--- /dev/null
+From 362bca57f5d78220f8b5907b875961af9436e229 Mon Sep 17 00:00:00 2001
+From: Robb Glasser <rglasser@google.com>
+Date: Tue, 5 Dec 2017 09:16:55 -0800
+Subject: ALSA: pcm: prevent UAF in snd_pcm_info
+
+From: Robb Glasser <rglasser@google.com>
+
+commit 362bca57f5d78220f8b5907b875961af9436e229 upstream.
+
+When the device descriptor is closed, the `substream->runtime` pointer
+is freed. But another thread may be in the ioctl handler, case
+SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
+calls snd_pcm_info() which accesses the now freed `substream->runtime`.
+
+Note: this fixes CVE-2017-0861
+
+Signed-off-by: Robb Glasser <rglasser@google.com>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -149,7 +149,9 @@ static int snd_pcm_control_ioctl(struct
+ err = -ENXIO;
+ goto _error;
+ }
++ mutex_lock(&pcm->open_mutex);
+ err = snd_pcm_info_user(substream, info);
++ mutex_unlock(&pcm->open_mutex);
+ _error:
+ mutex_unlock(®ister_mutex);
+ return err;
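Review bot: The new lock/unlock pair around `snd_pcm_info_user(substream, info)` carries no comment saying what it protects, and the reason (the release path frees substream->runtime, so the read must be serialised against it) lives only in the commit message. I would add `/* hold open_mutex so a concurrent close cannot free substream->runtime while snd_pcm_info() reads it */` above the added mutex_lock(). The enclosing snd_pcm_control_ioctl() starts outside the hunk, so that `pcm` is the object whose open_mutex matters on this path is inferred from context only. The `mutex_unlock(®ister_mutex)` context line looks like a rendering artefact of `&register_mutex` rather than part of the change.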
--- /dev/null
+From 43a3542870328601be02fcc9d27b09db467336ef Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 30 Nov 2017 10:08:28 +0100
+Subject: ALSA: seq: Remove spurious WARN_ON() at timer check
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 43a3542870328601be02fcc9d27b09db467336ef upstream.
+
+The use of snd_BUG_ON() in ALSA sequencer timer may lead to a spurious
+WARN_ON() when a slave timer is deployed as its backend and a
+corresponding master timer stops meanwhile. The symptom was triggered
+by syzkaller spontaneously.
+
+Since the NULL timer is valid there, rip off snd_BUG_ON().
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_timer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/seq/seq_timer.c
++++ b/sound/core/seq/seq_timer.c
+@@ -355,7 +355,7 @@ static int initialize_timer(struct snd_s
+ unsigned long freq;
+
+ t = tmr->timeri->timer;
+- if (snd_BUG_ON(!t))
++ if (!t)
+ return -EINVAL;
+
+ freq = tmr->preferred_resolution;
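Review bot: Dropping snd_BUG_ON() leaves `if (!t)` with no hint that a NULL timer is an expected state rather than a missed error, so a later reader may reinstate the warning. I would add `/* NULL when the master timer behind a slave timeri has stopped; not a bug, just bail */` above the check. initialize_timer() starts and ends outside the hunk.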
--- /dev/null
+From 89b89d121ffcf8d9546633b98ded9d18b8f75891 Mon Sep 17 00:00:00 2001
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+Date: Mon, 4 Dec 2017 15:31:49 +0900
+Subject: ALSA: usb-audio: Add check return value for usb_string()
+
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+
+commit 89b89d121ffcf8d9546633b98ded9d18b8f75891 upstream.
+
+snd_usb_copy_string_desc() returns zero if usb_string() fails.
+In case of failure, we need to check snd_usb_copy_string_desc()'s
+return value and add an exception case.
+
+Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -2172,13 +2172,14 @@ static int parse_audio_selector_unit(str
+ if (len)
+ ;
+ else if (nameid)
+- snd_usb_copy_string_desc(state, nameid, kctl->id.name,
++ len = snd_usb_copy_string_desc(state, nameid, kctl->id.name,
+ sizeof(kctl->id.name));
+- else {
++ else
+ len = get_term_name(state, &state->oterm,
+ kctl->id.name, sizeof(kctl->id.name), 0);
+- if (!len)
+- strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
++
++ if (!len) {
++ strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
+
+ if (desc->bDescriptorSubtype == UAC2_CLOCK_SELECTOR)
+ append_ctl_name(kctl, " Clock Source");
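Review bot: The new assignment is bolted onto the existing `if (len) ; else if (nameid) ... else ...` chain, whose empty first branch exists only to skip the lookups when a name was already found; now that both alternatives assign `len`, the same logic reads more plainly as a single `if (!len)` block, as sketched below. The `if (!len) {` opened on the last added line closes outside the hunk, so the " Clock Source" suffix now belongs to the fallback-name branch, which appears to be the intent. Note that this hunk is only correct together with the snd_usb_copy_string_desc() change that makes it return 0 on failure; on its own, a negative return would count as a non-empty name.
```c
	if (!len) {
		if (nameid)
			len = snd_usb_copy_string_desc(state, nameid, kctl->id.name,
						       sizeof(kctl->id.name));
		else
			len = get_term_name(state, &state->oterm,
					    kctl->id.name, sizeof(kctl->id.name), 0);
	}
	/* … unchanged: "USB" fallback name and " Clock Source" suffix … */
```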
--- /dev/null
+From 251552a2b0d454badc8f486e6d79100970c744b0 Mon Sep 17 00:00:00 2001
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+Date: Mon, 4 Dec 2017 15:31:48 +0900
+Subject: ALSA: usb-audio: Fix out-of-bound error
+
+From: Jaejoong Kim <climbbb.kim@gmail.com>
+
+commit 251552a2b0d454badc8f486e6d79100970c744b0 upstream.
+
+The snd_usb_copy_string_desc() retrieves the usb string corresponding to
+the index number through the usb_string(). The problem is that the
+usb_string() returns the length of the string (>= 0) when successful, but
+it can also return a negative value about the error case or status of
+usb_control_msg().
+
+If iClockSource is '0' as shown below, usb_string() will return -EINVAL.
+This will result in '0' being inserted into buf[-22], and the following
+KASAN out-of-bound error message will be output.
+
+AudioControl Interface Descriptor:
+ bLength 8
+ bDescriptorType 36
+ bDescriptorSubtype 10 (CLOCK_SOURCE)
+ bClockID 1
+ bmAttributes 0x07 Internal programmable Clock (synced to SOF)
+ bmControls 0x07
+ Clock Frequency Control (read/write)
+ Clock Validity Control (read-only)
+ bAssocTerminal 0
+ iClockSource 0
+
+To fix it, check usb_string()'return value and bail out.
+
+==================================================================
+BUG: KASAN: stack-out-of-bounds in parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
+Write of size 1 at addr ffff88007e66735a by task systemd-udevd/18376
+
+CPU: 0 PID: 18376 Comm: systemd-udevd Not tainted 4.13.0+ #3
+Hardware name: LG Electronics 15N540-RFLGL/White Tip Mountain, BIOS 15N5
+Call Trace:
+dump_stack+0x63/0x8d
+print_address_description+0x70/0x290
+? parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
+kasan_report+0x265/0x350
+__asan_store1+0x4a/0x50
+parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
+? save_stack+0xb5/0xd0
+? save_stack_trace+0x1b/0x20
+? save_stack+0x46/0xd0
+? kasan_kmalloc+0xad/0xe0
+? kmem_cache_alloc_trace+0xff/0x230
+? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
+? usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
+? usb_probe_interface+0x1f5/0x440
+? driver_probe_device+0x3ed/0x660
+? build_feature_ctl+0xb10/0xb10 [snd_usb_audio]
+? save_stack_trace+0x1b/0x20
+? init_object+0x69/0xa0
+? snd_usb_find_csint_desc+0xa8/0xf0 [snd_usb_audio]
+snd_usb_mixer_controls+0x1dc/0x370 [snd_usb_audio]
+? build_audio_procunit+0x890/0x890 [snd_usb_audio]
+? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
+? kmem_cache_alloc_trace+0xff/0x230
+? usb_ifnum_to_if+0xbd/0xf0
+snd_usb_create_mixer+0x25b/0x4b0 [snd_usb_audio]
+? snd_usb_create_stream+0x255/0x2c0 [snd_usb_audio]
+usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
+? snd_usb_autosuspend.part.7+0x30/0x30 [snd_usb_audio]
+? __pm_runtime_idle+0x90/0x90
+? kernfs_activate+0xa6/0xc0
+? usb_match_one_id_intf+0xdc/0x130
+? __pm_runtime_set_status+0x2d4/0x450
+usb_probe_interface+0x1f5/0x440
+
+Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -204,6 +204,10 @@ static int snd_usb_copy_string_desc(stru
+ int index, char *buf, int maxlen)
+ {
+ int len = usb_string(state->chip->dev, index, buf, maxlen - 1);
++
++ if (len < 0)
++ return 0;
++
+ buf[len] = 0;
+ return len;
+ }
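Review bot: On the new early-return path `buf` is left untouched, so a caller that ignores the 0 return and uses the buffer anyway reads whatever was there before; terminating it first costs one line: `if (len < 0) { buf[0] = 0; return 0; }`. A comment such as `/* usb_string() returns a negative errno on failure; report that as "no string" */` would also help, since the zero-on-failure convention is what callers are now expected to check. Assuming usb_string() honours the `maxlen - 1` it is given, the following `buf[len] = 0` write is in bounds once negative values are excluded.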
--- /dev/null
+From 5553b142be11e794ebc0805950b2e8313f93d718 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 16 Nov 2017 17:58:21 +0000
+Subject: arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 5553b142be11e794ebc0805950b2e8313f93d718 upstream.
+
+VTTBR_BADDR_MASK is used to sanity check the size and alignment of the
+VTTBR address. It seems to currently be off by one, thereby only
+allowing up to 39-bit addresses (instead of 40-bit) and also
+insufficiently checking the alignment. This patch fixes it.
+
+This patch is the 32-bit counterpart of Kristina's arm64 fix, and
+she deserves the actual kudos for pinpointing that one.
+
+Fixes: f7ed45be3ba52 ("KVM: ARM: World-switch implementation")
+Reported-by: Kristina Martsenko <kristina.martsenko@arm.com>
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/include/asm/kvm_arm.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/arm/include/asm/kvm_arm.h
++++ b/arch/arm/include/asm/kvm_arm.h
+@@ -161,8 +161,7 @@
+ #else
+ #define VTTBR_X (5 - KVM_T0SZ)
+ #endif
+-#define VTTBR_BADDR_SHIFT (VTTBR_X - 1)
+-#define VTTBR_BADDR_MASK (((_AC(1, ULL) << (40 - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT)
++#define VTTBR_BADDR_MASK (((_AC(1, ULL) << (40 - VTTBR_X)) - 1) << VTTBR_X)
+ #define VTTBR_VMID_SHIFT _AC(48, ULL)
+ #define VTTBR_VMID_MASK(size) (_AT(u64, (1 << size) - 1) << VTTBR_VMID_SHIFT)
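Review bot: `VTTBR_BADDR_SHIFT` is deleted from a shared header and the diffstat lists only this file, so any remaining user elsewhere in the tree would now fail to build; worth confirming nothing else references it (the arm64 hunk further down removes the same macro from its own header and has the same exposure). The corrected mask encodes two requirements that the macro name does not convey; I would add `/* BADDR occupies bits [39:VTTBR_X]; the base address must be 2^VTTBR_X aligned */` above the define, and the analogous comment with PHYS_MASK_SHIFT in the arm64 header.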
+
--- /dev/null
+From 071b6d4a5d343046f253a5a8835d477d93992002 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Tue, 5 Dec 2017 14:56:42 +0000
+Subject: arm64: fpsimd: Prevent registers leaking from dead tasks
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit 071b6d4a5d343046f253a5a8835d477d93992002 upstream.
+
+Currently, loading of a task's fpsimd state into the CPU registers
+is skipped if that task's state is already present in the registers
+of that CPU.
+
+However, the code relies on the struct fpsimd_state * (and by
+extension struct task_struct *) to unambiguously identify a task.
+
+There is a particular case in which this doesn't work reliably:
+when a task exits, its task_struct may be recycled to describe a
+new task.
+
+Consider the following scenario:
+
+ 1) Task P loads its fpsimd state onto cpu C.
+ per_cpu(fpsimd_last_state, C) := P;
+ P->thread.fpsimd_state.cpu := C;
+
+ 2) Task X is scheduled onto C and loads its fpsimd state on C.
+ per_cpu(fpsimd_last_state, C) := X;
+ X->thread.fpsimd_state.cpu := C;
+
+ 3) X exits, causing X's task_struct to be freed.
+
+ 4) P forks a new child T, which obtains X's recycled task_struct.
+ T == X.
+ T->thread.fpsimd_state.cpu == C (inherited from P).
+
+ 5) T is scheduled on C.
+ T's fpsimd state is not loaded, because
+ per_cpu(fpsimd_last_state, C) == T (== X) &&
+ T->thread.fpsimd_state.cpu == C.
+
+ (This is the check performed by fpsimd_thread_switch().)
+
+So, T gets X's registers because the last registers loaded onto C
+were those of X, in (2).
+
+This patch fixes the problem by ensuring that the sched-in check
+fails in (5): fpsimd_flush_task_state(T) is called when T is
+forked, so that T->thread.fpsimd_state.cpu == C cannot be true.
+This relies on the fact that T is not schedulable until after
+copy_thread() completes.
+
+Once T's fpsimd state has been loaded on some CPU C there may still
+be other cpus D for which per_cpu(fpsimd_last_state, D) ==
+&X->thread.fpsimd_state. But D is necessarily != C in this case,
+and the check in (5) must fail.
+
+An alternative fix would be to do refcounting on task_struct. This
+would result in each CPU holding a reference to the last task whose
+fpsimd state was loaded there. It's not clear whether this is
+preferable, and it involves higher overhead than the fix proposed
+in this patch. It would also move all the task_struct freeing
+work into the context switch critical section, or otherwise some
+deferred cleanup mechanism would need to be introduced, neither of
+which seems obviously justified.
+
+Fixes: 005f78cd8849 ("arm64: defer reloading a task's FPSIMD state to userland resume")
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+[will: word-smithed the comment so it makes more sense]
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/process.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/arm64/kernel/process.c
++++ b/arch/arm64/kernel/process.c
+@@ -255,6 +255,15 @@ int copy_thread(unsigned long clone_flag
+
+ memset(&p->thread.cpu_context, 0, sizeof(struct cpu_context));
+
++ /*
++ * In case p was allocated the same task_struct pointer as some
++ * other recently-exited task, make sure p is disassociated from
++ * any cpu that may have run that now-exited task recently.
++ * Otherwise we could erroneously skip reloading the FPSIMD
++ * registers for p.
++ */
++ fpsimd_flush_task_state(p);
++
+ if (likely(!(p->flags & PF_KTHREAD))) {
+ *childregs = *current_pt_regs();
+ childregs->regs[0] = 0;
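Review bot: The new comment explains the recycled-task_struct hazard but not the ordering the fix relies on: that p cannot be scheduled until copy_thread() returns, so the flush is guaranteed to precede the first sched-in check. I would append `This is safe here because p is not schedulable until copy_thread() returns.` as the last sentence of the comment block. copy_thread() starts and ends outside the hunk.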
--- /dev/null
+From 26aa7b3b1c0fb3f1a6176a0c1847204ef4355693 Mon Sep 17 00:00:00 2001
+From: Kristina Martsenko <kristina.martsenko@arm.com>
+Date: Thu, 16 Nov 2017 17:58:20 +0000
+Subject: arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
+
+From: Kristina Martsenko <kristina.martsenko@arm.com>
+
+commit 26aa7b3b1c0fb3f1a6176a0c1847204ef4355693 upstream.
+
+VTTBR_BADDR_MASK is used to sanity check the size and alignment of the
+VTTBR address. It seems to currently be off by one, thereby only
+allowing up to 47-bit addresses (instead of 48-bit) and also
+insufficiently checking the alignment. This patch fixes it.
+
+As an example, with 4k pages, before this patch we have:
+
+ PHYS_MASK_SHIFT = 48
+ VTTBR_X = 37 - 24 = 13
+ VTTBR_BADDR_SHIFT = 13 - 1 = 12
+ VTTBR_BADDR_MASK = ((1 << 35) - 1) << 12 = 0x00007ffffffff000
+
+Which is wrong, because the mask doesn't allow bit 47 of the VTTBR
+address to be set, and only requires the address to be 12-bit (4k)
+aligned, while it actually needs to be 13-bit (8k) aligned because we
+concatenate two 4k tables.
+
+With this patch, the mask becomes 0x0000ffffffffe000, which is what we
+want.
+
+Fixes: 0369f6a34b9f ("arm64: KVM: EL2 register definitions")
+Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/kvm_arm.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_arm.h
++++ b/arch/arm64/include/asm/kvm_arm.h
+@@ -170,8 +170,7 @@
+ #define VTCR_EL2_FLAGS (VTCR_EL2_COMMON_BITS | VTCR_EL2_TGRAN_FLAGS)
+ #define VTTBR_X (VTTBR_X_TGRAN_MAGIC - VTCR_EL2_T0SZ_IPA)
+
+-#define VTTBR_BADDR_SHIFT (VTTBR_X - 1)
+-#define VTTBR_BADDR_MASK (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT)
++#define VTTBR_BADDR_MASK (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_X)
+ #define VTTBR_VMID_SHIFT (UL(48))
+ #define VTTBR_VMID_MASK(size) (_AT(u64, (1 << size) - 1) << VTTBR_VMID_SHIFT)
+
--- /dev/null
+From 81a7be2cd69b412ab6aeacfe5ebf1bb6e5bce955 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 8 Dec 2017 15:13:27 +0000
+Subject: ASN.1: check for error from ASN1_OP_END__ACT actions
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 81a7be2cd69b412ab6aeacfe5ebf1bb6e5bce955 upstream.
+
+asn1_ber_decoder() was ignoring errors from actions associated with the
+opcodes ASN1_OP_END_SEQ_ACT, ASN1_OP_END_SET_ACT,
+ASN1_OP_END_SEQ_OF_ACT, and ASN1_OP_END_SET_OF_ACT. In practice, this
+meant the pkcs7_note_signed_info() action (since that was the only user
+of those opcodes). Fix it by checking for the error, just like the
+decoder does for actions associated with the other opcodes.
+
+This bug allowed users to leak slab memory by repeatedly trying to add a
+specially crafted "pkcs7_test" key (requires CONFIG_PKCS7_TEST_KEY).
+
+In theory, this bug could also be used to bypass module signature
+verification, by providing a PKCS#7 message that is misparsed such that
+a signature's ->authattrs do not contain its ->msgdigest. But it
+doesn't seem practical in normal cases, due to restrictions on the
+format of the ->authattrs.
+
+Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/asn1_decoder.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/lib/asn1_decoder.c
++++ b/lib/asn1_decoder.c
+@@ -439,6 +439,8 @@ next_op:
+ else
+ act = machine[pc + 1];
+ ret = actions[act](context, hdr, 0, data + tdp, len);
++ if (ret < 0)
++ return ret;
+ }
+ pc += asn1_op_lengths[op];
+ goto next_op;
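Review bot: The added `if (ret < 0) return ret;` propagates the action's error with no explanation of why continuing was harmful, and a reader comparing it with the `goto error` paths in the same function (which appear to set errmsg) may wonder why this site returns directly. A comment would settle it: `/* an action failure aborts the decode, as at every other *_ACT site; continuing left decoder state half-built */`. The enclosing switch case starts outside the hunk.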
--- /dev/null
+From e0058f3a874ebb48b25be7ff79bc3b4e59929f90 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 8 Dec 2017 15:13:27 +0000
+Subject: ASN.1: fix out-of-bounds read when parsing indefinite length item
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit e0058f3a874ebb48b25be7ff79bc3b4e59929f90 upstream.
+
+In asn1_ber_decoder(), indefinitely-sized ASN.1 items were being passed
+to the action functions before their lengths had been computed, using
+the bogus length of 0x80 (ASN1_INDEFINITE_LENGTH). This resulted in
+reading data past the end of the input buffer, when given a specially
+crafted message.
+
+Fix it by rearranging the code so that the indefinite length is resolved
+before the action is called.
+
+This bug was originally found by fuzzing the X.509 parser in userspace
+using libFuzzer from the LLVM project.
+
+KASAN report (cleaned up slightly):
+
+ BUG: KASAN: slab-out-of-bounds in memcpy ./include/linux/string.h:341 [inline]
+ BUG: KASAN: slab-out-of-bounds in x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
+ Read of size 128 at addr ffff880035dd9eaf by task keyctl/195
+
+ CPU: 1 PID: 195 Comm: keyctl Not tainted 4.14.0-09238-g1d3b78bbc6e9 #26
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
+ Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0xd1/0x175 lib/dump_stack.c:53
+ print_address_description+0x78/0x260 mm/kasan/report.c:252
+ kasan_report_error mm/kasan/report.c:351 [inline]
+ kasan_report+0x23f/0x350 mm/kasan/report.c:409
+ memcpy+0x1f/0x50 mm/kasan/kasan.c:302
+ memcpy ./include/linux/string.h:341 [inline]
+ x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
+ asn1_ber_decoder+0xb4a/0x1fd0 lib/asn1_decoder.c:447
+ x509_cert_parse+0x1c7/0x620 crypto/asymmetric_keys/x509_cert_parser.c:89
+ x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
+ asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
+ key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
+ SYSC_add_key security/keys/keyctl.c:122 [inline]
+ SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
+ entry_SYSCALL_64_fastpath+0x1f/0x96
+
+ Allocated by task 195:
+ __do_kmalloc_node mm/slab.c:3675 [inline]
+ __kmalloc_node+0x47/0x60 mm/slab.c:3682
+ kvmalloc ./include/linux/mm.h:540 [inline]
+ SYSC_add_key security/keys/keyctl.c:104 [inline]
+ SyS_add_key+0x19e/0x290 security/keys/keyctl.c:62
+ entry_SYSCALL_64_fastpath+0x1f/0x96
+
+Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
+Reported-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/asn1_decoder.c | 47 ++++++++++++++++++++++++++---------------------
+ 1 file changed, 26 insertions(+), 21 deletions(-)
+
+--- a/lib/asn1_decoder.c
++++ b/lib/asn1_decoder.c
+@@ -313,42 +313,47 @@ next_op:
+
+ /* Decide how to handle the operation */
+ switch (op) {
+- case ASN1_OP_MATCH_ANY_ACT:
+- case ASN1_OP_MATCH_ANY_ACT_OR_SKIP:
+- case ASN1_OP_COND_MATCH_ANY_ACT:
+- case ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP:
+- ret = actions[machine[pc + 1]](context, hdr, tag, data + dp, len);
+- if (ret < 0)
+- return ret;
+- goto skip_data;
+-
+- case ASN1_OP_MATCH_ACT:
+- case ASN1_OP_MATCH_ACT_OR_SKIP:
+- case ASN1_OP_COND_MATCH_ACT_OR_SKIP:
+- ret = actions[machine[pc + 2]](context, hdr, tag, data + dp, len);
+- if (ret < 0)
+- return ret;
+- goto skip_data;
+-
+ case ASN1_OP_MATCH:
+ case ASN1_OP_MATCH_OR_SKIP:
++ case ASN1_OP_MATCH_ACT:
++ case ASN1_OP_MATCH_ACT_OR_SKIP:
+ case ASN1_OP_MATCH_ANY:
+ case ASN1_OP_MATCH_ANY_OR_SKIP:
++ case ASN1_OP_MATCH_ANY_ACT:
++ case ASN1_OP_MATCH_ANY_ACT_OR_SKIP:
+ case ASN1_OP_COND_MATCH_OR_SKIP:
++ case ASN1_OP_COND_MATCH_ACT_OR_SKIP:
+ case ASN1_OP_COND_MATCH_ANY:
+ case ASN1_OP_COND_MATCH_ANY_OR_SKIP:
+- skip_data:
++ case ASN1_OP_COND_MATCH_ANY_ACT:
++ case ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP:
++
+ if (!(flags & FLAG_CONS)) {
+ if (flags & FLAG_INDEFINITE_LENGTH) {
++ size_t tmp = dp;
++
+ ret = asn1_find_indefinite_length(
+- data, datalen, &dp, &len, &errmsg);
++ data, datalen, &tmp, &len, &errmsg);
+ if (ret < 0)
+ goto error;
+- } else {
+- dp += len;
+ }
+ pr_debug("- LEAF: %zu\n", len);
+ }
++
++ if (op & ASN1_OP_MATCH__ACT) {
++ unsigned char act;
++
++ if (op & ASN1_OP_MATCH__ANY)
++ act = machine[pc + 1];
++ else
++ act = machine[pc + 2];
++ ret = actions[act](context, hdr, tag, data + dp, len);
++ if (ret < 0)
++ return ret;
++ }
++
++ if (!(flags & FLAG_CONS))
++ dp += len;
+ pc += asn1_op_lengths[op];
+ goto next_op;
+
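Review bot: The `len` handed to the action at `ret = actions[act](context, hdr, tag, data + dp, len);` is now whatever asn1_find_indefinite_length() stored, and the hunk does not show whether that count covers the content octets only or also the end-of-contents marker; if it includes the marker, actions see two trailing zero bytes as payload, and the `dp += len` at the bottom of the hunk silently depends on the same convention. Please confirm against asn1_find_indefinite_length() and record the answer at the `size_t tmp = dp;` line, e.g. `/* tmp is a scratch cursor; len becomes the item length as computed by asn1_find_indefinite_length(), and dp is advanced by it below */`. The switch statement continues past the hunk.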
--- /dev/null
+From 5c3de777bdaf48bd0cfb43097c0d0fb85056cab7 Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Sat, 25 Nov 2017 21:39:25 +0100
+Subject: brcmfmac: change driver unbind order of the sdio function devices
+
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+
+commit 5c3de777bdaf48bd0cfb43097c0d0fb85056cab7 upstream.
+
+In the function brcmf_sdio_firmware_callback() the driver is
+unbound from the sdio function devices in the error path.
+However, the order in which it is done resulted in a use-after-free
+issue (see brcmf_ops_sdio_remove() in bcmsdh.c). Hence change
+the order and first unbind sdio function #2 device and then
+unbind sdio function #1 device.
+
+Fixes: 7a51461fc2da ("brcmfmac: unbind all devices upon failure in firmware callback")
+Reported-by: Stefan Wahren <stefan.wahren@i2se.com>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -4080,8 +4080,8 @@ release:
+ sdio_release_host(sdiodev->func[1]);
+ fail:
+ brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), err);
+- device_release_driver(dev);
+ device_release_driver(&sdiodev->func[2]->dev);
++ device_release_driver(dev);
+ }
+
+ struct brcmf_sdio *brcmf_sdio_probe(struct brcmf_sdio_dev *sdiodev)
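Review bot: The swapped order is correct only because of a dependency that is not stated at the call site, so a future tidy-up could put it back. I would add `/* Unbind function #2 first: unbinding function #1 (dev) tears down sdiodev, see brcmf_ops_sdio_remove() */` above the first device_release_driver(). The sdiodev detail is inferred from the commit message's reference to bcmsdh.c; verify the wording against that function. The enclosing brcmf_sdio_firmware_callback() starts outside the hunk.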
--- /dev/null
+From e19182c0fff451e3744c1107d98f072e7ca377a0 Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Mon, 4 Dec 2017 13:11:45 -0500
+Subject: btrfs: fix missing error return in btrfs_drop_snapshot
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit e19182c0fff451e3744c1107d98f072e7ca377a0 upstream.
+
+If btrfs_del_root fails in btrfs_drop_snapshot, we'll pick up the
+error but then return 0 anyway due to mixing err and ret.
+
+Fixes: 79787eaab4612 ("btrfs: replace many BUG_ONs with proper error handling")
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/extent-tree.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -9362,6 +9362,7 @@ int btrfs_drop_snapshot(struct btrfs_roo
+ ret = btrfs_del_root(trans, tree_root, &root->root_key);
+ if (ret) {
+ btrfs_abort_transaction(trans, ret);
++ err = ret;
+ goto out_end_trans;
+ }
+
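Review bot: `err = ret;` fixes this one path, but the function mixes `err` and `ret`, so the sibling error paths of btrfs_drop_snapshot() (outside the hunk) deserve the same audit: any `if (ret) { ...; goto out_end_trans; }` that does not also assign `err` still returns success. Given the two-variable convention, a one-line comment at the `goto out_end_trans` such as `/* out_end_trans returns err, not ret */` would make the contract explicit.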
--- /dev/null
+From 4608af8aa53e7f3922ddee695d023b7bcd5cb35b Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Tue, 3 Oct 2017 18:14:13 +0100
+Subject: bus: arm-cci: Fix use of smp_processor_id() in preemptible context
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 4608af8aa53e7f3922ddee695d023b7bcd5cb35b upstream.
+
+The ARM CCI driver seem to be using smp_processor_id() in a
+preemptible context, which is likely to make a DEBUG_PREEMPT
+kernel scream at boot time.
+
+Turn this into a get_cpu()/put_cpu() that extends over the CPU
+hotplug registration, making sure that we don't race against
+a CPU down operation.
+
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Pawel Moll <pawel.moll@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/arm-cci.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/bus/arm-cci.c
++++ b/drivers/bus/arm-cci.c
+@@ -1755,14 +1755,17 @@ static int cci_pmu_probe(struct platform
+ raw_spin_lock_init(&cci_pmu->hw_events.pmu_lock);
+ mutex_init(&cci_pmu->reserve_mutex);
+ atomic_set(&cci_pmu->active_events, 0);
+- cpumask_set_cpu(smp_processor_id(), &cci_pmu->cpus);
++ cpumask_set_cpu(get_cpu(), &cci_pmu->cpus);
+
+ ret = cci_pmu_init(cci_pmu, pdev);
+- if (ret)
++ if (ret) {
++ put_cpu();
+ return ret;
++ }
+
+ cpuhp_state_add_instance_nocalls(CPUHP_AP_PERF_ARM_CCI_ONLINE,
+ &cci_pmu->node);
++ put_cpu();
+ pr_info("ARM %s PMU driver probed", cci_pmu->model->name);
+ return 0;
+ }
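Review bot: get_cpu() at `cpumask_set_cpu(get_cpu(), &cci_pmu->cpus);` disables preemption across cci_pmu_init(), whose body lies outside the hunk; if that function can sleep (perf_pmu_register() takes a mutex and allocates with GFP_KERNEL), the change trades a DEBUG_PREEMPT splat for a sleeping-in-atomic one. What the code actually needs is for the chosen CPU to stay online until the hotplug instance is registered, which cpus_read_lock() provides without disabling preemption, as sketched below; raw_smp_processor_id() is acceptable there because migrating is harmless as long as the CPU stays online. The return value of cpuhp_state_add_instance_nocalls() is still ignored; if it can fail, the PMU stays registered without a hotplug instance. I have not verified that cpuhp_state_add_instance_nocalls_cpuslocked() is available in this stable branch.
```c
	/* Keep the chosen CPU online until its hotplug instance is registered;
	 * cci_pmu_init() may sleep, so do not disable preemption here. */
	cpus_read_lock();
	cpumask_set_cpu(raw_smp_processor_id(), &cci_pmu->cpus);

	ret = cci_pmu_init(cci_pmu, pdev);
	if (ret) {
		cpus_read_unlock();
		return ret;
	}

	cpuhp_state_add_instance_nocalls_cpuslocked(CPUHP_AP_PERF_ARM_CCI_ONLINE,
						    &cci_pmu->node);
	cpus_read_unlock();
	/* … unchanged: pr_info() and return 0 … */
```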
--- /dev/null
+From 24771179c5c138f0ea3ef88b7972979f62f2d5db Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 27 Aug 2017 11:06:50 +0100
+Subject: bus: arm-ccn: Check memory allocation failure
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 24771179c5c138f0ea3ef88b7972979f62f2d5db upstream.
+
+Check memory allocation failures and return -ENOMEM in such cases
+
+This avoids a potential NULL pointer dereference.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Scott Branden <scott.branden@broadcom.com>
+Signed-off-by: Pawel Moll <pawel.moll@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/arm-ccn.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -1271,6 +1271,10 @@ static int arm_ccn_pmu_init(struct arm_c
+ int len = snprintf(NULL, 0, "ccn_%d", ccn->dt.id);
+
+ name = devm_kzalloc(ccn->dev, len + 1, GFP_KERNEL);
++ if (!name) {
++ err = -ENOMEM;
++ goto error_choose_name;
++ }
+ snprintf(name, len + 1, "ccn_%d", ccn->dt.id);
+ }
+
+@@ -1318,6 +1322,7 @@ static int arm_ccn_pmu_init(struct arm_c
+
+ error_pmu_register:
+ error_set_affinity:
++error_choose_name:
+ ida_simple_remove(&arm_ccn_pmu_ida, ccn->dt.id);
+ for (i = 0; i < ccn->num_xps; i++)
+ writel(0, ccn->xp[i].base + CCN_XP_DT_CONTROL);
--- /dev/null
+From b69f63ebf553504739cc8534cbed31bd530c6f0b Mon Sep 17 00:00:00 2001
+From: Kim Phillips <kim.phillips@arm.com>
+Date: Wed, 11 Oct 2017 22:33:24 +0100
+Subject: bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left.
+
+From: Kim Phillips <kim.phillips@arm.com>
+
+commit b69f63ebf553504739cc8534cbed31bd530c6f0b upstream.
+
+Unregistering the driver before calling cpuhp_remove_multi_state() removes
+any remaining hotplug cpu instances so __cpuhp_remove_state_cpuslocked()
+doesn't emit this warning:
+
+[ 268.748362] Error: Removing state 147 which has instances left.
+[ 268.748373] ------------[ cut here ]------------
+[ 268.748386] WARNING: CPU: 2 PID: 5476 at kernel/cpu.c:1734 __cpuhp_remove_state_cpuslocked+0x454/0x4f0
+[ 268.748389] Modules linked in: arm_ccn(-) [last unloaded: arm_ccn]
+[ 268.748403] CPU: 2 PID: 5476 Comm: rmmod Tainted: G W 4.14.0-rc4+ #3
+[ 268.748406] Hardware name: AMD Seattle/Seattle, BIOS 10:18:39 Dec 8 2016
+[ 268.748410] task: ffff8001a18ca000 task.stack: ffff80019c120000
+[ 268.748416] PC is at __cpuhp_remove_state_cpuslocked+0x454/0x4f0
+[ 268.748421] LR is at __cpuhp_remove_state_cpuslocked+0x448/0x4f0
+[ 268.748425] pc : [<ffff2000081729ec>] lr : [<ffff2000081729e0>] pstate: 60000145
+[ 268.748427] sp : ffff80019c127d30
+[ 268.748430] x29: ffff80019c127d30 x28: ffff8001a18ca000
+[ 268.748437] x27: ffff20000c2cb000 x26: 1fffe4000042d490
+[ 268.748443] x25: ffff20000216a480 x24: 0000000000000000
+[ 268.748449] x23: ffff20000b08e000 x22: 0000000000000001
+[ 268.748455] x21: 0000000000000093 x20: 00000000000016f8
+[ 268.748460] x19: ffff20000c2cbb80 x18: 0000ffffb5fe7c58
+[ 268.748466] x17: 00000000004402d0 x16: 1fffe40001864f01
+[ 268.748472] x15: ffff20000c4bf8b0 x14: 0000000000000000
+[ 268.748477] x13: 0000000000007032 x12: ffff20000829ae48
+[ 268.748483] x11: ffff20000c4bf000 x10: 0000000000000004
+[ 268.748488] x9 : 0000000000006fbc x8 : ffff20000c318a40
+[ 268.748494] x7 : 0000000000000000 x6 : ffff040001864f02
+[ 268.748500] x5 : 0000000000000000 x4 : 0000000000000000
+[ 268.748505] x3 : 0000000000000007 x2 : dfff200000000000
+[ 268.748510] x1 : 000000000000ad3d x0 : 00000000000001f0
+[ 268.748516] Call trace:
+[ 268.748521] Exception stack(0xffff80019c127bf0 to 0xffff80019c127d30)
+[ 268.748526] 7be0: 00000000000001f0 000000000000ad3d
+[ 268.748531] 7c00: dfff200000000000 0000000000000007 0000000000000000 0000000000000000
+[ 268.748535] 7c20: ffff040001864f02 0000000000000000 ffff20000c318a40 0000000000006fbc
+[ 268.748539] 7c40: 0000000000000004 ffff20000c4bf000 ffff20000829ae48 0000000000007032
+[ 268.748544] 7c60: 0000000000000000 ffff20000c4bf8b0 1fffe40001864f01 00000000004402d0
+[ 268.748548] 7c80: 0000ffffb5fe7c58 ffff20000c2cbb80 00000000000016f8 0000000000000093
+[ 268.748553] 7ca0: 0000000000000001 ffff20000b08e000 0000000000000000 ffff20000216a480
+[ 268.748557] 7cc0: 1fffe4000042d490 ffff20000c2cb000 ffff8001a18ca000 ffff80019c127d30
+[ 268.748562] 7ce0: ffff2000081729e0 ffff80019c127d30 ffff2000081729ec 0000000060000145
+[ 268.748566] 7d00: 00000000000001f0 0000000000000000 0001000000000000 0000000000000000
+[ 268.748569] 7d20: ffff80019c127d30 ffff2000081729ec
+[ 268.748575] [<ffff2000081729ec>] __cpuhp_remove_state_cpuslocked+0x454/0x4f0
+[ 268.748580] [<ffff200008172adc>] __cpuhp_remove_state+0x54/0x80
+[ 268.748597] [<ffff20000215dd84>] arm_ccn_exit+0x2c/0x70 [arm_ccn]
+[ 268.748604] [<ffff20000834cfbc>] SyS_delete_module+0x5a4/0x708
+[ 268.748607] Exception stack(0xffff80019c127ec0 to 0xffff80019c128000)
+[ 268.748612] 7ec0: 0000000019bb7258 0000000000000800 ba64d0fb3d26a800 00000000000000da
+[ 268.748616] 7ee0: 0000ffffb6144e28 0000ffffcd95b409 fefefefefefefeff 7f7f7f7f7f7f7f7f
+[ 268.748621] 7f00: 000000000000006a 1999999999999999 0000ffffb6179000 0000000000bbcc6d
+[ 268.748625] 7f20: 0000ffffb6176b98 0000ffffcd95c2d0 0000ffffb5fe7b58 0000ffffb6163000
+[ 268.748630] 7f40: 0000ffffb60ad3e0 00000000004402d0 0000ffffb5fe7c58 0000000019bb71f0
+[ 268.748634] 7f60: 0000ffffcd95c740 0000000000000000 0000000019bb71f0 0000000000416700
+[ 268.748639] 7f80: 0000000000000000 00000000004402e8 0000000019bb6010 0000ffffcd95c748
+[ 268.748643] 7fa0: 0000000000000000 0000ffffcd95c460 00000000004113a8 0000ffffcd95c460
+[ 268.748648] 7fc0: 0000ffffb60ad3e8 0000000080000000 0000000019bb7258 000000000000006a
+[ 268.748652] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+[ 268.748657] [<ffff200008084f9c>] __sys_trace_return+0x0/0x4
+[ 268.748661] ---[ end trace a996d358dcaa7f9c ]---
+
+Fixes: 8df038725ad5 ("bus/arm-ccn: Use cpu-hp's multi instance support instead custom list")
+Signed-off-by: Kim Phillips <kim.phillips@arm.com>
+Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Pawel Moll <pawel.moll@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/arm-ccn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -1585,8 +1585,8 @@ static int __init arm_ccn_init(void)
+
+ static void __exit arm_ccn_exit(void)
+ {
+- cpuhp_remove_multi_state(CPUHP_AP_PERF_ARM_CCN_ONLINE);
+ platform_driver_unregister(&arm_ccn_driver);
++ cpuhp_remove_multi_state(CPUHP_AP_PERF_ARM_CCN_ONLINE);
+ }
+
+ module_init(arm_ccn_init);
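Review bot: The new order in arm_ccn_exit() is correct but unexplained, and it is exactly the kind of ordering a later cleanup is likely to "tidy" back into the failing form. A one-line comment above the `platform_driver_unregister()` call at L845 would pin it: `/* Unregister the driver first: device removal drops the per-device cpuhp instances, which must be gone before the multi state itself is removed. */`. That the instances have to be gone first is inferred from the splat quoted in the description (the warning fires inside __cpuhp_remove_state_cpuslocked), not from anything the hunk shows, so adjust the wording if the real dependency differs.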
--- /dev/null
+From b18c2b9487d8e797fc0a757e57ac3645348c5fba Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Tue, 3 Oct 2017 18:14:12 +0100
+Subject: bus: arm-ccn: Fix use of smp_processor_id() in preemptible context
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit b18c2b9487d8e797fc0a757e57ac3645348c5fba upstream.
+
+Booting a DEBUG_PREEMPT enabled kernel on a CCN-based system
+results in the following splat:
+
+[...]
+arm-ccn e8000000.ccn: No access to interrupts, using timer.
+BUG: using smp_processor_id() in preemptible [00000000] code: swapper/0/1
+caller is debug_smp_processor_id+0x1c/0x28
+CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.13.0 #6111
+Hardware name: AMD Seattle/Seattle, BIOS 17:08:23 Jun 26 2017
+Call trace:
+[<ffff000008089e78>] dump_backtrace+0x0/0x278
+[<ffff00000808a22c>] show_stack+0x24/0x30
+[<ffff000008bc3bc4>] dump_stack+0x8c/0xb0
+[<ffff00000852b534>] check_preemption_disabled+0xfc/0x100
+[<ffff00000852b554>] debug_smp_processor_id+0x1c/0x28
+[<ffff000008551bd8>] arm_ccn_probe+0x358/0x4f0
+[...]
+
+as we use smp_processor_id() in the wrong context.
+
+Turn this into a get_cpu()/put_cpu() that extends over the CPU hotplug
+registration, making sure that we don't race against a CPU down operation.
+
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Pawel Moll <pawel.moll@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/arm-ccn.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -1301,7 +1301,7 @@ static int arm_ccn_pmu_init(struct arm_c
+ }
+
+ /* Pick one CPU which we will use to collect data from CCN... */
+- cpumask_set_cpu(smp_processor_id(), &ccn->dt.cpu);
++ cpumask_set_cpu(get_cpu(), &ccn->dt.cpu);
+
+ /* Also make sure that the overflow interrupt is handled by this CPU */
+ if (ccn->irq) {
+@@ -1318,10 +1318,12 @@ static int arm_ccn_pmu_init(struct arm_c
+
+ cpuhp_state_add_instance_nocalls(CPUHP_AP_PERF_ARM_CCN_ONLINE,
+ &ccn->dt.node);
++ put_cpu();
+ return 0;
+
+ error_pmu_register:
+ error_set_affinity:
++ put_cpu();
+ error_choose_name:
+ ida_simple_remove(&arm_ccn_pmu_ida, ccn->dt.id);
+ for (i = 0; i < ccn->num_xps; i++)
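Review bot: get_cpu() at L899 disables preemption until the put_cpu() at L907 or L912, so everything on that path — the code elided between the two hunks as well as cpuhp_state_add_instance_nocalls() at L905 — now runs with preemption off. As far as I recall cpuhp_state_add_instance_nocalls() takes the CPU hotplug read lock, which may sleep, and the error_pmu_register/error_set_affinity labels suggest a PMU registration and an IRQ affinity call also sit inside the window; if any of these can sleep, this trades the DEBUG_PREEMPT splat for a might_sleep() one and deserves a run with CONFIG_DEBUG_ATOMIC_SLEEP. At minimum the invariant should be stated at L899: `/* Keep preemption disabled until the hotplug instance is registered so the chosen CPU cannot go offline in between. */`. arm_ccn_pmu_init() starts and ends outside both hunks.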
--- /dev/null
+From 120a264f9c2782682027d931d83dcbd22e01da80 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Wed, 22 Nov 2017 14:14:47 +0100
+Subject: drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit 120a264f9c2782682027d931d83dcbd22e01da80 upstream.
+
+When no IOMMU is available, all GEM buffers allocated by Exynos DRM driver
+are contiguous, because of the underlying dma_alloc_attrs() function
+provides only such buffers. In such case it makes no sense to keep
+BO_NONCONTIG flag for the allocated GEM buffers. This allows to avoid
+failures for buffer contiguity checks in the subsequent operations on GEM
+objects.
+
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/exynos/exynos_drm_gem.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/gpu/drm/exynos/exynos_drm_gem.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_gem.c
+@@ -246,6 +246,15 @@ struct exynos_drm_gem *exynos_drm_gem_cr
+ if (IS_ERR(exynos_gem))
+ return exynos_gem;
+
++ if (!is_drm_iommu_supported(dev) && (flags & EXYNOS_BO_NONCONTIG)) {
++ /*
++ * when no IOMMU is available, all allocated buffers are
++ * contiguous anyway, so drop EXYNOS_BO_NONCONTIG flag
++ */
++ flags &= ~EXYNOS_BO_NONCONTIG;
++ DRM_WARN("Non-contiguous allocation is not supported without IOMMU, falling back to contiguous buffer\n");
++ }
++
+ /* set memory type and cache attribute from user side. */
+ exynos_gem->flags = flags;
+
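Review bot: DRM_WARN() at L953 fires on every allocation that carries EXYNOS_BO_NONCONTIG, and `flags` comes from the user side (the context comment at L956 says as much), so on an IOMMU-less board an unprivileged process can fill the kernel log at will simply by requesting such buffers in a loop, and a well-behaved client that always sets the flag will log once per buffer. A once-only or rate-limited message carries the same information: `DRM_WARN_ONCE("Non-contiguous allocation is not supported without IOMMU, falling back to contiguous buffer\n");`. The silent downgrade of the flag itself is fine and is already explained by the block comment. exynos_drm_gem_create() begins before and ends after this hunk.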
--- /dev/null
+From 89c5a2d34bda58319e3075e8e7dd727ea25a435c Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Wed, 6 Dec 2017 09:50:09 +0000
+Subject: efi/esrt: Use memunmap() instead of kfree() to free the remapping
+
+From: Pan Bian <bianpan2016@163.com>
+
+commit 89c5a2d34bda58319e3075e8e7dd727ea25a435c upstream.
+
+The remapping result of memremap() should be freed with memunmap(), not kfree().
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20171206095010.24170-3-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/efi/esrt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/efi/esrt.c
++++ b/drivers/firmware/efi/esrt.c
+@@ -428,7 +428,7 @@ err_remove_group:
+ err_remove_esrt:
+ kobject_put(esrt_kobj);
+ err:
+- kfree(esrt);
++ memunmap(esrt);
+ esrt = NULL;
+ return error;
+ }
--- /dev/null
+From af97a77bc01ce49a466f9d4c0125479e2e2230b6 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 6 Dec 2017 09:50:08 +0000
+Subject: efi: Move some sysfs files to be read-only by root
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit af97a77bc01ce49a466f9d4c0125479e2e2230b6 upstream.
+
+Thanks to the scripts/leaking_addresses.pl script, it was found that
+some EFI values should not be readable by non-root users.
+
+So make them root-only, and to do that, add a __ATTR_RO_MODE() macro to
+make this easier, and use it in other places at the same time.
+
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Tested-by: Dave Young <dyoung@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20171206095010.24170-2-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/efi/efi.c | 3 +--
+ drivers/firmware/efi/esrt.c | 15 ++++++---------
+ drivers/firmware/efi/runtime-map.c | 10 +++++-----
+ include/linux/sysfs.h | 6 ++++++
+ 4 files changed, 18 insertions(+), 16 deletions(-)
+
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -120,8 +120,7 @@ static ssize_t systab_show(struct kobjec
+ return str - buf;
+ }
+
+-static struct kobj_attribute efi_attr_systab =
+- __ATTR(systab, 0400, systab_show, NULL);
++static struct kobj_attribute efi_attr_systab = __ATTR_RO_MODE(systab, 0400);
+
+ #define EFI_FIELD(var) efi.var
+
+--- a/drivers/firmware/efi/esrt.c
++++ b/drivers/firmware/efi/esrt.c
+@@ -106,7 +106,7 @@ static const struct sysfs_ops esre_attr_
+ };
+
+ /* Generic ESRT Entry ("ESRE") support. */
+-static ssize_t esre_fw_class_show(struct esre_entry *entry, char *buf)
++static ssize_t fw_class_show(struct esre_entry *entry, char *buf)
+ {
+ char *str = buf;
+
+@@ -117,18 +117,16 @@ static ssize_t esre_fw_class_show(struct
+ return str - buf;
+ }
+
+-static struct esre_attribute esre_fw_class = __ATTR(fw_class, 0400,
+- esre_fw_class_show, NULL);
++static struct esre_attribute esre_fw_class = __ATTR_RO_MODE(fw_class, 0400);
+
+ #define esre_attr_decl(name, size, fmt) \
+-static ssize_t esre_##name##_show(struct esre_entry *entry, char *buf) \
++static ssize_t name##_show(struct esre_entry *entry, char *buf) \
+ { \
+ return sprintf(buf, fmt "\n", \
+ le##size##_to_cpu(entry->esre.esre1->name)); \
+ } \
+ \
+-static struct esre_attribute esre_##name = __ATTR(name, 0400, \
+- esre_##name##_show, NULL)
++static struct esre_attribute esre_##name = __ATTR_RO_MODE(name, 0400)
+
+ esre_attr_decl(fw_type, 32, "%u");
+ esre_attr_decl(fw_version, 32, "%u");
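Review bot: Dropping the `esre_`/`esrt_` prefixes from the generated show functions (L1053 and L1067 here, L1084 in the next hunk) is forced by the `_name##_show` convention of `__ATTR_RO_MODE`, but it collapses two macro families with different signatures (`struct esre_entry *` versus `struct kobject *`) into one flat `<name>_show` namespace in a single file. The field names do not overlap today, yet a field that is later added to both tables would fail with an unhelpful redefinition error. A comment next to each macro stating that the show-function name is dictated by `__ATTR_RO_MODE` and must stay unique across both tables would make the constraint explicit; keeping the prefixes on the attribute variables themselves (L1063, L1075, L1092) is the right call.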
+@@ -193,14 +191,13 @@ static int esre_create_sysfs_entry(void
+
+ /* support for displaying ESRT fields at the top level */
+ #define esrt_attr_decl(name, size, fmt) \
+-static ssize_t esrt_##name##_show(struct kobject *kobj, \
++static ssize_t name##_show(struct kobject *kobj, \
+ struct kobj_attribute *attr, char *buf)\
+ { \
+ return sprintf(buf, fmt "\n", le##size##_to_cpu(esrt->name)); \
+ } \
+ \
+-static struct kobj_attribute esrt_##name = __ATTR(name, 0400, \
+- esrt_##name##_show, NULL)
++static struct kobj_attribute esrt_##name = __ATTR_RO_MODE(name, 0400)
+
+ esrt_attr_decl(fw_resource_count, 32, "%u");
+ esrt_attr_decl(fw_resource_count_max, 32, "%u");
+--- a/drivers/firmware/efi/runtime-map.c
++++ b/drivers/firmware/efi/runtime-map.c
+@@ -63,11 +63,11 @@ static ssize_t map_attr_show(struct kobj
+ return map_attr->show(entry, buf);
+ }
+
+-static struct map_attribute map_type_attr = __ATTR_RO(type);
+-static struct map_attribute map_phys_addr_attr = __ATTR_RO(phys_addr);
+-static struct map_attribute map_virt_addr_attr = __ATTR_RO(virt_addr);
+-static struct map_attribute map_num_pages_attr = __ATTR_RO(num_pages);
+-static struct map_attribute map_attribute_attr = __ATTR_RO(attribute);
++static struct map_attribute map_type_attr = __ATTR_RO_MODE(type, 0400);
++static struct map_attribute map_phys_addr_attr = __ATTR_RO_MODE(phys_addr, 0400);
++static struct map_attribute map_virt_addr_attr = __ATTR_RO_MODE(virt_addr, 0400);
++static struct map_attribute map_num_pages_attr = __ATTR_RO_MODE(num_pages, 0400);
++static struct map_attribute map_attribute_attr = __ATTR_RO_MODE(attribute, 0400);
+
+ /*
+ * These are default attributes that are added for every memmap entry.
+--- a/include/linux/sysfs.h
++++ b/include/linux/sysfs.h
+@@ -116,6 +116,12 @@ struct attribute_group {
+ .show = _name##_show, \
+ }
+
++#define __ATTR_RO_MODE(_name, _mode) { \
++ .attr = { .name = __stringify(_name), \
++ .mode = VERIFY_OCTAL_PERMISSIONS(_mode) }, \
++ .show = _name##_show, \
++}
++
+ #define __ATTR_WO(_name) { \
+ .attr = { .name = __stringify(_name), .mode = S_IWUSR }, \
+ .store = _name##_store, \
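Review bot: `__ATTR_RO_MODE` at L1121 is added without a comment, and nothing states how it differs from `__ATTR_RO` or what the second argument is expected to look like. A short comment above it would spare readers a trip to the call sites: `/* Like __ATTR_RO(), but with an explicit mode (e.g. 0400 for root-only); the mode is still sanity-checked by VERIFY_OCTAL_PERMISSIONS(). */`. Because `.store` is deliberately left unset, the mode must not carry any write bits, and VERIFY_OCTAL_PERMISSIONS may not reject that combination on its own, so the comment should say so.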
--- /dev/null
+From 297d6b6e56c2977fc504c61bbeeaa21296923f89 Mon Sep 17 00:00:00 2001
+From: Paul Meyer <Paul.Meyer@microsoft.com>
+Date: Tue, 14 Nov 2017 13:06:47 -0700
+Subject: hv: kvp: Avoid reading past allocated blocks from KVP file
+
+From: Paul Meyer <Paul.Meyer@microsoft.com>
+
+commit 297d6b6e56c2977fc504c61bbeeaa21296923f89 upstream.
+
+While reading in more than one block (50) of KVP records, the allocation
+goes per block, but the reads used the total number of allocated records
+(without resetting the pointer/stream). This causes the records buffer to
+overrun when the refresh reads more than one block over the previous
+capacity (e.g. reading more than 100 KVP records whereas the in-memory
+database was empty before).
+
+Fix this by reading the correct number of KVP records from file each time.
+
+Signed-off-by: Paul Meyer <Paul.Meyer@microsoft.com>
+Signed-off-by: Long Li <longli@microsoft.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/hv/hv_kvp_daemon.c | 70 +++++++++--------------------------------------
+ 1 file changed, 14 insertions(+), 56 deletions(-)
+
+--- a/tools/hv/hv_kvp_daemon.c
++++ b/tools/hv/hv_kvp_daemon.c
+@@ -193,11 +193,14 @@ static void kvp_update_mem_state(int poo
+ for (;;) {
+ readp = &record[records_read];
+ records_read += fread(readp, sizeof(struct kvp_record),
+- ENTRIES_PER_BLOCK * num_blocks,
+- filep);
++ ENTRIES_PER_BLOCK * num_blocks - records_read,
++ filep);
+
+ if (ferror(filep)) {
+- syslog(LOG_ERR, "Failed to read file, pool: %d", pool);
++ syslog(LOG_ERR,
++ "Failed to read file, pool: %d; error: %d %s",
++ pool, errno, strerror(errno));
++ kvp_release_lock(pool);
+ exit(EXIT_FAILURE);
+ }
+
+@@ -210,6 +213,7 @@ static void kvp_update_mem_state(int poo
+
+ if (record == NULL) {
+ syslog(LOG_ERR, "malloc failed");
++ kvp_release_lock(pool);
+ exit(EXIT_FAILURE);
+ }
+ continue;
+@@ -224,15 +228,11 @@ static void kvp_update_mem_state(int poo
+ fclose(filep);
+ kvp_release_lock(pool);
+ }
++
+ static int kvp_file_init(void)
+ {
+ int fd;
+- FILE *filep;
+- size_t records_read;
+ char *fname;
+- struct kvp_record *record;
+- struct kvp_record *readp;
+- int num_blocks;
+ int i;
+ int alloc_unit = sizeof(struct kvp_record) * ENTRIES_PER_BLOCK;
+
+@@ -246,61 +246,19 @@ static int kvp_file_init(void)
+
+ for (i = 0; i < KVP_POOL_COUNT; i++) {
+ fname = kvp_file_info[i].fname;
+- records_read = 0;
+- num_blocks = 1;
+ sprintf(fname, "%s/.kvp_pool_%d", KVP_CONFIG_LOC, i);
+ fd = open(fname, O_RDWR | O_CREAT | O_CLOEXEC, 0644 /* rw-r--r-- */);
+
+ if (fd == -1)
+ return 1;
+
+-
+- filep = fopen(fname, "re");
+- if (!filep) {
+- close(fd);
+- return 1;
+- }
+-
+- record = malloc(alloc_unit * num_blocks);
+- if (record == NULL) {
+- fclose(filep);
+- close(fd);
+- return 1;
+- }
+- for (;;) {
+- readp = &record[records_read];
+- records_read += fread(readp, sizeof(struct kvp_record),
+- ENTRIES_PER_BLOCK,
+- filep);
+-
+- if (ferror(filep)) {
+- syslog(LOG_ERR, "Failed to read file, pool: %d",
+- i);
+- exit(EXIT_FAILURE);
+- }
+-
+- if (!feof(filep)) {
+- /*
+- * We have more data to read.
+- */
+- num_blocks++;
+- record = realloc(record, alloc_unit *
+- num_blocks);
+- if (record == NULL) {
+- fclose(filep);
+- close(fd);
+- return 1;
+- }
+- continue;
+- }
+- break;
+- }
+ kvp_file_info[i].fd = fd;
+- kvp_file_info[i].num_blocks = num_blocks;
+- kvp_file_info[i].records = record;
+- kvp_file_info[i].num_records = records_read;
+- fclose(filep);
+-
++ kvp_file_info[i].num_blocks = 1;
++ kvp_file_info[i].records = malloc(alloc_unit);
++ if (kvp_file_info[i].records == NULL)
++ return 1;
++ kvp_file_info[i].num_records = 0;
++ kvp_update_mem_state(i);
+ }
+
+ return 0;
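Review bot: The new failure path at L1264-L1265 returns 1 with the pool's fd still open, whereas the code it replaces closed the fd before returning (L1249-L1250). `kvp_file_info[i].fd` has already been stored at L1256, so whether this is a real leak depends on the caller tearing the table down on failure, which the hunk does not show; if it does not, `close(fd);` before the `return 1` (or a shared cleanup label) restores the previous behaviour. Separately, `kvp_update_mem_state(i)` at L1267 calls exit(EXIT_FAILURE) on a read error (L1175), so kvp_file_init() now terminates the daemon where it used to return 1 — probably acceptable on a startup path, but it should be a deliberate choice and ideally noted. kvp_file_init() continues past the end of the hunk.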
--- /dev/null
+From 29a90b70893817e2f2bb3cea40a29f5308e21b21 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Thu, 28 Sep 2017 15:14:01 +0100
+Subject: iommu/vt-d: Fix scatterlist offset handling
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 29a90b70893817e2f2bb3cea40a29f5308e21b21 upstream.
+
+The intel-iommu DMA ops fail to correctly handle scatterlists where
+sg->offset is greater than PAGE_SIZE - the IOVA allocation is computed
+appropriately based on the page-aligned portion of the offset, but the
+mapping is set up relative to sg->page, which means it fails to actually
+cover the whole buffer (and in the worst case doesn't cover it at all):
+
+ (sg->dma_address + sg->dma_len) ----+
+ sg->dma_address ---------+ |
+ iov_pfn------+ | |
+ | | |
+ v v v
+iova: a b c d e f
+ |--------|--------|--------|--------|--------|
+ <...calculated....>
+ [_____mapped______]
+pfn: 0 1 2 3 4 5
+ |--------|--------|--------|--------|--------|
+ ^ ^ ^
+ | | |
+ sg->page ----+ | |
+ sg->offset --------------+ |
+ (sg->offset + sg->length) ----------+
+
+As a result, the caller ends up overrunning the mapping into whatever
+lies beyond, which usually goes badly:
+
+[ 429.645492] DMAR: DRHD: handling fault status reg 2
+[ 429.650847] DMAR: [DMA Write] Request device [02:00.4] fault addr f2682000 ...
+
+Whilst this is a fairly rare occurrence, it can happen from the result
+of intermediate scatterlist processing such as scatterwalk_ffwd() in the
+crypto layer. Whilst that particular site could be fixed up, it still
+seems worthwhile to bring intel-iommu in line with other DMA API
+implementations in handling this robustly.
+
+To that end, fix the intel_map_sg() path to line up the mapping
+correctly (in units of MM pages rather than VT-d pages to match the
+aligned_nrpages() calculation) regardless of the offset, and use
+sg_phys() consistently for clarity.
+
+Reported-by: Harsh Jain <Harsh@chelsio.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Reviewed by: Ashok Raj <ashok.raj@intel.com>
+Tested by: Jacob Pan <jacob.jun.pan@intel.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/intel-iommu.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -2245,10 +2245,12 @@ static int __domain_mapping(struct dmar_
+ uint64_t tmp;
+
+ if (!sg_res) {
++ unsigned int pgoff = sg->offset & ~PAGE_MASK;
++
+ sg_res = aligned_nrpages(sg->offset, sg->length);
+- sg->dma_address = ((dma_addr_t)iov_pfn << VTD_PAGE_SHIFT) + sg->offset;
++ sg->dma_address = ((dma_addr_t)iov_pfn << VTD_PAGE_SHIFT) + pgoff;
+ sg->dma_length = sg->length;
+- pteval = page_to_phys(sg_page(sg)) | prot;
++ pteval = (sg_phys(sg) - pgoff) | prot;
+ phys_pfn = pteval >> VTD_PAGE_SHIFT;
+ }
+
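Review bot: `pgoff` at L1338 is derived with the MM `PAGE_MASK` while `iov_pfn` is shifted by `VTD_PAGE_SHIFT` on L1342; the commit message explains this is intentional (to match aligned_nrpages()), but the code does not, and a reader meeting two page sizes within three lines will suspect a typo. A comment at L1338 would settle it: `/* Offset within the MM page: aligned_nrpages() sized the IOVA in MM pages, so map from the MM-page-aligned physical base (sg_phys(sg) - pgoff) and add only the sub-page part to dma_address. */`. This relies on PAGE_SIZE being a multiple of VTD_PAGE_SIZE, which holds on the platforms this driver runs on but is worth stating. __domain_mapping() begins and ends outside the hunk.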
+@@ -3894,7 +3896,7 @@ static int intel_nontranslate_map_sg(str
+
+ for_each_sg(sglist, sg, nelems, i) {
+ BUG_ON(!sg_page(sg));
+- sg->dma_address = page_to_phys(sg_page(sg)) + sg->offset;
++ sg->dma_address = sg_phys(sg);
+ sg->dma_length = sg->length;
+ }
+ return nelems;
--- /dev/null
+From 5a244727f428a06634f22bb890e78024ab0c89f3 Mon Sep 17 00:00:00 2001
+From: William Breathitt Gray <vilhelm.gray@gmail.com>
+Date: Wed, 8 Nov 2017 10:23:11 -0500
+Subject: isa: Prevent NULL dereference in isa_bus driver callbacks
+
+From: William Breathitt Gray <vilhelm.gray@gmail.com>
+
+commit 5a244727f428a06634f22bb890e78024ab0c89f3 upstream.
+
+The isa_driver structure for an isa_bus device is stored in the device
+platform_data member of the respective device structure. This
+platform_data member may be reset to NULL if isa_driver match callback
+for the device fails, indicating a device unsupported by the ISA driver.
+
+This patch fixes a possible NULL pointer dereference if one of the
+isa_driver callbacks is attempted for an unsupported device. This error
+should not occur in practice since ISA devices are typically manually
+configured and loaded by the users, but we may as well prevent this
+error from popping up for the 0day testers.
+
+Fixes: a5117ba7da37 ("[PATCH] Driver model: add ISA bus")
+Signed-off-by: William Breathitt Gray <vilhelm.gray@gmail.com>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/isa.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/base/isa.c
++++ b/drivers/base/isa.c
+@@ -39,7 +39,7 @@ static int isa_bus_probe(struct device *
+ {
+ struct isa_driver *isa_driver = dev->platform_data;
+
+- if (isa_driver->probe)
++ if (isa_driver && isa_driver->probe)
+ return isa_driver->probe(dev, to_isa_dev(dev)->id);
+
+ return 0;
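Review bot: The `isa_driver &&` guard is repeated identically in five callbacks (this hunk and the hunks ending at L1407, L1416, L1425 and L1434) with nothing in the code saying why platform_data can be NULL; that reasoning lives only in the commit message. A one-line comment in each, or a small static helper that fetches the driver and carries the comment once, would keep it next to the code: `/* platform_data is cleared when the driver's match callback rejects the device, so it may be NULL here */`. Note that a NULL driver now makes probe/remove/suspend/resume report success (return 0), which matches the pre-existing behaviour for a driver that lacks the callback, so the semantics are consistent.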
+@@ -49,7 +49,7 @@ static int isa_bus_remove(struct device
+ {
+ struct isa_driver *isa_driver = dev->platform_data;
+
+- if (isa_driver->remove)
++ if (isa_driver && isa_driver->remove)
+ return isa_driver->remove(dev, to_isa_dev(dev)->id);
+
+ return 0;
+@@ -59,7 +59,7 @@ static void isa_bus_shutdown(struct devi
+ {
+ struct isa_driver *isa_driver = dev->platform_data;
+
+- if (isa_driver->shutdown)
++ if (isa_driver && isa_driver->shutdown)
+ isa_driver->shutdown(dev, to_isa_dev(dev)->id);
+ }
+
+@@ -67,7 +67,7 @@ static int isa_bus_suspend(struct device
+ {
+ struct isa_driver *isa_driver = dev->platform_data;
+
+- if (isa_driver->suspend)
++ if (isa_driver && isa_driver->suspend)
+ return isa_driver->suspend(dev, to_isa_dev(dev)->id, state);
+
+ return 0;
+@@ -77,7 +77,7 @@ static int isa_bus_resume(struct device
+ {
+ struct isa_driver *isa_driver = dev->platform_data;
+
+- if (isa_driver->resume)
++ if (isa_driver && isa_driver->resume)
+ return isa_driver->resume(dev, to_isa_dev(dev)->id);
+
+ return 0;
--- /dev/null
+From c07d35338081d107e57cf37572d8cc931a8e32e2 Mon Sep 17 00:00:00 2001
+From: Daniel Thompson <daniel.thompson@linaro.org>
+Date: Mon, 2 Mar 2015 14:13:36 +0000
+Subject: kdb: Fix handling of kallsyms_symbol_next() return value
+
+From: Daniel Thompson <daniel.thompson@linaro.org>
+
+commit c07d35338081d107e57cf37572d8cc931a8e32e2 upstream.
+
+kallsyms_symbol_next() returns a boolean (true on success). Currently
+kdb_read() tests the return value with an inequality that
+unconditionally evaluates to true.
+
+This is fixed in the obvious way and, since the conditional branch is
+supposed to be unreachable, we also add a WARN_ON().
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/debug/kdb/kdb_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/debug/kdb/kdb_io.c
++++ b/kernel/debug/kdb/kdb_io.c
+@@ -349,7 +349,7 @@ poll_again:
+ }
+ kdb_printf("\n");
+ for (i = 0; i < count; i++) {
+- if (kallsyms_symbol_next(p_tmp, i) < 0)
++ if (WARN_ON(!kallsyms_symbol_next(p_tmp, i)))
+ break;
+ kdb_printf("%s ", p_tmp);
+ *(p_tmp + len) = '\0';
--- /dev/null
+From 4dca6ea1d9432052afb06baf2e3ae78188a4410b Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 8 Dec 2017 15:13:27 +0000
+Subject: KEYS: add missing permission check for request_key() destination
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 4dca6ea1d9432052afb06baf2e3ae78188a4410b upstream.
+
+When the request_key() syscall is not passed a destination keyring, it
+links the requested key (if constructed) into the "default" request-key
+keyring. This should require Write permission to the keyring. However,
+there is actually no permission check.
+
+This can be abused to add keys to any keyring to which only Search
+permission is granted. This is because Search permission allows joining
+the keyring. keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_SESSION_KEYRING)
+then will set the default request-key keyring to the session keyring.
+Then, request_key() can be used to add keys to the keyring.
+
+Both negatively and positively instantiated keys can be added using this
+method. Adding negative keys is trivial. Adding a positive key is a
+bit trickier. It requires that either /sbin/request-key positively
+instantiates the key, or that another thread adds the key to the process
+keyring at just the right time, such that request_key() misses it
+initially but then finds it in construct_alloc_key().
+
+Fix this bug by checking for Write permission to the keyring in
+construct_get_dest_keyring() when the default keyring is being used.
+
+We don't do the permission check for non-default keyrings because that
+was already done by the earlier call to lookup_user_key(). Also,
+request_key_and_link() is currently passed a 'struct key *' rather than
+a key_ref_t, so the "possessed" bit is unavailable.
+
+We also don't do the permission check for the "requestor keyring", to
+continue to support the use case described by commit 8bbf4976b59f
+("KEYS: Alter use of key instantiation link-to-keyring argument") where
+/sbin/request-key recursively calls request_key() to add keys to the
+original requestor's destination keyring. (I don't know of any users
+who actually do that, though...)
+
+Fixes: 3e30148c3d52 ("[PATCH] Keys: Make request-key create an authorisation key")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/request_key.c | 46 +++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 37 insertions(+), 9 deletions(-)
+
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -250,11 +250,12 @@ static int construct_key(struct key *key
+ * The keyring selected is returned with an extra reference upon it which the
+ * caller must release.
+ */
+-static void construct_get_dest_keyring(struct key **_dest_keyring)
++static int construct_get_dest_keyring(struct key **_dest_keyring)
+ {
+ struct request_key_auth *rka;
+ const struct cred *cred = current_cred();
+ struct key *dest_keyring = *_dest_keyring, *authkey;
++ int ret;
+
+ kenter("%p", dest_keyring);
+
+@@ -263,6 +264,8 @@ static void construct_get_dest_keyring(s
+ /* the caller supplied one */
+ key_get(dest_keyring);
+ } else {
++ bool do_perm_check = true;
++
+ /* use a default keyring; falling through the cases until we
+ * find one that we actually have */
+ switch (cred->jit_keyring) {
+@@ -277,8 +280,10 @@ static void construct_get_dest_keyring(s
+ dest_keyring =
+ key_get(rka->dest_keyring);
+ up_read(&authkey->sem);
+- if (dest_keyring)
++ if (dest_keyring) {
++ do_perm_check = false;
+ break;
++ }
+ }
+
+ case KEY_REQKEY_DEFL_THREAD_KEYRING:
+@@ -313,11 +318,29 @@ static void construct_get_dest_keyring(s
+ default:
+ BUG();
+ }
++
++ /*
++ * Require Write permission on the keyring. This is essential
++ * because the default keyring may be the session keyring, and
++ * joining a keyring only requires Search permission.
++ *
++ * However, this check is skipped for the "requestor keyring" so
++ * that /sbin/request-key can itself use request_key() to add
++ * keys to the original requestor's destination keyring.
++ */
++ if (dest_keyring && do_perm_check) {
++ ret = key_permission(make_key_ref(dest_keyring, 1),
++ KEY_NEED_WRITE);
++ if (ret) {
++ key_put(dest_keyring);
++ return ret;
++ }
++ }
+ }
+
+ *_dest_keyring = dest_keyring;
+ kleave(" [dk %d]", key_serial(dest_keyring));
+- return;
++ return 0;
+ }
+
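Review bot: The early `return ret` at L1580 leaves the `kenter()` at L1538 without a matching `kleave()`, so key tracing becomes unbalanced on the one exit this patch introduces; `kleave(" = %d", ret);` before the return keeps it consistent with the function's other exit at L1586. The `1` passed to make_key_ref() at L1576 asserts possession; that holds for the thread/process/session/user keyrings the switch selects, but it is a silent assumption and deserves a sentence in the comment block above, e.g. `The default keyrings are by construction possessed by the current task, hence the possessed key_ref.` The fallthrough from the requestor-keyring case at L1560 with do_perm_check still true when rka->dest_keyring is NULL looks intended and correct.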
+ /*
+@@ -443,11 +466,15 @@ static struct key *construct_key_and_lin
+ if (ctx->index_key.type == &key_type_keyring)
+ return ERR_PTR(-EPERM);
+
+- user = key_user_lookup(current_fsuid());
+- if (!user)
+- return ERR_PTR(-ENOMEM);
++ ret = construct_get_dest_keyring(&dest_keyring);
++ if (ret)
++ goto error;
+
+- construct_get_dest_keyring(&dest_keyring);
++ user = key_user_lookup(current_fsuid());
++ if (!user) {
++ ret = -ENOMEM;
++ goto error_put_dest_keyring;
++ }
+
+ ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key);
+ key_user_put(user);
+@@ -462,7 +489,7 @@ static struct key *construct_key_and_lin
+ } else if (ret == -EINPROGRESS) {
+ ret = 0;
+ } else {
+- goto couldnt_alloc_key;
++ goto error_put_dest_keyring;
+ }
+
+ key_put(dest_keyring);
+@@ -472,8 +499,9 @@ static struct key *construct_key_and_lin
+ construction_failed:
+ key_negate_and_link(key, key_negative_timeout, NULL, NULL);
+ key_put(key);
+-couldnt_alloc_key:
++error_put_dest_keyring:
+ key_put(dest_keyring);
++error:
+ kleave(" = %d", ret);
+ return ERR_PTR(ret);
+ }
--- /dev/null
+From fc396e066318c0a02208c1d3f0b62950a7714999 Mon Sep 17 00:00:00 2001
+From: Christoffer Dall <christoffer.dall@linaro.org>
+Date: Sun, 3 Dec 2017 23:54:41 +0100
+Subject: KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion
+
+From: Christoffer Dall <christoffer.dall@linaro.org>
+
+commit fc396e066318c0a02208c1d3f0b62950a7714999 upstream.
+
+We are incorrectly rearranging 32-bit words inside a 64-bit typed value
+for big endian systems, which would result in never marking a virtual
+interrupt as inactive on big endian systems (assuming 32 or fewer LRs on
+the hardware). Fix this by not doing any word order manipulation for
+the typed values.
+
+Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/hyp/vgic-v2-sr.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/virt/kvm/arm/hyp/vgic-v2-sr.c
++++ b/virt/kvm/arm/hyp/vgic-v2-sr.c
+@@ -77,11 +77,7 @@ static void __hyp_text save_elrsr(struct
+ else
+ elrsr1 = 0;
+
+-#ifdef CONFIG_CPU_BIG_ENDIAN
+- cpu_if->vgic_elrsr = ((u64)elrsr0 << 32) | elrsr1;
+-#else
+ cpu_if->vgic_elrsr = ((u64)elrsr1 << 32) | elrsr0;
+-#endif
+ }
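Review bot: With the `#ifdef` gone, nothing records why a big-endian special case was ever thought necessary or why it was wrong, so the same mistake can be reintroduced by the next person who "fixes" endianness here. A comment on L1665 prevents that: `/* elrsr0/elrsr1 are already CPU-order register values; combining them with shift/or is endianness-independent, so no word swapping belongs here. */`. save_elrsr() starts before the hunk.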
+
+ static void __hyp_text save_lrs(struct kvm_vcpu *vcpu, void __iomem *base)
--- /dev/null
+From 150009e2c70cc3c6e97f00e7595055765d32fb85 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 16 Nov 2017 17:58:15 +0000
+Subject: KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 150009e2c70cc3c6e97f00e7595055765d32fb85 upstream.
+
+Using the size of the structure we're allocating is a good idea
+and avoids any surprise... In this case, we're happily confusing
+kvm_kernel_irq_routing_entry and kvm_irq_routing_entry...
+
+Fixes: 95b110ab9a09 ("KVM: arm/arm64: Enable irqchip routing")
+Reported-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/vgic/vgic-irqfd.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/virt/kvm/arm/vgic/vgic-irqfd.c
++++ b/virt/kvm/arm/vgic/vgic-irqfd.c
+@@ -112,8 +112,7 @@ int kvm_vgic_setup_default_irq_routing(s
+ u32 nr = dist->nr_spis;
+ int i, ret;
+
+- entries = kcalloc(nr, sizeof(struct kvm_kernel_irq_routing_entry),
+- GFP_KERNEL);
++ entries = kcalloc(nr, sizeof(*entries), GFP_KERNEL);
+ if (!entries)
+ return -ENOMEM;
+
--- /dev/null
+From 686f294f2f1ae40705283dd413ca1e4c14f20f93 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 16 Nov 2017 17:58:18 +0000
+Subject: KVM: arm/arm64: vgic-its: Check result of allocation before use
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 686f294f2f1ae40705283dd413ca1e4c14f20f93 upstream.
+
+We miss a test against NULL after allocation.
+
+Fixes: 6d03a68f8054 ("KVM: arm64: vgic-its: Turn device_id validation into generic ID validation")
+Reported-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/vgic/vgic-its.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/virt/kvm/arm/vgic/vgic-its.c
++++ b/virt/kvm/arm/vgic/vgic-its.c
+@@ -687,6 +687,8 @@ static int vgic_its_alloc_collection(str
+ return E_ITS_MAPC_COLLECTION_OOR;
+
+ collection = kzalloc(sizeof(*collection), GFP_KERNEL);
++ if (!collection)
++ return -ENOMEM;
+
+ collection->collection_id = coll_id;
+ collection->target_addr = COLLECTION_NOT_MAPPED;
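Review bot: The new `return -ENOMEM` at L1737 returns a negative errno from a function whose other visible exit returns an ITS command status (`E_ITS_MAPC_COLLECTION_OOR`, L1733). If a caller feeds this value into the guest-visible ITS error path as a status code rather than treating negative values as host errors, -ENOMEM will be misreported; please confirm how vgic_its_alloc_collection()'s callers distinguish the two, and consider a comment on the return stating that negative values are host errors, not ITS status codes. The function begins before the hunk.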
--- /dev/null
+From ca76ec9ca871e67d8cd0b6caba24aca3d3ac4546 Mon Sep 17 00:00:00 2001
+From: Janosch Frank <frankja@linux.vnet.ibm.com>
+Date: Mon, 4 Dec 2017 12:19:11 +0100
+Subject: KVM: s390: Fix skey emulation permission check
+
+From: Janosch Frank <frankja@linux.vnet.ibm.com>
+
+commit ca76ec9ca871e67d8cd0b6caba24aca3d3ac4546 upstream.
+
+All skey functions call skey_check_enable at their start, which checks
+if we are in the PSTATE and injects a privileged operation exception
+if we are.
+
+Unfortunately they continue processing afterwards and perform the
+operation anyhow as skey_check_enable does not deliver an error if the
+exception injection was successful.
+
+Let's move the PSTATE check into the skey functions and exit them on
+such an occasion, also we now do not enable skey handling anymore in
+such a case.
+
+Signed-off-by: Janosch Frank <frankja@linux.vnet.ibm.com>
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Fixes: a7e19ab ("KVM: s390: handle missing storage-key facility")
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/priv.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kvm/priv.c
++++ b/arch/s390/kvm/priv.c
+@@ -197,8 +197,6 @@ static int try_handle_skey(struct kvm_vc
+ VCPU_EVENT(vcpu, 4, "%s", "retrying storage key operation");
+ return -EAGAIN;
+ }
+- if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
+- return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP);
+ return 0;
+ }
+
+@@ -209,6 +207,9 @@ static int handle_iske(struct kvm_vcpu *
+ int reg1, reg2;
+ int rc;
+
++ if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
++ return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP);
++
+ rc = try_handle_skey(vcpu);
+ if (rc)
+ return rc != -EAGAIN ? rc : 0;
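Review bot: The PSTATE privilege check added before `rc = try_handle_skey(vcpu);` is now open-coded identically in handle_iske(), and again in the handle_rrbe() and handle_sske() hunks below, so a fourth skey handler would have to remember to repeat it. Lifting the two lines into a small `static int skey_check_privileged(struct kvm_vcpu *vcpu)` helper that returns the injection result or 0, or at least documenting in try_handle_skey() that callers must now perform the PSTATE check themselves, keeps the three copies from drifting. Each of the three handlers starts and ends outside its hunk.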
+@@ -238,6 +239,9 @@ static int handle_rrbe(struct kvm_vcpu *
+ int reg1, reg2;
+ int rc;
+
++ if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
++ return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP);
++
+ rc = try_handle_skey(vcpu);
+ if (rc)
+ return rc != -EAGAIN ? rc : 0;
+@@ -273,6 +277,9 @@ static int handle_sske(struct kvm_vcpu *
+ int reg1, reg2;
+ int rc;
+
++ if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
++ return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP);
++
+ rc = try_handle_skey(vcpu);
+ if (rc)
+ return rc != -EAGAIN ? rc : 0;
--- /dev/null
+From d59d51f088014f25c2562de59b9abff4f42a7468 Mon Sep 17 00:00:00 2001
+From: Andrew Honig <ahonig@google.com>
+Date: Fri, 1 Dec 2017 10:21:09 -0800
+Subject: KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrew Honig <ahonig@google.com>
+
+commit d59d51f088014f25c2562de59b9abff4f42a7468 upstream.
+
+This fixes CVE-2017-1000407.
+
+KVM allows guests to directly access I/O port 0x80 on Intel hosts. If
+the guest floods this port with writes it generates exceptions and
+instability in the host kernel, leading to a crash. With this change
+guest writes to port 0x80 on Intel will behave the same as they
+currently behave on AMD systems.
+
+Prevent the flooding by removing the code that sets port 0x80 as a
+passthrough port. This is essentially the same as upstream patch
+99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
+for AMD chipsets and this patch is for Intel.
+
+Signed-off-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6413,12 +6413,7 @@ static __init int hardware_setup(void)
+ memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
+ memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);
+
+- /*
+- * Allow direct access to the PC debug port (it is often used for I/O
+- * delays, but the vmexits simply slow things down).
+- */
+ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
+- clear_bit(0x80, vmx_io_bitmap_a);
+
+ memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
+
--- /dev/null
+From b1394e745b9453dcb5b0671c205b770e87dedb87 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Thu, 30 Nov 2017 19:05:45 +0100
+Subject: KVM: x86: fix APIC page invalidation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Radim Krčmář <rkrcmar@redhat.com>
+
+commit b1394e745b9453dcb5b0671c205b770e87dedb87 upstream.
+
+Implementation of the unpinned APIC page didn't update the VMCS address
+cache when invalidation was done through range mmu notifiers.
+This became a problem when the page notifier was removed.
+
+Re-introduce the arch-specific helper and call it from ...range_start.
+
+Reported-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Fixes: 38b9917350cb ("kvm: vmx: Implement set_apic_access_page_addr")
+Fixes: 369ea8242c0f ("mm/rmap: update to new mmu_notifier semantic v2")
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
+Tested-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Tested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_host.h | 3 +++
+ arch/x86/kvm/x86.c | 14 ++++++++++++++
+ virt/kvm/kvm_main.c | 8 ++++++++
+ 3 files changed, 25 insertions(+)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1397,4 +1397,7 @@ static inline int kvm_cpu_get_apicid(int
+ #endif
+ }
+
++void kvm_arch_mmu_notifier_invalidate_range(struct kvm *kvm,
++ unsigned long start, unsigned long end);
++
+ #endif /* _ASM_X86_KVM_HOST_H */
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6526,6 +6526,20 @@ static void kvm_vcpu_flush_tlb(struct kv
+ kvm_x86_ops->tlb_flush(vcpu);
+ }
+
++void kvm_arch_mmu_notifier_invalidate_range(struct kvm *kvm,
++ unsigned long start, unsigned long end)
++{
++ unsigned long apic_address;
++
++ /*
++ * The physical address of apic access page is stored in the VMCS.
++ * Update it when it becomes invalid.
++ */
++ apic_address = gfn_to_hva(kvm, APIC_DEFAULT_PHYS_BASE >> PAGE_SHIFT);
++ if (start <= apic_address && apic_address < end)
++ kvm_make_all_cpus_request(kvm, KVM_REQ_APIC_PAGE_RELOAD);
++}
++
+ void kvm_vcpu_reload_apic_access_page(struct kvm_vcpu *vcpu)
+ {
+ struct page *page = NULL;
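Review bot: `gfn_to_hva()` can return an error HVA, and the new function compares its result against `[start, end)` without a `kvm_is_error_hva()` check. That is presumably harmless because an error HVA will not fall inside a real notifier range, but the intent is invisible; `if (kvm_is_error_hva(apic_address)) return;` after the lookup, or a comment stating that the range test implicitly rejects error values, would make it explicit. A kernel-doc comment on the new hook would also help, since the declaration added in kvm_host.h has none and the call site in the kvm_main.c hunk shows it runs after mmu_lock is dropped but still inside the srcu read side.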
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -125,6 +125,11 @@ EXPORT_SYMBOL_GPL(kvm_rebooting);
+
+ static bool largepages_enabled = true;
+
++__weak void kvm_arch_mmu_notifier_invalidate_range(struct kvm *kvm,
++ unsigned long start, unsigned long end)
++{
++}
++
+ bool kvm_is_reserved_pfn(kvm_pfn_t pfn)
+ {
+ if (pfn_valid(pfn))
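Review bot: The `__weak` default definition carries no comment explaining that it is an arch hook overridden by x86, and only the x86 header declares it, so on other architectures this definition is compiled without a matching prototype. A comment such as `/* Arch hook called from kvm_mmu_notifier_invalidate_range_start(); x86 overrides it to refresh the cached APIC access page address. */` and a declaration in the generic kvm header alongside the other arch hooks would tie the stub to its override and keep the signatures in sync.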
+@@ -361,6 +366,9 @@ static void kvm_mmu_notifier_invalidate_
+ kvm_flush_remote_tlbs(kvm);
+
+ spin_unlock(&kvm->mmu_lock);
++
++ kvm_arch_mmu_notifier_invalidate_range(kvm, start, end);
++
+ srcu_read_unlock(&kvm->srcu, idx);
+ }
+
--- /dev/null
+From 6d33377f2abbf9f0e561b116dd468d1c3ff36a6a Mon Sep 17 00:00:00 2001
+From: Laurent Caumont <lcaumont2@gmail.com>
+Date: Sat, 11 Nov 2017 12:44:46 -0500
+Subject: media: dvb: i2c transfers over usb cannot be done from stack
+
+From: Laurent Caumont <lcaumont2@gmail.com>
+
+commit 6d33377f2abbf9f0e561b116dd468d1c3ff36a6a upstream.
+
+Signed-off-by: Laurent Caumont <lcaumont2@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/dibusb-common.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/dibusb-common.c
++++ b/drivers/media/usb/dvb-usb/dibusb-common.c
+@@ -223,8 +223,20 @@ EXPORT_SYMBOL(dibusb_i2c_algo);
+
+ int dibusb_read_eeprom_byte(struct dvb_usb_device *d, u8 offs, u8 *val)
+ {
+- u8 wbuf[1] = { offs };
+- return dibusb_i2c_msg(d, 0x50, wbuf, 1, val, 1);
++ u8 *buf;
++ int rc;
++
++ buf = kmalloc(2, GFP_KERNEL);
++ if (!buf)
++ return -ENOMEM;
++
++ buf[0] = offs;
++
++ rc = dibusb_i2c_msg(d, 0x50, &buf[0], 1, &buf[1], 1);
++ *val = buf[1];
++ kfree(buf);
++
++ return rc;
+ }
+ EXPORT_SYMBOL(dibusb_read_eeprom_byte);
+
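Review bot: `*val = buf[1];` runs regardless of `rc`, so when dibusb_i2c_msg() fails the caller receives whatever kmalloc() left in `buf[1]` — an uninitialised heap byte — whereas the old stack version left `*val` untouched on that path. Copying only on success, `if (rc >= 0) *val = buf[1];` (assuming the negative-on-error convention the `-ENOMEM` path already uses), or allocating with `kzalloc()` so the byte is at least defined, closes that gap. The 2-byte allocation also deserves a comment noting that the buffer must be heap-allocated because it is handed to the USB layer for DMA, which is the whole reason for the change and is otherwise invisible in the code.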
--- /dev/null
+From 371b80447ff33ddac392c189cf884a5a3e18faeb Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Wed, 6 Dec 2017 18:21:14 +1000
+Subject: powerpc/64s: Initialize ISAv3 MMU registers before setting partition table
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit 371b80447ff33ddac392c189cf884a5a3e18faeb upstream.
+
+kexec can leave MMU registers set when booting into a new kernel,
+the PIDR (Process Identification Register) in particular. The boot
+sequence does not zero PIDR, so it only gets set when CPUs first
+switch to a userspace processes (until then it's running a kernel
+thread with effective PID = 0).
+
+This leaves a window where a process table entry and page tables are
+set up due to user processes running on other CPUs, that happen to
+match with a stale PID. The CPU with that PID may cause speculative
+accesses that address quadrant 0 (aka userspace addresses), which will
+result in cached translations and PWC (Page Walk Cache) for that
+process, on a CPU which is not in the mm_cpumask and so they will not
+be invalidated properly.
+
+The most common result is the kernel hanging in infinite page fault
+loops soon after kexec (usually in schedule_tail, which is usually the
+first non-speculative quadrant 0 access to a new PID) due to a stale
+PWC. However being a stale translation error, it could result in
+anything up to security and data corruption problems.
+
+Fix this by zeroing out PIDR at boot and kexec.
+
+Fixes: 7e381c0ff618 ("powerpc/mm/radix: Add mmu context handling callback for radix")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/cpu_setup_power.S | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/kernel/cpu_setup_power.S
++++ b/arch/powerpc/kernel/cpu_setup_power.S
+@@ -97,6 +97,7 @@ _GLOBAL(__setup_cpu_power9)
+ beqlr
+ li r0,0
+ mtspr SPRN_LPID,r0
++ mtspr SPRN_PID,r0
+ mfspr r3,SPRN_LPCR
+ LOAD_REG_IMMEDIATE(r4, LPCR_PECEDH | LPCR_PECE_HVEE | LPCR_HVICE)
+ or r3, r3, r4
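Review bot: The new `mtspr SPRN_PID,r0` has no comment, and nothing in the surrounding sequence says why PIDR must be cleared here; the same applies to the identical line in the __restore_cpu_power9 hunk below. A trailing comment such as `mtspr SPRN_PID,r0 /* clear stale PIDR left by kexec before the partition table is set up */` would preserve the reasoning from the commit message next to the code. Both routines continue outside their hunks.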
+@@ -119,6 +120,7 @@ _GLOBAL(__restore_cpu_power9)
+ beqlr
+ li r0,0
+ mtspr SPRN_LPID,r0
++ mtspr SPRN_PID,r0
+ mfspr r3,SPRN_LPCR
+ LOAD_REG_IMMEDIATE(r4, LPCR_PECEDH | LPCR_PECE_HVEE | LPCR_HVICE)
+ or r3, r3, r4
--- /dev/null
+From e779498df587dd2189b30fe5b9245aefab870eb8 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Wed, 6 Dec 2017 16:11:27 +0100
+Subject: s390: fix compat system call table
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+commit e779498df587dd2189b30fe5b9245aefab870eb8 upstream.
+
+When wiring up the socket system calls the compat entries were
+incorrectly set. Not all of them point to the corresponding compat
+wrapper functions, which clear the upper 33 bits of user space
+pointers, like it is required.
+
+Fixes: 977108f89c989 ("s390: wire up separate socketcalls system calls")
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/syscalls.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/s390/kernel/syscalls.S
++++ b/arch/s390/kernel/syscalls.S
+@@ -369,10 +369,10 @@ SYSCALL(sys_recvmmsg,compat_sys_recvmmsg
+ SYSCALL(sys_sendmmsg,compat_sys_sendmmsg)
+ SYSCALL(sys_socket,sys_socket)
+ SYSCALL(sys_socketpair,compat_sys_socketpair) /* 360 */
+-SYSCALL(sys_bind,sys_bind)
+-SYSCALL(sys_connect,sys_connect)
++SYSCALL(sys_bind,compat_sys_bind)
++SYSCALL(sys_connect,compat_sys_connect)
+ SYSCALL(sys_listen,sys_listen)
+-SYSCALL(sys_accept4,sys_accept4)
++SYSCALL(sys_accept4,compat_sys_accept4)
+ SYSCALL(sys_getsockopt,compat_sys_getsockopt) /* 365 */
+ SYSCALL(sys_setsockopt,compat_sys_setsockopt)
+ SYSCALL(sys_getsockname,compat_sys_getsockname)
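Review bot: `sys_listen`, and `sys_socket` above it, are deliberately left pointing at the native entry while their neighbours gain `compat_` wrappers, but nothing in the table says why; presumably those calls take only integer arguments, so there is no user pointer whose upper bits need clearing, which is exactly the distinction that was missed in the original wiring. A trailing comment on those rows, e.g. `/* int-only args: no compat wrapper needed */`, would keep the next person from either "fixing" them or repeating the omission on a new socket call.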
--- /dev/null
+From 860dd4424f344400b491b212ee4acb3a358ba9d9 Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Tue, 21 Nov 2017 14:23:37 +0100
+Subject: scsi: dma-mapping: always provide dma_get_cache_alignment
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 860dd4424f344400b491b212ee4acb3a358ba9d9 upstream.
+
+Provide the dummy version of dma_get_cache_alignment that always returns
+1 even if CONFIG_HAS_DMA is not set, so that drivers and subsystems can
+use it without ifdefs.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/dma-mapping.h | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/include/linux/dma-mapping.h
++++ b/include/linux/dma-mapping.h
+@@ -659,7 +659,6 @@ static inline void *dma_zalloc_coherent(
+ return ret;
+ }
+
+-#ifdef CONFIG_HAS_DMA
+ static inline int dma_get_cache_alignment(void)
+ {
+ #ifdef ARCH_DMA_MINALIGN
+@@ -667,7 +666,6 @@ static inline int dma_get_cache_alignmen
+ #endif
+ return 1;
+ }
+-#endif
+
+ /* flags for the coherent memory api */
+ #define DMA_MEMORY_MAP 0x01
--- /dev/null
+From c2e8fbf908afd81ad502b567a6639598f92c9b9d Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Tue, 21 Nov 2017 14:23:39 +0100
+Subject: scsi: libsas: align sata_device's rps_resp on a cacheline
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit c2e8fbf908afd81ad502b567a6639598f92c9b9d upstream.
+
+The rps_resp buffer in ata_device is a DMA target, but it isn't
+explicitly cacheline aligned. Due to this, adjacent fields can be
+overwritten with stale data from memory on non-coherent architectures.
+As a result, the kernel is sometimes unable to communicate with a SATA
+device behind a SAS expander.
+
+Fix this by ensuring that the rps_resp buffer is cacheline aligned.
+
+This issue is similar to that fixed by Commit 84bda12af31f93 ("libata:
+align ap->sector_buf") and Commit 4ee34ea3a12396f35b26 ("libata: Align
+ata_device's id on a cacheline").
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/scsi/libsas.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/scsi/libsas.h
++++ b/include/scsi/libsas.h
+@@ -165,11 +165,11 @@ struct expander_device {
+
+ struct sata_device {
+ unsigned int class;
+- struct smp_resp rps_resp; /* report_phy_sata_resp */
+ u8 port_no; /* port number, if this is a PM (Port) */
+
+ struct ata_port *ap;
+ struct ata_host ata_host;
++ struct smp_resp rps_resp ____cacheline_aligned; /* report_phy_sata_resp */
+ u8 fis[ATA_RESP_FIS_SIZE];
+ };
+
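Review bot: `____cacheline_aligned` aligns only the start of `rps_resp`; the `fis[ATA_RESP_FIS_SIZE]` array that follows begins wherever `rps_resp` ends, so unless `sizeof(struct smp_resp)` is a multiple of the cacheline size the two still share a line. If `fis` is written by the CPU, or is itself a DMA target, while `rps_resp` is in flight, the stale-line overwrite described in the commit message can still land on `fis`. Making `rps_resp` the last member of the struct, or padding it to a cacheline boundary, would remove the dependency on `smp_resp`'s size.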
--- /dev/null
+From 90addc6b3c9cda0146fbd62a08e234c2b224a80c Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Tue, 21 Nov 2017 14:23:38 +0100
+Subject: scsi: use dma_get_cache_alignment() as minimum DMA alignment
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit 90addc6b3c9cda0146fbd62a08e234c2b224a80c upstream.
+
+In non-coherent DMA mode, kernel uses cache flushing operations to
+maintain I/O coherency, so scsi's block queue should be aligned to the
+value returned by dma_get_cache_alignment(). Otherwise, if a DMA buffer
+and a kernel structure share a same cache line, and if the kernel
+structure has dirty data, cache_invalidate (no writeback) will cause
+data corruption.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+[hch: rebased and updated the comment and changelog]
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_lib.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -2041,11 +2041,13 @@ static void __scsi_init_queue(struct Scs
+ q->limits.cluster = 0;
+
+ /*
+- * set a reasonable default alignment on word boundaries: the
+- * host and device may alter it using
+- * blk_queue_update_dma_alignment() later.
++ * Set a reasonable default alignment: The larger of 32-byte (dword),
++ * which is a common minimum for HBAs, and the minimum DMA alignment,
++ * which is set by the platform.
++ *
++ * Devices that require a bigger alignment can increase it later.
+ */
+- blk_queue_dma_alignment(q, 0x03);
++ blk_queue_dma_alignment(q, max(4, dma_get_cache_alignment()) - 1);
+ }
+
+ struct request_queue *__scsi_alloc_queue(struct Scsi_Host *shost,
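Review bot: The rewritten comment says "32-byte (dword)" but the code uses `max(4, ...)`, i.e. a 4-byte (32-bit) minimum, so "32-byte" reads as a typo for "32-bit" and will mislead anyone reconciling the comment with the constant. Suggest `* Set a reasonable default alignment: the larger of 4 bytes (32-bit dword),` for that line. Also, `blk_queue_dma_alignment()` takes a mask, so the expression assumes `dma_get_cache_alignment()` returns a power of two; a short note on that assumption would make the `- 1` self-explanatory.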
can-ems_usb-cancel-urb-on-epipe-and-eproto.patch
can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch
can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch
+virtio-release-virtio-index-when-fail-to-device_register.patch
+hv-kvp-avoid-reading-past-allocated-blocks-from-kvp-file.patch
+isa-prevent-null-dereference-in-isa_bus-driver-callbacks.patch
+scsi-dma-mapping-always-provide-dma_get_cache_alignment.patch
+scsi-use-dma_get_cache_alignment-as-minimum-dma-alignment.patch
+scsi-libsas-align-sata_device-s-rps_resp-on-a-cacheline.patch
+efi-move-some-sysfs-files-to-be-read-only-by-root.patch
+efi-esrt-use-memunmap-instead-of-kfree-to-free-the-remapping.patch
+asn.1-fix-out-of-bounds-read-when-parsing-indefinite-length-item.patch
+asn.1-check-for-error-from-asn1_op_end__act-actions.patch
+keys-add-missing-permission-check-for-request_key-destination.patch
+x.509-reject-invalid-bit-string-for-subjectpublickey.patch
+x.509-fix-comparisons-of-pkey_algo.patch
+x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch
+kvm-x86-fix-apic-page-invalidation.patch
+btrfs-fix-missing-error-return-in-btrfs_drop_snapshot.patch
+alsa-pcm-prevent-uaf-in-snd_pcm_info.patch
+alsa-seq-remove-spurious-warn_on-at-timer-check.patch
+alsa-usb-audio-fix-out-of-bound-error.patch
+alsa-usb-audio-add-check-return-value-for-usb_string.patch
+iommu-vt-d-fix-scatterlist-offset-handling.patch
+smp-hotplug-move-step-cpuhp_ap_smpcfd_dying-to-the-correct-place.patch
+s390-fix-compat-system-call-table.patch
+kvm-s390-fix-skey-emulation-permission-check.patch
+powerpc-64s-initialize-isav3-mmu-registers-before-setting-partition-table.patch
+brcmfmac-change-driver-unbind-order-of-the-sdio-function-devices.patch
+kdb-fix-handling-of-kallsyms_symbol_next-return-value.patch
+drm-exynos-gem-drop-noncontig-flag-for-buffers-allocated-without-iommu.patch
+media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch
+arm64-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch
+arm-kvm-fix-vttbr_baddr_mask-bug_on-off-by-one.patch
+kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
+kvm-arm-arm64-fix-broken-gich_elrsr-big-endian-conversion.patch
+kvm-arm-arm64-vgic-irqfd-fix-msi-entry-allocation.patch
+kvm-arm-arm64-vgic-its-check-result-of-allocation-before-use.patch
+arm64-fpsimd-prevent-registers-leaking-from-dead-tasks.patch
+bus-arm-cci-fix-use-of-smp_processor_id-in-preemptible-context.patch
+bus-arm-ccn-check-memory-allocation-failure.patch
+bus-arm-ccn-fix-use-of-smp_processor_id-in-preemptible-context.patch
+bus-arm-ccn-fix-module-unloading-error-removing-state-147-which-has-instances-left.patch
--- /dev/null
+From 46febd37f9c758b05cd25feae8512f22584742fe Mon Sep 17 00:00:00 2001
+From: Lai Jiangshan <jiangshanlai@gmail.com>
+Date: Tue, 28 Nov 2017 21:19:53 +0800
+Subject: smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place
+
+From: Lai Jiangshan <jiangshanlai@gmail.com>
+
+commit 46febd37f9c758b05cd25feae8512f22584742fe upstream.
+
+Commit 31487f8328f2 ("smp/cfd: Convert core to hotplug state machine")
+accidentally put this step in the wrong place. The step should be at the
+cpuhp_ap_states[] rather than the cpuhp_bp_states[].
+
+grep smpcfd /sys/devices/system/cpu/hotplug/states
+ 40: smpcfd:prepare
+129: smpcfd:dying
+
+"smpcfd:dying" was missing before.
+So was the invocation of the function smpcfd_dying_cpu().
+
+Fixes: 31487f8328f2 ("smp/cfd: Convert core to hotplug state machine")
+Signed-off-by: Lai Jiangshan <jiangshanlai@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Link: https://lkml.kernel.org/r/20171128131954.81229-1-jiangshanlai@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cpu.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -1321,11 +1321,6 @@ static struct cpuhp_step cpuhp_bp_states
+ .teardown.single = NULL,
+ .cant_stop = true,
+ },
+- [CPUHP_AP_SMPCFD_DYING] = {
+- .name = "smpcfd:dying",
+- .startup.single = NULL,
+- .teardown.single = smpcfd_dying_cpu,
+- },
+ /*
+ * Handled on controll processor until the plugged processor manages
+ * this itself.
+@@ -1367,6 +1362,11 @@ static struct cpuhp_step cpuhp_ap_states
+ .startup.single = NULL,
+ .teardown.single = rcutree_dying_cpu,
+ },
++ [CPUHP_AP_SMPCFD_DYING] = {
++ .name = "smpcfd:dying",
++ .startup.single = NULL,
++ .teardown.single = smpcfd_dying_cpu,
++ },
+ /* Entry state on starting. Interrupts enabled from here on. Transient
+ * state for synchronsization */
+ [CPUHP_AP_ONLINE] = {
--- /dev/null
+From e60ea67bb60459b95a50a156296041a13e0e380e Mon Sep 17 00:00:00 2001
+From: weiping zhang <zwp10758@gmail.com>
+Date: Wed, 29 Nov 2017 09:23:01 +0800
+Subject: virtio: release virtio index when fail to device_register
+
+From: weiping zhang <zwp10758@gmail.com>
+
+commit e60ea67bb60459b95a50a156296041a13e0e380e upstream.
+
+The index can be reused by another virtio device.
+
+Signed-off-by: weiping zhang <zhangweiping@didichuxing.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/virtio/virtio.c
++++ b/drivers/virtio/virtio.c
+@@ -323,6 +323,8 @@ int register_virtio_device(struct virtio
+ /* device_register() causes the bus infrastructure to look for a
+ * matching driver. */
+ err = device_register(&dev->dev);
++ if (err)
++ ida_simple_remove(&virtio_index_ida, dev->index);
+ out:
+ if (err)
+ add_status(dev, VIRTIO_CONFIG_S_FAILED);
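Review bot: The release sits ahead of the `out:` label, so `ida_simple_remove()` runs only on the device_register() failure path and not for any other `goto out` taken between the index allocation and this call; the start of register_virtio_device() is outside the hunk, so whether such paths exist is not visible. The idiomatic goto-cleanup shape — a dedicated label placed before `out:` that releases the index, with device_register() failure jumping to it via `if (err) goto out_ida_remove;` — would cover every later failure path and avoid the back-to-back `if (err)` tests. It also keeps the index release next to the other unwinding rather than inline with the register call.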
--- /dev/null
+From 54c1fb39fe0495f846539ab765925b008f86801c Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 8 Dec 2017 15:13:29 +0000
+Subject: X.509: fix comparisons of ->pkey_algo
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 54c1fb39fe0495f846539ab765925b008f86801c upstream.
+
+->pkey_algo used to be an enum, but was changed to a string by commit
+4e8ae72a75aa ("X.509: Make algo identifiers text instead of enum"). But
+two comparisons were not updated. Fix them to use strcmp().
+
+This bug broke signature verification in certain configurations,
+depending on whether the string constants were deduplicated or not.
+
+Fixes: 4e8ae72a75aa ("X.509: Make algo identifiers text instead of enum")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/asymmetric_keys/pkcs7_verify.c | 2 +-
+ crypto/asymmetric_keys/x509_public_key.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/crypto/asymmetric_keys/pkcs7_verify.c
++++ b/crypto/asymmetric_keys/pkcs7_verify.c
+@@ -150,7 +150,7 @@ static int pkcs7_find_key(struct pkcs7_m
+ pr_devel("Sig %u: Found cert serial match X.509[%u]\n",
+ sinfo->index, certix);
+
+- if (x509->pub->pkey_algo != sinfo->sig->pkey_algo) {
++ if (strcmp(x509->pub->pkey_algo, sinfo->sig->pkey_algo) != 0) {
+ pr_warn("Sig %u: X.509 algo and PKCS#7 sig algo don't match\n",
+ sinfo->index);
+ continue;
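Review bot: `strcmp()` dereferences both operands, so if either `x509->pub->pkey_algo` or `sinfo->sig->pkey_algo` can still be NULL here (e.g. an algorithm the parser did not recognise), the new comparison oopses where the old pointer compare merely mismatched; the same applies to the x509_public_key.c hunk below. If the parsers guarantee both strings are set before this point, a one-line comment saying so would settle it; otherwise guard with `if (!x509->pub->pkey_algo || !sinfo->sig->pkey_algo || strcmp(x509->pub->pkey_algo, sinfo->sig->pkey_algo) != 0)`. pkcs7_find_key() starts and ends outside the hunk.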
+--- a/crypto/asymmetric_keys/x509_public_key.c
++++ b/crypto/asymmetric_keys/x509_public_key.c
+@@ -125,7 +125,7 @@ int x509_check_for_self_signed(struct x5
+ }
+
+ ret = -EKEYREJECTED;
+- if (cert->pub->pkey_algo != cert->sig->pkey_algo)
++ if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0)
+ goto out;
+
+ ret = public_key_verify_signature(cert->pub, cert->sig);
--- /dev/null
+From 0f30cbea005bd3077bd98cd29277d7fc2699c1da Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 8 Dec 2017 15:13:27 +0000
+Subject: X.509: reject invalid BIT STRING for subjectPublicKey
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 0f30cbea005bd3077bd98cd29277d7fc2699c1da upstream.
+
+Adding a specially crafted X.509 certificate whose subjectPublicKey
+ASN.1 value is zero-length caused x509_extract_key_data() to set the
+public key size to SIZE_MAX, as it subtracted the nonexistent BIT STRING
+metadata byte. Then, x509_cert_parse() called kmemdup() with that bogus
+size, triggering the WARN_ON_ONCE() in kmalloc_slab().
+
+This appears to be harmless, but it still must be fixed since WARNs are
+never supposed to be user-triggerable.
+
+Fix it by updating x509_cert_parse() to validate that the value has a
+BIT STRING metadata byte, and that the byte is 0 which indicates that
+the number of bits in the bitstring is a multiple of 8.
+
+It would be nice to handle the metadata byte in asn1_ber_decoder()
+instead. But that would be tricky because in the general case a BIT
+STRING could be implicitly tagged, and/or could legitimately have a
+length that is not a whole number of bytes.
+
+Here was the WARN (cleaned up slightly):
+
+ WARNING: CPU: 1 PID: 202 at mm/slab_common.c:971 kmalloc_slab+0x5d/0x70 mm/slab_common.c:971
+ Modules linked in:
+ CPU: 1 PID: 202 Comm: keyctl Tainted: G B 4.14.0-09238-g1d3b78bbc6e9 #26
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
+ task: ffff880033014180 task.stack: ffff8800305c8000
+ Call Trace:
+ __do_kmalloc mm/slab.c:3706 [inline]
+ __kmalloc_track_caller+0x22/0x2e0 mm/slab.c:3726
+ kmemdup+0x17/0x40 mm/util.c:118
+ kmemdup include/linux/string.h:414 [inline]
+ x509_cert_parse+0x2cb/0x620 crypto/asymmetric_keys/x509_cert_parser.c:106
+ x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
+ asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
+ key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
+ SYSC_add_key security/keys/keyctl.c:122 [inline]
+ SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
+ entry_SYSCALL_64_fastpath+0x1f/0x96
+
+Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/asymmetric_keys/x509_cert_parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/asymmetric_keys/x509_cert_parser.c
++++ b/crypto/asymmetric_keys/x509_cert_parser.c
+@@ -408,6 +408,8 @@ int x509_extract_key_data(void *context,
+ ctx->cert->pub->pkey_algo = "rsa";
+
+ /* Discard the BIT STRING metadata */
++ if (vlen < 1 || *(const u8 *)value != 0)
++ return -EBADMSG;
+ ctx->key = value + 1;
+ ctx->key_size = vlen - 1;
+ return 0;
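Review bot: The comment `/* Discard the BIT STRING metadata */` now sits above a validation, not just a discard, and a reader has to know ASN.1 to see what `*(const u8 *)value != 0` rejects. Suggest expanding it to `/* The BIT STRING's first byte is the unused-bits count; require it to be present and zero so the key is a whole number of bytes and vlen - 1 cannot underflow. */`. x509_extract_key_data() starts outside the hunk.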
--- /dev/null
+From ddec3bdee05b06f1dda20ded003c3e10e4184cab Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Fri, 1 Dec 2017 15:08:12 +0100
+Subject: x86/PCI: Make broadcom_postcore_init() check acpi_disabled
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit ddec3bdee05b06f1dda20ded003c3e10e4184cab upstream.
+
+acpi_os_get_root_pointer() may return a valid address even if acpi_disabled
+is set, but the host bridge information from the ACPI tables is not going
+to be used in that case and the Broadcom host bridge initialization should
+not be skipped then. So make broadcom_postcore_init() check acpi_disabled
+too to avoid this issue.
+
+Fixes: 6361d72b04d1 (x86/PCI: read Broadcom CNB20LE host bridge info before PCI scan)
+Reported-by: Dave Hansen <dave.hansen@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Linux PCI <linux-pci@vger.kernel.org>
+Link: https://lkml.kernel.org/r/3186627.pxZj1QbYNg@aspire.rjw.lan
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/pci/broadcom_bus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/pci/broadcom_bus.c
++++ b/arch/x86/pci/broadcom_bus.c
+@@ -97,7 +97,7 @@ static int __init broadcom_postcore_init
+ * We should get host bridge information from ACPI unless the BIOS
+ * doesn't support it.
+ */
+- if (acpi_os_get_root_pointer())
++ if (!acpi_disabled && acpi_os_get_root_pointer())
+ return 0;
+ #endif
+
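Review bot: The comment above the changed condition still says host bridge information comes from ACPI "unless the BIOS doesn't support it", but the new `!acpi_disabled &&` term adds a second reason — ACPI explicitly disabled, in which case the tables are not consulted even though a root pointer exists. Updating it to `* We should get host bridge information from ACPI unless the BIOS doesn't support it or ACPI has been disabled (acpi_disabled).` keeps the comment in step with the check. broadcom_postcore_init() starts and ends outside the hunk.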