--- /dev/null
+From aa2be9b3d6d2d699e9ca7cbfc00867c80e5da213 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 3 Mar 2017 17:56:55 +1100
+Subject: crypto: powerpc - Fix initialisation of crc32c context
+
+From: Daniel Axtens <dja@axtens.net>
+
+commit aa2be9b3d6d2d699e9ca7cbfc00867c80e5da213 upstream.
+
+Turning on crypto self-tests on a POWER8 shows:
+
+ alg: hash: Test 1 failed for crc32c-vpmsum
+ 00000000: ff ff ff ff
+
+Comparing the code with the Intel CRC32c implementation on which
+ours is based shows that we are doing an init with 0, not ~0
+as CRC32c requires.
+
+This probably wasn't caught because btrfs does its own weird
+open-coded initialisation.
+
+Initialise our internal context to ~0 on init.
+
+This makes the self-tests pass, and btrfs continues to work.
+
+Fixes: 6dd7a82cc54e ("crypto: powerpc - Add POWER8 optimised crc32c")
+Cc: Anton Blanchard <anton@samba.org>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Acked-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/crypto/crc32c-vpmsum_glue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/crypto/crc32c-vpmsum_glue.c
++++ b/arch/powerpc/crypto/crc32c-vpmsum_glue.c
+@@ -52,7 +52,7 @@ static int crc32c_vpmsum_cra_init(struct
+ {
+ u32 *key = crypto_tfm_ctx(tfm);
+
+- *key = 0;
++ *key = ~0;
+
+ return 0;
+ }
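Review bot: The new seed in crc32c_vpmsum_cra_init() is a bare `~0` with no comment, so the reason it must not be zero lives only in the commit message. I would add `/* CRC32c starts from an all-ones seed; 0 fails the crypto self-test */` above the assignment. Writing it as `*key = ~0U;` would also make the unsigned 32-bit intent explicit, since `~0` is a signed int that is only converted when it is stored into the u32.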
--- /dev/null
+From 9bbb25afeb182502ca4f2c4f3f88af0681b34cae Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Sat, 4 Mar 2017 10:27:19 +0100
+Subject: futex: Add missing error handling to FUTEX_REQUEUE_PI
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 9bbb25afeb182502ca4f2c4f3f88af0681b34cae upstream.
+
+Thomas spotted that fixup_pi_state_owner() can return errors and we
+fail to unlock the rt_mutex in that case.
+
+Reported-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Darren Hart <dvhart@linux.intel.com>
+Cc: juri.lelli@arm.com
+Cc: bigeasy@linutronix.de
+Cc: xlpang@redhat.com
+Cc: rostedt@goodmis.org
+Cc: mathieu.desnoyers@efficios.com
+Cc: jdesfossez@efficios.com
+Cc: dvhart@infradead.org
+Cc: bristot@redhat.com
+Link: http://lkml.kernel.org/r/20170304093558.867401760@infradead.org
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/futex.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2896,6 +2896,8 @@ static int futex_wait_requeue_pi(u32 __u
+ if (q.pi_state && (q.pi_state->owner != current)) {
+ spin_lock(q.lock_ptr);
+ ret = fixup_pi_state_owner(uaddr2, &q, current);
++ if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current)
++ rt_mutex_unlock(&q.pi_state->pi_mutex);
+ /*
+ * Drop the reference to the pi state which
+ * the requeue_pi() code acquired for us.
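Review bot: The unlock added after fixup_pi_state_owner() has no comment, and its position is load-bearing: it dereferences `q.pi_state->pi_mutex`, so it has to run before the pi state reference is dropped just below. A later reordering would bring back the use-after-free pattern that the companion futex patch in this queue describes. I would add `/* On error, release the rt_mutex while we still hold our pi_state reference. */` above the `if (ret && ...)` line. The test fires on any non-zero `ret`; fixup_pi_state_owner() is not shown, so it is worth confirming that it only returns zero or a negative error. The body of futex_wait_requeue_pi() continues outside the hunk.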
--- /dev/null
+From c236c8e95a3d395b0494e7108f0d41cf36ec107c Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Sat, 4 Mar 2017 10:27:18 +0100
+Subject: futex: Fix potential use-after-free in FUTEX_REQUEUE_PI
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit c236c8e95a3d395b0494e7108f0d41cf36ec107c upstream.
+
+While working on the futex code, I stumbled over this potential
+use-after-free scenario. Dmitry triggered it later with syzkaller.
+
+pi_mutex is a pointer into pi_state, which we drop the reference on in
+unqueue_me_pi(). So any access to that pointer after that is bad.
+
+Since other sites already do rt_mutex_unlock() with hb->lock held, see
+for example futex_lock_pi(), simply move the unlock before
+unqueue_me_pi().
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Darren Hart <dvhart@linux.intel.com>
+Cc: juri.lelli@arm.com
+Cc: bigeasy@linutronix.de
+Cc: xlpang@redhat.com
+Cc: rostedt@goodmis.org
+Cc: mathieu.desnoyers@efficios.com
+Cc: jdesfossez@efficios.com
+Cc: dvhart@infradead.org
+Cc: bristot@redhat.com
+Link: http://lkml.kernel.org/r/20170304093558.801744246@infradead.org
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/futex.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2813,7 +2813,6 @@ static int futex_wait_requeue_pi(u32 __u
+ {
+ struct hrtimer_sleeper timeout, *to = NULL;
+ struct rt_mutex_waiter rt_waiter;
+- struct rt_mutex *pi_mutex = NULL;
+ struct futex_hash_bucket *hb;
+ union futex_key key2 = FUTEX_KEY_INIT;
+ struct futex_q q = futex_q_init;
+@@ -2905,6 +2904,8 @@ static int futex_wait_requeue_pi(u32 __u
+ spin_unlock(q.lock_ptr);
+ }
+ } else {
++ struct rt_mutex *pi_mutex;
++
+ /*
+ * We have been woken up by futex_unlock_pi(), a timeout, or a
+ * signal. futex_unlock_pi() will not destroy the lock_ptr nor
+@@ -2928,18 +2929,19 @@ static int futex_wait_requeue_pi(u32 __u
+ if (res)
+ ret = (res < 0) ? res : 0;
+
++ /*
++ * If fixup_pi_state_owner() faulted and was unable to handle
++ * the fault, unlock the rt_mutex and return the fault to
++ * userspace.
++ */
++ if (ret && rt_mutex_owner(pi_mutex) == current)
++ rt_mutex_unlock(pi_mutex);
++
+ /* Unqueue and drop the lock. */
+ unqueue_me_pi(&q);
+ }
+
+- /*
+- * If fixup_pi_state_owner() faulted and was unable to handle the
+- * fault, unlock the rt_mutex and return the fault to userspace.
+- */
+- if (ret == -EFAULT) {
+- if (pi_mutex && rt_mutex_owner(pi_mutex) == current)
+- rt_mutex_unlock(pi_mutex);
+- } else if (ret == -EINTR) {
++ if (ret == -EINTR) {
+ /*
+ * We've already been requeued, but cannot restart by calling
+ * futex_lock_pi() directly. We could restart this syscall, but
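Review bot: The comment moved into the else branch still describes only the case where fixup_pi_state_owner() faulted, but the condition beneath it is now `if (ret && rt_mutex_owner(pi_mutex) == current)`, which fires on any non-zero `ret`, where the removed code tested `ret == -EFAULT`. The comment also leaves out the reason for the move, which is that pi_mutex points into pi_state and must not be touched after unqueue_me_pi() drops our reference. I would reword it to something like `/* If we own the rt_mutex but are returning an error, unlock it here: pi_mutex points into pi_state, which unqueue_me_pi() drops our reference to. */`. The block-local `pi_mutex` declared in the previous hunk has no initializer and the old `pi_mutex &&` NULL test is gone, while its assignment lies outside the visible hunks, so confirm it is set on every path that reaches this test.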
--- /dev/null
+From 17fcbd590d0c3e35bd9646e2215f86586378bc42 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel <niklas.cassel@axis.com>
+Date: Sat, 25 Feb 2017 01:17:53 +0100
+Subject: locking/rwsem: Fix down_write_killable() for CONFIG_RWSEM_GENERIC_SPINLOCK=y
+
+From: Niklas Cassel <niklas.cassel@axis.com>
+
+commit 17fcbd590d0c3e35bd9646e2215f86586378bc42 upstream.
+
+We hang if SIGKILL has been sent, but the task is stuck in down_read()
+(after do_exit()), even though no task is doing down_write() on the
+rwsem in question:
+
+ INFO: task libupnp:21868 blocked for more than 120 seconds.
+ libupnp D 0 21868 1 0x08100008
+ ...
+ Call Trace:
+ __schedule()
+ schedule()
+ __down_read()
+ do_exit()
+ do_group_exit()
+ __wake_up_parent()
+
+This bug has already been fixed for CONFIG_RWSEM_XCHGADD_ALGORITHM=y in
+the following commit:
+
+ 04cafed7fc19 ("locking/rwsem: Fix down_write_killable()")
+
+... however, this bug also exists for CONFIG_RWSEM_GENERIC_SPINLOCK=y.
+
+Signed-off-by: Niklas Cassel <niklas.cassel@axis.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: <mhocko@suse.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Niklas Cassel <niklass@axis.com>
+Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: d47996082f52 ("locking/rwsem: Introduce basis for down_write_killable()")
+Link: http://lkml.kernel.org/r/1487981873-12649-1-git-send-email-niklass@axis.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/locking/rwsem-spinlock.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/kernel/locking/rwsem-spinlock.c
++++ b/kernel/locking/rwsem-spinlock.c
+@@ -216,10 +216,8 @@ int __sched __down_write_common(struct r
+ */
+ if (sem->count == 0)
+ break;
+- if (signal_pending_state(state, current)) {
+- ret = -EINTR;
+- goto out;
+- }
++ if (signal_pending_state(state, current))
++ goto out_nolock;
+ set_task_state(tsk, state);
+ raw_spin_unlock_irqrestore(&sem->wait_lock, flags);
+ schedule();
+@@ -227,12 +225,19 @@ int __sched __down_write_common(struct r
+ }
+ /* got the lock */
+ sem->count = -1;
+-out:
+ list_del(&waiter.list);
+
+ raw_spin_unlock_irqrestore(&sem->wait_lock, flags);
+
+ return ret;
++
++out_nolock:
++ list_del(&waiter.list);
++ if (!list_empty(&sem->wait_list))
++ __rwsem_do_wake(sem, 1);
++ raw_spin_unlock_irqrestore(&sem->wait_lock, flags);
++
++ return -EINTR;
+ }
+
+ void __sched __down_write(struct rw_semaphore *sem)
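Review bot: The out_nolock path calls `__rwsem_do_wake(sem, 1)` without looking at sem->count, although the wait loop above is only left normally when `sem->count == 0`, so the interrupted writer may be leaving while the semaphore is still held. __rwsem_do_wake() is not shown here; if it hands read locks to the waiters at the head of the queue without checking the count, a negative count (write-held, as set by `sem->count = -1` on the success path) would let readers in alongside the current writer. A guard such as `if (!list_empty(&sem->wait_list) && sem->count >= 0)` would close that. If the second argument selects whether a queued writer is woken (to be confirmed against the helper), `__rwsem_do_wake(sem, 0)` looks sufficient, since a writer could not take the lock at this point either. A one-line comment saying that the wake-up exists because the departing writer may have been blocking readers queued behind it would also help the next reader.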
drm-vc4-fix-clock_select-setting-for-the-vec-encoder.patch
arm64-kvm-vhe-clear-hcr_tge-when-invalidating-guest-tlbs.patch
irqchip-gicv3-its-add-workaround-for-qdf2400-its-erratum-0065.patch
+x86-tsc-fix-art-for-tsc_known_freq.patch
+x86-kasan-fix-boot-with-kasan-y-and-profile_annotated_branches-y.patch
+x86-perf-fix-cr4.pce-propagation-to-use-active_mm-instead-of-mm.patch
+futex-fix-potential-use-after-free-in-futex_requeue_pi.patch
+futex-add-missing-error-handling-to-futex_requeue_pi.patch
+locking-rwsem-fix-down_write_killable-for-config_rwsem_generic_spinlock-y.patch
+crypto-powerpc-fix-initialisation-of-crc32c-context.patch
--- /dev/null
+From be3606ff739d1c1be36389f8737c577ad87e1f57 Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Mon, 13 Mar 2017 19:33:37 +0300
+Subject: x86/kasan: Fix boot with KASAN=y and PROFILE_ANNOTATED_BRANCHES=y
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+commit be3606ff739d1c1be36389f8737c577ad87e1f57 upstream.
+
+The kernel doesn't boot with both PROFILE_ANNOTATED_BRANCHES=y and KASAN=y
+options selected. With branch profiling enabled we end up calling
+ftrace_likely_update() before kasan_early_init(). ftrace_likely_update() is
+built with KASAN instrumentation, so calling it before kasan has been
+initialized leads to crash.
+
+Use DISABLE_BRANCH_PROFILING define to make sure that we don't call
+ftrace_likely_update() from early code before kasan_early_init().
+
+Fixes: ef7f0d6a6ca8 ("x86_64: add KASan support")
+Reported-by: Fengguang Wu <fengguang.wu@intel.com>
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: kasan-dev@googlegroups.com
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: lkp@01.org
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Link: http://lkml.kernel.org/r/20170313163337.1704-1-aryabinin@virtuozzo.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/head64.c | 1 +
+ arch/x86/mm/kasan_init_64.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/head64.c
++++ b/arch/x86/kernel/head64.c
+@@ -4,6 +4,7 @@
+ * Copyright (C) 2000 Andrea Arcangeli <andrea@suse.de> SuSE
+ */
+
++#define DISABLE_BRANCH_PROFILING
+ #include <linux/init.h>
+ #include <linux/linkage.h>
+ #include <linux/types.h>
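Review bot: `#define DISABLE_BRANCH_PROFILING` is added at the top of head64.c with no comment, and the same bare define is added to kasan_init_64.c in the next hunk. Its effect depends on staying ahead of every #include, and the reason for it (this code runs before kasan_early_init(), so it must not call the KASAN-instrumented ftrace_likely_update()) is recorded only in the commit message. I would add `/* Must precede all includes: this file runs before kasan_early_init(). */` above the define in both files so that an include reshuffle does not silently undo the fix.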
+--- a/arch/x86/mm/kasan_init_64.c
++++ b/arch/x86/mm/kasan_init_64.c
+@@ -1,3 +1,4 @@
++#define DISABLE_BRANCH_PROFILING
+ #define pr_fmt(fmt) "kasan: " fmt
+ #include <linux/bootmem.h>
+ #include <linux/kasan.h>
--- /dev/null
+From 5dc855d44c2ad960a86f593c60461f1ae1566b6d Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Thu, 16 Mar 2017 12:59:39 -0700
+Subject: x86/perf: Fix CR4.PCE propagation to use active_mm instead of mm
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 5dc855d44c2ad960a86f593c60461f1ae1566b6d upstream.
+
+If one thread mmaps a perf event while another thread in the same mm
+is in some context where active_mm != mm (which can happen in the
+scheduler, for example), refresh_pce() would write the wrong value
+to CR4.PCE. This broke some PAPI tests.
+
+Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Borislav Petkov <bpetkov@suse.de>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 7911d3f7af14 ("perf/x86: Only allow rdpmc if a perf_event is mapped")
+Link: http://lkml.kernel.org/r/0c5b38a76ea50e405f9abe07a13dfaef87c173a1.1489694270.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/events/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -2096,8 +2096,8 @@ static int x86_pmu_event_init(struct per
+
+ static void refresh_pce(void *ignored)
+ {
+- if (current->mm)
+- load_mm_cr4(current->mm);
++ if (current->active_mm)
++ load_mm_cr4(current->active_mm);
+ }
+
+ static void x86_pmu_event_mapped(struct perf_event *event)
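Review bot: refresh_pce() now reads `current->active_mm`, but nothing in the function says why it is not `current->mm`, which is what most readers would expect. CR4.PCE gates rdpmc for user space, so a well-meant cleanup back to `->mm` would quietly reintroduce the wrong-value write described in the commit message. I would add `/* Use active_mm: this can run in a context where current->mm differs from the mm actually loaded. */` above the test. Whether active_mm can ever be NULL here is not visible in the hunk, so the retained NULL check may be unnecessary.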
--- /dev/null
+From 44fee88cea43d3c2cac962e0439cb10a3cabff6d Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Mon, 13 Mar 2017 15:57:12 +0100
+Subject: x86/tsc: Fix ART for TSC_KNOWN_FREQ
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 44fee88cea43d3c2cac962e0439cb10a3cabff6d upstream.
+
+Subhransu reported that convert_art_to_tsc() isn't working for him.
+
+The ART to TSC relation is only set up for systems which use the refined
+TSC calibration. Systems with known TSC frequency (available via CPUID 15)
+are not using the refined calibration and therefor the ART to TSC relation
+is never established.
+
+Add the setup to the known frequency init path which skips ART
+calibration. The init code needs to be duplicated as for systems which use
+refined calibration the ART setup must be delayed until calibration has
+been done.
+
+The problem has been there since the ART support was introdduced, but only
+detected now because Subhransu tested the first time on hardware which has
+TSC frequency enumerated via CPUID 15.
+
+Note for stable: The conditional has changed from TSC_RELIABLE to
+ TSC_KNOWN_FREQUENCY.
+
+[ tglx: Rewrote changelog and identified the proper 'Fixes' commit ]
+
+Fixes: f9677e0f8308 ("x86/tsc: Always Running Timer (ART) correlated clocksource")
+Reported-by: "Prusty, Subhransu S" <subhransu.s.prusty@intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Cc: christopher.s.hall@intel.com
+Cc: kevin.b.stanton@intel.com
+Cc: john.stultz@linaro.org
+Cc: akataria@vmware.com
+Link: http://lkml.kernel.org/r/20170313145712.GI3312@twins.programming.kicks-ass.net
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/tsc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -1287,6 +1287,8 @@ static int __init init_tsc_clocksource(v
+ * exporting a reliable TSC.
+ */
+ if (boot_cpu_has(X86_FEATURE_TSC_RELIABLE)) {
++ if (boot_cpu_has(X86_FEATURE_ART))
++ art_related_clocksource = &clocksource_tsc;
+ clocksource_register_khz(&clocksource_tsc, tsc_khz);
+ return 0;
+ }
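Review bot: The ART setup added inside the `X86_FEATURE_TSC_RELIABLE` branch has no comment, while the commit message says the same setup already exists on the refined-calibration path and had to be duplicated. I would add `/* No refined calibration on this path, so set up the ART relation here as well. */` above the `boot_cpu_has(X86_FEATURE_ART)` test so the two copies are kept in step. The subject names TSC_KNOWN_FREQ and the message notes that the upstream conditional differs from this backport's TSC_RELIABLE; whether every CPUID 15 system reaches this branch in this tree cannot be told from the hunk. init_tsc_clocksource() starts and ends outside the hunk.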