--- /dev/null
+From 76b3421b39bd610546931fc923edcf90c18fa395 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 30 Apr 2018 10:06:48 +0200
+Subject: ALSA: aloop: Add missing cable lock to ctl API callbacks
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 76b3421b39bd610546931fc923edcf90c18fa395 upstream.
+
+Some control API callbacks in aloop driver are too lazy to take the
+loopback->cable_lock and it results in possible races of cable access
+while it's being freed. It eventually lead to a UAF, as reported by
+fuzzer recently.
+
+This patch covers such control API callbacks and add the proper mutex
+locks.
+
+Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/drivers/aloop.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -832,9 +832,11 @@ static int loopback_rate_shift_get(struc
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+
++ mutex_lock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] =
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].rate_shift;
++ mutex_unlock(&loopback->cable_lock);
+ return 0;
+ }
+
+@@ -866,9 +868,11 @@ static int loopback_notify_get(struct sn
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+
++ mutex_lock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] =
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].notify;
++ mutex_unlock(&loopback->cable_lock);
+ return 0;
+ }
+
+@@ -880,12 +884,14 @@ static int loopback_notify_put(struct sn
+ int change = 0;
+
+ val = ucontrol->value.integer.value[0] ? 1 : 0;
++ mutex_lock(&loopback->cable_lock);
+ if (val != loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].notify) {
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].notify = val;
+ change = 1;
+ }
++ mutex_unlock(&loopback->cable_lock);
+ return change;
+ }
+
+@@ -893,15 +899,18 @@ static int loopback_active_get(struct sn
+ struct snd_ctl_elem_value *ucontrol)
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+- struct loopback_cable *cable = loopback->cables
+- [kcontrol->id.subdevice][kcontrol->id.device ^ 1];
++ struct loopback_cable *cable;
++
+ unsigned int val = 0;
+
++ mutex_lock(&loopback->cable_lock);
++ cable = loopback->cables[kcontrol->id.subdevice][kcontrol->id.device ^ 1];
+ if (cable != NULL) {
+ unsigned int running = cable->running ^ cable->pause;
+
+ val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0;
+ }
++ mutex_unlock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] = val;
+ return 0;
+ }
+@@ -944,9 +953,11 @@ static int loopback_rate_get(struct snd_
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+
++ mutex_lock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] =
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].rate;
++ mutex_unlock(&loopback->cable_lock);
+ return 0;
+ }
+
+@@ -966,9 +977,11 @@ static int loopback_channels_get(struct
+ {
+ struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+
++ mutex_lock(&loopback->cable_lock);
+ ucontrol->value.integer.value[0] =
+ loopback->setup[kcontrol->id.subdevice]
+ [kcontrol->id.device].channels;
++ mutex_unlock(&loopback->cable_lock);
+ return 0;
+ }
+
--- /dev/null
+From 306a4f3ca7f3c7dfa473ebd19d66e40e59d99734 Mon Sep 17 00:00:00 2001
+From: Robert Rosengren <robert.rosengren@axis.com>
+Date: Mon, 26 Mar 2018 07:24:49 +0200
+Subject: ALSA: aloop: Mark paused device as inactive
+
+From: Robert Rosengren <robert.rosengren@axis.com>
+
+commit 306a4f3ca7f3c7dfa473ebd19d66e40e59d99734 upstream.
+
+Show paused ALSA aloop device as inactive, i.e. the control
+"PCM Slave Active" set as false. Notification sent upon state change.
+
+This makes it possible for client capturing from aloop device to know if
+data is expected. Without it the client expects data even if playback
+is paused.
+
+Signed-off-by: Robert Rosengren <robert.rosengren@axis.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/drivers/aloop.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -296,6 +296,8 @@ static int loopback_trigger(struct snd_p
+ cable->pause |= stream;
+ loopback_timer_stop(dpcm);
+ spin_unlock(&cable->lock);
++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
++ loopback_active_notify(dpcm);
+ break;
+ case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
+ case SNDRV_PCM_TRIGGER_RESUME:
+@@ -304,6 +306,8 @@ static int loopback_trigger(struct snd_p
+ cable->pause &= ~stream;
+ loopback_timer_start(dpcm);
+ spin_unlock(&cable->lock);
++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
++ loopback_active_notify(dpcm);
+ break;
+ default:
+ return -EINVAL;
+@@ -893,9 +897,11 @@ static int loopback_active_get(struct sn
+ [kcontrol->id.subdevice][kcontrol->id.device ^ 1];
+ unsigned int val = 0;
+
+- if (cable != NULL)
+- val = (cable->running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ?
+- 1 : 0;
++ if (cable != NULL) {
++ unsigned int running = cable->running ^ cable->pause;
++
++ val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0;
++ }
+ ucontrol->value.integer.value[0] = val;
+ return 0;
+ }
--- /dev/null
+From 52759c0963510a2843774aac9b65ccaed3308dc0 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Sun, 29 Apr 2018 15:01:46 +0900
+Subject: ALSA: dice: fix kernel NULL pointer dereference due to invalid calculation for array index
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 52759c0963510a2843774aac9b65ccaed3308dc0 upstream.
+
+At a commit f91c9d7610a ('ALSA: firewire-lib: cache maximum length of
+payload to reduce function calls'), maximum size of payload for tx
+isochronous packet is cached to reduce the number of function calls.
+
+This cache was programmed to updated at a first callback of ohci1394 IR
+context. However, the maximum size is required to queueing packets before
+starting the isochronous context.
+
+As a result, the cached value is reused to queue packets in next time to
+starting the isochronous context. Then the cache is updated in a first
+callback of the isochronous context. This can cause kernel NULL pointer
+dereference in a below call graph:
+
+(sound/firewire/amdtp-stream.c)
+amdtp_stream_start()
+->queue_in_packet()
+ ->queue_packet()
+ (drivers/firewire/core-iso.c)
+ ->fw_iso_context_queue()
+ ->struct fw_card_driver.queue_iso()
+ (drivers/firewire/ohci.c)
+ = ohci_queue_iso()
+ ->queue_iso_packet_per_buffer()
+ buffer->pages[page]
+
+The issued dereference occurs in a case that:
+ - target unit supports different stream formats for sampling transmission
+ frequency.
+ - maximum length of payload for tx stream in a first trial is bigger
+ than the length in a second trial.
+
+In this case, correct number of pages are allocated for DMA and the 'pages'
+array has enough elements, while index of the element is wrongly calculated
+according to the old value of length of payload in a call of
+'queue_in_packet()'. Then it causes the issue.
+
+This commit fixes the critical bug. This affects all of drivers in ALSA
+firewire stack in Linux kernel v4.12 or later.
+
+[12665.302360] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+[12665.302415] IP: ohci_queue_iso+0x47c/0x800 [firewire_ohci]
+[12665.302439] PGD 0
+[12665.302440] P4D 0
+[12665.302450]
+[12665.302470] Oops: 0000 [#1] SMP PTI
+[12665.302487] Modules linked in: ...
+[12665.303096] CPU: 1 PID: 12760 Comm: jackd Tainted: P OE 4.13.0-38-generic #43-Ubuntu
+[12665.303154] Hardware name: /DH77DF, BIOS KCH7710H.86A.0069.2012.0224.1825 02/24/2012
+[12665.303215] task: ffff9ce87da2ae80 task.stack: ffffb5b8823d0000
+[12665.303258] RIP: 0010:ohci_queue_iso+0x47c/0x800 [firewire_ohci]
+[12665.303301] RSP: 0018:ffffb5b8823d3ab8 EFLAGS: 00010086
+[12665.303337] RAX: ffff9ce4f4876930 RBX: 0000000000000008 RCX: ffff9ce88a3955e0
+[12665.303384] RDX: 0000000000000000 RSI: 0000000034877f00 RDI: 0000000000000000
+[12665.303427] RBP: ffffb5b8823d3b68 R08: ffff9ce8ccb390a0 R09: ffff9ce877639ab0
+[12665.303475] R10: 0000000000000108 R11: 0000000000000000 R12: 0000000000000003
+[12665.303513] R13: 0000000000000000 R14: ffff9ce4f4876950 R15: 0000000000000000
+[12665.303554] FS: 00007f2ec467f8c0(0000) GS:ffff9ce8df280000(0000) knlGS:0000000000000000
+[12665.303600] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[12665.303633] CR2: 0000000000000030 CR3: 00000002dcf90004 CR4: 00000000000606e0
+[12665.303674] Call Trace:
+[12665.303698] fw_iso_context_queue+0x18/0x20 [firewire_core]
+[12665.303735] queue_packet+0x88/0xe0 [snd_firewire_lib]
+[12665.303770] amdtp_stream_start+0x19b/0x270 [snd_firewire_lib]
+[12665.303811] start_streams+0x276/0x3c0 [snd_dice]
+[12665.303840] snd_dice_stream_start_duplex+0x1bf/0x480 [snd_dice]
+[12665.303882] ? vma_gap_callbacks_rotate+0x1e/0x30
+[12665.303914] ? __rb_insert_augmented+0xab/0x240
+[12665.303936] capture_prepare+0x3c/0x70 [snd_dice]
+[12665.303961] snd_pcm_do_prepare+0x1d/0x30 [snd_pcm]
+[12665.303985] snd_pcm_action_single+0x3b/0x90 [snd_pcm]
+[12665.304009] snd_pcm_action_nonatomic+0x68/0x70 [snd_pcm]
+[12665.304035] snd_pcm_prepare+0x68/0x90 [snd_pcm]
+[12665.304058] snd_pcm_common_ioctl1+0x4c0/0x940 [snd_pcm]
+[12665.304083] snd_pcm_capture_ioctl1+0x19b/0x250 [snd_pcm]
+[12665.304108] snd_pcm_capture_ioctl+0x27/0x40 [snd_pcm]
+[12665.304131] do_vfs_ioctl+0xa8/0x630
+[12665.304148] ? entry_SYSCALL_64_after_hwframe+0xe9/0x139
+[12665.304172] ? entry_SYSCALL_64_after_hwframe+0xe2/0x139
+[12665.304195] ? entry_SYSCALL_64_after_hwframe+0xdb/0x139
+[12665.304218] ? entry_SYSCALL_64_after_hwframe+0xd4/0x139
+[12665.304242] ? entry_SYSCALL_64_after_hwframe+0xcd/0x139
+[12665.304265] ? entry_SYSCALL_64_after_hwframe+0xc6/0x139
+[12665.304288] ? entry_SYSCALL_64_after_hwframe+0xbf/0x139
+[12665.304312] ? entry_SYSCALL_64_after_hwframe+0xb8/0x139
+[12665.304335] ? entry_SYSCALL_64_after_hwframe+0xb1/0x139
+[12665.304358] SyS_ioctl+0x79/0x90
+[12665.304374] ? entry_SYSCALL_64_after_hwframe+0x72/0x139
+[12665.304397] entry_SYSCALL_64_fastpath+0x24/0xab
+[12665.304417] RIP: 0033:0x7f2ec3750ef7
+[12665.304433] RSP: 002b:00007fff99e31388 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+[12665.304465] RAX: ffffffffffffffda RBX: 00007fff99e312f0 RCX: 00007f2ec3750ef7
+[12665.304494] RDX: 0000000000000000 RSI: 0000000000004140 RDI: 0000000000000007
+[12665.304522] RBP: 0000556ebc63fd60 R08: 0000556ebc640560 R09: 0000000000000000
+[12665.304553] R10: 0000000000000001 R11: 0000000000000246 R12: 0000556ebc63fcf0
+[12665.304584] R13: 0000000000000000 R14: 0000000000000007 R15: 0000000000000000
+[12665.304612] Code: 01 00 00 44 89 eb 45 31 ed 45 31 db 66 41 89 1e 66 41 89 5e 0c 66 45 89 5e 0e 49 8b 49 08 49 63 d4 4d 85 c0 49 63 ff 48 8b 14 d1 <48> 8b 72 30 41 8d 14 37 41 89 56 04 48 63 d3 0f 84 ce 00 00 00
+[12665.304713] RIP: ohci_queue_iso+0x47c/0x800 [firewire_ohci] RSP: ffffb5b8823d3ab8
+[12665.304743] CR2: 0000000000000030
+[12665.317701] ---[ end trace 9d55b056dd52a19f ]---
+
+Fixes: f91c9d7610a ('ALSA: firewire-lib: cache maximum length of payload to reduce function calls')
+Cc: <stable@vger.kernel.org> # v4.12+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/amdtp-stream.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/firewire/amdtp-stream.c
++++ b/sound/firewire/amdtp-stream.c
+@@ -773,8 +773,6 @@ static void amdtp_stream_first_callback(
+ u32 cycle;
+ unsigned int packets;
+
+- s->max_payload_length = amdtp_stream_get_max_payload(s);
+-
+ /*
+ * For in-stream, first packet has come.
+ * For out-stream, prepared to transmit first packet
+@@ -879,6 +877,9 @@ int amdtp_stream_start(struct amdtp_stre
+
+ amdtp_stream_update(s);
+
++ if (s->direction == AMDTP_IN_STREAM)
++ s->max_payload_length = amdtp_stream_get_max_payload(s);
++
+ if (s->flags & CIP_NO_HEADER)
+ s->tag = TAG_NO_CIP_HEADER;
+ else
--- /dev/null
+From 6a30abaa40b62aed46ef12ea4c16c48565bdb376 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 27 Apr 2018 17:17:35 +0200
+Subject: ALSA: hda - Fix incorrect usage of IS_REACHABLE()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 6a30abaa40b62aed46ef12ea4c16c48565bdb376 upstream.
+
+The commit c469652bb5e8 ("ALSA: hda - Use IS_REACHABLE() for
+dependency on input") simplified the dependencies with IS_REACHABLE()
+macro, but it broke due to its incorrect usage: it should have been
+IS_REACHABLE(CONFIG_INPUT) instead of IS_REACHABLE(INPUT).
+
+Fixes: c469652bb5e8 ("ALSA: hda - Use IS_REACHABLE() for dependency on input")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3722,7 +3722,7 @@ static void alc280_fixup_hp_gpio4(struct
+ }
+ }
+
+-#if IS_REACHABLE(INPUT)
++#if IS_REACHABLE(CONFIG_INPUT)
+ static void gpio2_mic_hotkey_event(struct hda_codec *codec,
+ struct hda_jack_callback *event)
+ {
--- /dev/null
+From f13876e2c33a657a71bcbb10f767c0951b165020 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 2 May 2018 08:48:46 +0200
+Subject: ALSA: pcm: Check PCM state at xfern compat ioctl
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f13876e2c33a657a71bcbb10f767c0951b165020 upstream.
+
+Since snd_pcm_ioctl_xfern_compat() has no PCM state check, it may go
+further and hit the sanity check pcm_sanity_check() when the ioctl is
+called right after open. It may eventually spew a kernel warning, as
+triggered by syzbot, depending on kconfig.
+
+The lack of PCM state check there was just an oversight. Although
+it's no real crash, the spurious kernel warning is annoying, so let's
+add the proper check.
+
+Reported-by: syzbot+1dac3a4f6bc9c1c675d4@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_compat.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/pcm_compat.c
++++ b/sound/core/pcm_compat.c
+@@ -423,6 +423,8 @@ static int snd_pcm_ioctl_xfern_compat(st
+ return -ENOTTY;
+ if (substream->stream != dir)
+ return -EINVAL;
++ if (substream->runtime->status->state == SNDRV_PCM_STATE_OPEN)
++ return -EBADFD;
+
+ if ((ch = substream->runtime->channels) > 128)
+ return -EINVAL;
--- /dev/null
+From 8f22e52528cc372b218b5f100457469615c733ce Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 26 Apr 2018 09:17:45 +0200
+Subject: ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8f22e52528cc372b218b5f100457469615c733ce upstream.
+
+The sequencer virmidi code has an open race at its output trigger
+callback: namely, virmidi keeps only one event packet for processing
+while it doesn't protect for concurrent output trigger calls.
+
+snd_virmidi_output_trigger() tries to process the previously
+unfinished event before starting encoding the given MIDI stream, but
+this is done without any lock. Meanwhile, if another rawmidi stream
+starts the output trigger, this proceeds further, and overwrites the
+event package that is being processed in another thread. This
+eventually corrupts and may lead to the invalid memory access if the
+event type is like SYSEX.
+
+The fix is just to move the spinlock to cover both the pending event
+and the new stream.
+
+The bug was spotted by a new fuzzer, RaceFuzzer.
+
+BugLink: http://lkml.kernel.org/r/20180426045223.GA15307@dragonet.kaist.ac.kr
+Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_virmidi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/seq/seq_virmidi.c
++++ b/sound/core/seq/seq_virmidi.c
+@@ -174,12 +174,12 @@ static void snd_virmidi_output_trigger(s
+ }
+ return;
+ }
++ spin_lock_irqsave(&substream->runtime->lock, flags);
+ if (vmidi->event.type != SNDRV_SEQ_EVENT_NONE) {
+ if (snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, in_atomic(), 0) < 0)
+- return;
++ goto out;
+ vmidi->event.type = SNDRV_SEQ_EVENT_NONE;
+ }
+- spin_lock_irqsave(&substream->runtime->lock, flags);
+ while (1) {
+ count = __snd_rawmidi_transmit_peek(substream, buf, sizeof(buf));
+ if (count <= 0)
--- /dev/null
+From 4f32ac2e452c2180cd2df581cbadac183e27ecd0 Mon Sep 17 00:00:00 2001
+From: Danit Goldberg <danitg@mellanox.com>
+Date: Mon, 23 Apr 2018 17:01:54 +0300
+Subject: IB/mlx5: Use unlimited rate when static rate is not supported
+
+From: Danit Goldberg <danitg@mellanox.com>
+
+commit 4f32ac2e452c2180cd2df581cbadac183e27ecd0 upstream.
+
+Before the change, if the user passed a static rate value different
+than zero and the FW doesn't support static rate,
+it would end up configuring rate of 2.5 GBps.
+
+Fix this by using rate 0; unlimited, in cases where FW
+doesn't support static rate configuration.
+
+Cc: <stable@vger.kernel.org> # 3.10
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Reviewed-by: Majd Dibbiny <majd@mellanox.com>
+Signed-off-by: Danit Goldberg <danitg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/qp.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -2199,18 +2199,18 @@ enum {
+
+ static int ib_rate_to_mlx5(struct mlx5_ib_dev *dev, u8 rate)
+ {
+- if (rate == IB_RATE_PORT_CURRENT) {
++ if (rate == IB_RATE_PORT_CURRENT)
+ return 0;
+- } else if (rate < IB_RATE_2_5_GBPS || rate > IB_RATE_300_GBPS) {
++
++ if (rate < IB_RATE_2_5_GBPS || rate > IB_RATE_300_GBPS)
+ return -EINVAL;
+- } else {
+- while (rate != IB_RATE_2_5_GBPS &&
+- !(1 << (rate + MLX5_STAT_RATE_OFFSET) &
+- MLX5_CAP_GEN(dev->mdev, stat_rate_support)))
+- --rate;
+- }
+
+- return rate + MLX5_STAT_RATE_OFFSET;
++ while (rate != IB_RATE_PORT_CURRENT &&
++ !(1 << (rate + MLX5_STAT_RATE_OFFSET) &
++ MLX5_CAP_GEN(dev->mdev, stat_rate_support)))
++ --rate;
++
++ return rate ? rate + MLX5_STAT_RATE_OFFSET : rate;
+ }
+
+ static int modify_raw_packet_eth_prio(struct mlx5_core_dev *dev,
--- /dev/null
+From f372b81101e6895252298e563d634d5e44ae81e7 Mon Sep 17 00:00:00 2001
+From: "Vittorio Gambaletta (VittGam)" <linuxbugs@vittgam.net>
+Date: Wed, 25 Apr 2018 15:22:13 -0700
+Subject: Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook Pro
+
+From: Vittorio Gambaletta (VittGam) <linuxbugs@vittgam.net>
+
+commit f372b81101e6895252298e563d634d5e44ae81e7 upstream.
+
+This patch adds the correct platform data information for the Caroline
+Chromebook, so that the mouse button does not get stuck in pressed state
+after the first click.
+
+The Samus button keymap and platform data definition are the correct
+ones for Caroline, so they have been reused here.
+
+Signed-off-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
+Signed-off-by: Salvatore Bellizzi <lkml@seppia.net>
+Tested-by: Guenter Roeck <groeck@chromium.org>
+Cc: stable@vger.kernel.org
+[dtor: adjusted vendor spelling to match shipping firmware]
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/atmel_mxt_ts.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/touchscreen/atmel_mxt_ts.c
++++ b/drivers/input/touchscreen/atmel_mxt_ts.c
+@@ -3031,6 +3031,15 @@ static const struct dmi_system_id mxt_dm
+ .driver_data = samus_platform_data,
+ },
+ {
++ /* Samsung Chromebook Pro */
++ .ident = "Samsung Chromebook Pro",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Google"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Caroline"),
++ },
++ .driver_data = samus_platform_data,
++ },
++ {
+ /* Other Google Chromebooks */
+ .ident = "Chromebook",
+ .matches = {
--- /dev/null
+From 6bd6ae639683c0b41f46990d5c64ff9fbfa019dc Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 6 Apr 2018 10:23:05 -0700
+Subject: Input: leds - fix out of bound access
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 6bd6ae639683c0b41f46990d5c64ff9fbfa019dc upstream.
+
+UI_SET_LEDBIT ioctl() causes the following KASAN splat when used with
+led > LED_CHARGING:
+
+[ 1274.663418] BUG: KASAN: slab-out-of-bounds in input_leds_connect+0x611/0x730 [input_leds]
+[ 1274.663426] Write of size 8 at addr ffff88003377b2c0 by task ckb-next-daemon/5128
+
+This happens because we were writing to the led structure before making
+sure that it exists.
+
+Reported-by: Tasos Sahanidis <tasos@tasossah.com>
+Tested-by: Tasos Sahanidis <tasos@tasossah.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/input-leds.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/input-leds.c
++++ b/drivers/input/input-leds.c
+@@ -88,6 +88,7 @@ static int input_leds_connect(struct inp
+ const struct input_device_id *id)
+ {
+ struct input_leds *leds;
++ struct input_led *led;
+ unsigned int num_leds;
+ unsigned int led_code;
+ int led_no;
+@@ -119,14 +120,13 @@ static int input_leds_connect(struct inp
+
+ led_no = 0;
+ for_each_set_bit(led_code, dev->ledbit, LED_CNT) {
+- struct input_led *led = &leds->leds[led_no];
++ if (!input_led_info[led_code].name)
++ continue;
+
++ led = &leds->leds[led_no];
+ led->handle = &leds->handle;
+ led->code = led_code;
+
+- if (!input_led_info[led_code].name)
+- continue;
+-
+ led->cdev.name = kasprintf(GFP_KERNEL, "%s::%s",
+ dev_name(&dev->dev),
+ input_led_info[led_code].name);
--- /dev/null
+From 9306b38e42cb266f98bff6f6f4c1c652aa79ba45 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?SZ=20Lin=20=28=E6=9E=97=E4=B8=8A=E6=99=BA=29?=
+ <sz.lin@moxa.com>
+Date: Thu, 26 Apr 2018 14:30:13 +0800
+Subject: NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: SZ Lin (林上智) <sz.lin@moxa.com>
+
+commit 9306b38e42cb266f98bff6f6f4c1c652aa79ba45 upstream.
+
+This patch adds support for PID 0x90b2 of ublox R410M.
+
+qmicli -d /dev/cdc-wdm0 --dms-get-manufacturer
+[/dev/cdc-wdm0] Device manufacturer retrieved:
+ Manufacturer: 'u-blox'
+
+qmicli -d /dev/cdc-wdm0 --dms-get-model
+[/dev/cdc-wdm0] Device model retrieved:
+ Model: 'SARA-R410M-02B'
+
+Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1098,6 +1098,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x05c6, 0x9080, 8)},
+ {QMI_FIXED_INTF(0x05c6, 0x9083, 3)},
+ {QMI_FIXED_INTF(0x05c6, 0x9084, 4)},
++ {QMI_FIXED_INTF(0x05c6, 0x90b2, 3)}, /* ublox R410M */
+ {QMI_FIXED_INTF(0x05c6, 0x920d, 0)},
+ {QMI_FIXED_INTF(0x05c6, 0x920d, 5)},
+ {QMI_QUIRK_SET_DTR(0x05c6, 0x9625, 4)}, /* YUGA CLM920-NC5 */
--- /dev/null
+From 26bff1bd74a4f7417509a83295614e9dab995b2a Mon Sep 17 00:00:00 2001
+From: Raju Rangoju <rajur@chelsio.com>
+Date: Mon, 23 Apr 2018 21:42:37 +0530
+Subject: RDMA/cxgb4: release hw resources on device removal
+
+From: Raju Rangoju <rajur@chelsio.com>
+
+commit 26bff1bd74a4f7417509a83295614e9dab995b2a upstream.
+
+The c4iw_rdev_close() logic was not releasing all the hw
+resources (PBL and RQT memory) during the device removal
+event (driver unload / system reboot). This can cause panic
+in gen_pool_destroy().
+
+The module remove function will wait for all the hw
+resources to be released during the device removal event.
+
+Fixes c12a67fe(iw_cxgb4: free EQ queue memory on last deref)
+Signed-off-by: Raju Rangoju <rajur@chelsio.com>
+Reviewed-by: Steve Wise <swise@opengridcomputing.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/cxgb4/device.c | 9 ++++++++-
+ drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 4 ++++
+ drivers/infiniband/hw/cxgb4/resource.c | 26 ++++++++++++++++++++++++--
+ 3 files changed, 36 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/hw/cxgb4/device.c
++++ b/drivers/infiniband/hw/cxgb4/device.c
+@@ -884,6 +884,11 @@ static int c4iw_rdev_open(struct c4iw_rd
+
+ rdev->status_page->db_off = 0;
+
++ init_completion(&rdev->rqt_compl);
++ init_completion(&rdev->pbl_compl);
++ kref_init(&rdev->rqt_kref);
++ kref_init(&rdev->pbl_kref);
++
+ return 0;
+ err_free_status_page_and_wr_log:
+ if (c4iw_wr_log && rdev->wr_log)
+@@ -902,13 +907,15 @@ destroy_resource:
+
+ static void c4iw_rdev_close(struct c4iw_rdev *rdev)
+ {
+- destroy_workqueue(rdev->free_workq);
+ kfree(rdev->wr_log);
+ c4iw_release_dev_ucontext(rdev, &rdev->uctx);
+ free_page((unsigned long)rdev->status_page);
+ c4iw_pblpool_destroy(rdev);
+ c4iw_rqtpool_destroy(rdev);
++ wait_for_completion(&rdev->pbl_compl);
++ wait_for_completion(&rdev->rqt_compl);
+ c4iw_ocqp_pool_destroy(rdev);
++ destroy_workqueue(rdev->free_workq);
+ c4iw_destroy_resource(&rdev->resource);
+ }
+
+--- a/drivers/infiniband/hw/cxgb4/iw_cxgb4.h
++++ b/drivers/infiniband/hw/cxgb4/iw_cxgb4.h
+@@ -185,6 +185,10 @@ struct c4iw_rdev {
+ struct wr_log_entry *wr_log;
+ int wr_log_size;
+ struct workqueue_struct *free_workq;
++ struct completion rqt_compl;
++ struct completion pbl_compl;
++ struct kref rqt_kref;
++ struct kref pbl_kref;
+ };
+
+ static inline int c4iw_fatal_error(struct c4iw_rdev *rdev)
+--- a/drivers/infiniband/hw/cxgb4/resource.c
++++ b/drivers/infiniband/hw/cxgb4/resource.c
+@@ -260,12 +260,22 @@ u32 c4iw_pblpool_alloc(struct c4iw_rdev
+ rdev->stats.pbl.cur += roundup(size, 1 << MIN_PBL_SHIFT);
+ if (rdev->stats.pbl.cur > rdev->stats.pbl.max)
+ rdev->stats.pbl.max = rdev->stats.pbl.cur;
++ kref_get(&rdev->pbl_kref);
+ } else
+ rdev->stats.pbl.fail++;
+ mutex_unlock(&rdev->stats.lock);
+ return (u32)addr;
+ }
+
++static void destroy_pblpool(struct kref *kref)
++{
++ struct c4iw_rdev *rdev;
++
++ rdev = container_of(kref, struct c4iw_rdev, pbl_kref);
++ gen_pool_destroy(rdev->pbl_pool);
++ complete(&rdev->pbl_compl);
++}
++
+ void c4iw_pblpool_free(struct c4iw_rdev *rdev, u32 addr, int size)
+ {
+ pr_debug("%s addr 0x%x size %d\n", __func__, addr, size);
+@@ -273,6 +283,7 @@ void c4iw_pblpool_free(struct c4iw_rdev
+ rdev->stats.pbl.cur -= roundup(size, 1 << MIN_PBL_SHIFT);
+ mutex_unlock(&rdev->stats.lock);
+ gen_pool_free(rdev->pbl_pool, (unsigned long)addr, size);
++ kref_put(&rdev->pbl_kref, destroy_pblpool);
+ }
+
+ int c4iw_pblpool_create(struct c4iw_rdev *rdev)
+@@ -310,7 +321,7 @@ int c4iw_pblpool_create(struct c4iw_rdev
+
+ void c4iw_pblpool_destroy(struct c4iw_rdev *rdev)
+ {
+- gen_pool_destroy(rdev->pbl_pool);
++ kref_put(&rdev->pbl_kref, destroy_pblpool);
+ }
+
+ /*
+@@ -331,12 +342,22 @@ u32 c4iw_rqtpool_alloc(struct c4iw_rdev
+ rdev->stats.rqt.cur += roundup(size << 6, 1 << MIN_RQT_SHIFT);
+ if (rdev->stats.rqt.cur > rdev->stats.rqt.max)
+ rdev->stats.rqt.max = rdev->stats.rqt.cur;
++ kref_get(&rdev->rqt_kref);
+ } else
+ rdev->stats.rqt.fail++;
+ mutex_unlock(&rdev->stats.lock);
+ return (u32)addr;
+ }
+
++static void destroy_rqtpool(struct kref *kref)
++{
++ struct c4iw_rdev *rdev;
++
++ rdev = container_of(kref, struct c4iw_rdev, rqt_kref);
++ gen_pool_destroy(rdev->rqt_pool);
++ complete(&rdev->rqt_compl);
++}
++
+ void c4iw_rqtpool_free(struct c4iw_rdev *rdev, u32 addr, int size)
+ {
+ pr_debug("%s addr 0x%x size %d\n", __func__, addr, size << 6);
+@@ -344,6 +365,7 @@ void c4iw_rqtpool_free(struct c4iw_rdev
+ rdev->stats.rqt.cur -= roundup(size << 6, 1 << MIN_RQT_SHIFT);
+ mutex_unlock(&rdev->stats.lock);
+ gen_pool_free(rdev->rqt_pool, (unsigned long)addr, size << 6);
++ kref_put(&rdev->rqt_kref, destroy_rqtpool);
+ }
+
+ int c4iw_rqtpool_create(struct c4iw_rdev *rdev)
+@@ -380,7 +402,7 @@ int c4iw_rqtpool_create(struct c4iw_rdev
+
+ void c4iw_rqtpool_destroy(struct c4iw_rdev *rdev)
+ {
+- gen_pool_destroy(rdev->rqt_pool);
++ kref_put(&rdev->rqt_kref, destroy_rqtpool);
+ }
+
+ /*
--- /dev/null
+From 4f9ca2d8686ecfdd40ca4f0294a3d94f83f05cea Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Thu, 26 Apr 2018 15:37:48 +0300
+Subject: RDMA/mlx4: Add missed RSS hash inner header flag
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit 4f9ca2d8686ecfdd40ca4f0294a3d94f83f05cea upstream.
+
+Despite being advertised to user space application, the RSS inner
+header flag was filtered by checks at the beginning of QP creation
+routine.
+
+Cc: <stable@vger.kernel.org> # 4.15
+Fixes: 4d02ebd9bbbd ("IB/mlx4: Fix RSS hash fields restrictions")
+Fixes: 07d84f7b6adf ("IB/mlx4: Add support to RSS hash for inner headers")
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx4/qp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -673,7 +673,8 @@ static int set_qp_rss(struct mlx4_ib_dev
+ MLX4_IB_RX_HASH_SRC_PORT_TCP |
+ MLX4_IB_RX_HASH_DST_PORT_TCP |
+ MLX4_IB_RX_HASH_SRC_PORT_UDP |
+- MLX4_IB_RX_HASH_DST_PORT_UDP)) {
++ MLX4_IB_RX_HASH_DST_PORT_UDP |
++ MLX4_IB_RX_HASH_INNER)) {
+ pr_debug("RX Hash fields_mask has unsupported mask (0x%llx)\n",
+ ucmd->rx_hash_fields_mask);
+ return (-EOPNOTSUPP);
--- /dev/null
+From b4bd701ac469075d94ed9699a28755f2862252b9 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Mon, 23 Apr 2018 17:01:52 +0300
+Subject: RDMA/mlx5: Fix multiple NULL-ptr deref errors in rereg_mr flow
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit b4bd701ac469075d94ed9699a28755f2862252b9 upstream.
+
+Failure in rereg MR releases UMEM but leaves the MR to be destroyed
+by the user. As a result the following scenario may happen:
+"create MR -> rereg MR with failure -> call to rereg MR again" and
+hit "NULL-ptr deref or user memory access" errors.
+
+Ensure that rereg MR is only performed on a non-dead MR.
+
+Cc: syzkaller <syzkaller@googlegroups.com>
+Cc: <stable@vger.kernel.org> # 4.5
+Fixes: 395a8e4c32ea ("IB/mlx5: Refactoring register MR code")
+Reported-by: Noa Osherovich <noaos@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/mr.c | 32 +++++++++++++++++++++++---------
+ 1 file changed, 23 insertions(+), 9 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -833,25 +833,28 @@ static int mr_umem_get(struct ib_pd *pd,
+ int *order)
+ {
+ struct mlx5_ib_dev *dev = to_mdev(pd->device);
++ struct ib_umem *u;
+ int err;
+
+- *umem = ib_umem_get(pd->uobject->context, start, length,
+- access_flags, 0);
+- err = PTR_ERR_OR_ZERO(*umem);
++ *umem = NULL;
++
++ u = ib_umem_get(pd->uobject->context, start, length, access_flags, 0);
++ err = PTR_ERR_OR_ZERO(u);
+ if (err) {
+- *umem = NULL;
+- mlx5_ib_err(dev, "umem get failed (%d)\n", err);
++ mlx5_ib_dbg(dev, "umem get failed (%d)\n", err);
+ return err;
+ }
+
+- mlx5_ib_cont_pages(*umem, start, MLX5_MKEY_PAGE_SHIFT_MASK, npages,
++ mlx5_ib_cont_pages(u, start, MLX5_MKEY_PAGE_SHIFT_MASK, npages,
+ page_shift, ncont, order);
+ if (!*npages) {
+ mlx5_ib_warn(dev, "avoid zero region\n");
+- ib_umem_release(*umem);
++ ib_umem_release(u);
+ return -EINVAL;
+ }
+
++ *umem = u;
++
+ mlx5_ib_dbg(dev, "npages %d, ncont %d, order %d, page_shift %d\n",
+ *npages, *ncont, *order, *page_shift);
+
+@@ -1340,13 +1343,12 @@ int mlx5_ib_rereg_user_mr(struct ib_mr *
+ int access_flags = flags & IB_MR_REREG_ACCESS ?
+ new_access_flags :
+ mr->access_flags;
+- u64 addr = (flags & IB_MR_REREG_TRANS) ? virt_addr : mr->umem->address;
+- u64 len = (flags & IB_MR_REREG_TRANS) ? length : mr->umem->length;
+ int page_shift = 0;
+ int upd_flags = 0;
+ int npages = 0;
+ int ncont = 0;
+ int order = 0;
++ u64 addr, len;
+ int err;
+
+ mlx5_ib_dbg(dev, "start 0x%llx, virt_addr 0x%llx, length 0x%llx, access_flags 0x%x\n",
+@@ -1354,6 +1356,17 @@ int mlx5_ib_rereg_user_mr(struct ib_mr *
+
+ atomic_sub(mr->npages, &dev->mdev->priv.reg_pages);
+
++ if (!mr->umem)
++ return -EINVAL;
++
++ if (flags & IB_MR_REREG_TRANS) {
++ addr = virt_addr;
++ len = length;
++ } else {
++ addr = mr->umem->address;
++ len = mr->umem->length;
++ }
++
+ if (flags != IB_MR_REREG_PD) {
+ /*
+ * Replace umem. This needs to be done whether or not UMR is
+@@ -1361,6 +1374,7 @@ int mlx5_ib_rereg_user_mr(struct ib_mr *
+ */
+ flags |= IB_MR_REREG_TRANS;
+ ib_umem_release(mr->umem);
++ mr->umem = NULL;
+ err = mr_umem_get(pd, addr, len, access_flags, &mr->umem,
+ &npages, &page_shift, &ncont, &order);
+ if (err < 0) {
--- /dev/null
+From 002bf2282b2d7318e444dca9ffcb994afc5d5f15 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Mon, 23 Apr 2018 17:01:53 +0300
+Subject: RDMA/mlx5: Protect from shift operand overflow
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit 002bf2282b2d7318e444dca9ffcb994afc5d5f15 upstream.
+
+Ensure that user didn't supply values too large that can cause overflow.
+
+UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/qp.c:263:23
+shift exponent -2147483648 is negative
+CPU: 0 PID: 292 Comm: syzkaller612609 Not tainted 4.16.0-rc1+ #131
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014 Call
+Trace:
+dump_stack+0xde/0x164
+ubsan_epilogue+0xe/0x81
+set_rq_size+0x7c2/0xa90
+create_qp_common+0xc18/0x43c0
+mlx5_ib_create_qp+0x379/0x1ca0
+create_qp.isra.5+0xc94/0x2260
+ib_uverbs_create_qp+0x21b/0x2a0
+ib_uverbs_write+0xc2c/0x1010
+vfs_write+0x1b0/0x550
+SyS_write+0xc7/0x1a0
+do_syscall_64+0x1aa/0x740
+entry_SYSCALL_64_after_hwframe+0x26/0x9b
+RIP: 0033:0x433569
+RSP: 002b:00007ffc6e62f448 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00000000004002f8 RCX: 0000000000433569
+RDX: 0000000000000070 RSI: 00000000200042c0 RDI: 0000000000000003
+RBP: 00000000006d5018 R08: 00000000004002f8 R09: 00000000004002f8
+R10: 00000000004002f8 R11: 0000000000000217 R12: 0000000000000000
+R13: 000000000040c9f0 R14: 000000000040ca80 R15: 0000000000000006
+
+Cc: <stable@vger.kernel.org> # 3.10
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Cc: syzkaller <syzkaller@googlegroups.com>
+Reported-by: Noa Osherovich <noaos@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/qp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -256,7 +256,11 @@ static int set_rq_size(struct mlx5_ib_de
+ } else {
+ if (ucmd) {
+ qp->rq.wqe_cnt = ucmd->rq_wqe_count;
++ if (ucmd->rq_wqe_shift > BITS_PER_BYTE * sizeof(ucmd->rq_wqe_shift))
++ return -EINVAL;
+ qp->rq.wqe_shift = ucmd->rq_wqe_shift;
++ if ((1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) < qp->wq_sig)
++ return -EINVAL;
+ qp->rq.max_gs = (1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) - qp->wq_sig;
+ qp->rq.max_post = qp->rq.wqe_cnt;
+ } else {
--- /dev/null
+From 09abfe7b5b2f442a85f4c4d59ecf582ad76088d7 Mon Sep 17 00:00:00 2001
+From: Roland Dreier <roland@purestorage.com>
+Date: Thu, 19 Apr 2018 08:28:11 -0700
+Subject: RDMA/ucma: Allow resolving address w/o specifying source address
+
+From: Roland Dreier <roland@purestorage.com>
+
+commit 09abfe7b5b2f442a85f4c4d59ecf582ad76088d7 upstream.
+
+The RDMA CM will select a source device and address by consulting
+the routing table if no source address is passed into
+rdma_resolve_address(). Userspace will ask for this by passing an
+all-zero source address in the RESOLVE_IP command. Unfortunately
+the new check for non-zero address size rejects this with EINVAL,
+which breaks valid userspace applications.
+
+Fix this by explicitly allowing a zero address family for the source.
+
+Fixes: 2975d5de6428 ("RDMA/ucma: Check AF family prior resolving address")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/ucma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -678,7 +678,7 @@ static ssize_t ucma_resolve_ip(struct uc
+ if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+ return -EFAULT;
+
+- if (!rdma_addr_size_in6(&cmd.src_addr) ||
++ if ((cmd.src_addr.sin6_family && !rdma_addr_size_in6(&cmd.src_addr)) ||
+ !rdma_addr_size_in6(&cmd.dst_addr))
+ return -EINVAL;
+
--- /dev/null
+From af8a41cccf8f469165c6debc8fe07c5fd2ca501a Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih <pkshih@realtek.com>
+Date: Fri, 20 Apr 2018 10:30:09 +0800
+Subject: rtlwifi: cleanup 8723be ant_sel definition
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+commit af8a41cccf8f469165c6debc8fe07c5fd2ca501a upstream.
+
+Some HP laptops have only a single wifi antenna. This would not be a
+problem except that they were shipped with an incorrectly encoded
+EFUSE. It should have been possible to open the computer and transfer
+the antenna connection to the other terminal except that such action
+might void the warranty, and moving the antenna broke the Windows
+driver. The fix was to add a module option that would override the
+EFUSE encoding. That was done with commit c18d8f509571 ("rtlwifi:
+rtl8723be: Add antenna select module parameter"). There was still a
+problem with Bluetooth coexistence, which was addressed with commit
+baa170229095 ("rtlwifi: btcoexist: Implement antenna selection").
+There were still problems, thus there were commit 0ff78adeef11
+("rtlwifi: rtl8723be: fix ant_sel code") and commit 6d6226928369
+("rtlwifi: btcoexist: Fix antenna selection code"). Despite all these
+attempts at fixing the problem, the code is not yet right. A proper
+fix is important as there are now instances of laptops having
+RTL8723DE chips with the same problem.
+
+The module parameter ant_sel is used to control antenna number and path.
+At present enum ANT_{X2,X1} is used to define the antenna number, but
+this choice is not intuitive, thus change to a new enum ANT_{MAIN,AUX}
+to make it more readable. This change showed examples where incorrect
+values were used. It was also possible to remove a workaround in
+halbtcoutsrc.c.
+
+The experimental results with single antenna connected to specific path
+are now as follows:
+ ant_sel ANT_MAIN(#1) ANT_AUX(#2)
+ 0 -8 -62
+ 1 -62 -10
+ 2 -6 -60
+
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Fixes: c18d8f509571 ("rtlwifi: rtl8723be: Add antenna select module parameter")
+Fixes: baa170229095 ("rtlwifi: btcoexist: Implement antenna selection")
+Fixes: 0ff78adeef11 ("rtlwifi: rtl8723be: fix ant_sel code")
+Fixes: 6d6226928369 ("rtlwifi: btcoexist: Fix antenna selection code")
+Cc: Stable <stable@vger.kernel.org> # 4.7+
+Reviewed-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c | 15 ----------
+ drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c | 11 ++++---
+ drivers/net/wireless/realtek/rtlwifi/wifi.h | 5 +++
+ 3 files changed, 12 insertions(+), 19 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c
++++ b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c
+@@ -173,16 +173,6 @@ static u8 halbtc_get_wifi_central_chnl(s
+
+ u8 rtl_get_hwpg_single_ant_path(struct rtl_priv *rtlpriv)
+ {
+- struct rtl_mod_params *mod_params = rtlpriv->cfg->mod_params;
+-
+- /* override ant_num / ant_path */
+- if (mod_params->ant_sel) {
+- rtlpriv->btcoexist.btc_info.ant_num =
+- (mod_params->ant_sel == 1 ? ANT_X2 : ANT_X1);
+-
+- rtlpriv->btcoexist.btc_info.single_ant_path =
+- (mod_params->ant_sel == 1 ? 0 : 1);
+- }
+ return rtlpriv->btcoexist.btc_info.single_ant_path;
+ }
+
+@@ -193,7 +183,6 @@ u8 rtl_get_hwpg_bt_type(struct rtl_priv
+
+ u8 rtl_get_hwpg_ant_num(struct rtl_priv *rtlpriv)
+ {
+- struct rtl_mod_params *mod_params = rtlpriv->cfg->mod_params;
+ u8 num;
+
+ if (rtlpriv->btcoexist.btc_info.ant_num == ANT_X2)
+@@ -201,10 +190,6 @@ u8 rtl_get_hwpg_ant_num(struct rtl_priv
+ else
+ num = 1;
+
+- /* override ant_num / ant_path */
+- if (mod_params->ant_sel)
+- num = (mod_params->ant_sel == 1 ? ANT_X2 : ANT_X1) + 1;
+-
+ return num;
+ }
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c
+@@ -846,6 +846,9 @@ static bool _rtl8723be_init_mac(struct i
+ return false;
+ }
+
++ if (rtlpriv->cfg->ops->get_btc_status())
++ rtlpriv->btcoexist.btc_ops->btc_power_on_setting(rtlpriv);
++
+ bytetmp = rtl_read_byte(rtlpriv, REG_MULTI_FUNC_CTRL);
+ rtl_write_byte(rtlpriv, REG_MULTI_FUNC_CTRL, bytetmp | BIT(3));
+
+@@ -2696,21 +2699,21 @@ void rtl8723be_read_bt_coexist_info_from
+ rtlpriv->btcoexist.btc_info.bt_type = BT_RTL8723B;
+ rtlpriv->btcoexist.btc_info.ant_num = (value & 0x1);
+ rtlpriv->btcoexist.btc_info.single_ant_path =
+- (value & 0x40); /*0xc3[6]*/
++ (value & 0x40 ? ANT_AUX : ANT_MAIN); /*0xc3[6]*/
+ } else {
+ rtlpriv->btcoexist.btc_info.btcoexist = 0;
+ rtlpriv->btcoexist.btc_info.bt_type = BT_RTL8723B;
+ rtlpriv->btcoexist.btc_info.ant_num = ANT_X2;
+- rtlpriv->btcoexist.btc_info.single_ant_path = 0;
++ rtlpriv->btcoexist.btc_info.single_ant_path = ANT_MAIN;
+ }
+
+ /* override ant_num / ant_path */
+ if (mod_params->ant_sel) {
+ rtlpriv->btcoexist.btc_info.ant_num =
+- (mod_params->ant_sel == 1 ? ANT_X2 : ANT_X1);
++ (mod_params->ant_sel == 1 ? ANT_X1 : ANT_X2);
+
+ rtlpriv->btcoexist.btc_info.single_ant_path =
+- (mod_params->ant_sel == 1 ? 0 : 1);
++ (mod_params->ant_sel == 1 ? ANT_AUX : ANT_MAIN);
+ }
+ }
+
+--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h
++++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h
+@@ -2707,6 +2707,11 @@ enum bt_ant_num {
+ ANT_X1 = 1,
+ };
+
++enum bt_ant_path {
++ ANT_MAIN = 0,
++ ANT_AUX = 1,
++};
++
+ enum bt_co_type {
+ BT_2WIRE = 0,
+ BT_ISSC_3WIRE = 1,
--- /dev/null
+From f5957dade4f373b04fa1f5315a489f18cc2c4cb4 Mon Sep 17 00:00:00 2001
+From: Bryant G Ly <bryantly@linux.vnet.ibm.com>
+Date: Tue, 17 Apr 2018 10:33:21 -0500
+Subject: scsi: target: Fix fortify_panic kernel exception
+
+From: Bryant G Ly <bryantly@linux.vnet.ibm.com>
+
+commit f5957dade4f373b04fa1f5315a489f18cc2c4cb4 upstream.
+
+memcmp() requires the two buffers passed as arguments to be at least
+'size' bytes long, otherwise a fortify_panic will trigger.
+
+Use memchr_inv() instead of memcmp() to determine whether the received
+payload is zeroed or not.
+
+The bug was found by running a block backstore via LIO.
+
+[ 496.212958] Call Trace:
+[ 496.212960] [c0000007e58e3800] [c000000000cbbefc] fortify_panic+0x24/0x38 (unreliable)
+[ 496.212965] [c0000007e58e3860] [d00000000f150c28] iblock_execute_write_same+0x3b8/0x3c0 [target_core_iblock]
+[ 496.212976] [c0000007e58e3910] [d000000006c737d4] __target_execute_cmd+0x54/0x150 [target_core_mod]
+[ 496.212982] [c0000007e58e3940] [d000000006d32ce4] ibmvscsis_write_pending+0x74/0xe0 [ibmvscsis]
+[ 496.212991] [c0000007e58e39b0] [d000000006c74fc8] transport_generic_new_cmd+0x318/0x370 [target_core_mod]
+[ 496.213001] [c0000007e58e3a30] [d000000006c75084] transport_handle_cdb_direct+0x64/0xd0 [target_core_mod]
+[ 496.213011] [c0000007e58e3aa0] [d000000006c75298] target_submit_cmd_map_sgls+0x1a8/0x320 [target_core_mod]
+[ 496.213021] [c0000007e58e3b30] [d000000006c75458] target_submit_cmd+0x48/0x60 [target_core_mod]
+[ 496.213026] [c0000007e58e3bd0] [d000000006d34c20] ibmvscsis_scheduler+0x370/0x600 [ibmvscsis]
+[ 496.213031] [c0000007e58e3c90] [c00000000013135c] process_one_work+0x1ec/0x580
+[ 496.213035] [c0000007e58e3d20] [c000000000131798] worker_thread+0xa8/0x600
+[ 496.213039] [c0000007e58e3dc0] [c00000000013a468] kthread+0x168/0x1b0
+[ 496.213044] [c0000007e58e3e30] [c00000000000b528] ret_from_kernel_thread+0x5c/0xb4
+
+[mkp: tweaked commit message]
+
+Fixes: 2237498f0b5c ("target/iblock: Convert WRITE_SAME to blkdev_issue_zeroout")
+Signed-off-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+Reviewed-by: Steven Royer <seroyer@linux.vnet.ibm.com>
+Tested-by: Taylor Jakobson <tjakobs@us.ibm.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Nicholas Bellinger <nab@linux-iscsi.org>
+Cc: <stable@vger.kernel.org> # v4.13+
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_iblock.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/target/target_core_iblock.c
++++ b/drivers/target/target_core_iblock.c
+@@ -427,8 +427,8 @@ iblock_execute_zero_out(struct block_dev
+ {
+ struct se_device *dev = cmd->se_dev;
+ struct scatterlist *sg = &cmd->t_data_sg[0];
+- unsigned char *buf, zero = 0x00, *p = &zero;
+- int rc, ret;
++ unsigned char *buf, *not_zero;
++ int ret;
+
+ buf = kmap(sg_page(sg)) + sg->offset;
+ if (!buf)
+@@ -437,10 +437,10 @@ iblock_execute_zero_out(struct block_dev
+ * Fall back to block_execute_write_same() slow-path if
+ * incoming WRITE_SAME payload does not contain zeros.
+ */
+- rc = memcmp(buf, p, cmd->data_length);
++ not_zero = memchr_inv(buf, 0x00, cmd->data_length);
+ kunmap(sg_page(sg));
+
+- if (rc)
++ if (not_zero)
+ return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+
+ ret = blkdev_issue_zeroout(bdev,
crypto-talitos-fix-ipsec-cipher-in-length.patch
acpi-button-make-module-loadable-when-booted-in-non-acpi-mode.patch
usb-serial-option-add-support-for-quectel-ep06.patch
+alsa-hda-fix-incorrect-usage-of-is_reachable.patch
+alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch
+alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch
+alsa-dice-fix-kernel-null-pointer-dereference-due-to-invalid-calculation-for-array-index.patch
+alsa-aloop-mark-paused-device-as-inactive.patch
+alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch
+tracepoint-do-not-warn-on-enomem.patch
+scsi-target-fix-fortify_panic-kernel-exception.patch
+input-leds-fix-out-of-bound-access.patch
+input-atmel_mxt_ts-add-touchpad-button-mapping-for-samsung-chromebook-pro.patch
+rtlwifi-cleanup-8723be-ant_sel-definition.patch
+xfs-prevent-creating-negative-sized-file-via-insert_range.patch
+rdma-cxgb4-release-hw-resources-on-device-removal.patch
+rdma-ucma-allow-resolving-address-w-o-specifying-source-address.patch
+rdma-mlx5-fix-multiple-null-ptr-deref-errors-in-rereg_mr-flow.patch
+rdma-mlx4-add-missed-rss-hash-inner-header-flag.patch
+rdma-mlx5-protect-from-shift-operand-overflow.patch
+net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch
+ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch
--- /dev/null
+From d66a270be3310d7aa132fec0cea77d3d32a0ff75 Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Date: Thu, 15 Mar 2018 08:44:24 -0400
+Subject: tracepoint: Do not warn on ENOMEM
+
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+
+commit d66a270be3310d7aa132fec0cea77d3d32a0ff75 upstream.
+
+Tracepoint should only warn when a kernel API user does not respect the
+required preconditions (e.g. same tracepoint enabled twice, or called
+to remove a tracepoint that does not exist).
+
+Silence warning in out-of-memory conditions, given that the error is
+returned to the caller.
+
+This ensures that out-of-memory error-injection testing does not trigger
+warnings in tracepoint.c, which were seen by syzbot.
+
+Link: https://lkml.kernel.org/r/001a114465e241a8720567419a72@google.com
+Link: https://lkml.kernel.org/r/001a1140e0de15fc910567464190@google.com
+Link: http://lkml.kernel.org/r/20180315124424.32319-1-mathieu.desnoyers@efficios.com
+
+CC: Peter Zijlstra <peterz@infradead.org>
+CC: Jiri Olsa <jolsa@redhat.com>
+CC: Arnaldo Carvalho de Melo <acme@kernel.org>
+CC: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+CC: Namhyung Kim <namhyung@kernel.org>
+CC: stable@vger.kernel.org
+Fixes: de7b2973903c6 ("tracepoint: Use struct pointer instead of name hash for reg/unreg tracepoints")
+Reported-by: syzbot+9c0d616860575a73166a@syzkaller.appspotmail.com
+Reported-by: syzbot+4e9ae7fa46233396f64d@syzkaller.appspotmail.com
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/tracepoint.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/tracepoint.c
++++ b/kernel/tracepoint.c
+@@ -207,7 +207,7 @@ static int tracepoint_add_func(struct tr
+ lockdep_is_held(&tracepoints_mutex));
+ old = func_add(&tp_funcs, func, prio);
+ if (IS_ERR(old)) {
+- WARN_ON_ONCE(1);
++ WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM);
+ return PTR_ERR(old);
+ }
+
+@@ -240,7 +240,7 @@ static int tracepoint_remove_func(struct
+ lockdep_is_held(&tracepoints_mutex));
+ old = func_remove(&tp_funcs, func);
+ if (IS_ERR(old)) {
+- WARN_ON_ONCE(1);
++ WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM);
+ return PTR_ERR(old);
+ }
+
--- /dev/null
+From 7d83fb14258b9961920cd86f0b921caaeb3ebe85 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Mon, 16 Apr 2018 23:07:45 -0700
+Subject: xfs: prevent creating negative-sized file via INSERT_RANGE
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+commit 7d83fb14258b9961920cd86f0b921caaeb3ebe85 upstream.
+
+During the "insert range" fallocate operation, i_size grows by the
+specified 'len' bytes. XFS verifies that i_size + len < s_maxbytes, as
+it should. But this comparison is done using the signed 'loff_t', and
+'i_size + len' can wrap around to a negative value, causing the check to
+incorrectly pass, resulting in an inode with "negative" i_size. This is
+possible on 64-bit platforms, where XFS sets s_maxbytes = LLONG_MAX.
+ext4 and f2fs don't run into this because they set a smaller s_maxbytes.
+
+Fix it by using subtraction instead.
+
+Reproducer:
+ xfs_io -f file -c "truncate $(((1<<63)-1))" -c "finsert 0 4096"
+
+Fixes: a904b1ca5751 ("xfs: Add support FALLOC_FL_INSERT_RANGE for fallocate")
+Cc: <stable@vger.kernel.org> # v4.1+
+Originally-From: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+[darrick: fix signed integer addition overflow too]
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_file.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/fs/xfs/xfs_file.c
++++ b/fs/xfs/xfs_file.c
+@@ -811,22 +811,26 @@ xfs_file_fallocate(
+ if (error)
+ goto out_unlock;
+ } else if (mode & FALLOC_FL_INSERT_RANGE) {
+- unsigned int blksize_mask = i_blocksize(inode) - 1;
++ unsigned int blksize_mask = i_blocksize(inode) - 1;
++ loff_t isize = i_size_read(inode);
+
+- new_size = i_size_read(inode) + len;
+ if (offset & blksize_mask || len & blksize_mask) {
+ error = -EINVAL;
+ goto out_unlock;
+ }
+
+- /* check the new inode size does not wrap through zero */
+- if (new_size > inode->i_sb->s_maxbytes) {
++ /*
++ * New inode size must not exceed ->s_maxbytes, accounting for
++ * possible signed overflow.
++ */
++ if (inode->i_sb->s_maxbytes - isize < len) {
+ error = -EFBIG;
+ goto out_unlock;
+ }
++ new_size = isize + len;
+
+ /* Offset should be less than i_size */
+- if (offset >= i_size_read(inode)) {
++ if (offset >= isize) {
+ error = -EINVAL;
+ goto out_unlock;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
