4.11-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 12 Jun 2017 07:54:13 +0000 (09:54 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 12 Jun 2017 07:54:13 +0000 (09:54 +0200)
added patches:
arm-dts-keystone-k2l-fix-broken-ethernet-due-to-disabled-osr.patch
crypto-asymmetric_keys-handle-ebusy-due-to-backlog-correctly.patch
crypto-drbg-wait-for-crypto-op-not-signal-safe.patch
crypto-gcm-wait-for-crypto-op-not-signal-safe.patch
drm-amdgpu-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch
efi-bgrt-skip-efi_bgrt_init-in-case-of-non-efi-boot.patch
efi-don-t-issue-error-message-when-booted-under-xen.patch
gfs2-make-flush-bios-explicitely-sync.patch
keys-encrypted-avoid-encrypting-decrypting-stack-buffers.patch
keys-fix-dereferencing-null-payload-with-nonzero-length.patch
keys-fix-freeing-uninitialized-memory-in-key_update.patch
kthread-fix-use-after-free-if-kthread-fork-fails.patch
nfsd4-fix-null-dereference-on-replay.patch
ovl-fix-creds-leak-in-copy-up-error-path.patch

15 files changed:
queue-4.11/arm-dts-keystone-k2l-fix-broken-ethernet-due-to-disabled-osr.patch [new file with mode: 0644]
queue-4.11/crypto-asymmetric_keys-handle-ebusy-due-to-backlog-correctly.patch [new file with mode: 0644]
queue-4.11/crypto-drbg-wait-for-crypto-op-not-signal-safe.patch [new file with mode: 0644]
queue-4.11/crypto-gcm-wait-for-crypto-op-not-signal-safe.patch [new file with mode: 0644]
queue-4.11/drm-amdgpu-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch [new file with mode: 0644]
queue-4.11/efi-bgrt-skip-efi_bgrt_init-in-case-of-non-efi-boot.patch [new file with mode: 0644]
queue-4.11/efi-don-t-issue-error-message-when-booted-under-xen.patch [new file with mode: 0644]
queue-4.11/gfs2-make-flush-bios-explicitely-sync.patch [new file with mode: 0644]
queue-4.11/keys-encrypted-avoid-encrypting-decrypting-stack-buffers.patch [new file with mode: 0644]
queue-4.11/keys-fix-dereferencing-null-payload-with-nonzero-length.patch [new file with mode: 0644]
queue-4.11/keys-fix-freeing-uninitialized-memory-in-key_update.patch [new file with mode: 0644]
queue-4.11/kthread-fix-use-after-free-if-kthread-fork-fails.patch [new file with mode: 0644]
queue-4.11/nfsd4-fix-null-dereference-on-replay.patch [new file with mode: 0644]
queue-4.11/ovl-fix-creds-leak-in-copy-up-error-path.patch [new file with mode: 0644]
queue-4.11/series

diff --git a/queue-4.11/arm-dts-keystone-k2l-fix-broken-ethernet-due-to-disabled-osr.patch b/queue-4.11/arm-dts-keystone-k2l-fix-broken-ethernet-due-to-disabled-osr.patch
new file mode 100644 (file)
index 0000000..ddf3bb7
--- /dev/null
@@ -0,0 +1,74 @@
+From 791229f1d530a0f0a680a4c09f98199792485f33 Mon Sep 17 00:00:00 2001
+From: Murali Karicheri <m-karicheri2@ti.com>
+Date: Wed, 29 Mar 2017 16:02:18 +0530
+Subject: ARM: dts: keystone-k2l: fix broken Ethernet due to disabled OSR
+
+From: Murali Karicheri <m-karicheri2@ti.com>
+
+commit 791229f1d530a0f0a680a4c09f98199792485f33 upstream.
+
+Ethernet networking on K2L has been broken since v4.11-rc1. This was
+caused by commit 32a34441a9bd ("ARM: keystone: dts: fix netcp clocks
+and add names"). This commit inadvertently moves on-chip static RAM
+clock to the end of list of clocks provided for netcp. Since keystone
+PM domain support does not have a list of recognized con_ids, only the
+first clock in the list comes under runtime PM management. This means
+the OSR (On-chip Static RAM) clock remains disabled and that broke
+networking on K2L.
+
+The OSR is used by QMSS on K2L as an external linking RAM. However this
+is a standalone RAM that can be used for non-QMSS usage (as well as from
+DSP side). So add a SRAM device node for the same and add the OSR clock
+to the node.
+
+Remove the now redundant OSR clock node from netcp.
+
+To manage all clocks defined for netCP's use by runtime PM needs keystone
+generic power domain (genpd) driver support which is under works.
+Meanwhile, this patch restores K2L networking and is correct irrespective
+of any future genpd work since OSR is an independent module and not part
+of NetCP anyway.
+
+Signed-off-by: Murali Karicheri <m-karicheri2@ti.com>
+Acked-by: Tero Kristo <t-kristo@ti.com>
+[nsekhar@ti.com: commit message updates, port to latest mainline]
+Signed-off-by: Sekhar Nori <nsekhar@ti.com>
+Acked-by: Santosh Shilimkar <ssantosh@kernel.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/keystone-k2l-netcp.dtsi |    4 ++--
+ arch/arm/boot/dts/keystone-k2l.dtsi       |    8 ++++++++
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/keystone-k2l-netcp.dtsi
++++ b/arch/arm/boot/dts/keystone-k2l-netcp.dtsi
+@@ -137,8 +137,8 @@ netcp: netcp@26000000 {
+       /* NetCP address range */
+       ranges = <0 0x26000000 0x1000000>;
+-      clocks = <&clkpa>, <&clkcpgmac>, <&chipclk12>, <&clkosr>;
+-      clock-names = "pa_clk", "ethss_clk", "cpts", "osr_clk";
++      clocks = <&clkpa>, <&clkcpgmac>, <&chipclk12>;
++      clock-names = "pa_clk", "ethss_clk", "cpts";
+       dma-coherent;
+       ti,navigator-dmas = <&dma_gbe 0>,
+--- a/arch/arm/boot/dts/keystone-k2l.dtsi
++++ b/arch/arm/boot/dts/keystone-k2l.dtsi
+@@ -232,6 +232,14 @@
+                       };
+               };
++              osr: sram@70000000 {
++                      compatible = "mmio-sram";
++                      reg = <0x70000000 0x10000>;
++                      #address-cells = <1>;
++                      #size-cells = <1>;
++                      clocks = <&clkosr>;
++              };
++
+               dspgpio0: keystone_dsp_gpio@02620240 {
+                       compatible = "ti,keystone-dsp-gpio";
+                       gpio-controller;
diff --git a/queue-4.11/crypto-asymmetric_keys-handle-ebusy-due-to-backlog-correctly.patch b/queue-4.11/crypto-asymmetric_keys-handle-ebusy-due-to-backlog-correctly.patch
new file mode 100644 (file)
index 0000000..391926a
--- /dev/null
@@ -0,0 +1,36 @@
+From e68368aed56324e2e38d4f6b044bb8cf82077fc2 Mon Sep 17 00:00:00 2001
+From: Gilad Ben-Yossef <gilad@benyossef.com>
+Date: Thu, 18 May 2017 16:29:23 +0300
+Subject: crypto: asymmetric_keys - handle EBUSY due to backlog correctly
+
+From: Gilad Ben-Yossef <gilad@benyossef.com>
+
+commit e68368aed56324e2e38d4f6b044bb8cf82077fc2 upstream.
+
+public_key_verify_signature() was passing the CRYPTO_TFM_REQ_MAY_BACKLOG
+flag to akcipher_request_set_callback() but was not handling correctly
+the case where a -EBUSY error could be returned from the call to
+crypto_akcipher_verify() if backlog was used, possibly casuing
+data corruption due to use-after-free of buffers.
+
+Resolve this by handling -EBUSY correctly.
+
+Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/asymmetric_keys/public_key.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/asymmetric_keys/public_key.c
++++ b/crypto/asymmetric_keys/public_key.c
+@@ -141,7 +141,7 @@ int public_key_verify_signature(const st
+        * signature and returns that to us.
+        */
+       ret = crypto_akcipher_verify(req);
+-      if (ret == -EINPROGRESS) {
++      if ((ret == -EINPROGRESS) || (ret == -EBUSY)) {
+               wait_for_completion(&compl.completion);
+               ret = compl.err;
+       }
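Review bot: The new test `if ((ret == -EINPROGRESS) || (ret == -EBUSY))` wraps each comparison in redundant parentheses; the drbg and gcm patches queued in this same commit write the identical check as `if (ret == -EINPROGRESS || ret == -EBUSY)`, which is also the usual kernel form. Because -EBUSY only means "queued on the backlog" when CRYPTO_TFM_REQ_MAY_BACKLOG is set on the request, which the changelog says this function does, a one-line comment above the wait such as `/* -EBUSY means queued on the backlog (MAY_BACKLOG is set); the callback completes it */` would stop a later cleanup from dropping the flag and turning this into a wait that never completes. public_key_verify_signature's body starts and ends outside the hunk.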
diff --git a/queue-4.11/crypto-drbg-wait-for-crypto-op-not-signal-safe.patch b/queue-4.11/crypto-drbg-wait-for-crypto-op-not-signal-safe.patch
new file mode 100644 (file)
index 0000000..ef62b9c
--- /dev/null
@@ -0,0 +1,39 @@
+From a5dfefb1c3f3db81662556393fd9283511e08430 Mon Sep 17 00:00:00 2001
+From: Gilad Ben-Yossef <gilad@benyossef.com>
+Date: Thu, 18 May 2017 16:29:24 +0300
+Subject: crypto: drbg - wait for crypto op not signal safe
+
+From: Gilad Ben-Yossef <gilad@benyossef.com>
+
+commit a5dfefb1c3f3db81662556393fd9283511e08430 upstream.
+
+drbg_kcapi_sym_ctr() was using wait_for_completion_interruptible() to
+wait for completion of async crypto op but if a signal occurs it
+may return before DMA ops of HW crypto provider finish, thus
+corrupting the output buffer.
+
+Resolve this by using wait_for_completion() instead.
+
+Reported-by: Eric Biggers <ebiggers3@gmail.com>
+Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/drbg.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/crypto/drbg.c
++++ b/crypto/drbg.c
+@@ -1768,9 +1768,8 @@ static int drbg_kcapi_sym_ctr(struct drb
+                       break;
+               case -EINPROGRESS:
+               case -EBUSY:
+-                      ret = wait_for_completion_interruptible(
+-                              &drbg->ctr_completion);
+-                      if (!ret && !drbg->ctr_async_err) {
++                      wait_for_completion(&drbg->ctr_completion);
++                      if (!drbg->ctr_async_err) {
+                               reinit_completion(&drbg->ctr_completion);
+                               break;
+                       }
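Review bot: After the new `wait_for_completion(&drbg->ctr_completion);` the code only tests `drbg->ctr_async_err` and never copies it into `ret`, so if the path that falls out of the `if` (outside this hunk) reports `ret`, the caller receives -EINPROGRESS or -EBUSY rather than the error the completion callback recorded. Consider `ret = drbg->ctr_async_err;` immediately after the wait, or reporting `drbg->ctr_async_err` explicitly on that path. The enclosing switch and drbg_kcapi_sym_ctr's body both extend outside the hunk, so this is inferred from the visible lines only.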
diff --git a/queue-4.11/crypto-gcm-wait-for-crypto-op-not-signal-safe.patch b/queue-4.11/crypto-gcm-wait-for-crypto-op-not-signal-safe.patch
new file mode 100644 (file)
index 0000000..2d5dfbd
--- /dev/null
@@ -0,0 +1,40 @@
+From f3ad587070d6bd961ab942b3fd7a85d00dfc934b Mon Sep 17 00:00:00 2001
+From: Gilad Ben-Yossef <gilad@benyossef.com>
+Date: Thu, 18 May 2017 16:29:25 +0300
+Subject: crypto: gcm - wait for crypto op not signal safe
+
+From: Gilad Ben-Yossef <gilad@benyossef.com>
+
+commit f3ad587070d6bd961ab942b3fd7a85d00dfc934b upstream.
+
+crypto_gcm_setkey() was using wait_for_completion_interruptible() to
+wait for completion of async crypto op but if a signal occurs it
+may return before DMA ops of HW crypto provider finish, thus
+corrupting the data buffer that is kfree'ed in this case.
+
+Resolve this by using wait_for_completion() instead.
+
+Reported-by: Eric Biggers <ebiggers3@gmail.com>
+Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/gcm.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/crypto/gcm.c
++++ b/crypto/gcm.c
+@@ -152,10 +152,8 @@ static int crypto_gcm_setkey(struct cryp
+       err = crypto_skcipher_encrypt(&data->req);
+       if (err == -EINPROGRESS || err == -EBUSY) {
+-              err = wait_for_completion_interruptible(
+-                      &data->result.completion);
+-              if (!err)
+-                      err = data->result.err;
++              wait_for_completion(&data->result.completion);
++              err = data->result.err;
+       }
+       if (err)
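Review bot: The switch to `wait_for_completion(&data->result.completion);` is unexplained in the code, and the reason it must not be interruptible (the request still owns data's buffers and a hardware provider may still be writing them when a signal arrives, per the changelog) is exactly what the next engineer touching crypto_gcm_setkey needs before "fixing" it back. Suggest a comment above the wait: `/* Must not be interruptible: an in-flight request may still write data's buffers */`. The same comment is warranted at the equivalent change in crypto/drbg.c in this series. crypto_gcm_setkey continues outside the hunk.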
diff --git a/queue-4.11/drm-amdgpu-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch b/queue-4.11/drm-amdgpu-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch
new file mode 100644 (file)
index 0000000..16d2411
--- /dev/null
@@ -0,0 +1,42 @@
+From 0a646f331db0eb9efc8d3a95a44872036d441d58 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Thu, 11 May 2017 13:10:02 -0400
+Subject: drm/amdgpu/ci: disable mclk switching for high refresh rates (v2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 0a646f331db0eb9efc8d3a95a44872036d441d58 upstream.
+
+Even if the vblank period would allow it, it still seems to
+be problematic on some cards.
+
+v2: fix logic inversion (Nils)
+
+bug: https://bugs.freedesktop.org/show_bug.cgi?id=96868
+
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/ci_dpm.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/ci_dpm.c
++++ b/drivers/gpu/drm/amd/amdgpu/ci_dpm.c
+@@ -906,6 +906,12 @@ static bool ci_dpm_vblank_too_short(stru
+       u32 vblank_time = amdgpu_dpm_get_vblank_time(adev);
+       u32 switch_limit = adev->mc.vram_type == AMDGPU_VRAM_TYPE_GDDR5 ? 450 : 300;
++      /* disable mclk switching if the refresh is >120Hz, even if the
++       * blanking period would allow it
++       */
++      if (amdgpu_dpm_get_vrefresh(adev) > 120)
++              return true;
++
+       if (vblank_time < switch_limit)
+               return true;
+       else
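Review bot: The cut-off in `if (amdgpu_dpm_get_vrefresh(adev) > 120)` is a bare literal, like the 450/300 limits on the line above it; a named constant, or at least extending the existing comment with the unit and why 120 was chosen (the changelog only points at the bug entry), would make the threshold discoverable. The comment block already records the intent, so this is purely a point of style. ci_dpm_vblank_too_short continues outside the hunk.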
diff --git a/queue-4.11/efi-bgrt-skip-efi_bgrt_init-in-case-of-non-efi-boot.patch b/queue-4.11/efi-bgrt-skip-efi_bgrt_init-in-case-of-non-efi-boot.patch
new file mode 100644 (file)
index 0000000..8cf3eef
--- /dev/null
@@ -0,0 +1,60 @@
+From 7425826f4f7ac60f2538b06a7f0a5d1006405159 Mon Sep 17 00:00:00 2001
+From: Dave Young <dyoung@redhat.com>
+Date: Fri, 26 May 2017 12:36:51 +0100
+Subject: efi/bgrt: Skip efi_bgrt_init() in case of non-EFI boot
+
+From: Dave Young <dyoung@redhat.com>
+
+commit 7425826f4f7ac60f2538b06a7f0a5d1006405159 upstream.
+
+Sabrina Dubroca reported an early panic:
+
+  BUG: unable to handle kernel paging request at ffffffffff240001
+  IP: efi_bgrt_init+0xdc/0x134
+
+  [...]
+
+  ---[ end Kernel panic - not syncing: Attempted to kill the idle task!
+
+... which was introduced by:
+
+  7b0a911478c7 ("efi/x86: Move the EFI BGRT init code to early init code")
+
+The cause is that on this machine the firmware provides the EFI ACPI BGRT
+table even on legacy non-EFI bootups - which table should be EFI only.
+
+The garbage BGRT data causes the efi_bgrt_init() panic.
+
+Add a check to skip efi_bgrt_init() in case non-EFI bootup to work around
+this firmware bug.
+
+Tested-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Dave Young <dyoung@redhat.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Fixes: 7b0a911478c7 ("efi/x86: Move the EFI BGRT init code to early init code")
+Link: http://lkml.kernel.org/r/20170526113652.21339-6-matt@codeblueprint.co.uk
+[ Rewrote the changelog to be more readable. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/platform/efi/efi-bgrt.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/platform/efi/efi-bgrt.c
++++ b/arch/x86/platform/efi/efi-bgrt.c
+@@ -36,6 +36,9 @@ void __init efi_bgrt_init(struct acpi_ta
+       if (acpi_disabled)
+               return;
++      if (!efi_enabled(EFI_BOOT))
++              return;
++
+       if (table->length < sizeof(bgrt_tab)) {
+               pr_notice("Ignoring BGRT: invalid length %u (expected %zu)\n",
+                      table->length, sizeof(bgrt_tab));
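Review bot: The new `if (!efi_enabled(EFI_BOOT)) return;` carries none of the context from the changelog, and unlike the length check that follows it returns silently; a comment such as `/* Some firmware exposes a BGRT table on legacy (non-EFI) boots; its contents are not usable there, so bail out early */` records why the check exists. Returning silently seems right, since logging on every non-EFI boot would be noise. efi_bgrt_init's body continues past the hunk.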
diff --git a/queue-4.11/efi-don-t-issue-error-message-when-booted-under-xen.patch b/queue-4.11/efi-don-t-issue-error-message-when-booted-under-xen.patch
new file mode 100644 (file)
index 0000000..b6d1aca
--- /dev/null
@@ -0,0 +1,41 @@
+From 1ea34adb87c969b89dfd83f1905a79161e9ada26 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Fri, 26 May 2017 12:36:47 +0100
+Subject: efi: Don't issue error message when booted under Xen
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 1ea34adb87c969b89dfd83f1905a79161e9ada26 upstream.
+
+When booted as Xen dom0 there won't be an EFI memmap allocated. Avoid
+issuing an error message in this case:
+
+  [    0.144079] efi: Failed to allocate new EFI memmap
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20170526113652.21339-2-matt@codeblueprint.co.uk
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/platform/efi/quirks.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/platform/efi/quirks.c
++++ b/arch/x86/platform/efi/quirks.c
+@@ -358,6 +358,9 @@ void __init efi_free_boot_services(void)
+               free_bootmem_late(start, size);
+       }
++      if (!num_entries)
++              return;
++
+       new_size = efi.memmap.desc_size * num_entries;
+       new_phys = efi_memmap_alloc(num_entries);
+       if (!new_phys) {
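Review bot: `if (!num_entries) return;` sits after the loop that has already freed the boot-services regions and before `efi_memmap_alloc(num_entries)`, so it skips everything from the allocation onward; if the code past the hunk also installs the new map or releases the old one, that no longer happens for the zero-entry case, which the changelog says is Xen dom0. A comment such as `/* No EFI memmap to rebuild (e.g. Xen dom0): nothing left to do */` would make the early exit self-explanatory. efi_free_boot_services continues outside the hunk.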
diff --git a/queue-4.11/gfs2-make-flush-bios-explicitely-sync.patch b/queue-4.11/gfs2-make-flush-bios-explicitely-sync.patch
new file mode 100644 (file)
index 0000000..476e1ab
--- /dev/null
@@ -0,0 +1,41 @@
+From 0f0b9b63e14fc3f66e4d342df016c9b071c5abed Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 2 May 2017 13:14:13 +0200
+Subject: gfs2: Make flush bios explicitely sync
+
+From: Jan Kara <jack@suse.cz>
+
+commit 0f0b9b63e14fc3f66e4d342df016c9b071c5abed upstream.
+
+Commit b685d3d65ac7 "block: treat REQ_FUA and REQ_PREFLUSH as
+synchronous" removed REQ_SYNC flag from WRITE_{FUA|PREFLUSH|...}
+definitions.  generic_make_request_checks() however strips REQ_FUA and
+REQ_PREFLUSH flags from a bio when the storage doesn't report volatile
+write cache and thus write effectively becomes asynchronous which can
+lead to performance regressions
+
+Fix the problem by making sure all bios which are synchronous are
+properly marked with REQ_SYNC.
+
+Fixes: b685d3d65ac791406e0dfd8779cc9b3707fea5a3
+CC: Steven Whitehouse <swhiteho@redhat.com>
+CC: cluster-devel@redhat.com
+Acked-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/log.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/gfs2/log.c
++++ b/fs/gfs2/log.c
+@@ -659,7 +659,7 @@ static void log_write_header(struct gfs2
+       struct gfs2_log_header *lh;
+       unsigned int tail;
+       u32 hash;
+-      int op_flags = REQ_PREFLUSH | REQ_FUA | REQ_META;
++      int op_flags = REQ_PREFLUSH | REQ_FUA | REQ_META | REQ_SYNC;
+       struct page *page = mempool_alloc(gfs2_page_pool, GFP_NOIO);
+       enum gfs2_freeze_state state = atomic_read(&sdp->sd_freeze_state);
+       lh = page_address(page);
diff --git a/queue-4.11/keys-encrypted-avoid-encrypting-decrypting-stack-buffers.patch b/queue-4.11/keys-encrypted-avoid-encrypting-decrypting-stack-buffers.patch
new file mode 100644 (file)
index 0000000..6ddc3a1
--- /dev/null
@@ -0,0 +1,104 @@
+From e9ff56ac352446f55141aaef1553cee662b2e310 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 8 Jun 2017 14:48:10 +0100
+Subject: KEYS: encrypted: avoid encrypting/decrypting stack buffers
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit e9ff56ac352446f55141aaef1553cee662b2e310 upstream.
+
+Since v4.9, the crypto API cannot (normally) be used to encrypt/decrypt
+stack buffers because the stack may be virtually mapped.  Fix this for
+the padding buffers in encrypted-keys by using ZERO_PAGE for the
+encryption padding and by allocating a temporary heap buffer for the
+decryption padding.
+
+Tested with CONFIG_DEBUG_SG=y:
+       keyctl new_session
+       keyctl add user master "abcdefghijklmnop" @s
+       keyid=$(keyctl add encrypted desc "new user:master 25" @s)
+       datablob="$(keyctl pipe $keyid)"
+       keyctl unlink $keyid
+       keyid=$(keyctl add encrypted desc "load $datablob" @s)
+       datablob2="$(keyctl pipe $keyid)"
+       [ "$datablob" = "$datablob2" ] && echo "Success!"
+
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/encrypted-keys/encrypted.c |   17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/security/keys/encrypted-keys/encrypted.c
++++ b/security/keys/encrypted-keys/encrypted.c
+@@ -480,12 +480,9 @@ static int derived_key_encrypt(struct en
+       struct skcipher_request *req;
+       unsigned int encrypted_datalen;
+       u8 iv[AES_BLOCK_SIZE];
+-      unsigned int padlen;
+-      char pad[16];
+       int ret;
+       encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
+-      padlen = encrypted_datalen - epayload->decrypted_datalen;
+       req = init_skcipher_req(derived_key, derived_keylen);
+       ret = PTR_ERR(req);
+@@ -493,11 +490,10 @@ static int derived_key_encrypt(struct en
+               goto out;
+       dump_decrypted_data(epayload);
+-      memset(pad, 0, sizeof pad);
+       sg_init_table(sg_in, 2);
+       sg_set_buf(&sg_in[0], epayload->decrypted_data,
+                  epayload->decrypted_datalen);
+-      sg_set_buf(&sg_in[1], pad, padlen);
++      sg_set_page(&sg_in[1], ZERO_PAGE(0), AES_BLOCK_SIZE, 0);
+       sg_init_table(sg_out, 1);
+       sg_set_buf(sg_out, epayload->encrypted_data, encrypted_datalen);
+@@ -584,9 +580,14 @@ static int derived_key_decrypt(struct en
+       struct skcipher_request *req;
+       unsigned int encrypted_datalen;
+       u8 iv[AES_BLOCK_SIZE];
+-      char pad[16];
++      u8 *pad;
+       int ret;
++      /* Throwaway buffer to hold the unused zero padding at the end */
++      pad = kmalloc(AES_BLOCK_SIZE, GFP_KERNEL);
++      if (!pad)
++              return -ENOMEM;
++
+       encrypted_datalen = roundup(epayload->decrypted_datalen, blksize);
+       req = init_skcipher_req(derived_key, derived_keylen);
+       ret = PTR_ERR(req);
+@@ -594,13 +595,12 @@ static int derived_key_decrypt(struct en
+               goto out;
+       dump_encrypted_data(epayload, encrypted_datalen);
+-      memset(pad, 0, sizeof pad);
+       sg_init_table(sg_in, 1);
+       sg_init_table(sg_out, 2);
+       sg_set_buf(sg_in, epayload->encrypted_data, encrypted_datalen);
+       sg_set_buf(&sg_out[0], epayload->decrypted_data,
+                  epayload->decrypted_datalen);
+-      sg_set_buf(&sg_out[1], pad, sizeof pad);
++      sg_set_buf(&sg_out[1], pad, AES_BLOCK_SIZE);
+       memcpy(iv, epayload->iv, sizeof(iv));
+       skcipher_request_set_crypt(req, sg_in, sg_out, encrypted_datalen, iv);
+@@ -612,6 +612,7 @@ static int derived_key_decrypt(struct en
+               goto out;
+       dump_decrypted_data(epayload);
+ out:
++      kfree(pad);
+       return ret;
+ }
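Review bot: The heap buffer from `pad = kmalloc(AES_BLOCK_SIZE, GFP_KERNEL);` receives the decrypted trailing block via `sg_set_buf(&sg_out[1], pad, AES_BLOCK_SIZE)` and is released with plain `kfree(pad)` at `out:`; since it holds decryptor output from a key payload, `kzfree(pad)` would clear it before the allocator hands the memory out again, and if the file already zeroes its other payload buffers on free (likely, but not visible here) that would also be consistent with them. On the encrypt side `sg_set_page(&sg_in[1], ZERO_PAGE(0), AES_BLOCK_SIZE, 0)` supplies a fixed AES_BLOCK_SIZE of zero padding where `padlen` was previously derived from `blksize`, which is only sufficient while `blksize` does not exceed AES_BLOCK_SIZE; presumably true, but worth a one-line comment at that call. Both derived_key_encrypt and derived_key_decrypt extend outside the hunks.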
diff --git a/queue-4.11/keys-fix-dereferencing-null-payload-with-nonzero-length.patch b/queue-4.11/keys-fix-dereferencing-null-payload-with-nonzero-length.patch
new file mode 100644 (file)
index 0000000..eeec235
--- /dev/null
@@ -0,0 +1,48 @@
+From 5649645d725c73df4302428ee4e02c869248b4c5 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 8 Jun 2017 14:48:40 +0100
+Subject: KEYS: fix dereferencing NULL payload with nonzero length
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 5649645d725c73df4302428ee4e02c869248b4c5 upstream.
+
+sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl() allowed a
+NULL payload with nonzero length to be passed to the key type's
+->preparse(), ->instantiate(), and/or ->update() methods.  Various key
+types including asymmetric, cifs.idmap, cifs.spnego, and pkcs7_test did
+not handle this case, allowing an unprivileged user to trivially cause a
+NULL pointer dereference (kernel oops) if one of these key types was
+present.  Fix it by doing the copy_from_user() when 'plen' is nonzero
+rather than when '_payload' is non-NULL, causing the syscall to fail
+with EFAULT as expected when an invalid buffer is specified.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/keyctl.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -99,7 +99,7 @@ SYSCALL_DEFINE5(add_key, const char __us
+       /* pull the payload in if one was supplied */
+       payload = NULL;
+-      if (_payload) {
++      if (plen) {
+               ret = -ENOMEM;
+               payload = kmalloc(plen, GFP_KERNEL | __GFP_NOWARN);
+               if (!payload) {
+@@ -329,7 +329,7 @@ long keyctl_update_key(key_serial_t id,
+       /* pull the payload in if one was supplied */
+       payload = NULL;
+-      if (_payload) {
++      if (plen) {
+               ret = -ENOMEM;
+               payload = kmalloc(plen, GFP_KERNEL);
+               if (!payload)
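Review bot: The comment `/* pull the payload in if one was supplied */` above the changed line still describes a pointer check while the condition is now `if (plen)`; updating it to `/* pull the payload in if a length was given; a NULL _payload with nonzero plen then fails in copy_from_user with EFAULT */` keeps the comment and the condition in step. The same stale comment sits above the second hunk in keyctl_update_key. Both sys_add_key and keyctl_update_key continue outside the hunks.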
diff --git a/queue-4.11/keys-fix-freeing-uninitialized-memory-in-key_update.patch b/queue-4.11/keys-fix-freeing-uninitialized-memory-in-key_update.patch
new file mode 100644 (file)
index 0000000..0cf2a18
--- /dev/null
@@ -0,0 +1,91 @@
+From 63a0b0509e700717a59f049ec6e4e04e903c7fe2 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 8 Jun 2017 14:48:47 +0100
+Subject: KEYS: fix freeing uninitialized memory in key_update()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 63a0b0509e700717a59f049ec6e4e04e903c7fe2 upstream.
+
+key_update() freed the key_preparsed_payload even if it was not
+initialized first.  This would cause a crash if userspace called
+keyctl_update() on a key with type like "asymmetric" that has a
+->preparse() method but not an ->update() method.  Possibly it could
+even be triggered for other key types by racing with keyctl_setperm() to
+make the KEY_NEED_WRITE check fail (the permission was already checked,
+so normally it wouldn't fail there).
+
+Reproducer with key type "asymmetric", given a valid cert.der:
+
+keyctl new_session
+keyid=$(keyctl padd asymmetric desc @s < cert.der)
+keyctl setperm $keyid 0x3f000000
+keyctl update $keyid data
+
+[  150.686666] BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
+[  150.687601] IP: asymmetric_key_free_kids+0x12/0x30
+[  150.688139] PGD 38a3d067
+[  150.688141] PUD 3b3de067
+[  150.688447] PMD 0
+[  150.688745]
+[  150.689160] Oops: 0000 [#1] SMP
+[  150.689455] Modules linked in:
+[  150.689769] CPU: 1 PID: 2478 Comm: keyctl Not tainted 4.11.0-rc4-xfstests-00187-ga9f6b6b8cd2f #742
+[  150.690916] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
+[  150.692199] task: ffff88003b30c480 task.stack: ffffc90000350000
+[  150.692952] RIP: 0010:asymmetric_key_free_kids+0x12/0x30
+[  150.693556] RSP: 0018:ffffc90000353e58 EFLAGS: 00010202
+[  150.694142] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000004
+[  150.694845] RDX: ffffffff81ee3920 RSI: ffff88003d4b0700 RDI: 0000000000000001
+[  150.697569] RBP: ffffc90000353e60 R08: ffff88003d5d2140 R09: 0000000000000000
+[  150.702483] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
+[  150.707393] R13: 0000000000000004 R14: ffff880038a4d2d8 R15: 000000000040411f
+[  150.709720] FS:  00007fcbcee35700(0000) GS:ffff88003fd00000(0000) knlGS:0000000000000000
+[  150.711504] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  150.712733] CR2: 0000000000000001 CR3: 0000000039eab000 CR4: 00000000003406e0
+[  150.714487] Call Trace:
+[  150.714975]  asymmetric_key_free_preparse+0x2f/0x40
+[  150.715907]  key_update+0xf7/0x140
+[  150.716560]  ? key_default_cmp+0x20/0x20
+[  150.717319]  keyctl_update_key+0xb0/0xe0
+[  150.718066]  SyS_keyctl+0x109/0x130
+[  150.718663]  entry_SYSCALL_64_fastpath+0x1f/0xc2
+[  150.719440] RIP: 0033:0x7fcbce75ff19
+[  150.719926] RSP: 002b:00007ffd5d167088 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
+[  150.720918] RAX: ffffffffffffffda RBX: 0000000000404d80 RCX: 00007fcbce75ff19
+[  150.721874] RDX: 00007ffd5d16785e RSI: 000000002866cd36 RDI: 0000000000000002
+[  150.722827] RBP: 0000000000000006 R08: 000000002866cd36 R09: 00007ffd5d16785e
+[  150.723781] R10: 0000000000000004 R11: 0000000000000206 R12: 0000000000404d80
+[  150.724650] R13: 00007ffd5d16784d R14: 00007ffd5d167238 R15: 000000000040411f
+[  150.725447] Code: 83 c4 08 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 85 ff 74 23 55 48 89 e5 53 48 89 fb <48> 8b 3f e8 06 21 c5 ff 48 8b 7b 08 e8 fd 20 c5 ff 48 89 df e8
+[  150.727489] RIP: asymmetric_key_free_kids+0x12/0x30 RSP: ffffc90000353e58
+[  150.728117] CR2: 0000000000000001
+[  150.728430] ---[ end trace f7f8fe1da2d5ae8d ]---
+
+Fixes: 4d8c0250b841 ("KEYS: Call ->free_preparse() even after ->preparse() returns an error")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/key.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -962,12 +962,11 @@ int key_update(key_ref_t key_ref, const
+       /* the key must be writable */
+       ret = key_permission(key_ref, KEY_NEED_WRITE);
+       if (ret < 0)
+-              goto error;
++              return ret;
+       /* attempt to update it if supported */
+-      ret = -EOPNOTSUPP;
+       if (!key->type->update)
+-              goto error;
++              return -EOPNOTSUPP;
+       memset(&prep, 0, sizeof(prep));
+       prep.data = payload;
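Review bot: The two new exits `return ret;` and `return -EOPNOTSUPP;` bypass the function's `error:` label deliberately, because `prep` is not initialised until the `memset` below them, but nothing in the code says so and the rest of key_update (outside the hunk) presumably still uses `goto error`; a comment on the first early return, `/* prep is not set up yet: do not go through error:, which calls ->free_preparse() */`, would stop someone from "normalising" these back to goto and reintroducing the bug. Whether `error:` performs any other cleanup that these returns now skip is not visible here. key_update continues outside the hunk.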
diff --git a/queue-4.11/kthread-fix-use-after-free-if-kthread-fork-fails.patch b/queue-4.11/kthread-fix-use-after-free-if-kthread-fork-fails.patch
new file mode 100644 (file)
index 0000000..4648660
--- /dev/null
@@ -0,0 +1,92 @@
+From 4d6501dce079c1eb6bf0b1d8f528a5e81770109e Mon Sep 17 00:00:00 2001
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Tue, 9 May 2017 09:39:59 +0200
+Subject: kthread: Fix use-after-free if kthread fork fails
+
+From: Vegard Nossum <vegard.nossum@oracle.com>
+
+commit 4d6501dce079c1eb6bf0b1d8f528a5e81770109e upstream.
+
+If a kthread forks (e.g. usermodehelper since commit 1da5c46fa965) but
+fails in copy_process() between calling dup_task_struct() and setting
+p->set_child_tid, then the value of p->set_child_tid will be inherited
+from the parent and get prematurely freed by free_kthread_struct().
+
+    kthread()
+     - worker_thread()
+        - process_one_work()
+        |  - call_usermodehelper_exec_work()
+        |     - kernel_thread()
+        |        - _do_fork()
+        |           - copy_process()
+        |              - dup_task_struct()
+        |                 - arch_dup_task_struct()
+        |                    - tsk->set_child_tid = current->set_child_tid // implied
+        |              - ...
+        |              - goto bad_fork_*
+        |              - ...
+        |              - free_task(tsk)
+        |                 - free_kthread_struct(tsk)
+        |                    - kfree(tsk->set_child_tid)
+        - ...
+        - schedule()
+           - __schedule()
+              - wq_worker_sleeping()
+                 - kthread_data(task)->flags // UAF
+
+The problem started showing up with commit 1da5c46fa965 since it reused
+->set_child_tid for the kthread worker data.
+
+A better long-term solution might be to get rid of the ->set_child_tid
+abuse. The comment in set_kthread_struct() also looks slightly wrong.
+
+Debugged-by: Jamie Iles <jamie.iles@oracle.com>
+Fixes: 1da5c46fa965 ("kthread: Make struct kthread kmalloc'ed")
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Jamie Iles <jamie.iles@oracle.com>
+Link: http://lkml.kernel.org/r/20170509073959.17858-1-vegard.nossum@oracle.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/fork.c |   17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1552,6 +1552,18 @@ static __latent_entropy struct task_stru
+       if (!p)
+               goto fork_out;
++      /*
++       * This _must_ happen before we call free_task(), i.e. before we jump
++       * to any of the bad_fork_* labels. This is to avoid freeing
++       * p->set_child_tid which is (ab)used as a kthread's data pointer for
++       * kernel threads (PF_KTHREAD).
++       */
++      p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
++      /*
++       * Clear TID on mm_release()?
++       */
++      p->clear_child_tid = (clone_flags & CLONE_CHILD_CLEARTID) ? child_tidptr : NULL;
++
+       ftrace_graph_init_task(p);
+       rt_mutex_init_task(p);
+@@ -1715,11 +1727,6 @@ static __latent_entropy struct task_stru
+               }
+       }
+-      p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
+-      /*
+-       * Clear TID on mm_release()?
+-       */
+-      p->clear_child_tid = (clone_flags & CLONE_CHILD_CLEARTID) ? child_tidptr : NULL;
+ #ifdef CONFIG_BLOCK
+       p->plug = NULL;
+ #endif
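Review bot: The new block comment above the moved `p->set_child_tid` assignment states that it must precede free_task() but not why a freshly duplicated task already holds a dangerous pointer, so the ordering constraint will read as arbitrary to the next maintainer. Suggested addition to that comment: `dup_task_struct() copies ->set_child_tid from the parent; for a PF_KTHREAD parent that is its struct kthread, which free_kthread_struct() would kfree() on any bad_fork_* path.` The fix is only complete if no free_task()-reaching label lies between dup_task_struct() and the new assignment; the hunk shows only `goto fork_out` in that window, which presumably does not free p, but the rest of copy_process() is outside this hunk. copy_process() begins and ends outside the hunk.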
diff --git a/queue-4.11/nfsd4-fix-null-dereference-on-replay.patch b/queue-4.11/nfsd4-fix-null-dereference-on-replay.patch
new file mode 100644 (file)
index 0000000..b9d972d
--- /dev/null
@@ -0,0 +1,82 @@
+From 9a307403d374b993061f5992a6e260c944920d0b Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Tue, 23 May 2017 12:24:40 -0400
+Subject: nfsd4: fix null dereference on replay
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit 9a307403d374b993061f5992a6e260c944920d0b upstream.
+
+if we receive a compound such that:
+
+       - the sessionid, slot, and sequence number in the SEQUENCE op
+         match a cached succesful reply with N ops, and
+       - the Nth operation of the compound is a PUTFH, PUTPUBFH,
+         PUTROOTFH, or RESTOREFH,
+
+then nfsd4_sequence will return 0 and set cstate->status to
+nfserr_replay_cache.  The current filehandle will not be set.  This will
+cause us to call check_nfsd_access with first argument NULL.
+
+To nfsd4_compound it looks like we just succesfully executed an
+operation that set a filehandle, but the current filehandle is not set.
+
+Fix this by moving the nfserr_replay_cache earlier.  There was never any
+reason to have it after the encode_op label, since the only case where
+he hit that is when opdesc->op_func sets it.
+
+Note that there are two ways we could hit this case:
+
+       - a client is resending a previously sent compound that ended
+         with one of the four PUTFH-like operations, or
+       - a client is sending a *new* compound that (incorrectly) shares
+         sessionid, slot, and sequence number with a previously sent
+         compound, and the length of the previously sent compound
+         happens to match the position of a PUTFH-like operation in the
+         new compound.
+
+The second is obviously incorrect client behavior.  The first is also
+very strange--the only purpose of a PUTFH-like operation is to set the
+current filehandle to be used by the following operation, so there's no
+point in having it as the last in a compound.
+
+So it's likely this requires a buggy or malicious client to reproduce.
+
+Reported-by: Scott Mayhew <smayhew@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4proc.c |   13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1769,6 +1769,12 @@ nfsd4_proc_compound(struct svc_rqst *rqs
+                       opdesc->op_get_currentstateid(cstate, &op->u);
+               op->status = opdesc->op_func(rqstp, cstate, &op->u);
++              /* Only from SEQUENCE */
++              if (cstate->status == nfserr_replay_cache) {
++                      dprintk("%s NFS4.1 replay from cache\n", __func__);
++                      status = op->status;
++                      goto out;
++              }
+               if (!op->status) {
+                       if (opdesc->op_set_currentstateid)
+                               opdesc->op_set_currentstateid(cstate, &op->u);
+@@ -1779,14 +1785,7 @@ nfsd4_proc_compound(struct svc_rqst *rqs
+                       if (need_wrongsec_check(rqstp))
+                               op->status = check_nfsd_access(current_fh->fh_export, rqstp);
+               }
+-
+ encode_op:
+-              /* Only from SEQUENCE */
+-              if (cstate->status == nfserr_replay_cache) {
+-                      dprintk("%s NFS4.1 replay from cache\n", __func__);
+-                      status = op->status;
+-                      goto out;
+-              }
+               if (op->status == nfserr_replay_me) {
+                       op->replay = &cstate->replay_owner->so_replay;
+                       nfsd4_encode_replay(&resp->xdr, op);
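Review bot: The relocated replay check depends on an ordering that the retained `/* Only from SEQUENCE */` comment does not record: it has to run before the `if (!op->status)` block because a reply served from the replay cache leaves the current filehandle unset, and the need_wrongsec_check() path below would otherwise call check_nfsd_access() with a NULL export, as the commit message describes. Suggest widening the comment to `/* Only from SEQUENCE. Must precede the current_fh checks below: a replay from cache does not set the current filehandle. */`. The commit message notes this is reachable from a buggy or malicious client, so the dprintk() is the only trace of the condition; that is unchanged by this patch and worth knowing when triaging. nfsd4_proc_compound() begins and ends outside the hunk.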
diff --git a/queue-4.11/ovl-fix-creds-leak-in-copy-up-error-path.patch b/queue-4.11/ovl-fix-creds-leak-in-copy-up-error-path.patch
new file mode 100644 (file)
index 0000000..b462853
--- /dev/null
@@ -0,0 +1,39 @@
+From 8137ae26d25303e7b5cfb418fd28b976461e5b6e Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Tue, 16 May 2017 08:45:46 +0300
+Subject: ovl: fix creds leak in copy up error path
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 8137ae26d25303e7b5cfb418fd28b976461e5b6e upstream.
+
+Fixes: 42f269b92540 ("ovl: rearrange code in ovl_copy_up_locked()")
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/overlayfs/copy_up.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -269,12 +269,13 @@ static int ovl_copy_up_locked(struct den
+               temp = ovl_do_tmpfile(upperdir, stat->mode);
+       else
+               temp = ovl_lookup_temp(workdir, dentry);
+-      err = PTR_ERR(temp);
+-      if (IS_ERR(temp))
+-              goto out1;
+-
+       err = 0;
+-      if (!tmpfile)
++      if (IS_ERR(temp)) {
++              err = PTR_ERR(temp);
++              temp = NULL;
++      }
++
++      if (!err && !tmpfile)
+               err = ovl_create_real(wdir, temp, &cattr, NULL, true);
+       if (new_creds) {
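Review bot: The new error path intentionally falls through to `if (new_creds)` instead of jumping to out1, but nothing in the code says so; the pairing of a non-zero err with `temp = NULL` (nothing to clean up) is implicit and a later reader could "simplify" it back into the goto that leaked the creds. Suggested comment above the `if (IS_ERR(temp))`: `/* Do not jump out here: new_creds must be reverted below. temp == NULL marks that there is no temp file to clean up. */`. Whether every later use of temp is guarded by `!err` cannot be confirmed from this hunk, since ovl_copy_up_locked() continues past its last line.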
index 2303787c4a9f8f781995bc4082db8cc59b84e103..e0448909b8c576ae3c007940067bddff0cafb0f4 100644 (file)
@@ -33,3 +33,17 @@ serial-exar-fix-stuck-msis.patch
 serial-ifx6x60-fix-use-after-free-on-module-unload.patch
 serial-core-fix-crash-in-uart_suspend_port.patch
 ptrace-properly-initialize-ptracer_cred-on-fork.patch
+arm-dts-keystone-k2l-fix-broken-ethernet-due-to-disabled-osr.patch
+crypto-asymmetric_keys-handle-ebusy-due-to-backlog-correctly.patch
+keys-fix-dereferencing-null-payload-with-nonzero-length.patch
+keys-fix-freeing-uninitialized-memory-in-key_update.patch
+keys-encrypted-avoid-encrypting-decrypting-stack-buffers.patch
+crypto-drbg-wait-for-crypto-op-not-signal-safe.patch
+crypto-gcm-wait-for-crypto-op-not-signal-safe.patch
+ovl-fix-creds-leak-in-copy-up-error-path.patch
+kthread-fix-use-after-free-if-kthread-fork-fails.patch
+drm-amdgpu-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch
+nfsd4-fix-null-dereference-on-replay.patch
+gfs2-make-flush-bios-explicitely-sync.patch
+efi-don-t-issue-error-message-when-booted-under-xen.patch
+efi-bgrt-skip-efi_bgrt_init-in-case-of-non-efi-boot.patch