--- /dev/null
+From 8404d7a674c49278607d19726e0acc0cae299357 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 28 May 2019 17:32:26 +0200
+Subject: apparmor: enforce nullbyte at end of tag string
+
+From: Jann Horn <jannh@google.com>
+
+commit 8404d7a674c49278607d19726e0acc0cae299357 upstream.
+
+A packed AppArmor policy contains null-terminated tag strings that are read
+by unpack_nameX(). However, unpack_nameX() uses string functions on them
+without ensuring that they are actually null-terminated, potentially
+leading to out-of-bounds accesses.
+
+Make sure that the tag string is null-terminated before passing it to
+strcmp().
+
+Cc: stable@vger.kernel.org
+Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/policy_unpack.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -276,7 +276,7 @@ static bool unpack_nameX(struct aa_ext *
+ char *tag = NULL;
+ size_t size = unpack_u16_chunk(e, &tag);
+ /* if a name is specified it must match. otherwise skip tag */
+- if (name && (!size || strcmp(name, tag)))
++ if (name && (!size || tag[size-1] != '\0' || strcmp(name, tag)))
+ goto fail;
+ } else if (name) {
+ /* if a name is specified and there is no name tag fail */
--- /dev/null
+From 23375b13f98c5464c2b4d15f983cc062940f1f4e Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Sun, 26 May 2019 06:42:23 -0700
+Subject: apparmor: fix PROFILE_MEDIATES for untrusted input
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 23375b13f98c5464c2b4d15f983cc062940f1f4e upstream.
+
+While commit 11c236b89d7c2 ("apparmor: add a default null dfa") ensure
+every profile has a policy.dfa it does not resize the policy.start[]
+to have entries for every possible start value. Which means
+PROFILE_MEDIATES is not safe to use on untrusted input. Unforunately
+commit b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE") did not
+take into account the start value usage.
+
+The input string in profile_query_cb() is user controlled and is not
+properly checked to be within the limited start[] entries, even worse
+it can't be as userspace policy is allowed to make us of entries types
+the kernel does not know about. This mean usespace can currently cause
+the kernel to access memory up to 240 entries beyond the start array
+bounds.
+
+Cc: stable@vger.kernel.org
+Fixes: b9590ad4c4f2 ("apparmor: remove POLICY_MEDIATES_SAFE")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/include/policy.h | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -217,7 +217,16 @@ static inline struct aa_profile *aa_get_
+ return labels_profile(aa_get_newest_label(&p->label));
+ }
+
+-#define PROFILE_MEDIATES(P, T) ((P)->policy.start[(unsigned char) (T)])
++static inline unsigned int PROFILE_MEDIATES(struct aa_profile *profile,
++ unsigned char class)
++{
++ if (class <= AA_CLASS_LAST)
++ return profile->policy.start[class];
++ else
++ return aa_dfa_match_len(profile->policy.dfa,
++ profile->policy.start[0], &class, 1);
++}
++
+ static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
+ u16 AF) {
+ unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
--- /dev/null
+From 156e42996bd84eccb6acf319f19ce0cb140d00e3 Mon Sep 17 00:00:00 2001
+From: Mike Salvatore <mike.salvatore@canonical.com>
+Date: Wed, 12 Jun 2019 14:55:14 -0700
+Subject: apparmor: reset pos on failure to unpack for various functions
+
+From: Mike Salvatore <mike.salvatore@canonical.com>
+
+commit 156e42996bd84eccb6acf319f19ce0cb140d00e3 upstream.
+
+Each function that manipulates the aa_ext struct should reset it's "pos"
+member on failure. This ensures that, on failure, no changes are made to
+the state of the aa_ext struct.
+
+There are paths were elements are optional and the error path is
+used to indicate the optional element is not present. This means
+instead of just aborting on error the unpack stream can become
+unsynchronized on optional elements, if using one of the affected
+functions.
+
+Cc: stable@vger.kernel.org
+Fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
+Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/policy_unpack.c | 47 +++++++++++++++++++++++++++++++-------
+ 1 file changed, 39 insertions(+), 8 deletions(-)
+
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -223,16 +223,21 @@ static void *kvmemdup(const void *src, s
+ static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk)
+ {
+ size_t size = 0;
++ void *pos = e->pos;
+
+ if (!inbounds(e, sizeof(u16)))
+- return 0;
++ goto fail;
+ size = le16_to_cpu(get_unaligned((__le16 *) e->pos));
+ e->pos += sizeof(__le16);
+ if (!inbounds(e, size))
+- return 0;
++ goto fail;
+ *chunk = e->pos;
+ e->pos += size;
+ return size;
++
++fail:
++ e->pos = pos;
++ return 0;
+ }
+
+ /* unpack control byte */
+@@ -294,62 +299,84 @@ fail:
+
+ static bool unpack_u8(struct aa_ext *e, u8 *data, const char *name)
+ {
++ void *pos = e->pos;
++
+ if (unpack_nameX(e, AA_U8, name)) {
+ if (!inbounds(e, sizeof(u8)))
+- return 0;
++ goto fail;
+ if (data)
+ *data = get_unaligned((u8 *)e->pos);
+ e->pos += sizeof(u8);
+ return 1;
+ }
++
++fail:
++ e->pos = pos;
+ return 0;
+ }
+
+ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
+ {
++ void *pos = e->pos;
++
+ if (unpack_nameX(e, AA_U32, name)) {
+ if (!inbounds(e, sizeof(u32)))
+- return 0;
++ goto fail;
+ if (data)
+ *data = le32_to_cpu(get_unaligned((__le32 *) e->pos));
+ e->pos += sizeof(u32);
+ return 1;
+ }
++
++fail:
++ e->pos = pos;
+ return 0;
+ }
+
+ static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name)
+ {
++ void *pos = e->pos;
++
+ if (unpack_nameX(e, AA_U64, name)) {
+ if (!inbounds(e, sizeof(u64)))
+- return 0;
++ goto fail;
+ if (data)
+ *data = le64_to_cpu(get_unaligned((__le64 *) e->pos));
+ e->pos += sizeof(u64);
+ return 1;
+ }
++
++fail:
++ e->pos = pos;
+ return 0;
+ }
+
+ static size_t unpack_array(struct aa_ext *e, const char *name)
+ {
++ void *pos = e->pos;
++
+ if (unpack_nameX(e, AA_ARRAY, name)) {
+ int size;
+ if (!inbounds(e, sizeof(u16)))
+- return 0;
++ goto fail;
+ size = (int)le16_to_cpu(get_unaligned((__le16 *) e->pos));
+ e->pos += sizeof(u16);
+ return size;
+ }
++
++fail:
++ e->pos = pos;
+ return 0;
+ }
+
+ static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name)
+ {
++ void *pos = e->pos;
++
+ if (unpack_nameX(e, AA_BLOB, name)) {
+ u32 size;
+ if (!inbounds(e, sizeof(u32)))
+- return 0;
++ goto fail;
+ size = le32_to_cpu(get_unaligned((__le32 *) e->pos));
+ e->pos += sizeof(u32);
+ if (inbounds(e, (size_t) size)) {
+@@ -358,6 +385,9 @@ static size_t unpack_blob(struct aa_ext
+ return size;
+ }
+ }
++
++fail:
++ e->pos = pos;
+ return 0;
+ }
+
+@@ -374,9 +404,10 @@ static int unpack_str(struct aa_ext *e,
+ if (src_str[size - 1] != 0)
+ goto fail;
+ *string = src_str;
++
++ return size;
+ }
+ }
+- return size;
+
+ fail:
+ e->pos = pos;
--- /dev/null
+From 2de0b42da263c97d330d276f5ccf7c4470e3324f Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Mon, 17 Jun 2019 10:56:51 -0700
+Subject: brcmfmac: sdio: Disable auto-tuning around commands expected to fail
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit 2de0b42da263c97d330d276f5ccf7c4470e3324f upstream.
+
+There are certain cases, notably when transitioning between sleep and
+active state, when Broadcom SDIO WiFi cards will produce errors on the
+SDIO bus. This is evident from the source code where you can see that
+we try commands in a loop until we either get success or we've tried
+too many times. The comment in the code reinforces this by saying
+"just one write attempt may fail"
+
+Unfortunately these failures sometimes end up causing an "-EILSEQ"
+back to the core which triggers a retuning of the SDIO card and that
+blocks all traffic to the card until it's done.
+
+Let's disable retuning around the commands we expect might fail.
+
+Cc: stable@vger.kernel.org #v4.18+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Acked-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -676,6 +676,8 @@ brcmf_sdio_kso_control(struct brcmf_sdio
+
+ brcmf_dbg(TRACE, "Enter: on=%d\n", on);
+
++ sdio_retune_crc_disable(bus->sdiodev->func1);
++
+ wr_val = (on << SBSDIO_FUNC1_SLEEPCSR_KSO_SHIFT);
+ /* 1st KSO write goes to AOS wake up core if device is asleep */
+ brcmf_sdiod_writeb(bus->sdiodev, SBSDIO_FUNC1_SLEEPCSR, wr_val, &err);
+@@ -736,6 +738,8 @@ brcmf_sdio_kso_control(struct brcmf_sdio
+ if (try_cnt > MAX_KSO_ATTEMPTS)
+ brcmf_err("max tries: rd_val=0x%x err=%d\n", rd_val, err);
+
++ sdio_retune_crc_enable(bus->sdiodev->func1);
++
+ return err;
+ }
+
--- /dev/null
+From 65dade6044079a5c206fd1803642ff420061417a Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Mon, 17 Jun 2019 10:56:53 -0700
+Subject: brcmfmac: sdio: Don't tune while the card is off
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit 65dade6044079a5c206fd1803642ff420061417a upstream.
+
+When Broadcom SDIO cards are idled they go to sleep and a whole
+separate subsystem takes over their SDIO communication. This is the
+Always-On-Subsystem (AOS) and it can't handle tuning requests.
+
+Specifically, as tested on rk3288-veyron-minnie (which reports having
+BCM4354/1 in dmesg), if I force a retune in brcmf_sdio_kso_control()
+when "on = 1" (aka we're transition from sleep to wake) by whacking:
+ bus->sdiodev->func1->card->host->need_retune = 1
+...then I can often see tuning fail. In this case dw_mmc reports "All
+phases bad!"). Note that I don't get 100% failure, presumably because
+sometimes the card itself has already transitioned away from the AOS
+itself by the time we try to wake it up. If I force retuning when "on
+= 0" (AKA force retuning right before sending the command to go to
+sleep) then retuning is always OK.
+
+NOTE: we need _both_ this patch and the patch to avoid triggering
+tuning due to CRC errors in the sleep/wake transition, AKA ("brcmfmac:
+sdio: Disable auto-tuning around commands expected to fail"). Though
+both patches handle issues with Broadcom's AOS, the problems are
+distinct:
+1. We want to defer (but not ignore) asynchronous (like
+ timer-requested) tuning requests till the card is awake. However,
+ we want to ignore CRC errors during the transition, we don't want
+ to queue deferred tuning request.
+2. You could imagine that the AOS could implement retuning but we
+ could still get errors while transitioning in and out of the AOS.
+ Similarly you could imagine a seamless transition into and out of
+ the AOS (with no CRC errors) even if the AOS couldn't handle
+ tuning.
+
+ALSO NOTE: presumably there is never a desperate need to retune in
+order to wake up the card, since doing so is impossible. Luckily the
+only way the card can get into sleep state is if we had a good enough
+tuning to send it the command to put it into sleep, so presumably that
+"good enough" tuning is enough to wake us up, at least with a few
+retries.
+
+Cc: stable@vger.kernel.org #v4.18+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Acked-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -678,6 +678,10 @@ brcmf_sdio_kso_control(struct brcmf_sdio
+
+ sdio_retune_crc_disable(bus->sdiodev->func1);
+
++ /* Cannot re-tune if device is asleep; defer till we're awake */
++ if (on)
++ sdio_retune_hold_now(bus->sdiodev->func1);
++
+ wr_val = (on << SBSDIO_FUNC1_SLEEPCSR_KSO_SHIFT);
+ /* 1st KSO write goes to AOS wake up core if device is asleep */
+ brcmf_sdiod_writeb(bus->sdiodev, SBSDIO_FUNC1_SLEEPCSR, wr_val, &err);
+@@ -738,6 +742,9 @@ brcmf_sdio_kso_control(struct brcmf_sdio
+ if (try_cnt > MAX_KSO_ATTEMPTS)
+ brcmf_err("max tries: rd_val=0x%x err=%d\n", rd_val, err);
+
++ if (on)
++ sdio_retune_release(bus->sdiodev->func1);
++
+ sdio_retune_crc_enable(bus->sdiodev->func1);
+
+ return err;
--- /dev/null
+From 487317c99477d00f22370625d53be3239febabbe Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Wed, 5 Jun 2019 10:38:38 +1000
+Subject: cifs: add spinlock for the openFileList to cifsInodeInfo
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+commit 487317c99477d00f22370625d53be3239febabbe upstream.
+
+We can not depend on the tcon->open_file_lock here since in multiuser mode
+we may have the same file/inode open via multiple different tcons.
+
+The current code is race prone and will crash if one user deletes a file
+at the same time a different user opens/create the file.
+
+To avoid this we need to have a spinlock attached to the inode and not the tcon.
+
+RHBZ: 1580165
+
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifsfs.c | 1 +
+ fs/cifs/cifsglob.h | 5 +++++
+ fs/cifs/file.c | 8 ++++++--
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/cifsfs.c
++++ b/fs/cifs/cifsfs.c
+@@ -303,6 +303,7 @@ cifs_alloc_inode(struct super_block *sb)
+ cifs_inode->uniqueid = 0;
+ cifs_inode->createtime = 0;
+ cifs_inode->epoch = 0;
++ spin_lock_init(&cifs_inode->open_file_lock);
+ generate_random_uuid(cifs_inode->lease_key);
+
+ /*
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -1357,6 +1357,7 @@ struct cifsInodeInfo {
+ struct rw_semaphore lock_sem; /* protect the fields above */
+ /* BB add in lists for dirty pages i.e. write caching info for oplock */
+ struct list_head openFileList;
++ spinlock_t open_file_lock; /* protects openFileList */
+ __u32 cifsAttrs; /* e.g. DOS archive bit, sparse, compressed, system */
+ unsigned int oplock; /* oplock/lease level we have */
+ unsigned int epoch; /* used to track lease state changes */
+@@ -1760,10 +1761,14 @@ require use of the stronger protocol */
+ * tcp_ses_lock protects:
+ * list operations on tcp and SMB session lists
+ * tcon->open_file_lock protects the list of open files hanging off the tcon
++ * inode->open_file_lock protects the openFileList hanging off the inode
+ * cfile->file_info_lock protects counters and fields in cifs file struct
+ * f_owner.lock protects certain per file struct operations
+ * mapping->page_lock protects certain per page operations
+ *
++ * Note that the cifs_tcon.open_file_lock should be taken before
++ * not after the cifsInodeInfo.open_file_lock
++ *
+ * Semaphores
+ * ----------
+ * sesSem operations on smb session
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -338,10 +338,12 @@ cifs_new_fileinfo(struct cifs_fid *fid,
+ atomic_inc(&tcon->num_local_opens);
+
+ /* if readable file instance put first in list*/
++ spin_lock(&cinode->open_file_lock);
+ if (file->f_mode & FMODE_READ)
+ list_add(&cfile->flist, &cinode->openFileList);
+ else
+ list_add_tail(&cfile->flist, &cinode->openFileList);
++ spin_unlock(&cinode->open_file_lock);
+ spin_unlock(&tcon->open_file_lock);
+
+ if (fid->purge_cache)
+@@ -413,7 +415,9 @@ void _cifsFileInfo_put(struct cifsFileIn
+ cifs_add_pending_open_locked(&fid, cifs_file->tlink, &open);
+
+ /* remove it from the lists */
++ spin_lock(&cifsi->open_file_lock);
+ list_del(&cifs_file->flist);
++ spin_unlock(&cifsi->open_file_lock);
+ list_del(&cifs_file->tlist);
+ atomic_dec(&tcon->num_local_opens);
+
+@@ -1950,9 +1954,9 @@ refind_writable:
+ return 0;
+ }
+
+- spin_lock(&tcon->open_file_lock);
++ spin_lock(&cifs_inode->open_file_lock);
+ list_move_tail(&inv_file->flist, &cifs_inode->openFileList);
+- spin_unlock(&tcon->open_file_lock);
++ spin_unlock(&cifs_inode->open_file_lock);
+ cifsFileInfo_put(inv_file);
+ ++refind;
+ inv_file = NULL;
--- /dev/null
+From 61cabc7b0a5cf0d3c532cfa96594c801743fe7f6 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Fri, 14 Jun 2019 13:02:29 +1000
+Subject: cifs: fix GlobalMid_Lock bug in cifs_reconnect
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+commit 61cabc7b0a5cf0d3c532cfa96594c801743fe7f6 upstream.
+
+We can not hold the GlobalMid_Lock spinlock during the
+dfs processing in cifs_reconnect since it invokes things that may sleep
+and thus trigger :
+
+BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:23
+
+Thus we need to drop the spinlock during this code block.
+
+RHBZ: 1716743
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/connect.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -478,6 +478,7 @@ cifs_reconnect(struct TCP_Server_Info *s
+ spin_lock(&GlobalMid_Lock);
+ server->nr_targets = 1;
+ #ifdef CONFIG_CIFS_DFS_UPCALL
++ spin_unlock(&GlobalMid_Lock);
+ cifs_sb = find_super_by_tcp(server);
+ if (IS_ERR(cifs_sb)) {
+ rc = PTR_ERR(cifs_sb);
+@@ -495,6 +496,7 @@ cifs_reconnect(struct TCP_Server_Info *s
+ }
+ cifs_dbg(FYI, "%s: will retry %d target(s)\n", __func__,
+ server->nr_targets);
++ spin_lock(&GlobalMid_Lock);
+ #endif
+ if (server->tcpStatus == CifsExiting) {
+ /* the demux thread will exit normally
--- /dev/null
+From 0ff2b018b02f89da26a616e0148582321a00fd99 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Wed, 5 Jun 2019 10:15:34 +1000
+Subject: cifs: fix panic in smb2_reconnect
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+commit 0ff2b018b02f89da26a616e0148582321a00fd99 upstream.
+
+RH Bugzilla: 1702264
+
+We need to protect so that the call to smb2_reconnect() in
+smb2_reconnect_server() does not end up freeing the session
+because it can lead to a use after free and crash.
+
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -3049,9 +3049,14 @@ void smb2_reconnect_server(struct work_s
+ tcon_exist = true;
+ }
+ }
++ /*
++ * IPC has the same lifetime as its session and uses its
++ * refcount.
++ */
+ if (ses->tcon_ipc && ses->tcon_ipc->need_reconnect) {
+ list_add_tail(&ses->tcon_ipc->rlist, &tmp_list);
+ tcon_exist = true;
++ ses->ses_count++;
+ }
+ }
+ /*
+@@ -3070,7 +3075,10 @@ void smb2_reconnect_server(struct work_s
+ else
+ resched = true;
+ list_del_init(&tcon->rlist);
+- cifs_put_tcon(tcon);
++ if (tcon->ipc)
++ cifs_put_smb_ses(tcon->ses);
++ else
++ cifs_put_tcon(tcon);
+ }
+
+ cifs_dbg(FYI, "Reconnecting tcons finished\n");
--- /dev/null
+From cf131a81967583ae737df6383a0893b9fee75b4e Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 14 Jun 2019 12:32:26 -0400
+Subject: IB/hfi1: Avoid hardlockup with flushlist_lock
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+commit cf131a81967583ae737df6383a0893b9fee75b4e upstream.
+
+Heavy contention of the sde flushlist_lock can cause hard lockups at
+extreme scale when the flushing logic is under stress.
+
+Mitigate by replacing the item at a time copy to the local list with
+an O(1) list_splice_init() and using the high priority work queue to
+do the flushes.
+
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/sdma.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/sdma.c
++++ b/drivers/infiniband/hw/hfi1/sdma.c
+@@ -410,10 +410,7 @@ static void sdma_flush(struct sdma_engin
+ sdma_flush_descq(sde);
+ spin_lock_irqsave(&sde->flushlist_lock, flags);
+ /* copy flush list */
+- list_for_each_entry_safe(txp, txp_next, &sde->flushlist, list) {
+- list_del_init(&txp->list);
+- list_add_tail(&txp->list, &flushlist);
+- }
++ list_splice_init(&sde->flushlist, &flushlist);
+ spin_unlock_irqrestore(&sde->flushlist_lock, flags);
+ /* flush from flush list */
+ list_for_each_entry_safe(txp, txp_next, &flushlist, list)
+@@ -2413,7 +2410,7 @@ unlock_noconn:
+ list_add_tail(&tx->list, &sde->flushlist);
+ spin_unlock(&sde->flushlist_lock);
+ iowait_inc_wait_count(wait, tx->num_desc);
+- schedule_work(&sde->flush_worker);
++ queue_work_on(sde->cpu, system_highpri_wq, &sde->flush_worker);
+ ret = -ECOMM;
+ goto unlock;
+ nodesc:
+@@ -2511,7 +2508,7 @@ unlock_noconn:
+ iowait_inc_wait_count(wait, tx->num_desc);
+ }
+ spin_unlock(&sde->flushlist_lock);
+- schedule_work(&sde->flush_worker);
++ queue_work_on(sde->cpu, system_highpri_wq, &sde->flush_worker);
+ ret = -ECOMM;
+ goto update_tail;
+ nodesc:
--- /dev/null
+From da9de5f8527f4b9efc82f967d29a583318c034c7 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 7 Jun 2019 08:25:31 -0400
+Subject: IB/hfi1: Close PSM sdma_progress sleep window
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+commit da9de5f8527f4b9efc82f967d29a583318c034c7 upstream.
+
+The call to sdma_progress() is called outside the wait lock.
+
+In this case, there is a race condition where sdma_progress() can return
+false and the sdma_engine can idle. If that happens, there will be no
+more sdma interrupts to cause the wakeup and the user_sdma xmit will hang.
+
+Fix by moving the lock to enclose the sdma_progress() call.
+
+Also, delete busycount. The need for this was removed by:
+commit bcad29137a97 ("IB/hfi1: Serve the most starved iowait entry first")
+
+Cc: <stable@vger.kernel.org>
+Fixes: 7724105686e7 ("IB/hfi1: add driver files")
+Reviewed-by: Gary Leshner <Gary.S.Leshner@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/user_sdma.c | 12 ++++--------
+ drivers/infiniband/hw/hfi1/user_sdma.h | 1 -
+ 2 files changed, 4 insertions(+), 9 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/user_sdma.c
++++ b/drivers/infiniband/hw/hfi1/user_sdma.c
+@@ -130,20 +130,16 @@ static int defer_packet_queue(
+ {
+ struct hfi1_user_sdma_pkt_q *pq =
+ container_of(wait->iow, struct hfi1_user_sdma_pkt_q, busy);
+- struct user_sdma_txreq *tx =
+- container_of(txreq, struct user_sdma_txreq, txreq);
+
+- if (sdma_progress(sde, seq, txreq)) {
+- if (tx->busycount++ < MAX_DEFER_RETRY_COUNT)
+- goto eagain;
+- }
++ write_seqlock(&sde->waitlock);
++ if (sdma_progress(sde, seq, txreq))
++ goto eagain;
+ /*
+ * We are assuming that if the list is enqueued somewhere, it
+ * is to the dmawait list since that is the only place where
+ * it is supposed to be enqueued.
+ */
+ xchg(&pq->state, SDMA_PKT_Q_DEFERRED);
+- write_seqlock(&sde->waitlock);
+ if (list_empty(&pq->busy.list)) {
+ iowait_get_priority(&pq->busy);
+ iowait_queue(pkts_sent, &pq->busy, &sde->dmawait);
+@@ -151,6 +147,7 @@ static int defer_packet_queue(
+ write_sequnlock(&sde->waitlock);
+ return -EBUSY;
+ eagain:
++ write_sequnlock(&sde->waitlock);
+ return -EAGAIN;
+ }
+
+@@ -804,7 +801,6 @@ static int user_sdma_send_pkts(struct us
+
+ tx->flags = 0;
+ tx->req = req;
+- tx->busycount = 0;
+ INIT_LIST_HEAD(&tx->list);
+
+ /*
+--- a/drivers/infiniband/hw/hfi1/user_sdma.h
++++ b/drivers/infiniband/hw/hfi1/user_sdma.h
+@@ -245,7 +245,6 @@ struct user_sdma_txreq {
+ struct list_head list;
+ struct user_sdma_request *req;
+ u16 flags;
+- unsigned int busycount;
+ u16 seqnum;
+ };
+
--- /dev/null
+From cc78076af14e1478c1a8fb18997674b5f8cbe3c8 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Mon, 10 Jun 2019 12:28:18 -0400
+Subject: IB/hfi1: Correct tid qp rcd to match verbs context
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+commit cc78076af14e1478c1a8fb18997674b5f8cbe3c8 upstream.
+
+The qp priv rcd pointer doesn't match the context being used for verbs
+causing issues when 9B and kdeth packets are processed by different
+receive contexts and hence different CPUs.
+
+When running on different CPUs the following panic can occur:
+
+ WARNING: CPU: 3 PID: 2584 at lib/list_debug.c:59 __list_del_entry+0xa1/0xd0
+ list_del corruption. prev->next should be ffff9a7ac31f7a30, but was ffff9a7c3bc89230
+ CPU: 3 PID: 2584 Comm: z_wr_iss Kdump: loaded Tainted: P OE ------------ 3.10.0-862.2.3.el7_lustre.x86_64 #1
+ Call Trace:
+ <IRQ> [<ffffffffb7b0d78e>] dump_stack+0x19/0x1b
+ [<ffffffffb74916d8>] __warn+0xd8/0x100
+ [<ffffffffb749175f>] warn_slowpath_fmt+0x5f/0x80
+ [<ffffffffb7768671>] __list_del_entry+0xa1/0xd0
+ [<ffffffffc0c7a945>] process_rcv_qp_work+0xb5/0x160 [hfi1]
+ [<ffffffffc0c7bc2b>] handle_receive_interrupt_nodma_rtail+0x20b/0x2b0 [hfi1]
+ [<ffffffffc0c70683>] receive_context_interrupt+0x23/0x40 [hfi1]
+ [<ffffffffb7540a94>] __handle_irq_event_percpu+0x44/0x1c0
+ [<ffffffffb7540c42>] handle_irq_event_percpu+0x32/0x80
+ [<ffffffffb7540ccc>] handle_irq_event+0x3c/0x60
+ [<ffffffffb7543a1f>] handle_edge_irq+0x7f/0x150
+ [<ffffffffb742d504>] handle_irq+0xe4/0x1a0
+ [<ffffffffb7b23f7d>] do_IRQ+0x4d/0xf0
+ [<ffffffffb7b16362>] common_interrupt+0x162/0x162
+ <EOI> [<ffffffffb775a326>] ? memcpy+0x6/0x110
+ [<ffffffffc109210d>] ? abd_copy_from_buf_off_cb+0x1d/0x30 [zfs]
+ [<ffffffffc10920f0>] ? abd_copy_to_buf_off_cb+0x30/0x30 [zfs]
+ [<ffffffffc1093257>] abd_iterate_func+0x97/0x120 [zfs]
+ [<ffffffffc10934d9>] abd_copy_from_buf_off+0x39/0x60 [zfs]
+ [<ffffffffc109b828>] arc_write_ready+0x178/0x300 [zfs]
+ [<ffffffffb7b11032>] ? mutex_lock+0x12/0x2f
+ [<ffffffffb7b11032>] ? mutex_lock+0x12/0x2f
+ [<ffffffffc1164d05>] zio_ready+0x65/0x3d0 [zfs]
+ [<ffffffffc04d725e>] ? tsd_get_by_thread+0x2e/0x50 [spl]
+ [<ffffffffc04d1318>] ? taskq_member+0x18/0x30 [spl]
+ [<ffffffffc115ef22>] zio_execute+0xa2/0x100 [zfs]
+ [<ffffffffc04d1d2c>] taskq_thread+0x2ac/0x4f0 [spl]
+ [<ffffffffb74cee80>] ? wake_up_state+0x20/0x20
+ [<ffffffffc115ee80>] ? zio_taskq_member.isra.7.constprop.10+0x80/0x80 [zfs]
+ [<ffffffffc04d1a80>] ? taskq_thread_spawn+0x60/0x60 [spl]
+ [<ffffffffb74bae31>] kthread+0xd1/0xe0
+ [<ffffffffb74bad60>] ? insert_kthread_work+0x40/0x40
+ [<ffffffffb7b1f5f7>] ret_from_fork_nospec_begin+0x21/0x21
+ [<ffffffffb74bad60>] ? insert_kthread_work+0x40/0x40
+
+Fix by reading the map entry in the same manner as the hardware so that
+the kdeth and verbs contexts match.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 5190f052a365 ("IB/hfi1: Allow the driver to initialize QP priv struct")
+Reviewed-by: Kaike Wan <kaike.wan@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/chip.c | 13 +++++++++++++
+ drivers/infiniband/hw/hfi1/chip.h | 1 +
+ drivers/infiniband/hw/hfi1/tid_rdma.c | 4 +---
+ 3 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/chip.c
++++ b/drivers/infiniband/hw/hfi1/chip.c
+@@ -14028,6 +14028,19 @@ static void init_kdeth_qp(struct hfi1_de
+ }
+
+ /**
++ * hfi1_get_qp_map
++ * @dd: device data
++ * @idx: index to read
++ */
++u8 hfi1_get_qp_map(struct hfi1_devdata *dd, u8 idx)
++{
++ u64 reg = read_csr(dd, RCV_QP_MAP_TABLE + (idx / 8) * 8);
++
++ reg >>= (idx % 8) * 8;
++ return reg;
++}
++
++/**
+ * init_qpmap_table
+ * @dd - device data
+ * @first_ctxt - first context
+--- a/drivers/infiniband/hw/hfi1/chip.h
++++ b/drivers/infiniband/hw/hfi1/chip.h
+@@ -1442,6 +1442,7 @@ void clear_all_interrupts(struct hfi1_de
+ void remap_intr(struct hfi1_devdata *dd, int isrc, int msix_intr);
+ void remap_sdma_interrupts(struct hfi1_devdata *dd, int engine, int msix_intr);
+ void reset_interrupts(struct hfi1_devdata *dd);
++u8 hfi1_get_qp_map(struct hfi1_devdata *dd, u8 idx);
+
+ /*
+ * Interrupt source table.
+--- a/drivers/infiniband/hw/hfi1/tid_rdma.c
++++ b/drivers/infiniband/hw/hfi1/tid_rdma.c
+@@ -305,9 +305,7 @@ static struct hfi1_ctxtdata *qp_to_rcd(s
+ if (qp->ibqp.qp_num == 0)
+ ctxt = 0;
+ else
+- ctxt = ((qp->ibqp.qp_num >> dd->qos_shift) %
+- (dd->n_krcv_queues - 1)) + 1;
+-
++ ctxt = hfi1_get_qp_map(dd, qp->ibqp.qp_num >> dd->qos_shift);
+ return dd->rcd[ctxt];
+ }
+
--- /dev/null
+From 3230f4a8d44e4a0bb7afea814b280b5129521f52 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 14 Jun 2019 12:32:32 -0400
+Subject: IB/hfi1: Silence txreq allocation warnings
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+commit 3230f4a8d44e4a0bb7afea814b280b5129521f52 upstream.
+
+The following warning can happen when a memory shortage
+occurs during txreq allocation:
+
+[10220.939246] SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC)
+[10220.939246] Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0018.C4.072020161249 07/20/2016
+[10220.939247] cache: mnt_cache, object size: 384, buffer size: 384, default order: 2, min order: 0
+[10220.939260] Workqueue: hfi0_0 _hfi1_do_send [hfi1]
+[10220.939261] node 0: slabs: 1026568, objs: 43115856, free: 0
+[10220.939262] Call Trace:
+[10220.939262] node 1: slabs: 820872, objs: 34476624, free: 0
+[10220.939263] dump_stack+0x5a/0x73
+[10220.939265] warn_alloc+0x103/0x190
+[10220.939267] ? wake_all_kswapds+0x54/0x8b
+[10220.939268] __alloc_pages_slowpath+0x86c/0xa2e
+[10220.939270] ? __alloc_pages_nodemask+0x2fe/0x320
+[10220.939271] __alloc_pages_nodemask+0x2fe/0x320
+[10220.939273] new_slab+0x475/0x550
+[10220.939275] ___slab_alloc+0x36c/0x520
+[10220.939287] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939299] ? __get_txreq+0x54/0x160 [hfi1]
+[10220.939310] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939312] __slab_alloc+0x40/0x61
+[10220.939323] ? hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939325] kmem_cache_alloc+0x181/0x1b0
+[10220.939336] hfi1_make_rc_req+0x90/0x18b0 [hfi1]
+[10220.939348] ? hfi1_verbs_send_dma+0x386/0xa10 [hfi1]
+[10220.939359] ? find_prev_entry+0xb0/0xb0 [hfi1]
+[10220.939371] hfi1_do_send+0x1d9/0x3f0 [hfi1]
+[10220.939372] process_one_work+0x171/0x380
+[10220.939374] worker_thread+0x49/0x3f0
+[10220.939375] kthread+0xf8/0x130
+[10220.939377] ? max_active_store+0x80/0x80
+[10220.939378] ? kthread_bind+0x10/0x10
+[10220.939379] ret_from_fork+0x35/0x40
+[10220.939381] SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC)
+
+The shortage is handled properly so the message isn't needed. Silence by
+adding the no warn option to the slab allocation.
+
+Fixes: 45842abbb292 ("staging/rdma/hfi1: move txreq header code")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/verbs_txreq.c | 2 +-
+ drivers/infiniband/hw/hfi1/verbs_txreq.h | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/verbs_txreq.c
++++ b/drivers/infiniband/hw/hfi1/verbs_txreq.c
+@@ -100,7 +100,7 @@ struct verbs_txreq *__get_txreq(struct h
+ if (ib_rvt_state_ops[qp->state] & RVT_PROCESS_RECV_OK) {
+ struct hfi1_qp_priv *priv;
+
+- tx = kmem_cache_alloc(dev->verbs_txreq_cache, GFP_ATOMIC);
++ tx = kmem_cache_alloc(dev->verbs_txreq_cache, VERBS_TXREQ_GFP);
+ if (tx)
+ goto out;
+ priv = qp->priv;
+--- a/drivers/infiniband/hw/hfi1/verbs_txreq.h
++++ b/drivers/infiniband/hw/hfi1/verbs_txreq.h
+@@ -72,6 +72,7 @@ struct hfi1_ibdev;
+ struct verbs_txreq *__get_txreq(struct hfi1_ibdev *dev,
+ struct rvt_qp *qp);
+
++#define VERBS_TXREQ_GFP (GFP_ATOMIC | __GFP_NOWARN)
+ static inline struct verbs_txreq *get_txreq(struct hfi1_ibdev *dev,
+ struct rvt_qp *qp)
+ __must_hold(&qp->slock)
+@@ -79,7 +80,7 @@ static inline struct verbs_txreq *get_tx
+ struct verbs_txreq *tx;
+ struct hfi1_qp_priv *priv = qp->priv;
+
+- tx = kmem_cache_alloc(dev->verbs_txreq_cache, GFP_ATOMIC);
++ tx = kmem_cache_alloc(dev->verbs_txreq_cache, VERBS_TXREQ_GFP);
+ if (unlikely(!tx)) {
+ /* call slow path to get the lock */
+ tx = __get_txreq(dev, qp);
--- /dev/null
+From 5f90677ed31963abb184ee08ebee4a4a68225dd8 Mon Sep 17 00:00:00 2001
+From: Kaike Wan <kaike.wan@intel.com>
+Date: Fri, 7 Jun 2019 08:25:25 -0400
+Subject: IB/hfi1: Validate fault injection opcode user input
+
+From: Kaike Wan <kaike.wan@intel.com>
+
+commit 5f90677ed31963abb184ee08ebee4a4a68225dd8 upstream.
+
+The opcode range for fault injection from user should be validated before
+it is applied to the fault->opcodes[] bitmap to avoid out-of-bound
+error.
+
+Cc: <stable@vger.kernel.org>
+Fixes: a74d5307caba ("IB/hfi1: Rework fault injection machinery")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Kaike Wan <kaike.wan@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/fault.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/infiniband/hw/hfi1/fault.c
++++ b/drivers/infiniband/hw/hfi1/fault.c
+@@ -153,6 +153,7 @@ static ssize_t fault_opcodes_write(struc
+ char *dash;
+ unsigned long range_start, range_end, i;
+ bool remove = false;
++ unsigned long bound = 1U << BITS_PER_BYTE;
+
+ end = strchr(ptr, ',');
+ if (end)
+@@ -178,6 +179,10 @@ static ssize_t fault_opcodes_write(struc
+ BITS_PER_BYTE);
+ break;
+ }
++ /* Check the inputs */
++ if (range_start >= bound || range_end >= bound)
++ break;
++
+ for (i = range_start; i <= range_end; i++) {
+ if (remove)
+ clear_bit(i, fault->opcodes);
--- /dev/null
+From bce0d57db388cdb1c1931d0aa7d31c77b590e0f0 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Sun, 19 May 2019 10:58:23 +0200
+Subject: iio: imu: st_lsm6dsx: fix PM support for st_lsm6dsx i2c controller
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+commit bce0d57db388cdb1c1931d0aa7d31c77b590e0f0 upstream.
+
+Properly suspend/resume i2c slaves connected to st_lsm6dsx master
+controller if the CPU goes in suspended state
+
+Fixes: c91c1c844ebd ("imu: st_lsm6dsx: add i2c embedded controller support")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 2 ++
+ drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 25 +++++++++++++++++--------
+ 2 files changed, 19 insertions(+), 8 deletions(-)
+
+--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
+@@ -265,6 +265,7 @@ struct st_lsm6dsx_sensor {
+ * @conf_lock: Mutex to prevent concurrent FIFO configuration update.
+ * @page_lock: Mutex to prevent concurrent memory page configuration.
+ * @fifo_mode: FIFO operating mode supported by the device.
++ * @suspend_mask: Suspended sensor bitmask.
+ * @enable_mask: Enabled sensor bitmask.
+ * @ts_sip: Total number of timestamp samples in a given pattern.
+ * @sip: Total number of samples (acc/gyro/ts) in a given pattern.
+@@ -282,6 +283,7 @@ struct st_lsm6dsx_hw {
+ struct mutex page_lock;
+
+ enum st_lsm6dsx_fifo_mode fifo_mode;
++ u8 suspend_mask;
+ u8 enable_mask;
+ u8 ts_sip;
+ u8 sip;
+--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
+@@ -1023,8 +1023,6 @@ static int __maybe_unused st_lsm6dsx_sus
+ {
+ struct st_lsm6dsx_hw *hw = dev_get_drvdata(dev);
+ struct st_lsm6dsx_sensor *sensor;
+- const struct st_lsm6dsx_reg *reg;
+- unsigned int data;
+ int i, err = 0;
+
+ for (i = 0; i < ST_LSM6DSX_ID_MAX; i++) {
+@@ -1035,12 +1033,16 @@ static int __maybe_unused st_lsm6dsx_sus
+ if (!(hw->enable_mask & BIT(sensor->id)))
+ continue;
+
+- reg = &st_lsm6dsx_odr_table[sensor->id].reg;
+- data = ST_LSM6DSX_SHIFT_VAL(0, reg->mask);
+- err = st_lsm6dsx_update_bits_locked(hw, reg->addr, reg->mask,
+- data);
++ if (sensor->id == ST_LSM6DSX_ID_EXT0 ||
++ sensor->id == ST_LSM6DSX_ID_EXT1 ||
++ sensor->id == ST_LSM6DSX_ID_EXT2)
++ err = st_lsm6dsx_shub_set_enable(sensor, false);
++ else
++ err = st_lsm6dsx_sensor_set_enable(sensor, false);
+ if (err < 0)
+ return err;
++
++ hw->suspend_mask |= BIT(sensor->id);
+ }
+
+ if (hw->fifo_mode != ST_LSM6DSX_FIFO_BYPASS)
+@@ -1060,12 +1062,19 @@ static int __maybe_unused st_lsm6dsx_res
+ continue;
+
+ sensor = iio_priv(hw->iio_devs[i]);
+- if (!(hw->enable_mask & BIT(sensor->id)))
++ if (!(hw->suspend_mask & BIT(sensor->id)))
+ continue;
+
+- err = st_lsm6dsx_set_odr(sensor, sensor->odr);
++ if (sensor->id == ST_LSM6DSX_ID_EXT0 ||
++ sensor->id == ST_LSM6DSX_ID_EXT1 ||
++ sensor->id == ST_LSM6DSX_ID_EXT2)
++ err = st_lsm6dsx_shub_set_enable(sensor, true);
++ else
++ err = st_lsm6dsx_sensor_set_enable(sensor, true);
+ if (err < 0)
+ return err;
++
++ hw->suspend_mask &= ~BIT(sensor->id);
+ }
+
+ if (hw->enable_mask)
--- /dev/null
+From 389fc70b60f534d679aea9a3f05146040ce20d77 Mon Sep 17 00:00:00 2001
+From: Crt Mori <cmo@melexis.com>
+Date: Thu, 23 May 2019 14:07:22 +0200
+Subject: iio: temperature: mlx90632 Relax the compatibility check
+
+From: Crt Mori <cmo@melexis.com>
+
+commit 389fc70b60f534d679aea9a3f05146040ce20d77 upstream.
+
+Register EE_VERSION contains mixture of calibration information and DSP
+version. So far, because calibrations were definite, the driver
+compatibility depended on whole contents, but in the newer production
+process the calibration part changes. Because of that, value in EE_VERSION
+will be changed and to avoid that calibration value is same as DSP version
+the MSB in calibration part was fixed to 1.
+That means existing calibrations (medical and consumer) will now have
+hex values (bits 8 to 15) of 83 and 84 respectively. Driver compatibility
+should be based only on DSP version part of the EE_VERSION (bits 0 to 7)
+register.
+
+Signed-off-by: Crt Mori <cmo@melexis.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/temperature/mlx90632.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/temperature/mlx90632.c
++++ b/drivers/iio/temperature/mlx90632.c
+@@ -81,6 +81,8 @@
+ /* Magic constants */
+ #define MLX90632_ID_MEDICAL 0x0105 /* EEPROM DSPv5 Medical device id */
+ #define MLX90632_ID_CONSUMER 0x0205 /* EEPROM DSPv5 Consumer device id */
++#define MLX90632_DSP_VERSION 5 /* DSP version */
++#define MLX90632_DSP_MASK GENMASK(7, 0) /* DSP version in EE_VERSION */
+ #define MLX90632_RESET_CMD 0x0006 /* Reset sensor (address or global) */
+ #define MLX90632_REF_12 12LL /**< ResCtrlRef value of Ch 1 or Ch 2 */
+ #define MLX90632_REF_3 12LL /**< ResCtrlRef value of Channel 3 */
+@@ -667,10 +669,13 @@ static int mlx90632_probe(struct i2c_cli
+ } else if (read == MLX90632_ID_CONSUMER) {
+ dev_dbg(&client->dev,
+ "Detected Consumer EEPROM calibration %x\n", read);
++ } else if ((read & MLX90632_DSP_MASK) == MLX90632_DSP_VERSION) {
++ dev_dbg(&client->dev,
++ "Detected Unknown EEPROM calibration %x\n", read);
+ } else {
+ dev_err(&client->dev,
+- "EEPROM version mismatch %x (expected %x or %x)\n",
+- read, MLX90632_ID_CONSUMER, MLX90632_ID_MEDICAL);
++ "Wrong DSP version %x (expected %x)\n",
++ read, MLX90632_DSP_VERSION);
+ return -EPROTONOSUPPORT;
+ }
+
--- /dev/null
+From 0e658060e5fc50dc282885dc424a94b5d95547e5 Mon Sep 17 00:00:00 2001
+From: Daniel Smith <danct12@disroot.org>
+Date: Thu, 23 May 2019 12:54:18 -0700
+Subject: Input: silead - add MSSL0017 to acpi_device_id
+
+From: Daniel Smith <danct12@disroot.org>
+
+commit 0e658060e5fc50dc282885dc424a94b5d95547e5 upstream.
+
+On Chuwi Hi10 Plus, the Silead device id is MSSL0017.
+
+Signed-off-by: Daniel Smith <danct12@disroot.org>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/silead.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/touchscreen/silead.c
++++ b/drivers/input/touchscreen/silead.c
+@@ -617,6 +617,7 @@ static const struct acpi_device_id silea
+ { "MSSL1680", 0 },
+ { "MSSL0001", 0 },
+ { "MSSL0002", 0 },
++ { "MSSL0017", 0 },
+ { }
+ };
+ MODULE_DEVICE_TABLE(acpi, silead_ts_acpi_match);
--- /dev/null
+From 9843f3e08e2144724be7148e08d77a195dea257a Mon Sep 17 00:00:00 2001
+From: Alexander Mikhaylenko <exalm7659@gmail.com>
+Date: Wed, 12 Jun 2019 14:59:46 -0700
+Subject: Input: synaptics - enable SMBus on ThinkPad E480 and E580
+
+From: Alexander Mikhaylenko <exalm7659@gmail.com>
+
+commit 9843f3e08e2144724be7148e08d77a195dea257a upstream.
+
+They are capable of using intertouch and it works well with
+psmouse.synaptics_intertouch=1, so add them to the list.
+
+Without it, scrolling and gestures are jumpy, three-finger pinch gesture
+doesn't work and three- or four-finger swipes sometimes get stuck.
+
+Signed-off-by: Alexander Mikhaylenko <exalm7659@gmail.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/synaptics.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -179,6 +179,8 @@ static const char * const smbus_pnp_ids[
+ "LEN0096", /* X280 */
+ "LEN0097", /* X280 -> ALPS trackpoint */
+ "LEN200f", /* T450s */
++ "LEN2054", /* E480 */
++ "LEN2055", /* E580 */
+ "SYN3052", /* HP EliteBook 840 G4 */
+ "SYN3221", /* HP 15-ay000 */
+ NULL
--- /dev/null
+From 7c7da40da1640ce6814dab1e8031b44e19e5a3f6 Mon Sep 17 00:00:00 2001
+From: Andrey Smirnov <andrew.smirnov@gmail.com>
+Date: Thu, 23 May 2019 12:55:26 -0700
+Subject: Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD
+
+From: Andrey Smirnov <andrew.smirnov@gmail.com>
+
+commit 7c7da40da1640ce6814dab1e8031b44e19e5a3f6 upstream.
+
+In the case of compat syscall ioctl numbers for UI_BEGIN_FF_UPLOAD and
+UI_END_FF_UPLOAD need to be adjusted before being passed on
+uinput_ioctl_handler() since code built with -m32 will be passing
+slightly different values. Extend the code already covering
+UI_SET_PHYS to cover UI_BEGIN_FF_UPLOAD and UI_END_FF_UPLOAD as well.
+
+Reported-by: Pierre-Loup A. Griffais <pgriffais@valvesoftware.com>
+Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/uinput.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -1051,13 +1051,31 @@ static long uinput_ioctl(struct file *fi
+
+ #ifdef CONFIG_COMPAT
+
+-#define UI_SET_PHYS_COMPAT _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
++/*
++ * These IOCTLs change their size and thus their numbers between
++ * 32 and 64 bits.
++ */
++#define UI_SET_PHYS_COMPAT \
++ _IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
++#define UI_BEGIN_FF_UPLOAD_COMPAT \
++ _IOWR(UINPUT_IOCTL_BASE, 200, struct uinput_ff_upload_compat)
++#define UI_END_FF_UPLOAD_COMPAT \
++ _IOW(UINPUT_IOCTL_BASE, 201, struct uinput_ff_upload_compat)
+
+ static long uinput_compat_ioctl(struct file *file,
+ unsigned int cmd, unsigned long arg)
+ {
+- if (cmd == UI_SET_PHYS_COMPAT)
++ switch (cmd) {
++ case UI_SET_PHYS_COMPAT:
+ cmd = UI_SET_PHYS;
++ break;
++ case UI_BEGIN_FF_UPLOAD_COMPAT:
++ cmd = UI_BEGIN_FF_UPLOAD;
++ break;
++ case UI_END_FF_UPLOAD_COMPAT:
++ cmd = UI_END_FF_UPLOAD;
++ break;
++ }
+
+ return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg));
+ }
--- /dev/null
+From abdd5dcc00207e7c38680f3754d1bfffafff1093 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Mon, 17 Jun 2019 10:56:49 -0700
+Subject: Revert "brcmfmac: disable command decode in sdio_aos"
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit abdd5dcc00207e7c38680f3754d1bfffafff1093 upstream.
+
+This reverts commit 29f6589140a10ece8c1d73f58043ea5b3473ab3e.
+
+After that patch landed I find that my kernel log on
+rk3288-veyron-minnie and rk3288-veyron-speedy is filled with:
+brcmfmac: brcmf_sdio_bus_sleep: error while changing bus sleep state -110
+
+This seems to happen every time the Broadcom WiFi transitions out of
+sleep mode. Reverting the commit fixes the problem for me, so that's
+what this patch does.
+
+Note that, in general, the justification in the original commit seemed
+a little weak. It looked like someone was testing on a SD card
+controller that would sometimes die if there were CRC errors on the
+bus. This used to happen back in early days of dw_mmc (the controller
+on my boards), but we fixed it. Disabling a feature on all boards
+just because one SD card controller is broken seems bad.
+
+Fixes: 29f6589140a1 ("brcmfmac: disable command decode in sdio_aos")
+Cc: Wright Feng <wright.feng@cypress.com>
+Cc: Double Lo <double.lo@cypress.com>
+Cc: Madhan Mohan R <madhanmohan.r@cypress.com>
+Cc: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Cc: stable@vger.kernel.org
+Acked-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -3373,11 +3373,7 @@ err:
+
+ static bool brcmf_sdio_aos_no_decode(struct brcmf_sdio *bus)
+ {
+- if (bus->ci->chip == CY_CC_43012_CHIP_ID ||
+- bus->ci->chip == CY_CC_4373_CHIP_ID ||
+- bus->ci->chip == BRCM_CC_4339_CHIP_ID ||
+- bus->ci->chip == BRCM_CC_4345_CHIP_ID ||
+- bus->ci->chip == BRCM_CC_4354_CHIP_ID)
++ if (bus->ci->chip == CY_CC_43012_CHIP_ID)
+ return true;
+ else
+ return false;
usb-chipidea-udc-workaround-for-endpoint-conflict-issue.patch
xhci-detect-usb-3.2-capable-host-controllers-correctly.patch
usb-xhci-don-t-try-to-recover-an-endpoint-if-port-is-in-error-state.patch
+cifs-fix-panic-in-smb2_reconnect.patch
+cifs-add-spinlock-for-the-openfilelist-to-cifsinodeinfo.patch
+cifs-fix-globalmid_lock-bug-in-cifs_reconnect.patch
+ib-hfi1-validate-fault-injection-opcode-user-input.patch
+ib-hfi1-close-psm-sdma_progress-sleep-window.patch
+ib-hfi1-avoid-hardlockup-with-flushlist_lock.patch
+ib-hfi1-correct-tid-qp-rcd-to-match-verbs-context.patch
+ib-hfi1-silence-txreq-allocation-warnings.patch
+iio-imu-st_lsm6dsx-fix-pm-support-for-st_lsm6dsx-i2c-controller.patch
+iio-temperature-mlx90632-relax-the-compatibility-check.patch
+input-synaptics-enable-smbus-on-thinkpad-e480-and-e580.patch
+input-uinput-add-compat-ioctl-number-translation-for-ui_-_ff_upload.patch
+input-silead-add-mssl0017-to-acpi_device_id.patch
+apparmor-fix-profile_mediates-for-untrusted-input.patch
+apparmor-enforce-nullbyte-at-end-of-tag-string.patch
+apparmor-reset-pos-on-failure-to-unpack-for-various-functions.patch
+revert-brcmfmac-disable-command-decode-in-sdio_aos.patch
+brcmfmac-sdio-disable-auto-tuning-around-commands-expected-to-fail.patch
+brcmfmac-sdio-don-t-tune-while-the-card-is-off.patch