--- /dev/null
+From 4e765b4972af7b07adcb1feb16e7a525ce1f6b28 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 29 Dec 2017 18:15:23 -0600
+Subject: af_key: fix buffer overread in parse_exthdrs()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 4e765b4972af7b07adcb1feb16e7a525ce1f6b28 upstream.
+
+If a message sent to a PF_KEY socket ended with an incomplete extension
+header (fewer than 4 bytes remaining), then parse_exthdrs() read past
+the end of the message, into uninitialized memory. Fix it by returning
+-EINVAL in this case.
+
+Reproducer:
+
+ #include <linux/pfkeyv2.h>
+ #include <sys/socket.h>
+ #include <unistd.h>
+
+ int main()
+ {
+ int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+ char buf[17] = { 0 };
+ struct sadb_msg *msg = (void *)buf;
+
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_DELETE;
+ msg->sadb_msg_len = 2;
+
+ write(sock, buf, 17);
+ }
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/key/af_key.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -516,6 +516,9 @@ static int parse_exthdrs(struct sk_buff
+ uint16_t ext_type;
+ int ext_len;
+
++ if (len < sizeof(*ehdr))
++ return -EINVAL;
++
+ ext_len = ehdr->sadb_ext_len;
+ ext_len *= sizeof(uint64_t);
+ ext_type = ehdr->sadb_ext_type;
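Review bot: The added `len < sizeof(*ehdr)` guard compares `len` with a `size_t`, and the declaration of `len` is outside this hunk. If `len` is a signed int, a negative value would convert to a large unsigned number and pass the check, so the guard is only sound while the enclosing loop keeps `len` positive. A one-line comment above it would record the intent, e.g. `/* need a whole sadb_ext header before reading sadb_ext_len / sadb_ext_type */`. parse_exthdrs() starts and ends outside the hunk, so whether `ext_len` is later bounded by `len` cannot be confirmed from here.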
--- /dev/null
+From 06b335cb51af018d5feeff5dd4fd53847ddb675a Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 29 Dec 2017 18:13:05 -0600
+Subject: af_key: fix buffer overread in verify_address_len()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 06b335cb51af018d5feeff5dd4fd53847ddb675a upstream.
+
+If a message sent to a PF_KEY socket ended with one of the extensions
+that takes a 'struct sadb_address' but there were not enough bytes
+remaining in the message for the ->sa_family member of the 'struct
+sockaddr' which is supposed to follow, then verify_address_len() read
+past the end of the message, into uninitialized memory. Fix it by
+returning -EINVAL in this case.
+
+This bug was found using syzkaller with KMSAN.
+
+Reproducer:
+
+ #include <linux/pfkeyv2.h>
+ #include <sys/socket.h>
+ #include <unistd.h>
+
+ int main()
+ {
+ int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+ char buf[24] = { 0 };
+ struct sadb_msg *msg = (void *)buf;
+ struct sadb_address *addr = (void *)(msg + 1);
+
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_DELETE;
+ msg->sadb_msg_len = 3;
+ addr->sadb_address_len = 1;
+ addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+
+ write(sock, buf, 24);
+ }
+
+Reported-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/key/af_key.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -401,6 +401,11 @@ static int verify_address_len(const void
+ #endif
+ int len;
+
++ if (sp->sadb_address_len <
++ DIV_ROUND_UP(sizeof(*sp) + offsetofend(typeof(*addr), sa_family),
++ sizeof(uint64_t)))
++ return -EINVAL;
++
+ switch (addr->sa_family) {
+ case AF_INET:
+ len = DIV_ROUND_UP(sizeof(*sp) + sizeof(*sin), sizeof(uint64_t));
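Review bot: The new guard in verify_address_len() bounds the read of `addr->sa_family` by `sp->sadb_address_len`, a length field taken from the message itself. It therefore protects only if the caller has already confirmed that this declared length fits in the bytes actually received, and that caller check is not visible in this hunk. I would state the dependency in a comment above the guard, e.g. `/* caller must already have bounded sadb_address_len by the remaining message length */`. The per-family length computations inside the `switch` continue outside the hunk.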
--- /dev/null
+From e4c9fd10eb21376f44723c40ad12395089251c28 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 10 Jan 2018 08:34:28 +0100
+Subject: ALSA: hda - Apply headphone noise quirk for another Dell XPS 13 variant
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit e4c9fd10eb21376f44723c40ad12395089251c28 upstream.
+
+There is another Dell XPS 13 variant (SSID 1028:082a) that requires
+the existing fixup for reducing the headphone noise.
+This patch adds the quirk entry for that.
+
+BugLink: http://lkml.kernel.org/r/CAHXyb9ZCZJzVisuBARa+UORcjRERV8yokez=DP1_5O5isTz0ZA@mail.gmail.com
+Reported-and-tested-by: Francisco G. <frangio.1@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5617,6 +5617,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
+ SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME),
+ SND_PCI_QUIRK(0x1028, 0x0798, "Dell Inspiron 17 7000 Gaming", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER),
++ SND_PCI_QUIRK(0x1028, 0x082a, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
+ SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
--- /dev/null
+From 031f335cda879450095873003abb03ae8ed3b74a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 10 Jan 2018 10:53:18 +0100
+Subject: ALSA: hda - Apply the existing quirk to iMac 14,1
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 031f335cda879450095873003abb03ae8ed3b74a upstream.
+
+iMac 14,1 requires the same quirk as iMac 12,2, using GPIO 2 and 3 for
+headphone and speaker output amps. Add the codec SSID quirk entry
+(106b:0600) accordingly.
+
+BugLink: http://lkml.kernel.org/r/CAEw6Zyteav09VGHRfD5QwsfuWv5a43r0tFBNbfcHXoNrxVz7ew@mail.gmail.com
+Reported-by: Freaky <freaky2000@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_cirrus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_cirrus.c
++++ b/sound/pci/hda/patch_cirrus.c
+@@ -408,6 +408,7 @@ static const struct snd_pci_quirk cs420x
+ /*SND_PCI_QUIRK(0x8086, 0x7270, "IMac 27 Inch", CS420X_IMAC27),*/
+
+ /* codec SSID */
++ SND_PCI_QUIRK(0x106b, 0x0600, "iMac 14,1", CS420X_IMAC27_122),
+ SND_PCI_QUIRK(0x106b, 0x1c00, "MacBookPro 8,1", CS420X_MBP81),
+ SND_PCI_QUIRK(0x106b, 0x2000, "iMac 12,2", CS420X_IMAC27_122),
+ SND_PCI_QUIRK(0x106b, 0x2800, "MacBookPro 10,1", CS420X_MBP101),
--- /dev/null
+From 23b19b7b50fe1867da8d431eea9cd3e4b6328c2c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 10 Jan 2018 23:48:05 +0100
+Subject: ALSA: pcm: Remove yet superfluous WARN_ON()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 23b19b7b50fe1867da8d431eea9cd3e4b6328c2c upstream.
+
+muldiv32() contains a snd_BUG_ON() (which is morphed as WARN_ON() with
+debug option) for checking the case of 0 / 0. This would be helpful
+if this happens only as a logical error; however, since the hw refine
+is performed with any data set provided by user, the inconsistent
+values that can trigger such a condition might be passed easily.
+Actually, syzbot caught this by passing some zero'ed old hw_params
+ioctl.
+
+So, having snd_BUG_ON() there is simply superfluous and rather
+harmful to give unnecessary confusions. Let's get rid of it.
+
+Reported-by: syzbot+7e6ee55011deeebce15d@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_lib.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -578,7 +578,6 @@ static inline unsigned int muldiv32(unsi
+ {
+ u_int64_t n = (u_int64_t) a * b;
+ if (c == 0) {
+- snd_BUG_ON(!n);
+ *r = 0;
+ return UINT_MAX;
+ }
--- /dev/null
+From b3defb791b26ea0683a93a4f49c77ec45ec96f10 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 9 Jan 2018 23:11:03 +0100
+Subject: ALSA: seq: Make ioctls race-free
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit b3defb791b26ea0683a93a4f49c77ec45ec96f10 upstream.
+
+The ALSA sequencer ioctls have no protection against racy calls while
+the concurrent operations may lead to interfere with each other. As
+reported recently, for example, the concurrent calls of setting client
+pool with a combination of write calls may lead to either the
+unkillable dead-lock or UAF.
+
+As a slightly big hammer solution, this patch introduces the mutex to
+make each ioctl exclusive. Although this may reduce performance via
+parallel ioctl calls, usually it's not demanded for sequencer usages,
+hence it should be negligible.
+
+Reported-by: Luo Quan <a4651386@163.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_clientmgr.c | 3 +++
+ sound/core/seq/seq_clientmgr.h | 1 +
+ 2 files changed, 4 insertions(+)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -221,6 +221,7 @@ static struct snd_seq_client *seq_create
+ rwlock_init(&client->ports_lock);
+ mutex_init(&client->ports_mutex);
+ INIT_LIST_HEAD(&client->ports_list_head);
++ mutex_init(&client->ioctl_mutex);
+
+ /* find free slot in the client table */
+ spin_lock_irqsave(&clients_lock, flags);
+@@ -2127,7 +2128,9 @@ static long snd_seq_ioctl(struct file *f
+ return -EFAULT;
+ }
+
++ mutex_lock(&client->ioctl_mutex);
+ err = handler->func(client, &buf);
++ mutex_unlock(&client->ioctl_mutex);
+ if (err >= 0) {
+ /* Some commands includes a bug in 'dir' field. */
+ if (handler->cmd == SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT ||
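Review bot: `ioctl_mutex` is taken only around `handler->func(client, &buf)` in snd_seq_ioctl(), so it makes ioctls exclusive against each other but, as far as this diff shows, not against the write path that the description names as part of the reported deadlock/UAF. If write() can still run concurrently with a pool-resizing ioctl, that race likely needs its own fix. At minimum the new field in seq_clientmgr.h should say what it covers, e.g. `struct mutex ioctl_mutex; /* serializes ioctl handlers for this client only */`. snd_seq_ioctl() starts and ends outside the hunk, so other entry points into the handlers cannot be checked from here.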
+--- a/sound/core/seq/seq_clientmgr.h
++++ b/sound/core/seq/seq_clientmgr.h
+@@ -61,6 +61,7 @@ struct snd_seq_client {
+ struct list_head ports_list_head;
+ rwlock_t ports_lock;
+ struct mutex ports_mutex;
++ struct mutex ioctl_mutex;
+ int convert32; /* convert 32->64bit */
+
+ /* output pool */
--- /dev/null
+From fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a Mon Sep 17 00:00:00 2001
+From: Li Jinyue <lijinyue@huawei.com>
+Date: Thu, 14 Dec 2017 17:04:54 +0800
+Subject: futex: Prevent overflow by strengthen input validation
+
+From: Li Jinyue <lijinyue@huawei.com>
+
+commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a upstream.
+
+UBSAN reports signed integer overflow in kernel/futex.c:
+
+ UBSAN: Undefined behaviour in kernel/futex.c:2041:18
+ signed integer overflow:
+ 0 - -2147483648 cannot be represented in type 'int'
+
+Add a sanity check to catch negative values of nr_wake and nr_requeue.
+
+Signed-off-by: Li Jinyue <lijinyue@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: peterz@infradead.org
+Cc: dvhart@infradead.org
+Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/futex.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -1711,6 +1711,9 @@ static int futex_requeue(u32 __user *uad
+ struct futex_q *this, *next;
+ WAKE_Q(wake_q);
+
++ if (nr_wake < 0 || nr_requeue < 0)
++ return -EINVAL;
++
+ if (requeue_pi) {
+ /*
+ * Requeue PI only works on two distinct uaddrs. This
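Review bot: The new `nr_wake < 0 || nr_requeue < 0` rejection in futex_requeue() has no comment saying which later arithmetic it protects, and the expression UBSAN reported is outside this hunk. A short comment would keep the check from being dropped later as redundant, e.g. `/* negative nr_wake or nr_requeue overflows the signed arithmetic further down */`. Whether other futex operations that accept a wake count need the same validation cannot be judged from this hunk.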
--- /dev/null
+From cd52cb26e7ead5093635e98e07e221e4df482d34 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Sun, 26 Nov 2017 15:31:04 +0200
+Subject: iser-target: Fix possible use-after-free in connection establishment error
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+commit cd52cb26e7ead5093635e98e07e221e4df482d34 upstream.
+
+In case we fail to establish the connection we must drain our pre-posted
+login recieve work request before continuing safely with connection
+teardown.
+
+Fixes: a060b5629ab0 ("IB/core: generic RDMA READ/WRITE API")
+Reported-by: Amrani, Ram <Ram.Amrani@cavium.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -747,6 +747,7 @@ isert_connect_error(struct rdma_cm_id *c
+ {
+ struct isert_conn *isert_conn = cma_id->qp->qp_context;
+
++ ib_drain_qp(isert_conn->qp);
+ list_del_init(&isert_conn->node);
+ isert_conn->cm_id = NULL;
+ isert_put_conn(isert_conn);
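Review bot: The position of the added `ib_drain_qp(isert_conn->qp)` ahead of `list_del_init()` and `isert_put_conn()` is what closes the use-after-free, but nothing in isert_connect_error() says so, and a later cleanup could reorder it. I would add `/* drain the pre-posted login receive before the conn reference is dropped */` above the call. ib_drain_qp() also blocks until the queue is drained, so this relies on the connect-error handler running in a context that may sleep, which is not visible in this hunk.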
libnvdimm-btt-fix-an-incompatibility-in-the-log-layout.patch
scsi-sg-disable-set_force_low_dma.patch
+futex-prevent-overflow-by-strengthen-input-validation.patch
+alsa-seq-make-ioctls-race-free.patch
+alsa-pcm-remove-yet-superfluous-warn_on.patch
+alsa-hda-apply-headphone-noise-quirk-for-another-dell-xps-13-variant.patch
+alsa-hda-apply-the-existing-quirk-to-imac-14-1.patch
+timers-unconditionally-check-deferrable-base.patch
+af_key-fix-buffer-overread-in-verify_address_len.patch
+af_key-fix-buffer-overread-in-parse_exthdrs.patch
+iser-target-fix-possible-use-after-free-in-connection-establishment-error.patch
--- /dev/null
+From ed4bbf7910b28ce3c691aef28d245585eaabda06 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Sun, 14 Jan 2018 23:19:49 +0100
+Subject: timers: Unconditionally check deferrable base
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit ed4bbf7910b28ce3c691aef28d245585eaabda06 upstream.
+
+When the timer base is checked for expired timers then the deferrable base
+must be checked as well. This was missed when making the deferrable base
+independent of base::nohz_active.
+
+Fixes: ced6d5c11d3e ("timers: Use deferrable base independent of base::nohz_active")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sebastian Siewior <bigeasy@linutronix.de>
+Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
+Cc: rt@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/timer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -1696,7 +1696,7 @@ void run_local_timers(void)
+ hrtimer_run_queues();
+ /* Raise the softirq only if required. */
+ if (time_before(jiffies, base->clk)) {
+- if (!IS_ENABLED(CONFIG_NO_HZ_COMMON) || !base->nohz_active)
++ if (!IS_ENABLED(CONFIG_NO_HZ_COMMON))
+ return;
+ /* CPU is awake, so check the deferrable base. */
+ base++;
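Review bot: With `!base->nohz_active` removed, the remaining `!IS_ENABLED(CONFIG_NO_HZ_COMMON)` early return is the only thing keeping `base++` from running on configurations that presumably have no separate deferrable base, and the code does not say that. A comment on the condition would make the reason explicit, e.g. `/* without NO_HZ_COMMON there is no deferrable base to advance to */`. That should be confirmed against the definition of the base array, which is outside this hunk. run_local_timers() continues past the last line shown.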