--- /dev/null
+From 9361df14d1cbf966409d5d6f48bb334384fbe138 Mon Sep 17 00:00:00 2001
+From: Srinivas Dasari <dasaris@qti.qualcomm.com>
+Date: Fri, 7 Jul 2017 01:43:39 +0300
+Subject: cfg80211: Check if PMKID attribute is of expected size
+
+From: Srinivas Dasari <dasaris@qti.qualcomm.com>
+
+commit 9361df14d1cbf966409d5d6f48bb334384fbe138 upstream.
+
+nla policy checks for only maximum length of the attribute data
+when the attribute type is NLA_BINARY. If userspace sends less
+data than specified, the wireless drivers may access illegal
+memory. When type is NLA_UNSPEC, nla policy check ensures that
+userspace sends minimum specified length number of bytes.
+
+Remove type assignment to NLA_BINARY from nla_policy of
+NL80211_ATTR_PMKID to make this NLA_UNSPEC and to make sure minimum
+WLAN_PMKID_LEN bytes are received from userspace with
+NL80211_ATTR_PMKID.
+
+Fixes: 67fbb16be69d ("nl80211: PMKSA caching support")
+Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -301,8 +301,7 @@ static const struct nla_policy nl80211_p
+ [NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
+ [NL80211_ATTR_PID] = { .type = NLA_U32 },
+ [NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
+- [NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
+- .len = WLAN_PMKID_LEN },
++ [NL80211_ATTR_PMKID] = { .len = WLAN_PMKID_LEN },
+ [NL80211_ATTR_DURATION] = { .type = NLA_U32 },
+ [NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
+ [NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
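Review bot: The new `NL80211_ATTR_PMKID` entry relies on the absence of `.type` to get minimum-length checking, and nothing on the line says so, which makes it easy for a later cleanup to restore `NLA_BINARY` and reopen the short-attribute read described in the commit message. A one-line comment above the entry would pin the intent, for example `/* no .type on purpose: NLA_UNSPEC makes .len a minimum, NLA_BINARY only a maximum */`. With this form the policy no longer caps the attribute length, so the consumers (outside this hunk) should keep reading exactly `WLAN_PMKID_LEN` bytes rather than `nla_len()` bytes. The policy array starts and ends outside the hunk.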
--- /dev/null
+From 8feb69c7bd89513be80eb19198d48f154b254021 Mon Sep 17 00:00:00 2001
+From: Srinivas Dasari <dasaris@qti.qualcomm.com>
+Date: Fri, 7 Jul 2017 01:43:41 +0300
+Subject: cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE
+
+From: Srinivas Dasari <dasaris@qti.qualcomm.com>
+
+commit 8feb69c7bd89513be80eb19198d48f154b254021 upstream.
+
+Buffer overread may happen as nl80211_set_station() reads 4 bytes
+from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without
+validating the size of data received when userspace sends less
+than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE.
+Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid
+the buffer overread.
+
+Fixes: 3b1c5a5307f ("{cfg,nl}80211: mesh power mode primitives and userspace access")
+Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -358,6 +358,7 @@ static const struct nla_policy nl80211_p
+ [NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
+ [NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
+ [NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
++ [NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 },
+ [NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
+ [NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
+ [NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
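Review bot: The added initializer is written `{. type = NLA_U32 }`, copying the misplaced space from the `NL80211_ATTR_ACL_POLICY` line below it, while the other entries in the hunk use `{ .type = ... }`. Writing it as `[NL80211_ATTR_LOCAL_MESH_POWER_MODE] = { .type = NLA_U32 },` keeps the table consistent and greppable for `.type =`, which matters in a table whose whole purpose is length validation of userspace input. The policy array starts and ends outside the hunk.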
--- /dev/null
+From d7f13f7450369281a5d0ea463cc69890a15923ae Mon Sep 17 00:00:00 2001
+From: Srinivas Dasari <dasaris@qti.qualcomm.com>
+Date: Fri, 7 Jul 2017 01:43:42 +0300
+Subject: cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES
+
+From: Srinivas Dasari <dasaris@qti.qualcomm.com>
+
+commit d7f13f7450369281a5d0ea463cc69890a15923ae upstream.
+
+validate_scan_freqs() retrieves frequencies from attributes
+nested in the attribute NL80211_ATTR_SCAN_FREQUENCIES with
+nla_get_u32(), which reads 4 bytes from each attribute
+without validating the size of data received. Attributes
+nested in NL80211_ATTR_SCAN_FREQUENCIES don't have an nla policy.
+
+Validate size of each attribute before parsing to avoid potential buffer
+overread.
+
+Fixes: 2a519311926 ("cfg80211/nl80211: scanning (and mac80211 update to use it)")
+Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -5348,6 +5348,10 @@ static int validate_scan_freqs(struct nl
+ struct nlattr *attr1, *attr2;
+ int n_channels = 0, tmp1, tmp2;
+
++ nla_for_each_nested(attr1, freqs, tmp1)
++ if (nla_len(attr1) != sizeof(u32))
++ return 0;
++
+ nla_for_each_nested(attr1, freqs, tmp1) {
+ n_channels++;
+ /*
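Review bot: The pre-pass added at the top of validate_scan_freqs() has no comment saying why a separate walk is needed before the counting loop. A line such as `/* nested frequency attributes have no policy: check each length before nla_get_u32() */` would record the reason given in the commit message next to the code. The pre-pass returns `0` for a malformed length; whether callers treat 0 as a rejection is not visible here because the rest of the function is outside the hunk. The unbraced `nla_for_each_nested` with a two-line body is legal, but braces would match the loop that follows it.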
--- /dev/null
+From 8d81ae05d0176da1c54aeaed697fa34be5c5575e Mon Sep 17 00:00:00 2001
+From: Cyril Bur <cyrilbur@gmail.com>
+Date: Mon, 10 Jul 2017 15:52:21 -0700
+Subject: checkpatch: silence perl 5.26.0 unescaped left brace warnings
+
+From: Cyril Bur <cyrilbur@gmail.com>
+
+commit 8d81ae05d0176da1c54aeaed697fa34be5c5575e upstream.
+
+As of perl 5, version 26, subversion 0 (v5.26.0) some new warnings have
+occurred when running checkpatch.
+
+Unescaped left brace in regex is deprecated here (and will be fatal in
+Perl 5.30), passed through in regex; marked by <-- HERE in m/^(.\s*){
+<-- HERE \s*/ at scripts/checkpatch.pl line 3544.
+
+Unescaped left brace in regex is deprecated here (and will be fatal in
+Perl 5.30), passed through in regex; marked by <-- HERE in m/^(.\s*){
+<-- HERE \s*/ at scripts/checkpatch.pl line 3885.
+
+Unescaped left brace in regex is deprecated here (and will be fatal in
+Perl 5.30), passed through in regex; marked by <-- HERE in
+m/^(\+.*(?:do|\))){ <-- HERE / at scripts/checkpatch.pl line 4374.
+
+It seems perfectly reasonable to do as the warning suggests and simply
+escape the left brace in these three locations.
+
+Link: http://lkml.kernel.org/r/20170607060135.17384-1-cyrilbur@gmail.com
+Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
+Acked-by: Joe Perches <joe@perches.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/checkpatch.pl | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/scripts/checkpatch.pl
++++ b/scripts/checkpatch.pl
+@@ -2985,7 +2985,7 @@ sub process {
+ $fixedline =~ s/\s*=\s*$/ = {/;
+ fix_insert_line($fixlinenr, $fixedline);
+ $fixedline = $line;
+- $fixedline =~ s/^(.\s*){\s*/$1/;
++ $fixedline =~ s/^(.\s*)\{\s*/$1/;
+ fix_insert_line($fixlinenr, $fixedline);
+ }
+ }
+@@ -3301,7 +3301,7 @@ sub process {
+ my $fixedline = rtrim($prevrawline) . " {";
+ fix_insert_line($fixlinenr, $fixedline);
+ $fixedline = $rawline;
+- $fixedline =~ s/^(.\s*){\s*/$1\t/;
++ $fixedline =~ s/^(.\s*)\{\s*/$1\t/;
+ if ($fixedline !~ /^\+\s*$/) {
+ fix_insert_line($fixlinenr, $fixedline);
+ }
+@@ -3748,7 +3748,7 @@ sub process {
+ if (ERROR("SPACING",
+ "space required before the open brace '{'\n" . $herecurr) &&
+ $fix) {
+- $fixed[$fixlinenr] =~ s/^(\+.*(?:do|\))){/$1 {/;
++ $fixed[$fixlinenr] =~ s/^(\+.*(?:do|\)))\{/$1 {/;
+ }
+ }
+
--- /dev/null
+From da029c11e6b12f321f36dac8771e833b65cec962 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 7 Jul 2017 11:57:29 -0700
+Subject: exec: Limit arg stack to at most 75% of _STK_LIM
+
+From: Kees Cook <keescook@chromium.org>
+
+commit da029c11e6b12f321f36dac8771e833b65cec962 upstream.
+
+To avoid pathological stack usage or the need to special-case setuid
+execs, just limit all arg stack usage to at most 75% of _STK_LIM (6MB).
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/exec.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -199,8 +199,7 @@ static struct page *get_arg_page(struct
+
+ if (write) {
+ unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start;
+- unsigned long ptr_size;
+- struct rlimit *rlim;
++ unsigned long ptr_size, limit;
+
+ /*
+ * Since the stack will hold pointers to the strings, we
+@@ -229,14 +228,16 @@ static struct page *get_arg_page(struct
+ return page;
+
+ /*
+- * Limit to 1/4-th the stack size for the argv+env strings.
++ * Limit to 1/4 of the max stack size or 3/4 of _STK_LIM
++ * (whichever is smaller) for the argv+env strings.
+ * This ensures that:
+ * - the remaining binfmt code will not run out of stack space,
+ * - the program will have a reasonable amount of stack left
+ * to work from.
+ */
+- rlim = current->signal->rlim;
+- if (size > READ_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4)
++ limit = _STK_LIM / 4 * 3;
++ limit = min(limit, rlimit(RLIMIT_STACK) / 4);
++ if (size > limit)
+ goto fail;
+ }
+
--- /dev/null
+From b17c070fb624cf10162cf92ea5e1ec25cd8ac176 Mon Sep 17 00:00:00 2001
+From: Sahitya Tummala <stummala@codeaurora.org>
+Date: Mon, 10 Jul 2017 15:50:00 -0700
+Subject: fs/dcache.c: fix spin lockup issue on nlru->lock
+
+From: Sahitya Tummala <stummala@codeaurora.org>
+
+commit b17c070fb624cf10162cf92ea5e1ec25cd8ac176 upstream.
+
+__list_lru_walk_one() acquires nlru spin lock (nlru->lock) for longer
+duration if there are more number of items in the lru list. As per the
+current code, it can hold the spin lock for upto maximum UINT_MAX
+entries at a time. So if there are more number of items in the lru
+list, then "BUG: spinlock lockup suspected" is observed in the below
+path:
+
+ spin_bug+0x90
+ do_raw_spin_lock+0xfc
+ _raw_spin_lock+0x28
+ list_lru_add+0x28
+ dput+0x1c8
+ path_put+0x20
+ terminate_walk+0x3c
+ path_lookupat+0x100
+ filename_lookup+0x6c
+ user_path_at_empty+0x54
+ SyS_faccessat+0xd0
+ el0_svc_naked+0x24
+
+This nlru->lock is acquired by another CPU in this path -
+
+ d_lru_shrink_move+0x34
+ dentry_lru_isolate_shrink+0x48
+ __list_lru_walk_one.isra.10+0x94
+ list_lru_walk_node+0x40
+ shrink_dcache_sb+0x60
+ do_remount_sb+0xbc
+ do_emergency_remount+0xb0
+ process_one_work+0x228
+ worker_thread+0x2e0
+ kthread+0xf4
+ ret_from_fork+0x10
+
+Fix this lockup by reducing the number of entries to be shrinked from
+the lru list to 1024 at once. Also, add cond_resched() before
+processing the lru list again.
+
+Link: http://marc.info/?t=149722864900001&r=1&w=2
+Link: http://lkml.kernel.org/r/1498707575-2472-1-git-send-email-stummala@codeaurora.org
+Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
+Suggested-by: Jan Kara <jack@suse.cz>
+Suggested-by: Vladimir Davydov <vdavydov.dev@gmail.com>
+Acked-by: Vladimir Davydov <vdavydov.dev@gmail.com>
+Cc: Alexander Polakov <apolyakov@beget.ru>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dcache.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -1104,11 +1104,12 @@ void shrink_dcache_sb(struct super_block
+ LIST_HEAD(dispose);
+
+ freed = list_lru_walk(&sb->s_dentry_lru,
+- dentry_lru_isolate_shrink, &dispose, UINT_MAX);
++ dentry_lru_isolate_shrink, &dispose, 1024);
+
+ this_cpu_sub(nr_dentry_unused, freed);
+ shrink_dentry_list(&dispose);
+- } while (freed > 0);
++ cond_resched();
++ } while (list_lru_count(&sb->s_dentry_lru) > 0);
+ }
+ EXPORT_SYMBOL(shrink_dcache_sb);
+
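Review bot: The loop in shrink_dcache_sb() now ends only when `list_lru_count(&sb->s_dentry_lru)` reaches zero, so a pass in which `freed` is 0 no longer stops it as the old `while (freed > 0)` did. If `dentry_lru_isolate_shrink` (outside this hunk) can leave entries on the list, for instance by skipping ones it cannot lock, the function would keep rescanning until they go away; `cond_resched()` keeps that from being a lockup but does not bound it, and a comment stating that this is intended would help. The batch size is also a bare `1024`; a named constant with a comment tying it to the `nlru->lock` hold time from the commit message would make it adjustable in one place.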
--- /dev/null
+From 866d7c1b0a3c70387646c4e455e727a58c5d465a Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Fri, 30 Jun 2017 10:58:28 +0100
+Subject: irqchip/gic-v3: Fix out-of-bound access in gic_set_affinity
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+commit 866d7c1b0a3c70387646c4e455e727a58c5d465a upstream.
+
+The GICv3 driver doesn't check if the target CPU for gic_set_affinity
+is valid before going ahead and making the changes. This triggers the
+following splat with KASAN:
+
+[ 141.189434] BUG: KASAN: global-out-of-bounds in gic_set_affinity+0x8c/0x140
+[ 141.189704] Read of size 8 at addr ffff200009741d20 by task swapper/1/0
+[ 141.189958]
+[ 141.190158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.12.0-rc7
+[ 141.190458] Hardware name: Foundation-v8A (DT)
+[ 141.190658] Call trace:
+[ 141.190908] [<ffff200008089d70>] dump_backtrace+0x0/0x328
+[ 141.191224] [<ffff20000808a1b4>] show_stack+0x14/0x20
+[ 141.191507] [<ffff200008504c3c>] dump_stack+0xa4/0xc8
+[ 141.191858] [<ffff20000826c19c>] print_address_description+0x13c/0x250
+[ 141.192219] [<ffff20000826c5c8>] kasan_report+0x210/0x300
+[ 141.192547] [<ffff20000826ad54>] __asan_load8+0x84/0x98
+[ 141.192874] [<ffff20000854eeec>] gic_set_affinity+0x8c/0x140
+[ 141.193158] [<ffff200008148b14>] irq_do_set_affinity+0x54/0xb8
+[ 141.193473] [<ffff200008148d2c>] irq_set_affinity_locked+0x64/0xf0
+[ 141.193828] [<ffff200008148e00>] __irq_set_affinity+0x48/0x78
+[ 141.194158] [<ffff200008bc48a4>] arm_perf_starting_cpu+0x104/0x150
+[ 141.194513] [<ffff2000080d73bc>] cpuhp_invoke_callback+0x17c/0x1f8
+[ 141.194783] [<ffff2000080d94ec>] notify_cpu_starting+0x8c/0xb8
+[ 141.195130] [<ffff2000080911ec>] secondary_start_kernel+0x15c/0x200
+[ 141.195390] [<0000000080db81b4>] 0x80db81b4
+[ 141.195603]
+[ 141.195685] The buggy address belongs to the variable:
+[ 141.196012] __cpu_logical_map+0x200/0x220
+[ 141.196176]
+[ 141.196315] Memory state around the buggy address:
+[ 141.196586] ffff200009741c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 141.196913] ffff200009741c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 141.197158] >ffff200009741d00: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
+[ 141.197487] ^
+[ 141.197758] ffff200009741d80: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
+[ 141.198060] ffff200009741e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 141.198358] ==================================================================
+[ 141.198609] Disabling lock debugging due to kernel taint
+[ 141.198961] CPU1: Booted secondary processor [410fd051]
+
+This patch adds the check to make sure the cpu is valid.
+
+Fixes: commit 021f653791ad17e03f98 ("irqchip: gic-v3: Initial support for GICv3")
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-gic-v3.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/irqchip/irq-gic-v3.c
++++ b/drivers/irqchip/irq-gic-v3.c
+@@ -531,6 +531,9 @@ static int gic_set_affinity(struct irq_d
+ int enabled;
+ u64 val;
+
++ if (cpu >= nr_cpu_ids)
++ return -EINVAL;
++
+ if (gic_irq_in_rdist(d))
+ return -EINVAL;
+
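Review bot: The new `cpu >= nr_cpu_ids` guard has no comment saying how `cpu` can end up out of range; the assignment is above the hunk, presumably a cpumask pick that yields `nr_cpu_ids` or more when no CPU matches. A line such as `/* no usable CPU in the requested mask: do not index the logical map */` would tie the check to the `__cpu_logical_map` read shown in the KASAN report. In the visible lines the guard sits before any other use of `cpu`, which is where it needs to be; the rest of gic_set_affinity() is outside the hunk.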
--- /dev/null
+From c0d80ddab89916273cb97114889d3f337bc370ae Mon Sep 17 00:00:00 2001
+From: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Date: Thu, 6 Jul 2017 15:35:31 -0700
+Subject: kernel/extable.c: mark core_kernel_text notrace
+
+From: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+
+commit c0d80ddab89916273cb97114889d3f337bc370ae upstream.
+
+core_kernel_text is used by MIPS in its function graph trace processing,
+so having this method traced leads to an infinite set of recursive calls
+such as:
+
+ Call Trace:
+ ftrace_return_to_handler+0x50/0x128
+ core_kernel_text+0x10/0x1b8
+ prepare_ftrace_return+0x6c/0x114
+ ftrace_graph_caller+0x20/0x44
+ return_to_handler+0x10/0x30
+ return_to_handler+0x0/0x30
+ return_to_handler+0x0/0x30
+ ftrace_ops_no_ops+0x114/0x1bc
+ core_kernel_text+0x10/0x1b8
+ core_kernel_text+0x10/0x1b8
+ core_kernel_text+0x10/0x1b8
+ ftrace_ops_no_ops+0x114/0x1bc
+ core_kernel_text+0x10/0x1b8
+ prepare_ftrace_return+0x6c/0x114
+ ftrace_graph_caller+0x20/0x44
+ (...)
+
+Mark the function notrace to avoid it being traced.
+
+Link: http://lkml.kernel.org/r/1498028607-6765-1-git-send-email-marcin.nowakowski@imgtec.com
+Signed-off-by: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Meyer <thomas@m3y3r.de>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/extable.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/extable.c
++++ b/kernel/extable.c
+@@ -66,7 +66,7 @@ static inline int init_kernel_text(unsig
+ return 0;
+ }
+
+-int core_kernel_text(unsigned long addr)
++int notrace core_kernel_text(unsigned long addr)
+ {
+ if (addr >= (unsigned long)_stext &&
+ addr < (unsigned long)_etext)
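Review bot: The `notrace` annotation on core_kernel_text() carries no comment, so the reason for it (the function is called from MIPS function-graph trace processing and recurses if traced, per the commit message) lives only in the changelog. A comment above the definition, e.g. `/* notrace: called from the function graph tracer on some archs */`, would keep it from being dropped in a later cleanup. The body continues outside the hunk; if it calls any non-inlined helper, that helper would presumably need the same annotation.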
--- /dev/null
+From 37511fb5c91db93d8bd6e3f52f86e5a7ff7cfcdf Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Fri, 14 Jul 2017 14:49:38 -0700
+Subject: mm: fix overflow check in expand_upwards()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Helge Deller <deller@gmx.de>
+
+commit 37511fb5c91db93d8bd6e3f52f86e5a7ff7cfcdf upstream.
+
+Jörn Engel noticed that the expand_upwards() function might not return
+-ENOMEM in case the requested address is (unsigned long)-PAGE_SIZE and
+if the architecture didn't defined TASK_SIZE as multiple of PAGE_SIZE.
+
+Affected architectures are arm, frv, m68k, blackfin, h8300 and xtensa
+which all define TASK_SIZE as 0xffffffff, but since none of those have
+an upwards-growing stack we currently have no actual issue.
+
+Nevertheless let's fix this just in case any of the architectures with
+an upward-growing stack (currently parisc, metag and partly ia64) define
+TASK_SIZE similar.
+
+Link: http://lkml.kernel.org/r/20170702192452.GA11868@p100.box
+Fixes: bd726c90b6b8 ("Allow stack to grow up to address space limit")
+Signed-off-by: Helge Deller <deller@gmx.de>
+Reported-by: Jörn Engel <joern@purestorage.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2179,7 +2179,7 @@ int expand_upwards(struct vm_area_struct
+
+ /* Guard against exceeding limits of the address space. */
+ address &= PAGE_MASK;
+- if (address >= TASK_SIZE)
++ if (address >= (TASK_SIZE & PAGE_MASK))
+ return -ENOMEM;
+ address += PAGE_SIZE;
+
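Review bot: The comment above the check still reads only `Guard against exceeding limits of the address space`, which does not explain why `TASK_SIZE` is now masked. The point of `(TASK_SIZE & PAGE_MASK)` is that the following `address += PAGE_SIZE` must not wrap when `TASK_SIZE` is not page aligned, as in the `0xffffffff` case from the commit message; a comment like `/* TASK_SIZE may not be page aligned; keep address + PAGE_SIZE from wrapping */` would make that visible. The rest of expand_upwards() is outside the hunk.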
--- /dev/null
+From 33f9e02495d15a061f0c94ef46f5103a2d0c20f3 Mon Sep 17 00:00:00 2001
+From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Date: Mon, 3 Jul 2017 10:38:05 +0200
+Subject: parisc: DMA API: return error instead of BUG_ON for dma ops on non dma devs
+
+From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+
+commit 33f9e02495d15a061f0c94ef46f5103a2d0c20f3 upstream.
+
+Enabling parport pc driver on a B2600 (and probably other 64bit PARISC
+systems) produced following BUG:
+
+CPU: 0 PID: 1 Comm: swapper Not tainted 4.12.0-rc5-30198-g1132d5e #156
+task: 000000009e050000 task.stack: 000000009e04c000
+
+ YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
+PSW: 00001000000001101111111100001111 Not tainted
+r00-03 000000ff0806ff0f 000000009e04c990 0000000040871b78 000000009e04cac0
+r04-07 0000000040c14de0 ffffffffffffffff 000000009e07f098 000000009d82d200
+r08-11 000000009d82d210 0000000000000378 0000000000000000 0000000040c345e0
+r12-15 0000000000000005 0000000040c345e0 0000000000000000 0000000040c9d5e0
+r16-19 0000000040c345e0 00000000f00001c4 00000000f00001bc 0000000000000061
+r20-23 000000009e04ce28 0000000000000010 0000000000000010 0000000040b89e40
+r24-27 0000000000000003 0000000000ffffff 000000009d82d210 0000000040c14de0
+r28-31 0000000000000000 000000009e04ca90 000000009e04cb40 0000000000000000
+sr00-03 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+
+IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000404aece0 00000000404aece4
+ IIR: 03ffe01f ISR: 0000000010340000 IOR: 000001781304cac8
+ CPU: 0 CR30: 000000009e04c000 CR31: 00000000e2976de2
+ ORIG_R28: 0000000000000200
+ IAOQ[0]: sba_dma_supported+0x80/0xd0
+ IAOQ[1]: sba_dma_supported+0x84/0xd0
+ RP(r2): parport_pc_probe_port+0x178/0x1200
+
+Cause is a call to dma_coerce_mask_and_coherenet in parport_pc_probe_port,
+which PARISC DMA API doesn't handle very nicely. This commit gives back
+DMA_ERROR_CODE for DMA API calls, if device isn't capable of DMA
+transaction.
+
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/asm/dma-mapping.h | 11 +++++++----
+ drivers/parisc/ccio-dma.c | 12 ++++++++++++
+ drivers/parisc/dino.c | 5 ++++-
+ drivers/parisc/lba_pci.c | 6 ++++--
+ drivers/parisc/sba_iommu.c | 14 ++++++++++++++
+ 5 files changed, 41 insertions(+), 7 deletions(-)
+
+--- a/arch/parisc/include/asm/dma-mapping.h
++++ b/arch/parisc/include/asm/dma-mapping.h
+@@ -39,6 +39,8 @@ struct hppa_dma_ops {
+ ** flush/purge and allocate "regular" cacheable pages for everything.
+ */
+
++#define DMA_ERROR_CODE (~(dma_addr_t)0)
++
+ #ifdef CONFIG_PA11
+ extern struct hppa_dma_ops pcxl_dma_ops;
+ extern struct hppa_dma_ops pcx_dma_ops;
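Review bot: `DMA_ERROR_CODE` is introduced here and returned from ccio_map_single() and sba_map_single(), but nothing in this patch shows how a caller detects it. Whether `dma_mapping_error()` on this tree compares against `DMA_ERROR_CODE` or needs a parisc-specific hook is not visible from these hunks; if it does not, a driver would treat `~(dma_addr_t)0` as a valid bus address and hand it to the device. A comment at the define naming the function that tests for this value would close that gap for the next reader.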
+@@ -209,12 +211,13 @@ parisc_walk_tree(struct device *dev)
+ break;
+ }
+ }
+- BUG_ON(!dev->platform_data);
+ return dev->platform_data;
+ }
+-
+-#define GET_IOC(dev) (HBA_DATA(parisc_walk_tree(dev))->iommu)
+-
++
++#define GET_IOC(dev) ({ \
++ void *__pdata = parisc_walk_tree(dev); \
++ __pdata ? HBA_DATA(__pdata)->iommu : NULL; \
++})
+
+ #ifdef CONFIG_IOMMU_CCIO
+ struct parisc_device;
+--- a/drivers/parisc/ccio-dma.c
++++ b/drivers/parisc/ccio-dma.c
+@@ -743,6 +743,8 @@ ccio_map_single(struct device *dev, void
+
+ BUG_ON(!dev);
+ ioc = GET_IOC(dev);
++ if (!ioc)
++ return DMA_ERROR_CODE;
+
+ BUG_ON(size <= 0);
+
+@@ -807,6 +809,10 @@ ccio_unmap_single(struct device *dev, dm
+
+ BUG_ON(!dev);
+ ioc = GET_IOC(dev);
++ if (!ioc) {
++ WARN_ON(!ioc);
++ return;
++ }
+
+ DBG_RUN("%s() iovp 0x%lx/%x\n",
+ __func__, (long)iova, size);
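Review bot: In ccio_unmap_single() the new block `if (!ioc) { WARN_ON(!ioc); return; }` tests the same condition twice; `WARN_ON()` evaluates to its condition, so `if (WARN_ON(!ioc))` followed by `return;` says the same thing in two lines. The same pattern is repeated in ccio_unmap_sg(), sba_unmap_single() and sba_unmap_sg(). Because a device without an IOC would hit this on every unmap call, `WARN_ON_ONCE` may be the better choice to keep the log readable. The `BUG_ON(!dev)` just above the new check is left in place, so a NULL `dev` still panics.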
+@@ -910,6 +916,8 @@ ccio_map_sg(struct device *dev, struct s
+
+ BUG_ON(!dev);
+ ioc = GET_IOC(dev);
++ if (!ioc)
++ return 0;
+
+ DBG_RUN_SG("%s() START %d entries\n", __func__, nents);
+
+@@ -982,6 +990,10 @@ ccio_unmap_sg(struct device *dev, struct
+
+ BUG_ON(!dev);
+ ioc = GET_IOC(dev);
++ if (!ioc) {
++ WARN_ON(!ioc);
++ return;
++ }
+
+ DBG_RUN_SG("%s() START %d entries, %08lx,%x\n",
+ __func__, nents, sg_virt_addr(sglist), sglist->length);
+--- a/drivers/parisc/dino.c
++++ b/drivers/parisc/dino.c
+@@ -154,7 +154,10 @@ struct dino_device
+ };
+
+ /* Looks nice and keeps the compiler happy */
+-#define DINO_DEV(d) ((struct dino_device *) d)
++#define DINO_DEV(d) ({ \
++ void *__pdata = d; \
++ BUG_ON(!__pdata); \
++ (struct dino_device *)__pdata; })
+
+
+ /*
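Review bot: The `BUG_ON` removed from parisc_walk_tree() reappears inside the new `DINO_DEV()` statement-expression macro (and in `LBA_DEV()` in lba_pci.c), so every use of these macros still panics on a NULL pointer, and that is not stated in the comment `Looks nice and keeps the compiler happy` above them. The macro argument is used as `void *__pdata = d;` without parentheses, where the old `LBA_DEV` had `(d)`; `= (d);` costs nothing and keeps the macro safe for any argument expression. A one-line comment such as `/* callers must only pass HBA data of a dino bridge; NULL is a bug */` would document the contract.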
+--- a/drivers/parisc/lba_pci.c
++++ b/drivers/parisc/lba_pci.c
+@@ -111,8 +111,10 @@ static u32 lba_t32;
+
+
+ /* Looks nice and keeps the compiler happy */
+-#define LBA_DEV(d) ((struct lba_device *) (d))
+-
++#define LBA_DEV(d) ({ \
++ void *__pdata = d; \
++ BUG_ON(!__pdata); \
++ (struct lba_device *)__pdata; })
+
+ /*
+ ** Only allow 8 subsidiary busses per LBA
+--- a/drivers/parisc/sba_iommu.c
++++ b/drivers/parisc/sba_iommu.c
+@@ -691,6 +691,8 @@ static int sba_dma_supported( struct dev
+ return 0;
+
+ ioc = GET_IOC(dev);
++ if (!ioc)
++ return 0;
+
+ /*
+ * check if mask is >= than the current max IO Virt Address
+@@ -722,6 +724,8 @@ sba_map_single(struct device *dev, void
+ int pide;
+
+ ioc = GET_IOC(dev);
++ if (!ioc)
++ return DMA_ERROR_CODE;
+
+ /* save offset bits */
+ offset = ((dma_addr_t) (long) addr) & ~IOVP_MASK;
+@@ -803,6 +807,10 @@ sba_unmap_single(struct device *dev, dma
+ DBG_RUN("%s() iovp 0x%lx/%x\n", __func__, (long) iova, size);
+
+ ioc = GET_IOC(dev);
++ if (!ioc) {
++ WARN_ON(!ioc);
++ return;
++ }
+ offset = iova & ~IOVP_MASK;
+ iova ^= offset; /* clear offset bits */
+ size += offset;
+@@ -942,6 +950,8 @@ sba_map_sg(struct device *dev, struct sc
+ DBG_RUN_SG("%s() START %d entries\n", __func__, nents);
+
+ ioc = GET_IOC(dev);
++ if (!ioc)
++ return 0;
+
+ /* Fast path single entry scatterlists. */
+ if (nents == 1) {
+@@ -1028,6 +1038,10 @@ sba_unmap_sg(struct device *dev, struct
+ __func__, nents, sg_virt_addr(sglist), sglist->length);
+
+ ioc = GET_IOC(dev);
++ if (!ioc) {
++ WARN_ON(!ioc);
++ return;
++ }
+
+ #ifdef SBA_COLLECT_STATS
+ ioc->usg_calls++;
--- /dev/null
+From 649aa24254e85bf6bd7807dd372d083707852b1f Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Mon, 29 May 2017 17:14:16 +0200
+Subject: parisc/mm: Ensure IRQs are off in switch_mm()
+
+From: Helge Deller <deller@gmx.de>
+
+commit 649aa24254e85bf6bd7807dd372d083707852b1f upstream.
+
+This is because of commit f98db6013c55 ("sched/core: Add switch_mm_irqs_off()
+and use it in the scheduler") in which switch_mm_irqs_off() is called by the
+scheduler, vs switch_mm() which is used by use_mm().
+
+This patch lets the parisc code mirror the x86 and powerpc code, ie. it
+disables interrupts in switch_mm(), and optimises the scheduler case by
+defining switch_mm_irqs_off().
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/asm/mmu_context.h | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/arch/parisc/include/asm/mmu_context.h
++++ b/arch/parisc/include/asm/mmu_context.h
+@@ -49,15 +49,26 @@ static inline void load_context(mm_conte
+ mtctl(__space_to_prot(context), 8);
+ }
+
+-static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, struct task_struct *tsk)
++static inline void switch_mm_irqs_off(struct mm_struct *prev,
++ struct mm_struct *next, struct task_struct *tsk)
+ {
+-
+ if (prev != next) {
+ mtctl(__pa(next->pgd), 25);
+ load_context(next->context);
+ }
+ }
+
++static inline void switch_mm(struct mm_struct *prev,
++ struct mm_struct *next, struct task_struct *tsk)
++{
++ unsigned long flags;
++
++ local_irq_save(flags);
++ switch_mm_irqs_off(prev, next, tsk);
++ local_irq_restore(flags);
++}
++#define switch_mm_irqs_off switch_mm_irqs_off
++
+ #define deactivate_mm(tsk,mm) do { } while (0)
+
+ static inline void activate_mm(struct mm_struct *prev, struct mm_struct *next)
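Review bot: The `#define switch_mm_irqs_off switch_mm_irqs_off` line sits after switch_mm() with no comment, so its role (presumably telling generic code that the architecture supplies its own variant) has to be guessed. Placing it directly under the switch_mm_irqs_off() definition would keep the two together. switch_mm() itself would benefit from a line such as `/* may be called with IRQs enabled (e.g. use_mm()); the scheduler uses switch_mm_irqs_off() */`, which is the reason given in the commit message for the `local_irq_save()`/`local_irq_restore()` pair.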
--- /dev/null
+From 247462316f85a9e0479445c1a4223950b68ffac1 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sun, 2 Jul 2017 22:00:41 +0200
+Subject: parisc: Report SIGSEGV instead of SIGBUS when running out of stack
+
+From: Helge Deller <deller@gmx.de>
+
+commit 247462316f85a9e0479445c1a4223950b68ffac1 upstream.
+
+When a process runs out of stack the parisc kernel wrongly faults with SIGBUS
+instead of the expected SIGSEGV signal.
+
+This example shows how the kernel faults:
+do_page_fault() command='a.out' type=15 address=0xfaac2000 in libc-2.24.so[f8308000+16c000]
+trap #15: Data TLB miss fault, vm_start = 0xfa2c2000, vm_end = 0xfaac2000
+
+The vma->vm_end value is the first address which does not belong to the vma, so
+adjust the check to include vma->vm_end to the range for which to send the
+SIGSEGV signal.
+
+This patch unbreaks building the debian libsigsegv package.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/mm/fault.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/mm/fault.c
++++ b/arch/parisc/mm/fault.c
+@@ -303,7 +303,7 @@ bad_area:
+ case 15: /* Data TLB miss fault/Data page fault */
+ /* send SIGSEGV when outside of vma */
+ if (!vma ||
+- address < vma->vm_start || address > vma->vm_end) {
++ address < vma->vm_start || address >= vma->vm_end) {
+ si.si_signo = SIGSEGV;
+ si.si_code = SEGV_MAPERR;
+ break;
--- /dev/null
+From b0f94efd5aa8daa8a07d7601714c2573266cd4c9 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 12 Jun 2017 23:18:30 -0700
+Subject: parisc: use compat_sys_keyctl()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit b0f94efd5aa8daa8a07d7601714c2573266cd4c9 upstream.
+
+Architectures with a compat syscall table must put compat_sys_keyctl()
+in it, not sys_keyctl(). The parisc architecture was not doing this;
+fix it.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Acked-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/syscall_table.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/syscall_table.S
++++ b/arch/parisc/kernel/syscall_table.S
+@@ -361,7 +361,7 @@
+ ENTRY_SAME(ni_syscall) /* 263: reserved for vserver */
+ ENTRY_SAME(add_key)
+ ENTRY_SAME(request_key) /* 265 */
+- ENTRY_SAME(keyctl)
++ ENTRY_COMP(keyctl)
+ ENTRY_SAME(ioprio_set)
+ ENTRY_SAME(ioprio_get)
+ ENTRY_SAME(inotify_init)
net-prevent-sign-extension-in-dev_get_stats.patch
ipv6-dad-don-t-remove-dynamic-addresses-if-link-is-down.patch
brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80211_mgmt_tx.patch
+cfg80211-define-nla_policy-for-nl80211_attr_local_mesh_power_mode.patch
+cfg80211-validate-frequencies-nested-in-nl80211_attr_scan_frequencies.patch
+cfg80211-check-if-pmkid-attribute-is-of-expected-size.patch
+irqchip-gic-v3-fix-out-of-bound-access-in-gic_set_affinity.patch
+parisc-report-sigsegv-instead-of-sigbus-when-running-out-of-stack.patch
+parisc-use-compat_sys_keyctl.patch
+parisc-dma-api-return-error-instead-of-bug_on-for-dma-ops-on-non-dma-devs.patch
+parisc-mm-ensure-irqs-are-off-in-switch_mm.patch
+tools-lib-lockdep-reduce-max_lock_depth-to-avoid-overflowing-lock_chain-depth.patch
+kernel-extable.c-mark-core_kernel_text-notrace.patch
+fs-dcache.c-fix-spin-lockup-issue-on-nlru-lock.patch
+checkpatch-silence-perl-5.26.0-unescaped-left-brace-warnings.patch
+exec-limit-arg-stack-to-at-most-75-of-_stk_lim.patch
+vt-fix-unchecked-__put_user-in-tioclinux-ioctls.patch
+mm-fix-overflow-check-in-expand_upwards.patch
--- /dev/null
+From 98dcea0cfd04e083ac74137ceb9a632604740e2d Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 25 May 2017 12:58:33 +0000
+Subject: tools/lib/lockdep: Reduce MAX_LOCK_DEPTH to avoid overflowing lock_chain/: Depth
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit 98dcea0cfd04e083ac74137ceb9a632604740e2d upstream.
+
+liblockdep has been broken since commit 75dd602a5198 ("lockdep: Fix
+lock_chain::base size"), as that adds a check that MAX_LOCK_DEPTH is
+within the range of lock_chain::depth and in liblockdep it is much
+too large.
+
+That should have resulted in a compiler error, but didn't because:
+
+- the check uses ARRAY_SIZE(), which isn't yet defined in liblockdep
+ so is assumed to be an (undeclared) function
+- putting a function call inside a BUILD_BUG_ON() expression quietly
+ turns it into some nonsense involving a variable-length array
+
+It did produce a compiler warning, but I didn't notice because
+liblockdep already produces too many warnings if -Wall is enabled
+(which I'll fix shortly).
+
+Even before that commit, which reduced lock_chain::depth from 8 bits
+to 6, MAX_LOCK_DEPTH was too large.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: a.p.zijlstra@chello.nl
+Link: http://lkml.kernel.org/r/20170525130005.5947-3-alexander.levin@verizon.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/lib/lockdep/uinclude/linux/lockdep.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/lib/lockdep/uinclude/linux/lockdep.h
++++ b/tools/lib/lockdep/uinclude/linux/lockdep.h
+@@ -8,7 +8,7 @@
+ #include <linux/utsname.h>
+
+
+-#define MAX_LOCK_DEPTH 2000UL
++#define MAX_LOCK_DEPTH 255UL
+
+ #define asmlinkage
+ #define __visible
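Review bot: `255UL` is the largest value of an 8-bit field, while the commit message says lock_chain::depth was reduced from 8 bits to 6 by the commit that added the range check. If the tree this patch is applied to already has the 6-bit field, 255 is still out of range, and per the message the check would not catch it because `ARRAY_SIZE()` is undefined in liblockdep; which width applies is not visible here. A comment on the define naming the field it has to fit in, e.g. `/* must fit in lock_chain::depth */`, would keep the two in step.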
--- /dev/null
+From 6987dc8a70976561d22450b5858fc9767788cc1c Mon Sep 17 00:00:00 2001
+From: Adam Borowski <kilobyte@angband.pl>
+Date: Sat, 3 Jun 2017 09:35:06 +0200
+Subject: vt: fix unchecked __put_user() in tioclinux ioctls
+
+From: Adam Borowski <kilobyte@angband.pl>
+
+commit 6987dc8a70976561d22450b5858fc9767788cc1c upstream.
+
+Only read access is checked before this call.
+
+Actually, at the moment this is not an issue, as every in-tree arch does
+the same manual checks for VERIFY_READ vs VERIFY_WRITE, relying on the MMU
+to tell them apart, but this wasn't the case in the past and may happen
+again on some odd arch in the future.
+
+If anyone cares about 3.7 and earlier, this is a security hole (untested)
+on real 80386 CPUs.
+
+Signed-off-by: Adam Borowski <kilobyte@angband.pl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/vt.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -2687,13 +2687,13 @@ int tioclinux(struct tty_struct *tty, un
+ * related to the kernel should not use this.
+ */
+ data = vt_get_shift_state();
+- ret = __put_user(data, p);
++ ret = put_user(data, p);
+ break;
+ case TIOCL_GETMOUSEREPORTING:
+ console_lock(); /* May be overkill */
+ data = mouse_reporting();
+ console_unlock();
+- ret = __put_user(data, p);
++ ret = put_user(data, p);
+ break;
+ case TIOCL_SETVESABLANK:
+ console_lock();
+@@ -2702,7 +2702,7 @@ int tioclinux(struct tty_struct *tty, un
+ break;
+ case TIOCL_GETKMSGREDIRECT:
+ data = vt_get_kmsg_redirect();
+- ret = __put_user(data, p);
++ ret = put_user(data, p);
+ break;
+ case TIOCL_SETKMSGREDIRECT:
+ if (!capable(CAP_SYS_ADMIN)) {