--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Qu Wenruo <wqu@suse.com>
+Date: Fri, 22 Jun 2018 12:35:00 +0800
+Subject: btrfs: Don't remove block group that still has pinned down bytes
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 43794446548730ac8461be30bbe47d5d027d1d16 ]
+
+[BUG]
+Under certain KVM load and LTP tests, it is possible to hit the
+following calltrace if quota is enabled:
+
+BTRFS critical (device vda2): unable to find logical 8820195328 length 4096
+BTRFS critical (device vda2): unable to find logical 8820195328 length 4096
+
+WARNING: CPU: 0 PID: 49 at ../block/blk-core.c:172 blk_status_to_errno+0x1a/0x30
+CPU: 0 PID: 49 Comm: kworker/u2:1 Not tainted 4.12.14-15-default #1 SLE15 (unreleased)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+Workqueue: btrfs-endio-write btrfs_endio_write_helper [btrfs]
+task: ffff9f827b340bc0 task.stack: ffffb4f8c0304000
+RIP: 0010:blk_status_to_errno+0x1a/0x30
+Call Trace:
+ submit_extent_page+0x191/0x270 [btrfs]
+ ? btrfs_create_repair_bio+0x130/0x130 [btrfs]
+ __do_readpage+0x2d2/0x810 [btrfs]
+ ? btrfs_create_repair_bio+0x130/0x130 [btrfs]
+ ? run_one_async_done+0xc0/0xc0 [btrfs]
+ __extent_read_full_page+0xe7/0x100 [btrfs]
+ ? run_one_async_done+0xc0/0xc0 [btrfs]
+ read_extent_buffer_pages+0x1ab/0x2d0 [btrfs]
+ ? run_one_async_done+0xc0/0xc0 [btrfs]
+ btree_read_extent_buffer_pages+0x94/0xf0 [btrfs]
+ read_tree_block+0x31/0x60 [btrfs]
+ read_block_for_search.isra.35+0xf0/0x2e0 [btrfs]
+ btrfs_search_slot+0x46b/0xa00 [btrfs]
+ ? kmem_cache_alloc+0x1a8/0x510
+ ? btrfs_get_token_32+0x5b/0x120 [btrfs]
+ find_parent_nodes+0x11d/0xeb0 [btrfs]
+ ? leaf_space_used+0xb8/0xd0 [btrfs]
+ ? btrfs_leaf_free_space+0x49/0x90 [btrfs]
+ ? btrfs_find_all_roots_safe+0x93/0x100 [btrfs]
+ btrfs_find_all_roots_safe+0x93/0x100 [btrfs]
+ btrfs_find_all_roots+0x45/0x60 [btrfs]
+ btrfs_qgroup_trace_extent_post+0x20/0x40 [btrfs]
+ btrfs_add_delayed_data_ref+0x1a3/0x1d0 [btrfs]
+ btrfs_alloc_reserved_file_extent+0x38/0x40 [btrfs]
+ insert_reserved_file_extent.constprop.71+0x289/0x2e0 [btrfs]
+ btrfs_finish_ordered_io+0x2f4/0x7f0 [btrfs]
+ ? pick_next_task_fair+0x2cd/0x530
+ ? __switch_to+0x92/0x4b0
+ btrfs_worker_helper+0x81/0x300 [btrfs]
+ process_one_work+0x1da/0x3f0
+ worker_thread+0x2b/0x3f0
+ ? process_one_work+0x3f0/0x3f0
+ kthread+0x11a/0x130
+ ? kthread_create_on_node+0x40/0x40
+ ret_from_fork+0x35/0x40
+
+BTRFS critical (device vda2): unable to find logical 8820195328 length 16384
+BTRFS: error (device vda2) in btrfs_finish_ordered_io:3023: errno=-5 IO failure
+BTRFS info (device vda2): forced readonly
+BTRFS error (device vda2): pending csums is 2887680
+
+[CAUSE]
+It's caused by race with block group auto removal:
+
+- There is a meta block group X, which has only one tree block
+ The tree block belongs to fs tree 257.
+- In current transaction, some operation modified fs tree 257
+ The tree block gets COWed, so the block group X is empty, and marked
+ as unused, queued to be deleted.
+- Some workload (like fsync) wakes up cleaner_kthread()
+ Which will call btrfs_delete_unused_bgs() to remove unused block
+ groups.
+ So block group X along its chunk map get removed.
+- Some delalloc work finished for fs tree 257
+ Quota needs to get the original reference of the extent, which will
+ read tree blocks of commit root of 257.
+ Then since the chunk map gets removed, the above warning gets
+ triggered.
+
+[FIX]
+Just let btrfs_delete_unused_bgs() skip block group which still has
+pinned bytes.
+
+However there is a minor side effect: currently we only queue empty
+blocks at update_block_group(), and such empty block group with pinned
+bytes won't go through update_block_group() again, such block group
+won't be removed, until it gets new extent allocated and removed.
+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent-tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -9487,7 +9487,7 @@ void btrfs_delete_unused_bgs(struct btrf
+ /* Don't want to race with allocators so take the groups_sem */
+ down_write(&space_info->groups_sem);
+ spin_lock(&block_group->lock);
+- if (block_group->reserved ||
++ if (block_group->reserved || block_group->pinned ||
+ btrfs_block_group_used(&block_group->item) ||
+ block_group->ro) {
+ /*
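Review bot: The added `block_group->pinned` test has no comment, and the reason for it is not obvious from the condition. Per the commit message, tree blocks in a group with pinned bytes can still be read through a commit root (the qgroup backref walk), so removing the chunk map early makes those reads fail and forces the filesystem read-only. A short comment above the `if`, such as `/* pinned bytes may still be read via a commit root, keep the chunk map */`, would keep a later cleanup from dropping the check. The commit message also says a group skipped here is not re-queued until it sees a new allocation and free; that affects space reclaim and belongs in the comment too. The function body continues outside this hunk.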
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Qu Wenruo <wqu@suse.com>
+Date: Tue, 3 Jul 2018 17:10:07 +0800
+Subject: btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 389305b2aa68723c754f88d9dbd268a400e10664 ]
+
+Invalid reloc tree can cause kernel NULL pointer dereference when btrfs
+does some cleanup of the reloc roots.
+
+It turns out that fs_info::reloc_ctl can be NULL in
+btrfs_recover_relocation() as we allocate relocation control after all
+reloc roots have been verified.
+So when we hit: note, we haven't called set_reloc_control() thus
+fs_info::reloc_ctl is still NULL.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199833
+Reported-by: Xu Wen <wen.xu@gatech.edu>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Tested-by: Gu Jinxiang <gujx@cn.fujitsu.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/relocation.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -1311,18 +1311,19 @@ static void __del_reloc_root(struct btrf
+ struct mapping_node *node = NULL;
+ struct reloc_control *rc = root->fs_info->reloc_ctl;
+
+- spin_lock(&rc->reloc_root_tree.lock);
+- rb_node = tree_search(&rc->reloc_root_tree.rb_root,
+- root->node->start);
+- if (rb_node) {
+- node = rb_entry(rb_node, struct mapping_node, rb_node);
+- rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root);
++ if (rc) {
++ spin_lock(&rc->reloc_root_tree.lock);
++ rb_node = tree_search(&rc->reloc_root_tree.rb_root,
++ root->node->start);
++ if (rb_node) {
++ node = rb_entry(rb_node, struct mapping_node, rb_node);
++ rb_erase(&node->rb_node, &rc->reloc_root_tree.rb_root);
++ }
++ spin_unlock(&rc->reloc_root_tree.lock);
++ if (!node)
++ return;
++ BUG_ON((struct btrfs_root *)node->data != root);
+ }
+- spin_unlock(&rc->reloc_root_tree.lock);
+-
+- if (!node)
+- return;
+- BUG_ON((struct btrfs_root *)node->data != root);
+
+ spin_lock(&root->fs_info->trans_lock);
+ list_del_init(&root->root_list);
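Review bot: With the new `if (rc)` guard the two "not found" cases behave differently: when `rc` is set and the lookup finds nothing the function returns early, but when `rc` is NULL it falls through to the `trans_lock` / `list_del_init()` cleanup with `node` still NULL. That looks intentional, since the commit message says `reloc_ctl` is not yet allocated while btrfs_recover_relocation() is still verifying reloc roots, but it should be stated in a comment, e.g. `/* rc is NULL if recovery failed before set_reloc_control(); only the list entry needs removing */`. The code after `list_del_init()` is outside this hunk, so whether it tolerates `node == NULL` cannot be confirmed from here and should be checked. The retained `BUG_ON()` still turns a mismatched mapping into a kernel crash; if that state is reachable from on-disk contents, a graceful error return would be safer.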
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
+Date: Tue, 31 Jul 2018 16:20:21 +0900
+Subject: btrfs: replace: Reset on-disk dev stats value after replace
+
+From: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
+
+[ Upstream commit 1e7e1f9e3aba00c9b9c323bfeeddafe69ff21ff6 ]
+
+on-disk devs stats value is updated in btrfs_run_dev_stats(),
+which is called during commit transaction, if device->dev_stats_ccnt
+is not zero.
+
+Since current replace operation does not touch dev_stats_ccnt,
+on-disk dev stats value is not updated. Therefore "btrfs device stats"
+may return old device's value after umount/mount
+(Example: See "btrfs ins dump-t -t DEV $DEV" after btrfs/100 finish).
+
+Fix this by just incrementing dev_stats_ccnt in
+btrfs_dev_replace_finishing() when replace is succeeded and this will
+update the values.
+
+Signed-off-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/dev-replace.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/btrfs/dev-replace.c
++++ b/fs/btrfs/dev-replace.c
+@@ -584,6 +584,12 @@ static int btrfs_dev_replace_finishing(s
+ btrfs_rm_dev_replace_unblocked(fs_info);
+
+ /*
++ * Increment dev_stats_ccnt so that btrfs_run_dev_stats() will
++ * update on-disk dev stats value during commit transaction
++ */
++ atomic_inc(&tgt_device->dev_stats_ccnt);
++
++ /*
+ * this is again a consistent state where no dev_replace procedure
+ * is running, the target device is part of the filesystem, the
+ * source device is not part of the filesystem anymore and its 1st
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Wed, 22 Aug 2018 12:19:24 +1000
+Subject: cifs: check if SMB2 PDU size has been padded and suppress the warning
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+[ Upstream commit e6c47dd0da1e3a484e778046fc10da0b20606a86 ]
+
+Some SMB2/3 servers, Win2016 but possibly others too, adds padding
+not only between PDUs in a compound but also to the final PDU.
+This padding extends the PDU to a multiple of 8 bytes.
+
+Check if the unexpected length looks like this might be the case
+and avoid triggering the log messages for :
+
+ "SMB2 server sent bad RFC1001 len %d not %d\n"
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2misc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/cifs/smb2misc.c
++++ b/fs/cifs/smb2misc.c
+@@ -183,6 +183,13 @@ smb2_check_message(char *buf, unsigned i
+ return 0;
+
+ /*
++ * Some windows servers (win2016) will pad also the final
++ * PDU in a compound to 8 bytes.
++ */
++ if (((clc_len + 7) & ~7) == len)
++ return 0;
++
++ /*
+ * MacOS server pads after SMB2.1 write response with 3 bytes
+ * of junk. Other servers match RFC1001 len to actual
+ * SMB2/SMB3 frame length (header + smb2 response specific data)
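Review bot: The new early `return 0` relaxes a length check on server-supplied data: any frame whose RFC1001 length equals `clc_len` rounded up to 8 is now accepted, without confirming that the message is the last PDU of a compound or that the extra 1–7 bytes are padding. That is probably harmless as long as later parsing is bounded by the calculated length rather than `len`, but the hunk does not show this, so the comment should say it, e.g. `/* trailing bytes are padding and are never parsed */`. For readability the rounding could use the kernel helper, `if (ALIGN(clc_len, 8) == len)`. smb2_check_message() continues outside this hunk.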
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: John Pittman <jpittman@redhat.com>
+Date: Mon, 6 Aug 2018 15:53:12 -0400
+Subject: dm kcopyd: avoid softlockup in run_complete_job
+
+From: John Pittman <jpittman@redhat.com>
+
+[ Upstream commit 784c9a29e99eb40b842c29ecf1cc3a79e00fb629 ]
+
+It was reported that softlockups occur when using dm-snapshot ontop of
+slow (rbd) storage. E.g.:
+
+[ 4047.990647] watchdog: BUG: soft lockup - CPU#10 stuck for 22s! [kworker/10:23:26177]
+...
+[ 4048.034151] Workqueue: kcopyd do_work [dm_mod]
+[ 4048.034156] RIP: 0010:copy_callback+0x41/0x160 [dm_snapshot]
+...
+[ 4048.034190] Call Trace:
+[ 4048.034196] ? __chunk_is_tracked+0x70/0x70 [dm_snapshot]
+[ 4048.034200] run_complete_job+0x5f/0xb0 [dm_mod]
+[ 4048.034205] process_jobs+0x91/0x220 [dm_mod]
+[ 4048.034210] ? kcopyd_put_pages+0x40/0x40 [dm_mod]
+[ 4048.034214] do_work+0x46/0xa0 [dm_mod]
+[ 4048.034219] process_one_work+0x171/0x370
+[ 4048.034221] worker_thread+0x1fc/0x3f0
+[ 4048.034224] kthread+0xf8/0x130
+[ 4048.034226] ? max_active_store+0x80/0x80
+[ 4048.034227] ? kthread_bind+0x10/0x10
+[ 4048.034231] ret_from_fork+0x35/0x40
+[ 4048.034233] Kernel panic - not syncing: softlockup: hung tasks
+
+Fix this by calling cond_resched() after run_complete_job()'s callout to
+the dm_kcopyd_notify_fn (which is dm-snap.c:copy_callback in the above
+trace).
+
+Signed-off-by: John Pittman <jpittman@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-kcopyd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/md/dm-kcopyd.c
++++ b/drivers/md/dm-kcopyd.c
+@@ -454,6 +454,8 @@ static int run_complete_job(struct kcopy
+ if (atomic_dec_and_test(&kc->nr_jobs))
+ wake_up(&kc->destroyq);
+
++ cond_resched();
++
+ return 0;
+ }
+
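Review bot: The added `cond_resched()` carries no comment, and nothing at the call site says why a completion helper yields. Suggest `/* notify callbacks can be slow; yield so a long run of completed jobs cannot trip the soft-lockup watchdog */` above it. The call is only valid in a context that may sleep; the trace in the commit message shows run_complete_job() reached from a workqueue, which fits, but any other caller outside this hunk should be checked.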
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Date: Tue, 21 Aug 2018 21:59:44 -0700
+Subject: fat: validate ->i_start before using
+
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+
+[ Upstream commit 0afa9626667c3659ef8bd82d42a11e39fedf235c ]
+
+On corrupted FATfs may have invalid ->i_start. To handle it, this checks
+->i_start before using, and return proper error code.
+
+Link: http://lkml.kernel.org/r/87o9f8y1t5.fsf_-_@mail.parknet.co.jp
+Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Tested-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Cc: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fat/cache.c | 19 ++++++++++++-------
+ fs/fat/fat.h | 5 +++++
+ fs/fat/fatent.c | 6 +++---
+ 3 files changed, 20 insertions(+), 10 deletions(-)
+
+--- a/fs/fat/cache.c
++++ b/fs/fat/cache.c
+@@ -226,7 +226,8 @@ static inline void cache_init(struct fat
+ int fat_get_cluster(struct inode *inode, int cluster, int *fclus, int *dclus)
+ {
+ struct super_block *sb = inode->i_sb;
+- const int limit = sb->s_maxbytes >> MSDOS_SB(sb)->cluster_bits;
++ struct msdos_sb_info *sbi = MSDOS_SB(sb);
++ const int limit = sb->s_maxbytes >> sbi->cluster_bits;
+ struct fat_entry fatent;
+ struct fat_cache_id cid;
+ int nr;
+@@ -235,6 +236,12 @@ int fat_get_cluster(struct inode *inode,
+
+ *fclus = 0;
+ *dclus = MSDOS_I(inode)->i_start;
++ if (!fat_valid_entry(sbi, *dclus)) {
++ fat_fs_error_ratelimit(sb,
++ "%s: invalid start cluster (i_pos %lld, start %08x)",
++ __func__, MSDOS_I(inode)->i_pos, *dclus);
++ return -EIO;
++ }
+ if (cluster == 0)
+ return 0;
+
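Review bot: On the new error path `*dclus` has already been set to the rejected `i_start`, so a caller that does not check the return value keeps a cluster number that came from a corrupted image. Validating before the assignment, or adding `*dclus = 0;` ahead of `return -EIO;`, keeps the out-parameters harmless on failure. The callers are outside this hunk, so whether any of them ignores the result cannot be seen here. The check also runs before the `cluster == 0` shortcut, so an `i_start` of 0 is rejected as well; that is fine only if zero-length files never reach this function, which is worth stating in a comment.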
+@@ -251,9 +258,8 @@ int fat_get_cluster(struct inode *inode,
+ /* prevent the infinite loop of cluster chain */
+ if (*fclus > limit) {
+ fat_fs_error_ratelimit(sb,
+- "%s: detected the cluster chain loop"
+- " (i_pos %lld)", __func__,
+- MSDOS_I(inode)->i_pos);
++ "%s: detected the cluster chain loop (i_pos %lld)",
++ __func__, MSDOS_I(inode)->i_pos);
+ nr = -EIO;
+ goto out;
+ }
+@@ -263,9 +269,8 @@ int fat_get_cluster(struct inode *inode,
+ goto out;
+ else if (nr == FAT_ENT_FREE) {
+ fat_fs_error_ratelimit(sb,
+- "%s: invalid cluster chain (i_pos %lld)",
+- __func__,
+- MSDOS_I(inode)->i_pos);
++ "%s: invalid cluster chain (i_pos %lld)",
++ __func__, MSDOS_I(inode)->i_pos);
+ nr = -EIO;
+ goto out;
+ } else if (nr == FAT_ENT_EOF) {
+--- a/fs/fat/fat.h
++++ b/fs/fat/fat.h
+@@ -347,6 +347,11 @@ static inline void fatent_brelse(struct
+ fatent->fat_inode = NULL;
+ }
+
++static inline bool fat_valid_entry(struct msdos_sb_info *sbi, int entry)
++{
++ return FAT_START_ENT <= entry && entry < sbi->max_cluster;
++}
++
+ extern void fat_ent_access_init(struct super_block *sb);
+ extern int fat_ent_read(struct inode *inode, struct fat_entry *fatent,
+ int entry);
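Review bot: `fat_valid_entry()` compares a signed `int entry` with `sbi->max_cluster`, whose type is not visible here; if it is unsigned, a negative `entry` is rejected only by the lower-bound test, not by the upper-bound one. A one-line comment such as `/* valid cluster numbers are FAT_START_ENT <= entry < max_cluster; the lower bound also rejects negative values */` would document that for anyone simplifying the expression. Since the helper only reads the superblock info, the parameter could also be `const struct msdos_sb_info *sbi`.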
+--- a/fs/fat/fatent.c
++++ b/fs/fat/fatent.c
+@@ -26,7 +26,7 @@ static void fat12_ent_blocknr(struct sup
+ {
+ struct msdos_sb_info *sbi = MSDOS_SB(sb);
+ int bytes = entry + (entry >> 1);
+- WARN_ON(entry < FAT_START_ENT || sbi->max_cluster <= entry);
++ WARN_ON(!fat_valid_entry(sbi, entry));
+ *offset = bytes & (sb->s_blocksize - 1);
+ *blocknr = sbi->fat_start + (bytes >> sb->s_blocksize_bits);
+ }
+@@ -36,7 +36,7 @@ static void fat_ent_blocknr(struct super
+ {
+ struct msdos_sb_info *sbi = MSDOS_SB(sb);
+ int bytes = (entry << sbi->fatent_shift);
+- WARN_ON(entry < FAT_START_ENT || sbi->max_cluster <= entry);
++ WARN_ON(!fat_valid_entry(sbi, entry));
+ *offset = bytes & (sb->s_blocksize - 1);
+ *blocknr = sbi->fat_start + (bytes >> sb->s_blocksize_bits);
+ }
+@@ -356,7 +356,7 @@ int fat_ent_read(struct inode *inode, st
+ int err, offset;
+ sector_t blocknr;
+
+- if (entry < FAT_START_ENT || sbi->max_cluster <= entry) {
++ if (!fat_valid_entry(sbi, entry)) {
+ fatent_brelse(fatent);
+ fat_fs_error(sb, "invalid access to FAT (entry 0x%08x)", entry);
+ return -EIO;
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Jann Horn <jannh@google.com>
+Date: Tue, 21 Aug 2018 22:00:58 -0700
+Subject: fork: don't copy inconsistent signal handler state to child
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit 06e62a46bbba20aa5286102016a04214bb446141 ]
+
+Before this change, if a multithreaded process forks while one of its
+threads is changing a signal handler using sigaction(), the memcpy() in
+copy_sighand() can race with the struct assignment in do_sigaction(). It
+isn't clear whether this can cause corruption of the userspace signal
+handler pointer, but it definitely can cause inconsistency between
+different fields of struct sigaction.
+
+Take the appropriate spinlock to avoid this.
+
+I have tested that this patch prevents inconsistency between sa_sigaction
+and sa_flags, which is possible before this patch.
+
+Link: http://lkml.kernel.org/r/20180702145108.73189-1-jannh@google.com
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/fork.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1014,7 +1014,9 @@ static int copy_sighand(unsigned long cl
+ if (!sig)
+ return -ENOMEM;
+ atomic_set(&sig->count, 1);
++ spin_lock_irq(¤t->sighand->siglock);
+ memcpy(sig->action, current->sighand->action, sizeof(sig->action));
++ spin_unlock_irq(¤t->sighand->siglock);
+ return 0;
+ }
+
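Review bot: The new lock/unlock pair has no comment naming what it protects against; per the commit message the concurrent writer is do_sigaction() on another thread of the forking process. Suggest `/* siglock: do_sigaction() in a sibling thread may be updating ->action */` above `spin_lock_irq()`. `spin_unlock_irq()` re-enables interrupts unconditionally, which is correct only if copy_sighand() is always entered with interrupts enabled; the callers are outside this hunk. The `¤t` on the two added lines appears to be an HTML-entity rendering artefact of `&current`, not part of the patch.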
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: "Ernesto A. Fernández" <ernesto.mnd.fernandez@gmail.com>
+Date: Thu, 23 Aug 2018 17:00:31 -0700
+Subject: hfs: prevent crash on exit from failed search
+
+From: "Ernesto A. Fernández" <ernesto.mnd.fernandez@gmail.com>
+
+[ Upstream commit dc2572791d3a41bab94400af2b6bca9d71ccd303 ]
+
+hfs_find_exit() expects fd->bnode to be NULL after a search has failed.
+hfs_brec_insert() may instead set it to an error-valued pointer. Fix
+this to prevent a crash.
+
+Link: http://lkml.kernel.org/r/53d9749a029c41b4016c495fc5838c9dba3afc52.1530294815.git.ernesto.mnd.fernandez@gmail.com
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Cc: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Cc: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/hfs/brec.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/hfs/brec.c
++++ b/fs/hfs/brec.c
+@@ -74,9 +74,10 @@ int hfs_brec_insert(struct hfs_find_data
+ if (!fd->bnode) {
+ if (!tree->root)
+ hfs_btree_inc_height(tree);
+- fd->bnode = hfs_bnode_find(tree, tree->leaf_head);
+- if (IS_ERR(fd->bnode))
+- return PTR_ERR(fd->bnode);
++ node = hfs_bnode_find(tree, tree->leaf_head);
++ if (IS_ERR(node))
++ return PTR_ERR(node);
++ fd->bnode = node;
+ fd->record = -1;
+ }
+ new_node = NULL;
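Review bot: The reason for going through `node` instead of assigning to `fd->bnode` directly is not recorded at the call site. A comment such as `/* keep fd->bnode NULL on failure; hfs_find_exit() must never see an ERR_PTR */` would stop the temporary from being folded away later. `node` is declared outside this hunk, and any other assignments to `fd->bnode` in the rest of hfs_brec_insert() are not visible here; they should follow the same pattern.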
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Tue, 21 Aug 2018 21:59:12 -0700
+Subject: hfsplus: don't return 0 when fill_super() failed
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 7464726cb5998846306ed0a7d6714afb2e37b25d ]
+
+syzbot is reporting NULL pointer dereference at mount_fs() [1]. This is
+because hfsplus_fill_super() is by error returning 0 when
+hfsplus_fill_super() detected invalid filesystem image, and mount_bdev()
+is returning NULL because dget(s->s_root) == NULL if s->s_root == NULL,
+and mount_fs() is accessing root->d_sb because IS_ERR(root) == false if
+root == NULL. Fix this by returning -EINVAL when hfsplus_fill_super()
+detected invalid filesystem image.
+
+[1] https://syzkaller.appspot.com/bug?id=21acb6850cecbc960c927229e597158cf35f33d0
+
+Link: http://lkml.kernel.org/r/d83ce31a-874c-dd5b-f790-41405983a5be@I-love.SAKURA.ne.jp
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+01ffaf5d9568dd1609f7@syzkaller.appspotmail.com>
+Reviewed-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/hfsplus/super.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -518,8 +518,10 @@ static int hfsplus_fill_super(struct sup
+ hfsplus_cat_build_key(sb, fd.search_key, HFSPLUS_ROOT_CNID, &str);
+ if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+ hfs_find_exit(&fd);
+- if (entry.type != cpu_to_be16(HFSPLUS_FOLDER))
++ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
++ err = -EINVAL;
+ goto out_put_root;
++ }
+ inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
+ if (IS_ERR(inode)) {
+ err = PTR_ERR(inode);
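Review bot: The new `-EINVAL` path fails the mount without logging anything, so an image rejected here is indistinguishable from other mount errors. A message before the `goto`, e.g. `pr_err("root catalog entry is not a folder\n");`, would help triage. The underlying bug class is a `goto out_put_root` taken while `err` is still 0; the other jumps to that label lie outside this hunk and should be audited for the same pattern.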
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Tan Hu <tan.hu@zte.com.cn>
+Date: Wed, 25 Jul 2018 15:23:07 +0800
+Subject: ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest()
+
+From: Tan Hu <tan.hu@zte.com.cn>
+
+[ Upstream commit a53b42c11815d2357e31a9403ae3950517525894 ]
+
+We came across infinite loop in ipvs when using ipvs in docker
+env.
+
+When ipvs receives new packets and cannot find an ipvs connection,
+it will create a new connection, then if the dest is unavailable
+(i.e. IP_VS_DEST_F_AVAILABLE), the packet will be dropped sliently.
+
+But if the dropped packet is the first packet of this connection,
+the connection control timer never has a chance to start and the
+ipvs connection cannot be released. This will lead to memory leak, or
+infinite loop in cleanup_net() when net namespace is released like
+this:
+
+ ip_vs_conn_net_cleanup at ffffffffa0a9f31a [ip_vs]
+ __ip_vs_cleanup at ffffffffa0a9f60a [ip_vs]
+ ops_exit_list at ffffffff81567a49
+ cleanup_net at ffffffff81568b40
+ process_one_work at ffffffff810a851b
+ worker_thread at ffffffff810a9356
+ kthread at ffffffff810b0b6f
+ ret_from_fork at ffffffff81697a18
+
+race condition:
+ CPU1 CPU2
+ ip_vs_in()
+ ip_vs_conn_new()
+ ip_vs_del_dest()
+ __ip_vs_unlink_dest()
+ ~IP_VS_DEST_F_AVAILABLE
+ cp->dest && !IP_VS_DEST_F_AVAILABLE
+ __ip_vs_conn_put
+ ...
+ cleanup_net ---> infinite looping
+
+Fix this by checking whether the timer already started.
+
+Signed-off-by: Tan Hu <tan.hu@zte.com.cn>
+Reviewed-by: Jiang Biao <jiang.biao2@zte.com.cn>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipvs/ip_vs_core.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -1692,13 +1692,20 @@ ip_vs_in(unsigned int hooknum, struct sk
+ if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
+ /* the destination server is not available */
+
+- if (sysctl_expire_nodest_conn(ipvs)) {
++ __u32 flags = cp->flags;
++
++ /* when timer already started, silently drop the packet.*/
++ if (timer_pending(&cp->timer))
++ __ip_vs_conn_put(cp);
++ else
++ ip_vs_conn_put(cp);
++
++ if (sysctl_expire_nodest_conn(ipvs) &&
++ !(flags & IP_VS_CONN_F_ONE_PACKET)) {
+ /* try to expire the connection immediately */
+ ip_vs_conn_expire_now(cp);
+ }
+- /* don't restart its timer, and silently
+- drop the packet. */
+- __ip_vs_conn_put(cp);
++
+ return NF_DROP;
+ }
+
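Review bot: `ip_vs_conn_expire_now(cp)` now runs after the reference on `cp` has been dropped by `__ip_vs_conn_put()` or `ip_vs_conn_put()`. Saving `cp->flags` beforehand and skipping the call for `IP_VS_CONN_F_ONE_PACKET` suggests the put can release such a connection, but for the remaining cases nothing in the hunk shows what keeps `cp` alive (presumably the armed timer plus RCU protection in the hook path). That assumption should be written down, e.g. `/* cp is still valid: not ONE_PACKET, so the put only arms the timer */`. The `timer_pending()` test is also unsynchronised, so the timer can fire between the check and the put; whether that is benign depends on code outside this hunk.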
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Fri, 3 Aug 2018 20:59:51 -0700
+Subject: mfd: sm501: Set coherent_dma_mask when creating subdevices
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 2f606da78230f09cf1a71fde6ee91d0c710fa2b2 ]
+
+Instantiating the sm501 OHCI subdevice results in a kernel warning.
+
+sm501-usb sm501-usb: SM501 OHCI
+sm501-usb sm501-usb: new USB bus registered, assigned bus number 1
+WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516
+ohci_init+0x194/0x2d8
+Modules linked in:
+
+CPU: 0 PID: 1 Comm: swapper Tainted: G W
+4.18.0-rc7-00178-g0b5b1f9a78b5 #1
+PC is at ohci_init+0x194/0x2d8
+PR is at ohci_init+0x168/0x2d8
+PC : 8c27844c SP : 8f81dd94 SR : 40008001
+TEA : 29613060
+R0 : 00000000 R1 : 00000000 R2 : 00000000 R3 : 00000202
+R4 : 8fa98b88 R5 : 8c277e68 R6 : 00000000 R7 : 00000000
+R8 : 8f965814 R9 : 8c388100 R10 : 8fa98800 R11 : 8fa98928
+R12 : 8c48302c R13 : 8fa98920 R14 : 8c48302c
+MACH: 00000096 MACL: 0000017c GBR : 00000000 PR : 8c278420
+
+Call trace:
+ [<(ptrval)>] usb_add_hcd+0x1e8/0x6ec
+ [<(ptrval)>] _dev_info+0x0/0x54
+ [<(ptrval)>] arch_local_save_flags+0x0/0x8
+ [<(ptrval)>] arch_local_irq_restore+0x0/0x24
+ [<(ptrval)>] ohci_hcd_sm501_drv_probe+0x114/0x2d8
+...
+
+Initialize coherent_dma_mask when creating SM501 subdevices to fix
+the problem.
+
+Fixes: b6d6454fdb66f ("mfd: SM501 core driver")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mfd/sm501.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mfd/sm501.c
++++ b/drivers/mfd/sm501.c
+@@ -714,6 +714,7 @@ sm501_create_subdev(struct sm501_devdata
+ smdev->pdev.name = name;
+ smdev->pdev.id = sm->pdev_id;
+ smdev->pdev.dev.parent = sm->dev;
++ smdev->pdev.dev.coherent_dma_mask = 0xffffffff;
+
+ if (res_count) {
+ smdev->pdev.resource = (struct resource *)(smdev+1);
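Review bot: The mask is written as the literal `0xffffffff`; the kernel's `DMA_BIT_MASK(32)` states the intent and avoids miscounted digits: `smdev->pdev.dev.coherent_dma_mask = DMA_BIT_MASK(32);`. Only `coherent_dma_mask` is set in this hunk. Whether the subdevice's streaming `dma_mask` is initialised elsewhere in sm501_create_subdev() is not visible and should be checked if a subdevice also does streaming DMA.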
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Fri, 17 Aug 2018 15:46:57 -0700
+Subject: mm/fadvise.c: fix signed overflow UBSAN complaint
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+[ Upstream commit a718e28f538441a3b6612da9ff226973376cdf0f ]
+
+Signed integer overflow is undefined according to the C standard. The
+overflow in ksys_fadvise64_64() is deliberate, but since it is signed
+overflow, UBSAN complains:
+
+ UBSAN: Undefined behaviour in mm/fadvise.c:76:10
+ signed integer overflow:
+ 4 + 9223372036854775805 cannot be represented in type 'long long int'
+
+Use unsigned types to do math. Unsigned overflow is defined so UBSAN
+will not complain about it. This patch doesn't change generated code.
+
+[akpm@linux-foundation.org: add comment explaining the casts]
+Link: http://lkml.kernel.org/r/20180629184453.7614-1-aryabinin@virtuozzo.com
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Reported-by: <icytxw@gmail.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/fadvise.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/mm/fadvise.c
++++ b/mm/fadvise.c
+@@ -66,8 +66,12 @@ SYSCALL_DEFINE4(fadvise64_64, int, fd, l
+ goto out;
+ }
+
+- /* Careful about overflows. Len == 0 means "as much as possible" */
+- endbyte = offset + len;
++ /*
++ * Careful about overflows. Len == 0 means "as much as possible". Use
++ * unsigned math because signed overflows are undefined and UBSan
++ * complains.
++ */
++ endbyte = (u64)offset + (u64)len;
+ if (!len || endbyte < len)
+ endbyte = -1;
+ else
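Review bot: The new comment explains the unsigned addition but not that the following `endbyte < len` test depends on the sum being converted back to a signed value. The declarations are outside this hunk, but if `endbyte` and `len` are `loff_t`, a sum above the signed maximum becomes negative on assignment and that is what the comparison catches. Adding a sentence such as `The sum is converted back to loff_t, so a wrapped result compares below len.` would keep someone from "fixing" the comparison to unsigned and changing behaviour. Whether negative `offset` or `len` are rejected earlier is also not visible here.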
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Date: Tue, 17 Jul 2018 19:14:45 -0700
+Subject: net/9p: fix error path of p9_virtio_probe
+
+From: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+
+[ Upstream commit 92aef4675d5b1b55404e1532379e343bed0e5cf2 ]
+
+Currently when virtio_find_single_vq fails, we go through del_vqs which
+throws a warning (Trying to free already-free IRQ). Skip del_vqs if vq
+allocation failed.
+
+Link: http://lkml.kernel.org/r/20180524101021.49880-1-jean-philippe.brucker@arm.com
+Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Cc: Eric Van Hensbergen <ericvh@gmail.com>
+Cc: Ron Minnich <rminnich@sandia.gov>
+Cc: Latchesar Ionkov <lucho@ionkov.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/9p/trans_virtio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/9p/trans_virtio.c
++++ b/net/9p/trans_virtio.c
+@@ -537,7 +537,7 @@ static int p9_virtio_probe(struct virtio
+ chan->vq = virtio_find_single_vq(vdev, req_done, "requests");
+ if (IS_ERR(chan->vq)) {
+ err = PTR_ERR(chan->vq);
+- goto out_free_vq;
++ goto out_free_chan;
+ }
+ chan->vq->vdev->priv = chan;
+ spin_lock_init(&chan->lock);
+@@ -590,6 +590,7 @@ out_free_tag:
+ kfree(tag);
+ out_free_vq:
+ vdev->config->del_vqs(vdev);
++out_free_chan:
+ kfree(chan);
+ fail:
+ return err;
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Date: Fri, 3 Aug 2018 16:38:44 +0200
+Subject: PCI: mvebu: Fix I/O space end address calculation
+
+From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+
+[ Upstream commit dfd0309fd7b30a5baffaf47b2fccb88b46d64d69 ]
+
+pcie->realio.end should be the address of last byte of the area,
+therefore using resource_size() of another resource is not correct, we
+must substract 1 to get the address of the last byte.
+
+Fixes: 11be65472a427 ("PCI: mvebu: Adapt to the new device tree layout")
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/host/pci-mvebu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/host/pci-mvebu.c
++++ b/drivers/pci/host/pci-mvebu.c
+@@ -940,7 +940,7 @@ static int mvebu_pcie_probe(struct platf
+ pcie->realio.start = PCIBIOS_MIN_IO;
+ pcie->realio.end = min_t(resource_size_t,
+ IO_SPACE_LIMIT,
+- resource_size(&pcie->io));
++ resource_size(&pcie->io) - 1);
+ } else
+ pcie->realio = pcie->io;
+
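Review bot: `realio.end` is derived from the size of `pcie->io` alone while `realio.start` is fixed at `PCIBIOS_MIN_IO`, so an I/O window no larger than `PCIBIOS_MIN_IO` would yield `end < start`. The new `- 1` also wraps if `resource_size(&pcie->io)` is 0, in which case `min_t()` silently picks `IO_SPACE_LIMIT`; the `} else` suggests a guard above the hunk, but it is not visible here. If both cases are excluded by that guard or by the device tree binding, a one-line comment saying so would be enough.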
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Aleh Filipovich <aleh@vaolix.com>
+Date: Fri, 10 Aug 2018 22:07:25 +0200
+Subject: platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360
+
+From: Aleh Filipovich <aleh@vaolix.com>
+
+[ Upstream commit 880b29ac107d15644bf4da228376ba3cd6af6d71 ]
+
+Add entry to WMI keymap for lid flip event on Asus UX360.
+
+On Asus Zenbook ux360 flipping lid from/to tablet mode triggers
+keyscan code 0xfa which cannot be handled and results in kernel
+log message "Unknown key fa pressed".
+
+Signed-off-by: Aleh Filipovich<aleh@appnexus.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/asus-nb-wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/platform/x86/asus-nb-wmi.c
++++ b/drivers/platform/x86/asus-nb-wmi.c
+@@ -365,6 +365,7 @@ static const struct key_entry asus_nb_wm
+ { KE_KEY, 0xC4, { KEY_KBDILLUMUP } },
+ { KE_KEY, 0xC5, { KEY_KBDILLUMDOWN } },
+ { KE_IGNORE, 0xC6, }, /* Ambient Light Sensor notification */
++ { KE_KEY, 0xFA, { KEY_PROG2 } }, /* Lid flip action */
+ { KE_END, 0},
+ };
+
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 8 Aug 2018 14:57:24 +0300
+Subject: powerpc: Fix size calculation using resource_size()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit c42d3be0c06f0c1c416054022aa535c08a1f9b39 ]
+
+The problem is the the calculation should be "end - start + 1" but the
+plus one is missing in this calculation.
+
+Fixes: 8626816e905e ("powerpc: add support for MPIC message register API")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/sysdev/mpic_msgr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/sysdev/mpic_msgr.c
++++ b/arch/powerpc/sysdev/mpic_msgr.c
+@@ -196,7 +196,7 @@ static int mpic_msgr_probe(struct platfo
+
+ /* IO map the message register block. */
+ of_address_to_resource(np, 0, &rsrc);
+- msgr_block_addr = ioremap(rsrc.start, rsrc.end - rsrc.start);
++ msgr_block_addr = ioremap(rsrc.start, resource_size(&rsrc));
+ if (!msgr_block_addr) {
+ dev_err(&dev->dev, "Failed to iomap MPIC message registers");
+ return -EFAULT;
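Review bot: The return value of `of_address_to_resource(np, 0, &rsrc)` is ignored, so when the lookup fails `resource_size(&rsrc)` on the new line works on an unfilled `rsrc` and the result goes straight into `ioremap()`. Check it before mapping, for example `if (of_address_to_resource(np, 0, &rsrc)) return -ENODEV;`, adding whatever cleanup the function needs at that point. Whether `rsrc` is zero-initialised is not visible here, since mpic_msgr_probe starts and ends outside the hunk. The `dev_err()` string is also missing its trailing `\n`.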
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Date: Wed, 4 Jul 2018 23:27:02 +0530
+Subject: powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX.
+
+From: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+
+[ Upstream commit 74e96bf44f430cf7a01de19ba6cf49b361cdfd6e ]
+
+The global mce data buffer that used to copy rtas error log is of 2048
+(RTAS_ERROR_LOG_MAX) bytes in size. Before the copy we read
+extended_log_length from rtas error log header, then use max of
+extended_log_length and RTAS_ERROR_LOG_MAX as a size of data to be copied.
+Ideally the platform (phyp) will never send extended error log with
+size > 2048. But if that happens, then we have a risk of buffer overrun
+and corruption. Fix this by using min_t instead.
+
+Fixes: d368514c3097 ("powerpc: Fix corruption when grabbing FWNMI data")
+Reported-by: Michal Suchanek <msuchanek@suse.com>
+Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/pseries/ras.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/ras.c
++++ b/arch/powerpc/platforms/pseries/ras.c
+@@ -309,7 +309,7 @@ static struct rtas_error_log *fwnmi_get_
+ int len, error_log_length;
+
+ error_log_length = 8 + rtas_error_extended_log_length(h);
+- len = max_t(int, error_log_length, RTAS_ERROR_LOG_MAX);
++ len = min_t(int, error_log_length, RTAS_ERROR_LOG_MAX);
+ memset(global_mce_data_buf, 0, RTAS_ERROR_LOG_MAX);
+ memcpy(global_mce_data_buf, h, len);
+ errhdr = (struct rtas_error_log *)global_mce_data_buf;
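Review bot: The clamp is done in `int`, so it bounds `len` from above but not from below. If `8 + rtas_error_extended_log_length(h)` ends up negative in `error_log_length` (a very large length field in the firmware-supplied header), `min_t(int, ...)` keeps the negative value and `memcpy()` converts it to a huge size, which is the overrun the commit sets out to prevent. Clamping as unsigned closes that case: `len = min_t(u32, error_log_length, RTAS_ERROR_LOG_MAX);`. The return type of rtas_error_extended_log_length() is not visible in the hunk, so confirm the possible range; the enclosing function also continues outside the hunk.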
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 21 Aug 2018 21:59:34 -0700
+Subject: reiserfs: change j_timestamp type to time64_t
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 8b73ce6a4bae4fe12bcb2c361c0da4183c2e1b6f ]
+
+This uses the deprecated time_t type but is write-only, and could be
+removed, but as Jeff explains, having a timestamp can be usefule for
+post-mortem analysis in crash dumps.
+
+In order to remove one of the last instances of time_t, this changes the
+type to time64_t, same as j_trans_start_time.
+
+Link: http://lkml.kernel.org/r/20180622133315.221210-1-arnd@arndb.de
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/reiserfs/reiserfs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/reiserfs/reiserfs.h
++++ b/fs/reiserfs/reiserfs.h
+@@ -266,7 +266,7 @@ struct reiserfs_journal_list {
+
+ struct mutex j_commit_mutex;
+ unsigned int j_trans_id;
+- time_t j_timestamp;
++ time64_t j_timestamp; /* write-only but useful for crash dump analysis */
+ struct reiserfs_list_bitmap *j_list_bitmap;
+ struct buffer_head *j_commit_bh; /* commit buffer head */
+ struct reiserfs_journal_cnode *j_realblock;
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Stefan Haberland <sth@linux.ibm.com>
+Date: Wed, 25 Jul 2018 14:00:47 +0200
+Subject: s390/dasd: fix hanging offline processing due to canceled worker
+
+From: Stefan Haberland <sth@linux.ibm.com>
+
+[ Upstream commit 669f3765b755fd8739ab46ce3a9c6292ce8b3d2a ]
+
+During offline processing two worker threads are canceled without
+freeing the device reference which leads to a hanging offline process.
+
+Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/block/dasd_eckd.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -2066,8 +2066,11 @@ static int dasd_eckd_basic_to_ready(stru
+
+ static int dasd_eckd_online_to_ready(struct dasd_device *device)
+ {
+- cancel_work_sync(&device->reload_device);
+- cancel_work_sync(&device->kick_validate);
++ if (cancel_work_sync(&device->reload_device))
++ dasd_put_device(device);
++ if (cancel_work_sync(&device->kick_validate))
++ dasd_put_device(device);
++
+ return 0;
+ };
+
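Review bot: Nothing in `dasd_eckd_online_to_ready()` says why a successful `cancel_work_sync()` must be followed by `dasd_put_device()`, and the pairing is easy to break in a later edit. The commit message implies that each queued work item holds a device reference its handler would otherwise drop, but the code that takes that reference is outside this hunk. A comment above the two checks would record the rule, for example `/* cancelled work never runs, so drop the reference it was queued with */`.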
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Wed, 15 Aug 2018 12:30:38 -0700
+Subject: scripts: modpost: check memory allocation results
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 1f3aa9002dc6a0d59a4b599b4fc8f01cf43ef014 ]
+
+Fix missing error check for memory allocation functions in
+scripts/mod/modpost.c.
+
+Fixes kernel bugzilla #200319:
+https://bugzilla.kernel.org/show_bug.cgi?id=200319
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Yuexing Wang <wangyxlandq@gmail.com>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/mod/modpost.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -647,7 +647,7 @@ static void handle_modversions(struct mo
+ if (ELF_ST_TYPE(sym->st_info) == STT_SPARC_REGISTER)
+ break;
+ if (symname[0] == '.') {
+- char *munged = strdup(symname);
++ char *munged = NOFAIL(strdup(symname));
+ munged[0] = '_';
+ munged[1] = toupper(munged[1]);
+ symname = munged;
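Review bot: `toupper(munged[1])` is passed a plain `char`; where `char` is signed, a symbol-name byte above 0x7f becomes a negative argument, which is undefined for the `<ctype.h>` functions. The name comes from the object file being processed, so it is worth casting: `munged[1] = toupper((unsigned char)munged[1]);`. handle_modversions continues outside the hunk.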
+@@ -1248,7 +1248,7 @@ static Elf_Sym *find_elf_symbol2(struct
+ static char *sec2annotation(const char *s)
+ {
+ if (match(s, init_exit_sections)) {
+- char *p = malloc(20);
++ char *p = NOFAIL(malloc(20));
+ char *r = p;
+
+ *p++ = '_';
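Review bot: `NOFAIL()` only covers allocation failure; the size `20` remains an unexplained constant, and the buffer is filled through `p` by writes that end in `strcat(p, " ")` in the next hunk with no length check visible. The copy between the two hunks is not shown, so whether 20 bytes is enough for every name matched by `init_exit_sections` cannot be confirmed from here. Naming the bound and stating what it must hold would make that checkable, e.g. a named constant with `/* must hold the longest annotation built below, including the trailing " " and NUL */`.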
+@@ -1268,7 +1268,7 @@ static char *sec2annotation(const char *
+ strcat(p, " ");
+ return r;
+ } else {
+- return strdup("");
++ return NOFAIL(strdup(""));
+ }
+ }
+
+@@ -1826,7 +1826,7 @@ void buf_write(struct buffer *buf, const
+ {
+ if (buf->size - buf->pos < len) {
+ buf->size += len + SZ;
+- buf->p = realloc(buf->p, buf->size);
++ buf->p = NOFAIL(realloc(buf->p, buf->size));
+ }
+ strncpy(buf->p + buf->pos, s, len);
+ buf->pos += len;
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 8 Aug 2018 17:29:09 +0300
+Subject: scsi: aic94xx: fix an error code in aic94xx_init()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 0756c57bce3d26da2592d834d8910b6887021701 ]
+
+We accidentally return success instead of -ENOMEM on this error path.
+
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/aic94xx/aic94xx_init.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/aic94xx/aic94xx_init.c
++++ b/drivers/scsi/aic94xx/aic94xx_init.c
+@@ -1047,8 +1047,10 @@ static int __init aic94xx_init(void)
+
+ aic94xx_transport_template =
+ sas_domain_attach_transport(&aic94xx_transport_functions);
+- if (!aic94xx_transport_template)
++ if (!aic94xx_transport_template) {
++ err = -ENOMEM;
+ goto out_destroy_caches;
++ }
+
+ err = pci_register_driver(&aic94xx_pci_driver);
+ if (err)
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Breno Leitao <leitao@debian.org>
+Date: Tue, 7 Aug 2018 11:15:39 -0300
+Subject: selftests/powerpc: Kill child processes on SIGINT
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 7c27a26e1ed5a7dd709aa19685d2c98f64e1cf0c ]
+
+There are some powerpc selftests, as tm/tm-unavailable, that run for a long
+period (>120 seconds), and if it is interrupted, as pressing CRTL-C
+(SIGINT), the foreground process (harness) dies but the child process and
+threads continue to execute (with PPID = 1 now) in background.
+
+In this case, you'd think the whole test exited, but there are remaining
+threads and processes being executed in background. Sometimes these
+zombies processes are doing annoying things, as consuming the whole CPU or
+dumping things to STDOUT.
+
+This patch fixes this problem by attaching an empty signal handler to
+SIGINT in the harness process. This handler will interrupt (EINTR) the
+parent process waitpid() call, letting the code to follow through the
+normal flow, which will kill all the processes in the child process group.
+
+This patch also fixes a typo.
+
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/powerpc/harness.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/tools/testing/selftests/powerpc/harness.c
++++ b/tools/testing/selftests/powerpc/harness.c
+@@ -81,13 +81,13 @@ wait:
+ return status;
+ }
+
+-static void alarm_handler(int signum)
++static void sig_handler(int signum)
+ {
+- /* Jut wake us up from waitpid */
++ /* Just wake us up from waitpid */
+ }
+
+-static struct sigaction alarm_action = {
+- .sa_handler = alarm_handler,
++static struct sigaction sig_action = {
++ .sa_handler = sig_handler,
+ };
+
+ int test_harness(int (test_function)(void), char *name)
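Review bot: With one empty `sig_handler()` serving both SIGINT and SIGALRM, the code that resumes after `waitpid()` cannot tell a user interrupt from a timeout, so whatever it prints or returns will be the same for both. Recording the signal is cheap and async-signal-safe: declare `static volatile sig_atomic_t last_signal;` and set `last_signal = signum;` in the handler. The wait path is outside this hunk, so how it reports the outcome is not visible here. The handler's comment could also name the two signals it now serves.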
+@@ -97,8 +97,14 @@ int test_harness(int (test_function)(voi
+ test_start(name);
+ test_set_git_version(GIT_VERSION);
+
+- if (sigaction(SIGALRM, &alarm_action, NULL)) {
+- perror("sigaction");
++ if (sigaction(SIGINT, &sig_action, NULL)) {
++ perror("sigaction (sigint)");
++ test_error(name);
++ return 1;
++ }
++
++ if (sigaction(SIGALRM, &sig_action, NULL)) {
++ perror("sigaction (sigalrm)");
+ test_error(name);
+ return 1;
+ }
+cifs-check-if-smb2-pdu-size-has-been-padded-and-suppress-the-warning.patch
+hfsplus-don-t-return-0-when-fill_super-failed.patch
+hfs-prevent-crash-on-exit-from-failed-search.patch
+fork-don-t-copy-inconsistent-signal-handler-state-to-child.patch
+reiserfs-change-j_timestamp-type-to-time64_t.patch
+fat-validate-i_start-before-using.patch
+scripts-modpost-check-memory-allocation-results.patch
+mm-fadvise.c-fix-signed-overflow-ubsan-complaint.patch
+ipvs-fix-race-between-ip_vs_conn_new-and-ip_vs_del_dest.patch
+mfd-sm501-set-coherent_dma_mask-when-creating-subdevices.patch
+platform-x86-asus-nb-wmi-add-keymap-entry-for-lid-flip-action-on-ux360.patch
+net-9p-fix-error-path-of-p9_virtio_probe.patch
+powerpc-fix-size-calculation-using-resource_size.patch
+s390-dasd-fix-hanging-offline-processing-due-to-canceled-worker.patch
+scsi-aic94xx-fix-an-error-code-in-aic94xx_init.patch
+pci-mvebu-fix-i-o-space-end-address-calculation.patch
+dm-kcopyd-avoid-softlockup-in-run_complete_job.patch
+staging-comedi-ni_mio_common-fix-subdevice-flags-for-pfi-subdevice.patch
+selftests-powerpc-kill-child-processes-on-sigint.patch
+smb3-fix-reset-of-bytes-read-and-written-stats.patch
+smb3-number-of-requests-sent-should-be-displayed-for-smb3-not-just-cifs.patch
+powerpc-pseries-avoid-using-the-size-greater-than-rtas_error_log_max.patch
+btrfs-replace-reset-on-disk-dev-stats-value-after-replace.patch
+btrfs-relocation-only-remove-reloc-rb_trees-if-reloc-control-has-been-initialized.patch
+btrfs-don-t-remove-block-group-that-still-has-pinned-down-bytes.patch
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Steve French <stfrench@microsoft.com>
+Date: Wed, 1 Aug 2018 00:56:12 -0500
+Subject: smb3: fix reset of bytes read and written stats
+
+From: Steve French <stfrench@microsoft.com>
+
+[ Upstream commit c281bc0c7412308c7ec0888904f7c99353da4796 ]
+
+echo 0 > /proc/fs/cifs/Stats is supposed to reset the stats
+but there were four (see example below) that were not reset
+(bytes read and witten, total vfs ops and max ops
+at one time).
+
+...
+0 session 0 share reconnects
+Total vfs operations: 100 maximum at one time: 2
+
+1) \\localhost\test
+SMBs: 0
+Bytes read: 502092 Bytes written: 31457286
+TreeConnects: 0 total 0 failed
+TreeDisconnects: 0 total 0 failed
+...
+
+This patch fixes cifs_stats_proc_write to properly reset
+those four.
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifs_debug.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/cifs/cifs_debug.c
++++ b/fs/cifs/cifs_debug.c
+@@ -271,6 +271,10 @@ static ssize_t cifs_stats_proc_write(str
+ atomic_set(&totBufAllocCount, 0);
+ atomic_set(&totSmBufAllocCount, 0);
+ #endif /* CONFIG_CIFS_STATS2 */
++ spin_lock(&GlobalMid_Lock);
++ GlobalMaxActiveXid = 0;
++ GlobalCurrentXid = 0;
++ spin_unlock(&GlobalMid_Lock);
+ spin_lock(&cifs_tcp_ses_lock);
+ list_for_each(tmp1, &cifs_tcp_ses_list) {
+ server = list_entry(tmp1, struct TCP_Server_Info,
+@@ -283,6 +287,10 @@ static ssize_t cifs_stats_proc_write(str
+ struct cifs_tcon,
+ tcon_list);
+ atomic_set(&tcon->num_smbs_sent, 0);
++ spin_lock(&tcon->stat_lock);
++ tcon->bytes_read = 0;
++ tcon->bytes_written = 0;
++ spin_unlock(&tcon->stat_lock);
+ if (server->ops->clear_stats)
+ server->ops->clear_stats(tcon);
+ }
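Review bot: `spin_lock(&tcon->stat_lock)` is taken inside the list walk that the first hunk shows starting under `cifs_tcp_ses_lock`, which adds a nested lock order (cifs_tcp_ses_lock, then stat_lock). That assumes the outer lock is still held at this point, which the hunk itself does not show. The order is not documented in the visible code; a comment such as `/* lock order: cifs_tcp_ses_lock -> tcon->stat_lock */` would help keep other users of stat_lock from inverting it. cifs_stats_proc_write continues outside the hunk.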
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Steve French <stfrench@microsoft.com>
+Date: Mon, 23 Jul 2018 09:15:18 -0500
+Subject: SMB3: Number of requests sent should be displayed for SMB3 not just CIFS
+
+From: Steve French <stfrench@microsoft.com>
+
+[ Upstream commit 289131e1f1e6ad8c661ec05e176b8f0915672059 ]
+
+For SMB2/SMB3 the number of requests sent was not displayed
+in /proc/fs/cifs/Stats unless CONFIG_CIFS_STATS2 was
+enabled (only number of failed requests displayed). As
+with earlier dialects, we should be displaying these
+counters if CONFIG_CIFS_STATS is enabled. They
+are important for debugging.
+
+e.g. when you cat /proc/fs/cifs/Stats (before the patch)
+Resources in use
+CIFS Session: 1
+Share (unique mount targets): 2
+SMB Request/Response Buffer: 1 Pool size: 5
+SMB Small Req/Resp Buffer: 1 Pool size: 30
+Operations (MIDs): 0
+
+0 session 0 share reconnects
+Total vfs operations: 690 maximum at one time: 2
+
+1) \\localhost\test
+SMBs: 975
+Negotiates: 0 sent 0 failed
+SessionSetups: 0 sent 0 failed
+Logoffs: 0 sent 0 failed
+TreeConnects: 0 sent 0 failed
+TreeDisconnects: 0 sent 0 failed
+Creates: 0 sent 2 failed
+Closes: 0 sent 0 failed
+Flushes: 0 sent 0 failed
+Reads: 0 sent 0 failed
+Writes: 0 sent 0 failed
+Locks: 0 sent 0 failed
+IOCTLs: 0 sent 1 failed
+Cancels: 0 sent 0 failed
+Echos: 0 sent 0 failed
+QueryDirectories: 0 sent 63 failed
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -301,7 +301,7 @@ small_smb2_init(__le16 smb2_command, str
+ smb2_hdr_assemble((struct smb2_hdr *) *request_buf, smb2_command, tcon);
+
+ if (tcon != NULL) {
+-#ifdef CONFIG_CIFS_STATS2
++#ifdef CONFIG_CIFS_STATS
+ uint16_t com_code = le16_to_cpu(smb2_command);
+ cifs_stats_inc(&tcon->stats.smb2_stats.smb2_com_sent[com_code]);
+ #endif
--- /dev/null
+From foo@baz Tue Sep 11 12:12:06 CEST 2018
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 6 Aug 2018 11:05:13 +0100
+Subject: staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+[ Upstream commit e083926b3e269d4064825dcf2ad50c636fddf8cf ]
+
+The PFI subdevice flags indicate that the subdevice is readable and
+writeable, but that is only true for the supported "M-series" boards,
+not the older "E-series" boards. Only set the SDF_READABLE and
+SDF_WRITABLE subdevice flags for the M-series boards. These two flags
+are mainly for informational purposes.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/ni_mio_common.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/ni_mio_common.c
++++ b/drivers/staging/comedi/drivers/ni_mio_common.c
+@@ -5601,11 +5601,11 @@ static int ni_E_init(struct comedi_devic
+ /* Digital I/O (PFI) subdevice */
+ s = &dev->subdevices[NI_PFI_DIO_SUBDEV];
+ s->type = COMEDI_SUBD_DIO;
+- s->subdev_flags = SDF_READABLE | SDF_WRITABLE | SDF_INTERNAL;
+ s->maxdata = 1;
+ if (devpriv->is_m_series) {
+ s->n_chan = 16;
+ s->insn_bits = ni_pfi_insn_bits;
++ s->subdev_flags = SDF_READABLE | SDF_WRITABLE | SDF_INTERNAL;
+
+ ni_writew(dev, s->state, M_Offset_PFI_DO);
+ for (i = 0; i < NUM_PFI_OUTPUT_SELECT_REGS; ++i) {
+@@ -5614,6 +5614,7 @@ static int ni_E_init(struct comedi_devic
+ }
+ } else {
+ s->n_chan = 10;
++ s->subdev_flags = SDF_INTERNAL;
+ }
+ s->insn_config = ni_pfi_insn_config;
+