--- /dev/null
+From b2ca374f33bd33fd822eb871876e4888cf79dc97 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Tue, 24 Apr 2018 15:44:16 -0600
+Subject: f2fs: sanity check on sit entry
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit b2ca374f33bd33fd822eb871876e4888cf79dc97 upstream.
+
+syzbot hit the following crash on upstream commit
+87ef12027b9b1dd0e0b12cf311fbcb19f9d92539 (Wed Apr 18 19:48:17 2018 +0000)
+Merge tag 'ceph-for-4.17-rc2' of git://github.com/ceph/ceph-client
+syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=83699adeb2d13579c31e
+
+C reproducer: https://syzkaller.appspot.com/x/repro.c?id=5805208181407744
+syzkaller reproducer: https://syzkaller.appspot.com/x/repro.syz?id=6005073343676416
+Raw console output: https://syzkaller.appspot.com/x/log.txt?id=6555047731134464
+Kernel config: https://syzkaller.appspot.com/x/.config?id=1808800213120130118
+compiler: gcc (GCC) 8.0.1 20180413 (experimental)
+
+IMPORTANT: if you fix the bug, please add the following tag to the commit:
+Reported-by: syzbot+83699adeb2d13579c31e@syzkaller.appspotmail.com
+It will help syzbot understand when the bug is fixed. See footer for details.
+If you forward the report, please keep this part and the footer.
+
+F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
+F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
+F2FS-fs (loop0): invalid crc value
+BUG: unable to handle kernel paging request at ffffed006b2a50c0
+PGD 21ffee067 P4D 21ffee067 PUD 21fbeb067 PMD 0
+Oops: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 0 PID: 4514 Comm: syzkaller989480 Not tainted 4.17.0-rc1+ #8
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:build_sit_entries fs/f2fs/segment.c:3653 [inline]
+RIP: 0010:build_segment_manager+0x7ef7/0xbf70 fs/f2fs/segment.c:3852
+RSP: 0018:ffff8801b102e5b0 EFLAGS: 00010a06
+RAX: 1ffff1006b2a50c0 RBX: 0000000000000004 RCX: 0000000000000001
+RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8801ac74243e
+RBP: ffff8801b102f410 R08: ffff8801acbd46c0 R09: fffffbfff14d9af8
+R10: fffffbfff14d9af8 R11: ffff8801acbd46c0 R12: ffff8801ac742a80
+R13: ffff8801d9519100 R14: dffffc0000000000 R15: ffff880359528600
+FS: 0000000001e04880(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffed006b2a50c0 CR3: 00000001ac6ac000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ f2fs_fill_super+0x4095/0x7bf0 fs/f2fs/super.c:2803
+ mount_bdev+0x30c/0x3e0 fs/super.c:1165
+ f2fs_mount+0x34/0x40 fs/f2fs/super.c:3020
+ mount_fs+0xae/0x328 fs/super.c:1268
+ vfs_kern_mount.part.34+0xd4/0x4d0 fs/namespace.c:1037
+ vfs_kern_mount fs/namespace.c:1027 [inline]
+ do_new_mount fs/namespace.c:2517 [inline]
+ do_mount+0x564/0x3070 fs/namespace.c:2847
+ ksys_mount+0x12d/0x140 fs/namespace.c:3063
+ __do_sys_mount fs/namespace.c:3077 [inline]
+ __se_sys_mount fs/namespace.c:3074 [inline]
+ __x64_sys_mount+0xbe/0x150 fs/namespace.c:3074
+ do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x443d6a
+RSP: 002b:00007ffd312813c8 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
+RAX: ffffffffffffffda RBX: 0000000020000c00 RCX: 0000000000443d6a
+RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffd312813d0
+RBP: 0000000000000003 R08: 0000000020016a00 R09: 000000000000000a
+R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000004
+R13: 0000000000402c60 R14: 0000000000000000 R15: 0000000000000000
+RIP: build_sit_entries fs/f2fs/segment.c:3653 [inline] RSP: ffff8801b102e5b0
+RIP: build_segment_manager+0x7ef7/0xbf70 fs/f2fs/segment.c:3852 RSP: ffff8801b102e5b0
+CR2: ffffed006b2a50c0
+---[ end trace a2034989e196ff17 ]---
+
+Reported-and-tested-by: syzbot+83699adeb2d13579c31e@syzkaller.appspotmail.com
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/segment.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -2365,6 +2365,15 @@ static void build_sit_entries(struct f2f
+ unsigned int old_valid_blocks;
+
+ start = le32_to_cpu(segno_in_journal(journal, i));
++ if (start >= MAIN_SEGS(sbi)) {
++ f2fs_msg(sbi->sb, KERN_ERR,
++ "Wrong journal entry on segno %u",
++ start);
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ err = -EINVAL;
++ break;
++ }
++
+ se = &sit_i->sentries[start];
+ sit = sit_in_journal(journal, i);
+
--- /dev/null
+From 0447378a4a793da008451fad50bc0f93e9675ae6 Mon Sep 17 00:00:00 2001
+From: Marc Orr <marcorr@google.com>
+Date: Wed, 20 Jun 2018 17:21:29 -0700
+Subject: kvm: vmx: Nested VM-entry prereqs for event inj.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marc Orr <marcorr@google.com>
+
+commit 0447378a4a793da008451fad50bc0f93e9675ae6 upstream.
+
+This patch extends the checks done prior to a nested VM entry.
+Specifically, it extends the check_vmentry_prereqs function with checks
+for fields relevant to the VM-entry event injection information, as
+described in the Intel SDM, volume 3.
+
+This patch is motivated by a syzkaller bug, where a bad VM-entry
+interruption information field is generated in the VMCS02, which causes
+the nested VM launch to fail. Then, KVM fails to resume L1.
+
+While KVM should be improved to correctly resume L1 execution after a
+failed nested launch, this change is justified because the existing code
+to resume L1 is flaky/ad-hoc and the test coverage for resuming L1 is
+sparse.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Marc Orr <marcorr@google.com>
+[Removed comment whose parts were describing previous revisions and the
+ rest was obvious from function/variable naming. - Radim]
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/vmx.h | 3 ++
+ arch/x86/kvm/vmx.c | 67 +++++++++++++++++++++++++++++++++++++++++++++
+ arch/x86/kvm/x86.h | 9 ++++++
+ 3 files changed, 79 insertions(+)
+
+--- a/arch/x86/include/asm/vmx.h
++++ b/arch/x86/include/asm/vmx.h
+@@ -109,6 +109,7 @@
+ #define VMX_MISC_PREEMPTION_TIMER_RATE_MASK 0x0000001f
+ #define VMX_MISC_SAVE_EFER_LMA 0x00000020
+ #define VMX_MISC_ACTIVITY_HLT 0x00000040
++#define VMX_MISC_ZERO_LEN_INS 0x40000000
+
+ /* VMCS Encodings */
+ enum vmcs_field {
+@@ -306,11 +307,13 @@ enum vmcs_field {
+ #define VECTORING_INFO_VALID_MASK INTR_INFO_VALID_MASK
+
+ #define INTR_TYPE_EXT_INTR (0 << 8) /* external interrupt */
++#define INTR_TYPE_RESERVED (1 << 8) /* reserved */
+ #define INTR_TYPE_NMI_INTR (2 << 8) /* NMI */
+ #define INTR_TYPE_HARD_EXCEPTION (3 << 8) /* processor exception */
+ #define INTR_TYPE_SOFT_INTR (4 << 8) /* software interrupt */
+ #define INTR_TYPE_PRIV_SW_EXCEPTION (5 << 8) /* ICE breakpoint - undocumented */
+ #define INTR_TYPE_SOFT_EXCEPTION (6 << 8) /* software exception */
++#define INTR_TYPE_OTHER_EVENT (7 << 8) /* other event */
+
+ /* GUEST_INTERRUPTIBILITY_INFO flags. */
+ #define GUEST_INTR_STATE_STI 0x00000001
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1312,6 +1312,17 @@ static inline bool report_flexpriority(v
+ return flexpriority_enabled;
+ }
+
++static inline bool nested_cpu_has_zero_length_injection(struct kvm_vcpu *vcpu)
++{
++ return to_vmx(vcpu)->nested.msrs.misc_low & VMX_MISC_ZERO_LEN_INS;
++}
++
++static inline bool nested_cpu_supports_monitor_trap_flag(struct kvm_vcpu *vcpu)
++{
++ return to_vmx(vcpu)->nested.msrs.procbased_ctls_high &
++ CPU_BASED_MONITOR_TRAP_FLAG;
++}
++
+ static inline bool nested_cpu_has(struct vmcs12 *vmcs12, u32 bit)
+ {
+ return vmcs12->cpu_based_vm_exec_control & bit;
+@@ -11235,6 +11246,62 @@ static int vmx_pre_block(struct kvm_vcpu
+ if (kvm_lapic_hv_timer_in_use(vcpu))
+ kvm_lapic_switch_to_sw_timer(vcpu);
+
++ /*
++ * From the Intel SDM, volume 3:
++ * Fields relevant to VM-entry event injection must be set properly.
++ * These fields are the VM-entry interruption-information field, the
++ * VM-entry exception error code, and the VM-entry instruction length.
++ */
++ if (vmcs12->vm_entry_intr_info_field & INTR_INFO_VALID_MASK) {
++ u32 intr_info = vmcs12->vm_entry_intr_info_field;
++ u8 vector = intr_info & INTR_INFO_VECTOR_MASK;
++ u32 intr_type = intr_info & INTR_INFO_INTR_TYPE_MASK;
++ bool has_error_code = intr_info & INTR_INFO_DELIVER_CODE_MASK;
++ bool should_have_error_code;
++ bool urg = nested_cpu_has2(vmcs12,
++ SECONDARY_EXEC_UNRESTRICTED_GUEST);
++ bool prot_mode = !urg || vmcs12->guest_cr0 & X86_CR0_PE;
++
++ /* VM-entry interruption-info field: interruption type */
++ if (intr_type == INTR_TYPE_RESERVED ||
++ (intr_type == INTR_TYPE_OTHER_EVENT &&
++ !nested_cpu_supports_monitor_trap_flag(vcpu)))
++ return VMXERR_ENTRY_INVALID_CONTROL_FIELD;
++
++ /* VM-entry interruption-info field: vector */
++ if ((intr_type == INTR_TYPE_NMI_INTR && vector != NMI_VECTOR) ||
++ (intr_type == INTR_TYPE_HARD_EXCEPTION && vector > 31) ||
++ (intr_type == INTR_TYPE_OTHER_EVENT && vector != 0))
++ return VMXERR_ENTRY_INVALID_CONTROL_FIELD;
++
++ /* VM-entry interruption-info field: deliver error code */
++ should_have_error_code =
++ intr_type == INTR_TYPE_HARD_EXCEPTION && prot_mode &&
++ x86_exception_has_error_code(vector);
++ if (has_error_code != should_have_error_code)
++ return VMXERR_ENTRY_INVALID_CONTROL_FIELD;
++
++ /* VM-entry exception error code */
++ if (has_error_code &&
++ vmcs12->vm_entry_exception_error_code & GENMASK(31, 15))
++ return VMXERR_ENTRY_INVALID_CONTROL_FIELD;
++
++ /* VM-entry interruption-info field: reserved bits */
++ if (intr_info & INTR_INFO_RESVD_BITS_MASK)
++ return VMXERR_ENTRY_INVALID_CONTROL_FIELD;
++
++ /* VM-entry instruction length */
++ switch (intr_type) {
++ case INTR_TYPE_SOFT_EXCEPTION:
++ case INTR_TYPE_SOFT_INTR:
++ case INTR_TYPE_PRIV_SW_EXCEPTION:
++ if ((vmcs12->vm_entry_instruction_len > 15) ||
++ (vmcs12->vm_entry_instruction_len == 0 &&
++ !nested_cpu_has_zero_length_injection(vcpu)))
++ return VMXERR_ENTRY_INVALID_CONTROL_FIELD;
++ }
++ }
++
+ return 0;
+ }
+
+--- a/arch/x86/kvm/x86.h
++++ b/arch/x86/kvm/x86.h
+@@ -60,6 +60,15 @@ static inline bool is_64_bit_mode(struct
+ return cs_l;
+ }
+
++static inline bool x86_exception_has_error_code(unsigned int vector)
++{
++ static u32 exception_has_error_code = BIT(DF_VECTOR) | BIT(TS_VECTOR) |
++ BIT(NP_VECTOR) | BIT(SS_VECTOR) | BIT(GP_VECTOR) |
++ BIT(PF_VECTOR) | BIT(AC_VECTOR);
++
++ return (1U << vector) & exception_has_error_code;
++}
++
+ static inline bool mmu_is_nested(struct kvm_vcpu *vcpu)
+ {
+ return vcpu->arch.walk_mmu == &vcpu->arch.nested_mmu;
--- /dev/null
+From d2ac838e4cd7e5e9891ecc094d626734b0245c99 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Mon, 7 May 2018 11:37:58 -0400
+Subject: loop: add recursion validation to LOOP_CHANGE_FD
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit d2ac838e4cd7e5e9891ecc094d626734b0245c99 upstream.
+
+Refactor the validation code used in LOOP_SET_FD so it is also used in
+LOOP_CHANGE_FD. Otherwise it is possible to construct a set of loop
+devices that all refer to each other. This can lead to a infinite
+loop in starting with "while (is_loop_device(f)) .." in loop_set_fd().
+
+Fix this by refactoring out the validation code and using it for
+LOOP_CHANGE_FD as well as LOOP_SET_FD.
+
+Reported-by: syzbot+4349872271ece473a7c91190b68b4bac7c5dbc87@syzkaller.appspotmail.com
+Reported-by: syzbot+40bd32c4d9a3cc12a339@syzkaller.appspotmail.com
+Reported-by: syzbot+769c54e66f994b041be7@syzkaller.appspotmail.com
+Reported-by: syzbot+0a89a9ce473936c57065@syzkaller.appspotmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/loop.c | 68 ++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 38 insertions(+), 30 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -640,6 +640,36 @@ static void loop_reread_partitions(struc
+ __func__, lo->lo_number, lo->lo_file_name, rc);
+ }
+
++static inline int is_loop_device(struct file *file)
++{
++ struct inode *i = file->f_mapping->host;
++
++ return i && S_ISBLK(i->i_mode) && MAJOR(i->i_rdev) == LOOP_MAJOR;
++}
++
++static int loop_validate_file(struct file *file, struct block_device *bdev)
++{
++ struct inode *inode = file->f_mapping->host;
++ struct file *f = file;
++
++ /* Avoid recursion */
++ while (is_loop_device(f)) {
++ struct loop_device *l;
++
++ if (f->f_mapping->host->i_bdev == bdev)
++ return -EBADF;
++
++ l = f->f_mapping->host->i_bdev->bd_disk->private_data;
++ if (l->lo_state == Lo_unbound) {
++ return -EINVAL;
++ }
++ f = l->lo_backing_file;
++ }
++ if (!S_ISREG(inode->i_mode) && !S_ISBLK(inode->i_mode))
++ return -EINVAL;
++ return 0;
++}
++
+ /*
+ * loop_change_fd switched the backing store of a loopback device to
+ * a new file. This is useful for operating system installers to free up
+@@ -669,14 +699,15 @@ static int loop_change_fd(struct loop_de
+ if (!file)
+ goto out;
+
++ error = loop_validate_file(file, bdev);
++ if (error)
++ goto out_putf;
++
+ inode = file->f_mapping->host;
+ old_file = lo->lo_backing_file;
+
+ error = -EINVAL;
+
+- if (!S_ISREG(inode->i_mode) && !S_ISBLK(inode->i_mode))
+- goto out_putf;
+-
+ /* size of the new backing store needs to be the same */
+ if (get_loop_size(lo, file) != get_loop_size(lo, old_file))
+ goto out_putf;
+@@ -697,13 +728,6 @@ static int loop_change_fd(struct loop_de
+ return error;
+ }
+
+-static inline int is_loop_device(struct file *file)
+-{
+- struct inode *i = file->f_mapping->host;
+-
+- return i && S_ISBLK(i->i_mode) && MAJOR(i->i_rdev) == LOOP_MAJOR;
+-}
+-
+ /* loop sysfs attributes */
+
+ static ssize_t loop_attr_show(struct device *dev, char *page,
+@@ -861,7 +885,7 @@ static int loop_prepare_queue(struct loo
+ static int loop_set_fd(struct loop_device *lo, fmode_t mode,
+ struct block_device *bdev, unsigned int arg)
+ {
+- struct file *file, *f;
++ struct file *file;
+ struct inode *inode;
+ struct address_space *mapping;
+ unsigned lo_blocksize;
+@@ -881,29 +905,13 @@ static int loop_set_fd(struct loop_devic
+ if (lo->lo_state != Lo_unbound)
+ goto out_putf;
+
+- /* Avoid recursion */
+- f = file;
+- while (is_loop_device(f)) {
+- struct loop_device *l;
+-
+- if (f->f_mapping->host->i_bdev == bdev)
+- goto out_putf;
+-
+- l = f->f_mapping->host->i_bdev->bd_disk->private_data;
+- if (l->lo_state == Lo_unbound) {
+- error = -EINVAL;
+- goto out_putf;
+- }
+- f = l->lo_backing_file;
+- }
++ error = loop_validate_file(file, bdev);
++ if (error)
++ goto out_putf;
+
+ mapping = file->f_mapping;
+ inode = mapping->host;
+
+- error = -EINVAL;
+- if (!S_ISREG(inode->i_mode) && !S_ISBLK(inode->i_mode))
+- goto out_putf;
+-
+ if (!(file->f_mode & FMODE_WRITE) || !(mode & FMODE_WRITE) ||
+ !file->f_op->write_iter)
+ lo_flags |= LO_FLAGS_READ_ONLY;
--- /dev/null
+From d3349b6b3c373ac1fbfb040b810fcee5e2adc7e0 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 4 May 2018 10:58:09 -0600
+Subject: loop: remember whether sysfs_create_group() was done
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit d3349b6b3c373ac1fbfb040b810fcee5e2adc7e0 upstream.
+
+syzbot is hitting WARN() triggered by memory allocation fault
+injection [1] because loop module is calling sysfs_remove_group()
+when sysfs_create_group() failed.
+Fix this by remembering whether sysfs_create_group() succeeded.
+
+[1] https://syzkaller.appspot.com/bug?id=3f86c0edf75c86d2633aeb9dd69eccc70bc7e90b
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+9f03168400f56df89dbc6f1751f4458fe739ff29@syzkaller.appspotmail.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Renamed sysfs_ready -> sysfs_inited.
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+
+---
+ drivers/block/loop.c | 11 ++++++-----
+ drivers/block/loop.h | 1 +
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -824,16 +824,17 @@ static struct attribute_group loop_attri
+ .attrs= loop_attrs,
+ };
+
+-static int loop_sysfs_init(struct loop_device *lo)
++static void loop_sysfs_init(struct loop_device *lo)
+ {
+- return sysfs_create_group(&disk_to_dev(lo->lo_disk)->kobj,
+- &loop_attribute_group);
++ lo->sysfs_inited = !sysfs_create_group(&disk_to_dev(lo->lo_disk)->kobj,
++ &loop_attribute_group);
+ }
+
+ static void loop_sysfs_exit(struct loop_device *lo)
+ {
+- sysfs_remove_group(&disk_to_dev(lo->lo_disk)->kobj,
+- &loop_attribute_group);
++ if (lo->sysfs_inited)
++ sysfs_remove_group(&disk_to_dev(lo->lo_disk)->kobj,
++ &loop_attribute_group);
+ }
+
+ static void loop_config_discard(struct loop_device *lo)
+--- a/drivers/block/loop.h
++++ b/drivers/block/loop.h
+@@ -59,6 +59,7 @@ struct loop_device {
+ struct kthread_worker worker;
+ struct task_struct *worker_task;
+ bool use_dio;
++ bool sysfs_inited;
+
+ struct request_queue *lo_queue;
+ struct blk_mq_tag_set tag_set;
--- /dev/null
+From ba062ebb2cd561d404e0fba8ee4b3f5ebce7cbfc Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 13 Jun 2018 09:13:39 -0700
+Subject: netfilter: nf_queue: augment nfqa_cfg_policy
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit ba062ebb2cd561d404e0fba8ee4b3f5ebce7cbfc upstream.
+
+Three attributes are currently not verified, thus can trigger KMSAN
+warnings such as :
+
+BUG: KMSAN: uninit-value in __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
+BUG: KMSAN: uninit-value in __fswab32 include/uapi/linux/swab.h:59 [inline]
+BUG: KMSAN: uninit-value in nfqnl_recv_config+0x939/0x17d0 net/netfilter/nfnetlink_queue.c:1268
+CPU: 1 PID: 4521 Comm: syz-executor120 Not tainted 4.17.0+ #5
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1117
+ __msan_warning_32+0x70/0xc0 mm/kmsan/kmsan_instr.c:620
+ __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
+ __fswab32 include/uapi/linux/swab.h:59 [inline]
+ nfqnl_recv_config+0x939/0x17d0 net/netfilter/nfnetlink_queue.c:1268
+ nfnetlink_rcv_msg+0xb2e/0xc80 net/netfilter/nfnetlink.c:212
+ netlink_rcv_skb+0x37e/0x600 net/netlink/af_netlink.c:2448
+ nfnetlink_rcv+0x2fe/0x680 net/netfilter/nfnetlink.c:513
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x1680/0x1750 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x43fd59
+RSP: 002b:00007ffde0e30d28 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd59
+RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
+R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401680
+R13: 0000000000401710 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
+ kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
+ slab_post_alloc_hook mm/slab.h:446 [inline]
+ slab_alloc_node mm/slub.c:2753 [inline]
+ __kmalloc_node_track_caller+0xb35/0x11b0 mm/slub.c:4395
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:988 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
+ netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec8/0x1320 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x15b/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: fdb694a01f1f ("netfilter: Add fail-open support")
+Fixes: 829e17a1a602 ("[NETFILTER]: nfnetlink_queue: allow changing queue length through netlink")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nfnetlink_queue.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -1210,6 +1210,9 @@ static int nfqnl_recv_unsupp(struct net
+ static const struct nla_policy nfqa_cfg_policy[NFQA_CFG_MAX+1] = {
+ [NFQA_CFG_CMD] = { .len = sizeof(struct nfqnl_msg_config_cmd) },
+ [NFQA_CFG_PARAMS] = { .len = sizeof(struct nfqnl_msg_config_params) },
++ [NFQA_CFG_QUEUE_MAXLEN] = { .type = NLA_U32 },
++ [NFQA_CFG_MASK] = { .type = NLA_U32 },
++ [NFQA_CFG_FLAGS] = { .type = NLA_U32 },
+ };
+
+ static const struct nf_queue_handler nfqh = {
--- /dev/null
+From c568503ef02030f169c9e19204def610a3510918 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 7 Jun 2018 21:34:43 +0200
+Subject: netfilter: x_tables: initialise match/target check parameter struct
+
+From: Florian Westphal <fw@strlen.de>
+
+commit c568503ef02030f169c9e19204def610a3510918 upstream.
+
+syzbot reports following splat:
+
+BUG: KMSAN: uninit-value in ebt_stp_mt_check+0x24b/0x450
+ net/bridge/netfilter/ebt_stp.c:162
+ ebt_stp_mt_check+0x24b/0x450 net/bridge/netfilter/ebt_stp.c:162
+ xt_check_match+0x1438/0x1650 net/netfilter/x_tables.c:506
+ ebt_check_match net/bridge/netfilter/ebtables.c:372 [inline]
+ ebt_check_entry net/bridge/netfilter/ebtables.c:702 [inline]
+
+The uninitialised access is
+ xt_mtchk_param->nft_compat
+
+... which should be set to 0.
+Fix it by zeroing the struct beforehand, same for tgchk.
+
+ip(6)tables targetinfo uses c99-style initialiser, so no change
+needed there.
+
+Reported-by: syzbot+da4494182233c23a5fcf@syzkaller.appspotmail.com
+Fixes: 55917a21d0cc0 ("netfilter: x_tables: add context to know if extension runs from nft_compat")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bridge/netfilter/ebtables.c | 2 ++
+ net/ipv4/netfilter/ip_tables.c | 1 +
+ net/ipv6/netfilter/ip6_tables.c | 1 +
+ 3 files changed, 4 insertions(+)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -704,6 +704,8 @@ ebt_check_entry(struct ebt_entry *e, str
+ }
+ i = 0;
+
++ memset(&mtpar, 0, sizeof(mtpar));
++ memset(&tgpar, 0, sizeof(tgpar));
+ mtpar.net = tgpar.net = net;
+ mtpar.table = tgpar.table = name;
+ mtpar.entryinfo = tgpar.entryinfo = e;
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -554,6 +554,7 @@ find_check_entry(struct ipt_entry *e, st
+ return -ENOMEM;
+
+ j = 0;
++ memset(&mtpar, 0, sizeof(mtpar));
+ mtpar.net = net;
+ mtpar.table = name;
+ mtpar.entryinfo = &e->ip;
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -584,6 +584,7 @@ find_check_entry(struct ip6t_entry *e, s
+ return -ENOMEM;
+
+ j = 0;
++ memset(&mtpar, 0, sizeof(mtpar));
+ mtpar.net = net;
+ mtpar.table = name;
+ mtpar.entryinfo = &e->ipv6;
--- /dev/null
+From 815c6704bf9f1c59f3a6be380a4032b9c57b12f1 Mon Sep 17 00:00:00 2001
+From: Keith Busch <keith.busch@intel.com>
+Date: Tue, 13 Feb 2018 05:44:44 -0700
+Subject: nvme-pci: Remap CMB SQ entries on every controller reset
+
+From: Keith Busch <keith.busch@intel.com>
+
+commit 815c6704bf9f1c59f3a6be380a4032b9c57b12f1 upstream.
+
+The controller memory buffer is remapped into a kernel address on each
+reset, but the driver was setting the submission queue base address
+only on the very first queue creation. The remapped address is likely to
+change after a reset, so accessing the old address will hit a kernel bug.
+
+This patch fixes that by setting the queue's CMB base address each time
+the queue is created.
+
+Fixes: f63572dff1421 ("nvme: unmap CMB and remove sysfs file in reset path")
+Reported-by: Christian Black <christian.d.black@intel.com>
+Cc: Jon Derrick <jonathan.derrick@intel.com>
+Cc: <stable@vger.kernel.org> # 4.9+
+Signed-off-by: Keith Busch <keith.busch@intel.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Scott Bauer <scott.bauer@intel.com>
+Reviewed-by: Jon Derrick <jonathan.derrick@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvme/host/pci.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1034,17 +1034,15 @@ static int nvme_cmb_qdepth(struct nvme_d
+ static int nvme_alloc_sq_cmds(struct nvme_dev *dev, struct nvme_queue *nvmeq,
+ int qid, int depth)
+ {
+- if (qid && dev->cmb && use_cmb_sqes && NVME_CMB_SQS(dev->cmbsz)) {
+- unsigned offset = (qid - 1) * roundup(SQ_SIZE(depth),
+- dev->ctrl.page_size);
+- nvmeq->sq_dma_addr = dev->cmb_bus_addr + offset;
+- nvmeq->sq_cmds_io = dev->cmb + offset;
+- } else {
+- nvmeq->sq_cmds = dma_alloc_coherent(dev->dev, SQ_SIZE(depth),
+- &nvmeq->sq_dma_addr, GFP_KERNEL);
+- if (!nvmeq->sq_cmds)
+- return -ENOMEM;
+- }
++
++ /* CMB SQEs will be mapped before creation */
++ if (qid && dev->cmb && use_cmb_sqes && NVME_CMB_SQS(dev->cmbsz))
++ return 0;
++
++ nvmeq->sq_cmds = dma_alloc_coherent(dev->dev, SQ_SIZE(depth),
++ &nvmeq->sq_dma_addr, GFP_KERNEL);
++ if (!nvmeq->sq_cmds)
++ return -ENOMEM;
+
+ return 0;
+ }
+@@ -1117,6 +1115,13 @@ static int nvme_create_queue(struct nvme
+ struct nvme_dev *dev = nvmeq->dev;
+ int result;
+
++ if (qid && dev->cmb && use_cmb_sqes && NVME_CMB_SQS(dev->cmbsz)) {
++ unsigned offset = (qid - 1) * roundup(SQ_SIZE(nvmeq->q_depth),
++ dev->ctrl.page_size);
++ nvmeq->sq_dma_addr = dev->cmb_bus_addr + offset;
++ nvmeq->sq_cmds_io = dev->cmb + offset;
++ }
++
+ nvmeq->cq_vector = qid - 1;
+ result = adapter_alloc_cq(dev, qid, nvmeq);
+ if (result < 0)
--- /dev/null
+From fc14eebfc20854a38fd9f1d93a42b1783dad4d17 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Sat, 26 May 2018 09:59:36 +0900
+Subject: PM / hibernate: Fix oops at snapshot_write()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit fc14eebfc20854a38fd9f1d93a42b1783dad4d17 upstream.
+
+syzbot is reporting NULL pointer dereference at snapshot_write() [1].
+This is because data->handle is zero-cleared by ioctl(SNAPSHOT_FREE).
+Fix this by checking data_of(data->handle) != NULL before using it.
+
+[1] https://syzkaller.appspot.com/bug?id=828a3c71bd344a6de8b6a31233d51a72099f27fd
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+ae590932da6e45d6564d@syzkaller.appspotmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/power/user.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/kernel/power/user.c
++++ b/kernel/power/user.c
+@@ -186,6 +186,11 @@ static ssize_t snapshot_write(struct fil
+ res = PAGE_SIZE - pg_offp;
+ }
+
++ if (!data_of(data->handle)) {
++ res = -EINVAL;
++ goto unlock;
++ }
++
+ res = simple_write_to_buffer(data_of(data->handle), res, &pg_offp,
+ buf, count);
+ if (res > 0)
--- /dev/null
+From 7a8690ed6f5346f6738971892205e91d39b6b901 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Wed, 23 May 2018 08:22:11 +0300
+Subject: RDMA/ucm: Mark UCM interface as BROKEN
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit 7a8690ed6f5346f6738971892205e91d39b6b901 upstream.
+
+In commit 357d23c811a7 ("Remove the obsolete libibcm library")
+in rdma-core [1], we removed obsolete library which used the
+/dev/infiniband/ucmX interface.
+
+Following multiple syzkaller reports about non-sanitized
+user input in the UCMA module, the short audit reveals the same
+issues in UCM module too.
+
+It is better to disable this interface in the kernel,
+before syzkaller team invests time and energy to harden
+this unused interface.
+
+[1] https://github.com/linux-rdma/rdma-core/pull/279
+
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/Kconfig | 12 ++++++++++++
+ drivers/infiniband/core/Makefile | 4 ++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/Kconfig
++++ b/drivers/infiniband/Kconfig
+@@ -34,6 +34,18 @@ config INFINIBAND_USER_ACCESS
+ libibverbs, libibcm and a hardware driver library from
+ <http://www.openfabrics.org/git/>.
+
++config INFINIBAND_USER_ACCESS_UCM
++ bool "Userspace CM (UCM, DEPRECATED)"
++ depends on BROKEN
++ depends on INFINIBAND_USER_ACCESS
++ help
++ The UCM module has known security flaws, which no one is
++ interested to fix. The user-space part of this code was
++ dropped from the upstream a long time ago.
++
++ This option is DEPRECATED and planned to be removed.
++
++
+ config INFINIBAND_USER_MEM
+ bool
+ depends on INFINIBAND_USER_ACCESS != n
+--- a/drivers/infiniband/core/Makefile
++++ b/drivers/infiniband/core/Makefile
+@@ -4,8 +4,8 @@ user_access-$(CONFIG_INFINIBAND_ADDR_TRA
+ obj-$(CONFIG_INFINIBAND) += ib_core.o ib_cm.o iw_cm.o \
+ $(infiniband-y)
+ obj-$(CONFIG_INFINIBAND_USER_MAD) += ib_umad.o
+-obj-$(CONFIG_INFINIBAND_USER_ACCESS) += ib_uverbs.o ib_ucm.o \
+- $(user_access-y)
++obj-$(CONFIG_INFINIBAND_USER_ACCESS) += ib_uverbs.o $(user_access-y)
++obj-$(CONFIG_INFINIBAND_USER_ACCESS_UCM) += ib_ucm.o $(user_access-y)
+
+ ib_core-y := packer.o ud_header.o verbs.o cq.o rw.o sysfs.o \
+ device.o fmr_pool.o cache.o netlink.o \
tools-build-fix-escaping-in-.cmd-files-for-future-make.patch
i2c-tegra-fix-nack-error-handling.patch
iw_cxgb4-correctly-enforce-the-max-reg_mr-depth.patch
+nvme-pci-remap-cmb-sq-entries-on-every-controller-reset.patch
+uprobes-x86-remove-incorrect-warn_on-in-uprobe_init_insn.patch
+netfilter-nf_queue-augment-nfqa_cfg_policy.patch
+netfilter-x_tables-initialise-match-target-check-parameter-struct.patch
+loop-add-recursion-validation-to-loop_change_fd.patch
+pm-hibernate-fix-oops-at-snapshot_write.patch
+rdma-ucm-mark-ucm-interface-as-broken.patch
+loop-remember-whether-sysfs_create_group-was-done.patch
+kvm-vmx-nested-vm-entry-prereqs-for-event-inj.patch
+f2fs-sanity-check-on-sit-entry.patch
--- /dev/null
+From 90718e32e1dcc2479acfa208ccfc6442850b594c Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Fri, 18 May 2018 18:27:39 +0200
+Subject: uprobes/x86: Remove incorrect WARN_ON() in uprobe_init_insn()
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit 90718e32e1dcc2479acfa208ccfc6442850b594c upstream.
+
+insn_get_length() has the side-effect of processing the entire instruction
+but only if it was decoded successfully, otherwise insn_complete() can fail
+and in this case we need to just return an error without warning.
+
+Reported-by: syzbot+30d675e3ca03c1c351e7@syzkaller.appspotmail.com
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: syzkaller-bugs@googlegroups.com
+Link: https://lkml.kernel.org/lkml/20180518162739.GA5559@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/uprobes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/uprobes.c
++++ b/arch/x86/kernel/uprobes.c
+@@ -290,7 +290,7 @@ static int uprobe_init_insn(struct arch_
+ insn_init(insn, auprobe->insn, sizeof(auprobe->insn), x86_64);
+ /* has the side-effect of processing the entire instruction */
+ insn_get_length(insn);
+- if (WARN_ON_ONCE(!insn_complete(insn)))
++ if (!insn_complete(insn))
+ return -ENOEXEC;
+
+ if (is_prefix_bad(insn))
projects / thirdparty / kernel / stable-queue.git / commitdiff
