--- /dev/null
+From 3943b040f11ed0cc6d4585fd286a623ca8634547 Mon Sep 17 00:00:00 2001
+From: Shan Hai <shan.hai@oracle.com>
+Date: Thu, 23 Aug 2018 02:02:56 +0800
+Subject: bcache: release dc->writeback_lock properly in bch_writeback_thread()
+
+From: Shan Hai <shan.hai@oracle.com>
+
+commit 3943b040f11ed0cc6d4585fd286a623ca8634547 upstream.
+
+The writeback thread would exit with a lock held when the cache device
+is detached via sysfs interface, fix it by releasing the held lock
+before exiting the while-loop.
+
+Fixes: fadd94e05c02 (bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set)
+Signed-off-by: Shan Hai <shan.hai@oracle.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Tested-by: Shenghui Wang <shhuiw@foxmail.com>
+Cc: stable@vger.kernel.org #4.17+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/bcache/writeback.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/writeback.c
++++ b/drivers/md/bcache/writeback.c
+@@ -462,8 +462,10 @@ static int bch_writeback_thread(void *ar
+ * data on cache. BCACHE_DEV_DETACHING flag is set in
+ * bch_cached_dev_detach().
+ */
+- if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags))
++ if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)) {
++ up_write(&dc->writeback_lock);
+ break;
++ }
+ }
+
+ up_write(&dc->writeback_lock);
--- /dev/null
+From 8c5b044299951acd91e830a688dd920477ea1eda Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 25 Jul 2018 15:41:54 +0200
+Subject: fb: fix lost console when the user unplugs a USB adapter
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 8c5b044299951acd91e830a688dd920477ea1eda upstream.
+
+I have a USB display adapter using the udlfb driver and I use it on an ARM
+board that doesn't have any graphics card. When I plug the adapter in, the
+console is properly displayed, however when I unplug and re-plug the
+adapter, the console is not displayed and I can't access it until I reboot
+the board.
+
+The reason is this:
+When the adapter is unplugged, dlfb_usb_disconnect calls
+unlink_framebuffer, then it waits until the reference count drops to zero
+and then it deallocates the framebuffer. However, the console that is
+attached to the framebuffer device keeps the reference count non-zero, so
+the framebuffer device is never destroyed. When the USB adapter is plugged
+again, it creates a new device /dev/fb1 and the console is not attached to
+it.
+
+This patch fixes the bug by unbinding the console from unlink_framebuffer.
+The code to unbind the console is moved from do_unregister_framebuffer to
+a function unbind_console. When the console is unbound, the reference
+count drops to zero and the udlfb driver frees the framebuffer. When the
+adapter is plugged back, a new framebuffer is created and the console is
+attached to it.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Bernie Thompson <bernie@plugable.com>
+Cc: Ladislav Michl <ladis@linux-mips.org>
+Cc: stable@vger.kernel.org
+[b.zolnierkie: preserve old behavior for do_unregister_framebuffer()]
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/core/fbmem.c | 38 ++++++++++++++++++++++++++++++++------
+ 1 file changed, 32 insertions(+), 6 deletions(-)
+
+--- a/drivers/video/fbdev/core/fbmem.c
++++ b/drivers/video/fbdev/core/fbmem.c
+@@ -1687,12 +1687,12 @@ static int do_register_framebuffer(struc
+ return 0;
+ }
+
+-static int do_unregister_framebuffer(struct fb_info *fb_info)
++static int unbind_console(struct fb_info *fb_info)
+ {
+ struct fb_event event;
+- int i, ret = 0;
++ int ret;
++ int i = fb_info->node;
+
+- i = fb_info->node;
+ if (i < 0 || i >= FB_MAX || registered_fb[i] != fb_info)
+ return -EINVAL;
+
+@@ -1707,17 +1707,29 @@ static int do_unregister_framebuffer(str
+ unlock_fb_info(fb_info);
+ console_unlock();
+
++ return ret;
++}
++
++static int __unlink_framebuffer(struct fb_info *fb_info);
++
++static int do_unregister_framebuffer(struct fb_info *fb_info)
++{
++ struct fb_event event;
++ int ret;
++
++ ret = unbind_console(fb_info);
++
+ if (ret)
+ return -EINVAL;
+
+ pm_vt_switch_unregister(fb_info->dev);
+
+- unlink_framebuffer(fb_info);
++ __unlink_framebuffer(fb_info);
+ if (fb_info->pixmap.addr &&
+ (fb_info->pixmap.flags & FB_PIXMAP_DEFAULT))
+ kfree(fb_info->pixmap.addr);
+ fb_destroy_modelist(&fb_info->modelist);
+- registered_fb[i] = NULL;
++ registered_fb[fb_info->node] = NULL;
+ num_registered_fb--;
+ fb_cleanup_device(fb_info);
+ event.info = fb_info;
+@@ -1730,7 +1742,7 @@ static int do_unregister_framebuffer(str
+ return 0;
+ }
+
+-int unlink_framebuffer(struct fb_info *fb_info)
++static int __unlink_framebuffer(struct fb_info *fb_info)
+ {
+ int i;
+
+@@ -1742,6 +1754,20 @@ int unlink_framebuffer(struct fb_info *f
+ device_destroy(fb_class, MKDEV(FB_MAJOR, i));
+ fb_info->dev = NULL;
+ }
++
++ return 0;
++}
++
++int unlink_framebuffer(struct fb_info *fb_info)
++{
++ int ret;
++
++ ret = __unlink_framebuffer(fb_info);
++ if (ret)
++ return ret;
++
++ unbind_console(fb_info);
++
+ return 0;
+ }
+ EXPORT_SYMBOL(unlink_framebuffer);
--- /dev/null
+From 7b6924d94a60c6b8c1279ca003e8744e6cd9e8b1 Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jcline@redhat.com>
+Date: Tue, 31 Jul 2018 01:37:31 +0000
+Subject: fs/quota: Fix spectre gadget in do_quotactl
+
+From: Jeremy Cline <jcline@redhat.com>
+
+commit 7b6924d94a60c6b8c1279ca003e8744e6cd9e8b1 upstream.
+
+'type' is user-controlled, so sanitize it after the bounds check to
+avoid using it in speculative execution. This covers the following
+potential gadgets detected with the help of smatch:
+
+* fs/ext4/super.c:5741 ext4_quota_read() warn: potential spectre issue
+ 'sb_dqopt(sb)->files' [r]
+* fs/ext4/super.c:5778 ext4_quota_write() warn: potential spectre issue
+ 'sb_dqopt(sb)->files' [r]
+* fs/f2fs/super.c:1552 f2fs_quota_read() warn: potential spectre issue
+ 'sb_dqopt(sb)->files' [r]
+* fs/f2fs/super.c:1608 f2fs_quota_write() warn: potential spectre issue
+ 'sb_dqopt(sb)->files' [r]
+* fs/quota/dquot.c:412 mark_info_dirty() warn: potential spectre issue
+ 'sb_dqopt(sb)->info' [w]
+* fs/quota/dquot.c:933 dqinit_needed() warn: potential spectre issue
+ 'dquots' [r]
+* fs/quota/dquot.c:2112 dquot_commit_info() warn: potential spectre
+ issue 'dqopt->ops' [r]
+* fs/quota/dquot.c:2362 vfs_load_quota_inode() warn: potential spectre
+ issue 'dqopt->files' [w] (local cap)
+* fs/quota/dquot.c:2369 vfs_load_quota_inode() warn: potential spectre
+ issue 'dqopt->ops' [w] (local cap)
+* fs/quota/dquot.c:2370 vfs_load_quota_inode() warn: potential spectre
+ issue 'dqopt->info' [w] (local cap)
+* fs/quota/quota.c:110 quota_getfmt() warn: potential spectre issue
+ 'sb_dqopt(sb)->info' [r]
+* fs/quota/quota_v2.c:84 v2_check_quota_file() warn: potential spectre
+ issue 'quota_magics' [w]
+* fs/quota/quota_v2.c:85 v2_check_quota_file() warn: potential spectre
+ issue 'quota_versions' [w]
+* fs/quota/quota_v2.c:96 v2_read_file_info() warn: potential spectre
+ issue 'dqopt->info' [r]
+* fs/quota/quota_v2.c:172 v2_write_file_info() warn: potential spectre
+ issue 'dqopt->info' [r]
+
+Additionally, a quick inspection indicates there are array accesses with
+'type' in quota_on() and quota_off() functions which are also addressed
+by this.
+
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/quota/quota.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/quota/quota.c
++++ b/fs/quota/quota.c
+@@ -17,6 +17,7 @@
+ #include <linux/quotaops.h>
+ #include <linux/types.h>
+ #include <linux/writeback.h>
++#include <linux/nospec.h>
+
+ static int check_quotactl_permission(struct super_block *sb, int type, int cmd,
+ qid_t id)
+@@ -644,6 +645,7 @@ static int do_quotactl(struct super_bloc
+
+ if (type >= (XQM_COMMAND(cmd) ? XQM_MAXQUOTAS : MAXQUOTAS))
+ return -EINVAL;
++ type = array_index_nospec(type, MAXQUOTAS);
+ /*
+ * Quota not supported on this fs? Check this before s_quota_types
+ * since they needn't be set if quota is not supported at all.
--- /dev/null
+From 82c9a927bc5df6e06b72d206d24a9d10cced4eb5 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian@brauner.io>
+Date: Thu, 7 Jun 2018 13:43:48 +0200
+Subject: getxattr: use correct xattr length
+
+From: Christian Brauner <christian@brauner.io>
+
+commit 82c9a927bc5df6e06b72d206d24a9d10cced4eb5 upstream.
+
+When running in a container with a user namespace, if you call getxattr
+with name = "system.posix_acl_access" and size % 8 != 4, then getxattr
+silently skips the user namespace fixup that it normally does resulting in
+un-fixed-up data being returned.
+This is caused by posix_acl_fix_xattr_to_user() being passed the total
+buffer size and not the actual size of the xattr as returned by
+vfs_getxattr().
+This commit passes the actual length of the xattr as returned by
+vfs_getxattr() down.
+
+A reproducer for the issue is:
+
+ touch acl_posix
+
+ setfacl -m user:0:rwx acl_posix
+
+and the compile:
+
+ #define _GNU_SOURCE
+ #include <errno.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <sys/types.h>
+ #include <unistd.h>
+ #include <attr/xattr.h>
+
+ /* Run in user namespace with nsuid 0 mapped to uid != 0 on the host. */
+ int main(int argc, void **argv)
+ {
+ ssize_t ret1, ret2;
+ char buf1[128], buf2[132];
+ int fret = EXIT_SUCCESS;
+ char *file;
+
+ if (argc < 2) {
+ fprintf(stderr,
+ "Please specify a file with "
+ "\"system.posix_acl_access\" permissions set\n");
+ _exit(EXIT_FAILURE);
+ }
+ file = argv[1];
+
+ ret1 = getxattr(file, "system.posix_acl_access",
+ buf1, sizeof(buf1));
+ if (ret1 < 0) {
+ fprintf(stderr, "%s - Failed to retrieve "
+ "\"system.posix_acl_access\" "
+ "from \"%s\"\n", strerror(errno), file);
+ _exit(EXIT_FAILURE);
+ }
+
+ ret2 = getxattr(file, "system.posix_acl_access",
+ buf2, sizeof(buf2));
+ if (ret2 < 0) {
+ fprintf(stderr, "%s - Failed to retrieve "
+ "\"system.posix_acl_access\" "
+ "from \"%s\"\n", strerror(errno), file);
+ _exit(EXIT_FAILURE);
+ }
+
+ if (ret1 != ret2) {
+ fprintf(stderr, "The value of \"system.posix_acl_"
+ "access\" for file \"%s\" changed "
+ "between two successive calls\n", file);
+ _exit(EXIT_FAILURE);
+ }
+
+ for (ssize_t i = 0; i < ret2; i++) {
+ if (buf1[i] == buf2[i])
+ continue;
+
+ fprintf(stderr,
+ "Unexpected different in byte %zd: "
+ "%02x != %02x\n", i, buf1[i], buf2[i]);
+ fret = EXIT_FAILURE;
+ }
+
+ if (fret == EXIT_SUCCESS)
+ fprintf(stderr, "Test passed\n");
+ else
+ fprintf(stderr, "Test failed\n");
+
+ _exit(fret);
+ }
+and run:
+
+ ./tester acl_posix
+
+On a non-fixed up kernel this should return something like:
+
+ root@c1:/# ./t
+ Unexpected different in byte 16: ffffffa0 != 00
+ Unexpected different in byte 17: ffffff86 != 00
+ Unexpected different in byte 18: 01 != 00
+
+and on a fixed kernel:
+
+ root@c1:~# ./t
+ Test passed
+
+Cc: stable@vger.kernel.org
+Fixes: 2f6f0654ab61 ("userns: Convert vfs posix_acl support to use kuids and kgids")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199945
+Reported-by: Colin Watson <cjwatson@ubuntu.com>
+Signed-off-by: Christian Brauner <christian@brauner.io>
+Acked-by: Serge Hallyn <serge@hallyn.com>
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xattr.c
++++ b/fs/xattr.c
+@@ -453,7 +453,7 @@ getxattr(struct dentry *d, const char __
+ if (error > 0) {
+ if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
+ (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
+- posix_acl_fix_xattr_to_user(kvalue, size);
++ posix_acl_fix_xattr_to_user(kvalue, error);
+ if (size && copy_to_user(value, kvalue, error))
+ error = -EFAULT;
+ } else if (error == -ERANGE && size >= XATTR_SIZE_MAX) {
--- /dev/null
+From 0f725561e168485eff7277d683405c05b192f537 Mon Sep 17 00:00:00 2001
+From: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Date: Thu, 7 Jun 2018 09:56:59 -0700
+Subject: iommu/vt-d: Add definitions for PFSID
+
+From: Jacob Pan <jacob.jun.pan@linux.intel.com>
+
+commit 0f725561e168485eff7277d683405c05b192f537 upstream.
+
+When SRIOV VF device IOTLB is invalidated, we need to provide
+the PF source ID such that IOMMU hardware can gauge the depth
+of invalidation queue which is shared among VFs. This is needed
+when device invalidation throttle (DIT) capability is supported.
+
+This patch adds bit definitions for checking and tracking PFSID.
+
+Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Cc: stable@vger.kernel.org
+Cc: "Ashok Raj" <ashok.raj@intel.com>
+Cc: "Lu Baolu" <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/intel-iommu.c | 1 +
+ include/linux/intel-iommu.h | 3 +++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -419,6 +419,7 @@ struct device_domain_info {
+ struct list_head global; /* link to global list */
+ u8 bus; /* PCI bus number */
+ u8 devfn; /* PCI devfn number */
++ u16 pfsid; /* SRIOV physical function source ID */
+ u8 pasid_supported:3;
+ u8 pasid_enabled:1;
+ u8 pri_supported:1;
+--- a/include/linux/intel-iommu.h
++++ b/include/linux/intel-iommu.h
+@@ -125,6 +125,7 @@ static inline void dmar_writeq(void __io
+ * Extended Capability Register
+ */
+
++#define ecap_dit(e) ((e >> 41) & 0x1)
+ #define ecap_pasid(e) ((e >> 40) & 0x1)
+ #define ecap_pss(e) ((e >> 35) & 0x1f)
+ #define ecap_eafs(e) ((e >> 34) & 0x1)
+@@ -294,6 +295,7 @@ enum {
+ #define QI_DEV_IOTLB_SID(sid) ((u64)((sid) & 0xffff) << 32)
+ #define QI_DEV_IOTLB_QDEP(qdep) (((qdep) & 0x1f) << 16)
+ #define QI_DEV_IOTLB_ADDR(addr) ((u64)(addr) & VTD_PAGE_MASK)
++#define QI_DEV_IOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | ((u64)(pfsid & 0xfff) << 52))
+ #define QI_DEV_IOTLB_SIZE 1
+ #define QI_DEV_IOTLB_MAX_INVS 32
+
+@@ -318,6 +320,7 @@ enum {
+ #define QI_DEV_EIOTLB_PASID(p) (((u64)p) << 32)
+ #define QI_DEV_EIOTLB_SID(sid) ((u64)((sid) & 0xffff) << 16)
+ #define QI_DEV_EIOTLB_QDEP(qd) ((u64)((qd) & 0x1f) << 4)
++#define QI_DEV_EIOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | ((u64)(pfsid & 0xfff) << 52))
+ #define QI_DEV_EIOTLB_MAX_INVS 32
+
+ #define QI_PGRP_IDX(idx) (((u64)(idx)) << 55)
--- /dev/null
+From 1c48db44924298ad0cb5a6386b88017539be8822 Mon Sep 17 00:00:00 2001
+From: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Date: Thu, 7 Jun 2018 09:57:00 -0700
+Subject: iommu/vt-d: Fix dev iotlb pfsid use
+
+From: Jacob Pan <jacob.jun.pan@linux.intel.com>
+
+commit 1c48db44924298ad0cb5a6386b88017539be8822 upstream.
+
+PFSID should be used in the invalidation descriptor for flushing
+device IOTLBs on SRIOV VFs.
+
+Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Cc: stable@vger.kernel.org
+Cc: "Ashok Raj" <ashok.raj@intel.com>
+Cc: "Lu Baolu" <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/dmar.c | 6 +++---
+ drivers/iommu/intel-iommu.c | 17 ++++++++++++++++-
+ include/linux/intel-iommu.h | 5 ++---
+ 3 files changed, 21 insertions(+), 7 deletions(-)
+
+--- a/drivers/iommu/dmar.c
++++ b/drivers/iommu/dmar.c
+@@ -1315,8 +1315,8 @@ void qi_flush_iotlb(struct intel_iommu *
+ qi_submit_sync(&desc, iommu);
+ }
+
+-void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 qdep,
+- u64 addr, unsigned mask)
++void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 pfsid,
++ u16 qdep, u64 addr, unsigned mask)
+ {
+ struct qi_desc desc;
+
+@@ -1331,7 +1331,7 @@ void qi_flush_dev_iotlb(struct intel_iom
+ qdep = 0;
+
+ desc.low = QI_DEV_IOTLB_SID(sid) | QI_DEV_IOTLB_QDEP(qdep) |
+- QI_DIOTLB_TYPE;
++ QI_DIOTLB_TYPE | QI_DEV_IOTLB_PFSID(pfsid);
+
+ qi_submit_sync(&desc, iommu);
+ }
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -1480,6 +1480,20 @@ static void iommu_enable_dev_iotlb(struc
+ return;
+
+ pdev = to_pci_dev(info->dev);
++ /* For IOMMU that supports device IOTLB throttling (DIT), we assign
++ * PFSID to the invalidation desc of a VF such that IOMMU HW can gauge
++ * queue depth at PF level. If DIT is not set, PFSID will be treated as
++ * reserved, which should be set to 0.
++ */
++ if (!ecap_dit(info->iommu->ecap))
++ info->pfsid = 0;
++ else {
++ struct pci_dev *pf_pdev;
++
++ /* pdev will be returned if device is not a vf */
++ pf_pdev = pci_physfn(pdev);
++ info->pfsid = PCI_DEVID(pf_pdev->bus->number, pf_pdev->devfn);
++ }
+
+ #ifdef CONFIG_INTEL_IOMMU_SVM
+ /* The PCIe spec, in its wisdom, declares that the behaviour of
+@@ -1538,7 +1552,8 @@ static void iommu_flush_dev_iotlb(struct
+
+ sid = info->bus << 8 | info->devfn;
+ qdep = info->ats_qdep;
+- qi_flush_dev_iotlb(info->iommu, sid, qdep, addr, mask);
++ qi_flush_dev_iotlb(info->iommu, sid, info->pfsid,
++ qdep, addr, mask);
+ }
+ spin_unlock_irqrestore(&device_domain_lock, flags);
+ }
+--- a/include/linux/intel-iommu.h
++++ b/include/linux/intel-iommu.h
+@@ -466,9 +466,8 @@ extern void qi_flush_context(struct inte
+ u8 fm, u64 type);
+ extern void qi_flush_iotlb(struct intel_iommu *iommu, u16 did, u64 addr,
+ unsigned int size_order, u64 type);
+-extern void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 qdep,
+- u64 addr, unsigned mask);
+-
++extern void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 pfsid,
++ u16 qdep, u64 addr, unsigned mask);
+ extern int qi_submit_sync(struct qi_desc *desc, struct intel_iommu *iommu);
+
+ extern int dmar_ir_support(void);
--- /dev/null
+From a6f572084fbee8b30f91465f4a085d7a90901c57 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 22 Aug 2018 17:30:14 +0200
+Subject: mm/tlb: Remove tlb_remove_table() non-concurrent condition
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit a6f572084fbee8b30f91465f4a085d7a90901c57 upstream.
+
+Will noted that only checking mm_users is incorrect; we should also
+check mm_count in order to cover CPUs that have a lazy reference to
+this mm (and could do speculative TLB operations).
+
+If removing this turns out to be a performance issue, we can
+re-instate a more complete check, but in tlb_table_flush() eliding the
+call_rcu_sched().
+
+Fixes: 267239116987 ("mm, powerpc: move the RCU page-table freeing into generic code")
+Reported-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Rik van Riel <riel@surriel.com>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: David Miller <davem@davemloft.net>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memory.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -361,15 +361,6 @@ void tlb_remove_table(struct mmu_gather
+ {
+ struct mmu_table_batch **batch = &tlb->batch;
+
+- /*
+- * When there's less then two users of this mm there cannot be a
+- * concurrent page-table walk.
+- */
+- if (atomic_read(&tlb->mm->mm_users) < 2) {
+- __tlb_remove_table(table);
+- return;
+- }
+-
+ if (*batch == NULL) {
+ *batch = (struct mmu_table_batch *)__get_free_page(GFP_NOWAIT | __GFP_NOWARN);
+ if (*batch == NULL) {
--- /dev/null
+From 9ba3eb5103cf56f0daaf07de4507df76e7813ed7 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 13 May 2017 21:39:49 -0400
+Subject: osf_getdomainname(): use copy_to_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 9ba3eb5103cf56f0daaf07de4507df76e7813ed7 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/alpha/kernel/osf_sys.c | 23 +++++++++--------------
+ 1 file changed, 9 insertions(+), 14 deletions(-)
+
+--- a/arch/alpha/kernel/osf_sys.c
++++ b/arch/alpha/kernel/osf_sys.c
+@@ -561,25 +561,20 @@ SYSCALL_DEFINE0(getdtablesize)
+ */
+ SYSCALL_DEFINE2(osf_getdomainname, char __user *, name, int, namelen)
+ {
+- unsigned len;
+- int i;
++ int len, err = 0;
++ char *kname;
+
+- if (!access_ok(VERIFY_WRITE, name, namelen))
+- return -EFAULT;
+-
+- len = namelen;
+- if (len > 32)
+- len = 32;
++ if (namelen > 32)
++ namelen = 32;
+
+ down_read(&uts_sem);
+- for (i = 0; i < len; ++i) {
+- __put_user(utsname()->domainname[i], name + i);
+- if (utsname()->domainname[i] == '\0')
+- break;
+- }
++ kname = utsname()->domainname;
++ len = strnlen(kname, namelen);
++ if (copy_to_user(name, kname, min(len + 1, namelen)))
++ err = -EFAULT;
+ up_read(&uts_sem);
+
+- return 0;
++ return err;
+ }
+
+ /*
--- /dev/null
+From 99cbbe56eb8bede625f410ab62ba34673ffa7d21 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Tue, 14 Aug 2018 11:46:08 +0300
+Subject: perf auxtrace: Fix queue resize
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 99cbbe56eb8bede625f410ab62ba34673ffa7d21 upstream.
+
+When the number of queues grows beyond 32, the array of queues is
+resized but not all members were being copied. Fix by also copying
+'tid', 'cpu' and 'set'.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: e502789302a6e ("perf auxtrace: Add helpers for queuing AUX area tracing data")
+Link: http://lkml.kernel.org/r/20180814084608.6563-1-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/auxtrace.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/tools/perf/util/auxtrace.c
++++ b/tools/perf/util/auxtrace.c
+@@ -186,6 +186,9 @@ static int auxtrace_queues__grow(struct
+ for (i = 0; i < queues->nr_queues; i++) {
+ list_splice_tail(&queues->queue_array[i].head,
+ &queue_array[i].head);
++ queue_array[i].tid = queues->queue_array[i].tid;
++ queue_array[i].cpu = queues->queue_array[i].cpu;
++ queue_array[i].set = queues->queue_array[i].set;
+ queue_array[i].priv = queues->queue_array[i].priv;
+ }
+
--- /dev/null
+From 38dabd91ff0bde33352ca3cc65ef515599b77a05 Mon Sep 17 00:00:00 2001
+From: Vignesh R <vigneshr@ti.com>
+Date: Mon, 11 Jun 2018 11:39:56 +0530
+Subject: pwm: tiehrpwm: Fix disabling of output of PWMs
+
+From: Vignesh R <vigneshr@ti.com>
+
+commit 38dabd91ff0bde33352ca3cc65ef515599b77a05 upstream.
+
+pwm-tiehrpwm driver disables PWM output by putting it in low output
+state via active AQCSFRC register in ehrpwm_pwm_disable(). But, the
+AQCSFRC shadow register is not updated. Therefore, when shadow AQCSFRC
+register is re-enabled in ehrpwm_pwm_enable() (say to enable second PWM
+output), previous settings are lost as shadow register value is loaded
+into active register. This results in things like PWMA getting enabled
+automatically, when PWMB is enabled and vice versa. Fix this by
+updating AQCSFRC shadow register as well during ehrpwm_pwm_disable().
+
+Fixes: 19891b20e7c2 ("pwm: pwm-tiehrpwm: PWM driver support for EHRPWM")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pwm/pwm-tiehrpwm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pwm/pwm-tiehrpwm.c
++++ b/drivers/pwm/pwm-tiehrpwm.c
+@@ -384,6 +384,8 @@ static void ehrpwm_pwm_disable(struct pw
+ aqcsfrc_mask = AQCSFRC_CSFA_MASK;
+ }
+
++ /* Update shadow register first before modifying active register */
++ ehrpwm_modify(pc->mmio_base, AQCSFRC, aqcsfrc_mask, aqcsfrc_val);
+ /*
+ * Changes to immediate action on Action Qualifier. This puts
+ * Action Qualifier control on PWM output from next TBCLK
--- /dev/null
+From 08acbdd6fd736b90f8d725da5a0de4de2dd6de62 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Sun, 1 Jul 2018 23:20:50 +0200
+Subject: Revert "UBIFS: Fix potential integer overflow in allocation"
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 08acbdd6fd736b90f8d725da5a0de4de2dd6de62 upstream.
+
+This reverts commit 353748a359f1821ee934afc579cf04572406b420.
+It bypassed the linux-mtd review process and fixes the issue not as it
+should.
+
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Silvio Cesare <silvio.cesare@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/journal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ubifs/journal.c
++++ b/fs/ubifs/journal.c
+@@ -1107,7 +1107,7 @@ static int recomp_data_node(const struct
+ int err, len, compr_type, out_len;
+
+ out_len = le32_to_cpu(dn->size);
+- buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS);
++ buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS);
+ if (!buf)
+ return -ENOMEM;
+
pm-sleep-wakeup-fix-build-error-caused-by-missing-srcu-support.patch
pnfs-blocklayout-off-by-one-in-bl_map_stripe.patch
arm-tegra-fix-tegra30-cardhu-pca954x-reset.patch
+mm-tlb-remove-tlb_remove_table-non-concurrent-condition.patch
+iommu-vt-d-add-definitions-for-pfsid.patch
+iommu-vt-d-fix-dev-iotlb-pfsid-use.patch
+osf_getdomainname-use-copy_to_user.patch
+sys-don-t-hold-uts_sem-while-accessing-userspace-memory.patch
+userns-move-user-access-out-of-the-mutex.patch
+ubifs-fix-memory-leak-in-lprobs-self-check.patch
+revert-ubifs-fix-potential-integer-overflow-in-allocation.patch
+ubifs-check-data-node-size-before-truncate.patch
+ubifs-fix-synced_i_size-calculation-for-xattr-inodes.patch
+pwm-tiehrpwm-fix-disabling-of-output-of-pwms.patch
+fb-fix-lost-console-when-the-user-unplugs-a-usb-adapter.patch
+udlfb-set-optimal-write-delay.patch
+getxattr-use-correct-xattr-length.patch
+bcache-release-dc-writeback_lock-properly-in-bch_writeback_thread.patch
+perf-auxtrace-fix-queue-resize.patch
+fs-quota-fix-spectre-gadget-in-do_quotactl.patch
--- /dev/null
+From 42a0cc3478584d4d63f68f2f5af021ddbea771fa Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Mon, 25 Jun 2018 18:34:10 +0200
+Subject: sys: don't hold uts_sem while accessing userspace memory
+
+From: Jann Horn <jannh@google.com>
+
+commit 42a0cc3478584d4d63f68f2f5af021ddbea771fa upstream.
+
+Holding uts_sem as a writer while accessing userspace memory allows a
+namespace admin to stall all processes that attempt to take uts_sem.
+Instead, move data through stack buffers and don't access userspace memory
+while uts_sem is held.
+
+Cc: stable@vger.kernel.org
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/alpha/kernel/osf_sys.c | 51 +++++++++-----------
+ arch/sparc/kernel/sys_sparc_32.c | 22 +++++----
+ arch/sparc/kernel/sys_sparc_64.c | 20 ++++----
+ kernel/sys.c | 95 ++++++++++++++++++---------------------
+ kernel/utsname_sysctl.c | 41 ++++++++++------
+ 5 files changed, 119 insertions(+), 110 deletions(-)
+
+--- a/arch/alpha/kernel/osf_sys.c
++++ b/arch/alpha/kernel/osf_sys.c
+@@ -526,24 +526,19 @@ SYSCALL_DEFINE4(osf_mount, unsigned long
+ SYSCALL_DEFINE1(osf_utsname, char __user *, name)
+ {
+ int error;
++ char tmp[5 * 32];
+
+ down_read(&uts_sem);
+- error = -EFAULT;
+- if (copy_to_user(name + 0, utsname()->sysname, 32))
+- goto out;
+- if (copy_to_user(name + 32, utsname()->nodename, 32))
+- goto out;
+- if (copy_to_user(name + 64, utsname()->release, 32))
+- goto out;
+- if (copy_to_user(name + 96, utsname()->version, 32))
+- goto out;
+- if (copy_to_user(name + 128, utsname()->machine, 32))
+- goto out;
++ memcpy(tmp + 0 * 32, utsname()->sysname, 32);
++ memcpy(tmp + 1 * 32, utsname()->nodename, 32);
++ memcpy(tmp + 2 * 32, utsname()->release, 32);
++ memcpy(tmp + 3 * 32, utsname()->version, 32);
++ memcpy(tmp + 4 * 32, utsname()->machine, 32);
++ up_read(&uts_sem);
+
+- error = 0;
+- out:
+- up_read(&uts_sem);
+- return error;
++ if (copy_to_user(name, tmp, sizeof(tmp)))
++ return -EFAULT;
++ return 0;
+ }
+
+ SYSCALL_DEFINE0(getpagesize)
+@@ -563,18 +558,21 @@ SYSCALL_DEFINE2(osf_getdomainname, char
+ {
+ int len, err = 0;
+ char *kname;
++ char tmp[32];
+
+- if (namelen > 32)
++ if (namelen < 0 || namelen > 32)
+ namelen = 32;
+
+ down_read(&uts_sem);
+ kname = utsname()->domainname;
+ len = strnlen(kname, namelen);
+- if (copy_to_user(name, kname, min(len + 1, namelen)))
+- err = -EFAULT;
++ len = min(len + 1, namelen);
++ memcpy(tmp, kname, len);
+ up_read(&uts_sem);
+
+- return err;
++ if (copy_to_user(name, tmp, len))
++ return -EFAULT;
++ return 0;
+ }
+
+ /*
+@@ -736,13 +734,14 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman
+ };
+ unsigned long offset;
+ const char *res;
+- long len, err = -EINVAL;
++ long len;
++ char tmp[__NEW_UTS_LEN + 1];
+
+ offset = command-1;
+ if (offset >= ARRAY_SIZE(sysinfo_table)) {
+ /* Digital UNIX has a few unpublished interfaces here */
+ printk("sysinfo(%d)", command);
+- goto out;
++ return -EINVAL;
+ }
+
+ down_read(&uts_sem);
+@@ -750,13 +749,11 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman
+ len = strlen(res)+1;
+ if ((unsigned long)len > (unsigned long)count)
+ len = count;
+- if (copy_to_user(buf, res, len))
+- err = -EFAULT;
+- else
+- err = 0;
++ memcpy(tmp, res, len);
+ up_read(&uts_sem);
+- out:
+- return err;
++ if (copy_to_user(buf, tmp, len))
++ return -EFAULT;
++ return 0;
+ }
+
+ SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,
+--- a/arch/sparc/kernel/sys_sparc_32.c
++++ b/arch/sparc/kernel/sys_sparc_32.c
+@@ -201,23 +201,27 @@ SYSCALL_DEFINE5(rt_sigaction, int, sig,
+
+ asmlinkage long sys_getdomainname(char __user *name, int len)
+ {
+- int nlen, err;
+-
++ int nlen, err;
++ char tmp[__NEW_UTS_LEN + 1];
++
+ if (len < 0)
+ return -EINVAL;
+
+- down_read(&uts_sem);
+-
++ down_read(&uts_sem);
++
+ nlen = strlen(utsname()->domainname) + 1;
+ err = -EINVAL;
+ if (nlen > len)
+- goto out;
++ goto out_unlock;
++ memcpy(tmp, utsname()->domainname, nlen);
++
++ up_read(&uts_sem);
+
+- err = -EFAULT;
+- if (!copy_to_user(name, utsname()->domainname, nlen))
+- err = 0;
++ if (copy_to_user(name, tmp, nlen))
++ return -EFAULT;
++ return 0;
+
+-out:
++out_unlock:
+ up_read(&uts_sem);
+ return err;
+ }
+--- a/arch/sparc/kernel/sys_sparc_64.c
++++ b/arch/sparc/kernel/sys_sparc_64.c
+@@ -524,23 +524,27 @@ extern void check_pending(int signum);
+
+ SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len)
+ {
+- int nlen, err;
++ int nlen, err;
++ char tmp[__NEW_UTS_LEN + 1];
+
+ if (len < 0)
+ return -EINVAL;
+
+- down_read(&uts_sem);
+-
++ down_read(&uts_sem);
++
+ nlen = strlen(utsname()->domainname) + 1;
+ err = -EINVAL;
+ if (nlen > len)
+- goto out;
++ goto out_unlock;
++ memcpy(tmp, utsname()->domainname, nlen);
++
++ up_read(&uts_sem);
+
+- err = -EFAULT;
+- if (!copy_to_user(name, utsname()->domainname, nlen))
+- err = 0;
++ if (copy_to_user(name, tmp, nlen))
++ return -EFAULT;
++ return 0;
+
+-out:
++out_unlock:
+ up_read(&uts_sem);
+ return err;
+ }
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1142,18 +1142,19 @@ static int override_release(char __user
+
+ SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name)
+ {
+- int errno = 0;
++ struct new_utsname tmp;
+
+ down_read(&uts_sem);
+- if (copy_to_user(name, utsname(), sizeof *name))
+- errno = -EFAULT;
++ memcpy(&tmp, utsname(), sizeof(tmp));
+ up_read(&uts_sem);
++ if (copy_to_user(name, &tmp, sizeof(tmp)))
++ return -EFAULT;
+
+- if (!errno && override_release(name->release, sizeof(name->release)))
+- errno = -EFAULT;
+- if (!errno && override_architecture(name))
+- errno = -EFAULT;
+- return errno;
++ if (override_release(name->release, sizeof(name->release)))
++ return -EFAULT;
++ if (override_architecture(name))
++ return -EFAULT;
++ return 0;
+ }
+
+ #ifdef __ARCH_WANT_SYS_OLD_UNAME
+@@ -1162,55 +1163,46 @@ SYSCALL_DEFINE1(newuname, struct new_uts
+ */
+ SYSCALL_DEFINE1(uname, struct old_utsname __user *, name)
+ {
+- int error = 0;
++ struct old_utsname tmp;
+
+ if (!name)
+ return -EFAULT;
+
+ down_read(&uts_sem);
+- if (copy_to_user(name, utsname(), sizeof(*name)))
+- error = -EFAULT;
++ memcpy(&tmp, utsname(), sizeof(tmp));
+ up_read(&uts_sem);
++ if (copy_to_user(name, &tmp, sizeof(tmp)))
++ return -EFAULT;
+
+- if (!error && override_release(name->release, sizeof(name->release)))
+- error = -EFAULT;
+- if (!error && override_architecture(name))
+- error = -EFAULT;
+- return error;
++ if (override_release(name->release, sizeof(name->release)))
++ return -EFAULT;
++ if (override_architecture(name))
++ return -EFAULT;
++ return 0;
+ }
+
+ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
+ {
+- int error;
++ struct oldold_utsname tmp = {};
+
+ if (!name)
+ return -EFAULT;
+- if (!access_ok(VERIFY_WRITE, name, sizeof(struct oldold_utsname)))
+- return -EFAULT;
+
+ down_read(&uts_sem);
+- error = __copy_to_user(&name->sysname, &utsname()->sysname,
+- __OLD_UTS_LEN);
+- error |= __put_user(0, name->sysname + __OLD_UTS_LEN);
+- error |= __copy_to_user(&name->nodename, &utsname()->nodename,
+- __OLD_UTS_LEN);
+- error |= __put_user(0, name->nodename + __OLD_UTS_LEN);
+- error |= __copy_to_user(&name->release, &utsname()->release,
+- __OLD_UTS_LEN);
+- error |= __put_user(0, name->release + __OLD_UTS_LEN);
+- error |= __copy_to_user(&name->version, &utsname()->version,
+- __OLD_UTS_LEN);
+- error |= __put_user(0, name->version + __OLD_UTS_LEN);
+- error |= __copy_to_user(&name->machine, &utsname()->machine,
+- __OLD_UTS_LEN);
+- error |= __put_user(0, name->machine + __OLD_UTS_LEN);
++ memcpy(&tmp.sysname, &utsname()->sysname, __OLD_UTS_LEN);
++ memcpy(&tmp.nodename, &utsname()->nodename, __OLD_UTS_LEN);
++ memcpy(&tmp.release, &utsname()->release, __OLD_UTS_LEN);
++ memcpy(&tmp.version, &utsname()->version, __OLD_UTS_LEN);
++ memcpy(&tmp.machine, &utsname()->machine, __OLD_UTS_LEN);
+ up_read(&uts_sem);
++ if (copy_to_user(name, &tmp, sizeof(tmp)))
++ return -EFAULT;
+
+- if (!error && override_architecture(name))
+- error = -EFAULT;
+- if (!error && override_release(name->release, sizeof(name->release)))
+- error = -EFAULT;
+- return error ? -EFAULT : 0;
++ if (override_architecture(name))
++ return -EFAULT;
++ if (override_release(name->release, sizeof(name->release)))
++ return -EFAULT;
++ return 0;
+ }
+ #endif
+
+@@ -1224,17 +1216,18 @@ SYSCALL_DEFINE2(sethostname, char __user
+
+ if (len < 0 || len > __NEW_UTS_LEN)
+ return -EINVAL;
+- down_write(&uts_sem);
+ errno = -EFAULT;
+ if (!copy_from_user(tmp, name, len)) {
+- struct new_utsname *u = utsname();
++ struct new_utsname *u;
+
++ down_write(&uts_sem);
++ u = utsname();
+ memcpy(u->nodename, tmp, len);
+ memset(u->nodename + len, 0, sizeof(u->nodename) - len);
+ errno = 0;
+ uts_proc_notify(UTS_PROC_HOSTNAME);
++ up_write(&uts_sem);
+ }
+- up_write(&uts_sem);
+ return errno;
+ }
+
+@@ -1242,8 +1235,9 @@ SYSCALL_DEFINE2(sethostname, char __user
+
+ SYSCALL_DEFINE2(gethostname, char __user *, name, int, len)
+ {
+- int i, errno;
++ int i;
+ struct new_utsname *u;
++ char tmp[__NEW_UTS_LEN + 1];
+
+ if (len < 0)
+ return -EINVAL;
+@@ -1252,11 +1246,11 @@ SYSCALL_DEFINE2(gethostname, char __user
+ i = 1 + strlen(u->nodename);
+ if (i > len)
+ i = len;
+- errno = 0;
+- if (copy_to_user(name, u->nodename, i))
+- errno = -EFAULT;
++ memcpy(tmp, u->nodename, i);
+ up_read(&uts_sem);
+- return errno;
++ if (copy_to_user(name, tmp, i))
++ return -EFAULT;
++ return 0;
+ }
+
+ #endif
+@@ -1275,17 +1269,18 @@ SYSCALL_DEFINE2(setdomainname, char __us
+ if (len < 0 || len > __NEW_UTS_LEN)
+ return -EINVAL;
+
+- down_write(&uts_sem);
+ errno = -EFAULT;
+ if (!copy_from_user(tmp, name, len)) {
+- struct new_utsname *u = utsname();
++ struct new_utsname *u;
+
++ down_write(&uts_sem);
++ u = utsname();
+ memcpy(u->domainname, tmp, len);
+ memset(u->domainname + len, 0, sizeof(u->domainname) - len);
+ errno = 0;
+ uts_proc_notify(UTS_PROC_DOMAINNAME);
++ up_write(&uts_sem);
+ }
+- up_write(&uts_sem);
+ return errno;
+ }
+
+--- a/kernel/utsname_sysctl.c
++++ b/kernel/utsname_sysctl.c
+@@ -17,7 +17,7 @@
+
+ #ifdef CONFIG_PROC_SYSCTL
+
+-static void *get_uts(struct ctl_table *table, int write)
++static void *get_uts(struct ctl_table *table)
+ {
+ char *which = table->data;
+ struct uts_namespace *uts_ns;
+@@ -25,21 +25,9 @@ static void *get_uts(struct ctl_table *t
+ uts_ns = current->nsproxy->uts_ns;
+ which = (which - (char *)&init_uts_ns) + (char *)uts_ns;
+
+- if (!write)
+- down_read(&uts_sem);
+- else
+- down_write(&uts_sem);
+ return which;
+ }
+
+-static void put_uts(struct ctl_table *table, int write, void *which)
+-{
+- if (!write)
+- up_read(&uts_sem);
+- else
+- up_write(&uts_sem);
+-}
+-
+ /*
+ * Special case of dostring for the UTS structure. This has locks
+ * to observe. Should this be in kernel/sys.c ????
+@@ -49,13 +37,34 @@ static int proc_do_uts_string(struct ctl
+ {
+ struct ctl_table uts_table;
+ int r;
++ char tmp_data[__NEW_UTS_LEN + 1];
++
+ memcpy(&uts_table, table, sizeof(uts_table));
+- uts_table.data = get_uts(table, write);
++ uts_table.data = tmp_data;
++
++ /*
++ * Buffer the value in tmp_data so that proc_dostring() can be called
++ * without holding any locks.
++ * We also need to read the original value in the write==1 case to
++ * support partial writes.
++ */
++ down_read(&uts_sem);
++ memcpy(tmp_data, get_uts(table), sizeof(tmp_data));
++ up_read(&uts_sem);
+ r = proc_dostring(&uts_table, write, buffer, lenp, ppos);
+- put_uts(table, write, uts_table.data);
+
+- if (write)
++ if (write) {
++ /*
++ * Write back the new value.
++ * Note that, since we dropped uts_sem, the result can
++ * theoretically be incorrect if there are two parallel writes
++ * at non-zero offsets to the same sysctl.
++ */
++ down_write(&uts_sem);
++ memcpy(get_uts(table), tmp_data, sizeof(tmp_data));
++ up_write(&uts_sem);
+ proc_sys_poll_notify(table->poll);
++ }
+
+ return r;
+ }
--- /dev/null
+From 95a22d2084d72ea067d8323cc85677dba5d97cae Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Sun, 1 Jul 2018 23:20:51 +0200
+Subject: ubifs: Check data node size before truncate
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 95a22d2084d72ea067d8323cc85677dba5d97cae upstream.
+
+Check whether the size is within bounds before using it.
+If the size is not correct, abort and dump the bad data node.
+
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Silvio Cesare <silvio.cesare@gmail.com>
+Cc: stable@vger.kernel.org
+Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
+Reported-by: Silvio Cesare <silvio.cesare@gmail.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/journal.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/ubifs/journal.c
++++ b/fs/ubifs/journal.c
+@@ -1186,7 +1186,16 @@ int ubifs_jnl_truncate(struct ubifs_info
+ else if (err)
+ goto out_free;
+ else {
+- if (le32_to_cpu(dn->size) <= dlen)
++ int dn_len = le32_to_cpu(dn->size);
++
++ if (dn_len <= 0 || dn_len > UBIFS_BLOCK_SIZE) {
++ ubifs_err(c, "bad data node (block %u, inode %lu)",
++ blk, inode->i_ino);
++ ubifs_dump_node(c, dn);
++ goto out_free;
++ }
++
++ if (dn_len <= dlen)
+ dlen = 0; /* Nothing to do */
+ else {
+ int compr_type = le16_to_cpu(dn->compr_type);
--- /dev/null
+From eef19816ada3abd56d9f20c88794cc2fea83ebb2 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Tue, 12 Jun 2018 20:49:45 +0200
+Subject: ubifs: Fix memory leak in lprobs self-check
+
+From: Richard Weinberger <richard@nod.at>
+
+commit eef19816ada3abd56d9f20c88794cc2fea83ebb2 upstream.
+
+Allocate the buffer after we return early.
+Otherwise memory is being leaked.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/lprops.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/ubifs/lprops.c
++++ b/fs/ubifs/lprops.c
+@@ -1091,10 +1091,6 @@ static int scan_check_cb(struct ubifs_in
+ }
+ }
+
+- buf = __vmalloc(c->leb_size, GFP_NOFS, PAGE_KERNEL);
+- if (!buf)
+- return -ENOMEM;
+-
+ /*
+ * After an unclean unmount, empty and freeable LEBs
+ * may contain garbage - do not scan them.
+@@ -1113,6 +1109,10 @@ static int scan_check_cb(struct ubifs_in
+ return LPT_SCAN_CONTINUE;
+ }
+
++ buf = __vmalloc(c->leb_size, GFP_NOFS, PAGE_KERNEL);
++ if (!buf)
++ return -ENOMEM;
++
+ sleb = ubifs_scan(c, lnum, 0, buf, 0);
+ if (IS_ERR(sleb)) {
+ ret = PTR_ERR(sleb);
--- /dev/null
+From 59965593205fa4044850d35ee3557cf0b7edcd14 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Tue, 12 Jun 2018 00:52:28 +0200
+Subject: ubifs: Fix synced_i_size calculation for xattr inodes
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 59965593205fa4044850d35ee3557cf0b7edcd14 upstream.
+
+In ubifs_jnl_update() we sync parent and child inodes to the flash,
+in case of xattrs, the parent inode (AKA host inode) has a non-zero
+data_len. Therefore we need to adjust synced_i_size too.
+
+This issue was reported by ubifs self tests unter a xattr related work
+load.
+UBIFS error (ubi0:0 pid 1896): dbg_check_synced_i_size: ui_size is 4, synced_i_size is 0, but inode is clean
+UBIFS error (ubi0:0 pid 1896): dbg_check_synced_i_size: i_ino 65, i_mode 0x81a4, i_size 4
+
+Cc: <stable@vger.kernel.org>
+Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/journal.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/ubifs/journal.c
++++ b/fs/ubifs/journal.c
+@@ -661,6 +661,11 @@ int ubifs_jnl_update(struct ubifs_info *
+ spin_lock(&ui->ui_lock);
+ ui->synced_i_size = ui->ui_size;
+ spin_unlock(&ui->ui_lock);
++ if (xent) {
++ spin_lock(&host_ui->ui_lock);
++ host_ui->synced_i_size = host_ui->ui_size;
++ spin_unlock(&host_ui->ui_lock);
++ }
+ mark_inode_clean(c, ui);
+ mark_inode_clean(c, host_ui);
+ return 0;
--- /dev/null
+From bb24153a3f13dd0dbc1f8055ad97fe346d598f66 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 25 Jul 2018 15:41:55 +0200
+Subject: udlfb: set optimal write delay
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit bb24153a3f13dd0dbc1f8055ad97fe346d598f66 upstream.
+
+The default delay 5 jiffies is too much when the kernel is compiled with
+HZ=100 - it results in jumpy cursor in Xwindow.
+
+In order to find out the optimal delay, I benchmarked the driver on
+1280x720x30fps video. I found out that with HZ=1000, 10ms is acceptable,
+but with HZ=250 or HZ=300, we need 4ms, so that the video is played
+without any frame skips.
+
+This patch changes the delay to this value.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/video/udlfb.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/video/udlfb.h
++++ b/include/video/udlfb.h
+@@ -87,7 +87,7 @@ struct dlfb_data {
+ #define MIN_RAW_PIX_BYTES 2
+ #define MIN_RAW_CMD_BYTES (RAW_HEADER_BYTES + MIN_RAW_PIX_BYTES)
+
+-#define DL_DEFIO_WRITE_DELAY 5 /* fb_deferred_io.delay in jiffies */
++#define DL_DEFIO_WRITE_DELAY msecs_to_jiffies(HZ <= 300 ? 4 : 10) /* optimal value for 720p video */
+ #define DL_DEFIO_WRITE_DISABLE (HZ*60) /* "disable" with long delay */
+
+ /* remove these once align.h patch is taken into kernel */
--- /dev/null
+From 5820f140edef111a9ea2ef414ab2428b8cb805b1 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Mon, 25 Jun 2018 18:34:19 +0200
+Subject: userns: move user access out of the mutex
+
+From: Jann Horn <jannh@google.com>
+
+commit 5820f140edef111a9ea2ef414ab2428b8cb805b1 upstream.
+
+The old code would hold the userns_state_mutex indefinitely if
+memdup_user_nul stalled due to e.g. a userfault region. Prevent that by
+moving the memdup_user_nul in front of the mutex_lock().
+
+Note: This changes the error precedence of invalid buf/count/*ppos vs
+map already written / capabilities missing.
+
+Fixes: 22d917d80e84 ("userns: Rework the user_namespace adding uid/gid...")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Christian Brauner <christian@brauner.io>
+Acked-by: Serge Hallyn <serge@hallyn.com>
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/user_namespace.c | 22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -604,7 +604,16 @@ static ssize_t map_write(struct file *fi
+ struct uid_gid_extent *extent = NULL;
+ unsigned long page = 0;
+ char *kbuf, *pos, *next_line;
+- ssize_t ret = -EINVAL;
++ ssize_t ret;
++
++ /* Only allow < page size writes at the beginning of the file */
++ if ((*ppos != 0) || (count >= PAGE_SIZE))
++ return -EINVAL;
++
++ /* Slurp in the user data */
++ if (copy_from_user(kbuf, buf, count))
++ return -EFAULT;
++ kbuf[count] = '\0';
+
+ /*
+ * The userns_state_mutex serializes all writes to any given map.
+@@ -645,17 +654,6 @@ static ssize_t map_write(struct file *fi
+ if (!page)
+ goto out;
+
+- /* Only allow < page size writes at the beginning of the file */
+- ret = -EINVAL;
+- if ((*ppos != 0) || (count >= PAGE_SIZE))
+- goto out;
+-
+- /* Slurp in the user data */
+- ret = -EFAULT;
+- if (copy_from_user(kbuf, buf, count))
+- goto out;
+- kbuf[count] = '\0';
+-
+ /* Parse the user data */
+ ret = -EINVAL;
+ pos = kbuf;
projects / thirdparty / kernel / stable-queue.git / commitdiff
