3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Sep 2017 10:45:34 +0000 (12:45 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Sep 2017 10:45:34 +0000 (12:45 +0200)
added patches:
cifs-fix-maximum-smb2-header-size.patch
cifs-remove-endian-related-sparse-warning.patch
cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch
drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch
wl1251-add-a-missing-spin_lock_init.patch
xfrm-policy-check-policy-direction-value.patch

queue-3.18/cifs-fix-maximum-smb2-header-size.patch [new file with mode: 0644]
queue-3.18/cifs-remove-endian-related-sparse-warning.patch [new file with mode: 0644]
queue-3.18/cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch [new file with mode: 0644]
queue-3.18/drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch [new file with mode: 0644]
queue-3.18/series
queue-3.18/wl1251-add-a-missing-spin_lock_init.patch [new file with mode: 0644]
queue-3.18/xfrm-policy-check-policy-direction-value.patch [new file with mode: 0644]
queue-4.13/series [new file with mode: 0644]

diff --git a/queue-3.18/cifs-fix-maximum-smb2-header-size.patch b/queue-3.18/cifs-fix-maximum-smb2-header-size.patch
new file mode 100644 (file)
index 0000000..cf7d421
--- /dev/null
@@ -0,0 +1,37 @@
+From 9e37b1784f2be9397a903307574ee565bbadfd75 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Thu, 24 Aug 2017 15:16:40 -0700
+Subject: CIFS: Fix maximum SMB2 header size
+
+From: Pavel Shilovsky <pshilov@microsoft.com>
+
+commit 9e37b1784f2be9397a903307574ee565bbadfd75 upstream.
+
+Currently the maximum size of SMB2/3 header is set incorrectly which
+leads to hanging of directory listing operations on encrypted SMB3
+connections. Fix this by setting the maximum size to 170 bytes that
+is calculated as RFC1002 length field size (4) + transform header
+size (52) + SMB2 header size (64) + create response size (56).
+
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Acked-by: Sachin Prabhu <sprabhu@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2pdu.h
++++ b/fs/cifs/smb2pdu.h
+@@ -82,8 +82,8 @@
+ #define NUMBER_OF_SMB2_COMMANDS       0x0013
+-/* BB FIXME - analyze following length BB */
+-#define MAX_SMB2_HDR_SIZE 0x78 /* 4 len + 64 hdr + (2*24 wct) + 2 bct + 2 pad */
++/* 4 len + 52 transform hdr + 64 hdr + 56 create rsp */
++#define MAX_SMB2_HDR_SIZE 0x00b0
+ #define SMB2_PROTO_NUMBER __constant_cpu_to_le32(0x424d53fe)
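Review bot: The new value of `MAX_SMB2_HDR_SIZE` does not match the size stated in the patch description. `0x00b0` is 176, which agrees with the comment's sum of 4 + 52 + 64 + 56, while the description says 170 bytes. The constant is presumably used to size or bound the buffer that receives server responses, so a reader auditing it should not have to redo the arithmetic. Put the total in the comment, for example `/* 4 len + 52 transform hdr + 64 hdr + 56 create rsp = 176 (0xb0) */`. A `BUILD_BUG_ON` against the real struct sizes where the constant is used would keep the magic number from drifting again.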
diff --git a/queue-3.18/cifs-remove-endian-related-sparse-warning.patch b/queue-3.18/cifs-remove-endian-related-sparse-warning.patch
new file mode 100644 (file)
index 0000000..f3d279c
--- /dev/null
@@ -0,0 +1,32 @@
+From 6e3c1529c39e92ed64ca41d53abadabbaa1d5393 Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Sun, 27 Aug 2017 16:56:08 -0500
+Subject: CIFS: remove endian related sparse warning
+
+From: Steve French <smfrench@gmail.com>
+
+commit 6e3c1529c39e92ed64ca41d53abadabbaa1d5393 upstream.
+
+Recent patch had an endian warning ie
+cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()
+
+Signed-off-by: Steve French <smfrench@gmail.com>
+CC: Ronnie Sahlberg <lsahlber@redhat.com>
+Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/dir.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -194,7 +194,7 @@ check_name(struct dentry *direntry, stru
+       int i;
+       if (unlikely(direntry->d_name.len >
+-                   tcon->fsAttrInfo.MaxPathNameComponentLength))
++                   le32_to_cpu(tcon->fsAttrInfo.MaxPathNameComponentLength)))
+               return -ENAMETOOLONG;
+       if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS)) {
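Review bot: The length check in check_name() trusts `MaxPathNameComponentLength` as the server reported it, and the byte-order conversion added here does not change that. If the server returns zero, or `fsAttrInfo` was never populated for this tcon (where it is filled is not visible in the hunk), every non-empty name fails with -ENAMETOOLONG. Consider guarding the comparison: `if (unlikely(tcon->fsAttrInfo.MaxPathNameComponentLength && direntry->d_name.len > le32_to_cpu(tcon->fsAttrInfo.MaxPathNameComponentLength)))`. The body of check_name() continues outside the hunk.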
diff --git a/queue-3.18/cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch b/queue-3.18/cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch
new file mode 100644 (file)
index 0000000..2a9dd07
--- /dev/null
@@ -0,0 +1,51 @@
+From b339752d054fb32863418452dff350a1086885b1 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 28 Aug 2017 14:51:27 -0700
+Subject: cpumask: fix spurious cpumask_of_node() on non-NUMA multi-node configs
+
+From: Tejun Heo <tj@kernel.org>
+
+commit b339752d054fb32863418452dff350a1086885b1 upstream.
+
+When !NUMA, cpumask_of_node(@node) equals cpu_online_mask regardless of
+@node.  The assumption seems that if !NUMA, there shouldn't be more than
+one node and thus reporting cpu_online_mask regardless of @node is
+correct.  However, that assumption was broken years ago to support
+DISCONTIGMEM and whether a system has multiple nodes or not is
+separately controlled by NEED_MULTIPLE_NODES.
+
+This means that, on a system with !NUMA && NEED_MULTIPLE_NODES,
+cpumask_of_node() will report cpu_online_mask for all possible nodes,
+indicating that the CPUs are associated with multiple nodes which is an
+impossible configuration.
+
+This bug has been around forever but doesn't look like it has caused any
+noticeable symptoms.  However, it triggers a WARN recently added to
+workqueue to verify NUMA affinity configuration.
+
+Fix it by reporting empty cpumask on non-zero nodes if !NUMA.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-and-tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/asm-generic/topology.h |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/include/asm-generic/topology.h
++++ b/include/asm-generic/topology.h
+@@ -48,7 +48,11 @@
+ #define parent_node(node)     ((void)(node),0)
+ #endif
+ #ifndef cpumask_of_node
+-#define cpumask_of_node(node) ((void)node, cpu_online_mask)
++  #ifdef CONFIG_NEED_MULTIPLE_NODES
++    #define cpumask_of_node(node)     ((node) == 0 ? cpu_online_mask : cpu_none_mask)
++  #else
++    #define cpumask_of_node(node)     ((void)node, cpu_online_mask)
++  #endif
+ #endif
+ #ifndef pcibus_to_node
+ #define pcibus_to_node(bus)   ((void)(bus), -1)
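Review bot: The two branches of the new `cpumask_of_node` definition parenthesize the macro argument differently. The NEED_MULTIPLE_NODES branch uses `(node)`, but the fallback keeps `(void)node`, unlike the neighbouring `parent_node` and `pcibus_to_node` macros. Writing it as `#define cpumask_of_node(node)     ((void)(node), cpu_online_mask)` makes it safe for expression arguments. A one-line comment on the first branch would help too, such as `/* !NUMA with multiple memory nodes: all CPUs belong to node 0 */`, since returning `cpu_none_mask` for non-zero nodes is not obvious from the macro alone.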
diff --git a/queue-3.18/drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch b/queue-3.18/drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch
new file mode 100644 (file)
index 0000000..37e17cf
--- /dev/null
@@ -0,0 +1,37 @@
+From 9afae2719273fa1d406829bf3498f82dbdba71c7 Mon Sep 17 00:00:00 2001
+From: "Xiangliang.Yu" <Xiangliang.Yu@amd.com>
+Date: Wed, 16 Aug 2017 14:25:51 +0800
+Subject: drm/ttm: Fix accounting error when fail to get pages for pool
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiangliang.Yu <Xiangliang.Yu@amd.com>
+
+commit 9afae2719273fa1d406829bf3498f82dbdba71c7 upstream.
+
+When fail to get needed page for pool, need to put allocated pages
+into pool. But current code has a miscalculation of allocated pages,
+correct it.
+
+Signed-off-by: Xiangliang.Yu <Xiangliang.Yu@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Monk Liu <monk.liu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ttm/ttm_page_alloc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
++++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
+@@ -612,7 +612,7 @@ static void ttm_page_pool_fill_locked(st
+               } else {
+                       pr_err("Failed to fill pool (%p)\n", pool);
+                       /* If we have any pages left put them to the pool. */
+-                      list_for_each_entry(p, &pool->list, lru) {
++                      list_for_each_entry(p, &new_pages, lru) {
+                               ++cpages;
+                       }
+                       list_splice(&new_pages, &pool->list);
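Review bot: The count of `new_pages` is only correct because it runs before `list_splice()`, and nothing in the code says so. Once the splice has run, the fresh pages cannot be told apart from entries already in `pool->list`, which is the same miscounting this patch fixes. Replace the existing comment with something like `/* Count only the pages allocated in this call; must be done before they are spliced into the pool. */`. Where `cpages` is then added to the pool's accounting lies outside the hunk, so confirm it is not also incremented on the success path for the same pages.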
index ab352444844a1c9a480b29f68d36e37c6b5f9371..11358e5ee69a2404ae22a8940bceecdfbe0fab6d 100644 (file)
@@ -1,2 +1,8 @@
 i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch
 i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch
+cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch
+cifs-fix-maximum-smb2-header-size.patch
+cifs-remove-endian-related-sparse-warning.patch
+wl1251-add-a-missing-spin_lock_init.patch
+xfrm-policy-check-policy-direction-value.patch
+drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch
diff --git a/queue-3.18/wl1251-add-a-missing-spin_lock_init.patch b/queue-3.18/wl1251-add-a-missing-spin_lock_init.patch
new file mode 100644 (file)
index 0000000..0c5a4d6
--- /dev/null
@@ -0,0 +1,67 @@
+From f581a0dd744fe32b0a8805e279c59ec1ac676d60 Mon Sep 17 00:00:00 2001
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 31 Aug 2017 16:47:43 +0200
+Subject: wl1251: add a missing spin_lock_init()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+commit f581a0dd744fe32b0a8805e279c59ec1ac676d60 upstream.
+
+wl1251: add a missing spin_lock_init()
+
+This fixes the following kernel warning:
+
+ [ 5668.771453] BUG: spinlock bad magic on CPU#0, kworker/u2:3/9745
+ [ 5668.771850]  lock: 0xce63ef20, .magic: 00000000, .owner: <none>/-1,
+ .owner_cpu: 0
+ [ 5668.772277] CPU: 0 PID: 9745 Comm: kworker/u2:3 Tainted: G        W
+ 4.12.0-03002-gec979a4-dirty #40
+ [ 5668.772796] Hardware name: Nokia RX-51 board
+ [ 5668.773071] Workqueue: phy1 wl1251_irq_work
+ [ 5668.773345] [<c010c9e4>] (unwind_backtrace) from [<c010a274>]
+ (show_stack+0x10/0x14)
+ [ 5668.773803] [<c010a274>] (show_stack) from [<c01545a4>]
+ (do_raw_spin_lock+0x6c/0xa0)
+ [ 5668.774230] [<c01545a4>] (do_raw_spin_lock) from [<c06ca578>]
+ (_raw_spin_lock_irqsave+0x10/0x18)
+ [ 5668.774658] [<c06ca578>] (_raw_spin_lock_irqsave) from [<c048c010>]
+ (wl1251_op_tx+0x38/0x5c)
+ [ 5668.775115] [<c048c010>] (wl1251_op_tx) from [<c06a12e8>]
+ (ieee80211_tx_frags+0x188/0x1c0)
+ [ 5668.775543] [<c06a12e8>] (ieee80211_tx_frags) from [<c06a138c>]
+ (__ieee80211_tx+0x6c/0x130)
+ [ 5668.775970] [<c06a138c>] (__ieee80211_tx) from [<c06a3dbc>]
+ (ieee80211_tx+0xdc/0x104)
+ [ 5668.776367] [<c06a3dbc>] (ieee80211_tx) from [<c06a4af0>]
+ (__ieee80211_subif_start_xmit+0x454/0x8c8)
+ [ 5668.776824] [<c06a4af0>] (__ieee80211_subif_start_xmit) from
+ [<c06a4f94>] (ieee80211_subif_start_xmit+0x30/0x2fc)
+ [ 5668.777343] [<c06a4f94>] (ieee80211_subif_start_xmit) from
+ [<c0578848>] (dev_hard_start_xmit+0x80/0x118)
+...
+
+    by adding the missing spin_lock_init().
+
+Reported-by: Pavel Machek <pavel@ucw.cz>
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ti/wl1251/main.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/ti/wl1251/main.c
++++ b/drivers/net/wireless/ti/wl1251/main.c
+@@ -1572,6 +1572,7 @@ struct ieee80211_hw *wl1251_alloc_hw(voi
+       wl->state = WL1251_STATE_OFF;
+       mutex_init(&wl->mutex);
++      spin_lock_init(&wl->wl_lock);
+       wl->tx_mgmt_frm_rate = DEFAULT_HW_GEN_TX_RATE;
+       wl->tx_mgmt_frm_mod = DEFAULT_HW_GEN_MODULATION_TYPE;
diff --git a/queue-3.18/xfrm-policy-check-policy-direction-value.patch b/queue-3.18/xfrm-policy-check-policy-direction-value.patch
new file mode 100644 (file)
index 0000000..cd55608
--- /dev/null
@@ -0,0 +1,44 @@
+From 7bab09631c2a303f87a7eb7e3d69e888673b9b7e Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Wed, 2 Aug 2017 19:50:14 +0200
+Subject: xfrm: policy: check policy direction value
+
+From: Vladis Dronov <vdronov@redhat.com>
+
+commit 7bab09631c2a303f87a7eb7e3d69e888673b9b7e upstream.
+
+The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used
+as an array index. This can lead to an out-of-bound access, kernel lockup and
+DoS. Add a check for the 'dir' value.
+
+This fixes CVE-2017-11600.
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928
+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
+Reported-by: "bo Zhang" <zhangbo5891001@gmail.com>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_policy.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3248,9 +3248,15 @@ int xfrm_migrate(const struct xfrm_selec
+       struct xfrm_state *x_new[XFRM_MAX_DEPTH];
+       struct xfrm_migrate *mp;
++      /* Stage 0 - sanity checks */
+       if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
+               goto out;
++      if (dir >= XFRM_POLICY_MAX) {
++              err = -EINVAL;
++              goto out;
++      }
++
+       /* Stage 1 - find policy */
+       if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) {
+               err = -ENOENT;
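Review bot: The new `dir >= XFRM_POLICY_MAX` guard only rejects every bad value if `dir` is unsigned. The description calls it a byte, but the signature of xfrm_migrate() is truncated in the hunk header, so confirm the type; a signed `dir` would let negative values through to `xfrm_migrate_policy_find()`. The "Stage 0" comment should also say why the check exists, for example `/* dir is supplied by userspace and is used as an index into the per-direction policy tables */`. Finally, the validation sits in xfrm_migrate() rather than where the netlink or PF_KEY message is parsed. Any other path that passes a user-supplied direction to the policy lookup helpers needs the same bound, and those callers are not visible here.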
diff --git a/queue-4.13/series b/queue-4.13/series
new file mode 100644 (file)
index 0000000..87567c1
--- /dev/null
@@ -0,0 +1,3 @@
+drm-vgem-pin-our-pages-for-dmabuf-exports.patch
+drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch
+drm-dp-mst-handle-errors-from-drm_atomic_get_private_obj_state-correctly.patch