--- /dev/null
+From 30da870ce4a4e007c901858a96e9e394a1daa74a Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 6 May 2018 12:15:20 -0400
+Subject: affs_lookup(): close a race with affs_remove_link()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 30da870ce4a4e007c901858a96e9e394a1daa74a upstream.
+
+we unlock the directory hash too early - if we are looking at secondary
+link and primary (in another directory) gets removed just as we unlock,
+we could have the old primary moved in place of the secondary, leaving
+us to look into freed entry (and leaving our dentry with ->d_fsdata
+pointing to a freed entry).
+
+Cc: stable@vger.kernel.org # 2.4.4+
+Acked-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/affs/namei.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/fs/affs/namei.c
++++ b/fs/affs/namei.c
+@@ -224,9 +224,10 @@ affs_lookup(struct inode *dir, struct de
+
+ affs_lock_dir(dir);
+ bh = affs_find_entry(dir, dentry);
+- affs_unlock_dir(dir);
+- if (IS_ERR(bh))
++ if (IS_ERR(bh)) {
++ affs_unlock_dir(dir);
+ return ERR_CAST(bh);
++ }
+ if (bh) {
+ u32 ino = bh->b_blocknr;
+
+@@ -240,10 +241,13 @@ affs_lookup(struct inode *dir, struct de
+ }
+ affs_brelse(bh);
+ inode = affs_iget(sb, ino);
+- if (IS_ERR(inode))
++ if (IS_ERR(inode)) {
++ affs_unlock_dir(dir);
+ return ERR_CAST(inode);
++ }
+ }
+ d_add(dentry, inode);
++ affs_unlock_dir(dir);
+ return NULL;
+ }
+
--- /dev/null
+From baf10564fbb66ea222cae66fbff11c444590ffd9 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 20 May 2018 16:46:23 -0400
+Subject: aio: fix io_destroy(2) vs. lookup_ioctx() race
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit baf10564fbb66ea222cae66fbff11c444590ffd9 upstream.
+
+kill_ioctx() used to have an explicit RCU delay between removing the
+reference from ->ioctx_table and percpu_ref_kill() dropping the refcount.
+At some point that delay had been removed, on the theory that
+percpu_ref_kill() itself contained an RCU delay. Unfortunately, that was
+the wrong kind of RCU delay and it didn't care about rcu_read_lock() used
+by lookup_ioctx(). As the result, we could get ctx freed right under
+lookup_ioctx(). Tejun has fixed that in a6d7cff472e ("fs/aio: Add explicit
+RCU grace period when freeing kioctx"); however, that fix is not enough.
+
+Suppose io_destroy() from one thread races with e.g. io_setup() from another;
+CPU1 removes the reference from current->mm->ioctx_table[...] just as CPU2
+has picked it (under rcu_read_lock()). Then CPU1 proceeds to drop the
+refcount, getting it to 0 and triggering a call of free_ioctx_users(),
+which proceeds to drop the secondary refcount and once that reaches zero
+calls free_ioctx_reqs(). That does
+ INIT_RCU_WORK(&ctx->free_rwork, free_ioctx);
+ queue_rcu_work(system_wq, &ctx->free_rwork);
+and schedules freeing the whole thing after RCU delay.
+
+In the meanwhile CPU2 has gotten around to percpu_ref_get(), bumping the
+refcount from 0 to 1 and returned the reference to io_setup().
+
+Tejun's fix (that queue_rcu_work() in there) guarantees that ctx won't get
+freed until after percpu_ref_get(). Sure, we'd increment the counter before
+ctx can be freed. Now we are out of rcu_read_lock() and there's nothing to
+stop freeing of the whole thing. Unfortunately, CPU2 assumes that since it
+has grabbed the reference, ctx is *NOT* going away until it gets around to
+dropping that reference.
+
+The fix is obvious - use percpu_ref_tryget_live() and treat failure as miss.
+It's not costlier than what we currently do in normal case, it's safe to
+call since freeing *is* delayed and it closes the race window - either
+lookup_ioctx() comes before percpu_ref_kill() (in which case ctx->users
+won't reach 0 until the caller of lookup_ioctx() drops it) or lookup_ioctx()
+fails, ctx->users is unaffected and caller of lookup_ioctx() doesn't see
+the object in question at all.
+
+Cc: stable@kernel.org
+Fixes: a6d7cff472e "fs/aio: Add explicit RCU grace period when freeing kioctx"
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/aio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1006,8 +1006,8 @@ static struct kioctx *lookup_ioctx(unsig
+
+ ctx = rcu_dereference(table->table[id]);
+ if (ctx && ctx->user_id == ctx_id) {
+- percpu_ref_get(&ctx->users);
+- ret = ctx;
++ if (percpu_ref_tryget_live(&ctx->users))
++ ret = ctx;
+ }
+ out:
+ rcu_read_unlock();
--- /dev/null
+From ba3696e94d9d590d9a7e55f68e81c25dba515191 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Mon, 14 May 2018 18:23:50 +0100
+Subject: KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable"
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit ba3696e94d9d590d9a7e55f68e81c25dba515191 upstream.
+
+Trivial fix to spelling mistake in debugfs_entries text.
+
+Fixes: 669e846e6c4e ("KVM/MIPS32: MIPS arch specific APIs for KVM")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: kernel-janitors@vger.kernel.org
+Cc: <stable@vger.kernel.org> # 3.10+
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kvm/mips.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kvm/mips.c
++++ b/arch/mips/kvm/mips.c
+@@ -39,7 +39,7 @@ struct kvm_stats_debugfs_item debugfs_en
+ { "cache", VCPU_STAT(cache_exits), KVM_STAT_VCPU },
+ { "signal", VCPU_STAT(signal_exits), KVM_STAT_VCPU },
+ { "interrupt", VCPU_STAT(int_exits), KVM_STAT_VCPU },
+- { "cop_unsuable", VCPU_STAT(cop_unusable_exits), KVM_STAT_VCPU },
++ { "cop_unusable", VCPU_STAT(cop_unusable_exits), KVM_STAT_VCPU },
+ { "tlbmod", VCPU_STAT(tlbmod_exits), KVM_STAT_VCPU },
+ { "tlbmiss_ld", VCPU_STAT(tlbmiss_ld_exits), KVM_STAT_VCPU },
+ { "tlbmiss_st", VCPU_STAT(tlbmiss_st_exits), KVM_STAT_VCPU },
--- /dev/null
+From 9a3a92ccfe3620743d4ae57c987dc8e9c5f88996 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@mips.com>
+Date: Mon, 14 May 2018 16:49:43 +0100
+Subject: MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs
+
+From: Maciej W. Rozycki <macro@mips.com>
+
+commit 9a3a92ccfe3620743d4ae57c987dc8e9c5f88996 upstream.
+
+Check the TIF_32BIT_FPREGS task setting of the tracee rather than the
+tracer in determining the layout of floating-point general registers in
+the floating-point context, correcting access to odd-numbered registers
+for o32 tracees where the setting disagrees between the two processes.
+
+Fixes: 597ce1723e0f ("MIPS: Support for 64-bit FP with O32 binaries")
+Signed-off-by: Maciej W. Rozycki <macro@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: <stable@vger.kernel.org> # 3.14+
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/ptrace.c | 4 ++--
+ arch/mips/kernel/ptrace32.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -702,7 +702,7 @@ long arch_ptrace(struct task_struct *chi
+ fregs = get_fpu_regs(child);
+
+ #ifdef CONFIG_32BIT
+- if (test_thread_flag(TIF_32BIT_FPREGS)) {
++ if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
+ /*
+ * The odd registers are actually the high
+ * order bits of the values stored in the even
+@@ -796,7 +796,7 @@ long arch_ptrace(struct task_struct *chi
+ child->thread.fpu.fcr31 = 0;
+ }
+ #ifdef CONFIG_32BIT
+- if (test_thread_flag(TIF_32BIT_FPREGS)) {
++ if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
+ /*
+ * The odd registers are actually the high
+ * order bits of the values stored in the even
+--- a/arch/mips/kernel/ptrace32.c
++++ b/arch/mips/kernel/ptrace32.c
+@@ -97,7 +97,7 @@ long compat_arch_ptrace(struct task_stru
+ break;
+ }
+ fregs = get_fpu_regs(child);
+- if (test_thread_flag(TIF_32BIT_FPREGS)) {
++ if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
+ /*
+ * The odd registers are actually the high
+ * order bits of the values stored in the even
+@@ -203,7 +203,7 @@ long compat_arch_ptrace(struct task_stru
+ sizeof(child->thread.fpu));
+ child->thread.fpu.fcr31 = 0;
+ }
+- if (test_thread_flag(TIF_32BIT_FPREGS)) {
++ if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
+ /*
+ * The odd registers are actually the high
+ * order bits of the values stored in the even
--- /dev/null
+From 71e909c0cdad28a1df1fa14442929e68615dee45 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@mips.com>
+Date: Mon, 30 Apr 2018 15:56:47 +0100
+Subject: MIPS: ptrace: Expose FIR register through FP regset
+
+From: Maciej W. Rozycki <macro@mips.com>
+
+commit 71e909c0cdad28a1df1fa14442929e68615dee45 upstream.
+
+Correct commit 7aeb753b5353 ("MIPS: Implement task_user_regset_view.")
+and expose the FIR register using the unused 4 bytes at the end of the
+NT_PRFPREG regset. Without that register included clients cannot use
+the PTRACE_GETREGSET request to retrieve the complete FPU register set
+and have to resort to one of the older interfaces, either PTRACE_PEEKUSR
+or PTRACE_GETFPREGS, to retrieve the missing piece of data. Also the
+register is irreversibly missing from core dumps.
+
+This register is architecturally hardwired and read-only so the write
+path does not matter. Ignore data supplied on writes then.
+
+Fixes: 7aeb753b5353 ("MIPS: Implement task_user_regset_view.")
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Maciej W. Rozycki <macro@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: <stable@vger.kernel.org> # 3.13+
+Patchwork: https://patchwork.linux-mips.org/patch/19273/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/ptrace.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -444,7 +444,7 @@ static int fpr_get_msa(struct task_struc
+ /*
+ * Copy the floating-point context to the supplied NT_PRFPREG buffer.
+ * Choose the appropriate helper for general registers, and then copy
+- * the FCSR register separately.
++ * the FCSR and FIR registers separately.
+ */
+ static int fpr_get(struct task_struct *target,
+ const struct user_regset *regset,
+@@ -452,6 +452,7 @@ static int fpr_get(struct task_struct *t
+ void *kbuf, void __user *ubuf)
+ {
+ const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t);
++ const int fir_pos = fcr31_pos + sizeof(u32);
+ int err;
+
+ if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))
+@@ -464,6 +465,12 @@ static int fpr_get(struct task_struct *t
+ err = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
+ &target->thread.fpu.fcr31,
+ fcr31_pos, fcr31_pos + sizeof(u32));
++ if (err)
++ return err;
++
++ err = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
++ &boot_cpu_data.fpu_id,
++ fir_pos, fir_pos + sizeof(u32));
+
+ return err;
+ }
+@@ -512,7 +519,8 @@ static int fpr_set_msa(struct task_struc
+ /*
+ * Copy the supplied NT_PRFPREG buffer to the floating-point context.
+ * Choose the appropriate helper for general registers, and then copy
+- * the FCSR register separately.
++ * the FCSR register separately. Ignore the incoming FIR register
++ * contents though, as the register is read-only.
+ *
+ * We optimize for the case where `count % sizeof(elf_fpreg_t) == 0',
+ * which is supposed to have been guaranteed by the kernel before
+@@ -526,6 +534,7 @@ static int fpr_set(struct task_struct *t
+ const void *kbuf, const void __user *ubuf)
+ {
+ const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t);
++ const int fir_pos = fcr31_pos + sizeof(u32);
+ u32 fcr31;
+ int err;
+
+@@ -551,6 +560,11 @@ static int fpr_set(struct task_struct *t
+ target->thread.fpu.fcr31 = fcr31 & ~FPU_CSR_ALL_X;
+ }
+
++ if (count > 0)
++ err = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf,
++ fir_pos,
++ fir_pos + sizeof(u32));
++
+ return err;
+ }
+
--- /dev/null
+mips-ptrace-expose-fir-register-through-fp-regset.patch
+mips-fix-ptrace-2-ptrace_peekusr-and-ptrace_pokeusr-accesses-to-o32-fgrs.patch
+kvm-fix-spelling-mistake-cop_unsuable-cop_unusable.patch
+affs_lookup-close-a-race-with-affs_remove_link.patch
+aio-fix-io_destroy-2-vs.-lookup_ioctx-race.patch
--- /dev/null
+mips-c-r4k-fix-data-corruption-related-to-cache-coherence.patch
+mips-ptrace-expose-fir-register-through-fp-regset.patch
+mips-fix-ptrace-2-ptrace_peekusr-and-ptrace_pokeusr-accesses-to-o32-fgrs.patch
+kvm-fix-spelling-mistake-cop_unsuable-cop_unusable.patch
+affs_lookup-close-a-race-with-affs_remove_link.patch
+fs-don-t-scan-the-inode-cache-before-sb_born-is-set.patch
+aio-fix-io_destroy-2-vs.-lookup_ioctx-race.patch
--- /dev/null
+mips-xilfpga-stop-generating-useless-dtb.o.patch
+mips-xilfpga-actually-include-fdt-in-fitimage.patch
+mips-c-r4k-fix-data-corruption-related-to-cache-coherence.patch
+mips-fix-build-with-debug_zboot-and-mach_jz4770.patch
+mips-ptrace-expose-fir-register-through-fp-regset.patch
+mips-fix-ptrace-2-ptrace_peekusr-and-ptrace_pokeusr-accesses-to-o32-fgrs.patch
+kvm-fix-spelling-mistake-cop_unsuable-cop_unusable.patch
+affs_lookup-close-a-race-with-affs_remove_link.patch
+fix-breakage-caused-by-d_find_alias-semantics-change.patch
+fs-don-t-scan-the-inode-cache-before-sb_born-is-set.patch
+aio-fix-io_destroy-2-vs.-lookup_ioctx-race.patch
--- /dev/null
+mips-ptrace-expose-fir-register-through-fp-regset.patch
+mips-fix-ptrace-2-ptrace_peekusr-and-ptrace_pokeusr-accesses-to-o32-fgrs.patch
+kvm-fix-spelling-mistake-cop_unsuable-cop_unusable.patch
+affs_lookup-close-a-race-with-affs_remove_link.patch
+aio-fix-io_destroy-2-vs.-lookup_ioctx-race.patch
--- /dev/null
+mips-c-r4k-fix-data-corruption-related-to-cache-coherence.patch
+mips-ptrace-expose-fir-register-through-fp-regset.patch
+mips-fix-ptrace-2-ptrace_peekusr-and-ptrace_pokeusr-accesses-to-o32-fgrs.patch
+kvm-fix-spelling-mistake-cop_unsuable-cop_unusable.patch
+affs_lookup-close-a-race-with-affs_remove_link.patch
+aio-fix-io_destroy-2-vs.-lookup_ioctx-race.patch