4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 18 Jan 2018 17:52:16 +0000 (18:52 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 18 Jan 2018 17:52:16 +0000 (18:52 +0100)
added patches:
af_key-fix-buffer-overread-in-parse_exthdrs.patch
af_key-fix-buffer-overread-in-verify_address_len.patch
alsa-hda-apply-headphone-noise-quirk-for-another-dell-xps-13-variant.patch
alsa-hda-apply-the-existing-quirk-to-imac-14-1.patch
alsa-pcm-remove-yet-superfluous-warn_on.patch
alsa-seq-make-ioctls-race-free.patch
delayacct-account-blkio-completion-on-the-correct-task.patch
futex-avoid-violating-the-10th-rule-of-futex.patch
futex-prevent-overflow-by-strengthen-input-validation.patch
ib-hfi1-prevent-a-null-dereference.patch
iser-target-fix-possible-use-after-free-in-connection-establishment-error.patch
rdma-mlx5-fix-out-of-bound-access-while-querying-ah.patch
timers-unconditionally-check-deferrable-base.patch

14 files changed:
queue-4.14/af_key-fix-buffer-overread-in-parse_exthdrs.patch [new file with mode: 0644]
queue-4.14/af_key-fix-buffer-overread-in-verify_address_len.patch [new file with mode: 0644]
queue-4.14/alsa-hda-apply-headphone-noise-quirk-for-another-dell-xps-13-variant.patch [new file with mode: 0644]
queue-4.14/alsa-hda-apply-the-existing-quirk-to-imac-14-1.patch [new file with mode: 0644]
queue-4.14/alsa-pcm-remove-yet-superfluous-warn_on.patch [new file with mode: 0644]
queue-4.14/alsa-seq-make-ioctls-race-free.patch [new file with mode: 0644]
queue-4.14/delayacct-account-blkio-completion-on-the-correct-task.patch [new file with mode: 0644]
queue-4.14/futex-avoid-violating-the-10th-rule-of-futex.patch [new file with mode: 0644]
queue-4.14/futex-prevent-overflow-by-strengthen-input-validation.patch [new file with mode: 0644]
queue-4.14/ib-hfi1-prevent-a-null-dereference.patch [new file with mode: 0644]
queue-4.14/iser-target-fix-possible-use-after-free-in-connection-establishment-error.patch [new file with mode: 0644]
queue-4.14/rdma-mlx5-fix-out-of-bound-access-while-querying-ah.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/timers-unconditionally-check-deferrable-base.patch [new file with mode: 0644]

diff --git a/queue-4.14/af_key-fix-buffer-overread-in-parse_exthdrs.patch b/queue-4.14/af_key-fix-buffer-overread-in-parse_exthdrs.patch
new file mode 100644 (file)
index 0000000..2986b74
--- /dev/null
@@ -0,0 +1,53 @@
+From 4e765b4972af7b07adcb1feb16e7a525ce1f6b28 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 29 Dec 2017 18:15:23 -0600
+Subject: af_key: fix buffer overread in parse_exthdrs()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 4e765b4972af7b07adcb1feb16e7a525ce1f6b28 upstream.
+
+If a message sent to a PF_KEY socket ended with an incomplete extension
+header (fewer than 4 bytes remaining), then parse_exthdrs() read past
+the end of the message, into uninitialized memory.  Fix it by returning
+-EINVAL in this case.
+
+Reproducer:
+
+       #include <linux/pfkeyv2.h>
+       #include <sys/socket.h>
+       #include <unistd.h>
+
+       int main()
+       {
+               int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+               char buf[17] = { 0 };
+               struct sadb_msg *msg = (void *)buf;
+
+               msg->sadb_msg_version = PF_KEY_V2;
+               msg->sadb_msg_type = SADB_DELETE;
+               msg->sadb_msg_len = 2;
+
+               write(sock, buf, 17);
+       }
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/key/af_key.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -516,6 +516,9 @@ static int parse_exthdrs(struct sk_buff
+               uint16_t ext_type;
+               int ext_len;
++              if (len < sizeof(*ehdr))
++                      return -EINVAL;
++
+               ext_len  = ehdr->sadb_ext_len;
+               ext_len *= sizeof(uint64_t);
+               ext_type = ehdr->sadb_ext_type;
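Review bot: The new guard at the top of the loop body compares `len` with `sizeof(*ehdr)`, a size_t, so if `len` is a signed int (its declaration and the loop condition are outside the hunk) a negative value would convert to a large unsigned and pass the check. That is harmless only if the enclosing loop runs solely while `len > 0`, which is worth confirming rather than assuming; otherwise `if (len < (int)sizeof(*ehdr))` keeps the comparison signed. A one-line comment would also tell the next reader why the early return exists: `/* Fewer bytes left than one extension header: refuse rather than read past the end of the message. */`. parse_exthdrs's body starts and ends outside the hunk.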
diff --git a/queue-4.14/af_key-fix-buffer-overread-in-verify_address_len.patch b/queue-4.14/af_key-fix-buffer-overread-in-verify_address_len.patch
new file mode 100644 (file)
index 0000000..39f49c3
--- /dev/null
@@ -0,0 +1,63 @@
+From 06b335cb51af018d5feeff5dd4fd53847ddb675a Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Fri, 29 Dec 2017 18:13:05 -0600
+Subject: af_key: fix buffer overread in verify_address_len()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 06b335cb51af018d5feeff5dd4fd53847ddb675a upstream.
+
+If a message sent to a PF_KEY socket ended with one of the extensions
+that takes a 'struct sadb_address' but there were not enough bytes
+remaining in the message for the ->sa_family member of the 'struct
+sockaddr' which is supposed to follow, then verify_address_len() read
+past the end of the message, into uninitialized memory.  Fix it by
+returning -EINVAL in this case.
+
+This bug was found using syzkaller with KMSAN.
+
+Reproducer:
+
+       #include <linux/pfkeyv2.h>
+       #include <sys/socket.h>
+       #include <unistd.h>
+
+       int main()
+       {
+               int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
+               char buf[24] = { 0 };
+               struct sadb_msg *msg = (void *)buf;
+               struct sadb_address *addr = (void *)(msg + 1);
+
+               msg->sadb_msg_version = PF_KEY_V2;
+               msg->sadb_msg_type = SADB_DELETE;
+               msg->sadb_msg_len = 3;
+               addr->sadb_address_len = 1;
+               addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
+
+               write(sock, buf, 24);
+       }
+
+Reported-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/key/af_key.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -401,6 +401,11 @@ static int verify_address_len(const void
+ #endif
+       int len;
++      if (sp->sadb_address_len <
++          DIV_ROUND_UP(sizeof(*sp) + offsetofend(typeof(*addr), sa_family),
++                       sizeof(uint64_t)))
++              return -EINVAL;
++
+       switch (addr->sa_family) {
+       case AF_INET:
+               len = DIV_ROUND_UP(sizeof(*sp) + sizeof(*sin), sizeof(uint64_t));
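Review bot: The added length check is what makes the `switch (addr->sa_family)` on the following line safe, but nothing in the hunk says so or explains why `sadb_address_len` is compared against a `DIV_ROUND_UP(..., sizeof(uint64_t))` of byte sizes. A comment above the `if` would carry that, e.g. `/* sadb_address_len counts 8-byte units; require that at least the sa_family field of the trailing sockaddr lies inside the extension before reading it. */`. The per-family checks that follow (only the AF_INET `len = ...` line is visible) presumably enforce the full sockaddr size, so this guard deliberately covers just the family field. verify_address_len's body continues outside the hunk.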
diff --git a/queue-4.14/alsa-hda-apply-headphone-noise-quirk-for-another-dell-xps-13-variant.patch b/queue-4.14/alsa-hda-apply-headphone-noise-quirk-for-another-dell-xps-13-variant.patch
new file mode 100644 (file)
index 0000000..2c580c7
--- /dev/null
@@ -0,0 +1,32 @@
+From e4c9fd10eb21376f44723c40ad12395089251c28 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 10 Jan 2018 08:34:28 +0100
+Subject: ALSA: hda - Apply headphone noise quirk for another Dell XPS 13 variant
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit e4c9fd10eb21376f44723c40ad12395089251c28 upstream.
+
+There is another Dell XPS 13 variant (SSID 1028:082a) that requires
+the existing fixup for reducing the headphone noise.
+This patch adds the quirk entry for that.
+
+BugLink: http://lkml.kernel.org/r/CAHXyb9ZCZJzVisuBARa+UORcjRERV8yokez=DP1_5O5isTz0ZA@mail.gmail.com
+Reported-and-tested-by: Francisco G. <frangio.1@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6173,6 +6173,7 @@ static const struct snd_pci_quirk alc269
+       SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
+       SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME),
+       SND_PCI_QUIRK(0x1028, 0x0798, "Dell Inspiron 17 7000 Gaming", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER),
++      SND_PCI_QUIRK(0x1028, 0x082a, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
+       SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
diff --git a/queue-4.14/alsa-hda-apply-the-existing-quirk-to-imac-14-1.patch b/queue-4.14/alsa-hda-apply-the-existing-quirk-to-imac-14-1.patch
new file mode 100644 (file)
index 0000000..cc3fb15
--- /dev/null
@@ -0,0 +1,32 @@
+From 031f335cda879450095873003abb03ae8ed3b74a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 10 Jan 2018 10:53:18 +0100
+Subject: ALSA: hda - Apply the existing quirk to iMac 14,1
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 031f335cda879450095873003abb03ae8ed3b74a upstream.
+
+iMac 14,1 requires the same quirk as iMac 12,2, using GPIO 2 and 3 for
+headphone and speaker output amps.  Add the codec SSID quirk entry
+(106b:0600) accordingly.
+
+BugLink: http://lkml.kernel.org/r/CAEw6Zyteav09VGHRfD5QwsfuWv5a43r0tFBNbfcHXoNrxVz7ew@mail.gmail.com
+Reported-by: Freaky <freaky2000@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_cirrus.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_cirrus.c
++++ b/sound/pci/hda/patch_cirrus.c
+@@ -408,6 +408,7 @@ static const struct snd_pci_quirk cs420x
+       /*SND_PCI_QUIRK(0x8086, 0x7270, "IMac 27 Inch", CS420X_IMAC27),*/
+       /* codec SSID */
++      SND_PCI_QUIRK(0x106b, 0x0600, "iMac 14,1", CS420X_IMAC27_122),
+       SND_PCI_QUIRK(0x106b, 0x1c00, "MacBookPro 8,1", CS420X_MBP81),
+       SND_PCI_QUIRK(0x106b, 0x2000, "iMac 12,2", CS420X_IMAC27_122),
+       SND_PCI_QUIRK(0x106b, 0x2800, "MacBookPro 10,1", CS420X_MBP101),
diff --git a/queue-4.14/alsa-pcm-remove-yet-superfluous-warn_on.patch b/queue-4.14/alsa-pcm-remove-yet-superfluous-warn_on.patch
new file mode 100644 (file)
index 0000000..2dcdafc
--- /dev/null
@@ -0,0 +1,38 @@
+From 23b19b7b50fe1867da8d431eea9cd3e4b6328c2c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 10 Jan 2018 23:48:05 +0100
+Subject: ALSA: pcm: Remove yet superfluous WARN_ON()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 23b19b7b50fe1867da8d431eea9cd3e4b6328c2c upstream.
+
+muldiv32() contains a snd_BUG_ON() (which is morphed as WARN_ON() with
+debug option) for checking the case of 0 / 0.  This would be helpful
+if this happens only as a logical error; however, since the hw refine
+is performed with any data set provided by user, the inconsistent
+values that can trigger such a condition might be passed easily.
+Actually, syzbot caught this by passing some zero'ed old hw_params
+ioctl.
+
+So, having snd_BUG_ON() there is simply superfluous and rather
+harmful to give unnecessary confusions.  Let's get rid of it.
+
+Reported-by: syzbot+7e6ee55011deeebce15d@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_lib.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -560,7 +560,6 @@ static inline unsigned int muldiv32(unsi
+ {
+       u_int64_t n = (u_int64_t) a * b;
+       if (c == 0) {
+-              snd_BUG_ON(!n);
+               *r = 0;
+               return UINT_MAX;
+       }
diff --git a/queue-4.14/alsa-seq-make-ioctls-race-free.patch b/queue-4.14/alsa-seq-make-ioctls-race-free.patch
new file mode 100644 (file)
index 0000000..50942b5
--- /dev/null
@@ -0,0 +1,61 @@
+From b3defb791b26ea0683a93a4f49c77ec45ec96f10 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 9 Jan 2018 23:11:03 +0100
+Subject: ALSA: seq: Make ioctls race-free
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit b3defb791b26ea0683a93a4f49c77ec45ec96f10 upstream.
+
+The ALSA sequencer ioctls have no protection against racy calls while
+the concurrent operations may lead to interfere with each other.  As
+reported recently, for example, the concurrent calls of setting client
+pool with a combination of write calls may lead to either the
+unkillable dead-lock or UAF.
+
+As a slightly big hammer solution, this patch introduces the mutex to
+make each ioctl exclusive.  Although this may reduce performance via
+parallel ioctl calls, usually it's not demanded for sequencer usages,
+hence it should be negligible.
+
+Reported-by: Luo Quan <a4651386@163.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_clientmgr.c |    3 +++
+ sound/core/seq/seq_clientmgr.h |    1 +
+ 2 files changed, 4 insertions(+)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -221,6 +221,7 @@ static struct snd_seq_client *seq_create
+       rwlock_init(&client->ports_lock);
+       mutex_init(&client->ports_mutex);
+       INIT_LIST_HEAD(&client->ports_list_head);
++      mutex_init(&client->ioctl_mutex);
+       /* find free slot in the client table */
+       spin_lock_irqsave(&clients_lock, flags);
+@@ -2126,7 +2127,9 @@ static long snd_seq_ioctl(struct file *f
+                       return -EFAULT;
+       }
++      mutex_lock(&client->ioctl_mutex);
+       err = handler->func(client, &buf);
++      mutex_unlock(&client->ioctl_mutex);
+       if (err >= 0) {
+               /* Some commands includes a bug in 'dir' field. */
+               if (handler->cmd == SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT ||
+--- a/sound/core/seq/seq_clientmgr.h
++++ b/sound/core/seq/seq_clientmgr.h
+@@ -61,6 +61,7 @@ struct snd_seq_client {
+       struct list_head ports_list_head;
+       rwlock_t ports_lock;
+       struct mutex ports_mutex;
++      struct mutex ioctl_mutex;
+       int convert32;          /* convert 32->64bit */
+       /* output pool */
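Review bot: The new `ioctl_mutex` field in seq_clientmgr.h has no comment while the neighbouring `convert32` field does, and the .c side only shows the lock taken around `handler->func(client, &buf)`, so a reader of the struct cannot tell what the mutex is meant to serialize. Suggest `struct mutex ioctl_mutex;	/* serializes ioctl handlers of this client */` on the header line. Because the mutex is held for the entire handler call, any handler that can block waiting on this client's pool or on another ioctl of the same client would now block with it held; that is not visible here but is the property to check when reviewing this change. The enclosing snd_seq_ioctl body starts and ends outside the hunk.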
diff --git a/queue-4.14/delayacct-account-blkio-completion-on-the-correct-task.patch b/queue-4.14/delayacct-account-blkio-completion-on-the-correct-task.patch
new file mode 100644 (file)
index 0000000..65a8c6f
--- /dev/null
@@ -0,0 +1,184 @@
+From c96f5471ce7d2aefd0dda560cc23f08ab00bc65d Mon Sep 17 00:00:00 2001
+From: Josh Snyder <joshs@netflix.com>
+Date: Mon, 18 Dec 2017 16:15:10 +0000
+Subject: delayacct: Account blkio completion on the correct task
+
+From: Josh Snyder <joshs@netflix.com>
+
+commit c96f5471ce7d2aefd0dda560cc23f08ab00bc65d upstream.
+
+Before commit:
+
+  e33a9bba85a8 ("sched/core: move IO scheduling accounting from io_schedule_timeout() into scheduler")
+
+delayacct_blkio_end() was called after context-switching into the task which
+completed I/O.
+
+This resulted in double counting: the task would account a delay both waiting
+for I/O and for time spent in the runqueue.
+
+With e33a9bba85a8, delayacct_blkio_end() is called by try_to_wake_up().
+In ttwu, we have not yet context-switched. This is more correct, in that
+the delay accounting ends when the I/O is complete.
+
+But delayacct_blkio_end() relies on 'get_current()', and we have not yet
+context-switched into the task whose I/O completed. This results in the
+wrong task having its delay accounting statistics updated.
+
+Instead of doing that, pass the task_struct being woken to delayacct_blkio_end(),
+so that it can update the statistics of the correct task.
+
+Signed-off-by: Josh Snyder <joshs@netflix.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Acked-by: Balbir Singh <bsingharora@gmail.com>
+Cc: Brendan Gregg <bgregg@netflix.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-block@vger.kernel.org
+Fixes: e33a9bba85a8 ("sched/core: move IO scheduling accounting from io_schedule_timeout() into scheduler")
+Link: http://lkml.kernel.org/r/1513613712-571-1-git-send-email-joshs@netflix.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/delayacct.h |    8 ++++----
+ kernel/delayacct.c        |   42 ++++++++++++++++++++++++++----------------
+ kernel/sched/core.c       |    6 +++---
+ 3 files changed, 33 insertions(+), 23 deletions(-)
+
+--- a/include/linux/delayacct.h
++++ b/include/linux/delayacct.h
+@@ -71,7 +71,7 @@ extern void delayacct_init(void);
+ extern void __delayacct_tsk_init(struct task_struct *);
+ extern void __delayacct_tsk_exit(struct task_struct *);
+ extern void __delayacct_blkio_start(void);
+-extern void __delayacct_blkio_end(void);
++extern void __delayacct_blkio_end(struct task_struct *);
+ extern int __delayacct_add_tsk(struct taskstats *, struct task_struct *);
+ extern __u64 __delayacct_blkio_ticks(struct task_struct *);
+ extern void __delayacct_freepages_start(void);
+@@ -122,10 +122,10 @@ static inline void delayacct_blkio_start
+               __delayacct_blkio_start();
+ }
+-static inline void delayacct_blkio_end(void)
++static inline void delayacct_blkio_end(struct task_struct *p)
+ {
+       if (current->delays)
+-              __delayacct_blkio_end();
++              __delayacct_blkio_end(p);
+       delayacct_clear_flag(DELAYACCT_PF_BLKIO);
+ }
+@@ -169,7 +169,7 @@ static inline void delayacct_tsk_free(st
+ {}
+ static inline void delayacct_blkio_start(void)
+ {}
+-static inline void delayacct_blkio_end(void)
++static inline void delayacct_blkio_end(struct task_struct *p)
+ {}
+ static inline int delayacct_add_tsk(struct taskstats *d,
+                                       struct task_struct *tsk)
+--- a/kernel/delayacct.c
++++ b/kernel/delayacct.c
+@@ -51,16 +51,16 @@ void __delayacct_tsk_init(struct task_st
+  * Finish delay accounting for a statistic using its timestamps (@start),
+  * accumalator (@total) and @count
+  */
+-static void delayacct_end(u64 *start, u64 *total, u32 *count)
++static void delayacct_end(spinlock_t *lock, u64 *start, u64 *total, u32 *count)
+ {
+       s64 ns = ktime_get_ns() - *start;
+       unsigned long flags;
+       if (ns > 0) {
+-              spin_lock_irqsave(&current->delays->lock, flags);
++              spin_lock_irqsave(lock, flags);
+               *total += ns;
+               (*count)++;
+-              spin_unlock_irqrestore(&current->delays->lock, flags);
++              spin_unlock_irqrestore(lock, flags);
+       }
+ }
+@@ -69,17 +69,25 @@ void __delayacct_blkio_start(void)
+       current->delays->blkio_start = ktime_get_ns();
+ }
+-void __delayacct_blkio_end(void)
++/*
++ * We cannot rely on the `current` macro, as we haven't yet switched back to
++ * the process being woken.
++ */
++void __delayacct_blkio_end(struct task_struct *p)
+ {
+-      if (current->delays->flags & DELAYACCT_PF_SWAPIN)
+-              /* Swapin block I/O */
+-              delayacct_end(&current->delays->blkio_start,
+-                      &current->delays->swapin_delay,
+-                      &current->delays->swapin_count);
+-      else    /* Other block I/O */
+-              delayacct_end(&current->delays->blkio_start,
+-                      &current->delays->blkio_delay,
+-                      &current->delays->blkio_count);
++      struct task_delay_info *delays = p->delays;
++      u64 *total;
++      u32 *count;
++
++      if (p->delays->flags & DELAYACCT_PF_SWAPIN) {
++              total = &delays->swapin_delay;
++              count = &delays->swapin_count;
++      } else {
++              total = &delays->blkio_delay;
++              count = &delays->blkio_count;
++      }
++
++      delayacct_end(&delays->lock, &delays->blkio_start, total, count);
+ }
+ int __delayacct_add_tsk(struct taskstats *d, struct task_struct *tsk)
+@@ -153,8 +161,10 @@ void __delayacct_freepages_start(void)
+ void __delayacct_freepages_end(void)
+ {
+-      delayacct_end(&current->delays->freepages_start,
+-                      &current->delays->freepages_delay,
+-                      &current->delays->freepages_count);
++      delayacct_end(
++              &current->delays->lock,
++              &current->delays->freepages_start,
++              &current->delays->freepages_delay,
++              &current->delays->freepages_count);
+ }
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -2046,7 +2046,7 @@ try_to_wake_up(struct task_struct *p, un
+       p->state = TASK_WAKING;
+       if (p->in_iowait) {
+-              delayacct_blkio_end();
++              delayacct_blkio_end(p);
+               atomic_dec(&task_rq(p)->nr_iowait);
+       }
+@@ -2059,7 +2059,7 @@ try_to_wake_up(struct task_struct *p, un
+ #else /* CONFIG_SMP */
+       if (p->in_iowait) {
+-              delayacct_blkio_end();
++              delayacct_blkio_end(p);
+               atomic_dec(&task_rq(p)->nr_iowait);
+       }
+@@ -2112,7 +2112,7 @@ static void try_to_wake_up_local(struct
+       if (!task_on_rq_queued(p)) {
+               if (p->in_iowait) {
+-                      delayacct_blkio_end();
++                      delayacct_blkio_end(p);
+                       atomic_dec(&rq->nr_iowait);
+               }
+               ttwu_activate(rq, p, ENQUEUE_WAKEUP | ENQUEUE_NOCLOCK);
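Review bot: The inline wrapper `delayacct_blkio_end(struct task_struct *p)` in include/linux/delayacct.h still gates on `current->delays` and then calls `__delayacct_blkio_end(p)`, which dereferences `p->delays` unconditionally (`p->delays->flags`, `&delays->lock`). Since `p` is the task being woken and `current` is the waker, the two can differ, so the check guards the wrong task; `if (p->delays)` is the condition that matches the new parameter. The trailing `delayacct_clear_flag(DELAYACCT_PF_BLKIO)` likewise appears to still act on current rather than `p`, which is worth confirming against its definition outside the hunk. Minor: the new body in kernel/delayacct.c stores `delays = p->delays` but then reads `p->delays->flags` instead of `delays->flags`.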
diff --git a/queue-4.14/futex-avoid-violating-the-10th-rule-of-futex.patch b/queue-4.14/futex-avoid-violating-the-10th-rule-of-futex.patch
new file mode 100644 (file)
index 0000000..a8d1018
--- /dev/null
@@ -0,0 +1,293 @@
+From c1e2f0eaf015fb7076d51a339011f2383e6dd389 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Fri, 8 Dec 2017 13:49:39 +0100
+Subject: futex: Avoid violating the 10th rule of futex
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit c1e2f0eaf015fb7076d51a339011f2383e6dd389 upstream.
+
+Julia reported futex state corruption in the following scenario:
+
+   waiter                                  waker                                            stealer (prio > waiter)
+
+   futex(WAIT_REQUEUE_PI, uaddr, uaddr2,
+         timeout=[N ms])
+      futex_wait_requeue_pi()
+         futex_wait_queue_me()
+            freezable_schedule()
+            <scheduled out>
+                                           futex(LOCK_PI, uaddr2)
+                                           futex(CMP_REQUEUE_PI, uaddr,
+                                                 uaddr2, 1, 0)
+                                              /* requeues waiter to uaddr2 */
+                                           futex(UNLOCK_PI, uaddr2)
+                                                 wake_futex_pi()
+                                                    cmp_futex_value_locked(uaddr2, waiter)
+                                                    wake_up_q()
+           <woken by waker>
+           <hrtimer_wakeup() fires,
+            clears sleeper->task>
+                                                                                           futex(LOCK_PI, uaddr2)
+                                                                                              __rt_mutex_start_proxy_lock()
+                                                                                                 try_to_take_rt_mutex() /* steals lock */
+                                                                                                    rt_mutex_set_owner(lock, stealer)
+                                                                                              <preempted>
+         <scheduled in>
+         rt_mutex_wait_proxy_lock()
+            __rt_mutex_slowlock()
+               try_to_take_rt_mutex() /* fails, lock held by stealer */
+               if (timeout && !timeout->task)
+                  return -ETIMEDOUT;
+            fixup_owner()
+               /* lock wasn't acquired, so,
+                  fixup_pi_state_owner skipped */
+
+   return -ETIMEDOUT;
+
+   /* At this point, we've returned -ETIMEDOUT to userspace, but the
+    * futex word shows waiter to be the owner, and the pi_mutex has
+    * stealer as the owner */
+
+   futex_lock(LOCK_PI, uaddr2)
+     -> bails with EDEADLK, futex word says we're owner.
+
+And suggested that what commit:
+
+  73d786bd043e ("futex: Rework inconsistent rt_mutex/futex_q state")
+
+removes from fixup_owner() looks to be just what is needed. And indeed
+it is -- I completely missed that requeue_pi could also result in this
+case. So we need to restore that, except that subsequent patches, like
+commit:
+
+  16ffa12d7425 ("futex: Pull rt_mutex_futex_unlock() out from under hb->lock")
+
+changed all the locking rules. Even without that, the sequence:
+
+-               if (rt_mutex_futex_trylock(&q->pi_state->pi_mutex)) {
+-                       locked = 1;
+-                       goto out;
+-               }
+
+-               raw_spin_lock_irq(&q->pi_state->pi_mutex.wait_lock);
+-               owner = rt_mutex_owner(&q->pi_state->pi_mutex);
+-               if (!owner)
+-                       owner = rt_mutex_next_owner(&q->pi_state->pi_mutex);
+-               raw_spin_unlock_irq(&q->pi_state->pi_mutex.wait_lock);
+-               ret = fixup_pi_state_owner(uaddr, q, owner);
+
+already suggests there were races; otherwise we'd never have to look
+at next_owner.
+
+So instead of doing 3 consecutive wait_lock sections with who knows
+what races, we do it all in a single section. Additionally, the usage
+of pi_state->owner in fixup_owner() was only safe because only the
+rt_mutex owner would modify it, which this additional case wrecks.
+
+Luckily the values can only change away and not to the value we're
+testing, this means we can do a speculative test and double check once
+we have the wait_lock.
+
+Fixes: 73d786bd043e ("futex: Rework inconsistent rt_mutex/futex_q state")
+Reported-by: Julia Cartwright <julia@ni.com>
+Reported-by: Gratian Crisan <gratian.crisan@ni.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Julia Cartwright <julia@ni.com>
+Tested-by: Gratian Crisan <gratian.crisan@ni.com>
+Cc: Darren Hart <dvhart@infradead.org>
+Link: https://lkml.kernel.org/r/20171208124939.7livp7no2ov65rrc@hirez.programming.kicks-ass.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/futex.c                  |   83 ++++++++++++++++++++++++++++++++--------
+ kernel/locking/rtmutex.c        |   26 +++++++++---
+ kernel/locking/rtmutex_common.h |    1 
+ 3 files changed, 87 insertions(+), 23 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2294,21 +2294,17 @@ static void unqueue_me_pi(struct futex_q
+       spin_unlock(q->lock_ptr);
+ }
+-/*
+- * Fixup the pi_state owner with the new owner.
+- *
+- * Must be called with hash bucket lock held and mm->sem held for non
+- * private futexes.
+- */
+ static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
+-                              struct task_struct *newowner)
++                              struct task_struct *argowner)
+ {
+-      u32 newtid = task_pid_vnr(newowner) | FUTEX_WAITERS;
+       struct futex_pi_state *pi_state = q->pi_state;
+       u32 uval, uninitialized_var(curval), newval;
+-      struct task_struct *oldowner;
++      struct task_struct *oldowner, *newowner;
++      u32 newtid;
+       int ret;
++      lockdep_assert_held(q->lock_ptr);
++
+       raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
+       oldowner = pi_state->owner;
+@@ -2317,11 +2313,17 @@ static int fixup_pi_state_owner(u32 __us
+               newtid |= FUTEX_OWNER_DIED;
+       /*
+-       * We are here either because we stole the rtmutex from the
+-       * previous highest priority waiter or we are the highest priority
+-       * waiter but have failed to get the rtmutex the first time.
++       * We are here because either:
++       *
++       *  - we stole the lock and pi_state->owner needs updating to reflect
++       *    that (@argowner == current),
++       *
++       * or:
+        *
+-       * We have to replace the newowner TID in the user space variable.
++       *  - someone stole our lock and we need to fix things to point to the
++       *    new owner (@argowner == NULL).
++       *
++       * Either way, we have to replace the TID in the user space variable.
+        * This must be atomic as we have to preserve the owner died bit here.
+        *
+        * Note: We write the user space value _before_ changing the pi_state
+@@ -2334,6 +2336,42 @@ static int fixup_pi_state_owner(u32 __us
+        * in the PID check in lookup_pi_state.
+        */
+ retry:
++      if (!argowner) {
++              if (oldowner != current) {
++                      /*
++                       * We raced against a concurrent self; things are
++                       * already fixed up. Nothing to do.
++                       */
++                      ret = 0;
++                      goto out_unlock;
++              }
++
++              if (__rt_mutex_futex_trylock(&pi_state->pi_mutex)) {
++                      /* We got the lock after all, nothing to fix. */
++                      ret = 0;
++                      goto out_unlock;
++              }
++
++              /*
++               * Since we just failed the trylock; there must be an owner.
++               */
++              newowner = rt_mutex_owner(&pi_state->pi_mutex);
++              BUG_ON(!newowner);
++      } else {
++              WARN_ON_ONCE(argowner != current);
++              if (oldowner == current) {
++                      /*
++                       * We raced against a concurrent self; things are
++                       * already fixed up. Nothing to do.
++                       */
++                      ret = 0;
++                      goto out_unlock;
++              }
++              newowner = argowner;
++      }
++
++      newtid = task_pid_vnr(newowner) | FUTEX_WAITERS;
++
+       if (get_futex_value_locked(&uval, uaddr))
+               goto handle_fault;
+@@ -2434,15 +2472,28 @@ static int fixup_owner(u32 __user *uaddr
+                * Got the lock. We might not be the anticipated owner if we
+                * did a lock-steal - fix up the PI-state in that case:
+                *
+-               * We can safely read pi_state->owner without holding wait_lock
+-               * because we now own the rt_mutex, only the owner will attempt
+-               * to change it.
++               * Speculative pi_state->owner read (we don't hold wait_lock);
++               * since we own the lock pi_state->owner == current is the
++               * stable state, anything else needs more attention.
+                */
+               if (q->pi_state->owner != current)
+                       ret = fixup_pi_state_owner(uaddr, q, current);
+               goto out;
+       }
++      /*
++       * If we didn't get the lock; check if anybody stole it from us. In
++       * that case, we need to fix up the uval to point to them instead of
++       * us, otherwise bad things happen. [10]
++       *
++       * Another speculative read; pi_state->owner == current is unstable
++       * but needs our attention.
++       */
++      if (q->pi_state->owner == current) {
++              ret = fixup_pi_state_owner(uaddr, q, NULL);
++              goto out;
++      }
++
+       /*
+        * Paranoia check. If we did not take the lock, then we should not be
+        * the owner of the rt_mutex.
+--- a/kernel/locking/rtmutex.c
++++ b/kernel/locking/rtmutex.c
+@@ -1290,6 +1290,19 @@ rt_mutex_slowlock(struct rt_mutex *lock,
+       return ret;
+ }
++static inline int __rt_mutex_slowtrylock(struct rt_mutex *lock)
++{
++      int ret = try_to_take_rt_mutex(lock, current, NULL);
++
++      /*
++       * try_to_take_rt_mutex() sets the lock waiters bit
++       * unconditionally. Clean this up.
++       */
++      fixup_rt_mutex_waiters(lock);
++
++      return ret;
++}
++
+ /*
+  * Slow path try-lock function:
+  */
+@@ -1312,13 +1325,7 @@ static inline int rt_mutex_slowtrylock(s
+        */
+       raw_spin_lock_irqsave(&lock->wait_lock, flags);
+-      ret = try_to_take_rt_mutex(lock, current, NULL);
+-
+-      /*
+-       * try_to_take_rt_mutex() sets the lock waiters bit
+-       * unconditionally. Clean this up.
+-       */
+-      fixup_rt_mutex_waiters(lock);
++      ret = __rt_mutex_slowtrylock(lock);
+       raw_spin_unlock_irqrestore(&lock->wait_lock, flags);
+@@ -1505,6 +1512,11 @@ int __sched rt_mutex_futex_trylock(struc
+       return rt_mutex_slowtrylock(lock);
+ }
++int __sched __rt_mutex_futex_trylock(struct rt_mutex *lock)
++{
++      return __rt_mutex_slowtrylock(lock);
++}
++
+ /**
+  * rt_mutex_timed_lock - lock a rt_mutex interruptible
+  *                    the timeout structure is provided
+--- a/kernel/locking/rtmutex_common.h
++++ b/kernel/locking/rtmutex_common.h
+@@ -148,6 +148,7 @@ extern bool rt_mutex_cleanup_proxy_lock(
+                                struct rt_mutex_waiter *waiter);
+ extern int rt_mutex_futex_trylock(struct rt_mutex *l);
++extern int __rt_mutex_futex_trylock(struct rt_mutex *l);
+ extern void rt_mutex_futex_unlock(struct rt_mutex *lock);
+ extern bool __rt_mutex_futex_unlock(struct rt_mutex *lock,
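Review bot: In fixup_pi_state_owner the `newtid |= FUTEX_OWNER_DIED;` context line (the owner-died test right after `oldowner = pi_state->owner`) now executes before `newtid` holds any value, because the initializer was dropped from the declaration (`u32 newtid;`) and the assignment `newtid = task_pid_vnr(newowner) | FUTEX_WAITERS;` was moved down past the `retry:` branches. The OR therefore reads an uninitialized variable, and the bit it sets is then overwritten, so the FUTEX_OWNER_DIED bit never reaches the user-space value. The owner-died test should move below the new assignment, e.g. `newtid = task_pid_vnr(newowner) | FUTEX_WAITERS; if (!pi_state->owner) newtid |= FUTEX_OWNER_DIED;` (the test's condition line is outside the hunk, so confirm its exact form). fixup_pi_state_owner's body continues outside the hunk.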
diff --git a/queue-4.14/futex-prevent-overflow-by-strengthen-input-validation.patch b/queue-4.14/futex-prevent-overflow-by-strengthen-input-validation.patch
new file mode 100644 (file)
index 0000000..f5ee09d
--- /dev/null
@@ -0,0 +1,40 @@
+From fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a Mon Sep 17 00:00:00 2001
+From: Li Jinyue <lijinyue@huawei.com>
+Date: Thu, 14 Dec 2017 17:04:54 +0800
+Subject: futex: Prevent overflow by strengthen input validation
+
+From: Li Jinyue <lijinyue@huawei.com>
+
+commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a upstream.
+
+UBSAN reports signed integer overflow in kernel/futex.c:
+
+ UBSAN: Undefined behaviour in kernel/futex.c:2041:18
+ signed integer overflow:
+ 0 - -2147483648 cannot be represented in type 'int'
+
+Add a sanity check to catch negative values of nr_wake and nr_requeue.
+
+Signed-off-by: Li Jinyue <lijinyue@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: peterz@infradead.org
+Cc: dvhart@infradead.org
+Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/futex.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -1878,6 +1878,9 @@ static int futex_requeue(u32 __user *uad
+       struct futex_q *this, *next;
+       DEFINE_WAKE_Q(wake_q);
++      if (nr_wake < 0 || nr_requeue < 0)
++              return -EINVAL;
++
+       /*
+        * When PI not supported: return -ENOSYS if requeue_pi is true,
+        * consequently the compiler knows requeue_pi is always false past
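Review bot: The new range check on `nr_wake`/`nr_requeue` at the top of futex_requeue carries no comment saying what it protects against, so a later reader cannot distinguish it from routine argument validation. The commit message records the motivating UBSAN report (`0 - -2147483648` at kernel/futex.c:2041, i.e. below this point in the function), so a one-line comment would preserve that reasoning: `/* Reject negative counts up front: they are invalid and would overflow the signed arithmetic further down. */`. Both counts presumably arrive from the futex syscall arguments, so validating here rather than in one caller keeps every requeue variant covered; that is inferred, since the callers are not in the hunk. futex_requeue's body begins before and continues past the hunk.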
diff --git a/queue-4.14/ib-hfi1-prevent-a-null-dereference.patch b/queue-4.14/ib-hfi1-prevent-a-null-dereference.patch
new file mode 100644 (file)
index 0000000..ba95cf2
--- /dev/null
@@ -0,0 +1,38 @@
+From 57194fa763bfa1a0908f30d4c77835beaa118fcb Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 9 Jan 2018 23:03:46 +0300
+Subject: IB/hfi1: Prevent a NULL dereference
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 57194fa763bfa1a0908f30d4c77835beaa118fcb upstream.
+
+In the original code, we set "fd->uctxt" to NULL and then dereference it
+which will cause an Oops.
+
+Fixes: f2a3bc00a03c ("IB/hfi1: Protect context array set/clear with spinlock")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/file_ops.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/file_ops.c
++++ b/drivers/infiniband/hw/hfi1/file_ops.c
+@@ -881,11 +881,11 @@ static int complete_subctxt(struct hfi1_
+       }
+       if (ret) {
+-              hfi1_rcd_put(fd->uctxt);
+-              fd->uctxt = NULL;
+               spin_lock_irqsave(&fd->dd->uctxt_lock, flags);
+               __clear_bit(fd->subctxt, fd->uctxt->in_use_ctxts);
+               spin_unlock_irqrestore(&fd->dd->uctxt_lock, flags);
++              hfi1_rcd_put(fd->uctxt);
++              fd->uctxt = NULL;
+       }
+       return ret;
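Review bot: The reordered error path in complete_subctxt now uses `fd->uctxt` under `uctxt_lock` before dropping the reference, which is the whole fix, but nothing in the code marks that order as load-bearing; the next tidy-up of the block could reintroduce the NULL dereference. A short comment above the `spin_lock_irqsave` would pin it: `/* Clear our subctxt bit before dropping the uctxt reference; this is the last use of fd->uctxt. */`. The function's opening and closing braces lie outside the hunk.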
diff --git a/queue-4.14/iser-target-fix-possible-use-after-free-in-connection-establishment-error.patch b/queue-4.14/iser-target-fix-possible-use-after-free-in-connection-establishment-error.patch
new file mode 100644 (file)
index 0000000..1e18341
--- /dev/null
@@ -0,0 +1,33 @@
+From cd52cb26e7ead5093635e98e07e221e4df482d34 Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Sun, 26 Nov 2017 15:31:04 +0200
+Subject: iser-target: Fix possible use-after-free in connection establishment error
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+commit cd52cb26e7ead5093635e98e07e221e4df482d34 upstream.
+
+In case we fail to establish the connection we must drain our pre-posted
+login recieve work request before continuing safely with connection
+teardown.
+
+Fixes: a060b5629ab0 ("IB/core: generic RDMA READ/WRITE API")
+Reported-by: Amrani, Ram <Ram.Amrani@cavium.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -741,6 +741,7 @@ isert_connect_error(struct rdma_cm_id *c
+ {
+       struct isert_conn *isert_conn = cma_id->qp->qp_context;
++      ib_drain_qp(isert_conn->qp);
+       list_del_init(&isert_conn->node);
+       isert_conn->cm_id = NULL;
+       isert_put_conn(isert_conn);
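Review bot: The added `ib_drain_qp(isert_conn->qp)` in isert_connect_error has to stay ahead of `isert_put_conn()`, since the commit message says the pre-posted login receive WR must be drained before teardown continues, but the code itself gives no hint that the position is deliberate. I'd add `/* Drain the pre-posted login recv WR before the conn can be torn down. */` above the call. The drain also dereferences `isert_conn->qp` unconditionally; the line above already goes through `cma_id->qp`, so that looks safe here, though whether `isert_conn->qp` is always populated on this path is not visible in the hunk. The function's closing brace is outside the hunk.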
diff --git a/queue-4.14/rdma-mlx5-fix-out-of-bound-access-while-querying-ah.patch b/queue-4.14/rdma-mlx5-fix-out-of-bound-access-while-querying-ah.patch
new file mode 100644 (file)
index 0000000..7330f8b
--- /dev/null
@@ -0,0 +1,107 @@
+From ae59c3f0b6cfd472fed96e50548a799b8971d876 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Fri, 12 Jan 2018 07:58:39 +0200
+Subject: RDMA/mlx5: Fix out-of-bound access while querying AH
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit ae59c3f0b6cfd472fed96e50548a799b8971d876 upstream.
+
+The rdma_ah_find_type() accesses the port array based on an index
+controlled by userspace. The existing bounds check is after the first use
+of the index, so userspace can generate an out of bounds access, as shown
+by the KASN report below.
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in to_rdma_ah_attr+0xa8/0x3b0
+Read of size 4 at addr ffff880019ae2268 by task ibv_rc_pingpong/409
+
+CPU: 0 PID: 409 Comm: ibv_rc_pingpong Not tainted 4.15.0-rc2-00031-gb60a3faf5b83-dirty #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
+Call Trace:
+ dump_stack+0xe9/0x18f
+ print_address_description+0xa2/0x350
+ kasan_report+0x3a5/0x400
+ to_rdma_ah_attr+0xa8/0x3b0
+ mlx5_ib_query_qp+0xd35/0x1330
+ ib_query_qp+0x8a/0xb0
+ ib_uverbs_query_qp+0x237/0x7f0
+ ib_uverbs_write+0x617/0xd80
+ __vfs_write+0xf7/0x500
+ vfs_write+0x149/0x310
+ SyS_write+0xca/0x190
+ entry_SYSCALL_64_fastpath+0x18/0x85
+RIP: 0033:0x7fe9c7a275a0
+RSP: 002b:00007ffee5498738 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007fe9c7ce4b00 RCX: 00007fe9c7a275a0
+RDX: 0000000000000018 RSI: 00007ffee5498800 RDI: 0000000000000003
+RBP: 000055d0c8d3f010 R08: 00007ffee5498800 R09: 0000000000000018
+R10: 00000000000000ba R11: 0000000000000246 R12: 0000000000008000
+R13: 0000000000004fb0 R14: 000055d0c8d3f050 R15: 00007ffee5498560
+
+Allocated by task 1:
+ __kmalloc+0x3f9/0x430
+ alloc_mad_private+0x25/0x50
+ ib_mad_post_receive_mads+0x204/0xa60
+ ib_mad_init_device+0xa59/0x1020
+ ib_register_device+0x83a/0xbc0
+ mlx5_ib_add+0x50e/0x5c0
+ mlx5_add_device+0x142/0x410
+ mlx5_register_interface+0x18f/0x210
+ mlx5_ib_init+0x56/0x63
+ do_one_initcall+0x15b/0x270
+ kernel_init_freeable+0x2d8/0x3d0
+ kernel_init+0x14/0x190
+ ret_from_fork+0x24/0x30
+
+Freed by task 0:
+(stack is not available)
+
+The buggy address belongs to the object at ffff880019ae2000
+ which belongs to the cache kmalloc-512 of size 512
+The buggy address is located 104 bytes to the right of
+ 512-byte region [ffff880019ae2000, ffff880019ae2200)
+The buggy address belongs to the page:
+page:000000005d674e18 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
+flags: 0x4000000000008100(slab|head)
+raw: 4000000000008100 0000000000000000 0000000000000000 00000001000c000c
+raw: dead000000000100 dead000000000200 ffff88001a402000 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff880019ae2100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff880019ae2180: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
+>ffff880019ae2200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+                                                          ^
+ ffff880019ae2280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff880019ae2300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+==================================================================
+Disabling lock debugging due to kernel taint
+
+Fixes: 44c58487d51a ("IB/core: Define 'ib' and 'roce' rdma_ah_attr types")
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/qp.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -4303,12 +4303,11 @@ static void to_rdma_ah_attr(struct mlx5_
+       memset(ah_attr, 0, sizeof(*ah_attr));
+-      ah_attr->type = rdma_ah_find_type(&ibdev->ib_dev, path->port);
+-      rdma_ah_set_port_num(ah_attr, path->port);
+-      if (rdma_ah_get_port_num(ah_attr) == 0 ||
+-          rdma_ah_get_port_num(ah_attr) > MLX5_CAP_GEN(dev, num_ports))
++      if (!path->port || path->port > MLX5_CAP_GEN(dev, num_ports))
+               return;
++      ah_attr->type = rdma_ah_find_type(&ibdev->ib_dev, path->port);
++
+       rdma_ah_set_port_num(ah_attr, path->port);
+       rdma_ah_set_sl(ah_attr, path->dci_cfi_prio_sl & 0xf);
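Review bot: After the reorder in to_rdma_ah_attr, an out-of-range `path->port` returns silently with `ah_attr` left as the zeroed `memset()` result; because the function is `void`, callers on the `mlx5_ib_query_qp()` path shown in the KASAN trace cannot tell a rejected port from a valid one. That behaviour is unchanged from the old code, but a comment on the guard should record both why it now precedes `rdma_ah_find_type()` and what the caller sees, e.g. `/* path->port is untrusted input: check it before rdma_ah_find_type() indexes the port array with it. If invalid, ah_attr stays zeroed. */`. The commit message's statement that the index is userspace-controlled is the reason the ordering matters and is worth keeping next to the code. The function starts before and continues after the hunk.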
index c7070f7fb5e3205aced8a1b91208fcd1b02a1160..c19fe51c69262ffc5c03f86f3758933c73d629f4 100644 (file)
@@ -13,3 +13,16 @@ powerpc-64s-add-support-for-rfi-flush-of-l1-d-cache.patch
 powerpc-64s-support-disabling-rfi-flush-with-no_rfi_flush-and-nopti.patch
 powerpc-pseries-query-hypervisor-for-rfi-flush-settings.patch
 powerpc-powernv-check-device-tree-for-rfi-flush-settings.patch
+futex-avoid-violating-the-10th-rule-of-futex.patch
+futex-prevent-overflow-by-strengthen-input-validation.patch
+alsa-seq-make-ioctls-race-free.patch
+alsa-pcm-remove-yet-superfluous-warn_on.patch
+alsa-hda-apply-headphone-noise-quirk-for-another-dell-xps-13-variant.patch
+alsa-hda-apply-the-existing-quirk-to-imac-14-1.patch
+ib-hfi1-prevent-a-null-dereference.patch
+rdma-mlx5-fix-out-of-bound-access-while-querying-ah.patch
+timers-unconditionally-check-deferrable-base.patch
+af_key-fix-buffer-overread-in-verify_address_len.patch
+af_key-fix-buffer-overread-in-parse_exthdrs.patch
+iser-target-fix-possible-use-after-free-in-connection-establishment-error.patch
+delayacct-account-blkio-completion-on-the-correct-task.patch
diff --git a/queue-4.14/timers-unconditionally-check-deferrable-base.patch b/queue-4.14/timers-unconditionally-check-deferrable-base.patch
new file mode 100644 (file)
index 0000000..a514c5c
--- /dev/null
@@ -0,0 +1,38 @@
+From ed4bbf7910b28ce3c691aef28d245585eaabda06 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Sun, 14 Jan 2018 23:19:49 +0100
+Subject: timers: Unconditionally check deferrable base
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit ed4bbf7910b28ce3c691aef28d245585eaabda06 upstream.
+
+When the timer base is checked for expired timers then the deferrable base
+must be checked as well. This was missed when making the deferrable base
+independent of base::nohz_active.
+
+Fixes: ced6d5c11d3e ("timers: Use deferrable base independent of base::nohz_active")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sebastian Siewior <bigeasy@linutronix.de>
+Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
+Cc: rt@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/timer.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -1656,7 +1656,7 @@ void run_local_timers(void)
+       hrtimer_run_queues();
+       /* Raise the softirq only if required. */
+       if (time_before(jiffies, base->clk)) {
+-              if (!IS_ENABLED(CONFIG_NO_HZ_COMMON) || !base->nohz_active)
++              if (!IS_ENABLED(CONFIG_NO_HZ_COMMON))
+                       return;
+               /* CPU is awake, so check the deferrable base. */
+               base++;
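Review bot: With `!base->nohz_active` dropped from the condition in run_local_timers, the only remaining gate is the compile-time `IS_ENABLED(CONFIG_NO_HZ_COMMON)`, yet the comment that follows (`/* CPU is awake, so check the deferrable base. */`) still reads as though a runtime wake-state test were involved. I'd reword it to match the new condition and the commit message: `/* The deferrable base must be checked regardless of base::nohz_active. */`. What is done with `base` after the increment lies outside the hunk.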