4.13-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 30 Oct 2017 09:28:57 +0000 (10:28 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 30 Oct 2017 09:28:57 +0000 (10:28 +0100)
added patches:
assoc_array-fix-a-buggy-node-splitting-case.patch
can-kvaser_usb-correct-return-value-in-printout.patch
can-kvaser_usb-ignore-cmd_flush_queue_reply-messages.patch
can-sun4i-fix-loopback-mode.patch
cfg80211-fix-connect-disconnect-edge-cases.patch
cifs-fix-null-pointer-deref-on-smb2_tcon-failure.patch
cifs-select-all-required-crypto-modules.patch
drm-amd-powerplay-fix-uninitialized-variable.patch
drm-i915-perf-fix-perf-enable-disable-ioctls-with-32bits-userspace.patch
fix-encryption-labels-and-lengths-for-smb3.1.1.patch
fuse-fix-readdirplus-skipping-an-entry.patch
input-elan_i2c-add-elan0611-to-the-acpi-table.patch
input-gtco-fix-potential-out-of-bound-access.patch
kvm-ppc-book3s-hv-power9-more-doorbell-fixes.patch
kvm-ppc-book3s-protect-kvmppc_gpa_to_ua-with-srcu.patch
kvm-ppc-fix-oops-when-checking-kvm_cap_ppc_htm.patch
nbd-handle-interrupted-sendmsg-with-a-sndtimeo-set.patch
ovl-add-null-check-in-ovl_alloc_inode.patch
ovl-do-not-cleanup-unsupported-index-entries.patch
ovl-fix-eio-from-lookup-of-non-indexed-upper.patch
ovl-handle-enoent-on-index-lookup.patch
pm-qos-fix-device-resume-latency-pm-qos.patch
s390-kvm-fix-detection-of-guest-machine-checks.patch
scsi-aacraid-fix-controller-initialization-failure.patch
scsi-qla2xxx-initialize-work-element-before-requesting-irqs.patch
scsi-sg-re-fix-off-by-one-in-sg_fill_request_table.patch
scsi-zfcp-fix-erp_action-use-before-initialize-in-rec-action-trace.patch
smb3-validate-negotiate-request-must-always-be-signed.patch
spi-a3700-return-correct-value-on-timeout-detection.patch
spi-armada-3700-fix-failing-commands-with-quad-spi.patch
spi-bcm-qspi-fix-use-after-free-in-bcm_qspi_probe-in-error-path.patch
spi-uapi-spidev-add-missing-ioctl-header.patch
x86-cpu-amd-apply-the-erratum-688-fix-when-the-bios-doesn-t.patch
xen-fix-booting-ballooned-down-hvm-guest.patch
xen-gntdev-avoid-out-of-bounds-access-in-case-of-partial-gntdev_mmap.patch

36 files changed:
queue-4.13/assoc_array-fix-a-buggy-node-splitting-case.patch [new file with mode: 0644]
queue-4.13/can-kvaser_usb-correct-return-value-in-printout.patch [new file with mode: 0644]
queue-4.13/can-kvaser_usb-ignore-cmd_flush_queue_reply-messages.patch [new file with mode: 0644]
queue-4.13/can-sun4i-fix-loopback-mode.patch [new file with mode: 0644]
queue-4.13/cfg80211-fix-connect-disconnect-edge-cases.patch [new file with mode: 0644]
queue-4.13/cifs-fix-null-pointer-deref-on-smb2_tcon-failure.patch [new file with mode: 0644]
queue-4.13/cifs-select-all-required-crypto-modules.patch [new file with mode: 0644]
queue-4.13/drm-amd-powerplay-fix-uninitialized-variable.patch [new file with mode: 0644]
queue-4.13/drm-i915-perf-fix-perf-enable-disable-ioctls-with-32bits-userspace.patch [new file with mode: 0644]
queue-4.13/fix-encryption-labels-and-lengths-for-smb3.1.1.patch [new file with mode: 0644]
queue-4.13/fuse-fix-readdirplus-skipping-an-entry.patch [new file with mode: 0644]
queue-4.13/input-elan_i2c-add-elan0611-to-the-acpi-table.patch [new file with mode: 0644]
queue-4.13/input-gtco-fix-potential-out-of-bound-access.patch [new file with mode: 0644]
queue-4.13/kvm-ppc-book3s-hv-power9-more-doorbell-fixes.patch [new file with mode: 0644]
queue-4.13/kvm-ppc-book3s-protect-kvmppc_gpa_to_ua-with-srcu.patch [new file with mode: 0644]
queue-4.13/kvm-ppc-fix-oops-when-checking-kvm_cap_ppc_htm.patch [new file with mode: 0644]
queue-4.13/nbd-handle-interrupted-sendmsg-with-a-sndtimeo-set.patch [new file with mode: 0644]
queue-4.13/ovl-add-null-check-in-ovl_alloc_inode.patch [new file with mode: 0644]
queue-4.13/ovl-do-not-cleanup-unsupported-index-entries.patch [new file with mode: 0644]
queue-4.13/ovl-fix-eio-from-lookup-of-non-indexed-upper.patch [new file with mode: 0644]
queue-4.13/ovl-handle-enoent-on-index-lookup.patch [new file with mode: 0644]
queue-4.13/pm-qos-fix-device-resume-latency-pm-qos.patch [new file with mode: 0644]
queue-4.13/s390-kvm-fix-detection-of-guest-machine-checks.patch [new file with mode: 0644]
queue-4.13/scsi-aacraid-fix-controller-initialization-failure.patch [new file with mode: 0644]
queue-4.13/scsi-qla2xxx-initialize-work-element-before-requesting-irqs.patch [new file with mode: 0644]
queue-4.13/scsi-sg-re-fix-off-by-one-in-sg_fill_request_table.patch [new file with mode: 0644]
queue-4.13/scsi-zfcp-fix-erp_action-use-before-initialize-in-rec-action-trace.patch [new file with mode: 0644]
queue-4.13/series
queue-4.13/smb3-validate-negotiate-request-must-always-be-signed.patch [new file with mode: 0644]
queue-4.13/spi-a3700-return-correct-value-on-timeout-detection.patch [new file with mode: 0644]
queue-4.13/spi-armada-3700-fix-failing-commands-with-quad-spi.patch [new file with mode: 0644]
queue-4.13/spi-bcm-qspi-fix-use-after-free-in-bcm_qspi_probe-in-error-path.patch [new file with mode: 0644]
queue-4.13/spi-uapi-spidev-add-missing-ioctl-header.patch [new file with mode: 0644]
queue-4.13/x86-cpu-amd-apply-the-erratum-688-fix-when-the-bios-doesn-t.patch [new file with mode: 0644]
queue-4.13/xen-fix-booting-ballooned-down-hvm-guest.patch [new file with mode: 0644]
queue-4.13/xen-gntdev-avoid-out-of-bounds-access-in-case-of-partial-gntdev_mmap.patch [new file with mode: 0644]

diff --git a/queue-4.13/assoc_array-fix-a-buggy-node-splitting-case.patch b/queue-4.13/assoc_array-fix-a-buggy-node-splitting-case.patch
new file mode 100644 (file)
index 0000000..729fca2
--- /dev/null
@@ -0,0 +1,122 @@
+From ea6789980fdaa610d7eb63602c746bf6ec70cd2b Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 11 Oct 2017 23:32:27 +0100
+Subject: assoc_array: Fix a buggy node-splitting case
+
+From: David Howells <dhowells@redhat.com>
+
+commit ea6789980fdaa610d7eb63602c746bf6ec70cd2b upstream.
+
+This fixes CVE-2017-12193.
+
+Fix a case in the assoc_array implementation in which a new leaf is
+added that needs to go into a node that happens to be full, where the
+existing leaves in that node cluster together at that level to the
+exclusion of new leaf.
+
+What needs to happen is that the existing leaves get moved out to a new
+node, N1, at level + 1 and the existing node needs replacing with one,
+N0, that has pointers to the new leaf and to N1.
+
+The code that tries to do this gets this wrong in two ways:
+
+ (1) The pointer that should've pointed from N0 to N1 is set to point
+     recursively to N0 instead.
+
+ (2) The backpointer from N0 needs to be set correctly in the case N0 is
+     either the root node or reached through a shortcut.
+
+Fix this by removing this path and using the split_node path instead,
+which achieves the same end, but in a more general way (thanks to Eric
+Biggers for spotting the redundancy).
+
+The problem manifests itself as:
+
+  BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+  IP: assoc_array_apply_edit+0x59/0xe5
+
+Fixes: 3cb989501c26 ("Add a generic associative array implementation.")
+Reported-and-tested-by: WU Fan <u3536072@connect.hku.hk>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/assoc_array.c |   51 +++++++++++++++++----------------------------------
+ 1 file changed, 17 insertions(+), 34 deletions(-)
+
+--- a/lib/assoc_array.c
++++ b/lib/assoc_array.c
+@@ -598,21 +598,31 @@ static bool assoc_array_insert_into_term
+               if ((edit->segment_cache[ASSOC_ARRAY_FAN_OUT] ^ base_seg) == 0)
+                       goto all_leaves_cluster_together;
+-              /* Otherwise we can just insert a new node ahead of the old
+-               * one.
++              /* Otherwise all the old leaves cluster in the same slot, but
++               * the new leaf wants to go into a different slot - so we
++               * create a new node (n0) to hold the new leaf and a pointer to
++               * a new node (n1) holding all the old leaves.
++               *
++               * This can be done by falling through to the node splitting
++               * path.
+                */
+-              goto present_leaves_cluster_but_not_new_leaf;
++              pr_devel("present leaves cluster but not new leaf\n");
+       }
+ split_node:
+       pr_devel("split node\n");
+-      /* We need to split the current node; we know that the node doesn't
+-       * simply contain a full set of leaves that cluster together (it
+-       * contains meta pointers and/or non-clustering leaves).
++      /* We need to split the current node.  The node must contain anything
++       * from a single leaf (in the one leaf case, this leaf will cluster
++       * with the new leaf) and the rest meta-pointers, to all leaves, some
++       * of which may cluster.
++       *
++       * It won't contain the case in which all the current leaves plus the
++       * new leaves want to cluster in the same slot.
+        *
+        * We need to expel at least two leaves out of a set consisting of the
+-       * leaves in the node and the new leaf.
++       * leaves in the node and the new leaf.  The current meta pointers can
++       * just be copied as they shouldn't cluster with any of the leaves.
+        *
+        * We need a new node (n0) to replace the current one and a new node to
+        * take the expelled nodes (n1).
+@@ -717,33 +727,6 @@ found_slot_for_multiple_occupancy:
+       pr_devel("<--%s() = ok [split node]\n", __func__);
+       return true;
+-present_leaves_cluster_but_not_new_leaf:
+-      /* All the old leaves cluster in the same slot, but the new leaf wants
+-       * to go into a different slot, so we create a new node to hold the new
+-       * leaf and a pointer to a new node holding all the old leaves.
+-       */
+-      pr_devel("present leaves cluster but not new leaf\n");
+-
+-      new_n0->back_pointer = node->back_pointer;
+-      new_n0->parent_slot = node->parent_slot;
+-      new_n0->nr_leaves_on_branch = node->nr_leaves_on_branch;
+-      new_n1->back_pointer = assoc_array_node_to_ptr(new_n0);
+-      new_n1->parent_slot = edit->segment_cache[0];
+-      new_n1->nr_leaves_on_branch = node->nr_leaves_on_branch;
+-      edit->adjust_count_on = new_n0;
+-
+-      for (i = 0; i < ASSOC_ARRAY_FAN_OUT; i++)
+-              new_n1->slots[i] = node->slots[i];
+-
+-      new_n0->slots[edit->segment_cache[0]] = assoc_array_node_to_ptr(new_n0);
+-      edit->leaf_p = &new_n0->slots[edit->segment_cache[ASSOC_ARRAY_FAN_OUT]];
+-
+-      edit->set[0].ptr = &assoc_array_ptr_to_node(node->back_pointer)->slots[node->parent_slot];
+-      edit->set[0].to = assoc_array_node_to_ptr(new_n0);
+-      edit->excised_meta[0] = assoc_array_node_to_ptr(node);
+-      pr_devel("<--%s() = ok [insert node before]\n", __func__);
+-      return true;
+-
+ all_leaves_cluster_together:
+       /* All the leaves, new and old, want to cluster together in this node
+        * in the same slot, so we have to replace this node with a shortcut to
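Review bot: The rewritten comment at the head of `split_node` ("The node must contain anything from a single leaf ... to all leaves, some of which may cluster") reads as a requirement rather than the range it is meant to describe; suggest `/* The node may hold anything from a single leaf (which, in that case, will cluster with the new leaf) plus meta-pointers, up to a full set of leaves, some of which may cluster. */`. Correctness of the new fall-through now rests on the split path handling the "old leaves cluster, new leaf does not" case, and that body, like the start of the enclosing function, lies outside the hunk. The deleted block's `new_n0->slots[edit->segment_cache[0]] = assoc_array_node_to_ptr(new_n0);` is the self-reference the description calls defect (1); nothing left in the visible hunk reintroduces it.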
diff --git a/queue-4.13/can-kvaser_usb-correct-return-value-in-printout.patch b/queue-4.13/can-kvaser_usb-correct-return-value-in-printout.patch
new file mode 100644 (file)
index 0000000..becc083
--- /dev/null
@@ -0,0 +1,33 @@
+From 8f65a923e6b628e187d5e791cf49393dd5e8c2f9 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <jimmyassarsson@gmail.com>
+Date: Tue, 24 Oct 2017 12:23:28 +0200
+Subject: can: kvaser_usb: Correct return value in printout
+
+From: Jimmy Assarsson <jimmyassarsson@gmail.com>
+
+commit 8f65a923e6b628e187d5e791cf49393dd5e8c2f9 upstream.
+
+If the return value from kvaser_usb_send_simple_msg() was non-zero, the
+return value from kvaser_usb_flush_queue() was printed in the kernel
+warning.
+
+Signed-off-by: Jimmy Assarsson <jimmyassarsson@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/kvaser_usb.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/kvaser_usb.c
++++ b/drivers/net/can/usb/kvaser_usb.c
+@@ -1609,7 +1609,8 @@ static int kvaser_usb_close(struct net_d
+       if (err)
+               netdev_warn(netdev, "Cannot flush queue, error %d\n", err);
+-      if (kvaser_usb_send_simple_msg(dev, CMD_RESET_CHIP, priv->channel))
++      err = kvaser_usb_send_simple_msg(dev, CMD_RESET_CHIP, priv->channel);
++      if (err)
+               netdev_warn(netdev, "Cannot reset card, error %d\n", err);
+       err = kvaser_usb_stop_chip(priv);
diff --git a/queue-4.13/can-kvaser_usb-ignore-cmd_flush_queue_reply-messages.patch b/queue-4.13/can-kvaser_usb-ignore-cmd_flush_queue_reply-messages.patch
new file mode 100644 (file)
index 0000000..22131b5
--- /dev/null
@@ -0,0 +1,50 @@
+From e1d2d1329a5722dbecc9c278303fcc4aa01f8790 Mon Sep 17 00:00:00 2001
+From: Jimmy Assarsson <jimmyassarsson@gmail.com>
+Date: Tue, 24 Oct 2017 12:23:29 +0200
+Subject: can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages
+
+From: Jimmy Assarsson <jimmyassarsson@gmail.com>
+
+commit e1d2d1329a5722dbecc9c278303fcc4aa01f8790 upstream.
+
+To avoid kernel warning "Unhandled message (68)", ignore the
+CMD_FLUSH_QUEUE_REPLY message for now.
+
+As of Leaf v2 firmware version v4.1.844 (2017-02-15), flush tx queue is
+synchronous. There is a capability bit indicating whether flushing tx
+queue is synchronous or asynchronous.
+
+A proper solution would be to query the device for capabilities. If the
+synchronous tx flush capability bit is set, we should wait for
+CMD_FLUSH_QUEUE_REPLY message, while flushing the tx queue.
+
+Signed-off-by: Jimmy Assarsson <jimmyassarsson@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/kvaser_usb.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/can/usb/kvaser_usb.c
++++ b/drivers/net/can/usb/kvaser_usb.c
+@@ -137,6 +137,7 @@ static inline bool kvaser_is_usbcan(cons
+ #define CMD_RESET_ERROR_COUNTER               49
+ #define CMD_TX_ACKNOWLEDGE            50
+ #define CMD_CAN_ERROR_EVENT           51
++#define CMD_FLUSH_QUEUE_REPLY         68
+ #define CMD_LEAF_USB_THROTTLE         77
+ #define CMD_LEAF_LOG_MESSAGE          106
+@@ -1301,6 +1302,11 @@ static void kvaser_usb_handle_message(co
+                       goto warn;
+               break;
++      case CMD_FLUSH_QUEUE_REPLY:
++              if (dev->family != KVASER_LEAF)
++                      goto warn;
++              break;
++
+       default:
+ warn:         dev_warn(dev->udev->dev.parent,
+                        "Unhandled message (%d)\n", msg->id);
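Review bot: The new `case CMD_FLUSH_QUEUE_REPLY:` silently discards the reply for Leaf devices, and the reason (Leaf firmware v4.1.844 made the flush synchronous, with a capability bit the driver does not yet query) exists only in the commit message; put it at the case, e.g. `/* Leaf firmware >= v4.1.844 answers CMD_FLUSH_QUEUE synchronously; TODO: query the capability bit and wait for this reply in the flush path instead of dropping it */`. Non-Leaf devices still fall through to `warn`, which matches the scope the message describes. The enclosing `kvaser_usb_handle_message` switch starts outside the hunk.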
diff --git a/queue-4.13/can-sun4i-fix-loopback-mode.patch b/queue-4.13/can-sun4i-fix-loopback-mode.patch
new file mode 100644 (file)
index 0000000..2ec913b
--- /dev/null
@@ -0,0 +1,38 @@
+From 3a379f5b36ae039dfeb6f73316e47ab1af4945df Mon Sep 17 00:00:00 2001
+From: Gerhard Bertelsmann <info@gerhard-bertelsmann.de>
+Date: Thu, 17 Aug 2017 15:59:49 +0200
+Subject: can: sun4i: fix loopback mode
+
+From: Gerhard Bertelsmann <info@gerhard-bertelsmann.de>
+
+commit 3a379f5b36ae039dfeb6f73316e47ab1af4945df upstream.
+
+Fix loopback mode by setting the right flag and remove presume mode.
+
+Signed-off-by: Gerhard Bertelsmann <info@gerhard-bertelsmann.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/sun4i_can.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/can/sun4i_can.c
++++ b/drivers/net/can/sun4i_can.c
+@@ -342,7 +342,7 @@ static int sun4i_can_start(struct net_de
+       /* enter the selected mode */
+       mod_reg_val = readl(priv->base + SUN4I_REG_MSEL_ADDR);
+-      if (priv->can.ctrlmode & CAN_CTRLMODE_PRESUME_ACK)
++      if (priv->can.ctrlmode & CAN_CTRLMODE_LOOPBACK)
+               mod_reg_val |= SUN4I_MSEL_LOOPBACK_MODE;
+       else if (priv->can.ctrlmode & CAN_CTRLMODE_LISTENONLY)
+               mod_reg_val |= SUN4I_MSEL_LISTEN_ONLY_MODE;
+@@ -811,7 +811,6 @@ static int sun4ican_probe(struct platfor
+       priv->can.ctrlmode_supported = CAN_CTRLMODE_BERR_REPORTING |
+                                      CAN_CTRLMODE_LISTENONLY |
+                                      CAN_CTRLMODE_LOOPBACK |
+-                                     CAN_CTRLMODE_PRESUME_ACK |
+                                      CAN_CTRLMODE_3_SAMPLES;
+       priv->base = addr;
+       priv->clk = clk;
diff --git a/queue-4.13/cfg80211-fix-connect-disconnect-edge-cases.patch b/queue-4.13/cfg80211-fix-connect-disconnect-edge-cases.patch
new file mode 100644 (file)
index 0000000..41e35f8
--- /dev/null
@@ -0,0 +1,112 @@
+From 51e13359cd5ea34acc62c90627603352956380af Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 17 Oct 2017 21:56:20 +0200
+Subject: cfg80211: fix connect/disconnect edge cases
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 51e13359cd5ea34acc62c90627603352956380af upstream.
+
+If we try to connect while already connected/connecting, but
+this fails, we set ssid_len=0 but leave current_bss hanging,
+leading to errors.
+
+Check all of this better, first of all ensuring that we can't
+try to connect to a different SSID while connected/ing; ensure
+that prev_bssid is set for re-association attempts even in the
+case of the driver supporting the connect() method, and don't
+reset ssid_len in the failure cases.
+
+While at it, also reset ssid_len while disconnecting unless we
+were connected and expect a disconnected event, and warn on a
+successful connection without ssid_len being set.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/sme.c |   50 +++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 41 insertions(+), 9 deletions(-)
+
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -522,11 +522,6 @@ static int cfg80211_sme_connect(struct w
+               return -EOPNOTSUPP;
+       if (wdev->current_bss) {
+-              if (!prev_bssid)
+-                      return -EALREADY;
+-              if (prev_bssid &&
+-                  !ether_addr_equal(prev_bssid, wdev->current_bss->pub.bssid))
+-                      return -ENOTCONN;
+               cfg80211_unhold_bss(wdev->current_bss);
+               cfg80211_put_bss(wdev->wiphy, &wdev->current_bss->pub);
+               wdev->current_bss = NULL;
+@@ -1063,11 +1058,35 @@ int cfg80211_connect(struct cfg80211_reg
+       ASSERT_WDEV_LOCK(wdev);
+-      if (WARN_ON(wdev->connect_keys)) {
+-              kzfree(wdev->connect_keys);
+-              wdev->connect_keys = NULL;
++      /*
++       * If we have an ssid_len, we're trying to connect or are
++       * already connected, so reject a new SSID unless it's the
++       * same (which is the case for re-association.)
++       */
++      if (wdev->ssid_len &&
++          (wdev->ssid_len != connect->ssid_len ||
++           memcmp(wdev->ssid, connect->ssid, wdev->ssid_len)))
++              return -EALREADY;
++
++      /*
++       * If connected, reject (re-)association unless prev_bssid
++       * matches the current BSSID.
++       */
++      if (wdev->current_bss) {
++              if (!prev_bssid)
++                      return -EALREADY;
++              if (!ether_addr_equal(prev_bssid, wdev->current_bss->pub.bssid))
++                      return -ENOTCONN;
+       }
++      /*
++       * Reject if we're in the process of connecting with WEP,
++       * this case isn't very interesting and trying to handle
++       * it would make the code much more complex.
++       */
++      if (wdev->connect_keys)
++              return -EINPROGRESS;
++
+       cfg80211_oper_and_ht_capa(&connect->ht_capa_mask,
+                                 rdev->wiphy.ht_capa_mod_mask);
+@@ -1118,7 +1137,12 @@ int cfg80211_connect(struct cfg80211_reg
+       if (err) {
+               wdev->connect_keys = NULL;
+-              wdev->ssid_len = 0;
++              /*
++               * This could be reassoc getting refused, don't clear
++               * ssid_len in that case.
++               */
++              if (!wdev->current_bss)
++                      wdev->ssid_len = 0;
+               return err;
+       }
+@@ -1145,6 +1169,14 @@ int cfg80211_disconnect(struct cfg80211_
+       else if (wdev->ssid_len)
+               err = rdev_disconnect(rdev, dev, reason);
++      /*
++       * Clear ssid_len unless we actually were fully connected,
++       * in which case cfg80211_disconnected() will take care of
++       * this later.
++       */
++      if (!wdev->current_bss)
++              wdev->ssid_len = 0;
++
+       return err;
+ }
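Review bot: The three new early returns in `cfg80211_connect` (`-EALREADY` on SSID mismatch, `-EALREADY`/`-ENOTCONN` on a connected wdev, `-EINPROGRESS` on pending `connect_keys`) fire before the caller-supplied keys are presumably stored in `wdev->connect_keys` (the error path's `wdev->connect_keys = NULL;` implies that assignment happens between the hunks), so on those paths the caller still owns the key material; that the caller releases it on error is outside the hunk and worth confirming, and a comment at the `-EINPROGRESS` return such as `/* connkeys are still owned by the caller on this path */` would make the contract explicit. The SSID check is bounds-safe because `memcmp` only runs once `wdev->ssid_len == connect->ssid_len`. In the `cfg80211_disconnect` hunk, `ssid_len` is cleared even when `rdev_disconnect()` returned an error; this looks intentional given the comment, but stating it there would avoid a future reader "fixing" it.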
diff --git a/queue-4.13/cifs-fix-null-pointer-deref-on-smb2_tcon-failure.patch b/queue-4.13/cifs-fix-null-pointer-deref-on-smb2_tcon-failure.patch
new file mode 100644 (file)
index 0000000..41ecd9a
--- /dev/null
@@ -0,0 +1,41 @@
+From db3b5474f462e77b82ca1e27627f03c47b622c99 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Aur=C3=A9lien=20Aptel?= <aaptel@suse.com>
+Date: Wed, 11 Oct 2017 13:23:36 +0200
+Subject: CIFS: Fix NULL pointer deref on SMB2_tcon() failure
+
+From: Aurélien Aptel <aaptel@suse.com>
+
+commit db3b5474f462e77b82ca1e27627f03c47b622c99 upstream.
+
+If SendReceive2() fails rsp is set to NULL but is dereferenced in the
+error handling code.
+
+Signed-off-by: Aurelien Aptel <aaptel@suse.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1243,7 +1243,7 @@ SMB2_tcon(const unsigned int xid, struct
+       struct smb2_tree_connect_req *req;
+       struct smb2_tree_connect_rsp *rsp = NULL;
+       struct kvec iov[2];
+-      struct kvec rsp_iov;
++      struct kvec rsp_iov = { NULL, 0 };
+       int rc = 0;
+       int resp_buftype;
+       int unc_path_len;
+@@ -1360,7 +1360,7 @@ tcon_exit:
+       return rc;
+ tcon_error_exit:
+-      if (rsp->hdr.sync_hdr.Status == STATUS_BAD_NETWORK_NAME) {
++      if (rsp && rsp->hdr.sync_hdr.Status == STATUS_BAD_NETWORK_NAME) {
+               cifs_dbg(VFS, "BAD_NETWORK_NAME: %s\n", tree);
+       }
+       goto tcon_exit;
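Review bot: `int resp_buftype;` near the top of `SMB2_tcon` is still uninitialized, so the same failure the patch addresses (SendReceive2 failing and leaving `rsp` NULL) can also reach `tcon_exit` with an indeterminate buffer type if the transport returns before setting that out-parameter; `tcon_exit` is outside the hunk, but if it releases the response buffer based on `resp_buftype`, initialising it alongside `rsp_iov`, e.g. `int resp_buftype = CIFS_NO_BUFFER;`, closes that gap. The added `rsp &&` guard is correct for the `STATUS_BAD_NETWORK_NAME` check itself. The function's body between the two hunks, including the call that sets `rsp`, is not visible here.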
diff --git a/queue-4.13/cifs-select-all-required-crypto-modules.patch b/queue-4.13/cifs-select-all-required-crypto-modules.patch
new file mode 100644 (file)
index 0000000..d03334a
--- /dev/null
@@ -0,0 +1,38 @@
+From 5b454a64555055aaa5769b3ba877bd911d375d5a Mon Sep 17 00:00:00 2001
+From: Benjamin Gilbert <benjamin.gilbert@coreos.com>
+Date: Thu, 19 Oct 2017 13:09:29 -0700
+Subject: cifs: Select all required crypto modules
+
+From: Benjamin Gilbert <benjamin.gilbert@coreos.com>
+
+commit 5b454a64555055aaa5769b3ba877bd911d375d5a upstream.
+
+Some dependencies were lost when CIFS_SMB2 was merged into CIFS.
+
+Fixes: 2a38e12053b7 ("[SMB3] Remove ifdef since SMB3 (and later) now STRONGLY preferred")
+Signed-off-by: Benjamin Gilbert <benjamin.gilbert@coreos.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/Kconfig |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/cifs/Kconfig
++++ b/fs/cifs/Kconfig
+@@ -5,9 +5,14 @@ config CIFS
+       select CRYPTO
+       select CRYPTO_MD4
+       select CRYPTO_MD5
++      select CRYPTO_SHA256
++      select CRYPTO_CMAC
+       select CRYPTO_HMAC
+       select CRYPTO_ARC4
++      select CRYPTO_AEAD2
++      select CRYPTO_CCM
+       select CRYPTO_ECB
++      select CRYPTO_AES
+       select CRYPTO_DES
+       help
+         This is the client VFS module for the SMB3 family of NAS protocols,
diff --git a/queue-4.13/drm-amd-powerplay-fix-uninitialized-variable.patch b/queue-4.13/drm-amd-powerplay-fix-uninitialized-variable.patch
new file mode 100644 (file)
index 0000000..028d126
--- /dev/null
@@ -0,0 +1,56 @@
+From 8b95f4f730cba02ef6febbdc4ca7e55ca045b00e Mon Sep 17 00:00:00 2001
+From: Rex Zhu <Rex.Zhu@amd.com>
+Date: Fri, 20 Oct 2017 15:07:41 +0800
+Subject: drm/amd/powerplay: fix uninitialized variable
+
+From: Rex Zhu <Rex.Zhu@amd.com>
+
+commit 8b95f4f730cba02ef6febbdc4ca7e55ca045b00e upstream.
+
+refresh_rate was not initialized when program
+display gap.
+this patch can fix vce ring test failed
+when do S3 on Polaris10.
+
+bug: https://bugs.freedesktop.org/show_bug.cgi?id=103102
+bug: https://bugzilla.kernel.org/show_bug.cgi?id=196615
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Rex Zhu <Rex.Zhu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c
++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c
+@@ -830,7 +830,7 @@ uint32_t smu7_get_xclk(struct pp_hwmgr *
+ {
+       uint32_t reference_clock, tmp;
+       struct cgs_display_info info = {0};
+-      struct cgs_mode_info mode_info;
++      struct cgs_mode_info mode_info = {0};
+       info.mode_info = &mode_info;
+@@ -3951,10 +3951,9 @@ static int smu7_program_display_gap(stru
+       uint32_t ref_clock;
+       uint32_t refresh_rate = 0;
+       struct cgs_display_info info = {0};
+-      struct cgs_mode_info mode_info;
++      struct cgs_mode_info mode_info = {0};
+       info.mode_info = &mode_info;
+-
+       cgs_get_active_displays_info(hwmgr->device, &info);
+       num_active_displays = info.display_count;
+@@ -3970,6 +3969,7 @@ static int smu7_program_display_gap(stru
+       frame_time_in_us = 1000000 / refresh_rate;
+       pre_vbi_time_in_us = frame_time_in_us - 200 - mode_info.vblank_time_us;
++
+       data->frame_time_x2 = frame_time_in_us * 2 / 100;
+       display_gap2 = pre_vbi_time_in_us * (ref_clock / 100);
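Review bot: `refresh_rate` starts at 0 (`uint32_t refresh_rate = 0;`) and `mode_info` is now zero-filled, so if the code between the two hunks copies `mode_info.refresh_rate` without a zero guard, the second hunk's `frame_time_in_us = 1000000 / refresh_rate;` becomes a deterministic divide-by-zero instead of a division by garbage; confirm that the 4.13 tree carries a guard such as `if (refresh_rate == 0) refresh_rate = 60;` before this division, since those lines are outside the hunk. That division is unchanged by the patch, so this is a backport-consistency check rather than a defect in the change itself. `smu7_program_display_gap` starts and ends outside the hunk.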
diff --git a/queue-4.13/drm-i915-perf-fix-perf-enable-disable-ioctls-with-32bits-userspace.patch b/queue-4.13/drm-i915-perf-fix-perf-enable-disable-ioctls-with-32bits-userspace.patch
new file mode 100644 (file)
index 0000000..f581b70
--- /dev/null
@@ -0,0 +1,38 @@
+From 7277f755048da562eb2489becacd38d0d05e1e06 Mon Sep 17 00:00:00 2001
+From: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
+Date: Tue, 24 Oct 2017 16:27:28 +0100
+Subject: drm/i915/perf: fix perf enable/disable ioctls with 32bits userspace
+
+From: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
+
+commit 7277f755048da562eb2489becacd38d0d05e1e06 upstream.
+
+The compat callback was missing and triggered failures in 32bits
+userspace when enabling/disable the perf stream. We don't require any
+particular processing here as these ioctls don't take any argument.
+
+Signed-off-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
+Fixes: eec688e1420 ("drm/i915: Add i915 perf infrastructure")
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Link: https://patchwork.freedesktop.org/patch/msgid/20171024152728.4873-1-lionel.g.landwerlin@intel.com
+(cherry picked from commit 191f896085cf3b5d85920d58a759da4eea141721)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_perf.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/i915/i915_perf.c
++++ b/drivers/gpu/drm/i915/i915_perf.c
+@@ -2480,6 +2480,10 @@ static const struct file_operations fops
+       .poll           = i915_perf_poll,
+       .read           = i915_perf_read,
+       .unlocked_ioctl = i915_perf_ioctl,
++      /* Our ioctl have no arguments, so it's safe to use the same function
++       * to handle 32bits compatibility.
++       */
++      .compat_ioctl   = i915_perf_ioctl,
+ };
diff --git a/queue-4.13/fix-encryption-labels-and-lengths-for-smb3.1.1.patch b/queue-4.13/fix-encryption-labels-and-lengths-for-smb3.1.1.patch
new file mode 100644 (file)
index 0000000..c59c07b
--- /dev/null
@@ -0,0 +1,93 @@
+From 06e2290844fa408d3295ac03a1647f0798518ebe Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Mon, 25 Sep 2017 20:11:58 -0500
+Subject: Fix encryption labels and lengths for SMB3.1.1
+
+From: Steve French <smfrench@gmail.com>
+
+commit 06e2290844fa408d3295ac03a1647f0798518ebe upstream.
+
+SMB3.1.1 is most secure and recent dialect. Fixup labels and lengths
+for sMB3.1.1 signing and encryption.
+
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifsglob.h      |    8 ++++++--
+ fs/cifs/smb2transport.c |   26 ++++++++++++++------------
+ 2 files changed, 20 insertions(+), 14 deletions(-)
+
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -661,7 +661,9 @@ struct TCP_Server_Info {
+ #endif
+       unsigned int    max_read;
+       unsigned int    max_write;
+-      __u8            preauth_hash[512];
++#ifdef CONFIG_CIFS_SMB311
++      __u8    preauth_sha_hash[64]; /* save initital negprot hash */
++#endif /* 3.1.1 */
+       struct delayed_work reconnect; /* reconnect workqueue job */
+       struct mutex reconnect_mutex; /* prevent simultaneous reconnects */
+       unsigned long echo_interval;
+@@ -849,7 +851,9 @@ struct cifs_ses {
+       __u8 smb3signingkey[SMB3_SIGN_KEY_SIZE];
+       __u8 smb3encryptionkey[SMB3_SIGN_KEY_SIZE];
+       __u8 smb3decryptionkey[SMB3_SIGN_KEY_SIZE];
+-      __u8 preauth_hash[512];
++#ifdef CONFIG_CIFS_SMB311
++      __u8 preauth_sha_hash[64];
++#endif /* 3.1.1 */
+ };
+ static inline bool
+--- a/fs/cifs/smb2transport.c
++++ b/fs/cifs/smb2transport.c
+@@ -390,6 +390,7 @@ generate_smb30signingkey(struct cifs_ses
+       return generate_smb3signingkey(ses, &triplet);
+ }
++#ifdef CONFIG_CIFS_SMB311
+ int
+ generate_smb311signingkey(struct cifs_ses *ses)
+@@ -398,25 +399,26 @@ generate_smb311signingkey(struct cifs_se
+       struct derivation *d;
+       d = &triplet.signing;
+-      d->label.iov_base = "SMB2AESCMAC";
+-      d->label.iov_len = 12;
+-      d->context.iov_base = "SmbSign";
+-      d->context.iov_len = 8;
++      d->label.iov_base = "SMBSigningKey";
++      d->label.iov_len = 14;
++      d->context.iov_base = ses->preauth_sha_hash;
++      d->context.iov_len = 64;
+       d = &triplet.encryption;
+-      d->label.iov_base = "SMB2AESCCM";
+-      d->label.iov_len = 11;
+-      d->context.iov_base = "ServerIn ";
+-      d->context.iov_len = 10;
++      d->label.iov_base = "SMBC2SCipherKey";
++      d->label.iov_len = 16;
++      d->context.iov_base = ses->preauth_sha_hash;
++      d->context.iov_len = 64;
+       d = &triplet.decryption;
+-      d->label.iov_base = "SMB2AESCCM";
+-      d->label.iov_len = 11;
+-      d->context.iov_base = "ServerOut";
+-      d->context.iov_len = 10;
++      d->label.iov_base = "SMBS2CCipherKey";
++      d->label.iov_len = 16;
++      d->context.iov_base = ses->preauth_sha_hash;
++      d->context.iov_len = 64;
+       return generate_smb3signingkey(ses, &triplet);
+ }
++#endif /* 311 */
+ int
+ smb3_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server)
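Review bot: The new `generate_smb311signingkey` feeds `ses->preauth_sha_hash` (64 bytes) as the KDF context for all three keys, so the derived keys are only as good as that buffer being the completed pre-authentication integrity hash at call time; that ordering is outside the hunk, and a one-line comment above the function stating the precondition, `/* requires ses->preauth_sha_hash to be final, i.e. updated over the negotiate and session-setup exchange */`, would make the dependency visible. The label lengths (14, 16, 16) correctly include the terminating NUL of the 13- and 15-character labels. Two nits in the cifsglob.h hunk: the comment typo `initital` should read `initial`, and the closing markers differ (`#endif /* 3.1.1 */` there versus `#endif /* 311 */` here). Replacing `preauth_hash[512]` with `preauth_sha_hash[64]` under `CONFIG_CIFS_SMB311` removes the old field entirely, so any other reader of `preauth_hash` in the 4.13 tree, which this hunk cannot show, should be confirmed absent.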
diff --git a/queue-4.13/fuse-fix-readdirplus-skipping-an-entry.patch b/queue-4.13/fuse-fix-readdirplus-skipping-an-entry.patch
new file mode 100644 (file)
index 0000000..e727925
--- /dev/null
@@ -0,0 +1,40 @@
+From c6cdd51404b7ac12dd95173ddfc548c59ecf037f Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 25 Oct 2017 16:34:27 +0200
+Subject: fuse: fix READDIRPLUS skipping an entry
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit c6cdd51404b7ac12dd95173ddfc548c59ecf037f upstream.
+
+Marios Titas running a Haskell program noticed a problem with fuse's
+readdirplus: when it is interrupted by a signal, it skips one directory
+entry.
+
+The reason is that fuse erroneously updates ctx->pos after a failed
+dir_emit().
+
+The issue originates from the patch adding readdirplus support.
+
+Reported-by: Jakob Unterwurzacher <jakobunt@gmail.com>
+Tested-by: Marios Titas <redneb@gmx.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 0b05b18381ee ("fuse: implement NFS-like readdirplus support")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/dir.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1312,7 +1312,8 @@ static int parse_dirplusfile(char *buf,
+                       */
+                       over = !dir_emit(ctx, dirent->name, dirent->namelen,
+                                      dirent->ino, dirent->type);
+-                      ctx->pos = dirent->off;
++                      if (!over)
++                              ctx->pos = dirent->off;
+               }
+               buf += reclen;
diff --git a/queue-4.13/input-elan_i2c-add-elan0611-to-the-acpi-table.patch b/queue-4.13/input-elan_i2c-add-elan0611-to-the-acpi-table.patch
new file mode 100644 (file)
index 0000000..bf73107
--- /dev/null
@@ -0,0 +1,36 @@
+From 57a95b41869b8f0d1949c24df2a9dac1ca7082ee Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 24 Oct 2017 11:08:18 -0700
+Subject: Input: elan_i2c - add ELAN0611 to the ACPI table
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 57a95b41869b8f0d1949c24df2a9dac1ca7082ee upstream.
+
+ELAN0611 touchpad uses elan_i2c as its driver. It can be found
+on Lenovo ideapad 320-15IKB.
+
+So add it to ACPI table to enable the touchpad.
+
+[Ido Adiv <idoad123@gmail.com> reports that the same ACPI ID is used for
+Elan touchpad in ideapad 520].
+
+BugLink: https://bugs.launchpad.net/bugs/1723736
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elan_i2c_core.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1253,6 +1253,7 @@ static const struct acpi_device_id elan_
+       { "ELAN0605", 0 },
+       { "ELAN0609", 0 },
+       { "ELAN060B", 0 },
++      { "ELAN0611", 0 },
+       { "ELAN1000", 0 },
+       { }
+ };
diff --git a/queue-4.13/input-gtco-fix-potential-out-of-bound-access.patch b/queue-4.13/input-gtco-fix-potential-out-of-bound-access.patch
new file mode 100644 (file)
index 0000000..81b2df8
--- /dev/null
@@ -0,0 +1,57 @@
+From a50829479f58416a013a4ccca791336af3c584c7 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 23 Oct 2017 16:46:00 -0700
+Subject: Input: gtco - fix potential out-of-bound access
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit a50829479f58416a013a4ccca791336af3c584c7 upstream.
+
+parse_hid_report_descriptor() has a while (i < length) loop, which
+only guarantees that there's at least 1 byte in the buffer, but the
+loop body can read multiple bytes which causes out-of-bounds access.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/tablet/gtco.c |   17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -230,13 +230,17 @@ static void parse_hid_report_descriptor(
+       /* Walk  this report and pull out the info we need */
+       while (i < length) {
+-              prefix = report[i];
+-
+-              /* Skip over prefix */
+-              i++;
++              prefix = report[i++];
+               /* Determine data size and save the data in the proper variable */
+-              size = PREF_SIZE(prefix);
++              size = (1U << PREF_SIZE(prefix)) >> 1;
++              if (i + size > length) {
++                      dev_err(ddev,
++                              "Not enough data (need %d, have %d)\n",
++                              i + size, length);
++                      break;
++              }
++
+               switch (size) {
+               case 1:
+                       data = report[i];
+@@ -244,8 +248,7 @@ static void parse_hid_report_descriptor(
+               case 2:
+                       data16 = get_unaligned_le16(&report[i]);
+                       break;
+-              case 3:
+-                      size = 4;
++              case 4:
+                       data32 = get_unaligned_le32(&report[i]);
+                       break;
+               }
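Review bot: `size = (1U << PREF_SIZE(prefix)) >> 1;` is correct but opaque: it maps the two-bit HID item size field 0,1,2,3 onto 0,1,2,4 data bytes, which is also why the old `case 3: size = 4;` became `case 4:`. A comment above it, `/* HID item bSize 0/1/2/3 encodes 0/1/2/4 data bytes */`, would save the next reader from rederiving this and from wondering why the switch has no case 3. The `i + size > length` check is the actual fix; the declarations of `i`, `size` and `length` are outside the hunk, so the `%d` specifiers in the dev_err() should be confirmed against their types. On `break` the caller continues with whatever was parsed before the truncated item — if a malformed descriptor should instead fail the probe, that decision also lies outside this hunk.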
diff --git a/queue-4.13/kvm-ppc-book3s-hv-power9-more-doorbell-fixes.patch b/queue-4.13/kvm-ppc-book3s-hv-power9-more-doorbell-fixes.patch
new file mode 100644 (file)
index 0000000..3dc5d8b
--- /dev/null
@@ -0,0 +1,46 @@
+From 2cde3716321ec64a1faeaf567bd94100c7b4160f Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Tue, 10 Oct 2017 20:18:28 +1000
+Subject: KVM: PPC: Book3S HV: POWER9 more doorbell fixes
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit 2cde3716321ec64a1faeaf567bd94100c7b4160f upstream.
+
+- Add another case where msgsync is required.
+- Required barrier sequence for global doorbells is msgsync ; lwsync
+
+When msgsnd is used for IPIs to other cores, msgsync must be executed by
+the target to order stores performed on the source before its msgsnd
+(provided the source executes the appropriate sync).
+
+Fixes: 1704a81ccebc ("KVM: PPC: Book3S HV: Use msgsnd for IPIs to other cores on POWER9")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_hv_rmhandlers.S |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+@@ -1296,6 +1296,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
+       bne     3f
+ BEGIN_FTR_SECTION
+       PPC_MSGSYNC
++      lwsync
+ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
+       lbz     r0, HSTATE_HOST_IPI(r13)
+       cmpwi   r0, 0
+@@ -2767,6 +2768,10 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
+       PPC_MSGCLR(6)
+       /* see if it's a host IPI */
+       li      r3, 1
++BEGIN_FTR_SECTION
++      PPC_MSGSYNC
++      lwsync
++END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
+       lbz     r0, HSTATE_HOST_IPI(r13)
+       cmpwi   r0, 0
+       bnelr
diff --git a/queue-4.13/kvm-ppc-book3s-protect-kvmppc_gpa_to_ua-with-srcu.patch b/queue-4.13/kvm-ppc-book3s-protect-kvmppc_gpa_to_ua-with-srcu.patch
new file mode 100644 (file)
index 0000000..ef8fac4
--- /dev/null
@@ -0,0 +1,99 @@
+From 8f6a9f0d0604817f7c8d4376fd51718f1bf192ee Mon Sep 17 00:00:00 2001
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Date: Wed, 11 Oct 2017 16:00:34 +1100
+Subject: KVM: PPC: Book3S: Protect kvmppc_gpa_to_ua() with SRCU
+
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+
+commit 8f6a9f0d0604817f7c8d4376fd51718f1bf192ee upstream.
+
+kvmppc_gpa_to_ua() accesses KVM memory slot array via
+srcu_dereference_check() and this produces warnings from RCU like below.
+
+This extends the existing srcu_read_lock/unlock to cover that
+kvmppc_gpa_to_ua() as well.
+
+We did not hit this before as this lock is not needed for the realmode
+handlers and hash guests would use the realmode path all the time;
+however the radix guests are always redirected to the virtual mode
+handlers and hence the warning.
+
+[   68.253798] ./include/linux/kvm_host.h:575 suspicious rcu_dereference_check() usage!
+[   68.253799]
+               other info that might help us debug this:
+
+[   68.253802]
+               rcu_scheduler_active = 2, debug_locks = 1
+[   68.253804] 1 lock held by qemu-system-ppc/6413:
+[   68.253806]  #0:  (&vcpu->mutex){+.+.}, at: [<c00800000e3c22f4>] vcpu_load+0x3c/0xc0 [kvm]
+[   68.253826]
+               stack backtrace:
+[   68.253830] CPU: 92 PID: 6413 Comm: qemu-system-ppc Tainted: G        W       4.14.0-rc3-00553-g432dcba58e9c-dirty #72
+[   68.253833] Call Trace:
+[   68.253839] [c000000fd3d9f790] [c000000000b7fcc8] dump_stack+0xe8/0x160 (unreliable)
+[   68.253845] [c000000fd3d9f7d0] [c0000000001924c0] lockdep_rcu_suspicious+0x110/0x180
+[   68.253851] [c000000fd3d9f850] [c0000000000e825c] kvmppc_gpa_to_ua+0x26c/0x2b0
+[   68.253858] [c000000fd3d9f8b0] [c00800000e3e1984] kvmppc_h_put_tce+0x12c/0x2a0 [kvm]
+
+Fixes: 121f80ba68f1 ("KVM: PPC: VFIO: Add in-kernel acceleration for VFIO")
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_64_vio.c |   23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_64_vio.c
++++ b/arch/powerpc/kvm/book3s_64_vio.c
+@@ -479,28 +479,30 @@ long kvmppc_h_put_tce(struct kvm_vcpu *v
+               return ret;
+       dir = iommu_tce_direction(tce);
++
++      idx = srcu_read_lock(&vcpu->kvm->srcu);
++
+       if ((dir != DMA_NONE) && kvmppc_gpa_to_ua(vcpu->kvm,
+-                      tce & ~(TCE_PCI_READ | TCE_PCI_WRITE), &ua, NULL))
+-              return H_PARAMETER;
++                      tce & ~(TCE_PCI_READ | TCE_PCI_WRITE), &ua, NULL)) {
++              ret = H_PARAMETER;
++              goto unlock_exit;
++      }
+       entry = ioba >> stt->page_shift;
+       list_for_each_entry_lockless(stit, &stt->iommu_tables, next) {
+-              if (dir == DMA_NONE) {
++              if (dir == DMA_NONE)
+                       ret = kvmppc_tce_iommu_unmap(vcpu->kvm,
+                                       stit->tbl, entry);
+-              } else {
+-                      idx = srcu_read_lock(&vcpu->kvm->srcu);
++              else
+                       ret = kvmppc_tce_iommu_map(vcpu->kvm, stit->tbl,
+                                       entry, ua, dir);
+-                      srcu_read_unlock(&vcpu->kvm->srcu, idx);
+-              }
+               if (ret == H_SUCCESS)
+                       continue;
+               if (ret == H_TOO_HARD)
+-                      return ret;
++                      goto unlock_exit;
+               WARN_ON_ONCE(1);
+               kvmppc_clear_tce(stit->tbl, entry);
+@@ -508,7 +510,10 @@ long kvmppc_h_put_tce(struct kvm_vcpu *v
+       kvmppc_tce_put(stt, entry, tce);
+-      return H_SUCCESS;
++unlock_exit:
++      srcu_read_unlock(&vcpu->kvm->srcu, idx);
++
++      return ret;
+ }
+ EXPORT_SYMBOL_GPL(kvmppc_h_put_tce);
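Review bot: `return ret;` at `unlock_exit` is not equivalent to the `return H_SUCCESS;` it replaces: when the last iommu table in the list takes the `WARN_ON_ONCE(1)` / `kvmppc_clear_tce()` path, `ret` still holds that table's error code, so the hcall now reports failure to the guest even though `kvmppc_tce_put()` has already updated the shadow table. If the previous best-effort semantics are intended, add `ret = H_SUCCESS;` immediately before `kvmppc_tce_put(stt, entry, tce);`; if reporting the failure is intended, the WARN path should `goto unlock_exit` rather than fall through to kvmppc_tce_put(). Either way a comment should state which outcome is wanted. The function prologue, including where `ret` and `idx` are declared, is outside the hunk.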
diff --git a/queue-4.13/kvm-ppc-fix-oops-when-checking-kvm_cap_ppc_htm.patch b/queue-4.13/kvm-ppc-fix-oops-when-checking-kvm_cap_ppc_htm.patch
new file mode 100644 (file)
index 0000000..c8b6731
--- /dev/null
@@ -0,0 +1,54 @@
+From ac64115a66c18c01745bbd3c47a36b124e5fd8c0 Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Thu, 14 Sep 2017 23:56:25 +0200
+Subject: KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM
+
+From: Greg Kurz <groug@kaod.org>
+
+commit ac64115a66c18c01745bbd3c47a36b124e5fd8c0 upstream.
+
+The following program causes a kernel oops:
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include <linux/kvm.h>
+
+main()
+{
+    int fd = open("/dev/kvm", O_RDWR);
+    ioctl(fd, KVM_CHECK_EXTENSION, KVM_CAP_PPC_HTM);
+}
+
+This happens because when using the global KVM fd with
+KVM_CHECK_EXTENSION, kvm_vm_ioctl_check_extension() gets
+called with a NULL kvm argument, which gets dereferenced
+in is_kvmppc_hv_enabled(). Spotted while reading the code.
+
+Let's use the hv_enabled fallback variable, like everywhere
+else in this function.
+
+Fixes: 23528bb21ee2 ("KVM: PPC: Introduce KVM_CAP_PPC_HTM")
+Signed-off-by: Greg Kurz <groug@kaod.org>
+Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/powerpc.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/powerpc/kvm/powerpc.c
++++ b/arch/powerpc/kvm/powerpc.c
+@@ -639,8 +639,7 @@ int kvm_vm_ioctl_check_extension(struct
+               break;
+ #endif
+       case KVM_CAP_PPC_HTM:
+-              r = cpu_has_feature(CPU_FTR_TM_COMP) &&
+-                  is_kvmppc_hv_enabled(kvm);
++              r = cpu_has_feature(CPU_FTR_TM_COMP) && hv_enabled;
+               break;
+       default:
+               r = 0;
diff --git a/queue-4.13/nbd-handle-interrupted-sendmsg-with-a-sndtimeo-set.patch b/queue-4.13/nbd-handle-interrupted-sendmsg-with-a-sndtimeo-set.patch
new file mode 100644 (file)
index 0000000..88bcd33
--- /dev/null
@@ -0,0 +1,62 @@
+From 32e67a3a06b88904155170560b7a63d372b320bd Mon Sep 17 00:00:00 2001
+From: Josef Bacik <jbacik@fb.com>
+Date: Tue, 24 Oct 2017 15:57:18 -0400
+Subject: nbd: handle interrupted sendmsg with a sndtimeo set
+
+From: Josef Bacik <jbacik@fb.com>
+
+commit 32e67a3a06b88904155170560b7a63d372b320bd upstream.
+
+If you do not set sk_sndtimeo you will get -ERESTARTSYS if there is a
+pending signal when you enter sendmsg, which we handle properly.
+However if you set a timeout for your commands we'll set sk_sndtimeo to
+that timeout, which means that sendmsg will start returning -EINTR
+instead of -ERESTARTSYS.  Fix this by checking for either case and doing
+the correct thing.
+
+Fixes: dc88e34d69d8 ("nbd: set sk->sk_sndtimeo for our sockets")
+Reported-and-tested-by: Daniel Xu <dlxu@fb.com>
+Signed-off-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/nbd.c |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -386,6 +386,15 @@ static int sock_xmit(struct nbd_device *
+       return result;
+ }
++/*
++ * Different settings for sk->sk_sndtimeo can result in different return values
++ * if there is a signal pending when we enter sendmsg, because reasons?
++ */
++static inline int was_interrupted(int result)
++{
++      return result == -ERESTARTSYS || result == -EINTR;
++}
++
+ /* always call with the tx_lock held */
+ static int nbd_send_cmd(struct nbd_device *nbd, struct nbd_cmd *cmd, int index)
+ {
+@@ -458,7 +467,7 @@ static int nbd_send_cmd(struct nbd_devic
+       result = sock_xmit(nbd, index, 1, &from,
+                       (type == NBD_CMD_WRITE) ? MSG_MORE : 0, &sent);
+       if (result <= 0) {
+-              if (result == -ERESTARTSYS) {
++              if (was_interrupted(result)) {
+                       /* If we havne't sent anything we can just return BUSY,
+                        * however if we have sent something we need to make
+                        * sure we only allow this req to be sent until we are
+@@ -502,7 +511,7 @@ send_pages:
+                       }
+                       result = sock_xmit(nbd, index, 1, &from, flags, &sent);
+                       if (result <= 0) {
+-                              if (result == -ERESTARTSYS) {
++                              if (was_interrupted(result)) {
+                                       /* We've already sent the header, we
+                                        * have no choice but to set pending and
+                                        * return BUSY.
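Review bot: The comment above `was_interrupted()` ("because reasons?") documents nothing, while the commit message already has the real explanation and it belongs in the code: `/* With sk_sndtimeo unset, sendmsg() returns -ERESTARTSYS on a pending signal; with a timeout set it returns -EINTR instead. Treat both as "interrupted, retry later". */`. With that in place both call sites read as intended and the `sent`-based BUSY handling they already do is unchanged. The body of nbd_send_cmd() continues past the hunk.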
diff --git a/queue-4.13/ovl-add-null-check-in-ovl_alloc_inode.patch b/queue-4.13/ovl-add-null-check-in-ovl_alloc_inode.patch
new file mode 100644 (file)
index 0000000..331d026
--- /dev/null
@@ -0,0 +1,31 @@
+From b3885bd6edb41b91a0e3976469f72ae31bfb8d95 Mon Sep 17 00:00:00 2001
+From: Hirofumi Nakagawa <nklabs@gmail.com>
+Date: Tue, 26 Sep 2017 03:09:53 +0900
+Subject: ovl: add NULL check in ovl_alloc_inode
+
+From: Hirofumi Nakagawa <nklabs@gmail.com>
+
+commit b3885bd6edb41b91a0e3976469f72ae31bfb8d95 upstream.
+
+This was detected by fault injection test
+
+Signed-off-by: Hirofumi Nakagawa <nklabs@gmail.com>
+Fixes: 13cf199d0088 ("ovl: allocate an ovl_inode struct")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/super.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -174,6 +174,9 @@ static struct inode *ovl_alloc_inode(str
+ {
+       struct ovl_inode *oi = kmem_cache_alloc(ovl_inode_cachep, GFP_KERNEL);
++      if (!oi)
++              return NULL;
++
+       oi->cache = NULL;
+       oi->redirect = NULL;
+       oi->version = 0;
diff --git a/queue-4.13/ovl-do-not-cleanup-unsupported-index-entries.patch b/queue-4.13/ovl-do-not-cleanup-unsupported-index-entries.patch
new file mode 100644 (file)
index 0000000..f4cb943
--- /dev/null
@@ -0,0 +1,74 @@
+From fa0096e3bad69ed6f34843fd7ae1c45ca987012a Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Tue, 24 Oct 2017 12:24:11 +0300
+Subject: ovl: do not cleanup unsupported index entries
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit fa0096e3bad69ed6f34843fd7ae1c45ca987012a upstream.
+
+With index=on, ovl_indexdir_cleanup() tries to cleanup invalid index
+entries (e.g. bad index name). This behavior could result in cleaning of
+entries created by newer kernels and is therefore undesirable.
+Instead, abort mount if such entries are encountered. We still cleanup
+'stale' entries and 'orphan' entries, both those cases can be a result
+of offline changes to lower and upper dirs.
+
+When encountering an index entry of type directory or whiteout, the kernel
+was supposed to fall back to a read-only mount, but the fill_super()
+operation returns EROFS in this case instead of returning success with
+the read-only mount flag, so the mount fails when encountering directory or
+whiteout index entries. Bless this behavior by returning -EINVAL on
+directory and whiteout index entries as we do for all unsupported index
+entries.
+
+Fixes: 61b674710cd9 ("ovl: do not cleanup directory and whiteout index..")
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/namei.c   |    7 +++----
+ fs/overlayfs/readdir.c |   11 +++++------
+ 2 files changed, 8 insertions(+), 10 deletions(-)
+
+--- a/fs/overlayfs/namei.c
++++ b/fs/overlayfs/namei.c
+@@ -405,14 +405,13 @@ int ovl_verify_index(struct dentry *inde
+        * be treated as stale (i.e. after unlink of the overlay inode).
+        * We don't know the verification rules for directory and whiteout
+        * index entries, because they have not been implemented yet, so return
+-       * EROFS if those entries are found to avoid corrupting an index that
+-       * was created by a newer kernel.
++       * EINVAL if those entries are found to abort the mount to avoid
++       * corrupting an index that was created by a newer kernel.
+        */
+-      err = -EROFS;
++      err = -EINVAL;
+       if (d_is_dir(index) || ovl_is_whiteout(index))
+               goto fail;
+-      err = -EINVAL;
+       if (index->d_name.len < sizeof(struct ovl_fh)*2)
+               goto fail;
+--- a/fs/overlayfs/readdir.c
++++ b/fs/overlayfs/readdir.c
+@@ -704,13 +704,12 @@ int ovl_indexdir_cleanup(struct dentry *
+                       break;
+               }
+               err = ovl_verify_index(index, lowerstack, numlower);
+-              if (err) {
+-                      if (err == -EROFS)
+-                              break;
++              /* Cleanup stale and orphan index entries */
++              if (err && (err == -ESTALE || err == -ENOENT))
+                       err = ovl_cleanup(dir, index);
+-                      if (err)
+-                              break;
+-              }
++              if (err)
++                      break;
++
+               dput(index);
+               index = NULL;
+       }
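Review bot: In `if (err && (err == -ESTALE || err == -ENOENT))` the `err &&` is redundant — both constants are nonzero — so `if (err == -ESTALE || err == -ENOENT)` says the same thing more plainly. The more important change is implicit: every other error from ovl_verify_index(), including the -EINVAL now returned for directory and whiteout entries in the namei.c hunk, breaks out of the loop and (per the commit message) aborts the mount, while only stale and orphan entries are removed; a comment such as `/* Any other error (unsupported or invalid entry) aborts the mount */` above the `if (err) break;` would make that policy explicit to whoever adds the next error code. ovl_indexdir_cleanup() starts outside the hunk.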
diff --git a/queue-4.13/ovl-fix-eio-from-lookup-of-non-indexed-upper.patch b/queue-4.13/ovl-fix-eio-from-lookup-of-non-indexed-upper.patch
new file mode 100644 (file)
index 0000000..1576606
--- /dev/null
@@ -0,0 +1,130 @@
+From 6eaf011144af10cad34c0d46f82e50d382c8e926 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Thu, 12 Oct 2017 19:03:04 +0300
+Subject: ovl: fix EIO from lookup of non-indexed upper
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 6eaf011144af10cad34c0d46f82e50d382c8e926 upstream.
+
+Commit fbaf94ee3cd5 ("ovl: don't set origin on broken lower hardlink")
+attempted to avoid the condition of a non-indexed upper inode with a lower
+hardlink as origin. If this condition is found, lookup returns EIO.
+
+The protection of commit mentioned above does not cover the case of lower
+that is not a hardlink when it is copied up (with either index=off/on)
+and then lower is hardlinked while overlay is offline.
+
+Changes to lower layer while overlayfs is offline should not result in
+unexpected behavior, so a permanent EIO error after creating a link in
+lower layer should not be considered as correct behavior.
+
+This fix replaces EIO error with success in cases where upper has origin
+but no index is found, or index is found that does not match upper
+inode. In those cases, lookup will not fail and the returned overlay inode
+will be hashed by upper inode instead of by lower origin inode.
+
+Fixes: 359f392ca53e ("ovl: lookup index entry for copy up origin")
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/inode.c     |   20 ++++++++++++++++----
+ fs/overlayfs/namei.c     |   20 ++++++++------------
+ fs/overlayfs/overlayfs.h |    3 ++-
+ 3 files changed, 26 insertions(+), 17 deletions(-)
+
+--- a/fs/overlayfs/inode.c
++++ b/fs/overlayfs/inode.c
+@@ -595,18 +595,30 @@ static bool ovl_verify_inode(struct inod
+       return true;
+ }
+-struct inode *ovl_get_inode(struct dentry *dentry, struct dentry *upperdentry)
++struct inode *ovl_get_inode(struct dentry *dentry, struct dentry *upperdentry,
++                          struct dentry *index)
+ {
+       struct dentry *lowerdentry = ovl_dentry_lower(dentry);
+       struct inode *realinode = upperdentry ? d_inode(upperdentry) : NULL;
+       struct inode *inode;
++      /* Already indexed or could be indexed on copy up? */
++      bool indexed = (index || (ovl_indexdir(dentry->d_sb) && !upperdentry));
++
++      if (WARN_ON(upperdentry && indexed && !lowerdentry))
++              return ERR_PTR(-EIO);
+       if (!realinode)
+               realinode = d_inode(lowerdentry);
+-      if (!S_ISDIR(realinode->i_mode) &&
+-          (upperdentry || (lowerdentry && ovl_indexdir(dentry->d_sb)))) {
+-              struct inode *key = d_inode(lowerdentry ?: upperdentry);
++      /*
++       * Copy up origin (lower) may exist for non-indexed upper, but we must
++       * not use lower as hash key in that case.
++       * Hash inodes that are or could be indexed by origin inode and
++       * non-indexed upper inodes that could be hard linked by upper inode.
++       */
++      if (!S_ISDIR(realinode->i_mode) && (upperdentry || indexed)) {
++              struct inode *key = d_inode(indexed ? lowerdentry :
++                                                    upperdentry);
+               unsigned int nlink;
+               inode = iget5_locked(dentry->d_sb, (unsigned long) key,
+--- a/fs/overlayfs/namei.c
++++ b/fs/overlayfs/namei.c
+@@ -516,18 +516,9 @@ static struct dentry *ovl_lookup_index(s
+       inode = d_inode(index);
+       if (d_is_negative(index)) {
+-              if (upper && d_inode(origin)->i_nlink > 1) {
+-                      pr_warn_ratelimited("overlayfs: hard link with origin but no index (ino=%lu).\n",
+-                                          d_inode(origin)->i_ino);
+-                      goto fail;
+-              }
+-
+-              dput(index);
+-              index = NULL;
++              goto out_dput;
+       } else if (upper && d_inode(upper) != inode) {
+-              pr_warn_ratelimited("overlayfs: wrong index found (index=%pd2, ino=%lu, upper ino=%lu).\n",
+-                                  index, inode->i_ino, d_inode(upper)->i_ino);
+-              goto fail;
++              goto out_dput;
+       } else if (ovl_dentry_weird(index) || ovl_is_whiteout(index) ||
+                  ((inode->i_mode ^ d_inode(origin)->i_mode) & S_IFMT)) {
+               /*
+@@ -547,6 +538,11 @@ out:
+       kfree(name.name);
+       return index;
++out_dput:
++      dput(index);
++      index = NULL;
++      goto out;
++
+ fail:
+       dput(index);
+       index = ERR_PTR(-EIO);
+@@ -709,7 +705,7 @@ struct dentry *ovl_lookup(struct inode *
+               upperdentry = dget(index);
+       if (upperdentry || ctr) {
+-              inode = ovl_get_inode(dentry, upperdentry);
++              inode = ovl_get_inode(dentry, upperdentry, index);
+               err = PTR_ERR(inode);
+               if (IS_ERR(inode))
+                       goto out_free_oe;
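Review bot: The `upper && d_inode(upper) != inode` branch now jumps straight to `out_dput`, dropping the ratelimited warning that used to fire on a mismatched index entry; not failing with EIO is the right call, but losing the message entirely removes the only signal that the index and the upper layer disagree, which could also be the result of offline modification of the upper directory. Consider keeping a diagnostic before the jump, e.g. `pr_debug("overlayfs: index mismatch ignored (index ino=%lu, upper ino=%lu)\n", inode->i_ino, d_inode(upper)->i_ino);`. The same applies, with less urgency, to the negative-index case above it. The opening of ovl_lookup_index() is outside the hunk.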
+--- a/fs/overlayfs/overlayfs.h
++++ b/fs/overlayfs/overlayfs.h
+@@ -284,7 +284,8 @@ int ovl_update_time(struct inode *inode,
+ bool ovl_is_private_xattr(const char *name);
+ struct inode *ovl_new_inode(struct super_block *sb, umode_t mode, dev_t rdev);
+-struct inode *ovl_get_inode(struct dentry *dentry, struct dentry *upperdentry);
++struct inode *ovl_get_inode(struct dentry *dentry, struct dentry *upperdentry,
++                          struct dentry *index);
+ static inline void ovl_copyattr(struct inode *from, struct inode *to)
+ {
+       to->i_uid = from->i_uid;
diff --git a/queue-4.13/ovl-handle-enoent-on-index-lookup.patch b/queue-4.13/ovl-handle-enoent-on-index-lookup.patch
new file mode 100644 (file)
index 0000000..8a67a27
--- /dev/null
@@ -0,0 +1,34 @@
+From 7937a56fdf0b064c2ffa33025210f725a4ebc822 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Fri, 20 Oct 2017 17:19:06 +0300
+Subject: ovl: handle ENOENT on index lookup
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 7937a56fdf0b064c2ffa33025210f725a4ebc822 upstream.
+
+Treat ENOENT from index entry lookup the same way as treating a returned
+negative dentry. Apparently, either could be returned if file is not
+found, depending on the underlying file system.
+
+Fixes: 359f392ca53e ("ovl: lookup index entry for copy up origin")
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/namei.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/overlayfs/namei.c
++++ b/fs/overlayfs/namei.c
+@@ -507,6 +507,10 @@ static struct dentry *ovl_lookup_index(s
+       index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len);
+       if (IS_ERR(index)) {
+               err = PTR_ERR(index);
++              if (err == -ENOENT) {
++                      index = NULL;
++                      goto out;
++              }
+               pr_warn_ratelimited("overlayfs: failed inode index lookup (ino=%lu, key=%*s, err=%i);\n"
+                                   "overlayfs: mount with '-o index=off' to disable inodes index.\n",
+                                   d_inode(origin)->i_ino, name.len, name.name,
diff --git a/queue-4.13/pm-qos-fix-device-resume-latency-pm-qos.patch b/queue-4.13/pm-qos-fix-device-resume-latency-pm-qos.patch
new file mode 100644 (file)
index 0000000..a6ff8d5
--- /dev/null
@@ -0,0 +1,274 @@
+From 0cc2b4e5a020fc7f4d1795741c116c983e9467d7 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Tue, 24 Oct 2017 15:20:45 +0200
+Subject: PM / QoS: Fix device resume latency PM QoS
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 0cc2b4e5a020fc7f4d1795741c116c983e9467d7 upstream.
+
+The special value of 0 for device resume latency PM QoS means
+"no restriction", but there are two problems with that.
+
+First, device resume latency PM QoS requests with 0 as the
+value are always put in front of requests with positive
+values in the priority lists used internally by the PM QoS
+framework, causing 0 to be chosen as an effective constraint
+value.  However, that 0 is then interpreted as "no restriction"
+effectively overriding the other requests with specific
+restrictions which is incorrect.
+
+Second, the users of device resume latency PM QoS have no
+way to specify that *any* resume latency at all should be
+avoided, which is an artificial limitation in general.
+
+To address these issues, modify device resume latency PM QoS to
+use S32_MAX as the "no constraint" value and 0 as the "no
+latency at all" one and rework its users (the cpuidle menu
+governor, the genpd QoS governor and the runtime PM framework)
+to follow these changes.
+
+Also add a special "n/a" value to the corresponding user space I/F
+to allow user space to indicate that it cannot accept any resume
+latencies at all for the given device.
+
+Fixes: 85dc0b8a4019 (PM / QoS: Make it possible to expose PM QoS latency constraints)
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=197323
+Reported-by: Reinette Chatre <reinette.chatre@intel.com>
+Tested-by: Reinette Chatre <reinette.chatre@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Alex Shi <alex.shi@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/ABI/testing/sysfs-devices-power |    4 +
+ drivers/base/cpu.c                            |    3 -
+ drivers/base/power/domain_governor.c          |   53 ++++++++++++++------------
+ drivers/base/power/qos.c                      |    2 
+ drivers/base/power/runtime.c                  |    2 
+ drivers/base/power/sysfs.c                    |   25 ++++++++++--
+ drivers/cpuidle/governors/menu.c              |    4 -
+ include/linux/pm_qos.h                        |    5 +-
+ 8 files changed, 63 insertions(+), 35 deletions(-)
+
+--- a/Documentation/ABI/testing/sysfs-devices-power
++++ b/Documentation/ABI/testing/sysfs-devices-power
+@@ -211,7 +211,9 @@ Description:
+               device, after it has been suspended at run time, from a resume
+               request to the moment the device will be ready to process I/O,
+               in microseconds.  If it is equal to 0, however, this means that
+-              the PM QoS resume latency may be arbitrary.
++              the PM QoS resume latency may be arbitrary and the special value
++              "n/a" means that user space cannot accept any resume latency at
++              all for the given device.
+               Not all drivers support this attribute.  If it isn't supported,
+               it is not present.
+--- a/drivers/base/cpu.c
++++ b/drivers/base/cpu.c
+@@ -377,7 +377,8 @@ int register_cpu(struct cpu *cpu, int nu
+       per_cpu(cpu_sys_devices, num) = &cpu->dev;
+       register_cpu_under_node(num, cpu_to_node(num));
+-      dev_pm_qos_expose_latency_limit(&cpu->dev, 0);
++      dev_pm_qos_expose_latency_limit(&cpu->dev,
++                                      PM_QOS_RESUME_LATENCY_NO_CONSTRAINT);
+       return 0;
+ }
+--- a/drivers/base/power/domain_governor.c
++++ b/drivers/base/power/domain_governor.c
+@@ -14,23 +14,20 @@
+ static int dev_update_qos_constraint(struct device *dev, void *data)
+ {
+       s64 *constraint_ns_p = data;
+-      s32 constraint_ns = -1;
++      s64 constraint_ns = -1;
+       if (dev->power.subsys_data && dev->power.subsys_data->domain_data)
+               constraint_ns = dev_gpd_data(dev)->td.effective_constraint_ns;
+-      if (constraint_ns < 0) {
++      if (constraint_ns < 0)
+               constraint_ns = dev_pm_qos_read_value(dev);
+-              constraint_ns *= NSEC_PER_USEC;
+-      }
+-      if (constraint_ns == 0)
++
++      if (constraint_ns == PM_QOS_RESUME_LATENCY_NO_CONSTRAINT)
+               return 0;
+-      /*
+-       * constraint_ns cannot be negative here, because the device has been
+-       * suspended.
+-       */
+-      if (constraint_ns < *constraint_ns_p || *constraint_ns_p == 0)
++      constraint_ns *= NSEC_PER_USEC;
++
++      if (constraint_ns < *constraint_ns_p || *constraint_ns_p < 0)
+               *constraint_ns_p = constraint_ns;
+       return 0;
+@@ -63,10 +60,14 @@ static bool default_suspend_ok(struct de
+       spin_unlock_irqrestore(&dev->power.lock, flags);
+-      if (constraint_ns < 0)
++      if (constraint_ns == 0)
+               return false;
+-      constraint_ns *= NSEC_PER_USEC;
++      if (constraint_ns == PM_QOS_RESUME_LATENCY_NO_CONSTRAINT)
++              constraint_ns = -1;
++      else
++              constraint_ns *= NSEC_PER_USEC;
++
+       /*
+        * We can walk the children without any additional locking, because
+        * they all have been suspended at this point and their
+@@ -76,14 +77,19 @@ static bool default_suspend_ok(struct de
+               device_for_each_child(dev, &constraint_ns,
+                                     dev_update_qos_constraint);
+-      if (constraint_ns > 0) {
+-              constraint_ns -= td->suspend_latency_ns +
+-                              td->resume_latency_ns;
+-              if (constraint_ns == 0)
+-                      return false;
++      if (constraint_ns < 0) {
++              /* The children have no constraints. */
++              td->effective_constraint_ns = PM_QOS_RESUME_LATENCY_NO_CONSTRAINT;
++              td->cached_suspend_ok = true;
++      } else {
++              constraint_ns -= td->suspend_latency_ns + td->resume_latency_ns;
++              if (constraint_ns > 0) {
++                      td->effective_constraint_ns = constraint_ns;
++                      td->cached_suspend_ok = true;
++              } else {
++                      td->effective_constraint_ns = 0;
++              }
+       }
+-      td->effective_constraint_ns = constraint_ns;
+-      td->cached_suspend_ok = constraint_ns >= 0;
+       /*
+        * The children have been suspended already, so we don't need to take
+@@ -145,13 +151,14 @@ static bool __default_power_down_ok(stru
+               td = &to_gpd_data(pdd)->td;
+               constraint_ns = td->effective_constraint_ns;
+               /* default_suspend_ok() need not be called before us. */
+-              if (constraint_ns < 0) {
++              if (constraint_ns < 0)
+                       constraint_ns = dev_pm_qos_read_value(pdd->dev);
+-                      constraint_ns *= NSEC_PER_USEC;
+-              }
+-              if (constraint_ns == 0)
++
++              if (constraint_ns == PM_QOS_RESUME_LATENCY_NO_CONSTRAINT)
+                       continue;
++              constraint_ns *= NSEC_PER_USEC;
++
+               /*
+                * constraint_ns cannot be negative here, because the device has
+                * been suspended.
+--- a/drivers/base/power/qos.c
++++ b/drivers/base/power/qos.c
+@@ -189,7 +189,7 @@ static int dev_pm_qos_constraints_alloca
+       plist_head_init(&c->list);
+       c->target_value = PM_QOS_RESUME_LATENCY_DEFAULT_VALUE;
+       c->default_value = PM_QOS_RESUME_LATENCY_DEFAULT_VALUE;
+-      c->no_constraint_value = PM_QOS_RESUME_LATENCY_DEFAULT_VALUE;
++      c->no_constraint_value = PM_QOS_RESUME_LATENCY_NO_CONSTRAINT;
+       c->type = PM_QOS_MIN;
+       c->notifiers = n;
+--- a/drivers/base/power/runtime.c
++++ b/drivers/base/power/runtime.c
+@@ -253,7 +253,7 @@ static int rpm_check_suspend_allowed(str
+           || (dev->power.request_pending
+                       && dev->power.request == RPM_REQ_RESUME))
+               retval = -EAGAIN;
+-      else if (__dev_pm_qos_read_value(dev) < 0)
++      else if (__dev_pm_qos_read_value(dev) == 0)
+               retval = -EPERM;
+       else if (dev->power.runtime_status == RPM_SUSPENDED)
+               retval = 1;
+--- a/drivers/base/power/sysfs.c
++++ b/drivers/base/power/sysfs.c
+@@ -218,7 +218,14 @@ static ssize_t pm_qos_resume_latency_sho
+                                         struct device_attribute *attr,
+                                         char *buf)
+ {
+-      return sprintf(buf, "%d\n", dev_pm_qos_requested_resume_latency(dev));
++      s32 value = dev_pm_qos_requested_resume_latency(dev);
++
++      if (value == 0)
++              return sprintf(buf, "n/a\n");
++      else if (value == PM_QOS_RESUME_LATENCY_NO_CONSTRAINT)
++              value = 0;
++
++      return sprintf(buf, "%d\n", value);
+ }
+ static ssize_t pm_qos_resume_latency_store(struct device *dev,
+@@ -228,11 +235,21 @@ static ssize_t pm_qos_resume_latency_sto
+       s32 value;
+       int ret;
+-      if (kstrtos32(buf, 0, &value))
+-              return -EINVAL;
++      if (!kstrtos32(buf, 0, &value)) {
++              /*
++               * Prevent users from writing negative or "no constraint" values
++               * directly.
++               */
++              if (value < 0 || value == PM_QOS_RESUME_LATENCY_NO_CONSTRAINT)
++                      return -EINVAL;
+-      if (value < 0)
++              if (value == 0)
++                      value = PM_QOS_RESUME_LATENCY_NO_CONSTRAINT;
++      } else if (!strcmp(buf, "n/a") || !strcmp(buf, "n/a\n")) {
++              value = 0;
++      } else {
+               return -EINVAL;
++      }
+       ret = dev_pm_qos_update_request(dev->power.qos->resume_latency_req,
+                                       value);
+--- a/drivers/cpuidle/governors/menu.c
++++ b/drivers/cpuidle/governors/menu.c
+@@ -298,8 +298,8 @@ static int menu_select(struct cpuidle_dr
+               data->needs_update = 0;
+       }
+-      /* resume_latency is 0 means no restriction */
+-      if (resume_latency && resume_latency < latency_req)
++      if (resume_latency < latency_req &&
++          resume_latency != PM_QOS_RESUME_LATENCY_NO_CONSTRAINT)
+               latency_req = resume_latency;
+       /* Special case when user has set very strict latency requirement */
+--- a/include/linux/pm_qos.h
++++ b/include/linux/pm_qos.h
+@@ -27,16 +27,17 @@ enum pm_qos_flags_status {
+       PM_QOS_FLAGS_ALL,
+ };
+-#define PM_QOS_DEFAULT_VALUE -1
++#define PM_QOS_DEFAULT_VALUE  (-1)
++#define PM_QOS_LATENCY_ANY    S32_MAX
+ #define PM_QOS_CPU_DMA_LAT_DEFAULT_VALUE      (2000 * USEC_PER_SEC)
+ #define PM_QOS_NETWORK_LAT_DEFAULT_VALUE      (2000 * USEC_PER_SEC)
+ #define PM_QOS_NETWORK_THROUGHPUT_DEFAULT_VALUE       0
+ #define PM_QOS_MEMORY_BANDWIDTH_DEFAULT_VALUE 0
+ #define PM_QOS_RESUME_LATENCY_DEFAULT_VALUE   0
++#define PM_QOS_RESUME_LATENCY_NO_CONSTRAINT   PM_QOS_LATENCY_ANY
+ #define PM_QOS_LATENCY_TOLERANCE_DEFAULT_VALUE        0
+ #define PM_QOS_LATENCY_TOLERANCE_NO_CONSTRAINT        (-1)
+-#define PM_QOS_LATENCY_ANY                    ((s32)(~(__u32)0 >> 1))
+ #define PM_QOS_FLAG_NO_POWER_OFF      (1 << 0)
+ #define PM_QOS_FLAG_REMOTE_WAKEUP     (1 << 1)
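Review bot: In dev_update_qos_constraint the `constraint_ns *= NSEC_PER_USEC;` scaling moved out of the `if (constraint_ns < 0)` read branch and now also applies to values taken from `td.effective_constraint_ns`, which default_suspend_ok stores already in nanoseconds (`td->effective_constraint_ns = constraint_ns;` after its own NSEC_PER_USEC scaling), so a cached child constraint is scaled twice; the loop in __default_power_down_ok has the same shape. The same field also receives the microsecond-domain sentinel `PM_QOS_RESUME_LATENCY_NO_CONSTRAINT` (S32_MAX), so both readers compare a nanosecond value against a microsecond marker. Keeping read and scale together, `if (constraint_ns < 0) { constraint_ns = dev_pm_qos_read_value(dev); if (constraint_ns == PM_QOS_RESUME_LATENCY_NO_CONSTRAINT) return 0; constraint_ns *= NSEC_PER_USEC; }`, with the sentinel test repeated for the cached value, restores single scaling; a distinct nanosecond-domain sentinel would remove the unit mixing entirely. dev_update_qos_constraint, default_suspend_ok and __default_power_down_ok all extend beyond their hunks.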
diff --git a/queue-4.13/s390-kvm-fix-detection-of-guest-machine-checks.patch b/queue-4.13/s390-kvm-fix-detection-of-guest-machine-checks.patch
new file mode 100644 (file)
index 0000000..53c18ba
--- /dev/null
@@ -0,0 +1,51 @@
+From 0a5e2ec2647737907d267c09dc9a25fab1468865 Mon Sep 17 00:00:00 2001
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Date: Thu, 5 Oct 2017 08:29:47 +0200
+Subject: s390/kvm: fix detection of guest machine checks
+
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+
+commit 0a5e2ec2647737907d267c09dc9a25fab1468865 upstream.
+
+The new detection code for guest machine checks added a check based
+on %r11 to .Lcleanup_sie to distinguish between normal asynchronous
+interrupts and machine checks. But the funtion is called from the
+program check handler as well with an undefined value in %r11.
+
+The effect is that all program exceptions pointing to the SIE instruction
+will set the CIF_MCCK_GUEST bit. The bit stays set for the CPU until the
+ next machine check comes in which will incorrectly be interpreted as a
+guest machine check.
+
+The simplest fix is to stop using .Lcleanup_sie in the program check
+handler and duplicate a few instructions.
+
+Fixes: c929500d7a5a ("s390/nmi: s390: New low level handling for machine check happening in guest")
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/entry.S |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kernel/entry.S
++++ b/arch/s390/kernel/entry.S
+@@ -521,12 +521,15 @@ ENTRY(pgm_check_handler)
+       tmhh    %r8,0x0001              # test problem state bit
+       jnz     2f                      # -> fault in user space
+ #if IS_ENABLED(CONFIG_KVM)
+-      # cleanup critical section for sie64a
++      # cleanup critical section for program checks in sie64a
+       lgr     %r14,%r9
+       slg     %r14,BASED(.Lsie_critical_start)
+       clg     %r14,BASED(.Lsie_critical_length)
+       jhe     0f
+-      brasl   %r14,.Lcleanup_sie
++      lg      %r14,__SF_EMPTY(%r15)           # get control block pointer
++      ni      __SIE_PROG0C+3(%r14),0xfe       # no longer in SIE
++      lctlg   %c1,%c1,__LC_USER_ASCE          # load primary asce
++      larl    %r9,sie_exit                    # skip forward to sie_exit
+ #endif
+ 0:    tmhh    %r8,0x4000              # PER bit set in old PSW ?
+       jnz     1f                      # -> enabled, can't be a double fault
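Review bot: The four instructions that replace `brasl %r14,.Lcleanup_sie` duplicate part of that routine, and nothing in the new code says which part or why the shared routine must not be used from this path, so the next change to .Lcleanup_sie can silently leave the copy behind. A comment at the copy would carry the reasoning from the commit message: `# open-coded subset of .Lcleanup_sie: %r11 is undefined here, so its machine check test must not run; keep in sync`. pgm_check_handler continues outside the hunk.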
diff --git a/queue-4.13/scsi-aacraid-fix-controller-initialization-failure.patch b/queue-4.13/scsi-aacraid-fix-controller-initialization-failure.patch
new file mode 100644 (file)
index 0000000..f96357a
--- /dev/null
@@ -0,0 +1,67 @@
+From 45348de2c8a7a1e64c5be27b22c9786b4152dd41 Mon Sep 17 00:00:00 2001
+From: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
+Date: Mon, 16 Oct 2017 17:22:31 -0700
+Subject: scsi: aacraid: Fix controller initialization failure
+
+From: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
+
+commit 45348de2c8a7a1e64c5be27b22c9786b4152dd41 upstream.
+
+This is a fix to an issue where the driver sends its periodic WELLNESS
+command to the controller after the driver shut it down.This causes the
+controller to crash. The window where this can happen is small, but it
+can be hit at around 4 hours of constant resets.
+
+Fixes: fbd185986eba (aacraid: Fix AIF triggered IOP_RESET)
+Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
+Reviewed-by: Dave Carroll <david.carroll@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/aacraid/comminit.c |    8 +++++---
+ drivers/scsi/aacraid/linit.c    |    7 ++++++-
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/aacraid/comminit.c
++++ b/drivers/scsi/aacraid/comminit.c
+@@ -302,9 +302,11 @@ int aac_send_shutdown(struct aac_dev * d
+               return -ENOMEM;
+       aac_fib_init(fibctx);
+-      mutex_lock(&dev->ioctl_mutex);
+-      dev->adapter_shutdown = 1;
+-      mutex_unlock(&dev->ioctl_mutex);
++      if (!dev->adapter_shutdown) {
++              mutex_lock(&dev->ioctl_mutex);
++              dev->adapter_shutdown = 1;
++              mutex_unlock(&dev->ioctl_mutex);
++      }
+       cmd = (struct aac_close *) fib_data(fibctx);
+       cmd->command = cpu_to_le32(VM_CloseAll);
+--- a/drivers/scsi/aacraid/linit.c
++++ b/drivers/scsi/aacraid/linit.c
+@@ -1401,8 +1401,9 @@ static void __aac_shutdown(struct aac_de
+ {
+       int i;
++      mutex_lock(&aac->ioctl_mutex);
+       aac->adapter_shutdown = 1;
+-      aac_send_shutdown(aac);
++      mutex_unlock(&aac->ioctl_mutex);
+       if (aac->aif_thread) {
+               int i;
+@@ -1415,7 +1416,11 @@ static void __aac_shutdown(struct aac_de
+               }
+               kthread_stop(aac->thread);
+       }
++
++      aac_send_shutdown(aac);
++
+       aac_adapter_disable_int(aac);
++
+       if (aac_is_src(aac)) {
+               if (aac->max_msix > 1) {
+                       for (i = 0; i < aac->max_msix; i++) {
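Review bot: `dev->adapter_shutdown` is read without `ioctl_mutex` in the added `if (!dev->adapter_shutdown)` test in aac_send_shutdown, while both writers (the block right below it and the new locked store in __aac_shutdown) hold the mutex. The unlocked test is harmless only because the flag moves in one direction and a stale zero merely repeats the locked store, and that reasoning deserves a line: `/* unlocked read is fine: the flag only goes 0 -> 1, a stale 0 just repeats the locked store */`. Both aac_send_shutdown and __aac_shutdown start and end outside their hunks.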
diff --git a/queue-4.13/scsi-qla2xxx-initialize-work-element-before-requesting-irqs.patch b/queue-4.13/scsi-qla2xxx-initialize-work-element-before-requesting-irqs.patch
new file mode 100644 (file)
index 0000000..c4a32af
--- /dev/null
@@ -0,0 +1,47 @@
+From 1010f21ecf8ac43be676d498742de18fa6c20987 Mon Sep 17 00:00:00 2001
+From: Himanshu Madhani <himanshu.madhani@cavium.com>
+Date: Mon, 16 Oct 2017 11:26:05 -0700
+Subject: scsi: qla2xxx: Initialize Work element before requesting IRQs
+
+From: Himanshu Madhani <himanshu.madhani@cavium.com>
+
+commit 1010f21ecf8ac43be676d498742de18fa6c20987 upstream.
+
+commit a9e170e28636 ("scsi: qla2xxx: Fix uninitialized work element")
+moved initializiation of work element earlier in the probe to fix call
+stack. However, it still leaves a window where interrupt can be
+generated before work element is initialized. Fix that window by
+initializing work element before we are requesting IRQs.
+
+[mkp: fixed typos]
+
+Fixes: a9e170e28636 ("scsi: qla2xxx: Fix uninitialized work element")
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -3051,6 +3051,8 @@ qla2x00_probe_one(struct pci_dev *pdev,
+           host->max_cmd_len, host->max_channel, host->max_lun,
+           host->transportt, sht->vendor_id);
++      INIT_WORK(&base_vha->iocb_work, qla2x00_iocb_work_fn);
++
+       /* Set up the irqs */
+       ret = qla2x00_request_irqs(ha, rsp);
+       if (ret)
+@@ -3165,8 +3167,6 @@ qla2x00_probe_one(struct pci_dev *pdev,
+           host->can_queue, base_vha->req,
+           base_vha->mgmt_svr_loop_id, host->sg_tablesize);
+-      INIT_WORK(&base_vha->iocb_work, qla2x00_iocb_work_fn);
+-
+       if (ha->mqenable) {
+               bool mq = false;
+               bool startit = false;
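Review bot: With `INIT_WORK(&base_vha->iocb_work, ...)` now placed before `qla2x00_request_irqs`, an interrupt may queue iocb_work as soon as the IRQ is live, before the rest of qla2x00_probe_one has finished setting up base_vha; whether qla2x00_iocb_work_fn tolerates that partially initialised state cannot be judged from the hunk. The ordering constraint should be recorded where the call now sits: `/* must precede qla2x00_request_irqs(): the ISR may queue iocb_work once IRQs are live */`. qla2x00_probe_one starts and ends outside both hunks.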
diff --git a/queue-4.13/scsi-sg-re-fix-off-by-one-in-sg_fill_request_table.patch b/queue-4.13/scsi-sg-re-fix-off-by-one-in-sg_fill_request_table.patch
new file mode 100644 (file)
index 0000000..baa4871
--- /dev/null
@@ -0,0 +1,38 @@
+From 587c3c9f286cee5c9cac38d28c8ae1875f4ec85b Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Sun, 15 Oct 2017 18:16:33 +0100
+Subject: scsi: sg: Re-fix off by one in sg_fill_request_table()
+
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+
+commit 587c3c9f286cee5c9cac38d28c8ae1875f4ec85b upstream.
+
+Commit 109bade9c625 ("scsi: sg: use standard lists for sg_requests")
+introduced an off-by-one error in sg_ioctl(), which was fixed by commit
+bd46fc406b30 ("scsi: sg: off by one in sg_ioctl()").
+
+Unfortunately commit 4759df905a47 ("scsi: sg: factor out
+sg_fill_request_table()") moved that code, and reintroduced the
+bug (perhaps due to a botched rebase).  Fix it again.
+
+Fixes: 4759df905a47 ("scsi: sg: factor out sg_fill_request_table()")
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Acked-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sg.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -837,7 +837,7 @@ sg_fill_request_table(Sg_fd *sfp, sg_req
+       val = 0;
+       list_for_each_entry(srp, &sfp->rq_list, entry) {
+-              if (val > SG_MAX_QUEUE)
++              if (val >= SG_MAX_QUEUE)
+                       break;
+               rinfo[val].req_state = srp->done + 1;
+               rinfo[val].problem =
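Review bot: `if (val >= SG_MAX_QUEUE)` is the bound that keeps the `rinfo[val]` writes below it inside the table, and the commit message records that this exact comparison has already regressed once during a refactor, yet the relationship is not stated anywhere near the loop. A comment on the check, `/* rinfo has SG_MAX_QUEUE entries: val == SG_MAX_QUEUE is already out of bounds */`, makes the next rebase less likely to drop it again. sg_fill_request_table starts and ends outside the hunk, so the declared size of the rinfo parameter cannot be confirmed here.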
diff --git a/queue-4.13/scsi-zfcp-fix-erp_action-use-before-initialize-in-rec-action-trace.patch b/queue-4.13/scsi-zfcp-fix-erp_action-use-before-initialize-in-rec-action-trace.patch
new file mode 100644 (file)
index 0000000..947e6a5
--- /dev/null
@@ -0,0 +1,170 @@
+From ab31fd0ce65ec93828b617123792c1bb7c6dcc42 Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.vnet.ibm.com>
+Date: Fri, 13 Oct 2017 15:40:07 +0200
+Subject: scsi: zfcp: fix erp_action use-before-initialize in REC action trace
+
+From: Steffen Maier <maier@linux.vnet.ibm.com>
+
+commit ab31fd0ce65ec93828b617123792c1bb7c6dcc42 upstream.
+
+v4.10 commit 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN
+recovery") extended accessing parent pointer fields of struct
+zfcp_erp_action for tracing.  If an erp_action has never been enqueued
+before, these parent pointer fields are uninitialized and NULL. Examples
+are zfcp objects freshly added to the parent object's children list,
+before enqueueing their first recovery subsequently. In
+zfcp_erp_try_rport_unblock(), we iterate such list. Accessing erp_action
+fields can cause a NULL pointer dereference.  Since the kernel can read
+from lowcore on s390, it does not immediately cause a kernel page
+fault. Instead it can cause hangs on trying to acquire the wrong
+erp_action->adapter->dbf->rec_lock in zfcp_dbf_rec_action_lvl()
+                      ^bogus^
+while holding already other locks with IRQs disabled.
+
+Real life example from attaching lots of LUNs in parallel on many CPUs:
+
+crash> bt 17723
+PID: 17723  TASK: ...               CPU: 25  COMMAND: "zfcperp0.0.1800"
+ LOWCORE INFO:
+  -psw      : 0x0404300180000000 0x000000000038e424
+  -function : _raw_spin_lock_wait_flags at 38e424
+...
+ #0 [fdde8fc90] zfcp_dbf_rec_action_lvl at 3e0004e9862 [zfcp]
+ #1 [fdde8fce8] zfcp_erp_try_rport_unblock at 3e0004dfddc [zfcp]
+ #2 [fdde8fd38] zfcp_erp_strategy at 3e0004e0234 [zfcp]
+ #3 [fdde8fda8] zfcp_erp_thread at 3e0004e0a12 [zfcp]
+ #4 [fdde8fe60] kthread at 173550
+ #5 [fdde8feb8] kernel_thread_starter at 10add2
+
+zfcp_adapter
+ zfcp_port
+  zfcp_unit <address>, 0x404040d600000000
+  scsi_device NULL, returning early!
+zfcp_scsi_dev.status = 0x40000000
+0x40000000 ZFCP_STATUS_COMMON_RUNNING
+
+crash> zfcp_unit <address>
+struct zfcp_unit {
+  erp_action = {
+    adapter = 0x0,
+    port = 0x0,
+    unit = 0x0,
+  },
+}
+
+zfcp_erp_action is always fully embedded into its container object. Such
+container object is never moved in its object tree (only add or delete).
+Hence, erp_action parent pointers can never change.
+
+To fix the issue, initialize the erp_action parent pointers before
+adding the erp_action container to any list and thus before it becomes
+accessible from outside of its initializing function.
+
+In order to also close the time window between zfcp_erp_setup_act()
+memsetting the entire erp_action to zero and setting the parent pointers
+again, drop the memset and instead explicitly initialize individually
+all erp_action fields except for parent pointers. To be extra careful
+not to introduce any other unintended side effect, even keep zeroing the
+erp_action fields for list and timer. Also double-check with
+WARN_ON_ONCE that erp_action parent pointers never change, so we get to
+know when we would deviate from previous behavior.
+
+Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
+Fixes: 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN recovery")
+Reviewed-by: Benjamin Block <bblock@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/scsi/zfcp_aux.c  |    5 +++++
+ drivers/s390/scsi/zfcp_erp.c  |   18 +++++++++++-------
+ drivers/s390/scsi/zfcp_scsi.c |    5 +++++
+ 3 files changed, 21 insertions(+), 7 deletions(-)
+
+--- a/drivers/s390/scsi/zfcp_aux.c
++++ b/drivers/s390/scsi/zfcp_aux.c
+@@ -358,6 +358,8 @@ struct zfcp_adapter *zfcp_adapter_enqueu
+       adapter->next_port_scan = jiffies;
++      adapter->erp_action.adapter = adapter;
++
+       if (zfcp_qdio_setup(adapter))
+               goto failed;
+@@ -514,6 +516,9 @@ struct zfcp_port *zfcp_port_enqueue(stru
+       port->dev.groups = zfcp_port_attr_groups;
+       port->dev.release = zfcp_port_release;
++      port->erp_action.adapter = adapter;
++      port->erp_action.port = port;
++
+       if (dev_set_name(&port->dev, "0x%016llx", (unsigned long long)wwpn)) {
+               kfree(port);
+               goto err_out;
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -193,9 +193,8 @@ static struct zfcp_erp_action *zfcp_erp_
+               atomic_or(ZFCP_STATUS_COMMON_ERP_INUSE,
+                               &zfcp_sdev->status);
+               erp_action = &zfcp_sdev->erp_action;
+-              memset(erp_action, 0, sizeof(struct zfcp_erp_action));
+-              erp_action->port = port;
+-              erp_action->sdev = sdev;
++              WARN_ON_ONCE(erp_action->port != port);
++              WARN_ON_ONCE(erp_action->sdev != sdev);
+               if (!(atomic_read(&zfcp_sdev->status) &
+                     ZFCP_STATUS_COMMON_RUNNING))
+                       act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY;
+@@ -208,8 +207,8 @@ static struct zfcp_erp_action *zfcp_erp_
+               zfcp_erp_action_dismiss_port(port);
+               atomic_or(ZFCP_STATUS_COMMON_ERP_INUSE, &port->status);
+               erp_action = &port->erp_action;
+-              memset(erp_action, 0, sizeof(struct zfcp_erp_action));
+-              erp_action->port = port;
++              WARN_ON_ONCE(erp_action->port != port);
++              WARN_ON_ONCE(erp_action->sdev != NULL);
+               if (!(atomic_read(&port->status) & ZFCP_STATUS_COMMON_RUNNING))
+                       act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY;
+               break;
+@@ -219,7 +218,8 @@ static struct zfcp_erp_action *zfcp_erp_
+               zfcp_erp_action_dismiss_adapter(adapter);
+               atomic_or(ZFCP_STATUS_COMMON_ERP_INUSE, &adapter->status);
+               erp_action = &adapter->erp_action;
+-              memset(erp_action, 0, sizeof(struct zfcp_erp_action));
++              WARN_ON_ONCE(erp_action->port != NULL);
++              WARN_ON_ONCE(erp_action->sdev != NULL);
+               if (!(atomic_read(&adapter->status) &
+                     ZFCP_STATUS_COMMON_RUNNING))
+                       act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY;
+@@ -229,7 +229,11 @@ static struct zfcp_erp_action *zfcp_erp_
+               return NULL;
+       }
+-      erp_action->adapter = adapter;
++      WARN_ON_ONCE(erp_action->adapter != adapter);
++      memset(&erp_action->list, 0, sizeof(erp_action->list));
++      memset(&erp_action->timer, 0, sizeof(erp_action->timer));
++      erp_action->step = ZFCP_ERP_STEP_UNINITIALIZED;
++      erp_action->fsf_req_id = 0;
+       erp_action->action = need;
+       erp_action->status = act_status;
+--- a/drivers/s390/scsi/zfcp_scsi.c
++++ b/drivers/s390/scsi/zfcp_scsi.c
+@@ -115,10 +115,15 @@ static int zfcp_scsi_slave_alloc(struct
+       struct zfcp_unit *unit;
+       int npiv = adapter->connection_features & FSF_FEATURE_NPIV_MODE;
++      zfcp_sdev->erp_action.adapter = adapter;
++      zfcp_sdev->erp_action.sdev = sdev;
++
+       port = zfcp_get_port_by_wwpn(adapter, rport->port_name);
+       if (!port)
+               return -ENXIO;
++      zfcp_sdev->erp_action.port = port;
++
+       unit = zfcp_unit_find(port, zfcp_scsi_dev_lun(sdev));
+       if (unit)
+               put_device(&unit->dev);
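Review bot: The `WARN_ON_ONCE(erp_action->port != port)` family of checks in zfcp_erp_setup_act is diagnostic only: when a parent pointer does differ, the action proceeds with the stored value rather than the one the caller passed, which reverses the previous unconditional assignment. That is what the commit message intends, but a comment above the first check would stop a future reader from turning the warnings back into assignments: `/* parent pointers are set once at enqueue/slave_alloc and must never change; warn, do not re-assign */`. In zfcp_scsi_slave_alloc the `.port` pointer is filled only after zfcp_get_port_by_wwpn succeeds, so between the two new blocks the erp_action briefly carries a NULL port, which is fine only while the zfcp_sdev is not yet reachable from any list, and the hunk does not show that. All three functions extend beyond their hunks.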
index 7b212523f993e3762a7278fa411885f9d77a2caa..ee887918ea2dcd7aecba58ade3e8b2d374b44b25 100644 (file)
@@ -4,3 +4,38 @@ alsa-hda-realtek-add-support-for-alc236-alc3204.patch
 alsa-hda-fix-headset-mic-problem-for-dell-machines-with-alc236.patch
 ceph-unlock-dangling-spinlock-in-try_flush_caps.patch
 fix-tracing-sample-code-warning.patch
+kvm-ppc-fix-oops-when-checking-kvm_cap_ppc_htm.patch
+kvm-ppc-book3s-hv-power9-more-doorbell-fixes.patch
+kvm-ppc-book3s-protect-kvmppc_gpa_to_ua-with-srcu.patch
+s390-kvm-fix-detection-of-guest-machine-checks.patch
+nbd-handle-interrupted-sendmsg-with-a-sndtimeo-set.patch
+spi-uapi-spidev-add-missing-ioctl-header.patch
+spi-a3700-return-correct-value-on-timeout-detection.patch
+spi-bcm-qspi-fix-use-after-free-in-bcm_qspi_probe-in-error-path.patch
+spi-armada-3700-fix-failing-commands-with-quad-spi.patch
+ovl-add-null-check-in-ovl_alloc_inode.patch
+ovl-fix-eio-from-lookup-of-non-indexed-upper.patch
+ovl-handle-enoent-on-index-lookup.patch
+ovl-do-not-cleanup-unsupported-index-entries.patch
+fuse-fix-readdirplus-skipping-an-entry.patch
+xen-gntdev-avoid-out-of-bounds-access-in-case-of-partial-gntdev_mmap.patch
+xen-fix-booting-ballooned-down-hvm-guest.patch
+cifs-select-all-required-crypto-modules.patch
+cifs-fix-null-pointer-deref-on-smb2_tcon-failure.patch
+input-elan_i2c-add-elan0611-to-the-acpi-table.patch
+input-gtco-fix-potential-out-of-bound-access.patch
+fix-encryption-labels-and-lengths-for-smb3.1.1.patch
+smb3-validate-negotiate-request-must-always-be-signed.patch
+assoc_array-fix-a-buggy-node-splitting-case.patch
+scsi-zfcp-fix-erp_action-use-before-initialize-in-rec-action-trace.patch
+scsi-aacraid-fix-controller-initialization-failure.patch
+scsi-qla2xxx-initialize-work-element-before-requesting-irqs.patch
+scsi-sg-re-fix-off-by-one-in-sg_fill_request_table.patch
+x86-cpu-amd-apply-the-erratum-688-fix-when-the-bios-doesn-t.patch
+drm-amd-powerplay-fix-uninitialized-variable.patch
+pm-qos-fix-device-resume-latency-pm-qos.patch
+drm-i915-perf-fix-perf-enable-disable-ioctls-with-32bits-userspace.patch
+can-sun4i-fix-loopback-mode.patch
+can-kvaser_usb-correct-return-value-in-printout.patch
+can-kvaser_usb-ignore-cmd_flush_queue_reply-messages.patch
+cfg80211-fix-connect-disconnect-edge-cases.patch
diff --git a/queue-4.13/smb3-validate-negotiate-request-must-always-be-signed.patch b/queue-4.13/smb3-validate-negotiate-request-must-always-be-signed.patch
new file mode 100644 (file)
index 0000000..debba69
--- /dev/null
@@ -0,0 +1,34 @@
+From 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Wed, 25 Oct 2017 15:58:31 -0500
+Subject: SMB3: Validate negotiate request must always be signed
+
+From: Steve French <smfrench@gmail.com>
+
+commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream.
+
+According to MS-SMB2 3.2.55 validate_negotiate request must
+always be signed. Some Windows can fail the request if you send it unsigned
+
+See kernel bugzilla bug 197311
+
+Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1963,6 +1963,9 @@ SMB2_ioctl(const unsigned int xid, struc
+       } else
+               iov[0].iov_len = get_rfc1002_length(req) + 4;
++      /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */
++      if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO)
++              req->hdr.sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
+       rc = SendReceive2(xid, ses, iov, n_iov, &resp_buftype, flags, &rsp_iov);
+       cifs_small_buf_release(req);
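Review bot: Setting `SMB2_FLAGS_SIGNED` in the header only has the intended effect if the send path computes a signature whenever that flag is present, and SendReceive2 and the signing code are outside the hunk; presumably the signing routine keys off this flag, but that is the assumption the three new lines rest on and it should be stated. For a session that never established signing keys (signing not negotiated, or a guest/anonymous session) forcing the flag may yield a request the server rejects, which cannot be checked from here either. Expanding the comment to `/* MS-SMB2 3.2.5.5: validate negotiate must always be signed; the flag makes the send path sign this request even when session signing is off */` captures both points. SMB2_ioctl starts and ends outside the hunk.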
diff --git a/queue-4.13/spi-a3700-return-correct-value-on-timeout-detection.patch b/queue-4.13/spi-a3700-return-correct-value-on-timeout-detection.patch
new file mode 100644 (file)
index 0000000..3495f5e
--- /dev/null
@@ -0,0 +1,37 @@
+From 5a866ec0014b2baa4ecbb1eaa19c835482829d08 Mon Sep 17 00:00:00 2001
+From: Maxime Chevallier <maxime.chevallier@smile.fr>
+Date: Tue, 10 Oct 2017 10:43:17 +0200
+Subject: spi: a3700: Return correct value on timeout detection
+
+From: Maxime Chevallier <maxime.chevallier@smile.fr>
+
+commit 5a866ec0014b2baa4ecbb1eaa19c835482829d08 upstream.
+
+When waiting for transfer completion, a3700_spi_wait_completion
+returns a boolean indicating if a timeout occurred.
+
+The function was returning 'true' everytime, failing to detect any
+timeout.
+
+This patch makes it return 'false' when a timeout is reached.
+
+Signed-off-by: Maxime Chevallier <maxime.chevallier@smile.fr>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-armada-3700.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-armada-3700.c
++++ b/drivers/spi/spi-armada-3700.c
+@@ -392,7 +392,8 @@ static bool a3700_spi_wait_completion(st
+       spireg_write(a3700_spi, A3700_SPI_INT_MASK_REG, 0);
+-      return true;
++      /* Timeout was reached */
++      return false;
+ }
+ static bool a3700_spi_transfer_wait(struct spi_device *spi,
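Review bot: The `/* Timeout was reached */` comment added at L2163 documents only the return it sits on, while the contract that was misread — a3700_spi_wait_completion returns true when the transfer completed and false when the timeout expired — belongs on the function itself, whose signature and body start outside this hunk. A kernel-doc line such as `Return: true if the transfer completed, false if the timeout expired` above the function would make the boolean meaning explicit where callers read it, and would make a regression like the one fixed here obvious in review.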
diff --git a/queue-4.13/spi-armada-3700-fix-failing-commands-with-quad-spi.patch b/queue-4.13/spi-armada-3700-fix-failing-commands-with-quad-spi.patch
new file mode 100644 (file)
index 0000000..510460b
--- /dev/null
@@ -0,0 +1,62 @@
+From 747e1f60470b975363cbbfcde0c41a3166391be5 Mon Sep 17 00:00:00 2001
+From: Miquel Raynal <miquel.raynal@free-electrons.com>
+Date: Wed, 13 Sep 2017 18:21:38 +0200
+Subject: spi: armada-3700: Fix failing commands with quad-SPI
+
+From: Miquel Raynal <miquel.raynal@free-electrons.com>
+
+commit 747e1f60470b975363cbbfcde0c41a3166391be5 upstream.
+
+A3700 SPI controller datasheet states that only the first line (IO0) is
+used to receive and send instructions, addresses and dummy bytes,
+unless for addresses during an RX operation in a quad SPI configuration
+(see p.821 of the Armada-3720-DB datasheet). Otherwise, some commands
+such as SPI NOR commands like READ_FROM_CACHE_DUAL_IO(0xeb) and
+READ_FROM_CACHE_DUAL_IO(0xbb) will fail because these commands must send
+address bytes through the four pins. Data transfer always use the four
+bytes with this setup.
+
+Thus, in quad SPI configuration, the A3700_SPI_ADDR_PIN bit must be set
+only in this case to inform the controller that it must use the number
+of pins indicated in the {A3700_SPI_DATA_PIN1,A3700_SPI_DATA_PIN0} field
+during the address cycles of an RX operation.
+
+Suggested-by: Ken Ma <make@marvell.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@free-electrons.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-armada-3700.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-armada-3700.c
++++ b/drivers/spi/spi-armada-3700.c
+@@ -161,7 +161,7 @@ static void a3700_spi_deactivate_cs(stru
+ }
+ static int a3700_spi_pin_mode_set(struct a3700_spi *a3700_spi,
+-                                unsigned int pin_mode)
++                                unsigned int pin_mode, bool receiving)
+ {
+       u32 val;
+@@ -177,6 +177,9 @@ static int a3700_spi_pin_mode_set(struct
+               break;
+       case SPI_NBITS_QUAD:
+               val |= A3700_SPI_DATA_PIN1;
++              /* RX during address reception uses 4-pin */
++              if (receiving)
++                      val |= A3700_SPI_ADDR_PIN;
+               break;
+       default:
+               dev_err(&a3700_spi->master->dev, "wrong pin mode %u", pin_mode);
+@@ -654,7 +657,7 @@ static int a3700_spi_transfer_one(struct
+       else if (xfer->rx_buf)
+               nbits = xfer->rx_nbits;
+-      a3700_spi_pin_mode_set(a3700_spi, nbits);
++      a3700_spi_pin_mode_set(a3700_spi, nbits, xfer->rx_buf ? true : false);
+       if (xfer->rx_buf) {
+               /* Set read data length */
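Review bot: The rewritten call at L2227 still discards the int returned by a3700_spi_pin_mode_set, whose default case at L2221–L2222 reports a wrong pin mode (what it returns after dev_err is outside the hunk); an invalid nbits is logged and the transfer then proceeds anyway, so the result should be checked, e.g. `ret = a3700_spi_pin_mode_set(a3700_spi, nbits, xfer->rx_buf != NULL); if (ret) return ret;` (whether a `ret` local exists in a3700_spi_transfer_one is not visible here). On the same line, `xfer->rx_buf ? true : false` is just `xfer->rx_buf != NULL`. Whether the earlier lines of a3700_spi_pin_mode_set clear A3700_SPI_ADDR_PIN in `val` before the switch is not visible either; if they do not, the bit set at L2219 for an RX transfer would persist into a following TX transfer.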
diff --git a/queue-4.13/spi-bcm-qspi-fix-use-after-free-in-bcm_qspi_probe-in-error-path.patch b/queue-4.13/spi-bcm-qspi-fix-use-after-free-in-bcm_qspi_probe-in-error-path.patch
new file mode 100644 (file)
index 0000000..340e126
--- /dev/null
@@ -0,0 +1,64 @@
+From c0368e4db4a3e8a3dce40f3f621c06e14c560d79 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Wed, 11 Oct 2017 14:59:22 -0700
+Subject: spi: bcm-qspi: Fix use after free in bcm_qspi_probe() in error path
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+commit c0368e4db4a3e8a3dce40f3f621c06e14c560d79 upstream.
+
+There was an inversion in how the error path in bcm_qspi_probe() is done
+which would make us trip over a KASAN use-after-free report. Turns out
+that qspi->dev_ids does not get allocated until later in the probe
+process. Fix this by introducing a new lable: qspi_resource_err which
+takes care of cleaning up the SPI master instance.
+
+Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-bcm-qspi.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/spi/spi-bcm-qspi.c
++++ b/drivers/spi/spi-bcm-qspi.c
+@@ -1278,7 +1278,7 @@ int bcm_qspi_probe(struct platform_devic
+                       goto qspi_probe_err;
+               }
+       } else {
+-              goto qspi_probe_err;
++              goto qspi_resource_err;
+       }
+       res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "bspi");
+@@ -1300,7 +1300,7 @@ int bcm_qspi_probe(struct platform_devic
+               qspi->base[CHIP_SELECT]  = devm_ioremap_resource(dev, res);
+               if (IS_ERR(qspi->base[CHIP_SELECT])) {
+                       ret = PTR_ERR(qspi->base[CHIP_SELECT]);
+-                      goto qspi_probe_err;
++                      goto qspi_resource_err;
+               }
+       }
+@@ -1308,7 +1308,7 @@ int bcm_qspi_probe(struct platform_devic
+                               GFP_KERNEL);
+       if (!qspi->dev_ids) {
+               ret = -ENOMEM;
+-              goto qspi_probe_err;
++              goto qspi_resource_err;
+       }
+       for (val = 0; val < num_irqs; val++) {
+@@ -1397,8 +1397,9 @@ qspi_reg_err:
+       bcm_qspi_hw_uninit(qspi);
+       clk_disable_unprepare(qspi->clk);
+ qspi_probe_err:
+-      spi_master_put(master);
+       kfree(qspi->dev_ids);
++qspi_resource_err:
++      spi_master_put(master);
+       return ret;
+ }
+ /* probe function to be called by SoC specific platform driver probe */
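Review bot: The `goto qspi_probe_err;` that survives as context at L2262 sits in the same resource-setup branch as the three jumps retargeted in this patch, so it still runs `kfree(qspi->dev_ids)` before reaching the new `qspi_resource_err` label; that is harmless only if dev_ids is NULL at that point (qspi presumably comes from zeroed master devdata, but its allocation is outside the hunk), and for consistency it should probably be `goto qspi_resource_err;` as well. Note that the actual use-after-free fix is the reordering at L2289–L2292, which makes `kfree(qspi->dev_ids)` run before `spi_master_put(master)` releases the memory qspi appears to live in; the commit message describes the allocation timing rather than that ordering, so a one-line comment above `qspi_probe_err:` saying that the kfree must precede the put would preserve the reason.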
diff --git a/queue-4.13/spi-uapi-spidev-add-missing-ioctl-header.patch b/queue-4.13/spi-uapi-spidev-add-missing-ioctl-header.patch
new file mode 100644 (file)
index 0000000..e5140d4
--- /dev/null
@@ -0,0 +1,38 @@
+From a2b4a79b88b24c49d98d45a06a014ffd22ada1a4 Mon Sep 17 00:00:00 2001
+From: Baruch Siach <baruch@tkos.co.il>
+Date: Sun, 10 Sep 2017 20:29:45 +0300
+Subject: spi: uapi: spidev: add missing ioctl header
+
+From: Baruch Siach <baruch@tkos.co.il>
+
+commit a2b4a79b88b24c49d98d45a06a014ffd22ada1a4 upstream.
+
+The SPI_IOC_MESSAGE() macro references _IOC_SIZEBITS. Add linux/ioctl.h
+to make sure this macro is defined. This fixes the following build
+failure of lcdproc with the musl libc:
+
+In file included from .../sysroot/usr/include/sys/ioctl.h:7:0,
+                 from hd44780-spi.c:31:
+hd44780-spi.c: In function 'spi_transfer':
+hd44780-spi.c:89:24: error: '_IOC_SIZEBITS' undeclared (first use in this function)
+  status = ioctl(p->fd, SPI_IOC_MESSAGE(1), &xfer);
+                        ^
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/uapi/linux/spi/spidev.h |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/uapi/linux/spi/spidev.h
++++ b/include/uapi/linux/spi/spidev.h
+@@ -23,6 +23,7 @@
+ #define SPIDEV_H
+ #include <linux/types.h>
++#include <linux/ioctl.h>
+ /* User space versions of kernel symbols for SPI clocking modes,
+  * matching <linux/spi/spi.h>
diff --git a/queue-4.13/x86-cpu-amd-apply-the-erratum-688-fix-when-the-bios-doesn-t.patch b/queue-4.13/x86-cpu-amd-apply-the-erratum-688-fix-when-the-bios-doesn-t.patch
new file mode 100644 (file)
index 0000000..7789075
--- /dev/null
@@ -0,0 +1,109 @@
+From bfc1168de949cd3e9ca18c3480b5085deff1ea7c Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Sun, 22 Oct 2017 12:47:31 +0200
+Subject: x86/cpu/AMD: Apply the Erratum 688 fix when the BIOS doesn't
+
+From: Borislav Petkov <bp@suse.de>
+
+commit bfc1168de949cd3e9ca18c3480b5085deff1ea7c upstream.
+
+Some F14h machines have an erratum which, "under a highly specific
+and detailed set of internal timing conditions" can lead to skipping
+instructions and RIP corruption.
+
+Add the fix for those machines when their BIOS doesn't apply it or
+there simply isn't BIOS update for them.
+
+Tested-by: <mirh@protonmail.ch>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sherry Hurwitz <sherry.hurwitz@amd.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Yazen Ghannam <Yazen.Ghannam@amd.com>
+Link: http://lkml.kernel.org/r/20171022104731.28249-1-bp@alien8.de
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=197285
+[ Added pr_info() that we activated the workaround. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/amd_nb.c |   41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+--- a/arch/x86/kernel/amd_nb.c
++++ b/arch/x86/kernel/amd_nb.c
+@@ -27,6 +27,8 @@ static const struct pci_device_id amd_ro
+       {}
+ };
++#define PCI_DEVICE_ID_AMD_CNB17H_F4     0x1704
++
+ const struct pci_device_id amd_nb_misc_ids[] = {
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_10H_NB_MISC) },
+@@ -37,6 +39,7 @@ const struct pci_device_id amd_nb_misc_i
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_NB_F3) },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_M30H_NB_F3) },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_DF_F3) },
++      { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_CNB17H_F3) },
+       {}
+ };
+ EXPORT_SYMBOL_GPL(amd_nb_misc_ids);
+@@ -48,6 +51,7 @@ static const struct pci_device_id amd_nb
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_NB_F4) },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_M30H_NB_F4) },
+       { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_DF_F4) },
++      { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_CNB17H_F4) },
+       {}
+ };
+@@ -402,11 +406,48 @@ void amd_flush_garts(void)
+ }
+ EXPORT_SYMBOL_GPL(amd_flush_garts);
++static void __fix_erratum_688(void *info)
++{
++#define MSR_AMD64_IC_CFG 0xC0011021
++
++      msr_set_bit(MSR_AMD64_IC_CFG, 3);
++      msr_set_bit(MSR_AMD64_IC_CFG, 14);
++}
++
++/* Apply erratum 688 fix so machines without a BIOS fix work. */
++static __init void fix_erratum_688(void)
++{
++      struct pci_dev *F4;
++      u32 val;
++
++      if (boot_cpu_data.x86 != 0x14)
++              return;
++
++      if (!amd_northbridges.num)
++              return;
++
++      F4 = node_to_amd_nb(0)->link;
++      if (!F4)
++              return;
++
++      if (pci_read_config_dword(F4, 0x164, &val))
++              return;
++
++      if (val & BIT(2))
++              return;
++
++      on_each_cpu(__fix_erratum_688, NULL, 0);
++
++      pr_info("x86/cpu/AMD: CPU erratum 688 worked around\n");
++}
++
+ static __init int init_amd_nbs(void)
+ {
+       amd_cache_northbridges();
+       amd_cache_gart();
++      fix_erratum_688();
++
+       return 0;
+ }
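Review bot: The new code at L2405 and L2427–L2430 relies on bare magic numbers: `MSR_AMD64_IC_CFG` is defined inside a function body rather than alongside the other MSR indices, and the `0x164` config-space offset and `BIT(2)` test carry no comment saying which F4 register and bit they check. A comment such as `/* F4x164[2]: presumably set by the BIOS once it has applied the erratum 688 fix — confirm against the AMD erratum sheet */` plus a file-scope define for the MSR would make the gating condition reviewable. The workaround is applied once from fix_erratum_688 via `on_each_cpu(__fix_erratum_688, NULL, 0)` at L2433, and the `pr_info` at L2435 fires immediately afterwards; if the trailing 0 is the wait argument, the message can print before every CPU has written the MSR, and whether CPUs onlined later receive the bits is not visible here.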
diff --git a/queue-4.13/xen-fix-booting-ballooned-down-hvm-guest.patch b/queue-4.13/xen-fix-booting-ballooned-down-hvm-guest.patch
new file mode 100644 (file)
index 0000000..2918040
--- /dev/null
@@ -0,0 +1,69 @@
+From 5266b8e4445cc836c46689d80a9ff539fa3bfbda Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Thu, 26 Oct 2017 11:50:56 +0200
+Subject: xen: fix booting ballooned down hvm guest
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 5266b8e4445cc836c46689d80a9ff539fa3bfbda upstream.
+
+Commit 96edd61dcf44362d3ef0bed1a5361e0ac7886a63 ("xen/balloon: don't
+online new memory initially") introduced a regression when booting a
+HVM domain with memory less than mem-max: instead of ballooning down
+immediately the system would try to use the memory up to mem-max
+resulting in Xen crashing the domain.
+
+For HVM domains the current size will be reflected in Xenstore node
+memory/static-max instead of memory/target.
+
+Additionally we have to trigger the ballooning process at once.
+
+Fixes: 96edd61dcf44362d3ef0bed1a5361e0ac7886a63 ("xen/balloon: don't online new memory initially")
+Reported-by: Simon Gaiser <hw42@ipsumj.de>
+Suggested-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xen-balloon.c |   19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/drivers/xen/xen-balloon.c
++++ b/drivers/xen/xen-balloon.c
+@@ -57,7 +57,7 @@ static int register_balloon(struct devic
+ static void watch_target(struct xenbus_watch *watch,
+                        const char *path, const char *token)
+ {
+-      unsigned long long new_target;
++      unsigned long long new_target, static_max;
+       int err;
+       static bool watch_fired;
+       static long target_diff;
+@@ -72,13 +72,20 @@ static void watch_target(struct xenbus_w
+        * pages. PAGE_SHIFT converts bytes to pages, hence PAGE_SHIFT - 10.
+        */
+       new_target >>= PAGE_SHIFT - 10;
+-      if (watch_fired) {
+-              balloon_set_new_target(new_target - target_diff);
+-              return;
++
++      if (!watch_fired) {
++              watch_fired = true;
++              err = xenbus_scanf(XBT_NIL, "memory", "static-max", "%llu",
++                                 &static_max);
++              if (err != 1)
++                      static_max = new_target;
++              else
++                      static_max >>= PAGE_SHIFT - 10;
++              target_diff = xen_pv_domain() ? 0
++                              : static_max - balloon_stats.target_pages;
+       }
+-      watch_fired = true;
+-      target_diff = new_target - balloon_stats.target_pages;
++      balloon_set_new_target(new_target - target_diff);
+ }
+ static struct xenbus_watch target_watch = {
+       .node = "memory/target",
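Review bot: `target_diff` is declared `static long` at L2493 but L2510–L2511 assign it `static_max - balloon_stats.target_pages`, evaluated in unsigned arithmetic because `static_max` is `unsigned long long` (L2490); when static-max is below the current target the subtraction wraps and the wrapped value is then truncated into the signed variable and fed back through `new_target - target_diff` at L2515. That comes out right on two's-complement targets but goes through implementation-defined conversion; doing the difference in signed arithmetic, `target_diff = xen_pv_domain() ? 0 : (long)static_max - (long)balloon_stats.target_pages;`, states the intent (the type of balloon_stats.target_pages is not visible here). The `err != 1` fallback at L2506–L2507 silently substitutes the target for static-max; a one-line comment saying why that degradation is acceptable would help the next reader.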
diff --git a/queue-4.13/xen-gntdev-avoid-out-of-bounds-access-in-case-of-partial-gntdev_mmap.patch b/queue-4.13/xen-gntdev-avoid-out-of-bounds-access-in-case-of-partial-gntdev_mmap.patch
new file mode 100644 (file)
index 0000000..3d9696f
--- /dev/null
@@ -0,0 +1,45 @@
+From 298d275d4d9bea3524ff4bc76678c140611d8a8d Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Wed, 25 Oct 2017 17:08:07 +0200
+Subject: xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap()
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 298d275d4d9bea3524ff4bc76678c140611d8a8d upstream.
+
+In case gntdev_mmap() succeeds only partially in mapping grant pages
+it will leave some vital information uninitialized needed later for
+cleanup. This will lead to an out of bounds array access when unmapping
+the already mapped pages.
+
+So just initialize the data needed for unmapping the pages a little bit
+earlier.
+
+Reported-by: Arthur Borsboom <arthurborsboom@gmail.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/gntdev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/xen/gntdev.c
++++ b/drivers/xen/gntdev.c
+@@ -1024,6 +1024,7 @@ static int gntdev_mmap(struct file *flip
+       mutex_unlock(&priv->lock);
+       if (use_ptemod) {
++              map->pages_vm_start = vma->vm_start;
+               err = apply_to_page_range(vma->vm_mm, vma->vm_start,
+                                         vma->vm_end - vma->vm_start,
+                                         find_grant_ptes, map);
+@@ -1061,7 +1062,6 @@ static int gntdev_mmap(struct file *flip
+                                           set_grant_ptes_as_special, NULL);
+               }
+ #endif
+-              map->pages_vm_start = vma->vm_start;
+       }
+       return 0;
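Review bot: The assignment moved to L2556 now precedes apply_to_page_range, which is the whole point of the fix, but nothing at the new location says so, and a later reshuffle could move it back below the mapping calls with no hint that cleanup depends on it. A comment above it, `/* Set before mapping: the unmap path needs pages_vm_start to undo a partially mapped range. */`, would capture the reason given in the commit message. gntdev_mmap continues beyond both hunks.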