4.14.8-200.fc26.gnu

8 files changed, 312 insertions, 113 deletions

diff --git a/freed-ora/current/f26/Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch b/freed-ora/current/f26/Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch
deleted file mode 100644
index 0685f06aa..000000000
--- a/freed-ora/current/f26/Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From patchwork Tue Dec 12 19:28:38 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 8bit
-Subject: Revert "exec: avoid RLIMIT_STACK races with prlimit()"
-From: Kees Cook <keescook@chromium.org>
-X-Patchwork-Id: 10108209
-Message-Id: <20171212192838.GA14592@beast>
-To: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Laura Abbott <labbott@redhat.com>,
- =?utf-8?B?VG9tw6HFoQ==?= Trnka <trnka@scm.com>,
- linux-kernel@vger.kernel.org
-Date: Tue, 12 Dec 2017 11:28:38 -0800
-
-This reverts commit 04e35f4495dd560db30c25efca4eecae8ec8c375.
-
-SELinux runs with secureexec for all non-"noatsecure" domain transitions,
-which means lots of processes end up hitting the stack hard-limit change
-that was introduced in order to fix a race with prlimit(). That race fix
-will need to be redesigned.
-
-Reported-by: Laura Abbott <labbott@redhat.com>
-Reported-by: Tomáš Trnka <trnka@scm.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Kees Cook <keescook@chromium.org>
----
- fs/exec.c | 7 +------
- 1 file changed, 1 insertion(+), 6 deletions(-)
-
-diff --git a/fs/exec.c b/fs/exec.c
-index 6be2aa0ab26f..1d6243d9f2b6 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -1340,15 +1340,10 @@ void setup_new_exec(struct linux_binprm * bprm)
- 		 * avoid bad behavior from the prior rlimits. This has to
- 		 * happen before arch_pick_mmap_layout(), which examines
- 		 * RLIMIT_STACK, but after the point of no return to avoid
--		 * races from other threads changing the limits. This also
--		 * must be protected from races with prlimit() calls.
-+		 * needing to clean up the change on failure.
- 		 */
--		task_lock(current->group_leader);
- 		if (current->signal->rlim[RLIMIT_STACK].rlim_cur > _STK_LIM)
- 			current->signal->rlim[RLIMIT_STACK].rlim_cur = _STK_LIM;
--		if (current->signal->rlim[RLIMIT_STACK].rlim_max > _STK_LIM)
--			current->signal->rlim[RLIMIT_STACK].rlim_max = _STK_LIM;
--		task_unlock(current->group_leader);
- 	}
- 
- 	arch_pick_mmap_layout(current->mm);
diff --git a/freed-ora/current/f26/USB-core-prevent-malicious-bNumInterfaces-overflow.patch b/freed-ora/current/f26/USB-core-prevent-malicious-bNumInterfaces-overflow.patch
deleted file mode 100644
index d09b25360..000000000
--- a/freed-ora/current/f26/USB-core-prevent-malicious-bNumInterfaces-overflow.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 Mon Sep 17 00:00:00 2001
-From: Alan Stern <stern@rowland.harvard.edu>
-Date: Tue, 12 Dec 2017 14:25:13 -0500
-Subject: [PATCH] USB: core: prevent malicious bNumInterfaces overflow
-
-A malicious USB device with crafted descriptors can cause the kernel
-to access unallocated memory by setting the bNumInterfaces value too
-high in a configuration descriptor.  Although the value is adjusted
-during parsing, this adjustment is skipped in one of the error return
-paths.
-
-This patch prevents the problem by setting bNumInterfaces to 0
-initially.  The existing code already sets it to the proper value
-after parsing is complete.
-
-Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
-Reported-by: Andrey Konovalov <andreyknvl@google.com>
-CC: <stable@vger.kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/core/config.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
-index 55b198ba629b..78e92d29f8d9 100644
---- a/drivers/usb/core/config.c
-+++ b/drivers/usb/core/config.c
-@@ -555,6 +555,9 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
- 	unsigned iad_num = 0;
- 
- 	memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
-+	nintf = nintf_orig = config->desc.bNumInterfaces;
-+	config->desc.bNumInterfaces = 0;	// Adjusted later
-+
- 	if (config->desc.bDescriptorType != USB_DT_CONFIG ||
- 	    config->desc.bLength < USB_DT_CONFIG_SIZE ||
- 	    config->desc.bLength > size) {
-@@ -568,7 +571,6 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
- 	buffer += config->desc.bLength;
- 	size -= config->desc.bLength;
- 
--	nintf = nintf_orig = config->desc.bNumInterfaces;
- 	if (nintf > USB_MAXINTERFACES) {
- 		dev_warn(ddev, "config %d has too many interfaces: %d, "
- 		    "using maximum allowed: %d\n",
--- 
-2.14.3
-
diff --git a/freed-ora/current/f26/e1000e-Fix-e1000_check_for_copper_link_ich8lan-return-value..patch b/freed-ora/current/f26/e1000e-Fix-e1000_check_for_copper_link_ich8lan-return-value..patch
new file mode 100644
index 000000000..a31d5d2c5
--- /dev/null
+++ b/freed-ora/current/f26/e1000e-Fix-e1000_check_for_copper_link_ich8lan-return-value..patch
@@ -0,0 +1,70 @@
+From patchwork Mon Dec 11 07:26:40 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
+From: Benjamin Poirier <bpoirier@suse.com>
+X-Patchwork-Id: 10104349
+Message-Id: <20171211072640.7935-1-bpoirier@suse.com>
+To: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>,
+ Christian Hesse <list@eworm.de>, Gabriel C <nix.or.die@gmail.com>,
+ intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org,
+ linux-kernel@vger.kernel.org, stable@vger.kernel.org
+Date: Mon, 11 Dec 2017 16:26:40 +0900
+
+e1000e_check_for_copper_link() and e1000_check_for_copper_link_ich8lan()
+are the two functions that may be assigned to mac.ops.check_for_link when
+phy.media_type == e1000_media_type_copper. Commit 19110cfbb34d ("e1000e:
+Separate signaling for link check/link up") changed the meaning of the
+return value of check_for_link for copper media but only adjusted the first
+function. This patch adjusts the second function likewise.
+
+Reported-by: Christian Hesse <list@eworm.de>
+Reported-by: Gabriel C <nix.or.die@gmail.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=198047
+Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up")
+Tested-by: Christian Hesse <list@eworm.de>
+Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
+---
+ drivers/net/ethernet/intel/e1000e/ich8lan.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+index d6d4ed7acf03..31277d3bb7dc 100644
+--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+@@ -1367,6 +1367,9 @@ static s32 e1000_disable_ulp_lpt_lp(struct e1000_hw *hw, bool force)
+  *  Checks to see of the link status of the hardware has changed.  If a
+  *  change in link status has been detected, then we read the PHY registers
+  *  to get the current speed/duplex if link exists.
++ *
++ *  Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link
++ *  up).
+  **/
+ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
+ {
+@@ -1382,7 +1385,7 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
+ 	 * Change or Rx Sequence Error interrupt.
+ 	 */
+ 	if (!mac->get_link_status)
+-		return 0;
++		return 1;
+ 
+ 	/* First we want to see if the MII Status Register reports
+ 	 * link.  If so, then we want to get the current speed/duplex
+@@ -1613,10 +1616,12 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
+ 	 * different link partner.
+ 	 */
+ 	ret_val = e1000e_config_fc_after_link_up(hw);
+-	if (ret_val)
++	if (ret_val) {
+ 		e_dbg("Error configuring flow control\n");
++		return ret_val;
++	}
+ 
+-	return ret_val;
++	return 1;
+ }
+ 
+ static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter)
diff --git a/freed-ora/current/f26/kernel.spec b/freed-ora/current/f26/kernel.spec
index 659df1ba1..259136425 100644
--- a/freed-ora/current/f26/kernel.spec
+++ b/freed-ora/current/f26/kernel.spec
@@ -92,7 +92,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 7
+%define stable_update 8
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -661,13 +661,6 @@ Patch335: arm-exynos-fix-usb3.patch
 # rbhz 1519591 1520764
 Patch500: dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
 
-# rhbz 1525474 1525476
-Patch501: USB-core-prevent-malicious-bNumInterfaces-overflow.patch
-
-# https://patchwork.kernel.org/patch/10108209/
-# https://marc.info/?l=linux-kernel&m=151307686618795
-Patch502: Revert-exec-avoid-RLIMIT_STACK-races-with-prlimit.patch
-
 # CVE-2017-17449
 # rhbz 1525762 1525763
 Patch503: netlink-Add-netns-check-on-taps.patch
@@ -680,6 +673,10 @@ Patch504: netfilter-xt_osf-Add-missing-permission-checks.patch
 # rhbz 1525768 1525769
 Patch505: netfilter-nfnetlink_cthelper-Add-missing-permission-.patch
 
+# rhbz 1525523
+# https://patchwork.kernel.org/patch/10104349/
+Patch506: e1000e-Fix-e1000_check_for_copper_link_ich8lan-return-value..patch
+
 # 600 - Patches for improved Bay and Cherry Trail device support
 # Below patches are submitted upstream, awaiting review / merging
 Patch601: 0001-Input-gpio_keys-Allow-suppression-of-input-events-fo.patch
@@ -707,6 +704,9 @@ Patch628: HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch
 # CVE-2017-17712 rhbz 1526427 1526933 
 Patch629: net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
 
+# CVE-2017-17741 rhbz 1527112 1527113
+Patch630: v4-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2350,6 +2350,18 @@ fi
 #
 #
 %changelog
+* Thu Dec 21 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 4.14.8-gnu.
+
+* Wed Dec 20 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.14.8-200
+- Linux v4.14.8
+
+* Wed Dec 20 2017 Jeremy Cline <jeremy@jcline.org>
+- Backport fix e1000_check_for_copper_link_ich8lan return value
+
+* Tue Dec 19 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2017-17741 (rhbz 1527112 1527113)
+
 * Mon Dec 18 2017 Alexandre Oliva <lxoliva@fsfla.org> -libre
 - GNU Linux-libre 4.14.7-gnu.
 
diff --git a/freed-ora/current/f26/patch-4.14-gnu-4.14.7-gnu.xz.sign b/freed-ora/current/f26/patch-4.14-gnu-4.14.7-gnu.xz.sign
deleted file mode 100644
index 3e3152beb..000000000
--- a/freed-ora/current/f26/patch-4.14-gnu-4.14.7-gnu.xz.sign
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWja8ZAAKCRC8t8+Hfn1H
-p4A5AJ9raaSBcexl6qbvHKKPisWMTc4SugCeM1JmdNIyDqFQOGB/Smp5bCiumos=
-=9ARk
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f26/patch-4.14-gnu-4.14.8-gnu.xz.sign b/freed-ora/current/f26/patch-4.14-gnu-4.14.8-gnu.xz.sign
new file mode 100644
index 000000000..c4a50fe8c
--- /dev/null
+++ b/freed-ora/current/f26/patch-4.14-gnu-4.14.8-gnu.xz.sign
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABECAB0WIQRHRALIxYLa++OJxCe8t8+Hfn1HpwUCWjrVLgAKCRC8t8+Hfn1H
+pxjbAJ0TFcURH99GAvGFcH3Z9LUG2by/3QCfU537O7keYku60QS3oQjz7vyhdEI=
+=0CeQ
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f26/sources b/freed-ora/current/f26/sources
index d96f8c143..fe3e0db17 100644
--- a/freed-ora/current/f26/sources
+++ b/freed-ora/current/f26/sources
@@ -1,3 +1,3 @@
 SHA512 (linux-libre-4.14-gnu.tar.xz) = 0d4b0b8ec1ffc39c59295adf56f6a2cccf77cad56d8a8bf8072624bbb52ba3e684147ebed91d1528d2685423dd784c5fca0f3650f874f2b93cfc6b7689b9a87f
 SHA512 (perf-man-4.14.tar.gz) = 76a9d8adc284cdffd4b3fbb060e7f9a14109267707ce1d03f4c3239cd70d8d164f697da3a0f90a363fbcac42a61d3c378afbcc2a86f112c501b9cb5ce74ef9f8
-SHA512 (patch-4.14-gnu-4.14.7-gnu.xz) = 5c62bbc5d3bc5aa67eed8c4952e86263cc86bd9406cfe30a87ee4ff891b8aeb23e78df82d7cfefcdbedce17520b7fe3d515d930905ee2ceaf6c7462399670fb7
+SHA512 (patch-4.14-gnu-4.14.8-gnu.xz) = 3afac9aab10cc30065636264285f97e37537c766bb6ffa72a612561ba826bf75aeb6af1920f7dac09cc252e17e5d99722bf6e4436316cdb0c81b8d40572ae847
diff --git a/freed-ora/current/f26/v4-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch b/freed-ora/current/f26/v4-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
new file mode 100644
index 000000000..f3767cda5
--- /dev/null
+++ b/freed-ora/current/f26/v4-KVM-Fix-stack-out-of-bounds-read-in-write_mmio.patch
@@ -0,0 +1,215 @@
+From patchwork Fri Dec 15 01:40:50 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+Subject: [v4] KVM: Fix stack-out-of-bounds read in write_mmio
+From: Wanpeng Li <kernellwp@gmail.com>
+X-Patchwork-Id: 10113513
+Message-Id: <1513302050-14253-1-git-send-email-wanpeng.li@hotmail.com>
+To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
+Cc: Paolo Bonzini <pbonzini@redhat.com>,
+ =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>,
+ Wanpeng Li <wanpeng.li@hotmail.com>, Marc Zyngier <marc.zyngier@arm.com>,
+ Christoffer Dall <christoffer.dall@linaro.org>
+Date: Thu, 14 Dec 2017 17:40:50 -0800
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+Reported by syzkaller:
+
+  BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm]
+  Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298
+
+  CPU: 6 PID: 32298 Comm: syz-executor Tainted: G           OE    4.15.0-rc2+ #18
+  Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016
+  Call Trace:
+   dump_stack+0xab/0xe1
+   print_address_description+0x6b/0x290
+   kasan_report+0x28a/0x370
+   write_mmio+0x11e/0x270 [kvm]
+   emulator_read_write_onepage+0x311/0x600 [kvm]
+   emulator_read_write+0xef/0x240 [kvm]
+   emulator_fix_hypercall+0x105/0x150 [kvm]
+   em_hypercall+0x2b/0x80 [kvm]
+   x86_emulate_insn+0x2b1/0x1640 [kvm]
+   x86_emulate_instruction+0x39a/0xb90 [kvm]
+   handle_exception+0x1b4/0x4d0 [kvm_intel]
+   vcpu_enter_guest+0x15a0/0x2640 [kvm]
+   kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm]
+   kvm_vcpu_ioctl+0x479/0x880 [kvm]
+   do_vfs_ioctl+0x142/0x9a0
+   SyS_ioctl+0x74/0x80
+   entry_SYSCALL_64_fastpath+0x23/0x9a
+
+The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall)
+to the guest memory, however, write_mmio tracepoint always prints 8 bytes
+through *(u64 *)val since kvm splits the mmio access into 8 bytes. This
+can result in stack-out-of-bounds read due to access the extra 5 bytes.
+This patch fixes it by just accessing the bytes which we operates on.
+
+Before patch:
+
+syz-executor-5567  [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f
+
+After patch:
+
+syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Tested-by: Marc Zyngier <marc.zyngier@arm.com>
+---
+v3 -> v4:
+ * fix the arm tracepoint
+v2 -> v3:
+ * fix sparse warning
+v1 -> v2:
+ * do the memcpy in kvm_mmio tracepoint
+
+ arch/x86/kvm/x86.c         | 8 ++++----
+ include/trace/events/kvm.h | 6 ++++--
+ virt/kvm/arm/mmio.c        | 6 +++---
+ 3 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 0f82e2c..c7071e7 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4456,7 +4456,7 @@ static int vcpu_mmio_read(struct kvm_vcpu *vcpu, gpa_t addr, int len, void *v)
+ 					 addr, n, v))
+ 		    && kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, n, v))
+ 			break;
+-		trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v);
++		trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v);
+ 		handled += n;
+ 		addr += n;
+ 		len -= n;
+@@ -4715,7 +4715,7 @@ static int read_prepare(struct kvm_vcpu *vcpu, void *val, int bytes)
+ {
+ 	if (vcpu->mmio_read_completed) {
+ 		trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes,
+-			       vcpu->mmio_fragments[0].gpa, *(u64 *)val);
++			       vcpu->mmio_fragments[0].gpa, val);
+ 		vcpu->mmio_read_completed = 0;
+ 		return 1;
+ 	}
+@@ -4737,14 +4737,14 @@ static int write_emulate(struct kvm_vcpu *vcpu, gpa_t gpa,
+ 
+ static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val)
+ {
+-	trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val);
++	trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, val);
+ 	return vcpu_mmio_write(vcpu, gpa, bytes, val);
+ }
+ 
+ static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa,
+ 			  void *val, int bytes)
+ {
+-	trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0);
++	trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, NULL);
+ 	return X86EMUL_IO_NEEDED;
+ }
+ 
+diff --git a/include/trace/events/kvm.h b/include/trace/events/kvm.h
+index e4b0b8e..dfd2170 100644
+--- a/include/trace/events/kvm.h
++++ b/include/trace/events/kvm.h
+@@ -211,7 +211,7 @@ TRACE_EVENT(kvm_ack_irq,
+ 	{ KVM_TRACE_MMIO_WRITE, "write" }
+ 
+ TRACE_EVENT(kvm_mmio,
+-	TP_PROTO(int type, int len, u64 gpa, u64 val),
++	TP_PROTO(int type, int len, u64 gpa, void *val),
+ 	TP_ARGS(type, len, gpa, val),
+ 
+ 	TP_STRUCT__entry(
+@@ -225,7 +225,9 @@ TRACE_EVENT(kvm_mmio,
+ 		__entry->type		= type;
+ 		__entry->len		= len;
+ 		__entry->gpa		= gpa;
+-		__entry->val		= val;
++		__entry->val = 0;
++		if (val)
++			memcpy(&__entry->val, val, min(8, len));
+ 	),
+ 
+ 	TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",
+diff --git a/virt/kvm/arm/mmio.c b/virt/kvm/arm/mmio.c
+index b6e715f..dac7ceb 100644
+--- a/virt/kvm/arm/mmio.c
++++ b/virt/kvm/arm/mmio.c
+@@ -112,7 +112,7 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run)
+ 		}
+ 
+ 		trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr,
+-			       data);
++			       &data);
+ 		data = vcpu_data_host_to_guest(vcpu, data, len);
+ 		vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data);
+ 	}
+@@ -182,14 +182,14 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run,
+ 		data = vcpu_data_guest_to_host(vcpu, vcpu_get_reg(vcpu, rt),
+ 					       len);
+ 
+-		trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, data);
++		trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, &data);
+ 		kvm_mmio_write_buf(data_buf, len, data);
+ 
+ 		ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, fault_ipa, len,
+ 				       data_buf);
+ 	} else {
+ 		trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, len,
+-			       fault_ipa, 0);
++			       fault_ipa, NULL);
+ 
+ 		ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, fault_ipa, len,
+ 				      data_buf);
+From patchwork Mon Dec 18 11:55:05 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [v4] KVM: Fix stack-out-of-bounds read in write_mmio
+From: Paolo Bonzini <pbonzini@redhat.com>
+X-Patchwork-Id: 10118879
+Message-Id: <17d27b8d-908b-a740-1d2d-e92a8507f25b@redhat.com>
+To: Marc Zyngier <marc.zyngier@arm.com>,
+ Wanpeng Li <kernellwp@gmail.com>, linux-kernel@vger.kernel.org,
+ kvm@vger.kernel.org
+Cc: =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= <rkrcmar@redhat.com>,
+ Wanpeng Li <wanpeng.li@hotmail.com>,
+ Christoffer Dall <christoffer.dall@linaro.org>
+Date: Mon, 18 Dec 2017 12:55:05 +0100
+
+On 15/12/2017 12:06, Marc Zyngier wrote:
+> Assuming you address the above:
+> 
+> Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+> Tested-by: Marc Zyngier <marc.zyngier@arm.com>
+
+Done as follows:
+
+
+Thanks,
+
+Paolo
+
+diff --git a/include/trace/events/kvm.h b/include/trace/events/kvm.h
+index dfd21708694f..0a016bd14c2d 100644
+--- a/include/trace/events/kvm.h
++++ b/include/trace/events/kvm.h
+@@ -227,7 +227,8 @@
+ 		__entry->gpa		= gpa;
+ 		__entry->val = 0;
+ 		if (val)
+-			memcpy(&__entry->val, val, min(8, len));
++			memcpy(&__entry->val, val,
++			       min_t(u32, sizeof(__entry->val), len));
+ 	),
+ 
+ 	TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",