commit cb6621858813522e62fcba835541e4fcf57b3cb3 Author: Greg Kroah-Hartman Date: Wed Jul 12 16:55:36 2017 +0200 Linux 4.12.1 commit ead4cb80dbe1e24b8372dd3faa5211adfaa832f9 Author: Stephan Mueller Date: Fri May 26 12:11:31 2017 +0200 crypto: drbg - Fixes panic in wait_for_completion call commit b61929c654f2e725644935737c4c1ea9c741e2f8 upstream. Initialise ctr_completion variable before use. Cc: Signed-off-by: Harsh Jain Signed-off-by: Stephan Mueller Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 618ebd550b54da09fac69df5464680a419961075 Author: Juergen Gross Date: Thu Jun 8 16:03:42 2017 +0200 xen: avoid deadlock in xenbus driver commit 1a3fc2c402810bf336882e695abd1678dbc8d279 upstream. There has been a report about a deadlock in the xenbus driver: [ 247.979498] ====================================================== [ 247.985688] WARNING: possible circular locking dependency detected [ 247.991882] 4.12.0-rc4-00022-gc4b25c0 #575 Not tainted [ 247.997040] ------------------------------------------------------ [ 248.003232] xenbus/91 is trying to acquire lock: [ 248.007875] (&u->msgbuffer_mutex){+.+.+.}, at: [] xenbus_dev_queue_reply+0x3c/0x230 [ 248.017163] [ 248.017163] but task is already holding lock: [ 248.023096] (xb_write_mutex){+.+...}, at: [] xenbus_thread+0x5f0/0x798 [ 248.031267] [ 248.031267] which lock already depends on the new lock. [ 248.031267] [ 248.039615] [ 248.039615] the existing dependency chain (in reverse order) is: [ 248.047176] [ 248.047176] -> #1 (xb_write_mutex){+.+...}: [ 248.052943] __lock_acquire+0x1728/0x1778 [ 248.057498] lock_acquire+0xc4/0x288 [ 248.061630] __mutex_lock+0x84/0x868 [ 248.065755] mutex_lock_nested+0x3c/0x50 [ 248.070227] xs_send+0x164/0x1f8 [ 248.074015] xenbus_dev_request_and_reply+0x6c/0x88 [ 248.079427] xenbus_file_write+0x260/0x420 [ 248.084073] __vfs_write+0x48/0x138 [ 248.088113] vfs_write+0xa8/0x1b8 [ 248.091983] SyS_write+0x54/0xb0 [ 248.095768] el0_svc_naked+0x24/0x28 [ 248.099897] [ 248.099897] -> #0 (&u->msgbuffer_mutex){+.+.+.}: [ 248.106088] print_circular_bug+0x80/0x2e0 [ 248.110730] __lock_acquire+0x1768/0x1778 [ 248.115288] lock_acquire+0xc4/0x288 [ 248.119417] __mutex_lock+0x84/0x868 [ 248.123545] mutex_lock_nested+0x3c/0x50 [ 248.128016] xenbus_dev_queue_reply+0x3c/0x230 [ 248.133005] xenbus_thread+0x788/0x798 [ 248.137306] kthread+0x110/0x140 [ 248.141087] ret_from_fork+0x10/0x40 It is rather easy to avoid by dropping xb_write_mutex before calling xenbus_dev_queue_reply(). Fixes: fd8aa9095a95c02dcc35540a263267c29b8fda9d ("xen: optimize xenbus driver for multiple concurrent xenstore accesses"). Reported-by: Andre Przywara Signed-off-by: Juergen Gross Tested-by: Andre Przywara Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 1b4ba31bb80fa6b9c21fa28dcfee7dd0e3091b53 Author: Thomas Gleixner Date: Thu Jun 29 08:25:52 2017 +0200 sched/numa: Hide numa_wake_affine() from UP build commit ff801b716effd652f420204eddb36f6e4a716819 upstream. Stephen reported the following build warning in UP: kernel/sched/fair.c:2657:9: warning: 'struct sched_domain' declared inside parameter list ^ /home/sfr/next/next/kernel/sched/fair.c:2657:9: warning: its scope is only this definition or declaration, which is probably not what you want Hide the numa_wake_affine() inline stub on UP builds to get rid of it. Fixes: 3fed382b46ba ("sched/numa: Implement NUMA node level wake_affine()") Reported-by: Stephen Rothwell Signed-off-by: Thomas Gleixner Cc: Rik van Riel Cc: Peter Zijlstra Signed-off-by: Mel Gorman Signed-off-by: Greg Kroah-Hartman commit dc427c08fd6ddc3469324c4d33edec069748a38a Author: Rik van Riel Date: Fri Jun 23 12:55:30 2017 -0400 sched/fair: Remove effective_load() commit 815abf5af45f04f759f12f3172afd15226fd7f71 upstream. The effective_load() function was only used by the NUMA balancing code, and not by the regular load balancing code. Now that the NUMA balancing code no longer uses it either, get rid of it. Signed-off-by: Rik van Riel Cc: Linus Torvalds Cc: Mel Gorman Cc: Mike Galbraith Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: jhladky@redhat.com Cc: linux-kernel@vger.kernel.org Link: http://lkml.kernel.org/r/20170623165530.22514-5-riel@redhat.com Signed-off-by: Ingo Molnar Signed-off-by: Mel Gorman Signed-off-by: Greg Kroah-Hartman commit ac74b663696f2b0b9ab01e31c47a59ebe65b6588 Author: Rik van Riel Date: Fri Jun 23 12:55:29 2017 -0400 sched/numa: Implement NUMA node level wake_affine() commit 3fed382b46baac83703130fe4cd3d9147f427fb9 upstream. Since select_idle_sibling() can place a task anywhere on a socket, comparing loads between individual CPU cores makes no real sense for deciding whether to do an affine wakeup across sockets, either. Instead, compare the load between the sockets in a similar way the load balancer and the numa balancing code do. Signed-off-by: Rik van Riel Cc: Linus Torvalds Cc: Mel Gorman Cc: Mike Galbraith Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: jhladky@redhat.com Cc: linux-kernel@vger.kernel.org Link: http://lkml.kernel.org/r/20170623165530.22514-4-riel@redhat.com Signed-off-by: Ingo Molnar Signed-off-by: Mel Gorman Signed-off-by: Greg Kroah-Hartman commit 5a51f2febca9b47d62ae7a97089d2fd2e80ee600 Author: Rik van Riel Date: Fri Jun 23 12:55:28 2017 -0400 sched/fair: Simplify wake_affine() for the single socket case commit 7d894e6e34a5cdd12309c7e4a3f830277ad4b7bf upstream. Then 'this_cpu' and 'prev_cpu' are in the same socket, select_idle_sibling() will do its thing regardless of the return value of wake_affine(). Just return true and don't look at all the other things. Signed-off-by: Rik van Riel Cc: Linus Torvalds Cc: Mel Gorman Cc: Mike Galbraith Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: jhladky@redhat.com Cc: linux-kernel@vger.kernel.org Link: http://lkml.kernel.org/r/20170623165530.22514-3-riel@redhat.com Signed-off-by: Ingo Molnar Signed-off-by: Mel Gorman Signed-off-by: Greg Kroah-Hartman commit 6cd951eefda55cbbd4f638ec0f0cb173e4d3e4b9 Author: Rik van Riel Date: Fri Jun 23 12:55:27 2017 -0400 sched/numa: Override part of migrate_degrades_locality() when idle balancing commit 739294fb03f590401bbd7faa6d31a507e3ffada5 upstream. Several tests in the NAS benchmark seem to run a lot slower with NUMA balancing enabled, than with NUMA balancing disabled. The slower run time corresponds with increased idle time. Overriding the final test of migrate_degrades_locality (but still doing the other NUMA tests first) seems to improve performance of those benchmarks. Reported-by: Jirka Hladky Signed-off-by: Rik van Riel Cc: Linus Torvalds Cc: Mel Gorman Cc: Mike Galbraith Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-kernel@vger.kernel.org Link: http://lkml.kernel.org/r/20170623165530.22514-2-riel@redhat.com Signed-off-by: Ingo Molnar Signed-off-by: Mel Gorman Signed-off-by: Greg Kroah-Hartman commit 7084a918af5c4e934e2993c24b479673c54b31a8 Author: Vlastimil Babka Date: Mon May 15 15:13:16 2017 +0200 sched/numa: Use down_read_trylock() for the mmap_sem commit 8655d5497735b288f8a9b458bd22e7d1bf95bb61 upstream. A customer has reported a soft-lockup when running an intensive memory stress test, where the trace on multiple CPU's looks like this: RIP: 0010:[] [] native_queued_spin_lock_slowpath+0x10e/0x190 ... Call Trace: [] queued_spin_lock_slowpath+0x7/0xa [] change_protection_range+0x3b1/0x930 [] change_prot_numa+0x18/0x30 [] task_numa_work+0x1fe/0x310 [] task_work_run+0x72/0x90 Further investigation showed that the lock contention here is pmd_lock(). The task_numa_work() function makes sure that only one thread is let to perform the work in a single scan period (via cmpxchg), but if there's a thread with mmap_sem locked for writing for several periods, multiple threads in task_numa_work() can build up a convoy waiting for mmap_sem for read and then all get unblocked at once. This patch changes the down_read() to the trylock version, which prevents the build up. For a workload experiencing mmap_sem contention, it's probably better to postpone the NUMA balancing work anyway. This seems to have fixed the soft lockups involving pmd_lock(), which is in line with the convoy theory. Signed-off-by: Vlastimil Babka Signed-off-by: Peter Zijlstra (Intel) Acked-by: Rik van Riel Acked-by: Mel Gorman Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20170515131316.21909-1-vbabka@suse.cz Signed-off-by: Ingo Molnar Signed-off-by: Mel Gorman Signed-off-by: Greg Kroah-Hartman commit c329c440994eaa480c72b2092ed6c67b9a875e11 Author: Peter Zijlstra Date: Wed May 17 12:53:50 2017 +0200 sched/core: Implement new approach to scale select_idle_cpu() commit 1ad3aaf3fcd2444406628a19a9b9e0922b95e2d4 upstream. Hackbench recently suffered a bunch of pain, first by commit: 4c77b18cf8b7 ("sched/fair: Make select_idle_cpu() more aggressive") and then by commit: c743f0a5c50f ("sched/fair, cpumask: Export for_each_cpu_wrap()") which fixed a bug in the initial for_each_cpu_wrap() implementation that made select_idle_cpu() even more expensive. The bug was that it would skip over CPUs when bits were consequtive in the bitmask. This however gave me an idea to fix select_idle_cpu(); where the old scheme was a cliff-edge throttle on idle scanning, this introduces a more gradual approach. Instead of stopping to scan entirely, we limit how many CPUs we scan. Initial benchmarks show that it mostly recovers hackbench while not hurting anything else, except Mason's schbench, but not as bad as the old thing. It also appears to recover the tbench high-end, which also suffered like hackbench. Tested-by: Matt Fleming Signed-off-by: Peter Zijlstra (Intel) Cc: Chris Mason Cc: Linus Torvalds Cc: Mike Galbraith Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: hpa@zytor.com Cc: kitsunyan Cc: linux-kernel@vger.kernel.org Cc: lvenanci@redhat.com Cc: riel@redhat.com Cc: xiaolong.ye@intel.com Link: http://lkml.kernel.org/r/20170517105350.hk5m4h4jb6dfr65a@hirez.programming.kicks-ass.net Signed-off-by: Ingo Molnar Signed-off-by: Mel Gorman Signed-off-by: Greg Kroah-Hartman commit c6508a39640b9a27fc2bc10cb708152672c82045 Author: Peter Zijlstra Date: Fri Apr 14 14:20:05 2017 +0200 sched/fair, cpumask: Export for_each_cpu_wrap() commit c743f0a5c50f2fcbc628526279cfa24f3dabe182 upstream. More users for for_each_cpu_wrap() have appeared. Promote the construct to generic cpumask interface. The implementation is slightly modified to reduce arguments. Signed-off-by: Peter Zijlstra (Intel) Cc: Lauro Ramos Venancio Cc: Linus Torvalds Cc: Mike Galbraith Cc: Peter Zijlstra Cc: Rik van Riel Cc: Thomas Gleixner Cc: lwang@redhat.com Link: http://lkml.kernel.org/r/20170414122005.o35me2h5nowqkxbv@hirez.programming.kicks-ass.net Signed-off-by: Ingo Molnar Signed-off-by: Mel Gorman Signed-off-by: Greg Kroah-Hartman commit 1272418996e133555b963b3fb0173ca4e0ab7e47 Author: Paolo Abeni Date: Thu Jun 29 15:55:58 2017 +0200 x86/uaccess: Optimize copy_user_enhanced_fast_string() for short strings commit 236222d39347e0e486010f10c1493e83dbbdfba8 upstream. According to the Intel datasheet, the REP MOVSB instruction exposes a pretty heavy setup cost (50 ticks), which hurts short string copy operations. This change tries to avoid this cost by calling the explicit loop available in the unrolled code for strings shorter than 64 bytes. The 64 bytes cutoff value is arbitrary from the code logic point of view - it has been selected based on measurements, as the largest value that still ensures a measurable gain. Micro benchmarks of the __copy_from_user() function with lengths in the [0-63] range show this performance gain (shorter the string, larger the gain): - in the [55%-4%] range on Intel Xeon(R) CPU E5-2690 v4 - in the [72%-9%] range on Intel Core i7-4810MQ Other tested CPUs - namely Intel Atom S1260 and AMD Opteron 8216 - show no difference, because they do not expose the ERMS feature bit. Signed-off-by: Paolo Abeni Acked-by: Linus Torvalds Cc: Alan Cox Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Hannes Frederic Sowa Cc: Josh Poimboeuf Cc: Kees Cook Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/4533a1d101fd460f80e21329a34928fad521c1d4.1498744345.git.pabeni@redhat.com [ Clarified the changelog. ] Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman Signed-off-by: Mel Gorman commit e1ebb00c1b02ecb3b213383c7d0494068e1126b6 Author: Nicholas Piggin Date: Fri May 12 01:15:20 2017 +1000 powerpc/powernv: Fix CPU_HOTPLUG=n idle.c compile error commit 67d20418088680d22037119d914982cd982b5c5a upstream. Fixes: a7cd88da97 ("powerpc/powernv: Move CPU-Offline idle state invocation from smp.c to idle.c") Cc: Gautham R. Shenoy Signed-off-by: Nicholas Piggin Acked-by: Gautham R. Shenoy Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit e9d8f71bda62ae05c219c12f6dd803d66126097b Author: Jarkko Sakkinen Date: Tue Jun 20 11:38:02 2017 +0200 tpm: fix a kernel memory leak in tpm-sysfs.c commit 13b47cfcfc60495cde216eef4c01040d76174cbe upstream. While cleaning up sysfs callback that prints EK we discovered a kernel memory leak. This commit fixes the issue by zeroing the buffer used for TPM command/response. The leak happen when we use either tpm_vtpm_proxy, tpm_ibmvtpm or xen-tpmfront. Fixes: 0883743825e3 ("TPM: sysfs functions consolidation") Reported-by: Jason Gunthorpe Tested-by: Stefan Berger Signed-off-by: Jarkko Sakkinen Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit e520cb6c016a556eac369ae40aecad47f086e896 Author: Josh Zimmerman Date: Sun Jun 25 14:53:24 2017 -0700 tpm: Issue a TPM2_Shutdown for TPM2 devices. commit d1bd4a792d3961a04e6154118816b00167aad91a upstream. If a TPM2 loses power without a TPM2_Shutdown command being issued (a "disorderly reboot"), it may lose some state that has yet to be persisted to NVRam, and will increment the DA counter. After the DA counter gets sufficiently large, the TPM will lock the user out. NOTE: This only changes behavior on TPM2 devices. Since TPM1 uses sysfs, and sysfs relies on implicit locking on chip->ops, it is not safe to allow this code to run in TPM1, or to add sysfs support to TPM2, until that locking is made explicit. Signed-off-by: Josh Zimmerman Fixes: 74d6b3ceaa17 ("tpm: fix suspend/resume paths for TPM 2.0") Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 23f2134fb993cd20de52499a56f967ecf3951a29 Author: Josh Zimmerman Date: Sun Jun 25 14:53:23 2017 -0700 Add "shutdown" to "struct class". commit f77af15165847406b15d8f70c382c4cb15846b2a upstream. The TPM class has some common shutdown code that must be executed for all drivers. This adds some needed functionality for that. Signed-off-by: Josh Zimmerman Acked-by: Greg Kroah-Hartman Fixes: 74d6b3ceaa17 ("tpm: fix suspend/resume paths for TPM 2.0") Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 132a4d817b42792d85926f283b468c8263313fa8 Author: Andreas Gruenbacher Date: Fri Jul 7 13:22:05 2017 -0500 gfs2: Fix glock rhashtable rcu bug commit 961ae1d83d055a4b9ebbfb4cc8ca62ec1a7a3b74 upstream. Before commit 88ffbf3e03 "GFS2: Use resizable hash table for glocks", glocks were freed via call_rcu to allow reading the glock hashtable locklessly using rcu. This was then changed to free glocks immediately, which made reading the glock hashtable unsafe. Bring back the original code for freeing glocks via call_rcu. Signed-off-by: Andreas Gruenbacher Signed-off-by: Bob Peterson Signed-off-by: Greg Kroah-Hartman commit 3cd2a58902e4f7686cf0e53ba494ee0cf25599ea Author: Jiahau Chang Date: Mon Jun 19 13:08:30 2017 +0300 xhci: Limit USB2 port wake support for AMD Promontory hosts commit dec08194ffeccfa1cf085906b53d301930eae18f upstream. For AMD Promontory xHCI host, although you can disable USB 2.0 ports in BIOS settings, those ports will be enabled anyway after you remove a device on that port and re-plug it in again. It's a known limitation of the chip. As a workaround we can clear the PORT_WAKE_BITS. This will disable wake on connect, disconnect and overcurrent on AMD Promontory USB2 ports [checkpatch cleanup and commit message reword -Mathias] Cc: Tsai Nicholas Signed-off-by: Jiahau Chang Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit bf1befcaa52b30f7bf0ab4b6f8f11cad19910dcb Author: Bjørn Mork Date: Tue Jun 13 19:11:42 2017 +0200 USB: serial: qcserial: new Sierra Wireless EM7305 device ID commit 996fab55d864ed604158f71724ff52db1c2454a3 upstream. A new Sierra Wireless EM7305 device ID used in a Toshiba laptop. Reported-by: Petr Kloc Signed-off-by: Bjørn Mork Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit b555cf8458455b9bcf82c473d3ef1d33992aead4 Author: Johan Hovold Date: Mon Jun 12 16:30:16 2017 +0200 USB: serial: option: add two Longcheer device ids commit 8fb060da715ad10fe956d7c0077b2fb0c12bb9d7 upstream. Add two Longcheer device-id entries which specifically enables a Telewell TW-3G HSPA+ branded modem (0x9801). Reported-by: Teemu Likonen Reported-by: Bjørn Mork Reported-by: Lars Melin Tested-by: Teemu Likonen Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 1e35d149befae9ef34f50782cade48a64cc9d64f Author: Johan Hovold Date: Tue Jun 6 17:58:58 2017 +0200 USB: core: fix device node leak commit e271b2c909a22a2c13b2d5f77f2ce0091b74540c upstream. Make sure to release any OF device-node reference taken when creating the USB device. Note that we currently do not hold a reference to the root hub device-tree node (i.e. the parent controller node). Fixes: 69bec7259853 ("USB: core: let USB device know device node") Acked-by: Peter Chen Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit c3a90ecddfa33d09ff34e31e47eebc81b300e06f Author: Benjamin Herrenschmidt Date: Tue Jun 13 16:01:13 2017 +1000 usb: Fix typo in the definition of Endpoint[out]Request commit 7cf916bd639bd26db7214f2205bccdb4b9306256 upstream. The current definition is wrong. This breaks my upcoming Aspeed virtual hub driver. Signed-off-by: Benjamin Herrenschmidt Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 1ec27490ee536fd3d41f0e10c61f2fc73be0065d Author: Devin Heitmueller Date: Tue Jun 27 13:08:51 2017 -0400 Add USB quirk for HVR-950q to avoid intermittent device resets commit 6836796de4019944f4ba4c99a360e8250fd2e735 upstream. The USB core and sysfs will attempt to enumerate certain parameters which are unsupported by the au0828 - causing inconsistent behavior and sometimes causing the chip to reset. Avoid making these calls. This problem manifested as intermittent cases where the au8522 would be reset on analog video startup, in particular when starting up ALSA audio streaming in parallel - the sysfs entries created by snd-usb-audio on streaming startup would result in unsupported control messages being sent during tuning which would put the chip into an unknown state. Signed-off-by: Devin Heitmueller Signed-off-by: Greg Kroah-Hartman commit 9bef7d690ed144b6d3d3e88785890672c40be4aa Author: Michael Grzeschik Date: Mon May 22 13:02:44 2017 +0200 usb: usbip: set buffer pointers to NULL after free commit b3b51417d0af63fb9a06662dc292200aed9ea53f upstream. The usbip stack dynamically allocates the transfer_buffer and setup_packet of each urb that got generated by the tcp to usb stub code. As these pointers are always used only once we will set them to NULL after use. This is done likewise to the free_urb code in vudc_dev.c. This patch fixes double kfree situations where the usbip remote side added the URB_FREE_BUFFER. Signed-off-by: Michael Grzeschik Acked-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman commit 1338f7922006614bb156289a1cb37030da45d85a Author: Jeremie Rapin Date: Wed Jun 28 18:23:25 2017 +0200 USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick commit fd90f73a9925f248d696bde1cfc836d9fda5570d upstream. Added the USB serial device ID for the CEL ZigBee EM3588 radio stick. Signed-off-by: Jeremie Rapin Acked-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 9a11d1f9c466ed1e895eeeae52fca7c4fc219365 Author: Felipe Balbi Date: Wed May 17 15:57:45 2017 +0300 usb: dwc3: replace %p with %pK commit 04fb365c453e14ff9e8a28f1c46050d920a27a4a upstream. %p will leak kernel pointers, so let's not expose the information on dmesg and instead use %pK. %pK will only show the actual addresses if explicitly enabled under /proc/sys/kernel/kptr_restrict. Acked-by: Greg Kroah-Hartman Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit d4ca0cfa3fe21f7d6208f5ea510643733e3065d9 Author: Boris Pismenny Date: Tue Jun 27 15:09:13 2017 +0300 RDMA/uverbs: Check port number supplied by user verbs cmds commit 5ecce4c9b17bed4dc9cb58bfb10447307569b77b upstream. The ib_uverbs_create_ah() ind ib_uverbs_modify_qp() calls receive the port number from user input as part of its attributes and assumes it is valid. Down on the stack, that parameter is used to access kernel data structures. If the value is invalid, the kernel accesses memory it should not. To prevent this, verify the port number before using it. BUG: KASAN: use-after-free in ib_uverbs_create_ah+0x6d5/0x7b0 Read of size 4 at addr ffff880018d67ab8 by task syz-executor/313 BUG: KASAN: slab-out-of-bounds in modify_qp.isra.4+0x19d0/0x1ef0 Read of size 4 at addr ffff88006c40ec58 by task syz-executor/819 Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands") Fixes: 189aba99e70 ("IB/uverbs: Extend modify_qp and support packet pacing") Cc: Yevgeny Kliteynik Cc: Tziporet Koren Cc: Alex Polak Signed-off-by: Boris Pismenny Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit d0ccfd55b9c75b90ebcb9c56029b07eddefb1155 Author: Adrian Salido Date: Tue Apr 25 16:55:26 2017 -0700 driver core: platform: fix race condition with driver_override commit 6265539776a0810b7ce6398c27866ddb9c6bd154 upstream. The driver_override implementation is susceptible to race condition when different threads are reading vs storing a different driver override. Add locking to avoid race condition. Fixes: 3d713e0e382e ("driver core: platform: add device binding path 'driver_override'") Cc: stable@vger.kernel.org Signed-off-by: Adrian Salido Signed-off-by: Greg Kroah-Hartman