--- /dev/null
+From foo@baz Tue Nov 13 16:15:51 PST 2018
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Tue, 28 Aug 2018 07:32:35 +0900
+Subject: 9p: clear dangling pointers in p9stat_free
+
+From: Dominique Martinet <dominique.martinet@cea.fr>
+
+[ Upstream commit 62e3941776fea8678bb8120607039410b1b61a65 ]
+
+p9stat_free is more of a cleanup function than a 'free' function as it
+only frees the content of the struct; there are chances of use-after-free
+if it is improperly used (e.g. p9stat_free called twice as it used to be
+possible to)
+
+Clearing dangling pointers makes the function idempotent and safer to use.
+
+Link: http://lkml.kernel.org/r/1535410108-20650-2-git-send-email-asmadeus@codewreck.org
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/9p/protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/9p/protocol.c
++++ b/net/9p/protocol.c
+@@ -46,10 +46,15 @@ p9pdu_writef(struct p9_fcall *pdu, int p
+ void p9stat_free(struct p9_wstat *stbuf)
+ {
+ kfree(stbuf->name);
++ stbuf->name = NULL;
+ kfree(stbuf->uid);
++ stbuf->uid = NULL;
+ kfree(stbuf->gid);
++ stbuf->gid = NULL;
+ kfree(stbuf->muid);
++ stbuf->muid = NULL;
+ kfree(stbuf->extension);
++ stbuf->extension = NULL;
+ }
+ EXPORT_SYMBOL(p9stat_free);
+
--- /dev/null
+From foo@baz Tue Nov 13 16:15:51 PST 2018
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Sat, 8 Sep 2018 01:18:43 +0900
+Subject: 9p locks: fix glock.client_id leak in do_lock
+
+From: Dominique Martinet <dominique.martinet@cea.fr>
+
+[ Upstream commit b4dc44b3cac9e8327e0655f530ed0c46f2e6214c ]
+
+the 9p client code overwrites our glock.client_id pointing to a static
+buffer by an allocated string holding the network provided value which
+we do not care about; free and reset the value as appropriate.
+
+This is almost identical to the leak in v9fs_file_getlock() fixed by
+Al Viro in commit ce85dd58ad5a6 ("9p: we are leaking glock.client_id
+in v9fs_file_getlock()"), which was returned as an error by a coverity
+false positive -- while we are here attempt to make the code slightly
+more robust to future change of the net/9p/client code and hopefully
+more clear to coverity that there is no problem.
+
+Link: http://lkml.kernel.org/r/1536339057-21974-5-git-send-email-asmadeus@codewreck.org
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/9p/vfs_file.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/fs/9p/vfs_file.c
++++ b/fs/9p/vfs_file.c
+@@ -204,6 +204,14 @@ static int v9fs_file_do_lock(struct file
+ break;
+ if (schedule_timeout_interruptible(P9_LOCK_TIMEOUT) != 0)
+ break;
++ /*
++ * p9_client_lock_dotl overwrites flock.client_id with the
++ * server message, free and reuse the client name
++ */
++ if (flock.client_id != fid->clnt->name) {
++ kfree(flock.client_id);
++ flock.client_id = fid->clnt->name;
++ }
+ }
+
+ /* map 9p status to VFS status */
+@@ -235,6 +243,8 @@ out_unlock:
+ locks_lock_file_wait(filp, fl);
+ fl->fl_type = fl_type;
+ }
++ if (flock.client_id != fid->clnt->name)
++ kfree(flock.client_id);
+ out:
+ return res;
+ }
+@@ -269,7 +279,7 @@ static int v9fs_file_getlock(struct file
+
+ res = p9_client_getlock_dotl(fid, &glock);
+ if (res < 0)
+- return res;
++ goto out;
+ /* map 9p lock type to os lock type */
+ switch (glock.type) {
+ case P9_LOCK_TYPE_RDLCK:
+@@ -290,7 +300,9 @@ static int v9fs_file_getlock(struct file
+ fl->fl_end = glock.start + glock.length - 1;
+ fl->fl_pid = glock.proc_id;
+ }
+- kfree(glock.client_id);
++out:
++ if (glock.client_id != fid->clnt->name)
++ kfree(glock.client_id);
+ return res;
+ }
+
--- /dev/null
+From foo@baz Tue Nov 13 16:15:51 PST 2018
+From: Fabio Estevam <fabio.estevam@nxp.com>
+Date: Mon, 10 Sep 2018 14:45:23 -0300
+Subject: ARM: imx_v6_v7_defconfig: Select CONFIG_TMPFS_POSIX_ACL
+
+From: Fabio Estevam <fabio.estevam@nxp.com>
+
+[ Upstream commit 35d3cbe84544da74e39e1cec01374092467e3119 ]
+
+Andreas Müller reports:
+
+"Fixes:
+
+| Sep 04 09:05:10 imx6qdl-variscite-som systemd-udevd[220]: Failed to apply ACL on /dev/v4l-subdev0: Operation not supported
+| Sep 04 09:05:10 imx6qdl-variscite-som systemd-udevd[224]: Failed to apply ACL on /dev/v4l-subdev1: Operation not supported
+| Sep 04 09:05:10 imx6qdl-variscite-som systemd-udevd[215]: Failed to apply ACL on /dev/v4l-subdev10: Operation not supported
+| Sep 04 09:05:10 imx6qdl-variscite-som systemd-udevd[228]: Failed to apply ACL on /dev/v4l-subdev2: Operation not supported
+| Sep 04 09:05:10 imx6qdl-variscite-som systemd-udevd[232]: Failed to apply ACL on /dev/v4l-subdev5: Operation not supported
+| Sep 04 09:05:10 imx6qdl-variscite-som systemd-udevd[217]: Failed to apply ACL on /dev/v4l-subdev11: Operation not supported
+| Sep 04 09:05:10 imx6qdl-variscite-som systemd-udevd[214]: Failed to apply ACL on /dev/dri/card1: Operation not supported
+| Sep 04 09:05:10 imx6qdl-variscite-som systemd-udevd[216]: Failed to apply ACL on /dev/v4l-subdev8: Operation not supported
+| Sep 04 09:05:10 imx6qdl-variscite-som systemd-udevd[226]: Failed to apply ACL on /dev/v4l-subdev9: Operation not supported
+
+and nasty follow-ups: Starting weston from sddm as unpriviledged user fails
+with some hints on missing access rights."
+
+Select the CONFIG_TMPFS_POSIX_ACL option to fix these issues.
+
+Reported-by: Andreas Müller <schnitzeltony@gmail.com>
+Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
+Acked-by: Otavio Salvador <otavio@ossystems.com.br>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/configs/imx_v6_v7_defconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/configs/imx_v6_v7_defconfig
++++ b/arch/arm/configs/imx_v6_v7_defconfig
+@@ -361,6 +361,7 @@ CONFIG_ZISOFS=y
+ CONFIG_UDF_FS=m
+ CONFIG_MSDOS_FS=m
+ CONFIG_VFAT_FS=y
++CONFIG_TMPFS_POSIX_ACL=y
+ CONFIG_JFFS2_FS=y
+ CONFIG_UBIFS_FS=y
+ CONFIG_NFS_FS=y
--- /dev/null
+From e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276 Mon Sep 17 00:00:00 2001
+From: Young_X <YangX92@hotmail.com>
+Date: Wed, 3 Oct 2018 12:54:29 +0000
+Subject: cdrom: fix improper type cast, which can leat to information leak.
+
+From: Young_X <YangX92@hotmail.com>
+
+commit e4f3aa2e1e67bb48dfbaaf1cad59013d5a5bc276 upstream.
+
+There is another cast from unsigned long to int which causes
+a bounds check to fail with specially crafted input. The value is
+then used as an index in the slot array in cdrom_slot_status().
+
+This issue is similar to CVE-2018-16658 and CVE-2018-10940.
+
+Signed-off-by: Young_X <YangX92@hotmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cdrom/cdrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2435,7 +2435,7 @@ static int cdrom_ioctl_select_disc(struc
+ return -ENOSYS;
+
+ if (arg != CDSL_CURRENT && arg != CDSL_NONE) {
+- if ((int)arg >= cdi->capacity)
++ if (arg >= cdi->capacity)
+ return -EINVAL;
+ }
+
--- /dev/null
+From foo@baz Tue Nov 13 16:15:51 PST 2018
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Date: Wed, 26 Sep 2018 12:11:27 +0300
+Subject: drm/omap: fix memory barrier bug in DMM driver
+
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+
+[ Upstream commit 538f66ba204944470a653a4cccc5f8befdf97c22 ]
+
+A DMM timeout "timed out waiting for done" has been observed on DRA7
+devices. The timeout happens rarely, and only when the system is under
+heavy load.
+
+Debugging showed that the timeout can be made to happen much more
+frequently by optimizing the DMM driver, so that there's almost no code
+between writing the last DMM descriptors to RAM, and writing to DMM
+register which starts the DMM transaction.
+
+The current theory is that a wmb() does not properly ensure that the
+data written to RAM is observable by all the components in the system.
+
+This DMM timeout has caused interesting (and rare) bugs as the error
+handling was not functioning properly (the error handling has been fixed
+in previous commits):
+
+ * If a DMM timeout happened when a GEM buffer was being pinned for
+ display on the screen, a timeout error would be shown, but the driver
+ would continue programming DSS HW with broken buffer, leading to
+ SYNCLOST floods and possible crashes.
+
+ * If a DMM timeout happened when other user (say, video decoder) was
+ pinning a GEM buffer, a timeout would be shown but if the user
+ handled the error properly, no other issues followed.
+
+ * If a DMM timeout happened when a GEM buffer was being released, the
+ driver does not even notice the error, leading to crashes or hang
+ later.
+
+This patch adds wmb() and readl() calls after the last bit is written to
+RAM, which should ensure that the execution proceeds only after the data
+is actually in RAM, and thus observable by DMM.
+
+The read-back should not be needed. Further study is required to understand
+if DMM is somehow special case and read-back is ok, or if DRA7's memory
+barriers do not work correctly.
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
+@@ -273,6 +273,17 @@ static int dmm_txn_commit(struct dmm_txn
+ }
+
+ txn->last_pat->next_pa = 0;
++ /* ensure that the written descriptors are visible to DMM */
++ wmb();
++
++ /*
++ * NOTE: the wmb() above should be enough, but there seems to be a bug
++ * in OMAP's memory barrier implementation, which in some rare cases may
++ * cause the writes not to be observable after wmb().
++ */
++
++ /* read back to ensure the data is in RAM */
++ readl(&txn->last_pat->next_pa);
+
+ /* write to PAT_DESCR to clear out any pending transaction */
+ dmm_write(dmm, 0x0, reg[PAT_DESCR][engine->id]);
--- /dev/null
+From foo@baz Tue Nov 13 16:15:51 PST 2018
+From: Nicholas Mc Guire <hofrat@osadl.org>
+Date: Sun, 9 Sep 2018 12:02:32 -0400
+Subject: media: pci: cx23885: handle adding to list failure
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit c5d59528e24ad22500347b199d52b9368e686a42 ]
+
+altera_hw_filt_init() which calls append_internal() assumes
+that the node was successfully linked in while in fact it can
+silently fail. So the call-site needs to set return to -ENOMEM
+on append_internal() returning NULL and exit through the err path.
+
+Fixes: 349bcf02e361 ("[media] Altera FPGA based CI driver module")
+
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/cx23885/altera-ci.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/media/pci/cx23885/altera-ci.c
++++ b/drivers/media/pci/cx23885/altera-ci.c
+@@ -660,6 +660,10 @@ static int altera_hw_filt_init(struct al
+ }
+
+ temp_int = append_internal(inter);
++ if (!temp_int) {
++ ret = -ENOMEM;
++ goto err;
++ }
+ inter->filts_used = 1;
+ inter->dev = config->dev;
+ inter->fpga_rw = config->fpga_rw;
+@@ -694,6 +698,7 @@ err:
+ __func__, ret);
+
+ kfree(pid_filt);
++ kfree(inter);
+
+ return ret;
+ }
+@@ -728,6 +733,10 @@ int altera_ci_init(struct altera_ci_conf
+ }
+
+ temp_int = append_internal(inter);
++ if (!temp_int) {
++ ret = -ENOMEM;
++ goto err;
++ }
+ inter->cis_used = 1;
+ inter->dev = config->dev;
+ inter->fpga_rw = config->fpga_rw;
+@@ -796,6 +805,7 @@ err:
+ ci_dbg_print("%s: Cannot initialize CI: Error %d.\n", __func__, ret);
+
+ kfree(state);
++ kfree(inter);
+
+ return ret;
+ }
--- /dev/null
+From foo@baz Tue Nov 13 16:15:51 PST 2018
+From: Marco Felsch <m.felsch@pengutronix.de>
+Date: Thu, 28 Jun 2018 12:20:33 -0400
+Subject: media: tvp5150: fix width alignment during set_selection()
+
+From: Marco Felsch <m.felsch@pengutronix.de>
+
+[ Upstream commit bd24db04101f45a9c1d874fe21b0c7eab7bcadec ]
+
+The driver ignored the width alignment which exists due to the UYVY
+colorspace format. Fix the width alignment and make use of the the
+provided v4l2 helper function to set the width, height and all
+alignments in one.
+
+Fixes: 963ddc63e20d ("[media] media: tvp5150: Add cropping support")
+
+Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/tvp5150.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/i2c/tvp5150.c
++++ b/drivers/media/i2c/tvp5150.c
+@@ -897,9 +897,6 @@ static int tvp5150_set_selection(struct
+
+ /* tvp5150 has some special limits */
+ rect.left = clamp(rect.left, 0, TVP5150_MAX_CROP_LEFT);
+- rect.width = clamp_t(unsigned int, rect.width,
+- TVP5150_H_MAX - TVP5150_MAX_CROP_LEFT - rect.left,
+- TVP5150_H_MAX - rect.left);
+ rect.top = clamp(rect.top, 0, TVP5150_MAX_CROP_TOP);
+
+ /* Calculate height based on current standard */
+@@ -913,9 +910,16 @@ static int tvp5150_set_selection(struct
+ else
+ hmax = TVP5150_V_MAX_OTHERS;
+
+- rect.height = clamp_t(unsigned int, rect.height,
++ /*
++ * alignments:
++ * - width = 2 due to UYVY colorspace
++ * - height, image = no special alignment
++ */
++ v4l_bound_align_image(&rect.width,
++ TVP5150_H_MAX - TVP5150_MAX_CROP_LEFT - rect.left,
++ TVP5150_H_MAX - rect.left, 1, &rect.height,
+ hmax - TVP5150_MAX_CROP_TOP - rect.top,
+- hmax - rect.top);
++ hmax - rect.top, 0, 0);
+
+ tvp5150_write(sd, TVP5150_VERT_BLANKING_START, rect.top);
+ tvp5150_write(sd, TVP5150_VERT_BLANKING_STOP,
--- /dev/null
+From foo@baz Tue Nov 13 16:15:51 PST 2018
+From: Dengcheng Zhu <dzhu@wavecomp.com>
+Date: Tue, 11 Sep 2018 14:49:20 -0700
+Subject: MIPS: kexec: Mark CPU offline before disabling local IRQ
+
+From: Dengcheng Zhu <dzhu@wavecomp.com>
+
+[ Upstream commit dc57aaf95a516f70e2d527d8287a0332c481a226 ]
+
+After changing CPU online status, it will not be sent any IPIs such as in
+__flush_cache_all() on software coherency systems. Do this before disabling
+local IRQ.
+
+Signed-off-by: Dengcheng Zhu <dzhu@wavecomp.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/20571/
+Cc: pburton@wavecomp.com
+Cc: ralf@linux-mips.org
+Cc: linux-mips@linux-mips.org
+Cc: rachel.mozes@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/kernel/crash.c | 3 +++
+ arch/mips/kernel/machine_kexec.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/arch/mips/kernel/crash.c
++++ b/arch/mips/kernel/crash.c
+@@ -34,6 +34,9 @@ static void crash_shutdown_secondary(voi
+ if (!cpu_online(cpu))
+ return;
+
++ /* We won't be sent IPIs any more. */
++ set_cpu_online(cpu, false);
++
+ local_irq_disable();
+ if (!cpumask_test_cpu(cpu, &cpus_in_crash))
+ crash_save_cpu(regs, cpu);
+--- a/arch/mips/kernel/machine_kexec.c
++++ b/arch/mips/kernel/machine_kexec.c
+@@ -96,6 +96,9 @@ machine_kexec(struct kimage *image)
+ *ptr = (unsigned long) phys_to_virt(*ptr);
+ }
+
++ /* Mark offline BEFORE disabling local irq. */
++ set_cpu_online(smp_processor_id(), false);
++
+ /*
+ * we do not want to be bothered.
+ */
--- /dev/null
+From foo@baz Tue Nov 13 16:15:51 PST 2018
+From: Huacai Chen <chenhc@lemote.com>
+Date: Sat, 15 Sep 2018 14:01:12 +0800
+Subject: MIPS/PCI: Call pcie_bus_configure_settings() to set MPS/MRRS
+
+From: Huacai Chen <chenhc@lemote.com>
+
+[ Upstream commit 2794f688b2c336e0da85e9f91fed33febbd9f54a ]
+
+Call pcie_bus_configure_settings() on MIPS, like for other platforms.
+The function pcie_bus_configure_settings() makes sure the MPS (Max
+Payload Size) across the bus is uniform and provides the ability to
+tune the MRSS (Max Read Request Size) and MPS (Max Payload Size) to
+higher performance values. Some devices will not operate properly if
+these aren't set correctly because the firmware doesn't always do it.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/20649/
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: Huacai Chen <chenhuacai@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/pci/pci-legacy.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/mips/pci/pci-legacy.c
++++ b/arch/mips/pci/pci-legacy.c
+@@ -116,8 +116,12 @@ static void pcibios_scanbus(struct pci_c
+ if (pci_has_flag(PCI_PROBE_ONLY)) {
+ pci_bus_claim_resources(bus);
+ } else {
++ struct pci_bus *child;
++
+ pci_bus_size_bridges(bus);
+ pci_bus_assign_resources(bus);
++ list_for_each_entry(child, &bus->children, node)
++ pcie_bus_configure_settings(child);
+ }
+ pci_bus_add_devices(bus);
+ }
--- /dev/null
+From foo@baz Tue Nov 13 16:15:51 PST 2018
+From: Joel Stanley <joel@jms.id.au>
+Date: Fri, 14 Sep 2018 13:36:47 +0930
+Subject: powerpc/boot: Ensure _zimage_start is a weak symbol
+
+From: Joel Stanley <joel@jms.id.au>
+
+[ Upstream commit ee9d21b3b3583712029a0db65a4b7c081d08d3b3 ]
+
+When building with clang crt0's _zimage_start is not marked weak, which
+breaks the build when linking the kernel image:
+
+ $ objdump -t arch/powerpc/boot/crt0.o |grep _zimage_start$
+ 0000000000000058 g .text 0000000000000000 _zimage_start
+
+ ld: arch/powerpc/boot/wrapper.a(crt0.o): in function '_zimage_start':
+ (.text+0x58): multiple definition of '_zimage_start';
+ arch/powerpc/boot/pseries-head.o:(.text+0x0): first defined here
+
+Clang requires the .weak directive to appear after the symbol is
+declared. The binutils manual says:
+
+ This directive sets the weak attribute on the comma separated list of
+ symbol names. If the symbols do not already exist, they will be
+ created.
+
+So it appears this is different with clang. The only reference I could
+see for this was an OpenBSD mailing list post[1].
+
+Changing it to be after the declaration fixes building with Clang, and
+still works with GCC.
+
+ $ objdump -t arch/powerpc/boot/crt0.o |grep _zimage_start$
+ 0000000000000058 w .text 0000000000000000 _zimage_start
+
+Reported to clang as https://bugs.llvm.org/show_bug.cgi?id=38921
+
+[1] https://groups.google.com/forum/#!topic/fa.openbsd.tech/PAgKKen2YCY
+
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/boot/crt0.S | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/boot/crt0.S
++++ b/arch/powerpc/boot/crt0.S
+@@ -47,8 +47,10 @@ p_end: .long _end
+ p_pstack: .long _platform_stack_top
+ #endif
+
+- .weak _zimage_start
+ .globl _zimage_start
++ /* Clang appears to require the .weak directive to be after the symbol
++ * is defined. See https://bugs.llvm.org/show_bug.cgi?id=38921 */
++ .weak _zimage_start
+ _zimage_start:
+ .globl _zimage_start_lib
+ _zimage_start_lib:
--- /dev/null
+From foo@baz Tue Nov 13 16:15:51 PST 2018
+From: Sam Bobroff <sbobroff@linux.ibm.com>
+Date: Wed, 12 Sep 2018 11:23:20 +1000
+Subject: powerpc/eeh: Fix possible null deref in eeh_dump_dev_log()
+
+From: Sam Bobroff <sbobroff@linux.ibm.com>
+
+[ Upstream commit f9bc28aedfb5bbd572d2d365f3095c1becd7209b ]
+
+If an error occurs during an unplug operation, it's possible for
+eeh_dump_dev_log() to be called when edev->pdn is null, which
+currently leads to dereferencing a null pointer.
+
+Handle this by skipping the error log for those devices.
+
+Signed-off-by: Sam Bobroff <sbobroff@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/eeh.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/powerpc/kernel/eeh.c
++++ b/arch/powerpc/kernel/eeh.c
+@@ -169,6 +169,11 @@ static size_t eeh_dump_dev_log(struct ee
+ int n = 0, l = 0;
+ char buffer[128];
+
++ if (!pdn) {
++ pr_warn("EEH: Note: No error log for absent device.\n");
++ return 0;
++ }
++
+ n += scnprintf(buf+n, len-n, "%04x:%02x:%02x.%01x\n",
+ edev->phb->global_number, pdn->busno,
+ PCI_SLOT(pdn->devfn), PCI_FUNC(pdn->devfn));
--- /dev/null
+From foo@baz Tue Nov 13 16:15:51 PST 2018
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 1 Oct 2018 16:21:51 +1000
+Subject: powerpc/nohash: fix undefined behaviour when testing page size support
+
+From: Daniel Axtens <dja@axtens.net>
+
+[ Upstream commit f5e284803a7206d43e26f9ffcae5de9626d95e37 ]
+
+When enumerating page size definitions to check hardware support,
+we construct a constant which is (1U << (def->shift - 10)).
+
+However, the array of page size definitions is only initalised for
+various MMU_PAGE_* constants, so it contains a number of 0-initialised
+elements with def->shift == 0. This means we end up shifting by a
+very large number, which gives the following UBSan splat:
+
+================================================================================
+UBSAN: Undefined behaviour in /home/dja/dev/linux/linux/arch/powerpc/mm/tlb_nohash.c:506:21
+shift exponent 4294967286 is too large for 32-bit type 'unsigned int'
+CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.0-rc3-00045-ga604f927b012-dirty #6
+Call Trace:
+[c00000000101bc20] [c000000000a13d54] .dump_stack+0xa8/0xec (unreliable)
+[c00000000101bcb0] [c0000000004f20a8] .ubsan_epilogue+0x18/0x64
+[c00000000101bd30] [c0000000004f2b10] .__ubsan_handle_shift_out_of_bounds+0x110/0x1a4
+[c00000000101be20] [c000000000d21760] .early_init_mmu+0x1b4/0x5a0
+[c00000000101bf10] [c000000000d1ba28] .early_setup+0x100/0x130
+[c00000000101bf90] [c000000000000528] start_here_multiplatform+0x68/0x80
+================================================================================
+
+Fix this by first checking if the element exists (shift != 0) before
+constructing the constant.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/mm/tlb_nohash.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/powerpc/mm/tlb_nohash.c
++++ b/arch/powerpc/mm/tlb_nohash.c
+@@ -481,6 +481,9 @@ static void setup_page_sizes(void)
+ for (psize = 0; psize < MMU_PAGE_COUNT; ++psize) {
+ struct mmu_psize_def *def = &mmu_psize_defs[psize];
+
++ if (!def->shift)
++ continue;
++
+ if (tlb1ps & (1U << (def->shift - 10))) {
+ def->flags |= MMU_PAGE_SIZE_DIRECT;
+
--- /dev/null
+From foo@baz Tue Nov 13 16:15:51 PST 2018
+From: Breno Leitao <leitao@debian.org>
+Date: Tue, 31 Jul 2018 17:55:57 -0300
+Subject: powerpc/selftests: Wait all threads to join
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 693b31b2fc1636f0aa7af53136d3b49f6ad9ff39 ]
+
+Test tm-tmspr might exit before all threads stop executing, because it just
+waits for the very last thread to join before proceeding/exiting.
+
+This patch makes sure that all threads that were created will join before
+proceeding/exiting.
+
+This patch also guarantees that the amount of threads being created is equal
+to thread_num.
+
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/powerpc/tm/tm-tmspr.c | 27 ++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+--- a/tools/testing/selftests/powerpc/tm/tm-tmspr.c
++++ b/tools/testing/selftests/powerpc/tm/tm-tmspr.c
+@@ -98,7 +98,7 @@ void texasr(void *in)
+
+ int test_tmspr()
+ {
+- pthread_t thread;
++ pthread_t *thread;
+ int thread_num;
+ unsigned long i;
+
+@@ -107,21 +107,28 @@ int test_tmspr()
+ /* To cause some context switching */
+ thread_num = 10 * sysconf(_SC_NPROCESSORS_ONLN);
+
++ thread = malloc(thread_num * sizeof(pthread_t));
++ if (thread == NULL)
++ return EXIT_FAILURE;
++
+ /* Test TFIAR and TFHAR */
+- for (i = 0 ; i < thread_num ; i += 2){
+- if (pthread_create(&thread, NULL, (void*)tfiar_tfhar, (void *)i))
++ for (i = 0; i < thread_num; i += 2) {
++ if (pthread_create(&thread[i], NULL, (void *)tfiar_tfhar,
++ (void *)i))
+ return EXIT_FAILURE;
+ }
+- if (pthread_join(thread, NULL) != 0)
+- return EXIT_FAILURE;
+-
+ /* Test TEXASR */
+- for (i = 0 ; i < thread_num ; i++){
+- if (pthread_create(&thread, NULL, (void*)texasr, (void *)i))
++ for (i = 1; i < thread_num; i += 2) {
++ if (pthread_create(&thread[i], NULL, (void *)texasr, (void *)i))
+ return EXIT_FAILURE;
+ }
+- if (pthread_join(thread, NULL) != 0)
+- return EXIT_FAILURE;
++
++ for (i = 0; i < thread_num; i++) {
++ if (pthread_join(thread[i], NULL) != 0)
++ return EXIT_FAILURE;
++ }
++
++ free(thread);
+
+ if (passed)
+ return 0;
--- /dev/null
+From foo@baz Tue Nov 13 16:15:51 PST 2018
+From: Phil Elwell <phil@raspberrypi.org>
+Date: Wed, 12 Sep 2018 15:31:55 +0100
+Subject: sc16is7xx: Fix for multi-channel stall
+
+From: Phil Elwell <phil@raspberrypi.org>
+
+[ Upstream commit 8344498721059754e09d30fe255a12dab8fb03ef ]
+
+The SC16IS752 is a dual-channel device. The two channels are largely
+independent, but the IRQ signals are wired together as an open-drain,
+active low signal which will be driven low while either of the
+channels requires attention, which can be for significant periods of
+time until operations complete and the interrupt can be acknowledged.
+In that respect it is should be treated as a true level-sensitive IRQ.
+
+The kernel, however, needs to be able to exit interrupt context in
+order to use I2C or SPI to access the device registers (which may
+involve sleeping). Therefore the interrupt needs to be masked out or
+paused in some way.
+
+The usual way to manage sleeping from within an interrupt handler
+is to use a threaded interrupt handler - a regular interrupt routine
+does the minimum amount of work needed to triage the interrupt before
+waking the interrupt service thread. If the threaded IRQ is marked as
+IRQF_ONESHOT the kernel will automatically mask out the interrupt
+until the thread runs to completion. The sc16is7xx driver used to
+use a threaded IRQ, but a patch switched to using a kthread_worker
+in order to set realtime priorities on the handler thread and for
+other optimisations. The end result is non-threaded IRQ that
+schedules some work then returns IRQ_HANDLED, making the kernel
+think that all IRQ processing has completed.
+
+The work-around to prevent a constant stream of interrupts is to
+mark the interrupt as edge-sensitive rather than level-sensitive,
+but interpreting an active-low source as a falling-edge source
+requires care to prevent a total cessation of interrupts. Whereas
+an edge-triggering source will generate a new edge for every interrupt
+condition a level-triggering source will keep the signal at the
+interrupting level until it no longer requires attention; in other
+words, the host won't see another edge until all interrupt conditions
+are cleared. It is therefore vital that the interrupt handler does not
+exit with an outstanding interrupt condition, otherwise the kernel
+will not receive another interrupt unless some other operation causes
+the interrupt state on the device to be cleared.
+
+The existing sc16is7xx driver has a very simple interrupt "thread"
+(kthread_work job) that processes interrupts on each channel in turn
+until there are no more. If both channels are active and the first
+channel starts interrupting while the handler for the second channel
+is running then it will not be detected and an IRQ stall ensues. This
+could be handled easily if there was a shared IRQ status register, or
+a convenient way to determine if the IRQ had been deasserted for any
+length of time, but both appear to be lacking.
+
+Avoid this problem (or at least make it much less likely to happen)
+by reducing the granularity of per-channel interrupt processing
+to one condition per iteration, only exiting the overall loop when
+both channels are no longer interrupting.
+
+Signed-off-by: Phil Elwell <phil@raspberrypi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sc16is7xx.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/serial/sc16is7xx.c
++++ b/drivers/tty/serial/sc16is7xx.c
+@@ -661,7 +661,7 @@ static void sc16is7xx_handle_tx(struct u
+ uart_write_wakeup(port);
+ }
+
+-static void sc16is7xx_port_irq(struct sc16is7xx_port *s, int portno)
++static bool sc16is7xx_port_irq(struct sc16is7xx_port *s, int portno)
+ {
+ struct uart_port *port = &s->p[portno].port;
+
+@@ -670,7 +670,7 @@ static void sc16is7xx_port_irq(struct sc
+
+ iir = sc16is7xx_port_read(port, SC16IS7XX_IIR_REG);
+ if (iir & SC16IS7XX_IIR_NO_INT_BIT)
+- break;
++ return false;
+
+ iir &= SC16IS7XX_IIR_ID_MASK;
+
+@@ -692,16 +692,23 @@ static void sc16is7xx_port_irq(struct sc
+ port->line, iir);
+ break;
+ }
+- } while (1);
++ } while (0);
++ return true;
+ }
+
+ static void sc16is7xx_ist(struct kthread_work *ws)
+ {
+ struct sc16is7xx_port *s = to_sc16is7xx_port(ws, irq_work);
+- int i;
+
+- for (i = 0; i < s->devtype->nr_uart; ++i)
+- sc16is7xx_port_irq(s, i);
++ while (1) {
++ bool keep_polling = false;
++ int i;
++
++ for (i = 0; i < s->devtype->nr_uart; ++i)
++ keep_polling |= sc16is7xx_port_irq(s, i);
++ if (!keep_polling)
++ break;
++ }
+ }
+
+ static irqreturn_t sc16is7xx_irq(int irq, void *dev_id)
--- /dev/null
+powerpc-eeh-fix-possible-null-deref-in-eeh_dump_dev_log.patch
+tty-check-name-length-in-tty_find_polling_driver.patch
+arm-imx_v6_v7_defconfig-select-config_tmpfs_posix_acl.patch
+powerpc-nohash-fix-undefined-behaviour-when-testing-page-size-support.patch
+drm-omap-fix-memory-barrier-bug-in-dmm-driver.patch
+media-pci-cx23885-handle-adding-to-list-failure.patch
+mips-kexec-mark-cpu-offline-before-disabling-local-irq.patch
+powerpc-boot-ensure-_zimage_start-is-a-weak-symbol.patch
+mips-pci-call-pcie_bus_configure_settings-to-set-mps-mrrs.patch
+sc16is7xx-fix-for-multi-channel-stall.patch
+media-tvp5150-fix-width-alignment-during-set_selection.patch
+powerpc-selftests-wait-all-threads-to-join.patch
+9p-locks-fix-glock.client_id-leak-in-do_lock.patch
+9p-clear-dangling-pointers-in-p9stat_free.patch
+cdrom-fix-improper-type-cast-which-can-leat-to-information-leak.patch
--- /dev/null
+From foo@baz Tue Nov 13 16:15:51 PST 2018
+From: Miles Chen <miles.chen@mediatek.com>
+Date: Mon, 8 Oct 2018 10:39:17 +0800
+Subject: tty: check name length in tty_find_polling_driver()
+
+From: Miles Chen <miles.chen@mediatek.com>
+
+[ Upstream commit 33a1a7be198657c8ca26ad406c4d2a89b7162bcc ]
+
+The issue is found by a fuzzing test.
+If tty_find_polling_driver() recevies an incorrect input such as
+',,' or '0b', the len becomes 0 and strncmp() always return 0.
+In this case, a null p->ops->poll_init() is called and it causes a kernel
+panic.
+
+Fix this by checking name length against zero in tty_find_polling_driver().
+
+$echo ,, > /sys/module/kgdboc/parameters/kgdboc
+[ 20.804451] WARNING: CPU: 1 PID: 104 at drivers/tty/serial/serial_core.c:457
+uart_get_baud_rate+0xe8/0x190
+[ 20.804917] Modules linked in:
+[ 20.805317] CPU: 1 PID: 104 Comm: sh Not tainted 4.19.0-rc7ajb #8
+[ 20.805469] Hardware name: linux,dummy-virt (DT)
+[ 20.805732] pstate: 20000005 (nzCv daif -PAN -UAO)
+[ 20.805895] pc : uart_get_baud_rate+0xe8/0x190
+[ 20.806042] lr : uart_get_baud_rate+0xc0/0x190
+[ 20.806476] sp : ffffffc06acff940
+[ 20.806676] x29: ffffffc06acff940 x28: 0000000000002580
+[ 20.806977] x27: 0000000000009600 x26: 0000000000009600
+[ 20.807231] x25: ffffffc06acffad0 x24: 00000000ffffeff0
+[ 20.807576] x23: 0000000000000001 x22: 0000000000000000
+[ 20.807807] x21: 0000000000000001 x20: 0000000000000000
+[ 20.808049] x19: ffffffc06acffac8 x18: 0000000000000000
+[ 20.808277] x17: 0000000000000000 x16: 0000000000000000
+[ 20.808520] x15: ffffffffffffffff x14: ffffffff00000000
+[ 20.808757] x13: ffffffffffffffff x12: 0000000000000001
+[ 20.809011] x11: 0101010101010101 x10: ffffff880d59ff5f
+[ 20.809292] x9 : ffffff880d59ff5e x8 : ffffffc06acffaf3
+[ 20.809549] x7 : 0000000000000000 x6 : ffffff880d59ff5f
+[ 20.809803] x5 : 0000000080008001 x4 : 0000000000000003
+[ 20.810056] x3 : ffffff900853e6b4 x2 : dfffff9000000000
+[ 20.810693] x1 : ffffffc06acffad0 x0 : 0000000000000cb0
+[ 20.811005] Call trace:
+[ 20.811214] uart_get_baud_rate+0xe8/0x190
+[ 20.811479] serial8250_do_set_termios+0xe0/0x6f4
+[ 20.811719] serial8250_set_termios+0x48/0x54
+[ 20.811928] uart_set_options+0x138/0x1bc
+[ 20.812129] uart_poll_init+0x114/0x16c
+[ 20.812330] tty_find_polling_driver+0x158/0x200
+[ 20.812545] configure_kgdboc+0xbc/0x1bc
+[ 20.812745] param_set_kgdboc_var+0xb8/0x150
+[ 20.812960] param_attr_store+0xbc/0x150
+[ 20.813160] module_attr_store+0x40/0x58
+[ 20.813364] sysfs_kf_write+0x8c/0xa8
+[ 20.813563] kernfs_fop_write+0x154/0x290
+[ 20.813764] vfs_write+0xf0/0x278
+[ 20.813951] __arm64_sys_write+0x84/0xf4
+[ 20.814400] el0_svc_common+0xf4/0x1dc
+[ 20.814616] el0_svc_handler+0x98/0xbc
+[ 20.814804] el0_svc+0x8/0xc
+[ 20.822005] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+[ 20.826913] Mem abort info:
+[ 20.827103] ESR = 0x84000006
+[ 20.827352] Exception class = IABT (current EL), IL = 16 bits
+[ 20.827655] SET = 0, FnV = 0
+[ 20.827855] EA = 0, S1PTW = 0
+[ 20.828135] user pgtable: 4k pages, 39-bit VAs, pgdp = (____ptrval____)
+[ 20.828484] [0000000000000000] pgd=00000000aadee003, pud=00000000aadee003, pmd=0000000000000000
+[ 20.829195] Internal error: Oops: 84000006 [#1] SMP
+[ 20.829564] Modules linked in:
+[ 20.829890] CPU: 1 PID: 104 Comm: sh Tainted: G W 4.19.0-rc7ajb #8
+[ 20.830545] Hardware name: linux,dummy-virt (DT)
+[ 20.830829] pstate: 60000085 (nZCv daIf -PAN -UAO)
+[ 20.831174] pc : (null)
+[ 20.831457] lr : serial8250_do_set_termios+0x358/0x6f4
+[ 20.831727] sp : ffffffc06acff9b0
+[ 20.831936] x29: ffffffc06acff9b0 x28: ffffff9008d7c000
+[ 20.832267] x27: ffffff900969e16f x26: 0000000000000000
+[ 20.832589] x25: ffffff900969dfb0 x24: 0000000000000000
+[ 20.832906] x23: ffffffc06acffad0 x22: ffffff900969e160
+[ 20.833232] x21: 0000000000000000 x20: ffffffc06acffac8
+[ 20.833559] x19: ffffff900969df90 x18: 0000000000000000
+[ 20.833878] x17: 0000000000000000 x16: 0000000000000000
+[ 20.834491] x15: ffffffffffffffff x14: ffffffff00000000
+[ 20.834821] x13: ffffffffffffffff x12: 0000000000000001
+[ 20.835143] x11: 0101010101010101 x10: ffffff880d59ff5f
+[ 20.835467] x9 : ffffff880d59ff5e x8 : ffffffc06acffaf3
+[ 20.835790] x7 : 0000000000000000 x6 : ffffff880d59ff5f
+[ 20.836111] x5 : c06419717c314100 x4 : 0000000000000007
+[ 20.836419] x3 : 0000000000000000 x2 : 0000000000000000
+[ 20.836732] x1 : 0000000000000001 x0 : ffffff900969df90
+[ 20.837100] Process sh (pid: 104, stack limit = 0x(____ptrval____))
+[ 20.837396] Call trace:
+[ 20.837566] (null)
+[ 20.837816] serial8250_set_termios+0x48/0x54
+[ 20.838089] uart_set_options+0x138/0x1bc
+[ 20.838570] uart_poll_init+0x114/0x16c
+[ 20.838834] tty_find_polling_driver+0x158/0x200
+[ 20.839119] configure_kgdboc+0xbc/0x1bc
+[ 20.839380] param_set_kgdboc_var+0xb8/0x150
+[ 20.839658] param_attr_store+0xbc/0x150
+[ 20.839920] module_attr_store+0x40/0x58
+[ 20.840183] sysfs_kf_write+0x8c/0xa8
+[ 20.840183] sysfs_kf_write+0x8c/0xa8
+[ 20.840440] kernfs_fop_write+0x154/0x290
+[ 20.840702] vfs_write+0xf0/0x278
+[ 20.840942] __arm64_sys_write+0x84/0xf4
+[ 20.841209] el0_svc_common+0xf4/0x1dc
+[ 20.841471] el0_svc_handler+0x98/0xbc
+[ 20.841713] el0_svc+0x8/0xc
+[ 20.842057] Code: bad PC value
+[ 20.842764] ---[ end trace a8835d7de79aaadf ]---
+[ 20.843134] Kernel panic - not syncing: Fatal exception
+[ 20.843515] SMP: stopping secondary CPUs
+[ 20.844289] Kernel Offset: disabled
+[ 20.844634] CPU features: 0x0,21806002
+[ 20.844857] Memory Limit: none
+[ 20.845172] ---[ end Kernel panic - not syncing: Fatal exception ]---
+
+Signed-off-by: Miles Chen <miles.chen@mediatek.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/tty_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -354,7 +354,7 @@ struct tty_driver *tty_find_polling_driv
+ mutex_lock(&tty_mutex);
+ /* Search through the tty devices to look for a match */
+ list_for_each_entry(p, &tty_drivers, tty_drivers) {
+- if (strncmp(name, p->name, len) != 0)
++ if (!len || strncmp(name, p->name, len) != 0)
+ continue;
+ stp = str;
+ if (*stp == ',')
projects / thirdparty / kernel / stable-queue.git / commitdiff
