--- /dev/null
+From 2a3f7221acddfe1caa9ff09b3a8158c39b2fdeac Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 16 Apr 2019 17:06:33 +0200
+Subject: ALSA: core: Fix card races between register and disconnect
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 2a3f7221acddfe1caa9ff09b3a8158c39b2fdeac upstream.
+
+There is a small race window in the card disconnection code that
+allows the registration of another card with the very same card id.
+This leads to a warning in procfs creation as caught by syzkaller.
+
+The problem is that we delete snd_cards and snd_cards_lock entries at
+the very beginning of the disconnection procedure. This makes the
+slot available to be assigned for another card object while the
+disconnection procedure is being processed. Then it becomes possible
+to issue a procfs registration with the existing file name although we
+check the conflict beforehand.
+
+The fix is simply to move the snd_cards and snd_cards_lock clearances
+at the end of the disconnection procedure. The references to these
+entries are merely either from the global proc files like
+/proc/asound/cards or from the card registration / disconnection, so
+it should be fine to shift at the very end.
+
+Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/init.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/sound/core/init.c
++++ b/sound/core/init.c
+@@ -408,14 +408,7 @@ int snd_card_disconnect(struct snd_card
+ card->shutdown = 1;
+ spin_unlock(&card->files_lock);
+
+- /* phase 1: disable fops (user space) operations for ALSA API */
+- mutex_lock(&snd_card_mutex);
+- snd_cards[card->number] = NULL;
+- clear_bit(card->number, snd_cards_lock);
+- mutex_unlock(&snd_card_mutex);
+-
+- /* phase 2: replace file->f_op with special dummy operations */
+-
++ /* replace file->f_op with special dummy operations */
+ spin_lock(&card->files_lock);
+ list_for_each_entry(mfile, &card->files_list, list) {
+ /* it's critical part, use endless loop */
+@@ -431,7 +424,7 @@ int snd_card_disconnect(struct snd_card
+ }
+ spin_unlock(&card->files_lock);
+
+- /* phase 3: notify all connected devices about disconnection */
++ /* notify all connected devices about disconnection */
+ /* at this point, they cannot respond to any calls except release() */
+
+ #if IS_ENABLED(CONFIG_SND_MIXER_OSS)
+@@ -447,6 +440,13 @@ int snd_card_disconnect(struct snd_card
+ device_del(&card->card_dev);
+ card->registered = false;
+ }
++
++ /* disable fops (user space) operations for ALSA API */
++ mutex_lock(&snd_card_mutex);
++ snd_cards[card->number] = NULL;
++ clear_bit(card->number, snd_cards_lock);
++ mutex_unlock(&snd_card_mutex);
++
+ #ifdef CONFIG_PM
+ wake_up(&card->power_sleep);
+ #endif
--- /dev/null
+From ff8acf929014b7f87315588e0daf8597c8aa9d1c Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Wed, 17 Apr 2019 00:21:21 -0700
+Subject: arm64: futex: Restore oldval initialization to work around buggy compilers
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+commit ff8acf929014b7f87315588e0daf8597c8aa9d1c upstream.
+
+Commit 045afc24124d ("arm64: futex: Fix FUTEX_WAKE_OP atomic ops with
+non-zero result value") removed oldval's zero initialization in
+arch_futex_atomic_op_inuser because it is not necessary. Unfortunately,
+Android's arm64 GCC 4.9.4 [1] does not agree:
+
+../kernel/futex.c: In function 'do_futex':
+../kernel/futex.c:1658:17: warning: 'oldval' may be used uninitialized
+in this function [-Wmaybe-uninitialized]
+ return oldval == cmparg;
+ ^
+In file included from ../kernel/futex.c:73:0:
+../arch/arm64/include/asm/futex.h:53:6: note: 'oldval' was declared here
+ int oldval, ret, tmp;
+ ^
+
+GCC fails to follow that when ret is non-zero, futex_atomic_op_inuser
+returns right away, avoiding the uninitialized use that it claims.
+Restoring the zero initialization works around this issue.
+
+[1]: https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/
+
+Cc: stable@vger.kernel.org
+Fixes: 045afc24124d ("arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/futex.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/include/asm/futex.h
++++ b/arch/arm64/include/asm/futex.h
+@@ -53,7 +53,7 @@
+ static inline int
+ arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr)
+ {
+- int oldval, ret, tmp;
++ int oldval = 0, ret, tmp;
+
+ pagefault_disable();
+
--- /dev/null
+From b98749cac4a695f084a5ff076f4510b23e353ecd Mon Sep 17 00:00:00 2001
+From: Aurelien Aptel <aaptel@suse.com>
+Date: Fri, 29 Mar 2019 10:49:12 +0100
+Subject: CIFS: keep FileInfo handle live during oplock break
+
+From: Aurelien Aptel <aaptel@suse.com>
+
+commit b98749cac4a695f084a5ff076f4510b23e353ecd upstream.
+
+In the oplock break handler, writing pending changes from pages puts
+the FileInfo handle. If the refcount reaches zero it closes the handle
+and waits for any oplock break handler to return, thus causing a deadlock.
+
+To prevent this situation:
+
+* We add a wait flag to cifsFileInfo_put() to decide whether we should
+ wait for running/pending oplock break handlers
+
+* We keep an additionnal reference of the SMB FileInfo handle so that
+ for the rest of the handler putting the handle won't close it.
+ - The ref is bumped everytime we queue the handler via the
+ cifs_queue_oplock_break() helper.
+ - The ref is decremented at the end of the handler
+
+This bug was triggered by xfstest 464.
+
+Also important fix to address the various reports of
+oops in smb2_push_mandatory_locks
+
+Signed-off-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifsglob.h | 2 ++
+ fs/cifs/file.c | 30 +++++++++++++++++++++++++-----
+ fs/cifs/misc.c | 25 +++++++++++++++++++++++--
+ fs/cifs/smb2misc.c | 6 +++---
+ 4 files changed, 53 insertions(+), 10 deletions(-)
+
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -1157,6 +1157,7 @@ cifsFileInfo_get_locked(struct cifsFileI
+ }
+
+ struct cifsFileInfo *cifsFileInfo_get(struct cifsFileInfo *cifs_file);
++void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_hdlr);
+ void cifsFileInfo_put(struct cifsFileInfo *cifs_file);
+
+ #define CIFS_CACHE_READ_FLG 1
+@@ -1651,6 +1652,7 @@ GLOBAL_EXTERN spinlock_t gidsidlock;
+ #endif /* CONFIG_CIFS_ACL */
+
+ void cifs_oplock_break(struct work_struct *work);
++void cifs_queue_oplock_break(struct cifsFileInfo *cfile);
+
+ extern const struct slow_work_ops cifs_oplock_break_ops;
+ extern struct workqueue_struct *cifsiod_wq;
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -358,13 +358,31 @@ cifsFileInfo_get(struct cifsFileInfo *ci
+ return cifs_file;
+ }
+
+-/*
+- * Release a reference on the file private data. This may involve closing
+- * the filehandle out on the server. Must be called without holding
+- * tcon->open_file_lock and cifs_file->file_info_lock.
++/**
++ * cifsFileInfo_put - release a reference of file priv data
++ *
++ * Always potentially wait for oplock handler. See _cifsFileInfo_put().
+ */
+ void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
+ {
++ _cifsFileInfo_put(cifs_file, true);
++}
++
++/**
++ * _cifsFileInfo_put - release a reference of file priv data
++ *
++ * This may involve closing the filehandle @cifs_file out on the
++ * server. Must be called without holding tcon->open_file_lock and
++ * cifs_file->file_info_lock.
++ *
++ * If @wait_for_oplock_handler is true and we are releasing the last
++ * reference, wait for any running oplock break handler of the file
++ * and cancel any pending one. If calling this function from the
++ * oplock break handler, you need to pass false.
++ *
++ */
++void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_handler)
++{
+ struct inode *inode = d_inode(cifs_file->dentry);
+ struct cifs_tcon *tcon = tlink_tcon(cifs_file->tlink);
+ struct TCP_Server_Info *server = tcon->ses->server;
+@@ -411,7 +429,8 @@ void cifsFileInfo_put(struct cifsFileInf
+
+ spin_unlock(&tcon->open_file_lock);
+
+- oplock_break_cancelled = cancel_work_sync(&cifs_file->oplock_break);
++ oplock_break_cancelled = wait_oplock_handler ?
++ cancel_work_sync(&cifs_file->oplock_break) : false;
+
+ if (!tcon->need_reconnect && !cifs_file->invalidHandle) {
+ struct TCP_Server_Info *server = tcon->ses->server;
+@@ -3913,6 +3932,7 @@ void cifs_oplock_break(struct work_struc
+ cinode);
+ cifs_dbg(FYI, "Oplock release rc = %d\n", rc);
+ }
++ _cifsFileInfo_put(cfile, false /* do not wait for ourself */);
+ cifs_done_oplock_break(cinode);
+ }
+
+--- a/fs/cifs/misc.c
++++ b/fs/cifs/misc.c
+@@ -494,8 +494,7 @@ is_valid_oplock_break(char *buffer, stru
+ CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
+ &pCifsInode->flags);
+
+- queue_work(cifsoplockd_wq,
+- &netfile->oplock_break);
++ cifs_queue_oplock_break(netfile);
+ netfile->oplock_break_cancelled = false;
+
+ spin_unlock(&tcon->open_file_lock);
+@@ -592,6 +591,28 @@ void cifs_put_writer(struct cifsInodeInf
+ spin_unlock(&cinode->writers_lock);
+ }
+
++/**
++ * cifs_queue_oplock_break - queue the oplock break handler for cfile
++ *
++ * This function is called from the demultiplex thread when it
++ * receives an oplock break for @cfile.
++ *
++ * Assumes the tcon->open_file_lock is held.
++ * Assumes cfile->file_info_lock is NOT held.
++ */
++void cifs_queue_oplock_break(struct cifsFileInfo *cfile)
++{
++ /*
++ * Bump the handle refcount now while we hold the
++ * open_file_lock to enforce the validity of it for the oplock
++ * break handler. The matching put is done at the end of the
++ * handler.
++ */
++ cifsFileInfo_get(cfile);
++
++ queue_work(cifsoplockd_wq, &cfile->oplock_break);
++}
++
+ void cifs_done_oplock_break(struct cifsInodeInfo *cinode)
+ {
+ clear_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags);
+--- a/fs/cifs/smb2misc.c
++++ b/fs/cifs/smb2misc.c
+@@ -512,7 +512,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tc
+ clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
+ &cinode->flags);
+
+- queue_work(cifsoplockd_wq, &cfile->oplock_break);
++ cifs_queue_oplock_break(cfile);
+ kfree(lw);
+ return true;
+ }
+@@ -656,8 +656,8 @@ smb2_is_valid_oplock_break(char *buffer,
+ CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
+ &cinode->flags);
+ spin_unlock(&cfile->file_info_lock);
+- queue_work(cifsoplockd_wq,
+- &cfile->oplock_break);
++
++ cifs_queue_oplock_break(cfile);
+
+ spin_unlock(&tcon->open_file_lock);
+ spin_unlock(&cifs_tcp_ses_lock);
--- /dev/null
+From 678cce4019d746da6c680c48ba9e6d417803e127 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sun, 31 Mar 2019 13:04:11 -0700
+Subject: crypto: x86/poly1305 - fix overflow during partial reduction
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 678cce4019d746da6c680c48ba9e6d417803e127 upstream.
+
+The x86_64 implementation of Poly1305 produces the wrong result on some
+inputs because poly1305_4block_avx2() incorrectly assumes that when
+partially reducing the accumulator, the bits carried from limb 'd4' to
+limb 'h0' fit in a 32-bit integer. This is true for poly1305-generic
+which processes only one block at a time. However, it's not true for
+the AVX2 implementation, which processes 4 blocks at a time and
+therefore can produce intermediate limbs about 4x larger.
+
+Fix it by making the relevant calculations use 64-bit arithmetic rather
+than 32-bit. Note that most of the carries already used 64-bit
+arithmetic, but the d4 -> h0 carry was different for some reason.
+
+To be safe I also made the same change to the corresponding SSE2 code,
+though that only operates on 1 or 2 blocks at a time. I don't think
+it's really needed for poly1305_block_sse2(), but it doesn't hurt
+because it's already x86_64 code. It *might* be needed for
+poly1305_2block_sse2(), but overflows aren't easy to reproduce there.
+
+This bug was originally detected by my patches that improve testmgr to
+fuzz algorithms against their generic implementation. But also add a
+test vector which reproduces it directly (in the AVX2 case).
+
+Fixes: b1ccc8f4b631 ("crypto: poly1305 - Add a four block AVX2 variant for x86_64")
+Fixes: c70f4abef07a ("crypto: poly1305 - Add a SSE2 SIMD variant for x86_64")
+Cc: <stable@vger.kernel.org> # v4.3+
+Cc: Martin Willi <martin@strongswan.org>
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Martin Willi <martin@strongswan.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/crypto/poly1305-avx2-x86_64.S | 14 +++++++---
+ arch/x86/crypto/poly1305-sse2-x86_64.S | 22 ++++++++++------
+ crypto/testmgr.h | 44 ++++++++++++++++++++++++++++++++-
+ 3 files changed, 67 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/crypto/poly1305-avx2-x86_64.S
++++ b/arch/x86/crypto/poly1305-avx2-x86_64.S
+@@ -321,6 +321,12 @@ ENTRY(poly1305_4block_avx2)
+ vpaddq t2,t1,t1
+ vmovq t1x,d4
+
++ # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 ->
++ # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small
++ # amount. Careful: we must not assume the carry bits 'd0 >> 26',
++ # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit
++ # integers. It's true in a single-block implementation, but not here.
++
+ # d1 += d0 >> 26
+ mov d0,%rax
+ shr $26,%rax
+@@ -359,16 +365,16 @@ ENTRY(poly1305_4block_avx2)
+ # h0 += (d4 >> 26) * 5
+ mov d4,%rax
+ shr $26,%rax
+- lea (%eax,%eax,4),%eax
+- add %eax,%ebx
++ lea (%rax,%rax,4),%rax
++ add %rax,%rbx
+ # h4 = d4 & 0x3ffffff
+ mov d4,%rax
+ and $0x3ffffff,%eax
+ mov %eax,h4
+
+ # h1 += h0 >> 26
+- mov %ebx,%eax
+- shr $26,%eax
++ mov %rbx,%rax
++ shr $26,%rax
+ add %eax,h1
+ # h0 = h0 & 0x3ffffff
+ andl $0x3ffffff,%ebx
+--- a/arch/x86/crypto/poly1305-sse2-x86_64.S
++++ b/arch/x86/crypto/poly1305-sse2-x86_64.S
+@@ -251,16 +251,16 @@ ENTRY(poly1305_block_sse2)
+ # h0 += (d4 >> 26) * 5
+ mov d4,%rax
+ shr $26,%rax
+- lea (%eax,%eax,4),%eax
+- add %eax,%ebx
++ lea (%rax,%rax,4),%rax
++ add %rax,%rbx
+ # h4 = d4 & 0x3ffffff
+ mov d4,%rax
+ and $0x3ffffff,%eax
+ mov %eax,h4
+
+ # h1 += h0 >> 26
+- mov %ebx,%eax
+- shr $26,%eax
++ mov %rbx,%rax
++ shr $26,%rax
+ add %eax,h1
+ # h0 = h0 & 0x3ffffff
+ andl $0x3ffffff,%ebx
+@@ -518,6 +518,12 @@ ENTRY(poly1305_2block_sse2)
+ paddq t2,t1
+ movq t1,d4
+
++ # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 ->
++ # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small
++ # amount. Careful: we must not assume the carry bits 'd0 >> 26',
++ # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit
++ # integers. It's true in a single-block implementation, but not here.
++
+ # d1 += d0 >> 26
+ mov d0,%rax
+ shr $26,%rax
+@@ -556,16 +562,16 @@ ENTRY(poly1305_2block_sse2)
+ # h0 += (d4 >> 26) * 5
+ mov d4,%rax
+ shr $26,%rax
+- lea (%eax,%eax,4),%eax
+- add %eax,%ebx
++ lea (%rax,%rax,4),%rax
++ add %rax,%rbx
+ # h4 = d4 & 0x3ffffff
+ mov d4,%rax
+ and $0x3ffffff,%eax
+ mov %eax,h4
+
+ # h1 += h0 >> 26
+- mov %ebx,%eax
+- shr $26,%eax
++ mov %rbx,%rax
++ shr $26,%rax
+ add %eax,h1
+ # h0 = h0 & 0x3ffffff
+ andl $0x3ffffff,%ebx
+--- a/crypto/testmgr.h
++++ b/crypto/testmgr.h
+@@ -4527,7 +4527,49 @@ static struct hash_testvec poly1305_tv_t
+ .psize = 80,
+ .digest = "\x13\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00",
+- },
++ }, { /* Regression test for overflow in AVX2 implementation */
++ .plaintext = "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff\xff\xff\xff\xff"
++ "\xff\xff\xff\xff",
++ .psize = 300,
++ .digest = "\xfb\x5e\x96\xd8\x61\xd5\xc7\xc8"
++ "\x78\xe5\x87\xcc\x2d\x5a\x22\xe1",
++ }
+ };
+
+ /*
--- /dev/null
+From fccfb9ce70ed4ea7a145f77b86de62e38178517f Mon Sep 17 00:00:00 2001
+From: Dragos Bogdan <dragos.bogdan@analog.com>
+Date: Tue, 19 Mar 2019 12:47:00 +0200
+Subject: iio: ad_sigma_delta: select channel when reading register
+
+From: Dragos Bogdan <dragos.bogdan@analog.com>
+
+commit fccfb9ce70ed4ea7a145f77b86de62e38178517f upstream.
+
+The desired channel has to be selected in order to correctly fill the
+buffer with the corresponding data.
+The `ad_sd_write_reg()` already does this, but for the
+`ad_sd_read_reg_raw()` this was omitted.
+
+Fixes: af3008485ea03 ("iio:adc: Add common code for ADI Sigma Delta devices")
+Signed-off-by: Dragos Bogdan <dragos.bogdan@analog.com>
+Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ad_sigma_delta.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/adc/ad_sigma_delta.c
++++ b/drivers/iio/adc/ad_sigma_delta.c
+@@ -121,6 +121,7 @@ static int ad_sd_read_reg_raw(struct ad_
+ if (sigma_delta->info->has_registers) {
+ data[0] = reg << sigma_delta->info->addr_shift;
+ data[0] |= sigma_delta->info->read_mask;
++ data[0] |= sigma_delta->comm;
+ spi_message_add_tail(&t[0], &m);
+ }
+ spi_message_add_tail(&t[1], &m);
--- /dev/null
+From 09c6bdee51183a575bf7546890c8c137a75a2b44 Mon Sep 17 00:00:00 2001
+From: Georg Ottinger <g.ottinger@abatec.at>
+Date: Wed, 30 Jan 2019 14:42:02 +0100
+Subject: iio: adc: at91: disable adc channel interrupt in timeout case
+
+From: Georg Ottinger <g.ottinger@abatec.at>
+
+commit 09c6bdee51183a575bf7546890c8c137a75a2b44 upstream.
+
+Having a brief look at at91_adc_read_raw() it is obvious that in the case
+of a timeout the setting of AT91_ADC_CHDR and AT91_ADC_IDR registers is
+omitted. If 2 different channels are queried we can end up with a
+situation where two interrupts are enabled, but only one interrupt is
+cleared in the interrupt handler. Resulting in a interrupt loop and a
+system hang.
+
+Signed-off-by: Georg Ottinger <g.ottinger@abatec.at>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/at91_adc.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/drivers/iio/adc/at91_adc.c
++++ b/drivers/iio/adc/at91_adc.c
+@@ -704,23 +704,29 @@ static int at91_adc_read_raw(struct iio_
+ ret = wait_event_interruptible_timeout(st->wq_data_avail,
+ st->done,
+ msecs_to_jiffies(1000));
+- if (ret == 0)
+- ret = -ETIMEDOUT;
+- if (ret < 0) {
+- mutex_unlock(&st->lock);
+- return ret;
+- }
+-
+- *val = st->last_value;
+
++ /* Disable interrupts, regardless if adc conversion was
++ * successful or not
++ */
+ at91_adc_writel(st, AT91_ADC_CHDR,
+ AT91_ADC_CH(chan->channel));
+ at91_adc_writel(st, AT91_ADC_IDR, BIT(chan->channel));
+
+- st->last_value = 0;
+- st->done = false;
++ if (ret > 0) {
++ /* a valid conversion took place */
++ *val = st->last_value;
++ st->last_value = 0;
++ st->done = false;
++ ret = IIO_VAL_INT;
++ } else if (ret == 0) {
++ /* conversion timeout */
++ dev_err(&idev->dev, "ADC Channel %d timeout.\n",
++ chan->channel);
++ ret = -ETIMEDOUT;
++ }
++
+ mutex_unlock(&st->lock);
+- return IIO_VAL_INT;
++ return ret;
+
+ case IIO_CHAN_INFO_SCALE:
+ *val = st->vref_mv;
--- /dev/null
+From 40a7198a4a01037003c7ca714f0d048a61e729ac Mon Sep 17 00:00:00 2001
+From: Mike Looijmans <mike.looijmans@topic.nl>
+Date: Wed, 13 Feb 2019 08:41:47 +0100
+Subject: iio/gyro/bmg160: Use millidegrees for temperature scale
+
+From: Mike Looijmans <mike.looijmans@topic.nl>
+
+commit 40a7198a4a01037003c7ca714f0d048a61e729ac upstream.
+
+Standard unit for temperature is millidegrees Celcius, whereas this driver
+was reporting in degrees. Fix the scale factor in the driver.
+
+Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/gyro/bmg160_core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/gyro/bmg160_core.c
++++ b/drivers/iio/gyro/bmg160_core.c
+@@ -583,11 +583,10 @@ static int bmg160_read_raw(struct iio_de
+ case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY:
+ return bmg160_get_filter(data, val);
+ case IIO_CHAN_INFO_SCALE:
+- *val = 0;
+ switch (chan->type) {
+ case IIO_TEMP:
+- *val2 = 500000;
+- return IIO_VAL_INT_PLUS_MICRO;
++ *val = 500;
++ return IIO_VAL_INT;
+ case IIO_ANGL_VEL:
+ {
+ int i;
+@@ -595,6 +594,7 @@ static int bmg160_read_raw(struct iio_de
+ for (i = 0; i < ARRAY_SIZE(bmg160_scale_table); ++i) {
+ if (bmg160_scale_table[i].dps_range ==
+ data->dps_range) {
++ *val = 0;
+ *val2 = bmg160_scale_table[i].scale;
+ return IIO_VAL_INT_PLUS_MICRO;
+ }
--- /dev/null
+From fe2d3df639a7940a125a33d6460529b9689c5406 Mon Sep 17 00:00:00 2001
+From: "he, bo" <bo.he@intel.com>
+Date: Wed, 6 Mar 2019 10:32:20 +0800
+Subject: io: accel: kxcjk1013: restore the range after resume.
+
+From: he, bo <bo.he@intel.com>
+
+commit fe2d3df639a7940a125a33d6460529b9689c5406 upstream.
+
+On some laptops, kxcjk1013 is powered off when system enters S3. We need
+restore the range regiter during resume. Otherwise, the sensor doesn't
+work properly after S3.
+
+Signed-off-by: he, bo <bo.he@intel.com>
+Signed-off-by: Chen, Hu <hu1.chen@intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/accel/kxcjk-1013.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/accel/kxcjk-1013.c
++++ b/drivers/iio/accel/kxcjk-1013.c
+@@ -1340,6 +1340,8 @@ static int kxcjk1013_resume(struct devic
+
+ mutex_lock(&data->mutex);
+ ret = kxcjk1013_set_mode(data, OPERATION);
++ if (ret == 0)
++ ret = kxcjk1013_set_range(data, data->range);
+ mutex_unlock(&data->mutex);
+
+ return ret;
--- /dev/null
+From 5f843ed415581cfad4ef8fefe31c138a8346ca8a Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Mon, 15 Apr 2019 15:01:25 +0900
+Subject: kprobes: Fix error check when reusing optimized probes
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 5f843ed415581cfad4ef8fefe31c138a8346ca8a upstream.
+
+The following commit introduced a bug in one of our error paths:
+
+ 819319fc9346 ("kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()")
+
+it missed to handle the return value of kprobe_optready() as
+error-value. In reality, the kprobe_optready() returns a bool
+result, so "true" case must be passed instead of 0.
+
+This causes some errors on kprobe boot-time selftests on ARM:
+
+ [ ] Beginning kprobe tests...
+ [ ] Probe ARM code
+ [ ] kprobe
+ [ ] kretprobe
+ [ ] ARM instruction simulation
+ [ ] Check decoding tables
+ [ ] Run test cases
+ [ ] FAIL: test_case_handler not run
+ [ ] FAIL: Test andge r10, r11, r14, asr r7
+ [ ] FAIL: Scenario 11
+ ...
+ [ ] FAIL: Scenario 7
+ [ ] Total instruction simulation tests=1631, pass=1433 fail=198
+ [ ] kprobe tests failed
+
+This can happen if an optimized probe is unregistered and next
+kprobe is registered on same address until the previous probe
+is not reclaimed.
+
+If this happens, a hidden aggregated probe may be kept in memory,
+and no new kprobe can probe same address. Also, in that case
+register_kprobe() will return "1" instead of minus error value,
+which can mislead caller logic.
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
+Cc: David S . Miller <davem@davemloft.net>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Naveen N . Rao <naveen.n.rao@linux.vnet.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org # v5.0+
+Fixes: 819319fc9346 ("kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()")
+Link: http://lkml.kernel.org/r/155530808559.32517.539898325433642204.stgit@devnote2
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/kprobes.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -668,7 +668,6 @@ static void unoptimize_kprobe(struct kpr
+ static int reuse_unused_kprobe(struct kprobe *ap)
+ {
+ struct optimized_kprobe *op;
+- int ret;
+
+ BUG_ON(!kprobe_unused(ap));
+ /*
+@@ -682,9 +681,8 @@ static int reuse_unused_kprobe(struct kp
+ /* Enable the probe again */
+ ap->flags &= ~KPROBE_FLAG_DISABLED;
+ /* Optimize it again (remove from op->list) */
+- ret = kprobe_optready(ap);
+- if (ret)
+- return ret;
++ if (!kprobe_optready(ap))
++ return -EINVAL;
+
+ optimize_kprobe(ap);
+ return 0;
--- /dev/null
+From fabe38ab6b2bd9418350284c63825f13b8a6abba Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Sun, 24 Feb 2019 01:50:20 +0900
+Subject: kprobes: Mark ftrace mcount handler functions nokprobe
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit fabe38ab6b2bd9418350284c63825f13b8a6abba upstream.
+
+Mark ftrace mcount handler functions nokprobe since
+probing on these functions with kretprobe pushes
+return address incorrectly on kretprobe shadow stack.
+
+Reported-by: Francis Deslauriers <francis.deslauriers@efficios.com>
+Tested-by: Andrea Righi <righi.andrea@gmail.com>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Acked-by: Steven Rostedt <rostedt@goodmis.org>
+Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/155094062044.6137.6419622920568680640.stgit@devbox
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -32,6 +32,7 @@
+ #include <linux/list.h>
+ #include <linux/hash.h>
+ #include <linux/rcupdate.h>
++#include <linux/kprobes.h>
+
+ #include <trace/events/sched.h>
+
+@@ -5246,7 +5247,7 @@ void ftrace_reset_array_ops(struct trace
+ tr->ops->func = ftrace_stub;
+ }
+
+-static inline void
++static nokprobe_inline void
+ __ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip,
+ struct ftrace_ops *ignored, struct pt_regs *regs)
+ {
+@@ -5309,11 +5310,13 @@ static void ftrace_ops_list_func(unsigne
+ {
+ __ftrace_ops_list_func(ip, parent_ip, NULL, regs);
+ }
++NOKPROBE_SYMBOL(ftrace_ops_list_func);
+ #else
+ static void ftrace_ops_no_ops(unsigned long ip, unsigned long parent_ip)
+ {
+ __ftrace_ops_list_func(ip, parent_ip, NULL, NULL);
+ }
++NOKPROBE_SYMBOL(ftrace_ops_no_ops);
+ #endif
+
+ /*
+@@ -5343,6 +5346,7 @@ static void ftrace_ops_assist_func(unsig
+ preempt_enable_notrace();
+ trace_clear_recursion(bit);
+ }
++NOKPROBE_SYMBOL(ftrace_ops_assist_func);
+
+ /**
+ * ftrace_ops_get_func - get the function a trampoline should call
--- /dev/null
+From 8f4dc2e77cdfaf7e644ef29693fa229db29ee1de Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Tue, 2 Apr 2019 08:10:47 -0700
+Subject: KVM: x86: Don't clear EFER during SMM transitions for 32-bit vCPU
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 8f4dc2e77cdfaf7e644ef29693fa229db29ee1de upstream.
+
+Neither AMD nor Intel CPUs have an EFER field in the legacy SMRAM save
+state area, i.e. don't save/restore EFER across SMM transitions. KVM
+somewhat models this, e.g. doesn't clear EFER on entry to SMM if the
+guest doesn't support long mode. But during RSM, KVM unconditionally
+clears EFER so that it can get back to pure 32-bit mode in order to
+start loading CRs with their actual non-SMM values.
+
+Clear EFER only when it will be written when loading the non-SMM state
+so as to preserve bits that can theoretically be set on 32-bit vCPUs,
+e.g. KVM always emulates EFER_SCE.
+
+And because CR4.PAE is cleared only to play nice with EFER, wrap that
+code in the long mode check as well. Note, this may result in a
+compiler warning about cr4 being consumed uninitialized. Re-read CR4
+even though it's technically unnecessary, as doing so allows for more
+readable code and RSM emulation is not a performance critical path.
+
+Fixes: 660a5d517aaab ("KVM: x86: save/load state on SMM switch")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -2579,15 +2579,13 @@ static int em_rsm(struct x86_emulate_ctx
+ * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU
+ * supports long mode.
+ */
+- cr4 = ctxt->ops->get_cr(ctxt, 4);
+ if (emulator_has_longmode(ctxt)) {
+ struct desc_struct cs_desc;
+
+ /* Zero CR4.PCIDE before CR0.PG. */
+- if (cr4 & X86_CR4_PCIDE) {
++ cr4 = ctxt->ops->get_cr(ctxt, 4);
++ if (cr4 & X86_CR4_PCIDE)
+ ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
+- cr4 &= ~X86_CR4_PCIDE;
+- }
+
+ /* A 32-bit code segment is required to clear EFER.LMA. */
+ memset(&cs_desc, 0, sizeof(cs_desc));
+@@ -2601,13 +2599,16 @@ static int em_rsm(struct x86_emulate_ctx
+ if (cr0 & X86_CR0_PE)
+ ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE));
+
+- /* Now clear CR4.PAE (which must be done before clearing EFER.LME). */
+- if (cr4 & X86_CR4_PAE)
+- ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE);
+-
+- /* And finally go back to 32-bit mode. */
+- efer = 0;
+- ctxt->ops->set_msr(ctxt, MSR_EFER, efer);
++ if (emulator_has_longmode(ctxt)) {
++ /* Clear CR4.PAE before clearing EFER.LME. */
++ cr4 = ctxt->ops->get_cr(ctxt, 4);
++ if (cr4 & X86_CR4_PAE)
++ ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE);
++
++ /* And finally go back to 32-bit mode. */
++ efer = 0;
++ ctxt->ops->set_msr(ctxt, MSR_EFER, efer);
++ }
+
+ smbase = ctxt->ops->get_smbase(ctxt);
+ if (emulator_has_longmode(ctxt))
--- /dev/null
+From 4856bfd230985e43e84c26473c91028ff0a533bd Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Fri, 1 Mar 2019 14:48:37 +0100
+Subject: mac80211: do not call driver wake_tx_queue op during reconfig
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 4856bfd230985e43e84c26473c91028ff0a533bd upstream.
+
+There are several scenarios in which mac80211 can call drv_wake_tx_queue
+after ieee80211_restart_hw has been called and has not yet completed.
+Driver private structs are considered uninitialized until mac80211 has
+uploaded the vifs, stations and keys again, so using private tx queue
+data during that time is not safe.
+
+The driver can also not rely on drv_reconfig_complete to figure out when
+it is safe to accept drv_wake_tx_queue calls again, because it is only
+called after all tx queues are woken again.
+
+To fix this, bail out early in drv_wake_tx_queue if local->in_reconfig
+is set.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/driver-ops.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mac80211/driver-ops.h
++++ b/net/mac80211/driver-ops.h
+@@ -1163,6 +1163,9 @@ static inline void drv_wake_tx_queue(str
+ {
+ struct ieee80211_sub_if_data *sdata = vif_to_sdata(txq->txq.vif);
+
++ if (local->in_reconfig)
++ return;
++
+ if (!check_sdata_in_driver(sdata))
+ return;
+
--- /dev/null
+From 3fe3331bb285700ab2253dbb07f8e478fcea2f1b Mon Sep 17 00:00:00 2001
+From: Kim Phillips <kim.phillips@amd.com>
+Date: Thu, 21 Mar 2019 21:15:22 +0000
+Subject: perf/x86/amd: Add event map for AMD Family 17h
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kim Phillips <kim.phillips@amd.com>
+
+commit 3fe3331bb285700ab2253dbb07f8e478fcea2f1b upstream.
+
+Family 17h differs from prior families by:
+
+ - Does not support an L2 cache miss event
+ - It has re-enumerated PMC counters for:
+ - L2 cache references
+ - front & back end stalled cycles
+
+So we add a new amd_f17h_perfmon_event_map[] so that the generic
+perf event names will resolve to the correct h/w events on
+family 17h and above processors.
+
+Reference sections 2.1.13.3.3 (stalls) and 2.1.13.3.6 (L2):
+
+ https://www.amd.com/system/files/TechDocs/54945_PPR_Family_17h_Models_00h-0Fh.pdf
+
+Signed-off-by: Kim Phillips <kim.phillips@amd.com>
+Cc: <stable@vger.kernel.org> # v4.9+
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Martin Liška <mliska@suse.cz>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Pu Wen <puwen@hygon.cn>
+Cc: Suravee Suthikulpanit <Suravee.Suthikulpanit@amd.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-kernel@vger.kernel.org
+Fixes: e40ed1542dd7 ("perf/x86: Add perf support for AMD family-17h processors")
+[ Improved the formatting a bit. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/events/amd/core.c | 35 ++++++++++++++++++++++++++---------
+ 1 file changed, 26 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/events/amd/core.c
++++ b/arch/x86/events/amd/core.c
+@@ -113,22 +113,39 @@ static __initconst const u64 amd_hw_cach
+ };
+
+ /*
+- * AMD Performance Monitor K7 and later.
++ * AMD Performance Monitor K7 and later, up to and including Family 16h:
+ */
+ static const u64 amd_perfmon_event_map[PERF_COUNT_HW_MAX] =
+ {
+- [PERF_COUNT_HW_CPU_CYCLES] = 0x0076,
+- [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0,
+- [PERF_COUNT_HW_CACHE_REFERENCES] = 0x077d,
+- [PERF_COUNT_HW_CACHE_MISSES] = 0x077e,
+- [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2,
+- [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3,
+- [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x00d0, /* "Decoder empty" event */
+- [PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = 0x00d1, /* "Dispatch stalls" event */
++ [PERF_COUNT_HW_CPU_CYCLES] = 0x0076,
++ [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0,
++ [PERF_COUNT_HW_CACHE_REFERENCES] = 0x077d,
++ [PERF_COUNT_HW_CACHE_MISSES] = 0x077e,
++ [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2,
++ [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3,
++ [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x00d0, /* "Decoder empty" event */
++ [PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = 0x00d1, /* "Dispatch stalls" event */
++};
++
++/*
++ * AMD Performance Monitor Family 17h and later:
++ */
++static const u64 amd_f17h_perfmon_event_map[PERF_COUNT_HW_MAX] =
++{
++ [PERF_COUNT_HW_CPU_CYCLES] = 0x0076,
++ [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0,
++ [PERF_COUNT_HW_CACHE_REFERENCES] = 0xff60,
++ [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2,
++ [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3,
++ [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x0287,
++ [PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = 0x0187,
+ };
+
+ static u64 amd_pmu_event_map(int hw_event)
+ {
++ if (boot_cpu_data.x86 >= 0x17)
++ return amd_f17h_perfmon_event_map[hw_event];
++
+ return amd_perfmon_event_map[hw_event];
+ }
+
--- /dev/null
+From 0228034d8e5915b98c33db35a98f5e909e848ae9 Mon Sep 17 00:00:00 2001
+From: Saurav Kashyap <skashyap@marvell.com>
+Date: Thu, 18 Apr 2019 03:40:12 -0700
+Subject: Revert "scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO"
+
+From: Saurav Kashyap <skashyap@marvell.com>
+
+commit 0228034d8e5915b98c33db35a98f5e909e848ae9 upstream.
+
+This patch clears FC_RP_STARTED flag during logoff, because of this
+re-login(flogi) didn't happen to the switch.
+
+This reverts commit 1550ec458e0cf1a40a170ab1f4c46e3f52860f65.
+
+Fixes: 1550ec458e0c ("scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO")
+Cc: <stable@vger.kernel.org> # v4.18+
+Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
+Reviewed-by: Hannes Reinecke <hare@#suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/libfc/fc_rport.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/scsi/libfc/fc_rport.c
++++ b/drivers/scsi/libfc/fc_rport.c
+@@ -1935,7 +1935,6 @@ static void fc_rport_recv_logo_req(struc
+ FC_RPORT_DBG(rdata, "Received LOGO request while in state %s\n",
+ fc_rport_state(rdata));
+
+- rdata->flags &= ~FC_RP_STARTED;
+ fc_rport_enter_delete(rdata, RPORT_EV_STOP);
+ mutex_unlock(&rdata->rp_mutex);
+ kref_put(&rdata->kref, rdata->local_port->tt.rport_destroy);
--- /dev/null
+From 4a58038b9e420276157785afa0a0bbb4b9bc2265 Mon Sep 17 00:00:00 2001
+From: "Suthikulpanit, Suravee" <Suravee.Suthikulpanit@amd.com>
+Date: Wed, 20 Mar 2019 08:12:28 +0000
+Subject: Revert "svm: Fix AVIC incomplete IPI emulation"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Suthikulpanit, Suravee <Suravee.Suthikulpanit@amd.com>
+
+commit 4a58038b9e420276157785afa0a0bbb4b9bc2265 upstream.
+
+This reverts commit bb218fbcfaaa3b115d4cd7a43c0ca164f3a96e57.
+
+As Oren Twaig pointed out the old discussion:
+
+ https://patchwork.kernel.org/patch/8292231/
+
+that the change coud potentially cause an extra IPI to be sent to
+the destination vcpu because the AVIC hardware already set the IRR bit
+before the incomplete IPI #VMEXIT with id=1 (target vcpu is not running).
+Since writting to ICR and ICR2 will also set the IRR. If something triggers
+the destination vcpu to get scheduled before the emulation finishes, then
+this could result in an additional IPI.
+
+Also, the issue mentioned in the commit bb218fbcfaaa was misdiagnosed.
+
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Reported-by: Oren Twaig <oren@scalemp.com>
+Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/svm.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3940,14 +3940,25 @@ static int avic_incomplete_ipi_intercept
+ kvm_lapic_reg_write(apic, APIC_ICR, icrl);
+ break;
+ case AVIC_IPI_FAILURE_TARGET_NOT_RUNNING: {
++ int i;
++ struct kvm_vcpu *vcpu;
++ struct kvm *kvm = svm->vcpu.kvm;
+ struct kvm_lapic *apic = svm->vcpu.arch.apic;
+
+ /*
+- * Update ICR high and low, then emulate sending IPI,
+- * which is handled when writing APIC_ICR.
++ * At this point, we expect that the AVIC HW has already
++ * set the appropriate IRR bits on the valid target
++ * vcpus. So, we just need to kick the appropriate vcpu.
+ */
+- kvm_lapic_reg_write(apic, APIC_ICR2, icrh);
+- kvm_lapic_reg_write(apic, APIC_ICR, icrl);
++ kvm_for_each_vcpu(i, vcpu, kvm) {
++ bool m = kvm_apic_match_dest(vcpu, apic,
++ icrl & KVM_APIC_SHORT_MASK,
++ GET_APIC_DEST_FIELD(icrh),
++ icrl & KVM_APIC_DEST_MASK);
++
++ if (m && !avic_vcpu_is_running(vcpu))
++ kvm_vcpu_wake_up(vcpu);
++ }
+ break;
+ }
+ case AVIC_IPI_FAILURE_INVALID_TARGET:
--- /dev/null
+From 746ba11f170603bf1eaade817553a6c2e9135bbe Mon Sep 17 00:00:00 2001
+From: Vijayakumar Durai <vijayakumar.durai1@vivint.com>
+Date: Wed, 27 Mar 2019 11:03:17 +0100
+Subject: rt2x00: do not increment sequence number while re-transmitting
+
+From: Vijayakumar Durai <vijayakumar.durai1@vivint.com>
+
+commit 746ba11f170603bf1eaade817553a6c2e9135bbe upstream.
+
+Currently rt2x00 devices retransmit the management frames with
+incremented sequence number if hardware is assigning the sequence.
+
+This is HW bug fixed already for non-QOS data frames, but it should
+be fixed for management frames except beacon.
+
+Without fix retransmitted frames have wrong SN:
+
+ AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1648, FN=0, Flags=........C Frame is not being retransmitted 1648 1
+ AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1649, FN=0, Flags=....R...C Frame is being retransmitted 1649 1
+ AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1650, FN=0, Flags=....R...C Frame is being retransmitted 1650 1
+
+With the fix SN stays correctly the same:
+
+ 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=........C
+ 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=....R...C
+ 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=....R...C
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Vijayakumar Durai <vijayakumar.durai1@vivint.com>
+[sgruszka: simplify code, change comments and changelog]
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ralink/rt2x00/rt2x00.h | 1 -
+ drivers/net/wireless/ralink/rt2x00/rt2x00mac.c | 10 ----------
+ drivers/net/wireless/ralink/rt2x00/rt2x00queue.c | 15 +++++++++------
+ 3 files changed, 9 insertions(+), 17 deletions(-)
+
+--- a/drivers/net/wireless/ralink/rt2x00/rt2x00.h
++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00.h
+@@ -669,7 +669,6 @@ enum rt2x00_state_flags {
+ CONFIG_CHANNEL_HT40,
+ CONFIG_POWERSAVING,
+ CONFIG_HT_DISABLED,
+- CONFIG_QOS_DISABLED,
+ CONFIG_MONITORING,
+
+ /*
+--- a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
+@@ -666,19 +666,9 @@ void rt2x00mac_bss_info_changed(struct i
+ rt2x00dev->intf_associated--;
+
+ rt2x00leds_led_assoc(rt2x00dev, !!rt2x00dev->intf_associated);
+-
+- clear_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags);
+ }
+
+ /*
+- * Check for access point which do not support 802.11e . We have to
+- * generate data frames sequence number in S/W for such AP, because
+- * of H/W bug.
+- */
+- if (changes & BSS_CHANGED_QOS && !bss_conf->qos)
+- set_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags);
+-
+- /*
+ * When the erp information has changed, we should perform
+ * additional configuration steps. For all other changes we are done.
+ */
+--- a/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c
+@@ -201,15 +201,18 @@ static void rt2x00queue_create_tx_descri
+ if (!rt2x00_has_cap_flag(rt2x00dev, REQUIRE_SW_SEQNO)) {
+ /*
+ * rt2800 has a H/W (or F/W) bug, device incorrectly increase
+- * seqno on retransmited data (non-QOS) frames. To workaround
+- * the problem let's generate seqno in software if QOS is
+- * disabled.
++ * seqno on retransmitted data (non-QOS) and management frames.
++ * To workaround the problem let's generate seqno in software.
++ * Except for beacons which are transmitted periodically by H/W
++ * hence hardware has to assign seqno for them.
+ */
+- if (test_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags))
+- __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
+- else
++ if (ieee80211_is_beacon(hdr->frame_control)) {
++ __set_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
+ /* H/W will generate sequence number */
+ return;
++ }
++
++ __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
+ }
+
+ /*
modpost-file2alias-go-back-to-simple-devtable-lookup.patch
modpost-file2alias-check-prototype-of-handler.patch
tpm-tpm_i2c_atmel-return-e2big-when-the-transfer-is-.patch
+cifs-keep-fileinfo-handle-live-during-oplock-break.patch
+kvm-x86-don-t-clear-efer-during-smm-transitions-for-32-bit-vcpu.patch
+staging-iio-ad7192-fix-ad7193-channel-address.patch
+iio-gyro-bmg160-use-millidegrees-for-temperature-scale.patch
+iio-ad_sigma_delta-select-channel-when-reading-register.patch
+iio-adc-at91-disable-adc-channel-interrupt-in-timeout-case.patch
+io-accel-kxcjk1013-restore-the-range-after-resume.patch
+staging-comedi-vmk80xx-fix-use-of-uninitialized-semaphore.patch
+staging-comedi-vmk80xx-fix-possible-double-free-of-usb_rx_buf.patch
+staging-comedi-ni_usb6501-fix-use-of-uninitialized-mutex.patch
+staging-comedi-ni_usb6501-fix-possible-double-free-of-usb_rx_buf.patch
+alsa-core-fix-card-races-between-register-and-disconnect.patch
+revert-scsi-fcoe-clear-fc_rp_started-flags-when-receiving-a-logo.patch
+revert-svm-fix-avic-incomplete-ipi-emulation.patch
+crypto-x86-poly1305-fix-overflow-during-partial-reduction.patch
+arm64-futex-restore-oldval-initialization-to-work-around-buggy-compilers.patch
+x86-kprobes-verify-stack-frame-on-kretprobe.patch
+kprobes-mark-ftrace-mcount-handler-functions-nokprobe.patch
+kprobes-fix-error-check-when-reusing-optimized-probes.patch
+rt2x00-do-not-increment-sequence-number-while-re-transmitting.patch
+mac80211-do-not-call-driver-wake_tx_queue-op-during-reconfig.patch
+perf-x86-amd-add-event-map-for-amd-family-17h.patch
--- /dev/null
+From af4b54a2e5ba18259ff9aac445bf546dd60d037e Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 15 Apr 2019 12:43:02 +0100
+Subject: staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit af4b54a2e5ba18259ff9aac445bf546dd60d037e upstream.
+
+`ni6501_alloc_usb_buffers()` is called from `ni6501_auto_attach()` to
+allocate RX and TX buffers for USB transfers. It allocates
+`devpriv->usb_rx_buf` followed by `devpriv->usb_tx_buf`. If the
+allocation of `devpriv->usb_tx_buf` fails, it frees
+`devpriv->usb_rx_buf`, leaving the pointer set dangling, and returns an
+error. Later, `ni6501_detach()` will be called from the core comedi
+module code to clean up. `ni6501_detach()` also frees both
+`devpriv->usb_rx_buf` and `devpriv->usb_tx_buf`, but
+`devpriv->usb_rx_buf` may have already beed freed, leading to a
+double-free error. Fix it bu removing the call to
+`kfree(devpriv->usb_rx_buf)` from `ni6501_alloc_usb_buffers()`, relying
+on `ni6501_detach()` to free the memory.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/ni_usb6501.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/ni_usb6501.c
++++ b/drivers/staging/comedi/drivers/ni_usb6501.c
+@@ -472,10 +472,8 @@ static int ni6501_alloc_usb_buffers(stru
+
+ size = usb_endpoint_maxp(devpriv->ep_tx);
+ devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
+- if (!devpriv->usb_tx_buf) {
+- kfree(devpriv->usb_rx_buf);
++ if (!devpriv->usb_tx_buf)
+ return -ENOMEM;
+- }
+
+ return 0;
+ }
--- /dev/null
+From 660cf4ce9d0f3497cc7456eaa6d74c8b71d6282c Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 15 Apr 2019 12:43:01 +0100
+Subject: staging: comedi: ni_usb6501: Fix use of uninitialized mutex
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 660cf4ce9d0f3497cc7456eaa6d74c8b71d6282c upstream.
+
+If `ni6501_auto_attach()` returns an error, the core comedi module code
+will call `ni6501_detach()` to clean up. If `ni6501_auto_attach()`
+successfully allocated the comedi device private data, `ni6501_detach()`
+assumes that a `struct mutex mut` contained in the private data has been
+initialized and uses it. Unfortunately, there are a couple of places
+where `ni6501_auto_attach()` can return an error after allocating the
+device private data but before initializing the mutex, so this
+assumption is invalid. Fix it by initializing the mutex just after
+allocating the private data in `ni6501_auto_attach()` before any other
+errors can be retturned. Also move the call to `usb_set_intfdata()`
+just to keep the code a bit neater (either position for the call is
+fine).
+
+I believe this was the cause of the following syzbot crash report
+<https://syzkaller.appspot.com/bug?extid=cf4f2b6c24aff0a3edf6>:
+
+usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
+usb 1-1: config 0 descriptor??
+usb 1-1: string descriptor 0 read error: -71
+comedi comedi0: Wrong number of endpoints
+ni6501 1-1:0.233: driver 'ni6501' failed to auto-configure device.
+INFO: trying to register non-static key.
+the code is fine but needs lockdep annotation.
+turning off the locking correctness validator.
+CPU: 0 PID: 585 Comm: kworker/0:3 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: usb_hub_wq hub_event
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xe8/0x16e lib/dump_stack.c:113
+ assign_lock_key kernel/locking/lockdep.c:786 [inline]
+ register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095
+ __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582
+ lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211
+ __mutex_lock_common kernel/locking/mutex.c:925 [inline]
+ __mutex_lock+0xfe/0x12b0 kernel/locking/mutex.c:1072
+ ni6501_detach+0x5b/0x110 drivers/staging/comedi/drivers/ni_usb6501.c:567
+ comedi_device_detach+0xed/0x800 drivers/staging/comedi/drivers.c:204
+ comedi_device_cleanup.part.0+0x68/0x140 drivers/staging/comedi/comedi_fops.c:156
+ comedi_device_cleanup drivers/staging/comedi/comedi_fops.c:187 [inline]
+ comedi_free_board_dev.part.0+0x16/0x90 drivers/staging/comedi/comedi_fops.c:190
+ comedi_free_board_dev drivers/staging/comedi/comedi_fops.c:189 [inline]
+ comedi_release_hardware_device+0x111/0x140 drivers/staging/comedi/comedi_fops.c:2880
+ comedi_auto_config.cold+0x124/0x1b0 drivers/staging/comedi/drivers.c:1068
+ usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
+ really_probe+0x2da/0xb10 drivers/base/dd.c:509
+ driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
+ __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
+ bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
+ __device_attach+0x223/0x3a0 drivers/base/dd.c:844
+ bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
+ device_add+0xad2/0x16e0 drivers/base/core.c:2106
+ usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
+ generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
+ usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
+ really_probe+0x2da/0xb10 drivers/base/dd.c:509
+ driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
+ __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
+ bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
+ __device_attach+0x223/0x3a0 drivers/base/dd.c:844
+ bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
+ device_add+0xad2/0x16e0 drivers/base/core.c:2106
+ usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
+ hub_port_connect drivers/usb/core/hub.c:5089 [inline]
+ hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
+ port_event drivers/usb/core/hub.c:5350 [inline]
+ hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
+ process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
+ worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
+ kthread+0x313/0x420 kernel/kthread.c:253
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
+
+Reported-by: syzbot+cf4f2b6c24aff0a3edf6@syzkaller.appspotmail.com
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/ni_usb6501.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/ni_usb6501.c
++++ b/drivers/staging/comedi/drivers/ni_usb6501.c
+@@ -527,6 +527,9 @@ static int ni6501_auto_attach(struct com
+ if (!devpriv)
+ return -ENOMEM;
+
++ mutex_init(&devpriv->mut);
++ usb_set_intfdata(intf, devpriv);
++
+ ret = ni6501_find_endpoints(dev);
+ if (ret)
+ return ret;
+@@ -535,9 +538,6 @@ static int ni6501_auto_attach(struct com
+ if (ret)
+ return ret;
+
+- mutex_init(&devpriv->mut);
+- usb_set_intfdata(intf, devpriv);
+-
+ ret = comedi_alloc_subdevices(dev, 2);
+ if (ret)
+ return ret;
--- /dev/null
+From 663d294b4768bfd89e529e069bffa544a830b5bf Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 15 Apr 2019 12:52:30 +0100
+Subject: staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 663d294b4768bfd89e529e069bffa544a830b5bf upstream.
+
+`vmk80xx_alloc_usb_buffers()` is called from `vmk80xx_auto_attach()` to
+allocate RX and TX buffers for USB transfers. It allocates
+`devpriv->usb_rx_buf` followed by `devpriv->usb_tx_buf`. If the
+allocation of `devpriv->usb_tx_buf` fails, it frees
+`devpriv->usb_rx_buf`, leaving the pointer set dangling, and returns an
+error. Later, `vmk80xx_detach()` will be called from the core comedi
+module code to clean up. `vmk80xx_detach()` also frees both
+`devpriv->usb_rx_buf` and `devpriv->usb_tx_buf`, but
+`devpriv->usb_rx_buf` may have already been freed, leading to a
+double-free error. Fix it by removing the call to
+`kfree(devpriv->usb_rx_buf)` from `vmk80xx_alloc_usb_buffers()`, relying
+on `vmk80xx_detach()` to free the memory.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/vmk80xx.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/vmk80xx.c
++++ b/drivers/staging/comedi/drivers/vmk80xx.c
+@@ -691,10 +691,8 @@ static int vmk80xx_alloc_usb_buffers(str
+
+ size = usb_endpoint_maxp(devpriv->ep_tx);
+ devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
+- if (!devpriv->usb_tx_buf) {
+- kfree(devpriv->usb_rx_buf);
++ if (!devpriv->usb_tx_buf)
+ return -ENOMEM;
+- }
+
+ return 0;
+ }
--- /dev/null
+From 08b7c2f9208f0e2a32159e4e7a4831b7adb10a3e Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 15 Apr 2019 12:10:14 +0100
+Subject: staging: comedi: vmk80xx: Fix use of uninitialized semaphore
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 08b7c2f9208f0e2a32159e4e7a4831b7adb10a3e upstream.
+
+If `vmk80xx_auto_attach()` returns an error, the core comedi module code
+will call `vmk80xx_detach()` to clean up. If `vmk80xx_auto_attach()`
+successfully allocated the comedi device private data,
+`vmk80xx_detach()` assumes that a `struct semaphore limit_sem` contained
+in the private data has been initialized and uses it. Unfortunately,
+there are a couple of places where `vmk80xx_auto_attach()` can return an
+error after allocating the device private data but before initializing
+the semaphore, so this assumption is invalid. Fix it by initializing
+the semaphore just after allocating the private data in
+`vmk80xx_auto_attach()` before any other errors can be returned.
+
+I believe this was the cause of the following syzbot crash report
+<https://syzkaller.appspot.com/bug?extid=54c2f58f15fe6876b6ad>:
+
+usb 1-1: config 0 has no interface number 0
+usb 1-1: New USB device found, idVendor=10cf, idProduct=8068, bcdDevice=e6.8d
+usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
+usb 1-1: config 0 descriptor??
+vmk80xx 1-1:0.117: driver 'vmk80xx' failed to auto-configure device.
+INFO: trying to register non-static key.
+the code is fine but needs lockdep annotation.
+turning off the locking correctness validator.
+CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: usb_hub_wq hub_event
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xe8/0x16e lib/dump_stack.c:113
+ assign_lock_key kernel/locking/lockdep.c:786 [inline]
+ register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095
+ __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582
+ lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+ _raw_spin_lock_irqsave+0x44/0x60 kernel/locking/spinlock.c:152
+ down+0x12/0x80 kernel/locking/semaphore.c:58
+ vmk80xx_detach+0x59/0x100 drivers/staging/comedi/drivers/vmk80xx.c:829
+ comedi_device_detach+0xed/0x800 drivers/staging/comedi/drivers.c:204
+ comedi_device_cleanup.part.0+0x68/0x140 drivers/staging/comedi/comedi_fops.c:156
+ comedi_device_cleanup drivers/staging/comedi/comedi_fops.c:187 [inline]
+ comedi_free_board_dev.part.0+0x16/0x90 drivers/staging/comedi/comedi_fops.c:190
+ comedi_free_board_dev drivers/staging/comedi/comedi_fops.c:189 [inline]
+ comedi_release_hardware_device+0x111/0x140 drivers/staging/comedi/comedi_fops.c:2880
+ comedi_auto_config.cold+0x124/0x1b0 drivers/staging/comedi/drivers.c:1068
+ usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
+ really_probe+0x2da/0xb10 drivers/base/dd.c:509
+ driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
+ __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
+ bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
+ __device_attach+0x223/0x3a0 drivers/base/dd.c:844
+ bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
+ device_add+0xad2/0x16e0 drivers/base/core.c:2106
+ usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
+ generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
+ usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
+ really_probe+0x2da/0xb10 drivers/base/dd.c:509
+ driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
+ __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
+ bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
+ __device_attach+0x223/0x3a0 drivers/base/dd.c:844
+ bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
+ device_add+0xad2/0x16e0 drivers/base/core.c:2106
+ usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
+ hub_port_connect drivers/usb/core/hub.c:5089 [inline]
+ hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
+ port_event drivers/usb/core/hub.c:5350 [inline]
+ hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
+ process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
+ worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
+ kthread+0x313/0x420 kernel/kthread.c:253
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
+
+Reported-by: syzbot+54c2f58f15fe6876b6ad@syzkaller.appspotmail.com
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/vmk80xx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/vmk80xx.c
++++ b/drivers/staging/comedi/drivers/vmk80xx.c
+@@ -809,6 +809,8 @@ static int vmk80xx_auto_attach(struct co
+
+ devpriv->model = board->model;
+
++ sema_init(&devpriv->limit_sem, 8);
++
+ ret = vmk80xx_find_usb_endpoints(dev);
+ if (ret)
+ return ret;
+@@ -817,8 +819,6 @@ static int vmk80xx_auto_attach(struct co
+ if (ret)
+ return ret;
+
+- sema_init(&devpriv->limit_sem, 8);
+-
+ usb_set_intfdata(intf, devpriv);
+
+ if (devpriv->model == VMK8055_MODEL)
--- /dev/null
+From 7ce0f216221856a17fc4934b39284678a5fef2e9 Mon Sep 17 00:00:00 2001
+From: Mircea Caprioru <mircea.caprioru@analog.com>
+Date: Wed, 20 Feb 2019 13:08:20 +0200
+Subject: staging: iio: ad7192: Fix ad7193 channel address
+
+From: Mircea Caprioru <mircea.caprioru@analog.com>
+
+commit 7ce0f216221856a17fc4934b39284678a5fef2e9 upstream.
+
+This patch fixes the differential channels addresses for the ad7193.
+
+Signed-off-by: Mircea Caprioru <mircea.caprioru@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/iio/adc/ad7192.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/staging/iio/adc/ad7192.c
++++ b/drivers/staging/iio/adc/ad7192.c
+@@ -109,10 +109,10 @@
+ #define AD7192_CH_AIN3 BIT(6) /* AIN3 - AINCOM */
+ #define AD7192_CH_AIN4 BIT(7) /* AIN4 - AINCOM */
+
+-#define AD7193_CH_AIN1P_AIN2M 0x000 /* AIN1(+) - AIN2(-) */
+-#define AD7193_CH_AIN3P_AIN4M 0x001 /* AIN3(+) - AIN4(-) */
+-#define AD7193_CH_AIN5P_AIN6M 0x002 /* AIN5(+) - AIN6(-) */
+-#define AD7193_CH_AIN7P_AIN8M 0x004 /* AIN7(+) - AIN8(-) */
++#define AD7193_CH_AIN1P_AIN2M 0x001 /* AIN1(+) - AIN2(-) */
++#define AD7193_CH_AIN3P_AIN4M 0x002 /* AIN3(+) - AIN4(-) */
++#define AD7193_CH_AIN5P_AIN6M 0x004 /* AIN5(+) - AIN6(-) */
++#define AD7193_CH_AIN7P_AIN8M 0x008 /* AIN7(+) - AIN8(-) */
+ #define AD7193_CH_TEMP 0x100 /* Temp senseor */
+ #define AD7193_CH_AIN2P_AIN2M 0x200 /* AIN2(+) - AIN2(-) */
+ #define AD7193_CH_AIN1 0x401 /* AIN1 - AINCOM */
--- /dev/null
+From 3ff9c075cc767b3060bdac12da72fc94dd7da1b8 Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Sun, 24 Feb 2019 01:49:52 +0900
+Subject: x86/kprobes: Verify stack frame on kretprobe
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 3ff9c075cc767b3060bdac12da72fc94dd7da1b8 upstream.
+
+Verify the stack frame pointer on kretprobe trampoline handler,
+If the stack frame pointer does not match, it skips the wrong
+entry and tries to find correct one.
+
+This can happen if user puts the kretprobe on the function
+which can be used in the path of ftrace user-function call.
+Such functions should not be probed, so this adds a warning
+message that reports which function should be blacklisted.
+
+Tested-by: Andrea Righi <righi.andrea@gmail.com>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Acked-by: Steven Rostedt <rostedt@goodmis.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/155094059185.6137.15527904013362842072.stgit@devbox
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/kprobes/core.c | 26 ++++++++++++++++++++++++++
+ include/linux/kprobes.h | 1 +
+ 2 files changed, 27 insertions(+)
+
+--- a/arch/x86/kernel/kprobes/core.c
++++ b/arch/x86/kernel/kprobes/core.c
+@@ -545,6 +545,7 @@ void arch_prepare_kretprobe(struct kretp
+ unsigned long *sara = stack_addr(regs);
+
+ ri->ret_addr = (kprobe_opcode_t *) *sara;
++ ri->fp = sara;
+
+ /* Replace the return addr with trampoline addr */
+ *sara = (unsigned long) &kretprobe_trampoline;
+@@ -746,15 +747,21 @@ __visible __used void *trampoline_handle
+ unsigned long flags, orig_ret_address = 0;
+ unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline;
+ kprobe_opcode_t *correct_ret_addr = NULL;
++ void *frame_pointer;
++ bool skipped = false;
+
+ INIT_HLIST_HEAD(&empty_rp);
+ kretprobe_hash_lock(current, &head, &flags);
+ /* fixup registers */
+ #ifdef CONFIG_X86_64
+ regs->cs = __KERNEL_CS;
++ /* On x86-64, we use pt_regs->sp for return address holder. */
++ frame_pointer = ®s->sp;
+ #else
+ regs->cs = __KERNEL_CS | get_kernel_rpl();
+ regs->gs = 0;
++ /* On x86-32, we use pt_regs->flags for return address holder. */
++ frame_pointer = ®s->flags;
+ #endif
+ regs->ip = trampoline_address;
+ regs->orig_ax = ~0UL;
+@@ -776,8 +783,25 @@ __visible __used void *trampoline_handle
+ if (ri->task != current)
+ /* another task is sharing our hash bucket */
+ continue;
++ /*
++ * Return probes must be pushed on this hash list correct
++ * order (same as return order) so that it can be poped
++ * correctly. However, if we find it is pushed it incorrect
++ * order, this means we find a function which should not be
++ * probed, because the wrong order entry is pushed on the
++ * path of processing other kretprobe itself.
++ */
++ if (ri->fp != frame_pointer) {
++ if (!skipped)
++ pr_warn("kretprobe is stacked incorrectly. Trying to fixup.\n");
++ skipped = true;
++ continue;
++ }
+
+ orig_ret_address = (unsigned long)ri->ret_addr;
++ if (skipped)
++ pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n",
++ ri->rp->kp.addr);
+
+ if (orig_ret_address != trampoline_address)
+ /*
+@@ -795,6 +819,8 @@ __visible __used void *trampoline_handle
+ if (ri->task != current)
+ /* another task is sharing our hash bucket */
+ continue;
++ if (ri->fp != frame_pointer)
++ continue;
+
+ orig_ret_address = (unsigned long)ri->ret_addr;
+ if (ri->rp && ri->rp->handler) {
+--- a/include/linux/kprobes.h
++++ b/include/linux/kprobes.h
+@@ -197,6 +197,7 @@ struct kretprobe_instance {
+ struct kretprobe *rp;
+ kprobe_opcode_t *ret_addr;
+ struct task_struct *task;
++ void *fp;
+ char data[0];
+ };
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
