4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 20 Aug 2017 19:04:29 +0000 (12:04 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 20 Aug 2017 19:04:29 +0000 (12:04 -0700)
added patches:
irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch
irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch
mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch
mm-revert-x86_64-and-arm64-elf_et_dyn_base-base-changes.patch
x86-asm-64-clear-ac-on-nmi-entries.patch
xen-fix-bio-vec-merging.patch

queue-4.4/alsa-seq-2nd-attempt-at-fixing-race-creating-a-queue.patch
queue-4.4/irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch [new file with mode: 0644]
queue-4.4/irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch [new file with mode: 0644]
queue-4.4/mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch [new file with mode: 0644]
queue-4.4/mm-revert-x86_64-and-arm64-elf_et_dyn_base-base-changes.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/x86-asm-64-clear-ac-on-nmi-entries.patch [new file with mode: 0644]
queue-4.4/xen-fix-bio-vec-merging.patch [new file with mode: 0644]

index c02ee2586acbe6303ad47b70ce12e1926fc20385..2b225e2e4c0e67558dbca1e5f01e3af7ce46d5e0 100644 (file)
@@ -44,14 +44,14 @@ Signed-off-by: Takashi Iwai <tiwai@suse.de>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
 ---
- sound/core/seq/seq_clientmgr.c |    9 ++++-----
+ sound/core/seq/seq_clientmgr.c |   13 ++++---------
  sound/core/seq/seq_queue.c     |   14 +++++++++-----
  sound/core/seq/seq_queue.h     |    2 +-
- 3 files changed, 14 insertions(+), 11 deletions(-)
+ 3 files changed, 14 insertions(+), 15 deletions(-)
 
 --- a/sound/core/seq/seq_clientmgr.c
 +++ b/sound/core/seq/seq_clientmgr.c
-@@ -1530,15 +1530,14 @@ static int snd_seq_ioctl_create_queue(st
+@@ -1530,19 +1530,14 @@ static int snd_seq_ioctl_create_queue(st
                                      void __user *arg)
  {
        struct snd_seq_queue_info info;
@@ -64,13 +64,17 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -      result = snd_seq_queue_alloc(client->number, info.locked, info.flags);
 -      if (result < 0)
 -              return result;
-+      q = snd_seq_queue_alloc(client->number, info->locked, info->flags);
+-
+-      q = queueptr(result);
+-      if (q == NULL)
+-              return -EINVAL;
++      q = snd_seq_queue_alloc(client->number, info.locked, info.flags);
 +      if (IS_ERR(q))
 +              return PTR_ERR(q);
  
-       q = queueptr(result);
-       if (q == NULL)
-@@ -1552,7 +1551,7 @@ static int snd_seq_ioctl_create_queue(st
+       info.queue = q->queue;
+       info.locked = q->locked;
+@@ -1552,7 +1547,7 @@ static int snd_seq_ioctl_create_queue(st
        if (! info.name[0])
                snprintf(info.name, sizeof(info.name), "Queue-%d", q->queue);
        strlcpy(q->name, info.name, sizeof(q->name));
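Review bot: snd_seq_queue_alloc() now hands back the queue object itself, so whatever reference or use-lock it returns with has to be dropped on every exit path of snd_seq_ioctl_create_queue(), and the function body continues past the hunk. The 4.4 variant takes `void __user *arg` and fills a local `struct snd_seq_queue_info info`, so presumably there is a copy_to_user() after the visible lines; if the release of q only happens after a successful copy-out, a failing copy would strand the reference, which is the mirror image of the race this patch closes. Worth a one-line comment at the allocation site, e.g. `/* q comes back referenced; must be released on every path below */`, plus a check that the 4.4 backport kept that release where the upstream change put it.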
diff --git a/queue-4.4/irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch b/queue-4.4/irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch
new file mode 100644 (file)
index 0000000..fab7fbf
--- /dev/null
@@ -0,0 +1,32 @@
+From 469bcef53c546bb792aa66303933272991b7831d Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Tue, 4 Jul 2017 11:10:39 +0200
+Subject: irqchip/atmel-aic: Fix unbalanced of_node_put() in aic_common_irq_fixup()
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit 469bcef53c546bb792aa66303933272991b7831d upstream.
+
+aic_common_irq_fixup() is calling twice of_node_put() on the same node
+thus leading to an unbalanced refcount on the root node.
+
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Reported-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Fixes: b2f579b58e93 ("irqchip: atmel-aic: Add irq fixup infrastructure")
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-atmel-aic-common.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/irqchip/irq-atmel-aic-common.c
++++ b/drivers/irqchip/irq-atmel-aic-common.c
+@@ -202,7 +202,6 @@ void __init aic_common_irq_fixup(const s
+               return;
+       match = of_match_node(matches, root);
+-      of_node_put(root);
+       if (match) {
+               void (*fixup)(struct device_node *) = match->data;
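Review bot: With this put removed, `root` stays referenced across the `fixup` callback declared on the last visible line (the call and the remaining release are past the hunk), so the refcount balance now rests on a single of_node_put() later in aic_common_irq_fixup() that the hunk does not show. A comment next to the of_match_node() call would keep a future edit from reintroducing the early release, e.g. `/* root is still needed by fixup(); released once, later in this function */` (adjust to where the put actually is). If that later put is indeed the only remaining one, this also resolves the underflow the description reports.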
diff --git a/queue-4.4/irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch b/queue-4.4/irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch
new file mode 100644 (file)
index 0000000..b75a9c2
--- /dev/null
@@ -0,0 +1,40 @@
+From 277867ade8262583f4280cadbe90e0031a3706a7 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Tue, 4 Jul 2017 11:10:40 +0200
+Subject: irqchip/atmel-aic: Fix unbalanced refcount in aic_common_rtc_irq_fixup()
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit 277867ade8262583f4280cadbe90e0031a3706a7 upstream.
+
+of_find_compatible_node() is calling of_node_put() on its first argument
+thus leading to an unbalanced of_node_get/put() issue if the node has not
+been retained before that.
+
+Instead of passing the root node, pass NULL, which does exactly the same:
+iterate over all DT nodes, starting from the root node.
+
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Reported-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Fixes: 3d61467f9bab ("irqchip: atmel-aic: Implement RTC irq fixup")
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-atmel-aic-common.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/irqchip/irq-atmel-aic-common.c
++++ b/drivers/irqchip/irq-atmel-aic-common.c
+@@ -148,9 +148,9 @@ void __init aic_common_rtc_irq_fixup(str
+       struct device_node *np;
+       void __iomem *regs;
+-      np = of_find_compatible_node(root, NULL, "atmel,at91rm9200-rtc");
++      np = of_find_compatible_node(NULL, NULL, "atmel,at91rm9200-rtc");
+       if (!np)
+-              np = of_find_compatible_node(root, NULL,
++              np = of_find_compatible_node(NULL, NULL,
+                                            "atmel,at91sam9x5-rtc");
+       if (!np)
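Review bot: After this change `root` is no longer referenced by any visible line of aic_common_rtc_irq_fixup(), so unless the rest of the body (outside the hunk) uses it, the parameter the hunk header still shows is now dead and misleadingly suggests the lookup is rooted at the caller's node. Consider dropping it from the fixup prototype in a follow-up, or at least marking it unused, rather than leaving it in place. Starting the search from NULL is the right fix for the refcount, given that of_find_compatible_node() puts its `from` argument, as the description states.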
diff --git a/queue-4.4/mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch b/queue-4.4/mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch
new file mode 100644 (file)
index 0000000..c147f54
--- /dev/null
@@ -0,0 +1,83 @@
+From 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 Mon Sep 17 00:00:00 2001
+From: zhong jiang <zhongjiang@huawei.com>
+Date: Fri, 18 Aug 2017 15:16:24 -0700
+Subject: mm/mempolicy: fix use after free when calling get_mempolicy
+
+From: zhong jiang <zhongjiang@huawei.com>
+
+commit 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 upstream.
+
+I hit a use after free issue when executing trinity and repoduced it
+with KASAN enabled.  The related call trace is as follows.
+
+  BUG: KASan: use after free in SyS_get_mempolicy+0x3c8/0x960 at addr ffff8801f582d766
+  Read of size 2 by task syz-executor1/798
+
+  INFO: Allocated in mpol_new.part.2+0x74/0x160 age=3 cpu=1 pid=799
+     __slab_alloc+0x768/0x970
+     kmem_cache_alloc+0x2e7/0x450
+     mpol_new.part.2+0x74/0x160
+     mpol_new+0x66/0x80
+     SyS_mbind+0x267/0x9f0
+     system_call_fastpath+0x16/0x1b
+  INFO: Freed in __mpol_put+0x2b/0x40 age=4 cpu=1 pid=799
+     __slab_free+0x495/0x8e0
+     kmem_cache_free+0x2f3/0x4c0
+     __mpol_put+0x2b/0x40
+     SyS_mbind+0x383/0x9f0
+     system_call_fastpath+0x16/0x1b
+  INFO: Slab 0xffffea0009cb8dc0 objects=23 used=8 fp=0xffff8801f582de40 flags=0x200000000004080
+  INFO: Object 0xffff8801f582d760 @offset=5984 fp=0xffff8801f582d600
+
+  Bytes b4 ffff8801f582d750: ae 01 ff ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ
+  Object ffff8801f582d760: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
+  Object ffff8801f582d770: 6b 6b 6b 6b 6b 6b 6b a5                          kkkkkkk.
+  Redzone ffff8801f582d778: bb bb bb bb bb bb bb bb                          ........
+  Padding ffff8801f582d8b8: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
+  Memory state around the buggy address:
+  ffff8801f582d600: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
+  ffff8801f582d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+  >ffff8801f582d700: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fc
+
+!shared memory policy is not protected against parallel removal by other
+thread which is normally protected by the mmap_sem.  do_get_mempolicy,
+however, drops the lock midway while we can still access it later.
+
+Early premature up_read is a historical artifact from times when
+put_user was called in this path see https://lwn.net/Articles/124754/
+but that is gone since 8bccd85ffbaf ("[PATCH] Implement sys_* do_*
+layering in the memory policy layer.").  but when we have the the
+current mempolicy ref count model.  The issue was introduced
+accordingly.
+
+Fix the issue by removing the premature release.
+
+Link: http://lkml.kernel.org/r/1502950924-27521-1-git-send-email-zhongjiang@huawei.com
+Signed-off-by: zhong jiang <zhongjiang@huawei.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mempolicy.c |    5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -894,11 +894,6 @@ static long do_get_mempolicy(int *policy
+               *policy |= (pol->flags & MPOL_MODE_FLAGS);
+       }
+-      if (vma) {
+-              up_read(&current->mm->mmap_sem);
+-              vma = NULL;
+-      }
+-
+       err = 0;
+       if (nmask) {
+               if (mpol_store_user_nodemask(pol)) {
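Review bot: Removing this block also drops `vma = NULL`, so the mmap_sem read lock is now held through the nmask handling and correctness depends on the function's common exit path (outside the hunk) still doing the `if (vma) up_read(...)` release; any early `return` inserted between here and that exit would leak the lock. A one-line comment at the removal site would make the lifetime explicit, e.g. `/* keep mmap_sem held: pol may be a shared policy that only the lock protects from concurrent removal */`. do_get_mempolicy() starts and ends outside the hunk.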
diff --git a/queue-4.4/mm-revert-x86_64-and-arm64-elf_et_dyn_base-base-changes.patch b/queue-4.4/mm-revert-x86_64-and-arm64-elf_et_dyn_base-base-changes.patch
new file mode 100644 (file)
index 0000000..623d131
--- /dev/null
@@ -0,0 +1,82 @@
+From c715b72c1ba406f133217b509044c38d8e714a37 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 18 Aug 2017 15:16:31 -0700
+Subject: mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes
+
+From: Kees Cook <keescook@chromium.org>
+
+commit c715b72c1ba406f133217b509044c38d8e714a37 upstream.
+
+Moving the x86_64 and arm64 PIE base from 0x555555554000 to 0x000100000000
+broke AddressSanitizer.  This is a partial revert of:
+
+  eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE")
+  02445990a96e ("arm64: move ELF_ET_DYN_BASE to 4GB / 4MB")
+
+The AddressSanitizer tool has hard-coded expectations about where
+executable mappings are loaded.
+
+The motivation for changing the PIE base in the above commits was to
+avoid the Stack-Clash CVEs that allowed executable mappings to get too
+close to heap and stack.  This was mainly a problem on 32-bit, but the
+64-bit bases were moved too, in an effort to proactively protect those
+systems (proofs of concept do exist that show 64-bit collisions, but
+other recent changes to fix stack accounting and setuid behaviors will
+minimize the impact).
+
+The new 32-bit PIE base is fine for ASan (since it matches the ET_EXEC
+base), so only the 64-bit PIE base needs to be reverted to let x86 and
+arm64 ASan binaries run again.  Future changes to the 64-bit PIE base on
+these architectures can be made optional once a more dynamic method for
+dealing with AddressSanitizer is found.  (e.g.  always loading PIE into
+the mmap region for marked binaries.)
+
+Link: http://lkml.kernel.org/r/20170807201542.GA21271@beast
+Fixes: eab09532d400 ("binfmt_elf: use ELF_ET_DYN_BASE only for PIE")
+Fixes: 02445990a96e ("arm64: move ELF_ET_DYN_BASE to 4GB / 4MB")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reported-by: Kostya Serebryany <kcc@google.com>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/elf.h |    4 ++--
+ arch/x86/include/asm/elf.h   |    4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -121,10 +121,10 @@ typedef struct user_fpsimd_state elf_fpr
+ /*
+  * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is raised to 4GB to leave the entire 32-bit address
++ * 64-bit, this is above 4GB to leave the entire 32-bit address
+  * space open for things that want to use the area for 32-bit pointers.
+  */
+-#define ELF_ET_DYN_BASE               0x100000000UL
++#define ELF_ET_DYN_BASE               (2 * TASK_SIZE_64 / 3)
+ /*
+  * When the program starts, a1 contains a pointer to a function to be
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -247,11 +247,11 @@ extern int force_personality32;
+ /*
+  * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is raised to 4GB to leave the entire 32-bit address
++ * 64-bit, this is above 4GB to leave the entire 32-bit address
+  * space open for things that want to use the area for 32-bit pointers.
+  */
+ #define ELF_ET_DYN_BASE               (mmap_is_ia32() ? 0x000400000UL : \
+-                                                0x100000000UL)
++                                                (TASK_SIZE / 3 * 2))
+ /* This yields a mask that user programs can use to figure out what
+    instruction set this CPU supports.  This could be done in user space,
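Review bot: The two restored definitions compute the same fraction with different operator order, arm64 as `(2 * TASK_SIZE_64 / 3)` and x86 as `(TASK_SIZE / 3 * 2)`; the x86 form truncates before doubling, so neither result is page-aligned and the low bits differ between the arches (the 0x555555554000 quoted in the description is presumably the page-aligned value the loader ends up with). Since this is a revert to the pre-existing expressions, aligning them is optional, but a short comment on the x86 line such as `/* not page-aligned; the ELF loader rounds the base down */` (if that is indeed where the alignment happens) would spare the next reader the check. The users of the macro are outside both hunks.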
index a12dd9572f6ff501befe0b7fa82040823676af55..fe1f1bc39bf9416161c60860a57593bbe06d349b 100644 (file)
@@ -7,3 +7,9 @@ input-elan_i2c-add-antoher-lenovo-acpi-id-for-upcoming-lenovo-nb.patch
 alsa-seq-2nd-attempt-at-fixing-race-creating-a-queue.patch
 alsa-usb-audio-apply-sample-rate-quirk-to-sennheiser-headset.patch
 alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-c-media-devices.patch
+mm-mempolicy-fix-use-after-free-when-calling-get_mempolicy.patch
+mm-revert-x86_64-and-arm64-elf_et_dyn_base-base-changes.patch
+xen-fix-bio-vec-merging.patch
+x86-asm-64-clear-ac-on-nmi-entries.patch
+irqchip-atmel-aic-fix-unbalanced-of_node_put-in-aic_common_irq_fixup.patch
+irqchip-atmel-aic-fix-unbalanced-refcount-in-aic_common_rtc_irq_fixup.patch
diff --git a/queue-4.4/x86-asm-64-clear-ac-on-nmi-entries.patch b/queue-4.4/x86-asm-64-clear-ac-on-nmi-entries.patch
new file mode 100644 (file)
index 0000000..a77a38c
--- /dev/null
@@ -0,0 +1,41 @@
+From e93c17301ac55321fc18e0f8316e924e58a83c8c Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Mon, 7 Aug 2017 19:43:13 -0700
+Subject: x86/asm/64: Clear AC on NMI entries
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit e93c17301ac55321fc18e0f8316e924e58a83c8c upstream.
+
+This closes a hole in our SMAP implementation.
+
+This patch comes from grsecurity. Good catch!
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/314cc9f294e8f14ed85485727556ad4f15bb1659.1502159503.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/entry/entry_64.S |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/entry/entry_64.S
++++ b/arch/x86/entry/entry_64.S
+@@ -1190,6 +1190,8 @@ ENTRY(nmi)
+        * other IST entries.
+        */
++      ASM_CLAC
++
+       /* Use %rdx as our temp variable throughout */
+       pushq   %rdx
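Review bot: A comment explaining why the CLAC lives here would help the next reader, since the NMI entry is the one path that presumably does not go through the idtentry macro where the other IST entries get their own ASM_CLAC (the comment above refers to "other IST entries", but that block starts outside the hunk). Suggested, placed above `ASM_CLAC`: `/* Clear AC: NMI bypasses idtentry, so sanitize SMAP state like the other entries */`. Putting it before the first `pushq` is the right spot, as nothing in the handler after this point can then reach user memory implicitly, whatever AC state the NMI interrupted.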
diff --git a/queue-4.4/xen-fix-bio-vec-merging.patch b/queue-4.4/xen-fix-bio-vec-merging.patch
new file mode 100644 (file)
index 0000000..c8968b6
--- /dev/null
@@ -0,0 +1,61 @@
+From 462cdace790ac2ed6aad1b19c9c0af0143b6aab0 Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Tue, 18 Jul 2017 15:01:00 +0100
+Subject: xen: fix bio vec merging
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monne <roger.pau@citrix.com>
+
+commit 462cdace790ac2ed6aad1b19c9c0af0143b6aab0 upstream.
+
+The current test for bio vec merging is not fully accurate and can be
+tricked into merging bios when certain grant combinations are used.
+The result of these malicious bio merges is a bio that extends past
+the memory page used by any of the originating bios.
+
+Take into account the following scenario, where a guest creates two
+grant references that point to the same mfn, ie: grant 1 -> mfn A,
+grant 2 -> mfn A.
+
+These references are then used in a PV block request, and mapped by
+the backend domain, thus obtaining two different pfns that point to
+the same mfn, pfn B -> mfn A, pfn C -> mfn A.
+
+If those grants happen to be used in two consecutive sectors of a disk
+IO operation becoming two different bios in the backend domain, the
+checks in xen_biovec_phys_mergeable will succeed, because bfn1 == bfn2
+(they both point to the same mfn). However due to the bio merging,
+the backend domain will end up with a bio that expands past mfn A into
+mfn A + 1.
+
+Fix this by making sure the check in xen_biovec_phys_mergeable takes
+into account the offset and the length of the bio, this basically
+replicates whats done in __BIOVEC_PHYS_MERGEABLE using mfns (bus
+addresses). While there also remove the usage of
+__BIOVEC_PHYS_MERGEABLE, since that's already checked by the callers
+of xen_biovec_phys_mergeable.
+
+Reported-by: "Jan H. Schönherr" <jschoenh@amazon.de>
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/biomerge.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/xen/biomerge.c
++++ b/drivers/xen/biomerge.c
+@@ -10,8 +10,7 @@ bool xen_biovec_phys_mergeable(const str
+       unsigned long bfn1 = pfn_to_bfn(page_to_pfn(vec1->bv_page));
+       unsigned long bfn2 = pfn_to_bfn(page_to_pfn(vec2->bv_page));
+-      return __BIOVEC_PHYS_MERGEABLE(vec1, vec2) &&
+-              ((bfn1 == bfn2) || ((bfn1+1) == bfn2));
++      return bfn1 + PFN_DOWN(vec1->bv_offset + vec1->bv_len) == bfn2;
+ #else
+       /*
+        * XXX: Add support for merging bio_vec when using different page