--- /dev/null
+From 1524f4e47f90b27a3ac84efbdd94c63172246a6f Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 8 Jan 2019 10:43:30 +0300
+Subject: ALSA: cs46xx: Potential NULL dereference in probe
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 1524f4e47f90b27a3ac84efbdd94c63172246a6f upstream.
+
+The "chip->dsp_spos_instance" can be NULL on some of the ealier error
+paths in snd_cs46xx_create().
+
+Reported-by: "Yavuz, Tuba" <tuba@ece.ufl.edu>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/cs46xx/dsp_spos.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/pci/cs46xx/dsp_spos.c
++++ b/sound/pci/cs46xx/dsp_spos.c
+@@ -900,6 +900,9 @@ int cs46xx_dsp_proc_done (struct snd_cs4
+ struct dsp_spos_instance * ins = chip->dsp_spos_instance;
+ int i;
+
++ if (!ins)
++ return 0;
++
+ snd_info_free_entry(ins->proc_sym_info_entry);
+ ins->proc_sym_info_entry = NULL;
+
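Review bot: The new early return has no comment saying when `ins` can be NULL; the reason is given only in the commit message. A line such as `/* NULL if snd_cs46xx_create() failed before the DSP instance was allocated */` above `if (!ins)` would keep a later reader from removing the check as dead code. Other teardown helpers that dereference `chip->dsp_spos_instance` on the same error path may need the same guard; they are not visible in this hunk. cs46xx_dsp_proc_done continues past the end of the hunk.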
--- /dev/null
+From f4351a199cc120ff9d59e06d02e8657d08e6cc46 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 19 Dec 2018 12:36:27 +0100
+Subject: ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f4351a199cc120ff9d59e06d02e8657d08e6cc46 upstream.
+
+The parser for the processing unit reads bNrInPins field before the
+bLength sanity check, which may lead to an out-of-bound access when a
+malformed descriptor is given. Fix it by assignment after the bLength
+check.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1888,7 +1888,7 @@ static int build_audio_procunit(struct m
+ char *name)
+ {
+ struct uac_processing_unit_descriptor *desc = raw_desc;
+- int num_ins = desc->bNrInPins;
++ int num_ins;
+ struct usb_mixer_elem_info *cval;
+ struct snd_kcontrol *kctl;
+ int i, err, nameid, type, len;
+@@ -1903,7 +1903,13 @@ static int build_audio_procunit(struct m
+ 0, NULL, default_value_info
+ };
+
+- if (desc->bLength < 13 || desc->bLength < 13 + num_ins ||
++ if (desc->bLength < 13) {
++ usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);
++ return -EINVAL;
++ }
++
++ num_ins = desc->bNrInPins;
++ if (desc->bLength < 13 + num_ins ||
+ desc->bLength < num_ins + uac_processing_unit_bControlSize(desc, state->mixer->protocol)) {
+ usb_audio_err(state->chip, "invalid %s descriptor (id %d)\n", name, unitid);
+ return -EINVAL;
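Review bot: The last comparison, `desc->bLength < num_ins + uac_processing_unit_bControlSize(...)`, leaves out the 13 fixed bytes that the two checks before it count. For a control size up to 13 it is already implied by `desc->bLength < 13 + num_ins`, and for larger sizes it may still accept a descriptor whose control bitmap runs past bLength. The descriptor layout is not visible in this hunk, so the exact bound has to be confirmed per protocol version, but the check probably wants to compare bLength with the offset at which the control bitmap ends. Both error branches also print the same text, which makes a rejected device harder to triage; the first could read `"invalid %s descriptor length (id %d)\n"`. build_audio_procunit continues outside the hunk.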
--- /dev/null
+From cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184 Mon Sep 17 00:00:00 2001
+From: Hui Peng <benquike@163.com>
+Date: Tue, 25 Dec 2018 18:11:52 -0500
+Subject: ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks
+
+From: Hui Peng <benquike@163.com>
+
+commit cbb2ebf70daf7f7d97d3811a2ff8e39655b8c184 upstream.
+
+In `create_composite_quirk`, the terminating condition of for loops is
+`quirk->ifnum < 0`. So any composite quirks should end with `struct
+snd_usb_audio_quirk` object with ifnum < 0.
+
+ for (quirk = quirk_comp->data; quirk->ifnum >= 0; ++quirk) {
+
+ .....
+ }
+
+the data field of Bower's & Wilkins PX headphones usb device device quirks
+do not end with {.ifnum = -1}, wihch may result in out-of-bound read.
+
+This Patch fix the bug by adding an ending quirk object.
+
+Fixes: 240a8af929c7 ("ALSA: usb-audio: Add a quirck for B&W PX headphones")
+Signed-off-by: Hui Peng <benquike@163.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks-table.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -3321,6 +3321,9 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge
+ }
+ }
+ },
++ {
++ .ifnum = -1
++ },
+ }
+ }
+ },
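Review bot: The added `{ .ifnum = -1 }` entry is a sentinel that the loop quoted in the commit message depends on, but nothing in the table says so. A comment on the entry, `/* terminator: create_composite_quirk() stops at ifnum < 0 */`, would make the requirement visible to whoever adds the next composite quirk. Because that loop has no length bound, the other composite entries in this table are worth a pass for the same omission; they are outside this hunk.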
--- /dev/null
+From 8ea3819c0bbef57a51d8abe579e211033e861677 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Mon, 19 Nov 2018 20:01:24 +0200
+Subject: b43: Fix error in cordic routine
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 8ea3819c0bbef57a51d8abe579e211033e861677 upstream.
+
+The cordic routine for calculating sines and cosines that was added in
+commit 6f98e62a9f1b ("b43: update cordic code to match current specs")
+contains an error whereby a quantity declared u32 can in fact go negative.
+
+This problem was detected by Priit Laes who is switching b43 to use the
+routine in the library functions of the kernel.
+
+Fixes: 986504540306 ("b43: make cordic common (LP-PHY and N-PHY need it)")
+Reported-by: Priit Laes <plaes@plaes.org>
+Cc: Rafał Miłecki <zajec5@gmail.com>
+Cc: Stable <stable@vger.kernel.org> # 2.6.34
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Priit Laes <plaes@plaes.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/b43/phy_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/b43/phy_common.c
++++ b/drivers/net/wireless/broadcom/b43/phy_common.c
+@@ -616,7 +616,7 @@ struct b43_c32 b43_cordic(int theta)
+ u8 i;
+ s32 tmp;
+ s8 signx = 1;
+- u32 angle = 0;
++ s32 angle = 0;
+ struct b43_c32 ret = { .i = 39797, .q = 0, };
+
+ while (theta > (180 << 16))
--- /dev/null
+From b982896cdb6e6a6b89d86dfb39df489d9df51e14 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 15 Nov 2018 13:15:05 +0300
+Subject: dlm: fixed memory leaks after failed ls_remove_names allocation
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit b982896cdb6e6a6b89d86dfb39df489d9df51e14 upstream.
+
+If allocation fails on last elements of array need to free already
+allocated elements.
+
+v2: just move existing out_rsbtbl label to right place
+
+Fixes 789924ba635f ("dlm: fix race between remove and lookup")
+Cc: stable@kernel.org # 3.6
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -680,11 +680,11 @@ static int new_lockspace(const char *nam
+ kfree(ls->ls_recover_buf);
+ out_lkbidr:
+ idr_destroy(&ls->ls_lkbidr);
++ out_rsbtbl:
+ for (i = 0; i < DLM_REMOVE_NAMES_MAX; i++) {
+ if (ls->ls_remove_names[i])
+ kfree(ls->ls_remove_names[i]);
+ }
+- out_rsbtbl:
+ vfree(ls->ls_rsbtbl);
+ out_lsfree:
+ if (do_unreg)
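Review bot: With `out_rsbtbl:` moved above the loop, a failure part-way through the ls_remove_names allocations now walks all DLM_REMOVE_NAMES_MAX slots, including those never assigned. The cleanup is therefore only correct if `ls` was zero-initialised when it was allocated; that allocation is outside this hunk and should be confirmed. The `if (ls->ls_remove_names[i])` guard is redundant because kfree() accepts NULL, so the loop body can be just `kfree(ls->ls_remove_names[i]);`. A one-line comment such as `/* slots not yet allocated are still NULL */` would record the assumption.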
--- /dev/null
+From c0174726c3976e67da8649ac62cae43220ae173a Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 15 Nov 2018 13:18:24 +0300
+Subject: dlm: lost put_lkb on error path in receive_convert() and receive_unlock()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit c0174726c3976e67da8649ac62cae43220ae173a upstream.
+
+Fixes 6d40c4a708e0 ("dlm: improve error and debug messages")
+Cc: stable@kernel.org # 3.5
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dlm/lock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -4177,6 +4177,7 @@ static int receive_convert(struct dlm_ls
+ (unsigned long long)lkb->lkb_recover_seq,
+ ms->m_header.h_nodeid, ms->m_lkid);
+ error = -ENOENT;
++ dlm_put_lkb(lkb);
+ goto fail;
+ }
+
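Review bot: The added `dlm_put_lkb(lkb);` does not say which reference it releases; presumably it pairs with the lookup that produced `lkb` earlier in receive_convert, which is outside this hunk. A short comment, `/* drop the reference taken by the lookup above */`, would make the pairing explicit, and the same applies to the identical line added in the receive_unlock hunk. It is also worth confirming that nothing after the `fail:` label dereferences `lkb` once the reference has been dropped, since that label is not shown in either hunk.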
+@@ -4230,6 +4231,7 @@ static int receive_unlock(struct dlm_ls
+ lkb->lkb_id, lkb->lkb_remid,
+ ms->m_header.h_nodeid, ms->m_lkid);
+ error = -ENOENT;
++ dlm_put_lkb(lkb);
+ goto fail;
+ }
+
--- /dev/null
+From d47b41aceeadc6b58abc9c7c6485bef7cfb75636 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 15 Nov 2018 13:18:56 +0300
+Subject: dlm: memory leaks on error path in dlm_user_request()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit d47b41aceeadc6b58abc9c7c6485bef7cfb75636 upstream.
+
+According to comment in dlm_user_request() ua should be freed
+in dlm_free_lkb() after successful attach to lkb.
+
+However ua is attached to lkb not in set_lock_args() but later,
+inside request_lock().
+
+Fixes 597d0cae0f99 ("[DLM] dlm: user locks")
+Cc: stable@kernel.org # 2.6.19
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dlm/lock.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -5792,20 +5792,20 @@ int dlm_user_request(struct dlm_ls *ls,
+ goto out;
+ }
+ }
+-
+- /* After ua is attached to lkb it will be freed by dlm_free_lkb().
+- When DLM_IFL_USER is set, the dlm knows that this is a userspace
+- lock and that lkb_astparam is the dlm_user_args structure. */
+-
+ error = set_lock_args(mode, &ua->lksb, flags, namelen, timeout_cs,
+ fake_astfn, ua, fake_bastfn, &args);
+- lkb->lkb_flags |= DLM_IFL_USER;
+-
+ if (error) {
++ kfree(ua->lksb.sb_lvbptr);
++ ua->lksb.sb_lvbptr = NULL;
++ kfree(ua);
+ __put_lkb(ls, lkb);
+ goto out;
+ }
+
++ /* After ua is attached to lkb it will be freed by dlm_free_lkb().
++ When DLM_IFL_USER is set, the dlm knows that this is a userspace
++ lock and that lkb_astparam is the dlm_user_args structure. */
++ lkb->lkb_flags |= DLM_IFL_USER;
+ error = request_lock(ls, lkb, name, namelen, &args);
+
+ switch (error) {
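Review bot: `ua->lksb.sb_lvbptr = NULL;` is a dead store, because `kfree(ua)` on the next line releases the structure that holds the pointer. It can be dropped; if anything after `out:` still reads `ua`, that would be a use after free and should be checked, since the label is outside the hunk. The new error branch would also benefit from a comment stating why it frees by hand, for example `/* ua is not attached to lkb yet, so __put_lkb() will not free it */`. The relocated block comment describes the success path only.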
--- /dev/null
+From 23851e978f31eda8b2d01bd410d3026659ca06c7 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 15 Nov 2018 13:18:18 +0300
+Subject: dlm: possible memory leak on error path in create_lkb()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 23851e978f31eda8b2d01bd410d3026659ca06c7 upstream.
+
+Fixes 3d6aa675fff9 ("dlm: keep lkbs in idr")
+Cc: stable@kernel.org # 3.1
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dlm/lock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -1210,6 +1210,7 @@ static int create_lkb(struct dlm_ls *ls,
+
+ if (rv < 0) {
+ log_error(ls, "create_lkb idr error %d", rv);
++ dlm_free_lkb(lkb);
+ return rv;
+ }
+
--- /dev/null
+From 2d29f6b96d8f80322ed2dd895bca590491c38d34 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Tue, 4 Dec 2018 15:06:27 +0100
+Subject: gfs2: Fix loop in gfs2_rbm_find
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit 2d29f6b96d8f80322ed2dd895bca590491c38d34 upstream.
+
+Fix the resource group wrap-around logic in gfs2_rbm_find that commit
+e579ed4f44 broke. The bug can lead to unnecessary repeated scanning of the
+same bitmaps; there is a risk that future changes will turn this into an
+endless loop.
+
+Fixes: e579ed4f44 ("GFS2: Introduce rbm field bii")
+Cc: stable@vger.kernel.org # v3.13+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/rgrp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/gfs2/rgrp.c
++++ b/fs/gfs2/rgrp.c
+@@ -1695,9 +1695,9 @@ static int gfs2_rbm_find(struct gfs2_rbm
+ goto next_iter;
+ }
+ if (ret == -E2BIG) {
++ n += rbm->bii - initial_bii;
+ rbm->bii = 0;
+ rbm->offset = 0;
+- n += (rbm->bii - initial_bii);
+ goto res_covered_end_of_rgrp;
+ }
+ return ret;
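Review bot: The fix depends purely on statement order: `n += rbm->bii - initial_bii;` has to run before `rbm->bii = 0;`, and nothing in the code says so. A comment above the moved line, such as `/* must read bii before it is reset below */`, would protect it from being reordered again. The surrounding loop in gfs2_rbm_find is outside this hunk.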
--- /dev/null
+From 6ff9b09e00a441599f3aacdf577254455a048bc9 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruenba@redhat.com>
+Date: Mon, 26 Nov 2018 18:45:35 +0100
+Subject: gfs2: Get rid of potential double-freeing in gfs2_create_inode
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+commit 6ff9b09e00a441599f3aacdf577254455a048bc9 upstream.
+
+In gfs2_create_inode, after setting and releasing the acl / default_acl, the
+acl / default_acl pointers are not set to NULL as they should be. In that
+state, when the function reaches label fail_free_acls, gfs2_create_inode will
+try to release the same acls again.
+
+Fix that by setting the pointers to NULL after releasing the acls. Slightly
+simplify the logic. Also, posix_acl_release checks for NULL already, so
+there is no need to duplicate those checks here.
+
+Fixes: e01580bf9e4d ("gfs2: use generic posix ACL infrastructure")
+Reported-by: Pan Bian <bianpan2016@163.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: stable@vger.kernel.org # v4.9+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/gfs2/inode.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/fs/gfs2/inode.c
++++ b/fs/gfs2/inode.c
+@@ -743,17 +743,19 @@ static int gfs2_create_inode(struct inod
+ the gfs2 structures. */
+ if (default_acl) {
+ error = __gfs2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
++ if (error)
++ goto fail_gunlock3;
+ posix_acl_release(default_acl);
++ default_acl = NULL;
+ }
+ if (acl) {
+- if (!error)
+- error = __gfs2_set_acl(inode, acl, ACL_TYPE_ACCESS);
++ error = __gfs2_set_acl(inode, acl, ACL_TYPE_ACCESS);
++ if (error)
++ goto fail_gunlock3;
+ posix_acl_release(acl);
++ acl = NULL;
+ }
+
+- if (error)
+- goto fail_gunlock3;
+-
+ error = security_inode_init_security(&ip->i_inode, &dip->i_inode, name,
+ &gfs2_initxattrs, NULL);
+ if (error)
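Review bot: The release paths now depend on an invariant that is not written down: `default_acl` and `acl` are NULL exactly when their reference has already been dropped, which is what lets `fail_free_acls` call posix_acl_release() unconditionally. A comment at the first `default_acl = NULL;`, for example `/* released above; keeps fail_free_acls from releasing it again */`, would state that. The new `goto fail_gunlock3` branches skip the release on purpose and rely on that label eventually reaching `fail_free_acls`. `fail_gunlock3` is not shown in either hunk of this file, so that fall-through should be confirmed.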
+@@ -788,10 +790,8 @@ fail_free_inode:
+ }
+ gfs2_rsqa_delete(ip, NULL);
+ fail_free_acls:
+- if (default_acl)
+- posix_acl_release(default_acl);
+- if (acl)
+- posix_acl_release(acl);
++ posix_acl_release(default_acl);
++ posix_acl_release(acl);
+ fail_gunlock:
+ gfs2_dir_no_add(&da);
+ gfs2_glock_dq_uninit(ghs);
--- /dev/null
+From b8eee0e90f9797b747113638bc75e739b192ad38 Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Thu, 1 Nov 2018 13:39:49 -0400
+Subject: lockd: Show pid of lockd for remote locks
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+commit b8eee0e90f9797b747113638bc75e739b192ad38 upstream.
+
+Commit 9d5b86ac13c5 ("fs/locks: Remove fl_nspid and use fs-specific l_pid
+for remote locks") specified that the l_pid returned for F_GETLK on a local
+file that has a remote lock should be the pid of the lock manager process.
+That commit, while updating other filesystems, failed to update lockd, such
+that locks created by lockd had their fl_pid set to that of the remote
+process holding the lock. Fix that here to be the pid of lockd.
+
+Also, fix the client case so that the returned lock pid is negative, which
+indicates a remote lock on a remote file.
+
+Fixes: 9d5b86ac13c5 ("fs/locks: Remove fl_nspid and use fs-specific...")
+Cc: stable@vger.kernel.org
+
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/lockd/clntproc.c | 2 +-
+ fs/lockd/xdr.c | 4 ++--
+ fs/lockd/xdr4.c | 4 ++--
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/lockd/clntproc.c
++++ b/fs/lockd/clntproc.c
+@@ -442,7 +442,7 @@ nlmclnt_test(struct nlm_rqst *req, struc
+ fl->fl_start = req->a_res.lock.fl.fl_start;
+ fl->fl_end = req->a_res.lock.fl.fl_end;
+ fl->fl_type = req->a_res.lock.fl.fl_type;
+- fl->fl_pid = 0;
++ fl->fl_pid = -req->a_res.lock.fl.fl_pid;
+ break;
+ default:
+ status = nlm_stat_to_errno(req->a_res.status);
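Review bot: The negation in `fl->fl_pid = -req->a_res.lock.fl.fl_pid;` only produces a negative pid when the decoded value is positive. If the reply decoder fills fl_pid from a 32-bit value supplied by the server (the decoder is not visible in this hunk), zero stays zero, a value with the top bit set turns positive and reads like a local pid, and INT_MIN cannot be negated. One option that keeps the "negative means remote" convention for positive inputs without negating anything else is `pid_t p = req->a_res.lock.fl.fl_pid; fl->fl_pid = p > 0 ? -p : p;`. nlmclnt_test starts and ends outside the hunk.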
+--- a/fs/lockd/xdr.c
++++ b/fs/lockd/xdr.c
+@@ -127,7 +127,7 @@ nlm_decode_lock(__be32 *p, struct nlm_lo
+
+ locks_init_lock(fl);
+ fl->fl_owner = current->files;
+- fl->fl_pid = (pid_t)lock->svid;
++ fl->fl_pid = current->tgid;
+ fl->fl_flags = FL_POSIX;
+ fl->fl_type = F_RDLCK; /* as good as anything else */
+ start = ntohl(*p++);
+@@ -269,7 +269,7 @@ nlmsvc_decode_shareargs(struct svc_rqst
+ memset(lock, 0, sizeof(*lock));
+ locks_init_lock(&lock->fl);
+ lock->svid = ~(u32) 0;
+- lock->fl.fl_pid = (pid_t)lock->svid;
++ lock->fl.fl_pid = current->tgid;
+
+ if (!(p = nlm_decode_cookie(p, &argp->cookie))
+ || !(p = xdr_decode_string_inplace(p, &lock->caller,
+--- a/fs/lockd/xdr4.c
++++ b/fs/lockd/xdr4.c
+@@ -119,7 +119,7 @@ nlm4_decode_lock(__be32 *p, struct nlm_l
+
+ locks_init_lock(fl);
+ fl->fl_owner = current->files;
+- fl->fl_pid = (pid_t)lock->svid;
++ fl->fl_pid = current->tgid;
+ fl->fl_flags = FL_POSIX;
+ fl->fl_type = F_RDLCK; /* as good as anything else */
+ p = xdr_decode_hyper(p, &start);
+@@ -266,7 +266,7 @@ nlm4svc_decode_shareargs(struct svc_rqst
+ memset(lock, 0, sizeof(*lock));
+ locks_init_lock(&lock->fl);
+ lock->svid = ~(u32) 0;
+- lock->fl.fl_pid = (pid_t)lock->svid;
++ lock->fl.fl_pid = current->tgid;
+
+ if (!(p = nlm4_decode_cookie(p, &argp->cookie))
+ || !(p = xdr_decode_string_inplace(p, &lock->caller,
--- /dev/null
+From 5df275cd4cf51c86d49009f1397132f284ba515e Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 23 Oct 2018 09:02:17 +0200
+Subject: selinux: policydb - fix byte order and alignment issues
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+commit 5df275cd4cf51c86d49009f1397132f284ba515e upstream.
+
+Do the LE conversions before doing the Infiniband-related range checks.
+The incorrect checks are otherwise causing a failure to load any policy
+with an ibendportcon rule on BE systems. This can be reproduced by
+running (on e.g. ppc64):
+
+cat >my_module.cil <<EOF
+(type test_ibendport_t)
+(roletype object_r test_ibendport_t)
+(ibendportcon mlx4_0 1 (system_u object_r test_ibendport_t ((s0) (s0))))
+EOF
+semodule -i my_module.cil
+
+Also, fix loading/storing the 64-bit subnet prefix for OCON_IBPKEY to
+use a correctly aligned buffer.
+
+Finally, do not use the 'nodebuf' (u32) buffer where 'buf' (__le32)
+should be used instead.
+
+Tested internally on a ppc64 machine with a RHEL 7 kernel with this
+patch applied.
+
+Cc: Daniel Jurgens <danielj@mellanox.com>
+Cc: Eli Cohen <eli@mellanox.com>
+Cc: James Morris <jmorris@namei.org>
+Cc: Doug Ledford <dledford@redhat.com>
+Cc: <stable@vger.kernel.org> # 4.13+
+Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband support")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/ss/policydb.c | 51 ++++++++++++++++++++++++++++-------------
+ 1 file changed, 36 insertions(+), 15 deletions(-)
+
+--- a/security/selinux/ss/policydb.c
++++ b/security/selinux/ss/policydb.c
+@@ -2107,6 +2107,7 @@ static int ocontext_read(struct policydb
+ {
+ int i, j, rc;
+ u32 nel, len;
++ __be64 prefixbuf[1];
+ __le32 buf[3];
+ struct ocontext *l, *c;
+ u32 nodebuf[8];
+@@ -2216,21 +2217,30 @@ static int ocontext_read(struct policydb
+ goto out;
+ break;
+ }
+- case OCON_IBPKEY:
+- rc = next_entry(nodebuf, fp, sizeof(u32) * 4);
++ case OCON_IBPKEY: {
++ u32 pkey_lo, pkey_hi;
++
++ rc = next_entry(prefixbuf, fp, sizeof(u64));
++ if (rc)
++ goto out;
++
++ /* we need to have subnet_prefix in CPU order */
++ c->u.ibpkey.subnet_prefix = be64_to_cpu(prefixbuf[0]);
++
++ rc = next_entry(buf, fp, sizeof(u32) * 2);
+ if (rc)
+ goto out;
+
+- c->u.ibpkey.subnet_prefix = be64_to_cpu(*((__be64 *)nodebuf));
++ pkey_lo = le32_to_cpu(buf[0]);
++ pkey_hi = le32_to_cpu(buf[1]);
+
+- if (nodebuf[2] > 0xffff ||
+- nodebuf[3] > 0xffff) {
++ if (pkey_lo > U16_MAX || pkey_hi > U16_MAX) {
+ rc = -EINVAL;
+ goto out;
+ }
+
+- c->u.ibpkey.low_pkey = le32_to_cpu(nodebuf[2]);
+- c->u.ibpkey.high_pkey = le32_to_cpu(nodebuf[3]);
++ c->u.ibpkey.low_pkey = pkey_lo;
++ c->u.ibpkey.high_pkey = pkey_hi;
+
+ rc = context_read_and_validate(&c->context[0],
+ p,
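Review bot: The pkey range is accepted without checking that the low bound does not exceed the high bound: once `pkey_lo > U16_MAX || pkey_hi > U16_MAX` passes, both values are stored as read. Unless an inverted range is rejected elsewhere during policy load (not visible here), adding `|| pkey_lo > pkey_hi` to the same condition would reject it at parse time through the existing -EINVAL path. The `case OCON_IBPKEY:` block ends outside this hunk.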
+@@ -2238,7 +2248,10 @@ static int ocontext_read(struct policydb
+ if (rc)
+ goto out;
+ break;
+- case OCON_IBENDPORT:
++ }
++ case OCON_IBENDPORT: {
++ u32 port;
++
+ rc = next_entry(buf, fp, sizeof(u32) * 2);
+ if (rc)
+ goto out;
+@@ -2248,12 +2261,13 @@ static int ocontext_read(struct policydb
+ if (rc)
+ goto out;
+
+- if (buf[1] > 0xff || buf[1] == 0) {
++ port = le32_to_cpu(buf[1]);
++ if (port > U8_MAX || port == 0) {
+ rc = -EINVAL;
+ goto out;
+ }
+
+- c->u.ibendport.port = le32_to_cpu(buf[1]);
++ c->u.ibendport.port = port;
+
+ rc = context_read_and_validate(&c->context[0],
+ p,
+@@ -2261,7 +2275,8 @@ static int ocontext_read(struct policydb
+ if (rc)
+ goto out;
+ break;
+- }
++ } /* end case */
++ } /* end switch */
+ }
+ }
+ rc = 0;
+@@ -3104,6 +3119,7 @@ static int ocontext_write(struct policyd
+ {
+ unsigned int i, j, rc;
+ size_t nel, len;
++ __be64 prefixbuf[1];
+ __le32 buf[3];
+ u32 nodebuf[8];
+ struct ocontext *c;
+@@ -3191,12 +3207,17 @@ static int ocontext_write(struct policyd
+ return rc;
+ break;
+ case OCON_IBPKEY:
+- *((__be64 *)nodebuf) = cpu_to_be64(c->u.ibpkey.subnet_prefix);
++ /* subnet_prefix is in CPU order */
++ prefixbuf[0] = cpu_to_be64(c->u.ibpkey.subnet_prefix);
+
+- nodebuf[2] = cpu_to_le32(c->u.ibpkey.low_pkey);
+- nodebuf[3] = cpu_to_le32(c->u.ibpkey.high_pkey);
++ rc = put_entry(prefixbuf, sizeof(u64), 1, fp);
++ if (rc)
++ return rc;
++
++ buf[0] = cpu_to_le32(c->u.ibpkey.low_pkey);
++ buf[1] = cpu_to_le32(c->u.ibpkey.high_pkey);
+
+- rc = put_entry(nodebuf, sizeof(u32), 4, fp);
++ rc = put_entry(buf, sizeof(u32), 2, fp);
+ if (rc)
+ return rc;
+ rc = context_write(p, &c->context[0], fp);
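Review bot: `rc` in ocontext_write is declared unsigned (`unsigned int i, j, rc;` in the previous hunk), and the added `rc = put_entry(...)` calls store what is presumably a negative errno in it before `return rc;`. The value survives the conversion back to the int return type, but `int rc`, as ocontext_read declares it, would keep any later `rc < 0` test from silently becoming false. The sizes would also track the buffers more closely written as `sizeof(prefixbuf[0])` and `sizeof(buf[0])` instead of `sizeof(u64)` and `sizeof(u32)`.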
vhost-vsock-fix-uninitialized-vhost_vsock-guest_cid.patch
dm-verity-fix-crash-on-bufio-buffer-that-was-allocated-with-vmalloc.patch
dm-zoned-fix-target-bio-completion-handling.patch
+alsa-cs46xx-potential-null-dereference-in-probe.patch
+alsa-usb-audio-avoid-access-before-blength-check-in-build_audio_procunit.patch
+alsa-usb-audio-fix-an-out-of-bound-read-in-create_composite_quirks.patch
+dlm-fixed-memory-leaks-after-failed-ls_remove_names-allocation.patch
+dlm-possible-memory-leak-on-error-path-in-create_lkb.patch
+dlm-lost-put_lkb-on-error-path-in-receive_convert-and-receive_unlock.patch
+dlm-memory-leaks-on-error-path-in-dlm_user_request.patch
+gfs2-get-rid-of-potential-double-freeing-in-gfs2_create_inode.patch
+gfs2-fix-loop-in-gfs2_rbm_find.patch
+b43-fix-error-in-cordic-routine.patch
+selinux-policydb-fix-byte-order-and-alignment-issues.patch
+lockd-show-pid-of-lockd-for-remote-locks.patch