--- /dev/null
+From ebe8c5500e361bb8083a820c77e92b6e4b42deff Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Wed, 3 Apr 2019 15:31:49 +0800
+Subject: ALSA: hda/realtek - Move to ACT_INIT state
+
+[ Upstream commit 8983eb602af511fc5822f5ff4a82074c68816fd9 ]
+
+It will be lose Mic JD state when Chrome OS boot and headset was plugged.
+Just Implement of reset combo jack JD verb for ACT_PRE_PROBE state.
+Intel test result was also failed.
+It test passed until changed the initial state to ACT_INIT.
+Mic JD will show every time.
+This patch also changed the model name as 'alc-chrome-book' for
+application of Chrome OS.
+
+Fixes: 10f5b1b85ed1 ("ALSA: hda/realtek - Fixed Headset Mic JD not stable")
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 41 +++++++++++++++++++++++++----------
+ 1 file changed, 29 insertions(+), 12 deletions(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index f061167062bc..a9f69c3a3e0b 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5490,7 +5490,7 @@ static void alc_headset_btn_callback(struct hda_codec *codec,
+ jack->jack->button_state = report;
+ }
+
+-static void alc295_fixup_chromebook(struct hda_codec *codec,
++static void alc_fixup_headset_jack(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+ {
+
+@@ -5500,16 +5500,6 @@ static void alc295_fixup_chromebook(struct hda_codec *codec,
+ alc_headset_btn_callback);
+ snd_hda_jack_add_kctl(codec, 0x55, "Headset Jack", false,
+ SND_JACK_HEADSET, alc_headset_btn_keymap);
+- switch (codec->core.vendor_id) {
+- case 0x10ec0295:
+- alc_update_coef_idx(codec, 0x4a, 0x8000, 1 << 15); /* Reset HP JD */
+- alc_update_coef_idx(codec, 0x4a, 0x8000, 0 << 15);
+- break;
+- case 0x10ec0236:
+- alc_update_coef_idx(codec, 0x1b, 0x8000, 1 << 15); /* Reset HP JD */
+- alc_update_coef_idx(codec, 0x1b, 0x8000, 0 << 15);
+- break;
+- }
+ break;
+ case HDA_FIXUP_ACT_INIT:
+ switch (codec->core.vendor_id) {
+@@ -5530,6 +5520,25 @@ static void alc295_fixup_chromebook(struct hda_codec *codec,
+ }
+ }
+
++static void alc295_fixup_chromebook(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ switch (action) {
++ case HDA_FIXUP_ACT_INIT:
++ switch (codec->core.vendor_id) {
++ case 0x10ec0295:
++ alc_update_coef_idx(codec, 0x4a, 0x8000, 1 << 15); /* Reset HP JD */
++ alc_update_coef_idx(codec, 0x4a, 0x8000, 0 << 15);
++ break;
++ case 0x10ec0236:
++ alc_update_coef_idx(codec, 0x1b, 0x8000, 1 << 15); /* Reset HP JD */
++ alc_update_coef_idx(codec, 0x1b, 0x8000, 0 << 15);
++ break;
++ }
++ break;
++ }
++}
++
+ static void alc_fixup_disable_mic_vref(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+ {
+@@ -5684,6 +5693,7 @@ enum {
+ ALC285_FIXUP_LENOVO_PC_BEEP_IN_NOISE,
+ ALC255_FIXUP_ACER_HEADSET_MIC,
+ ALC295_FIXUP_CHROME_BOOK,
++ ALC225_FIXUP_HEADSET_JACK,
+ ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE,
+ ALC225_FIXUP_WYSE_AUTO_MUTE,
+ ALC225_FIXUP_WYSE_DISABLE_MIC_VREF,
+@@ -6645,6 +6655,12 @@ static const struct hda_fixup alc269_fixups[] = {
+ [ALC295_FIXUP_CHROME_BOOK] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc295_fixup_chromebook,
++ .chained = true,
++ .chain_id = ALC225_FIXUP_HEADSET_JACK
++ },
++ [ALC225_FIXUP_HEADSET_JACK] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc_fixup_headset_jack,
+ },
+ [ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE] = {
+ .type = HDA_FIXUP_PINS,
+@@ -7143,7 +7159,8 @@ static const struct hda_model_fixup alc269_fixup_models[] = {
+ {.id = ALC255_FIXUP_DUMMY_LINEOUT_VERB, .name = "alc255-dummy-lineout"},
+ {.id = ALC255_FIXUP_DELL_HEADSET_MIC, .name = "alc255-dell-headset"},
+ {.id = ALC295_FIXUP_HP_X360, .name = "alc295-hp-x360"},
+- {.id = ALC295_FIXUP_CHROME_BOOK, .name = "alc-sense-combo"},
++ {.id = ALC225_FIXUP_HEADSET_JACK, .name = "alc-headset-jack"},
++ {.id = ALC295_FIXUP_CHROME_BOOK, .name = "alc-chrome-book"},
+ {.id = ALC299_FIXUP_PREDATOR_SPK, .name = "predator-spk"},
+ {}
+ };
+--
+2.19.1
+
--- /dev/null
+From 6471bc7725e4ff233f56eeba295ed87c875fa9cb Mon Sep 17 00:00:00 2001
+From: Paolo Valente <paolo.valente@linaro.org>
+Date: Wed, 10 Apr 2019 10:38:33 +0200
+Subject: block, bfq: fix use after free in bfq_bfqq_expire
+
+[ Upstream commit eed47d19d9362bdd958e4ab56af480b9dbf6b2b6 ]
+
+The function bfq_bfqq_expire() invokes the function
+__bfq_bfqq_expire(), and the latter may free the in-service bfq-queue.
+If this happens, then no other instruction of bfq_bfqq_expire() must
+be executed, or a use-after-free will occur.
+
+Basing on the assumption that __bfq_bfqq_expire() invokes
+bfq_put_queue() on the in-service bfq-queue exactly once, the queue is
+assumed to be freed if its refcounter is equal to one right before
+invoking __bfq_bfqq_expire().
+
+But, since commit 9dee8b3b057e ("block, bfq: fix queue removal from
+weights tree") this assumption is false. __bfq_bfqq_expire() may also
+invoke bfq_weights_tree_remove() and, since commit 9dee8b3b057e
+("block, bfq: fix queue removal from weights tree"), also
+the latter function may invoke bfq_put_queue(). So __bfq_bfqq_expire()
+may invoke bfq_put_queue() twice, and this is the actual case where
+the in-service queue may happen to be freed.
+
+To address this issue, this commit moves the check on the refcounter
+of the queue right around the last bfq_put_queue() that may be invoked
+on the queue.
+
+Fixes: 9dee8b3b057e ("block, bfq: fix queue removal from weights tree")
+Reported-by: Dmitrii Tcvetkov <demfloro@demfloro.ru>
+Reported-by: Douglas Anderson <dianders@chromium.org>
+Tested-by: Dmitrii Tcvetkov <demfloro@demfloro.ru>
+Tested-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Paolo Valente <paolo.valente@linaro.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 15 +++++++--------
+ block/bfq-iosched.h | 2 +-
+ block/bfq-wf2q.c | 17 +++++++++++++++--
+ 3 files changed, 23 insertions(+), 11 deletions(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index e5ed28629271..72510c470001 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -2804,7 +2804,7 @@ static void bfq_dispatch_remove(struct request_queue *q, struct request *rq)
+ bfq_remove_request(q, rq);
+ }
+
+-static void __bfq_bfqq_expire(struct bfq_data *bfqd, struct bfq_queue *bfqq)
++static bool __bfq_bfqq_expire(struct bfq_data *bfqd, struct bfq_queue *bfqq)
+ {
+ /*
+ * If this bfqq is shared between multiple processes, check
+@@ -2837,9 +2837,11 @@ static void __bfq_bfqq_expire(struct bfq_data *bfqd, struct bfq_queue *bfqq)
+ /*
+ * All in-service entities must have been properly deactivated
+ * or requeued before executing the next function, which
+- * resets all in-service entites as no more in service.
++ * resets all in-service entities as no more in service. This
++ * may cause bfqq to be freed. If this happens, the next
++ * function returns true.
+ */
+- __bfq_bfqd_reset_in_service(bfqd);
++ return __bfq_bfqd_reset_in_service(bfqd);
+ }
+
+ /**
+@@ -3244,7 +3246,6 @@ void bfq_bfqq_expire(struct bfq_data *bfqd,
+ bool slow;
+ unsigned long delta = 0;
+ struct bfq_entity *entity = &bfqq->entity;
+- int ref;
+
+ /*
+ * Check whether the process is slow (see bfq_bfqq_is_slow).
+@@ -3313,10 +3314,8 @@ void bfq_bfqq_expire(struct bfq_data *bfqd,
+ * reason.
+ */
+ __bfq_bfqq_recalc_budget(bfqd, bfqq, reason);
+- ref = bfqq->ref;
+- __bfq_bfqq_expire(bfqd, bfqq);
+-
+- if (ref == 1) /* bfqq is gone, no more actions on it */
++ if (__bfq_bfqq_expire(bfqd, bfqq))
++ /* bfqq is gone, no more actions on it */
+ return;
+
+ bfqq->injected_service = 0;
+diff --git a/block/bfq-iosched.h b/block/bfq-iosched.h
+index 746bd570b85a..ca98c98a8179 100644
+--- a/block/bfq-iosched.h
++++ b/block/bfq-iosched.h
+@@ -993,7 +993,7 @@ bool __bfq_deactivate_entity(struct bfq_entity *entity,
+ bool ins_into_idle_tree);
+ bool next_queue_may_preempt(struct bfq_data *bfqd);
+ struct bfq_queue *bfq_get_next_queue(struct bfq_data *bfqd);
+-void __bfq_bfqd_reset_in_service(struct bfq_data *bfqd);
++bool __bfq_bfqd_reset_in_service(struct bfq_data *bfqd);
+ void bfq_deactivate_bfqq(struct bfq_data *bfqd, struct bfq_queue *bfqq,
+ bool ins_into_idle_tree, bool expiration);
+ void bfq_activate_bfqq(struct bfq_data *bfqd, struct bfq_queue *bfqq);
+diff --git a/block/bfq-wf2q.c b/block/bfq-wf2q.c
+index 4aab1a8191f0..8077bf71d2ac 100644
+--- a/block/bfq-wf2q.c
++++ b/block/bfq-wf2q.c
+@@ -1599,7 +1599,8 @@ struct bfq_queue *bfq_get_next_queue(struct bfq_data *bfqd)
+ return bfqq;
+ }
+
+-void __bfq_bfqd_reset_in_service(struct bfq_data *bfqd)
++/* returns true if the in-service queue gets freed */
++bool __bfq_bfqd_reset_in_service(struct bfq_data *bfqd)
+ {
+ struct bfq_queue *in_serv_bfqq = bfqd->in_service_queue;
+ struct bfq_entity *in_serv_entity = &in_serv_bfqq->entity;
+@@ -1623,8 +1624,20 @@ void __bfq_bfqd_reset_in_service(struct bfq_data *bfqd)
+ * service tree either, then release the service reference to
+ * the queue it represents (taken with bfq_get_entity).
+ */
+- if (!in_serv_entity->on_st)
++ if (!in_serv_entity->on_st) {
++ /*
++ * If no process is referencing in_serv_bfqq any
++ * longer, then the service reference may be the only
++ * reference to the queue. If this is the case, then
++ * bfqq gets freed here.
++ */
++ int ref = in_serv_bfqq->ref;
+ bfq_put_queue(in_serv_bfqq);
++ if (ref == 1)
++ return true;
++ }
++
++ return false;
+ }
+
+ void bfq_deactivate_bfqq(struct bfq_data *bfqd, struct bfq_queue *bfqq,
+--
+2.19.1
+
--- /dev/null
+From f837e448c47f20117933a180dfad6250aad02315 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Tue, 23 Apr 2019 16:39:45 +1000
+Subject: cifs: fix memory leak in SMB2_read
+
+[ Upstream commit 05fd5c2c61732152a6bddc318aae62d7e436629b ]
+
+Commit 088aaf17aa79300cab14dbee2569c58cfafd7d6e introduced a leak where
+if SMB2_read() returned an error we would return without freeing the
+request buffer.
+
+Cc: Stable <stable@vger.kernel.org>
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2pdu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index 938e75cc3b66..85a3c051e622 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -3402,6 +3402,7 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms,
+ rc);
+ }
+ free_rsp_buf(resp_buftype, rsp_iov.iov_base);
++ cifs_small_buf_release(req);
+ return rc == -ENODATA ? 0 : rc;
+ } else
+ trace_smb3_read_done(xid, req->PersistentFileId,
+--
+2.19.1
+
--- /dev/null
+From c921a41961d3ee46eb01044967eedf46489ce833 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 25 Apr 2019 22:24:05 -0700
+Subject: fs/proc/proc_sysctl.c: Fix a NULL pointer dereference
+
+[ Upstream commit 89189557b47b35683a27c80ee78aef18248eefb4 ]
+
+Syzkaller report this:
+
+ sysctl could not get directory: /net//bridge -12
+ kasan: CONFIG_KASAN_INLINE enabled
+ kasan: GPF could be caused by NULL-ptr deref or user memory access
+ general protection fault: 0000 [#1] SMP KASAN PTI
+ CPU: 1 PID: 7027 Comm: syz-executor.0 Tainted: G C 5.1.0-rc3+ #8
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+ RIP: 0010:__write_once_size include/linux/compiler.h:220 [inline]
+ RIP: 0010:__rb_change_child include/linux/rbtree_augmented.h:144 [inline]
+ RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:186 [inline]
+ RIP: 0010:rb_erase+0x5f4/0x19f0 lib/rbtree.c:459
+ Code: 00 0f 85 60 13 00 00 48 89 1a 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 0c 00 00 4d 85 ed 4c 89 2e 74 ce 4c 89 ea 48
+ RSP: 0018:ffff8881bb507778 EFLAGS: 00010206
+ RAX: dffffc0000000000 RBX: ffff8881f224b5b8 RCX: ffffffff818f3f6a
+ RDX: 000000000000000a RSI: 0000000000000050 RDI: ffff8881f224b568
+ RBP: 0000000000000000 R08: ffffed10376a0ef4 R09: ffffed10376a0ef4
+ R10: 0000000000000001 R11: ffffed10376a0ef4 R12: ffff8881f224b558
+ R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ FS: 00007f3e7ce13700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fd60fbe9398 CR3: 00000001cb55c001 CR4: 00000000007606e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ erase_entry fs/proc/proc_sysctl.c:178 [inline]
+ erase_header+0xe3/0x160 fs/proc/proc_sysctl.c:207
+ start_unregistering fs/proc/proc_sysctl.c:331 [inline]
+ drop_sysctl_table+0x558/0x880 fs/proc/proc_sysctl.c:1631
+ get_subdir fs/proc/proc_sysctl.c:1022 [inline]
+ __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335
+ br_netfilter_init+0x68/0x1000 [br_netfilter]
+ do_one_initcall+0xbc/0x47d init/main.c:901
+ do_init_module+0x1b5/0x547 kernel/module.c:3456
+ load_module+0x6405/0x8c10 kernel/module.c:3804
+ __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
+ do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ Modules linked in: br_netfilter(+) backlight comedi(C) hid_sensor_hub max3100 ti_ads8688 udc_core fddi snd_mona leds_gpio rc_streamzap mtd pata_netcell nf_log_common rc_winfast udp_tunnel snd_usbmidi_lib snd_usb_toneport snd_usb_line6 snd_rawmidi snd_seq_device snd_hwdep videobuf2_v4l2 videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops rc_gadmei_rm008z 8250_of smm665 hid_tmff hid_saitek hwmon_vid rc_ati_tv_wonder_hd_600 rc_core pata_pdc202xx_old dn_rtmsg as3722 ad714x_i2c ad714x snd_soc_cs4265 hid_kensington panel_ilitek_ili9322 drm drm_panel_orientation_quirks ipack cdc_phonet usbcore phonet hid_jabra hid extcon_arizona can_dev industrialio_triggered_buffer kfifo_buf industrialio adm1031 i2c_mux_ltc4306 i2c_mux ipmi_msghandler mlxsw_core snd_soc_cs35l34 snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer ac97_bus snd_compress snd soundcore gpio_da9055 uio ecdh_generic mdio_thunder of_mdio fixed_phy libphy mdio_cavium iptable_security iptable_raw iptable_mangle
+ iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel ide_pci_generic piix aes_x86_64 crypto_simd cryptd ide_core glue_helper input_leds psmouse intel_agp intel_gtt serio_raw ata_generic i2c_piix4 agpgart pata_acpi parport_pc parport floppy rtc_cmos sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: br_netfilter]
+ Dumping ftrace buffer:
+ (ftrace buffer empty)
+ ---[ end trace 68741688d5fbfe85 ]---
+
+commit 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer
+dereference in put_links") forgot to handle start_unregistering() case,
+while header->parent is NULL, it calls erase_header() and as seen in the
+above syzkaller call trace, accessing &header->parent->root will trigger
+a NULL pointer dereference.
+
+As that commit explained, there is also no need to call
+start_unregistering() if header->parent is NULL.
+
+Link: http://lkml.kernel.org/r/20190409153622.28112-1-yuehaibing@huawei.com
+Fixes: 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links")
+Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Cc: Luis Chamberlain <mcgrof@kernel.org>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/proc_sysctl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
+index d65390727541..7325baa8f9d4 100644
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -1626,9 +1626,11 @@ static void drop_sysctl_table(struct ctl_table_header *header)
+ if (--header->nreg)
+ return;
+
+- if (parent)
++ if (parent) {
+ put_links(header);
+- start_unregistering(header);
++ start_unregistering(header);
++ }
++
+ if (!--header->count)
+ kfree_rcu(header, rcu);
+
+--
+2.19.1
+
--- /dev/null
+From 195806445dc8a91cd24ce88c6b4d2893d9e5b464 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Fri, 1 Mar 2019 10:09:55 +0200
+Subject: intel_th: gth: Fix an off-by-one in output unassigning
+
+[ Upstream commit 91d3f8a629849968dc91d6ce54f2d46abf4feb7f ]
+
+Commit 9ed3f22223c3 ("intel_th: Don't reference unassigned outputs")
+fixes a NULL dereference for all masters except the last one ("256+"),
+which keeps the stale pointer after the output driver had been unassigned.
+
+Fix the off-by-one.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: 9ed3f22223c3 ("intel_th: Don't reference unassigned outputs")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/intel_th/gth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwtracing/intel_th/gth.c b/drivers/hwtracing/intel_th/gth.c
+index cc287cf6eb29..edc52d75e6bd 100644
+--- a/drivers/hwtracing/intel_th/gth.c
++++ b/drivers/hwtracing/intel_th/gth.c
+@@ -616,7 +616,7 @@ static void intel_th_gth_unassign(struct intel_th_device *thdev,
+ othdev->output.port = -1;
+ othdev->output.active = false;
+ gth->output[port].output = NULL;
+- for (master = 0; master < TH_CONFIGURABLE_MASTERS; master++)
++ for (master = 0; master <= TH_CONFIGURABLE_MASTERS; master++)
+ if (gth->master[master] == port)
+ gth->master[master] = -1;
+ spin_unlock(>h->gth_lock);
+--
+2.19.1
+
--- /dev/null
+From 2e8c16fd1fdf0088cbbde5e050f92cc197bf38b8 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 14 Mar 2019 10:50:20 +0100
+Subject: netfilter: nf_tables: bogus EBUSY in helper removal from transaction
+
+[ Upstream commit 8ffcd32f64633926163cdd07a7d295c500a947d1 ]
+
+Proper use counter updates when activating and deactivating the object,
+otherwise, this hits bogus EBUSY error.
+
+Fixes: cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate and destroy phase")
+Reported-by: Laura Garcia <nevola@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_objref.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nft_objref.c b/net/netfilter/nft_objref.c
+index d8737c115257..bf92a40dd1b2 100644
+--- a/net/netfilter/nft_objref.c
++++ b/net/netfilter/nft_objref.c
+@@ -64,21 +64,34 @@ nla_put_failure:
+ return -1;
+ }
+
+-static void nft_objref_destroy(const struct nft_ctx *ctx,
+- const struct nft_expr *expr)
++static void nft_objref_deactivate(const struct nft_ctx *ctx,
++ const struct nft_expr *expr,
++ enum nft_trans_phase phase)
+ {
+ struct nft_object *obj = nft_objref_priv(expr);
+
++ if (phase == NFT_TRANS_COMMIT)
++ return;
++
+ obj->use--;
+ }
+
++static void nft_objref_activate(const struct nft_ctx *ctx,
++ const struct nft_expr *expr)
++{
++ struct nft_object *obj = nft_objref_priv(expr);
++
++ obj->use++;
++}
++
+ static struct nft_expr_type nft_objref_type;
+ static const struct nft_expr_ops nft_objref_ops = {
+ .type = &nft_objref_type,
+ .size = NFT_EXPR_SIZE(sizeof(struct nft_object *)),
+ .eval = nft_objref_eval,
+ .init = nft_objref_init,
+- .destroy = nft_objref_destroy,
++ .activate = nft_objref_activate,
++ .deactivate = nft_objref_deactivate,
+ .dump = nft_objref_dump,
+ };
+
+--
+2.19.1
+
--- /dev/null
+From cde4a3e910919f5b01be7dfa728ee735fa8f9937 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri, 8 Mar 2019 15:30:03 +0100
+Subject: netfilter: nf_tables: bogus EBUSY when deleting set after flush
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 273fe3f1006ea5ebc63d6729e43e8e45e32b256a ]
+
+Set deletion after flush coming in the same batch results in EBUSY. Add
+set use counter to track the number of references to this set from
+rules. We cannot rely on the list of bindings for this since such list
+is still populated from the preparation phase.
+
+Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_tables.h | 6 ++++++
+ net/netfilter/nf_tables_api.c | 28 +++++++++++++++++++++++++++-
+ net/netfilter/nft_dynset.c | 13 +++++++++----
+ net/netfilter/nft_lookup.c | 13 +++++++++----
+ net/netfilter/nft_objref.c | 13 +++++++++----
+ 5 files changed, 60 insertions(+), 13 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index 0612439909dc..9e0b9ecb43db 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -382,6 +382,7 @@ void nft_unregister_set(struct nft_set_type *type);
+ * @dtype: data type (verdict or numeric type defined by userspace)
+ * @objtype: object type (see NFT_OBJECT_* definitions)
+ * @size: maximum set size
++ * @use: number of rules references to this set
+ * @nelems: number of elements
+ * @ndeact: number of deactivated elements queued for removal
+ * @timeout: default timeout value in jiffies
+@@ -407,6 +408,7 @@ struct nft_set {
+ u32 dtype;
+ u32 objtype;
+ u32 size;
++ u32 use;
+ atomic_t nelems;
+ u32 ndeact;
+ u64 timeout;
+@@ -467,6 +469,10 @@ struct nft_set_binding {
+ u32 flags;
+ };
+
++enum nft_trans_phase;
++void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
++ struct nft_set_binding *binding,
++ enum nft_trans_phase phase);
+ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
+ struct nft_set_binding *binding);
+ void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index acb124ce92ec..e2aac80f9b7b 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3624,6 +3624,9 @@ err1:
+
+ static void nft_set_destroy(struct nft_set *set)
+ {
++ if (WARN_ON(set->use > 0))
++ return;
++
+ set->ops->destroy(set);
+ module_put(to_set_type(set->ops)->owner);
+ kfree(set->name);
+@@ -3664,7 +3667,7 @@ static int nf_tables_delset(struct net *net, struct sock *nlsk,
+ NL_SET_BAD_ATTR(extack, attr);
+ return PTR_ERR(set);
+ }
+- if (!list_empty(&set->bindings) ||
++ if (set->use ||
+ (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
+ NL_SET_BAD_ATTR(extack, attr);
+ return -EBUSY;
+@@ -3694,6 +3697,9 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
+ struct nft_set_binding *i;
+ struct nft_set_iter iter;
+
++ if (set->use == UINT_MAX)
++ return -EOVERFLOW;
++
+ if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
+ return -EBUSY;
+
+@@ -3721,6 +3727,7 @@ bind:
+ binding->chain = ctx->chain;
+ list_add_tail_rcu(&binding->list, &set->bindings);
+ nft_set_trans_bind(ctx, set);
++ set->use++;
+
+ return 0;
+ }
+@@ -3740,6 +3747,25 @@ void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
+ }
+ EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
+
++void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
++ struct nft_set_binding *binding,
++ enum nft_trans_phase phase)
++{
++ switch (phase) {
++ case NFT_TRANS_PREPARE:
++ set->use--;
++ return;
++ case NFT_TRANS_ABORT:
++ case NFT_TRANS_RELEASE:
++ set->use--;
++ /* fall through */
++ default:
++ nf_tables_unbind_set(ctx, set, binding,
++ phase == NFT_TRANS_COMMIT);
++ }
++}
++EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
++
+ void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
+ {
+ if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
+diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
+index f1172f99752b..eb7f9a5f2aeb 100644
+--- a/net/netfilter/nft_dynset.c
++++ b/net/netfilter/nft_dynset.c
+@@ -241,11 +241,15 @@ static void nft_dynset_deactivate(const struct nft_ctx *ctx,
+ {
+ struct nft_dynset *priv = nft_expr_priv(expr);
+
+- if (phase == NFT_TRANS_PREPARE)
+- return;
++ nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase);
++}
++
++static void nft_dynset_activate(const struct nft_ctx *ctx,
++ const struct nft_expr *expr)
++{
++ struct nft_dynset *priv = nft_expr_priv(expr);
+
+- nf_tables_unbind_set(ctx, priv->set, &priv->binding,
+- phase == NFT_TRANS_COMMIT);
++ priv->set->use++;
+ }
+
+ static void nft_dynset_destroy(const struct nft_ctx *ctx,
+@@ -293,6 +297,7 @@ static const struct nft_expr_ops nft_dynset_ops = {
+ .eval = nft_dynset_eval,
+ .init = nft_dynset_init,
+ .destroy = nft_dynset_destroy,
++ .activate = nft_dynset_activate,
+ .deactivate = nft_dynset_deactivate,
+ .dump = nft_dynset_dump,
+ };
+diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
+index 14496da5141d..161c3451a747 100644
+--- a/net/netfilter/nft_lookup.c
++++ b/net/netfilter/nft_lookup.c
+@@ -127,11 +127,15 @@ static void nft_lookup_deactivate(const struct nft_ctx *ctx,
+ {
+ struct nft_lookup *priv = nft_expr_priv(expr);
+
+- if (phase == NFT_TRANS_PREPARE)
+- return;
++ nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase);
++}
++
++static void nft_lookup_activate(const struct nft_ctx *ctx,
++ const struct nft_expr *expr)
++{
++ struct nft_lookup *priv = nft_expr_priv(expr);
+
+- nf_tables_unbind_set(ctx, priv->set, &priv->binding,
+- phase == NFT_TRANS_COMMIT);
++ priv->set->use++;
+ }
+
+ static void nft_lookup_destroy(const struct nft_ctx *ctx,
+@@ -222,6 +226,7 @@ static const struct nft_expr_ops nft_lookup_ops = {
+ .size = NFT_EXPR_SIZE(sizeof(struct nft_lookup)),
+ .eval = nft_lookup_eval,
+ .init = nft_lookup_init,
++ .activate = nft_lookup_activate,
+ .deactivate = nft_lookup_deactivate,
+ .destroy = nft_lookup_destroy,
+ .dump = nft_lookup_dump,
+diff --git a/net/netfilter/nft_objref.c b/net/netfilter/nft_objref.c
+index ae178e914486..d8737c115257 100644
+--- a/net/netfilter/nft_objref.c
++++ b/net/netfilter/nft_objref.c
+@@ -161,11 +161,15 @@ static void nft_objref_map_deactivate(const struct nft_ctx *ctx,
+ {
+ struct nft_objref_map *priv = nft_expr_priv(expr);
+
+- if (phase == NFT_TRANS_PREPARE)
+- return;
++ nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase);
++}
++
++static void nft_objref_map_activate(const struct nft_ctx *ctx,
++ const struct nft_expr *expr)
++{
++ struct nft_objref_map *priv = nft_expr_priv(expr);
+
+- nf_tables_unbind_set(ctx, priv->set, &priv->binding,
+- phase == NFT_TRANS_COMMIT);
++ priv->set->use++;
+ }
+
+ static void nft_objref_map_destroy(const struct nft_ctx *ctx,
+@@ -182,6 +186,7 @@ static const struct nft_expr_ops nft_objref_map_ops = {
+ .size = NFT_EXPR_SIZE(sizeof(struct nft_objref_map)),
+ .eval = nft_objref_map_eval,
+ .init = nft_objref_map_init,
++ .activate = nft_objref_map_activate,
+ .deactivate = nft_objref_map_deactivate,
+ .destroy = nft_objref_map_destroy,
+ .dump = nft_objref_map_dump,
+--
+2.19.1
+
--- /dev/null
+From 0e20067714cf44e7cdf36ab315b814192e28d9ca Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Thu, 4 Apr 2019 12:20:05 +0000
+Subject: powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64
+
+[ Upstream commit dd9a994fc68d196a052b73747e3366c57d14a09e ]
+
+Commit b5b4453e7912 ("powerpc/vdso64: Fix CLOCK_MONOTONIC
+inconsistencies across Y2038") changed the type of wtom_clock_sec
+to s64 on PPC64. Therefore, VDSO32 needs to read it with a 4 bytes
+shift in order to retrieve the lower part of it.
+
+Fixes: b5b4453e7912 ("powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038")
+Reported-by: Christian Zigotzky <chzigotzky@xenosoft.de>
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/vdso32/gettimeofday.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/vdso32/gettimeofday.S b/arch/powerpc/kernel/vdso32/gettimeofday.S
+index 1e0bc5955a40..afd516b572f8 100644
+--- a/arch/powerpc/kernel/vdso32/gettimeofday.S
++++ b/arch/powerpc/kernel/vdso32/gettimeofday.S
+@@ -98,7 +98,7 @@ V_FUNCTION_BEGIN(__kernel_clock_gettime)
+ * can be used, r7 contains NSEC_PER_SEC.
+ */
+
+- lwz r5,WTOM_CLOCK_SEC(r9)
++ lwz r5,(WTOM_CLOCK_SEC+LOPART)(r9)
+ lwz r6,WTOM_CLOCK_NSEC(r9)
+
+ /* We now have our offset in r5,r6. We create a fake dependency
+--
+2.19.1
+
--- /dev/null
+netfilter-nf_tables-bogus-ebusy-when-deleting-set-af.patch
+netfilter-nf_tables-bogus-ebusy-in-helper-removal-fr.patch
+intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch
+powerpc-vdso32-fix-clock_monotonic-on-ppc64.patch
+alsa-hda-realtek-move-to-act_init-state.patch
+fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch
+block-bfq-fix-use-after-free-in-bfq_bfqq_expire.patch
+cifs-fix-memory-leak-in-smb2_read.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
