--- /dev/null
+From stable-owner@vger.kernel.org Tue Aug 30 06:37:09 2016
+From: "Levin, Alexander" <alexander.levin@verizon.com>
+Date: Tue, 30 Aug 2016 00:35:01 -0400
+Subject: [PATCH 4.4 08/16] cred: Reject inodes with invalid ids in set_create_file_as()
+To: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
+Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>
+Message-ID: <1472531709-18002-9-git-send-email-alexander.levin@verizon.com>
+
+
+From: Seth Forshee <seth.forshee@canonical.com>
+
+[ Upstream commit 5f65e5ca286126a60f62c8421b77c2018a482b8a ]
+
+Using INVALID_[UG]ID for the LSM file creation context doesn't
+make sense, so return an error if the inode passed to
+set_create_file_as() has an invalid id.
+
+Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
+Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cred.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -689,6 +689,8 @@ EXPORT_SYMBOL(set_security_override_from
+ */
+ int set_create_files_as(struct cred *new, struct inode *inode)
+ {
++ if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid))
++ return -EINVAL;
+ new->fsuid = inode->i_uid;
+ new->fsgid = inode->i_gid;
+ return security_kernel_create_files_as(new, inode);
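Review bot: The new `-EINVAL` return at the top of set_create_files_as() is not reflected in the function's kernel-doc, which ends on the first context line of this hunk and lies mostly outside it. I would add a line such as `* Returns -EINVAL if the inode's uid or gid is invalid, otherwise the result of the LSM hook.` so callers know that `new` is left unmodified on that path. The check is correctly placed before the fsuid/fsgid assignments. Note that the Subject spells the function set_create_file_as() while the code says set_create_files_as().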
--- /dev/null
+From alexander.levin@verizon.com Tue Aug 30 06:37:51 2016
+From: "Levin, Alexander" <alexander.levin@verizon.com>
+Date: Tue, 30 Aug 2016 00:34:57 -0400
+Subject: [PATCH 4.4 04/16] crypto: nx-842 - Mask XERS0 bit in return value
+To: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
+Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>
+Message-ID: <1472531709-18002-5-git-send-email-alexander.levin@verizon.com>
+
+
+From: Haren Myneni <haren@linux.vnet.ibm.com>
+
+[ Upstream commit 6333ed8f26cf77311088d2e2b7cf16d8480bcbb2 ]
+
+NX842 coprocessor sets 3rd bit in CR register with XER[S0] which is
+nothing to do with NX request. Since this bit can be set with other
+valuable return status, mast this bit.
+
+One of other bits (INITIATED, BUSY or REJECTED) will be returned for
+any given NX request.
+
+Signed-off-by: Haren Myneni <haren@us.ibm.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/icswx.h | 1 +
+ drivers/crypto/nx/nx-842-powernv.c | 12 ++++++++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/arch/powerpc/include/asm/icswx.h
++++ b/arch/powerpc/include/asm/icswx.h
+@@ -164,6 +164,7 @@ struct coprocessor_request_block {
+ #define ICSWX_INITIATED (0x8)
+ #define ICSWX_BUSY (0x4)
+ #define ICSWX_REJECTED (0x2)
++#define ICSWX_XERS0 (0x1) /* undefined or set from XERSO. */
+
+ static inline int icswx(__be32 ccw, struct coprocessor_request_block *crb)
+ {
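Review bot: The added `ICSWX_XERS0` line spells the bit two ways, with a digit in the macro name (`S0`) and a letter in the comment (`XERSO`), and "undefined or set from" does not tell a caller what to do with it. The summary-overflow bit is normally written XER[SO], so I would word the comment as `/* CR bit copied from XER[SO]; not an icswx status, mask before testing */`. Renaming the macro is probably not worth it in a stable backport.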
+--- a/drivers/crypto/nx/nx-842-powernv.c
++++ b/drivers/crypto/nx/nx-842-powernv.c
+@@ -442,6 +442,14 @@ static int nx842_powernv_function(const
+ (unsigned int)ccw,
+ (unsigned int)be32_to_cpu(crb->ccw));
+
++ /*
++ * NX842 coprocessor sets 3rd bit in CR register with XER[S0].
++ * XER[S0] is the integer summary overflow bit which is nothing
++ * to do NX. Since this bit can be set with other return values,
++ * mask this bit.
++ */
++ ret &= ~ICSWX_XERS0;
++
+ switch (ret) {
+ case ICSWX_INITIATED:
+ ret = wait_for_csb(wmem, csb);
+@@ -454,10 +462,6 @@ static int nx842_powernv_function(const
+ pr_err_ratelimited("ICSWX rejected\n");
+ ret = -EPROTO;
+ break;
+- default:
+- pr_err_ratelimited("Invalid ICSWX return code %x\n", ret);
+- ret = -EPROTO;
+- break;
+ }
+
+ if (!ret)
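Review bot: Dropping the `default:` arm in the second hunk means a masked `ret` that is not exactly INITIATED, BUSY or REJECTED is no longer converted into an error. In particular, a value of 0 after `ret &= ~ICSWX_XERS0` would fall through the switch and satisfy the `if (!ret)` that follows, so it would be handled as success without wait_for_csb() having run; the rest of nx842_powernv_function() is outside the hunk, so the downstream effect is inferred. The commit message states that one of the three bits is always set, but that is a hardware assumption the code no longer checks. I would keep the arm after the mask: `default: pr_err_ratelimited("Invalid ICSWX return code %x\n", ret); ret = -EPROTO; break;`.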
--- /dev/null
+From stable-owner@vger.kernel.org Tue Aug 30 06:36:44 2016
+From: "Levin, Alexander" <alexander.levin@verizon.com>
+Date: Tue, 30 Aug 2016 00:34:55 -0400
+Subject: [PATCH 4.4 02/16] cxlflash: Fix to avoid virtual LUN failover failure
+To: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
+Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>
+Message-ID: <1472531709-18002-3-git-send-email-alexander.levin@verizon.com>
+
+
+From: "Matthew R. Ochs" <mrochs@linux.vnet.ibm.com>
+
+[ Upstream commit d5e26bb1d812ba74f29b6bcbc88c3dbfb3eed824 ]
+
+Applications which use virtual LUN's that are backed by a physical LUN
+over both adapter ports may experience an I/O failure in the event of a
+link loss (e.g. cable pull).
+
+Virtual LUNs may be accessed through one or both ports of the adapter.
+This access is encoded in the translation entries that comprise the
+virtual LUN and used by the AFU for load-balancing I/O and handling
+failover scenarios. In a link loss scenario, even though the AFU is able
+to maintain connectivity to the LUN, it is up to the application to
+retry the failed I/O. When applications are unaware of the virtual LUN's
+underlying topology, they are unable to make a sound decision of when to
+retry an I/O and therefore are forced to make their reaction to a failed
+I/O absolute. The result is either a failure to retry I/O or increased
+latency for scenarios where a retry is pointless.
+
+To remedy this scenario, provide feedback back to the application on
+virtual LUN creation as to which ports the LUN may be accessed. LUN's
+spanning both ports are candidates for a retry in a presence of an I/O
+failure.
+
+Signed-off-by: Matthew R. Ochs <mrochs@linux.vnet.ibm.com>
+Acked-by: Manoj Kumar <manoj@linux.vnet.ibm.com>
+Reviewed-by: Uma Krishnan <ukrishn@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/cxlflash/vlun.c | 2 ++
+ include/uapi/scsi/cxlflash_ioctl.h | 10 ++++++++++
+ 2 files changed, 12 insertions(+)
+
+--- a/drivers/scsi/cxlflash/vlun.c
++++ b/drivers/scsi/cxlflash/vlun.c
+@@ -1008,6 +1008,8 @@ int cxlflash_disk_virtual_open(struct sc
+ virt->last_lba = last_lba;
+ virt->rsrc_handle = rsrc_handle;
+
++ if (lli->port_sel == BOTH_PORTS)
++ virt->hdr.return_flags |= DK_CXLFLASH_ALL_PORTS_ACTIVE;
+ out:
+ if (likely(ctxi))
+ put_context(ctxi);
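Review bot: `virt->hdr.return_flags |= DK_CXLFLASH_ALL_PORTS_ACTIVE` ORs into whatever the header already holds, and nothing in this hunk shows `return_flags` being cleared first. If the header arrives from user space unchanged (not visible here), a caller-supplied bit would be echoed back as though the driver had set it, which matters more as further return flags are added to cxlflash_ioctl.h. I would either zero `return_flags` on ioctl entry or state in the uapi comment that the kernel only ORs into the field and callers must clear it. cxlflash_disk_virtual_open() starts and ends outside the hunk.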
+--- a/include/uapi/scsi/cxlflash_ioctl.h
++++ b/include/uapi/scsi/cxlflash_ioctl.h
+@@ -31,6 +31,16 @@ struct dk_cxlflash_hdr {
+ };
+
+ /*
++ * Return flag definitions available to all ioctls
++ *
++ * Similar to the input flags, these are grown from the bottom-up with the
++ * intention that ioctl-specific return flag definitions would grow from the
++ * top-down, allowing the two sets to co-exist. While not required/enforced
++ * at this time, this provides future flexibility.
++ */
++#define DK_CXLFLASH_ALL_PORTS_ACTIVE 0x0000000000000001ULL
++
++/*
+ * Notes:
+ * -----
+ * The 'context_id' field of all ioctl structures contains the context
--- /dev/null
+From stable-owner@vger.kernel.org Tue Aug 30 06:36:46 2016
+From: "Levin, Alexander" <alexander.levin@verizon.com>
+Date: Tue, 30 Aug 2016 00:34:54 -0400
+Subject: [PATCH 4.4 01/16] cxlflash: Fix to escalate LINK_RESET also on port 1
+To: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
+Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>
+Message-ID: <1472531709-18002-2-git-send-email-alexander.levin@verizon.com>
+
+From: Manoj Kumar <manoj@linux.vnet.ibm.com>
+
+[ Upstream commit a9be294ecb3b9dc82b15625631b153f871181d16 ]
+
+The original fix to escalate a 'login timed out' error to a LINK_RESET
+was only made for one of the two ports on the card. This fix resolves
+the same issue for the second port (port 1).
+
+Signed-off-by: Manoj N. Kumar <manoj@linux.vnet.ibm.com>
+Acked-by: Matthew R. Ochs <mrochs@linux.vnet.ibm.com>
+Reviewed-by: Uma Krishnan <ukrishn@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/cxlflash/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/cxlflash/main.c
++++ b/drivers/scsi/cxlflash/main.c
+@@ -1141,7 +1141,7 @@ static const struct asyc_intr_info ainfo
+ {SISL_ASTATUS_FC1_OTHER, "other error", 1, CLR_FC_ERROR | LINK_RESET},
+ {SISL_ASTATUS_FC1_LOGO, "target initiated LOGO", 1, 0},
+ {SISL_ASTATUS_FC1_CRC_T, "CRC threshold exceeded", 1, LINK_RESET},
+- {SISL_ASTATUS_FC1_LOGI_R, "login timed out, retrying", 1, 0},
++ {SISL_ASTATUS_FC1_LOGI_R, "login timed out, retrying", 1, LINK_RESET},
+ {SISL_ASTATUS_FC1_LOGI_F, "login failed", 1, CLR_FC_ERROR},
+ {SISL_ASTATUS_FC1_LOGI_S, "login succeeded", 1, SCAN_HOST},
+ {SISL_ASTATUS_FC1_LINK_DN, "link down", 1, 0},
--- /dev/null
+From stable-owner@vger.kernel.org Tue Aug 30 06:36:51 2016
+From: "Levin, Alexander" <alexander.levin@verizon.com>
+Date: Tue, 30 Aug 2016 00:35:05 -0400
+Subject: [PATCH 4.4 12/16] cxlflash: Move to exponential back-off when cmd_room is not available
+To: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
+Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>
+Message-ID: <1472531709-18002-13-git-send-email-alexander.levin@verizon.com>
+
+
+From: "Manoj N. Kumar" <manoj@linux.vnet.ibm.com>
+
+[ Upstream commit ea76543127da32dec28af0a13ea1b06625fc085e ]
+
+While profiling the cxlflash_queuecommand() path under a heavy load it
+was found that number of retries to find cmd_room was fairly high.
+
+There are two problems with the current back-off:
+a) It starts with a udelay of 0
+b) It backs-off linearly
+
+Tried several approaches (a higher multiple 10*n, 100*n, as well as n^2,
+2^n) and found that the exponential back-off(2^n) approach had the least
+overall cost. Cost as being defined as overall time spent waiting.
+
+The fix is to change the linear back-off to an exponential back-off.
+This solution also takes care of the problem with the initial
+delay (starts with 1 usec).
+
+Signed-off-by: Manoj N. Kumar <manoj@linux.vnet.ibm.com>
+Acked-by: Matthew R. Ochs <mrochs@linux.vnet.ibm.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Uma Krishnan <ukrishn@linux.vnet.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/cxlflash/main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/cxlflash/main.c
++++ b/drivers/scsi/cxlflash/main.c
+@@ -289,7 +289,7 @@ static void context_reset(struct afu_cmd
+ atomic64_set(&afu->room, room);
+ if (room)
+ goto write_rrin;
+- udelay(nretry);
++ udelay(1 << nretry);
+ } while (nretry++ < MC_ROOM_RETRY_CNT);
+
+ pr_err("%s: no cmd_room to send reset\n", __func__);
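Review bot: `udelay(1 << nretry)` is bounded only by MC_ROOM_RETRY_CNT, whose value is not visible here, and the same expression is added in all four hunks of this file. The do/while loops run `nretry` from 0 up to and including the limit, so the worst-case busy-wait per loop is about 2^(MC_ROOM_RETRY_CNT+1) microseconds on the command-submission path, and `1 << nretry` on a signed int is undefined once nretry reaches 31. I would use `1U << nretry` and put a compile-time bound on MC_ROOM_RETRY_CNT next to its definition, so a later bump of the retry count cannot silently become a long stall. The last hunk also increments `nretry` before the delay, so its first wait is 2 us rather than the 1 us the commit message describes.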
+@@ -303,7 +303,7 @@ write_rrin:
+ if (rrin != 0x1)
+ break;
+ /* Double delay each time */
+- udelay(2 << nretry);
++ udelay(1 << nretry);
+ } while (nretry++ < MC_ROOM_RETRY_CNT);
+ }
+
+@@ -338,7 +338,7 @@ retry:
+ atomic64_set(&afu->room, room);
+ if (room)
+ goto write_ioarrin;
+- udelay(nretry);
++ udelay(1 << nretry);
+ } while (nretry++ < MC_ROOM_RETRY_CNT);
+
+ dev_err(dev, "%s: no cmd_room to send 0x%X\n",
+@@ -352,7 +352,7 @@ retry:
+ * afu->room.
+ */
+ if (nretry++ < MC_ROOM_RETRY_CNT) {
+- udelay(nretry);
++ udelay(1 << nretry);
+ goto retry;
+ }
+
--- /dev/null
+From stable-owner@vger.kernel.org Tue Aug 30 06:36:05 2016
+From: "Levin, Alexander" <alexander.levin@verizon.com>
+Date: Tue, 30 Aug 2016 00:35:06 -0400
+Subject: [PATCH 4.4 13/16] drivers:hv: Lock access to hyperv_mmio resource tree
+To: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
+Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>
+Message-ID: <1472531709-18002-14-git-send-email-alexander.levin@verizon.com>
+
+
+From: Jake Oshins <jakeo@microsoft.com>
+
+[ Upstream commit e16dad6bfe1437aaee565f875a6713ca7ce81bdf ]
+
+In existing code, this tree of resources is created
+in single-threaded code and never modified after it is
+created, and thus needs no locking. This patch introduces
+a semaphore for tree access, as other patches in this
+series introduce run-time modifications of this resource
+tree which can happen on multiple threads.
+
+Signed-off-by: Jake Oshins <jakeo@microsoft.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+---
+ drivers/hv/vmbus_drv.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -105,6 +105,7 @@ static struct notifier_block hyperv_pani
+ };
+
+ struct resource *hyperv_mmio;
++DEFINE_SEMAPHORE(hyperv_mmio_lock);
+
+ static int vmbus_exists(void)
+ {
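Review bot: `DEFINE_SEMAPHORE(hyperv_mmio_lock);` creates a symbol with external linkage, while the hunks shown use it only inside vmbus_drv.c. Unless another file in the series needs it (not visible here), I would make it `static`. Since it serves purely as a binary lock, `static DEFINE_MUTEX(hyperv_mmio_lock);` with `mutex_lock()`/`mutex_unlock()` would add lockdep coverage and owner checking that a semaphore does not provide. A one-line comment saying the lock protects the `hyperv_mmio` sibling list would also help, because the commit message says the writers arrive in other patches.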
+@@ -1140,7 +1141,10 @@ int vmbus_allocate_mmio(struct resource
+ resource_size_t range_min, range_max, start, local_min, local_max;
+ const char *dev_n = dev_name(&device_obj->device);
+ u32 fb_end = screen_info.lfb_base + (screen_info.lfb_size << 1);
+- int i;
++ int i, retval;
++
++ retval = -ENXIO;
++ down(&hyperv_mmio_lock);
+
+ for (iter = hyperv_mmio; iter; iter = iter->sibling) {
+ if ((iter->start >= max) || (iter->end <= min))
+@@ -1177,13 +1181,17 @@ int vmbus_allocate_mmio(struct resource
+ for (; start + size - 1 <= local_max; start += align) {
+ *new = request_mem_region_exclusive(start, size,
+ dev_n);
+- if (*new)
+- return 0;
++ if (*new) {
++ retval = 0;
++ goto exit;
++ }
+ }
+ }
+ }
+
+- return -ENXIO;
++exit:
++ up(&hyperv_mmio_lock);
++ return retval;
+ }
+ EXPORT_SYMBOL_GPL(vmbus_allocate_mmio);
+
--- /dev/null
+dos2unix: Binary symbol 0x1F found at line 42
+dos2unix: Skipping binary file stdin
+From stable-owner@vger.kernel.org Tue Aug 30 06:36:47 2016
+From: "Levin, Alexander" <alexander.levin@verizon.com>
+Date: Tue, 30 Aug 2016 00:35:03 -0400
+Subject: [PATCH 4.4 10/16] drm/amdgpu/cz: enable/disable vce dpm even if vce pg is disabled
+To: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
+Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>
+Message-ID: <1472531709-18002-11-git-send-email-alexander.levin@verizon.com>
+
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit b3dae7828399ef316e3fabf7e82c6415cb03a02e ]
+
+I missed this when cleaning up the vce pg handling.
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Rex Zhu <Rex.Zhu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/cz_dpm.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/cz_dpm.c
++++ b/drivers/gpu/drm/amd/amdgpu/cz_dpm.c
+@@ -1955,10 +1955,8 @@ static void cz_dpm_powergate_vce(struct
+ }
+ } else { /*pi->caps_vce_pg*/
+ cz_update_vce_dpm(adev);
+- cz_enable_vce_dpm(adev, true);
++ cz_enable_vce_dpm(adev, !gate);
+ }
+-
+- return;
+ }
+
+ const struct amd_ip_funcs cz_dpm_ip_funcs = {
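Review bot: The first two lines of this queued patch file, `dos2unix: Binary symbol 0x1F found at line 42` and `dos2unix: Skipping binary file stdin`, are captured tool error output sitting ahead of the mbox `From ` line rather than part of the mail. They also show that dos2unix refused to convert the input, so this file may not have had the same line-ending normalisation as the other patches in the series. I would regenerate the file without the stderr capture and check where the reported 0x1F byte sits before queuing it.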
--- /dev/null
+From stable-owner@vger.kernel.org Tue Aug 30 06:36:53 2016
+From: "Levin, Alexander" <alexander.levin@verizon.com>
+Date: Tue, 30 Aug 2016 00:35:00 -0400
+Subject: [PATCH 4.4 07/16] fs: Check for invalid i_uid in may_follow_link()
+To: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
+Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>
+Message-ID: <1472531709-18002-8-git-send-email-alexander.levin@verizon.com>
+
+
+From: Seth Forshee <seth.forshee@canonical.com>
+
+[ Upstream commit 2d7f9e2ad35e4e7a3086231f19bfab33c6a8a64a ]
+
+Filesystem uids which don't map into a user namespace may result
+in inode->i_uid being INVALID_UID. A symlink and its parent
+could have different owners in the filesystem can both get
+mapped to INVALID_UID, which may result in following a symlink
+when this would not have otherwise been permitted when protected
+symlinks are enabled.
+
+Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
+Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/namei.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -887,6 +887,7 @@ static inline int may_follow_link(struct
+ {
+ const struct inode *inode;
+ const struct inode *parent;
++ kuid_t puid;
+
+ if (!sysctl_protected_symlinks)
+ return 0;
+@@ -902,7 +903,8 @@ static inline int may_follow_link(struct
+ return 0;
+
+ /* Allowed if parent directory and link owner match. */
+- if (uid_eq(parent->i_uid, inode->i_uid))
++ puid = parent->i_uid;
++ if (uid_valid(puid) && uid_eq(puid, inode->i_uid))
+ return 0;
+
+ if (nd->flags & LOOKUP_RCU)
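Review bot: The comment above the changed test still reads `/* Allowed if parent directory and link owner match. */`, which no longer describes the condition now that an unmapped parent owner is refused. I would update it to `/* Allowed if parent directory and link owner match and the parent's uid is valid; two INVALID_UIDs must not count as a match. */` so the user-namespace case from the commit message stays attached to the code. may_follow_link() begins and ends outside the hunk.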
--- /dev/null
+From alexander.levin@verizon.com Tue Aug 30 06:37:53 2016
+From: "Levin, Alexander" <alexander.levin@verizon.com>
+Date: Tue, 30 Aug 2016 00:34:59 -0400
+Subject: [PATCH 4.4 06/16] IB/IPoIB: Do not set skb truesize since using one linearskb
+To: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
+Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>
+Message-ID: <1472531709-18002-7-git-send-email-alexander.levin@verizon.com>
+
+
+From: Carol L Soto <clsoto@linux.vnet.ibm.com>
+
+[ Upstream commit bb6a777369449d15a4a890306d2f925cae720e1c ]
+
+We are seeing this warning: at net/core/skbuff.c:4174
+and before commit a44878d10063 ("IB/ipoib: Use one linear skb in RX flow")
+skb truesize was not being set when ipoib was using just one skb.
+Removing this line avoids the warning when running tcp tests like iperf.
+
+Fixes: a44878d10063 ("IB/ipoib: Use one linear skb in RX flow")
+Signed-off-by: Carol L Soto <clsoto@linux.vnet.ibm.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_ib.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+@@ -245,8 +245,6 @@ static void ipoib_ib_handle_rx_wc(struct
+ skb_reset_mac_header(skb);
+ skb_pull(skb, IPOIB_ENCAP_LEN);
+
+- skb->truesize = SKB_TRUESIZE(skb->len);
+-
+ ++dev->stats.rx_packets;
+ dev->stats.rx_bytes += skb->len;
+
--- /dev/null
+From 98f368e9e2630a3ce3e80fb10fb2e02038cf9578 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu, 2 Jun 2016 23:43:21 -0500
+Subject: kernel: Add noaudit variant of ns_capable()
+
+From: Tyler Hicks <tyhicks@canonical.com>
+
+commit 98f368e9e2630a3ce3e80fb10fb2e02038cf9578 upstream.
+
+When checking the current cred for a capability in a specific user
+namespace, it isn't always desirable to have the LSMs audit the check.
+This patch adds a noaudit variant of ns_capable() for when those
+situations arise.
+
+The common logic between ns_capable() and the new ns_capable_noaudit()
+is moved into a single, shared function to keep duplicated code to a
+minimum and ease maintainability.
+
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/capability.h | 5 ++++
+ kernel/capability.c | 46 +++++++++++++++++++++++++++++++++++----------
+ 2 files changed, 41 insertions(+), 10 deletions(-)
+
+--- a/include/linux/capability.h
++++ b/include/linux/capability.h
+@@ -214,6 +214,7 @@ extern bool has_ns_capability_noaudit(st
+ struct user_namespace *ns, int cap);
+ extern bool capable(int cap);
+ extern bool ns_capable(struct user_namespace *ns, int cap);
++extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
+ #else
+ static inline bool has_capability(struct task_struct *t, int cap)
+ {
+@@ -241,6 +242,10 @@ static inline bool ns_capable(struct use
+ {
+ return true;
+ }
++static inline bool ns_capable_noaudit(struct user_namespace *ns, int cap)
++{
++ return true;
++}
+ #endif /* CONFIG_MULTIUSER */
+ extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
+ extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
+--- a/kernel/capability.c
++++ b/kernel/capability.c
+@@ -361,6 +361,24 @@ bool has_capability_noaudit(struct task_
+ return has_ns_capability_noaudit(t, &init_user_ns, cap);
+ }
+
++static bool ns_capable_common(struct user_namespace *ns, int cap, bool audit)
++{
++ int capable;
++
++ if (unlikely(!cap_valid(cap))) {
++ pr_crit("capable() called with invalid cap=%u\n", cap);
++ BUG();
++ }
++
++ capable = audit ? security_capable(current_cred(), ns, cap) :
++ security_capable_noaudit(current_cred(), ns, cap);
++ if (capable == 0) {
++ current->flags |= PF_SUPERPRIV;
++ return true;
++ }
++ return false;
++}
++
+ /**
+ * ns_capable - Determine if the current task has a superior capability in effect
+ * @ns: The usernamespace we want the capability in
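Review bot: The local `int capable;` in ns_capable_common() shadows the `capable()` function declared in capability.h and documented further down this file; a name such as `ret` reads better and avoids -Wshadow noise. The moved `pr_crit("capable() called with invalid cap=%u\n", cap)` prints an `int` with `%u` and still names capable() when the caller is ns_capable_noaudit(); `%d` would match the argument type. The helper is static and has no comment; one line saying that `audit` selects security_capable() over security_capable_noaudit() would be enough.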
+@@ -374,19 +392,27 @@ bool has_capability_noaudit(struct task_
+ */
+ bool ns_capable(struct user_namespace *ns, int cap)
+ {
+- if (unlikely(!cap_valid(cap))) {
+- pr_crit("capable() called with invalid cap=%u\n", cap);
+- BUG();
+- }
+-
+- if (security_capable(current_cred(), ns, cap) == 0) {
+- current->flags |= PF_SUPERPRIV;
+- return true;
+- }
+- return false;
++ return ns_capable_common(ns, cap, true);
+ }
+ EXPORT_SYMBOL(ns_capable);
+
++/**
++ * ns_capable_noaudit - Determine if the current task has a superior capability
++ * (unaudited) in effect
++ * @ns: The usernamespace we want the capability in
++ * @cap: The capability to be tested for
++ *
++ * Return true if the current task has the given superior capability currently
++ * available for use, false if not.
++ *
++ * This sets PF_SUPERPRIV on the task if the capability is available on the
++ * assumption that it's about to be used.
++ */
++bool ns_capable_noaudit(struct user_namespace *ns, int cap)
++{
++ return ns_capable_common(ns, cap, false);
++}
++EXPORT_SYMBOL(ns_capable_noaudit);
+
+ /**
+ * capable - Determine if the current task has a superior capability in effect
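Review bot: The kernel-doc for ns_capable_noaudit() repeats the ns_capable() text and does not say when skipping the LSM audit is acceptable. An unaudited check removes a denial record that people reviewing audit logs may rely on, so I would add a sentence such as `* Use only where a failed check is not a policy violation, e.g. when probing to compute permissions.` That keeps later callers from reaching for the noaudit variant simply to quieten logs.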
--- /dev/null
+From stable-owner@vger.kernel.org Tue Aug 30 06:36:08 2016
+From: "Levin, Alexander" <alexander.levin@verizon.com>
+Date: Tue, 30 Aug 2016 00:35:07 -0400
+Subject: [PATCH 4.4 14/16] KEYS: Fix ASN.1 indefinite length object parsing
+To: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
+Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>
+Message-ID: <1472531709-18002-15-git-send-email-alexander.levin@verizon.com>
+
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa ]
+
+This fixes CVE-2016-0758.
+
+In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
+it isn't validated against the remaining amount of data before being added
+to the cursor. With a sufficiently large size indicated, the check:
+
+ datalen - dp < 2
+
+may then fail due to integer overflow.
+
+Fix this by checking the length indicated against the amount of remaining
+data in both places a definite length is determined.
+
+Whilst we're at it, make the following changes:
+
+ (1) Check the maximum size of extended length does not exceed the capacity
+ of the variable it's being stored in (len) rather than the type that
+ variable is assumed to be (size_t).
+
+ (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
+ integer 0.
+
+ (3) To reduce confusion, move the initialisation of len outside of:
+
+ for (len = 0; n > 0; n--) {
+
+ since it doesn't have anything to do with the loop counter n.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Acked-by: David Woodhouse <David.Woodhouse@intel.com>
+Acked-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/asn1_decoder.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/lib/asn1_decoder.c
++++ b/lib/asn1_decoder.c
+@@ -74,7 +74,7 @@ next_tag:
+
+ /* Extract a tag from the data */
+ tag = data[dp++];
+- if (tag == 0) {
++ if (tag == ASN1_EOC) {
+ /* It appears to be an EOC. */
+ if (data[dp++] != 0)
+ goto invalid_eoc;
+@@ -96,10 +96,8 @@ next_tag:
+
+ /* Extract the length */
+ len = data[dp++];
+- if (len <= 0x7f) {
+- dp += len;
+- goto next_tag;
+- }
++ if (len <= 0x7f)
++ goto check_length;
+
+ if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
+ /* Indefinite length */
+@@ -110,14 +108,18 @@ next_tag:
+ }
+
+ n = len - 0x80;
+- if (unlikely(n > sizeof(size_t) - 1))
++ if (unlikely(n > sizeof(len) - 1))
+ goto length_too_long;
+ if (unlikely(n > datalen - dp))
+ goto data_overrun_error;
+- for (len = 0; n > 0; n--) {
++ len = 0;
++ for (; n > 0; n--) {
+ len <<= 8;
+ len |= data[dp++];
+ }
++check_length:
++ if (len > datalen - dp)
++ goto data_overrun_error;
+ dp += len;
+ goto next_tag;
+
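Review bot: The new `check_length:` test `if (len > datalen - dp)` is only free of wrap-around while `dp <= datalen` holds, and nothing in the hunk states that invariant. It presumably follows from the `datalen - dp < 2` check quoted in the commit message, which is outside the hunk. I would add a comment at the label, e.g. `/* compare len with the bytes remaining; never form dp + len, which could wrap */`, so a later edit does not rewrite the test as `dp + len > datalen`. The `n > datalen - dp` check a few lines above relies on the same invariant.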
--- /dev/null
+From d6e0d306449bcb5fa3c80e7a3edf11d45abf9ae9 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu, 2 Jun 2016 23:43:22 -0500
+Subject: net: Use ns_capable_noaudit() when determining net sysctl permissions
+
+From: Tyler Hicks <tyhicks@canonical.com>
+
+commit d6e0d306449bcb5fa3c80e7a3edf11d45abf9ae9 upstream.
+
+The capability check should not be audited since it is only being used
+to determine the inode permissions. A failed check does not indicate a
+violation of security policy but, when an LSM is enabled, a denial audit
+message was being generated.
+
+The denial audit message caused confusion for some application authors
+because root-running Go applications always triggered the denial. To
+prevent this confusion, the capability check in net_ctl_permissions() is
+switched to the noaudit variant.
+
+BugLink: https://launchpad.net/bugs/1465724
+
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sysctl_net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sysctl_net.c
++++ b/net/sysctl_net.c
+@@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
+ kgid_t root_gid = make_kgid(net->user_ns, 0);
+
+ /* Allow network administrator to have same access as root. */
+- if (ns_capable(net->user_ns, CAP_NET_ADMIN) ||
++ if (ns_capable_noaudit(net->user_ns, CAP_NET_ADMIN) ||
+ uid_eq(root_uid, current_euid())) {
+ int mode = (table->mode >> 6) & 7;
+ return (mode << 6) | (mode << 3) | mode;
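Review bot: ns_capable_noaudit() is evaluated before the cheaper `uid_eq(root_uid, current_euid())` test, so a task that holds CAP_NET_ADMIN takes the LSM hook on every permission lookup. According to the helper's kernel-doc in the companion patch, that also marks the task PF_SUPERPRIV, even though this function only computes a mode. Swapping the operands, `if (uid_eq(root_uid, current_euid()) || ns_capable_noaudit(net->user_ns, CAP_NET_ADMIN)) {`, gives the same boolean result and skips the capability check for namespace root. That changes when PF_SUPERPRIV is set, so it is a suggestion for upstream rather than for this backport. net_ctl_permissions() starts and ends outside the hunk.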
--- /dev/null
+From stable-owner@vger.kernel.org Tue Aug 30 06:37:09 2016
+From: "Levin, Alexander" <alexander.levin@verizon.com>
+Date: Tue, 30 Aug 2016 00:35:04 -0400
+Subject: [PATCH 4.4 11/16] netfilter: x_tables: check for size overflow
+To: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
+Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>
+Message-ID: <1472531709-18002-12-git-send-email-alexander.levin@verizon.com>
+
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit d157bd761585605b7882935ffb86286919f62ea1 ]
+
+Ben Hawkes says:
+ integer overflow in xt_alloc_table_info, which on 32-bit systems can
+ lead to small structure allocation and a copy_from_user based heap
+ corruption.
+
+Reported-by: Ben Hawkes <hawkes@google.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/x_tables.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -900,6 +900,9 @@ struct xt_table_info *xt_alloc_table_inf
+ if (sz < sizeof(*info))
+ return NULL;
+
++ if (sz < sizeof(*info))
++ return NULL;
++
+ /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
+ if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
+ return NULL;
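Review bot: The three added lines repeat the test that already appears as context directly above them (`if (sz < sizeof(*info)) return NULL;`), so this patch leaves xt_alloc_table_info() with the same overflow check twice. The series file in this commit shows `0133-netfilter-x_tables-check-for-size-overflow.patch` as already queued and also adds `netfilter-x_tables-check-for-size-overflow.patch`, which suggests the fix had been applied once before. The duplicate is harmless at run time, but I would drop this patch and its series entry rather than carry a redundant check in this allocation path.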
0133-netfilter-x_tables-check-for-size-overflow.patch
0134-tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
0135-tipc-fix-nl-compat-regression-for-link-statistics.patch
+cxlflash-fix-to-escalate-link_reset-also-on-port-1.patch
+cxlflash-fix-to-avoid-virtual-lun-failover-failure.patch
+crypto-nx-842-mask-xers0-bit-in-return-value.patch
+udp-properly-support-msg_peek-with-truncated-buffers.patch
+ib-ipoib-do-not-set-skb-truesize-since-using-one-linearskb.patch
+fs-check-for-invalid-i_uid-in-may_follow_link.patch
+cred-reject-inodes-with-invalid-ids-in-set_create_file_as.patch
+drm-amdgpu-cz-enable-disable-vce-dpm-even-if-vce-pg-is-disabled.patch
+netfilter-x_tables-check-for-size-overflow.patch
+cxlflash-move-to-exponential-back-off-when-cmd_room-is-not-available.patch
+drivers-hv-lock-access-to-hyperv_mmio-resource-tree.patch
+keys-fix-asn.1-indefinite-length-object-parsing.patch
+kernel-add-noaudit-variant-of-ns_capable.patch
+net-use-ns_capable_noaudit-when-determining-net-sysctl-permissions.patch
--- /dev/null
+From stable-owner@vger.kernel.org Tue Aug 30 06:36:52 2016
+From: "Levin, Alexander" <alexander.levin@verizon.com>
+Date: Tue, 30 Aug 2016 00:34:58 -0400
+Subject: [PATCH 4.4 05/16] udp: properly support MSG_PEEK with truncated buffers
+To: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
+Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>
+Message-ID: <1472531709-18002-6-git-send-email-alexander.levin@verizon.com>
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191 ]
+
+Backport of this upstream commit into stable kernels :
+89c22d8c3b27 ("net: Fix skb csum races when peeking")
+exposed a bug in udp stack vs MSG_PEEK support, when user provides
+a buffer smaller than skb payload.
+
+In this case,
+skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
+ msg->msg_iov);
+returns -EFAULT.
+
+This bug does not happen in upstream kernels since Al Viro did a great
+job to replace this into :
+skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
+This variant is safe vs short buffers.
+
+For the time being, instead reverting Herbert Xu patch and add back
+skb->ip_summed invalid changes, simply store the result of
+udp_lib_checksum_complete() so that we avoid computing the checksum a
+second time, and avoid the problematic
+skb_copy_and_csum_datagram_iovec() call.
+
+This patch can be applied on recent kernels as it avoids a double
+checksumming, then backported to stable kernels as a bug fix.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/udp.c | 6 ++++--
+ net/ipv6/udp.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1275,6 +1275,7 @@ int udp_recvmsg(struct sock *sk, struct
+ int peeked, off = 0;
+ int err;
+ int is_udplite = IS_UDPLITE(sk);
++ bool checksum_valid = false;
+ bool slow;
+
+ if (flags & MSG_ERRQUEUE)
+@@ -1300,11 +1301,12 @@ try_again:
+ */
+
+ if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
+- if (udp_lib_checksum_complete(skb))
++ checksum_valid = !udp_lib_checksum_complete(skb);
++ if (!checksum_valid)
+ goto csum_copy_err;
+ }
+
+- if (skb_csum_unnecessary(skb))
++ if (checksum_valid || skb_csum_unnecessary(skb))
+ err = skb_copy_datagram_msg(skb, sizeof(struct udphdr),
+ msg, copied);
+ else {
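Review bot: `checksum_valid` is initialised once at its declaration, but udp_recvmsg() loops back through `try_again:` for the next skb and neither hunk resets the flag there. I cannot tell from the hunks whether any path reaches `try_again` with the flag already true; if one does, the next skb would skip the checksumming copy on the strength of the previous skb's result. Adding `checksum_valid = false;` directly after the `try_again:` label would tie the flag to the skb it describes. The same applies to udpv6_recvmsg() in net/ipv6/udp.c, and both functions start and end outside the hunks.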
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -402,6 +402,7 @@ int udpv6_recvmsg(struct sock *sk, struc
+ int peeked, off = 0;
+ int err;
+ int is_udplite = IS_UDPLITE(sk);
++ bool checksum_valid = false;
+ int is_udp4;
+ bool slow;
+
+@@ -433,11 +434,12 @@ try_again:
+ */
+
+ if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
+- if (udp_lib_checksum_complete(skb))
++ checksum_valid = !udp_lib_checksum_complete(skb);
++ if (!checksum_valid)
+ goto csum_copy_err;
+ }
+
+- if (skb_csum_unnecessary(skb))
++ if (checksum_valid || skb_csum_unnecessary(skb))
+ err = skb_copy_datagram_msg(skb, sizeof(struct udphdr),
+ msg, copied);
+ else {