--- /dev/null
+From 90cd45c81685630a708da8336462eebbab95de8d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 9 Apr 2019 18:04:17 +0200
+Subject: ALSA: seq: Fix race of get-subscription call vs port-delete ioctls
+
+[ Upstream commit 2eabc5ec8ab4d4748a82050dfcb994119b983750 ]
+
+The snd_seq_ioctl_get_subscription() retrieves the port subscriber
+information as a pointer, while the object isn't protected, hence it
+may be deleted before the actual reference. This race was spotted by
+syzkaller and may lead to a UAF.
+
+The fix is simply copying the data in the lookup function that
+performs in the rwsem to protect against the deletion.
+
+Reported-by: syzbot+9437020c82413d00222d@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_clientmgr.c | 10 ++--------
+ sound/core/seq/seq_ports.c | 13 ++++++++-----
+ sound/core/seq/seq_ports.h | 5 +++--
+ 3 files changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index 3b1b2e9fb33e..881c965555c5 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1905,20 +1905,14 @@ static int snd_seq_ioctl_get_subscription(struct snd_seq_client *client,
+ int result;
+ struct snd_seq_client *sender = NULL;
+ struct snd_seq_client_port *sport = NULL;
+- struct snd_seq_subscribers *p;
+
+ result = -EINVAL;
+ if ((sender = snd_seq_client_use_ptr(subs->sender.client)) == NULL)
+ goto __end;
+ if ((sport = snd_seq_port_use_ptr(sender, subs->sender.port)) == NULL)
+ goto __end;
+- p = snd_seq_port_get_subscription(&sport->c_src, &subs->dest);
+- if (p) {
+- result = 0;
+- *subs = p->info;
+- } else
+- result = -ENOENT;
+-
++ result = snd_seq_port_get_subscription(&sport->c_src, &subs->dest,
++ subs);
+ __end:
+ if (sport)
+ snd_seq_port_unlock(sport);
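Review bot: The new call passes `&subs->dest` as the lookup key and `subs` as the output buffer, so the key aliases the structure that snd_seq_port_get_subscription() overwrites. That is safe with the callee shown in this patch, because the copy happens only after addr_match() succeeds and the loop breaks straight away, but nothing at the call site says so. A one-line comment above the call, `/* key aliases *subs; the callee copies only after the match and then stops */`, would keep a later change to the loop from reading a clobbered key. The function body starts and ends outside this hunk.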
+diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c
+index a42e2ce4a726..9cfe4fcee9a5 100644
+--- a/sound/core/seq/seq_ports.c
++++ b/sound/core/seq/seq_ports.c
+@@ -635,20 +635,23 @@ int snd_seq_port_disconnect(struct snd_seq_client *connector,
+
+
+ /* get matched subscriber */
+-struct snd_seq_subscribers *snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp,
+- struct snd_seq_addr *dest_addr)
++int snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp,
++ struct snd_seq_addr *dest_addr,
++ struct snd_seq_port_subscribe *subs)
+ {
+- struct snd_seq_subscribers *s, *found = NULL;
++ struct snd_seq_subscribers *s;
++ int err = -ENOENT;
+
+ down_read(&src_grp->list_mutex);
+ list_for_each_entry(s, &src_grp->list_head, src_list) {
+ if (addr_match(dest_addr, &s->info.dest)) {
+- found = s;
++ *subs = s->info;
++ err = 0;
+ break;
+ }
+ }
+ up_read(&src_grp->list_mutex);
+- return found;
++ return err;
+ }
+
+ /*
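Review bot: The retained comment `/* get matched subscriber */` no longer describes the function, which now returns an error code and copies the entry out instead of returning a pointer. Copying inside the `down_read()`/`up_read()` section is the whole point of the fix, so the comment should say it, e.g. `/* copy the subscription matching dest_addr into *subs while holding list_mutex; returns 0 or -ENOENT */`. The same wording applies to the prototype comment in seq_ports.h.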
+diff --git a/sound/core/seq/seq_ports.h b/sound/core/seq/seq_ports.h
+index 26bd71f36c41..06003b36652e 100644
+--- a/sound/core/seq/seq_ports.h
++++ b/sound/core/seq/seq_ports.h
+@@ -135,7 +135,8 @@ int snd_seq_port_subscribe(struct snd_seq_client_port *port,
+ struct snd_seq_port_subscribe *info);
+
+ /* get matched subscriber */
+-struct snd_seq_subscribers *snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp,
+- struct snd_seq_addr *dest_addr);
++int snd_seq_port_get_subscription(struct snd_seq_port_subs_info *src_grp,
++ struct snd_seq_addr *dest_addr,
++ struct snd_seq_port_subscribe *subs);
+
+ #endif
+--
+2.20.1
+
--- /dev/null
+From f803fd6dadeea3e9c512b50031a1ae253a19c46e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 9 Apr 2019 17:35:22 +0200
+Subject: ALSA: seq: Protect in-kernel ioctl calls with mutex
+
+[ Upstream commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32 ]
+
+ALSA OSS sequencer calls the ioctl function indirectly via
+snd_seq_kernel_client_ctl(). While we already applied the protection
+against races between the normal ioctls and writes via the client's
+ioctl_mutex, this code path was left untouched. And this seems to be
+the cause of still remaining some rare UAF as spontaneously triggered
+by syzkaller.
+
+For the sake of robustness, wrap the ioctl_mutex also for the call via
+snd_seq_kernel_client_ctl(), too.
+
+Reported-by: syzbot+e4c8abb920efa77bace9@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_clientmgr.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index 09491b27092e..3b1b2e9fb33e 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -2354,14 +2354,19 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
+ {
+ const struct ioctl_handler *handler;
+ struct snd_seq_client *client;
++ int err;
+
+ client = clientptr(clientid);
+ if (client == NULL)
+ return -ENXIO;
+
+ for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
+- if (handler->cmd == cmd)
+- return handler->func(client, arg);
++ if (handler->cmd == cmd) {
++ mutex_lock(&client->ioctl_mutex);
++ err = handler->func(client, arg);
++ mutex_unlock(&client->ioctl_mutex);
++ return err;
++ }
+ }
+
+ pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
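Review bot: `mutex_lock(&client->ioctl_mutex)` is taken unconditionally around `handler->func()`, and a kernel mutex is not recursive, so any in-kernel caller that reaches snd_seq_kernel_client_ctl() while that client's ioctl_mutex is already held will deadlock. The revert queued later in this same series reports that outcome through the close of an OSS sequencer client. Because the series carries both this patch and its revert, the net change to this function is nil, and the use-after-free the description mentions still needs a separate fix on this path. The function body continues past the end of the hunk.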
+--
+2.20.1
+
--- /dev/null
+From c02767771b72c3af9348fd42a422d86326ff67e2 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Tue, 14 May 2019 14:30:06 +0530
+Subject: arm64/mm: Inhibit huge-vmap with ptdump
+
+[ Upstream commit 7ba36eccb3f83983a651efd570b4f933ecad1b5c ]
+
+The arm64 ptdump code can race with concurrent modification of the
+kernel page tables. At the time this was added, this was sound as:
+
+* Modifications to leaf entries could result in stale information being
+ logged, but would not result in a functional problem.
+
+* Boot time modifications to non-leaf entries (e.g. freeing of initmem)
+ were performed when the ptdump code cannot be invoked.
+
+* At runtime, modifications to non-leaf entries only occurred in the
+ vmalloc region, and these were strictly additive, as intermediate
+ entries were never freed.
+
+However, since commit:
+
+ commit 324420bf91f6 ("arm64: add support for ioremap() block mappings")
+
+... it has been possible to create huge mappings in the vmalloc area at
+runtime, and as part of this existing intermediate levels of table my be
+removed and freed.
+
+It's possible for the ptdump code to race with this, and continue to
+walk tables which have been freed (and potentially poisoned or
+reallocated). As a result of this, the ptdump code may dereference bogus
+addresses, which could be fatal.
+
+Since huge-vmap is a TLB and memory optimization, we can disable it when
+the runtime ptdump code is in use to avoid this problem.
+
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Fixes: 324420bf91f60582 ("arm64: add support for ioremap() block mappings")
+Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/mm/mmu.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
+index 0a56898f8410..efd65fc85238 100644
+--- a/arch/arm64/mm/mmu.c
++++ b/arch/arm64/mm/mmu.c
+@@ -765,13 +765,18 @@ void *__init fixmap_remap_fdt(phys_addr_t dt_phys)
+
+ int __init arch_ioremap_pud_supported(void)
+ {
+- /* only 4k granule supports level 1 block mappings */
+- return IS_ENABLED(CONFIG_ARM64_4K_PAGES);
++ /*
++ * Only 4k granule supports level 1 block mappings.
++ * SW table walks can't handle removal of intermediate entries.
++ */
++ return IS_ENABLED(CONFIG_ARM64_4K_PAGES) &&
++ !IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS);
+ }
+
+ int __init arch_ioremap_pmd_supported(void)
+ {
+- return 1;
++ /* See arch_ioremap_pud_supported() */
++ return !IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS);
+ }
+
+ int pud_set_huge(pud_t *pud, phys_addr_t phys, pgprot_t prot)
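Review bot: The new test in arch_ioremap_pud_supported() and arch_ioremap_pmd_supported() is a build-time one, so a kernel built with CONFIG_ARM64_PTDUMP_DEBUGFS loses huge-vmap mappings even if the debugfs file is never read, and the comment does not say that. `SW table walks can't handle removal of intermediate entries` also leaves the reader to guess which walker is meant. I would spell it out, e.g. `* The ptdump debugfs walker is not synchronised with vmalloc table teardown, so huge-vmap is disabled whenever ptdump is built in.` The body of pud_set_huge(), which begins on the hunk's last line, is not shown.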
+--
+2.20.1
+
--- /dev/null
+From 681f44c7295df6288871bba98e673c196d0c7f16 Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Fri, 12 Apr 2019 15:45:06 +0800
+Subject: Drivers: misc: fix out-of-bounds access in function
+ param_set_kgdbts_var
+
+[ Upstream commit b281218ad4311a0342a40cb02fb17a363df08b48 ]
+
+There is an out-of-bounds access to "config[len - 1]" array when the
+variable "len" is zero.
+
+See commit dada6a43b040 ("kgdboc: fix KASAN global-out-of-bounds bug
+in param_set_kgdboc_var()") for details.
+
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/kgdbts.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/misc/kgdbts.c b/drivers/misc/kgdbts.c
+index 99635dd9dbac..bb3a76ad80da 100644
+--- a/drivers/misc/kgdbts.c
++++ b/drivers/misc/kgdbts.c
+@@ -1132,7 +1132,7 @@ static void kgdbts_put_char(u8 chr)
+
+ static int param_set_kgdbts_var(const char *kmessage, struct kernel_param *kp)
+ {
+- int len = strlen(kmessage);
++ size_t len = strlen(kmessage);
+
+ if (len >= MAX_CONFIG_LEN) {
+ printk(KERN_ERR "kgdbts: config string too long\n");
+@@ -1152,7 +1152,7 @@ static int param_set_kgdbts_var(const char *kmessage, struct kernel_param *kp)
+
+ strcpy(config, kmessage);
+ /* Chop out \n char as a result of echo */
+- if (config[len - 1] == '\n')
++ if (len && config[len - 1] == '\n')
+ config[len - 1] = '\0';
+
+ /* Go and configure with the new params. */
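Review bot: `strcpy(config, kmessage)` is bounded only by the `len >= MAX_CONFIG_LEN` check in the previous hunk, roughly twenty lines earlier, and the lines between the two hunks are not shown. That holds only if `config` is at least MAX_CONFIG_LEN bytes, which is not visible here. A comment at the copy would tie the two together: `/* len < MAX_CONFIG_LEN was checked on entry, so kmessage fits in config */`.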
+--
+2.20.1
+
--- /dev/null
+From 928ef7ef0ea00fd23187f23ea566268060fe0526 Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Fri, 24 May 2019 16:06:23 +0200
+Subject: KVM: s390: fix memory slot handling for KVM_SET_USER_MEMORY_REGION
+
+[ Upstream commit 19ec166c3f39fe1d3789888a74cc95544ac266d4 ]
+
+kselftests exposed a problem in the s390 handling for memory slots.
+Right now we only do proper memory slot handling for creation of new
+memory slots. Neither MOVE, nor DELETION are handled properly. Let us
+implement those.
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kvm/kvm-s390.c | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
+index 2032ab81b2d7..07f571900676 100644
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -3288,21 +3288,28 @@ void kvm_arch_commit_memory_region(struct kvm *kvm,
+ const struct kvm_memory_slot *new,
+ enum kvm_mr_change change)
+ {
+- int rc;
+-
+- /* If the basics of the memslot do not change, we do not want
+- * to update the gmap. Every update causes several unnecessary
+- * segment translation exceptions. This is usually handled just
+- * fine by the normal fault handler + gmap, but it will also
+- * cause faults on the prefix page of running guest CPUs.
+- */
+- if (old->userspace_addr == mem->userspace_addr &&
+- old->base_gfn * PAGE_SIZE == mem->guest_phys_addr &&
+- old->npages * PAGE_SIZE == mem->memory_size)
+- return;
++ int rc = 0;
+
+- rc = gmap_map_segment(kvm->arch.gmap, mem->userspace_addr,
+- mem->guest_phys_addr, mem->memory_size);
++ switch (change) {
++ case KVM_MR_DELETE:
++ rc = gmap_unmap_segment(kvm->arch.gmap, old->base_gfn * PAGE_SIZE,
++ old->npages * PAGE_SIZE);
++ break;
++ case KVM_MR_MOVE:
++ rc = gmap_unmap_segment(kvm->arch.gmap, old->base_gfn * PAGE_SIZE,
++ old->npages * PAGE_SIZE);
++ if (rc)
++ break;
++ /* FALLTHROUGH */
++ case KVM_MR_CREATE:
++ rc = gmap_map_segment(kvm->arch.gmap, mem->userspace_addr,
++ mem->guest_phys_addr, mem->memory_size);
++ break;
++ case KVM_MR_FLAGS_ONLY:
++ break;
++ default:
++ WARN(1, "Unknown KVM MR CHANGE: %d\n", change);
++ }
+ if (rc)
+ pr_warn("failed to commit memory region\n");
+ return;
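Review bot: When `gmap_unmap_segment()` fails in the KVM_MR_DELETE or KVM_MR_MOVE case, the old guest range may stay mapped, and the only trace is the unchanged `pr_warn("failed to commit memory region\n")`, which names neither the operation nor the error. Because the function returns void, that log line is all an operator gets, so I would include both: `pr_warn("failed to commit memory region (change %d, rc %d)\n", change, rc);`. The `default:` arm also ends without a `break;`, which is harmless in the last arm but inconsistent with the others. The closing brace of the function lies outside the hunk.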
+--
+2.20.1
+
--- /dev/null
+From 1abdc7e52abb4227689ac20ac0eadff1b0454019 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 20 May 2019 17:34:30 +0200
+Subject: KVM: x86/pmu: do not mask the value that is written to fixed PMUs
+
+[ Upstream commit 2924b52117b2812e9633d5ea337333299166d373 ]
+
+According to the SDM, for MSR_IA32_PERFCTR0/1 "the lower-order 32 bits of
+each MSR may be written with any value, and the high-order 8 bits are
+sign-extended according to the value of bit 31", but the fixed counters
+in real hardware are limited to the width of the fixed counters ("bits
+beyond the width of the fixed-function counter are reserved and must be
+written as zeros"). Fix KVM to do the same.
+
+Reported-by: Nadav Amit <nadav.amit@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/pmu_intel.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kvm/pmu_intel.c b/arch/x86/kvm/pmu_intel.c
+index 5ab4a364348e..2729131fe9bf 100644
+--- a/arch/x86/kvm/pmu_intel.c
++++ b/arch/x86/kvm/pmu_intel.c
+@@ -235,11 +235,14 @@ static int intel_pmu_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ }
+ break;
+ default:
+- if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0)) ||
+- (pmc = get_fixed_pmc(pmu, msr))) {
+- if (!msr_info->host_initiated)
+- data = (s64)(s32)data;
+- pmc->counter += data - pmc_read_counter(pmc);
++ if ((pmc = get_gp_pmc(pmu, msr, MSR_IA32_PERFCTR0))) {
++ if (msr_info->host_initiated)
++ pmc->counter = data;
++ else
++ pmc->counter = (s32)data;
++ return 0;
++ } else if ((pmc = get_fixed_pmc(pmu, msr))) {
++ pmc->counter = data;
+ return 0;
+ } else if ((pmc = get_gp_pmc(pmu, msr, MSR_P6_EVNTSEL0))) {
+ if (data == pmc->eventsel)
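Review bot: Both new branches assign `pmc->counter` directly, where the removed line wrote `pmc->counter += data - pmc_read_counter(pmc)`. pmc_read_counter() is not shown here, but if it adds the count of the backing perf event to `pmc->counter`, a guest write to a running counter will read back as the written value plus whatever the event has already accumulated. Keeping the delta form after choosing the value, `pmc->counter += data - pmc_read_counter(pmc);`, would preserve the old behaviour for running counters. Separately, the fixed-counter branch stores `data` unchecked although the description quotes the SDM as requiring the bits above the counter width to be zero; a width check or mask there seems to be missing. The switch continues outside the hunk.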
+--
+2.20.1
+
--- /dev/null
+From dd03b1fee7b8410464beedaf696be7a3deec7fbd Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 11 Apr 2019 19:58:32 +0200
+Subject: Revert "ALSA: seq: Protect in-kernel ioctl calls with mutex"
+
+[ Upstream commit f0654ba94e33699b295ce4f3dc73094db6209035 ]
+
+This reverts commit feb689025fbb6f0aa6297d3ddf97de945ea4ad32.
+
+The fix attempt was incorrect, leading to the mutex deadlock through
+the close of OSS sequencer client. The proper fix needs more
+consideration, so let's revert it now.
+
+Fixes: feb689025fbb ("ALSA: seq: Protect in-kernel ioctl calls with mutex")
+Reported-by: syzbot+47ded6c0f23016cde310@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_clientmgr.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index 881c965555c5..bc6d371031fc 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -2348,19 +2348,14 @@ int snd_seq_kernel_client_ctl(int clientid, unsigned int cmd, void *arg)
+ {
+ const struct ioctl_handler *handler;
+ struct snd_seq_client *client;
+- int err;
+
+ client = clientptr(clientid);
+ if (client == NULL)
+ return -ENXIO;
+
+ for (handler = ioctl_handlers; handler->cmd > 0; ++handler) {
+- if (handler->cmd == cmd) {
+- mutex_lock(&client->ioctl_mutex);
+- err = handler->func(client, arg);
+- mutex_unlock(&client->ioctl_mutex);
+- return err;
+- }
++ if (handler->cmd == cmd)
++ return handler->func(client, arg);
+ }
+
+ pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
+--
+2.20.1
+
--- /dev/null
+From dcd64802cff863b28cf08e3ca092acb2fddf96ff Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Sat, 4 May 2019 17:48:29 +0100
+Subject: scsi: bnx2fc: fix incorrect cast to u64 on shift operation
+
+[ Upstream commit d0c0d902339249c75da85fd9257a86cbb98dfaa5 ]
+
+Currently an int is being shifted and the result is being cast to a u64
+which leads to undefined behaviour if the shift is more than 31 bits. Fix
+this by casting the integer value 1 to u64 before the shift operation.
+
+Addresses-Coverity: ("Bad shift operation")
+Fixes: 7b594769120b ("[SCSI] bnx2fc: Handle REC_TOV error code from firmware")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/bnx2fc/bnx2fc_hwi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/bnx2fc/bnx2fc_hwi.c b/drivers/scsi/bnx2fc/bnx2fc_hwi.c
+index 5ff9f89c17c7..39b2f60149d9 100644
+--- a/drivers/scsi/bnx2fc/bnx2fc_hwi.c
++++ b/drivers/scsi/bnx2fc/bnx2fc_hwi.c
+@@ -829,7 +829,7 @@ ret_err_rqe:
+ ((u64)err_entry->data.err_warn_bitmap_hi << 32) |
+ (u64)err_entry->data.err_warn_bitmap_lo;
+ for (i = 0; i < BNX2FC_NUM_ERR_BITS; i++) {
+- if (err_warn_bit_map & (u64) (1 << i)) {
++ if (err_warn_bit_map & ((u64)1 << i)) {
+ err_warn = i;
+ break;
+ }
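Review bot: `((u64)1 << i)` is correct only while `i` stays below 64, and the bound BNX2FC_NUM_ERR_BITS is defined outside this hunk. The kernel's `BIT_ULL(i)` macro states the same thing more directly: `if (err_warn_bit_map & BIT_ULL(i)) {`. A `BUILD_BUG_ON(BNX2FC_NUM_ERR_BITS > 64);` next to the loop would pin the assumption. The enclosing function starts and ends outside the hunk.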
+--
+2.20.1
+
--- /dev/null
+From 5e62b88fb9b0117108bfe19fe220b52fc220e2fd Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Mon, 6 May 2019 17:26:49 -0700
+Subject: scsi: lpfc: add check for loss of ndlp when sending RRQ
+
+[ Upstream commit c8cb261a072c88ca1aff0e804a30db4c7606521b ]
+
+There was a missing qualification of a valid ndlp structure when calling to
+send an RRQ for an abort. Add the check.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Tested-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_els.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
+index 4905455bbfc7..b5be4df05733 100644
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -6789,7 +6789,10 @@ int
+ lpfc_send_rrq(struct lpfc_hba *phba, struct lpfc_node_rrq *rrq)
+ {
+ struct lpfc_nodelist *ndlp = lpfc_findnode_did(rrq->vport,
+- rrq->nlp_DID);
++ rrq->nlp_DID);
++ if (!ndlp)
++ return 1;
++
+ if (lpfc_test_rrq_active(phba, ndlp, rrq->xritag))
+ return lpfc_issue_els_rrq(rrq->vport, ndlp,
+ rrq->nlp_DID, rrq);
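Review bot: `return 1` for a missing ndlp is a bare magic value, and what it means to callers of lpfc_send_rrq() cannot be seen from this hunk. A short comment would make the contract explicit, e.g. `/* node no longer exists; nothing to send, report failure */`, once it is confirmed that callers treat non-zero as failure. The new check also sits directly under the declaration with the blank line after it; putting the blank line between the declaration and the check reads better. The rest of the function body is outside the hunk.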
+--
+2.20.1
+
--- /dev/null
+From 9e36bd5b4bcbd8560f799bf5dac9ea8db9695c9d Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 20 May 2019 15:37:49 -0700
+Subject: selftests/timers: Add missing fflush(stdout) calls
+
+[ Upstream commit fe48319243a626c860fd666ca032daacc2ba84a5 ]
+
+When running under a pipe, some timer tests would not report output in
+real-time because stdout flushes were missing after printf()s that lacked
+a newline. This adds them to restore real-time status output that humans
+can enjoy.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/timers/adjtick.c | 1 +
+ tools/testing/selftests/timers/leapcrash.c | 1 +
+ tools/testing/selftests/timers/mqueue-lat.c | 1 +
+ tools/testing/selftests/timers/nanosleep.c | 1 +
+ tools/testing/selftests/timers/nsleep-lat.c | 1 +
+ tools/testing/selftests/timers/raw_skew.c | 1 +
+ tools/testing/selftests/timers/set-tai.c | 1 +
+ tools/testing/selftests/timers/set-tz.c | 2 ++
+ tools/testing/selftests/timers/threadtest.c | 1 +
+ tools/testing/selftests/timers/valid-adjtimex.c | 2 ++
+ 10 files changed, 12 insertions(+)
+
+diff --git a/tools/testing/selftests/timers/adjtick.c b/tools/testing/selftests/timers/adjtick.c
+index 9887fd538fec..91316ab4b041 100644
+--- a/tools/testing/selftests/timers/adjtick.c
++++ b/tools/testing/selftests/timers/adjtick.c
+@@ -147,6 +147,7 @@ int check_tick_adj(long tickval)
+
+ eppm = get_ppm_drift();
+ printf("%lld usec, %lld ppm", systick + (systick * eppm / MILLION), eppm);
++ fflush(stdout);
+
+ tx1.modes = 0;
+ adjtimex(&tx1);
+diff --git a/tools/testing/selftests/timers/leapcrash.c b/tools/testing/selftests/timers/leapcrash.c
+index a1071bdbdeb7..a77c70b47495 100644
+--- a/tools/testing/selftests/timers/leapcrash.c
++++ b/tools/testing/selftests/timers/leapcrash.c
+@@ -114,6 +114,7 @@ int main(void)
+ }
+ clear_time_state();
+ printf(".");
++ fflush(stdout);
+ }
+ printf("[OK]\n");
+ return ksft_exit_pass();
+diff --git a/tools/testing/selftests/timers/mqueue-lat.c b/tools/testing/selftests/timers/mqueue-lat.c
+index a2a3924d0b41..efdb62470052 100644
+--- a/tools/testing/selftests/timers/mqueue-lat.c
++++ b/tools/testing/selftests/timers/mqueue-lat.c
+@@ -113,6 +113,7 @@ int main(int argc, char **argv)
+ int ret;
+
+ printf("Mqueue latency : ");
++ fflush(stdout);
+
+ ret = mqueue_lat_test();
+ if (ret < 0) {
+diff --git a/tools/testing/selftests/timers/nanosleep.c b/tools/testing/selftests/timers/nanosleep.c
+index ff942ff7c9b3..2e6e94c02a33 100644
+--- a/tools/testing/selftests/timers/nanosleep.c
++++ b/tools/testing/selftests/timers/nanosleep.c
+@@ -153,6 +153,7 @@ int main(int argc, char **argv)
+ continue;
+
+ printf("Nanosleep %-31s ", clockstring(clockid));
++ fflush(stdout);
+
+ length = 10;
+ while (length <= (NSEC_PER_SEC * 10)) {
+diff --git a/tools/testing/selftests/timers/nsleep-lat.c b/tools/testing/selftests/timers/nsleep-lat.c
+index 2d7898fda0f1..ac06cf10a5c2 100644
+--- a/tools/testing/selftests/timers/nsleep-lat.c
++++ b/tools/testing/selftests/timers/nsleep-lat.c
+@@ -166,6 +166,7 @@ int main(int argc, char **argv)
+ continue;
+
+ printf("nsleep latency %-26s ", clockstring(clockid));
++ fflush(stdout);
+
+ length = 10;
+ while (length <= (NSEC_PER_SEC * 10)) {
+diff --git a/tools/testing/selftests/timers/raw_skew.c b/tools/testing/selftests/timers/raw_skew.c
+index 0ab937a17ebb..4e631da7f956 100644
+--- a/tools/testing/selftests/timers/raw_skew.c
++++ b/tools/testing/selftests/timers/raw_skew.c
+@@ -124,6 +124,7 @@ int main(int argv, char **argc)
+ printf("WARNING: ADJ_OFFSET in progress, this will cause inaccurate results\n");
+
+ printf("Estimating clock drift: ");
++ fflush(stdout);
+ sleep(120);
+
+ get_monotonic_and_raw(&mon, &raw);
+diff --git a/tools/testing/selftests/timers/set-tai.c b/tools/testing/selftests/timers/set-tai.c
+index dc88dbc8831f..3ae76ab483de 100644
+--- a/tools/testing/selftests/timers/set-tai.c
++++ b/tools/testing/selftests/timers/set-tai.c
+@@ -66,6 +66,7 @@ int main(int argc, char **argv)
+ printf("tai offset started at %i\n", ret);
+
+ printf("Checking tai offsets can be properly set: ");
++ fflush(stdout);
+ for (i = 1; i <= 60; i++) {
+ ret = set_tai(i);
+ ret = get_tai();
+diff --git a/tools/testing/selftests/timers/set-tz.c b/tools/testing/selftests/timers/set-tz.c
+index f4184928b16b..b038131c9682 100644
+--- a/tools/testing/selftests/timers/set-tz.c
++++ b/tools/testing/selftests/timers/set-tz.c
+@@ -76,6 +76,7 @@ int main(int argc, char **argv)
+ printf("tz_minuteswest started at %i, dst at %i\n", min, dst);
+
+ printf("Checking tz_minuteswest can be properly set: ");
++ fflush(stdout);
+ for (i = -15*60; i < 15*60; i += 30) {
+ ret = set_tz(i, dst);
+ ret = get_tz_min();
+@@ -87,6 +88,7 @@ int main(int argc, char **argv)
+ printf("[OK]\n");
+
+ printf("Checking invalid tz_minuteswest values are caught: ");
++ fflush(stdout);
+
+ if (!set_tz(-15*60-1, dst)) {
+ printf("[FAILED] %i didn't return failure!\n", -15*60-1);
+diff --git a/tools/testing/selftests/timers/threadtest.c b/tools/testing/selftests/timers/threadtest.c
+index e632e116f05e..a4bf736dd842 100644
+--- a/tools/testing/selftests/timers/threadtest.c
++++ b/tools/testing/selftests/timers/threadtest.c
+@@ -175,6 +175,7 @@ int main(int argc, char **argv)
+ strftime(buf, 255, "%a, %d %b %Y %T %z", localtime(&start));
+ printf("%s\n", buf);
+ printf("Testing consistency with %i threads for %ld seconds: ", thread_count, runtime);
++ fflush(stdout);
+
+ /* spawn */
+ for (i = 0; i < thread_count; i++)
+diff --git a/tools/testing/selftests/timers/valid-adjtimex.c b/tools/testing/selftests/timers/valid-adjtimex.c
+index 60fe3c569bd9..a747645d79f4 100644
+--- a/tools/testing/selftests/timers/valid-adjtimex.c
++++ b/tools/testing/selftests/timers/valid-adjtimex.c
+@@ -134,6 +134,7 @@ int validate_freq(void)
+ /* Set the leap second insert flag */
+
+ printf("Testing ADJ_FREQ... ");
++ fflush(stdout);
+ for (i = 0; i < NUM_FREQ_VALID; i++) {
+ tx.modes = ADJ_FREQUENCY;
+ tx.freq = valid_freq[i];
+@@ -261,6 +262,7 @@ int set_bad_offset(long sec, long usec, int use_nano)
+ int validate_set_offset(void)
+ {
+ printf("Testing ADJ_SETOFFSET... ");
++ fflush(stdout);
+
+ /* Test valid values */
+ if (set_offset(NSEC_PER_SEC - 1, 1))
+--
+2.20.1
+
cgroup-use-css_tryget-instead-of-css_tryget_online-in-task_get_css.patch
asoc-cs42xx8-add-regcache-mask-dirty.patch
asoc-fsl_asrc-fix-the-issue-about-unsupported-rate.patch
+x86-uaccess-kcov-disable-stack-protector.patch
+alsa-seq-protect-in-kernel-ioctl-calls-with-mutex.patch
+alsa-seq-fix-race-of-get-subscription-call-vs-port-d.patch
+revert-alsa-seq-protect-in-kernel-ioctl-calls-with-m.patch
+drivers-misc-fix-out-of-bounds-access-in-function-pa.patch
+scsi-lpfc-add-check-for-loss-of-ndlp-when-sending-rr.patch
+arm64-mm-inhibit-huge-vmap-with-ptdump.patch
+scsi-bnx2fc-fix-incorrect-cast-to-u64-on-shift-opera.patch
+selftests-timers-add-missing-fflush-stdout-calls.patch
+usbnet-ipheth-fix-racing-condition.patch
+kvm-x86-pmu-do-not-mask-the-value-that-is-written-to.patch
+kvm-s390-fix-memory-slot-handling-for-kvm_set_user_m.patch
--- /dev/null
+From 3d109e979f72e05b3022f3a1747d9bcb079b908d Mon Sep 17 00:00:00 2001
+From: Bernd Eckstein <3erndeckstein@gmail.com>
+Date: Mon, 20 May 2019 17:31:09 +0200
+Subject: usbnet: ipheth: fix racing condition
+
+[ Upstream commit 94d250fae48e6f873d8362308f5c4d02cd1b1fd2 ]
+
+Fix a racing condition in ipheth.c that can lead to slow performance.
+
+Bug: In ipheth_tx(), netif_wake_queue() may be called on the callback
+ipheth_sndbulk_callback(), _before_ netif_stop_queue() is called.
+When this happens, the queue is stopped longer than it needs to be,
+thus reducing network performance.
+
+Fix: Move netif_stop_queue() in front of usb_submit_urb(). Now the order
+is always correct. In case, usb_submit_urb() fails, the queue is woken up
+again as callback will not fire.
+
+Testing: This racing condition is usually not noticeable, as it has to
+occur very frequently to slowdown the network. The callback from the USB
+is usually triggered slow enough, so the situation does not appear.
+However, on a Ubuntu Linux on VMWare Workstation, running on Windows 10,
+the we loose the race quite often and the following speedup can be noticed:
+
+Without this patch: Download: 4.10 Mbit/s, Upload: 4.01 Mbit/s
+With this patch: Download: 36.23 Mbit/s, Upload: 17.61 Mbit/s
+
+Signed-off-by: Oliver Zweigle <Oliver.Zweigle@faro.com>
+Signed-off-by: Bernd Eckstein <3ernd.Eckstein@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ipheth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
+index 01f95d192d25..2b16a5fed9de 100644
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -437,17 +437,18 @@ static int ipheth_tx(struct sk_buff *skb, struct net_device *net)
+ dev);
+ dev->tx_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+
++ netif_stop_queue(net);
+ retval = usb_submit_urb(dev->tx_urb, GFP_ATOMIC);
+ if (retval) {
+ dev_err(&dev->intf->dev, "%s: usb_submit_urb: %d\n",
+ __func__, retval);
+ dev->net->stats.tx_errors++;
+ dev_kfree_skb_any(skb);
++ netif_wake_queue(net);
+ } else {
+ dev->net->stats.tx_packets++;
+ dev->net->stats.tx_bytes += skb->len;
+ dev_consume_skb_any(skb);
+- netif_stop_queue(net);
+ }
+
+ return NETDEV_TX_OK;
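Review bot: The reason `netif_stop_queue(net)` now precedes `usb_submit_urb()` is not recorded in the code, so the ordering looks arbitrary and is easy to undo in a later cleanup. Per the description, the completion callback can call netif_wake_queue() before the submit path gets to stop the queue. I would add above the stop call `/* stop first: the URB completion may wake the queue as soon as the submit succeeds */`, and on the error path `/* no completion will run, so wake the queue here */`. ipheth_tx() begins before the hunk.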
+--
+2.20.1
+
--- /dev/null
+From e59bc317814f6548a21fb3f146c6e6fadd9e6e30 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 7 Mar 2019 19:54:25 +0100
+Subject: x86/uaccess, kcov: Disable stack protector
+
+[ Upstream commit 40ea97290b08be2e038b31cbb33097d1145e8169 ]
+
+New tooling noticed this mishap:
+
+ kernel/kcov.o: warning: objtool: write_comp_data()+0x138: call to __stack_chk_fail() with UACCESS enabled
+ kernel/kcov.o: warning: objtool: __sanitizer_cov_trace_pc()+0xd9: call to __stack_chk_fail() with UACCESS enabled
+
+All the other instrumentation (KASAN,UBSAN) also have stack protector
+disabled.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/Makefile b/kernel/Makefile
+index 314e7d62f5f0..184fa9aa5802 100644
+--- a/kernel/Makefile
++++ b/kernel/Makefile
+@@ -28,6 +28,7 @@ KCOV_INSTRUMENT_extable.o := n
+ # Don't self-instrument.
+ KCOV_INSTRUMENT_kcov.o := n
+ KASAN_SANITIZE_kcov.o := n
++CFLAGS_kcov.o := $(call cc-option, -fno-conserve-stack -fno-stack-protector)
+
+ # cond_syscall is currently not LTO compatible
+ CFLAGS_sys_ni.o = $(DISABLE_LTO)
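Review bot: Both flags are passed to a single `cc-option` call, which tests them together and expands to nothing if the compiler rejects either one. On a compiler that lacks `-fno-conserve-stack`, `-fno-stack-protector` would be dropped as well, and kcov.o would keep the stack protector that this change is meant to remove. Probing only the optional flag avoids that: `CFLAGS_kcov.o := $(call cc-option, -fno-conserve-stack) -fno-stack-protector`.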
+--
+2.20.1
+