--- /dev/null
+From 1524f4e47f90b27a3ac84efbdd94c63172246a6f Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 8 Jan 2019 10:43:30 +0300
+Subject: ALSA: cs46xx: Potential NULL dereference in probe
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 1524f4e47f90b27a3ac84efbdd94c63172246a6f upstream.
+
+The "chip->dsp_spos_instance" can be NULL on some of the earlier error
+paths in snd_cs46xx_create().
+
+Reported-by: "Yavuz, Tuba" <tuba@ece.ufl.edu>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/cs46xx/dsp_spos.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/pci/cs46xx/dsp_spos.c
++++ b/sound/pci/cs46xx/dsp_spos.c
+@@ -903,6 +903,9 @@ int cs46xx_dsp_proc_done (struct snd_cs4
+ struct dsp_spos_instance * ins = chip->dsp_spos_instance;
+ int i;
+
++ if (!ins)
++ return 0;
++
+ snd_info_free_entry(ins->proc_sym_info_entry);
+ ins->proc_sym_info_entry = NULL;
+
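Review bot: The new early return at the top of cs46xx_dsp_proc_done() carries no comment saying why `chip->dsp_spos_instance` can be NULL here, and the rest of the function body (everything after the first `snd_info_free_entry()`) lies outside the hunk. A one-liner such as `/* probe can fail before the SPOS instance exists; nothing to tear down then */` would spare the next reader a trip to snd_cs46xx_create(). The guard itself is placed correctly: every later access in the visible lines goes through `ins`.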
--- /dev/null
+From 3e96d7280f16e2f787307f695a31296b9e4a1cd7 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 2 Jan 2019 17:12:21 +0100
+Subject: ALSA: usb-audio: Always check descriptor sizes in parser code
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 3e96d7280f16e2f787307f695a31296b9e4a1cd7 upstream.
+
+There are a few places where we access the data without checking the
+actual object size from the USB audio descriptor. This may result in
+OOB access, as recently reported.
+
+This patch addresses these missing checks. Most of the added code is
+simple bLength checks on the caller side. For the input and output
+terminal parsers, we put the length check in the parser functions.
+For the input terminal, a new argument is added to distinguish between
+UAC1 and the rest, as they treat different objects.
+
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Reported-by: Hui Peng <benquike@163.com>
+Tested-by: Hui Peng <benquike@163.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/card.c | 2 +-
+ sound/usb/mixer.c | 4 ++++
+ sound/usb/stream.c | 36 +++++++++++++++++++++++++-----------
+ 3 files changed, 30 insertions(+), 12 deletions(-)
+
+--- a/sound/usb/card.c
++++ b/sound/usb/card.c
+@@ -246,7 +246,7 @@ static int snd_usb_create_streams(struct
+ h1 = snd_usb_find_csint_desc(host_iface->extra,
+ host_iface->extralen,
+ NULL, UAC_HEADER);
+- if (!h1) {
++ if (!h1 || h1->bLength < sizeof(*h1)) {
+ dev_err(&dev->dev, "cannot find UAC_HEADER\n");
+ return -EINVAL;
+ }
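Review bot: `h1->bLength < sizeof(*h1)` only covers the fixed part of the header; if this tree's UAC1 header type still ends in a variable-length `baInterfaceNr[]` array sized by `bInCollection`, the loop that walks it (below the hunk) needs its own `bLength >= sizeof(*h1) + bInCollection` bound, which may already exist there — verify. The enclosing snd_usb_create_streams() starts before the hunk. A short comment on the new condition, e.g. `/* truncated header: do not read any field past bLength */`, would state the intent of the added clause.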
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2075,11 +2075,15 @@ static int parse_audio_input_terminal(st
+
+ if (state->mixer->protocol == UAC_VERSION_2) {
+ struct uac2_input_terminal_descriptor *d_v2 = raw_desc;
++ if (d_v2->bLength < sizeof(*d_v2))
++ return -EINVAL;
+ control = UAC2_TE_CONNECTOR;
+ term_id = d_v2->bTerminalID;
+ bmctls = le16_to_cpu(d_v2->bmControls);
+ } else if (state->mixer->protocol == UAC_VERSION_3) {
+ struct uac3_input_terminal_descriptor *d_v3 = raw_desc;
++ if (d_v3->bLength < sizeof(*d_v3))
++ return -EINVAL;
+ control = UAC3_TE_INSERTION;
+ term_id = d_v3->bTerminalID;
+ bmctls = le32_to_cpu(d_v3->bmControls);
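Review bot: The two new bLength checks guard only the UAC2 and UAC3 branches; the UAC1 branch is the `else` that follows this hunk and is not visible, so confirm it reads `bTerminalID` only after an equivalent size check (the cover letter says the UAC1 terminal is validated in a parser helper). parse_audio_input_terminal() starts before the hunk. Since `raw_desc` is untrusted device data, a comment at the first check such as `/* descriptor comes from the device; validate bLength before touching any field */` documents why the check precedes every field read.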
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -596,12 +596,8 @@ static int parse_uac_endpoint_attributes
+ csep = snd_usb_find_desc(alts->extra, alts->extralen, NULL, USB_DT_CS_ENDPOINT);
+
+ if (!csep || csep->bLength < 7 ||
+- csep->bDescriptorSubtype != UAC_EP_GENERAL) {
+- usb_audio_warn(chip,
+- "%u:%d : no or invalid class specific endpoint descriptor\n",
+- iface_no, altsd->bAlternateSetting);
+- return 0;
+- }
++ csep->bDescriptorSubtype != UAC_EP_GENERAL)
++ goto error;
+
+ if (protocol == UAC_VERSION_1) {
+ attributes = csep->bmAttributes;
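Review bot: The pre-existing `csep->bLength < 7` literal now sits next to the new `sizeof(*csep2)` / `sizeof(*csep3)` checks in the same function, which makes the 7 look like an unexplained magic number. If `csep` is the UAC1 `struct uac_iso_endpoint_descriptor`, `csep->bLength < sizeof(*csep)` would read consistently with the later branches; otherwise a comment such as `/* 7 = minimum size of a UAC1 class-specific iso endpoint descriptor */` would do. parse_uac_endpoint_attributes() starts before this hunk and continues into the next two.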
+@@ -609,6 +605,8 @@ static int parse_uac_endpoint_attributes
+ struct uac2_iso_endpoint_descriptor *csep2 =
+ (struct uac2_iso_endpoint_descriptor *) csep;
+
++ if (csep2->bLength < sizeof(*csep2))
++ goto error;
+ attributes = csep->bmAttributes & UAC_EP_CS_ATTR_FILL_MAX;
+
+ /* emulate the endpoint attributes of a v1 device */
+@@ -618,12 +616,20 @@ static int parse_uac_endpoint_attributes
+ struct uac3_iso_endpoint_descriptor *csep3 =
+ (struct uac3_iso_endpoint_descriptor *) csep;
+
++ if (csep3->bLength < sizeof(*csep3))
++ goto error;
+ /* emulate the endpoint attributes of a v1 device */
+ if (le32_to_cpu(csep3->bmControls) & UAC2_CONTROL_PITCH)
+ attributes |= UAC_EP_CS_ATTR_PITCH_CONTROL;
+ }
+
+ return attributes;
++
++ error:
++ usb_audio_warn(chip,
++ "%u:%d : no or invalid class specific endpoint descriptor\n",
++ iface_no, altsd->bAlternateSetting);
++ return 0;
+ }
+
+ /* find an input terminal descriptor (either UAC1 or UAC2) with the given
+@@ -631,13 +637,17 @@ static int parse_uac_endpoint_attributes
+ */
+ static void *
+ snd_usb_find_input_terminal_descriptor(struct usb_host_interface *ctrl_iface,
+- int terminal_id)
++ int terminal_id, bool uac23)
+ {
+ struct uac2_input_terminal_descriptor *term = NULL;
++ size_t minlen = uac23 ? sizeof(struct uac2_input_terminal_descriptor) :
++ sizeof(struct uac_input_terminal_descriptor);
+
+ while ((term = snd_usb_find_csint_desc(ctrl_iface->extra,
+ ctrl_iface->extralen,
+ term, UAC_INPUT_TERMINAL))) {
++ if (term->bLength < minlen)
++ continue;
+ if (term->bTerminalID == terminal_id)
+ return term;
+ }
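Review bot: The header comment above this function (`/* find an input terminal descriptor (either UAC1 or UAC2) with the given ... */`) is not updated for the new `uac23` parameter or for the fact that descriptors shorter than `minlen` are now silently skipped; it should say that `uac23` selects the UAC2/UAC3 layout for the minimum length and that a too-short descriptor is treated as absent. The local `term` is typed `struct uac2_input_terminal_descriptor *` even when `uac23` is false; that works only because `bLength` and `bTerminalID` sit at the same offsets in both layouts, which deserves a comment such as `/* bLength/bTerminalID share offsets in UAC1 and UAC2 layouts, so the UAC2 type is safe here */`. For consistency, the output-terminal sibling below (line 665 in the new file) folds the same test into the `if` with `&&` rather than a `continue`; either form is fine, but the two should match.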
+@@ -655,7 +665,8 @@ snd_usb_find_output_terminal_descriptor(
+ while ((term = snd_usb_find_csint_desc(ctrl_iface->extra,
+ ctrl_iface->extralen,
+ term, UAC_OUTPUT_TERMINAL))) {
+- if (term->bTerminalID == terminal_id)
++ if (term->bLength >= sizeof(*term) &&
++ term->bTerminalID == terminal_id)
+ return term;
+ }
+
+@@ -729,7 +740,8 @@ snd_usb_get_audioformat_uac12(struct snd
+ format = le16_to_cpu(as->wFormatTag); /* remember the format value */
+
+ iterm = snd_usb_find_input_terminal_descriptor(chip->ctrl_intf,
+- as->bTerminalLink);
++ as->bTerminalLink,
++ false);
+ if (iterm) {
+ num_channels = iterm->bNrChannels;
+ chconfig = le16_to_cpu(iterm->wChannelConfig);
+@@ -764,7 +776,8 @@ snd_usb_get_audioformat_uac12(struct snd
+ * to extract the clock
+ */
+ input_term = snd_usb_find_input_terminal_descriptor(chip->ctrl_intf,
+- as->bTerminalLink);
++ as->bTerminalLink,
++ true);
+ if (input_term) {
+ clock = input_term->bCSourceID;
+ if (!chconfig && (num_channels == input_term->bNrChannels))
+@@ -998,7 +1011,8 @@ snd_usb_get_audioformat_uac3(struct snd_
+ * to extract the clock
+ */
+ input_term = snd_usb_find_input_terminal_descriptor(chip->ctrl_intf,
+- as->bTerminalLink);
++ as->bTerminalLink,
++ true);
+ if (input_term) {
+ clock = input_term->bCSourceID;
+ goto found_clock;
--- /dev/null
+From f4351a199cc120ff9d59e06d02e8657d08e6cc46 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 19 Dec 2018 12:36:27 +0100
+Subject: ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f4351a199cc120ff9d59e06d02e8657d08e6cc46 upstream.
+
+The parser for the processing unit reads bNrInPins field before the
+bLength sanity check, which may lead to an out-of-bound access when a
+malformed descriptor is given. Fix it by assignment after the bLength
+check.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2314,7 +2314,7 @@ static int build_audio_procunit(struct m
+ char *name)
+ {
+ struct uac_processing_unit_descriptor *desc = raw_desc;
+- int num_ins = desc->bNrInPins;
++ int num_ins;
+ struct usb_mixer_elem_info *cval;
+ struct snd_kcontrol *kctl;
+ int i, err, nameid, type, len;
+@@ -2329,7 +2329,13 @@ static int build_audio_procunit(struct m
+ 0, NULL, default_value_info
+ };
+
+- if (desc->bLength < 13 || desc->bLength < 13 + num_ins ||
++ if (desc->bLength < 13) {
++ usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);
++ return -EINVAL;
++ }
++
++ num_ins = desc->bNrInPins;
++ if (desc->bLength < 13 + num_ins ||
+ desc->bLength < num_ins + uac_processing_unit_bControlSize(desc, state->mixer->protocol)) {
+ usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);
+ return -EINVAL;
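Review bot: The new first check and the remaining second check now emit the identical `usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid); return -EINVAL;` pair; a single `goto invalid;` from both conditions to one label emitting the message keeps the diagnostic in one place. The ordering is load-bearing — `num_ins = desc->bNrInPins;` must stay between the two checks — so a comment such as `/* bNrInPins lies within the first 13 bytes; read it only once bLength covers them */` would protect it from a later "tidy-up". build_audio_procunit() begins in the previous hunk and continues past this one.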
--- /dev/null
+From 0bfe5e434e6665b3590575ec3c5e4f86a1ce51c9 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 19 Dec 2018 14:04:47 +0100
+Subject: ALSA: usb-audio: Check mixer unit descriptors more strictly
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 0bfe5e434e6665b3590575ec3c5e4f86a1ce51c9 upstream.
+
+We've had some sanity checks of the mixer unit descriptors but they
+are too loose and some corner cases are overlooked. Add more strict
+checks in uac_mixer_unit_get_channels() for avoiding possible OOB
+accesses by malformed descriptors.
+
+This also changes the semantics of uac_mixer_unit_get_channels()
+slightly. Now it returns zero for the cases where the descriptor
+lacks of bmControls instead of -EINVAL. Then the caller side skips
+the mixer creation for such unit while it keeps parsing it.
+This corresponds to the case like Maya44.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -753,8 +753,9 @@ static int uac_mixer_unit_get_channels(s
+ struct uac_mixer_unit_descriptor *desc)
+ {
+ int mu_channels;
++ void *c;
+
+- if (desc->bLength < 11)
++ if (desc->bLength < sizeof(*desc))
+ return -EINVAL;
+ if (!desc->bNrInPins)
+ return -EINVAL;
+@@ -763,6 +764,8 @@ static int uac_mixer_unit_get_channels(s
+ case UAC_VERSION_1:
+ case UAC_VERSION_2:
+ default:
++ if (desc->bLength < sizeof(*desc) + desc->bNrInPins + 1)
++ return 0; /* no bmControls -> skip */
+ mu_channels = uac_mixer_unit_bNrChannels(desc);
+ break;
+ case UAC_VERSION_3:
+@@ -772,7 +775,11 @@ static int uac_mixer_unit_get_channels(s
+ }
+
+ if (!mu_channels)
+- return -EINVAL;
++ return 0;
++
++ c = uac_mixer_unit_bmControls(desc, state->mixer->protocol);
++ if (c - (void *)desc + (mu_channels - 1) / 8 >= desc->bLength)
++ return 0; /* no bmControls -> skip */
+
+ return mu_channels;
+ }
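Review bot: uac_mixer_unit_get_channels() now has three distinct results (negative error, 0 meaning "valid but no bmControls, skip", positive channel count) but no header comment records that contract, and the commit message says callers were changed to rely on it; a short block comment above the function stating those three cases would make the new semantics discoverable. Switching the opening test from `< 11` to `< sizeof(*desc)` loosens it if the descriptor type ends in a flexible `baSourceID[]`; for UAC1/2 the gap is closed by the added `sizeof(*desc) + desc->bNrInPins + 1` check, but the UAC3 branch at the `case UAC_VERSION_3:` label is outside the visible lines and needs its own bound before `uac_mixer_unit_bmControls()` is applied — verify. The final check subtracts `void *` pointers, which is a GNU extension the kernel permits but worth a note such as `/* last bmControls byte must lie within bLength */` so the arithmetic's purpose is clear. The function's signature line lies before the first hunk.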
+@@ -944,7 +951,7 @@ static int check_input_term(struct mixer
+ struct uac_mixer_unit_descriptor *d = p1;
+
+ err = uac_mixer_unit_get_channels(state, d);
+- if (err < 0)
++ if (err <= 0)
+ return err;
+
+ term->channels = err;
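Review bot: With `err <= 0` returning `err`, check_input_term() now reports success (0) for a mixer unit without bmControls while skipping the assignments that follow (`term->channels = err;` and whatever sets the terminal type/id below the hunk), so the caller receives whatever `*term` held before the call. That appears intended per the description, but any caller that dereferences `term->type` after a 0 return must tolerate an unfilled term — verify the callers outside this hunk. A comment such as `/* 0 means the unit has no bmControls: leave *term untouched so the caller skips it */` would record the contract at the point it is relied on.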
+@@ -2118,7 +2125,7 @@ static int parse_audio_mixer_unit(struct
+ if (err < 0)
+ continue;
+ /* no bmControls field (e.g. Maya44) -> ignore */
+- if (desc->bLength <= 10 + input_pins)
++ if (!num_outs)
+ continue;
+ err = check_input_term(state, desc->baSourceID[pin], &iterm);
+ if (err < 0)
--- /dev/null
+From cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184 Mon Sep 17 00:00:00 2001
+From: Hui Peng <benquike@163.com>
+Date: Tue, 25 Dec 2018 18:11:52 -0500
+Subject: ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks
+
+From: Hui Peng <benquike@163.com>
+
+commit cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184 upstream.
+
+In `create_composite_quirk`, the terminating condition of for loops is
+`quirk->ifnum < 0`. So any composite quirks should end with `struct
+snd_usb_audio_quirk` object with ifnum < 0.
+
+ for (quirk = quirk_comp->data; quirk->ifnum >= 0; ++quirk) {
+
+ .....
+ }
+
+the data field of Bower's & Wilkins PX headphones usb device quirks
+do not end with {.ifnum = -1}, which may result in out-of-bound read.
+
+This Patch fix the bug by adding an ending quirk object.
+
+Fixes: 240a8af929c7 ("ALSA: usb-audio: Add a quirck for B&W PX headphones")
+Signed-off-by: Hui Peng <benquike@163.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks-table.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -3326,6 +3326,9 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge
+ }
+ }
+ },
++ {
++ .ifnum = -1
++ },
+ }
+ }
+ },
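Review bot: The added `{ .ifnum = -1 }` entry is the only thing that stops the walk in create_composite_quirk() (`for (quirk = quirk_comp->data; quirk->ifnum >= 0; ++quirk)` per the description), and it is exactly the kind of line that gets lost when a table entry is copy-pasted. A trailing comment on the terminator, e.g. `{ .ifnum = -1 } /* terminator: create_composite_quirk() stops at ifnum < 0 */`, makes the requirement visible where it matters; the same applies to the second hunk at line 3372 of the new file. A helper macro that appends the terminator automatically would remove the failure mode entirely, but that is beyond this fix.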
+@@ -3369,6 +3372,9 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge
+ }
+ }
+ },
++ {
++ .ifnum = -1
++ },
+ }
+ }
+ },
--- /dev/null
+From 8ea3819c0bbef57a51d8abe579e211033e861677 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Mon, 19 Nov 2018 20:01:24 +0200
+Subject: b43: Fix error in cordic routine
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 8ea3819c0bbef57a51d8abe579e211033e861677 upstream.
+
+The cordic routine for calculating sines and cosines that was added in
+commit 6f98e62a9f1b ("b43: update cordic code to match current specs")
+contains an error whereby a quantity declared u32 can in fact go negative.
+
+This problem was detected by Priit Laes who is switching b43 to use the
+routine in the library functions of the kernel.
+
+Fixes: 986504540306 ("b43: make cordic common (LP-PHY and N-PHY need it)")
+Reported-by: Priit Laes <plaes@plaes.org>
+Cc: Rafał Miłecki <zajec5@gmail.com>
+Cc: Stable <stable@vger.kernel.org> # 2.6.34
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Priit Laes <plaes@plaes.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/b43/phy_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/b43/phy_common.c
++++ b/drivers/net/wireless/broadcom/b43/phy_common.c
+@@ -616,7 +616,7 @@ struct b43_c32 b43_cordic(int theta)
+ u8 i;
+ s32 tmp;
+ s8 signx = 1;
+- u32 angle = 0;
++ s32 angle = 0;
+ struct b43_c32 ret = { .i = 39797, .q = 0, };
+
+ while (theta > (180 << 16))
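Review bot: The sign of `angle` is the whole fix, so the declaration should say so: `s32 angle = 0; /* signed: the rotation steps below can drive this negative */`, otherwise a future cleanup may "restore" the unsigned type. The comparisons between `angle` and the `int` parameter `theta` are now signed on both sides, which removes the signed/unsigned promotion that previously turned a negative angle into a large positive value. The body of b43_cordic() continues beyond the hunk.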
--- /dev/null
+From 544fbd16a461a318cd80537d1331c0df5c6cf930 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Wed, 12 Dec 2018 19:44:34 +0800
+Subject: block: deactivate blk_stat timer in wbt_disable_default()
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit 544fbd16a461a318cd80537d1331c0df5c6cf930 upstream.
+
+rwb_enabled() can't be changed when there is any inflight IO.
+
+wbt_disable_default() may set rwb->wb_normal as zero, however the
+blk_stat timer may still be pending, and the timer function will update
+wrb->wb_normal again.
+
+This patch introduces blk_stat_deactivate() and applies it in
+wbt_disable_default(), then the following IO hang triggered when running
+parted & switching io scheduler can be fixed:
+
+[ 369.937806] INFO: task parted:3645 blocked for more than 120 seconds.
+[ 369.938941] Not tainted 4.20.0-rc6-00284-g906c801e5248 #498
+[ 369.939797] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+[ 369.940768] parted D 0 3645 3239 0x00000000
+[ 369.941500] Call Trace:
+[ 369.941874] ? __schedule+0x6d9/0x74c
+[ 369.942392] ? wbt_done+0x5e/0x5e
+[ 369.942864] ? wbt_cleanup_cb+0x16/0x16
+[ 369.943404] ? wbt_done+0x5e/0x5e
+[ 369.943874] schedule+0x67/0x78
+[ 369.944298] io_schedule+0x12/0x33
+[ 369.944771] rq_qos_wait+0xb5/0x119
+[ 369.945193] ? karma_partition+0x1c2/0x1c2
+[ 369.945691] ? wbt_cleanup_cb+0x16/0x16
+[ 369.946151] wbt_wait+0x85/0xb6
+[ 369.946540] __rq_qos_throttle+0x23/0x2f
+[ 369.947014] blk_mq_make_request+0xe6/0x40a
+[ 369.947518] generic_make_request+0x192/0x2fe
+[ 369.948042] ? submit_bio+0x103/0x11f
+[ 369.948486] ? __radix_tree_lookup+0x35/0xb5
+[ 369.949011] submit_bio+0x103/0x11f
+[ 369.949436] ? blkg_lookup_slowpath+0x25/0x44
+[ 369.949962] submit_bio_wait+0x53/0x7f
+[ 369.950469] blkdev_issue_flush+0x8a/0xae
+[ 369.951032] blkdev_fsync+0x2f/0x3a
+[ 369.951502] do_fsync+0x2e/0x47
+[ 369.951887] __x64_sys_fsync+0x10/0x13
+[ 369.952374] do_syscall_64+0x89/0x149
+[ 369.952819] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 369.953492] RIP: 0033:0x7f95a1e729d4
+[ 369.953996] Code: Bad RIP value.
+[ 369.954456] RSP: 002b:00007ffdb570dd48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a
+[ 369.955506] RAX: ffffffffffffffda RBX: 000055c2139c6be0 RCX: 00007f95a1e729d4
+[ 369.956389] RDX: 0000000000000001 RSI: 0000000000001261 RDI: 0000000000000004
+[ 369.957325] RBP: 0000000000000002 R08: 0000000000000000 R09: 000055c2139c6ce0
+[ 369.958199] R10: 0000000000000000 R11: 0000000000000246 R12: 000055c2139c0380
+[ 369.959143] R13: 0000000000000004 R14: 0000000000000100 R15: 0000000000000008
+
+Cc: stable@vger.kernel.org
+Cc: Paolo Valente <paolo.valente@linaro.org>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-stat.h | 5 +++++
+ block/blk-wbt.c | 4 +++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/block/blk-stat.h
++++ b/block/blk-stat.h
+@@ -145,6 +145,11 @@ static inline void blk_stat_activate_nse
+ mod_timer(&cb->timer, jiffies + nsecs_to_jiffies(nsecs));
+ }
+
++static inline void blk_stat_deactivate(struct blk_stat_callback *cb)
++{
++ del_timer_sync(&cb->timer);
++}
++
+ /**
+ * blk_stat_activate_msecs() - Gather block statistics during a time window in
+ * milliseconds.
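Review bot: The new blk_stat_deactivate() lacks the kernel-doc header that its neighbours in this file carry (the `/** blk_stat_activate_msecs() - ... */` block is visible directly below). It should document that it stops the callback's timer and, because it uses del_timer_sync(), that it waits for a running callback to finish and therefore must not be called from the callback itself or while holding a lock the callback takes — the second point is what makes the function safe to use from wbt_disable_default(). Something like `/** blk_stat_deactivate() - Stop the callback's timer and wait for a running callback to complete. @cb: Block statistics callback. Must not be called from the callback or with a lock it takes held. */` would match the surrounding style.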
+--- a/block/blk-wbt.c
++++ b/block/blk-wbt.c
+@@ -760,8 +760,10 @@ void wbt_disable_default(struct request_
+ if (!rqos)
+ return;
+ rwb = RQWB(rqos);
+- if (rwb->enable_state == WBT_STATE_ON_DEFAULT)
++ if (rwb->enable_state == WBT_STATE_ON_DEFAULT) {
++ blk_stat_deactivate(rwb->cb);
+ rwb->wb_normal = 0;
++ }
+ }
+ EXPORT_SYMBOL_GPL(wbt_disable_default);
+
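Review bot: The order inside the new braces is load-bearing — the timer must be fully stopped before `rwb->wb_normal` is cleared, or the callback can rewrite it — but nothing in the code records that; a comment such as `/* stop the stat timer first: its callback recomputes wb_normal */` on the blk_stat_deactivate() call would protect the ordering from a later reshuffle. Because blk_stat_deactivate() is a del_timer_sync() wrapper, wbt_disable_default() now waits for an in-flight callback and so can no longer be invoked from the timer callback path or with the callback's lock held; the elevator-switch caller described in the commit message is fine, but confirm no other caller falls into that category. The start of the function (the rqos lookup) is outside the hunk.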
--- /dev/null
+From 7211aef86f79583e59b88a0aba0bc830566f7e8e Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <damien.lemoal@wdc.com>
+Date: Mon, 17 Dec 2018 15:14:05 +0900
+Subject: block: mq-deadline: Fix write completion handling
+
+From: Damien Le Moal <damien.lemoal@wdc.com>
+
+commit 7211aef86f79583e59b88a0aba0bc830566f7e8e upstream.
+
+For a zoned block device using mq-deadline, if a write request for a
+zone is received while another write was already dispatched for the same
+zone, dd_dispatch_request() will return NULL and the newly inserted
+write request is kept in the scheduler queue waiting for the ongoing
+zone write to complete. With this behavior, when no other request has
+been dispatched, rq_list in blk_mq_sched_dispatch_requests() is empty
+and blk_mq_sched_mark_restart_hctx() not called. This in turn leads to
+__blk_mq_free_request() call of blk_mq_sched_restart() to not run the
+queue when the already dispatched write request completes. The newly
+dispatched request stays stuck in the scheduler queue until eventually
+another request is submitted.
+
+This problem does not affect SCSI disks as the SCSI stack handles queue
+restart on request completion. However, this problem can be triggered
+with the nullblk driver with zoned mode enabled.
+
+Fix this by always requesting a queue restart in dd_dispatch_request()
+if no request was dispatched while WRITE requests are queued.
+
+Fixes: 5700f69178e9 ("mq-deadline: Introduce zone locking support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Add missing export of blk_mq_sched_restart()
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+---
+ block/blk-mq-sched.c | 3 ++-
+ block/blk-mq-sched.h | 1 +
+ block/mq-deadline.c | 12 +++++++++++-
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+--- a/block/blk-mq-sched.c
++++ b/block/blk-mq-sched.c
+@@ -54,13 +54,14 @@ void blk_mq_sched_assign_ioc(struct requ
+ * Mark a hardware queue as needing a restart. For shared queues, maintain
+ * a count of how many hardware queues are marked for restart.
+ */
+-static void blk_mq_sched_mark_restart_hctx(struct blk_mq_hw_ctx *hctx)
++void blk_mq_sched_mark_restart_hctx(struct blk_mq_hw_ctx *hctx)
+ {
+ if (test_bit(BLK_MQ_S_SCHED_RESTART, &hctx->state))
+ return;
+
+ set_bit(BLK_MQ_S_SCHED_RESTART, &hctx->state);
+ }
++EXPORT_SYMBOL_GPL(blk_mq_sched_mark_restart_hctx);
+
+ void blk_mq_sched_restart(struct blk_mq_hw_ctx *hctx)
+ {
+--- a/block/blk-mq-sched.h
++++ b/block/blk-mq-sched.h
+@@ -15,6 +15,7 @@ bool blk_mq_sched_try_merge(struct reque
+ struct request **merged_request);
+ bool __blk_mq_sched_bio_merge(struct request_queue *q, struct bio *bio);
+ bool blk_mq_sched_try_insert_merge(struct request_queue *q, struct request *rq);
++void blk_mq_sched_mark_restart_hctx(struct blk_mq_hw_ctx *hctx);
+ void blk_mq_sched_restart(struct blk_mq_hw_ctx *hctx);
+
+ void blk_mq_sched_insert_request(struct request *rq, bool at_head,
+--- a/block/mq-deadline.c
++++ b/block/mq-deadline.c
+@@ -373,9 +373,16 @@ done:
+
+ /*
+ * One confusing aspect here is that we get called for a specific
+- * hardware queue, but we return a request that may not be for a
++ * hardware queue, but we may return a request that is for a
+ * different hardware queue. This is because mq-deadline has shared
+ * state for all hardware queues, in terms of sorting, FIFOs, etc.
++ *
++ * For a zoned block device, __dd_dispatch_request() may return NULL
++ * if all the queued write requests are directed at zones that are already
++ * locked due to on-going write requests. In this case, make sure to mark
++ * the queue as needing a restart to ensure that the queue is run again
++ * and the pending writes dispatched once the target zones for the ongoing
++ * write requests are unlocked in dd_finish_request().
+ */
+ static struct request *dd_dispatch_request(struct blk_mq_hw_ctx *hctx)
+ {
+@@ -384,6 +391,9 @@ static struct request *dd_dispatch_reque
+
+ spin_lock(&dd->lock);
+ rq = __dd_dispatch_request(dd);
++ if (!rq && blk_queue_is_zoned(hctx->queue) &&
++ !list_empty(&dd->fifo_list[WRITE]))
++ blk_mq_sched_mark_restart_hctx(hctx);
+ spin_unlock(&dd->lock);
+
+ return rq;
--- /dev/null
+From b982896cdb6e6a6b89d86dfb39df489d9df51e14 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 15 Nov 2018 13:15:05 +0300
+Subject: dlm: fixed memory leaks after failed ls_remove_names allocation
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit b982896cdb6e6a6b89d86dfb39df489d9df51e14 upstream.
+
+If allocation fails on the last elements of the array, the already
+allocated elements need to be freed.
+
+v2: just move existing out_rsbtbl label to right place
+
+Fixes 789924ba635f ("dlm: fix race between remove and lookup")
+Cc: stable@kernel.org # 3.6
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -680,11 +680,11 @@ static int new_lockspace(const char *nam
+ kfree(ls->ls_recover_buf);
+ out_lkbidr:
+ idr_destroy(&ls->ls_lkbidr);
++ out_rsbtbl:
+ for (i = 0; i < DLM_REMOVE_NAMES_MAX; i++) {
+ if (ls->ls_remove_names[i])
+ kfree(ls->ls_remove_names[i]);
+ }
+- out_rsbtbl:
+ vfree(ls->ls_rsbtbl);
+ out_lsfree:
+ if (do_unreg)
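Review bot: Now that the `out_rsbtbl:` label sits directly above the `ls_remove_names` loop, that loop is the first thing a reader sees on this unwind path, and its `if (ls->ls_remove_names[i]) kfree(...)` guard is redundant — kfree(NULL) is a no-op — so the body could be the bare `kfree(ls->ls_remove_names[i]);`. A one-line comment at the label, e.g. `/* frees whatever ls_remove_names slots were allocated before the failure */`, would make clear why the loop belongs to this label rather than the one above it. new_lockspace() starts and ends outside the hunk.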
--- /dev/null
+From c0174726c3976e67da8649ac62cae43220ae173a Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 15 Nov 2018 13:18:24 +0300
+Subject: dlm: lost put_lkb on error path in receive_convert() and receive_unlock()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit c0174726c3976e67da8649ac62cae43220ae173a upstream.
+
+Fixes 6d40c4a708e0 ("dlm: improve error and debug messages")
+Cc: stable@kernel.org # 3.5
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dlm/lock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -4180,6 +4180,7 @@ static int receive_convert(struct dlm_ls
+ (unsigned long long)lkb->lkb_recover_seq,
+ ms->m_header.h_nodeid, ms->m_lkid);
+ error = -ENOENT;
++ dlm_put_lkb(lkb);
+ goto fail;
+ }
+
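Review bot: After this change each of receive_convert() and receive_unlock() has `goto fail` sites that differ in whether the lkb reference has already been dropped, with the added `dlm_put_lkb(lkb);` sitting immediately before the jump; if the shared `fail:` label does not itself release the lkb, a dedicated `fail_put:` label that does `dlm_put_lkb(lkb);` and falls into `fail:` would keep the unwind in one place — the label bodies are outside both hunks, so verify first. The same pattern appears in the receive_unlock() hunk at line 4234 of the new file. At minimum a comment such as `/* lkb was found by find_lkb() above; drop that reference before bailing out */` on the added line would explain why this path differs from the earlier failures in the same function.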
+@@ -4233,6 +4234,7 @@ static int receive_unlock(struct dlm_ls
+ lkb->lkb_id, lkb->lkb_remid,
+ ms->m_header.h_nodeid, ms->m_lkid);
+ error = -ENOENT;
++ dlm_put_lkb(lkb);
+ goto fail;
+ }
+
--- /dev/null
+From d47b41aceeadc6b58abc9c7c6485bef7cfb75636 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 15 Nov 2018 13:18:56 +0300
+Subject: dlm: memory leaks on error path in dlm_user_request()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit d47b41aceeadc6b58abc9c7c6485bef7cfb75636 upstream.
+
+According to comment in dlm_user_request() ua should be freed
+in dlm_free_lkb() after successful attach to lkb.
+
+However ua is attached to lkb not in set_lock_args() but later,
+inside request_lock().
+
+Fixes 597d0cae0f99 ("[DLM] dlm: user locks")
+Cc: stable@kernel.org # 2.6.19
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dlm/lock.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -5795,20 +5795,20 @@ int dlm_user_request(struct dlm_ls *ls,
+ goto out;
+ }
+ }
+-
+- /* After ua is attached to lkb it will be freed by dlm_free_lkb().
+- When DLM_IFL_USER is set, the dlm knows that this is a userspace
+- lock and that lkb_astparam is the dlm_user_args structure. */
+-
+ error = set_lock_args(mode, &ua->lksb, flags, namelen, timeout_cs,
+ fake_astfn, ua, fake_bastfn, &args);
+- lkb->lkb_flags |= DLM_IFL_USER;
+-
+ if (error) {
++ kfree(ua->lksb.sb_lvbptr);
++ ua->lksb.sb_lvbptr = NULL;
++ kfree(ua);
+ __put_lkb(ls, lkb);
+ goto out;
+ }
+
++ /* After ua is attached to lkb it will be freed by dlm_free_lkb().
++ When DLM_IFL_USER is set, the dlm knows that this is a userspace
++ lock and that lkb_astparam is the dlm_user_args structure. */
++ lkb->lkb_flags |= DLM_IFL_USER;
+ error = request_lock(ls, lkb, name, namelen, &args);
+
+ switch (error) {
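Review bot: The three added cleanup lines free `ua` and its lvb buffer by hand, while the relocated comment a few lines below says `ua` is freed by dlm_free_lkb() once attached; the reason both exist is that at the point of the set_lock_args() failure `ua` has not yet been handed to the lkb, and that is worth stating in place, e.g. `/* ua is not attached to lkb yet (request_lock() does that), so free it here */`. The `ua->lksb.sb_lvbptr = NULL;` assignment before `kfree(ua)` is harmless but redundant, since `ua` is released on the next line. dlm_user_request() starts before the hunk and continues past it.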
--- /dev/null
+From 23851e978f31eda8b2d01bd410d3026659ca06c7 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 15 Nov 2018 13:18:18 +0300
+Subject: dlm: possible memory leak on error path in create_lkb()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 23851e978f31eda8b2d01bd410d3026659ca06c7 upstream.
+
+Fixes 3d6aa675fff9 ("dlm: keep lkbs in idr")
+Cc: stable@kernel.org # 3.1
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dlm/lock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -1209,6 +1209,7 @@ static int create_lkb(struct dlm_ls *ls,
+
+ if (rv < 0) {
+ log_error(ls, "create_lkb idr error %d", rv);
++ dlm_free_lkb(lkb);
+ return rv;
+ }
+
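Review bot: The added `dlm_free_lkb(lkb);` runs on the path where the idr allocation failed, so the lkb was never inserted into `ls->ls_lkbidr`; this is correct only if dlm_free_lkb() confines itself to the lkb's own allocations and does not attempt an idr removal — that function is outside the hunk, so verify. A comment such as `/* idr insert failed, so the lkb is not visible anywhere: free it directly */` would record why a plain free is the right cleanup here. create_lkb() starts and ends outside the hunk.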
--- /dev/null
+From c6d6e9b0f6b4201c77f2cea3964dd122697e3543 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Tue, 18 Dec 2018 09:25:37 -0800
+Subject: dm: do not allow readahead to limit IO size
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit c6d6e9b0f6b4201c77f2cea3964dd122697e3543 upstream.
+
+Update DM to set the bdi's io_pages. This fixes reads to be capped at
+the device's max request size (even if user's read IO exceeds the
+established readahead setting).
+
+Fixes: 9491ae4a ("mm: don't cap request size based on read-ahead setting")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-table.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -1927,6 +1927,9 @@ void dm_table_set_restrictions(struct dm
+ */
+ if (blk_queue_is_zoned(q))
+ blk_revalidate_disk_zones(t->md->disk);
++
++ /* Allow reads to exceed readahead limits */
++ q->backing_dev_info->io_pages = limits->max_sectors >> (PAGE_SHIFT - 9);
+ }
+
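Review bot: `limits->max_sectors >> (PAGE_SHIFT - 9)` hard-codes the sector shift; if `SECTOR_SHIFT` is available in this tree's `<linux/blkdev.h>`, `limits->max_sectors >> (PAGE_SHIFT - SECTOR_SHIFT)` states the conversion from 512-byte sectors to pages without the magic 9. The comment above the line says what is allowed but not what the value is; expanding it to `/* Allow reads to exceed readahead limits: io_pages is max_sectors converted from sectors to pages */` makes the unit conversion explicit. dm_table_set_restrictions() starts before the hunk.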
+ unsigned int dm_table_get_num_targets(struct dm_table *t)
--- /dev/null
+From e121a833745b4708b660e3fe6776129c2956b041 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Thu, 13 Dec 2018 19:27:47 +0100
+Subject: driver core: Add missing dev->bus->need_parent_lock checks
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit e121a833745b4708b660e3fe6776129c2956b041 upstream.
+
+__device_release_driver() has to check dev->bus->need_parent_lock
+before dropping the parent lock and acquiring it again as it may
+attempt to drop a lock that hasn't been acquired or lock a device
+that shouldn't be locked and create a lock imbalance.
+
+Fixes: 8c97a46af04b (driver core: hold dev's parent lock when needed)
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/dd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -933,11 +933,11 @@ static void __device_release_driver(stru
+
+ while (device_links_busy(dev)) {
+ device_unlock(dev);
+- if (parent)
++ if (parent && dev->bus->need_parent_lock)
+ device_unlock(parent);
+
+ device_links_unbind_consumers(dev);
+- if (parent)
++ if (parent && dev->bus->need_parent_lock)
+ device_lock(parent);
+
+ device_lock(dev);
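Review bot: `parent && dev->bus->need_parent_lock` is now evaluated twice per loop iteration and must stay identical to the condition under which the parent lock was originally taken earlier in __device_release_driver() (outside the hunk); computing it once, e.g. `bool parent_locked = parent && dev->bus->need_parent_lock;` above the loop, and using `if (parent_locked)` at both sites ties the unlock/relock pair to a single expression. That also gives a natural place for a comment such as `/* only touch the parent lock if we are the ones holding it */`. Whether `dev->bus` can be NULL for a device reaching this path is not visible here; presumably it cannot for a bound device — verify.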
--- /dev/null
+From 1a80dade010c7a7f4885a4c4c2a7ac22cc7b34df Mon Sep 17 00:00:00 2001
+From: Matthew Wilcox <willy@infradead.org>
+Date: Fri, 28 Dec 2018 07:22:26 -0800
+Subject: Fix failure path in alloc_pid()
+
+From: Matthew Wilcox <willy@infradead.org>
+
+commit 1a80dade010c7a7f4885a4c4c2a7ac22cc7b34df upstream.
+
+The failure path removes the allocated PIDs from the wrong namespace.
+This could lead to us inadvertently reusing PIDs in the leaf namespace
+and leaking PIDs in parent namespaces.
+
+Fixes: 95846ecf9dac ("pid: replace pid bitmap implementation with IDR API")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Matthew Wilcox <willy@infradead.org>
+Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Reviewed-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/pid.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/kernel/pid.c
++++ b/kernel/pid.c
+@@ -233,8 +233,10 @@ out_unlock:
+
+ out_free:
+ spin_lock_irq(&pidmap_lock);
+- while (++i <= ns->level)
+- idr_remove(&ns->idr, (pid->numbers + i)->nr);
++ while (++i <= ns->level) {
++ upid = pid->numbers + i;
++ idr_remove(&upid->ns->idr, upid->nr);
++ }
+
+ /* On failure to allocate the first pid, reset the state */
+ if (ns->pid_allocated == PIDNS_ADDING)
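Review bot: The corrected loop is correct but unexplained: it relies on `i` being the level at which allocation failed and on each `upid` carrying its own namespace, which is exactly what the old code got wrong. A comment such as `/* undo the levels allocated so far (i+1 .. ns->level), each in the namespace it was allocated from */` would keep the next reader from "simplifying" it back to `ns->idr`. `upid` is not declared in the hunk, so it is presumably an existing local of alloc_pid(); the function starts and ends outside the hunk.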
--- /dev/null
+From 2d29f6b96d8f80322ed2dd895bca590491c38d34 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Tue, 4 Dec 2018 15:06:27 +0100
+Subject: gfs2: Fix loop in gfs2_rbm_find
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit 2d29f6b96d8f80322ed2dd895bca590491c38d34 upstream.
+
+Fix the resource group wrap-around logic in gfs2_rbm_find that commit
+e579ed4f44 broke. The bug can lead to unnecessary repeated scanning of the
+same bitmaps; there is a risk that future changes will turn this into an
+endless loop.
+
+Fixes: e579ed4f44 ("GFS2: Introduce rbm field bii")
+Cc: stable@vger.kernel.org # v3.13+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/rgrp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -1780,9 +1780,9 @@ static int gfs2_rbm_find(struct gfs2_rbm
+ goto next_iter;
+ }
+ if (ret == -E2BIG) {
++ n += rbm->bii - initial_bii;
+ rbm->bii = 0;
+ rbm->offset = 0;
+- n += (rbm->bii - initial_bii);
+ goto res_covered_end_of_rgrp;
+ }
+ return ret;
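Review bot: The moved line `n += rbm->bii - initial_bii;` is now correct only because it reads `rbm->bii` before the reset to 0 on the following line, and nothing in the code states that ordering constraint — which is exactly how the regression this fixes crept in. A one-line comment above it, e.g. `/* Count the bitmaps scanned so far; must precede the bii reset below. */`, would make the dependency explicit for the next reshuffle. gfs2_rbm_find starts before and ends after this hunk.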
--- /dev/null
+From 6ff9b09e00a441599f3aacdf577254455a048bc9 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Mon, 26 Nov 2018 18:45:35 +0100
+Subject: gfs2: Get rid of potential double-freeing in gfs2_create_inode
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit 6ff9b09e00a441599f3aacdf577254455a048bc9 upstream.
+
+In gfs2_create_inode, after setting and releasing the acl / default_acl, the
+acl / default_acl pointers are not set to NULL as they should be. In that
+state, when the function reaches label fail_free_acls, gfs2_create_inode will
+try to release the same acls again.
+
+Fix that by setting the pointers to NULL after releasing the acls. Slightly
+simplify the logic. Also, posix_acl_release checks for NULL already, so
+there is no need to duplicate those checks here.
+
+Fixes: e01580bf9e4d ("gfs2: use generic posix ACL infrastructure")
+Reported-by: Pan Bian <bianpan2016@163.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: stable@vger.kernel.org # v4.9+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/inode.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/fs/gfs2/inode.c
++++ b/fs/gfs2/inode.c
+@@ -744,17 +744,19 @@ static int gfs2_create_inode(struct inod
+ the gfs2 structures. */
+ if (default_acl) {
+ error = __gfs2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
++ if (error)
++ goto fail_gunlock3;
+ posix_acl_release(default_acl);
++ default_acl = NULL;
+ }
+ if (acl) {
+- if (!error)
+- error = __gfs2_set_acl(inode, acl, ACL_TYPE_ACCESS);
++ error = __gfs2_set_acl(inode, acl, ACL_TYPE_ACCESS);
++ if (error)
++ goto fail_gunlock3;
+ posix_acl_release(acl);
++ acl = NULL;
+ }
+
+- if (error)
+- goto fail_gunlock3;
+-
+ error = security_inode_init_security(&ip->i_inode, &dip->i_inode, name,
+ &gfs2_initxattrs, NULL);
+ if (error)
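Review bot: The new `default_acl = NULL;` / `acl = NULL;` assignments read like stray resets, whereas they are the whole point of the fix: they mark the acl as consumed so that the release label later in the function does not drop it a second time, while the new `goto fail_gunlock3` branches deliberately leave the pointer non-NULL so that label (presumably reached by fall-through, outside this hunk) still releases it. A short comment on the first assignment, e.g. `/* consumed; fail_free_acls must not release it again */`, would document the ownership rule both blocks now rely on. The two `if` blocks are identical apart from the ACL type, so one comment covers both. gfs2_create_inode starts before and ends after this hunk.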
+@@ -789,10 +791,8 @@ fail_free_inode:
+ }
+ gfs2_rsqa_delete(ip, NULL);
+ fail_free_acls:
+- if (default_acl)
+- posix_acl_release(default_acl);
+- if (acl)
+- posix_acl_release(acl);
++ posix_acl_release(default_acl);
++ posix_acl_release(acl);
+ fail_gunlock:
+ gfs2_dir_no_add(&da);
+ gfs2_glock_dq_uninit(ghs);
--- /dev/null
+From b8eee0e90f9797b747113638bc75e739b192ad38 Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Thu, 1 Nov 2018 13:39:49 -0400
+Subject: lockd: Show pid of lockd for remote locks
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+commit b8eee0e90f9797b747113638bc75e739b192ad38 upstream.
+
+Commit 9d5b86ac13c5 ("fs/locks: Remove fl_nspid and use fs-specific l_pid
+for remote locks") specified that the l_pid returned for F_GETLK on a local
+file that has a remote lock should be the pid of the lock manager process.
+That commit, while updating other filesystems, failed to update lockd, such
+that locks created by lockd had their fl_pid set to that of the remote
+process holding the lock. Fix that here to be the pid of lockd.
+
+Also, fix the client case so that the returned lock pid is negative, which
+indicates a remote lock on a remote file.
+
+Fixes: 9d5b86ac13c5 ("fs/locks: Remove fl_nspid and use fs-specific...")
+Cc: stable@vger.kernel.org
+
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/lockd/clntproc.c | 2 +-
+ fs/lockd/xdr.c | 4 ++--
+ fs/lockd/xdr4.c | 4 ++--
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/lockd/clntproc.c
++++ b/fs/lockd/clntproc.c
+@@ -442,7 +442,7 @@ nlmclnt_test(struct nlm_rqst *req, struc
+ fl->fl_start = req->a_res.lock.fl.fl_start;
+ fl->fl_end = req->a_res.lock.fl.fl_end;
+ fl->fl_type = req->a_res.lock.fl.fl_type;
+- fl->fl_pid = 0;
++ fl->fl_pid = -req->a_res.lock.fl.fl_pid;
+ break;
+ default:
+ status = nlm_stat_to_errno(req->a_res.status);
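Review bot: `fl->fl_pid = -req->a_res.lock.fl.fl_pid;` negates a value that was decoded off the wire, so the "negative means remote" convention the commit describes only holds when the decoded pid is strictly positive: zero still yields 0 (indistinguishable from the previous behaviour), an already-negative value becomes positive and would look like a local lock, and negating the most negative value overflows (assuming fl_pid is the usual pid_t). If the decoder does not already guarantee a positive value, either clamp here, e.g. `fl->fl_pid = req->a_res.lock.fl.fl_pid > 0 ? -req->a_res.lock.fl.fl_pid : 0;`, or add a comment stating where that guarantee comes from. nlmclnt_test starts before and ends after this hunk.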
+--- a/fs/lockd/xdr.c
++++ b/fs/lockd/xdr.c
+@@ -127,7 +127,7 @@ nlm_decode_lock(__be32 *p, struct nlm_lo
+
+ locks_init_lock(fl);
+ fl->fl_owner = current->files;
+- fl->fl_pid = (pid_t)lock->svid;
++ fl->fl_pid = current->tgid;
+ fl->fl_flags = FL_POSIX;
+ fl->fl_type = F_RDLCK; /* as good as anything else */
+ start = ntohl(*p++);
+@@ -269,7 +269,7 @@ nlmsvc_decode_shareargs(struct svc_rqst
+ memset(lock, 0, sizeof(*lock));
+ locks_init_lock(&lock->fl);
+ lock->svid = ~(u32) 0;
+- lock->fl.fl_pid = (pid_t)lock->svid;
++ lock->fl.fl_pid = current->tgid;
+
+ if (!(p = nlm_decode_cookie(p, &argp->cookie))
+ || !(p = xdr_decode_string_inplace(p, &lock->caller,
+--- a/fs/lockd/xdr4.c
++++ b/fs/lockd/xdr4.c
+@@ -119,7 +119,7 @@ nlm4_decode_lock(__be32 *p, struct nlm_l
+
+ locks_init_lock(fl);
+ fl->fl_owner = current->files;
+- fl->fl_pid = (pid_t)lock->svid;
++ fl->fl_pid = current->tgid;
+ fl->fl_flags = FL_POSIX;
+ fl->fl_type = F_RDLCK; /* as good as anything else */
+ p = xdr_decode_hyper(p, &start);
+@@ -266,7 +266,7 @@ nlm4svc_decode_shareargs(struct svc_rqst
+ memset(lock, 0, sizeof(*lock));
+ locks_init_lock(&lock->fl);
+ lock->svid = ~(u32) 0;
+- lock->fl.fl_pid = (pid_t)lock->svid;
++ lock->fl.fl_pid = current->tgid;
+
+ if (!(p = nlm4_decode_cookie(p, &argp->cookie))
+ || !(p = xdr_decode_string_inplace(p, &lock->caller,
--- /dev/null
+From fdec6114ee1f0f43b1ad081ad8d46b23ba126d70 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Thu, 15 Nov 2018 11:21:40 -0500
+Subject: nfsd4: zero-length WRITE should succeed
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit fdec6114ee1f0f43b1ad081ad8d46b23ba126d70 upstream.
+
+Zero-length writes are legal; from 5661 section 18.32.3: "If the count
+is zero, the WRITE will succeed and return a count of zero subject to
+permissions checking".
+
+This check is unnecessary and is causing zero-length reads to return
+EINVAL.
+
+Cc: stable@vger.kernel.org
+Fixes: 3fd9557aec91 "NFSD: Refactor the generic write vector fill helper"
+Cc: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4proc.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1016,8 +1016,6 @@ nfsd4_write(struct svc_rqst *rqstp, stru
+
+ nvecs = svc_fill_write_vector(rqstp, write->wr_pagelist,
+ &write->wr_head, write->wr_buflen);
+- if (!nvecs)
+- return nfserr_io;
+ WARN_ON_ONCE(nvecs > ARRAY_SIZE(rqstp->rq_vec));
+
+ status = nfsd_vfs_write(rqstp, &cstate->current_fh, filp,
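Review bot: With `if (!nvecs) return nfserr_io;` removed, a zero return from svc_fill_write_vector is no longer treated as an error, and the only remaining guard on `nvecs` is the WARN_ON_ONCE upper bound on the next line. If the helper cannot fail — the commit message implies that, but the hunk cannot show it — a comment at the call site, e.g. `/* nvecs == 0 is a legal zero-length WRITE (RFC 5661 18.32.3), not an error */`, would stop a future reader from reinstating the check. nfsd4_write starts before and ends after this hunk.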
--- /dev/null
+From c5eb1190074cfb14c5d9cac692f1912eecf1a5e4 Mon Sep 17 00:00:00 2001
+From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Date: Tue, 23 Oct 2018 14:45:52 +0300
+Subject: PCI / PM: Allow runtime PM without callback functions
+
+From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+
+commit c5eb1190074cfb14c5d9cac692f1912eecf1a5e4 upstream.
+
+a9c8088c7988 ("i2c: i801: Don't restore config registers on runtime PM")
+nullified the runtime PM suspend/resume callback pointers while keeping the
+runtime PM enabled.
+
+This caused the SMBus PCI device to stay in D0 with
+/sys/devices/.../power/runtime_status showing "error" when the runtime PM
+framework attempted to autosuspend the device. This is due to PCI bus
+runtime PM, which checks for driver runtime PM callbacks and returns
+-ENOSYS if they are not set.
+
+Since i2c-i801.c doesn't need to do anything device-specific for runtime
+PM, Jean Delvare proposed this be fixed in the PCI core rather than adding
+dummy runtime PM callback functions in the PCI drivers.
+
+Change pci_pm_runtime_suspend()/pci_pm_runtime_resume() so they allow
+changing the PCI device power state during runtime PM transitions even if
+the driver supplies no runtime PM callbacks.
+
+This fixes the runtime PM regression on i2c-i801.c.
+
+It is not obvious why the code previously required the runtime PM
+callbacks. The test has been there since the code was introduced by
+6cbf82148ff2 ("PCI PM: Run-time callbacks for PCI bus type").
+
+On the other hand, a similar change was done to generic runtime PM
+callbacks in 05aa55dddb9e ("PM / Runtime: Lenient generic runtime pm
+callbacks").
+
+Fixes: a9c8088c7988 ("i2c: i801: Don't restore config registers on runtime PM")
+Reported-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Cc: stable@vger.kernel.org # v4.18+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci-driver.c | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+--- a/drivers/pci/pci-driver.c
++++ b/drivers/pci/pci-driver.c
+@@ -1251,30 +1251,29 @@ static int pci_pm_runtime_suspend(struct
+ return 0;
+ }
+
+- if (!pm || !pm->runtime_suspend)
+- return -ENOSYS;
+-
+ pci_dev->state_saved = false;
+- error = pm->runtime_suspend(dev);
+- if (error) {
++ if (pm && pm->runtime_suspend) {
++ error = pm->runtime_suspend(dev);
+ /*
+ * -EBUSY and -EAGAIN is used to request the runtime PM core
+ * to schedule a new suspend, so log the event only with debug
+ * log level.
+ */
+- if (error == -EBUSY || error == -EAGAIN)
++ if (error == -EBUSY || error == -EAGAIN) {
+ dev_dbg(dev, "can't suspend now (%pf returned %d)\n",
+ pm->runtime_suspend, error);
+- else
++ return error;
++ } else if (error) {
+ dev_err(dev, "can't suspend (%pf returned %d)\n",
+ pm->runtime_suspend, error);
+-
+- return error;
++ return error;
++ }
+ }
+
+ pci_fixup_device(pci_fixup_suspend, pci_dev);
+
+- if (!pci_dev->state_saved && pci_dev->current_state != PCI_D0
++ if (pm && pm->runtime_suspend
++ && !pci_dev->state_saved && pci_dev->current_state != PCI_D0
+ && pci_dev->current_state != PCI_UNKNOWN) {
+ WARN_ONCE(pci_dev->current_state != prev,
+ "PCI PM: State of device not saved by %pF\n",
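Review bot: `pm && pm->runtime_suspend` is now evaluated twice in pci_pm_runtime_suspend — once to gate the callback and again inside the enlarged WARN_ONCE condition — and the second occurrence is easy to miss when reading why the state-saved warning is skipped for callback-less drivers. Hoisting it into a local, `bool has_cb = pm && pm->runtime_suspend;`, used in both places, plus a comment on the WARN_ONCE guard noting that a driver without a callback had no chance to save state, would make the intent clear. The `} else if (error) {` following an unconditional `return error;` can also be a plain `if`. The function starts before and ends after this hunk.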
+@@ -1292,7 +1291,7 @@ static int pci_pm_runtime_suspend(struct
+
+ static int pci_pm_runtime_resume(struct device *dev)
+ {
+- int rc;
++ int rc = 0;
+ struct pci_dev *pci_dev = to_pci_dev(dev);
+ const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL;
+
+@@ -1306,14 +1305,12 @@ static int pci_pm_runtime_resume(struct
+ if (!pci_dev->driver)
+ return 0;
+
+- if (!pm || !pm->runtime_resume)
+- return -ENOSYS;
+-
+ pci_fixup_device(pci_fixup_resume_early, pci_dev);
+ pci_enable_wake(pci_dev, PCI_D0, false);
+ pci_fixup_device(pci_fixup_resume, pci_dev);
+
+- rc = pm->runtime_resume(dev);
++ if (pm && pm->runtime_resume)
++ rc = pm->runtime_resume(dev);
+
+ pci_dev->runtime_d3cold = false;
+
--- /dev/null
+From 5df275cd4cf51c86d49009f1397132f284ba515e Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 23 Oct 2018 09:02:17 +0200
+Subject: selinux: policydb - fix byte order and alignment issues
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+commit 5df275cd4cf51c86d49009f1397132f284ba515e upstream.
+
+Do the LE conversions before doing the Infiniband-related range checks.
+The incorrect checks are otherwise causing a failure to load any policy
+with an ibendportcon rule on BE systems. This can be reproduced by
+running (on e.g. ppc64):
+
+cat >my_module.cil <<EOF
+(type test_ibendport_t)
+(roletype object_r test_ibendport_t)
+(ibendportcon mlx4_0 1 (system_u object_r test_ibendport_t ((s0) (s0))))
+EOF
+semodule -i my_module.cil
+
+Also, fix loading/storing the 64-bit subnet prefix for OCON_IBPKEY to
+use a correctly aligned buffer.
+
+Finally, do not use the 'nodebuf' (u32) buffer where 'buf' (__le32)
+should be used instead.
+
+Tested internally on a ppc64 machine with a RHEL 7 kernel with this
+patch applied.
+
+Cc: Daniel Jurgens <danielj@mellanox.com>
+Cc: Eli Cohen <eli@mellanox.com>
+Cc: James Morris <jmorris@namei.org>
+Cc: Doug Ledford <dledford@redhat.com>
+Cc: <stable@vger.kernel.org> # 4.13+
+Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband support")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/ss/policydb.c | 51 ++++++++++++++++++++++++++++-------------
+ 1 file changed, 36 insertions(+), 15 deletions(-)
+
+--- a/security/selinux/ss/policydb.c
++++ b/security/selinux/ss/policydb.c
+@@ -2108,6 +2108,7 @@ static int ocontext_read(struct policydb
+ {
+ int i, j, rc;
+ u32 nel, len;
++ __be64 prefixbuf[1];
+ __le32 buf[3];
+ struct ocontext *l, *c;
+ u32 nodebuf[8];
+@@ -2217,21 +2218,30 @@ static int ocontext_read(struct policydb
+ goto out;
+ break;
+ }
+- case OCON_IBPKEY:
+- rc = next_entry(nodebuf, fp, sizeof(u32) * 4);
++ case OCON_IBPKEY: {
++ u32 pkey_lo, pkey_hi;
++
++ rc = next_entry(prefixbuf, fp, sizeof(u64));
++ if (rc)
++ goto out;
++
++ /* we need to have subnet_prefix in CPU order */
++ c->u.ibpkey.subnet_prefix = be64_to_cpu(prefixbuf[0]);
++
++ rc = next_entry(buf, fp, sizeof(u32) * 2);
+ if (rc)
+ goto out;
+
+- c->u.ibpkey.subnet_prefix = be64_to_cpu(*((__be64 *)nodebuf));
++ pkey_lo = le32_to_cpu(buf[0]);
++ pkey_hi = le32_to_cpu(buf[1]);
+
+- if (nodebuf[2] > 0xffff ||
+- nodebuf[3] > 0xffff) {
++ if (pkey_lo > U16_MAX || pkey_hi > U16_MAX) {
+ rc = -EINVAL;
+ goto out;
+ }
+
+- c->u.ibpkey.low_pkey = le32_to_cpu(nodebuf[2]);
+- c->u.ibpkey.high_pkey = le32_to_cpu(nodebuf[3]);
++ c->u.ibpkey.low_pkey = pkey_lo;
++ c->u.ibpkey.high_pkey = pkey_hi;
+
+ rc = context_read_and_validate(&c->context[0],
+ p,
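Review bot: The new range check `if (pkey_lo > U16_MAX || pkey_hi > U16_MAX)` validates each pkey on its own but not their ordering, so a policy with `low_pkey > high_pkey` is still accepted into `c->u.ibpkey` and written back out unchanged by the ocontext_write hunk below; if later matching assumes an ordered range, extending the condition to `pkey_lo > U16_MAX || pkey_hi > U16_MAX || pkey_lo > pkey_hi` would reject such input at load time rather than leaving it to silently never match. Separately, `__be64 prefixbuf[1]` is a one-element array used only so its name decays to a pointer for next_entry; a scalar `__be64 prefixbuf;` passed as `&prefixbuf` reads more naturally, and the same applies to ocontext_write. ocontext_read starts before and ends after this hunk.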
+@@ -2239,7 +2249,10 @@ static int ocontext_read(struct policydb
+ if (rc)
+ goto out;
+ break;
+- case OCON_IBENDPORT:
++ }
++ case OCON_IBENDPORT: {
++ u32 port;
++
+ rc = next_entry(buf, fp, sizeof(u32) * 2);
+ if (rc)
+ goto out;
+@@ -2249,12 +2262,13 @@ static int ocontext_read(struct policydb
+ if (rc)
+ goto out;
+
+- if (buf[1] > 0xff || buf[1] == 0) {
++ port = le32_to_cpu(buf[1]);
++ if (port > U8_MAX || port == 0) {
+ rc = -EINVAL;
+ goto out;
+ }
+
+- c->u.ibendport.port = le32_to_cpu(buf[1]);
++ c->u.ibendport.port = port;
+
+ rc = context_read_and_validate(&c->context[0],
+ p,
+@@ -2262,7 +2276,8 @@ static int ocontext_read(struct policydb
+ if (rc)
+ goto out;
+ break;
+- }
++ } /* end case */
++ } /* end switch */
+ }
+ }
+ rc = 0;
+@@ -3105,6 +3120,7 @@ static int ocontext_write(struct policyd
+ {
+ unsigned int i, j, rc;
+ size_t nel, len;
++ __be64 prefixbuf[1];
+ __le32 buf[3];
+ u32 nodebuf[8];
+ struct ocontext *c;
+@@ -3192,12 +3208,17 @@ static int ocontext_write(struct policyd
+ return rc;
+ break;
+ case OCON_IBPKEY:
+- *((__be64 *)nodebuf) = cpu_to_be64(c->u.ibpkey.subnet_prefix);
++ /* subnet_prefix is in CPU order */
++ prefixbuf[0] = cpu_to_be64(c->u.ibpkey.subnet_prefix);
+
+- nodebuf[2] = cpu_to_le32(c->u.ibpkey.low_pkey);
+- nodebuf[3] = cpu_to_le32(c->u.ibpkey.high_pkey);
++ rc = put_entry(prefixbuf, sizeof(u64), 1, fp);
++ if (rc)
++ return rc;
++
++ buf[0] = cpu_to_le32(c->u.ibpkey.low_pkey);
++ buf[1] = cpu_to_le32(c->u.ibpkey.high_pkey);
+
+- rc = put_entry(nodebuf, sizeof(u32), 4, fp);
++ rc = put_entry(buf, sizeof(u32), 2, fp);
+ if (rc)
+ return rc;
+ rc = context_write(p, &c->context[0], fp);
mm-hmm-mark-hmm_devmem_-add-add_resource-export_symbol_gpl.patch
mm-swap-fix-swapoff-with-ksm-pages.patch
media-cx23885-only-reset-dma-on-problematic-cpus.patch
+alsa-cs46xx-potential-null-dereference-in-probe.patch
+alsa-usb-audio-avoid-access-before-blength-check-in-build_audio_procunit.patch
+alsa-usb-audio-check-mixer-unit-descriptors-more-strictly.patch
+alsa-usb-audio-fix-an-out-of-bound-read-in-create_composite_quirks.patch
+alsa-usb-audio-always-check-descriptor-sizes-in-parser-code.patch
+srcu-lock-srcu_data-structure-in-srcu_gp_start.patch
+driver-core-add-missing-dev-bus-need_parent_lock-checks.patch
+fix-failure-path-in-alloc_pid.patch
+block-deactivate-blk_stat-timer-in-wbt_disable_default.patch
+block-mq-deadline-fix-write-completion-handling.patch
+dm-do-not-allow-readahead-to-limit-io-size.patch
+dlm-fixed-memory-leaks-after-failed-ls_remove_names-allocation.patch
+dlm-possible-memory-leak-on-error-path-in-create_lkb.patch
+dlm-lost-put_lkb-on-error-path-in-receive_convert-and-receive_unlock.patch
+dlm-memory-leaks-on-error-path-in-dlm_user_request.patch
+gfs2-get-rid-of-potential-double-freeing-in-gfs2_create_inode.patch
+gfs2-fix-loop-in-gfs2_rbm_find.patch
+b43-fix-error-in-cordic-routine.patch
+selinux-policydb-fix-byte-order-and-alignment-issues.patch
+pci-pm-allow-runtime-pm-without-callback-functions.patch
+lockd-show-pid-of-lockd-for-remote-locks.patch
+xprtrdma-yet-another-double-dma-unmap.patch
+nfsd4-zero-length-write-should-succeed.patch
--- /dev/null
+From eb4c2382272ae7ae5d81fdfa5b7a6c86146eaaa4 Mon Sep 17 00:00:00 2001
+From: Dennis Krein <Dennis.Krein@netapp.com>
+Date: Fri, 26 Oct 2018 07:38:24 -0700
+Subject: srcu: Lock srcu_data structure in srcu_gp_start()
+
+From: Dennis Krein <Dennis.Krein@netapp.com>
+
+commit eb4c2382272ae7ae5d81fdfa5b7a6c86146eaaa4 upstream.
+
+The srcu_gp_start() function is called with the srcu_struct structure's
+->lock held, but not with the srcu_data structure's ->lock. This is
+problematic because this function accesses and updates the srcu_data
+structure's ->srcu_cblist, which is protected by that lock. Failing to
+hold this lock can result in corruption of the SRCU callback lists,
+which in turn can result in arbitrarily bad results.
+
+This commit therefore makes srcu_gp_start() acquire the srcu_data
+structure's ->lock across the calls to rcu_segcblist_advance() and
+rcu_segcblist_accelerate(), thus preventing this corruption.
+
+Reported-by: Bart Van Assche <bvanassche@acm.org>
+Reported-by: Christoph Hellwig <hch@infradead.org>
+Reported-by: Sebastian Kuzminsky <seb.kuzminsky@gmail.com>
+Signed-off-by: Dennis Krein <Dennis.Krein@netapp.com>
+Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
+Tested-by: Dennis Krein <Dennis.Krein@netapp.com>
+Cc: <stable@vger.kernel.org> # 4.16.x
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/rcu/srcutree.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/rcu/srcutree.c
++++ b/kernel/rcu/srcutree.c
+@@ -451,10 +451,12 @@ static void srcu_gp_start(struct srcu_st
+
+ lockdep_assert_held(&ACCESS_PRIVATE(sp, lock));
+ WARN_ON_ONCE(ULONG_CMP_GE(sp->srcu_gp_seq, sp->srcu_gp_seq_needed));
++ spin_lock_rcu_node(sdp); /* Interrupts already disabled. */
+ rcu_segcblist_advance(&sdp->srcu_cblist,
+ rcu_seq_current(&sp->srcu_gp_seq));
+ (void)rcu_segcblist_accelerate(&sdp->srcu_cblist,
+ rcu_seq_snap(&sp->srcu_gp_seq));
++ spin_unlock_rcu_node(sdp); /* Interrupts remain disabled. */
+ smp_mb(); /* Order prior store to ->srcu_gp_seq_needed vs. GP start. */
+ rcu_seq_start(&sp->srcu_gp_seq);
+ state = rcu_seq_state(READ_ONCE(sp->srcu_gp_seq));
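Review bot: The new `spin_lock_rcu_node(sdp); /* Interrupts already disabled. */` states a precondition that the function only asserts for `sp`'s lock via `lockdep_assert_held`, not for the interrupt state; adding `lockdep_assert_irqs_disabled();` beside the existing assertion would let lockdep verify what the comment promises. Since the hunk now nests sdp's lock inside sp's, a brief comment recording that order (sp->lock, then sdp->lock) would also help keep other paths consistent, assuming no existing documentation covers it. srcu_gp_start starts before and ends after this hunk.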
--- /dev/null
+From e2f34e26710bfaa545a9d9cd0c70137406401467 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Wed, 19 Dec 2018 10:58:13 -0500
+Subject: xprtrdma: Yet another double DMA-unmap
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit e2f34e26710bfaa545a9d9cd0c70137406401467 upstream.
+
+While chasing yet another set of DMAR fault reports, I noticed that
+the frwr recycler conflates whether or not an MR has been DMA
+unmapped with frwr->fr_state. Actually the two have only an indirect
+relationship. It's in fact impossible to guess reliably whether the
+MR has been DMA unmapped based on its fr_state field, especially as
+the surrounding code and its assumptions have changed over time.
+
+A better approach is to track the DMA mapping status explicitly so
+that the recycler is less brittle to unexpected situations, and
+attempts to DMA-unmap a second time are prevented.
+
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Cc: stable@vger.kernel.org # v4.20
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/xprtrdma/frwr_ops.c | 6 ++++--
+ net/sunrpc/xprtrdma/verbs.c | 9 ++++++---
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+--- a/net/sunrpc/xprtrdma/frwr_ops.c
++++ b/net/sunrpc/xprtrdma/frwr_ops.c
+@@ -117,15 +117,15 @@ static void
+ frwr_mr_recycle_worker(struct work_struct *work)
+ {
+ struct rpcrdma_mr *mr = container_of(work, struct rpcrdma_mr, mr_recycle);
+- enum rpcrdma_frwr_state state = mr->frwr.fr_state;
+ struct rpcrdma_xprt *r_xprt = mr->mr_xprt;
+
+ trace_xprtrdma_mr_recycle(mr);
+
+- if (state != FRWR_FLUSHED_LI) {
++ if (mr->mr_dir != DMA_NONE) {
+ trace_xprtrdma_mr_unmap(mr);
+ ib_dma_unmap_sg(r_xprt->rx_ia.ri_device,
+ mr->mr_sg, mr->mr_nents, mr->mr_dir);
++ mr->mr_dir = DMA_NONE;
+ }
+
+ spin_lock(&r_xprt->rx_buf.rb_mrlock);
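Review bot: The unmap sequence — test `mr->mr_dir != DMA_NONE`, trace, `ib_dma_unmap_sg(...)`, reset `mr->mr_dir = DMA_NONE` — is now spelled out twice, here in frwr_mr_recycle_worker and again in the verbs.c hunk for rpcrdma_mr_unmap_and_put; a small helper holding those lines (placed where both files see it, e.g. as a static inline in the shared xprtrdma header) would keep the two copies from drifting apart. Note also that the check-then-clear on `mr_dir` is not atomic, so the guard only prevents a double unmap when the recycle worker and the unmap-and-put path cannot run on the same MR concurrently; a comment naming the lock or lifecycle rule that guarantees this would help. frwr_mr_recycle_worker continues past this hunk.
```c
/* Unmap an MR's scatterlist once; a no-op if it is already unmapped. */
static inline void rpcrdma_mr_dma_unmap(struct rpcrdma_xprt *r_xprt,
					struct rpcrdma_mr *mr)
{
	if (mr->mr_dir == DMA_NONE)
		return;
	trace_xprtrdma_mr_unmap(mr);
	ib_dma_unmap_sg(r_xprt->rx_ia.ri_device,
			mr->mr_sg, mr->mr_nents, mr->mr_dir);
	mr->mr_dir = DMA_NONE;
}

/* … unchanged: frwr_mr_recycle_worker locals and trace_xprtrdma_mr_recycle … */
	rpcrdma_mr_dma_unmap(r_xprt, mr);
/* … unchanged: rb_mrlock handling … */
```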
+@@ -150,6 +150,8 @@ frwr_op_init_mr(struct rpcrdma_ia *ia, s
+ if (!mr->mr_sg)
+ goto out_list_err;
+
++ frwr->fr_state = FRWR_IS_INVALID;
++ mr->mr_dir = DMA_NONE;
+ INIT_LIST_HEAD(&mr->mr_list);
+ INIT_WORK(&mr->mr_recycle, frwr_mr_recycle_worker);
+ sg_init_table(mr->mr_sg, depth);
+--- a/net/sunrpc/xprtrdma/verbs.c
++++ b/net/sunrpc/xprtrdma/verbs.c
+@@ -1329,9 +1329,12 @@ rpcrdma_mr_unmap_and_put(struct rpcrdma_
+ {
+ struct rpcrdma_xprt *r_xprt = mr->mr_xprt;
+
+- trace_xprtrdma_mr_unmap(mr);
+- ib_dma_unmap_sg(r_xprt->rx_ia.ri_device,
+- mr->mr_sg, mr->mr_nents, mr->mr_dir);
++ if (mr->mr_dir != DMA_NONE) {
++ trace_xprtrdma_mr_unmap(mr);
++ ib_dma_unmap_sg(r_xprt->rx_ia.ri_device,
++ mr->mr_sg, mr->mr_nents, mr->mr_dir);
++ mr->mr_dir = DMA_NONE;
++ }
+ __rpcrdma_mr_put(&r_xprt->rx_buf, mr);
+ }
+