--- /dev/null
+From c5b4a50b74018b3677098151ec5f4fce07d5e6a0 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Mon, 11 Jun 2018 19:24:16 +0100
+Subject: Btrfs: fix return value on rename exchange failure
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit c5b4a50b74018b3677098151ec5f4fce07d5e6a0 upstream.
+
+If we failed during a rename exchange operation after starting/joining a
+transaction, we would end up replacing the return value, stored in the
+local 'ret' variable, with the return value from btrfs_end_transaction().
+So this could end up returning 0 (success) to user space despite the
+operation having failed and aborted the transaction, because if there are
+multiple tasks having a reference on the transaction at the time
+btrfs_end_transaction() is called by the rename exchange, that function
+returns 0 (otherwise it returns -EIO and not the original error value).
+So fix this by not overwriting the return value on error after getting
+a transaction handle.
+
+Fixes: cdd1fedf8261 ("btrfs: add support for RENAME_EXCHANGE and RENAME_WHITEOUT")
+CC: stable@vger.kernel.org # 4.9+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/inode.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -9561,6 +9561,7 @@ static int btrfs_rename_exchange(struct
+ u64 new_idx = 0;
+ u64 root_objectid;
+ int ret;
++ int ret2;
+ bool root_log_pinned = false;
+ bool dest_log_pinned = false;
+
+@@ -9751,7 +9752,8 @@ out_fail:
+ dest_log_pinned = false;
+ }
+ }
+- ret = btrfs_end_transaction(trans, root);
++ ret2 = btrfs_end_transaction(trans, root);
++ ret = ret ? ret : ret2;
+ out_notrans:
+ if (new_ino == BTRFS_FIRST_FREE_OBJECTID)
+ up_read(&dest->fs_info->subvol_sem);
--- /dev/null
+From 5811375325420052fcadd944792a416a43072b7f Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Wed, 31 Jan 2018 17:09:13 -0700
+Subject: Btrfs: fix unexpected cow in run_delalloc_nocow
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit 5811375325420052fcadd944792a416a43072b7f upstream.
+
+Fstests generic/475 provides a way to fail metadata reads while
+checking if checksum exists for the inode inside run_delalloc_nocow(),
+and csum_exist_in_range() interprets error (-EIO) as inode having
+checksum and makes its caller enter the cow path.
+
+In case of free space inode, this ends up with a warning in
+cow_file_range().
+
+The same problem applies to btrfs_cross_ref_exist() since it may also
+read metadata in between.
+
+With this, run_delalloc_nocow() bails out when errors occur at the two
+places.
+
+cc: <stable@vger.kernel.org> v2.6.28+
+Fixes: 17d217fe970d ("Btrfs: fix nodatasum handling in balancing code")
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ fs/btrfs/inode.c | 33 ++++++++++++++++++++++++++++++---
+ 1 file changed, 30 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -1230,6 +1230,8 @@ static noinline int csum_exist_in_range(
+ list_del(&sums->list);
+ kfree(sums);
+ }
++ if (ret < 0)
++ return ret;
+ return 1;
+ }
+
+@@ -1381,10 +1383,23 @@ next_slot:
+ goto out_check;
+ if (btrfs_extent_readonly(root, disk_bytenr))
+ goto out_check;
+- if (btrfs_cross_ref_exist(trans, root, ino,
++ ret = btrfs_cross_ref_exist(trans, root, ino,
+ found_key.offset -
+- extent_offset, disk_bytenr))
++ extent_offset, disk_bytenr);
++ if (ret) {
++ /*
++ * ret could be -EIO if the above fails to read
++ * metadata.
++ */
++ if (ret < 0) {
++ if (cow_start != (u64)-1)
++ cur_offset = cow_start;
++ goto error;
++ }
++
++ WARN_ON_ONCE(nolock);
+ goto out_check;
++ }
+ disk_bytenr += extent_offset;
+ disk_bytenr += cur_offset - found_key.offset;
+ num_bytes = min(end + 1, extent_end) - cur_offset;
+@@ -1402,8 +1417,20 @@ next_slot:
+ * this ensure that csum for a given extent are
+ * either valid or do not exist.
+ */
+- if (csum_exist_in_range(root, disk_bytenr, num_bytes))
++ ret = csum_exist_in_range(root, disk_bytenr, num_bytes);
++ if (ret) {
++ /*
++ * ret could be -EIO if the above fails to read
++ * metadata.
++ */
++ if (ret < 0) {
++ if (cow_start != (u64)-1)
++ cur_offset = cow_start;
++ goto error;
++ }
++ WARN_ON_ONCE(nolock);
+ goto out_check;
++ }
+ if (!btrfs_inc_nocow_writers(root->fs_info,
+ disk_bytenr))
+ goto out_check;
--- /dev/null
+From c043ec1ca5baae63726aae32abbe003192bc6eec Mon Sep 17 00:00:00 2001
+From: Martin Kelly <mkelly@xevo.com>
+Date: Mon, 26 Mar 2018 14:27:51 -0700
+Subject: iio:buffer: make length types match kfifo types
+
+From: Martin Kelly <mkelly@xevo.com>
+
+commit c043ec1ca5baae63726aae32abbe003192bc6eec upstream.
+
+Currently, we use int for buffer length and bytes_per_datum. However,
+kfifo uses unsigned int for length and size_t for element size. We need
+to make sure these matches or we will have bugs related to overflow (in
+the range between INT_MAX and UINT_MAX for length, for example).
+
+In addition, set_bytes_per_datum uses size_t while bytes_per_datum is an
+int, which would cause bugs for large values of bytes_per_datum.
+
+Change buffer length to use unsigned int and bytes_per_datum to use
+size_t.
+
+Signed-off-by: Martin Kelly <mkelly@xevo.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+[bwh: Backported to 4.9:
+ - Drop change to iio_dma_buffer_set_length()
+ - Adjust filename, context]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/buffer/kfifo_buf.c | 4 ++--
+ include/linux/iio/buffer.h | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/iio/buffer/kfifo_buf.c
++++ b/drivers/iio/buffer/kfifo_buf.c
+@@ -19,7 +19,7 @@ struct iio_kfifo {
+ #define iio_to_kfifo(r) container_of(r, struct iio_kfifo, buffer)
+
+ static inline int __iio_allocate_kfifo(struct iio_kfifo *buf,
+- int bytes_per_datum, int length)
++ size_t bytes_per_datum, unsigned int length)
+ {
+ if ((length == 0) || (bytes_per_datum == 0))
+ return -EINVAL;
+@@ -71,7 +71,7 @@ static int iio_set_bytes_per_datum_kfifo
+ return 0;
+ }
+
+-static int iio_set_length_kfifo(struct iio_buffer *r, int length)
++static int iio_set_length_kfifo(struct iio_buffer *r, unsigned int length)
+ {
+ /* Avoid an invalid state */
+ if (length < 2)
+--- a/include/linux/iio/buffer.h
++++ b/include/linux/iio/buffer.h
+@@ -61,7 +61,7 @@ struct iio_buffer_access_funcs {
+ int (*request_update)(struct iio_buffer *buffer);
+
+ int (*set_bytes_per_datum)(struct iio_buffer *buffer, size_t bpd);
+- int (*set_length)(struct iio_buffer *buffer, int length);
++ int (*set_length)(struct iio_buffer *buffer, unsigned int length);
+
+ int (*enable)(struct iio_buffer *buffer, struct iio_dev *indio_dev);
+ int (*disable)(struct iio_buffer *buffer, struct iio_dev *indio_dev);
+@@ -96,8 +96,8 @@ struct iio_buffer_access_funcs {
+ * @watermark: [INTERN] number of datums to wait for poll/read.
+ */
+ struct iio_buffer {
+- int length;
+- int bytes_per_datum;
++ unsigned int length;
++ size_t bytes_per_datum;
+ struct attribute_group *scan_el_attrs;
+ long *scan_mask;
+ bool scan_timestamp;
--- /dev/null
+From 18f3e95b90b28318ef35910d21c39908de672331 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Tue, 12 Jun 2018 17:54:42 +0800
+Subject: MIPS: io: Add barrier after register read in inX()
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit 18f3e95b90b28318ef35910d21c39908de672331 upstream.
+
+While a barrier is present in the outX() functions before the register
+write, a similar barrier is missing in the inX() functions after the
+register read. This could allow memory accesses following inX() to
+observe stale data.
+
+This patch is very similar to commit a1cc7034e33d12dc1 ("MIPS: io: Add
+barrier after register read in readX()"). Because war_io_reorder_wmb()
+is both used by writeX() and outX(), if readX() need a barrier then so
+does inX().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Patchwork: https://patchwork.linux-mips.org/patch/19516/
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: James Hogan <james.hogan@mips.com>
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: Huacai Chen <chenhuacai@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/io.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/mips/include/asm/io.h
++++ b/arch/mips/include/asm/io.h
+@@ -412,6 +412,8 @@ static inline type pfx##in##bwlq##p(unsi
+ __val = *__addr; \
+ slow; \
+ \
++ /* prevent prefetching of coherent DMA data prematurely */ \
++ rmb(); \
+ return pfx##ioswab##bwlq(__addr, __val); \
+ }
+
--- /dev/null
+From 988a35f8da1dec5a8cd2788054d1e717be61bf25 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 11 May 2018 19:54:19 +0900
+Subject: printk: fix possible reuse of va_list variable
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 988a35f8da1dec5a8cd2788054d1e717be61bf25 upstream.
+
+I noticed that there is a possibility that printk_safe_log_store() causes
+kernel oops because "args" parameter is passed to vsnprintf() again when
+atomic_cmpxchg() detected that we raced. Fix this by using va_copy().
+
+Link: http://lkml.kernel.org/r/201805112002.GIF21216.OFVHFOMLJtQFSO@I-love.SAKURA.ne.jp
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: dvyukov@google.com
+Cc: syzkaller@googlegroups.com
+Cc: fengguang.wu@intel.com
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Fixes: 42a0bb3f71383b45 ("printk/nmi: generic solution for safe printk in NMI")
+Cc: 4.7+ <stable@vger.kernel.org> # v4.7+
+Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/printk/nmi.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/printk/nmi.c
++++ b/kernel/printk/nmi.c
+@@ -63,6 +63,7 @@ static int vprintk_nmi(const char *fmt,
+ struct nmi_seq_buf *s = this_cpu_ptr(&nmi_print_seq);
+ int add = 0;
+ size_t len;
++ va_list ap;
+
+ again:
+ len = atomic_read(&s->len);
+@@ -79,7 +80,9 @@ again:
+ if (!len)
+ smp_rmb();
+
+- add = vsnprintf(s->buffer + len, sizeof(s->buffer) - len, fmt, args);
++ va_copy(ap, args);
++ add = vsnprintf(s->buffer + len, sizeof(s->buffer) - len, fmt, ap);
++ va_end(ap);
+
+ /*
+ * Do it once again if the buffer has been flushed in the meantime.
pci-add-acs-quirk-for-intel-7th-8th-gen-mobile.patch
pci-add-acs-quirk-for-intel-300-series.patch
pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch
+printk-fix-possible-reuse-of-va_list-variable.patch
+mips-io-add-barrier-after-register-read-in-inx.patch
+time-make-sure-jiffies_to_msecs-preserves-non-zero-time-periods.patch
+x.509-unpack-rsa-signaturevalue-field-from-bit-string.patch
+btrfs-fix-return-value-on-rename-exchange-failure.patch
+btrfs-fix-unexpected-cow-in-run_delalloc_nocow.patch
+iio-buffer-make-length-types-match-kfifo-types.patch
--- /dev/null
+From abcbcb80cd09cd40f2089d912764e315459b71f7 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Fri, 22 Jun 2018 16:33:57 +0200
+Subject: time: Make sure jiffies_to_msecs() preserves non-zero time periods
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+commit abcbcb80cd09cd40f2089d912764e315459b71f7 upstream.
+
+For the common cases where 1000 is a multiple of HZ, or HZ is a multiple of
+1000, jiffies_to_msecs() never returns zero when passed a non-zero time
+period.
+
+However, if HZ > 1000 and not an integer multiple of 1000 (e.g. 1024 or
+1200, as used on alpha and DECstation), jiffies_to_msecs() may return zero
+for small non-zero time periods. This may break code that relies on
+receiving back a non-zero value.
+
+jiffies_to_usecs() does not need such a fix: one jiffy can only be less
+than one µs if HZ > 1000000, and such large values of HZ are already
+rejected at build time, twice:
+
+ - include/linux/jiffies.h does #error if HZ >= 12288,
+ - kernel/time/time.c has BUILD_BUG_ON(HZ > USEC_PER_SEC).
+
+Broken since forever.
+
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Stephen Boyd <sboyd@kernel.org>
+Cc: linux-alpha@vger.kernel.org
+Cc: linux-mips@linux-mips.org
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180622143357.7495-1-geert@linux-m68k.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/time.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/kernel/time/time.c
++++ b/kernel/time/time.c
+@@ -28,6 +28,7 @@
+ */
+
+ #include <linux/export.h>
++#include <linux/kernel.h>
+ #include <linux/timex.h>
+ #include <linux/capability.h>
+ #include <linux/timekeeper_internal.h>
+@@ -258,9 +259,10 @@ unsigned int jiffies_to_msecs(const unsi
+ return (j + (HZ / MSEC_PER_SEC) - 1)/(HZ / MSEC_PER_SEC);
+ #else
+ # if BITS_PER_LONG == 32
+- return (HZ_TO_MSEC_MUL32 * j) >> HZ_TO_MSEC_SHR32;
++ return (HZ_TO_MSEC_MUL32 * j + (1ULL << HZ_TO_MSEC_SHR32) - 1) >>
++ HZ_TO_MSEC_SHR32;
+ # else
+- return (j * HZ_TO_MSEC_NUM) / HZ_TO_MSEC_DEN;
++ return DIV_ROUND_UP(j * HZ_TO_MSEC_NUM, HZ_TO_MSEC_DEN);
+ # endif
+ #endif
+ }
--- /dev/null
+From b65c32ec5a942ab3ada93a048089a938918aba7f Mon Sep 17 00:00:00 2001
+From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
+Date: Sat, 19 May 2018 14:23:54 +0200
+Subject: X.509: unpack RSA signatureValue field from BIT STRING
+
+From: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+
+commit b65c32ec5a942ab3ada93a048089a938918aba7f upstream.
+
+The signatureValue field of a X.509 certificate is encoded as a BIT STRING.
+For RSA signatures this BIT STRING is of so-called primitive subtype, which
+contains a u8 prefix indicating a count of unused bits in the encoding.
+
+We have to strip this prefix from signature data, just as we already do for
+key data in x509_extract_key_data() function.
+
+This wasn't noticed earlier because this prefix byte is zero for RSA key
+sizes divisible by 8. Since BIT STRING is a big-endian encoding adding zero
+prefixes has no bearing on its value.
+
+The signature length, however was incorrect, which is a problem for RSA
+implementations that need it to be exactly correct (like AMD CCP).
+
+Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+Fixes: c26fd69fa009 ("X.509: Add a crypto key parser for binary (DER) X.509 certificates")
+Cc: stable@vger.kernel.org
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/asymmetric_keys/x509_cert_parser.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/crypto/asymmetric_keys/x509_cert_parser.c
++++ b/crypto/asymmetric_keys/x509_cert_parser.c
+@@ -249,6 +249,15 @@ int x509_note_signature(void *context, s
+ return -EINVAL;
+ }
+
++ if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0) {
++ /* Discard the BIT STRING metadata */
++ if (vlen < 1 || *(const u8 *)value != 0)
++ return -EBADMSG;
++
++ value++;
++ vlen--;
++ }
++
+ ctx->cert->raw_sig = value;
+ ctx->cert->raw_sig_size = vlen;
+ return 0;
projects / thirdparty / kernel / stable-queue.git / commitdiff
