patches for 4.14
authorSasha Levin <sashal@kernel.org>
Sat, 22 Dec 2018 01:26:37 +0000 (20:26 -0500)
committerSasha Levin <sashal@kernel.org>
Sat, 22 Dec 2018 01:26:37 +0000 (20:26 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.14/asoc-sta32x-set-component-pointer-in-private-struct.patch [new file with mode: 0644]
queue-4.14/block-break-discard-submissions-into-the-user-define.patch [new file with mode: 0644]
queue-4.14/block-fix-infinite-loop-if-the-device-loses-discard-.patch [new file with mode: 0644]
queue-4.14/cifs-integer-overflow-in-in-smb2_ioctl.patch [new file with mode: 0644]
queue-4.14/ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch [new file with mode: 0644]
queue-4.14/perf-record-synthesize-features-before-events-in-pip.patch [new file with mode: 0644]
queue-4.14/series [new file with mode: 0644]
queue-4.14/ubifs-fix-directory-size-calculation-for-symlinks.patch [new file with mode: 0644]

diff --git a/queue-4.14/asoc-sta32x-set-component-pointer-in-private-struct.patch b/queue-4.14/asoc-sta32x-set-component-pointer-in-private-struct.patch
new file mode 100644 (file)
index 0000000..b1bbde1
--- /dev/null
@@ -0,0 +1,41 @@
+From fed69888831c62f15713f25e890e41967a912518 Mon Sep 17 00:00:00 2001
+From: Daniel Mack <daniel@zonque.org>
+Date: Thu, 11 Oct 2018 20:32:05 +0200
+Subject: ASoC: sta32x: set ->component pointer in private struct
+
+commit 747df19747bc9752cd40b9cce761e17a033aa5c2 upstream
+
+The ESD watchdog code in sta32x_watchdog() dereferences the pointer
+which is never assigned.
+
+This is a regression from a1be4cead9b950 ("ASoC: sta32x: Convert to direct
+regmap API usage.") which went unnoticed since nobody seems to use that ESD
+workaround.
+
+Fixes: a1be4cead9b950 ("ASoC: sta32x: Convert to direct regmap API usage.")
+Signed-off-by: Daniel Mack <daniel@zonque.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/sta32x.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/codecs/sta32x.c b/sound/soc/codecs/sta32x.c
+index 5b888476d9ff..b728140c79a9 100644
+--- a/sound/soc/codecs/sta32x.c
++++ b/sound/soc/codecs/sta32x.c
+@@ -879,6 +879,9 @@ static int sta32x_probe(struct snd_soc_codec *codec)
+       struct sta32x_priv *sta32x = snd_soc_codec_get_drvdata(codec);
+       struct sta32x_platform_data *pdata = sta32x->pdata;
+       int i, ret = 0, thermal = 0;
++
++      sta32x->codec = codec;
++
+       ret = regulator_bulk_enable(ARRAY_SIZE(sta32x->supplies),
+                                   sta32x->supplies);
+       if (ret != 0) {
+-- 
+2.19.1
+
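Review bot: The subject and changelog speak of the `->component` pointer, but the line this backport adds in sta32x_probe() is `sta32x->codec = codec;`, so the text no longer matches the code. A one-line backport note in the changelog, such as `[4.14: the private struct field is ->codec, not ->component]`, would let a later reader match this patch to the upstream commit without guessing. The probe function continues outside the hunk, so whether anything can read the field before this assignment cannot be checked from here.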
diff --git a/queue-4.14/block-break-discard-submissions-into-the-user-define.patch b/queue-4.14/block-break-discard-submissions-into-the-user-define.patch
new file mode 100644 (file)
index 0000000..89dea70
--- /dev/null
@@ -0,0 +1,45 @@
+From 5a00f191357bd8e890ffd5e89b3cda9669b283b9 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Tue, 8 May 2018 15:09:41 -0600
+Subject: block: break discard submissions into the user defined size
+
+[ Upstream commit af097f5d199e2aa3ab3ef777f0716e487b8f7b08 ]
+
+Don't build discards bigger than what the user asked for, if the
+user decided to limit the size by writing to 'discard_max_bytes'.
+
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-lib.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/block/blk-lib.c b/block/blk-lib.c
+index 2bc544ce3d2e..53a45663e688 100644
+--- a/block/blk-lib.c
++++ b/block/blk-lib.c
+@@ -59,10 +59,16 @@ int __blkdev_issue_discard(struct block_device *bdev, sector_t sector,
+               unsigned int req_sects;
+               sector_t end_sect, tmp;
+-              /* Make sure bi_size doesn't overflow */
+-              req_sects = min_t(sector_t, nr_sects, UINT_MAX >> 9);
++              /*
++               * Issue in chunks of the user defined max discard setting,
++               * ensuring that bi_size doesn't overflow
++               */
++              req_sects = min_t(sector_t, nr_sects,
++                                      q->limits.max_discard_sectors);
++              if (req_sects > UINT_MAX >> 9)
++                      req_sects = UINT_MAX >> 9;
+-              /**
++              /*
+                * If splitting a request, and the next starting sector would be
+                * misaligned, stop the discard at the previous aligned sector.
+                */
+-- 
+2.19.1
+
diff --git a/queue-4.14/block-fix-infinite-loop-if-the-device-loses-discard-.patch b/queue-4.14/block-fix-infinite-loop-if-the-device-loses-discard-.patch
new file mode 100644 (file)
index 0000000..ecde0e2
--- /dev/null
@@ -0,0 +1,55 @@
+From e272ad9ad5704fd33041f49e21cfc96bf26859a9 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 3 Jul 2018 13:34:22 -0400
+Subject: block: fix infinite loop if the device loses discard capability
+
+[ Upstream commit b88aef36b87c9787a4db724923ec4f57dfd513f3 ]
+
+If __blkdev_issue_discard is in progress and a device mapper device is
+reloaded with a table that doesn't support discard,
+q->limits.max_discard_sectors is set to zero. This results in infinite
+loop in __blkdev_issue_discard.
+
+This patch checks if max_discard_sectors is zero and aborts with
+-EOPNOTSUPP.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Tested-by: Zdenek Kabelac <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-lib.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/block/blk-lib.c b/block/blk-lib.c
+index 53a45663e688..0bdc77888dc5 100644
+--- a/block/blk-lib.c
++++ b/block/blk-lib.c
+@@ -65,6 +65,8 @@ int __blkdev_issue_discard(struct block_device *bdev, sector_t sector,
+                */
+               req_sects = min_t(sector_t, nr_sects,
+                                       q->limits.max_discard_sectors);
++              if (!req_sects)
++                      goto fail;
+               if (req_sects > UINT_MAX >> 9)
+                       req_sects = UINT_MAX >> 9;
+@@ -102,6 +104,14 @@ int __blkdev_issue_discard(struct block_device *bdev, sector_t sector,
+       *biop = bio;
+       return 0;
++
++fail:
++      if (bio) {
++              submit_bio_wait(bio);
++              bio_put(bio);
++      }
++      *biop = NULL;
++      return -EOPNOTSUPP;
+ }
+ EXPORT_SYMBOL(__blkdev_issue_discard);
+-- 
+2.19.1
+
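Review bot: The new `fail:` path discards the return value of `submit_bio_wait(bio)`, so an I/O error from discards chained before the limit dropped to zero reaches the caller as -EOPNOTSUPP. If that masking is intended, it deserves a comment above the `if (bio)` block, for example `/* Flush the bios chained so far; their status is deliberately dropped in favour of -EOPNOTSUPP. */`. It would also help to say there that the caller gets `*biop = NULL` and therefore cannot wait on the chain itself. The discard loop of __blkdev_issue_discard() lies between the two inner hunks and is not visible, so the state of `bio` on entry to `fail:` is inferred from the `if (bio)` guard.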
diff --git a/queue-4.14/cifs-integer-overflow-in-in-smb2_ioctl.patch b/queue-4.14/cifs-integer-overflow-in-in-smb2_ioctl.patch
new file mode 100644 (file)
index 0000000..9a6238a
--- /dev/null
@@ -0,0 +1,46 @@
+From 7383229f1bd7910f79ff73721fab7dd6e32a74fa Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 10 Sep 2018 14:12:07 +0300
+Subject: cifs: integer overflow in in SMB2_ioctl()
+
+commit 2d204ee9d671327915260071c19350d84344e096 upstream
+
+The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and
+wrap around to a smaller value which looks like it would lead to an
+information leak.
+
+Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2pdu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index 69309538ffb8..1581e8668b09 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -2020,14 +2020,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
+       /* We check for obvious errors in the output buffer length and offset */
+       if (*plen == 0)
+               goto ioctl_exit; /* server returned no data */
+-      else if (*plen > 0xFF00) {
++      else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) {
+               cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
+               *plen = 0;
+               rc = -EIO;
+               goto ioctl_exit;
+       }
+-      if (get_rfc1002_length(rsp) < le32_to_cpu(rsp->OutputOffset) + *plen) {
++      if (get_rfc1002_length(rsp) - *plen < le32_to_cpu(rsp->OutputOffset)) {
+               cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
+                       le32_to_cpu(rsp->OutputOffset));
+               *plen = 0;
+-- 
+2.19.1
+
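Review bot: The rewritten check `get_rfc1002_length(rsp) - *plen < le32_to_cpu(rsp->OutputOffset)` moves the wrap-around risk from the addition into the subtraction, because `*plen` is bounded only by `rsp_iov.iov_len` and 0xFF00, not by `get_rfc1002_length(rsp)`. If the iov length can exceed the RFC1002 length in this tree (not visible in the hunk, please confirm), and both operands are unsigned as their use suggests, the difference wraps to a large value and a malformed response passes the check. Bounding `*plen` by the same quantity that is later subtracted from closes the gap: `else if (*plen > rsp_iov.iov_len || *plen > get_rfc1002_length(rsp) || *plen > 0xFF00) {`. SMB2_ioctl() begins and ends outside the hunk.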
diff --git a/queue-4.14/ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch b/queue-4.14/ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch
new file mode 100644 (file)
index 0000000..685f864
--- /dev/null
@@ -0,0 +1,56 @@
+From 01eed54d031486826fe26456b783c481056d41b0 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Mon, 2 Jul 2018 14:08:45 -0700
+Subject: ib_srpt: Fix a use-after-free in __srpt_close_all_ch()
+
+commit 14d15c2b278011056482eb015dff89f9cbf2b841 upstream
+
+BUG: KASAN: use-after-free in srpt_set_enabled+0x1a9/0x1e0 [ib_srpt]
+Read of size 4 at addr ffff8801269d23f8 by task check/29726
+
+CPU: 4 PID: 29726 Comm: check Not tainted 4.18.0-rc2-dbg+ #4
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+Call Trace:
+ dump_stack+0xa4/0xf5
+ print_address_description+0x6f/0x270
+ kasan_report+0x241/0x360
+ __asan_load4+0x78/0x80
+ srpt_set_enabled+0x1a9/0x1e0 [ib_srpt]
+ srpt_tpg_enable_store+0xb8/0x120 [ib_srpt]
+ configfs_write_file+0x14e/0x1d0 [configfs]
+ __vfs_write+0xd2/0x3b0
+ vfs_write+0x101/0x270
+ ksys_write+0xab/0x120
+ __x64_sys_write+0x43/0x50
+ do_syscall_64+0x77/0x230
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x7f235cfe6154
+
+Fixes: aaf45bd83eba ("IB/srpt: Detect session shutdown reliably")
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
+index 60105ba77889..47f3f562d86f 100644
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -1775,8 +1775,8 @@ static void __srpt_close_all_ch(struct srpt_device *sdev)
+       list_for_each_entry(ch, &sdev->rch_list, list) {
+               if (srpt_disconnect_ch(ch) >= 0)
+-                      pr_info("Closing channel %s-%d because target %s has been disabled\n",
+-                              ch->sess_name, ch->qp->qp_num,
++                      pr_info("Closing channel %s because target %s has been disabled\n",
++                              ch->sess_name,
+                               sdev->device->name);
+               srpt_close_ch(ch);
+       }
+-- 
+2.19.1
+
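Review bot: Nothing in the new code or the changelog says why `ch->qp` must not be dereferenced in this loop, so `qp_num` could easily be added back to the message in a later cleanup. The KASAN report shows the read under srpt_set_enabled(), presumably through this loop being inlined, which suggests the queue pair can already be gone while the channel is still on `rch_list`. A comment above the pr_info() would record that: `/* ch->qp may already have been destroyed here; log only ch->sess_name. */`. The object lifetime is an inference from the trace and should be confirmed against the rest of the driver, which is outside this hunk.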
diff --git a/queue-4.14/perf-record-synthesize-features-before-events-in-pip.patch b/queue-4.14/perf-record-synthesize-features-before-events-in-pip.patch
new file mode 100644 (file)
index 0000000..548936b
--- /dev/null
@@ -0,0 +1,62 @@
+From ed953fc889a5d818dc5c0914dea42b17955ba4cc Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Wed, 14 Mar 2018 10:22:04 +0100
+Subject: perf record: Synthesize features before events in pipe mode
+
+[ Upstream commit a2015516c5c0be932a69e1d3405c2fb03b4eacf1 ]
+
+We need to synthesize events first, because some features works on top
+of them (on report side).
+
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Tested-by: Stephane Eranian <eranian@google.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20180314092205.23291-1-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-record.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c
+index b205c1340456..5e53cafe6cf9 100644
+--- a/tools/perf/builtin-record.c
++++ b/tools/perf/builtin-record.c
+@@ -800,13 +800,10 @@ static int record__synthesize(struct record *rec, bool tail)
+               return 0;
+       if (file->is_pipe) {
+-              err = perf_event__synthesize_features(
+-                      tool, session, rec->evlist, process_synthesized_event);
+-              if (err < 0) {
+-                      pr_err("Couldn't synthesize features.\n");
+-                      return err;
+-              }
+-
++              /*
++               * We need to synthesize events first, because some
++               * features works on top of them (on report side).
++               */
+               err = perf_event__synthesize_attrs(tool, session,
+                                                  process_synthesized_event);
+               if (err < 0) {
+@@ -814,6 +811,13 @@ static int record__synthesize(struct record *rec, bool tail)
+                       goto out;
+               }
++              err = perf_event__synthesize_features(tool, session, rec->evlist,
++                                                    process_synthesized_event);
++              if (err < 0) {
++                      pr_err("Couldn't synthesize features.\n");
++                      return err;
++              }
++
+               if (have_tracepoints(&rec->evlist->entries)) {
+                       /*
+                        * FIXME err <= 0 here actually means that
+-- 
+2.19.1
+
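Review bot: The relocated features block exits through `return err;` while the attrs failure branch directly above it uses `goto out;`, so two adjacent error paths in record__synthesize() now leave the function differently. A plain return was unremarkable while the block sat at the top of the pipe branch; after the move it should follow its neighbour, with `goto out;` in place of `return err;`. What the `out` label does is outside the hunk, so this is raised as a consistency point rather than as a missed cleanup.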
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644 (file)
index 0000000..5b54399
--- /dev/null
@@ -0,0 +1,7 @@
+block-break-discard-submissions-into-the-user-define.patch
+block-fix-infinite-loop-if-the-device-loses-discard-.patch
+asoc-sta32x-set-component-pointer-in-private-struct.patch
+ubifs-fix-directory-size-calculation-for-symlinks.patch
+ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch
+perf-record-synthesize-features-before-events-in-pip.patch
+cifs-integer-overflow-in-in-smb2_ioctl.patch
diff --git a/queue-4.14/ubifs-fix-directory-size-calculation-for-symlinks.patch b/queue-4.14/ubifs-fix-directory-size-calculation-for-symlinks.patch
new file mode 100644 (file)
index 0000000..d1b4f0d
--- /dev/null
@@ -0,0 +1,44 @@
+From beb7d7fa2ad93076c29c868730e867579a3508fd Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Mon, 11 Jun 2018 23:41:09 +0200
+Subject: ubifs: Fix directory size calculation for symlinks
+
+commit 00ee8b60102862f4daf0814d12a2ea2744fc0b9b upstream
+
+We have to account the name of the symlink and not the target length.
+
+Fixes: ca7f85be8d6c ("ubifs: Add support for encrypted symlinks")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/dir.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
+index ef820f803176..4e6e32c0c08a 100644
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -1147,8 +1147,7 @@ static int ubifs_symlink(struct inode *dir, struct dentry *dentry,
+       struct ubifs_inode *ui;
+       struct ubifs_inode *dir_ui = ubifs_inode(dir);
+       struct ubifs_info *c = dir->i_sb->s_fs_info;
+-      int err, len = strlen(symname);
+-      int sz_change = CALC_DENT_SIZE(len);
++      int err, sz_change, len = strlen(symname);
+       struct fscrypt_str disk_link = FSTR_INIT((char *)symname, len + 1);
+       struct fscrypt_symlink_data *sd = NULL;
+       struct ubifs_budget_req req = { .new_ino = 1, .new_dent = 1,
+@@ -1189,6 +1188,8 @@ static int ubifs_symlink(struct inode *dir, struct dentry *dentry,
+       if (err)
+               goto out_budg;
++      sz_change = CALC_DENT_SIZE(fname_len(&nm));
++
+       inode = ubifs_new_inode(c, dir, S_IFLNK | S_IRWXUGO);
+       if (IS_ERR(inode)) {
+               err = PTR_ERR(inode);
+-- 
+2.19.1
+
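Review bot: `sz_change` loses its initializer in the declaration and is assigned only after the `goto out_budg` check, so every cleanup label that adjusts the directory size must be reachable only after that assignment. The labels of ubifs_symlink() are outside the hunk, so this cannot be confirmed here; a label reached earlier would read an uninitialized int. A comment at the assignment would record why the value moved: `/* Directory size accounts for the entry name (nm), not the symlink target. */`.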