--- /dev/null
+From 16ff1fb0e32f76a5d285a6f23b82d21aa52813c6 Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+Date: Wed, 8 Mar 2017 13:52:07 +0200
+Subject: ath9k_htc: Add support of AirTies 1eda:2315 AR9271 device
+
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+
+commit 16ff1fb0e32f76a5d285a6f23b82d21aa52813c6 upstream.
+
+T: Bus=01 Lev=02 Prnt=02 Port=02 Cnt=01 Dev#= 7 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=ff(vend.) Sub=ff Prot=ff MxPS=64 #Cfgs= 1
+P: Vendor=1eda ProdID=2315 Rev=01.08
+S: Manufacturer=ATHEROS
+S: Product=USB2.0 WLAN
+S: SerialNumber=12345
+C: #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 6 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+
+Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/hif_usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -37,6 +37,7 @@ static struct usb_device_id ath9k_hif_us
+ { USB_DEVICE(0x0cf3, 0xb002) }, /* Ubiquiti WifiStation */
+ { USB_DEVICE(0x057c, 0x8403) }, /* AVM FRITZ!WLAN 11N v2 USB */
+ { USB_DEVICE(0x0471, 0x209e) }, /* Philips (or NXP) PTA01 */
++ { USB_DEVICE(0x1eda, 0x2315) }, /* AirTies */
+
+ { USB_DEVICE(0x0cf3, 0x7015),
+ .driver_info = AR9287_USB }, /* Atheros */
--- /dev/null
+From ebeb36670ecac36c179b5fb5d5c88ff03ba191ec Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:44:20 +0100
+Subject: ath9k_htc: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ebeb36670ecac36c179b5fb5d5c88ff03ba191ec upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory beyond the endpoint array should a
+malicious device lack the expected endpoints.
+
+Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/hif_usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -1220,6 +1220,9 @@ static int send_eject_command(struct usb
+ u8 bulk_out_ep;
+ int r;
+
++ if (iface_desc->desc.bNumEndpoints < 2)
++ return -ENODEV;
++
+ /* Find bulk out endpoint */
+ for (r = 1; r >= 0; r--) {
+ endpoint = &iface_desc->endpoint[r].desc;
--- /dev/null
+From 1ac202e978e18f045006d75bd549612620c6ec3a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20Gl=C3=B6ckner?= <dg@emlix.com>
+Date: Fri, 24 Feb 2017 15:05:14 +0100
+Subject: ima: accept previously set IMA_NEW_FILE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Glöckner <dg@emlix.com>
+
+commit 1ac202e978e18f045006d75bd549612620c6ec3a upstream.
+
+Modifying the attributes of a file makes ima_inode_post_setattr reset
+the IMA cache flags. So if the file, which has just been created,
+is opened a second time before the first file descriptor is closed,
+verification fails since the security.ima xattr has not been written
+yet. We therefore have to look at the IMA_NEW_FILE even if the file
+already existed.
+
+With this patch there should no longer be an error when cat tries to
+open testfile:
+
+$ rm -f testfile
+$ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile
+
+A file being new is no reason to accept that it is missing a digital
+signature demanded by the policy.
+
+Signed-off-by: Daniel Glöckner <dg@emlix.com>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/ima/ima_appraise.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -207,10 +207,11 @@ int ima_appraise_measurement(enum ima_ho
+
+ cause = "missing-hash";
+ status = INTEGRITY_NOLABEL;
+- if (opened & FILE_CREATED) {
++ if (opened & FILE_CREATED)
+ iint->flags |= IMA_NEW_FILE;
++ if ((iint->flags & IMA_NEW_FILE) &&
++ !(iint->flags & IMA_DIGSIG_REQUIRED))
+ status = INTEGRITY_PASS;
+- }
+ goto out;
+ }
+
--- /dev/null
+From a575813bfe4bc15aba511a5e91e61d242bff8b9d Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Thu, 11 May 2017 02:58:55 -0700
+Subject: KVM: x86: Fix load damaged SSEx MXCSR register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+commit a575813bfe4bc15aba511a5e91e61d242bff8b9d upstream.
+
+Reported by syzkaller:
+
+ BUG: unable to handle kernel paging request at ffffffffc07f6a2e
+ IP: report_bug+0x94/0x120
+ PGD 348e12067
+ P4D 348e12067
+ PUD 348e14067
+ PMD 3cbd84067
+ PTE 80000003f7e87161
+
+ Oops: 0003 [#1] SMP
+ CPU: 2 PID: 7091 Comm: kvm_load_guest_ Tainted: G OE 4.11.0+ #8
+ task: ffff92fdfb525400 task.stack: ffffbda6c3d04000
+ RIP: 0010:report_bug+0x94/0x120
+ RSP: 0018:ffffbda6c3d07b20 EFLAGS: 00010202
+ do_trap+0x156/0x170
+ do_error_trap+0xa3/0x170
+ ? kvm_load_guest_fpu.part.175+0x12a/0x170 [kvm]
+ ? mark_held_locks+0x79/0xa0
+ ? retint_kernel+0x10/0x10
+ ? trace_hardirqs_off_thunk+0x1a/0x1c
+ do_invalid_op+0x20/0x30
+ invalid_op+0x1e/0x30
+ RIP: 0010:kvm_load_guest_fpu.part.175+0x12a/0x170 [kvm]
+ ? kvm_load_guest_fpu.part.175+0x1c/0x170 [kvm]
+ kvm_arch_vcpu_ioctl_run+0xed6/0x1b70 [kvm]
+ kvm_vcpu_ioctl+0x384/0x780 [kvm]
+ ? kvm_vcpu_ioctl+0x384/0x780 [kvm]
+ ? sched_clock+0x13/0x20
+ ? __do_page_fault+0x2a0/0x550
+ do_vfs_ioctl+0xa4/0x700
+ ? up_read+0x1f/0x40
+ ? __do_page_fault+0x2a0/0x550
+ SyS_ioctl+0x79/0x90
+ entry_SYSCALL_64_fastpath+0x23/0xc2
+
+SDM mentioned that "The MXCSR has several reserved bits, and attempting to write
+a 1 to any of these bits will cause a general-protection exception(#GP) to be
+generated". The syzkaller forks' testcase overrides xsave area w/ random values
+and steps on the reserved bits of MXCSR register. The damaged MXCSR register
+values of guest will be restored to SSEx MXCSR register before vmentry. This
+patch fixes it by catching userspace override MXCSR register reserved bits w/
+random values and bails out immediately.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/fpu/init.c | 1 +
+ arch/x86/kvm/x86.c | 9 +++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/fpu/init.c
++++ b/arch/x86/kernel/fpu/init.c
+@@ -90,6 +90,7 @@ static void fpu__init_system_early_gener
+ * Boot time FPU feature detection code:
+ */
+ unsigned int mxcsr_feature_mask __read_mostly = 0xffffffffu;
++EXPORT_SYMBOL_GPL(mxcsr_feature_mask);
+
+ static void __init fpu__init_system_mxcsr(void)
+ {
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3307,11 +3307,14 @@ static void kvm_vcpu_ioctl_x86_get_xsave
+ }
+ }
+
++#define XSAVE_MXCSR_OFFSET 24
++
+ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
+ struct kvm_xsave *guest_xsave)
+ {
+ u64 xstate_bv =
+ *(u64 *)&guest_xsave->region[XSAVE_HDR_OFFSET / sizeof(u32)];
++ u32 mxcsr = *(u32 *)&guest_xsave->region[XSAVE_MXCSR_OFFSET / sizeof(u32)];
+
+ if (boot_cpu_has(X86_FEATURE_XSAVE)) {
+ /*
+@@ -3319,11 +3322,13 @@ static int kvm_vcpu_ioctl_x86_set_xsave(
+ * CPUID leaf 0xD, index 0, EDX:EAX. This is for compatibility
+ * with old userspace.
+ */
+- if (xstate_bv & ~kvm_supported_xcr0())
++ if (xstate_bv & ~kvm_supported_xcr0() ||
++ mxcsr & ~mxcsr_feature_mask)
+ return -EINVAL;
+ load_xsave(vcpu, (u8 *)guest_xsave->region);
+ } else {
+- if (xstate_bv & ~XFEATURE_MASK_FPSSE)
++ if (xstate_bv & ~XFEATURE_MASK_FPSSE ||
++ mxcsr & ~mxcsr_feature_mask)
+ return -EINVAL;
+ memcpy(&vcpu->arch.guest_fpu.state.fxsave,
+ guest_xsave->region, sizeof(struct fxregs_state));
--- /dev/null
+From e2c2206a18993bc9f62393d49c7b2066c3845b25 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Thu, 11 May 2017 18:12:05 -0700
+Subject: KVM: x86: Fix potential preemption when get the current kvmclock timestamp
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+commit e2c2206a18993bc9f62393d49c7b2066c3845b25 upstream.
+
+ BUG: using __this_cpu_read() in preemptible [00000000] code: qemu-system-x86/2809
+ caller is __this_cpu_preempt_check+0x13/0x20
+ CPU: 2 PID: 2809 Comm: qemu-system-x86 Not tainted 4.11.0+ #13
+ Call Trace:
+ dump_stack+0x99/0xce
+ check_preemption_disabled+0xf5/0x100
+ __this_cpu_preempt_check+0x13/0x20
+ get_kvmclock_ns+0x6f/0x110 [kvm]
+ get_time_ref_counter+0x5d/0x80 [kvm]
+ kvm_hv_process_stimers+0x2a1/0x8a0 [kvm]
+ ? kvm_hv_process_stimers+0x2a1/0x8a0 [kvm]
+ ? kvm_arch_vcpu_ioctl_run+0xac9/0x1ce0 [kvm]
+ kvm_arch_vcpu_ioctl_run+0x5bf/0x1ce0 [kvm]
+ kvm_vcpu_ioctl+0x384/0x7b0 [kvm]
+ ? kvm_vcpu_ioctl+0x384/0x7b0 [kvm]
+ ? __fget+0xf3/0x210
+ do_vfs_ioctl+0xa4/0x700
+ ? __fget+0x114/0x210
+ SyS_ioctl+0x79/0x90
+ entry_SYSCALL_64_fastpath+0x23/0xc2
+ RIP: 0033:0x7f9d164ed357
+ ? __this_cpu_preempt_check+0x13/0x20
+
+This can be reproduced by run kvm-unit-tests/hyperv_stimer.flat w/
+CONFIG_PREEMPT and CONFIG_DEBUG_PREEMPT enabled.
+
+Safe access to per-CPU data requires a couple of constraints, though: the
+thread working with the data cannot be preempted and it cannot be migrated
+while it manipulates per-CPU variables. If the thread is preempted, the
+thread that replaces it could try to work with the same variables; migration
+to another CPU could also cause confusion. However there is no preemption
+disable when reads host per-CPU tsc rate to calculate the current kvmclock
+timestamp.
+
+This patch fixes it by utilizing get_cpu/put_cpu pair to guarantee both
+__this_cpu_read() and rdtsc() are not preempted.
+
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1779,6 +1779,7 @@ static u64 __get_kvmclock_ns(struct kvm
+ {
+ struct kvm_arch *ka = &kvm->arch;
+ struct pvclock_vcpu_time_info hv_clock;
++ u64 ret;
+
+ spin_lock(&ka->pvclock_gtod_sync_lock);
+ if (!ka->use_master_clock) {
+@@ -1790,10 +1791,17 @@ static u64 __get_kvmclock_ns(struct kvm
+ hv_clock.system_time = ka->master_kernel_ns + ka->kvmclock_offset;
+ spin_unlock(&ka->pvclock_gtod_sync_lock);
+
++ /* both __this_cpu_read() and rdtsc() should be on the same cpu */
++ get_cpu();
++
+ kvm_get_time_scale(NSEC_PER_SEC, __this_cpu_read(cpu_tsc_khz) * 1000LL,
+ &hv_clock.tsc_shift,
+ &hv_clock.tsc_to_system_mul);
+- return __pvclock_read_cycles(&hv_clock, rdtsc());
++ ret = __pvclock_read_cycles(&hv_clock, rdtsc());
++
++ put_cpu();
++
++ return ret;
+ }
+
+ u64 get_kvmclock_ns(struct kvm *kvm)
--- /dev/null
+From cbfc6c9184ce71b52df4b1d82af5afc81a709178 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Fri, 19 May 2017 02:46:56 -0700
+Subject: KVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+commit cbfc6c9184ce71b52df4b1d82af5afc81a709178 upstream.
+
+Huawei folks reported a read out-of-bounds vulnerability in kvm pio emulation.
+
+- "inb" instruction to access PIT Mod/Command register (ioport 0x43, write only,
+ a read should be ignored) in guest can get a random number.
+- "rep insb" instruction to access PIT register port 0x43 can control memcpy()
+ in emulator_pio_in_emulated() to copy max 0x400 bytes but only read 1 bytes,
+ which will disclose the unimportant kernel memory in host but no crash.
+
+The similar test program below can reproduce the read out-of-bounds vulnerability:
+
+void hexdump(void *mem, unsigned int len)
+{
+ unsigned int i, j;
+
+ for(i = 0; i < len + ((len % HEXDUMP_COLS) ? (HEXDUMP_COLS - len % HEXDUMP_COLS) : 0); i++)
+ {
+ /* print offset */
+ if(i % HEXDUMP_COLS == 0)
+ {
+ printf("0x%06x: ", i);
+ }
+
+ /* print hex data */
+ if(i < len)
+ {
+ printf("%02x ", 0xFF & ((char*)mem)[i]);
+ }
+ else /* end of block, just aligning for ASCII dump */
+ {
+ printf(" ");
+ }
+
+ /* print ASCII dump */
+ if(i % HEXDUMP_COLS == (HEXDUMP_COLS - 1))
+ {
+ for(j = i - (HEXDUMP_COLS - 1); j <= i; j++)
+ {
+ if(j >= len) /* end of block, not really printing */
+ {
+ putchar(' ');
+ }
+ else if(isprint(((char*)mem)[j])) /* printable char */
+ {
+ putchar(0xFF & ((char*)mem)[j]);
+ }
+ else /* other char */
+ {
+ putchar('.');
+ }
+ }
+ putchar('\n');
+ }
+ }
+}
+
+int main(void)
+{
+ int i;
+ if (iopl(3))
+ {
+ err(1, "set iopl unsuccessfully\n");
+ return -1;
+ }
+ static char buf[0x40];
+
+ /* test ioport 0x40,0x41,0x42,0x43,0x44,0x45 */
+
+ memset(buf, 0xab, sizeof(buf));
+
+ asm volatile("push %rdi;");
+ asm volatile("mov %0, %%rdi;"::"q"(buf));
+
+ asm volatile ("mov $0x40, %rdx;");
+ asm volatile ("in %dx,%al;");
+ asm volatile ("stosb;");
+
+ asm volatile ("mov $0x41, %rdx;");
+ asm volatile ("in %dx,%al;");
+ asm volatile ("stosb;");
+
+ asm volatile ("mov $0x42, %rdx;");
+ asm volatile ("in %dx,%al;");
+ asm volatile ("stosb;");
+
+ asm volatile ("mov $0x43, %rdx;");
+ asm volatile ("in %dx,%al;");
+ asm volatile ("stosb;");
+
+ asm volatile ("mov $0x44, %rdx;");
+ asm volatile ("in %dx,%al;");
+ asm volatile ("stosb;");
+
+ asm volatile ("mov $0x45, %rdx;");
+ asm volatile ("in %dx,%al;");
+ asm volatile ("stosb;");
+
+ asm volatile ("pop %rdi;");
+ hexdump(buf, 0x40);
+
+ printf("\n");
+
+ /* ins port 0x40 */
+
+ memset(buf, 0xab, sizeof(buf));
+
+ asm volatile("push %rdi;");
+ asm volatile("mov %0, %%rdi;"::"q"(buf));
+
+ asm volatile ("mov $0x20, %rcx;");
+ asm volatile ("mov $0x40, %rdx;");
+ asm volatile ("rep insb;");
+
+ asm volatile ("pop %rdi;");
+ hexdump(buf, 0x40);
+
+ printf("\n");
+
+ /* ins port 0x43 */
+
+ memset(buf, 0xab, sizeof(buf));
+
+ asm volatile("push %rdi;");
+ asm volatile("mov %0, %%rdi;"::"q"(buf));
+
+ asm volatile ("mov $0x20, %rcx;");
+ asm volatile ("mov $0x43, %rdx;");
+ asm volatile ("rep insb;");
+
+ asm volatile ("pop %rdi;");
+ hexdump(buf, 0x40);
+
+ printf("\n");
+ return 0;
+}
+
+The vcpu->arch.pio_data buffer is used by both in/out instrutions emulation
+w/o clear after using which results in some random datas are left over in
+the buffer. Guest reads port 0x43 will be ignored since it is write only,
+however, the function kernel_pio() can't distigush this ignore from successfully
+reads data from device's ioport. There is no new data fill the buffer from
+port 0x43, however, emulator_pio_in_emulated() will copy the stale data in
+the buffer to the guest unconditionally. This patch fixes it by clearing the
+buffer before in instruction emulation to avoid to grant guest the stale data
+in the buffer.
+
+In addition, string I/O is not supported for in kernel device. So there is no
+iteration to read ioport %RCX times for string I/O. The function kernel_pio()
+just reads one round, and then copy the io size * %RCX to the guest unconditionally,
+actually it copies the one round ioport data w/ other random datas which are left
+over in the vcpu->arch.pio_data buffer to the guest. This patch fixes it by
+introducing the string I/O support for in kernel device in order to grant the right
+ioport datas to the guest.
+
+Before the patch:
+
+0x000000: fe 38 93 93 ff ff ab ab .8......
+0x000008: ab ab ab ab ab ab ab ab ........
+0x000010: ab ab ab ab ab ab ab ab ........
+0x000018: ab ab ab ab ab ab ab ab ........
+0x000020: ab ab ab ab ab ab ab ab ........
+0x000028: ab ab ab ab ab ab ab ab ........
+0x000030: ab ab ab ab ab ab ab ab ........
+0x000038: ab ab ab ab ab ab ab ab ........
+
+0x000000: f6 00 00 00 00 00 00 00 ........
+0x000008: 00 00 00 00 00 00 00 00 ........
+0x000010: 00 00 00 00 4d 51 30 30 ....MQ00
+0x000018: 30 30 20 33 20 20 20 20 00 3
+0x000020: ab ab ab ab ab ab ab ab ........
+0x000028: ab ab ab ab ab ab ab ab ........
+0x000030: ab ab ab ab ab ab ab ab ........
+0x000038: ab ab ab ab ab ab ab ab ........
+
+0x000000: f6 00 00 00 00 00 00 00 ........
+0x000008: 00 00 00 00 00 00 00 00 ........
+0x000010: 00 00 00 00 4d 51 30 30 ....MQ00
+0x000018: 30 30 20 33 20 20 20 20 00 3
+0x000020: ab ab ab ab ab ab ab ab ........
+0x000028: ab ab ab ab ab ab ab ab ........
+0x000030: ab ab ab ab ab ab ab ab ........
+0x000038: ab ab ab ab ab ab ab ab ........
+
+After the patch:
+
+0x000000: 1e 02 f8 00 ff ff ab ab ........
+0x000008: ab ab ab ab ab ab ab ab ........
+0x000010: ab ab ab ab ab ab ab ab ........
+0x000018: ab ab ab ab ab ab ab ab ........
+0x000020: ab ab ab ab ab ab ab ab ........
+0x000028: ab ab ab ab ab ab ab ab ........
+0x000030: ab ab ab ab ab ab ab ab ........
+0x000038: ab ab ab ab ab ab ab ab ........
+
+0x000000: d2 e2 d2 df d2 db d2 d7 ........
+0x000008: d2 d3 d2 cf d2 cb d2 c7 ........
+0x000010: d2 c4 d2 c0 d2 bc d2 b8 ........
+0x000018: d2 b4 d2 b0 d2 ac d2 a8 ........
+0x000020: ab ab ab ab ab ab ab ab ........
+0x000028: ab ab ab ab ab ab ab ab ........
+0x000030: ab ab ab ab ab ab ab ab ........
+0x000038: ab ab ab ab ab ab ab ab ........
+
+0x000000: 00 00 00 00 00 00 00 00 ........
+0x000008: 00 00 00 00 00 00 00 00 ........
+0x000010: 00 00 00 00 00 00 00 00 ........
+0x000018: 00 00 00 00 00 00 00 00 ........
+0x000020: ab ab ab ab ab ab ab ab ........
+0x000028: ab ab ab ab ab ab ab ab ........
+0x000030: ab ab ab ab ab ab ab ab ........
+0x000038: ab ab ab ab ab ab ab ab ........
+
+Reported-by: Moguofang <moguofang@huawei.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Moguofang <moguofang@huawei.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4862,16 +4862,20 @@ emul_write:
+
+ static int kernel_pio(struct kvm_vcpu *vcpu, void *pd)
+ {
+- /* TODO: String I/O for in kernel device */
+- int r;
++ int r = 0, i;
+
+- if (vcpu->arch.pio.in)
+- r = kvm_io_bus_read(vcpu, KVM_PIO_BUS, vcpu->arch.pio.port,
+- vcpu->arch.pio.size, pd);
+- else
+- r = kvm_io_bus_write(vcpu, KVM_PIO_BUS,
+- vcpu->arch.pio.port, vcpu->arch.pio.size,
+- pd);
++ for (i = 0; i < vcpu->arch.pio.count; i++) {
++ if (vcpu->arch.pio.in)
++ r = kvm_io_bus_read(vcpu, KVM_PIO_BUS, vcpu->arch.pio.port,
++ vcpu->arch.pio.size, pd);
++ else
++ r = kvm_io_bus_write(vcpu, KVM_PIO_BUS,
++ vcpu->arch.pio.port, vcpu->arch.pio.size,
++ pd);
++ if (r)
++ break;
++ pd += vcpu->arch.pio.size;
++ }
+ return r;
+ }
+
+@@ -4909,6 +4913,8 @@ static int emulator_pio_in_emulated(stru
+ if (vcpu->arch.pio.count)
+ goto data_avail;
+
++ memset(vcpu->arch.pio_data, 0, size * count);
++
+ ret = emulator_pio_in_out(vcpu, size, port, val, count, true);
+ if (ret) {
+ data_avail:
--- /dev/null
+From 75f88115391156b3f0fecbbae76bf870c89bcab8 Mon Sep 17 00:00:00 2001
+From: Wadim Egorov <w.egorov@phytec.de>
+Date: Wed, 22 Mar 2017 16:50:50 +0100
+Subject: regulator: rk808: Fix RK818 LDO2
+
+From: Wadim Egorov <w.egorov@phytec.de>
+
+commit 75f88115391156b3f0fecbbae76bf870c89bcab8 upstream.
+
+Set the correct voltage select register for LDO2.
+
+Signed-off-by: Wadim Egorov <w.egorov@phytec.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/rk808-regulator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/regulator/rk808-regulator.c
++++ b/drivers/regulator/rk808-regulator.c
+@@ -519,7 +519,7 @@ static const struct regulator_desc rk818
+ RK818_LDO1_ON_VSEL_REG, RK818_LDO_VSEL_MASK, RK818_LDO_EN_REG,
+ BIT(0), 400),
+ RK8XX_DESC(RK818_ID_LDO2, "LDO_REG2", "vcc6", 1800, 3400, 100,
+- RK818_LDO1_ON_VSEL_REG, RK818_LDO_VSEL_MASK, RK818_LDO_EN_REG,
++ RK818_LDO2_ON_VSEL_REG, RK818_LDO_VSEL_MASK, RK818_LDO_EN_REG,
+ BIT(1), 400),
+ {
+ .name = "LDO_REG3",
--- /dev/null
+From c90722b54a4f5e21ac59301ed9a6dbaa439bdb16 Mon Sep 17 00:00:00 2001
+From: Richard Cochran <rcochran@linutronix.de>
+Date: Mon, 17 Apr 2017 10:23:36 +0200
+Subject: regulator: tps65023: Fix inverted core enable logic.
+
+From: Richard Cochran <rcochran@linutronix.de>
+
+commit c90722b54a4f5e21ac59301ed9a6dbaa439bdb16 upstream.
+
+Commit 43530b69d758328d3ffe6ab98fd640463e8e3667 ("regulator: Use
+regmap_read/write(), regmap_update_bits functions directly") intended
+to replace working inline helper functions with standard regmap
+calls. However, it also inverted the set/clear logic of the "CORE ADJ
+Allowed" bit. That patch was clearly never tested, since without that
+bit cleared, the core VDCDC1 voltage output does not react to I2C
+configuration changes.
+
+This patch fixes the issue by clearing the bit as in the original,
+correct implementation. Note for stable back porting that, due to
+subsequent driver churn, this patch will not apply on every kernel
+version.
+
+Fixes: 43530b69d758 ("regulator: Use regmap_read/write(), regmap_update_bits functions directly")
+Signed-off-by: Richard Cochran <rcochran@linutronix.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/tps65023-regulator.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/regulator/tps65023-regulator.c
++++ b/drivers/regulator/tps65023-regulator.c
+@@ -311,8 +311,7 @@ static int tps_65023_probe(struct i2c_cl
+
+ /* Enable setting output voltage by I2C */
+ regmap_update_bits(tps->regmap, TPS65023_REG_CON_CTRL2,
+- TPS65023_REG_CTRL2_CORE_ADJ,
+- TPS65023_REG_CTRL2_CORE_ADJ);
++ TPS65023_REG_CTRL2_CORE_ADJ, 0);
+
+ return 0;
+ }
--- /dev/null
+From 07a63cbe8bcb6ba72fb989dcab1ec55ec6c36c7e Mon Sep 17 00:00:00 2001
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Date: Tue, 2 May 2017 13:36:00 +0200
+Subject: s390/cputime: fix incorrect system time
+
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+
+commit 07a63cbe8bcb6ba72fb989dcab1ec55ec6c36c7e upstream.
+
+git commit c5328901aa1db134 "[S390] entry[64].S improvements" removed
+the update of the exit_timer lowcore field from the critical section
+cleanup of the .Lsysc_restore/.Lsysc_done and .Lio_restore/.Lio_done
+blocks. If the PSW is updated by the critical section cleanup to point to
+user space again, the interrupt entry code will do a vtime calculation
+after the cleanup completed with an exit_timer value which has *not* been
+updated. Due to this incorrect system time deltas are calculated.
+
+If an interrupt occured with an old PSW between .Lsysc_restore/.Lsysc_done
+or .Lio_restore/.Lio_done update __LC_EXIT_TIMER with the system entry
+time of the interrupt.
+
+Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/entry.S | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/arch/s390/kernel/entry.S
++++ b/arch/s390/kernel/entry.S
+@@ -314,6 +314,7 @@ ENTRY(system_call)
+ lg %r14,__LC_VDSO_PER_CPU
+ lmg %r0,%r10,__PT_R0(%r11)
+ mvc __LC_RETURN_PSW(16),__PT_PSW(%r11)
++.Lsysc_exit_timer:
+ stpt __LC_EXIT_TIMER
+ mvc __VDSO_ECTG_BASE(16,%r14),__LC_EXIT_TIMER
+ lmg %r11,%r15,__PT_R11(%r11)
+@@ -601,6 +602,7 @@ ENTRY(io_int_handler)
+ lg %r14,__LC_VDSO_PER_CPU
+ lmg %r0,%r10,__PT_R0(%r11)
+ mvc __LC_RETURN_PSW(16),__PT_PSW(%r11)
++.Lio_exit_timer:
+ stpt __LC_EXIT_TIMER
+ mvc __VDSO_ECTG_BASE(16,%r14),__LC_EXIT_TIMER
+ lmg %r11,%r15,__PT_R11(%r11)
+@@ -1124,15 +1126,23 @@ cleanup_critical:
+ br %r14
+
+ .Lcleanup_sysc_restore:
++ # check if stpt has been executed
+ clg %r9,BASED(.Lcleanup_sysc_restore_insn)
++ jh 0f
++ mvc __LC_EXIT_TIMER(8),__LC_ASYNC_ENTER_TIMER
++ cghi %r11,__LC_SAVE_AREA_ASYNC
+ je 0f
++ mvc __LC_EXIT_TIMER(8),__LC_MCCK_ENTER_TIMER
++0: clg %r9,BASED(.Lcleanup_sysc_restore_insn+8)
++ je 1f
+ lg %r9,24(%r11) # get saved pointer to pt_regs
+ mvc __LC_RETURN_PSW(16),__PT_PSW(%r9)
+ mvc 0(64,%r11),__PT_R8(%r9)
+ lmg %r0,%r7,__PT_R0(%r9)
+-0: lmg %r8,%r9,__LC_RETURN_PSW
++1: lmg %r8,%r9,__LC_RETURN_PSW
+ br %r14
+ .Lcleanup_sysc_restore_insn:
++ .quad .Lsysc_exit_timer
+ .quad .Lsysc_done - 4
+
+ .Lcleanup_io_tif:
+@@ -1140,15 +1150,20 @@ cleanup_critical:
+ br %r14
+
+ .Lcleanup_io_restore:
++ # check if stpt has been executed
+ clg %r9,BASED(.Lcleanup_io_restore_insn)
+- je 0f
++ jh 0f
++ mvc __LC_EXIT_TIMER(8),__LC_MCCK_ENTER_TIMER
++0: clg %r9,BASED(.Lcleanup_io_restore_insn+8)
++ je 1f
+ lg %r9,24(%r11) # get saved r11 pointer to pt_regs
+ mvc __LC_RETURN_PSW(16),__PT_PSW(%r9)
+ mvc 0(64,%r11),__PT_R8(%r9)
+ lmg %r0,%r7,__PT_R0(%r9)
+-0: lmg %r8,%r9,__LC_RETURN_PSW
++1: lmg %r8,%r9,__LC_RETURN_PSW
+ br %r14
+ .Lcleanup_io_restore_insn:
++ .quad .Lio_exit_timer
+ .quad .Lio_done - 4
+
+ .Lcleanup_idle:
--- /dev/null
+From dcc00b79fc3d076832f7240de8870f492629b171 Mon Sep 17 00:00:00 2001
+From: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Date: Thu, 23 Mar 2017 21:02:54 +0100
+Subject: s390/kdump: Add final note
+
+From: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+
+commit dcc00b79fc3d076832f7240de8870f492629b171 upstream.
+
+Since linux v3.14 with commit 38dfac843cb6d7be1 ("vmcore: prevent PT_NOTE
+p_memsz overflow during header update") on s390 we get the following
+message in the kdump kernel:
+
+ Warning: Exceeded p_memsz, dropping PT_NOTE entry n_namesz=0x6b6b6b6b,
+ n_descsz=0x6b6b6b6b
+
+The reason for this is that we don't create a final zero note in
+the ELF header which the proc/vmcore code uses to find out the end
+of the notes section (see also kernel/kexec_core.c:final_note()).
+
+It still worked on s390 by chance because we (most of the time?) have the
+byte pattern 0x6b6b6b6b after the notes section which also makes the notes
+parsing code stop in update_note_header_size_elf64() because 0x6b6b6b6b is
+interpreded as note size:
+
+ if ((real_sz + sz) > max_sz) {
+ pr_warn("Warning: Exceeded p_memsz, dropping P ...);
+ break;
+ }
+
+So fix this and add the missing final note to the ELF header.
+We don't have to adjust the memory size for ELF header ("alloc_size")
+because the new ELF note still fits into the 0x1000 base memory.
+
+Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/crash_dump.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/arch/s390/kernel/crash_dump.c
++++ b/arch/s390/kernel/crash_dump.c
+@@ -429,6 +429,20 @@ static void *nt_vmcoreinfo(void *ptr)
+ }
+
+ /*
++ * Initialize final note (needed for /proc/vmcore code)
++ */
++static void *nt_final(void *ptr)
++{
++ Elf64_Nhdr *note;
++
++ note = (Elf64_Nhdr *) ptr;
++ note->n_namesz = 0;
++ note->n_descsz = 0;
++ note->n_type = 0;
++ return PTR_ADD(ptr, sizeof(Elf64_Nhdr));
++}
++
++/*
+ * Initialize ELF header (new kernel)
+ */
+ static void *ehdr_init(Elf64_Ehdr *ehdr, int mem_chunk_cnt)
+@@ -515,6 +529,7 @@ static void *notes_init(Elf64_Phdr *phdr
+ if (sa->prefix != 0)
+ ptr = fill_cpu_elf_notes(ptr, cpu++, sa);
+ ptr = nt_vmcoreinfo(ptr);
++ ptr = nt_final(ptr);
+ memset(phdr, 0, sizeof(*phdr));
+ phdr->p_type = PT_NOTE;
+ phdr->p_offset = notes_offset;
rtlwifi-rtl8821ae-setup-8812ae-rfe-according-to-device-type.patch
mwifiex-mac-randomization-should-not-be-persistent.patch
mwifiex-pcie-fix-cmd_buf-use-after-free-in-remove-reset.patch
+ima-accept-previously-set-ima_new_file.patch
+kvm-x86-fix-load-damaged-ssex-mxcsr-register.patch
+kvm-x86-fix-potential-preemption-when-get-the-current-kvmclock-timestamp.patch
+kvm-x86-fix-read-out-of-bounds-vulnerability-in-kvm-pio-emulation.patch
+x86-fix-32-bit-case-of-__get_user_asm_u64.patch
+regulator-rk808-fix-rk818-ldo2.patch
+regulator-tps65023-fix-inverted-core-enable-logic.patch
+s390-kdump-add-final-note.patch
+s390-cputime-fix-incorrect-system-time.patch
+ath9k_htc-add-support-of-airties-1eda-2315-ar9271-device.patch
+ath9k_htc-fix-null-deref-at-probe.patch
--- /dev/null
+From 33c9e9729033387ef0521324c62e7eba529294af Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sun, 21 May 2017 18:26:54 -0700
+Subject: x86: fix 32-bit case of __get_user_asm_u64()
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 33c9e9729033387ef0521324c62e7eba529294af upstream.
+
+The code to fetch a 64-bit value from user space was entirely buggered,
+and has been since the code was merged in early 2016 in commit
+b2f680380ddf ("x86/mm/32: Add support for 64-bit __get_user() on 32-bit
+kernels").
+
+Happily the buggered routine is almost certainly entirely unused, since
+the normal way to access user space memory is just with the non-inlined
+"get_user()", and the inlined version didn't even historically exist.
+
+The normal "get_user()" case is handled by external hand-written asm in
+arch/x86/lib/getuser.S that doesn't have either of these issues.
+
+There were two independent bugs in __get_user_asm_u64():
+
+ - it still did the STAC/CLAC user space access marking, even though
+ that is now done by the wrapper macros, see commit 11f1a4b9755f
+ ("x86: reorganize SMAP handling in user space accesses").
+
+ This didn't result in a semantic error, it just means that the
+ inlined optimized version was hugely less efficient than the
+ allegedly slower standard version, since the CLAC/STAC overhead is
+ quite high on modern Intel CPU's.
+
+ - the double register %eax/%edx was marked as an output, but the %eax
+ part of it was touched early in the asm, and could thus clobber other
+ inputs to the asm that gcc didn't expect it to touch.
+
+ In particular, that meant that the generated code could look like
+ this:
+
+ mov (%eax),%eax
+ mov 0x4(%eax),%edx
+
+ where the load of %edx obviously was _supposed_ to be from the 32-bit
+ word that followed the source of %eax, but because %eax was
+ overwritten by the first instruction, the source of %edx was
+ basically random garbage.
+
+The fixes are trivial: remove the extraneous STAC/CLAC entries, and mark
+the 64-bit output as early-clobber to let gcc know that no inputs should
+alias with the output register.
+
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Benjamin LaHaise <bcrl@kvack.org>
+Cc: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/uaccess.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/uaccess.h
++++ b/arch/x86/include/asm/uaccess.h
+@@ -324,10 +324,10 @@ do { \
+ #define __get_user_asm_u64(x, ptr, retval, errret) \
+ ({ \
+ __typeof__(ptr) __ptr = (ptr); \
+- asm volatile(ASM_STAC "\n" \
++ asm volatile("\n" \
+ "1: movl %2,%%eax\n" \
+ "2: movl %3,%%edx\n" \
+- "3: " ASM_CLAC "\n" \
++ "3:\n" \
+ ".section .fixup,\"ax\"\n" \
+ "4: mov %4,%0\n" \
+ " xorl %%eax,%%eax\n" \
+@@ -336,7 +336,7 @@ do { \
+ ".previous\n" \
+ _ASM_EXTABLE(1b, 4b) \
+ _ASM_EXTABLE(2b, 4b) \
+- : "=r" (retval), "=A"(x) \
++ : "=r" (retval), "=&A"(x) \
+ : "m" (__m(__ptr)), "m" __m(((u32 *)(__ptr)) + 1), \
+ "i" (errret), "0" (retval)); \
+ })
projects / thirdparty / kernel / stable-queue.git / commitdiff
