--- /dev/null
+From 0a1d52994d440e21def1c2174932410b4f2a98a1 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 27 Feb 2019 21:29:52 +0100
+Subject: mm: enforce min addr even if capable() in expand_downwards()
+
+From: Jann Horn <jannh@google.com>
+
+commit 0a1d52994d440e21def1c2174932410b4f2a98a1 upstream.
+
+security_mmap_addr() does a capability check with current_cred(), but
+we can reach this code from contexts like a VFS write handler where
+current_cred() must not be used.
+
+This can be abused on systems without SMAP to make NULL pointer
+dereferences exploitable again.
+
+Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses")
+Cc: stable@kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mmap.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2345,12 +2345,11 @@ int expand_downwards(struct vm_area_stru
+ struct mm_struct *mm = vma->vm_mm;
+ struct vm_area_struct *prev;
+ unsigned long gap_addr;
+- int error;
++ int error = 0;
+
+ address &= PAGE_MASK;
+- error = security_mmap_addr(address);
+- if (error)
+- return error;
++ if (address < mmap_min_addr)
++ return -EPERM;
+
+ /* Enforce stack_guard_gap */
+ gap_addr = address - stack_guard_gap;
--- /dev/null
+From c9bd505dbd9d3dc80c496f88eafe70affdcf1ba6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonathan=20Neusch=C3=A4fer?= <j.neuschaefer@gmx.net>
+Date: Sun, 10 Feb 2019 18:31:07 +0100
+Subject: mmc: spi: Fix card detection during probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+
+commit c9bd505dbd9d3dc80c496f88eafe70affdcf1ba6 upstream.
+
+When using the mmc_spi driver with a card-detect pin, I noticed that the
+card was not detected immediately after probe, but only after it was
+unplugged and plugged back in (and the CD IRQ fired).
+
+The call tree looks something like this:
+
+mmc_spi_probe
+ mmc_add_host
+ mmc_start_host
+ _mmc_detect_change
+ mmc_schedule_delayed_work(&host->detect, 0)
+ mmc_rescan
+ host->bus_ops->detect(host)
+ mmc_detect
+ _mmc_detect_card_removed
+ host->ops->get_cd(host)
+ mmc_gpio_get_cd -> -ENOSYS (ctx->cd_gpio not set)
+ mmc_gpiod_request_cd
+ ctx->cd_gpio = desc
+
+To fix this issue, call mmc_detect_change after the card-detect GPIO/IRQ
+is registered.
+
+Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/mmc_spi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/mmc_spi.c
++++ b/drivers/mmc/host/mmc_spi.c
+@@ -1450,6 +1450,7 @@ static int mmc_spi_probe(struct spi_devi
+ mmc->caps &= ~MMC_CAP_NEEDS_POLL;
+ mmc_gpiod_request_cd_irq(mmc);
+ }
++ mmc_detect_change(mmc, 0);
+
+ if (host->pdata && host->pdata->flags & MMC_SPI_USE_RO_GPIO) {
+ has_ro = true;