git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
4.20-stable patches
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 2 Feb 2019 12:10:19 +0000 (13:10 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 2 Feb 2019 12:10:19 +0000 (13:10 +0100)
added patches:
alsa-hda-realtek-fixed-hp_pin-no-value.patch
alsa-pcm-fix-tight-loop-of-oss-capture-stream.patch
alsa-usb-audio-add-opus-3-to-quirks-for-native-dsd-support.patch
arm-cns3xxx-fix-writing-to-wrong-pci-config-registers-after-alignment.patch
arm64-do-not-issue-ipis-for-user-executable-ptes.patch
arm64-hibernate-clean-the-__hyp_text-to-poc-after-resume.patch
arm64-hyp-stub-forbid-kprobing-of-the-hyp-stub.patch
arm64-kaslr-ensure-randomized-quantities-are-clean-also-when-kaslr-is-off.patch
cifs-do-not-consider-enodata-as-stat-failure-for-reads.patch
cifs-do-not-count-enodata-as-failure-for-query-directory.patch
cifs-fix-possible-oops-and-memory-leaks-in-async-io.patch
cifs-fix-trace-command-logging-for-smb2-reads-and-writes.patch
cifs-fix-use-after-free-of-the-lease-keys.patch
fs-dcache-fix-incorrect-nr_dentry_unused-accounting-in-shrink_dcache_sb.patch
gfs2-revert-fix-loop-in-gfs2_rbm_find.patch
gpio-altera-a10sr-set-proper-output-level-for-direction_output.patch
gpio-pcf857x-fix-interrupts-on-multiple-instances.patch
gpio-sprd-fix-incorrect-irq-type-setting-for-the-async-eic.patch
gpio-sprd-fix-the-incorrect-data-register.patch
gpiolib-fix-line-event-timestamps-for-nested-irqs.patch
ib-hfi1-add-limit-test-for-rc-uc-send-via-loopback.patch
ib-hfi1-remove-overly-conservative-vm_exec-flag-check.patch
ib-uverbs-fix-oops-in-uverbs_user_mmap_disassociate.patch
ib-uverbs-fix-oops-upon-device-disassociation.patch
iommu-vt-d-fix-memory-leak-in-intel_iommu_put_resv_regions.patch
mmc-bcm2835-fix-dma-channel-leak-on-probe-error.patch
mmc-mediatek-fix-incorrect-register-setting-of-hs400_cmd_int_delay.patch
nfs-fix-up-return-value-on-fatal-errors-in-nfs_page_async_flush.patch
selftests-seccomp-enhance-per-arch-ptrace-syscall-skip-tests.patch

30 files changed:
queue-4.20/alsa-hda-realtek-fixed-hp_pin-no-value.patch [new file with mode: 0644]
queue-4.20/alsa-pcm-fix-tight-loop-of-oss-capture-stream.patch [new file with mode: 0644]
queue-4.20/alsa-usb-audio-add-opus-3-to-quirks-for-native-dsd-support.patch [new file with mode: 0644]
queue-4.20/arm-cns3xxx-fix-writing-to-wrong-pci-config-registers-after-alignment.patch [new file with mode: 0644]
queue-4.20/arm64-do-not-issue-ipis-for-user-executable-ptes.patch [new file with mode: 0644]
queue-4.20/arm64-hibernate-clean-the-__hyp_text-to-poc-after-resume.patch [new file with mode: 0644]
queue-4.20/arm64-hyp-stub-forbid-kprobing-of-the-hyp-stub.patch [new file with mode: 0644]
queue-4.20/arm64-kaslr-ensure-randomized-quantities-are-clean-also-when-kaslr-is-off.patch [new file with mode: 0644]
queue-4.20/cifs-do-not-consider-enodata-as-stat-failure-for-reads.patch [new file with mode: 0644]
queue-4.20/cifs-do-not-count-enodata-as-failure-for-query-directory.patch [new file with mode: 0644]
queue-4.20/cifs-fix-possible-oops-and-memory-leaks-in-async-io.patch [new file with mode: 0644]
queue-4.20/cifs-fix-trace-command-logging-for-smb2-reads-and-writes.patch [new file with mode: 0644]
queue-4.20/cifs-fix-use-after-free-of-the-lease-keys.patch [new file with mode: 0644]
queue-4.20/fs-dcache-fix-incorrect-nr_dentry_unused-accounting-in-shrink_dcache_sb.patch [new file with mode: 0644]
queue-4.20/gfs2-revert-fix-loop-in-gfs2_rbm_find.patch [new file with mode: 0644]
queue-4.20/gpio-altera-a10sr-set-proper-output-level-for-direction_output.patch [new file with mode: 0644]
queue-4.20/gpio-pcf857x-fix-interrupts-on-multiple-instances.patch [new file with mode: 0644]
queue-4.20/gpio-sprd-fix-incorrect-irq-type-setting-for-the-async-eic.patch [new file with mode: 0644]
queue-4.20/gpio-sprd-fix-the-incorrect-data-register.patch [new file with mode: 0644]
queue-4.20/gpiolib-fix-line-event-timestamps-for-nested-irqs.patch [new file with mode: 0644]
queue-4.20/ib-hfi1-add-limit-test-for-rc-uc-send-via-loopback.patch [new file with mode: 0644]
queue-4.20/ib-hfi1-remove-overly-conservative-vm_exec-flag-check.patch [new file with mode: 0644]
queue-4.20/ib-uverbs-fix-oops-in-uverbs_user_mmap_disassociate.patch [new file with mode: 0644]
queue-4.20/ib-uverbs-fix-oops-upon-device-disassociation.patch [new file with mode: 0644]
queue-4.20/iommu-vt-d-fix-memory-leak-in-intel_iommu_put_resv_regions.patch [new file with mode: 0644]
queue-4.20/mmc-bcm2835-fix-dma-channel-leak-on-probe-error.patch [new file with mode: 0644]
queue-4.20/mmc-mediatek-fix-incorrect-register-setting-of-hs400_cmd_int_delay.patch [new file with mode: 0644]
queue-4.20/nfs-fix-up-return-value-on-fatal-errors-in-nfs_page_async_flush.patch [new file with mode: 0644]
queue-4.20/selftests-seccomp-enhance-per-arch-ptrace-syscall-skip-tests.patch [new file with mode: 0644]
queue-4.20/series

diff --git a/queue-4.20/alsa-hda-realtek-fixed-hp_pin-no-value.patch b/queue-4.20/alsa-hda-realtek-fixed-hp_pin-no-value.patch
new file mode 100644 (file)
index 0000000..349c04d
--- /dev/null
@@ -0,0 +1,155 @@
+From 693abe11aa6b27aed6eb8222162f8fb986325cef Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Tue, 29 Jan 2019 15:38:21 +0800
+Subject: ALSA: hda/realtek - Fixed hp_pin no value
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit 693abe11aa6b27aed6eb8222162f8fb986325cef upstream.
+
+Fix hp_pin always no value.
+
+[More notes on the changes:
+
+ The hp_pin value that is referred in alc294_hp_init() is always zero
+ at the moment the function gets called, hence this is actually
+ useless as in the current code.
+
+ And, this kind of init sequence should be called from the codec init
+ callback, instead of the parser function.  So, the first fix in this
+ patch to move the call call into its own init_hook.
+
+ OTOH, this function is needed to be called only once after the boot,
+ and it'd take too long for invoking at each resume (where the init
+ callback gets called).  So we add a new flag and invoke this only
+ once as an additional fix.
+
+ The one case is still not covered, though: S4 resume.  But this
+ change itself won't lead to any regression in that regard, so we
+ leave S4 issue as is for now and fix it later.  -- tiwai ]
+
+Fixes: bde1a7459623 ("ALSA: hda/realtek - Fixed headphone issue for ALC700")
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |   78 ++++++++++++++++++++++++------------------
+ 1 file changed, 45 insertions(+), 33 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -117,6 +117,7 @@ struct alc_spec {
+       int codec_variant;      /* flag for other variants */
+       unsigned int has_alc5505_dsp:1;
+       unsigned int no_depop_delay:1;
++      unsigned int done_hp_init:1;
+       /* for PLL fix */
+       hda_nid_t pll_nid;
+@@ -3372,6 +3373,48 @@ static void alc_default_shutup(struct hd
+       snd_hda_shutup_pins(codec);
+ }
++static void alc294_hp_init(struct hda_codec *codec)
++{
++      struct alc_spec *spec = codec->spec;
++      hda_nid_t hp_pin = spec->gen.autocfg.hp_pins[0];
++      int i, val;
++
++      if (!hp_pin)
++              return;
++
++      snd_hda_codec_write(codec, hp_pin, 0,
++                          AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE);
++
++      msleep(100);
++
++      snd_hda_codec_write(codec, hp_pin, 0,
++                          AC_VERB_SET_PIN_WIDGET_CONTROL, 0x0);
++
++      alc_update_coef_idx(codec, 0x6f, 0x000f, 0);/* Set HP depop to manual mode */
++      alc_update_coefex_idx(codec, 0x58, 0x00, 0x8000, 0x8000); /* HP depop procedure start */
++
++      /* Wait for depop procedure finish  */
++      val = alc_read_coefex_idx(codec, 0x58, 0x01);
++      for (i = 0; i < 20 && val & 0x0080; i++) {
++              msleep(50);
++              val = alc_read_coefex_idx(codec, 0x58, 0x01);
++      }
++      /* Set HP depop to auto mode */
++      alc_update_coef_idx(codec, 0x6f, 0x000f, 0x000b);
++      msleep(50);
++}
++
++static void alc294_init(struct hda_codec *codec)
++{
++      struct alc_spec *spec = codec->spec;
++
++      if (!spec->done_hp_init) {
++              alc294_hp_init(codec);
++              spec->done_hp_init = true;
++      }
++      alc_default_init(codec);
++}
++
+ static void alc5505_coef_set(struct hda_codec *codec, unsigned int index_reg,
+                            unsigned int val)
+ {
+@@ -7288,37 +7331,6 @@ static void alc269_fill_coef(struct hda_
+       alc_update_coef_idx(codec, 0x4, 0, 1<<11);
+ }
+-static void alc294_hp_init(struct hda_codec *codec)
+-{
+-      struct alc_spec *spec = codec->spec;
+-      hda_nid_t hp_pin = spec->gen.autocfg.hp_pins[0];
+-      int i, val;
+-
+-      if (!hp_pin)
+-              return;
+-
+-      snd_hda_codec_write(codec, hp_pin, 0,
+-                          AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE);
+-
+-      msleep(100);
+-
+-      snd_hda_codec_write(codec, hp_pin, 0,
+-                          AC_VERB_SET_PIN_WIDGET_CONTROL, 0x0);
+-
+-      alc_update_coef_idx(codec, 0x6f, 0x000f, 0);/* Set HP depop to manual mode */
+-      alc_update_coefex_idx(codec, 0x58, 0x00, 0x8000, 0x8000); /* HP depop procedure start */
+-
+-      /* Wait for depop procedure finish  */
+-      val = alc_read_coefex_idx(codec, 0x58, 0x01);
+-      for (i = 0; i < 20 && val & 0x0080; i++) {
+-              msleep(50);
+-              val = alc_read_coefex_idx(codec, 0x58, 0x01);
+-      }
+-      /* Set HP depop to auto mode */
+-      alc_update_coef_idx(codec, 0x6f, 0x000f, 0x000b);
+-      msleep(50);
+-}
+-
+ /*
+  */
+ static int patch_alc269(struct hda_codec *codec)
+@@ -7444,7 +7456,7 @@ static int patch_alc269(struct hda_codec
+               spec->codec_variant = ALC269_TYPE_ALC294;
+               spec->gen.mixer_nid = 0; /* ALC2x4 does not have any loopback mixer path */
+               alc_update_coef_idx(codec, 0x6b, 0x0018, (1<<4) | (1<<3)); /* UAJ MIC Vref control by verb */
+-              alc294_hp_init(codec);
++              spec->init_hook = alc294_init;
+               break;
+       case 0x10ec0300:
+               spec->codec_variant = ALC269_TYPE_ALC300;
+@@ -7456,7 +7468,7 @@ static int patch_alc269(struct hda_codec
+               spec->codec_variant = ALC269_TYPE_ALC700;
+               spec->gen.mixer_nid = 0; /* ALC700 does not have any loopback mixer path */
+               alc_update_coef_idx(codec, 0x4a, 1 << 15, 0); /* Combo jack auto trigger control */
+-              alc294_hp_init(codec);
++              spec->init_hook = alc294_init;
+               break;
+       }
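Review bot: In alc294_init(), done_hp_init is set to true unconditionally after the call to alc294_hp_init(), including when that function returned early at `if (!hp_pin) return;` without running the depop sequence, so the sequence is never attempted again on a later init. Is that intended? If not, set the flag inside alc294_hp_init() after the hp_pin check, or have it return a status. The poll loop `for (i = 0; i < 20 && val & 0x0080; i++)` also gives up silently after 20 iterations; a warning on timeout would help, and parentheses around `val & 0x0080` would make the condition easier to read.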
diff --git a/queue-4.20/alsa-pcm-fix-tight-loop-of-oss-capture-stream.patch b/queue-4.20/alsa-pcm-fix-tight-loop-of-oss-capture-stream.patch
new file mode 100644 (file)
index 0000000..56dac93
--- /dev/null
@@ -0,0 +1,66 @@
+From e190161f96b88ffae870405fd6c3fdd1d2e7f98d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 25 Jan 2019 17:11:32 +0100
+Subject: ALSA: pcm: Fix tight loop of OSS capture stream
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit e190161f96b88ffae870405fd6c3fdd1d2e7f98d upstream.
+
+When the trigger=off is passed for a PCM OSS stream, it sets the
+start_threshold of the given substream to the boundary size, so that
+it won't be automatically started.  This can be problematic for a
+capture stream, unfortunately, as detected by syzkaller.  The scenario
+is like the following:
+
+- In __snd_pcm_lib_xfer() that is invoked from snd_pcm_oss_read()
+  loop, we have a check whether the stream was already started or the
+  stream can be auto-started.
+- The function at this check returns 0 with trigger=off since we
+  explicitly disable the auto-start.
+- The loop continues and repeats calling __snd_pcm_lib_xfer() tightly,
+  which may lead to an RCU stall.
+
+This patch fixes the bug by simply allowing the wait for non-started
+stream in the case of OSS capture.  For native usages, it's supposed
+to be done by the caller side (which is user-space), hence it returns
+zero like before.
+
+(In theory, __snd_pcm_lib_xfer() could wait even for the native API
+ usage cases, too; but I'd like to stay in a safer side for not
+ breaking the existing stuff for now.)
+
+Reported-by: syzbot+fbe0496f92a0ce7b786c@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_lib.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -2112,6 +2112,13 @@ int pcm_lib_apply_appl_ptr(struct snd_pc
+       return 0;
+ }
++/* allow waiting for a capture stream that hasn't been started */
++#if IS_ENABLED(CONFIG_SND_PCM_OSS)
++#define wait_capture_start(substream) ((substream)->oss.oss)
++#else
++#define wait_capture_start(substream) false
++#endif
++
+ /* the common loop for read/write data */
+ snd_pcm_sframes_t __snd_pcm_lib_xfer(struct snd_pcm_substream *substream,
+                                    void *data, bool interleaved,
+@@ -2182,7 +2189,7 @@ snd_pcm_sframes_t __snd_pcm_lib_xfer(str
+                       err = snd_pcm_start(substream);
+                       if (err < 0)
+                               goto _end_unlock;
+-              } else {
++              } else if (!wait_capture_start(substream)) {
+                       /* nothing to do */
+                       err = 0;
+                       goto _end_unlock;
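Review bot: wait_capture_start() tests only `(substream)->oss.oss` and never looks at the stream direction, so the "capture" in its name holds only if the `else if` in the second hunk is reached on the capture path alone, which these lines do not show. Either fold the direction check into the macro or state the assumption in the comment above it. It would also help to say at the call site what a non-started OSS stream then waits on, since the fall-through path lies outside the hunk.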
diff --git a/queue-4.20/alsa-usb-audio-add-opus-3-to-quirks-for-native-dsd-support.patch b/queue-4.20/alsa-usb-audio-add-opus-3-to-quirks-for-native-dsd-support.patch
new file mode 100644 (file)
index 0000000..697c415
--- /dev/null
@@ -0,0 +1,36 @@
+From 9e6966646b6bc5078d579151b90016522d4ff2cb Mon Sep 17 00:00:00 2001
+From: Olek Poplavsky <woodenbits@gmail.com>
+Date: Thu, 24 Jan 2019 23:30:03 -0500
+Subject: ALSA: usb-audio: Add Opus #3 to quirks for native DSD support
+
+From: Olek Poplavsky <woodenbits@gmail.com>
+
+commit 9e6966646b6bc5078d579151b90016522d4ff2cb upstream.
+
+This patch adds quirk VID/PID IDs for the Opus #3 DAP (made by 'The Bit')
+in order to enable Native DSD support.
+
+[ NOTE: this could be handled in the generic way with fp->dvd_raw if
+  we add 0x10cb to the vendor whitelist, but since 0x10cb shows a
+  different vendor name (Erantech), put to the individual entry at
+  this time -- tiwai ]
+
+Signed-off-by: Olek Poplavsky <woodenbits@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1373,6 +1373,7 @@ u64 snd_usb_interface_dsd_format_quirks(
+                       return SNDRV_PCM_FMTBIT_DSD_U32_BE;
+               break;
++      case USB_ID(0x10cb, 0x0103): /* The Bit Opus #3; with fp->dsd_raw */
+       case USB_ID(0x152a, 0x85de): /* SMSL D1 DAC */
+       case USB_ID(0x16d0, 0x09dd): /* Encore mDSD */
+       case USB_ID(0x0d8c, 0x0316): /* Hegel HD12 DSD */
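Review bot: The note in the commit log names the field `fp->dvd_raw` while the comment on the added `case USB_ID(0x10cb, 0x0103)` line says `fp->dsd_raw`; one of the two is a typo and the log should match the code. The trailing "with fp->dsd_raw" in the comment is also terse: say whether this entry depends on that flag or could be replaced by the generic handling the log's note describes.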
diff --git a/queue-4.20/arm-cns3xxx-fix-writing-to-wrong-pci-config-registers-after-alignment.patch b/queue-4.20/arm-cns3xxx-fix-writing-to-wrong-pci-config-registers-after-alignment.patch
new file mode 100644 (file)
index 0000000..ca98b3f
--- /dev/null
@@ -0,0 +1,67 @@
+From 65dbb423cf28232fed1732b779249d6164c5999b Mon Sep 17 00:00:00 2001
+From: Koen Vandeputte <koen.vandeputte@ncentric.com>
+Date: Thu, 31 Jan 2019 15:00:01 -0600
+Subject: ARM: cns3xxx: Fix writing to wrong PCI config registers after alignment
+
+From: Koen Vandeputte <koen.vandeputte@ncentric.com>
+
+commit 65dbb423cf28232fed1732b779249d6164c5999b upstream.
+
+Originally, cns3xxx used its own functions for mapping, reading and
+writing config registers.
+
+Commit 802b7c06adc7 ("ARM: cns3xxx: Convert PCI to use generic config
+accessors") removed the internal PCI config write function in favor of
+the generic one:
+
+  cns3xxx_pci_write_config() --> pci_generic_config_write()
+
+cns3xxx_pci_write_config() expected aligned addresses, being produced by
+cns3xxx_pci_map_bus() while the generic one pci_generic_config_write()
+actually expects the real address as both the function and hardware are
+capable of byte-aligned writes.
+
+This currently leads to pci_generic_config_write() writing to the wrong
+registers.
+
+For instance, upon ath9k module loading:
+
+- driver ath9k gets loaded
+- The driver wants to write value 0xA8 to register PCI_LATENCY_TIMER,
+  located at 0x0D
+- cns3xxx_pci_map_bus() aligns the address to 0x0C
+- pci_generic_config_write() effectively writes 0xA8 into register 0x0C
+  (CACHE_LINE_SIZE)
+
+Fix the bug by removing the alignment in the cns3xxx mapping function.
+
+Fixes: 802b7c06adc7 ("ARM: cns3xxx: Convert PCI to use generic config accessors")
+Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
+[lorenzo.pieralisi@arm.com: updated commit log]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Krzysztof Halasa <khalasa@piap.pl>
+Acked-by: Tim Harvey <tharvey@gateworks.com>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+CC: stable@vger.kernel.org     # v4.0+
+CC: Bjorn Helgaas <bhelgaas@google.com>
+CC: Olof Johansson <olof@lixom.net>
+CC: Robin Leblon <robin.leblon@ncentric.com>
+CC: Rob Herring <robh@kernel.org>
+CC: Russell King <linux@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-cns3xxx/pcie.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/mach-cns3xxx/pcie.c
++++ b/arch/arm/mach-cns3xxx/pcie.c
+@@ -83,7 +83,7 @@ static void __iomem *cns3xxx_pci_map_bus
+       } else /* remote PCI bus */
+               base = cnspci->cfg1_regs + ((busno & 0xf) << 20);
+-      return base + (where & 0xffc) + (devfn << 12);
++      return base + where + (devfn << 12);
+ }
+ static int cns3xxx_pci_read_config(struct pci_bus *bus, unsigned int devfn,
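Review bot: Dropping `& 0xffc` in cns3xxx_pci_map_bus() removes the alignment but also the only bound on `where` in this expression; an offset of 0x1000 or more would now carry into the `devfn << 12` field. `(where & 0xfff)` would keep byte addressing while preserving the range limit. The log covers only the write path, so please also state how cns3xxx_pci_read_config(), which follows in this file, behaves with the unaligned address the map function now returns.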
diff --git a/queue-4.20/arm64-do-not-issue-ipis-for-user-executable-ptes.patch b/queue-4.20/arm64-do-not-issue-ipis-for-user-executable-ptes.patch
new file mode 100644 (file)
index 0000000..7d31232
--- /dev/null
@@ -0,0 +1,43 @@
+From 132fdc379eb143932d209a20fd581e1ce7630960 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Thu, 24 Jan 2019 17:28:37 +0000
+Subject: arm64: Do not issue IPIs for user executable ptes
+
+From: Catalin Marinas <catalin.marinas@arm.com>
+
+commit 132fdc379eb143932d209a20fd581e1ce7630960 upstream.
+
+Commit 3b8c9f1cdfc5 ("arm64: IPI each CPU after invalidating the I-cache
+for kernel mappings") was aimed at fixing the I-cache invalidation for
+kernel mappings. However, it inadvertently caused all cache maintenance
+for user mappings via set_pte_at() -> __sync_icache_dcache() ->
+sync_icache_aliases() to call kick_all_cpus_sync().
+
+Reported-by: Shijith Thotton <sthotton@marvell.com>
+Tested-by: Shijith Thotton <sthotton@marvell.com>
+Reported-by: Wandun Chen <chenwandun@huawei.com>
+Fixes: 3b8c9f1cdfc5 ("arm64: IPI each CPU after invalidating the I-cache for kernel mappings")
+Cc: <stable@vger.kernel.org> # 4.19.x-
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/mm/flush.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/mm/flush.c
++++ b/arch/arm64/mm/flush.c
+@@ -33,7 +33,11 @@ void sync_icache_aliases(void *kaddr, un
+               __clean_dcache_area_pou(kaddr, len);
+               __flush_icache_all();
+       } else {
+-              flush_icache_range(addr, addr + len);
++              /*
++               * Don't issue kick_all_cpus_sync() after I-cache invalidation
++               * for user mappings.
++               */
++              __flush_icache_range(addr, addr + len);
+       }
+ }
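Review bot: The new comment in the else branch of sync_icache_aliases() says what is avoided but not why skipping kick_all_cpus_sync() is safe for user mappings, and the new call differs from the old one only by its leading underscores. A sentence of rationale in the comment or the log would keep a later cleanup from switching it back to flush_icache_range().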
diff --git a/queue-4.20/arm64-hibernate-clean-the-__hyp_text-to-poc-after-resume.patch b/queue-4.20/arm64-hibernate-clean-the-__hyp_text-to-poc-after-resume.patch
new file mode 100644 (file)
index 0000000..f20dd2e
--- /dev/null
@@ -0,0 +1,44 @@
+From f7daa9c8fd191724b9ab9580a7be55cd1a67d799 Mon Sep 17 00:00:00 2001
+From: James Morse <james.morse@arm.com>
+Date: Thu, 24 Jan 2019 16:32:57 +0000
+Subject: arm64: hibernate: Clean the __hyp_text to PoC after resume
+
+From: James Morse <james.morse@arm.com>
+
+commit f7daa9c8fd191724b9ab9580a7be55cd1a67d799 upstream.
+
+During resume hibernate restores all physical memory. Any memory
+that is accessed with the MMU disabled needs to be cleaned to the
+PoC.
+
+KVMs __hyp_text was previously ommitted as it runs with the MMU
+enabled, but now that the hyp-stub is located in this section,
+we must clean __hyp_text too.
+
+This ensures secondary CPUs that come online after hibernate
+has finished resuming, and load KVM via the freshly written
+hyp-stub see the correct instructions.
+
+Signed-off-by: James Morse <james.morse@arm.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/hibernate.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/hibernate.c
++++ b/arch/arm64/kernel/hibernate.c
+@@ -299,8 +299,10 @@ int swsusp_arch_suspend(void)
+               dcache_clean_range(__idmap_text_start, __idmap_text_end);
+               /* Clean kvm setup code to PoC? */
+-              if (el2_reset_needed())
++              if (el2_reset_needed()) {
+                       dcache_clean_range(__hyp_idmap_text_start, __hyp_idmap_text_end);
++                      dcache_clean_range(__hyp_text_start, __hyp_text_end);
++              }
+               /* make the crash dump kernel image protected again */
+               crash_post_resume();
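Review bot: The comment `/* Clean kvm setup code to PoC? */` above the el2_reset_needed() block no longer describes the block now that it also cleans __hyp_text for the hyp-stub; update it to say so. Since the log says secondary CPUs load KVM via the stub after resume, it is also worth confirming in the log that every configuration using the stub takes the el2_reset_needed() branch, because the new clean is conditional on it.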
diff --git a/queue-4.20/arm64-hyp-stub-forbid-kprobing-of-the-hyp-stub.patch b/queue-4.20/arm64-hyp-stub-forbid-kprobing-of-the-hyp-stub.patch
new file mode 100644 (file)
index 0000000..1eccd76
--- /dev/null
@@ -0,0 +1,37 @@
+From 8fac5cbdfe0f01254d9d265c6aa1a95f94f58595 Mon Sep 17 00:00:00 2001
+From: James Morse <james.morse@arm.com>
+Date: Thu, 24 Jan 2019 16:32:56 +0000
+Subject: arm64: hyp-stub: Forbid kprobing of the hyp-stub
+
+From: James Morse <james.morse@arm.com>
+
+commit 8fac5cbdfe0f01254d9d265c6aa1a95f94f58595 upstream.
+
+The hyp-stub is loaded by the kernel's early startup code at EL2
+during boot, before KVM takes ownership later. The hyp-stub's
+text is part of the regular kernel text, meaning it can be kprobed.
+
+A breakpoint in the hyp-stub causes the CPU to spin in el2_sync_invalid.
+
+Add it to the __hyp_text.
+
+Signed-off-by: James Morse <james.morse@arm.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/hyp-stub.S |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/kernel/hyp-stub.S
++++ b/arch/arm64/kernel/hyp-stub.S
+@@ -28,6 +28,8 @@
+ #include <asm/virt.h>
+       .text
++      .pushsection    .hyp.text, "ax"
++
+       .align 11
+ ENTRY(__hyp_stub_vectors)
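Review bot: `.pushsection .hyp.text, "ax"` is added right after `.text` with no matching `.popsection` anywhere in the patch (the diffstat shows only these two inserted lines), so everything up to the next section directive lands in .hyp.text and the section stack is left unbalanced. If the whole file is meant to move, replacing `.text` with a plain `.section` says that more directly; otherwise add the `.popsection` where the stub ends.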
diff --git a/queue-4.20/arm64-kaslr-ensure-randomized-quantities-are-clean-also-when-kaslr-is-off.patch b/queue-4.20/arm64-kaslr-ensure-randomized-quantities-are-clean-also-when-kaslr-is-off.patch
new file mode 100644 (file)
index 0000000..097deb9
--- /dev/null
@@ -0,0 +1,46 @@
+From 8ea235932314311f15ea6cf65c1393ed7e31af70 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Sun, 27 Jan 2019 09:29:42 +0100
+Subject: arm64: kaslr: ensure randomized quantities are clean also when kaslr is off
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+commit 8ea235932314311f15ea6cf65c1393ed7e31af70 upstream.
+
+Commit 1598ecda7b23 ("arm64: kaslr: ensure randomized quantities are
+clean to the PoC") added cache maintenance to ensure that global
+variables set by the kaslr init routine are not wiped clean due to
+cache invalidation occurring during the second round of page table
+creation.
+
+However, if kaslr_early_init() exits early with no randomization
+being applied (either due to the lack of a seed, or because the user
+has disabled kaslr explicitly), no cache maintenance is performed,
+leading to the same issue we attempted to fix earlier, as far as the
+module_alloc_base variable is concerned.
+
+Note that module_alloc_base cannot be initialized statically, because
+that would cause it to be subject to a R_AARCH64_RELATIVE relocation,
+causing it to be overwritten by the second round of KASLR relocation
+processing.
+
+Fixes: f80fb3a3d508 ("arm64: add support for kernel ASLR")
+Cc: <stable@vger.kernel.org> # v4.6+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/kaslr.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/kernel/kaslr.c
++++ b/arch/arm64/kernel/kaslr.c
+@@ -88,6 +88,7 @@ u64 __init kaslr_early_init(u64 dt_phys)
+        * we end up running with module randomization disabled.
+        */
+       module_alloc_base = (u64)_etext - MODULES_VSIZE;
++      __flush_dcache_area(&module_alloc_base, sizeof(module_alloc_base));
+       /*
+        * Try to map the FDT early. If this fails, we simply bail,
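Review bot: The `__flush_dcache_area(&module_alloc_base, sizeof(module_alloc_base))` call is added without a comment, and the comment block just above it talks only about running with module randomization disabled. Add a line explaining that the value has to be cleaned here because the early-exit paths perform no cache maintenance, which is the reason given in the log.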
diff --git a/queue-4.20/cifs-do-not-consider-enodata-as-stat-failure-for-reads.patch b/queue-4.20/cifs-do-not-consider-enodata-as-stat-failure-for-reads.patch
new file mode 100644 (file)
index 0000000..b9920aa
--- /dev/null
@@ -0,0 +1,34 @@
+From 082aaa8700415f6471ec9c5ef0c8307ca214989a Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Fri, 18 Jan 2019 15:54:34 -0800
+Subject: CIFS: Do not consider -ENODATA as stat failure for reads
+
+From: Pavel Shilovsky <pshilov@microsoft.com>
+
+commit 082aaa8700415f6471ec9c5ef0c8307ca214989a upstream.
+
+When doing reads beyound the end of a file the server returns
+error STATUS_END_OF_FILE error which is mapped to -ENODATA.
+Currently we report it as a failure which confuses read stats.
+Change it to not consider -ENODATA as failure for stat purposes.
+
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -3139,7 +3139,7 @@ smb2_readv_callback(struct mid_q_entry *
+               rdata->mr = NULL;
+       }
+ #endif
+-      if (rdata->result) {
++      if (rdata->result && rdata->result != -ENODATA) {
+               cifs_stats_fail_inc(tcon, SMB2_READ_HE);
+               trace_smb3_read_err(0 /* xid */,
+                                   rdata->cfile->fid.persistent_fid,
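Review bot: The new condition `rdata->result && rdata->result != -ENODATA` in smb2_readv_callback() guards trace_smb3_read_err() as well as cifs_stats_fail_inc(), so a read past end of file no longer produces an error trace, while the log speaks only of stats. If tracing should still record the -ENODATA result, split the check so that only the counter increment is skipped; if not, say so in the log.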
diff --git a/queue-4.20/cifs-do-not-count-enodata-as-failure-for-query-directory.patch b/queue-4.20/cifs-do-not-count-enodata-as-failure-for-query-directory.patch
new file mode 100644 (file)
index 0000000..7a2d7b3
--- /dev/null
@@ -0,0 +1,31 @@
+From 8e6e72aeceaaed5aeeb1cb43d3085de7ceb14f79 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Sat, 26 Jan 2019 12:21:32 -0800
+Subject: CIFS: Do not count -ENODATA as failure for query directory
+
+From: Pavel Shilovsky <pshilov@microsoft.com>
+
+commit 8e6e72aeceaaed5aeeb1cb43d3085de7ceb14f79 upstream.
+
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -3726,8 +3726,8 @@ SMB2_query_directory(const unsigned int
+                   rsp->sync_hdr.Status == STATUS_NO_MORE_FILES) {
+                       srch_inf->endOfSearch = true;
+                       rc = 0;
+-              }
+-              cifs_stats_fail_inc(tcon, SMB2_QUERY_DIRECTORY_HE);
++              } else
++                      cifs_stats_fail_inc(tcon, SMB2_QUERY_DIRECTORY_HE);
+               goto qdir_exit;
+       }
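Review bot: The patch has no changelog body, so the reason for skipping cifs_stats_fail_inc() on the end-of-search path in SMB2_query_directory() has to be inferred from the subject; add a sentence as in the companion read patch. On style, `} else` followed by an unbraced statement after a braced if-branch goes against kernel coding style, which asks for braces on both branches.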
diff --git a/queue-4.20/cifs-fix-possible-oops-and-memory-leaks-in-async-io.patch b/queue-4.20/cifs-fix-possible-oops-and-memory-leaks-in-async-io.patch
new file mode 100644 (file)
index 0000000..ec5e0c4
--- /dev/null
@@ -0,0 +1,64 @@
+From 9bda8723da2d55b1de833b98cf802b88006e5b69 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Wed, 23 Jan 2019 17:12:09 -0800
+Subject: CIFS: Fix possible oops and memory leaks in async IO
+
+From: Pavel Shilovsky <pshilov@microsoft.com>
+
+commit 9bda8723da2d55b1de833b98cf802b88006e5b69 upstream.
+
+Allocation of a page array for non-cached IO was separated from
+allocation of rdata and wdata structures and this introduced memory
+leaks and a possible null pointer dereference. This patch fixes
+these problems.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/file.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -2670,6 +2670,7 @@ cifs_write_from_iter(loff_t offset, size
+                       rc = cifs_write_allocate_pages(wdata->pages, nr_pages);
+                       if (rc) {
++                              kvfree(wdata->pages);
+                               kfree(wdata);
+                               add_credits_and_wake_if(server, credits, 0);
+                               break;
+@@ -2681,6 +2682,7 @@ cifs_write_from_iter(loff_t offset, size
+                       if (rc) {
+                               for (i = 0; i < nr_pages; i++)
+                                       put_page(wdata->pages[i]);
++                              kvfree(wdata->pages);
+                               kfree(wdata);
+                               add_credits_and_wake_if(server, credits, 0);
+                               break;
+@@ -3360,8 +3362,12 @@ cifs_send_async_read(loff_t offset, size
+                       }
+                       rc = cifs_read_allocate_pages(rdata, npages);
+-                      if (rc)
+-                              goto error;
++                      if (rc) {
++                              kvfree(rdata->pages);
++                              kfree(rdata);
++                              add_credits_and_wake_if(server, credits, 0);
++                              break;
++                      }
+                       rdata->tailsz = PAGE_SIZE;
+               }
+@@ -3381,7 +3387,6 @@ cifs_send_async_read(loff_t offset, size
+               if (!rdata->cfile->invalidHandle ||
+                   !(rc = cifs_reopen_file(rdata->cfile, true)))
+                       rc = server->ops->async_readv(rdata);
+-error:
+               if (rc) {
+                       add_credits_and_wake_if(server, rdata->credits, 0);
+                       kref_put(&rdata->refcount,
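Review bot: The new error block in cifs_send_async_read() frees rdata with `kvfree(rdata->pages); kfree(rdata);` while the error path a few lines further down releases it with `kref_put(&rdata->refcount, ...)`. Please confirm that nothing the release callback would undo has been set on rdata by this point, or use kref_put() here too so there is a single teardown path. The log mentions a possible null pointer dereference without saying where; naming the site would make the fix easier to check.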
diff --git a/queue-4.20/cifs-fix-trace-command-logging-for-smb2-reads-and-writes.patch b/queue-4.20/cifs-fix-trace-command-logging-for-smb2-reads-and-writes.patch
new file mode 100644 (file)
index 0000000..042e68c
--- /dev/null
@@ -0,0 +1,109 @@
+From 7d42e72fe8ee5ab70b1af843dd7d8615e6fb0abe Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Fri, 25 Jan 2019 11:38:53 -0800
+Subject: CIFS: Fix trace command logging for SMB2 reads and writes
+
+From: Pavel Shilovsky <pshilov@microsoft.com>
+
+commit 7d42e72fe8ee5ab70b1af843dd7d8615e6fb0abe upstream.
+
+Currently we log success once we send an async IO request to
+the server. Instead we need to analyse a response and then log
+success or failure for a particular command. Also fix argument
+list for read logging.
+
+Cc: <stable@vger.kernel.org> # 4.18
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c |   46 ++++++++++++++++++++++++++++++----------------
+ 1 file changed, 30 insertions(+), 16 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -3139,8 +3139,17 @@ smb2_readv_callback(struct mid_q_entry *
+               rdata->mr = NULL;
+       }
+ #endif
+-      if (rdata->result)
++      if (rdata->result) {
+               cifs_stats_fail_inc(tcon, SMB2_READ_HE);
++              trace_smb3_read_err(0 /* xid */,
++                                  rdata->cfile->fid.persistent_fid,
++                                  tcon->tid, tcon->ses->Suid, rdata->offset,
++                                  rdata->bytes, rdata->result);
++      } else
++              trace_smb3_read_done(0 /* xid */,
++                                   rdata->cfile->fid.persistent_fid,
++                                   tcon->tid, tcon->ses->Suid,
++                                   rdata->offset, rdata->got_bytes);
+       queue_work(cifsiod_wq, &rdata->work);
+       DeleteMidQEntry(mid);
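Review bot: in smb2_readv_callback the if branch gained braces but the else branch is an unbraced multi-line call after "} else"; kernel style asks for braces on both arms once one arm needs them. Separately, the failure trace records rdata->bytes and the success trace records rdata->got_bytes. If that asymmetry is intended (requested length on error, received length on success), a one-line comment would save readers of the trace output from guessing.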
+@@ -3215,13 +3224,11 @@ smb2_async_readv(struct cifs_readdata *r
+       if (rc) {
+               kref_put(&rdata->refcount, cifs_readdata_release);
+               cifs_stats_fail_inc(io_parms.tcon, SMB2_READ_HE);
+-              trace_smb3_read_err(rc, 0 /* xid */, io_parms.persistent_fid,
+-                                 io_parms.tcon->tid, io_parms.tcon->ses->Suid,
+-                                 io_parms.offset, io_parms.length);
+-      } else
+-              trace_smb3_read_done(0 /* xid */, io_parms.persistent_fid,
+-                                 io_parms.tcon->tid, io_parms.tcon->ses->Suid,
+-                                 io_parms.offset, io_parms.length);
++              trace_smb3_read_err(0 /* xid */, io_parms.persistent_fid,
++                                  io_parms.tcon->tid,
++                                  io_parms.tcon->ses->Suid,
++                                  io_parms.offset, io_parms.length, rc);
++      }
+       cifs_small_buf_release(buf);
+       return rc;
+@@ -3265,10 +3272,11 @@ SMB2_read(const unsigned int xid, struct
+               if (rc != -ENODATA) {
+                       cifs_stats_fail_inc(io_parms->tcon, SMB2_READ_HE);
+                       cifs_dbg(VFS, "Send error in read = %d\n", rc);
++                      trace_smb3_read_err(xid, req->PersistentFileId,
++                                          io_parms->tcon->tid, ses->Suid,
++                                          io_parms->offset, io_parms->length,
++                                          rc);
+               }
+-              trace_smb3_read_err(rc, xid, req->PersistentFileId,
+-                                  io_parms->tcon->tid, ses->Suid,
+-                                  io_parms->offset, io_parms->length);
+               free_rsp_buf(resp_buftype, rsp_iov.iov_base);
+               return rc == -ENODATA ? 0 : rc;
+       } else
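Review bot: the relocated trace_smb3_read_err() call in SMB2_read reads req->PersistentFileId on the error path, and the hunk does not show whether req has already been passed to cifs_small_buf_release() by then. The lease-key patch in this same queue fixes exactly that pattern in SMB2_lease_break, so please confirm req is still live at this point, or take the id from io_parms as the async path does with io_parms.persistent_fid.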
+@@ -3354,8 +3362,17 @@ smb2_writev_callback(struct mid_q_entry
+               wdata->mr = NULL;
+       }
+ #endif
+-      if (wdata->result)
++      if (wdata->result) {
+               cifs_stats_fail_inc(tcon, SMB2_WRITE_HE);
++              trace_smb3_write_err(0 /* no xid */,
++                                   wdata->cfile->fid.persistent_fid,
++                                   tcon->tid, tcon->ses->Suid, wdata->offset,
++                                   wdata->bytes, wdata->result);
++      } else
++              trace_smb3_write_done(0 /* no xid */,
++                                    wdata->cfile->fid.persistent_fid,
++                                    tcon->tid, tcon->ses->Suid,
++                                    wdata->offset, wdata->bytes);
+       queue_work(cifsiod_wq, &wdata->work);
+       DeleteMidQEntry(mid);
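Review bot: the success trace in smb2_writev_callback logs wdata->bytes, which is the requested length, whereas the read callback in this patch logs rdata->got_bytes on success. If the server can acknowledge fewer bytes than were sent, the write trace will overstate what was written; either log the acknowledged count or note in a comment that the requested length is what is meant. The xid placeholder comment also differs between the two callbacks ("xid" for reads, "no xid" for writes) and should be made consistent.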
+@@ -3497,10 +3514,7 @@ smb2_async_writev(struct cifs_writedata
+                                    wdata->bytes, rc);
+               kref_put(&wdata->refcount, release);
+               cifs_stats_fail_inc(tcon, SMB2_WRITE_HE);
+-      } else
+-              trace_smb3_write_done(0 /* no xid */, req->PersistentFileId,
+-                                   tcon->tid, tcon->ses->Suid, wdata->offset,
+-                                   wdata->bytes);
++      }
+ async_writev_out:
+       cifs_small_buf_release(req);
diff --git a/queue-4.20/cifs-fix-use-after-free-of-the-lease-keys.patch b/queue-4.20/cifs-fix-use-after-free-of-the-lease-keys.patch
new file mode 100644 (file)
index 0000000..9a14d19
--- /dev/null
@@ -0,0 +1,40 @@
+From d339adc12a4f885b572c5412e4869af8939db854 Mon Sep 17 00:00:00 2001
+From: Aurelien Aptel <aaptel@suse.com>
+Date: Thu, 31 Jan 2019 13:46:07 +0100
+Subject: CIFS: fix use-after-free of the lease keys
+
+From: Aurelien Aptel <aaptel@suse.com>
+
+commit d339adc12a4f885b572c5412e4869af8939db854 upstream.
+
+The request buffers are freed right before copying the pointers.
+Use the func args instead which are identical and still valid.
+
+Simple reproducer (requires KASAN enabled) on a cifs mount:
+
+echo foo > foo ; tail -f foo & rm foo
+
+Cc: <stable@vger.kernel.org> # 4.20
+Fixes: 179e44d49c2f ("smb3: add tracepoint for sending lease break responses to server")
+Signed-off-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Paulo Alcantara <palcantara@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -4339,8 +4339,8 @@ SMB2_lease_break(const unsigned int xid,
+       rc = cifs_send_recv(xid, ses, &rqst, &resp_buf_type, flags, &rsp_iov);
+       cifs_small_buf_release(req);
+-      please_key_low = (__u64 *)req->LeaseKey;
+-      please_key_high = (__u64 *)(req->LeaseKey+8);
++      please_key_low = (__u64 *)lease_key;
++      please_key_high = (__u64 *)(lease_key+8);
+       if (rc) {
+               cifs_stats_fail_inc(tcon, SMB2_OPLOCK_BREAK_HE);
+               trace_smb3_lease_err(le32_to_cpu(lease_state), tcon->tid,
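Review bot: please_key_low and please_key_high are still assigned directly below cifs_small_buf_release(req) in SMB2_lease_break, so the ordering that produced the use-after-free remains easy to reintroduce. Moving the release below the last use of the request, or adding a one-line comment that req must not be touched after that call, would make the invariant explicit. The casts of lease_key and lease_key+8 to __u64 * also assume the caller's buffer is suitably aligned; worth confirming that holds for every caller.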
diff --git a/queue-4.20/fs-dcache-fix-incorrect-nr_dentry_unused-accounting-in-shrink_dcache_sb.patch b/queue-4.20/fs-dcache-fix-incorrect-nr_dentry_unused-accounting-in-shrink_dcache_sb.patch
new file mode 100644 (file)
index 0000000..ee43746
--- /dev/null
@@ -0,0 +1,50 @@
+From 1dbd449c9943e3145148cc893c2461b72ba6fef0 Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Wed, 30 Jan 2019 13:52:36 -0500
+Subject: fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb()
+
+From: Waiman Long <longman@redhat.com>
+
+commit 1dbd449c9943e3145148cc893c2461b72ba6fef0 upstream.
+
+The nr_dentry_unused per-cpu counter tracks dentries in both the LRU
+lists and the shrink lists where the DCACHE_LRU_LIST bit is set.
+
+The shrink_dcache_sb() function moves dentries from the LRU list to a
+shrink list and subtracts the dentry count from nr_dentry_unused.  This
+is incorrect as the nr_dentry_unused count will also be decremented in
+shrink_dentry_list() via d_shrink_del().
+
+To fix this double decrement, the decrement in the shrink_dcache_sb()
+function is taken out.
+
+Fixes: 4e717f5c1083 ("list_lru: remove special case function list_lru_dispose_all."
+Cc: stable@kernel.org
+Signed-off-by: Waiman Long <longman@redhat.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dcache.c |    6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -1188,15 +1188,11 @@ static enum lru_status dentry_lru_isolat
+  */
+ void shrink_dcache_sb(struct super_block *sb)
+ {
+-      long freed;
+-
+       do {
+               LIST_HEAD(dispose);
+-              freed = list_lru_walk(&sb->s_dentry_lru,
++              list_lru_walk(&sb->s_dentry_lru,
+                       dentry_lru_isolate_shrink, &dispose, 1024);
+-
+-              this_cpu_sub(nr_dentry_unused, freed);
+               shrink_dentry_list(&dispose);
+       } while (list_lru_count(&sb->s_dentry_lru) > 0);
+ }
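Review bot: with the local subtraction removed from shrink_dcache_sb(), nothing in the function says where nr_dentry_unused is adjusted. A one-line comment above shrink_dentry_list(&dispose) stating that the counter is decremented there, via d_shrink_del() as the commit message explains, would keep the double decrement from being reintroduced by someone who sees list_lru_walk()'s return value being discarded.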
diff --git a/queue-4.20/gfs2-revert-fix-loop-in-gfs2_rbm_find.patch b/queue-4.20/gfs2-revert-fix-loop-in-gfs2_rbm_find.patch
new file mode 100644 (file)
index 0000000..584dcd4
--- /dev/null
@@ -0,0 +1,38 @@
+From e74c98ca2d6ae4376cc15fa2a22483430909d96b Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Wed, 30 Jan 2019 21:30:36 +0100
+Subject: gfs2: Revert "Fix loop in gfs2_rbm_find"
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit e74c98ca2d6ae4376cc15fa2a22483430909d96b upstream.
+
+This reverts commit 2d29f6b96d8f80322ed2dd895bca590491c38d34.
+
+It turns out that the fix can lead to a ~20 percent performance regression
+in initial writes to the page cache according to iozone.  Let's revert this
+for now to have more time for a proper fix.
+
+Cc: stable@vger.kernel.org # v3.13+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/rgrp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -1780,9 +1780,9 @@ static int gfs2_rbm_find(struct gfs2_rbm
+                       goto next_iter;
+               }
+               if (ret == -E2BIG) {
+-                      n += rbm->bii - initial_bii;
+                       rbm->bii = 0;
+                       rbm->offset = 0;
++                      n += (rbm->bii - initial_bii);
+                       goto res_covered_end_of_rgrp;
+               }
+               return ret;
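Review bot: in the restored ordering inside the -E2BIG branch of gfs2_rbm_find, rbm->bii is set to 0 before "n += (rbm->bii - initial_bii);" runs, so the expression always evaluates to -initial_bii. Since the revert is made for performance and a proper fix is still pending, a comment at this spot marking the ordering as knowingly restored would stop a later cleanup from "fixing" it without the performance context.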
diff --git a/queue-4.20/gpio-altera-a10sr-set-proper-output-level-for-direction_output.patch b/queue-4.20/gpio-altera-a10sr-set-proper-output-level-for-direction_output.patch
new file mode 100644 (file)
index 0000000..30468ae
--- /dev/null
@@ -0,0 +1,38 @@
+From 2095a45e345e669ea77a9b34bdd7de5ceb422f93 Mon Sep 17 00:00:00 2001
+From: Axel Lin <axel.lin@ingics.com>
+Date: Wed, 23 Jan 2019 08:00:57 +0800
+Subject: gpio: altera-a10sr: Set proper output level for direction_output
+
+From: Axel Lin <axel.lin@ingics.com>
+
+commit 2095a45e345e669ea77a9b34bdd7de5ceb422f93 upstream.
+
+The altr_a10sr_gpio_direction_output should set proper output level
+based on the value argument.
+
+Fixes: 26a48c4cc2f1 ("gpio: altera-a10sr: Add A10 System Resource Chip GPIO support.")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Axel Lin <axel.lin@ingics.com>
+Tested by: Thor Thayer <thor.thayer@linux.intel.com>
+Reviewed by: Thor Thayer <thor.thayer@linux.intel.com>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpio-altera-a10sr.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-altera-a10sr.c
++++ b/drivers/gpio/gpio-altera-a10sr.c
+@@ -66,8 +66,10 @@ static int altr_a10sr_gpio_direction_inp
+ static int altr_a10sr_gpio_direction_output(struct gpio_chip *gc,
+                                           unsigned int nr, int value)
+ {
+-      if (nr <= (ALTR_A10SR_OUT_VALID_RANGE_HI - ALTR_A10SR_LED_VALID_SHIFT))
++      if (nr <= (ALTR_A10SR_OUT_VALID_RANGE_HI - ALTR_A10SR_LED_VALID_SHIFT)) {
++              altr_a10sr_gpio_set(gc, nr, value);
+               return 0;
++      }
+       return -EINVAL;
+ }
diff --git a/queue-4.20/gpio-pcf857x-fix-interrupts-on-multiple-instances.patch b/queue-4.20/gpio-pcf857x-fix-interrupts-on-multiple-instances.patch
new file mode 100644 (file)
index 0000000..6fb4733
--- /dev/null
@@ -0,0 +1,87 @@
+From 2486e67374aa8b7854c2de32869642c2873b3d53 Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Wed, 9 Jan 2019 11:11:24 +0200
+Subject: gpio: pcf857x: Fix interrupts on multiple instances
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit 2486e67374aa8b7854c2de32869642c2873b3d53 upstream.
+
+When multiple instances of pcf857x chips are present, a fix up
+message [1] is printed during the probe of the 2nd and later
+instances.
+
+The issue is that the driver is using the same irq_chip data
+structure between multiple instances.
+
+Fix this by allocating the irq_chip data structure per instance.
+
+[1] fix up message addressed by this patch
+[    1.212100] gpio gpiochip9: (pcf8575): detected irqchip that is shared with multiple gpiochips: please fix the driver.
+
+Cc: Stable <stable@vger.kernel.org>
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpio-pcf857x.c |   26 ++++++++++++--------------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+--- a/drivers/gpio/gpio-pcf857x.c
++++ b/drivers/gpio/gpio-pcf857x.c
+@@ -84,6 +84,7 @@ MODULE_DEVICE_TABLE(of, pcf857x_of_table
+  */
+ struct pcf857x {
+       struct gpio_chip        chip;
++      struct irq_chip         irqchip;
+       struct i2c_client       *client;
+       struct mutex            lock;           /* protect 'out' */
+       unsigned                out;            /* software latch */
+@@ -252,18 +253,6 @@ static void pcf857x_irq_bus_sync_unlock(
+       mutex_unlock(&gpio->lock);
+ }
+-static struct irq_chip pcf857x_irq_chip = {
+-      .name           = "pcf857x",
+-      .irq_enable     = pcf857x_irq_enable,
+-      .irq_disable    = pcf857x_irq_disable,
+-      .irq_ack        = noop,
+-      .irq_mask       = noop,
+-      .irq_unmask     = noop,
+-      .irq_set_wake   = pcf857x_irq_set_wake,
+-      .irq_bus_lock           = pcf857x_irq_bus_lock,
+-      .irq_bus_sync_unlock    = pcf857x_irq_bus_sync_unlock,
+-};
+-
+ /*-------------------------------------------------------------------------*/
+ static int pcf857x_probe(struct i2c_client *client,
+@@ -376,8 +365,17 @@ static int pcf857x_probe(struct i2c_clie
+       /* Enable irqchip if we have an interrupt */
+       if (client->irq) {
++              gpio->irqchip.name = "pcf857x",
++              gpio->irqchip.irq_enable = pcf857x_irq_enable,
++              gpio->irqchip.irq_disable = pcf857x_irq_disable,
++              gpio->irqchip.irq_ack = noop,
++              gpio->irqchip.irq_mask = noop,
++              gpio->irqchip.irq_unmask = noop,
++              gpio->irqchip.irq_set_wake = pcf857x_irq_set_wake,
++              gpio->irqchip.irq_bus_lock = pcf857x_irq_bus_lock,
++              gpio->irqchip.irq_bus_sync_unlock = pcf857x_irq_bus_sync_unlock,
+               status = gpiochip_irqchip_add_nested(&gpio->chip,
+-                                                   &pcf857x_irq_chip,
++                                                   &gpio->irqchip,
+                                                    0, handle_level_irq,
+                                                    IRQ_TYPE_NONE);
+               if (status) {
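Review bot: the nine new gpio->irqchip.* assignments in pcf857x_probe end in commas rather than semicolons, apparently carried over from the deleted static initializer. It compiles because the comma operator chains them into the following "status = gpiochip_irqchip_add_nested(...)" expression, but that makes the whole block a single statement and is fragile under later edits. Each assignment should end with a semicolon.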
+@@ -392,7 +390,7 @@ static int pcf857x_probe(struct i2c_clie
+               if (status)
+                       goto fail;
+-              gpiochip_set_nested_irqchip(&gpio->chip, &pcf857x_irq_chip,
++              gpiochip_set_nested_irqchip(&gpio->chip, &gpio->irqchip,
+                                           client->irq);
+               gpio->irq_parent = client->irq;
+       }
diff --git a/queue-4.20/gpio-sprd-fix-incorrect-irq-type-setting-for-the-async-eic.patch b/queue-4.20/gpio-sprd-fix-incorrect-irq-type-setting-for-the-async-eic.patch
new file mode 100644 (file)
index 0000000..e6fe6ff
--- /dev/null
@@ -0,0 +1,35 @@
+From f785ffb61605734b518afa766d1b5445e9f38c8d Mon Sep 17 00:00:00 2001
+From: Neo Hou <neo.hou@unisoc.com>
+Date: Wed, 16 Jan 2019 13:06:14 +0800
+Subject: gpio: sprd: Fix incorrect irq type setting for the async EIC
+
+From: Neo Hou <neo.hou@unisoc.com>
+
+commit f785ffb61605734b518afa766d1b5445e9f38c8d upstream.
+
+When setting async EIC as IRQ_TYPE_EDGE_BOTH type, we missed to set the
+SPRD_EIC_ASYNC_INTMODE register to 0, which means detecting edge signals.
+
+Thus this patch fixes the issue.
+
+Fixes: 25518e024e3a ("gpio: Add Spreadtrum EIC driver support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Neo Hou <neo.hou@unisoc.com>
+Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpio-eic-sprd.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpio/gpio-eic-sprd.c
++++ b/drivers/gpio/gpio-eic-sprd.c
+@@ -379,6 +379,7 @@ static int sprd_eic_irq_set_type(struct
+                       irq_set_handler_locked(data, handle_edge_irq);
+                       break;
+               case IRQ_TYPE_EDGE_BOTH:
++                      sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTMODE, 0);
+                       sprd_eic_update(chip, offset, SPRD_EIC_ASYNC_INTBOTH, 1);
+                       irq_set_handler_locked(data, handle_edge_irq);
+                       break;
diff --git a/queue-4.20/gpio-sprd-fix-the-incorrect-data-register.patch b/queue-4.20/gpio-sprd-fix-the-incorrect-data-register.patch
new file mode 100644 (file)
index 0000000..fc520d3
--- /dev/null
@@ -0,0 +1,45 @@
+From 09d158d52d2bceda736797a61b6c13d7fc83707b Mon Sep 17 00:00:00 2001
+From: Neo Hou <neo.hou@unisoc.com>
+Date: Wed, 16 Jan 2019 13:06:13 +0800
+Subject: gpio: sprd: Fix the incorrect data register
+
+From: Neo Hou <neo.hou@unisoc.com>
+
+commit 09d158d52d2bceda736797a61b6c13d7fc83707b upstream.
+
+Since differnt type EICs have its own data register to read, thus fix the
+incorrect data register.
+
+Fixes: 25518e024e3a ("gpio: Add Spreadtrum EIC driver support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Neo Hou <neo.hou@unisoc.com>
+Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpio-eic-sprd.c |   13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-eic-sprd.c
++++ b/drivers/gpio/gpio-eic-sprd.c
+@@ -180,7 +180,18 @@ static void sprd_eic_free(struct gpio_ch
+ static int sprd_eic_get(struct gpio_chip *chip, unsigned int offset)
+ {
+-      return sprd_eic_read(chip, offset, SPRD_EIC_DBNC_DATA);
++      struct sprd_eic *sprd_eic = gpiochip_get_data(chip);
++
++      switch (sprd_eic->type) {
++      case SPRD_EIC_DEBOUNCE:
++              return sprd_eic_read(chip, offset, SPRD_EIC_DBNC_DATA);
++      case SPRD_EIC_ASYNC:
++              return sprd_eic_read(chip, offset, SPRD_EIC_ASYNC_DATA);
++      case SPRD_EIC_SYNC:
++              return sprd_eic_read(chip, offset, SPRD_EIC_SYNC_DATA);
++      default:
++              return -ENOTSUPP;
++      }
+ }
+ static int sprd_eic_direction_input(struct gpio_chip *chip, unsigned int offset)
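Review bot: the default arm of the new switch in sprd_eic_get returns -ENOTSUPP, which is a kernel-internal code that user space has no name for; if this return value can propagate to a caller outside the kernel, -EOPNOTSUPP is the usual choice and is what checkpatch suggests. It would also help to say in a comment whether an unknown sprd_eic->type is reachable at all or is a can't-happen case.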
diff --git a/queue-4.20/gpiolib-fix-line-event-timestamps-for-nested-irqs.patch b/queue-4.20/gpiolib-fix-line-event-timestamps-for-nested-irqs.patch
new file mode 100644 (file)
index 0000000..07b42a2
--- /dev/null
@@ -0,0 +1,46 @@
+From 1033be58992f818dc564196ded2bcc3f360bc297 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Date: Fri, 4 Jan 2019 11:24:20 +0100
+Subject: gpiolib: fix line event timestamps for nested irqs
+
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+
+commit 1033be58992f818dc564196ded2bcc3f360bc297 upstream.
+
+Nested interrupts run inside the calling thread's context and the top
+half handler is never called which means that we never read the
+timestamp.
+
+This issue came up when trying to read line events from a gpiochip
+using regmap_irq_chip for interrupts.
+
+Fix it by reading the timestamp from the irq thread function if it's
+still 0 by the time the second handler is called.
+
+Fixes: d58f2bf261fd ("gpio: Timestamp events in hardirq handler")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -828,7 +828,14 @@ static irqreturn_t lineevent_irq_thread(
+       /* Do not leak kernel stack to userspace */
+       memset(&ge, 0, sizeof(ge));
+-      ge.timestamp = le->timestamp;
++      /*
++       * We may be running from a nested threaded interrupt in which case
++       * we didn't get the timestamp from lineevent_irq_handler().
++       */
++      if (!le->timestamp)
++              ge.timestamp = ktime_get_real_ns();
++      else
++              ge.timestamp = le->timestamp;
+       if (le->eflags & GPIOEVENT_REQUEST_RISING_EDGE
+           && le->eflags & GPIOEVENT_REQUEST_FALLING_EDGE) {
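Review bot: the fallback in lineevent_irq_thread uses le->timestamp == 0 as the signal that lineevent_irq_handler() never ran, and the value it then records is the time the thread executed, not the time of the edge. The added comment should state both points, so that consumers know nested-irq timestamps carry thread scheduling latency and so that nobody later stores a legitimate zero in le->timestamp.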
diff --git a/queue-4.20/ib-hfi1-add-limit-test-for-rc-uc-send-via-loopback.patch b/queue-4.20/ib-hfi1-add-limit-test-for-rc-uc-send-via-loopback.patch
new file mode 100644 (file)
index 0000000..1fc42af
--- /dev/null
@@ -0,0 +1,54 @@
+From 09ce351dff8e7636af0beb72cd4a86c3904a0500 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Thu, 17 Jan 2019 12:42:16 -0800
+Subject: IB/hfi1: Add limit test for RC/UC send via loopback
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+commit 09ce351dff8e7636af0beb72cd4a86c3904a0500 upstream.
+
+Fix potential memory corruption and panic in loopback for IB_WR_SEND
+variants.
+
+The code blindly assumes the posted length will fit in the fetched rwqe,
+which is not a valid assumption.
+
+Fix by adding a limit test, and triggering the appropriate send completion
+and putting the QP in an error state.  This mimics the handling for
+non-loopback QPs.
+
+Fixes: 15703461533a ("IB/{hfi1, qib, rdmavt}: Move ruc_loopback to rdmavt")
+Cc: <stable@vger.kernel.org> #v4.20+
+Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/sw/rdmavt/qp.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/sw/rdmavt/qp.c
++++ b/drivers/infiniband/sw/rdmavt/qp.c
+@@ -2903,6 +2903,8 @@ send:
+                       goto op_err;
+               if (!ret)
+                       goto rnr_nak;
++              if (wqe->length > qp->r_len)
++                      goto inv_err;
+               break;
+       case IB_WR_RDMA_WRITE_WITH_IMM:
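Review bot: the new "wqe->length > qp->r_len" test is added only under the send label, with no comment saying what r_len represents. A short note that it is the capacity of the receive WQE just fetched would make the bound obvious. The IB_WR_RDMA_WRITE_WITH_IMM case that follows in the context is untouched by this patch, so it is worth stating in the commit message or a comment where its length is validated.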
+@@ -3071,7 +3073,10 @@ op_err:
+       goto err;
+ inv_err:
+-      send_status = IB_WC_REM_INV_REQ_ERR;
++      send_status =
++              sqp->ibqp.qp_type == IB_QPT_RC ?
++                      IB_WC_REM_INV_REQ_ERR :
++                      IB_WC_SUCCESS;
+       wc.status = IB_WC_LOC_QP_OP_ERR;
+       goto err;
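Review bot: inv_err is a shared label, so making send_status depend on sqp->ibqp.qp_type changes the completion reported for every path that jumps there, not only the new length check. A comment explaining why a non-RC sender is given IB_WC_SUCCESS while wc.status stays IB_WC_LOC_QP_OP_ERR would help, and the three-line conditional expression would read more clearly as a plain if/else.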
diff --git a/queue-4.20/ib-hfi1-remove-overly-conservative-vm_exec-flag-check.patch b/queue-4.20/ib-hfi1-remove-overly-conservative-vm_exec-flag-check.patch
new file mode 100644 (file)
index 0000000..22b307a
--- /dev/null
@@ -0,0 +1,47 @@
+From 7709b0dc265f28695487712c45f02bbd1f98415d Mon Sep 17 00:00:00 2001
+From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
+Date: Thu, 17 Jan 2019 12:42:04 -0800
+Subject: IB/hfi1: Remove overly conservative VM_EXEC flag check
+
+From: Michael J. Ruhl <michael.j.ruhl@intel.com>
+
+commit 7709b0dc265f28695487712c45f02bbd1f98415d upstream.
+
+Applications that use the stack for execution purposes cause userspace PSM
+jobs to fail during mmap().
+
+Both Fortran (non-standard format parsing) and C (callback functions
+located in the stack) applications can be written such that stack
+execution is required. The linker notes this via the gnu_stack ELF flag.
+
+This causes READ_IMPLIES_EXEC to be set which forces all PROT_READ mmaps
+to have PROT_EXEC for the process.
+
+Checking for VM_EXEC bit and failing the request with EPERM is overly
+conservative and will break any PSM application using executable stacks.
+
+Cc: <stable@vger.kernel.org> #v4.14+
+Fixes: 12220267645c ("IB/hfi: Protect against writable mmap")
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/file_ops.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/hfi1/file_ops.c
++++ b/drivers/infiniband/hw/hfi1/file_ops.c
+@@ -488,7 +488,7 @@ static int hfi1_file_mmap(struct file *f
+               vmf = 1;
+               break;
+       case STATUS:
+-              if (flags & (unsigned long)(VM_WRITE | VM_EXEC)) {
++              if (flags & VM_WRITE) {
+                       ret = -EPERM;
+                       goto done;
+               }
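Review bot: after this change the STATUS case in hfi1_file_mmap accepts an executable mapping with nothing in the code explaining why. A comment citing the READ_IMPLIES_EXEC behaviour described in the commit message would keep the VM_EXEC test from being added back. Since the check now looks only at VM_WRITE in the requested flags, please also confirm that the mapping cannot be made writable afterwards (for example by clearing VM_MAYWRITE), as that is the property the original "protect against writable mmap" check was guarding.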
diff --git a/queue-4.20/ib-uverbs-fix-oops-in-uverbs_user_mmap_disassociate.patch b/queue-4.20/ib-uverbs-fix-oops-in-uverbs_user_mmap_disassociate.patch
new file mode 100644 (file)
index 0000000..a7f399f
--- /dev/null
@@ -0,0 +1,97 @@
+From 7b21b69ab203136fdc153c7707fa6c409e523c2e Mon Sep 17 00:00:00 2001
+From: Yishai Hadas <yishaih@mellanox.com>
+Date: Sun, 27 Jan 2019 10:11:27 +0200
+Subject: IB/uverbs: Fix OOPs in uverbs_user_mmap_disassociate
+
+From: Yishai Hadas <yishaih@mellanox.com>
+
+commit 7b21b69ab203136fdc153c7707fa6c409e523c2e upstream.
+
+The vma->vm_mm can become impossible to get before rdma_umap_close() is
+called, in this case we must not try to get an mm that is already
+undergoing process exit. In this case there is no need to wait for
+anything as the VMA will be destroyed by another thread soon and is
+already effectively 'unreachable' by userspace.
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+ PGD 800000012bc50067 P4D 800000012bc50067 PUD 129db5067 PMD 0
+ Oops: 0000 [#1] SMP PTI
+ CPU: 1 PID: 2050 Comm: bash Tainted: G        W  OE 4.20.0-rc6+ #3
+ Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ RIP: 0010:__rb_erase_color+0xb9/0x280
+ Code: 84 17 01 00 00 48 3b 68 10 0f 84 15 01 00 00 48 89
+               58 08 48 89 de 48 89 ef 4c 89 e3 e8 90 84 22 00 e9 60 ff ff ff 48 8b 5d
+               10 <f6> 03 01 0f 84 9c 00 00 00 48 8b 43 10 48 85 c0 74 09 f6 00 01 0f
+ RSP: 0018:ffffbecfc090bab8 EFLAGS: 00010246
+ RAX: ffff97616346cf30 RBX: 0000000000000000 RCX: 0000000000000101
+ RDX: 0000000000000000 RSI: ffff97623b6ca828 RDI: ffff97621ef10828
+ RBP: ffff97621ef10828 R08: ffff97621ef10828 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000000 R12: ffff97623b6ca838
+ R13: ffffffffbb3fef50 R14: ffff97623b6ca828 R15: 0000000000000000
+ FS:  00007f7a5c31d740(0000) GS:ffff97623bb00000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 000000011255a000 CR4: 00000000000006e0
+ Call Trace:
+  unlink_file_vma+0x3b/0x50
+  free_pgtables+0xa1/0x110
+  exit_mmap+0xca/0x1a0
+  ? mlx5_ib_dealloc_pd+0x28/0x30 [mlx5_ib]
+  mmput+0x54/0x140
+  uverbs_user_mmap_disassociate+0xcc/0x160 [ib_uverbs]
+  uverbs_destroy_ufile_hw+0xf7/0x120 [ib_uverbs]
+  ib_uverbs_remove_one+0xea/0x240 [ib_uverbs]
+  ib_unregister_device+0xfb/0x200 [ib_core]
+  mlx5_ib_remove+0x51/0xe0 [mlx5_ib]
+  mlx5_remove_device+0xc1/0xd0 [mlx5_core]
+  mlx5_unregister_device+0x3d/0xb0 [mlx5_core]
+  remove_one+0x2a/0x90 [mlx5_core]
+  pci_device_remove+0x3b/0xc0
+  device_release_driver_internal+0x16d/0x240
+  unbind_store+0xb2/0x100
+  kernfs_fop_write+0x102/0x180
+  __vfs_write+0x36/0x1a0
+  ? __alloc_fd+0xa9/0x170
+  ? set_close_on_exec+0x49/0x70
+  vfs_write+0xad/0x1a0
+  ksys_write+0x52/0xc0
+  do_syscall_64+0x5b/0x180
+  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Cc: <stable@vger.kernel.org> # 4.19
+Fixes: 5f9794dc94f5 ("RDMA/ucontext: Add a core API for mmaping driver IO memory")
+Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/uverbs_main.c |   18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/infiniband/core/uverbs_main.c
++++ b/drivers/infiniband/core/uverbs_main.c
+@@ -1000,11 +1000,19 @@ void uverbs_user_mmap_disassociate(struc
+               /* Get an arbitrary mm pointer that hasn't been cleaned yet */
+               mutex_lock(&ufile->umap_lock);
+-              if (!list_empty(&ufile->umaps)) {
+-                      mm = list_first_entry(&ufile->umaps,
+-                                            struct rdma_umap_priv, list)
+-                                   ->vma->vm_mm;
+-                      mmget(mm);
++              while (!list_empty(&ufile->umaps)) {
++                      int ret;
++
++                      priv = list_first_entry(&ufile->umaps,
++                                              struct rdma_umap_priv, list);
++                      mm = priv->vma->vm_mm;
++                      ret = mmget_not_zero(mm);
++                      if (!ret) {
++                              list_del_init(&priv->list);
++                              mm = NULL;
++                              continue;
++                      }
++                      break;
+               }
+               mutex_unlock(&ufile->umap_lock);
+               if (!mm)
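Review bot: in the new while loop of uverbs_user_mmap_disassociate, entries whose mm is already exiting are dropped with list_del_init(&priv->list) under umap_lock, but the hunk carries no comment saying that the close path tolerates an entry that has already been unlinked. Please document that at the list_del_init() call. The loop would also be shorter without the ret temporary: test mmget_not_zero(mm) directly, and set mm = NULL once before the loop rather than on each failed iteration.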
diff --git a/queue-4.20/ib-uverbs-fix-oops-upon-device-disassociation.patch b/queue-4.20/ib-uverbs-fix-oops-upon-device-disassociation.patch
new file mode 100644 (file)
index 0000000..d9ac2be
--- /dev/null
@@ -0,0 +1,99 @@
+From 425784aa5b029eeb80498c73a68f62c3ad1d3b3f Mon Sep 17 00:00:00 2001
+From: Yishai Hadas <yishaih@mellanox.com>
+Date: Thu, 24 Jan 2019 14:33:12 +0200
+Subject: IB/uverbs: Fix OOPs upon device disassociation
+
+From: Yishai Hadas <yishaih@mellanox.com>
+
+commit 425784aa5b029eeb80498c73a68f62c3ad1d3b3f upstream.
+
+The async_file might be freed before the disassociation has been ended,
+causing qp shutdown to use after free on it.
+
+Since uverbs_destroy_ufile_hw is not a fence, it returns if a
+disassociation is ongoing in another thread. It has to be written this way
+to avoid deadlock. However this means that the ufile FD close cannot
+destroy anything that may still be used by an active kref, such as the the
+async_file.
+
+To fix that move the kref_put() to be in ib_uverbs_release_file().
+
+ BUG: unable to handle kernel paging request at ffffffffba682787
+ PGD bc80e067 P4D bc80e067 PUD bc80f063 PMD 1313df163 PTE 80000000bc682061
+ Oops: 0003 [#1] SMP PTI
+ CPU: 1 PID: 32410 Comm: bash Tainted: G           OE 4.20.0-rc6+ #3
+ Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ RIP: 0010:__pv_queued_spin_lock_slowpath+0x1b3/0x2a0
+ Code: 98 83 e2 60 49 89 df 48 8b 04 c5 80 18 72 ba 48 8d
+               ba 80 32 02 00 ba 00 80 00 00 4c 8d 65 14 41 bd 01 00 00 00 48 01 c7 85
+               d2 <48> 89 2f 48 89 fb 74 14 8b 45 08 85 c0 75 42 84 d2 74 6b f3 90 83
+ RSP: 0018:ffffc1bbc064fb58 EFLAGS: 00010006
+ RAX: ffffffffba65f4e7 RBX: ffff9f209c656c00 RCX: 0000000000000001
+ RDX: 0000000000008000 RSI: 0000000000000000 RDI: ffffffffba682787
+ RBP: ffff9f217bb23280 R08: 0000000000000001 R09: 0000000000000000
+ R10: ffff9f209d2c7800 R11: ffffffffffffffe8 R12: ffff9f217bb23294
+ R13: 0000000000000001 R14: 0000000000000000 R15: ffff9f209c656c00
+ FS:  00007fac55aad740(0000) GS:ffff9f217bb00000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffffffffba682787 CR3: 000000012f8e0000 CR4: 00000000000006e0
+ Call Trace:
+  _raw_spin_lock_irq+0x27/0x30
+  ib_uverbs_release_uevent+0x1e/0xa0 [ib_uverbs]
+  uverbs_free_qp+0x7e/0x90 [ib_uverbs]
+  destroy_hw_idr_uobject+0x1c/0x50 [ib_uverbs]
+  uverbs_destroy_uobject+0x2e/0x180 [ib_uverbs]
+  __uverbs_cleanup_ufile+0x73/0x90 [ib_uverbs]
+  uverbs_destroy_ufile_hw+0x5d/0x120 [ib_uverbs]
+  ib_uverbs_remove_one+0xea/0x240 [ib_uverbs]
+  ib_unregister_device+0xfb/0x200 [ib_core]
+  mlx5_ib_remove+0x51/0xe0 [mlx5_ib]
+  mlx5_remove_device+0xc1/0xd0 [mlx5_core]
+  mlx5_unregister_device+0x3d/0xb0 [mlx5_core]
+  remove_one+0x2a/0x90 [mlx5_core]
+  pci_device_remove+0x3b/0xc0
+  device_release_driver_internal+0x16d/0x240
+  unbind_store+0xb2/0x100
+  kernfs_fop_write+0x102/0x180
+  __vfs_write+0x36/0x1a0
+  ? __alloc_fd+0xa9/0x170
+  ? set_close_on_exec+0x49/0x70
+  vfs_write+0xad/0x1a0
+  ksys_write+0x52/0xc0
+  do_syscall_64+0x5b/0x180
+  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ RIP: 0033:0x7fac551aac60
+
+Cc: <stable@vger.kernel.org> # 4.2
+Fixes: 036b10635739 ("IB/uverbs: Enable device removal when there are active user space applications")
+Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/uverbs_main.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/core/uverbs_main.c
++++ b/drivers/infiniband/core/uverbs_main.c
+@@ -262,6 +262,9 @@ void ib_uverbs_release_file(struct kref
+       if (atomic_dec_and_test(&file->device->refcount))
+               ib_uverbs_comp_dev(file->device);
++      if (file->async_file)
++              kref_put(&file->async_file->ref,
++                       ib_uverbs_release_async_event_file);
+       put_device(&file->device->dev);
+       kfree(file);
+ }
+@@ -1132,10 +1135,6 @@ static int ib_uverbs_close(struct inode
+       list_del_init(&file->list);
+       mutex_unlock(&file->device->lists_mutex);
+-      if (file->async_file)
+-              kref_put(&file->async_file->ref,
+-                       ib_uverbs_release_async_event_file);
+-
+       kref_put(&file->ref, ib_uverbs_release_file);
+       return 0;
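Review bot: the kref_put() added to ib_uverbs_release_file() has no comment explaining why the async_file reference must be dropped there and not in ib_uverbs_close(), although that ordering is the whole fix. Suggest a brief comment above `if (file->async_file)` stating that the async_file has to outlive any disassociation still running in another thread, so its reference is released only when the last ufile kref goes away. Without that, the block looks like a candidate for being moved back into the close path in a later cleanup.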
diff --git a/queue-4.20/iommu-vt-d-fix-memory-leak-in-intel_iommu_put_resv_regions.patch b/queue-4.20/iommu-vt-d-fix-memory-leak-in-intel_iommu_put_resv_regions.patch
new file mode 100644 (file)
index 0000000..74cdf53
--- /dev/null
@@ -0,0 +1,43 @@
+From 198bc3252ea3a45b0c5d500e6a5b91cfdd08f001 Mon Sep 17 00:00:00 2001
+From: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+Date: Wed, 16 Jan 2019 20:11:44 +0100
+Subject: iommu/vt-d: Fix memory leak in intel_iommu_put_resv_regions()
+
+From: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+
+commit 198bc3252ea3a45b0c5d500e6a5b91cfdd08f001 upstream.
+
+Commit 9d3a4de4cb8d ("iommu: Disambiguate MSI region types") changed
+the reserved region type in intel_iommu_get_resv_regions() from
+IOMMU_RESV_RESERVED to IOMMU_RESV_MSI, but it forgot to also change
+the type in intel_iommu_put_resv_regions().
+
+This leads to a memory leak, because now the check in
+intel_iommu_put_resv_regions() for IOMMU_RESV_RESERVED will never
+be true, and no allocated regions will be freed.
+
+Fix this by changing the region type in intel_iommu_put_resv_regions()
+to IOMMU_RESV_MSI, matching the type of the allocated regions.
+
+Fixes: 9d3a4de4cb8d ("iommu: Disambiguate MSI region types")
+Cc: <stable@vger.kernel.org> # v4.11+
+Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/intel-iommu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -5204,7 +5204,7 @@ static void intel_iommu_put_resv_regions
+       struct iommu_resv_region *entry, *next;
+       list_for_each_entry_safe(entry, next, head, list) {
+-              if (entry->type == IOMMU_RESV_RESERVED)
++              if (entry->type == IOMMU_RESV_MSI)
+                       kfree(entry);
+       }
+ }
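Review bot: the free condition `entry->type == IOMMU_RESV_MSI` in intel_iommu_put_resv_regions() still has to be kept in step by hand with the type that intel_iommu_get_resv_regions() allocates, which is how the leak described in the changelog arose in the first place. A one-line comment above the check naming the allocation site would make the coupling visible to whoever next changes the region type. Entries of any other type are still skipped silently, so a future mismatch would leak again without any warning.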
diff --git a/queue-4.20/mmc-bcm2835-fix-dma-channel-leak-on-probe-error.patch b/queue-4.20/mmc-bcm2835-fix-dma-channel-leak-on-probe-error.patch
new file mode 100644 (file)
index 0000000..e5a5f8e
--- /dev/null
@@ -0,0 +1,37 @@
+From 8c9620b1cc9b69e82fa8d4081d646d0016b602e7 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Sat, 19 Jan 2019 16:31:00 +0100
+Subject: mmc: bcm2835: Fix DMA channel leak on probe error
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 8c9620b1cc9b69e82fa8d4081d646d0016b602e7 upstream.
+
+The BCM2835 MMC host driver requests a DMA channel on probe but neglects
+to release the channel in the probe error path.  The channel may
+therefore be leaked, in particular if devm_clk_get() causes probe
+deferral.  Fix it.
+
+Fixes: 660fc733bd74 ("mmc: bcm2835: Add new driver for the sdhost controller.")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: stable@vger.kernel.org # v4.12+
+Cc: Frank Pavlic <f.pavlic@kunbus.de>
+Tested-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/bcm2835.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mmc/host/bcm2835.c
++++ b/drivers/mmc/host/bcm2835.c
+@@ -1427,6 +1427,8 @@ static int bcm2835_probe(struct platform
+ err:
+       dev_dbg(dev, "%s -> err %d\n", __func__, ret);
++      if (host->dma_chan_rxtx)
++              dma_release_channel(host->dma_chan_rxtx);
+       mmc_free_host(mmc);
+       return ret;
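Review bot: the new guard `if (host->dma_chan_rxtx)` in the err: path only protects against NULL. Please confirm that the channel request earlier in bcm2835_probe() leaves the field NULL on failure and never an ERR_PTR value, otherwise dma_release_channel() would be called on an error pointer. If NULL is guaranteed, a short remark in the changelog would settle it. It would also help to state whether every `goto err` before the channel is requested sees a zero-initialised host, since the hunk does not show that.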
diff --git a/queue-4.20/mmc-mediatek-fix-incorrect-register-setting-of-hs400_cmd_int_delay.patch b/queue-4.20/mmc-mediatek-fix-incorrect-register-setting-of-hs400_cmd_int_delay.patch
new file mode 100644 (file)
index 0000000..ca2f876
--- /dev/null
@@ -0,0 +1,33 @@
+From 3751e008da0df4384031bd66a516c0292f915605 Mon Sep 17 00:00:00 2001
+From: Chaotian Jing <chaotian.jing@mediatek.com>
+Date: Wed, 23 Jan 2019 20:05:25 +0800
+Subject: mmc: mediatek: fix incorrect register setting of hs400_cmd_int_delay
+
+From: Chaotian Jing <chaotian.jing@mediatek.com>
+
+commit 3751e008da0df4384031bd66a516c0292f915605 upstream.
+
+to set cmd internal delay, need set PAD_TUNE register but not PAD_CMD_TUNE
+register.
+
+Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
+Fixes: 1ede5cb88a29 ("mmc: mediatek: Use data tune for CMD line tune")
+Cc: stable@vger.kernel.org # v4.12+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/mtk-sd.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -846,7 +846,7 @@ static void msdc_set_mclk(struct msdc_ho
+       if (timing == MMC_TIMING_MMC_HS400 &&
+           host->dev_comp->hs400_tune)
+-              sdr_set_field(host->base + PAD_CMD_TUNE,
++              sdr_set_field(host->base + tune_reg,
+                             MSDC_PAD_TUNE_CMDRRDLY,
+                             host->hs400_cmd_int_delay);
+       dev_dbg(host->dev, "sclk: %d, timing: %d\n", host->mmc->actual_clock,
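Review bot: the changelog says the delay must go into the PAD_TUNE register, but the replacement line writes to `host->base + tune_reg`, and neither the definition nor the assignment of `tune_reg` is visible in this hunk. Please say in the commit message how `tune_reg` is chosen, so a backporter can check that the variable exists with the same meaning in msdc_set_mclk() on each stable tree listed in the Cc line (v4.12+). The field mask stays MSDC_PAD_TUNE_CMDRRDLY, which is worth confirming as valid for whichever register `tune_reg` resolves to.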
diff --git a/queue-4.20/nfs-fix-up-return-value-on-fatal-errors-in-nfs_page_async_flush.patch b/queue-4.20/nfs-fix-up-return-value-on-fatal-errors-in-nfs_page_async_flush.patch
new file mode 100644 (file)
index 0000000..7583faa
--- /dev/null
@@ -0,0 +1,52 @@
+From 8fc75bed96bb94e23ca51bd9be4daf65c57697bf Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trondmy@gmail.com>
+Date: Tue, 29 Jan 2019 15:52:55 -0500
+Subject: NFS: Fix up return value on fatal errors in nfs_page_async_flush()
+
+From: Trond Myklebust <trondmy@gmail.com>
+
+commit 8fc75bed96bb94e23ca51bd9be4daf65c57697bf upstream.
+
+Ensure that we return the fatal error value that caused us to exit
+nfs_page_async_flush().
+
+Fixes: c373fff7bd25 ("NFSv4: Don't special case "launder"")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Cc: stable@vger.kernel.org # v4.12+
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/write.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -621,11 +621,12 @@ static int nfs_page_async_flush(struct n
+       nfs_set_page_writeback(page);
+       WARN_ON_ONCE(test_bit(PG_CLEAN, &req->wb_flags));
+-      ret = 0;
++      ret = req->wb_context->error;
+       /* If there is a fatal error that covers this write, just exit */
+-      if (nfs_error_is_fatal_on_server(req->wb_context->error))
++      if (nfs_error_is_fatal_on_server(ret))
+               goto out_launder;
++      ret = 0;
+       if (!nfs_pageio_add_request(pgio, req)) {
+               ret = pgio->pg_error;
+               /*
+@@ -635,9 +636,9 @@ static int nfs_page_async_flush(struct n
+                       nfs_context_set_write_error(req->wb_context, ret);
+                       if (nfs_error_is_fatal_on_server(ret))
+                               goto out_launder;
+-              }
++              } else
++                      ret = -EAGAIN;
+               nfs_redirty_request(req);
+-              ret = -EAGAIN;
+       } else
+               nfs_add_stats(page_file_mapping(page)->host,
+                               NFSIOS_WRITEPAGES, 1);
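Review bot: in the second hunk of the nfs_page_async_flush() change, `ret = -EAGAIN` moves into a new `} else` branch, so the path that calls nfs_context_set_write_error() and does not take `goto out_launder` now reaches nfs_redirty_request() with ret still holding pgio->pg_error, where it previously returned -EAGAIN. The changelog only talks about returning the fatal error that caused the exit; please state that this second behaviour change is intended. As a style point, the new `} else` has an unbraced body after a braced if; kernel coding style asks for braces on both branches in that case.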
diff --git a/queue-4.20/selftests-seccomp-enhance-per-arch-ptrace-syscall-skip-tests.patch b/queue-4.20/selftests-seccomp-enhance-per-arch-ptrace-syscall-skip-tests.patch
new file mode 100644 (file)
index 0000000..267ed48
--- /dev/null
@@ -0,0 +1,176 @@
+From ed5f13261cb65b02c611ae9971677f33581d4286 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 25 Jan 2019 10:33:59 -0800
+Subject: selftests/seccomp: Enhance per-arch ptrace syscall skip tests
+
+From: Kees Cook <keescook@chromium.org>
+
+commit ed5f13261cb65b02c611ae9971677f33581d4286 upstream.
+
+Passing EPERM during syscall skipping was confusing since the test wasn't
+actually exercising the errno evaluation -- it was just passing a literal
+"1" (EPERM). Instead, expand the tests to check both direct value returns
+(positive, 45000 in this case), and errno values (negative, -ESRCH in this
+case) to check both fake success and fake failure during syscall skipping.
+
+Reported-by: Colin Ian King <colin.king@canonical.com>
+Fixes: a33b2d0359a0 ("selftests/seccomp: Add tests for basic ptrace actions")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/testing/selftests/seccomp/seccomp_bpf.c |   72 ++++++++++++++++++++------
+ 1 file changed, 57 insertions(+), 15 deletions(-)
+
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
+@@ -1563,7 +1563,16 @@ TEST_F(TRACE_poke, getpid_runs_normally)
+ #ifdef SYSCALL_NUM_RET_SHARE_REG
+ # define EXPECT_SYSCALL_RETURN(val, action)   EXPECT_EQ(-1, action)
+ #else
+-# define EXPECT_SYSCALL_RETURN(val, action)   EXPECT_EQ(val, action)
++# define EXPECT_SYSCALL_RETURN(val, action)           \
++      do {                                            \
++              errno = 0;                              \
++              if (val < 0) {                          \
++                      EXPECT_EQ(-1, action);          \
++                      EXPECT_EQ(-(val), errno);       \
++              } else {                                \
++                      EXPECT_EQ(val, action);         \
++              }                                       \
++      } while (0)
+ #endif
+ /* Use PTRACE_GETREGS and PTRACE_SETREGS when available. This is useful for
+@@ -1602,7 +1611,7 @@ int get_syscall(struct __test_metadata *
+ /* Architecture-specific syscall changing routine. */
+ void change_syscall(struct __test_metadata *_metadata,
+-                  pid_t tracee, int syscall)
++                  pid_t tracee, int syscall, int result)
+ {
+       int ret;
+       ARCH_REGS regs;
+@@ -1661,7 +1670,7 @@ void change_syscall(struct __test_metada
+ #ifdef SYSCALL_NUM_RET_SHARE_REG
+               TH_LOG("Can't modify syscall return on this architecture");
+ #else
+-              regs.SYSCALL_RET = EPERM;
++              regs.SYSCALL_RET = result;
+ #endif
+ #ifdef HAVE_GETREGS
+@@ -1689,14 +1698,19 @@ void tracer_syscall(struct __test_metada
+       case 0x1002:
+               /* change getpid to getppid. */
+               EXPECT_EQ(__NR_getpid, get_syscall(_metadata, tracee));
+-              change_syscall(_metadata, tracee, __NR_getppid);
++              change_syscall(_metadata, tracee, __NR_getppid, 0);
+               break;
+       case 0x1003:
+-              /* skip gettid. */
++              /* skip gettid with valid return code. */
+               EXPECT_EQ(__NR_gettid, get_syscall(_metadata, tracee));
+-              change_syscall(_metadata, tracee, -1);
++              change_syscall(_metadata, tracee, -1, 45000);
+               break;
+       case 0x1004:
++              /* skip openat with error. */
++              EXPECT_EQ(__NR_openat, get_syscall(_metadata, tracee));
++              change_syscall(_metadata, tracee, -1, -ESRCH);
++              break;
++      case 0x1005:
+               /* do nothing (allow getppid) */
+               EXPECT_EQ(__NR_getppid, get_syscall(_metadata, tracee));
+               break;
+@@ -1729,9 +1743,11 @@ void tracer_ptrace(struct __test_metadat
+       nr = get_syscall(_metadata, tracee);
+       if (nr == __NR_getpid)
+-              change_syscall(_metadata, tracee, __NR_getppid);
++              change_syscall(_metadata, tracee, __NR_getppid, 0);
++      if (nr == __NR_gettid)
++              change_syscall(_metadata, tracee, -1, 45000);
+       if (nr == __NR_openat)
+-              change_syscall(_metadata, tracee, -1);
++              change_syscall(_metadata, tracee, -1, -ESRCH);
+ }
+ FIXTURE_DATA(TRACE_syscall) {
+@@ -1748,8 +1764,10 @@ FIXTURE_SETUP(TRACE_syscall)
+               BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1002),
+               BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_gettid, 0, 1),
+               BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1003),
+-              BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
++              BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_openat, 0, 1),
+               BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1004),
++              BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, __NR_getppid, 0, 1),
++              BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRACE | 0x1005),
+               BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+       };
+@@ -1797,15 +1815,26 @@ TEST_F(TRACE_syscall, ptrace_syscall_red
+       EXPECT_NE(self->mypid, syscall(__NR_getpid));
+ }
+-TEST_F(TRACE_syscall, ptrace_syscall_dropped)
++TEST_F(TRACE_syscall, ptrace_syscall_errno)
++{
++      /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */
++      teardown_trace_fixture(_metadata, self->tracer);
++      self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL,
++                                         true);
++
++      /* Tracer should skip the open syscall, resulting in ESRCH. */
++      EXPECT_SYSCALL_RETURN(-ESRCH, syscall(__NR_openat));
++}
++
++TEST_F(TRACE_syscall, ptrace_syscall_faked)
+ {
+       /* Swap SECCOMP_RET_TRACE tracer for PTRACE_SYSCALL tracer. */
+       teardown_trace_fixture(_metadata, self->tracer);
+       self->tracer = setup_trace_fixture(_metadata, tracer_ptrace, NULL,
+                                          true);
+-      /* Tracer should skip the open syscall, resulting in EPERM. */
+-      EXPECT_SYSCALL_RETURN(EPERM, syscall(__NR_openat));
++      /* Tracer should skip the gettid syscall, resulting fake pid. */
++      EXPECT_SYSCALL_RETURN(45000, syscall(__NR_gettid));
+ }
+ TEST_F(TRACE_syscall, syscall_allowed)
+@@ -1838,7 +1867,21 @@ TEST_F(TRACE_syscall, syscall_redirected
+       EXPECT_NE(self->mypid, syscall(__NR_getpid));
+ }
+-TEST_F(TRACE_syscall, syscall_dropped)
++TEST_F(TRACE_syscall, syscall_errno)
++{
++      long ret;
++
++      ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
++      ASSERT_EQ(0, ret);
++
++      ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &self->prog, 0, 0);
++      ASSERT_EQ(0, ret);
++
++      /* openat has been skipped and an errno return. */
++      EXPECT_SYSCALL_RETURN(-ESRCH, syscall(__NR_openat));
++}
++
++TEST_F(TRACE_syscall, syscall_faked)
+ {
+       long ret;
+@@ -1849,8 +1892,7 @@ TEST_F(TRACE_syscall, syscall_dropped)
+       ASSERT_EQ(0, ret);
+       /* gettid has been skipped and an altered return value stored. */
+-      EXPECT_SYSCALL_RETURN(EPERM, syscall(__NR_gettid));
+-      EXPECT_NE(self->mytid, syscall(__NR_gettid));
++      EXPECT_SYSCALL_RETURN(45000, syscall(__NR_gettid));
+ }
+ TEST_F(TRACE_syscall, skip_after_RET_TRACE)
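Review bot: in the new EXPECT_SYSCALL_RETURN() macro, `val` is used bare in `if (val < 0)` and `EXPECT_EQ(val, action)` while only `-(val)` is parenthesized; please wrap every use as `(val)` so that an expression argument expands safely. The SYSCALL_NUM_RET_SHARE_REG variant is left as `EXPECT_EQ(-1, action)` and never looks at errno, so on those architectures the new *_errno and *_faked tests reduce to the same check, which deserves a comment next to the #ifdef. Minor wording: the comments "resulting fake pid" and "openat has been skipped and an errno return" read as incomplete sentences.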
index a5a35c22d085bedecc92edaf4d32d155a63c498f..873f72f7e2bab6350a2dbc4b13a0ecd89045e269 100644 (file)
@@ -32,3 +32,32 @@ virtio_net-don-t-process-redirected-xdp-frames-when-xdp-is-disabled.patch
 virtio_net-use-xdp_return_frame-to-free-xdp_frames-on-destroying-vqs.patch
 virtio_net-differentiate-sk_buff-and-xdp_frame-on-freeing.patch
 ipv6-consider-sk_bound_dev_if-when-binding-a-socket-to-an-address.patch
+cifs-do-not-count-enodata-as-failure-for-query-directory.patch
+cifs-fix-possible-oops-and-memory-leaks-in-async-io.patch
+cifs-fix-trace-command-logging-for-smb2-reads-and-writes.patch
+cifs-fix-use-after-free-of-the-lease-keys.patch
+cifs-do-not-consider-enodata-as-stat-failure-for-reads.patch
+fs-dcache-fix-incorrect-nr_dentry_unused-accounting-in-shrink_dcache_sb.patch
+iommu-vt-d-fix-memory-leak-in-intel_iommu_put_resv_regions.patch
+selftests-seccomp-enhance-per-arch-ptrace-syscall-skip-tests.patch
+nfs-fix-up-return-value-on-fatal-errors-in-nfs_page_async_flush.patch
+arm-cns3xxx-fix-writing-to-wrong-pci-config-registers-after-alignment.patch
+arm64-kaslr-ensure-randomized-quantities-are-clean-also-when-kaslr-is-off.patch
+arm64-do-not-issue-ipis-for-user-executable-ptes.patch
+arm64-hyp-stub-forbid-kprobing-of-the-hyp-stub.patch
+arm64-hibernate-clean-the-__hyp_text-to-poc-after-resume.patch
+gpio-altera-a10sr-set-proper-output-level-for-direction_output.patch
+gpiolib-fix-line-event-timestamps-for-nested-irqs.patch
+gpio-pcf857x-fix-interrupts-on-multiple-instances.patch
+gpio-sprd-fix-the-incorrect-data-register.patch
+gpio-sprd-fix-incorrect-irq-type-setting-for-the-async-eic.patch
+gfs2-revert-fix-loop-in-gfs2_rbm_find.patch
+mmc-bcm2835-fix-dma-channel-leak-on-probe-error.patch
+mmc-mediatek-fix-incorrect-register-setting-of-hs400_cmd_int_delay.patch
+alsa-usb-audio-add-opus-3-to-quirks-for-native-dsd-support.patch
+alsa-hda-realtek-fixed-hp_pin-no-value.patch
+alsa-pcm-fix-tight-loop-of-oss-capture-stream.patch
+ib-uverbs-fix-oops-upon-device-disassociation.patch
+ib-uverbs-fix-oops-in-uverbs_user_mmap_disassociate.patch
+ib-hfi1-remove-overly-conservative-vm_exec-flag-check.patch
+ib-hfi1-add-limit-test-for-rc-uc-send-via-loopback.patch