--- /dev/null
+From 673b4271665a12fa839a12abb50e6f6e9953c081 Mon Sep 17 00:00:00 2001
+From: Jouke Witteveen <j.witteveen@gmail.com>
+Date: Wed, 4 Jul 2018 12:27:15 +0200
+Subject: ACPI / battery: Safe unregistering of hooks
+
+From: Jouke Witteveen <j.witteveen@gmail.com>
+
+commit 673b4271665a12fa839a12abb50e6f6e9953c081 upstream.
+
+A hooking API was implemented for 4.17 in fa93854f7a7ed63d followed
+by hooks for Thinkpad laptops in 2801b9683f740012. The Thinkpad
+drivers did not support the Thinkpad 13 and the hooking API crashes
+on unsupported batteries by altering a list of hooks during unsafe
+iteration. Thus, Thinkpad 13 laptops could no longer boot.
+
+Additionally, a lock was kept in place and debugging information was
+printed out of order.
+
+Fixes: fa93854f7a7e (battery: Add the battery hooking API)
+Cc: 4.17+ <stable@vger.kernel.org> # 4.17+
+Signed-off-by: Jouke Witteveen <j.witteveen@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/battery.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/acpi/battery.c
++++ b/drivers/acpi/battery.c
+@@ -709,10 +709,11 @@ void battery_hook_register(struct acpi_b
+ */
+ pr_err("extension failed to load: %s", hook->name);
+ __battery_hook_unregister(hook, 0);
+- return;
++ goto end;
+ }
+ }
+ pr_info("new extension: %s\n", hook->name);
++end:
+ mutex_unlock(&hook_mutex);
+ }
+ EXPORT_SYMBOL_GPL(battery_hook_register);
+@@ -724,7 +725,7 @@ EXPORT_SYMBOL_GPL(battery_hook_register)
+ */
+ static void battery_hook_add_battery(struct acpi_battery *battery)
+ {
+- struct acpi_battery_hook *hook_node;
++ struct acpi_battery_hook *hook_node, *tmp;
+
+ mutex_lock(&hook_mutex);
+ INIT_LIST_HEAD(&battery->list);
+@@ -736,15 +737,15 @@ static void battery_hook_add_battery(str
+ * when a battery gets hotplugged or initialized
+ * during the battery module initialization.
+ */
+- list_for_each_entry(hook_node, &battery_hook_list, list) {
++ list_for_each_entry_safe(hook_node, tmp, &battery_hook_list, list) {
+ if (hook_node->add_battery(battery->bat)) {
+ /*
+ * The notification of the extensions has failed, to
+ * prevent further errors we will unload the extension.
+ */
+- __battery_hook_unregister(hook_node, 0);
+ pr_err("error in extension, unloading: %s",
+ hook_node->name);
++ __battery_hook_unregister(hook_node, 0);
+ }
+ }
+ mutex_unlock(&hook_mutex);
--- /dev/null
+From a0d5f3b69af7733f3173a8e19d51f68a08017c76 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Sat, 30 Jun 2018 23:24:04 +0200
+Subject: ACPICA: Drop leading newlines from error messages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit a0d5f3b69af7733f3173a8e19d51f68a08017c76 upstream.
+
+Commit 5088814a6e93 (ACPICA: AML parser: attempt to continue loading
+table after error) unintentionally added leading newlines to error
+messages emitted by ACPICA which caused unexpected things to be
+printed to the kernel log. Drop these newlines (which effectively
+reverts the part of commit 5088814a6e93 adding them).
+
+Fixes: 5088814a6e93 (ACPICA: AML parser: attempt to continue loading table after error)
+Reported-by: Toralf Förster <toralf.foerster@gmx.de>
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Cc: 4.17+ <stable@vger.kernel.org> # 4.17+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/acpica/uterror.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/acpi/acpica/uterror.c
++++ b/drivers/acpi/acpica/uterror.c
+@@ -182,19 +182,19 @@ acpi_ut_prefixed_namespace_error(const c
+ switch (lookup_status) {
+ case AE_ALREADY_EXISTS:
+
+- acpi_os_printf("\n" ACPI_MSG_BIOS_ERROR);
++ acpi_os_printf(ACPI_MSG_BIOS_ERROR);
+ message = "Failure creating";
+ break;
+
+ case AE_NOT_FOUND:
+
+- acpi_os_printf("\n" ACPI_MSG_BIOS_ERROR);
++ acpi_os_printf(ACPI_MSG_BIOS_ERROR);
+ message = "Could not resolve";
+ break;
+
+ default:
+
+- acpi_os_printf("\n" ACPI_MSG_ERROR);
++ acpi_os_printf(ACPI_MSG_ERROR);
+ message = "Failure resolving";
+ break;
+ }
--- /dev/null
+From 2cd5fe22d9a45cdf11c62bbe8db3ce9101207510 Mon Sep 17 00:00:00 2001
+From: Lyude Paul <lyude@redhat.com>
+Date: Mon, 25 Jun 2018 21:09:04 -0400
+Subject: drm/amdgpu: Make struct amdgpu_atif private to amdgpu_acpi.c
+
+From: Lyude Paul <lyude@redhat.com>
+
+commit 2cd5fe22d9a45cdf11c62bbe8db3ce9101207510 upstream.
+
+Currently, there is nothing in amdgpu that actually uses these structs
+other than amdgpu_acpi.c. Additionally, since we're about to start
+saving the correct ACPI handle to use for calling ATIF in this struct
+this saves us from having to handle making sure that the acpi_handle
+(and by proxy, the type definition for acpi_handle and all of the other
+acpi headers) doesn't need to be included within the amdgpu_drv struct
+itself. This follows the example set by amdgpu_atpx_handler.c.
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu.h | 40 +---------------------
+ drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 54 +++++++++++++++++++++++++++++--
+ 2 files changed, 53 insertions(+), 41 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
+@@ -188,6 +188,7 @@ struct amdgpu_job;
+ struct amdgpu_irq_src;
+ struct amdgpu_fpriv;
+ struct amdgpu_bo_va_mapping;
++struct amdgpu_atif;
+
+ enum amdgpu_cp_irq {
+ AMDGPU_CP_IRQ_GFX_EOP = 0,
+@@ -1246,43 +1247,6 @@ struct amdgpu_vram_scratch {
+ /*
+ * ACPI
+ */
+-struct amdgpu_atif_notification_cfg {
+- bool enabled;
+- int command_code;
+-};
+-
+-struct amdgpu_atif_notifications {
+- bool display_switch;
+- bool expansion_mode_change;
+- bool thermal_state;
+- bool forced_power_state;
+- bool system_power_state;
+- bool display_conf_change;
+- bool px_gfx_switch;
+- bool brightness_change;
+- bool dgpu_display_event;
+-};
+-
+-struct amdgpu_atif_functions {
+- bool system_params;
+- bool sbios_requests;
+- bool select_active_disp;
+- bool lid_state;
+- bool get_tv_standard;
+- bool set_tv_standard;
+- bool get_panel_expansion_mode;
+- bool set_panel_expansion_mode;
+- bool temperature_change;
+- bool graphics_device_types;
+-};
+-
+-struct amdgpu_atif {
+- struct amdgpu_atif_notifications notifications;
+- struct amdgpu_atif_functions functions;
+- struct amdgpu_atif_notification_cfg notification_cfg;
+- struct amdgpu_encoder *encoder_for_bl;
+-};
+-
+ struct amdgpu_atcs_functions {
+ bool get_ext_state;
+ bool pcie_perf_req;
+@@ -1430,7 +1394,7 @@ struct amdgpu_device {
+ #if defined(CONFIG_DEBUG_FS)
+ struct dentry *debugfs_regs[AMDGPU_DEBUGFS_MAX_COMPONENTS];
+ #endif
+- struct amdgpu_atif atif;
++ struct amdgpu_atif *atif;
+ struct amdgpu_atcs atcs;
+ struct mutex srbm_mutex;
+ /* GRBM index mutex. Protects concurrent access to GRBM index */
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
+@@ -34,6 +34,43 @@
+ #include "amd_acpi.h"
+ #include "atom.h"
+
++struct amdgpu_atif_notification_cfg {
++ bool enabled;
++ int command_code;
++};
++
++struct amdgpu_atif_notifications {
++ bool display_switch;
++ bool expansion_mode_change;
++ bool thermal_state;
++ bool forced_power_state;
++ bool system_power_state;
++ bool display_conf_change;
++ bool px_gfx_switch;
++ bool brightness_change;
++ bool dgpu_display_event;
++};
++
++struct amdgpu_atif_functions {
++ bool system_params;
++ bool sbios_requests;
++ bool select_active_disp;
++ bool lid_state;
++ bool get_tv_standard;
++ bool set_tv_standard;
++ bool get_panel_expansion_mode;
++ bool set_panel_expansion_mode;
++ bool temperature_change;
++ bool graphics_device_types;
++};
++
++struct amdgpu_atif {
++ struct amdgpu_atif_notifications notifications;
++ struct amdgpu_atif_functions functions;
++ struct amdgpu_atif_notification_cfg notification_cfg;
++ struct amdgpu_encoder *encoder_for_bl;
++};
++
+ /* Call the ATIF method
+ */
+ /**
+@@ -292,7 +329,7 @@ out:
+ static int amdgpu_atif_handler(struct amdgpu_device *adev,
+ struct acpi_bus_event *event)
+ {
+- struct amdgpu_atif *atif = &adev->atif;
++ struct amdgpu_atif *atif = adev->atif;
+ struct atif_sbios_requests req;
+ acpi_handle handle;
+ int count;
+@@ -303,7 +340,8 @@ static int amdgpu_atif_handler(struct am
+ if (strcmp(event->device_class, ACPI_VIDEO_CLASS) != 0)
+ return NOTIFY_DONE;
+
+- if (!atif->notification_cfg.enabled ||
++ if (!atif ||
++ !atif->notification_cfg.enabled ||
+ event->type != atif->notification_cfg.command_code)
+ /* Not our event */
+ return NOTIFY_DONE;
+@@ -642,7 +680,7 @@ static int amdgpu_acpi_event(struct noti
+ int amdgpu_acpi_init(struct amdgpu_device *adev)
+ {
+ acpi_handle handle;
+- struct amdgpu_atif *atif = &adev->atif;
++ struct amdgpu_atif *atif;
+ struct amdgpu_atcs *atcs = &adev->atcs;
+ int ret;
+
+@@ -659,11 +697,19 @@ int amdgpu_acpi_init(struct amdgpu_devic
+ }
+
+ /* Call the ATIF method */
++ atif = kzalloc(sizeof(*atif), GFP_KERNEL);
++ if (!atif) {
++ DRM_WARN("Not enough memory to initialize ATIF\n");
++ goto out;
++ }
++
+ ret = amdgpu_atif_verify_interface(handle, atif);
+ if (ret) {
+ DRM_DEBUG_DRIVER("Call to ATIF verify_interface failed: %d\n", ret);
++ kfree(atif);
+ goto out;
+ }
++ adev->atif = atif;
+
+ if (atif->notifications.brightness_change) {
+ struct drm_encoder *tmp;
+@@ -720,4 +766,6 @@ out:
+ void amdgpu_acpi_fini(struct amdgpu_device *adev)
+ {
+ unregister_acpi_notifier(&adev->acpi_nb);
++ if (adev->atif)
++ kfree(adev->atif);
+ }
--- /dev/null
+From 520495fe96d74e05db585fc748351e0504d8f40d Mon Sep 17 00:00:00 2001
+From: Cannon Matthews <cannonmatthews@google.com>
+Date: Tue, 3 Jul 2018 17:02:43 -0700
+Subject: mm: hugetlb: yield when prepping struct pages
+
+From: Cannon Matthews <cannonmatthews@google.com>
+
+commit 520495fe96d74e05db585fc748351e0504d8f40d upstream.
+
+When booting with very large numbers of gigantic (i.e. 1G) pages, the
+operations in the loop of gather_bootmem_prealloc, and specifically
+prep_compound_gigantic_page, takes a very long time, and can cause a
+softlockup if enough pages are requested at boot.
+
+For example booting with 3844 1G pages requires prepping
+(set_compound_head, init the count) over 1 billion 4K tail pages, which
+takes considerable time.
+
+Add a cond_resched() to the outer loop in gather_bootmem_prealloc() to
+prevent this lockup.
+
+Tested: Booted with softlockup_panic=1 hugepagesz=1G hugepages=3844 and
+no softlockup is reported, and the hugepages are reported as
+successfully setup.
+
+Link: http://lkml.kernel.org/r/20180627214447.260804-1-cannonmatthews@google.com
+Signed-off-by: Cannon Matthews <cannonmatthews@google.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Andres Lagar-Cavilla <andreslc@google.com>
+Cc: Peter Feiner <pfeiner@google.com>
+Cc: Greg Thelen <gthelen@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/hugetlb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -2163,6 +2163,7 @@ static void __init gather_bootmem_preall
+ */
+ if (hstate_is_gigantic(h))
+ adjust_managed_page_count(page, 1 << h->order);
++ cond_resched();
+ }
+ }
+
--- /dev/null
+From fc36def997cfd6cbff3eda4f82853a5c311c5466 Mon Sep 17 00:00:00 2001
+From: Pavel Tatashin <pasha.tatashin@oracle.com>
+Date: Tue, 3 Jul 2018 17:02:53 -0700
+Subject: mm: teach dump_page() to correctly output poisoned struct pages
+
+From: Pavel Tatashin <pasha.tatashin@oracle.com>
+
+commit fc36def997cfd6cbff3eda4f82853a5c311c5466 upstream.
+
+If struct page is poisoned, and uninitialized access is detected via
+PF_POISONED_CHECK(page) dump_page() is called to output the page. But,
+the dump_page() itself accesses struct page to determine how to print
+it, and therefore gets into a recursive loop.
+
+For example:
+
+ dump_page()
+ __dump_page()
+ PageSlab(page)
+ PF_POISONED_CHECK(page)
+ VM_BUG_ON_PGFLAGS(PagePoisoned(page), page)
+ dump_page() recursion loop.
+
+Link: http://lkml.kernel.org/r/20180702180536.2552-1-pasha.tatashin@oracle.com
+Fixes: f165b378bbdf ("mm: uninitialized struct page poisoning sanity checking")
+Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/debug.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/mm/debug.c
++++ b/mm/debug.c
+@@ -43,12 +43,25 @@ const struct trace_print_flags vmaflag_n
+
+ void __dump_page(struct page *page, const char *reason)
+ {
++ bool page_poisoned = PagePoisoned(page);
++ int mapcount;
++
++ /*
++ * If struct page is poisoned don't access Page*() functions as that
++ * leads to recursive loop. Page*() check for poisoned pages, and calls
++ * dump_page() when detected.
++ */
++ if (page_poisoned) {
++ pr_emerg("page:%px is uninitialized and poisoned", page);
++ goto hex_only;
++ }
++
+ /*
+ * Avoid VM_BUG_ON() in page_mapcount().
+ * page->_mapcount space in struct page is used by sl[aou]b pages to
+ * encode own info.
+ */
+- int mapcount = PageSlab(page) ? 0 : page_mapcount(page);
++ mapcount = PageSlab(page) ? 0 : page_mapcount(page);
+
+ pr_emerg("page:%px count:%d mapcount:%d mapping:%px index:%#lx",
+ page, page_ref_count(page), mapcount,
+@@ -60,6 +73,7 @@ void __dump_page(struct page *page, cons
+
+ pr_emerg("flags: %#lx(%pGp)\n", page->flags, &page->flags);
+
++hex_only:
+ print_hex_dump(KERN_ALERT, "raw: ", DUMP_PREFIX_NONE, 32,
+ sizeof(unsigned long), page,
+ sizeof(struct page), false);
+@@ -68,7 +82,7 @@ void __dump_page(struct page *page, cons
+ pr_alert("page dumped because: %s\n", reason);
+
+ #ifdef CONFIG_MEMCG
+- if (page->mem_cgroup)
++ if (!page_poisoned && page->mem_cgroup)
+ pr_alert("page->mem_cgroup:%px\n", page->mem_cgroup);
+ #endif
+ }
--- /dev/null
+From 26112ddc254c98681b224aa9ededefc01b6e02d2 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Sat, 30 Jun 2018 23:19:33 +0200
+Subject: PCI / ACPI / PM: Resume bridges w/o drivers on suspend-to-RAM
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 26112ddc254c98681b224aa9ededefc01b6e02d2 upstream.
+
+It is reported that commit c62ec4610c40 (PM / core: Fix direct_complete
+handling for devices with no callbacks) introduced a system suspend
+regression on Samsung 305V4A by allowing a PCI bridge (not a PCIe
+port) to stay in D3 over suspend-to-RAM, which is a side effect of
+setting power.direct_complete for the children of that bridge that
+have no PM callbacks.
+
+On the majority of systems PCI bridges are not allowed to be
+runtime-suspended (the power/control sysfs attribute is set to "on"
+for them by default), but user space can change that setting and if
+it does so and a given bridge has no children with PM callbacks, the
+direct_complete optimization will be applied to it and it will stay
+in suspend over system suspend. Apparently, that confuses the
+platform firmware on the affected machine and that may very well
+happen elsewhere, so avoid the direct_complete optimization for
+PCI bridges with no drivers (if there is a driver, it should take
+care of the PM handling) on suspend-to-RAM altogether (that should
+not matter for suspend-to-idle as platform firmware is not involved
+in it).
+
+Fixes: c62ec4610c40 (PM / core: Fix direct_complete handling for devices with no callbacks)
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199941
+Reported-by: n0000b.n000b@gmail.com
+Tested-by: n0000b.n000b@gmail.com
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: 4.15+ <stable@vger.kernel.org> # 4.15+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci-acpi.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/pci/pci-acpi.c
++++ b/drivers/pci/pci-acpi.c
+@@ -598,6 +598,18 @@ static bool acpi_pci_need_resume(struct
+ {
+ struct acpi_device *adev = ACPI_COMPANION(&dev->dev);
+
++ /*
++ * In some cases (eg. Samsung 305V4A) leaving a bridge in suspend over
++ * system-wide suspend/resume confuses the platform firmware, so avoid
++ * doing that, unless the bridge has a driver that should take care of
++ * the PM handling. According to Section 16.1.6 of ACPI 6.2, endpoint
++ * devices are expected to be in D3 before invoking the S3 entry path
++ * from the firmware, so they should not be affected by this issue.
++ */
++ if (pci_is_bridge(dev) && !dev->driver &&
++ acpi_target_system_state() != ACPI_STATE_S0)
++ return true;
++
+ if (!adev || !acpi_device_power_manageable(adev))
+ return false;
+
--- /dev/null
+From 26b5b874aff5659a7e26e5b1997e3df2c41fa7fd Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Mon, 25 Jun 2018 16:25:44 +0200
+Subject: scsi: sg: mitigate read/write abuse
+
+From: Jann Horn <jannh@google.com>
+
+commit 26b5b874aff5659a7e26e5b1997e3df2c41fa7fd upstream.
+
+As Al Viro noted in commit 128394eff343 ("sg_write()/bsg_write() is not fit
+to be called under KERNEL_DS"), sg improperly accesses userspace memory
+outside the provided buffer, permitting kernel memory corruption via
+splice(). But it doesn't just do it on ->write(), also on ->read().
+
+As a band-aid, make sure that the ->read() and ->write() handlers can not
+be called in weird contexts (kernel context or credentials different from
+file opener), like for ib_safe_file_access().
+
+If someone needs to use these interfaces from different security contexts,
+a new interface should be written that goes through the ->ioctl() handler.
+
+I've mostly copypasted ib_safe_file_access() over as sg_safe_file_access()
+because I couldn't find a good common header - please tell me if you know a
+better way.
+
+[mkp: s/_safe_/_check_/]
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sg.c | 42 ++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 40 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -51,6 +51,7 @@ static int sg_version_num = 30536; /* 2
+ #include <linux/atomic.h>
+ #include <linux/ratelimit.h>
+ #include <linux/uio.h>
++#include <linux/cred.h> /* for sg_check_file_access() */
+
+ #include "scsi.h"
+ #include <scsi/scsi_dbg.h>
+@@ -210,6 +211,33 @@ static void sg_device_destroy(struct kre
+ sdev_prefix_printk(prefix, (sdp)->device, \
+ (sdp)->disk->disk_name, fmt, ##a)
+
++/*
++ * The SCSI interfaces that use read() and write() as an asynchronous variant of
++ * ioctl(..., SG_IO, ...) are fundamentally unsafe, since there are lots of ways
++ * to trigger read() and write() calls from various contexts with elevated
++ * privileges. This can lead to kernel memory corruption (e.g. if these
++ * interfaces are called through splice()) and privilege escalation inside
++ * userspace (e.g. if a process with access to such a device passes a file
++ * descriptor to a SUID binary as stdin/stdout/stderr).
++ *
++ * This function provides protection for the legacy API by restricting the
++ * calling context.
++ */
++static int sg_check_file_access(struct file *filp, const char *caller)
++{
++ if (filp->f_cred != current_real_cred()) {
++ pr_err_once("%s: process %d (%s) changed security contexts after opening file descriptor, this is not allowed.\n",
++ caller, task_tgid_vnr(current), current->comm);
++ return -EPERM;
++ }
++ if (uaccess_kernel()) {
++ pr_err_once("%s: process %d (%s) called from kernel context, this is not allowed.\n",
++ caller, task_tgid_vnr(current), current->comm);
++ return -EACCES;
++ }
++ return 0;
++}
++
+ static int sg_allow_access(struct file *filp, unsigned char *cmd)
+ {
+ struct sg_fd *sfp = filp->private_data;
+@@ -394,6 +422,14 @@ sg_read(struct file *filp, char __user *
+ struct sg_header *old_hdr = NULL;
+ int retval = 0;
+
++ /*
++ * This could cause a response to be stranded. Close the associated
++ * file descriptor to free up any resources being held.
++ */
++ retval = sg_check_file_access(filp, __func__);
++ if (retval)
++ return retval;
++
+ if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
+ return -ENXIO;
+ SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
+@@ -581,9 +617,11 @@ sg_write(struct file *filp, const char _
+ struct sg_header old_hdr;
+ sg_io_hdr_t *hp;
+ unsigned char cmnd[SG_MAX_CDB_SIZE];
++ int retval;
+
+- if (unlikely(uaccess_kernel()))
+- return -EINVAL;
++ retval = sg_check_file_access(filp, __func__);
++ if (retval)
++ return retval;
+
+ if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
+ return -ENXIO;
--- /dev/null
+From cf4d418e653afc84c9c873236033e06be5d58f1c Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 28 Mar 2018 16:09:10 +0200
+Subject: tracing: Avoid string overflow
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit cf4d418e653afc84c9c873236033e06be5d58f1c upstream.
+
+'err' is used as a NUL-terminated string, but using strncpy() with the length
+equal to the buffer size may result in lack of the termination:
+
+kernel/trace/trace_events_hist.c: In function 'hist_err_event':
+kernel/trace/trace_events_hist.c:396:3: error: 'strncpy' specified bound 256 equals destination size [-Werror=stringop-truncation]
+ strncpy(err, var, MAX_FILTER_STR_VAL);
+
+This changes it to use the safer strscpy() instead.
+
+Link: http://lkml.kernel.org/r/20180328140920.2842153-1-arnd@arndb.de
+
+Cc: stable@vger.kernel.org
+Fixes: f404da6e1d46 ("tracing: Add 'last error' error facility for hist triggers")
+Acked-by: Tom Zanussi <tom.zanussi@linux.intel.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_hist.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -393,7 +393,7 @@ static void hist_err_event(char *str, ch
+ else if (system)
+ snprintf(err, MAX_FILTER_STR_VAL, "%s.%s", system, event);
+ else
+- strncpy(err, var, MAX_FILTER_STR_VAL);
++ strscpy(err, var, MAX_FILTER_STR_VAL);
+
+ hist_err(str, err);
+ }
--- /dev/null
+From 1fe4293f4b8de75824935f8d8e9a99c7fc6873da Mon Sep 17 00:00:00 2001
+From: Changbin Du <changbin.du@intel.com>
+Date: Wed, 31 Jan 2018 23:48:49 +0800
+Subject: tracing: Fix missing return symbol in function_graph output
+
+From: Changbin Du <changbin.du@intel.com>
+
+commit 1fe4293f4b8de75824935f8d8e9a99c7fc6873da upstream.
+
+The function_graph tracer does not show the interrupt return marker for the
+leaf entry. On leaf entries, we see an unbalanced interrupt marker (the
+interrupt was entered, but nevern left).
+
+Before:
+ 1) | SyS_write() {
+ 1) | __fdget_pos() {
+ 1) 0.061 us | __fget_light();
+ 1) 0.289 us | }
+ 1) | vfs_write() {
+ 1) 0.049 us | rw_verify_area();
+ 1) + 15.424 us | __vfs_write();
+ 1) ==========> |
+ 1) 6.003 us | smp_apic_timer_interrupt();
+ 1) 0.055 us | __fsnotify_parent();
+ 1) 0.073 us | fsnotify();
+ 1) + 23.665 us | }
+ 1) + 24.501 us | }
+
+After:
+ 0) | SyS_write() {
+ 0) | __fdget_pos() {
+ 0) 0.052 us | __fget_light();
+ 0) 0.328 us | }
+ 0) | vfs_write() {
+ 0) 0.057 us | rw_verify_area();
+ 0) | __vfs_write() {
+ 0) ==========> |
+ 0) 8.548 us | smp_apic_timer_interrupt();
+ 0) <========== |
+ 0) + 36.507 us | } /* __vfs_write */
+ 0) 0.049 us | __fsnotify_parent();
+ 0) 0.066 us | fsnotify();
+ 0) + 50.064 us | }
+ 0) + 50.952 us | }
+
+Link: http://lkml.kernel.org/r/1517413729-20411-1-git-send-email-changbin.du@intel.com
+
+Cc: stable@vger.kernel.org
+Fixes: f8b755ac8e0cc ("tracing/function-graph-tracer: Output arrows signal on hardirq call/return")
+Signed-off-by: Changbin Du <changbin.du@intel.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_functions_graph.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_functions_graph.c
++++ b/kernel/trace/trace_functions_graph.c
+@@ -831,6 +831,7 @@ print_graph_entry_leaf(struct trace_iter
+ struct ftrace_graph_ret *graph_ret;
+ struct ftrace_graph_ent *call;
+ unsigned long long duration;
++ int cpu = iter->cpu;
+ int i;
+
+ graph_ret = &ret_entry->ret;
+@@ -839,7 +840,6 @@ print_graph_entry_leaf(struct trace_iter
+
+ if (data) {
+ struct fgraph_cpu_data *cpu_data;
+- int cpu = iter->cpu;
+
+ cpu_data = per_cpu_ptr(data->cpu_data, cpu);
+
+@@ -869,6 +869,9 @@ print_graph_entry_leaf(struct trace_iter
+
+ trace_seq_printf(s, "%ps();\n", (void *)call->func);
+
++ print_graph_irq(iter, graph_ret->func, TRACE_GRAPH_RET,
++ cpu, iter->ent->pid, flags);
++
+ return trace_handle_return(s);
+ }
+
--- /dev/null
+From 1e2c043628c7736dd56536d16c0ce009bc834ae7 Mon Sep 17 00:00:00 2001
+From: Janosch Frank <frankja@linux.ibm.com>
+Date: Tue, 3 Jul 2018 17:02:39 -0700
+Subject: userfaultfd: hugetlbfs: fix userfaultfd_huge_must_wait() pte access
+
+From: Janosch Frank <frankja@linux.ibm.com>
+
+commit 1e2c043628c7736dd56536d16c0ce009bc834ae7 upstream.
+
+Use huge_ptep_get() to translate huge ptes to normal ptes so we can
+check them with the huge_pte_* functions. Otherwise some architectures
+will check the wrong values and will not wait for userspace to bring in
+the memory.
+
+Link: http://lkml.kernel.org/r/20180626132421.78084-1-frankja@linux.ibm.com
+Fixes: 369cd2121be4 ("userfaultfd: hugetlbfs: userfaultfd_huge_must_wait for hugepmd ranges")
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/userfaultfd.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -220,24 +220,26 @@ static inline bool userfaultfd_huge_must
+ unsigned long reason)
+ {
+ struct mm_struct *mm = ctx->mm;
+- pte_t *pte;
++ pte_t *ptep, pte;
+ bool ret = true;
+
+ VM_BUG_ON(!rwsem_is_locked(&mm->mmap_sem));
+
+- pte = huge_pte_offset(mm, address, vma_mmu_pagesize(vma));
+- if (!pte)
++ ptep = huge_pte_offset(mm, address, vma_mmu_pagesize(vma));
++
++ if (!ptep)
+ goto out;
+
+ ret = false;
++ pte = huge_ptep_get(ptep);
+
+ /*
+ * Lockless access: we're in a wait_event so it's ok if it
+ * changes under us.
+ */
+- if (huge_pte_none(*pte))
++ if (huge_pte_none(pte))
+ ret = true;
+- if (!huge_pte_write(*pte) && (reason & VM_UFFD_WP))
++ if (!huge_pte_write(pte) && (reason & VM_UFFD_WP))
+ ret = true;
+ out:
+ return ret;
projects / thirdparty / kernel / stable-queue.git / commitdiff
