--- /dev/null
+From c988de29ca161823db6a7125e803d597ef75b49c Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <palcantara@suse.com>
+Date: Thu, 15 Nov 2018 15:20:52 +0100
+Subject: cifs: Fix separator when building path from dentry
+
+From: Paulo Alcantara <palcantara@suse.com>
+
+commit c988de29ca161823db6a7125e803d597ef75b49c upstream.
+
+Make sure to use the CIFS_DIR_SEP(cifs_sb) as path separator for
+prefixpath too. Fixes a bug with smb1 UNIX extensions.
+
+Fixes: a6b5058fafdf ("fs/cifs: make share unaccessible at root level mountable")
+Signed-off-by: Paulo Alcantara <palcantara@suse.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -174,7 +174,7 @@ cifs_bp_rename_retry:
+
+ cifs_dbg(FYI, "using cifs_sb prepath <%s>\n", cifs_sb->prepath);
+ memcpy(full_path+dfsplen+1, cifs_sb->prepath, pplen-1);
+- full_path[dfsplen] = '\\';
++ full_path[dfsplen] = dirsep;
+ for (i = 0; i < pplen-1; i++)
+ if (full_path[dfsplen+1+i] == '/')
+ full_path[dfsplen+1+i] = CIFS_DIR_SEP(cifs_sb);
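Review bot: The separator fix at `full_path[dfsplen] = dirsep;` is only half consistent: the loop two lines below still spells the separator as `CIFS_DIR_SEP(cifs_sb)`, which per the commit message is exactly what `dirsep` holds, so the prefix byte and the converted prepath should use one name; `full_path[dfsplen+1+i] = dirsep;` makes it obvious they agree. `dirsep` is declared outside this hunk, so its value cannot be confirmed here; a one-line comment at its definition stating it is the per-mount separator from `CIFS_DIR_SEP(cifs_sb)` would remove the need to re-derive that. The enclosing function starts and ends outside the hunk.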
--- /dev/null
+From 37c2578c0c40e286bc0d30bdc05290b2058cf66e Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Mon, 3 Dec 2018 00:54:35 +0000
+Subject: Drivers: hv: vmbus: Offload the handling of channels to two workqueues
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 37c2578c0c40e286bc0d30bdc05290b2058cf66e upstream.
+
+vmbus_process_offer() mustn't call channel->sc_creation_callback()
+directly for sub-channels, because sc_creation_callback() ->
+vmbus_open() may never get the host's response to the
+OPEN_CHANNEL message (the host may rescind a channel at any time,
+e.g. in the case of hot removing a NIC), and vmbus_onoffer_rescind()
+may not wake up the vmbus_open() as it's blocked due to a non-zero
+vmbus_connection.offer_in_progress, and finally we have a deadlock.
+
+The above is also true for primary channels, if the related device
+drivers use sync probing mode by default.
+
+And, usually the handling of primary channels and sub-channels can
+depend on each other, so we should offload them to different
+workqueues to avoid possible deadlock, e.g. in sync-probing mode,
+NIC1's netvsc_subchan_work() can race with NIC2's netvsc_probe() ->
+rtnl_lock(), and causes deadlock: the former gets the rtnl_lock
+and waits for all the sub-channels to appear, but the latter
+can't get the rtnl_lock and this blocks the handling of sub-channels.
+
+The patch can fix the multiple-NIC deadlock described above for
+v3.x kernels (e.g. RHEL 7.x) which don't support async-probing
+of devices, and v4.4, v4.9, v4.14 and v4.18 which support async-probing
+but don't enable async-probing for Hyper-V drivers (yet).
+
+The patch can also fix the hang issue in sub-channel's handling described
+above for all versions of kernels, including v4.19 and v4.20-rc4.
+
+So actually the patch should be applied to all the existing kernels,
+not only the kernels that have 8195b1396ec8.
+
+Fixes: 8195b1396ec8 ("hv_netvsc: fix deadlock on hotplug")
+Cc: stable@vger.kernel.org
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: K. Y. Srinivasan <kys@microsoft.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/channel_mgmt.c | 185 +++++++++++++++++++++++++++++++---------------
+ drivers/hv/connection.c | 24 +++++
+ drivers/hv/hyperv_vmbus.h | 7 +
+ include/linux/hyperv.h | 7 +
+ 4 files changed, 160 insertions(+), 63 deletions(-)
+
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -444,61 +444,16 @@ void vmbus_free_channels(void)
+ }
+ }
+
+-/*
+- * vmbus_process_offer - Process the offer by creating a channel/device
+- * associated with this offer
+- */
+-static void vmbus_process_offer(struct vmbus_channel *newchannel)
++/* Note: the function can run concurrently for primary/sub channels. */
++static void vmbus_add_channel_work(struct work_struct *work)
+ {
+- struct vmbus_channel *channel;
+- bool fnew = true;
++ struct vmbus_channel *newchannel =
++ container_of(work, struct vmbus_channel, add_channel_work);
++ struct vmbus_channel *primary_channel = newchannel->primary_channel;
+ unsigned long flags;
+ u16 dev_type;
+ int ret;
+
+- /* Make sure this is a new offer */
+- mutex_lock(&vmbus_connection.channel_mutex);
+-
+- /*
+- * Now that we have acquired the channel_mutex,
+- * we can release the potentially racing rescind thread.
+- */
+- atomic_dec(&vmbus_connection.offer_in_progress);
+-
+- list_for_each_entry(channel, &vmbus_connection.chn_list, listentry) {
+- if (!uuid_le_cmp(channel->offermsg.offer.if_type,
+- newchannel->offermsg.offer.if_type) &&
+- !uuid_le_cmp(channel->offermsg.offer.if_instance,
+- newchannel->offermsg.offer.if_instance)) {
+- fnew = false;
+- break;
+- }
+- }
+-
+- if (fnew)
+- list_add_tail(&newchannel->listentry,
+- &vmbus_connection.chn_list);
+-
+- mutex_unlock(&vmbus_connection.channel_mutex);
+-
+- if (!fnew) {
+- /*
+- * Check to see if this is a sub-channel.
+- */
+- if (newchannel->offermsg.offer.sub_channel_index != 0) {
+- /*
+- * Process the sub-channel.
+- */
+- newchannel->primary_channel = channel;
+- spin_lock_irqsave(&channel->lock, flags);
+- list_add_tail(&newchannel->sc_list, &channel->sc_list);
+- channel->num_sc++;
+- spin_unlock_irqrestore(&channel->lock, flags);
+- } else {
+- goto err_free_chan;
+- }
+- }
+-
+ dev_type = hv_get_dev_type(newchannel);
+
+ init_vp_index(newchannel, dev_type);
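Review bot: `vmbus_add_channel_work()` decides primary versus sub-channel from `newchannel->primary_channel` being non-NULL, but that pointer is assigned elsewhere (in `vmbus_process_offer()`) before the work is queued, and nothing at the read records that ordering requirement. Suggest on the `primary_channel` initializer: `/* Set by vmbus_process_offer() under channel_mutex before this work is queued; NULL for a primary channel. */`. The function continues past this hunk.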
+@@ -516,21 +471,22 @@ static void vmbus_process_offer(struct v
+ /*
+ * This state is used to indicate a successful open
+ * so that when we do close the channel normally, we
+- * can cleanup properly
++ * can cleanup properly.
+ */
+ newchannel->state = CHANNEL_OPEN_STATE;
+
+- if (!fnew) {
+- if (channel->sc_creation_callback != NULL)
+- channel->sc_creation_callback(newchannel);
++ if (primary_channel != NULL) {
++ /* newchannel is a sub-channel. */
++
++ if (primary_channel->sc_creation_callback != NULL)
++ primary_channel->sc_creation_callback(newchannel);
++
+ newchannel->probe_done = true;
+ return;
+ }
+
+ /*
+- * Start the process of binding this offer to the driver
+- * We need to set the DeviceObject field before calling
+- * vmbus_child_dev_add()
++ * Start the process of binding the primary channel to the driver
+ */
+ newchannel->device_obj = vmbus_device_create(
+ &newchannel->offermsg.offer.if_type,
+@@ -559,13 +515,28 @@ static void vmbus_process_offer(struct v
+
+ err_deq_chan:
+ mutex_lock(&vmbus_connection.channel_mutex);
+- list_del(&newchannel->listentry);
++
++ /*
++ * We need to set the flag, otherwise
++ * vmbus_onoffer_rescind() can be blocked.
++ */
++ newchannel->probe_done = true;
++
++ if (primary_channel == NULL) {
++ list_del(&newchannel->listentry);
++ } else {
++ spin_lock_irqsave(&primary_channel->lock, flags);
++ list_del(&newchannel->sc_list);
++ spin_unlock_irqrestore(&primary_channel->lock, flags);
++ }
++
+ mutex_unlock(&vmbus_connection.channel_mutex);
+
+ if (newchannel->target_cpu != get_cpu()) {
+ put_cpu();
+ smp_call_function_single(newchannel->target_cpu,
+- percpu_channel_deq, newchannel, true);
++ percpu_channel_deq,
++ newchannel, true);
+ } else {
+ percpu_channel_deq(newchannel);
+ put_cpu();
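Review bot: Setting `newchannel->probe_done = true;` in the error path, before the channel is unlinked and later freed by this same function, releases any rescind handler polling that flag, and nothing visible here stops it from dereferencing the channel while this path tears it down. The write and the `list_del` sit in one `channel_mutex` section, so this is safe only if `vmbus_onoffer_rescind()` (outside this diff) re-looks the channel up under `channel_mutex` after its wait instead of reusing the earlier pointer; that should be confirmed and stated in the comment, e.g. `/* A rescind may be waiting on probe_done; it must revalidate the channel under channel_mutex once it wakes. */`. The function's body, including the `free_channel()` call, continues past this hunk.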
+@@ -573,14 +544,104 @@ err_deq_chan:
+
+ vmbus_release_relid(newchannel->offermsg.child_relid);
+
+-err_free_chan:
+ free_channel(newchannel);
+ }
+
+ /*
++ * vmbus_process_offer - Process the offer by creating a channel/device
++ * associated with this offer
++ */
++static void vmbus_process_offer(struct vmbus_channel *newchannel)
++{
++ struct vmbus_channel *channel;
++ struct workqueue_struct *wq;
++ unsigned long flags;
++ bool fnew = true;
++
++ mutex_lock(&vmbus_connection.channel_mutex);
++
++ /*
++ * Now that we have acquired the channel_mutex,
++ * we can release the potentially racing rescind thread.
++ */
++ atomic_dec(&vmbus_connection.offer_in_progress);
++
++ list_for_each_entry(channel, &vmbus_connection.chn_list, listentry) {
++ if (!uuid_le_cmp(channel->offermsg.offer.if_type,
++ newchannel->offermsg.offer.if_type) &&
++ !uuid_le_cmp(channel->offermsg.offer.if_instance,
++ newchannel->offermsg.offer.if_instance)) {
++ fnew = false;
++ break;
++ }
++ }
++
++ if (fnew)
++ list_add_tail(&newchannel->listentry,
++ &vmbus_connection.chn_list);
++ else {
++ /*
++ * Check to see if this is a valid sub-channel.
++ */
++ if (newchannel->offermsg.offer.sub_channel_index == 0) {
++ mutex_unlock(&vmbus_connection.channel_mutex);
++ /*
++ * Don't call free_channel(), because newchannel->kobj
++ * is not initialized yet.
++ */
++ kfree(newchannel);
++ WARN_ON_ONCE(1);
++ return;
++ }
++ /*
++ * Process the sub-channel.
++ */
++ newchannel->primary_channel = channel;
++ spin_lock_irqsave(&channel->lock, flags);
++ list_add_tail(&newchannel->sc_list, &channel->sc_list);
++ spin_unlock_irqrestore(&channel->lock, flags);
++ }
++
++ mutex_unlock(&vmbus_connection.channel_mutex);
++
++ /*
++ * vmbus_process_offer() mustn't call channel->sc_creation_callback()
++ * directly for sub-channels, because sc_creation_callback() ->
++ * vmbus_open() may never get the host's response to the
++ * OPEN_CHANNEL message (the host may rescind a channel at any time,
++ * e.g. in the case of hot removing a NIC), and vmbus_onoffer_rescind()
++ * may not wake up the vmbus_open() as it's blocked due to a non-zero
++ * vmbus_connection.offer_in_progress, and finally we have a deadlock.
++ *
++ * The above is also true for primary channels, if the related device
++ * drivers use sync probing mode by default.
++ *
++ * And, usually the handling of primary channels and sub-channels can
++ * depend on each other, so we should offload them to different
++ * workqueues to avoid possible deadlock, e.g. in sync-probing mode,
++ * NIC1's netvsc_subchan_work() can race with NIC2's netvsc_probe() ->
++ * rtnl_lock(), and causes deadlock: the former gets the rtnl_lock
++ * and waits for all the sub-channels to appear, but the latter
++ * can't get the rtnl_lock and this blocks the handling of
++ * sub-channels.
++ */
++ INIT_WORK(&newchannel->add_channel_work, vmbus_add_channel_work);
++ wq = fnew ? vmbus_connection.handle_primary_chan_wq :
++ vmbus_connection.handle_sub_chan_wq;
++ queue_work(wq, &newchannel->add_channel_work);
++}
++
++/*
+ * We use this state to statically distribute the channel interrupt load.
+ */
+ static int next_numa_node_id;
++/*
++ * init_vp_index() accesses global variables like next_numa_node_id, and
++ * it can run concurrently for primary channels and sub-channels: see
++ * vmbus_process_offer(), so we need the lock to protect the global
++ * variables.
++ */
++static DEFINE_SPINLOCK(bind_channel_to_cpu_lock);
+
+ /*
+ * Starting with Win8, we can statically distribute the incoming
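Review bot: The sub-channel branch at `list_add_tail(&newchannel->sc_list, &channel->sc_list);` drops the `channel->num_sc++` that the removed code did under the same spinlock, and nothing else in this patch increments it. If this tree still reads `num_sc` or decrements it on channel removal — neither is visible here — the counter now drifts; either restore `channel->num_sc++;` inside the locked region or state in the commit message that the field is dead. Separately, the duplicate-primary path frees with `kfree(newchannel)` and, like the old `err_free_chan` path, never releases the relid; a comment saying that is deliberate would save the next reader from re-deriving it.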
+@@ -618,6 +679,8 @@ static void init_vp_index(struct vmbus_c
+ return;
+ }
+
++ spin_lock(&bind_channel_to_cpu_lock);
++
+ /*
+ * Based on the channel affinity policy, we will assign the NUMA
+ * nodes.
+@@ -700,6 +763,8 @@ static void init_vp_index(struct vmbus_c
+ channel->target_cpu = cur_cpu;
+ channel->target_vp = hv_cpu_number_to_vp_number(cur_cpu);
+
++ spin_unlock(&bind_channel_to_cpu_lock);
++
+ free_cpumask_var(available_mask);
+ }
+
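Review bot: `spin_lock(&bind_channel_to_cpu_lock)` and its `spin_unlock()` land in two different hunks with the whole CPU-selection body between them outside this diff, so it should be verified that no `return` or `goto` exists in that stretch, since any early exit would now leave the lock held. A comment next to the lock, such as `/* Held across the whole selection below; do not return early before the unlock. */`, would make that invariant visible. The enclosing function starts outside the hunk.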
+--- a/drivers/hv/connection.c
++++ b/drivers/hv/connection.c
+@@ -161,6 +161,20 @@ int vmbus_connect(void)
+ goto cleanup;
+ }
+
++ vmbus_connection.handle_primary_chan_wq =
++ create_workqueue("hv_pri_chan");
++ if (!vmbus_connection.handle_primary_chan_wq) {
++ ret = -ENOMEM;
++ goto cleanup;
++ }
++
++ vmbus_connection.handle_sub_chan_wq =
++ create_workqueue("hv_sub_chan");
++ if (!vmbus_connection.handle_sub_chan_wq) {
++ ret = -ENOMEM;
++ goto cleanup;
++ }
++
+ INIT_LIST_HEAD(&vmbus_connection.chn_msg_list);
+ spin_lock_init(&vmbus_connection.channelmsg_lock);
+
+@@ -251,10 +265,14 @@ void vmbus_disconnect(void)
+ */
+ vmbus_initiate_unload(false);
+
+- if (vmbus_connection.work_queue) {
+- drain_workqueue(vmbus_connection.work_queue);
++ if (vmbus_connection.handle_sub_chan_wq)
++ destroy_workqueue(vmbus_connection.handle_sub_chan_wq);
++
++ if (vmbus_connection.handle_primary_chan_wq)
++ destroy_workqueue(vmbus_connection.handle_primary_chan_wq);
++
++ if (vmbus_connection.work_queue)
+ destroy_workqueue(vmbus_connection.work_queue);
+- }
+
+ if (vmbus_connection.int_page) {
+ free_pages((unsigned long)vmbus_connection.int_page, 0);
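Review bot: The teardown order in `vmbus_disconnect()` destroys `handle_sub_chan_wq` and `handle_primary_chan_wq` before `work_queue`, but `work_queue` is the producer for the other two (`vmbus_process_offer()` calls `queue_work()` on them), so an offer still pending on `work_queue` could be queued onto an already-destroyed workqueue during its drain. Unless the caller has already quiesced the channel-message path — not visible here — destroying `work_queue` first and the two channel workqueues after it closes that window; `destroy_workqueue()` drains internally, so the dropped `drain_workqueue()` is not needed either way. A short comment stating the required order would help future edits, e.g. `/* work_queue feeds the two channel workqueues: destroy it first. */`.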
+--- a/drivers/hv/hyperv_vmbus.h
++++ b/drivers/hv/hyperv_vmbus.h
+@@ -327,7 +327,14 @@ struct vmbus_connection {
+ struct list_head chn_list;
+ struct mutex channel_mutex;
+
++ /*
++ * An offer message is handled first on the work_queue, and then
++ * is further handled on handle_primary_chan_wq or
++ * handle_sub_chan_wq.
++ */
+ struct workqueue_struct *work_queue;
++ struct workqueue_struct *handle_primary_chan_wq;
++ struct workqueue_struct *handle_sub_chan_wq;
+ };
+
+
+--- a/include/linux/hyperv.h
++++ b/include/linux/hyperv.h
+@@ -869,6 +869,13 @@ struct vmbus_channel {
+
+ bool probe_done;
+
++ /*
++ * We must offload the handling of the primary/sub channels
++ * from the single-threaded vmbus_connection.work_queue to
++ * two different workqueue, otherwise we can block
++ * vmbus_connection.work_queue and hang: see vmbus_process_offer().
++ */
++ struct work_struct add_channel_work;
+ };
+
+ static inline bool is_hvsock_channel(const struct vmbus_channel *c)
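Review bot: The new field comment reads `two different workqueue` (should be `workqueues`) and describes the consequence of not offloading rather than the field's lifecycle, which is what a reader of the struct needs: who initializes the work item and which queue it runs on. Suggest: `/* Work item that finishes adding this channel, run on handle_primary_chan_wq (primary) or handle_sub_chan_wq (sub-channel); initialized by vmbus_process_offer(), which explains why the two queues are separate. */`.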
--- /dev/null
+From a81a7c9c9ea3042ab02d66ac35def74abf091c15 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 28 Nov 2018 23:25:41 -0500
+Subject: drm/amdgpu/gmc8: update MC firmware for polaris
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit a81a7c9c9ea3042ab02d66ac35def74abf091c15 upstream.
+
+Some variants require different MC firmware images.
+
+Acked-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Junwei Zhang <Jerry.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
+@@ -52,6 +52,8 @@ MODULE_FIRMWARE("amdgpu/tonga_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris11_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris10_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris12_mc.bin");
++MODULE_FIRMWARE("amdgpu/polaris11_k_mc.bin");
++MODULE_FIRMWARE("amdgpu/polaris10_k_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris12_k_mc.bin");
+
+ static const u32 golden_settings_tonga_a11[] =
+@@ -220,22 +222,39 @@ static int gmc_v8_0_init_microcode(struc
+ chip_name = "tonga";
+ break;
+ case CHIP_POLARIS11:
+- chip_name = "polaris11";
++ if (((adev->pdev->device == 0x67ef) &&
++ ((adev->pdev->revision == 0xe0) ||
++ (adev->pdev->revision == 0xe5))) ||
++ ((adev->pdev->device == 0x67ff) &&
++ ((adev->pdev->revision == 0xcf) ||
++ (adev->pdev->revision == 0xef) ||
++ (adev->pdev->revision == 0xff))))
++ chip_name = "polaris11_k";
++ else if ((adev->pdev->device == 0x67ef) &&
++ (adev->pdev->revision == 0xe2))
++ chip_name = "polaris11_k";
++ else
++ chip_name = "polaris11";
+ break;
+ case CHIP_POLARIS10:
+- chip_name = "polaris10";
++ if ((adev->pdev->device == 0x67df) &&
++ ((adev->pdev->revision == 0xe1) ||
++ (adev->pdev->revision == 0xf7)))
++ chip_name = "polaris10_k";
++ else
++ chip_name = "polaris10";
+ break;
+ case CHIP_POLARIS12:
+- chip_name = "polaris12";
+ if (((adev->pdev->device == 0x6987) &&
+ ((adev->pdev->revision == 0xc0) ||
+ (adev->pdev->revision == 0xc3))) ||
+ ((adev->pdev->device == 0x6981) &&
+ ((adev->pdev->revision == 0x00) ||
+ (adev->pdev->revision == 0x01) ||
+- (adev->pdev->revision == 0x10)))) {
++ (adev->pdev->revision == 0x10))))
+ chip_name = "polaris12_k";
+- }
++ else
++ chip_name = "polaris12";
+ break;
+ case CHIP_FIJI:
+ case CHIP_CARRIZO:
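Review bot: The `else if` for device `0x67ef` revision `0xe2` selects the same `polaris11_k` image as the branch directly above it, so one condition has been split in half; folding `(adev->pdev->revision == 0xe2)` into the first `0x67ef` revision list removes the duplicate assignment and keeps the variant list in one place. The same shape now appears three times (polaris11/10/12); a small `{device, revision}` table per chip would be easier to extend, though that is beyond this fix. The `switch` begins and ends outside the hunk.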
--- /dev/null
+From d7fd67653f847327e545bdb198b901ee124afd7c Mon Sep 17 00:00:00 2001
+From: Junwei Zhang <Jerry.Zhang@amd.com>
+Date: Thu, 22 Nov 2018 17:53:00 +0800
+Subject: drm/amdgpu: update mc firmware image for polaris12 variants
+
+From: Junwei Zhang <Jerry.Zhang@amd.com>
+
+commit d7fd67653f847327e545bdb198b901ee124afd7c upstream.
+
+Some new variants require updated firmware.
+
+Signed-off-by: Junwei Zhang <Jerry.Zhang@amd.com>
+Reviewed-by: Evan Quan <evan.quan@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c
+@@ -52,6 +52,7 @@ MODULE_FIRMWARE("amdgpu/tonga_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris11_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris10_mc.bin");
+ MODULE_FIRMWARE("amdgpu/polaris12_mc.bin");
++MODULE_FIRMWARE("amdgpu/polaris12_k_mc.bin");
+
+ static const u32 golden_settings_tonga_a11[] =
+ {
+@@ -226,6 +227,15 @@ static int gmc_v8_0_init_microcode(struc
+ break;
+ case CHIP_POLARIS12:
+ chip_name = "polaris12";
++ if (((adev->pdev->device == 0x6987) &&
++ ((adev->pdev->revision == 0xc0) ||
++ (adev->pdev->revision == 0xc3))) ||
++ ((adev->pdev->device == 0x6981) &&
++ ((adev->pdev->revision == 0x00) ||
++ (adev->pdev->revision == 0x01) ||
++ (adev->pdev->revision == 0x10)))) {
++ chip_name = "polaris12_k";
++ }
+ break;
+ case CHIP_FIJI:
+ case CHIP_CARRIZO:
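Review bot: The `polaris12_k` override is written as an unconditional `chip_name = "polaris12";` followed by a braced single-statement `if`, which kernel style flags (no braces around a single statement) and which makes the reader compare two assignments to see which image wins; an `if`/`else` that assigns `chip_name` exactly once is clearer. The `switch` begins and ends outside the hunk.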
--- /dev/null
+From dada6a43b0402eba438a17ac86fdc64ac56a4607 Mon Sep 17 00:00:00 2001
+From: Macpaul Lin <macpaul@gmail.com>
+Date: Wed, 17 Oct 2018 23:08:38 +0800
+Subject: kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
+
+From: Macpaul Lin <macpaul@gmail.com>
+
+commit dada6a43b0402eba438a17ac86fdc64ac56a4607 upstream.
+
+This patch fixes a KE issue caused by
+"BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198"
+reported by a Syzkaller scan.
+
+[26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198
+[26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0
+[26364:syz-executor0]Call trace:
+[26364:syz-executor0][<ffffff9008095cf8>] dump_bacIctrace+Ox0/0x470
+[26364:syz-executor0][<ffffff9008096de0>] show_stack+0x20/0x30
+[26364:syz-executor0][<ffffff90089cc9c8>] dump_stack+Oxd8/0x128
+[26364:syz-executor0][<ffffff90084edb38>] print_address_description +0x80/0x4a8
+[26364:syz-executor0][<ffffff90084ee270>] kasan_report+Ox178/0x390
+[26364:syz-executor0][<ffffff90084ee4a0>] _asan_report_loadi_noabort+Ox18/0x20
+[26364:syz-executor0][<ffffff9008b092ac>] param_set_kgdboc_var+Ox194/0x198
+[26364:syz-executor0][<ffffff900813af64>] param_attr_store+Ox14c/0x270
+[26364:syz-executor0][<ffffff90081394c8>] module_attr_store+0x60/0x90
+[26364:syz-executor0][<ffffff90086690c0>] sysfs_kl_write+Ox100/0x158
+[26364:syz-executor0][<ffffff9008666d84>] kernfs_fop_write+0x27c/0x3a8
+[26364:syz-executor0][<ffffff9008508264>] do_loop_readv_writev+0x114/0x1b0
+[26364:syz-executor0][<ffffff9008509ac8>] do_readv_writev+0x4f8/0x5e0
+[26364:syz-executor0][<ffffff9008509ce4>] vfs_writev+0x7c/Oxb8
+[26364:syz-executor0][<ffffff900850ba64>] SyS_writev+Oxcc/0x208
+[26364:syz-executor0][<ffffff90080883f0>] elO_svc_naked +0x24/0x28
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0][name:report&]The buggy address belongs to the variable:
+[26364:syz-executor0][name:report&] kgdb_tty_line+Ox3f/0x40
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0][name:report&]Memory state around the buggy address:
+[26364:syz-executor0] ffffff900e44f800: 00 00 00 00 00 04 fa fa fa fa fa fa 00 fa fa fa
+[26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
+[26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
+[26364:syz-executor0][name:report&] ^
+[26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
+[26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
+[26364:syz-executor0][name:report&]
+[26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint
+[26364:syz-executor0]------------[cut here]------------
+
+After checking the source code, we've found there might be an out-of-bounds
+access to "config[len - 1]" array when the variable "len" is zero.
+
+Signed-off-by: Macpaul Lin <macpaul@gmail.com>
+Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/kgdboc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/kgdboc.c
++++ b/drivers/tty/serial/kgdboc.c
+@@ -232,7 +232,7 @@ static void kgdboc_put_char(u8 chr)
+
+ static int param_set_kgdboc_var(const char *kmessage, struct kernel_param *kp)
+ {
+- int len = strlen(kmessage);
++ size_t len = strlen(kmessage);
+
+ if (len >= MAX_CONFIG_LEN) {
+ printk(KERN_ERR "kgdboc: config string too long\n");
+@@ -254,7 +254,7 @@ static int param_set_kgdboc_var(const ch
+
+ strcpy(config, kmessage);
+ /* Chop out \n char as a result of echo */
+- if (config[len - 1] == '\n')
++ if (len && config[len - 1] == '\n')
+ config[len - 1] = '\0';
+
+ if (configured == 1)
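Review bot: The new `len &&` guard correctly prevents the `config[len - 1]` read for an empty string, but `strcpy(config, kmessage)` two lines above still takes its bound from the `len >= MAX_CONFIG_LEN` rejection in the earlier hunk, and `config` itself is declared outside this diff; `strscpy(config, kmessage, sizeof(config))` would keep the bound at the copy (assuming `config` is a fixed-size array rather than a pointer). The chop also strips only a single trailing `\n`, which matches the `echo` case the comment names, so that is fine as long as it is the intent.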
--- /dev/null
+From ae86cbfef3818300f1972e52f67a93211acb0e24 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Sat, 24 Nov 2018 10:47:04 -0800
+Subject: libnvdimm, pfn: Pad pfn namespaces relative to other regions
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit ae86cbfef3818300f1972e52f67a93211acb0e24 upstream.
+
+Commit cfe30b872058 "libnvdimm, pmem: adjust for section collisions with
+'System RAM'" enabled Linux to workaround occasions where platform
+firmware arranges for "System RAM" and "Persistent Memory" to collide
+within a single section boundary. Unfortunately, as reported in this
+issue [1], platform firmware can inflict the same collision between
+persistent memory regions.
+
+The approach of interrogating iomem_resource does not work in this
+case because platform firmware may merge multiple regions into a single
+iomem_resource range. Instead provide a method to interrogate regions
+that share the same parent bus.
+
+This is a stop-gap until the core-MM can grow support for hotplug on
+sub-section boundaries.
+
+[1]: https://github.com/pmem/ndctl/issues/76
+
+Fixes: cfe30b872058 ("libnvdimm, pmem: adjust for section collisions with...")
+Cc: <stable@vger.kernel.org>
+Reported-by: Patrick Geary <patrickg@supermicro.com>
+Tested-by: Patrick Geary <patrickg@supermicro.com>
+Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/nd-core.h | 2 +
+ drivers/nvdimm/pfn_devs.c | 64 ++++++++++++++++++++++++-------------------
+ drivers/nvdimm/region_devs.c | 41 +++++++++++++++++++++++++++
+ 3 files changed, 80 insertions(+), 27 deletions(-)
+
+--- a/drivers/nvdimm/nd-core.h
++++ b/drivers/nvdimm/nd-core.h
+@@ -105,6 +105,8 @@ resource_size_t nd_pmem_available_dpa(st
+ struct nd_mapping *nd_mapping, resource_size_t *overlap);
+ resource_size_t nd_blk_available_dpa(struct nd_region *nd_region);
+ resource_size_t nd_region_available_dpa(struct nd_region *nd_region);
++int nd_region_conflict(struct nd_region *nd_region, resource_size_t start,
++ resource_size_t size);
+ resource_size_t nvdimm_allocated_dpa(struct nvdimm_drvdata *ndd,
+ struct nd_label_id *label_id);
+ int alias_dpa_busy(struct device *dev, void *data);
+--- a/drivers/nvdimm/pfn_devs.c
++++ b/drivers/nvdimm/pfn_devs.c
+@@ -589,14 +589,47 @@ static u64 phys_pmem_align_down(struct n
+ ALIGN_DOWN(phys, nd_pfn->align));
+ }
+
++/*
++ * Check if pmem collides with 'System RAM', or other regions when
++ * section aligned. Trim it accordingly.
++ */
++static void trim_pfn_device(struct nd_pfn *nd_pfn, u32 *start_pad, u32 *end_trunc)
++{
++ struct nd_namespace_common *ndns = nd_pfn->ndns;
++ struct nd_namespace_io *nsio = to_nd_namespace_io(&ndns->dev);
++ struct nd_region *nd_region = to_nd_region(nd_pfn->dev.parent);
++ const resource_size_t start = nsio->res.start;
++ const resource_size_t end = start + resource_size(&nsio->res);
++ resource_size_t adjust, size;
++
++ *start_pad = 0;
++ *end_trunc = 0;
++
++ adjust = start - PHYS_SECTION_ALIGN_DOWN(start);
++ size = resource_size(&nsio->res) + adjust;
++ if (region_intersects(start - adjust, size, IORESOURCE_SYSTEM_RAM,
++ IORES_DESC_NONE) == REGION_MIXED
++ || nd_region_conflict(nd_region, start - adjust, size))
++ *start_pad = PHYS_SECTION_ALIGN_UP(start) - start;
++
++ /* Now check that end of the range does not collide. */
++ adjust = PHYS_SECTION_ALIGN_UP(end) - end;
++ size = resource_size(&nsio->res) + adjust;
++ if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM,
++ IORES_DESC_NONE) == REGION_MIXED
++ || !IS_ALIGNED(end, nd_pfn->align)
++ || nd_region_conflict(nd_region, start, size + adjust))
++ *end_trunc = end - phys_pmem_align_down(nd_pfn, end);
++}
++
+ static int nd_pfn_init(struct nd_pfn *nd_pfn)
+ {
+ u32 dax_label_reserve = is_nd_dax(&nd_pfn->dev) ? SZ_128K : 0;
+ struct nd_namespace_common *ndns = nd_pfn->ndns;
+- u32 start_pad = 0, end_trunc = 0;
++ struct nd_namespace_io *nsio = to_nd_namespace_io(&ndns->dev);
+ resource_size_t start, size;
+- struct nd_namespace_io *nsio;
+ struct nd_region *nd_region;
++ u32 start_pad, end_trunc;
+ struct nd_pfn_sb *pfn_sb;
+ unsigned long npfns;
+ phys_addr_t offset;
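Review bot: In `trim_pfn_device()`, `size` for the end check is already `resource_size(&nsio->res) + adjust`, so the `nd_region_conflict(nd_region, start, size + adjust)` call tests a range extending `adjust` bytes past the section-aligned end while the `region_intersects()` call on the line above uses plain `size`; the two checks should cover the same range, i.e. `nd_region_conflict(nd_region, start, size)`. If the extra slack is intentional, a comment is needed saying why the region check is wider than the System RAM check, because as written it can truncate a namespace that does not actually collide.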
+@@ -628,30 +661,7 @@ static int nd_pfn_init(struct nd_pfn *nd
+
+ memset(pfn_sb, 0, sizeof(*pfn_sb));
+
+- /*
+- * Check if pmem collides with 'System RAM' when section aligned and
+- * trim it accordingly
+- */
+- nsio = to_nd_namespace_io(&ndns->dev);
+- start = PHYS_SECTION_ALIGN_DOWN(nsio->res.start);
+- size = resource_size(&nsio->res);
+- if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM,
+- IORES_DESC_NONE) == REGION_MIXED) {
+- start = nsio->res.start;
+- start_pad = PHYS_SECTION_ALIGN_UP(start) - start;
+- }
+-
+- start = nsio->res.start;
+- size = PHYS_SECTION_ALIGN_UP(start + size) - start;
+- if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM,
+- IORES_DESC_NONE) == REGION_MIXED
+- || !IS_ALIGNED(start + resource_size(&nsio->res),
+- nd_pfn->align)) {
+- size = resource_size(&nsio->res);
+- end_trunc = start + size - phys_pmem_align_down(nd_pfn,
+- start + size);
+- }
+-
++ trim_pfn_device(nd_pfn, &start_pad, &end_trunc);
+ if (start_pad + end_trunc)
+ dev_info(&nd_pfn->dev, "%s alignment collision, truncate %d bytes\n",
+ dev_name(&ndns->dev), start_pad + end_trunc);
+@@ -662,7 +672,7 @@ static int nd_pfn_init(struct nd_pfn *nd
+ * implementation will limit the pfns advertised through
+ * ->direct_access() to those that are included in the memmap.
+ */
+- start += start_pad;
++ start = nsio->res.start + start_pad;
+ size = resource_size(&nsio->res);
+ npfns = PFN_SECTION_ALIGN_UP((size - start_pad - end_trunc - SZ_8K)
+ / PAGE_SIZE);
+--- a/drivers/nvdimm/region_devs.c
++++ b/drivers/nvdimm/region_devs.c
+@@ -1112,6 +1112,47 @@ int nvdimm_has_cache(struct nd_region *n
+ }
+ EXPORT_SYMBOL_GPL(nvdimm_has_cache);
+
++struct conflict_context {
++ struct nd_region *nd_region;
++ resource_size_t start, size;
++};
++
++static int region_conflict(struct device *dev, void *data)
++{
++ struct nd_region *nd_region;
++ struct conflict_context *ctx = data;
++ resource_size_t res_end, region_end, region_start;
++
++ if (!is_memory(dev))
++ return 0;
++
++ nd_region = to_nd_region(dev);
++ if (nd_region == ctx->nd_region)
++ return 0;
++
++ res_end = ctx->start + ctx->size;
++ region_start = nd_region->ndr_start;
++ region_end = region_start + nd_region->ndr_size;
++ if (ctx->start >= region_start && ctx->start < region_end)
++ return -EBUSY;
++ if (res_end > region_start && res_end <= region_end)
++ return -EBUSY;
++ return 0;
++}
++
++int nd_region_conflict(struct nd_region *nd_region, resource_size_t start,
++ resource_size_t size)
++{
++ struct nvdimm_bus *nvdimm_bus = walk_to_nvdimm_bus(&nd_region->dev);
++ struct conflict_context ctx = {
++ .nd_region = nd_region,
++ .start = start,
++ .size = size,
++ };
++
++ return device_for_each_child(&nvdimm_bus->dev, &ctx, region_conflict);
++}
++
+ void __exit nd_region_devs_exit(void)
+ {
+ ida_destroy(®ion_ida);
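Review bot: `region_conflict()` reports overlap only when the candidate range's start or end falls inside another region, so a candidate that entirely encloses a region (`ctx->start < region_start && res_end > region_end`) is missed; the standard interval test `if (ctx->start < region_end && res_end > region_start) return -EBUSY;` covers all cases and can replace both `if`s. Also worth a comment on `nd_region_conflict()` that a non-zero return means conflict, since `trim_pfn_device()` uses the result directly as a boolean.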
--- /dev/null
+From 5c21e8100dfd57c806e833ae905e26efbb87840f Mon Sep 17 00:00:00 2001
+From: Ben Greear <greearb@candelatech.com>
+Date: Tue, 23 Oct 2018 13:36:52 -0700
+Subject: mac80211: Clear beacon_int in ieee80211_do_stop
+
+From: Ben Greear <greearb@candelatech.com>
+
+commit 5c21e8100dfd57c806e833ae905e26efbb87840f upstream.
+
+This fixes stale beacon-int values that would keep a netdev
+from going up.
+
+To reproduce:
+
+Create two VAP on one radio.
+vap1 has beacon-int 100, start it.
+vap2 has beacon-int 240, start it (and it will fail
+ because beacon-int mismatch).
+reconfigure vap2 to have beacon-int 100 and start it.
+ It will fail because the stale beacon-int 240 will be used
+ in the ifup path and hostapd never gets a chance to set the
+ new beacon interval.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ben Greear <greearb@candelatech.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/iface.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1032,6 +1032,8 @@ static void ieee80211_do_stop(struct iee
+ if (local->open_count == 0)
+ ieee80211_clear_tx_pending(local);
+
++ sdata->vif.bss_conf.beacon_int = 0;
++
+ /*
+ * If the interface goes down while suspended, presumably because
+ * the device was unplugged and that happens before our resume,
--- /dev/null
+From 9ec1190d065998650fd9260dea8cf3e1f56c0e8c Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Wed, 28 Nov 2018 22:39:16 +0100
+Subject: mac80211: fix reordering of buffered broadcast packets
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 9ec1190d065998650fd9260dea8cf3e1f56c0e8c upstream.
+
+If the buffered broadcast queue contains packets, letting new packets bypass
+that queue can lead to heavy reordering, since the driver is probably throttling
+transmission of buffered multicast packets after beacons.
+
+Keep buffering packets until the buffer has been cleared (and no client
+is in powersave mode).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/tx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -435,8 +435,8 @@ ieee80211_tx_h_multicast_ps_buf(struct i
+ if (ieee80211_hw_check(&tx->local->hw, QUEUE_CONTROL))
+ info->hw_queue = tx->sdata->vif.cab_queue;
+
+- /* no stations in PS mode */
+- if (!atomic_read(&ps->num_sta_ps))
++ /* no stations in PS mode and no buffered packets */
++ if (!atomic_read(&ps->num_sta_ps) && skb_queue_empty(&ps->bc_buf))
+ return TX_CONTINUE;
+
+ info->flags |= IEEE80211_TX_CTL_SEND_AFTER_DTIM;
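Review bot: `skb_queue_empty(&ps->bc_buf)` in the new condition reads the queue without its lock while the queue is drained elsewhere under it, so the check is a lock-free hint that can observe a stale state; that is acceptable for an ordering heuristic, but the comment should say so, e.g. `/* no stations in PS mode and no buffered packets (lockless peek; a stale read only affects ordering) */`. The function starts before and continues after the hunk.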
--- /dev/null
+From 990d71846a0b7281bd933c34d734e6afc7408e7e Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 3 Dec 2018 21:16:07 +0200
+Subject: mac80211: ignore NullFunc frames in the duplicate detection
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 990d71846a0b7281bd933c34d734e6afc7408e7e upstream.
+
+NullFunc packets should never be duplicate just like
+QoS-NullFunc packets.
+
+We saw a client that enters / exits power save with
+NullFunc frames (and not with QoS-NullFunc) despite the
+fact that the association supports HT.
+This specific client also re-uses a non-zero sequence number
+for different NullFunc frames.
+At some point, the client had to send a retransmission of
+the NullFunc frame and we dropped it, leading to a
+misalignment in the power save state.
+Fix this by never considering a NullFunc frame a duplicate,
+just like we do for QoS NullFunc frames.
+
+This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201449
+
+CC: <stable@vger.kernel.org>
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1254,6 +1254,7 @@ ieee80211_rx_h_check_dup(struct ieee8021
+ return RX_CONTINUE;
+
+ if (ieee80211_is_ctl(hdr->frame_control) ||
++ ieee80211_is_nullfunc(hdr->frame_control) ||
+ ieee80211_is_qos_nullfunc(hdr->frame_control) ||
+ is_multicast_ether_addr(hdr->addr1))
+ return RX_CONTINUE;
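Review bot: The added `ieee80211_is_nullfunc(hdr->frame_control)` line exempts NullFunc frames from duplicate detection, but the reasoning lives only in the commit message, so the next reader sees an unexplained exception. Suggest a comment above the condition: `/* (QoS-)NullFunc frames carry only the PM bit and some clients reuse their sequence numbers, so a retransmission must never be dropped as a duplicate */`. ieee80211_rx_h_check_dup starts and ends outside the hunk.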
--- /dev/null
+From a317e65face482371de30246b6494feb093ff7f9 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Tue, 13 Nov 2018 20:32:13 +0100
+Subject: mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit a317e65face482371de30246b6494feb093ff7f9 upstream.
+
+Make it behave like regular ieee80211_tx_status calls, except for the lack of
+filtered frame processing.
+This fixes spurious low-ack triggered disconnections with powersave clients
+connected to an AP.
+
+Fixes: f027c2aca0cf4 ("mac80211: add ieee80211_tx_status_noskb")
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/status.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -953,6 +953,8 @@ void ieee80211_tx_status_ext(struct ieee
+ /* Track when last TDLS packet was ACKed */
+ if (test_sta_flag(sta, WLAN_STA_TDLS_PEER_AUTH))
+ sta->status_stats.last_tdls_pkt_time = jiffies;
++ } else if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
++ return;
+ } else {
+ ieee80211_lost_packet(sta, info);
+ }
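Review bot: The new `return` in the `else if (test_sta_flag(sta, WLAN_STA_PS_STA))` branch leaves ieee80211_tx_status_ext early, so whatever the function does after this if/else chain is skipped for an unacked frame to a sleeping station; the function continues past the hunk, so I cannot see whether that later code (presumably rate-control and counter updates) is meant to run in that case. If the early exit is deliberate, say so at the return: `/* STA is asleep: treat the failure as PS-related, not link loss, and skip the lost-packet accounting as the skb path does */`. The enclosing function starts and ends outside the hunk.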
--- /dev/null
+From a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 Mon Sep 17 00:00:00 2001
+From: Vasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>
+Date: Thu, 18 Oct 2018 01:02:12 +0300
+Subject: mac80211_hwsim: Timer should be initialized before device registered
+
+From: Vasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>
+
+commit a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 upstream.
+
+Otherwise if network manager starts configuring Wi-Fi interface
+immediately after getting notification of its creation, we will get
+NULL pointer dereference:
+
+ BUG: unable to handle kernel NULL pointer dereference at (null)
+ IP: [<ffffffff95ae94c8>] hrtimer_active+0x28/0x50
+ ...
+ Call Trace:
+ [<ffffffff95ae9997>] ? hrtimer_try_to_cancel+0x27/0x110
+ [<ffffffff95ae9a95>] ? hrtimer_cancel+0x15/0x20
+ [<ffffffffc0803bf0>] ? mac80211_hwsim_config+0x140/0x1c0 [mac80211_hwsim]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Vasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mac80211_hwsim.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -2698,6 +2698,10 @@ static int mac80211_hwsim_new_radio(stru
+
+ wiphy_ext_feature_set(hw->wiphy, NL80211_EXT_FEATURE_CQM_RSSI_LIST);
+
++ tasklet_hrtimer_init(&data->beacon_timer,
++ mac80211_hwsim_beacon,
++ CLOCK_MONOTONIC, HRTIMER_MODE_ABS);
++
+ err = ieee80211_register_hw(hw);
+ if (err < 0) {
+ printk(KERN_DEBUG "mac80211_hwsim: ieee80211_register_hw failed (%d)\n",
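Review bot: Moving `tasklet_hrtimer_init()` ahead of `ieee80211_register_hw()` fixes the ordering, but the code does not record why it must stay there, so a future reordering could reintroduce the NULL dereference from the commit message. Suggest above the init: `/* must precede ieee80211_register_hw(): mac80211 may call ->config(), which cancels beacon_timer, as soon as the hw is registered */`. The failure path after `ieee80211_register_hw` jumps to a label outside the hunk and needs no timer cancel as long as nothing between the init and the failure arms the timer, which I cannot confirm from here. mac80211_hwsim_new_radio starts and ends outside the hunk.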
+@@ -2722,10 +2726,6 @@ static int mac80211_hwsim_new_radio(stru
+ data->debugfs,
+ data, &hwsim_simulate_radar);
+
+- tasklet_hrtimer_init(&data->beacon_timer,
+- mac80211_hwsim_beacon,
+- CLOCK_MONOTONIC, HRTIMER_MODE_ABS);
+-
+ spin_lock_bh(&hwsim_radio_lock);
+ list_add_tail(&data->list, &hwsim_radios);
+ spin_unlock_bh(&hwsim_radio_lock);
--- /dev/null
+From 87e4a5405f087427fbf8b437d2796283dce2b38f Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Tue, 27 Nov 2018 09:12:20 +0000
+Subject: Revert commit ef9209b642f "staging: rtl8723bs: Fix indenting errors and an off-by-one mistake in core/rtw_mlme_ext.c"
+
+From: Young Xiao <YangX92@hotmail.com>
+
+commit 87e4a5405f087427fbf8b437d2796283dce2b38f upstream.
+
+pstapriv->max_num_sta is always <= NUM_STA, since max_num_sta is either
+set in _rtw_init_sta_priv() or rtw_set_beacon().
+
+Fixes: ef9209b642f1 ("staging: rtl8723bs: Fix indenting errors and an off-by-one mistake in core/rtw_mlme_ext.c")
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
++++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+@@ -1574,7 +1574,7 @@ unsigned int OnAssocReq(struct adapter *
+ if (pstat->aid > 0) {
+ DBG_871X(" old AID %d\n", pstat->aid);
+ } else {
+- for (pstat->aid = 1; pstat->aid < NUM_STA; pstat->aid++)
++ for (pstat->aid = 1; pstat->aid <= NUM_STA; pstat->aid++)
+ if (pstapriv->sta_aid[pstat->aid - 1] == NULL)
+ break;
+
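Review bot: The restored `pstat->aid <= NUM_STA` bound relies on `pstapriv->sta_aid` having exactly NUM_STA entries and on the check after the loop (outside the hunk) rejecting `pstat->aid == NUM_STA + 1` when every slot is taken; neither is visible here, which is exactly why the bound was "fixed" once already. If sta_aid is a fixed-size array, tie the bound to it so the revert is self-documenting: `for (pstat->aid = 1; pstat->aid <= ARRAY_SIZE(pstapriv->sta_aid); pstat->aid++)`, with `/* aid is 1-based; sta_aid[] is indexed by aid - 1 and the caller rejects aid > max_num_sta */` above the loop. OnAssocReq starts and ends outside the hunk.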
swiotlb-clean-up-reporting.patch
staging-lustre-remove-two-build-warnings.patch
staging-atomisp-remove-fun-strncpy-warning.patch
+cifs-fix-separator-when-building-path-from-dentry.patch
+staging-rtl8712-fix-possible-buffer-overrun.patch
+revert-commit-ef9209b642f-staging-rtl8723bs-fix-indenting-errors-and-an-off-by-one-mistake-in-core-rtw_mlme_ext.c.patch
+drm-amdgpu-update-mc-firmware-image-for-polaris12-variants.patch
+drm-amdgpu-gmc8-update-mc-firmware-for-polaris.patch
+drivers-hv-vmbus-offload-the-handling-of-channels-to-two-workqueues.patch
+tty-serial-8250_mtk-always-resume-the-device-in-probe.patch
+tty-do-not-set-tty_io_error-flag-if-console-port.patch
+kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch
+libnvdimm-pfn-pad-pfn-namespaces-relative-to-other-regions.patch
+mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch
+mac80211-clear-beacon_int-in-ieee80211_do_stop.patch
+mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch
+mac80211-fix-reordering-of-buffered-broadcast-packets.patch
+mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch
--- /dev/null
+From 300cd664865bed5d50ae0a42fb4e3a6f415e8a10 Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Wed, 28 Nov 2018 08:06:53 +0000
+Subject: staging: rtl8712: Fix possible buffer overrun
+
+From: Young Xiao <YangX92@hotmail.com>
+
+commit 300cd664865bed5d50ae0a42fb4e3a6f415e8a10 upstream.
+
+In commit 8b7a13c3f404 ("staging: r8712u: Fix possible buffer
+overrun") we fix a potential off by one by making the limit smaller.
+The better fix is to make the buffer larger. This makes it match up
+with the similar code in other drivers.
+
+Fixes: 8b7a13c3f404 ("staging: r8712u: Fix possible buffer overrun")
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8712/mlme_linux.c | 2 +-
+ drivers/staging/rtl8712/rtl871x_mlme.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/rtl8712/mlme_linux.c
++++ b/drivers/staging/rtl8712/mlme_linux.c
+@@ -158,7 +158,7 @@ void r8712_report_sec_ie(struct _adapter
+ p = buff;
+ p += sprintf(p, "ASSOCINFO(ReqIEs=");
+ len = sec_ie[1] + 2;
+- len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX - 1;
++ len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX;
+ for (i = 0; i < len; i++)
+ p += sprintf(p, "%02x", sec_ie[i]);
+ p += sprintf(p, ")");
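Review bot: Capping `len` at IW_CUSTOM_MAX bounds how many bytes of `sec_ie` are read, but not how many are written: each byte becomes two hex digits after a 17-character prefix, so if `buff` is IW_CUSTOM_MAX bytes (its allocation is outside the hunk) the `sprintf` loop overruns it once `len` exceeds about 118, and `len` comes from `sec_ie[1]`, an IE length byte from an over-the-air frame. If the loop index `i` is narrower than `len` (e.g. a u8), `len == IW_CUSTOM_MAX` also makes `i < len` always true. Cap on the remaining output space instead, which also keeps `len` small enough for a narrow index; r8712_report_sec_ie starts and ends outside the hunk.
```c
	p = buff;
	p += sprintf(p, "ASSOCINFO(ReqIEs=");
	len = sec_ie[1] + 2;
	/* each IE byte becomes two hex digits: bound by output space, leaving room for ")" and NUL */
	len = min_t(uint, len, (IW_CUSTOM_MAX - (p - buff) - 2) / 2);
	for (i = 0; i < len; i++)
		p += sprintf(p, "%02x", sec_ie[i]);
	p += sprintf(p, ")");
```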
+--- a/drivers/staging/rtl8712/rtl871x_mlme.c
++++ b/drivers/staging/rtl8712/rtl871x_mlme.c
+@@ -1361,7 +1361,7 @@ sint r8712_restruct_sec_ie(struct _adapt
+ u8 *out_ie, uint in_len)
+ {
+ u8 authmode = 0, match;
+- u8 sec_ie[255], uncst_oui[4], bkup_ie[255];
++ u8 sec_ie[IW_CUSTOM_MAX], uncst_oui[4], bkup_ie[255];
+ u8 wpa_oui[4] = {0x0, 0x50, 0xf2, 0x01};
+ uint ielength, cnt, remove_cnt;
+ int iEntry;
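Review bot: `sec_ie` is now IW_CUSTOM_MAX bytes while `bkup_ie` beside it stays at 255, and nothing records that the new size exists to satisfy the reader in r8712_report_sec_ie() (which consumes up to IW_CUSTOM_MAX bytes of it); the next person to touch the declaration will not know which consumer set the bound. Suggest `/* sec_ie must hold IW_CUSTOM_MAX bytes: r8712_report_sec_ie() reads up to that many */` above the declaration, and if bkup_ie is a copy of the same IE it should share the named size rather than a magic 255. r8712_restruct_sec_ie's body continues outside the hunk.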
--- /dev/null
+From 2a48602615e0a2f563549c7d5c8d507f904cf96e Mon Sep 17 00:00:00 2001
+From: Chanho Park <parkch98@gmail.com>
+Date: Thu, 22 Nov 2018 18:23:47 +0900
+Subject: tty: do not set TTY_IO_ERROR flag if console port
+
+From: Chanho Park <parkch98@gmail.com>
+
+commit 2a48602615e0a2f563549c7d5c8d507f904cf96e upstream.
+
+Since Commit 761ed4a94582 ('tty: serial_core: convert uart_close to use
+tty_port_close') and Commit 4dda864d7307 ('tty: serial_core: Fix serial
+console crash on port shutdown), a serial port which is used as
+console can get stuck when logging out if a background process remains.
+After logged out, agetty will try to grab the serial port but it will
+be failed because the previous process did not release the port
+correctly. To fix this, TTY_IO_ERROR bit should not be enabled of
+tty_port_close if the port is console port.
+
+Reproduce step:
+- Run background processes from serial console
+$ while true; do sleep 10; done &
+
+- Log out
+$ logout
+-> Stuck
+
+- Read journal log by journalctl | tail
+Jan 28 16:07:01 ubuntu systemd[1]: Stopped Serial Getty on ttyAMA0.
+Jan 28 16:07:01 ubuntu systemd[1]: Started Serial Getty on ttyAMA0.
+Jan 28 16:07:02 ubuntu agetty[1643]: /dev/ttyAMA0: not a tty
+
+Fixes: 761ed4a94582 ("tty: serial_core: convert uart_close to use tty_port_close")
+Cc: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: Rob Herring <robh@kernel.org>
+Cc: Jiri Slaby <jslaby@suse.com>
+Signed-off-by: Chanho Park <parkch98@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/tty_port.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/tty_port.c
++++ b/drivers/tty/tty_port.c
+@@ -639,7 +639,8 @@ void tty_port_close(struct tty_port *por
+ if (tty_port_close_start(port, tty, filp) == 0)
+ return;
+ tty_port_shutdown(port, tty);
+- set_bit(TTY_IO_ERROR, &tty->flags);
++ if (!port->console)
++ set_bit(TTY_IO_ERROR, &tty->flags);
+ tty_port_close_end(port, tty);
+ tty_port_tty_set(port, NULL);
+ }
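Review bot: The new `if (!port->console)` guard silently changes tty_port_close's contract for console ports — a file descriptor a background process still holds now keeps working against a port that `tty_port_shutdown()` has already torn down on the previous line — and no comment explains the exception. Suggest `/* console ports are never poisoned with TTY_IO_ERROR: lingering holders keep working and the next getty must still be able to open the port */` above the guard. Whether later I/O on the shut-down console port is safe depends on the driver's shutdown behaviour, which is not visible here. tty_port_close starts outside the hunk.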
--- /dev/null
+From 100bc3e2bebf95506da57cbdf5f26b25f6da4c81 Mon Sep 17 00:00:00 2001
+From: Peter Shih <pihsun@chromium.org>
+Date: Tue, 27 Nov 2018 12:49:50 +0800
+Subject: tty: serial: 8250_mtk: always resume the device in probe.
+
+From: Peter Shih <pihsun@chromium.org>
+
+commit 100bc3e2bebf95506da57cbdf5f26b25f6da4c81 upstream.
+
+serial8250_register_8250_port calls uart_config_port, which calls
+config_port on the port before it tries to power on the port. So we need
+the port to be on before calling serial8250_register_8250_port. Change
+the code to always do a runtime resume in probe before registering port,
+and always do a runtime suspend in remove.
+
+This basically reverts the change in commit 68e5fc4a255a ("tty: serial:
+8250_mtk: use pm_runtime callbacks for enabling"), but still use
+pm_runtime callbacks.
+
+Fixes: 68e5fc4a255a ("tty: serial: 8250_mtk: use pm_runtime callbacks for enabling")
+Signed-off-by: Peter Shih <pihsun@chromium.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_mtk.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_mtk.c
++++ b/drivers/tty/serial/8250/8250_mtk.c
+@@ -222,17 +222,17 @@ static int mtk8250_probe(struct platform
+
+ platform_set_drvdata(pdev, data);
+
+- pm_runtime_enable(&pdev->dev);
+- if (!pm_runtime_enabled(&pdev->dev)) {
+- err = mtk8250_runtime_resume(&pdev->dev);
+- if (err)
+- return err;
+- }
++ err = mtk8250_runtime_resume(&pdev->dev);
++ if (err)
++ return err;
+
+ data->line = serial8250_register_8250_port(&uart);
+ if (data->line < 0)
+ return data->line;
+
++ pm_runtime_set_active(&pdev->dev);
++ pm_runtime_enable(&pdev->dev);
++
+ return 0;
+ }
+
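Review bot: After the unconditional `mtk8250_runtime_resume()` the failure path of `serial8250_register_8250_port()` returns `data->line` without undoing the resume, so whatever runtime_resume enabled (presumably clocks) stays on for a device that was never registered; the old code had the same gap only when runtime PM was disabled. Suggest `if (data->line < 0) { mtk8250_runtime_suspend(&pdev->dev); return data->line; }`. The `pm_runtime_set_active()` before `pm_runtime_enable()` is the right order for a device already powered up. mtk8250_probe starts outside the hunk.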
+@@ -243,13 +243,11 @@ static int mtk8250_remove(struct platfor
+ pm_runtime_get_sync(&pdev->dev);
+
+ serial8250_unregister_port(data->line);
++ mtk8250_runtime_suspend(&pdev->dev);
+
+ pm_runtime_disable(&pdev->dev);
+ pm_runtime_put_noidle(&pdev->dev);
+
+- if (!pm_runtime_status_suspended(&pdev->dev))
+- mtk8250_runtime_suspend(&pdev->dev);
+-
+ return 0;
+ }
+