4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 10 Oct 2017 18:16:36 +0000 (20:16 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 10 Oct 2017 18:16:36 +0000 (20:16 +0200)
added patches:
brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch
brcmfmac-setup-passive-scan-if-requested-by-user-space.patch
drm-i915-bios-ignore-hdmi-on-port-a.patch
ext4-don-t-allow-encrypted-operations-without-keys.patch
ext4-don-t-clear-sgid-when-inheriting-acls.patch
ext4-fix-data-corruption-for-mmap-writes.patch
f2fs-don-t-allow-encrypted-operations-without-keys.patch
mmc-core-add-driver-strength-selection-when-selecting-hs400es.patch
nvme-pci-use-pci-bus-address-for-data-queues-in-cmb.patch
sched-cpuset-pm-fix-cpuset-vs.-suspend-resume-bugs.patch
vfs-deny-copy_file_range-for-non-regular-files.patch

12 files changed:
queue-4.9/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch [new file with mode: 0644]
queue-4.9/brcmfmac-setup-passive-scan-if-requested-by-user-space.patch [new file with mode: 0644]
queue-4.9/drm-i915-bios-ignore-hdmi-on-port-a.patch [new file with mode: 0644]
queue-4.9/ext4-don-t-allow-encrypted-operations-without-keys.patch [new file with mode: 0644]
queue-4.9/ext4-don-t-clear-sgid-when-inheriting-acls.patch [new file with mode: 0644]
queue-4.9/ext4-fix-data-corruption-for-mmap-writes.patch [new file with mode: 0644]
queue-4.9/f2fs-don-t-allow-encrypted-operations-without-keys.patch [new file with mode: 0644]
queue-4.9/mmc-core-add-driver-strength-selection-when-selecting-hs400es.patch [new file with mode: 0644]
queue-4.9/nvme-pci-use-pci-bus-address-for-data-queues-in-cmb.patch [new file with mode: 0644]
queue-4.9/sched-cpuset-pm-fix-cpuset-vs.-suspend-resume-bugs.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/vfs-deny-copy_file_range-for-non-regular-files.patch [new file with mode: 0644]

diff --git a/queue-4.9/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch b/queue-4.9/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch
new file mode 100644 (file)
index 0000000..898930f
--- /dev/null
@@ -0,0 +1,71 @@
+From 17df6453d4be17910456e99c5a85025aa1b7a246 Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Tue, 12 Sep 2017 10:47:53 +0200
+Subject: brcmfmac: add length check in brcmf_cfg80211_escan_handler()
+
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+
+commit 17df6453d4be17910456e99c5a85025aa1b7a246 upstream.
+
+Upon handling the firmware notification for scans the length was
+checked properly and may result in corrupting kernel heap memory
+due to buffer overruns. This fix addresses CVE-2017-0786.
+
+Cc: Kevin Cernekee <cernekee@chromium.org>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c |   18 ++++++++++--
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -3097,6 +3097,7 @@ brcmf_cfg80211_escan_handler(struct brcm
+       struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
+       s32 status;
+       struct brcmf_escan_result_le *escan_result_le;
++      u32 escan_buflen;
+       struct brcmf_bss_info_le *bss_info_le;
+       struct brcmf_bss_info_le *bss = NULL;
+       u32 bi_length;
+@@ -3113,11 +3114,23 @@ brcmf_cfg80211_escan_handler(struct brcm
+       if (status == BRCMF_E_STATUS_PARTIAL) {
+               brcmf_dbg(SCAN, "ESCAN Partial result\n");
++              if (e->datalen < sizeof(*escan_result_le)) {
++                      brcmf_err("invalid event data length\n");
++                      goto exit;
++              }
+               escan_result_le = (struct brcmf_escan_result_le *) data;
+               if (!escan_result_le) {
+                       brcmf_err("Invalid escan result (NULL pointer)\n");
+                       goto exit;
+               }
++              escan_buflen = le32_to_cpu(escan_result_le->buflen);
++              if (escan_buflen > BRCMF_ESCAN_BUF_SIZE ||
++                  escan_buflen > e->datalen ||
++                  escan_buflen < sizeof(*escan_result_le)) {
++                      brcmf_err("Invalid escan buffer length: %d\n",
++                                escan_buflen);
++                      goto exit;
++              }
+               if (le16_to_cpu(escan_result_le->bss_count) != 1) {
+                       brcmf_err("Invalid bss_count %d: ignoring\n",
+                                 escan_result_le->bss_count);
+@@ -3134,9 +3147,8 @@ brcmf_cfg80211_escan_handler(struct brcm
+               }
+               bi_length = le32_to_cpu(bss_info_le->length);
+-              if (bi_length != (le32_to_cpu(escan_result_le->buflen) -
+-                                      WL_ESCAN_RESULTS_FIXED_SIZE)) {
+-                      brcmf_err("Invalid bss_info length %d: ignoring\n",
++              if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) {
++                      brcmf_err("Ignoring invalid bss_info length: %d\n",
+                                 bi_length);
+                       goto exit;
+               }
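Review bot: The new `brcmf_err("Invalid escan buffer length: %d\n", escan_buflen)` prints a `u32` with `%d`, so an oversized firmware-supplied length, which is exactly what this check rejects, can show up in the log as a negative number. Use `%u` there, and likewise for `bi_length` in the reworded "Ignoring invalid bss_info length" message in the last hunk. Separately, the changelog sentence "the length was checked properly" reads as if a "not" was lost, which inverts the description of the bug for anyone triaging CVE-2017-0786 from the commit text. brcmf_cfg80211_escan_handler() starts and ends outside these hunks, so the other status branches could not be checked for the same validation.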
diff --git a/queue-4.9/brcmfmac-setup-passive-scan-if-requested-by-user-space.patch b/queue-4.9/brcmfmac-setup-passive-scan-if-requested-by-user-space.patch
new file mode 100644 (file)
index 0000000..5ae06c0
--- /dev/null
@@ -0,0 +1,85 @@
+From 35f62727df0ed8e5e4857e162d94fd46d861f1cf Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Tue, 12 Sep 2017 10:47:54 +0200
+Subject: brcmfmac: setup passive scan if requested by user-space
+
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+
+commit 35f62727df0ed8e5e4857e162d94fd46d861f1cf upstream.
+
+The driver was not properly configuring firmware with regard to the
+type of scan. It always performed an active scan even when user-space
+was requesting for passive scan, ie. the scan request was done without
+any SSIDs specified.
+
+Reported-by: Huang, Jiangyang <Jiangyang.Huang@itron.com>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c   |   19 ++--------
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h |    5 ++
+ 2 files changed, 9 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -978,7 +978,7 @@ static void brcmf_escan_prep(struct brcm
+       eth_broadcast_addr(params_le->bssid);
+       params_le->bss_type = DOT11_BSSTYPE_ANY;
+-      params_le->scan_type = 0;
++      params_le->scan_type = BRCMF_SCANTYPE_ACTIVE;
+       params_le->channel_num = 0;
+       params_le->nprobes = cpu_to_le32(-1);
+       params_le->active_time = cpu_to_le32(-1);
+@@ -986,12 +986,9 @@ static void brcmf_escan_prep(struct brcm
+       params_le->home_time = cpu_to_le32(-1);
+       memset(&params_le->ssid_le, 0, sizeof(params_le->ssid_le));
+-      /* if request is null exit so it will be all channel broadcast scan */
+-      if (!request)
+-              return;
+-
+       n_ssids = request->n_ssids;
+       n_channels = request->n_channels;
++
+       /* Copy channel array if applicable */
+       brcmf_dbg(SCAN, "### List of channelspecs to scan ### %d\n",
+                 n_channels);
+@@ -1028,16 +1025,8 @@ static void brcmf_escan_prep(struct brcm
+                       ptr += sizeof(ssid_le);
+               }
+       } else {
+-              brcmf_dbg(SCAN, "Broadcast scan %p\n", request->ssids);
+-              if ((request->ssids) && request->ssids->ssid_len) {
+-                      brcmf_dbg(SCAN, "SSID %s len=%d\n",
+-                                params_le->ssid_le.SSID,
+-                                request->ssids->ssid_len);
+-                      params_le->ssid_le.SSID_len =
+-                              cpu_to_le32(request->ssids->ssid_len);
+-                      memcpy(&params_le->ssid_le.SSID, request->ssids->ssid,
+-                              request->ssids->ssid_len);
+-              }
++              brcmf_dbg(SCAN, "Performing passive scan\n");
++              params_le->scan_type = BRCMF_SCANTYPE_PASSIVE;
+       }
+       /* Adding mask to channel numbers */
+       params_le->channel_num =
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
+@@ -45,6 +45,11 @@
+ #define BRCMF_SCAN_PARAMS_COUNT_MASK  0x0000ffff
+ #define BRCMF_SCAN_PARAMS_NSSID_SHIFT 16
++/* scan type definitions */
++#define BRCMF_SCANTYPE_DEFAULT                0xFF
++#define BRCMF_SCANTYPE_ACTIVE         0
++#define BRCMF_SCANTYPE_PASSIVE                1
++
+ /* primary (ie tx) key */
+ #define BRCMF_PRIMARY_KEY             (1 << 1)
+ #define DOT11_BSSTYPE_ANY             2
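Review bot: brcmf_escan_prep() now dereferences `request` unconditionally at `n_ssids = request->n_ssids;`, because the patch deletes the `if (!request) return;` guard directly above it. Nothing in these hunks shows that every caller in the 4.9 tree passes a non-NULL request, so that invariant should be confirmed for this backport. Once confirmed, record it at the top of the function, e.g. `/* request must be non-NULL; all callers pass the cfg80211 scan request */`. BRCMF_SCANTYPE_DEFAULT is added to fwil_types.h but is not used in any visible hunk, so either note where it is meant to be used or drop it.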
diff --git a/queue-4.9/drm-i915-bios-ignore-hdmi-on-port-a.patch b/queue-4.9/drm-i915-bios-ignore-hdmi-on-port-a.patch
new file mode 100644 (file)
index 0000000..faf8c64
--- /dev/null
@@ -0,0 +1,48 @@
+From 2ba7d7e0437127314864238f8bfcb8369d81075c Mon Sep 17 00:00:00 2001
+From: Jani Nikula <jani.nikula@intel.com>
+Date: Thu, 21 Sep 2017 17:19:20 +0300
+Subject: drm/i915/bios: ignore HDMI on port A
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+commit 2ba7d7e0437127314864238f8bfcb8369d81075c upstream.
+
+The hardware state readout oopses after several warnings when trying to
+use HDMI on port A, if such a combination is configured in VBT. Filter
+the combo out already at the VBT parsing phase.
+
+v2: also ignore DVI (Ville)
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=102889
+Cc: Imre Deak <imre.deak@intel.com>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Tested-by: Daniel Drake <dan@reactivated.net>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20170921141920.18172-1-jani.nikula@intel.com
+(cherry picked from commit d27ffc1d00327c29b3aa97f941b42f0949f9e99f)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_bios.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/i915/intel_bios.c
++++ b/drivers/gpu/drm/i915/intel_bios.c
+@@ -1152,6 +1152,13 @@ static void parse_ddi_port(struct drm_i9
+       is_hdmi = is_dvi && (child->common.device_type & DEVICE_TYPE_NOT_HDMI_OUTPUT) == 0;
+       is_edp = is_dp && (child->common.device_type & DEVICE_TYPE_INTERNAL_CONNECTOR);
++      if (port == PORT_A && is_dvi) {
++              DRM_DEBUG_KMS("VBT claims port A supports DVI%s, ignoring\n",
++                            is_hdmi ? "/HDMI" : "");
++              is_dvi = false;
++              is_hdmi = false;
++      }
++
+       info->supports_dvi = is_dvi;
+       info->supports_hdmi = is_hdmi;
+       info->supports_dp = is_dp;
diff --git a/queue-4.9/ext4-don-t-allow-encrypted-operations-without-keys.patch b/queue-4.9/ext4-don-t-allow-encrypted-operations-without-keys.patch
new file mode 100644 (file)
index 0000000..dfd190c
--- /dev/null
@@ -0,0 +1,54 @@
+From 173b8439e1ba362007315868928bf9d26e5cc5a6 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 28 Dec 2016 00:22:52 -0500
+Subject: ext4: don't allow encrypted operations without keys
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 173b8439e1ba362007315868928bf9d26e5cc5a6 upstream.
+
+While we allow deletes without the key, the following should not be
+permitted:
+
+# cd /vdc/encrypted-dir-without-key
+# ls -l
+total 4
+-rw-r--r-- 1 root root   0 Dec 27 22:35 6,LKNRJsp209FbXoSvJWzB
+-rw-r--r-- 1 root root 286 Dec 27 22:35 uRJ5vJh9gE7vcomYMqTAyD
+# mv uRJ5vJh9gE7vcomYMqTAyD  6,LKNRJsp209FbXoSvJWzB
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/namei.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -3527,6 +3527,12 @@ static int ext4_rename(struct inode *old
+                       EXT4_I(old_dentry->d_inode)->i_projid)))
+               return -EXDEV;
++      if ((ext4_encrypted_inode(old_dir) &&
++           !fscrypt_has_encryption_key(old_dir)) ||
++          (ext4_encrypted_inode(new_dir) &&
++           !fscrypt_has_encryption_key(new_dir)))
++              return -ENOKEY;
++
+       retval = dquot_initialize(old.dir);
+       if (retval)
+               return retval;
+@@ -3726,6 +3732,12 @@ static int ext4_cross_rename(struct inod
+       u8 new_file_type;
+       int retval;
++      if ((ext4_encrypted_inode(old_dir) &&
++           !fscrypt_has_encryption_key(old_dir)) ||
++          (ext4_encrypted_inode(new_dir) &&
++           !fscrypt_has_encryption_key(new_dir)))
++              return -ENOKEY;
++
+       if ((ext4_encrypted_inode(old_dir) ||
+            ext4_encrypted_inode(new_dir)) &&
+           (old_dir != new_dir) &&
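Review bot: The same four-line key check is pasted verbatim into ext4_rename() and ext4_cross_rename(), and again into f2fs_rename() and f2fs_cross_rename() in the f2fs patch of this series, and none of the copies says why the rename is refused. A one-line comment above each, such as `/* Renames need the directory's key; only deletes are permitted without it. */`, would record the policy that the changelog states. Folding the predicate into one small static helper per filesystem would keep the two rename paths from drifting apart when the policy changes. Both ext4 functions continue outside the hunks shown.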
diff --git a/queue-4.9/ext4-don-t-clear-sgid-when-inheriting-acls.patch b/queue-4.9/ext4-don-t-clear-sgid-when-inheriting-acls.patch
new file mode 100644 (file)
index 0000000..a236768
--- /dev/null
@@ -0,0 +1,77 @@
+From a3bb2d5587521eea6dab2d05326abb0afb460abd Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Sun, 30 Jul 2017 23:33:01 -0400
+Subject: ext4: Don't clear SGID when inheriting ACLs
+
+From: Jan Kara <jack@suse.cz>
+
+commit a3bb2d5587521eea6dab2d05326abb0afb460abd upstream.
+
+When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
+set, DIR1 is expected to have SGID bit set (and owning group equal to
+the owning group of 'DIR0'). However when 'DIR0' also has some default
+ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
+'DIR1' to get cleared if user is not member of the owning group.
+
+Fix the problem by moving posix_acl_update_mode() out of
+__ext4_set_acl() into ext4_set_acl(). That way the function will not be
+called when inheriting ACLs which is what we want as it prevents SGID
+bit clearing and the mode has been properly set by posix_acl_create()
+anyway.
+
+Fixes: 073931017b49d9458aa351605b43a7e34598caef
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/acl.c |   22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+--- a/fs/ext4/acl.c
++++ b/fs/ext4/acl.c
+@@ -192,13 +192,6 @@ __ext4_set_acl(handle_t *handle, struct
+       switch (type) {
+       case ACL_TYPE_ACCESS:
+               name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS;
+-              if (acl) {
+-                      error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+-                      if (error)
+-                              return error;
+-                      inode->i_ctime = ext4_current_time(inode);
+-                      ext4_mark_inode_dirty(handle, inode);
+-              }
+               break;
+       case ACL_TYPE_DEFAULT:
+@@ -231,6 +224,8 @@ ext4_set_acl(struct inode *inode, struct
+ {
+       handle_t *handle;
+       int error, retries = 0;
++      umode_t mode = inode->i_mode;
++      int update_mode = 0;
+ retry:
+       handle = ext4_journal_start(inode, EXT4_HT_XATTR,
+@@ -238,7 +233,20 @@ retry:
+       if (IS_ERR(handle))
+               return PTR_ERR(handle);
++      if ((type == ACL_TYPE_ACCESS) && acl) {
++              error = posix_acl_update_mode(inode, &mode, &acl);
++              if (error)
++                      goto out_stop;
++              update_mode = 1;
++      }
++
+       error = __ext4_set_acl(handle, inode, type, acl);
++      if (!error && update_mode) {
++              inode->i_mode = mode;
++              inode->i_ctime = ext4_current_time(inode);
++              ext4_mark_inode_dirty(handle, inode);
++      }
++out_stop:
+       ext4_journal_stop(handle);
+       if (error == -ENOSPC && ext4_should_retry_alloc(inode->i_sb, &retries))
+               goto retry;
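Review bot: On the `goto retry` path in ext4_set_acl() the new `if ((type == ACL_TYPE_ACCESS) && acl)` block runs a second time with whatever `acl` the first `posix_acl_update_mode(inode, &mode, &acl)` call left behind. `mode` and `update_mode` are initialised above the `retry:` label, so they keep their first-pass values. This looks harmless, since the computed mode is still applied after a successful retry, but the dependency on initialisation order is easy to break in a later edit. A comment next to the declarations would make it explicit, e.g. `/* set before retry: on purpose, posix_acl_update_mode() may modify acl on the first pass */`. The end of the function lies outside the hunk.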
diff --git a/queue-4.9/ext4-fix-data-corruption-for-mmap-writes.patch b/queue-4.9/ext4-fix-data-corruption-for-mmap-writes.patch
new file mode 100644 (file)
index 0000000..965fd9e
--- /dev/null
@@ -0,0 +1,61 @@
+From a056bdaae7a181f7dcc876cfab2f94538e508709 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 26 May 2017 17:45:45 -0400
+Subject: ext4: fix data corruption for mmap writes
+
+From: Jan Kara <jack@suse.cz>
+
+commit a056bdaae7a181f7dcc876cfab2f94538e508709 upstream.
+
+mpage_submit_page() can race with another process growing i_size and
+writing data via mmap to the written-back page. As mpage_submit_page()
+samples i_size too early, it may happen that ext4_bio_write_page()
+zeroes out too large tail of the page and thus corrupts user data.
+
+Fix the problem by sampling i_size only after the page has been
+write-protected in page tables by clear_page_dirty_for_io() call.
+
+Reported-by: Michael Zimmer <michael@swarm64.com>
+Fixes: cb20d5188366f04d96d2e07b1240cc92170ade40
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c |   18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -2107,15 +2107,29 @@ static int ext4_writepage(struct page *p
+ static int mpage_submit_page(struct mpage_da_data *mpd, struct page *page)
+ {
+       int len;
+-      loff_t size = i_size_read(mpd->inode);
++      loff_t size;
+       int err;
+       BUG_ON(page->index != mpd->first_page);
++      clear_page_dirty_for_io(page);
++      /*
++       * We have to be very careful here!  Nothing protects writeback path
++       * against i_size changes and the page can be writeably mapped into
++       * page tables. So an application can be growing i_size and writing
++       * data through mmap while writeback runs. clear_page_dirty_for_io()
++       * write-protects our page in page tables and the page cannot get
++       * written to again until we release page lock. So only after
++       * clear_page_dirty_for_io() we are safe to sample i_size for
++       * ext4_bio_write_page() to zero-out tail of the written page. We rely
++       * on the barrier provided by TestClearPageDirty in
++       * clear_page_dirty_for_io() to make sure i_size is really sampled only
++       * after page tables are updated.
++       */
++      size = i_size_read(mpd->inode);
+       if (page->index == size >> PAGE_SHIFT)
+               len = size & ~PAGE_MASK;
+       else
+               len = PAGE_SIZE;
+-      clear_page_dirty_for_io(page);
+       err = ext4_bio_write_page(&mpd->io_submit, page, len, mpd->wbc, false);
+       if (!err)
+               mpd->wbc->nr_to_write--;
diff --git a/queue-4.9/f2fs-don-t-allow-encrypted-operations-without-keys.patch b/queue-4.9/f2fs-don-t-allow-encrypted-operations-without-keys.patch
new file mode 100644 (file)
index 0000000..0fbddbe
--- /dev/null
@@ -0,0 +1,50 @@
+From 363fa4e078cbdc97a172c19d19dc04b41b52ebc8 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Wed, 28 Dec 2016 17:31:15 -0800
+Subject: f2fs: don't allow encrypted operations without keys
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit 363fa4e078cbdc97a172c19d19dc04b41b52ebc8 upstream.
+
+This patch fixes the renaming bug on encrypted filenames, which was pointed by
+
+ (ext4: don't allow encrypted operations without keys)
+
+Cc: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/namei.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -663,6 +663,12 @@ static int f2fs_rename(struct inode *old
+       bool is_old_inline = f2fs_has_inline_dentry(old_dir);
+       int err = -ENOENT;
++      if ((f2fs_encrypted_inode(old_dir) &&
++                      !fscrypt_has_encryption_key(old_dir)) ||
++                      (f2fs_encrypted_inode(new_dir) &&
++                      !fscrypt_has_encryption_key(new_dir)))
++              return -ENOKEY;
++
+       if ((old_dir != new_dir) && f2fs_encrypted_inode(new_dir) &&
+                       !fscrypt_has_permitted_context(new_dir, old_inode)) {
+               err = -EPERM;
+@@ -843,6 +849,12 @@ static int f2fs_cross_rename(struct inod
+       int old_nlink = 0, new_nlink = 0;
+       int err = -ENOENT;
++      if ((f2fs_encrypted_inode(old_dir) &&
++                      !fscrypt_has_encryption_key(old_dir)) ||
++                      (f2fs_encrypted_inode(new_dir) &&
++                      !fscrypt_has_encryption_key(new_dir)))
++              return -ENOKEY;
++
+       if ((f2fs_encrypted_inode(old_dir) || f2fs_encrypted_inode(new_dir)) &&
+                       (old_dir != new_dir) &&
+                       (!fscrypt_has_permitted_context(new_dir, old_inode) ||
diff --git a/queue-4.9/mmc-core-add-driver-strength-selection-when-selecting-hs400es.patch b/queue-4.9/mmc-core-add-driver-strength-selection-when-selecting-hs400es.patch
new file mode 100644 (file)
index 0000000..582e4a6
--- /dev/null
@@ -0,0 +1,83 @@
+From fb458864d9a78cc433fec7979acbe4078c82d7a8 Mon Sep 17 00:00:00 2001
+From: Chanho Min <chanho.min@lge.com>
+Date: Tue, 26 Sep 2017 09:03:40 +0900
+Subject: mmc: core: add driver strength selection when selecting hs400es
+
+From: Chanho Min <chanho.min@lge.com>
+
+commit fb458864d9a78cc433fec7979acbe4078c82d7a8 upstream.
+
+The driver strength selection is missed and required when selecting
+hs400es. So, It is added here.
+
+Fixes: 81ac2af65793ecf ("mmc: core: implement enhanced strobe support")
+Signed-off-by: Hankyung Yu <hankyung.yu@lge.com>
+Signed-off-by: Chanho Min <chanho.min@lge.com>
+Reviewed-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Shawn Lin <shawn.lin@rock-chips.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/core/mmc.c |   36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+--- a/drivers/mmc/core/mmc.c
++++ b/drivers/mmc/core/mmc.c
+@@ -1255,6 +1255,23 @@ out_err:
+       return err;
+ }
++static void mmc_select_driver_type(struct mmc_card *card)
++{
++      int card_drv_type, drive_strength, drv_type;
++
++      card_drv_type = card->ext_csd.raw_driver_strength |
++                      mmc_driver_type_mask(0);
++
++      drive_strength = mmc_select_drive_strength(card,
++                                                 card->ext_csd.hs200_max_dtr,
++                                                 card_drv_type, &drv_type);
++
++      card->drive_strength = drive_strength;
++
++      if (drv_type)
++              mmc_set_driver_type(card->host, drv_type);
++}
++
+ static int mmc_select_hs400es(struct mmc_card *card)
+ {
+       struct mmc_host *host = card->host;
+@@ -1303,6 +1320,8 @@ static int mmc_select_hs400es(struct mmc
+               goto out_err;
+       }
++      mmc_select_driver_type(card);
++
+       /* Switch card to HS400 */
+       val = EXT_CSD_TIMING_HS400 |
+             card->drive_strength << EXT_CSD_DRV_STR_SHIFT;
+@@ -1336,23 +1355,6 @@ out_err:
+       return err;
+ }
+-static void mmc_select_driver_type(struct mmc_card *card)
+-{
+-      int card_drv_type, drive_strength, drv_type;
+-
+-      card_drv_type = card->ext_csd.raw_driver_strength |
+-                      mmc_driver_type_mask(0);
+-
+-      drive_strength = mmc_select_drive_strength(card,
+-                                                 card->ext_csd.hs200_max_dtr,
+-                                                 card_drv_type, &drv_type);
+-
+-      card->drive_strength = drive_strength;
+-
+-      if (drv_type)
+-              mmc_set_driver_type(card->host, drv_type);
+-}
+-
+ /*
+  * For device supporting HS200 mode, the following sequence
+  * should be done before executing the tuning process.
diff --git a/queue-4.9/nvme-pci-use-pci-bus-address-for-data-queues-in-cmb.patch b/queue-4.9/nvme-pci-use-pci-bus-address-for-data-queues-in-cmb.patch
new file mode 100644 (file)
index 0000000..3c474ab
--- /dev/null
@@ -0,0 +1,86 @@
+From 8969f1f8291762c13147c1ba89d46238af01675b Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Sun, 1 Oct 2017 09:37:35 +0200
+Subject: nvme-pci: Use PCI bus address for data/queues in CMB
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 8969f1f8291762c13147c1ba89d46238af01675b upstream.
+
+Currently, NVMe PCI host driver is programming CMB dma address as
+I/O SQs addresses. This results in failures on systems where 1:1
+outbound mapping is not used (example Broadcom iProc SOCs) because
+CMB BAR will be progammed with PCI bus address but NVMe PCI EP will
+try to access CMB using dma address.
+
+To have CMB working on systems without 1:1 outbound mapping, we
+program PCI bus address for I/O SQs instead of dma address. This
+approach will work on systems with/without 1:1 outbound mapping.
+
+Based on a report and previous patch from Abhishek Shah.
+
+Fixes: 8ffaadf7 ("NVMe: Use CMB for the IO SQes if available")
+Reported-by: Abhishek Shah <abhishek.shah@broadcom.com>
+Tested-by: Abhishek Shah <abhishek.shah@broadcom.com>
+Reviewed-by: Keith Busch <keith.busch@intel.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvme/host/pci.c |   14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -96,7 +96,7 @@ struct nvme_dev {
+       struct mutex shutdown_lock;
+       bool subsystem;
+       void __iomem *cmb;
+-      dma_addr_t cmb_dma_addr;
++      pci_bus_addr_t cmb_bus_addr;
+       u64 cmb_size;
+       u32 cmbsz;
+       u32 cmbloc;
+@@ -1037,7 +1037,7 @@ static int nvme_alloc_sq_cmds(struct nvm
+       if (qid && dev->cmb && use_cmb_sqes && NVME_CMB_SQS(dev->cmbsz)) {
+               unsigned offset = (qid - 1) * roundup(SQ_SIZE(depth),
+                                                     dev->ctrl.page_size);
+-              nvmeq->sq_dma_addr = dev->cmb_dma_addr + offset;
++              nvmeq->sq_dma_addr = dev->cmb_bus_addr + offset;
+               nvmeq->sq_cmds_io = dev->cmb + offset;
+       } else {
+               nvmeq->sq_cmds = dma_alloc_coherent(dev->dev, SQ_SIZE(depth),
+@@ -1343,7 +1343,7 @@ static void __iomem *nvme_map_cmb(struct
+       resource_size_t bar_size;
+       struct pci_dev *pdev = to_pci_dev(dev->dev);
+       void __iomem *cmb;
+-      dma_addr_t dma_addr;
++      int bar;
+       dev->cmbsz = readl(dev->bar + NVME_REG_CMBSZ);
+       if (!(NVME_CMB_SZ(dev->cmbsz)))
+@@ -1356,7 +1356,8 @@ static void __iomem *nvme_map_cmb(struct
+       szu = (u64)1 << (12 + 4 * NVME_CMB_SZU(dev->cmbsz));
+       size = szu * NVME_CMB_SZ(dev->cmbsz);
+       offset = szu * NVME_CMB_OFST(dev->cmbloc);
+-      bar_size = pci_resource_len(pdev, NVME_CMB_BIR(dev->cmbloc));
++      bar = NVME_CMB_BIR(dev->cmbloc);
++      bar_size = pci_resource_len(pdev, bar);
+       if (offset > bar_size)
+               return NULL;
+@@ -1369,12 +1370,11 @@ static void __iomem *nvme_map_cmb(struct
+       if (size > bar_size - offset)
+               size = bar_size - offset;
+-      dma_addr = pci_resource_start(pdev, NVME_CMB_BIR(dev->cmbloc)) + offset;
+-      cmb = ioremap_wc(dma_addr, size);
++      cmb = ioremap_wc(pci_resource_start(pdev, bar) + offset, size);
+       if (!cmb)
+               return NULL;
+-      dev->cmb_dma_addr = dma_addr;
++      dev->cmb_bus_addr = pci_bus_address(pdev, bar) + offset;
+       dev->cmb_size = size;
+       return cmb;
+ }
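Review bot: `bar = NVME_CMB_BIR(dev->cmbloc)` is now the index passed to `pci_resource_len()`, `pci_resource_start()` and `pci_bus_address()`, and no range check on it is visible in nvme_map_cmb(). dev->cmbloc is presumably read from the controller in the same way as dev->cmbsz, so it is worth confirming that the macro can only yield an index that names a memory BAR of this device. The part of the function where that could be checked is outside the hunks. Also, `nvmeq->sq_dma_addr` in nvme_alloc_sq_cmds() now holds a PCI bus address in the CMB case; a comment at that assignment such as `/* CMB: PCI bus address as seen by the controller, not a DMA mapping */` would keep the field name from misleading the next reader.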
diff --git a/queue-4.9/sched-cpuset-pm-fix-cpuset-vs.-suspend-resume-bugs.patch b/queue-4.9/sched-cpuset-pm-fix-cpuset-vs.-suspend-resume-bugs.patch
new file mode 100644 (file)
index 0000000..b80e1b4
--- /dev/null
@@ -0,0 +1,170 @@
+From 50e76632339d4655859523a39249dd95ee5e93e7 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 7 Sep 2017 11:13:38 +0200
+Subject: sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 50e76632339d4655859523a39249dd95ee5e93e7 upstream.
+
+Cpusets vs. suspend-resume is _completely_ broken. And it got noticed
+because it now resulted in non-cpuset usage breaking too.
+
+On suspend cpuset_cpu_inactive() doesn't call into
+cpuset_update_active_cpus() because it doesn't want to move tasks about,
+there is no need, all tasks are frozen and won't run again until after
+we've resumed everything.
+
+But this means that when we finally do call into
+cpuset_update_active_cpus() after resuming the last frozen cpu in
+cpuset_cpu_active(), the top_cpuset will not have any difference with
+the cpu_active_mask and this it will not in fact do _anything_.
+
+So the cpuset configuration will not be restored. This was largely
+hidden because we would unconditionally create identity domains and
+mobile users would not in fact use cpusets much. And servers what do use
+cpusets tend to not suspend-resume much.
+
+An addition problem is that we'd not in fact wait for the cpuset work to
+finish before resuming the tasks, allowing spurious migrations outside
+of the specified domains.
+
+Fix the rebuild by introducing cpuset_force_rebuild() and fix the
+ordering with cpuset_wait_for_hotplug().
+
+Reported-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: <stable@vger.kernel.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Rafael J. Wysocki <rjw@rjwysocki.net>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: deb7aa308ea2 ("cpuset: reorganize CPU / memory hotplug handling")
+Link: http://lkml.kernel.org/r/20170907091338.orwxrqkbfkki3c24@hirez.programming.kicks-ass.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Mike Galbraith <efault@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ include/linux/cpuset.h |    6 ++++++
+ kernel/cpuset.c        |   16 +++++++++++++++-
+ kernel/power/process.c |    5 ++++-
+ kernel/sched/core.c    |    7 +++----
+ 4 files changed, 28 insertions(+), 6 deletions(-)
+
+--- a/include/linux/cpuset.h
++++ b/include/linux/cpuset.h
+@@ -55,7 +55,9 @@ static inline void cpuset_dec(void)
+ extern int cpuset_init(void);
+ extern void cpuset_init_smp(void);
++extern void cpuset_force_rebuild(void);
+ extern void cpuset_update_active_cpus(bool cpu_online);
++extern void cpuset_wait_for_hotplug(void);
+ extern void cpuset_cpus_allowed(struct task_struct *p, struct cpumask *mask);
+ extern void cpuset_cpus_allowed_fallback(struct task_struct *p);
+ extern nodemask_t cpuset_mems_allowed(struct task_struct *p);
+@@ -168,11 +170,15 @@ static inline bool cpusets_enabled(void)
+ static inline int cpuset_init(void) { return 0; }
+ static inline void cpuset_init_smp(void) {}
++static inline void cpuset_force_rebuild(void) { }
++
+ static inline void cpuset_update_active_cpus(bool cpu_online)
+ {
+       partition_sched_domains(1, NULL, NULL);
+ }
++static inline void cpuset_wait_for_hotplug(void) { }
++
+ static inline void cpuset_cpus_allowed(struct task_struct *p,
+                                      struct cpumask *mask)
+ {
+--- a/kernel/cpuset.c
++++ b/kernel/cpuset.c
+@@ -2276,6 +2276,13 @@ retry:
+       mutex_unlock(&cpuset_mutex);
+ }
++static bool force_rebuild;
++
++void cpuset_force_rebuild(void)
++{
++      force_rebuild = true;
++}
++
+ /**
+  * cpuset_hotplug_workfn - handle CPU/memory hotunplug for a cpuset
+  *
+@@ -2350,8 +2357,10 @@ static void cpuset_hotplug_workfn(struct
+       }
+       /* rebuild sched domains if cpus_allowed has changed */
+-      if (cpus_updated)
++      if (cpus_updated || force_rebuild) {
++              force_rebuild = false;
+               rebuild_sched_domains();
++      }
+ }
+ void cpuset_update_active_cpus(bool cpu_online)
+@@ -2370,6 +2379,11 @@ void cpuset_update_active_cpus(bool cpu_
+       schedule_work(&cpuset_hotplug_work);
+ }
++void cpuset_wait_for_hotplug(void)
++{
++      flush_work(&cpuset_hotplug_work);
++}
++
+ /*
+  * Keep top_cpuset.mems_allowed tracking node_states[N_MEMORY].
+  * Call this routine anytime after node_states[N_MEMORY] changes.
+--- a/kernel/power/process.c
++++ b/kernel/power/process.c
+@@ -18,8 +18,9 @@
+ #include <linux/workqueue.h>
+ #include <linux/kmod.h>
+ #include <trace/events/power.h>
++#include <linux/cpuset.h>
+-/* 
++/*
+  * Timeout for stopping processes
+  */
+ unsigned int __read_mostly freeze_timeout_msecs = 20 * MSEC_PER_SEC;
+@@ -200,6 +201,8 @@ void thaw_processes(void)
+       __usermodehelper_set_disable_depth(UMH_FREEZING);
+       thaw_workqueues();
++      cpuset_wait_for_hotplug();
++
+       read_lock(&tasklist_lock);
+       for_each_process_thread(g, p) {
+               /* No other threads should have PF_SUSPEND_TASK set */
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -7292,16 +7292,15 @@ static void cpuset_cpu_active(void)
+                * operation in the resume sequence, just build a single sched
+                * domain, ignoring cpusets.
+                */
+-              num_cpus_frozen--;
+-              if (likely(num_cpus_frozen)) {
+-                      partition_sched_domains(1, NULL, NULL);
++              partition_sched_domains(1, NULL, NULL);
++              if (--num_cpus_frozen)
+                       return;
+-              }
+               /*
+                * This is the last CPU online operation. So fall through and
+                * restore the original sched domains by considering the
+                * cpuset configurations.
+                */
++              cpuset_force_rebuild();
+       }
+       cpuset_update_active_cpus(true);
+ }
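Review bot: `force_rebuild` in kernel/cpuset.c is a plain `static bool` written by `cpuset_force_rebuild()` and tested and cleared in `cpuset_hotplug_workfn()`, and nothing at its declaration says what orders the two. From the visible lines the store in `cpuset_cpu_active()` is followed by `cpuset_update_active_cpus(true)`, which queues the work with `schedule_work()`, so the flag appears to rely on that call order. A later caller that sets it without queueing the work would leave the rebuild pending until some unrelated hotplug event. I would state this at the declaration, e.g. `/* Set before queueing cpuset_hotplug_work; consumed and cleared by cpuset_hotplug_workfn(). */`, and give `cpuset_force_rebuild()` and `cpuset_wait_for_hotplug()` a one-line kernel-doc each. The bodies of `cpuset_hotplug_workfn()` and `cpuset_cpu_active()` start outside the nested hunks, so any locking around the flag there is not visible.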
index e4301ae579d615ed7b271f65e844b20137f3c56e..301c4b01797f1367a31e60ecd561fdd76d248dce 100644 (file)
@@ -91,3 +91,14 @@ netlink-fix-nla_put_-u8-u16-u32-for-kasan.patch
 iwlwifi-mvm-use-iwl_hcmd_nocopy-for-mcast_filter_cmd.patch
 iwlwifi-add-workaround-to-disable-wide-channels-in-5ghz.patch
 scsi-sd-do-not-override-max_sectors_kb-sysfs-setting.patch
+brcmfmac-add-length-check-in-brcmf_cfg80211_escan_handler.patch
+brcmfmac-setup-passive-scan-if-requested-by-user-space.patch
+drm-i915-bios-ignore-hdmi-on-port-a.patch
+nvme-pci-use-pci-bus-address-for-data-queues-in-cmb.patch
+mmc-core-add-driver-strength-selection-when-selecting-hs400es.patch
+sched-cpuset-pm-fix-cpuset-vs.-suspend-resume-bugs.patch
+vfs-deny-copy_file_range-for-non-regular-files.patch
+ext4-fix-data-corruption-for-mmap-writes.patch
+ext4-don-t-clear-sgid-when-inheriting-acls.patch
+ext4-don-t-allow-encrypted-operations-without-keys.patch
+f2fs-don-t-allow-encrypted-operations-without-keys.patch
diff --git a/queue-4.9/vfs-deny-copy_file_range-for-non-regular-files.patch b/queue-4.9/vfs-deny-copy_file_range-for-non-regular-files.patch
new file mode 100644 (file)
index 0000000..8723709
--- /dev/null
@@ -0,0 +1,45 @@
+From 11cbfb10775aa2a01cee966d118049ede9d0bdf2 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Tue, 31 Jan 2017 10:34:56 +0200
+Subject: vfs: deny copy_file_range() for non regular files
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 11cbfb10775aa2a01cee966d118049ede9d0bdf2 upstream.
+
+There is no in-tree file system that implements copy_file_range()
+for non regular files.
+
+Deny an attempt to copy_file_range() a directory with EISDIR
+and any other non regualr file with EINVAL to conform with
+behavior of vfs_{clone,dedup}_file_range().
+
+This change is needed prior to converting sb_start_write()
+to  file_start_write() in the vfs helper.
+
+Cc: linux-api@vger.kernel.org
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/read_write.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -1518,6 +1518,11 @@ ssize_t vfs_copy_file_range(struct file
+       if (flags != 0)
+               return -EINVAL;
++      if (S_ISDIR(inode_in->i_mode) || S_ISDIR(inode_out->i_mode))
++              return -EISDIR;
++      if (!S_ISREG(inode_in->i_mode) || !S_ISREG(inode_out->i_mode))
++              return -EINVAL;
++
+       ret = rw_verify_area(READ, file_in, &pos_in, len);
+       if (unlikely(ret))
+               return ret;
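Review bot: The two type checks added to `vfs_copy_file_range()` have no comment, so the reason a directory returns `-EISDIR` while any other non-regular file returns `-EINVAL` is recorded only in the commit message. A line above them such as `/* Regular files only; same errors as vfs_{clone,dedup}_file_range() */` would keep that contract next to the code. `inode_in` and `inode_out` are declared outside the hunk, so I am assuming they are derived from `file_in` and `file_out` and are valid at this point. The function body starts and ends outside the hunk.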