--- /dev/null
+From 362bca57f5d78220f8b5907b875961af9436e229 Mon Sep 17 00:00:00 2001
+From: Robb Glasser <rglasser@google.com>
+Date: Tue, 5 Dec 2017 09:16:55 -0800
+Subject: ALSA: pcm: prevent UAF in snd_pcm_info
+
+From: Robb Glasser <rglasser@google.com>
+
+commit 362bca57f5d78220f8b5907b875961af9436e229 upstream.
+
+When the device descriptor is closed, the `substream->runtime` pointer
+is freed. But another thread may be in the ioctl handler, case
+SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
+calls snd_pcm_info() which accesses the now freed `substream->runtime`.
+
+Note: this fixes CVE-2017-0861
+
+Signed-off-by: Robb Glasser <rglasser@google.com>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -149,7 +149,9 @@ static int snd_pcm_control_ioctl(struct
+ err = -ENXIO;
+ goto _error;
+ }
++ mutex_lock(&pcm->open_mutex);
+ err = snd_pcm_info_user(substream, info);
++ mutex_unlock(&pcm->open_mutex);
+ _error:
+ mutex_unlock(®ister_mutex);
+ return err;
--- /dev/null
+From 43a3542870328601be02fcc9d27b09db467336ef Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 30 Nov 2017 10:08:28 +0100
+Subject: ALSA: seq: Remove spurious WARN_ON() at timer check
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 43a3542870328601be02fcc9d27b09db467336ef upstream.
+
+The use of snd_BUG_ON() in ALSA sequencer timer may lead to a spurious
+WARN_ON() when a slave timer is deployed as its backend and a
+corresponding master timer stops meanwhile. The symptom was triggered
+by syzkaller spontaneously.
+
+Since the NULL timer is valid there, rip off snd_BUG_ON().
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_timer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/seq/seq_timer.c
++++ b/sound/core/seq/seq_timer.c
+@@ -355,7 +355,7 @@ static int initialize_timer(struct snd_s
+ unsigned long freq;
+
+ t = tmr->timeri->timer;
+- if (snd_BUG_ON(!t))
++ if (!t)
+ return -EINVAL;
+
+ freq = tmr->preferred_resolution;
--- /dev/null
+From 89b89d121ffcf8d9546633b98ded9d18b8f75891 Mon Sep 17 00:00:00 2001
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+Date: Mon, 4 Dec 2017 15:31:49 +0900
+Subject: ALSA: usb-audio: Add check return value for usb_string()
+
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+
+commit 89b89d121ffcf8d9546633b98ded9d18b8f75891 upstream.
+
+snd_usb_copy_string_desc() returns zero if usb_string() fails.
+In case of failure, we need to check the snd_usb_copy_string_desc()'s
+return value and add an exception case
+
+Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2106,13 +2106,14 @@ static int parse_audio_selector_unit(str
+ if (len)
+ ;
+ else if (nameid)
+- snd_usb_copy_string_desc(state, nameid, kctl->id.name,
++ len = snd_usb_copy_string_desc(state, nameid, kctl->id.name,
+ sizeof(kctl->id.name));
+- else {
++ else
+ len = get_term_name(state, &state->oterm,
+ kctl->id.name, sizeof(kctl->id.name), 0);
+- if (!len)
+- strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
++
++ if (!len) {
++ strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
+
+ if (desc->bDescriptorSubtype == UAC2_CLOCK_SELECTOR)
+ append_ctl_name(kctl, " Clock Source");
--- /dev/null
+From 251552a2b0d454badc8f486e6d79100970c744b0 Mon Sep 17 00:00:00 2001
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+Date: Mon, 4 Dec 2017 15:31:48 +0900
+Subject: ALSA: usb-audio: Fix out-of-bound error
+
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+
+commit 251552a2b0d454badc8f486e6d79100970c744b0 upstream.
+
+The snd_usb_copy_string_desc() retrieves the usb string corresponding to
+the index number through the usb_string(). The problem is that the
+usb_string() returns the length of the string (>= 0) when successful, but
+it can also return a negative value about the error case or status of
+usb_control_msg().
+
+If iClockSource is '0' as shown below, usb_string() will returns -EINVAL.
+This will result in '0' being inserted into buf[-22], and the following
+KASAN out-of-bound error message will be output.
+
+AudioControl Interface Descriptor:
+ bLength 8
+ bDescriptorType 36
+ bDescriptorSubtype 10 (CLOCK_SOURCE)
+ bClockID 1
+ bmAttributes 0x07 Internal programmable Clock (synced to SOF)
+ bmControls 0x07
+ Clock Frequency Control (read/write)
+ Clock Validity Control (read-only)
+ bAssocTerminal 0
+ iClockSource 0
+
+To fix it, check usb_string()'return value and bail out.
+
+==================================================================
+BUG: KASAN: stack-out-of-bounds in parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
+Write of size 1 at addr ffff88007e66735a by task systemd-udevd/18376
+
+CPU: 0 PID: 18376 Comm: systemd-udevd Not tainted 4.13.0+ #3
+Hardware name: LG Electronics 15N540-RFLGL/White Tip Mountain, BIOS 15N5
+Call Trace:
+dump_stack+0x63/0x8d
+print_address_description+0x70/0x290
+? parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
+kasan_report+0x265/0x350
+__asan_store1+0x4a/0x50
+parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
+? save_stack+0xb5/0xd0
+? save_stack_trace+0x1b/0x20
+? save_stack+0x46/0xd0
+? kasan_kmalloc+0xad/0xe0
+? kmem_cache_alloc_trace+0xff/0x230
+? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
+? usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
+? usb_probe_interface+0x1f5/0x440
+? driver_probe_device+0x3ed/0x660
+? build_feature_ctl+0xb10/0xb10 [snd_usb_audio]
+? save_stack_trace+0x1b/0x20
+? init_object+0x69/0xa0
+? snd_usb_find_csint_desc+0xa8/0xf0 [snd_usb_audio]
+snd_usb_mixer_controls+0x1dc/0x370 [snd_usb_audio]
+? build_audio_procunit+0x890/0x890 [snd_usb_audio]
+? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
+? kmem_cache_alloc_trace+0xff/0x230
+? usb_ifnum_to_if+0xbd/0xf0
+snd_usb_create_mixer+0x25b/0x4b0 [snd_usb_audio]
+? snd_usb_create_stream+0x255/0x2c0 [snd_usb_audio]
+usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
+? snd_usb_autosuspend.part.7+0x30/0x30 [snd_usb_audio]
+? __pm_runtime_idle+0x90/0x90
+? kernfs_activate+0xa6/0xc0
+? usb_match_one_id_intf+0xdc/0x130
+? __pm_runtime_set_status+0x2d4/0x450
+usb_probe_interface+0x1f5/0x440
+
+Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -203,6 +203,10 @@ static int snd_usb_copy_string_desc(stru
+ int index, char *buf, int maxlen)
+ {
+ int len = usb_string(state->chip->dev, index, buf, maxlen - 1);
++
++ if (len < 0)
++ return 0;
++
+ buf[len] = 0;
+ return len;
+ }
--- /dev/null
+From 071b6d4a5d343046f253a5a8835d477d93992002 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Tue, 5 Dec 2017 14:56:42 +0000
+Subject: arm64: fpsimd: Prevent registers leaking from dead tasks
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit 071b6d4a5d343046f253a5a8835d477d93992002 upstream.
+
+Currently, loading of a task's fpsimd state into the CPU registers
+is skipped if that task's state is already present in the registers
+of that CPU.
+
+However, the code relies on the struct fpsimd_state * (and by
+extension struct task_struct *) to unambiguously identify a task.
+
+There is a particular case in which this doesn't work reliably:
+when a task exits, its task_struct may be recycled to describe a
+new task.
+
+Consider the following scenario:
+
+ 1) Task P loads its fpsimd state onto cpu C.
+ per_cpu(fpsimd_last_state, C) := P;
+ P->thread.fpsimd_state.cpu := C;
+
+ 2) Task X is scheduled onto C and loads its fpsimd state on C.
+ per_cpu(fpsimd_last_state, C) := X;
+ X->thread.fpsimd_state.cpu := C;
+
+ 3) X exits, causing X's task_struct to be freed.
+
+ 4) P forks a new child T, which obtains X's recycled task_struct.
+ T == X.
+ T->thread.fpsimd_state.cpu == C (inherited from P).
+
+ 5) T is scheduled on C.
+ T's fpsimd state is not loaded, because
+ per_cpu(fpsimd_last_state, C) == T (== X) &&
+ T->thread.fpsimd_state.cpu == C.
+
+ (This is the check performed by fpsimd_thread_switch().)
+
+So, T gets X's registers because the last registers loaded onto C
+were those of X, in (2).
+
+This patch fixes the problem by ensuring that the sched-in check
+fails in (5): fpsimd_flush_task_state(T) is called when T is
+forked, so that T->thread.fpsimd_state.cpu == C cannot be true.
+This relies on the fact that T is not schedulable until after
+copy_thread() completes.
+
+Once T's fpsimd state has been loaded on some CPU C there may still
+be other cpus D for which per_cpu(fpsimd_last_state, D) ==
+&X->thread.fpsimd_state. But D is necessarily != C in this case,
+and the check in (5) must fail.
+
+An alternative fix would be to do refcounting on task_struct. This
+would result in each CPU holding a reference to the last task whose
+fpsimd state was loaded there. It's not clear whether this is
+preferable, and it involves higher overhead than the fix proposed
+in this patch. It would also move all the task_struct freeing
+work into the context switch critical section, or otherwise some
+deferred cleanup mechanism would need to be introduced, neither of
+which seems obviously justified.
+
+Fixes: 005f78cd8849 ("arm64: defer reloading a task's FPSIMD state to userland resume")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+[will: word-smithed the comment so it makes more sense]
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/process.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/arm64/kernel/process.c
++++ b/arch/arm64/kernel/process.c
+@@ -251,6 +251,15 @@ int copy_thread(unsigned long clone_flag
+
+ memset(&p->thread.cpu_context, 0, sizeof(struct cpu_context));
+
++ /*
++ * In case p was allocated the same task_struct pointer as some
++ * other recently-exited task, make sure p is disassociated from
++ * any cpu that may have run that now-exited task recently.
++ * Otherwise we could erroneously skip reloading the FPSIMD
++ * registers for p.
++ */
++ fpsimd_flush_task_state(p);
++
+ if (likely(!(p->flags & PF_KTHREAD))) {
+ *childregs = *current_pt_regs();
+ childregs->regs[0] = 0;
--- /dev/null
+From 26aa7b3b1c0fb3f1a6176a0c1847204ef4355693 Mon Sep 17 00:00:00 2001
+From: Kristina Martsenko <kristina.martsenko@arm.com>
+Date: Thu, 16 Nov 2017 17:58:20 +0000
+Subject: arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
+
+From: Kristina Martsenko <kristina.martsenko@arm.com>
+
+commit 26aa7b3b1c0fb3f1a6176a0c1847204ef4355693 upstream.
+
+VTTBR_BADDR_MASK is used to sanity check the size and alignment of the
+VTTBR address. It seems to currently be off by one, thereby only
+allowing up to 47-bit addresses (instead of 48-bit) and also
+insufficiently checking the alignment. This patch fixes it.
+
+As an example, with 4k pages, before this patch we have:
+
+ PHYS_MASK_SHIFT = 48
+ VTTBR_X = 37 - 24 = 13
+ VTTBR_BADDR_SHIFT = 13 - 1 = 12
+ VTTBR_BADDR_MASK = ((1 << 35) - 1) << 12 = 0x00007ffffffff000
+
+Which is wrong, because the mask doesn't allow bit 47 of the VTTBR
+address to be set, and only requires the address to be 12-bit (4k)
+aligned, while it actually needs to be 13-bit (8k) aligned because we
+concatenate two 4k tables.
+
+With this patch, the mask becomes 0x0000ffffffffe000, which is what we
+want.
+
+Fixes: 0369f6a34b9f ("arm64: KVM: EL2 register definitions")
+Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/kvm_arm.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_arm.h
++++ b/arch/arm64/include/asm/kvm_arm.h
+@@ -164,8 +164,7 @@
+ #define VTTBR_X (37 - VTCR_EL2_T0SZ_40B)
+ #endif
+
+-#define VTTBR_BADDR_SHIFT (VTTBR_X - 1)
+-#define VTTBR_BADDR_MASK (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT)
++#define VTTBR_BADDR_MASK (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_X)
+ #define VTTBR_VMID_SHIFT (UL(48))
+ #define VTTBR_VMID_MASK (UL(0xFF) << VTTBR_VMID_SHIFT)
+
--- /dev/null
+From 81a7be2cd69b412ab6aeacfe5ebf1bb6e5bce955 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 8 Dec 2017 15:13:27 +0000
+Subject: ASN.1: check for error from ASN1_OP_END__ACT actions
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 81a7be2cd69b412ab6aeacfe5ebf1bb6e5bce955 upstream.
+
+asn1_ber_decoder() was ignoring errors from actions associated with the
+opcodes ASN1_OP_END_SEQ_ACT, ASN1_OP_END_SET_ACT,
+ASN1_OP_END_SEQ_OF_ACT, and ASN1_OP_END_SET_OF_ACT. In practice, this
+meant the pkcs7_note_signed_info() action (since that was the only user
+of those opcodes). Fix it by checking for the error, just like the
+decoder does for actions associated with the other opcodes.
+
+This bug allowed users to leak slab memory by repeatedly trying to add a
+specially crafted "pkcs7_test" key (requires CONFIG_PKCS7_TEST_KEY).
+
+In theory, this bug could also be used to bypass module signature
+verification, by providing a PKCS#7 message that is misparsed such that
+a signature's ->authattrs do not contain its ->msgdigest. But it
+doesn't seem practical in normal cases, due to restrictions on the
+format of the ->authattrs.
+
+Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/asn1_decoder.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/lib/asn1_decoder.c
++++ b/lib/asn1_decoder.c
+@@ -438,6 +438,8 @@ next_op:
+ else
+ act = machine[pc + 1];
+ ret = actions[act](context, hdr, 0, data + tdp, len);
++ if (ret < 0)
++ return ret;
+ }
+ pc += asn1_op_lengths[op];
+ goto next_op;
--- /dev/null
+From e0058f3a874ebb48b25be7ff79bc3b4e59929f90 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 8 Dec 2017 15:13:27 +0000
+Subject: ASN.1: fix out-of-bounds read when parsing indefinite length item
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit e0058f3a874ebb48b25be7ff79bc3b4e59929f90 upstream.
+
+In asn1_ber_decoder(), indefinitely-sized ASN.1 items were being passed
+to the action functions before their lengths had been computed, using
+the bogus length of 0x80 (ASN1_INDEFINITE_LENGTH). This resulted in
+reading data past the end of the input buffer, when given a specially
+crafted message.
+
+Fix it by rearranging the code so that the indefinite length is resolved
+before the action is called.
+
+This bug was originally found by fuzzing the X.509 parser in userspace
+using libFuzzer from the LLVM project.
+
+KASAN report (cleaned up slightly):
+
+ BUG: KASAN: slab-out-of-bounds in memcpy ./include/linux/string.h:341 [inline]
+ BUG: KASAN: slab-out-of-bounds in x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
+ Read of size 128 at addr ffff880035dd9eaf by task keyctl/195
+
+ CPU: 1 PID: 195 Comm: keyctl Not tainted 4.14.0-09238-g1d3b78bbc6e9 #26
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
+ Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0xd1/0x175 lib/dump_stack.c:53
+ print_address_description+0x78/0x260 mm/kasan/report.c:252
+ kasan_report_error mm/kasan/report.c:351 [inline]
+ kasan_report+0x23f/0x350 mm/kasan/report.c:409
+ memcpy+0x1f/0x50 mm/kasan/kasan.c:302
+ memcpy ./include/linux/string.h:341 [inline]
+ x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
+ asn1_ber_decoder+0xb4a/0x1fd0 lib/asn1_decoder.c:447
+ x509_cert_parse+0x1c7/0x620 crypto/asymmetric_keys/x509_cert_parser.c:89
+ x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
+ asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
+ key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
+ SYSC_add_key security/keys/keyctl.c:122 [inline]
+ SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
+ entry_SYSCALL_64_fastpath+0x1f/0x96
+
+ Allocated by task 195:
+ __do_kmalloc_node mm/slab.c:3675 [inline]
+ __kmalloc_node+0x47/0x60 mm/slab.c:3682
+ kvmalloc ./include/linux/mm.h:540 [inline]
+ SYSC_add_key security/keys/keyctl.c:104 [inline]
+ SyS_add_key+0x19e/0x290 security/keys/keyctl.c:62
+ entry_SYSCALL_64_fastpath+0x1f/0x96
+
+Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
+Reported-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/asn1_decoder.c | 47 ++++++++++++++++++++++++++---------------------
+ 1 file changed, 26 insertions(+), 21 deletions(-)
+
+--- a/lib/asn1_decoder.c
++++ b/lib/asn1_decoder.c
+@@ -312,42 +312,47 @@ next_op:
+
+ /* Decide how to handle the operation */
+ switch (op) {
+- case ASN1_OP_MATCH_ANY_ACT:
+- case ASN1_OP_MATCH_ANY_ACT_OR_SKIP:
+- case ASN1_OP_COND_MATCH_ANY_ACT:
+- case ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP:
+- ret = actions[machine[pc + 1]](context, hdr, tag, data + dp, len);
+- if (ret < 0)
+- return ret;
+- goto skip_data;
+-
+- case ASN1_OP_MATCH_ACT:
+- case ASN1_OP_MATCH_ACT_OR_SKIP:
+- case ASN1_OP_COND_MATCH_ACT_OR_SKIP:
+- ret = actions[machine[pc + 2]](context, hdr, tag, data + dp, len);
+- if (ret < 0)
+- return ret;
+- goto skip_data;
+-
+ case ASN1_OP_MATCH:
+ case ASN1_OP_MATCH_OR_SKIP:
++ case ASN1_OP_MATCH_ACT:
++ case ASN1_OP_MATCH_ACT_OR_SKIP:
+ case ASN1_OP_MATCH_ANY:
+ case ASN1_OP_MATCH_ANY_OR_SKIP:
++ case ASN1_OP_MATCH_ANY_ACT:
++ case ASN1_OP_MATCH_ANY_ACT_OR_SKIP:
+ case ASN1_OP_COND_MATCH_OR_SKIP:
++ case ASN1_OP_COND_MATCH_ACT_OR_SKIP:
+ case ASN1_OP_COND_MATCH_ANY:
+ case ASN1_OP_COND_MATCH_ANY_OR_SKIP:
+- skip_data:
++ case ASN1_OP_COND_MATCH_ANY_ACT:
++ case ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP:
++
+ if (!(flags & FLAG_CONS)) {
+ if (flags & FLAG_INDEFINITE_LENGTH) {
++ size_t tmp = dp;
++
+ ret = asn1_find_indefinite_length(
+- data, datalen, &dp, &len, &errmsg);
++ data, datalen, &tmp, &len, &errmsg);
+ if (ret < 0)
+ goto error;
+- } else {
+- dp += len;
+ }
+ pr_debug("- LEAF: %zu\n", len);
+ }
++
++ if (op & ASN1_OP_MATCH__ACT) {
++ unsigned char act;
++
++ if (op & ASN1_OP_MATCH__ANY)
++ act = machine[pc + 1];
++ else
++ act = machine[pc + 2];
++ ret = actions[act](context, hdr, tag, data + dp, len);
++ if (ret < 0)
++ return ret;
++ }
++
++ if (!(flags & FLAG_CONS))
++ dp += len;
+ pc += asn1_op_lengths[op];
+ goto next_op;
+
--- /dev/null
+From 120a264f9c2782682027d931d83dcbd22e01da80 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Wed, 22 Nov 2017 14:14:47 +0100
+Subject: drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit 120a264f9c2782682027d931d83dcbd22e01da80 upstream.
+
+When no IOMMU is available, all GEM buffers allocated by Exynos DRM driver
+are contiguous, because of the underlying dma_alloc_attrs() function
+provides only such buffers. In such case it makes no sense to keep
+BO_NONCONTIG flag for the allocated GEM buffers. This allows to avoid
+failures for buffer contiguity checks in the subsequent operations on GEM
+objects.
+
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/exynos/exynos_drm_gem.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/gpu/drm/exynos/exynos_drm_gem.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_gem.c
+@@ -245,6 +245,15 @@ struct exynos_drm_gem *exynos_drm_gem_cr
+ if (IS_ERR(exynos_gem))
+ return exynos_gem;
+
++ if (!is_drm_iommu_supported(dev) && (flags & EXYNOS_BO_NONCONTIG)) {
++ /*
++ * when no IOMMU is available, all allocated buffers are
++ * contiguous anyway, so drop EXYNOS_BO_NONCONTIG flag
++ */
++ flags &= ~EXYNOS_BO_NONCONTIG;
++ DRM_WARN("Non-contiguous allocation is not supported without IOMMU, falling back to contiguous buffer\n");
++ }
++
+ /* set memory type and cache attribute from user side. */
+ exynos_gem->flags = flags;
+
--- /dev/null
+From 89c5a2d34bda58319e3075e8e7dd727ea25a435c Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Wed, 6 Dec 2017 09:50:09 +0000
+Subject: efi/esrt: Use memunmap() instead of kfree() to free the remapping
+
+From: Pan Bian <bianpan2016@163.com>
+
+commit 89c5a2d34bda58319e3075e8e7dd727ea25a435c upstream.
+
+The remapping result of memremap() should be freed with memunmap(), not kfree().
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20171206095010.24170-3-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/efi/esrt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/efi/esrt.c
++++ b/drivers/firmware/efi/esrt.c
+@@ -442,7 +442,7 @@ err_remove_group:
+ err_remove_esrt:
+ kobject_put(esrt_kobj);
+ err:
+- kfree(esrt);
++ memunmap(esrt);
+ esrt = NULL;
+ return error;
+ }
--- /dev/null
+From af97a77bc01ce49a466f9d4c0125479e2e2230b6 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 6 Dec 2017 09:50:08 +0000
+Subject: efi: Move some sysfs files to be read-only by root
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit af97a77bc01ce49a466f9d4c0125479e2e2230b6 upstream.
+
+Thanks to the scripts/leaking_addresses.pl script, it was found that
+some EFI values should not be readable by non-root users.
+
+So make them root-only, and to do that, add a __ATTR_RO_MODE() macro to
+make this easier, and use it in other places at the same time.
+
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Tested-by: Dave Young <dyoung@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20171206095010.24170-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/efi/efi.c | 3 +--
+ drivers/firmware/efi/esrt.c | 15 ++++++---------
+ drivers/firmware/efi/runtime-map.c | 10 +++++-----
+ include/linux/sysfs.h | 6 ++++++
+ 4 files changed, 18 insertions(+), 16 deletions(-)
+
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -113,8 +113,7 @@ static ssize_t systab_show(struct kobjec
+ return str - buf;
+ }
+
+-static struct kobj_attribute efi_attr_systab =
+- __ATTR(systab, 0400, systab_show, NULL);
++static struct kobj_attribute efi_attr_systab = __ATTR_RO_MODE(systab, 0400);
+
+ #define EFI_FIELD(var) efi.var
+
+--- a/drivers/firmware/efi/esrt.c
++++ b/drivers/firmware/efi/esrt.c
+@@ -105,7 +105,7 @@ static const struct sysfs_ops esre_attr_
+ };
+
+ /* Generic ESRT Entry ("ESRE") support. */
+-static ssize_t esre_fw_class_show(struct esre_entry *entry, char *buf)
++static ssize_t fw_class_show(struct esre_entry *entry, char *buf)
+ {
+ char *str = buf;
+
+@@ -116,18 +116,16 @@ static ssize_t esre_fw_class_show(struct
+ return str - buf;
+ }
+
+-static struct esre_attribute esre_fw_class = __ATTR(fw_class, 0400,
+- esre_fw_class_show, NULL);
++static struct esre_attribute esre_fw_class = __ATTR_RO_MODE(fw_class, 0400);
+
+ #define esre_attr_decl(name, size, fmt) \
+-static ssize_t esre_##name##_show(struct esre_entry *entry, char *buf) \
++static ssize_t name##_show(struct esre_entry *entry, char *buf) \
+ { \
+ return sprintf(buf, fmt "\n", \
+ le##size##_to_cpu(entry->esre.esre1->name)); \
+ } \
+ \
+-static struct esre_attribute esre_##name = __ATTR(name, 0400, \
+- esre_##name##_show, NULL)
++static struct esre_attribute esre_##name = __ATTR_RO_MODE(name, 0400)
+
+ esre_attr_decl(fw_type, 32, "%u");
+ esre_attr_decl(fw_version, 32, "%u");
+@@ -195,14 +193,13 @@ static int esre_create_sysfs_entry(void
+
+ /* support for displaying ESRT fields at the top level */
+ #define esrt_attr_decl(name, size, fmt) \
+-static ssize_t esrt_##name##_show(struct kobject *kobj, \
++static ssize_t name##_show(struct kobject *kobj, \
+ struct kobj_attribute *attr, char *buf)\
+ { \
+ return sprintf(buf, fmt "\n", le##size##_to_cpu(esrt->name)); \
+ } \
+ \
+-static struct kobj_attribute esrt_##name = __ATTR(name, 0400, \
+- esrt_##name##_show, NULL)
++static struct kobj_attribute esrt_##name = __ATTR_RO_MODE(name, 0400)
+
+ esrt_attr_decl(fw_resource_count, 32, "%u");
+ esrt_attr_decl(fw_resource_count_max, 32, "%u");
+--- a/drivers/firmware/efi/runtime-map.c
++++ b/drivers/firmware/efi/runtime-map.c
+@@ -67,11 +67,11 @@ static ssize_t map_attr_show(struct kobj
+ return map_attr->show(entry, buf);
+ }
+
+-static struct map_attribute map_type_attr = __ATTR_RO(type);
+-static struct map_attribute map_phys_addr_attr = __ATTR_RO(phys_addr);
+-static struct map_attribute map_virt_addr_attr = __ATTR_RO(virt_addr);
+-static struct map_attribute map_num_pages_attr = __ATTR_RO(num_pages);
+-static struct map_attribute map_attribute_attr = __ATTR_RO(attribute);
++static struct map_attribute map_type_attr = __ATTR_RO_MODE(type, 0400);
++static struct map_attribute map_phys_addr_attr = __ATTR_RO_MODE(phys_addr, 0400);
++static struct map_attribute map_virt_addr_attr = __ATTR_RO_MODE(virt_addr, 0400);
++static struct map_attribute map_num_pages_attr = __ATTR_RO_MODE(num_pages, 0400);
++static struct map_attribute map_attribute_attr = __ATTR_RO_MODE(attribute, 0400);
+
+ /*
+ * These are default attributes that are added for every memmap entry.
+--- a/include/linux/sysfs.h
++++ b/include/linux/sysfs.h
+@@ -116,6 +116,12 @@ struct attribute_group {
+ .show = _name##_show, \
+ }
+
++#define __ATTR_RO_MODE(_name, _mode) { \
++ .attr = { .name = __stringify(_name), \
++ .mode = VERIFY_OCTAL_PERMISSIONS(_mode) }, \
++ .show = _name##_show, \
++}
++
+ #define __ATTR_WO(_name) { \
+ .attr = { .name = __stringify(_name), .mode = S_IWUSR }, \
+ .store = _name##_store, \
--- /dev/null
+From 297d6b6e56c2977fc504c61bbeeaa21296923f89 Mon Sep 17 00:00:00 2001
+From: Paul Meyer <Paul.Meyer@microsoft.com>
+Date: Tue, 14 Nov 2017 13:06:47 -0700
+Subject: hv: kvp: Avoid reading past allocated blocks from KVP file
+
+From: Paul Meyer <Paul.Meyer@microsoft.com>
+
+commit 297d6b6e56c2977fc504c61bbeeaa21296923f89 upstream.
+
+While reading in more than one block (50) of KVP records, the allocation
+goes per block, but the reads used the total number of allocated records
+(without resetting the pointer/stream). This causes the records buffer to
+overrun when the refresh reads more than one block over the previous
+capacity (e.g. reading more than 100 KVP records whereas the in-memory
+database was empty before).
+
+Fix this by reading the correct number of KVP records from file each time.
+
+Signed-off-by: Paul Meyer <Paul.Meyer@microsoft.com>
+Signed-off-by: Long Li <longli@microsoft.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/hv/hv_kvp_daemon.c | 70 +++++++++--------------------------------------
+ 1 file changed, 14 insertions(+), 56 deletions(-)
+
+--- a/tools/hv/hv_kvp_daemon.c
++++ b/tools/hv/hv_kvp_daemon.c
+@@ -193,11 +193,14 @@ static void kvp_update_mem_state(int poo
+ for (;;) {
+ readp = &record[records_read];
+ records_read += fread(readp, sizeof(struct kvp_record),
+- ENTRIES_PER_BLOCK * num_blocks,
+- filep);
++ ENTRIES_PER_BLOCK * num_blocks - records_read,
++ filep);
+
+ if (ferror(filep)) {
+- syslog(LOG_ERR, "Failed to read file, pool: %d", pool);
++ syslog(LOG_ERR,
++ "Failed to read file, pool: %d; error: %d %s",
++ pool, errno, strerror(errno));
++ kvp_release_lock(pool);
+ exit(EXIT_FAILURE);
+ }
+
+@@ -210,6 +213,7 @@ static void kvp_update_mem_state(int poo
+
+ if (record == NULL) {
+ syslog(LOG_ERR, "malloc failed");
++ kvp_release_lock(pool);
+ exit(EXIT_FAILURE);
+ }
+ continue;
+@@ -224,15 +228,11 @@ static void kvp_update_mem_state(int poo
+ fclose(filep);
+ kvp_release_lock(pool);
+ }
++
+ static int kvp_file_init(void)
+ {
+ int fd;
+- FILE *filep;
+- size_t records_read;
+ char *fname;
+- struct kvp_record *record;
+- struct kvp_record *readp;
+- int num_blocks;
+ int i;
+ int alloc_unit = sizeof(struct kvp_record) * ENTRIES_PER_BLOCK;
+
+@@ -246,61 +246,19 @@ static int kvp_file_init(void)
+
+ for (i = 0; i < KVP_POOL_COUNT; i++) {
+ fname = kvp_file_info[i].fname;
+- records_read = 0;
+- num_blocks = 1;
+ sprintf(fname, "%s/.kvp_pool_%d", KVP_CONFIG_LOC, i);
+ fd = open(fname, O_RDWR | O_CREAT | O_CLOEXEC, 0644 /* rw-r--r-- */);
+
+ if (fd == -1)
+ return 1;
+
+-
+- filep = fopen(fname, "re");
+- if (!filep) {
+- close(fd);
+- return 1;
+- }
+-
+- record = malloc(alloc_unit * num_blocks);
+- if (record == NULL) {
+- fclose(filep);
+- close(fd);
+- return 1;
+- }
+- for (;;) {
+- readp = &record[records_read];
+- records_read += fread(readp, sizeof(struct kvp_record),
+- ENTRIES_PER_BLOCK,
+- filep);
+-
+- if (ferror(filep)) {
+- syslog(LOG_ERR, "Failed to read file, pool: %d",
+- i);
+- exit(EXIT_FAILURE);
+- }
+-
+- if (!feof(filep)) {
+- /*
+- * We have more data to read.
+- */
+- num_blocks++;
+- record = realloc(record, alloc_unit *
+- num_blocks);
+- if (record == NULL) {
+- fclose(filep);
+- close(fd);
+- return 1;
+- }
+- continue;
+- }
+- break;
+- }
+ kvp_file_info[i].fd = fd;
+- kvp_file_info[i].num_blocks = num_blocks;
+- kvp_file_info[i].records = record;
+- kvp_file_info[i].num_records = records_read;
+- fclose(filep);
+-
++ kvp_file_info[i].num_blocks = 1;
++ kvp_file_info[i].records = malloc(alloc_unit);
++ if (kvp_file_info[i].records == NULL)
++ return 1;
++ kvp_file_info[i].num_records = 0;
++ kvp_update_mem_state(i);
+ }
+
+ return 0;
--- /dev/null
+From 29a90b70893817e2f2bb3cea40a29f5308e21b21 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Thu, 28 Sep 2017 15:14:01 +0100
+Subject: iommu/vt-d: Fix scatterlist offset handling
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 29a90b70893817e2f2bb3cea40a29f5308e21b21 upstream.
+
+The intel-iommu DMA ops fail to correctly handle scatterlists where
+sg->offset is greater than PAGE_SIZE - the IOVA allocation is computed
+appropriately based on the page-aligned portion of the offset, but the
+mapping is set up relative to sg->page, which means it fails to actually
+cover the whole buffer (and in the worst case doesn't cover it at all):
+
+ (sg->dma_address + sg->dma_len) ----+
+ sg->dma_address ---------+ |
+ iov_pfn------+ | |
+ | | |
+ v v v
+iova: a b c d e f
+ |--------|--------|--------|--------|--------|
+ <...calculated....>
+ [_____mapped______]
+pfn: 0 1 2 3 4 5
+ |--------|--------|--------|--------|--------|
+ ^ ^ ^
+ | | |
+ sg->page ----+ | |
+ sg->offset --------------+ |
+ (sg->offset + sg->length) ----------+
+
+As a result, the caller ends up overrunning the mapping into whatever
+lies beyond, which usually goes badly:
+
+[ 429.645492] DMAR: DRHD: handling fault status reg 2
+[ 429.650847] DMAR: [DMA Write] Request device [02:00.4] fault addr f2682000 ...
+
+Whilst this is a fairly rare occurrence, it can happen from the result
+of intermediate scatterlist processing such as scatterwalk_ffwd() in the
+crypto layer. Whilst that particular site could be fixed up, it still
+seems worthwhile to bring intel-iommu in line with other DMA API
+implementations in handling this robustly.
+
+To that end, fix the intel_map_sg() path to line up the mapping
+correctly (in units of MM pages rather than VT-d pages to match the
+aligned_nrpages() calculation) regardless of the offset, and use
+sg_phys() consistently for clarity.
+
+Reported-by: Harsh Jain <Harsh@chelsio.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Reviewed by: Ashok Raj <ashok.raj@intel.com>
+Tested by: Jacob Pan <jacob.jun.pan@intel.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/intel-iommu.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -2201,10 +2201,12 @@ static int __domain_mapping(struct dmar_
+ uint64_t tmp;
+
+ if (!sg_res) {
++ unsigned int pgoff = sg->offset & ~PAGE_MASK;
++
+ sg_res = aligned_nrpages(sg->offset, sg->length);
+- sg->dma_address = ((dma_addr_t)iov_pfn << VTD_PAGE_SHIFT) + sg->offset;
++ sg->dma_address = ((dma_addr_t)iov_pfn << VTD_PAGE_SHIFT) + pgoff;
+ sg->dma_length = sg->length;
+- pteval = page_to_phys(sg_page(sg)) | prot;
++ pteval = (sg_phys(sg) - pgoff) | prot;
+ phys_pfn = pteval >> VTD_PAGE_SHIFT;
+ }
+
+@@ -3757,7 +3759,7 @@ static int intel_nontranslate_map_sg(str
+
+ for_each_sg(sglist, sg, nelems, i) {
+ BUG_ON(!sg_page(sg));
+- sg->dma_address = page_to_phys(sg_page(sg)) + sg->offset;
++ sg->dma_address = sg_phys(sg);
+ sg->dma_length = sg->length;
+ }
+ return nelems;
--- /dev/null
+From 5a244727f428a06634f22bb890e78024ab0c89f3 Mon Sep 17 00:00:00 2001
+From: William Breathitt Gray <vilhelm.gray@gmail.com>
+Date: Wed, 8 Nov 2017 10:23:11 -0500
+Subject: isa: Prevent NULL dereference in isa_bus driver callbacks
+
+From: William Breathitt Gray <vilhelm.gray@gmail.com>
+
+commit 5a244727f428a06634f22bb890e78024ab0c89f3 upstream.
+
+The isa_driver structure for an isa_bus device is stored in the device
+platform_data member of the respective device structure. This
+platform_data member may be reset to NULL if isa_driver match callback
+for the device fails, indicating a device unsupported by the ISA driver.
+
+This patch fixes a possible NULL pointer dereference if one of the
+isa_driver callbacks to attempted for an unsupported device. This error
+should not occur in practice since ISA devices are typically manually
+configured and loaded by the users, but we may as well prevent this
+error from popping up for the 0day testers.
+
+Fixes: a5117ba7da37 ("[PATCH] Driver model: add ISA bus")
+Signed-off-by: William Breathitt Gray <vilhelm.gray@gmail.com>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/isa.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/base/isa.c
++++ b/drivers/base/isa.c
+@@ -39,7 +39,7 @@ static int isa_bus_probe(struct device *
+ {
+ struct isa_driver *isa_driver = dev->platform_data;
+
+- if (isa_driver->probe)
++ if (isa_driver && isa_driver->probe)
+ return isa_driver->probe(dev, to_isa_dev(dev)->id);
+
+ return 0;
+@@ -49,7 +49,7 @@ static int isa_bus_remove(struct device
+ {
+ struct isa_driver *isa_driver = dev->platform_data;
+
+- if (isa_driver->remove)
++ if (isa_driver && isa_driver->remove)
+ return isa_driver->remove(dev, to_isa_dev(dev)->id);
+
+ return 0;
+@@ -59,7 +59,7 @@ static void isa_bus_shutdown(struct devi
+ {
+ struct isa_driver *isa_driver = dev->platform_data;
+
+- if (isa_driver->shutdown)
++ if (isa_driver && isa_driver->shutdown)
+ isa_driver->shutdown(dev, to_isa_dev(dev)->id);
+ }
+
+@@ -67,7 +67,7 @@ static int isa_bus_suspend(struct device
+ {
+ struct isa_driver *isa_driver = dev->platform_data;
+
+- if (isa_driver->suspend)
++ if (isa_driver && isa_driver->suspend)
+ return isa_driver->suspend(dev, to_isa_dev(dev)->id, state);
+
+ return 0;
+@@ -77,7 +77,7 @@ static int isa_bus_resume(struct device
+ {
+ struct isa_driver *isa_driver = dev->platform_data;
+
+- if (isa_driver->resume)
++ if (isa_driver && isa_driver->resume)
+ return isa_driver->resume(dev, to_isa_dev(dev)->id);
+
+ return 0;
--- /dev/null
+From c07d35338081d107e57cf37572d8cc931a8e32e2 Mon Sep 17 00:00:00 2001
+From: Daniel Thompson <daniel.thompson@linaro.org>
+Date: Mon, 2 Mar 2015 14:13:36 +0000
+Subject: kdb: Fix handling of kallsyms_symbol_next() return value
+
+From: Daniel Thompson <daniel.thompson@linaro.org>
+
+commit c07d35338081d107e57cf37572d8cc931a8e32e2 upstream.
+
+kallsyms_symbol_next() returns a boolean (true on success). Currently
+kdb_read() tests the return value with an inequality that
+unconditionally evaluates to true.
+
+This is fixed in the obvious way and, since the conditional branch is
+supposed to be unreachable, we also add a WARN_ON().
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/debug/kdb/kdb_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/debug/kdb/kdb_io.c
++++ b/kernel/debug/kdb/kdb_io.c
+@@ -349,7 +349,7 @@ poll_again:
+ }
+ kdb_printf("\n");
+ for (i = 0; i < count; i++) {
+- if (kallsyms_symbol_next(p_tmp, i) < 0)
++ if (WARN_ON(!kallsyms_symbol_next(p_tmp, i)))
+ break;
+ kdb_printf("%s ", p_tmp);
+ *(p_tmp + len) = '\0';
--- /dev/null
+From d59d51f088014f25c2562de59b9abff4f42a7468 Mon Sep 17 00:00:00 2001
+From: Andrew Honig <ahonig@google.com>
+Date: Fri, 1 Dec 2017 10:21:09 -0800
+Subject: KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrew Honig <ahonig@google.com>
+
+commit d59d51f088014f25c2562de59b9abff4f42a7468 upstream.
+
+This fixes CVE-2017-1000407.
+
+KVM allows guests to directly access I/O port 0x80 on Intel hosts. If
+the guest floods this port with writes it generates exceptions and
+instability in the host kernel, leading to a crash. With this change
+guest writes to port 0x80 on Intel will behave the same as they
+currently behave on AMD systems.
+
+Prevent the flooding by removing the code that sets port 0x80 as a
+passthrough port. This is essentially the same as upstream patch
+99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
+for AMD chipsets and this patch is for Intel.
+
+Signed-off-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6182,12 +6182,7 @@ static __init int hardware_setup(void)
+ memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
+ memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);
+
+- /*
+- * Allow direct access to the PC debug port (it is often used for I/O
+- * delays, but the vmexits simply slow things down).
+- */
+ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
+- clear_bit(0x80, vmx_io_bitmap_a);
+
+ memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
+
--- /dev/null
+From 6d33377f2abbf9f0e561b116dd468d1c3ff36a6a Mon Sep 17 00:00:00 2001
+From: Laurent Caumont <lcaumont2@gmail.com>
+Date: Sat, 11 Nov 2017 12:44:46 -0500
+Subject: media: dvb: i2c transfers over usb cannot be done from stack
+
+From: Laurent Caumont <lcaumont2@gmail.com>
+
+commit 6d33377f2abbf9f0e561b116dd468d1c3ff36a6a upstream.
+
+Signed-off-by: Laurent Caumont <lcaumont2@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/dibusb-common.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/dibusb-common.c
++++ b/drivers/media/usb/dvb-usb/dibusb-common.c
+@@ -179,8 +179,20 @@ EXPORT_SYMBOL(dibusb_i2c_algo);
+
+ int dibusb_read_eeprom_byte(struct dvb_usb_device *d, u8 offs, u8 *val)
+ {
+- u8 wbuf[1] = { offs };
+- return dibusb_i2c_msg(d, 0x50, wbuf, 1, val, 1);
++ u8 *buf;
++ int rc;
++
++ buf = kmalloc(2, GFP_KERNEL);
++ if (!buf)
++ return -ENOMEM;
++
++ buf[0] = offs;
++
++ rc = dibusb_i2c_msg(d, 0x50, &buf[0], 1, &buf[1], 1);
++ *val = buf[1];
++ kfree(buf);
++
++ return rc;
+ }
+ EXPORT_SYMBOL(dibusb_read_eeprom_byte);
+
--- /dev/null
+From e779498df587dd2189b30fe5b9245aefab870eb8 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Wed, 6 Dec 2017 16:11:27 +0100
+Subject: s390: fix compat system call table
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+commit e779498df587dd2189b30fe5b9245aefab870eb8 upstream.
+
+When wiring up the socket system calls the compat entries were
+incorrectly set. Not all of them point to the corresponding compat
+wrapper functions, which clear the upper 33 bits of user space
+pointers, like it is required.
+
+Fixes: 977108f89c989 ("s390: wire up separate socketcalls system calls")
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/syscalls.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/s390/kernel/syscalls.S
++++ b/arch/s390/kernel/syscalls.S
+@@ -369,10 +369,10 @@ SYSCALL(sys_recvmmsg,compat_sys_recvmmsg
+ SYSCALL(sys_sendmmsg,compat_sys_sendmmsg)
+ SYSCALL(sys_socket,sys_socket)
+ SYSCALL(sys_socketpair,compat_sys_socketpair) /* 360 */
+-SYSCALL(sys_bind,sys_bind)
+-SYSCALL(sys_connect,sys_connect)
++SYSCALL(sys_bind,compat_sys_bind)
++SYSCALL(sys_connect,compat_sys_connect)
+ SYSCALL(sys_listen,sys_listen)
+-SYSCALL(sys_accept4,sys_accept4)
++SYSCALL(sys_accept4,compat_sys_accept4)
+ SYSCALL(sys_getsockopt,compat_sys_getsockopt) /* 365 */
+ SYSCALL(sys_setsockopt,compat_sys_setsockopt)
+ SYSCALL(sys_getsockname,compat_sys_getsockname)
--- /dev/null
+From 860dd4424f344400b491b212ee4acb3a358ba9d9 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Tue, 21 Nov 2017 14:23:37 +0100
+Subject: scsi: dma-mapping: always provide dma_get_cache_alignment
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 860dd4424f344400b491b212ee4acb3a358ba9d9 upstream.
+
+Provide the dummy version of dma_get_cache_alignment that always returns
+1 even if CONFIG_HAS_DMA is not set, so that drivers and subsystems can
+use it without ifdefs.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/dma-mapping.h | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/include/linux/dma-mapping.h
++++ b/include/linux/dma-mapping.h
+@@ -192,7 +192,6 @@ static inline void *dma_zalloc_coherent(
+ return ret;
+ }
+
+-#ifdef CONFIG_HAS_DMA
+ static inline int dma_get_cache_alignment(void)
+ {
+ #ifdef ARCH_DMA_MINALIGN
+@@ -200,7 +199,6 @@ static inline int dma_get_cache_alignmen
+ #endif
+ return 1;
+ }
+-#endif
+
+ /* flags for the coherent memory api */
+ #define DMA_MEMORY_MAP 0x01
--- /dev/null
+From c2e8fbf908afd81ad502b567a6639598f92c9b9d Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Tue, 21 Nov 2017 14:23:39 +0100
+Subject: scsi: libsas: align sata_device's rps_resp on a cacheline
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit c2e8fbf908afd81ad502b567a6639598f92c9b9d upstream.
+
+The rps_resp buffer in ata_device is a DMA target, but it isn't
+explicitly cacheline aligned. Due to this, adjacent fields can be
+overwritten with stale data from memory on non-coherent architectures.
+As a result, the kernel is sometimes unable to communicate with an SATA
+device behind a SAS expander.
+
+Fix this by ensuring that the rps_resp buffer is cacheline aligned.
+
+This issue is similar to that fixed by Commit 84bda12af31f93 ("libata:
+align ap->sector_buf") and Commit 4ee34ea3a12396f35b26 ("libata: Align
+ata_device's id on a cacheline").
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/scsi/libsas.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/scsi/libsas.h
++++ b/include/scsi/libsas.h
+@@ -165,11 +165,11 @@ struct expander_device {
+
+ struct sata_device {
+ unsigned int class;
+- struct smp_resp rps_resp; /* report_phy_sata_resp */
+ u8 port_no; /* port number, if this is a PM (Port) */
+
+ struct ata_port *ap;
+ struct ata_host ata_host;
++ struct smp_resp rps_resp ____cacheline_aligned; /* report_phy_sata_resp */
+ u8 fis[ATA_RESP_FIS_SIZE];
+ };
+
--- /dev/null
+From 90addc6b3c9cda0146fbd62a08e234c2b224a80c Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Tue, 21 Nov 2017 14:23:38 +0100
+Subject: scsi: use dma_get_cache_alignment() as minimum DMA alignment
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit 90addc6b3c9cda0146fbd62a08e234c2b224a80c upstream.
+
+In non-coherent DMA mode, kernel uses cache flushing operations to
+maintain I/O coherency, so scsi's block queue should be aligned to the
+value returned by dma_get_cache_alignment(). Otherwise, If a DMA buffer
+and a kernel structure share a same cache line, and if the kernel
+structure has dirty data, cache_invalidate (no writeback) will cause
+data corruption.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+[hch: rebased and updated the comment and changelog]
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_lib.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -2128,11 +2128,13 @@ static void __scsi_init_queue(struct Scs
+ q->limits.cluster = 0;
+
+ /*
+- * set a reasonable default alignment on word boundaries: the
+- * host and device may alter it using
+- * blk_queue_update_dma_alignment() later.
++ * Set a reasonable default alignment: The larger of 32-byte (dword),
++ * which is a common minimum for HBAs, and the minimum DMA alignment,
++ * which is set by the platform.
++ *
++ * Devices that require a bigger alignment can increase it later.
+ */
+- blk_queue_dma_alignment(q, 0x03);
++ blk_queue_dma_alignment(q, max(4, dma_get_cache_alignment()) - 1);
+ }
+
+ struct request_queue *__scsi_alloc_queue(struct Scsi_Host *shost,
can-ems_usb-cancel-urb-on-epipe-and-eproto.patch
can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch
can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch
+virtio-release-virtio-index-when-fail-to-device_register.patch
+hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch
+isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch
+scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch
+scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch
+scsi-libsas-align-sata_device-s-rps_resp-on-a-cacheline.patch
+efi-move-some-sysfs-files-to-be-read-only-by-root.patch
+efi-esrt-use-memunmap-instead-of-kfree-to-free-the-remapping.patch
+asn.1-fix-out-of-bounds-read-when-parsing-indefinite-length-item.patch
+asn.1-check-for-error-from-asn1_op_end__act-actions.patch
+x.509-reject-invalid-bit-string-for-subjectpublickey.patch
+x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch
+alsa-pcm-prevent-uaf-in-snd_pcm_info.patch
+alsa-seq-remove-spurious-warn_on-at-timer-check.patch
+alsa-usb-audio-fix-out-of-bound-error.patch
+alsa-usb-audio-add-check-return-value-for-usb_string.patch
+iommu-vt-d-fix-scatterlist-offset-handling.patch
+s390-fix-compat-system-call-table.patch
+kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch
+drm-exynos-gem-drop-noncontig-flag-for-buffers-allocated-without-iommu.patch
+media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch
+arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch
+kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
+arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch
--- /dev/null
+From e60ea67bb60459b95a50a156296041a13e0e380e Mon Sep 17 00:00:00 2001
+From: weiping zhang <zwp10758@gmail.com>
+Date: Wed, 29 Nov 2017 09:23:01 +0800
+Subject: virtio: release virtio index when fail to device_register
+
+From: weiping zhang <zwp10758@gmail.com>
+
+commit e60ea67bb60459b95a50a156296041a13e0e380e upstream.
+
+index can be reused by other virtio device.
+
+Signed-off-by: weiping zhang <zhangweiping@didichuxing.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/virtio/virtio.c
++++ b/drivers/virtio/virtio.c
+@@ -323,6 +323,8 @@ int register_virtio_device(struct virtio
+ /* device_register() causes the bus infrastructure to look for a
+ * matching driver. */
+ err = device_register(&dev->dev);
++ if (err)
++ ida_simple_remove(&virtio_index_ida, dev->index);
+ out:
+ if (err)
+ add_status(dev, VIRTIO_CONFIG_S_FAILED);
--- /dev/null
+From 0f30cbea005bd3077bd98cd29277d7fc2699c1da Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 8 Dec 2017 15:13:27 +0000
+Subject: X.509: reject invalid BIT STRING for subjectPublicKey
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 0f30cbea005bd3077bd98cd29277d7fc2699c1da upstream.
+
+Adding a specially crafted X.509 certificate whose subjectPublicKey
+ASN.1 value is zero-length caused x509_extract_key_data() to set the
+public key size to SIZE_MAX, as it subtracted the nonexistent BIT STRING
+metadata byte. Then, x509_cert_parse() called kmemdup() with that bogus
+size, triggering the WARN_ON_ONCE() in kmalloc_slab().
+
+This appears to be harmless, but it still must be fixed since WARNs are
+never supposed to be user-triggerable.
+
+Fix it by updating x509_cert_parse() to validate that the value has a
+BIT STRING metadata byte, and that the byte is 0 which indicates that
+the number of bits in the bitstring is a multiple of 8.
+
+It would be nice to handle the metadata byte in asn1_ber_decoder()
+instead. But that would be tricky because in the general case a BIT
+STRING could be implicitly tagged, and/or could legitimately have a
+length that is not a whole number of bytes.
+
+Here was the WARN (cleaned up slightly):
+
+ WARNING: CPU: 1 PID: 202 at mm/slab_common.c:971 kmalloc_slab+0x5d/0x70 mm/slab_common.c:971
+ Modules linked in:
+ CPU: 1 PID: 202 Comm: keyctl Tainted: G B 4.14.0-09238-g1d3b78bbc6e9 #26
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
+ task: ffff880033014180 task.stack: ffff8800305c8000
+ Call Trace:
+ __do_kmalloc mm/slab.c:3706 [inline]
+ __kmalloc_track_caller+0x22/0x2e0 mm/slab.c:3726
+ kmemdup+0x17/0x40 mm/util.c:118
+ kmemdup include/linux/string.h:414 [inline]
+ x509_cert_parse+0x2cb/0x620 crypto/asymmetric_keys/x509_cert_parser.c:106
+ x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
+ asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
+ key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
+ SYSC_add_key security/keys/keyctl.c:122 [inline]
+ SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
+ entry_SYSCALL_64_fastpath+0x1f/0x96
+
+Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/asymmetric_keys/x509_cert_parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/asymmetric_keys/x509_cert_parser.c
++++ b/crypto/asymmetric_keys/x509_cert_parser.c
+@@ -399,6 +399,8 @@ int x509_extract_key_data(void *context,
+ ctx->cert->pub->pkey_algo = PKEY_ALGO_RSA;
+
+ /* Discard the BIT STRING metadata */
++ if (vlen < 1 || *(const u8 *)value != 0)
++ return -EBADMSG;
+ ctx->key = value + 1;
+ ctx->key_size = vlen - 1;
+ return 0;
--- /dev/null
+From ddec3bdee05b06f1dda20ded003c3e10e4184cab Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Fri, 1 Dec 2017 15:08:12 +0100
+Subject: x86/PCI: Make broadcom_postcore_init() check acpi_disabled
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit ddec3bdee05b06f1dda20ded003c3e10e4184cab upstream.
+
+acpi_os_get_root_pointer() may return a valid address even if acpi_disabled
+is set, but the host bridge information from the ACPI tables is not going
+to be used in that case and the Broadcom host bridge initialization should
+not be skipped then, So make broadcom_postcore_init() check acpi_disabled
+too to avoid this issue.
+
+Fixes: 6361d72b04d1 (x86/PCI: read Broadcom CNB20LE host bridge info before PCI scan)
+Reported-by: Dave Hansen <dave.hansen@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Linux PCI <linux-pci@vger.kernel.org>
+Link: https://lkml.kernel.org/r/3186627.pxZj1QbYNg@aspire.rjw.lan
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/pci/broadcom_bus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/pci/broadcom_bus.c
++++ b/arch/x86/pci/broadcom_bus.c
+@@ -97,7 +97,7 @@ static int __init broadcom_postcore_init
+ * We should get host bridge information from ACPI unless the BIOS
+ * doesn't support it.
+ */
+- if (acpi_os_get_root_pointer())
++ if (!acpi_disabled && acpi_os_get_root_pointer())
+ return 0;
+ #endif
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
