--- /dev/null
+From 747df19747bc9752cd40b9cce761e17a033aa5c2 Mon Sep 17 00:00:00 2001
+From: Daniel Mack <daniel@zonque.org>
+Date: Thu, 11 Oct 2018 20:32:05 +0200
+Subject: ASoC: sta32x: set ->component pointer in private struct
+
+From: Daniel Mack <daniel@zonque.org>
+
+commit 747df19747bc9752cd40b9cce761e17a033aa5c2 upstream.
+
+The ESD watchdog code in sta32x_watchdog() dereferences the pointer
+which is never assigned.
+
+This is a regression from a1be4cead9b950 ("ASoC: sta32x: Convert to direct
+regmap API usage.") which went unnoticed since nobody seems to use that ESD
+workaround.
+
+Fixes: a1be4cead9b950 ("ASoC: sta32x: Convert to direct regmap API usage.")
+Signed-off-by: Daniel Mack <daniel@zonque.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/sta32x.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/soc/codecs/sta32x.c
++++ b/sound/soc/codecs/sta32x.c
+@@ -880,6 +880,9 @@ static int sta32x_probe(struct snd_soc_c
+ struct sta32x_priv *sta32x = snd_soc_codec_get_drvdata(codec);
+ struct sta32x_platform_data *pdata = sta32x->pdata;
+ int i, ret = 0, thermal = 0;
++
++ sta32x->component = component;
++
+ ret = regulator_bulk_enable(ARRAY_SIZE(sta32x->supplies),
+ sta32x->supplies);
+ if (ret != 0) {
--- /dev/null
+From fbe1a850b3b1522e9fc22319ccbbcd2ab05328d2 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Thu, 13 Sep 2018 10:51:31 +0200
+Subject: crypto: lrw - Fix out-of bounds access on counter overflow
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+commit fbe1a850b3b1522e9fc22319ccbbcd2ab05328d2 upstream.
+
+When the LRW block counter overflows, the current implementation returns
+128 as the index to the precomputed multiplication table, which has 128
+entries. This patch fixes it to return the correct value (127).
+
+Fixes: 64470f1b8510 ("[CRYPTO] lrw: Liskov Rivest Wagner, a tweakable narrow block cipher mode")
+Cc: <stable@vger.kernel.org> # 2.6.20+
+Reported-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/lrw.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/crypto/lrw.c
++++ b/crypto/lrw.c
+@@ -132,7 +132,12 @@ static inline int get_index128(be128 *bl
+ return x + ffz(val);
+ }
+
+- return x;
++ /*
++ * If we get here, then x == 128 and we are incrementing the counter
++ * from all ones to all zeros. This means we must return index 127, i.e.
++ * the one corresponding to key2*{ 1,...,1 }.
++ */
++ return 127;
+ }
+
+ static int crypt(struct blkcipher_desc *d,
--- /dev/null
+From fc62c3b1977d62e6374fd6e28d371bb42dfa5c9d Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Sun, 23 Sep 2018 21:10:43 +0000
+Subject: Drivers: hv: kvp: Fix two "this statement may fall through" warnings
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit fc62c3b1977d62e6374fd6e28d371bb42dfa5c9d upstream.
+
+We don't need to call process_ib_ipinfo() if message->kvp_hdr.operation is
+KVP_OP_GET_IP_INFO in kvp_send_key(), because here we just need to pass on
+the op code from the host to the userspace; when the userspace returns
+the info requested by the host, we pass the info on to the host in
+kvp_respond_to_host() -> process_ob_ipinfo(). BTW, the current buggy code
+actually doesn't cause any harm, because only message->kvp_hdr.operation
+is used by the userspace, in the case of KVP_OP_GET_IP_INFO.
+
+The patch also adds a missing "break;" in kvp_send_key(). BTW, the current
+buggy code actually doesn't cause any harm, because in the case of
+KVP_OP_SET, the unexpected fall-through corrupts
+message->body.kvp_set.data.key_size, but that is not really used: see
+the definition of struct hv_kvp_exchg_msg_value.
+
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Cc: K. Y. Srinivasan <kys@microsoft.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/hv_kvp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/hv/hv_kvp.c
++++ b/drivers/hv/hv_kvp.c
+@@ -336,7 +336,6 @@ static void process_ib_ipinfo(void *in_m
+
+ out->body.kvp_ip_val.dhcp_enabled = in->kvp_ip_val.dhcp_enabled;
+
+- default:
+ utf16s_to_utf8s((wchar_t *)in->kvp_ip_val.adapter_id,
+ MAX_ADAPTER_ID_SIZE,
+ UTF16_LITTLE_ENDIAN,
+@@ -389,7 +388,7 @@ kvp_send_key(struct work_struct *dummy)
+ process_ib_ipinfo(in_msg, message, KVP_OP_SET_IP_INFO);
+ break;
+ case KVP_OP_GET_IP_INFO:
+- process_ib_ipinfo(in_msg, message, KVP_OP_GET_IP_INFO);
++ /* We only need to pass on message->kvp_hdr.operation. */
+ break;
+ case KVP_OP_SET:
+ switch (in_msg->body.kvp_set.data.value_type) {
+@@ -429,6 +428,9 @@ kvp_send_key(struct work_struct *dummy)
+ break;
+
+ }
++
++ break;
++
+ case KVP_OP_GET:
+ message->body.kvp_set.data.key_size =
+ utf16s_to_utf8s(
--- /dev/null
+From 625ef8a3acd111d5f496d190baf99d1a815bd03e Mon Sep 17 00:00:00 2001
+From: Lukas Czerner <lczerner@redhat.com>
+Date: Tue, 2 Oct 2018 21:18:45 -0400
+Subject: ext4: initialize retries variable in ext4_da_write_inline_data_begin()
+
+From: Lukas Czerner <lczerner@redhat.com>
+
+commit 625ef8a3acd111d5f496d190baf99d1a815bd03e upstream.
+
+Variable retries is not initialized in ext4_da_write_inline_data_begin()
+which can lead to nondeterministic number of retries in case we hit
+ENOSPC. Initialize retries to zero as we do everywhere else.
+
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Fixes: bc0ca9df3b2a ("ext4: retry allocation when inline->extent conversion failed")
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inline.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -859,7 +859,7 @@ int ext4_da_write_inline_data_begin(stru
+ handle_t *handle;
+ struct page *page;
+ struct ext4_iloc iloc;
+- int retries;
++ int retries = 0;
+
+ ret = ext4_get_inode_loc(inode, &iloc);
+ if (ret)
--- /dev/null
+From 746a923b863a1065ef77324e1e43f19b1a3eab5c Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 18 Oct 2018 15:15:05 +0200
+Subject: genirq: Fix race on spurious interrupt detection
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 746a923b863a1065ef77324e1e43f19b1a3eab5c upstream.
+
+Commit 1e77d0a1ed74 ("genirq: Sanitize spurious interrupt detection of
+threaded irqs") made detection of spurious interrupts work for threaded
+handlers by:
+
+a) incrementing a counter every time the thread returns IRQ_HANDLED, and
+b) checking whether that counter has increased every time the thread is
+ woken.
+
+However for oneshot interrupts, the commit unmasks the interrupt before
+incrementing the counter. If another interrupt occurs right after
+unmasking but before the counter is incremented, that interrupt is
+incorrectly considered spurious:
+
+time
+ | irq_thread()
+ | irq_thread_fn()
+ | action->thread_fn()
+ | irq_finalize_oneshot()
+ | unmask_threaded_irq() /* interrupt is unmasked */
+ |
+ | /* interrupt fires, incorrectly deemed spurious */
+ |
+ | atomic_inc(&desc->threads_handled); /* counter is incremented */
+ v
+
+This is observed with a hi3110 CAN controller receiving data at high volume
+(from a separate machine sending with "cangen -g 0 -i -x"): The controller
+signals a huge number of interrupts (hundreds of millions per day) and
+every second there are about a dozen which are deemed spurious.
+
+In theory with high CPU load and the presence of higher priority tasks, the
+number of incorrectly detected spurious interrupts might increase beyond
+the 99,900 threshold and cause disablement of the interrupt.
+
+In practice it just increments the spurious interrupt count. But that can
+cause people to waste time investigating it over and over.
+
+Fix it by moving the accounting before the invocation of
+irq_finalize_oneshot().
+
+[ tglx: Folded change log update ]
+
+Fixes: 1e77d0a1ed74 ("genirq: Sanitize spurious interrupt detection of threaded irqs")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Mathias Duckeck <m.duckeck@kunbus.de>
+Cc: Akshay Bhat <akshay.bhat@timesys.com>
+Cc: Casey Fitzpatrick <casey.fitzpatrick@timesys.com>
+Cc: stable@vger.kernel.org # v3.16+
+Link: https://lkml.kernel.org/r/1dfd8bbd16163940648045495e3e9698e63b50ad.1539867047.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/irq/manage.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -864,6 +864,9 @@ irq_forced_thread_fn(struct irq_desc *de
+
+ local_bh_disable();
+ ret = action->thread_fn(action->irq, action->dev_id);
++ if (ret == IRQ_HANDLED)
++ atomic_inc(&desc->threads_handled);
++
+ irq_finalize_oneshot(desc, action);
+ local_bh_enable();
+ return ret;
+@@ -880,6 +883,9 @@ static irqreturn_t irq_thread_fn(struct
+ irqreturn_t ret;
+
+ ret = action->thread_fn(action->irq, action->dev_id);
++ if (ret == IRQ_HANDLED)
++ atomic_inc(&desc->threads_handled);
++
+ irq_finalize_oneshot(desc, action);
+ return ret;
+ }
+@@ -957,8 +963,6 @@ static int irq_thread(void *data)
+ irq_thread_check_affinity(desc, action);
+
+ action_ret = handler_fn(desc, action);
+- if (action_ret == IRQ_HANDLED)
+- atomic_inc(&desc->threads_handled);
+ if (action_ret == IRQ_WAKE_THREAD)
+ irq_wake_secondary(desc, action);
+
--- /dev/null
+From 3df629d873f8683af6f0d34dfc743f637966d483 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 13 Oct 2018 00:19:13 -0400
+Subject: gfs2_meta: ->mount() can get NULL dev_name
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 3df629d873f8683af6f0d34dfc743f637966d483 upstream.
+
+get in sync with mount_bdev() handling of the same
+
+Reported-by: syzbot+c54f8e94e6bba03b04e9@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/ops_fstype.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/gfs2/ops_fstype.c
++++ b/fs/gfs2/ops_fstype.c
+@@ -1353,6 +1353,9 @@ static struct dentry *gfs2_mount_meta(st
+ struct path path;
+ int error;
+
++ if (!dev_name || !*dev_name)
++ return ERR_PTR(-EINVAL);
++
+ error = kern_path(dev_name, LOOKUP_FOLLOW, &path);
+ if (error) {
+ pr_warn("path_lookup on %s returned error %d\n",
--- /dev/null
+From f11274396a538b31bc010f782e05c2ce3f804c13 Mon Sep 17 00:00:00 2001
+From: Breno Leitao <leitao@debian.org>
+Date: Fri, 19 Oct 2018 17:01:33 -0300
+Subject: HID: hiddev: fix potential Spectre v1
+
+From: Breno Leitao <leitao@debian.org>
+
+commit f11274396a538b31bc010f782e05c2ce3f804c13 upstream.
+
+uref->usage_index can be indirectly controlled by userspace, hence leading
+to a potential exploitation of the Spectre variant 1 vulnerability.
+
+This field is used as an array index by the hiddev_ioctl_usage() function,
+when 'cmd' is either HIDIOCGCOLLECTIONINDEX, HIDIOCGUSAGES or
+HIDIOCSUSAGES.
+
+For cmd == HIDIOCGCOLLECTIONINDEX case, uref->usage_index is compared to
+field->maxusage and then used as an index to dereference field->usage
+array. The same thing happens to the cmd == HIDIOC{G,S}USAGES cases, where
+uref->usage_index is checked against an array maximum value and then it is
+used as an index in an array.
+
+This is a summary of the HIDIOCGCOLLECTIONINDEX case, which matches the
+traditional Spectre V1 first load:
+
+ copy_from_user(uref, user_arg, sizeof(*uref))
+ if (uref->usage_index >= field->maxusage)
+ goto inval;
+ i = field->usage[uref->usage_index].collection_index;
+ return i;
+
+This patch fixes this by sanitizing field uref->usage_index before using it
+to index field->usage (HIDIOCGCOLLECTIONINDEX) or field->value in
+HIDIOC{G,S}USAGES arrays, thus, avoiding speculation in the first load.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Breno Leitao <leitao@debian.org>
+v2: Contemplate cmd == HIDIOC{G,S}USAGES case
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/usbhid/hiddev.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/usbhid/hiddev.c
++++ b/drivers/hid/usbhid/hiddev.c
+@@ -521,14 +521,24 @@ static noinline int hiddev_ioctl_usage(s
+ if (cmd == HIDIOCGCOLLECTIONINDEX) {
+ if (uref->usage_index >= field->maxusage)
+ goto inval;
++ uref->usage_index =
++ array_index_nospec(uref->usage_index,
++ field->maxusage);
+ } else if (uref->usage_index >= field->report_count)
+ goto inval;
+ }
+
+- if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
+- (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
+- uref->usage_index + uref_multi->num_values > field->report_count))
+- goto inval;
++ if (cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) {
++ if (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
++ uref->usage_index + uref_multi->num_values >
++ field->report_count)
++ goto inval;
++
++ uref->usage_index =
++ array_index_nospec(uref->usage_index,
++ field->report_count -
++ uref_multi->num_values);
++ }
+
+ switch (cmd) {
+ case HIDIOCGUSAGE:
--- /dev/null
+From 22146c3ce98962436e401f7b7016a6f664c9ffb5 Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Fri, 26 Oct 2018 15:10:58 -0700
+Subject: hugetlbfs: dirty pages as they are added to pagecache
+
+From: Mike Kravetz <mike.kravetz@oracle.com>
+
+commit 22146c3ce98962436e401f7b7016a6f664c9ffb5 upstream.
+
+Some test systems were experiencing negative huge page reserve counts and
+incorrect file block counts. This was traced to /proc/sys/vm/drop_caches
+removing clean pages from hugetlbfs file pagecaches. When non-hugetlbfs
+explicit code removes the pages, the appropriate accounting is not
+performed.
+
+This can be recreated as follows:
+ fallocate -l 2M /dev/hugepages/foo
+ echo 1 > /proc/sys/vm/drop_caches
+ fallocate -l 2M /dev/hugepages/foo
+ grep -i huge /proc/meminfo
+ AnonHugePages: 0 kB
+ ShmemHugePages: 0 kB
+ HugePages_Total: 2048
+ HugePages_Free: 2047
+ HugePages_Rsvd: 18446744073709551615
+ HugePages_Surp: 0
+ Hugepagesize: 2048 kB
+ Hugetlb: 4194304 kB
+ ls -lsh /dev/hugepages/foo
+ 4.0M -rw-r--r--. 1 root root 2.0M Oct 17 20:05 /dev/hugepages/foo
+
+To address this issue, dirty pages as they are added to pagecache. This
+can easily be reproduced with fallocate as shown above. Read faulted
+pages will eventually end up being marked dirty. But there is a window
+where they are clean and could be impacted by code such as drop_caches.
+So, just dirty them all as they are added to the pagecache.
+
+Link: http://lkml.kernel.org/r/b5be45b8-5afe-56cd-9482-28384699a049@oracle.com
+Fixes: 6bda666a03f0 ("hugepages: fold find_or_alloc_pages into huge_no_page()")
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Acked-by: Mihcla Hocko <mhocko@suse.com>
+Reviewed-by: Khalid Aziz <khalid.aziz@oracle.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: "Aneesh Kumar K . V" <aneesh.kumar@linux.vnet.ibm.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/hugetlb.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -3537,6 +3537,12 @@ int huge_add_to_page_cache(struct page *
+ return err;
+ ClearPagePrivate(page);
+
++ /*
++ * set page dirty so that it will not be removed from cache/file
++ * by non-hugetlbfs specific code paths.
++ */
++ set_page_dirty(page);
++
+ spin_lock(&inode->i_lock);
+ inode->i_blocks += blocks_per_huge_page(h);
+ spin_unlock(&inode->i_lock);
--- /dev/null
+From bc1b45326223e7e890053cf6266357adfa61942d Mon Sep 17 00:00:00 2001
+From: Eugen Hristev <eugen.hristev@microchip.com>
+Date: Mon, 24 Sep 2018 10:51:43 +0300
+Subject: iio: adc: at91: fix acking DRDY irq on simple conversions
+
+From: Eugen Hristev <eugen.hristev@microchip.com>
+
+commit bc1b45326223e7e890053cf6266357adfa61942d upstream.
+
+When doing simple conversions, the driver did not acknowledge the DRDY irq.
+If this irq status is not acked, it will be left pending, and as soon as a
+trigger is enabled, the irq handler will be called, it doesn't know why
+this status has occurred because no channel is pending, and then it will go
+int a irq loop and board will hang.
+To avoid this situation, read the LCDR after a raw conversion is done.
+
+Fixes: 0e589d5fb ("ARM: AT91: IIO: Add AT91 ADC driver.")
+Cc: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/at91_adc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/adc/at91_adc.c
++++ b/drivers/iio/adc/at91_adc.c
+@@ -276,6 +276,8 @@ static void handle_adc_eoc_trigger(int i
+ iio_trigger_poll(idev->trig);
+ } else {
+ st->last_value = at91_adc_readl(st, AT91_ADC_CHAN(st, st->chnb));
++ /* Needed to ACK the DRDY interruption */
++ at91_adc_readl(st, AT91_ADC_LCDR);
+ st->done = true;
+ wake_up_interruptible(&st->wq_data_avail);
+ }
--- /dev/null
+From aea835f2dc8a682942b859179c49ad1841a6c8b9 Mon Sep 17 00:00:00 2001
+From: Eugen Hristev <eugen.hristev@microchip.com>
+Date: Mon, 24 Sep 2018 10:51:44 +0300
+Subject: iio: adc: at91: fix wrong channel number in triggered buffer mode
+
+From: Eugen Hristev <eugen.hristev@microchip.com>
+
+commit aea835f2dc8a682942b859179c49ad1841a6c8b9 upstream.
+
+When channels are registered, the hardware channel number is not the
+actual iio channel number.
+This is because the driver is probed with a certain number of accessible
+channels. Some pins are routed and some not, depending on the description of
+the board in the DT.
+Because of that, channels 0,1,2,3 can correspond to hardware channels
+2,3,4,5 for example.
+In the buffered triggered case, we need to do the translation accordingly.
+Fixed the channel number to stop reading the wrong channel.
+
+Fixes: 0e589d5fb ("ARM: AT91: IIO: Add AT91 ADC driver.")
+Cc: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/at91_adc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/at91_adc.c
++++ b/drivers/iio/adc/at91_adc.c
+@@ -245,12 +245,14 @@ static irqreturn_t at91_adc_trigger_hand
+ struct iio_poll_func *pf = p;
+ struct iio_dev *idev = pf->indio_dev;
+ struct at91_adc_state *st = iio_priv(idev);
++ struct iio_chan_spec const *chan;
+ int i, j = 0;
+
+ for (i = 0; i < idev->masklength; i++) {
+ if (!test_bit(i, idev->active_scan_mask))
+ continue;
+- st->buffer[j] = at91_adc_readl(st, AT91_ADC_CHAN(st, i));
++ chan = idev->channels + i;
++ st->buffer[j] = at91_adc_readl(st, AT91_ADC_CHAN(st, chan->channel));
+ j++;
+ }
+
--- /dev/null
+From 1e4c8dafbb6bf72fb5eca035b861e39c5896c2b7 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 7 Sep 2018 14:33:24 -0700
+Subject: ima: fix showing large 'violations' or 'runtime_measurements_count'
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 1e4c8dafbb6bf72fb5eca035b861e39c5896c2b7 upstream.
+
+The 12 character temporary buffer is not necessarily long enough to hold
+a 'long' value. Increase it.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/ima/ima_fs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/security/integrity/ima/ima_fs.c
++++ b/security/integrity/ima/ima_fs.c
+@@ -26,14 +26,14 @@
+ #include "ima.h"
+
+ static int valid_policy = 1;
+-#define TMPBUFLEN 12
++
+ static ssize_t ima_show_htable_value(char __user *buf, size_t count,
+ loff_t *ppos, atomic_long_t *val)
+ {
+- char tmpbuf[TMPBUFLEN];
++ char tmpbuf[32]; /* greater than largest 'long' string value */
+ ssize_t len;
+
+- len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
++ len = scnprintf(tmpbuf, sizeof(tmpbuf), "%li\n", atomic_long_read(val));
+ return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
+ }
+
--- /dev/null
+From ccd3c4373eacb044eb3832966299d13d2631f66f Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 5 Oct 2018 18:44:40 -0400
+Subject: jbd2: fix use after free in jbd2_log_do_checkpoint()
+
+From: Jan Kara <jack@suse.cz>
+
+commit ccd3c4373eacb044eb3832966299d13d2631f66f upstream.
+
+The code cleaning transaction's lists of checkpoint buffers has a bug
+where it increases bh refcount only after releasing
+journal->j_list_lock. Thus the following race is possible:
+
+CPU0 CPU1
+jbd2_log_do_checkpoint()
+ jbd2_journal_try_to_free_buffers()
+ __journal_try_to_free_buffer(bh)
+ ...
+ while (transaction->t_checkpoint_io_list)
+ ...
+ if (buffer_locked(bh)) {
+
+<-- IO completes now, buffer gets unlocked -->
+
+ spin_unlock(&journal->j_list_lock);
+ spin_lock(&journal->j_list_lock);
+ __jbd2_journal_remove_checkpoint(jh);
+ spin_unlock(&journal->j_list_lock);
+ try_to_free_buffers(page);
+ get_bh(bh) <-- accesses freed bh
+
+Fix the problem by grabbing bh reference before unlocking
+journal->j_list_lock.
+
+Fixes: dc6e8d669cf5 ("jbd2: don't call get_bh() before calling __jbd2_journal_remove_checkpoint()")
+Fixes: be1158cc615f ("jbd2: fold __process_buffer() into jbd2_log_do_checkpoint()")
+Reported-by: syzbot+7f4a27091759e2fe7453@syzkaller.appspotmail.com
+CC: stable@vger.kernel.org
+Reviewed-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/checkpoint.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/jbd2/checkpoint.c
++++ b/fs/jbd2/checkpoint.c
+@@ -254,8 +254,8 @@ restart:
+ bh = jh2bh(jh);
+
+ if (buffer_locked(bh)) {
+- spin_unlock(&journal->j_list_lock);
+ get_bh(bh);
++ spin_unlock(&journal->j_list_lock);
+ wait_on_buffer(bh);
+ /* the journal_head may have gone by now */
+ BUFFER_TRACE(bh, "brelse");
+@@ -336,8 +336,8 @@ restart2:
+ jh = transaction->t_checkpoint_io_list;
+ bh = jh2bh(jh);
+ if (buffer_locked(bh)) {
+- spin_unlock(&journal->j_list_lock);
+ get_bh(bh);
++ spin_unlock(&journal->j_list_lock);
+ wait_on_buffer(bh);
+ /* the journal_head may have gone by now */
+ BUFFER_TRACE(bh, "brelse");
--- /dev/null
+From 6a32c2469c3fbfee8f25bcd20af647326650a6cf Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 30 Oct 2018 15:07:32 -0700
+Subject: kbuild: fix kernel/bounds.c 'W=1' warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 6a32c2469c3fbfee8f25bcd20af647326650a6cf upstream.
+
+Building any configuration with 'make W=1' produces a warning:
+
+kernel/bounds.c:16:6: warning: no previous prototype for 'foo' [-Wmissing-prototypes]
+
+When also passing -Werror, this prevents us from building any other files.
+Nobody ever calls the function, but we can't make it 'static' either
+since we want the compiler output.
+
+Calling it 'main' instead however avoids the warning, because gcc
+does not insist on having a declaration for main.
+
+Link: http://lkml.kernel.org/r/20181005083313.2088252-1-arnd@arndb.de
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reported-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Cc: David Laight <David.Laight@ACULAB.COM>
+Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/bounds.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/bounds.c
++++ b/kernel/bounds.c
+@@ -12,7 +12,7 @@
+ #include <linux/log2.h>
+ #include <linux/spinlock_types.h>
+
+-void foo(void)
++int main(void)
+ {
+ /* The enum constants to put into include/generated/bounds.h */
+ DEFINE(NR_PAGEFLAGS, __NR_PAGEFLAGS);
+@@ -22,4 +22,6 @@ void foo(void)
+ #endif
+ DEFINE(SPINLOCK_SIZE, sizeof(spinlock_t));
+ /* End of constants */
++
++ return 0;
+ }
--- /dev/null
+From b6eae0f61db27748606cc00dafcfd1e2c032f0a5 Mon Sep 17 00:00:00 2001
+From: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+Date: Tue, 25 Sep 2018 13:53:02 -0700
+Subject: libnvdimm: Hold reference on parent while scheduling async init
+
+From: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+
+commit b6eae0f61db27748606cc00dafcfd1e2c032f0a5 upstream.
+
+Unlike asynchronous initialization in the core we have not yet associated
+the device with the parent, and as such the device doesn't hold a reference
+to the parent.
+
+In order to resolve that we should be holding a reference on the parent
+until the asynchronous initialization has completed.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 4d88a97aa9e8 ("libnvdimm: ...base ... infrastructure")
+Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/bus.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/nvdimm/bus.c
++++ b/drivers/nvdimm/bus.c
+@@ -158,6 +158,8 @@ static void nd_async_device_register(voi
+ put_device(dev);
+ }
+ put_device(dev);
++ if (dev->parent)
++ put_device(dev->parent);
+ }
+
+ static void nd_async_device_unregister(void *d, async_cookie_t cookie)
+@@ -175,6 +177,8 @@ static void nd_async_device_unregister(v
+ void __nd_device_register(struct device *dev)
+ {
+ dev->bus = &nvdimm_bus_type;
++ if (dev->parent)
++ get_device(dev->parent);
+ get_device(dev);
+ async_schedule_domain(nd_async_device_register, dev,
+ &nd_async_domain);
--- /dev/null
+From 076ed3da0c9b2f88d9157dbe7044a45641ae369e Mon Sep 17 00:00:00 2001
+From: Stefan Nuernberger <snu@amazon.com>
+Date: Mon, 17 Sep 2018 19:46:53 +0200
+Subject: net/ipv4: defensive cipso option parsing
+
+From: Stefan Nuernberger <snu@amazon.com>
+
+commit 076ed3da0c9b2f88d9157dbe7044a45641ae369e upstream.
+
+commit 40413955ee26 ("Cipso: cipso_v4_optptr enter infinite loop") fixed
+a possible infinite loop in the IP option parsing of CIPSO. The fix
+assumes that ip_options_compile filtered out all zero length options and
+that no other one-byte options beside IPOPT_END and IPOPT_NOOP exist.
+While this assumption currently holds true, add explicit checks for zero
+length and invalid length options to be safe for the future. Even though
+ip_options_compile should have validated the options, the introduction of
+new one-byte options can still confuse this code without the additional
+checks.
+
+Signed-off-by: Stefan Nuernberger <snu@amazon.com>
+Cc: David Woodhouse <dwmw@amazon.co.uk>
+Cc: Simon Veith <sveith@amazon.de>
+Cc: stable@vger.kernel.org
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/cipso_ipv4.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1582,7 +1582,7 @@ static int cipso_v4_parsetag_loc(const s
+ *
+ * Description:
+ * Parse the packet's IP header looking for a CIPSO option. Returns a pointer
+- * to the start of the CIPSO option on success, NULL if one if not found.
++ * to the start of the CIPSO option on success, NULL if one is not found.
+ *
+ */
+ unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
+@@ -1592,10 +1592,8 @@ unsigned char *cipso_v4_optptr(const str
+ int optlen;
+ int taglen;
+
+- for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
++ for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 1; ) {
+ switch (optptr[0]) {
+- case IPOPT_CIPSO:
+- return optptr;
+ case IPOPT_END:
+ return NULL;
+ case IPOPT_NOOP:
+@@ -1604,6 +1602,11 @@ unsigned char *cipso_v4_optptr(const str
+ default:
+ taglen = optptr[1];
+ }
++ if (!taglen || taglen > optlen)
++ return NULL;
++ if (optptr[0] == IPOPT_CIPSO)
++ return optptr;
++
+ optlen -= taglen;
+ optptr += taglen;
+ }
--- /dev/null
+From d0c9606b31a21028fb5b753c8ad79626292accfd Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 26 Sep 2018 08:14:01 -0700
+Subject: PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk
+
+From: Bin Meng <bmeng.cn@gmail.com>
+
+commit d0c9606b31a21028fb5b753c8ad79626292accfd upstream.
+
+Add Device IDs to the Intel GPU "spurious interrupt" quirk table.
+
+For these devices, unplugging the VGA cable and plugging it in again causes
+spurious interrupts from the IGD. Linux eventually disables the interrupt,
+but of course that disables any other devices sharing the interrupt.
+
+The theory is that this is a VGA BIOS defect: it should have disabled the
+IGD interrupt but failed to do so.
+
+See f67fd55fa96f ("PCI: Add quirk for still enabled interrupts on Intel
+Sandy Bridge GPUs") and 7c82126a94e6 ("PCI: Add new ID for Intel GPU
+"spurious interrupt" quirk") for some history.
+
+[bhelgaas: See link below for discussion about how to fix this more
+generically instead of adding device IDs for every new Intel GPU. I hope
+this is the last patch to add device IDs.]
+
+Link: https://lore.kernel.org/linux-pci/1537974841-29928-1-git-send-email-bmeng.cn@gmail.com
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+[bhelgaas: changelog]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # v3.4+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/quirks.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -3061,7 +3061,11 @@ static void disable_igfx_irq(struct pci_
+
+ pci_iounmap(dev, regs);
+ }
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0042, disable_igfx_irq);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0046, disable_igfx_irq);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x004a, disable_igfx_irq);
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0102, disable_igfx_irq);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0106, disable_igfx_irq);
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x010a, disable_igfx_irq);
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0152, disable_igfx_irq);
+
--- /dev/null
+From 277fcdb2cfee38ccdbe07e705dbd4896ba0c9930 Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he@windriver.com>
+Date: Sun, 30 Sep 2018 00:45:50 +0800
+Subject: printk: Fix panic caused by passing log_buf_len to command line
+
+From: He Zhe <zhe.he@windriver.com>
+
+commit 277fcdb2cfee38ccdbe07e705dbd4896ba0c9930 upstream.
+
+log_buf_len_setup does not check input argument before passing it to
+simple_strtoull. The argument would be a NULL pointer if "log_buf_len",
+without its value, is set in command line and thus causes the following
+panic.
+
+PANIC: early exception 0xe3 IP 10:ffffffffaaeacd0d error 0 cr2 0x0
+[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.0-rc4-yocto-standard+ #1
+[ 0.000000] RIP: 0010:_parse_integer_fixup_radix+0xd/0x70
+...
+[ 0.000000] Call Trace:
+[ 0.000000] simple_strtoull+0x29/0x70
+[ 0.000000] memparse+0x26/0x90
+[ 0.000000] log_buf_len_setup+0x17/0x22
+[ 0.000000] do_early_param+0x57/0x8e
+[ 0.000000] parse_args+0x208/0x320
+[ 0.000000] ? rdinit_setup+0x30/0x30
+[ 0.000000] parse_early_options+0x29/0x2d
+[ 0.000000] ? rdinit_setup+0x30/0x30
+[ 0.000000] parse_early_param+0x36/0x4d
+[ 0.000000] setup_arch+0x336/0x99e
+[ 0.000000] start_kernel+0x6f/0x4ee
+[ 0.000000] x86_64_start_reservations+0x24/0x26
+[ 0.000000] x86_64_start_kernel+0x6f/0x72
+[ 0.000000] secondary_startup_64+0xa4/0xb0
+
+This patch adds a check to prevent the panic.
+
+Link: http://lkml.kernel.org/r/1538239553-81805-1-git-send-email-zhe.he@windriver.com
+Cc: stable@vger.kernel.org
+Cc: rostedt@goodmis.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/printk/printk.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -881,7 +881,12 @@ static void __init log_buf_len_update(un
+ /* save requested log_buf_len since it's too early to process it */
+ static int __init log_buf_len_setup(char *str)
+ {
+- unsigned size = memparse(str, &str);
++ unsigned int size;
++
++ if (!str)
++ return -EINVAL;
++
++ size = memparse(str, &str);
+
+ log_buf_len_update(size);
+
signal-always-deliver-the-kernel-s-sigkill-and-sigstop-to-a-pid-namespace-init.patch
dmaengine-dma-jz4780-return-error-if-not-probed-from-dt.patch
alsa-hda-check-the-non-cached-stream-buffers-more-explicitly.patch
+xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch
+tpm-restore-functionality-to-xen-vtpm-driver.patch
+xen-fix-race-in-xen_qlock_wait.patch
+xen-make-xen_qlock_wait-nestable.patch
+net-ipv4-defensive-cipso-option-parsing.patch
+libnvdimm-hold-reference-on-parent-while-scheduling-async-init.patch
+asoc-sta32x-set-component-pointer-in-private-struct.patch
+jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch
+gfs2_meta-mount-can-get-null-dev_name.patch
+ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch
+hid-hiddev-fix-potential-spectre-v1.patch
+pci-add-device-ids-for-intel-gpu-spurious-interrupt-quirk.patch
+signal-genwqe-fix-sending-of-sigkill.patch
+crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch
+ima-fix-showing-large-violations-or-runtime_measurements_count.patch
+hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch
+kbuild-fix-kernel-bounds.c-w-1-warning.patch
+iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch
+iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch
+drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch
+w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch
+smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch
+smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch
+smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch
+printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch
+genirq-fix-race-on-spurious-interrupt-detection.patch
--- /dev/null
+From 0ab93e9c99f8208c0a1a7b7170c827936268c996 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Thu, 13 Sep 2018 11:28:01 +0200
+Subject: signal/GenWQE: Fix sending of SIGKILL
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit 0ab93e9c99f8208c0a1a7b7170c827936268c996 upstream.
+
+The genweq_add_file and genwqe_del_file by caching current without
+using reference counting embed the assumption that a file descriptor
+will never be passed from one process to another. It even embeds the
+assumption that the the thread that opened the file will be in
+existence when the process terminates. Neither of which are
+guaranteed to be true.
+
+Therefore replace caching the task_struct of the opener with
+pid of the openers thread group id. All the knowledge of the
+opener is used for is as the target of SIGKILL and a SIGKILL
+will kill the entire process group.
+
+Rename genwqe_force_sig to genwqe_terminate, remove it's unncessary
+signal argument, update it's ownly caller, and use kill_pid
+instead of force_sig.
+
+The work force_sig does in changing signal handling state is not
+relevant to SIGKILL sent as SEND_SIG_PRIV. The exact same processess
+will be killed just with less work, and less confusion. The work done
+by force_sig is really only needed for handling syncrhonous
+exceptions.
+
+It will still be possible to cause genwqe_device_remove to wait
+8 seconds by passing a file descriptor to another process but
+the possible user after free is fixed.
+
+Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
+Cc: stable@vger.kernel.org
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Frank Haverkamp <haver@linux.vnet.ibm.com>
+Cc: Joerg-Stephan Vogt <jsvogt@de.ibm.com>
+Cc: Michael Jung <mijung@gmx.net>
+Cc: Michael Ruettger <michael@ibmra.de>
+Cc: Kleber Sacilotto de Souza <klebers@linux.vnet.ibm.com>
+Cc: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Cc: Eberhard S. Amann <esa@linux.vnet.ibm.com>
+Cc: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
+Cc: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/genwqe/card_base.h | 2 +-
+ drivers/misc/genwqe/card_dev.c | 9 +++++----
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/misc/genwqe/card_base.h
++++ b/drivers/misc/genwqe/card_base.h
+@@ -404,7 +404,7 @@ struct genwqe_file {
+ struct file *filp;
+
+ struct fasync_struct *async_queue;
+- struct task_struct *owner;
++ struct pid *opener;
+ struct list_head list; /* entry in list of open files */
+
+ spinlock_t map_lock; /* lock for dma_mappings */
+--- a/drivers/misc/genwqe/card_dev.c
++++ b/drivers/misc/genwqe/card_dev.c
+@@ -52,7 +52,7 @@ static void genwqe_add_file(struct genwq
+ {
+ unsigned long flags;
+
+- cfile->owner = current;
++ cfile->opener = get_pid(task_tgid(current));
+ spin_lock_irqsave(&cd->file_lock, flags);
+ list_add(&cfile->list, &cd->file_list);
+ spin_unlock_irqrestore(&cd->file_lock, flags);
+@@ -65,6 +65,7 @@ static int genwqe_del_file(struct genwqe
+ spin_lock_irqsave(&cd->file_lock, flags);
+ list_del(&cfile->list);
+ spin_unlock_irqrestore(&cd->file_lock, flags);
++ put_pid(cfile->opener);
+
+ return 0;
+ }
+@@ -275,7 +276,7 @@ static int genwqe_kill_fasync(struct gen
+ return files;
+ }
+
+-static int genwqe_force_sig(struct genwqe_dev *cd, int sig)
++static int genwqe_terminate(struct genwqe_dev *cd)
+ {
+ unsigned int files = 0;
+ unsigned long flags;
+@@ -283,7 +284,7 @@ static int genwqe_force_sig(struct genwq
+
+ spin_lock_irqsave(&cd->file_lock, flags);
+ list_for_each_entry(cfile, &cd->file_list, list) {
+- force_sig(sig, cfile->owner);
++ kill_pid(cfile->opener, SIGKILL, 1);
+ files++;
+ }
+ spin_unlock_irqrestore(&cd->file_lock, flags);
+@@ -1356,7 +1357,7 @@ static int genwqe_inform_and_stop_proces
+ dev_warn(&pci_dev->dev,
+ "[%s] send SIGKILL and wait ...\n", __func__);
+
+- rc = genwqe_force_sig(cd, SIGKILL); /* force terminate */
++ rc = genwqe_terminate(cd);
+ if (rc) {
+ /* Give kill_timout more seconds to end processes */
+ for (i = 0; (i < genwqe_kill_timeout) &&
--- /dev/null
+From 2c887635cd6ab3af619dc2be94e5bf8f2e172b78 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Sat, 15 Sep 2018 23:04:41 -0500
+Subject: smb3: allow stats which track session and share reconnects to be reset
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 2c887635cd6ab3af619dc2be94e5bf8f2e172b78 upstream.
+
+Currently, "echo 0 > /proc/fs/cifs/Stats" resets all of the stats
+except the session and share reconnect counts. Fix it to
+reset those as well.
+
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifs_debug.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/cifs/cifs_debug.c
++++ b/fs/cifs/cifs_debug.c
+@@ -285,6 +285,9 @@ static ssize_t cifs_stats_proc_write(str
+ atomic_set(&totBufAllocCount, 0);
+ atomic_set(&totSmBufAllocCount, 0);
+ #endif /* CONFIG_CIFS_STATS2 */
++ atomic_set(&tcpSesReconnectCount, 0);
++ atomic_set(&tconInfoReconnectCount, 0);
++
+ spin_lock(&GlobalMid_Lock);
+ GlobalMaxActiveXid = 0;
+ GlobalCurrentXid = 0;
--- /dev/null
+From 1e77a8c204c9d1b655c61751b8ad0fde22421dbb Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Fri, 19 Oct 2018 00:45:21 -0500
+Subject: smb3: do not attempt cifs operation in smb3 query info error path
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 1e77a8c204c9d1b655c61751b8ad0fde22421dbb upstream.
+
+If backupuid mount option is sent, we can incorrectly retry
+(on access denied on query info) with a cifs (FindFirst) operation
+on an smb3 mount which causes the server to force the session close.
+
+We set backup intent on open so no need for this fallback.
+
+See kernel bugzilla 201435
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/inode.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -756,7 +756,15 @@ cifs_get_inode_info(struct inode **inode
+ } else if (rc == -EREMOTE) {
+ cifs_create_dfs_fattr(&fattr, sb);
+ rc = 0;
+- } else if (rc == -EACCES && backup_cred(cifs_sb)) {
++ } else if ((rc == -EACCES) && backup_cred(cifs_sb) &&
++ (strcmp(server->vals->version_string, SMB1_VERSION_STRING)
++ == 0)) {
++ /*
++ * For SMB2 and later the backup intent flag is already
++ * sent if needed on open and there is no path based
++ * FindFirst operation to use to retry with
++ */
++
+ srchinf = kzalloc(sizeof(struct cifs_search_info),
+ GFP_KERNEL);
+ if (srchinf == NULL) {
--- /dev/null
+From 926674de6705f0f1dbf29a62fd758d0977f535d6 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Sun, 28 Oct 2018 13:13:23 -0500
+Subject: smb3: on kerberos mount if server doesn't specify auth type use krb5
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 926674de6705f0f1dbf29a62fd758d0977f535d6 upstream.
+
+Some servers (e.g. Azure) do not include a spnego blob in the SMB3
+negotiate protocol response, so on kerberos mounts ("sec=krb5")
+we can fail, as we expected the server to list its supported
+auth types (OIDs in the spnego blob in the negprot response).
+Change this so that on krb5 mounts we default to trying krb5 if the
+server doesn't list its supported protocol mechanisms.
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifs_spnego.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/cifs_spnego.c
++++ b/fs/cifs/cifs_spnego.c
+@@ -143,8 +143,10 @@ cifs_get_spnego_key(struct cifs_ses *ses
+ sprintf(dp, ";sec=krb5");
+ else if (server->sec_mskerberos)
+ sprintf(dp, ";sec=mskrb5");
+- else
+- goto out;
++ else {
++ cifs_dbg(VFS, "unknown or missing server auth type, use krb5\n");
++ sprintf(dp, ";sec=krb5");
++ }
+
+ dp = description + strlen(description);
+ sprintf(dp, ";uid=0x%x",
--- /dev/null
+From e487a0f52301293152a6f8c4e217f2a11dd808e3 Mon Sep 17 00:00:00 2001
+From: "Dr. Greg Wettstein" <greg@wind.enjellic.com>
+Date: Mon, 17 Sep 2018 18:53:33 -0400
+Subject: tpm: Restore functionality to xen vtpm driver.
+
+From: Dr. Greg Wettstein <greg@wind.enjellic.com>
+
+commit e487a0f52301293152a6f8c4e217f2a11dd808e3 upstream.
+
+Functionality of the xen-tpmfront driver was lost secondary to
+the introduction of xenbus multi-page support in commit ccc9d90a9a8b
+("xenbus_client: Extend interface to support multi-page ring").
+
+In this commit pointer to location of where the shared page address
+is stored was being passed to the xenbus_grant_ring() function rather
+then the address of the shared page itself. This resulted in a situation
+where the driver would attach to the vtpm-stubdom but any attempt
+to send a command to the stub domain would timeout.
+
+A diagnostic finding for this regression is the following error
+message being generated when the xen-tpmfront driver probes for a
+device:
+
+<3>vtpm vtpm-0: tpm_transmit: tpm_send: error -62
+
+<3>vtpm vtpm-0: A TPM error (-62) occurred attempting to determine
+the timeouts
+
+This fix is relevant to all kernels from 4.1 forward which is the
+release in which multi-page xenbus support was introduced.
+
+Daniel De Graaf formulated the fix by code inspection after the
+regression point was located.
+
+Fixes: ccc9d90a9a8b ("xenbus_client: Extend interface to support multi-page ring")
+Signed-off-by: Dr. Greg Wettstein <greg@enjellic.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[boris: Updated commit message, added Fixes tag]
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: stable@vger.kernel.org # v4.1+
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+
+---
+ drivers/char/tpm/xen-tpmfront.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/xen-tpmfront.c
++++ b/drivers/char/tpm/xen-tpmfront.c
+@@ -201,7 +201,7 @@ static int setup_ring(struct xenbus_devi
+ return -ENOMEM;
+ }
+
+- rv = xenbus_grant_ring(dev, &priv->shr, 1, &gref);
++ rv = xenbus_grant_ring(dev, priv->shr, 1, &gref);
+ if (rv < 0)
+ return rv;
+
--- /dev/null
+From a007734618fee1bf35556c04fa498d41d42c7301 Mon Sep 17 00:00:00 2001
+From: Andreas Kemnade <andreas@kemnade.info>
+Date: Sat, 22 Sep 2018 21:20:54 +0200
+Subject: w1: omap-hdq: fix missing bus unregister at removal
+
+From: Andreas Kemnade <andreas@kemnade.info>
+
+commit a007734618fee1bf35556c04fa498d41d42c7301 upstream.
+
+The bus master was not removed after unloading the module
+or unbinding the driver. That lead to oopses like this
+
+[ 127.842987] Unable to handle kernel paging request at virtual address bf01d04c
+[ 127.850646] pgd = 70e3cd9a
+[ 127.853698] [bf01d04c] *pgd=8f908811, *pte=00000000, *ppte=00000000
+[ 127.860412] Internal error: Oops: 80000007 [#1] PREEMPT SMP ARM
+[ 127.866668] Modules linked in: bq27xxx_battery overlay [last unloaded: omap_hdq]
+[ 127.874542] CPU: 0 PID: 1022 Comm: w1_bus_master1 Not tainted 4.19.0-rc4-00001-g2d51da718324 #12
+[ 127.883819] Hardware name: Generic OMAP36xx (Flattened Device Tree)
+[ 127.890441] PC is at 0xbf01d04c
+[ 127.893798] LR is at w1_search_process_cb+0x4c/0xfc
+[ 127.898956] pc : [<bf01d04c>] lr : [<c05f9580>] psr: a0070013
+[ 127.905609] sp : cf885f48 ip : bf01d04c fp : ddf1e11c
+[ 127.911132] r10: cf8fe040 r9 : c05f8d00 r8 : cf8fe040
+[ 127.916656] r7 : 000000f0 r6 : cf8fe02c r5 : cf8fe000 r4 : cf8fe01c
+[ 127.923553] r3 : c05f8d00 r2 : 000000f0 r1 : cf8fe000 r0 : dde1ef10
+[ 127.930450] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+[ 127.938018] Control: 10c5387d Table: 8f8f0019 DAC: 00000051
+[ 127.944091] Process w1_bus_master1 (pid: 1022, stack limit = 0x9135699f)
+[ 127.951171] Stack: (0xcf885f48 to 0xcf886000)
+[ 127.955810] 5f40: cf8fe000 00000000 cf884000 cf8fe090 000003e8 c05f8d00
+[ 127.964477] 5f60: dde5fc34 c05f9700 ddf1e100 ddf1e540 cf884000 cf8fe000 c05f9694 00000000
+[ 127.973114] 5f80: dde5fc34 c01499a4 00000000 ddf1e540 c0149874 00000000 00000000 00000000
+[ 127.981781] 5fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000
+[ 127.990447] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[ 127.999114] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
+[ 128.007781] [<c05f9580>] (w1_search_process_cb) from [<c05f9700>] (w1_process+0x6c/0x118)
+[ 128.016479] [<c05f9700>] (w1_process) from [<c01499a4>] (kthread+0x130/0x148)
+[ 128.024047] [<c01499a4>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
+[ 128.031677] Exception stack(0xcf885fb0 to 0xcf885ff8)
+[ 128.037017] 5fa0: 00000000 00000000 00000000 00000000
+[ 128.045684] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[ 128.054351] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+[ 128.061340] Code: bad PC value
+[ 128.064697] ---[ end trace af066e33c0e14119 ]---
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/w1/masters/omap_hdq.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/w1/masters/omap_hdq.c
++++ b/drivers/w1/masters/omap_hdq.c
+@@ -785,6 +785,8 @@ static int omap_hdq_remove(struct platfo
+ /* remove module dependency */
+ pm_runtime_disable(&pdev->dev);
+
++ w1_remove_master_device(&omap_w1_master);
++
+ return 0;
+ }
+
--- /dev/null
+From 2ac2a7d4d9ff4e01e36f9c3d116582f6f655ab47 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Mon, 1 Oct 2018 07:57:42 +0200
+Subject: xen: fix race in xen_qlock_wait()
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 2ac2a7d4d9ff4e01e36f9c3d116582f6f655ab47 upstream.
+
+In the following situation a vcpu waiting for a lock might not be
+woken up from xen_poll_irq():
+
+CPU 1: CPU 2: CPU 3:
+takes a spinlock
+ tries to get lock
+ -> xen_qlock_wait()
+frees the lock
+-> xen_qlock_kick(cpu2)
+ -> xen_clear_irq_pending()
+
+takes lock again
+ tries to get lock
+ -> *lock = _Q_SLOW_VAL
+ -> *lock == _Q_SLOW_VAL ?
+ -> xen_poll_irq()
+frees the lock
+-> xen_qlock_kick(cpu3)
+
+And cpu 2 will sleep forever.
+
+This can be avoided easily by modifying xen_qlock_wait() to call
+xen_poll_irq() only if the related irq was not pending and to call
+xen_clear_irq_pending() only if it was pending.
+
+Cc: stable@vger.kernel.org
+Cc: Waiman.Long@hp.com
+Cc: peterz@infradead.org
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/xen/spinlock.c | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/xen/spinlock.c
++++ b/arch/x86/xen/spinlock.c
+@@ -47,17 +47,12 @@ static void xen_qlock_wait(u8 *byte, u8
+ if (irq == -1)
+ return;
+
+- /* clear pending */
+- xen_clear_irq_pending(irq);
+- barrier();
++ /* If irq pending already clear it and return. */
++ if (xen_test_irq_pending(irq)) {
++ xen_clear_irq_pending(irq);
++ return;
++ }
+
+- /*
+- * We check the byte value after clearing pending IRQ to make sure
+- * that we won't miss a wakeup event because of the clearing.
+- *
+- * The sync_clear_bit() call in xen_clear_irq_pending() is atomic.
+- * So it is effectively a memory barrier for x86.
+- */
+ if (READ_ONCE(*byte) != val)
+ return;
+
--- /dev/null
+From a856531951dc8094359dfdac21d59cee5969c18e Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Mon, 1 Oct 2018 07:57:42 +0200
+Subject: xen: make xen_qlock_wait() nestable
+
+From: Juergen Gross <jgross@suse.com>
+
+commit a856531951dc8094359dfdac21d59cee5969c18e upstream.
+
+xen_qlock_wait() isn't safe for nested calls due to interrupts. A call
+of xen_qlock_kick() might be ignored in case a deeper nesting level
+was active right before the call of xen_poll_irq():
+
+CPU 1: CPU 2:
+spin_lock(lock1)
+ spin_lock(lock1)
+ -> xen_qlock_wait()
+ -> xen_clear_irq_pending()
+ Interrupt happens
+spin_unlock(lock1)
+-> xen_qlock_kick(CPU 2)
+spin_lock_irqsave(lock2)
+ spin_lock_irqsave(lock2)
+ -> xen_qlock_wait()
+ -> xen_clear_irq_pending()
+ clears kick for lock1
+ -> xen_poll_irq()
+spin_unlock_irq_restore(lock2)
+-> xen_qlock_kick(CPU 2)
+ wakes up
+ spin_unlock_irq_restore(lock2)
+ IRET
+ resumes in xen_qlock_wait()
+ -> xen_poll_irq()
+ never wakes up
+
+The solution is to disable interrupts in xen_qlock_wait() and not to
+poll for the irq in case xen_qlock_wait() is called in nmi context.
+
+Cc: stable@vger.kernel.org
+Cc: Waiman.Long@hp.com
+Cc: peterz@infradead.org
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/xen/spinlock.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+--- a/arch/x86/xen/spinlock.c
++++ b/arch/x86/xen/spinlock.c
+@@ -41,29 +41,25 @@ static void xen_qlock_kick(int cpu)
+ */
+ static void xen_qlock_wait(u8 *byte, u8 val)
+ {
++ unsigned long flags;
+ int irq = __this_cpu_read(lock_kicker_irq);
+
+ /* If kicker interrupts not initialized yet, just spin */
+- if (irq == -1)
++ if (irq == -1 || in_nmi())
+ return;
+
+- /* If irq pending already clear it and return. */
++ /* Guard against reentry. */
++ local_irq_save(flags);
++
++ /* If irq pending already clear it. */
+ if (xen_test_irq_pending(irq)) {
+ xen_clear_irq_pending(irq);
+- return;
++ } else if (READ_ONCE(*byte) == val) {
++ /* Block until irq becomes pending (or a spurious wakeup) */
++ xen_poll_irq(irq);
+ }
+
+- if (READ_ONCE(*byte) != val)
+- return;
+-
+- /*
+- * If an interrupt happens here, it will leave the wakeup irq
+- * pending, which will cause xen_poll_irq() to return
+- * immediately.
+- */
+-
+- /* Block until irq becomes pending (or perhaps a spurious wakeup) */
+- xen_poll_irq(irq);
++ local_irq_restore(flags);
+ }
+
+ #else /* CONFIG_QUEUED_SPINLOCKS */
--- /dev/null
+From 7250f422da0480d8512b756640f131b9b893ccda Mon Sep 17 00:00:00 2001
+From: Joe Jin <joe.jin@oracle.com>
+Date: Tue, 16 Oct 2018 15:21:16 -0700
+Subject: xen-swiotlb: use actually allocated size on check physical continuous
+
+From: Joe Jin <joe.jin@oracle.com>
+
+commit 7250f422da0480d8512b756640f131b9b893ccda upstream.
+
+xen_swiotlb_{alloc,free}_coherent() allocate/free memory based on the
+order of the pages and not size argument (bytes). This is inconsistent with
+range_straddles_page_boundary and memset which use the 'size' value,
+which may lead to not exchanging memory with Xen (range_straddles_page_boundary()
+returned true). And then the call to xen_swiotlb_free_coherent() would
+actually try to exchange the memory with Xen, leading to the kernel
+hitting an BUG (as the hypercall returned an error).
+
+This patch fixes it by making the 'size' variable be of the same size
+as the amount of memory allocated.
+
+CC: stable@vger.kernel.org
+Signed-off-by: Joe Jin <joe.jin@oracle.com>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Christoph Helwig <hch@lst.de>
+Cc: Dongli Zhang <dongli.zhang@oracle.com>
+Cc: John Sobecki <john.sobecki@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/swiotlb-xen.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -310,6 +310,9 @@ xen_swiotlb_alloc_coherent(struct device
+ */
+ flags &= ~(__GFP_DMA | __GFP_HIGHMEM);
+
++ /* Convert the size to actually allocated. */
++ size = 1UL << (order + XEN_PAGE_SHIFT);
++
+ /* On ARM this function returns an ioremap'ped virtual address for
+ * which virt_to_phys doesn't return the corresponding physical
+ * address. In fact on ARM virt_to_phys only works for kernel direct
+@@ -359,6 +362,9 @@ xen_swiotlb_free_coherent(struct device
+ * physical address */
+ phys = xen_bus_to_phys(dev_addr);
+
++ /* Convert the size to actually allocated. */
++ size = 1UL << (order + XEN_PAGE_SHIFT);
++
+ if (((dev_addr + size - 1 <= dma_mask)) ||
+ range_straddles_page_boundary(phys, size))
+ xen_destroy_contiguous_region(phys, order);
projects / thirdparty / kernel / stable-queue.git / commitdiff
