--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:12 PM CET
+From: Kristina Martsenko <kristina.martsenko@arm.com>
+Date: Wed, 13 Dec 2017 17:07:20 +0000
+Subject: arm64: don't open code page table entry creation
+
+From: Kristina Martsenko <kristina.martsenko@arm.com>
+
+commit 193383043f14a398393dc18bae8380f7fe665ec3 upstream.
+
+Instead of open coding the generation of page table entries, use the
+macros/functions that exist for this - pfn_p*d and p*d_populate. Most
+code in the kernel already uses these macros, this patch tries to fix
+up the few places that don't. This is useful for the next patch in this
+series, which needs to change the page table entry logic, and it's
+better to have that logic in one place.
+
+The KVM extended ID map is special, since we're creating a level above
+CONFIG_PGTABLE_LEVELS and the required function isn't available. Leave
+it as is and add a comment to explain it. (The normal kernel ID map code
+doesn't need this change because its page tables are created in assembly
+(__create_page_tables)).
+
+Tested-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Tested-by: Bob Picco <bob.picco@oracle.com>
+Reviewed-by: Bob Picco <bob.picco@oracle.com>
+Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/kvm_mmu.h | 5 +++++
+ arch/arm64/include/asm/pgtable.h | 1 +
+ arch/arm64/kernel/hibernate.c | 3 +--
+ arch/arm64/mm/mmu.c | 14 +++++++++-----
+ 4 files changed, 16 insertions(+), 7 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_mmu.h
++++ b/arch/arm64/include/asm/kvm_mmu.h
+@@ -296,6 +296,11 @@ static inline bool __kvm_cpu_uses_extend
+ return __cpu_uses_extended_idmap();
+ }
+
++/*
++ * Can't use pgd_populate here, because the extended idmap adds an extra level
++ * above CONFIG_PGTABLE_LEVELS (which is 2 or 3 if we're using the extended
++ * idmap), and pgd_populate is only available if CONFIG_PGTABLE_LEVELS = 4.
++ */
+ static inline void __kvm_extend_hypmap(pgd_t *boot_hyp_pgd,
+ pgd_t *hyp_pgd,
+ pgd_t *merged_hyp_pgd,
+--- a/arch/arm64/include/asm/pgtable.h
++++ b/arch/arm64/include/asm/pgtable.h
+@@ -343,6 +343,7 @@ static inline int pmd_protnone(pmd_t pmd
+
+ #define pud_write(pud) pte_write(pud_pte(pud))
+ #define pud_pfn(pud) (((pud_val(pud) & PUD_MASK) & PHYS_MASK) >> PAGE_SHIFT)
++#define pfn_pud(pfn,prot) (__pud(((phys_addr_t)(pfn) << PAGE_SHIFT) | pgprot_val(prot)))
+
+ #define set_pmd_at(mm, addr, pmdp, pmd) set_pte_at(mm, addr, (pte_t *)pmdp, pmd_pte(pmd))
+
+--- a/arch/arm64/kernel/hibernate.c
++++ b/arch/arm64/kernel/hibernate.c
+@@ -246,8 +246,7 @@ static int create_safe_exec_page(void *s
+ }
+
+ pte = pte_offset_kernel(pmd, dst_addr);
+- set_pte(pte, __pte(virt_to_phys((void *)dst) |
+- pgprot_val(PAGE_KERNEL_EXEC)));
++ set_pte(pte, pfn_pte(virt_to_pfn(dst), PAGE_KERNEL_EXEC));
+
+ /*
+ * Load our new page tables. A strict BBM approach requires that we
+--- a/arch/arm64/mm/mmu.c
++++ b/arch/arm64/mm/mmu.c
+@@ -605,8 +605,8 @@ static void __init map_kernel(pgd_t *pgd
+ * entry instead.
+ */
+ BUG_ON(!IS_ENABLED(CONFIG_ARM64_16K_PAGES));
+- set_pud(pud_set_fixmap_offset(pgd, FIXADDR_START),
+- __pud(__pa_symbol(bm_pmd) | PUD_TYPE_TABLE));
++ pud_populate(&init_mm, pud_set_fixmap_offset(pgd, FIXADDR_START),
++ lm_alias(bm_pmd));
+ pud_clear_fixmap();
+ } else {
+ BUG();
+@@ -721,7 +721,7 @@ int __meminit vmemmap_populate(unsigned
+ if (!p)
+ return -ENOMEM;
+
+- set_pmd(pmd, __pmd(__pa(p) | PROT_SECT_NORMAL));
++ pmd_set_huge(pmd, __pa(p), __pgprot(PROT_SECT_NORMAL));
+ } else
+ vmemmap_verify((pte_t *)pmd, node, addr, next);
+ } while (addr = next, addr != end);
+@@ -915,15 +915,19 @@ int __init arch_ioremap_pmd_supported(vo
+
+ int pud_set_huge(pud_t *pud, phys_addr_t phys, pgprot_t prot)
+ {
++ pgprot_t sect_prot = __pgprot(PUD_TYPE_SECT |
++ pgprot_val(mk_sect_prot(prot)));
+ BUG_ON(phys & ~PUD_MASK);
+- set_pud(pud, __pud(phys | PUD_TYPE_SECT | pgprot_val(mk_sect_prot(prot))));
++ set_pud(pud, pfn_pud(__phys_to_pfn(phys), sect_prot));
+ return 1;
+ }
+
+ int pmd_set_huge(pmd_t *pmd, phys_addr_t phys, pgprot_t prot)
+ {
++ pgprot_t sect_prot = __pgprot(PMD_TYPE_SECT |
++ pgprot_val(mk_sect_prot(prot)));
+ BUG_ON(phys & ~PMD_MASK);
+- set_pmd(pmd, __pmd(phys | PMD_TYPE_SECT | pgprot_val(mk_sect_prot(prot))));
++ set_pmd(pmd, pfn_pmd(__phys_to_pfn(phys), sect_prot));
+ return 1;
+ }
+
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:12 PM CET
+From: Will Deacon <will.deacon@arm.com>
+Date: Wed, 21 Feb 2018 12:59:27 +0000
+Subject: arm64: Enforce BBM for huge IO/VMAP mappings
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 15122ee2c515a253b0c66a3e618bc7ebe35105eb upstream.
+
+ioremap_page_range doesn't honour break-before-make and attempts to put
+down huge mappings (using p*d_set_huge) over the top of pre-existing
+table entries. This leads to us leaking page table memory and also gives
+rise to TLB conflicts and spurious aborts, which have been seen in
+practice on Cortex-A75.
+
+Until this has been resolved, refuse to put block mappings when the
+existing entry is found to be present.
+
+Fixes: 324420bf91f60 ("arm64: add support for ioremap() block mappings")
+Reported-by: Hanjun Guo <hanjun.guo@linaro.org>
+Reported-by: Lei Li <lious.lilei@hisilicon.com>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/mmu.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/arm64/mm/mmu.c
++++ b/arch/arm64/mm/mmu.c
+@@ -917,6 +917,11 @@ int pud_set_huge(pud_t *pudp, phys_addr_
+ {
+ pgprot_t sect_prot = __pgprot(PUD_TYPE_SECT |
+ pgprot_val(mk_sect_prot(prot)));
++
++ /* ioremap_page_range doesn't honour BBM */
++ if (pud_present(READ_ONCE(*pudp)))
++ return 0;
++
+ BUG_ON(phys & ~PUD_MASK);
+ set_pud(pudp, pfn_pud(__phys_to_pfn(phys), sect_prot));
+ return 1;
+@@ -926,6 +931,11 @@ int pmd_set_huge(pmd_t *pmdp, phys_addr_
+ {
+ pgprot_t sect_prot = __pgprot(PMD_TYPE_SECT |
+ pgprot_val(mk_sect_prot(prot)));
++
++ /* ioremap_page_range doesn't honour BBM */
++ if (pmd_present(READ_ONCE(*pmdp)))
++ return 0;
++
+ BUG_ON(phys & ~PMD_MASK);
+ set_pmd(pmdp, pfn_pmd(__phys_to_pfn(phys), sect_prot));
+ return 1;
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:12 PM CET
+From: Laura Abbott <labbott@redhat.com>
+Date: Wed, 23 May 2018 11:43:46 -0700
+Subject: arm64: Make sure permission updates happen for pmd/pud
+
+From: Laura Abbott <labbott@redhat.com>
+
+commit 82034c23fcbc2389c73d97737f61fa2dd6526413 upstream.
+
+Commit 15122ee2c515 ("arm64: Enforce BBM for huge IO/VMAP mappings")
+disallowed block mappings for ioremap since that code does not honor
+break-before-make. The same APIs are also used for permission updating
+though and the extra checks prevent the permission updates from happening,
+even though this should be permitted. This results in read-only permissions
+not being fully applied. Visibly, this can occasionaly be seen as a failure
+on the built in rodata test when the test data ends up in a section or
+as an odd RW gap on the page table dump. Fix this by using
+pgattr_change_is_safe instead of p*d_present for determining if the
+change is permitted.
+
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Tested-by: Peter Robinson <pbrobinson@gmail.com>
+Reported-by: Peter Robinson <pbrobinson@gmail.com>
+Fixes: 15122ee2c515 ("arm64: Enforce BBM for huge IO/VMAP mappings")
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/mmu.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/arch/arm64/mm/mmu.c
++++ b/arch/arm64/mm/mmu.c
+@@ -917,13 +917,15 @@ int pud_set_huge(pud_t *pudp, phys_addr_
+ {
+ pgprot_t sect_prot = __pgprot(PUD_TYPE_SECT |
+ pgprot_val(mk_sect_prot(prot)));
++ pud_t new_pud = pfn_pud(__phys_to_pfn(phys), sect_prot);
+
+- /* ioremap_page_range doesn't honour BBM */
+- if (pud_present(READ_ONCE(*pudp)))
++ /* Only allow permission changes for now */
++ if (!pgattr_change_is_safe(READ_ONCE(pud_val(*pudp)),
++ pud_val(new_pud)))
+ return 0;
+
+ BUG_ON(phys & ~PUD_MASK);
+- set_pud(pudp, pfn_pud(__phys_to_pfn(phys), sect_prot));
++ set_pud(pudp, new_pud);
+ return 1;
+ }
+
+@@ -931,13 +933,15 @@ int pmd_set_huge(pmd_t *pmdp, phys_addr_
+ {
+ pgprot_t sect_prot = __pgprot(PMD_TYPE_SECT |
+ pgprot_val(mk_sect_prot(prot)));
++ pmd_t new_pmd = pfn_pmd(__phys_to_pfn(phys), sect_prot);
+
+- /* ioremap_page_range doesn't honour BBM */
+- if (pmd_present(READ_ONCE(*pmdp)))
++ /* Only allow permission changes for now */
++ if (!pgattr_change_is_safe(READ_ONCE(pmd_val(*pmdp)),
++ pmd_val(new_pmd)))
+ return 0;
+
+ BUG_ON(phys & ~PMD_MASK);
+- set_pmd(pmdp, pfn_pmd(__phys_to_pfn(phys), sect_prot));
++ set_pmd(pmdp, new_pmd);
+ return 1;
+ }
+
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:12 PM CET
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Tue, 14 Jan 2020 15:44:11 +0000
+Subject: arm64: mm: Change page table pointer name in p[md]_set_huge()
+
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+
+This is preparation for the following backported fixes. It was done
+upstream as part of commit 20a004e7b017 "arm64: mm: Use
+READ_ONCE/WRITE_ONCE when accessing page tables", the rest of which
+does not seem suitable for stable.
+
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/mmu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/mm/mmu.c
++++ b/arch/arm64/mm/mmu.c
+@@ -913,21 +913,21 @@ int __init arch_ioremap_pmd_supported(vo
+ return !IS_ENABLED(CONFIG_ARM64_PTDUMP_DEBUGFS);
+ }
+
+-int pud_set_huge(pud_t *pud, phys_addr_t phys, pgprot_t prot)
++int pud_set_huge(pud_t *pudp, phys_addr_t phys, pgprot_t prot)
+ {
+ pgprot_t sect_prot = __pgprot(PUD_TYPE_SECT |
+ pgprot_val(mk_sect_prot(prot)));
+ BUG_ON(phys & ~PUD_MASK);
+- set_pud(pud, pfn_pud(__phys_to_pfn(phys), sect_prot));
++ set_pud(pudp, pfn_pud(__phys_to_pfn(phys), sect_prot));
+ return 1;
+ }
+
+-int pmd_set_huge(pmd_t *pmd, phys_addr_t phys, pgprot_t prot)
++int pmd_set_huge(pmd_t *pmdp, phys_addr_t phys, pgprot_t prot)
+ {
+ pgprot_t sect_prot = __pgprot(PMD_TYPE_SECT |
+ pgprot_val(mk_sect_prot(prot)));
+ BUG_ON(phys & ~PMD_MASK);
+- set_pmd(pmd, pfn_pmd(__phys_to_pfn(phys), sect_prot));
++ set_pmd(pmdp, pfn_pmd(__phys_to_pfn(phys), sect_prot));
+ return 1;
+ }
+
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:12 PM CET
+From: Dedy Lansky <dlansky@codeaurora.org>
+Date: Sun, 29 Jul 2018 14:59:16 +0300
+Subject: cfg80211/mac80211: make ieee80211_send_layer2_update a public function
+
+From: Dedy Lansky <dlansky@codeaurora.org>
+
+commit 30ca1aa536211f5ac3de0173513a7a99a98a97f3 upstream.
+
+Make ieee80211_send_layer2_update() a common function so other drivers
+can re-use it.
+
+Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+[bwh: Backported to 4.14 as dependency of commit 3e493173b784
+ "mac80211: Do not send Layer 2 Update frame before authorization"]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/cfg80211.h | 11 +++++++++++
+ net/mac80211/cfg.c | 48 ++----------------------------------------------
+ net/wireless/util.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 58 insertions(+), 46 deletions(-)
+
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -4480,6 +4480,17 @@ const u8 *cfg80211_find_vendor_ie(unsign
+ const u8 *ies, int len);
+
+ /**
++ * cfg80211_send_layer2_update - send layer 2 update frame
++ *
++ * @dev: network device
++ * @addr: STA MAC address
++ *
++ * Wireless drivers can use this function to update forwarding tables in bridge
++ * devices upon STA association.
++ */
++void cfg80211_send_layer2_update(struct net_device *dev, const u8 *addr);
++
++/**
+ * DOC: Regulatory enforcement infrastructure
+ *
+ * TODO
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1089,50 +1089,6 @@ static int ieee80211_stop_ap(struct wiph
+ return 0;
+ }
+
+-/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */
+-struct iapp_layer2_update {
+- u8 da[ETH_ALEN]; /* broadcast */
+- u8 sa[ETH_ALEN]; /* STA addr */
+- __be16 len; /* 6 */
+- u8 dsap; /* 0 */
+- u8 ssap; /* 0 */
+- u8 control;
+- u8 xid_info[3];
+-} __packed;
+-
+-static void ieee80211_send_layer2_update(struct sta_info *sta)
+-{
+- struct iapp_layer2_update *msg;
+- struct sk_buff *skb;
+-
+- /* Send Level 2 Update Frame to update forwarding tables in layer 2
+- * bridge devices */
+-
+- skb = dev_alloc_skb(sizeof(*msg));
+- if (!skb)
+- return;
+- msg = skb_put(skb, sizeof(*msg));
+-
+- /* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID)
+- * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */
+-
+- eth_broadcast_addr(msg->da);
+- memcpy(msg->sa, sta->sta.addr, ETH_ALEN);
+- msg->len = htons(6);
+- msg->dsap = 0;
+- msg->ssap = 0x01; /* NULL LSAP, CR Bit: Response */
+- msg->control = 0xaf; /* XID response lsb.1111F101.
+- * F=0 (no poll command; unsolicited frame) */
+- msg->xid_info[0] = 0x81; /* XID format identifier */
+- msg->xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */
+- msg->xid_info[2] = 0; /* XID sender's receive window size (RW) */
+-
+- skb->dev = sta->sdata->dev;
+- skb->protocol = eth_type_trans(skb, sta->sdata->dev);
+- memset(skb->cb, 0, sizeof(skb->cb));
+- netif_rx_ni(skb);
+-}
+-
+ static int sta_apply_auth_flags(struct ieee80211_local *local,
+ struct sta_info *sta,
+ u32 mask, u32 set)
+@@ -1496,7 +1452,7 @@ static int ieee80211_add_station(struct
+ }
+
+ if (layer2_update)
+- ieee80211_send_layer2_update(sta);
++ cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
+
+ rcu_read_unlock();
+
+@@ -1598,7 +1554,7 @@ static int ieee80211_change_station(stru
+ if (test_sta_flag(sta, WLAN_STA_AUTHORIZED))
+ ieee80211_vif_inc_num_mcast(sta->sdata);
+
+- ieee80211_send_layer2_update(sta);
++ cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
+ }
+
+ err = sta_apply_parameters(local, sta, params);
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -1873,3 +1873,48 @@ EXPORT_SYMBOL(rfc1042_header);
+ const unsigned char bridge_tunnel_header[] __aligned(2) =
+ { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0xf8 };
+ EXPORT_SYMBOL(bridge_tunnel_header);
++
++/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */
++struct iapp_layer2_update {
++ u8 da[ETH_ALEN]; /* broadcast */
++ u8 sa[ETH_ALEN]; /* STA addr */
++ __be16 len; /* 6 */
++ u8 dsap; /* 0 */
++ u8 ssap; /* 0 */
++ u8 control;
++ u8 xid_info[3];
++} __packed;
++
++void cfg80211_send_layer2_update(struct net_device *dev, const u8 *addr)
++{
++ struct iapp_layer2_update *msg;
++ struct sk_buff *skb;
++
++ /* Send Level 2 Update Frame to update forwarding tables in layer 2
++ * bridge devices */
++
++ skb = dev_alloc_skb(sizeof(*msg));
++ if (!skb)
++ return;
++ msg = skb_put(skb, sizeof(*msg));
++
++ /* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID)
++ * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */
++
++ eth_broadcast_addr(msg->da);
++ ether_addr_copy(msg->sa, addr);
++ msg->len = htons(6);
++ msg->dsap = 0;
++ msg->ssap = 0x01; /* NULL LSAP, CR Bit: Response */
++ msg->control = 0xaf; /* XID response lsb.1111F101.
++ * F=0 (no poll command; unsolicited frame) */
++ msg->xid_info[0] = 0x81; /* XID format identifier */
++ msg->xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */
++ msg->xid_info[2] = 0; /* XID sender's receive window size (RW) */
++
++ skb->dev = dev;
++ skb->protocol = eth_type_trans(skb, dev);
++ memset(skb->cb, 0, sizeof(skb->cb));
++ netif_rx_ni(skb);
++}
++EXPORT_SYMBOL(cfg80211_send_layer2_update);
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:12 PM CET
+From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Date: Sat, 6 Apr 2019 15:30:38 +0800
+Subject: cifs: Fix lease buffer length error
+
+From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+
+commit b57a55e2200ede754e4dc9cce4ba9402544b9365 upstream.
+
+There is a KASAN slab-out-of-bounds:
+BUG: KASAN: slab-out-of-bounds in _copy_from_iter_full+0x783/0xaa0
+Read of size 80 at addr ffff88810c35e180 by task mount.cifs/539
+
+CPU: 1 PID: 539 Comm: mount.cifs Not tainted 4.19 #10
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+ rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ dump_stack+0xdd/0x12a
+ print_address_description+0xa7/0x540
+ kasan_report+0x1ff/0x550
+ check_memory_region+0x2f1/0x310
+ memcpy+0x2f/0x80
+ _copy_from_iter_full+0x783/0xaa0
+ tcp_sendmsg_locked+0x1840/0x4140
+ tcp_sendmsg+0x37/0x60
+ inet_sendmsg+0x18c/0x490
+ sock_sendmsg+0xae/0x130
+ smb_send_kvec+0x29c/0x520
+ __smb_send_rqst+0x3ef/0xc60
+ smb_send_rqst+0x25a/0x2e0
+ compound_send_recv+0x9e8/0x2af0
+ cifs_send_recv+0x24/0x30
+ SMB2_open+0x35e/0x1620
+ open_shroot+0x27b/0x490
+ smb2_open_op_close+0x4e1/0x590
+ smb2_query_path_info+0x2ac/0x650
+ cifs_get_inode_info+0x1058/0x28f0
+ cifs_root_iget+0x3bb/0xf80
+ cifs_smb3_do_mount+0xe00/0x14c0
+ cifs_do_mount+0x15/0x20
+ mount_fs+0x5e/0x290
+ vfs_kern_mount+0x88/0x460
+ do_mount+0x398/0x31e0
+ ksys_mount+0xc6/0x150
+ __x64_sys_mount+0xea/0x190
+ do_syscall_64+0x122/0x590
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+It can be reproduced by the following step:
+ 1. samba configured with: server max protocol = SMB2_10
+ 2. mount -o vers=default
+
+When parse the mount version parameter, the 'ops' and 'vals'
+was setted to smb30, if negotiate result is smb21, just
+update the 'ops' to smb21, but the 'vals' is still smb30.
+When add lease context, the iov_base is allocated with smb21
+ops, but the iov_len is initiallited with the smb30. Because
+the iov_len is longer than iov_base, when send the message,
+copy array out of bounds.
+
+we need to keep the 'ops' and 'vals' consistent.
+
+Fixes: 9764c02fcbad ("SMB3: Add support for multidialect negotiate (SMB2.1 and later)")
+Fixes: d5c7076b772a ("smb3: add smb3.1.1 to default dialect list")
+
+Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+[bwh: Backported to 4.14: We never switch to SMB3.1.1 here]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2pdu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -575,6 +575,7 @@ SMB2_negotiate(const unsigned int xid, s
+ } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
+ /* ops set to 3.0 by default for default so update */
+ ses->server->ops = &smb21_operations;
++ ses->server->vals = &smb21_values;
+ }
+ } else if (le16_to_cpu(rsp->DialectRevision) !=
+ ses->server->vals->protocol_id) {
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:12 PM CET
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Mon, 1 Apr 2019 09:35:54 +0800
+Subject: dccp: Fix memleak in __feat_register_sp
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit 1d3ff0950e2b40dc861b1739029649d03f591820 upstream.
+
+If dccp_feat_push_change fails, we forget free the mem
+which is alloced by kmemdup in dccp_feat_clone_sp_val.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: e8ef967a54f4 ("dccp: Registration routines for changing feature values")
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/feat.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/dccp/feat.c
++++ b/net/dccp/feat.c
+@@ -738,7 +738,12 @@ static int __feat_register_sp(struct lis
+ if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len))
+ return -ENOMEM;
+
+- return dccp_feat_push_change(fn, feat, is_local, mandatory, &fval);
++ if (dccp_feat_push_change(fn, feat, is_local, mandatory, &fval)) {
++ kfree(fval.sp.vec);
++ return -ENOMEM;
++ }
++
++ return 0;
+ }
+
+ /**
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:12 PM CET
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Thu, 12 Sep 2019 23:23:27 -0500
+Subject: iwlwifi: dbg_ini: fix memory leak in alloc_sgtable
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit b4b814fec1a5a849383f7b3886b654a13abbda7d upstream.
+
+In alloc_sgtable if alloc_page fails, the alocated table should be
+released.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+@@ -532,6 +532,7 @@ static struct scatterlist *alloc_sgtable
+ if (new_page)
+ __free_page(new_page);
+ }
++ kfree(table);
+ return NULL;
+ }
+ alloc_size = min_t(int, size, PAGE_SIZE);
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:12 PM CET
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 11 Sep 2019 16:03:05 +0300
+Subject: mac80211: Do not send Layer 2 Update frame before authorization
+
+From: Jouni Malinen <jouni@codeaurora.org>
+
+commit 3e493173b7841259a08c5c8e5cbe90adb349da7e upstream.
+
+The Layer 2 Update frame is used to update bridges when a station roams
+to another AP even if that STA does not transmit any frames after the
+reassociation. This behavior was described in IEEE Std 802.11F-2003 as
+something that would happen based on MLME-ASSOCIATE.indication, i.e.,
+before completing 4-way handshake. However, this IEEE trial-use
+recommended practice document was published before RSN (IEEE Std
+802.11i-2004) and as such, did not consider RSN use cases. Furthermore,
+IEEE Std 802.11F-2003 was withdrawn in 2006 and as such, has not been
+maintained amd should not be used anymore.
+
+Sending out the Layer 2 Update frame immediately after association is
+fine for open networks (and also when using SAE, FT protocol, or FILS
+authentication when the station is actually authenticated by the time
+association completes). However, it is not appropriate for cases where
+RSN is used with PSK or EAP authentication since the station is actually
+fully authenticated only once the 4-way handshake completes after
+authentication and attackers might be able to use the unauthenticated
+triggering of Layer 2 Update frame transmission to disrupt bridge
+behavior.
+
+Fix this by postponing transmission of the Layer 2 Update frame from
+station entry addition to the point when the station entry is marked
+authorized. Similarly, send out the VLAN binding update only if the STA
+entry has already been authorized.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c | 14 ++++----------
+ net/mac80211/sta_info.c | 4 ++++
+ 2 files changed, 8 insertions(+), 10 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1398,7 +1398,6 @@ static int ieee80211_add_station(struct
+ struct sta_info *sta;
+ struct ieee80211_sub_if_data *sdata;
+ int err;
+- int layer2_update;
+
+ if (params->vlan) {
+ sdata = IEEE80211_DEV_TO_SUB_IF(params->vlan);
+@@ -1442,18 +1441,12 @@ static int ieee80211_add_station(struct
+ test_sta_flag(sta, WLAN_STA_ASSOC))
+ rate_control_rate_init(sta);
+
+- layer2_update = sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
+- sdata->vif.type == NL80211_IFTYPE_AP;
+-
+ err = sta_info_insert_rcu(sta);
+ if (err) {
+ rcu_read_unlock();
+ return err;
+ }
+
+- if (layer2_update)
+- cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
+-
+ rcu_read_unlock();
+
+ return 0;
+@@ -1551,10 +1544,11 @@ static int ieee80211_change_station(stru
+ sta->sdata = vlansdata;
+ ieee80211_check_fast_xmit(sta);
+
+- if (test_sta_flag(sta, WLAN_STA_AUTHORIZED))
++ if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
+ ieee80211_vif_inc_num_mcast(sta->sdata);
+-
+- cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
++ cfg80211_send_layer2_update(sta->sdata->dev,
++ sta->sta.addr);
++ }
+ }
+
+ err = sta_apply_parameters(local, sta, params);
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -1899,6 +1899,10 @@ int sta_info_move_state(struct sta_info
+ ieee80211_check_fast_xmit(sta);
+ ieee80211_check_fast_rx(sta);
+ }
++ if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
++ sta->sdata->vif.type == NL80211_IFTYPE_AP)
++ cfg80211_send_layer2_update(sta->sdata->dev,
++ sta->sta.addr);
+ break;
+ default:
+ break;
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:12 PM CET
+From: Vandana BN <bnvandana@gmail.com>
+Date: Wed, 22 May 2019 04:34:15 -0400
+Subject: media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap
+
+From: Vandana BN <bnvandana@gmail.com>
+
+commit 5d2e73a5f80a5b5aff3caf1ec6d39b5b3f54b26e upstream.
+
+SyzKaller hit the null pointer deref while reading from uninitialized
+udev->product in zr364xx_vidioc_querycap().
+
+==================================================================
+BUG: KASAN: null-ptr-deref in read_word_at_a_time+0xe/0x20
+include/linux/compiler.h:274
+Read of size 1 at addr 0000000000000000 by task v4l_id/5287
+
+CPU: 1 PID: 5287 Comm: v4l_id Not tainted 5.1.0-rc3-319004-g43151d6 #6
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xe8/0x16e lib/dump_stack.c:113
+ kasan_report.cold+0x5/0x3c mm/kasan/report.c:321
+ read_word_at_a_time+0xe/0x20 include/linux/compiler.h:274
+ strscpy+0x8a/0x280 lib/string.c:207
+ zr364xx_vidioc_querycap+0xb5/0x210 drivers/media/usb/zr364xx/zr364xx.c:706
+ v4l_querycap+0x12b/0x340 drivers/media/v4l2-core/v4l2-ioctl.c:1062
+ __video_do_ioctl+0x5bb/0xb40 drivers/media/v4l2-core/v4l2-ioctl.c:2874
+ video_usercopy+0x44e/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3056
+ v4l2_ioctl+0x14e/0x1a0 drivers/media/v4l2-core/v4l2-dev.c:364
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:509 [inline]
+ do_vfs_ioctl+0xced/0x12f0 fs/ioctl.c:696
+ ksys_ioctl+0xa0/0xc0 fs/ioctl.c:713
+ __do_sys_ioctl fs/ioctl.c:720 [inline]
+ __se_sys_ioctl fs/ioctl.c:718 [inline]
+ __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:718
+ do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x7f3b56d8b347
+Code: 90 90 90 48 8b 05 f1 fa 2a 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff
+ff c3 90 90 90 90 90 90 90 90 90 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff
+ff 73 01 c3 48 8b 0d c1 fa 2a 00 31 d2 48 29 c2 64
+RSP: 002b:00007ffe005d5d68 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3b56d8b347
+RDX: 00007ffe005d5d70 RSI: 0000000080685600 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400884
+R13: 00007ffe005d5ec0 R14: 0000000000000000 R15: 0000000000000000
+==================================================================
+
+For this device udev->product is not initialized and accessing it causes a NULL pointer deref.
+
+The fix is to check for NULL before strscpy() and copy empty string, if
+product is NULL
+
+Reported-by: syzbot+66010012fd4c531a1a96@syzkaller.appspotmail.com
+Signed-off-by: Vandana BN <bnvandana@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+[bwh: Backported to 4.14: This function uses strlcpy() instead of strscpy()]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/zr364xx/zr364xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/zr364xx/zr364xx.c
++++ b/drivers/media/usb/zr364xx/zr364xx.c
+@@ -706,7 +706,8 @@ static int zr364xx_vidioc_querycap(struc
+ struct zr364xx_camera *cam = video_drvdata(file);
+
+ strlcpy(cap->driver, DRIVER_DESC, sizeof(cap->driver));
+- strlcpy(cap->card, cam->udev->product, sizeof(cap->card));
++ if (cam->udev->product)
++ strlcpy(cap->card, cam->udev->product, sizeof(cap->card));
+ strlcpy(cap->bus_info, dev_name(&cam->udev->dev),
+ sizeof(cap->bus_info));
+ cap->device_caps = V4L2_CAP_VIDEO_CAPTURE |
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:12 PM CET
+From: Sanjay Konduri <sanjay.konduri@redpinesignals.com>
+Date: Tue, 15 May 2018 14:34:30 +0530
+Subject: rsi: add fix for crash during assertions
+
+From: Sanjay Konduri <sanjay.konduri@redpinesignals.com>
+
+commit abd39c6ded9db53aa44c2540092bdd5fb6590fa8 upstream.
+
+Observed crash in some scenarios when assertion has occurred,
+this is because hw structure is freed and is tried to get
+accessed in some functions where null check is already
+present. So, avoided the crash by making the hw to NULL after
+freeing.
+
+Signed-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>
+Signed-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/rsi/rsi_91x_mac80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c
++++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c
+@@ -218,6 +218,7 @@ void rsi_mac80211_detach(struct rsi_hw *
+ ieee80211_stop_queues(hw);
+ ieee80211_unregister_hw(hw);
+ ieee80211_free_hw(hw);
++ adapter->hw = NULL;
+ }
+
+ for (band = 0; band < NUM_NL80211_BANDS; band++) {
hid-hidraw-uhid-always-report-epollout.patch
ethtool-reduce-stack-usage-with-clang.patch
fs-select-avoid-clang-stack-usage-warning.patch
+rsi-add-fix-for-crash-during-assertions.patch
+arm64-don-t-open-code-page-table-entry-creation.patch
+arm64-mm-change-page-table-pointer-name-in-p_set_huge.patch
+arm64-enforce-bbm-for-huge-io-vmap-mappings.patch
+arm64-make-sure-permission-updates-happen-for-pmd-pud.patch
+cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch
+mac80211-do-not-send-layer-2-update-frame-before-authorization.patch
+media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch
+cifs-fix-lease-buffer-length-error.patch
+wimax-i2400-fix-memory-leak.patch
+wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch
+iwlwifi-dbg_ini-fix-memory-leak-in-alloc_sgtable.patch
+dccp-fix-memleak-in-__feat_register_sp.patch
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:12 PM CET
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Fri, 25 Oct 2019 23:53:30 -0500
+Subject: wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit 6f3ef5c25cc762687a7341c18cbea5af54461407 upstream.
+
+In the implementation of i2400m_op_rfkill_sw_toggle() the allocated
+buffer for cmd should be released before returning. The
+documentation for i2400m_msg_to_dev() says when it returns the buffer
+can be reused. Meaning cmd should be released in either case. Move
+kfree(cmd) before return to be reached by all execution paths.
+
+Fixes: 2507e6ab7a9a ("wimax: i2400: fix memory leak")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wimax/i2400m/op-rfkill.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wimax/i2400m/op-rfkill.c
++++ b/drivers/net/wimax/i2400m/op-rfkill.c
+@@ -142,12 +142,12 @@ int i2400m_op_rfkill_sw_toggle(struct wi
+ "%d\n", result);
+ result = 0;
+ error_cmd:
+- kfree(cmd);
+ kfree_skb(ack_skb);
+ error_msg_to_dev:
+ error_alloc:
+ d_fnend(4, dev, "(wimax_dev %p state %d) = %d\n",
+ wimax_dev, state, result);
++ kfree(cmd);
+ return result;
+ }
+
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:12 PM CET
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Tue, 10 Sep 2019 18:01:40 -0500
+Subject: wimax: i2400: fix memory leak
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit 2507e6ab7a9a440773be476141a255934468c5ef upstream.
+
+In i2400m_op_rfkill_sw_toggle cmd buffer should be released along with
+skb response.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wimax/i2400m/op-rfkill.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wimax/i2400m/op-rfkill.c
++++ b/drivers/net/wimax/i2400m/op-rfkill.c
+@@ -142,6 +142,7 @@ int i2400m_op_rfkill_sw_toggle(struct wi
+ "%d\n", result);
+ result = 0;
+ error_cmd:
++ kfree(cmd);
+ kfree_skb(ack_skb);
+ error_msg_to_dev:
+ error_alloc:
projects / thirdparty / kernel / stable-queue.git / commitdiff
