4.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 22 Mar 2018 18:05:18 +0000 (19:05 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 22 Mar 2018 18:05:18 +0000 (19:05 +0100)
added patches:
clk-migrate-the-count-of-orphaned-clocks-at-init.patch
ib-mlx5-fix-integer-overflows-in-mlx5_ib_create_srq.patch
ib-mlx5-fix-out-of-bounds-read-in-create_raw_packet_qp_rq.patch
rdma-core-do-not-use-invalid-destination-in-determining-port-reuse.patch
rdma-ucma-don-t-allow-join-attempts-for-unsupported-af-family.patch
rdma-ucma-fix-access-to-non-initialized-cm_id-object.patch
serial-8250_pci-don-t-fail-on-multiport-card-class.patch

queue-4.15/clk-migrate-the-count-of-orphaned-clocks-at-init.patch [new file with mode: 0644]
queue-4.15/ib-mlx5-fix-integer-overflows-in-mlx5_ib_create_srq.patch [new file with mode: 0644]
queue-4.15/ib-mlx5-fix-out-of-bounds-read-in-create_raw_packet_qp_rq.patch [new file with mode: 0644]
queue-4.15/rdma-core-do-not-use-invalid-destination-in-determining-port-reuse.patch [new file with mode: 0644]
queue-4.15/rdma-ucma-don-t-allow-join-attempts-for-unsupported-af-family.patch [new file with mode: 0644]
queue-4.15/rdma-ucma-fix-access-to-non-initialized-cm_id-object.patch [new file with mode: 0644]
queue-4.15/serial-8250_pci-don-t-fail-on-multiport-card-class.patch [new file with mode: 0644]
queue-4.15/series

diff --git a/queue-4.15/clk-migrate-the-count-of-orphaned-clocks-at-init.patch b/queue-4.15/clk-migrate-the-count-of-orphaned-clocks-at-init.patch
new file mode 100644 (file)
index 0000000..7ca1767
--- /dev/null
@@ -0,0 +1,119 @@
+From 99652a469df19086d594e8e89757d4081a812789 Mon Sep 17 00:00:00 2001
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Wed, 14 Feb 2018 14:43:36 +0100
+Subject: clk: migrate the count of orphaned clocks at init
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+commit 99652a469df19086d594e8e89757d4081a812789 upstream.
+
+The orphan clocks reparents should migrate any existing count from the
+orphan clock to its new acestor clocks, otherwise we may have
+inconsistent counts in the tree and end-up with gated critical clocks
+
+Assuming we have two clocks, A and B.
+* Clock A has CLK_IS_CRITICAL flag set.
+* Clock B is an ancestor of A which can gate. Clock B gate is left
+  enabled by the bootloader.
+
+Step 1: Clock A is registered. Since it is a critical clock, it is
+enabled. The clock being still an orphan, no parent are enabled.
+
+Step 2: Clock B is registered and reparented to clock A (potentially
+through several other clocks). We are now in situation where the enable
+count of clock A is 1 while the enable count of its ancestors is 0, which
+is not good.
+
+Step 3: in lateinit, clk_disable_unused() is called, the enable_count of
+clock B being 0, clock B is gated and and critical clock A actually gets
+disabled.
+
+This situation was found while adding fdiv_clk gates to the meson8b
+platform.  These clocks parent clk81 critical clock, which is the mother
+of all peripheral clocks in this system. Because of the issue described
+here, the system is crashing when clk_disable_unused() is called.
+
+The situation is solved by reverting
+commit f8f8f1d04494 ("clk: Don't touch hardware when reparenting during registration").
+To avoid breaking again the situation described in this commit
+description, enabling critical clock should be done before walking the
+orphan list. This way, a parent critical clock may not be accidentally
+disabled due to the CLK_OPS_PARENT_ENABLE mechanism.
+
+Fixes: f8f8f1d04494 ("clk: Don't touch hardware when reparenting during registration")
+Cc: Stephen Boyd <sboyd@codeaurora.org>
+Cc: Shawn Guo <shawnguo@kernel.org>
+Cc: Dong Aisheng <aisheng.dong@nxp.com>
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Tested-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Michael Turquette <mturquette@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/clk.c |   37 +++++++++++++++++++++----------------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -2592,22 +2592,37 @@ static int __clk_core_init(struct clk_co
+       core->rate = core->req_rate = rate;
+       /*
++       * Enable CLK_IS_CRITICAL clocks so newly added critical clocks
++       * don't get accidentally disabled when walking the orphan tree and
++       * reparenting clocks
++       */
++      if (core->flags & CLK_IS_CRITICAL) {
++              unsigned long flags;
++
++              clk_core_prepare(core);
++
++              flags = clk_enable_lock();
++              clk_core_enable(core);
++              clk_enable_unlock(flags);
++      }
++
++      /*
+        * walk the list of orphan clocks and reparent any that newly finds a
+        * parent.
+        */
+       hlist_for_each_entry_safe(orphan, tmp2, &clk_orphan_list, child_node) {
+               struct clk_core *parent = __clk_init_parent(orphan);
+-              unsigned long flags;
+               /*
+-               * we could call __clk_set_parent, but that would result in a
+-               * redundant call to the .set_rate op, if it exists
++               * We need to use __clk_set_parent_before() and _after() to
++               * to properly migrate any prepare/enable count of the orphan
++               * clock. This is important for CLK_IS_CRITICAL clocks, which
++               * are enabled during init but might not have a parent yet.
+                */
+               if (parent) {
+                       /* update the clk tree topology */
+-                      flags = clk_enable_lock();
+-                      clk_reparent(orphan, parent);
+-                      clk_enable_unlock(flags);
++                      __clk_set_parent_before(orphan, parent);
++                      __clk_set_parent_after(orphan, parent, NULL);
+                       __clk_recalc_accuracies(orphan);
+                       __clk_recalc_rates(orphan, 0);
+               }
+@@ -2624,16 +2639,6 @@ static int __clk_core_init(struct clk_co
+       if (core->ops->init)
+               core->ops->init(core->hw);
+-      if (core->flags & CLK_IS_CRITICAL) {
+-              unsigned long flags;
+-
+-              clk_core_prepare(core);
+-
+-              flags = clk_enable_lock();
+-              clk_core_enable(core);
+-              clk_enable_unlock(flags);
+-      }
+-
+       kref_init(&core->ref);
+ out:
+       clk_pm_runtime_put(core);
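Review bot: The relocated CLK_IS_CRITICAL block at the top of the __clk_core_init hunk still discards the status returned by `clk_core_prepare(core);` and `clk_core_enable(core);`, so a critical clock whose prepare or enable fails is left with counts that the orphan walk below now assumes are correct; the commit moves the block but does not add the check. At minimum the failure should be visible, e.g. `if (clk_core_prepare(core))` followed by `pr_warn("%s: failed to prepare critical clk %s\n", __func__, core->name);`, with the same treatment for the enable call. __clk_core_init begins before and ends after the hunk, so whether its `ret`/`out:` path can be reused for a hard failure has to be judged in the full file.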
diff --git a/queue-4.15/ib-mlx5-fix-integer-overflows-in-mlx5_ib_create_srq.patch b/queue-4.15/ib-mlx5-fix-integer-overflows-in-mlx5_ib_create_srq.patch
new file mode 100644 (file)
index 0000000..d041f48
--- /dev/null
@@ -0,0 +1,73 @@
+From c2b37f76485f073f020e60b5954b6dc4e55f693c Mon Sep 17 00:00:00 2001
+From: Boris Pismenny <borisp@mellanox.com>
+Date: Thu, 8 Mar 2018 15:51:41 +0200
+Subject: IB/mlx5: Fix integer overflows in mlx5_ib_create_srq
+
+From: Boris Pismenny <borisp@mellanox.com>
+
+commit c2b37f76485f073f020e60b5954b6dc4e55f693c upstream.
+
+This patch validates user provided input to prevent integer overflow due
+to integer manipulation in the mlx5_ib_create_srq function.
+
+Cc: syzkaller <syzkaller@googlegroups.com>
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Boris Pismenny <borisp@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/srq.c |   15 +++++++++------
+ include/linux/mlx5/driver.h      |    4 ++--
+ 2 files changed, 11 insertions(+), 8 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/srq.c
++++ b/drivers/infiniband/hw/mlx5/srq.c
+@@ -241,8 +241,8 @@ struct ib_srq *mlx5_ib_create_srq(struct
+ {
+       struct mlx5_ib_dev *dev = to_mdev(pd->device);
+       struct mlx5_ib_srq *srq;
+-      int desc_size;
+-      int buf_size;
++      size_t desc_size;
++      size_t buf_size;
+       int err;
+       struct mlx5_srq_attr in = {0};
+       __u32 max_srq_wqes = 1 << MLX5_CAP_GEN(dev->mdev, log_max_srq_sz);
+@@ -266,15 +266,18 @@ struct ib_srq *mlx5_ib_create_srq(struct
+       desc_size = sizeof(struct mlx5_wqe_srq_next_seg) +
+                   srq->msrq.max_gs * sizeof(struct mlx5_wqe_data_seg);
++      if (desc_size == 0 || srq->msrq.max_gs > desc_size)
++              return ERR_PTR(-EINVAL);
+       desc_size = roundup_pow_of_two(desc_size);
+-      desc_size = max_t(int, 32, desc_size);
++      desc_size = max_t(size_t, 32, desc_size);
++      if (desc_size < sizeof(struct mlx5_wqe_srq_next_seg))
++              return ERR_PTR(-EINVAL);
+       srq->msrq.max_avail_gather = (desc_size - sizeof(struct mlx5_wqe_srq_next_seg)) /
+               sizeof(struct mlx5_wqe_data_seg);
+       srq->msrq.wqe_shift = ilog2(desc_size);
+       buf_size = srq->msrq.max * desc_size;
+-      mlx5_ib_dbg(dev, "desc_size 0x%x, req wr 0x%x, srq size 0x%x, max_gs 0x%x, max_avail_gather 0x%x\n",
+-                  desc_size, init_attr->attr.max_wr, srq->msrq.max, srq->msrq.max_gs,
+-                  srq->msrq.max_avail_gather);
++      if (buf_size < desc_size)
++              return ERR_PTR(-EINVAL);
+       in.type = init_attr->srq_type;
+       if (pd->uobject)
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -442,8 +442,8 @@ struct mlx5_core_srq {
+       struct mlx5_core_rsc_common     common; /* must be first */
+       u32             srqn;
+       int             max;
+-      int             max_gs;
+-      int             max_avail_gather;
++      size_t          max_gs;
++      size_t          max_avail_gather;
+       int             wqe_shift;
+       void (*event)   (struct mlx5_core_srq *, enum mlx5_event);
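Review bot: The srq.c hunk deletes the `mlx5_ib_dbg` trace of desc_size/max_gs/max_avail_gather instead of adapting it to the new size_t types, so the sizing path loses its only debug output; the new checks can stay and the message be restored after them with matching conversions, e.g. `mlx5_ib_dbg(dev, "desc_size 0x%zx, req wr 0x%x, srq size 0x%x, max_gs 0x%zx, max_avail_gather 0x%zx\n", desc_size, init_attr->attr.max_wr, srq->msrq.max, srq->msrq.max_gs, srq->msrq.max_avail_gather);`. Because driver.h changes `max_gs` and `max_avail_gather` to size_t, any other printk or `max_t(int, …)` use of those fields elsewhere in mlx5 (not part of this diff) would now mismatch and is worth a grep before the backport lands. The `desc_size == 0 || srq->msrq.max_gs > desc_size` test only recognises a wrap of the multiplication on the previous line; a short comment such as `/* catch wrap-around of max_gs * sizeof(data_seg) */` would explain why max_gs is compared against a byte count. mlx5_ib_create_srq begins before and ends after the hunk.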
diff --git a/queue-4.15/ib-mlx5-fix-out-of-bounds-read-in-create_raw_packet_qp_rq.patch b/queue-4.15/ib-mlx5-fix-out-of-bounds-read-in-create_raw_packet_qp_rq.patch
new file mode 100644 (file)
index 0000000..5d085b3
--- /dev/null
@@ -0,0 +1,199 @@
+From 2c292dbb398ee46fc1343daf6c3cf9715a75688e Mon Sep 17 00:00:00 2001
+From: Boris Pismenny <borisp@mellanox.com>
+Date: Thu, 8 Mar 2018 15:51:40 +0200
+Subject: IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq
+
+From: Boris Pismenny <borisp@mellanox.com>
+
+commit 2c292dbb398ee46fc1343daf6c3cf9715a75688e upstream.
+
+Add a check for the length of the qpin structure to prevent out-of-bounds reads
+
+BUG: KASAN: slab-out-of-bounds in create_raw_packet_qp+0x114c/0x15e2
+Read of size 8192 at addr ffff880066b99290 by task syz-executor3/549
+
+CPU: 3 PID: 549 Comm: syz-executor3 Not tainted 4.15.0-rc2+ #27 Hardware
+name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
+Call Trace:
+ dump_stack+0x8d/0xd4
+ print_address_description+0x73/0x290
+ kasan_report+0x25c/0x370
+ ? create_raw_packet_qp+0x114c/0x15e2
+ memcpy+0x1f/0x50
+ create_raw_packet_qp+0x114c/0x15e2
+ ? create_raw_packet_qp_tis.isra.28+0x13d/0x13d
+ ? lock_acquire+0x370/0x370
+ create_qp_common+0x2245/0x3b50
+ ? destroy_qp_user.isra.47+0x100/0x100
+ ? kasan_kmalloc+0x13d/0x170
+ ? sched_clock_cpu+0x18/0x180
+ ? fs_reclaim_acquire.part.15+0x5/0x30
+ ? __lock_acquire+0xa11/0x1da0
+ ? sched_clock_cpu+0x18/0x180
+ ? kmem_cache_alloc_trace+0x17e/0x310
+ ? mlx5_ib_create_qp+0x30e/0x17b0
+ mlx5_ib_create_qp+0x33d/0x17b0
+ ? sched_clock_cpu+0x18/0x180
+ ? create_qp_common+0x3b50/0x3b50
+ ? lock_acquire+0x370/0x370
+ ? __radix_tree_lookup+0x180/0x220
+ ? uverbs_try_lock_object+0x68/0xc0
+ ? rdma_lookup_get_uobject+0x114/0x240
+ create_qp.isra.5+0xce4/0x1e20
+ ? ib_uverbs_ex_create_cq_cb+0xa0/0xa0
+ ? copy_ah_attr_from_uverbs.isra.2+0xa00/0xa00
+ ? ib_uverbs_cq_event_handler+0x160/0x160
+ ? __might_fault+0x17c/0x1c0
+ ib_uverbs_create_qp+0x21b/0x2a0
+ ? ib_uverbs_destroy_cq+0x2e0/0x2e0
+ ib_uverbs_write+0x55a/0xad0
+ ? ib_uverbs_destroy_cq+0x2e0/0x2e0
+ ? ib_uverbs_destroy_cq+0x2e0/0x2e0
+ ? ib_uverbs_open+0x760/0x760
+ ? futex_wake+0x147/0x410
+ ? check_prev_add+0x1680/0x1680
+ ? do_futex+0x3d3/0xa60
+ ? sched_clock_cpu+0x18/0x180
+ __vfs_write+0xf7/0x5c0
+ ? ib_uverbs_open+0x760/0x760
+ ? kernel_read+0x110/0x110
+ ? lock_acquire+0x370/0x370
+ ? __fget+0x264/0x3b0
+ vfs_write+0x18a/0x460
+ SyS_write+0xc7/0x1a0
+ ? SyS_read+0x1a0/0x1a0
+ ? trace_hardirqs_on_thunk+0x1a/0x1c
+ entry_SYSCALL_64_fastpath+0x18/0x85
+RIP: 0033:0x4477b9
+RSP: 002b:00007f1822cadc18 EFLAGS: 00000292 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000004477b9
+RDX: 0000000000000070 RSI: 000000002000a000 RDI: 0000000000000005
+RBP: 0000000000708000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000292 R12: 00000000ffffffff
+R13: 0000000000005d70 R14: 00000000006e6e30 R15: 0000000020010ff0
+
+Allocated by task 549:
+ __kmalloc+0x15e/0x340
+ kvmalloc_node+0xa1/0xd0
+ create_user_qp.isra.46+0xd42/0x1610
+ create_qp_common+0x2e63/0x3b50
+ mlx5_ib_create_qp+0x33d/0x17b0
+ create_qp.isra.5+0xce4/0x1e20
+ ib_uverbs_create_qp+0x21b/0x2a0
+ ib_uverbs_write+0x55a/0xad0
+ __vfs_write+0xf7/0x5c0
+ vfs_write+0x18a/0x460
+ SyS_write+0xc7/0x1a0
+ entry_SYSCALL_64_fastpath+0x18/0x85
+
+Freed by task 368:
+ kfree+0xeb/0x2f0
+ kernfs_fop_release+0x140/0x180
+ __fput+0x266/0x700
+ task_work_run+0x104/0x180
+ exit_to_usermode_loop+0xf7/0x110
+ syscall_return_slowpath+0x298/0x370
+ entry_SYSCALL_64_fastpath+0x83/0x85
+
+The buggy address belongs to the object at ffff880066b99180  which
+belongs to the cache kmalloc-512 of size 512 The buggy address is
+located 272 bytes inside of  512-byte region [ffff880066b99180,
+ffff880066b99380) The buggy address belongs to the page:
+page:000000006040eedd count:1 mapcount:0 mapping:          (null)
+index:0x0 compound_mapcount: 0
+flags: 0x4000000000008100(slab|head)
+raw: 4000000000008100 0000000000000000 0000000000000000 0000000180190019
+raw: ffffea00019a7500 0000000b0000000b ffff88006c403080 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff880066b99180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff880066b99200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff880066b99280: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+                         ^
+ ffff880066b99300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff880066b99380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Cc: syzkaller <syzkaller@googlegroups.com>
+Fixes: 0fb2ed66a14c ("IB/mlx5: Add create and destroy functionality for Raw Packet QP")
+Signed-off-by: Boris Pismenny <borisp@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/qp.c |   23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -1130,7 +1130,7 @@ static void destroy_raw_packet_qp_sq(str
+       ib_umem_release(sq->ubuffer.umem);
+ }
+-static int get_rq_pas_size(void *qpc)
++static size_t get_rq_pas_size(void *qpc)
+ {
+       u32 log_page_size = MLX5_GET(qpc, qpc, log_page_size) + 12;
+       u32 log_rq_stride = MLX5_GET(qpc, qpc, log_rq_stride);
+@@ -1146,7 +1146,8 @@ static int get_rq_pas_size(void *qpc)
+ }
+ static int create_raw_packet_qp_rq(struct mlx5_ib_dev *dev,
+-                                 struct mlx5_ib_rq *rq, void *qpin)
++                                 struct mlx5_ib_rq *rq, void *qpin,
++                                 size_t qpinlen)
+ {
+       struct mlx5_ib_qp *mqp = rq->base.container_mibqp;
+       __be64 *pas;
+@@ -1155,9 +1156,12 @@ static int create_raw_packet_qp_rq(struc
+       void *rqc;
+       void *wq;
+       void *qpc = MLX5_ADDR_OF(create_qp_in, qpin, qpc);
+-      int inlen;
++      size_t rq_pas_size = get_rq_pas_size(qpc);
++      size_t inlen;
+       int err;
+-      u32 rq_pas_size = get_rq_pas_size(qpc);
++
++      if (qpinlen < rq_pas_size + MLX5_BYTE_OFF(create_qp_in, pas))
++              return -EINVAL;
+       inlen = MLX5_ST_SZ_BYTES(create_rq_in) + rq_pas_size;
+       in = kvzalloc(inlen, GFP_KERNEL);
+@@ -1246,7 +1250,7 @@ static void destroy_raw_packet_qp_tir(st
+ }
+ static int create_raw_packet_qp(struct mlx5_ib_dev *dev, struct mlx5_ib_qp *qp,
+-                              u32 *in,
++                              u32 *in, size_t inlen,
+                               struct ib_pd *pd)
+ {
+       struct mlx5_ib_raw_packet_qp *raw_packet_qp = &qp->raw_packet_qp;
+@@ -1278,7 +1282,7 @@ static int create_raw_packet_qp(struct m
+                       rq->flags |= MLX5_IB_RQ_CVLAN_STRIPPING;
+               if (qp->flags & MLX5_IB_QP_PCI_WRITE_END_PADDING)
+                       rq->flags |= MLX5_IB_RQ_PCI_WRITE_END_PADDING;
+-              err = create_raw_packet_qp_rq(dev, rq, in);
++              err = create_raw_packet_qp_rq(dev, rq, in, inlen);
+               if (err)
+                       goto err_destroy_sq;
+@@ -1836,11 +1840,16 @@ static int create_qp_common(struct mlx5_
+               }
+       }
++      if (inlen < 0) {
++              err = -EINVAL;
++              goto err;
++      }
++
+       if (init_attr->qp_type == IB_QPT_RAW_PACKET ||
+           qp->flags & MLX5_IB_QP_UNDERLAY) {
+               qp->raw_packet_qp.sq.ubuffer.buf_addr = ucmd.sq_buf_addr;
+               raw_packet_qp_copy_info(qp, &qp->raw_packet_qp);
+-              err = create_raw_packet_qp(dev, qp, in, pd);
++              err = create_raw_packet_qp(dev, qp, in, inlen, pd);
+       } else {
+               err = mlx5_core_create_qp(dev->mdev, &base->mqp, in, inlen);
+       }
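Review bot: Widening get_rq_pas_size()'s return type to size_t does not widen the arithmetic inside it — the visible lines still compute `log_page_size` and `log_rq_stride` as u32, and if the rest of the body (outside the hunk) follows the same pattern the size is formed in 32-bit before being returned — so the new `qpinlen < rq_pas_size + MLX5_BYTE_OFF(create_qp_in, pas)` guard in create_raw_packet_qp_rq can be handed a value that has already wrapped when the qpc fields are large. If those fields can be influenced by the caller, computing the intermediate sizes in size_t inside get_rq_pas_size (e.g. `size_t page_size = (size_t)1 << log_page_size;`) or bounding log_page_size there would make the length check trustworthy. In create_qp_common the added `if (inlen < 0)` test is the right place to stop a failed sizing before the int `inlen` is passed to the size_t parameter of create_raw_packet_qp(), but nothing says so; `/* inlen is int here; reject negatives before it is converted to size_t below */` would carry the reason. get_rq_pas_size, create_raw_packet_qp_rq and create_qp_common all extend outside the hunk.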
diff --git a/queue-4.15/rdma-core-do-not-use-invalid-destination-in-determining-port-reuse.patch b/queue-4.15/rdma-core-do-not-use-invalid-destination-in-determining-port-reuse.patch
new file mode 100644 (file)
index 0000000..786d9ec
--- /dev/null
@@ -0,0 +1,71 @@
+From 9dea9a2ff61c5efb4d4937ae23b14babd25a5547 Mon Sep 17 00:00:00 2001
+From: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
+Date: Mon, 12 Mar 2018 17:14:02 -0500
+Subject: RDMA/core: Do not use invalid destination in determining port reuse
+
+From: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
+
+commit 9dea9a2ff61c5efb4d4937ae23b14babd25a5547 upstream.
+
+cma_port_is_unique() allows local port reuse if the quad (source
+address and port, destination address and port) for this connection
+is unique. However, if the destination info is zero or unspecified, it
+can't make a correct decision but still allows port reuse. For example,
+sometimes rdma_bind_addr() is called with unspecified destination and
+reusing the port can lead to creating a connection with a duplicate quad,
+after the destination is resolved. The issue manifests when MPI scale-up
+tests hang after the duplicate quad is used.
+
+Set the destination address family and add checks for zero destination
+address and port to prevent source port reuse based on invalid destination.
+
+Fixes: 19b752a19dce ("IB/cma: Allow port reuse for rdma_id")
+Reviewed-by: Sean Hefty <sean.hefty@intel.com>
+Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/cma.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -3013,7 +3013,8 @@ static int cma_port_is_unique(struct rdm
+                       continue;
+               /* different dest port -> unique */
+-              if (!cma_any_port(cur_daddr) &&
++              if (!cma_any_port(daddr) &&
++                  !cma_any_port(cur_daddr) &&
+                   (dport != cur_dport))
+                       continue;
+@@ -3024,7 +3025,8 @@ static int cma_port_is_unique(struct rdm
+                       continue;
+               /* different dst address -> unique */
+-              if (!cma_any_addr(cur_daddr) &&
++              if (!cma_any_addr(daddr) &&
++                  !cma_any_addr(cur_daddr) &&
+                   cma_addr_cmp(daddr, cur_daddr))
+                       continue;
+@@ -3322,13 +3324,13 @@ int rdma_bind_addr(struct rdma_cm_id *id
+               }
+ #endif
+       }
++      daddr = cma_dst_addr(id_priv);
++      daddr->sa_family = addr->sa_family;
++
+       ret = cma_get_port(id_priv);
+       if (ret)
+               goto err2;
+-      daddr = cma_dst_addr(id_priv);
+-      daddr->sa_family = addr->sa_family;
+-
+       return 0;
+ err2:
+       if (id_priv->cma_dev)
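Review bot: The comments `/* different dest port -> unique */` and `/* different dst address -> unique */` in cma_port_is_unique no longer describe the conditions under them, which now also require the caller's own destination (`daddr`) to be specified before a difference counts. Suggested wording: `/* both dest ports known and different -> unique */` and `/* both dst addresses known and different -> unique */`. A one-line note at the top of the function that an unspecified destination on the new id now falls through to the "not unique" result would document the contract the rdma_bind_addr hunk relies on; cma_port_is_unique begins outside the hunk.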
diff --git a/queue-4.15/rdma-ucma-don-t-allow-join-attempts-for-unsupported-af-family.patch b/queue-4.15/rdma-ucma-don-t-allow-join-attempts-for-unsupported-af-family.patch
new file mode 100644 (file)
index 0000000..1c81217
--- /dev/null
@@ -0,0 +1,99 @@
+From 0c81ffc60d5280991773d17e84bda605387148b1 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Tue, 13 Mar 2018 18:37:27 +0200
+Subject: RDMA/ucma: Don't allow join attempts for unsupported AF family
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit 0c81ffc60d5280991773d17e84bda605387148b1 upstream.
+
+Users can provide garbage while calling to ucma_join_ip_multicast(),
+it will indirectly cause to rdma_addr_size() return 0, making the
+call to ucma_process_join(), which had the right checks, but it is
+better to check the input as early as possible.
+
+The following crash from syzkaller revealed it.
+
+kernel BUG at lib/string.c:1052!
+invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer:
+   (ftrace buffer empty)
+Modules linked in:
+CPU: 0 PID: 4113 Comm: syz-executor0 Not tainted 4.16.0-rc5+ #261
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
+RSP: 0018:ffff8801ca81f8f0 EFLAGS: 00010286
+RAX: 0000000000000022 RBX: 1ffff10039503f23 RCX: 0000000000000000
+RDX: 0000000000000022 RSI: 1ffff10039503ed3 RDI: ffffed0039503f12
+RBP: ffff8801ca81f8f0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000006 R11: 0000000000000000 R12: ffff8801ca81f998
+R13: ffff8801ca81f938 R14: ffff8801ca81fa58 R15: 000000000000fa00
+FS:  0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:000000000a12a900
+CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
+CR2: 0000000008138024 CR3: 00000001cbb58004 CR4: 00000000001606f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ memcpy include/linux/string.h:344 [inline]
+ ucma_join_ip_multicast+0x36b/0x3b0 drivers/infiniband/core/ucma.c:1421
+ ucma_write+0x2d6/0x3d0 drivers/infiniband/core/ucma.c:1633
+ __vfs_write+0xef/0x970 fs/read_write.c:480
+ vfs_write+0x189/0x510 fs/read_write.c:544
+ SYSC_write fs/read_write.c:589 [inline]
+ SyS_write+0xef/0x220 fs/read_write.c:581
+ do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
+ do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
+ entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7f9ec99
+RSP: 002b:00000000ff8172cc EFLAGS: 00000282 ORIG_RAX: 0000000000000004
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000100
+RDX: 0000000000000063 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 42 2c e3 fb eb de
+55 48 89 fe 48 c7 c7 80 75 98 86 48 89 e5 e8 85 95 94 fb <0f> 0b 90 90 90 90
+90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
+RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801ca81f8f0
+
+Fixes: 5bc2b7b397b0 ("RDMA/ucma: Allow user space to specify AF_IB when joining multicast")
+Reported-by: <syzbot+2287ac532caa81900a4e@syzkaller.appspotmail.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Reviewed-by: Sean Hefty <sean.hefty@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/ucma.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1348,7 +1348,7 @@ static ssize_t ucma_process_join(struct
+               return -ENOSPC;
+       addr = (struct sockaddr *) &cmd->addr;
+-      if (!cmd->addr_size || (cmd->addr_size != rdma_addr_size(addr)))
++      if (cmd->addr_size != rdma_addr_size(addr))
+               return -EINVAL;
+       if (cmd->join_flags == RDMA_MC_JOIN_FLAG_FULLMEMBER)
+@@ -1416,6 +1416,9 @@ static ssize_t ucma_join_ip_multicast(st
+       join_cmd.uid = cmd.uid;
+       join_cmd.id = cmd.id;
+       join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr);
++      if (!join_cmd.addr_size)
++              return -EINVAL;
++
+       join_cmd.join_flags = RDMA_MC_JOIN_FLAG_FULLMEMBER;
+       memcpy(&join_cmd.addr, &cmd.addr, join_cmd.addr_size);
+@@ -1431,6 +1434,9 @@ static ssize_t ucma_join_multicast(struc
+       if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+               return -EFAULT;
++      if (!rdma_addr_size((struct sockaddr *)&cmd.addr))
++              return -EINVAL;
++
+       return ucma_process_join(file, &cmd, out_len);
+ }
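Review bot: After dropping `!cmd->addr_size ||` from ucma_process_join, the remaining `cmd->addr_size != rdma_addr_size(addr)` test accepts an addr_size of 0 whenever rdma_addr_size() also returns 0 for an unsupported family, so the function now relies entirely on its callers (ucma_join_ip_multicast and ucma_join_multicast, which the following hunks do fix) to reject that case first. That contract is invisible at the check itself; a comment such as `/* callers must already have rejected rdma_addr_size() == 0 */` would keep a future caller from reintroducing the zero-length path that produced the fortify panic in the log. ucma_process_join begins outside the hunk.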
diff --git a/queue-4.15/rdma-ucma-fix-access-to-non-initialized-cm_id-object.patch b/queue-4.15/rdma-ucma-fix-access-to-non-initialized-cm_id-object.patch
new file mode 100644 (file)
index 0000000..9e3d63c
--- /dev/null
@@ -0,0 +1,155 @@
+From 7688f2c3bbf55e52388e37ac5d63ca471a7712e1 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Tue, 13 Mar 2018 11:43:23 +0200
+Subject: RDMA/ucma: Fix access to non-initialized CM_ID object
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit 7688f2c3bbf55e52388e37ac5d63ca471a7712e1 upstream.
+
+The attempt to join multicast group without ensuring that CMA device
+exists will lead to the following crash reported by syzkaller.
+
+[   64.076794] BUG: KASAN: null-ptr-deref in rdma_join_multicast+0x26e/0x12c0
+[   64.076797] Read of size 8 at addr 00000000000000b0 by task join/691
+[   64.076797]
+[   64.076800] CPU: 1 PID: 691 Comm: join Not tainted 4.16.0-rc1-00219-gb97853b65b93 #23
+[   64.076802] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-proj4
+[   64.076803] Call Trace:
+[   64.076809]  dump_stack+0x5c/0x77
+[   64.076817]  kasan_report+0x163/0x380
+[   64.085859]  ? rdma_join_multicast+0x26e/0x12c0
+[   64.086634]  rdma_join_multicast+0x26e/0x12c0
+[   64.087370]  ? rdma_disconnect+0xf0/0xf0
+[   64.088579]  ? __radix_tree_replace+0xc3/0x110
+[   64.089132]  ? node_tag_clear+0x81/0xb0
+[   64.089606]  ? idr_alloc_u32+0x12e/0x1a0
+[   64.090517]  ? __fprop_inc_percpu_max+0x150/0x150
+[   64.091768]  ? tracing_record_taskinfo+0x10/0xc0
+[   64.092340]  ? idr_alloc+0x76/0xc0
+[   64.092951]  ? idr_alloc_u32+0x1a0/0x1a0
+[   64.093632]  ? ucma_process_join+0x23d/0x460
+[   64.094510]  ucma_process_join+0x23d/0x460
+[   64.095199]  ? ucma_migrate_id+0x440/0x440
+[   64.095696]  ? futex_wake+0x10b/0x2a0
+[   64.096159]  ucma_join_multicast+0x88/0xe0
+[   64.096660]  ? ucma_process_join+0x460/0x460
+[   64.097540]  ? _copy_from_user+0x5e/0x90
+[   64.098017]  ucma_write+0x174/0x1f0
+[   64.098640]  ? ucma_resolve_route+0xf0/0xf0
+[   64.099343]  ? rb_erase_cached+0x6c7/0x7f0
+[   64.099839]  __vfs_write+0xc4/0x350
+[   64.100622]  ? perf_syscall_enter+0xe4/0x5f0
+[   64.101335]  ? kernel_read+0xa0/0xa0
+[   64.103525]  ? perf_sched_cb_inc+0xc0/0xc0
+[   64.105510]  ? syscall_exit_register+0x2a0/0x2a0
+[   64.107359]  ? __switch_to+0x351/0x640
+[   64.109285]  ? fsnotify+0x899/0x8f0
+[   64.111610]  ? fsnotify_unmount_inodes+0x170/0x170
+[   64.113876]  ? __fsnotify_update_child_dentry_flags+0x30/0x30
+[   64.115813]  ? ring_buffer_record_is_on+0xd/0x20
+[   64.117824]  ? __fget+0xa8/0xf0
+[   64.119869]  vfs_write+0xf7/0x280
+[   64.122001]  SyS_write+0xa1/0x120
+[   64.124213]  ? SyS_read+0x120/0x120
+[   64.126644]  ? SyS_read+0x120/0x120
+[   64.128563]  do_syscall_64+0xeb/0x250
+[   64.130732]  entry_SYSCALL_64_after_hwframe+0x21/0x86
+[   64.132984] RIP: 0033:0x7f5c994ade99
+[   64.135699] RSP: 002b:00007f5c99b97d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[   64.138740] RAX: ffffffffffffffda RBX: 00000000200001e4 RCX: 00007f5c994ade99
+[   64.141056] RDX: 00000000000000a0 RSI: 00000000200001c0 RDI: 0000000000000015
+[   64.143536] RBP: 00007f5c99b97ec0 R08: 0000000000000000 R09: 0000000000000000
+[   64.146017] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c99b97fc0
+[   64.148608] R13: 0000000000000000 R14: 00007fff660e1c40 R15: 00007f5c99b989c0
+[   64.151060]
+[   64.153703] Disabling lock debugging due to kernel taint
+[   64.156032] BUG: unable to handle kernel NULL pointer dereference at 00000000000000b0
+[   64.159066] IP: rdma_join_multicast+0x26e/0x12c0
+[   64.161451] PGD 80000001d0298067 P4D 80000001d0298067 PUD 1dea39067 PMD 0
+[   64.164442] Oops: 0000 [#1] SMP KASAN PTI
+[   64.166817] CPU: 1 PID: 691 Comm: join Tainted: G    B 4.16.0-rc1-00219-gb97853b65b93 #23
+[   64.170004] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-proj4
+[   64.174985] RIP: 0010:rdma_join_multicast+0x26e/0x12c0
+[   64.177246] RSP: 0018:ffff8801c8207860 EFLAGS: 00010282
+[   64.179901] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff94789522
+[   64.183344] RDX: 1ffffffff2d50fa5 RSI: 0000000000000297 RDI: 0000000000000297
+[   64.186237] RBP: ffff8801c8207a50 R08: 0000000000000000 R09: ffffed0039040ea7
+[   64.189328] R10: 0000000000000001 R11: ffffed0039040ea6 R12: 0000000000000000
+[   64.192634] R13: 0000000000000000 R14: ffff8801e2022800 R15: ffff8801d4ac2400
+[   64.196105] FS:  00007f5c99b98700(0000) GS:ffff8801e5d00000(0000) knlGS:0000000000000000
+[   64.199211] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   64.202046] CR2: 00000000000000b0 CR3: 00000001d1c48004 CR4: 00000000003606a0
+[   64.205032] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[   64.208221] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[   64.211554] Call Trace:
+[   64.213464]  ? rdma_disconnect+0xf0/0xf0
+[   64.216124]  ? __radix_tree_replace+0xc3/0x110
+[   64.219337]  ? node_tag_clear+0x81/0xb0
+[   64.222140]  ? idr_alloc_u32+0x12e/0x1a0
+[   64.224422]  ? __fprop_inc_percpu_max+0x150/0x150
+[   64.226588]  ? tracing_record_taskinfo+0x10/0xc0
+[   64.229763]  ? idr_alloc+0x76/0xc0
+[   64.232186]  ? idr_alloc_u32+0x1a0/0x1a0
+[   64.234505]  ? ucma_process_join+0x23d/0x460
+[   64.237024]  ucma_process_join+0x23d/0x460
+[   64.240076]  ? ucma_migrate_id+0x440/0x440
+[   64.243284]  ? futex_wake+0x10b/0x2a0
+[   64.245302]  ucma_join_multicast+0x88/0xe0
+[   64.247783]  ? ucma_process_join+0x460/0x460
+[   64.250841]  ? _copy_from_user+0x5e/0x90
+[   64.253878]  ucma_write+0x174/0x1f0
+[   64.257008]  ? ucma_resolve_route+0xf0/0xf0
+[   64.259877]  ? rb_erase_cached+0x6c7/0x7f0
+[   64.262746]  __vfs_write+0xc4/0x350
+[   64.265537]  ? perf_syscall_enter+0xe4/0x5f0
+[   64.267792]  ? kernel_read+0xa0/0xa0
+[   64.270358]  ? perf_sched_cb_inc+0xc0/0xc0
+[   64.272575]  ? syscall_exit_register+0x2a0/0x2a0
+[   64.275367]  ? __switch_to+0x351/0x640
+[   64.277700]  ? fsnotify+0x899/0x8f0
+[   64.280530]  ? fsnotify_unmount_inodes+0x170/0x170
+[   64.283156]  ? __fsnotify_update_child_dentry_flags+0x30/0x30
+[   64.286182]  ? ring_buffer_record_is_on+0xd/0x20
+[   64.288749]  ? __fget+0xa8/0xf0
+[   64.291136]  vfs_write+0xf7/0x280
+[   64.292972]  SyS_write+0xa1/0x120
+[   64.294965]  ? SyS_read+0x120/0x120
+[   64.297474]  ? SyS_read+0x120/0x120
+[   64.299751]  do_syscall_64+0xeb/0x250
+[   64.301826]  entry_SYSCALL_64_after_hwframe+0x21/0x86
+[   64.304352] RIP: 0033:0x7f5c994ade99
+[   64.306711] RSP: 002b:00007f5c99b97d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[   64.309577] RAX: ffffffffffffffda RBX: 00000000200001e4 RCX: 00007f5c994ade99
+[   64.312334] RDX: 00000000000000a0 RSI: 00000000200001c0 RDI: 0000000000000015
+[   64.315783] RBP: 00007f5c99b97ec0 R08: 0000000000000000 R09: 0000000000000000
+[   64.318365] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5c99b97fc0
+[   64.320980] R13: 0000000000000000 R14: 00007fff660e1c40 R15: 00007f5c99b989c0
+[   64.323515] Code: e8 e8 79 08 ff 4c 89 ff 45 0f b6 a7 b8 01 00 00 e8 68 7c 08 ff 49 8b 1f 4d 89 e5 49 c1 e4 04 48 8
+[   64.330753] RIP: rdma_join_multicast+0x26e/0x12c0 RSP: ffff8801c8207860
+[   64.332979] CR2: 00000000000000b0
+[   64.335550] ---[ end trace 0c00c17a408849c1 ]---
+
+Reported-by: <syzbot+e6aba77967bd72cbc9d6@syzkaller.appspotmail.com>
+Fixes: c8f6a362bf3e ("RDMA/cma: Add multicast communication support")
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Reviewed-by: Sean Hefty <sean.hefty@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/cma.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -4116,6 +4116,9 @@ int rdma_join_multicast(struct rdma_cm_i
+       struct cma_multicast *mc;
+       int ret;
++      if (!id->device)
++              return -EINVAL;
++
+       id_priv = container_of(id, struct rdma_id_private, id);
+       if (!cma_comp(id_priv, RDMA_CM_ADDR_BOUND) &&
+           !cma_comp(id_priv, RDMA_CM_ADDR_RESOLVED))
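Review bot: The new `if (!id->device) return -EINVAL;` in rdma_join_multicast carries no comment, so a reader has to recover from the commit message why an id that passes the ADDR_BOUND/ADDR_RESOLVED state check below can still lack a device. A line such as `/* joining dereferences id->device; an id may be bound without a device attached yet */` would record that; the exact binding scenario is only inferred from the message and should be confirmed in cma.c. The check reads `id->device` while the rest of the function works through `id_priv`, so it is worth confirming that `id->device` and `id_priv->cma_dev` are kept consistent under the same locking. rdma_join_multicast begins and ends outside the hunk.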
diff --git a/queue-4.15/serial-8250_pci-don-t-fail-on-multiport-card-class.patch b/queue-4.15/serial-8250_pci-don-t-fail-on-multiport-card-class.patch
new file mode 100644 (file)
index 0000000..fcdd731
--- /dev/null
@@ -0,0 +1,54 @@
+From e7f3e99cb1a667d04d60d02957fbed58b50d4e5a Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Fri, 2 Feb 2018 20:39:13 +0200
+Subject: serial: 8250_pci: Don't fail on multiport card class
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit e7f3e99cb1a667d04d60d02957fbed58b50d4e5a upstream.
+
+Do not fail on multiport cards in serial_pci_is_class_communication().
+
+It restores behaviour for SUNIX multiport cards, that enumerated by
+class and have a custom board data.
+
+Moreover it allows users to reenumerate port-by-port from user space.
+
+Fixes: 7d8905d06405 ("serial: 8250_pci: Enable device after we check black list")
+Reported-by: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Tested-by: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_pci.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -3387,11 +3387,9 @@ static int serial_pci_is_class_communica
+       /*
+        * If it is not a communications device or the programming
+        * interface is greater than 6, give up.
+-       *
+-       * (Should we try to make guesses for multiport serial devices
+-       * later?)
+        */
+       if ((((dev->class >> 8) != PCI_CLASS_COMMUNICATION_SERIAL) &&
++           ((dev->class >> 8) != PCI_CLASS_COMMUNICATION_MULTISERIAL) &&
+            ((dev->class >> 8) != PCI_CLASS_COMMUNICATION_MODEM)) ||
+           (dev->class & 0xff) > 6)
+               return -ENODEV;
+@@ -3428,6 +3426,12 @@ serial_pci_guess_board(struct pci_dev *d
+ {
+       int num_iomem, num_port, first_port = -1, i;
++      /*
++       * Should we try to make guesses for multiport serial devices later?
++       */
++      if ((dev->class >> 8) == PCI_CLASS_COMMUNICATION_MULTISERIAL)
++              return -ENODEV;
++
+       num_iomem = num_port = 0;
+       for (i = 0; i < PCI_NUM_BAR_RESOURCES; i++) {
+               if (pci_resource_flags(dev, i) & IORESOURCE_IO) {
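Review bot: The comment moved in front of the new MULTISERIAL check in serial_pci_guess_board still reads as an open question ("Should we try to make guesses for multiport serial devices later?") rather than stating why the function returns -ENODEV, so a reader cannot tell whether the early exit is policy or a leftover. Based on the description, the intent appears to be that multiport cards are accepted by class in serial_pci_is_class_communication but are never probed by the BAR-counting heuristic, only matched against explicit board data (the SUNIX entries are the cited case); I would replace the question with `/* Multiport cards are never guessed from BAR layout; they are only bound through explicit board data, so bail out here. */` and hedge the word "only" if other matching paths exist outside this hunk. In serial_pci_is_class_communication the `dev->class >> 8` expression is now evaluated three times in one condition; hoisting it into a local before the `if` would make the class test easier to read. The body of serial_pci_is_class_communication begins before this hunk and serial_pci_guess_board continues past it.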
index 00e824d467b69dfeb108480596e35663ad0b4644..ed3610e25e032172e6c59ce45dc4498aa173bfa6 100644 (file)
@@ -74,3 +74,10 @@ clk-si5351-rename-internal-plls-to-avoid-name-collisions.patch
 crypto-artpec6-set-correct-iv-size-for-gcm-aes.patch
 hwrng-core-clean-up-rng-list-when-last-hwrng-is-unregistered.patch
 dmaengine-ti-dma-crossbar-fix-event-mapping-for-tpcc_evt_mux_60_63.patch
+ib-mlx5-fix-integer-overflows-in-mlx5_ib_create_srq.patch
+ib-mlx5-fix-out-of-bounds-read-in-create_raw_packet_qp_rq.patch
+serial-8250_pci-don-t-fail-on-multiport-card-class.patch
+rdma-core-do-not-use-invalid-destination-in-determining-port-reuse.patch
+clk-migrate-the-count-of-orphaned-clocks-at-init.patch
+rdma-ucma-fix-access-to-non-initialized-cm_id-object.patch
+rdma-ucma-don-t-allow-join-attempts-for-unsupported-af-family.patch