--- /dev/null
+From 76b3421b39bd610546931fc923edcf90c18fa395 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 30 Apr 2018 10:06:48 +0200
+Subject: ALSA: aloop: Add missing cable lock to ctl API callbacks
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 76b3421b39bd610546931fc923edcf90c18fa395 upstream.
+
+Some control API callbacks in aloop driver are too lazy to take the
+loopback->cable_lock and it results in possible races of cable access
+while it's being freed. It eventually lead to a UAF, as reported by
+fuzzer recently.
+
+This patch covers such control API callbacks and add the proper mutex
+locks.
+
+Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/drivers/aloop.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -832,9 +832,11 @@ static int loopback_rate_shift_get(struc
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+
++ mutex_lock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] =
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].rate_shift;
++ mutex_unlock(&loopback->cable_lock);
+ return 0;
+ }
+
+@@ -866,9 +868,11 @@ static int loopback_notify_get(struct sn
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+
++ mutex_lock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] =
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].notify;
++ mutex_unlock(&loopback->cable_lock);
+ return 0;
+ }
+
+@@ -880,12 +884,14 @@ static int loopback_notify_put(struct sn
+ int change = 0;
+
+ val = ucontrol->value.integer.value[0] ? 1 : 0;
++ mutex_lock(&loopback->cable_lock);
+ if (val != loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].notify) {
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].notify = val;
+ change = 1;
+ }
++ mutex_unlock(&loopback->cable_lock);
+ return change;
+ }
+
+@@ -893,15 +899,18 @@ static int loopback_active_get(struct sn
+ struct snd_ctl_elem_value *ucontrol)
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+- struct loopback_cable *cable = loopback->cables
+- [kcontrol->id.subdevice][kcontrol->id.device ^ 1];
++ struct loopback_cable *cable;
++
+ unsigned int val = 0;
+
++ mutex_lock(&loopback->cable_lock);
++ cable = loopback->cables[kcontrol->id.subdevice][kcontrol->id.device ^ 1];
+ if (cable != NULL) {
+ unsigned int running = cable->running ^ cable->pause;
+
+ val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0;
+ }
++ mutex_unlock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] = val;
+ return 0;
+ }
+@@ -944,9 +953,11 @@ static int loopback_rate_get(struct snd_
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+
++ mutex_lock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] =
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].rate;
++ mutex_unlock(&loopback->cable_lock);
+ return 0;
+ }
+
+@@ -966,9 +977,11 @@ static int loopback_channels_get(struct
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+
++ mutex_lock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] =
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].channels;
++ mutex_unlock(&loopback->cable_lock);
+ return 0;
+ }
+
--- /dev/null
+From 306a4f3ca7f3c7dfa473ebd19d66e40e59d99734 Mon Sep 17 00:00:00 2001
+From: Robert Rosengren <robert.rosengren@axis.com>
+Date: Mon, 26 Mar 2018 07:24:49 +0200
+Subject: ALSA: aloop: Mark paused device as inactive
+
+From: Robert Rosengren <robert.rosengren@axis.com>
+
+commit 306a4f3ca7f3c7dfa473ebd19d66e40e59d99734 upstream.
+
+Show paused ALSA aloop device as inactive, i.e. the control
+"PCM Slave Active" set as false. Notification sent upon state change.
+
+This makes it possible for client capturing from aloop device to know if
+data is expected. Without it the client expects data even if playback
+is paused.
+
+Signed-off-by: Robert Rosengren <robert.rosengren@axis.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/drivers/aloop.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -296,6 +296,8 @@ static int loopback_trigger(struct snd_p
+ cable->pause |= stream;
+ loopback_timer_stop(dpcm);
+ spin_unlock(&cable->lock);
++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
++ loopback_active_notify(dpcm);
+ break;
+ case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
+ case SNDRV_PCM_TRIGGER_RESUME:
+@@ -304,6 +306,8 @@ static int loopback_trigger(struct snd_p
+ cable->pause &= ~stream;
+ loopback_timer_start(dpcm);
+ spin_unlock(&cable->lock);
++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
++ loopback_active_notify(dpcm);
+ break;
+ default:
+ return -EINVAL;
+@@ -893,9 +897,11 @@ static int loopback_active_get(struct sn
+ [kcontrol->id.subdevice][kcontrol->id.device ^ 1];
+ unsigned int val = 0;
+
+- if (cable != NULL)
+- val = (cable->running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ?
+- 1 : 0;
++ if (cable != NULL) {
++ unsigned int running = cable->running ^ cable->pause;
++
++ val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0;
++ }
+ ucontrol->value.integer.value[0] = val;
+ return 0;
+ }
--- /dev/null
+From f13876e2c33a657a71bcbb10f767c0951b165020 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 2 May 2018 08:48:46 +0200
+Subject: ALSA: pcm: Check PCM state at xfern compat ioctl
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f13876e2c33a657a71bcbb10f767c0951b165020 upstream.
+
+Since snd_pcm_ioctl_xfern_compat() has no PCM state check, it may go
+further and hit the sanity check pcm_sanity_check() when the ioctl is
+called right after open. It may eventually spew a kernel warning, as
+triggered by syzbot, depending on kconfig.
+
+The lack of PCM state check there was just an oversight. Although
+it's no real crash, the spurious kernel warning is annoying, so let's
+add the proper check.
+
+Reported-by: syzbot+1dac3a4f6bc9c1c675d4@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_compat.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/pcm_compat.c
++++ b/sound/core/pcm_compat.c
+@@ -426,6 +426,8 @@ static int snd_pcm_ioctl_xfern_compat(st
+ return -ENOTTY;
+ if (substream->stream != dir)
+ return -EINVAL;
++ if (substream->runtime->status->state == SNDRV_PCM_STATE_OPEN)
++ return -EBADFD;
+
+ if ((ch = substream->runtime->channels) > 128)
+ return -EINVAL;
--- /dev/null
+From 8f22e52528cc372b218b5f100457469615c733ce Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 26 Apr 2018 09:17:45 +0200
+Subject: ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8f22e52528cc372b218b5f100457469615c733ce upstream.
+
+The sequencer virmidi code has an open race at its output trigger
+callback: namely, virmidi keeps only one event packet for processing
+while it doesn't protect for concurrent output trigger calls.
+
+snd_virmidi_output_trigger() tries to process the previously
+unfinished event before starting encoding the given MIDI stream, but
+this is done without any lock. Meanwhile, if another rawmidi stream
+starts the output trigger, this proceeds further, and overwrites the
+event package that is being processed in another thread. This
+eventually corrupts and may lead to the invalid memory access if the
+event type is like SYSEX.
+
+The fix is just to move the spinlock to cover both the pending event
+and the new stream.
+
+The bug was spotted by a new fuzzer, RaceFuzzer.
+
+BugLink: http://lkml.kernel.org/r/20180426045223.GA15307@dragonet.kaist.ac.kr
+Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_virmidi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/seq/seq_virmidi.c
++++ b/sound/core/seq/seq_virmidi.c
+@@ -174,12 +174,12 @@ static void snd_virmidi_output_trigger(s
+ }
+ return;
+ }
++ spin_lock_irqsave(&substream->runtime->lock, flags);
+ if (vmidi->event.type != SNDRV_SEQ_EVENT_NONE) {
+ if (snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, in_atomic(), 0) < 0)
+- return;
++ goto out;
+ vmidi->event.type = SNDRV_SEQ_EVENT_NONE;
+ }
+- spin_lock_irqsave(&substream->runtime->lock, flags);
+ while (1) {
+ count = __snd_rawmidi_transmit_peek(substream, buf, sizeof(buf));
+ if (count <= 0)
--- /dev/null
+From 4f32ac2e452c2180cd2df581cbadac183e27ecd0 Mon Sep 17 00:00:00 2001
+From: Danit Goldberg <danitg@mellanox.com>
+Date: Mon, 23 Apr 2018 17:01:54 +0300
+Subject: IB/mlx5: Use unlimited rate when static rate is not supported
+
+From: Danit Goldberg <danitg@mellanox.com>
+
+commit 4f32ac2e452c2180cd2df581cbadac183e27ecd0 upstream.
+
+Before the change, if the user passed a static rate value different
+than zero and the FW doesn't support static rate,
+it would end up configuring rate of 2.5 GBps.
+
+Fix this by using rate 0; unlimited, in cases where FW
+doesn't support static rate configuration.
+
+Cc: <stable@vger.kernel.org> # 3.10
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Reviewed-by: Majd Dibbiny <majd@mellanox.com>
+Signed-off-by: Danit Goldberg <danitg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/qp.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -1352,18 +1352,18 @@ enum {
+
+ static int ib_rate_to_mlx5(struct mlx5_ib_dev *dev, u8 rate)
+ {
+- if (rate == IB_RATE_PORT_CURRENT) {
++ if (rate == IB_RATE_PORT_CURRENT)
+ return 0;
+- } else if (rate < IB_RATE_2_5_GBPS || rate > IB_RATE_300_GBPS) {
++
++ if (rate < IB_RATE_2_5_GBPS || rate > IB_RATE_300_GBPS)
+ return -EINVAL;
+- } else {
+- while (rate != IB_RATE_2_5_GBPS &&
+- !(1 << (rate + MLX5_STAT_RATE_OFFSET) &
+- MLX5_CAP_GEN(dev->mdev, stat_rate_support)))
+- --rate;
+- }
+
+- return rate + MLX5_STAT_RATE_OFFSET;
++ while (rate != IB_RATE_PORT_CURRENT &&
++ !(1 << (rate + MLX5_STAT_RATE_OFFSET) &
++ MLX5_CAP_GEN(dev->mdev, stat_rate_support)))
++ --rate;
++
++ return rate ? rate + MLX5_STAT_RATE_OFFSET : rate;
+ }
+
+ static int mlx5_set_path(struct mlx5_ib_dev *dev, const struct ib_ah_attr *ah,
--- /dev/null
+From f372b81101e6895252298e563d634d5e44ae81e7 Mon Sep 17 00:00:00 2001
+From: "Vittorio Gambaletta (VittGam)" <linuxbugs@vittgam.net>
+Date: Wed, 25 Apr 2018 15:22:13 -0700
+Subject: Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook Pro
+
+From: Vittorio Gambaletta (VittGam) <linuxbugs@vittgam.net>
+
+commit f372b81101e6895252298e563d634d5e44ae81e7 upstream.
+
+This patch adds the correct platform data information for the Caroline
+Chromebook, so that the mouse button does not get stuck in pressed state
+after the first click.
+
+The Samus button keymap and platform data definition are the correct
+ones for Caroline, so they have been reused here.
+
+Signed-off-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
+Signed-off-by: Salvatore Bellizzi <lkml@seppia.net>
+Tested-by: Guenter Roeck <groeck@chromium.org>
+Cc: stable@vger.kernel.org
+[dtor: adjusted vendor spelling to match shipping firmware]
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/atmel_mxt_ts.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/touchscreen/atmel_mxt_ts.c
++++ b/drivers/input/touchscreen/atmel_mxt_ts.c
+@@ -2523,6 +2523,15 @@ static const struct dmi_system_id mxt_dm
+ .driver_data = samus_platform_data,
+ },
+ {
++ /* Samsung Chromebook Pro */
++ .ident = "Samsung Chromebook Pro",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Google"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Caroline"),
++ },
++ .driver_data = samus_platform_data,
++ },
++ {
+ /* Other Google Chromebooks */
+ .ident = "Chromebook",
+ .matches = {
--- /dev/null
+From 6bd6ae639683c0b41f46990d5c64ff9fbfa019dc Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 6 Apr 2018 10:23:05 -0700
+Subject: Input: leds - fix out of bound access
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 6bd6ae639683c0b41f46990d5c64ff9fbfa019dc upstream.
+
+UI_SET_LEDBIT ioctl() causes the following KASAN splat when used with
+led > LED_CHARGING:
+
+[ 1274.663418] BUG: KASAN: slab-out-of-bounds in input_leds_connect+0x611/0x730 [input_leds]
+[ 1274.663426] Write of size 8 at addr ffff88003377b2c0 by task ckb-next-daemon/5128
+
+This happens because we were writing to the led structure before making
+sure that it exists.
+
+Reported-by: Tasos Sahanidis <tasos@tasossah.com>
+Tested-by: Tasos Sahanidis <tasos@tasossah.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/input-leds.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/input-leds.c
++++ b/drivers/input/input-leds.c
+@@ -88,6 +88,7 @@ static int input_leds_connect(struct inp
+ const struct input_device_id *id)
+ {
+ struct input_leds *leds;
++ struct input_led *led;
+ unsigned int num_leds;
+ unsigned int led_code;
+ int led_no;
+@@ -119,14 +120,13 @@ static int input_leds_connect(struct inp
+
+ led_no = 0;
+ for_each_set_bit(led_code, dev->ledbit, LED_CNT) {
+- struct input_led *led = &leds->leds[led_no];
++ if (!input_led_info[led_code].name)
++ continue;
+
++ led = &leds->leds[led_no];
+ led->handle = &leds->handle;
+ led->code = led_code;
+
+- if (!input_led_info[led_code].name)
+- continue;
+-
+ led->cdev.name = kasprintf(GFP_KERNEL, "%s::%s",
+ dev_name(&dev->dev),
+ input_led_info[led_code].name);
--- /dev/null
+From 9306b38e42cb266f98bff6f6f4c1c652aa79ba45 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?SZ=20Lin=20=28=E6=9E=97=E4=B8=8A=E6=99=BA=29?=
+ <sz.lin@moxa.com>
+Date: Thu, 26 Apr 2018 14:30:13 +0800
+Subject: NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: SZ Lin (林上智) <sz.lin@moxa.com>
+
+commit 9306b38e42cb266f98bff6f6f4c1c652aa79ba45 upstream.
+
+This patch adds support for PID 0x90b2 of ublox R410M.
+
+qmicli -d /dev/cdc-wdm0 --dms-get-manufacturer
+[/dev/cdc-wdm0] Device manufacturer retrieved:
+ Manufacturer: 'u-blox'
+
+qmicli -d /dev/cdc-wdm0 --dms-get-model
+[/dev/cdc-wdm0] Device model retrieved:
+ Model: 'SARA-R410M-02B'
+
+Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -631,6 +631,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x05c6, 0x9080, 8)},
+ {QMI_FIXED_INTF(0x05c6, 0x9083, 3)},
+ {QMI_FIXED_INTF(0x05c6, 0x9084, 4)},
++ {QMI_FIXED_INTF(0x05c6, 0x90b2, 3)}, /* ublox R410M */
+ {QMI_FIXED_INTF(0x05c6, 0x920d, 0)},
+ {QMI_FIXED_INTF(0x05c6, 0x920d, 5)},
+ {QMI_FIXED_INTF(0x0846, 0x68a2, 8)},
--- /dev/null
+From 002bf2282b2d7318e444dca9ffcb994afc5d5f15 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Mon, 23 Apr 2018 17:01:53 +0300
+Subject: RDMA/mlx5: Protect from shift operand overflow
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit 002bf2282b2d7318e444dca9ffcb994afc5d5f15 upstream.
+
+Ensure that user didn't supply values too large that can cause overflow.
+
+UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/qp.c:263:23
+shift exponent -2147483648 is negative
+CPU: 0 PID: 292 Comm: syzkaller612609 Not tainted 4.16.0-rc1+ #131
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014 Call
+Trace:
+dump_stack+0xde/0x164
+ubsan_epilogue+0xe/0x81
+set_rq_size+0x7c2/0xa90
+create_qp_common+0xc18/0x43c0
+mlx5_ib_create_qp+0x379/0x1ca0
+create_qp.isra.5+0xc94/0x2260
+ib_uverbs_create_qp+0x21b/0x2a0
+ib_uverbs_write+0xc2c/0x1010
+vfs_write+0x1b0/0x550
+SyS_write+0xc7/0x1a0
+do_syscall_64+0x1aa/0x740
+entry_SYSCALL_64_after_hwframe+0x26/0x9b
+RIP: 0033:0x433569
+RSP: 002b:00007ffc6e62f448 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00000000004002f8 RCX: 0000000000433569
+RDX: 0000000000000070 RSI: 00000000200042c0 RDI: 0000000000000003
+RBP: 00000000006d5018 R08: 00000000004002f8 R09: 00000000004002f8
+R10: 00000000004002f8 R11: 0000000000000217 R12: 0000000000000000
+R13: 000000000040c9f0 R14: 000000000040ca80 R15: 0000000000000006
+
+Cc: <stable@vger.kernel.org> # 3.10
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Cc: syzkaller <syzkaller@googlegroups.com>
+Reported-by: Noa Osherovich <noaos@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/qp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -231,7 +231,11 @@ static int set_rq_size(struct mlx5_ib_de
+ } else {
+ if (ucmd) {
+ qp->rq.wqe_cnt = ucmd->rq_wqe_count;
++ if (ucmd->rq_wqe_shift > BITS_PER_BYTE * sizeof(ucmd->rq_wqe_shift))
++ return -EINVAL;
+ qp->rq.wqe_shift = ucmd->rq_wqe_shift;
++ if ((1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) < qp->wq_sig)
++ return -EINVAL;
+ qp->rq.max_gs = (1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) - qp->wq_sig;
+ qp->rq.max_post = qp->rq.wqe_cnt;
+ } else {
--- /dev/null
+From 09abfe7b5b2f442a85f4c4d59ecf582ad76088d7 Mon Sep 17 00:00:00 2001
+From: Roland Dreier <roland@purestorage.com>
+Date: Thu, 19 Apr 2018 08:28:11 -0700
+Subject: RDMA/ucma: Allow resolving address w/o specifying source address
+
+From: Roland Dreier <roland@purestorage.com>
+
+commit 09abfe7b5b2f442a85f4c4d59ecf582ad76088d7 upstream.
+
+The RDMA CM will select a source device and address by consulting
+the routing table if no source address is passed into
+rdma_resolve_address(). Userspace will ask for this by passing an
+all-zero source address in the RESOLVE_IP command. Unfortunately
+the new check for non-zero address size rejects this with EINVAL,
+which breaks valid userspace applications.
+
+Fix this by explicitly allowing a zero address family for the source.
+
+Fixes: 2975d5de6428 ("RDMA/ucma: Check AF family prior resolving address")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/ucma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -675,7 +675,7 @@ static ssize_t ucma_resolve_ip(struct uc
+ if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+ return -EFAULT;
+
+- if (!rdma_addr_size_in6(&cmd.src_addr) ||
++ if ((cmd.src_addr.sin6_family && !rdma_addr_size_in6(&cmd.src_addr)) ||
+ !rdma_addr_size_in6(&cmd.dst_addr))
+ return -EINVAL;
+
ath10k-rebuild-crypto-header-in-rx-data-frames.patch
gpmi-nand-handle-ecc-errors-in-erased-pages.patch
usb-serial-option-add-support-for-quectel-ep06.patch
+alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch
+alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch
+alsa-aloop-mark-paused-device-as-inactive.patch
+alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch
+tracepoint-do-not-warn-on-enomem.patch
+input-leds-fix-out-of-bound-access.patch
+input-atmel_mxt_ts-add-touchpad-button-mapping-for-samsung-chromebook-pro.patch
+xfs-prevent-creating-negative-sized-file-via-insert_range.patch
+rdma-ucma-allow-resolving-address-w-o-specifying-source-address.patch
+rdma-mlx5-protect-from-shift-operand-overflow.patch
+net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch
+ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch
--- /dev/null
+From d66a270be3310d7aa132fec0cea77d3d32a0ff75 Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Date: Thu, 15 Mar 2018 08:44:24 -0400
+Subject: tracepoint: Do not warn on ENOMEM
+
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+
+commit d66a270be3310d7aa132fec0cea77d3d32a0ff75 upstream.
+
+Tracepoint should only warn when a kernel API user does not respect the
+required preconditions (e.g. same tracepoint enabled twice, or called
+to remove a tracepoint that does not exist).
+
+Silence warning in out-of-memory conditions, given that the error is
+returned to the caller.
+
+This ensures that out-of-memory error-injection testing does not trigger
+warnings in tracepoint.c, which were seen by syzbot.
+
+Link: https://lkml.kernel.org/r/001a114465e241a8720567419a72@google.com
+Link: https://lkml.kernel.org/r/001a1140e0de15fc910567464190@google.com
+Link: http://lkml.kernel.org/r/20180315124424.32319-1-mathieu.desnoyers@efficios.com
+
+CC: Peter Zijlstra <peterz@infradead.org>
+CC: Jiri Olsa <jolsa@redhat.com>
+CC: Arnaldo Carvalho de Melo <acme@kernel.org>
+CC: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+CC: Namhyung Kim <namhyung@kernel.org>
+CC: stable@vger.kernel.org
+Fixes: de7b2973903c6 ("tracepoint: Use struct pointer instead of name hash for reg/unreg tracepoints")
+Reported-by: syzbot+9c0d616860575a73166a@syzkaller.appspotmail.com
+Reported-by: syzbot+4e9ae7fa46233396f64d@syzkaller.appspotmail.com
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/tracepoint.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/tracepoint.c
++++ b/kernel/tracepoint.c
+@@ -202,7 +202,7 @@ static int tracepoint_add_func(struct tr
+ lockdep_is_held(&tracepoints_mutex));
+ old = func_add(&tp_funcs, func, prio);
+ if (IS_ERR(old)) {
+- WARN_ON_ONCE(1);
++ WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM);
+ return PTR_ERR(old);
+ }
+
+@@ -235,7 +235,7 @@ static int tracepoint_remove_func(struct
+ lockdep_is_held(&tracepoints_mutex));
+ old = func_remove(&tp_funcs, func);
+ if (IS_ERR(old)) {
+- WARN_ON_ONCE(1);
++ WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM);
+ return PTR_ERR(old);
+ }
+
--- /dev/null
+From 7d83fb14258b9961920cd86f0b921caaeb3ebe85 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Mon, 16 Apr 2018 23:07:45 -0700
+Subject: xfs: prevent creating negative-sized file via INSERT_RANGE
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+commit 7d83fb14258b9961920cd86f0b921caaeb3ebe85 upstream.
+
+During the "insert range" fallocate operation, i_size grows by the
+specified 'len' bytes. XFS verifies that i_size + len < s_maxbytes, as
+it should. But this comparison is done using the signed 'loff_t', and
+'i_size + len' can wrap around to a negative value, causing the check to
+incorrectly pass, resulting in an inode with "negative" i_size. This is
+possible on 64-bit platforms, where XFS sets s_maxbytes = LLONG_MAX.
+ext4 and f2fs don't run into this because they set a smaller s_maxbytes.
+
+Fix it by using subtraction instead.
+
+Reproducer:
+ xfs_io -f file -c "truncate $(((1<<63)-1))" -c "finsert 0 4096"
+
+Fixes: a904b1ca5751 ("xfs: Add support FALLOC_FL_INSERT_RANGE for fallocate")
+Cc: <stable@vger.kernel.org> # v4.1+
+Originally-From: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+[darrick: fix signed integer addition overflow too]
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_file.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/fs/xfs/xfs_file.c
++++ b/fs/xfs/xfs_file.c
+@@ -969,22 +969,26 @@ xfs_file_fallocate(
+ if (error)
+ goto out_unlock;
+ } else if (mode & FALLOC_FL_INSERT_RANGE) {
+- unsigned int blksize_mask = i_blocksize(inode) - 1;
++ unsigned int blksize_mask = i_blocksize(inode) - 1;
++ loff_t isize = i_size_read(inode);
+
+- new_size = i_size_read(inode) + len;
+ if (offset & blksize_mask || len & blksize_mask) {
+ error = -EINVAL;
+ goto out_unlock;
+ }
+
+- /* check the new inode size does not wrap through zero */
+- if (new_size > inode->i_sb->s_maxbytes) {
++ /*
++ * New inode size must not exceed ->s_maxbytes, accounting for
++ * possible signed overflow.
++ */
++ if (inode->i_sb->s_maxbytes - isize < len) {
+ error = -EFBIG;
+ goto out_unlock;
+ }
++ new_size = isize + len;
+
+ /* Offset should be less than i_size */
+- if (offset >= i_size_read(inode)) {
++ if (offset >= isize) {
+ error = -EINVAL;
+ goto out_unlock;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
