3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Nov 2018 01:49:22 +0000 (17:49 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Nov 2018 01:49:22 +0000 (17:49 -0800)
added patches:
crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch
drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch
ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch
gfs2_meta-mount-can-get-null-dev_name.patch
iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch
iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch
ima-fix-showing-large-violations-or-runtime_measurements_count.patch
jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch
kbuild-fix-kernel-bounds.c-w-1-warning.patch
net-ipv4-defensive-cipso-option-parsing.patch
printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch
signal-genwqe-fix-sending-of-sigkill.patch
smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch
smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch
smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch
w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch
xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch

18 files changed:
queue-3.18/crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch [new file with mode: 0644]
queue-3.18/drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch [new file with mode: 0644]
queue-3.18/ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch [new file with mode: 0644]
queue-3.18/gfs2_meta-mount-can-get-null-dev_name.patch [new file with mode: 0644]
queue-3.18/iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch [new file with mode: 0644]
queue-3.18/iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch [new file with mode: 0644]
queue-3.18/ima-fix-showing-large-violations-or-runtime_measurements_count.patch [new file with mode: 0644]
queue-3.18/jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch [new file with mode: 0644]
queue-3.18/kbuild-fix-kernel-bounds.c-w-1-warning.patch [new file with mode: 0644]
queue-3.18/net-ipv4-defensive-cipso-option-parsing.patch [new file with mode: 0644]
queue-3.18/printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch [new file with mode: 0644]
queue-3.18/series
queue-3.18/signal-genwqe-fix-sending-of-sigkill.patch [new file with mode: 0644]
queue-3.18/smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch [new file with mode: 0644]
queue-3.18/smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch [new file with mode: 0644]
queue-3.18/smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch [new file with mode: 0644]
queue-3.18/w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch [new file with mode: 0644]
queue-3.18/xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch [new file with mode: 0644]

diff --git a/queue-3.18/crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch b/queue-3.18/crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch
new file mode 100644 (file)
index 0000000..1abba34
--- /dev/null
@@ -0,0 +1,40 @@
+From fbe1a850b3b1522e9fc22319ccbbcd2ab05328d2 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Thu, 13 Sep 2018 10:51:31 +0200
+Subject: crypto: lrw - Fix out-of bounds access on counter overflow
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+commit fbe1a850b3b1522e9fc22319ccbbcd2ab05328d2 upstream.
+
+When the LRW block counter overflows, the current implementation returns
+128 as the index to the precomputed multiplication table, which has 128
+entries. This patch fixes it to return the correct value (127).
+
+Fixes: 64470f1b8510 ("[CRYPTO] lrw: Liskov Rivest Wagner, a tweakable narrow block cipher mode")
+Cc: <stable@vger.kernel.org> # 2.6.20+
+Reported-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/lrw.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/crypto/lrw.c
++++ b/crypto/lrw.c
+@@ -132,7 +132,12 @@ static inline int get_index128(be128 *bl
+               return x + ffz(val);
+       }
+-      return x;
++      /*
++       * If we get here, then x == 128 and we are incrementing the counter
++       * from all ones to all zeros. This means we must return index 127, i.e.
++       * the one corresponding to key2*{ 1,...,1 }.
++       */
++      return 127;
+ }
+ static int crypt(struct blkcipher_desc *d,
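Review bot: The `return 127;` at the end of get_index128() is tied to the 128-entry multiplication table only by the comment and the commit message, so nothing in the hunk keeps the index and the table size in step if either changes. A short addition to the comment naming the table and its size, e.g. `/* last valid index of the 128-entry precomputed table */`, would make the bound checkable at the return site. A test vector whose block counter wraps from all ones to all zeros would exercise this path; whether one exists for this tree is not visible here. The loop that computes `x` starts outside the hunk.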
diff --git a/queue-3.18/drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch b/queue-3.18/drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch
new file mode 100644 (file)
index 0000000..9fa1def
--- /dev/null
@@ -0,0 +1,64 @@
+From fc62c3b1977d62e6374fd6e28d371bb42dfa5c9d Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Sun, 23 Sep 2018 21:10:43 +0000
+Subject: Drivers: hv: kvp: Fix two "this statement may fall through" warnings
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit fc62c3b1977d62e6374fd6e28d371bb42dfa5c9d upstream.
+
+We don't need to call process_ib_ipinfo() if message->kvp_hdr.operation is
+KVP_OP_GET_IP_INFO in kvp_send_key(), because here we just need to pass on
+the op code from the host to the userspace; when the userspace returns
+the info requested by the host, we pass the info on to the host in
+kvp_respond_to_host() -> process_ob_ipinfo(). BTW, the current buggy code
+actually doesn't cause any harm, because only message->kvp_hdr.operation
+is used by the userspace, in the case of KVP_OP_GET_IP_INFO.
+
+The patch also adds a missing "break;" in kvp_send_key(). BTW, the current
+buggy code actually doesn't cause any harm, because in the case of
+KVP_OP_SET, the unexpected fall-through corrupts
+message->body.kvp_set.data.key_size, but that is not really used: see
+the definition of struct hv_kvp_exchg_msg_value.
+
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Cc: K. Y. Srinivasan <kys@microsoft.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/hv_kvp.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/hv/hv_kvp.c
++++ b/drivers/hv/hv_kvp.c
+@@ -326,7 +326,6 @@ static void process_ib_ipinfo(void *in_m
+               out->body.kvp_ip_val.dhcp_enabled = in->kvp_ip_val.dhcp_enabled;
+-      default:
+               utf16s_to_utf8s((wchar_t *)in->kvp_ip_val.adapter_id,
+                               MAX_ADAPTER_ID_SIZE,
+                               UTF16_LITTLE_ENDIAN,
+@@ -379,7 +378,7 @@ kvp_send_key(struct work_struct *dummy)
+               process_ib_ipinfo(in_msg, message, KVP_OP_SET_IP_INFO);
+               break;
+       case KVP_OP_GET_IP_INFO:
+-              process_ib_ipinfo(in_msg, message, KVP_OP_GET_IP_INFO);
++              /* We only need to pass on message->kvp_hdr.operation.  */
+               break;
+       case KVP_OP_SET:
+               switch (in_msg->body.kvp_set.data.value_type) {
+@@ -419,6 +418,9 @@ kvp_send_key(struct work_struct *dummy)
+                       break;
+               }
++
++              break;
++
+       case KVP_OP_GET:
+               message->body.kvp_set.data.key_size =
+                       utf16s_to_utf8s(
diff --git a/queue-3.18/ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch b/queue-3.18/ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch
new file mode 100644 (file)
index 0000000..43107ab
--- /dev/null
@@ -0,0 +1,34 @@
+From 625ef8a3acd111d5f496d190baf99d1a815bd03e Mon Sep 17 00:00:00 2001
+From: Lukas Czerner <lczerner@redhat.com>
+Date: Tue, 2 Oct 2018 21:18:45 -0400
+Subject: ext4: initialize retries variable in ext4_da_write_inline_data_begin()
+
+From: Lukas Czerner <lczerner@redhat.com>
+
+commit 625ef8a3acd111d5f496d190baf99d1a815bd03e upstream.
+
+Variable retries is not initialized in ext4_da_write_inline_data_begin()
+which can lead to nondeterministic number of retries in case we hit
+ENOSPC. Initialize retries to zero as we do everywhere else.
+
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Fixes: bc0ca9df3b2a ("ext4: retry allocation when inline->extent conversion failed")
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inline.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -850,7 +850,7 @@ int ext4_da_write_inline_data_begin(stru
+       handle_t *handle;
+       struct page *page;
+       struct ext4_iloc iloc;
+-      int retries;
++      int retries = 0;
+       ret = ext4_get_inode_loc(inode, &iloc);
+       if (ret)
diff --git a/queue-3.18/gfs2_meta-mount-can-get-null-dev_name.patch b/queue-3.18/gfs2_meta-mount-can-get-null-dev_name.patch
new file mode 100644 (file)
index 0000000..e87e357
--- /dev/null
@@ -0,0 +1,32 @@
+From 3df629d873f8683af6f0d34dfc743f637966d483 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 13 Oct 2018 00:19:13 -0400
+Subject: gfs2_meta: ->mount() can get NULL dev_name
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 3df629d873f8683af6f0d34dfc743f637966d483 upstream.
+
+get in sync with mount_bdev() handling of the same
+
+Reported-by: syzbot+c54f8e94e6bba03b04e9@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/ops_fstype.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/gfs2/ops_fstype.c
++++ b/fs/gfs2/ops_fstype.c
+@@ -1358,6 +1358,9 @@ static struct dentry *gfs2_mount_meta(st
+       struct path path;
+       int error;
++      if (!dev_name || !*dev_name)
++              return ERR_PTR(-EINVAL);
++
+       error = kern_path(dev_name, LOOKUP_FOLLOW, &path);
+       if (error) {
+               pr_warn("path_lookup on %s returned error %d\n",
diff --git a/queue-3.18/iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch b/queue-3.18/iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch
new file mode 100644 (file)
index 0000000..8ee215f
--- /dev/null
@@ -0,0 +1,39 @@
+From bc1b45326223e7e890053cf6266357adfa61942d Mon Sep 17 00:00:00 2001
+From: Eugen Hristev <eugen.hristev@microchip.com>
+Date: Mon, 24 Sep 2018 10:51:43 +0300
+Subject: iio: adc: at91: fix acking DRDY irq on simple conversions
+
+From: Eugen Hristev <eugen.hristev@microchip.com>
+
+commit bc1b45326223e7e890053cf6266357adfa61942d upstream.
+
+When doing simple conversions, the driver did not acknowledge the DRDY irq.
+If this irq status is not acked, it will be left pending, and as soon as a
+trigger is enabled, the irq handler will be called, it doesn't know why
+this status has occurred because no channel is pending, and then it will go
+int a irq loop and board will hang.
+To avoid this situation, read the LCDR after a raw conversion is done.
+
+Fixes: 0e589d5fb ("ARM: AT91: IIO: Add AT91 ADC driver.")
+Cc: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/at91_adc.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/adc/at91_adc.c
++++ b/drivers/iio/adc/at91_adc.c
+@@ -276,6 +276,8 @@ static void handle_adc_eoc_trigger(int i
+               iio_trigger_poll(idev->trig);
+       } else {
+               st->last_value = at91_adc_readl(st, AT91_ADC_CHAN(st, st->chnb));
++              /* Needed to ACK the DRDY interruption */
++              at91_adc_readl(st, AT91_ADC_LCDR);
+               st->done = true;
+               wake_up_interruptible(&st->wq_data_avail);
+       }
diff --git a/queue-3.18/iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch b/queue-3.18/iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch
new file mode 100644 (file)
index 0000000..f91d5f2
--- /dev/null
@@ -0,0 +1,49 @@
+From aea835f2dc8a682942b859179c49ad1841a6c8b9 Mon Sep 17 00:00:00 2001
+From: Eugen Hristev <eugen.hristev@microchip.com>
+Date: Mon, 24 Sep 2018 10:51:44 +0300
+Subject: iio: adc: at91: fix wrong channel number in triggered buffer mode
+
+From: Eugen Hristev <eugen.hristev@microchip.com>
+
+commit aea835f2dc8a682942b859179c49ad1841a6c8b9 upstream.
+
+When channels are registered, the hardware channel number is not the
+actual iio channel number.
+This is because the driver is probed with a certain number of accessible
+channels. Some pins are routed and some not, depending on the description of
+the board in the DT.
+Because of that, channels 0,1,2,3 can correspond to hardware channels
+2,3,4,5 for example.
+In the buffered triggered case, we need to do the translation accordingly.
+Fixed the channel number to stop reading the wrong channel.
+
+Fixes: 0e589d5fb ("ARM: AT91: IIO: Add AT91 ADC driver.")
+Cc: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/at91_adc.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/at91_adc.c
++++ b/drivers/iio/adc/at91_adc.c
+@@ -245,12 +245,14 @@ static irqreturn_t at91_adc_trigger_hand
+       struct iio_poll_func *pf = p;
+       struct iio_dev *idev = pf->indio_dev;
+       struct at91_adc_state *st = iio_priv(idev);
++      struct iio_chan_spec const *chan;
+       int i, j = 0;
+       for (i = 0; i < idev->masklength; i++) {
+               if (!test_bit(i, idev->active_scan_mask))
+                       continue;
+-              st->buffer[j] = at91_adc_readl(st, AT91_ADC_CHAN(st, i));
++              chan = idev->channels + i;
++              st->buffer[j] = at91_adc_readl(st, AT91_ADC_CHAN(st, chan->channel));
+               j++;
+       }
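Review bot: `chan = idev->channels + i;` in at91_adc_trigger_handler() uses the scan-mask bit position as an index into the channel array. That is only in bounds and correct if every channel's scan index equals its array position and `idev->masklength` never exceeds the number of entries, and neither is visible in this hunk. A comment stating the invariant, e.g. `/* scan index i is also the position in idev->channels */`, would make the assumption reviewable. The same loop stores into `st->buffer[j]` with no visible bound on `j`, so the buffer sizing presumably rests on the same invariant. The function continues outside the hunk.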
diff --git a/queue-3.18/ima-fix-showing-large-violations-or-runtime_measurements_count.patch b/queue-3.18/ima-fix-showing-large-violations-or-runtime_measurements_count.patch
new file mode 100644 (file)
index 0000000..b802cba
--- /dev/null
@@ -0,0 +1,41 @@
+From 1e4c8dafbb6bf72fb5eca035b861e39c5896c2b7 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 7 Sep 2018 14:33:24 -0700
+Subject: ima: fix showing large 'violations' or 'runtime_measurements_count'
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 1e4c8dafbb6bf72fb5eca035b861e39c5896c2b7 upstream.
+
+The 12 character temporary buffer is not necessarily long enough to hold
+a 'long' value.  Increase it.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/ima/ima_fs.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/security/integrity/ima/ima_fs.c
++++ b/security/integrity/ima/ima_fs.c
+@@ -26,14 +26,14 @@
+ #include "ima.h"
+ static int valid_policy = 1;
+-#define TMPBUFLEN 12
++
+ static ssize_t ima_show_htable_value(char __user *buf, size_t count,
+                                    loff_t *ppos, atomic_long_t *val)
+ {
+-      char tmpbuf[TMPBUFLEN];
++      char tmpbuf[32];        /* greater than largest 'long' string value */
+       ssize_t len;
+-      len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
++      len = scnprintf(tmpbuf, sizeof(tmpbuf), "%li\n", atomic_long_read(val));
+       return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
+ }
diff --git a/queue-3.18/jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch b/queue-3.18/jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch
new file mode 100644 (file)
index 0000000..4ea9a38
--- /dev/null
@@ -0,0 +1,69 @@
+From ccd3c4373eacb044eb3832966299d13d2631f66f Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 5 Oct 2018 18:44:40 -0400
+Subject: jbd2: fix use after free in jbd2_log_do_checkpoint()
+
+From: Jan Kara <jack@suse.cz>
+
+commit ccd3c4373eacb044eb3832966299d13d2631f66f upstream.
+
+The code cleaning transaction's lists of checkpoint buffers has a bug
+where it increases bh refcount only after releasing
+journal->j_list_lock. Thus the following race is possible:
+
+CPU0                                   CPU1
+jbd2_log_do_checkpoint()
+                                       jbd2_journal_try_to_free_buffers()
+                                         __journal_try_to_free_buffer(bh)
+  ...
+  while (transaction->t_checkpoint_io_list)
+  ...
+    if (buffer_locked(bh)) {
+
+<-- IO completes now, buffer gets unlocked -->
+
+      spin_unlock(&journal->j_list_lock);
+                                           spin_lock(&journal->j_list_lock);
+                                           __jbd2_journal_remove_checkpoint(jh);
+                                           spin_unlock(&journal->j_list_lock);
+                                         try_to_free_buffers(page);
+      get_bh(bh) <-- accesses freed bh
+
+Fix the problem by grabbing bh reference before unlocking
+journal->j_list_lock.
+
+Fixes: dc6e8d669cf5 ("jbd2: don't call get_bh() before calling __jbd2_journal_remove_checkpoint()")
+Fixes: be1158cc615f ("jbd2: fold __process_buffer() into jbd2_log_do_checkpoint()")
+Reported-by: syzbot+7f4a27091759e2fe7453@syzkaller.appspotmail.com
+CC: stable@vger.kernel.org
+Reviewed-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/checkpoint.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/jbd2/checkpoint.c
++++ b/fs/jbd2/checkpoint.c
+@@ -254,8 +254,8 @@ restart:
+               bh = jh2bh(jh);
+               if (buffer_locked(bh)) {
+-                      spin_unlock(&journal->j_list_lock);
+                       get_bh(bh);
++                      spin_unlock(&journal->j_list_lock);
+                       wait_on_buffer(bh);
+                       /* the journal_head may have gone by now */
+                       BUFFER_TRACE(bh, "brelse");
+@@ -336,8 +336,8 @@ restart2:
+               jh = transaction->t_checkpoint_io_list;
+               bh = jh2bh(jh);
+               if (buffer_locked(bh)) {
+-                      spin_unlock(&journal->j_list_lock);
+                       get_bh(bh);
++                      spin_unlock(&journal->j_list_lock);
+                       wait_on_buffer(bh);
+                       /* the journal_head may have gone by now */
+                       BUFFER_TRACE(bh, "brelse");
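Review bot: Both reordered sites (after `restart:` and after `restart2:`) now depend on `get_bh(bh)` running before `spin_unlock(&journal->j_list_lock)`, but the code carries no comment saying so, and the Fixes: tags suggest the ordering was lost during earlier refactoring. A comment at each site such as `/* take the bh reference before dropping j_list_lock, or the bh can be freed under us */` would protect the ordering against the next cleanup. The existing comment "the journal_head may have gone by now" speaks only about `jh`, not about the lifetime of `bh`. Both loops begin and end outside the hunks.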
diff --git a/queue-3.18/kbuild-fix-kernel-bounds.c-w-1-warning.patch b/queue-3.18/kbuild-fix-kernel-bounds.c-w-1-warning.patch
new file mode 100644 (file)
index 0000000..e14d87f
--- /dev/null
@@ -0,0 +1,54 @@
+From 6a32c2469c3fbfee8f25bcd20af647326650a6cf Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 30 Oct 2018 15:07:32 -0700
+Subject: kbuild: fix kernel/bounds.c 'W=1' warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 6a32c2469c3fbfee8f25bcd20af647326650a6cf upstream.
+
+Building any configuration with 'make W=1' produces a warning:
+
+kernel/bounds.c:16:6: warning: no previous prototype for 'foo' [-Wmissing-prototypes]
+
+When also passing -Werror, this prevents us from building any other files.
+Nobody ever calls the function, but we can't make it 'static' either
+since we want the compiler output.
+
+Calling it 'main' instead however avoids the warning, because gcc
+does not insist on having a declaration for main.
+
+Link: http://lkml.kernel.org/r/20181005083313.2088252-1-arnd@arndb.de
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reported-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Cc: David Laight <David.Laight@ACULAB.COM>
+Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/bounds.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/bounds.c
++++ b/kernel/bounds.c
+@@ -12,7 +12,7 @@
+ #include <linux/log2.h>
+ #include <linux/spinlock_types.h>
+-void foo(void)
++int main(void)
+ {
+       /* The enum constants to put into include/generated/bounds.h */
+       DEFINE(NR_PAGEFLAGS, __NR_PAGEFLAGS);
+@@ -22,4 +22,6 @@ void foo(void)
+ #endif
+       DEFINE(SPINLOCK_SIZE, sizeof(spinlock_t));
+       /* End of constants */
++
++      return 0;
+ }
diff --git a/queue-3.18/net-ipv4-defensive-cipso-option-parsing.patch b/queue-3.18/net-ipv4-defensive-cipso-option-parsing.patch
new file mode 100644 (file)
index 0000000..12765b2
--- /dev/null
@@ -0,0 +1,66 @@
+From 076ed3da0c9b2f88d9157dbe7044a45641ae369e Mon Sep 17 00:00:00 2001
+From: Stefan Nuernberger <snu@amazon.com>
+Date: Mon, 17 Sep 2018 19:46:53 +0200
+Subject: net/ipv4: defensive cipso option parsing
+
+From: Stefan Nuernberger <snu@amazon.com>
+
+commit 076ed3da0c9b2f88d9157dbe7044a45641ae369e upstream.
+
+commit 40413955ee26 ("Cipso: cipso_v4_optptr enter infinite loop") fixed
+a possible infinite loop in the IP option parsing of CIPSO. The fix
+assumes that ip_options_compile filtered out all zero length options and
+that no other one-byte options beside IPOPT_END and IPOPT_NOOP exist.
+While this assumption currently holds true, add explicit checks for zero
+length and invalid length options to be safe for the future. Even though
+ip_options_compile should have validated the options, the introduction of
+new one-byte options can still confuse this code without the additional
+checks.
+
+Signed-off-by: Stefan Nuernberger <snu@amazon.com>
+Cc: David Woodhouse <dwmw@amazon.co.uk>
+Cc: Simon Veith <sveith@amazon.de>
+Cc: stable@vger.kernel.org
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/cipso_ipv4.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1580,7 +1580,7 @@ static int cipso_v4_parsetag_loc(const s
+  *
+  * Description:
+  * Parse the packet's IP header looking for a CIPSO option.  Returns a pointer
+- * to the start of the CIPSO option on success, NULL if one if not found.
++ * to the start of the CIPSO option on success, NULL if one is not found.
+  *
+  */
+ unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
+@@ -1590,10 +1590,8 @@ unsigned char *cipso_v4_optptr(const str
+       int optlen;
+       int taglen;
+-      for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
++      for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 1; ) {
+               switch (optptr[0]) {
+-              case IPOPT_CIPSO:
+-                      return optptr;
+               case IPOPT_END:
+                       return NULL;
+               case IPOPT_NOOP:
+@@ -1602,6 +1600,11 @@ unsigned char *cipso_v4_optptr(const str
+               default:
+                       taglen = optptr[1];
+               }
++              if (!taglen || taglen > optlen)
++                      return NULL;
++              if (optptr[0] == IPOPT_CIPSO)
++                      return optptr;
++
+               optlen -= taglen;
+               optptr += taglen;
+       }
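Review bot: The new check `if (!taglen || taglen > optlen)` in cipso_v4_optptr() still accepts a length byte of 1 for a multi-byte option. In that case the loop advances by one byte and treats the length byte as the next option type, and an IPOPT_CIPSO option declaring length 1 is returned to the caller as found. Since the stated goal is to stop relying on ip_options_compile() having validated the options, the default arm could reject anything shorter than the two-byte type/length header with `if (taglen < 2) return NULL;` right after `taglen = optptr[1];`. Whether callers re-check the option length is not visible here, and the function starts and ends outside the hunk.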
diff --git a/queue-3.18/printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch b/queue-3.18/printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch
new file mode 100644 (file)
index 0000000..d53548c
--- /dev/null
@@ -0,0 +1,65 @@
+From 277fcdb2cfee38ccdbe07e705dbd4896ba0c9930 Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he@windriver.com>
+Date: Sun, 30 Sep 2018 00:45:50 +0800
+Subject: printk: Fix panic caused by passing log_buf_len to command line
+
+From: He Zhe <zhe.he@windriver.com>
+
+commit 277fcdb2cfee38ccdbe07e705dbd4896ba0c9930 upstream.
+
+log_buf_len_setup does not check input argument before passing it to
+simple_strtoull. The argument would be a NULL pointer if "log_buf_len",
+without its value, is set in command line and thus causes the following
+panic.
+
+PANIC: early exception 0xe3 IP 10:ffffffffaaeacd0d error 0 cr2 0x0
+[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.0-rc4-yocto-standard+ #1
+[    0.000000] RIP: 0010:_parse_integer_fixup_radix+0xd/0x70
+...
+[    0.000000] Call Trace:
+[    0.000000]  simple_strtoull+0x29/0x70
+[    0.000000]  memparse+0x26/0x90
+[    0.000000]  log_buf_len_setup+0x17/0x22
+[    0.000000]  do_early_param+0x57/0x8e
+[    0.000000]  parse_args+0x208/0x320
+[    0.000000]  ? rdinit_setup+0x30/0x30
+[    0.000000]  parse_early_options+0x29/0x2d
+[    0.000000]  ? rdinit_setup+0x30/0x30
+[    0.000000]  parse_early_param+0x36/0x4d
+[    0.000000]  setup_arch+0x336/0x99e
+[    0.000000]  start_kernel+0x6f/0x4ee
+[    0.000000]  x86_64_start_reservations+0x24/0x26
+[    0.000000]  x86_64_start_kernel+0x6f/0x72
+[    0.000000]  secondary_startup_64+0xa4/0xb0
+
+This patch adds a check to prevent the panic.
+
+Link: http://lkml.kernel.org/r/1538239553-81805-1-git-send-email-zhe.he@windriver.com
+Cc: stable@vger.kernel.org
+Cc: rostedt@goodmis.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/printk/printk.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -844,7 +844,12 @@ static void __init log_buf_len_update(un
+ /* save requested log_buf_len since it's too early to process it */
+ static int __init log_buf_len_setup(char *str)
+ {
+-      unsigned size = memparse(str, &str);
++      unsigned int size;
++
++      if (!str)
++              return -EINVAL;
++
++      size = memparse(str, &str);
+       log_buf_len_update(size);
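Review bot: `size = memparse(str, &str);` stores memparse()'s unsigned long long result in an `unsigned int`, so a `log_buf_len=` value of 4G or more is silently truncated before it reaches log_buf_len_update(). The added NULL check removes the panic, but the range of the parsed value is still unchecked. Declaring `u64 size;` and adding `if (size > UINT_MAX) return -EINVAL;` before the call would reject oversized requests instead of wrapping them. The rest of log_buf_len_setup() is not shown in this section.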
index 6fb238d3b4b8c6d332eb2731ae8078770916b116..04a45745f1f65ced62019007ccc0248cddce609e 100644 (file)
@@ -27,3 +27,20 @@ usb-chipidea-prevent-unbalanced-irq-disable.patch
 uio-ensure-class-is-registered-before-devices.patch
 scsi-lpfc-correct-soft-lockup-when-running-mds-diagnostics.patch
 signal-always-deliver-the-kernel-s-sigkill-and-sigstop-to-a-pid-namespace-init.patch
+xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch
+net-ipv4-defensive-cipso-option-parsing.patch
+jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch
+gfs2_meta-mount-can-get-null-dev_name.patch
+ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch
+signal-genwqe-fix-sending-of-sigkill.patch
+crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch
+ima-fix-showing-large-violations-or-runtime_measurements_count.patch
+kbuild-fix-kernel-bounds.c-w-1-warning.patch
+iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch
+iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch
+drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch
+w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch
+smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch
+smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch
+smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch
+printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch
diff --git a/queue-3.18/signal-genwqe-fix-sending-of-sigkill.patch b/queue-3.18/signal-genwqe-fix-sending-of-sigkill.patch
new file mode 100644 (file)
index 0000000..d1ebbfe
--- /dev/null
@@ -0,0 +1,112 @@
+From 0ab93e9c99f8208c0a1a7b7170c827936268c996 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Thu, 13 Sep 2018 11:28:01 +0200
+Subject: signal/GenWQE: Fix sending of SIGKILL
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit 0ab93e9c99f8208c0a1a7b7170c827936268c996 upstream.
+
+The genweq_add_file and genwqe_del_file by caching current without
+using reference counting embed the assumption that a file descriptor
+will never be passed from one process to another.  It even embeds the
+assumption that the the thread that opened the file will be in
+existence when the process terminates.   Neither of which are
+guaranteed to be true.
+
+Therefore replace caching the task_struct of the opener with
+pid of the openers thread group id.  All the knowledge of the
+opener is used for is as the target of SIGKILL and a SIGKILL
+will kill the entire process group.
+
+Rename genwqe_force_sig to genwqe_terminate, remove it's unncessary
+signal argument, update it's ownly caller, and use kill_pid
+instead of force_sig.
+
+The work force_sig does in changing signal handling state is not
+relevant to SIGKILL sent as SEND_SIG_PRIV.  The exact same processess
+will be killed just with less work, and less confusion.  The work done
+by force_sig is really only needed for handling syncrhonous
+exceptions.
+
+It will still be possible to cause genwqe_device_remove to wait
+8 seconds by passing a file descriptor to another process but
+the possible user after free is fixed.
+
+Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
+Cc: stable@vger.kernel.org
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Frank Haverkamp <haver@linux.vnet.ibm.com>
+Cc: Joerg-Stephan Vogt <jsvogt@de.ibm.com>
+Cc: Michael Jung <mijung@gmx.net>
+Cc: Michael Ruettger <michael@ibmra.de>
+Cc: Kleber Sacilotto de Souza <klebers@linux.vnet.ibm.com>
+Cc: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Cc: Eberhard S. Amann <esa@linux.vnet.ibm.com>
+Cc: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
+Cc: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/genwqe/card_base.h |    2 +-
+ drivers/misc/genwqe/card_dev.c  |    9 +++++----
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/misc/genwqe/card_base.h
++++ b/drivers/misc/genwqe/card_base.h
+@@ -405,7 +405,7 @@ struct genwqe_file {
+       struct file *filp;
+       struct fasync_struct *async_queue;
+-      struct task_struct *owner;
++      struct pid *opener;
+       struct list_head list;          /* entry in list of open files */
+       spinlock_t map_lock;            /* lock for dma_mappings */
+--- a/drivers/misc/genwqe/card_dev.c
++++ b/drivers/misc/genwqe/card_dev.c
+@@ -52,7 +52,7 @@ static void genwqe_add_file(struct genwq
+ {
+       unsigned long flags;
+-      cfile->owner = current;
++      cfile->opener = get_pid(task_tgid(current));
+       spin_lock_irqsave(&cd->file_lock, flags);
+       list_add(&cfile->list, &cd->file_list);
+       spin_unlock_irqrestore(&cd->file_lock, flags);
+@@ -65,6 +65,7 @@ static int genwqe_del_file(struct genwqe
+       spin_lock_irqsave(&cd->file_lock, flags);
+       list_del(&cfile->list);
+       spin_unlock_irqrestore(&cd->file_lock, flags);
++      put_pid(cfile->opener);
+       return 0;
+ }
+@@ -275,7 +276,7 @@ static int genwqe_kill_fasync(struct gen
+       return files;
+ }
+-static int genwqe_force_sig(struct genwqe_dev *cd, int sig)
++static int genwqe_terminate(struct genwqe_dev *cd)
+ {
+       unsigned int files = 0;
+       unsigned long flags;
+@@ -283,7 +284,7 @@ static int genwqe_force_sig(struct genwq
+       spin_lock_irqsave(&cd->file_lock, flags);
+       list_for_each_entry(cfile, &cd->file_list, list) {
+-              force_sig(sig, cfile->owner);
++              kill_pid(cfile->opener, SIGKILL, 1);
+               files++;
+       }
+       spin_unlock_irqrestore(&cd->file_lock, flags);
+@@ -1356,7 +1357,7 @@ static int genwqe_inform_and_stop_proces
+               dev_warn(&pci_dev->dev,
+                        "[%s] send SIGKILL and wait ...\n", __func__);
+-              rc = genwqe_force_sig(cd, SIGKILL); /* force terminate */
++              rc = genwqe_terminate(cd);
+               if (rc) {
+                       /* Give kill_timout more seconds to end processes */
+                       for (i = 0; (i < genwqe_kill_timeout) &&
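Review bot: The new `struct pid *opener;` field in struct genwqe_file holds a counted reference, taken with `get_pid(task_tgid(current))` in genwqe_add_file() and dropped with `put_pid()` in genwqe_del_file(), but unlike `list` and `map_lock` below it the field has no comment. Suggest `struct pid *opener;  /* tgid of the opener; reference held from add_file to del_file */`. In genwqe_terminate() the bare `1` in `kill_pid(cfile->opener, SIGKILL, 1)` would read better with a short comment that it marks the signal as sent by the kernel. The return value of kill_pid() is ignored, so `files` also counts openers that have already exited; the commit message accepts the resulting wait, but a comment at the call would record that this is intentional.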
diff --git a/queue-3.18/smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch b/queue-3.18/smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch
new file mode 100644 (file)
index 0000000..c4221ea
--- /dev/null
@@ -0,0 +1,34 @@
+From 2c887635cd6ab3af619dc2be94e5bf8f2e172b78 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Sat, 15 Sep 2018 23:04:41 -0500
+Subject: smb3: allow stats which track session and share reconnects to be reset
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 2c887635cd6ab3af619dc2be94e5bf8f2e172b78 upstream.
+
+Currently, "echo 0 > /proc/fs/cifs/Stats" resets all of the stats
+except the session and share reconnect counts.  Fix it to
+reset those as well.
+
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifs_debug.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/cifs/cifs_debug.c
++++ b/fs/cifs/cifs_debug.c
+@@ -271,6 +271,9 @@ static ssize_t cifs_stats_proc_write(str
+               atomic_set(&totBufAllocCount, 0);
+               atomic_set(&totSmBufAllocCount, 0);
+ #endif /* CONFIG_CIFS_STATS2 */
++              atomic_set(&tcpSesReconnectCount, 0);
++              atomic_set(&tconInfoReconnectCount, 0);
++
+               spin_lock(&GlobalMid_Lock);
+               GlobalMaxActiveXid = 0;
+               GlobalCurrentXid = 0;
diff --git a/queue-3.18/smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch b/queue-3.18/smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch
new file mode 100644 (file)
index 0000000..8fb04c8
--- /dev/null
@@ -0,0 +1,45 @@
+From 1e77a8c204c9d1b655c61751b8ad0fde22421dbb Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Fri, 19 Oct 2018 00:45:21 -0500
+Subject: smb3: do not attempt cifs operation in smb3 query info error path
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 1e77a8c204c9d1b655c61751b8ad0fde22421dbb upstream.
+
+If backupuid mount option is sent, we can incorrectly retry
+(on access denied on query info) with a cifs (FindFirst) operation
+on an smb3 mount which causes the server to force the session close.
+
+We set backup intent on open so no need for this fallback.
+
+See kernel bugzilla 201435
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/inode.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -741,7 +741,15 @@ cifs_get_inode_info(struct inode **inode
+       } else if (rc == -EREMOTE) {
+               cifs_create_dfs_fattr(&fattr, sb);
+               rc = 0;
+-      } else if (rc == -EACCES && backup_cred(cifs_sb)) {
++      } else if ((rc == -EACCES) && backup_cred(cifs_sb) &&
++                 (strcmp(server->vals->version_string, SMB1_VERSION_STRING)
++                    == 0)) {
++                      /*
++                       * For SMB2 and later the backup intent flag is already
++                       * sent if needed on open and there is no path based
++                       * FindFirst operation to use to retry with
++                       */
++
+                       srchinf = kzalloc(sizeof(struct cifs_search_info),
+                                               GFP_KERNEL);
+                       if (srchinf == NULL) {
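Review bot: The comment added at the top of the new branch in cifs_get_inode_info explains why SMB2 and later are excluded, but it sits inside the body that now runs only for SMB1, so it describes a case that can no longer reach it. I would reword it to lead with the case that does apply, e.g. `/* SMB1 only: SMB2+ already sends backup intent on open and has no path-based FindFirst to retry with */`. The test dereferences `server->vals->version_string`, and the hunk does not show where `server` is assigned, so it is worth confirming that it is set and non-NULL on every path reaching this `else if`. The function starts and ends outside the hunk.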
diff --git a/queue-3.18/smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch b/queue-3.18/smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch
new file mode 100644 (file)
index 0000000..d90a143
--- /dev/null
@@ -0,0 +1,40 @@
+From 926674de6705f0f1dbf29a62fd758d0977f535d6 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Sun, 28 Oct 2018 13:13:23 -0500
+Subject: smb3: on kerberos mount if server doesn't specify auth type use krb5
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 926674de6705f0f1dbf29a62fd758d0977f535d6 upstream.
+
+Some servers (e.g. Azure) do not include a spnego blob in the SMB3
+negotiate protocol response, so on kerberos mounts ("sec=krb5")
+we can fail, as we expected the server to list its supported
+auth types (OIDs in the spnego blob in the negprot response).
+Change this so that on krb5 mounts we default to trying krb5 if the
+server doesn't list its supported protocol mechanisms.
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifs_spnego.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/cifs_spnego.c
++++ b/fs/cifs/cifs_spnego.c
+@@ -147,8 +147,10 @@ cifs_get_spnego_key(struct cifs_ses *ses
+               sprintf(dp, ";sec=krb5");
+       else if (server->sec_mskerberos)
+               sprintf(dp, ";sec=mskrb5");
+-      else
+-              goto out;
++      else {
++              cifs_dbg(VFS, "unknown or missing server auth type, use krb5\n");
++              sprintf(dp, ";sec=krb5");
++      }
+       dp = description + strlen(description);
+       sprintf(dp, ";uid=0x%x",
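Review bot: The new `else` branch in cifs_get_spnego_key logs through `cifs_dbg(VFS, ...)`, which as far as I can tell goes to the kernel log regardless of debug settings. Against a server that never sends the spnego blob (the case the commit message describes), the message would presumably repeat on every key request; `cifs_dbg(FYI, "unknown or missing server auth type, use krb5\n");` keeps the trace available under debug without filling the log. Separately, the branch writes through an unbounded `sprintf(dp, ...)` like its neighbours. The string is the same length as the existing krb5 case, so it adds no new maximum, but the sizing of `description` is outside the hunk and should be confirmed to cover the longest suffix, `;sec=mskrb5`.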
diff --git a/queue-3.18/w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch b/queue-3.18/w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch
new file mode 100644 (file)
index 0000000..35076e8
--- /dev/null
@@ -0,0 +1,65 @@
+From a007734618fee1bf35556c04fa498d41d42c7301 Mon Sep 17 00:00:00 2001
+From: Andreas Kemnade <andreas@kemnade.info>
+Date: Sat, 22 Sep 2018 21:20:54 +0200
+Subject: w1: omap-hdq: fix missing bus unregister at removal
+
+From: Andreas Kemnade <andreas@kemnade.info>
+
+commit a007734618fee1bf35556c04fa498d41d42c7301 upstream.
+
+The bus master was not removed after unloading the module
+or unbinding the driver. That lead to oopses like this
+
+[  127.842987] Unable to handle kernel paging request at virtual address bf01d04c
+[  127.850646] pgd = 70e3cd9a
+[  127.853698] [bf01d04c] *pgd=8f908811, *pte=00000000, *ppte=00000000
+[  127.860412] Internal error: Oops: 80000007 [#1] PREEMPT SMP ARM
+[  127.866668] Modules linked in: bq27xxx_battery overlay [last unloaded: omap_hdq]
+[  127.874542] CPU: 0 PID: 1022 Comm: w1_bus_master1 Not tainted 4.19.0-rc4-00001-g2d51da718324 #12
+[  127.883819] Hardware name: Generic OMAP36xx (Flattened Device Tree)
+[  127.890441] PC is at 0xbf01d04c
+[  127.893798] LR is at w1_search_process_cb+0x4c/0xfc
+[  127.898956] pc : [<bf01d04c>]    lr : [<c05f9580>]    psr: a0070013
+[  127.905609] sp : cf885f48  ip : bf01d04c  fp : ddf1e11c
+[  127.911132] r10: cf8fe040  r9 : c05f8d00  r8 : cf8fe040
+[  127.916656] r7 : 000000f0  r6 : cf8fe02c  r5 : cf8fe000  r4 : cf8fe01c
+[  127.923553] r3 : c05f8d00  r2 : 000000f0  r1 : cf8fe000  r0 : dde1ef10
+[  127.930450] Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
+[  127.938018] Control: 10c5387d  Table: 8f8f0019  DAC: 00000051
+[  127.944091] Process w1_bus_master1 (pid: 1022, stack limit = 0x9135699f)
+[  127.951171] Stack: (0xcf885f48 to 0xcf886000)
+[  127.955810] 5f40:                   cf8fe000 00000000 cf884000 cf8fe090 000003e8 c05f8d00
+[  127.964477] 5f60: dde5fc34 c05f9700 ddf1e100 ddf1e540 cf884000 cf8fe000 c05f9694 00000000
+[  127.973114] 5f80: dde5fc34 c01499a4 00000000 ddf1e540 c0149874 00000000 00000000 00000000
+[  127.981781] 5fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000
+[  127.990447] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[  127.999114] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
+[  128.007781] [<c05f9580>] (w1_search_process_cb) from [<c05f9700>] (w1_process+0x6c/0x118)
+[  128.016479] [<c05f9700>] (w1_process) from [<c01499a4>] (kthread+0x130/0x148)
+[  128.024047] [<c01499a4>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
+[  128.031677] Exception stack(0xcf885fb0 to 0xcf885ff8)
+[  128.037017] 5fa0:                                     00000000 00000000 00000000 00000000
+[  128.045684] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[  128.054351] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+[  128.061340] Code: bad PC value
+[  128.064697] ---[ end trace af066e33c0e14119 ]---
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/w1/masters/omap_hdq.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/w1/masters/omap_hdq.c
++++ b/drivers/w1/masters/omap_hdq.c
+@@ -622,6 +622,8 @@ static int omap_hdq_remove(struct platfo
+       /* remove module dependency */
+       pm_runtime_disable(&pdev->dev);
++      w1_remove_master_device(&omap_w1_master);
++
+       return 0;
+ }
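Review bot: `w1_remove_master_device(&omap_w1_master);` is added after `pm_runtime_disable(&pdev->dev);` in omap_hdq_remove, so the bus master, and with it the `w1_bus_master1` thread seen in the oops quoted in the description, stays registered while runtime PM is shut off. A search callback running in that window would presumably reach the controller with runtime PM already disabled; calling `w1_remove_master_device(&omap_w1_master);` first and `pm_runtime_disable(&pdev->dev);` second closes it. The start of the function is outside the hunk, so any earlier return there should also be checked, since it would skip the unregister altogether and leave the stale-callback condition in place.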
diff --git a/queue-3.18/xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch b/queue-3.18/xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch
new file mode 100644 (file)
index 0000000..c05d60d
--- /dev/null
@@ -0,0 +1,56 @@
+From 7250f422da0480d8512b756640f131b9b893ccda Mon Sep 17 00:00:00 2001
+From: Joe Jin <joe.jin@oracle.com>
+Date: Tue, 16 Oct 2018 15:21:16 -0700
+Subject: xen-swiotlb: use actually allocated size on check physical continuous
+
+From: Joe Jin <joe.jin@oracle.com>
+
+commit 7250f422da0480d8512b756640f131b9b893ccda upstream.
+
+xen_swiotlb_{alloc,free}_coherent() allocate/free memory based on the
+order of the pages and not size argument (bytes). This is inconsistent with
+range_straddles_page_boundary and memset which use the 'size' value,
+which may lead to not exchanging memory with Xen (range_straddles_page_boundary()
+returned true). And then the call to xen_swiotlb_free_coherent() would
+actually try to exchange the memory with Xen, leading to the kernel
+hitting an BUG (as the hypercall returned an error).
+
+This patch fixes it by making the 'size' variable be of the same size
+as the amount of memory allocated.
+
+CC: stable@vger.kernel.org
+Signed-off-by: Joe Jin <joe.jin@oracle.com>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Christoph Helwig <hch@lst.de>
+Cc: Dongli Zhang <dongli.zhang@oracle.com>
+Cc: John Sobecki <john.sobecki@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/swiotlb-xen.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -314,6 +314,9 @@ xen_swiotlb_alloc_coherent(struct device
+       if (dma_alloc_from_coherent(hwdev, size, dma_handle, &ret))
+               return ret;
++      /* Convert the size to actually allocated. */
++      size = 1UL << (order + XEN_PAGE_SHIFT);
++
+       /* On ARM this function returns an ioremap'ped virtual address for
+        * which virt_to_phys doesn't return the corresponding physical
+        * address. In fact on ARM virt_to_phys only works for kernel direct
+@@ -366,6 +369,9 @@ xen_swiotlb_free_coherent(struct device
+        * physical address */
+       phys = xen_bus_to_phys(dev_addr);
++      /* Convert the size to actually allocated. */
++      size = 1UL << (order + XEN_PAGE_SHIFT);
++
+       if (((dev_addr + size - 1 <= dma_mask)) ||
+           range_straddles_page_boundary(phys, size))
+               xen_destroy_contiguous_region(phys, order);
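Review bot: `size = 1UL << (order + XEN_PAGE_SHIFT);` in both hunks shifts by a count that nothing here bounds; `order` is computed outside the hunks, and where `unsigned long` is 32 bits a count of 32 or more is undefined. In xen_swiotlb_alloc_coherent the assignment appears to run before the allocation is attempted, so an oversized request would reach the shift before anything rejects it; failing the request when `order + XEN_PAGE_SHIFT >= BITS_PER_LONG` would make that limit explicit. The comment could also state the reason rather than the action: `/* Use the size of the 2^order pages actually allocated, so the boundary check here matches the one made at free time. */`. Both functions start and end outside the hunks.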