--- /dev/null
+From e471486c13b82b1338d49c798f78bb62b1ed0a9e Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Thu, 2 Feb 2017 10:31:00 -0800
+Subject: acpi, nfit: fix acpi_nfit_flush_probe() crash
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit e471486c13b82b1338d49c798f78bb62b1ed0a9e upstream.
+
+We queue an on-stack work item to 'nfit_wq' and wait for it to complete
+as part of a 'flush_probe' request. However, if the user cancels the
+wait we need to make sure the item is flushed from the queue otherwise
+we are leaving an out-of-scope stack address on the work list.
+
+ BUG: unable to handle kernel paging request at ffffbcb3c72f7cd0
+ IP: [<ffffffffa9413a7b>] __list_add+0x1b/0xb0
+ [..]
+ RIP: 0010:[<ffffffffa9413a7b>] [<ffffffffa9413a7b>] __list_add+0x1b/0xb0
+ RSP: 0018:ffffbcb3c7ba7c00 EFLAGS: 00010046
+ [..]
+ Call Trace:
+ [<ffffffffa90bb11a>] insert_work+0x3a/0xc0
+ [<ffffffffa927fdda>] ? seq_open+0x5a/0xa0
+ [<ffffffffa90bb30a>] __queue_work+0x16a/0x460
+ [<ffffffffa90bbb08>] queue_work_on+0x38/0x40
+ [<ffffffffc0cf2685>] acpi_nfit_flush_probe+0x95/0xc0 [nfit]
+ [<ffffffffc0cf25d0>] ? nfit_visible+0x40/0x40 [nfit]
+ [<ffffffffa9571495>] wait_probe_show+0x25/0x60
+ [<ffffffffa9546b30>] dev_attr_show+0x20/0x50
+
+Fixes: 7ae0fa439faf ("nfit, libnvdimm: async region scrub workqueue")
+Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/nfit/core.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -2704,6 +2704,7 @@ static int acpi_nfit_flush_probe(struct
+ struct acpi_nfit_desc *acpi_desc = to_acpi_nfit_desc(nd_desc);
+ struct device *dev = acpi_desc->dev;
+ struct acpi_nfit_flush_work flush;
++ int rc;
+
+ /* bounce the device lock to flush acpi_nfit_add / acpi_nfit_notify */
+ device_lock(dev);
+@@ -2716,7 +2717,10 @@ static int acpi_nfit_flush_probe(struct
+ INIT_WORK_ONSTACK(&flush.work, flush_probe);
+ COMPLETION_INITIALIZER_ONSTACK(flush.cmp);
+ queue_work(nfit_wq, &flush.work);
+- return wait_for_completion_interruptible(&flush.cmp);
++
++ rc = wait_for_completion_interruptible(&flush.cmp);
++ cancel_work_sync(&flush.work);
++ return rc;
+ }
+
+ static int acpi_nfit_clear_to_send(struct nvdimm_bus_descriptor *nd_desc,
--- /dev/null
+From a524c218bc94c705886a0e0fedeee45d1931da32 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <Vineet.Gupta1@synopsys.com>
+Date: Tue, 7 Feb 2017 09:44:58 -0800
+Subject: ARC: [arcompact] brown paper bag bug in unaligned access delay slot fixup
+
+From: Vineet Gupta <Vineet.Gupta1@synopsys.com>
+
+commit a524c218bc94c705886a0e0fedeee45d1931da32 upstream.
+
+Reported-by: Jo-Philipp Wich <jo@mein.io>
+Fixes: 9aed02feae57bf7 ("ARC: [arcompact] handle unaligned access delay slot")
+Cc: linux-kernel@vger.kernel.org
+Cc: linux-snps-arc@lists.infradead.org
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/kernel/unaligned.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/kernel/unaligned.c
++++ b/arch/arc/kernel/unaligned.c
+@@ -243,7 +243,7 @@ int misaligned_fixup(unsigned long addre
+
+ /* clear any remanants of delay slot */
+ if (delay_mode(regs)) {
+- regs->ret = regs->bta ~1U;
++ regs->ret = regs->bta & ~1U;
+ regs->status32 &= ~STATUS_DE_MASK;
+ } else {
+ regs->ret += state.instr_len;
--- /dev/null
+From 6e978b22efa1db9f6e71b24440b5f1d93e968ee3 Mon Sep 17 00:00:00 2001
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Date: Fri, 3 Feb 2017 14:18:39 -0800
+Subject: cpufreq: intel_pstate: Disable energy efficiency optimization
+
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+
+commit 6e978b22efa1db9f6e71b24440b5f1d93e968ee3 upstream.
+
+Some Kabylake desktop processors may not reach max turbo when running in
+HWP mode, even if running under sustained 100% utilization.
+
+This occurs when the HWP.EPP (Energy Performance Preference) is set to
+"balance_power" (0x80) -- the default on most systems.
+
+It occurs because the platform BIOS may erroneously enable an
+energy-efficiency setting -- MSR_IA32_POWER_CTL BIT-EE, which is not
+recommended to be enabled on this SKU.
+
+On the failing systems, this BIOS issue was not discovered when the
+desktop motherboard was tested with Windows, because the BIOS also
+neglects to provide the ACPI/CPPC table, that Windows requires to enable
+HWP, and so Windows runs in legacy P-state mode, where this setting has
+no effect.
+
+Linux' intel_pstate driver does not require ACPI/CPPC to enable HWP, and
+so it runs in HWP mode, exposing this incorrect BIOS configuration.
+
+There are several ways to address this problem.
+
+First, Linux can also run in legacy P-state mode on this system.
+As intel_pstate is how Linux enables HWP, booting with
+"intel_pstate=disable"
+will run in acpi-cpufreq/ondemand legacy p-state mode.
+
+Or second, the "performance" governor can be used with intel_pstate,
+which will modify HWP.EPP to 0.
+
+Or third, starting in 4.10, the
+/sys/devices/system/cpu/cpufreq/policy*/energy_performance_preference
+attribute in can be updated from "balance_power" to "performance".
+
+Or fourth, apply this patch, which fixes the erroneous setting of
+MSR_IA32_POWER_CTL BIT_EE on this model, allowing the default
+configuration to function as designed.
+
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Reviewed-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/intel_pstate.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -820,6 +820,25 @@ static void intel_pstate_hwp_enable(stru
+ wrmsrl_on_cpu(cpudata->cpu, MSR_PM_ENABLE, 0x1);
+ }
+
++#define MSR_IA32_POWER_CTL_BIT_EE 19
++
++/* Disable energy efficiency optimization */
++static void intel_pstate_disable_ee(int cpu)
++{
++ u64 power_ctl;
++ int ret;
++
++ ret = rdmsrl_on_cpu(cpu, MSR_IA32_POWER_CTL, &power_ctl);
++ if (ret)
++ return;
++
++ if (!(power_ctl & BIT(MSR_IA32_POWER_CTL_BIT_EE))) {
++ pr_info("Disabling energy efficiency optimization\n");
++ power_ctl |= BIT(MSR_IA32_POWER_CTL_BIT_EE);
++ wrmsrl_on_cpu(cpu, MSR_IA32_POWER_CTL, power_ctl);
++ }
++}
++
+ static int atom_get_min_pstate(void)
+ {
+ u64 value;
+@@ -1420,6 +1439,11 @@ static const struct x86_cpu_id intel_pst
+ {}
+ };
+
++static const struct x86_cpu_id intel_pstate_cpu_ee_disable_ids[] = {
++ ICPU(INTEL_FAM6_KABYLAKE_DESKTOP, core_params),
++ {}
++};
++
+ static int intel_pstate_init_cpu(unsigned int cpunum)
+ {
+ struct cpudata *cpu;
+@@ -1435,6 +1459,12 @@ static int intel_pstate_init_cpu(unsigne
+ cpu->cpu = cpunum;
+
+ if (hwp_active) {
++ const struct x86_cpu_id *id;
++
++ id = x86_match_cpu(intel_pstate_cpu_ee_disable_ids);
++ if (id)
++ intel_pstate_disable_ee(cpunum);
++
+ intel_pstate_hwp_enable(cpu);
+ pid_params.sample_rate_ms = 50;
+ pid_params.sample_rate_ns = 50 * NSEC_PER_MSEC;
--- /dev/null
+From 0b529f143e8baad441a5aac9ad55ec2434d8fb46 Mon Sep 17 00:00:00 2001
+From: Harsh Jain <harsh@chelsio.com>
+Date: Wed, 1 Feb 2017 21:10:28 +0530
+Subject: crypto: algif_aead - Fix kernel panic on list_del
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Harsh Jain <harsh@chelsio.com>
+
+commit 0b529f143e8baad441a5aac9ad55ec2434d8fb46 upstream.
+
+Kernel panics when userspace program try to access AEAD interface.
+Remove node from Linked List before freeing its memory.
+
+Signed-off-by: Harsh Jain <harsh@chelsio.com>
+Reviewed-by: Stephan Müller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/algif_aead.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/algif_aead.c
++++ b/crypto/algif_aead.c
+@@ -671,9 +671,9 @@ static int aead_recvmsg_sync(struct sock
+ unlock:
+ list_for_each_entry_safe(rsgl, tmp, &ctx->list, list) {
+ af_alg_free_sg(&rsgl->sgl);
++ list_del(&rsgl->list);
+ if (rsgl != &ctx->first_rsgl)
+ sock_kfree_s(sk, rsgl, sizeof(*rsgl));
+- list_del(&rsgl->list);
+ }
+ INIT_LIST_HEAD(&ctx->list);
+ aead_wmem_wakeup(sk);
--- /dev/null
+From 500c0106e638e08c2c661c305ed57d6b67e10908 Mon Sep 17 00:00:00 2001
+From: Gary R Hook <gary.hook@amd.com>
+Date: Fri, 27 Jan 2017 15:28:45 -0600
+Subject: crypto: ccp - Fix DMA operations when IOMMU is enabled
+
+From: Gary R Hook <gary.hook@amd.com>
+
+commit 500c0106e638e08c2c661c305ed57d6b67e10908 upstream.
+
+An I/O page fault occurs when the IOMMU is enabled on a
+system that supports the v5 CCP. DMA operations use a
+Request ID value that does not match what is expected by
+the IOMMU, resulting in the I/O page fault. Setting the
+Request ID value to 0 corrects this issue.
+
+Signed-off-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccp/ccp-dev-v5.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/ccp/ccp-dev-v5.c
++++ b/drivers/crypto/ccp/ccp-dev-v5.c
+@@ -955,7 +955,7 @@ static irqreturn_t ccp5_irq_handler(int
+ static void ccp5_config(struct ccp_device *ccp)
+ {
+ /* Public side */
+- iowrite32(0x00001249, ccp->io_regs + CMD5_REQID_CONFIG_OFFSET);
++ iowrite32(0x0, ccp->io_regs + CMD5_REQID_CONFIG_OFFSET);
+ }
+
+ static void ccp5other_config(struct ccp_device *ccp)
--- /dev/null
+From e5da5c5667381d2772374ee6a2967b3576c9483d Mon Sep 17 00:00:00 2001
+From: Gary R Hook <gary.hook@amd.com>
+Date: Fri, 27 Jan 2017 17:09:04 -0600
+Subject: crypto: ccp - Fix double add when creating new DMA command
+
+From: Gary R Hook <gary.hook@amd.com>
+
+commit e5da5c5667381d2772374ee6a2967b3576c9483d upstream.
+
+Eliminate a double-add by creating a new list to manage
+command descriptors when created; move the descriptor to
+the pending list when the command is submitted.
+
+Signed-off-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccp/ccp-dev.h | 1 +
+ drivers/crypto/ccp/ccp-dmaengine.c | 6 +++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/crypto/ccp/ccp-dev.h
++++ b/drivers/crypto/ccp/ccp-dev.h
+@@ -238,6 +238,7 @@ struct ccp_dma_chan {
+ struct ccp_device *ccp;
+
+ spinlock_t lock;
++ struct list_head created;
+ struct list_head pending;
+ struct list_head active;
+ struct list_head complete;
+--- a/drivers/crypto/ccp/ccp-dmaengine.c
++++ b/drivers/crypto/ccp/ccp-dmaengine.c
+@@ -63,6 +63,7 @@ static void ccp_free_chan_resources(stru
+ ccp_free_desc_resources(chan->ccp, &chan->complete);
+ ccp_free_desc_resources(chan->ccp, &chan->active);
+ ccp_free_desc_resources(chan->ccp, &chan->pending);
++ ccp_free_desc_resources(chan->ccp, &chan->created);
+
+ spin_unlock_irqrestore(&chan->lock, flags);
+ }
+@@ -273,6 +274,7 @@ static dma_cookie_t ccp_tx_submit(struct
+ spin_lock_irqsave(&chan->lock, flags);
+
+ cookie = dma_cookie_assign(tx_desc);
++ list_del(&desc->entry);
+ list_add_tail(&desc->entry, &chan->pending);
+
+ spin_unlock_irqrestore(&chan->lock, flags);
+@@ -426,7 +428,7 @@ static struct ccp_dma_desc *ccp_create_d
+
+ spin_lock_irqsave(&chan->lock, sflags);
+
+- list_add_tail(&desc->entry, &chan->pending);
++ list_add_tail(&desc->entry, &chan->created);
+
+ spin_unlock_irqrestore(&chan->lock, sflags);
+
+@@ -610,6 +612,7 @@ static int ccp_terminate_all(struct dma_
+ /*TODO: Purge the complete list? */
+ ccp_free_desc_resources(chan->ccp, &chan->active);
+ ccp_free_desc_resources(chan->ccp, &chan->pending);
++ ccp_free_desc_resources(chan->ccp, &chan->created);
+
+ spin_unlock_irqrestore(&chan->lock, flags);
+
+@@ -679,6 +682,7 @@ int ccp_dmaengine_register(struct ccp_de
+ chan->ccp = ccp;
+
+ spin_lock_init(&chan->lock);
++ INIT_LIST_HEAD(&chan->created);
+ INIT_LIST_HEAD(&chan->pending);
+ INIT_LIST_HEAD(&chan->active);
+ INIT_LIST_HEAD(&chan->complete);
--- /dev/null
+From f5f7bebc91ab378dea5aad5277c4d283e46472d9 Mon Sep 17 00:00:00 2001
+From: Harsh Jain <harsh@chelsio.com>
+Date: Tue, 24 Jan 2017 10:34:33 +0530
+Subject: crypto: chcr - Check device is allocated before use
+
+From: Harsh Jain <harsh@chelsio.com>
+
+commit f5f7bebc91ab378dea5aad5277c4d283e46472d9 upstream.
+
+Ensure dev is allocated for crypto uld context before using the device
+for crypto operations.
+
+Signed-off-by: Atul Gupta <atul.gupta@chelsio.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/chelsio/chcr_core.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/drivers/crypto/chelsio/chcr_core.c
++++ b/drivers/crypto/chelsio/chcr_core.c
+@@ -51,6 +51,7 @@ static struct cxgb4_uld_info chcr_uld_in
+ int assign_chcr_device(struct chcr_dev **dev)
+ {
+ struct uld_ctx *u_ctx;
++ int ret = -ENXIO;
+
+ /*
+ * Which device to use if multiple devices are available TODO
+@@ -58,15 +59,14 @@ int assign_chcr_device(struct chcr_dev *
+ * must go to the same device to maintain the ordering.
+ */
+ mutex_lock(&dev_mutex); /* TODO ? */
+- u_ctx = list_first_entry(&uld_ctx_list, struct uld_ctx, entry);
+- if (!u_ctx) {
+- mutex_unlock(&dev_mutex);
+- return -ENXIO;
++ list_for_each_entry(u_ctx, &uld_ctx_list, entry)
++ if (u_ctx && u_ctx->dev) {
++ *dev = u_ctx->dev;
++ ret = 0;
++ break;
+ }
+-
+- *dev = u_ctx->dev;
+ mutex_unlock(&dev_mutex);
+- return 0;
++ return ret;
+ }
+
+ static int chcr_dev_add(struct uld_ctx *u_ctx)
+@@ -203,10 +203,8 @@ static int chcr_uld_state_change(void *h
+
+ static int __init chcr_crypto_init(void)
+ {
+- if (cxgb4_register_uld(CXGB4_ULD_CRYPTO, &chcr_uld_info)) {
++ if (cxgb4_register_uld(CXGB4_ULD_CRYPTO, &chcr_uld_info))
+ pr_err("ULD register fail: No chcr crypto support in cxgb4");
+- return -1;
+- }
+
+ return 0;
+ }
--- /dev/null
+From 3484ecbe0e9deb94afb0b9b6172d77e98eb72b94 Mon Sep 17 00:00:00 2001
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Date: Thu, 22 Dec 2016 15:00:12 +0000
+Subject: crypto: qat - fix bar discovery for c62x
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+commit 3484ecbe0e9deb94afb0b9b6172d77e98eb72b94 upstream.
+
+Some accelerators of the c62x series have only two bars.
+This patch skips BAR0 if the accelerator does not have it.
+
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/qat/qat_c62x/adf_drv.c | 2 +-
+ drivers/crypto/qat/qat_common/adf_accel_devices.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/crypto/qat/qat_c62x/adf_drv.c
++++ b/drivers/crypto/qat/qat_c62x/adf_drv.c
+@@ -233,7 +233,7 @@ static int adf_probe(struct pci_dev *pde
+ &hw_data->accel_capabilities_mask);
+
+ /* Find and map all the device's BARS */
+- i = 0;
++ i = (hw_data->fuses & ADF_DEVICE_FUSECTL_MASK) ? 1 : 0;
+ bar_mask = pci_select_bars(pdev, IORESOURCE_MEM);
+ for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask,
+ ADF_PCI_MAX_BARS * 2) {
+--- a/drivers/crypto/qat/qat_common/adf_accel_devices.h
++++ b/drivers/crypto/qat/qat_common/adf_accel_devices.h
+@@ -69,6 +69,7 @@
+ #define ADF_ERRSOU5 (0x3A000 + 0xD8)
+ #define ADF_DEVICE_FUSECTL_OFFSET 0x40
+ #define ADF_DEVICE_LEGFUSE_OFFSET 0x4C
++#define ADF_DEVICE_FUSECTL_MASK 0x80000000
+ #define ADF_PCI_MAX_BARS 3
+ #define ADF_DEVICE_NAME_LENGTH 32
+ #define ADF_ETR_MAX_RINGS_PER_BANK 16
--- /dev/null
+From 685ce0626840e2673fe64ea8807684f7324fec5f Mon Sep 17 00:00:00 2001
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Date: Thu, 22 Dec 2016 15:00:24 +0000
+Subject: crypto: qat - zero esram only for DH85x devices
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+commit 685ce0626840e2673fe64ea8807684f7324fec5f upstream.
+
+Zero embedded ram in DH85x devices. This is not
+needed for newer generations as it is done by HW.
+
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/qat/qat_common/qat_hal.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/qat/qat_common/qat_hal.c
++++ b/drivers/crypto/qat/qat_common/qat_hal.c
+@@ -456,7 +456,7 @@ static int qat_hal_init_esram(struct icp
+ unsigned int csr_val;
+ int times = 30;
+
+- if (handle->pci_dev->device == ADF_C3XXX_PCI_DEVICE_ID)
++ if (handle->pci_dev->device != ADF_DH895XCC_PCI_DEVICE_ID)
+ return 0;
+
+ csr_val = ADF_CSR_RD(csr_addr, 0);
+@@ -716,7 +716,7 @@ int qat_hal_init(struct adf_accel_dev *a
+ (void __iomem *)((uintptr_t)handle->hal_cap_ae_xfer_csr_addr_v +
+ LOCAL_TO_XFER_REG_OFFSET);
+ handle->pci_dev = pci_info->pci_dev;
+- if (handle->pci_dev->device != ADF_C3XXX_PCI_DEVICE_ID) {
++ if (handle->pci_dev->device == ADF_DH895XCC_PCI_DEVICE_ID) {
+ sram_bar =
+ &pci_info->pci_bars[hw_data->get_sram_bar_id(hw_data)];
+ handle->hal_sram_addr_v = sram_bar->virt_addr;
--- /dev/null
+From 4087a1fffe38106e10646606a27f10d40451862d Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Wed, 25 Jan 2017 16:24:52 +0100
+Subject: dm rq: cope with DM device destruction while in dm_old_request_fn()
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit 4087a1fffe38106e10646606a27f10d40451862d upstream.
+
+Fixes a crash in dm_table_find_target() due to a NULL struct dm_table
+being passed from dm_old_request_fn() that races with DM device
+destruction.
+
+Reported-by: artem@flashgrid.io
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-rq.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/md/dm-rq.c
++++ b/drivers/md/dm-rq.c
+@@ -804,6 +804,10 @@ static void dm_old_request_fn(struct req
+ int srcu_idx;
+ struct dm_table *map = dm_get_live_table(md, &srcu_idx);
+
++ if (unlikely(!map)) {
++ dm_put_live_table(md, srcu_idx);
++ return;
++ }
+ ti = dm_table_find_target(map, pos);
+ dm_put_live_table(md, srcu_idx);
+ }
--- /dev/null
+From 601bbbe0517303c9f8eb3d75e11d64efed1293c9 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Tue, 31 Jan 2017 14:56:43 -0800
+Subject: Input: uinput - fix crash when mixing old and new init style
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 601bbbe0517303c9f8eb3d75e11d64efed1293c9 upstream.
+
+If user tries to initialize uinput device mixing old and new style
+initialization (i.e. using old UI_SET_ABSBIT instead of UI_ABS_SETUP,
+we forget to allocate input->absinfo and will crash when trying to send
+absolute events:
+
+ ioctl(ui, UI_DEV_SETUP, &us);
+ ioctl(ui, UI_SET_PHYS, "Test");
+
+ ioctl(ui, UI_SET_EVBIT, EV_ABS);
+ ioctl(ui, UI_SET_ABSBIT, ABS_X);
+ ioctl(ui, UI_SET_ABSBIT, ABS_Y);
+ ioctl(ui, UI_DEV_CREATE, 0);
+
+Reported-by: Rodrigo Rivas Costa <rodrigorivascosta@gmail.com>
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=191811
+Fixes: fbae10db0940 ("Input: uinput - rework ABS validation")
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/uinput.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -263,13 +263,21 @@ static int uinput_create_device(struct u
+ return -EINVAL;
+ }
+
+- if (test_bit(ABS_MT_SLOT, dev->absbit)) {
+- nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1;
+- error = input_mt_init_slots(dev, nslot, 0);
+- if (error)
++ if (test_bit(EV_ABS, dev->evbit)) {
++ input_alloc_absinfo(dev);
++ if (!dev->absinfo) {
++ error = -EINVAL;
+ goto fail1;
+- } else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) {
+- input_set_events_per_packet(dev, 60);
++ }
++
++ if (test_bit(ABS_MT_SLOT, dev->absbit)) {
++ nslot = input_abs_get_max(dev, ABS_MT_SLOT) + 1;
++ error = input_mt_init_slots(dev, nslot, 0);
++ if (error)
++ goto fail1;
++ } else if (test_bit(ABS_MT_POSITION_X, dev->absbit)) {
++ input_set_events_per_packet(dev, 60);
++ }
+ }
+
+ if (test_bit(EV_FF, dev->evbit) && !udev->ff_effects_max) {
--- /dev/null
+From 9d032f4201d39e5cf43a8709a047e481f5723fdc Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Wed, 25 Jan 2017 00:54:07 +0530
+Subject: libnvdimm, namespace: do not delete namespace-id 0
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 9d032f4201d39e5cf43a8709a047e481f5723fdc upstream.
+
+Given that the naming of pmem devices changes from the pmemX form to the
+pmemX.Y form when namespace id is greater than 0, arrange for namespaces
+with id-0 to be exempt from deletion. Otherwise a simple reconfiguration
+of an existing namespace to a new mode results in a name change of the
+resulting block device:
+
+ # ndctl list --namespace=namespace1.0
+ {
+ "dev":"namespace1.0",
+ "mode":"raw",
+ "size":2147483648,
+ "uuid":"3dadf3dc-89b9-4b24-b20e-abc8a4707ce3",
+ "blockdev":"pmem1"
+ }
+
+ # ndctl create-namespace --reconfig=namespace1.0 --mode=memory --force
+ {
+ "dev":"namespace1.1",
+ "mode":"memory",
+ "size":2111832064,
+ "uuid":"7b4a6341-7318-4219-a02c-fb57c0bbf613",
+ "blockdev":"pmem1.1"
+ }
+
+This change does require tooling changes to explicitly look for
+namespaceX.0 if the seed has already advanced to another namespace.
+
+Fixes: 98a29c39dc68 ("libnvdimm, namespace: allow creation of multiple pmem-namespaces per region")
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/namespace_devs.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/nvdimm/namespace_devs.c
++++ b/drivers/nvdimm/namespace_devs.c
+@@ -962,8 +962,8 @@ static ssize_t __size_store(struct devic
+ struct nvdimm_drvdata *ndd;
+ struct nd_label_id label_id;
+ u32 flags = 0, remainder;
++ int rc, i, id = -1;
+ u8 *uuid = NULL;
+- int rc, i;
+
+ if (dev->driver || ndns->claim)
+ return -EBUSY;
+@@ -972,11 +972,13 @@ static ssize_t __size_store(struct devic
+ struct nd_namespace_pmem *nspm = to_nd_namespace_pmem(dev);
+
+ uuid = nspm->uuid;
++ id = nspm->id;
+ } else if (is_namespace_blk(dev)) {
+ struct nd_namespace_blk *nsblk = to_nd_namespace_blk(dev);
+
+ uuid = nsblk->uuid;
+ flags = NSLABEL_FLAG_LOCAL;
++ id = nsblk->id;
+ }
+
+ /*
+@@ -1039,10 +1041,11 @@ static ssize_t __size_store(struct devic
+
+ /*
+ * Try to delete the namespace if we deleted all of its
+- * allocation, this is not the seed device for the region, and
+- * it is not actively claimed by a btt instance.
++ * allocation, this is not the seed or 0th device for the
++ * region, and it is not actively claimed by a btt, pfn, or dax
++ * instance.
+ */
+- if (val == 0 && nd_region->ns_seed != dev && !ndns->claim)
++ if (val == 0 && id != 0 && nd_region->ns_seed != dev && !ndns->claim)
+ nd_device_unregister(dev, ND_ASYNC);
+
+ return rc;
--- /dev/null
+From bfb34527a32a1a576d9bfb7026d3ab0369a6cd60 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Sat, 4 Feb 2017 14:47:31 -0800
+Subject: libnvdimm, pfn: fix memmap reservation size versus 4K alignment
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit bfb34527a32a1a576d9bfb7026d3ab0369a6cd60 upstream.
+
+When vmemmap_populate() allocates space for the memmap it does so in 2MB
+sized chunks. The libnvdimm-pfn driver incorrectly accounts for this
+when the alignment of the device is set to 4K. When this happens we
+trigger memory allocation failures in altmap_alloc_block_buf() and
+trigger warnings of the form:
+
+ WARNING: CPU: 0 PID: 3376 at arch/x86/mm/init_64.c:656 arch_add_memory+0xe4/0xf0
+ [..]
+ Call Trace:
+ dump_stack+0x86/0xc3
+ __warn+0xcb/0xf0
+ warn_slowpath_null+0x1d/0x20
+ arch_add_memory+0xe4/0xf0
+ devm_memremap_pages+0x29b/0x4e0
+
+Fixes: 315c562536c4 ("libnvdimm, pfn: add 'align' attribute, default to HPAGE_SIZE")
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/pfn_devs.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/nvdimm/pfn_devs.c
++++ b/drivers/nvdimm/pfn_devs.c
+@@ -627,15 +627,12 @@ static int nd_pfn_init(struct nd_pfn *nd
+ size = resource_size(&nsio->res);
+ npfns = (size - start_pad - end_trunc - SZ_8K) / SZ_4K;
+ if (nd_pfn->mode == PFN_MODE_PMEM) {
+- unsigned long memmap_size;
+-
+ /*
+ * vmemmap_populate_hugepages() allocates the memmap array in
+ * HPAGE_SIZE chunks.
+ */
+- memmap_size = ALIGN(64 * npfns, HPAGE_SIZE);
+- offset = ALIGN(start + SZ_8K + memmap_size + dax_label_reserve,
+- nd_pfn->align) - start;
++ offset = ALIGN(start + SZ_8K + 64 * npfns + dax_label_reserve,
++ max(nd_pfn->align, HPAGE_SIZE)) - start;
+ } else if (nd_pfn->mode == PFN_MODE_RAM)
+ offset = ALIGN(start + SZ_8K + dax_label_reserve,
+ nd_pfn->align) - start;
--- /dev/null
+From 0c461cb727d146c9ef2d3e86214f498b78b7d125 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds@tycho.nsa.gov>
+Date: Tue, 31 Jan 2017 11:54:04 -0500
+Subject: selinux: fix off-by-one in setprocattr
+
+From: Stephen Smalley <sds@tycho.nsa.gov>
+
+commit 0c461cb727d146c9ef2d3e86214f498b78b7d125 upstream.
+
+SELinux tries to support setting/clearing of /proc/pid/attr attributes
+from the shell by ignoring terminating newlines and treating an
+attribute value that begins with a NUL or newline as an attempt to
+clear the attribute. However, the test for clearing attributes has
+always been wrong; it has an off-by-one error, and this could further
+lead to reading past the end of the allocated buffer since commit
+bb646cdb12e75d82258c2f2e7746d5952d3e321a ("proc_pid_attr_write():
+switch to memdup_user()"). Fix the off-by-one error.
+
+Even with this fix, setting and clearing /proc/pid/attr attributes
+from the shell is not straightforward since the interface does not
+support multiple write() calls (so shells that write the value and
+newline separately will set and then immediately clear the attribute,
+requiring use of echo -n to set the attribute), whereas trying to use
+echo -n "" to clear the attribute causes the shell to skip the
+write() call altogether since POSIX says that a zero-length write
+causes no side effects. Thus, one must use echo -n to set and echo
+without -n to clear, as in the following example:
+$ echo -n unconfined_u:object_r:user_home_t:s0 > /proc/$$/attr/fscreate
+$ cat /proc/$$/attr/fscreate
+unconfined_u:object_r:user_home_t:s0
+$ echo "" > /proc/$$/attr/fscreate
+$ cat /proc/$$/attr/fscreate
+
+Note the use of /proc/$$ rather than /proc/self, as otherwise
+the cat command will read its own attribute value, not that of the shell.
+
+There are no users of this facility to my knowledge; possibly we
+should just get rid of it.
+
+UPDATE: Upon further investigation it appears that a local process
+with the process:setfscreate permission can cause a kernel panic as a
+result of this bug. This patch fixes CVE-2017-2618.
+
+Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
+[PM: added the update about CVE-2017-2618 to the commit description]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+
+---
+ security/selinux/hooks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -5858,7 +5858,7 @@ static int selinux_setprocattr(struct ta
+ return error;
+
+ /* Obtain a SID for the context, if one was specified. */
+- if (size && str[1] && str[1] != '\n') {
++ if (size && str[0] && str[0] != '\n') {
+ if (str[size-1] == '\n') {
+ str[size-1] = 0;
+ size--;
projects / thirdparty / kernel / stable-queue.git / commitdiff
