--- /dev/null
+From c463a158cb6c5d9a85b7d894cd4f8116e8bd6be0 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 12 Aug 2018 12:53:20 +0200
+Subject: i2c: core: ACPI: Properly set status byte to 0 for multi-byte writes
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit c463a158cb6c5d9a85b7d894cd4f8116e8bd6be0 upstream.
+
+acpi_gsb_i2c_write_bytes() returns i2c_transfer()'s return value, which
+is the number of transfers executed on success, so 1.
+
+The ACPI code expects us to store 0 in gsb->status for success, not 1.
+
+Specifically this breaks the following code in the Thinkpad 8 DSDT:
+
+ ECWR = I2CW = ECWR /* \_SB_.I2C1.BAT0.ECWR */
+ If ((ECST == Zero))
+ {
+ ECRD = I2CR /* \_SB_.I2C1.I2CR */
+ }
+
+Before this commit we set ECST to 1, causing the read to never happen
+breaking battery monitoring on the Thinkpad 8.
+
+This commit makes acpi_gsb_i2c_write_bytes() return 0 when i2c_transfer()
+returns 1, so the single write transfer completed successfully, and
+makes it return -EIO on for other (unexpected) return values >= 0.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/i2c-core-acpi.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/i2c/i2c-core-acpi.c
++++ b/drivers/i2c/i2c-core-acpi.c
+@@ -482,11 +482,16 @@ static int acpi_gsb_i2c_write_bytes(stru
+ msgs[0].buf = buffer;
+
+ ret = i2c_transfer(client->adapter, msgs, ARRAY_SIZE(msgs));
+- if (ret < 0)
+- dev_err(&client->adapter->dev, "i2c write failed\n");
+
+ kfree(buffer);
+- return ret;
++
++ if (ret < 0) {
++ dev_err(&client->adapter->dev, "i2c write failed: %d\n", ret);
++ return ret;
++ }
++
++ /* 1 transfer must have completed successfully */
++ return (ret == 1) ? 0 : -EIO;
+ }
+
+ static acpi_status
--- /dev/null
+From bed4ff1ed4d8f2ef5007c5c6ae1b29c5677a3632 Mon Sep 17 00:00:00 2001
+From: Esben Haabendal <eha@deif.com>
+Date: Thu, 16 Aug 2018 10:43:12 +0200
+Subject: i2c: imx: Fix race condition in dma read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Esben Haabendal <eha@deif.com>
+
+commit bed4ff1ed4d8f2ef5007c5c6ae1b29c5677a3632 upstream.
+
+This fixes a race condition, where the DMAEN bit ends up being set after
+I2C slave has transmitted a byte following the dummy read. When that
+happens, an interrupt is generated instead, and no DMA request is generated
+to kickstart the DMA read, and a timeout happens after DMA_TIMEOUT (1 sec).
+
+Fixed by setting the DMAEN bit before the dummy read.
+
+Signed-off-by: Esben Haabendal <eha@deif.com>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-imx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-imx.c
++++ b/drivers/i2c/busses/i2c-imx.c
+@@ -677,9 +677,6 @@ static int i2c_imx_dma_read(struct imx_i
+ struct imx_i2c_dma *dma = i2c_imx->dma;
+ struct device *dev = &i2c_imx->adapter.dev;
+
+- temp = imx_i2c_read_reg(i2c_imx, IMX_I2C_I2CR);
+- temp |= I2CR_DMAEN;
+- imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR);
+
+ dma->chan_using = dma->chan_rx;
+ dma->dma_transfer_dir = DMA_DEV_TO_MEM;
+@@ -792,6 +789,7 @@ static int i2c_imx_read(struct imx_i2c_s
+ int i, result;
+ unsigned int temp;
+ int block_data = msgs->flags & I2C_M_RECV_LEN;
++ int use_dma = i2c_imx->dma && msgs->len >= DMA_THRESHOLD && !block_data;
+
+ dev_dbg(&i2c_imx->adapter.dev,
+ "<%s> write slave address: addr=0x%x\n",
+@@ -818,12 +816,14 @@ static int i2c_imx_read(struct imx_i2c_s
+ */
+ if ((msgs->len - 1) || block_data)
+ temp &= ~I2CR_TXAK;
++ if (use_dma)
++ temp |= I2CR_DMAEN;
+ imx_i2c_write_reg(temp, i2c_imx, IMX_I2C_I2CR);
+ imx_i2c_read_reg(i2c_imx, IMX_I2C_I2DR); /* dummy read */
+
+ dev_dbg(&i2c_imx->adapter.dev, "<%s> read data\n", __func__);
+
+- if (i2c_imx->dma && msgs->len >= DMA_THRESHOLD && !block_data)
++ if (use_dma)
+ return i2c_imx_dma_read(i2c_imx, msgs, is_lastmsg);
+
+ /* read data */
--- /dev/null
+From 9d64b539b738fc181442caab95f1f76d9bd58539 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Thu, 16 Aug 2018 12:56:46 +0200
+Subject: PCI / ACPI / PM: Resume all bridges on suspend-to-RAM
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 9d64b539b738fc181442caab95f1f76d9bd58539 upstream.
+
+Commit 26112ddc254c (PCI / ACPI / PM: Resume bridges w/o drivers on
+suspend-to-RAM) attempted to fix a functional regression resulting
+from commit c62ec4610c40 (PM / core: Fix direct_complete handling
+for devices with no callbacks) by resuming PCI bridges without
+drivers (that is, "parallel PCI" ones) during system-wide suspend if
+the target system state is not ACPI S0 (working state).
+
+That turns out insufficient, however, as it is reported that, at
+least in one case, the platform firmware gets confused if a PCIe
+root port is suspended before entering the ACPI S3 sleep state.
+That issue was exposed by commit 77b3729ca03 (PCI / PM: Use
+SMART_SUSPEND and LEAVE_SUSPENDED flags for PCIe ports) that allowed
+PCIe ports to stay in runtime suspend during system-wide suspend
+(which is OK for suspend-to-idle, but turns out to be problematic
+otherwise).
+
+For this reason, drop the driver check from acpi_pci_need_resume()
+and resume all bridges (including PCIe ports with drivers) during
+system-wide suspend if the target system state is not ACPI S0.
+
+[If the target system state is ACPI S0, it means suspend-to-idle
+ and the platform firmware is not going to be invoked to actually
+ suspend the system, so there is no need to resume the bridges in
+ that case.]
+
+Fixes: 77b3729ca03 (PCI / PM: Use SMART_SUSPEND and LEAVE_SUSPENDED flags for PCIe ports)
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=200675
+Reported-by: teika kazura <teika@gmx.com>
+Tested-by: teika kazura <teika@gmx.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: 4.16+ <stable@vger.kernel.org> # 4.16+: 26112ddc254c (PCI / ACPI / PM: Resume bridges ...)
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci-acpi.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/pci-acpi.c
++++ b/drivers/pci/pci-acpi.c
+@@ -601,13 +601,11 @@ static bool acpi_pci_need_resume(struct
+ /*
+ * In some cases (eg. Samsung 305V4A) leaving a bridge in suspend over
+ * system-wide suspend/resume confuses the platform firmware, so avoid
+- * doing that, unless the bridge has a driver that should take care of
+- * the PM handling. According to Section 16.1.6 of ACPI 6.2, endpoint
++ * doing that. According to Section 16.1.6 of ACPI 6.2, endpoint
+ * devices are expected to be in D3 before invoking the S3 entry path
+ * from the firmware, so they should not be affected by this issue.
+ */
+- if (pci_is_bridge(dev) && !dev->driver &&
+- acpi_target_system_state() != ACPI_STATE_S0)
++ if (pci_is_bridge(dev) && acpi_target_system_state() != ACPI_STATE_S0)
+ return true;
+
+ if (!adev || !acpi_device_power_manageable(adev))
--- /dev/null
+From 4ce6435820d1f1cc2c2788e232735eb244bcc8a3 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 19 Jul 2018 17:27:31 -0500
+Subject: PCI: hotplug: Don't leak pci_slot on registration failure
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 4ce6435820d1f1cc2c2788e232735eb244bcc8a3 upstream.
+
+If addition of sysfs files fails on registration of a hotplug slot, the
+struct pci_slot as well as the entry in the slot_list is leaked. The
+issue has been present since the hotplug core was introduced in 2002:
+https://git.kernel.org/tglx/history/c/a8a2069f432c
+
+Perhaps the idea was that even though sysfs addition fails, the slot
+should still be usable. But that's not how drivers use the interface,
+they abort probe if a non-zero value is returned.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # v2.4.15+
+Cc: Greg Kroah-Hartman <greg@kroah.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/hotplug/pci_hotplug_core.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/pci/hotplug/pci_hotplug_core.c
++++ b/drivers/pci/hotplug/pci_hotplug_core.c
+@@ -438,8 +438,17 @@ int __pci_hp_register(struct hotplug_slo
+ list_add(&slot->slot_list, &pci_hotplug_slot_list);
+
+ result = fs_add_slot(pci_slot);
++ if (result)
++ goto err_list_del;
++
+ kobject_uevent(&pci_slot->kobj, KOBJ_ADD);
+ dbg("Added slot %s to the list\n", name);
++ goto out;
++
++err_list_del:
++ list_del(&slot->slot_list);
++ pci_slot->hotplug = NULL;
++ pci_destroy_slot(pci_slot);
+ out:
+ mutex_unlock(&pci_hp_mutex);
+ return result;
--- /dev/null
+From 1204e35bedf4e5015cda559ed8c84789a6dae24e Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 19 Jul 2018 17:27:34 -0500
+Subject: PCI: pciehp: Fix unprotected list iteration in IRQ handler
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 1204e35bedf4e5015cda559ed8c84789a6dae24e upstream.
+
+Commit b440bde74f04 ("PCI: Add pci_ignore_hotplug() to ignore hotplug
+events for a device") iterates over the devices on a hotplug port's
+subordinate bus in pciehp's IRQ handler without acquiring pci_bus_sem.
+It is thus possible for a user to cause a crash by concurrently
+manipulating the device list, e.g. by disabling slot power via sysfs
+on a different CPU or by initiating a remove/rescan via sysfs.
+
+This can't be fixed by acquiring pci_bus_sem because it may sleep.
+The simplest fix is to avoid the list iteration altogether and just
+check the ignore_hotplug flag on the port itself. This works because
+pci_ignore_hotplug() sets the flag both on the device as well as on its
+parent bridge.
+
+We do lose the ability to print the name of the device blocking hotplug
+in the debug message, but that's probably bearable.
+
+Fixes: b440bde74f04 ("PCI: Add pci_ignore_hotplug() to ignore hotplug events for a device")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/hotplug/pciehp_hpc.c | 13 +++----------
+ 1 file changed, 3 insertions(+), 10 deletions(-)
+
+--- a/drivers/pci/hotplug/pciehp_hpc.c
++++ b/drivers/pci/hotplug/pciehp_hpc.c
+@@ -545,8 +545,6 @@ static irqreturn_t pciehp_isr(int irq, v
+ {
+ struct controller *ctrl = (struct controller *)dev_id;
+ struct pci_dev *pdev = ctrl_dev(ctrl);
+- struct pci_bus *subordinate = pdev->subordinate;
+- struct pci_dev *dev;
+ struct slot *slot = ctrl->slot;
+ u16 status, events;
+ u8 present;
+@@ -594,14 +592,9 @@ static irqreturn_t pciehp_isr(int irq, v
+ wake_up(&ctrl->queue);
+ }
+
+- if (subordinate) {
+- list_for_each_entry(dev, &subordinate->devices, bus_list) {
+- if (dev->ignore_hotplug) {
+- ctrl_dbg(ctrl, "ignoring hotplug event %#06x (%s requested no hotplug)\n",
+- events, pci_name(dev));
+- return IRQ_HANDLED;
+- }
+- }
++ if (pdev->ignore_hotplug) {
++ ctrl_dbg(ctrl, "ignoring hotplug event %#06x\n", events);
++ return IRQ_HANDLED;
+ }
+
+ /* Check Attention Button Pressed */
--- /dev/null
+From 281e878eab191cce4259abbbf1a0322e3adae02c Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 19 Jul 2018 17:27:32 -0500
+Subject: PCI: pciehp: Fix use-after-free on unplug
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 281e878eab191cce4259abbbf1a0322e3adae02c upstream.
+
+When pciehp is unbound (e.g. on unplug of a Thunderbolt device), the
+hotplug_slot struct is deregistered and thus freed before freeing the
+IRQ. The IRQ handler and the work items it schedules print the slot
+name referenced from the freed structure in various informational and
+debug log messages, each time resulting in a quadruple dereference of
+freed pointers (hotplug_slot -> pci_slot -> kobject -> name).
+
+At best the slot name is logged as "(null)", at worst kernel memory is
+exposed in logs or the driver crashes:
+
+ pciehp 0000:10:00.0:pcie204: Slot((null)): Card not present
+
+An attacker may provoke the bug by unplugging multiple devices on a
+Thunderbolt daisy chain at once. Unplugging can also be simulated by
+powering down slots via sysfs. The bug is particularly easy to trigger
+in poll mode.
+
+It has been present since the driver's introduction in 2004:
+https://git.kernel.org/tglx/history/c/c16b4b14d980
+
+Fix by rearranging teardown such that the IRQ is freed first. Run the
+work items queued by the IRQ handler to completion before freeing the
+hotplug_slot struct by draining the work queue from the ->release_slot
+callback which is invoked by pci_hp_deregister().
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # v2.6.4
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/hotplug/pciehp.h | 1 +
+ drivers/pci/hotplug/pciehp_core.c | 7 +++++++
+ drivers/pci/hotplug/pciehp_hpc.c | 5 ++---
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/hotplug/pciehp.h
++++ b/drivers/pci/hotplug/pciehp.h
+@@ -119,6 +119,7 @@ int pciehp_unconfigure_device(struct slo
+ void pciehp_queue_pushbutton_work(struct work_struct *work);
+ struct controller *pcie_init(struct pcie_device *dev);
+ int pcie_init_notification(struct controller *ctrl);
++void pcie_shutdown_notification(struct controller *ctrl);
+ int pciehp_enable_slot(struct slot *p_slot);
+ int pciehp_disable_slot(struct slot *p_slot);
+ void pcie_reenable_notification(struct controller *ctrl);
+--- a/drivers/pci/hotplug/pciehp_core.c
++++ b/drivers/pci/hotplug/pciehp_core.c
+@@ -62,6 +62,12 @@ static int reset_slot(struct hotplug_slo
+ */
+ static void release_slot(struct hotplug_slot *hotplug_slot)
+ {
++ struct slot *slot = hotplug_slot->private;
++
++ /* queued work needs hotplug_slot name */
++ cancel_delayed_work(&slot->work);
++ drain_workqueue(slot->wq);
++
+ kfree(hotplug_slot->ops);
+ kfree(hotplug_slot->info);
+ kfree(hotplug_slot);
+@@ -264,6 +270,7 @@ static void pciehp_remove(struct pcie_de
+ {
+ struct controller *ctrl = get_service_data(dev);
+
++ pcie_shutdown_notification(ctrl);
+ cleanup_slot(ctrl);
+ pciehp_release_ctrl(ctrl);
+ }
+--- a/drivers/pci/hotplug/pciehp_hpc.c
++++ b/drivers/pci/hotplug/pciehp_hpc.c
+@@ -771,7 +771,7 @@ int pcie_init_notification(struct contro
+ return 0;
+ }
+
+-static void pcie_shutdown_notification(struct controller *ctrl)
++void pcie_shutdown_notification(struct controller *ctrl)
+ {
+ if (ctrl->notification_enabled) {
+ pcie_disable_notification(ctrl);
+@@ -806,7 +806,7 @@ abort:
+ static void pcie_cleanup_slot(struct controller *ctrl)
+ {
+ struct slot *slot = ctrl->slot;
+- cancel_delayed_work(&slot->work);
++
+ destroy_workqueue(slot->wq);
+ kfree(slot);
+ }
+@@ -898,7 +898,6 @@ abort:
+
+ void pciehp_release_ctrl(struct controller *ctrl)
+ {
+- pcie_shutdown_notification(ctrl);
+ pcie_cleanup_slot(ctrl);
+ kfree(ctrl);
+ }
--- /dev/null
+From d3252ace0bc652a1a244455556b6a549f969bf99 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?= <ckoenig.leichtzumerken@gmail.com>
+Date: Fri, 29 Jun 2018 19:54:55 -0500
+Subject: PCI: Restore resized BAR state on resume
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König <ckoenig.leichtzumerken@gmail.com>
+
+commit d3252ace0bc652a1a244455556b6a549f969bf99 upstream.
+
+Resize BARs after resume to the expected size again.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199959
+Fixes: d6895ad39f3b ("drm/amdgpu: resize VRAM BAR for CPU access v6")
+Fixes: 276b738deb5b ("PCI: Add resizable BAR infrastructure")
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+CC: stable@vger.kernel.org # v4.15+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -1163,6 +1163,33 @@ static void pci_restore_config_space(str
+ }
+ }
+
++static void pci_restore_rebar_state(struct pci_dev *pdev)
++{
++ unsigned int pos, nbars, i;
++ u32 ctrl;
++
++ pos = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_REBAR);
++ if (!pos)
++ return;
++
++ pci_read_config_dword(pdev, pos + PCI_REBAR_CTRL, &ctrl);
++ nbars = (ctrl & PCI_REBAR_CTRL_NBAR_MASK) >>
++ PCI_REBAR_CTRL_NBAR_SHIFT;
++
++ for (i = 0; i < nbars; i++, pos += 8) {
++ struct resource *res;
++ int bar_idx, size;
++
++ pci_read_config_dword(pdev, pos + PCI_REBAR_CTRL, &ctrl);
++ bar_idx = ctrl & PCI_REBAR_CTRL_BAR_IDX;
++ res = pdev->resource + bar_idx;
++ size = order_base_2((resource_size(res) >> 20) | 1) - 1;
++ ctrl &= ~PCI_REBAR_CTRL_BAR_SIZE;
++ ctrl |= size << 8;
++ pci_write_config_dword(pdev, pos + PCI_REBAR_CTRL, ctrl);
++ }
++}
++
+ /**
+ * pci_restore_state - Restore the saved state of a PCI device
+ * @dev: - PCI device that we're dealing with
+@@ -1178,6 +1205,7 @@ void pci_restore_state(struct pci_dev *d
+ pci_restore_pri_state(dev);
+ pci_restore_ats_state(dev);
+ pci_restore_vc_state(dev);
++ pci_restore_rebar_state(dev);
+
+ pci_cleanup_aer_error_status_regs(dev);
+
--- /dev/null
+From 3dbe97efe8bf450b183d6dee2305cbc032e6b8a4 Mon Sep 17 00:00:00 2001
+From: Myron Stowe <myron.stowe@redhat.com>
+Date: Mon, 13 Aug 2018 12:19:39 -0600
+Subject: PCI: Skip MPS logic for Virtual Functions (VFs)
+
+From: Myron Stowe <myron.stowe@redhat.com>
+
+commit 3dbe97efe8bf450b183d6dee2305cbc032e6b8a4 upstream.
+
+PCIe r4.0, sec 9.3.5.4, "Device Control Register", shows both
+Max_Payload_Size (MPS) and Max_Read_request_Size (MRRS) to be 'RsvdP' for
+VFs. Just prior to the table it states:
+
+ "PF and VF functionality is defined in Section 7.5.3.4 except where
+ noted in Table 9-16. For VF fields marked 'RsvdP', the PF setting
+ applies to the VF."
+
+All of which implies that with respect to Max_Payload_Size Supported
+(MPSS), MPS, and MRRS values, we should not be paying any attention to the
+VF's fields, but rather only to the PF's. Only looking at the PF's fields
+also logically makes sense as it's the sole physical interface to the PCIe
+bus.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=200527
+Fixes: 27d868b5e6cf ("PCI: Set MPS to match upstream bridge")
+Signed-off-by: Myron Stowe <myron.stowe@redhat.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # 4.3+
+Cc: Keith Busch <keith.busch@intel.com>
+Cc: Sinan Kaya <okaya@kernel.org>
+Cc: Dongdong Liu <liudongdong3@huawei.com>
+Cc: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/probe.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1677,6 +1677,10 @@ static void pci_configure_mps(struct pci
+ if (!pci_is_pcie(dev) || !bridge || !pci_is_pcie(bridge))
+ return;
+
++ /* MPS and MRRS fields are of type 'RsvdP' for VFs, short-circuit out */
++ if (dev->is_virtfn)
++ return;
++
+ mps = pcie_get_mps(dev);
+ p_mps = pcie_get_mps(bridge);
+
--- /dev/null
+From a13f085d111e90469faf2d9965eb39b11c114d7e Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 21 Aug 2018 21:59:37 -0700
+Subject: reiserfs: fix broken xattr handling (heap corruption, bad retval)
+
+From: Jann Horn <jannh@google.com>
+
+commit a13f085d111e90469faf2d9965eb39b11c114d7e upstream.
+
+This fixes the following issues:
+
+- When a buffer size is supplied to reiserfs_listxattr() such that each
+ individual name fits, but the concatenation of all names doesn't fit,
+ reiserfs_listxattr() overflows the supplied buffer. This leads to a
+ kernel heap overflow (verified using KASAN) followed by an out-of-bounds
+ usercopy and is therefore a security bug.
+
+- When a buffer size is supplied to reiserfs_listxattr() such that a
+ name doesn't fit, -ERANGE should be returned. But reiserfs instead just
+ truncates the list of names; I have verified that if the only xattr on a
+ file has a longer name than the supplied buffer length, listxattr()
+ incorrectly returns zero.
+
+With my patch applied, -ERANGE is returned in both cases and the memory
+corruption doesn't happen anymore.
+
+Credit for making me clean this code up a bit goes to Al Viro, who pointed
+out that the ->actor calling convention is suboptimal and should be
+changed.
+
+Link: http://lkml.kernel.org/r/20180802151539.5373-1-jannh@google.com
+Fixes: 48b32a3553a5 ("reiserfs: use generic xattr handlers")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+Cc: Eric Biggers <ebiggers@google.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/reiserfs/xattr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/reiserfs/xattr.c
++++ b/fs/reiserfs/xattr.c
+@@ -792,8 +792,10 @@ static int listxattr_filler(struct dir_c
+ return 0;
+ size = namelen + 1;
+ if (b->buf) {
+- if (size > b->size)
++ if (b->pos + size > b->size) {
++ b->pos = -ERANGE;
+ return -ERANGE;
++ }
+ memcpy(b->buf + b->pos, name, namelen);
+ b->buf[b->pos + namelen] = 0;
+ }
netfilter-conntrack-dccp-treat-sync-syncack-as-invalid-if-no-prior-state.patch
packet-refine-ring-v3-block-size-test-to-hold-one-frame.patch
net-smc-no-shutdown-in-state-smc_listen.patch
+pci-restore-resized-bar-state-on-resume.patch
+pci-acpi-pm-resume-all-bridges-on-suspend-to-ram.patch
+pci-hotplug-don-t-leak-pci_slot-on-registration-failure.patch
+pci-skip-mps-logic-for-virtual-functions-vfs.patch
+pci-pciehp-fix-use-after-free-on-unplug.patch
+pci-pciehp-fix-unprotected-list-iteration-in-irq-handler.patch
+i2c-core-acpi-properly-set-status-byte-to-0-for-multi-byte-writes.patch
+i2c-imx-fix-race-condition-in-dma-read.patch
+reiserfs-fix-broken-xattr-handling-heap-corruption-bad-retval.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
