3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 28 Nov 2018 10:48:20 +0000 (11:48 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 28 Nov 2018 10:48:20 +0000 (11:48 +0100)
added patches:
alsa-oss-use-kvzalloc-for-local-buffer-allocations.patch
bfs-add-sanity-check-at-bfs_fill_super.patch
can-dev-__can_get_echo_skb-don-t-crash-the-kernel-if-can_priv-echo_skb-is-accessed-out-of-bounds.patch
can-dev-__can_get_echo_skb-print-error-message-if-trying-to-echo-non-existing-skb.patch
can-dev-__can_get_echo_skb-replace-struct-can_frame-by-canfd_frame-to-access-frame-length.patch
can-dev-can_get_echo_skb-factor-out-non-sending-code-to-__can_get_echo_skb.patch
drm-ast-change-resolution-may-cause-screen-blurred.patch
drm-ast-fixed-cursor-may-disappear-sometimes.patch
drm-ast-remove-existing-framebuffers-before-loading-driver.patch
gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch
llc-do-not-use-sk_eat_skb.patch
sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch
usb-core-fix-hub-port-connection-events-lost.patch
v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch

15 files changed:
queue-3.18/alsa-oss-use-kvzalloc-for-local-buffer-allocations.patch [new file with mode: 0644]
queue-3.18/bfs-add-sanity-check-at-bfs_fill_super.patch [new file with mode: 0644]
queue-3.18/can-dev-__can_get_echo_skb-don-t-crash-the-kernel-if-can_priv-echo_skb-is-accessed-out-of-bounds.patch [new file with mode: 0644]
queue-3.18/can-dev-__can_get_echo_skb-print-error-message-if-trying-to-echo-non-existing-skb.patch [new file with mode: 0644]
queue-3.18/can-dev-__can_get_echo_skb-replace-struct-can_frame-by-canfd_frame-to-access-frame-length.patch [new file with mode: 0644]
queue-3.18/can-dev-can_get_echo_skb-factor-out-non-sending-code-to-__can_get_echo_skb.patch [new file with mode: 0644]
queue-3.18/drm-ast-change-resolution-may-cause-screen-blurred.patch [new file with mode: 0644]
queue-3.18/drm-ast-fixed-cursor-may-disappear-sometimes.patch [new file with mode: 0644]
queue-3.18/drm-ast-remove-existing-framebuffers-before-loading-driver.patch [new file with mode: 0644]
queue-3.18/gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch [new file with mode: 0644]
queue-3.18/llc-do-not-use-sk_eat_skb.patch [new file with mode: 0644]
queue-3.18/sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch [new file with mode: 0644]
queue-3.18/series [new file with mode: 0644]
queue-3.18/usb-core-fix-hub-port-connection-events-lost.patch [new file with mode: 0644]
queue-3.18/v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch [new file with mode: 0644]

diff --git a/queue-3.18/alsa-oss-use-kvzalloc-for-local-buffer-allocations.patch b/queue-3.18/alsa-oss-use-kvzalloc-for-local-buffer-allocations.patch
new file mode 100644 (file)
index 0000000..54e3ef7
--- /dev/null
@@ -0,0 +1,73 @@
+From 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 9 Nov 2018 11:59:45 +0100
+Subject: ALSA: oss: Use kvzalloc() for local buffer allocations
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 upstream.
+
+PCM OSS layer may allocate a few temporary buffers, one for the core
+read/write and another for the conversions via plugins.  Currently
+both are allocated via vmalloc().  But as the allocation size is
+equivalent with the PCM period size, the required size might be quite
+small, depending on the application.
+
+This patch replaces these vmalloc() calls with kvzalloc() for covering
+small period sizes better.  Also, we use "z"-alloc variant here for
+addressing the possible uninitialized access reported by syzkaller.
+
+Reported-by: syzbot+1cb36954e127c98dd037@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/oss/pcm_oss.c    |    6 +++---
+ sound/core/oss/pcm_plugin.c |    6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -1073,8 +1073,8 @@ static int snd_pcm_oss_change_params_loc
+       runtime->oss.channels = params_channels(params);
+       runtime->oss.rate = params_rate(params);
+-      vfree(runtime->oss.buffer);
+-      runtime->oss.buffer = vmalloc(runtime->oss.period_bytes);
++      kvfree(runtime->oss.buffer);
++      runtime->oss.buffer = kvzalloc(runtime->oss.period_bytes, GFP_KERNEL);
+       if (!runtime->oss.buffer) {
+               err = -ENOMEM;
+               goto failure;
+@@ -2380,7 +2380,7 @@ static void snd_pcm_oss_release_substrea
+ {
+       struct snd_pcm_runtime *runtime;
+       runtime = substream->runtime;
+-      vfree(runtime->oss.buffer);
++      kvfree(runtime->oss.buffer);
+       runtime->oss.buffer = NULL;
+ #ifdef CONFIG_SND_PCM_OSS_PLUGINS
+       snd_pcm_oss_plugin_clear(substream);
+--- a/sound/core/oss/pcm_plugin.c
++++ b/sound/core/oss/pcm_plugin.c
+@@ -66,8 +66,8 @@ static int snd_pcm_plugin_alloc(struct s
+               return -ENXIO;
+       size /= 8;
+       if (plugin->buf_frames < frames) {
+-              vfree(plugin->buf);
+-              plugin->buf = vmalloc(size);
++              kvfree(plugin->buf);
++              plugin->buf = kvzalloc(size, GFP_KERNEL);
+               plugin->buf_frames = frames;
+       }
+       if (!plugin->buf) {
+@@ -191,7 +191,7 @@ int snd_pcm_plugin_free(struct snd_pcm_p
+       if (plugin->private_free)
+               plugin->private_free(plugin);
+       kfree(plugin->buf_channels);
+-      vfree(plugin->buf);
++      kvfree(plugin->buf);
+       kfree(plugin);
+       return 0;
+ }
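Review bot: `runtime->oss.buffer = kvzalloc(runtime->oss.period_bytes, GFP_KERNEL);` (and `plugin->buf = kvzalloc(size, GFP_KERNEL);` in the pcm_plugin.c part) relies on a helper that, as far as I recall, only reached mainline around 4.12, so unless queue-3.18 already carries kvzalloc() or a compat definition this backport will not build. If it is absent, `vzalloc()` keeps the zero-fill that the changelog counts on against the syzkaller-reported uninitialized read, and `kvfree()` predates kvzalloc() and should be fine as is. All four enclosing functions start outside their hunks, so this is worth a compile check of the queue rather than a judgement from the hunk alone.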
diff --git a/queue-3.18/bfs-add-sanity-check-at-bfs_fill_super.patch b/queue-3.18/bfs-add-sanity-check-at-bfs_fill_super.patch
new file mode 100644 (file)
index 0000000..046981c
--- /dev/null
@@ -0,0 +1,57 @@
+From 9f2df09a33aa2c76ce6385d382693f98d7f2f07e Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Fri, 2 Nov 2018 15:48:42 -0700
+Subject: bfs: add sanity check at bfs_fill_super()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 9f2df09a33aa2c76ce6385d382693f98d7f2f07e upstream.
+
+syzbot is reporting too large memory allocation at bfs_fill_super() [1].
+Since file system image is corrupted such that bfs_sb->s_start == 0,
+bfs_fill_super() is trying to allocate 8MB of continuous memory. Fix
+this by adding a sanity check on bfs_sb->s_start, __GFP_NOWARN and
+printf().
+
+[1] https://syzkaller.appspot.com/bug?id=16a87c236b951351374a84c8a32f40edbc034e96
+
+Link: http://lkml.kernel.org/r/1525862104-3407-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+71c6b5d68e91149fc8a4@syzkaller.appspotmail.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Tigran Aivazian <aivazian.tigran@gmail.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/bfs/inode.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/fs/bfs/inode.c
++++ b/fs/bfs/inode.c
+@@ -349,7 +349,8 @@ static int bfs_fill_super(struct super_b
+       s->s_magic = BFS_MAGIC;
+-      if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end)) {
++      if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end) ||
++          le32_to_cpu(bfs_sb->s_start) < BFS_BSIZE) {
+               printf("Superblock is corrupted\n");
+               goto out1;
+       }
+@@ -358,9 +359,11 @@ static int bfs_fill_super(struct super_b
+                                       sizeof(struct bfs_inode)
+                                       + BFS_ROOT_INO - 1;
+       imap_len = (info->si_lasti / 8) + 1;
+-      info->si_imap = kzalloc(imap_len, GFP_KERNEL);
+-      if (!info->si_imap)
++      info->si_imap = kzalloc(imap_len, GFP_KERNEL | __GFP_NOWARN);
++      if (!info->si_imap) {
++              printf("Cannot allocate %u bytes\n", imap_len);
+               goto out1;
++      }
+       for (i = 0; i < BFS_ROOT_INO; i++)
+               set_bit(i, info->si_imap);
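Review bot: The new lower bound `le32_to_cpu(bfs_sb->s_start) < BFS_BSIZE` stops the underflow behind the syzbot report, but the only upper bound on s_start remains the on-disk s_end, which is just as untrusted, so an oversized imap_len is still reachable and is now merely made quiet by `GFP_KERNEL | __GFP_NOWARN` and diverted to the failure path instead of being rejected up front. If s_end is not compared against the backing device size elsewhere in bfs_fill_super (outside this hunk), a check there would reject such images before any allocation is attempted. bfs_fill_super starts and ends outside the hunk.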
diff --git a/queue-3.18/can-dev-__can_get_echo_skb-don-t-crash-the-kernel-if-can_priv-echo_skb-is-accessed-out-of-bounds.patch b/queue-3.18/can-dev-__can_get_echo_skb-don-t-crash-the-kernel-if-can_priv-echo_skb-is-accessed-out-of-bounds.patch
new file mode 100644 (file)
index 0000000..3b661e2
--- /dev/null
@@ -0,0 +1,36 @@
+From e7a6994d043a1e31d5b17706a22ce33d2a3e4cdc Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Wed, 31 Oct 2018 14:05:26 +0100
+Subject: can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb is accessed out of bounds
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit e7a6994d043a1e31d5b17706a22ce33d2a3e4cdc upstream.
+
+If the "struct can_priv::echo_skb" is accessed out of bounds would lead
+to a kernel crash. Better print a sensible warning message instead and
+try to recover.
+
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -347,7 +347,11 @@ struct sk_buff *__can_get_echo_skb(struc
+ {
+       struct can_priv *priv = netdev_priv(dev);
+-      BUG_ON(idx >= priv->echo_skb_max);
++      if (idx >= priv->echo_skb_max) {
++              netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n",
++                         __func__, idx, priv->echo_skb_max);
++              return NULL;
++      }
+       if (priv->echo_skb[idx]) {
+               /* Using "struct canfd_frame::len" for the frame
diff --git a/queue-3.18/can-dev-__can_get_echo_skb-print-error-message-if-trying-to-echo-non-existing-skb.patch b/queue-3.18/can-dev-__can_get_echo_skb-print-error-message-if-trying-to-echo-non-existing-skb.patch
new file mode 100644 (file)
index 0000000..aca2506
--- /dev/null
@@ -0,0 +1,70 @@
+From 7da11ba5c5066dadc2e96835a6233d56d7b7764a Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Wed, 31 Oct 2018 14:15:13 +0100
+Subject: can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 7da11ba5c5066dadc2e96835a6233d56d7b7764a upstream.
+
+Prior to echoing a successfully transmitted CAN frame (by calling
+can_get_echo_skb()), CAN drivers have to put the CAN frame (by calling
+can_put_echo_skb() in the transmit function). These put and get function
+take an index as parameter, which is used to identify the CAN frame.
+
+A driver calling can_get_echo_skb() with a index not pointing to a skb
+is a BUG, so add an appropriate error message.
+
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c |   27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -346,6 +346,8 @@ EXPORT_SYMBOL_GPL(can_put_echo_skb);
+ struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr)
+ {
+       struct can_priv *priv = netdev_priv(dev);
++      struct sk_buff *skb = priv->echo_skb[idx];
++      struct canfd_frame *cf;
+       if (idx >= priv->echo_skb_max) {
+               netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n",
+@@ -353,21 +355,20 @@ struct sk_buff *__can_get_echo_skb(struc
+               return NULL;
+       }
+-      if (priv->echo_skb[idx]) {
+-              /* Using "struct canfd_frame::len" for the frame
+-               * length is supported on both CAN and CANFD frames.
+-               */
+-              struct sk_buff *skb = priv->echo_skb[idx];
+-              struct canfd_frame *cf = (struct canfd_frame *)skb->data;
+-              u8 len = cf->len;
+-
+-              *len_ptr = len;
+-              priv->echo_skb[idx] = NULL;
+-
+-              return skb;
++      if (!skb) {
++              netdev_err(dev, "%s: BUG! Trying to echo non existing skb: can_priv::echo_skb[%u]\n",
++                         __func__, idx);
++              return NULL;
+       }
+-      return NULL;
++      /* Using "struct canfd_frame::len" for the frame
++       * length is supported on both CAN and CANFD frames.
++       */
++      cf = (struct canfd_frame *)skb->data;
++      *len_ptr = cf->len;
++      priv->echo_skb[idx] = NULL;
++
++      return skb;
+ }
+ /*
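Review bot: `struct sk_buff *skb = priv->echo_skb[idx];` is now evaluated as an initializer before the `if (idx >= priv->echo_skb_max)` guard, so the out-of-bounds read that the previous patch in this queue (e7a6994d043a) converted from a BUG_ON into a logged error is reintroduced one line earlier. Keep the declaration uninitialized, `struct sk_buff *skb;`, and load it after the bounds check, `skb = priv->echo_skb[idx];`, immediately before `if (!skb) {`. The new non-existing-skb error path itself looks right; __can_get_echo_skb's opening brace is in the hunk, and the function that follows is cut off.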
diff --git a/queue-3.18/can-dev-__can_get_echo_skb-replace-struct-can_frame-by-canfd_frame-to-access-frame-length.patch b/queue-3.18/can-dev-__can_get_echo_skb-replace-struct-can_frame-by-canfd_frame-to-access-frame-length.patch
new file mode 100644 (file)
index 0000000..fb0c424
--- /dev/null
@@ -0,0 +1,43 @@
+From 200f5c49f7a2cd694436bfc6cb0662b794c96736 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Wed, 31 Oct 2018 11:08:21 +0100
+Subject: can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 200f5c49f7a2cd694436bfc6cb0662b794c96736 upstream.
+
+This patch replaces the use of "struct can_frame::can_dlc" by "struct
+canfd_frame::len" to access the frame's length. As it is ensured that
+both structures have a compatible memory layout for this member this is
+no functional change. Futher, this compatibility is documented in a
+comment.
+
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -350,11 +350,14 @@ struct sk_buff *__can_get_echo_skb(struc
+       BUG_ON(idx >= priv->echo_skb_max);
+       if (priv->echo_skb[idx]) {
++              /* Using "struct canfd_frame::len" for the frame
++               * length is supported on both CAN and CANFD frames.
++               */
+               struct sk_buff *skb = priv->echo_skb[idx];
+-              struct can_frame *cf = (struct can_frame *)skb->data;
+-              u8 dlc = cf->can_dlc;
++              struct canfd_frame *cf = (struct canfd_frame *)skb->data;
++              u8 len = cf->len;
+-              *len_ptr = dlc;
++              *len_ptr = len;
+               priv->echo_skb[idx] = NULL;
+               return skb;
diff --git a/queue-3.18/can-dev-can_get_echo_skb-factor-out-non-sending-code-to-__can_get_echo_skb.patch b/queue-3.18/can-dev-can_get_echo_skb-factor-out-non-sending-code-to-__can_get_echo_skb.patch
new file mode 100644 (file)
index 0000000..e515b73
--- /dev/null
@@ -0,0 +1,88 @@
+From a4310fa2f24687888ce80fdb0e88583561a23700 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Wed, 31 Oct 2018 10:37:46 +0100
+Subject: can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb()
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit a4310fa2f24687888ce80fdb0e88583561a23700 upstream.
+
+This patch factors out all non sending parts of can_get_echo_skb() into
+a seperate function __can_get_echo_skb(), so that it can be re-used in
+an upcoming patch.
+
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c   |   36 +++++++++++++++++++++++++-----------
+ include/linux/can/dev.h |    1 +
+ 2 files changed, 26 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -343,14 +343,7 @@ void can_put_echo_skb(struct sk_buff *sk
+ }
+ EXPORT_SYMBOL_GPL(can_put_echo_skb);
+-/*
+- * Get the skb from the stack and loop it back locally
+- *
+- * The function is typically called when the TX done interrupt
+- * is handled in the device driver. The driver must protect
+- * access to priv->echo_skb, if necessary.
+- */
+-unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx)
++struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr)
+ {
+       struct can_priv *priv = netdev_priv(dev);
+@@ -361,13 +354,34 @@ unsigned int can_get_echo_skb(struct net
+               struct can_frame *cf = (struct can_frame *)skb->data;
+               u8 dlc = cf->can_dlc;
+-              netif_rx(priv->echo_skb[idx]);
++              *len_ptr = dlc;
+               priv->echo_skb[idx] = NULL;
+-              return dlc;
++              return skb;
+       }
+-      return 0;
++      return NULL;
++}
++
++/*
++ * Get the skb from the stack and loop it back locally
++ *
++ * The function is typically called when the TX done interrupt
++ * is handled in the device driver. The driver must protect
++ * access to priv->echo_skb, if necessary.
++ */
++unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx)
++{
++      struct sk_buff *skb;
++      u8 len;
++
++      skb = __can_get_echo_skb(dev, idx, &len);
++      if (!skb)
++              return 0;
++
++      netif_rx(skb);
++
++      return len;
+ }
+ EXPORT_SYMBOL_GPL(can_get_echo_skb);
+--- a/include/linux/can/dev.h
++++ b/include/linux/can/dev.h
+@@ -148,6 +148,7 @@ void can_bus_off(struct net_device *dev)
+ void can_put_echo_skb(struct sk_buff *skb, struct net_device *dev,
+                     unsigned int idx);
++struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr);
+ unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx);
+ void can_free_echo_skb(struct net_device *dev, unsigned int idx);
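Review bot: `__can_get_echo_skb()` is added to the public header include/linux/can/dev.h with no comment describing its contract, while the existing block comment moved to `can_get_echo_skb()`. From the dev.c hunk, it returns the stored skb and clears `priv->echo_skb[idx]`, writing `*len_ptr` only in that case, and returns NULL without touching `*len_ptr` otherwise, which is exactly what a caller needs to know before reading `len`; a comment on the declaration such as `/* Remove and return the echo skb at idx, storing its length in *len_ptr; returns NULL (and leaves *len_ptr untouched) if none is stored. */` would capture it. The body of __can_get_echo_skb between the two dev.c hunks is not shown.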
diff --git a/queue-3.18/drm-ast-change-resolution-may-cause-screen-blurred.patch b/queue-3.18/drm-ast-change-resolution-may-cause-screen-blurred.patch
new file mode 100644 (file)
index 0000000..d8ccfab
--- /dev/null
@@ -0,0 +1,36 @@
+From 1a37bd823891568f8721989aed0615835632d81a Mon Sep 17 00:00:00 2001
+From: "Y.C. Chen" <yc_chen@aspeedtech.com>
+Date: Wed, 3 Oct 2018 14:57:47 +0800
+Subject: drm/ast: change resolution may cause screen blurred
+
+From: Y.C. Chen <yc_chen@aspeedtech.com>
+
+commit 1a37bd823891568f8721989aed0615835632d81a upstream.
+
+The value of pitches is not correct while calling mode_set.
+The issue we found so far on following system:
+- Debian8 with XFCE Desktop
+- Ubuntu with KDE Desktop
+- SUSE15 with KDE Desktop
+
+Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
+Cc: <stable@vger.kernel.org>
+Tested-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ast/ast_mode.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/ast/ast_mode.c
++++ b/drivers/gpu/drm/ast/ast_mode.c
+@@ -549,6 +549,7 @@ static int ast_crtc_do_set_base(struct d
+       }
+       ast_bo_unreserve(bo);
++      ast_set_offset_reg(crtc);
+       ast_set_start_address_crt1(crtc, (u32)gpu_addr);
+       return 0;
diff --git a/queue-3.18/drm-ast-fixed-cursor-may-disappear-sometimes.patch b/queue-3.18/drm-ast-fixed-cursor-may-disappear-sometimes.patch
new file mode 100644 (file)
index 0000000..7261974
--- /dev/null
@@ -0,0 +1,30 @@
+From 7989b9ee8bafe5cc625381dd0c3c4586de27ca26 Mon Sep 17 00:00:00 2001
+From: "Y.C. Chen" <yc_chen@aspeedtech.com>
+Date: Tue, 30 Oct 2018 11:34:46 +0800
+Subject: drm/ast: fixed cursor may disappear sometimes
+
+From: Y.C. Chen <yc_chen@aspeedtech.com>
+
+commit 7989b9ee8bafe5cc625381dd0c3c4586de27ca26 upstream.
+
+Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ast/ast_mode.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ast/ast_mode.c
++++ b/drivers/gpu/drm/ast/ast_mode.c
+@@ -1246,7 +1246,7 @@ static int ast_cursor_move(struct drm_cr
+       ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xc7, ((y >> 8) & 0x07));
+       /* dummy write to fire HWC */
+-      ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xCB, 0xFF, 0x00);
++      ast_show_cursor(crtc);
+       return 0;
+ }
diff --git a/queue-3.18/drm-ast-remove-existing-framebuffers-before-loading-driver.patch b/queue-3.18/drm-ast-remove-existing-framebuffers-before-loading-driver.patch
new file mode 100644 (file)
index 0000000..cba1a49
--- /dev/null
@@ -0,0 +1,63 @@
+From 5478ad10e7850ce3d8b7056db05ddfa3c9ddad9a Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Thu, 15 Nov 2018 11:42:16 +0100
+Subject: drm/ast: Remove existing framebuffers before loading driver
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit 5478ad10e7850ce3d8b7056db05ddfa3c9ddad9a upstream.
+
+If vesafb attaches to the AST device, it configures the framebuffer memory
+for uncached access by default. When ast.ko later tries to attach itself to
+the device, it wants to use write-combining on the framebuffer memory, but
+vesefb's existing configuration for uncached access takes precedence. This
+results in reduced performance.
+
+Removing the framebuffer's configuration before loding the AST driver fixes
+the problem. Other DRM drivers already contain equivalent code.
+
+Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1112963
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: <stable@vger.kernel.org>
+Tested-by: Y.C. Chen <yc_chen@aspeedtech.com>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Tested-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ast/ast_drv.c |   21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/drivers/gpu/drm/ast/ast_drv.c
++++ b/drivers/gpu/drm/ast/ast_drv.c
+@@ -60,8 +60,29 @@ static const struct pci_device_id pciidl
+ MODULE_DEVICE_TABLE(pci, pciidlist);
++static void ast_kick_out_firmware_fb(struct pci_dev *pdev)
++{
++      struct apertures_struct *ap;
++      bool primary = false;
++
++      ap = alloc_apertures(1);
++      if (!ap)
++              return;
++
++      ap->ranges[0].base = pci_resource_start(pdev, 0);
++      ap->ranges[0].size = pci_resource_len(pdev, 0);
++
++#ifdef CONFIG_X86
++      primary = pdev->resource[PCI_ROM_RESOURCE].flags & IORESOURCE_ROM_SHADOW;
++#endif
++      drm_fb_helper_remove_conflicting_framebuffers(ap, "astdrmfb", primary);
++      kfree(ap);
++}
++
+ static int ast_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ {
++      ast_kick_out_firmware_fb(pdev);
++
+       return drm_get_pci_dev(pdev, ent, &driver);
+ }
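Review bot: `drm_fb_helper_remove_conflicting_framebuffers(ap, "astdrmfb", primary);` in the new ast_kick_out_firmware_fb() uses a DRM helper that, to my knowledge, was introduced only shortly before this upstream commit, so a 3.18 tree is unlikely to have it; if that is the case, the older fbdev call `remove_conflicting_framebuffers(ap, "astdrmfb", primary);` is the equivalent, and queue-3.18 deserves a compile check either way. Separately, the `if (!ap) return;` path silently skips the eviction, which is acceptable as best effort but should say so, e.g. `/* best effort: with no aperture list we leave the firmware fb in place and let probe continue */`. ast_pci_probe is fully shown in the hunk.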
diff --git a/queue-3.18/gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch b/queue-3.18/gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch
new file mode 100644 (file)
index 0000000..415f34d
--- /dev/null
@@ -0,0 +1,40 @@
+From 4c62bd9cea7bcf10292f7e4c57a2bca332942697 Mon Sep 17 00:00:00 2001
+From: Andrew Price <anprice@redhat.com>
+Date: Mon, 8 Oct 2018 07:52:43 -0500
+Subject: gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd
+
+From: Andrew Price <anprice@redhat.com>
+
+commit 4c62bd9cea7bcf10292f7e4c57a2bca332942697 upstream.
+
+When alloc_percpu() fails, sdp gets freed but sb->s_fs_info still points
+to the same address. Move the assignment after that error check so that
+s_fs_info can only point to a valid sdp or NULL, which is checked for
+later in the error path, in gfs2_kill_super().
+
+Reported-by: syzbot+dcb8b3587445007f5808@syzkaller.appspotmail.com
+Signed-off-by: Andrew Price <anprice@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/ops_fstype.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/gfs2/ops_fstype.c
++++ b/fs/gfs2/ops_fstype.c
+@@ -71,13 +71,13 @@ static struct gfs2_sbd *init_sbd(struct
+       if (!sdp)
+               return NULL;
+-      sb->s_fs_info = sdp;
+       sdp->sd_vfs = sb;
+       sdp->sd_lkstats = alloc_percpu(struct gfs2_pcpu_lkstats);
+       if (!sdp->sd_lkstats) {
+               kfree(sdp);
+               return NULL;
+       }
++      sb->s_fs_info = sdp;
+       set_bit(SDF_NOJOURNALID, &sdp->sd_flags);
+       gfs2_tune_init(&sdp->sd_tune);
diff --git a/queue-3.18/llc-do-not-use-sk_eat_skb.patch b/queue-3.18/llc-do-not-use-sk_eat_skb.patch
new file mode 100644 (file)
index 0000000..53b6dc4
--- /dev/null
@@ -0,0 +1,164 @@
+From 604d415e2bd642b7e02c80e719e0396b9d4a77a6 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 22 Oct 2018 09:24:27 -0700
+Subject: llc: do not use sk_eat_skb()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 604d415e2bd642b7e02c80e719e0396b9d4a77a6 upstream.
+
+syzkaller triggered a use-after-free [1], caused by a combination of
+skb_get() in llc_conn_state_process() and usage of sk_eat_skb()
+
+sk_eat_skb() is assuming the skb about to be freed is only used by
+the current thread. TCP/DCCP stacks enforce this because current
+thread holds the socket lock.
+
+llc_conn_state_process() wants to make sure skb does not disappear,
+and holds a reference on the skb it manipulates. But as soon as this
+skb is added to socket receive queue, another thread can consume it.
+
+This means that llc must use regular skb_unlink() and kfree_skb()
+so that both producer and consumer can safely work on the same skb.
+
+[1]
+BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
+BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:43 [inline]
+BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:967 [inline]
+BUG: KASAN: use-after-free in kfree_skb+0xb7/0x580 net/core/skbuff.c:655
+Read of size 4 at addr ffff8801d1f6fba4 by task ksoftirqd/1/18
+
+CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.0-rc8+ #295
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c4/0x2b6 lib/dump_stack.c:113
+ print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
+ atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
+ refcount_read include/linux/refcount.h:43 [inline]
+ skb_unref include/linux/skbuff.h:967 [inline]
+ kfree_skb+0xb7/0x580 net/core/skbuff.c:655
+ llc_sap_state_process+0x9b/0x550 net/llc/llc_sap.c:224
+ llc_sap_rcv+0x156/0x1f0 net/llc/llc_sap.c:297
+ llc_sap_handler+0x65e/0xf80 net/llc/llc_sap.c:438
+ llc_rcv+0x79e/0xe20 net/llc/llc_input.c:208
+ __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913
+ __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023
+ process_backlog+0x218/0x6f0 net/core/dev.c:5829
+ napi_poll net/core/dev.c:6249 [inline]
+ net_rx_action+0x7c5/0x1950 net/core/dev.c:6315
+ __do_softirq+0x30c/0xb03 kernel/softirq.c:292
+ run_ksoftirqd+0x94/0x100 kernel/softirq.c:653
+ smpboot_thread_fn+0x68b/0xa00 kernel/smpboot.c:164
+ kthread+0x35a/0x420 kernel/kthread.c:246
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413
+
+Allocated by task 18:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
+ kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
+ kmem_cache_alloc_node+0x144/0x730 mm/slab.c:3644
+ __alloc_skb+0x119/0x770 net/core/skbuff.c:193
+ alloc_skb include/linux/skbuff.h:995 [inline]
+ llc_alloc_frame+0xbc/0x370 net/llc/llc_sap.c:54
+ llc_station_ac_send_xid_r net/llc/llc_station.c:52 [inline]
+ llc_station_rcv+0x1dc/0x1420 net/llc/llc_station.c:111
+ llc_rcv+0xc32/0xe20 net/llc/llc_input.c:220
+ __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913
+ __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023
+ process_backlog+0x218/0x6f0 net/core/dev.c:5829
+ napi_poll net/core/dev.c:6249 [inline]
+ net_rx_action+0x7c5/0x1950 net/core/dev.c:6315
+ __do_softirq+0x30c/0xb03 kernel/softirq.c:292
+
+Freed by task 16383:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:448
+ set_track mm/kasan/kasan.c:460 [inline]
+ __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
+ kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
+ __cache_free mm/slab.c:3498 [inline]
+ kmem_cache_free+0x83/0x290 mm/slab.c:3756
+ kfree_skbmem+0x154/0x230 net/core/skbuff.c:582
+ __kfree_skb+0x1d/0x20 net/core/skbuff.c:642
+ sk_eat_skb include/net/sock.h:2366 [inline]
+ llc_ui_recvmsg+0xec2/0x1610 net/llc/af_llc.c:882
+ sock_recvmsg_nosec net/socket.c:794 [inline]
+ sock_recvmsg+0xd0/0x110 net/socket.c:801
+ ___sys_recvmsg+0x2b6/0x680 net/socket.c:2278
+ __sys_recvmmsg+0x303/0xb90 net/socket.c:2390
+ do_sys_recvmmsg+0x181/0x1a0 net/socket.c:2466
+ __do_sys_recvmmsg net/socket.c:2484 [inline]
+ __se_sys_recvmmsg net/socket.c:2480 [inline]
+ __x64_sys_recvmmsg+0xbe/0x150 net/socket.c:2480
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8801d1f6fac0
+ which belongs to the cache skbuff_head_cache of size 232
+The buggy address is located 228 bytes inside of
+ 232-byte region [ffff8801d1f6fac0, ffff8801d1f6fba8)
+The buggy address belongs to the page:
+page:ffffea000747dbc0 count:1 mapcount:0 mapping:ffff8801d9be7680 index:0xffff8801d1f6fe80
+flags: 0x2fffc0000000100(slab)
+raw: 02fffc0000000100 ffffea0007346e88 ffffea000705b108 ffff8801d9be7680
+raw: ffff8801d1f6fe80 ffff8801d1f6f0c0 000000010000000b 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8801d1f6fa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+ ffff8801d1f6fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff8801d1f6fb80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
+                               ^
+ ffff8801d1f6fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8801d1f6fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/llc/af_llc.c |   11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -726,7 +726,6 @@ static int llc_ui_recvmsg(struct kiocb *
+       struct sk_buff *skb = NULL;
+       struct sock *sk = sock->sk;
+       struct llc_sock *llc = llc_sk(sk);
+-      unsigned long cpu_flags;
+       size_t copied = 0;
+       u32 peek_seq = 0;
+       u32 *seq, skb_len;
+@@ -852,9 +851,8 @@ static int llc_ui_recvmsg(struct kiocb *
+                       goto copy_uaddr;
+               if (!(flags & MSG_PEEK)) {
+-                      spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags);
+-                      sk_eat_skb(sk, skb);
+-                      spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags);
++                      skb_unlink(skb, &sk->sk_receive_queue);
++                      kfree_skb(skb);
+                       *seq = 0;
+               }
+@@ -875,9 +873,8 @@ copy_uaddr:
+               llc_cmsg_rcv(msg, skb);
+       if (!(flags & MSG_PEEK)) {
+-              spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags);
+-              sk_eat_skb(sk, skb);
+-              spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags);
++              skb_unlink(skb, &sk->sk_receive_queue);
++              kfree_skb(skb);
+               *seq = 0;
+       }
diff --git a/queue-3.18/sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch b/queue-3.18/sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch
new file mode 100644 (file)
index 0000000..c39828a
--- /dev/null
@@ -0,0 +1,59 @@
+From df132eff463873e14e019a07f387b4d577d6d1f9 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 29 Oct 2018 23:10:29 +0800
+Subject: sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit df132eff463873e14e019a07f387b4d577d6d1f9 upstream.
+
+If a transport is removed by asconf but there still are some chunks with
+this transport queuing on out_chunk_list, later an use-after-free issue
+will be caused when accessing this transport from these chunks in
+sctp_outq_flush().
+
+This is an old bug, we fix it by clearing the transport of these chunks
+in out_chunk_list when removing a transport in sctp_assoc_rm_peer().
+
+Reported-by: syzbot+56a40ceee5fb35932f4d@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sctp/associola.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -487,8 +487,9 @@ void sctp_assoc_set_primary(struct sctp_
+ void sctp_assoc_rm_peer(struct sctp_association *asoc,
+                       struct sctp_transport *peer)
+ {
+-      struct list_head        *pos;
+-      struct sctp_transport   *transport;
++      struct sctp_transport *transport;
++      struct list_head *pos;
++      struct sctp_chunk *ch;
+       pr_debug("%s: association:%p addr:%pISpc\n",
+                __func__, asoc, &peer->ipaddr.sa);
+@@ -544,7 +545,6 @@ void sctp_assoc_rm_peer(struct sctp_asso
+        */
+       if (!list_empty(&peer->transmitted)) {
+               struct sctp_transport *active = asoc->peer.active_path;
+-              struct sctp_chunk *ch;
+               /* Reset the transport of each chunk on this list */
+               list_for_each_entry(ch, &peer->transmitted,
+@@ -566,6 +566,10 @@ void sctp_assoc_rm_peer(struct sctp_asso
+                               sctp_transport_hold(active);
+       }
++      list_for_each_entry(ch, &asoc->outqueue.out_chunk_list, list)
++              if (ch->transport == peer)
++                      ch->transport = NULL;
++
+       asoc->peer.transport_count--;
+       sctp_transport_free(peer);
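Review bot: The new loop over out_chunk_list at the end of the hunk has no comment saying why chunk->transport is cleared, and the reason (a queued chunk would otherwise dereference peer after sctp_transport_free() runs two lines later, per the commit message) is not obvious from the code itself. A one-line comment above the loop would help: `/* Chunks still queued on out_chunk_list must not keep a pointer to peer, which is freed below. */`. The hunk only walks out_chunk_list; whether other per-association queues can still hold chunk->transport pointers to peer is not visible here and would be worth confirming. The locking that protects out_chunk_list during this walk is likewise outside the hunk. sctp_assoc_rm_peer's body continues beyond the hunk.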
diff --git a/queue-3.18/series b/queue-3.18/series
new file mode 100644 (file)
index 0000000..6a3841d
--- /dev/null
@@ -0,0 +1,14 @@
+usb-core-fix-hub-port-connection-events-lost.patch
+alsa-oss-use-kvzalloc-for-local-buffer-allocations.patch
+v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch
+bfs-add-sanity-check-at-bfs_fill_super.patch
+sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch
+gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch
+llc-do-not-use-sk_eat_skb.patch
+drm-ast-fixed-cursor-may-disappear-sometimes.patch
+drm-ast-change-resolution-may-cause-screen-blurred.patch
+drm-ast-remove-existing-framebuffers-before-loading-driver.patch
+can-dev-can_get_echo_skb-factor-out-non-sending-code-to-__can_get_echo_skb.patch
+can-dev-__can_get_echo_skb-replace-struct-can_frame-by-canfd_frame-to-access-frame-length.patch
+can-dev-__can_get_echo_skb-don-t-crash-the-kernel-if-can_priv-echo_skb-is-accessed-out-of-bounds.patch
+can-dev-__can_get_echo_skb-print-error-message-if-trying-to-echo-non-existing-skb.patch
diff --git a/queue-3.18/usb-core-fix-hub-port-connection-events-lost.patch b/queue-3.18/usb-core-fix-hub-port-connection-events-lost.patch
new file mode 100644 (file)
index 0000000..0fc2020
--- /dev/null
@@ -0,0 +1,46 @@
+From 22454b79e6de05fa61a2a72d00d2eed798abbb75 Mon Sep 17 00:00:00 2001
+From: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+Date: Tue, 13 Nov 2018 14:40:34 +0100
+Subject: usb: core: Fix hub port connection events lost
+
+From: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+
+commit 22454b79e6de05fa61a2a72d00d2eed798abbb75 upstream.
+
+This will clear the USB_PORT_FEAT_C_CONNECTION bit in case of a hub port reset
+only if a device is was attached to the hub port before resetting the hub port.
+
+Using a Lenovo T480s attached to the ultra dock it was not possible to detect
+some usb-c devices at the dock usb-c ports because the hub_port_reset code
+will clear the USB_PORT_FEAT_C_CONNECTION bit after the actual hub port reset.
+Using this device combo the USB_PORT_FEAT_C_CONNECTION bit was set between the
+actual hub port reset and the clear of the USB_PORT_FEAT_C_CONNECTION bit.
+This ends up with clearing the USB_PORT_FEAT_C_CONNECTION bit after the
+new device was attached such that it was not detected.
+
+This patch will not clear the USB_PORT_FEAT_C_CONNECTION bit if there is
+currently no device attached to the port before the hub port reset.
+This will avoid clearing the connection bit for new attached devices.
+
+Signed-off-by: Dennis Wassenberg <dennis.wassenberg@secunet.com>
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2765,7 +2765,9 @@ static int hub_port_reset(struct usb_hub
+                                       USB_PORT_FEAT_C_BH_PORT_RESET);
+                       usb_clear_port_feature(hub->hdev, port1,
+                                       USB_PORT_FEAT_C_PORT_LINK_STATE);
+-                      usb_clear_port_feature(hub->hdev, port1,
++
++                      if (udev)
++                              usb_clear_port_feature(hub->hdev, port1,
+                                       USB_PORT_FEAT_C_CONNECTION);
+                       /*
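Review bot: The new `if (udev)` guard carries no comment, so the next reader will not know that an unconditional clear of USB_PORT_FEAT_C_CONNECTION here can discard the connect event of a device that arrived during the reset, which is the whole point of the change per the commit message. Suggest `/* Only clear C_CONNECTION if a device was attached before the reset; a new arrival during the reset must remain visible. */` directly above the guard. udev is presumably the device attached before the reset, but where it comes from is outside the hunk, and hub_port_reset both starts and ends outside the hunk as well.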
diff --git a/queue-3.18/v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch b/queue-3.18/v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch
new file mode 100644 (file)
index 0000000..bf53bb6
--- /dev/null
@@ -0,0 +1,56 @@
+From 81c99089bce693b94b775b6eb888115d2d540086 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <dominique.martinet@cea.fr>
+Date: Mon, 27 Aug 2018 15:12:05 +0900
+Subject: v9fs_dir_readdir: fix double-free on p9stat_read error
+
+From: Dominique Martinet <dominique.martinet@cea.fr>
+
+commit 81c99089bce693b94b775b6eb888115d2d540086 upstream.
+
+p9stat_read will call p9stat_free on error, we should only free the
+struct content on success.
+
+There also is no need to "p9stat_init" st as the read function will
+zero the whole struct for us anyway, so clean up the code a bit while
+we are here.
+
+Link: http://lkml.kernel.org/r/1535410108-20650-1-git-send-email-asmadeus@codewreck.org
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/9p/vfs_dir.c |   11 -----------
+ 1 file changed, 11 deletions(-)
+
+--- a/fs/9p/vfs_dir.c
++++ b/fs/9p/vfs_dir.c
+@@ -75,15 +75,6 @@ static inline int dt_type(struct p9_wsta
+       return rettype;
+ }
+-static void p9stat_init(struct p9_wstat *stbuf)
+-{
+-      stbuf->name  = NULL;
+-      stbuf->uid   = NULL;
+-      stbuf->gid   = NULL;
+-      stbuf->muid  = NULL;
+-      stbuf->extension = NULL;
+-}
+-
+ /**
+  * v9fs_alloc_rdir_buf - Allocate buffer used for read and readdir
+  * @filp: opened file structure
+@@ -136,12 +127,10 @@ static int v9fs_dir_readdir(struct file
+                       rdir->tail = err;
+               }
+               while (rdir->head < rdir->tail) {
+-                      p9stat_init(&st);
+                       err = p9stat_read(fid->clnt, rdir->buf + rdir->head,
+                                         rdir->tail - rdir->head, &st);
+                       if (err) {
+                               p9_debug(P9_DEBUG_VFS, "returned %d\n", err);
+-                              p9stat_free(&st);
+                               return -EIO;
+                       }
+                       reclen = st.size+2;