--- /dev/null
+From 362bca57f5d78220f8b5907b875961af9436e229 Mon Sep 17 00:00:00 2001
+From: Robb Glasser <rglasser@google.com>
+Date: Tue, 5 Dec 2017 09:16:55 -0800
+Subject: ALSA: pcm: prevent UAF in snd_pcm_info
+
+From: Robb Glasser <rglasser@google.com>
+
+commit 362bca57f5d78220f8b5907b875961af9436e229 upstream.
+
+When the device descriptor is closed, the `substream->runtime` pointer
+is freed. But another thread may be in the ioctl handler, case
+SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
+calls snd_pcm_info() which accesses the now freed `substream->runtime`.
+
+Note: this fixes CVE-2017-0861
+
+Signed-off-by: Robb Glasser <rglasser@google.com>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -150,7 +150,9 @@ static int snd_pcm_control_ioctl(struct
+ err = -ENXIO;
+ goto _error;
+ }
++ mutex_lock(&pcm->open_mutex);
+ err = snd_pcm_info_user(substream, info);
++ mutex_unlock(&pcm->open_mutex);
+ _error:
+ mutex_unlock(®ister_mutex);
+ return err;
--- /dev/null
+From 43a3542870328601be02fcc9d27b09db467336ef Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 30 Nov 2017 10:08:28 +0100
+Subject: ALSA: seq: Remove spurious WARN_ON() at timer check
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 43a3542870328601be02fcc9d27b09db467336ef upstream.
+
+The use of snd_BUG_ON() in ALSA sequencer timer may lead to a spurious
+WARN_ON() when a slave timer is deployed as its backend and a
+corresponding master timer stops meanwhile. The symptom was triggered
+by syzkaller spontaneously.
+
+Since the NULL timer is valid there, rip off snd_BUG_ON().
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_timer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/seq/seq_timer.c
++++ b/sound/core/seq/seq_timer.c
+@@ -355,7 +355,7 @@ static int initialize_timer(struct snd_s
+ unsigned long freq;
+
+ t = tmr->timeri->timer;
+- if (snd_BUG_ON(!t))
++ if (!t)
+ return -EINVAL;
+
+ freq = tmr->preferred_resolution;
--- /dev/null
+From 89b89d121ffcf8d9546633b98ded9d18b8f75891 Mon Sep 17 00:00:00 2001
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+Date: Mon, 4 Dec 2017 15:31:49 +0900
+Subject: ALSA: usb-audio: Add check return value for usb_string()
+
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+
+commit 89b89d121ffcf8d9546633b98ded9d18b8f75891 upstream.
+
+snd_usb_copy_string_desc() returns zero if usb_string() fails.
+In case of failure, we need to check the snd_usb_copy_string_desc()'s
+return value and add an exception case
+
+Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2099,13 +2099,14 @@ static int parse_audio_selector_unit(str
+ if (len)
+ ;
+ else if (nameid)
+- snd_usb_copy_string_desc(state, nameid, kctl->id.name,
++ len = snd_usb_copy_string_desc(state, nameid, kctl->id.name,
+ sizeof(kctl->id.name));
+- else {
++ else
+ len = get_term_name(state, &state->oterm,
+ kctl->id.name, sizeof(kctl->id.name), 0);
+- if (!len)
+- strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
++
++ if (!len) {
++ strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
+
+ if (desc->bDescriptorSubtype == UAC2_CLOCK_SELECTOR)
+ append_ctl_name(kctl, " Clock Source");
--- /dev/null
+From 251552a2b0d454badc8f486e6d79100970c744b0 Mon Sep 17 00:00:00 2001
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+Date: Mon, 4 Dec 2017 15:31:48 +0900
+Subject: ALSA: usb-audio: Fix out-of-bound error
+
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+
+commit 251552a2b0d454badc8f486e6d79100970c744b0 upstream.
+
+The snd_usb_copy_string_desc() retrieves the usb string corresponding to
+the index number through the usb_string(). The problem is that the
+usb_string() returns the length of the string (>= 0) when successful, but
+it can also return a negative value about the error case or status of
+usb_control_msg().
+
+If iClockSource is '0' as shown below, usb_string() will returns -EINVAL.
+This will result in '0' being inserted into buf[-22], and the following
+KASAN out-of-bound error message will be output.
+
+AudioControl Interface Descriptor:
+ bLength 8
+ bDescriptorType 36
+ bDescriptorSubtype 10 (CLOCK_SOURCE)
+ bClockID 1
+ bmAttributes 0x07 Internal programmable Clock (synced to SOF)
+ bmControls 0x07
+ Clock Frequency Control (read/write)
+ Clock Validity Control (read-only)
+ bAssocTerminal 0
+ iClockSource 0
+
+To fix it, check usb_string()'return value and bail out.
+
+==================================================================
+BUG: KASAN: stack-out-of-bounds in parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
+Write of size 1 at addr ffff88007e66735a by task systemd-udevd/18376
+
+CPU: 0 PID: 18376 Comm: systemd-udevd Not tainted 4.13.0+ #3
+Hardware name: LG Electronics 15N540-RFLGL/White Tip Mountain, BIOS 15N5
+Call Trace:
+dump_stack+0x63/0x8d
+print_address_description+0x70/0x290
+? parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
+kasan_report+0x265/0x350
+__asan_store1+0x4a/0x50
+parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
+? save_stack+0xb5/0xd0
+? save_stack_trace+0x1b/0x20
+? save_stack+0x46/0xd0
+? kasan_kmalloc+0xad/0xe0
+? kmem_cache_alloc_trace+0xff/0x230
+? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
+? usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
+? usb_probe_interface+0x1f5/0x440
+? driver_probe_device+0x3ed/0x660
+? build_feature_ctl+0xb10/0xb10 [snd_usb_audio]
+? save_stack_trace+0x1b/0x20
+? init_object+0x69/0xa0
+? snd_usb_find_csint_desc+0xa8/0xf0 [snd_usb_audio]
+snd_usb_mixer_controls+0x1dc/0x370 [snd_usb_audio]
+? build_audio_procunit+0x890/0x890 [snd_usb_audio]
+? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
+? kmem_cache_alloc_trace+0xff/0x230
+? usb_ifnum_to_if+0xbd/0xf0
+snd_usb_create_mixer+0x25b/0x4b0 [snd_usb_audio]
+? snd_usb_create_stream+0x255/0x2c0 [snd_usb_audio]
+usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
+? snd_usb_autosuspend.part.7+0x30/0x30 [snd_usb_audio]
+? __pm_runtime_idle+0x90/0x90
+? kernfs_activate+0xa6/0xc0
+? usb_match_one_id_intf+0xdc/0x130
+? __pm_runtime_set_status+0x2d4/0x450
+usb_probe_interface+0x1f5/0x440
+
+Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -199,6 +199,10 @@ static int snd_usb_copy_string_desc(stru
+ int index, char *buf, int maxlen)
+ {
+ int len = usb_string(state->chip->dev, index, buf, maxlen - 1);
++
++ if (len < 0)
++ return 0;
++
+ buf[len] = 0;
+ return len;
+ }
--- /dev/null
+From 071b6d4a5d343046f253a5a8835d477d93992002 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Tue, 5 Dec 2017 14:56:42 +0000
+Subject: arm64: fpsimd: Prevent registers leaking from dead tasks
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit 071b6d4a5d343046f253a5a8835d477d93992002 upstream.
+
+Currently, loading of a task's fpsimd state into the CPU registers
+is skipped if that task's state is already present in the registers
+of that CPU.
+
+However, the code relies on the struct fpsimd_state * (and by
+extension struct task_struct *) to unambiguously identify a task.
+
+There is a particular case in which this doesn't work reliably:
+when a task exits, its task_struct may be recycled to describe a
+new task.
+
+Consider the following scenario:
+
+ 1) Task P loads its fpsimd state onto cpu C.
+ per_cpu(fpsimd_last_state, C) := P;
+ P->thread.fpsimd_state.cpu := C;
+
+ 2) Task X is scheduled onto C and loads its fpsimd state on C.
+ per_cpu(fpsimd_last_state, C) := X;
+ X->thread.fpsimd_state.cpu := C;
+
+ 3) X exits, causing X's task_struct to be freed.
+
+ 4) P forks a new child T, which obtains X's recycled task_struct.
+ T == X.
+ T->thread.fpsimd_state.cpu == C (inherited from P).
+
+ 5) T is scheduled on C.
+ T's fpsimd state is not loaded, because
+ per_cpu(fpsimd_last_state, C) == T (== X) &&
+ T->thread.fpsimd_state.cpu == C.
+
+ (This is the check performed by fpsimd_thread_switch().)
+
+So, T gets X's registers because the last registers loaded onto C
+were those of X, in (2).
+
+This patch fixes the problem by ensuring that the sched-in check
+fails in (5): fpsimd_flush_task_state(T) is called when T is
+forked, so that T->thread.fpsimd_state.cpu == C cannot be true.
+This relies on the fact that T is not schedulable until after
+copy_thread() completes.
+
+Once T's fpsimd state has been loaded on some CPU C there may still
+be other cpus D for which per_cpu(fpsimd_last_state, D) ==
+&X->thread.fpsimd_state. But D is necessarily != C in this case,
+and the check in (5) must fail.
+
+An alternative fix would be to do refcounting on task_struct. This
+would result in each CPU holding a reference to the last task whose
+fpsimd state was loaded there. It's not clear whether this is
+preferable, and it involves higher overhead than the fix proposed
+in this patch. It would also move all the task_struct freeing
+work into the context switch critical section, or otherwise some
+deferred cleanup mechanism would need to be introduced, neither of
+which seems obviously justified.
+
+Fixes: 005f78cd8849 ("arm64: defer reloading a task's FPSIMD state to userland resume")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+[will: word-smithed the comment so it makes more sense]
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/process.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/arm64/kernel/process.c
++++ b/arch/arm64/kernel/process.c
+@@ -250,6 +250,15 @@ int copy_thread(unsigned long clone_flag
+
+ memset(&p->thread.cpu_context, 0, sizeof(struct cpu_context));
+
++ /*
++ * In case p was allocated the same task_struct pointer as some
++ * other recently-exited task, make sure p is disassociated from
++ * any cpu that may have run that now-exited task recently.
++ * Otherwise we could erroneously skip reloading the FPSIMD
++ * registers for p.
++ */
++ fpsimd_flush_task_state(p);
++
+ if (likely(!(p->flags & PF_KTHREAD))) {
+ *childregs = *current_pt_regs();
+ childregs->regs[0] = 0;
--- /dev/null
+From 26aa7b3b1c0fb3f1a6176a0c1847204ef4355693 Mon Sep 17 00:00:00 2001
+From: Kristina Martsenko <kristina.martsenko@arm.com>
+Date: Thu, 16 Nov 2017 17:58:20 +0000
+Subject: arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
+
+From: Kristina Martsenko <kristina.martsenko@arm.com>
+
+commit 26aa7b3b1c0fb3f1a6176a0c1847204ef4355693 upstream.
+
+VTTBR_BADDR_MASK is used to sanity check the size and alignment of the
+VTTBR address. It seems to currently be off by one, thereby only
+allowing up to 47-bit addresses (instead of 48-bit) and also
+insufficiently checking the alignment. This patch fixes it.
+
+As an example, with 4k pages, before this patch we have:
+
+ PHYS_MASK_SHIFT = 48
+ VTTBR_X = 37 - 24 = 13
+ VTTBR_BADDR_SHIFT = 13 - 1 = 12
+ VTTBR_BADDR_MASK = ((1 << 35) - 1) << 12 = 0x00007ffffffff000
+
+Which is wrong, because the mask doesn't allow bit 47 of the VTTBR
+address to be set, and only requires the address to be 12-bit (4k)
+aligned, while it actually needs to be 13-bit (8k) aligned because we
+concatenate two 4k tables.
+
+With this patch, the mask becomes 0x0000ffffffffe000, which is what we
+want.
+
+Fixes: 0369f6a34b9f ("arm64: KVM: EL2 register definitions")
+Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/kvm_arm.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_arm.h
++++ b/arch/arm64/include/asm/kvm_arm.h
+@@ -160,8 +160,7 @@
+ #define VTTBR_X (37 - VTCR_EL2_T0SZ_40B)
+ #endif
+
+-#define VTTBR_BADDR_SHIFT (VTTBR_X - 1)
+-#define VTTBR_BADDR_MASK (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT)
++#define VTTBR_BADDR_MASK (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_X)
+ #define VTTBR_VMID_SHIFT (UL(48))
+ #define VTTBR_VMID_MASK (UL(0xFF) << VTTBR_VMID_SHIFT)
+
--- /dev/null
+From 81a7be2cd69b412ab6aeacfe5ebf1bb6e5bce955 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 8 Dec 2017 15:13:27 +0000
+Subject: ASN.1: check for error from ASN1_OP_END__ACT actions
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 81a7be2cd69b412ab6aeacfe5ebf1bb6e5bce955 upstream.
+
+asn1_ber_decoder() was ignoring errors from actions associated with the
+opcodes ASN1_OP_END_SEQ_ACT, ASN1_OP_END_SET_ACT,
+ASN1_OP_END_SEQ_OF_ACT, and ASN1_OP_END_SET_OF_ACT. In practice, this
+meant the pkcs7_note_signed_info() action (since that was the only user
+of those opcodes). Fix it by checking for the error, just like the
+decoder does for actions associated with the other opcodes.
+
+This bug allowed users to leak slab memory by repeatedly trying to add a
+specially crafted "pkcs7_test" key (requires CONFIG_PKCS7_TEST_KEY).
+
+In theory, this bug could also be used to bypass module signature
+verification, by providing a PKCS#7 message that is misparsed such that
+a signature's ->authattrs do not contain its ->msgdigest. But it
+doesn't seem practical in normal cases, due to restrictions on the
+format of the ->authattrs.
+
+Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/asn1_decoder.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/lib/asn1_decoder.c
++++ b/lib/asn1_decoder.c
+@@ -422,6 +422,8 @@ next_op:
+ else
+ act = machine[pc + 1];
+ ret = actions[act](context, hdr, 0, data + tdp, len);
++ if (ret < 0)
++ return ret;
+ }
+ pc += asn1_op_lengths[op];
+ goto next_op;
--- /dev/null
+From af97a77bc01ce49a466f9d4c0125479e2e2230b6 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 6 Dec 2017 09:50:08 +0000
+Subject: efi: Move some sysfs files to be read-only by root
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit af97a77bc01ce49a466f9d4c0125479e2e2230b6 upstream.
+
+Thanks to the scripts/leaking_addresses.pl script, it was found that
+some EFI values should not be readable by non-root users.
+
+So make them root-only, and to do that, add a __ATTR_RO_MODE() macro to
+make this easier, and use it in other places at the same time.
+
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Tested-by: Dave Young <dyoung@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20171206095010.24170-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/efi/efi.c | 3 +--
+ drivers/firmware/efi/runtime-map.c | 10 +++++-----
+ include/linux/sysfs.h | 6 ++++++
+ 3 files changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -96,8 +96,7 @@ static ssize_t systab_show(struct kobjec
+ return str - buf;
+ }
+
+-static struct kobj_attribute efi_attr_systab =
+- __ATTR(systab, 0400, systab_show, NULL);
++static struct kobj_attribute efi_attr_systab = __ATTR_RO_MODE(systab, 0400);
+
+ #define EFI_FIELD(var) efi.var
+
+--- a/drivers/firmware/efi/runtime-map.c
++++ b/drivers/firmware/efi/runtime-map.c
+@@ -67,11 +67,11 @@ static ssize_t map_attr_show(struct kobj
+ return map_attr->show(entry, buf);
+ }
+
+-static struct map_attribute map_type_attr = __ATTR_RO(type);
+-static struct map_attribute map_phys_addr_attr = __ATTR_RO(phys_addr);
+-static struct map_attribute map_virt_addr_attr = __ATTR_RO(virt_addr);
+-static struct map_attribute map_num_pages_attr = __ATTR_RO(num_pages);
+-static struct map_attribute map_attribute_attr = __ATTR_RO(attribute);
++static struct map_attribute map_type_attr = __ATTR_RO_MODE(type, 0400);
++static struct map_attribute map_phys_addr_attr = __ATTR_RO_MODE(phys_addr, 0400);
++static struct map_attribute map_virt_addr_attr = __ATTR_RO_MODE(virt_addr, 0400);
++static struct map_attribute map_num_pages_attr = __ATTR_RO_MODE(num_pages, 0400);
++static struct map_attribute map_attribute_attr = __ATTR_RO_MODE(attribute, 0400);
+
+ /*
+ * These are default attributes that are added for every memmap entry.
+--- a/include/linux/sysfs.h
++++ b/include/linux/sysfs.h
+@@ -82,6 +82,12 @@ struct attribute_group {
+ .show = _name##_show, \
+ }
+
++#define __ATTR_RO_MODE(_name, _mode) { \
++ .attr = { .name = __stringify(_name), \
++ .mode = VERIFY_OCTAL_PERMISSIONS(_mode) }, \
++ .show = _name##_show, \
++}
++
+ #define __ATTR_WO(_name) { \
+ .attr = { .name = __stringify(_name), .mode = S_IWUSR }, \
+ .store = _name##_store, \
--- /dev/null
+From 297d6b6e56c2977fc504c61bbeeaa21296923f89 Mon Sep 17 00:00:00 2001
+From: Paul Meyer <Paul.Meyer@microsoft.com>
+Date: Tue, 14 Nov 2017 13:06:47 -0700
+Subject: hv: kvp: Avoid reading past allocated blocks from KVP file
+
+From: Paul Meyer <Paul.Meyer@microsoft.com>
+
+commit 297d6b6e56c2977fc504c61bbeeaa21296923f89 upstream.
+
+While reading in more than one block (50) of KVP records, the allocation
+goes per block, but the reads used the total number of allocated records
+(without resetting the pointer/stream). This causes the records buffer to
+overrun when the refresh reads more than one block over the previous
+capacity (e.g. reading more than 100 KVP records whereas the in-memory
+database was empty before).
+
+Fix this by reading the correct number of KVP records from file each time.
+
+Signed-off-by: Paul Meyer <Paul.Meyer@microsoft.com>
+Signed-off-by: Long Li <longli@microsoft.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/hv/hv_kvp_daemon.c | 70 +++++++++--------------------------------------
+ 1 file changed, 14 insertions(+), 56 deletions(-)
+
+--- a/tools/hv/hv_kvp_daemon.c
++++ b/tools/hv/hv_kvp_daemon.c
+@@ -196,11 +196,14 @@ static void kvp_update_mem_state(int poo
+ for (;;) {
+ readp = &record[records_read];
+ records_read += fread(readp, sizeof(struct kvp_record),
+- ENTRIES_PER_BLOCK * num_blocks,
+- filep);
++ ENTRIES_PER_BLOCK * num_blocks - records_read,
++ filep);
+
+ if (ferror(filep)) {
+- syslog(LOG_ERR, "Failed to read file, pool: %d", pool);
++ syslog(LOG_ERR,
++ "Failed to read file, pool: %d; error: %d %s",
++ pool, errno, strerror(errno));
++ kvp_release_lock(pool);
+ exit(EXIT_FAILURE);
+ }
+
+@@ -213,6 +216,7 @@ static void kvp_update_mem_state(int poo
+
+ if (record == NULL) {
+ syslog(LOG_ERR, "malloc failed");
++ kvp_release_lock(pool);
+ exit(EXIT_FAILURE);
+ }
+ continue;
+@@ -227,15 +231,11 @@ static void kvp_update_mem_state(int poo
+ fclose(filep);
+ kvp_release_lock(pool);
+ }
++
+ static int kvp_file_init(void)
+ {
+ int fd;
+- FILE *filep;
+- size_t records_read;
+ char *fname;
+- struct kvp_record *record;
+- struct kvp_record *readp;
+- int num_blocks;
+ int i;
+ int alloc_unit = sizeof(struct kvp_record) * ENTRIES_PER_BLOCK;
+
+@@ -249,61 +249,19 @@ static int kvp_file_init(void)
+
+ for (i = 0; i < KVP_POOL_COUNT; i++) {
+ fname = kvp_file_info[i].fname;
+- records_read = 0;
+- num_blocks = 1;
+ sprintf(fname, "%s/.kvp_pool_%d", KVP_CONFIG_LOC, i);
+ fd = open(fname, O_RDWR | O_CREAT | O_CLOEXEC, 0644 /* rw-r--r-- */);
+
+ if (fd == -1)
+ return 1;
+
+-
+- filep = fopen(fname, "re");
+- if (!filep) {
+- close(fd);
+- return 1;
+- }
+-
+- record = malloc(alloc_unit * num_blocks);
+- if (record == NULL) {
+- fclose(filep);
+- close(fd);
+- return 1;
+- }
+- for (;;) {
+- readp = &record[records_read];
+- records_read += fread(readp, sizeof(struct kvp_record),
+- ENTRIES_PER_BLOCK,
+- filep);
+-
+- if (ferror(filep)) {
+- syslog(LOG_ERR, "Failed to read file, pool: %d",
+- i);
+- exit(EXIT_FAILURE);
+- }
+-
+- if (!feof(filep)) {
+- /*
+- * We have more data to read.
+- */
+- num_blocks++;
+- record = realloc(record, alloc_unit *
+- num_blocks);
+- if (record == NULL) {
+- fclose(filep);
+- close(fd);
+- return 1;
+- }
+- continue;
+- }
+- break;
+- }
+ kvp_file_info[i].fd = fd;
+- kvp_file_info[i].num_blocks = num_blocks;
+- kvp_file_info[i].records = record;
+- kvp_file_info[i].num_records = records_read;
+- fclose(filep);
+-
++ kvp_file_info[i].num_blocks = 1;
++ kvp_file_info[i].records = malloc(alloc_unit);
++ if (kvp_file_info[i].records == NULL)
++ return 1;
++ kvp_file_info[i].num_records = 0;
++ kvp_update_mem_state(i);
+ }
+
+ return 0;
--- /dev/null
+From 29a90b70893817e2f2bb3cea40a29f5308e21b21 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Thu, 28 Sep 2017 15:14:01 +0100
+Subject: iommu/vt-d: Fix scatterlist offset handling
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 29a90b70893817e2f2bb3cea40a29f5308e21b21 upstream.
+
+The intel-iommu DMA ops fail to correctly handle scatterlists where
+sg->offset is greater than PAGE_SIZE - the IOVA allocation is computed
+appropriately based on the page-aligned portion of the offset, but the
+mapping is set up relative to sg->page, which means it fails to actually
+cover the whole buffer (and in the worst case doesn't cover it at all):
+
+ (sg->dma_address + sg->dma_len) ----+
+ sg->dma_address ---------+ |
+ iov_pfn------+ | |
+ | | |
+ v v v
+iova: a b c d e f
+ |--------|--------|--------|--------|--------|
+ <...calculated....>
+ [_____mapped______]
+pfn: 0 1 2 3 4 5
+ |--------|--------|--------|--------|--------|
+ ^ ^ ^
+ | | |
+ sg->page ----+ | |
+ sg->offset --------------+ |
+ (sg->offset + sg->length) ----------+
+
+As a result, the caller ends up overrunning the mapping into whatever
+lies beyond, which usually goes badly:
+
+[ 429.645492] DMAR: DRHD: handling fault status reg 2
+[ 429.650847] DMAR: [DMA Write] Request device [02:00.4] fault addr f2682000 ...
+
+Whilst this is a fairly rare occurrence, it can happen from the result
+of intermediate scatterlist processing such as scatterwalk_ffwd() in the
+crypto layer. Whilst that particular site could be fixed up, it still
+seems worthwhile to bring intel-iommu in line with other DMA API
+implementations in handling this robustly.
+
+To that end, fix the intel_map_sg() path to line up the mapping
+correctly (in units of MM pages rather than VT-d pages to match the
+aligned_nrpages() calculation) regardless of the offset, and use
+sg_phys() consistently for clarity.
+
+Reported-by: Harsh Jain <Harsh@chelsio.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Reviewed by: Ashok Raj <ashok.raj@intel.com>
+Tested by: Jacob Pan <jacob.jun.pan@intel.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/intel-iommu.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -2016,10 +2016,12 @@ static int __domain_mapping(struct dmar_
+ uint64_t tmp;
+
+ if (!sg_res) {
++ unsigned int pgoff = sg->offset & ~PAGE_MASK;
++
+ sg_res = aligned_nrpages(sg->offset, sg->length);
+- sg->dma_address = ((dma_addr_t)iov_pfn << VTD_PAGE_SHIFT) + sg->offset;
++ sg->dma_address = ((dma_addr_t)iov_pfn << VTD_PAGE_SHIFT) + pgoff;
+ sg->dma_length = sg->length;
+- pteval = page_to_phys(sg_page(sg)) | prot;
++ pteval = (sg_phys(sg) - pgoff) | prot;
+ phys_pfn = pteval >> VTD_PAGE_SHIFT;
+ }
+
+@@ -3326,7 +3328,7 @@ static int intel_nontranslate_map_sg(str
+
+ for_each_sg(sglist, sg, nelems, i) {
+ BUG_ON(!sg_page(sg));
+- sg->dma_address = page_to_phys(sg_page(sg)) + sg->offset;
++ sg->dma_address = sg_phys(sg);
+ sg->dma_length = sg->length;
+ }
+ return nelems;
--- /dev/null
+From 5a244727f428a06634f22bb890e78024ab0c89f3 Mon Sep 17 00:00:00 2001
+From: William Breathitt Gray <vilhelm.gray@gmail.com>
+Date: Wed, 8 Nov 2017 10:23:11 -0500
+Subject: isa: Prevent NULL dereference in isa_bus driver callbacks
+
+From: William Breathitt Gray <vilhelm.gray@gmail.com>
+
+commit 5a244727f428a06634f22bb890e78024ab0c89f3 upstream.
+
+The isa_driver structure for an isa_bus device is stored in the device
+platform_data member of the respective device structure. This
+platform_data member may be reset to NULL if isa_driver match callback
+for the device fails, indicating a device unsupported by the ISA driver.
+
+This patch fixes a possible NULL pointer dereference if one of the
+isa_driver callbacks to attempted for an unsupported device. This error
+should not occur in practice since ISA devices are typically manually
+configured and loaded by the users, but we may as well prevent this
+error from popping up for the 0day testers.
+
+Fixes: a5117ba7da37 ("[PATCH] Driver model: add ISA bus")
+Signed-off-by: William Breathitt Gray <vilhelm.gray@gmail.com>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/isa.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/base/isa.c
++++ b/drivers/base/isa.c
+@@ -39,7 +39,7 @@ static int isa_bus_probe(struct device *
+ {
+ struct isa_driver *isa_driver = dev->platform_data;
+
+- if (isa_driver->probe)
++ if (isa_driver && isa_driver->probe)
+ return isa_driver->probe(dev, to_isa_dev(dev)->id);
+
+ return 0;
+@@ -49,7 +49,7 @@ static int isa_bus_remove(struct device
+ {
+ struct isa_driver *isa_driver = dev->platform_data;
+
+- if (isa_driver->remove)
++ if (isa_driver && isa_driver->remove)
+ return isa_driver->remove(dev, to_isa_dev(dev)->id);
+
+ return 0;
+@@ -59,7 +59,7 @@ static void isa_bus_shutdown(struct devi
+ {
+ struct isa_driver *isa_driver = dev->platform_data;
+
+- if (isa_driver->shutdown)
++ if (isa_driver && isa_driver->shutdown)
+ isa_driver->shutdown(dev, to_isa_dev(dev)->id);
+ }
+
+@@ -67,7 +67,7 @@ static int isa_bus_suspend(struct device
+ {
+ struct isa_driver *isa_driver = dev->platform_data;
+
+- if (isa_driver->suspend)
++ if (isa_driver && isa_driver->suspend)
+ return isa_driver->suspend(dev, to_isa_dev(dev)->id, state);
+
+ return 0;
+@@ -77,7 +77,7 @@ static int isa_bus_resume(struct device
+ {
+ struct isa_driver *isa_driver = dev->platform_data;
+
+- if (isa_driver->resume)
++ if (isa_driver && isa_driver->resume)
+ return isa_driver->resume(dev, to_isa_dev(dev)->id);
+
+ return 0;
--- /dev/null
+From c07d35338081d107e57cf37572d8cc931a8e32e2 Mon Sep 17 00:00:00 2001
+From: Daniel Thompson <daniel.thompson@linaro.org>
+Date: Mon, 2 Mar 2015 14:13:36 +0000
+Subject: kdb: Fix handling of kallsyms_symbol_next() return value
+
+From: Daniel Thompson <daniel.thompson@linaro.org>
+
+commit c07d35338081d107e57cf37572d8cc931a8e32e2 upstream.
+
+kallsyms_symbol_next() returns a boolean (true on success). Currently
+kdb_read() tests the return value with an inequality that
+unconditionally evaluates to true.
+
+This is fixed in the obvious way and, since the conditional branch is
+supposed to be unreachable, we also add a WARN_ON().
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/debug/kdb/kdb_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/debug/kdb/kdb_io.c
++++ b/kernel/debug/kdb/kdb_io.c
+@@ -349,7 +349,7 @@ poll_again:
+ }
+ kdb_printf("\n");
+ for (i = 0; i < count; i++) {
+- if (kallsyms_symbol_next(p_tmp, i) < 0)
++ if (WARN_ON(!kallsyms_symbol_next(p_tmp, i)))
+ break;
+ kdb_printf("%s ", p_tmp);
+ *(p_tmp + len) = '\0';
--- /dev/null
+From 4dca6ea1d9432052afb06baf2e3ae78188a4410b Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 8 Dec 2017 15:13:27 +0000
+Subject: KEYS: add missing permission check for request_key() destination
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 4dca6ea1d9432052afb06baf2e3ae78188a4410b upstream.
+
+When the request_key() syscall is not passed a destination keyring, it
+links the requested key (if constructed) into the "default" request-key
+keyring. This should require Write permission to the keyring. However,
+there is actually no permission check.
+
+This can be abused to add keys to any keyring to which only Search
+permission is granted. This is because Search permission allows joining
+the keyring. keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_SESSION_KEYRING)
+then will set the default request-key keyring to the session keyring.
+Then, request_key() can be used to add keys to the keyring.
+
+Both negatively and positively instantiated keys can be added using this
+method. Adding negative keys is trivial. Adding a positive key is a
+bit trickier. It requires that either /sbin/request-key positively
+instantiates the key, or that another thread adds the key to the process
+keyring at just the right time, such that request_key() misses it
+initially but then finds it in construct_alloc_key().
+
+Fix this bug by checking for Write permission to the keyring in
+construct_get_dest_keyring() when the default keyring is being used.
+
+We don't do the permission check for non-default keyrings because that
+was already done by the earlier call to lookup_user_key(). Also,
+request_key_and_link() is currently passed a 'struct key *' rather than
+a key_ref_t, so the "possessed" bit is unavailable.
+
+We also don't do the permission check for the "requestor keyring", to
+continue to support the use case described by commit 8bbf4976b59f
+("KEYS: Alter use of key instantiation link-to-keyring argument") where
+/sbin/request-key recursively calls request_key() to add keys to the
+original requestor's destination keyring. (I don't know of any users
+who actually do that, though...)
+
+Fixes: 3e30148c3d52 ("[PATCH] Keys: Make request-key create an authorisation key")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/request_key.c | 46 +++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 37 insertions(+), 9 deletions(-)
+
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -250,11 +250,12 @@ static int construct_key(struct key *key
+ * The keyring selected is returned with an extra reference upon it which the
+ * caller must release.
+ */
+-static void construct_get_dest_keyring(struct key **_dest_keyring)
++static int construct_get_dest_keyring(struct key **_dest_keyring)
+ {
+ struct request_key_auth *rka;
+ const struct cred *cred = current_cred();
+ struct key *dest_keyring = *_dest_keyring, *authkey;
++ int ret;
+
+ kenter("%p", dest_keyring);
+
+@@ -263,6 +264,8 @@ static void construct_get_dest_keyring(s
+ /* the caller supplied one */
+ key_get(dest_keyring);
+ } else {
++ bool do_perm_check = true;
++
+ /* use a default keyring; falling through the cases until we
+ * find one that we actually have */
+ switch (cred->jit_keyring) {
+@@ -277,8 +280,10 @@ static void construct_get_dest_keyring(s
+ dest_keyring =
+ key_get(rka->dest_keyring);
+ up_read(&authkey->sem);
+- if (dest_keyring)
++ if (dest_keyring) {
++ do_perm_check = false;
+ break;
++ }
+ }
+
+ case KEY_REQKEY_DEFL_THREAD_KEYRING:
+@@ -313,11 +318,29 @@ static void construct_get_dest_keyring(s
+ default:
+ BUG();
+ }
++
++ /*
++ * Require Write permission on the keyring. This is essential
++ * because the default keyring may be the session keyring, and
++ * joining a keyring only requires Search permission.
++ *
++ * However, this check is skipped for the "requestor keyring" so
++ * that /sbin/request-key can itself use request_key() to add
++ * keys to the original requestor's destination keyring.
++ */
++ if (dest_keyring && do_perm_check) {
++ ret = key_permission(make_key_ref(dest_keyring, 1),
++ KEY_NEED_WRITE);
++ if (ret) {
++ key_put(dest_keyring);
++ return ret;
++ }
++ }
+ }
+
+ *_dest_keyring = dest_keyring;
+ kleave(" [dk %d]", key_serial(dest_keyring));
+- return;
++ return 0;
+ }
+
+ /*
+@@ -439,11 +462,15 @@ static struct key *construct_key_and_lin
+
+ kenter("");
+
+- user = key_user_lookup(current_fsuid());
+- if (!user)
+- return ERR_PTR(-ENOMEM);
++ ret = construct_get_dest_keyring(&dest_keyring);
++ if (ret)
++ goto error;
+
+- construct_get_dest_keyring(&dest_keyring);
++ user = key_user_lookup(current_fsuid());
++ if (!user) {
++ ret = -ENOMEM;
++ goto error_put_dest_keyring;
++ }
+
+ ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key);
+ key_user_put(user);
+@@ -458,7 +485,7 @@ static struct key *construct_key_and_lin
+ } else if (ret == -EINPROGRESS) {
+ ret = 0;
+ } else {
+- goto couldnt_alloc_key;
++ goto error_put_dest_keyring;
+ }
+
+ key_put(dest_keyring);
+@@ -468,8 +495,9 @@ static struct key *construct_key_and_lin
+ construction_failed:
+ key_negate_and_link(key, key_negative_timeout, NULL, NULL);
+ key_put(key);
+-couldnt_alloc_key:
++error_put_dest_keyring:
+ key_put(dest_keyring);
++error:
+ kleave(" = %d", ret);
+ return ERR_PTR(ret);
+ }
--- /dev/null
+From d59d51f088014f25c2562de59b9abff4f42a7468 Mon Sep 17 00:00:00 2001
+From: Andrew Honig <ahonig@google.com>
+Date: Fri, 1 Dec 2017 10:21:09 -0800
+Subject: KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrew Honig <ahonig@google.com>
+
+commit d59d51f088014f25c2562de59b9abff4f42a7468 upstream.
+
+This fixes CVE-2017-1000407.
+
+KVM allows guests to directly access I/O port 0x80 on Intel hosts. If
+the guest floods this port with writes it generates exceptions and
+instability in the host kernel, leading to a crash. With this change
+guest writes to port 0x80 on Intel will behave the same as they
+currently behave on AMD systems.
+
+Prevent the flooding by removing the code that sets port 0x80 as a
+passthrough port. This is essentially the same as upstream patch
+99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
+for AMD chipsets and this patch is for Intel.
+
+Signed-off-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -9280,12 +9280,7 @@ static int __init vmx_init(void)
+ memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
+ memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);
+
+- /*
+- * Allow direct access to the PC debug port (it is often used for I/O
+- * delays, but the vmexits simply slow things down).
+- */
+ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
+- clear_bit(0x80, vmx_io_bitmap_a);
+
+ memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
+
--- /dev/null
+From 6d33377f2abbf9f0e561b116dd468d1c3ff36a6a Mon Sep 17 00:00:00 2001
+From: Laurent Caumont <lcaumont2@gmail.com>
+Date: Sat, 11 Nov 2017 12:44:46 -0500
+Subject: media: dvb: i2c transfers over usb cannot be done from stack
+
+From: Laurent Caumont <lcaumont2@gmail.com>
+
+commit 6d33377f2abbf9f0e561b116dd468d1c3ff36a6a upstream.
+
+Signed-off-by: Laurent Caumont <lcaumont2@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/dibusb-common.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/dibusb-common.c
++++ b/drivers/media/usb/dvb-usb/dibusb-common.c
+@@ -179,8 +179,20 @@ EXPORT_SYMBOL(dibusb_i2c_algo);
+
+ int dibusb_read_eeprom_byte(struct dvb_usb_device *d, u8 offs, u8 *val)
+ {
+- u8 wbuf[1] = { offs };
+- return dibusb_i2c_msg(d, 0x50, wbuf, 1, val, 1);
++ u8 *buf;
++ int rc;
++
++ buf = kmalloc(2, GFP_KERNEL);
++ if (!buf)
++ return -ENOMEM;
++
++ buf[0] = offs;
++
++ rc = dibusb_i2c_msg(d, 0x50, &buf[0], 1, &buf[1], 1);
++ *val = buf[1];
++ kfree(buf);
++
++ return rc;
+ }
+ EXPORT_SYMBOL(dibusb_read_eeprom_byte);
+
--- /dev/null
+From 860dd4424f344400b491b212ee4acb3a358ba9d9 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Tue, 21 Nov 2017 14:23:37 +0100
+Subject: scsi: dma-mapping: always provide dma_get_cache_alignment
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 860dd4424f344400b491b212ee4acb3a358ba9d9 upstream.
+
+Provide the dummy version of dma_get_cache_alignment that always returns
+1 even if CONFIG_HAS_DMA is not set, so that drivers and subsystems can
+use it without ifdefs.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/dma-mapping.h | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/include/linux/dma-mapping.h
++++ b/include/linux/dma-mapping.h
+@@ -181,7 +181,6 @@ static inline void *dma_zalloc_coherent(
+ return ret;
+ }
+
+-#ifdef CONFIG_HAS_DMA
+ static inline int dma_get_cache_alignment(void)
+ {
+ #ifdef ARCH_DMA_MINALIGN
+@@ -189,7 +188,6 @@ static inline int dma_get_cache_alignmen
+ #endif
+ return 1;
+ }
+-#endif
+
+ /* flags for the coherent memory api */
+ #define DMA_MEMORY_MAP 0x01
--- /dev/null
+From 90addc6b3c9cda0146fbd62a08e234c2b224a80c Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Tue, 21 Nov 2017 14:23:38 +0100
+Subject: scsi: use dma_get_cache_alignment() as minimum DMA alignment
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit 90addc6b3c9cda0146fbd62a08e234c2b224a80c upstream.
+
+In non-coherent DMA mode, kernel uses cache flushing operations to
+maintain I/O coherency, so scsi's block queue should be aligned to the
+value returned by dma_get_cache_alignment(). Otherwise, If a DMA buffer
+and a kernel structure share a same cache line, and if the kernel
+structure has dirty data, cache_invalidate (no writeback) will cause
+data corruption.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+[hch: rebased and updated the comment and changelog]
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_lib.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -2028,11 +2028,13 @@ static void __scsi_init_queue(struct Scs
+ q->limits.cluster = 0;
+
+ /*
+- * set a reasonable default alignment on word boundaries: the
+- * host and device may alter it using
+- * blk_queue_update_dma_alignment() later.
++ * Set a reasonable default alignment: The larger of 32-byte (dword),
++ * which is a common minimum for HBAs, and the minimum DMA alignment,
++ * which is set by the platform.
++ *
++ * Devices that require a bigger alignment can increase it later.
+ */
+- blk_queue_dma_alignment(q, 0x03);
++ blk_queue_dma_alignment(q, max(4, dma_get_cache_alignment()) - 1);
+ }
+
+ struct request_queue *__scsi_alloc_queue(struct Scsi_Host *shost,
can-ems_usb-cancel-urb-on-epipe-and-eproto.patch
can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch
can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch
+virtio-release-virtio-index-when-fail-to-device_register.patch
+hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch
+isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch
+scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch
+scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch
+efi-move-some-sysfs-files-to-be-read-only-by-root.patch
+asn.1-check-for-error-from-asn1_op_end__act-actions.patch
+keys-add-missing-permission-check-for-request_key-destination.patch
+x.509-reject-invalid-bit-string-for-subjectpublickey.patch
+x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch
+alsa-pcm-prevent-uaf-in-snd_pcm_info.patch
+alsa-seq-remove-spurious-warn_on-at-timer-check.patch
+alsa-usb-audio-fix-out-of-bound-error.patch
+alsa-usb-audio-add-check-return-value-for-usb_string.patch
+iommu-vt-d-fix-scatterlist-offset-handling.patch
+kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch
+media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch
+arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch
+kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
+arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch
--- /dev/null
+From e60ea67bb60459b95a50a156296041a13e0e380e Mon Sep 17 00:00:00 2001
+From: weiping zhang <zwp10758@gmail.com>
+Date: Wed, 29 Nov 2017 09:23:01 +0800
+Subject: virtio: release virtio index when fail to device_register
+
+From: weiping zhang <zwp10758@gmail.com>
+
+commit e60ea67bb60459b95a50a156296041a13e0e380e upstream.
+
+index can be reused by other virtio device.
+
+Signed-off-by: weiping zhang <zhangweiping@didichuxing.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/virtio/virtio.c
++++ b/drivers/virtio/virtio.c
+@@ -268,6 +268,8 @@ int register_virtio_device(struct virtio
+ /* device_register() causes the bus infrastructure to look for a
+ * matching driver. */
+ err = device_register(&dev->dev);
++ if (err)
++ ida_simple_remove(&virtio_index_ida, dev->index);
+ out:
+ if (err)
+ add_status(dev, VIRTIO_CONFIG_S_FAILED);
--- /dev/null
+From 0f30cbea005bd3077bd98cd29277d7fc2699c1da Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 8 Dec 2017 15:13:27 +0000
+Subject: X.509: reject invalid BIT STRING for subjectPublicKey
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 0f30cbea005bd3077bd98cd29277d7fc2699c1da upstream.
+
+Adding a specially crafted X.509 certificate whose subjectPublicKey
+ASN.1 value is zero-length caused x509_extract_key_data() to set the
+public key size to SIZE_MAX, as it subtracted the nonexistent BIT STRING
+metadata byte. Then, x509_cert_parse() called kmemdup() with that bogus
+size, triggering the WARN_ON_ONCE() in kmalloc_slab().
+
+This appears to be harmless, but it still must be fixed since WARNs are
+never supposed to be user-triggerable.
+
+Fix it by updating x509_cert_parse() to validate that the value has a
+BIT STRING metadata byte, and that the byte is 0 which indicates that
+the number of bits in the bitstring is a multiple of 8.
+
+It would be nice to handle the metadata byte in asn1_ber_decoder()
+instead. But that would be tricky because in the general case a BIT
+STRING could be implicitly tagged, and/or could legitimately have a
+length that is not a whole number of bytes.
+
+Here was the WARN (cleaned up slightly):
+
+ WARNING: CPU: 1 PID: 202 at mm/slab_common.c:971 kmalloc_slab+0x5d/0x70 mm/slab_common.c:971
+ Modules linked in:
+ CPU: 1 PID: 202 Comm: keyctl Tainted: G B 4.14.0-09238-g1d3b78bbc6e9 #26
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
+ task: ffff880033014180 task.stack: ffff8800305c8000
+ Call Trace:
+ __do_kmalloc mm/slab.c:3706 [inline]
+ __kmalloc_track_caller+0x22/0x2e0 mm/slab.c:3726
+ kmemdup+0x17/0x40 mm/util.c:118
+ kmemdup include/linux/string.h:414 [inline]
+ x509_cert_parse+0x2cb/0x620 crypto/asymmetric_keys/x509_cert_parser.c:106
+ x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
+ asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
+ key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
+ SYSC_add_key security/keys/keyctl.c:122 [inline]
+ SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
+ entry_SYSCALL_64_fastpath+0x1f/0x96
+
+Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/asymmetric_keys/x509_cert_parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/asymmetric_keys/x509_cert_parser.c
++++ b/crypto/asymmetric_keys/x509_cert_parser.c
+@@ -381,6 +381,8 @@ int x509_extract_key_data(void *context,
+ ctx->cert->pub->pkey_algo = PKEY_ALGO_RSA;
+
+ /* Discard the BIT STRING metadata */
++ if (vlen < 1 || *(const u8 *)value != 0)
++ return -EBADMSG;
+ ctx->key = value + 1;
+ ctx->key_size = vlen - 1;
+ return 0;
--- /dev/null
+From ddec3bdee05b06f1dda20ded003c3e10e4184cab Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Fri, 1 Dec 2017 15:08:12 +0100
+Subject: x86/PCI: Make broadcom_postcore_init() check acpi_disabled
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit ddec3bdee05b06f1dda20ded003c3e10e4184cab upstream.
+
+acpi_os_get_root_pointer() may return a valid address even if acpi_disabled
+is set, but the host bridge information from the ACPI tables is not going
+to be used in that case and the Broadcom host bridge initialization should
+not be skipped then, So make broadcom_postcore_init() check acpi_disabled
+too to avoid this issue.
+
+Fixes: 6361d72b04d1 (x86/PCI: read Broadcom CNB20LE host bridge info before PCI scan)
+Reported-by: Dave Hansen <dave.hansen@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Linux PCI <linux-pci@vger.kernel.org>
+Link: https://lkml.kernel.org/r/3186627.pxZj1QbYNg@aspire.rjw.lan
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/pci/broadcom_bus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/pci/broadcom_bus.c
++++ b/arch/x86/pci/broadcom_bus.c
+@@ -97,7 +97,7 @@ static int __init broadcom_postcore_init
+ * We should get host bridge information from ACPI unless the BIOS
+ * doesn't support it.
+ */
+- if (acpi_os_get_root_pointer())
++ if (!acpi_disabled && acpi_os_get_root_pointer())
+ return 0;
+ #endif
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
