--- /dev/null
+From 4e7655fd4f47c23e5249ea260dc802f909a64611 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 9 Apr 2017 10:41:27 +0200
+Subject: ALSA: seq: Don't break snd_use_lock_sync() loop by timeout
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 4e7655fd4f47c23e5249ea260dc802f909a64611 upstream.
+
+The snd_use_lock_sync() (thus its implementation
+snd_use_lock_sync_helper()) has the 5 seconds timeout to break out of
+the sync loop. It was introduced from the beginning, just to be
+"safer", in terms of avoiding the stupid bugs.
+
+However, as Ben Hutchings suggested, this timeout rather introduces a
+potential leak or use-after-free that was apparently fixed by the
+commit 2d7d54002e39 ("ALSA: seq: Fix race during FIFO resize"):
+for example, snd_seq_fifo_event_in() -> snd_seq_event_dup() ->
+copy_from_user() could block for a long time, and snd_use_lock_sync()
+goes timeout and still leaves the cell at releasing the pool.
+
+For fixing such a problem, we remove the break by the timeout while
+still keeping the warning.
+
+Suggested-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_lock.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/sound/core/seq/seq_lock.c
++++ b/sound/core/seq/seq_lock.c
+@@ -28,19 +28,16 @@
+ /* wait until all locks are released */
+ void snd_use_lock_sync_helper(snd_use_lock_t *lockp, const char *file, int line)
+ {
+- int max_count = 5 * HZ;
++ int warn_count = 5 * HZ;
+
+ if (atomic_read(lockp) < 0) {
+ pr_warn("ALSA: seq_lock: lock trouble [counter = %d] in %s:%d\n", atomic_read(lockp), file, line);
+ return;
+ }
+ while (atomic_read(lockp) > 0) {
+- if (max_count == 0) {
+- pr_warn("ALSA: seq_lock: timeout [%d left] in %s:%d\n", atomic_read(lockp), file, line);
+- break;
+- }
++ if (warn_count-- == 0)
++ pr_warn("ALSA: seq_lock: waiting [%d left] in %s:%d\n", atomic_read(lockp), file, line);
+ schedule_timeout_uninterruptible(1);
+- max_count--;
+ }
+ }
+
--- /dev/null
+From 7c5bb4ac2b76d2a09256aec8a7d584bf3e2b0466 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Thu, 13 Apr 2017 15:36:31 -0700
+Subject: Input: i8042 - add Clevo P650RS to the i8042 reset list
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 7c5bb4ac2b76d2a09256aec8a7d584bf3e2b0466 upstream.
+
+Clevo P650RS and other similar devices require i8042 to be reset in order
+to detect Synaptics touchpad.
+
+Reported-by: Paweł Bylica <chfast@gmail.com>
+Tested-by: Ed Bordin <edbordin@gmail.com>
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=190301
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -595,6 +595,13 @@ static const struct dmi_system_id __init
+ DMI_MATCH(DMI_PRODUCT_NAME, "20046"),
+ },
+ },
++ {
++ /* Clevo P650RS, 650RP6, Sager NP8152-S, and others */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "P65xRP"),
++ },
++ },
+ { }
+ };
+
--- /dev/null
+From foo@baz Sun Apr 30 15:50:51 CEST 2017
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Fri, 21 Apr 2017 20:42:16 +0300
+Subject: ip6mr: fix notification device destruction
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+
+[ Upstream commit 723b929ca0f79c0796f160c2eeda4597ee98d2b8 ]
+
+Andrey Konovalov reported a BUG caused by the ip6mr code which is caused
+because we call unregister_netdevice_many for a device that is already
+being destroyed. In IPv4's ipmr that has been resolved by two commits
+long time ago by introducing the "notify" parameter to the delete
+function and avoiding the unregister when called from a notifier, so
+let's do the same for ip6mr.
+
+The trace from Andrey:
+------------[ cut here ]------------
+kernel BUG at net/core/dev.c:6813!
+invalid opcode: 0000 [#1] SMP KASAN
+Modules linked in:
+CPU: 1 PID: 1165 Comm: kworker/u4:3 Not tainted 4.11.0-rc7+ #251
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
+01/01/2011
+Workqueue: netns cleanup_net
+task: ffff880069208000 task.stack: ffff8800692d8000
+RIP: 0010:rollback_registered_many+0x348/0xeb0 net/core/dev.c:6813
+RSP: 0018:ffff8800692de7f0 EFLAGS: 00010297
+RAX: ffff880069208000 RBX: 0000000000000002 RCX: 0000000000000001
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88006af90569
+RBP: ffff8800692de9f0 R08: ffff8800692dec60 R09: 0000000000000000
+R10: 0000000000000006 R11: 0000000000000000 R12: ffff88006af90070
+R13: ffff8800692debf0 R14: dffffc0000000000 R15: ffff88006af90000
+FS: 0000000000000000(0000) GS:ffff88006cb00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fe7e897d870 CR3: 00000000657e7000 CR4: 00000000000006e0
+Call Trace:
+ unregister_netdevice_many.part.105+0x87/0x440 net/core/dev.c:7881
+ unregister_netdevice_many+0xc8/0x120 net/core/dev.c:7880
+ ip6mr_device_event+0x362/0x3f0 net/ipv6/ip6mr.c:1346
+ notifier_call_chain+0x145/0x2f0 kernel/notifier.c:93
+ __raw_notifier_call_chain kernel/notifier.c:394
+ raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
+ call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1647
+ call_netdevice_notifiers net/core/dev.c:1663
+ rollback_registered_many+0x919/0xeb0 net/core/dev.c:6841
+ unregister_netdevice_many.part.105+0x87/0x440 net/core/dev.c:7881
+ unregister_netdevice_many net/core/dev.c:7880
+ default_device_exit_batch+0x4fa/0x640 net/core/dev.c:8333
+ ops_exit_list.isra.4+0x100/0x150 net/core/net_namespace.c:144
+ cleanup_net+0x5a8/0xb40 net/core/net_namespace.c:463
+ process_one_work+0xc04/0x1c10 kernel/workqueue.c:2097
+ worker_thread+0x223/0x19c0 kernel/workqueue.c:2231
+ kthread+0x35e/0x430 kernel/kthread.c:231
+ ret_from_fork+0x31/0x40 arch/x86/entry/entry_64.S:430
+Code: 3c 32 00 0f 85 70 0b 00 00 48 b8 00 02 00 00 00 00 ad de 49 89
+47 78 e9 93 fe ff ff 49 8d 57 70 49 8d 5f 78 eb 9e e8 88 7a 14 fe <0f>
+0b 48 8b 9d 28 fe ff ff e8 7a 7a 14 fe 48 b8 00 00 00 00 00
+RIP: rollback_registered_many+0x348/0xeb0 RSP: ffff8800692de7f0
+---[ end trace e0b29c57e9b3292c ]---
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6mr.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -776,7 +776,8 @@ failure:
+ * Delete a VIF entry
+ */
+
+-static int mif6_delete(struct mr6_table *mrt, int vifi, struct list_head *head)
++static int mif6_delete(struct mr6_table *mrt, int vifi, int notify,
++ struct list_head *head)
+ {
+ struct mif_device *v;
+ struct net_device *dev;
+@@ -822,7 +823,7 @@ static int mif6_delete(struct mr6_table
+ dev->ifindex, &in6_dev->cnf);
+ }
+
+- if (v->flags & MIFF_REGISTER)
++ if ((v->flags & MIFF_REGISTER) && !notify)
+ unregister_netdevice_queue(dev, head);
+
+ dev_put(dev);
+@@ -1331,7 +1332,6 @@ static int ip6mr_device_event(struct not
+ struct mr6_table *mrt;
+ struct mif_device *v;
+ int ct;
+- LIST_HEAD(list);
+
+ if (event != NETDEV_UNREGISTER)
+ return NOTIFY_DONE;
+@@ -1340,10 +1340,9 @@ static int ip6mr_device_event(struct not
+ v = &mrt->vif6_table[0];
+ for (ct = 0; ct < mrt->maxvif; ct++, v++) {
+ if (v->dev == dev)
+- mif6_delete(mrt, ct, &list);
++ mif6_delete(mrt, ct, 1, NULL);
+ }
+ }
+- unregister_netdevice_many(&list);
+
+ return NOTIFY_DONE;
+ }
+@@ -1552,7 +1551,7 @@ static void mroute_clean_tables(struct m
+ for (i = 0; i < mrt->maxvif; i++) {
+ if (!all && (mrt->vif6_table[i].flags & VIFF_STATIC))
+ continue;
+- mif6_delete(mrt, i, &list);
++ mif6_delete(mrt, i, 0, &list);
+ }
+ unregister_netdevice_many(&list);
+
+@@ -1705,7 +1704,7 @@ int ip6_mroute_setsockopt(struct sock *s
+ if (copy_from_user(&mifi, optval, sizeof(mifi_t)))
+ return -EFAULT;
+ rtnl_lock();
+- ret = mif6_delete(mrt, mifi, NULL);
++ ret = mif6_delete(mrt, mifi, 0, NULL);
+ rtnl_unlock();
+ return ret;
+
--- /dev/null
+From foo@baz Sun Apr 30 15:50:51 CEST 2017
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Wed, 29 Mar 2017 08:45:29 +0200
+Subject: l2tp: purge socket queues in the .destruct() callback
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+
+[ Upstream commit e91793bb615cf6cdd59c0b6749fe173687bb0947 ]
+
+The Rx path may grab the socket right before pppol2tp_release(), but
+nothing guarantees that it will enqueue packets before
+skb_queue_purge(). Therefore, the socket can be destroyed without its
+queues fully purged.
+
+Fix this by purging queues in pppol2tp_session_destruct() where we're
+guaranteed nothing is still referencing the socket.
+
+Fixes: 9e9cb6221aa7 ("l2tp: fix userspace reception on plain L2TP sockets")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ppp.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -469,6 +469,10 @@ static void pppol2tp_session_close(struc
+ static void pppol2tp_session_destruct(struct sock *sk)
+ {
+ struct l2tp_session *session = sk->sk_user_data;
++
++ skb_queue_purge(&sk->sk_receive_queue);
++ skb_queue_purge(&sk->sk_write_queue);
++
+ if (session) {
+ sk->sk_user_data = NULL;
+ BUG_ON(session->magic != L2TP_SESSION_MAGIC);
+@@ -507,9 +511,6 @@ static int pppol2tp_release(struct socke
+ l2tp_session_queue_purge(session);
+ sock_put(sk);
+ }
+- skb_queue_purge(&sk->sk_receive_queue);
+- skb_queue_purge(&sk->sk_write_queue);
+-
+ release_sock(sk);
+
+ /* This will delete the session context via
--- /dev/null
+From 162b270c664dca2e0944308e92f9fcc887151a72 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Thu, 30 Mar 2017 16:06:02 +0100
+Subject: MIPS: KGDB: Use kernel context for sleeping threads
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 162b270c664dca2e0944308e92f9fcc887151a72 upstream.
+
+KGDB is a kernel debug stub and it can't be used to debug userland as it
+can only safely access kernel memory.
+
+On MIPS however KGDB has always got the register state of sleeping
+processes from the userland register context at the beginning of the
+kernel stack. This is meaningless for kernel threads (which never enter
+userland), and for user threads it prevents the user seeing what it is
+doing while in the kernel:
+
+(gdb) info threads
+ Id Target Id Frame
+ ...
+ 3 Thread 2 (kthreadd) 0x0000000000000000 in ?? ()
+ 2 Thread 1 (init) 0x000000007705c4b4 in ?? ()
+ 1 Thread -2 (shadowCPU0) 0xffffffff8012524c in arch_kgdb_breakpoint () at arch/mips/kernel/kgdb.c:201
+
+Get the register state instead from the (partial) kernel register
+context stored in the task's thread_struct for resume() to restore. All
+threads now correctly appear to be in context_switch():
+
+(gdb) info threads
+ Id Target Id Frame
+ ...
+ 3 Thread 2 (kthreadd) context_switch (rq=<optimized out>, cookie=..., next=<optimized out>, prev=0x0) at kernel/sched/core.c:2903
+ 2 Thread 1 (init) context_switch (rq=<optimized out>, cookie=..., next=<optimized out>, prev=0x0) at kernel/sched/core.c:2903
+ 1 Thread -2 (shadowCPU0) 0xffffffff8012524c in arch_kgdb_breakpoint () at arch/mips/kernel/kgdb.c:201
+
+Call clobbered registers which aren't saved and exception registers
+(BadVAddr & Cause) which can't be easily determined without stack
+unwinding are reported as 0. The PC is taken from the return address,
+such that the state presented matches that found immediately after
+returning from resume().
+
+Fixes: 8854700115ec ("[MIPS] kgdb: add arch support for the kernel's kgdb core")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Jason Wessel <jason.wessel@windriver.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/15829/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/kgdb.c | 48 +++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 33 insertions(+), 15 deletions(-)
+
+--- a/arch/mips/kernel/kgdb.c
++++ b/arch/mips/kernel/kgdb.c
+@@ -244,9 +244,6 @@ static int compute_signal(int tt)
+ void sleeping_thread_to_gdb_regs(unsigned long *gdb_regs, struct task_struct *p)
+ {
+ int reg;
+- struct thread_info *ti = task_thread_info(p);
+- unsigned long ksp = (unsigned long)ti + THREAD_SIZE - 32;
+- struct pt_regs *regs = (struct pt_regs *)ksp - 1;
+ #if (KGDB_GDB_REG_SIZE == 32)
+ u32 *ptr = (u32 *)gdb_regs;
+ #else
+@@ -254,25 +251,46 @@ void sleeping_thread_to_gdb_regs(unsigne
+ #endif
+
+ for (reg = 0; reg < 16; reg++)
+- *(ptr++) = regs->regs[reg];
++ *(ptr++) = 0;
+
+ /* S0 - S7 */
+- for (reg = 16; reg < 24; reg++)
+- *(ptr++) = regs->regs[reg];
++ *(ptr++) = p->thread.reg16;
++ *(ptr++) = p->thread.reg17;
++ *(ptr++) = p->thread.reg18;
++ *(ptr++) = p->thread.reg19;
++ *(ptr++) = p->thread.reg20;
++ *(ptr++) = p->thread.reg21;
++ *(ptr++) = p->thread.reg22;
++ *(ptr++) = p->thread.reg23;
+
+ for (reg = 24; reg < 28; reg++)
+ *(ptr++) = 0;
+
+ /* GP, SP, FP, RA */
+- for (reg = 28; reg < 32; reg++)
+- *(ptr++) = regs->regs[reg];
+-
+- *(ptr++) = regs->cp0_status;
+- *(ptr++) = regs->lo;
+- *(ptr++) = regs->hi;
+- *(ptr++) = regs->cp0_badvaddr;
+- *(ptr++) = regs->cp0_cause;
+- *(ptr++) = regs->cp0_epc;
++ *(ptr++) = (long)p;
++ *(ptr++) = p->thread.reg29;
++ *(ptr++) = p->thread.reg30;
++ *(ptr++) = p->thread.reg31;
++
++ *(ptr++) = p->thread.cp0_status;
++
++ /* lo, hi */
++ *(ptr++) = 0;
++ *(ptr++) = 0;
++
++ /*
++ * BadVAddr, Cause
++ * Ideally these would come from the last exception frame up the stack
++ * but that requires unwinding, otherwise we can't know much for sure.
++ */
++ *(ptr++) = 0;
++ *(ptr++) = 0;
++
++ /*
++ * PC
++ * use return address (RA), i.e. the moment after return from resume()
++ */
++ *(ptr++) = p->thread.reg31;
+ }
+
+ void kgdb_arch_set_pc(struct pt_regs *regs, unsigned long pc)
--- /dev/null
+From foo@baz Sun Apr 30 15:50:51 CEST 2017
+From: Florian Larysch <fl@n621.de>
+Date: Mon, 3 Apr 2017 16:46:09 +0200
+Subject: net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given
+
+From: Florian Larysch <fl@n621.de>
+
+
+[ Upstream commit a8801799c6975601fd58ae62f48964caec2eb83f ]
+
+inet_rtm_getroute synthesizes a skeletal ICMP skb, which is passed to
+ip_route_input when iif is given. If a multipath route is present for
+the designated destination, ip_multipath_icmp_hash ends up being called,
+which uses the source/destination addresses within the skb to calculate
+a hash. However, those are not set in the synthetic skb, causing it to
+return an arbitrary and incorrect result.
+
+Instead, use UDP, which gets no such special treatment.
+
+Signed-off-by: Florian Larysch <fl@n621.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -2436,7 +2436,7 @@ static int inet_rtm_getroute(struct sk_b
+ skb_reset_network_header(skb);
+
+ /* Bugfix: need to give ip_route_input enough of an IP header to not gag. */
+- ip_hdr(skb)->protocol = IPPROTO_ICMP;
++ ip_hdr(skb)->protocol = IPPROTO_UDP;
+ skb_reserve(skb, MAX_HEADER + sizeof(struct iphdr));
+
+ src = tb[RTA_SRC] ? nla_get_be32(tb[RTA_SRC]) : 0;
--- /dev/null
+From foo@baz Sun Apr 30 15:50:51 CEST 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 23 Mar 2017 12:39:21 -0700
+Subject: net: neigh: guard against NULL solicit() method
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 48481c8fa16410ffa45939b13b6c53c2ca609e5f ]
+
+Dmitry posted a nice reproducer of a bug triggering in neigh_probe()
+when dereferencing a NULL neigh->ops->solicit method.
+
+This can happen for arp_direct_ops/ndisc_direct_ops and similar,
+which can be used for NUD_NOARP neighbours (created when dev->header_ops
+is NULL). Admin can then force changing nud_state to some other state
+that would fire neigh timer.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -875,7 +875,8 @@ static void neigh_probe(struct neighbour
+ if (skb)
+ skb = skb_copy(skb, GFP_ATOMIC);
+ write_unlock(&neigh->lock);
+- neigh->ops->solicit(neigh, skb);
++ if (neigh->ops->solicit)
++ neigh->ops->solicit(neigh, skb);
+ atomic_inc(&neigh->probes);
+ kfree_skb(skb);
+ }
--- /dev/null
+From foo@baz Sun Apr 30 15:50:51 CEST 2017
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Wed, 29 Mar 2017 16:11:21 +0200
+Subject: net/packet: fix overflow in check for tp_frame_nr
+
+From: Andrey Konovalov <andreyknvl@google.com>
+
+
+[ Upstream commit 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b ]
+
+When calculating rb->frames_per_block * req->tp_block_nr the result
+can overflow.
+
+Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
+
+Since frames_per_block <= tp_block_size, the expression would
+never overflow.
+
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3820,6 +3820,8 @@ static int packet_set_ring(struct sock *
+ rb->frames_per_block = req->tp_block_size/req->tp_frame_size;
+ if (unlikely(rb->frames_per_block <= 0))
+ goto out;
++ if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
++ goto out;
+ if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
+ req->tp_frame_nr))
+ goto out;
--- /dev/null
+From foo@baz Sun Apr 30 15:50:51 CEST 2017
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Wed, 29 Mar 2017 16:11:22 +0200
+Subject: net/packet: fix overflow in check for tp_reserve
+
+From: Andrey Konovalov <andreyknvl@google.com>
+
+
+[ Upstream commit bcc5364bdcfe131e6379363f089e7b4108d35b70 ]
+
+When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
+
+Fix by checking that tp_reserve <= INT_MAX on assign.
+
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3314,6 +3314,8 @@ packet_setsockopt(struct socket *sock, i
+ return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
++ if (val > INT_MAX)
++ return -EINVAL;
+ po->tp_reserve = val;
+ return 0;
+ }
--- /dev/null
+From foo@baz Sun Apr 30 15:50:51 CEST 2017
+From: Nathan Sullivan <nathan.sullivan@ni.com>
+Date: Wed, 22 Mar 2017 15:27:01 -0500
+Subject: net: phy: handle state correctly in phy_stop_machine
+
+From: Nathan Sullivan <nathan.sullivan@ni.com>
+
+
+[ Upstream commit 49d52e8108a21749dc2114b924c907db43358984 ]
+
+If the PHY is halted on stop, then do not set the state to PHY_UP. This
+ensures the phy will be restarted later in phy_start when the machine is
+started again.
+
+Fixes: 00db8189d984 ("This patch adds a PHY Abstraction Layer to the Linux Kernel, enabling ethernet drivers to remain as ignorant as is reasonable of the connected PHY's design and operation details.")
+Signed-off-by: Nathan Sullivan <nathan.sullivan@ni.com>
+Signed-off-by: Brad Mouring <brad.mouring@ni.com>
+Acked-by: Xander Huff <xander.huff@ni.com>
+Acked-by: Kyle Roeschley <kyle.roeschley@ni.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/phy.c
++++ b/drivers/net/phy/phy.c
+@@ -506,7 +506,7 @@ void phy_stop_machine(struct phy_device
+ cancel_delayed_work_sync(&phydev->state_queue);
+
+ mutex_lock(&phydev->lock);
+- if (phydev->state > PHY_UP)
++ if (phydev->state > PHY_UP && phydev->state != PHY_HALTED)
+ phydev->state = PHY_UP;
+ mutex_unlock(&phydev->lock);
+ }
--- /dev/null
+From foo@baz Sun Apr 30 15:50:51 CEST 2017
+From: Tushar Dave <tushar.n.dave@oracle.com>
+Date: Thu, 20 Apr 2017 15:57:31 -0700
+Subject: netpoll: Check for skb->queue_mapping
+
+From: Tushar Dave <tushar.n.dave@oracle.com>
+
+
+[ Upstream commit c70b17b775edb21280e9de7531acf6db3b365274 ]
+
+Reducing real_num_tx_queues needs to be in sync with skb queue_mapping
+otherwise skbs with queue_mapping greater than real_num_tx_queues
+can be sent to the underlying driver and can result in kernel panic.
+
+One such event is running netconsole and enabling VF on the same
+device. Or running netconsole and changing number of tx queues via
+ethtool on same device.
+
+e.g.
+Unable to handle kernel NULL pointer dereference
+tsk->{mm,active_mm}->context = 0000000000001525
+tsk->{mm,active_mm}->pgd = fff800130ff9a000
+ \|/ ____ \|/
+ "@'/ .. \`@"
+ /_| \__/ |_\
+ \__U_/
+kworker/48:1(475): Oops [#1]
+CPU: 48 PID: 475 Comm: kworker/48:1 Tainted: G OE
+4.11.0-rc3-davem-net+ #7
+Workqueue: events queue_process
+task: fff80013113299c0 task.stack: fff800131132c000
+TSTATE: 0000004480e01600 TPC: 00000000103f9e3c TNPC: 00000000103f9e40 Y:
+00000000 Tainted: G OE
+TPC: <ixgbe_xmit_frame_ring+0x7c/0x6c0 [ixgbe]>
+g0: 0000000000000000 g1: 0000000000003fff g2: 0000000000000000 g3:
+0000000000000001
+g4: fff80013113299c0 g5: fff8001fa6808000 g6: fff800131132c000 g7:
+00000000000000c0
+o0: fff8001fa760c460 o1: fff8001311329a50 o2: fff8001fa7607504 o3:
+0000000000000003
+o4: fff8001f96e63a40 o5: fff8001311d77ec0 sp: fff800131132f0e1 ret_pc:
+000000000049ed94
+RPC: <set_next_entity+0x34/0xb80>
+l0: 0000000000000000 l1: 0000000000000800 l2: 0000000000000000 l3:
+0000000000000000
+l4: 000b2aa30e34b10d l5: 0000000000000000 l6: 0000000000000000 l7:
+fff8001fa7605028
+i0: fff80013111a8a00 i1: fff80013155a0780 i2: 0000000000000000 i3:
+0000000000000000
+i4: 0000000000000000 i5: 0000000000100000 i6: fff800131132f1a1 i7:
+00000000103fa4b0
+I7: <ixgbe_xmit_frame+0x30/0xa0 [ixgbe]>
+Call Trace:
+ [00000000103fa4b0] ixgbe_xmit_frame+0x30/0xa0 [ixgbe]
+ [0000000000998c74] netpoll_start_xmit+0xf4/0x200
+ [0000000000998e10] queue_process+0x90/0x160
+ [0000000000485fa8] process_one_work+0x188/0x480
+ [0000000000486410] worker_thread+0x170/0x4c0
+ [000000000048c6b8] kthread+0xd8/0x120
+ [0000000000406064] ret_from_fork+0x1c/0x2c
+ [0000000000000000] (null)
+Disabling lock debugging due to kernel taint
+Caller[00000000103fa4b0]: ixgbe_xmit_frame+0x30/0xa0 [ixgbe]
+Caller[0000000000998c74]: netpoll_start_xmit+0xf4/0x200
+Caller[0000000000998e10]: queue_process+0x90/0x160
+Caller[0000000000485fa8]: process_one_work+0x188/0x480
+Caller[0000000000486410]: worker_thread+0x170/0x4c0
+Caller[000000000048c6b8]: kthread+0xd8/0x120
+Caller[0000000000406064]: ret_from_fork+0x1c/0x2c
+Caller[0000000000000000]: (null)
+
+Signed-off-by: Tushar Dave <tushar.n.dave@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/netpoll.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/core/netpoll.c
++++ b/net/core/netpoll.c
+@@ -105,15 +105,21 @@ static void queue_process(struct work_st
+ while ((skb = skb_dequeue(&npinfo->txq))) {
+ struct net_device *dev = skb->dev;
+ struct netdev_queue *txq;
++ unsigned int q_index;
+
+ if (!netif_device_present(dev) || !netif_running(dev)) {
+ kfree_skb(skb);
+ continue;
+ }
+
+- txq = skb_get_tx_queue(dev, skb);
+-
+ local_irq_save(flags);
++ /* check if skb->queue_mapping is still valid */
++ q_index = skb_get_queue_mapping(skb);
++ if (unlikely(q_index >= dev->real_num_tx_queues)) {
++ q_index = q_index % dev->real_num_tx_queues;
++ skb_set_queue_mapping(skb, q_index);
++ }
++ txq = netdev_get_tx_queue(dev, q_index);
+ HARD_TX_LOCK(dev, txq, smp_processor_id());
+ if (netif_xmit_frozen_or_stopped(txq) ||
+ netpoll_start_xmit(skb, dev, txq) != NETDEV_TX_OK) {
--- /dev/null
+From e6838a29ecb484c97e4efef9429643b9851fba6e Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Fri, 21 Apr 2017 16:10:18 -0400
+Subject: nfsd: check for oversized NFSv2/v3 arguments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit e6838a29ecb484c97e4efef9429643b9851fba6e upstream.
+
+A client can append random data to the end of an NFSv2 or NFSv3 RPC call
+without our complaining; we'll just stop parsing at the end of the
+expected data and ignore the rest.
+
+Encoded arguments and replies are stored together in an array of pages,
+and if a call is too large it could leave inadequate space for the
+reply. This is normally OK because NFS RPC's typically have either
+short arguments and long replies (like READ) or long arguments and short
+replies (like WRITE). But a client that sends an incorrectly long reply
+can violate those assumptions. This was observed to cause crashes.
+
+Also, several operations increment rq_next_page in the decode routine
+before checking the argument size, which can leave rq_next_page pointing
+well past the end of the page array, causing trouble later in
+svc_free_pages.
+
+So, following a suggestion from Neil Brown, add a central check to
+enforce our expectation that no NFSv2/v3 call has both a large call and
+a large reply.
+
+As followup we may also want to rewrite the encoding routines to check
+more carefully that they aren't running off the end of the page array.
+
+We may also consider rejecting calls that have any extra garbage
+appended. That would be safer, and within our rights by spec, but given
+the age of our server and the NFS protocol, and the fact that we've
+never enforced this before, we may need to balance that against the
+possibility of breaking some oddball client.
+
+Reported-by: Tuomas Haanpää <thaan@synopsys.com>
+Reported-by: Ari Kauppi <ari@synopsys.com>
+Reviewed-by: NeilBrown <neilb@suse.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfssvc.c | 36 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+--- a/fs/nfsd/nfssvc.c
++++ b/fs/nfsd/nfssvc.c
+@@ -646,6 +646,37 @@ static __be32 map_new_errors(u32 vers, _
+ return nfserr;
+ }
+
++/*
++ * A write procedure can have a large argument, and a read procedure can
++ * have a large reply, but no NFSv2 or NFSv3 procedure has argument and
++ * reply that can both be larger than a page. The xdr code has taken
++ * advantage of this assumption to be a sloppy about bounds checking in
++ * some cases. Pending a rewrite of the NFSv2/v3 xdr code to fix that
++ * problem, we enforce these assumptions here:
++ */
++static bool nfs_request_too_big(struct svc_rqst *rqstp,
++ struct svc_procedure *proc)
++{
++ /*
++ * The ACL code has more careful bounds-checking and is not
++ * susceptible to this problem:
++ */
++ if (rqstp->rq_prog != NFS_PROGRAM)
++ return false;
++ /*
++ * Ditto NFSv4 (which can in theory have argument and reply both
++ * more than a page):
++ */
++ if (rqstp->rq_vers >= 4)
++ return false;
++ /* The reply will be small, we're OK: */
++ if (proc->pc_xdrressize > 0 &&
++ proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE))
++ return false;
++
++ return rqstp->rq_arg.len > PAGE_SIZE;
++}
++
+ int
+ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
+ {
+@@ -658,6 +689,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __
+ rqstp->rq_vers, rqstp->rq_proc);
+ proc = rqstp->rq_procinfo;
+
++ if (nfs_request_too_big(rqstp, proc)) {
++ dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers);
++ *statp = rpc_garbage_args;
++ return 1;
++ }
+ /*
+ * Give the xdr decoder a chance to change this if it wants
+ * (necessary in the NFSv4.0 compound case)
--- /dev/null
+From 71d6ad08379304128e4bdfaf0b4185d54375423e Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 14 Apr 2017 17:22:18 -0400
+Subject: p9_client_readdir() fix
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 71d6ad08379304128e4bdfaf0b4185d54375423e upstream.
+
+Don't assume that server is sane and won't return more data than
+asked for.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/9p/client.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -2106,6 +2106,10 @@ int p9_client_readdir(struct p9_fid *fid
+ trace_9p_protocol_dump(clnt, req->rc);
+ goto free_and_error;
+ }
++ if (rsize < count) {
++ pr_err("bogus RREADDIR count (%d > %d)\n", count, rsize);
++ count = rsize;
++ }
+
+ p9_debug(P9_DEBUG_9P, "<<< RREADDIR count %d\n", count);
+
--- /dev/null
+From foo@baz Sun Apr 30 15:50:51 CEST 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Thu, 6 Apr 2017 13:10:52 +0800
+Subject: sctp: listen on the sock only when it's state is listening or closed
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 34b2789f1d9bf8dcca9b5cb553d076ca2cd898ee ]
+
+Now sctp doesn't check sock's state before listening on it. It could
+even cause changing a sock with any state to become a listening sock
+when doing sctp_listen.
+
+This patch is to fix it by checking sock's state in sctp_listen, so
+that it will listen on the sock with right state.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -6400,6 +6400,9 @@ int sctp_inet_listen(struct socket *sock
+ if (sock->state != SS_UNCONNECTED)
+ goto out;
+
++ if (!sctp_sstate(sk, LISTENING) && !sctp_sstate(sk, CLOSED))
++ goto out;
++
+ /* If backlog is zero, disable listening. */
+ if (!backlog) {
+ if (sctp_sstate(sk, CLOSED))
xen-x86-don-t-lose-event-interrupts.patch
sparc64-kern_addr_valid-regression.patch
sparc64-fix-kernel-panic-due-to-erroneous-ifdef-surrounding-pmd_write.patch
+net-neigh-guard-against-null-solicit-method.patch
+net-phy-handle-state-correctly-in-phy_stop_machine.patch
+l2tp-purge-socket-queues-in-the-.destruct-callback.patch
+net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
+net-packet-fix-overflow-in-check-for-tp_reserve.patch
+net-ipv4-fix-multipath-rtm_getroute-behavior-when-iif-is-given.patch
+sctp-listen-on-the-sock-only-when-it-s-state-is-listening-or-closed.patch
+netpoll-check-for-skb-queue_mapping.patch
+ip6mr-fix-notification-device-destruction.patch
+alsa-seq-don-t-break-snd_use_lock_sync-loop-by-timeout.patch
+mips-kgdb-use-kernel-context-for-sleeping-threads.patch
+p9_client_readdir-fix.patch
+input-i8042-add-clevo-p650rs-to-the-i8042-reset-list.patch
+nfsd-check-for-oversized-nfsv2-v3-arguments.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
