patches for 4.9
authorSasha Levin <sashal@kernel.org>
Sat, 22 Dec 2018 01:26:38 +0000 (20:26 -0500)
committerSasha Levin <sashal@kernel.org>
Sat, 22 Dec 2018 01:26:38 +0000 (20:26 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.9/asoc-sta32x-set-component-pointer-in-private-struct.patch [new file with mode: 0644]
queue-4.9/block-break-discard-submissions-into-the-user-define.patch [new file with mode: 0644]
queue-4.9/block-fix-infinite-loop-if-the-device-loses-discard-.patch [new file with mode: 0644]
queue-4.9/cifs-integer-overflow-in-in-smb2_ioctl.patch [new file with mode: 0644]
queue-4.9/ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch [new file with mode: 0644]
queue-4.9/series [new file with mode: 0644]

diff --git a/queue-4.9/asoc-sta32x-set-component-pointer-in-private-struct.patch b/queue-4.9/asoc-sta32x-set-component-pointer-in-private-struct.patch
new file mode 100644 (file)
index 0000000..23566f7
--- /dev/null
@@ -0,0 +1,40 @@
+From 83442a4d7bc6c61299498e38575a4b2027f02d9e Mon Sep 17 00:00:00 2001
+From: Daniel Mack <daniel@zonque.org>
+Date: Thu, 11 Oct 2018 20:32:05 +0200
+Subject: ASoC: sta32x: set ->component pointer in private struct
+
+[ Upstream commit 747df19747bc9752cd40b9cce761e17a033aa5c2 ]
+
+The ESD watchdog code in sta32x_watchdog() dereferences the pointer
+which is never assigned.
+
+This is a regression from a1be4cead9b950 ("ASoC: sta32x: Convert to direct
+regmap API usage.") which went unnoticed since nobody seems to use that ESD
+workaround.
+
+Fixes: a1be4cead9b950 ("ASoC: sta32x: Convert to direct regmap API usage.")
+Signed-off-by: Daniel Mack <daniel@zonque.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/sta32x.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/codecs/sta32x.c b/sound/soc/codecs/sta32x.c
+index 0790ae8530d9..7b8b2de02846 100644
+--- a/sound/soc/codecs/sta32x.c
++++ b/sound/soc/codecs/sta32x.c
+@@ -880,6 +880,9 @@ static int sta32x_probe(struct snd_soc_codec *codec)
+       struct sta32x_priv *sta32x = snd_soc_codec_get_drvdata(codec);
+       struct sta32x_platform_data *pdata = sta32x->pdata;
+       int i, ret = 0, thermal = 0;
++
++      sta32x->component = component;
++
+       ret = regulator_bulk_enable(ARRAY_SIZE(sta32x->supplies),
+                                   sta32x->supplies);
+       if (ret != 0) {
+-- 
+2.19.1
+
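Review bot: The added line `sta32x->component = component;` references a `component` identifier that is not declared anywhere visible in the hunk: the signature in the hunk header is `sta32x_probe(struct snd_soc_codec *codec)` and the only locals shown are `sta32x`, `pdata`, `i`, `ret` and `thermal`. Unless `component` is declared further down the function (its body continues past the hunk), this backport will not build on 4.9, where the driver presumably still works with a `snd_soc_codec` rather than a component — the upstream commit was written against the post-component-conversion driver. The 4.9 equivalent is likely `sta32x->codec = codec;`, but the field name in `struct sta32x_priv` and the pointer that `sta32x_watchdog()` actually dereferences should be checked in the 4.9 tree and the patch compile-tested before it lands in the queue. Neither the struct definition nor the watchdog function is visible here, so I cannot confirm which field it expects.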
diff --git a/queue-4.9/block-break-discard-submissions-into-the-user-define.patch b/queue-4.9/block-break-discard-submissions-into-the-user-define.patch
new file mode 100644 (file)
index 0000000..2a4a160
--- /dev/null
@@ -0,0 +1,45 @@
+From 13fca93572ec2e133fb44110cf04a6c93e5e9ffa Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Tue, 8 May 2018 15:09:41 -0600
+Subject: block: break discard submissions into the user defined size
+
+[ Upstream commit af097f5d199e2aa3ab3ef777f0716e487b8f7b08 ]
+
+Don't build discards bigger than what the user asked for, if the
+user decided to limit the size by writing to 'discard_max_bytes'.
+
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-lib.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/block/blk-lib.c b/block/blk-lib.c
+index 46fe9248410d..d8b89c58af3d 100644
+--- a/block/blk-lib.c
++++ b/block/blk-lib.c
+@@ -63,10 +63,16 @@ int __blkdev_issue_discard(struct block_device *bdev, sector_t sector,
+               unsigned int req_sects;
+               sector_t end_sect, tmp;
+-              /* Make sure bi_size doesn't overflow */
+-              req_sects = min_t(sector_t, nr_sects, UINT_MAX >> 9);
++              /*
++               * Issue in chunks of the user defined max discard setting,
++               * ensuring that bi_size doesn't overflow
++               */
++              req_sects = min_t(sector_t, nr_sects,
++                                      q->limits.max_discard_sectors);
++              if (req_sects > UINT_MAX >> 9)
++                      req_sects = UINT_MAX >> 9;
+-              /**
++              /*
+                * If splitting a request, and the next starting sector would be
+                * misaligned, stop the discard at the previous aligned sector.
+                */
+-- 
+2.19.1
+
diff --git a/queue-4.9/block-fix-infinite-loop-if-the-device-loses-discard-.patch b/queue-4.9/block-fix-infinite-loop-if-the-device-loses-discard-.patch
new file mode 100644 (file)
index 0000000..3aef734
--- /dev/null
@@ -0,0 +1,55 @@
+From 226ddc1c876b7c3f110dda56a62560477760fbfb Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 3 Jul 2018 13:34:22 -0400
+Subject: block: fix infinite loop if the device loses discard capability
+
+[ Upstream commit b88aef36b87c9787a4db724923ec4f57dfd513f3 ]
+
+If __blkdev_issue_discard is in progress and a device mapper device is
+reloaded with a table that doesn't support discard,
+q->limits.max_discard_sectors is set to zero. This results in infinite
+loop in __blkdev_issue_discard.
+
+This patch checks if max_discard_sectors is zero and aborts with
+-EOPNOTSUPP.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Tested-by: Zdenek Kabelac <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-lib.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/block/blk-lib.c b/block/blk-lib.c
+index d8b89c58af3d..af1d26f79878 100644
+--- a/block/blk-lib.c
++++ b/block/blk-lib.c
+@@ -69,6 +69,8 @@ int __blkdev_issue_discard(struct block_device *bdev, sector_t sector,
+                */
+               req_sects = min_t(sector_t, nr_sects,
+                                       q->limits.max_discard_sectors);
++              if (!req_sects)
++                      goto fail;
+               if (req_sects > UINT_MAX >> 9)
+                       req_sects = UINT_MAX >> 9;
+@@ -106,6 +108,14 @@ int __blkdev_issue_discard(struct block_device *bdev, sector_t sector,
+       *biop = bio;
+       return 0;
++
++fail:
++      if (bio) {
++              submit_bio_wait(bio);
++              bio_put(bio);
++      }
++      *biop = NULL;
++      return -EOPNOTSUPP;
+ }
+ EXPORT_SYMBOL(__blkdev_issue_discard);
+-- 
+2.19.1
+
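Review bot: The new `if (!req_sects) goto fail;` check carries no comment, and nothing in the surrounding code explains how `req_sects` can be zero while the loop is still running on a non-zero `nr_sects`; a reader will assume it is dead code. Suggest `/* max_discard_sectors can drop to 0 under us (e.g. dm table reload without discard); bail out rather than loop forever */` above the check. At the `fail` label the return value of `submit_bio_wait(bio)` for the already-chained discards is thrown away and replaced by `-EOPNOTSUPP`, so a genuine I/O error on the part already issued is masked; if that is intentional, a one-line comment saying so would help. Separately, the `Tested-by:` trailer names Zdenek Kabelac but carries Mikulas Patocka's address, which looks like a copy-paste slip worth fixing before the patch is queued. The `while (nr_sects)` loop header of `__blkdev_issue_discard` is outside the hunk.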
diff --git a/queue-4.9/cifs-integer-overflow-in-in-smb2_ioctl.patch b/queue-4.9/cifs-integer-overflow-in-in-smb2_ioctl.patch
new file mode 100644 (file)
index 0000000..20fb3ec
--- /dev/null
@@ -0,0 +1,45 @@
+From d36213fb2022ea7e97b880f0925c29efdbbcca1e Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 10 Sep 2018 14:12:07 +0300
+Subject: cifs: integer overflow in in SMB2_ioctl()
+
+[ Upstream commit 2d204ee9d671327915260071c19350d84344e096 ]
+
+The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and
+wrap around to a smaller value which looks like it would lead to an
+information leak.
+
+Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2pdu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index 50251a8af0ce..eae97d169351 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1742,14 +1742,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
+       /* We check for obvious errors in the output buffer length and offset */
+       if (*plen == 0)
+               goto ioctl_exit; /* server returned no data */
+-      else if (*plen > 0xFF00) {
++      else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) {
+               cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
+               *plen = 0;
+               rc = -EIO;
+               goto ioctl_exit;
+       }
+-      if (get_rfc1002_length(rsp) < le32_to_cpu(rsp->OutputOffset) + *plen) {
++      if (get_rfc1002_length(rsp) - *plen < le32_to_cpu(rsp->OutputOffset)) {
+               cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
+                       le32_to_cpu(rsp->OutputOffset));
+               *plen = 0;
+-- 
+2.19.1
+
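Review bot: The rewritten bound `get_rfc1002_length(rsp) - *plen < OutputOffset` is an unsigned subtraction, and the only guard against it wrapping is the new `*plen > rsp_iov.iov_len` test on the preceding check, which bounds `*plen` by a different quantity. If `rsp_iov.iov_len` can exceed the RFC1002 length (in this tree the received buffer presumably still carries the 4-byte RFC1002 header in front of the SMB2 header), a server-supplied `*plen` in that gap underflows the subtraction, the malformed-response check is bypassed, and the over-read the patch is meant to close is still reachable. Upstream bounds both checks by the same `rsp_iov.iov_len`; the backport should likewise use one quantity in both places, e.g. `else if (*plen > get_rfc1002_length(rsp) || *plen > 0xFF00) {`. Note also that `rsp_iov` is not visible anywhere in the hunk context — `SMB2_ioctl()` starts well before line 1742 — so confirm that 4.9's version actually declares a `rsp_iov` kvec rather than the older `iov[]` array, otherwise this will not build.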
diff --git a/queue-4.9/ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch b/queue-4.9/ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch
new file mode 100644 (file)
index 0000000..d9bf5af
--- /dev/null
@@ -0,0 +1,55 @@
+From 6181dbba2b33f19939b5784d9fe782ddc1a40589 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Mon, 2 Jul 2018 14:08:45 -0700
+Subject: ib_srpt: Fix a use-after-free in __srpt_close_all_ch()
+
+[ Upstream commit 14d15c2b278011056482eb015dff89f9cbf2b841 ]
+
+BUG: KASAN: use-after-free in srpt_set_enabled+0x1a9/0x1e0 [ib_srpt]
+Read of size 4 at addr ffff8801269d23f8 by task check/29726
+
+CPU: 4 PID: 29726 Comm: check Not tainted 4.18.0-rc2-dbg+ #4
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+Call Trace:
+ dump_stack+0xa4/0xf5
+ print_address_description+0x6f/0x270
+ kasan_report+0x241/0x360
+ __asan_load4+0x78/0x80
+ srpt_set_enabled+0x1a9/0x1e0 [ib_srpt]
+ srpt_tpg_enable_store+0xb8/0x120 [ib_srpt]
+ configfs_write_file+0x14e/0x1d0 [configfs]
+ __vfs_write+0xd2/0x3b0
+ vfs_write+0x101/0x270
+ ksys_write+0xab/0x120
+ __x64_sys_write+0x43/0x50
+ do_syscall_64+0x77/0x230
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x7f235cfe6154
+
+Fixes: aaf45bd83eba ("IB/srpt: Detect session shutdown reliably")
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
+index fe7c6ec67d98..2a44a2c3e859 100644
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -1763,8 +1763,8 @@ static void __srpt_close_all_ch(struct srpt_device *sdev)
+       list_for_each_entry(ch, &sdev->rch_list, list) {
+               if (srpt_disconnect_ch(ch) >= 0)
+-                      pr_info("Closing channel %s-%d because target %s has been disabled\n",
+-                              ch->sess_name, ch->qp->qp_num,
++                      pr_info("Closing channel %s because target %s has been disabled\n",
++                              ch->sess_name,
+                               sdev->device->name);
+               srpt_close_ch(ch);
+       }
+-- 
+2.19.1
+
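Review bot: Dropping `ch->qp->qp_num` from the message silences the reported KASAN hit, but the loop still dereferences `ch->sess_name` after `srpt_disconnect_ch(ch)` returns and then advances through `ch->list` via `list_for_each_entry()` (not the `_safe` variant); if `ch` or its QP can be torn down once the disconnect is initiated, as the splat suggests, those accesses raise the same lifetime question. Whatever keeps `ch` alive across this loop — presumably a lock or reference taken by the caller, which is outside the hunk since `__srpt_close_all_ch()` begins before the visible lines — should be stated in a comment above the loop so the next reader knows why only the QP pointer was unsafe. The commit text is a bare KASAN trace with no root-cause sentence; a line explaining why `ch->qp` is no longer valid at this point, and what still protects `ch` itself, would help anyone backporting this further.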
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644 (file)
index 0000000..dfefa55
--- /dev/null
@@ -0,0 +1,5 @@
+block-break-discard-submissions-into-the-user-define.patch
+block-fix-infinite-loop-if-the-device-loses-discard-.patch
+asoc-sta32x-set-component-pointer-in-private-struct.patch
+ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch
+cifs-integer-overflow-in-in-smb2_ioctl.patch