3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 11 Sep 2015 22:40:35 +0000 (15:40 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 11 Sep 2015 22:40:35 +0000 (15:40 -0700)
added patches:
arm64-kvm-fix-host-crash-when-injecting-a-fault-into-a-32bit-guest.patch
arm64-mm-remove-hack-in-mmap-randomize-layout.patch
scsi-fix-null-pointer-dereference-in-runtime-pm.patch

queue-3.14/arm64-kvm-fix-host-crash-when-injecting-a-fault-into-a-32bit-guest.patch [new file with mode: 0644]
queue-3.14/arm64-mm-remove-hack-in-mmap-randomize-layout.patch [new file with mode: 0644]
queue-3.14/scsi-fix-null-pointer-dereference-in-runtime-pm.patch [new file with mode: 0644]
queue-3.14/series

diff --git a/queue-3.14/arm64-kvm-fix-host-crash-when-injecting-a-fault-into-a-32bit-guest.patch b/queue-3.14/arm64-kvm-fix-host-crash-when-injecting-a-fault-into-a-32bit-guest.patch
new file mode 100644 (file)
index 0000000..45e570c
--- /dev/null
@@ -0,0 +1,60 @@
+From 126c69a0bd0e441bf6766a5d9bf20de011be9f68 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 27 Aug 2015 16:10:01 +0100
+Subject: arm64: KVM: Fix host crash when injecting a fault into a 32bit guest
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 126c69a0bd0e441bf6766a5d9bf20de011be9f68 upstream.
+
+When injecting a fault into a misbehaving 32bit guest, it seems
+rather idiotic to also inject a 64bit fault that is only going
+to corrupt the guest state. This leads to a situation where we
+perform an illegal exception return at EL2 causing the host
+to crash instead of killing the guest.
+
+Just fix the stupid bug that has been there from day 1.
+
+Reported-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Tested-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kvm/inject_fault.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/arm64/kvm/inject_fault.c
++++ b/arch/arm64/kvm/inject_fault.c
+@@ -168,8 +168,8 @@ void kvm_inject_dabt(struct kvm_vcpu *vc
+ {
+       if (!(vcpu->arch.hcr_el2 & HCR_RW))
+               inject_abt32(vcpu, false, addr);
+-
+-      inject_abt64(vcpu, false, addr);
++      else
++              inject_abt64(vcpu, false, addr);
+ }
+ /**
+@@ -184,8 +184,8 @@ void kvm_inject_pabt(struct kvm_vcpu *vc
+ {
+       if (!(vcpu->arch.hcr_el2 & HCR_RW))
+               inject_abt32(vcpu, true, addr);
+-
+-      inject_abt64(vcpu, true, addr);
++      else
++              inject_abt64(vcpu, true, addr);
+ }
+ /**
+@@ -198,6 +198,6 @@ void kvm_inject_undefined(struct kvm_vcp
+ {
+       if (!(vcpu->arch.hcr_el2 & HCR_RW))
+               inject_undef32(vcpu);
+-
+-      inject_undef64(vcpu);
++      else
++              inject_undef64(vcpu);
+ }
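Review bot: The corrected dispatch in kvm_inject_dabt, kvm_inject_pabt and kvm_inject_undefined carries no comment saying why the 64-bit path must be exclusive, even though the description reports that getting it wrong ends in an illegal exception return at EL2 and a host crash rather than the guest being killed, i.e. a 32-bit guest can bring down the host. I would add a comment above the first `if` of each function (or one shared comment above kvm_inject_dabt): `/* HCR_RW clear means the guest runs AArch32: inject only the 32-bit exception. Also injecting the 64-bit one corrupts guest state and ends in an illegal ERET at EL2, crashing the host. */`. The three functions repeat the identical HCR_RW test and could be folded into one static helper taking the two inject callbacks, although that is optional for a stable backport. The doc blocks preceding kvm_inject_pabt and kvm_inject_undefined are cut by the hunk, so this is a documentation suggestion only.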
diff --git a/queue-3.14/arm64-mm-remove-hack-in-mmap-randomize-layout.patch b/queue-3.14/arm64-mm-remove-hack-in-mmap-randomize-layout.patch
new file mode 100644 (file)
index 0000000..eddf45a
--- /dev/null
@@ -0,0 +1,68 @@
+From d6c763afab142a85e4770b4bc2a5f40f256d5c5d Mon Sep 17 00:00:00 2001
+From: Yann Droneaud <ydroneaud@opteya.com>
+Date: Mon, 17 Nov 2014 23:02:19 +0000
+Subject: arm64/mm: Remove hack in mmap randomize layout
+
+From: Yann Droneaud <ydroneaud@opteya.com>
+
+commit d6c763afab142a85e4770b4bc2a5f40f256d5c5d upstream.
+
+Since commit 8a0a9bd4db63 ('random: make get_random_int() more
+random'), get_random_int() returns a random value for each call,
+so comment and hack introduced in mmap_rnd() as part of commit
+1d18c47c735e ('arm64: MMU fault handling and page table management')
+are incorrects.
+
+Commit 1d18c47c735e seems to use the same hack introduced by
+commit a5adc91a4b44 ('powerpc: Ensure random space between stack
+and mmaps'), latter copied in commit 5a0efea09f42 ('sparc64: Sharpen
+address space randomization calculations.').
+
+But both architectures were cleaned up as part of commit
+fa8cbaaf5a68 ('powerpc+sparc64/mm: Remove hack in mmap randomize
+layout') as hack is no more needed since commit 8a0a9bd4db63.
+
+So the present patch removes the comment and the hack around
+get_random_int() on AArch64's mmap_rnd().
+
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Anton Blanchard <anton@samba.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Acked-by: Dan McGee <dpmcgee@gmail.com>
+Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Cc: Matthias Brugger <mbrugger@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/mm/mmap.c |   12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+--- a/arch/arm64/mm/mmap.c
++++ b/arch/arm64/mm/mmap.c
+@@ -47,22 +47,14 @@ static int mmap_is_legacy(void)
+       return sysctl_legacy_va_layout;
+ }
+-/*
+- * Since get_random_int() returns the same value within a 1 jiffy window, we
+- * will almost always get the same randomisation for the stack and mmap
+- * region. This will mean the relative distance between stack and mmap will be
+- * the same.
+- *
+- * To avoid this we can shift the randomness by 1 bit.
+- */
+ static unsigned long mmap_rnd(void)
+ {
+       unsigned long rnd = 0;
+       if (current->flags & PF_RANDOMIZE)
+-              rnd = (long)get_random_int() & (STACK_RND_MASK >> 1);
++              rnd = (long)get_random_int() & STACK_RND_MASK;
+-      return rnd << (PAGE_SHIFT + 1);
++      return rnd << PAGE_SHIFT;
+ }
+ static unsigned long mmap_base(void)
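Review bot: The rewritten mmap_rnd keeps the `(long)` cast on get_random_int() although the value is immediately masked and stored in an unsigned long, so the cast does nothing and reads like a leftover of the removed hack; `rnd = get_random_int() & STACK_RND_MASK;` is clearer. Because the old explanatory comment is deleted rather than replaced, a reader no longer sees why the stack and mmap offsets are not correlated; I would put a short comment above the function such as `/* get_random_int() yields a fresh value per call, so stack and mmap randomisation are independent without any extra shift; the mask bounds the entropy to STACK_RND_MASK. */`. Assuming STACK_RND_MASK is a contiguous low-bit mask, the new mask-and-shift yields the same number of random bits as the old `>> 1` / `<< 1` pair, so ASLR entropy is unchanged and only the two-page alignment of the old result goes away. mmap_base, whose signature closes the hunk, continues outside it.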
diff --git a/queue-3.14/scsi-fix-null-pointer-dereference-in-runtime-pm.patch b/queue-3.14/scsi-fix-null-pointer-dereference-in-runtime-pm.patch
new file mode 100644 (file)
index 0000000..1b0f007
--- /dev/null
@@ -0,0 +1,83 @@
+From 49718f0fb8c9af192b33d8af3a2826db04025371 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 17 Aug 2015 11:02:42 -0400
+Subject: SCSI: Fix NULL pointer dereference in runtime PM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 49718f0fb8c9af192b33d8af3a2826db04025371 upstream.
+
+The routines in scsi_rpm.c assume that if a runtime-PM callback is
+invoked for a SCSI device, it can only mean that the device's driver
+has asked the block layer to handle the runtime power management (by
+calling blk_pm_runtime_init(), which among other things sets q->dev).
+
+However, this assumption turns out to be wrong for things like the ses
+driver.  Normally ses devices are not allowed to do runtime PM, but
+userspace can override this setting.  If this happens, the kernel gets
+a NULL pointer dereference when blk_post_runtime_resume() tries to use
+the uninitialized q->dev pointer.
+
+This patch fixes the problem by calling the block layer's runtime-PM
+routines only if the device's driver really does have a runtime-PM
+callback routine.  Since ses doesn't define any such callbacks, the
+crash won't occur.
+
+This fixes Bugzilla #101371.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: StanisÅ‚aw Pitucha <viraptor@gmail.com>
+Reported-by: Ilan Cohen <ilanco@gmail.com>
+Tested-by: Ilan Cohen <ilanco@gmail.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: James Bottomley <JBottomley@Odin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_pm.c |   22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/drivers/scsi/scsi_pm.c
++++ b/drivers/scsi/scsi_pm.c
+@@ -149,15 +149,15 @@ static int sdev_runtime_suspend(struct d
+ {
+       const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL;
+       struct scsi_device *sdev = to_scsi_device(dev);
+-      int err;
++      int err = 0;
+-      err = blk_pre_runtime_suspend(sdev->request_queue);
+-      if (err)
+-              return err;
+-      if (pm && pm->runtime_suspend)
++      if (pm && pm->runtime_suspend) {
++              err = blk_pre_runtime_suspend(sdev->request_queue);
++              if (err)
++                      return err;
+               err = pm->runtime_suspend(dev);
+-      blk_post_runtime_suspend(sdev->request_queue, err);
+-
++              blk_post_runtime_suspend(sdev->request_queue, err);
++      }
+       return err;
+ }
+@@ -180,11 +180,11 @@ static int sdev_runtime_resume(struct de
+       const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL;
+       int err = 0;
+-      blk_pre_runtime_resume(sdev->request_queue);
+-      if (pm && pm->runtime_resume)
++      if (pm && pm->runtime_resume) {
++              blk_pre_runtime_resume(sdev->request_queue);
+               err = pm->runtime_resume(dev);
+-      blk_post_runtime_resume(sdev->request_queue, err);
+-
++              blk_post_runtime_resume(sdev->request_queue, err);
++      }
+       return err;
+ }
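Review bot: The new guard in sdev_runtime_suspend and sdev_runtime_resume uses "the driver defines a runtime_suspend/runtime_resume callback" as a stand-in for "the driver called blk_pm_runtime_init() and so q->dev is set", but nothing in the code ties the two together, so a driver that supplies the callbacks without initialising block-layer runtime PM would still reach the NULL q->dev this patch works around. A comment should record that assumption, e.g. above the `if` in each function: `/* blk_{pre,post}_runtime_* need q->dev, which only drivers that called blk_pm_runtime_init() set; having runtime-PM callbacks is used as the proxy for that. */`. A stricter alternative is to check `sdev->request_queue->dev` directly, but that relies on block-layer internals I have not verified are meant to be read here, so I would keep the proxy and document it. With this change a device whose driver has no callbacks now reports success (err stays 0) without touching the queue, which matches the description's intent for ses but is worth stating in the same comment. sdev_runtime_resume's declaration of sdev sits above the hunk, so that function is only partly visible.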
index 265f273387940b14b96df75c78eeeb9208faebd5..80de24ad79fb30bd7409c6f9e939ef9bbf331bb0 100644 (file)
@@ -13,3 +13,6 @@ libfc-fix-fc_exch_recv_req-error-path.patch
 libfc-fix-fc_fcp_cleanup_each_cmd.patch
 regmap-regcache-rbtree-clean-new-present-bits-on-present-bitmap-resize.patch
 crypto-caam-fix-memory-corruption-in-ahash_final_ctx.patch
+arm64-mm-remove-hack-in-mmap-randomize-layout.patch
+scsi-fix-null-pointer-dereference-in-runtime-pm.patch
+arm64-kvm-fix-host-crash-when-injecting-a-fault-into-a-32bit-guest.patch