commit f6767727467056943bf6d3433ffce0a8b2b05681
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Fri Mar 31 10:32:02 2017 +0200

    Linux 4.9.20

commit 1dc3a068cc1123cbfb1d6340cfd795bfd453870a
Author: Bin Liu <b-liu@ti.com>
Date:   Fri Mar 10 14:43:37 2017 -0600

    usb: musb: fix possible spinlock deadlock
    
    commit bc1e2154542071e3cfe1734b143af9b8bdacf8bd upstream.
    
    The DSPS glue calls del_timer_sync() in its musb_platform_disable()
    implementation, which requires the caller to not hold a lock. But
    musb_remove() calls musb_platform_disable() will musb->lock held. This
    could causes spinlock deadlock.
    
    So change musb_remove() to call musb_platform_disable() without holds
    musb->lock. This doesn't impact the musb_platform_disable implementation
    in other glue drivers.
    
    root@am335x-evm:~# modprobe -r musb-dsps
    [  126.134879] musb-hdrc musb-hdrc.1: remove, state 1
    [  126.140465] usb usb2: USB disconnect, device number 1
    [  126.146178] usb 2-1: USB disconnect, device number 2
    [  126.416985] musb-hdrc musb-hdrc.1: USB bus 2 deregistered
    [  126.423943]
    [  126.425525] ======================================================
    [  126.431997] [ INFO: possible circular locking dependency detected ]
    [  126.438564] 4.11.0-rc1-00003-g1557f13bca04-dirty #77 Not tainted
    [  126.444852] -------------------------------------------------------
    [  126.451414] modprobe/778 is trying to acquire lock:
    [  126.456523]  (((&glue->timer))){+.-...}, at: [<c01b8788>] del_timer_sync+0x0/0xd0
    [  126.464403]
    [  126.464403] but task is already holding lock:
    [  126.470511]  (&(&musb->lock)->rlock){-.-...}, at: [<bf30b7f8>] musb_remove+0x50/0x1
    30 [musb_hdrc]
    [  126.479965]
    [  126.479965] which lock already depends on the new lock.
    [  126.479965]
    [  126.488531]
    [  126.488531] the existing dependency chain (in reverse order) is:
    [  126.496368]
    [  126.496368] -> #1 (&(&musb->lock)->rlock){-.-...}:
    [  126.502968]        otg_timer+0x80/0xec [musb_dsps]
    [  126.507990]        call_timer_fn+0xb4/0x390
    [  126.512372]        expire_timers+0xf0/0x1fc
    [  126.516754]        run_timer_softirq+0x80/0x178
    [  126.521511]        __do_softirq+0xc4/0x554
    [  126.525802]        irq_exit+0xe8/0x158
    [  126.529735]        __handle_domain_irq+0x58/0xb8
    [  126.534583]        __irq_usr+0x54/0x80
    [  126.538507]
    [  126.538507] -> #0 (((&glue->timer))){+.-...}:
    [  126.544636]        del_timer_sync+0x40/0xd0
    [  126.549066]        musb_remove+0x6c/0x130 [musb_hdrc]
    [  126.554370]        platform_drv_remove+0x24/0x3c
    [  126.559206]        device_release_driver_internal+0x14c/0x1e0
    [  126.565225]        bus_remove_device+0xd8/0x108
    [  126.569970]        device_del+0x1e4/0x308
    [  126.574170]        platform_device_del+0x24/0x8c
    [  126.579006]        platform_device_unregister+0xc/0x20
    [  126.584394]        dsps_remove+0x14/0x30 [musb_dsps]
    [  126.589595]        platform_drv_remove+0x24/0x3c
    [  126.594432]        device_release_driver_internal+0x14c/0x1e0
    [  126.600450]        driver_detach+0x38/0x6c
    [  126.604740]        bus_remove_driver+0x4c/0xa0
    [  126.609407]        SyS_delete_module+0x11c/0x1e4
    [  126.614252]        __sys_trace_return+0x0/0x10
    
    Fixes: ea2f35c01d5ea ("usb: musb: Fix sleeping function called from invalid context for hdrc glue")
    Acked-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Bin Liu <b-liu@ti.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 916c5cfeab400f5260d20dc2e5c8e0ec52e64cfc
Author: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Date:   Tue Jan 24 15:40:06 2017 +0100

    sched/rt: Add a missing rescheduling point
    
    commit 619bd4a71874a8fd78eb6ccf9f272c5e98bcc7b7 upstream.
    
    Since the change in commit:
    
      fd7a4bed1835 ("sched, rt: Convert switched_{from, to}_rt() / prio_changed_rt() to balance callbacks")
    
    ... we don't reschedule a task under certain circumstances:
    
    Lets say task-A, SCHED_OTHER, is running on CPU0 (and it may run only on
    CPU0) and holds a PI lock. This task is removed from the CPU because it
    used up its time slice and another SCHED_OTHER task is running. Task-B on
    CPU1 runs at RT priority and asks for the lock owned by task-A. This
    results in a priority boost for task-A. Task-B goes to sleep until the
    lock has been made available. Task-A is already runnable (but not active),
    so it receives no wake up.
    
    The reality now is that task-A gets on the CPU once the scheduler decides
    to remove the current task despite the fact that a high priority task is
    enqueued and waiting. This may take a long time.
    
    The desired behaviour is that CPU0 immediately reschedules after the
    priority boost which made task-A the task with the lowest priority.
    
    Suggested-by: Peter Zijlstra <peterz@infradead.org>
    Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Mike Galbraith <efault@gmx.de>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Fixes: fd7a4bed1835 ("sched, rt: Convert switched_{from, to}_rt() prio_changed_rt() to balance callbacks")
    Link: http://lkml.kernel.org/r/20170124144006.29821-1-bigeasy@linutronix.de
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2984e52c75c657db7901f6189f02e0251ca963c2
Author: Eric Biggers <ebiggers@google.com>
Date:   Tue Feb 21 15:07:11 2017 -0800

    fscrypt: remove broken support for detecting keyring key revocation
    
    commit 1b53cf9815bb4744958d41f3795d5d5a1d365e2d upstream.
    
    Filesystem encryption ostensibly supported revoking a keyring key that
    had been used to "unlock" encrypted files, causing those files to become
    "locked" again.  This was, however, buggy for several reasons, the most
    severe of which was that when key revocation happened to be detected for
    an inode, its fscrypt_info was immediately freed, even while other
    threads could be using it for encryption or decryption concurrently.
    This could be exploited to crash the kernel or worse.
    
    This patch fixes the use-after-free by removing the code which detects
    the keyring key having been revoked, invalidated, or expired.  Instead,
    an encrypted inode that is "unlocked" now simply remains unlocked until
    it is evicted from memory.  Note that this is no worse than the case for
    block device-level encryption, e.g. dm-crypt, and it still remains
    possible for a privileged user to evict unused pages, inodes, and
    dentries by running 'sync; echo 3 > /proc/sys/vm/drop_caches', or by
    simply unmounting the filesystem.  In fact, one of those actions was
    already needed anyway for key revocation to work even somewhat sanely.
    This change is not expected to break any applications.
    
    In the future I'd like to implement a real API for fscrypt key
    revocation that interacts sanely with ongoing filesystem operations ---
    waiting for existing operations to complete and blocking new operations,
    and invalidating and sanitizing key material and plaintext from the VFS
    caches.  But this is a hard problem, and for now this bug must be fixed.
    
    This bug affected almost all versions of ext4, f2fs, and ubifs
    encryption, and it was potentially reachable in any kernel configured
    with encryption support (CONFIG_EXT4_ENCRYPTION=y,
    CONFIG_EXT4_FS_ENCRYPTION=y, CONFIG_F2FS_FS_ENCRYPTION=y, or
    CONFIG_UBIFS_FS_ENCRYPTION=y).  Note that older kernels did not use the
    shared fs/crypto/ code, but due to the potential security implications
    of this bug, it may still be worthwhile to backport this fix to them.
    
    Fixes: b7236e21d55f ("ext4 crypto: reorganize how we store keys in the inode")
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Acked-by: Michael Halcrow <mhalcrow@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 21c95eca627bf63fa56dc19f5fb5fb2a770dadc0
Author: Dave Martin <Dave.Martin@arm.com>
Date:   Mon Mar 27 15:10:57 2017 +0100

    metag/ptrace: Reject partial NT_METAG_RPIPE writes
    
    commit 7195ee3120d878259e8d94a5d9f808116f34d5ea upstream.
    
    It's not clear what behaviour is sensible when doing partial write of
    NT_METAG_RPIPE, so just don't bother.
    
    This patch assumes that userspace will never rely on a partial SETREGSET
    in this case, since it's not clear what should happen anyway.
    
    Signed-off-by: Dave Martin <Dave.Martin@arm.com>
    Acked-by: James Hogan <james.hogan@imgtec.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2d6532ceb45bffcc05036f93a0590ffa82c7794f
Author: Dave Martin <Dave.Martin@arm.com>
Date:   Mon Mar 27 15:10:56 2017 +0100

    metag/ptrace: Provide default TXSTATUS for short NT_PRSTATUS
    
    commit 5fe81fe98123ce41265c65e95d34418d30d005d1 upstream.
    
    Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
    to fill TXSTATUS, a well-defined default value is used, based on the
    task's current value.
    
    Suggested-by: James Hogan <james.hogan@imgtec.com>
    Signed-off-by: Dave Martin <Dave.Martin@arm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2739b4874165acc5ce07e643c363e6768f44cf4f
Author: Dave Martin <Dave.Martin@arm.com>
Date:   Mon Mar 27 15:10:55 2017 +0100

    metag/ptrace: Preserve previous registers for short regset write
    
    commit a78ce80d2c9178351b34d78fec805140c29c193e upstream.
    
    Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
    to fill all the registers, the thread's old registers are preserved.
    
    Signed-off-by: Dave Martin <Dave.Martin@arm.com>
    Acked-by: James Hogan <james.hogan@imgtec.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 84b94c4356c668ebe4532b3a999cf375f0089310
Author: Dave Martin <Dave.Martin@arm.com>
Date:   Mon Mar 27 15:10:59 2017 +0100

    sparc/ptrace: Preserve previous registers for short regset write
    
    commit d3805c546b275c8cc7d40f759d029ae92c7175f2 upstream.
    
    Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
    to fill all the registers, the thread's old registers are preserved.
    
    Signed-off-by: Dave Martin <Dave.Martin@arm.com>
    Acked-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0ba34c87f7ce04232295ebf4991cd3ff36ea5abd
Author: Dave Martin <Dave.Martin@arm.com>
Date:   Mon Mar 27 15:10:58 2017 +0100

    mips/ptrace: Preserve previous registers for short regset write
    
    commit d614fd58a2834cfe4efa472c33c8f3ce2338b09b upstream.
    
    Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
    to fill all the registers, the thread's old registers are preserved.
    
    Signed-off-by: Dave Martin <Dave.Martin@arm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 616fe993f410c589cd928dfb015ccaf9c931dcc1
Author: Dave Martin <Dave.Martin@arm.com>
Date:   Mon Mar 27 15:10:54 2017 +0100

    h8300/ptrace: Fix incorrect register transfer count
    
    commit 502585c7555083d4a949c08350306b9ec196779e upstream.
    
    regs_set() and regs_get() are vulnerable to an off-by-1 buffer overrun
    if CONFIG_CPU_H8S is set, since this adds an extra entry to
    register_offset[] but not to user_regs_struct.
    
    So, iterate over user_regs_struct based on its actual size, not based on
    the length of register_offset[].
    
    Signed-off-by: Dave Martin <Dave.Martin@arm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d77bd2d6a478468127da79e6920b44c467baaa9e
Author: Dave Martin <Dave.Martin@arm.com>
Date:   Mon Mar 27 15:10:53 2017 +0100

    c6x/ptrace: Remove useless PTRACE_SETREGSET implementation
    
    commit fb411b837b587a32046dc4f369acb93a10b1def8 upstream.
    
    gpr_set won't work correctly and can never have been tested, and the
    correct behaviour is not clear due to the endianness-dependent task
    layout.
    
    So, just remove it.  The core code will now return -EOPNOTSUPPORT when
    trying to set NT_PRSTATUS on this architecture until/unless a correct
    implementation is supplied.
    
    Signed-off-by: Dave Martin <Dave.Martin@arm.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dd6054234bd82065134f62ca0b5e2695c0d859b7
Author: Bjorn Andersson <bjorn.andersson@linaro.org>
Date:   Tue Mar 14 08:23:26 2017 -0700

    pinctrl: qcom: Don't clear status bit on irq_unmask
    
    commit a6566710adaa4a7dd5e0d99820ff9c9c30ee5951 upstream.
    
    Clearing the status bit on irq_unmask will discard any pending interrupt
    that did arrive after the irq_ack, i.e. while the IRQ handler function
    was executing.
    
    Fixes: f365be092572 ("pinctrl: Add Qualcomm TLMM driver")
    Cc: Stephen Boyd <sboyd@codeaurora.org>
    Reported-by: Timur Tabi <timur@codeaurora.org>
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b82b2f930c2b090a51d429664454252c87b45a47
Author: Ladi Prosek <lprosek@redhat.com>
Date:   Thu Mar 23 08:04:18 2017 +0100

    virtio_balloon: init 1st buffer in stats vq
    
    commit fc8653228c8588a120f6b5dad6983b7b61ff669e upstream.
    
    When init_vqs runs, virtio_balloon.stats is either uninitialized or
    contains stale values. The host updates its state with garbage data
    because it has no way of knowing that this is just a marker buffer
    used for signaling.
    
    This patch updates the stats before pushing the initial buffer.
    
    Alternative fixes:
    * Push an empty buffer in init_vqs. Not easily done with the current
      virtio implementation and violates the spec "Driver MUST supply the
      same subset of statistics in all buffers submitted to the statsq".
    * Push a buffer with invalid tags in init_vqs. Violates the same
      spec clause, plus "invalid tag" is not really defined.
    
    Note: the spec says:
            When using the legacy interface, the device SHOULD ignore all values in
            the first buffer in the statsq supplied by the driver after device
            initialization. Note: Historically, drivers supplied an uninitialized
            buffer in the first buffer.
    
    Unfortunately QEMU does not seem to implement the recommendation
    even for the legacy interface.
    
    Signed-off-by: Ladi Prosek <lprosek@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3e8c6bd9dbc44630199892ad27ef745a45335191
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Mon Mar 27 17:53:50 2017 +0200

    KVM: x86: cleanup the page tracking SRCU instance
    
    commit 2beb6dad2e8f95d710159d5befb390e4f62ab5cf upstream.
    
    SRCU uses a delayed work item.  Skip cleaning it up, and
    the result is use-after-free in the work item callbacks.
    
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Suggested-by: Dmitry Vyukov <dvyukov@google.com>
    Fixes: 0eb05bf290cfe8610d9680b49abef37febd1c38a
    Reviewed-by: Xiao Guangrong <xiaoguangrong.eric@gmail.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 79191ea36dc9be10a9c9b03d6b341ed2d2f76045
Author: Andy Whitcroft <apw@canonical.com>
Date:   Thu Mar 23 07:45:44 2017 +0000

    xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
    
    commit f843ee6dd019bcece3e74e76ad9df0155655d0df upstream.
    
    Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
    wrapping issues.  To ensure we are correctly ensuring that the two ESN
    structures are the same size compare both the overall size as reported
    by xfrm_replay_state_esn_len() and the internal length are the same.
    
    CVE-2017-7184
    Signed-off-by: Andy Whitcroft <apw@canonical.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 64a5465799ee40e3d54d9da3037934cd4b7b502f
Author: Andy Whitcroft <apw@canonical.com>
Date:   Wed Mar 22 07:29:31 2017 +0000

    xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
    
    commit 677e806da4d916052585301785d847c3b3e6186a upstream.
    
    When a new xfrm state is created during an XFRM_MSG_NEWSA call we
    validate the user supplied replay_esn to ensure that the size is valid
    and to ensure that the replay_window size is within the allocated
    buffer.  However later it is possible to update this replay_esn via a
    XFRM_MSG_NEWAE call.  There we again validate the size of the supplied
    buffer matches the existing state and if so inject the contents.  We do
    not at this point check that the replay_window is within the allocated
    memory.  This leads to out-of-bounds reads and writes triggered by
    netlink packets.  This leads to memory corruption and the potential for
    priviledge escalation.
    
    We already attempt to validate the incoming replay information in
    xfrm_new_ae() via xfrm_replay_verify_len().  This confirms that the user
    is not trying to change the size of the replay state buffer which
    includes the replay_esn.  It however does not check the replay_window
    remains within that buffer.  Add validation of the contained
    replay_window.
    
    CVE-2017-7184
    Signed-off-by: Andy Whitcroft <apw@canonical.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f68a09c7944eca3bdfce2ef18b43dfd2359346b7
Author: Florian Westphal <fw@strlen.de>
Date:   Wed Feb 8 11:52:29 2017 +0100

    xfrm: policy: init locks early
    
    commit c282222a45cb9503cbfbebfdb60491f06ae84b49 upstream.
    
    Dmitry reports following splat:
     INFO: trying to register non-static key.
     the code is fine but needs lockdep annotation.
     turning off the locking correctness validator.
     CPU: 0 PID: 13059 Comm: syz-executor1 Not tainted 4.10.0-rc7-next-20170207 #1
    [..]
     spin_lock_bh include/linux/spinlock.h:304 [inline]
     xfrm_policy_flush+0x32/0x470 net/xfrm/xfrm_policy.c:963
     xfrm_policy_fini+0xbf/0x560 net/xfrm/xfrm_policy.c:3041
     xfrm_net_init+0x79f/0x9e0 net/xfrm/xfrm_policy.c:3091
     ops_init+0x10a/0x530 net/core/net_namespace.c:115
     setup_net+0x2ed/0x690 net/core/net_namespace.c:291
     copy_net_ns+0x26c/0x530 net/core/net_namespace.c:396
     create_new_namespaces+0x409/0x860 kernel/nsproxy.c:106
     unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
     SYSC_unshare kernel/fork.c:2281 [inline]
    
    Problem is that when we get error during xfrm_net_init we will call
    xfrm_policy_fini which will acquire xfrm_policy_lock before it was
    initialized.  Just move it around so locks get set up first.
    
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Fixes: 283bc9f35bbbcb0e9 ("xfrm: Namespacify xfrm state/policy locks")
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>