All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 4.9 00/64] 4.9.53-stable review
@ 2017-10-03 12:22 Greg Kroah-Hartman
  2017-10-03 12:22 ` [PATCH 4.9 01/64] cifs: release cifs root_cred after exit_cifs Greg Kroah-Hartman
                   ` (60 more replies)
  0 siblings, 61 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuahkh, patches,
	ben.hutchings, stable

This is the start of the stable review cycle for the 4.9.53 release.
There are 64 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu Oct  5 11:42:06 UTC 2017.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.53-rc1.gz
or in the git tree and branch at:
  git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.9.53-rc1

Stefano Stabellini <stefano.stabellini@eu.citrix.com>
    swiotlb-xen: implement xen_swiotlb_dma_mmap callback

Vladis Dronov <vdronov@redhat.com>
    video: fbdev: aty: do not leak uninitialized padding in clk to userspace

Paolo Bonzini <pbonzini@redhat.com>
    KVM: VMX: use cmpxchg64

Frederic Barrat <fbarrat@linux.vnet.ibm.com>
    cxl: Fix driver use count

Haozhong Zhang <haozhong.zhang@intel.com>
    KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt

Haozhong Zhang <haozhong.zhang@intel.com>
    KVM: VMX: do not change SN bit in vmx_update_pi_irte()

Myungho Jung <mhjungk@gmail.com>
    timer/sysclt: Restrict timer migration sysctl values to 0 and 1

Andreas Gruenbacher <agruenba@redhat.com>
    gfs2: Fix debugfs glocks dump

Eric Biggers <ebiggers@google.com>
    x86/fpu: Don't let userspace set bogus xcomp_bv

Laurent Dufour <ldufour@linux.vnet.ibm.com>
    x86/mm: Fix fault error path using unsafe vma pointer

satoru takeuchi <satoru.takeuchi@gmail.com>
    btrfs: prevent to set invalid default subvolid

Naohiro Aota <naohiro.aota@wdc.com>
    btrfs: propagate error to btrfs_cmp_data_prepare caller

Naohiro Aota <naohiro.aota@wdc.com>
    btrfs: fix NULL pointer dereference from free_reloc_roots()

Nicolai Stange <nstange@suse.de>
    PCI: Fix race condition with driver_override

Lucas Stach <l.stach@pengutronix.de>
    etnaviv: fix gem object list corruption

Ross Zwisler <ross.zwisler@linux.intel.com>
    xfs: validate bdev support for DAX inode flag

Jim Mattson <jmattson@google.com>
    kvm: nVMX: Don't allow L2 to access the hardware CR8

Jan H. Schönherr <jschoenh@amazon.de>
    KVM: VMX: Do not BUG() on out-of-bounds guest IRQ

Boqun Feng <boqun.feng@gmail.com>
    kvm/x86: Handle async PF in RCU read-side critical sections

Paolo Bonzini <pbonzini@redhat.com>
    KVM: VMX: simplify and fix vmx_vcpu_pi_load

Paolo Bonzini <pbonzini@redhat.com>
    KVM: VMX: avoid double list add with VT-d posted interrupts

Paolo Bonzini <pbonzini@redhat.com>
    KVM: VMX: extract __pi_post_block

Will Deacon <will.deacon@arm.com>
    arm64: fault: Route pte translation faults via do_translation_fault

Marc Zyngier <marc.zyngier@arm.com>
    arm64: Make sure SPsel is always set

Oleg Nesterov <oleg@redhat.com>
    seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()

Kees Cook <keescook@chromium.org>
    selftests/seccomp: Support glibc 2.26 siginfo_t.h

Steve Wise <swise@opengridcomputing.com>
    iw_cxgb4: put ep reference in pass_accept_req()

Steve Wise <swise@opengridcomputing.com>
    iw_cxgb4: remove the stid on listen create failure

Christoph Hellwig <hch@lst.de>
    bsg-lib: don't free job in bsg_prepare_job

Vladis Dronov <vdronov@redhat.com>
    nl80211: check for the required netlink attributes presence

Andreas Gruenbacher <agruenba@redhat.com>
    vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets

Steve French <smfrench@gmail.com>
    SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags

Steve French <smfrench@gmail.com>
    SMB: Validate negotiate (to protect against downgrade) even if signing off

Steve French <smfrench@gmail.com>
    SMB3: Warn user if trying to sign connection that authenticated as guest

Steve French <smfrench@gmail.com>
    Fix SMB3.1.1 guest authentication to Samba

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    PM: core: Fix device_pm_check_callbacks()

Gerald Schaefer <gerald.schaefer@de.ibm.com>
    s390/mm: fix write access check in gup_huge_pmd()

Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
    powerpc/ftrace: Pass the correct stack pointer for DYNAMIC_FTRACE_WITH_REGS

Gustavo Romero <gromero@linux.vnet.ibm.com>
    powerpc/tm: Flush TM only if CPU has TM feature

Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
    powerpc/pseries: Fix parent_dn reference leak in add_dt_node()

Eric Biggers <ebiggers@google.com>
    KEYS: prevent KEYCTL_READ on negative key

Eric Biggers <ebiggers@google.com>
    KEYS: prevent creating a different user's keyrings

Eric Biggers <ebiggers@google.com>
    KEYS: fix writing past end of user-supplied buffer in keyring_read()

Jason A. Donenfeld <Jason@zx2c4.com>
    security/keys: rewrite all of big_key crypto

Jason A. Donenfeld <Jason@zx2c4.com>
    security/keys: properly zero out sensitive key material in big_key

LEROY Christophe <christophe.leroy@c-s.fr>
    crypto: talitos - fix hashing

LEROY Christophe <christophe.leroy@c-s.fr>
    crypto: talitos - fix sha224

LEROY Christophe <christophe.leroy@c-s.fr>
    crypto: talitos - Don't provide setkey for non hmac hashing algs.

Stephan Mueller <smueller@chronox.de>
    crypto: drbg - fix freeing of resources

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: disable hard reset in hibernate for APUs

Xin Long <lucien.xin@gmail.com>
    scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly

Dennis Yang <dennisyang@qnap.com>
    md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list

Shaohua Li <shli@fb.com>
    md/raid5: fix a race condition in stripe batch

Bo Yan <byan@nvidia.com>
    tracing: Erase irqsoff trace with empty write

Tahsin Erdogan <tahsin@google.com>
    tracing: Fix trace_pipe behavior for instance traces

Paul Mackerras <paulus@ozlabs.org>
    KVM: PPC: Book3S HV: Protect updates to spapr_tce_tables list

Paul Mackerras <paulus@ozlabs.org>
    KVM: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce()

Thomas Gleixner <tglx@linutronix.de>
    genirq: Make sparse_irq_lock protect what it should protect

Avraham Stern <avraham.stern@intel.com>
    mac80211: flush hw_roc_start work before cancelling the ROC

Beni Lev <beni.lev@intel.com>
    mac80211_hwsim: Use proper TX power

Johannes Berg <johannes.berg@intel.com>
    mac80211: fix VLAN handling with TXQs

John Ogness <john.ogness@linutronix.de>
    fs/proc: Report eip/esp in /prod/PID/stat for coredumping

Shu Wang <shuwang@redhat.com>
    cifs: release auth_key.response for reconnect.

Shu Wang <shuwang@redhat.com>
    cifs: release cifs root_cred after exit_cifs


-------------

Diffstat:

 Makefile                                      |   4 +-
 arch/arm/xen/mm.c                             |   1 +
 arch/arm64/kernel/head.S                      |   1 +
 arch/arm64/mm/fault.c                         |   2 +-
 arch/powerpc/kernel/entry_64.S                |  20 ++-
 arch/powerpc/kernel/ptrace.c                  |   2 +-
 arch/powerpc/kvm/book3s_64_vio.c              |  57 +++---
 arch/powerpc/platforms/pseries/mobility.c     |   4 +-
 arch/s390/mm/gup.c                            |   7 +-
 arch/x86/kernel/fpu/regset.c                  |   9 +-
 arch/x86/kernel/fpu/signal.c                  |   4 +
 arch/x86/kernel/kvm.c                         |   3 +-
 arch/x86/kvm/vmx.c                            | 240 ++++++++++++++------------
 arch/x86/mm/fault.c                           |  47 ++---
 block/bsg-lib.c                               |   1 -
 crypto/drbg.c                                 |   8 +-
 drivers/base/power/main.c                     |   9 +-
 drivers/crypto/talitos.c                      |   9 +-
 drivers/gpu/drm/etnaviv/etnaviv_gem.c         |   3 +
 drivers/gpu/drm/radeon/radeon_device.c        |   2 +-
 drivers/infiniband/hw/cxgb4/cm.c              |   4 +-
 drivers/md/raid5.c                            |  13 +-
 drivers/misc/cxl/api.c                        |   4 +
 drivers/misc/cxl/file.c                       |   8 +-
 drivers/net/wireless/mac80211_hwsim.c         |   2 -
 drivers/pci/pci-sysfs.c                       |  11 +-
 drivers/scsi/scsi_transport_iscsi.c           |   2 +-
 drivers/video/fbdev/aty/atyfb_base.c          |   2 +-
 drivers/xen/swiotlb-xen.c                     |  19 ++
 fs/btrfs/ioctl.c                              |   6 +-
 fs/btrfs/relocation.c                         |   2 +-
 fs/cifs/cifsfs.c                              |   2 +-
 fs/cifs/connect.c                             |   8 +
 fs/cifs/file.c                                |   7 +
 fs/cifs/smb2pdu.c                             |  21 ++-
 fs/gfs2/glock.c                               |  16 +-
 fs/proc/array.c                               |   9 +
 fs/read_write.c                               |   4 +-
 fs/xfs/xfs_ioctl.c                            |   3 +-
 include/linux/key.h                           |   2 +
 include/net/mac80211.h                        |  15 +-
 include/xen/swiotlb-xen.h                     |   5 +
 kernel/irq/irqdesc.c                          |  24 +--
 kernel/seccomp.c                              |  23 ++-
 kernel/sysctl.c                               |   2 +
 kernel/time/timer.c                           |   2 +-
 kernel/trace/trace.c                          |  12 +-
 net/mac80211/iface.c                          |  17 +-
 net/mac80211/offchannel.c                     |   2 +
 net/mac80211/tx.c                             |  36 +++-
 net/wireless/nl80211.c                        |   3 +
 security/keys/Kconfig                         |   4 +-
 security/keys/big_key.c                       | 138 +++++++--------
 security/keys/internal.h                      |   2 +-
 security/keys/key.c                           |   2 +
 security/keys/keyctl.c                        |   5 +
 security/keys/keyring.c                       |  37 ++--
 security/keys/process_keys.c                  |   6 +-
 tools/testing/selftests/seccomp/seccomp_bpf.c |  18 +-
 59 files changed, 549 insertions(+), 382 deletions(-)

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 01/64] cifs: release cifs root_cred after exit_cifs
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
@ 2017-10-03 12:22 ` Greg Kroah-Hartman
  2017-10-03 12:22 ` [PATCH 4.9 02/64] cifs: release auth_key.response for reconnect Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shu Wang, Steve French, Ronnie Sahlberg

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shu Wang <shuwang@redhat.com>

commit 94183331e815617246b1baa97e0916f358c794bb upstream.

memory leak was found by kmemleak. exit_cifs_spnego
should be called before cifs module removed, or
cifs root_cred will not be released.

kmemleak report:
unreferenced object 0xffff880070a3ce40 (size 192):
  backtrace:
     kmemleak_alloc+0x4a/0xa0
     kmem_cache_alloc+0xc7/0x1d0
     prepare_kernel_cred+0x20/0x120
     init_cifs_spnego+0x2d/0x170 [cifs]
     0xffffffffc07801f3
     do_one_initcall+0x51/0x1b0
     do_init_module+0x60/0x1fd
     load_module+0x161e/0x1b60
     SYSC_finit_module+0xa9/0x100
     SyS_finit_module+0xe/0x10

Signed-off-by: Shu Wang <shuwang@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/cifsfs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -1360,7 +1360,7 @@ exit_cifs(void)
 	exit_cifs_idmap();
 #endif
 #ifdef CONFIG_CIFS_UPCALL
-	unregister_key_type(&cifs_spnego_key_type);
+	exit_cifs_spnego();
 #endif
 	cifs_destroy_request_bufs();
 	cifs_destroy_mids();

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 02/64] cifs: release auth_key.response for reconnect.
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
  2017-10-03 12:22 ` [PATCH 4.9 01/64] cifs: release cifs root_cred after exit_cifs Greg Kroah-Hartman
@ 2017-10-03 12:22 ` Greg Kroah-Hartman
  2017-10-03 12:22 ` [PATCH 4.9 03/64] fs/proc: Report eip/esp in /prod/PID/stat for coredumping Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shu Wang, Steve French, Ronnie Sahlberg

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shu Wang <shuwang@redhat.com>

commit f5c4ba816315d3b813af16f5571f86c8d4e897bd upstream.

There is a race that cause cifs reconnect in cifs_mount,
- cifs_mount
  - cifs_get_tcp_session
    - [ start thread cifs_demultiplex_thread
      - cifs_read_from_socket: -ECONNABORTED
        - DELAY_WORK smb2_reconnect_server ]
  - cifs_setup_session
  - [ smb2_reconnect_server ]

auth_key.response was allocated in cifs_setup_session, and
will release when the session destoried. So when session re-
connect, auth_key.response should be check and released.

Tested with my system:
CIFS VFS: Free previous auth_key.response = ffff8800320bbf80

A simple auth_key.response allocation call trace:
- cifs_setup_session
- SMB2_sess_setup
- SMB2_sess_auth_rawntlmssp_authenticate
- build_ntlmssp_auth_blob
- setup_ntlmv2_rsp

Signed-off-by: Shu Wang <shuwang@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/connect.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -4071,6 +4071,14 @@ cifs_setup_session(const unsigned int xi
 	cifs_dbg(FYI, "Security Mode: 0x%x Capabilities: 0x%x TimeAdjust: %d\n",
 		 server->sec_mode, server->capabilities, server->timeAdj);
 
+	if (ses->auth_key.response) {
+		cifs_dbg(VFS, "Free previous auth_key.response = %p\n",
+			 ses->auth_key.response);
+		kfree(ses->auth_key.response);
+		ses->auth_key.response = NULL;
+		ses->auth_key.len = 0;
+	}
+
 	if (server->ops->sess_setup)
 		rc = server->ops->sess_setup(xid, ses, nls_info);
 

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 03/64] fs/proc: Report eip/esp in /prod/PID/stat for coredumping
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
  2017-10-03 12:22 ` [PATCH 4.9 01/64] cifs: release cifs root_cred after exit_cifs Greg Kroah-Hartman
  2017-10-03 12:22 ` [PATCH 4.9 02/64] cifs: release auth_key.response for reconnect Greg Kroah-Hartman
@ 2017-10-03 12:22 ` Greg Kroah-Hartman
  2017-10-03 12:22 ` [PATCH 4.9 04/64] mac80211: fix VLAN handling with TXQs Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marco Felsch, John Ogness,
	Andy Lutomirski, Tycho Andersen, Kees Cook, Peter Zijlstra,
	Brian Gerst, Tetsuo Handa, Borislav Petkov, Al Viro, Linux API,
	Andrew Morton, Linus Torvalds, Thomas Gleixner

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: John Ogness <john.ogness@linutronix.de>

commit fd7d56270b526ca3ed0c224362e3c64a0f86687a upstream.

Commit 0a1eb2d474ed ("fs/proc: Stop reporting eip and esp in
/proc/PID/stat") stopped reporting eip/esp because it is
racy and dangerous for executing tasks. The comment adds:

    As far as I know, there are no use programs that make any
    material use of these fields, so just get rid of them.

However, existing userspace core-dump-handler applications (for
example, minicoredumper) are using these fields since they
provide an excellent cross-platform interface to these valuable
pointers. So that commit introduced a user space visible
regression.

Partially revert the change and make the readout possible for
tasks with the proper permissions and only if the target task
has the PF_DUMPCORE flag set.

Fixes: 0a1eb2d474ed ("fs/proc: Stop reporting eip and esp in> /proc/PID/stat")
Reported-by: Marco Felsch <marco.felsch@preh.de>
Signed-off-by: John Ogness <john.ogness@linutronix.de>
Reviewed-by: Andy Lutomirski <luto@kernel.org>
Cc: Tycho Andersen <tycho.andersen@canonical.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Linux API <linux-api@vger.kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/87poatfwg6.fsf@linutronix.de
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/proc/array.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -60,6 +60,7 @@
 #include <linux/tty.h>
 #include <linux/string.h>
 #include <linux/mman.h>
+#include <linux/sched.h>
 #include <linux/proc_fs.h>
 #include <linux/ioport.h>
 #include <linux/uaccess.h>
@@ -416,7 +417,15 @@ static int do_task_stat(struct seq_file
 		 * esp and eip are intentionally zeroed out.  There is no
 		 * non-racy way to read them without freezing the task.
 		 * Programs that need reliable values can use ptrace(2).
+		 *
+		 * The only exception is if the task is core dumping because
+		 * a program is not able to use ptrace(2) in that case. It is
+		 * safe because the task has stopped executing permanently.
 		 */
+		if (permitted && (task->flags & PF_DUMPCORE)) {
+			eip = KSTK_EIP(task);
+			esp = KSTK_ESP(task);
+		}
 	}
 
 	get_task_comm(tcomm, task);

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 04/64] mac80211: fix VLAN handling with TXQs
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2017-10-03 12:22 ` [PATCH 4.9 03/64] fs/proc: Report eip/esp in /prod/PID/stat for coredumping Greg Kroah-Hartman
@ 2017-10-03 12:22 ` Greg Kroah-Hartman
  2017-10-03 12:22 ` [PATCH 4.9 05/64] mac80211_hwsim: Use proper TX power Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johannes Berg

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit 53168215909281a09d3afc6fb51a9d4f81f74d39 upstream.

With TXQs, the AP_VLAN interfaces are resolved to their owner AP
interface when enqueuing the frame, which makes sense since the
frame really goes out on that as far as the driver is concerned.

However, this introduces a problem: frames to be encrypted with
a VLAN-specific GTK will now be encrypted with the AP GTK, since
the information about which virtual interface to use to select
the key is taken from the TXQ.

Fix this by preserving info->control.vif and using that in the
dequeue function. This now requires doing the driver-mapping
in the dequeue as well.

Since there's no way to filter the frames that are sitting on a
TXQ, drop all frames, which may affect other interfaces, when an
AP_VLAN is removed.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/net/mac80211.h |   15 ++-------------
 net/mac80211/iface.c   |   17 +++++++++++++++--
 net/mac80211/tx.c      |   36 +++++++++++++++++++++++++++++-------
 3 files changed, 46 insertions(+), 22 deletions(-)

--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -902,21 +902,10 @@ struct ieee80211_tx_info {
 				unsigned long jiffies;
 			};
 			/* NB: vif can be NULL for injected frames */
-			union {
-				/* NB: vif can be NULL for injected frames */
-				struct ieee80211_vif *vif;
-
-				/* When packets are enqueued on txq it's easy
-				 * to re-construct the vif pointer. There's no
-				 * more space in tx_info so it can be used to
-				 * store the necessary enqueue time for packet
-				 * sojourn time computation.
-				 */
-				codel_time_t enqueue_time;
-			};
+			struct ieee80211_vif *vif;
 			struct ieee80211_key_conf *hw_key;
 			u32 flags;
-			/* 4 bytes free */
+			codel_time_t enqueue_time;
 		} control;
 		struct {
 			u64 cookie;
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -791,6 +791,7 @@ static int ieee80211_open(struct net_dev
 static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
 			      bool going_down)
 {
+	struct ieee80211_sub_if_data *txq_sdata = sdata;
 	struct ieee80211_local *local = sdata->local;
 	struct fq *fq = &local->fq;
 	unsigned long flags;
@@ -931,6 +932,9 @@ static void ieee80211_do_stop(struct iee
 
 	switch (sdata->vif.type) {
 	case NL80211_IFTYPE_AP_VLAN:
+		txq_sdata = container_of(sdata->bss,
+					 struct ieee80211_sub_if_data, u.ap);
+
 		mutex_lock(&local->mtx);
 		list_del(&sdata->u.vlan.list);
 		mutex_unlock(&local->mtx);
@@ -1001,8 +1005,17 @@ static void ieee80211_do_stop(struct iee
 	}
 	spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
 
-	if (sdata->vif.txq) {
-		struct txq_info *txqi = to_txq_info(sdata->vif.txq);
+	if (txq_sdata->vif.txq) {
+		struct txq_info *txqi = to_txq_info(txq_sdata->vif.txq);
+
+		/*
+		 * FIXME FIXME
+		 *
+		 * We really shouldn't purge the *entire* txqi since that
+		 * contains frames for the other AP_VLANs (and possibly
+		 * the AP itself) as well, but there's no API in FQ now
+		 * to be able to filter.
+		 */
 
 		spin_lock_bh(&fq->lock);
 		ieee80211_txq_purge(local, txqi);
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1277,11 +1277,6 @@ static void ieee80211_set_skb_enqueue_ti
 	IEEE80211_SKB_CB(skb)->control.enqueue_time = codel_get_time();
 }
 
-static void ieee80211_set_skb_vif(struct sk_buff *skb, struct txq_info *txqi)
-{
-	IEEE80211_SKB_CB(skb)->control.vif = txqi->txq.vif;
-}
-
 static u32 codel_skb_len_func(const struct sk_buff *skb)
 {
 	return skb->len;
@@ -3388,6 +3383,7 @@ struct sk_buff *ieee80211_tx_dequeue(str
 	struct ieee80211_tx_info *info;
 	struct ieee80211_tx_data tx;
 	ieee80211_tx_result r;
+	struct ieee80211_vif *vif;
 
 	spin_lock_bh(&fq->lock);
 
@@ -3404,8 +3400,6 @@ begin:
 	if (!skb)
 		goto out;
 
-	ieee80211_set_skb_vif(skb, txqi);
-
 	hdr = (struct ieee80211_hdr *)skb->data;
 	info = IEEE80211_SKB_CB(skb);
 
@@ -3462,6 +3456,34 @@ begin:
 		}
 	}
 
+	switch (tx.sdata->vif.type) {
+	case NL80211_IFTYPE_MONITOR:
+		if (tx.sdata->u.mntr.flags & MONITOR_FLAG_ACTIVE) {
+			vif = &tx.sdata->vif;
+			break;
+		}
+		tx.sdata = rcu_dereference(local->monitor_sdata);
+		if (tx.sdata) {
+			vif = &tx.sdata->vif;
+			info->hw_queue =
+				vif->hw_queue[skb_get_queue_mapping(skb)];
+		} else if (ieee80211_hw_check(&local->hw, QUEUE_CONTROL)) {
+			ieee80211_free_txskb(&local->hw, skb);
+			goto begin;
+		} else {
+			vif = NULL;
+		}
+		break;
+	case NL80211_IFTYPE_AP_VLAN:
+		tx.sdata = container_of(tx.sdata->bss,
+					struct ieee80211_sub_if_data, u.ap);
+		/* fall through */
+	default:
+		vif = &tx.sdata->vif;
+		break;
+	}
+
+	IEEE80211_SKB_CB(skb)->control.vif = vif;
 out:
 	spin_unlock_bh(&fq->lock);
 

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 05/64] mac80211_hwsim: Use proper TX power
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2017-10-03 12:22 ` [PATCH 4.9 04/64] mac80211: fix VLAN handling with TXQs Greg Kroah-Hartman
@ 2017-10-03 12:22 ` Greg Kroah-Hartman
  2017-10-03 12:22 ` [PATCH 4.9 06/64] mac80211: flush hw_roc_start work before cancelling the ROC Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Beni Lev, Luca Coelho, Johannes Berg

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Beni Lev <beni.lev@intel.com>

commit 9de981f507474f326e42117858dc9a9321331ae5 upstream.

In struct ieee80211_tx_info, control.vif pointer and rate_driver_data[0]
falls on the same place, depending on the union usage.
During the whole TX process, the union is referred to as a control struct,
which holds the vif that is later used in the tx flow, especially in order
to derive the used tx power.
Referring direcly to rate_driver_data[0] and assigning a value to it,
overwrites the vif pointer, hence making all later references irrelevant.
Moreover, rate_driver_data[0] isn't used later in the flow in order to
retrieve the channel that it is pointing to.

Signed-off-by: Beni Lev <beni.lev@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/mac80211_hwsim.c |    2 --
 1 file changed, 2 deletions(-)

--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -1357,8 +1357,6 @@ static void mac80211_hwsim_tx(struct iee
 				       txi->control.rates,
 				       ARRAY_SIZE(txi->control.rates));
 
-	txi->rate_driver_data[0] = channel;
-
 	if (skb->len >= 24 + 8 &&
 	    ieee80211_is_probe_resp(hdr->frame_control)) {
 		/* fake header transmission time */

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 06/64] mac80211: flush hw_roc_start work before cancelling the ROC
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2017-10-03 12:22 ` [PATCH 4.9 05/64] mac80211_hwsim: Use proper TX power Greg Kroah-Hartman
@ 2017-10-03 12:22 ` Greg Kroah-Hartman
  2017-10-03 12:22 ` [PATCH 4.9 07/64] genirq: Make sparse_irq_lock protect what it should protect Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:22 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Avraham Stern, Luca Coelho, Johannes Berg

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Avraham Stern <avraham.stern@intel.com>

commit 6e46d8ce894374fc135c96a8d1057c6af1fef237 upstream.

When HW ROC is supported it is possible that after the HW notified
that the ROC has started, the ROC was cancelled and another ROC was
added while the hw_roc_start worker is waiting on the mutex (since
cancelling the ROC and adding another one also holds the same mutex).
As a result, the hw_roc_start worker will continue to run after the
new ROC is added but before it is actually started by the HW.
This may result in notifying userspace that the ROC has started before
it actually does, or in case of management tx ROC, in an attempt to
tx while not on the right channel.

In addition, when the driver will notify mac80211 that the second ROC
has started, mac80211 will warn that this ROC has already been
notified.

Fix this by flushing the hw_roc_start work before cancelling an ROC.

Cc: stable@vger.kernel.org
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/mac80211/offchannel.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -707,6 +707,8 @@ static int ieee80211_cancel_roc(struct i
 	if (!cookie)
 		return -ENOENT;
 
+	flush_work(&local->hw_roc_start);
+
 	mutex_lock(&local->mtx);
 	list_for_each_entry_safe(roc, tmp, &local->roc_list, list) {
 		if (!mgmt_tx && roc->cookie != cookie)

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 07/64] genirq: Make sparse_irq_lock protect what it should protect
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2017-10-03 12:22 ` [PATCH 4.9 06/64] mac80211: flush hw_roc_start work before cancelling the ROC Greg Kroah-Hartman
@ 2017-10-03 12:22 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 08/64] KVM: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce() Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:22 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Thomas Gleixner

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>

commit 12ac1d0f6c3e95732d144ffa65c8b20fbd9aa462 upstream.

for_each_active_irq() iterates the sparse irq allocation bitmap. The caller
must hold sparse_irq_lock. Several code pathes expect that an active bit in
the sparse bitmap also has a valid interrupt descriptor.

Unfortunately that's not true. The (de)allocation is a two step process,
which holds the sparse_irq_lock only across the queue/remove from the radix
tree and the set/clear in the allocation bitmap.

If a iteration locks sparse_irq_lock between the two steps, then it might
see an active bit but the corresponding irq descriptor is NULL. If that is
dereferenced unconditionally, then the kernel oopses. Of course, all
iterator sites could be audited and fixed, but....

There is no reason why the sparse_irq_lock needs to be dropped between the
two steps, in fact the code becomes simpler when the mutex is held across
both and the semantics become more straight forward, so future problems of
missing NULL pointer checks in the iteration are avoided and all existing
sites are fixed in one go.

Expand the lock held sections so both operations are covered and the bitmap
and the radixtree are in sync.

Fixes: a05a900a51c7 ("genirq: Make sparse_lock a mutex")
Reported-and-tested-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/irq/irqdesc.c |   24 +++++++-----------------
 1 file changed, 7 insertions(+), 17 deletions(-)

--- a/kernel/irq/irqdesc.c
+++ b/kernel/irq/irqdesc.c
@@ -405,10 +405,8 @@ static void free_desc(unsigned int irq)
 	 * The sysfs entry must be serialized against a concurrent
 	 * irq_sysfs_init() as well.
 	 */
-	mutex_lock(&sparse_irq_lock);
 	kobject_del(&desc->kobj);
 	delete_irq_desc(irq);
-	mutex_unlock(&sparse_irq_lock);
 
 	/*
 	 * We free the descriptor, masks and stat fields via RCU. That
@@ -446,20 +444,15 @@ static int alloc_descs(unsigned int star
 		desc = alloc_desc(start + i, node, flags, mask, owner);
 		if (!desc)
 			goto err;
-		mutex_lock(&sparse_irq_lock);
 		irq_insert_desc(start + i, desc);
 		irq_sysfs_add(start + i, desc);
-		mutex_unlock(&sparse_irq_lock);
 	}
+	bitmap_set(allocated_irqs, start, cnt);
 	return start;
 
 err:
 	for (i--; i >= 0; i--)
 		free_desc(start + i);
-
-	mutex_lock(&sparse_irq_lock);
-	bitmap_clear(allocated_irqs, start, cnt);
-	mutex_unlock(&sparse_irq_lock);
 	return -ENOMEM;
 }
 
@@ -558,6 +551,7 @@ static inline int alloc_descs(unsigned i
 
 		desc->owner = owner;
 	}
+	bitmap_set(allocated_irqs, start, cnt);
 	return start;
 }
 
@@ -653,10 +647,10 @@ void irq_free_descs(unsigned int from, u
 	if (from >= nr_irqs || (from + cnt) > nr_irqs)
 		return;
 
+	mutex_lock(&sparse_irq_lock);
 	for (i = 0; i < cnt; i++)
 		free_desc(from + i);
 
-	mutex_lock(&sparse_irq_lock);
 	bitmap_clear(allocated_irqs, from, cnt);
 	mutex_unlock(&sparse_irq_lock);
 }
@@ -703,19 +697,15 @@ __irq_alloc_descs(int irq, unsigned int
 					   from, cnt, 0);
 	ret = -EEXIST;
 	if (irq >=0 && start != irq)
-		goto err;
+		goto unlock;
 
 	if (start + cnt > nr_irqs) {
 		ret = irq_expand_nr_irqs(start + cnt);
 		if (ret)
-			goto err;
+			goto unlock;
 	}
-
-	bitmap_set(allocated_irqs, start, cnt);
-	mutex_unlock(&sparse_irq_lock);
-	return alloc_descs(start, cnt, node, affinity, owner);
-
-err:
+	ret = alloc_descs(start, cnt, node, affinity, owner);
+unlock:
 	mutex_unlock(&sparse_irq_lock);
 	return ret;
 }

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 08/64] KVM: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce()
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2017-10-03 12:22 ` [PATCH 4.9 07/64] genirq: Make sparse_irq_lock protect what it should protect Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 09/64] KVM: PPC: Book3S HV: Protect updates to spapr_tce_tables list Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Nixiaoming, David Hildenbrand, Paul Mackerras

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Mackerras <paulus@ozlabs.org>

commit 47c5310a8dbe7c2cb9f0083daa43ceed76c257fa upstream, with part
of commit edd03602d97236e8fea13cd76886c576186aa307 folded in.

Nixiaoming pointed out that there is a memory leak in
kvm_vm_ioctl_create_spapr_tce() if the call to anon_inode_getfd()
fails; the memory allocated for the kvmppc_spapr_tce_table struct
is not freed, and nor are the pages allocated for the iommu
tables.  In addition, we have already incremented the process's
count of locked memory pages, and this doesn't get restored on
error.

David Hildenbrand pointed out that there is a race in that the
function checks early on that there is not already an entry in the
stt->iommu_tables list with the same LIOBN, but an entry with the
same LIOBN could get added between then and when the new entry is
added to the list.

This fixes all three problems.  To simplify things, we now call
anon_inode_getfd() before placing the new entry in the list.  The
check for an existing entry is done while holding the kvm->lock
mutex, immediately before adding the new entry to the list.
Finally, on failure we now call kvmppc_account_memlimit to
decrement the process's count of locked memory pages.

[paulus@ozlabs.org - folded in that part of edd03602d972 ("KVM:
 PPC: Book3S HV: Protect updates to spapr_tce_tables list", 2017-08-28)
 which restructured the code that 47c5310a8dbe modified, to avoid
 a build failure caused by the absence of put_unused_fd().]

Fixes: 54738c097163 ("KVM: PPC: Accelerate H_PUT_TCE by implementing it in real mode")
Fixes: f8626985c7c2 ("KVM: PPC: Account TCE-containing pages in locked_vm")
Reported-by: Nixiaoming <nixiaoming@huawei.com>
Reported-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kvm/book3s_64_vio.c |   56 ++++++++++++++++++++++-----------------
 1 file changed, 32 insertions(+), 24 deletions(-)

--- a/arch/powerpc/kvm/book3s_64_vio.c
+++ b/arch/powerpc/kvm/book3s_64_vio.c
@@ -150,6 +150,7 @@ long kvm_vm_ioctl_create_spapr_tce(struc
 				   struct kvm_create_spapr_tce_64 *args)
 {
 	struct kvmppc_spapr_tce_table *stt = NULL;
+	struct kvmppc_spapr_tce_table *siter;
 	unsigned long npages, size;
 	int ret = -ENOMEM;
 	int i;
@@ -157,24 +158,16 @@ long kvm_vm_ioctl_create_spapr_tce(struc
 	if (!args->size)
 		return -EINVAL;
 
-	/* Check this LIOBN hasn't been previously allocated */
-	list_for_each_entry(stt, &kvm->arch.spapr_tce_tables, list) {
-		if (stt->liobn == args->liobn)
-			return -EBUSY;
-	}
-
 	size = args->size;
 	npages = kvmppc_tce_pages(size);
 	ret = kvmppc_account_memlimit(kvmppc_stt_pages(npages), true);
-	if (ret) {
-		stt = NULL;
-		goto fail;
-	}
+	if (ret)
+		return ret;
 
 	stt = kzalloc(sizeof(*stt) + npages * sizeof(struct page *),
 		      GFP_KERNEL);
 	if (!stt)
-		goto fail;
+		goto fail_acct;
 
 	stt->liobn = args->liobn;
 	stt->page_shift = args->page_shift;
@@ -188,24 +181,39 @@ long kvm_vm_ioctl_create_spapr_tce(struc
 			goto fail;
 	}
 
-	kvm_get_kvm(kvm);
-
 	mutex_lock(&kvm->lock);
-	list_add_rcu(&stt->list, &kvm->arch.spapr_tce_tables);
 
-	mutex_unlock(&kvm->lock);
+	/* Check this LIOBN hasn't been previously allocated */
+	ret = 0;
+	list_for_each_entry(siter, &kvm->arch.spapr_tce_tables, list) {
+		if (siter->liobn == args->liobn) {
+			ret = -EBUSY;
+			break;
+		}
+	}
+
+	if (!ret)
+		ret = anon_inode_getfd("kvm-spapr-tce", &kvm_spapr_tce_fops,
+				       stt, O_RDWR | O_CLOEXEC);
+
+	if (ret >= 0) {
+		list_add_rcu(&stt->list, &kvm->arch.spapr_tce_tables);
+		kvm_get_kvm(kvm);
+	}
 
-	return anon_inode_getfd("kvm-spapr-tce", &kvm_spapr_tce_fops,
-				stt, O_RDWR | O_CLOEXEC);
+	mutex_unlock(&kvm->lock);
 
-fail:
-	if (stt) {
-		for (i = 0; i < npages; i++)
-			if (stt->pages[i])
-				__free_page(stt->pages[i]);
+	if (ret >= 0)
+		return ret;
 
-		kfree(stt);
-	}
+ fail:
+	for (i = 0; i < npages; i++)
+		if (stt->pages[i])
+			__free_page(stt->pages[i]);
+
+	kfree(stt);
+ fail_acct:
+	kvmppc_account_memlimit(kvmppc_stt_pages(npages), false);
 	return ret;
 }
 

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 09/64] KVM: PPC: Book3S HV: Protect updates to spapr_tce_tables list
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 08/64] KVM: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce() Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 10/64] tracing: Fix trace_pipe behavior for instance traces Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Greg Kroah-Hartman, David Gibson, Paul Mackerras

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Mackerras <paulus@ozlabs.org>

commit edd03602d97236e8fea13cd76886c576186aa307 upstream.

Al Viro pointed out that while one thread of a process is executing
in kvm_vm_ioctl_create_spapr_tce(), another thread could guess the
file descriptor returned by anon_inode_getfd() and close() it before
the first thread has added it to the kvm->arch.spapr_tce_tables list.
That highlights a more general problem: there is no mutual exclusion
between writers to the spapr_tce_tables list, leading to the
possibility of the list becoming corrupted, which could cause a
host kernel crash.

To fix the mutual exclusion problem, we add a mutex_lock/unlock
pair around the list_del_rce in kvm_spapr_tce_release().

If another thread does guess the file descriptor returned by the
anon_inode_getfd() call in kvm_vm_ioctl_create_spapr_tce() and closes
it, its call to kvm_spapr_tce_release() will not do any harm because
it will have to wait until the first thread has released kvm->lock.

The other things that the second thread could do with the guessed
file descriptor are to mmap it or to pass it as a parameter to a
KVM_DEV_VFIO_GROUP_SET_SPAPR_TCE ioctl on a KVM device fd.  An mmap
call won't cause any harm because kvm_spapr_tce_mmap() and
kvm_spapr_tce_fault() don't access the spapr_tce_tables list or
the kvmppc_spapr_tce_table.list field, and the fields that they do use
have been properly initialized by the time of the anon_inode_getfd()
call.

The KVM_DEV_VFIO_GROUP_SET_SPAPR_TCE ioctl calls
kvm_spapr_tce_attach_iommu_group(), which scans the spapr_tce_tables
list looking for the kvmppc_spapr_tce_table struct corresponding to
the fd given as the parameter.  Either it will find the new entry
or it won't; if it doesn't, it just returns an error, and if it
does, it will function normally.  So, in each case there is no
harmful effect.

[paulus@ozlabs.org - moved parts of the upstream patch into the backport
 of 47c5310a8dbe, adjusted this commit message accordingly.]

Fixes: 366baf28ee3f ("KVM: PPC: Use RCU for arch.spapr_tce_tables")
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kvm/book3s_64_vio.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/powerpc/kvm/book3s_64_vio.c
+++ b/arch/powerpc/kvm/book3s_64_vio.c
@@ -129,8 +129,11 @@ static int kvm_spapr_tce_mmap(struct fil
 static int kvm_spapr_tce_release(struct inode *inode, struct file *filp)
 {
 	struct kvmppc_spapr_tce_table *stt = filp->private_data;
+	struct kvm *kvm = stt->kvm;
 
+	mutex_lock(&kvm->lock);
 	list_del_rcu(&stt->list);
+	mutex_unlock(&kvm->lock);
 
 	kvm_put_kvm(stt->kvm);
 

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 10/64] tracing: Fix trace_pipe behavior for instance traces
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 09/64] KVM: PPC: Book3S HV: Protect updates to spapr_tce_tables list Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 11/64] tracing: Erase irqsoff trace with empty write Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tahsin Erdogan, Steven Rostedt (VMware)

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tahsin Erdogan <tahsin@google.com>

commit 75df6e688ccd517e339a7c422ef7ad73045b18a2 upstream.

When reading data from trace_pipe, tracing_wait_pipe() performs a
check to see if tracing has been turned off after some data was read.
Currently, this check always looks at global trace state, but it
should be checking the trace instance where trace_pipe is located at.

Because of this bug, cat instances/i1/trace_pipe in the following
script will immediately exit instead of waiting for data:

cd /sys/kernel/debug/tracing
echo 0 > tracing_on
mkdir -p instances/i1
echo 1 > instances/i1/tracing_on
echo 1 > instances/i1/events/sched/sched_process_exec/enable
cat instances/i1/trace_pipe

Link: http://lkml.kernel.org/r/20170917102348.1615-1-tahsin@google.com

Fixes: 10246fa35d4f ("tracing: give easy way to clear trace buffer")
Signed-off-by: Tahsin Erdogan <tahsin@google.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/trace.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -5128,7 +5128,7 @@ static int tracing_wait_pipe(struct file
 		 *
 		 * iter->pos will be 0 if we haven't read anything.
 		 */
-		if (!tracing_is_on() && iter->pos)
+		if (!tracer_tracing_is_on(iter->tr) && iter->pos)
 			break;
 
 		mutex_unlock(&iter->mutex);

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 11/64] tracing: Erase irqsoff trace with empty write
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 10/64] tracing: Fix trace_pipe behavior for instance traces Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 12/64] md/raid5: fix a race condition in stripe batch Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, mingo, Bo Yan, Steven Rostedt (VMware)

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bo Yan <byan@nvidia.com>

commit 8dd33bcb7050dd6f8c1432732f930932c9d3a33e upstream.

One convenient way to erase trace is "echo > trace". However, this
is currently broken if the current tracer is irqsoff tracer. This
is because irqsoff tracer use max_buffer as the default trace
buffer.

Set the max_buffer as the one to be cleared when it's the trace
buffer currently in use.

Link: http://lkml.kernel.org/r/1505754215-29411-1-git-send-email-byan@nvidia.com

Cc: <mingo@redhat.com>
Fixes: 4acd4d00f ("tracing: give easy way to clear trace buffer")
Signed-off-by: Bo Yan <byan@nvidia.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/trace.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3569,11 +3569,17 @@ static int tracing_open(struct inode *in
 	/* If this file was open for write, then erase contents */
 	if ((file->f_mode & FMODE_WRITE) && (file->f_flags & O_TRUNC)) {
 		int cpu = tracing_get_cpu(inode);
+		struct trace_buffer *trace_buf = &tr->trace_buffer;
+
+#ifdef CONFIG_TRACER_MAX_TRACE
+		if (tr->current_trace->print_max)
+			trace_buf = &tr->max_buffer;
+#endif
 
 		if (cpu == RING_BUFFER_ALL_CPUS)
-			tracing_reset_online_cpus(&tr->trace_buffer);
+			tracing_reset_online_cpus(trace_buf);
 		else
-			tracing_reset(&tr->trace_buffer, cpu);
+			tracing_reset(trace_buf, cpu);
 	}
 
 	if (file->f_mode & FMODE_READ) {

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 12/64] md/raid5: fix a race condition in stripe batch
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 11/64] tracing: Erase irqsoff trace with empty write Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 13/64] md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Shaohua Li

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shaohua Li <shli@fb.com>

commit 3664847d95e60a9a943858b7800f8484669740fc upstream.

We have a race condition in below scenario, say have 3 continuous stripes, sh1,
sh2 and sh3, sh1 is the stripe_head of sh2 and sh3:

CPU1				CPU2				CPU3
handle_stripe(sh3)
				stripe_add_to_batch_list(sh3)
				-> lock(sh2, sh3)
				-> lock batch_lock(sh1)
				-> add sh3 to batch_list of sh1
				-> unlock batch_lock(sh1)
								clear_batch_ready(sh1)
								-> lock(sh1) and batch_lock(sh1)
								-> clear STRIPE_BATCH_READY for all stripes in batch_list
								-> unlock(sh1) and batch_lock(sh1)
->clear_batch_ready(sh3)
-->test_and_clear_bit(STRIPE_BATCH_READY, sh3)
--->return 0 as sh->batch == NULL
				-> sh3->batch_head = sh1
				-> unlock (sh2, sh3)

In CPU1, handle_stripe will continue handle sh3 even it's in batch stripe list
of sh1. By moving sh3->batch_head assignment in to batch_lock, we make it
impossible to clear STRIPE_BATCH_READY before batch_head is set.

Thanks Stephane for helping debug this tricky issue.

Reported-and-tested-by: Stephane Thiell <sthiell@stanford.edu>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/raid5.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -829,6 +829,14 @@ static void stripe_add_to_batch_list(str
 			spin_unlock(&head->batch_head->batch_lock);
 			goto unlock_out;
 		}
+		/*
+		 * We must assign batch_head of this stripe within the
+		 * batch_lock, otherwise clear_batch_ready of batch head
+		 * stripe could clear BATCH_READY bit of this stripe and
+		 * this stripe->batch_head doesn't get assigned, which
+		 * could confuse clear_batch_ready for this stripe
+		 */
+		sh->batch_head = head->batch_head;
 
 		/*
 		 * at this point, head's BATCH_READY could be cleared, but we
@@ -836,8 +844,6 @@ static void stripe_add_to_batch_list(str
 		 */
 		list_add(&sh->batch_list, &head->batch_list);
 		spin_unlock(&head->batch_head->batch_lock);
-
-		sh->batch_head = head->batch_head;
 	} else {
 		head->batch_head = head;
 		sh->batch_head = head->batch_head;

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 13/64] md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 12/64] md/raid5: fix a race condition in stripe batch Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 14/64] scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesnt parse nlmsg properly Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dennis Yang, Shaohua Li

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dennis Yang <dennisyang@qnap.com>

commit 184a09eb9a2fe425e49c9538f1604b05ed33cfef upstream.

In release_stripe_plug(), if a stripe_head has its STRIPE_ON_UNPLUG_LIST
set, it indicates that this stripe_head is already in the raid5_plug_cb
list and release_stripe() would be called instead to drop a reference
count. Otherwise, the STRIPE_ON_UNPLUG_LIST bit would be set for this
stripe_head and it will get queued into the raid5_plug_cb list.

Since break_stripe_batch_list() did not preserve STRIPE_ON_UNPLUG_LIST,
A stripe could be re-added to plug list while it is still on that list
in the following situation. If stripe_head A is added to another
stripe_head B's batch list, in this case A will have its
batch_head != NULL and be added into the plug list. After that,
stripe_head B gets handled and called break_stripe_batch_list() to
reset all the batched stripe_head(including A which is still on
the plug list)'s state and reset their batch_head to NULL.
Before the plug list gets processed, if there is another write request
comes in and get stripe_head A, A will have its batch_head == NULL
(cleared by calling break_stripe_batch_list() on B) and be added to
plug list once again.

Signed-off-by: Dennis Yang <dennisyang@qnap.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/raid5.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -4283,7 +4283,8 @@ static void break_stripe_batch_list(stru
 
 		set_mask_bits(&sh->state, ~(STRIPE_EXPAND_SYNC_FLAGS |
 					    (1 << STRIPE_PREREAD_ACTIVE) |
-					    (1 << STRIPE_DEGRADED)),
+					    (1 << STRIPE_DEGRADED) |
+					    (1 << STRIPE_ON_UNPLUG_LIST)),
 			      head_sh->state & (1 << STRIPE_INSYNC));
 
 		sh->check_state = head_sh->check_state;

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 14/64] scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesnt parse nlmsg properly
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 13/64] md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 15/64] drm/radeon: disable hard reset in hibernate for APUs Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, ChunYu Wang, Xin Long, Chris Leech,
	Martin K. Petersen

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

commit c88f0e6b06f4092995688211a631bb436125d77b upstream.

ChunYu found a kernel crash by syzkaller:

[  651.617875] kasan: CONFIG_KASAN_INLINE enabled
[  651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
[  651.618731] general protection fault: 0000 [#1] SMP KASAN
[  651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
[  651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[  651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
[  651.622762] RIP: 0010:skb_release_data+0x26c/0x590
[...]
[  651.627260] Call Trace:
[  651.629156]  skb_release_all+0x4f/0x60
[  651.629450]  consume_skb+0x1a5/0x600
[  651.630705]  netlink_unicast+0x505/0x720
[  651.632345]  netlink_sendmsg+0xab2/0xe70
[  651.633704]  sock_sendmsg+0xcf/0x110
[  651.633942]  ___sys_sendmsg+0x833/0x980
[  651.637117]  __sys_sendmsg+0xf3/0x240
[  651.638820]  SyS_sendmsg+0x32/0x50
[  651.639048]  entry_SYSCALL_64_fastpath+0x1f/0xc2

It's caused by skb_shared_info at the end of sk_buff was overwritten by
ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.

During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
new value to skb_shinfo(SKB)->nr_frags by ev->type.

This patch is to fix it by checking nlh->nlmsg_len properly there to
avoid over accessing sk_buff.

Reported-by: ChunYu Wang <chunwang@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Chris Leech <cleech@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/scsi_transport_iscsi.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -3696,7 +3696,7 @@ iscsi_if_rx(struct sk_buff *skb)
 		uint32_t group;
 
 		nlh = nlmsg_hdr(skb);
-		if (nlh->nlmsg_len < sizeof(*nlh) ||
+		if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
 		    skb->len < nlh->nlmsg_len) {
 			break;
 		}

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 15/64] drm/radeon: disable hard reset in hibernate for APUs
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 14/64] scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesnt parse nlmsg properly Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 16/64] crypto: drbg - fix freeing of resources Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Deucher

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 820608548737e315c6f93e3099b4e65bde062334 upstream.

Fixes a hibernation regression on APUs.

Bug: https://bugzilla.kernel.org/show_bug.cgi?id=191571
Fixes: 274ad65c9d02bdc (drm/radeon: hard reset r600 and newer GPU when hibernating.)
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/radeon_device.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/radeon/radeon_device.c
+++ b/drivers/gpu/drm/radeon/radeon_device.c
@@ -1674,7 +1674,7 @@ int radeon_suspend_kms(struct drm_device
 	radeon_agp_suspend(rdev);
 
 	pci_save_state(dev->pdev);
-	if (freeze && rdev->family >= CHIP_CEDAR) {
+	if (freeze && rdev->family >= CHIP_CEDAR && !(rdev->flags & RADEON_IS_IGP)) {
 		rdev->asic->asic_reset(rdev, true);
 		pci_restore_state(dev->pdev);
 	} else if (suspend) {

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 16/64] crypto: drbg - fix freeing of resources
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 15/64] drm/radeon: disable hard reset in hibernate for APUs Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 17/64] crypto: talitos - Dont provide setkey for non hmac hashing algs Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Herbert Xu, Stephan Mueller

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephan Mueller <smueller@chronox.de>

commit bd6227a150fdb56e7bb734976ef6e53a2c1cb334 upstream.

During the change to use aligned buffers, the deallocation code path was
not updated correctly. The current code tries to free the aligned buffer
pointer and not the original buffer pointer as it is supposed to.

Thus, the code is updated to free the original buffer pointer and set
the aligned buffer pointer that is used throughout the code to NULL.

Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers")
CC: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/drbg.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1133,10 +1133,10 @@ static inline void drbg_dealloc_state(st
 {
 	if (!drbg)
 		return;
-	kzfree(drbg->V);
-	drbg->Vbuf = NULL;
-	kzfree(drbg->C);
-	drbg->Cbuf = NULL;
+	kzfree(drbg->Vbuf);
+	drbg->V = NULL;
+	kzfree(drbg->Cbuf);
+	drbg->C = NULL;
 	kzfree(drbg->scratchpadbuf);
 	drbg->scratchpadbuf = NULL;
 	drbg->reseed_ctr = 0;

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 17/64] crypto: talitos - Dont provide setkey for non hmac hashing algs.
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 16/64] crypto: drbg - fix freeing of resources Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 18/64] crypto: talitos - fix sha224 Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Herbert Xu

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: LEROY Christophe <christophe.leroy@c-s.fr>

commit 56136631573baa537a15e0012055ffe8cfec1a33 upstream.

Today, md5sum fails with error -ENOKEY because a setkey
function is set for non hmac hashing algs, see strace output below:

mmap(NULL, 378880, PROT_READ, MAP_SHARED, 6, 0) = 0x77f50000
accept(3, 0, NULL)                      = 7
vmsplice(5, [{"bin/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 378880}], 1, SPLICE_F_MORE|SPLICE_F_GIFT) = 262144
splice(4, NULL, 7, NULL, 262144, SPLICE_F_MORE) = -1 ENOKEY (Required key not available)
write(2, "Generation of hash for file kcap"..., 50) = 50
munmap(0x77f50000, 378880)              = 0

This patch ensures that setkey() function is set only
for hmac hashing.

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/talitos.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -3057,7 +3057,8 @@ static struct talitos_crypto_alg *talito
 		t_alg->algt.alg.hash.final = ahash_final;
 		t_alg->algt.alg.hash.finup = ahash_finup;
 		t_alg->algt.alg.hash.digest = ahash_digest;
-		t_alg->algt.alg.hash.setkey = ahash_setkey;
+		if (!strncmp(alg->cra_name, "hmac", 4))
+			t_alg->algt.alg.hash.setkey = ahash_setkey;
 		t_alg->algt.alg.hash.import = ahash_import;
 		t_alg->algt.alg.hash.export = ahash_export;
 

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 18/64] crypto: talitos - fix sha224
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 17/64] crypto: talitos - Dont provide setkey for non hmac hashing algs Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 19/64] crypto: talitos - fix hashing Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Herbert Xu

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: LEROY Christophe <christophe.leroy@c-s.fr>

commit afd62fa26343be6445479e75de9f07092a061459 upstream.

Kernel crypto tests report the following error at startup

[    2.752626] alg: hash: Test 4 failed for sha224-talitos
[    2.757907] 00000000: 30 e2 86 e2 e7 8a dd 0d d7 eb 9f d5 83 fe f1 b0
00000010: 2d 5a 6c a5 f9 55 ea fd 0e 72 05 22

This patch fixes it

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/talitos.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -1756,9 +1756,9 @@ static int common_nonsnoop_hash(struct t
 		req_ctx->swinit = 0;
 	} else {
 		desc->ptr[1] = zero_entry;
-		/* Indicate next op is not the first. */
-		req_ctx->first = 0;
 	}
+	/* Indicate next op is not the first. */
+	req_ctx->first = 0;
 
 	/* HMAC key */
 	if (ctx->keylen)

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 19/64] crypto: talitos - fix hashing
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 18/64] crypto: talitos - fix sha224 Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 20/64] security/keys: properly zero out sensitive key material in big_key Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Herbert Xu

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: LEROY Christophe <christophe.leroy@c-s.fr>

commit 886a27c0fc8a34633aadb0986dba11d8c150ae2e upstream.

md5sum on some files gives wrong result

Exemple:

With the md5sum from libkcapi:
c15115c05bad51113f81bdaee735dd09  test

With the original md5sum:
bbdf41d80ba7e8b2b7be3a0772be76cb  test

This patch fixes this issue

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/talitos.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -1769,7 +1769,7 @@ static int common_nonsnoop_hash(struct t
 
 	sg_count = edesc->src_nents ?: 1;
 	if (is_sec1 && sg_count > 1)
-		sg_copy_to_buffer(areq->src, sg_count, edesc->buf, length);
+		sg_copy_to_buffer(req_ctx->psrc, sg_count, edesc->buf, length);
 	else
 		sg_count = dma_map_sg(dev, req_ctx->psrc, sg_count,
 				      DMA_TO_DEVICE);

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 20/64] security/keys: properly zero out sensitive key material in big_key
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 19/64] crypto: talitos - fix hashing Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 21/64] security/keys: rewrite all of big_key crypto Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jason A. Donenfeld, David Howells,
	Eric Biggers, Herbert Xu, Kirill Marinushkin, security

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason A. Donenfeld <Jason@zx2c4.com>

commit 910801809b2e40a4baedd080ef5d80b4a180e70e upstream.

Error paths forgot to zero out sensitive material, so this patch changes
some kfrees into a kzfrees.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Eric Biggers <ebiggers3@gmail.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Kirill Marinushkin <k.marinushkin@gmail.com>
Cc: security@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/keys/big_key.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/security/keys/big_key.c
+++ b/security/keys/big_key.c
@@ -194,7 +194,7 @@ int big_key_preparse(struct key_preparse
 		*path = file->f_path;
 		path_get(path);
 		fput(file);
-		kfree(data);
+		kzfree(data);
 	} else {
 		/* Just store the data in a buffer */
 		void *data = kmalloc(datalen, GFP_KERNEL);
@@ -210,9 +210,9 @@ int big_key_preparse(struct key_preparse
 err_fput:
 	fput(file);
 err_enckey:
-	kfree(enckey);
+	kzfree(enckey);
 error:
-	kfree(data);
+	kzfree(data);
 	return ret;
 }
 
@@ -226,7 +226,7 @@ void big_key_free_preparse(struct key_pr
 
 		path_put(path);
 	}
-	kfree(prep->payload.data[big_key_data]);
+	kzfree(prep->payload.data[big_key_data]);
 }
 
 /*
@@ -258,7 +258,7 @@ void big_key_destroy(struct key *key)
 		path->mnt = NULL;
 		path->dentry = NULL;
 	}
-	kfree(key->payload.data[big_key_data]);
+	kzfree(key->payload.data[big_key_data]);
 	key->payload.data[big_key_data] = NULL;
 }
 
@@ -326,7 +326,7 @@ long big_key_read(const struct key *key,
 err_fput:
 		fput(file);
 error:
-		kfree(data);
+		kzfree(data);
 	} else {
 		ret = datalen;
 		if (copy_to_user(buffer, key->payload.data[big_key_data],

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 21/64] security/keys: rewrite all of big_key crypto
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 20/64] security/keys: properly zero out sensitive key material in big_key Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 22/64] KEYS: fix writing past end of user-supplied buffer in keyring_read() Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Jason A. Donenfeld, Eric Biggers,
	David Howells, Herbert Xu, Kirill Marinushkin, security

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

commit 428490e38b2e352812e0b765d8bceafab0ec441d upstream.

This started out as just replacing the use of crypto/rng with
get_random_bytes_wait, so that we wouldn't use bad randomness at boot
time. But, upon looking further, it appears that there were even deeper
underlying cryptographic problems, and that this seems to have been
committed with very little crypto review. So, I rewrote the whole thing,
trying to keep to the conventions introduced by the previous author, to
fix these cryptographic flaws.

It makes no sense to seed crypto/rng at boot time and then keep
using it like this, when in fact there's already get_random_bytes_wait,
which can ensure there's enough entropy and be a much more standard way
of generating keys. Since this sensitive material is being stored
untrusted, using ECB and no authentication is simply not okay at all. I
find it surprising and a bit horrifying that this code even made it past
basic crypto review, which perhaps points to some larger issues. This
patch moves from using AES-ECB to using AES-GCM. Since keys are uniquely
generated each time, we can set the nonce to zero. There was also a race
condition in which the same key would be reused at the same time in
different threads. A mutex fixes this issue now.

So, to summarize, this commit fixes the following vulnerabilities:

  * Low entropy key generation, allowing an attacker to potentially
    guess or predict keys.
  * Unauthenticated encryption, allowing an attacker to modify the
    cipher text in particular ways in order to manipulate the plaintext,
    which is is even more frightening considering the next point.
  * Use of ECB mode, allowing an attacker to trivially swap blocks or
    compare identical plaintext blocks.
  * Key re-use.
  * Faulty memory zeroing.

[Note that in backporting this commit to 4.9, get_random_bytes_wait was
replaced with get_random_bytes, since 4.9 does not have the former
function. This might result in slightly worse entropy in key generation,
but common use cases of big_keys makes that likely not a huge deal. And,
this is the best we can do with this old kernel. Alas.]

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Eric Biggers <ebiggers3@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Kirill Marinushkin <k.marinushkin@gmail.com>
Cc: security@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
The current patch in queue-4.9 is broken. This is a better backport.

 security/keys/Kconfig   |    4 -
 security/keys/big_key.c |  124 ++++++++++++++++++++++--------------------------
 2 files changed, 58 insertions(+), 70 deletions(-)

--- a/security/keys/Kconfig
+++ b/security/keys/Kconfig
@@ -41,10 +41,8 @@ config BIG_KEYS
 	bool "Large payload keys"
 	depends on KEYS
 	depends on TMPFS
-	depends on (CRYPTO_ANSI_CPRNG = y || CRYPTO_DRBG = y)
 	select CRYPTO_AES
-	select CRYPTO_ECB
-	select CRYPTO_RNG
+	select CRYPTO_GCM
 	help
 	  This option provides support for holding large keys within the kernel
 	  (for example Kerberos ticket caches).  The data may be stored out to
--- a/security/keys/big_key.c
+++ b/security/keys/big_key.c
@@ -1,5 +1,6 @@
 /* Large capacity key type
  *
+ * Copyright (C) 2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
  * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
  * Written by David Howells (dhowells@redhat.com)
  *
@@ -16,10 +17,10 @@
 #include <linux/shmem_fs.h>
 #include <linux/err.h>
 #include <linux/scatterlist.h>
+#include <linux/random.h>
 #include <keys/user-type.h>
 #include <keys/big_key-type.h>
-#include <crypto/rng.h>
-#include <crypto/skcipher.h>
+#include <crypto/aead.h>
 
 /*
  * Layout of key payload words.
@@ -49,7 +50,12 @@ enum big_key_op {
 /*
  * Key size for big_key data encryption
  */
-#define ENC_KEY_SIZE	16
+#define ENC_KEY_SIZE 32
+
+/*
+ * Authentication tag length
+ */
+#define ENC_AUTHTAG_SIZE 16
 
 /*
  * big_key defined keys take an arbitrary string as the description and an
@@ -64,57 +70,62 @@ struct key_type key_type_big_key = {
 	.destroy		= big_key_destroy,
 	.describe		= big_key_describe,
 	.read			= big_key_read,
+	/* no ->update(); don't add it without changing big_key_crypt() nonce */
 };
 
 /*
- * Crypto names for big_key data encryption
+ * Crypto names for big_key data authenticated encryption
  */
-static const char big_key_rng_name[] = "stdrng";
-static const char big_key_alg_name[] = "ecb(aes)";
+static const char big_key_alg_name[] = "gcm(aes)";
 
 /*
- * Crypto algorithms for big_key data encryption
+ * Crypto algorithms for big_key data authenticated encryption
  */
-static struct crypto_rng *big_key_rng;
-static struct crypto_skcipher *big_key_skcipher;
+static struct crypto_aead *big_key_aead;
 
 /*
- * Generate random key to encrypt big_key data
+ * Since changing the key affects the entire object, we need a mutex.
  */
-static inline int big_key_gen_enckey(u8 *key)
-{
-	return crypto_rng_get_bytes(big_key_rng, key, ENC_KEY_SIZE);
-}
+static DEFINE_MUTEX(big_key_aead_lock);
 
 /*
  * Encrypt/decrypt big_key data
  */
 static int big_key_crypt(enum big_key_op op, u8 *data, size_t datalen, u8 *key)
 {
-	int ret = -EINVAL;
+	int ret;
 	struct scatterlist sgio;
-	SKCIPHER_REQUEST_ON_STACK(req, big_key_skcipher);
+	struct aead_request *aead_req;
+	/* We always use a zero nonce. The reason we can get away with this is
+	 * because we're using a different randomly generated key for every
+	 * different encryption. Notably, too, key_type_big_key doesn't define
+	 * an .update function, so there's no chance we'll wind up reusing the
+	 * key to encrypt updated data. Simply put: one key, one encryption.
+	 */
+	u8 zero_nonce[crypto_aead_ivsize(big_key_aead)];
+
+	aead_req = aead_request_alloc(big_key_aead, GFP_KERNEL);
+	if (!aead_req)
+		return -ENOMEM;
+
+	memset(zero_nonce, 0, sizeof(zero_nonce));
+	sg_init_one(&sgio, data, datalen + (op == BIG_KEY_ENC ? ENC_AUTHTAG_SIZE : 0));
+	aead_request_set_crypt(aead_req, &sgio, &sgio, datalen, zero_nonce);
+	aead_request_set_callback(aead_req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL);
+	aead_request_set_ad(aead_req, 0);
 
-	if (crypto_skcipher_setkey(big_key_skcipher, key, ENC_KEY_SIZE)) {
+	mutex_lock(&big_key_aead_lock);
+	if (crypto_aead_setkey(big_key_aead, key, ENC_KEY_SIZE)) {
 		ret = -EAGAIN;
 		goto error;
 	}
-
-	skcipher_request_set_tfm(req, big_key_skcipher);
-	skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP,
-				      NULL, NULL);
-
-	sg_init_one(&sgio, data, datalen);
-	skcipher_request_set_crypt(req, &sgio, &sgio, datalen, NULL);
-
 	if (op == BIG_KEY_ENC)
-		ret = crypto_skcipher_encrypt(req);
+		ret = crypto_aead_encrypt(aead_req);
 	else
-		ret = crypto_skcipher_decrypt(req);
-
-	skcipher_request_zero(req);
-
+		ret = crypto_aead_decrypt(aead_req);
 error:
+	mutex_unlock(&big_key_aead_lock);
+	aead_request_free(aead_req);
 	return ret;
 }
 
@@ -146,15 +157,13 @@ int big_key_preparse(struct key_preparse
 		 *
 		 * File content is stored encrypted with randomly generated key.
 		 */
-		size_t enclen = ALIGN(datalen, crypto_skcipher_blocksize(big_key_skcipher));
+		size_t enclen = datalen + ENC_AUTHTAG_SIZE;
 
-		/* prepare aligned data to encrypt */
 		data = kmalloc(enclen, GFP_KERNEL);
 		if (!data)
 			return -ENOMEM;
 
 		memcpy(data, prep->data, datalen);
-		memset(data + datalen, 0x00, enclen - datalen);
 
 		/* generate random key */
 		enckey = kmalloc(ENC_KEY_SIZE, GFP_KERNEL);
@@ -162,13 +171,10 @@ int big_key_preparse(struct key_preparse
 			ret = -ENOMEM;
 			goto error;
 		}
-
-		ret = big_key_gen_enckey(enckey);
-		if (ret)
-			goto err_enckey;
+		get_random_bytes(enckey, ENC_KEY_SIZE);
 
 		/* encrypt aligned data */
-		ret = big_key_crypt(BIG_KEY_ENC, data, enclen, enckey);
+		ret = big_key_crypt(BIG_KEY_ENC, data, datalen, enckey);
 		if (ret)
 			goto err_enckey;
 
@@ -294,7 +300,7 @@ long big_key_read(const struct key *key,
 		struct file *file;
 		u8 *data;
 		u8 *enckey = (u8 *)key->payload.data[big_key_data];
-		size_t enclen = ALIGN(datalen, crypto_skcipher_blocksize(big_key_skcipher));
+		size_t enclen = datalen + ENC_AUTHTAG_SIZE;
 
 		data = kmalloc(enclen, GFP_KERNEL);
 		if (!data)
@@ -342,47 +348,31 @@ error:
  */
 static int __init big_key_init(void)
 {
-	struct crypto_skcipher *cipher;
-	struct crypto_rng *rng;
 	int ret;
 
-	rng = crypto_alloc_rng(big_key_rng_name, 0, 0);
-	if (IS_ERR(rng)) {
-		pr_err("Can't alloc rng: %ld\n", PTR_ERR(rng));
-		return PTR_ERR(rng);
-	}
-
-	big_key_rng = rng;
-
-	/* seed RNG */
-	ret = crypto_rng_reset(rng, NULL, crypto_rng_seedsize(rng));
-	if (ret) {
-		pr_err("Can't reset rng: %d\n", ret);
-		goto error_rng;
-	}
-
 	/* init block cipher */
-	cipher = crypto_alloc_skcipher(big_key_alg_name, 0, CRYPTO_ALG_ASYNC);
-	if (IS_ERR(cipher)) {
-		ret = PTR_ERR(cipher);
+	big_key_aead = crypto_alloc_aead(big_key_alg_name, 0, CRYPTO_ALG_ASYNC);
+	if (IS_ERR(big_key_aead)) {
+		ret = PTR_ERR(big_key_aead);
 		pr_err("Can't alloc crypto: %d\n", ret);
-		goto error_rng;
+		return ret;
+	}
+	ret = crypto_aead_setauthsize(big_key_aead, ENC_AUTHTAG_SIZE);
+	if (ret < 0) {
+		pr_err("Can't set crypto auth tag len: %d\n", ret);
+		goto free_aead;
 	}
-
-	big_key_skcipher = cipher;
 
 	ret = register_key_type(&key_type_big_key);
 	if (ret < 0) {
 		pr_err("Can't register type: %d\n", ret);
-		goto error_cipher;
+		goto free_aead;
 	}
 
 	return 0;
 
-error_cipher:
-	crypto_free_skcipher(big_key_skcipher);
-error_rng:
-	crypto_free_rng(big_key_rng);
+free_aead:
+	crypto_free_aead(big_key_aead);
 	return ret;
 }
 

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 22/64] KEYS: fix writing past end of user-supplied buffer in keyring_read()
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 21/64] security/keys: rewrite all of big_key crypto Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 23/64] KEYS: prevent creating a different users keyrings Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Biggers, David Howells

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit e645016abc803dafc75e4b8f6e4118f088900ffb upstream.

Userspace can call keyctl_read() on a keyring to get the list of IDs of
keys in the keyring.  But if the user-supplied buffer is too small, the
kernel would write the full list anyway --- which will corrupt whatever
userspace memory happened to be past the end of the buffer.  Fix it by
only filling the space that is available.

Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/keys/keyring.c |   14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -416,7 +416,7 @@ static void keyring_describe(const struc
 }
 
 struct keyring_read_iterator_context {
-	size_t			qty;
+	size_t			buflen;
 	size_t			count;
 	key_serial_t __user	*buffer;
 };
@@ -428,9 +428,9 @@ static int keyring_read_iterator(const v
 	int ret;
 
 	kenter("{%s,%d},,{%zu/%zu}",
-	       key->type->name, key->serial, ctx->count, ctx->qty);
+	       key->type->name, key->serial, ctx->count, ctx->buflen);
 
-	if (ctx->count >= ctx->qty)
+	if (ctx->count >= ctx->buflen)
 		return 1;
 
 	ret = put_user(key->serial, ctx->buffer);
@@ -465,16 +465,12 @@ static long keyring_read(const struct ke
 		return 0;
 
 	/* Calculate how much data we could return */
-	ctx.qty = nr_keys * sizeof(key_serial_t);
-
 	if (!buffer || !buflen)
-		return ctx.qty;
-
-	if (buflen > ctx.qty)
-		ctx.qty = buflen;
+		return nr_keys * sizeof(key_serial_t);
 
 	/* Copy the IDs of the subscribed keys into the buffer */
 	ctx.buffer = (key_serial_t __user *)buffer;
+	ctx.buflen = buflen;
 	ctx.count = 0;
 	ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx);
 	if (ret < 0) {

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 23/64] KEYS: prevent creating a different users keyrings
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 22/64] KEYS: fix writing past end of user-supplied buffer in keyring_read() Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 24/64] KEYS: prevent KEYCTL_READ on negative key Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Biggers, David Howells

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 237bbd29f7a049d310d907f4b2716a7feef9abf3 upstream.

It was possible for an unprivileged user to create the user and user
session keyrings for another user.  For example:

    sudo -u '#3000' sh -c 'keyctl add keyring _uid.4000 "" @u
                           keyctl add keyring _uid_ses.4000 "" @u
                           sleep 15' &
    sleep 1
    sudo -u '#4000' keyctl describe @u
    sudo -u '#4000' keyctl describe @us

This is problematic because these "fake" keyrings won't have the right
permissions.  In particular, the user who created them first will own
them and will have full access to them via the possessor permissions,
which can be used to compromise the security of a user's keys:

    -4: alswrv-----v------------  3000     0 keyring: _uid.4000
    -5: alswrv-----v------------  3000     0 keyring: _uid_ses.4000

Fix it by marking user and user session keyrings with a flag
KEY_FLAG_UID_KEYRING.  Then, when searching for a user or user session
keyring by name, skip all keyrings that don't have the flag set.

Fixes: 69664cf16af4 ("keys: don't generate user and user session keyrings unless they're accessed")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/key.h          |    2 ++
 security/keys/internal.h     |    2 +-
 security/keys/key.c          |    2 ++
 security/keys/keyring.c      |   23 ++++++++++++++---------
 security/keys/process_keys.c |    6 ++++--
 5 files changed, 23 insertions(+), 12 deletions(-)

--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -176,6 +176,7 @@ struct key {
 #define KEY_FLAG_BUILTIN	8	/* set if key is built in to the kernel */
 #define KEY_FLAG_ROOT_CAN_INVAL	9	/* set if key can be invalidated by root without permission */
 #define KEY_FLAG_KEEP		10	/* set if key should not be removed */
+#define KEY_FLAG_UID_KEYRING	11	/* set if key is a user or user session keyring */
 
 	/* the key type and key description string
 	 * - the desc is used to match a key against search criteria
@@ -235,6 +236,7 @@ extern struct key *key_alloc(struct key_
 #define KEY_ALLOC_NOT_IN_QUOTA		0x0002	/* not in quota */
 #define KEY_ALLOC_BUILT_IN		0x0004	/* Key is built into kernel */
 #define KEY_ALLOC_BYPASS_RESTRICTION	0x0008	/* Override the check on restricted keyrings */
+#define KEY_ALLOC_UID_KEYRING		0x0010	/* allocating a user or user session keyring */
 
 extern void key_revoke(struct key *key);
 extern void key_invalidate(struct key *key);
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -137,7 +137,7 @@ extern key_ref_t keyring_search_aux(key_
 extern key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx);
 extern key_ref_t search_process_keyrings(struct keyring_search_context *ctx);
 
-extern struct key *find_keyring_by_name(const char *name, bool skip_perm_check);
+extern struct key *find_keyring_by_name(const char *name, bool uid_keyring);
 
 extern int install_user_keyrings(void);
 extern int install_thread_keyring_to_cred(struct cred *);
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -301,6 +301,8 @@ struct key *key_alloc(struct key_type *t
 		key->flags |= 1 << KEY_FLAG_IN_QUOTA;
 	if (flags & KEY_ALLOC_BUILT_IN)
 		key->flags |= 1 << KEY_FLAG_BUILTIN;
+	if (flags & KEY_ALLOC_UID_KEYRING)
+		key->flags |= 1 << KEY_FLAG_UID_KEYRING;
 
 #ifdef KEY_DEBUGGING
 	key->magic = KEY_DEBUG_MAGIC;
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -985,15 +985,15 @@ found:
 /*
  * Find a keyring with the specified name.
  *
- * All named keyrings in the current user namespace are searched, provided they
- * grant Search permission directly to the caller (unless this check is
- * skipped).  Keyrings whose usage points have reached zero or who have been
- * revoked are skipped.
+ * Only keyrings that have nonzero refcount, are not revoked, and are owned by a
+ * user in the current user namespace are considered.  If @uid_keyring is %true,
+ * the keyring additionally must have been allocated as a user or user session
+ * keyring; otherwise, it must grant Search permission directly to the caller.
  *
  * Returns a pointer to the keyring with the keyring's refcount having being
  * incremented on success.  -ENOKEY is returned if a key could not be found.
  */
-struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
+struct key *find_keyring_by_name(const char *name, bool uid_keyring)
 {
 	struct key *keyring;
 	int bucket;
@@ -1021,10 +1021,15 @@ struct key *find_keyring_by_name(const c
 			if (strcmp(keyring->description, name) != 0)
 				continue;
 
-			if (!skip_perm_check &&
-			    key_permission(make_key_ref(keyring, 0),
-					   KEY_NEED_SEARCH) < 0)
-				continue;
+			if (uid_keyring) {
+				if (!test_bit(KEY_FLAG_UID_KEYRING,
+					      &keyring->flags))
+					continue;
+			} else {
+				if (key_permission(make_key_ref(keyring, 0),
+						   KEY_NEED_SEARCH) < 0)
+					continue;
+			}
 
 			/* we've got a match but we might end up racing with
 			 * key_cleanup() if the keyring is currently 'dead'
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -76,7 +76,8 @@ int install_user_keyrings(void)
 		if (IS_ERR(uid_keyring)) {
 			uid_keyring = keyring_alloc(buf, user->uid, INVALID_GID,
 						    cred, user_keyring_perm,
-						    KEY_ALLOC_IN_QUOTA,
+						    KEY_ALLOC_UID_KEYRING |
+							KEY_ALLOC_IN_QUOTA,
 						    NULL, NULL);
 			if (IS_ERR(uid_keyring)) {
 				ret = PTR_ERR(uid_keyring);
@@ -93,7 +94,8 @@ int install_user_keyrings(void)
 			session_keyring =
 				keyring_alloc(buf, user->uid, INVALID_GID,
 					      cred, user_keyring_perm,
-					      KEY_ALLOC_IN_QUOTA,
+					      KEY_ALLOC_UID_KEYRING |
+						  KEY_ALLOC_IN_QUOTA,
 					      NULL, NULL);
 			if (IS_ERR(session_keyring)) {
 				ret = PTR_ERR(session_keyring);

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 24/64] KEYS: prevent KEYCTL_READ on negative key
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 23/64] KEYS: prevent creating a different users keyrings Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 25/64] powerpc/pseries: Fix parent_dn reference leak in add_dt_node() Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Biggers, David Howells

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 37863c43b2c6464f252862bf2e9768264e961678 upstream.

Because keyctl_read_key() looks up the key with no permissions
requested, it may find a negatively instantiated key.  If the key is
also possessed, we went ahead and called ->read() on the key.  But the
key payload will actually contain the ->reject_error rather than the
normal payload.  Thus, the kernel oopses trying to read the
user_key_payload from memory address (int)-ENOKEY = 0x00000000ffffff82.

Fortunately the payload data is stored inline, so it shouldn't be
possible to abuse this as an arbitrary memory read primitive...

Reproducer:
    keyctl new_session
    keyctl request2 user desc '' @s
    keyctl read $(keyctl show | awk '/user: desc/ {print $1}')

It causes a crash like the following:
     BUG: unable to handle kernel paging request at 00000000ffffff92
     IP: user_read+0x33/0xa0
     PGD 36a54067 P4D 36a54067 PUD 0
     Oops: 0000 [#1] SMP
     CPU: 0 PID: 211 Comm: keyctl Not tainted 4.14.0-rc1 #337
     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
     task: ffff90aa3b74c3c0 task.stack: ffff9878c0478000
     RIP: 0010:user_read+0x33/0xa0
     RSP: 0018:ffff9878c047bee8 EFLAGS: 00010246
     RAX: 0000000000000001 RBX: ffff90aa3d7da340 RCX: 0000000000000017
     RDX: 0000000000000000 RSI: 00000000ffffff82 RDI: ffff90aa3d7da340
     RBP: ffff9878c047bf00 R08: 00000024f95da94f R09: 0000000000000000
     R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
     R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
     FS:  00007f58ece69740(0000) GS:ffff90aa3e200000(0000) knlGS:0000000000000000
     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     CR2: 00000000ffffff92 CR3: 0000000036adc001 CR4: 00000000003606f0
     Call Trace:
      keyctl_read_key+0xac/0xe0
      SyS_keyctl+0x99/0x120
      entry_SYSCALL_64_fastpath+0x1f/0xbe
     RIP: 0033:0x7f58ec787bb9
     RSP: 002b:00007ffc8d401678 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
     RAX: ffffffffffffffda RBX: 00007ffc8d402800 RCX: 00007f58ec787bb9
     RDX: 0000000000000000 RSI: 00000000174a63ac RDI: 000000000000000b
     RBP: 0000000000000004 R08: 00007ffc8d402809 R09: 0000000000000020
     R10: 0000000000000000 R11: 0000000000000206 R12: 00007ffc8d402800
     R13: 00007ffc8d4016e0 R14: 0000000000000000 R15: 0000000000000000
     Code: e5 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb e8 a4 b4 ad ff 85 c0 74 09 80 3d b9 4c 96 00 00 74 43 48 8b b3 20 01 00 00 4d 85 ed <0f> b7 5e 10 74 29 4d 85 e4 74 24 4c 39 e3 4c 89 e2 4c 89 ef 48
     RIP: user_read+0x33/0xa0 RSP: ffff9878c047bee8
     CR2: 00000000ffffff92

Fixes: 61ea0c0ba904 ("KEYS: Skip key state checks when checking for possession")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/keys/keyctl.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -766,6 +766,11 @@ long keyctl_read_key(key_serial_t keyid,
 
 	key = key_ref_to_ptr(key_ref);
 
+	if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
+		ret = -ENOKEY;
+		goto error2;
+	}
+
 	/* see if we can read it directly */
 	ret = key_permission(key_ref, KEY_NEED_READ);
 	if (ret == 0)

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 25/64] powerpc/pseries: Fix parent_dn reference leak in add_dt_node()
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 24/64] KEYS: prevent KEYCTL_READ on negative key Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 26/64] powerpc/tm: Flush TM only if CPU has TM feature Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tyrel Datwyler, Michael Ellerman

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>

commit b537ca6fede69a281dc524983e5e633d79a10a08 upstream.

A reference to the parent device node is held by add_dt_node() for the
node to be added. If the call to dlpar_configure_connector() fails
add_dt_node() returns ENOENT and that reference is not freed.

Add a call to of_node_put(parent_dn) prior to bailing out after a
failed dlpar_configure_connector() call.

Fixes: 8d5ff320766f ("powerpc/pseries: Make dlpar_configure_connector parent node aware")
Signed-off-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/platforms/pseries/mobility.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/powerpc/platforms/pseries/mobility.c
+++ b/arch/powerpc/platforms/pseries/mobility.c
@@ -225,8 +225,10 @@ static int add_dt_node(__be32 parent_pha
 		return -ENOENT;
 
 	dn = dlpar_configure_connector(drc_index, parent_dn);
-	if (!dn)
+	if (!dn) {
+		of_node_put(parent_dn);
 		return -ENOENT;
+	}
 
 	rc = dlpar_attach_node(dn);
 	if (rc)

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 26/64] powerpc/tm: Flush TM only if CPU has TM feature
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 25/64] powerpc/pseries: Fix parent_dn reference leak in add_dt_node() Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 27/64] powerpc/ftrace: Pass the correct stack pointer for DYNAMIC_FTRACE_WITH_REGS Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gustavo Romero, Cyril Bur, Michael Ellerman

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gustavo Romero <gromero@linux.vnet.ibm.com>

commit c1fa0768a8713b135848f78fd43ffc208d8ded70 upstream.

Commit cd63f3c ("powerpc/tm: Fix saving of TM SPRs in core dump")
added code to access TM SPRs in flush_tmregs_to_thread(). However
flush_tmregs_to_thread() does not check if TM feature is available on
CPU before trying to access TM SPRs in order to copy live state to
thread structures. flush_tmregs_to_thread() is indeed guarded by
CONFIG_PPC_TRANSACTIONAL_MEM but it might be the case that kernel
was compiled with CONFIG_PPC_TRANSACTIONAL_MEM enabled and ran on
a CPU without TM feature available, thus rendering the execution
of TM instructions that are treated by the CPU as illegal instructions.

The fix is just to add proper checking in flush_tmregs_to_thread()
if CPU has the TM feature before accessing any TM-specific resource,
returning immediately if TM is no available on the CPU. Adding
that checking in flush_tmregs_to_thread() instead of in places
where it is called, like in vsr_get() and vsr_set(), is better because
avoids the same problem cropping up elsewhere.

Fixes: cd63f3c ("powerpc/tm: Fix saving of TM SPRs in core dump")
Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
Reviewed-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
index 07cd22e35405..f52ad5bb7109 100644
--- a/arch/powerpc/kernel/ptrace.c
+++ b/arch/powerpc/kernel/ptrace.c
@@ -131,7 +131,7 @@ static void flush_tmregs_to_thread(struct task_struct *tsk)
 	 * in the appropriate thread structures from live.
 	 */
 
-	if (tsk != current)
+	if ((!cpu_has_feature(CPU_FTR_TM)) || (tsk != current))
 		return;
 
 	if (MSR_TM_SUSPENDED(mfmsr())) {

^ permalink raw reply related	[flat|nested] 65+ messages in thread

* [PATCH 4.9 27/64] powerpc/ftrace: Pass the correct stack pointer for DYNAMIC_FTRACE_WITH_REGS
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 26/64] powerpc/tm: Flush TM only if CPU has TM feature Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 28/64] s390/mm: fix write access check in gup_huge_pmd() Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Naveen N. Rao, Michael Ellerman

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>

commit a4979a7e71eb8da976cbe4a0a1fa50636e76b04f upstream.

For DYNAMIC_FTRACE_WITH_REGS, we should be passing-in the original set
of registers in pt_regs, to capture the state _before_ ftrace_caller.
However, we are instead passing the stack pointer *after* allocating a
stack frame in ftrace_caller. Fix this by saving the proper value of r1
in pt_regs. Also, use SAVE_10GPRS() to simplify the code.

Fixes: 153086644fd1 ("powerpc/ftrace: Add support for -mprofile-kernel ftrace ABI")
Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 arch/powerpc/kernel/entry_64.S |   20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

--- a/arch/powerpc/kernel/entry_64.S
+++ b/arch/powerpc/kernel/entry_64.S
@@ -1235,10 +1235,14 @@ _GLOBAL(ftrace_caller)
 	stdu	r1,-SWITCH_FRAME_SIZE(r1)
 
 	/* Save all gprs to pt_regs */
-	SAVE_8GPRS(0,r1)
-	SAVE_8GPRS(8,r1)
-	SAVE_8GPRS(16,r1)
-	SAVE_8GPRS(24,r1)
+	SAVE_GPR(0, r1)
+	SAVE_10GPRS(2, r1)
+	SAVE_10GPRS(12, r1)
+	SAVE_10GPRS(22, r1)
+
+	/* Save previous stack pointer (r1) */
+	addi	r8, r1, SWITCH_FRAME_SIZE
+	std	r8, GPR1(r1)
 
 	/* Load special regs for save below */
 	mfmsr   r8
@@ -1292,10 +1296,10 @@ ftrace_call:
 #endif
 
 	/* Restore gprs */
-	REST_8GPRS(0,r1)
-	REST_8GPRS(8,r1)
-	REST_8GPRS(16,r1)
-	REST_8GPRS(24,r1)
+	REST_GPR(0,r1)
+	REST_10GPRS(2,r1)
+	REST_10GPRS(12,r1)
+	REST_10GPRS(22,r1)
 
 	/* Restore callee's TOC */
 	ld	r2, 24(r1)

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 28/64] s390/mm: fix write access check in gup_huge_pmd()
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 27/64] powerpc/ftrace: Pass the correct stack pointer for DYNAMIC_FTRACE_WITH_REGS Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 29/64] PM: core: Fix device_pm_check_callbacks() Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gerald Schaefer, Martin Schwidefsky

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gerald Schaefer <gerald.schaefer@de.ibm.com>

commit ba385c0594e723d41790ecfb12c610e6f90c7785 upstream.

The check for the _SEGMENT_ENTRY_PROTECT bit in gup_huge_pmd() is the
wrong way around. It must not be set for write==1, and not be checked for
write==0. Fix this similar to how it was fixed for ptes long time ago in
commit 25591b070336 ("[S390] fix get_user_pages_fast").

One impact of this bug would be unnecessarily using the gup slow path for
write==0 on r/w mappings. A potentially more severe impact would be that
gup_huge_pmd() will succeed for write==1 on r/o mappings.

Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/mm/gup.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/arch/s390/mm/gup.c
+++ b/arch/s390/mm/gup.c
@@ -56,13 +56,12 @@ static inline int gup_pte_range(pmd_t *p
 static inline int gup_huge_pmd(pmd_t *pmdp, pmd_t pmd, unsigned long addr,
 		unsigned long end, int write, struct page **pages, int *nr)
 {
-	unsigned long mask, result;
 	struct page *head, *page;
+	unsigned long mask;
 	int refs;
 
-	result = write ? 0 : _SEGMENT_ENTRY_PROTECT;
-	mask = result | _SEGMENT_ENTRY_INVALID;
-	if ((pmd_val(pmd) & mask) != result)
+	mask = (write ? _SEGMENT_ENTRY_PROTECT : 0) | _SEGMENT_ENTRY_INVALID;
+	if ((pmd_val(pmd) & mask) != 0)
 		return 0;
 	VM_BUG_ON(!pfn_valid(pmd_val(pmd) >> PAGE_SHIFT));
 

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 29/64] PM: core: Fix device_pm_check_callbacks()
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 28/64] s390/mm: fix write access check in gup_huge_pmd() Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 30/64] Fix SMB3.1.1 guest authentication to Samba Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Rafael J. Wysocki

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

commit 157c460e10cb6eca29ccbd0f023db159d0c55ec7 upstream.

The device_pm_check_callbacks() function doesn't check legacy
->suspend and ->resume callback pointers under the device's
bus type, class and driver, so in some cases it may set the
no_pm_callbacks flag for the device incorrectly and then the
callbacks may be skipped during system suspend/resume, which
shouldn't happen.

Fixes: aa8e54b55947 (PM / sleep: Go direct_complete if driver has no callbacks)
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/base/power/main.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/base/power/main.c
+++ b/drivers/base/power/main.c
@@ -1757,10 +1757,13 @@ void device_pm_check_callbacks(struct de
 {
 	spin_lock_irq(&dev->power.lock);
 	dev->power.no_pm_callbacks =
-		(!dev->bus || pm_ops_is_empty(dev->bus->pm)) &&
-		(!dev->class || pm_ops_is_empty(dev->class->pm)) &&
+		(!dev->bus || (pm_ops_is_empty(dev->bus->pm) &&
+		 !dev->bus->suspend && !dev->bus->resume)) &&
+		(!dev->class || (pm_ops_is_empty(dev->class->pm) &&
+		 !dev->class->suspend && !dev->class->resume)) &&
 		(!dev->type || pm_ops_is_empty(dev->type->pm)) &&
 		(!dev->pm_domain || pm_ops_is_empty(&dev->pm_domain->ops)) &&
-		(!dev->driver || pm_ops_is_empty(dev->driver->pm));
+		(!dev->driver || (pm_ops_is_empty(dev->driver->pm) &&
+		 !dev->driver->suspend && !dev->driver->resume));
 	spin_unlock_irq(&dev->power.lock);
 }

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 30/64] Fix SMB3.1.1 guest authentication to Samba
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 29/64] PM: core: Fix device_pm_check_callbacks() Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 31/64] SMB3: Warn user if trying to sign connection that authenticated as guest Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steve French, Ronnie Sahlberg

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <smfrench@gmail.com>

commit 23586b66d84ba3184b8820277f3fc42761640f87 upstream.

Samba rejects SMB3.1.1 dialect (vers=3.1.1) negotiate requests from
the kernel client due to the two byte pad at the end of the negotiate
contexts.

Signed-off-by: Steve French <smfrench@gmail.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/smb2pdu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -366,7 +366,7 @@ assemble_neg_contexts(struct smb2_negoti
 	build_encrypt_ctxt((struct smb2_encryption_neg_context *)pneg_ctxt);
 	req->NegotiateContextOffset = cpu_to_le32(OFFSET_OF_NEG_CONTEXT);
 	req->NegotiateContextCount = cpu_to_le16(2);
-	inc_rfc1001_len(req, 4 + sizeof(struct smb2_preauth_neg_context) + 2
+	inc_rfc1001_len(req, 4 + sizeof(struct smb2_preauth_neg_context)
 			+ sizeof(struct smb2_encryption_neg_context)); /* calculate hash */
 }
 #else

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 31/64] SMB3: Warn user if trying to sign connection that authenticated as guest
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 30/64] Fix SMB3.1.1 guest authentication to Samba Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 32/64] SMB: Validate negotiate (to protect against downgrade) even if signing off Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steve French, Ronnie Sahlberg

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <smfrench@gmail.com>

commit c721c38957fb19982416f6be71aae7b30630d83b upstream.

It can be confusing if user ends up authenticated as guest but they
requested signing (server will return error validating signed packets)
so add log message for this.

Signed-off-by: Steve French <smfrench@gmail.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/smb2pdu.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1010,6 +1010,8 @@ SMB2_sess_setup(const unsigned int xid,
 	while (sess_data->func)
 		sess_data->func(sess_data);
 
+	if ((ses->session_flags & SMB2_SESSION_FLAG_IS_GUEST) && (ses->sign))
+		cifs_dbg(VFS, "signing requested but authenticated as guest\n");
 	rc = sess_data->result;
 out:
 	kfree(sess_data);

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 32/64] SMB: Validate negotiate (to protect against downgrade) even if signing off
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 31/64] SMB3: Warn user if trying to sign connection that authenticated as guest Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 33/64] SMB3: Dont ignore O_SYNC/O_DSYNC and O_DIRECT flags Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steve French, Jeremy Allison,
	Stefan Metzmacher, Ronnie Sahlberg

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <smfrench@gmail.com>

commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9 upstream.

As long as signing is supported (ie not a guest user connection) and
connection is SMB3 or SMB3.02, then validate negotiate (protect
against man in the middle downgrade attacks).  We had been doing this
only when signing was required, not when signing was just enabled,
but this more closely matches recommended SMB3 behavior and is
better security.  Suggested by Metze.

Signed-off-by: Steve French <smfrench@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Acked-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/smb2pdu.c |   17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -531,15 +531,22 @@ int smb3_validate_negotiate(const unsign
 
 	/*
 	 * validation ioctl must be signed, so no point sending this if we
-	 * can not sign it.  We could eventually change this to selectively
+	 * can not sign it (ie are not known user).  Even if signing is not
+	 * required (enabled but not negotiated), in those cases we selectively
 	 * sign just this, the first and only signed request on a connection.
-	 * This is good enough for now since a user who wants better security
-	 * would also enable signing on the mount. Having validation of
-	 * negotiate info for signed connections helps reduce attack vectors
+	 * Having validation of negotiate info  helps reduce attack vectors.
 	 */
-	if (tcon->ses->server->sign == false)
+	if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_GUEST)
 		return 0; /* validation requires signing */
 
+	if (tcon->ses->user_name == NULL) {
+		cifs_dbg(FYI, "Can't validate negotiate: null user mount\n");
+		return 0; /* validation requires signing */
+	}
+
+	if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL)
+		cifs_dbg(VFS, "Unexpected null user (anonymous) auth flag sent by server\n");
+
 	vneg_inbuf.Capabilities =
 			cpu_to_le32(tcon->ses->server->vals->req_capabilities);
 	memcpy(vneg_inbuf.Guid, tcon->ses->server->client_guid,

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 33/64] SMB3: Dont ignore O_SYNC/O_DSYNC and O_DIRECT flags
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 32/64] SMB: Validate negotiate (to protect against downgrade) even if signing off Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 34/64] vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steve French, Ronnie Sahlberg,
	Pavel Shilovsky

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <smfrench@gmail.com>

commit 1013e760d10e614dc10b5624ce9fc41563ba2e65 upstream.

Signed-off-by: Steve French <smfrench@gmail.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/file.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -224,6 +224,13 @@ cifs_nt_open(char *full_path, struct ino
 	if (backup_cred(cifs_sb))
 		create_options |= CREATE_OPEN_BACKUP_INTENT;
 
+	/* O_SYNC also has bit for O_DSYNC so following check picks up either */
+	if (f_flags & O_SYNC)
+		create_options |= CREATE_WRITE_THROUGH;
+
+	if (f_flags & O_DIRECT)
+		create_options |= CREATE_NO_BUFFER;
+
 	oparms.tcon = tcon;
 	oparms.cifs_sb = cifs_sb;
 	oparms.desired_access = desired_access;

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 34/64] vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 33/64] SMB3: Dont ignore O_SYNC/O_DSYNC and O_DIRECT flags Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 35/64] nl80211: check for the required netlink attributes presence Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andreas Gruenbacher, Linus Torvalds

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andreas Gruenbacher <agruenba@redhat.com>

commit fc46820b27a2d9a46f7e90c9ceb4a64a1bc5fab8 upstream.

In generic_file_llseek_size, return -ENXIO for negative offsets as well
as offsets beyond EOF.  This affects filesystems which don't implement
SEEK_HOLE / SEEK_DATA internally, possibly because they don't support
holes.

Fixes xfstest generic/448.

Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/read_write.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -114,7 +114,7 @@ generic_file_llseek_size(struct file *fi
 		 * In the generic case the entire file is data, so as long as
 		 * offset isn't at the end of the file then the offset is data.
 		 */
-		if (offset >= eof)
+		if ((unsigned long long)offset >= eof)
 			return -ENXIO;
 		break;
 	case SEEK_HOLE:
@@ -122,7 +122,7 @@ generic_file_llseek_size(struct file *fi
 		 * There is a virtual hole at the end of the file, so as long as
 		 * offset isn't i_size or larger, return i_size.
 		 */
-		if (offset >= eof)
+		if ((unsigned long long)offset >= eof)
 			return -ENXIO;
 		offset = eof;
 		break;

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 35/64] nl80211: check for the required netlink attributes presence
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 34/64] vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 36/64] bsg-lib: dont free job in bsg_prepare_job Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, bo Zhang, Vladis Dronov, Johannes Berg

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vladis Dronov <vdronov@redhat.com>

commit e785fa0a164aa11001cba931367c7f94ffaff888 upstream.

nl80211_set_rekey_data() does not check if the required attributes
NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
users with CAP_NET_ADMIN privilege and may result in NULL dereference
and a system crash. Add a check for the required attributes presence.
This patch is based on the patch by bo Zhang.

This fixes CVE-2017-12153.

References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
Reported-by: bo Zhang <zhangbo5891001@gmail.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/wireless/nl80211.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -10385,6 +10385,9 @@ static int nl80211_set_rekey_data(struct
 	if (err)
 		return err;
 
+	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
+	    !tb[NL80211_REKEY_DATA_KCK])
+		return -EINVAL;
 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
 		return -ERANGE;
 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 36/64] bsg-lib: dont free job in bsg_prepare_job
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 35/64] nl80211: check for the required netlink attributes presence Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 37/64] iw_cxgb4: remove the stid on listen create failure Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christoph Hellwig, Ming Lei, Jens Axboe

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christoph Hellwig <hch@lst.de>

commit f507b54dccfd8000c517d740bc45f20c74532d18 upstream.

The job structure is allocated as part of the request, so we should not
free it in the error path of bsg_prepare_job.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 block/bsg-lib.c |    1 -
 1 file changed, 1 deletion(-)

--- a/block/bsg-lib.c
+++ b/block/bsg-lib.c
@@ -147,7 +147,6 @@ static int bsg_create_job(struct device
 failjob_rls_rqst_payload:
 	kfree(job->request_payload.sg_list);
 failjob_rls_job:
-	kfree(job);
 	return -ENOMEM;
 }
 

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 37/64] iw_cxgb4: remove the stid on listen create failure
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 36/64] bsg-lib: dont free job in bsg_prepare_job Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 38/64] iw_cxgb4: put ep reference in pass_accept_req() Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steve Wise, Doug Ledford

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steve Wise <swise@opengridcomputing.com>

commit 8b1bbf36b7452c4acb20e91948eaa5e225ea6978 upstream.

If a listen create fails, then the server tid (stid) is incorrectly left
in the stid idr table, which can cause a touch-after-free if the stid
is looked up and the already freed endpoint is touched.  So make sure
and remove it in the error path.

Signed-off-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/cxgb4/cm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/cxgb4/cm.c
+++ b/drivers/infiniband/hw/cxgb4/cm.c
@@ -3441,7 +3441,7 @@ int c4iw_create_listen(struct iw_cm_id *
 		cm_id->provider_data = ep;
 		goto out;
 	}
-
+	remove_handle(ep->com.dev, &ep->com.dev->stid_idr, ep->stid);
 	cxgb4_free_stid(ep->com.dev->rdev.lldi.tids, ep->stid,
 			ep->com.local_addr.ss_family);
 fail2:

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 38/64] iw_cxgb4: put ep reference in pass_accept_req()
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 37/64] iw_cxgb4: remove the stid on listen create failure Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 39/64] selftests/seccomp: Support glibc 2.26 siginfo_t.h Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steve Wise, Doug Ledford

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steve Wise <swise@opengridcomputing.com>

commit 3d318605f5e32ff44fb290d9b67573b34213c4c8 upstream.

The listening endpoint should always be dereferenced at the end of
pass_accept_req().

Fixes: f86fac79afec ("RDMA/iw_cxgb4: atomic find and reference for listening endpoints")

Signed-off-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/cxgb4/cm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/cxgb4/cm.c
+++ b/drivers/infiniband/hw/cxgb4/cm.c
@@ -2577,9 +2577,9 @@ fail:
 	c4iw_put_ep(&child_ep->com);
 reject:
 	reject_cr(dev, hwtid, skb);
+out:
 	if (parent_ep)
 		c4iw_put_ep(&parent_ep->com);
-out:
 	return 0;
 }
 

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 39/64] selftests/seccomp: Support glibc 2.26 siginfo_t.h
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 38/64] iw_cxgb4: put ep reference in pass_accept_req() Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 40/64] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter() Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Seth Forshee, Andy Lutomirski,
	Will Drewry, Shuah Khan, linux-kselftest, Kees Cook, Shuah Khan

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keescook@chromium.org>

commit 10859f3855db4c6f10dc7974ff4b3a292f3de8e0 upstream.

The 2.26 release of glibc changed how siginfo_t is defined, and the earlier
work-around to using the kernel definition are no longer needed. The old
way needs to stay around for a while, though.

Reported-by: Seth Forshee <seth.forshee@canonical.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: linux-kselftest@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Tested-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/testing/selftests/seccomp/seccomp_bpf.c |   18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -6,10 +6,18 @@
  */
 
 #include <sys/types.h>
-#include <asm/siginfo.h>
-#define __have_siginfo_t 1
-#define __have_sigval_t 1
-#define __have_sigevent_t 1
+
+/*
+ * glibc 2.26 and later have SIGSYS in siginfo_t. Before that,
+ * we need to use the kernel's siginfo.h file and trick glibc
+ * into accepting it.
+ */
+#if !__GLIBC_PREREQ(2, 26)
+# include <asm/siginfo.h>
+# define __have_siginfo_t 1
+# define __have_sigval_t 1
+# define __have_sigevent_t 1
+#endif
 
 #include <errno.h>
 #include <linux/filter.h>
@@ -676,7 +684,7 @@ TEST_F_SIGNAL(TRAP, ign, SIGSYS)
 	syscall(__NR_getpid);
 }
 
-static struct siginfo TRAP_info;
+static siginfo_t TRAP_info;
 static volatile int TRAP_nr;
 static void TRAP_action(int nr, siginfo_t *info, void *void_context)
 {

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 40/64] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 39/64] selftests/seccomp: Support glibc 2.26 siginfo_t.h Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 41/64] arm64: Make sure SPsel is always set Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Salls, Oleg Nesterov,
	Tycho Andersen, Kees Cook

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oleg Nesterov <oleg@redhat.com>

commit 66a733ea6b611aecf0119514d2dddab5f9d6c01e upstream.

As Chris explains, get_seccomp_filter() and put_seccomp_filter() can end
up using different filters. Once we drop ->siglock it is possible for
task->seccomp.filter to have been replaced by SECCOMP_FILTER_FLAG_TSYNC.

Fixes: f8e529ed941b ("seccomp, ptrace: add support for dumping seccomp filters")
Reported-by: Chris Salls <chrissalls5@gmail.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
[tycho: add __get_seccomp_filter vs. open coding refcount_inc()]
Signed-off-by: Tycho Andersen <tycho@docker.com>
[kees: tweak commit log]
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/seccomp.c |   23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -457,14 +457,19 @@ static long seccomp_attach_filter(unsign
 	return 0;
 }
 
+void __get_seccomp_filter(struct seccomp_filter *filter)
+{
+	/* Reference count is bounded by the number of total processes. */
+	atomic_inc(&filter->usage);
+}
+
 /* get_seccomp_filter - increments the reference count of the filter on @tsk */
 void get_seccomp_filter(struct task_struct *tsk)
 {
 	struct seccomp_filter *orig = tsk->seccomp.filter;
 	if (!orig)
 		return;
-	/* Reference count is bounded by the number of total processes. */
-	atomic_inc(&orig->usage);
+	__get_seccomp_filter(orig);
 }
 
 static inline void seccomp_filter_free(struct seccomp_filter *filter)
@@ -475,10 +480,8 @@ static inline void seccomp_filter_free(s
 	}
 }
 
-/* put_seccomp_filter - decrements the ref count of tsk->seccomp.filter */
-void put_seccomp_filter(struct task_struct *tsk)
+static void __put_seccomp_filter(struct seccomp_filter *orig)
 {
-	struct seccomp_filter *orig = tsk->seccomp.filter;
 	/* Clean up single-reference branches iteratively. */
 	while (orig && atomic_dec_and_test(&orig->usage)) {
 		struct seccomp_filter *freeme = orig;
@@ -487,6 +490,12 @@ void put_seccomp_filter(struct task_stru
 	}
 }
 
+/* put_seccomp_filter - decrements the ref count of tsk->seccomp.filter */
+void put_seccomp_filter(struct task_struct *tsk)
+{
+	__put_seccomp_filter(tsk->seccomp.filter);
+}
+
 /**
  * seccomp_send_sigsys - signals the task to allow in-process syscall emulation
  * @syscall: syscall number to send to userland
@@ -892,13 +901,13 @@ long seccomp_get_filter(struct task_stru
 	if (!data)
 		goto out;
 
-	get_seccomp_filter(task);
+	__get_seccomp_filter(filter);
 	spin_unlock_irq(&task->sighand->siglock);
 
 	if (copy_to_user(data, fprog->filter, bpf_classic_proglen(fprog)))
 		ret = -EFAULT;
 
-	put_seccomp_filter(task);
+	__put_seccomp_filter(filter);
 	return ret;
 
 out:

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 41/64] arm64: Make sure SPsel is always set
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 40/64] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter() Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 42/64] arm64: fault: Route pte translation faults via do_translation_fault Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Rutland, Marc Zyngier,
	Will Deacon, Catalin Marinas

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit 5371513fb338fb9989c569dc071326d369d6ade8 upstream.

When the kernel is entered at EL2 on an ARMv8.0 system, we construct
the EL1 pstate and make sure this uses the the EL1 stack pointer
(we perform an exception return to EL1h).

But if the kernel is either entered at EL1 or stays at EL2 (because
we're on a VHE-capable system), we fail to set SPsel, and use whatever
stack selection the higher exception level has choosen for us.

Let's not take any chance, and make sure that SPsel is set to one
before we decide the mode we're going to run in.

Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/kernel/head.S |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm64/kernel/head.S
+++ b/arch/arm64/kernel/head.S
@@ -486,6 +486,7 @@ ENTRY(kimage_vaddr)
  * booted in EL1 or EL2 respectively.
  */
 ENTRY(el2_setup)
+	msr	SPsel, #1			// We want to use SP_EL{1,2}
 	mrs	x0, CurrentEL
 	cmp	x0, #CurrentEL_EL2
 	b.ne	1f

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 42/64] arm64: fault: Route pte translation faults via do_translation_fault
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 41/64] arm64: Make sure SPsel is always set Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 46/64] kvm/x86: Handle async PF in RCU read-side critical sections Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ankit Jain, Will Deacon, Catalin Marinas

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 760bfb47c36a07741a089bf6a28e854ffbee7dc9 upstream.

We currently route pte translation faults via do_page_fault, which elides
the address check against TASK_SIZE before invoking the mm fault handling
code. However, this can cause issues with the path walking code in
conjunction with our word-at-a-time implementation because
load_unaligned_zeropad can end up faulting in kernel space if it reads
across a page boundary and runs into a page fault (e.g. by attempting to
read from a guard region).

In the case of such a fault, load_unaligned_zeropad has registered a
fixup to shift the valid data and pad with zeroes, however the abort is
reported as a level 3 translation fault and we dispatch it straight to
do_page_fault, despite it being a kernel address. This results in calling
a sleeping function from atomic context:

  BUG: sleeping function called from invalid context at arch/arm64/mm/fault.c:313
  in_atomic(): 0, irqs_disabled(): 0, pid: 10290
  Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
  [...]
  [<ffffff8e016cd0cc>] ___might_sleep+0x134/0x144
  [<ffffff8e016cd158>] __might_sleep+0x7c/0x8c
  [<ffffff8e016977f0>] do_page_fault+0x140/0x330
  [<ffffff8e01681328>] do_mem_abort+0x54/0xb0
  Exception stack(0xfffffffb20247a70 to 0xfffffffb20247ba0)
  [...]
  [<ffffff8e016844fc>] el1_da+0x18/0x78
  [<ffffff8e017f399c>] path_parentat+0x44/0x88
  [<ffffff8e017f4c9c>] filename_parentat+0x5c/0xd8
  [<ffffff8e017f5044>] filename_create+0x4c/0x128
  [<ffffff8e017f59e4>] SyS_mkdirat+0x50/0xc8
  [<ffffff8e01684e30>] el0_svc_naked+0x24/0x28
  Code: 36380080 d5384100 f9400800 9402566d (d4210000)
  ---[ end trace 2d01889f2bca9b9f ]---

Fix this by dispatching all translation faults to do_translation_faults,
which avoids invoking the page fault logic for faults on kernel addresses.

Reported-by: Ankit Jain <ankijain@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/mm/fault.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -509,7 +509,7 @@ static const struct fault_info fault_inf
 	{ do_translation_fault,	SIGSEGV, SEGV_MAPERR,	"level 0 translation fault"	},
 	{ do_translation_fault,	SIGSEGV, SEGV_MAPERR,	"level 1 translation fault"	},
 	{ do_translation_fault,	SIGSEGV, SEGV_MAPERR,	"level 2 translation fault"	},
-	{ do_page_fault,	SIGSEGV, SEGV_MAPERR,	"level 3 translation fault"	},
+	{ do_translation_fault,	SIGSEGV, SEGV_MAPERR,	"level 3 translation fault"	},
 	{ do_bad,		SIGBUS,  0,		"unknown 8"			},
 	{ do_page_fault,	SIGSEGV, SEGV_ACCERR,	"level 1 access flag fault"	},
 	{ do_page_fault,	SIGSEGV, SEGV_ACCERR,	"level 2 access flag fault"	},

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 46/64] kvm/x86: Handle async PF in RCU read-side critical sections
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 42/64] arm64: fault: Route pte translation faults via do_translation_fault Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 48/64] kvm: nVMX: Dont allow L2 to access the hardware CR8 Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sasha Levin, Paul E. McKenney,
	Peter Zijlstra, Boqun Feng, Paolo Bonzini

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Boqun Feng <boqun.feng@gmail.com>

commit b862789aa5186d5ea3a024b7cfe0f80c3a38b980 upstream.

Sasha Levin reported a WARNING:

| WARNING: CPU: 0 PID: 6974 at kernel/rcu/tree_plugin.h:329
| rcu_preempt_note_context_switch kernel/rcu/tree_plugin.h:329 [inline]
| WARNING: CPU: 0 PID: 6974 at kernel/rcu/tree_plugin.h:329
| rcu_note_context_switch+0x16c/0x2210 kernel/rcu/tree.c:458
...
| CPU: 0 PID: 6974 Comm: syz-fuzzer Not tainted 4.13.0-next-20170908+ #246
| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
| 1.10.1-1ubuntu1 04/01/2014
| Call Trace:
...
| RIP: 0010:rcu_preempt_note_context_switch kernel/rcu/tree_plugin.h:329 [inline]
| RIP: 0010:rcu_note_context_switch+0x16c/0x2210 kernel/rcu/tree.c:458
| RSP: 0018:ffff88003b2debc8 EFLAGS: 00010002
| RAX: 0000000000000001 RBX: 1ffff1000765bd85 RCX: 0000000000000000
| RDX: 1ffff100075d7882 RSI: ffffffffb5c7da20 RDI: ffff88003aebc410
| RBP: ffff88003b2def30 R08: dffffc0000000000 R09: 0000000000000001
| R10: 0000000000000000 R11: 0000000000000000 R12: ffff88003b2def08
| R13: 0000000000000000 R14: ffff88003aebc040 R15: ffff88003aebc040
| __schedule+0x201/0x2240 kernel/sched/core.c:3292
| schedule+0x113/0x460 kernel/sched/core.c:3421
| kvm_async_pf_task_wait+0x43f/0x940 arch/x86/kernel/kvm.c:158
| do_async_page_fault+0x72/0x90 arch/x86/kernel/kvm.c:271
| async_page_fault+0x22/0x30 arch/x86/entry/entry_64.S:1069
| RIP: 0010:format_decode+0x240/0x830 lib/vsprintf.c:1996
| RSP: 0018:ffff88003b2df520 EFLAGS: 00010283
| RAX: 000000000000003f RBX: ffffffffb5d1e141 RCX: ffff88003b2df670
| RDX: 0000000000000001 RSI: dffffc0000000000 RDI: ffffffffb5d1e140
| RBP: ffff88003b2df560 R08: dffffc0000000000 R09: 0000000000000000
| R10: ffff88003b2df718 R11: 0000000000000000 R12: ffff88003b2df5d8
| R13: 0000000000000064 R14: ffffffffb5d1e140 R15: 0000000000000000
| vsnprintf+0x173/0x1700 lib/vsprintf.c:2136
| sprintf+0xbe/0xf0 lib/vsprintf.c:2386
| proc_self_get_link+0xfb/0x1c0 fs/proc/self.c:23
| get_link fs/namei.c:1047 [inline]
| link_path_walk+0x1041/0x1490 fs/namei.c:2127
...

This happened when the host hit a page fault, and delivered it as in an
async page fault, while the guest was in an RCU read-side critical
section.  The guest then tries to reschedule in kvm_async_pf_task_wait(),
but rcu_preempt_note_context_switch() would treat the reschedule as a
sleep in RCU read-side critical section, which is not allowed (even in
preemptible RCU).  Thus the WARN.

To cure this, make kvm_async_pf_task_wait() go to the halt path if the
PF happens in a RCU read-side critical section.

Reported-by: Sasha Levin <levinsasha928@gmail.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/kvm.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/kernel/kvm.c
+++ b/arch/x86/kernel/kvm.c
@@ -141,7 +141,8 @@ void kvm_async_pf_task_wait(u32 token)
 
 	n.token = token;
 	n.cpu = smp_processor_id();
-	n.halted = is_idle_task(current) || preempt_count() > 1;
+	n.halted = is_idle_task(current) || preempt_count() > 1 ||
+		   rcu_preempt_depth();
 	init_swait_queue_head(&n.wq);
 	hlist_add_head(&n.link, &b->list);
 	raw_spin_unlock(&b->lock);

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 48/64] kvm: nVMX: Dont allow L2 to access the hardware CR8
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 46/64] kvm/x86: Handle async PF in RCU read-side critical sections Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 49/64] xfs: validate bdev support for DAX inode flag Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jim Mattson, David Hildenbrand,
	Paolo Bonzini

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jim Mattson <jmattson@google.com>

commit 51aa68e7d57e3217192d88ce90fd5b8ef29ec94f upstream.

If L1 does not specify the "use TPR shadow" VM-execution control in
vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
exiting" VM-execution controls in vmcs02. Failure to do so will give
the L2 VM unrestricted read/write access to the hardware CR8.

This fixes CVE-2017-12154.

Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/vmx.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -10001,6 +10001,11 @@ static void prepare_vmcs02(struct kvm_vc
 		vmcs_write64(VIRTUAL_APIC_PAGE_ADDR,
 				page_to_phys(vmx->nested.virtual_apic_page));
 		vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold);
+	} else {
+#ifdef CONFIG_X86_64
+		exec_control |= CPU_BASED_CR8_LOAD_EXITING |
+				CPU_BASED_CR8_STORE_EXITING;
+#endif
 	}
 
 	if (cpu_has_vmx_msr_bitmap() &&

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 49/64] xfs: validate bdev support for DAX inode flag
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 48/64] kvm: nVMX: Dont allow L2 to access the hardware CR8 Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 50/64] etnaviv: fix gem object list corruption Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ross Zwisler, Christoph Hellwig,
	Darrick J. Wong

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ross Zwisler <ross.zwisler@linux.intel.com>

commit 6851a3db7e224bbb85e23b3c64a506c9e0904382 upstream.

Currently only the blocksize is checked, but we should really be calling
bdev_dax_supported() which also tests to make sure we can get a
struct dax_device and that the dax_direct_access() path is working.

This is the same check that we do for the "-o dax" mount option in
xfs_fs_fill_super().

This does not fix the race issues that caused the XFS DAX inode option to
be disabled, so that option will still be disabled.  If/when we re-enable
it, though, I think we will want this issue to have been fixed.  I also do
think that we want to fix this in stable kernels.

Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/xfs/xfs_ioctl.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -1085,6 +1085,7 @@ xfs_ioctl_setattr_dax_invalidate(
 	int			*join_flags)
 {
 	struct inode		*inode = VFS_I(ip);
+	struct super_block	*sb = inode->i_sb;
 	int			error;
 
 	*join_flags = 0;
@@ -1097,7 +1098,7 @@ xfs_ioctl_setattr_dax_invalidate(
 	if (fa->fsx_xflags & FS_XFLAG_DAX) {
 		if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode)))
 			return -EINVAL;
-		if (ip->i_mount->m_sb.sb_blocksize != PAGE_SIZE)
+		if (bdev_dax_supported(sb, sb->s_blocksize) < 0)
 			return -EINVAL;
 	}
 

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 50/64] etnaviv: fix gem object list corruption
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 49/64] xfs: validate bdev support for DAX inode flag Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 51/64] PCI: Fix race condition with driver_override Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lucas Stach

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lucas Stach <l.stach@pengutronix.de>

commit 518417525f3652c12fb5fad6da4ade66c0072fa3 upstream.

All manipulations of the gem_object list need to be protected by
the list mutex, as GEM objects can be created and freed in parallel.
This fixes a kernel memory corruption.

Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/etnaviv/etnaviv_gem.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/etnaviv/etnaviv_gem.c
+++ b/drivers/gpu/drm/etnaviv/etnaviv_gem.c
@@ -549,12 +549,15 @@ static const struct etnaviv_gem_ops etna
 void etnaviv_gem_free_object(struct drm_gem_object *obj)
 {
 	struct etnaviv_gem_object *etnaviv_obj = to_etnaviv_bo(obj);
+	struct etnaviv_drm_private *priv = obj->dev->dev_private;
 	struct etnaviv_vram_mapping *mapping, *tmp;
 
 	/* object should not be active */
 	WARN_ON(is_active(etnaviv_obj));
 
+	mutex_lock(&priv->gem_lock);
 	list_del(&etnaviv_obj->gem_node);
+	mutex_unlock(&priv->gem_lock);
 
 	list_for_each_entry_safe(mapping, tmp, &etnaviv_obj->vram_list,
 				 obj_node) {

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 51/64] PCI: Fix race condition with driver_override
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 50/64] etnaviv: fix gem object list corruption Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 52/64] btrfs: fix NULL pointer dereference from free_reloc_roots() Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Nicolai Stange, Bjorn Helgaas

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolai Stange <nstange@suse.de>

commit 9561475db680f7144d2223a409dd3d7e322aca03 upstream.

The driver_override implementation is susceptible to a race condition when
different threads are reading vs. storing a different driver override.  Add
locking to avoid the race condition.

This is in close analogy to commit 6265539776a0 ("driver core: platform:
fix race condition with driver_override") from Adrian Salido.

Fixes: 782a985d7af2 ("PCI: Introduce new device binding path using pci_dev.driver_override")
Signed-off-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/pci-sysfs.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -527,7 +527,7 @@ static ssize_t driver_override_store(str
 				     const char *buf, size_t count)
 {
 	struct pci_dev *pdev = to_pci_dev(dev);
-	char *driver_override, *old = pdev->driver_override, *cp;
+	char *driver_override, *old, *cp;
 
 	/* We need to keep extra room for a newline */
 	if (count >= (PAGE_SIZE - 1))
@@ -541,12 +541,15 @@ static ssize_t driver_override_store(str
 	if (cp)
 		*cp = '\0';
 
+	device_lock(dev);
+	old = pdev->driver_override;
 	if (strlen(driver_override)) {
 		pdev->driver_override = driver_override;
 	} else {
 		kfree(driver_override);
 		pdev->driver_override = NULL;
 	}
+	device_unlock(dev);
 
 	kfree(old);
 
@@ -557,8 +560,12 @@ static ssize_t driver_override_show(stru
 				    struct device_attribute *attr, char *buf)
 {
 	struct pci_dev *pdev = to_pci_dev(dev);
+	ssize_t len;
 
-	return snprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override);
+	device_lock(dev);
+	len = snprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override);
+	device_unlock(dev);
+	return len;
 }
 static DEVICE_ATTR_RW(driver_override);
 

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 52/64] btrfs: fix NULL pointer dereference from free_reloc_roots()
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 51/64] PCI: Fix race condition with driver_override Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 53/64] btrfs: propagate error to btrfs_cmp_data_prepare caller Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Naohiro Aota, Nikolay Borisov, David Sterba

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Naohiro Aota <naohiro.aota@wdc.com>

commit bb166d7207432d3c7d10c45dc052f12ba3a2121d upstream.

__del_reloc_root should be called before freeing up reloc_root->node.
If not, calling __del_reloc_root() dereference reloc_root->node, causing
the system BUG.

Fixes: 6bdf131fac23 ("Btrfs: don't leak reloc root nodes on error")
Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/relocation.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -2367,11 +2367,11 @@ void free_reloc_roots(struct list_head *
 	while (!list_empty(list)) {
 		reloc_root = list_entry(list->next, struct btrfs_root,
 					root_list);
+		__del_reloc_root(reloc_root);
 		free_extent_buffer(reloc_root->node);
 		free_extent_buffer(reloc_root->commit_root);
 		reloc_root->node = NULL;
 		reloc_root->commit_root = NULL;
-		__del_reloc_root(reloc_root);
 	}
 }
 

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 53/64] btrfs: propagate error to btrfs_cmp_data_prepare caller
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 52/64] btrfs: fix NULL pointer dereference from free_reloc_roots() Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 54/64] btrfs: prevent to set invalid default subvolid Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Naohiro Aota, David Sterba

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Naohiro Aota <naohiro.aota@wdc.com>

commit 78ad4ce014d025f41b8dde3a81876832ead643cf upstream.

btrfs_cmp_data_prepare() (almost) always returns 0 i.e. ignoring errors
from gather_extent_pages(). While the pages are freed by
btrfs_cmp_data_free(), cmp->num_pages still has > 0. Then,
btrfs_extent_same() try to access the already freed pages causing faults
(or violates PageLocked assertion).

This patch just return the error as is so that the caller stop the process.

Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
Fixes: f441460202cb ("btrfs: fix deadlock with extent-same and readpage")
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/ioctl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3052,7 +3052,7 @@ static int btrfs_cmp_data_prepare(struct
 out:
 	if (ret)
 		btrfs_cmp_data_free(cmp);
-	return 0;
+	return ret;
 }
 
 static int btrfs_cmp_data(struct inode *src, u64 loff, struct inode *dst,

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 54/64] btrfs: prevent to set invalid default subvolid
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 53/64] btrfs: propagate error to btrfs_cmp_data_prepare caller Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23   ` Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Satoru Takeuchi, Qu Wenruo, David Sterba

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: satoru takeuchi <satoru.takeuchi@gmail.com>

commit 6d6d282932d1a609e60dc4467677e0e863682f57 upstream.

`btrfs sub set-default` succeeds to set an ID which isn't corresponding to any
fs/file tree. If such the bad ID is set to a filesystem, we can't mount this
filesystem without specifying `subvol` or `subvolid` mount options.

Fixes: 6ef5ed0d386b ("Btrfs: add ioctl and incompat flag to set the default mount subvol")
Signed-off-by: Satoru Takeuchi <satoru.takeuchi@gmail.com>
Reviewed-by: Qu Wenruo <quwenruo.btrfs@gmx.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/ioctl.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -4082,6 +4082,10 @@ static long btrfs_ioctl_default_subvol(s
 		ret = PTR_ERR(new_root);
 		goto out;
 	}
+	if (!is_fstree(new_root->objectid)) {
+		ret = -ENOENT;
+		goto out;
+	}
 
 	path = btrfs_alloc_path();
 	if (!path) {

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 55/64] x86/mm: Fix fault error path using unsafe vma pointer
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
@ 2017-10-03 12:23   ` Greg Kroah-Hartman
  2017-10-03 12:22 ` [PATCH 4.9 02/64] cifs: release auth_key.response for reconnect Greg Kroah-Hartman
                     ` (59 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Laurent Dufour, Thomas Gleixner,
	linux-mm, Dave Hansen

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Laurent Dufour <ldufour@linux.vnet.ibm.com>

commit a3c4fb7c9c2ebfd50b8c60f6c069932bb319bc37 upstream.

commit 7b2d0dbac489 ("x86/mm/pkeys: Pass VMA down in to fault signal
generation code") passes down a vma pointer to the error path, but that is
done once the mmap_sem is released when calling mm_fault_error() from
__do_page_fault().

This is dangerous as the vma structure is no more safe to be used once the
mmap_sem has been released. As only the protection key value is required in
the error processing, we could just pass down this value.

Fix it by passing a pointer to a protection key value down to the fault
signal generation code. The use of a pointer allows to keep the check
generating a warning message in fill_sig_info_pkey() when the vma was not
known. If the pointer is valid, the protection value can be accessed by
deferencing the pointer.

[ tglx: Made *pkey u32 as that's the type which is passed in siginfo ]

Fixes: 7b2d0dbac489 ("x86/mm/pkeys: Pass VMA down in to fault signal generation code")
Signed-off-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-mm@kvack.org
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Link: http://lkml.kernel.org/r/1504513935-12742-1-git-send-email-ldufour@linux.vnet.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/mm/fault.c |   47 ++++++++++++++++++++++++-----------------------
 1 file changed, 24 insertions(+), 23 deletions(-)

--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -191,8 +191,7 @@ is_prefetch(struct pt_regs *regs, unsign
  * 6. T1   : reaches here, sees vma_pkey(vma)=5, when we really
  *	     faulted on a pte with its pkey=4.
  */
-static void fill_sig_info_pkey(int si_code, siginfo_t *info,
-		struct vm_area_struct *vma)
+static void fill_sig_info_pkey(int si_code, siginfo_t *info, u32 *pkey)
 {
 	/* This is effectively an #ifdef */
 	if (!boot_cpu_has(X86_FEATURE_OSPKE))
@@ -208,7 +207,7 @@ static void fill_sig_info_pkey(int si_co
 	 * valid VMA, so we should never reach this without a
 	 * valid VMA.
 	 */
-	if (!vma) {
+	if (!pkey) {
 		WARN_ONCE(1, "PKU fault with no VMA passed in");
 		info->si_pkey = 0;
 		return;
@@ -218,13 +217,12 @@ static void fill_sig_info_pkey(int si_co
 	 * absolutely guranteed to be 100% accurate because of
 	 * the race explained above.
 	 */
-	info->si_pkey = vma_pkey(vma);
+	info->si_pkey = *pkey;
 }
 
 static void
 force_sig_info_fault(int si_signo, int si_code, unsigned long address,
-		     struct task_struct *tsk, struct vm_area_struct *vma,
-		     int fault)
+		     struct task_struct *tsk, u32 *pkey, int fault)
 {
 	unsigned lsb = 0;
 	siginfo_t info;
@@ -239,7 +237,7 @@ force_sig_info_fault(int si_signo, int s
 		lsb = PAGE_SHIFT;
 	info.si_addr_lsb = lsb;
 
-	fill_sig_info_pkey(si_code, &info, vma);
+	fill_sig_info_pkey(si_code, &info, pkey);
 
 	force_sig_info(si_signo, &info, tsk);
 }
@@ -718,8 +716,6 @@ no_context(struct pt_regs *regs, unsigne
 	struct task_struct *tsk = current;
 	unsigned long flags;
 	int sig;
-	/* No context means no VMA to pass down */
-	struct vm_area_struct *vma = NULL;
 
 	/* Are we prepared to handle this kernel fault? */
 	if (fixup_exception(regs, X86_TRAP_PF)) {
@@ -744,7 +740,7 @@ no_context(struct pt_regs *regs, unsigne
 
 			/* XXX: hwpoison faults will set the wrong code. */
 			force_sig_info_fault(signal, si_code, address,
-					     tsk, vma, 0);
+					     tsk, NULL, 0);
 		}
 
 		/*
@@ -853,8 +849,7 @@ show_signal_msg(struct pt_regs *regs, un
 
 static void
 __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
-		       unsigned long address, struct vm_area_struct *vma,
-		       int si_code)
+		       unsigned long address, u32 *pkey, int si_code)
 {
 	struct task_struct *tsk = current;
 
@@ -902,7 +897,7 @@ __bad_area_nosemaphore(struct pt_regs *r
 		tsk->thread.error_code	= error_code;
 		tsk->thread.trap_nr	= X86_TRAP_PF;
 
-		force_sig_info_fault(SIGSEGV, si_code, address, tsk, vma, 0);
+		force_sig_info_fault(SIGSEGV, si_code, address, tsk, pkey, 0);
 
 		return;
 	}
@@ -915,9 +910,9 @@ __bad_area_nosemaphore(struct pt_regs *r
 
 static noinline void
 bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
-		     unsigned long address, struct vm_area_struct *vma)
+		     unsigned long address, u32 *pkey)
 {
-	__bad_area_nosemaphore(regs, error_code, address, vma, SEGV_MAPERR);
+	__bad_area_nosemaphore(regs, error_code, address, pkey, SEGV_MAPERR);
 }
 
 static void
@@ -925,6 +920,10 @@ __bad_area(struct pt_regs *regs, unsigne
 	   unsigned long address,  struct vm_area_struct *vma, int si_code)
 {
 	struct mm_struct *mm = current->mm;
+	u32 pkey;
+
+	if (vma)
+		pkey = vma_pkey(vma);
 
 	/*
 	 * Something tried to access memory that isn't in our memory map..
@@ -932,7 +931,8 @@ __bad_area(struct pt_regs *regs, unsigne
 	 */
 	up_read(&mm->mmap_sem);
 
-	__bad_area_nosemaphore(regs, error_code, address, vma, si_code);
+	__bad_area_nosemaphore(regs, error_code, address,
+			       (vma) ? &pkey : NULL, si_code);
 }
 
 static noinline void
@@ -975,7 +975,7 @@ bad_area_access_error(struct pt_regs *re
 
 static void
 do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
-	  struct vm_area_struct *vma, unsigned int fault)
+	  u32 *pkey, unsigned int fault)
 {
 	struct task_struct *tsk = current;
 	int code = BUS_ADRERR;
@@ -1002,13 +1002,12 @@ do_sigbus(struct pt_regs *regs, unsigned
 		code = BUS_MCEERR_AR;
 	}
 #endif
-	force_sig_info_fault(SIGBUS, code, address, tsk, vma, fault);
+	force_sig_info_fault(SIGBUS, code, address, tsk, pkey, fault);
 }
 
 static noinline void
 mm_fault_error(struct pt_regs *regs, unsigned long error_code,
-	       unsigned long address, struct vm_area_struct *vma,
-	       unsigned int fault)
+	       unsigned long address, u32 *pkey, unsigned int fault)
 {
 	if (fatal_signal_pending(current) && !(error_code & PF_USER)) {
 		no_context(regs, error_code, address, 0, 0);
@@ -1032,9 +1031,9 @@ mm_fault_error(struct pt_regs *regs, uns
 	} else {
 		if (fault & (VM_FAULT_SIGBUS|VM_FAULT_HWPOISON|
 			     VM_FAULT_HWPOISON_LARGE))
-			do_sigbus(regs, error_code, address, vma, fault);
+			do_sigbus(regs, error_code, address, pkey, fault);
 		else if (fault & VM_FAULT_SIGSEGV)
-			bad_area_nosemaphore(regs, error_code, address, vma);
+			bad_area_nosemaphore(regs, error_code, address, pkey);
 		else
 			BUG();
 	}
@@ -1220,6 +1219,7 @@ __do_page_fault(struct pt_regs *regs, un
 	struct mm_struct *mm;
 	int fault, major = 0;
 	unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE;
+	u32 pkey;
 
 	tsk = current;
 	mm = tsk->mm;
@@ -1420,9 +1420,10 @@ good_area:
 		return;
 	}
 
+	pkey = vma_pkey(vma);
 	up_read(&mm->mmap_sem);
 	if (unlikely(fault & VM_FAULT_ERROR)) {
-		mm_fault_error(regs, error_code, address, vma, fault);
+		mm_fault_error(regs, error_code, address, &pkey, fault);
 		return;
 	}
 

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 55/64] x86/mm: Fix fault error path using unsafe vma pointer
@ 2017-10-03 12:23   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Laurent Dufour, Thomas Gleixner,
	linux-mm, Dave Hansen

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Laurent Dufour <ldufour@linux.vnet.ibm.com>

commit a3c4fb7c9c2ebfd50b8c60f6c069932bb319bc37 upstream.

commit 7b2d0dbac489 ("x86/mm/pkeys: Pass VMA down in to fault signal
generation code") passes down a vma pointer to the error path, but that is
done once the mmap_sem is released when calling mm_fault_error() from
__do_page_fault().

This is dangerous as the vma structure is no more safe to be used once the
mmap_sem has been released. As only the protection key value is required in
the error processing, we could just pass down this value.

Fix it by passing a pointer to a protection key value down to the fault
signal generation code. The use of a pointer allows to keep the check
generating a warning message in fill_sig_info_pkey() when the vma was not
known. If the pointer is valid, the protection value can be accessed by
deferencing the pointer.

[ tglx: Made *pkey u32 as that's the type which is passed in siginfo ]

Fixes: 7b2d0dbac489 ("x86/mm/pkeys: Pass VMA down in to fault signal generation code")
Signed-off-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-mm@kvack.org
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Link: http://lkml.kernel.org/r/1504513935-12742-1-git-send-email-ldufour@linux.vnet.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/mm/fault.c |   47 ++++++++++++++++++++++++-----------------------
 1 file changed, 24 insertions(+), 23 deletions(-)

--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -191,8 +191,7 @@ is_prefetch(struct pt_regs *regs, unsign
  * 6. T1   : reaches here, sees vma_pkey(vma)=5, when we really
  *	     faulted on a pte with its pkey=4.
  */
-static void fill_sig_info_pkey(int si_code, siginfo_t *info,
-		struct vm_area_struct *vma)
+static void fill_sig_info_pkey(int si_code, siginfo_t *info, u32 *pkey)
 {
 	/* This is effectively an #ifdef */
 	if (!boot_cpu_has(X86_FEATURE_OSPKE))
@@ -208,7 +207,7 @@ static void fill_sig_info_pkey(int si_co
 	 * valid VMA, so we should never reach this without a
 	 * valid VMA.
 	 */
-	if (!vma) {
+	if (!pkey) {
 		WARN_ONCE(1, "PKU fault with no VMA passed in");
 		info->si_pkey = 0;
 		return;
@@ -218,13 +217,12 @@ static void fill_sig_info_pkey(int si_co
 	 * absolutely guranteed to be 100% accurate because of
 	 * the race explained above.
 	 */
-	info->si_pkey = vma_pkey(vma);
+	info->si_pkey = *pkey;
 }
 
 static void
 force_sig_info_fault(int si_signo, int si_code, unsigned long address,
-		     struct task_struct *tsk, struct vm_area_struct *vma,
-		     int fault)
+		     struct task_struct *tsk, u32 *pkey, int fault)
 {
 	unsigned lsb = 0;
 	siginfo_t info;
@@ -239,7 +237,7 @@ force_sig_info_fault(int si_signo, int s
 		lsb = PAGE_SHIFT;
 	info.si_addr_lsb = lsb;
 
-	fill_sig_info_pkey(si_code, &info, vma);
+	fill_sig_info_pkey(si_code, &info, pkey);
 
 	force_sig_info(si_signo, &info, tsk);
 }
@@ -718,8 +716,6 @@ no_context(struct pt_regs *regs, unsigne
 	struct task_struct *tsk = current;
 	unsigned long flags;
 	int sig;
-	/* No context means no VMA to pass down */
-	struct vm_area_struct *vma = NULL;
 
 	/* Are we prepared to handle this kernel fault? */
 	if (fixup_exception(regs, X86_TRAP_PF)) {
@@ -744,7 +740,7 @@ no_context(struct pt_regs *regs, unsigne
 
 			/* XXX: hwpoison faults will set the wrong code. */
 			force_sig_info_fault(signal, si_code, address,
-					     tsk, vma, 0);
+					     tsk, NULL, 0);
 		}
 
 		/*
@@ -853,8 +849,7 @@ show_signal_msg(struct pt_regs *regs, un
 
 static void
 __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
-		       unsigned long address, struct vm_area_struct *vma,
-		       int si_code)
+		       unsigned long address, u32 *pkey, int si_code)
 {
 	struct task_struct *tsk = current;
 
@@ -902,7 +897,7 @@ __bad_area_nosemaphore(struct pt_regs *r
 		tsk->thread.error_code	= error_code;
 		tsk->thread.trap_nr	= X86_TRAP_PF;
 
-		force_sig_info_fault(SIGSEGV, si_code, address, tsk, vma, 0);
+		force_sig_info_fault(SIGSEGV, si_code, address, tsk, pkey, 0);
 
 		return;
 	}
@@ -915,9 +910,9 @@ __bad_area_nosemaphore(struct pt_regs *r
 
 static noinline void
 bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
-		     unsigned long address, struct vm_area_struct *vma)
+		     unsigned long address, u32 *pkey)
 {
-	__bad_area_nosemaphore(regs, error_code, address, vma, SEGV_MAPERR);
+	__bad_area_nosemaphore(regs, error_code, address, pkey, SEGV_MAPERR);
 }
 
 static void
@@ -925,6 +920,10 @@ __bad_area(struct pt_regs *regs, unsigne
 	   unsigned long address,  struct vm_area_struct *vma, int si_code)
 {
 	struct mm_struct *mm = current->mm;
+	u32 pkey;
+
+	if (vma)
+		pkey = vma_pkey(vma);
 
 	/*
 	 * Something tried to access memory that isn't in our memory map..
@@ -932,7 +931,8 @@ __bad_area(struct pt_regs *regs, unsigne
 	 */
 	up_read(&mm->mmap_sem);
 
-	__bad_area_nosemaphore(regs, error_code, address, vma, si_code);
+	__bad_area_nosemaphore(regs, error_code, address,
+			       (vma) ? &pkey : NULL, si_code);
 }
 
 static noinline void
@@ -975,7 +975,7 @@ bad_area_access_error(struct pt_regs *re
 
 static void
 do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
-	  struct vm_area_struct *vma, unsigned int fault)
+	  u32 *pkey, unsigned int fault)
 {
 	struct task_struct *tsk = current;
 	int code = BUS_ADRERR;
@@ -1002,13 +1002,12 @@ do_sigbus(struct pt_regs *regs, unsigned
 		code = BUS_MCEERR_AR;
 	}
 #endif
-	force_sig_info_fault(SIGBUS, code, address, tsk, vma, fault);
+	force_sig_info_fault(SIGBUS, code, address, tsk, pkey, fault);
 }
 
 static noinline void
 mm_fault_error(struct pt_regs *regs, unsigned long error_code,
-	       unsigned long address, struct vm_area_struct *vma,
-	       unsigned int fault)
+	       unsigned long address, u32 *pkey, unsigned int fault)
 {
 	if (fatal_signal_pending(current) && !(error_code & PF_USER)) {
 		no_context(regs, error_code, address, 0, 0);
@@ -1032,9 +1031,9 @@ mm_fault_error(struct pt_regs *regs, uns
 	} else {
 		if (fault & (VM_FAULT_SIGBUS|VM_FAULT_HWPOISON|
 			     VM_FAULT_HWPOISON_LARGE))
-			do_sigbus(regs, error_code, address, vma, fault);
+			do_sigbus(regs, error_code, address, pkey, fault);
 		else if (fault & VM_FAULT_SIGSEGV)
-			bad_area_nosemaphore(regs, error_code, address, vma);
+			bad_area_nosemaphore(regs, error_code, address, pkey);
 		else
 			BUG();
 	}
@@ -1220,6 +1219,7 @@ __do_page_fault(struct pt_regs *regs, un
 	struct mm_struct *mm;
 	int fault, major = 0;
 	unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE;
+	u32 pkey;
 
 	tsk = current;
 	mm = tsk->mm;
@@ -1420,9 +1420,10 @@ good_area:
 		return;
 	}
 
+	pkey = vma_pkey(vma);
 	up_read(&mm->mmap_sem);
 	if (unlikely(fault & VM_FAULT_ERROR)) {
-		mm_fault_error(regs, error_code, address, vma, fault);
+		mm_fault_error(regs, error_code, address, &pkey, fault);
 		return;
 	}
 


--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 56/64] x86/fpu: Dont let userspace set bogus xcomp_bv
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
@ 2017-10-03 12:23   ` Greg Kroah-Hartman
  2017-10-03 12:22 ` [PATCH 4.9 02/64] cifs: release auth_key.response for reconnect Greg Kroah-Hartman
                     ` (59 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Vyukov, Eric Biggers,
	Kees Cook, Rik van Riel, Dave Hansen, Andrew Morton,
	Andy Lutomirski, Andy Lutomirski, Borislav Petkov, Eric Biggers,
	Fenghua Yu, Kevin Hao, Linus Torvalds, Michael Halcrow,
	Oleg Nesterov, Peter Zijlstra, Thomas Gleixner, Wanpeng Li,
	Yu-cheng Yu, kernel-hardening, Ingo Molnar

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------


From: Eric Biggers <ebiggers@google.com>

commit 814fb7bb7db5433757d76f4c4502c96fc53b0b5e upstream.

On x86, userspace can use the ptrace() or rt_sigreturn() system calls to
set a task's extended state (xstate) or "FPU" registers.  ptrace() can
set them for another task using the PTRACE_SETREGSET request with
NT_X86_XSTATE, while rt_sigreturn() can set them for the current task.
In either case, registers can be set to any value, but the kernel
assumes that the XSAVE area itself remains valid in the sense that the
CPU can restore it.

However, in the case where the kernel is using the uncompacted xstate
format (which it does whenever the XSAVES instruction is unavailable),
it was possible for userspace to set the xcomp_bv field in the
xstate_header to an arbitrary value.  However, all bits in that field
are reserved in the uncompacted case, so when switching to a task with
nonzero xcomp_bv, the XRSTOR instruction failed with a #GP fault.  This
caused the WARN_ON_FPU(err) in copy_kernel_to_xregs() to be hit.  In
addition, since the error is otherwise ignored, the FPU registers from
the task previously executing on the CPU were leaked.

Fix the bug by checking that the user-supplied value of xcomp_bv is 0 in
the uncompacted case, and returning an error otherwise.

The reason for validating xcomp_bv rather than simply overwriting it
with 0 is that we want userspace to see an error if it (incorrectly)
provides an XSAVE area in compacted format rather than in uncompacted
format.

Note that as before, in case of error we clear the task's FPU state.
This is perhaps non-ideal, especially for PTRACE_SETREGSET; it might be
better to return an error before changing anything.  But it seems the
"clear on error" behavior is fine for now, and it's a little tricky to
do otherwise because it would mean we couldn't simply copy the full
userspace state into kernel memory in one __copy_from_user().

This bug was found by syzkaller, which hit the above-mentioned
WARN_ON_FPU():

    WARNING: CPU: 1 PID: 0 at ./arch/x86/include/asm/fpu/internal.h:373 __switch_to+0x5b5/0x5d0
    CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.13.0 #453
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    task: ffff9ba2bc8e42c0 task.stack: ffffa78cc036c000
    RIP: 0010:__switch_to+0x5b5/0x5d0
    RSP: 0000:ffffa78cc08bbb88 EFLAGS: 00010082
    RAX: 00000000fffffffe RBX: ffff9ba2b8bf2180 RCX: 00000000c0000100
    RDX: 00000000ffffffff RSI: 000000005cb10700 RDI: ffff9ba2b8bf36c0
    RBP: ffffa78cc08bbbd0 R08: 00000000929fdf46 R09: 0000000000000001
    R10: 0000000000000000 R11: 0000000000000000 R12: ffff9ba2bc8e42c0
    R13: 0000000000000000 R14: ffff9ba2b8bf3680 R15: ffff9ba2bf5d7b40
    FS:  00007f7e5cb10700(0000) GS:ffff9ba2bf400000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00000000004005cc CR3: 0000000079fd5000 CR4: 00000000001406e0
    Call Trace:
    Code: 84 00 00 00 00 00 e9 11 fd ff ff 0f ff 66 0f 1f 84 00 00 00 00 00 e9 e7 fa ff ff 0f ff 66 0f 1f 84 00 00 00 00 00 e9 c2 fa ff ff <0f> ff 66 0f 1f 84 00 00 00 00 00 e9 d4 fc ff ff 66 66 2e 0f 1f

Here is a C reproducer.  The expected behavior is that the program spin
forever with no output.  However, on a buggy kernel running on a
processor with the "xsave" feature but without the "xsaves" feature
(e.g. Sandy Bridge through Broadwell for Intel), within a second or two
the program reports that the xmm registers were corrupted, i.e. were not
restored correctly.  With CONFIG_X86_DEBUG_FPU=y it also hits the above
kernel warning.

    #define _GNU_SOURCE
    #include <stdbool.h>
    #include <inttypes.h>
    #include <linux/elf.h>
    #include <stdio.h>
    #include <sys/ptrace.h>
    #include <sys/uio.h>
    #include <sys/wait.h>
    #include <unistd.h>

    int main(void)
    {
        int pid = fork();
        uint64_t xstate[512];
        struct iovec iov = { .iov_base = xstate, .iov_len = sizeof(xstate) };

        if (pid == 0) {
            bool tracee = true;
            for (int i = 0; i < sysconf(_SC_NPROCESSORS_ONLN) && tracee; i++)
                tracee = (fork() != 0);
            uint32_t xmm0[4] = { [0 ... 3] = tracee ? 0x00000000 : 0xDEADBEEF };
            asm volatile("   movdqu %0, %%xmm0\n"
                         "   mov %0, %%rbx\n"
                         "1: movdqu %%xmm0, %0\n"
                         "   mov %0, %%rax\n"
                         "   cmp %%rax, %%rbx\n"
                         "   je 1b\n"
                         : "+m" (xmm0) : : "rax", "rbx", "xmm0");
            printf("BUG: xmm registers corrupted!  tracee=%d, xmm0=%08X%08X%08X%08X\n",
                   tracee, xmm0[0], xmm0[1], xmm0[2], xmm0[3]);
        } else {
            usleep(100000);
            ptrace(PTRACE_ATTACH, pid, 0, 0);
            wait(NULL);
            ptrace(PTRACE_GETREGSET, pid, NT_X86_XSTATE, &iov);
            xstate[65] = -1;
            ptrace(PTRACE_SETREGSET, pid, NT_X86_XSTATE, &iov);
            ptrace(PTRACE_CONT, pid, 0, 0);
            wait(NULL);
        }
        return 1;
    }

Note: the program only tests for the bug using the ptrace() system call.
The bug can also be reproduced using the rt_sigreturn() system call, but
only when called from a 32-bit program, since for 64-bit programs the
kernel restores the FPU state from the signal frame by doing XRSTOR
directly from userspace memory (with proper error checking).

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Rik van Riel <riel@redhat.com>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Eric Biggers <ebiggers3@gmail.com>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: Kevin Hao <haokexin@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Michael Halcrow <mhalcrow@google.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Wanpeng Li <wanpeng.li@hotmail.com>
Cc: Yu-cheng Yu <yu-cheng.yu@intel.com>
Cc: kernel-hardening@lists.openwall.com
Fixes: 0b29643a5843 ("x86/xsaves: Change compacted format xsave area header")
Link: http://lkml.kernel.org/r/20170922174156.16780-2-ebiggers3@gmail.com
Link: http://lkml.kernel.org/r/20170923130016.21448-25-mingo@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/fpu/regset.c |    9 +++++++--
 arch/x86/kernel/fpu/signal.c |    4 ++++
 2 files changed, 11 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/fpu/regset.c
+++ b/arch/x86/kernel/fpu/regset.c
@@ -130,11 +130,16 @@ int xstateregs_set(struct task_struct *t
 
 	fpu__activate_fpstate_write(fpu);
 
-	if (boot_cpu_has(X86_FEATURE_XSAVES))
+	if (boot_cpu_has(X86_FEATURE_XSAVES)) {
 		ret = copyin_to_xsaves(kbuf, ubuf, xsave);
-	else
+	} else {
 		ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, xsave, 0, -1);
 
+		/* xcomp_bv must be 0 when using uncompacted format */
+		if (!ret && xsave->header.xcomp_bv)
+			ret = -EINVAL;
+	}
+
 	/*
 	 * In case of failure, mark all states as init:
 	 */
--- a/arch/x86/kernel/fpu/signal.c
+++ b/arch/x86/kernel/fpu/signal.c
@@ -329,6 +329,10 @@ static int __fpu__restore_sig(void __use
 		} else {
 			err = __copy_from_user(&fpu->state.xsave,
 					       buf_fx, state_size);
+
+			/* xcomp_bv must be 0 when using uncompacted format */
+			if (!err && state_size > offsetof(struct xregs_state, header) && fpu->state.xsave.header.xcomp_bv)
+				err = -EINVAL;
 		}
 
 		if (err || __copy_from_user(&env, buf, sizeof(env))) {

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [kernel-hardening] [PATCH 4.9 56/64] x86/fpu: Dont let userspace set bogus xcomp_bv
@ 2017-10-03 12:23   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Vyukov, Eric Biggers,
	Kees Cook, Rik van Riel, Dave Hansen, Andrew Morton,
	Andy Lutomirski, Andy Lutomirski, Borislav Petkov, Eric Biggers,
	Fenghua Yu, Kevin Hao, Linus Torvalds, Michael Halcrow,
	Oleg Nesterov, Peter Zijlstra, Thomas Gleixner, Wanpeng Li,
	Yu-cheng Yu, kernel-hardening, Ingo Molnar

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------


From: Eric Biggers <ebiggers@google.com>

commit 814fb7bb7db5433757d76f4c4502c96fc53b0b5e upstream.

On x86, userspace can use the ptrace() or rt_sigreturn() system calls to
set a task's extended state (xstate) or "FPU" registers.  ptrace() can
set them for another task using the PTRACE_SETREGSET request with
NT_X86_XSTATE, while rt_sigreturn() can set them for the current task.
In either case, registers can be set to any value, but the kernel
assumes that the XSAVE area itself remains valid in the sense that the
CPU can restore it.

However, in the case where the kernel is using the uncompacted xstate
format (which it does whenever the XSAVES instruction is unavailable),
it was possible for userspace to set the xcomp_bv field in the
xstate_header to an arbitrary value.  However, all bits in that field
are reserved in the uncompacted case, so when switching to a task with
nonzero xcomp_bv, the XRSTOR instruction failed with a #GP fault.  This
caused the WARN_ON_FPU(err) in copy_kernel_to_xregs() to be hit.  In
addition, since the error is otherwise ignored, the FPU registers from
the task previously executing on the CPU were leaked.

Fix the bug by checking that the user-supplied value of xcomp_bv is 0 in
the uncompacted case, and returning an error otherwise.

The reason for validating xcomp_bv rather than simply overwriting it
with 0 is that we want userspace to see an error if it (incorrectly)
provides an XSAVE area in compacted format rather than in uncompacted
format.

Note that as before, in case of error we clear the task's FPU state.
This is perhaps non-ideal, especially for PTRACE_SETREGSET; it might be
better to return an error before changing anything.  But it seems the
"clear on error" behavior is fine for now, and it's a little tricky to
do otherwise because it would mean we couldn't simply copy the full
userspace state into kernel memory in one __copy_from_user().

This bug was found by syzkaller, which hit the above-mentioned
WARN_ON_FPU():

    WARNING: CPU: 1 PID: 0 at ./arch/x86/include/asm/fpu/internal.h:373 __switch_to+0x5b5/0x5d0
    CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.13.0 #453
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    task: ffff9ba2bc8e42c0 task.stack: ffffa78cc036c000
    RIP: 0010:__switch_to+0x5b5/0x5d0
    RSP: 0000:ffffa78cc08bbb88 EFLAGS: 00010082
    RAX: 00000000fffffffe RBX: ffff9ba2b8bf2180 RCX: 00000000c0000100
    RDX: 00000000ffffffff RSI: 000000005cb10700 RDI: ffff9ba2b8bf36c0
    RBP: ffffa78cc08bbbd0 R08: 00000000929fdf46 R09: 0000000000000001
    R10: 0000000000000000 R11: 0000000000000000 R12: ffff9ba2bc8e42c0
    R13: 0000000000000000 R14: ffff9ba2b8bf3680 R15: ffff9ba2bf5d7b40
    FS:  00007f7e5cb10700(0000) GS:ffff9ba2bf400000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00000000004005cc CR3: 0000000079fd5000 CR4: 00000000001406e0
    Call Trace:
    Code: 84 00 00 00 00 00 e9 11 fd ff ff 0f ff 66 0f 1f 84 00 00 00 00 00 e9 e7 fa ff ff 0f ff 66 0f 1f 84 00 00 00 00 00 e9 c2 fa ff ff <0f> ff 66 0f 1f 84 00 00 00 00 00 e9 d4 fc ff ff 66 66 2e 0f 1f

Here is a C reproducer.  The expected behavior is that the program spin
forever with no output.  However, on a buggy kernel running on a
processor with the "xsave" feature but without the "xsaves" feature
(e.g. Sandy Bridge through Broadwell for Intel), within a second or two
the program reports that the xmm registers were corrupted, i.e. were not
restored correctly.  With CONFIG_X86_DEBUG_FPU=y it also hits the above
kernel warning.

    #define _GNU_SOURCE
    #include <stdbool.h>
    #include <inttypes.h>
    #include <linux/elf.h>
    #include <stdio.h>
    #include <sys/ptrace.h>
    #include <sys/uio.h>
    #include <sys/wait.h>
    #include <unistd.h>

    int main(void)
    {
        int pid = fork();
        uint64_t xstate[512];
        struct iovec iov = { .iov_base = xstate, .iov_len = sizeof(xstate) };

        if (pid == 0) {
            bool tracee = true;
            for (int i = 0; i < sysconf(_SC_NPROCESSORS_ONLN) && tracee; i++)
                tracee = (fork() != 0);
            uint32_t xmm0[4] = { [0 ... 3] = tracee ? 0x00000000 : 0xDEADBEEF };
            asm volatile("   movdqu %0, %%xmm0\n"
                         "   mov %0, %%rbx\n"
                         "1: movdqu %%xmm0, %0\n"
                         "   mov %0, %%rax\n"
                         "   cmp %%rax, %%rbx\n"
                         "   je 1b\n"
                         : "+m" (xmm0) : : "rax", "rbx", "xmm0");
            printf("BUG: xmm registers corrupted!  tracee=%d, xmm0=%08X%08X%08X%08X\n",
                   tracee, xmm0[0], xmm0[1], xmm0[2], xmm0[3]);
        } else {
            usleep(100000);
            ptrace(PTRACE_ATTACH, pid, 0, 0);
            wait(NULL);
            ptrace(PTRACE_GETREGSET, pid, NT_X86_XSTATE, &iov);
            xstate[65] = -1;
            ptrace(PTRACE_SETREGSET, pid, NT_X86_XSTATE, &iov);
            ptrace(PTRACE_CONT, pid, 0, 0);
            wait(NULL);
        }
        return 1;
    }

Note: the program only tests for the bug using the ptrace() system call.
The bug can also be reproduced using the rt_sigreturn() system call, but
only when called from a 32-bit program, since for 64-bit programs the
kernel restores the FPU state from the signal frame by doing XRSTOR
directly from userspace memory (with proper error checking).

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Rik van Riel <riel@redhat.com>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Eric Biggers <ebiggers3@gmail.com>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: Kevin Hao <haokexin@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Michael Halcrow <mhalcrow@google.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Wanpeng Li <wanpeng.li@hotmail.com>
Cc: Yu-cheng Yu <yu-cheng.yu@intel.com>
Cc: kernel-hardening@lists.openwall.com
Fixes: 0b29643a5843 ("x86/xsaves: Change compacted format xsave area header")
Link: http://lkml.kernel.org/r/20170922174156.16780-2-ebiggers3@gmail.com
Link: http://lkml.kernel.org/r/20170923130016.21448-25-mingo@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/fpu/regset.c |    9 +++++++--
 arch/x86/kernel/fpu/signal.c |    4 ++++
 2 files changed, 11 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/fpu/regset.c
+++ b/arch/x86/kernel/fpu/regset.c
@@ -130,11 +130,16 @@ int xstateregs_set(struct task_struct *t
 
 	fpu__activate_fpstate_write(fpu);
 
-	if (boot_cpu_has(X86_FEATURE_XSAVES))
+	if (boot_cpu_has(X86_FEATURE_XSAVES)) {
 		ret = copyin_to_xsaves(kbuf, ubuf, xsave);
-	else
+	} else {
 		ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, xsave, 0, -1);
 
+		/* xcomp_bv must be 0 when using uncompacted format */
+		if (!ret && xsave->header.xcomp_bv)
+			ret = -EINVAL;
+	}
+
 	/*
 	 * In case of failure, mark all states as init:
 	 */
--- a/arch/x86/kernel/fpu/signal.c
+++ b/arch/x86/kernel/fpu/signal.c
@@ -329,6 +329,10 @@ static int __fpu__restore_sig(void __use
 		} else {
 			err = __copy_from_user(&fpu->state.xsave,
 					       buf_fx, state_size);
+
+			/* xcomp_bv must be 0 when using uncompacted format */
+			if (!err && state_size > offsetof(struct xregs_state, header) && fpu->state.xsave.header.xcomp_bv)
+				err = -EINVAL;
 		}
 
 		if (err || __copy_from_user(&env, buf, sizeof(env))) {

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 57/64] gfs2: Fix debugfs glocks dump
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2017-10-03 12:23   ` [kernel-hardening] " Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 58/64] timer/sysclt: Restrict timer migration sysctl values to 0 and 1 Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andreas Gruenbacher, Bob Peterson

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andreas Gruenbacher <agruenba@redhat.com>

commit 10201655b085df8e000822e496e5d4016a167a36 upstream.

The switch to rhashtables (commit 88ffbf3e03) broke the debugfs glock
dump (/sys/kernel/debug/gfs2/<device>/glocks) for dumps bigger than a
single buffer: the right function for restarting an rhashtable iteration
from the beginning of the hash table is rhashtable_walk_enter;
rhashtable_walk_stop + rhashtable_walk_start will just resume from the
current position.

The upstream commit doesn't directly apply to 4.9.y because 4.9.y
doesn't have the following mainline commits:

  92ecd73a887c4a2b94daf5fc35179d75d1c4ef95
    gfs2: Deduplicate gfs2_{glocks,glstats}_open
  cc37a62785a584f4875788689f3fd1fa6e4eb291
    gfs2: Replace rhashtable_walk_init with rhashtable_walk_enter

Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/gfs2/glock.c |   16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

--- a/fs/gfs2/glock.c
+++ b/fs/gfs2/glock.c
@@ -1836,13 +1836,9 @@ static void *gfs2_glock_seq_start(struct
 {
 	struct gfs2_glock_iter *gi = seq->private;
 	loff_t n = *pos;
-	int ret;
 
-	if (gi->last_pos <= *pos)
-		n = (*pos - gi->last_pos);
-
-	ret = rhashtable_walk_start(&gi->hti);
-	if (ret)
+	rhashtable_walk_enter(&gl_hash_table, &gi->hti);
+	if (rhashtable_walk_start(&gi->hti) != 0)
 		return NULL;
 
 	do {
@@ -1850,6 +1846,7 @@ static void *gfs2_glock_seq_start(struct
 	} while (gi->gl && n--);
 
 	gi->last_pos = *pos;
+
 	return gi->gl;
 }
 
@@ -1861,6 +1858,7 @@ static void *gfs2_glock_seq_next(struct
 	(*pos)++;
 	gi->last_pos = *pos;
 	gfs2_glock_iter_next(gi);
+
 	return gi->gl;
 }
 
@@ -1870,6 +1868,7 @@ static void gfs2_glock_seq_stop(struct s
 
 	gi->gl = NULL;
 	rhashtable_walk_stop(&gi->hti);
+	rhashtable_walk_exit(&gi->hti);
 }
 
 static int gfs2_glock_seq_show(struct seq_file *seq, void *iter_ptr)
@@ -1932,12 +1931,10 @@ static int gfs2_glocks_open(struct inode
 		struct gfs2_glock_iter *gi = seq->private;
 
 		gi->sdp = inode->i_private;
-		gi->last_pos = 0;
 		seq->buf = kmalloc(GFS2_SEQ_GOODSIZE, GFP_KERNEL | __GFP_NOWARN);
 		if (seq->buf)
 			seq->size = GFS2_SEQ_GOODSIZE;
 		gi->gl = NULL;
-		ret = rhashtable_walk_init(&gl_hash_table, &gi->hti, GFP_KERNEL);
 	}
 	return ret;
 }
@@ -1948,7 +1945,6 @@ static int gfs2_glocks_release(struct in
 	struct gfs2_glock_iter *gi = seq->private;
 
 	gi->gl = NULL;
-	rhashtable_walk_exit(&gi->hti);
 	return seq_release_private(inode, file);
 }
 
@@ -1960,12 +1956,10 @@ static int gfs2_glstats_open(struct inod
 		struct seq_file *seq = file->private_data;
 		struct gfs2_glock_iter *gi = seq->private;
 		gi->sdp = inode->i_private;
-		gi->last_pos = 0;
 		seq->buf = kmalloc(GFS2_SEQ_GOODSIZE, GFP_KERNEL | __GFP_NOWARN);
 		if (seq->buf)
 			seq->size = GFS2_SEQ_GOODSIZE;
 		gi->gl = NULL;
-		ret = rhashtable_walk_init(&gl_hash_table, &gi->hti, GFP_KERNEL);
 	}
 	return ret;
 }

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 58/64] timer/sysclt: Restrict timer migration sysctl values to 0 and 1
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 57/64] gfs2: Fix debugfs glocks dump Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 61/64] cxl: Fix driver use count Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Myungho Jung, Thomas Gleixner,
	Kazuhiro Hayashi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Myungho Jung <mhjungk@gmail.com>

commit b94bf594cf8ed67cdd0439e70fa939783471597a upstream.

timer_migration sysctl acts as a boolean switch, so the allowed values
should be restricted to 0 and 1.

Add the necessary extra fields to the sysctl table entry to enforce that.

[ tglx: Rewrote changelog ]

Signed-off-by: Myungho Jung <mhjungk@gmail.com>
Link: http://lkml.kernel.org/r/1492640690-3550-1-git-send-email-mhjungk@gmail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/sysctl.c     |    2 ++
 kernel/time/timer.c |    2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1189,6 +1189,8 @@ static struct ctl_table kern_table[] = {
 		.maxlen		= sizeof(unsigned int),
 		.mode		= 0644,
 		.proc_handler	= timer_migration_handler,
+		.extra1		= &zero,
+		.extra2		= &one,
 	},
 #endif
 #ifdef CONFIG_BPF_SYSCALL
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -240,7 +240,7 @@ int timer_migration_handler(struct ctl_t
 	int ret;
 
 	mutex_lock(&mutex);
-	ret = proc_dointvec(table, write, buffer, lenp, ppos);
+	ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
 	if (!ret && write)
 		timers_update_migration(false);
 	mutex_unlock(&mutex);

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 61/64] cxl: Fix driver use count
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 58/64] timer/sysclt: Restrict timer migration sysctl values to 0 and 1 Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 62/64] KVM: VMX: use cmpxchg64 Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Frederic Barrat, Andrew Donnellan,
	Michael Ellerman

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Frederic Barrat <fbarrat@linux.vnet.ibm.com>

commit 197267d0356004a31c4d6b6336598f5dff3301e1 upstream.

cxl keeps a driver use count, which is used with the hash memory model
on p8 to know when to upgrade local TLBIs to global and to trigger
callbacks to manage the MMU for PSL8.

If a process opens a context and closes without attaching or fails the
attachment, the driver use count is never decremented. As a
consequence, TLB invalidations remain global, even if there are no
active cxl contexts.

We should increment the driver use count when the process is attaching
to the cxl adapter, and not on open. It's not needed before the
adapter starts using the context and the use count is decremented on
the detach path, so it makes more sense.

It affects only the user api. The kernel api is already doing The
Right Thing.

Signed-off-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
Cc: stable@vger.kernel.org # v4.2+
Fixes: 7bb5d91a4dda ("cxl: Rework context lifetimes")
Acked-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
[ajd: backport to stable v4.9 tree]
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/cxl/api.c  |    4 ++++
 drivers/misc/cxl/file.c |    8 +++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/misc/cxl/api.c
+++ b/drivers/misc/cxl/api.c
@@ -244,6 +244,10 @@ int cxl_start_context(struct cxl_context
 		ctx->real_mode = false;
 	}
 
+	/*
+	 * Increment driver use count. Enables global TLBIs for hash
+	 * and callbacks to handle the segment table
+	 */
 	cxl_ctx_get();
 
 	if ((rc = cxl_ops->attach_process(ctx, kernel, wed, 0))) {
--- a/drivers/misc/cxl/file.c
+++ b/drivers/misc/cxl/file.c
@@ -91,7 +91,6 @@ static int __afu_open(struct inode *inod
 
 	pr_devel("afu_open pe: %i\n", ctx->pe);
 	file->private_data = ctx;
-	cxl_ctx_get();
 
 	/* indicate success */
 	rc = 0;
@@ -213,6 +212,12 @@ static long afu_ioctl_start_work(struct
 	ctx->glpid = get_task_pid(current->group_leader, PIDTYPE_PID);
 
 
+	/*
+	 * Increment driver use count. Enables global TLBIs for hash
+	 * and callbacks to handle the segment table
+	 */
+	cxl_ctx_get();
+
 	trace_cxl_attach(ctx, work.work_element_descriptor, work.num_interrupts, amr);
 
 	if ((rc = cxl_ops->attach_process(ctx, false, work.work_element_descriptor,
@@ -222,6 +227,7 @@ static long afu_ioctl_start_work(struct
 		put_pid(ctx->glpid);
 		put_pid(ctx->pid);
 		ctx->glpid = ctx->pid = NULL;
+		cxl_ctx_put();
 		goto out;
 	}
 

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 62/64] KVM: VMX: use cmpxchg64
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 61/64] cxl: Fix driver use count Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 63/64] video: fbdev: aty: do not leak uninitialized padding in clk to userspace Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Paolo Bonzini

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit c0a1666bcb2a33e84187a15eabdcd54056be9a97 upstream.

This fixes a compilation failure on 32-bit systems.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/vmx.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -2203,8 +2203,8 @@ static void vmx_vcpu_pi_load(struct kvm_
 			new.ndst = (dest << 8) & 0xFF00;
 
 		new.sn = 0;
-	} while (cmpxchg(&pi_desc->control, old.control,
-			new.control) != old.control);
+	} while (cmpxchg64(&pi_desc->control, old.control,
+			   new.control) != old.control);
 }
 
 static void decache_tsc_multiplier(struct vcpu_vmx *vmx)
@@ -11039,8 +11039,8 @@ static void __pi_post_block(struct kvm_v
 
 		/* set 'NV' to 'notification vector' */
 		new.nv = POSTED_INTR_VECTOR;
-	} while (cmpxchg(&pi_desc->control, old.control,
-			new.control) != old.control);
+	} while (cmpxchg64(&pi_desc->control, old.control,
+			   new.control) != old.control);
 
 	if (!WARN_ON_ONCE(vcpu->pre_pcpu == -1)) {
 		spin_lock(&per_cpu(blocked_vcpu_on_cpu_lock, vcpu->pre_pcpu));
@@ -11109,8 +11109,8 @@ static int pi_pre_block(struct kvm_vcpu
 
 		/* set 'NV' to 'wakeup vector' */
 		new.nv = POSTED_INTR_WAKEUP_VECTOR;
-	} while (cmpxchg(&pi_desc->control, old.control,
-			new.control) != old.control);
+	} while (cmpxchg64(&pi_desc->control, old.control,
+			   new.control) != old.control);
 
 	/* We should not block the vCPU if an interrupt is posted for it.  */
 	if (pi_test_on(pi_desc) == 1)

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 63/64] video: fbdev: aty: do not leak uninitialized padding in clk to userspace
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 62/64] KVM: VMX: use cmpxchg64 Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 12:23 ` [PATCH 4.9 64/64] swiotlb-xen: implement xen_swiotlb_dma_mmap callback Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, sohu0106, Vladis Dronov,
	Bartlomiej Zolnierkiewicz

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vladis Dronov <vdronov@redhat.com>

commit 8e75f7a7a00461ef6d91797a60b606367f6e344d upstream.

'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
field unitialized, leaking data from the stack. Fix this ensuring all of
'clk' is initialized to zero.

References: https://github.com/torvalds/linux/pull/441
Reported-by: sohu0106 <sohu0106@126.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/fbdev/aty/atyfb_base.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/video/fbdev/aty/atyfb_base.c
+++ b/drivers/video/fbdev/aty/atyfb_base.c
@@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *i
 #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
 	case ATYIO_CLKR:
 		if (M64_HAS(INTEGRATED)) {
-			struct atyclk clk;
+			struct atyclk clk = { 0 };
 			union aty_pll *pll = &par->pll;
 			u32 dsp_config = pll->ct.dsp_config;
 			u32 dsp_on_off = pll->ct.dsp_on_off;

^ permalink raw reply	[flat|nested] 65+ messages in thread

* [PATCH 4.9 64/64] swiotlb-xen: implement xen_swiotlb_dma_mmap callback
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 63/64] video: fbdev: aty: do not leak uninitialized padding in clk to userspace Greg Kroah-Hartman
@ 2017-10-03 12:23 ` Greg Kroah-Hartman
  2017-10-03 19:27 ` [PATCH 4.9 00/64] 4.9.53-stable review Shuah Khan
                   ` (2 subsequent siblings)
  60 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-03 12:23 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefano Stabellini,
	Oleksandr Dmytryshyn, Andrii Anisov, Konrad Rzeszutek Wilk

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefano Stabellini <stefano.stabellini@eu.citrix.com>

commit 7e91c7df29b5e196de3dc6f086c8937973bd0b88 upstream.

This function creates userspace mapping for the DMA-coherent memory.

Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Oleksandr Dmytryshyn <oleksandr.dmytryshyn@globallogic.com>
Signed-off-by: Andrii Anisov <andrii_anisov@epam.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/xen/mm.c         |    1 +
 drivers/xen/swiotlb-xen.c |   19 +++++++++++++++++++
 include/xen/swiotlb-xen.h |    5 +++++
 3 files changed, 25 insertions(+)

--- a/arch/arm/xen/mm.c
+++ b/arch/arm/xen/mm.c
@@ -199,6 +199,7 @@ static struct dma_map_ops xen_swiotlb_dm
 	.unmap_page = xen_swiotlb_unmap_page,
 	.dma_supported = xen_swiotlb_dma_supported,
 	.set_dma_mask = xen_swiotlb_set_dma_mask,
+	.mmap = xen_swiotlb_dma_mmap,
 };
 
 int __init xen_mm_init(void)
--- a/drivers/xen/swiotlb-xen.c
+++ b/drivers/xen/swiotlb-xen.c
@@ -680,3 +680,22 @@ xen_swiotlb_set_dma_mask(struct device *
 	return 0;
 }
 EXPORT_SYMBOL_GPL(xen_swiotlb_set_dma_mask);
+
+/*
+ * Create userspace mapping for the DMA-coherent memory.
+ * This function should be called with the pages from the current domain only,
+ * passing pages mapped from other domains would lead to memory corruption.
+ */
+int
+xen_swiotlb_dma_mmap(struct device *dev, struct vm_area_struct *vma,
+		     void *cpu_addr, dma_addr_t dma_addr, size_t size,
+		     unsigned long attrs)
+{
+#if defined(CONFIG_ARM) || defined(CONFIG_ARM64)
+	if (__generic_dma_ops(dev)->mmap)
+		return __generic_dma_ops(dev)->mmap(dev, vma, cpu_addr,
+						    dma_addr, size, attrs);
+#endif
+	return dma_common_mmap(dev, vma, cpu_addr, dma_addr, size);
+}
+EXPORT_SYMBOL_GPL(xen_swiotlb_dma_mmap);
--- a/include/xen/swiotlb-xen.h
+++ b/include/xen/swiotlb-xen.h
@@ -58,4 +58,9 @@ xen_swiotlb_dma_supported(struct device
 
 extern int
 xen_swiotlb_set_dma_mask(struct device *dev, u64 dma_mask);
+
+extern int
+xen_swiotlb_dma_mmap(struct device *dev, struct vm_area_struct *vma,
+		     void *cpu_addr, dma_addr_t dma_addr, size_t size,
+		     unsigned long attrs);
 #endif /* __LINUX_SWIOTLB_XEN_H */

^ permalink raw reply	[flat|nested] 65+ messages in thread

* Re: [PATCH 4.9 00/64] 4.9.53-stable review
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2017-10-03 12:23 ` [PATCH 4.9 64/64] swiotlb-xen: implement xen_swiotlb_dma_mmap callback Greg Kroah-Hartman
@ 2017-10-03 19:27 ` Shuah Khan
  2017-10-03 20:29 ` Tom Gall
  2017-10-03 20:42 ` Guenter Roeck
  60 siblings, 0 replies; 65+ messages in thread
From: Shuah Khan @ 2017-10-03 19:27 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, stable, Shuah Khan

On 10/03/2017 06:22 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.53 release.
> There are 64 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu Oct  5 11:42:06 UTC 2017.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.53-rc1.gz
> or in the git tree and branch at:
>   git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 65+ messages in thread

* Re: [PATCH 4.9 00/64] 4.9.53-stable review
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2017-10-03 19:27 ` [PATCH 4.9 00/64] 4.9.53-stable review Shuah Khan
@ 2017-10-03 20:29 ` Tom Gall
  2017-10-04  7:56   ` Greg Kroah-Hartman
  2017-10-03 20:42 ` Guenter Roeck
  60 siblings, 1 reply; 65+ messages in thread
From: Tom Gall @ 2017-10-03 20:29 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, linux, shuahkh, patches,
	ben.hutchings, linux- stable


> On Oct 3, 2017, at 7:22 AM, Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> 
> This is the start of the stable review cycle for the 4.9.53 release.
> There are 64 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu Oct  5 11:42:06 UTC 2017.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.53-rc1.gz
> or in the git tree and branch at:
>  git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 


Test results from the linaro linux kernel functional test farm:

kernel: 4.9.53-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.9.y
git commit: aceea42c68d96c58958954e4c8c23a26f8883d62
git describe: v4.9.52-65-gaceea42c68d9
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.9-oe/build/v4.9.52-65-gaceea42c68d9


No regressions (compared to build v4.9.51-78-ge009129d09cb)

Boards, architectures and test suites:
-------------------------------------

hi6220-hikey - arm64 
* boot - 1 pass
* kselftest - 38 pass - 1 skip - 15 known failures
* libhugetlbfs - 90 pass - 1 skip
* ltp-syscalls-tests - 964 pass - 136 skip

juno-r2 - arm64 
* boot - 1 pass
* kselftest - 37 pass - 1 skip - 14 known failures
* libhugetlbfs - 90 pass - 1 skip

dell-poweredge-r200 - x86_64 
* boot - 1 pass
* kselftest - 52 pass - 15 known failures
* libhugetlbfs - 76 pass - 1 skip
* ltp-syscalls-tests - 941 pass - 175 skip - 11known failures

Tom

Director, Linaro Mobile Group
Linaro.org │ Open source software for ARM SoCs
irc: tgall_foo | skype : tom_gall  

"Where's the kaboom!? There was supposed to be an earth-shattering kaboom!" Marvin Martian

^ permalink raw reply	[flat|nested] 65+ messages in thread

* Re: [PATCH 4.9 00/64] 4.9.53-stable review
  2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2017-10-03 20:29 ` Tom Gall
@ 2017-10-03 20:42 ` Guenter Roeck
  60 siblings, 0 replies; 65+ messages in thread
From: Guenter Roeck @ 2017-10-03 20:42 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuahkh, patches, ben.hutchings, stable

On Tue, Oct 03, 2017 at 02:22:52PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.53 release.
> There are 64 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu Oct  5 11:42:06 UTC 2017.
> Anything received after that time might be too late.
> 

Build results:
	total: 145 pass: 145 fail: 0
Qemu test results:
	total: 123 pass: 123 fail: 0

Details are available at http://kerneltests.org/builders.

Guenter

^ permalink raw reply	[flat|nested] 65+ messages in thread

* Re: [PATCH 4.9 00/64] 4.9.53-stable review
  2017-10-03 20:29 ` Tom Gall
@ 2017-10-04  7:56   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 65+ messages in thread
From: Greg Kroah-Hartman @ 2017-10-04  7:56 UTC (permalink / raw)
  To: Tom Gall
  Cc: linux-kernel, torvalds, akpm, linux, shuahkh, patches,
	ben.hutchings, linux- stable

On Tue, Oct 03, 2017 at 03:29:46PM -0500, Tom Gall wrote:
> 
> > On Oct 3, 2017, at 7:22 AM, Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> > 
> > This is the start of the stable review cycle for the 4.9.53 release.
> > There are 64 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Thu Oct  5 11:42:06 UTC 2017.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > 	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.53-rc1.gz
> > or in the git tree and branch at:
> >  git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> > and the diffstat can be found below.
> > 
> > thanks,
> > 
> > greg k-h
> > 
> 
> 
> Test results from the linaro linux kernel functional test farm:
> 
> kernel: 4.9.53-rc1
> git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
> git branch: linux-4.9.y
> git commit: aceea42c68d96c58958954e4c8c23a26f8883d62
> git describe: v4.9.52-65-gaceea42c68d9
> Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.9-oe/build/v4.9.52-65-gaceea42c68d9
> 
> 
> No regressions (compared to build v4.9.51-78-ge009129d09cb)
> 
> Boards, architectures and test suites:
> -------------------------------------
> 
> hi6220-hikey - arm64 
> * boot - 1 pass
> * kselftest - 38 pass - 1 skip - 15 known failures
> * libhugetlbfs - 90 pass - 1 skip
> * ltp-syscalls-tests - 964 pass - 136 skip
> 
> juno-r2 - arm64 
> * boot - 1 pass
> * kselftest - 37 pass - 1 skip - 14 known failures
> * libhugetlbfs - 90 pass - 1 skip
> 
> dell-poweredge-r200 - x86_64 
> * boot - 1 pass
> * kselftest - 52 pass - 15 known failures
> * libhugetlbfs - 76 pass - 1 skip
> * ltp-syscalls-tests - 941 pass - 175 skip - 11known failures

Looks like you lost a ' ' in that last line somehow :)

Anyway, again, lots of "known failures", do these also show up in
4.13-stable?

thanks for testing and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 65+ messages in thread

end of thread, other threads:[~2017-10-04  7:56 UTC | newest]

Thread overview: 65+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-10-03 12:22 [PATCH 4.9 00/64] 4.9.53-stable review Greg Kroah-Hartman
2017-10-03 12:22 ` [PATCH 4.9 01/64] cifs: release cifs root_cred after exit_cifs Greg Kroah-Hartman
2017-10-03 12:22 ` [PATCH 4.9 02/64] cifs: release auth_key.response for reconnect Greg Kroah-Hartman
2017-10-03 12:22 ` [PATCH 4.9 03/64] fs/proc: Report eip/esp in /prod/PID/stat for coredumping Greg Kroah-Hartman
2017-10-03 12:22 ` [PATCH 4.9 04/64] mac80211: fix VLAN handling with TXQs Greg Kroah-Hartman
2017-10-03 12:22 ` [PATCH 4.9 05/64] mac80211_hwsim: Use proper TX power Greg Kroah-Hartman
2017-10-03 12:22 ` [PATCH 4.9 06/64] mac80211: flush hw_roc_start work before cancelling the ROC Greg Kroah-Hartman
2017-10-03 12:22 ` [PATCH 4.9 07/64] genirq: Make sparse_irq_lock protect what it should protect Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 08/64] KVM: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce() Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 09/64] KVM: PPC: Book3S HV: Protect updates to spapr_tce_tables list Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 10/64] tracing: Fix trace_pipe behavior for instance traces Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 11/64] tracing: Erase irqsoff trace with empty write Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 12/64] md/raid5: fix a race condition in stripe batch Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 13/64] md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 14/64] scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesnt parse nlmsg properly Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 15/64] drm/radeon: disable hard reset in hibernate for APUs Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 16/64] crypto: drbg - fix freeing of resources Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 17/64] crypto: talitos - Dont provide setkey for non hmac hashing algs Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 18/64] crypto: talitos - fix sha224 Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 19/64] crypto: talitos - fix hashing Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 20/64] security/keys: properly zero out sensitive key material in big_key Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 21/64] security/keys: rewrite all of big_key crypto Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 22/64] KEYS: fix writing past end of user-supplied buffer in keyring_read() Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 23/64] KEYS: prevent creating a different users keyrings Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 24/64] KEYS: prevent KEYCTL_READ on negative key Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 25/64] powerpc/pseries: Fix parent_dn reference leak in add_dt_node() Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 26/64] powerpc/tm: Flush TM only if CPU has TM feature Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 27/64] powerpc/ftrace: Pass the correct stack pointer for DYNAMIC_FTRACE_WITH_REGS Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 28/64] s390/mm: fix write access check in gup_huge_pmd() Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 29/64] PM: core: Fix device_pm_check_callbacks() Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 30/64] Fix SMB3.1.1 guest authentication to Samba Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 31/64] SMB3: Warn user if trying to sign connection that authenticated as guest Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 32/64] SMB: Validate negotiate (to protect against downgrade) even if signing off Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 33/64] SMB3: Dont ignore O_SYNC/O_DSYNC and O_DIRECT flags Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 34/64] vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 35/64] nl80211: check for the required netlink attributes presence Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 36/64] bsg-lib: dont free job in bsg_prepare_job Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 37/64] iw_cxgb4: remove the stid on listen create failure Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 38/64] iw_cxgb4: put ep reference in pass_accept_req() Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 39/64] selftests/seccomp: Support glibc 2.26 siginfo_t.h Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 40/64] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter() Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 41/64] arm64: Make sure SPsel is always set Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 42/64] arm64: fault: Route pte translation faults via do_translation_fault Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 46/64] kvm/x86: Handle async PF in RCU read-side critical sections Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 48/64] kvm: nVMX: Dont allow L2 to access the hardware CR8 Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 49/64] xfs: validate bdev support for DAX inode flag Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 50/64] etnaviv: fix gem object list corruption Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 51/64] PCI: Fix race condition with driver_override Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 52/64] btrfs: fix NULL pointer dereference from free_reloc_roots() Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 53/64] btrfs: propagate error to btrfs_cmp_data_prepare caller Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 54/64] btrfs: prevent to set invalid default subvolid Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 55/64] x86/mm: Fix fault error path using unsafe vma pointer Greg Kroah-Hartman
2017-10-03 12:23   ` Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 56/64] x86/fpu: Dont let userspace set bogus xcomp_bv Greg Kroah-Hartman
2017-10-03 12:23   ` [kernel-hardening] " Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 57/64] gfs2: Fix debugfs glocks dump Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 58/64] timer/sysclt: Restrict timer migration sysctl values to 0 and 1 Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 61/64] cxl: Fix driver use count Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 62/64] KVM: VMX: use cmpxchg64 Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 63/64] video: fbdev: aty: do not leak uninitialized padding in clk to userspace Greg Kroah-Hartman
2017-10-03 12:23 ` [PATCH 4.9 64/64] swiotlb-xen: implement xen_swiotlb_dma_mmap callback Greg Kroah-Hartman
2017-10-03 19:27 ` [PATCH 4.9 00/64] 4.9.53-stable review Shuah Khan
2017-10-03 20:29 ` Tom Gall
2017-10-04  7:56   ` Greg Kroah-Hartman
2017-10-03 20:42 ` Guenter Roeck

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.