ return -EFAULT;
+
+ if (gup_fast_permitted(start, nr_pages, write)) {
+ local_irq_disable();
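Review bot: The new `nr_pages <= 0` guard sits after `len` and `end` have already been computed from `nr_pages`, so for a negative count both values come from a wrapped unsigned shift before being discarded. Nothing is undefined, because the cast to `unsigned long` precedes the shift, but validating first is easier to audit: move `if (nr_pages <= 0)` and `return 0;` above `len = (unsigned long) nr_pages << PAGE_SHIFT;`. The function starts and ends outside the hunk.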
--- /dev/null
+From 30ce4d1903e1d8a7ccd110860a5eef3c638ed8be Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 8 Apr 2018 11:57:10 -0400
+Subject: getname_kernel() needs to make sure that ->name != ->iname in long case
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 30ce4d1903e1d8a7ccd110860a5eef3c638ed8be upstream.
+
+missed it in "kill struct filename.separate" several years ago.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -222,9 +222,10 @@ getname_kernel(const char * filename)
+ if (len <= EMBEDDED_NAME_MAX) {
+ result->name = (char *)result->iname;
+ } else if (len <= PATH_MAX) {
++ const size_t size = offsetof(struct filename, iname[1]);
+ struct filename *tmp;
+
+- tmp = kmalloc(sizeof(*tmp), GFP_KERNEL);
++ tmp = kmalloc(size, GFP_KERNEL);
+ if (unlikely(!tmp)) {
+ __putname(result);
+ return ERR_PTR(-ENOMEM);
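Review bot: `offsetof(struct filename, iname[1])` is a non-obvious allocation size and the hunk adds it without a comment, while the commit description is a single line. Proposed above the declaration: `/* size covers iname[0] so tmp->iname lies inside the allocation and ->name can never compare equal to ->iname */`. Presumably the release path tells embedded names from separately allocated ones by that comparison; it is not visible here, so the comment should be checked against it. getname_kernel starts and ends outside the hunk.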
--- /dev/null
+From 09e35a4a1ca8b9988ca9b8557d17948cd6c0808b Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Fri, 13 Apr 2018 15:35:16 -0700
+Subject: mm/gup_benchmark: handle gup failures
+
+From: Michael S. Tsirkin <mst@redhat.com>
+
+commit 09e35a4a1ca8b9988ca9b8557d17948cd6c0808b upstream.
+
+Patch series "mm/get_user_pages_fast fixes, cleanups", v2.
+
+Turns out get_user_pages_fast and __get_user_pages_fast return different
+values on error when given a single page: __get_user_pages_fast returns
+0. get_user_pages_fast returns either 0 or an error.
+
+Callers of get_user_pages_fast expect an error so fix it up to return an
+error consistently.
+
+Stress the difference between get_user_pages_fast and
+__get_user_pages_fast to make sure callers aren't confused.
+
+This patch (of 3):
+
+__gup_benchmark_ioctl does not handle the case where get_user_pages_fast
+fails:
+
+ - a negative return code will cause a buffer overrun
+
+ - returning with partial success will cause use of uninitialized
+ memory.
+
+[akpm@linux-foundation.org: simplification]
+Link: http://lkml.kernel.org/r/1522962072-182137-3-git-send-email-mst@redhat.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Huang Ying <ying.huang@intel.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Thorsten Leemhuis <regressions@leemhuis.info>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/gup_benchmark.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/mm/gup_benchmark.c
++++ b/mm/gup_benchmark.c
+@@ -23,7 +23,7 @@ static int __gup_benchmark_ioctl(unsigne
+ struct page **pages;
+
+ nr_pages = gup->size / PAGE_SIZE;
+- pages = kvmalloc(sizeof(void *) * nr_pages, GFP_KERNEL);
++ pages = kvzalloc(sizeof(void *) * nr_pages, GFP_KERNEL);
+ if (!pages)
+ return -ENOMEM;
+
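Review bot: The switch to `kvzalloc` has no comment explaining that the zeroing is what keeps a failed or partial pin from leaving uninitialised entries, so it reads like an incidental change that could later be reverted for speed. I would add `/* zeroed so that entries not filled by a failed or partial pin are NULL */` above the allocation. `sizeof(*pages)` would also track the element type better than `sizeof(void *)`. The code that consumes the array is outside the hunk.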
+@@ -41,6 +41,8 @@ static int __gup_benchmark_ioctl(unsigne
+ }
+
+ nr = get_user_pages_fast(addr, nr, gup->flags & 1, pages + i);
++ if (nr <= 0)
++ break;
+ i += nr;
+ }
+ end_time = ktime_get();
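Review bot: `if (nr <= 0) break;` stops the loop but drops the error, so as far as the hunk shows a negative return from `get_user_pages_fast` is never reported and the timing taken right after covers only a partial run. Keeping the code needs little: record it before the `break`, e.g. `if (nr < 0) ret = nr;` with a local `ret` (name is a placeholder), and return it after the pages are released. How the function releases pages and returns is outside the hunk, so this needs checking against the rest of __gup_benchmark_ioctl.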
--- /dev/null
+From 8d0d8ed3356aa9ed43b819aaedd39b08ca453007 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Mon, 2 Apr 2018 16:49:30 -0700
+Subject: nfit: fix region registration vs block-data-window ranges
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 8d0d8ed3356aa9ed43b819aaedd39b08ca453007 upstream.
+
+Commit 1cf03c00e7c1 "nfit: scrub and register regions in a workqueue"
+mistakenly attempts to register a region per BLK aperture. There is
+nothing to register for individual apertures as they belong as a set to
+a BLK aperture group that are registered with a corresponding
+DIMM-control-region. Filter them for registration to prevent some
+needless devm_kzalloc() allocations.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 1cf03c00e7c1 ("nfit: scrub and register regions in a workqueue")
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/nfit/core.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -3024,15 +3024,21 @@ static void acpi_nfit_scrub(struct work_
+ static int acpi_nfit_register_regions(struct acpi_nfit_desc *acpi_desc)
+ {
+ struct nfit_spa *nfit_spa;
+- int rc;
+
+- list_for_each_entry(nfit_spa, &acpi_desc->spas, list)
+- if (nfit_spa_type(nfit_spa->spa) == NFIT_SPA_DCR) {
+- /* BLK regions don't need to wait for ars results */
+- rc = acpi_nfit_register_region(acpi_desc, nfit_spa);
+- if (rc)
+- return rc;
+- }
++ list_for_each_entry(nfit_spa, &acpi_desc->spas, list) {
++ int rc, type = nfit_spa_type(nfit_spa->spa);
++
++ /* PMEM and VMEM will be registered by the ARS workqueue */
++ if (type == NFIT_SPA_PM || type == NFIT_SPA_VOLATILE)
++ continue;
++ /* BLK apertures belong to BLK region registration below */
++ if (type == NFIT_SPA_BDW)
++ continue;
++ /* BLK regions don't need to wait for ARS results */
++ rc = acpi_nfit_register_region(acpi_desc, nfit_spa);
++ if (rc)
++ return rc;
++ }
+
+ acpi_desc->ars_start_flags = 0;
+ if (!acpi_desc->cancel)
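Review bot: The comment `/* BLK regions don't need to wait for ARS results */` above the `acpi_nfit_register_region()` call no longer describes everything that reaches it. The removed code registered only `NFIT_SPA_DCR`, while the new loop registers every range type that is not PM, VOLATILE or BDW, so any other type present in `acpi_desc->spas` is now registered here too, which may or may not be intended. Either say so in the comment, for example `/* everything else (DCR, ...) is registered without waiting for ARS */`, or make the filter explicit with a `switch (type)` whose `default` arm documents the choice. The function continues past the end of the hunk.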
--- /dev/null
+From cbe095e2b584623b882ebaf6c18e0b9077baa3f7 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Thu, 5 Apr 2018 10:32:59 -0700
+Subject: Revert "scsi: core: return BLK_STS_OK for DID_OK in __scsi_error_from_host_byte()"
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+commit cbe095e2b584623b882ebaf6c18e0b9077baa3f7 upstream.
+
+The description of commit e39a97353e53 is wrong: it mentions that commit
+2a842acab109 introduced a bug in __scsi_error_from_host_byte() although that
+commit did not change the behavior of that function. Additionally, commit
+e39a97353e53 introduced a bug: it causes commands that fail with
+hostbyte=DID_OK and driverbyte=DRIVER_SENSE to be completed with
+BLK_STS_OK. Hence revert that commit.
+
+Fixes: e39a97353e53 ("scsi: core: return BLK_STS_OK for DID_OK in __scsi_error_from_host_byte()")
+Reported-by: Damien Le Moal <damien.lemoal@wdc.com>
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Hannes Reinecke <hare@suse.com>
+Cc: Douglas Gilbert <dgilbert@interlog.com>
+Cc: Damien Le Moal <damien.lemoal@wdc.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Lee Duncan <lduncan@suse.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_lib.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -721,8 +721,6 @@ static blk_status_t __scsi_error_from_ho
+ int result)
+ {
+ switch (host_byte(result)) {
+- case DID_OK:
+- return BLK_STS_OK;
+ case DID_TRANSPORT_FAILFAST:
+ return BLK_STS_TRANSPORT;
+ case DID_TARGET_FAILURE:
--- /dev/null
+From 7972326a26b5bf8dc2adac575c4e03ee7e9d193a Mon Sep 17 00:00:00 2001
+From: Sudhir Sreedharan <ssreedharan@mvista.com>
+Date: Thu, 15 Feb 2018 12:52:45 +0530
+Subject: rtl8187: Fix NULL pointer dereference in priv->conf_mutex
+
+From: Sudhir Sreedharan <ssreedharan@mvista.com>
+
+commit 7972326a26b5bf8dc2adac575c4e03ee7e9d193a upstream.
+
+This can be reproduced by bind/unbind the driver multiple times
+in AM3517 board.
+
+Analysis revealed that rtl8187_start() was invoked before probe
+finishes(ie. before the mutex is initialized).
+
+ INFO: trying to register non-static key.
+ the code is fine but needs lockdep annotation.
+ turning off the locking correctness validator.
+ CPU: 0 PID: 821 Comm: wpa_supplicant Not tainted 4.9.80-dirty #250
+ Hardware name: Generic AM3517 (Flattened Device Tree)
+ [<c010e0d8>] (unwind_backtrace) from [<c010beac>] (show_stack+0x10/0x14)
+ [<c010beac>] (show_stack) from [<c017401c>] (register_lock_class+0x4f4/0x55c)
+ [<c017401c>] (register_lock_class) from [<c0176fe0>] (__lock_acquire+0x74/0x1938)
+ [<c0176fe0>] (__lock_acquire) from [<c0178cfc>] (lock_acquire+0xfc/0x23c)
+ [<c0178cfc>] (lock_acquire) from [<c08aa2f8>] (mutex_lock_nested+0x50/0x3b0)
+ [<c08aa2f8>] (mutex_lock_nested) from [<c05f5bf8>] (rtl8187_start+0x2c/0xd54)
+ [<c05f5bf8>] (rtl8187_start) from [<c082dea0>] (drv_start+0xa8/0x320)
+ [<c082dea0>] (drv_start) from [<c084d1d4>] (ieee80211_do_open+0x2bc/0x8e4)
+ [<c084d1d4>] (ieee80211_do_open) from [<c069be94>] (__dev_open+0xb8/0x120)
+ [<c069be94>] (__dev_open) from [<c069c11c>] (__dev_change_flags+0x88/0x14c)
+ [<c069c11c>] (__dev_change_flags) from [<c069c1f8>] (dev_change_flags+0x18/0x48)
+ [<c069c1f8>] (dev_change_flags) from [<c0710b08>] (devinet_ioctl+0x738/0x840)
+ [<c0710b08>] (devinet_ioctl) from [<c067925c>] (sock_ioctl+0x164/0x2f4)
+ [<c067925c>] (sock_ioctl) from [<c02883f8>] (do_vfs_ioctl+0x8c/0x9d0)
+ [<c02883f8>] (do_vfs_ioctl) from [<c0288da8>] (SyS_ioctl+0x6c/0x7c)
+ [<c0288da8>] (SyS_ioctl) from [<c0107760>] (ret_fast_syscall+0x0/0x1c)
+ Unable to handle kernel NULL pointer dereference at virtual address 00000000
+ pgd = cd1ec000
+ [00000000] *pgd=8d1de831, *pte=00000000, *ppte=00000000
+ Internal error: Oops: 817 [#1] PREEMPT ARM
+ Modules linked in:
+ CPU: 0 PID: 821 Comm: wpa_supplicant Not tainted 4.9.80-dirty #250
+ Hardware name: Generic AM3517 (Flattened Device Tree)
+ task: ce73eec0 task.stack: cd1ea000
+ PC is at mutex_lock_nested+0xe8/0x3b0
+ LR is at mutex_lock_nested+0xd0/0x3b0
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sudhir Sreedharan <ssreedharan@mvista.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
++++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+@@ -1450,6 +1450,7 @@ static int rtl8187_probe(struct usb_inte
+ goto err_free_dev;
+ }
+ mutex_init(&priv->io_mutex);
++ mutex_init(&priv->conf_mutex);
+
+ SET_IEEE80211_DEV(dev, &intf->dev);
+ usb_set_intfdata(intf, dev);
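Review bot: `skb_queue_head_init(&priv->b_tx_status.queue)` still runs after the registration step; in the second hunk it follows the `Cannot register device` error path. That is the same ordering that made `conf_mutex` unsafe. If any callback that can run once the device is registered touches that queue, it has the same window, and moving the call up beside the two `mutex_init()` lines would close it: `skb_queue_head_init(&priv->b_tx_status.queue);`. Whether the queue is reachable that early is not visible here, and rtl8187_probe extends beyond both hunks.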
+@@ -1625,7 +1626,6 @@ static int rtl8187_probe(struct usb_inte
+ printk(KERN_ERR "rtl8187: Cannot register device\n");
+ goto err_free_dmabuf;
+ }
+- mutex_init(&priv->conf_mutex);
+ skb_queue_head_init(&priv->b_tx_status.queue);
+
+ wiphy_info(dev->wiphy, "hwaddr %pM, %s V%d + %s, rfkill mask %d\n",
--- /dev/null
+From 8b09ca746a643ca452cd41a522046a96ee5a55fd Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Fri, 6 Apr 2018 18:10:04 +0200
+Subject: s390/compat: fix setup_frame32
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+commit 8b09ca746a643ca452cd41a522046a96ee5a55fd upstream.
+
+Git commit c60a03fee0e5 ("s390: switch to {get,put}_compat_sigset()")
+contains a typo and now copies the wrong pointer to user space.
+Use the correct pointer instead.
+
+Reported-and-tested-by: Stefan Liebler <stli@linux.vnet.ibm.com>
+Fixes: c60a03fee0e5 ("s390: switch to {get,put}_compat_sigset()")
+Cc: <stable@vger.kernel.org> # v4.15+
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/compat_signal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/kernel/compat_signal.c
++++ b/arch/s390/kernel/compat_signal.c
+@@ -279,7 +279,7 @@ static int setup_frame32(struct ksignal
+ if (put_compat_sigset((compat_sigset_t __user *)frame->sc.oldmask,
+ set, sizeof(compat_sigset_t)))
+ return -EFAULT;
+- if (__put_user(ptr_to_compat(&frame->sc), &frame->sc.sregs))
++ if (__put_user(ptr_to_compat(&frame->sregs), &frame->sc.sregs))
+ return -EFAULT;
+
+ /* Store registers needed to create the signal frame */
--- /dev/null
+From 15deb080a6087b73089139569558965750e69d67 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Tue, 3 Apr 2018 16:02:15 +0200
+Subject: s390/ipl: ensure loadparm valid flag is set
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit 15deb080a6087b73089139569558965750e69d67 upstream.
+
+When loadparm is set in reipl parm block, the kernel should also set
+DIAG308_FLAGS_LP_VALID flag.
+
+This fixes loadparm ignoring during z/VM fcp -> ccw reipl and kvm direct
+boot -> ccw reipl.
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/ipl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/s390/kernel/ipl.c
++++ b/arch/s390/kernel/ipl.c
+@@ -776,6 +776,7 @@ static ssize_t reipl_generic_loadparm_st
+ /* copy and convert to ebcdic */
+ memcpy(ipb->hdr.loadparm, buf, lp_len);
+ ASCEBC(ipb->hdr.loadparm, LOADPARM_LEN);
++ ipb->hdr.flags |= DIAG308_FLAGS_LP_VALID;
+ return len;
+ }
+
--- /dev/null
+From 0cf1e05157b9e5530dcc3ca9fec9bf617fc93375 Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Wed, 7 Mar 2018 14:01:01 +0100
+Subject: s390/qdio: don't merge ERROR output buffers
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+commit 0cf1e05157b9e5530dcc3ca9fec9bf617fc93375 upstream.
+
+On an Output queue, both EMPTY and PENDING buffer states imply that the
+buffer is ready for completion-processing by the upper-layer drivers.
+
+So for a non-QEBSM Output queue, get_buf_states() merges mixed
+batches of PENDING and EMPTY buffers into one large batch of EMPTY
+buffers. The upper-layer driver (ie. qeth) later distuingishes PENDING
+from EMPTY by inspecting the slsb_state for
+QDIO_OUTBUF_STATE_FLAG_PENDING.
+
+But the merge logic in get_buf_states() contains a bug that causes us to
+erroneously also merge ERROR buffers into such a batch of EMPTY buffers
+(ERROR is 0xaf, EMPTY is 0xa1; so ERROR & EMPTY == EMPTY).
+Effectively, most outbound ERROR buffers are currently discarded
+silently and processed as if they had succeeded.
+
+Note that this affects _all_ non-QEBSM device types, not just IQD with CQ.
+
+Fix it by explicitly spelling out the exact conditions for merging.
+
+For extracting the "get initial state" part out of the loop, this relies
+on the fact that get_buf_states() is never called with a count of 0. The
+QEBSM path already strictly requires this, and the two callers with
+variable 'count' make sure of it.
+
+Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks")
+Cc: <stable@vger.kernel.org> #v3.2+
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Reviewed-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
+Reviewed-by: Benjamin Block <bblock@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/cio/qdio_main.c | 31 ++++++++++++++++++++-----------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+--- a/drivers/s390/cio/qdio_main.c
++++ b/drivers/s390/cio/qdio_main.c
+@@ -207,7 +207,10 @@ again:
+ return 0;
+ }
+
+-/* returns number of examined buffers and their common state in *state */
++/*
++ * Returns number of examined buffers and their common state in *state.
++ * Requested number of buffers-to-examine must be > 0.
++ */
+ static inline int get_buf_states(struct qdio_q *q, unsigned int bufnr,
+ unsigned char *state, unsigned int count,
+ int auto_ack, int merge_pending)
+@@ -218,17 +221,23 @@ static inline int get_buf_states(struct
+ if (is_qebsm(q))
+ return qdio_do_eqbs(q, state, bufnr, count, auto_ack);
+
+- for (i = 0; i < count; i++) {
+- if (!__state) {
+- __state = q->slsb.val[bufnr];
+- if (merge_pending && __state == SLSB_P_OUTPUT_PENDING)
+- __state = SLSB_P_OUTPUT_EMPTY;
+- } else if (merge_pending) {
+- if ((q->slsb.val[bufnr] & __state) != __state)
+- break;
+- } else if (q->slsb.val[bufnr] != __state)
+- break;
++ /* get initial state: */
++ __state = q->slsb.val[bufnr];
++ if (merge_pending && __state == SLSB_P_OUTPUT_PENDING)
++ __state = SLSB_P_OUTPUT_EMPTY;
++
++ for (i = 1; i < count; i++) {
+ bufnr = next_buf(bufnr);
++
++ /* merge PENDING into EMPTY: */
++ if (merge_pending &&
++ q->slsb.val[bufnr] == SLSB_P_OUTPUT_PENDING &&
++ __state == SLSB_P_OUTPUT_EMPTY)
++ continue;
++
++ /* stop if next state differs from initial state: */
++ if (q->slsb.val[bufnr] != __state)
++ break;
+ }
+ *state = __state;
+ return i;
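Review bot: The `count > 0` requirement is now enforced only by the comment. With `count == 0` the rewritten non-QEBSM path still reads `q->slsb.val[bufnr]`, skips the loop with `i` already set to 1, and returns 1, so the caller is told one buffer was examined. The commit text says current callers never pass 0, so this concerns future callers: a guard such as `if (WARN_ON_ONCE(!count)) return 0;` ahead of the initial-state read would turn a silent misreport into a visible one. The declarations of `i` and `__state` are outside the hunk.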
--- /dev/null
+From dae55b6fef58530c13df074bcc182c096609339e Mon Sep 17 00:00:00 2001
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Mon, 5 Mar 2018 09:39:38 +0100
+Subject: s390/qdio: don't retry EQBS after CCQ 96
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+commit dae55b6fef58530c13df074bcc182c096609339e upstream.
+
+Immediate retry of EQBS after CCQ 96 means that we potentially misreport
+the state of buffers inspected during the first EQBS call.
+
+This occurs when
+1. the first EQBS finds all inspected buffers still in the initial state
+ set by the driver (ie INPUT EMPTY or OUTPUT PRIMED),
+2. the EQBS terminates early with CCQ 96, and
+3. by the time that the second EQBS comes around, the state of those
+ previously inspected buffers has changed.
+
+If the state reported by the second EQBS is 'driver-owned', all we know
+is that the previous buffers are driver-owned now as well. But we can't
+tell if they all have the same state. So for instance
+- the second EQBS reports OUTPUT EMPTY, but any number of the previous
+ buffers could be OUTPUT ERROR by now,
+- the second EQBS reports OUTPUT ERROR, but any number of the previous
+ buffers could be OUTPUT EMPTY by now.
+
+Effectively, this can result in both over- and underreporting of errors.
+
+If the state reported by the second EQBS is 'HW-owned', that doesn't
+guarantee that the previous buffers have not been switched to
+driver-owned in the mean time. So for instance
+- the second EQBS reports INPUT EMPTY, but any number of the previous
+ buffers could be INPUT PRIMED (or INPUT ERROR) by now.
+
+This would result in failure to process pending work on the queue. If
+it's the final check before yielding initiative, this can cause
+a (temporary) queue stall due to IRQ avoidance.
+
+Fixes: 25f269f17316 ("[S390] qdio: EQBS retry after CCQ 96")
+Cc: <stable@vger.kernel.org> #v3.2+
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Reviewed-by: Benjamin Block <bblock@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/cio/qdio_main.c | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+--- a/drivers/s390/cio/qdio_main.c
++++ b/drivers/s390/cio/qdio_main.c
+@@ -128,7 +128,7 @@ static inline int qdio_check_ccq(struct
+ static int qdio_do_eqbs(struct qdio_q *q, unsigned char *state,
+ int start, int count, int auto_ack)
+ {
+- int rc, tmp_count = count, tmp_start = start, nr = q->nr, retried = 0;
++ int rc, tmp_count = count, tmp_start = start, nr = q->nr;
+ unsigned int ccq = 0;
+
+ qperf_inc(q, eqbs);
+@@ -151,14 +151,7 @@ again:
+ qperf_inc(q, eqbs_partial);
+ DBF_DEV_EVENT(DBF_WARN, q->irq_ptr, "EQBS part:%02x",
+ tmp_count);
+- /*
+- * Retry once, if that fails bail out and process the
+- * extracted buffers before trying again.
+- */
+- if (!retried++)
+- goto again;
+- else
+- return count - tmp_count;
++ return count - tmp_count;
+ }
+
+ DBF_ERROR("%4x EQBS ERROR", SCH_NO(q));
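Review bot: The partial-EQBS branch lost its comment along with the retry, so nothing at the `return count - tmp_count;` line explains why an immediate retry would be wrong. A short replacement would keep the retry from being reintroduced, for example `/* No retry: buffers already inspected may have changed state; report the partial count. */`. qdio_do_eqbs starts and ends outside this hunk.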
--- /dev/null
+From 6d6340672ba3a99c4cf7af79c2edf7aa25595c84 Mon Sep 17 00:00:00 2001
+From: Bill Kuzeja <William.Kuzeja@stratus.com>
+Date: Fri, 23 Mar 2018 10:37:25 -0400
+Subject: scsi: qla2xxx: Fix small memory leak in qla2x00_probe_one on probe failure
+
+From: Bill Kuzeja <William.Kuzeja@stratus.com>
+
+commit 6d6340672ba3a99c4cf7af79c2edf7aa25595c84 upstream.
+
+The code that fixes the crashes in the following commit introduced a small
+memory leak:
+
+commit 6a2cf8d3663e ("scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure")
+
+Fixing this requires a bit of reworking, which I've explained. Also provide
+some code cleanup.
+
+There is a small window in qla2x00_probe_one where if qla2x00_alloc_queues
+fails, we end up never freeing req and rsp and leak 0xc0 and 0xc8 bytes
+respectively (the sizes of req and rsp).
+
+I originally put in checks to test for this condition which were based on
+the incorrect assumption that if ha->rsp_q_map and ha->req_q_map were
+allocated, then rsp and req were allocated as well. This is incorrect.
+There is a window between these allocations:
+
+ ret = qla2x00_mem_alloc(ha, req_length, rsp_length, &req, &rsp);
+ goto probe_hw_failed;
+
+[if successful, both rsp and req allocated]
+
+ base_vha = qla2x00_create_host(sht, ha);
+ goto probe_hw_failed;
+
+ ret = qla2x00_request_irqs(ha, rsp);
+ goto probe_failed;
+
+ if (qla2x00_alloc_queues(ha, req, rsp)) {
+ goto probe_failed;
+
+[if successful, now ha->rsp_q_map and ha->req_q_map allocated]
+
+To simplify this, we should just set req and rsp to NULL after we free
+them. Sounds simple enough? The problem is that req and rsp are pointers
+defined in the qla2x00_probe_one and they are not always passed by reference
+to the routines that free them.
+
+Here are paths which can free req and rsp:
+
+PATH 1:
+qla2x00_probe_one
+ ret = qla2x00_mem_alloc(ha, req_length, rsp_length, &req, &rsp);
+ [req and rsp are passed by reference, but if this fails, we currently
+ do not NULL out req and rsp. Easily fixed]
+
+PATH 2:
+qla2x00_probe_one
+ failing in qla2x00_request_irqs or qla2x00_alloc_queues
+ probe_failed:
+ qla2x00_free_device(base_vha);
+ qla2x00_free_req_que(ha, req)
+ qla2x00_free_rsp_que(ha, rsp)
+
+PATH 3:
+qla2x00_probe_one:
+ failing in qla2x00_mem_alloc or qla2x00_create_host
+ probe_hw_failed:
+ qla2x00_free_req_que(ha, req)
+ qla2x00_free_rsp_que(ha, rsp)
+
+PATH 1: This should currently work, but it doesn't because req and rsp are
+not set to NULL in qla2x00_mem_alloc. Easily remedied.
+
+PATH 2: req and rsp aren't passed in at all to qla2x00_free_device but are
+derived from ha->req_q_map[0] and ha->rsp_q_map[0]. These are only set up if
+qla2x00_alloc_queues succeeds.
+
+In qla2x00_free_queues, we are protected from crashing if these don't exist
+because req_qid_map and rsp_qid_map are only set on their allocation. We are
+guarded in this way:
+
+ for (cnt = 0; cnt < ha->max_req_queues; cnt++) {
+ if (!test_bit(cnt, ha->req_qid_map))
+ continue;
+
+PATH 3: This works. We haven't freed req or rsp yet (or they were never
+allocated if qla2x00_mem_alloc failed), so we'll attempt to free them here.
+
+To summarize, there are a few small changes to make this work correctly and
+(and for some cleanup):
+
+1) (For PATH 1) Set *rsp and *req to NULL in case of failure in
+qla2x00_mem_alloc so these are correctly set to NULL back in
+qla2x00_probe_one
+
+2) After jumping to probe_failed: and calling qla2x00_free_device,
+explicitly set rsp and req to NULL so further calls with these pointers do
+not crash, i.e. the free queue calls in the probe_hw_failed section we fall
+through to.
+
+3) Fix return code check in the call to qla2x00_alloc_queues. We currently
+drop the return code on the floor. The probe fails but the caller of the
+probe doesn't have an error code, so it attaches to pci. This can result in
+a crash on module shutdown.
+
+4) Remove unnecessary NULL checks in qla2x00_free_req_que,
+qla2x00_free_rsp_que, and the egregious NULL checks before kfrees and vfrees
+in qla2x00_mem_free.
+
+I tested this out running a scenario where the card breaks at various times
+during initialization. I made sure I forced every error exit path in
+qla2x00_probe_one.
+
+Cc: <stable@vger.kernel.org> # v4.16
+Fixes: 6a2cf8d3663e ("scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure")
+Signed-off-by: Bill Kuzeja <william.kuzeja@stratus.com>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 44 ++++++++++++++++++++----------------------
+ 1 file changed, 21 insertions(+), 23 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -471,9 +471,6 @@ fail_req_map:
+
+ static void qla2x00_free_req_que(struct qla_hw_data *ha, struct req_que *req)
+ {
+- if (!ha->req_q_map)
+- return;
+-
+ if (IS_QLAFX00(ha)) {
+ if (req && req->ring_fx00)
+ dma_free_coherent(&ha->pdev->dev,
+@@ -484,17 +481,14 @@ static void qla2x00_free_req_que(struct
+ (req->length + 1) * sizeof(request_t),
+ req->ring, req->dma);
+
+- if (req) {
++ if (req)
+ kfree(req->outstanding_cmds);
+- kfree(req);
+- }
++
++ kfree(req);
+ }
+
+ static void qla2x00_free_rsp_que(struct qla_hw_data *ha, struct rsp_que *rsp)
+ {
+- if (!ha->rsp_q_map)
+- return;
+-
+ if (IS_QLAFX00(ha)) {
+ if (rsp && rsp->ring)
+ dma_free_coherent(&ha->pdev->dev,
+@@ -505,8 +499,7 @@ static void qla2x00_free_rsp_que(struct
+ (rsp->length + 1) * sizeof(response_t),
+ rsp->ring, rsp->dma);
+ }
+- if (rsp)
+- kfree(rsp);
++ kfree(rsp);
+ }
+
+ static void qla2x00_free_queues(struct qla_hw_data *ha)
+@@ -3107,7 +3100,8 @@ qla2x00_probe_one(struct pci_dev *pdev,
+ goto probe_failed;
+
+ /* Alloc arrays of request and response ring ptrs */
+- if (qla2x00_alloc_queues(ha, req, rsp)) {
++ ret = qla2x00_alloc_queues(ha, req, rsp);
++ if (ret) {
+ ql_log(ql_log_fatal, base_vha, 0x003d,
+ "Failed to allocate memory for queue pointers..."
+ "aborting.\n");
+@@ -3408,8 +3402,15 @@ probe_failed:
+ }
+
+ qla2x00_free_device(base_vha);
+-
+ scsi_host_put(base_vha->host);
++ /*
++ * Need to NULL out local req/rsp after
++ * qla2x00_free_device => qla2x00_free_queues frees
++ * what these are pointing to. Or else we'll
++ * fall over below in qla2x00_free_req/rsp_que.
++ */
++ req = NULL;
++ rsp = NULL;
+
+ probe_hw_failed:
+ qla2x00_mem_free(ha);
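Review bot: `req = NULL; rsp = NULL;` at `probe_failed:` runs on every path that reaches the label, which may leave the queues unfreed on some of them. The commit description says `qla2x00_free_device()` finds the queues only through `ha->req_q_map[0]` and `ha->rsp_q_map[0]`, which are set up only when `qla2x00_alloc_queues()` succeeds. So when `qla2x00_request_irqs()` or `qla2x00_alloc_queues()` itself fails, it looks as if nothing has freed the two structures by the time the locals are cleared, and the free calls after `probe_hw_failed:` then receive NULL. Please confirm against the free path, which is outside this hunk. If it holds, the locals should be cleared only when the queues were actually handed to the maps, for instance by tracking that `qla2x00_alloc_queues()` returned 0.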
+@@ -4115,6 +4116,7 @@ fail_npiv_info:
+ (*rsp)->dma = 0;
+ fail_rsp_ring:
+ kfree(*rsp);
++ *rsp = NULL;
+ fail_rsp:
+ dma_free_coherent(&ha->pdev->dev, ((*req)->length + 1) *
+ sizeof(request_t), (*req)->ring, (*req)->dma);
+@@ -4122,6 +4124,7 @@ fail_rsp:
+ (*req)->dma = 0;
+ fail_req_ring:
+ kfree(*req);
++ *req = NULL;
+ fail_req:
+ dma_free_coherent(&ha->pdev->dev, sizeof(struct ct_sns_pkt),
+ ha->ct_sns, ha->ct_sns_dma);
+@@ -4509,16 +4512,11 @@ qla2x00_mem_free(struct qla_hw_data *ha)
+ dma_free_coherent(&ha->pdev->dev, ha->init_cb_size,
+ ha->init_cb, ha->init_cb_dma);
+
+- if (ha->optrom_buffer)
+- vfree(ha->optrom_buffer);
+- if (ha->nvram)
+- kfree(ha->nvram);
+- if (ha->npiv_info)
+- kfree(ha->npiv_info);
+- if (ha->swl)
+- kfree(ha->swl);
+- if (ha->loop_id_map)
+- kfree(ha->loop_id_map);
++ vfree(ha->optrom_buffer);
++ kfree(ha->nvram);
++ kfree(ha->npiv_info);
++ kfree(ha->swl);
++ kfree(ha->loop_id_map);
+
+ ha->srb_mempool = NULL;
+ ha->ctx_mempool = NULL;
--- /dev/null
+From 2ee5671e3ae35e53bb5a53a89ac8f033e4b1721f Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Fri, 23 Mar 2018 14:37:05 +0100
+Subject: scsi: scsi_dh: Don't look for NULL devices handlers by name
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+commit 2ee5671e3ae35e53bb5a53a89ac8f033e4b1721f upstream.
+
+Currently scsi_dh_lookup() doesn't check for NULL as a device name. This
+combined with nvme over dm-mpath results in the following messages
+emitted by device-mapper:
+
+ device-mapper: multipath: Could not failover device 259:67: Handler scsi_dh_(null) error 14.
+
+Let scsi_dh_lookup() fail fast on NULL names.
+
+[mkp: typo fix]
+
+Cc: <stable@vger.kernel.org> # v4.16
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_dh.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/scsi_dh.c
++++ b/drivers/scsi/scsi_dh.c
+@@ -112,6 +112,9 @@ static struct scsi_device_handler *scsi_
+ {
+ struct scsi_device_handler *dh;
+
++ if (!name || strlen(name) == 0)
++ return NULL;
++
+ dh = __scsi_dh_lookup(name);
+ if (!dh) {
+ request_module("scsi_dh_%s", name);
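Review bot: `strlen(name) == 0` walks the whole string just to test for emptiness; `if (!name || !*name)` says the same thing and is the usual kernel spelling. A one-line comment would also explain why an absent or empty name returns NULL quietly rather than warning, for example `/* no handler name given: nothing to look up or load */`; the commit text cites nvme over dm-mpath as the normal case. The function body continues past the hunk.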
xen-xenbus_dev_frontend-fix-xs_transaction_end-handling.patch
hugetlbfs-fix-bug-in-pgoff-overflow-checking.patch
nfsd-fix-incorrect-umasks.patch
+scsi-scsi_dh-don-t-look-for-null-devices-handlers-by-name.patch
+scsi-qla2xxx-fix-small-memory-leak-in-qla2x00_probe_one-on-probe-failure.patch
+revert-scsi-core-return-blk_sts_ok-for-did_ok-in-__scsi_error_from_host_byte.patch
+apparmor-fix-logging-of-the-existence-test-for-signals.patch
+apparmor-fix-display-of-.ns_name-for-containers.patch
+apparmor-fix-resource-audit-messages-when-auditing-peer.patch
+block-loop-fix-deadlock-after-loop_set_status.patch
+nfit-fix-region-registration-vs-block-data-window-ranges.patch
+s390-qdio-don-t-retry-eqbs-after-ccq-96.patch
+s390-qdio-don-t-merge-error-output-buffers.patch
+s390-ipl-ensure-loadparm-valid-flag-is-set.patch
+s390-compat-fix-setup_frame32.patch
+get_user_pages_fast-return-efault-on-access_ok-failure.patch
+mm-gup_benchmark-handle-gup-failures.patch
+getname_kernel-needs-to-make-sure-that-name-iname-in-long-case.patch
+bluetooth-fix-connection-if-directed-advertising-and-privacy-is-used.patch
+bluetooth-hci_bcm-treat-interrupt-acpi-resources-as-always-being-active-low.patch
+rtl8187-fix-null-pointer-dereference-in-priv-conf_mutex.patch