--- /dev/null
+From 3510c7aa069aa83a2de6dab2b41401a198317bdc Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 6 Nov 2017 20:16:50 +0100
+Subject: ALSA: seq: Avoid invalid lockdep class warning
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 3510c7aa069aa83a2de6dab2b41401a198317bdc upstream.
+
+The recent fix for adding rwsem nesting annotation was using the given
+"hop" argument as the lock subclass key. Although the idea itself
+works, it may trigger a kernel warning like:
+ BUG: looking up invalid subclass: 8
+ ....
+since the lockdep has a smaller number of subclasses (8) than we
+currently allow for the hops there (10).
+
+The current definition is merely a sanity check for avoiding the too
+deep delivery paths, and the 8 hops are already enough. So, as a
+quick fix, just follow the max hops as same as the max lockdep
+subclasses.
+
+Fixes: 1f20f9ff57ca ("ALSA: seq: Fix nested rwsem annotation for lockdep splat")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/sound/seq_kernel.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/sound/seq_kernel.h
++++ b/include/sound/seq_kernel.h
+@@ -55,7 +55,8 @@ typedef union snd_seq_timestamp snd_seq_
+ #define SNDRV_SEQ_DEFAULT_CLIENT_EVENTS 200
+
+ /* max delivery path length */
+-#define SNDRV_SEQ_MAX_HOPS 10
++/* NOTE: this shouldn't be greater than MAX_LOCKDEP_SUBCLASSES */
++#define SNDRV_SEQ_MAX_HOPS 8
+
+ /* max size of event size */
+ #define SNDRV_SEQ_MAX_EVENT_LEN 0x3fffffff
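Review bot: The new comment on `SNDRV_SEQ_MAX_HOPS` states a constraint that nothing enforces at build time, so a later bump of the hop limit would silently bring back the lockdep subclass warning. The commit description says the hop count is used as the rwsem nesting subclass; that use site is outside this hunk. A compile-time check next to that use would pin the relationship: `BUILD_BUG_ON(SNDRV_SEQ_MAX_HOPS > MAX_LOCKDEP_SUBCLASSES);`. Whether the largest hop value actually passed as a subclass is MAX_HOPS or MAX_HOPS - 1 is not visible here and should be confirmed when choosing the bound.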
--- /dev/null
+From 132d358b183ac6ad8b3fea32ad5e0663456d18d1 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 7 Nov 2017 16:05:24 +0100
+Subject: ALSA: seq: Fix OSS sysex delivery in OSS emulation
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 132d358b183ac6ad8b3fea32ad5e0663456d18d1 upstream.
+
+The SYSEX event delivery in OSS sequencer emulation assumed that the
+event is encoded in the variable-length data with the straight
+buffering. This was the normal behavior in the past, but during the
+development, the chained buffers were introduced for carrying more
+data, while the OSS code was left intact. As a result, when a SYSEX
+event with the chained buffer data is passed to OSS sequencer port,
+it may end up with the wrong memory access, as if it were having a too
+large buffer.
+
+This patch addresses the bug, by applying the buffer data expansion by
+the generic snd_seq_dump_var_event() helper function.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reported-by: Mark Salyzyn <salyzyn@android.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/oss/seq_oss_midi.c | 4 +---
+ sound/core/seq/oss/seq_oss_readq.c | 29 +++++++++++++++++++++++++++++
+ sound/core/seq/oss/seq_oss_readq.h | 2 ++
+ 3 files changed, 32 insertions(+), 3 deletions(-)
+
+--- a/sound/core/seq/oss/seq_oss_midi.c
++++ b/sound/core/seq/oss/seq_oss_midi.c
+@@ -615,9 +615,7 @@ send_midi_event(struct seq_oss_devinfo *
+ if (!dp->timer->running)
+ len = snd_seq_oss_timer_start(dp->timer);
+ if (ev->type == SNDRV_SEQ_EVENT_SYSEX) {
+- if ((ev->flags & SNDRV_SEQ_EVENT_LENGTH_MASK) == SNDRV_SEQ_EVENT_LENGTH_VARIABLE)
+- snd_seq_oss_readq_puts(dp->readq, mdev->seq_device,
+- ev->data.ext.ptr, ev->data.ext.len);
++ snd_seq_oss_readq_sysex(dp->readq, mdev->seq_device, ev);
+ } else {
+ len = snd_midi_event_decode(mdev->coder, msg, sizeof(msg), ev);
+ if (len > 0)
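Review bot: The result of `snd_seq_oss_readq_sysex()` is discarded in the SYSEX branch of send_midi_event(). The helper feeds the read queue through a per-chunk callback, so a failure partway through (for instance a full queue; snd_seq_oss_readq_puts() is outside this hunk) could leave the reader with a truncated SysEx and no indication. I would at least capture the return value and account for the drop, or add a comment saying that best-effort delivery is intended here. send_midi_event() starts and ends outside the hunk.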
+--- a/sound/core/seq/oss/seq_oss_readq.c
++++ b/sound/core/seq/oss/seq_oss_readq.c
+@@ -120,6 +120,35 @@ snd_seq_oss_readq_puts(struct seq_oss_re
+ }
+
+ /*
++ * put MIDI sysex bytes; the event buffer may be chained, thus it has
++ * to be expanded via snd_seq_dump_var_event().
++ */
++struct readq_sysex_ctx {
++ struct seq_oss_readq *readq;
++ int dev;
++};
++
++static int readq_dump_sysex(void *ptr, void *buf, int count)
++{
++ struct readq_sysex_ctx *ctx = ptr;
++
++ return snd_seq_oss_readq_puts(ctx->readq, ctx->dev, buf, count);
++}
++
++int snd_seq_oss_readq_sysex(struct seq_oss_readq *q, int dev,
++ struct snd_seq_event *ev)
++{
++ struct readq_sysex_ctx ctx = {
++ .readq = q,
++ .dev = dev
++ };
++
++ if ((ev->flags & SNDRV_SEQ_EVENT_LENGTH_MASK) != SNDRV_SEQ_EVENT_LENGTH_VARIABLE)
++ return 0;
++ return snd_seq_dump_var_event(ev, readq_dump_sysex, &ctx);
++}
++
++/*
+ * copy an event to input queue:
+ * return zero if enqueued
+ */
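Review bot: The added block comment ("put MIDI sysex bytes ...") sits above `struct readq_sysex_ctx`, while the exported `snd_seq_oss_readq_sysex()` it describes has no comment of its own and its return value is undocumented. I would move the comment down to the function and add a line such as `/* returns 0 for events without variable-length data, otherwise the result of snd_seq_dump_var_event() */`. The struct would then get its own one-liner, `/* context handed to readq_dump_sysex() */`.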
+--- a/sound/core/seq/oss/seq_oss_readq.h
++++ b/sound/core/seq/oss/seq_oss_readq.h
+@@ -44,6 +44,8 @@ void snd_seq_oss_readq_delete(struct seq
+ void snd_seq_oss_readq_clear(struct seq_oss_readq *readq);
+ unsigned int snd_seq_oss_readq_poll(struct seq_oss_readq *readq, struct file *file, poll_table *wait);
+ int snd_seq_oss_readq_puts(struct seq_oss_readq *readq, int dev, unsigned char *data, int len);
++int snd_seq_oss_readq_sysex(struct seq_oss_readq *q, int dev,
++ struct snd_seq_event *ev);
+ int snd_seq_oss_readq_put_event(struct seq_oss_readq *readq, union evrec *ev);
+ int snd_seq_oss_readq_put_timestamp(struct seq_oss_readq *readq, unsigned long curt, int seq_mode);
+ int snd_seq_oss_readq_pick(struct seq_oss_readq *q, union evrec *rec);
--- /dev/null
+From b9dd05c7002ee0ca8b676428b2268c26399b5e31 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Thu, 2 Nov 2017 18:44:28 +0100
+Subject: ARM: 8720/1: ensure dump_instr() checks addr_limit
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit b9dd05c7002ee0ca8b676428b2268c26399b5e31 upstream.
+
+When CONFIG_DEBUG_USER is enabled, it's possible for a user to
+deliberately trigger dump_instr() with a chosen kernel address.
+
+Let's avoid problems resulting from this by using get_user() rather than
+__get_user(), ensuring that we don't erroneously access kernel memory.
+
+So that we can use the same code to dump user instructions and kernel
+instructions, the common dumping code is factored out to __dump_instr(),
+with the fs manipulated appropriately in dump_instr() around calls to
+this.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kernel/traps.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/arch/arm/kernel/traps.c
++++ b/arch/arm/kernel/traps.c
+@@ -132,30 +132,26 @@ static void dump_mem(const char *lvl, co
+ set_fs(fs);
+ }
+
+-static void dump_instr(const char *lvl, struct pt_regs *regs)
++static void __dump_instr(const char *lvl, struct pt_regs *regs)
+ {
+ unsigned long addr = instruction_pointer(regs);
+ const int thumb = thumb_mode(regs);
+ const int width = thumb ? 4 : 8;
+- mm_segment_t fs;
+ char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str;
+ int i;
+
+ /*
+- * We need to switch to kernel mode so that we can use __get_user
+- * to safely read from kernel space. Note that we now dump the
+- * code first, just in case the backtrace kills us.
++ * Note that we now dump the code first, just in case the backtrace
++ * kills us.
+ */
+- fs = get_fs();
+- set_fs(KERNEL_DS);
+
+ for (i = -4; i < 1 + !!thumb; i++) {
+ unsigned int val, bad;
+
+ if (thumb)
+- bad = __get_user(val, &((u16 *)addr)[i]);
++ bad = get_user(val, &((u16 *)addr)[i]);
+ else
+- bad = __get_user(val, &((u32 *)addr)[i]);
++ bad = get_user(val, &((u32 *)addr)[i]);
+
+ if (!bad)
+ p += sprintf(p, i == 0 ? "(%0*x) " : "%0*x ",
+@@ -166,8 +162,20 @@ static void dump_instr(const char *lvl,
+ }
+ }
+ printk("%sCode: %s\n", lvl, str);
++}
+
+- set_fs(fs);
++static void dump_instr(const char *lvl, struct pt_regs *regs)
++{
++ mm_segment_t fs;
++
++ if (!user_mode(regs)) {
++ fs = get_fs();
++ set_fs(KERNEL_DS);
++ __dump_instr(lvl, regs);
++ set_fs(fs);
++ } else {
++ __dump_instr(lvl, regs);
++ }
+ }
+
+ #ifdef CONFIG_ARM_UNWIND
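Review bot: `__dump_instr()` now depends on its caller having arranged the address limit, but nothing in the code records that contract. Called directly on kernel-mode regs, its `get_user()` reads would all be rejected; called under KERNEL_DS with user-mode regs, the check this patch introduces would be bypassed. A comment above it would make this explicit, e.g. `/* Caller must set_fs(KERNEL_DS) for kernel-mode regs and keep the user address limit for user-mode regs. */`. The user-mode branch of `dump_instr()` also assumes the address limit is still the user one on entry, which is not visible here and worth confirming for every caller. `__dump_instr()` begins in the previous hunk.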
--- /dev/null
+From d041b557792c85677f17e08eee535eafbd6b9aa2 Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Mon, 16 Oct 2017 18:51:31 +0300
+Subject: crypto: x86/sha1-mb - fix panic due to unaligned access
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+commit d041b557792c85677f17e08eee535eafbd6b9aa2 upstream.
+
+struct sha1_ctx_mgr allocated in sha1_mb_mod_init() via kzalloc()
+and later passed in sha1_mb_flusher_mgr_flush_avx2() function where
+instructions vmovdqa used to access the struct. vmovdqa requires
+16-bytes aligned argument, but nothing guarantees that struct
+sha1_ctx_mgr will have that alignment. Unaligned vmovdqa will
+generate GP fault.
+
+Fix this by replacing vmovdqa with vmovdqu which doesn't have alignment
+requirements.
+
+Fixes: 2249cbb53ead ("crypto: sha-mb - SHA1 multibuffer submit and flush routines for AVX2")
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/crypto/sha-mb/sha1_mb_mgr_flush_avx2.S | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/crypto/sha-mb/sha1_mb_mgr_flush_avx2.S
++++ b/arch/x86/crypto/sha-mb/sha1_mb_mgr_flush_avx2.S
+@@ -174,8 +174,8 @@ LABEL skip_ %I
+ .endr
+
+ # Find min length
+- vmovdqa _lens+0*16(state), %xmm0
+- vmovdqa _lens+1*16(state), %xmm1
++ vmovdqu _lens+0*16(state), %xmm0
++ vmovdqu _lens+1*16(state), %xmm1
+
+ vpminud %xmm1, %xmm0, %xmm2 # xmm2 has {D,C,B,A}
+ vpalignr $8, %xmm2, %xmm3, %xmm3 # xmm3 has {x,x,D,C}
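Review bot: The switch to `vmovdqu` for the `_lens` accesses carries no comment, so the reason lives only in the commit log and a later cleanup could turn them back into `vmovdqa`. A short comment at the first load would keep it, e.g. `# state comes from kzalloc() and is not guaranteed 16-byte aligned: use unaligned moves`. The same applies to the store pair in the second hunk and to the loads in sha1_mb_mgr_get_comp_job_avx2 in the third hunk. Aligning the allocation would be the alternative, but that code is outside this diff.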
+@@ -195,8 +195,8 @@ LABEL skip_ %I
+ vpsubd %xmm2, %xmm0, %xmm0
+ vpsubd %xmm2, %xmm1, %xmm1
+
+- vmovdqa %xmm0, _lens+0*16(state)
+- vmovdqa %xmm1, _lens+1*16(state)
++ vmovdqu %xmm0, _lens+0*16(state)
++ vmovdqu %xmm1, _lens+1*16(state)
+
+ # "state" and "args" are the same address, arg1
+ # len is arg2
+@@ -260,8 +260,8 @@ ENTRY(sha1_mb_mgr_get_comp_job_avx2)
+ jc .return_null
+
+ # Find min length
+- vmovdqa _lens(state), %xmm0
+- vmovdqa _lens+1*16(state), %xmm1
++ vmovdqu _lens(state), %xmm0
++ vmovdqu _lens+1*16(state), %xmm1
+
+ vpminud %xmm1, %xmm0, %xmm2 # xmm2 has {D,C,B,A}
+ vpalignr $8, %xmm2, %xmm3, %xmm3 # xmm3 has {x,x,D,C}
--- /dev/null
+From 624f5ab8720b3371367327a822c267699c1823b8 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 7 Nov 2017 22:29:02 +0000
+Subject: KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 624f5ab8720b3371367327a822c267699c1823b8 upstream.
+
+syzkaller reported a NULL pointer dereference in asn1_ber_decoder(). It
+can be reproduced by the following command, assuming
+CONFIG_PKCS7_TEST_KEY=y:
+
+ keyctl add pkcs7_test desc '' @s
+
+The bug is that if the data buffer is empty, an integer underflow occurs
+in the following check:
+
+ if (unlikely(dp >= datalen - 1))
+ goto data_overrun_error;
+
+This results in the NULL data pointer being dereferenced.
+
+Fix it by checking for 'datalen - dp < 2' instead.
+
+Also fix the similar check for 'dp >= datalen - n' later in the same
+function. That one possibly could result in a buffer overread.
+
+The NULL pointer dereference was reproducible using the "pkcs7_test" key
+type but not the "asymmetric" key type because the "asymmetric" key type
+checks for a 0-length payload before calling into the ASN.1 decoder but
+the "pkcs7_test" key type does not.
+
+The bug report was:
+
+ BUG: unable to handle kernel NULL pointer dereference at (null)
+ IP: asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233
+ PGD 7b708067 P4D 7b708067 PUD 7b6ee067 PMD 0
+ Oops: 0000 [#1] SMP
+ Modules linked in:
+ CPU: 0 PID: 522 Comm: syz-executor1 Not tainted 4.14.0-rc8 #7
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.3-20171021_125229-anatol 04/01/2014
+ task: ffff9b6b3798c040 task.stack: ffff9b6b37970000
+ RIP: 0010:asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233
+ RSP: 0018:ffff9b6b37973c78 EFLAGS: 00010216
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000021c
+ RDX: ffffffff814a04ed RSI: ffffb1524066e000 RDI: ffffffff910759e0
+ RBP: ffff9b6b37973d60 R08: 0000000000000001 R09: ffff9b6b3caa4180
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
+ R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ FS: 00007f10ed1f2700(0000) GS:ffff9b6b3ea00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 000000007b6f3000 CR4: 00000000000006f0
+ Call Trace:
+ pkcs7_parse_message+0xee/0x240 crypto/asymmetric_keys/pkcs7_parser.c:139
+ verify_pkcs7_signature+0x33/0x180 certs/system_keyring.c:216
+ pkcs7_preparse+0x41/0x70 crypto/asymmetric_keys/pkcs7_key_type.c:63
+ key_create_or_update+0x180/0x530 security/keys/key.c:855
+ SYSC_add_key security/keys/keyctl.c:122 [inline]
+ SyS_add_key+0xbf/0x250 security/keys/keyctl.c:62
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+ RIP: 0033:0x4585c9
+ RSP: 002b:00007f10ed1f1bd8 EFLAGS: 00000216 ORIG_RAX: 00000000000000f8
+ RAX: ffffffffffffffda RBX: 00007f10ed1f2700 RCX: 00000000004585c9
+ RDX: 0000000020000000 RSI: 0000000020008ffb RDI: 0000000020008000
+ RBP: 0000000000000000 R08: ffffffffffffffff R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000216 R12: 00007fff1b2260ae
+ R13: 00007fff1b2260af R14: 00007f10ed1f2700 R15: 0000000000000000
+ Code: dd ca ff 48 8b 45 88 48 83 e8 01 4c 39 f0 0f 86 a8 07 00 00 e8 53 dd ca ff 49 8d 46 01 48 89 85 58 ff ff ff 48 8b 85 60 ff ff ff <42> 0f b6 0c 30 89 c8 88 8d 75 ff ff ff 83 e0 1f 89 8d 28 ff ff
+ RIP: asn1_ber_decoder+0x17f/0xe60 lib/asn1_decoder.c:233 RSP: ffff9b6b37973c78
+ CR2: 0000000000000000
+
+Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/asn1_decoder.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/asn1_decoder.c
++++ b/lib/asn1_decoder.c
+@@ -220,7 +220,7 @@ next_op:
+ hdr = 2;
+
+ /* Extract a tag from the data */
+- if (unlikely(dp >= datalen - 1))
++ if (unlikely(datalen - dp < 2))
+ goto data_overrun_error;
+ tag = data[dp++];
+ if (unlikely((tag & 0x1f) == ASN1_LONG_TAG))
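Review bot: The rewritten guard `datalen - dp < 2` is only safe while `dp <= datalen` holds. The commit text implies unsigned operands (the declarations are outside this hunk), so if `dp` ever passed `datalen` the subtraction would wrap and the read at `data[dp++]` would go through. If the invariant is intended, state it in the comment: `/* Extract a tag from the data; dp <= datalen always holds here */`, or make the guard self-contained with `if (unlikely(dp >= datalen || datalen - dp < 2))`. The same assumption sits behind `n > datalen - dp` in the second hunk. The enclosing function starts and ends outside both hunks.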
+@@ -266,7 +266,7 @@ next_op:
+ int n = len - 0x80;
+ if (unlikely(n > 2))
+ goto length_too_long;
+- if (unlikely(dp >= datalen - n))
++ if (unlikely(n > datalen - dp))
+ goto data_overrun_error;
+ hdr += n;
+ for (len = 0; n > 0; n--) {
--- /dev/null
+From 6a6cba1d945a7511cdfaf338526871195e420762 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paul.burton@mips.com>
+Date: Tue, 31 Oct 2017 15:09:22 -0700
+Subject: MIPS: Fix CM region target definitions
+
+From: Paul Burton <paul.burton@mips.com>
+
+commit 6a6cba1d945a7511cdfaf338526871195e420762 upstream.
+
+The default CM target field in the GCR_BASE register is encoded with 0
+meaning memory & 1 being reserved. However the definitions we use for
+those bits effectively get these two values backwards - likely because
+they were copied from the definitions for the CM regions where the
+target is encoded differently. This results in us setting up GCR_BASE
+with the reserved target value by default, rather than targeting memory
+as intended. Although we currently seem to get away with this it's not a
+great idea to rely upon.
+
+Fix this by changing our macros to match the documented target values.
+
+The incorrect encoding became used as of commit 9f98f3dd0c51 ("MIPS: Add
+generic CM probe & access code") in the Linux v3.15 cycle, and was
+likely carried forwards from older but unused code introduced by
+commit 39b8d5254246 ("[MIPS] Add support for MIPS CMP platform.") in the
+v2.6.26 cycle.
+
+Fixes: 9f98f3dd0c51 ("MIPS: Add generic CM probe & access code")
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Reported-by: Matt Redfearn <matt.redfearn@mips.com>
+Reviewed-by: James Hogan <jhogan@kernel.org>
+Cc: Matt Redfearn <matt.redfearn@mips.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: <stable@vger.kernel.org> # v3.15+
+Patchwork: https://patchwork.linux-mips.org/patch/17562/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+[jhogan@kernel.org: Backported 3.15..4.13]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/include/asm/mips-cm.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/include/asm/mips-cm.h
++++ b/arch/mips/include/asm/mips-cm.h
+@@ -173,8 +173,8 @@ BUILD_CM_Cx_R_(tcid_8_priority, 0x80)
+ #define CM_GCR_BASE_GCRBASE_MSK (_ULCAST_(0x1ffff) << 15)
+ #define CM_GCR_BASE_CMDEFTGT_SHF 0
+ #define CM_GCR_BASE_CMDEFTGT_MSK (_ULCAST_(0x3) << 0)
+-#define CM_GCR_BASE_CMDEFTGT_DISABLED 0
+-#define CM_GCR_BASE_CMDEFTGT_MEM 1
++#define CM_GCR_BASE_CMDEFTGT_MEM 0
++#define CM_GCR_BASE_CMDEFTGT_RESERVED 1
+ #define CM_GCR_BASE_CMDEFTGT_IOCU0 2
+ #define CM_GCR_BASE_CMDEFTGT_IOCU1 3
+
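Review bot: Nothing at these definitions says that the GCR_BASE default-target encoding differs from the CM region target encoding, which the commit description names as the likely source of the original mix-up. A one-line comment above `CM_GCR_BASE_CMDEFTGT_MEM` would guard against a repeat: `/* GCR_BASE default target: 0 = memory, 1 = reserved (not the CM region target encoding) */`. Also, `CM_GCR_BASE_CMDEFTGT_DISABLED` no longer exists after this change, so any remaining user of that name outside this hunk would stop compiling. A tree-wide search is worth doing for each backport target.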
--- /dev/null
+From 77238e76b9156d28d86c1e31c00ed2960df0e4de Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+Date: Tue, 31 Oct 2017 00:35:03 -0500
+Subject: MIPS: microMIPS: Fix incorrect mask in insn_table_MM
+
+From: Gustavo A. R. Silva <garsilva@embeddedor.com>
+
+commit 77238e76b9156d28d86c1e31c00ed2960df0e4de upstream.
+
+It seems that this is a typo error and the proper bit masking is
+"RT | RS" instead of "RS | RS".
+
+This issue was detected with the help of Coccinelle.
+
+Fixes: d6b3314b49e1 ("MIPS: uasm: Add lh uam instruction")
+Reported-by: Julia Lawall <julia.lawall@lip6.fr>
+Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
+Reviewed-by: James Hogan <jhogan@kernel.org>
+Patchwork: https://patchwork.linux-mips.org/patch/17551/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+[jhogan@kernel.org: Backported 3.16..4.12]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/mm/uasm-micromips.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/mm/uasm-micromips.c
++++ b/arch/mips/mm/uasm-micromips.c
+@@ -83,7 +83,7 @@ static struct insn insn_table_MM[] = {
+ { insn_jr, M(mm_pool32a_op, 0, 0, 0, mm_jalr_op, mm_pool32axf_op), RS },
+ { insn_lb, M(mm_lb32_op, 0, 0, 0, 0, 0), RT | RS | SIMM },
+ { insn_ld, 0, 0 },
+- { insn_lh, M(mm_lh32_op, 0, 0, 0, 0, 0), RS | RS | SIMM },
++ { insn_lh, M(mm_lh32_op, 0, 0, 0, 0, 0), RT | RS | SIMM },
+ { insn_ll, M(mm_pool32c_op, 0, 0, (mm_ll_func << 1), 0, 0), RS | RT | SIMM },
+ { insn_lld, 0, 0 },
+ { insn_lui, M(mm_pool32i_op, mm_lui_op, 0, 0, 0, 0), RS | SIMM },
input-mpr121-set-missing-event-capability.patch
ib-ipoib-change-list_del-to-list_del_init-in-the-tx-object.patch
keys-trusted-sanitize-all-key-material.patch
+workqueue-fix-null-pointer-dereference.patch
+crypto-x86-sha1-mb-fix-panic-due-to-unaligned-access.patch
+keys-fix-null-pointer-dereference-during-asn.1-parsing.patch
+arm-8720-1-ensure-dump_instr-checks-addr_limit.patch
+alsa-seq-fix-oss-sysex-delivery-in-oss-emulation.patch
+alsa-seq-avoid-invalid-lockdep-class-warning.patch
+mips-micromips-fix-incorrect-mask-in-insn_table_mm.patch
+mips-fix-cm-region-target-definitions.patch
--- /dev/null
+From cef572ad9bd7f85035ba8272e5352040e8be0152 Mon Sep 17 00:00:00 2001
+From: Li Bin <huawei.libin@huawei.com>
+Date: Sat, 28 Oct 2017 11:07:28 +0800
+Subject: workqueue: Fix NULL pointer dereference
+
+From: Li Bin <huawei.libin@huawei.com>
+
+commit cef572ad9bd7f85035ba8272e5352040e8be0152 upstream.
+
+When queue_work() is used in irq (not in task context), there is
+a potential case that triggers a NULL pointer dereference.
+----------------------------------------------------------------
+worker_thread()
+|-spin_lock_irq()
+|-process_one_work()
+ |-worker->current_pwq = pwq
+ |-spin_unlock_irq()
+ |-worker->current_func(work)
+ |-spin_lock_irq()
+ |-worker->current_pwq = NULL
+|-spin_unlock_irq()
+
+ //interrupt here
+ |-irq_handler
+ |-__queue_work()
+ //assuming that the wq is draining
+ |-is_chained_work(wq)
+ |-current_wq_worker()
+ //Here, 'current' is the interrupted worker!
+ |-current->current_pwq is NULL here!
+|-schedule()
+----------------------------------------------------------------
+
+Avoid it by checking for task context in current_wq_worker(), and
+if not in task context, we shouldn't use the 'current' to check the
+condition.
+
+Reported-by: Xiaofei Tan <tanxiaofei@huawei.com>
+Signed-off-by: Li Bin <huawei.libin@huawei.com>
+Reviewed-by: Lai Jiangshan <jiangshanlai@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Fixes: 8d03ecfe4718 ("workqueue: reimplement is_chained_work() using current_wq_worker()")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/workqueue_internal.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/workqueue_internal.h
++++ b/kernel/workqueue_internal.h
+@@ -9,6 +9,7 @@
+
+ #include <linux/workqueue.h>
+ #include <linux/kthread.h>
++#include <linux/preempt.h>
+
+ struct worker_pool;
+
+@@ -59,7 +60,7 @@ struct worker {
+ */
+ static inline struct worker *current_wq_worker(void)
+ {
+- if (current->flags & PF_WQ_WORKER)
++ if (in_task() && (current->flags & PF_WQ_WORKER))
+ return kthread_data(current);
+ return NULL;
+ }
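Review bot: The doc comment for `current_wq_worker()` presumably still describes only the PF_WQ_WORKER test, while the function now also returns NULL whenever it is called outside task context. Only the closing line of that comment is visible in this hunk. I would add a line to it, e.g. `* Return: the worker if %current is a workqueue worker and we are in task context, %NULL otherwise (including when called from an interrupt).`. That matters to callers because in an interrupt `current` is the interrupted task rather than the code doing the queueing, which is the case the commit description walks through.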