--- /dev/null
+From c463a158cb6c5d9a85b7d894cd4f8116e8bd6be0 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 12 Aug 2018 12:53:20 +0200
+Subject: i2c: core: ACPI: Properly set status byte to 0 for multi-byte writes
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit c463a158cb6c5d9a85b7d894cd4f8116e8bd6be0 upstream.
+
+acpi_gsb_i2c_write_bytes() returns i2c_transfer()'s return value, which
+is the number of transfers executed on success, so 1.
+
+The ACPI code expects us to store 0 in gsb->status for success, not 1.
+
+Specifically this breaks the following code in the Thinkpad 8 DSDT:
+
+ ECWR = I2CW = ECWR /* \_SB_.I2C1.BAT0.ECWR */
+ If ((ECST == Zero))
+ {
+ ECRD = I2CR /* \_SB_.I2C1.I2CR */
+ }
+
+Before this commit we set ECST to 1, causing the read to never happen
+breaking battery monitoring on the Thinkpad 8.
+
+This commit makes acpi_gsb_i2c_write_bytes() return 0 when i2c_transfer()
+returns 1, so the single write transfer completed successfully, and
+makes it return -EIO on for other (unexpected) return values >= 0.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/i2c-core-acpi.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/i2c/i2c-core-acpi.c
++++ b/drivers/i2c/i2c-core-acpi.c
+@@ -475,11 +475,16 @@ static int acpi_gsb_i2c_write_bytes(stru
+ msgs[0].buf = buffer;
+
+ ret = i2c_transfer(client->adapter, msgs, ARRAY_SIZE(msgs));
+- if (ret < 0)
+- dev_err(&client->adapter->dev, "i2c write failed\n");
+
+ kfree(buffer);
+- return ret;
++
++ if (ret < 0) {
++ dev_err(&client->adapter->dev, "i2c write failed: %d\n", ret);
++ return ret;
++ }
++
++ /* 1 transfer must have completed successfully */
++ return (ret == 1) ? 0 : -EIO;
+ }
+
+ static acpi_status
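Review bot: The success check on the final return compares against a literal `1`, while the i2c_transfer() call above it passes `ARRAY_SIZE(msgs)`, so the two can drift apart if the message array ever changes size. Writing it as `return (ret == ARRAY_SIZE(msgs)) ? 0 : -EIO;` keeps the expected count tied to what was submitted. The `-EIO` path for an unexpected non-negative count is also silent, unlike the `ret < 0` branch; a `dev_err()` there would make a short transfer visible in the log. The function begins outside the hunk, so the declaration of `msgs` is not visible here.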
--- /dev/null
+From bed4ff1ed4d8f2ef5007c5c6ae1b29c5677a3632 Mon Sep 17 00:00:00 2001
+From: Esben Haabendal <eha@deif.com>
+Date: Thu, 16 Aug 2018 10:43:12 +0200
+Subject: i2c: imx: Fix race condition in dma read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Esben Haabendal <eha@deif.com>
+
+commit bed4ff1ed4d8f2ef5007c5c6ae1b29c5677a3632 upstream.
+
+This fixes a race condition, where the DMAEN bit ends up being set after
+I2C slave has transmitted a byte following the dummy read. When that
+happens, an interrupt is generated instead, and no DMA request is generated
+to kickstart the DMA read, and a timeout happens after DMA_TIMEOUT (1 sec).
+
+Fixed by setting the DMAEN bit before the dummy read.
+
+Signed-off-by: Esben Haabendal <eha@deif.com>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-imx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-imx.c
++++ b/drivers/i2c/busses/i2c-imx.c
+@@ -665,9 +665,6 @@ static int i2c_imx_dma_read(struct imx_i
+ struct imx_i2c_dma *dma = i2c_imx->dma;
+ struct device *dev = &i2c_imx->adapter.dev;
+
+- temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR);
+- temp |= I2CR_DMAEN;
+- imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR);
+
+ dma->chan_using = dma->chan_rx;
+ dma->dma_transfer_dir = DMA_DEV_TO_MEM;
+@@ -780,6 +777,7 @@ static int i2c_imx_read(struct imx_i2c_s
+ int i, result;
+ unsigned int temp;
+ int block_data = msgs->flags & I2C_M_RECV_LEN;
++ int use_dma = i2c_imx->dma && msgs->len >= DMA_THRESHOLD && !block_data;
+
+ dev_dbg(&i2c_imx->adapter.dev,
+ "<%s> write slave address: addr=0x%x\n",
+@@ -806,12 +804,14 @@ static int i2c_imx_read(struct imx_i2c_s
+ */
+ if ((msgs->len - 1) || block_data)
+ temp &= ~I2CR_TXAK;
++ if (use_dma)
++ temp |= I2CR_DMAEN;
+ imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR);
+ imx_i2c_read_reg(i2c_imx, IMX_I2C_I2DR); /* dummy read */
+
+ dev_dbg(&i2c_imx->adapter.dev, "<%s> read data\n", __func__);
+
+- if (i2c_imx->dma && msgs->len >= DMA_THRESHOLD && !block_data)
++ if (use_dma)
+ return i2c_imx_dma_read(i2c_imx, msgs, is_lastmsg);
+
+ /* read data */
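Review bot: Nothing at the new `if (use_dma) temp |= I2CR_DMAEN;` lines records that the ordering against the dummy read is the whole fix, so a later cleanup could move the bit back into i2c_imx_dma_read() and reintroduce the timeout. A comment above it would help, for example `/* DMAEN must be set before the dummy read, otherwise the first received byte raises an interrupt instead of a DMA request */`. `use_dma` is only ever used as a truth value, so `bool` would read better than `int` if the file already uses it. i2c_imx_read() starts and ends outside these hunks.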
--- /dev/null
+From 4ce6435820d1f1cc2c2788e232735eb244bcc8a3 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 19 Jul 2018 17:27:31 -0500
+Subject: PCI: hotplug: Don't leak pci_slot on registration failure
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 4ce6435820d1f1cc2c2788e232735eb244bcc8a3 upstream.
+
+If addition of sysfs files fails on registration of a hotplug slot, the
+struct pci_slot as well as the entry in the slot_list is leaked. The
+issue has been present since the hotplug core was introduced in 2002:
+https://git.kernel.org/tglx/history/c/a8a2069f432c
+
+Perhaps the idea was that even though sysfs addition fails, the slot
+should still be usable. But that's not how drivers use the interface,
+they abort probe if a non-zero value is returned.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # v2.4.15+
+Cc: Greg Kroah-Hartman <greg@kroah.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/hotplug/pci_hotplug_core.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/pci/hotplug/pci_hotplug_core.c
++++ b/drivers/pci/hotplug/pci_hotplug_core.c
+@@ -452,8 +452,17 @@ int __pci_hp_register(struct hotplug_slo
+ list_add(&slot->slot_list, &pci_hotplug_slot_list);
+
+ result = fs_add_slot(pci_slot);
++ if (result)
++ goto err_list_del;
++
+ kobject_uevent(&pci_slot->kobj, KOBJ_ADD);
+ dbg("Added slot %s to the list\n", name);
++ goto out;
++
++err_list_del:
++ list_del(&slot->slot_list);
++ pci_slot->hotplug = NULL;
++ pci_destroy_slot(pci_slot);
+ out:
+ mutex_unlock(&pci_hp_mutex);
+ return result;
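Review bot: The new `err_list_del` path undoes the list insertion and destroys the pci_slot, but it does not call any release callback on `slot`, so after a failed registration the caller still owns the hotplug_slot and must free it. That contract is worth stating in the function's kernel-doc, which lies outside the hunk, for example `Returns 0 on success or a negative errno; on failure @slot is not released and remains owned by the caller.` Whether fs_add_slot() removes the sysfs files it managed to create before failing is not visible here and should be confirmed. If it does not, they would outlive the slot destroyed on this path.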
--- /dev/null
+From a5fb9fb023a1435f2b42bccd7f547560f3a21dc3 Mon Sep 17 00:00:00 2001
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Wed, 18 Jul 2018 15:40:26 -0500
+Subject: PCI: OF: Fix I/O space page leak
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+commit a5fb9fb023a1435f2b42bccd7f547560f3a21dc3 upstream.
+
+When testing the R-Car PCIe driver on the Condor board, if the PCIe PHY
+driver was left disabled, the kernel crashed with this BUG:
+
+ kernel BUG at lib/ioremap.c:72!
+ Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+ Modules linked in:
+ CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
+ Hardware name: Renesas Condor board based on r8a77980 (DT)
+ Workqueue: events deferred_probe_work_func
+ pstate: 80000005 (Nzcv daif -PAN -UAO)
+ pc : ioremap_page_range+0x370/0x3c8
+ lr : ioremap_page_range+0x40/0x3c8
+ sp : ffff000008da39e0
+ x29: ffff000008da39e0 x28: 00e8000000000f07
+ x27: ffff7dfffee00000 x26: 0140000000000000
+ x25: ffff7dfffef00000 x24: 00000000000fe100
+ x23: ffff80007b906000 x22: ffff000008ab8000
+ x21: ffff000008bb1d58 x20: ffff7dfffef00000
+ x19: ffff800009c30fb8 x18: 0000000000000001
+ x17: 00000000000152d0 x16: 00000000014012d0
+ x15: 0000000000000000 x14: 0720072007200720
+ x13: 0720072007200720 x12: 0720072007200720
+ x11: 0720072007300730 x10: 00000000000000ae
+ x9 : 0000000000000000 x8 : ffff7dffff000000
+ x7 : 0000000000000000 x6 : 0000000000000100
+ x5 : 0000000000000000 x4 : 000000007b906000
+ x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
+ x1 : 0000000040000000 x0 : 00e80000fe100f07
+ Process kworker/0:1 (pid: 39, stack limit = 0x (ptrval))
+ Call trace:
+ ioremap_page_range+0x370/0x3c8
+ pci_remap_iospace+0x7c/0xac
+ pci_parse_request_of_pci_ranges+0x13c/0x190
+ rcar_pcie_probe+0x4c/0xb04
+ platform_drv_probe+0x50/0xbc
+ driver_probe_device+0x21c/0x308
+ __device_attach_driver+0x98/0xc8
+ bus_for_each_drv+0x54/0x94
+ __device_attach+0xc4/0x12c
+ device_initial_probe+0x10/0x18
+ bus_probe_device+0x90/0x98
+ deferred_probe_work_func+0xb0/0x150
+ process_one_work+0x12c/0x29c
+ worker_thread+0x200/0x3fc
+ kthread+0x108/0x134
+ ret_from_fork+0x10/0x18
+ Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
+
+It turned out that pci_remap_iospace() wasn't undone when the driver's
+probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
+the probe was retried, finally causing the BUG due to trying to remap
+already remapped pages.
+
+Introduce the devm_pci_remap_iospace() managed API and replace the
+pci_remap_iospace() call with it to fix the bug.
+
+Fixes: dbf9826d5797 ("PCI: generic: Convert to DT resource parsing API")
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+[lorenzo.pieralisi@arm.com: split commit/updated the commit log]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+[Backport just for the new api which other patches need - gregkh]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci.c | 38 ++++++++++++++++++++++++++++++++++++++
+ include/linux/pci.h | 2 ++
+ 2 files changed, 40 insertions(+)
+
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -3446,6 +3446,44 @@ void pci_unmap_iospace(struct resource *
+ }
+ EXPORT_SYMBOL(pci_unmap_iospace);
+
++static void devm_pci_unmap_iospace(struct device *dev, void *ptr)
++{
++ struct resource **res = ptr;
++
++ pci_unmap_iospace(*res);
++}
++
++/**
++ * devm_pci_remap_iospace - Managed pci_remap_iospace()
++ * @dev: Generic device to remap IO address for
++ * @res: Resource describing the I/O space
++ * @phys_addr: physical address of range to be mapped
++ *
++ * Managed pci_remap_iospace(). Map is automatically unmapped on driver
++ * detach.
++ */
++int devm_pci_remap_iospace(struct device *dev, const struct resource *res,
++ phys_addr_t phys_addr)
++{
++ const struct resource **ptr;
++ int error;
++
++ ptr = devres_alloc(devm_pci_unmap_iospace, sizeof(*ptr), GFP_KERNEL);
++ if (!ptr)
++ return -ENOMEM;
++
++ error = pci_remap_iospace(res, phys_addr);
++ if (error) {
++ devres_free(ptr);
++ } else {
++ *ptr = res;
++ devres_add(dev, ptr);
++ }
++
++ return error;
++}
++EXPORT_SYMBOL(devm_pci_remap_iospace);
++
+ /**
+ * devm_pci_remap_cfgspace - Managed pci_remap_cfgspace()
+ * @dev: Generic device to remap IO address for
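Review bot: devm_pci_remap_iospace() stores the caller's `res` pointer in the devres entry (`*ptr = res;`) rather than a copy, and devm_pci_unmap_iospace() dereferences it at driver detach. The resource must therefore outlive the device binding, or the release callback will read freed memory. The kernel-doc should state this, for example `@res must remain valid until the driver is detached`, and should also gain a `Return:` line describing the 0 / negative errno result. The callback also takes the stored `const struct resource **` as `struct resource **` through the `void *` argument, which silently drops the const qualifier. A short comment noting that pci_unmap_iospace() takes a non-const pointer would make that deliberate.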
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -1235,6 +1235,8 @@ int pci_register_io_range(phys_addr_t ad
+ unsigned long pci_address_to_pio(phys_addr_t addr);
+ phys_addr_t pci_pio_to_address(unsigned long pio);
+ int pci_remap_iospace(const struct resource *res, phys_addr_t phys_addr);
++int devm_pci_remap_iospace(struct device *dev, const struct resource *res,
++ phys_addr_t phys_addr);
+ void pci_unmap_iospace(struct resource *res);
+ void __iomem *devm_pci_remap_cfgspace(struct device *dev,
+ resource_size_t offset,
--- /dev/null
+From 1204e35bedf4e5015cda559ed8c84789a6dae24e Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 19 Jul 2018 17:27:34 -0500
+Subject: PCI: pciehp: Fix unprotected list iteration in IRQ handler
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 1204e35bedf4e5015cda559ed8c84789a6dae24e upstream.
+
+Commit b440bde74f04 ("PCI: Add pci_ignore_hotplug() to ignore hotplug
+events for a device") iterates over the devices on a hotplug port's
+subordinate bus in pciehp's IRQ handler without acquiring pci_bus_sem.
+It is thus possible for a user to cause a crash by concurrently
+manipulating the device list, e.g. by disabling slot power via sysfs
+on a different CPU or by initiating a remove/rescan via sysfs.
+
+This can't be fixed by acquiring pci_bus_sem because it may sleep.
+The simplest fix is to avoid the list iteration altogether and just
+check the ignore_hotplug flag on the port itself. This works because
+pci_ignore_hotplug() sets the flag both on the device as well as on its
+parent bridge.
+
+We do lose the ability to print the name of the device blocking hotplug
+in the debug message, but that's probably bearable.
+
+Fixes: b440bde74f04 ("PCI: Add pci_ignore_hotplug() to ignore hotplug events for a device")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/hotplug/pciehp_hpc.c | 13 +++----------
+ 1 file changed, 3 insertions(+), 10 deletions(-)
+
+--- a/drivers/pci/hotplug/pciehp_hpc.c
++++ b/drivers/pci/hotplug/pciehp_hpc.c
+@@ -562,8 +562,6 @@ static irqreturn_t pciehp_isr(int irq, v
+ {
+ struct controller *ctrl = (struct controller *)dev_id;
+ struct pci_dev *pdev = ctrl_dev(ctrl);
+- struct pci_bus *subordinate = pdev->subordinate;
+- struct pci_dev *dev;
+ struct slot *slot = ctrl->slot;
+ u16 status, events;
+ u8 present;
+@@ -611,14 +609,9 @@ static irqreturn_t pciehp_isr(int irq, v
+ wake_up(&ctrl->queue);
+ }
+
+- if (subordinate) {
+- list_for_each_entry(dev, &subordinate->devices, bus_list) {
+- if (dev->ignore_hotplug) {
+- ctrl_dbg(ctrl, "ignoring hotplug event %#06x (%s requested no hotplug)\n",
+- events, pci_name(dev));
+- return IRQ_HANDLED;
+- }
+- }
++ if (pdev->ignore_hotplug) {
++ ctrl_dbg(ctrl, "ignoring hotplug event %#06x\n", events);
++ return IRQ_HANDLED;
+ }
+
+ /* Check Attention Button Pressed */
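Review bot: The new `if (pdev->ignore_hotplug)` test has no comment explaining why checking only the port is sufficient, and the reason is not evident from the code here. The commit message relies on pci_ignore_hotplug() setting the flag on the parent bridge as well as on the device. A comment such as `/* pci_ignore_hotplug() also flags the parent bridge; do not walk subordinate->devices here, the list cannot be locked from hardirq context */` would keep the unlocked list walk from being reintroduced. pciehp_isr() continues outside the hunk.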
--- /dev/null
+From 281e878eab191cce4259abbbf1a0322e3adae02c Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 19 Jul 2018 17:27:32 -0500
+Subject: PCI: pciehp: Fix use-after-free on unplug
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 281e878eab191cce4259abbbf1a0322e3adae02c upstream.
+
+When pciehp is unbound (e.g. on unplug of a Thunderbolt device), the
+hotplug_slot struct is deregistered and thus freed before freeing the
+IRQ. The IRQ handler and the work items it schedules print the slot
+name referenced from the freed structure in various informational and
+debug log messages, each time resulting in a quadruple dereference of
+freed pointers (hotplug_slot -> pci_slot -> kobject -> name).
+
+At best the slot name is logged as "(null)", at worst kernel memory is
+exposed in logs or the driver crashes:
+
+ pciehp 0000:10:00.0:pcie204: Slot((null)): Card not present
+
+An attacker may provoke the bug by unplugging multiple devices on a
+Thunderbolt daisy chain at once. Unplugging can also be simulated by
+powering down slots via sysfs. The bug is particularly easy to trigger
+in poll mode.
+
+It has been present since the driver's introduction in 2004:
+https://git.kernel.org/tglx/history/c/c16b4b14d980
+
+Fix by rearranging teardown such that the IRQ is freed first. Run the
+work items queued by the IRQ handler to completion before freeing the
+hotplug_slot struct by draining the work queue from the ->release_slot
+callback which is invoked by pci_hp_deregister().
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # v2.6.4
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/hotplug/pciehp.h | 1 +
+ drivers/pci/hotplug/pciehp_core.c | 7 +++++++
+ drivers/pci/hotplug/pciehp_hpc.c | 5 ++---
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/hotplug/pciehp.h
++++ b/drivers/pci/hotplug/pciehp.h
+@@ -132,6 +132,7 @@ int pciehp_unconfigure_device(struct slo
+ void pciehp_queue_pushbutton_work(struct work_struct *work);
+ struct controller *pcie_init(struct pcie_device *dev);
+ int pcie_init_notification(struct controller *ctrl);
++void pcie_shutdown_notification(struct controller *ctrl);
+ int pciehp_enable_slot(struct slot *p_slot);
+ int pciehp_disable_slot(struct slot *p_slot);
+ void pcie_reenable_notification(struct controller *ctrl);
+--- a/drivers/pci/hotplug/pciehp_core.c
++++ b/drivers/pci/hotplug/pciehp_core.c
+@@ -76,6 +76,12 @@ static int reset_slot(struct hotplug_slo
+ */
+ static void release_slot(struct hotplug_slot *hotplug_slot)
+ {
++ struct slot *slot = hotplug_slot->private;
++
++ /* queued work needs hotplug_slot name */
++ cancel_delayed_work(&slot->work);
++ drain_workqueue(slot->wq);
++
+ kfree(hotplug_slot->ops);
+ kfree(hotplug_slot->info);
+ kfree(hotplug_slot);
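Review bot: `cancel_delayed_work(&slot->work)` in release_slot() does not wait for an instance that is already running, so the following kfree() calls are only safe if `slot->work` always runs on `slot->wq` and is therefore covered by `drain_workqueue(slot->wq)`. Where the delayed work is queued is not visible in this hunk. If it can run on another workqueue, `cancel_delayed_work_sync(&slot->work);` would be needed to close the window. The existing comment could say so, for example `/* slot->work is queued on slot->wq, so draining it also waits for a running instance */`.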
+@@ -278,6 +284,7 @@ static void pciehp_remove(struct pcie_de
+ {
+ struct controller *ctrl = get_service_data(dev);
+
++ pcie_shutdown_notification(ctrl);
+ cleanup_slot(ctrl);
+ pciehp_release_ctrl(ctrl);
+ }
+--- a/drivers/pci/hotplug/pciehp_hpc.c
++++ b/drivers/pci/hotplug/pciehp_hpc.c
+@@ -789,7 +789,7 @@ int pcie_init_notification(struct contro
+ return 0;
+ }
+
+-static void pcie_shutdown_notification(struct controller *ctrl)
++void pcie_shutdown_notification(struct controller *ctrl)
+ {
+ if (ctrl->notification_enabled) {
+ pcie_disable_notification(ctrl);
+@@ -824,7 +824,7 @@ abort:
+ static void pcie_cleanup_slot(struct controller *ctrl)
+ {
+ struct slot *slot = ctrl->slot;
+- cancel_delayed_work(&slot->work);
++
+ destroy_workqueue(slot->wq);
+ kfree(slot);
+ }
+@@ -912,7 +912,6 @@ abort:
+
+ void pciehp_release_ctrl(struct controller *ctrl)
+ {
+- pcie_shutdown_notification(ctrl);
+ pcie_cleanup_slot(ctrl);
+ kfree(ctrl);
+ }
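Review bot: pciehp_release_ctrl() no longer calls pcie_shutdown_notification(), so every caller other than pciehp_remove() now frees the controller without disabling notification or releasing the IRQ first. Its other call sites are outside this diff. If a probe error path can reach it after pcie_init_notification() has succeeded, the handler could run against the freed `ctrl`. A comment on the function would make the new precondition explicit, for example `/* caller must have called pcie_shutdown_notification() if notification was enabled */`.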
--- /dev/null
+From 3dbe97efe8bf450b183d6dee2305cbc032e6b8a4 Mon Sep 17 00:00:00 2001
+From: Myron Stowe <myron.stowe@redhat.com>
+Date: Mon, 13 Aug 2018 12:19:39 -0600
+Subject: PCI: Skip MPS logic for Virtual Functions (VFs)
+
+From: Myron Stowe <myron.stowe@redhat.com>
+
+commit 3dbe97efe8bf450b183d6dee2305cbc032e6b8a4 upstream.
+
+PCIe r4.0, sec 9.3.5.4, "Device Control Register", shows both
+Max_Payload_Size (MPS) and Max_Read_request_Size (MRRS) to be 'RsvdP' for
+VFs. Just prior to the table it states:
+
+ "PF and VF functionality is defined in Section 7.5.3.4 except where
+ noted in Table 9-16. For VF fields marked 'RsvdP', the PF setting
+ applies to the VF."
+
+All of which implies that with respect to Max_Payload_Size Supported
+(MPSS), MPS, and MRRS values, we should not be paying any attention to the
+VF's fields, but rather only to the PF's. Only looking at the PF's fields
+also logically makes sense as it's the sole physical interface to the PCIe
+bus.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=200527
+Fixes: 27d868b5e6cf ("PCI: Set MPS to match upstream bridge")
+Signed-off-by: Myron Stowe <myron.stowe@redhat.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # 4.3+
+Cc: Keith Busch <keith.busch@intel.com>
+Cc: Sinan Kaya <okaya@kernel.org>
+Cc: Dongdong Liu <liudongdong3@huawei.com>
+Cc: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/probe.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1560,6 +1560,10 @@ static void pci_configure_mps(struct pci
+ if (!pci_is_pcie(dev) || !bridge || !pci_is_pcie(bridge))
+ return;
+
++ /* MPS and MRRS fields are of type 'RsvdP' for VFs, short-circuit out */
++ if (dev->is_virtfn)
++ return;
++
+ mps = pcie_get_mps(dev);
+ p_mps = pcie_get_mps(bridge);
+
--- /dev/null
+From a13f085d111e90469faf2d9965eb39b11c114d7e Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 21 Aug 2018 21:59:37 -0700
+Subject: reiserfs: fix broken xattr handling (heap corruption, bad retval)
+
+From: Jann Horn <jannh@google.com>
+
+commit a13f085d111e90469faf2d9965eb39b11c114d7e upstream.
+
+This fixes the following issues:
+
+- When a buffer size is supplied to reiserfs_listxattr() such that each
+ individual name fits, but the concatenation of all names doesn't fit,
+ reiserfs_listxattr() overflows the supplied buffer. This leads to a
+ kernel heap overflow (verified using KASAN) followed by an out-of-bounds
+ usercopy and is therefore a security bug.
+
+- When a buffer size is supplied to reiserfs_listxattr() such that a
+ name doesn't fit, -ERANGE should be returned. But reiserfs instead just
+ truncates the list of names; I have verified that if the only xattr on a
+ file has a longer name than the supplied buffer length, listxattr()
+ incorrectly returns zero.
+
+With my patch applied, -ERANGE is returned in both cases and the memory
+corruption doesn't happen anymore.
+
+Credit for making me clean this code up a bit goes to Al Viro, who pointed
+out that the ->actor calling convention is suboptimal and should be
+changed.
+
+Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com
+Fixes: 48b32a3553a5 ("reiserfs: use generic xattr handlers")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+Cc: Eric Biggers <ebiggers@google.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/reiserfs/xattr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/reiserfs/xattr.c
++++ b/fs/reiserfs/xattr.c
+@@ -792,8 +792,10 @@ static int listxattr_filler(struct dir_c
+ return 0;
+ size = namelen + 1;
+ if (b->buf) {
+- if (size > b->size)
++ if (b->pos + size > b->size) {
++ b->pos = -ERANGE;
+ return -ERANGE;
++ }
+ memcpy(b->buf + b->pos, name, namelen);
+ b->buf[b->pos + namelen] = 0;
+ }
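Review bot: The new bound check `b->pos + size > b->size` is paired with storing `-ERANGE` into `b->pos`, so the position field now doubles as an error sentinel. The check is then only sound if the actor is never invoked again after it has failed once. The field types are not visible in this hunk; if `pos` is unsigned, a later call would evaluate `b->pos + size` with wrap-around and could pass the check before the memcpy(). A wrap-safe form such as `if (b->pos > b->size || size > b->size - b->pos)` would remove that dependency, as would a separate error field in the buffer struct. Either way, a comment noting that `pos` carries the error back to the caller would help. listxattr_filler() starts and ends outside the hunk.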
packet-refine-ring-v3-block-size-test-to-hold-one-frame.patch
net-smc-no-shutdown-in-state-smc_listen.patch
parisc-remove-unnecessary-barriers-from-spinlock.h.patch
+pci-of-fix-i-o-space-page-leak.patch
+pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch
+pci-skip-mps-logic-for-virtual-functions-vfs.patch
+pci-pciehp-fix-use-after-free-on-unplug.patch
+pci-pciehp-fix-unprotected-list-iteration-in-irq-handler.patch
+i2c-core-acpi-properly-set-status-byte-to-0-for-multi-byte-writes.patch
+i2c-imx-fix-race-condition-in-dma-read.patch
+reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch