--- /dev/null
+From foo@baz Mon Jul 3 13:41:44 CEST 2017
+From: Ivan Vecera <cera@cera.cz>
+Date: Fri, 13 Jan 2017 22:38:27 +0100
+Subject: be2net: fix status check in be_cmd_pmac_add()
+
+From: Ivan Vecera <cera@cera.cz>
+
+
+[ Upstream commit fe68d8bfe59c561664aa87d827aa4b320eb08895 ]
+
+Return value from be_mcc_notify_wait() contains a base completion status
+together with an additional status. The base_status() macro need to be
+used to access base status.
+
+Fixes: e3a7ae2 be2net: Changing MAC Address of a VF was broken
+Cc: Sathya Perla <sathya.perla@broadcom.com>
+Cc: Ajit Khaparde <ajit.khaparde@broadcom.com>
+Cc: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
+Cc: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: Ivan Vecera <cera@cera.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
+@@ -1052,7 +1052,7 @@ int be_cmd_pmac_add(struct be_adapter *a
+ err:
+ spin_unlock_bh(&adapter->mcc_lock);
+
+- if (status == MCC_STATUS_UNAUTHORIZED_REQUEST)
++ if (base_status(status) == MCC_STATUS_UNAUTHORIZED_REQUEST)
+ status = -EPERM;
+
+ return status;
--- /dev/null
+From foo@baz Mon Jul 3 13:34:03 CEST 2017
+From: Dave Kleikamp <dave.kleikamp@oracle.com>
+Date: Wed, 11 Jan 2017 13:25:00 -0600
+Subject: coredump: Ensure proper size of sparse core files
+
+From: Dave Kleikamp <dave.kleikamp@oracle.com>
+
+
+[ Upstream commit 4d22c75d4c7b5c5f4bd31054f09103ee490878fd ]
+
+If the last section of a core file ends with an unmapped or zero page,
+the size of the file does not correspond with the last dump_skip() call.
+gdb complains that the file is truncated and can be confusing to users.
+
+After all of the vma sections are written, make sure that the file size
+is no smaller than the current file position.
+
+This problem can be demonstrated with gdb's bigcore testcase on the
+sparc architecture.
+
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: linux-fsdevel@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/binfmt_elf.c | 1 +
+ fs/coredump.c | 18 ++++++++++++++++++
+ include/linux/coredump.h | 1 +
+ 3 files changed, 20 insertions(+)
+
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -2295,6 +2295,7 @@ static int elf_core_dump(struct coredump
+ goto end_coredump;
+ }
+ }
++ dump_truncate(cprm);
+
+ if (!elf_core_write_extra_data(cprm))
+ goto end_coredump;
+--- a/fs/coredump.c
++++ b/fs/coredump.c
+@@ -810,3 +810,21 @@ int dump_align(struct coredump_params *c
+ return mod ? dump_skip(cprm, align - mod) : 1;
+ }
+ EXPORT_SYMBOL(dump_align);
++
++/*
++ * Ensures that file size is big enough to contain the current file
++ * postion. This prevents gdb from complaining about a truncated file
++ * if the last "write" to the file was dump_skip.
++ */
++void dump_truncate(struct coredump_params *cprm)
++{
++ struct file *file = cprm->file;
++ loff_t offset;
++
++ if (file->f_op->llseek && file->f_op->llseek != no_llseek) {
++ offset = file->f_op->llseek(file, 0, SEEK_CUR);
++ if (i_size_read(file->f_mapping->host) < offset)
++ do_truncate(file->f_path.dentry, offset, 0, file);
++ }
++}
++EXPORT_SYMBOL(dump_truncate);
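Review bot: dump_truncate() discards the result of do_truncate(), so a failure to extend the core file is silent and the file stays short, which is the condition this helper is meant to prevent. The siblings dump_skip(), dump_emit() and dump_align() declared in coredump.h all return int, and the call site in elf_core_dump() sits among checks that use `goto end_coredump`, so returning a status would fit the existing pattern. A negative return from llseek is harmless here because the size comparison is then false, but a one-line comment saying so would help the next reader. The header comment also has the typo "postion".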
+--- a/include/linux/coredump.h
++++ b/include/linux/coredump.h
+@@ -14,6 +14,7 @@ struct coredump_params;
+ extern int dump_skip(struct coredump_params *cprm, size_t nr);
+ extern int dump_emit(struct coredump_params *cprm, const void *addr, int nr);
+ extern int dump_align(struct coredump_params *cprm, int align);
++extern void dump_truncate(struct coredump_params *cprm);
+ #ifdef CONFIG_COREDUMP
+ extern void do_coredump(const siginfo_t *siginfo);
+ #else
--- /dev/null
+From 7292ae3d5a18fb922be496e6bb687647193569b4 Mon Sep 17 00:00:00 2001
+From: Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
+Date: Mon, 20 Mar 2017 20:15:53 +0300
+Subject: jump label: fix passing kbuild_cflags when checking for asm goto support
+
+From: Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
+
+commit 7292ae3d5a18fb922be496e6bb687647193569b4 upstream.
+
+The latest change of asm goto support check added passing of KBUILD_CFLAGS
+to compiler. When these flags reference gcc plugins that are not built yet,
+the check fails.
+
+When one runs "make bzImage" followed by "make modules", the kernel is always
+built with HAVE_JUMP_LABEL disabled, while the modules are built depending on
+CONFIG_JUMP_LABEL. If HAVE_JUMP_LABEL macro happens to be different, modules
+are built with undefined references, e.g.:
+
+ERROR: "static_key_slow_inc" [net/netfilter/xt_TEE.ko] undefined!
+ERROR: "static_key_slow_dec" [net/netfilter/xt_TEE.ko] undefined!
+ERROR: "static_key_slow_dec" [net/netfilter/nft_meta.ko] undefined!
+ERROR: "static_key_slow_inc" [net/netfilter/nft_meta.ko] undefined!
+ERROR: "nf_hooks_needed" [net/netfilter/ipvs/ip_vs.ko] undefined!
+ERROR: "nf_hooks_needed" [net/ipv6/ipv6.ko] undefined!
+ERROR: "static_key_count" [net/ipv6/ipv6.ko] undefined!
+ERROR: "static_key_slow_inc" [net/ipv6/ipv6.ko] undefined!
+
+This change moves the check before all these references are added
+to KBUILD_CFLAGS. This is correct because subsequent KBUILD_CFLAGS
+modifications are not relevant to this check.
+
+Reported-by: Anton V. Boyarshinov <boyarsh@altlinux.org>
+Fixes: 35f860f9ba6a ("jump label: pass kbuild_cflags when checking for asm goto support")
+Signed-off-by: Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
+Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
+Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Acked-by: David Lin <dtwlin@google.com>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Makefile | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -633,6 +633,12 @@ endif
+ # Tell gcc to never replace conditional load with a non-conditional one
+ KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0)
+
++# check for 'asm goto'
++ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-goto.sh $(CC) $(KBUILD_CFLAGS)), y)
++ KBUILD_CFLAGS += -DCC_HAVE_ASM_GOTO
++ KBUILD_AFLAGS += -DCC_HAVE_ASM_GOTO
++endif
++
+ ifdef CONFIG_READABLE_ASM
+ # Disable optimizations that make assembler listings hard to read.
+ # reorder blocks reorders the control in the function
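Review bot: The comment `# check for 'asm goto'` on the moved block does not record why the block has to sit at this position, so a later cleanup could move it back below the flags that break it. Per the commit description, the probe must run before KBUILD_CFLAGS gains references to gcc plugins that are not built yet. I would extend the comment to something like `# check for 'asm goto'; keep this before any gcc-plugin flags are added to KBUILD_CFLAGS, the probe fails if they reference unbuilt plugins`.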
+@@ -788,12 +794,6 @@ KBUILD_CFLAGS += $(call cc-option,-Wer
+ # use the deterministic mode of AR if available
+ KBUILD_ARFLAGS := $(call ar-option,D)
+
+-# check for 'asm goto'
+-ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-goto.sh $(CC) $(KBUILD_CFLAGS)), y)
+- KBUILD_CFLAGS += -DCC_HAVE_ASM_GOTO
+- KBUILD_AFLAGS += -DCC_HAVE_ASM_GOTO
+-endif
+-
+ include scripts/Makefile.kasan
+ include scripts/Makefile.extrawarn
+
--- /dev/null
+From foo@baz Mon Jul 3 13:34:03 CEST 2017
+From: Felix Fietkau <nbd@nbd.name>
+Date: Fri, 13 Jan 2017 11:28:25 +0100
+Subject: mac80211: initialize SMPS field in HT capabilities
+
+From: Felix Fietkau <nbd@nbd.name>
+
+
+[ Upstream commit 43071d8fb3b7f589d72663c496a6880fb097533c ]
+
+ibss and mesh modes copy the ht capabilites from the band without
+overriding the SMPS state. Unfortunately the default value 0 for the
+SMPS field means static SMPS instead of disabled.
+
+This results in HT ibss and mesh setups using only single-stream rates,
+even though SMPS is not supposed to be active.
+
+Initialize SMPS to disabled for all bands on ieee80211_hw_register to
+ensure that the value is sane where it is not overriden with the real
+SMPS state.
+
+Reported-by: Elektra Wagenrad <onelektra@gmx.net>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+[move VHT TODO comment to a better place]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/main.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -891,12 +891,17 @@ int ieee80211_register_hw(struct ieee802
+ supp_ht = supp_ht || sband->ht_cap.ht_supported;
+ supp_vht = supp_vht || sband->vht_cap.vht_supported;
+
+- if (sband->ht_cap.ht_supported)
+- local->rx_chains =
+- max(ieee80211_mcs_to_chains(&sband->ht_cap.mcs),
+- local->rx_chains);
++ if (!sband->ht_cap.ht_supported)
++ continue;
+
+ /* TODO: consider VHT for RX chains, hopefully it's the same */
++ local->rx_chains =
++ max(ieee80211_mcs_to_chains(&sband->ht_cap.mcs),
++ local->rx_chains);
++
++ /* no need to mask, SM_PS_DISABLED has all bits set */
++ sband->ht_cap.cap |= WLAN_HT_CAP_SM_PS_DISABLED <<
++ IEEE80211_HT_CAP_SM_PS_SHIFT;
+ }
+
+ /* if low-level driver supports AP, we also support VLAN */
--- /dev/null
+From foo@baz Mon Jul 3 13:41:44 CEST 2017
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Mon, 16 Jan 2017 18:31:39 +0200
+Subject: net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+
+[ Upstream commit 9577b174cd0323d287c994ef0891db71666d0765 ]
+
+When running SRIOV, warnings for SRQ LIMIT events flood the Hypervisor's
+message log when (correct, normally operating) apps use SRQ LIMIT events
+as a trigger to post WQEs to SRQs.
+
+Add more information to the existing debug printout for SRQ_LIMIT, and
+output the warning messages only for the SRQ CATAS ERROR event.
+
+Fixes: acba2420f9d2 ("mlx4_core: Add wrapper functions and comm channel and slave event support to EQs")
+Fixes: e0debf9cb50d ("mlx4_core: Reduce warning message for SRQ_LIMIT event to debug level")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/eq.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/eq.c
++++ b/drivers/net/ethernet/mellanox/mlx4/eq.c
+@@ -542,8 +542,9 @@ static int mlx4_eq_int(struct mlx4_dev *
+ break;
+
+ case MLX4_EVENT_TYPE_SRQ_LIMIT:
+- mlx4_dbg(dev, "%s: MLX4_EVENT_TYPE_SRQ_LIMIT\n",
+- __func__);
++ mlx4_dbg(dev, "%s: MLX4_EVENT_TYPE_SRQ_LIMIT. srq_no=0x%x, eq 0x%x\n",
++ __func__, be32_to_cpu(eqe->event.srq.srqn),
++ eq->eqn);
+ case MLX4_EVENT_TYPE_SRQ_CATAS_ERROR:
+ if (mlx4_is_master(dev)) {
+ /* forward only to slave owning the SRQ */
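Review bot: The MLX4_EVENT_TYPE_SRQ_LIMIT case runs into MLX4_EVENT_TYPE_SRQ_CATAS_ERROR with no marker after the rewritten mlx4_dbg() call, and the type checks added in the next hunk depend on that shared path. Add `/* fall through */` after the mlx4_dbg() statement so the missing break reads as intentional. The switch and the enclosing mlx4_eq_int() start and end outside this hunk.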
+@@ -558,15 +559,19 @@ static int mlx4_eq_int(struct mlx4_dev *
+ eq->eqn, eq->cons_index, ret);
+ break;
+ }
+- mlx4_warn(dev, "%s: slave:%d, srq_no:0x%x, event: %02x(%02x)\n",
+- __func__, slave,
+- be32_to_cpu(eqe->event.srq.srqn),
+- eqe->type, eqe->subtype);
++ if (eqe->type ==
++ MLX4_EVENT_TYPE_SRQ_CATAS_ERROR)
++ mlx4_warn(dev, "%s: slave:%d, srq_no:0x%x, event: %02x(%02x)\n",
++ __func__, slave,
++ be32_to_cpu(eqe->event.srq.srqn),
++ eqe->type, eqe->subtype);
+
+ if (!ret && slave != dev->caps.function) {
+- mlx4_warn(dev, "%s: sending event %02x(%02x) to slave:%d\n",
+- __func__, eqe->type,
+- eqe->subtype, slave);
++ if (eqe->type ==
++ MLX4_EVENT_TYPE_SRQ_CATAS_ERROR)
++ mlx4_warn(dev, "%s: sending event %02x(%02x) to slave:%d\n",
++ __func__, eqe->type,
++ eqe->subtype, slave);
+ mlx4_slave_event(dev, slave, eqe);
+ break;
+ }
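Review bot: The two remaining mlx4_warn() calls for MLX4_EVENT_TYPE_SRQ_CATAS_ERROR are still emitted once per event with no rate limit, so the hypervisor log can presumably still fill up if a slave's SRQs keep hitting that error. Whether a guest can provoke that at volume is not visible here. Consider rate-limiting those warnings, or demoting the second one ("sending event ... to slave") to mlx4_dbg() since it only traces forwarding. Separately, the condition `eqe->type == MLX4_EVENT_TYPE_SRQ_CATAS_ERROR` is now written twice and each copy guards a multi-line statement without braces; a local such as `bool catas = eqe->type == MLX4_EVENT_TYPE_SRQ_CATAS_ERROR;` plus braces would be easier to read.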
--- /dev/null
+From foo@baz Mon Jul 3 13:41:44 CEST 2017
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Wed, 11 Jan 2017 14:59:38 +0900
+Subject: perf probe: Fix to show correct locations for events on modules
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+
+[ Upstream commit d2d4edbebe07ddb77980656abe7b9bc7a9e0cdf7 ]
+
+Fix to show correct locations for events on modules by relocating given
+address instead of retrying after failure.
+
+This happens when the module text size is big enough, bigger than
+sh_addr, because the original code retries with given address + sh_addr
+if it failed to find CU DIE at the given address.
+
+Any address smaller than sh_addr always fails and it retries with the
+correct address, but addresses bigger than sh_addr will get a CU DIE
+which is on the given address (not adjusted by sh_addr).
+
+In my environment(x86-64), the sh_addr of ".text" section is 0x10030.
+Since i915 is a huge kernel module, we can see this issue as below.
+
+ $ grep "[Tt] .*\[i915\]" /proc/kallsyms | sort | head -n1
+ ffffffffc0270000 t i915_switcheroo_can_switch [i915]
+
+ffffffffc0270000 + 0x10030 = ffffffffc0280030, so we'll check
+symbols cross this boundary.
+
+ $ grep "[Tt] .*\[i915\]" /proc/kallsyms | grep -B1 ^ffffffffc028\
+ | head -n 2
+ ffffffffc027ff80 t haswell_init_clock_gating [i915]
+ ffffffffc0280110 t valleyview_init_clock_gating [i915]
+
+So setup probes on both function and see what happen.
+
+ $ sudo ./perf probe -m i915 -a haswell_init_clock_gating \
+ -a valleyview_init_clock_gating
+ Added new events:
+ probe:haswell_init_clock_gating (on haswell_init_clock_gating in i915)
+ probe:valleyview_init_clock_gating (on valleyview_init_clock_gating in i915)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:valleyview_init_clock_gating -aR sleep 1
+
+ $ sudo ./perf probe -l
+ probe:haswell_init_clock_gating (on haswell_init_clock_gating@gpu/drm/i915/intel_pm.c in i915)
+ probe:valleyview_init_clock_gating (on i915_vga_set_decode:4@gpu/drm/i915/i915_drv.c in i915)
+
+As you can see, haswell_init_clock_gating is correctly shown,
+but valleyview_init_clock_gating is not.
+
+With this patch, both events are shown correctly.
+
+ $ sudo ./perf probe -l
+ probe:haswell_init_clock_gating (on haswell_init_clock_gating@gpu/drm/i915/intel_pm.c in i915)
+ probe:valleyview_init_clock_gating (on valleyview_init_clock_gating@gpu/drm/i915/intel_pm.c in i915)
+
+Committer notes:
+
+In my case:
+
+ # perf probe -m i915 -a haswell_init_clock_gating -a valleyview_init_clock_gating
+ Added new events:
+ probe:haswell_init_clock_gating (on haswell_init_clock_gating in i915)
+ probe:valleyview_init_clock_gating (on valleyview_init_clock_gating in i915)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:valleyview_init_clock_gating -aR sleep 1
+
+ # perf probe -l
+ probe:haswell_init_clock_gating (on i915_getparam+432@gpu/drm/i915/i915_drv.c in i915)
+ probe:valleyview_init_clock_gating (on __i915_printk+240@gpu/drm/i915/i915_drv.c in i915)
+ #
+
+ # readelf -SW /lib/modules/4.9.0+/build/vmlinux | egrep -w '.text|Name'
+ [Nr] Name Type Address Off Size ES Flg Lk Inf Al
+ [ 1] .text PROGBITS ffffffff81000000 200000 822fd3 00 AX 0 0 4096
+ #
+
+ So both are b0rked, now with the fix:
+
+ # perf probe -m i915 -a haswell_init_clock_gating -a valleyview_init_clock_gating
+ Added new events:
+ probe:haswell_init_clock_gating (on haswell_init_clock_gating in i915)
+ probe:valleyview_init_clock_gating (on valleyview_init_clock_gating in i915)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:valleyview_init_clock_gating -aR sleep 1
+
+ # perf probe -l
+ probe:haswell_init_clock_gating (on haswell_init_clock_gating@gpu/drm/i915/intel_pm.c in i915)
+ probe:valleyview_init_clock_gating (on valleyview_init_clock_gating@gpu/drm/i915/intel_pm.c in i915)
+ #
+
+Both looks correct.
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/148411436777.9978.1440275861947194930.stgit@devbox
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/probe-finder.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -1460,16 +1460,12 @@ int debuginfo__find_probe_point(struct d
+ Dwarf_Addr _addr = 0, baseaddr = 0;
+ const char *fname = NULL, *func = NULL, *basefunc = NULL, *tmp;
+ int baseline = 0, lineno = 0, ret = 0;
+- bool reloc = false;
+
+-retry:
++ /* We always need to relocate the address for aranges */
++ if (debuginfo__get_text_offset(dbg, &baseaddr) == 0)
++ addr += baseaddr;
+ /* Find cu die */
+ if (!dwarf_addrdie(dbg->dbg, (Dwarf_Addr)addr, &cudie)) {
+- if (!reloc && debuginfo__get_text_offset(dbg, &baseaddr) == 0) {
+- addr += baseaddr;
+- reloc = true;
+- goto retry;
+- }
+ pr_warning("Failed to find debug information for address %lx\n",
+ addr);
+ ret = -EINVAL;
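Review bot: A non-zero return from debuginfo__get_text_offset() is ignored without any trace, and the lookup then continues with the unrelocated address. If that can happen for a module, it is the case the commit description says resolves to the wrong CU DIE. I would at least log it in an else branch, e.g. `pr_debug("Failed to get text offset, using address %lx as is\n", addr);`. Note also that the pr_warning() below prints addr after `addr += baseaddr`, so the value reported to the user is not the one the caller passed in. debuginfo__find_probe_point() continues past the end of this hunk.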
--- /dev/null
+From foo@baz Mon Jul 3 13:41:44 CEST 2017
+From: Eugeniu Rosca <erosca@de.adit-jv.com>
+Date: Tue, 6 Jun 2017 00:08:10 +0200
+Subject: ravb: Fix use-after-free on `ifconfig eth0 down`
+
+From: Eugeniu Rosca <erosca@de.adit-jv.com>
+
+
+[ Upstream commit 79514ef670e9e575a1fe36922268c439d0f0ca8a ]
+
+Commit a47b70ea86bd ("ravb: unmap descriptors when freeing rings") has
+introduced the issue seen in [1] reproduced on H3ULCB board.
+
+Fix this by relocating the RX skb ringbuffer free operation, so that
+swiotlb page unmapping can be done first. Freeing of aligned TX buffers
+is not relevant to the issue seen in [1]. Still, reposition TX free
+calls as well, to have all kfree() operations performed consistently
+_after_ dma_unmap_*()/dma_free_*().
+
+[1] Console screenshot with the problem reproduced:
+
+salvator-x login: root
+root@salvator-x:~# ifconfig eth0 up
+Micrel KSZ9031 Gigabit PHY e6800000.ethernet-ffffffff:00: \
+ attached PHY driver [Micrel KSZ9031 Gigabit PHY] \
+ (mii_bus:phy_addr=e6800000.ethernet-ffffffff:00, irq=235)
+IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
+root@salvator-x:~#
+root@salvator-x:~# ifconfig eth0 down
+
+==================================================================
+BUG: KASAN: use-after-free in swiotlb_tbl_unmap_single+0xc4/0x35c
+Write of size 1538 at addr ffff8006d884f780 by task ifconfig/1649
+
+CPU: 0 PID: 1649 Comm: ifconfig Not tainted 4.12.0-rc4-00004-g112eb07287d1 #32
+Hardware name: Renesas H3ULCB board based on r8a7795 (DT)
+Call trace:
+[<ffff20000808f11c>] dump_backtrace+0x0/0x3a4
+[<ffff20000808f4d4>] show_stack+0x14/0x1c
+[<ffff20000865970c>] dump_stack+0xf8/0x150
+[<ffff20000831f8b0>] print_address_description+0x7c/0x330
+[<ffff200008320010>] kasan_report+0x2e0/0x2f4
+[<ffff20000831eac0>] check_memory_region+0x20/0x14c
+[<ffff20000831f054>] memcpy+0x48/0x68
+[<ffff20000869ed50>] swiotlb_tbl_unmap_single+0xc4/0x35c
+[<ffff20000869fcf4>] unmap_single+0x90/0xa4
+[<ffff20000869fd14>] swiotlb_unmap_page+0xc/0x14
+[<ffff2000080a2974>] __swiotlb_unmap_page+0xcc/0xe4
+[<ffff2000088acdb8>] ravb_ring_free+0x514/0x870
+[<ffff2000088b25dc>] ravb_close+0x288/0x36c
+[<ffff200008aaf8c4>] __dev_close_many+0x14c/0x174
+[<ffff200008aaf9b4>] __dev_close+0xc8/0x144
+[<ffff200008ac2100>] __dev_change_flags+0xd8/0x194
+[<ffff200008ac221c>] dev_change_flags+0x60/0xb0
+[<ffff200008ba2dec>] devinet_ioctl+0x484/0x9d4
+[<ffff200008ba7b78>] inet_ioctl+0x190/0x194
+[<ffff200008a78c44>] sock_do_ioctl+0x78/0xa8
+[<ffff200008a7a128>] sock_ioctl+0x110/0x3c4
+[<ffff200008365a70>] vfs_ioctl+0x90/0xa0
+[<ffff200008365dbc>] do_vfs_ioctl+0x148/0xc38
+[<ffff2000083668f0>] SyS_ioctl+0x44/0x74
+[<ffff200008083770>] el0_svc_naked+0x24/0x28
+
+The buggy address belongs to the page:
+page:ffff7e001b6213c0 count:0 mapcount:0 mapping: (null) index:0x0
+flags: 0x4000000000000000()
+raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
+raw: 0000000000000000 ffff7e001b6213e0 0000000000000000 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8006d884f680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff8006d884f700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+>ffff8006d884f780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ^
+ ffff8006d884f800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff8006d884f880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+==================================================================
+Disabling lock debugging due to kernel taint
+root@salvator-x:~#
+
+Fixes: a47b70ea86bd ("ravb: unmap descriptors when freeing rings")
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Acked-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -221,18 +221,6 @@ static void ravb_ring_free(struct net_de
+ int ring_size;
+ int i;
+
+- /* Free RX skb ringbuffer */
+- if (priv->rx_skb[q]) {
+- for (i = 0; i < priv->num_rx_ring[q]; i++)
+- dev_kfree_skb(priv->rx_skb[q][i]);
+- }
+- kfree(priv->rx_skb[q]);
+- priv->rx_skb[q] = NULL;
+-
+- /* Free aligned TX buffers */
+- kfree(priv->tx_align[q]);
+- priv->tx_align[q] = NULL;
+-
+ if (priv->rx_ring[q]) {
+ for (i = 0; i < priv->num_rx_ring[q]; i++) {
+ struct ravb_ex_rx_desc *desc = &priv->rx_ring[q][i];
+@@ -261,6 +249,18 @@ static void ravb_ring_free(struct net_de
+ priv->tx_ring[q] = NULL;
+ }
+
++ /* Free RX skb ringbuffer */
++ if (priv->rx_skb[q]) {
++ for (i = 0; i < priv->num_rx_ring[q]; i++)
++ dev_kfree_skb(priv->rx_skb[q][i]);
++ }
++ kfree(priv->rx_skb[q]);
++ priv->rx_skb[q] = NULL;
++
++ /* Free aligned TX buffers */
++ kfree(priv->tx_align[q]);
++ priv->tx_align[q] = NULL;
++
+ /* Free TX skb ringbuffer.
+ * SKBs are freed by ravb_tx_free() call above.
+ */
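Review bot: Nothing in the relocated block says that its position matters, so the ordering that fixes the use-after-free could be undone by a later tidy-up. The KASAN trace in the commit description shows swiotlb_tbl_unmap_single() doing a memcpy into the RX buffer during unmap, which is why the skbs have to outlive the descriptor unmap loop. I would change the comment to something like `/* Free RX skb ringbuffer. Must stay after the dma_unmap_*() calls above: unmapping a bounced buffer writes to the skb data. */`. ravb_ring_free() starts and ends outside this hunk.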
--- /dev/null
+From foo@baz Mon Jul 3 13:41:44 CEST 2017
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Wed, 28 Dec 2016 11:33:48 +0100
+Subject: s390/ctl_reg: make __ctl_load a full memory barrier
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+
+[ Upstream commit e991c24d68b8c0ba297eeb7af80b1e398e98c33f ]
+
+We have quite a lot of code that depends on the order of the
+__ctl_load inline assemby and subsequent memory accesses, like
+e.g. disabling lowcore protection and the writing to lowcore.
+
+Since the __ctl_load macro does not have memory barrier semantics, nor
+any other dependencies the compiler is, theoretically, free to shuffle
+code around. Or in other words: storing to lowcore could happen before
+lowcore protection is disabled.
+
+In order to avoid this class of potential bugs simply add a full
+memory barrier to the __ctl_load macro.
+
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/ctl_reg.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/include/asm/ctl_reg.h
++++ b/arch/s390/include/asm/ctl_reg.h
+@@ -15,7 +15,9 @@
+ BUILD_BUG_ON(sizeof(addrtype) != (high - low + 1) * sizeof(long));\
+ asm volatile( \
+ " lctlg %1,%2,%0\n" \
+- : : "Q" (*(addrtype *)(&array)), "i" (low), "i" (high));\
++ : \
++ : "Q" (*(addrtype *)(&array)), "i" (low), "i" (high) \
++ : "memory"); \
+ }
+
+ #define __ctl_store(array, low, high) { \
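Review bot: The new `"memory"` clobber in __ctl_load carries an ordering guarantee that callers rely on, but the macro has no comment saying so. A line such as `/* "memory" clobber: later accesses, e.g. stores to lowcore, must not be moved ahead of the control register load */` above the asm would keep it from being dropped as redundant. The body of __ctl_store, which begins on the last line of the hunk, is not visible, so whether it needs the same treatment cannot be judged from here.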
--- /dev/null
+From foo@baz Mon Jul 3 13:41:44 CEST 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 7 Feb 2017 20:56:08 +0800
+Subject: sctp: check af before verify address in sctp_addr_id2transport
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 912964eacb111551db73429719eb5fadcab0ff8a ]
+
+Commit 6f29a1306131 ("sctp: sctp_addr_id2transport should verify the
+addr before looking up assoc") invoked sctp_verify_addr to verify the
+addr.
+
+But it didn't check af variable beforehand, once users pass an address
+with family = 0 through sockopt, sctp_get_af_specific will return NULL
+and NULL pointer dereference will be caused by af->sockaddr_len.
+
+This patch is to fix it by returning NULL if af variable is NULL.
+
+Fixes: 6f29a1306131 ("sctp: sctp_addr_id2transport should verify the addr before looking up assoc")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -239,7 +239,7 @@ static struct sctp_transport *sctp_addr_
+ union sctp_addr *laddr = (union sctp_addr *)addr;
+ struct sctp_transport *transport;
+
+- if (sctp_verify_addr(sk, laddr, af->sockaddr_len))
++ if (!af || sctp_verify_addr(sk, laddr, af->sockaddr_len))
+ return NULL;
+
+ addr_asoc = sctp_endpoint_lookup_assoc(sctp_sk(sk)->ep,
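Review bot: The added `!af` test has no comment explaining when af can be NULL, and the assignment of af is outside the hunk. Per the commit description, it happens when userspace passes an address with family 0 through a sockopt and sctp_get_af_specific() returns NULL. A short comment such as `/* af is NULL when userspace passed an address family SCTP does not support */` would document that this is a check on untrusted input. Callers then see the same NULL as for "no such transport"; that looks acceptable but is worth confirming against the callers, which are not shown.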
scsi-lpfc-avoid-double-free-of-resource-identifiers.patch
spi-davinci-use-dma_mapping_error.patch
arm64-assembler-make-adr_l-work-in-modules-under-kaslr.patch
+mac80211-initialize-smps-field-in-ht-capabilities.patch
+x86-mpx-use-compatible-types-in-comparison-to-fix-sparse-error.patch
+coredump-ensure-proper-size-of-sparse-core-files.patch
+swiotlb-ensure-that-page-sized-mappings-are-page-aligned.patch
+s390-ctl_reg-make-__ctl_load-a-full-memory-barrier.patch
+be2net-fix-status-check-in-be_cmd_pmac_add.patch
+perf-probe-fix-to-show-correct-locations-for-events-on-modules.patch
+net-mlx4_core-eliminate-warning-messages-for-srq_limit-under-sriov.patch
+sctp-check-af-before-verify-address-in-sctp_addr_id2transport.patch
+ravb-fix-use-after-free-on-ifconfig-eth0-down.patch
+jump-label-fix-passing-kbuild_cflags-when-checking-for-asm-goto-support.patch
+xfrm-fix-stack-access-out-of-bounds-with-config_xfrm_sub_policy.patch
+xfrm-null-dereference-on-allocation-failure.patch
+xfrm-oops-on-error-in-pfkey_msg2xfrm_state.patch
--- /dev/null
+From foo@baz Mon Jul 3 13:41:44 CEST 2017
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Date: Wed, 11 Jan 2017 21:56:31 +0300
+Subject: swiotlb: ensure that page-sized mappings are page-aligned
+
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+
+
+[ Upstream commit 602d9858f07c72eab64f5f00e2fae55f9902cfbe ]
+
+Some drivers do depend on page mappings to be page aligned.
+
+Swiotlb already enforces such alignment for mappings greater than page,
+extend that to page-sized mappings as well.
+
+Without this fix, nvme hits BUG() in nvme_setup_prps(), because that routine
+assumes page-aligned mappings.
+
+Signed-off-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/swiotlb.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/lib/swiotlb.c
++++ b/lib/swiotlb.c
+@@ -452,11 +452,11 @@ phys_addr_t swiotlb_tbl_map_single(struc
+ : 1UL << (BITS_PER_LONG - IO_TLB_SHIFT);
+
+ /*
+- * For mappings greater than a page, we limit the stride (and
+- * hence alignment) to a page size.
++ * For mappings greater than or equal to a page, we limit the stride
++ * (and hence alignment) to a page size.
+ */
+ nslots = ALIGN(size, 1 << IO_TLB_SHIFT) >> IO_TLB_SHIFT;
+- if (size > PAGE_SIZE)
++ if (size >= PAGE_SIZE)
+ stride = (1 << (PAGE_SHIFT - IO_TLB_SHIFT));
+ else
+ stride = 1;
--- /dev/null
+From foo@baz Mon Jul 3 13:34:03 CEST 2017
+From: Tobias Klauser <tklauser@distanz.ch>
+Date: Thu, 12 Jan 2017 16:53:11 +0100
+Subject: x86/mpx: Use compatible types in comparison to fix sparse error
+
+From: Tobias Klauser <tklauser@distanz.ch>
+
+
+[ Upstream commit 453828625731d0ba7218242ef6ec88f59408f368 ]
+
+info->si_addr is of type void __user *, so it should be compared against
+something from the same address space.
+
+This fixes the following sparse error:
+
+ arch/x86/mm/mpx.c:296:27: error: incompatible types in comparison expression (different address spaces)
+
+Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/mpx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/mm/mpx.c
++++ b/arch/x86/mm/mpx.c
+@@ -293,7 +293,7 @@ siginfo_t *mpx_generate_siginfo(struct p
+ * We were not able to extract an address from the instruction,
+ * probably because there was something invalid in it.
+ */
+- if (info->si_addr == (void *)-1) {
++ if (info->si_addr == (void __user *)-1) {
+ err = -EINVAL;
+ goto err_out;
+ }
--- /dev/null
+From 9b3eb54106cf6acd03f07cf0ab01c13676a226c2 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Wed, 3 May 2017 16:43:19 +0200
+Subject: xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+commit 9b3eb54106cf6acd03f07cf0ab01c13676a226c2 upstream.
+
+When CONFIG_XFRM_SUB_POLICY=y, xfrm_dst stores a copy of the flowi for
+that dst. Unfortunately, the code that allocates and fills this copy
+doesn't care about what type of flowi (flowi, flowi4, flowi6) gets
+passed. In multiple code paths (from raw_sendmsg, from TCP when
+replying to a FIN, in vxlan, geneve, and gre), the flowi that gets
+passed to xfrm is actually an on-stack flowi4, so we end up reading
+stuff from the stack past the end of the flowi4 struct.
+
+Since xfrm_dst->origin isn't used anywhere following commit
+ca116922afa8 ("xfrm: Eliminate "fl" and "pol" args to
+xfrm_bundle_ok()."), just get rid of it. xfrm_dst->partner isn't used
+either, so get rid of that too.
+
+Fixes: 9d6ec938019c ("ipv4: Use flowi4 in public route lookup interfaces.")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/xfrm.h | 10 ----------
+ net/xfrm/xfrm_policy.c | 47 -----------------------------------------------
+ 2 files changed, 57 deletions(-)
+
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -948,10 +948,6 @@ struct xfrm_dst {
+ struct flow_cache_object flo;
+ struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
+ int num_pols, num_xfrms;
+-#ifdef CONFIG_XFRM_SUB_POLICY
+- struct flowi *origin;
+- struct xfrm_selector *partner;
+-#endif
+ u32 xfrm_genid;
+ u32 policy_genid;
+ u32 route_mtu_cached;
+@@ -967,12 +963,6 @@ static inline void xfrm_dst_destroy(stru
+ dst_release(xdst->route);
+ if (likely(xdst->u.dst.xfrm))
+ xfrm_state_put(xdst->u.dst.xfrm);
+-#ifdef CONFIG_XFRM_SUB_POLICY
+- kfree(xdst->origin);
+- xdst->origin = NULL;
+- kfree(xdst->partner);
+- xdst->partner = NULL;
+-#endif
+ }
+ #endif
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1776,43 +1776,6 @@ free_dst:
+ goto out;
+ }
+
+-#ifdef CONFIG_XFRM_SUB_POLICY
+-static int xfrm_dst_alloc_copy(void **target, const void *src, int size)
+-{
+- if (!*target) {
+- *target = kmalloc(size, GFP_ATOMIC);
+- if (!*target)
+- return -ENOMEM;
+- }
+-
+- memcpy(*target, src, size);
+- return 0;
+-}
+-#endif
+-
+-static int xfrm_dst_update_parent(struct dst_entry *dst,
+- const struct xfrm_selector *sel)
+-{
+-#ifdef CONFIG_XFRM_SUB_POLICY
+- struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
+- return xfrm_dst_alloc_copy((void **)&(xdst->partner),
+- sel, sizeof(*sel));
+-#else
+- return 0;
+-#endif
+-}
+-
+-static int xfrm_dst_update_origin(struct dst_entry *dst,
+- const struct flowi *fl)
+-{
+-#ifdef CONFIG_XFRM_SUB_POLICY
+- struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
+- return xfrm_dst_alloc_copy((void **)&(xdst->origin), fl, sizeof(*fl));
+-#else
+- return 0;
+-#endif
+-}
+-
+ static int xfrm_expand_policies(const struct flowi *fl, u16 family,
+ struct xfrm_policy **pols,
+ int *num_pols, int *num_xfrms)
+@@ -1884,16 +1847,6 @@ xfrm_resolve_and_create_bundle(struct xf
+
+ xdst = (struct xfrm_dst *)dst;
+ xdst->num_xfrms = err;
+- if (num_pols > 1)
+- err = xfrm_dst_update_parent(dst, &pols[1]->selector);
+- else
+- err = xfrm_dst_update_origin(dst, fl);
+- if (unlikely(err)) {
+- dst_free(dst);
+- XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
+- return ERR_PTR(err);
+- }
+-
+ xdst->num_pols = num_pols;
+ memcpy(xdst->pols, pols, sizeof(struct xfrm_policy *) * num_pols);
+ xdst->policy_genid = atomic_read(&pols[0]->genid);
--- /dev/null
+From e747f64336fc15e1c823344942923195b800aa1e Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 14 Jun 2017 13:35:37 +0300
+Subject: xfrm: NULL dereference on allocation failure
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit e747f64336fc15e1c823344942923195b800aa1e upstream.
+
+The default error code in pfkey_msg2xfrm_state() is -ENOBUFS. We
+added a new call to security_xfrm_state_alloc() which sets "err" to zero
+so there are several places where we can return ERR_PTR(0) if kmalloc()
+fails. The caller is expecting error pointers so it leads to a NULL
+dereference.
+
+Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/key/af_key.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1135,6 +1135,7 @@ static struct xfrm_state * pfkey_msg2xfr
+ goto out;
+ }
+
++ err = -ENOBUFS;
+ key = ext_hdrs[SADB_EXT_KEY_AUTH - 1];
+ if (sa->sadb_sa_auth) {
+ int keysize = 0;
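Review bot: The added `err = -ENOBUFS;` carries no comment explaining why it is needed, so it reads like a stray assignment and is easy to drop in a later cleanup. Per the commit message, an earlier call (security_xfrm_state_alloc(), outside this hunk) leaves `err` at zero, so any later bare `goto out` would hand ERR_PTR(0), i.e. NULL, to a caller that only tests for error pointers. I would add above it `/* err is 0 after the security context setup; restore the default so a bare "goto out" cannot return ERR_PTR(0) */`. The body of pfkey_msg2xfrm_state() starts and ends outside the hunk.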
--- /dev/null
+From 1e3d0c2c70cd3edb5deed186c5f5c75f2b84a633 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 14 Jun 2017 13:34:05 +0300
+Subject: xfrm: Oops on error in pfkey_msg2xfrm_state()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 1e3d0c2c70cd3edb5deed186c5f5c75f2b84a633 upstream.
+
+There are some missing error codes here so we accidentally return NULL
+instead of an error pointer. It results in a NULL pointer dereference.
+
+Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/key/af_key.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1147,8 +1147,10 @@ static struct xfrm_state * pfkey_msg2xfr
+ if (key)
+ keysize = (key->sadb_key_bits + 7) / 8;
+ x->aalg = kmalloc(sizeof(*x->aalg) + keysize, GFP_KERNEL);
+- if (!x->aalg)
++ if (!x->aalg) {
++ err = -ENOMEM;
+ goto out;
++ }
+ strcpy(x->aalg->alg_name, a->name);
+ x->aalg->alg_key_len = 0;
+ if (key) {
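Review bot: `keysize` is derived from `key->sadb_key_bits` and sizes the allocation at the `kmalloc(sizeof(*x->aalg) + keysize, ...)` line, but nothing in this hunk shows that the key extension really carries that many bytes. If the extension length is not validated before this point (the parsing code is outside the hunk), whatever is copied under `if (key) {` could presumably read past the end of the message buffer. It is worth confirming that a check relating `sadb_key_len` to `sadb_key_bits` exists upstream of here; if it does not, add one that fails with `err = -EINVAL; goto out;` before the allocation. The same applies to the ealg hunk at -1182, and the function extends beyond both hunks.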
+@@ -1167,8 +1169,10 @@ static struct xfrm_state * pfkey_msg2xfr
+ goto out;
+ }
+ x->calg = kmalloc(sizeof(*x->calg), GFP_KERNEL);
+- if (!x->calg)
++ if (!x->calg) {
++ err = -ENOMEM;
+ goto out;
++ }
+ strcpy(x->calg->alg_name, a->name);
+ x->props.calgo = sa->sadb_sa_encrypt;
+ } else {
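Review bot: `x->calg` comes from kmalloc() and the visible lines only write `alg_name` up to its terminator via strcpy(), so the rest of the structure stays uninitialized. The aalg and ealg hunks at least set `alg_key_len = 0`, but this branch does not. If the structure is ever copied out as a whole (not visible here), those bytes would be stale heap contents. Changing the allocation to `x->calg = kzalloc(sizeof(*x->calg), GFP_KERNEL);` closes that off at negligible cost. The surrounding function starts and ends outside the hunk.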
+@@ -1182,8 +1186,10 @@ static struct xfrm_state * pfkey_msg2xfr
+ if (key)
+ keysize = (key->sadb_key_bits + 7) / 8;
+ x->ealg = kmalloc(sizeof(*x->ealg) + keysize, GFP_KERNEL);
+- if (!x->ealg)
++ if (!x->ealg) {
++ err = -ENOMEM;
+ goto out;
++ }
+ strcpy(x->ealg->alg_name, a->name);
+ x->ealg->alg_key_len = 0;
+ if (key) {
+@@ -1228,8 +1234,10 @@ static struct xfrm_state * pfkey_msg2xfr
+ struct xfrm_encap_tmpl *natt;
+
+ x->encap = kmalloc(sizeof(*x->encap), GFP_KERNEL);
+- if (!x->encap)
++ if (!x->encap) {
++ err = -ENOMEM;
+ goto out;
++ }
+
+ natt = x->encap;
+ n_type = ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1];