4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Nov 2018 01:49:24 +0000 (17:49 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Nov 2018 01:49:24 +0000 (17:49 -0800)
added patches:
arm-dts-dra7-fix-up-unaligned-access-setting-for-pcie-ep.patch
arm-dts-exynos-add-missing-cooling-device-properties-for-cpus.patch
arm-dts-exynos-convert-exynos5250.dtsi-to-opp-v2-bindings.patch
arm-dts-exynos-mark-1-ghz-cpu-opp-as-suspend-opp-on-exynos5250.patch
arm-dts-exynos-remove-cooling-min-max-level-for-cpu-nodes.patch
asoc-intel-skylake-add-missing-break-in-skl_tplg_get_token.patch
asoc-sta32x-set-component-pointer-in-private-struct.patch
crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch
crypto-tcrypt-fix-ghash-generic-speed-test.patch
dmaengine-ppc4xx-fix-off-by-one-build-failure.patch
dmaengine-stm32-dma-fix-incomplete-configuration-in-cyclic-mode.patch
drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch
edac-amd64-add-family-17h-models-10h-2fh-support.patch
edac-i7core-sb-skx-_edac-fix-uncorrected-error-counting.patch
edac-skx_edac-fix-logical-channel-intermediate-decoding.patch
ext4-fix-setattr-project-check-in-fssetxattr-ioctl.patch
ext4-fix-use-after-free-race-in-ext4_remount-s-error-path.patch
ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch
ext4-propagate-error-from-dquot_initialize-in-ext4_ioc_fssetxattr.patch
f2fs-fix-to-account-io-correctly.patch
genirq-fix-race-on-spurious-interrupt-detection.patch
gfs2_meta-mount-can-get-null-dev_name.patch
hid-hiddev-fix-potential-spectre-v1.patch
hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch
ib-mlx5-fix-mr-cache-initialization.patch
iio-ad5064-fix-regulator-handling.patch
iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch
iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch
iio-adc-imx25-gcq-fix-leak-of-device_node-in-mx25_gcq_setup_cfgs.patch
ima-fix-showing-large-violations-or-runtime_measurements_count.patch
iwlwifi-mvm-check-return-value-of-rs_rate_from_ucode_rate.patch
jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch
kbuild-fix-kernel-bounds.c-w-1-warning.patch
kvm-arm64-fix-caching-of-host-mdcr_el2-value.patch
libertas-don-t-set-urb_zero_packet-on-in-usb-transfer.patch
libnvdimm-hold-reference-on-parent-while-scheduling-async-init.patch
libnvdimm-region-fail-badblocks-listing-for-inactive-regions.patch
mm-proc-pid-smaps_rollup-fix-null-pointer-deref-in-smaps_pte_range.patch
mm-rmap-map_pte-was-not-handling-private-zone_device-page-properly.patch
net-ipv4-defensive-cipso-option-parsing.patch
pci-add-device-ids-for-intel-gpu-spurious-interrupt-quirk.patch
pci-aspm-fix-link_state-teardown-on-device-removal.patch
pci-vmd-white-list-for-fast-interrupt-handlers.patch
printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch
revert-f2fs-fix-to-clear-pg_checked-flag-in-set_page_dirty.patch
signal-genwqe-fix-sending-of-sigkill.patch
signal-guard-against-negative-signal-numbers-in-copy_siginfo_from_user32.patch
smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch
smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch
smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch
tpm-restore-functionality-to-xen-vtpm-driver.patch
usb-gadget-udc-renesas_usb3-fix-b-device-mode-for-workaround.patch
usbip-vudc-bug-kmalloc-2048-not-tainted-poison-overwritten.patch
w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch
xen-balloon-support-xend-based-toolstack.patch
xen-blkfront-avoid-null-blkfront_info-dereference-on-device-removal.patch
xen-fix-race-in-xen_qlock_wait.patch
xen-make-xen_qlock_wait-nestable.patch
xen-pvh-don-t-try-to-unplug-emulated-devices.patch
xen-pvh-increase-early-stack-size.patch
xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch

62 files changed:
queue-4.14/arm-dts-dra7-fix-up-unaligned-access-setting-for-pcie-ep.patch [new file with mode: 0644]
queue-4.14/arm-dts-exynos-add-missing-cooling-device-properties-for-cpus.patch [new file with mode: 0644]
queue-4.14/arm-dts-exynos-convert-exynos5250.dtsi-to-opp-v2-bindings.patch [new file with mode: 0644]
queue-4.14/arm-dts-exynos-mark-1-ghz-cpu-opp-as-suspend-opp-on-exynos5250.patch [new file with mode: 0644]
queue-4.14/arm-dts-exynos-remove-cooling-min-max-level-for-cpu-nodes.patch [new file with mode: 0644]
queue-4.14/asoc-intel-skylake-add-missing-break-in-skl_tplg_get_token.patch [new file with mode: 0644]
queue-4.14/asoc-sta32x-set-component-pointer-in-private-struct.patch [new file with mode: 0644]
queue-4.14/crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch [new file with mode: 0644]
queue-4.14/crypto-tcrypt-fix-ghash-generic-speed-test.patch [new file with mode: 0644]
queue-4.14/dmaengine-ppc4xx-fix-off-by-one-build-failure.patch [new file with mode: 0644]
queue-4.14/dmaengine-stm32-dma-fix-incomplete-configuration-in-cyclic-mode.patch [new file with mode: 0644]
queue-4.14/drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch [new file with mode: 0644]
queue-4.14/edac-amd64-add-family-17h-models-10h-2fh-support.patch [new file with mode: 0644]
queue-4.14/edac-i7core-sb-skx-_edac-fix-uncorrected-error-counting.patch [new file with mode: 0644]
queue-4.14/edac-skx_edac-fix-logical-channel-intermediate-decoding.patch [new file with mode: 0644]
queue-4.14/ext4-fix-setattr-project-check-in-fssetxattr-ioctl.patch [new file with mode: 0644]
queue-4.14/ext4-fix-use-after-free-race-in-ext4_remount-s-error-path.patch [new file with mode: 0644]
queue-4.14/ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch [new file with mode: 0644]
queue-4.14/ext4-propagate-error-from-dquot_initialize-in-ext4_ioc_fssetxattr.patch [new file with mode: 0644]
queue-4.14/f2fs-fix-to-account-io-correctly.patch [new file with mode: 0644]
queue-4.14/genirq-fix-race-on-spurious-interrupt-detection.patch [new file with mode: 0644]
queue-4.14/gfs2_meta-mount-can-get-null-dev_name.patch [new file with mode: 0644]
queue-4.14/hid-hiddev-fix-potential-spectre-v1.patch [new file with mode: 0644]
queue-4.14/hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch [new file with mode: 0644]
queue-4.14/ib-mlx5-fix-mr-cache-initialization.patch [new file with mode: 0644]
queue-4.14/iio-ad5064-fix-regulator-handling.patch [new file with mode: 0644]
queue-4.14/iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch [new file with mode: 0644]
queue-4.14/iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch [new file with mode: 0644]
queue-4.14/iio-adc-imx25-gcq-fix-leak-of-device_node-in-mx25_gcq_setup_cfgs.patch [new file with mode: 0644]
queue-4.14/ima-fix-showing-large-violations-or-runtime_measurements_count.patch [new file with mode: 0644]
queue-4.14/iwlwifi-mvm-check-return-value-of-rs_rate_from_ucode_rate.patch [new file with mode: 0644]
queue-4.14/jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch [new file with mode: 0644]
queue-4.14/kbuild-fix-kernel-bounds.c-w-1-warning.patch [new file with mode: 0644]
queue-4.14/kvm-arm64-fix-caching-of-host-mdcr_el2-value.patch [new file with mode: 0644]
queue-4.14/libertas-don-t-set-urb_zero_packet-on-in-usb-transfer.patch [new file with mode: 0644]
queue-4.14/libnvdimm-hold-reference-on-parent-while-scheduling-async-init.patch [new file with mode: 0644]
queue-4.14/libnvdimm-region-fail-badblocks-listing-for-inactive-regions.patch [new file with mode: 0644]
queue-4.14/mm-proc-pid-smaps_rollup-fix-null-pointer-deref-in-smaps_pte_range.patch [new file with mode: 0644]
queue-4.14/mm-rmap-map_pte-was-not-handling-private-zone_device-page-properly.patch [new file with mode: 0644]
queue-4.14/net-ipv4-defensive-cipso-option-parsing.patch [new file with mode: 0644]
queue-4.14/pci-add-device-ids-for-intel-gpu-spurious-interrupt-quirk.patch [new file with mode: 0644]
queue-4.14/pci-aspm-fix-link_state-teardown-on-device-removal.patch [new file with mode: 0644]
queue-4.14/pci-vmd-white-list-for-fast-interrupt-handlers.patch [new file with mode: 0644]
queue-4.14/printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch [new file with mode: 0644]
queue-4.14/revert-f2fs-fix-to-clear-pg_checked-flag-in-set_page_dirty.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/signal-genwqe-fix-sending-of-sigkill.patch [new file with mode: 0644]
queue-4.14/signal-guard-against-negative-signal-numbers-in-copy_siginfo_from_user32.patch [new file with mode: 0644]
queue-4.14/smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch [new file with mode: 0644]
queue-4.14/smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch [new file with mode: 0644]
queue-4.14/smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch [new file with mode: 0644]
queue-4.14/tpm-restore-functionality-to-xen-vtpm-driver.patch [new file with mode: 0644]
queue-4.14/usb-gadget-udc-renesas_usb3-fix-b-device-mode-for-workaround.patch [new file with mode: 0644]
queue-4.14/usbip-vudc-bug-kmalloc-2048-not-tainted-poison-overwritten.patch [new file with mode: 0644]
queue-4.14/w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch [new file with mode: 0644]
queue-4.14/xen-balloon-support-xend-based-toolstack.patch [new file with mode: 0644]
queue-4.14/xen-blkfront-avoid-null-blkfront_info-dereference-on-device-removal.patch [new file with mode: 0644]
queue-4.14/xen-fix-race-in-xen_qlock_wait.patch [new file with mode: 0644]
queue-4.14/xen-make-xen_qlock_wait-nestable.patch [new file with mode: 0644]
queue-4.14/xen-pvh-don-t-try-to-unplug-emulated-devices.patch [new file with mode: 0644]
queue-4.14/xen-pvh-increase-early-stack-size.patch [new file with mode: 0644]
queue-4.14/xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch [new file with mode: 0644]

diff --git a/queue-4.14/arm-dts-dra7-fix-up-unaligned-access-setting-for-pcie-ep.patch b/queue-4.14/arm-dts-dra7-fix-up-unaligned-access-setting-for-pcie-ep.patch
new file mode 100644 (file)
index 0000000..6d6c34f
--- /dev/null
@@ -0,0 +1,35 @@
+From 6d0af44a82be87c13f2320821e9fbb8b8cf5a56f Mon Sep 17 00:00:00 2001
+From: Vignesh R <vigneshr@ti.com>
+Date: Tue, 25 Sep 2018 10:51:51 +0530
+Subject: ARM: dts: dra7: Fix up unaligned access setting for PCIe EP
+
+From: Vignesh R <vigneshr@ti.com>
+
+commit 6d0af44a82be87c13f2320821e9fbb8b8cf5a56f upstream.
+
+Bit positions of PCIE_SS1_AXI2OCP_LEGACY_MODE_ENABLE and
+PCIE_SS1_AXI2OCP_LEGACY_MODE_ENABLE in CTRL_CORE_SMA_SW_7 are
+incorrectly documented in the TRM. In fact, the bit positions are
+swapped. Update the DT bindings for PCIe EP to reflect the same.
+
+Fixes: d23f3839fe97 ("ARM: dts: DRA7: Add pcie1 dt node for EP mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/dra7.dtsi |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/dra7.dtsi
++++ b/arch/arm/boot/dts/dra7.dtsi
+@@ -333,7 +333,7 @@
+                               ti,hwmods = "pcie1";
+                               phys = <&pcie1_phy>;
+                               phy-names = "pcie-phy0";
+-                              ti,syscon-unaligned-access = <&scm_conf1 0x14 2>;
++                              ti,syscon-unaligned-access = <&scm_conf1 0x14 1>;
+                               status = "disabled";
+                       };
+               };
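Review bot: The change from `2` to `1` in `ti,syscon-unaligned-access` has no in-file explanation, and the description names PCIE_SS1_AXI2OCP_LEGACY_MODE_ENABLE twice, so a reader cannot tell which two fields the TRM has swapped. Because the value deliberately contradicts the published TRM, a comment above the property would stop a later "correction" back to the documented position, for example `/* bit position in CTRL_CORE_SMA_SW_7; the TRM documents it swapped */`. The enclosing PCIe EP node starts outside the hunk, so the register offset `0x14` cannot be cross-checked from here.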
diff --git a/queue-4.14/arm-dts-exynos-add-missing-cooling-device-properties-for-cpus.patch b/queue-4.14/arm-dts-exynos-add-missing-cooling-device-properties-for-cpus.patch
new file mode 100644 (file)
index 0000000..0694858
--- /dev/null
@@ -0,0 +1,111 @@
+From 672f33198bee21ee91e6af2cb8f67cfc8bc97ec1 Mon Sep 17 00:00:00 2001
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Fri, 25 May 2018 16:01:53 +0530
+Subject: arm: dts: exynos: Add missing cooling device properties for CPUs
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+commit 672f33198bee21ee91e6af2cb8f67cfc8bc97ec1 upstream.
+
+The cooling device properties, like "#cooling-cells" and
+"dynamic-power-coefficient", should either be present for all the CPUs
+of a cluster or none. If these are present only for a subset of CPUs of
+a cluster then things will start falling apart as soon as the CPUs are
+brought online in a different order. For example, this will happen
+because the operating system looks for such properties in the CPU node
+it is trying to bring up, so that it can register a cooling device.
+
+Add such missing properties.
+
+Fix other missing properties (clocks, OPP, clock latency) as well to
+make it all work.
+
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/exynos3250.dtsi |   16 ++++++++++++++++
+ arch/arm/boot/dts/exynos4210.dtsi |   13 +++++++++++++
+ arch/arm/boot/dts/exynos5250.dtsi |   23 +++++++++++++++++++++++
+ 3 files changed, 52 insertions(+)
+
+--- a/arch/arm/boot/dts/exynos3250.dtsi
++++ b/arch/arm/boot/dts/exynos3250.dtsi
+@@ -82,6 +82,22 @@
+                       compatible = "arm,cortex-a7";
+                       reg = <1>;
+                       clock-frequency = <1000000000>;
++                      clocks = <&cmu CLK_ARM_CLK>;
++                      clock-names = "cpu";
++                      #cooling-cells = <2>;
++
++                      operating-points = <
++                              1000000 1150000
++                              900000  1112500
++                              800000  1075000
++                              700000  1037500
++                              600000  1000000
++                              500000  962500
++                              400000  925000
++                              300000  887500
++                              200000  850000
++                              100000  850000
++                      >;
+               };
+       };
+--- a/arch/arm/boot/dts/exynos4210.dtsi
++++ b/arch/arm/boot/dts/exynos4210.dtsi
+@@ -59,6 +59,19 @@
+                       device_type = "cpu";
+                       compatible = "arm,cortex-a9";
+                       reg = <0x901>;
++                      clocks = <&clock CLK_ARM_CLK>;
++                      clock-names = "cpu";
++                      clock-latency = <160000>;
++
++                      operating-points = <
++                              1200000 1250000
++                              1000000 1150000
++                              800000  1075000
++                              500000  975000
++                              400000  975000
++                              200000  950000
++                      >;
++                      #cooling-cells = <2>; /* min followed by max */
+               };
+       };
+--- a/arch/arm/boot/dts/exynos5250.dtsi
++++ b/arch/arm/boot/dts/exynos5250.dtsi
+@@ -87,6 +87,29 @@
+                       compatible = "arm,cortex-a15";
+                       reg = <1>;
+                       clock-frequency = <1700000000>;
++                      clocks = <&clock CLK_ARM_CLK>;
++                      clock-names = "cpu";
++                      clock-latency = <140000>;
++
++                      operating-points = <
++                              1700000 1300000
++                              1600000 1250000
++                              1500000 1225000
++                              1400000 1200000
++                              1300000 1150000
++                              1200000 1125000
++                              1100000 1100000
++                              1000000 1075000
++                               900000 1050000
++                               800000 1025000
++                               700000 1012500
++                               600000 1000000
++                               500000  975000
++                               400000  950000
++                               300000  937500
++                               200000  925000
++                      >;
++                      #cooling-cells = <2>; /* min followed by max */
+               };
+       };
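Review bot: The `operating-points` tables added to the second CPU node in exynos3250.dtsi, exynos4210.dtsi and exynos5250.dtsi are hand-copied frequency/voltage pairs, and the first CPU's table they presumably have to match lies outside all three hunks. Equality of the two tables therefore cannot be confirmed from this patch and should be checked against the full files before it is queued. The exynos3250 hunk also adds no `clock-latency`, unlike the other two files, and its `#cooling-cells = <2>;` lacks the `/* min followed by max */` comment the other two carry. Whether the missing `clock-latency` is intentional depends on the sibling node, which is not visible here.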
diff --git a/queue-4.14/arm-dts-exynos-convert-exynos5250.dtsi-to-opp-v2-bindings.patch b/queue-4.14/arm-dts-exynos-convert-exynos5250.dtsi-to-opp-v2-bindings.patch
new file mode 100644 (file)
index 0000000..f95cb8f
--- /dev/null
@@ -0,0 +1,178 @@
+From eb9e16d8573e243f8175647f851eb5085dbe97a4 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Tue, 7 Aug 2018 12:48:48 +0200
+Subject: ARM: dts: exynos: Convert exynos5250.dtsi to opp-v2 bindings
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit eb9e16d8573e243f8175647f851eb5085dbe97a4 upstream.
+
+Convert Exynos5250 to OPP-v2 bindings. This is a preparation to add proper
+support for suspend operation point, which cannot be marked in opp-v1.
+
+Cc: <stable@vger.kernel.org> # 4.3.x: cd6f55457eb4: ARM: dts: exynos: Remove "cooling-{min|max}-level" for CPU nodes
+Cc: <stable@vger.kernel.org> # 4.3.x: 672f33198bee: arm: dts: exynos: Add missing cooling device properties for CPUs
+Cc: <stable@vger.kernel.org> # 4.3.x
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/exynos5250.dtsi |  130 +++++++++++++++++++++++++-------------
+ 1 file changed, 88 insertions(+), 42 deletions(-)
+
+--- a/arch/arm/boot/dts/exynos5250.dtsi
++++ b/arch/arm/boot/dts/exynos5250.dtsi
+@@ -57,62 +57,108 @@
+                       device_type = "cpu";
+                       compatible = "arm,cortex-a15";
+                       reg = <0>;
+-                      clock-frequency = <1700000000>;
+                       clocks = <&clock CLK_ARM_CLK>;
+                       clock-names = "cpu";
+-                      clock-latency = <140000>;
+-
+-                      operating-points = <
+-                              1700000 1300000
+-                              1600000 1250000
+-                              1500000 1225000
+-                              1400000 1200000
+-                              1300000 1150000
+-                              1200000 1125000
+-                              1100000 1100000
+-                              1000000 1075000
+-                               900000 1050000
+-                               800000 1025000
+-                               700000 1012500
+-                               600000 1000000
+-                               500000  975000
+-                               400000  950000
+-                               300000  937500
+-                               200000  925000
+-                      >;
++                      operating-points-v2 = <&cpu0_opp_table>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+               cpu@1 {
+                       device_type = "cpu";
+                       compatible = "arm,cortex-a15";
+                       reg = <1>;
+-                      clock-frequency = <1700000000>;
+                       clocks = <&clock CLK_ARM_CLK>;
+                       clock-names = "cpu";
+-                      clock-latency = <140000>;
+-
+-                      operating-points = <
+-                              1700000 1300000
+-                              1600000 1250000
+-                              1500000 1225000
+-                              1400000 1200000
+-                              1300000 1150000
+-                              1200000 1125000
+-                              1100000 1100000
+-                              1000000 1075000
+-                               900000 1050000
+-                               800000 1025000
+-                               700000 1012500
+-                               600000 1000000
+-                               500000  975000
+-                               400000  950000
+-                               300000  937500
+-                               200000  925000
+-                      >;
++                      operating-points-v2 = <&cpu0_opp_table>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+       };
++      cpu0_opp_table: opp_table0 {
++              compatible = "operating-points-v2";
++              opp-shared;
++
++              opp-200000000 {
++                      opp-hz = /bits/ 64 <200000000>;
++                      opp-microvolt = <925000>;
++                      clock-latency-ns = <140000>;
++              };
++              opp-300000000 {
++                      opp-hz = /bits/ 64 <300000000>;
++                      opp-microvolt = <937500>;
++                      clock-latency-ns = <140000>;
++              };
++              opp-400000000 {
++                      opp-hz = /bits/ 64 <400000000>;
++                      opp-microvolt = <950000>;
++                      clock-latency-ns = <140000>;
++              };
++              opp-500000000 {
++                      opp-hz = /bits/ 64 <500000000>;
++                      opp-microvolt = <975000>;
++                      clock-latency-ns = <140000>;
++              };
++              opp-600000000 {
++                      opp-hz = /bits/ 64 <600000000>;
++                      opp-microvolt = <1000000>;
++                      clock-latency-ns = <140000>;
++              };
++              opp-700000000 {
++                      opp-hz = /bits/ 64 <700000000>;
++                      opp-microvolt = <1012500>;
++                      clock-latency-ns = <140000>;
++              };
++              opp-800000000 {
++                      opp-hz = /bits/ 64 <800000000>;
++                      opp-microvolt = <1025000>;
++                      clock-latency-ns = <140000>;
++              };
++              opp-900000000 {
++                      opp-hz = /bits/ 64 <900000000>;
++                      opp-microvolt = <1050000>;
++                      clock-latency-ns = <140000>;
++              };
++              opp-1000000000 {
++                      opp-hz = /bits/ 64 <1000000000>;
++                      opp-microvolt = <1075000>;
++                      clock-latency-ns = <140000>;
++              };
++              opp-1100000000 {
++                      opp-hz = /bits/ 64 <1100000000>;
++                      opp-microvolt = <1100000>;
++                      clock-latency-ns = <140000>;
++              };
++              opp-1200000000 {
++                      opp-hz = /bits/ 64 <1200000000>;
++                      opp-microvolt = <1125000>;
++                      clock-latency-ns = <140000>;
++              };
++              opp-1300000000 {
++                      opp-hz = /bits/ 64 <1300000000>;
++                      opp-microvolt = <1150000>;
++                      clock-latency-ns = <140000>;
++              };
++              opp-1400000000 {
++                      opp-hz = /bits/ 64 <1400000000>;
++                      opp-microvolt = <1200000>;
++                      clock-latency-ns = <140000>;
++              };
++              opp-1500000000 {
++                      opp-hz = /bits/ 64 <1500000000>;
++                      opp-microvolt = <1225000>;
++                      clock-latency-ns = <140000>;
++              };
++              opp-1600000000 {
++                      opp-hz = /bits/ 64 <1600000000>;
++                      opp-microvolt = <1250000>;
++                      clock-latency-ns = <140000>;
++              };
++              opp-1700000000 {
++                      opp-hz = /bits/ 64 <1700000000>;
++                      opp-microvolt = <1300000>;
++                      clock-latency-ns = <140000>;
++              };
++      };
++
+       soc: soc {
+               sysram@02020000 {
+                       compatible = "mmio-sram";
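Review bot: Both CPU nodes lose `clock-frequency = <1700000000>;` in this conversion, but the description only mentions the move to opp-v2, so it is unclear whether that removal is intended or whether anything still reads the property. The sixteen `opp-microvolt` values do match the removed v1 pairs line for line, which is the part that matters for not over- or under-volting the cores. A short comment above the new table would record where the values came from, for example `/* shared by both CPUs; values carried over from the former operating-points tables */`. As a style point, the node name `opp_table0` uses an underscore where devicetree node names conventionally use hyphens.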
diff --git a/queue-4.14/arm-dts-exynos-mark-1-ghz-cpu-opp-as-suspend-opp-on-exynos5250.patch b/queue-4.14/arm-dts-exynos-mark-1-ghz-cpu-opp-as-suspend-opp-on-exynos5250.patch
new file mode 100644 (file)
index 0000000..9fa0e0c
--- /dev/null
@@ -0,0 +1,37 @@
+From 645b23da6f8b47f295fa87051335d41d139717a5 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Tue, 7 Aug 2018 12:48:49 +0200
+Subject: ARM: dts: exynos: Mark 1 GHz CPU OPP as suspend OPP on Exynos5250
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit 645b23da6f8b47f295fa87051335d41d139717a5 upstream.
+
+1 GHz CPU OPP is the default boot value for the Exynos5250 SOC, so mark it
+as suspend OPP. This fixes suspend/resume on Samsung Exynos5250 Snow
+Chomebook, which was broken since switching to generic cpufreq-dt driver
+in v4.3.
+
+Cc: <stable@vger.kernel.org> # 4.3.x: cd6f55457eb4: ARM: dts: exynos: Remove "cooling-{min|max}-level" for CPU nodes
+Cc: <stable@vger.kernel.org> # 4.3.x: 672f33198bee: arm: dts: exynos: Add missing cooling device properties for CPUs
+Cc: <stable@vger.kernel.org> # 4.3.x
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/exynos5250.dtsi |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/boot/dts/exynos5250.dtsi
++++ b/arch/arm/boot/dts/exynos5250.dtsi
+@@ -121,6 +121,7 @@
+                       opp-hz = /bits/ 64 <1000000000>;
+                       opp-microvolt = <1075000>;
+                       clock-latency-ns = <140000>;
++                      opp-suspend;
+               };
+               opp-1100000000 {
+                       opp-hz = /bits/ 64 <1100000000>;
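Review bot: The added `opp-suspend;` sits in the 1 GHz entry of the opp-v2 table, which exists in 4.14 only once the exynos5250 opp-v2 conversion queued in this same commit has been applied. This patch therefore has to come after that one in queue-4.14/series, and the series change is not visible on this page to confirm the order. The reason for picking this entry lives only in the commit message, so a comment next to the flag would keep it in the file: `/* default boot frequency, used as the suspend OPP */`.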
diff --git a/queue-4.14/arm-dts-exynos-remove-cooling-min-max-level-for-cpu-nodes.patch b/queue-4.14/arm-dts-exynos-remove-cooling-min-max-level-for-cpu-nodes.patch
new file mode 100644 (file)
index 0000000..9f4700d
--- /dev/null
@@ -0,0 +1,208 @@
+From cd6f55457eb449a388e793abd676e3a5b73510bc Mon Sep 17 00:00:00 2001
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Fri, 9 Feb 2018 14:28:01 +0530
+Subject: ARM: dts: exynos: Remove "cooling-{min|max}-level" for CPU nodes
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+commit cd6f55457eb449a388e793abd676e3a5b73510bc upstream.
+
+The "cooling-min-level" and "cooling-max-level" properties are not
+parsed by any part of the kernel currently and the max cooling state of
+a CPU cooling device is found by referring to the cpufreq table instead.
+
+Remove the unused properties from the CPU nodes.
+
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/exynos4210.dtsi      |    2 --
+ arch/arm/boot/dts/exynos4412.dtsi      |    2 --
+ arch/arm/boot/dts/exynos5250.dtsi      |    2 --
+ arch/arm/boot/dts/exynos5420-cpus.dtsi |   16 ----------------
+ arch/arm/boot/dts/exynos5422-cpus.dtsi |   16 ----------------
+ 5 files changed, 38 deletions(-)
+
+--- a/arch/arm/boot/dts/exynos4210.dtsi
++++ b/arch/arm/boot/dts/exynos4210.dtsi
+@@ -52,8 +52,6 @@
+                               400000  975000
+                               200000  950000
+                       >;
+-                      cooling-min-level = <4>;
+-                      cooling-max-level = <2>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+--- a/arch/arm/boot/dts/exynos4412.dtsi
++++ b/arch/arm/boot/dts/exynos4412.dtsi
+@@ -45,8 +45,6 @@
+                       clocks = <&clock CLK_ARM_CLK>;
+                       clock-names = "cpu";
+                       operating-points-v2 = <&cpu0_opp_table>;
+-                      cooling-min-level = <13>;
+-                      cooling-max-level = <7>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+--- a/arch/arm/boot/dts/exynos5250.dtsi
++++ b/arch/arm/boot/dts/exynos5250.dtsi
+@@ -80,8 +80,6 @@
+                                300000  937500
+                                200000  925000
+                       >;
+-                      cooling-min-level = <15>;
+-                      cooling-max-level = <9>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+               cpu@1 {
+--- a/arch/arm/boot/dts/exynos5420-cpus.dtsi
++++ b/arch/arm/boot/dts/exynos5420-cpus.dtsi
+@@ -33,8 +33,6 @@
+                       clock-frequency = <1800000000>;
+                       cci-control-port = <&cci_control1>;
+                       operating-points-v2 = <&cluster_a15_opp_table>;
+-                      cooling-min-level = <0>;
+-                      cooling-max-level = <11>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+@@ -45,8 +43,6 @@
+                       clock-frequency = <1800000000>;
+                       cci-control-port = <&cci_control1>;
+                       operating-points-v2 = <&cluster_a15_opp_table>;
+-                      cooling-min-level = <0>;
+-                      cooling-max-level = <11>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+@@ -57,8 +53,6 @@
+                       clock-frequency = <1800000000>;
+                       cci-control-port = <&cci_control1>;
+                       operating-points-v2 = <&cluster_a15_opp_table>;
+-                      cooling-min-level = <0>;
+-                      cooling-max-level = <11>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+@@ -69,8 +63,6 @@
+                       clock-frequency = <1800000000>;
+                       cci-control-port = <&cci_control1>;
+                       operating-points-v2 = <&cluster_a15_opp_table>;
+-                      cooling-min-level = <0>;
+-                      cooling-max-level = <11>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+@@ -82,8 +74,6 @@
+                       clock-frequency = <1000000000>;
+                       cci-control-port = <&cci_control0>;
+                       operating-points-v2 = <&cluster_a7_opp_table>;
+-                      cooling-min-level = <0>;
+-                      cooling-max-level = <7>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+@@ -94,8 +84,6 @@
+                       clock-frequency = <1000000000>;
+                       cci-control-port = <&cci_control0>;
+                       operating-points-v2 = <&cluster_a7_opp_table>;
+-                      cooling-min-level = <0>;
+-                      cooling-max-level = <7>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+@@ -106,8 +94,6 @@
+                       clock-frequency = <1000000000>;
+                       cci-control-port = <&cci_control0>;
+                       operating-points-v2 = <&cluster_a7_opp_table>;
+-                      cooling-min-level = <0>;
+-                      cooling-max-level = <7>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+@@ -118,8 +104,6 @@
+                       clock-frequency = <1000000000>;
+                       cci-control-port = <&cci_control0>;
+                       operating-points-v2 = <&cluster_a7_opp_table>;
+-                      cooling-min-level = <0>;
+-                      cooling-max-level = <7>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+       };
+--- a/arch/arm/boot/dts/exynos5422-cpus.dtsi
++++ b/arch/arm/boot/dts/exynos5422-cpus.dtsi
+@@ -32,8 +32,6 @@
+                       clock-frequency = <1000000000>;
+                       cci-control-port = <&cci_control0>;
+                       operating-points-v2 = <&cluster_a7_opp_table>;
+-                      cooling-min-level = <0>;
+-                      cooling-max-level = <11>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+@@ -44,8 +42,6 @@
+                       clock-frequency = <1000000000>;
+                       cci-control-port = <&cci_control0>;
+                       operating-points-v2 = <&cluster_a7_opp_table>;
+-                      cooling-min-level = <0>;
+-                      cooling-max-level = <11>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+@@ -56,8 +52,6 @@
+                       clock-frequency = <1000000000>;
+                       cci-control-port = <&cci_control0>;
+                       operating-points-v2 = <&cluster_a7_opp_table>;
+-                      cooling-min-level = <0>;
+-                      cooling-max-level = <11>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+@@ -68,8 +62,6 @@
+                       clock-frequency = <1000000000>;
+                       cci-control-port = <&cci_control0>;
+                       operating-points-v2 = <&cluster_a7_opp_table>;
+-                      cooling-min-level = <0>;
+-                      cooling-max-level = <11>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+@@ -81,8 +73,6 @@
+                       clock-frequency = <1800000000>;
+                       cci-control-port = <&cci_control1>;
+                       operating-points-v2 = <&cluster_a15_opp_table>;
+-                      cooling-min-level = <0>;
+-                      cooling-max-level = <15>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+@@ -93,8 +83,6 @@
+                       clock-frequency = <1800000000>;
+                       cci-control-port = <&cci_control1>;
+                       operating-points-v2 = <&cluster_a15_opp_table>;
+-                      cooling-min-level = <0>;
+-                      cooling-max-level = <15>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+@@ -105,8 +93,6 @@
+                       clock-frequency = <1800000000>;
+                       cci-control-port = <&cci_control1>;
+                       operating-points-v2 = <&cluster_a15_opp_table>;
+-                      cooling-min-level = <0>;
+-                      cooling-max-level = <15>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+@@ -117,8 +103,6 @@
+                       clock-frequency = <1800000000>;
+                       cci-control-port = <&cci_control1>;
+                       operating-points-v2 = <&cluster_a15_opp_table>;
+-                      cooling-min-level = <0>;
+-                      cooling-max-level = <15>;
+                       #cooling-cells = <2>; /* min followed by max */
+               };
+       };
diff --git a/queue-4.14/asoc-intel-skylake-add-missing-break-in-skl_tplg_get_token.patch b/queue-4.14/asoc-intel-skylake-add-missing-break-in-skl_tplg_get_token.patch
new file mode 100644 (file)
index 0000000..aa9da3b
--- /dev/null
@@ -0,0 +1,33 @@
+From 9c80c5a8831471e0a3e139aad1b0d4c0fdc50b2f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 3 Oct 2018 19:31:44 +0200
+Subject: ASoC: intel: skylake: Add missing break in skl_tplg_get_token()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 9c80c5a8831471e0a3e139aad1b0d4c0fdc50b2f upstream.
+
+skl_tplg_get_token() misses a break in the big switch() block for
+SKL_TKN_U8_CORE_ID entry.
+Spotted nicely by -Wimplicit-fallthrough compiler option.
+
+Fixes: 6277e83292a2 ("ASoC: Intel: Skylake: Parse vendor tokens to build module data")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/intel/skylake/skl-topology.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/intel/skylake/skl-topology.c
++++ b/sound/soc/intel/skylake/skl-topology.c
+@@ -2360,6 +2360,7 @@ static int skl_tplg_get_token(struct dev
+       case SKL_TKN_U8_CORE_ID:
+               mconfig->core_id = tkn_elem->value;
++              break;
+       case SKL_TKN_U8_MOD_TYPE:
+               mconfig->m_type = tkn_elem->value;
diff --git a/queue-4.14/asoc-sta32x-set-component-pointer-in-private-struct.patch b/queue-4.14/asoc-sta32x-set-component-pointer-in-private-struct.patch
new file mode 100644 (file)
index 0000000..7ef772c
--- /dev/null
@@ -0,0 +1,38 @@
+From 747df19747bc9752cd40b9cce761e17a033aa5c2 Mon Sep 17 00:00:00 2001
+From: Daniel Mack <daniel@zonque.org>
+Date: Thu, 11 Oct 2018 20:32:05 +0200
+Subject: ASoC: sta32x: set ->component pointer in private struct
+
+From: Daniel Mack <daniel@zonque.org>
+
+commit 747df19747bc9752cd40b9cce761e17a033aa5c2 upstream.
+
+The ESD watchdog code in sta32x_watchdog() dereferences the pointer
+which is never assigned.
+
+This is a regression from a1be4cead9b950 ("ASoC: sta32x: Convert to direct
+regmap API usage.") which went unnoticed since nobody seems to use that ESD
+workaround.
+
+Fixes: a1be4cead9b950 ("ASoC: sta32x: Convert to direct regmap API usage.")
+Signed-off-by: Daniel Mack <daniel@zonque.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/sta32x.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/soc/codecs/sta32x.c
++++ b/sound/soc/codecs/sta32x.c
+@@ -879,6 +879,9 @@ static int sta32x_probe(struct snd_soc_c
+       struct sta32x_priv *sta32x = snd_soc_codec_get_drvdata(codec);
+       struct sta32x_platform_data *pdata = sta32x->pdata;
+       int i, ret = 0, thermal = 0;
++
++      sta32x->component = component;
++
+       ret = regulator_bulk_enable(ARRAY_SIZE(sta32x->supplies),
+                                   sta32x->supplies);
+       if (ret != 0) {
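Review bot: The added `sta32x->component = component;` in sta32x_probe() uses an identifier that the visible context does not define. The surrounding lines still call `snd_soc_codec_get_drvdata(codec)`, so the probe argument in this tree appears to be `codec` rather than `component`. If that holds, the backport does not compile, and the pointer that sta32x_watchdog() dereferences stays unassigned. The assignment should use the field and argument the 4.14 driver actually has (presumably the codec pointer; confirm against `struct sta32x_priv` in this tree). The function signature is truncated in the hunk header and the body continues past the hunk.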
diff --git a/queue-4.14/crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch b/queue-4.14/crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch
new file mode 100644 (file)
index 0000000..4916440
--- /dev/null
@@ -0,0 +1,40 @@
+From fbe1a850b3b1522e9fc22319ccbbcd2ab05328d2 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Thu, 13 Sep 2018 10:51:31 +0200
+Subject: crypto: lrw - Fix out-of bounds access on counter overflow
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+commit fbe1a850b3b1522e9fc22319ccbbcd2ab05328d2 upstream.
+
+When the LRW block counter overflows, the current implementation returns
+128 as the index to the precomputed multiplication table, which has 128
+entries. This patch fixes it to return the correct value (127).
+
+Fixes: 64470f1b8510 ("[CRYPTO] lrw: Liskov Rivest Wagner, a tweakable narrow block cipher mode")
+Cc: <stable@vger.kernel.org> # 2.6.20+
+Reported-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/lrw.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/crypto/lrw.c
++++ b/crypto/lrw.c
+@@ -139,7 +139,12 @@ static inline int get_index128(be128 *bl
+               return x + ffz(val);
+       }
+-      return x;
++      /*
++       * If we get here, then x == 128 and we are incrementing the counter
++       * from all ones to all zeros. This means we must return index 127, i.e.
++       * the one corresponding to key2*{ 1,...,1 }.
++       */
++      return 127;
+ }
+ static int post_crypt(struct skcipher_request *req)
diff --git a/queue-4.14/crypto-tcrypt-fix-ghash-generic-speed-test.patch b/queue-4.14/crypto-tcrypt-fix-ghash-generic-speed-test.patch
new file mode 100644 (file)
index 0000000..bcb3cad
--- /dev/null
@@ -0,0 +1,43 @@
+From 331351f89c36bf7d03561a28b6f64fa10a9f6f3a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?= <horia.geanta@nxp.com>
+Date: Wed, 12 Sep 2018 16:20:48 +0300
+Subject: crypto: tcrypt - fix ghash-generic speed test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă <horia.geanta@nxp.com>
+
+commit 331351f89c36bf7d03561a28b6f64fa10a9f6f3a upstream.
+
+ghash is a keyed hash algorithm, thus setkey needs to be called.
+Otherwise the following error occurs:
+$ modprobe tcrypt mode=318 sec=1
+testing speed of async ghash-generic (ghash-generic)
+tcrypt: test  0 (   16 byte blocks,   16 bytes per update,   1 updates):
+tcrypt: hashing failed ret=-126
+
+Cc: <stable@vger.kernel.org> # 4.6+
+Fixes: 0660511c0bee ("crypto: tcrypt - Use ahash")
+Tested-by: Franck Lenormand <franck.lenormand@nxp.com>
+Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/tcrypt.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/crypto/tcrypt.c
++++ b/crypto/tcrypt.c
+@@ -727,6 +727,9 @@ static void test_ahash_speed_common(cons
+                       break;
+               }
++              if (speed[i].klen)
++                      crypto_ahash_setkey(tfm, tvmem[0], speed[i].klen);
++
+               pr_info("test%3u "
+                       "(%5u byte blocks,%5u bytes per update,%4u updates): ",
+                       i, speed[i].blen, speed[i].plen, speed[i].blen / speed[i].plen);
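Review bot: The return value of `crypto_ahash_setkey()` is discarded in the lines added to test_ahash_speed_common(), so a rejected key would only surface later as the generic `hashing failed` message quoted in the commit description. Checking it before the measurement, e.g. `ret = crypto_ahash_setkey(tfm, tvmem[0], speed[i].klen);` followed by `if (ret) { pr_err("setkey failed ret=%d\n", ret); break; }`, would name the cause directly. This assumes `ret` is the function's existing status variable, which the hunk does not show. The key bytes come from `tvmem[0]`, whose contents are set outside the hunk.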
diff --git a/queue-4.14/dmaengine-ppc4xx-fix-off-by-one-build-failure.patch b/queue-4.14/dmaengine-ppc4xx-fix-off-by-one-build-failure.patch
new file mode 100644 (file)
index 0000000..a58f6e6
--- /dev/null
@@ -0,0 +1,39 @@
+From 27d8d2d7a9b7eb05c4484b74b749eaee7b50b845 Mon Sep 17 00:00:00 2001
+From: Christian Lamparter <chunkeey@gmail.com>
+Date: Sun, 14 Oct 2018 23:28:50 +0200
+Subject: dmaengine: ppc4xx: fix off-by-one build failure
+
+From: Christian Lamparter <chunkeey@gmail.com>
+
+commit 27d8d2d7a9b7eb05c4484b74b749eaee7b50b845 upstream.
+
+There are two poly_store, but one should have been poly_show.
+
+|adma.c:4382:16: error: conflicting types for 'poly_store'
+| static ssize_t poly_store(struct device_driver *dev, const char *buf,
+|                ^~~~~~~~~~
+|adma.c:4363:16: note: previous definition of 'poly_store' was here
+| static ssize_t poly_store(struct device_driver *dev, char *buf)
+|                ^~~~~~~~~~
+
+CC: stable@vger.kernel.org
+Fixes: 13efe1a05384 ("dmaengine: ppc4xx: remove DRIVER_ATTR() usage")
+Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/ppc4xx/adma.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/ppc4xx/adma.c
++++ b/drivers/dma/ppc4xx/adma.c
+@@ -4360,7 +4360,7 @@ static ssize_t enable_store(struct devic
+ }
+ static DRIVER_ATTR_RW(enable);
+-static ssize_t poly_store(struct device_driver *dev, char *buf)
++static ssize_t poly_show(struct device_driver *dev, char *buf)
+ {
+       ssize_t size = 0;
+       u32 reg;
diff --git a/queue-4.14/dmaengine-stm32-dma-fix-incomplete-configuration-in-cyclic-mode.patch b/queue-4.14/dmaengine-stm32-dma-fix-incomplete-configuration-in-cyclic-mode.patch
new file mode 100644 (file)
index 0000000..d8b22b9
--- /dev/null
@@ -0,0 +1,54 @@
+From e57cb3b3f10d005410f09d4598cc6d62b833f2b0 Mon Sep 17 00:00:00 2001
+From: Pierre Yves MORDRET <pierre-yves.mordret@st.com>
+Date: Tue, 13 Mar 2018 17:42:06 +0100
+Subject: dmaengine: stm32-dma: fix incomplete configuration in cyclic mode
+
+From: Pierre Yves MORDRET <pierre-yves.mordret@st.com>
+
+commit e57cb3b3f10d005410f09d4598cc6d62b833f2b0 upstream.
+
+When in cyclic mode, the configuration is updated after having started the
+DMA hardware (STM32_DMA_SCR_EN) leading to incomplete configuration of
+SMxAR registers.
+
+Signed-off-by: Pierre-Yves MORDRET <pierre-yves.mordret@st.com>
+Signed-off-by: Hugues Fruchet <hugues.fruchet@st.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Cc: "Joel Fernandes (Google)" <joel@joelfernandes.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/stm32-dma.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/dma/stm32-dma.c
++++ b/drivers/dma/stm32-dma.c
+@@ -429,6 +429,8 @@ static void stm32_dma_dump_reg(struct st
+       dev_dbg(chan2dev(chan), "SFCR:  0x%08x\n", sfcr);
+ }
++static void stm32_dma_configure_next_sg(struct stm32_dma_chan *chan);
++
+ static void stm32_dma_start_transfer(struct stm32_dma_chan *chan)
+ {
+       struct stm32_dma_device *dmadev = stm32_dma_get_dev(chan);
+@@ -471,6 +473,9 @@ static void stm32_dma_start_transfer(str
+       if (status)
+               stm32_dma_irq_clear(chan, status);
++      if (chan->desc->cyclic)
++              stm32_dma_configure_next_sg(chan);
++
+       stm32_dma_dump_reg(chan);
+       /* Start DMA */
+@@ -564,8 +569,7 @@ static void stm32_dma_issue_pending(stru
+       if (vchan_issue_pending(&chan->vchan) && !chan->desc && !chan->busy) {
+               dev_dbg(chan2dev(chan), "vchan %p: issued\n", &chan->vchan);
+               stm32_dma_start_transfer(chan);
+-              if (chan->desc->cyclic)
+-                      stm32_dma_configure_next_sg(chan);
++
+       }
+       spin_unlock_irqrestore(&chan->vchan.lock, flags);
+ }
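Review bot: In the last hunk, the two lines removed from stm32_dma_issue_pending() are replaced by an added empty line, which leaves a blank line directly before the closing brace of the `if` block. The block should end right after `stm32_dma_start_transfer(chan);`. Separately, the forward declaration `static void stm32_dma_configure_next_sg(struct stm32_dma_chan *chan);` added in the first hunk deserves a one-line comment such as `/* called from stm32_dma_start_transfer() before its definition */`, assuming the definition does sit later in the file. Both functions extend beyond the hunks shown.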
diff --git a/queue-4.14/drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch b/queue-4.14/drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch
new file mode 100644 (file)
index 0000000..2325a67
--- /dev/null
@@ -0,0 +1,64 @@
+From fc62c3b1977d62e6374fd6e28d371bb42dfa5c9d Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Sun, 23 Sep 2018 21:10:43 +0000
+Subject: Drivers: hv: kvp: Fix two "this statement may fall through" warnings
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit fc62c3b1977d62e6374fd6e28d371bb42dfa5c9d upstream.
+
+We don't need to call process_ib_ipinfo() if message->kvp_hdr.operation is
+KVP_OP_GET_IP_INFO in kvp_send_key(), because here we just need to pass on
+the op code from the host to the userspace; when the userspace returns
+the info requested by the host, we pass the info on to the host in
+kvp_respond_to_host() -> process_ob_ipinfo(). BTW, the current buggy code
+actually doesn't cause any harm, because only message->kvp_hdr.operation
+is used by the userspace, in the case of KVP_OP_GET_IP_INFO.
+
+The patch also adds a missing "break;" in kvp_send_key(). BTW, the current
+buggy code actually doesn't cause any harm, because in the case of
+KVP_OP_SET, the unexpected fall-through corrupts
+message->body.kvp_set.data.key_size, but that is not really used: see
+the definition of struct hv_kvp_exchg_msg_value.
+
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Cc: K. Y. Srinivasan <kys@microsoft.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/hv_kvp.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/hv/hv_kvp.c
++++ b/drivers/hv/hv_kvp.c
+@@ -353,7 +353,6 @@ static void process_ib_ipinfo(void *in_m
+               out->body.kvp_ip_val.dhcp_enabled = in->kvp_ip_val.dhcp_enabled;
+-      default:
+               utf16s_to_utf8s((wchar_t *)in->kvp_ip_val.adapter_id,
+                               MAX_ADAPTER_ID_SIZE,
+                               UTF16_LITTLE_ENDIAN,
+@@ -406,7 +405,7 @@ kvp_send_key(struct work_struct *dummy)
+               process_ib_ipinfo(in_msg, message, KVP_OP_SET_IP_INFO);
+               break;
+       case KVP_OP_GET_IP_INFO:
+-              process_ib_ipinfo(in_msg, message, KVP_OP_GET_IP_INFO);
++              /* We only need to pass on message->kvp_hdr.operation.  */
+               break;
+       case KVP_OP_SET:
+               switch (in_msg->body.kvp_set.data.value_type) {
+@@ -446,6 +445,9 @@ kvp_send_key(struct work_struct *dummy)
+                       break;
+               }
++
++              break;
++
+       case KVP_OP_GET:
+               message->body.kvp_set.data.key_size =
+                       utf16s_to_utf8s(
diff --git a/queue-4.14/edac-amd64-add-family-17h-models-10h-2fh-support.patch b/queue-4.14/edac-amd64-add-family-17h-models-10h-2fh-support.patch
new file mode 100644 (file)
index 0000000..c4454e1
--- /dev/null
@@ -0,0 +1,75 @@
+From 8960de4a5ca7980ed1e19e7ca5a774d3b7a55c38 Mon Sep 17 00:00:00 2001
+From: Michael Jin <mikhail.jin@gmail.com>
+Date: Thu, 16 Aug 2018 15:28:40 -0400
+Subject: EDAC, amd64: Add Family 17h, models 10h-2fh support
+
+From: Michael Jin <mikhail.jin@gmail.com>
+
+commit 8960de4a5ca7980ed1e19e7ca5a774d3b7a55c38 upstream.
+
+Add new device IDs for family 17h, models 10h-2fh.
+
+This is required by amd64_edac_mod in order to properly detect PCI
+device functions 0 and 6.
+
+Signed-off-by: Michael Jin <mikhail.jin@gmail.com>
+Reviewed-by: Yazen Ghannam <Yazen.Ghannam@amd.com>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20180816192840.31166-1-mikhail.jin@gmail.com
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/amd64_edac.c |   14 ++++++++++++++
+ drivers/edac/amd64_edac.h |    3 +++
+ 2 files changed, 17 insertions(+)
+
+--- a/drivers/edac/amd64_edac.c
++++ b/drivers/edac/amd64_edac.c
+@@ -2200,6 +2200,15 @@ static struct amd64_family_type family_t
+                       .dbam_to_cs             = f17_base_addr_to_cs_size,
+               }
+       },
++      [F17_M10H_CPUS] = {
++              .ctl_name = "F17h_M10h",
++              .f0_id = PCI_DEVICE_ID_AMD_17H_M10H_DF_F0,
++              .f6_id = PCI_DEVICE_ID_AMD_17H_M10H_DF_F6,
++              .ops = {
++                      .early_channel_count    = f17_early_channel_count,
++                      .dbam_to_cs             = f17_base_addr_to_cs_size,
++              }
++      },
+ };
+ /*
+@@ -3188,6 +3197,11 @@ static struct amd64_family_type *per_fam
+               break;
+       case 0x17:
++              if (pvt->model >= 0x10 && pvt->model <= 0x2f) {
++                      fam_type = &family_types[F17_M10H_CPUS];
++                      pvt->ops = &family_types[F17_M10H_CPUS].ops;
++                      break;
++              }
+               fam_type        = &family_types[F17_CPUS];
+               pvt->ops        = &family_types[F17_CPUS].ops;
+               break;
+--- a/drivers/edac/amd64_edac.h
++++ b/drivers/edac/amd64_edac.h
+@@ -115,6 +115,8 @@
+ #define PCI_DEVICE_ID_AMD_16H_M30H_NB_F2 0x1582
+ #define PCI_DEVICE_ID_AMD_17H_DF_F0   0x1460
+ #define PCI_DEVICE_ID_AMD_17H_DF_F6   0x1466
++#define PCI_DEVICE_ID_AMD_17H_M10H_DF_F0 0x15e8
++#define PCI_DEVICE_ID_AMD_17H_M10H_DF_F6 0x15ee
+ /*
+  * Function 1 - Address Map
+@@ -281,6 +283,7 @@ enum amd_families {
+       F16_CPUS,
+       F16_M30H_CPUS,
+       F17_CPUS,
++      F17_M10H_CPUS,
+       NUM_FAMILIES,
+ };
diff --git a/queue-4.14/edac-i7core-sb-skx-_edac-fix-uncorrected-error-counting.patch b/queue-4.14/edac-i7core-sb-skx-_edac-fix-uncorrected-error-counting.patch
new file mode 100644 (file)
index 0000000..7305cf8
--- /dev/null
@@ -0,0 +1,62 @@
+From 432de7fd7630c84ad24f1c2acd1e3bb4ce3741ca Mon Sep 17 00:00:00 2001
+From: Tony Luck <tony.luck@intel.com>
+Date: Fri, 28 Sep 2018 14:39:34 -0700
+Subject: EDAC, {i7core,sb,skx}_edac: Fix uncorrected error counting
+
+From: Tony Luck <tony.luck@intel.com>
+
+commit 432de7fd7630c84ad24f1c2acd1e3bb4ce3741ca upstream.
+
+The count of errors is picked up from bits 52:38 of the machine check
+bank status register. But this is the count of *corrected* errors. If an
+uncorrected error is being logged, the h/w sets this field to 0. Which
+means that when edac_mc_handle_error() is called, the EDAC core will
+carefully add zero to the appropriate uncorrected error counts.
+
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+[ Massage commit message. ]
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: stable@vger.kernel.org
+Cc: Aristeu Rozanski <aris@redhat.com>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20180928213934.19890-1-tony.luck@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/i7core_edac.c |    1 +
+ drivers/edac/sb_edac.c     |    1 +
+ drivers/edac/skx_edac.c    |    1 +
+ 3 files changed, 3 insertions(+)
+
+--- a/drivers/edac/i7core_edac.c
++++ b/drivers/edac/i7core_edac.c
+@@ -1711,6 +1711,7 @@ static void i7core_mce_output_error(stru
+       u32 errnum = find_first_bit(&error, 32);
+       if (uncorrected_error) {
++              core_err_cnt = 1;
+               if (ripv)
+                       tp_event = HW_EVENT_ERR_FATAL;
+               else
+--- a/drivers/edac/sb_edac.c
++++ b/drivers/edac/sb_edac.c
+@@ -2891,6 +2891,7 @@ static void sbridge_mce_output_error(str
+               recoverable = GET_BITFIELD(m->status, 56, 56);
+       if (uncorrected_error) {
++              core_err_cnt = 1;
+               if (ripv) {
+                       type = "FATAL";
+                       tp_event = HW_EVENT_ERR_FATAL;
+--- a/drivers/edac/skx_edac.c
++++ b/drivers/edac/skx_edac.c
+@@ -895,6 +895,7 @@ static void skx_mce_output_error(struct
+       recoverable = GET_BITFIELD(m->status, 56, 56);
+       if (uncorrected_error) {
++              core_err_cnt = 1;
+               if (ripv) {
+                       type = "FATAL";
+                       tp_event = HW_EVENT_ERR_FATAL;
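Review bot: The added `core_err_cnt = 1;` in i7core_mce_output_error() carries no comment explaining why a count taken from the status register is overwritten, and the same holds for the identical lines in sbridge_mce_output_error() and skx_mce_output_error(). The reason lives only in the commit message: the field counts corrected errors and is zero when an uncorrected error is logged. A short comment above each assignment, such as `/* status bits 52:38 count corrected errors only; report one uncorrected error */`, would keep that rationale next to the code. All three functions start and end outside the hunks.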
diff --git a/queue-4.14/edac-skx_edac-fix-logical-channel-intermediate-decoding.patch b/queue-4.14/edac-skx_edac-fix-logical-channel-intermediate-decoding.patch
new file mode 100644 (file)
index 0000000..77900d1
--- /dev/null
@@ -0,0 +1,41 @@
+From 8f18973877204dc8ca4ce1004a5d28683b9a7086 Mon Sep 17 00:00:00 2001
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Date: Tue, 9 Oct 2018 10:20:25 -0700
+Subject: EDAC, skx_edac: Fix logical channel intermediate decoding
+
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+
+commit 8f18973877204dc8ca4ce1004a5d28683b9a7086 upstream.
+
+The code "lchan = (lchan << 1) | ~lchan" for logical channel
+intermediate decoding is wrong. The wrong intermediate decoding
+result is {0xffffffff, 0xfffffffe}.
+
+Fix it by replacing '~' with '!'. The correct intermediate
+decoding result is {0x1, 0x2}.
+
+Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+CC: Aristeu Rozanski <aris@redhat.com>
+CC: Mauro Carvalho Chehab <mchehab@kernel.org>
+CC: linux-edac <linux-edac@vger.kernel.org>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20181009172025.18594-1-tony.luck@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/skx_edac.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/skx_edac.c
++++ b/drivers/edac/skx_edac.c
+@@ -604,7 +604,7 @@ sad_found:
+                       break;
+               case 2:
+                       lchan = (addr >> shift) % 2;
+-                      lchan = (lchan << 1) | ~lchan;
++                      lchan = (lchan << 1) | !lchan;
+                       break;
+               case 3:
+                       lchan = ((addr >> shift) % 2) << 1;
diff --git a/queue-4.14/ext4-fix-setattr-project-check-in-fssetxattr-ioctl.patch b/queue-4.14/ext4-fix-setattr-project-check-in-fssetxattr-ioctl.patch
new file mode 100644 (file)
index 0000000..2602460
--- /dev/null
@@ -0,0 +1,156 @@
+From dc7ac6c4cae3b58724c2f1e21a7c05ce19ecd5a8 Mon Sep 17 00:00:00 2001
+From: Wang Shilong <wangshilong1991@gmail.com>
+Date: Wed, 3 Oct 2018 10:33:32 -0400
+Subject: ext4: fix setattr project check in fssetxattr ioctl
+
+From: Wang Shilong <wangshilong1991@gmail.com>
+
+commit dc7ac6c4cae3b58724c2f1e21a7c05ce19ecd5a8 upstream.
+
+Currently, project quota could be changed by fssetxattr
+ioctl, and existed permission check inode_owner_or_capable()
+is obviously not enough, just think that common users could
+change project id of file, that could make users to
+break project quota easily.
+
+This patch try to follow same regular of xfs project
+quota:
+
+"Project Quota ID state is only allowed to change from
+within the init namespace. Enforce that restriction only
+if we are trying to change the quota ID state.
+Everything else is allowed in user namespaces."
+
+Besides that, check and set project id'state should
+be an atomic operation, protect whole operation with
+inode lock, ext4_ioctl_setproject() is only used for
+ioctl EXT4_IOC_FSSETXATTR, we have held mnt_want_write_file()
+before ext4_ioctl_setflags(), and ext4_ioctl_setproject()
+is called after ext4_ioctl_setflags(), we could share
+codes, so remove it inside ext4_ioctl_setproject().
+
+Signed-off-by: Wang Shilong <wshilong@ddn.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ioctl.c |   60 ++++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 37 insertions(+), 23 deletions(-)
+
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -344,19 +344,14 @@ static int ext4_ioctl_setproject(struct
+       if (projid_eq(kprojid, EXT4_I(inode)->i_projid))
+               return 0;
+-      err = mnt_want_write_file(filp);
+-      if (err)
+-              return err;
+-
+       err = -EPERM;
+-      inode_lock(inode);
+       /* Is it quota file? Do not allow user to mess with it */
+       if (ext4_is_quota_file(inode))
+-              goto out_unlock;
++              return err;
+       err = ext4_get_inode_loc(inode, &iloc);
+       if (err)
+-              goto out_unlock;
++              return err;
+       raw_inode = ext4_raw_inode(&iloc);
+       if (!EXT4_FITS_IN_INODE(raw_inode, ei, i_projid)) {
+@@ -364,7 +359,7 @@ static int ext4_ioctl_setproject(struct
+                                             EXT4_SB(sb)->s_want_extra_isize,
+                                             &iloc);
+               if (err)
+-                      goto out_unlock;
++                      return err;
+       } else {
+               brelse(iloc.bh);
+       }
+@@ -374,10 +369,8 @@ static int ext4_ioctl_setproject(struct
+       handle = ext4_journal_start(inode, EXT4_HT_QUOTA,
+               EXT4_QUOTA_INIT_BLOCKS(sb) +
+               EXT4_QUOTA_DEL_BLOCKS(sb) + 3);
+-      if (IS_ERR(handle)) {
+-              err = PTR_ERR(handle);
+-              goto out_unlock;
+-      }
++      if (IS_ERR(handle))
++              return PTR_ERR(handle);
+       err = ext4_reserve_inode_write(handle, inode, &iloc);
+       if (err)
+@@ -405,9 +398,6 @@ out_dirty:
+               err = rc;
+ out_stop:
+       ext4_journal_stop(handle);
+-out_unlock:
+-      inode_unlock(inode);
+-      mnt_drop_write_file(filp);
+       return err;
+ }
+ #else
+@@ -592,6 +582,30 @@ static int ext4_ioc_getfsmap(struct supe
+       return 0;
+ }
++static int ext4_ioctl_check_project(struct inode *inode, struct fsxattr *fa)
++{
++      /*
++       * Project Quota ID state is only allowed to change from within the init
++       * namespace. Enforce that restriction only if we are trying to change
++       * the quota ID state. Everything else is allowed in user namespaces.
++       */
++      if (current_user_ns() == &init_user_ns)
++              return 0;
++
++      if (__kprojid_val(EXT4_I(inode)->i_projid) != fa->fsx_projid)
++              return -EINVAL;
++
++      if (ext4_test_inode_flag(inode, EXT4_INODE_PROJINHERIT)) {
++              if (!(fa->fsx_xflags & FS_XFLAG_PROJINHERIT))
++                      return -EINVAL;
++      } else {
++              if (fa->fsx_xflags & FS_XFLAG_PROJINHERIT)
++                      return -EINVAL;
++      }
++
++      return 0;
++}
++
+ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+ {
+       struct inode *inode = file_inode(filp);
+@@ -1029,19 +1043,19 @@ resizefs_out:
+                       return err;
+               inode_lock(inode);
++              err = ext4_ioctl_check_project(inode, &fa);
++              if (err)
++                      goto out;
+               flags = (ei->i_flags & ~EXT4_FL_XFLAG_VISIBLE) |
+                        (flags & EXT4_FL_XFLAG_VISIBLE);
+               err = ext4_ioctl_setflags(inode, flags);
+-              inode_unlock(inode);
+-              mnt_drop_write_file(filp);
+               if (err)
+-                      return err;
+-
++                      goto out;
+               err = ext4_ioctl_setproject(filp, fa.fsx_projid);
+-              if (err)
+-                      return err;
+-
+-              return 0;
++out:
++              inode_unlock(inode);
++              mnt_drop_write_file(filp);
++              return err;
+       }
+       case EXT4_IOC_SHUTDOWN:
+               return ext4_shutdown(sb, arg);
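Review bot: After this change ext4_ioctl_setproject() no longer takes `inode_lock()` or `mnt_want_write_file()` itself and depends on its caller in the EXT4_IOC_FSSETXATTR case to hold both, but nothing in the function states or checks that contract. A comment at the top of the function plus an assertion such as `WARN_ON_ONCE(!inode_is_locked(inode));` would flag a future caller that invokes it unlocked. Such a caller would separate the namespace check in ext4_ioctl_check_project() from the project ID update again. The opening lines of ext4_ioctl_setproject() are outside the hunks, so exact placement needs the full file.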
diff --git a/queue-4.14/ext4-fix-use-after-free-race-in-ext4_remount-s-error-path.patch b/queue-4.14/ext4-fix-use-after-free-race-in-ext4_remount-s-error-path.patch
new file mode 100644 (file)
index 0000000..72dee2b
--- /dev/null
@@ -0,0 +1,219 @@
+From 33458eaba4dfe778a426df6a19b7aad2ff9f7eec Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Fri, 12 Oct 2018 09:28:09 -0400
+Subject: ext4: fix use-after-free race in ext4_remount()'s error path
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 33458eaba4dfe778a426df6a19b7aad2ff9f7eec upstream.
+
+It's possible for ext4_show_quota_options() to try reading
+s_qf_names[i] while it is being modified by ext4_remount() --- most
+notably, in ext4_remount's error path when the original values of the
+quota file name gets restored.
+
+Reported-by: syzbot+a2872d6feea6918008a9@syzkaller.appspotmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org # 3.2+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ext4.h  |    3 +-
+ fs/ext4/super.c |   73 ++++++++++++++++++++++++++++++++++++--------------------
+ 2 files changed, 50 insertions(+), 26 deletions(-)
+
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -1421,7 +1421,8 @@ struct ext4_sb_info {
+       u32 s_min_batch_time;
+       struct block_device *journal_bdev;
+ #ifdef CONFIG_QUOTA
+-      char *s_qf_names[EXT4_MAXQUOTAS];       /* Names of quota files with journalled quota */
++      /* Names of quota files with journalled quota */
++      char __rcu *s_qf_names[EXT4_MAXQUOTAS];
+       int s_jquota_fmt;                       /* Format of quota to use */
+ #endif
+       unsigned int s_want_extra_isize; /* New inodes should reserve # bytes */
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -855,6 +855,18 @@ static inline void ext4_quota_off_umount
+       for (type = 0; type < EXT4_MAXQUOTAS; type++)
+               ext4_quota_off(sb, type);
+ }
++
++/*
++ * This is a helper function which is used in the mount/remount
++ * codepaths (which holds s_umount) to fetch the quota file name.
++ */
++static inline char *get_qf_name(struct super_block *sb,
++                              struct ext4_sb_info *sbi,
++                              int type)
++{
++      return rcu_dereference_protected(sbi->s_qf_names[type],
++                                       lockdep_is_held(&sb->s_umount));
++}
+ #else
+ static inline void ext4_quota_off_umount(struct super_block *sb)
+ {
+@@ -907,7 +919,7 @@ static void ext4_put_super(struct super_
+       percpu_free_rwsem(&sbi->s_journal_flag_rwsem);
+ #ifdef CONFIG_QUOTA
+       for (i = 0; i < EXT4_MAXQUOTAS; i++)
+-              kfree(sbi->s_qf_names[i]);
++              kfree(get_qf_name(sb, sbi, i));
+ #endif
+       /* Debugging code just in case the in-memory inode orphan list
+@@ -1473,11 +1485,10 @@ static const char deprecated_msg[] =
+ static int set_qf_name(struct super_block *sb, int qtype, substring_t *args)
+ {
+       struct ext4_sb_info *sbi = EXT4_SB(sb);
+-      char *qname;
++      char *qname, *old_qname = get_qf_name(sb, sbi, qtype);
+       int ret = -1;
+-      if (sb_any_quota_loaded(sb) &&
+-              !sbi->s_qf_names[qtype]) {
++      if (sb_any_quota_loaded(sb) && !old_qname) {
+               ext4_msg(sb, KERN_ERR,
+                       "Cannot change journaled "
+                       "quota options when quota turned on");
+@@ -1494,8 +1505,8 @@ static int set_qf_name(struct super_bloc
+                       "Not enough memory for storing quotafile name");
+               return -1;
+       }
+-      if (sbi->s_qf_names[qtype]) {
+-              if (strcmp(sbi->s_qf_names[qtype], qname) == 0)
++      if (old_qname) {
++              if (strcmp(old_qname, qname) == 0)
+                       ret = 1;
+               else
+                       ext4_msg(sb, KERN_ERR,
+@@ -1508,7 +1519,7 @@ static int set_qf_name(struct super_bloc
+                       "quotafile must be on filesystem root");
+               goto errout;
+       }
+-      sbi->s_qf_names[qtype] = qname;
++      rcu_assign_pointer(sbi->s_qf_names[qtype], qname);
+       set_opt(sb, QUOTA);
+       return 1;
+ errout:
+@@ -1520,15 +1531,16 @@ static int clear_qf_name(struct super_bl
+ {
+       struct ext4_sb_info *sbi = EXT4_SB(sb);
++      char *old_qname = get_qf_name(sb, sbi, qtype);
+-      if (sb_any_quota_loaded(sb) &&
+-              sbi->s_qf_names[qtype]) {
++      if (sb_any_quota_loaded(sb) && old_qname) {
+               ext4_msg(sb, KERN_ERR, "Cannot change journaled quota options"
+                       " when quota turned on");
+               return -1;
+       }
+-      kfree(sbi->s_qf_names[qtype]);
+-      sbi->s_qf_names[qtype] = NULL;
++      rcu_assign_pointer(sbi->s_qf_names[qtype], NULL);
++      synchronize_rcu();
++      kfree(old_qname);
+       return 1;
+ }
+ #endif
+@@ -1901,7 +1913,7 @@ static int parse_options(char *options,
+                        int is_remount)
+ {
+       struct ext4_sb_info *sbi = EXT4_SB(sb);
+-      char *p;
++      char *p, __maybe_unused *usr_qf_name, __maybe_unused *grp_qf_name;
+       substring_t args[MAX_OPT_ARGS];
+       int token;
+@@ -1932,11 +1944,13 @@ static int parse_options(char *options,
+                        "Cannot enable project quota enforcement.");
+               return 0;
+       }
+-      if (sbi->s_qf_names[USRQUOTA] || sbi->s_qf_names[GRPQUOTA]) {
+-              if (test_opt(sb, USRQUOTA) && sbi->s_qf_names[USRQUOTA])
++      usr_qf_name = get_qf_name(sb, sbi, USRQUOTA);
++      grp_qf_name = get_qf_name(sb, sbi, GRPQUOTA);
++      if (usr_qf_name || grp_qf_name) {
++              if (test_opt(sb, USRQUOTA) && usr_qf_name)
+                       clear_opt(sb, USRQUOTA);
+-              if (test_opt(sb, GRPQUOTA) && sbi->s_qf_names[GRPQUOTA])
++              if (test_opt(sb, GRPQUOTA) && grp_qf_name)
+                       clear_opt(sb, GRPQUOTA);
+               if (test_opt(sb, GRPQUOTA) || test_opt(sb, USRQUOTA)) {
+@@ -1970,6 +1984,7 @@ static inline void ext4_show_quota_optio
+ {
+ #if defined(CONFIG_QUOTA)
+       struct ext4_sb_info *sbi = EXT4_SB(sb);
++      char *usr_qf_name, *grp_qf_name;
+       if (sbi->s_jquota_fmt) {
+               char *fmtname = "";
+@@ -1988,11 +2003,14 @@ static inline void ext4_show_quota_optio
+               seq_printf(seq, ",jqfmt=%s", fmtname);
+       }
+-      if (sbi->s_qf_names[USRQUOTA])
+-              seq_show_option(seq, "usrjquota", sbi->s_qf_names[USRQUOTA]);
+-
+-      if (sbi->s_qf_names[GRPQUOTA])
+-              seq_show_option(seq, "grpjquota", sbi->s_qf_names[GRPQUOTA]);
++      rcu_read_lock();
++      usr_qf_name = rcu_dereference(sbi->s_qf_names[USRQUOTA]);
++      grp_qf_name = rcu_dereference(sbi->s_qf_names[GRPQUOTA]);
++      if (usr_qf_name)
++              seq_show_option(seq, "usrjquota", usr_qf_name);
++      if (grp_qf_name)
++              seq_show_option(seq, "grpjquota", grp_qf_name);
++      rcu_read_unlock();
+ #endif
+ }
+@@ -5038,6 +5056,7 @@ static int ext4_remount(struct super_blo
+       int err = 0;
+ #ifdef CONFIG_QUOTA
+       int i, j;
++      char *to_free[EXT4_MAXQUOTAS];
+ #endif
+       char *orig_data = kstrdup(data, GFP_KERNEL);
+@@ -5054,8 +5073,9 @@ static int ext4_remount(struct super_blo
+       old_opts.s_jquota_fmt = sbi->s_jquota_fmt;
+       for (i = 0; i < EXT4_MAXQUOTAS; i++)
+               if (sbi->s_qf_names[i]) {
+-                      old_opts.s_qf_names[i] = kstrdup(sbi->s_qf_names[i],
+-                                                       GFP_KERNEL);
++                      char *qf_name = get_qf_name(sb, sbi, i);
++
++                      old_opts.s_qf_names[i] = kstrdup(qf_name, GFP_KERNEL);
+                       if (!old_opts.s_qf_names[i]) {
+                               for (j = 0; j < i; j++)
+                                       kfree(old_opts.s_qf_names[j]);
+@@ -5277,9 +5297,12 @@ restore_opts:
+ #ifdef CONFIG_QUOTA
+       sbi->s_jquota_fmt = old_opts.s_jquota_fmt;
+       for (i = 0; i < EXT4_MAXQUOTAS; i++) {
+-              kfree(sbi->s_qf_names[i]);
+-              sbi->s_qf_names[i] = old_opts.s_qf_names[i];
++              to_free[i] = get_qf_name(sb, sbi, i);
++              rcu_assign_pointer(sbi->s_qf_names[i], old_opts.s_qf_names[i]);
+       }
++      synchronize_rcu();
++      for (i = 0; i < EXT4_MAXQUOTAS; i++)
++              kfree(to_free[i]);
+ #endif
+       kfree(orig_data);
+       return err;
+@@ -5469,7 +5492,7 @@ static int ext4_write_info(struct super_
+  */
+ static int ext4_quota_on_mount(struct super_block *sb, int type)
+ {
+-      return dquot_quota_on_mount(sb, EXT4_SB(sb)->s_qf_names[type],
++      return dquot_quota_on_mount(sb, get_qf_name(sb, EXT4_SB(sb), type),
+                                       EXT4_SB(sb)->s_jquota_fmt, type);
+ }
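Review bot: In the ext4_remount() hunk that saves the old options, the unchanged test `if (sbi->s_qf_names[i])` still reads the pointer directly, although the field is now annotated `__rcu` and the accesses this patch touches go through get_qf_name(), rcu_dereference() or rcu_assign_pointer(). Fetching the name once before the test, `char *qf_name = get_qf_name(sb, sbi, i);` then `if (qf_name) {`, would keep every read of the array behind an accessor that states its locking condition. The `for` body would need braces for the declaration. ext4_remount() begins and ends outside the hunks shown.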
diff --git a/queue-4.14/ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch b/queue-4.14/ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch
new file mode 100644 (file)
index 0000000..99bcbd2
--- /dev/null
@@ -0,0 +1,34 @@
+From 625ef8a3acd111d5f496d190baf99d1a815bd03e Mon Sep 17 00:00:00 2001
+From: Lukas Czerner <lczerner@redhat.com>
+Date: Tue, 2 Oct 2018 21:18:45 -0400
+Subject: ext4: initialize retries variable in ext4_da_write_inline_data_begin()
+
+From: Lukas Czerner <lczerner@redhat.com>
+
+commit 625ef8a3acd111d5f496d190baf99d1a815bd03e upstream.
+
+Variable retries is not initialized in ext4_da_write_inline_data_begin()
+which can lead to nondeterministic number of retries in case we hit
+ENOSPC. Initialize retries to zero as we do everywhere else.
+
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Fixes: bc0ca9df3b2a ("ext4: retry allocation when inline->extent conversion failed")
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inline.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -869,7 +869,7 @@ int ext4_da_write_inline_data_begin(stru
+       handle_t *handle;
+       struct page *page;
+       struct ext4_iloc iloc;
+-      int retries;
++      int retries = 0;
+       ret = ext4_get_inode_loc(inode, &iloc);
+       if (ret)
diff --git a/queue-4.14/ext4-propagate-error-from-dquot_initialize-in-ext4_ioc_fssetxattr.patch b/queue-4.14/ext4-propagate-error-from-dquot_initialize-in-ext4_ioc_fssetxattr.patch
new file mode 100644 (file)
index 0000000..078ace1
--- /dev/null
@@ -0,0 +1,38 @@
+From 182a79e0c17147d2c2d3990a9a7b6b58a1561c7a Mon Sep 17 00:00:00 2001
+From: Wang Shilong <wshilong@ddn.com>
+Date: Wed, 3 Oct 2018 12:19:21 -0400
+Subject: ext4: propagate error from dquot_initialize() in EXT4_IOC_FSSETXATTR
+
+From: Wang Shilong <wshilong@ddn.com>
+
+commit 182a79e0c17147d2c2d3990a9a7b6b58a1561c7a upstream.
+
+We return most failure of dquota_initialize() except
+inode evict, this could make a bit sense, for example
+we allow file removal even quota files are broken?
+
+But it dosen't make sense to allow setting project
+if quota files etc are broken.
+
+Signed-off-by: Wang Shilong <wshilong@ddn.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ioctl.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -364,7 +364,9 @@ static int ext4_ioctl_setproject(struct
+               brelse(iloc.bh);
+       }
+-      dquot_initialize(inode);
++      err = dquot_initialize(inode);
++      if (err)
++              return err;
+       handle = ext4_journal_start(inode, EXT4_HT_QUOTA,
+               EXT4_QUOTA_INIT_BLOCKS(sb) +
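Review bot: The added `return err;` after `dquot_initialize(inode)` in ext4_ioctl_setproject() exits directly instead of going through a cleanup path. The hunk does not show whether the inode lock or a mount write reference is held at this point in the 4.14 tree. If either is held, the error path should jump to the function's existing unlock/cleanup path rather than return, otherwise a failing quota initialisation would leave the inode locked. The series also lists ext4-fix-setattr-project-check-in-fssetxattr-ioctl.patch, which concerns the same ioctl, so the two should be checked together and in their applied order. The function body starts and ends outside the hunk.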
diff --git a/queue-4.14/f2fs-fix-to-account-io-correctly.patch b/queue-4.14/f2fs-fix-to-account-io-correctly.patch
new file mode 100644 (file)
index 0000000..d1d0989
--- /dev/null
@@ -0,0 +1,45 @@
+From 4c58ed076875f36dae0f240da1e25e99e5d4afb8 Mon Sep 17 00:00:00 2001
+From: Chao Yu <yuchao0@huawei.com>
+Date: Mon, 22 Oct 2018 09:12:51 +0800
+Subject: f2fs: fix to account IO correctly
+
+From: Chao Yu <yuchao0@huawei.com>
+
+commit 4c58ed076875f36dae0f240da1e25e99e5d4afb8 upstream.
+
+Below race can cause reversed reference on dirty count, fix it by
+relocating __submit_bio() and inc_page_count().
+
+Thread A                               Thread B
+- f2fs_inplace_write_data
+ - f2fs_submit_page_bio
+  - __submit_bio
+                                       - f2fs_write_end_io
+                                        - dec_page_count
+  - inc_page_count
+
+Cc: <stable@vger.kernel.org>
+Fixes: d1b3e72d5490 ("f2fs: submit bio of in-place-update pages")
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/data.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -381,10 +381,10 @@ int f2fs_submit_page_bio(struct f2fs_io_
+       }
+       bio_set_op_attrs(bio, fio->op, fio->op_flags);
+-      __submit_bio(fio->sbi, bio, fio->type);
+-
+       if (!is_read_io(fio->op))
+               inc_page_count(fio->sbi, WB_DATA_TYPE(fio->page));
++
++      __submit_bio(fio->sbi, bio, fio->type);
+       return 0;
+ }
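Review bot: The new ordering in f2fs_submit_page_bio() is only correct while `inc_page_count()` stays ahead of `__submit_bio()`, and nothing in the code says so. A short comment above the increment would stop a later cleanup from swapping the two calls back: `/* account before submit: f2fs_write_end_io() may run and decrement as soon as the bio is submitted */`. The function starts outside the hunk.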
diff --git a/queue-4.14/genirq-fix-race-on-spurious-interrupt-detection.patch b/queue-4.14/genirq-fix-race-on-spurious-interrupt-detection.patch
new file mode 100644 (file)
index 0000000..57a09c0
--- /dev/null
@@ -0,0 +1,96 @@
+From 746a923b863a1065ef77324e1e43f19b1a3eab5c Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 18 Oct 2018 15:15:05 +0200
+Subject: genirq: Fix race on spurious interrupt detection
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 746a923b863a1065ef77324e1e43f19b1a3eab5c upstream.
+
+Commit 1e77d0a1ed74 ("genirq: Sanitize spurious interrupt detection of
+threaded irqs") made detection of spurious interrupts work for threaded
+handlers by:
+
+a) incrementing a counter every time the thread returns IRQ_HANDLED, and
+b) checking whether that counter has increased every time the thread is
+   woken.
+
+However for oneshot interrupts, the commit unmasks the interrupt before
+incrementing the counter.  If another interrupt occurs right after
+unmasking but before the counter is incremented, that interrupt is
+incorrectly considered spurious:
+
+time
+ |  irq_thread()
+ |    irq_thread_fn()
+ |      action->thread_fn()
+ |      irq_finalize_oneshot()
+ |        unmask_threaded_irq()            /* interrupt is unmasked */
+ |
+ |                  /* interrupt fires, incorrectly deemed spurious */
+ |
+ |    atomic_inc(&desc->threads_handled); /* counter is incremented */
+ v
+
+This is observed with a hi3110 CAN controller receiving data at high volume
+(from a separate machine sending with "cangen -g 0 -i -x"): The controller
+signals a huge number of interrupts (hundreds of millions per day) and
+every second there are about a dozen which are deemed spurious.
+
+In theory with high CPU load and the presence of higher priority tasks, the
+number of incorrectly detected spurious interrupts might increase beyond
+the 99,900 threshold and cause disablement of the interrupt.
+
+In practice it just increments the spurious interrupt count. But that can
+cause people to waste time investigating it over and over.
+
+Fix it by moving the accounting before the invocation of
+irq_finalize_oneshot().
+
+[ tglx: Folded change log update ]
+
+Fixes: 1e77d0a1ed74 ("genirq: Sanitize spurious interrupt detection of threaded irqs")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Mathias Duckeck <m.duckeck@kunbus.de>
+Cc: Akshay Bhat <akshay.bhat@timesys.com>
+Cc: Casey Fitzpatrick <casey.fitzpatrick@timesys.com>
+Cc: stable@vger.kernel.org # v3.16+
+Link: https://lkml.kernel.org/r/1dfd8bbd16163940648045495e3e9698e63b50ad.1539867047.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/irq/manage.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -882,6 +882,9 @@ irq_forced_thread_fn(struct irq_desc *de
+       local_bh_disable();
+       ret = action->thread_fn(action->irq, action->dev_id);
++      if (ret == IRQ_HANDLED)
++              atomic_inc(&desc->threads_handled);
++
+       irq_finalize_oneshot(desc, action);
+       local_bh_enable();
+       return ret;
+@@ -898,6 +901,9 @@ static irqreturn_t irq_thread_fn(struct
+       irqreturn_t ret;
+       ret = action->thread_fn(action->irq, action->dev_id);
++      if (ret == IRQ_HANDLED)
++              atomic_inc(&desc->threads_handled);
++
+       irq_finalize_oneshot(desc, action);
+       return ret;
+ }
+@@ -975,8 +981,6 @@ static int irq_thread(void *data)
+               irq_thread_check_affinity(desc, action);
+               action_ret = handler_fn(desc, action);
+-              if (action_ret == IRQ_HANDLED)
+-                      atomic_inc(&desc->threads_handled);
+               if (action_ret == IRQ_WAKE_THREAD)
+                       irq_wake_secondary(desc, action);
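Review bot: The `atomic_inc(&desc->threads_handled)` added to irq_forced_thread_fn() and irq_thread_fn() must stay ahead of `irq_finalize_oneshot()`, but that constraint is recorded only in the commit message. I would put a one-line comment on both copies, for example `/* count before irq_finalize_oneshot(): once unmasked, the next interrupt is checked against threads_handled */`. The same two lines are now duplicated in both handlers, so a small static helper taking `desc` and `ret` would also keep them from drifting apart. irq_thread() and the start of irq_forced_thread_fn() lie outside the hunks.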
diff --git a/queue-4.14/gfs2_meta-mount-can-get-null-dev_name.patch b/queue-4.14/gfs2_meta-mount-can-get-null-dev_name.patch
new file mode 100644 (file)
index 0000000..c1a9f0a
--- /dev/null
@@ -0,0 +1,32 @@
+From 3df629d873f8683af6f0d34dfc743f637966d483 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 13 Oct 2018 00:19:13 -0400
+Subject: gfs2_meta: ->mount() can get NULL dev_name
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 3df629d873f8683af6f0d34dfc743f637966d483 upstream.
+
+get in sync with mount_bdev() handling of the same
+
+Reported-by: syzbot+c54f8e94e6bba03b04e9@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/ops_fstype.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/gfs2/ops_fstype.c
++++ b/fs/gfs2/ops_fstype.c
+@@ -1352,6 +1352,9 @@ static struct dentry *gfs2_mount_meta(st
+       struct path path;
+       int error;
++      if (!dev_name || !*dev_name)
++              return ERR_PTR(-EINVAL);
++
+       error = kern_path(dev_name, LOOKUP_FOLLOW, &path);
+       if (error) {
+               pr_warn("path_lookup on %s returned error %d\n",
diff --git a/queue-4.14/hid-hiddev-fix-potential-spectre-v1.patch b/queue-4.14/hid-hiddev-fix-potential-spectre-v1.patch
new file mode 100644 (file)
index 0000000..4567dbe
--- /dev/null
@@ -0,0 +1,76 @@
+From f11274396a538b31bc010f782e05c2ce3f804c13 Mon Sep 17 00:00:00 2001
+From: Breno Leitao <leitao@debian.org>
+Date: Fri, 19 Oct 2018 17:01:33 -0300
+Subject: HID: hiddev: fix potential Spectre v1
+
+From: Breno Leitao <leitao@debian.org>
+
+commit f11274396a538b31bc010f782e05c2ce3f804c13 upstream.
+
+uref->usage_index can be indirectly controlled by userspace, hence leading
+to a potential exploitation of the Spectre variant 1 vulnerability.
+
+This field is used as an array index by the hiddev_ioctl_usage() function,
+when 'cmd' is either HIDIOCGCOLLECTIONINDEX, HIDIOCGUSAGES or
+HIDIOCSUSAGES.
+
+For cmd == HIDIOCGCOLLECTIONINDEX case, uref->usage_index is compared to
+field->maxusage and then used as an index to dereference field->usage
+array. The same thing happens to the cmd == HIDIOC{G,S}USAGES cases, where
+uref->usage_index is checked against an array maximum value and then it is
+used as an index in an array.
+
+This is a summary of the HIDIOCGCOLLECTIONINDEX case, which matches the
+traditional Spectre V1 first load:
+
+       copy_from_user(uref, user_arg, sizeof(*uref))
+       if (uref->usage_index >= field->maxusage)
+               goto inval;
+       i = field->usage[uref->usage_index].collection_index;
+       return i;
+
+This patch fixes this by sanitizing field uref->usage_index before using it
+to index field->usage (HIDIOCGCOLLECTIONINDEX) or field->value in
+HIDIOC{G,S}USAGES arrays, thus, avoiding speculation in the first load.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Breno Leitao <leitao@debian.org>
+v2: Contemplate cmd == HIDIOC{G,S}USAGES case
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/usbhid/hiddev.c |   18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/usbhid/hiddev.c
++++ b/drivers/hid/usbhid/hiddev.c
+@@ -512,14 +512,24 @@ static noinline int hiddev_ioctl_usage(s
+                       if (cmd == HIDIOCGCOLLECTIONINDEX) {
+                               if (uref->usage_index >= field->maxusage)
+                                       goto inval;
++                              uref->usage_index =
++                                      array_index_nospec(uref->usage_index,
++                                                         field->maxusage);
+                       } else if (uref->usage_index >= field->report_count)
+                               goto inval;
+               }
+-              if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
+-                  (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
+-                   uref->usage_index + uref_multi->num_values > field->report_count))
+-                      goto inval;
++              if (cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) {
++                      if (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
++                          uref->usage_index + uref_multi->num_values >
++                          field->report_count)
++                              goto inval;
++
++                      uref->usage_index =
++                              array_index_nospec(uref->usage_index,
++                                                 field->report_count -
++                                                 uref_multi->num_values);
++              }
+               switch (cmd) {
+               case HIDIOCGUSAGE:
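Review bot: In the HIDIOCGUSAGES/HIDIOCSUSAGES branch the size passed to `array_index_nospec()` is one too small. The check above it accepts `usage_index + num_values == report_count`, while array_index_nospec() returns the index only when it is strictly below the size and 0 otherwise. A request for the last valid window (constructed example: report_count 4, num_values 2, usage_index 2) would therefore be silently rewritten to usage_index 0 and operate on the wrong values. The argument should be the exclusive limit, `field->report_count - uref_multi->num_values + 1`; the HIDIOCGCOLLECTIONINDEX branch is already consistent because its check is `>= field->maxusage`. hiddev_ioctl_usage() starts and ends outside the hunk.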
diff --git a/queue-4.14/hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch b/queue-4.14/hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch
new file mode 100644 (file)
index 0000000..c830cbf
--- /dev/null
@@ -0,0 +1,73 @@
+From 22146c3ce98962436e401f7b7016a6f664c9ffb5 Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Fri, 26 Oct 2018 15:10:58 -0700
+Subject: hugetlbfs: dirty pages as they are added to pagecache
+
+From: Mike Kravetz <mike.kravetz@oracle.com>
+
+commit 22146c3ce98962436e401f7b7016a6f664c9ffb5 upstream.
+
+Some test systems were experiencing negative huge page reserve counts and
+incorrect file block counts.  This was traced to /proc/sys/vm/drop_caches
+removing clean pages from hugetlbfs file pagecaches.  When non-hugetlbfs
+explicit code removes the pages, the appropriate accounting is not
+performed.
+
+This can be recreated as follows:
+ fallocate -l 2M /dev/hugepages/foo
+ echo 1 > /proc/sys/vm/drop_caches
+ fallocate -l 2M /dev/hugepages/foo
+ grep -i huge /proc/meminfo
+   AnonHugePages:         0 kB
+   ShmemHugePages:        0 kB
+   HugePages_Total:    2048
+   HugePages_Free:     2047
+   HugePages_Rsvd:    18446744073709551615
+   HugePages_Surp:        0
+   Hugepagesize:       2048 kB
+   Hugetlb:         4194304 kB
+ ls -lsh /dev/hugepages/foo
+   4.0M -rw-r--r--. 1 root root 2.0M Oct 17 20:05 /dev/hugepages/foo
+
+To address this issue, dirty pages as they are added to pagecache.  This
+can easily be reproduced with fallocate as shown above.  Read faulted
+pages will eventually end up being marked dirty.  But there is a window
+where they are clean and could be impacted by code such as drop_caches.
+So, just dirty them all as they are added to the pagecache.
+
+Link: http://lkml.kernel.org/r/b5be45b8-5afe-56cd-9482-28384699a049@oracle.com
+Fixes: 6bda666a03f0 ("hugepages: fold find_or_alloc_pages into huge_no_page()")
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Acked-by: Mihcla Hocko <mhocko@suse.com>
+Reviewed-by: Khalid Aziz <khalid.aziz@oracle.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: "Aneesh Kumar K . V" <aneesh.kumar@linux.vnet.ibm.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/hugetlb.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -3644,6 +3644,12 @@ int huge_add_to_page_cache(struct page *
+               return err;
+       ClearPagePrivate(page);
++      /*
++       * set page dirty so that it will not be removed from cache/file
++       * by non-hugetlbfs specific code paths.
++       */
++      set_page_dirty(page);
++
+       spin_lock(&inode->i_lock);
+       inode->i_blocks += blocks_per_huge_page(h);
+       spin_unlock(&inode->i_lock);
diff --git a/queue-4.14/ib-mlx5-fix-mr-cache-initialization.patch b/queue-4.14/ib-mlx5-fix-mr-cache-initialization.patch
new file mode 100644 (file)
index 0000000..a7f106c
--- /dev/null
@@ -0,0 +1,41 @@
+From 013c2403bf32e48119aeb13126929f81352cc7ac Mon Sep 17 00:00:00 2001
+From: Artemy Kovalyov <artemyko@mellanox.com>
+Date: Mon, 15 Oct 2018 14:13:35 +0300
+Subject: IB/mlx5: Fix MR cache initialization
+
+From: Artemy Kovalyov <artemyko@mellanox.com>
+
+commit 013c2403bf32e48119aeb13126929f81352cc7ac upstream.
+
+Schedule MR cache work only after bucket was initialized.
+
+Cc: <stable@vger.kernel.org> # 4.10
+Fixes: 49780d42dfc9 ("IB/mlx5: Expose MR cache for mlx5_ib")
+Signed-off-by: Artemy Kovalyov <artemyko@mellanox.com>
+Reviewed-by: Majd Dibbiny <majd@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/mr.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -675,7 +675,6 @@ int mlx5_mr_cache_init(struct mlx5_ib_de
+               init_completion(&ent->compl);
+               INIT_WORK(&ent->work, cache_work_func);
+               INIT_DELAYED_WORK(&ent->dwork, delayed_cache_work_func);
+-              queue_work(cache->wq, &ent->work);
+               if (i > MR_CACHE_LAST_STD_ENTRY) {
+                       mlx5_odp_init_mr_cache_entry(ent);
+@@ -694,6 +693,7 @@ int mlx5_mr_cache_init(struct mlx5_ib_de
+                       ent->limit = dev->mdev->profile->mr_cache[i].limit;
+               else
+                       ent->limit = 0;
++              queue_work(cache->wq, &ent->work);
+       }
+       err = mlx5_mr_cache_debugfs_init(dev);
diff --git a/queue-4.14/iio-ad5064-fix-regulator-handling.patch b/queue-4.14/iio-ad5064-fix-regulator-handling.patch
new file mode 100644 (file)
index 0000000..95aec8f
--- /dev/null
@@ -0,0 +1,96 @@
+From 8911a43bc198877fad9f4b0246a866b26bb547ab Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Fri, 28 Sep 2018 11:23:40 +0200
+Subject: iio: ad5064: Fix regulator handling
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+commit 8911a43bc198877fad9f4b0246a866b26bb547ab upstream.
+
+The correct way to handle errors returned by regualtor_get() and friends is
+to propagate the error since that means that an regulator was specified,
+but something went wrong when requesting it.
+
+For handling optional regulators, e.g. when the device has an internal
+vref, regulator_get_optional() should be used to avoid getting the dummy
+regulator that the regulator core otherwise provides.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/dac/ad5064.c |   53 +++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 38 insertions(+), 15 deletions(-)
+
+--- a/drivers/iio/dac/ad5064.c
++++ b/drivers/iio/dac/ad5064.c
+@@ -809,6 +809,40 @@ static int ad5064_set_config(struct ad50
+       return ad5064_write(st, cmd, 0, val, 0);
+ }
++static int ad5064_request_vref(struct ad5064_state *st, struct device *dev)
++{
++      unsigned int i;
++      int ret;
++
++      for (i = 0; i < ad5064_num_vref(st); ++i)
++              st->vref_reg[i].supply = ad5064_vref_name(st, i);
++
++      if (!st->chip_info->internal_vref)
++              return devm_regulator_bulk_get(dev, ad5064_num_vref(st),
++                                             st->vref_reg);
++
++      /*
++       * This assumes that when the regulator has an internal VREF
++       * there is only one external VREF connection, which is
++       * currently the case for all supported devices.
++       */
++      st->vref_reg[0].consumer = devm_regulator_get_optional(dev, "vref");
++      if (!IS_ERR(st->vref_reg[0].consumer))
++              return 0;
++
++      ret = PTR_ERR(st->vref_reg[0].consumer);
++      if (ret != -ENODEV)
++              return ret;
++
++      /* If no external regulator was supplied use the internal VREF */
++      st->use_internal_vref = true;
++      ret = ad5064_set_config(st, AD5064_CONFIG_INT_VREF_ENABLE);
++      if (ret)
++              dev_err(dev, "Failed to enable internal vref: %d\n", ret);
++
++      return ret;
++}
++
+ static int ad5064_probe(struct device *dev, enum ad5064_type type,
+                       const char *name, ad5064_write_func write)
+ {
+@@ -829,22 +863,11 @@ static int ad5064_probe(struct device *d
+       st->dev = dev;
+       st->write = write;
+-      for (i = 0; i < ad5064_num_vref(st); ++i)
+-              st->vref_reg[i].supply = ad5064_vref_name(st, i);
++      ret = ad5064_request_vref(st, dev);
++      if (ret)
++              return ret;
+-      ret = devm_regulator_bulk_get(dev, ad5064_num_vref(st),
+-              st->vref_reg);
+-      if (ret) {
+-              if (!st->chip_info->internal_vref)
+-                      return ret;
+-              st->use_internal_vref = true;
+-              ret = ad5064_set_config(st, AD5064_CONFIG_INT_VREF_ENABLE);
+-              if (ret) {
+-                      dev_err(dev, "Failed to enable internal vref: %d\n",
+-                              ret);
+-                      return ret;
+-              }
+-      } else {
++      if (!st->use_internal_vref) {
+               ret = regulator_bulk_enable(ad5064_num_vref(st), st->vref_reg);
+               if (ret)
+                       return ret;
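Review bot: ad5064_request_vref() returns 0 on the internal-reference path while `st->vref_reg[0].consumer` still holds the ERR_PTR from `devm_regulator_get_optional()`. The visible caller only touches the regulators under `if (!st->use_internal_vref)`, but other users of vref_reg are outside the hunk, so the invariant should be written down. I would add a header comment to the helper stating that it returns 0 or a negative errno, and that vref_reg[].consumer is valid only when use_internal_vref is false. ad5064_probe() continues beyond the hunk.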
diff --git a/queue-4.14/iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch b/queue-4.14/iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch
new file mode 100644 (file)
index 0000000..8e6e037
--- /dev/null
@@ -0,0 +1,39 @@
+From bc1b45326223e7e890053cf6266357adfa61942d Mon Sep 17 00:00:00 2001
+From: Eugen Hristev <eugen.hristev@microchip.com>
+Date: Mon, 24 Sep 2018 10:51:43 +0300
+Subject: iio: adc: at91: fix acking DRDY irq on simple conversions
+
+From: Eugen Hristev <eugen.hristev@microchip.com>
+
+commit bc1b45326223e7e890053cf6266357adfa61942d upstream.
+
+When doing simple conversions, the driver did not acknowledge the DRDY irq.
+If this irq status is not acked, it will be left pending, and as soon as a
+trigger is enabled, the irq handler will be called, it doesn't know why
+this status has occurred because no channel is pending, and then it will go
+int a irq loop and board will hang.
+To avoid this situation, read the LCDR after a raw conversion is done.
+
+Fixes: 0e589d5fb ("ARM: AT91: IIO: Add AT91 ADC driver.")
+Cc: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/at91_adc.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/adc/at91_adc.c
++++ b/drivers/iio/adc/at91_adc.c
+@@ -279,6 +279,8 @@ static void handle_adc_eoc_trigger(int i
+               iio_trigger_poll(idev->trig);
+       } else {
+               st->last_value = at91_adc_readl(st, AT91_ADC_CHAN(st, st->chnb));
++              /* Needed to ACK the DRDY interruption */
++              at91_adc_readl(st, AT91_ADC_LCDR);
+               st->done = true;
+               wake_up_interruptible(&st->wq_data_avail);
+       }
diff --git a/queue-4.14/iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch b/queue-4.14/iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch
new file mode 100644 (file)
index 0000000..cbf025a
--- /dev/null
@@ -0,0 +1,49 @@
+From aea835f2dc8a682942b859179c49ad1841a6c8b9 Mon Sep 17 00:00:00 2001
+From: Eugen Hristev <eugen.hristev@microchip.com>
+Date: Mon, 24 Sep 2018 10:51:44 +0300
+Subject: iio: adc: at91: fix wrong channel number in triggered buffer mode
+
+From: Eugen Hristev <eugen.hristev@microchip.com>
+
+commit aea835f2dc8a682942b859179c49ad1841a6c8b9 upstream.
+
+When channels are registered, the hardware channel number is not the
+actual iio channel number.
+This is because the driver is probed with a certain number of accessible
+channels. Some pins are routed and some not, depending on the description of
+the board in the DT.
+Because of that, channels 0,1,2,3 can correspond to hardware channels
+2,3,4,5 for example.
+In the buffered triggered case, we need to do the translation accordingly.
+Fixed the channel number to stop reading the wrong channel.
+
+Fixes: 0e589d5fb ("ARM: AT91: IIO: Add AT91 ADC driver.")
+Cc: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/at91_adc.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/at91_adc.c
++++ b/drivers/iio/adc/at91_adc.c
+@@ -248,12 +248,14 @@ static irqreturn_t at91_adc_trigger_hand
+       struct iio_poll_func *pf = p;
+       struct iio_dev *idev = pf->indio_dev;
+       struct at91_adc_state *st = iio_priv(idev);
++      struct iio_chan_spec const *chan;
+       int i, j = 0;
+       for (i = 0; i < idev->masklength; i++) {
+               if (!test_bit(i, idev->active_scan_mask))
+                       continue;
+-              st->buffer[j] = at91_adc_readl(st, AT91_ADC_CHAN(st, i));
++              chan = idev->channels + i;
++              st->buffer[j] = at91_adc_readl(st, AT91_ADC_CHAN(st, chan->channel));
+               j++;
+       }
diff --git a/queue-4.14/iio-adc-imx25-gcq-fix-leak-of-device_node-in-mx25_gcq_setup_cfgs.patch b/queue-4.14/iio-adc-imx25-gcq-fix-leak-of-device_node-in-mx25_gcq_setup_cfgs.patch
new file mode 100644 (file)
index 0000000..32bb58d
--- /dev/null
@@ -0,0 +1,73 @@
+From d3fa21c73c391975488818b085b894c2980ea052 Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 22 Sep 2018 00:58:02 +0300
+Subject: iio: adc: imx25-gcq: Fix leak of device_node in mx25_gcq_setup_cfgs()
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+commit d3fa21c73c391975488818b085b894c2980ea052 upstream.
+
+Leaving for_each_child_of_node loop we should release child device node,
+if it is not stored for future use.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+JC: I'm not sending this as a quick fix as it's been wrong for years,
+but good to pick up for stable after the merge window.
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Fixes: 6df2e98c3ea56 ("iio: adc: Add imx25-gcq ADC driver")
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/fsl-imx25-gcq.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/iio/adc/fsl-imx25-gcq.c
++++ b/drivers/iio/adc/fsl-imx25-gcq.c
+@@ -209,12 +209,14 @@ static int mx25_gcq_setup_cfgs(struct pl
+               ret = of_property_read_u32(child, "reg", &reg);
+               if (ret) {
+                       dev_err(dev, "Failed to get reg property\n");
++                      of_node_put(child);
+                       return ret;
+               }
+               if (reg >= MX25_NUM_CFGS) {
+                       dev_err(dev,
+                               "reg value is greater than the number of available configuration registers\n");
++                      of_node_put(child);
+                       return -EINVAL;
+               }
+@@ -228,6 +230,7 @@ static int mx25_gcq_setup_cfgs(struct pl
+                       if (IS_ERR(priv->vref[refp])) {
+                               dev_err(dev, "Error, trying to use external voltage reference without a vref-%s regulator.",
+                                       mx25_gcq_refp_names[refp]);
++                              of_node_put(child);
+                               return PTR_ERR(priv->vref[refp]);
+                       }
+                       priv->channel_vref_mv[reg] =
+@@ -240,6 +243,7 @@ static int mx25_gcq_setup_cfgs(struct pl
+                       break;
+               default:
+                       dev_err(dev, "Invalid positive reference %d\n", refp);
++                      of_node_put(child);
+                       return -EINVAL;
+               }
+@@ -254,10 +258,12 @@ static int mx25_gcq_setup_cfgs(struct pl
+               if ((refp & MX25_ADCQ_CFG_REFP_MASK) != refp) {
+                       dev_err(dev, "Invalid fsl,adc-refp property value\n");
++                      of_node_put(child);
+                       return -EINVAL;
+               }
+               if ((refn & MX25_ADCQ_CFG_REFN_MASK) != refn) {
+                       dev_err(dev, "Invalid fsl,adc-refn property value\n");
++                      of_node_put(child);
+                       return -EINVAL;
+               }
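Review bot: Six early returns inside the for_each_child_of_node loop of mx25_gcq_setup_cfgs() now each carry their own `of_node_put(child);`, which is easy to forget when another error return is added to the loop. Setting `ret` and jumping to a single label that does `of_node_put(child); return ret;` would keep the reference drop in one place. These hunks do not show whether any other exit from the loop is still uncovered. The loop header and the end of the function are outside them.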
diff --git a/queue-4.14/ima-fix-showing-large-violations-or-runtime_measurements_count.patch b/queue-4.14/ima-fix-showing-large-violations-or-runtime_measurements_count.patch
new file mode 100644 (file)
index 0000000..858b117
--- /dev/null
@@ -0,0 +1,41 @@
+From 1e4c8dafbb6bf72fb5eca035b861e39c5896c2b7 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 7 Sep 2018 14:33:24 -0700
+Subject: ima: fix showing large 'violations' or 'runtime_measurements_count'
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 1e4c8dafbb6bf72fb5eca035b861e39c5896c2b7 upstream.
+
+The 12 character temporary buffer is not necessarily long enough to hold
+a 'long' value.  Increase it.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/ima/ima_fs.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/security/integrity/ima/ima_fs.c
++++ b/security/integrity/ima/ima_fs.c
+@@ -39,14 +39,14 @@ static int __init default_canonical_fmt_
+ __setup("ima_canonical_fmt", default_canonical_fmt_setup);
+ static int valid_policy = 1;
+-#define TMPBUFLEN 12
++
+ static ssize_t ima_show_htable_value(char __user *buf, size_t count,
+                                    loff_t *ppos, atomic_long_t *val)
+ {
+-      char tmpbuf[TMPBUFLEN];
++      char tmpbuf[32];        /* greater than largest 'long' string value */
+       ssize_t len;
+-      len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
++      len = scnprintf(tmpbuf, sizeof(tmpbuf), "%li\n", atomic_long_read(val));
+       return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
+ }
diff --git a/queue-4.14/iwlwifi-mvm-check-return-value-of-rs_rate_from_ucode_rate.patch b/queue-4.14/iwlwifi-mvm-check-return-value-of-rs_rate_from_ucode_rate.patch
new file mode 100644 (file)
index 0000000..97c8aae
--- /dev/null
@@ -0,0 +1,81 @@
+From 3d71c3f1f50cf309bd20659422af549bc784bfff Mon Sep 17 00:00:00 2001
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Sat, 13 Oct 2018 09:46:08 +0300
+Subject: iwlwifi: mvm: check return value of rs_rate_from_ucode_rate()
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+commit 3d71c3f1f50cf309bd20659422af549bc784bfff upstream.
+
+The rs_rate_from_ucode_rate() function may return -EINVAL if the rate
+is invalid, but none of the callsites check for the error, potentially
+making us access arrays with index IWL_RATE_INVALID, which is larger
+than the arrays, causing an out-of-bounds access.  This will trigger
+KASAN warnings, such as the one reported in the bugzilla issue
+mentioned below.
+
+This fixes https://bugzilla.kernel.org/show_bug.cgi?id=200659
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/rs.c |   24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c
+@@ -1226,7 +1226,11 @@ void iwl_mvm_rs_tx_status(struct iwl_mvm
+           !(info->flags & IEEE80211_TX_STAT_AMPDU))
+               return;
+-      rs_rate_from_ucode_rate(tx_resp_hwrate, info->band, &tx_resp_rate);
++      if (rs_rate_from_ucode_rate(tx_resp_hwrate, info->band,
++                                  &tx_resp_rate)) {
++              WARN_ON_ONCE(1);
++              return;
++      }
+ #ifdef CONFIG_MAC80211_DEBUGFS
+       /* Disable last tx check if we are debugging with fixed rate but
+@@ -1277,7 +1281,10 @@ void iwl_mvm_rs_tx_status(struct iwl_mvm
+        */
+       table = &lq_sta->lq;
+       lq_hwrate = le32_to_cpu(table->rs_table[0]);
+-      rs_rate_from_ucode_rate(lq_hwrate, info->band, &lq_rate);
++      if (rs_rate_from_ucode_rate(lq_hwrate, info->band, &lq_rate)) {
++              WARN_ON_ONCE(1);
++              return;
++      }
+       /* Here we actually compare this rate to the latest LQ command */
+       if (lq_color != LQ_FLAG_COLOR_GET(table->flags)) {
+@@ -1379,8 +1386,12 @@ void iwl_mvm_rs_tx_status(struct iwl_mvm
+               /* Collect data for each rate used during failed TX attempts */
+               for (i = 0; i <= retries; ++i) {
+                       lq_hwrate = le32_to_cpu(table->rs_table[i]);
+-                      rs_rate_from_ucode_rate(lq_hwrate, info->band,
+-                                              &lq_rate);
++                      if (rs_rate_from_ucode_rate(lq_hwrate, info->band,
++                                                  &lq_rate)) {
++                              WARN_ON_ONCE(1);
++                              return;
++                      }
++
+                       /*
+                        * Only collect stats if retried rate is in the same RS
+                        * table as active/search.
+@@ -3244,7 +3255,10 @@ static void rs_build_rates_table_from_fi
+       for (i = 0; i < num_rates; i++)
+               lq_cmd->rs_table[i] = ucode_rate_le32;
+-      rs_rate_from_ucode_rate(ucode_rate, band, &rate);
++      if (rs_rate_from_ucode_rate(ucode_rate, band, &rate)) {
++              WARN_ON_ONCE(1);
++              return;
++      }
+       if (is_mimo(&rate))
+               lq_cmd->mimo_delim = num_rates - 1;
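Review bot: In the last hunk (rs_build_rates_table_from_fixed) the new check runs after the loop has already copied `ucode_rate_le32` into every `lq_cmd->rs_table[i]`, so on the error path the function returns with the table filled from a rate that was just rejected and with `mimo_delim` not set. Moving the `if (rs_rate_from_ucode_rate(ucode_rate, band, &rate))` check above the `for (i = 0; i < num_rates; i++)` loop would leave `lq_cmd` untouched on failure; whether the caller still sends the command is not visible here. The check inside the retry loop of iwl_mvm_rs_tx_status() also returns mid-loop, presumably after earlier iterations were already accounted. All three early returns in that function sit in a body that starts and ends outside the hunks, so any unlock or cleanup further down should be confirmed against the full function.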
diff --git a/queue-4.14/jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch b/queue-4.14/jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch
new file mode 100644 (file)
index 0000000..4ea9a38
--- /dev/null
@@ -0,0 +1,69 @@
+From ccd3c4373eacb044eb3832966299d13d2631f66f Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 5 Oct 2018 18:44:40 -0400
+Subject: jbd2: fix use after free in jbd2_log_do_checkpoint()
+
+From: Jan Kara <jack@suse.cz>
+
+commit ccd3c4373eacb044eb3832966299d13d2631f66f upstream.
+
+The code cleaning transaction's lists of checkpoint buffers has a bug
+where it increases bh refcount only after releasing
+journal->j_list_lock. Thus the following race is possible:
+
+CPU0                                   CPU1
+jbd2_log_do_checkpoint()
+                                       jbd2_journal_try_to_free_buffers()
+                                         __journal_try_to_free_buffer(bh)
+  ...
+  while (transaction->t_checkpoint_io_list)
+  ...
+    if (buffer_locked(bh)) {
+
+<-- IO completes now, buffer gets unlocked -->
+
+      spin_unlock(&journal->j_list_lock);
+                                           spin_lock(&journal->j_list_lock);
+                                           __jbd2_journal_remove_checkpoint(jh);
+                                           spin_unlock(&journal->j_list_lock);
+                                         try_to_free_buffers(page);
+      get_bh(bh) <-- accesses freed bh
+
+Fix the problem by grabbing bh reference before unlocking
+journal->j_list_lock.
+
+Fixes: dc6e8d669cf5 ("jbd2: don't call get_bh() before calling __jbd2_journal_remove_checkpoint()")
+Fixes: be1158cc615f ("jbd2: fold __process_buffer() into jbd2_log_do_checkpoint()")
+Reported-by: syzbot+7f4a27091759e2fe7453@syzkaller.appspotmail.com
+CC: stable@vger.kernel.org
+Reviewed-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/checkpoint.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/jbd2/checkpoint.c
++++ b/fs/jbd2/checkpoint.c
+@@ -254,8 +254,8 @@ restart:
+               bh = jh2bh(jh);
+               if (buffer_locked(bh)) {
+-                      spin_unlock(&journal->j_list_lock);
+                       get_bh(bh);
++                      spin_unlock(&journal->j_list_lock);
+                       wait_on_buffer(bh);
+                       /* the journal_head may have gone by now */
+                       BUFFER_TRACE(bh, "brelse");
+@@ -336,8 +336,8 @@ restart2:
+               jh = transaction->t_checkpoint_io_list;
+               bh = jh2bh(jh);
+               if (buffer_locked(bh)) {
+-                      spin_unlock(&journal->j_list_lock);
+                       get_bh(bh);
++                      spin_unlock(&journal->j_list_lock);
+                       wait_on_buffer(bh);
+                       /* the journal_head may have gone by now */
+                       BUFFER_TRACE(bh, "brelse");
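Review bot: Both changed sites (after `restart:` and `restart2:`) now rely on `get_bh(bh)` being called while `journal->j_list_lock` is still held, but nothing in the code states that, and the Fixes: tags suggest the ordering was lost in earlier refactoring. A one-line comment above each `get_bh(bh)` would guard against a repeat, e.g. `/* take the bh reference before dropping j_list_lock; the buffer can be freed once the lock is released */`. The two blocks are the same lines repeated, so a small shared helper would be another way to keep the ordering in one place. The enclosing function continues outside both hunks.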
diff --git a/queue-4.14/kbuild-fix-kernel-bounds.c-w-1-warning.patch b/queue-4.14/kbuild-fix-kernel-bounds.c-w-1-warning.patch
new file mode 100644 (file)
index 0000000..9b3b69d
--- /dev/null
@@ -0,0 +1,54 @@
+From 6a32c2469c3fbfee8f25bcd20af647326650a6cf Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 30 Oct 2018 15:07:32 -0700
+Subject: kbuild: fix kernel/bounds.c 'W=1' warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 6a32c2469c3fbfee8f25bcd20af647326650a6cf upstream.
+
+Building any configuration with 'make W=1' produces a warning:
+
+kernel/bounds.c:16:6: warning: no previous prototype for 'foo' [-Wmissing-prototypes]
+
+When also passing -Werror, this prevents us from building any other files.
+Nobody ever calls the function, but we can't make it 'static' either
+since we want the compiler output.
+
+Calling it 'main' instead however avoids the warning, because gcc
+does not insist on having a declaration for main.
+
+Link: http://lkml.kernel.org/r/20181005083313.2088252-1-arnd@arndb.de
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reported-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Cc: David Laight <David.Laight@ACULAB.COM>
+Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/bounds.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/bounds.c
++++ b/kernel/bounds.c
+@@ -13,7 +13,7 @@
+ #include <linux/log2.h>
+ #include <linux/spinlock_types.h>
+-void foo(void)
++int main(void)
+ {
+       /* The enum constants to put into include/generated/bounds.h */
+       DEFINE(NR_PAGEFLAGS, __NR_PAGEFLAGS);
+@@ -23,4 +23,6 @@ void foo(void)
+ #endif
+       DEFINE(SPINLOCK_SIZE, sizeof(spinlock_t));
+       /* End of constants */
++
++      return 0;
+ }
diff --git a/queue-4.14/kvm-arm64-fix-caching-of-host-mdcr_el2-value.patch b/queue-4.14/kvm-arm64-fix-caching-of-host-mdcr_el2-value.patch
new file mode 100644 (file)
index 0000000..08a0f1e
--- /dev/null
@@ -0,0 +1,57 @@
+From da5a3ce66b8bb51b0ea8a89f42aac153903f90fb Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Wed, 17 Oct 2018 17:42:10 +0100
+Subject: KVM: arm64: Fix caching of host MDCR_EL2 value
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit da5a3ce66b8bb51b0ea8a89f42aac153903f90fb upstream.
+
+At boot time, KVM stashes the host MDCR_EL2 value, but only does this
+when the kernel is not running in hyp mode (i.e. is non-VHE). In these
+cases, the stashed value of MDCR_EL2.HPMN happens to be zero, which can
+lead to CONSTRAINED UNPREDICTABLE behaviour.
+
+Since we use this value to derive the MDCR_EL2 value when switching
+to/from a guest, after a guest have been run, the performance counters
+do not behave as expected. This has been observed to result in accesses
+via PMXEVTYPER_EL0 and PMXEVCNTR_EL0 not affecting the relevant
+counters, resulting in events not being counted. In these cases, only
+the fixed-purpose cycle counter appears to work as expected.
+
+Fix this by always stashing the host MDCR_EL2 value, regardless of VHE.
+
+Cc: Christopher Dall <christoffer.dall@arm.com>
+Cc: James Morse <james.morse@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: stable@vger.kernel.org
+Fixes: 1e947bad0b63b351 ("arm64: KVM: Skip HYP setup when already running in HYP")
+Tested-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/arm.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/virt/kvm/arm/arm.c
++++ b/virt/kvm/arm/arm.c
+@@ -1148,8 +1148,6 @@ static void cpu_init_hyp_mode(void *dumm
+       __cpu_init_hyp_mode(pgd_ptr, hyp_stack_ptr, vector_ptr);
+       __cpu_init_stage2();
+-
+-      kvm_arm_init_debug();
+ }
+ static void cpu_hyp_reset(void)
+@@ -1173,6 +1171,8 @@ static void cpu_hyp_reinit(void)
+               cpu_init_hyp_mode(NULL);
+       }
++      kvm_arm_init_debug();
++
+       if (vgic_present)
+               kvm_vgic_init_cpu_hardware();
+ }
diff --git a/queue-4.14/libertas-don-t-set-urb_zero_packet-on-in-usb-transfer.patch b/queue-4.14/libertas-don-t-set-urb_zero_packet-on-in-usb-transfer.patch
new file mode 100644 (file)
index 0000000..f64b828
--- /dev/null
@@ -0,0 +1,64 @@
+From 6528d88047801b80d2a5370ad46fb6eff2f509e0 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Sat, 6 Oct 2018 22:12:32 +0200
+Subject: libertas: don't set URB_ZERO_PACKET on IN USB transfer
+
+From: Lubomir Rintel <lkundrak@v3.sk>
+
+commit 6528d88047801b80d2a5370ad46fb6eff2f509e0 upstream.
+
+The USB core gets rightfully upset:
+
+  usb 1-1: BOGUS urb flags, 240 --> 200
+  WARNING: CPU: 0 PID: 60 at drivers/usb/core/urb.c:503 usb_submit_urb+0x2f8/0x3ed
+  Modules linked in:
+  CPU: 0 PID: 60 Comm: kworker/0:3 Not tainted 4.19.0-rc6-00319-g5206d00a45c7 #39
+  Hardware name: OLPC XO/XO, BIOS OLPC Ver 1.00.01 06/11/2014
+  Workqueue: events request_firmware_work_func
+  EIP: usb_submit_urb+0x2f8/0x3ed
+  Code: 75 06 8b 8f 80 00 00 00 8d 47 78 89 4d e4 89 55 e8 e8 35 1c f6 ff 8b 55 e8 56 52 8b 4d e4 51 50 68 e3 ce c7 c0 e8 ed 18 c6 ff <0f> 0b 83 c4 14 80 7d ef 01 74 0a 80 7d ef 03 0f 85 b8 00 00 00 8b
+  EAX: 00000025 EBX: ce7d4980 ECX: 00000000 EDX: 00000001
+  ESI: 00000200 EDI: ce7d8800 EBP: ce7f5ea8 ESP: ce7f5e70
+  DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068 EFLAGS: 00210292
+  CR0: 80050033 CR2: 00000000 CR3: 00e80000 CR4: 00000090
+  Call Trace:
+   ? if_usb_fw_timeo+0x64/0x64
+   __if_usb_submit_rx_urb+0x85/0xe6
+   ? if_usb_fw_timeo+0x64/0x64
+   if_usb_submit_rx_urb_fwload+0xd/0xf
+   if_usb_prog_firmware+0xc0/0x3db
+   ? _request_firmware+0x54/0x47b
+   ? _request_firmware+0x89/0x47b
+   ? if_usb_probe+0x412/0x412
+   lbs_fw_loaded+0x55/0xa6
+   ? debug_smp_processor_id+0x12/0x14
+   helper_firmware_cb+0x3c/0x3f
+   request_firmware_work_func+0x37/0x6f
+   process_one_work+0x164/0x25a
+   worker_thread+0x1c4/0x284
+   kthread+0xec/0xf1
+   ? cancel_delayed_work_sync+0xf/0xf
+   ? kthread_create_on_node+0x1a/0x1a
+   ret_from_fork+0x2e/0x38
+  ---[ end trace 3ef1e3b2dd53852f ]---
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/marvell/libertas/if_usb.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/wireless/marvell/libertas/if_usb.c
++++ b/drivers/net/wireless/marvell/libertas/if_usb.c
+@@ -456,8 +456,6 @@ static int __if_usb_submit_rx_urb(struct
+                         MRVDRV_ETH_RX_PACKET_BUFFER_SIZE, callbackfn,
+                         cardp);
+-      cardp->rx_urb->transfer_flags |= URB_ZERO_PACKET;
+-
+       lbs_deb_usb2(&cardp->udev->dev, "Pointer for rx_urb %p\n", cardp->rx_urb);
+       if ((ret = usb_submit_urb(cardp->rx_urb, GFP_ATOMIC))) {
+               lbs_deb_usbd(&cardp->udev->dev, "Submit Rx URB failed: %d\n", ret);
diff --git a/queue-4.14/libnvdimm-hold-reference-on-parent-while-scheduling-async-init.patch b/queue-4.14/libnvdimm-hold-reference-on-parent-while-scheduling-async-init.patch
new file mode 100644 (file)
index 0000000..67539e1
--- /dev/null
@@ -0,0 +1,46 @@
+From b6eae0f61db27748606cc00dafcfd1e2c032f0a5 Mon Sep 17 00:00:00 2001
+From: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+Date: Tue, 25 Sep 2018 13:53:02 -0700
+Subject: libnvdimm: Hold reference on parent while scheduling async init
+
+From: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+
+commit b6eae0f61db27748606cc00dafcfd1e2c032f0a5 upstream.
+
+Unlike asynchronous initialization in the core we have not yet associated
+the device with the parent, and as such the device doesn't hold a reference
+to the parent.
+
+In order to resolve that we should be holding a reference on the parent
+until the asynchronous initialization has completed.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 4d88a97aa9e8 ("libnvdimm: ...base ... infrastructure")
+Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/bus.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/nvdimm/bus.c
++++ b/drivers/nvdimm/bus.c
+@@ -484,6 +484,8 @@ static void nd_async_device_register(voi
+               put_device(dev);
+       }
+       put_device(dev);
++      if (dev->parent)
++              put_device(dev->parent);
+ }
+ static void nd_async_device_unregister(void *d, async_cookie_t cookie)
+@@ -503,6 +505,8 @@ void __nd_device_register(struct device
+       if (!dev)
+               return;
+       dev->bus = &nvdimm_bus_type;
++      if (dev->parent)
++              get_device(dev->parent);
+       get_device(dev);
+       async_schedule_domain(nd_async_device_register, dev,
+                       &nd_async_domain);
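Review bot: In nd_async_device_register() the added `if (dev->parent) put_device(dev->parent);` reads `dev->parent` after the final `put_device(dev)`, so if that put drops the last reference to `dev`, the new lines dereference a freed device. Reading the parent once before the puts avoids this: `struct device *parent = dev->parent;` near the top and `if (parent) put_device(parent);` at the end. The start of the function is outside the hunk, so the placement of the local needs checking against the full body. A cached pointer also keeps the put paired with the `get_device(dev->parent)` taken in __nd_device_register(), should `dev->parent` change in between.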
diff --git a/queue-4.14/libnvdimm-region-fail-badblocks-listing-for-inactive-regions.patch b/queue-4.14/libnvdimm-region-fail-badblocks-listing-for-inactive-regions.patch
new file mode 100644 (file)
index 0000000..03b83b6
--- /dev/null
@@ -0,0 +1,69 @@
+From 5d394eee2c102453278d81d9a7cf94c80253486a Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Thu, 27 Sep 2018 15:01:55 -0700
+Subject: libnvdimm, region: Fail badblocks listing for inactive regions
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 5d394eee2c102453278d81d9a7cf94c80253486a upstream.
+
+While experimenting with region driver loading the following backtrace
+was triggered:
+
+ INFO: trying to register non-static key.
+ the code is fine but needs lockdep annotation.
+ turning off the locking correctness validator.
+ [..]
+ Call Trace:
+  dump_stack+0x85/0xcb
+  register_lock_class+0x571/0x580
+  ? __lock_acquire+0x2ba/0x1310
+  ? kernfs_seq_start+0x2a/0x80
+  __lock_acquire+0xd4/0x1310
+  ? dev_attr_show+0x1c/0x50
+  ? __lock_acquire+0x2ba/0x1310
+  ? kernfs_seq_start+0x2a/0x80
+  ? lock_acquire+0x9e/0x1a0
+  lock_acquire+0x9e/0x1a0
+  ? dev_attr_show+0x1c/0x50
+  badblocks_show+0x70/0x190
+  ? dev_attr_show+0x1c/0x50
+  dev_attr_show+0x1c/0x50
+
+This results from a missing successful call to devm_init_badblocks()
+from nd_region_probe(). Block attempts to show badblocks while the
+region is not enabled.
+
+Fixes: 6a6bef90425e ("libnvdimm: add mechanism to publish badblocks...")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/region_devs.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/nvdimm/region_devs.c
++++ b/drivers/nvdimm/region_devs.c
+@@ -513,10 +513,17 @@ static ssize_t region_badblocks_show(str
+               struct device_attribute *attr, char *buf)
+ {
+       struct nd_region *nd_region = to_nd_region(dev);
++      ssize_t rc;
+-      return badblocks_show(&nd_region->bb, buf, 0);
+-}
++      device_lock(dev);
++      if (dev->driver)
++              rc = badblocks_show(&nd_region->bb, buf, 0);
++      else
++              rc = -ENXIO;
++      device_unlock(dev);
++      return rc;
++}
+ static DEVICE_ATTR(badblocks, 0444, region_badblocks_show, NULL);
+ static ssize_t resource_show(struct device *dev,
diff --git a/queue-4.14/mm-proc-pid-smaps_rollup-fix-null-pointer-deref-in-smaps_pte_range.patch b/queue-4.14/mm-proc-pid-smaps_rollup-fix-null-pointer-deref-in-smaps_pte_range.patch
new file mode 100644 (file)
index 0000000..b2a6b51
--- /dev/null
@@ -0,0 +1,111 @@
+From fa76da461bb0be13c8339d984dcf179151167c8f Mon Sep 17 00:00:00 2001
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Fri, 26 Oct 2018 15:02:16 -0700
+Subject: mm: /proc/pid/smaps_rollup: fix NULL pointer deref in smaps_pte_range()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vlastimil Babka <vbabka@suse.cz>
+
+commit fa76da461bb0be13c8339d984dcf179151167c8f upstream.
+
+Leonardo reports an apparent regression in 4.19-rc7:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000000000000f0
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP PTI
+ CPU: 3 PID: 6032 Comm: python Not tainted 4.19.0-041900rc7-lowlatency #201810071631
+ Hardware name: LENOVO 80UG/Toronto 4A2, BIOS 0XCN45WW 08/09/2018
+ RIP: 0010:smaps_pte_range+0x32d/0x540
+ Code: 80 00 00 00 00 74 a9 48 89 de 41 f6 40 52 40 0f 85 04 02 00 00 49 2b 30 48 c1 ee 0c 49 03 b0 98 00 00 00 49 8b 80 a0 00 00 00 <48> 8b b8 f0 00 00 00 e8 b7 ef ec ff 48 85 c0 0f 84 71 ff ff ff a8
+ RSP: 0018:ffffb0cbc484fb88 EFLAGS: 00010202
+ RAX: 0000000000000000 RBX: 0000560ddb9e9000 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000560ddb9e9 RDI: 0000000000000001
+ RBP: ffffb0cbc484fbc0 R08: ffff94a5a227a578 R09: ffff94a5a227a578
+ R10: 0000000000000000 R11: 0000560ddbbe7000 R12: ffffe903098ba728
+ R13: ffffb0cbc484fc78 R14: ffffb0cbc484fcf8 R15: ffff94a5a2e9cf48
+ FS:  00007f6dfb683740(0000) GS:ffff94a5aaf80000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00000000000000f0 CR3: 000000011c118001 CR4: 00000000003606e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+  __walk_page_range+0x3c2/0x6f0
+  walk_page_vma+0x42/0x60
+  smap_gather_stats+0x79/0xe0
+  ? gather_pte_stats+0x320/0x320
+  ? gather_hugetlb_stats+0x70/0x70
+  show_smaps_rollup+0xcd/0x1c0
+  seq_read+0x157/0x400
+  __vfs_read+0x3a/0x180
+  ? security_file_permission+0x93/0xc0
+  ? security_file_permission+0x93/0xc0
+  vfs_read+0x8f/0x140
+  ksys_read+0x55/0xc0
+  __x64_sys_read+0x1a/0x20
+  do_syscall_64+0x5a/0x110
+  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Decoded code matched to local compilation+disassembly points to
+smaps_pte_entry():
+
+        } else if (unlikely(IS_ENABLED(CONFIG_SHMEM) && mss->check_shmem_swap
+                                                        && pte_none(*pte))) {
+                page = find_get_entry(vma->vm_file->f_mapping,
+                                                linear_page_index(vma, addr));
+
+Here, vma->vm_file is NULL.  mss->check_shmem_swap should be false in that
+case, however for smaps_rollup, smap_gather_stats() can set the flag true
+for one vma and leave it true for subsequent vma's where it should be
+false.
+
+To fix, reset the check_shmem_swap flag to false.  There's also related
+bug which sets mss->swap to shmem_swapped, which in the context of
+smaps_rollup overwrites any value accumulated from previous vma's.  Fix
+that as well.
+
+Note that the report suggests a regression between 4.17.19 and 4.19-rc7,
+which makes the 4.19 series ending with commit 258f669e7e88 ("mm:
+/proc/pid/smaps_rollup: convert to single value seq_file") suspicious.
+But the mss was reused for rollup since 493b0e9d945f ("mm: add
+/proc/pid/smaps_rollup") so let's play it safe with the stable backport.
+
+Link: http://lkml.kernel.org/r/555fbd1f-4ac9-0b58-dcd4-5dc4380ff7ca@suse.cz
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=201377
+Fixes: 493b0e9d945f ("mm: add /proc/pid/smaps_rollup")
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Reported-by: Leonardo Soares MĂ¼ller <leozinho29_eu@hotmail.com>
+Tested-by: Leonardo Soares MĂ¼ller <leozinho29_eu@hotmail.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Daniel Colascione <dancol@google.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/task_mmu.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -768,6 +768,8 @@ static int show_smap(struct seq_file *m,
+       smaps_walk.private = mss;
+ #ifdef CONFIG_SHMEM
++      /* In case of smaps_rollup, reset the value from previous vma */
++      mss->check_shmem_swap = false;
+       if (vma->vm_file && shmem_mapping(vma->vm_file->f_mapping)) {
+               /*
+                * For shared or readonly shmem mappings we know that all
+@@ -783,7 +785,7 @@ static int show_smap(struct seq_file *m,
+               if (!shmem_swapped || (vma->vm_flags & VM_SHARED) ||
+                                       !(vma->vm_flags & VM_WRITE)) {
+-                      mss->swap = shmem_swapped;
++                      mss->swap += shmem_swapped;
+               } else {
+                       mss->check_shmem_swap = true;
+                       smaps_walk.pte_hole = smaps_pte_hole;
diff --git a/queue-4.14/mm-rmap-map_pte-was-not-handling-private-zone_device-page-properly.patch b/queue-4.14/mm-rmap-map_pte-was-not-handling-private-zone_device-page-properly.patch
new file mode 100644 (file)
index 0000000..69ffe99
--- /dev/null
@@ -0,0 +1,69 @@
+From aab8d0520e6e7c2a61f71195e6ce7007a4843afb Mon Sep 17 00:00:00 2001
+From: Ralph Campbell <rcampbell@nvidia.com>
+Date: Tue, 30 Oct 2018 15:04:11 -0700
+Subject: mm/rmap: map_pte() was not handling private ZONE_DEVICE page properly
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ralph Campbell <rcampbell@nvidia.com>
+
+commit aab8d0520e6e7c2a61f71195e6ce7007a4843afb upstream.
+
+Private ZONE_DEVICE pages use a special pte entry and thus are not
+present.  Properly handle this case in map_pte(), it is already handled in
+check_pte(), the map_pte() part was lost in some rebase most probably.
+
+Without this patch the slow migration path can not migrate back to any
+private ZONE_DEVICE memory to regular memory.  This was found after stress
+testing migration back to system memory.  This ultimatly can lead to the
+CPU constantly page fault looping on the special swap entry.
+
+Link: http://lkml.kernel.org/r/20181019160442.18723-3-jglisse@redhat.com
+Signed-off-by: Ralph Campbell <rcampbell@nvidia.com>
+Signed-off-by: JĂ©rĂ´me Glisse <jglisse@redhat.com>
+Reviewed-by: Balbir Singh <bsingharora@gmail.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page_vma_mapped.c |   24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+--- a/mm/page_vma_mapped.c
++++ b/mm/page_vma_mapped.c
+@@ -21,7 +21,29 @@ static bool map_pte(struct page_vma_mapp
+                       if (!is_swap_pte(*pvmw->pte))
+                               return false;
+               } else {
+-                      if (!pte_present(*pvmw->pte))
++                      /*
++                       * We get here when we are trying to unmap a private
++                       * device page from the process address space. Such
++                       * page is not CPU accessible and thus is mapped as
++                       * a special swap entry, nonetheless it still does
++                       * count as a valid regular mapping for the page (and
++                       * is accounted as such in page maps count).
++                       *
++                       * So handle this special case as if it was a normal
++                       * page mapping ie lock CPU page table and returns
++                       * true.
++                       *
++                       * For more details on device private memory see HMM
++                       * (include/linux/hmm.h or mm/hmm.c).
++                       */
++                      if (is_swap_pte(*pvmw->pte)) {
++                              swp_entry_t entry;
++
++                              /* Handle un-addressable ZONE_DEVICE memory */
++                              entry = pte_to_swp_entry(*pvmw->pte);
++                              if (!is_device_private_entry(entry))
++                                      return false;
++                      } else if (!pte_present(*pvmw->pte))
+                               return false;
+               }
+       }
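Review bot: The new `if (is_swap_pte(*pvmw->pte)) { ... } else if (!pte_present(*pvmw->pte))` chain in map_pte() pairs a braced branch with an unbraced one, which kernel coding style asks to avoid and which makes the trailing `return false;` easy to misread next to the closing braces that follow. I would write the tail as `} else if (!pte_present(*pvmw->pte)) {`, `return false;`, `}`. In the added block comment, "ie lock CPU page table and returns true" should read "i.e. lock the CPU page table and return true". map_pte() begins and ends outside the hunk.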
diff --git a/queue-4.14/net-ipv4-defensive-cipso-option-parsing.patch b/queue-4.14/net-ipv4-defensive-cipso-option-parsing.patch
new file mode 100644 (file)
index 0000000..5eb3223
--- /dev/null
@@ -0,0 +1,66 @@
+From 076ed3da0c9b2f88d9157dbe7044a45641ae369e Mon Sep 17 00:00:00 2001
+From: Stefan Nuernberger <snu@amazon.com>
+Date: Mon, 17 Sep 2018 19:46:53 +0200
+Subject: net/ipv4: defensive cipso option parsing
+
+From: Stefan Nuernberger <snu@amazon.com>
+
+commit 076ed3da0c9b2f88d9157dbe7044a45641ae369e upstream.
+
+commit 40413955ee26 ("Cipso: cipso_v4_optptr enter infinite loop") fixed
+a possible infinite loop in the IP option parsing of CIPSO. The fix
+assumes that ip_options_compile filtered out all zero length options and
+that no other one-byte options beside IPOPT_END and IPOPT_NOOP exist.
+While this assumption currently holds true, add explicit checks for zero
+length and invalid length options to be safe for the future. Even though
+ip_options_compile should have validated the options, the introduction of
+new one-byte options can still confuse this code without the additional
+checks.
+
+Signed-off-by: Stefan Nuernberger <snu@amazon.com>
+Cc: David Woodhouse <dwmw@amazon.co.uk>
+Cc: Simon Veith <sveith@amazon.de>
+Cc: stable@vger.kernel.org
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/cipso_ipv4.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1512,7 +1512,7 @@ static int cipso_v4_parsetag_loc(const s
+  *
+  * Description:
+  * Parse the packet's IP header looking for a CIPSO option.  Returns a pointer
+- * to the start of the CIPSO option on success, NULL if one if not found.
++ * to the start of the CIPSO option on success, NULL if one is not found.
+  *
+  */
+ unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
+@@ -1522,10 +1522,8 @@ unsigned char *cipso_v4_optptr(const str
+       int optlen;
+       int taglen;
+-      for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
++      for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 1; ) {
+               switch (optptr[0]) {
+-              case IPOPT_CIPSO:
+-                      return optptr;
+               case IPOPT_END:
+                       return NULL;
+               case IPOPT_NOOP:
+@@ -1534,6 +1532,11 @@ unsigned char *cipso_v4_optptr(const str
+               default:
+                       taglen = optptr[1];
+               }
++              if (!taglen || taglen > optlen)
++                      return NULL;
++              if (optptr[0] == IPOPT_CIPSO)
++                      return optptr;
++
+               optlen -= taglen;
+               optptr += taglen;
+       }
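Review bot: The new check `if (!taglen || taglen > optlen)` in cipso_v4_optptr() rejects a zero length but still accepts a length byte of 1 read in the `default:` branch, although a type-length option needs at least two bytes. With `taglen == 1` the loop advances one byte and treats the length byte as the next option type, so parsing goes out of step with the real option boundaries. The `IPOPT_NOOP` case presumably sets `taglen` to 1 itself (those lines fall between the hunks), so the stricter test belongs in the default branch: `if (optptr[1] < 2) return NULL;` before `taglen = optptr[1];`. The returned pointer is only known to have `taglen` bytes inside the header, so callers still have to check the CIPSO option's own minimum length, which is not visible here.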
diff --git a/queue-4.14/pci-add-device-ids-for-intel-gpu-spurious-interrupt-quirk.patch b/queue-4.14/pci-add-device-ids-for-intel-gpu-spurious-interrupt-quirk.patch
new file mode 100644 (file)
index 0000000..7741d25
--- /dev/null
@@ -0,0 +1,51 @@
+From d0c9606b31a21028fb5b753c8ad79626292accfd Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 26 Sep 2018 08:14:01 -0700
+Subject: PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk
+
+From: Bin Meng <bmeng.cn@gmail.com>
+
+commit d0c9606b31a21028fb5b753c8ad79626292accfd upstream.
+
+Add Device IDs to the Intel GPU "spurious interrupt" quirk table.
+
+For these devices, unplugging the VGA cable and plugging it in again causes
+spurious interrupts from the IGD.  Linux eventually disables the interrupt,
+but of course that disables any other devices sharing the interrupt.
+
+The theory is that this is a VGA BIOS defect: it should have disabled the
+IGD interrupt but failed to do so.
+
+See f67fd55fa96f ("PCI: Add quirk for still enabled interrupts on Intel
+Sandy Bridge GPUs") and 7c82126a94e6 ("PCI: Add new ID for Intel GPU
+"spurious interrupt" quirk") for some history.
+
+[bhelgaas: See link below for discussion about how to fix this more
+generically instead of adding device IDs for every new Intel GPU.  I hope
+this is the last patch to add device IDs.]
+
+Link: https://lore.kernel.org/linux-pci/1537974841-29928-1-git-send-email-bmeng.cn@gmail.com
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+[bhelgaas: changelog]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org     # v3.4+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/quirks.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -3163,7 +3163,11 @@ static void disable_igfx_irq(struct pci_
+       pci_iounmap(dev, regs);
+ }
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0042, disable_igfx_irq);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0046, disable_igfx_irq);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x004a, disable_igfx_irq);
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0102, disable_igfx_irq);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0106, disable_igfx_irq);
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x010a, disable_igfx_irq);
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x0152, disable_igfx_irq);
diff --git a/queue-4.14/pci-aspm-fix-link_state-teardown-on-device-removal.patch b/queue-4.14/pci-aspm-fix-link_state-teardown-on-device-removal.patch
new file mode 100644 (file)
index 0000000..1737159
--- /dev/null
@@ -0,0 +1,75 @@
+From aeae4f3e5c38d47bdaef50446dc0ec857307df68 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Tue, 4 Sep 2018 12:34:18 -0500
+Subject: PCI/ASPM: Fix link_state teardown on device removal
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit aeae4f3e5c38d47bdaef50446dc0ec857307df68 upstream.
+
+Upon removal of the last device on a bus, the link_state of the bridge
+leading to that bus is sought to be torn down by having pci_stop_dev()
+call pcie_aspm_exit_link_state().
+
+When ASPM was originally introduced by commit 7d715a6c1ae5 ("PCI: add
+PCI Express ASPM support"), it determined whether the device being
+removed is the last one by calling list_empty() on the bridge's
+subordinate devices list.  That didn't work because the device is only
+removed from the list slightly later in pci_destroy_dev().
+
+Commit 3419c75e15f8 ("PCI: properly clean up ASPM link state on device
+remove") attempted to fix it by calling list_is_last(), but that's not
+correct either because it checks whether the device is at the *end* of
+the list, not whether it's the last one *left* in the list.  If the user
+removes the device which happens to be at the end of the list via sysfs
+but other devices are preceding the device in the list, the link_state
+is torn down prematurely.
+
+The real fix is to move the invocation of pcie_aspm_exit_link_state() to
+pci_destroy_dev() and reinstate the call to list_empty().  Remove a
+duplicate check for dev->bus->self because pcie_aspm_exit_link_state()
+already contains an identical check.
+
+Fixes: 7d715a6c1ae5 ("PCI: add PCI Express ASPM support")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Shaohua Li <shaohua.li@intel.com>
+Cc: stable@vger.kernel.org # v2.6.26
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pcie/aspm.c |    2 +-
+ drivers/pci/remove.c    |    4 +---
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/pcie/aspm.c
++++ b/drivers/pci/pcie/aspm.c
+@@ -937,7 +937,7 @@ void pcie_aspm_exit_link_state(struct pc
+        * All PCIe functions are in one slot, remove one function will remove
+        * the whole slot, so just wait until we are the last function left.
+        */
+-      if (!list_is_last(&pdev->bus_list, &parent->subordinate->devices))
++      if (!list_empty(&parent->subordinate->devices))
+               goto out;
+       link = parent->link_state;
+--- a/drivers/pci/remove.c
++++ b/drivers/pci/remove.c
+@@ -24,9 +24,6 @@ static void pci_stop_dev(struct pci_dev
+               pci_remove_sysfs_dev_files(dev);
+               dev->is_added = 0;
+       }
+-
+-      if (dev->bus->self)
+-              pcie_aspm_exit_link_state(dev);
+ }
+ static void pci_destroy_dev(struct pci_dev *dev)
+@@ -40,6 +37,7 @@ static void pci_destroy_dev(struct pci_d
+       list_del(&dev->bus_list);
+       up_write(&pci_bus_sem);
++      pcie_aspm_exit_link_state(dev);
+       pci_bridge_d3_update(dev);
+       pci_free_resources(dev);
+       put_device(&dev->dev);
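Review bot: The added call `pcie_aspm_exit_link_state(dev);` in pci_destroy_dev() is only correct because it runs after `list_del(&dev->bus_list);`, and nothing at the call site records that ordering. With the check in aspm.c changed to `list_empty(&parent->subordinate->devices)`, moving the call back above list_del() would mean the list is never empty at that point and the link_state is never torn down. I would add a comment above the call, for example `/* Must follow list_del(): ASPM teardown uses list_empty() to detect the last device on the bus */`. Part of pci_destroy_dev() and all of pcie_aspm_exit_link_state()'s locking lie outside the hunks, so the locking around the list_empty() test is not visible here.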
diff --git a/queue-4.14/pci-vmd-white-list-for-fast-interrupt-handlers.patch b/queue-4.14/pci-vmd-white-list-for-fast-interrupt-handlers.patch
new file mode 100644 (file)
index 0000000..aed049e
--- /dev/null
@@ -0,0 +1,55 @@
+From a7f58b9ecfd3c0f63703ec10f4a592cc38dbd1b8 Mon Sep 17 00:00:00 2001
+From: Keith Busch <keith.busch@intel.com>
+Date: Tue, 8 May 2018 10:00:22 -0600
+Subject: PCI: vmd: White list for fast interrupt handlers
+
+From: Keith Busch <keith.busch@intel.com>
+
+commit a7f58b9ecfd3c0f63703ec10f4a592cc38dbd1b8 upstream.
+
+Devices with slow interrupt handlers are significantly harming
+performance when their interrupt vector is shared with a fast device.
+
+Create a class code white list for devices with known fast interrupt
+handlers and let all other devices share a single vector so that they
+don't interfere with performance.
+
+At the moment, only the NVM Express class code is on the list, but more
+may be added if VMD users desire to use other low-latency devices in
+these domains.
+
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+[lorenzo.pieralisi@arm.com: changelog]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Acked-by: Jon Derrick: <jonathan.derrick@intel.com>
+Cc: "Heitke, Kenneth" <kenneth.heitke@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/host/vmd.c |   13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/host/vmd.c
++++ b/drivers/pci/host/vmd.c
+@@ -183,9 +183,20 @@ static struct vmd_irq_list *vmd_next_irq
+       int i, best = 1;
+       unsigned long flags;
+-      if (pci_is_bridge(msi_desc_to_pci_dev(desc)) || vmd->msix_count == 1)
++      if (vmd->msix_count == 1)
+               return &vmd->irqs[0];
++      /*
++       * White list for fast-interrupt handlers. All others will share the
++       * "slow" interrupt vector.
++       */
++      switch (msi_desc_to_pci_dev(desc)->class) {
++      case PCI_CLASS_STORAGE_EXPRESS:
++              break;
++      default:
++              return &vmd->irqs[0];
++      }
++
+       raw_spin_lock_irqsave(&list_lock, flags);
+       for (i = 1; i < vmd->msix_count; i++)
+               if (vmd->irqs[i].count < vmd->irqs[best].count)
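Review bot: The added comment above `switch (msi_desc_to_pci_dev(desc)->class)` does not say that the match against `PCI_CLASS_STORAGE_EXPRESS` is on the whole class value. If `class` holds the full class code including the programming-interface byte, as it does for struct pci_dev, a storage controller that reports a different programming interface falls through `default:` to the shared vector `vmd->irqs[0]`. That looks intended, and bridges now reach vector 0 the same way, but the comment should state it, for example `Matches the full class code including prog-if; bridges and all other devices share vector 0.` The enclosing function starts and ends outside the hunk.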
diff --git a/queue-4.14/printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch b/queue-4.14/printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch
new file mode 100644 (file)
index 0000000..2072bb6
--- /dev/null
@@ -0,0 +1,65 @@
+From 277fcdb2cfee38ccdbe07e705dbd4896ba0c9930 Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he@windriver.com>
+Date: Sun, 30 Sep 2018 00:45:50 +0800
+Subject: printk: Fix panic caused by passing log_buf_len to command line
+
+From: He Zhe <zhe.he@windriver.com>
+
+commit 277fcdb2cfee38ccdbe07e705dbd4896ba0c9930 upstream.
+
+log_buf_len_setup does not check input argument before passing it to
+simple_strtoull. The argument would be a NULL pointer if "log_buf_len",
+without its value, is set in command line and thus causes the following
+panic.
+
+PANIC: early exception 0xe3 IP 10:ffffffffaaeacd0d error 0 cr2 0x0
+[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.0-rc4-yocto-standard+ #1
+[    0.000000] RIP: 0010:_parse_integer_fixup_radix+0xd/0x70
+...
+[    0.000000] Call Trace:
+[    0.000000]  simple_strtoull+0x29/0x70
+[    0.000000]  memparse+0x26/0x90
+[    0.000000]  log_buf_len_setup+0x17/0x22
+[    0.000000]  do_early_param+0x57/0x8e
+[    0.000000]  parse_args+0x208/0x320
+[    0.000000]  ? rdinit_setup+0x30/0x30
+[    0.000000]  parse_early_options+0x29/0x2d
+[    0.000000]  ? rdinit_setup+0x30/0x30
+[    0.000000]  parse_early_param+0x36/0x4d
+[    0.000000]  setup_arch+0x336/0x99e
+[    0.000000]  start_kernel+0x6f/0x4ee
+[    0.000000]  x86_64_start_reservations+0x24/0x26
+[    0.000000]  x86_64_start_kernel+0x6f/0x72
+[    0.000000]  secondary_startup_64+0xa4/0xb0
+
+This patch adds a check to prevent the panic.
+
+Link: http://lkml.kernel.org/r/1538239553-81805-1-git-send-email-zhe.he@windriver.com
+Cc: stable@vger.kernel.org
+Cc: rostedt@goodmis.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/printk/printk.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -1043,7 +1043,12 @@ static void __init log_buf_len_update(un
+ /* save requested log_buf_len since it's too early to process it */
+ static int __init log_buf_len_setup(char *str)
+ {
+-      unsigned size = memparse(str, &str);
++      unsigned int size;
++
++      if (!str)
++              return -EINVAL;
++
++      size = memparse(str, &str);
+       log_buf_len_update(size);
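Review bot: `size = memparse(str, &str);` still narrows memparse()'s wide result to `unsigned int`, so the new NULL check rejects a missing value but lets an oversized log_buf_len wrap to a small or zero size instead of failing. Since this handler parses the kernel command line, I would keep the wide type and range-check it: declare `u64 size;` and add `if (size > UINT_MAX) return -EINVAL;` before `log_buf_len_update(size);`. The parameter type of log_buf_len_update() is cut off in the hunk header, so confirm it before widening further. The rest of log_buf_len_setup() lies outside the hunk.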
diff --git a/queue-4.14/revert-f2fs-fix-to-clear-pg_checked-flag-in-set_page_dirty.patch b/queue-4.14/revert-f2fs-fix-to-clear-pg_checked-flag-in-set_page_dirty.patch
new file mode 100644 (file)
index 0000000..207b38c
--- /dev/null
@@ -0,0 +1,51 @@
+From 164a63fa6b384e30ceb96ed80bc7dc3379bc0960 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Tue, 16 Oct 2018 19:30:13 -0700
+Subject: Revert "f2fs: fix to clear PG_checked flag in set_page_dirty()"
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit 164a63fa6b384e30ceb96ed80bc7dc3379bc0960 upstream.
+
+This reverts commit 66110abc4c931f879d70e83e1281f891699364bf.
+
+If we clear the cold data flag out of the writeback flow, we can miscount
+-1 by end_io, which incurs a deadlock caused by all I/Os being blocked during
+heavy GC.
+
+Balancing F2FS Async:
+ - IO (CP:    1, Data:   -1, Flush: (   0    0    1), Discard: (   ...
+
+GC thread:                              IRQ
+- move_data_page()
+ - set_page_dirty()
+  - clear_cold_data()
+                                        - f2fs_write_end_io()
+                                         - type = WB_DATA_TYPE(page);
+                                           here, we get wrong type
+                                         - dec_page_count(sbi, type);
+ - f2fs_wait_on_page_writeback()
+
+Cc: <stable@vger.kernel.org>
+Reported-and-Tested-by: Park Ju Hyung <qkrwngud825@gmail.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/data.c |    4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -2190,10 +2190,6 @@ static int f2fs_set_data_page_dirty(stru
+       if (!PageUptodate(page))
+               SetPageUptodate(page);
+-      /* don't remain PG_checked flag which was set during GC */
+-      if (is_cold_data(page))
+-              clear_cold_data(page);
+-
+       if (f2fs_is_atomic_file(inode) && !f2fs_is_commit_atomic_write(inode)) {
+               if (!IS_ATOMIC_WRITTEN_PAGE(page)) {
+                       register_inmem_page(inode, page);
index 37bfda4a9451c9df2ddc8ff050e5987f85b488da..9bec3fa5821b138761d49dbc4215e649aa81da76 100644 (file)
@@ -108,3 +108,64 @@ dmaengine-dma-jz4780-return-error-if-not-probed-from-dt.patch
 ib-rxe-fix-for-duplicate-request-processing-and-ack-psns.patch
 alsa-hda-check-the-non-cached-stream-buffers-more-explicitly.patch
 cpupower-fix-amd-family-0x17-msr_pstate-size.patch
+revert-f2fs-fix-to-clear-pg_checked-flag-in-set_page_dirty.patch
+f2fs-fix-to-account-io-correctly.patch
+arm-dts-exynos-remove-cooling-min-max-level-for-cpu-nodes.patch
+arm-dts-exynos-add-missing-cooling-device-properties-for-cpus.patch
+arm-dts-exynos-convert-exynos5250.dtsi-to-opp-v2-bindings.patch
+arm-dts-exynos-mark-1-ghz-cpu-opp-as-suspend-opp-on-exynos5250.patch
+xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch
+tpm-restore-functionality-to-xen-vtpm-driver.patch
+xen-blkfront-avoid-null-blkfront_info-dereference-on-device-removal.patch
+xen-balloon-support-xend-based-toolstack.patch
+xen-fix-race-in-xen_qlock_wait.patch
+xen-make-xen_qlock_wait-nestable.patch
+xen-pvh-increase-early-stack-size.patch
+xen-pvh-don-t-try-to-unplug-emulated-devices.patch
+libertas-don-t-set-urb_zero_packet-on-in-usb-transfer.patch
+usbip-vudc-bug-kmalloc-2048-not-tainted-poison-overwritten.patch
+usb-gadget-udc-renesas_usb3-fix-b-device-mode-for-workaround.patch
+iwlwifi-mvm-check-return-value-of-rs_rate_from_ucode_rate.patch
+net-ipv4-defensive-cipso-option-parsing.patch
+dmaengine-ppc4xx-fix-off-by-one-build-failure.patch
+dmaengine-stm32-dma-fix-incomplete-configuration-in-cyclic-mode.patch
+libnvdimm-hold-reference-on-parent-while-scheduling-async-init.patch
+libnvdimm-region-fail-badblocks-listing-for-inactive-regions.patch
+asoc-intel-skylake-add-missing-break-in-skl_tplg_get_token.patch
+asoc-sta32x-set-component-pointer-in-private-struct.patch
+ib-mlx5-fix-mr-cache-initialization.patch
+jbd2-fix-use-after-free-in-jbd2_log_do_checkpoint.patch
+gfs2_meta-mount-can-get-null-dev_name.patch
+ext4-initialize-retries-variable-in-ext4_da_write_inline_data_begin.patch
+ext4-fix-setattr-project-check-in-fssetxattr-ioctl.patch
+ext4-propagate-error-from-dquot_initialize-in-ext4_ioc_fssetxattr.patch
+ext4-fix-use-after-free-race-in-ext4_remount-s-error-path.patch
+hid-hiddev-fix-potential-spectre-v1.patch
+edac-amd64-add-family-17h-models-10h-2fh-support.patch
+edac-i7core-sb-skx-_edac-fix-uncorrected-error-counting.patch
+edac-skx_edac-fix-logical-channel-intermediate-decoding.patch
+arm-dts-dra7-fix-up-unaligned-access-setting-for-pcie-ep.patch
+pci-aspm-fix-link_state-teardown-on-device-removal.patch
+pci-add-device-ids-for-intel-gpu-spurious-interrupt-quirk.patch
+pci-vmd-white-list-for-fast-interrupt-handlers.patch
+signal-genwqe-fix-sending-of-sigkill.patch
+signal-guard-against-negative-signal-numbers-in-copy_siginfo_from_user32.patch
+crypto-lrw-fix-out-of-bounds-access-on-counter-overflow.patch
+crypto-tcrypt-fix-ghash-generic-speed-test.patch
+mm-proc-pid-smaps_rollup-fix-null-pointer-deref-in-smaps_pte_range.patch
+ima-fix-showing-large-violations-or-runtime_measurements_count.patch
+hugetlbfs-dirty-pages-as-they-are-added-to-pagecache.patch
+mm-rmap-map_pte-was-not-handling-private-zone_device-page-properly.patch
+kvm-arm64-fix-caching-of-host-mdcr_el2-value.patch
+kbuild-fix-kernel-bounds.c-w-1-warning.patch
+iio-ad5064-fix-regulator-handling.patch
+iio-adc-imx25-gcq-fix-leak-of-device_node-in-mx25_gcq_setup_cfgs.patch
+iio-adc-at91-fix-acking-drdy-irq-on-simple-conversions.patch
+iio-adc-at91-fix-wrong-channel-number-in-triggered-buffer-mode.patch
+drivers-hv-kvp-fix-two-this-statement-may-fall-through-warnings.patch
+w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch
+smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch
+smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch
+smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch
+printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch
+genirq-fix-race-on-spurious-interrupt-detection.patch
diff --git a/queue-4.14/signal-genwqe-fix-sending-of-sigkill.patch b/queue-4.14/signal-genwqe-fix-sending-of-sigkill.patch
new file mode 100644 (file)
index 0000000..8e4715c
--- /dev/null
@@ -0,0 +1,112 @@
+From 0ab93e9c99f8208c0a1a7b7170c827936268c996 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Thu, 13 Sep 2018 11:28:01 +0200
+Subject: signal/GenWQE: Fix sending of SIGKILL
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit 0ab93e9c99f8208c0a1a7b7170c827936268c996 upstream.
+
+The genweq_add_file and genwqe_del_file by caching current without
+using reference counting embed the assumption that a file descriptor
+will never be passed from one process to another.  It even embeds the
+assumption that the the thread that opened the file will be in
+existence when the process terminates.   Neither of which are
+guaranteed to be true.
+
+Therefore replace caching the task_struct of the opener with
+pid of the openers thread group id.  All the knowledge of the
+opener is used for is as the target of SIGKILL and a SIGKILL
+will kill the entire process group.
+
+Rename genwqe_force_sig to genwqe_terminate, remove it's unncessary
+signal argument, update it's ownly caller, and use kill_pid
+instead of force_sig.
+
+The work force_sig does in changing signal handling state is not
+relevant to SIGKILL sent as SEND_SIG_PRIV.  The exact same processess
+will be killed just with less work, and less confusion.  The work done
+by force_sig is really only needed for handling syncrhonous
+exceptions.
+
+It will still be possible to cause genwqe_device_remove to wait
+8 seconds by passing a file descriptor to another process but
+the possible user after free is fixed.
+
+Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
+Cc: stable@vger.kernel.org
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Frank Haverkamp <haver@linux.vnet.ibm.com>
+Cc: Joerg-Stephan Vogt <jsvogt@de.ibm.com>
+Cc: Michael Jung <mijung@gmx.net>
+Cc: Michael Ruettger <michael@ibmra.de>
+Cc: Kleber Sacilotto de Souza <klebers@linux.vnet.ibm.com>
+Cc: Sebastian Ott <sebott@linux.vnet.ibm.com>
+Cc: Eberhard S. Amann <esa@linux.vnet.ibm.com>
+Cc: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
+Cc: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/genwqe/card_base.h |    2 +-
+ drivers/misc/genwqe/card_dev.c  |    9 +++++----
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/misc/genwqe/card_base.h
++++ b/drivers/misc/genwqe/card_base.h
+@@ -403,7 +403,7 @@ struct genwqe_file {
+       struct file *filp;
+       struct fasync_struct *async_queue;
+-      struct task_struct *owner;
++      struct pid *opener;
+       struct list_head list;          /* entry in list of open files */
+       spinlock_t map_lock;            /* lock for dma_mappings */
+--- a/drivers/misc/genwqe/card_dev.c
++++ b/drivers/misc/genwqe/card_dev.c
+@@ -52,7 +52,7 @@ static void genwqe_add_file(struct genwq
+ {
+       unsigned long flags;
+-      cfile->owner = current;
++      cfile->opener = get_pid(task_tgid(current));
+       spin_lock_irqsave(&cd->file_lock, flags);
+       list_add(&cfile->list, &cd->file_list);
+       spin_unlock_irqrestore(&cd->file_lock, flags);
+@@ -65,6 +65,7 @@ static int genwqe_del_file(struct genwqe
+       spin_lock_irqsave(&cd->file_lock, flags);
+       list_del(&cfile->list);
+       spin_unlock_irqrestore(&cd->file_lock, flags);
++      put_pid(cfile->opener);
+       return 0;
+ }
+@@ -275,7 +276,7 @@ static int genwqe_kill_fasync(struct gen
+       return files;
+ }
+-static int genwqe_force_sig(struct genwqe_dev *cd, int sig)
++static int genwqe_terminate(struct genwqe_dev *cd)
+ {
+       unsigned int files = 0;
+       unsigned long flags;
+@@ -283,7 +284,7 @@ static int genwqe_force_sig(struct genwq
+       spin_lock_irqsave(&cd->file_lock, flags);
+       list_for_each_entry(cfile, &cd->file_list, list) {
+-              force_sig(sig, cfile->owner);
++              kill_pid(cfile->opener, SIGKILL, 1);
+               files++;
+       }
+       spin_unlock_irqrestore(&cd->file_lock, flags);
+@@ -1356,7 +1357,7 @@ static int genwqe_inform_and_stop_proces
+               dev_warn(&pci_dev->dev,
+                        "[%s] send SIGKILL and wait ...\n", __func__);
+-              rc = genwqe_force_sig(cd, SIGKILL); /* force terminate */
++              rc = genwqe_terminate(cd);
+               if (rc) {
+                       /* Give kill_timout more seconds to end processes */
+                       for (i = 0; (i < genwqe_kill_timeout) &&
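Review bot: The new field `struct pid *opener;` in struct genwqe_file holds a counted reference, but unlike the fields next to it there is no comment saying who takes and who drops that reference. The pairing is `get_pid(task_tgid(current))` in genwqe_add_file() and `put_pid(cfile->opener)` in genwqe_del_file(), so any path that frees a genwqe_file without calling genwqe_del_file() would leak the pid; whether such a path exists is not visible here. I would document it on the field, for example `struct pid *opener; /* tgid of opener; ref held from genwqe_add_file() to genwqe_del_file() */`, and add a short comment at `kill_pid(cfile->opener, SIGKILL, 1);` that the last argument marks the signal as kernel-originated. The struct and most of the touched functions extend outside the hunks.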
diff --git a/queue-4.14/signal-guard-against-negative-signal-numbers-in-copy_siginfo_from_user32.patch b/queue-4.14/signal-guard-against-negative-signal-numbers-in-copy_siginfo_from_user32.patch
new file mode 100644 (file)
index 0000000..2c57303
--- /dev/null
@@ -0,0 +1,50 @@
+From a36700589b85443e28170be59fa11c8a104130a5 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 10 Oct 2018 20:29:44 -0500
+Subject: signal: Guard against negative signal numbers in copy_siginfo_from_user32
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit a36700589b85443e28170be59fa11c8a104130a5 upstream.
+
+While fixing an out of bounds array access in known_siginfo_layout
+reported by the kernel test robot it became apparent that the same bug
+exists in siginfo_layout and affects copy_siginfo_from_user32.
+
+The straight forward fix that makes guards against making this mistake
+in the future and should keep the code size small is to just take an
+unsigned signal number instead of a signed signal number, as I did to
+fix known_siginfo_layout.
+
+Cc: stable@vger.kernel.org
+Fixes: cc731525f26a ("signal: Remove kernel interal si_code magic")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/signal.h |    2 +-
+ kernel/signal.c        |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/signal.h
++++ b/include/linux/signal.h
+@@ -34,7 +34,7 @@ enum siginfo_layout {
+ #endif
+ };
+-enum siginfo_layout siginfo_layout(int sig, int si_code);
++enum siginfo_layout siginfo_layout(unsigned sig, int si_code);
+ /*
+  * Define some primitives to manipulate sigset_t.
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2700,7 +2700,7 @@ COMPAT_SYSCALL_DEFINE2(rt_sigpending, co
+ }
+ #endif
+-enum siginfo_layout siginfo_layout(int sig, int si_code)
++enum siginfo_layout siginfo_layout(unsigned sig, int si_code)
+ {
+       enum siginfo_layout layout = SIL_KILL;
+       if ((si_code > SI_USER) && (si_code < SI_KERNEL)) {
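Review bot: The signature `siginfo_layout(unsigned sig, int si_code)` now relies on the unsigned conversion to keep a negative signal number out of the lookups, and nothing in the code says so. A later cleanup back to `int sig` would silently bring back the out-of-bounds access described in the commit text. I would add a comment above the definition in kernel/signal.c, for example `/* sig is unsigned on purpose: a negative value from userspace must fail the range checks below */`, and spell the type `unsigned int` in both the prototype and the definition, as kernel style prefers. The function body with the actual range checks is outside the hunk, so their exact form is assumed.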
diff --git a/queue-4.14/smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch b/queue-4.14/smb3-allow-stats-which-track-session-and-share-reconnects-to-be-reset.patch
new file mode 100644 (file)
index 0000000..7acc555
--- /dev/null
@@ -0,0 +1,34 @@
+From 2c887635cd6ab3af619dc2be94e5bf8f2e172b78 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Sat, 15 Sep 2018 23:04:41 -0500
+Subject: smb3: allow stats which track session and share reconnects to be reset
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 2c887635cd6ab3af619dc2be94e5bf8f2e172b78 upstream.
+
+Currently, "echo 0 > /proc/fs/cifs/Stats" resets all of the stats
+except the session and share reconnect counts.  Fix it to
+reset those as well.
+
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifs_debug.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/cifs/cifs_debug.c
++++ b/fs/cifs/cifs_debug.c
+@@ -289,6 +289,9 @@ static ssize_t cifs_stats_proc_write(str
+               atomic_set(&totBufAllocCount, 0);
+               atomic_set(&totSmBufAllocCount, 0);
+ #endif /* CONFIG_CIFS_STATS2 */
++              atomic_set(&tcpSesReconnectCount, 0);
++              atomic_set(&tconInfoReconnectCount, 0);
++
+               spin_lock(&GlobalMid_Lock);
+               GlobalMaxActiveXid = 0;
+               GlobalCurrentXid = 0;
diff --git a/queue-4.14/smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch b/queue-4.14/smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch
new file mode 100644 (file)
index 0000000..93df8e9
--- /dev/null
@@ -0,0 +1,45 @@
+From 1e77a8c204c9d1b655c61751b8ad0fde22421dbb Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Fri, 19 Oct 2018 00:45:21 -0500
+Subject: smb3: do not attempt cifs operation in smb3 query info error path
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 1e77a8c204c9d1b655c61751b8ad0fde22421dbb upstream.
+
+If backupuid mount option is sent, we can incorrectly retry
+(on access denied on query info) with a cifs (FindFirst) operation
+on an smb3 mount which causes the server to force the session close.
+
+We set backup intent on open so no need for this fallback.
+
+See kernel bugzilla 201435
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/inode.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/inode.c
++++ b/fs/cifs/inode.c
+@@ -776,7 +776,15 @@ cifs_get_inode_info(struct inode **inode
+       } else if (rc == -EREMOTE) {
+               cifs_create_dfs_fattr(&fattr, sb);
+               rc = 0;
+-      } else if (rc == -EACCES && backup_cred(cifs_sb)) {
++      } else if ((rc == -EACCES) && backup_cred(cifs_sb) &&
++                 (strcmp(server->vals->version_string, SMB1_VERSION_STRING)
++                    == 0)) {
++                      /*
++                       * For SMB2 and later the backup intent flag is already
++                       * sent if needed on open and there is no path based
++                       * FindFirst operation to use to retry with
++                       */
++
+                       srchinf = kzalloc(sizeof(struct cifs_search_info),
+                                               GFP_KERNEL);
+                       if (srchinf == NULL) {
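Review bot: The added comment sits inside the branch that runs only for SMB1, yet it describes SMB2 and later, so on a first read it looks as if the FindFirst retry below applies to SMB2. I would move it above the `else if` or reword it to describe this branch, for example `/* Only SMB1 has a path based FindFirst to retry with; SMB2+ already sends backup intent on open */`. The dialect test `strcmp(server->vals->version_string, SMB1_VERSION_STRING)` also assumes `server` and `server->vals` are valid at this point, which the hunk does not show. cifs_get_inode_info() starts and ends outside the hunk.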
diff --git a/queue-4.14/smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch b/queue-4.14/smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch
new file mode 100644 (file)
index 0000000..d90a143
--- /dev/null
@@ -0,0 +1,40 @@
+From 926674de6705f0f1dbf29a62fd758d0977f535d6 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Sun, 28 Oct 2018 13:13:23 -0500
+Subject: smb3: on kerberos mount if server doesn't specify auth type use krb5
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 926674de6705f0f1dbf29a62fd758d0977f535d6 upstream.
+
+Some servers (e.g. Azure) do not include a spnego blob in the SMB3
+negotiate protocol response, so on kerberos mounts ("sec=krb5")
+we can fail, as we expected the server to list its supported
+auth types (OIDs in the spnego blob in the negprot response).
+Change this so that on krb5 mounts we default to trying krb5 if the
+server doesn't list its supported protocol mechanisms.
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifs_spnego.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/cifs_spnego.c
++++ b/fs/cifs/cifs_spnego.c
+@@ -147,8 +147,10 @@ cifs_get_spnego_key(struct cifs_ses *ses
+               sprintf(dp, ";sec=krb5");
+       else if (server->sec_mskerberos)
+               sprintf(dp, ";sec=mskrb5");
+-      else
+-              goto out;
++      else {
++              cifs_dbg(VFS, "unknown or missing server auth type, use krb5\n");
++              sprintf(dp, ";sec=krb5");
++      }
+       dp = description + strlen(description);
+       sprintf(dp, ";uid=0x%x",
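Review bot: The new `else { ... }` arm is braced while the `if` and `else if` arms before it are not; kernel style asks for braces on every arm once one of them needs them. The arm also changes what happens when the server advertises no mechanism, from bailing out via `goto out` to requesting a krb5 key, and the only trace is the `cifs_dbg(VFS, ...)` line. A comment such as `/* server sent no mechanism list; the mount asked for Kerberos, so default to krb5 */` would make clear that the choice comes from the mount options and not from the server. cifs_get_spnego_key() and the sizing of the `description` buffer are outside the hunk.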
diff --git a/queue-4.14/tpm-restore-functionality-to-xen-vtpm-driver.patch b/queue-4.14/tpm-restore-functionality-to-xen-vtpm-driver.patch
new file mode 100644 (file)
index 0000000..3e362c5
--- /dev/null
@@ -0,0 +1,59 @@
+From e487a0f52301293152a6f8c4e217f2a11dd808e3 Mon Sep 17 00:00:00 2001
+From: "Dr. Greg Wettstein" <greg@wind.enjellic.com>
+Date: Mon, 17 Sep 2018 18:53:33 -0400
+Subject: tpm: Restore functionality to xen vtpm driver.
+
+From: Dr. Greg Wettstein <greg@wind.enjellic.com>
+
+commit e487a0f52301293152a6f8c4e217f2a11dd808e3 upstream.
+
+Functionality of the xen-tpmfront driver was lost secondary to
+the introduction of xenbus multi-page support in commit ccc9d90a9a8b
+("xenbus_client: Extend interface to support multi-page ring").
+
+In this commit pointer to location of where the shared page address
+is stored was being passed to the xenbus_grant_ring() function rather
+then the address of the shared page itself. This resulted in a situation
+where the driver would attach to the vtpm-stubdom but any attempt
+to send a command to the stub domain would timeout.
+
+A diagnostic finding for this regression is the following error
+message being generated when the xen-tpmfront driver probes for a
+device:
+
+<3>vtpm vtpm-0: tpm_transmit: tpm_send: error -62
+
+<3>vtpm vtpm-0: A TPM error (-62) occurred attempting to determine
+the timeouts
+
+This fix is relevant to all kernels from 4.1 forward which is the
+release in which multi-page xenbus support was introduced.
+
+Daniel De Graaf formulated the fix by code inspection after the
+regression point was located.
+
+Fixes: ccc9d90a9a8b ("xenbus_client: Extend interface to support multi-page ring")
+Signed-off-by: Dr. Greg Wettstein <greg@enjellic.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[boris: Updated commit message, added Fixes tag]
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: stable@vger.kernel.org # v4.1+
+Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+
+---
+ drivers/char/tpm/xen-tpmfront.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/xen-tpmfront.c
++++ b/drivers/char/tpm/xen-tpmfront.c
+@@ -203,7 +203,7 @@ static int setup_ring(struct xenbus_devi
+               return -ENOMEM;
+       }
+-      rv = xenbus_grant_ring(dev, &priv->shr, 1, &gref);
++      rv = xenbus_grant_ring(dev, priv->shr, 1, &gref);
+       if (rv < 0)
+               return rv;
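Review bot: The corrected call `xenbus_grant_ring(dev, priv->shr, 1, &gref);` carries no comment, and by the commit text the wrong form `&priv->shr` went unnoticed from 4.1 onward. If the address parameter is an untyped pointer (it is `void *` in the xenbus client API as far as I know), the compiler accepts both forms, and the wrong one grants the other domain a page that is not the shared ring. I would add `/* grant the shared page itself, not the page holding the pointer to it */` above the call so the distinction survives later edits. setup_ring() starts and ends outside the hunk.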
diff --git a/queue-4.14/usb-gadget-udc-renesas_usb3-fix-b-device-mode-for-workaround.patch b/queue-4.14/usb-gadget-udc-renesas_usb3-fix-b-device-mode-for-workaround.patch
new file mode 100644 (file)
index 0000000..3b4d1c9
--- /dev/null
@@ -0,0 +1,38 @@
+From afc92514a34c7414b28047b1205a6b709103c699 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Tue, 2 Oct 2018 20:57:44 +0900
+Subject: usb: gadget: udc: renesas_usb3: Fix b-device mode for "workaround"
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit afc92514a34c7414b28047b1205a6b709103c699 upstream.
+
+If the "workaround_for_vbus" is true, the driver will not call
+usb_disconnect(). So, since the controller keeps some registers'
+value, the driver doesn't re-enumarate suitable speed after
+the b-device mode is disabled. To fix the issue, this patch
+adds usb_disconnect() calling in renesas_usb3_b_device_write()
+if workaround_for_vbus is true.
+
+Fixes: 43ba968b00ea ("usb: gadget: udc: renesas_usb3: add debugfs to set the b-device mode")
+Cc: <stable@vger.kernel.org> # v4.14+
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/renesas_usb3.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/gadget/udc/renesas_usb3.c
++++ b/drivers/usb/gadget/udc/renesas_usb3.c
+@@ -2374,6 +2374,9 @@ static ssize_t renesas_usb3_b_device_wri
+       else
+               usb3->forced_b_device = false;
++      if (usb3->workaround_for_vbus)
++              usb3_disconnect(usb3);
++
+       /* Let this driver call usb3_connect() anyway */
+       usb3_check_id(usb3);
diff --git a/queue-4.14/usbip-vudc-bug-kmalloc-2048-not-tainted-poison-overwritten.patch b/queue-4.14/usbip-vudc-bug-kmalloc-2048-not-tainted-poison-overwritten.patch
new file mode 100644 (file)
index 0000000..49857e6
--- /dev/null
@@ -0,0 +1,67 @@
+From e28fd56ad5273be67d0fae5bedc7e1680e729952 Mon Sep 17 00:00:00 2001
+From: "Shuah Khan (Samsung OSG)" <shuah@kernel.org>
+Date: Thu, 18 Oct 2018 10:19:29 -0600
+Subject: usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten
+
+From: Shuah Khan (Samsung OSG) <shuah@kernel.org>
+
+commit e28fd56ad5273be67d0fae5bedc7e1680e729952 upstream.
+
+In rmmod path, usbip_vudc does platform_device_put() twice once from
+platform_device_unregister() and then from put_vudc_device().
+
+The second put results in:
+
+BUG kmalloc-2048 (Not tainted): Poison overwritten error or
+BUG: KASAN: use-after-free in kobject_put+0x1e/0x230 if KASAN is
+enabled.
+
+[  169.042156] calling  init+0x0/0x1000 [usbip_vudc] @ 1697
+[  169.042396] =============================================================================
+[  169.043678] probe of usbip-vudc.0 returned 1 after 350 usecs
+[  169.044508] BUG kmalloc-2048 (Not tainted): Poison overwritten
+[  169.044509] -----------------------------------------------------------------------------
+...
+[  169.057849] INFO: Freed in device_release+0x2b/0x80 age=4223 cpu=3 pid=1693
+[  169.057852]         kobject_put+0x86/0x1b0
+[  169.057853]         0xffffffffc0c30a96
+[  169.057855]         __x64_sys_delete_module+0x157/0x240
+
+Fix it to call platform_device_del() instead and let put_vudc_device() do
+the platform_device_put().
+
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/vudc_main.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/usbip/vudc_main.c
++++ b/drivers/usb/usbip/vudc_main.c
+@@ -85,6 +85,10 @@ static int __init init(void)
+ cleanup:
+       list_for_each_entry_safe(udc_dev, udc_dev2, &vudc_devices, dev_entry) {
+               list_del(&udc_dev->dev_entry);
++              /*
++               * Just do platform_device_del() here, put_vudc_device()
++               * calls the platform_device_put()
++               */
+               platform_device_del(udc_dev->pdev);
+               put_vudc_device(udc_dev);
+       }
+@@ -101,7 +105,11 @@ static void __exit cleanup(void)
+       list_for_each_entry_safe(udc_dev, udc_dev2, &vudc_devices, dev_entry) {
+               list_del(&udc_dev->dev_entry);
+-              platform_device_unregister(udc_dev->pdev);
++              /*
++               * Just do platform_device_del() here, put_vudc_device()
++               * calls the platform_device_put()
++               */
++              platform_device_del(udc_dev->pdev);
+               put_vudc_device(udc_dev);
+       }
+       platform_driver_unregister(&vudc_driver);
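Review bot: The `platform_device_del(udc_dev->pdev); put_vudc_device(udc_dev);` pair and its explanatory comment are now repeated verbatim in the `cleanup:` path of `init()` and in `cleanup()`, so the reference-count rule lives in two places. The double put in the commit message arose because the two loops had drifted apart: one used `platform_device_del()`, the other `platform_device_unregister()`. A single static helper that does `list_del()`, `platform_device_del()` and `put_vudc_device()`, called from both loops, would keep the teardown from diverging again. Both function bodies start outside the hunk, so this assumes there is no third teardown site.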
diff --git a/queue-4.14/w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch b/queue-4.14/w1-omap-hdq-fix-missing-bus-unregister-at-removal.patch
new file mode 100644 (file)
index 0000000..71bc5db
--- /dev/null
@@ -0,0 +1,65 @@
+From a007734618fee1bf35556c04fa498d41d42c7301 Mon Sep 17 00:00:00 2001
+From: Andreas Kemnade <andreas@kemnade.info>
+Date: Sat, 22 Sep 2018 21:20:54 +0200
+Subject: w1: omap-hdq: fix missing bus unregister at removal
+
+From: Andreas Kemnade <andreas@kemnade.info>
+
+commit a007734618fee1bf35556c04fa498d41d42c7301 upstream.
+
+The bus master was not removed after unloading the module
+or unbinding the driver. That lead to oopses like this
+
+[  127.842987] Unable to handle kernel paging request at virtual address bf01d04c
+[  127.850646] pgd = 70e3cd9a
+[  127.853698] [bf01d04c] *pgd=8f908811, *pte=00000000, *ppte=00000000
+[  127.860412] Internal error: Oops: 80000007 [#1] PREEMPT SMP ARM
+[  127.866668] Modules linked in: bq27xxx_battery overlay [last unloaded: omap_hdq]
+[  127.874542] CPU: 0 PID: 1022 Comm: w1_bus_master1 Not tainted 4.19.0-rc4-00001-g2d51da718324 #12
+[  127.883819] Hardware name: Generic OMAP36xx (Flattened Device Tree)
+[  127.890441] PC is at 0xbf01d04c
+[  127.893798] LR is at w1_search_process_cb+0x4c/0xfc
+[  127.898956] pc : [<bf01d04c>]    lr : [<c05f9580>]    psr: a0070013
+[  127.905609] sp : cf885f48  ip : bf01d04c  fp : ddf1e11c
+[  127.911132] r10: cf8fe040  r9 : c05f8d00  r8 : cf8fe040
+[  127.916656] r7 : 000000f0  r6 : cf8fe02c  r5 : cf8fe000  r4 : cf8fe01c
+[  127.923553] r3 : c05f8d00  r2 : 000000f0  r1 : cf8fe000  r0 : dde1ef10
+[  127.930450] Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
+[  127.938018] Control: 10c5387d  Table: 8f8f0019  DAC: 00000051
+[  127.944091] Process w1_bus_master1 (pid: 1022, stack limit = 0x9135699f)
+[  127.951171] Stack: (0xcf885f48 to 0xcf886000)
+[  127.955810] 5f40:                   cf8fe000 00000000 cf884000 cf8fe090 000003e8 c05f8d00
+[  127.964477] 5f60: dde5fc34 c05f9700 ddf1e100 ddf1e540 cf884000 cf8fe000 c05f9694 00000000
+[  127.973114] 5f80: dde5fc34 c01499a4 00000000 ddf1e540 c0149874 00000000 00000000 00000000
+[  127.981781] 5fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000
+[  127.990447] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[  127.999114] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
+[  128.007781] [<c05f9580>] (w1_search_process_cb) from [<c05f9700>] (w1_process+0x6c/0x118)
+[  128.016479] [<c05f9700>] (w1_process) from [<c01499a4>] (kthread+0x130/0x148)
+[  128.024047] [<c01499a4>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
+[  128.031677] Exception stack(0xcf885fb0 to 0xcf885ff8)
+[  128.037017] 5fa0:                                     00000000 00000000 00000000 00000000
+[  128.045684] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[  128.054351] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+[  128.061340] Code: bad PC value
+[  128.064697] ---[ end trace af066e33c0e14119 ]---
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/w1/masters/omap_hdq.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/w1/masters/omap_hdq.c
++++ b/drivers/w1/masters/omap_hdq.c
+@@ -763,6 +763,8 @@ static int omap_hdq_remove(struct platfo
+       /* remove module dependency */
+       pm_runtime_disable(&pdev->dev);
++      w1_remove_master_device(&omap_w1_master);
++
+       return 0;
+ }
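Review bot: `w1_remove_master_device(&omap_w1_master);` is added after `pm_runtime_disable(&pdev->dev);`, so the bus master's thread (the `w1_bus_master1` process in the oops) can presumably still call into the driver while runtime PM is already disabled. Unregistering the master first and calling `pm_runtime_disable()` afterwards would close that window. `omap_hdq_remove()` starts outside the hunk; if it has an earlier return, that path would still leave the master registered with callbacks into a module that can be unloaded, and should be checked as well.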
diff --git a/queue-4.14/xen-balloon-support-xend-based-toolstack.patch b/queue-4.14/xen-balloon-support-xend-based-toolstack.patch
new file mode 100644 (file)
index 0000000..c4dd775
--- /dev/null
@@ -0,0 +1,46 @@
+From 3aa6c19d2f38be9c6e9a8ad5fa8e3c9d29ee3c35 Mon Sep 17 00:00:00 2001
+From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Date: Sun, 7 Oct 2018 16:05:38 -0400
+Subject: xen/balloon: Support xend-based toolstack
+
+From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+
+commit 3aa6c19d2f38be9c6e9a8ad5fa8e3c9d29ee3c35 upstream.
+
+Xend-based toolstacks don't have static-max entry in xenstore. The
+equivalent node for those toolstacks is memory_static_max.
+
+Fixes: 5266b8e4445c (xen: fix booting ballooned down hvm guest)
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: <stable@vger.kernel.org> # 4.13
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xen-balloon.c |   13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/xen/xen-balloon.c
++++ b/drivers/xen/xen-balloon.c
+@@ -75,12 +75,15 @@ static void watch_target(struct xenbus_w
+       if (!watch_fired) {
+               watch_fired = true;
+-              err = xenbus_scanf(XBT_NIL, "memory", "static-max", "%llu",
+-                                 &static_max);
+-              if (err != 1)
+-                      static_max = new_target;
+-              else
++
++              if ((xenbus_scanf(XBT_NIL, "memory", "static-max",
++                                "%llu", &static_max) == 1) ||
++                  (xenbus_scanf(XBT_NIL, "memory", "memory_static_max",
++                                "%llu", &static_max) == 1))
+                       static_max >>= PAGE_SHIFT - 10;
++              else
++                      static_max = new_target;
++
+               target_diff = (xen_pv_domain() || xen_initial_domain()) ? 0
+                               : static_max - balloon_stats.target_pages;
+       }
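Review bot: Nothing in the new condition says why two xenstore keys are read in sequence; the reason is only in the commit message. A comment above the `if` would keep it with the code, e.g. `/* xend-based toolstacks publish memory_static_max instead of static-max */`. Separately, the value read from xenstore goes into `static_max - balloon_stats.target_pages` with no visible range check. Whether it can be smaller than `target_pages` cannot be told from this hunk, so that is worth confirming. `watch_target()` starts and ends outside the hunk.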
diff --git a/queue-4.14/xen-blkfront-avoid-null-blkfront_info-dereference-on-device-removal.patch b/queue-4.14/xen-blkfront-avoid-null-blkfront_info-dereference-on-device-removal.patch
new file mode 100644 (file)
index 0000000..6f547af
--- /dev/null
@@ -0,0 +1,58 @@
+From f92898e7f32e3533bfd95be174044bc349d416ca Mon Sep 17 00:00:00 2001
+From: Vasilis Liaskovitis <vliaskovitis@suse.com>
+Date: Mon, 15 Oct 2018 15:25:08 +0200
+Subject: xen/blkfront: avoid NULL blkfront_info dereference on device removal
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vasilis Liaskovitis <vliaskovitis@suse.com>
+
+commit f92898e7f32e3533bfd95be174044bc349d416ca upstream.
+
+If a block device is hot-added when we are out of grants,
+gnttab_grant_foreign_access fails with -ENOSPC (log message "28
+granting access to ring page") in this code path:
+
+  talk_to_blkback ->
+       setup_blkring ->
+               xenbus_grant_ring ->
+                       gnttab_grant_foreign_access
+
+and the failing path in talk_to_blkback sets the driver_data to NULL:
+
+ destroy_blkring:
+        blkif_free(info, 0);
+
+        mutex_lock(&blkfront_mutex);
+        free_info(info);
+        mutex_unlock(&blkfront_mutex);
+
+        dev_set_drvdata(&dev->dev, NULL);
+
+This results in a NULL pointer BUG when blkfront_remove and blkif_free
+try to access the failing device's NULL struct blkfront_info.
+
+Cc: stable@vger.kernel.org # 4.5 and later
+Signed-off-by: Vasilis Liaskovitis <vliaskovitis@suse.com>
+Reviewed-by: Roger Pau MonnĂ© <roger.pau@citrix.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/xen-blkfront.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/block/xen-blkfront.c
++++ b/drivers/block/xen-blkfront.c
+@@ -2471,6 +2471,9 @@ static int blkfront_remove(struct xenbus
+       dev_dbg(&xbdev->dev, "%s removed", xbdev->nodename);
++      if (!info)
++              return 0;
++
+       blkif_free(info, 0);
+       mutex_lock(&info->mutex);
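Review bot: The new `if (!info) return 0;` guard has no comment, so a later reader cannot tell when the driver data is legitimately NULL and may remove the check as dead code. The commit message names the case, so it can be stated at the guard: `/* talk_to_blkback() clears drvdata when ring setup fails; nothing left to tear down */`. `blkfront_remove()` starts outside the hunk, so it is assumed that `info` is read from the device's driver data before this point.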
diff --git a/queue-4.14/xen-fix-race-in-xen_qlock_wait.patch b/queue-4.14/xen-fix-race-in-xen_qlock_wait.patch
new file mode 100644 (file)
index 0000000..8c817e8
--- /dev/null
@@ -0,0 +1,71 @@
+From 2ac2a7d4d9ff4e01e36f9c3d116582f6f655ab47 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Mon, 1 Oct 2018 07:57:42 +0200
+Subject: xen: fix race in xen_qlock_wait()
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 2ac2a7d4d9ff4e01e36f9c3d116582f6f655ab47 upstream.
+
+In the following situation a vcpu waiting for a lock might not be
+woken up from xen_poll_irq():
+
+CPU 1:                CPU 2:                      CPU 3:
+takes a spinlock
+                      tries to get lock
+                      -> xen_qlock_wait()
+frees the lock
+-> xen_qlock_kick(cpu2)
+                        -> xen_clear_irq_pending()
+
+takes lock again
+                                                  tries to get lock
+                                                  -> *lock = _Q_SLOW_VAL
+                        -> *lock == _Q_SLOW_VAL ?
+                        -> xen_poll_irq()
+frees the lock
+-> xen_qlock_kick(cpu3)
+
+And cpu 2 will sleep forever.
+
+This can be avoided easily by modifying xen_qlock_wait() to call
+xen_poll_irq() only if the related irq was not pending and to call
+xen_clear_irq_pending() only if it was pending.
+
+Cc: stable@vger.kernel.org
+Cc: Waiman.Long@hp.com
+Cc: peterz@infradead.org
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/xen/spinlock.c |   15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/xen/spinlock.c
++++ b/arch/x86/xen/spinlock.c
+@@ -46,17 +46,12 @@ static void xen_qlock_wait(u8 *byte, u8
+       if (irq == -1)
+               return;
+-      /* clear pending */
+-      xen_clear_irq_pending(irq);
+-      barrier();
++      /* If irq pending already clear it and return. */
++      if (xen_test_irq_pending(irq)) {
++              xen_clear_irq_pending(irq);
++              return;
++      }
+-      /*
+-       * We check the byte value after clearing pending IRQ to make sure
+-       * that we won't miss a wakeup event because of the clearing.
+-       *
+-       * The sync_clear_bit() call in xen_clear_irq_pending() is atomic.
+-       * So it is effectively a memory barrier for x86.
+-       */
+       if (READ_ONCE(*byte) != val)
+               return;
diff --git a/queue-4.14/xen-make-xen_qlock_wait-nestable.patch b/queue-4.14/xen-make-xen_qlock_wait-nestable.patch
new file mode 100644 (file)
index 0000000..9ad068e
--- /dev/null
@@ -0,0 +1,93 @@
+From a856531951dc8094359dfdac21d59cee5969c18e Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Mon, 1 Oct 2018 07:57:42 +0200
+Subject: xen: make xen_qlock_wait() nestable
+
+From: Juergen Gross <jgross@suse.com>
+
+commit a856531951dc8094359dfdac21d59cee5969c18e upstream.
+
+xen_qlock_wait() isn't safe for nested calls due to interrupts. A call
+of xen_qlock_kick() might be ignored in case a deeper nesting level
+was active right before the call of xen_poll_irq():
+
+CPU 1:                                   CPU 2:
+spin_lock(lock1)
+                                         spin_lock(lock1)
+                                         -> xen_qlock_wait()
+                                            -> xen_clear_irq_pending()
+                                            Interrupt happens
+spin_unlock(lock1)
+-> xen_qlock_kick(CPU 2)
+spin_lock_irqsave(lock2)
+                                         spin_lock_irqsave(lock2)
+                                         -> xen_qlock_wait()
+                                            -> xen_clear_irq_pending()
+                                               clears kick for lock1
+                                            -> xen_poll_irq()
+spin_unlock_irq_restore(lock2)
+-> xen_qlock_kick(CPU 2)
+                                            wakes up
+                                         spin_unlock_irq_restore(lock2)
+                                         IRET
+                                           resumes in xen_qlock_wait()
+                                           -> xen_poll_irq()
+                                           never wakes up
+
+The solution is to disable interrupts in xen_qlock_wait() and not to
+poll for the irq in case xen_qlock_wait() is called in nmi context.
+
+Cc: stable@vger.kernel.org
+Cc: Waiman.Long@hp.com
+Cc: peterz@infradead.org
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/xen/spinlock.c |   24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+--- a/arch/x86/xen/spinlock.c
++++ b/arch/x86/xen/spinlock.c
+@@ -40,29 +40,25 @@ static void xen_qlock_kick(int cpu)
+  */
+ static void xen_qlock_wait(u8 *byte, u8 val)
+ {
++      unsigned long flags;
+       int irq = __this_cpu_read(lock_kicker_irq);
+       /* If kicker interrupts not initialized yet, just spin */
+-      if (irq == -1)
++      if (irq == -1 || in_nmi())
+               return;
+-      /* If irq pending already clear it and return. */
++      /* Guard against reentry. */
++      local_irq_save(flags);
++
++      /* If irq pending already clear it. */
+       if (xen_test_irq_pending(irq)) {
+               xen_clear_irq_pending(irq);
+-              return;
++      } else if (READ_ONCE(*byte) == val) {
++              /* Block until irq becomes pending (or a spurious wakeup) */
++              xen_poll_irq(irq);
+       }
+-      if (READ_ONCE(*byte) != val)
+-              return;
+-
+-      /*
+-       * If an interrupt happens here, it will leave the wakeup irq
+-       * pending, which will cause xen_poll_irq() to return
+-       * immediately.
+-       */
+-
+-      /* Block until irq becomes pending (or perhaps a spurious wakeup) */
+-      xen_poll_irq(irq);
++      local_irq_restore(flags);
+ }
+ static irqreturn_t dummy_handler(int irq, void *dev_id)
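Review bot: The comment `/* If kicker interrupts not initialized yet, just spin */` now sits above `if (irq == -1 || in_nmi())` and no longer describes the whole condition. It should cover the NMI case too, e.g. `/* If kicker interrupts not initialized yet or in NMI context, just spin */`. `xen_poll_irq(irq)` is also now called between `local_irq_save(flags)` and `local_irq_restore(flags)`. A short comment saying that the poll is expected to return on a pending event even with local interrupts off would make `/* Guard against reentry. */` easier to trust.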
diff --git a/queue-4.14/xen-pvh-don-t-try-to-unplug-emulated-devices.patch b/queue-4.14/xen-pvh-don-t-try-to-unplug-emulated-devices.patch
new file mode 100644 (file)
index 0000000..88ba50c
--- /dev/null
@@ -0,0 +1,40 @@
+From e6111161c0a02d58919d776eec94b313bb57911f Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Thu, 25 Oct 2018 09:54:15 +0200
+Subject: xen/pvh: don't try to unplug emulated devices
+
+From: Juergen Gross <jgross@suse.com>
+
+commit e6111161c0a02d58919d776eec94b313bb57911f upstream.
+
+A Xen PVH guest has no associated qemu device model, so trying to
+unplug any emulated devices is making no sense at all.
+
+Bail out early from xen_unplug_emulated_devices() when running as PVH
+guest. This will avoid issuing the boot message:
+
+[    0.000000] Xen Platform PCI: unrecognised magic value
+
+Cc: <stable@vger.kernel.org> # 4.11
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/xen/platform-pci-unplug.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/x86/xen/platform-pci-unplug.c
++++ b/arch/x86/xen/platform-pci-unplug.c
+@@ -146,6 +146,10 @@ void xen_unplug_emulated_devices(void)
+ {
+       int r;
++      /* PVH guests don't have emulated devices. */
++      if (xen_pvh_domain())
++              return;
++
+       /* user explicitly requested no unplug */
+       if (xen_emul_unplug & XEN_UNPLUG_NEVER)
+               return;
diff --git a/queue-4.14/xen-pvh-increase-early-stack-size.patch b/queue-4.14/xen-pvh-increase-early-stack-size.patch
new file mode 100644 (file)
index 0000000..20fdf9f
--- /dev/null
@@ -0,0 +1,38 @@
+From 7deecbda3026f5e2a8cc095d7ef7261a920efcf2 Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Tue, 9 Oct 2018 12:32:37 +0200
+Subject: xen/pvh: increase early stack size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monne <roger.pau@citrix.com>
+
+commit 7deecbda3026f5e2a8cc095d7ef7261a920efcf2 upstream.
+
+While booting on an AMD EPYC box the stack canary would detect stack
+overflows when using the current PVH early stack size (256). Switch to
+using the value defined by BOOT_STACK_SIZE, which prevents the stack
+overflow.
+
+Cc: <stable@vger.kernel.org> # 4.11
+Signed-off-by: Roger Pau MonnĂ© <roger.pau@citrix.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/xen/xen-pvh.S |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/xen/xen-pvh.S
++++ b/arch/x86/xen/xen-pvh.S
+@@ -178,7 +178,7 @@ canary:
+       .fill 48, 1, 0
+ early_stack:
+-      .fill 256, 1, 0
++      .fill BOOT_STACK_SIZE, 1, 0
+ early_stack_end:
+       ELFNOTE(Xen, XEN_ELFNOTE_PHYS32_ENTRY,
diff --git a/queue-4.14/xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch b/queue-4.14/xen-swiotlb-use-actually-allocated-size-on-check-physical-continuous.patch
new file mode 100644 (file)
index 0000000..ea6c956
--- /dev/null
@@ -0,0 +1,56 @@
+From 7250f422da0480d8512b756640f131b9b893ccda Mon Sep 17 00:00:00 2001
+From: Joe Jin <joe.jin@oracle.com>
+Date: Tue, 16 Oct 2018 15:21:16 -0700
+Subject: xen-swiotlb: use actually allocated size on check physical continuous
+
+From: Joe Jin <joe.jin@oracle.com>
+
+commit 7250f422da0480d8512b756640f131b9b893ccda upstream.
+
+xen_swiotlb_{alloc,free}_coherent() allocate/free memory based on the
+order of the pages and not size argument (bytes). This is inconsistent with
+range_straddles_page_boundary and memset which use the 'size' value,
+which may lead to not exchanging memory with Xen (range_straddles_page_boundary()
+returned true). And then the call to xen_swiotlb_free_coherent() would
+actually try to exchange the memory with Xen, leading to the kernel
+hitting an BUG (as the hypercall returned an error).
+
+This patch fixes it by making the 'size' variable be of the same size
+as the amount of memory allocated.
+
+CC: stable@vger.kernel.org
+Signed-off-by: Joe Jin <joe.jin@oracle.com>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Christoph Helwig <hch@lst.de>
+Cc: Dongli Zhang <dongli.zhang@oracle.com>
+Cc: John Sobecki <john.sobecki@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/swiotlb-xen.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -317,6 +317,9 @@ xen_swiotlb_alloc_coherent(struct device
+       */
+       flags &= ~(__GFP_DMA | __GFP_HIGHMEM);
++      /* Convert the size to actually allocated. */
++      size = 1UL << (order + XEN_PAGE_SHIFT);
++
+       /* On ARM this function returns an ioremap'ped virtual address for
+        * which virt_to_phys doesn't return the corresponding physical
+        * address. In fact on ARM virt_to_phys only works for kernel direct
+@@ -365,6 +368,9 @@ xen_swiotlb_free_coherent(struct device
+        * physical address */
+       phys = xen_bus_to_phys(dev_addr);
++      /* Convert the size to actually allocated. */
++      size = 1UL << (order + XEN_PAGE_SHIFT);
++
+       if (((dev_addr + size - 1 <= dma_mask)) ||
+           range_straddles_page_boundary(phys, size))
+               xen_destroy_contiguous_region(phys, order);
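Review bot: The added comment `/* Convert the size to actually allocated. */` does not say why `size` is overwritten, and the same two lines are duplicated in `xen_swiotlb_alloc_coherent()` and `xen_swiotlb_free_coherent()`. Per the commit message, both paths must reach the same result from `dev_addr + size - 1 <= dma_mask` and `range_straddles_page_boundary(phys, size)`. The comment should state that, e.g. `/* Use the size of the 2^order pages really allocated so alloc and free take the same exchange decision. */`. Both functions start outside their hunks; `order` is assumed to be derived from the caller's original `size` there.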