--- /dev/null
+From 505b5240329b922f21f91d5b5d1e535c805eca6d Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Wed, 19 Dec 2018 18:00:15 -0600
+Subject: drm/ioctl: Fix Spectre v1 vulnerabilities
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 505b5240329b922f21f91d5b5d1e535c805eca6d upstream.
+
+nr is indirectly controlled by user-space, hence leading to a
+potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/gpu/drm/drm_ioctl.c:805 drm_ioctl() warn: potential spectre issue 'dev->driver->ioctls' [r]
+drivers/gpu/drm/drm_ioctl.c:810 drm_ioctl() warn: potential spectre issue 'drm_ioctls' [r] (local cap)
+drivers/gpu/drm/drm_ioctl.c:892 drm_ioctl_flags() warn: potential spectre issue 'drm_ioctls' [r] (local cap)
+
+Fix this by sanitizing nr before using it to index dev->driver->ioctls
+and drm_ioctls.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181220000015.GA18973@embeddedor
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_ioctl.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/drm_ioctl.c
++++ b/drivers/gpu/drm/drm_ioctl.c
+@@ -37,6 +37,7 @@
+
+ #include <linux/pci.h>
+ #include <linux/export.h>
++#include <linux/nospec.h>
+
+ /**
+ * DOC: getunique and setversion story
+@@ -794,13 +795,17 @@ long drm_ioctl(struct file *filp,
+
+ if (is_driver_ioctl) {
+ /* driver ioctl */
+- if (nr - DRM_COMMAND_BASE >= dev->driver->num_ioctls)
++ unsigned int index = nr - DRM_COMMAND_BASE;
++
++ if (index >= dev->driver->num_ioctls)
+ goto err_i1;
+- ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE];
++ index = array_index_nospec(index, dev->driver->num_ioctls);
++ ioctl = &dev->driver->ioctls[index];
+ } else {
+ /* core ioctl */
+ if (nr >= DRM_CORE_IOCTL_COUNT)
+ goto err_i1;
++ nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
+ ioctl = &drm_ioctls[nr];
+ }
+
+@@ -882,6 +887,7 @@ bool drm_ioctl_flags(unsigned int nr, un
+
+ if (nr >= DRM_CORE_IOCTL_COUNT)
+ return false;
++ nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
+
+ *flags = drm_ioctls[nr].flags;
+ return true;
--- /dev/null
+From d21ff5d7f8c397261e095393a1a8e199934720bc Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Fri, 21 Dec 2018 00:42:38 -0800
+Subject: Input: elantech - disable elan-i2c for P52 and P72
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+commit d21ff5d7f8c397261e095393a1a8e199934720bc upstream.
+
+The current implementation of elan_i2c is known to not support those
+2 laptops.
+
+A proper fix is to tweak both elantech and elan_i2c to transmit the
+correct information from PS/2, which would make a bad candidate for
+stable.
+
+So to give us some time for fixing the root of the problem, disable
+elan_i2c for the devices we know are not behaving properly.
+
+Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1803600
+Link: https://bugs.archlinux.org/task/59714
+Fixes: df077237cf55 Input: elantech - detect new ICs and setup Host Notify for them
+
+Cc: stable@vger.kernel.org # v4.18+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elantech.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -1767,6 +1767,18 @@ static int elantech_smbus = IS_ENABLED(C
+ module_param_named(elantech_smbus, elantech_smbus, int, 0644);
+ MODULE_PARM_DESC(elantech_smbus, "Use a secondary bus for the Elantech device.");
+
++static const char * const i2c_blacklist_pnp_ids[] = {
++ /*
++ * These are known to not be working properly as bits are missing
++ * in elan_i2c.
++ */
++ "LEN2131", /* ThinkPad P52 w/ NFC */
++ "LEN2132", /* ThinkPad P52 */
++ "LEN2133", /* ThinkPad P72 w/ NFC */
++ "LEN2134", /* ThinkPad P72 */
++ NULL
++};
++
+ static int elantech_create_smbus(struct psmouse *psmouse,
+ struct elantech_device_info *info,
+ bool leave_breadcrumbs)
+@@ -1802,10 +1814,12 @@ static int elantech_setup_smbus(struct p
+
+ if (elantech_smbus == ELANTECH_SMBUS_NOT_SET) {
+ /*
+- * New ICs are enabled by default.
++ * New ICs are enabled by default, unless mentioned in
++ * i2c_blacklist_pnp_ids.
+ * Old ICs are up to the user to decide.
+ */
+- if (!ETP_NEW_IC_SMBUS_HOST_NOTIFY(info->fw_version))
++ if (!ETP_NEW_IC_SMBUS_HOST_NOTIFY(info->fw_version) ||
++ psmouse_matches_pnp_id(psmouse, i2c_blacklist_pnp_ids))
+ return -ENXIO;
+ }
+
--- /dev/null
+From 68600f623d69da428c6163275f97ca126e1a8ec5 Mon Sep 17 00:00:00 2001
+From: Roman Gushchin <guro@fb.com>
+Date: Fri, 26 Oct 2018 15:03:27 -0700
+Subject: mm: don't miss the last page because of round-off error
+
+From: Roman Gushchin <guro@fb.com>
+
+commit 68600f623d69da428c6163275f97ca126e1a8ec5 upstream.
+
+I've noticed, that dying memory cgroups are often pinned in memory by a
+single pagecache page. Even under moderate memory pressure they sometimes
+stayed in such state for a long time. That looked strange.
+
+My investigation showed that the problem is caused by applying the LRU
+pressure balancing math:
+
+ scan = div64_u64(scan * fraction[lru], denominator),
+
+where
+
+ denominator = fraction[anon] + fraction[file] + 1.
+
+Because fraction[lru] is always less than denominator, if the initial scan
+size is 1, the result is always 0.
+
+This means the last page is not scanned and has
+no chances to be reclaimed.
+
+Fix this by rounding up the result of the division.
+
+In practice this change significantly improves the speed of dying cgroups
+reclaim.
+
+[guro@fb.com: prevent double calculation of DIV64_U64_ROUND_UP() arguments]
+ Link: http://lkml.kernel.org/r/20180829213311.GA13501@castle
+Link: http://lkml.kernel.org/r/20180827162621.30187-3-guro@fb.com
+Signed-off-by: Roman Gushchin <guro@fb.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Konstantin Khlebnikov <koct9i@gmail.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/math64.h | 3 +++
+ mm/vmscan.c | 6 ++++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/include/linux/math64.h
++++ b/include/linux/math64.h
+@@ -281,4 +281,7 @@ static inline u64 mul_u64_u32_div(u64 a,
+ }
+ #endif /* mul_u64_u32_div */
+
++#define DIV64_U64_ROUND_UP(ll, d) \
++ ({ u64 _tmp = (d); div64_u64((ll) + _tmp - 1, _tmp); })
++
+ #endif /* _LINUX_MATH64_H */
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -2456,9 +2456,11 @@ out:
+ /*
+ * Scan types proportional to swappiness and
+ * their relative recent reclaim efficiency.
++ * Make sure we don't miss the last page
++ * because of a round-off error.
+ */
+- scan = div64_u64(scan * fraction[file],
+- denominator);
++ scan = DIV64_U64_ROUND_UP(scan * fraction[file],
++ denominator);
+ break;
+ case SCAN_FILE:
+ case SCAN_ANON:
--- /dev/null
+From 2830bf6f05fb3e05bc4743274b806c821807a684 Mon Sep 17 00:00:00 2001
+From: Mikhail Zaslonko <zaslonko@linux.ibm.com>
+Date: Fri, 21 Dec 2018 14:30:46 -0800
+Subject: mm, memory_hotplug: initialize struct pages for the full memory section
+
+From: Mikhail Zaslonko <zaslonko@linux.ibm.com>
+
+commit 2830bf6f05fb3e05bc4743274b806c821807a684 upstream.
+
+If memory end is not aligned with the sparse memory section boundary,
+the mapping of such a section is only partly initialized. This may lead
+to VM_BUG_ON due to uninitialized struct page access from
+is_mem_section_removable() or test_pages_in_a_zone() function triggered
+by memory_hotplug sysfs handlers:
+
+Here are the the panic examples:
+ CONFIG_DEBUG_VM=y
+ CONFIG_DEBUG_VM_PGFLAGS=y
+
+ kernel parameter mem=2050M
+ --------------------------
+ page:000003d082008000 is uninitialized and poisoned
+ page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
+ Call Trace:
+ ( test_pages_in_a_zone+0xde/0x160)
+ show_valid_zones+0x5c/0x190
+ dev_attr_show+0x34/0x70
+ sysfs_kf_seq_show+0xc8/0x148
+ seq_read+0x204/0x480
+ __vfs_read+0x32/0x178
+ vfs_read+0x82/0x138
+ ksys_read+0x5a/0xb0
+ system_call+0xdc/0x2d8
+ Last Breaking-Event-Address:
+ test_pages_in_a_zone+0xde/0x160
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+ kernel parameter mem=3075M
+ --------------------------
+ page:000003d08300c000 is uninitialized and poisoned
+ page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
+ Call Trace:
+ ( is_mem_section_removable+0xb4/0x190)
+ show_mem_removable+0x9a/0xd8
+ dev_attr_show+0x34/0x70
+ sysfs_kf_seq_show+0xc8/0x148
+ seq_read+0x204/0x480
+ __vfs_read+0x32/0x178
+ vfs_read+0x82/0x138
+ ksys_read+0x5a/0xb0
+ system_call+0xdc/0x2d8
+ Last Breaking-Event-Address:
+ is_mem_section_removable+0xb4/0x190
+ Kernel panic - not syncing: Fatal exception: panic_on_oops
+
+Fix the problem by initializing the last memory section of each zone in
+memmap_init_zone() till the very end, even if it goes beyond the zone end.
+
+Michal said:
+
+: This has alwways been problem AFAIU. It just went unnoticed because we
+: have zeroed memmaps during allocation before f7f99100d8d9 ("mm: stop
+: zeroing memory during allocation in vmemmap") and so the above test
+: would simply skip these ranges as belonging to zone 0 or provided a
+: garbage.
+:
+: So I guess we do care for post f7f99100d8d9 kernels mostly and
+: therefore Fixes: f7f99100d8d9 ("mm: stop zeroing memory during
+: allocation in vmemmap")
+
+Link: http://lkml.kernel.org/r/20181212172712.34019-2-zaslonko@linux.ibm.com
+Fixes: f7f99100d8d9 ("mm: stop zeroing memory during allocation in vmemmap")
+Signed-off-by: Mikhail Zaslonko <zaslonko@linux.ibm.com>
+Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
+Suggested-by: Michal Hocko <mhocko@kernel.org>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reported-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+Cc: Pasha Tatashin <Pavel.Tatashin@microsoft.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page_alloc.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -5538,6 +5538,18 @@ not_early:
+ cond_resched();
+ }
+ }
++#ifdef CONFIG_SPARSEMEM
++ /*
++ * If the zone does not span the rest of the section then
++ * we should at least initialize those pages. Otherwise we
++ * could blow up on a poisoned page in some paths which depend
++ * on full sections being initialized (e.g. memory hotplug).
++ */
++ while (end_pfn % PAGES_PER_SECTION) {
++ __init_single_page(pfn_to_page(end_pfn), end_pfn, zone, nid);
++ end_pfn++;
++ }
++#endif
+ }
+
+ static void __meminit zone_init_free_lists(struct zone *zone)
--- /dev/null
+From 17e2e7d7e1b83fa324b3f099bfe426659aa3c2a4 Mon Sep 17 00:00:00 2001
+From: Oscar Salvador <osalvador@suse.de>
+Date: Fri, 21 Dec 2018 14:31:00 -0800
+Subject: mm, page_alloc: fix has_unmovable_pages for HugePages
+
+From: Oscar Salvador <osalvador@suse.de>
+
+commit 17e2e7d7e1b83fa324b3f099bfe426659aa3c2a4 upstream.
+
+While playing with gigantic hugepages and memory_hotplug, I triggered
+the following #PF when "cat memoryX/removable":
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+ #PF error: [normal kernel read fault]
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP PTI
+ CPU: 1 PID: 1481 Comm: cat Tainted: G E 4.20.0-rc6-mm1-1-default+ #18
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+ RIP: 0010:has_unmovable_pages+0x154/0x210
+ Call Trace:
+ is_mem_section_removable+0x7d/0x100
+ removable_show+0x90/0xb0
+ dev_attr_show+0x1c/0x50
+ sysfs_kf_seq_show+0xca/0x1b0
+ seq_read+0x133/0x380
+ __vfs_read+0x26/0x180
+ vfs_read+0x89/0x140
+ ksys_read+0x42/0x90
+ do_syscall_64+0x5b/0x180
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The reason is we do not pass the Head to page_hstate(), and so, the call
+to compound_order() in page_hstate() returns 0, so we end up checking
+all hstates's size to match PAGE_SIZE.
+
+Obviously, we do not find any hstate matching that size, and we return
+NULL. Then, we dereference that NULL pointer in
+hugepage_migration_supported() and we got the #PF from above.
+
+Fix that by getting the head page before calling page_hstate().
+
+Also, since gigantic pages span several pageblocks, re-adjust the logic
+for skipping pages. While are it, we can also get rid of the
+round_up().
+
+[osalvador@suse.de: remove round_up(), adjust skip pages logic per Michal]
+ Link: http://lkml.kernel.org/r/20181221062809.31771-1-osalvador@suse.de
+Link: http://lkml.kernel.org/r/20181217225113.17864-1-osalvador@suse.de
+Signed-off-by: Oscar Salvador <osalvador@suse.de>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Pavel Tatashin <pavel.tatashin@microsoft.com>
+Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page_alloc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -7716,11 +7716,14 @@ bool has_unmovable_pages(struct zone *zo
+ * handle each tail page individually in migration.
+ */
+ if (PageHuge(page)) {
++ struct page *head = compound_head(page);
++ unsigned int skip_pages;
+
+- if (!hugepage_migration_supported(page_hstate(page)))
++ if (!hugepage_migration_supported(page_hstate(head)))
+ goto unmovable;
+
+- iter = round_up(iter + 1, 1<<compound_order(page)) - 1;
++ skip_pages = (1 << compound_order(head)) - (page - head);
++ iter += skip_pages - 1;
+ continue;
+ }
+
--- /dev/null
+From 2e83ee1d8694a61d0d95a5b694f2e61e8dde8627 Mon Sep 17 00:00:00 2001
+From: Peter Xu <peterx@redhat.com>
+Date: Fri, 21 Dec 2018 14:30:50 -0800
+Subject: mm: thp: fix flags for pmd migration when split
+
+From: Peter Xu <peterx@redhat.com>
+
+commit 2e83ee1d8694a61d0d95a5b694f2e61e8dde8627 upstream.
+
+When splitting a huge migrating PMD, we'll transfer all the existing PMD
+bits and apply them again onto the small PTEs. However we are fetching
+the bits unconditionally via pmd_soft_dirty(), pmd_write() or
+pmd_yound() while actually they don't make sense at all when it's a
+migration entry. Fix them up. Since at it, drop the ifdef together as
+not needed.
+
+Note that if my understanding is correct about the problem then if
+without the patch there is chance to lose some of the dirty bits in the
+migrating pmd pages (on x86_64 we're fetching bit 11 which is part of
+swap offset instead of bit 2) and it could potentially corrupt the
+memory of an userspace program which depends on the dirty bit.
+
+Link: http://lkml.kernel.org/r/20181213051510.20306-1-peterx@redhat.com
+Signed-off-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Reviewed-by: William Kucharski <william.kucharski@oracle.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Dave Jiang <dave.jiang@intel.com>
+Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
+Cc: Souptick Joarder <jrdr.linux@gmail.com>
+Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Cc: Zi Yan <zi.yan@cs.rutgers.edu>
+Cc: <stable@vger.kernel.org> [4.14+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/huge_memory.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -2127,23 +2127,25 @@ static void __split_huge_pmd_locked(stru
+ */
+ old_pmd = pmdp_invalidate(vma, haddr, pmd);
+
+-#ifdef CONFIG_ARCH_ENABLE_THP_MIGRATION
+ pmd_migration = is_pmd_migration_entry(old_pmd);
+- if (pmd_migration) {
++ if (unlikely(pmd_migration)) {
+ swp_entry_t entry;
+
+ entry = pmd_to_swp_entry(old_pmd);
+ page = pfn_to_page(swp_offset(entry));
+- } else
+-#endif
++ write = is_write_migration_entry(entry);
++ young = false;
++ soft_dirty = pmd_swp_soft_dirty(old_pmd);
++ } else {
+ page = pmd_page(old_pmd);
++ if (pmd_dirty(old_pmd))
++ SetPageDirty(page);
++ write = pmd_write(old_pmd);
++ young = pmd_young(old_pmd);
++ soft_dirty = pmd_soft_dirty(old_pmd);
++ }
+ VM_BUG_ON_PAGE(!page_count(page), page);
+ page_ref_add(page, HPAGE_PMD_NR - 1);
+- if (pmd_dirty(old_pmd))
+- SetPageDirty(page);
+- write = pmd_write(old_pmd);
+- young = pmd_young(old_pmd);
+- soft_dirty = pmd_soft_dirty(old_pmd);
+
+ /*
+ * Withdraw the table only after we mark the pmd entry invalid.
--- /dev/null
+From ea5751ccd665a2fd1b24f9af81f6167f0718c5f6 Mon Sep 17 00:00:00 2001
+From: Ivan Delalande <colona@arista.com>
+Date: Thu, 13 Dec 2018 15:20:52 -0800
+Subject: proc/sysctl: don't return ENOMEM on lookup when a table is unregistering
+
+From: Ivan Delalande <colona@arista.com>
+
+commit ea5751ccd665a2fd1b24f9af81f6167f0718c5f6 upstream.
+
+proc_sys_lookup can fail with ENOMEM instead of ENOENT when the
+corresponding sysctl table is being unregistered. In our case we see
+this upon opening /proc/sys/net/*/conf files while network interfaces
+are being deleted, which confuses our configuration daemon.
+
+The problem was successfully reproduced and this fix tested on v4.9.122
+and v4.20-rc6.
+
+v2: return ERR_PTRs in all cases when proc_sys_make_inode fails instead
+of mixing them with NULL. Thanks Al Viro for the feedback.
+
+Fixes: ace0c791e6c3 ("proc/sysctl: Don't grab i_lock under sysctl_lock.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Delalande <colona@arista.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/proc_sysctl.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -464,7 +464,7 @@ static struct inode *proc_sys_make_inode
+
+ inode = new_inode(sb);
+ if (!inode)
+- goto out;
++ return ERR_PTR(-ENOMEM);
+
+ inode->i_ino = get_next_ino();
+
+@@ -474,8 +474,7 @@ static struct inode *proc_sys_make_inode
+ if (unlikely(head->unregistering)) {
+ spin_unlock(&sysctl_lock);
+ iput(inode);
+- inode = NULL;
+- goto out;
++ return ERR_PTR(-ENOENT);
+ }
+ ei->sysctl = head;
+ ei->sysctl_entry = table;
+@@ -500,7 +499,6 @@ static struct inode *proc_sys_make_inode
+ if (root->set_ownership)
+ root->set_ownership(head, table, &inode->i_uid, &inode->i_gid);
+
+-out:
+ return inode;
+ }
+
+@@ -549,10 +547,11 @@ static struct dentry *proc_sys_lookup(st
+ goto out;
+ }
+
+- err = ERR_PTR(-ENOMEM);
+ inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
+- if (!inode)
++ if (IS_ERR(inode)) {
++ err = ERR_CAST(inode);
+ goto out;
++ }
+
+ d_set_d_op(dentry, &proc_sys_dentry_operations);
+ err = d_splice_alias(inode, dentry);
+@@ -685,7 +684,7 @@ static bool proc_sys_fill_cache(struct f
+ if (d_in_lookup(child)) {
+ struct dentry *res;
+ inode = proc_sys_make_inode(dir->d_sb, head, table);
+- if (!inode) {
++ if (IS_ERR(inode)) {
+ d_lookup_done(child);
+ dput(child);
+ return false;
revert-mwifiex-restructure-rx_reorder_tbl_lock-usage.patch
iwlwifi-add-new-cards-for-9560-9462-9461-and-killer-series.patch
media-ov5640-fix-set-format-regression.patch
+mm-memory_hotplug-initialize-struct-pages-for-the-full-memory-section.patch
+mm-thp-fix-flags-for-pmd-migration-when-split.patch
+mm-page_alloc-fix-has_unmovable_pages-for-hugepages.patch
+mm-don-t-miss-the-last-page-because-of-round-off-error.patch
+input-elantech-disable-elan-i2c-for-p52-and-p72.patch
+proc-sysctl-don-t-return-enomem-on-lookup-when-a-table-is-unregistering.patch
+drm-ioctl-fix-spectre-v1-vulnerabilities.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
