--- /dev/null
+From d6b340d7cb33c816ef4abe8143764ec5ab14a5cc Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 26 Jul 2018 14:58:03 +0200
+Subject: ALSA: trident: Suppress gcc string warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d6b340d7cb33c816ef4abe8143764ec5ab14a5cc upstream.
+
+The meddlesome gcc warns about the possible shortname string in
+trident driver code:
+ sound/pci/trident/trident.c: In function ‘snd_trident_probe’:
+ sound/pci/trident/trident.c:126:2: warning: ‘strcat’ accessing 17 or more bytes at offsets 36 and 20 may overlap 1 byte at offset 36 [-Wrestrict]
+ strcat(card->shortname, card->driver);
+
+It happens since gcc calculates the possible string size from
+card->driver, but this can't be true since we did set the string just
+before that, and they are much shorter.
+
+For shutting it up, use the exactly same string set to card->driver
+for strcat() to card->shortname, too.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/trident/trident.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/trident/trident.c
++++ b/sound/pci/trident/trident.c
+@@ -123,7 +123,7 @@ static int snd_trident_probe(struct pci_
+ } else {
+ strcpy(card->shortname, "Trident ");
+ }
+- strcat(card->shortname, card->driver);
++ strcat(card->shortname, str);
+ sprintf(card->longname, "%s PCI Audio at 0x%lx, irq %d",
+ card->shortname, trident->port, trident->irq);
+
--- /dev/null
+From dc25ab067645eabd037f1a23d49a666f9e0b8c68 Mon Sep 17 00:00:00 2001
+From: Sam Bobroff <sbobroff@linux.ibm.com>
+Date: Mon, 5 Nov 2018 16:57:47 +1100
+Subject: drm/ast: Fix incorrect free on ioregs
+
+From: Sam Bobroff <sbobroff@linux.ibm.com>
+
+commit dc25ab067645eabd037f1a23d49a666f9e0b8c68 upstream.
+
+If the platform has no IO space, ioregs is placed next to the already
+allocated regs. In this case, it should not be separately freed.
+
+This prevents a kernel warning from __vunmap "Trying to vfree()
+nonexistent vm area" when unloading the driver.
+
+Fixes: 0dd68309b9c5 ("drm/ast: Try to use MMIO registers when PIO isn't supported")
+
+Signed-off-by: Sam Bobroff <sbobroff@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ast/ast_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ast/ast_main.c
++++ b/drivers/gpu/drm/ast/ast_main.c
+@@ -556,7 +556,8 @@ int ast_driver_unload(struct drm_device
+ drm_mode_config_cleanup(dev);
+
+ ast_mm_fini(ast);
+- pci_iounmap(dev->pdev, ast->ioregs);
++ if (ast->ioregs != ast->regs + AST_IO_MM_OFFSET)
++ pci_iounmap(dev->pdev, ast->ioregs);
+ pci_iounmap(dev->pdev, ast->regs);
+ kfree(ast);
+ return 0;
--- /dev/null
+From 23a336b34258aba3b50ea6863cca4e81b5ef6384 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <sergio@correia.cc>
+Date: Thu, 22 Nov 2018 02:33:29 -0300
+Subject: drm: set is_master to 0 upon drm_new_set_master() failure
+
+From: Sergio Correia <sergio@correia.cc>
+
+commit 23a336b34258aba3b50ea6863cca4e81b5ef6384 upstream.
+
+When drm_new_set_master() fails, set is_master to 0, to prevent a
+possible NULL pointer deref.
+
+Here is a problematic flow: we check is_master in drm_is_current_master(),
+then proceed to call drm_lease_owner() passing master. If we do not restore
+is_master status when drm_new_set_master() fails, we may have a situation
+in which is_master will be 1 and master itself, NULL, leading to the deref
+of a NULL pointer in drm_lease_owner().
+
+This fixes the following OOPS, observed on an ArchLinux running a 4.19.2
+kernel:
+
+[ 97.804282] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
+[ 97.807224] PGD 0 P4D 0
+[ 97.807224] Oops: 0000 [#1] PREEMPT SMP NOPTI
+[ 97.807224] CPU: 0 PID: 1348 Comm: xfwm4 Tainted: P OE 4.19.2-arch1-1-ARCH #1
+[ 97.807224] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./AB350 Pro4, BIOS P5.10 10/16/2018
+[ 97.807224] RIP: 0010:drm_lease_owner+0xd/0x20 [drm]
+[ 97.807224] Code: 83 c4 18 5b 5d c3 b8 ea ff ff ff eb e2 b8 ed ff ff ff eb db e8 b4 ca 68 fb 0f 1f 40 00 0f 1f 44 00 00 48 89 f8 eb 03 48 89 d0 <48> 8b 90 80 00 00 00 48 85 d2 75 f1 c3 66 0f 1f 44 00 00 0f 1f 44
+[ 97.807224] RSP: 0018:ffffb8cf08e07bb0 EFLAGS: 00010202
+[ 97.807224] RAX: 0000000000000000 RBX: ffff9cf0f2586c00 RCX: ffff9cf0f2586c88
+[ 97.807224] RDX: ffff9cf0ddbd8000 RSI: 0000000000000000 RDI: 0000000000000000
+[ 97.807224] RBP: ffff9cf1040e9800 R08: 0000000000000000 R09: 0000000000000000
+[ 97.807224] R10: ffffdeb30fd5d680 R11: ffffdeb30f5d6808 R12: ffff9cf1040e9888
+[ 97.807224] R13: 0000000000000000 R14: dead000000000200 R15: ffff9cf0f2586cc8
+[ 97.807224] FS: 00007f4145513180(0000) GS:ffff9cf10ea00000(0000) knlGS:0000000000000000
+[ 97.807224] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 97.807224] CR2: 0000000000000080 CR3: 00000003d7548000 CR4: 00000000003406f0
+[ 97.807224] Call Trace:
+[ 97.807224] drm_is_current_master+0x1a/0x30 [drm]
+[ 97.807224] drm_master_release+0x3e/0x130 [drm]
+[ 97.807224] drm_file_free.part.0+0x2be/0x2d0 [drm]
+[ 97.807224] drm_open+0x1ba/0x1e0 [drm]
+[ 97.807224] drm_stub_open+0xaf/0xe0 [drm]
+[ 97.807224] chrdev_open+0xa3/0x1b0
+[ 97.807224] ? cdev_put.part.0+0x20/0x20
+[ 97.807224] do_dentry_open+0x132/0x340
+[ 97.807224] path_openat+0x2d1/0x14e0
+[ 97.807224] ? mem_cgroup_commit_charge+0x7a/0x520
+[ 97.807224] do_filp_open+0x93/0x100
+[ 97.807224] ? __check_object_size+0x102/0x189
+[ 97.807224] ? _raw_spin_unlock+0x16/0x30
+[ 97.807224] do_sys_open+0x186/0x210
+[ 97.807224] do_syscall_64+0x5b/0x170
+[ 97.807224] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 97.807224] RIP: 0033:0x7f4147b07976
+[ 97.807224] Code: 89 54 24 08 e8 7b f4 ff ff 8b 74 24 0c 48 8b 3c 24 41 89 c0 44 8b 54 24 08 b8 01 01 00 00 89 f2 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 77 30 44 89 c7 89 44 24 08 e8 a6 f4 ff ff 8b 44
+[ 97.807224] RSP: 002b:00007ffcced96ca0 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
+[ 97.807224] RAX: ffffffffffffffda RBX: 00005619d5037f80 RCX: 00007f4147b07976
+[ 97.807224] RDX: 0000000000000002 RSI: 00005619d46b969c RDI: 00000000ffffff9c
+[ 98.040039] RBP: 0000000000000024 R08: 0000000000000000 R09: 0000000000000000
+[ 98.040039] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000024
+[ 98.040039] R13: 0000000000000012 R14: 00005619d5035950 R15: 0000000000000012
+[ 98.040039] Modules linked in: nct6775 hwmon_vid algif_skcipher af_alg nls_iso8859_1 nls_cp437 vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common arc4 videodev media snd_usb_audio snd_hda_codec_hdmi snd_usbmidi_lib snd_rawmidi snd_seq_device mousedev input_leds iwlmvm mac80211 snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec edac_mce_amd kvm_amd snd_hda_core kvm iwlwifi snd_hwdep r8169 wmi_bmof cfg80211 snd_pcm irqbypass snd_timer snd libphy soundcore pinctrl_amd rfkill pcspkr sp5100_tco evdev gpio_amdpt k10temp mac_hid i2c_piix4 wmi pcc_cpufreq acpi_cpufreq vboxnetflt(OE) vboxnetadp(OE) vboxpci(OE) vboxdrv(OE) msr sg crypto_user ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 fscrypto uas usb_storage dm_crypt hid_generic usbhid hid
+[ 98.040039] dm_mod raid1 md_mod sd_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc ahci libahci aesni_intel aes_x86_64 libata crypto_simd cryptd glue_helper ccp xhci_pci rng_core scsi_mod xhci_hcd nvidia_drm(POE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm agpgart nvidia_uvm(POE) nvidia_modeset(POE) nvidia(POE) ipmi_devintf ipmi_msghandler
+[ 98.040039] CR2: 0000000000000080
+[ 98.040039] ---[ end trace 3b65093b6fe62b2f ]---
+[ 98.040039] RIP: 0010:drm_lease_owner+0xd/0x20 [drm]
+[ 98.040039] Code: 83 c4 18 5b 5d c3 b8 ea ff ff ff eb e2 b8 ed ff ff ff eb db e8 b4 ca 68 fb 0f 1f 40 00 0f 1f 44 00 00 48 89 f8 eb 03 48 89 d0 <48> 8b 90 80 00 00 00 48 85 d2 75 f1 c3 66 0f 1f 44 00 00 0f 1f 44
+[ 98.040039] RSP: 0018:ffffb8cf08e07bb0 EFLAGS: 00010202
+[ 98.040039] RAX: 0000000000000000 RBX: ffff9cf0f2586c00 RCX: ffff9cf0f2586c88
+[ 98.040039] RDX: ffff9cf0ddbd8000 RSI: 0000000000000000 RDI: 0000000000000000
+[ 98.040039] RBP: ffff9cf1040e9800 R08: 0000000000000000 R09: 0000000000000000
+[ 98.040039] R10: ffffdeb30fd5d680 R11: ffffdeb30f5d6808 R12: ffff9cf1040e9888
+[ 98.040039] R13: 0000000000000000 R14: dead000000000200 R15: ffff9cf0f2586cc8
+[ 98.040039] FS: 00007f4145513180(0000) GS:ffff9cf10ea00000(0000) knlGS:0000000000000000
+[ 98.040039] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 98.040039] CR2: 0000000000000080 CR3: 00000003d7548000 CR4: 00000000003406f0
+
+Signed-off-by: Sergio Correia <sergio@correia.cc>
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181122053329.2692-1-sergio@correia.cc
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_auth.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/drm_auth.c
++++ b/drivers/gpu/drm/drm_auth.c
+@@ -133,6 +133,7 @@ static int drm_new_set_master(struct drm
+
+ lockdep_assert_held_once(&dev->master_mutex);
+
++ WARN_ON(fpriv->is_master);
+ old_master = fpriv->master;
+ fpriv->master = drm_master_create(dev);
+ if (!fpriv->master) {
+@@ -161,6 +162,7 @@ out_err:
+ /* drop references and restore old master on failure */
+ drm_master_put(&fpriv->master);
+ fpriv->master = old_master;
++ fpriv->is_master = 0;
+
+ return ret;
+ }
--- /dev/null
+From db7a691a1551a748cb92d9c89c6b190ea87e28d5 Mon Sep 17 00:00:00 2001
+From: Michael Guralnik <michaelgur@mellanox.com>
+Date: Wed, 21 Nov 2018 15:03:54 +0200
+Subject: IB/mlx5: Avoid load failure due to unknown link width
+
+From: Michael Guralnik <michaelgur@mellanox.com>
+
+commit db7a691a1551a748cb92d9c89c6b190ea87e28d5 upstream.
+
+If the firmware reports a connection width that is not 1x, 4x, 8x or 12x
+it causes the driver to fail during initialization.
+
+To prevent this failure every time a new width is introduced to the RDMA
+stack, we will set a default 4x width for these widths which ar unknown to
+the driver.
+
+This is needed to allow to run old kernels with new firmware.
+
+Cc: <stable@vger.kernel.org> # 4.1
+Fixes: 1b5daf11b015 ("IB/mlx5: Avoid using the MAD_IFC command under ISSI > 0 mode")
+Signed-off-by: Michael Guralnik <michaelgur@mellanox.com>
+Reviewed-by: Majd Dibbiny <majd@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/main.c | 29 +++++++++++------------------
+ 1 file changed, 11 insertions(+), 18 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -710,31 +710,26 @@ enum mlx5_ib_width {
+ MLX5_IB_WIDTH_12X = 1 << 4
+ };
+
+-static int translate_active_width(struct ib_device *ibdev, u8 active_width,
++static void translate_active_width(struct ib_device *ibdev, u8 active_width,
+ u8 *ib_width)
+ {
+ struct mlx5_ib_dev *dev = to_mdev(ibdev);
+- int err = 0;
+
+- if (active_width & MLX5_IB_WIDTH_1X) {
++ if (active_width & MLX5_IB_WIDTH_1X)
+ *ib_width = IB_WIDTH_1X;
+- } else if (active_width & MLX5_IB_WIDTH_2X) {
+- mlx5_ib_dbg(dev, "active_width %d is not supported by IB spec\n",
+- (int)active_width);
+- err = -EINVAL;
+- } else if (active_width & MLX5_IB_WIDTH_4X) {
++ else if (active_width & MLX5_IB_WIDTH_4X)
+ *ib_width = IB_WIDTH_4X;
+- } else if (active_width & MLX5_IB_WIDTH_8X) {
++ else if (active_width & MLX5_IB_WIDTH_8X)
+ *ib_width = IB_WIDTH_8X;
+- } else if (active_width & MLX5_IB_WIDTH_12X) {
++ else if (active_width & MLX5_IB_WIDTH_12X)
+ *ib_width = IB_WIDTH_12X;
+- } else {
+- mlx5_ib_dbg(dev, "Invalid active_width %d\n",
++ else {
++ mlx5_ib_dbg(dev, "Invalid active_width %d, setting width to default value: 4x\n",
+ (int)active_width);
+- err = -EINVAL;
++ *ib_width = IB_WIDTH_4X;
+ }
+
+- return err;
++ return;
+ }
+
+ static int mlx5_mtu_to_ib_mtu(int mtu)
+@@ -842,10 +837,8 @@ static int mlx5_query_hca_port(struct ib
+ if (err)
+ goto out;
+
+- err = translate_active_width(ibdev, ib_link_width_oper,
+- &props->active_width);
+- if (err)
+- goto out;
++ translate_active_width(ibdev, ib_link_width_oper, &props->active_width);
++
+ err = mlx5_query_port_ib_proto_oper(mdev, &props->active_speed, port);
+ if (err)
+ goto out;
--- /dev/null
+From 24c3456c8d5ee6fc1933ca40f7b4406130682668 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Wed, 14 Nov 2018 10:17:01 -0800
+Subject: iser: set sector for ambiguous mr status errors
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+commit 24c3456c8d5ee6fc1933ca40f7b4406130682668 upstream.
+
+If for some reason we failed to query the mr status, we need to make sure
+to provide sufficient information for an ambiguous error (guard error on
+sector 0).
+
+Fixes: 0a7a08ad6f5f ("IB/iser: Implement check_protection")
+Cc: <stable@vger.kernel.org>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/iser/iser_verbs.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/ulp/iser/iser_verbs.c
++++ b/drivers/infiniband/ulp/iser/iser_verbs.c
+@@ -1110,7 +1110,9 @@ u8 iser_check_task_pi_status(struct iscs
+ IB_MR_CHECK_SIG_STATUS, &mr_status);
+ if (ret) {
+ pr_err("ib_check_mr_status failed, ret %d\n", ret);
+- goto err;
++ /* Not a lot we can do, return ambiguous guard error */
++ *sector = 0;
++ return 0x1;
+ }
+
+ if (mr_status.fail_status & IB_MR_CHECK_SIG_STATUS) {
+@@ -1138,9 +1140,6 @@ u8 iser_check_task_pi_status(struct iscs
+ }
+
+ return 0;
+-err:
+- /* Not alot we can do here, return ambiguous guard error */
+- return 0x1;
+ }
+
+ void iser_err_comp(struct ib_wc *wc, const char *type)
--- /dev/null
+From 2dd453168643d9475028cd867c57e65956a0f7f9 Mon Sep 17 00:00:00 2001
+From: Laura Abbott <labbott@redhat.com>
+Date: Mon, 10 Sep 2018 16:20:14 -0700
+Subject: kgdboc: Fix restrict error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Laura Abbott <labbott@redhat.com>
+
+commit 2dd453168643d9475028cd867c57e65956a0f7f9 upstream.
+
+There's an error when compiled with restrict:
+
+drivers/tty/serial/kgdboc.c: In function ‘configure_kgdboc’:
+drivers/tty/serial/kgdboc.c:137:2: error: ‘strcpy’ source argument is the same
+as destination [-Werror=restrict]
+ strcpy(config, opt);
+ ^~~~~~~~~~~~~~~~~~~
+
+As the error implies, this is from trying to use config as both source and
+destination. Drop the call to the function where config is the argument
+since nothing else happens in the function.
+
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/kgdboc.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/serial/kgdboc.c
++++ b/drivers/tty/serial/kgdboc.c
+@@ -162,15 +162,13 @@ static int configure_kgdboc(void)
+ {
+ struct tty_driver *p;
+ int tty_line = 0;
+- int err;
++ int err = -ENODEV;
+ char *cptr = config;
+ struct console *cons;
+
+- err = kgdboc_option_setup(config);
+- if (err || !strlen(config) || isspace(config[0]))
++ if (!strlen(config) || isspace(config[0]))
+ goto noconfig;
+
+- err = -ENODEV;
+ kgdboc_io_ops.is_console = 0;
+ kgdb_tty_driver = NULL;
+
--- /dev/null
+From c50cbd85cd7027d32ac5945bb60217936b4f7eaf Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Wed, 21 Nov 2018 22:14:39 +0300
+Subject: mips: fix mips_get_syscall_arg o32 check
+
+From: Dmitry V. Levin <ldv@altlinux.org>
+
+commit c50cbd85cd7027d32ac5945bb60217936b4f7eaf upstream.
+
+When checking for TIF_32BIT_REGS flag, mips_get_syscall_arg() should
+use the task specified as its argument instead of the current task.
+
+This potentially affects all syscall_get_arguments() users
+who specify tasks different from the current.
+
+Fixes: c0ff3c53d4f99 ("MIPS: Enable HAVE_ARCH_TRACEHOOK.")
+Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Patchwork: https://patchwork.linux-mips.org/patch/21185/
+Cc: Elvira Khabirova <lineprinter@altlinux.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org # v3.13+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/syscall.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/syscall.h
++++ b/arch/mips/include/asm/syscall.h
+@@ -51,7 +51,7 @@ static inline unsigned long mips_get_sys
+ #ifdef CONFIG_64BIT
+ case 4: case 5: case 6: case 7:
+ #ifdef CONFIG_MIPS32_O32
+- if (test_thread_flag(TIF_32BIT_REGS))
++ if (test_tsk_thread_flag(task, TIF_32BIT_REGS))
+ return get_user(*arg, (int *)usp + n);
+ else
+ #endif
--- /dev/null
+From 7d35baa4e9ec4b717bc0e58a39cdb6a1c50f5465 Mon Sep 17 00:00:00 2001
+From: Mathias Kresin <dev@kresin.me>
+Date: Mon, 26 Nov 2018 11:25:40 +0100
+Subject: MIPS: ralink: Fix mt7620 nd_sd pinmux
+
+From: Mathias Kresin <dev@kresin.me>
+
+commit 7d35baa4e9ec4b717bc0e58a39cdb6a1c50f5465 upstream.
+
+In case the nd_sd group is set to the sd-card function, Pins 45 + 46 are
+configured as GPIOs. If they are blocked by the sd function, they can't
+be used as GPIOs.
+
+Reported-by: Kristian Evensen <kristian.evensen@gmail.com>
+Signed-off-by: Mathias Kresin <dev@kresin.me>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Fixes: f576fb6a0700 ("MIPS: ralink: cleanup the soc specific pinmux data")
+Patchwork: https://patchwork.linux-mips.org/patch/21220/
+Cc: John Crispin <john@phrozen.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org # v3.18+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/ralink/mt7620.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/ralink/mt7620.c
++++ b/arch/mips/ralink/mt7620.c
+@@ -81,7 +81,7 @@ static struct rt2880_pmx_func pcie_rst_g
+ };
+ static struct rt2880_pmx_func nd_sd_grp[] = {
+ FUNC("nand", MT7620_GPIO_MODE_NAND, 45, 15),
+- FUNC("sd", MT7620_GPIO_MODE_SD, 45, 15)
++ FUNC("sd", MT7620_GPIO_MODE_SD, 47, 13)
+ };
+
+ static struct rt2880_pmx_group mt7620a_pinmux_data[] = {
--- /dev/null
+From 42c335f7e67029d2e01711f2f2bc6252277c8993 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 9 May 2017 15:34:44 -0700
+Subject: scsi: csiostor: Avoid content leaks and casts
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 42c335f7e67029d2e01711f2f2bc6252277c8993 upstream.
+
+When copying attributes, the len argument was padded out and the
+resulting memcpy() would copy beyond the end of the source buffer.
+Avoid this, and use size_t for val_len to avoid all the casts.
+Similarly, avoid source buffer casts and use void *.
+
+Additionally enforces val_len can be represented by u16 and that the DMA
+buffer was not overflowed. Fixes the size of mfa, which is not
+FC_FDMI_PORT_ATTR_MAXFRAMESIZE_LEN (but it will be padded up to 4). This
+was noticed by the future CONFIG_FORTIFY_SOURCE checks.
+
+Cc: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Acked-by: Varun Prakash <varun@chelsio.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/csiostor/csio_lnode.c | 43 ++++++++++++++++++++++---------------
+ 1 file changed, 26 insertions(+), 17 deletions(-)
+
+--- a/drivers/scsi/csiostor/csio_lnode.c
++++ b/drivers/scsi/csiostor/csio_lnode.c
+@@ -238,14 +238,23 @@ csio_osname(uint8_t *buf, size_t buf_len
+ }
+
+ static inline void
+-csio_append_attrib(uint8_t **ptr, uint16_t type, uint8_t *val, uint16_t len)
++csio_append_attrib(uint8_t **ptr, uint16_t type, void *val, size_t val_len)
+ {
++ uint16_t len;
+ struct fc_fdmi_attr_entry *ae = (struct fc_fdmi_attr_entry *)*ptr;
++
++ if (WARN_ON(val_len > U16_MAX))
++ return;
++
++ len = val_len;
++
+ ae->type = htons(type);
+ len += 4; /* includes attribute type and length */
+ len = (len + 3) & ~3; /* should be multiple of 4 bytes */
+ ae->len = htons(len);
+- memcpy(ae->value, val, len);
++ memcpy(ae->value, val, val_len);
++ if (len > val_len)
++ memset(ae->value + val_len, 0, len - val_len);
+ *ptr += len;
+ }
+
+@@ -335,7 +344,7 @@ csio_ln_fdmi_rhba_cbfn(struct csio_hw *h
+ numattrs++;
+ val = htonl(FC_PORTSPEED_1GBIT | FC_PORTSPEED_10GBIT);
+ csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_SUPPORTEDSPEED,
+- (uint8_t *)&val,
++ &val,
+ FC_FDMI_PORT_ATTR_SUPPORTEDSPEED_LEN);
+ numattrs++;
+
+@@ -346,23 +355,22 @@ csio_ln_fdmi_rhba_cbfn(struct csio_hw *h
+ else
+ val = htonl(CSIO_HBA_PORTSPEED_UNKNOWN);
+ csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_CURRENTPORTSPEED,
+- (uint8_t *)&val,
+- FC_FDMI_PORT_ATTR_CURRENTPORTSPEED_LEN);
++ &val, FC_FDMI_PORT_ATTR_CURRENTPORTSPEED_LEN);
+ numattrs++;
+
+ mfs = ln->ln_sparm.csp.sp_bb_data;
+ csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_MAXFRAMESIZE,
+- (uint8_t *)&mfs, FC_FDMI_PORT_ATTR_MAXFRAMESIZE_LEN);
++ &mfs, sizeof(mfs));
+ numattrs++;
+
+ strcpy(buf, "csiostor");
+ csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_OSDEVICENAME, buf,
+- (uint16_t)strlen(buf));
++ strlen(buf));
+ numattrs++;
+
+ if (!csio_hostname(buf, sizeof(buf))) {
+ csio_append_attrib(&pld, FC_FDMI_PORT_ATTR_HOSTNAME,
+- buf, (uint16_t)strlen(buf));
++ buf, strlen(buf));
+ numattrs++;
+ }
+ attrib_blk->numattrs = htonl(numattrs);
+@@ -444,33 +452,32 @@ csio_ln_fdmi_dprt_cbfn(struct csio_hw *h
+
+ strcpy(buf, "Chelsio Communications");
+ csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_MANUFACTURER, buf,
+- (uint16_t)strlen(buf));
++ strlen(buf));
+ numattrs++;
+ csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_SERIALNUMBER,
+- hw->vpd.sn, (uint16_t)sizeof(hw->vpd.sn));
++ hw->vpd.sn, sizeof(hw->vpd.sn));
+ numattrs++;
+ csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_MODEL, hw->vpd.id,
+- (uint16_t)sizeof(hw->vpd.id));
++ sizeof(hw->vpd.id));
+ numattrs++;
+ csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_MODELDESCRIPTION,
+- hw->model_desc, (uint16_t)strlen(hw->model_desc));
++ hw->model_desc, strlen(hw->model_desc));
+ numattrs++;
+ csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_HARDWAREVERSION,
+- hw->hw_ver, (uint16_t)sizeof(hw->hw_ver));
++ hw->hw_ver, sizeof(hw->hw_ver));
+ numattrs++;
+ csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_FIRMWAREVERSION,
+- hw->fwrev_str, (uint16_t)strlen(hw->fwrev_str));
++ hw->fwrev_str, strlen(hw->fwrev_str));
+ numattrs++;
+
+ if (!csio_osname(buf, sizeof(buf))) {
+ csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_OSNAMEVERSION,
+- buf, (uint16_t)strlen(buf));
++ buf, strlen(buf));
+ numattrs++;
+ }
+
+ csio_append_attrib(&pld, FC_FDMI_HBA_ATTR_MAXCTPAYLOAD,
+- (uint8_t *)&maxpayload,
+- FC_FDMI_HBA_ATTR_MAXCTPAYLOAD_LEN);
++ &maxpayload, FC_FDMI_HBA_ATTR_MAXCTPAYLOAD_LEN);
+ len = (uint32_t)(pld - (uint8_t *)cmd);
+ numattrs++;
+ attrib_blk->numattrs = htonl(numattrs);
+@@ -1794,6 +1801,8 @@ csio_ln_mgmt_submit_req(struct csio_iore
+ struct csio_mgmtm *mgmtm = csio_hw_to_mgmtm(hw);
+ int rv;
+
++ BUG_ON(pld_len > pld->len);
++
+ io_req->io_cbfn = io_cbfn; /* Upper layer callback handler */
+ io_req->fw_handle = (uintptr_t) (io_req);
+ io_req->eq_idx = mgmtm->eq_idx;
--- /dev/null
+From 81df022b688d43d2a3667518b2f755d384397910 Mon Sep 17 00:00:00 2001
+From: Martin Wilck <mwilck@suse.com>
+Date: Mon, 27 Nov 2017 23:47:35 +0100
+Subject: scsi: scsi_devinfo: cleanly zero-pad devinfo strings
+
+From: Martin Wilck <mwilck@suse.com>
+
+commit 81df022b688d43d2a3667518b2f755d384397910 upstream.
+
+Cleanly fill memory for "vendor" and "model" with 0-bytes for the
+"compatible" case rather than adding only a single 0 byte. This
+simplifies the devinfo code a a bit, and avoids mistakes in other places
+of the code (not in current upstream, but we had one such mistake in the
+SUSE kernel).
+
+[mkp: applied by hand and added braces]
+
+Signed-off-by: Martin Wilck <mwilck@suse.com>
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_devinfo.c | 22 +++++++---------------
+ 1 file changed, 7 insertions(+), 15 deletions(-)
+
+--- a/drivers/scsi/scsi_devinfo.c
++++ b/drivers/scsi/scsi_devinfo.c
+@@ -33,7 +33,6 @@ struct scsi_dev_info_list_table {
+ };
+
+
+-static const char spaces[] = " "; /* 16 of them */
+ static unsigned scsi_default_dev_flags;
+ static LIST_HEAD(scsi_dev_info_list);
+ static char scsi_dev_flags[256];
+@@ -298,20 +297,13 @@ static void scsi_strcpy_devinfo(char *na
+ size_t from_length;
+
+ from_length = strlen(from);
+- strncpy(to, from, min(to_length, from_length));
+- if (from_length < to_length) {
+- if (compatible) {
+- /*
+- * NUL terminate the string if it is short.
+- */
+- to[from_length] = '\0';
+- } else {
+- /*
+- * space pad the string if it is short.
+- */
+- strncpy(&to[from_length], spaces,
+- to_length - from_length);
+- }
++ /* this zero-pads the destination */
++ strncpy(to, from, to_length);
++ if (from_length < to_length && !compatible) {
++ /*
++ * space pad the string if it is short.
++ */
++ memset(&to[from_length], ' ', to_length - from_length);
+ }
+ if (from_length > to_length)
+ printk(KERN_WARNING "%s: %s string '%s' is too long\n",
scsi-bfa-convert-to-strlcpy-strlcat.patch
staging-rts5208-fix-gcc-8-logic-error-warning.patch
kdb-use-memmove-instead-of-overlapping-memcpy.patch
+x86-power-64-use-char-arrays-for-asm-function-names.patch
+iser-set-sector-for-ambiguous-mr-status-errors.patch
+uprobes-fix-handle_swbp-vs.-unregister-register-race-once-more.patch
+mips-ralink-fix-mt7620-nd_sd-pinmux.patch
+mips-fix-mips_get_syscall_arg-o32-check.patch
+ib-mlx5-avoid-load-failure-due-to-unknown-link-width.patch
+drm-ast-fix-incorrect-free-on-ioregs.patch
+drm-set-is_master-to-0-upon-drm_new_set_master-failure.patch
+scsi-scsi_devinfo-cleanly-zero-pad-devinfo-strings.patch
+alsa-trident-suppress-gcc-string-warning.patch
+scsi-csiostor-avoid-content-leaks-and-casts.patch
+kgdboc-fix-restrict-error.patch
--- /dev/null
+From 09d3f015d1e1b4fee7e9bbdcf54201d239393391 Mon Sep 17 00:00:00 2001
+From: Andrea Parri <andrea.parri@amarulasolutions.com>
+Date: Thu, 22 Nov 2018 17:10:31 +0100
+Subject: uprobes: Fix handle_swbp() vs. unregister() + register() race once more
+
+From: Andrea Parri <andrea.parri@amarulasolutions.com>
+
+commit 09d3f015d1e1b4fee7e9bbdcf54201d239393391 upstream.
+
+Commit:
+
+ 142b18ddc8143 ("uprobes: Fix handle_swbp() vs unregister() + register() race")
+
+added the UPROBE_COPY_INSN flag, and corresponding smp_wmb() and smp_rmb()
+memory barriers, to ensure that handle_swbp() uses fully-initialized
+uprobes only.
+
+However, the smp_rmb() is mis-placed: this barrier should be placed
+after handle_swbp() has tested for the flag, thus guaranteeing that
+(program-order) subsequent loads from the uprobe can see the initial
+stores performed by prepare_uprobe().
+
+Move the smp_rmb() accordingly. Also amend the comments associated
+to the two memory barriers to indicate their actual locations.
+
+Signed-off-by: Andrea Parri <andrea.parri@amarulasolutions.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: stable@kernel.org
+Fixes: 142b18ddc8143 ("uprobes: Fix handle_swbp() vs unregister() + register() race")
+Link: http://lkml.kernel.org/r/20181122161031.15179-1-andrea.parri@amarulasolutions.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/uprobes.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/kernel/events/uprobes.c
++++ b/kernel/events/uprobes.c
+@@ -608,7 +608,7 @@ static int prepare_uprobe(struct uprobe
+ BUG_ON((uprobe->offset & ~PAGE_MASK) +
+ UPROBE_SWBP_INSN_SIZE > PAGE_SIZE);
+
+- smp_wmb(); /* pairs with rmb() in find_active_uprobe() */
++ smp_wmb(); /* pairs with the smp_rmb() in handle_swbp() */
+ set_bit(UPROBE_COPY_INSN, &uprobe->flags);
+
+ out:
+@@ -1902,10 +1902,18 @@ static void handle_swbp(struct pt_regs *
+ * After we hit the bp, _unregister + _register can install the
+ * new and not-yet-analyzed uprobe at the same address, restart.
+ */
+- smp_rmb(); /* pairs with wmb() in install_breakpoint() */
+ if (unlikely(!test_bit(UPROBE_COPY_INSN, &uprobe->flags)))
+ goto out;
+
++ /*
++ * Pairs with the smp_wmb() in prepare_uprobe().
++ *
++ * Guarantees that if we see the UPROBE_COPY_INSN bit set, then
++ * we must also see the stores to &uprobe->arch performed by the
++ * prepare_uprobe() call.
++ */
++ smp_rmb();
++
+ /* Tracing handlers use ->utask to communicate with fetch methods */
+ if (!get_utask())
+ goto out;
--- /dev/null
+From c0944883c97c0ddc71da67cc731590a7c878a1a2 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 9 May 2017 14:00:51 -0700
+Subject: x86/power/64: Use char arrays for asm function names
+
+From: Kees Cook <keescook@chromium.org>
+
+commit c0944883c97c0ddc71da67cc731590a7c878a1a2 upstream.
+
+This switches the hibernate_64.S function names into character arrays
+to match other areas of the kernel where this is done (e.g., linker
+scripts). Specifically this fixes a compile-time error noticed by the
+future CONFIG_FORTIFY_SOURCE routines that complained about PAGE_SIZE
+being copied out of the "single byte" core_restore_code variable.
+
+Additionally drops the "acpi_save_state_mem" exern which does not
+appear to be used anywhere else in the kernel.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Acked-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/suspend_64.h | 5 ++---
+ arch/x86/power/hibernate_64.c | 6 +++---
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/include/asm/suspend_64.h
++++ b/arch/x86/include/asm/suspend_64.h
+@@ -42,8 +42,7 @@ struct saved_context {
+ set_debugreg((thread)->debugreg##register, register)
+
+ /* routines for saving/restoring kernel state */
+-extern int acpi_save_state_mem(void);
+-extern char core_restore_code;
+-extern char restore_registers;
++extern char core_restore_code[];
++extern char restore_registers[];
+
+ #endif /* _ASM_X86_SUSPEND_64_H */
+--- a/arch/x86/power/hibernate_64.c
++++ b/arch/x86/power/hibernate_64.c
+@@ -126,7 +126,7 @@ static int relocate_restore_code(void)
+ if (!relocated_restore_code)
+ return -ENOMEM;
+
+- memcpy((void *)relocated_restore_code, &core_restore_code, PAGE_SIZE);
++ memcpy((void *)relocated_restore_code, core_restore_code, PAGE_SIZE);
+
+ /* Make the page containing the relocated code executable */
+ pgd = (pgd_t *)__va(read_cr3()) + pgd_index(relocated_restore_code);
+@@ -197,8 +197,8 @@ int arch_hibernation_header_save(void *a
+
+ if (max_size < sizeof(struct restore_data_record))
+ return -EOVERFLOW;
+- rdr->jump_address = (unsigned long)&restore_registers;
+- rdr->jump_address_phys = __pa_symbol(&restore_registers);
++ rdr->jump_address = (unsigned long)restore_registers;
++ rdr->jump_address_phys = __pa_symbol(restore_registers);
+ rdr->cr3 = restore_cr3;
+ rdr->magic = RESTORE_MAGIC;
+ return 0;
projects / thirdparty / kernel / stable-queue.git / commitdiff
