--- /dev/null
+From 4a9bfafc64f44ef83de4e00ca1b57352af6cd8c2 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Sun, 11 Jun 2017 16:08:21 +0900
+Subject: ALSA: firewire-lib: Fix stall of process context at packet error
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 4a9bfafc64f44ef83de4e00ca1b57352af6cd8c2 upstream.
+
+At Linux v3.5, packet processing can be done in process context of ALSA
+PCM application as well as software IRQ context for OHCI 1394. Below is
+an example of the callgraph (some calls are omitted).
+
+ioctl(2) with e.g. HWSYNC
+(sound/core/pcm_native.c)
+->snd_pcm_common_ioctl1()
+ ->snd_pcm_hwsync()
+ ->snd_pcm_stream_lock_irq
+ (sound/core/pcm_lib.c)
+ ->snd_pcm_update_hw_ptr()
+ ->snd_pcm_udpate_hw_ptr0()
+ ->struct snd_pcm_ops.pointer()
+ (sound/firewire/*)
+ = Each handler on drivers in ALSA firewire stack
+ (sound/firewire/amdtp-stream.c)
+ ->amdtp_stream_pcm_pointer()
+ (drivers/firewire/core-iso.c)
+ ->fw_iso_context_flush_completions()
+ ->struct fw_card_driver.flush_iso_completion()
+ (drivers/firewire/ohci.c)
+ = flush_iso_completions()
+ ->struct fw_iso_context.callback.sc
+ (sound/firewire/amdtp-stream.c)
+ = in_stream_callback() or out_stream_callback()
+ ->...
+ ->snd_pcm_stream_unlock_irq
+
+When packet queueing error occurs or detecting invalid packets in
+'in_stream_callback()' or 'out_stream_callback()', 'snd_pcm_stop_xrun()'
+is called on local CPU with disabled IRQ.
+
+(sound/firewire/amdtp-stream.c)
+in_stream_callback() or out_stream_callback()
+->amdtp_stream_pcm_abort()
+ ->snd_pcm_stop_xrun()
+ ->snd_pcm_stream_lock_irqsave()
+ ->snd_pcm_stop()
+ ->snd_pcm_stream_unlock_irqrestore()
+
+The process is stalled on the CPU due to attempt to acquire recursive lock.
+
+[ 562.630853] INFO: rcu_sched detected stalls on CPUs/tasks:
+[ 562.630861] 2-...: (1 GPs behind) idle=37d/140000000000000/0 softirq=38323/38323 fqs=7140
+[ 562.630862] (detected by 3, t=15002 jiffies, g=21036, c=21035, q=5933)
+[ 562.630866] Task dump for CPU 2:
+[ 562.630867] alsa-source-OXF R running task 0 6619 1 0x00000008
+[ 562.630870] Call Trace:
+[ 562.630876] ? vt_console_print+0x79/0x3e0
+[ 562.630880] ? msg_print_text+0x9d/0x100
+[ 562.630883] ? up+0x32/0x50
+[ 562.630885] ? irq_work_queue+0x8d/0xa0
+[ 562.630886] ? console_unlock+0x2b6/0x4b0
+[ 562.630888] ? vprintk_emit+0x312/0x4a0
+[ 562.630892] ? dev_vprintk_emit+0xbf/0x230
+[ 562.630895] ? do_sys_poll+0x37a/0x550
+[ 562.630897] ? dev_printk_emit+0x4e/0x70
+[ 562.630900] ? __dev_printk+0x3c/0x80
+[ 562.630903] ? _raw_spin_lock+0x20/0x30
+[ 562.630909] ? snd_pcm_stream_lock+0x31/0x50 [snd_pcm]
+[ 562.630914] ? _snd_pcm_stream_lock_irqsave+0x2e/0x40 [snd_pcm]
+[ 562.630918] ? snd_pcm_stop_xrun+0x16/0x70 [snd_pcm]
+[ 562.630922] ? in_stream_callback+0x3e6/0x450 [snd_firewire_lib]
+[ 562.630925] ? handle_ir_packet_per_buffer+0x8e/0x1a0 [firewire_ohci]
+[ 562.630928] ? ohci_flush_iso_completions+0xa3/0x130 [firewire_ohci]
+[ 562.630932] ? fw_iso_context_flush_completions+0x15/0x20 [firewire_core]
+[ 562.630935] ? amdtp_stream_pcm_pointer+0x2d/0x40 [snd_firewire_lib]
+[ 562.630938] ? pcm_capture_pointer+0x19/0x20 [snd_oxfw]
+[ 562.630943] ? snd_pcm_update_hw_ptr0+0x47/0x3d0 [snd_pcm]
+[ 562.630945] ? poll_select_copy_remaining+0x150/0x150
+[ 562.630947] ? poll_select_copy_remaining+0x150/0x150
+[ 562.630952] ? snd_pcm_update_hw_ptr+0x10/0x20 [snd_pcm]
+[ 562.630956] ? snd_pcm_hwsync+0x45/0xb0 [snd_pcm]
+[ 562.630960] ? snd_pcm_common_ioctl1+0x1ff/0xc90 [snd_pcm]
+[ 562.630962] ? futex_wake+0x90/0x170
+[ 562.630966] ? snd_pcm_capture_ioctl1+0x136/0x260 [snd_pcm]
+[ 562.630970] ? snd_pcm_capture_ioctl+0x27/0x40 [snd_pcm]
+[ 562.630972] ? do_vfs_ioctl+0xa3/0x610
+[ 562.630974] ? vfs_read+0x11b/0x130
+[ 562.630976] ? SyS_ioctl+0x79/0x90
+[ 562.630978] ? entry_SYSCALL_64_fastpath+0x1e/0xad
+
+This commit fixes the above bug. This assumes two cases:
+1. Any error is detected in software IRQ context of OHCI 1394 context.
+In this case, PCM substream should be aborted in packet handler. On the
+other hand, it should not be done in any process context. To distinguish
+these two contexts, use 'in_interrupt()' macro.
+2. Any error is detected in process context of ALSA PCM application.
+In this case, PCM substream should not be aborted in packet handler
+because PCM substream lock is acquired. The task to abort PCM substream
+should be done in ALSA PCM core. For this purpose, SNDRV_PCM_POS_XRUN is
+returned at 'struct snd_pcm_ops.pointer()'.
+
+Suggested-by: Clemens Ladisch <clemens@ladisch.de>
+Fixes: e9148dddc3c7("ALSA: firewire-lib: flush completed packets when reading PCM position")
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/amdtp-stream.c | 8 ++++++--
+ sound/firewire/amdtp-stream.h | 2 +-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/sound/firewire/amdtp-stream.c
++++ b/sound/firewire/amdtp-stream.c
+@@ -606,7 +606,9 @@ static void out_stream_callback(struct f
+ cycle = increment_cycle_count(cycle, 1);
+ if (handle_out_packet(s, cycle, i) < 0) {
+ s->packet_index = -1;
+- amdtp_stream_pcm_abort(s);
++ if (in_interrupt())
++ amdtp_stream_pcm_abort(s);
++ WRITE_ONCE(s->pcm_buffer_pointer, SNDRV_PCM_POS_XRUN);
+ return;
+ }
+ }
+@@ -658,7 +660,9 @@ static void in_stream_callback(struct fw
+ /* Queueing error or detecting invalid payload. */
+ if (i < packets) {
+ s->packet_index = -1;
+- amdtp_stream_pcm_abort(s);
++ if (in_interrupt())
++ amdtp_stream_pcm_abort(s);
++ WRITE_ONCE(s->pcm_buffer_pointer, SNDRV_PCM_POS_XRUN);
+ return;
+ }
+
+--- a/sound/firewire/amdtp-stream.h
++++ b/sound/firewire/amdtp-stream.h
+@@ -124,7 +124,7 @@ struct amdtp_stream {
+ /* For a PCM substream processing. */
+ struct snd_pcm_substream *pcm;
+ struct tasklet_struct period_tasklet;
+- unsigned int pcm_buffer_pointer;
++ snd_pcm_uframes_t pcm_buffer_pointer;
+ unsigned int pcm_period_pointer;
+
+ /* To wait for first packet. */
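Review bot: The three-line error sequence added in both out_stream_callback and in_stream_callback (`s->packet_index = -1; if (in_interrupt()) amdtp_stream_pcm_abort(s); WRITE_ONCE(s->pcm_buffer_pointer, SNDRV_PCM_POS_XRUN);`) is duplicated verbatim, and a small static helper holding it would keep the two paths from drifting apart. The widening of `pcm_buffer_pointer` to `snd_pcm_uframes_t` in amdtp-stream.h is what lets the XRUN sentinel fit, but the reader of that field in amdtp_stream_pcm_pointer() is outside the hunks, so confirm it returns the value unchanged rather than masking or converting it. A one-line comment above the `in_interrupt()` test, `/* in process context the PCM stream lock is already held by our caller; let the PCM core abort via the XRUN position instead */`, would spare the next reader a trip to the commit log. Both callbacks' bodies continue outside the hunks.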
--- /dev/null
+From 2deaeaf102d692cb6f764123b1df7aa118a8e97c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 14 Jun 2017 16:20:32 +0200
+Subject: ALSA: pcm: Don't treat NULL chmap as a fatal error
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 2deaeaf102d692cb6f764123b1df7aa118a8e97c upstream.
+
+The standard PCM chmap helper callbacks treat the NULL info->chmap as
+a fatal error and spews the kernel warning with stack trace when
+CONFIG_SND_DEBUG is on. This was OK, originally it was supposed to be
+always static and non-NULL. But, as the recent addition of Intel LPE
+audio driver shows, the chmap content may vary dynamically, and it can
+be even NULL when disconnected. The user still sees the kernel
+warning unnecessarily.
+
+For clearing such a confusion, this patch simply removes the
+snd_BUG_ON() in each place, just returns an error without warning.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_lib.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -2491,7 +2491,7 @@ static int pcm_chmap_ctl_get(struct snd_
+ struct snd_pcm_substream *substream;
+ const struct snd_pcm_chmap_elem *map;
+
+- if (snd_BUG_ON(!info->chmap))
++ if (!info->chmap)
+ return -EINVAL;
+ substream = snd_pcm_chmap_substream(info, idx);
+ if (!substream)
+@@ -2523,7 +2523,7 @@ static int pcm_chmap_ctl_tlv(struct snd_
+ unsigned int __user *dst;
+ int c, count = 0;
+
+- if (snd_BUG_ON(!info->chmap))
++ if (!info->chmap)
+ return -EINVAL;
+ if (size < 8)
+ return -ENOMEM;
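Review bot: The new bare `if (!info->chmap) return -EINVAL;` in pcm_chmap_ctl_get and pcm_chmap_ctl_tlv no longer carries any hint of why a NULL map is expected, so the next maintainer is likely to put the snd_BUG_ON() back. A short comment at the first of the two checks, `/* chmap may legitimately be NULL, e.g. a dynamic map of a disconnected device */`, would record the rationale given in the description. Both functions' bodies continue outside the hunks.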
--- /dev/null
+From 9fa4eb8e490a28de40964b1b0e583d8db4c7e57c Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 23 Jun 2017 15:08:43 -0700
+Subject: autofs: sanity check status reported with AUTOFS_DEV_IOCTL_FAIL
+
+From: NeilBrown <neilb@suse.com>
+
+commit 9fa4eb8e490a28de40964b1b0e583d8db4c7e57c upstream.
+
+If a positive status is passed with the AUTOFS_DEV_IOCTL_FAIL ioctl,
+autofs4_d_automount() will return
+
+ ERR_PTR(status)
+
+with that status to follow_automount(), which will then dereference an
+invalid pointer.
+
+So treat a positive status the same as zero, and map to ENOENT.
+
+See comment in systemd src/core/automount.c::automount_send_ready().
+
+Link: http://lkml.kernel.org/r/871sqwczx5.fsf@notabene.neil.brown.name
+Signed-off-by: NeilBrown <neilb@suse.com>
+Cc: Ian Kent <raven@themaw.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/autofs4/dev-ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/autofs4/dev-ioctl.c
++++ b/fs/autofs4/dev-ioctl.c
+@@ -345,7 +345,7 @@ static int autofs_dev_ioctl_fail(struct
+ int status;
+
+ token = (autofs_wqt_t) param->fail.token;
+- status = param->fail.status ? param->fail.status : -ENOENT;
++ status = param->fail.status < 0 ? param->fail.status : -ENOENT;
+ return autofs4_wait_release(sbi, token, status);
+ }
+
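Review bot: The new `status = param->fail.status < 0 ? param->fail.status : -ENOENT;` in autofs_dev_ioctl_fail still accepts any negative value from userspace, and if that value reaches `ERR_PTR(status)` unchanged as the description indicates, a status below `-MAX_ERRNO` would not be recognised by IS_ERR() in the caller and the same invalid-pointer dereference would remain reachable. Bounding the accepted range as well, `status = (param->fail.status < 0 && param->fail.status >= -MAX_ERRNO) ? param->fail.status : -ENOENT;`, closes that gap. Whether autofs4_wait_release() already clamps the value cannot be seen from this hunk.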
--- /dev/null
+From dcd87838c06f05ab7650b249ebf0d5b57ae63e1e Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Tue, 6 Jun 2017 16:58:58 -0700
+Subject: CIFS: Improve readdir verbosity
+
+From: Pavel Shilovsky <pshilov@microsoft.com>
+
+commit dcd87838c06f05ab7650b249ebf0d5b57ae63e1e upstream.
+
+Downgrade the loglevel for SMB2 to prevent filling the log
+with messages if e.g. readdir was interrupted. Also make SMB2
+and SMB1 codepaths do the same logging during readdir.
+
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb1ops.c | 9 +++++++--
+ fs/cifs/smb2ops.c | 4 ++--
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/cifs/smb1ops.c
++++ b/fs/cifs/smb1ops.c
+@@ -849,8 +849,13 @@ cifs_query_dir_first(const unsigned int
+ struct cifs_fid *fid, __u16 search_flags,
+ struct cifs_search_info *srch_inf)
+ {
+- return CIFSFindFirst(xid, tcon, path, cifs_sb,
+- &fid->netfid, search_flags, srch_inf, true);
++ int rc;
++
++ rc = CIFSFindFirst(xid, tcon, path, cifs_sb,
++ &fid->netfid, search_flags, srch_inf, true);
++ if (rc)
++ cifs_dbg(FYI, "find first failed=%d\n", rc);
++ return rc;
+ }
+
+ static int
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -964,7 +964,7 @@ smb2_query_dir_first(const unsigned int
+ rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL);
+ kfree(utf16_path);
+ if (rc) {
+- cifs_dbg(VFS, "open dir failed\n");
++ cifs_dbg(FYI, "open dir failed rc=%d\n", rc);
+ return rc;
+ }
+
+@@ -974,7 +974,7 @@ smb2_query_dir_first(const unsigned int
+ rc = SMB2_query_directory(xid, tcon, fid->persistent_fid,
+ fid->volatile_fid, 0, srch_inf);
+ if (rc) {
+- cifs_dbg(VFS, "query directory failed\n");
++ cifs_dbg(FYI, "query directory failed rc=%d\n", rc);
+ SMB2_close(xid, tcon, fid->persistent_fid, fid->volatile_fid);
+ }
+ return rc;
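Review bot: The new SMB1 and SMB2 messages in this patch word the same condition differently — `"find first failed=%d\n"` in cifs_query_dir_first versus `"open dir failed rc=%d\n"` and `"query directory failed rc=%d\n"` in smb2_query_dir_first — although the description's stated goal is identical logging on both paths; `cifs_dbg(FYI, "find first failed rc=%d\n", rc);` would align them. In cifs_query_dir_first the separate `int rc;` and assignment could also be collapsed into `int rc = CIFSFindFirst(...)`, matching declare-at-first-use style. smb2_query_dir_first continues outside both of its hunks.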
--- /dev/null
+From 38b8f823864707eb1cf331d2247608c419ed388c Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Wed, 3 May 2017 11:13:46 +0800
+Subject: clk: sunxi-ng: a31: Correct lcd1-ch1 clock register offset
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+commit 38b8f823864707eb1cf331d2247608c419ed388c upstream.
+
+The register offset for the lcd1-ch1 clock was incorrectly pointing to
+the lcd0-ch1 clock. This resulted in the lcd0-ch1 clock being disabled
+when the clk core disables unused clocks. This then stops the simplefb
+HDMI output path.
+
+Reported-by: Bob Ham <rah@settrans.net>
+Fixes: c6e6c96d8fa6 ("clk: sunxi-ng: Add A31/A31s clocks")
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/sunxi-ng/ccu-sun6i-a31.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/sunxi-ng/ccu-sun6i-a31.c
++++ b/drivers/clk/sunxi-ng/ccu-sun6i-a31.c
+@@ -556,7 +556,7 @@ static SUNXI_CCU_M_WITH_MUX_GATE(lcd0_ch
+ 0x12c, 0, 4, 24, 3, BIT(31),
+ CLK_SET_RATE_PARENT);
+ static SUNXI_CCU_M_WITH_MUX_GATE(lcd1_ch1_clk, "lcd1-ch1", lcd_ch1_parents,
+- 0x12c, 0, 4, 24, 3, BIT(31),
++ 0x130, 0, 4, 24, 3, BIT(31),
+ CLK_SET_RATE_PARENT);
+
+ static const char * const csi_sclk_parents[] = { "pll-video0", "pll-video1",
--- /dev/null
+From dec6b33163d24e2c19ba521c89fffbaab53ae986 Mon Sep 17 00:00:00 2001
+From: Raju Rangoju <rajur@chelsio.com>
+Date: Mon, 19 Jun 2017 19:46:00 +0530
+Subject: cxgb4: notify uP to route ctrlq compl to rdma rspq
+
+From: Raju Rangoju <rajur@chelsio.com>
+
+commit dec6b33163d24e2c19ba521c89fffbaab53ae986 upstream.
+
+During the module initialisation there is a possible race
+(basically race between uld and lld) where neither the uld
+nor lld notifies the uP about where to route the ctrl queue
+completions. LLD skips notifying uP as the rdma queues were
+not created by then (will leave it to ULD to notify the uP).
+As the ULD comes up, it also skips notifying the uP as the
+flag FULL_INIT_DONE is not set yet (ULD assumes that the
+interface is not up yet).
+
+Consequently, this race between uld and lld leaves uP
+unnotified about where to send the ctrl queue completions
+to, leading to iwarp RI_RES WR failure.
+
+Here is the race:
+
+CPU 0 CPU1
+
+- allocates nic rx queues
+- t4_sge_alloc_ctrl_txq()
+(if rdma rsp queues exists,
+tell uP to route ctrl queue
+compl to rdma rspq)
+ - acquires the mutex_lock
+ - allocates rdma response queues
+ - if FULL_INIT_DONE set,
+ tell uP to route ctrl queue compl
+ to rdma rspq
+ - relinquishes mutex_lock
+- acquires the mutex_lock
+- enable_rx()
+- set FULL_INIT_DONE
+- relinquishes mutex_lock
+
+This patch fixes the above issue.
+
+Fixes: e7519f9926f1('cxgb4: avoid enabling napi twice to the same queue')
+Signed-off-by: Raju Rangoju <rajur@chelsio.com>
+Acked-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+@@ -2201,9 +2201,10 @@ static int cxgb_up(struct adapter *adap)
+ {
+ int err;
+
++ mutex_lock(&uld_mutex);
+ err = setup_sge_queues(adap);
+ if (err)
+- goto out;
++ goto rel_lock;
+ err = setup_rss(adap);
+ if (err)
+ goto freeq;
+@@ -2227,7 +2228,6 @@ static int cxgb_up(struct adapter *adap)
+ goto irq_err;
+ }
+
+- mutex_lock(&uld_mutex);
+ enable_rx(adap);
+ t4_sge_start(adap);
+ t4_intr_enable(adap);
+@@ -2240,13 +2240,15 @@ static int cxgb_up(struct adapter *adap)
+ #endif
+ /* Initialize hash mac addr list*/
+ INIT_LIST_HEAD(&adap->mac_hlist);
+- out:
+ return err;
++
+ irq_err:
+ dev_err(adap->pdev_dev, "request_irq failed, err %d\n", err);
+ freeq:
+ t4_free_sge_resources(adap);
+- goto out;
++ rel_lock:
++ mutex_unlock(&uld_mutex);
++ return err;
+ }
+
+ static void cxgb_down(struct adapter *adapter)
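Review bot: Moving `mutex_lock(&uld_mutex);` to the top of cxgb_up widens the critical section to cover setup_sge_queues() and setup_rss(), and the error paths now funnel through the new `rel_lock:` label, but the matching unlock on the success path is not visible — it must lie in the elided context between `t4_intr_enable(adap);` and the `#endif`, since the `return err;` after `INIT_LIST_HEAD` does not release the lock. Confirm that unlock is still there and that nothing after it can jump to `freeq`/`irq_err`, which would now unlock a second time. A one-line comment at the new lock site, `/* hold uld_mutex across queue setup so the ULD cannot race the ctrlq-routing notification */`, would capture the reason given in the description. cxgb_up's body continues between the hunks.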
--- /dev/null
+From 1eb643d02b21412e603b42cdd96010a2ac31c05f Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 23 Jun 2017 15:08:46 -0700
+Subject: fs/dax.c: fix inefficiency in dax_writeback_mapping_range()
+
+From: Jan Kara <jack@suse.cz>
+
+commit 1eb643d02b21412e603b42cdd96010a2ac31c05f upstream.
+
+dax_writeback_mapping_range() fails to update iteration index when
+searching radix tree for entries needing cache flushing. Thus each
+pagevec worth of entries is searched starting from the start which is
+inefficient and prone to livelocks. Update index properly.
+
+Link: http://lkml.kernel.org/r/20170619124531.21491-1-jack@suse.cz
+Fixes: 9973c98ecfda3 ("dax: add support for fsync/sync")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Ross Zwisler <ross.zwisler@linux.intel.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dax.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/dax.c
++++ b/fs/dax.c
+@@ -895,6 +895,7 @@ int dax_fault(struct vm_area_struct *vma
+ } else {
+ return dax_load_hole(mapping, entry, vmf);
+ }
++ start_index = indices[pvec.nr - 1] + 1;
+ }
+
+ /* Filesystem should not return unwritten buffers to us! */
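Review bot: The added `start_index = indices[pvec.nr - 1] + 1;` indexes with `pvec.nr - 1`, so it is only safe if the surrounding loop already breaks on `pvec.nr == 0` before reaching this line; that check lies outside the hunk and should be confirmed. The hunk header names dax_fault, but the code being patched is the pagevec loop of dax_writeback_mapping_range() described in the commit message, so the stale context line should not mislead reviewers. A short comment, `/* resume the radix-tree search after the last entry of this batch */`, would state the intent without requiring the Fixes reference.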
--- /dev/null
+From 98da7d08850fb8bdeb395d6368ed15753304aa0c Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 23 Jun 2017 15:08:57 -0700
+Subject: fs/exec.c: account for argv/envp pointers
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 98da7d08850fb8bdeb395d6368ed15753304aa0c upstream.
+
+When limiting the argv/envp strings during exec to 1/4 of the stack limit,
+the storage of the pointers to the strings was not included. This means
+that an exec with huge numbers of tiny strings could eat 1/4 of the stack
+limit in strings and then additional space would be later used by the
+pointers to the strings.
+
+For example, on 32-bit with a 8MB stack rlimit, an exec with 1677721
+single-byte strings would consume less than 2MB of stack, the max (8MB /
+4) amount allowed, but the pointers to the strings would consume the
+remaining additional stack space (1677721 * 4 == 6710884).
+
+The result (1677721 + 6710884 == 8388605) would exhaust stack space
+entirely. Controlling this stack exhaustion could result in
+pathological behavior in setuid binaries (CVE-2017-1000365).
+
+[akpm@linux-foundation.org: additional commenting from Kees]
+Fixes: b6a2fea39318 ("mm: variable length argument support")
+Link: http://lkml.kernel.org/r/20170622001720.GA32173@beast
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Acked-by: Rik van Riel <riel@redhat.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Qualys Security Advisory <qsa@qualys.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/exec.c | 28 ++++++++++++++++++++++++----
+ 1 file changed, 24 insertions(+), 4 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -215,8 +215,26 @@ static struct page *get_arg_page(struct
+
+ if (write) {
+ unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start;
++ unsigned long ptr_size;
+ struct rlimit *rlim;
+
++ /*
++ * Since the stack will hold pointers to the strings, we
++ * must account for them as well.
++ *
++ * The size calculation is the entire vma while each arg page is
++ * built, so each time we get here it's calculating how far it
++ * is currently (rather than each call being just the newly
++ * added size from the arg page). As a result, we need to
++ * always add the entire size of the pointers, so that on the
++ * last call to get_arg_page() we'll actually have the entire
++ * correct size.
++ */
++ ptr_size = (bprm->argc + bprm->envc) * sizeof(void *);
++ if (ptr_size > ULONG_MAX - size)
++ goto fail;
++ size += ptr_size;
++
+ acct_arg_size(bprm, size / PAGE_SIZE);
+
+ /*
+@@ -234,13 +252,15 @@ static struct page *get_arg_page(struct
+ * to work from.
+ */
+ rlim = current->signal->rlim;
+- if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) {
+- put_page(page);
+- return NULL;
+- }
++ if (size > READ_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4)
++ goto fail;
+ }
+
+ return page;
++
++fail:
++ put_page(page);
++ return NULL;
+ }
+
+ static void put_arg_page(struct page *page)
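Review bot: In the new `ptr_size = (bprm->argc + bprm->envc) * sizeof(void *);` the two counts are added before widening, so with `argc` and `envc` declared `int` in struct linux_binprm the sum itself can overflow as a signed int before the multiplication by `sizeof(void *)` promotes it, and the `ULONG_MAX - size` check on the next line does not catch that. Performing the addition in the wider type, `ptr_size = ((unsigned long)bprm->argc + bprm->envc) * sizeof(void *);`, keeps the subsequent overflow check meaningful. Whether count() already bounds each of argc and envc well below INT_MAX/2 cannot be seen from this hunk. get_arg_page's body continues outside the hunks.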
--- /dev/null
+From 3db28271f0feae129262d30e41384a7c4c767987 Mon Sep 17 00:00:00 2001
+From: Sebastian Parschauer <sparschauer@suse.de>
+Date: Tue, 6 Jun 2017 13:53:13 +0200
+Subject: HID: Add quirk for Dell PIXART OEM mouse
+
+From: Sebastian Parschauer <sparschauer@suse.de>
+
+commit 3db28271f0feae129262d30e41384a7c4c767987 upstream.
+
+This mouse is also known under other IDs. It needs the quirk
+ALWAYS_POLL or will disconnect in runlevel 1 or 3.
+
+Signed-off-by: Sebastian Parschauer <sparschauer@suse.de>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/hid/usbhid/hid-quirks.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -311,6 +311,9 @@
+ #define USB_VENDOR_ID_DELCOM 0x0fc5
+ #define USB_DEVICE_ID_DELCOM_VISUAL_IND 0xb080
+
++#define USB_VENDOR_ID_DELL 0x413c
++#define USB_DEVICE_ID_DELL_PIXART_USB_OPTICAL_MOUSE 0x301a
++
+ #define USB_VENDOR_ID_DELORME 0x1163
+ #define USB_DEVICE_ID_DELORME_EARTHMATE 0x0100
+ #define USB_DEVICE_ID_DELORME_EM_LT20 0x0200
+--- a/drivers/hid/usbhid/hid-quirks.c
++++ b/drivers/hid/usbhid/hid-quirks.c
+@@ -81,6 +81,7 @@ static const struct hid_blacklist {
+ { USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_STRAFE, HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_CREATIVELABS, USB_DEVICE_ID_CREATIVE_SB_OMNI_SURROUND_51, HID_QUIRK_NOGET },
++ { USB_VENDOR_ID_DELL, USB_DEVICE_ID_DELL_PIXART_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_WIIU, HID_QUIRK_MULTI_INPUT },
+ { USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_PS3, HID_QUIRK_MULTI_INPUT },
--- /dev/null
+From ca8efa1df1d15a1795a2da57f9f6aada6ed6b946 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Tue, 6 Jun 2017 16:47:22 +1000
+Subject: KVM: PPC: Book3S HV: Context-switch EBB registers properly
+
+From: Paul Mackerras <paulus@ozlabs.org>
+
+commit ca8efa1df1d15a1795a2da57f9f6aada6ed6b946 upstream.
+
+This adds code to save the values of three SPRs (special-purpose
+registers) used by userspace to control event-based branches (EBBs),
+which are essentially interrupts that get delivered directly to
+userspace. These registers are loaded up with guest values when
+entering the guest, and their values are saved when exiting the
+guest, but we were not saving the host values and restoring them
+before going back to userspace.
+
+On POWER8 this would only affect userspace programs which explicitly
+request the use of EBBs and also use the KVM_RUN ioctl, since the
+only source of EBBs on POWER8 is the PMU, and there is an explicit
+enable bit in the PMU registers (and those PMU registers do get
+properly context-switched between host and guest). On POWER9 there
+is provision for externally-generated EBBs, and these are not subject
+to the control in the PMU registers.
+
+Since these registers only affect userspace, we can save them when
+we first come in from userspace and restore them before returning to
+userspace, rather than saving/restoring the host values on every
+guest entry/exit. Similarly, we don't need to worry about their
+values on offline secondary threads since they execute in the context
+of the idle task, which never executes in userspace.
+
+Fixes: b005255e12a3 ("KVM: PPC: Book3S HV: Context-switch new POWER8 SPRs", 2014-01-08)
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_hv.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -2807,6 +2807,7 @@ static int kvmppc_vcpu_run_hv(struct kvm
+ {
+ int r;
+ int srcu_idx;
++ unsigned long ebb_regs[3] = {}; /* shut up GCC */
+
+ if (!vcpu->arch.sane) {
+ run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+@@ -2855,6 +2856,13 @@ static int kvmppc_vcpu_run_hv(struct kvm
+
+ flush_all_to_thread(current);
+
++ /* Save userspace EBB register values */
++ if (cpu_has_feature(CPU_FTR_ARCH_207S)) {
++ ebb_regs[0] = mfspr(SPRN_EBBHR);
++ ebb_regs[1] = mfspr(SPRN_EBBRR);
++ ebb_regs[2] = mfspr(SPRN_BESCR);
++ }
++
+ vcpu->arch.wqp = &vcpu->arch.vcore->wq;
+ vcpu->arch.pgdir = current->mm->pgd;
+ vcpu->arch.state = KVMPPC_VCPU_BUSY_IN_HOST;
+@@ -2877,6 +2885,13 @@ static int kvmppc_vcpu_run_hv(struct kvm
+ r = kvmppc_xics_rm_complete(vcpu, 0);
+ } while (is_kvmppc_resume_guest(r));
+
++ /* Restore userspace EBB register values */
++ if (cpu_has_feature(CPU_FTR_ARCH_207S)) {
++ mtspr(SPRN_EBBHR, ebb_regs[0]);
++ mtspr(SPRN_EBBRR, ebb_regs[1]);
++ mtspr(SPRN_BESCR, ebb_regs[2]);
++ }
++
+ out:
+ vcpu->arch.state = KVMPPC_VCPU_NOTREADY;
+ atomic_dec(&vcpu->kvm->arch.vcpus_running);
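Review bot: The restore of `ebb_regs` in kvmppc_vcpu_run_hv is placed before the `out:` label, so any `goto out` taken between the save (after flush_all_to_thread) and the end of the resume loop would return to userspace with the guest's EBBHR/EBBRR/BESCR still loaded; that elided region is outside the hunks and should be checked, or the restore moved under `out:` and guarded by a saved flag. The initializer `unsigned long ebb_regs[3] = {}; /* shut up GCC */` would read better with a comment that states the contract, e.g. `/* host EBBHR/EBBRR/BESCR, saved only when CPU_FTR_ARCH_207S */`. kvmppc_vcpu_run_hv continues outside all three hunks.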
--- /dev/null
+From 46a704f8409f79fd66567ad3f8a7304830a84293 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Thu, 15 Jun 2017 16:10:27 +1000
+Subject: KVM: PPC: Book3S HV: Preserve userspace HTM state properly
+
+From: Paul Mackerras <paulus@ozlabs.org>
+
+commit 46a704f8409f79fd66567ad3f8a7304830a84293 upstream.
+
+If userspace attempts to call the KVM_RUN ioctl when it has hardware
+transactional memory (HTM) enabled, the values that it has put in the
+HTM-related SPRs TFHAR, TFIAR and TEXASR will get overwritten by
+guest values. To fix this, we detect this condition and save those
+SPR values in the thread struct, and disable HTM for the task. If
+userspace goes to access those SPRs or the HTM facility in future,
+a TM-unavailable interrupt will occur and the handler will reload
+those SPRs and re-enable HTM.
+
+If userspace has started a transaction and suspended it, we would
+currently lose the transactional state in the guest entry path and
+would almost certainly get a "TM Bad Thing" interrupt, which would
+cause the host to crash. To avoid this, we detect this case and
+return from the KVM_RUN ioctl with an EINVAL error, with the KVM
+exit reason set to KVM_EXIT_FAIL_ENTRY.
+
+Fixes: b005255e12a3 ("KVM: PPC: Book3S HV: Context-switch new POWER8 SPRs", 2014-01-08)
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_hv.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -2813,6 +2813,27 @@ static int kvmppc_vcpu_run_hv(struct kvm
+ return -EINVAL;
+ }
+
++ /*
++ * Don't allow entry with a suspended transaction, because
++ * the guest entry/exit code will lose it.
++ * If the guest has TM enabled, save away their TM-related SPRs
++ * (they will get restored by the TM unavailable interrupt).
++ */
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++ if (cpu_has_feature(CPU_FTR_TM) && current->thread.regs &&
++ (current->thread.regs->msr & MSR_TM)) {
++ if (MSR_TM_ACTIVE(current->thread.regs->msr)) {
++ run->exit_reason = KVM_EXIT_FAIL_ENTRY;
++ run->fail_entry.hardware_entry_failure_reason = 0;
++ return -EINVAL;
++ }
++ current->thread.tm_tfhar = mfspr(SPRN_TFHAR);
++ current->thread.tm_tfiar = mfspr(SPRN_TFIAR);
++ current->thread.tm_texasr = mfspr(SPRN_TEXASR);
++ current->thread.regs->msr &= ~MSR_TM;
++ }
++#endif
++
+ kvmppc_core_prepare_to_enter(vcpu);
+
+ /* No need to go into the guest when all we'll do is come back out */
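Review bot: The new `#ifdef CONFIG_PPC_TRANSACTIONAL_MEM` block is inlined into the body of kvmppc_vcpu_run_hv, mixing preprocessor conditionals with the function's control flow; hoisting it into a `static int` helper with an empty inline stub for the non-TM configuration would leave a single call site here and keep the early `return -EINVAL` path readable. The function continues outside the hunk.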
--- /dev/null
+From addb63c18a0d52a9ce2611d039f981f7b6148d2b Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Mon, 19 Jun 2017 08:02:28 +0200
+Subject: KVM: s390: gaccess: fix real-space designation asce handling for gmap shadows
+
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+
+commit addb63c18a0d52a9ce2611d039f981f7b6148d2b upstream.
+
+For real-space designation asces the asce origin part is only a token.
+The asce token origin must not be used to generate an effective
+address for storage references. This however is erroneously done
+within kvm_s390_shadow_tables().
+
+Furthermore within the same function the wrong parts of virtual
+addresses are used to generate a corresponding real address
+(e.g. the region second index is used as region first index).
+
+Both of the above can result in incorrect address translations. Only
+for real space designations with a token origin of zero and addresses
+below one megabyte the translation was correct.
+
+Furthermore replace a "!asce.r" statement with a "!*fake" statement to
+make it more obvious that a specific condition has nothing to do with
+the architecture, but with the fake handling of real space designations.
+
+Fixes: 3218f7094b6b ("s390/mm: support real-space for gmap shadows")
+Cc: David Hildenbrand <david@redhat.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Reviewed-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/gaccess.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+--- a/arch/s390/kvm/gaccess.c
++++ b/arch/s390/kvm/gaccess.c
+@@ -972,11 +972,12 @@ static int kvm_s390_shadow_tables(struct
+ ptr = asce.origin * 4096;
+ if (asce.r) {
+ *fake = 1;
++ ptr = 0;
+ asce.dt = ASCE_TYPE_REGION1;
+ }
+ switch (asce.dt) {
+ case ASCE_TYPE_REGION1:
+- if (vaddr.rfx01 > asce.tl && !asce.r)
++ if (vaddr.rfx01 > asce.tl && !*fake)
+ return PGM_REGION_FIRST_TRANS;
+ break;
+ case ASCE_TYPE_REGION2:
+@@ -1004,8 +1005,7 @@ static int kvm_s390_shadow_tables(struct
+ union region1_table_entry rfte;
+
+ if (*fake) {
+- /* offset in 16EB guest memory block */
+- ptr = ptr + ((unsigned long) vaddr.rsx << 53UL);
++ ptr += (unsigned long) vaddr.rfx << 53;
+ rfte.val = ptr;
+ goto shadow_r2t;
+ }
+@@ -1031,8 +1031,7 @@ shadow_r2t:
+ union region2_table_entry rste;
+
+ if (*fake) {
+- /* offset in 8PB guest memory block */
+- ptr = ptr + ((unsigned long) vaddr.rtx << 42UL);
++ ptr += (unsigned long) vaddr.rsx << 42;
+ rste.val = ptr;
+ goto shadow_r3t;
+ }
+@@ -1059,8 +1058,7 @@ shadow_r3t:
+ union region3_table_entry rtte;
+
+ if (*fake) {
+- /* offset in 4TB guest memory block */
+- ptr = ptr + ((unsigned long) vaddr.sx << 31UL);
++ ptr += (unsigned long) vaddr.rtx << 31;
+ rtte.val = ptr;
+ goto shadow_sgt;
+ }
+@@ -1096,8 +1094,7 @@ shadow_sgt:
+ union segment_table_entry ste;
+
+ if (*fake) {
+- /* offset in 2G guest memory block */
+- ptr = ptr + ((unsigned long) vaddr.sx << 20UL);
++ ptr += (unsigned long) vaddr.sx << 20;
+ ste.val = ptr;
+ goto shadow_pgt;
+ }
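Review bot: The corrected `ptr += (unsigned long) vaddr.rfx << 53;` (and the rsx/rtx/sx counterparts below) drop the `/* offset in ... guest memory block */` comments entirely rather than fixing their index names, so the fake real-space path loses the only text saying which index selects which block size. Restoring one-line comments that match the new code, e.g. `/* fake: region first index selects the 16EB block */` above the rfx line and the 8PB/4TB/2G equivalents on the others, would keep the correction self-explanatory. The new `ptr = 0;` under `if (asce.r)` also deserves a short comment noting that the asce origin is only a token for real-space designations, as the description explains. kvm_s390_shadow_tables continues outside every hunk.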
--- /dev/null
+From a91e0f680bcd9e10c253ae8b62462a38bd48f09f Mon Sep 17 00:00:00 2001
+From: Ilya Matveychikov <matvejchikov@gmail.com>
+Date: Fri, 23 Jun 2017 15:08:49 -0700
+Subject: lib/cmdline.c: fix get_options() overflow while parsing ranges
+
+From: Ilya Matveychikov <matvejchikov@gmail.com>
+
+commit a91e0f680bcd9e10c253ae8b62462a38bd48f09f upstream.
+
+When using get_options() it's possible to specify a range of numbers,
+like 1-100500. The problem is that it doesn't track array size while
+calling internally to get_range() which iterates over the range and
+fills the memory with numbers.
+
+Link: http://lkml.kernel.org/r/2613C75C-B04D-4BFF-82A6-12F97BA0F620@gmail.com
+Signed-off-by: Ilya V. Matveychikov <matvejchikov@gmail.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/cmdline.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/lib/cmdline.c
++++ b/lib/cmdline.c
+@@ -22,14 +22,14 @@
+ * the values[M, M+1, ..., N] into the ints array in get_options.
+ */
+
+-static int get_range(char **str, int *pint)
++static int get_range(char **str, int *pint, int n)
+ {
+ int x, inc_counter, upper_range;
+
+ (*str)++;
+ upper_range = simple_strtol((*str), NULL, 0);
+ inc_counter = upper_range - *pint;
+- for (x = *pint; x < upper_range; x++)
++ for (x = *pint; n && x < upper_range; x++, n--)
+ *pint++ = x;
+ return inc_counter;
+ }
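Review bot: get_range() still returns `inc_counter`, the full width of the requested range, even when the new `n` bound stops the loop early, so the number written and the number reported can now disagree. The call site in the second hunk of lib/cmdline.c presumably uses that return value to advance `i` (the advance itself lies past that hunk), so a truncated range can still push `i` beyond `nints` and leave a count in `ints[0]` larger than the array holds. Clamping before the loop, while `n` is still the original room, keeps the return value honest: `if (inc_counter > n) inc_counter = n;`. A negative `inc_counter` (upper bound below the lower one) is unaffected by the clamp and still makes the caller break.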
+@@ -96,7 +96,7 @@ char *get_options(const char *str, int n
+ break;
+ if (res == 3) {
+ int range_nums;
+- range_nums = get_range((char **)&str, ints + i);
++ range_nums = get_range((char **)&str, ints + i, nints - i);
+ if (range_nums < 0)
+ break;
+ /*
--- /dev/null
+From fb3a5055cd7098f8d1dd0cd38d7172211113255f Mon Sep 17 00:00:00 2001
+From: Kan Liang <Kan.liang@intel.com>
+Date: Mon, 19 Jun 2017 07:26:09 -0700
+Subject: perf/x86/intel: Add 1G DTLB load/store miss support for SKL
+
+From: Kan Liang <Kan.liang@intel.com>
+
+commit fb3a5055cd7098f8d1dd0cd38d7172211113255f upstream.
+
+Current DTLB load/store miss events (0x608/0x649) only counts 4K,2M and
+4M page size.
+Need to extend the events to support any page size (4K/2M/4M/1G).
+
+The complete DTLB load/store miss events are:
+
+ DTLB_LOAD_MISSES.WALK_COMPLETED 0xe08
+ DTLB_STORE_MISSES.WALK_COMPLETED 0xe49
+
+Signed-off-by: Kan Liang <Kan.liang@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: eranian@google.com
+Link: http://lkml.kernel.org/r/20170619142609.11058-1-kan.liang@intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/events/intel/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -431,11 +431,11 @@ static __initconst const u64 skl_hw_cach
+ [ C(DTLB) ] = {
+ [ C(OP_READ) ] = {
+ [ C(RESULT_ACCESS) ] = 0x81d0, /* MEM_INST_RETIRED.ALL_LOADS */
+- [ C(RESULT_MISS) ] = 0x608, /* DTLB_LOAD_MISSES.WALK_COMPLETED */
++ [ C(RESULT_MISS) ] = 0xe08, /* DTLB_LOAD_MISSES.WALK_COMPLETED */
+ },
+ [ C(OP_WRITE) ] = {
+ [ C(RESULT_ACCESS) ] = 0x82d0, /* MEM_INST_RETIRED.ALL_STORES */
+- [ C(RESULT_MISS) ] = 0x649, /* DTLB_STORE_MISSES.WALK_COMPLETED */
++ [ C(RESULT_MISS) ] = 0xe49, /* DTLB_STORE_MISSES.WALK_COMPLETED */
+ },
+ [ C(OP_PREFETCH) ] = {
+ [ C(RESULT_ACCESS) ] = 0x0,
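Review bot: The inline comments on the two changed entries are unchanged, so a reader of the table cannot tell why the encoding moved from 0x608/0x649 to 0xe08/0xe49; only the commit message says the old umask left out 1G pages. Suggest `/* DTLB_LOAD_MISSES.WALK_COMPLETED (all page sizes) */` and the matching store-side comment, so the next person comparing against the SDM does not "fix" it back. The table definition begins outside the hunk.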
--- /dev/null
+From bf05fc25f268cd62f147f368fe65ad3e5b04fe9f Mon Sep 17 00:00:00 2001
+From: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+Date: Thu, 15 Jun 2017 19:16:48 +0530
+Subject: powerpc/perf: Fix oops when kthread execs user process
+
+From: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+
+commit bf05fc25f268cd62f147f368fe65ad3e5b04fe9f upstream.
+
+When a kthread calls call_usermodehelper() the steps are:
+ 1. allocate current->mm
+ 2. load_elf_binary()
+ 3. populate current->thread.regs
+
+While doing this, interrupts are not disabled. If there is a perf
+interrupt in the middle of this process (i.e. step 1 has completed
+but not yet reached to step 3) and if perf tries to read userspace
+regs, kernel oops with following log:
+
+ Unable to handle kernel paging request for data at address 0x00000000
+ Faulting instruction address: 0xc0000000000da0fc
+ ...
+ Call Trace:
+ perf_output_sample_regs+0x6c/0xd0
+ perf_output_sample+0x4e4/0x830
+ perf_event_output_forward+0x64/0x90
+ __perf_event_overflow+0x8c/0x1e0
+ record_and_restart+0x220/0x5c0
+ perf_event_interrupt+0x2d8/0x4d0
+ performance_monitor_exception+0x54/0x70
+ performance_monitor_common+0x158/0x160
+ --- interrupt: f01 at avtab_search_node+0x150/0x1a0
+ LR = avtab_search_node+0x100/0x1a0
+ ...
+ load_elf_binary+0x6e8/0x15a0
+ search_binary_handler+0xe8/0x290
+ do_execveat_common.isra.14+0x5f4/0x840
+ call_usermodehelper_exec_async+0x170/0x210
+ ret_from_kernel_thread+0x5c/0x7c
+
+Fix it by setting abi to PERF_SAMPLE_REGS_ABI_NONE when userspace
+pt_regs are not set.
+
+Fixes: ed4a4ef85cf5 ("powerpc/perf: Add support for sampling interrupt register state")
+Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/perf/perf_regs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/perf/perf_regs.c
++++ b/arch/powerpc/perf/perf_regs.c
+@@ -100,5 +100,6 @@ void perf_get_regs_user(struct perf_regs
+ struct pt_regs *regs_user_copy)
+ {
+ regs_user->regs = task_pt_regs(current);
+- regs_user->abi = perf_reg_abi(current);
++ regs_user->abi = (regs_user->regs) ? perf_reg_abi(current) :
++ PERF_SAMPLE_REGS_ABI_NONE;
+ }
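Review bot: The NULL test on `regs_user->regs` carries the whole fix, but nothing in the function says when `task_pt_regs(current)` can be NULL; only the commit message does (a kthread exec'ing a user process before `current->thread.regs` is populated). Suggest a comment above the assignment, e.g. `/* task_pt_regs() is NULL while a kthread is exec'ing a user process and thread.regs is not yet populated; report no user registers then. */`. The parenthesised ternary split across two lines also reads more plainly as an `if`/`else`. perf_get_regs_user's signature starts in the hunk header, outside the visible lines.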
--- /dev/null
+From 57db7e4a2d92c2d3dfbca4ef8057849b2682436b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Tue, 13 Jun 2017 04:31:16 -0500
+Subject: signal: Only reschedule timers on signals timers have sent
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit 57db7e4a2d92c2d3dfbca4ef8057849b2682436b upstream.
+
+Thomas Gleixner wrote:
+> The CRIU support added a 'feature' which allows a user space task to send
+> arbitrary (kernel) signals to itself. The changelog says:
+>
+> The kernel prevents sending of siginfo with positive si_code, because
+> these codes are reserved for kernel. I think we can allow a task to
+> send such a siginfo to itself. This operation should not be dangerous.
+>
+> Quite contrary to that claim, it turns out that it is outright dangerous
+> for signals with info->si_code == SI_TIMER. The following code sequence in
+> a user space task allows to crash the kernel:
+>
+> id = timer_create(CLOCK_XXX, ..... signo = SIGX);
+> timer_set(id, ....);
+> info->si_signo = SIGX;
+> info->si_code = SI_TIMER:
+> info->_sifields._timer._tid = id;
+> info->_sifields._timer._sys_private = 2;
+> rt_[tg]sigqueueinfo(..., SIGX, info);
+> sigemptyset(&sigset);
+> sigaddset(&sigset, SIGX);
+> rt_sigtimedwait(sigset, info);
+>
+> For timers based on CLOCK_PROCESS_CPUTIME_ID, CLOCK_THREAD_CPUTIME_ID this
+> results in a kernel crash because sigwait() dequeues the signal and the
+> dequeue code observes:
+>
+> info->si_code == SI_TIMER && info->_sifields._timer._sys_private != 0
+>
+> which triggers the following callchain:
+>
+> do_schedule_next_timer() -> posix_cpu_timer_schedule() -> arm_timer()
+>
+> arm_timer() executes a list_add() on the timer, which is already armed via
+> the timer_set() syscall. That's a double list add which corrupts the posix
+> cpu timer list. As a consequence the kernel crashes on the next operation
+> touching the posix cpu timer list.
+>
+> Posix clocks which are internally implemented based on hrtimers are not
+> affected by this because hrtimer_start() can handle already armed timers
+> nicely, but it's a reliable way to trigger the WARN_ON() in
+> hrtimer_forward(), which complains about calling that function on an
+> already armed timer.
+
+This problem has existed since the posix timer code was merged into
+2.5.63. A few releases earlier in 2.5.60 ptrace gained the ability to
+inject not just a signal (which linux has supported since 1.0) but the
+full siginfo of a signal.
+
+The core problem is that the code will reschedule in response to
+signals getting dequeued not just for signals the timers sent but
+for other signals that happen to a si_code of SI_TIMER.
+
+Avoid this confusion by testing to see if the queued signal was
+preallocated as all timer signals are preallocated, and so far
+only the timer code preallocates signals.
+
+Move the check for if a timer needs to be rescheduled up into
+collect_signal where the preallocation check must be performed,
+and pass the result back to dequeue_signal where the code reschedules
+timers. This makes it clear why the code cares about preallocated
+timers.
+
+Reported-by: Thomas Gleixner <tglx@linutronix.de>
+History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
+Reference: 66dd34ad31e5 ("signal: allow to send any siginfo to itself")
+Reference: 1669ce53e2ff ("Add PTRACE_GETSIGINFO and PTRACE_SETSIGINFO")
+Fixes: db8b50ba75f2 ("[PATCH] POSIX clocks & timers")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/signal.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -503,7 +503,8 @@ int unhandled_signal(struct task_struct
+ return !tsk->ptrace;
+ }
+
+-static void collect_signal(int sig, struct sigpending *list, siginfo_t *info)
++static void collect_signal(int sig, struct sigpending *list, siginfo_t *info,
++ bool *resched_timer)
+ {
+ struct sigqueue *q, *first = NULL;
+
+@@ -525,6 +526,12 @@ static void collect_signal(int sig, stru
+ still_pending:
+ list_del_init(&first->list);
+ copy_siginfo(info, &first->info);
++
++ *resched_timer =
++ (first->flags & SIGQUEUE_PREALLOC) &&
++ (info->si_code == SI_TIMER) &&
++ (info->si_sys_private);
++
+ __sigqueue_free(first);
+ } else {
+ /*
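Review bot: collect_signal() writes `*resched_timer` only on the `still_pending` path; on the `else` branch that follows, where no sigqueue entry is consumed, the output parameter is left untouched, and __dequeue_signal() never reaches it at all when next_signal() returns 0. Correctness therefore rests on the `bool resched_timer = false;` initialiser added to dequeue_signal() in a later hunk, and any future caller that omits it reads an uninitialised bool. Setting `*resched_timer = false;` as the first statement of collect_signal() makes the contract local to the function; at minimum the new parameter in the first hunk should carry a comment saying it is only assigned when a queued entry is dequeued.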
+@@ -541,12 +548,12 @@ still_pending:
+ }
+
+ static int __dequeue_signal(struct sigpending *pending, sigset_t *mask,
+- siginfo_t *info)
++ siginfo_t *info, bool *resched_timer)
+ {
+ int sig = next_signal(pending, mask);
+
+ if (sig)
+- collect_signal(sig, pending, info);
++ collect_signal(sig, pending, info, resched_timer);
+ return sig;
+ }
+
+@@ -558,15 +565,16 @@ static int __dequeue_signal(struct sigpe
+ */
+ int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info)
+ {
++ bool resched_timer = false;
+ int signr;
+
+ /* We only dequeue private signals from ourselves, we don't let
+ * signalfd steal them
+ */
+- signr = __dequeue_signal(&tsk->pending, mask, info);
++ signr = __dequeue_signal(&tsk->pending, mask, info, &resched_timer);
+ if (!signr) {
+ signr = __dequeue_signal(&tsk->signal->shared_pending,
+- mask, info);
++ mask, info, &resched_timer);
+ /*
+ * itimer signal ?
+ *
+@@ -611,7 +619,7 @@ int dequeue_signal(struct task_struct *t
+ */
+ current->jobctl |= JOBCTL_STOP_DEQUEUED;
+ }
+- if ((info->si_code & __SI_MASK) == __SI_TIMER && info->si_sys_private) {
++ if (resched_timer) {
+ /*
+ * Release the siglock to ensure proper locking order
+ * of timer locks outside of siglocks. Note, we leave
--- /dev/null
+From 089bc0143f489bd3a4578bdff5f4ca68fb26f341 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 13 Jun 2017 16:28:27 -0400
+Subject: xen-blkback: don't leak stack data via response ring
+
+From: Jan Beulich <jbeulich@suse.com>
+
+commit 089bc0143f489bd3a4578bdff5f4ca68fb26f341 upstream.
+
+Rather than constructing a local structure instance on the stack, fill
+the fields directly on the shared ring, just like other backends do.
+Build on the fact that all response structure flavors are actually
+identical (the old code did make this assumption too).
+
+This is XSA-216.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/xen-blkback/blkback.c | 23 ++++++++++++-----------
+ drivers/block/xen-blkback/common.h | 25 +++++--------------------
+ 2 files changed, 17 insertions(+), 31 deletions(-)
+
+--- a/drivers/block/xen-blkback/blkback.c
++++ b/drivers/block/xen-blkback/blkback.c
+@@ -1436,34 +1436,35 @@ static int dispatch_rw_block_io(struct x
+ static void make_response(struct xen_blkif_ring *ring, u64 id,
+ unsigned short op, int st)
+ {
+- struct blkif_response resp;
++ struct blkif_response *resp;
+ unsigned long flags;
+ union blkif_back_rings *blk_rings;
+ int notify;
+
+- resp.id = id;
+- resp.operation = op;
+- resp.status = st;
+-
+ spin_lock_irqsave(&ring->blk_ring_lock, flags);
+ blk_rings = &ring->blk_rings;
+ /* Place on the response ring for the relevant domain. */
+ switch (ring->blkif->blk_protocol) {
+ case BLKIF_PROTOCOL_NATIVE:
+- memcpy(RING_GET_RESPONSE(&blk_rings->native, blk_rings->native.rsp_prod_pvt),
+- &resp, sizeof(resp));
++ resp = RING_GET_RESPONSE(&blk_rings->native,
++ blk_rings->native.rsp_prod_pvt);
+ break;
+ case BLKIF_PROTOCOL_X86_32:
+- memcpy(RING_GET_RESPONSE(&blk_rings->x86_32, blk_rings->x86_32.rsp_prod_pvt),
+- &resp, sizeof(resp));
++ resp = RING_GET_RESPONSE(&blk_rings->x86_32,
++ blk_rings->x86_32.rsp_prod_pvt);
+ break;
+ case BLKIF_PROTOCOL_X86_64:
+- memcpy(RING_GET_RESPONSE(&blk_rings->x86_64, blk_rings->x86_64.rsp_prod_pvt),
+- &resp, sizeof(resp));
++ resp = RING_GET_RESPONSE(&blk_rings->x86_64,
++ blk_rings->x86_64.rsp_prod_pvt);
+ break;
+ default:
+ BUG();
+ }
++
++ resp->id = id;
++ resp->operation = op;
++ resp->status = st;
++
+ blk_rings->common.rsp_prod_pvt++;
+ RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blk_rings->common, notify);
+ spin_unlock_irqrestore(&ring->blk_ring_lock, flags);
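Review bot: The reason for writing the three fields straight into the ring slot is the fix itself — a stack `struct blkif_response` copied with memcpy() carried its uninitialised padding bytes into guest-visible memory — but nothing in the code records that, so a later cleanup could reintroduce the temporary. Suggest a comment above `resp->id = id;`: `/* Fill the slot in place: a stack temporary copied with memcpy() would leak the struct's padding bytes to the frontend (XSA-216). */`. The slot's own padding bytes are now left as the ring page already had them, which is guest-provided memory rather than backend state. In the `default:` arm `resp` is never assigned, which is only safe because BUG() does not return. make_response continues past the hunk.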
+--- a/drivers/block/xen-blkback/common.h
++++ b/drivers/block/xen-blkback/common.h
+@@ -75,9 +75,8 @@ extern unsigned int xenblk_max_queues;
+ struct blkif_common_request {
+ char dummy;
+ };
+-struct blkif_common_response {
+- char dummy;
+-};
++
++/* i386 protocol version */
+
+ struct blkif_x86_32_request_rw {
+ uint8_t nr_segments; /* number of segments */
+@@ -129,14 +128,6 @@ struct blkif_x86_32_request {
+ } u;
+ } __attribute__((__packed__));
+
+-/* i386 protocol version */
+-#pragma pack(push, 4)
+-struct blkif_x86_32_response {
+- uint64_t id; /* copied from request */
+- uint8_t operation; /* copied from request */
+- int16_t status; /* BLKIF_RSP_??? */
+-};
+-#pragma pack(pop)
+ /* x86_64 protocol version */
+
+ struct blkif_x86_64_request_rw {
+@@ -193,18 +184,12 @@ struct blkif_x86_64_request {
+ } u;
+ } __attribute__((__packed__));
+
+-struct blkif_x86_64_response {
+- uint64_t __attribute__((__aligned__(8))) id;
+- uint8_t operation; /* copied from request */
+- int16_t status; /* BLKIF_RSP_??? */
+-};
+-
+ DEFINE_RING_TYPES(blkif_common, struct blkif_common_request,
+- struct blkif_common_response);
++ struct blkif_response);
+ DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request,
+- struct blkif_x86_32_response);
++ struct blkif_response __packed);
+ DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request,
+- struct blkif_x86_64_response);
++ struct blkif_response);
+
+ union blkif_back_rings {
+ struct blkif_back_ring native;
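Review bot: The i386 ring previously took its response layout from `#pragma pack(push, 4)` on a dedicated struct; it now relies on `struct blkif_response __packed` inside DEFINE_RING_TYPES, and nothing explains why the two are wire-compatible. As far as I can tell the offsets the frontend reads (`id`, `operation`, `status`) are identical in both forms and only trailing padding differs, but that reasoning belongs next to the macro, e.g. `/* 32-bit ABI: response packed to 4-byte alignment; field offsets match the native layout, only trailing padding differs. */`, ideally backed by a BUILD_BUG_ON on the offsets. The `__packed` attribute placed after the type name applies to the member declared by the macro rather than to the struct, which is worth confirming on both 32- and 64-bit builds.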
--- /dev/null
+From 46464411307746e6297a034a9983a22c9dfc5a0c Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Thu, 18 May 2017 17:28:47 +0200
+Subject: xen/blkback: fix disconnect while I/Os in flight
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 46464411307746e6297a034a9983a22c9dfc5a0c upstream.
+
+Today disconnecting xen-blkback is broken in case there are still
+I/Os in flight: xen_blkif_disconnect() will bail out early without
+releasing all resources in the hope it will be called again when
+the last request has terminated. This, however, won't happen as
+xen_blkif_free() won't be called on termination of the last running
+request: xen_blkif_put() won't decrement the blkif refcnt to 0 as
+xen_blkif_disconnect() didn't finish before thus some xen_blkif_put()
+calls in xen_blkif_disconnect() didn't happen.
+
+To solve this deadlock xen_blkif_disconnect() and
+xen_blkif_alloc_rings() shouldn't use xen_blkif_put() and
+xen_blkif_get() but use some other way to do their accounting of
+resources.
+
+This at once fixes another error in xen_blkif_disconnect(): when it
+returned early with -EBUSY for another ring than 0 it would call
+xen_blkif_put() again for already handled rings on a subsequent call.
+This will lead to inconsistencies in the refcnt handling.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Steven Haigh <netwiz@crc.id.au>
+Acked-by: Roger Pau Monné <roger.pau@citrix.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/xen-blkback/common.h | 1 +
+ drivers/block/xen-blkback/xenbus.c | 7 +++++--
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/xen-blkback/common.h
++++ b/drivers/block/xen-blkback/common.h
+@@ -281,6 +281,7 @@ struct xen_blkif_ring {
+
+ wait_queue_head_t wq;
+ atomic_t inflight;
++ bool active;
+ /* One thread per blkif ring. */
+ struct task_struct *xenblkd;
+ unsigned int waiting_reqs;
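Review bot: The new `bool active;` member has no comment, and its meaning — the ring's resources have been allocated by xen_blkif_alloc_rings() and not yet released by xen_blkif_disconnect() — is exactly what replaces the refcount juggling described in the commit message. Suggest `/* Set by xen_blkif_alloc_rings(), cleared by xen_blkif_disconnect() once the ring's resources are released. */`. The xenbus.c hunks read and write the flag with no lock in sight; whether any ordering against other readers is needed is not visible from here and is worth confirming. struct xen_blkif_ring begins outside the hunk.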
+--- a/drivers/block/xen-blkback/xenbus.c
++++ b/drivers/block/xen-blkback/xenbus.c
+@@ -159,7 +159,7 @@ static int xen_blkif_alloc_rings(struct
+ init_waitqueue_head(&ring->shutdown_wq);
+ ring->blkif = blkif;
+ ring->st_print = jiffies;
+- xen_blkif_get(blkif);
++ ring->active = true;
+ }
+
+ return 0;
+@@ -249,6 +249,9 @@ static int xen_blkif_disconnect(struct x
+ struct xen_blkif_ring *ring = &blkif->rings[r];
+ unsigned int i = 0;
+
++ if (!ring->active)
++ continue;
++
+ if (ring->xenblkd) {
+ kthread_stop(ring->xenblkd);
+ wake_up(&ring->shutdown_wq);
+@@ -296,7 +299,7 @@ static int xen_blkif_disconnect(struct x
+ BUG_ON(ring->free_pages_num != 0);
+ BUG_ON(ring->persistent_gnt_c != 0);
+ WARN_ON(i != (XEN_BLKIF_REQS_PER_PAGE * blkif->nr_ring_pages));
+- xen_blkif_put(blkif);
++ ring->active = false;
+ }
+ blkif->nr_ring_pages = 0;
+ /*