4.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 7 Sep 2018 09:31:19 +0000 (11:31 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 7 Sep 2018 09:31:19 +0000 (11:31 +0200)
added patches:
9p-fix-multiple-null-pointer-dereferences.patch
9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch
apparmor-fix-bad-debug-check-in-apparmor_secid_to_secctx.patch
cxl-fix-wrong-comparison-in-cxl_adapter_context_get.patch
dma-buf-move-bug_on-from-_add_shared_fence-to-_add_shared_inplace.patch
fix-kexec-forbidding-kernels-signed-with-keys-in-the-secondary-keyring-to-boot.patch
fs-9p-xattr.c-catch-the-error-of-p9_client_clunk-when-setting-xattr-failed.patch
ib-mlx5-fix-leaking-stack-memory-to-userspace.patch
ib-mlx5-honor-cnt_set_id_valid-flag-instead-of-set_id.patch
ib-srpt-fix-srpt_cm_req_recv-error-path-1-2.patch
ib-srpt-fix-srpt_cm_req_recv-error-path-2-2.patch
ib-srpt-support-hcas-with-more-than-two-ports.patch
ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch
ib_srpt-fix-a-use-after-free-in-srpt_close_ch.patch
libertas-fix-suspend-and-resume-for-sdio-connected-cards.patch
mailbox-xgene-slimpro-fix-potential-null-pointer-dereference.patch
media-revert-tvp5150-fix-pad-format-frame-height.patch
net-9p-client.c-version-pointer-uninitialized.patch
net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch
ocxl-fix-page-fault-handler-in-case-of-fault-on-dying-process.patch
powerpc-64s-fix-page-table-fragment-refcount-race-vs-speculative-references.patch
powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch
powerpc-nohash-fix-pte_access_permitted.patch
powerpc-pkeys-deny-read-write-execute-by-default.patch
powerpc-pkeys-fix-calculation-of-total-pkeys.patch
powerpc-pkeys-give-all-threads-control-of-their-key-permissions.patch
powerpc-pkeys-key-allocation-deallocation-must-not-change-pkey-registers.patch
powerpc-pkeys-preallocate-execute-only-key.patch
powerpc-pkeys-save-the-pkey-registers-before-fork.patch
powerpc-powernv-pci-work-around-races-in-pci-bridge-enabling.patch
powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch
powerpc64-ftrace-include-ftrace.h-needed-for-enable-disable-calls.patch
rdma-mlx5-fix-shift-overflow-in-mlx5_ib_create_wq.patch
rdma-rxe-set-wqe-status-correctly-if-an-unexpected-response-is-received.patch
replace-magic-for-trusting-the-secondary-keyring-with-define.patch

36 files changed:
queue-4.18/9p-fix-multiple-null-pointer-dereferences.patch [new file with mode: 0644]
queue-4.18/9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch [new file with mode: 0644]
queue-4.18/apparmor-fix-bad-debug-check-in-apparmor_secid_to_secctx.patch [new file with mode: 0644]
queue-4.18/cxl-fix-wrong-comparison-in-cxl_adapter_context_get.patch [new file with mode: 0644]
queue-4.18/dma-buf-move-bug_on-from-_add_shared_fence-to-_add_shared_inplace.patch [new file with mode: 0644]
queue-4.18/fix-kexec-forbidding-kernels-signed-with-keys-in-the-secondary-keyring-to-boot.patch [new file with mode: 0644]
queue-4.18/fs-9p-xattr.c-catch-the-error-of-p9_client_clunk-when-setting-xattr-failed.patch [new file with mode: 0644]
queue-4.18/ib-mlx5-fix-leaking-stack-memory-to-userspace.patch [new file with mode: 0644]
queue-4.18/ib-mlx5-honor-cnt_set_id_valid-flag-instead-of-set_id.patch [new file with mode: 0644]
queue-4.18/ib-srpt-fix-srpt_cm_req_recv-error-path-1-2.patch [new file with mode: 0644]
queue-4.18/ib-srpt-fix-srpt_cm_req_recv-error-path-2-2.patch [new file with mode: 0644]
queue-4.18/ib-srpt-support-hcas-with-more-than-two-ports.patch [new file with mode: 0644]
queue-4.18/ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch [new file with mode: 0644]
queue-4.18/ib_srpt-fix-a-use-after-free-in-srpt_close_ch.patch [new file with mode: 0644]
queue-4.18/libertas-fix-suspend-and-resume-for-sdio-connected-cards.patch [new file with mode: 0644]
queue-4.18/mailbox-xgene-slimpro-fix-potential-null-pointer-dereference.patch [new file with mode: 0644]
queue-4.18/media-revert-tvp5150-fix-pad-format-frame-height.patch [new file with mode: 0644]
queue-4.18/net-9p-client.c-version-pointer-uninitialized.patch [new file with mode: 0644]
queue-4.18/net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch [new file with mode: 0644]
queue-4.18/ocxl-fix-page-fault-handler-in-case-of-fault-on-dying-process.patch [new file with mode: 0644]
queue-4.18/powerpc-64s-fix-page-table-fragment-refcount-race-vs-speculative-references.patch [new file with mode: 0644]
queue-4.18/powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch [new file with mode: 0644]
queue-4.18/powerpc-nohash-fix-pte_access_permitted.patch [new file with mode: 0644]
queue-4.18/powerpc-pkeys-deny-read-write-execute-by-default.patch [new file with mode: 0644]
queue-4.18/powerpc-pkeys-fix-calculation-of-total-pkeys.patch [new file with mode: 0644]
queue-4.18/powerpc-pkeys-give-all-threads-control-of-their-key-permissions.patch [new file with mode: 0644]
queue-4.18/powerpc-pkeys-key-allocation-deallocation-must-not-change-pkey-registers.patch [new file with mode: 0644]
queue-4.18/powerpc-pkeys-preallocate-execute-only-key.patch [new file with mode: 0644]
queue-4.18/powerpc-pkeys-save-the-pkey-registers-before-fork.patch [new file with mode: 0644]
queue-4.18/powerpc-powernv-pci-work-around-races-in-pci-bridge-enabling.patch [new file with mode: 0644]
queue-4.18/powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch [new file with mode: 0644]
queue-4.18/powerpc64-ftrace-include-ftrace.h-needed-for-enable-disable-calls.patch [new file with mode: 0644]
queue-4.18/rdma-mlx5-fix-shift-overflow-in-mlx5_ib_create_wq.patch [new file with mode: 0644]
queue-4.18/rdma-rxe-set-wqe-status-correctly-if-an-unexpected-response-is-received.patch [new file with mode: 0644]
queue-4.18/replace-magic-for-trusting-the-secondary-keyring-with-define.patch [new file with mode: 0644]
queue-4.18/series

diff --git a/queue-4.18/9p-fix-multiple-null-pointer-dereferences.patch b/queue-4.18/9p-fix-multiple-null-pointer-dereferences.patch
new file mode 100644 (file)
index 0000000..a82b0f9
--- /dev/null
@@ -0,0 +1,82 @@
+From 10aa14527f458e9867cf3d2cc6b8cb0f6704448b Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+Date: Fri, 27 Jul 2018 13:05:58 +0200
+Subject: 9p: fix multiple NULL-pointer-dereferences
+
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+
+commit 10aa14527f458e9867cf3d2cc6b8cb0f6704448b upstream.
+
+Added checks to prevent GPFs from raising.
+
+Link: http://lkml.kernel.org/r/20180727110558.5479-1-tomasbortoli@gmail.com
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Reported-by: syzbot+1a262da37d3bead15c39@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/9p/trans_fd.c     |    5 ++++-
+ net/9p/trans_rdma.c   |    3 +++
+ net/9p/trans_virtio.c |    3 +++
+ net/9p/trans_xen.c    |    3 +++
+ 4 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -940,7 +940,7 @@ p9_fd_create_tcp(struct p9_client *clien
+       if (err < 0)
+               return err;
+-      if (valid_ipaddr4(addr) < 0)
++      if (addr == NULL || valid_ipaddr4(addr) < 0)
+               return -EINVAL;
+       csocket = NULL;
+@@ -990,6 +990,9 @@ p9_fd_create_unix(struct p9_client *clie
+       csocket = NULL;
++      if (addr == NULL)
++              return -EINVAL;
++
+       if (strlen(addr) >= UNIX_PATH_MAX) {
+               pr_err("%s (%d): address too long: %s\n",
+                      __func__, task_pid_nr(current), addr);
+--- a/net/9p/trans_rdma.c
++++ b/net/9p/trans_rdma.c
+@@ -644,6 +644,9 @@ rdma_create_trans(struct p9_client *clie
+       struct rdma_conn_param conn_param;
+       struct ib_qp_init_attr qp_attr;
++      if (addr == NULL)
++              return -EINVAL;
++
+       /* Parse the transport specific mount options */
+       err = parse_opts(args, &opts);
+       if (err < 0)
+--- a/net/9p/trans_virtio.c
++++ b/net/9p/trans_virtio.c
+@@ -650,6 +650,9 @@ p9_virtio_create(struct p9_client *clien
+       int ret = -ENOENT;
+       int found = 0;
++      if (devname == NULL)
++              return -EINVAL;
++
+       mutex_lock(&virtio_9p_lock);
+       list_for_each_entry(chan, &virtio_chan_list, chan_list) {
+               if (!strncmp(devname, chan->tag, chan->tag_len) &&
+--- a/net/9p/trans_xen.c
++++ b/net/9p/trans_xen.c
+@@ -94,6 +94,9 @@ static int p9_xen_create(struct p9_clien
+ {
+       struct xen_9pfs_front_priv *priv;
++      if (addr == NULL)
++              return -EINVAL;
++
+       read_lock(&xen_9pfs_lock);
+       list_for_each_entry(priv, &xen_9pfs_devs, list) {
+               if (!strcmp(priv->tag, addr)) {
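Review bot: The commit message (L96) says only "Added checks to prevent GPFs from raising" and carries no Fixes: tag, so a stable reviewer cannot tell from this file which change made a NULL `addr`/`devname` reachable in the five create/transport callbacks, nor how it is reached (presumably a mount with no address string, but that is inferred). A one-line note in the message naming the path, or a comment at the first guard such as `/* addr is NULL when no transport address was supplied by the caller */`, would make the backport self-explanatory. The placement itself looks right: in p9_fd_create_unix the guard precedes the `strlen(addr)` call, and in p9_fd_create_tcp the combined `addr == NULL || valid_ipaddr4(addr) < 0` relies on short-circuit evaluation so valid_ipaddr4() never sees NULL. All five patched functions start and end outside their hunks.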
diff --git a/queue-4.18/9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch b/queue-4.18/9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch
new file mode 100644 (file)
index 0000000..bb6daaa
--- /dev/null
@@ -0,0 +1,44 @@
+From 23cba9cbde0bba05d772b335fe5f66aa82b9ad19 Mon Sep 17 00:00:00 2001
+From: jiangyiwen <jiangyiwen@huawei.com>
+Date: Fri, 3 Aug 2018 12:11:34 +0800
+Subject: 9p/virtio: fix off-by-one error in sg list bounds check
+
+From: jiangyiwen <jiangyiwen@huawei.com>
+
+commit 23cba9cbde0bba05d772b335fe5f66aa82b9ad19 upstream.
+
+Because the value of limit is VIRTQUEUE_NUM, if index is equal to
+limit, it will cause sg array out of bounds, so correct the judgement
+of BUG_ON.
+
+Link: http://lkml.kernel.org/r/5B63D5F6.6080109@huawei.com
+Signed-off-by: Yiwen Jiang <jiangyiwen@huawei.com>
+Reported-By: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Jun Piao <piaojun@huawei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/9p/trans_virtio.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/9p/trans_virtio.c
++++ b/net/9p/trans_virtio.c
+@@ -188,7 +188,7 @@ static int pack_sg_list(struct scatterli
+               s = rest_of_page(data);
+               if (s > count)
+                       s = count;
+-              BUG_ON(index > limit);
++              BUG_ON(index >= limit);
+               /* Make sure we don't terminate early. */
+               sg_unmark_end(&sg[index]);
+               sg_set_buf(&sg[index++], data, s);
+@@ -233,6 +233,7 @@ pack_sg_list_p(struct scatterlist *sg, i
+               s = PAGE_SIZE - data_off;
+               if (s > count)
+                       s = count;
++              BUG_ON(index >= limit);
+               /* Make sure we don't terminate early. */
+               sg_unmark_end(&sg[index]);
+               sg_set_page(&sg[index++], pdata[i++], s, data_off);
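Review bot: Both bounds checks are BUG_ON, so when `index` reaches `limit` the host panics instead of the request failing; `index` grows with the caller's `count` and page list while `limit` is the fixed VIRTQUEUE_NUM, so if a request larger than the virtqueue can reach pack_sg_list()/pack_sg_list_p() (their callers are outside the hunk) this is a local denial of service rather than a corruption guard. If the callers can propagate a negative return, `if (WARN_ON_ONCE(index >= limit)) return -ENOSPC;` in both helpers keeps the check without the panic; if they cannot, a comment saying why BUG_ON is acceptable here would help the next reader. Both helpers start and end outside the hunk.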
diff --git a/queue-4.18/apparmor-fix-bad-debug-check-in-apparmor_secid_to_secctx.patch b/queue-4.18/apparmor-fix-bad-debug-check-in-apparmor_secid_to_secctx.patch
new file mode 100644 (file)
index 0000000..9ee2f28
--- /dev/null
@@ -0,0 +1,98 @@
+From edf4e7b7b9104b58fddfcd073bd7dcc1585d5326 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Sat, 1 Sep 2018 01:57:52 -0700
+Subject: apparmor: fix bad debug check in apparmor_secid_to_secctx()
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit edf4e7b7b9104b58fddfcd073bd7dcc1585d5326 upstream.
+
+apparmor_secid_to_secctx() has a bad debug statement tripping on a
+condition handle by the code.  When kconfig SECURITY_APPARMOR_DEBUG is
+enabled the debug WARN_ON will trip when **secdata is NULL resulting
+in the following trace.
+
+------------[ cut here ]------------
+AppArmor WARN apparmor_secid_to_secctx: ((!secdata)):
+WARNING: CPU: 0 PID: 14826 at security/apparmor/secid.c:82 apparmor_secid_to_secctx+0x2b5/0x2f0 security/apparmor/secid.c:82
+Kernel panic - not syncing: panic_on_warn set ...
+
+CPU: 0 PID: 14826 Comm: syz-executor1 Not tainted 4.19.0-rc1+ #193
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
+ panic+0x238/0x4e7 kernel/panic.c:184
+ __warn.cold.8+0x163/0x1ba kernel/panic.c:536
+ report_bug+0x252/0x2d0 lib/bug.c:186
+ fixup_bug arch/x86/kernel/traps.c:178 [inline]
+ do_error_trap+0x1fc/0x4d0 arch/x86/kernel/traps.c:296
+ do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
+ invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:993
+RIP: 0010:apparmor_secid_to_secctx+0x2b5/0x2f0 security/apparmor/secid.c:82
+Code: c7 c7 40 66 58 87 e8 6a 6d 0f fe 0f 0b e9 6c fe ff ff e8 3e aa 44 fe 48 c7 c6 80 67 58 87 48 c7 c7 a0 65 58 87 e8 4b 6d 0f fe <0f> 0b e9 3f fe ff ff 48 89 df e8 fc a7 83 fe e9 ed fe ff ff bb f4
+RSP: 0018:ffff8801ba1bed10 EFLAGS: 00010286
+RAX: 0000000000000000 RBX: ffff8801ba1beed0 RCX: ffffc9000227e000
+RDX: 0000000000018482 RSI: ffffffff8163ac01 RDI: 0000000000000001
+RBP: ffff8801ba1bed30 R08: ffff8801b80ec080 R09: ffffed003b603eca
+R10: ffffed003b603eca R11: ffff8801db01f657 R12: 0000000000000001
+R13: 0000000000000000 R14: 0000000000000000 R15: ffff8801ba1beed0
+ security_secid_to_secctx+0x63/0xc0 security/security.c:1314
+ ctnetlink_secctx_size net/netfilter/nf_conntrack_netlink.c:621 [inline]
+ ctnetlink_nlmsg_size net/netfilter/nf_conntrack_netlink.c:659 [inline]
+ ctnetlink_conntrack_event+0x303/0x1470 net/netfilter/nf_conntrack_netlink.c:706
+ nf_conntrack_eventmask_report+0x55f/0x930 net/netfilter/nf_conntrack_ecache.c:151
+ nf_conntrack_event_report include/net/netfilter/nf_conntrack_ecache.h:112 [inline]
+ nf_ct_delete+0x33c/0x5d0 net/netfilter/nf_conntrack_core.c:601
+ nf_ct_iterate_cleanup+0x48c/0x5e0 net/netfilter/nf_conntrack_core.c:1892
+ nf_ct_iterate_cleanup_net+0x23c/0x2d0 net/netfilter/nf_conntrack_core.c:1974
+ ctnetlink_flush_conntrack net/netfilter/nf_conntrack_netlink.c:1226 [inline]
+ ctnetlink_del_conntrack+0x66c/0x850 net/netfilter/nf_conntrack_netlink.c:1258
+ nfnetlink_rcv_msg+0xd88/0x1070 net/netfilter/nfnetlink.c:228
+ netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2454
+ nfnetlink_rcv+0x1c0/0x4d0 net/netfilter/nfnetlink.c:560
+ netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
+ netlink_unicast+0x5a0/0x760 net/netlink/af_netlink.c:1343
+ netlink_sendmsg+0xa18/0xfc0 net/netlink/af_netlink.c:1908
+ sock_sendmsg_nosec net/socket.c:621 [inline]
+ sock_sendmsg+0xd5/0x120 net/socket.c:631
+ ___sys_sendmsg+0x7fd/0x930 net/socket.c:2114
+ __sys_sendmsg+0x11d/0x290 net/socket.c:2152
+ __do_sys_sendmsg net/socket.c:2161 [inline]
+ __se_sys_sendmsg net/socket.c:2159 [inline]
+ __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2159
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x457089
+Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f7bc6e03c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f7bc6e046d4 RCX: 0000000000457089
+RDX: 0000000000000000 RSI: 0000000020d65000 RDI: 0000000000000003
+RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000004d4588 R14: 00000000004c8d5c R15: 0000000000000000
+Dumping ftrace buffer:
+   (ftrace buffer empty)
+Kernel Offset: disabled
+Rebooting in 86400 seconds..
+
+CC: <stable@vger.kernel.org> #4.18
+Fixes: c092921219d2 ("apparmor: add support for mapping secids and using secctxes")
+Reported-by: syzbot+21016130b0580a9de3b5@syzkaller.appspotmail.com
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/secid.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/security/apparmor/secid.c
++++ b/security/apparmor/secid.c
+@@ -79,7 +79,6 @@ int apparmor_secid_to_secctx(u32 secid,
+       struct aa_label *label = aa_secid_to_label(secid);
+       int len;
+-      AA_BUG(!secdata);
+       AA_BUG(!seclen);
+       if (!label)
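Review bot: Removing `AA_BUG(!secdata)` leaves the function depending on a later NULL test of `secdata` (presumably present, but outside this hunk) to turn a NULL buffer into a pure length query, and nothing in the code now records that this is a supported calling convention, so the next person adding debug assertions will put it back. Suggest a comment in place of the removed line: `/* secdata may be NULL: callers such as ctnetlink_secctx_size() only want the length */` — the trace in the commit message shows exactly that caller. apparmor_secid_to_secctx() continues outside the hunk.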
diff --git a/queue-4.18/cxl-fix-wrong-comparison-in-cxl_adapter_context_get.patch b/queue-4.18/cxl-fix-wrong-comparison-in-cxl_adapter_context_get.patch
new file mode 100644 (file)
index 0000000..562cd92
--- /dev/null
@@ -0,0 +1,42 @@
+From ef6cb5f1a048fdf91ccee6d63d2bfa293338502d Mon Sep 17 00:00:00 2001
+From: Vaibhav Jain <vaibhav@linux.ibm.com>
+Date: Wed, 4 Jul 2018 20:58:33 +0530
+Subject: cxl: Fix wrong comparison in cxl_adapter_context_get()
+
+From: Vaibhav Jain <vaibhav@linux.ibm.com>
+
+commit ef6cb5f1a048fdf91ccee6d63d2bfa293338502d upstream.
+
+Function atomic_inc_unless_negative() returns a bool to indicate
+success/failure. However cxl_adapter_context_get() wrongly compares
+the return value against '>=0' which will always be true. The patch
+fixes this comparison to '==0' there by also fixing this compile time
+warning:
+
+       drivers/misc/cxl/main.c:290 cxl_adapter_context_get()
+       warn: 'atomic_inc_unless_negative(&adapter->contexts_num)' is unsigned
+
+Fixes: 70b565bbdb91 ("cxl: Prevent adapter reset if an active context exists")
+Cc: stable@vger.kernel.org # v4.9+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Vaibhav Jain <vaibhav@linux.ibm.com>
+Acked-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Acked-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/cxl/main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/cxl/main.c
++++ b/drivers/misc/cxl/main.c
+@@ -287,7 +287,7 @@ int cxl_adapter_context_get(struct cxl *
+       int rc;
+       rc = atomic_inc_unless_negative(&adapter->contexts_num);
+-      return rc >= 0 ? 0 : -EBUSY;
++      return rc ? 0 : -EBUSY;
+ }
+ void cxl_adapter_context_put(struct cxl *adapter)
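Review bot: `rc` is declared `int` on the context line above but now only ever holds the bool returned by atomic_inc_unless_negative(), which is the mismatch that produced the original `>= 0` test; dropping the temporary removes the trap: `return atomic_inc_unless_negative(&adapter->contexts_num) ? 0 : -EBUSY;`. Before this fix the function could never return -EBUSY, so every caller of cxl_adapter_context_get() now has a live error path for the first time; that is the intended behaviour, but the callers are outside this hunk and are worth checking for resources left allocated on the new failure return.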
diff --git a/queue-4.18/dma-buf-move-bug_on-from-_add_shared_fence-to-_add_shared_inplace.patch b/queue-4.18/dma-buf-move-bug_on-from-_add_shared_fence-to-_add_shared_inplace.patch
new file mode 100644 (file)
index 0000000..d3be635
--- /dev/null
@@ -0,0 +1,74 @@
+From 7f43ef9f0d98abbc0eb5e697628ec06756bf60a9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <michel.daenzer@amd.com>
+Date: Wed, 4 Jul 2018 17:14:05 +0200
+Subject: dma-buf: Move BUG_ON from _add_shared_fence to _add_shared_inplace
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michel Dänzer <michel.daenzer@amd.com>
+
+commit 7f43ef9f0d98abbc0eb5e697628ec06756bf60a9 upstream.
+
+Fixes the BUG_ON spuriously triggering under the following
+circumstances:
+
+* reservation_object_reserve_shared is called with shared_count ==
+  shared_max - 1, so obj->staged is freed in preparation of an in-place
+  update.
+
+* reservation_object_add_shared_fence is called with the first fence,
+  after which shared_count == shared_max.
+
+* reservation_object_add_shared_fence is called with a follow-up fence
+  from the same context.
+
+In the second reservation_object_add_shared_fence call, the BUG_ON
+triggers. However, nothing bad would happen in
+reservation_object_add_shared_inplace, since both fences are from the
+same context, so they only occupy a single slot.
+
+Prevent this by moving the BUG_ON to where an overflow would actually
+happen (e.g. if a buggy caller didn't call
+reservation_object_reserve_shared before).
+
+v2:
+* Fix description of breaking scenario (Christian König)
+* Add bugzilla reference
+
+Cc: stable@vger.kernel.org
+Bugzilla: https://bugs.freedesktop.org/106418
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> # v1
+Reviewed-by: Christian König <christian.koenig@amd.com> # v1
+Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
+Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180704151405.10357-1-michel@daenzer.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma-buf/reservation.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/dma-buf/reservation.c
++++ b/drivers/dma-buf/reservation.c
+@@ -141,6 +141,7 @@ reservation_object_add_shared_inplace(st
+       if (signaled) {
+               RCU_INIT_POINTER(fobj->shared[signaled_idx], fence);
+       } else {
++              BUG_ON(fobj->shared_count >= fobj->shared_max);
+               RCU_INIT_POINTER(fobj->shared[fobj->shared_count], fence);
+               fobj->shared_count++;
+       }
+@@ -230,10 +231,9 @@ void reservation_object_add_shared_fence
+       old = reservation_object_get_list(obj);
+       obj->staged = NULL;
+-      if (!fobj) {
+-              BUG_ON(old->shared_count >= old->shared_max);
++      if (!fobj)
+               reservation_object_add_shared_inplace(obj, old, fence);
+-      } else
++      else
+               reservation_object_add_shared_replace(obj, old, fobj, fence);
+ }
+ EXPORT_SYMBOL(reservation_object_add_shared_fence);
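Review bot: The relocated BUG_ON at L419 now encodes a caller contract — reservation_object_reserve_shared() must have left room for one more slot — that is explained only in the commit message; suggest a comment above it: `/* Caller must have called reservation_object_reserve_shared() first */`. The `signaled` branch just above it reuses an existing slot and so intentionally skips the check, which is worth saying in the same comment. reservation_object_add_shared_inplace() starts outside the hunk.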
diff --git a/queue-4.18/fix-kexec-forbidding-kernels-signed-with-keys-in-the-secondary-keyring-to-boot.patch b/queue-4.18/fix-kexec-forbidding-kernels-signed-with-keys-in-the-secondary-keyring-to-boot.patch
new file mode 100644 (file)
index 0000000..193ef01
--- /dev/null
@@ -0,0 +1,41 @@
+From ea93102f32244e3f45c8b26260be77ed0cc1d16c Mon Sep 17 00:00:00 2001
+From: Yannik Sembritzki <yannik@sembritzki.me>
+Date: Thu, 16 Aug 2018 14:05:23 +0100
+Subject: Fix kexec forbidding kernels signed with keys in the secondary keyring to boot
+
+From: Yannik Sembritzki <yannik@sembritzki.me>
+
+commit ea93102f32244e3f45c8b26260be77ed0cc1d16c upstream.
+
+The split of .system_keyring into .builtin_trusted_keys and
+.secondary_trusted_keys broke kexec, thereby preventing kernels signed by
+keys which are now in the secondary keyring from being kexec'd.
+
+Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
+verify_pefile_signature().
+
+Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically")
+Signed-off-by: Yannik Sembritzki <yannik@sembritzki.me>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Cc: kexec@lists.infradead.org
+Cc: keyrings@vger.kernel.org
+Cc: linux-security-module@vger.kernel.org
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/kexec-bzimage64.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/kexec-bzimage64.c
++++ b/arch/x86/kernel/kexec-bzimage64.c
+@@ -532,7 +532,7 @@ static int bzImage64_cleanup(void *loade
+ static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
+ {
+       return verify_pefile_signature(kernel, kernel_len,
+-                                     NULL,
++                                     VERIFY_USE_SECONDARY_KEYRING,
+                                      VERIFYING_KEXEC_PE_SIGNATURE);
+ }
+ #endif
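Review bot: VERIFY_USE_SECONDARY_KEYRING is not defined by anything in this hunk; for 4.18 it comes from replace-magic-for-trusting-the-secondary-keyring-with-define.patch, listed last in this commit (L42), so queue-4.18/series (modified here but not shown) must apply that patch before this one or the tree fails to build between the two. The substitution also widens what kexec will boot — kernels signed by any key in the secondary keyring, which can be extended at runtime with keys vouched for by a built-in key, are now accepted — and that policy choice deserves a comment on the call: `/* accept keys from .secondary_trusted_keys as well as the built-in ones */`.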
diff --git a/queue-4.18/fs-9p-xattr.c-catch-the-error-of-p9_client_clunk-when-setting-xattr-failed.patch b/queue-4.18/fs-9p-xattr.c-catch-the-error-of-p9_client_clunk-when-setting-xattr-failed.patch
new file mode 100644 (file)
index 0000000..d79f05e
--- /dev/null
@@ -0,0 +1,62 @@
+From 3111784bee81591ea2815011688d28b65df03627 Mon Sep 17 00:00:00 2001
+From: piaojun <piaojun@huawei.com>
+Date: Wed, 25 Jul 2018 11:13:16 +0800
+Subject: fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed
+
+From: piaojun <piaojun@huawei.com>
+
+commit 3111784bee81591ea2815011688d28b65df03627 upstream.
+
+In my testing, v9fs_fid_xattr_set will return successfully even if the
+backend ext4 filesystem has no space to store xattr key-value. That will
+cause inconsistent behavior between front end and back end. The reason is
+that lsetxattr will be triggered by p9_client_clunk, and unfortunately we
+did not catch the error. This patch will catch the error to notify upper
+caller.
+
+p9_client_clunk (in 9p)
+  p9_client_rpc(clnt, P9_TCLUNK, "d", fid->fid);
+    v9fs_clunk (in qemu)
+      put_fid
+        free_fid
+          v9fs_xattr_fid_clunk
+            v9fs_co_lsetxattr
+              s->ops->lsetxattr
+                ext4_xattr_user_set (in host ext4 filesystem)
+
+Link: http://lkml.kernel.org/r/5B57EACC.2060900@huawei.com
+Signed-off-by: Jun Piao <piaojun@huawei.com>
+Cc: Eric Van Hensbergen <ericvh@gmail.com>
+Cc: Ron Minnich <rminnich@sandia.gov>
+Cc: Latchesar Ionkov <lucho@ionkov.net>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/9p/xattr.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/9p/xattr.c
++++ b/fs/9p/xattr.c
+@@ -105,7 +105,7 @@ int v9fs_fid_xattr_set(struct p9_fid *fi
+ {
+       struct kvec kvec = {.iov_base = (void *)value, .iov_len = value_len};
+       struct iov_iter from;
+-      int retval;
++      int retval, err;
+       iov_iter_kvec(&from, WRITE | ITER_KVEC, &kvec, 1, value_len);
+@@ -126,7 +126,9 @@ int v9fs_fid_xattr_set(struct p9_fid *fi
+                        retval);
+       else
+               p9_client_write(fid, 0, &from, &retval);
+-      p9_client_clunk(fid);
++      err = p9_client_clunk(fid);
++      if (!retval && err)
++              retval = err;
+       return retval;
+ }
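Review bot: `retval` is reused for both the p9_client_write() error code and, via `err`, the clunk result, and the `if (!retval && err)` rule that keeps the first failure is explained only in the commit message; suggest above the new lines: `/* the backend applies the xattr at clunk time, so a clunk error is a set error; keep the first failure */`. Whether `retval` is 0 after a successful p9_client_write() depends on that function writing 0 through its `err` out-parameter on success, which is outside this hunk and worth confirming. v9fs_fid_xattr_set() starts before the hunk.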
diff --git a/queue-4.18/ib-mlx5-fix-leaking-stack-memory-to-userspace.patch b/queue-4.18/ib-mlx5-fix-leaking-stack-memory-to-userspace.patch
new file mode 100644 (file)
index 0000000..c12b2cd
--- /dev/null
@@ -0,0 +1,33 @@
+From 0625b4ba1a5d4703c7fb01c497bd6c156908af00 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@mellanox.com>
+Date: Tue, 14 Aug 2018 15:33:52 -0600
+Subject: IB/mlx5: Fix leaking stack memory to userspace
+
+From: Jason Gunthorpe <jgg@mellanox.com>
+
+commit 0625b4ba1a5d4703c7fb01c497bd6c156908af00 upstream.
+
+mlx5_ib_create_qp_resp was never initialized and only the first 4 bytes
+were written.
+
+Fixes: 41d902cb7c32 ("RDMA/mlx5: Fix definition of mlx5_ib_create_qp_resp")
+Cc: <stable@vger.kernel.org>
+Acked-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/qp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -1626,7 +1626,7 @@ static int create_qp_common(struct mlx5_
+       struct mlx5_ib_resources *devr = &dev->devr;
+       int inlen = MLX5_ST_SZ_BYTES(create_qp_in);
+       struct mlx5_core_dev *mdev = dev->mdev;
+-      struct mlx5_ib_create_qp_resp resp;
++      struct mlx5_ib_create_qp_resp resp = {};
+       struct mlx5_ib_cq *send_cq;
+       struct mlx5_ib_cq *recv_cq;
+       unsigned long flags;
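Review bot: `= {}` zero-initialises the named members of `resp`, but the C standard leaves padding bytes unspecified for brace initialisation, and the commit message says this struct is what gets copied to userspace; if mlx5_ib_create_qp_resp has any padding (its definition is not visible here), `memset(&resp, 0, sizeof(resp));` is the form that guarantees every byte of the copy_to_user source is zero. If the struct is known to be padding-free, a comment saying so next to the initialiser would settle the question for future readers. create_qp_common() continues outside the hunk.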
diff --git a/queue-4.18/ib-mlx5-honor-cnt_set_id_valid-flag-instead-of-set_id.patch b/queue-4.18/ib-mlx5-honor-cnt_set_id_valid-flag-instead-of-set_id.patch
new file mode 100644 (file)
index 0000000..2c08c99
--- /dev/null
@@ -0,0 +1,37 @@
+From 921c0f5ba58e4064deb18b4985a202508fc5527f Mon Sep 17 00:00:00 2001
+From: Parav Pandit <parav@mellanox.com>
+Date: Sun, 8 Jul 2018 13:40:30 +0300
+Subject: IB/mlx5: Honor cnt_set_id_valid flag instead of set_id
+
+From: Parav Pandit <parav@mellanox.com>
+
+commit 921c0f5ba58e4064deb18b4985a202508fc5527f upstream.
+
+It is incorrect to depend on set_id value to know if counters were
+allocated or not. set_id_valid field is set to true when counters
+were allocated. Therefore, use set_id_valid while deciding to
+free counters.
+
+Cc: <stable@vger.kernel.org> # 4.15
+Fixes: aac4492ef23a ("IB/mlx5: Update counter implementation for dual port RoCE")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -4694,7 +4694,7 @@ static void mlx5_ib_dealloc_counters(str
+       int i;
+       for (i = 0; i < dev->num_ports; i++) {
+-              if (dev->port[i].cnts.set_id)
++              if (dev->port[i].cnts.set_id_valid)
+                       mlx5_core_dealloc_q_counter(dev->mdev,
+                                                   dev->port[i].cnts.set_id);
+               kfree(dev->port[i].cnts.names);
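Review bot: After mlx5_core_dealloc_q_counter() the loop leaves `cnts.set_id_valid` set and `cnts.names` dangling, so a second pass through mlx5_ib_dealloc_counters() would free the counter (and the names) twice; unless the callers guarantee it runs exactly once (they are outside the hunk), add `dev->port[i].cnts.set_id_valid = false;` right after the dealloc call. The function body continues outside the hunk.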
diff --git a/queue-4.18/ib-srpt-fix-srpt_cm_req_recv-error-path-1-2.patch b/queue-4.18/ib-srpt-fix-srpt_cm_req_recv-error-path-1-2.patch
new file mode 100644 (file)
index 0000000..8031378
--- /dev/null
@@ -0,0 +1,77 @@
+From 847462de3a0aabc5343a1e338537f69a03bb61af Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Tue, 10 Jul 2018 10:31:58 -0700
+Subject: IB/srpt: Fix srpt_cm_req_recv() error path (1/2)
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+commit 847462de3a0aabc5343a1e338537f69a03bb61af upstream.
+
+Once a target session has been allocated, if an error occurs, the session
+must be freed. Since it is not safe to call blocking code from the context
+of an connection manager callback, trigger target session release in this
+case by calling srpt_close_ch().
+
+Fixes: db7683d7deb2 ("IB/srpt: Fix login-related race conditions")
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c |   17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -2087,7 +2087,7 @@ static int srpt_cm_req_recv(struct srpt_
+               struct rdma_conn_param rdma_cm;
+               struct ib_cm_rep_param ib_cm;
+       } *rep_param = NULL;
+-      struct srpt_rdma_ch *ch;
++      struct srpt_rdma_ch *ch = NULL;
+       char i_port_id[36];
+       u32 it_iu_len;
+       int i, ret;
+@@ -2234,13 +2234,15 @@ static int srpt_cm_req_recv(struct srpt_
+                                               TARGET_PROT_NORMAL,
+                                               i_port_id + 2, ch, NULL);
+       if (IS_ERR_OR_NULL(ch->sess)) {
++              WARN_ON_ONCE(ch->sess == NULL);
+               ret = PTR_ERR(ch->sess);
++              ch->sess = NULL;
+               pr_info("Rejected login for initiator %s: ret = %d.\n",
+                       ch->sess_name, ret);
+               rej->reason = cpu_to_be32(ret == -ENOMEM ?
+                               SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES :
+                               SRP_LOGIN_REJ_CHANNEL_LIMIT_REACHED);
+-              goto reject;
++              goto destroy_ib;
+       }
+       mutex_lock(&sport->mutex);
+@@ -2279,7 +2281,7 @@ static int srpt_cm_req_recv(struct srpt_
+               rej->reason = cpu_to_be32(SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES);
+               pr_err("rejected SRP_LOGIN_REQ because enabling RTR failed (error code = %d)\n",
+                      ret);
+-              goto destroy_ib;
++              goto reject;
+       }
+       pr_debug("Establish connection sess=%p name=%s ch=%p\n", ch->sess,
+@@ -2379,6 +2381,15 @@ reject:
+               ib_send_cm_rej(ib_cm_id, IB_CM_REJ_CONSUMER_DEFINED, NULL, 0,
+                              rej, sizeof(*rej));
++      if (ch && ch->sess) {
++              srpt_close_ch(ch);
++              /*
++               * Tell the caller not to free cm_id since
++               * srpt_release_channel_work() will do that.
++               */
++              ret = 0;
++      }
++
+ out:
+       kfree(rep_param);
+       kfree(rsp);
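Review bot: In the first sub-hunk, when `ch->sess` is NULL — the very case the new WARN_ON_ONCE flags — `ret = PTR_ERR(ch->sess)` evaluates to 0, so the function jumps to destroy_ib, sends a CHANNEL_LIMIT_REACHED reject, and then returns 0 to the caller, which reads as success; give that case an explicit code, e.g. `ret = ch->sess ? PTR_ERR(ch->sess) : -ENOMEM;` (or whichever code matches the reject reason you want). The `ret = 0` in the last sub-hunk is the deliberate "cm_id will be freed by srpt_release_channel_work()" case and is commented, so the two zero returns should not be confused. srpt_cm_req_recv() starts before and ends after these hunks.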
diff --git a/queue-4.18/ib-srpt-fix-srpt_cm_req_recv-error-path-2-2.patch b/queue-4.18/ib-srpt-fix-srpt_cm_req_recv-error-path-2-2.patch
new file mode 100644 (file)
index 0000000..e937065
--- /dev/null
@@ -0,0 +1,37 @@
+From 6869e0004fe16184acd6488f0c637e0081a84a8a Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Tue, 10 Jul 2018 10:31:59 -0700
+Subject: IB/srpt: Fix srpt_cm_req_recv() error path (2/2)
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+commit 6869e0004fe16184acd6488f0c637e0081a84a8a upstream.
+
+If a login request was received through the RDMA/CM and if an error occurs
+during login, clear rdma_cm_id->context instead of ib_cm_id->context.
+
+Fixes: 63cf1a902c9d ("IB/srpt: Add RDMA/CM support")
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -2360,8 +2360,11 @@ free_ring:
+       srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_ring,
+                            ch->sport->sdev, ch->rq_size,
+                            ch->max_rsp_size, DMA_TO_DEVICE);
++
+ free_ch:
+-      if (ib_cm_id)
++      if (rdma_cm_id)
++              rdma_cm_id->context = NULL;
++      else
+               ib_cm_id->context = NULL;
+       kfree(ch);
+       ch = NULL;
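Review bot: The new `else` branch under `free_ch:` dereferences `ib_cm_id` unconditionally, where the old code guarded it with `if (ib_cm_id)`; this is only safe if srpt_cm_req_recv() is always entered with exactly one of `ib_cm_id`/`rdma_cm_id` non-NULL, which the hunk does not show. If that invariant holds, record it at the branch, e.g. `/* exactly one of rdma_cm_id / ib_cm_id is set by the caller */`; if it cannot be guaranteed, keep a NULL check on the ib_cm_id path. srpt_cm_req_recv() begins and ends outside this hunk.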
diff --git a/queue-4.18/ib-srpt-support-hcas-with-more-than-two-ports.patch b/queue-4.18/ib-srpt-support-hcas-with-more-than-two-ports.patch
new file mode 100644 (file)
index 0000000..76d9071
--- /dev/null
@@ -0,0 +1,74 @@
+From e620ebfc228dcbef7519e3d16f43c6c6f1a1d0cb Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Tue, 26 Jun 2018 15:24:48 -0700
+Subject: IB/srpt: Support HCAs with more than two ports
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+commit e620ebfc228dcbef7519e3d16f43c6c6f1a1d0cb upstream.
+
+Since there are adapters that have four ports, increase the size of
+the srpt_device.port[] array. This patch avoids that the following
+warning is hit with quad port Chelsio adapters:
+
+    WARN_ON(sdev->device->phys_port_cnt > ARRAY_SIZE(sdev->port));
+
+Reported-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Steve Wise <swise@opengridcomputing.com>
+Cc: Christoph Hellwig <hch@infradead.org>
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c |    5 ++---
+ drivers/infiniband/ulp/srpt/ib_srpt.h |    4 ++--
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -2983,7 +2983,8 @@ static void srpt_add_one(struct ib_devic
+       pr_debug("device = %p\n", device);
+-      sdev = kzalloc(sizeof(*sdev), GFP_KERNEL);
++      sdev = kzalloc(struct_size(sdev, port, device->phys_port_cnt),
++                     GFP_KERNEL);
+       if (!sdev)
+               goto err;
+@@ -3037,8 +3038,6 @@ static void srpt_add_one(struct ib_devic
+                             srpt_event_handler);
+       ib_register_event_handler(&sdev->event_handler);
+-      WARN_ON(sdev->device->phys_port_cnt > ARRAY_SIZE(sdev->port));
+-
+       for (i = 1; i <= sdev->device->phys_port_cnt; i++) {
+               sport = &sdev->port[i - 1];
+               INIT_LIST_HEAD(&sport->nexus_list);
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.h
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.h
+@@ -396,9 +396,9 @@ struct srpt_port {
+  * @sdev_mutex:          Serializes use_srq changes.
+  * @use_srq:       Whether or not to use SRQ.
+  * @ioctx_ring:    Per-HCA SRQ.
+- * @port:          Information about the ports owned by this HCA.
+  * @event_handler: Per-HCA asynchronous IB event handler.
+  * @list:          Node in srpt_dev_list.
++ * @port:          Information about the ports owned by this HCA.
+  */
+ struct srpt_device {
+       struct ib_device        *device;
+@@ -410,9 +410,9 @@ struct srpt_device {
+       struct mutex            sdev_mutex;
+       bool                    use_srq;
+       struct srpt_recv_ioctx  **ioctx_ring;
+-      struct srpt_port        port[2];
+       struct ib_event_handler event_handler;
+       struct list_head        list;
++      struct srpt_port        port[];
+ };
+ #endif                                /* IB_SRPT_H */
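Review bot: The kernel-doc for @port in ib_srpt.h still reads as if it described a fixed array, while srpt_add_one() now sizes it with `struct_size(sdev, port, device->phys_port_cnt)`; a reader of the header gets no hint that `port[]` must stay the last member or that its length is `device->phys_port_cnt`. Suggest ` * @port:          Information about the ports owned by this HCA; flexible array sized by phys_port_cnt in srpt_add_one(), must remain the last member.` Dropping the `WARN_ON(... > ARRAY_SIZE(sdev->port))` is consistent with the change, since ARRAY_SIZE() no longer applies to a flexible array.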
diff --git a/queue-4.18/ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch b/queue-4.18/ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch
new file mode 100644 (file)
index 0000000..6e07b84
--- /dev/null
@@ -0,0 +1,53 @@
+From 14d15c2b278011056482eb015dff89f9cbf2b841 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Mon, 2 Jul 2018 14:08:45 -0700
+Subject: ib_srpt: Fix a use-after-free in __srpt_close_all_ch()
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+commit 14d15c2b278011056482eb015dff89f9cbf2b841 upstream.
+
+BUG: KASAN: use-after-free in srpt_set_enabled+0x1a9/0x1e0 [ib_srpt]
+Read of size 4 at addr ffff8801269d23f8 by task check/29726
+
+CPU: 4 PID: 29726 Comm: check Not tainted 4.18.0-rc2-dbg+ #4
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+Call Trace:
+ dump_stack+0xa4/0xf5
+ print_address_description+0x6f/0x270
+ kasan_report+0x241/0x360
+ __asan_load4+0x78/0x80
+ srpt_set_enabled+0x1a9/0x1e0 [ib_srpt]
+ srpt_tpg_enable_store+0xb8/0x120 [ib_srpt]
+ configfs_write_file+0x14e/0x1d0 [configfs]
+ __vfs_write+0xd2/0x3b0
+ vfs_write+0x101/0x270
+ ksys_write+0xab/0x120
+ __x64_sys_write+0x43/0x50
+ do_syscall_64+0x77/0x230
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x7f235cfe6154
+
+Fixes: aaf45bd83eba ("IB/srpt: Detect session shutdown reliably")
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -1939,8 +1939,8 @@ static void __srpt_close_all_ch(struct s
+       list_for_each_entry(nexus, &sport->nexus_list, entry) {
+               list_for_each_entry(ch, &nexus->ch_list, list) {
+                       if (srpt_disconnect_ch(ch) >= 0)
+-                              pr_info("Closing channel %s-%d because target %s_%d has been disabled\n",
+-                                      ch->sess_name, ch->qp->qp_num,
++                              pr_info("Closing channel %s because target %s_%d has been disabled\n",
++                                      ch->sess_name,
+                                       sport->sdev->device->name, sport->port);
+                       srpt_close_ch(ch);
+               }
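Review bot: Dropping `ch->qp->qp_num` from the pr_info() is the whole fix, but nothing in __srpt_close_all_ch() records why the QP must not be touched here, so a later cleanup could reintroduce the read; the KASAN trace in the description suggests `ch->qp` may already be freed once srpt_disconnect_ch() has run, though the hunk does not show where. Suggest a comment above the pr_info(): `/* ch->qp may already be destroyed at this point; only ch->sess_name is safe to read */`. The same point applies to the pr_debug() in srpt_close_ch() changed by the next patch (ib_srpt-fix-a-use-after-free-in-srpt_close_ch.patch). Both functions start outside their hunks.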
diff --git a/queue-4.18/ib_srpt-fix-a-use-after-free-in-srpt_close_ch.patch b/queue-4.18/ib_srpt-fix-a-use-after-free-in-srpt_close_ch.patch
new file mode 100644 (file)
index 0000000..ae7b59f
--- /dev/null
@@ -0,0 +1,54 @@
+From 995250959d22fc341b5424e3343b0ce5df672461 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Mon, 2 Jul 2018 14:08:18 -0700
+Subject: ib_srpt: Fix a use-after-free in srpt_close_ch()
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+commit 995250959d22fc341b5424e3343b0ce5df672461 upstream.
+
+Avoid that KASAN reports the following:
+
+BUG: KASAN: use-after-free in srpt_close_ch+0x4f/0x1b0 [ib_srpt]
+Read of size 4 at addr ffff880151180cb8 by task check/4681
+
+CPU: 15 PID: 4681 Comm: check Not tainted 4.18.0-rc2-dbg+ #4
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+Call Trace:
+ dump_stack+0xa4/0xf5
+ print_address_description+0x6f/0x270
+ kasan_report+0x241/0x360
+ __asan_load4+0x78/0x80
+ srpt_close_ch+0x4f/0x1b0 [ib_srpt]
+ srpt_set_enabled+0xf7/0x1e0 [ib_srpt]
+ srpt_tpg_enable_store+0xb8/0x120 [ib_srpt]
+ configfs_write_file+0x14e/0x1d0 [configfs]
+ __vfs_write+0xd2/0x3b0
+ vfs_write+0x101/0x270
+ ksys_write+0xab/0x120
+ __x64_sys_write+0x43/0x50
+ do_syscall_64+0x77/0x230
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: aaf45bd83eba ("IB/srpt: Detect session shutdown reliably")
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -1833,8 +1833,7 @@ static bool srpt_close_ch(struct srpt_rd
+       int ret;
+       if (!srpt_set_ch_state(ch, CH_DRAINING)) {
+-              pr_debug("%s-%d: already closed\n", ch->sess_name,
+-                       ch->qp->qp_num);
++              pr_debug("%s: already closed\n", ch->sess_name);
+               return false;
+       }
diff --git a/queue-4.18/libertas-fix-suspend-and-resume-for-sdio-connected-cards.patch b/queue-4.18/libertas-fix-suspend-and-resume-for-sdio-connected-cards.patch
new file mode 100644 (file)
index 0000000..9726857
--- /dev/null
@@ -0,0 +1,114 @@
+From 7444a8092906ed44c09459780c56ba57043e39b1 Mon Sep 17 00:00:00 2001
+From: Daniel Mack <daniel@zonque.org>
+Date: Wed, 27 Jun 2018 20:58:45 +0200
+Subject: libertas: fix suspend and resume for SDIO connected cards
+
+From: Daniel Mack <daniel@zonque.org>
+
+commit 7444a8092906ed44c09459780c56ba57043e39b1 upstream.
+
+Prior to commit 573185cc7e64 ("mmc: core: Invoke sdio func driver's PM
+callbacks from the sdio bus"), the MMC core used to call into the power
+management functions of SDIO clients itself and removed the card if the
+return code was non-zero. IOW, the mmc handled errors gracefully and didn't
+upchain them to the pm core.
+
+Since this change, the mmc core relies on generic power management
+functions which treat all errors as a reason to cancel the suspend
+immediately. This causes suspend attempts to fail when the libertas
+driver is loaded.
+
+To fix this, power down the card explicitly in if_sdio_suspend() when we
+know we're about to lose power and return success. Also set a flag in these
+cases, and power up the card again in if_sdio_resume().
+
+Fixes: 573185cc7e64 ("mmc: core: Invoke sdio func driver's PM callbacks from the sdio bus")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Daniel Mack <daniel@zonque.org>
+Reviewed-by: Chris Ball <chris@printf.net>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/marvell/libertas/dev.h     |    1 
+ drivers/net/wireless/marvell/libertas/if_sdio.c |   30 +++++++++++++++++++-----
+ 2 files changed, 25 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/marvell/libertas/dev.h
++++ b/drivers/net/wireless/marvell/libertas/dev.h
+@@ -104,6 +104,7 @@ struct lbs_private {
+       u8 fw_ready;
+       u8 surpriseremoved;
+       u8 setup_fw_on_resume;
++      u8 power_up_on_resume;
+       int (*hw_host_to_card) (struct lbs_private *priv, u8 type, u8 *payload, u16 nb);
+       void (*reset_card) (struct lbs_private *priv);
+       int (*power_save) (struct lbs_private *priv);
+--- a/drivers/net/wireless/marvell/libertas/if_sdio.c
++++ b/drivers/net/wireless/marvell/libertas/if_sdio.c
+@@ -1290,15 +1290,23 @@ static void if_sdio_remove(struct sdio_f
+ static int if_sdio_suspend(struct device *dev)
+ {
+       struct sdio_func *func = dev_to_sdio_func(dev);
+-      int ret;
+       struct if_sdio_card *card = sdio_get_drvdata(func);
++      struct lbs_private *priv = card->priv;
++      int ret;
+       mmc_pm_flag_t flags = sdio_get_host_pm_caps(func);
++      priv->power_up_on_resume = false;
+       /* If we're powered off anyway, just let the mmc layer remove the
+        * card. */
+-      if (!lbs_iface_active(card->priv))
+-              return -ENOSYS;
++      if (!lbs_iface_active(priv)) {
++              if (priv->fw_ready) {
++                      priv->power_up_on_resume = true;
++                      if_sdio_power_off(card);
++              }
++
++              return 0;
++      }
+       dev_info(dev, "%s: suspend: PM flags = 0x%x\n",
+                sdio_func_id(func), flags);
+@@ -1306,9 +1314,14 @@ static int if_sdio_suspend(struct device
+       /* If we aren't being asked to wake on anything, we should bail out
+        * and let the SD stack power down the card.
+        */
+-      if (card->priv->wol_criteria == EHS_REMOVE_WAKEUP) {
++      if (priv->wol_criteria == EHS_REMOVE_WAKEUP) {
+               dev_info(dev, "Suspend without wake params -- powering down card\n");
+-              return -ENOSYS;
++              if (priv->fw_ready) {
++                      priv->power_up_on_resume = true;
++                      if_sdio_power_off(card);
++              }
++
++              return 0;
+       }
+       if (!(flags & MMC_PM_KEEP_POWER)) {
+@@ -1321,7 +1334,7 @@ static int if_sdio_suspend(struct device
+       if (ret)
+               return ret;
+-      ret = lbs_suspend(card->priv);
++      ret = lbs_suspend(priv);
+       if (ret)
+               return ret;
+@@ -1336,6 +1349,11 @@ static int if_sdio_resume(struct device
+       dev_info(dev, "%s: resume: we're back\n", sdio_func_id(func));
++      if (card->priv->power_up_on_resume) {
++              if_sdio_power_on(card);
++              wait_event(card->pwron_waitq, card->priv->fw_ready);
++      }
++
+       ret = lbs_resume(card->priv);
+       return ret;
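Review bot: The new `wait_event(card->pwron_waitq, card->priv->fw_ready)` in if_sdio_resume() has no timeout, so if the firmware never signals ready after if_sdio_power_on() the resume path blocks indefinitely inside the PM core; the suspend side of this patch deliberately returns 0 to keep suspend from failing, so a bounded wait that returns an error on timeout seems the safer counterpart, e.g. `if (!wait_event_timeout(card->pwron_waitq, card->priv->fw_ready, msecs_to_jiffies(PWRON_TIMEOUT_MS))) return -ETIMEDOUT;` with PWRON_TIMEOUT_MS as a placeholder to be chosen. I cannot tell from the hunk whether if_sdio_power_on() has its own failure signalling that would wake the waiter. Separately, the flag-and-power-off sequence is duplicated verbatim in both early-return branches of if_sdio_suspend() and would read better as one small static helper. if_sdio_resume() starts outside the hunk.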
diff --git a/queue-4.18/mailbox-xgene-slimpro-fix-potential-null-pointer-dereference.patch b/queue-4.18/mailbox-xgene-slimpro-fix-potential-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..47e210c
--- /dev/null
@@ -0,0 +1,43 @@
+From 3512a18cbd8d09e22a790540cb9624c3c49827ba Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Thu, 26 Jul 2018 12:11:39 -0500
+Subject: mailbox: xgene-slimpro: Fix potential NULL pointer dereference
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 3512a18cbd8d09e22a790540cb9624c3c49827ba upstream.
+
+There is a potential execution path in which function
+platform_get_resource() returns NULL. If this happens,
+we will end up having a NULL pointer dereference.
+
+Fix this by replacing devm_ioremap with devm_ioremap_resource,
+which has the NULL check and the memory region request.
+
+This code was detected with the help of Coccinelle.
+
+Cc: stable@vger.kernel.org
+Fixes: f700e84f417b ("mailbox: Add support for APM X-Gene platform mailbox driver")
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mailbox/mailbox-xgene-slimpro.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mailbox/mailbox-xgene-slimpro.c
++++ b/drivers/mailbox/mailbox-xgene-slimpro.c
+@@ -195,9 +195,9 @@ static int slimpro_mbox_probe(struct pla
+       platform_set_drvdata(pdev, ctx);
+       regs = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+-      mb_base = devm_ioremap(&pdev->dev, regs->start, resource_size(regs));
+-      if (!mb_base)
+-              return -ENOMEM;
++      mb_base = devm_ioremap_resource(&pdev->dev, regs);
++      if (IS_ERR(mb_base))
++              return PTR_ERR(mb_base);
+       /* Setup mailbox links */
+       for (i = 0; i < MBOX_CNT; i++) {
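Review bot: Switching to `devm_ioremap_resource()` also requests the memory region, as the description notes, so slimpro_mbox_probe() will now fail where the mailbox registers overlap a range another driver has already claimed, whereas devm_ioremap() used to succeed; the hunk gives no indication whether that can occur on this platform, but it is a behaviour change beyond the NULL check and deserves a sentence in the commit message or a comment at the call. The NULL case for `regs` is now handled inside devm_ioremap_resource() and surfaced through `IS_ERR(mb_base)`, which is correct. slimpro_mbox_probe() starts outside the hunk.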
diff --git a/queue-4.18/media-revert-tvp5150-fix-pad-format-frame-height.patch b/queue-4.18/media-revert-tvp5150-fix-pad-format-frame-height.patch
new file mode 100644 (file)
index 0000000..31b94f4
--- /dev/null
@@ -0,0 +1,44 @@
+From 1831af092308aa5a59ae61e47494e441c8be6b93 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Sun, 10 Jun 2018 16:43:02 -0400
+Subject: media: Revert "[media] tvp5150: fix pad format frame height"
+
+From: Javier Martinez Canillas <javierm@redhat.com>
+
+commit 1831af092308aa5a59ae61e47494e441c8be6b93 upstream.
+
+This reverts commit 0866df8dffd514185bfab0d205db76e4c02cf1e4.
+
+The v4l uAPI documentation [0] makes clear that in the case of interlaced
+video (i.e: field is V4L2_FIELD_ALTERNATE) the height refers to the number
+of lines in the field and not the number of lines in the full frame (which
+is twice the field height for interlaced formats).
+
+So the original height calculation was correct, and it shouldn't had been
+changed by the mentioned commit.
+
+[0]:https://linuxtv.org/downloads/v4l-dvb-apis/uapi/v4l/subdev-formats.html
+
+Fixes: 0866df8dffd5 ("[media] tvp5150: fix pad format frame height")
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Cc: <stable@vger.kernel.org>      # for v4.12 and up
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/i2c/tvp5150.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/tvp5150.c
++++ b/drivers/media/i2c/tvp5150.c
+@@ -872,7 +872,7 @@ static int tvp5150_fill_fmt(struct v4l2_
+       f = &format->format;
+       f->width = decoder->rect.width;
+-      f->height = decoder->rect.height;
++      f->height = decoder->rect.height / 2;
+       f->code = MEDIA_BUS_FMT_UYVY8_2X8;
+       f->field = V4L2_FIELD_ALTERNATE;
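Review bot: The restored `f->height = decoder->rect.height / 2;` carries no comment, and the reverted commit shows a reader already mistook the division for a bug once. Suggest `/* V4L2_FIELD_ALTERNATE: height is the field height, i.e. half the interlaced frame */` directly above it, so the relation to the `f->field` assignment two lines below is explicit. tvp5150_fill_fmt() starts outside the hunk.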
diff --git a/queue-4.18/net-9p-client.c-version-pointer-uninitialized.patch b/queue-4.18/net-9p-client.c-version-pointer-uninitialized.patch
new file mode 100644 (file)
index 0000000..be94111
--- /dev/null
@@ -0,0 +1,43 @@
+From 7913690dcc5e18e235769fd87c34143072f5dbea Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+Date: Tue, 10 Jul 2018 00:29:43 +0200
+Subject: net/9p/client.c: version pointer uninitialized
+
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+
+commit 7913690dcc5e18e235769fd87c34143072f5dbea upstream.
+
+The p9_client_version() does not initialize the version pointer. If the
+call to p9pdu_readf() returns an error and version has not been allocated
+in p9pdu_readf(), then the program will jump to the "error" label and will
+try to free the version pointer. If version is not initialized, free()
+will be called with uninitialized, garbage data and will provoke a crash.
+
+Link: http://lkml.kernel.org/r/20180709222943.19503-1-tomasbortoli@gmail.com
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Reported-by: syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com
+Reviewed-by: Jun Piao <piaojun@huawei.com>
+Reviewed-by: Yiwen Jiang <jiangyiwen@huawei.com>
+Cc: Eric Van Hensbergen <ericvh@gmail.com>
+Cc: Ron Minnich <rminnich@sandia.gov>
+Cc: Latchesar Ionkov <lucho@ionkov.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/9p/client.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -958,7 +958,7 @@ static int p9_client_version(struct p9_c
+ {
+       int err = 0;
+       struct p9_req_t *req;
+-      char *version;
++      char *version = NULL;
+       int msize;
+       p9_debug(P9_DEBUG_9P, ">>> TVERSION msize %d protocol %d\n",
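Review bot: `char *version = NULL;` is correct only because the error path frees `version` unconditionally and kfree(NULL) is a no-op; that coupling is not visible at the declaration. Suggest `char *version = NULL;	/* freed at the error label even if p9pdu_readf() never allocated it */`. The error label is outside the hunk, so I cannot confirm from here that the failure path has no other use of `version` before it is assigned.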
diff --git a/queue-4.18/net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch b/queue-4.18/net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch
new file mode 100644 (file)
index 0000000..b54af0a
--- /dev/null
@@ -0,0 +1,39 @@
+From 430ac66eb4c5b5c4eb846b78ebf65747510b30f1 Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+Date: Fri, 20 Jul 2018 11:27:30 +0200
+Subject: net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
+
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+
+commit 430ac66eb4c5b5c4eb846b78ebf65747510b30f1 upstream.
+
+The patch adds the flush in p9_mux_poll_stop() as it the function used by
+p9_conn_destroy(), in turn called by p9_fd_close() to stop the async
+polling associated with the data regarding the connection.
+
+Link: http://lkml.kernel.org/r/20180720092730.27104-1-tomasbortoli@gmail.com
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Reported-by: syzbot+39749ed7d9ef6dfb23f6@syzkaller.appspotmail.com
+To: Eric Van Hensbergen <ericvh@gmail.com>
+To: Ron Minnich <rminnich@sandia.gov>
+To: Latchesar Ionkov <lucho@ionkov.net>
+Cc: Yiwen Jiang <jiangyiwen@huwei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/9p/trans_fd.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -185,6 +185,8 @@ static void p9_mux_poll_stop(struct p9_c
+       spin_lock_irqsave(&p9_poll_lock, flags);
+       list_del_init(&m->poll_pending_link);
+       spin_unlock_irqrestore(&p9_poll_lock, flags);
++
++      flush_work(&p9_poll_work);
+ }
+ /**
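Review bot: The ordering in p9_mux_poll_stop() — `list_del_init(&m->poll_pending_link)` under p9_poll_lock, then `flush_work(&p9_poll_work)` — is what makes the caller's later kfree of `m` safe, but the new call has no comment and `p9_poll_work` is a work item shared by all connections rather than per-connection. Suggest `/* m is off the pending list; wait for a poll worker that may still be handling it before the caller frees m */` above the flush_work(). If p9_mux_poll_stop() can be reached while its caller holds a lock the poll worker also takes, the flush would deadlock; the caller is outside the hunk, so that is worth confirming.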
diff --git a/queue-4.18/ocxl-fix-page-fault-handler-in-case-of-fault-on-dying-process.patch b/queue-4.18/ocxl-fix-page-fault-handler-in-case-of-fault-on-dying-process.patch
new file mode 100644 (file)
index 0000000..7d2e0bc
--- /dev/null
@@ -0,0 +1,93 @@
+From d497ebf5fb3a026c0817f8c96cde578787f24093 Mon Sep 17 00:00:00 2001
+From: Frederic Barrat <fbarrat@linux.ibm.com>
+Date: Mon, 18 Jun 2018 14:14:36 +0200
+Subject: ocxl: Fix page fault handler in case of fault on dying process
+
+From: Frederic Barrat <fbarrat@linux.ibm.com>
+
+commit d497ebf5fb3a026c0817f8c96cde578787f24093 upstream.
+
+If a process exits without doing proper cleanup, there's a window
+where an opencapi device can try to access the memory of the dying
+process and may trigger a page fault. That's an expected scenario and
+the ocxl driver holds a reference on the mm_struct of the process
+until the opencapi device is notified of the process exiting.
+However, if mm_users is already at 0, i.e. the address space of the
+process has already been destroyed, the driver shouldn't try resolving
+the page fault, as it will fail, but it can also try accessing already
+freed data.
+
+It is fixed by only calling the bottom half of the page fault handler
+if mm_users is greater than 0 and get a reference on mm_users instead
+of mm_count. Otherwise, we can safely return a translation fault to
+the device, as its associated memory context is being removed. The
+opencapi device will be properly cleaned up shortly after when closing
+the file descriptors.
+
+Fixes: 5ef3166e8a32 ("ocxl: Driver code for 'generic' opencapi devices")
+Cc: stable@vger.kernel.org # v4.16+
+Signed-off-by: Frederic Barrat <fbarrat@linux.ibm.com>
+Reviewed-By: Alastair D'Silva <alastair@d-silva.org>
+Acked-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/ocxl/link.c |   24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+--- a/drivers/misc/ocxl/link.c
++++ b/drivers/misc/ocxl/link.c
+@@ -136,7 +136,7 @@ static void xsl_fault_handler_bh(struct
+       int rc;
+       /*
+-       * We need to release a reference on the mm whenever exiting this
++       * We must release a reference on mm_users whenever exiting this
+        * function (taken in the memory fault interrupt handler)
+        */
+       rc = copro_handle_mm_fault(fault->pe_data.mm, fault->dar, fault->dsisr,
+@@ -172,7 +172,7 @@ static void xsl_fault_handler_bh(struct
+       }
+       r = RESTART;
+ ack:
+-      mmdrop(fault->pe_data.mm);
++      mmput(fault->pe_data.mm);
+       ack_irq(spa, r);
+ }
+@@ -184,6 +184,7 @@ static irqreturn_t xsl_fault_handler(int
+       struct pe_data *pe_data;
+       struct ocxl_process_element *pe;
+       int lpid, pid, tid;
++      bool schedule = false;
+       read_irq(spa, &dsisr, &dar, &pe_handle);
+       trace_ocxl_fault(spa->spa_mem, pe_handle, dsisr, dar, -1);
+@@ -226,14 +227,19 @@ static irqreturn_t xsl_fault_handler(int
+       }
+       WARN_ON(pe_data->mm->context.id != pid);
+-      spa->xsl_fault.pe = pe_handle;
+-      spa->xsl_fault.dar = dar;
+-      spa->xsl_fault.dsisr = dsisr;
+-      spa->xsl_fault.pe_data = *pe_data;
+-      mmgrab(pe_data->mm); /* mm count is released by bottom half */
+-
++      if (mmget_not_zero(pe_data->mm)) {
++                      spa->xsl_fault.pe = pe_handle;
++                      spa->xsl_fault.dar = dar;
++                      spa->xsl_fault.dsisr = dsisr;
++                      spa->xsl_fault.pe_data = *pe_data;
++                      schedule = true;
++                      /* mm_users count released by bottom half */
++      }
+       rcu_read_unlock();
+-      schedule_work(&spa->xsl_fault.fault_work);
++      if (schedule)
++              schedule_work(&spa->xsl_fault.fault_work);
++      else
++              ack_irq(spa, ADDRESS_ERROR);
+       return IRQ_HANDLED;
+ }
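Review bot: The body of the new `if (mmget_not_zero(pe_data->mm))` block in xsl_fault_handler() is indented by two tabs instead of one (the `spa->xsl_fault.*` assignments and `schedule = true;`), which does not match kernel coding style and misleads about nesting; reindent to one level. The comment `/* mm_users count released by bottom half */` sits after the last statement of the block and would be clearer as its first line, next to the mmget_not_zero() that takes the reference. The behavioural change — acking with ADDRESS_ERROR when the mm has no users left — matches the description. xsl_fault_handler() starts outside the hunk.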
diff --git a/queue-4.18/powerpc-64s-fix-page-table-fragment-refcount-race-vs-speculative-references.patch b/queue-4.18/powerpc-64s-fix-page-table-fragment-refcount-race-vs-speculative-references.patch
new file mode 100644 (file)
index 0000000..c28eebc
--- /dev/null
@@ -0,0 +1,137 @@
+From 4231aba000f5a4583dd9f67057aadb68c3eca99d Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Fri, 27 Jul 2018 21:48:17 +1000
+Subject: powerpc/64s: Fix page table fragment refcount race vs speculative references
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit 4231aba000f5a4583dd9f67057aadb68c3eca99d upstream.
+
+The page table fragment allocator uses the main page refcount racily
+with respect to speculative references. A customer observed a BUG due
+to page table page refcount underflow in the fragment allocator. This
+can be caused by the fragment allocator set_page_count stomping on a
+speculative reference, and then the speculative failure handler
+decrements the new reference, and the underflow eventually pops when
+the page tables are freed.
+
+Fix this by using a dedicated field in the struct page for the page
+table fragment allocator.
+
+Fixes: 5c1f6ee9a31c ("powerpc: Reduce PTE table memory wastage")
+Cc: stable@vger.kernel.org # v3.10+
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/mmu_context_book3s64.c |    8 ++++----
+ arch/powerpc/mm/pgtable-book3s64.c     |   17 +++++++++++------
+ include/linux/mm_types.h               |    5 ++++-
+ 3 files changed, 19 insertions(+), 11 deletions(-)
+
+--- a/arch/powerpc/mm/mmu_context_book3s64.c
++++ b/arch/powerpc/mm/mmu_context_book3s64.c
+@@ -200,9 +200,9 @@ static void pte_frag_destroy(void *pte_f
+       /* drop all the pending references */
+       count = ((unsigned long)pte_frag & ~PAGE_MASK) >> PTE_FRAG_SIZE_SHIFT;
+       /* We allow PTE_FRAG_NR fragments from a PTE page */
+-      if (page_ref_sub_and_test(page, PTE_FRAG_NR - count)) {
++      if (atomic_sub_and_test(PTE_FRAG_NR - count, &page->pt_frag_refcount)) {
+               pgtable_page_dtor(page);
+-              free_unref_page(page);
++              __free_page(page);
+       }
+ }
+@@ -215,9 +215,9 @@ static void pmd_frag_destroy(void *pmd_f
+       /* drop all the pending references */
+       count = ((unsigned long)pmd_frag & ~PAGE_MASK) >> PMD_FRAG_SIZE_SHIFT;
+       /* We allow PTE_FRAG_NR fragments from a PTE page */
+-      if (page_ref_sub_and_test(page, PMD_FRAG_NR - count)) {
++      if (atomic_sub_and_test(PMD_FRAG_NR - count, &page->pt_frag_refcount)) {
+               pgtable_pmd_page_dtor(page);
+-              free_unref_page(page);
++              __free_page(page);
+       }
+ }
+--- a/arch/powerpc/mm/pgtable-book3s64.c
++++ b/arch/powerpc/mm/pgtable-book3s64.c
+@@ -270,6 +270,8 @@ static pmd_t *__alloc_for_pmdcache(struc
+               return NULL;
+       }
++      atomic_set(&page->pt_frag_refcount, 1);
++
+       ret = page_address(page);
+       /*
+        * if we support only one fragment just return the
+@@ -285,7 +287,7 @@ static pmd_t *__alloc_for_pmdcache(struc
+        * count.
+        */
+       if (likely(!mm->context.pmd_frag)) {
+-              set_page_count(page, PMD_FRAG_NR);
++              atomic_set(&page->pt_frag_refcount, PMD_FRAG_NR);
+               mm->context.pmd_frag = ret + PMD_FRAG_SIZE;
+       }
+       spin_unlock(&mm->page_table_lock);
+@@ -308,9 +310,10 @@ void pmd_fragment_free(unsigned long *pm
+ {
+       struct page *page = virt_to_page(pmd);
+-      if (put_page_testzero(page)) {
++      BUG_ON(atomic_read(&page->pt_frag_refcount) <= 0);
++      if (atomic_dec_and_test(&page->pt_frag_refcount)) {
+               pgtable_pmd_page_dtor(page);
+-              free_unref_page(page);
++              __free_page(page);
+       }
+ }
+@@ -352,6 +355,7 @@ static pte_t *__alloc_for_ptecache(struc
+                       return NULL;
+       }
++      atomic_set(&page->pt_frag_refcount, 1);
+       ret = page_address(page);
+       /*
+@@ -367,7 +371,7 @@ static pte_t *__alloc_for_ptecache(struc
+        * count.
+        */
+       if (likely(!mm->context.pte_frag)) {
+-              set_page_count(page, PTE_FRAG_NR);
++              atomic_set(&page->pt_frag_refcount, PTE_FRAG_NR);
+               mm->context.pte_frag = ret + PTE_FRAG_SIZE;
+       }
+       spin_unlock(&mm->page_table_lock);
+@@ -390,10 +394,11 @@ void pte_fragment_free(unsigned long *ta
+ {
+       struct page *page = virt_to_page(table);
+-      if (put_page_testzero(page)) {
++      BUG_ON(atomic_read(&page->pt_frag_refcount) <= 0);
++      if (atomic_dec_and_test(&page->pt_frag_refcount)) {
+               if (!kernel)
+                       pgtable_page_dtor(page);
+-              free_unref_page(page);
++              __free_page(page);
+       }
+ }
+--- a/include/linux/mm_types.h
++++ b/include/linux/mm_types.h
+@@ -139,7 +139,10 @@ struct page {
+                       unsigned long _pt_pad_1;        /* compound_head */
+                       pgtable_t pmd_huge_pte; /* protected by page->ptl */
+                       unsigned long _pt_pad_2;        /* mapping */
+-                      struct mm_struct *pt_mm;        /* x86 pgds only */
++                      union {
++                              struct mm_struct *pt_mm; /* x86 pgds only */
++                              atomic_t pt_frag_refcount; /* powerpc */
++                      };
+ #if ALLOC_SPLIT_PTLOCKS
+                       spinlock_t *ptl;
+ #else
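Review bot: The new `union { pt_mm; pt_frag_refcount; }` in mm_types.h aliases the x86 and powerpc fields, which is safe only as long as no architecture ever uses both; the member comments say `x86 pgds only` and `powerpc` but nothing states the exclusivity, so a future user could silently corrupt one through the other. Suggest a comment on the union: `/* pt_mm and pt_frag_refcount share storage; an arch must use at most one of them */`. In pmd_fragment_free() and pte_fragment_free() the new `BUG_ON(atomic_read(&page->pt_frag_refcount) <= 0)` is a separate read from the atomic_dec_and_test() that follows, so it is a best-effort diagnostic rather than an atomic check, and a short comment saying so would stop anyone relying on it. The retained comment `We allow PTE_FRAG_NR fragments from a PTE page` in pmd_frag_destroy() now sits beside PMD_FRAG_NR and reads as a copy-paste leftover.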
diff --git a/queue-4.18/powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch b/queue-4.18/powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch
new file mode 100644 (file)
index 0000000..5c67f20
--- /dev/null
@@ -0,0 +1,253 @@
+From 1bd6a1c4b80a28d975287630644e6b47d0f977a5 Mon Sep 17 00:00:00 2001
+From: Hari Bathini <hbathini@linux.ibm.com>
+Date: Tue, 7 Aug 2018 02:12:45 +0530
+Subject: powerpc/fadump: handle crash memory ranges array index overflow
+
+From: Hari Bathini <hbathini@linux.ibm.com>
+
+commit 1bd6a1c4b80a28d975287630644e6b47d0f977a5 upstream.
+
+Crash memory ranges is an array of memory ranges of the crashing kernel
+to be exported as a dump via /proc/vmcore file. The size of the array
+is set based on INIT_MEMBLOCK_REGIONS, which works alright in most cases
+where memblock memory regions count is less than INIT_MEMBLOCK_REGIONS
+value. But this count can grow beyond INIT_MEMBLOCK_REGIONS value since
+commit 142b45a72e22 ("memblock: Add array resizing support").
+
+On large memory systems with a few DLPAR operations, the memblock memory
+regions count could be larger than INIT_MEMBLOCK_REGIONS value. On such
+systems, registering fadump results in crash or other system failures
+like below:
+
+  task: c00007f39a290010 ti: c00000000b738000 task.ti: c00000000b738000
+  NIP: c000000000047df4 LR: c0000000000f9e58 CTR: c00000000010f180
+  REGS: c00000000b73b570 TRAP: 0300   Tainted: G          L   X  (4.4.140+)
+  MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE>  CR: 22004484  XER: 20000000
+  CFAR: c000000000008500 DAR: 000007a450000000 DSISR: 40000000 SOFTE: 0
+  ...
+  NIP [c000000000047df4] smp_send_reschedule+0x24/0x80
+  LR [c0000000000f9e58] resched_curr+0x138/0x160
+  Call Trace:
+    resched_curr+0x138/0x160 (unreliable)
+    check_preempt_curr+0xc8/0xf0
+    ttwu_do_wakeup+0x38/0x150
+    try_to_wake_up+0x224/0x4d0
+    __wake_up_common+0x94/0x100
+    ep_poll_callback+0xac/0x1c0
+    __wake_up_common+0x94/0x100
+    __wake_up_sync_key+0x70/0xa0
+    sock_def_readable+0x58/0xa0
+    unix_stream_sendmsg+0x2dc/0x4c0
+    sock_sendmsg+0x68/0xa0
+    ___sys_sendmsg+0x2cc/0x2e0
+    __sys_sendmsg+0x5c/0xc0
+    SyS_socketcall+0x36c/0x3f0
+    system_call+0x3c/0x100
+
+as array index overflow is not checked for while setting up crash memory
+ranges causing memory corruption. To resolve this issue, dynamically
+allocate memory for crash memory ranges and resize it incrementally,
+in units of pagesize, on hitting array size limit.
+
+Fixes: 2df173d9e85d ("fadump: Initialize elfcore header and add PT_LOAD program headers.")
+Cc: stable@vger.kernel.org # v3.4+
+Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
+Reviewed-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+[mpe: Just use PAGE_SIZE directly, fixup variable placement]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/fadump.h |    3 -
+ arch/powerpc/kernel/fadump.c      |   91 ++++++++++++++++++++++++++++++++------
+ 2 files changed, 77 insertions(+), 17 deletions(-)
+
+--- a/arch/powerpc/include/asm/fadump.h
++++ b/arch/powerpc/include/asm/fadump.h
+@@ -195,9 +195,6 @@ struct fadump_crash_info_header {
+       struct cpumask  online_mask;
+ };
+-/* Crash memory ranges */
+-#define INIT_CRASHMEM_RANGES  (INIT_MEMBLOCK_REGIONS + 2)
+-
+ struct fad_crash_memory_ranges {
+       unsigned long long      base;
+       unsigned long long      size;
+--- a/arch/powerpc/kernel/fadump.c
++++ b/arch/powerpc/kernel/fadump.c
+@@ -47,8 +47,10 @@ static struct fadump_mem_struct fdm;
+ static const struct fadump_mem_struct *fdm_active;
+ static DEFINE_MUTEX(fadump_mutex);
+-struct fad_crash_memory_ranges crash_memory_ranges[INIT_CRASHMEM_RANGES];
++struct fad_crash_memory_ranges *crash_memory_ranges;
++int crash_memory_ranges_size;
+ int crash_mem_ranges;
++int max_crash_mem_ranges;
+ /* Scan the Firmware Assisted dump configuration details. */
+ int __init early_init_dt_scan_fw_dump(unsigned long node,
+@@ -868,38 +870,88 @@ static int __init process_fadump(const s
+       return 0;
+ }
+-static inline void fadump_add_crash_memory(unsigned long long base,
+-                                      unsigned long long end)
++static void free_crash_memory_ranges(void)
++{
++      kfree(crash_memory_ranges);
++      crash_memory_ranges = NULL;
++      crash_memory_ranges_size = 0;
++      max_crash_mem_ranges = 0;
++}
++
++/*
++ * Allocate or reallocate crash memory ranges array in incremental units
++ * of PAGE_SIZE.
++ */
++static int allocate_crash_memory_ranges(void)
++{
++      struct fad_crash_memory_ranges *new_array;
++      u64 new_size;
++
++      new_size = crash_memory_ranges_size + PAGE_SIZE;
++      pr_debug("Allocating %llu bytes of memory for crash memory ranges\n",
++               new_size);
++
++      new_array = krealloc(crash_memory_ranges, new_size, GFP_KERNEL);
++      if (new_array == NULL) {
++              pr_err("Insufficient memory for setting up crash memory ranges\n");
++              free_crash_memory_ranges();
++              return -ENOMEM;
++      }
++
++      crash_memory_ranges = new_array;
++      crash_memory_ranges_size = new_size;
++      max_crash_mem_ranges = (new_size /
++                              sizeof(struct fad_crash_memory_ranges));
++      return 0;
++}
++
++static inline int fadump_add_crash_memory(unsigned long long base,
++                                        unsigned long long end)
+ {
+       if (base == end)
+-              return;
++              return 0;
++
++      if (crash_mem_ranges == max_crash_mem_ranges) {
++              int ret;
++
++              ret = allocate_crash_memory_ranges();
++              if (ret)
++                      return ret;
++      }
+       pr_debug("crash_memory_range[%d] [%#016llx-%#016llx], %#llx bytes\n",
+               crash_mem_ranges, base, end - 1, (end - base));
+       crash_memory_ranges[crash_mem_ranges].base = base;
+       crash_memory_ranges[crash_mem_ranges].size = end - base;
+       crash_mem_ranges++;
++      return 0;
+ }
+-static void fadump_exclude_reserved_area(unsigned long long start,
++static int fadump_exclude_reserved_area(unsigned long long start,
+                                       unsigned long long end)
+ {
+       unsigned long long ra_start, ra_end;
++      int ret = 0;
+       ra_start = fw_dump.reserve_dump_area_start;
+       ra_end = ra_start + fw_dump.reserve_dump_area_size;
+       if ((ra_start < end) && (ra_end > start)) {
+               if ((start < ra_start) && (end > ra_end)) {
+-                      fadump_add_crash_memory(start, ra_start);
+-                      fadump_add_crash_memory(ra_end, end);
++                      ret = fadump_add_crash_memory(start, ra_start);
++                      if (ret)
++                              return ret;
++
++                      ret = fadump_add_crash_memory(ra_end, end);
+               } else if (start < ra_start) {
+-                      fadump_add_crash_memory(start, ra_start);
++                      ret = fadump_add_crash_memory(start, ra_start);
+               } else if (ra_end < end) {
+-                      fadump_add_crash_memory(ra_end, end);
++                      ret = fadump_add_crash_memory(ra_end, end);
+               }
+       } else
+-              fadump_add_crash_memory(start, end);
++              ret = fadump_add_crash_memory(start, end);
++
++      return ret;
+ }
+ static int fadump_init_elfcore_header(char *bufp)
+@@ -939,10 +991,11 @@ static int fadump_init_elfcore_header(ch
+  * Traverse through memblock structure and setup crash memory ranges. These
+  * ranges will be used create PT_LOAD program headers in elfcore header.
+  */
+-static void fadump_setup_crash_memory_ranges(void)
++static int fadump_setup_crash_memory_ranges(void)
+ {
+       struct memblock_region *reg;
+       unsigned long long start, end;
++      int ret;
+       pr_debug("Setup crash memory ranges.\n");
+       crash_mem_ranges = 0;
+@@ -953,7 +1006,9 @@ static void fadump_setup_crash_memory_ra
+        * specified during fadump registration. We need to create a separate
+        * program header for this chunk with the correct offset.
+        */
+-      fadump_add_crash_memory(RMA_START, fw_dump.boot_memory_size);
++      ret = fadump_add_crash_memory(RMA_START, fw_dump.boot_memory_size);
++      if (ret)
++              return ret;
+       for_each_memblock(memory, reg) {
+               start = (unsigned long long)reg->base;
+@@ -973,8 +1028,12 @@ static void fadump_setup_crash_memory_ra
+               }
+               /* add this range excluding the reserved dump area. */
+-              fadump_exclude_reserved_area(start, end);
++              ret = fadump_exclude_reserved_area(start, end);
++              if (ret)
++                      return ret;
+       }
++
++      return 0;
+ }
+ /*
+@@ -1097,6 +1156,7 @@ static int register_fadump(void)
+ {
+       unsigned long addr;
+       void *vaddr;
++      int ret;
+       /*
+        * If no memory is reserved then we can not register for firmware-
+@@ -1105,7 +1165,9 @@ static int register_fadump(void)
+       if (!fw_dump.reserve_dump_area_size)
+               return -ENODEV;
+-      fadump_setup_crash_memory_ranges();
++      ret = fadump_setup_crash_memory_ranges();
++      if (ret)
++              return ret;
+       addr = be64_to_cpu(fdm.rmr_region.destination_address) + be64_to_cpu(fdm.rmr_region.source_len);
+       /* Initialize fadump crash info header. */
+@@ -1183,6 +1245,7 @@ void fadump_cleanup(void)
+       } else if (fw_dump.dump_registered) {
+               /* Un-register Firmware-assisted dump if it was registered. */
+               fadump_unregister_dump(&fdm);
++              free_crash_memory_ranges();
+       }
+ }
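Review bot: free_crash_memory_ranges() (the new helper near the top of the patch) frees the array and zeroes crash_memory_ranges_size and max_crash_mem_ranges but leaves crash_mem_ranges untouched, so after a krealloc() failure the count still describes entries in an array that no longer exists; adding `crash_mem_ranges = 0;` there keeps the three globals consistent for anything that walks the ranges before the next fadump_setup_crash_memory_ranges() resets the count. The array is only freed in fadump_cleanup() when fw_dump.dump_registered is set, so a registration that sets up the ranges and then fails later in register_fadump() (whose remainder is outside the hunk) keeps the allocation until the next attempt reuses it through krealloc() — presumably intended, but a one-line comment on free_crash_memory_ranges() saying the array persists across registrations would make that explicit. crash_memory_ranges_size is an int while new_size is u64; page-sized growth makes overflow unreachable in practice, but declaring the size as `u64` (or `size_t`) would make the truncating assignment go away. The bodies of register_fadump() and fadump_cleanup() start outside the visible context.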
diff --git a/queue-4.18/powerpc-nohash-fix-pte_access_permitted.patch b/queue-4.18/powerpc-nohash-fix-pte_access_permitted.patch
new file mode 100644 (file)
index 0000000..388872b
--- /dev/null
@@ -0,0 +1,64 @@
+From 810e9f86f36f59f1d6f6710220c49afe0c705f38 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Tue, 21 Aug 2018 13:03:23 +0000
+Subject: powerpc/nohash: fix pte_access_permitted()
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+commit 810e9f86f36f59f1d6f6710220c49afe0c705f38 upstream.
+
+Commit 5769beaf180a8 ("powerpc/mm: Add proper pte access check helper
+for other platforms") replaced generic pte_access_permitted() by an
+arch specific one.
+
+The generic one is defined as
+(pte_present(pte) && (!(write) || pte_write(pte)))
+
+The arch specific one is open coded checking that _PAGE_USER and
+_PAGE_WRITE (_PAGE_RW) flags are set, but lacking to check that
+_PAGE_RO and _PAGE_PRIVILEGED are unset, leading to a useless test
+on targets like the 8xx which defines _PAGE_RW and _PAGE_USER as 0.
+
+Commit 5fa5b16be5b31 ("powerpc/mm/hugetlb: Use pte_access_permitted
+for hugetlb access check") replaced some tests performed with
+pte helpers by a call to pte_access_permitted(), leading to the same
+issue.
+
+This patch rewrites powerpc/nohash pte_access_permitted()
+using pte helpers.
+
+Fixes: 5769beaf180a8 ("powerpc/mm: Add proper pte access check helper for other platforms")
+Fixes: 5fa5b16be5b31 ("powerpc/mm/hugetlb: Use pte_access_permitted for hugetlb access check")
+Cc: stable@vger.kernel.org # v4.15+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/nohash/pgtable.h |    9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/include/asm/nohash/pgtable.h
++++ b/arch/powerpc/include/asm/nohash/pgtable.h
+@@ -51,17 +51,14 @@ static inline int pte_present(pte_t pte)
+ #define pte_access_permitted pte_access_permitted
+ static inline bool pte_access_permitted(pte_t pte, bool write)
+ {
+-      unsigned long pteval = pte_val(pte);
+       /*
+        * A read-only access is controlled by _PAGE_USER bit.
+        * We have _PAGE_READ set for WRITE and EXECUTE
+        */
+-      unsigned long need_pte_bits = _PAGE_PRESENT | _PAGE_USER;
+-
+-      if (write)
+-              need_pte_bits |= _PAGE_WRITE;
++      if (!pte_present(pte) || !pte_user(pte) || !pte_read(pte))
++              return false;
+-      if ((pteval & need_pte_bits) != need_pte_bits)
++      if (write && !pte_write(pte))
+               return false;
+       return true;
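Review bot: The comment retained above the new test ("A read-only access is controlled by _PAGE_USER bit. We have _PAGE_READ set for WRITE and EXECUTE") still describes the removed raw-bit mask and now reads as stale next to `pte_user()`/`pte_read()`; reword it to state why the helpers are used, e.g. `/* Use the pte helpers rather than raw _PAGE_* bits: on some targets _PAGE_USER/_PAGE_RW are 0 and the access bits live in _PAGE_PRIVILEGED/_PAGE_RO, so a raw bit test is always true. */`. The two ifs can also collapse to `return pte_present(pte) && pte_user(pte) && pte_read(pte) && (!write || pte_write(pte));`, which mirrors the generic definition quoted in the changelog. The 8xx detail comes from the changelog rather than from visible code, so confirm the wording against the platform headers before committing it.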
diff --git a/queue-4.18/powerpc-pkeys-deny-read-write-execute-by-default.patch b/queue-4.18/powerpc-pkeys-deny-read-write-execute-by-default.patch
new file mode 100644 (file)
index 0000000..6260417
--- /dev/null
@@ -0,0 +1,41 @@
+From de113256f8c1c24d8c79ae388bf2a5abd70f7577 Mon Sep 17 00:00:00 2001
+From: Ram Pai <linuxram@us.ibm.com>
+Date: Tue, 17 Jul 2018 06:51:03 -0700
+Subject: powerpc/pkeys: Deny read/write/execute by default
+
+From: Ram Pai <linuxram@us.ibm.com>
+
+commit de113256f8c1c24d8c79ae388bf2a5abd70f7577 upstream.
+
+Deny all permissions on all keys, with some exceptions. pkey-0 must
+allow all permissions, or else everything comes to a screaching halt.
+Execute-only key must allow execute permission.
+
+Fixes: cf43d3b26452 ("powerpc: Enable pkey subsystem")
+Cc: stable@vger.kernel.org # v4.16+
+Signed-off-by: Ram Pai <linuxram@us.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/pkeys.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/arch/powerpc/mm/pkeys.c
++++ b/arch/powerpc/mm/pkeys.c
+@@ -124,12 +124,10 @@ int pkey_initialize(void)
+       /* register mask is in BE format */
+       pkey_amr_mask = ~0x0ul;
+-      pkey_iamr_mask = ~0x0ul;
++      pkey_amr_mask &= ~(0x3ul << pkeyshift(0));
+-      for (i = 0; i < (pkeys_total - os_reserved); i++) {
+-              pkey_amr_mask &= ~(0x3ul << pkeyshift(i));
+-              pkey_iamr_mask &= ~(0x1ul << pkeyshift(i));
+-      }
++      pkey_iamr_mask = ~0x0ul;
++      pkey_iamr_mask &= ~(0x3ul << pkeyshift(0));
+       pkey_uamor_mask = ~0x0ul;
+       pkey_uamor_mask &= ~(0x3ul << pkeyshift(0));
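Review bot: The new IAMR default clears `0x3ul << pkeyshift(0)` for key 0, whereas the loop this patch removes cleared only `0x1ul << pkeyshift(i)` per key for the same register, so the per-key width for IAMR changes within one patch; if only one IAMR bit per key is architecturally defined, clearing both is harmless but deserves a comment, and if not, the old width was the correct one. The changelog's "execute-only key must allow execute permission" is not implemented by this hunk — after it every key except 0 is execute-denied — and appears to be left to the execute-only preallocation patch later in this batch, so the series order matters for bisection. A short comment on the new lines would document the intent: `/* Deny everything on every key by default; key 0 is the default key and must stay R/W/X. */`.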
diff --git a/queue-4.18/powerpc-pkeys-fix-calculation-of-total-pkeys.patch b/queue-4.18/powerpc-pkeys-fix-calculation-of-total-pkeys.patch
new file mode 100644 (file)
index 0000000..ea45cb0
--- /dev/null
@@ -0,0 +1,32 @@
+From fe6a2804e65969a574377bdb3605afb79e6091a9 Mon Sep 17 00:00:00 2001
+From: Ram Pai <linuxram@us.ibm.com>
+Date: Tue, 17 Jul 2018 06:51:06 -0700
+Subject: powerpc/pkeys: Fix calculation of total pkeys.
+
+From: Ram Pai <linuxram@us.ibm.com>
+
+commit fe6a2804e65969a574377bdb3605afb79e6091a9 upstream.
+
+Total number of pkeys calculation is off by 1. Fix it.
+
+Fixes: 4fb158f65ac5 ("powerpc: track allocation status of all pkeys")
+Cc: stable@vger.kernel.org # v4.16+
+Signed-off-by: Ram Pai <linuxram@us.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/pkeys.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/mm/pkeys.c
++++ b/arch/powerpc/mm/pkeys.c
+@@ -92,7 +92,7 @@ int pkey_initialize(void)
+        * arch-neutral code.
+        */
+       pkeys_total = min_t(int, pkeys_total,
+-                      (ARCH_VM_PKEY_FLAGS >> VM_PKEY_SHIFT));
++                      ((ARCH_VM_PKEY_FLAGS >> VM_PKEY_SHIFT)+1));
+       if (!pkey_mmu_enabled() || radix_enabled() || !pkeys_total)
+               static_branch_enable(&pkey_disabled);
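Review bot: The `+1` on the new line converts a bit mask into a count and is easy to misread as an off-by-one in the other direction; a comment would pin the meaning, e.g. `/* ARCH_VM_PKEY_FLAGS >> VM_PKEY_SHIFT is the largest encodable key number, so the key count is one more. */`. This only holds if the VM_PKEY_BIT flags are contiguous, which is not visible here — confirm against the definition of ARCH_VM_PKEY_FLAGS. With this change pkeys_total can reach 32, so any `0x1 << i` over key indices elsewhere in pkey_initialize() (outside this hunk) now shifts into bit 31 of an int and should use an unsigned constant.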
diff --git a/queue-4.18/powerpc-pkeys-give-all-threads-control-of-their-key-permissions.patch b/queue-4.18/powerpc-pkeys-give-all-threads-control-of-their-key-permissions.patch
new file mode 100644 (file)
index 0000000..f1d371a
--- /dev/null
@@ -0,0 +1,127 @@
+From a57a04c76e06822e4377831611364c846b7202ca Mon Sep 17 00:00:00 2001
+From: Ram Pai <linuxram@us.ibm.com>
+Date: Tue, 17 Jul 2018 06:51:02 -0700
+Subject: powerpc/pkeys: Give all threads control of their key permissions
+
+From: Ram Pai <linuxram@us.ibm.com>
+
+commit a57a04c76e06822e4377831611364c846b7202ca upstream.
+
+Currently in a multithreaded application, a key allocated by one
+thread is not usable by other threads. By "not usable" we mean that
+other threads are unable to change the access permissions for that
+key for themselves.
+
+When a new key is allocated in one thread, the corresponding UAMOR
+bits for that thread get enabled, however the UAMOR bits for that key
+for all other threads remain disabled.
+
+Other threads have no way to set permissions on the key, and the
+current default permissions are that read/write is enabled for all
+keys, which means the key has no effect for other threads. Although
+that may be the desired behaviour in some circumstances, having all
+threads able to control their permissions for the key is more
+flexible.
+
+The current behaviour also differs from the x86 behaviour, which is
+problematic for users.
+
+To fix this, enable the UAMOR bits for all keys, at process
+creation (in start_thread(), ie exec time). Since the contents of
+UAMOR are inherited at fork, all threads are capable of modifying the
+permissions on any key.
+
+This is technically an ABI break on powerpc, but pkey support is fairly
+new on powerpc and not widely used, and this brings us into
+line with x86.
+
+Fixes: cf43d3b26452 ("powerpc: Enable pkey subsystem")
+Cc: stable@vger.kernel.org # v4.16+
+Tested-by: Florian Weimer <fweimer@redhat.com>
+Signed-off-by: Ram Pai <linuxram@us.ibm.com>
+[mpe: Reword some of the changelog]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/pkeys.c |   44 ++++++++++++++++++++++++++------------------
+ 1 file changed, 26 insertions(+), 18 deletions(-)
+
+--- a/arch/powerpc/mm/pkeys.c
++++ b/arch/powerpc/mm/pkeys.c
+@@ -15,8 +15,9 @@ bool pkey_execute_disable_supported;
+ int  pkeys_total;             /* Total pkeys as per device tree */
+ bool pkeys_devtree_defined;   /* pkey property exported by device tree */
+ u32  initial_allocation_mask; /* Bits set for reserved keys */
+-u64  pkey_amr_uamor_mask;     /* Bits in AMR/UMOR not to be touched */
++u64  pkey_amr_mask;           /* Bits in AMR not to be touched */
+ u64  pkey_iamr_mask;          /* Bits in AMR not to be touched */
++u64  pkey_uamor_mask;         /* Bits in UMOR not to be touched */
+ #define AMR_BITS_PER_PKEY 2
+ #define AMR_RD_BIT 0x1UL
+@@ -119,20 +120,26 @@ int pkey_initialize(void)
+ #else
+       os_reserved = 0;
+ #endif
+-      initial_allocation_mask = ~0x0;
+-      pkey_amr_uamor_mask = ~0x0ul;
++      initial_allocation_mask  = (0x1 << 0) | (0x1 << 1);
++
++      /* register mask is in BE format */
++      pkey_amr_mask = ~0x0ul;
+       pkey_iamr_mask = ~0x0ul;
+-      /*
+-       * key 0, 1 are reserved.
+-       * key 0 is the default key, which allows read/write/execute.
+-       * key 1 is recommended not to be used. PowerISA(3.0) page 1015,
+-       * programming note.
+-       */
+-      for (i = 2; i < (pkeys_total - os_reserved); i++) {
+-              initial_allocation_mask &= ~(0x1 << i);
+-              pkey_amr_uamor_mask &= ~(0x3ul << pkeyshift(i));
++
++      for (i = 0; i < (pkeys_total - os_reserved); i++) {
++              pkey_amr_mask &= ~(0x3ul << pkeyshift(i));
+               pkey_iamr_mask &= ~(0x1ul << pkeyshift(i));
+       }
++
++      pkey_uamor_mask = ~0x0ul;
++      pkey_uamor_mask &= ~(0x3ul << pkeyshift(0));
++
++      /* mark the rest of the keys as reserved and hence unavailable */
++      for (i = (pkeys_total - os_reserved); i < pkeys_total; i++) {
++              initial_allocation_mask |= (0x1 << i);
++              pkey_uamor_mask &= ~(0x3ul << pkeyshift(i));
++      }
++
+       return 0;
+ }
+@@ -289,9 +296,6 @@ void thread_pkey_regs_restore(struct thr
+       if (static_branch_likely(&pkey_disabled))
+               return;
+-      /*
+-       * TODO: Just set UAMOR to zero if @new_thread hasn't used any keys yet.
+-       */
+       if (old_thread->amr != new_thread->amr)
+               write_amr(new_thread->amr);
+       if (old_thread->iamr != new_thread->iamr)
+@@ -305,9 +309,13 @@ void thread_pkey_regs_init(struct thread
+       if (static_branch_likely(&pkey_disabled))
+               return;
+-      thread->amr = read_amr() & pkey_amr_uamor_mask;
+-      thread->iamr = read_iamr() & pkey_iamr_mask;
+-      thread->uamor = read_uamor() & pkey_amr_uamor_mask;
++      thread->amr = pkey_amr_mask;
++      thread->iamr = pkey_iamr_mask;
++      thread->uamor = pkey_uamor_mask;
++
++      write_uamor(pkey_uamor_mask);
++      write_amr(pkey_amr_mask);
++      write_iamr(pkey_iamr_mask);
+ }
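Review bot: The reservation loop `initial_allocation_mask |= (0x1 << i);` runs i up to pkeys_total - 1; with 5-bit key numbers pkeys_total can be 32, so the shift reaches bit 31 of a signed int, which ISO C leaves undefined even though GCC yields the expected value, and `initial_allocation_mask |= 1u << i;` (or BIT(i), given the u32 type) removes the doubt for all three mask constructions in the function. The removed comment explaining why keys 0 and 1 are reserved (key 0 is the default key; key 1 per the PowerISA 3.0 programming note) is not carried over to the new `initial_allocation_mask  = (0x1 << 0) | (0x1 << 1);`, so that rationale is lost — restore it as a comment on that line. The new declaration comment `/* Bits in UMOR not to be touched */` should read UAMOR (the IAMR line above it, kept as context, likewise says AMR). thread_pkey_regs_init() now writes the registers unconditionally from the masks; a one-line comment that this is where a new process's key state is reset at exec would help, since its caller is outside the hunk.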
+ static inline bool pkey_allows_readwrite(int pkey)
diff --git a/queue-4.18/powerpc-pkeys-key-allocation-deallocation-must-not-change-pkey-registers.patch b/queue-4.18/powerpc-pkeys-key-allocation-deallocation-must-not-change-pkey-registers.patch
new file mode 100644 (file)
index 0000000..d14be1e
--- /dev/null
@@ -0,0 +1,103 @@
+From 4a4a5e5d2aadc793be95024f454cf511d115b62d Mon Sep 17 00:00:00 2001
+From: Ram Pai <linuxram@us.ibm.com>
+Date: Tue, 17 Jul 2018 06:51:04 -0700
+Subject: powerpc/pkeys: key allocation/deallocation must not change pkey registers
+
+From: Ram Pai <linuxram@us.ibm.com>
+
+commit 4a4a5e5d2aadc793be95024f454cf511d115b62d upstream.
+
+Key allocation and deallocation has the side effect of programming the
+UAMOR/AMR/IAMR registers. This is wrong, since its the responsibility of
+the application and not that of the kernel, to modify the permission on
+the key.
+
+Do not modify the pkey registers at key allocation/deallocation.
+
+This patch also fixes a bug where a sys_pkey_free() resets the UAMOR
+bits of the key, thus making its permissions unmodifiable from user
+space. Later if the same key gets reallocated from a different thread
+this thread will no longer be able to change the permissions on the key.
+
+Fixes: cf43d3b26452 ("powerpc: Enable pkey subsystem")
+Cc: stable@vger.kernel.org # v4.16+
+Reviewed-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
+Signed-off-by: Ram Pai <linuxram@us.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/pkeys.h |   11 -----------
+ arch/powerpc/mm/pkeys.c          |   27 ---------------------------
+ 2 files changed, 38 deletions(-)
+
+--- a/arch/powerpc/include/asm/pkeys.h
++++ b/arch/powerpc/include/asm/pkeys.h
+@@ -94,8 +94,6 @@ static inline bool mm_pkey_is_allocated(
+               __mm_pkey_is_allocated(mm, pkey));
+ }
+-extern void __arch_activate_pkey(int pkey);
+-extern void __arch_deactivate_pkey(int pkey);
+ /*
+  * Returns a positive, 5-bit key on success, or -1 on failure.
+  * Relies on the mmap_sem to protect against concurrency in mm_pkey_alloc() and
+@@ -124,11 +122,6 @@ static inline int mm_pkey_alloc(struct m
+       ret = ffz((u32)mm_pkey_allocation_map(mm));
+       __mm_pkey_allocated(mm, ret);
+-      /*
+-       * Enable the key in the hardware
+-       */
+-      if (ret > 0)
+-              __arch_activate_pkey(ret);
+       return ret;
+ }
+@@ -140,10 +133,6 @@ static inline int mm_pkey_free(struct mm
+       if (!mm_pkey_is_allocated(mm, pkey))
+               return -EINVAL;
+-      /*
+-       * Disable the key in the hardware
+-       */
+-      __arch_deactivate_pkey(pkey);
+       __mm_pkey_free(mm, pkey);
+       return 0;
+--- a/arch/powerpc/mm/pkeys.c
++++ b/arch/powerpc/mm/pkeys.c
+@@ -218,33 +218,6 @@ static inline void init_iamr(int pkey, u
+       write_iamr(old_iamr | new_iamr_bits);
+ }
+-static void pkey_status_change(int pkey, bool enable)
+-{
+-      u64 old_uamor;
+-
+-      /* Reset the AMR and IAMR bits for this key */
+-      init_amr(pkey, 0x0);
+-      init_iamr(pkey, 0x0);
+-
+-      /* Enable/disable key */
+-      old_uamor = read_uamor();
+-      if (enable)
+-              old_uamor |= (0x3ul << pkeyshift(pkey));
+-      else
+-              old_uamor &= ~(0x3ul << pkeyshift(pkey));
+-      write_uamor(old_uamor);
+-}
+-
+-void __arch_activate_pkey(int pkey)
+-{
+-      pkey_status_change(pkey, true);
+-}
+-
+-void __arch_deactivate_pkey(int pkey)
+-{
+-      pkey_status_change(pkey, false);
+-}
+-
+ /*
+  * Set the access rights in AMR IAMR and UAMOR registers for @pkey to that
+  * specified in @init_val.
diff --git a/queue-4.18/powerpc-pkeys-preallocate-execute-only-key.patch b/queue-4.18/powerpc-pkeys-preallocate-execute-only-key.patch
new file mode 100644 (file)
index 0000000..a783abe
--- /dev/null
@@ -0,0 +1,139 @@
+From a4fcc877d4e18b5efe26e93f08f0cfd4e278c7d9 Mon Sep 17 00:00:00 2001
+From: Ram Pai <linuxram@us.ibm.com>
+Date: Tue, 17 Jul 2018 06:51:07 -0700
+Subject: powerpc/pkeys: Preallocate execute-only key
+
+From: Ram Pai <linuxram@us.ibm.com>
+
+commit a4fcc877d4e18b5efe26e93f08f0cfd4e278c7d9 upstream.
+
+execute-only key is allocated dynamically. This is a problem. When a
+thread implicitly creates an execute-only key, and resets the UAMOR
+for that key, the UAMOR value does not percolate to all the other
+threads. Any other thread may ignorantly change the permissions on the
+key. This can cause the key to be not execute-only for that thread.
+
+Preallocate the execute-only key and ensure that no thread can change
+the permission of the key, by resetting the corresponding bit in
+UAMOR.
+
+Fixes: 5586cf61e108 ("powerpc: introduce execute-only pkey")
+Cc: stable@vger.kernel.org # v4.16+
+Signed-off-by: Ram Pai <linuxram@us.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/mm/pkeys.c |   63 +++++++++++++-----------------------------------
+ 1 file changed, 18 insertions(+), 45 deletions(-)
+
+--- a/arch/powerpc/mm/pkeys.c
++++ b/arch/powerpc/mm/pkeys.c
+@@ -18,6 +18,7 @@ u32  initial_allocation_mask;        /* Bits se
+ u64  pkey_amr_mask;           /* Bits in AMR not to be touched */
+ u64  pkey_iamr_mask;          /* Bits in AMR not to be touched */
+ u64  pkey_uamor_mask;         /* Bits in UMOR not to be touched */
++int  execute_only_key = 2;
+ #define AMR_BITS_PER_PKEY 2
+ #define AMR_RD_BIT 0x1UL
+@@ -120,7 +121,8 @@ int pkey_initialize(void)
+ #else
+       os_reserved = 0;
+ #endif
+-      initial_allocation_mask  = (0x1 << 0) | (0x1 << 1);
++      initial_allocation_mask  = (0x1 << 0) | (0x1 << 1) |
++                                      (0x1 << execute_only_key);
+       /* register mask is in BE format */
+       pkey_amr_mask = ~0x0ul;
+@@ -128,9 +130,11 @@ int pkey_initialize(void)
+       pkey_iamr_mask = ~0x0ul;
+       pkey_iamr_mask &= ~(0x3ul << pkeyshift(0));
++      pkey_iamr_mask &= ~(0x3ul << pkeyshift(execute_only_key));
+       pkey_uamor_mask = ~0x0ul;
+       pkey_uamor_mask &= ~(0x3ul << pkeyshift(0));
++      pkey_uamor_mask &= ~(0x3ul << pkeyshift(execute_only_key));
+       /* mark the rest of the keys as reserved and hence unavailable */
+       for (i = (pkeys_total - os_reserved); i < pkeys_total; i++) {
+@@ -138,6 +142,17 @@ int pkey_initialize(void)
+               pkey_uamor_mask &= ~(0x3ul << pkeyshift(i));
+       }
++      if (unlikely((pkeys_total - os_reserved) <= execute_only_key)) {
++              /*
++               * Insufficient number of keys to support
++               * execute only key. Mark it unavailable.
++               * Any AMR, UAMOR, IAMR bit set for
++               * this key is irrelevant since this key
++               * can never be allocated.
++               */
++              execute_only_key = -1;
++      }
++
+       return 0;
+ }
+@@ -148,8 +163,7 @@ void pkey_mm_init(struct mm_struct *mm)
+       if (static_branch_likely(&pkey_disabled))
+               return;
+       mm_pkey_allocation_map(mm) = initial_allocation_mask;
+-      /* -1 means unallocated or invalid */
+-      mm->context.execute_only_pkey = -1;
++      mm->context.execute_only_pkey = execute_only_key;
+ }
+ static inline u64 read_amr(void)
+@@ -301,48 +315,7 @@ static inline bool pkey_allows_readwrite
+ int __execute_only_pkey(struct mm_struct *mm)
+ {
+-      bool need_to_set_mm_pkey = false;
+-      int execute_only_pkey = mm->context.execute_only_pkey;
+-      int ret;
+-
+-      /* Do we need to assign a pkey for mm's execute-only maps? */
+-      if (execute_only_pkey == -1) {
+-              /* Go allocate one to use, which might fail */
+-              execute_only_pkey = mm_pkey_alloc(mm);
+-              if (execute_only_pkey < 0)
+-                      return -1;
+-              need_to_set_mm_pkey = true;
+-      }
+-
+-      /*
+-       * We do not want to go through the relatively costly dance to set AMR
+-       * if we do not need to. Check it first and assume that if the
+-       * execute-only pkey is readwrite-disabled than we do not have to set it
+-       * ourselves.
+-       */
+-      if (!need_to_set_mm_pkey && !pkey_allows_readwrite(execute_only_pkey))
+-              return execute_only_pkey;
+-
+-      /*
+-       * Set up AMR so that it denies access for everything other than
+-       * execution.
+-       */
+-      ret = __arch_set_user_pkey_access(current, execute_only_pkey,
+-                                        PKEY_DISABLE_ACCESS |
+-                                        PKEY_DISABLE_WRITE);
+-      /*
+-       * If the AMR-set operation failed somehow, just return 0 and
+-       * effectively disable execute-only support.
+-       */
+-      if (ret) {
+-              mm_pkey_free(mm, execute_only_pkey);
+-              return -1;
+-      }
+-
+-      /* We got one, store it and use it from here on out */
+-      if (need_to_set_mm_pkey)
+-              mm->context.execute_only_pkey = execute_only_pkey;
+-      return execute_only_pkey;
++      return mm->context.execute_only_pkey;
+ }
+ static inline bool vma_is_pkey_exec_only(struct vm_area_struct *vma)
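Review bot: Folding the execute-only key into initial_allocation_mask makes it look allocated in the per-mm map, so the user-facing checks — mm_pkey_is_allocated() as used by pkey_free() and pkey_mprotect() — must treat keys in initial_allocation_mask as reserved rather than allocated, or userspace could free or re-protect the key and defeat the execute-only guarantee; only the tail of mm_pkey_is_allocated() is visible on this page, so verify it excludes reserved keys the way x86 excludes execute_only_pkey. The sanity check that sets `execute_only_key = -1` runs after the key has already been folded into initial_allocation_mask and the IAMR/UAMOR masks; the comment explains why that is harmless, but performing the check first would remove the need for the explanation. `int execute_only_key = 2;` deserves a comment such as `/* Fixed key for execute-only mappings: 0 and 1 are reserved, and a constant lets UAMOR lock it for every thread. */`, and it could be `static` if nothing outside the file reads it (not determinable here). pkey_mm_init() still copies a possibly -1 value into mm->context.execute_only_pkey; callers of __execute_only_pkey() presumably handle -1 as before, but confirm now that the function is a bare return.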
diff --git a/queue-4.18/powerpc-pkeys-save-the-pkey-registers-before-fork.patch b/queue-4.18/powerpc-pkeys-save-the-pkey-registers-before-fork.patch
new file mode 100644 (file)
index 0000000..fcf57d3
--- /dev/null
@@ -0,0 +1,35 @@
+From c76662e825f507b98938dc3bb141c4505bd4968c Mon Sep 17 00:00:00 2001
+From: Ram Pai <linuxram@us.ibm.com>
+Date: Tue, 17 Jul 2018 06:51:05 -0700
+Subject: powerpc/pkeys: Save the pkey registers before fork
+
+From: Ram Pai <linuxram@us.ibm.com>
+
+commit c76662e825f507b98938dc3bb141c4505bd4968c upstream.
+
+When a thread forks the contents of AMR, IAMR, UAMOR registers in the
+newly forked thread are not inherited.
+
+Save the registers before forking, for content of those
+registers to be automatically copied into the new thread.
+
+Fixes: cf43d3b26452 ("powerpc: Enable pkey subsystem")
+Cc: stable@vger.kernel.org # v4.16+
+Signed-off-by: Ram Pai <linuxram@us.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/process.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/kernel/process.c
++++ b/arch/powerpc/kernel/process.c
+@@ -583,6 +583,7 @@ static void save_all(struct task_struct
+               __giveup_spe(tsk);
+       msr_check_and_clear(msr_all_available);
++      thread_pkey_regs_save(&tsk->thread);
+ }
+ void flush_all_to_thread(struct task_struct *tsk)
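Review bot: The new `thread_pkey_regs_save(&tsk->thread);` in save_all() carries no comment on why the pkey registers are flushed to the thread struct here; since the point is that the child inherits AMR/IAMR/UAMOR from the saved thread_struct, add `/* AMR/IAMR/UAMOR live only in the registers until saved here; fork copies them from thread_struct. */`. save_all() is reached through flush_all_to_thread() (whose body is outside the hunk), which presumably runs on more paths than fork, so the save must be cheap and idempotent on every call; thread_pkey_regs_save() likely bails when pkeys are disabled, but that helper is not visible here.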
diff --git a/queue-4.18/powerpc-powernv-pci-work-around-races-in-pci-bridge-enabling.patch b/queue-4.18/powerpc-powernv-pci-work-around-races-in-pci-bridge-enabling.patch
new file mode 100644 (file)
index 0000000..9d48b98
--- /dev/null
@@ -0,0 +1,88 @@
+From db2173198b9513f7add8009f225afa1f1c79bcc6 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Date: Fri, 17 Aug 2018 17:30:39 +1000
+Subject: powerpc/powernv/pci: Work around races in PCI bridge enabling
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+commit db2173198b9513f7add8009f225afa1f1c79bcc6 upstream.
+
+The generic code is racy when multiple children of a PCI bridge try to
+enable it simultaneously.
+
+This leads to drivers trying to access a device through a
+not-yet-enabled bridge, and this EEH errors under various
+circumstances when using parallel driver probing.
+
+There is work going on to fix that properly in the PCI core but it
+will take some time.
+
+x86 gets away with it because (outside of hotplug), the BIOS enables
+all the bridges at boot time.
+
+This patch does the same thing on powernv by enabling all bridges that
+have child devices at boot time, thus avoiding subsequent races. It's
+suitable for backporting to stable and distros, while the proper PCI
+fix will probably be significantly more invasive.
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/pci-ioda.c |   37 ++++++++++++++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+
+--- a/arch/powerpc/platforms/powernv/pci-ioda.c
++++ b/arch/powerpc/platforms/powernv/pci-ioda.c
+@@ -3368,12 +3368,49 @@ static void pnv_pci_ioda_create_dbgfs(vo
+ #endif /* CONFIG_DEBUG_FS */
+ }
++static void pnv_pci_enable_bridge(struct pci_bus *bus)
++{
++      struct pci_dev *dev = bus->self;
++      struct pci_bus *child;
++
++      /* Empty bus ? bail */
++      if (list_empty(&bus->devices))
++              return;
++
++      /*
++       * If there's a bridge associated with that bus enable it. This works
++       * around races in the generic code if the enabling is done during
++       * parallel probing. This can be removed once those races have been
++       * fixed.
++       */
++      if (dev) {
++              int rc = pci_enable_device(dev);
++              if (rc)
++                      pci_err(dev, "Error enabling bridge (%d)\n", rc);
++              pci_set_master(dev);
++      }
++
++      /* Perform the same to child busses */
++      list_for_each_entry(child, &bus->children, node)
++              pnv_pci_enable_bridge(child);
++}
++
++static void pnv_pci_enable_bridges(void)
++{
++      struct pci_controller *hose;
++
++      list_for_each_entry(hose, &hose_list, list_node)
++              pnv_pci_enable_bridge(hose->bus);
++}
++
+ static void pnv_pci_ioda_fixup(void)
+ {
+       pnv_pci_ioda_setup_PEs();
+       pnv_pci_ioda_setup_iommu_api();
+       pnv_pci_ioda_create_dbgfs();
++      pnv_pci_enable_bridges();
++
+ #ifdef CONFIG_EEH
+       pnv_eeh_post_init();
+ #endif
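Review bot: In pnv_pci_enable_bridge(), `pci_set_master(dev)` runs even when `pci_enable_device(dev)` returned an error, because the `if (rc)` branch only logs and falls through; a bridge that could not be enabled still has bus mastering turned on. Adding `else` before `pci_set_master(dev);` keeps the behaviour for the success path and leaves a failed bridge untouched. Separately, pnv_pci_enable_bridges() is invoked once from pnv_pci_ioda_fixup(), so bridges that appear through hotplug after boot are not covered, which is the same caveat the commit message notes for the x86 BIOS behaviour; a comment on the function such as `/* Boot-time only: bridges added by hotplug later still rely on the generic (racy) enable path */` would record that limit where the next maintainer will look.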
diff --git a/queue-4.18/powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch b/queue-4.18/powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch
new file mode 100644 (file)
index 0000000..4320325
--- /dev/null
@@ -0,0 +1,71 @@
+From cd813e1cd7122f2c261dce5b54d1e0c97f80e1a5 Mon Sep 17 00:00:00 2001
+From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Date: Tue, 7 Aug 2018 19:46:46 +0530
+Subject: powerpc/pseries: Fix endianness while restoring of r3 in MCE handler.
+
+From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+
+commit cd813e1cd7122f2c261dce5b54d1e0c97f80e1a5 upstream.
+
+During Machine Check interrupt on pseries platform, register r3 points
+RTAS extended event log passed by hypervisor. Since hypervisor uses r3
+to pass pointer to rtas log, it stores the original r3 value at the
+start of the memory (first 8 bytes) pointed by r3. Since hypervisor
+stores this info and rtas log is in BE format, linux should make
+sure to restore r3 value in correct endian format.
+
+Without this patch when MCE handler, after recovery, returns to code that
+that caused the MCE may end up with Data SLB access interrupt for invalid
+address followed by kernel panic or hang.
+
+  Severe Machine check interrupt [Recovered]
+    NIP [d00000000ca301b8]: init_module+0x1b8/0x338 [bork_kernel]
+    Initiator: CPU
+    Error type: SLB [Multihit]
+      Effective address: d00000000ca70000
+  cpu 0xa: Vector: 380 (Data SLB Access) at [c0000000fc7775b0]
+      pc: c0000000009694c0: vsnprintf+0x80/0x480
+      lr: c0000000009698e0: vscnprintf+0x20/0x60
+      sp: c0000000fc777830
+     msr: 8000000002009033
+     dar: a803a30c000000d0
+    current = 0xc00000000bc9ef00
+    paca    = 0xc00000001eca5c00        softe: 3        irq_happened: 0x01
+      pid   = 8860, comm = insmod
+  vscnprintf+0x20/0x60
+  vprintk_emit+0xb4/0x4b0
+  vprintk_func+0x5c/0xd0
+  printk+0x38/0x4c
+  init_module+0x1c0/0x338 [bork_kernel]
+  do_one_initcall+0x54/0x230
+  do_init_module+0x8c/0x248
+  load_module+0x12b8/0x15b0
+  sys_finit_module+0xa8/0x110
+  system_call+0x58/0x6c
+  --- Exception: c00 (System Call) at 00007fff8bda0644
+  SP (7fffdfbfe980) is in userspace
+
+This patch fixes this issue.
+
+Fixes: a08a53ea4c97 ("powerpc/le: Enable RTAS events support")
+Cc: stable@vger.kernel.org # v3.15+
+Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/pseries/ras.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/ras.c
++++ b/arch/powerpc/platforms/pseries/ras.c
+@@ -360,7 +360,7 @@ static struct rtas_error_log *fwnmi_get_
+       }
+       savep = __va(regs->gpr[3]);
+-      regs->gpr[3] = savep[0];        /* restore original r3 */
++      regs->gpr[3] = be64_to_cpu(savep[0]);   /* restore original r3 */
+       /* If it isn't an extended log we can use the per cpu 64bit buffer */
+       h = (struct rtas_error_log *)&savep[1];
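Review bot: `be64_to_cpu(savep[0])` is applied to an element of `savep`, whose declaration is outside the hunk; the `__va()` assignment and the `&savep[1]` cast two lines later suggest it is a plain `unsigned long *`, in which case sparse will flag the conversion because the argument is not `__be64`. Writing it as `regs->gpr[3] = be64_to_cpu(*(__be64 *)savep);` or declaring `savep` as `__be64 *` makes the endianness explicit and keeps the annotation checking useful. The comment should also say why the conversion is needed, since that is the whole fix: `/* hypervisor saved the original r3 in BE at savep[0] */`. fwnmi_get_errinfo() starts before the hunk.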
diff --git a/queue-4.18/powerpc64-ftrace-include-ftrace.h-needed-for-enable-disable-calls.patch b/queue-4.18/powerpc64-ftrace-include-ftrace.h-needed-for-enable-disable-calls.patch
new file mode 100644 (file)
index 0000000..e7df857
--- /dev/null
@@ -0,0 +1,33 @@
+From d6ee76d3d37d156c479348821574b6f99d6472a1 Mon Sep 17 00:00:00 2001
+From: Luke Dashjr <luke@dashjr.org>
+Date: Thu, 16 Aug 2018 21:36:26 +0000
+Subject: powerpc64/ftrace: Include ftrace.h needed for enable/disable calls
+
+From: Luke Dashjr <luke@dashjr.org>
+
+commit d6ee76d3d37d156c479348821574b6f99d6472a1 upstream.
+
+this_cpu_disable_ftrace and this_cpu_enable_ftrace are inlines in
+ftrace.h Without it included, the build fails.
+
+Fixes: a4bc64d305af ("powerpc64/ftrace: Disable ftrace during kvm entry/exit")
+Cc: stable@vger.kernel.org # v4.18+
+Signed-off-by: Luke Dashjr <luke-jr+git@utopios.org>
+Acked-by: Naveen N. Rao <naveen.n.rao at linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_hv.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -46,6 +46,7 @@
+ #include <linux/compiler.h>
+ #include <linux/of.h>
++#include <asm/ftrace.h>
+ #include <asm/reg.h>
+ #include <asm/ppc-opcode.h>
+ #include <asm/asm-prototypes.h>
diff --git a/queue-4.18/rdma-mlx5-fix-shift-overflow-in-mlx5_ib_create_wq.patch b/queue-4.18/rdma-mlx5-fix-shift-overflow-in-mlx5_ib_create_wq.patch
new file mode 100644 (file)
index 0000000..5338f01
--- /dev/null
@@ -0,0 +1,59 @@
+From 0dfe452241f4904de497aef01ad2f609ccb9be90 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Wed, 1 Aug 2018 14:25:41 -0700
+Subject: RDMA/mlx5: Fix shift overflow in mlx5_ib_create_wq
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit 0dfe452241f4904de497aef01ad2f609ccb9be90 upstream.
+
+[   61.182439] UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/qp.c:5366:34
+[   61.183673] shift exponent 4294967288 is too large for 32-bit type 'unsigned int'
+[   61.185530] CPU: 0 PID: 639 Comm: qp Not tainted 4.18.0-rc1-00037-g4aa1d69a9c60-dirty #96
+[   61.186981] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
+[   61.188315] Call Trace:
+[   61.188661]  dump_stack+0xc7/0x13b
+[   61.190427]  ubsan_epilogue+0x9/0x49
+[   61.190899]  __ubsan_handle_shift_out_of_bounds+0x1ea/0x22f
+[   61.197040]  mlx5_ib_create_wq+0x1c99/0x1d50
+[   61.206632]  ib_uverbs_ex_create_wq+0x499/0x820
+[   61.213892]  ib_uverbs_write+0x77e/0xae0
+[   61.248018]  vfs_write+0x121/0x3b0
+[   61.249831]  ksys_write+0xa1/0x120
+[   61.254024]  do_syscall_64+0x7c/0x2a0
+[   61.256178]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[   61.259211] RIP: 0033:0x7f54bab70e99
+[   61.262125] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89
+[   61.268678] RSP: 002b:00007ffe1541c318 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[   61.271076] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f54bab70e99
+[   61.273795] RDX: 0000000000000070 RSI: 0000000020000240 RDI: 0000000000000003
+[   61.276982] RBP: 00007ffe1541c330 R08: 00000000200078e0 R09: 0000000000000002
+[   61.280035] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004005c0
+[   61.283279] R13: 00007ffe1541c420 R14: 0000000000000000 R15: 0000000000000000
+
+Cc: <stable@vger.kernel.org> # 4.7
+Fixes: 79b20a6c3014 ("IB/mlx5: Add receive Work Queue verbs")
+Cc: syzkaller <syzkaller@googlegroups.com>
+Reported-by: Noa Osherovich <noaos@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/qp.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -5365,7 +5365,9 @@ static int set_user_rq_size(struct mlx5_
+       rwq->wqe_count = ucmd->rq_wqe_count;
+       rwq->wqe_shift = ucmd->rq_wqe_shift;
+-      rwq->buf_size = (rwq->wqe_count << rwq->wqe_shift);
++      if (check_shl_overflow(rwq->wqe_count, rwq->wqe_shift, &rwq->buf_size))
++              return -EINVAL;
++
+       rwq->log_rq_stride = rwq->wqe_shift;
+       rwq->log_rq_size = ilog2(rwq->wqe_count);
+       return 0;
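Review bot: The new `check_shl_overflow()` bounds the shift by the width of `rwq->buf_size`, whose type is outside the hunk, while `rq_wqe_count` and `rq_wqe_shift` are user-supplied (the trace reaches this code through ib_uverbs_write()); if buf_size is a 64-bit type, shifts up to 63 and products close to 2^64 now pass this check and flow into `log_rq_stride` and whatever allocation follows. A cap on `wqe_shift` against the device's capability limits, and a non-zero check on `wqe_count` before the `ilog2()` below, should therefore be present earlier in set_user_rq_size(); its opening lines are before the hunk, so I cannot confirm that here. A short comment on the check would make its purpose clear to the next reader: `/* rq_wqe_count/rq_wqe_shift are user-controlled; reject shifts that overflow buf_size */`.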
diff --git a/queue-4.18/rdma-rxe-set-wqe-status-correctly-if-an-unexpected-response-is-received.patch b/queue-4.18/rdma-rxe-set-wqe-status-correctly-if-an-unexpected-response-is-received.patch
new file mode 100644 (file)
index 0000000..3ead690
--- /dev/null
@@ -0,0 +1,33 @@
+From 61b717d041b1976530f68f8b539b2e3a7dd8e39c Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Tue, 26 Jun 2018 08:39:36 -0700
+Subject: RDMA/rxe: Set wqe->status correctly if an unexpected response is received
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+commit 61b717d041b1976530f68f8b539b2e3a7dd8e39c upstream.
+
+Every function that returns COMPST_ERROR must set wqe->status to another
+value than IB_WC_SUCCESS before returning COMPST_ERROR. Fix the only code
+path for which this is not yet the case.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/sw/rxe/rxe_comp.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/sw/rxe/rxe_comp.c
++++ b/drivers/infiniband/sw/rxe/rxe_comp.c
+@@ -276,6 +276,7 @@ static inline enum comp_state check_ack(
+       case IB_OPCODE_RC_RDMA_READ_RESPONSE_MIDDLE:
+               if (wqe->wr.opcode != IB_WR_RDMA_READ &&
+                   wqe->wr.opcode != IB_WR_RDMA_READ_WITH_INV) {
++                      wqe->status = IB_WC_FATAL_ERR;
+                       return COMPST_ERROR;
+               }
+               reset_retry_counters(qp);
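Review bot: `IB_WC_FATAL_ERR` is the most generic completion status; the condition on the two lines above it is precisely "the responder returned a transport opcode that does not match the posted work request", which is the case `IB_WC_BAD_RESP_ERR` exists for, and that status would tell user space what actually went wrong. The commit message only asks for a non-SUCCESS value, so this is a choice for the maintainers rather than a defect, but the change is one token: `wqe->status = IB_WC_BAD_RESP_ERR;`. check_ack() starts before the hunk, so I cannot see which status the other COMPST_ERROR paths in it use for consistency.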
diff --git a/queue-4.18/replace-magic-for-trusting-the-secondary-keyring-with-define.patch b/queue-4.18/replace-magic-for-trusting-the-secondary-keyring-with-define.patch
new file mode 100644 (file)
index 0000000..d5c3791
--- /dev/null
@@ -0,0 +1,70 @@
+From 817aef260037f33ee0f44c17fe341323d3aebd6d Mon Sep 17 00:00:00 2001
+From: Yannik Sembritzki <yannik@sembritzki.me>
+Date: Thu, 16 Aug 2018 14:05:10 +0100
+Subject: Replace magic for trusting the secondary keyring with #define
+
+From: Yannik Sembritzki <yannik@sembritzki.me>
+
+commit 817aef260037f33ee0f44c17fe341323d3aebd6d upstream.
+
+Replace the use of a magic number that indicates that verify_*_signature()
+should use the secondary keyring with a symbol.
+
+Signed-off-by: Yannik Sembritzki <yannik@sembritzki.me>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Cc: keyrings@vger.kernel.org
+Cc: linux-security-module@vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ certs/system_keyring.c                  |    3 ++-
+ crypto/asymmetric_keys/pkcs7_key_type.c |    2 +-
+ include/linux/verification.h            |    6 ++++++
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/certs/system_keyring.c
++++ b/certs/system_keyring.c
+@@ -15,6 +15,7 @@
+ #include <linux/cred.h>
+ #include <linux/err.h>
+ #include <linux/slab.h>
++#include <linux/verification.h>
+ #include <keys/asymmetric-type.h>
+ #include <keys/system_keyring.h>
+ #include <crypto/pkcs7.h>
+@@ -230,7 +231,7 @@ int verify_pkcs7_signature(const void *d
+       if (!trusted_keys) {
+               trusted_keys = builtin_trusted_keys;
+-      } else if (trusted_keys == (void *)1UL) {
++      } else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
+ #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+               trusted_keys = secondary_trusted_keys;
+ #else
+--- a/crypto/asymmetric_keys/pkcs7_key_type.c
++++ b/crypto/asymmetric_keys/pkcs7_key_type.c
+@@ -63,7 +63,7 @@ static int pkcs7_preparse(struct key_pre
+       return verify_pkcs7_signature(NULL, 0,
+                                     prep->data, prep->datalen,
+-                                    (void *)1UL, usage,
++                                    VERIFY_USE_SECONDARY_KEYRING, usage,
+                                     pkcs7_view_content, prep);
+ }
+--- a/include/linux/verification.h
++++ b/include/linux/verification.h
+@@ -13,6 +13,12 @@
+ #define _LINUX_VERIFICATION_H
+ /*
++ * Indicate that both builtin trusted keys and secondary trusted keys
++ * should be used.
++ */
++#define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL)
++
++/*
+  * The use to which an asymmetric key is being put.
+  */
+ enum key_being_used_for {
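Review bot: The new comment on `VERIFY_USE_SECONDARY_KEYRING` in include/linux/verification.h says what the value selects but not that it is a sentinel rather than a real `struct key *`, which is the property callers most need to know; the comment should add a line such as ` * This is a sentinel pointer value, not a valid struct key: it may be passed to verify_*_signature() and compared by identity, but must never be dereferenced or passed to key_put()/key_ref helpers.` The patch converts the two `(void *)1UL` sites visible here; any other caller still passing the raw magic value would keep working but would silently miss future changes to the sentinel, and the kexec patch listed in this same series looks like the place where the remaining use is addressed, which I cannot confirm from this page.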
index fd76a1d235d1d2723ab7b5383fda9b1fdcdf9a1f..9d53011ee821df1e953c287ad2395aa706290f55 100644 (file)
@@ -16,3 +16,38 @@ block-really-disable-runtime-pm-for-blk-mq.patch
 blkcg-introduce-blkg_root_lookup.patch
 block-introduce-blk_exit_queue.patch
 block-ensure-that-a-request-queue-is-dissociated-from-the-cgroup-controller.patch
+apparmor-fix-bad-debug-check-in-apparmor_secid_to_secctx.patch
+dma-buf-move-bug_on-from-_add_shared_fence-to-_add_shared_inplace.patch
+libertas-fix-suspend-and-resume-for-sdio-connected-cards.patch
+media-revert-tvp5150-fix-pad-format-frame-height.patch
+mailbox-xgene-slimpro-fix-potential-null-pointer-dereference.patch
+replace-magic-for-trusting-the-secondary-keyring-with-define.patch
+fix-kexec-forbidding-kernels-signed-with-keys-in-the-secondary-keyring-to-boot.patch
+powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch
+powerpc-64s-fix-page-table-fragment-refcount-race-vs-speculative-references.patch
+powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch
+powerpc-pkeys-give-all-threads-control-of-their-key-permissions.patch
+powerpc-pkeys-deny-read-write-execute-by-default.patch
+powerpc-pkeys-key-allocation-deallocation-must-not-change-pkey-registers.patch
+powerpc-pkeys-save-the-pkey-registers-before-fork.patch
+powerpc-pkeys-fix-calculation-of-total-pkeys.patch
+powerpc-pkeys-preallocate-execute-only-key.patch
+powerpc-nohash-fix-pte_access_permitted.patch
+powerpc64-ftrace-include-ftrace.h-needed-for-enable-disable-calls.patch
+powerpc-powernv-pci-work-around-races-in-pci-bridge-enabling.patch
+cxl-fix-wrong-comparison-in-cxl_adapter_context_get.patch
+ocxl-fix-page-fault-handler-in-case-of-fault-on-dying-process.patch
+ib-mlx5-honor-cnt_set_id_valid-flag-instead-of-set_id.patch
+ib-mlx5-fix-leaking-stack-memory-to-userspace.patch
+ib-srpt-fix-srpt_cm_req_recv-error-path-1-2.patch
+ib-srpt-fix-srpt_cm_req_recv-error-path-2-2.patch
+ib-srpt-support-hcas-with-more-than-two-ports.patch
+rdma-mlx5-fix-shift-overflow-in-mlx5_ib_create_wq.patch
+ib_srpt-fix-a-use-after-free-in-srpt_close_ch.patch
+ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch
+rdma-rxe-set-wqe-status-correctly-if-an-unexpected-response-is-received.patch
+9p-fix-multiple-null-pointer-dereferences.patch
+fs-9p-xattr.c-catch-the-error-of-p9_client_clunk-when-setting-xattr-failed.patch
+9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch
+net-9p-client.c-version-pointer-uninitialized.patch
+net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch