4.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 30 Apr 2017 14:11:16 +0000 (16:11 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 30 Apr 2017 14:11:16 +0000 (16:11 +0200)
added patches:
alsa-firewire-lib-fix-inappropriate-assignment-between-signed-unsigned-type.patch
alsa-oxfw-fix-regression-to-handle-stanton-scs.1m-1d.patch
alsa-seq-don-t-break-snd_use_lock_sync-loop-by-timeout.patch
arc-fix-build-error.patch
asoc-intel-fix-pm-and-non-atomic-crash-in-bytcr-drivers.patch
ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch
cpu-hotplug-serialize-callback-invocations-proper.patch
input-i8042-add-clevo-p650rs-to-the-i8042-reset-list.patch
macsec-avoid-heap-overflow-in-skb_to_sgvec.patch
mips-avoid-bug-warning-in-arch_check_elf.patch
mips-cevt-r4k-fix-out-of-bounds-array-access.patch
mips-kgdb-use-kernel-context-for-sleeping-threads.patch
net-can-usb-gs_usb-fix-buffer-on-stack.patch
nfsd-check-for-oversized-nfsv2-v3-arguments.patch
nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch
nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch
p9_client_readdir-fix.patch
scsi-return-correct-blkprep-status-code-in-case-scsi_init_io-fails.patch

19 files changed:
queue-4.10/alsa-firewire-lib-fix-inappropriate-assignment-between-signed-unsigned-type.patch [new file with mode: 0644]
queue-4.10/alsa-oxfw-fix-regression-to-handle-stanton-scs.1m-1d.patch [new file with mode: 0644]
queue-4.10/alsa-seq-don-t-break-snd_use_lock_sync-loop-by-timeout.patch [new file with mode: 0644]
queue-4.10/arc-fix-build-error.patch [new file with mode: 0644]
queue-4.10/asoc-intel-fix-pm-and-non-atomic-crash-in-bytcr-drivers.patch [new file with mode: 0644]
queue-4.10/ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch [new file with mode: 0644]
queue-4.10/cpu-hotplug-serialize-callback-invocations-proper.patch [new file with mode: 0644]
queue-4.10/input-i8042-add-clevo-p650rs-to-the-i8042-reset-list.patch [new file with mode: 0644]
queue-4.10/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch [new file with mode: 0644]
queue-4.10/mips-avoid-bug-warning-in-arch_check_elf.patch [new file with mode: 0644]
queue-4.10/mips-cevt-r4k-fix-out-of-bounds-array-access.patch [new file with mode: 0644]
queue-4.10/mips-kgdb-use-kernel-context-for-sleeping-threads.patch [new file with mode: 0644]
queue-4.10/net-can-usb-gs_usb-fix-buffer-on-stack.patch [new file with mode: 0644]
queue-4.10/nfsd-check-for-oversized-nfsv2-v3-arguments.patch [new file with mode: 0644]
queue-4.10/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch [new file with mode: 0644]
queue-4.10/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch [new file with mode: 0644]
queue-4.10/p9_client_readdir-fix.patch [new file with mode: 0644]
queue-4.10/scsi-return-correct-blkprep-status-code-in-case-scsi_init_io-fails.patch [new file with mode: 0644]
queue-4.10/series

diff --git a/queue-4.10/alsa-firewire-lib-fix-inappropriate-assignment-between-signed-unsigned-type.patch b/queue-4.10/alsa-firewire-lib-fix-inappropriate-assignment-between-signed-unsigned-type.patch
new file mode 100644 (file)
index 0000000..95e1224
--- /dev/null
@@ -0,0 +1,40 @@
+From dfb00a56935186171abb5280b3407c3f910011f1 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Fri, 14 Apr 2017 12:43:01 +0900
+Subject: ALSA: firewire-lib: fix inappropriate assignment between signed/unsigned type
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit dfb00a56935186171abb5280b3407c3f910011f1 upstream.
+
+An abstraction of asynchronous transaction for transmission of MIDI
+messages was introduced in Linux v4.4. Each driver can utilize this
+abstraction to transfer MIDI messages via fixed-length payload of
+transaction to a certain unit address. Filling payload of the transaction
+is done by callback. In this callback, each driver can return negative
+error code, however current implementation assigns the return value to
+unsigned variable.
+
+This commit changes type of the variable to fix the bug.
+
+Reported-by: Julia Lawall <Julia.Lawall@lip6.fr>
+Fixes: 585d7cba5e1f ("ALSA: firewire-lib: add helper functions for asynchronous transactions to transfer MIDI messages")
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/lib.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/lib.h
++++ b/sound/firewire/lib.h
+@@ -45,7 +45,7 @@ struct snd_fw_async_midi_port {
+       struct snd_rawmidi_substream *substream;
+       snd_fw_async_midi_port_fill fill;
+-      unsigned int consume_bytes;
++      int consume_bytes;
+ };
+ int snd_fw_async_midi_port_init(struct snd_fw_async_midi_port *port,
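Review bot: Changing `consume_bytes` to `int` only makes a negative return from `fill` representable; the hunk shows no consumer of the field, so the code in sound/firewire/lib.c that stores the callback result and later uses it as a transfer length is outside this patch. Every use there presumably tests `consume_bytes` against zero before treating it as a byte count — worth confirming, because a negative value handed to an unsigned length parameter converts back into a very large size. A comment on the field, `/* bytes consumed by fill(), or a negative error code */`, would record the dual meaning next to the declaration.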
diff --git a/queue-4.10/alsa-oxfw-fix-regression-to-handle-stanton-scs.1m-1d.patch b/queue-4.10/alsa-oxfw-fix-regression-to-handle-stanton-scs.1m-1d.patch
new file mode 100644 (file)
index 0000000..c109a26
--- /dev/null
@@ -0,0 +1,43 @@
+From 3d016d57fdc5e6caa4cd67896f4b081bccad6e2c Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Mon, 3 Apr 2017 21:13:40 +0900
+Subject: ALSA: oxfw: fix regression to handle Stanton SCS.1m/1d
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 3d016d57fdc5e6caa4cd67896f4b081bccad6e2c upstream.
+
+At a commit 6c29230e2a5f ("ALSA: oxfw: delayed registration of sound
+card"), ALSA oxfw driver fails to handle SCS.1m/1d, due to -EBUSY at a call
+of snd_card_register(). The cause is that the driver manages to register
+two rawmidi instances with the same device number 0. This is a regression
+introduced since kernel 4.7.
+
+This commit fixes the regression, by fixing up device property after
+discovering stream formats.
+
+Fixes: 6c29230e2a5f ("ALSA: oxfw: delayed registration of sound card")
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/oxfw/oxfw.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/firewire/oxfw/oxfw.c
++++ b/sound/firewire/oxfw/oxfw.c
+@@ -226,11 +226,11 @@ static void do_registration(struct work_
+       if (err < 0)
+               goto error;
+-      err = detect_quirks(oxfw);
++      err = snd_oxfw_stream_discover(oxfw);
+       if (err < 0)
+               goto error;
+-      err = snd_oxfw_stream_discover(oxfw);
++      err = detect_quirks(oxfw);
+       if (err < 0)
+               goto error;
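Review bot: The swap of `snd_oxfw_stream_discover()` and `detect_quirks()` fixes an ordering dependency that nothing in the code records, so a later refactor can reintroduce the duplicate rawmidi device number the commit message describes. A comment above the `detect_quirks()` call, `/* must run after snd_oxfw_stream_discover(): quirks fix up device properties set by stream discovery */`, keeps the reason with the code. `do_registration()` starts before the hunk.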
diff --git a/queue-4.10/alsa-seq-don-t-break-snd_use_lock_sync-loop-by-timeout.patch b/queue-4.10/alsa-seq-don-t-break-snd_use_lock_sync-loop-by-timeout.patch
new file mode 100644 (file)
index 0000000..d79e5f9
--- /dev/null
@@ -0,0 +1,57 @@
+From 4e7655fd4f47c23e5249ea260dc802f909a64611 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 9 Apr 2017 10:41:27 +0200
+Subject: ALSA: seq: Don't break snd_use_lock_sync() loop by timeout
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 4e7655fd4f47c23e5249ea260dc802f909a64611 upstream.
+
+The snd_use_lock_sync() (thus its implementation
+snd_use_lock_sync_helper()) has the 5 seconds timeout to break out of
+the sync loop.  It was introduced from the beginning, just to be
+"safer", in terms of avoiding the stupid bugs.
+
+However, as Ben Hutchings suggested, this timeout rather introduces a
+potential leak or use-after-free that was apparently fixed by the
+commit 2d7d54002e39 ("ALSA: seq: Fix race during FIFO resize"):
+for example, snd_seq_fifo_event_in() -> snd_seq_event_dup() ->
+copy_from_user() could block for a long time, and snd_use_lock_sync()
+goes timeout and still leaves the cell at releasing the pool.
+
+For fixing such a problem, we remove the break by the timeout while
+still keeping the warning.
+
+Suggested-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_lock.c |    9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/sound/core/seq/seq_lock.c
++++ b/sound/core/seq/seq_lock.c
+@@ -28,19 +28,16 @@
+ /* wait until all locks are released */
+ void snd_use_lock_sync_helper(snd_use_lock_t *lockp, const char *file, int line)
+ {
+-      int max_count = 5 * HZ;
++      int warn_count = 5 * HZ;
+       if (atomic_read(lockp) < 0) {
+               pr_warn("ALSA: seq_lock: lock trouble [counter = %d] in %s:%d\n", atomic_read(lockp), file, line);
+               return;
+       }
+       while (atomic_read(lockp) > 0) {
+-              if (max_count == 0) {
+-                      pr_warn("ALSA: seq_lock: timeout [%d left] in %s:%d\n", atomic_read(lockp), file, line);
+-                      break;
+-              }
++              if (warn_count-- == 0)
++                      pr_warn("ALSA: seq_lock: waiting [%d left] in %s:%d\n", atomic_read(lockp), file, line);
+               schedule_timeout_uninterruptible(1);
+-              max_count--;
+       }
+ }
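Review bot: With the `break` gone, `snd_use_lock_sync_helper()` waits without bound, and the `warn_count-- == 0` test fires exactly once, so a lock that is never released leaves a single log line while the caller spins uninterruptibly with no further trace. Re-arming the counter after the message, `warn_count = 5 * HZ;` inside the `if` body, would repeat the warning every five seconds and make a genuinely stuck holder visible; it also stops `warn_count` from decrementing indefinitely for the lifetime of the wait. The commit message asks to keep the warning, so this changes only observability, not the intended behaviour.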
diff --git a/queue-4.10/arc-fix-build-error.patch b/queue-4.10/arc-fix-build-error.patch
new file mode 100644 (file)
index 0000000..1d53fbd
--- /dev/null
@@ -0,0 +1,34 @@
+From 6492f09e864417d382e22b922ae30693a7ce2982 Mon Sep 17 00:00:00 2001
+From: Noam Camus <noamca@mellanox.com>
+Date: Tue, 4 Apr 2017 11:00:41 +0300
+Subject: ARC: [plat-eznps] Fix build error
+
+From: Noam Camus <noamca@mellanox.com>
+
+commit 6492f09e864417d382e22b922ae30693a7ce2982 upstream.
+
+Make ATOMIC_INIT available for all ARC platforms (including plat-eznps)
+
+Signed-off-by: Noam Camus <noamca@mellanox.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/atomic.h |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arc/include/asm/atomic.h
++++ b/arch/arc/include/asm/atomic.h
+@@ -17,10 +17,11 @@
+ #include <asm/barrier.h>
+ #include <asm/smp.h>
++#define ATOMIC_INIT(i)        { (i) }
++
+ #ifndef CONFIG_ARC_PLAT_EZNPS
+ #define atomic_read(v)  READ_ONCE((v)->counter)
+-#define ATOMIC_INIT(i)        { (i) }
+ #ifdef CONFIG_ARC_HAS_LLSC
diff --git a/queue-4.10/asoc-intel-fix-pm-and-non-atomic-crash-in-bytcr-drivers.patch b/queue-4.10/asoc-intel-fix-pm-and-non-atomic-crash-in-bytcr-drivers.patch
new file mode 100644 (file)
index 0000000..9081db5
--- /dev/null
@@ -0,0 +1,90 @@
+From 6e4cac23c5a648d50b107d1b53e9c4e1120c7943 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 24 Apr 2017 14:09:55 +0200
+Subject: ASoC: intel: Fix PM and non-atomic crash in bytcr drivers
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 6e4cac23c5a648d50b107d1b53e9c4e1120c7943 upstream.
+
+The FE setups of Intel SST bytcr_rt5640 and bytcr_rt5651 drivers carry
+the ignore_suspend flag, and this prevents the suspend/resume working
+properly while the stream is running, since SST core code has the
+check of the running streams and returns -EBUSY.  Drop these
+superfluous flags for fixing the behavior.
+
+Also, the bytcr_rt5640 driver lacks of nonatomic flag in some FE
+definitions, which leads to the kernel Oops at suspend/resume like:
+
+  BUG: scheduling while atomic: systemd-sleep/3144/0x00000003
+  Call Trace:
+   dump_stack+0x5c/0x7a
+   __schedule_bug+0x55/0x70
+   __schedule+0x63c/0x8c0
+   schedule+0x3d/0x90
+   schedule_timeout+0x16b/0x320
+   ? del_timer_sync+0x50/0x50
+   ? sst_wait_timeout+0xa9/0x170 [snd_intel_sst_core]
+   ? sst_wait_timeout+0xa9/0x170 [snd_intel_sst_core]
+   ? remove_wait_queue+0x60/0x60
+   ? sst_prepare_and_post_msg+0x275/0x960 [snd_intel_sst_core]
+   ? sst_pause_stream+0x9b/0x110 [snd_intel_sst_core]
+   ....
+
+This patch addresses these appropriately, too.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Acked-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/intel/boards/bytcr_rt5640.c |    4 ++--
+ sound/soc/intel/boards/bytcr_rt5651.c |    2 --
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/intel/boards/bytcr_rt5640.c
++++ b/sound/soc/intel/boards/bytcr_rt5640.c
+@@ -621,7 +621,7 @@ static struct snd_soc_dai_link byt_rt564
+               .codec_dai_name = "snd-soc-dummy-dai",
+               .codec_name = "snd-soc-dummy",
+               .platform_name = "sst-mfld-platform",
+-              .ignore_suspend = 1,
++              .nonatomic = true,
+               .dynamic = 1,
+               .dpcm_playback = 1,
+               .dpcm_capture = 1,
+@@ -634,7 +634,6 @@ static struct snd_soc_dai_link byt_rt564
+               .codec_dai_name = "snd-soc-dummy-dai",
+               .codec_name = "snd-soc-dummy",
+               .platform_name = "sst-mfld-platform",
+-              .ignore_suspend = 1,
+               .nonatomic = true,
+               .dynamic = 1,
+               .dpcm_playback = 1,
+@@ -661,6 +660,7 @@ static struct snd_soc_dai_link byt_rt564
+                                               | SND_SOC_DAIFMT_CBS_CFS,
+               .be_hw_params_fixup = byt_rt5640_codec_fixup,
+               .ignore_suspend = 1,
++              .nonatomic = true,
+               .dpcm_playback = 1,
+               .dpcm_capture = 1,
+               .init = byt_rt5640_init,
+--- a/sound/soc/intel/boards/bytcr_rt5651.c
++++ b/sound/soc/intel/boards/bytcr_rt5651.c
+@@ -235,7 +235,6 @@ static struct snd_soc_dai_link byt_rt565
+               .codec_dai_name = "snd-soc-dummy-dai",
+               .codec_name = "snd-soc-dummy",
+               .platform_name = "sst-mfld-platform",
+-              .ignore_suspend = 1,
+               .nonatomic = true,
+               .dynamic = 1,
+               .dpcm_playback = 1,
+@@ -249,7 +248,6 @@ static struct snd_soc_dai_link byt_rt565
+               .codec_dai_name = "snd-soc-dummy-dai",
+               .codec_name = "snd-soc-dummy",
+               .platform_name = "sst-mfld-platform",
+-              .ignore_suspend = 1,
+               .nonatomic = true,
+               .dynamic = 1,
+               .dpcm_playback = 1,
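Review bot: The third bytcr_rt5640.c hunk adds `.nonatomic = true` to the link carrying `be_hw_params_fixup` but leaves its `.ignore_suspend = 1` in place, while every other hunk in this patch removes that flag. The commit message speaks only of FE links, so the exception is presumably deliberate, but nothing in the code says so and the next cleanup is likely to remove it for symmetry. A one-line comment on the retained flag, `/* kept on this BE link on purpose; only the FE flags were dropped (see commit 6e4cac23c5a6) */`, would settle that.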
diff --git a/queue-4.10/ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch b/queue-4.10/ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch
new file mode 100644 (file)
index 0000000..12d310c
--- /dev/null
@@ -0,0 +1,78 @@
+From 8179a101eb5f4ef0ac9a915fcea9a9d3109efa90 Mon Sep 17 00:00:00 2001
+From: "Yan, Zheng" <zyan@redhat.com>
+Date: Wed, 19 Apr 2017 10:01:48 +0800
+Subject: ceph: fix recursion between ceph_set_acl() and __ceph_setattr()
+
+From: Yan, Zheng <zyan@redhat.com>
+
+commit 8179a101eb5f4ef0ac9a915fcea9a9d3109efa90 upstream.
+
+ceph_set_acl() calls __ceph_setattr() if the setacl operation needs
+to modify inode's i_mode. __ceph_setattr() updates inode's i_mode,
+then calls posix_acl_chmod().
+
+The problem is that __ceph_setattr() calls posix_acl_chmod() before
+sending the setattr request. The get_acl() call in posix_acl_chmod()
+can trigger a getxattr request. The reply of the getxattr request
+can restore inode's i_mode to its old value. The set_acl() call in
+posix_acl_chmod() sees old value of inode's i_mode, so it calls
+__ceph_setattr() again.
+
+Link: http://tracker.ceph.com/issues/19688
+Reported-by: Jerry Lee <leisurelysw24@gmail.com>
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Tested-by: Luis Henriques <lhenriques@suse.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/inode.c |   22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -2069,11 +2069,6 @@ int __ceph_setattr(struct inode *inode,
+       if (inode_dirty_flags)
+               __mark_inode_dirty(inode, inode_dirty_flags);
+-      if (ia_valid & ATTR_MODE) {
+-              err = posix_acl_chmod(inode, attr->ia_mode);
+-              if (err)
+-                      goto out_put;
+-      }
+       if (mask) {
+               req->r_inode = inode;
+@@ -2087,13 +2082,11 @@ int __ceph_setattr(struct inode *inode,
+            ceph_cap_string(dirtied), mask);
+       ceph_mdsc_put_request(req);
+-      if (mask & CEPH_SETATTR_SIZE)
+-              __ceph_do_pending_vmtruncate(inode);
+-      ceph_free_cap_flush(prealloc_cf);
+-      return err;
+-out_put:
+-      ceph_mdsc_put_request(req);
+       ceph_free_cap_flush(prealloc_cf);
++
++      if (err >= 0 && (mask & CEPH_SETATTR_SIZE))
++              __ceph_do_pending_vmtruncate(inode);
++
+       return err;
+ }
+@@ -2112,7 +2105,12 @@ int ceph_setattr(struct dentry *dentry,
+       if (err != 0)
+               return err;
+-      return __ceph_setattr(inode, attr);
++      err = __ceph_setattr(inode, attr);
++
++      if (err >= 0 && (attr->ia_valid & ATTR_MODE))
++              err = posix_acl_chmod(inode, attr->ia_mode);
++
++      return err;
+ }
+ /*
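Review bot: The reason `posix_acl_chmod()` now runs in `ceph_setattr()` after `__ceph_setattr()` returns exists only in the commit message; in the code it reads like an arbitrary reordering. A comment above the new call, `/* after __ceph_setattr(): posix_acl_chmod() may call ceph_set_acl(), which calls __ceph_setattr() itself */`, would stop a later cleanup from moving it back inside `__ceph_setattr()` and recreating the recursion. Both functions start outside the hunks.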
diff --git a/queue-4.10/cpu-hotplug-serialize-callback-invocations-proper.patch b/queue-4.10/cpu-hotplug-serialize-callback-invocations-proper.patch
new file mode 100644 (file)
index 0000000..2bea5f0
--- /dev/null
@@ -0,0 +1,157 @@
+From dc434e056fe1dada20df7ba07f32739d3a701adf Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Tue, 14 Mar 2017 16:06:45 +0100
+Subject: cpu/hotplug: Serialize callback invocations proper
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+commit dc434e056fe1dada20df7ba07f32739d3a701adf upstream.
+
+The setup/remove_state/instance() functions in the hotplug core code are
+serialized against concurrent CPU hotplug, but unfortunately not serialized
+against themself.
+
+As a consequence a concurrent invocation of these function results in
+corruption of the callback machinery because two instances try to invoke
+callbacks on remote cpus at the same time. This results in missing callback
+invocations and initiator threads waiting forever on the completion.
+
+The obvious solution to replace get_cpu_online() with cpu_hotplug_begin()
+is not possible because at least one callsite calls into these functions
+from a get_online_cpu() locked region.
+
+Extend the protection scope of the cpuhp_state_mutex from solely protecting
+the state arrays to cover the callback invocation machinery as well.
+
+Fixes: 5b7aa87e0482 ("cpu/hotplug: Implement setup/removal interface")
+Reported-and-tested-by: Bart Van Assche <Bart.VanAssche@sandisk.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Cc: hpa@zytor.com
+Cc: mingo@kernel.org
+Cc: akpm@linux-foundation.org
+Cc: torvalds@linux-foundation.org
+Link: http://lkml.kernel.org/r/20170314150645.g4tdyoszlcbajmna@linutronix.de
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cpu.c |   28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -1333,26 +1333,21 @@ static int cpuhp_store_callbacks(enum cp
+       struct cpuhp_step *sp;
+       int ret = 0;
+-      mutex_lock(&cpuhp_state_mutex);
+-
+       if (state == CPUHP_AP_ONLINE_DYN || state == CPUHP_BP_PREPARE_DYN) {
+               ret = cpuhp_reserve_state(state);
+               if (ret < 0)
+-                      goto out;
++                      return ret;
+               state = ret;
+       }
+       sp = cpuhp_get_step(state);
+-      if (name && sp->name) {
+-              ret = -EBUSY;
+-              goto out;
+-      }
++      if (name && sp->name)
++              return -EBUSY;
++
+       sp->startup.single = startup;
+       sp->teardown.single = teardown;
+       sp->name = name;
+       sp->multi_instance = multi_instance;
+       INIT_HLIST_HEAD(&sp->list);
+-out:
+-      mutex_unlock(&cpuhp_state_mutex);
+       return ret;
+ }
+@@ -1426,6 +1421,7 @@ int __cpuhp_state_add_instance(enum cpuh
+               return -EINVAL;
+       get_online_cpus();
++      mutex_lock(&cpuhp_state_mutex);
+       if (!invoke || !sp->startup.multi)
+               goto add_node;
+@@ -1445,16 +1441,14 @@ int __cpuhp_state_add_instance(enum cpuh
+               if (ret) {
+                       if (sp->teardown.multi)
+                               cpuhp_rollback_install(cpu, state, node);
+-                      goto err;
++                      goto unlock;
+               }
+       }
+ add_node:
+       ret = 0;
+-      mutex_lock(&cpuhp_state_mutex);
+       hlist_add_head(node, &sp->list);
++unlock:
+       mutex_unlock(&cpuhp_state_mutex);
+-
+-err:
+       put_online_cpus();
+       return ret;
+ }
+@@ -1489,6 +1483,7 @@ int __cpuhp_setup_state(enum cpuhp_state
+               return -EINVAL;
+       get_online_cpus();
++      mutex_lock(&cpuhp_state_mutex);
+       ret = cpuhp_store_callbacks(state, name, startup, teardown,
+                                   multi_instance);
+@@ -1522,6 +1517,7 @@ int __cpuhp_setup_state(enum cpuhp_state
+               }
+       }
+ out:
++      mutex_unlock(&cpuhp_state_mutex);
+       put_online_cpus();
+       /*
+        * If the requested state is CPUHP_AP_ONLINE_DYN, return the
+@@ -1545,6 +1541,8 @@ int __cpuhp_state_remove_instance(enum c
+               return -EINVAL;
+       get_online_cpus();
++      mutex_lock(&cpuhp_state_mutex);
++
+       if (!invoke || !cpuhp_get_teardown_cb(state))
+               goto remove;
+       /*
+@@ -1561,7 +1559,6 @@ int __cpuhp_state_remove_instance(enum c
+       }
+ remove:
+-      mutex_lock(&cpuhp_state_mutex);
+       hlist_del(node);
+       mutex_unlock(&cpuhp_state_mutex);
+       put_online_cpus();
+@@ -1569,6 +1566,7 @@ remove:
+       return 0;
+ }
+ EXPORT_SYMBOL_GPL(__cpuhp_state_remove_instance);
++
+ /**
+  * __cpuhp_remove_state - Remove the callbacks for an hotplug machine state
+  * @state:    The state to remove
+@@ -1587,6 +1585,7 @@ void __cpuhp_remove_state(enum cpuhp_sta
+       get_online_cpus();
++      mutex_lock(&cpuhp_state_mutex);
+       if (sp->multi_instance) {
+               WARN(!hlist_empty(&sp->list),
+                    "Error: Removing state %d which has instances left.\n",
+@@ -1611,6 +1610,7 @@ void __cpuhp_remove_state(enum cpuhp_sta
+       }
+ remove:
+       cpuhp_store_callbacks(state, NULL, NULL, NULL, false);
++      mutex_unlock(&cpuhp_state_mutex);
+       put_online_cpus();
+ }
+ EXPORT_SYMBOL(__cpuhp_remove_state);
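Review bot: `cpuhp_store_callbacks()` no longer takes `cpuhp_state_mutex` and now depends on every caller holding it, but nothing in the function states or checks that contract. Adding `lockdep_assert_held(&cpuhp_state_mutex);` at its top, before the `CPUHP_AP_ONLINE_DYN` test, documents the new locking rule and catches a future caller that forgets the lock. The function's signature and the tail of `__cpuhp_setup_state()` lie outside the hunks, so other callers cannot be checked from here.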
diff --git a/queue-4.10/input-i8042-add-clevo-p650rs-to-the-i8042-reset-list.patch b/queue-4.10/input-i8042-add-clevo-p650rs-to-the-i8042-reset-list.patch
new file mode 100644 (file)
index 0000000..cecc9fc
--- /dev/null
@@ -0,0 +1,41 @@
+From 7c5bb4ac2b76d2a09256aec8a7d584bf3e2b0466 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Thu, 13 Apr 2017 15:36:31 -0700
+Subject: Input: i8042 - add Clevo P650RS to the i8042 reset list
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 7c5bb4ac2b76d2a09256aec8a7d584bf3e2b0466 upstream.
+
+Clevo P650RS and other similar devices require i8042 to be reset in order
+to detect Synaptics touchpad.
+
+Reported-by: Paweł Bylica <chfast@gmail.com>
+Tested-by: Ed Bordin <edbordin@gmail.com>
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=190301
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/serio/i8042-x86ia64io.h |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -613,6 +613,13 @@ static const struct dmi_system_id __init
+                       DMI_MATCH(DMI_PRODUCT_NAME, "20046"),
+               },
+       },
++      {
++              /* Clevo P650RS, 650RP6, Sager NP8152-S, and others */
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "P65xRP"),
++              },
++      },
+       { }
+ };
diff --git a/queue-4.10/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch b/queue-4.10/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch
new file mode 100644 (file)
index 0000000..96379c4
--- /dev/null
@@ -0,0 +1,72 @@
+From 4d6fa57b4dab0d77f4d8e9d9c73d1e63f6fe8fee Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Fri, 21 Apr 2017 23:14:48 +0200
+Subject: macsec: avoid heap overflow in skb_to_sgvec
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+commit 4d6fa57b4dab0d77f4d8e9d9c73d1e63f6fe8fee upstream.
+
+While this may appear as a humdrum one line change, it's actually quite
+important. An sk_buff stores data in three places:
+
+1. A linear chunk of allocated memory in skb->data. This is the easiest
+   one to work with, but it precludes using scatterdata since the memory
+   must be linear.
+2. The array skb_shinfo(skb)->frags, which is of maximum length
+   MAX_SKB_FRAGS. This is nice for scattergather, since these fragments
+   can point to different pages.
+3. skb_shinfo(skb)->frag_list, which is a pointer to another sk_buff,
+   which in turn can have data in either (1) or (2).
+
+The first two are rather easy to deal with, since they're of a fixed
+maximum length, while the third one is not, since there can be
+potentially limitless chains of fragments. Fortunately dealing with
+frag_list is opt-in for drivers, so drivers don't actually have to deal
+with this mess. For whatever reason, macsec decided it wanted pain, and
+so it explicitly specified NETIF_F_FRAGLIST.
+
+Because dealing with (1), (2), and (3) is insane, most users of sk_buff
+doing any sort of crypto or paging operation calls a convenient function
+called skb_to_sgvec (which happens to be recursive if (3) is in use!).
+This takes a sk_buff as input, and writes into its output pointer an
+array of scattergather list items. Sometimes people like to declare a
+fixed size scattergather list on the stack; othertimes people like to
+allocate a fixed size scattergather list on the heap. However, if you're
+doing it in a fixed-size fashion, you really shouldn't be using
+NETIF_F_FRAGLIST too (unless you're also ensuring the sk_buff and its
+frag_list children arent't shared and then you check the number of
+fragments in total required.)
+
+Macsec specifically does this:
+
+        size += sizeof(struct scatterlist) * (MAX_SKB_FRAGS + 1);
+        tmp = kmalloc(size, GFP_ATOMIC);
+        *sg = (struct scatterlist *)(tmp + sg_offset);
+       ...
+        sg_init_table(sg, MAX_SKB_FRAGS + 1);
+        skb_to_sgvec(skb, sg, 0, skb->len);
+
+Specifying MAX_SKB_FRAGS + 1 is the right answer usually, but not if you're
+using NETIF_F_FRAGLIST, in which case the call to skb_to_sgvec will
+overflow the heap, and disaster ensues.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/macsec.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -2713,7 +2713,7 @@ static netdev_tx_t macsec_start_xmit(str
+ }
+ #define MACSEC_FEATURES \
+-      (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST)
++      (NETIF_F_SG | NETIF_F_HIGHDMA)
+ static struct lock_class_key macsec_netdev_addr_lock_key;
+ static int macsec_dev_init(struct net_device *dev)
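Review bot: Dropping `NETIF_F_FRAGLIST` removes the trigger but leaves the underlying assumption unguarded: the scatterlists are still sized for `MAX_SKB_FRAGS + 1` entries, and the `skb_to_sgvec()` call quoted in the message ignores its return value, so re-adding the flag or any future path that hands macsec a frag_list skb would overrun the heap again. A comment on the define, `/* no NETIF_F_FRAGLIST: the sg arrays are sized for MAX_SKB_FRAGS + 1 and skb_to_sgvec() would overrun them on a frag_list */`, records the dependency on the line most likely to be edited. Validating the fragment count against the array size at the `sg_init_table()`/`skb_to_sgvec()` sites (outside this hunk) would be the defence-in-depth follow-up.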
diff --git a/queue-4.10/mips-avoid-bug-warning-in-arch_check_elf.patch b/queue-4.10/mips-avoid-bug-warning-in-arch_check_elf.patch
new file mode 100644 (file)
index 0000000..d5b4bda
--- /dev/null
@@ -0,0 +1,46 @@
+From c46f59e90226fa5bfcc83650edebe84ae47d454b Mon Sep 17 00:00:00 2001
+From: James Cowgill <James.Cowgill@imgtec.com>
+Date: Tue, 11 Apr 2017 13:51:07 +0100
+Subject: MIPS: Avoid BUG warning in arch_check_elf
+
+From: James Cowgill <James.Cowgill@imgtec.com>
+
+commit c46f59e90226fa5bfcc83650edebe84ae47d454b upstream.
+
+arch_check_elf contains a usage of current_cpu_data that will call
+smp_processor_id() with preemption enabled and therefore triggers a
+"BUG: using smp_processor_id() in preemptible" warning when an fpxx
+executable is loaded.
+
+As a follow-up to commit b244614a60ab ("MIPS: Avoid a BUG warning during
+prctl(PR_SET_FP_MODE, ...)"), apply the same fix to arch_check_elf by
+using raw_current_cpu_data instead. The rationale quoted from the previous
+commit:
+
+"It is assumed throughout the kernel that if any CPU has an FPU, then
+all CPUs would have an FPU as well, so it is safe to perform the check
+with preemption enabled - change the code to use raw_ variant of the
+check to avoid the warning."
+
+Fixes: 46490b572544 ("MIPS: kernel: elf: Improve the overall ABI and FPU mode checks")
+Signed-off-by: James Cowgill <James.Cowgill@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/15951/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/elf.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/elf.c
++++ b/arch/mips/kernel/elf.c
+@@ -257,7 +257,7 @@ int arch_check_elf(void *_ehdr, bool has
+       else if ((prog_req.fr1 && prog_req.frdefault) ||
+                (prog_req.single && !prog_req.frdefault))
+               /* Make sure 64-bit MIPS III/IV/64R1 will not pick FR1 */
+-              state->overall_fp_mode = ((current_cpu_data.fpu_id & MIPS_FPIR_F64) &&
++              state->overall_fp_mode = ((raw_current_cpu_data.fpu_id & MIPS_FPIR_F64) &&
+                                         cpu_has_mips_r2_r6) ?
+                                         FP_FR1 : FP_FR0;
+       else if (prog_req.fr1)
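Review bot: The switch to `raw_current_cpu_data` is safe only under the assumption given in the commit message — every CPU has the same FPU — and that reasoning is not visible at the use site, so the line looks like a missing preempt-disable to a later reader. A short comment above the assignment, `/* raw_: FPU presence is uniform across CPUs, so reading this preemptibly is safe */`, preserves the rationale in the code. `arch_check_elf()` begins before the hunk.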
diff --git a/queue-4.10/mips-cevt-r4k-fix-out-of-bounds-array-access.patch b/queue-4.10/mips-cevt-r4k-fix-out-of-bounds-array-access.patch
new file mode 100644 (file)
index 0000000..3ff60d2
--- /dev/null
@@ -0,0 +1,88 @@
+From 9d7f29cdb4ca53506115cf1d7a02ce6013894df0 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Wed, 5 Apr 2017 16:32:45 +0100
+Subject: MIPS: cevt-r4k: Fix out-of-bounds array access
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 9d7f29cdb4ca53506115cf1d7a02ce6013894df0 upstream.
+
+calculate_min_delta() may incorrectly access a 4th element of buf2[]
+which only has 3 elements. This may trigger undefined behaviour and has
+been reported to cause strange crashes in start_kernel() sometime after
+timer initialization when built with GCC 5.3, possibly due to
+register/stack corruption:
+
+sched_clock: 32 bits at 200MHz, resolution 5ns, wraps every 10737418237ns
+CPU 0 Unable to handle kernel paging request at virtual address ffffb0aa, epc == 8067daa8, ra == 8067da84
+Oops[#1]:
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.9.18 #51
+task: 8065e3e0 task.stack: 80644000
+$ 0   : 00000000 00000001 00000000 00000000
+$ 4   : 8065b4d0 00000000 805d0000 00000010
+$ 8   : 00000010 80321400 fffff000 812de408
+$12   : 00000000 00000000 00000000 ffffffff
+$16   : 00000002 ffffffff 80660000 806a666c
+$20   : 806c0000 00000000 00000000 00000000
+$24   : 00000000 00000010
+$28   : 80644000 80645ed0 00000000 8067da84
+Hi    : 00000000
+Lo    : 00000000
+epc   : 8067daa8 start_kernel+0x33c/0x500
+ra    : 8067da84 start_kernel+0x318/0x500
+Status: 11000402 KERNEL EXL
+Cause : 4080040c (ExcCode 03)
+BadVA : ffffb0aa
+PrId  : 0501992c (MIPS 1004Kc)
+Modules linked in:
+Process swapper/0 (pid: 0, threadinfo=80644000, task=8065e3e0, tls=00000000)
+Call Trace:
+[<8067daa8>] start_kernel+0x33c/0x500
+Code: 24050240  0c0131f9  24849c64 <a200b0a8> 41606020  000000c0  0c1a45e6 00000000  0c1a5f44
+
+UBSAN also detects the same issue:
+
+================================================================
+UBSAN: Undefined behaviour in arch/mips/kernel/cevt-r4k.c:85:41
+load of address 80647e4c with insufficient space
+for an object of type 'unsigned int'
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.9.18 #47
+Call Trace:
+[<80028f70>] show_stack+0x88/0xa4
+[<80312654>] dump_stack+0x84/0xc0
+[<8034163c>] ubsan_epilogue+0x14/0x50
+[<803417d8>] __ubsan_handle_type_mismatch+0x160/0x168
+[<8002dab0>] r4k_clockevent_init+0x544/0x764
+[<80684d34>] time_init+0x18/0x90
+[<8067fa5c>] start_kernel+0x2f0/0x500
+=================================================================
+
+buf2[] is intentionally only 3 elements so that the last element is the
+median once 5 samples have been inserted, so explicitly prevent the
+possibility of comparing against the 4th element rather than extending
+the array.
+
+Fixes: 1fa405552e33f2 ("MIPS: cevt-r4k: Dynamically calculate min_delta_ns")
+Reported-by: Rabin Vincent <rabinv@axis.com>
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Tested-by: Rabin Vincent <rabinv@axis.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/15892/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/cevt-r4k.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/cevt-r4k.c
++++ b/arch/mips/kernel/cevt-r4k.c
+@@ -80,7 +80,7 @@ static unsigned int calculate_min_delta(
+               }
+               /* Sorted insert of 75th percentile into buf2 */
+-              for (k = 0; k < i; ++k) {
++              for (k = 0; k < i && k < ARRAY_SIZE(buf2); ++k) {
+                       if (buf1[ARRAY_SIZE(buf1) - 1] < buf2[k]) {
+                               l = min_t(unsigned int,
+                                         i, ARRAY_SIZE(buf2) - 1);
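Review bot: The new bound in `for (k = 0; k < i && k < ARRAY_SIZE(buf2); ++k)` silently encodes the invariant the commit message spells out (buf2 deliberately has three slots and the last one becomes the median after five samples), but nothing in the code says so, and `min_t(unsigned int, i, ARRAY_SIZE(buf2) - 1)` two lines below depends on the same fact. A comment above the loop such as `/* buf2 intentionally holds only 3 entries (the last is the median once 5 samples are in); never index past it */` would keep the next editor from "fixing" the array size instead of the bound. If `k` and `i` are signed, comparing them against the `size_t` result of ARRAY_SIZE promotes them to unsigned, which is harmless here because k starts at 0 and only increments. calculate_min_delta() begins and ends outside this hunk, so the declared types of k and i are not visible.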
diff --git a/queue-4.10/mips-kgdb-use-kernel-context-for-sleeping-threads.patch b/queue-4.10/mips-kgdb-use-kernel-context-for-sleeping-threads.patch
new file mode 100644 (file)
index 0000000..22f985a
--- /dev/null
@@ -0,0 +1,125 @@
+From 162b270c664dca2e0944308e92f9fcc887151a72 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Thu, 30 Mar 2017 16:06:02 +0100
+Subject: MIPS: KGDB: Use kernel context for sleeping threads
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 162b270c664dca2e0944308e92f9fcc887151a72 upstream.
+
+KGDB is a kernel debug stub and it can't be used to debug userland as it
+can only safely access kernel memory.
+
+On MIPS however KGDB has always got the register state of sleeping
+processes from the userland register context at the beginning of the
+kernel stack. This is meaningless for kernel threads (which never enter
+userland), and for user threads it prevents the user seeing what it is
+doing while in the kernel:
+
+(gdb) info threads
+  Id   Target Id         Frame
+  ...
+  3    Thread 2 (kthreadd) 0x0000000000000000 in ?? ()
+  2    Thread 1 (init)   0x000000007705c4b4 in ?? ()
+  1    Thread -2 (shadowCPU0) 0xffffffff8012524c in arch_kgdb_breakpoint () at arch/mips/kernel/kgdb.c:201
+
+Get the register state instead from the (partial) kernel register
+context stored in the task's thread_struct for resume() to restore. All
+threads now correctly appear to be in context_switch():
+
+(gdb) info threads
+  Id   Target Id         Frame
+  ...
+  3    Thread 2 (kthreadd) context_switch (rq=<optimized out>, cookie=..., next=<optimized out>, prev=0x0) at kernel/sched/core.c:2903
+  2    Thread 1 (init)   context_switch (rq=<optimized out>, cookie=..., next=<optimized out>, prev=0x0) at kernel/sched/core.c:2903
+  1    Thread -2 (shadowCPU0) 0xffffffff8012524c in arch_kgdb_breakpoint () at arch/mips/kernel/kgdb.c:201
+
+Call clobbered registers which aren't saved and exception registers
+(BadVAddr & Cause) which can't be easily determined without stack
+unwinding are reported as 0. The PC is taken from the return address,
+such that the state presented matches that found immediately after
+returning from resume().
+
+Fixes: 8854700115ec ("[MIPS] kgdb: add arch support for the kernel's kgdb core")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Jason Wessel <jason.wessel@windriver.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/15829/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/kgdb.c |   48 +++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 33 insertions(+), 15 deletions(-)
+
+--- a/arch/mips/kernel/kgdb.c
++++ b/arch/mips/kernel/kgdb.c
+@@ -244,9 +244,6 @@ static int compute_signal(int tt)
+ void sleeping_thread_to_gdb_regs(unsigned long *gdb_regs, struct task_struct *p)
+ {
+       int reg;
+-      struct thread_info *ti = task_thread_info(p);
+-      unsigned long ksp = (unsigned long)ti + THREAD_SIZE - 32;
+-      struct pt_regs *regs = (struct pt_regs *)ksp - 1;
+ #if (KGDB_GDB_REG_SIZE == 32)
+       u32 *ptr = (u32 *)gdb_regs;
+ #else
+@@ -254,25 +251,46 @@ void sleeping_thread_to_gdb_regs(unsigne
+ #endif
+       for (reg = 0; reg < 16; reg++)
+-              *(ptr++) = regs->regs[reg];
++              *(ptr++) = 0;
+       /* S0 - S7 */
+-      for (reg = 16; reg < 24; reg++)
+-              *(ptr++) = regs->regs[reg];
++      *(ptr++) = p->thread.reg16;
++      *(ptr++) = p->thread.reg17;
++      *(ptr++) = p->thread.reg18;
++      *(ptr++) = p->thread.reg19;
++      *(ptr++) = p->thread.reg20;
++      *(ptr++) = p->thread.reg21;
++      *(ptr++) = p->thread.reg22;
++      *(ptr++) = p->thread.reg23;
+       for (reg = 24; reg < 28; reg++)
+               *(ptr++) = 0;
+       /* GP, SP, FP, RA */
+-      for (reg = 28; reg < 32; reg++)
+-              *(ptr++) = regs->regs[reg];
+-
+-      *(ptr++) = regs->cp0_status;
+-      *(ptr++) = regs->lo;
+-      *(ptr++) = regs->hi;
+-      *(ptr++) = regs->cp0_badvaddr;
+-      *(ptr++) = regs->cp0_cause;
+-      *(ptr++) = regs->cp0_epc;
++      *(ptr++) = (long)p;
++      *(ptr++) = p->thread.reg29;
++      *(ptr++) = p->thread.reg30;
++      *(ptr++) = p->thread.reg31;
++
++      *(ptr++) = p->thread.cp0_status;
++
++      /* lo, hi */
++      *(ptr++) = 0;
++      *(ptr++) = 0;
++
++      /*
++       * BadVAddr, Cause
++       * Ideally these would come from the last exception frame up the stack
++       * but that requires unwinding, otherwise we can't know much for sure.
++       */
++      *(ptr++) = 0;
++      *(ptr++) = 0;
++
++      /*
++       * PC
++       * use return address (RA), i.e. the moment after return from resume()
++       */
++      *(ptr++) = p->thread.reg31;
+ }
+ void kgdb_arch_set_pc(struct pt_regs *regs, unsigned long pc)
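Review bot: The GP slot is the only register in the rewritten sleeping_thread_to_gdb_regs() that is synthesised rather than read from `p->thread` (`*(ptr++) = (long)p;` right after the `/* GP, SP, FP, RA */` comment), yet it is the one substitute value without an explanation, while lo/hi, BadVAddr/Cause and PC each get a comment. A line such as `/* GP: no saved copy in thread_struct; report the task pointer as the nearest known value */` would record the intent — and it is worth confirming that the task_struct address is what the debugger expects, since on MIPS the kernel's gp is conventionally the thread_info pointer, which on this kernel is not necessarily the same object. The zeroed call-clobbered registers and the PC taken from reg31 match what the commit message describes. The function's signature and closing brace are both inside this hunk, although the inner patch skips a few unchanged lines between its two hunks.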
diff --git a/queue-4.10/net-can-usb-gs_usb-fix-buffer-on-stack.patch b/queue-4.10/net-can-usb-gs_usb-fix-buffer-on-stack.patch
new file mode 100644 (file)
index 0000000..0905dbd
--- /dev/null
@@ -0,0 +1,59 @@
+From b05c73bd1e3ec60357580eb042ee932a5ed754d5 Mon Sep 17 00:00:00 2001
+From: Maksim Salau <maksim.salau@gmail.com>
+Date: Sun, 23 Apr 2017 20:31:40 +0300
+Subject: net: can: usb: gs_usb: Fix buffer on stack
+
+From: Maksim Salau <maksim.salau@gmail.com>
+
+commit b05c73bd1e3ec60357580eb042ee932a5ed754d5 upstream.
+
+Allocate buffers on HEAP instead of STACK for local structures
+that are to be sent using usb_control_msg().
+
+Signed-off-by: Maksim Salau <maksim.salau@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/gs_usb.c |   17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -740,13 +740,18 @@ static const struct net_device_ops gs_us
+ static int gs_usb_set_identify(struct net_device *netdev, bool do_identify)
+ {
+       struct gs_can *dev = netdev_priv(netdev);
+-      struct gs_identify_mode imode;
++      struct gs_identify_mode *imode;
+       int rc;
++      imode = kmalloc(sizeof(*imode), GFP_KERNEL);
++
++      if (!imode)
++              return -ENOMEM;
++
+       if (do_identify)
+-              imode.mode = GS_CAN_IDENTIFY_ON;
++              imode->mode = GS_CAN_IDENTIFY_ON;
+       else
+-              imode.mode = GS_CAN_IDENTIFY_OFF;
++              imode->mode = GS_CAN_IDENTIFY_OFF;
+       rc = usb_control_msg(interface_to_usbdev(dev->iface),
+                            usb_sndctrlpipe(interface_to_usbdev(dev->iface),
+@@ -756,10 +761,12 @@ static int gs_usb_set_identify(struct ne
+                            USB_RECIP_INTERFACE,
+                            dev->channel,
+                            0,
+-                           &imode,
+-                           sizeof(imode),
++                           imode,
++                           sizeof(*imode),
+                            100);
++      kfree(imode);
++
+       return (rc > 0) ? 0 : rc;
+ }
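Review bot: The reason for moving `imode` off the stack is not stated in the code: buffers handed to usb_control_msg() must be DMA-capable, and stack memory is not, which is what the commit title alludes to but a future cleanup may not know. A comment at the allocation, `/* usb_control_msg() needs a DMA-able buffer; a stack local does not qualify */`, would stop someone from reverting this to a local to "save an allocation". The allocation is checked, and `kfree(imode)` follows the single usb_control_msg() call with no early return in between, so nothing leaks. If other usb_control_msg() callers in this driver pass addresses of locals (none are visible in this hunk), they need the same treatment.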
diff --git a/queue-4.10/nfsd-check-for-oversized-nfsv2-v3-arguments.patch b/queue-4.10/nfsd-check-for-oversized-nfsv2-v3-arguments.patch
new file mode 100644 (file)
index 0000000..8c51481
--- /dev/null
@@ -0,0 +1,103 @@
+From e6838a29ecb484c97e4efef9429643b9851fba6e Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Fri, 21 Apr 2017 16:10:18 -0400
+Subject: nfsd: check for oversized NFSv2/v3 arguments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit e6838a29ecb484c97e4efef9429643b9851fba6e upstream.
+
+A client can append random data to the end of an NFSv2 or NFSv3 RPC call
+without our complaining; we'll just stop parsing at the end of the
+expected data and ignore the rest.
+
+Encoded arguments and replies are stored together in an array of pages,
+and if a call is too large it could leave inadequate space for the
+reply.  This is normally OK because NFS RPC's typically have either
+short arguments and long replies (like READ) or long arguments and short
+replies (like WRITE).  But a client that sends an incorrectly long reply
+can violate those assumptions.  This was observed to cause crashes.
+
+Also, several operations increment rq_next_page in the decode routine
+before checking the argument size, which can leave rq_next_page pointing
+well past the end of the page array, causing trouble later in
+svc_free_pages.
+
+So, following a suggestion from Neil Brown, add a central check to
+enforce our expectation that no NFSv2/v3 call has both a large call and
+a large reply.
+
+As followup we may also want to rewrite the encoding routines to check
+more carefully that they aren't running off the end of the page array.
+
+We may also consider rejecting calls that have any extra garbage
+appended.  That would be safer, and within our rights by spec, but given
+the age of our server and the NFS protocol, and the fact that we've
+never enforced this before, we may need to balance that against the
+possibility of breaking some oddball client.
+
+Reported-by: Tuomas Haanpää <thaan@synopsys.com>
+Reported-by: Ari Kauppi <ari@synopsys.com>
+Reviewed-by: NeilBrown <neilb@suse.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfssvc.c |   36 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+--- a/fs/nfsd/nfssvc.c
++++ b/fs/nfsd/nfssvc.c
+@@ -733,6 +733,37 @@ static __be32 map_new_errors(u32 vers, _
+       return nfserr;
+ }
++/*
++ * A write procedure can have a large argument, and a read procedure can
++ * have a large reply, but no NFSv2 or NFSv3 procedure has argument and
++ * reply that can both be larger than a page.  The xdr code has taken
++ * advantage of this assumption to be a sloppy about bounds checking in
++ * some cases.  Pending a rewrite of the NFSv2/v3 xdr code to fix that
++ * problem, we enforce these assumptions here:
++ */
++static bool nfs_request_too_big(struct svc_rqst *rqstp,
++                              struct svc_procedure *proc)
++{
++      /*
++       * The ACL code has more careful bounds-checking and is not
++       * susceptible to this problem:
++       */
++      if (rqstp->rq_prog != NFS_PROGRAM)
++              return false;
++      /*
++       * Ditto NFSv4 (which can in theory have argument and reply both
++       * more than a page):
++       */
++      if (rqstp->rq_vers >= 4)
++              return false;
++      /* The reply will be small, we're OK: */
++      if (proc->pc_xdrressize > 0 &&
++          proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE))
++              return false;
++
++      return rqstp->rq_arg.len > PAGE_SIZE;
++}
++
+ int
+ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
+ {
+@@ -745,6 +776,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __
+                               rqstp->rq_vers, rqstp->rq_proc);
+       proc = rqstp->rq_procinfo;
++      if (nfs_request_too_big(rqstp, proc)) {
++              dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers);
++              *statp = rpc_garbage_args;
++              return 1;
++      }
+       /*
+        * Give the xdr decoder a chance to change this if it wants
+        * (necessary in the NFSv4.0 compound case)
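Review bot: nfs_request_too_big() carries no statement of what its return value means, and the header comment above it stops mid-thought at `we enforce these assumptions here:`; a contract line such as `/* Returns true when the call must be refused with rpc_garbage_args: NFSv2/v3, reply not known to fit in a page, and arguments longer than a page. */` would make the three early `return false` paths read as the allow-list they are. Treating `pc_xdrressize == 0` (reply size unknown) as potentially large is the conservative choice and deserves a word at `/* The reply will be small, we're OK: */`, since the condition only clears procedures whose size is both known and small. Rejections are only visible under dprintk (`dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers);`), so a client that keeps sending oversized calls leaves no trace in a production log; if that matters operationally, a rate-limited warning or a counter would give operators something to see. nfsd_dispatch() continues outside the hunk.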
diff --git a/queue-4.10/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch b/queue-4.10/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch
new file mode 100644 (file)
index 0000000..d8b072a
--- /dev/null
@@ -0,0 +1,60 @@
+From 13bf9fbff0e5e099e2b6f003a0ab8ae145436309 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Fri, 21 Apr 2017 15:26:30 -0400
+Subject: nfsd: stricter decoding of write-like NFSv2/v3 ops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit 13bf9fbff0e5e099e2b6f003a0ab8ae145436309 upstream.
+
+The NFSv2/v3 code does not systematically check whether we decode past
+the end of the buffer.  This generally appears to be harmless, but there
+are a few places where we do arithmetic on the pointers involved and
+don't account for the possibility that a length could be negative.  Add
+checks to catch these.
+
+Reported-by: Tuomas Haanpää <thaan@synopsys.com>
+Reported-by: Ari Kauppi <ari@synopsys.com>
+Reviewed-by: NeilBrown <neilb@suse.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs3xdr.c |    4 ++++
+ fs/nfsd/nfsxdr.c  |    2 ++
+ 2 files changed, 6 insertions(+)
+
+--- a/fs/nfsd/nfs3xdr.c
++++ b/fs/nfsd/nfs3xdr.c
+@@ -369,6 +369,8 @@ nfs3svc_decode_writeargs(struct svc_rqst
+       args->count = ntohl(*p++);
+       args->stable = ntohl(*p++);
+       len = args->len = ntohl(*p++);
++      if ((void *)p > head->iov_base + head->iov_len)
++              return 0;
+       /*
+        * The count must equal the amount of data passed.
+        */
+@@ -472,6 +474,8 @@ nfs3svc_decode_symlinkargs(struct svc_rq
+       /* first copy and check from the first page */
+       old = (char*)p;
+       vec = &rqstp->rq_arg.head[0];
++      if ((void *)old > vec->iov_base + vec->iov_len)
++              return 0;
+       avail = vec->iov_len - (old - (char*)vec->iov_base);
+       while (len && avail && *old) {
+               *new++ = *old++;
+--- a/fs/nfsd/nfsxdr.c
++++ b/fs/nfsd/nfsxdr.c
+@@ -302,6 +302,8 @@ nfssvc_decode_writeargs(struct svc_rqst
+        * bytes.
+        */
+       hdr = (void*)p - head->iov_base;
++      if (hdr > head->iov_len)
++              return 0;
+       dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
+       /*
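Review bot: In the nfs3xdr.c writeargs hunk the new check `if ((void *)p > head->iov_base + head->iov_len) return 0;` sits after three `*p++` reads (`args->count`, `args->stable`, `len`), so those reads are performed before p is validated; the check stops the later pointer arithmetic from going negative, as the commit message says, but does not itself bound the reads. The head buffer is presumably at least a page so the reads stay inside allocated memory, but that should be confirmed rather than assumed. The nfsxdr.c hunk has the same shape, with `if (hdr > head->iov_len)` following the decode of the fixed fields and `hdr` being an `unsigned int` computed from a pointer difference. Both hunks rely on the `head` local introduced by the separate nfsd4-minor-nfsv2-v3-write-decoding-cleanup patch, so that patch must stay ahead of this one in the series, as it does in this commit's series file. The enclosing decode functions start and end outside these hunks.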
diff --git a/queue-4.10/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch b/queue-4.10/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch
new file mode 100644 (file)
index 0000000..979901d
--- /dev/null
@@ -0,0 +1,82 @@
+From db44bac41bbfc0c0d9dd943092d8bded3c9db19b Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Tue, 25 Apr 2017 16:21:34 -0400
+Subject: nfsd4: minor NFSv2/v3 write decoding cleanup
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit db44bac41bbfc0c0d9dd943092d8bded3c9db19b upstream.
+
+Use a couple shortcuts that will simplify a following bugfix.
+
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs3xdr.c |    9 +++++----
+ fs/nfsd/nfsxdr.c  |    8 ++++----
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+--- a/fs/nfsd/nfs3xdr.c
++++ b/fs/nfsd/nfs3xdr.c
+@@ -358,6 +358,8 @@ nfs3svc_decode_writeargs(struct svc_rqst
+ {
+       unsigned int len, v, hdr, dlen;
+       u32 max_blocksize = svc_max_payload(rqstp);
++      struct kvec *head = rqstp->rq_arg.head;
++      struct kvec *tail = rqstp->rq_arg.tail;
+       p = decode_fh(p, &args->fh);
+       if (!p)
+@@ -377,9 +379,8 @@ nfs3svc_decode_writeargs(struct svc_rqst
+        * Check to make sure that we got the right number of
+        * bytes.
+        */
+-      hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
+-      dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
+-              + rqstp->rq_arg.tail[0].iov_len - hdr;
++      hdr = (void*)p - head->iov_base;
++      dlen = head->iov_len + rqstp->rq_arg.page_len + tail->iov_len - hdr;
+       /*
+        * Round the length of the data which was specified up to
+        * the next multiple of XDR units and then compare that
+@@ -396,7 +397,7 @@ nfs3svc_decode_writeargs(struct svc_rqst
+               len = args->len = max_blocksize;
+       }
+       rqstp->rq_vec[0].iov_base = (void*)p;
+-      rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
++      rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
+       v = 0;
+       while (len > rqstp->rq_vec[v].iov_len) {
+               len -= rqstp->rq_vec[v].iov_len;
+--- a/fs/nfsd/nfsxdr.c
++++ b/fs/nfsd/nfsxdr.c
+@@ -280,6 +280,7 @@ nfssvc_decode_writeargs(struct svc_rqst
+                                       struct nfsd_writeargs *args)
+ {
+       unsigned int len, hdr, dlen;
++      struct kvec *head = rqstp->rq_arg.head;
+       int v;
+       p = decode_fh(p, &args->fh);
+@@ -300,9 +301,8 @@ nfssvc_decode_writeargs(struct svc_rqst
+        * Check to make sure that we got the right number of
+        * bytes.
+        */
+-      hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
+-      dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
+-              - hdr;
++      hdr = (void*)p - head->iov_base;
++      dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
+       /*
+        * Round the length of the data which was specified up to
+@@ -316,7 +316,7 @@ nfssvc_decode_writeargs(struct svc_rqst
+               return 0;
+       rqstp->rq_vec[0].iov_base = (void*)p;
+-      rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
++      rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
+       v = 0;
+       while (len > rqstp->rq_vec[v].iov_len) {
+               len -= rqstp->rq_vec[v].iov_len;
diff --git a/queue-4.10/p9_client_readdir-fix.patch b/queue-4.10/p9_client_readdir-fix.patch
new file mode 100644 (file)
index 0000000..b82f59e
--- /dev/null
@@ -0,0 +1,32 @@
+From 71d6ad08379304128e4bdfaf0b4185d54375423e Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 14 Apr 2017 17:22:18 -0400
+Subject: p9_client_readdir() fix
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 71d6ad08379304128e4bdfaf0b4185d54375423e upstream.
+
+Don't assume that server is sane and won't return more data than
+asked for.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/9p/client.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -2101,6 +2101,10 @@ int p9_client_readdir(struct p9_fid *fid
+               trace_9p_protocol_dump(clnt, req->rc);
+               goto free_and_error;
+       }
++      if (rsize < count) {
++              pr_err("bogus RREADDIR count (%d > %d)\n", count, rsize);
++              count = rsize;
++      }
+       p9_debug(P9_DEBUG_9P, "<<< RREADDIR count %d\n", count);
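Review bot: The new `pr_err("bogus RREADDIR count (%d > %d)\n", count, rsize);` fires on every reply from a misbehaving or hostile server and is not rate-limited, so a remote peer can fill the kernel log at will; `pr_err_ratelimited(...)` keeps the signal without the flood. Clamping with `count = rsize;` is the right defensive response and keeps the subsequent copy within what was asked for. The declarations of count and rsize are outside this hunk; if count is unsigned and rsize is int, `rsize < count` is evaluated as unsigned, which is fine while rsize is non-negative, but `%d` would then misprint large unsigned counts. p9_client_readdir() starts and ends outside the hunk.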
diff --git a/queue-4.10/scsi-return-correct-blkprep-status-code-in-case-scsi_init_io-fails.patch b/queue-4.10/scsi-return-correct-blkprep-status-code-in-case-scsi_init_io-fails.patch
new file mode 100644 (file)
index 0000000..ab26365
--- /dev/null
@@ -0,0 +1,48 @@
+From e7661a8e5ce10b5321882d0bbaf3f81070903319 Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Wed, 12 Apr 2017 09:21:19 +0200
+Subject: scsi: return correct blkprep status code in case scsi_init_io() fails.
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+commit e7661a8e5ce10b5321882d0bbaf3f81070903319 upstream.
+
+When instrumenting the SCSI layer to run into the
+!blk_rq_nr_phys_segments(rq) case the following warning emitted from the
+block layer:
+
+blk_peek_request: bad return=-22
+
+This happens because since commit fd3fc0b4d730 ("scsi: don't BUG_ON()
+empty DMA transfers") we return the wrong error value from
+scsi_prep_fn() back to the block layer.
+
+[mkp: silenced checkpatch]
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Fixes: fd3fc0b4d730 scsi: don't BUG_ON() empty DMA transfers
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Reviewed-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_lib.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -1038,10 +1038,10 @@ int scsi_init_io(struct scsi_cmnd *cmd)
+       struct scsi_device *sdev = cmd->device;
+       struct request *rq = cmd->request;
+       bool is_mq = (rq->mq_ctx != NULL);
+-      int error;
++      int error = BLKPREP_KILL;
+       if (WARN_ON_ONCE(!blk_rq_nr_phys_segments(rq)))
+-              return -EINVAL;
++              goto err_exit;
+       error = scsi_init_sgtable(rq, &cmd->sdb);
+       if (error)
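Review bot: `int error = BLKPREP_KILL;` is overwritten unconditionally by `error = scsi_init_sgtable(rq, &cmd->sdb);` a few lines later, so the initializer exists only to feed the `goto err_exit;` on the no-segments path, and a reader has to connect those two lines to see why it is there. Either a comment on the initializer, `/* BLKPREP_KILL is what err_exit reports for a request with no segments */`, or assigning `error = BLKPREP_KILL;` immediately before the goto would make that explicit. The err_exit label and its return are outside this hunk, so I am assuming it hands `error` back to the block layer as the commit message describes. scsi_init_io() continues past the end of the hunk.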
index b42039659b2c1c5112fb2cc1cb36c20daf13e1dc..aa3a8c73da876c76b0518f66bf65b81d164bf3bb 100644 (file)
@@ -41,3 +41,21 @@ net-phy-fix-auto-negotiation-stall-due-to-unavailable-interrupt.patch
 ipv6-check-skb-protocol-before-lookup-for-nexthop.patch
 tcp-memset-ca_priv-data-to-0-properly.patch
 ipv6-check-raw-payload-size-correctly-in-ioctl.patch
+alsa-oxfw-fix-regression-to-handle-stanton-scs.1m-1d.patch
+alsa-firewire-lib-fix-inappropriate-assignment-between-signed-unsigned-type.patch
+alsa-seq-don-t-break-snd_use_lock_sync-loop-by-timeout.patch
+scsi-return-correct-blkprep-status-code-in-case-scsi_init_io-fails.patch
+arc-fix-build-error.patch
+mips-kgdb-use-kernel-context-for-sleeping-threads.patch
+mips-cevt-r4k-fix-out-of-bounds-array-access.patch
+mips-avoid-bug-warning-in-arch_check_elf.patch
+p9_client_readdir-fix.patch
+asoc-intel-fix-pm-and-non-atomic-crash-in-bytcr-drivers.patch
+input-i8042-add-clevo-p650rs-to-the-i8042-reset-list.patch
+nfsd-check-for-oversized-nfsv2-v3-arguments.patch
+nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch
+nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch
+ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch
+macsec-avoid-heap-overflow-in-skb_to_sgvec.patch
+net-can-usb-gs_usb-fix-buffer-on-stack.patch
+cpu-hotplug-serialize-callback-invocations-proper.patch