--- /dev/null
+From b88c5049219a7f322bb1fd65fc30d17472a23563 Mon Sep 17 00:00:00 2001
+From: Lei YU <mine260309@gmail.com>
+Date: Mon, 15 Apr 2019 18:37:20 +0800
+Subject: hwmon: (occ) Fix extended status bits
+
+From: Lei YU <mine260309@gmail.com>
+
+commit b88c5049219a7f322bb1fd65fc30d17472a23563 upstream.
+
+The occ's extended status is checked and shown as sysfs attributes. But
+the code was incorrectly checking the "status" bits.
+Fix it by checking the "ext_status" bits.
+
+Cc: stable@vger.kernel.org
+Fixes: df04ced684d4 ("hwmon (occ): Add sysfs attributes for additional OCC data")
+Signed-off-by: Lei YU <mine260309@gmail.com>
+Reviewed-by: Eddie James <eajames@linux.ibm.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/occ/sysfs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/hwmon/occ/sysfs.c
++++ b/drivers/hwmon/occ/sysfs.c
+@@ -51,16 +51,16 @@ static ssize_t occ_sysfs_show(struct dev
+ val = !!(header->status & OCC_STAT_ACTIVE);
+ break;
+ case 2:
+- val = !!(header->status & OCC_EXT_STAT_DVFS_OT);
++ val = !!(header->ext_status & OCC_EXT_STAT_DVFS_OT);
+ break;
+ case 3:
+- val = !!(header->status & OCC_EXT_STAT_DVFS_POWER);
++ val = !!(header->ext_status & OCC_EXT_STAT_DVFS_POWER);
+ break;
+ case 4:
+- val = !!(header->status & OCC_EXT_STAT_MEM_THROTTLE);
++ val = !!(header->ext_status & OCC_EXT_STAT_MEM_THROTTLE);
+ break;
+ case 5:
+- val = !!(header->status & OCC_EXT_STAT_QUICK_DROP);
++ val = !!(header->ext_status & OCC_EXT_STAT_QUICK_DROP);
+ break;
+ case 6:
+ val = header->occ_state;
--- /dev/null
+From 53f1647da3e8fb3e89066798f0fdc045064d353d Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Wed, 3 Apr 2019 14:48:33 +0200
+Subject: hwmon: (pwm-fan) Disable PWM if fetching cooling data fails
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+commit 53f1647da3e8fb3e89066798f0fdc045064d353d upstream.
+
+In case pwm_fan_of_get_cooling_data() fails we should disable the PWM
+just like in the other error cases.
+
+Fixes: 2e5219c77183 ("hwmon: (pwm-fan) Read PWM FAN configuration from device tree")
+Cc: <stable@vger.kernel.org> # 4.14+
+Reported-by: Guenter Rock <linux@roeck-us.net>
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/pwm-fan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/pwm-fan.c
++++ b/drivers/hwmon/pwm-fan.c
+@@ -254,7 +254,7 @@ static int pwm_fan_probe(struct platform
+
+ ret = pwm_fan_of_get_cooling_data(&pdev->dev, ctx);
+ if (ret)
+- return ret;
++ goto err_pwm_disable;
+
+ ctx->pwm_fan_state = ctx->pwm_fan_max_state;
+ if (IS_ENABLED(CONFIG_THERMAL)) {
--- /dev/null
+From 998267900cee901c5d1dfa029a6304d00acbc29f Mon Sep 17 00:00:00 2001
+From: Andrea Parri <andrea.parri@amarulasolutions.com>
+Date: Tue, 16 Apr 2019 14:17:11 +0200
+Subject: kernfs: fix barrier usage in __kernfs_new_node()
+
+From: Andrea Parri <andrea.parri@amarulasolutions.com>
+
+commit 998267900cee901c5d1dfa029a6304d00acbc29f upstream.
+
+smp_mb__before_atomic() can not be applied to atomic_set(). Remove the
+barrier and rely on RELEASE synchronization.
+
+Fixes: ba16b2846a8c6 ("kernfs: add an API to get kernfs node from inode number")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrea Parri <andrea.parri@amarulasolutions.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/kernfs/dir.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/kernfs/dir.c
++++ b/fs/kernfs/dir.c
+@@ -650,11 +650,10 @@ static struct kernfs_node *__kernfs_new_
+ kn->id.generation = gen;
+
+ /*
+- * set ino first. This barrier is paired with atomic_inc_not_zero in
++ * set ino first. This RELEASE is paired with atomic_inc_not_zero in
+ * kernfs_find_and_get_node_by_ino
+ */
+- smp_mb__before_atomic();
+- atomic_set(&kn->count, 1);
++ atomic_set_release(&kn->count, 1);
+ atomic_set(&kn->active, KN_DEACTIVATED_BIAS);
+ RB_CLEAR_NODE(&kn->rb);
+
--- /dev/null
+From 6cc13c28da5beee0f706db6450e190709700b34a Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@dell.com>
+Date: Wed, 27 Mar 2019 09:25:34 -0500
+Subject: platform/x86: dell-laptop: fix rfkill functionality
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Limonciello <mario.limonciello@dell.com>
+
+commit 6cc13c28da5beee0f706db6450e190709700b34a upstream.
+
+When converting the driver two arguments were transposed leading
+to rfkill not working.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=201427
+Reported-by: Pepijn de Vos <pepijndevos@gmail.com>
+Fixes: 549b49 ("platform/x86: dell-smbios: Introduce dispatcher for SMM calls")
+Signed-off-by: Mario Limonciello <mario.limonciello@dell.com>
+Acked-by: Pali Rohár <pali.rohar@gmail.com>
+Cc: <stable@vger.kernel.org> # 4.14.x
+Signed-off-by: Darren Hart (VMware) <dvhart@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/dell-laptop.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/platform/x86/dell-laptop.c
++++ b/drivers/platform/x86/dell-laptop.c
+@@ -531,7 +531,7 @@ static void dell_rfkill_query(struct rfk
+ return;
+ }
+
+- dell_fill_request(&buffer, 0, 0x2, 0, 0);
++ dell_fill_request(&buffer, 0x2, 0, 0, 0);
+ ret = dell_send_request(&buffer, CLASS_INFO, SELECT_RFKILL);
+ hwswitch = buffer.output[1];
+
+@@ -562,7 +562,7 @@ static int dell_debugfs_show(struct seq_
+ return ret;
+ status = buffer.output[1];
+
+- dell_fill_request(&buffer, 0, 0x2, 0, 0);
++ dell_fill_request(&buffer, 0x2, 0, 0, 0);
+ hwswitch_ret = dell_send_request(&buffer, CLASS_INFO, SELECT_RFKILL);
+ if (hwswitch_ret)
+ return hwswitch_ret;
+@@ -647,7 +647,7 @@ static void dell_update_rfkill(struct wo
+ if (ret != 0)
+ return;
+
+- dell_fill_request(&buffer, 0, 0x2, 0, 0);
++ dell_fill_request(&buffer, 0x2, 0, 0, 0);
+ ret = dell_send_request(&buffer, CLASS_INFO, SELECT_RFKILL);
+
+ if (ret == 0 && (status & BIT(0)))
--- /dev/null
+From 1cbd7a64959d33e7a2a1fa2bf36a62b350a9fcbd Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Wed, 24 Apr 2019 13:09:34 -0500
+Subject: platform/x86: sony-laptop: Fix unintentional fall-through
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 1cbd7a64959d33e7a2a1fa2bf36a62b350a9fcbd upstream.
+
+It seems that the default case should return AE_CTRL_TERMINATE, instead
+of falling through to case ACPI_RESOURCE_TYPE_END_TAG and returning AE_OK;
+otherwise the line of code at the end of the function is unreachable and
+makes no sense:
+
+return AE_CTRL_TERMINATE;
+
+This fix is based on the following thread of discussion:
+
+https://lore.kernel.org/patchwork/patch/959782/
+
+Fixes: 33a04454527e ("sony-laptop: Add SNY6001 device handling (sonypi reimplementation)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/sony-laptop.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/platform/x86/sony-laptop.c
++++ b/drivers/platform/x86/sony-laptop.c
+@@ -4424,14 +4424,16 @@ sony_pic_read_possible_resource(struct a
+ }
+ return AE_OK;
+ }
++
++ case ACPI_RESOURCE_TYPE_END_TAG:
++ return AE_OK;
++
+ default:
+ dprintk("Resource %d isn't an IRQ nor an IO port\n",
+ resource->type);
++ return AE_CTRL_TERMINATE;
+
+- case ACPI_RESOURCE_TYPE_END_TAG:
+- return AE_OK;
+ }
+- return AE_CTRL_TERMINATE;
+ }
+
+ static int sony_pic_possible_resources(struct acpi_device *device)
--- /dev/null
+From f7db839fccf087664e5587966220821289b6a9cb Mon Sep 17 00:00:00 2001
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Date: Thu, 7 Mar 2019 17:37:16 +0800
+Subject: platform/x86: thinkpad_acpi: Disable Bluetooth for some machines
+
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+
+commit f7db839fccf087664e5587966220821289b6a9cb upstream.
+
+Some AMD based ThinkPads have a firmware bug that calling
+"GBDC" will cause Bluetooth on Intel wireless cards blocked.
+
+Probe these models by DMI match and disable Bluetooth subdriver
+if specified Intel wireless card exist.
+
+Cc: stable <stable@vger.kernel.org> # 4.14+
+Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/thinkpad_acpi.c | 72 ++++++++++++++++++++++++++++++++++-
+ 1 file changed, 70 insertions(+), 2 deletions(-)
+
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -79,7 +79,7 @@
+ #include <linux/jiffies.h>
+ #include <linux/workqueue.h>
+ #include <linux/acpi.h>
+-#include <linux/pci_ids.h>
++#include <linux/pci.h>
+ #include <linux/power_supply.h>
+ #include <sound/core.h>
+ #include <sound/control.h>
+@@ -4501,6 +4501,74 @@ static void bluetooth_exit(void)
+ bluetooth_shutdown();
+ }
+
++static const struct dmi_system_id bt_fwbug_list[] __initconst = {
++ {
++ .ident = "ThinkPad E485",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_BOARD_NAME, "20KU"),
++ },
++ },
++ {
++ .ident = "ThinkPad E585",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_BOARD_NAME, "20KV"),
++ },
++ },
++ {
++ .ident = "ThinkPad A285 - 20MW",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_BOARD_NAME, "20MW"),
++ },
++ },
++ {
++ .ident = "ThinkPad A285 - 20MX",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_BOARD_NAME, "20MX"),
++ },
++ },
++ {
++ .ident = "ThinkPad A485 - 20MU",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_BOARD_NAME, "20MU"),
++ },
++ },
++ {
++ .ident = "ThinkPad A485 - 20MV",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_BOARD_NAME, "20MV"),
++ },
++ },
++ {}
++};
++
++static const struct pci_device_id fwbug_cards_ids[] __initconst = {
++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x24F3) },
++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x24FD) },
++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x2526) },
++ {}
++};
++
++
++static int __init have_bt_fwbug(void)
++{
++ /*
++ * Some AMD based ThinkPads have a firmware bug that calling
++ * "GBDC" will cause bluetooth on Intel wireless cards blocked
++ */
++ if (dmi_check_system(bt_fwbug_list) && pci_dev_present(fwbug_cards_ids)) {
++ vdbg_printk(TPACPI_DBG_INIT | TPACPI_DBG_RFKILL,
++ FW_BUG "disable bluetooth subdriver for Intel cards\n");
++ return 1;
++ } else
++ return 0;
++}
++
+ static int __init bluetooth_init(struct ibm_init_struct *iibm)
+ {
+ int res;
+@@ -4513,7 +4581,7 @@ static int __init bluetooth_init(struct
+
+ /* bluetooth not supported on 570, 600e/x, 770e, 770x, A21e, A2xm/p,
+ G4x, R30, R31, R40e, R50e, T20-22, X20-21 */
+- tp_features.bluetooth = hkey_handle &&
++ tp_features.bluetooth = !have_bt_fwbug() && hkey_handle &&
+ acpi_evalf(hkey_handle, &status, "GBDC", "qd");
+
+ vdbg_printk(TPACPI_DBG_INIT | TPACPI_DBG_RFKILL,
--- /dev/null
+From 9dd3fcb0ab73cb1e00b8562ef027a38521aaff87 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 11 Apr 2019 16:56:31 -0700
+Subject: selftests/seccomp: Handle namespace failures gracefully
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 9dd3fcb0ab73cb1e00b8562ef027a38521aaff87 upstream.
+
+When running without USERNS or PIDNS the seccomp test would hang since
+it was waiting forever for the child to trigger the user notification
+since it seems the glibc() abort handler makes a call to getpid(),
+which would trap again. This changes the getpid filter to getppid, and
+makes sure ASSERTs execute to stop from spawning the listener.
+
+Reported-by: Shuah Khan <shuah@kernel.org>
+Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace")
+Cc: stable@vger.kernel.org # > 5.0
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Tycho Andersen <tycho@tycho.ws>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/testing/selftests/seccomp/seccomp_bpf.c | 43 +++++++++++++-------------
+ 1 file changed, 23 insertions(+), 20 deletions(-)
+
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
+@@ -3089,9 +3089,9 @@ TEST(user_notification_basic)
+
+ /* Check that we get -ENOSYS with no listener attached */
+ if (pid == 0) {
+- if (user_trap_syscall(__NR_getpid, 0) < 0)
++ if (user_trap_syscall(__NR_getppid, 0) < 0)
+ exit(1);
+- ret = syscall(__NR_getpid);
++ ret = syscall(__NR_getppid);
+ exit(ret >= 0 || errno != ENOSYS);
+ }
+
+@@ -3106,12 +3106,12 @@ TEST(user_notification_basic)
+ EXPECT_EQ(seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog), 0);
+
+ /* Check that the basic notification machinery works */
+- listener = user_trap_syscall(__NR_getpid,
++ listener = user_trap_syscall(__NR_getppid,
+ SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ ASSERT_GE(listener, 0);
+
+ /* Installing a second listener in the chain should EBUSY */
+- EXPECT_EQ(user_trap_syscall(__NR_getpid,
++ EXPECT_EQ(user_trap_syscall(__NR_getppid,
+ SECCOMP_FILTER_FLAG_NEW_LISTENER),
+ -1);
+ EXPECT_EQ(errno, EBUSY);
+@@ -3120,7 +3120,7 @@ TEST(user_notification_basic)
+ ASSERT_GE(pid, 0);
+
+ if (pid == 0) {
+- ret = syscall(__NR_getpid);
++ ret = syscall(__NR_getppid);
+ exit(ret != USER_NOTIF_MAGIC);
+ }
+
+@@ -3138,7 +3138,7 @@ TEST(user_notification_basic)
+ EXPECT_GT(poll(&pollfd, 1, -1), 0);
+ EXPECT_EQ(pollfd.revents, POLLOUT);
+
+- EXPECT_EQ(req.data.nr, __NR_getpid);
++ EXPECT_EQ(req.data.nr, __NR_getppid);
+
+ resp.id = req.id;
+ resp.error = 0;
+@@ -3165,7 +3165,7 @@ TEST(user_notification_kill_in_middle)
+ struct seccomp_notif req = {};
+ struct seccomp_notif_resp resp = {};
+
+- listener = user_trap_syscall(__NR_getpid,
++ listener = user_trap_syscall(__NR_getppid,
+ SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ ASSERT_GE(listener, 0);
+
+@@ -3177,7 +3177,7 @@ TEST(user_notification_kill_in_middle)
+ ASSERT_GE(pid, 0);
+
+ if (pid == 0) {
+- ret = syscall(__NR_getpid);
++ ret = syscall(__NR_getppid);
+ exit(ret != USER_NOTIF_MAGIC);
+ }
+
+@@ -3277,7 +3277,7 @@ TEST(user_notification_closed_listener)
+ long ret;
+ int status, listener;
+
+- listener = user_trap_syscall(__NR_getpid,
++ listener = user_trap_syscall(__NR_getppid,
+ SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ ASSERT_GE(listener, 0);
+
+@@ -3288,7 +3288,7 @@ TEST(user_notification_closed_listener)
+ ASSERT_GE(pid, 0);
+ if (pid == 0) {
+ close(listener);
+- ret = syscall(__NR_getpid);
++ ret = syscall(__NR_getppid);
+ exit(ret != -1 && errno != ENOSYS);
+ }
+
+@@ -3311,14 +3311,15 @@ TEST(user_notification_child_pid_ns)
+
+ ASSERT_EQ(unshare(CLONE_NEWPID), 0);
+
+- listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER);
++ listener = user_trap_syscall(__NR_getppid,
++ SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ ASSERT_GE(listener, 0);
+
+ pid = fork();
+ ASSERT_GE(pid, 0);
+
+ if (pid == 0)
+- exit(syscall(__NR_getpid) != USER_NOTIF_MAGIC);
++ exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
+
+ EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
+ EXPECT_EQ(req.pid, pid);
+@@ -3346,7 +3347,8 @@ TEST(user_notification_sibling_pid_ns)
+ struct seccomp_notif req = {};
+ struct seccomp_notif_resp resp = {};
+
+- listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER);
++ listener = user_trap_syscall(__NR_getppid,
++ SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ ASSERT_GE(listener, 0);
+
+ pid = fork();
+@@ -3359,7 +3361,7 @@ TEST(user_notification_sibling_pid_ns)
+ ASSERT_GE(pid2, 0);
+
+ if (pid2 == 0)
+- exit(syscall(__NR_getpid) != USER_NOTIF_MAGIC);
++ exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
+
+ EXPECT_EQ(waitpid(pid2, &status, 0), pid2);
+ EXPECT_EQ(true, WIFEXITED(status));
+@@ -3368,11 +3370,11 @@ TEST(user_notification_sibling_pid_ns)
+ }
+
+ /* Create the sibling ns, and sibling in it. */
+- EXPECT_EQ(unshare(CLONE_NEWPID), 0);
+- EXPECT_EQ(errno, 0);
++ ASSERT_EQ(unshare(CLONE_NEWPID), 0);
++ ASSERT_EQ(errno, 0);
+
+ pid2 = fork();
+- EXPECT_GE(pid2, 0);
++ ASSERT_GE(pid2, 0);
+
+ if (pid2 == 0) {
+ ASSERT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
+@@ -3380,7 +3382,7 @@ TEST(user_notification_sibling_pid_ns)
+ * The pid should be 0, i.e. the task is in some namespace that
+ * we can't "see".
+ */
+- ASSERT_EQ(req.pid, 0);
++ EXPECT_EQ(req.pid, 0);
+
+ resp.id = req.id;
+ resp.error = 0;
+@@ -3408,14 +3410,15 @@ TEST(user_notification_fault_recv)
+ struct seccomp_notif req = {};
+ struct seccomp_notif_resp resp = {};
+
+- listener = user_trap_syscall(__NR_getpid, SECCOMP_FILTER_FLAG_NEW_LISTENER);
++ listener = user_trap_syscall(__NR_getppid,
++ SECCOMP_FILTER_FLAG_NEW_LISTENER);
+ ASSERT_GE(listener, 0);
+
+ pid = fork();
+ ASSERT_GE(pid, 0);
+
+ if (pid == 0)
+- exit(syscall(__NR_getpid) != USER_NOTIF_MAGIC);
++ exit(syscall(__NR_getppid) != USER_NOTIF_MAGIC);
+
+ /* Do a bad recv() */
+ EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, NULL), -1);
bfq-update-internal-depth-state-when-queue-depth-cha.patch
+platform-x86-sony-laptop-fix-unintentional-fall-through.patch
+platform-x86-thinkpad_acpi-disable-bluetooth-for-some-machines.patch
+platform-x86-dell-laptop-fix-rfkill-functionality.patch
+hwmon-pwm-fan-disable-pwm-if-fetching-cooling-data-fails.patch
+hwmon-occ-fix-extended-status-bits.patch
+selftests-seccomp-handle-namespace-failures-gracefully.patch
+kernfs-fix-barrier-usage-in-__kernfs_new_node.patch
+virt-vbox-sanity-check-parameter-types-for-hgcm-calls-coming-from-userspace.patch
--- /dev/null
+From cf4f2ad6b87dda2dbe0573b1ebeb0273f8d4aac6 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 4 Apr 2019 14:39:09 +0200
+Subject: virt: vbox: Sanity-check parameter types for hgcm-calls coming from userspace
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit cf4f2ad6b87dda2dbe0573b1ebeb0273f8d4aac6 upstream.
+
+Userspace can make host function calls, called hgcm-calls through the
+/dev/vboxguest device.
+
+In this case we should not accept all hgcm-function-parameter-types, some
+are only valid for in kernel calls.
+
+This commit adds proper hgcm-function-parameter-type validation to the
+ioctl for doing a hgcm-call from userspace.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virt/vboxguest/vboxguest_core.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+--- a/drivers/virt/vboxguest/vboxguest_core.c
++++ b/drivers/virt/vboxguest/vboxguest_core.c
+@@ -1263,6 +1263,20 @@ static int vbg_ioctl_hgcm_disconnect(str
+ return ret;
+ }
+
++static bool vbg_param_valid(enum vmmdev_hgcm_function_parameter_type type)
++{
++ switch (type) {
++ case VMMDEV_HGCM_PARM_TYPE_32BIT:
++ case VMMDEV_HGCM_PARM_TYPE_64BIT:
++ case VMMDEV_HGCM_PARM_TYPE_LINADDR:
++ case VMMDEV_HGCM_PARM_TYPE_LINADDR_IN:
++ case VMMDEV_HGCM_PARM_TYPE_LINADDR_OUT:
++ return true;
++ default:
++ return false;
++ }
++}
++
+ static int vbg_ioctl_hgcm_call(struct vbg_dev *gdev,
+ struct vbg_session *session, bool f32bit,
+ struct vbg_ioctl_hgcm_call *call)
+@@ -1298,6 +1312,23 @@ static int vbg_ioctl_hgcm_call(struct vb
+ }
+ call->hdr.size_out = actual_size;
+
++ /* Validate parameter types */
++ if (f32bit) {
++ struct vmmdev_hgcm_function_parameter32 *parm =
++ VBG_IOCTL_HGCM_CALL_PARMS32(call);
++
++ for (i = 0; i < call->parm_count; i++)
++ if (!vbg_param_valid(parm[i].type))
++ return -EINVAL;
++ } else {
++ struct vmmdev_hgcm_function_parameter *parm =
++ VBG_IOCTL_HGCM_CALL_PARMS(call);
++
++ for (i = 0; i < call->parm_count; i++)
++ if (!vbg_param_valid(parm[i].type))
++ return -EINVAL;
++ }
++
+ /*
+ * Validate the client id.
+ */
projects / thirdparty / kernel / stable-queue.git / commitdiff
