4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 5 Jan 2018 22:12:36 +0000 (23:12 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 5 Jan 2018 22:12:36 +0000 (23:12 +0100)
added patches:
crypto-chacha20poly1305-validate-the-digest-size.patch
crypto-n2-cure-use-after-free.patch
crypto-pcrypt-fix-freeing-pcrypt-instances.patch
fscache-fix-the-default-for-fscache_maybe_release_page.patch
kernel-acct.c-fix-the-acct-needcheck-check-in-check_free_space.patch
kernel-make-groups_sort-calling-a-responsibility-group_info-allocators.patch
nbd-fix-use-after-free-of-rq-bio-in-the-xmit-path.patch
sunxi-rsb-include-of-based-modalias-in-device-uevent.patch

queue-4.9/crypto-chacha20poly1305-validate-the-digest-size.patch [new file with mode: 0644]
queue-4.9/crypto-n2-cure-use-after-free.patch [new file with mode: 0644]
queue-4.9/crypto-pcrypt-fix-freeing-pcrypt-instances.patch [new file with mode: 0644]
queue-4.9/fscache-fix-the-default-for-fscache_maybe_release_page.patch [new file with mode: 0644]
queue-4.9/kernel-acct.c-fix-the-acct-needcheck-check-in-check_free_space.patch [new file with mode: 0644]
queue-4.9/kernel-make-groups_sort-calling-a-responsibility-group_info-allocators.patch [new file with mode: 0644]
queue-4.9/nbd-fix-use-after-free-of-rq-bio-in-the-xmit-path.patch [new file with mode: 0644]
queue-4.9/series [new file with mode: 0644]
queue-4.9/sunxi-rsb-include-of-based-modalias-in-device-uevent.patch [new file with mode: 0644]

diff --git a/queue-4.9/crypto-chacha20poly1305-validate-the-digest-size.patch b/queue-4.9/crypto-chacha20poly1305-validate-the-digest-size.patch
new file mode 100644 (file)
index 0000000..1273106
--- /dev/null
@@ -0,0 +1,73 @@
+From e57121d08c38dabec15cf3e1e2ad46721af30cae Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 11 Dec 2017 12:15:17 -0800
+Subject: crypto: chacha20poly1305 - validate the digest size
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit e57121d08c38dabec15cf3e1e2ad46721af30cae upstream.
+
+If the rfc7539 template was instantiated with a hash algorithm with
+digest size larger than 16 bytes (POLY1305_DIGEST_SIZE), then the digest
+overran the 'tag' buffer in 'struct chachapoly_req_ctx', corrupting the
+subsequent memory, including 'cryptlen'.  This caused a crash during
+crypto_skcipher_decrypt().
+
+Fix it by, when instantiating the template, requiring that the
+underlying hash algorithm has the digest size expected for Poly1305.
+
+Reproducer:
+
+    #include <linux/if_alg.h>
+    #include <sys/socket.h>
+    #include <unistd.h>
+
+    int main()
+    {
+            int algfd, reqfd;
+            struct sockaddr_alg addr = {
+                    .salg_type = "aead",
+                    .salg_name = "rfc7539(chacha20,sha256)",
+            };
+            unsigned char buf[32] = { 0 };
+
+            algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+            bind(algfd, (void *)&addr, sizeof(addr));
+            setsockopt(algfd, SOL_ALG, ALG_SET_KEY, buf, sizeof(buf));
+            reqfd = accept(algfd, 0, 0);
+            write(reqfd, buf, 16);
+            read(reqfd, buf, 16);
+    }
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Fixes: 71ebc4d1b27d ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/chacha20poly1305.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/crypto/chacha20poly1305.c
++++ b/crypto/chacha20poly1305.c
+@@ -610,6 +610,11 @@ static int chachapoly_create(struct cryp
+                                                   algt->mask));
+       if (IS_ERR(poly))
+               return PTR_ERR(poly);
++      poly_hash = __crypto_hash_alg_common(poly);
++
++      err = -EINVAL;
++      if (poly_hash->digestsize != POLY1305_DIGEST_SIZE)
++              goto out_put_poly;
+       err = -ENOMEM;
+       inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
+@@ -618,7 +623,6 @@ static int chachapoly_create(struct cryp
+       ctx = aead_instance_ctx(inst);
+       ctx->saltlen = CHACHAPOLY_IV_SIZE - ivsize;
+-      poly_hash = __crypto_hash_alg_common(poly);
+       err = crypto_init_ahash_spawn(&ctx->poly, poly_hash,
+                                     aead_crypto_instance(inst));
+       if (err)
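Review bot: The new `poly_hash->digestsize != POLY1305_DIGEST_SIZE` check closes the 'tag' overrun described in the message, but it constrains only the digest length, so any hash with a 16-byte digest (md5, for instance) would still instantiate as an "rfc7539" AEAD unless the lookup that produced `poly` already restricts the algorithm name — that lookup, the `out_put_poly` label and the rest of chachapoly_create() are outside the hunk. A reader of the check cannot see why 16 bytes is the limit, so document the buffer it protects: `/* 'tag' in chachapoly_req_ctx is POLY1305_DIGEST_SIZE bytes; a larger digest would overrun it */` above the `err = -EINVAL;` line. If the intent is that only poly1305 is acceptable, the name check would be a separate follow-up rather than something this size test provides.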
diff --git a/queue-4.9/crypto-n2-cure-use-after-free.patch b/queue-4.9/crypto-n2-cure-use-after-free.patch
new file mode 100644 (file)
index 0000000..ef45e35
--- /dev/null
@@ -0,0 +1,69 @@
+From 203f45003a3d03eea8fa28d74cfc74c354416fdb Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt <jengelh@inai.de>
+Date: Tue, 19 Dec 2017 19:09:07 +0100
+Subject: crypto: n2 - cure use after free
+
+From: Jan Engelhardt <jengelh@inai.de>
+
+commit 203f45003a3d03eea8fa28d74cfc74c354416fdb upstream.
+
+queue_cache_init is first called for the Control Word Queue
+(n2_crypto_probe). At that time, queue_cache[0] is NULL and a new
+kmem_cache will be allocated. If the subsequent n2_register_algs call
+fails, the kmem_cache will be released in queue_cache_destroy, but
+queue_cache_init[0] is not set back to NULL.
+
+So when the Module Arithmetic Unit gets probed next (n2_mau_probe),
+queue_cache_init will not allocate a kmem_cache again, but leave it
+as its bogus value, causing a BUG() to trigger when queue_cache[0] is
+eventually passed to kmem_cache_zalloc:
+
+       n2_crypto: Found N2CP at /virtual-devices@100/n2cp@7
+       n2_crypto: Registered NCS HVAPI version 2.0
+       called queue_cache_init
+       n2_crypto: md5 alg registration failed
+       n2cp f028687c: /virtual-devices@100/n2cp@7: Unable to register algorithms.
+       called queue_cache_destroy
+       n2cp: probe of f028687c failed with error -22
+       n2_crypto: Found NCP at /virtual-devices@100/ncp@6
+       n2_crypto: Registered NCS HVAPI version 2.0
+       called queue_cache_init
+       kernel BUG at mm/slab.c:2993!
+       Call Trace:
+        [0000000000604488] kmem_cache_alloc+0x1a8/0x1e0
+                  (inlined) kmem_cache_zalloc
+                  (inlined) new_queue
+                  (inlined) spu_queue_setup
+                  (inlined) handle_exec_unit
+        [0000000010c61eb4] spu_mdesc_scan+0x1f4/0x460 [n2_crypto]
+        [0000000010c62b80] n2_mau_probe+0x100/0x220 [n2_crypto]
+        [000000000084b174] platform_drv_probe+0x34/0xc0
+
+Signed-off-by: Jan Engelhardt <jengelh@inai.de>
+Acked-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/n2_core.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/crypto/n2_core.c
++++ b/drivers/crypto/n2_core.c
+@@ -1620,6 +1620,7 @@ static int queue_cache_init(void)
+                                         CWQ_ENTRY_SIZE, 0, NULL);
+       if (!queue_cache[HV_NCS_QTYPE_CWQ - 1]) {
+               kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]);
++              queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL;
+               return -ENOMEM;
+       }
+       return 0;
+@@ -1629,6 +1630,8 @@ static void queue_cache_destroy(void)
+ {
+       kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_MAU - 1]);
+       kmem_cache_destroy(queue_cache[HV_NCS_QTYPE_CWQ - 1]);
++      queue_cache[HV_NCS_QTYPE_MAU - 1] = NULL;
++      queue_cache[HV_NCS_QTYPE_CWQ - 1] = NULL;
+ }
+ static int spu_queue_register(struct spu_queue *p, unsigned long q_type)
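Review bot: The destroy-then-clear pair now appears three times (the failure path of queue_cache_init() and both lines of queue_cache_destroy()), and the bug being fixed was precisely one site forgetting the second half, so the pattern invites the same slip at the next call site. A small helper keeps the two steps inseparable: `static void queue_cache_put(int idx) { kmem_cache_destroy(queue_cache[idx]); queue_cache[idx] = NULL; }` and each site becomes `queue_cache_put(HV_NCS_QTYPE_MAU - 1);`. The start of queue_cache_init(), including how it decides whether a cache already exists, is outside the hunk.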
diff --git a/queue-4.9/crypto-pcrypt-fix-freeing-pcrypt-instances.patch b/queue-4.9/crypto-pcrypt-fix-freeing-pcrypt-instances.patch
new file mode 100644 (file)
index 0000000..338b676
--- /dev/null
@@ -0,0 +1,78 @@
+From d76c68109f37cb85b243a1cf0f40313afd2bae68 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 20 Dec 2017 14:28:25 -0800
+Subject: crypto: pcrypt - fix freeing pcrypt instances
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit d76c68109f37cb85b243a1cf0f40313afd2bae68 upstream.
+
+pcrypt is using the old way of freeing instances, where the ->free()
+method specified in the 'struct crypto_template' is passed a pointer to
+the 'struct crypto_instance'.  But the crypto_instance is being
+kfree()'d directly, which is incorrect because the memory was actually
+allocated as an aead_instance, which contains the crypto_instance at a
+nonzero offset.  Thus, the wrong pointer was being kfree()'d.
+
+Fix it by switching to the new way to free aead_instance's where the
+->free() method is specified in the aead_instance itself.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Fixes: 0496f56065e0 ("crypto: pcrypt - Add support for new AEAD interface")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/pcrypt.c |   19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/crypto/pcrypt.c
++++ b/crypto/pcrypt.c
+@@ -254,6 +254,14 @@ static void pcrypt_aead_exit_tfm(struct
+       crypto_free_aead(ctx->child);
+ }
++static void pcrypt_free(struct aead_instance *inst)
++{
++      struct pcrypt_instance_ctx *ctx = aead_instance_ctx(inst);
++
++      crypto_drop_aead(&ctx->spawn);
++      kfree(inst);
++}
++
+ static int pcrypt_init_instance(struct crypto_instance *inst,
+                               struct crypto_alg *alg)
+ {
+@@ -319,6 +327,8 @@ static int pcrypt_create_aead(struct cry
+       inst->alg.encrypt = pcrypt_aead_encrypt;
+       inst->alg.decrypt = pcrypt_aead_decrypt;
++      inst->free = pcrypt_free;
++
+       err = aead_register_instance(tmpl, inst);
+       if (err)
+               goto out_drop_aead;
+@@ -349,14 +359,6 @@ static int pcrypt_create(struct crypto_t
+       return -EINVAL;
+ }
+-static void pcrypt_free(struct crypto_instance *inst)
+-{
+-      struct pcrypt_instance_ctx *ctx = crypto_instance_ctx(inst);
+-
+-      crypto_drop_aead(&ctx->spawn);
+-      kfree(inst);
+-}
+-
+ static int pcrypt_cpumask_change_notify(struct notifier_block *self,
+                                       unsigned long val, void *data)
+ {
+@@ -469,7 +471,6 @@ static void pcrypt_fini_padata(struct pa
+ static struct crypto_template pcrypt_tmpl = {
+       .name = "pcrypt",
+       .create = pcrypt_create,
+-      .free = pcrypt_free,
+       .module = THIS_MODULE,
+ };
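Review bot: The new `pcrypt_free(struct aead_instance *inst)` carries no comment explaining why it must take the aead_instance rather than the embedded crypto_instance, which is the whole point of the change and exactly the mistake the removed `pcrypt_free(struct crypto_instance *inst)` made. Add above it: `/* ->free for the aead_instance: the allocation is the aead_instance itself, so kfree() must get this pointer, not the embedded crypto_instance (which sits at a nonzero offset). */`. The kzalloc that allocates the instance in pcrypt_create_aead() is outside the hunk, so the size/offset relationship is taken from the commit message rather than visible code.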
diff --git a/queue-4.9/fscache-fix-the-default-for-fscache_maybe_release_page.patch b/queue-4.9/fscache-fix-the-default-for-fscache_maybe_release_page.patch
new file mode 100644 (file)
index 0000000..a625b63
--- /dev/null
@@ -0,0 +1,51 @@
+From 98801506552593c9b8ac11021b0cdad12cab4f6b Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 2 Jan 2018 10:02:19 +0000
+Subject: fscache: Fix the default for fscache_maybe_release_page()
+
+From: David Howells <dhowells@redhat.com>
+
+commit 98801506552593c9b8ac11021b0cdad12cab4f6b upstream.
+
+Fix the default for fscache_maybe_release_page() for when the cookie isn't
+valid or the page isn't cached.  It mustn't return false as that indicates
+the page cannot yet be freed.
+
+The problem with the default is that if, say, there's no cache, but a
+network filesystem's pages are using up almost all the available memory, a
+system can OOM because the filesystem ->releasepage() op will not allow
+them to be released as fscache_maybe_release_page() incorrectly prevents
+it.
+
+This can be tested by writing a sequence of 512MiB files to an AFS mount.
+It does not affect NFS or CIFS because both of those wrap the call in a
+check of PG_fscache and it shouldn't bother Ceph as that only has
+PG_private set whilst writeback is in progress.  This might be an issue for
+9P, however.
+
+Note that the pages aren't entirely stuck.  Removing a file or unmounting
+will clear things because that uses ->invalidatepage() instead.
+
+Fixes: 201a15428bd5 ("FS-Cache: Handle pages pending storage that get evicted under OOM conditions")
+Reported-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+Tested-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/fscache.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/fscache.h
++++ b/include/linux/fscache.h
+@@ -764,7 +764,7 @@ bool fscache_maybe_release_page(struct f
+ {
+       if (fscache_cookie_valid(cookie) && PageFsCache(page))
+               return __fscache_maybe_release_page(cookie, page, gfp);
+-      return false;
++      return true;
+ }
+ /**
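Review bot: The changed `return true;` is the only line a reader sees in the fallback path and nothing states what `true` means to the ->releasepage() caller, which is how the inverted default survived since the commit named in Fixes. Document the contract at the return: `/* No valid cookie or page not cached: nothing in fscache pins it, so tell the VM the page may be released */`. The opening of fscache_maybe_release_page(), including its kernel-doc block, is outside the hunk, so the kernel-doc return description may also need the same correction.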
diff --git a/queue-4.9/kernel-acct.c-fix-the-acct-needcheck-check-in-check_free_space.patch b/queue-4.9/kernel-acct.c-fix-the-acct-needcheck-check-in-check_free_space.patch
new file mode 100644 (file)
index 0000000..c664aa4
--- /dev/null
@@ -0,0 +1,51 @@
+From 4d9570158b6260f449e317a5f9ed030c2504a615 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Thu, 4 Jan 2018 16:17:49 -0800
+Subject: kernel/acct.c: fix the acct->needcheck check in check_free_space()
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit 4d9570158b6260f449e317a5f9ed030c2504a615 upstream.
+
+As Tsukada explains, the time_is_before_jiffies(acct->needcheck) check
+is very wrong, we need time_is_after_jiffies() to make sys_acct() work.
+
+Ignoring the overflows, the code should "goto out" if needcheck >
+jiffies, while currently it checks "needcheck < jiffies" and thus in the
+likely case check_free_space() does nothing until jiffies overflow.
+
+In particular this means that sys_acct() is simply broken, acct_on()
+sets acct->needcheck = jiffies and expects that check_free_space()
+should set acct->active = 1 after the free-space check, but this won't
+happen if jiffies increments in between.
+
+This was broken by commit 32dc73086015 ("get rid of timer in
+kern/acct.c") in 2011, then another (correct) commit 795a2f22a8ea
+("acct() should honour the limits from the very beginning") made the
+problem more visible.
+
+Link: http://lkml.kernel.org/r/20171213133940.GA6554@redhat.com
+Fixes: 32dc73086015 ("get rid of timer in kern/acct.c")
+Reported-by: TSUKADA Koutaro <tsukada@ascade.co.jp>
+Suggested-by: TSUKADA Koutaro <tsukada@ascade.co.jp>
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/acct.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/acct.c
++++ b/kernel/acct.c
+@@ -99,7 +99,7 @@ static int check_free_space(struct bsd_a
+ {
+       struct kstatfs sbuf;
+-      if (time_is_before_jiffies(acct->needcheck))
++      if (time_is_after_jiffies(acct->needcheck))
+               goto out;
+       /* May block */
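Review bot: The corrected condition `time_is_after_jiffies(acct->needcheck)` reads as an inversion of the line it replaces and, without a comment, the next reader has no way to tell which direction is the intended one — the same ambiguity that let the wrong macro sit there since 2011. Add `/* needcheck is a deadline: skip until jiffies has reached it (presumably wrap-safe via time_after) */` above the `if`. The rest of check_free_space(), including where needcheck is advanced, is outside the hunk.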
diff --git a/queue-4.9/kernel-make-groups_sort-calling-a-responsibility-group_info-allocators.patch b/queue-4.9/kernel-make-groups_sort-calling-a-responsibility-group_info-allocators.patch
new file mode 100644 (file)
index 0000000..5ab7ac6
--- /dev/null
@@ -0,0 +1,157 @@
+From bdcf0a423ea1c40bbb40e7ee483b50fc8aa3d758 Mon Sep 17 00:00:00 2001
+From: Thiago Rafael Becker <thiago.becker@gmail.com>
+Date: Thu, 14 Dec 2017 15:33:12 -0800
+Subject: kernel: make groups_sort calling a responsibility group_info allocators
+
+From: Thiago Rafael Becker <thiago.becker@gmail.com>
+
+commit bdcf0a423ea1c40bbb40e7ee483b50fc8aa3d758 upstream.
+
+In testing, we found that nfsd threads may call set_groups in parallel
+for the same entry cached in auth.unix.gid, racing in the call of
+groups_sort, corrupting the groups for that entry and leading to
+permission denials for the client.
+
+This patch:
+ - Make groups_sort globally visible.
+ - Move the call to groups_sort to the modifiers of group_info
+ - Remove the call to groups_sort from set_groups
+
+Link: http://lkml.kernel.org/r/20171211151420.18655-1-thiago.becker@gmail.com
+Signed-off-by: Thiago Rafael Becker <thiago.becker@gmail.com>
+Reviewed-by: Matthew Wilcox <mawilcox@microsoft.com>
+Reviewed-by: NeilBrown <neilb@suse.com>
+Acked-by: "J. Bruce Fields" <bfields@fieldses.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ arch/s390/kernel/compat_linux.c   |    1 +
+ fs/nfsd/auth.c                    |    3 +++
+ include/linux/cred.h              |    1 +
+ kernel/groups.c                   |    5 +++--
+ kernel/uid16.c                    |    1 +
+ net/sunrpc/auth_gss/gss_rpc_xdr.c |    1 +
+ net/sunrpc/auth_gss/svcauth_gss.c |    1 +
+ net/sunrpc/svcauth_unix.c         |    2 ++
+ 8 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kernel/compat_linux.c
++++ b/arch/s390/kernel/compat_linux.c
+@@ -263,6 +263,7 @@ COMPAT_SYSCALL_DEFINE2(s390_setgroups16,
+               return retval;
+       }
++      groups_sort(group_info);
+       retval = set_current_groups(group_info);
+       put_group_info(group_info);
+--- a/fs/nfsd/auth.c
++++ b/fs/nfsd/auth.c
+@@ -59,6 +59,9 @@ int nfsd_setuser(struct svc_rqst *rqstp,
+                               gi->gid[i] = exp->ex_anon_gid;
+                       else
+                               gi->gid[i] = rqgi->gid[i];
++
++                      /* Each thread allocates its own gi, no race */
++                      groups_sort(gi);
+               }
+       } else {
+               gi = get_group_info(rqgi);
+--- a/include/linux/cred.h
++++ b/include/linux/cred.h
+@@ -82,6 +82,7 @@ extern int set_current_groups(struct gro
+ extern void set_groups(struct cred *, struct group_info *);
+ extern int groups_search(const struct group_info *, kgid_t);
+ extern bool may_setgroups(void);
++extern void groups_sort(struct group_info *);
+ /*
+  * The security context of a task
+--- a/kernel/groups.c
++++ b/kernel/groups.c
+@@ -77,7 +77,7 @@ static int groups_from_user(struct group
+ }
+ /* a simple Shell sort */
+-static void groups_sort(struct group_info *group_info)
++void groups_sort(struct group_info *group_info)
+ {
+       int base, max, stride;
+       int gidsetsize = group_info->ngroups;
+@@ -103,6 +103,7 @@ static void groups_sort(struct group_inf
+               stride /= 3;
+       }
+ }
++EXPORT_SYMBOL(groups_sort);
+ /* a simple bsearch */
+ int groups_search(const struct group_info *group_info, kgid_t grp)
+@@ -134,7 +135,6 @@ int groups_search(const struct group_inf
+ void set_groups(struct cred *new, struct group_info *group_info)
+ {
+       put_group_info(new->group_info);
+-      groups_sort(group_info);
+       get_group_info(group_info);
+       new->group_info = group_info;
+ }
+@@ -218,6 +218,7 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsi
+               return retval;
+       }
++      groups_sort(group_info);
+       retval = set_current_groups(group_info);
+       put_group_info(group_info);
+--- a/kernel/uid16.c
++++ b/kernel/uid16.c
+@@ -190,6 +190,7 @@ SYSCALL_DEFINE2(setgroups16, int, gidset
+               return retval;
+       }
++      groups_sort(group_info);
+       retval = set_current_groups(group_info);
+       put_group_info(group_info);
+--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c
++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c
+@@ -231,6 +231,7 @@ static int gssx_dec_linux_creds(struct x
+                       goto out_free_groups;
+               creds->cr_group_info->gid[i] = kgid;
+       }
++      groups_sort(creds->cr_group_info);
+       return 0;
+ out_free_groups:
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -481,6 +481,7 @@ static int rsc_parse(struct cache_detail
+                               goto out;
+                       rsci.cred.cr_group_info->gid[i] = kgid;
+               }
++              groups_sort(rsci.cred.cr_group_info);
+               /* mech name */
+               len = qword_get(&mesg, buf, mlen);
+--- a/net/sunrpc/svcauth_unix.c
++++ b/net/sunrpc/svcauth_unix.c
+@@ -520,6 +520,7 @@ static int unix_gid_parse(struct cache_d
+               ug.gi->gid[i] = kgid;
+       }
++      groups_sort(ug.gi);
+       ugp = unix_gid_lookup(cd, uid);
+       if (ugp) {
+               struct cache_head *ch;
+@@ -819,6 +820,7 @@ svcauth_unix_accept(struct svc_rqst *rqs
+               kgid_t kgid = make_kgid(&init_user_ns, svc_getnl(argv));
+               cred->cr_group_info->gid[i] = kgid;
+       }
++      groups_sort(cred->cr_group_info);
+       if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) {
+               *authp = rpc_autherr_badverf;
+               return SVC_DENIED;
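Review bot: In the fs/nfsd/auth.c hunk, the added `groups_sort(gi);` sits inside the `for` loop that fills `gi->gid[i]` (it is indented like the `if`/`else` that assign the entry), so the array is sorted on every iteration while the entries above index i are not yet written. groups_sort() orders all `group_info->ngroups` entries (visible in the kernel/groups.c hunk), so each mid-loop sort moves already-copied gids to other positions and the next `gi->gid[i] = ...` overwrites one of them; the resulting credential has the wrong group list, and if the unfilled slots held stale values those values end up in it — this is the access-control path for squashed requests, so the effect is mis-applied group membership rather than just the denials the message set out to fix. Move the call after the loop's closing brace so it runs once on the fully populated array: `}` then `groups_sort(gi);` at the loop's indentation, keeping the no-race comment with it. The allocator of `gi` and the rest of nfsd_setuser() are outside the hunk, so whether the unfilled slots are zeroed or stale cannot be confirmed here.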
diff --git a/queue-4.9/nbd-fix-use-after-free-of-rq-bio-in-the-xmit-path.patch b/queue-4.9/nbd-fix-use-after-free-of-rq-bio-in-the-xmit-path.patch
new file mode 100644 (file)
index 0000000..8ad32af
--- /dev/null
@@ -0,0 +1,81 @@
+From 429a787be6793554ee02aacc7e1f11ebcecc4453 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@fb.com>
+Date: Thu, 17 Nov 2016 12:30:37 -0700
+Subject: nbd: fix use-after-free of rq/bio in the xmit path
+
+From: Jens Axboe <axboe@fb.com>
+
+commit 429a787be6793554ee02aacc7e1f11ebcecc4453 upstream.
+
+For writes, we can get a completion in while we're still iterating
+the request and bio chain. If that happens, we're reading freed
+memory and we can crash.
+
+Break out after the last segment and avoid having the iterator
+read freed memory.
+
+Reviewed-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/nbd.c |   32 +++++++++++++++++++++++---------
+ 1 file changed, 23 insertions(+), 9 deletions(-)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -272,6 +272,7 @@ static int nbd_send_cmd(struct nbd_devic
+       int result, flags;
+       struct nbd_request request;
+       unsigned long size = blk_rq_bytes(req);
++      struct bio *bio;
+       u32 type;
+       if (req->cmd_type == REQ_TYPE_DRV_PRIV)
+@@ -305,16 +306,20 @@ static int nbd_send_cmd(struct nbd_devic
+               return -EIO;
+       }
+-      if (type == NBD_CMD_WRITE) {
+-              struct req_iterator iter;
++      if (type != NBD_CMD_WRITE)
++              return 0;
++
++      flags = 0;
++      bio = req->bio;
++      while (bio) {
++              struct bio *next = bio->bi_next;
++              struct bvec_iter iter;
+               struct bio_vec bvec;
+-              /*
+-               * we are really probing at internals to determine
+-               * whether to set MSG_MORE or not...
+-               */
+-              rq_for_each_segment(bvec, req, iter) {
+-                      flags = 0;
+-                      if (!rq_iter_last(bvec, iter))
++
++              bio_for_each_segment(bvec, bio, iter) {
++                      bool is_last = !next && bio_iter_last(bvec, iter);
++
++                      if (is_last)
+                               flags = MSG_MORE;
+                       dev_dbg(nbd_to_dev(nbd), "request %p: sending %d bytes data\n",
+                               cmd, bvec.bv_len);
+@@ -325,7 +330,16 @@ static int nbd_send_cmd(struct nbd_devic
+                                       result);
+                               return -EIO;
+                       }
++                      /*
++                       * The completion might already have come in,
++                       * so break for the last one instead of letting
++                       * the iterator do it. This prevents use-after-free
++                       * of the bio.
++                       */
++                      if (is_last)
++                              break;
+               }
++              bio = next;
+       }
+       return 0;
+ }
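Review bot: The MSG_MORE logic in the new loop is inverted relative to the lines it replaces: the removed code set `flags = MSG_MORE` when the segment was *not* the last (`if (!rq_iter_last(bvec, iter))`), whereas the new code sets it `if (is_last)` and never clears it, so every segment before the last is sent with `flags == 0` and only the final one carries MSG_MORE, telling the socket more data follows when none does. That contradicts the intent recorded in the removed comment about deciding "whether to set MSG_MORE or not" and presumably delays the final chunk on the wire, though the send call that consumes `flags` is outside the visible lines. Drop the `flags = 0;` before the loop and the `if (is_last) flags = MSG_MORE;` pair in favour of a per-segment `flags = is_last ? 0 : MSG_MORE;` right after the `is_last` declaration. nbd_send_cmd() begins outside the hunk and the header send that precedes this loop is not visible.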
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644 (file)
index 0000000..134e217
--- /dev/null
@@ -0,0 +1,8 @@
+kernel-acct.c-fix-the-acct-needcheck-check-in-check_free_space.patch
+crypto-n2-cure-use-after-free.patch
+crypto-chacha20poly1305-validate-the-digest-size.patch
+crypto-pcrypt-fix-freeing-pcrypt-instances.patch
+sunxi-rsb-include-of-based-modalias-in-device-uevent.patch
+fscache-fix-the-default-for-fscache_maybe_release_page.patch
+nbd-fix-use-after-free-of-rq-bio-in-the-xmit-path.patch
+kernel-make-groups_sort-calling-a-responsibility-group_info-allocators.patch
diff --git a/queue-4.9/sunxi-rsb-include-of-based-modalias-in-device-uevent.patch b/queue-4.9/sunxi-rsb-include-of-based-modalias-in-device-uevent.patch
new file mode 100644 (file)
index 0000000..439586d
--- /dev/null
@@ -0,0 +1,41 @@
+From e2bf801ecd4e62222a46d1ba9e57e710171d29c1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20Br=C3=BCns?= <stefan.bruens@rwth-aachen.de>
+Date: Mon, 27 Nov 2017 20:05:34 +0100
+Subject: sunxi-rsb: Include OF based modalias in device uevent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stefan Brüns <stefan.bruens@rwth-aachen.de>
+
+commit e2bf801ecd4e62222a46d1ba9e57e710171d29c1 upstream.
+
+Include the OF-based modalias in the uevent sent when registering devices
+on the sunxi RSB bus, so that user space has a chance to autoload the
+kernel module for the device.
+
+Fixes a regression caused by commit 3f241bfa60bd ("arm64: allwinner: a64:
+pine64: Use dcdc1 regulator for mmc0"). When the axp20x-rsb module for
+the AXP803 PMIC is built as a module, it is not loaded and the system
+ends up with an disfunctional MMC controller.
+
+Fixes: d787dcdb9c8f ("bus: sunxi-rsb: Add driver for Allwinner Reduced Serial Bus")
+Acked-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/sunxi-rsb.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bus/sunxi-rsb.c
++++ b/drivers/bus/sunxi-rsb.c
+@@ -178,6 +178,7 @@ static struct bus_type sunxi_rsb_bus = {
+       .match          = sunxi_rsb_device_match,
+       .probe          = sunxi_rsb_device_probe,
+       .remove         = sunxi_rsb_device_remove,
++      .uevent         = of_device_uevent_modalias,
+ };
+ static void sunxi_rsb_dev_release(struct device *dev)