4.17-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 22 Jul 2018 15:56:51 +0000 (17:56 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 22 Jul 2018 15:56:51 +0000 (17:56 +0200)
added patches:
alsa-hda-add-mute-led-support-for-hp-probook-455-g5.patch
alsa-hda-realtek-add-panasonic-cf-sz6-headset-jack-quirk.patch
alsa-hda-realtek-yet-another-clevo-p950-quirk-entry.patch
alsa-rawmidi-change-resized-buffers-atomically.patch
arc-configs-remove-config_initramfs_source-from-defconfigs.patch
arc-fix-config_swap.patch
arc-mm-allow-mprotect-to-make-stack-mappings-executable.patch
arcv2-save-accl-reg-pair-by-default.patch
fat-fix-memory-allocation-failure-handling-of-match_strdup.patch
kvm-eventfd-avoid-crash-when-assign-and-deassign-specific-eventfd-in-parallel.patch
kvm-irqfd-fix-race-between-epollhup-and-irq_bypass_register_consumer.patch
kvm-vmx-mark-vmxarea-with-revision_id-of-physical-cpu-even-when-evmcs-enabled.patch
scsi-qla2xxx-fix-inconsistent-dma-mem-alloc-free.patch
scsi-qla2xxx-fix-kernel-crash-due-to-late-workqueue-allocation.patch
scsi-qla2xxx-fix-null-pointer-dereference-for-fcport-search.patch
scsi-sd_zbc-fix-variable-type-and-bogus-comment.patch
x86-apm-don-t-access-__preempt_count-with-zeroed-fs.patch
x86-events-intel-ds-fix-bts_interrupt_threshold-alignment.patch
x86-kvm-vmx-don-t-read-current-thread.-fs-gs-base-of-legacy-tasks.patch
x86-kvmclock-set-pvti_cpu0_va-after-enabling-kvmclock.patch
x86-mce-remove-min-interval-polling-limitation.patch

21 files changed:
queue-4.17/alsa-hda-add-mute-led-support-for-hp-probook-455-g5.patch [new file with mode: 0644]
queue-4.17/alsa-hda-realtek-add-panasonic-cf-sz6-headset-jack-quirk.patch [new file with mode: 0644]
queue-4.17/alsa-hda-realtek-yet-another-clevo-p950-quirk-entry.patch [new file with mode: 0644]
queue-4.17/alsa-rawmidi-change-resized-buffers-atomically.patch [new file with mode: 0644]
queue-4.17/arc-configs-remove-config_initramfs_source-from-defconfigs.patch [new file with mode: 0644]
queue-4.17/arc-fix-config_swap.patch [new file with mode: 0644]
queue-4.17/arc-mm-allow-mprotect-to-make-stack-mappings-executable.patch [new file with mode: 0644]
queue-4.17/arcv2-save-accl-reg-pair-by-default.patch [new file with mode: 0644]
queue-4.17/fat-fix-memory-allocation-failure-handling-of-match_strdup.patch [new file with mode: 0644]
queue-4.17/kvm-eventfd-avoid-crash-when-assign-and-deassign-specific-eventfd-in-parallel.patch [new file with mode: 0644]
queue-4.17/kvm-irqfd-fix-race-between-epollhup-and-irq_bypass_register_consumer.patch [new file with mode: 0644]
queue-4.17/kvm-vmx-mark-vmxarea-with-revision_id-of-physical-cpu-even-when-evmcs-enabled.patch [new file with mode: 0644]
queue-4.17/scsi-qla2xxx-fix-inconsistent-dma-mem-alloc-free.patch [new file with mode: 0644]
queue-4.17/scsi-qla2xxx-fix-kernel-crash-due-to-late-workqueue-allocation.patch [new file with mode: 0644]
queue-4.17/scsi-qla2xxx-fix-null-pointer-dereference-for-fcport-search.patch [new file with mode: 0644]
queue-4.17/scsi-sd_zbc-fix-variable-type-and-bogus-comment.patch [new file with mode: 0644]
queue-4.17/x86-apm-don-t-access-__preempt_count-with-zeroed-fs.patch [new file with mode: 0644]
queue-4.17/x86-events-intel-ds-fix-bts_interrupt_threshold-alignment.patch [new file with mode: 0644]
queue-4.17/x86-kvm-vmx-don-t-read-current-thread.-fs-gs-base-of-legacy-tasks.patch [new file with mode: 0644]
queue-4.17/x86-kvmclock-set-pvti_cpu0_va-after-enabling-kvmclock.patch [new file with mode: 0644]
queue-4.17/x86-mce-remove-min-interval-polling-limitation.patch [new file with mode: 0644]

diff --git a/queue-4.17/alsa-hda-add-mute-led-support-for-hp-probook-455-g5.patch b/queue-4.17/alsa-hda-add-mute-led-support-for-hp-probook-455-g5.patch
new file mode 100644 (file)
index 0000000..692d072
--- /dev/null
@@ -0,0 +1,33 @@
+From 9a6249d2a145226ec1b294116fcb08744cf7ab56 Mon Sep 17 00:00:00 2001
+From: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Date: Mon, 16 Jul 2018 15:50:08 +0800
+Subject: ALSA: hda: add mute led support for HP ProBook 455 G5
+
+From: Po-Hsu Lin <po-hsu.lin@canonical.com>
+
+commit 9a6249d2a145226ec1b294116fcb08744cf7ab56 upstream.
+
+Audio mute led does not work on HP ProBook 455 G5,
+this can be fixed by using CXT_FIXUP_MUTE_LED_GPIO to support it.
+
+BugLink: https://bugs.launchpad.net/bugs/1781763
+Reported-by: James Buren
+Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_conexant.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -965,6 +965,7 @@ static const struct snd_pci_quirk cxt506
+       SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
+       SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO),
+       SND_PCI_QUIRK(0x103c, 0x822e, "HP ProBook 440 G4", CXT_FIXUP_MUTE_LED_GPIO),
++      SND_PCI_QUIRK(0x103c, 0x836e, "HP ProBook 455 G5", CXT_FIXUP_MUTE_LED_GPIO),
+       SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x103c, 0x8455, "HP Z2 G4", CXT_FIXUP_HP_MIC_NO_PRESENCE),
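Review bot: The new row `SND_PCI_QUIRK(0x103c, 0x836e, "HP ProBook 455 G5", CXT_FIXUP_MUTE_LED_GPIO)` is inserted between the 0x822e and 0x8299 entries, so the 0x103c block of this table is no longer in ascending subdevice order. The visible rows all carry distinct subdevice IDs, so the order does not change which fixup a device gets, but keeping the block sorted is what lets a reviewer spot a duplicate or a vendor-wide entry shadowing a specific one. Moving the line one row down, after the `0x829a` "HP 800 G3 DM" entry and before `0x8455`, restores the order at no cost.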
diff --git a/queue-4.17/alsa-hda-realtek-add-panasonic-cf-sz6-headset-jack-quirk.patch b/queue-4.17/alsa-hda-realtek-add-panasonic-cf-sz6-headset-jack-quirk.patch
new file mode 100644 (file)
index 0000000..d8265ce
--- /dev/null
@@ -0,0 +1,31 @@
+From 0fca97a29b83e3f315c14ed2372cfd0f9ee0a006 Mon Sep 17 00:00:00 2001
+From: YOKOTA Hiroshi <yokota.hgml@gmail.com>
+Date: Sun, 1 Jul 2018 18:30:01 +0900
+Subject: ALSA: hda/realtek - Add Panasonic CF-SZ6 headset jack quirk
+
+From: YOKOTA Hiroshi <yokota.hgml@gmail.com>
+
+commit 0fca97a29b83e3f315c14ed2372cfd0f9ee0a006 upstream.
+
+This adds some required quirk when uses headset or headphone on
+Panasonic CF-SZ6.
+
+Signed-off-by: YOKOTA Hiroshi <yokota.hgml@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6543,6 +6543,7 @@ static const struct snd_pci_quirk alc269
+       SND_PCI_QUIRK(0x10cf, 0x1629, "Lifebook U7x7", ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC),
+       SND_PCI_QUIRK(0x10cf, 0x1845, "Lifebook U904", ALC269_FIXUP_LIFEBOOK_EXTMIC),
+       SND_PCI_QUIRK(0x10ec, 0x10f2, "Intel Reference board", ALC700_FIXUP_INTEL_REFERENCE),
++      SND_PCI_QUIRK(0x10f7, 0x8338, "Panasonic CF-SZ6", ALC269_FIXUP_HEADSET_MODE),
+       SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC),
+       SND_PCI_QUIRK(0x144d, 0xc740, "Samsung Ativ book 8 (NP870Z5G)", ALC269_FIXUP_ATIV_BOOK_8),
+       SND_PCI_QUIRK(0x1458, 0xfa53, "Gigabyte BXBT-2807", ALC283_FIXUP_HEADSET_MIC),
diff --git a/queue-4.17/alsa-hda-realtek-yet-another-clevo-p950-quirk-entry.patch b/queue-4.17/alsa-hda-realtek-yet-another-clevo-p950-quirk-entry.patch
new file mode 100644 (file)
index 0000000..a3221ca
--- /dev/null
@@ -0,0 +1,31 @@
+From f3d737b6340b0c7bacd8bc751605f0ed6203f146 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 17 Jul 2018 17:08:32 +0200
+Subject: ALSA: hda/realtek - Yet another Clevo P950 quirk entry
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f3d737b6340b0c7bacd8bc751605f0ed6203f146 upstream.
+
+The PCI SSID 1558:95e1 needs the same quirk for other Clevo P950
+models, too.  Otherwise no sound comes out of speakers.
+
+Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=1101143
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -2363,6 +2363,7 @@ static const struct snd_pci_quirk alc882
+       SND_PCI_QUIRK_VENDOR(0x1462, "MSI", ALC882_FIXUP_GPIO3),
+       SND_PCI_QUIRK(0x147b, 0x107a, "Abit AW9D-MAX", ALC882_FIXUP_ABIT_AW9D_MAX),
+       SND_PCI_QUIRK(0x1558, 0x9501, "Clevo P950HR", ALC1220_FIXUP_CLEVO_P950),
++      SND_PCI_QUIRK(0x1558, 0x95e1, "Clevo P95xER", ALC1220_FIXUP_CLEVO_P950),
+       SND_PCI_QUIRK(0x1558, 0x95e2, "Clevo P950ER", ALC1220_FIXUP_CLEVO_P950),
+       SND_PCI_QUIRK_VENDOR(0x1558, "Clevo laptop", ALC882_FIXUP_EAPD),
+       SND_PCI_QUIRK(0x161f, 0x2054, "Medion laptop", ALC883_FIXUP_EAPD),
diff --git a/queue-4.17/alsa-rawmidi-change-resized-buffers-atomically.patch b/queue-4.17/alsa-rawmidi-change-resized-buffers-atomically.patch
new file mode 100644 (file)
index 0000000..92b5d9a
--- /dev/null
@@ -0,0 +1,84 @@
+From 39675f7a7c7e7702f7d5341f1e0d01db746543a0 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 17 Jul 2018 17:26:43 +0200
+Subject: ALSA: rawmidi: Change resized buffers atomically
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 39675f7a7c7e7702f7d5341f1e0d01db746543a0 upstream.
+
+The SNDRV_RAWMIDI_IOCTL_PARAMS ioctl may resize the buffers and the
+current code is racy.  For example, the sequencer client may write to
+buffer while it being resized.
+
+As a simple workaround, let's switch to the resized buffer inside the
+stream runtime lock.
+
+Reported-by: syzbot+52f83f0ea8df16932f7f@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/rawmidi.c |   20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/sound/core/rawmidi.c
++++ b/sound/core/rawmidi.c
+@@ -635,7 +635,7 @@ static int snd_rawmidi_info_select_user(
+ int snd_rawmidi_output_params(struct snd_rawmidi_substream *substream,
+                             struct snd_rawmidi_params * params)
+ {
+-      char *newbuf;
++      char *newbuf, *oldbuf;
+       struct snd_rawmidi_runtime *runtime = substream->runtime;
+       
+       if (substream->append && substream->use_count > 1)
+@@ -648,13 +648,17 @@ int snd_rawmidi_output_params(struct snd
+               return -EINVAL;
+       }
+       if (params->buffer_size != runtime->buffer_size) {
+-              newbuf = krealloc(runtime->buffer, params->buffer_size,
+-                                GFP_KERNEL);
++              newbuf = kmalloc(params->buffer_size, GFP_KERNEL);
+               if (!newbuf)
+                       return -ENOMEM;
++              spin_lock_irq(&runtime->lock);
++              oldbuf = runtime->buffer;
+               runtime->buffer = newbuf;
+               runtime->buffer_size = params->buffer_size;
+               runtime->avail = runtime->buffer_size;
++              runtime->appl_ptr = runtime->hw_ptr = 0;
++              spin_unlock_irq(&runtime->lock);
++              kfree(oldbuf);
+       }
+       runtime->avail_min = params->avail_min;
+       substream->active_sensing = !params->no_active_sensing;
+@@ -665,7 +669,7 @@ EXPORT_SYMBOL(snd_rawmidi_output_params)
+ int snd_rawmidi_input_params(struct snd_rawmidi_substream *substream,
+                            struct snd_rawmidi_params * params)
+ {
+-      char *newbuf;
++      char *newbuf, *oldbuf;
+       struct snd_rawmidi_runtime *runtime = substream->runtime;
+       snd_rawmidi_drain_input(substream);
+@@ -676,12 +680,16 @@ int snd_rawmidi_input_params(struct snd_
+               return -EINVAL;
+       }
+       if (params->buffer_size != runtime->buffer_size) {
+-              newbuf = krealloc(runtime->buffer, params->buffer_size,
+-                                GFP_KERNEL);
++              newbuf = kmalloc(params->buffer_size, GFP_KERNEL);
+               if (!newbuf)
+                       return -ENOMEM;
++              spin_lock_irq(&runtime->lock);
++              oldbuf = runtime->buffer;
+               runtime->buffer = newbuf;
+               runtime->buffer_size = params->buffer_size;
++              runtime->appl_ptr = runtime->hw_ptr = 0;
++              spin_unlock_irq(&runtime->lock);
++              kfree(oldbuf);
+       }
+       runtime->avail_min = params->avail_min;
+       return 0;
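Review bot: The swap at `runtime->buffer = newbuf;` holds `runtime->lock` only for the pointer exchange, so any read/write helper in this file that keeps a pointer into the old buffer across a dropped lock (for instance around a copy_to_user/copy_from_user, which these hunks do not show) would still touch memory that `kfree(oldbuf)` has just released; the commit message itself calls this a workaround, and a resize guard (reference count or mutex against in-flight copies) would be the proper follow-up. The input path also differs from the output path in not resetting `runtime->avail`, which is safe only if `snd_rawmidi_drain_input()` (called just above, body outside the hunk) has already zeroed it — otherwise a stale non-zero `avail` would let a reader return bytes from the freshly kmalloc()ed, uninitialized buffer. Both functions now carry the same allocate/lock/swap/reset/free sequence, so a static helper taking the runtime and the new size would keep the two in step and give the ordering a single home for a comment such as `/* swap under runtime->lock; no copy to/from user may be in flight */`. snd_rawmidi_output_params() and snd_rawmidi_input_params() both begin and end outside these hunks.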
diff --git a/queue-4.17/arc-configs-remove-config_initramfs_source-from-defconfigs.patch b/queue-4.17/arc-configs-remove-config_initramfs_source-from-defconfigs.patch
new file mode 100644 (file)
index 0000000..c5ff196
--- /dev/null
@@ -0,0 +1,166 @@
+From 64234961c145606b36eaa82c47b11be842b21049 Mon Sep 17 00:00:00 2001
+From: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
+Date: Wed, 6 Jun 2018 15:59:38 +0300
+Subject: ARC: configs: Remove CONFIG_INITRAMFS_SOURCE from defconfigs
+
+From: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
+
+commit 64234961c145606b36eaa82c47b11be842b21049 upstream.
+
+We used to have pre-set CONFIG_INITRAMFS_SOURCE with local path
+to intramfs in ARC defconfigs. This was quite convenient for
+in-house development but not that convenient for newcomers
+who obviusly don't have folders like "arc_initramfs" next to
+the Linux source tree. Which leads to quite surprising failure
+of defconfig building:
+------------------------------->8-----------------------------
+  ../scripts/gen_initramfs_list.sh: Cannot open '../../arc_initramfs_hs/'
+../usr/Makefile:57: recipe for target 'usr/initramfs_data.cpio.gz' failed
+make[2]: *** [usr/initramfs_data.cpio.gz] Error 1
+------------------------------->8-----------------------------
+
+So now when more and more people start to deal with our defconfigs
+let's make their life easier with removal of CONFIG_INITRAMFS_SOURCE.
+
+Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
+Cc: Kevin Hilman <khilman@baylibre.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/configs/axs101_defconfig          |    1 -
+ arch/arc/configs/axs103_defconfig          |    1 -
+ arch/arc/configs/axs103_smp_defconfig      |    1 -
+ arch/arc/configs/haps_hs_defconfig         |    1 -
+ arch/arc/configs/haps_hs_smp_defconfig     |    1 -
+ arch/arc/configs/hsdk_defconfig            |    1 -
+ arch/arc/configs/nsim_700_defconfig        |    1 -
+ arch/arc/configs/nsim_hs_defconfig         |    1 -
+ arch/arc/configs/nsim_hs_smp_defconfig     |    1 -
+ arch/arc/configs/nsimosci_defconfig        |    1 -
+ arch/arc/configs/nsimosci_hs_defconfig     |    1 -
+ arch/arc/configs/nsimosci_hs_smp_defconfig |    1 -
+ 12 files changed, 12 deletions(-)
+
+--- a/arch/arc/configs/axs101_defconfig
++++ b/arch/arc/configs/axs101_defconfig
+@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y
+ # CONFIG_UTS_NS is not set
+ # CONFIG_PID_NS is not set
+ CONFIG_BLK_DEV_INITRD=y
+-CONFIG_INITRAMFS_SOURCE="../arc_initramfs/"
+ CONFIG_EMBEDDED=y
+ CONFIG_PERF_EVENTS=y
+ # CONFIG_VM_EVENT_COUNTERS is not set
+--- a/arch/arc/configs/axs103_defconfig
++++ b/arch/arc/configs/axs103_defconfig
+@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y
+ # CONFIG_UTS_NS is not set
+ # CONFIG_PID_NS is not set
+ CONFIG_BLK_DEV_INITRD=y
+-CONFIG_INITRAMFS_SOURCE="../../arc_initramfs_hs/"
+ CONFIG_EMBEDDED=y
+ CONFIG_PERF_EVENTS=y
+ # CONFIG_VM_EVENT_COUNTERS is not set
+--- a/arch/arc/configs/axs103_smp_defconfig
++++ b/arch/arc/configs/axs103_smp_defconfig
+@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y
+ # CONFIG_UTS_NS is not set
+ # CONFIG_PID_NS is not set
+ CONFIG_BLK_DEV_INITRD=y
+-CONFIG_INITRAMFS_SOURCE="../../arc_initramfs_hs/"
+ CONFIG_EMBEDDED=y
+ CONFIG_PERF_EVENTS=y
+ # CONFIG_VM_EVENT_COUNTERS is not set
+--- a/arch/arc/configs/haps_hs_defconfig
++++ b/arch/arc/configs/haps_hs_defconfig
+@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y
+ # CONFIG_UTS_NS is not set
+ # CONFIG_PID_NS is not set
+ CONFIG_BLK_DEV_INITRD=y
+-CONFIG_INITRAMFS_SOURCE="../../arc_initramfs_hs/"
+ CONFIG_EXPERT=y
+ CONFIG_PERF_EVENTS=y
+ # CONFIG_COMPAT_BRK is not set
+--- a/arch/arc/configs/haps_hs_smp_defconfig
++++ b/arch/arc/configs/haps_hs_smp_defconfig
+@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y
+ # CONFIG_UTS_NS is not set
+ # CONFIG_PID_NS is not set
+ CONFIG_BLK_DEV_INITRD=y
+-CONFIG_INITRAMFS_SOURCE="../../arc_initramfs_hs/"
+ CONFIG_EMBEDDED=y
+ CONFIG_PERF_EVENTS=y
+ # CONFIG_VM_EVENT_COUNTERS is not set
+--- a/arch/arc/configs/hsdk_defconfig
++++ b/arch/arc/configs/hsdk_defconfig
+@@ -9,7 +9,6 @@ CONFIG_NAMESPACES=y
+ # CONFIG_UTS_NS is not set
+ # CONFIG_PID_NS is not set
+ CONFIG_BLK_DEV_INITRD=y
+-CONFIG_INITRAMFS_SOURCE="../../arc_initramfs_hs/"
+ CONFIG_EMBEDDED=y
+ CONFIG_PERF_EVENTS=y
+ # CONFIG_VM_EVENT_COUNTERS is not set
+--- a/arch/arc/configs/nsim_700_defconfig
++++ b/arch/arc/configs/nsim_700_defconfig
+@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y
+ # CONFIG_UTS_NS is not set
+ # CONFIG_PID_NS is not set
+ CONFIG_BLK_DEV_INITRD=y
+-CONFIG_INITRAMFS_SOURCE="../arc_initramfs/"
+ CONFIG_KALLSYMS_ALL=y
+ CONFIG_EMBEDDED=y
+ CONFIG_PERF_EVENTS=y
+--- a/arch/arc/configs/nsim_hs_defconfig
++++ b/arch/arc/configs/nsim_hs_defconfig
+@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y
+ # CONFIG_UTS_NS is not set
+ # CONFIG_PID_NS is not set
+ CONFIG_BLK_DEV_INITRD=y
+-CONFIG_INITRAMFS_SOURCE="../../arc_initramfs_hs/"
+ CONFIG_KALLSYMS_ALL=y
+ CONFIG_EMBEDDED=y
+ CONFIG_PERF_EVENTS=y
+--- a/arch/arc/configs/nsim_hs_smp_defconfig
++++ b/arch/arc/configs/nsim_hs_smp_defconfig
+@@ -9,7 +9,6 @@ CONFIG_NAMESPACES=y
+ # CONFIG_UTS_NS is not set
+ # CONFIG_PID_NS is not set
+ CONFIG_BLK_DEV_INITRD=y
+-CONFIG_INITRAMFS_SOURCE="../arc_initramfs_hs/"
+ CONFIG_KALLSYMS_ALL=y
+ CONFIG_EMBEDDED=y
+ CONFIG_PERF_EVENTS=y
+--- a/arch/arc/configs/nsimosci_defconfig
++++ b/arch/arc/configs/nsimosci_defconfig
+@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y
+ # CONFIG_UTS_NS is not set
+ # CONFIG_PID_NS is not set
+ CONFIG_BLK_DEV_INITRD=y
+-CONFIG_INITRAMFS_SOURCE="../arc_initramfs/"
+ CONFIG_KALLSYMS_ALL=y
+ CONFIG_EMBEDDED=y
+ CONFIG_PERF_EVENTS=y
+--- a/arch/arc/configs/nsimosci_hs_defconfig
++++ b/arch/arc/configs/nsimosci_hs_defconfig
+@@ -11,7 +11,6 @@ CONFIG_NAMESPACES=y
+ # CONFIG_UTS_NS is not set
+ # CONFIG_PID_NS is not set
+ CONFIG_BLK_DEV_INITRD=y
+-CONFIG_INITRAMFS_SOURCE="../arc_initramfs_hs/"
+ CONFIG_KALLSYMS_ALL=y
+ CONFIG_EMBEDDED=y
+ CONFIG_PERF_EVENTS=y
+--- a/arch/arc/configs/nsimosci_hs_smp_defconfig
++++ b/arch/arc/configs/nsimosci_hs_smp_defconfig
+@@ -9,7 +9,6 @@ CONFIG_IKCONFIG_PROC=y
+ # CONFIG_UTS_NS is not set
+ # CONFIG_PID_NS is not set
+ CONFIG_BLK_DEV_INITRD=y
+-CONFIG_INITRAMFS_SOURCE="../arc_initramfs_hs/"
+ CONFIG_PERF_EVENTS=y
+ # CONFIG_COMPAT_BRK is not set
+ CONFIG_KPROBES=y
diff --git a/queue-4.17/arc-fix-config_swap.patch b/queue-4.17/arc-fix-config_swap.patch
new file mode 100644 (file)
index 0000000..69a122e
--- /dev/null
@@ -0,0 +1,48 @@
+From 6e3761145a9ba3ce267c330b6bff51cf6a057b06 Mon Sep 17 00:00:00 2001
+From: Alexey Brodkin <abrodkin@synopsys.com>
+Date: Thu, 28 Jun 2018 16:59:14 -0700
+Subject: ARC: Fix CONFIG_SWAP
+
+From: Alexey Brodkin <abrodkin@synopsys.com>
+
+commit 6e3761145a9ba3ce267c330b6bff51cf6a057b06 upstream.
+
+swap was broken on ARC due to silly copy-paste issue.
+
+We encode offset from swapcache page in __swp_entry() as (off << 13) but
+were not decoding back in __swp_offset() as (off >> 13) - it was still
+(off << 13).
+
+This finally fixes swap usage on ARC.
+
+| # mkswap /dev/sda2
+|
+| # swapon -a -e /dev/sda2
+| Adding 500728k swap on /dev/sda2.  Priority:-2 extents:1 across:500728k
+|
+| # free
+|              total       used       free     shared    buffers     cached
+| Mem:        765104      13456     751648       4736          8       4736
+| -/+ buffers/cache:       8712     756392
+| Swap:       500728          0     500728
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/pgtable.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/include/asm/pgtable.h
++++ b/arch/arc/include/asm/pgtable.h
+@@ -379,7 +379,7 @@ void update_mmu_cache(struct vm_area_str
+ /* Decode a PTE containing swap "identifier "into constituents */
+ #define __swp_type(pte_lookalike)     (((pte_lookalike).val) & 0x1f)
+-#define __swp_offset(pte_lookalike)   ((pte_lookalike).val << 13)
++#define __swp_offset(pte_lookalike)   ((pte_lookalike).val >> 13)
+ /* NOPs, to keep generic kernel happy */
+ #define __pte_to_swp_entry(pte)       ((swp_entry_t) { pte_val(pte) })
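Review bot: `#define __swp_offset(pte_lookalike) ((pte_lookalike).val >> 13)` now inverts the packing, but nothing on the line ties it to the `<< 13` in `__swp_entry()` (outside the hunk), which is how the copy-paste mismatch the commit fixes went unnoticed. A comment on this line, `/* inverse of the (off << 13) packing in __swp_entry() */`, or a shared named shift constant used by both macros, would make a future divergence visible in review. Documentation only.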
diff --git a/queue-4.17/arc-mm-allow-mprotect-to-make-stack-mappings-executable.patch b/queue-4.17/arc-mm-allow-mprotect-to-make-stack-mappings-executable.patch
new file mode 100644 (file)
index 0000000..b7e2cb4
--- /dev/null
@@ -0,0 +1,44 @@
+From 93312b6da4df31e4102ce5420e6217135a16c7ea Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Wed, 11 Jul 2018 10:42:20 -0700
+Subject: ARC: mm: allow mprotect to make stack mappings executable
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit 93312b6da4df31e4102ce5420e6217135a16c7ea upstream.
+
+mprotect(EXEC) was failing for stack mappings as default vm flags was
+missing MAYEXEC.
+
+This was triggered by glibc test suite nptl/tst-execstack testcase
+
+What is surprising is that despite running LTP for years on, we didn't
+catch this issue as it lacks a directed test case.
+
+gcc dejagnu tests with nested functions also requiring exec stack work
+fine though because they rely on the GNU_STACK segment spit out by
+compiler and handled in kernel elf loader.
+
+This glibc case is different as the stack is non exec to begin with and
+a dlopen of shared lib with GNU_STACK segment triggers the exec stack
+proceedings using a mprotect(PROT_EXEC) which was broken.
+
+CC: stable@vger.kernel.org
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/page.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/include/asm/page.h
++++ b/arch/arc/include/asm/page.h
+@@ -105,7 +105,7 @@ typedef pte_t * pgtable_t;
+ #define virt_addr_valid(kaddr)  pfn_valid(virt_to_pfn(kaddr))
+ /* Default Permissions for stack/heaps pages (Non Executable) */
+-#define VM_DATA_DEFAULT_FLAGS   (VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE)
++#define VM_DATA_DEFAULT_FLAGS   (VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
+ #define WANT_PAGE_VIRTUAL   1
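Review bot: The comment above the change, `/* Default Permissions for stack/heaps pages (Non Executable) */`, is now incomplete: the mappings still start out without VM_EXEC, but adding `VM_MAYEXEC` to `VM_DATA_DEFAULT_FLAGS` means an `mprotect(PROT_EXEC)` can later make them executable, which is the behaviour the commit sets out to allow. Suggest `/* Default Permissions for stack/heaps pages (Non Executable, but mprotect(PROT_EXEC) is permitted) */` so anyone auditing W^X behaviour on this architecture does not take the old wording at face value. Whether this matches the generic `VM_DATA_DEFAULT_FLAGS` definition is worth confirming against that header; it is not visible here.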
diff --git a/queue-4.17/arcv2-save-accl-reg-pair-by-default.patch b/queue-4.17/arcv2-save-accl-reg-pair-by-default.patch
new file mode 100644 (file)
index 0000000..ce0c8ac
--- /dev/null
@@ -0,0 +1,43 @@
+From af1fc5baa724c63ce1733dfcf855bad5ef6078e3 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Tue, 17 Jul 2018 15:21:56 -0700
+Subject: ARCv2: [plat-hsdk]: Save accl reg pair by default
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit af1fc5baa724c63ce1733dfcf855bad5ef6078e3 upstream.
+
+This manifsted as strace segfaulting on HSDK because gcc was targetting
+the accumulator registers as GPRs, which kernek was not saving/restoring
+by default.
+
+Cc: stable@vger.kernel.org   #4.14+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/Kconfig           |    2 +-
+ arch/arc/plat-hsdk/Kconfig |    2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/arc/Kconfig
++++ b/arch/arc/Kconfig
+@@ -408,7 +408,7 @@ config ARC_HAS_DIV_REM
+ config ARC_HAS_ACCL_REGS
+       bool "Reg Pair ACCL:ACCH (FPU and/or MPY > 6)"
+-      default n
++      default y
+       help
+         Depending on the configuration, CPU can contain accumulator reg-pair
+         (also referred to as r58:r59). These can also be used by gcc as GPR so
+--- a/arch/arc/plat-hsdk/Kconfig
++++ b/arch/arc/plat-hsdk/Kconfig
+@@ -7,5 +7,7 @@
+ menuconfig ARC_SOC_HSDK
+       bool "ARC HS Development Kit SOC"
++      depends on ISA_ARCV2
++      select ARC_HAS_ACCL_REGS
+       select CLK_HSDK
+       select RESET_HSDK
diff --git a/queue-4.17/fat-fix-memory-allocation-failure-handling-of-match_strdup.patch b/queue-4.17/fat-fix-memory-allocation-failure-handling-of-match_strdup.patch
new file mode 100644 (file)
index 0000000..ce4eb21
--- /dev/null
@@ -0,0 +1,82 @@
+From 35033ab988c396ad7bce3b6d24060c16a9066db8 Mon Sep 17 00:00:00 2001
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Date: Fri, 20 Jul 2018 17:53:42 -0700
+Subject: fat: fix memory allocation failure handling of match_strdup()
+
+From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+
+commit 35033ab988c396ad7bce3b6d24060c16a9066db8 upstream.
+
+In parse_options(), if match_strdup() failed, parse_options() leaves
+opts->iocharset in unexpected state (i.e.  still pointing the freed
+string).  And this can be the cause of double free.
+
+To fix, this initialize opts->iocharset always when freeing.
+
+Link: http://lkml.kernel.org/r/8736wp9dzc.fsf@mail.parknet.co.jp
+Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
+Reported-by: syzbot+90b8e10515ae88228a92@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fat/inode.c |   20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/fs/fat/inode.c
++++ b/fs/fat/inode.c
+@@ -697,13 +697,21 @@ static void fat_set_state(struct super_b
+       brelse(bh);
+ }
++static void fat_reset_iocharset(struct fat_mount_options *opts)
++{
++      if (opts->iocharset != fat_default_iocharset) {
++              /* Note: opts->iocharset can be NULL here */
++              kfree(opts->iocharset);
++              opts->iocharset = fat_default_iocharset;
++      }
++}
++
+ static void delayed_free(struct rcu_head *p)
+ {
+       struct msdos_sb_info *sbi = container_of(p, struct msdos_sb_info, rcu);
+       unload_nls(sbi->nls_disk);
+       unload_nls(sbi->nls_io);
+-      if (sbi->options.iocharset != fat_default_iocharset)
+-              kfree(sbi->options.iocharset);
++      fat_reset_iocharset(&sbi->options);
+       kfree(sbi);
+ }
+@@ -1118,7 +1126,7 @@ static int parse_options(struct super_bl
+       opts->fs_fmask = opts->fs_dmask = current_umask();
+       opts->allow_utime = -1;
+       opts->codepage = fat_default_codepage;
+-      opts->iocharset = fat_default_iocharset;
++      fat_reset_iocharset(opts);
+       if (is_vfat) {
+               opts->shortname = VFAT_SFN_DISPLAY_WINNT|VFAT_SFN_CREATE_WIN95;
+               opts->rodir = 0;
+@@ -1275,8 +1283,7 @@ static int parse_options(struct super_bl
+               /* vfat specific */
+               case Opt_charset:
+-                      if (opts->iocharset != fat_default_iocharset)
+-                              kfree(opts->iocharset);
++                      fat_reset_iocharset(opts);
+                       iocharset = match_strdup(&args[0]);
+                       if (!iocharset)
+                               return -ENOMEM;
+@@ -1867,8 +1874,7 @@ out_fail:
+               iput(fat_inode);
+       unload_nls(sbi->nls_io);
+       unload_nls(sbi->nls_disk);
+-      if (sbi->options.iocharset != fat_default_iocharset)
+-              kfree(sbi->options.iocharset);
++      fat_reset_iocharset(&sbi->options);
+       sb->s_fs_info = NULL;
+       kfree(sbi);
+       return error;
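Review bot: `fat_reset_iocharset()` passes `opts->iocharset` to kfree() whenever it differs from the default, so the new call `fat_reset_iocharset(opts);` in parse_options() is only safe because the caller's `opts` arrive either zeroed or holding a previous kmalloc()ed string; an `opts` with indeterminate contents would hand garbage to kfree(). The visible `/* Note: opts->iocharset can be NULL here */` covers only the NULL case, so a precondition comment on the helper, `/* opts->iocharset must be NULL, fat_default_iocharset, or a kmalloc()ed string */`, would pin the contract for the next caller. parse_options() and the out_fail path continue outside these hunks.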
diff --git a/queue-4.17/kvm-eventfd-avoid-crash-when-assign-and-deassign-specific-eventfd-in-parallel.patch b/queue-4.17/kvm-eventfd-avoid-crash-when-assign-and-deassign-specific-eventfd-in-parallel.patch
new file mode 100644 (file)
index 0000000..7ec0f08
--- /dev/null
@@ -0,0 +1,67 @@
+From b5020a8e6b54d2ece80b1e7dedb33c79a40ebd47 Mon Sep 17 00:00:00 2001
+From: Lan Tianyu <tianyu.lan@intel.com>
+Date: Thu, 21 Dec 2017 21:10:36 -0500
+Subject: KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in parallel.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lan Tianyu <tianyu.lan@intel.com>
+
+commit b5020a8e6b54d2ece80b1e7dedb33c79a40ebd47 upstream.
+
+Syzbot reports crashes in kvm_irqfd_assign(), caused by use-after-free
+when kvm_irqfd_assign() and kvm_irqfd_deassign() run in parallel
+for one specific eventfd. When the assign path hasn't finished but irqfd
+has been added to kvm->irqfds.items list, another thead may deassign the
+eventfd and free struct kvm_kernel_irqfd(). The assign path then uses
+the struct kvm_kernel_irqfd that has been freed by deassign path. To avoid
+such issue, keep irqfd under kvm->irq_srcu protection after the irqfd
+has been added to kvm->irqfds.items list, and call synchronize_srcu()
+in irq_shutdown() to make sure that irqfd has been fully initialized in
+the assign path.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Tianyu Lan <tianyu.lan@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/eventfd.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/eventfd.c
++++ b/virt/kvm/eventfd.c
+@@ -119,8 +119,12 @@ irqfd_shutdown(struct work_struct *work)
+ {
+       struct kvm_kernel_irqfd *irqfd =
+               container_of(work, struct kvm_kernel_irqfd, shutdown);
++      struct kvm *kvm = irqfd->kvm;
+       u64 cnt;
++      /* Make sure irqfd has been initalized in assign path. */
++      synchronize_srcu(&kvm->irq_srcu);
++
+       /*
+        * Synchronize with the wait-queue and unhook ourselves to prevent
+        * further events.
+@@ -387,7 +391,6 @@ kvm_irqfd_assign(struct kvm *kvm, struct
+       idx = srcu_read_lock(&kvm->irq_srcu);
+       irqfd_update(kvm, irqfd);
+-      srcu_read_unlock(&kvm->irq_srcu, idx);
+       list_add_tail(&irqfd->list, &kvm->irqfds.items);
+@@ -421,6 +424,7 @@ kvm_irqfd_assign(struct kvm *kvm, struct
+       }
+ #endif
++      srcu_read_unlock(&kvm->irq_srcu, idx);
+       return 0;
+ fail:
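Review bot: The SRCU read-side section opened at `idx = srcu_read_lock(&kvm->irq_srcu);` now extends to the `srcu_read_unlock(&kvm->irq_srcu, idx);` added just before `return 0;`, so every early exit between those two points must also unlock; the hunk shows no `goto fail` in between, but the CONFIG_HAVE_KVM_IRQ_BYPASS block it now spans is outside the visible lines and should be checked, because a missed unlock would make the new `synchronize_srcu()` in irqfd_shutdown() wait indefinitely. Separately, the added comment `/* Make sure irqfd has been initalized in assign path. */` has a typo; suggest `/* Make sure irqfd has been initialized in the assign path. */`. kvm_irqfd_assign() begins before and ends after these hunks.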
diff --git a/queue-4.17/kvm-irqfd-fix-race-between-epollhup-and-irq_bypass_register_consumer.patch b/queue-4.17/kvm-irqfd-fix-race-between-epollhup-and-irq_bypass_register_consumer.patch
new file mode 100644 (file)
index 0000000..967c76d
--- /dev/null
@@ -0,0 +1,51 @@
+From 9432a3175770e06cb83eada2d91fac90c977cb99 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 28 May 2018 13:31:13 +0200
+Subject: KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 9432a3175770e06cb83eada2d91fac90c977cb99 upstream.
+
+A comment warning against this bug is there, but the code is not doing what
+the comment says.  Therefore it is possible that an EPOLLHUP races against
+irq_bypass_register_consumer.  The EPOLLHUP handler schedules irqfd_shutdown,
+and if that runs soon enough, you get a use-after-free.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/eventfd.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/virt/kvm/eventfd.c
++++ b/virt/kvm/eventfd.c
+@@ -405,11 +405,6 @@ kvm_irqfd_assign(struct kvm *kvm, struct
+       if (events & EPOLLIN)
+               schedule_work(&irqfd->inject);
+-      /*
+-       * do not drop the file until the irqfd is fully initialized, otherwise
+-       * we might race against the EPOLLHUP
+-       */
+-      fdput(f);
+ #ifdef CONFIG_HAVE_KVM_IRQ_BYPASS
+       if (kvm_arch_has_irq_bypass()) {
+               irqfd->consumer.token = (void *)irqfd->eventfd;
+@@ -425,6 +420,12 @@ kvm_irqfd_assign(struct kvm *kvm, struct
+ #endif
+       srcu_read_unlock(&kvm->irq_srcu, idx);
++
++      /*
++       * do not drop the file until the irqfd is fully initialized, otherwise
++       * we might race against the EPOLLHUP
++       */
++      fdput(f);
+       return 0;
+ fail:
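Review bot: The relocated comment `do not drop the file until the irqfd is fully initialized, otherwise we might race against the EPOLLHUP` says what but not why, and the commit message shows the previous placement was wrong precisely because the reason was not recorded next to the ordering it protects. My reading of the description is that the held file reference is what prevents the eventfd's final release, and thus the EPOLLHUP that schedules irqfd_shutdown(), until the consumer is registered; extending the comment to `/* the held reference keeps the eventfd from being released, so EPOLLHUP cannot schedule irqfd_shutdown() before the bypass consumer is registered */` would stop the next refactor from moving `fdput(f)` back up. The `fail:` path presumably drops the reference on its own; it lies outside the hunk.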
diff --git a/queue-4.17/kvm-vmx-mark-vmxarea-with-revision_id-of-physical-cpu-even-when-evmcs-enabled.patch b/queue-4.17/kvm-vmx-mark-vmxarea-with-revision_id-of-physical-cpu-even-when-evmcs-enabled.patch
new file mode 100644 (file)
index 0000000..66f1a48
--- /dev/null
@@ -0,0 +1,95 @@
+From 2307af1c4b2e0ad886f30e31739845322cbd328b Mon Sep 17 00:00:00 2001
+From: Liran Alon <liran.alon@oracle.com>
+Date: Fri, 29 Jun 2018 22:59:04 +0300
+Subject: KVM: VMX: Mark VMXArea with revision_id of physical CPU even when eVMCS enabled
+
+From: Liran Alon <liran.alon@oracle.com>
+
+commit 2307af1c4b2e0ad886f30e31739845322cbd328b upstream.
+
+When eVMCS is enabled, all VMCS allocated to be used by KVM are marked
+with revision_id of KVM_EVMCS_VERSION instead of revision_id reported
+by MSR_IA32_VMX_BASIC.
+
+However, even though not explictly documented by TLFS, VMXArea passed
+as VMXON argument should still be marked with revision_id reported by
+physical CPU.
+
+This issue was found by the following setup:
+* L0 = KVM which expose eVMCS to it's L1 guest.
+* L1 = KVM which consume eVMCS reported by L0.
+This setup caused the following to occur:
+1) L1 execute hardware_enable().
+2) hardware_enable() calls kvm_cpu_vmxon() to execute VMXON.
+3) L0 intercept L1 VMXON and execute handle_vmon() which notes
+vmxarea->revision_id != VMCS12_REVISION and therefore fails with
+nested_vmx_failInvalid() which sets RFLAGS.CF.
+4) L1 kvm_cpu_vmxon() don't check RFLAGS.CF for failure and therefore
+hardware_enable() continues as usual.
+5) L1 hardware_enable() then calls ept_sync_global() which executes
+INVEPT.
+6) L0 intercept INVEPT and execute handle_invept() which notes
+!vmx->nested.vmxon and thus raise a #UD to L1.
+7) Raised #UD caused L1 to panic.
+
+Reviewed-by: Krish Sadhukhan <krish.sadhukhan@oracle.com>
+Cc: stable@vger.kernel.org
+Fixes: 773e8a0425c923bc02668a2d6534a5ef5a43cc69
+Signed-off-by: Liran Alon <liran.alon@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c |   27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -4110,11 +4110,7 @@ static __init int setup_vmcs_config(stru
+       vmcs_conf->order = get_order(vmcs_conf->size);
+       vmcs_conf->basic_cap = vmx_msr_high & ~0x1fff;
+-      /* KVM supports Enlightened VMCS v1 only */
+-      if (static_branch_unlikely(&enable_evmcs))
+-              vmcs_conf->revision_id = KVM_EVMCS_VERSION;
+-      else
+-              vmcs_conf->revision_id = vmx_msr_low;
++      vmcs_conf->revision_id = vmx_msr_low;
+       vmcs_conf->pin_based_exec_ctrl = _pin_based_exec_control;
+       vmcs_conf->cpu_based_exec_ctrl = _cpu_based_exec_control;
+@@ -4184,7 +4180,13 @@ static struct vmcs *alloc_vmcs_cpu(int c
+               return NULL;
+       vmcs = page_address(pages);
+       memset(vmcs, 0, vmcs_config.size);
+-      vmcs->revision_id = vmcs_config.revision_id; /* vmcs revision id */
++
++      /* KVM supports Enlightened VMCS v1 only */
++      if (static_branch_unlikely(&enable_evmcs))
++              vmcs->revision_id = KVM_EVMCS_VERSION;
++      else
++              vmcs->revision_id = vmcs_config.revision_id;
++
+       return vmcs;
+ }
+@@ -4343,6 +4345,19 @@ static __init int alloc_kvm_area(void)
+                       return -ENOMEM;
+               }
++              /*
++               * When eVMCS is enabled, alloc_vmcs_cpu() sets
++               * vmcs->revision_id to KVM_EVMCS_VERSION instead of
++               * revision_id reported by MSR_IA32_VMX_BASIC.
++               *
++               * However, even though not explictly documented by
++               * TLFS, VMXArea passed as VMXON argument should
++               * still be marked with revision_id reported by
++               * physical CPU.
++               */
++              if (static_branch_unlikely(&enable_evmcs))
++                      vmcs->revision_id = vmcs_config.revision_id;
++
+               per_cpu(vmxarea, cpu) = vmcs;
+       }
+       return 0;
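Review bot: Step 4 of the commit message's own failure chain — kvm_cpu_vmxon() not checking RFLAGS.CF after VMXON — is left in place, so hardware_enable() would still proceed to ept_sync_global() after any future VMXON failure; this patch only removes the one trigger. kvm_cpu_vmxon() and hardware_enable() are outside the hunk so I can't quote them, but I'd have the VMXON asm surface CF/ZF (a CC_SET-style output) and make hardware_enable() return an error instead of continuing. In the alloc_kvm_area() hunk the override after alloc_vmcs_cpu() is correct, though it would be tidier to give alloc_vmcs_cpu() a `bool vmxon`-style flag than to allocate with the eVMCS revision_id and patch it afterwards; the added comment at least makes the ordering explicit. The setup_vmcs_config() change means vmcs_config.revision_id is now always the physical value, so any other reader that previously relied on it holding KVM_EVMCS_VERSION under eVMCS should be checked — none is visible in this hunk.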
diff --git a/queue-4.17/scsi-qla2xxx-fix-inconsistent-dma-mem-alloc-free.patch b/queue-4.17/scsi-qla2xxx-fix-inconsistent-dma-mem-alloc-free.patch
new file mode 100644 (file)
index 0000000..665ba04
--- /dev/null
@@ -0,0 +1,270 @@
+From b5f3bc39a0e815a30005da246dd4ad47fd2f88ff Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quin.tran@cavium.com>
+Date: Mon, 2 Jul 2018 13:01:58 -0700
+Subject: scsi: qla2xxx: Fix inconsistent DMA mem alloc/free
+
+From: Quinn Tran <quin.tran@cavium.com>
+
+commit b5f3bc39a0e815a30005da246dd4ad47fd2f88ff upstream.
+
+GPNFT command allocates 2 buffer for switch query. On completion, the same
+buffers were freed using different size, instead of using original size at
+the time of allocation.
+
+This patch saves the size of the request and response buffers and uses that
+to free them.
+
+Following stack trace can be seen when using debug kernel
+
+dump_stack+0x19/0x1b
+__warn+0xd8/0x100
+warn_slowpath_fmt+0x5f/0x80
+check_unmap+0xfb/0xa20
+debug_dma_free_coherent+0x110/0x160
+qla24xx_sp_unmap+0x131/0x1e0 [qla2xxx]
+qla24xx_async_gnnft_done+0xb6/0x550 [qla2xxx]
+qla2x00_do_work+0x1ec/0x9f0 [qla2xxx]
+
+Cc: <stable@vger.kernel.org> # v4.17+
+Fixes: 33b28357dd00 ("scsi: qla2xxx: Fix Async GPN_FT for FCP and FC-NVMe scan")
+Reported-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Himanshu Madhani <hmadhani@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_def.h |    2 ++
+ drivers/scsi/qla2xxx/qla_gs.c  |   40 ++++++++++++++++++++++++++--------------
+ 2 files changed, 28 insertions(+), 14 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -361,6 +361,8 @@ struct ct_arg {
+       dma_addr_t      rsp_dma;
+       u32             req_size;
+       u32             rsp_size;
++      u32             req_allocated_size;
++      u32             rsp_allocated_size;
+       void            *req;
+       void            *rsp;
+       port_id_t       id;
+--- a/drivers/scsi/qla2xxx/qla_gs.c
++++ b/drivers/scsi/qla2xxx/qla_gs.c
+@@ -556,7 +556,7 @@ err2:
+               /* please ignore kernel warning. otherwise, we have mem leak. */
+               if (sp->u.iocb_cmd.u.ctarg.req) {
+                       dma_free_coherent(&vha->hw->pdev->dev,
+-                          sizeof(struct ct_sns_pkt),
++                          sp->u.iocb_cmd.u.ctarg.req_allocated_size,
+                           sp->u.iocb_cmd.u.ctarg.req,
+                           sp->u.iocb_cmd.u.ctarg.req_dma);
+                       sp->u.iocb_cmd.u.ctarg.req = NULL;
+@@ -564,7 +564,7 @@ err2:
+               if (sp->u.iocb_cmd.u.ctarg.rsp) {
+                       dma_free_coherent(&vha->hw->pdev->dev,
+-                          sizeof(struct ct_sns_pkt),
++                          sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
+                           sp->u.iocb_cmd.u.ctarg.rsp,
+                           sp->u.iocb_cmd.u.ctarg.rsp_dma);
+                       sp->u.iocb_cmd.u.ctarg.rsp = NULL;
+@@ -617,6 +617,7 @@ static int qla_async_rftid(scsi_qla_host
+       sp->u.iocb_cmd.u.ctarg.req = dma_alloc_coherent(&vha->hw->pdev->dev,
+           sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.req_dma,
+           GFP_KERNEL);
++      sp->u.iocb_cmd.u.ctarg.req_allocated_size = sizeof(struct ct_sns_pkt);
+       if (!sp->u.iocb_cmd.u.ctarg.req) {
+               ql_log(ql_log_warn, vha, 0xd041,
+                   "%s: Failed to allocate ct_sns request.\n",
+@@ -627,6 +628,7 @@ static int qla_async_rftid(scsi_qla_host
+       sp->u.iocb_cmd.u.ctarg.rsp = dma_alloc_coherent(&vha->hw->pdev->dev,
+           sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.rsp_dma,
+           GFP_KERNEL);
++      sp->u.iocb_cmd.u.ctarg.rsp_allocated_size = sizeof(struct ct_sns_pkt);
+       if (!sp->u.iocb_cmd.u.ctarg.rsp) {
+               ql_log(ql_log_warn, vha, 0xd042,
+                   "%s: Failed to allocate ct_sns request.\n",
+@@ -712,6 +714,7 @@ static int qla_async_rffid(scsi_qla_host
+       sp->u.iocb_cmd.u.ctarg.req = dma_alloc_coherent(&vha->hw->pdev->dev,
+           sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.req_dma,
+           GFP_KERNEL);
++      sp->u.iocb_cmd.u.ctarg.req_allocated_size = sizeof(struct ct_sns_pkt);
+       if (!sp->u.iocb_cmd.u.ctarg.req) {
+               ql_log(ql_log_warn, vha, 0xd041,
+                   "%s: Failed to allocate ct_sns request.\n",
+@@ -722,6 +725,7 @@ static int qla_async_rffid(scsi_qla_host
+       sp->u.iocb_cmd.u.ctarg.rsp = dma_alloc_coherent(&vha->hw->pdev->dev,
+           sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.rsp_dma,
+           GFP_KERNEL);
++      sp->u.iocb_cmd.u.ctarg.rsp_allocated_size = sizeof(struct ct_sns_pkt);
+       if (!sp->u.iocb_cmd.u.ctarg.rsp) {
+               ql_log(ql_log_warn, vha, 0xd042,
+                   "%s: Failed to allocate ct_sns request.\n",
+@@ -802,6 +806,7 @@ static int qla_async_rnnid(scsi_qla_host
+       sp->u.iocb_cmd.u.ctarg.req = dma_alloc_coherent(&vha->hw->pdev->dev,
+           sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.req_dma,
+           GFP_KERNEL);
++      sp->u.iocb_cmd.u.ctarg.req_allocated_size = sizeof(struct ct_sns_pkt);
+       if (!sp->u.iocb_cmd.u.ctarg.req) {
+               ql_log(ql_log_warn, vha, 0xd041,
+                   "%s: Failed to allocate ct_sns request.\n",
+@@ -812,6 +817,7 @@ static int qla_async_rnnid(scsi_qla_host
+       sp->u.iocb_cmd.u.ctarg.rsp = dma_alloc_coherent(&vha->hw->pdev->dev,
+           sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.rsp_dma,
+           GFP_KERNEL);
++      sp->u.iocb_cmd.u.ctarg.rsp_allocated_size = sizeof(struct ct_sns_pkt);
+       if (!sp->u.iocb_cmd.u.ctarg.rsp) {
+               ql_log(ql_log_warn, vha, 0xd042,
+                   "%s: Failed to allocate ct_sns request.\n",
+@@ -909,6 +915,7 @@ static int qla_async_rsnn_nn(scsi_qla_ho
+       sp->u.iocb_cmd.u.ctarg.req = dma_alloc_coherent(&vha->hw->pdev->dev,
+           sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.req_dma,
+           GFP_KERNEL);
++      sp->u.iocb_cmd.u.ctarg.req_allocated_size = sizeof(struct ct_sns_pkt);
+       if (!sp->u.iocb_cmd.u.ctarg.req) {
+               ql_log(ql_log_warn, vha, 0xd041,
+                   "%s: Failed to allocate ct_sns request.\n",
+@@ -919,6 +926,7 @@ static int qla_async_rsnn_nn(scsi_qla_ho
+       sp->u.iocb_cmd.u.ctarg.rsp = dma_alloc_coherent(&vha->hw->pdev->dev,
+           sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.rsp_dma,
+           GFP_KERNEL);
++      sp->u.iocb_cmd.u.ctarg.rsp_allocated_size = sizeof(struct ct_sns_pkt);
+       if (!sp->u.iocb_cmd.u.ctarg.rsp) {
+               ql_log(ql_log_warn, vha, 0xd042,
+                   "%s: Failed to allocate ct_sns request.\n",
+@@ -3392,14 +3400,14 @@ void qla24xx_sp_unmap(scsi_qla_host_t *v
+ {
+       if (sp->u.iocb_cmd.u.ctarg.req) {
+               dma_free_coherent(&vha->hw->pdev->dev,
+-                      sizeof(struct ct_sns_pkt),
++                      sp->u.iocb_cmd.u.ctarg.req_allocated_size,
+                       sp->u.iocb_cmd.u.ctarg.req,
+                       sp->u.iocb_cmd.u.ctarg.req_dma);
+               sp->u.iocb_cmd.u.ctarg.req = NULL;
+       }
+       if (sp->u.iocb_cmd.u.ctarg.rsp) {
+               dma_free_coherent(&vha->hw->pdev->dev,
+-                      sizeof(struct ct_sns_pkt),
++                      sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
+                       sp->u.iocb_cmd.u.ctarg.rsp,
+                       sp->u.iocb_cmd.u.ctarg.rsp_dma);
+               sp->u.iocb_cmd.u.ctarg.rsp = NULL;
+@@ -3600,14 +3608,14 @@ static void qla2x00_async_gpnid_sp_done(
+               /* please ignore kernel warning. otherwise, we have mem leak. */
+               if (sp->u.iocb_cmd.u.ctarg.req) {
+                       dma_free_coherent(&vha->hw->pdev->dev,
+-                              sizeof(struct ct_sns_pkt),
++                              sp->u.iocb_cmd.u.ctarg.req_allocated_size,
+                               sp->u.iocb_cmd.u.ctarg.req,
+                               sp->u.iocb_cmd.u.ctarg.req_dma);
+                       sp->u.iocb_cmd.u.ctarg.req = NULL;
+               }
+               if (sp->u.iocb_cmd.u.ctarg.rsp) {
+                       dma_free_coherent(&vha->hw->pdev->dev,
+-                              sizeof(struct ct_sns_pkt),
++                              sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
+                               sp->u.iocb_cmd.u.ctarg.rsp,
+                               sp->u.iocb_cmd.u.ctarg.rsp_dma);
+                       sp->u.iocb_cmd.u.ctarg.rsp = NULL;
+@@ -3658,6 +3666,7 @@ int qla24xx_async_gpnid(scsi_qla_host_t
+       sp->u.iocb_cmd.u.ctarg.req = dma_alloc_coherent(&vha->hw->pdev->dev,
+               sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.req_dma,
+               GFP_KERNEL);
++      sp->u.iocb_cmd.u.ctarg.req_allocated_size = sizeof(struct ct_sns_pkt);
+       if (!sp->u.iocb_cmd.u.ctarg.req) {
+               ql_log(ql_log_warn, vha, 0xd041,
+                   "Failed to allocate ct_sns request.\n");
+@@ -3667,6 +3676,7 @@ int qla24xx_async_gpnid(scsi_qla_host_t
+       sp->u.iocb_cmd.u.ctarg.rsp = dma_alloc_coherent(&vha->hw->pdev->dev,
+               sizeof(struct ct_sns_pkt), &sp->u.iocb_cmd.u.ctarg.rsp_dma,
+               GFP_KERNEL);
++      sp->u.iocb_cmd.u.ctarg.rsp_allocated_size = sizeof(struct ct_sns_pkt);
+       if (!sp->u.iocb_cmd.u.ctarg.rsp) {
+               ql_log(ql_log_warn, vha, 0xd042,
+                   "Failed to allocate ct_sns request.\n");
+@@ -4125,14 +4135,14 @@ static void qla2x00_async_gpnft_gnnft_sp
+                        */
+                       if (sp->u.iocb_cmd.u.ctarg.req) {
+                               dma_free_coherent(&vha->hw->pdev->dev,
+-                                  sizeof(struct ct_sns_pkt),
++                                  sp->u.iocb_cmd.u.ctarg.req_allocated_size,
+                                   sp->u.iocb_cmd.u.ctarg.req,
+                                   sp->u.iocb_cmd.u.ctarg.req_dma);
+                               sp->u.iocb_cmd.u.ctarg.req = NULL;
+                       }
+                       if (sp->u.iocb_cmd.u.ctarg.rsp) {
+                               dma_free_coherent(&vha->hw->pdev->dev,
+-                                  sizeof(struct ct_sns_pkt),
++                                  sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
+                                   sp->u.iocb_cmd.u.ctarg.rsp,
+                                   sp->u.iocb_cmd.u.ctarg.rsp_dma);
+                               sp->u.iocb_cmd.u.ctarg.rsp = NULL;
+@@ -4162,14 +4172,14 @@ static void qla2x00_async_gpnft_gnnft_sp
+               /* please ignore kernel warning. Otherwise, we have mem leak. */
+               if (sp->u.iocb_cmd.u.ctarg.req) {
+                       dma_free_coherent(&vha->hw->pdev->dev,
+-                          sizeof(struct ct_sns_pkt),
++                          sp->u.iocb_cmd.u.ctarg.req_allocated_size,
+                           sp->u.iocb_cmd.u.ctarg.req,
+                           sp->u.iocb_cmd.u.ctarg.req_dma);
+                       sp->u.iocb_cmd.u.ctarg.req = NULL;
+               }
+               if (sp->u.iocb_cmd.u.ctarg.rsp) {
+                       dma_free_coherent(&vha->hw->pdev->dev,
+-                          sizeof(struct ct_sns_pkt),
++                          sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
+                           sp->u.iocb_cmd.u.ctarg.rsp,
+                           sp->u.iocb_cmd.u.ctarg.rsp_dma);
+                       sp->u.iocb_cmd.u.ctarg.rsp = NULL;
+@@ -4264,14 +4274,14 @@ static int qla24xx_async_gnnft(scsi_qla_
+ done_free_sp:
+       if (sp->u.iocb_cmd.u.ctarg.req) {
+               dma_free_coherent(&vha->hw->pdev->dev,
+-                  sizeof(struct ct_sns_pkt),
++                  sp->u.iocb_cmd.u.ctarg.req_allocated_size,
+                   sp->u.iocb_cmd.u.ctarg.req,
+                   sp->u.iocb_cmd.u.ctarg.req_dma);
+               sp->u.iocb_cmd.u.ctarg.req = NULL;
+       }
+       if (sp->u.iocb_cmd.u.ctarg.rsp) {
+               dma_free_coherent(&vha->hw->pdev->dev,
+-                  sizeof(struct ct_sns_pkt),
++                  sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
+                   sp->u.iocb_cmd.u.ctarg.rsp,
+                   sp->u.iocb_cmd.u.ctarg.rsp_dma);
+               sp->u.iocb_cmd.u.ctarg.rsp = NULL;
+@@ -4332,6 +4342,7 @@ int qla24xx_async_gpnft(scsi_qla_host_t
+               sp->u.iocb_cmd.u.ctarg.req = dma_zalloc_coherent(
+                       &vha->hw->pdev->dev, sizeof(struct ct_sns_pkt),
+                       &sp->u.iocb_cmd.u.ctarg.req_dma, GFP_KERNEL);
++              sp->u.iocb_cmd.u.ctarg.req_allocated_size = sizeof(struct ct_sns_pkt);
+               if (!sp->u.iocb_cmd.u.ctarg.req) {
+                       ql_log(ql_log_warn, vha, 0xffff,
+                           "Failed to allocate ct_sns request.\n");
+@@ -4349,6 +4360,7 @@ int qla24xx_async_gpnft(scsi_qla_host_t
+               sp->u.iocb_cmd.u.ctarg.rsp = dma_zalloc_coherent(
+                       &vha->hw->pdev->dev, rspsz,
+                       &sp->u.iocb_cmd.u.ctarg.rsp_dma, GFP_KERNEL);
++              sp->u.iocb_cmd.u.ctarg.rsp_allocated_size = sizeof(struct ct_sns_pkt);
+               if (!sp->u.iocb_cmd.u.ctarg.rsp) {
+                       ql_log(ql_log_warn, vha, 0xffff,
+                           "Failed to allocate ct_sns request.\n");
+@@ -4408,14 +4420,14 @@ int qla24xx_async_gpnft(scsi_qla_host_t
+ done_free_sp:
+       if (sp->u.iocb_cmd.u.ctarg.req) {
+               dma_free_coherent(&vha->hw->pdev->dev,
+-                  sizeof(struct ct_sns_pkt),
++                  sp->u.iocb_cmd.u.ctarg.req_allocated_size,
+                   sp->u.iocb_cmd.u.ctarg.req,
+                   sp->u.iocb_cmd.u.ctarg.req_dma);
+               sp->u.iocb_cmd.u.ctarg.req = NULL;
+       }
+       if (sp->u.iocb_cmd.u.ctarg.rsp) {
+               dma_free_coherent(&vha->hw->pdev->dev,
+-                  sizeof(struct ct_sns_pkt),
++                  sp->u.iocb_cmd.u.ctarg.rsp_allocated_size,
+                   sp->u.iocb_cmd.u.ctarg.rsp,
+                   sp->u.iocb_cmd.u.ctarg.rsp_dma);
+               sp->u.iocb_cmd.u.ctarg.rsp = NULL;
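Review bot: The qla24xx_async_gpnft hunk records the wrong size for the response buffer: the dma_zalloc_coherent() call passes `rspsz`, but the line added right after it stores `sizeof(struct ct_sns_pkt)` into rsp_allocated_size, so the frees in done_free_sp and in qla2x00_async_gpnft_gnnft_sp_done() will unmap that buffer with a size different from its allocation — the exact inconsistency this patch sets out to remove. It should read `sp->u.iocb_cmd.u.ctarg.rsp_allocated_size = rspsz;`. The rspsz computation is outside the hunk, so I can't say how far it differs from sizeof(struct ct_sns_pkt), but with CONFIG_DMA_API_DEBUG the check_unmap warning from the commit message will still fire on this path. A minor point at every site: the size is stored before the allocation result is checked, which is only harmless because each free is guarded by the pointer test; storing it inside the success path would make that invariant explicit.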
diff --git a/queue-4.17/scsi-qla2xxx-fix-kernel-crash-due-to-late-workqueue-allocation.patch b/queue-4.17/scsi-qla2xxx-fix-kernel-crash-due-to-late-workqueue-allocation.patch
new file mode 100644 (file)
index 0000000..6e60276
--- /dev/null
@@ -0,0 +1,93 @@
+From d48cc67cd4406d589fdbfa8c7d51c86532f86feb Mon Sep 17 00:00:00 2001
+From: "himanshu.madhani@cavium.com" <himanshu.madhani@cavium.com>
+Date: Mon, 2 Jul 2018 13:01:59 -0700
+Subject: scsi: qla2xxx: Fix kernel crash due to late workqueue allocation
+
+From: himanshu.madhani@cavium.com <himanshu.madhani@cavium.com>
+
+commit d48cc67cd4406d589fdbfa8c7d51c86532f86feb upstream.
+
+This patch fixes crash for FCoE adapter. Once driver initialization is
+complete, firmware will start posting Asynchronous Event, However driver
+has not yet allocated workqueue to process and queue up work.  This delay
+of allocating workqueue results into NULL pointer access.
+
+The following stack trace is seen:
+
+[   24.577259] BUG: unable to handle kernel NULL pointer dereference at 0000000000000102
+[   24.623133] PGD 0 P4D 0
+[   24.636760] Oops: 0000 [#1] SMP NOPTI
+[   24.656942] Modules linked in: i2c_algo_bit drm_kms_helper sr_mod(+) syscopyarea sysfillrect sysimgblt cdrom fb_sys_fops ata_generic ttm pata_acpi sd_mod ahci pata_atiixp sfc(+) qla2xxx(+) libahci drm qla4xxx(+) nvme_fc hpsa mdio libiscsi qlcnic(+) nvme_fabrics scsi_transport_sas serio_raw mtd crc32c_intel libata nvme_core i2c_core scsi_transport_iscsi tg3 scsi_transport_fc bnx2 iscsi_boot_sysfs dm_multipath dm_mirror dm_region_hash dm_log dm_mod
+[   24.887449] CPU: 0 PID: 177 Comm: kworker/0:3 Not tainted 4.17.0-rc6 #1
+[   24.925119] Hardware name: HP ProLiant DL385 G7, BIOS A18 08/15/2012
+[   24.962106] Workqueue: events work_for_cpu_fn
+[   24.987098] RIP: 0010:__queue_work+0x1f/0x3a0
+[   25.011672] RSP: 0018:ffff992642ceba10 EFLAGS: 00010082
+[   25.042116] RAX: 0000000000000082 RBX: 0000000000000082 RCX: 0000000000000000
+[   25.083293] RDX: ffff8cf9abc6d7d0 RSI: 0000000000000000 RDI: 0000000000002000
+[   25.123094] RBP: 0000000000000000 R08: 0000000000025a40 R09: ffff8cf9aade2880
+[   25.164087] R10: 0000000000000000 R11: ffff992642ceb6f0 R12: ffff8cf9abc6d7d0
+[   25.202280] R13: 0000000000002000 R14: ffff8cf9abc6d7b8 R15: 0000000000002000
+[   25.242050] FS:  0000000000000000(0000) f9b5c00000(0000) knlGS:0000000000000000
+[   25.977565] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   26.010457] CR2: 0000000000000102 CR3: 000000030760a000 CR4: 00000000000406f0
+[   26.051048] Call Trace:
+[   26.063572]  ? __switch_to_asm+0x34/0x70
+[   26.086079]  queue_work_on+0x24/0x40
+[   26.107090]  qla2x00_post_work+0x81/0xb0 [qla2xxx]
+[   26.133356]  qla2x00_async_event+0x1ad/0x1a20 [qla2xxx]
+[   26.164075]  ? lock_timer_base+0x67/0x80
+[   26.186420]  ? try_to_del_timer_sync+0x4d/0x80
+[   26.212284]  ? del_timer_sync+0x35/0x40
+[   26.234080]  ? schedule_timeout+0x165/0x2f0
+[   26.259575]  qla82xx_poll+0x13e/0x180 [qla2xxx]
+[   26.285740]  qla2x00_mailbox_command+0x74b/0xf50 [qla2xxx]
+[   26.319040]  qla82xx_set_driver_version+0x13b/0x1c0 [qla2xxx]
+[   26.352108]  ? qla2x00_init_rings+0x206/0x3f0 [qla2xxx]
+[   26.381733]  qla2x00_initialize_adapter+0x35c/0x7f0 [qla2xxx]
+[   26.413240]  qla2x00_probe_one+0x1479/0x2390 [qla2xxx]
+[   26.442055]  local_pci_probe+0x3f/0xa0
+[   26.463108]  work_for_cpu_fn+0x10/0x20
+[   26.483295]  process_one_work+0x152/0x350
+[   26.505730]  worker_thread+0x1cf/0x3e0
+[   26.527090]  kthread+0xf5/0x130
+[   26.545085]  ? max_active_store+0x80/0x80
+[   26.568085]  ? kthread_bind+0x10/0x10
+[   26.589533]  ret_from_fork+0x22/0x40
+[   26.610192] Code: 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 57 41 89 ff 41 56 41 55 41 89 fd 41 54 49 89 d4 55 48 89 f5 53 48 83 ec 0 86 02 01 00 00 01 0f 85 80 02 00 00 49 c7 c6 c0 ec 01 00 41
+[   27.308540] RIP: __queue_work+0x1f/0x3a0 RSP: ffff992642ceba10
+[   27.341591] CR2: 0000000000000102
+[   27.360208] ---[ end trace 01b7b7ae2c005cf3 ]---
+
+Cc: <stable@vger.kernel.org> # v4.17+
+Fixes: 9b3e0f4d4147 ("scsi: qla2xxx: Move work element processing out of DPC thread"
+Reported-by: Li Wang <liwang@redhat.com>
+Tested-by: Li Wang <liwang@redhat.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_os.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -3180,6 +3180,8 @@ qla2x00_probe_one(struct pci_dev *pdev,
+           "req->req_q_in=%p req->req_q_out=%p rsp->rsp_q_in=%p rsp->rsp_q_out=%p.\n",
+           req->req_q_in, req->req_q_out, rsp->rsp_q_in, rsp->rsp_q_out);
++      ha->wq = alloc_workqueue("qla2xxx_wq", 0, 0);
++
+       if (ha->isp_ops->initialize_adapter(base_vha)) {
+               ql_log(ql_log_fatal, base_vha, 0x00d6,
+                   "Failed to initialize adapter - Adapter flags %x.\n",
+@@ -3216,8 +3218,6 @@ qla2x00_probe_one(struct pci_dev *pdev,
+           host->can_queue, base_vha->req,
+           base_vha->mgmt_svr_loop_id, host->sg_tablesize);
+-      ha->wq = alloc_workqueue("qla2xxx_wq", 0, 0);
+-
+       if (ha->mqenable) {
+               bool mq = false;
+               bool startit = false;
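Review bot: The relocated `ha->wq = alloc_workqueue("qla2xxx_wq", 0, 0);` still has no NULL check, so if the allocation fails, initialize_adapter() will post async events to a NULL workqueue and hit the same __queue_work oops this commit is fixing, just from a different cause; add a check such as `if (!ha->wq) { ret = -ENOMEM; goto <the cleanup label used when initialize_adapter() fails>; }` (the label itself is outside the hunk). Because the workqueue now exists earlier, the failure paths between the new site and the old one must also tear it down; presumably the probe cleanup already calls destroy_workqueue() on a non-NULL ha->wq, but that is outside the hunk and worth confirming. qla2x00_probe_one() starts and ends outside the hunk.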
diff --git a/queue-4.17/scsi-qla2xxx-fix-null-pointer-dereference-for-fcport-search.patch b/queue-4.17/scsi-qla2xxx-fix-null-pointer-dereference-for-fcport-search.patch
new file mode 100644 (file)
index 0000000..6f6f2fb
--- /dev/null
@@ -0,0 +1,97 @@
+From 36eb8ff672faee83ccce60c191f0fef07c6adce6 Mon Sep 17 00:00:00 2001
+From: Chuck Anderson <chuck.anderson@oracle.com>
+Date: Mon, 2 Jul 2018 13:02:00 -0700
+Subject: scsi: qla2xxx: Fix NULL pointer dereference for fcport search
+
+From: Chuck Anderson <chuck.anderson@oracle.com>
+
+commit 36eb8ff672faee83ccce60c191f0fef07c6adce6 upstream.
+
+Crash dump shows following instructions
+
+crash> bt
+PID: 0      TASK: ffffffffbe412480  CPU: 0   COMMAND: "swapper/0"
+ #0 [ffff891ee0003868] machine_kexec at ffffffffbd063ef1
+ #1 [ffff891ee00038c8] __crash_kexec at ffffffffbd12b6f2
+ #2 [ffff891ee0003998] crash_kexec at ffffffffbd12c84c
+ #3 [ffff891ee00039b8] oops_end at ffffffffbd030f0a
+ #4 [ffff891ee00039e0] no_context at ffffffffbd074643
+ #5 [ffff891ee0003a40] __bad_area_nosemaphore at ffffffffbd07496e
+ #6 [ffff891ee0003a90] bad_area_nosemaphore at ffffffffbd074a64
+ #7 [ffff891ee0003aa0] __do_page_fault at ffffffffbd074b0a
+ #8 [ffff891ee0003b18] do_page_fault at ffffffffbd074fc8
+ #9 [ffff891ee0003b50] page_fault at ffffffffbda01925
+    [exception RIP: qlt_schedule_sess_for_deletion+15]
+    RIP: ffffffffc02e526f  RSP: ffff891ee0003c08  RFLAGS: 00010046
+    RAX: 0000000000000000  RBX: 0000000000000000  RCX: ffffffffc0307847
+    RDX: 00000000000020e6  RSI: ffff891edbc377c8  RDI: 0000000000000000
+    RBP: ffff891ee0003c18   R8: ffffffffc02f0b20   R9: 0000000000000250
+    R10: 0000000000000258  R11: 000000000000b780  R12: ffff891ed9b43000
+    R13: 00000000000000f0  R14: 0000000000000006  R15: ffff891edbc377c8
+    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
+ #10 [ffff891ee0003c20] qla2x00_fcport_event_handler at ffffffffc02853d3 [qla2xxx]
+ #11 [ffff891ee0003cf0] __dta_qla24xx_async_gnl_sp_done_333 at ffffffffc0285a1d [qla2xxx]
+ #12 [ffff891ee0003de8] qla24xx_process_response_queue at ffffffffc02a2eb5 [qla2xxx]
+ #13 [ffff891ee0003e88] qla24xx_msix_rsp_q at ffffffffc02a5403 [qla2xxx]
+ #14 [ffff891ee0003ec0] __handle_irq_event_percpu at ffffffffbd0f4c59
+ #15 [ffff891ee0003f10] handle_irq_event_percpu at ffffffffbd0f4e02
+ #16 [ffff891ee0003f40] handle_irq_event at ffffffffbd0f4e90
+ #17 [ffff891ee0003f68] handle_edge_irq at ffffffffbd0f8984
+ #18 [ffff891ee0003f88] handle_irq at ffffffffbd0305d5
+ #19 [ffff891ee0003fb8] do_IRQ at ffffffffbda02a18
+ --- <IRQ stack> ---
+ #20 [ffffffffbe403d30] ret_from_intr at ffffffffbda0094e
+    [exception RIP: unknown or invalid address]
+    RIP: 000000000000001f  RSP: 0000000000000000  RFLAGS: fff3b8c2091ebb3f
+    RAX: ffffbba5a0000200  RBX: 0000be8cdfa8f9fa  RCX: 0000000000000018
+    RDX: 0000000000000101  RSI: 000000000000015d  RDI: 0000000000000193
+    RBP: 0000000000000083   R8: ffffffffbe403e38   R9: 0000000000000002
+    R10: 0000000000000000  R11: ffffffffbe56b820  R12: ffff891ee001cf00
+    R13: ffffffffbd11c0a4  R14: ffffffffbe403d60  R15: 0000000000000001
+    ORIG_RAX: ffff891ee0022ac0  CS: 0000  SS: ffffffffffffffb9
+ bt: WARNING: possibly bogus exception frame
+ #21 [ffffffffbe403dd8] cpuidle_enter_state at ffffffffbd67c6fd
+ #22 [ffffffffbe403e40] cpuidle_enter at ffffffffbd67c907
+ #23 [ffffffffbe403e50] call_cpuidle at ffffffffbd0d98f3
+ #24 [ffffffffbe403e60] do_idle at ffffffffbd0d9b42
+ #25 [ffffffffbe403e98] cpu_startup_entry at ffffffffbd0d9da3
+ #26 [ffffffffbe403ec0] rest_init at ffffffffbd81d4aa
+ #27 [ffffffffbe403ed0] start_kernel at ffffffffbe67d2ca
+ #28 [ffffffffbe403f28] x86_64_start_reservations at ffffffffbe67c675
+ #29 [ffffffffbe403f38] x86_64_start_kernel at ffffffffbe67c6eb
+ #30 [ffffffffbe403f50] secondary_startup_64 at ffffffffbd0000d5
+
+Fixes: 040036bb0bc1 ("scsi: qla2xxx: Delay loop id allocation at login")
+Cc: <stable@vger.kernel.org> # v4.17+
+Signed-off-by: Chuck Anderson <chuck.anderson@oracle.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_init.c |   14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -591,12 +591,14 @@ static void qla24xx_handle_gnl_done_even
+                               conflict_fcport =
+                                       qla2x00_find_fcport_by_wwpn(vha,
+                                           e->port_name, 0);
+-                              ql_dbg(ql_dbg_disc, vha, 0x20e6,
+-                                  "%s %d %8phC post del sess\n",
+-                                  __func__, __LINE__,
+-                                  conflict_fcport->port_name);
+-                              qlt_schedule_sess_for_deletion
+-                                      (conflict_fcport);
++                              if (conflict_fcport) {
++                                      qlt_schedule_sess_for_deletion
++                                              (conflict_fcport);
++                                      ql_dbg(ql_dbg_disc, vha, 0x20e6,
++                                          "%s %d %8phC post del sess\n",
++                                          __func__, __LINE__,
++                                          conflict_fcport->port_name);
++                              }
+                       }
+                       /* FW already picked this loop id for another fcport */
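Review bot: The new `if (conflict_fcport)` guard silently drops the case where qla2x00_find_fcport_by_wwpn() returns NULL, so a loop-id conflict with a WWPN that has no fcport leaves no trace in the discovery log; add an else branch with its own ql_dbg id, e.g. `ql_dbg(ql_dbg_disc, vha, <new id>, "%s %d %8phC conflict fcport not found\n", __func__, __LINE__, e->port_name);`, so the following "FW already picked this loop id" path can be correlated. The patch also reorders the trace so "post del sess" is logged after qlt_schedule_sess_for_deletion() is called; that only reads conflict_fcport->port_name afterwards, which is fine if the call merely schedules the deletion (it presumably does), but logging first as before would remove the question. qla24xx_handle_gnl_done_event() starts and ends outside the hunk.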
diff --git a/queue-4.17/scsi-sd_zbc-fix-variable-type-and-bogus-comment.patch b/queue-4.17/scsi-sd_zbc-fix-variable-type-and-bogus-comment.patch
new file mode 100644 (file)
index 0000000..5427965
--- /dev/null
@@ -0,0 +1,49 @@
+From f13cff6c25bd8986627365346d123312ee7baa78 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <damien.lemoal@wdc.com>
+Date: Tue, 3 Jul 2018 15:23:58 +0900
+Subject: scsi: sd_zbc: Fix variable type and bogus comment
+
+From: Damien Le Moal <damien.lemoal@wdc.com>
+
+commit f13cff6c25bd8986627365346d123312ee7baa78 upstream.
+
+Fix the description of sd_zbc_check_zone_size() to correctly explain that
+the returned value is a number of device blocks, not bytes.  Additionally,
+the 32 bits "ret" variable used in this function may truncate the 64 bits
+zone_blocks variable value upon return. To fix this, change "ret" type to
+s64.
+
+Fixes: ccce20fc79 ("sd_zbc: Avoid that resetting a zone fails sporadically")
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Cc: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: stable@kernel.org
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sd_zbc.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/sd_zbc.c
++++ b/drivers/scsi/sd_zbc.c
+@@ -401,7 +401,8 @@ static int sd_zbc_check_capacity(struct
+  * Check that all zones of the device are equal. The last zone can however
+  * be smaller. The zone size must also be a power of two number of LBAs.
+  *
+- * Returns the zone size in bytes upon success or an error code upon failure.
++ * Returns the zone size in number of blocks upon success or an error code
++ * upon failure.
+  */
+ static s64 sd_zbc_check_zone_size(struct scsi_disk *sdkp)
+ {
+@@ -411,7 +412,7 @@ static s64 sd_zbc_check_zone_size(struct
+       unsigned char *rec;
+       unsigned int buf_len;
+       unsigned int list_length;
+-      int ret;
++      s64 ret;
+       u8 same;
+       /* Get a buffer */
diff --git a/queue-4.17/x86-apm-don-t-access-__preempt_count-with-zeroed-fs.patch b/queue-4.17/x86-apm-don-t-access-__preempt_count-with-zeroed-fs.patch
new file mode 100644 (file)
index 0000000..3f079bd
--- /dev/null
@@ -0,0 +1,141 @@
+From 6f6060a5c9cc76fdbc22748264e6aa3779ec2427 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Mon, 9 Jul 2018 16:35:34 +0300
+Subject: x86/apm: Don't access __preempt_count with zeroed fs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 6f6060a5c9cc76fdbc22748264e6aa3779ec2427 upstream.
+
+APM_DO_POP_SEGS does not restore fs/gs which were zeroed by
+APM_DO_ZERO_SEGS. Trying to access __preempt_count with
+zeroed fs doesn't really work.
+
+Move the ibrs call outside the APM_DO_SAVE_SEGS/APM_DO_RESTORE_SEGS
+invocations so that fs is actually restored before calling
+preempt_enable().
+
+Fixes the following sort of oopses:
+[    0.313581] general protection fault: 0000 [#1] PREEMPT SMP
+[    0.313803] Modules linked in:
+[    0.314040] CPU: 0 PID: 268 Comm: kapmd Not tainted 4.16.0-rc1-triton-bisect-00090-gdd84441a7971 #19
+[    0.316161] EIP: __apm_bios_call_simple+0xc8/0x170
+[    0.316161] EFLAGS: 00210016 CPU: 0
+[    0.316161] EAX: 00000102 EBX: 00000000 ECX: 00000102 EDX: 00000000
+[    0.316161] ESI: 0000530e EDI: dea95f64 EBP: dea95f18 ESP: dea95ef0
+[    0.316161]  DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
+[    0.316161] CR0: 80050033 CR2: 00000000 CR3: 015d3000 CR4: 000006d0
+[    0.316161] Call Trace:
+[    0.316161]  ? cpumask_weight.constprop.15+0x20/0x20
+[    0.316161]  on_cpu0+0x44/0x70
+[    0.316161]  apm+0x54e/0x720
+[    0.316161]  ? __switch_to_asm+0x26/0x40
+[    0.316161]  ? __schedule+0x17d/0x590
+[    0.316161]  kthread+0xc0/0xf0
+[    0.316161]  ? proc_apm_show+0x150/0x150
+[    0.316161]  ? kthread_create_worker_on_cpu+0x20/0x20
+[    0.316161]  ret_from_fork+0x2e/0x38
+[    0.316161] Code: da 8e c2 8e e2 8e ea 57 55 2e ff 1d e0 bb 5d b1 0f 92 c3 5d 5f 07 1f 89 47 0c 90 8d b4 26 00 00 00 00 90 8d b4 26 00 00 00 00 90 <64> ff 0d 84 16 5c b1 74 7f 8b 45 dc 8e e0 8b 45 d8 8e e8 8b 45
+[    0.316161] EIP: __apm_bios_call_simple+0xc8/0x170 SS:ESP: 0068:dea95ef0
+[    0.316161] ---[ end trace 656253db2deaa12c ]---
+
+Fixes: dd84441a7971 ("x86/speculation: Use IBRS if available before calling into firmware")
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Cc:  David Woodhouse <dwmw@amazon.co.uk>
+Cc:  "H. Peter Anvin" <hpa@zytor.com>
+Cc:  x86@kernel.org
+Cc: David Woodhouse <dwmw@amazon.co.uk>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Link: https://lkml.kernel.org/r/20180709133534.5963-1-ville.syrjala@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/apm.h |    6 ------
+ arch/x86/kernel/apm_32.c   |    5 +++++
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/include/asm/apm.h
++++ b/arch/x86/include/asm/apm.h
+@@ -7,8 +7,6 @@
+ #ifndef _ASM_X86_MACH_DEFAULT_APM_H
+ #define _ASM_X86_MACH_DEFAULT_APM_H
+-#include <asm/nospec-branch.h>
+-
+ #ifdef APM_ZERO_SEGS
+ #     define APM_DO_ZERO_SEGS \
+               "pushl %%ds\n\t" \
+@@ -34,7 +32,6 @@ static inline void apm_bios_call_asm(u32
+        * N.B. We do NOT need a cld after the BIOS call
+        * because we always save and restore the flags.
+        */
+-      firmware_restrict_branch_speculation_start();
+       __asm__ __volatile__(APM_DO_ZERO_SEGS
+               "pushl %%edi\n\t"
+               "pushl %%ebp\n\t"
+@@ -47,7 +44,6 @@ static inline void apm_bios_call_asm(u32
+                 "=S" (*esi)
+               : "a" (func), "b" (ebx_in), "c" (ecx_in)
+               : "memory", "cc");
+-      firmware_restrict_branch_speculation_end();
+ }
+ static inline bool apm_bios_call_simple_asm(u32 func, u32 ebx_in,
+@@ -60,7 +56,6 @@ static inline bool apm_bios_call_simple_
+        * N.B. We do NOT need a cld after the BIOS call
+        * because we always save and restore the flags.
+        */
+-      firmware_restrict_branch_speculation_start();
+       __asm__ __volatile__(APM_DO_ZERO_SEGS
+               "pushl %%edi\n\t"
+               "pushl %%ebp\n\t"
+@@ -73,7 +68,6 @@ static inline bool apm_bios_call_simple_
+                 "=S" (si)
+               : "a" (func), "b" (ebx_in), "c" (ecx_in)
+               : "memory", "cc");
+-      firmware_restrict_branch_speculation_end();
+       return error;
+ }
+--- a/arch/x86/kernel/apm_32.c
++++ b/arch/x86/kernel/apm_32.c
+@@ -240,6 +240,7 @@
+ #include <asm/olpc.h>
+ #include <asm/paravirt.h>
+ #include <asm/reboot.h>
++#include <asm/nospec-branch.h>
+ #if defined(CONFIG_APM_DISPLAY_BLANK) && defined(CONFIG_VT)
+ extern int (*console_blank_hook)(int);
+@@ -614,11 +615,13 @@ static long __apm_bios_call(void *_call)
+       gdt[0x40 / 8] = bad_bios_desc;
+       apm_irq_save(flags);
++      firmware_restrict_branch_speculation_start();
+       APM_DO_SAVE_SEGS;
+       apm_bios_call_asm(call->func, call->ebx, call->ecx,
+                         &call->eax, &call->ebx, &call->ecx, &call->edx,
+                         &call->esi);
+       APM_DO_RESTORE_SEGS;
++      firmware_restrict_branch_speculation_end();
+       apm_irq_restore(flags);
+       gdt[0x40 / 8] = save_desc_40;
+       put_cpu();
+@@ -690,10 +693,12 @@ static long __apm_bios_call_simple(void
+       gdt[0x40 / 8] = bad_bios_desc;
+       apm_irq_save(flags);
++      firmware_restrict_branch_speculation_start();
+       APM_DO_SAVE_SEGS;
+       error = apm_bios_call_simple_asm(call->func, call->ebx, call->ecx,
+                                        &call->eax);
+       APM_DO_RESTORE_SEGS;
++      firmware_restrict_branch_speculation_end();
+       apm_irq_restore(flags);
+       gdt[0x40 / 8] = save_desc_40;
+       put_cpu();
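Review bot: The constraint that firmware_restrict_branch_speculation_start()/end() must bracket APM_DO_SAVE_SEGS/APM_DO_RESTORE_SEGS rather than sit next to the asm is only recorded in the commit message, so a later cleanup in __apm_bios_call or __apm_bios_call_simple could move the calls back beside apm_bios_call_asm() and reintroduce the oops. Suggest a comment above the first firmware_restrict_branch_speculation_start() in each function: `/* The IBRS end path runs preempt_enable(), which reads __preempt_count via %fs; fs/gs are zeroed by the BIOS call and only restored by APM_DO_RESTORE_SEGS, so keep this bracket outside that window. */`. Dropping `#include <asm/nospec-branch.h>` from apm.h means any other includer of apm.h that relied on it transitively would now need its own include, which the new `#include` in apm_32.c covers only for that file; worth confirming no other users exist. Both enclosing functions start outside the hunk.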
diff --git a/queue-4.17/x86-events-intel-ds-fix-bts_interrupt_threshold-alignment.patch b/queue-4.17/x86-events-intel-ds-fix-bts_interrupt_threshold-alignment.patch
new file mode 100644 (file)
index 0000000..4160e6c
--- /dev/null
@@ -0,0 +1,56 @@
+From 2c991e408df6a407476dbc453d725e1e975479e7 Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Sat, 14 Jul 2018 12:58:07 -0700
+Subject: x86/events/intel/ds: Fix bts_interrupt_threshold alignment
+
+From: Hugh Dickins <hughd@google.com>
+
+commit 2c991e408df6a407476dbc453d725e1e975479e7 upstream.
+
+Markus reported that BTS is sporadically missing the tail of the trace
+in the perf_event data buffer: [decode error (1): instruction overflow]
+shown in GDB; and bisected it to the conversion of debug_store to PTI.
+
+A little "optimization" crept into alloc_bts_buffer(), which mistakenly
+placed bts_interrupt_threshold away from the 24-byte record boundary.
+Intel SDM Vol 3B 17.4.9 says "This address must point to an offset from
+the BTS buffer base that is a multiple of the BTS record size."
+
+Revert "max" from a byte count to a record count, to calculate the
+bts_interrupt_threshold correctly: which turns out to fix problem seen.
+
+Fixes: c1961a4631da ("x86/events/intel/ds: Map debug buffers in cpu_entry_area")
+Reported-and-tested-by: Markus T Metzger <markus.t.metzger@intel.com>
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@intel.com>
+Cc: Andi Kleen <andi.kleen@intel.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: stable@vger.kernel.org # v4.14+
+Link: https://lkml.kernel.org/r/alpine.LSU.2.11.1807141248290.1614@eggly.anvils
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/events/intel/ds.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/events/intel/ds.c
++++ b/arch/x86/events/intel/ds.c
+@@ -408,9 +408,11 @@ static int alloc_bts_buffer(int cpu)
+       ds->bts_buffer_base = (unsigned long) cea;
+       ds_update_cea(cea, buffer, BTS_BUFFER_SIZE, PAGE_KERNEL);
+       ds->bts_index = ds->bts_buffer_base;
+-      max = BTS_RECORD_SIZE * (BTS_BUFFER_SIZE / BTS_RECORD_SIZE);
+-      ds->bts_absolute_maximum = ds->bts_buffer_base + max;
+-      ds->bts_interrupt_threshold = ds->bts_absolute_maximum - (max / 16);
++      max = BTS_BUFFER_SIZE / BTS_RECORD_SIZE;
++      ds->bts_absolute_maximum = ds->bts_buffer_base +
++                                      max * BTS_RECORD_SIZE;
++      ds->bts_interrupt_threshold = ds->bts_absolute_maximum -
++                                      (max / 16) * BTS_RECORD_SIZE;
+       return 0;
+ }
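Review bot: The alignment requirement that this rewrite of alloc_bts_buffer() satisfies (bts_interrupt_threshold must be a whole number of BTS_RECORD_SIZE records from the base, SDM Vol 3B 17.4.9 per the commit message) is not visible in the code, and `max` changing from a byte count to a record count is the kind of detail the next "optimization" will miss again. Suggest a comment above the `max =` assignment: `/* max is a record count: both the maximum and the interrupt threshold must be a multiple of BTS_RECORD_SIZE from the buffer base (SDM Vol 3B 17.4.9). */`. The declaration and type of `max` are outside the hunk, as is the start of alloc_bts_buffer(); if it is narrower than unsigned long, the `max * BTS_RECORD_SIZE` product should be checked for the intended width.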
diff --git a/queue-4.17/x86-kvm-vmx-don-t-read-current-thread.-fs-gs-base-of-legacy-tasks.patch b/queue-4.17/x86-kvm-vmx-don-t-read-current-thread.-fs-gs-base-of-legacy-tasks.patch
new file mode 100644 (file)
index 0000000..48f57e6
--- /dev/null
@@ -0,0 +1,94 @@
+From b062b794c7831a70bda4dfac202c1a9418e06ac0 Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+Date: Wed, 11 Jul 2018 19:37:18 +0200
+Subject: x86/kvm/vmx: don't read current->thread.{fs,gs}base of legacy tasks
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+commit b062b794c7831a70bda4dfac202c1a9418e06ac0 upstream.
+
+When we switched from doing rdmsr() to reading FS/GS base values from
+current->thread we completely forgot about legacy 32-bit userspaces which
+we still support in KVM (why?). task->thread.{fsbase,gsbase} are only
+synced for 64-bit processes, calling save_fsgs_for_kvm() and using
+its result from current is illegal for legacy processes.
+
+There's no ARCH_SET_FS/GS prctls for legacy applications. Base MSRs are,
+however, not always equal to zero. Intel's manual says (3.4.4 Segment
+Loading Instructions in IA-32e Mode):
+
+"In order to set up compatibility mode for an application, segment-load
+instructions (MOV to Sreg, POP Sreg) work normally in 64-bit mode. An
+entry is read from the system descriptor table (GDT or LDT) and is loaded
+in the hidden portion of the segment register.
+...
+The hidden descriptor register fields for FS.base and GS.base are
+physically mapped to MSRs in order to load all address bits supported by
+a 64-bit implementation.
+"
+
+The issue was found by strace test suite where 32-bit ioctl_kvm_run test
+started segfaulting.
+
+Reported-by: Dmitry V. Levin <ldv@altlinux.org>
+Bisected-by: Masatake YAMATO <yamato@redhat.com>
+Fixes: 42b933b59721 ("x86/kvm/vmx: read MSR_{FS,KERNEL_GS}_BASE from current->thread")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c |   25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2376,6 +2376,7 @@ static void vmx_save_host_state(struct k
+       struct vcpu_vmx *vmx = to_vmx(vcpu);
+ #ifdef CONFIG_X86_64
+       int cpu = raw_smp_processor_id();
++      unsigned long fs_base, kernel_gs_base;
+ #endif
+       int i;
+@@ -2391,12 +2392,20 @@ static void vmx_save_host_state(struct k
+       vmx->host_state.gs_ldt_reload_needed = vmx->host_state.ldt_sel;
+ #ifdef CONFIG_X86_64
+-      save_fsgs_for_kvm();
+-      vmx->host_state.fs_sel = current->thread.fsindex;
+-      vmx->host_state.gs_sel = current->thread.gsindex;
+-#else
+-      savesegment(fs, vmx->host_state.fs_sel);
+-      savesegment(gs, vmx->host_state.gs_sel);
++      if (likely(is_64bit_mm(current->mm))) {
++              save_fsgs_for_kvm();
++              vmx->host_state.fs_sel = current->thread.fsindex;
++              vmx->host_state.gs_sel = current->thread.gsindex;
++              fs_base = current->thread.fsbase;
++              kernel_gs_base = current->thread.gsbase;
++      } else {
++#endif
++              savesegment(fs, vmx->host_state.fs_sel);
++              savesegment(gs, vmx->host_state.gs_sel);
++#ifdef CONFIG_X86_64
++              fs_base = read_msr(MSR_FS_BASE);
++              kernel_gs_base = read_msr(MSR_KERNEL_GS_BASE);
++      }
+ #endif
+       if (!(vmx->host_state.fs_sel & 7)) {
+               vmcs_write16(HOST_FS_SELECTOR, vmx->host_state.fs_sel);
+@@ -2416,10 +2425,10 @@ static void vmx_save_host_state(struct k
+       savesegment(ds, vmx->host_state.ds_sel);
+       savesegment(es, vmx->host_state.es_sel);
+-      vmcs_writel(HOST_FS_BASE, current->thread.fsbase);
++      vmcs_writel(HOST_FS_BASE, fs_base);
+       vmcs_writel(HOST_GS_BASE, cpu_kernelmode_gs_base(cpu));
+-      vmx->msr_host_kernel_gs_base = current->thread.gsbase;
++      vmx->msr_host_kernel_gs_base = kernel_gs_base;
+       if (is_long_mode(&vmx->vcpu))
+               wrmsrl(MSR_KERNEL_GS_BASE, vmx->msr_guest_kernel_gs_base);
+ #else
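Review bot: The new `if`/`else` in vmx_save_host_state() opens its braces inside one `#ifdef CONFIG_X86_64` block and closes them inside another, with the `#endif`/`#ifdef` pair splitting the `else` body; the braces only balance once the preprocessor has run, which defeats brace-matching editors and static checkers and is easy to break on the next edit. Duplicating the two savesegment() lines into a plain `#else` branch keeps each preprocessor arm self-contained at the cost of two repeated lines. Whether `current->mm` can be NULL here (a kernel thread reaching this path) is not decidable from the hunk; the likely() branch passes it straight to is_64bit_mm(), so that assumption should be confirmed. vmx_save_host_state() starts and ends outside the hunk.
```c
#ifdef CONFIG_X86_64
	if (likely(is_64bit_mm(current->mm))) {
		save_fsgs_for_kvm();
		vmx->host_state.fs_sel = current->thread.fsindex;
		vmx->host_state.gs_sel = current->thread.gsindex;
		fs_base = current->thread.fsbase;
		kernel_gs_base = current->thread.gsbase;
	} else {
		savesegment(fs, vmx->host_state.fs_sel);
		savesegment(gs, vmx->host_state.gs_sel);
		fs_base = read_msr(MSR_FS_BASE);
		kernel_gs_base = read_msr(MSR_KERNEL_GS_BASE);
	}
#else
	savesegment(fs, vmx->host_state.fs_sel);
	savesegment(gs, vmx->host_state.gs_sel);
#endif
	/* … unchanged: fs_sel/gs_sel selector handling … */
```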
diff --git a/queue-4.17/x86-kvmclock-set-pvti_cpu0_va-after-enabling-kvmclock.patch b/queue-4.17/x86-kvmclock-set-pvti_cpu0_va-after-enabling-kvmclock.patch
new file mode 100644 (file)
index 0000000..2ddfbff
--- /dev/null
@@ -0,0 +1,66 @@
+From 94ffba484663ab3fc695ce2a34871e8c3db499f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Sun, 15 Jul 2018 17:43:11 +0200
+Subject: x86/kvmclock: set pvti_cpu0_va after enabling kvmclock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Radim Krčmář <rkrcmar@redhat.com>
+
+commit 94ffba484663ab3fc695ce2a34871e8c3db499f7 upstream.
+
+pvti_cpu0_va is the address of shared kvmclock data structure.
+
+pvti_cpu0_va is currently kept unset (1) on 32 bit systems, (2) when
+kvmclock vsyscall is disabled, and (3) if kvmclock is not stable.
+This poses a problem, because kvm_ptp needs pvti_cpu0_va, but (1) can
+work on 32 bit, (2) has little relation to the vsyscall, and (3) does
+not need stable kvmclock (although kvmclock won't be used for system
+clock if it's not stable, so kvm_ptp is pointless in that case).
+
+Expose pvti_cpu0_va whenever kvmclock is enabled to allow all users to
+work with it.
+
+This fixes a regression found on Gentoo: https://bugs.gentoo.org/658544.
+
+Fixes: 9f08890ab906 ("x86/pvclock: add setter for pvclock_pvti_cpu0_va")
+Cc: stable@vger.kernel.org
+Reported-by: Andreas Steinmetz <ast@domdv.de>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/kvmclock.c |   11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/kvmclock.c
++++ b/arch/x86/kernel/kvmclock.c
+@@ -319,6 +319,8 @@ void __init kvmclock_init(void)
+       printk(KERN_INFO "kvm-clock: Using msrs %x and %x",
+               msr_kvm_system_time, msr_kvm_wall_clock);
++      pvclock_set_pvti_cpu0_va(hv_clock);
++
+       if (kvm_para_has_feature(KVM_FEATURE_CLOCKSOURCE_STABLE_BIT))
+               pvclock_set_flags(PVCLOCK_TSC_STABLE_BIT);
+@@ -366,14 +368,11 @@ int __init kvm_setup_vsyscall_timeinfo(v
+       vcpu_time = &hv_clock[cpu].pvti;
+       flags = pvclock_read_flags(vcpu_time);
+-      if (!(flags & PVCLOCK_TSC_STABLE_BIT)) {
+-              put_cpu();
+-              return 1;
+-      }
+-
+-      pvclock_set_pvti_cpu0_va(hv_clock);
+       put_cpu();
++      if (!(flags & PVCLOCK_TSC_STABLE_BIT))
++              return 1;
++
+       kvm_clock.archdata.vclock_mode = VCLOCK_PVCLOCK;
+ #endif
+       return 0;
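Review bot: The new unconditional `pvclock_set_pvti_cpu0_va(hv_clock)` in kvmclock_init() carries no explanation, while the code it replaced in kvm_setup_vsyscall_timeinfo() made exposure look deliberately tied to PVCLOCK_TSC_STABLE_BIT; a reader of the new code will not see why the dependency was dropped. Suggest a comment above the call: `/* Exposed whenever kvmclock is enabled: consumers such as kvm_ptp need it on 32-bit, without the vsyscall, and even when the clock is not stable. */`. The reordering in kvm_setup_vsyscall_timeinfo() is safe as written, since `flags` is read before put_cpu() and only tested afterwards. Both enclosing functions start outside the hunk.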
diff --git a/queue-4.17/x86-mce-remove-min-interval-polling-limitation.patch b/queue-4.17/x86-mce-remove-min-interval-polling-limitation.patch
new file mode 100644 (file)
index 0000000..e638f1f
--- /dev/null
@@ -0,0 +1,44 @@
+From fbdb328c6bae0a7c78d75734a738b66b86dffc96 Mon Sep 17 00:00:00 2001
+From: Dewet Thibaut <thibaut.dewet@nokia.com>
+Date: Mon, 16 Jul 2018 10:49:27 +0200
+Subject: x86/MCE: Remove min interval polling limitation
+
+From: Dewet Thibaut <thibaut.dewet@nokia.com>
+
+commit fbdb328c6bae0a7c78d75734a738b66b86dffc96 upstream.
+
+commit b3b7c4795c ("x86/MCE: Serialize sysfs changes") introduced a min
+interval limitation when setting the check interval for polled MCEs.
+However, the logic is that 0 disables polling for corrected MCEs, see
+Documentation/x86/x86_64/machinecheck. The limitation prevents disabling.
+
+Remove this limitation and allow the value 0 to disable polling again.
+
+Fixes: b3b7c4795c ("x86/MCE: Serialize sysfs changes")
+Signed-off-by: Dewet Thibaut <thibaut.dewet@nokia.com>
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+[ Massage commit message. ]
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20180716084927.24869-1-alexander.sverdlin@nokia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/mcheck/mce.c |    3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce.c
++++ b/arch/x86/kernel/cpu/mcheck/mce.c
+@@ -2147,9 +2147,6 @@ static ssize_t store_int_with_restart(st
+       if (check_interval == old_check_interval)
+               return ret;
+-      if (check_interval < 1)
+-              check_interval = 1;
+-
+       mutex_lock(&mce_sysfs_mutex);
+       mce_restart();
+       mutex_unlock(&mce_sysfs_mutex);
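Review bot: Removing the `check_interval < 1` clamp in store_int_with_restart() also removes the only guard against a negative value reaching mce_restart(); the documented meaning is 0 = disable, but nothing in the hunk rejects values below 0, and the declaration of check_interval (outside the hunk) decides whether they can be stored at all. If it is a signed int, consider restoring the old value and failing the write before the restart: `if (check_interval < 0) { check_interval = old_check_interval; return -EINVAL; }`. The function starts outside the hunk.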