4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Sep 2017 10:53:57 +0000 (12:53 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Sep 2017 10:53:57 +0000 (12:53 +0200)
added patches:
alpha-uapi-add-support-for-__sane_userspace_types__.patch
ceph-fix-readpage-from-fscache.patch
cifs-fix-maximum-smb2-header-size.patch
cifs-remove-endian-related-sparse-warning.patch
cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch
cpuset-fix-incorrect-memory_pressure-control-file-mapping.patch
drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch
lib-mpi-kunmap-after-finishing-accessing-buffer.patch
mm-madvise-ensure-poisoned-pages-are-removed-from-per-cpu-lists.patch
mm-uprobes-fix-multiple-free-of-uprobes_state.xol_area.patch
wl1251-add-a-missing-spin_lock_init.patch
xfrm-policy-check-policy-direction-value.patch

13 files changed:
queue-4.9/alpha-uapi-add-support-for-__sane_userspace_types__.patch [new file with mode: 0644]
queue-4.9/ceph-fix-readpage-from-fscache.patch [new file with mode: 0644]
queue-4.9/cifs-fix-maximum-smb2-header-size.patch [new file with mode: 0644]
queue-4.9/cifs-remove-endian-related-sparse-warning.patch [new file with mode: 0644]
queue-4.9/cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch [new file with mode: 0644]
queue-4.9/cpuset-fix-incorrect-memory_pressure-control-file-mapping.patch [new file with mode: 0644]
queue-4.9/drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch [new file with mode: 0644]
queue-4.9/lib-mpi-kunmap-after-finishing-accessing-buffer.patch [new file with mode: 0644]
queue-4.9/mm-madvise-ensure-poisoned-pages-are-removed-from-per-cpu-lists.patch [new file with mode: 0644]
queue-4.9/mm-uprobes-fix-multiple-free-of-uprobes_state.xol_area.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/wl1251-add-a-missing-spin_lock_init.patch [new file with mode: 0644]
queue-4.9/xfrm-policy-check-policy-direction-value.patch [new file with mode: 0644]

diff --git a/queue-4.9/alpha-uapi-add-support-for-__sane_userspace_types__.patch b/queue-4.9/alpha-uapi-add-support-for-__sane_userspace_types__.patch
new file mode 100644 (file)
index 0000000..fc21f06
--- /dev/null
@@ -0,0 +1,58 @@
+From cec80d82142ab25c71eee24b529cfeaf17c43062 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 1 Oct 2015 01:35:55 +0100
+Subject: alpha: uapi: Add support for __SANE_USERSPACE_TYPES__
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit cec80d82142ab25c71eee24b529cfeaf17c43062 upstream.
+
+This fixes compiler errors in perf such as:
+
+tests/attr.c: In function 'store_event':
+tests/attr.c:66:27: error: format '%llu' expects argument of type 'long long unsigned int', but argument 6 has type '__u64 {aka long unsigned int}' [-Werror=format=]
+  snprintf(path, PATH_MAX, "%s/event-%d-%llu-%d", dir,
+                           ^
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Tested-by: Michael Cree <mcree@orcon.net.nz>
+Signed-off-by: Matt Turner <mattst88@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/alpha/include/asm/types.h      |    2 +-
+ arch/alpha/include/uapi/asm/types.h |   12 +++++++++++-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/arch/alpha/include/asm/types.h
++++ b/arch/alpha/include/asm/types.h
+@@ -1,6 +1,6 @@
+ #ifndef _ALPHA_TYPES_H
+ #define _ALPHA_TYPES_H
+-#include <asm-generic/int-ll64.h>
++#include <uapi/asm/types.h>
+ #endif /* _ALPHA_TYPES_H */
+--- a/arch/alpha/include/uapi/asm/types.h
++++ b/arch/alpha/include/uapi/asm/types.h
+@@ -9,8 +9,18 @@
+  * need to be careful to avoid a name clashes.
+  */
+-#ifndef __KERNEL__
++/*
++ * This is here because we used to use l64 for alpha
++ * and we don't want to impact user mode with our change to ll64
++ * in the kernel.
++ *
++ * However, some user programs are fine with this.  They can
++ * flag __SANE_USERSPACE_TYPES__ to get int-ll64.h here.
++ */
++#if !defined(__SANE_USERSPACE_TYPES__) && !defined(__KERNEL__)
+ #include <asm-generic/int-l64.h>
++#else
++#include <asm-generic/int-ll64.h>
+ #endif
+ #endif /* _UAPI_ALPHA_TYPES_H */
diff --git a/queue-4.9/ceph-fix-readpage-from-fscache.patch b/queue-4.9/ceph-fix-readpage-from-fscache.patch
new file mode 100644 (file)
index 0000000..9dac2d3
--- /dev/null
@@ -0,0 +1,121 @@
+From dd2bc473482eedc60c29cf00ad12568ce40ce511 Mon Sep 17 00:00:00 2001
+From: "Yan, Zheng" <zyan@redhat.com>
+Date: Fri, 4 Aug 2017 11:22:31 +0800
+Subject: ceph: fix readpage from fscache
+
+From: Yan, Zheng <zyan@redhat.com>
+
+commit dd2bc473482eedc60c29cf00ad12568ce40ce511 upstream.
+
+ceph_readpage() unlocks page prematurely prematurely in the case
+that page is reading from fscache. Caller of readpage expects that
+page is uptodate when it get unlocked. So page shoule get locked
+by completion callback of fscache_read_or_alloc_pages()
+
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/addr.c  |   24 +++++++++++++++---------
+ fs/ceph/cache.c |   12 +++---------
+ 2 files changed, 18 insertions(+), 18 deletions(-)
+
+--- a/fs/ceph/addr.c
++++ b/fs/ceph/addr.c
+@@ -188,7 +188,7 @@ static int ceph_releasepage(struct page
+ /*
+  * read a single page, without unlocking it.
+  */
+-static int readpage_nounlock(struct file *filp, struct page *page)
++static int ceph_do_readpage(struct file *filp, struct page *page)
+ {
+       struct inode *inode = file_inode(filp);
+       struct ceph_inode_info *ci = ceph_inode(inode);
+@@ -218,7 +218,7 @@ static int readpage_nounlock(struct file
+       err = ceph_readpage_from_fscache(inode, page);
+       if (err == 0)
+-              goto out;
++              return -EINPROGRESS;
+       dout("readpage inode %p file %p page %p index %lu\n",
+            inode, filp, page, page->index);
+@@ -248,8 +248,11 @@ out:
+ static int ceph_readpage(struct file *filp, struct page *page)
+ {
+-      int r = readpage_nounlock(filp, page);
+-      unlock_page(page);
++      int r = ceph_do_readpage(filp, page);
++      if (r != -EINPROGRESS)
++              unlock_page(page);
++      else
++              r = 0;
+       return r;
+ }
+@@ -1235,7 +1238,7 @@ retry_locked:
+                       goto retry_locked;
+               r = writepage_nounlock(page, NULL);
+               if (r < 0)
+-                      goto fail_nosnap;
++                      goto fail_unlock;
+               goto retry_locked;
+       }
+@@ -1263,11 +1266,14 @@ retry_locked:
+       }
+       /* we need to read it. */
+-      r = readpage_nounlock(file, page);
+-      if (r < 0)
+-              goto fail_nosnap;
++      r = ceph_do_readpage(file, page);
++      if (r < 0) {
++              if (r == -EINPROGRESS)
++                      return -EAGAIN;
++              goto fail_unlock;
++      }
+       goto retry_locked;
+-fail_nosnap:
++fail_unlock:
+       unlock_page(page);
+       return r;
+ }
+--- a/fs/ceph/cache.c
++++ b/fs/ceph/cache.c
+@@ -240,13 +240,7 @@ void ceph_fscache_file_set_cookie(struct
+       }
+ }
+-static void ceph_vfs_readpage_complete(struct page *page, void *data, int error)
+-{
+-      if (!error)
+-              SetPageUptodate(page);
+-}
+-
+-static void ceph_vfs_readpage_complete_unlock(struct page *page, void *data, int error)
++static void ceph_readpage_from_fscache_complete(struct page *page, void *data, int error)
+ {
+       if (!error)
+               SetPageUptodate(page);
+@@ -274,7 +268,7 @@ int ceph_readpage_from_fscache(struct in
+               return -ENOBUFS;
+       ret = fscache_read_or_alloc_page(ci->fscache, page,
+-                                       ceph_vfs_readpage_complete, NULL,
++                                       ceph_readpage_from_fscache_complete, NULL,
+                                        GFP_KERNEL);
+       switch (ret) {
+@@ -303,7 +297,7 @@ int ceph_readpages_from_fscache(struct i
+               return -ENOBUFS;
+       ret = fscache_read_or_alloc_pages(ci->fscache, mapping, pages, nr_pages,
+-                                        ceph_vfs_readpage_complete_unlock,
++                                        ceph_readpage_from_fscache_complete,
+                                         NULL, mapping_gfp_mask(mapping));
+       switch (ret) {
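Review bot: The `return -EAGAIN` taken on `r == -EINPROGRESS` in the retry_locked hunk leaves the page locked, and ceph_readpage() likewise skips unlock_page() for that value, so both call sites now depend on the fscache completion callback performing the unlock; the tail of ceph_readpage_from_fscache_complete() after SetPageUptodate() is outside the hunk, so that cannot be confirmed here. Neither site says so, and a reader of ceph_readpage() will see a path that returns 0 with the page still locked. A one-line comment at each, e.g. `/* read in flight via fscache: page stays locked, completion unlocks it */`, would make the contract explicit. The enclosing function of the retry_locked hunks starts and ends outside the hunk, and ceph_do_readpage()'s body runs past the hunk as well.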
diff --git a/queue-4.9/cifs-fix-maximum-smb2-header-size.patch b/queue-4.9/cifs-fix-maximum-smb2-header-size.patch
new file mode 100644 (file)
index 0000000..2eb3997
--- /dev/null
@@ -0,0 +1,37 @@
+From 9e37b1784f2be9397a903307574ee565bbadfd75 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Thu, 24 Aug 2017 15:16:40 -0700
+Subject: CIFS: Fix maximum SMB2 header size
+
+From: Pavel Shilovsky <pshilov@microsoft.com>
+
+commit 9e37b1784f2be9397a903307574ee565bbadfd75 upstream.
+
+Currently the maximum size of SMB2/3 header is set incorrectly which
+leads to hanging of directory listing operations on encrypted SMB3
+connections. Fix this by setting the maximum size to 170 bytes that
+is calculated as RFC1002 length field size (4) + transform header
+size (52) + SMB2 header size (64) + create response size (56).
+
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Acked-by: Sachin Prabhu <sprabhu@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2pdu.h
++++ b/fs/cifs/smb2pdu.h
+@@ -84,8 +84,8 @@
+ #define NUMBER_OF_SMB2_COMMANDS       0x0013
+-/* BB FIXME - analyze following length BB */
+-#define MAX_SMB2_HDR_SIZE 0x78 /* 4 len + 64 hdr + (2*24 wct) + 2 bct + 2 pad */
++/* 4 len + 52 transform hdr + 64 hdr + 56 create rsp */
++#define MAX_SMB2_HDR_SIZE 0x00b0
+ #define SMB2_PROTO_NUMBER cpu_to_le32(0x424d53fe)
+ #define SMB2_TRANSFORM_PROTO_NUM cpu_to_le32(0x424d53fd)
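Review bot: The description says the maximum header size is set to 170 bytes, but the components the new comment lists add up to 4 + 52 + 64 + 56 = 176, which is exactly the 0x00b0 now defined; the code is right and the prose is off by six. Because the value is now a hex literal whose meaning takes arithmetic to check, stating the total in the comment would prevent the same slip: `/* 4 len + 52 transform hdr + 64 hdr + 56 create rsp = 176 (0xb0) */`. The surrounding smb2pdu.h context is otherwise unchanged.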
diff --git a/queue-4.9/cifs-remove-endian-related-sparse-warning.patch b/queue-4.9/cifs-remove-endian-related-sparse-warning.patch
new file mode 100644 (file)
index 0000000..f3d279c
--- /dev/null
@@ -0,0 +1,32 @@
+From 6e3c1529c39e92ed64ca41d53abadabbaa1d5393 Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Sun, 27 Aug 2017 16:56:08 -0500
+Subject: CIFS: remove endian related sparse warning
+
+From: Steve French <smfrench@gmail.com>
+
+commit 6e3c1529c39e92ed64ca41d53abadabbaa1d5393 upstream.
+
+Recent patch had an endian warning ie
+cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()
+
+Signed-off-by: Steve French <smfrench@gmail.com>
+CC: Ronnie Sahlberg <lsahlber@redhat.com>
+Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/dir.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -194,7 +194,7 @@ check_name(struct dentry *direntry, stru
+       int i;
+       if (unlikely(direntry->d_name.len >
+-                   tcon->fsAttrInfo.MaxPathNameComponentLength))
++                   le32_to_cpu(tcon->fsAttrInfo.MaxPathNameComponentLength)))
+               return -ENAMETOOLONG;
+       if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS)) {
diff --git a/queue-4.9/cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch b/queue-4.9/cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch
new file mode 100644 (file)
index 0000000..2a9dd07
--- /dev/null
@@ -0,0 +1,51 @@
+From b339752d054fb32863418452dff350a1086885b1 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 28 Aug 2017 14:51:27 -0700
+Subject: cpumask: fix spurious cpumask_of_node() on non-NUMA multi-node configs
+
+From: Tejun Heo <tj@kernel.org>
+
+commit b339752d054fb32863418452dff350a1086885b1 upstream.
+
+When !NUMA, cpumask_of_node(@node) equals cpu_online_mask regardless of
+@node.  The assumption seems that if !NUMA, there shouldn't be more than
+one node and thus reporting cpu_online_mask regardless of @node is
+correct.  However, that assumption was broken years ago to support
+DISCONTIGMEM and whether a system has multiple nodes or not is
+separately controlled by NEED_MULTIPLE_NODES.
+
+This means that, on a system with !NUMA && NEED_MULTIPLE_NODES,
+cpumask_of_node() will report cpu_online_mask for all possible nodes,
+indicating that the CPUs are associated with multiple nodes which is an
+impossible configuration.
+
+This bug has been around forever but doesn't look like it has caused any
+noticeable symptoms.  However, it triggers a WARN recently added to
+workqueue to verify NUMA affinity configuration.
+
+Fix it by reporting empty cpumask on non-zero nodes if !NUMA.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-and-tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/asm-generic/topology.h |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/include/asm-generic/topology.h
++++ b/include/asm-generic/topology.h
+@@ -48,7 +48,11 @@
+ #define parent_node(node)     ((void)(node),0)
+ #endif
+ #ifndef cpumask_of_node
+-#define cpumask_of_node(node) ((void)node, cpu_online_mask)
++  #ifdef CONFIG_NEED_MULTIPLE_NODES
++    #define cpumask_of_node(node)     ((node) == 0 ? cpu_online_mask : cpu_none_mask)
++  #else
++    #define cpumask_of_node(node)     ((void)node, cpu_online_mask)
++  #endif
+ #endif
+ #ifndef pcibus_to_node
+ #define pcibus_to_node(bus)   ((void)(bus), -1)
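Review bot: The two new branches of cpumask_of_node() treat the macro argument differently: the CONFIG_NEED_MULTIPLE_NODES branch parenthesizes `(node)`, while the fallback keeps the old unparenthesized `(void)node`, unlike `parent_node` just above, which writes `((void)(node),0)`. It is harmless for a cast to void but inconsistent within the same `#ifndef`; `#define cpumask_of_node(node) ((void)(node), cpu_online_mask)` would align the three. The two-space indentation of the nested `#ifdef`/`#else`/`#endif` also departs from the flush-left directive style of the surrounding lines.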
diff --git a/queue-4.9/cpuset-fix-incorrect-memory_pressure-control-file-mapping.patch b/queue-4.9/cpuset-fix-incorrect-memory_pressure-control-file-mapping.patch
new file mode 100644 (file)
index 0000000..8a67050
--- /dev/null
@@ -0,0 +1,34 @@
+From 1c08c22c874ac88799cab1f78c40f46110274915 Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Thu, 24 Aug 2017 12:04:29 -0400
+Subject: cpuset: Fix incorrect memory_pressure control file mapping
+
+From: Waiman Long <longman@redhat.com>
+
+commit 1c08c22c874ac88799cab1f78c40f46110274915 upstream.
+
+The memory_pressure control file was incorrectly set up without
+a private value (0, by default). As a result, this control
+file was treated like memory_migrate on read. By adding back the
+FILE_MEMORY_PRESSURE private value, the correct memory pressure value
+will be returned.
+
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Fixes: 7dbdb199d3bf ("cgroup: replace cftype->mode with CFTYPE_WORLD_WRITABLE")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cpuset.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/cpuset.c
++++ b/kernel/cpuset.c
+@@ -1905,6 +1905,7 @@ static struct cftype files[] = {
+       {
+               .name = "memory_pressure",
+               .read_u64 = cpuset_read_u64,
++              .private = FILE_MEMORY_PRESSURE,
+       },
+       {
diff --git a/queue-4.9/drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch b/queue-4.9/drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch
new file mode 100644 (file)
index 0000000..37e17cf
--- /dev/null
@@ -0,0 +1,37 @@
+From 9afae2719273fa1d406829bf3498f82dbdba71c7 Mon Sep 17 00:00:00 2001
+From: "Xiangliang.Yu" <Xiangliang.Yu@amd.com>
+Date: Wed, 16 Aug 2017 14:25:51 +0800
+Subject: drm/ttm: Fix accounting error when fail to get pages for pool
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiangliang.Yu <Xiangliang.Yu@amd.com>
+
+commit 9afae2719273fa1d406829bf3498f82dbdba71c7 upstream.
+
+When fail to get needed page for pool, need to put allocated pages
+into pool. But current code has a miscalculation of allocated pages,
+correct it.
+
+Signed-off-by: Xiangliang.Yu <Xiangliang.Yu@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Monk Liu <monk.liu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ttm/ttm_page_alloc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
++++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
+@@ -612,7 +612,7 @@ static void ttm_page_pool_fill_locked(st
+               } else {
+                       pr_err("Failed to fill pool (%p)\n", pool);
+                       /* If we have any pages left put them to the pool. */
+-                      list_for_each_entry(p, &pool->list, lru) {
++                      list_for_each_entry(p, &new_pages, lru) {
+                               ++cpages;
+                       }
+                       list_splice(&new_pages, &pool->list);
diff --git a/queue-4.9/lib-mpi-kunmap-after-finishing-accessing-buffer.patch b/queue-4.9/lib-mpi-kunmap-after-finishing-accessing-buffer.patch
new file mode 100644 (file)
index 0000000..1bd087c
--- /dev/null
@@ -0,0 +1,49 @@
+From dea3eb8b452e36cf2dd572b0a797915ccf452ae6 Mon Sep 17 00:00:00 2001
+From: Stephan Mueller <smueller@chronox.de>
+Date: Thu, 10 Aug 2017 08:06:18 +0200
+Subject: lib/mpi: kunmap after finishing accessing buffer
+
+From: Stephan Mueller <smueller@chronox.de>
+
+commit dea3eb8b452e36cf2dd572b0a797915ccf452ae6 upstream.
+
+Using sg_miter_start and sg_miter_next, the buffer of an SG is kmap'ed
+to *buff. The current code calls sg_miter_stop (and thus kunmap) on the
+SG entry before the last access of *buff.
+
+The patch moves the sg_miter_stop call after the last access to *buff to
+ensure that the memory pointed to by *buff is still mapped.
+
+Fixes: 4816c9406430 ("lib/mpi: Fix SG miter leak")
+Signed-off-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/mpi/mpicoder.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/lib/mpi/mpicoder.c
++++ b/lib/mpi/mpicoder.c
+@@ -364,11 +364,11 @@ MPI mpi_read_raw_from_sgl(struct scatter
+       }
+       miter.consumed = lzeros;
+-      sg_miter_stop(&miter);
+       nbytes -= lzeros;
+       nbits = nbytes * 8;
+       if (nbits > MAX_EXTERN_MPI_BITS) {
++              sg_miter_stop(&miter);
+               pr_info("MPI: mpi too large (%u bits)\n", nbits);
+               return NULL;
+       }
+@@ -376,6 +376,8 @@ MPI mpi_read_raw_from_sgl(struct scatter
+       if (nbytes > 0)
+               nbits -= count_leading_zeros(*buff) - (BITS_PER_LONG - 8);
++      sg_miter_stop(&miter);
++
+       nlimbs = DIV_ROUND_UP(nbytes, BYTES_PER_MPI_LIMB);
+       val = mpi_alloc(nlimbs);
+       if (!val)
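Review bot: Moving sg_miter_stop() after the last `*buff` read means every exit between the old call site and the new one must now release the mapping itself, and the hunk already has to add a second call on the `nbits > MAX_EXTERN_MPI_BITS` return. The lines between the two nested hunks (from that `return NULL` to the `if (nbytes > 0)` guard) are not shown, so any further early return there would skip the stop; worth checking. A comment at the early-return call, `/* buff is still mapped; release it before bailing out */`, would flag the pairing for the next edit. mpi_read_raw_from_sgl() starts and ends outside the hunk.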
diff --git a/queue-4.9/mm-madvise-ensure-poisoned-pages-are-removed-from-per-cpu-lists.patch b/queue-4.9/mm-madvise-ensure-poisoned-pages-are-removed-from-per-cpu-lists.patch
new file mode 100644 (file)
index 0000000..3de457e
--- /dev/null
@@ -0,0 +1,66 @@
+From c461ad6a63b37ba74632e90c063d14823c884247 Mon Sep 17 00:00:00 2001
+From: Mel Gorman <mgorman@techsingularity.net>
+Date: Thu, 31 Aug 2017 16:15:30 -0700
+Subject: mm, madvise: ensure poisoned pages are removed from per-cpu lists
+
+From: Mel Gorman <mgorman@techsingularity.net>
+
+commit c461ad6a63b37ba74632e90c063d14823c884247 upstream.
+
+Wendy Wang reported off-list that a RAS HWPOISON-SOFT test case failed
+and bisected it to the commit 479f854a207c ("mm, page_alloc: defer
+debugging checks of pages allocated from the PCP").
+
+The problem is that a page that was poisoned with madvise() is reused.
+The commit removed a check that would trigger if DEBUG_VM was enabled
+but re-enabling the check only fixes the problem as a side-effect by
+printing a bad_page warning and recovering.
+
+The root of the problem is that an madvise() can leave a poisoned page
+on the per-cpu list.  This patch drains all per-cpu lists after pages
+are poisoned so that they will not be reused.  Wendy reports that the
+test case in question passes with this patch applied.  While this could
+be done in a targeted fashion, it is over-complicated for such a rare
+operation.
+
+Link: http://lkml.kernel.org/r/20170828133414.7qro57jbepdcyz5x@techsingularity.net
+Fixes: 479f854a207c ("mm, page_alloc: defer debugging checks of pages allocated from the PCP")
+Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
+Reported-by: Wang, Wendy <wendy.wang@intel.com>
+Tested-by: Wang, Wendy <wendy.wang@intel.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: "Hansen, Dave" <dave.hansen@intel.com>
+Cc: "Luck, Tony" <tony.luck@intel.com>
+Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/madvise.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/mm/madvise.c
++++ b/mm/madvise.c
+@@ -533,6 +533,8 @@ static long madvise_remove(struct vm_are
+ static int madvise_hwpoison(int bhv, unsigned long start, unsigned long end)
+ {
+       struct page *p;
++      struct zone *zone;
++
+       if (!capable(CAP_SYS_ADMIN))
+               return -EPERM;
+       for (; start < end; start += PAGE_SIZE <<
+@@ -561,6 +563,11 @@ static int madvise_hwpoison(int bhv, uns
+               if (ret)
+                       return ret;
+       }
++
++      /* Ensure that all poisoned pages are removed from per-cpu lists */
++      for_each_populated_zone(zone)
++              drain_all_pages(zone);
++
+       return 0;
+ }
+ #endif
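Review bot: The drain added after the loop is only reached on the success path; the `if (ret) return ret;` closing the loop body (and any other early return in the part of the body between the two nested hunks, which is not shown) returns without it, so pages poisoned by earlier iterations can stay on per-cpu lists when a later iteration fails, which is the state the patch sets out to remove. Changing those returns to `if (ret) goto drain;`, putting a `drain:` label ahead of the `for_each_populated_zone()` loop and returning the saved error after it (0 on the normal path) would cover partial failures as well, though the error would need a function-scope variable if `ret` currently lives inside the loop. The loop header is visible but its body is only partly in the hunk.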
diff --git a/queue-4.9/mm-uprobes-fix-multiple-free-of-uprobes_state.xol_area.patch b/queue-4.9/mm-uprobes-fix-multiple-free-of-uprobes_state.xol_area.patch
new file mode 100644 (file)
index 0000000..dc2cbf3
--- /dev/null
@@ -0,0 +1,142 @@
+From 355627f518978b5167256d27492fe0b343aaf2f2 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 31 Aug 2017 16:15:26 -0700
+Subject: mm, uprobes: fix multiple free of ->uprobes_state.xol_area
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 355627f518978b5167256d27492fe0b343aaf2f2 upstream.
+
+Commit 7c051267931a ("mm, fork: make dup_mmap wait for mmap_sem for
+write killable") made it possible to kill a forking task while it is
+waiting to acquire its ->mmap_sem for write, in dup_mmap().
+
+However, it was overlooked that this introduced an new error path before
+the new mm_struct's ->uprobes_state.xol_area has been set to NULL after
+being copied from the old mm_struct by the memcpy in dup_mm().  For a
+task that has previously hit a uprobe tracepoint, this resulted in the
+'struct xol_area' being freed multiple times if the task was killed at
+just the right time while forking.
+
+Fix it by setting ->uprobes_state.xol_area to NULL in mm_init() rather
+than in uprobe_dup_mmap().
+
+With CONFIG_UPROBE_EVENTS=y, the bug can be reproduced by the same C
+program given by commit 2b7e8665b4ff ("fork: fix incorrect fput of
+->exe_file causing use-after-free"), provided that a uprobe tracepoint
+has been set on the fork_thread() function.  For example:
+
+    $ gcc reproducer.c -o reproducer -lpthread
+    $ nm reproducer | grep fork_thread
+    0000000000400719 t fork_thread
+    $ echo "p $PWD/reproducer:0x719" > /sys/kernel/debug/tracing/uprobe_events
+    $ echo 1 > /sys/kernel/debug/tracing/events/uprobes/enable
+    $ ./reproducer
+
+Here is the use-after-free reported by KASAN:
+
+    BUG: KASAN: use-after-free in uprobe_clear_state+0x1c4/0x200
+    Read of size 8 at addr ffff8800320a8b88 by task reproducer/198
+
+    CPU: 1 PID: 198 Comm: reproducer Not tainted 4.13.0-rc7-00015-g36fde05f3fb5 #255
+    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
+    Call Trace:
+     dump_stack+0xdb/0x185
+     print_address_description+0x7e/0x290
+     kasan_report+0x23b/0x350
+     __asan_report_load8_noabort+0x19/0x20
+     uprobe_clear_state+0x1c4/0x200
+     mmput+0xd6/0x360
+     do_exit+0x740/0x1670
+     do_group_exit+0x13f/0x380
+     get_signal+0x597/0x17d0
+     do_signal+0x99/0x1df0
+     exit_to_usermode_loop+0x166/0x1e0
+     syscall_return_slowpath+0x258/0x2c0
+     entry_SYSCALL_64_fastpath+0xbc/0xbe
+
+    ...
+
+    Allocated by task 199:
+     save_stack_trace+0x1b/0x20
+     kasan_kmalloc+0xfc/0x180
+     kmem_cache_alloc_trace+0xf3/0x330
+     __create_xol_area+0x10f/0x780
+     uprobe_notify_resume+0x1674/0x2210
+     exit_to_usermode_loop+0x150/0x1e0
+     prepare_exit_to_usermode+0x14b/0x180
+     retint_user+0x8/0x20
+
+    Freed by task 199:
+     save_stack_trace+0x1b/0x20
+     kasan_slab_free+0xa8/0x1a0
+     kfree+0xba/0x210
+     uprobe_clear_state+0x151/0x200
+     mmput+0xd6/0x360
+     copy_process.part.8+0x605f/0x65d0
+     _do_fork+0x1a5/0xbd0
+     SyS_clone+0x19/0x20
+     do_syscall_64+0x22f/0x660
+     return_from_SYSCALL_64+0x0/0x7a
+
+Note: without KASAN, you may instead see a "Bad page state" message, or
+simply a general protection fault.
+
+Link: http://lkml.kernel.org/r/20170830033303.17927-1-ebiggers3@gmail.com
+Fixes: 7c051267931a ("mm, fork: make dup_mmap wait for mmap_sem for write killable")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reported-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Konstantin Khlebnikov <koct9i@gmail.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/uprobes.c |    2 --
+ kernel/fork.c           |    8 ++++++++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/kernel/events/uprobes.c
++++ b/kernel/events/uprobes.c
+@@ -1254,8 +1254,6 @@ void uprobe_end_dup_mmap(void)
+ void uprobe_dup_mmap(struct mm_struct *oldmm, struct mm_struct *newmm)
+ {
+-      newmm->uprobes_state.xol_area = NULL;
+-
+       if (test_bit(MMF_HAS_UPROBES, &oldmm->flags)) {
+               set_bit(MMF_HAS_UPROBES, &newmm->flags);
+               /* unconditionally, dup_mmap() skips VM_DONTCOPY vmas */
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -745,6 +745,13 @@ static void mm_init_owner(struct mm_stru
+ #endif
+ }
++static void mm_init_uprobes_state(struct mm_struct *mm)
++{
++#ifdef CONFIG_UPROBES
++      mm->uprobes_state.xol_area = NULL;
++#endif
++}
++
+ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
+       struct user_namespace *user_ns)
+ {
+@@ -772,6 +779,7 @@ static struct mm_struct *mm_init(struct
+ #if defined(CONFIG_TRANSPARENT_HUGEPAGE) && !USE_SPLIT_PMD_PTLOCKS
+       mm->pmd_huge_pte = NULL;
+ #endif
++      mm_init_uprobes_state(mm);
+       if (current->mm) {
+               mm->flags = current->mm->flags & MMF_INIT_MASK;
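Review bot: mm_init_uprobes_state() carries no comment, although its placement is the whole fix: per the description, dup_mm() memcpy()s the parent's mm_struct, so until the field is cleared the child's ->uprobes_state.xol_area aliases the parent's area and any failure path that reaches mmput() before uprobe_dup_mmap() frees it a second time. A header comment would keep a later refactor from moving it back, e.g. `/* Clear xol_area here, not in uprobe_dup_mmap(): the child mm is memcpy()ed from the parent in dup_mm(), and an error exit before uprobe_dup_mmap() would otherwise free the parent's area again. */`. mm_init()'s body is only partly shown, so the ordering relative to its own error exits cannot be checked here.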
index 0cb55669aa992e3d5950c373dc666a40b4909a18..3a071a6cbbaab6d9ab8fd970fee102c795509276 100644 (file)
@@ -2,3 +2,15 @@ irqchip-mips-gic-sync-after-enabling-gic-region.patch
 i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch
 i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch
 crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch
+mm-uprobes-fix-multiple-free-of-uprobes_state.xol_area.patch
+mm-madvise-ensure-poisoned-pages-are-removed-from-per-cpu-lists.patch
+ceph-fix-readpage-from-fscache.patch
+cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch
+cpuset-fix-incorrect-memory_pressure-control-file-mapping.patch
+alpha-uapi-add-support-for-__sane_userspace_types__.patch
+cifs-fix-maximum-smb2-header-size.patch
+cifs-remove-endian-related-sparse-warning.patch
+wl1251-add-a-missing-spin_lock_init.patch
+lib-mpi-kunmap-after-finishing-accessing-buffer.patch
+xfrm-policy-check-policy-direction-value.patch
+drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch
diff --git a/queue-4.9/wl1251-add-a-missing-spin_lock_init.patch b/queue-4.9/wl1251-add-a-missing-spin_lock_init.patch
new file mode 100644 (file)
index 0000000..431b288
--- /dev/null
@@ -0,0 +1,67 @@
+From f581a0dd744fe32b0a8805e279c59ec1ac676d60 Mon Sep 17 00:00:00 2001
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 31 Aug 2017 16:47:43 +0200
+Subject: wl1251: add a missing spin_lock_init()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+commit f581a0dd744fe32b0a8805e279c59ec1ac676d60 upstream.
+
+wl1251: add a missing spin_lock_init()
+
+This fixes the following kernel warning:
+
+ [ 5668.771453] BUG: spinlock bad magic on CPU#0, kworker/u2:3/9745
+ [ 5668.771850]  lock: 0xce63ef20, .magic: 00000000, .owner: <none>/-1,
+ .owner_cpu: 0
+ [ 5668.772277] CPU: 0 PID: 9745 Comm: kworker/u2:3 Tainted: G        W
+ 4.12.0-03002-gec979a4-dirty #40
+ [ 5668.772796] Hardware name: Nokia RX-51 board
+ [ 5668.773071] Workqueue: phy1 wl1251_irq_work
+ [ 5668.773345] [<c010c9e4>] (unwind_backtrace) from [<c010a274>]
+ (show_stack+0x10/0x14)
+ [ 5668.773803] [<c010a274>] (show_stack) from [<c01545a4>]
+ (do_raw_spin_lock+0x6c/0xa0)
+ [ 5668.774230] [<c01545a4>] (do_raw_spin_lock) from [<c06ca578>]
+ (_raw_spin_lock_irqsave+0x10/0x18)
+ [ 5668.774658] [<c06ca578>] (_raw_spin_lock_irqsave) from [<c048c010>]
+ (wl1251_op_tx+0x38/0x5c)
+ [ 5668.775115] [<c048c010>] (wl1251_op_tx) from [<c06a12e8>]
+ (ieee80211_tx_frags+0x188/0x1c0)
+ [ 5668.775543] [<c06a12e8>] (ieee80211_tx_frags) from [<c06a138c>]
+ (__ieee80211_tx+0x6c/0x130)
+ [ 5668.775970] [<c06a138c>] (__ieee80211_tx) from [<c06a3dbc>]
+ (ieee80211_tx+0xdc/0x104)
+ [ 5668.776367] [<c06a3dbc>] (ieee80211_tx) from [<c06a4af0>]
+ (__ieee80211_subif_start_xmit+0x454/0x8c8)
+ [ 5668.776824] [<c06a4af0>] (__ieee80211_subif_start_xmit) from
+ [<c06a4f94>] (ieee80211_subif_start_xmit+0x30/0x2fc)
+ [ 5668.777343] [<c06a4f94>] (ieee80211_subif_start_xmit) from
+ [<c0578848>] (dev_hard_start_xmit+0x80/0x118)
+...
+
+    by adding the missing spin_lock_init().
+
+Reported-by: Pavel Machek <pavel@ucw.cz>
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ti/wl1251/main.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/ti/wl1251/main.c
++++ b/drivers/net/wireless/ti/wl1251/main.c
+@@ -1571,6 +1571,7 @@ struct ieee80211_hw *wl1251_alloc_hw(voi
+       wl->state = WL1251_STATE_OFF;
+       mutex_init(&wl->mutex);
++      spin_lock_init(&wl->wl_lock);
+       wl->tx_mgmt_frm_rate = DEFAULT_HW_GEN_TX_RATE;
+       wl->tx_mgmt_frm_mod = DEFAULT_HW_GEN_MODULATION_TYPE;
diff --git a/queue-4.9/xfrm-policy-check-policy-direction-value.patch b/queue-4.9/xfrm-policy-check-policy-direction-value.patch
new file mode 100644 (file)
index 0000000..42b5741
--- /dev/null
@@ -0,0 +1,44 @@
+From 7bab09631c2a303f87a7eb7e3d69e888673b9b7e Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Wed, 2 Aug 2017 19:50:14 +0200
+Subject: xfrm: policy: check policy direction value
+
+From: Vladis Dronov <vdronov@redhat.com>
+
+commit 7bab09631c2a303f87a7eb7e3d69e888673b9b7e upstream.
+
+The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used
+as an array index. This can lead to an out-of-bound access, kernel lockup and
+DoS. Add a check for the 'dir' value.
+
+This fixes CVE-2017-11600.
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928
+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
+Reported-by: "bo Zhang" <zhangbo5891001@gmail.com>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_policy.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3308,9 +3308,15 @@ int xfrm_migrate(const struct xfrm_selec
+       struct xfrm_state *x_new[XFRM_MAX_DEPTH];
+       struct xfrm_migrate *mp;
++      /* Stage 0 - sanity checks */
+       if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
+               goto out;
++      if (dir >= XFRM_POLICY_MAX) {
++              err = -EINVAL;
++              goto out;
++      }
++
+       /* Stage 1 - find policy */
+       if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) {
+               err = -ENOENT;
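Review bot: The added `if (dir >= XFRM_POLICY_MAX)` is an upper bound only, which is sufficient when `dir` is the unsigned byte the description calls it, but xfrm_migrate()'s signature is cut off in the hunk header so the parameter type cannot be confirmed here; if it were ever widened to a signed int, a negative value would pass the check. Worth a look at the declaration, and since this is the value that indexed out of bounds, a short comment at the check would record why it exists: `/* dir is user-controlled and used as an array index below */`. The function starts and ends outside the hunk.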