--- /dev/null
+From c667186f1c01ca8970c785888868b7ffd74e51ee Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 27 Apr 2017 19:06:48 +0100
+Subject: arm64: KVM: Fix decoding of Rt/Rt2 when trapping AArch32 CP accesses
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit c667186f1c01ca8970c785888868b7ffd74e51ee upstream.
+
+Our 32bit CP14/15 handling inherited some of the ARMv7 code for handling
+the trapped system registers, completely missing the fact that the
+fields for Rt and Rt2 are now 5 bit wide, and not 4...
+
+Let's fix it, and provide an accessor for the most common Rt case.
+
+Reviewed-by: Christoffer Dall <cdall@linaro.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <cdall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/kvm_emulate.h | 6 ++++++
+ arch/arm64/kvm/sys_regs.c | 8 ++++----
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_emulate.h
++++ b/arch/arm64/include/asm/kvm_emulate.h
+@@ -217,6 +217,12 @@ static inline u8 kvm_vcpu_trap_get_fault
+ return kvm_vcpu_get_hsr(vcpu) & ESR_ELx_FSC_TYPE;
+ }
+
++static inline int kvm_vcpu_sys_get_rt(struct kvm_vcpu *vcpu)
++{
++ u32 esr = kvm_vcpu_get_hsr(vcpu);
++ return (esr & ESR_ELx_SYS64_ISS_RT_MASK) >> ESR_ELx_SYS64_ISS_RT_SHIFT;
++}
++
+ static inline unsigned long kvm_vcpu_get_mpidr_aff(struct kvm_vcpu *vcpu)
+ {
+ return vcpu_sys_reg(vcpu, MPIDR_EL1) & MPIDR_HWID_BITMASK;
+--- a/arch/arm64/kvm/sys_regs.c
++++ b/arch/arm64/kvm/sys_regs.c
+@@ -1054,8 +1054,8 @@ static int kvm_handle_cp_64(struct kvm_v
+ {
+ struct sys_reg_params params;
+ u32 hsr = kvm_vcpu_get_hsr(vcpu);
+- int Rt = (hsr >> 5) & 0xf;
+- int Rt2 = (hsr >> 10) & 0xf;
++ int Rt = kvm_vcpu_sys_get_rt(vcpu);
++ int Rt2 = (hsr >> 10) & 0x1f;
+
+ params.is_aarch32 = true;
+ params.is_32bit = false;
+@@ -1106,7 +1106,7 @@ static int kvm_handle_cp_32(struct kvm_v
+ {
+ struct sys_reg_params params;
+ u32 hsr = kvm_vcpu_get_hsr(vcpu);
+- int Rt = (hsr >> 5) & 0xf;
++ int Rt = kvm_vcpu_sys_get_rt(vcpu);
+
+ params.is_aarch32 = true;
+ params.is_32bit = true;
+@@ -1221,7 +1221,7 @@ int kvm_handle_sys_reg(struct kvm_vcpu *
+ {
+ struct sys_reg_params params;
+ unsigned long esr = kvm_vcpu_get_hsr(vcpu);
+- int Rt = (esr >> 5) & 0x1f;
++ int Rt = kvm_vcpu_sys_get_rt(vcpu);
+ int ret;
+
+ trace_kvm_handle_sys_reg(esr);
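Review bot: `int Rt2 = (hsr >> 10) & 0x1f;` in kvm_handle_cp_64 still decodes its field with a bare shift and mask, directly beside the Rt decode that now goes through the new accessor, so the 5-bit width this commit corrects survives only as a magic `0x1f`. Either add a sibling accessor for Rt2 or record the layout on the line, e.g. `/* Rt2 is the 5-bit field at ISS[14:10]; Rt is decoded by kvm_vcpu_sys_get_rt() */`. The new `kvm_vcpu_sys_get_rt()` in kvm_emulate.h also deserves a one-line comment saying it extracts the ISS Rt field and is shared by the AArch64 sysreg and AArch32 CP14/CP15 trap handlers, which is how the three hunks in sys_regs.c use it. The bodies of kvm_handle_cp_64, kvm_handle_cp_32 and kvm_handle_sys_reg continue outside their hunks, so how the now-wider Rt/Rt2 values are consumed is not visible here.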
--- /dev/null
+From 2859323e35ab5fc42f351fbda23ab544eaa85945 Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Sat, 22 Apr 2017 17:22:09 -0400
+Subject: block: fix blk_integrity_register to use template's interval_exp if not 0
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit 2859323e35ab5fc42f351fbda23ab544eaa85945 upstream.
+
+When registering an integrity profile: if the template's interval_exp is
+not 0 use it, otherwise use the ilog2() of logical block size of the
+provided gendisk.
+
+This fixes a long-standing DM linear target bug where it cannot pass
+integrity data to the underlying device if its logical block size
+conflicts with the underlying device's logical block size.
+
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-integrity.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/block/blk-integrity.c
++++ b/block/blk-integrity.c
+@@ -412,7 +412,8 @@ void blk_integrity_register(struct gendi
+
+ bi->flags = BLK_INTEGRITY_VERIFY | BLK_INTEGRITY_GENERATE |
+ template->flags;
+- bi->interval_exp = ilog2(queue_logical_block_size(disk->queue));
++ bi->interval_exp = template->interval_exp ? :
++ ilog2(queue_logical_block_size(disk->queue));
+ bi->profile = template->profile ? template->profile : &nop_profile;
+ bi->tuple_size = template->tuple_size;
+ bi->tag_size = template->tag_size;
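Review bot: The new fallback `bi->interval_exp = template->interval_exp ? : ilog2(...)` is the only place a caller-supplied value overrides the disk's logical block size, and nothing on the line says why a template would carry one; the commit message has the reason. Suggest `/* A template may fix its own interval (a stacked device such as DM linear whose logical block size differs from the underlying one); otherwise derive it from the disk. */` above the assignment. blk_integrity_register's body begins and ends outside the hunk, so whether interval_exp is range-checked before use is not visible here.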
--- /dev/null
+From 2a2a251f110576b1d89efbd0662677d7e7db21a8 Mon Sep 17 00:00:00 2001
+From: Stephan Mueller <smueller@chronox.de>
+Date: Mon, 24 Apr 2017 11:15:23 +0200
+Subject: crypto: algif_aead - Require setkey before accept(2)
+
+From: Stephan Mueller <smueller@chronox.de>
+
+commit 2a2a251f110576b1d89efbd0662677d7e7db21a8 upstream.
+
+Some cipher implementations will crash if you try to use them
+without calling setkey first. This patch adds a check so that
+the accept(2) call will fail with -ENOKEY if setkey hasn't been
+done on the socket yet.
+
+Fixes: 400c40cf78da ("crypto: algif - add AEAD support")
+Signed-off-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/algif_aead.c | 157 +++++++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 149 insertions(+), 8 deletions(-)
+
+--- a/crypto/algif_aead.c
++++ b/crypto/algif_aead.c
+@@ -29,6 +29,11 @@ struct aead_sg_list {
+ struct scatterlist sg[ALG_MAX_PAGES];
+ };
+
++struct aead_tfm {
++ struct crypto_aead *aead;
++ bool has_key;
++};
++
+ struct aead_ctx {
+ struct aead_sg_list tsgl;
+ /*
+@@ -513,24 +518,146 @@ static struct proto_ops algif_aead_ops =
+ .poll = aead_poll,
+ };
+
++static int aead_check_key(struct socket *sock)
++{
++ int err = 0;
++ struct sock *psk;
++ struct alg_sock *pask;
++ struct aead_tfm *tfm;
++ struct sock *sk = sock->sk;
++ struct alg_sock *ask = alg_sk(sk);
++
++ lock_sock(sk);
++ if (ask->refcnt)
++ goto unlock_child;
++
++ psk = ask->parent;
++ pask = alg_sk(ask->parent);
++ tfm = pask->private;
++
++ err = -ENOKEY;
++ lock_sock_nested(psk, SINGLE_DEPTH_NESTING);
++ if (!tfm->has_key)
++ goto unlock;
++
++ if (!pask->refcnt++)
++ sock_hold(psk);
++
++ ask->refcnt = 1;
++ sock_put(psk);
++
++ err = 0;
++
++unlock:
++ release_sock(psk);
++unlock_child:
++ release_sock(sk);
++
++ return err;
++}
++
++static int aead_sendmsg_nokey(struct socket *sock, struct msghdr *msg,
++ size_t size)
++{
++ int err;
++
++ err = aead_check_key(sock);
++ if (err)
++ return err;
++
++ return aead_sendmsg(sock, msg, size);
++}
++
++static ssize_t aead_sendpage_nokey(struct socket *sock, struct page *page,
++ int offset, size_t size, int flags)
++{
++ int err;
++
++ err = aead_check_key(sock);
++ if (err)
++ return err;
++
++ return aead_sendpage(sock, page, offset, size, flags);
++}
++
++static int aead_recvmsg_nokey(struct socket *sock, struct msghdr *msg,
++ size_t ignored, int flags)
++{
++ int err;
++
++ err = aead_check_key(sock);
++ if (err)
++ return err;
++
++ return aead_recvmsg(sock, msg, ignored, flags);
++}
++
++static struct proto_ops algif_aead_ops_nokey = {
++ .family = PF_ALG,
++
++ .connect = sock_no_connect,
++ .socketpair = sock_no_socketpair,
++ .getname = sock_no_getname,
++ .ioctl = sock_no_ioctl,
++ .listen = sock_no_listen,
++ .shutdown = sock_no_shutdown,
++ .getsockopt = sock_no_getsockopt,
++ .mmap = sock_no_mmap,
++ .bind = sock_no_bind,
++ .accept = sock_no_accept,
++ .setsockopt = sock_no_setsockopt,
++
++ .release = af_alg_release,
++ .sendmsg = aead_sendmsg_nokey,
++ .sendpage = aead_sendpage_nokey,
++ .recvmsg = aead_recvmsg_nokey,
++ .poll = aead_poll,
++};
++
+ static void *aead_bind(const char *name, u32 type, u32 mask)
+ {
+- return crypto_alloc_aead(name, type, mask);
++ struct aead_tfm *tfm;
++ struct crypto_aead *aead;
++
++ tfm = kzalloc(sizeof(*tfm), GFP_KERNEL);
++ if (!tfm)
++ return ERR_PTR(-ENOMEM);
++
++ aead = crypto_alloc_aead(name, type, mask);
++ if (IS_ERR(aead)) {
++ kfree(tfm);
++ return ERR_CAST(aead);
++ }
++
++ tfm->aead = aead;
++
++ return tfm;
+ }
+
+ static void aead_release(void *private)
+ {
+- crypto_free_aead(private);
++ struct aead_tfm *tfm = private;
++
++ crypto_free_aead(tfm->aead);
++ kfree(tfm);
+ }
+
+ static int aead_setauthsize(void *private, unsigned int authsize)
+ {
+- return crypto_aead_setauthsize(private, authsize);
++ struct aead_tfm *tfm = private;
++
++ return crypto_aead_setauthsize(tfm->aead, authsize);
+ }
+
+ static int aead_setkey(void *private, const u8 *key, unsigned int keylen)
+ {
+- return crypto_aead_setkey(private, key, keylen);
++ struct aead_tfm *tfm = private;
++ int err;
++
++ err = crypto_aead_setkey(tfm->aead, key, keylen);
++ tfm->has_key = !err;
++
++ return err;
+ }
+
+ static void aead_sock_destruct(struct sock *sk)
+@@ -546,12 +673,14 @@ static void aead_sock_destruct(struct so
+ af_alg_release_parent(sk);
+ }
+
+-static int aead_accept_parent(void *private, struct sock *sk)
++static int aead_accept_parent_nokey(void *private, struct sock *sk)
+ {
+ struct aead_ctx *ctx;
+ struct alg_sock *ask = alg_sk(sk);
+- unsigned int len = sizeof(*ctx) + crypto_aead_reqsize(private);
+- unsigned int ivlen = crypto_aead_ivsize(private);
++ struct aead_tfm *tfm = private;
++ struct crypto_aead *aead = tfm->aead;
++ unsigned int len = sizeof(*ctx) + crypto_aead_reqsize(aead);
++ unsigned int ivlen = crypto_aead_ivsize(aead);
+
+ ctx = sock_kmalloc(sk, len, GFP_KERNEL);
+ if (!ctx)
+@@ -577,7 +706,7 @@ static int aead_accept_parent(void *priv
+
+ ask->private = ctx;
+
+- aead_request_set_tfm(&ctx->aead_req, private);
++ aead_request_set_tfm(&ctx->aead_req, aead);
+ aead_request_set_callback(&ctx->aead_req, CRYPTO_TFM_REQ_MAY_BACKLOG,
+ af_alg_complete, &ctx->completion);
+
+@@ -586,13 +715,25 @@ static int aead_accept_parent(void *priv
+ return 0;
+ }
+
++static int aead_accept_parent(void *private, struct sock *sk)
++{
++ struct aead_tfm *tfm = private;
++
++ if (!tfm->has_key)
++ return -ENOKEY;
++
++ return aead_accept_parent_nokey(private, sk);
++}
++
+ static const struct af_alg_type algif_type_aead = {
+ .bind = aead_bind,
+ .release = aead_release,
+ .setkey = aead_setkey,
+ .setauthsize = aead_setauthsize,
+ .accept = aead_accept_parent,
++ .accept_nokey = aead_accept_parent_nokey,
+ .ops = &algif_aead_ops,
++ .ops_nokey = &algif_aead_ops_nokey,
+ .name = "aead",
+ .owner = THIS_MODULE
+ };
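Review bot: `has_key` in the new `struct aead_tfm` and the reference handover in `aead_check_key()` carry no comment although they are the whole mechanism of the fix: `has_key` is written in aead_setkey() as `!err`, read in aead_check_key() only after `lock_sock_nested(psk, SINGLE_DEPTH_NESTING)`, and the child takes a reference on the parent (`pask->refcnt++`, `sock_hold(psk)`) the first time the key is confirmed so later calls short-circuit on `ask->refcnt`. Suggest `bool has_key; /* set once crypto_aead_setkey() succeeded; read under the parent socket lock */` on the struct and a header comment on aead_check_key() stating that it promotes a key-less child socket to the full path exactly once and otherwise returns -ENOKEY. The pair `aead_accept_parent()` (refuses with -ENOKEY) and `aead_accept_parent_nokey()` (wired to `.accept_nokey`) also needs a one-line comment, because the `_nokey` suffix reads as "rejects without a key" when it actually names the path that is permitted without one.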
--- /dev/null
+From 117aceb030307dcd431fdcff87ce988d3016c34a Mon Sep 17 00:00:00 2001
+From: Somasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com>
+Date: Fri, 7 Apr 2017 12:14:55 -0700
+Subject: dm era: save spacemap metadata root after the pre-commit
+
+From: Somasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com>
+
+commit 117aceb030307dcd431fdcff87ce988d3016c34a upstream.
+
+When committing era metadata to disk, it doesn't always save the latest
+spacemap metadata root in superblock. Due to this, metadata is getting
+corrupted sometimes when reopening the device. The correct order of update
+should be, pre-commit (shadows spacemap root), save the spacemap root
+(newly shadowed block) to in-core superblock and then the final commit.
+
+Signed-off-by: Somasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-era-target.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/dm-era-target.c
++++ b/drivers/md/dm-era-target.c
+@@ -961,15 +961,15 @@ static int metadata_commit(struct era_me
+ }
+ }
+
+- r = save_sm_root(md);
++ r = dm_tm_pre_commit(md->tm);
+ if (r) {
+- DMERR("%s: save_sm_root failed", __func__);
++ DMERR("%s: pre commit failed", __func__);
+ return r;
+ }
+
+- r = dm_tm_pre_commit(md->tm);
++ r = save_sm_root(md);
+ if (r) {
+- DMERR("%s: pre commit failed", __func__);
++ DMERR("%s: save_sm_root failed", __func__);
+ return r;
+ }
+
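Review bot: The swapped order of `dm_tm_pre_commit()` and `save_sm_root()` is exactly the kind of ordering a later cleanup could swap back, and nothing in the code records the constraint; the commit message does. Suggest above the pre-commit call: `/* pre_commit shadows the space-map root, so it must be saved into the superblock only afterwards */`. metadata_commit() begins before and ends after the hunk, so the final commit call the message refers to is not visible here.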
--- /dev/null
+From 6c7a5dce22b3f3cc44be098e2837fa6797edb8b8 Mon Sep 17 00:00:00 2001
+From: Andrew Jones <drjones@redhat.com>
+Date: Tue, 18 Apr 2017 17:59:58 +0200
+Subject: KVM: arm/arm64: fix races in kvm_psci_vcpu_on
+
+From: Andrew Jones <drjones@redhat.com>
+
+commit 6c7a5dce22b3f3cc44be098e2837fa6797edb8b8 upstream.
+
+Fix potential races in kvm_psci_vcpu_on() by taking the kvm->lock
+mutex. In general, it's a bad idea to allow more than one PSCI_CPU_ON
+to process the same target VCPU at the same time. One such problem
+that may arise is that one PSCI_CPU_ON could be resetting the target
+vcpu, which fills the entire sys_regs array with a temporary value
+including the MPIDR register, while another looks up the VCPU based
+on the MPIDR value, resulting in no target VCPU found. Resolves both
+races found with the kvm-unit-tests/arm/psci unit test.
+
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Reviewed-by: Christoffer Dall <cdall@linaro.org>
+Reported-by: Levente Kurusa <lkurusa@redhat.com>
+Suggested-by: Christoffer Dall <cdall@linaro.org>
+Signed-off-by: Andrew Jones <drjones@redhat.com>
+Signed-off-by: Christoffer Dall <cdall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kvm/psci.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/kvm/psci.c
++++ b/arch/arm/kvm/psci.c
+@@ -208,9 +208,10 @@ int kvm_psci_version(struct kvm_vcpu *vc
+
+ static int kvm_psci_0_2_call(struct kvm_vcpu *vcpu)
+ {
+- int ret = 1;
++ struct kvm *kvm = vcpu->kvm;
+ unsigned long psci_fn = vcpu_get_reg(vcpu, 0) & ~((u32) 0);
+ unsigned long val;
++ int ret = 1;
+
+ switch (psci_fn) {
+ case PSCI_0_2_FN_PSCI_VERSION:
+@@ -230,7 +231,9 @@ static int kvm_psci_0_2_call(struct kvm_
+ break;
+ case PSCI_0_2_FN_CPU_ON:
+ case PSCI_0_2_FN64_CPU_ON:
++ mutex_lock(&kvm->lock);
+ val = kvm_psci_vcpu_on(vcpu);
++ mutex_unlock(&kvm->lock);
+ break;
+ case PSCI_0_2_FN_AFFINITY_INFO:
+ case PSCI_0_2_FN64_AFFINITY_INFO:
+@@ -279,6 +282,7 @@ static int kvm_psci_0_2_call(struct kvm_
+
+ static int kvm_psci_0_1_call(struct kvm_vcpu *vcpu)
+ {
++ struct kvm *kvm = vcpu->kvm;
+ unsigned long psci_fn = vcpu_get_reg(vcpu, 0) & ~((u32) 0);
+ unsigned long val;
+
+@@ -288,7 +292,9 @@ static int kvm_psci_0_1_call(struct kvm_
+ val = PSCI_RET_SUCCESS;
+ break;
+ case KVM_PSCI_FN_CPU_ON:
++ mutex_lock(&kvm->lock);
+ val = kvm_psci_vcpu_on(vcpu);
++ mutex_unlock(&kvm->lock);
+ break;
+ default:
+ val = PSCI_RET_NOT_SUPPORTED;
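Review bot: The `kvm->lock` critical section is established at two call sites (the hunks at `@@ -230,7` and `@@ -288,7`) but the callee `kvm_psci_vcpu_on()`, which lies outside these hunks, carries no record that it now expects the lock, so a third caller could silently reopen the race. Adding `lockdep_assert_held(&kvm->lock);` at the top of kvm_psci_vcpu_on() makes the contract checkable; failing that, a comment at each lock site such as `/* serialise PSCI_CPU_ON requests for the same target vcpu; see kvm_psci_vcpu_on() */` at least documents it. Whether the surrounding exit path is already sleepable, as a mutex requires, is not visible in these hunks.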
--- /dev/null
+From 28bf28887976d8881a3a59491896c718fade7355 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Thu, 23 Mar 2017 11:46:03 +0100
+Subject: KVM: x86: fix user triggerable warning in kvm_apic_accept_events()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Hildenbrand <david@redhat.com>
+
+commit 28bf28887976d8881a3a59491896c718fade7355 upstream.
+
+If we already entered/are about to enter SMM, don't allow switching to
+INIT/SIPI_RECEIVED, otherwise the next call to kvm_apic_accept_events()
+will report a warning.
+
+Same applies if we are already in MP state INIT_RECEIVED and SMM is
+requested to be turned on. Refuse to set the VCPU events in this case.
+
+Fixes: cd7764fe9f73 ("KVM: x86: latch INITs while in system management mode")
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2960,6 +2960,12 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_e
+ | KVM_VCPUEVENT_VALID_SMM))
+ return -EINVAL;
+
++ /* INITs are latched while in SMM */
++ if (events->flags & KVM_VCPUEVENT_VALID_SMM &&
++ (events->smi.smm || events->smi.pending) &&
++ vcpu->arch.mp_state == KVM_MP_STATE_INIT_RECEIVED)
++ return -EINVAL;
++
+ process_nmi(vcpu);
+ vcpu->arch.exception.pending = events->exception.injected;
+ vcpu->arch.exception.nr = events->exception.nr;
+@@ -6993,6 +6999,12 @@ int kvm_arch_vcpu_ioctl_set_mpstate(stru
+ mp_state->mp_state != KVM_MP_STATE_RUNNABLE)
+ return -EINVAL;
+
++ /* INITs are latched while in SMM */
++ if ((is_smm(vcpu) || vcpu->arch.smi_pending) &&
++ (mp_state->mp_state == KVM_MP_STATE_SIPI_RECEIVED ||
++ mp_state->mp_state == KVM_MP_STATE_INIT_RECEIVED))
++ return -EINVAL;
++
+ if (mp_state->mp_state == KVM_MP_STATE_SIPI_RECEIVED) {
+ vcpu->arch.mp_state = KVM_MP_STATE_INIT_RECEIVED;
+ set_bit(KVM_APIC_SIPI, &vcpu->arch.apic->pending_events);
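Review bot: Both new guards carry the same terse `/* INITs are latched while in SMM */`, which states what the hardware does but not why userspace now gets -EINVAL; the commit message says it is to avoid a later warning in kvm_apic_accept_events(). Suggest `/* INITs are latched while in SMM: refuse INIT/SIPI_RECEIVED together with SMM active or an SMI pending, which kvm_apic_accept_events() would otherwise warn about. */` at the first site and a short cross-reference at the second. The two checks deliberately look at different inputs, the incoming `events->smi.*` against the live `mp_state` in one and the incoming `mp_state` against the live `is_smm()`/`smi_pending` in the other, and a sentence saying they are complementary halves of the same invariant would spare the next reader from wondering whether one is missing a case.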
--- /dev/null
+From 65973dd3fd31151823f4b8c289eebbb3fb7e6bc0 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Wed, 22 Mar 2017 14:32:29 -0700
+Subject: selftests/x86/ldt_gdt_32: Work around a glibc sigaction() bug
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 65973dd3fd31151823f4b8c289eebbb3fb7e6bc0 upstream.
+
+i386 glibc is buggy and calls the sigaction syscall incorrectly.
+
+This is asymptomatic for normal programs, but it blows up on
+programs that do evil things with segmentation. The ldt_gdt
+self-test is an example of such an evil program.
+
+This doesn't appear to be a regression -- I think I just got lucky
+with the uninitialized memory that glibc threw at the kernel when I
+wrote the test.
+
+This hackish fix manually issues sigaction(2) syscalls to undo the
+damage. Without the fix, ldt_gdt_32 segfaults; with the fix, it
+passes for me.
+
+See: https://sourceware.org/bugzilla/show_bug.cgi?id=21269
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Garnier <thgarnie@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/aaab0f9f93c9af25396f01232608c163a760a668.1490218061.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/testing/selftests/x86/ldt_gdt.c | 46 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+--- a/tools/testing/selftests/x86/ldt_gdt.c
++++ b/tools/testing/selftests/x86/ldt_gdt.c
+@@ -394,6 +394,51 @@ static void *threadproc(void *ctx)
+ }
+ }
+
++#ifdef __i386__
++
++#ifndef SA_RESTORE
++#define SA_RESTORER 0x04000000
++#endif
++
++/*
++ * The UAPI header calls this 'struct sigaction', which conflicts with
++ * glibc. Sigh.
++ */
++struct fake_ksigaction {
++ void *handler; /* the real type is nasty */
++ unsigned long sa_flags;
++ void (*sa_restorer)(void);
++ unsigned char sigset[8];
++};
++
++static void fix_sa_restorer(int sig)
++{
++ struct fake_ksigaction ksa;
++
++ if (syscall(SYS_rt_sigaction, sig, NULL, &ksa, 8) == 0) {
++ /*
++ * glibc has a nasty bug: it sometimes writes garbage to
++ * sa_restorer. This interacts quite badly with anything
++ * that fiddles with SS because it can trigger legacy
++ * stack switching. Patch it up. See:
++ *
++ * https://sourceware.org/bugzilla/show_bug.cgi?id=21269
++ */
++ if (!(ksa.sa_flags & SA_RESTORER) && ksa.sa_restorer) {
++ ksa.sa_restorer = NULL;
++ if (syscall(SYS_rt_sigaction, sig, &ksa, NULL,
++ sizeof(ksa.sigset)) != 0)
++ err(1, "rt_sigaction");
++ }
++ }
++}
++#else
++static void fix_sa_restorer(int sig)
++{
++ /* 64-bit glibc works fine. */
++}
++#endif
++
+ static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *),
+ int flags)
+ {
+@@ -405,6 +450,7 @@ static void sethandler(int sig, void (*h
+ if (sigaction(sig, &sa, 0))
+ err(1, "sigaction");
+
++ fix_sa_restorer(sig);
+ }
+
+ static jmp_buf jmpbuf;
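Review bot: `#ifndef SA_RESTORE` guards `#define SA_RESTORER 0x04000000`, so the guard never tests the macro it protects: if the toolchain headers already define SA_RESTORER this redefines it, and if they do not the guard is dead. Change it to `#ifndef SA_RESTORER`. The two raw syscalls also disagree on the sigset-size argument, a literal `8` in `syscall(SYS_rt_sigaction, sig, NULL, &ksa, 8)` versus `sizeof(ksa.sigset)` in the write-back; use `sizeof(ksa.sigset)` in both so the struct layout has one source of truth. The x86-64 stub leaves `sig` unused, so `(void)sig;` in its body keeps -Wunused-parameter quiet if the selftests build with it.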
usb-hub-fix-error-loop-seen-after-hub-communication-errors.patch
usb-hub-do-not-attempt-to-autosuspend-disconnected-devices.patch
usb-misc-legousbtower-fix-buffers-on-stack.patch
+x86-boot-fix-bss-corruption-overwrite-bug-in-early-x86-kernel-startup.patch
+selftests-x86-ldt_gdt_32-work-around-a-glibc-sigaction-bug.patch
+x86-pmem-fix-cache-flushing-for-iovec-write-8-bytes.patch
+um-fix-ptrace_pokeuser-on-x86_64.patch
+kvm-x86-fix-user-triggerable-warning-in-kvm_apic_accept_events.patch
+kvm-arm-arm64-fix-races-in-kvm_psci_vcpu_on.patch
+arm64-kvm-fix-decoding-of-rt-rt2-when-trapping-aarch32-cp-accesses.patch
+block-fix-blk_integrity_register-to-use-template-s-interval_exp-if-not-0.patch
+crypto-algif_aead-require-setkey-before-accept-2.patch
+dm-era-save-spacemap-metadata-root-after-the-pre-commit.patch
--- /dev/null
+From 9abc74a22d85ab29cef9896a2582a530da7e79bf Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Sat, 1 Apr 2017 00:41:57 +0200
+Subject: um: Fix PTRACE_POKEUSER on x86_64
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 9abc74a22d85ab29cef9896a2582a530da7e79bf upstream.
+
+This is broken since ever but sadly nobody noticed.
+Recent versions of GDB set DR_CONTROL unconditionally and
+UML dies due to a heap corruption. It turns out that
+the PTRACE_POKEUSER was copy&pasted from i386 and assumes
+that addresses are 4 bytes long.
+
+Fix that by using 8 as address size in the calculation.
+
+Reported-by: jie cao <cj3054@gmail.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/um/ptrace_64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/um/ptrace_64.c
++++ b/arch/x86/um/ptrace_64.c
+@@ -121,7 +121,7 @@ int poke_user(struct task_struct *child,
+ else if ((addr >= offsetof(struct user, u_debugreg[0])) &&
+ (addr <= offsetof(struct user, u_debugreg[7]))) {
+ addr -= offsetof(struct user, u_debugreg[0]);
+- addr = addr >> 2;
++ addr = addr >> 3;
+ if ((addr == 4) || (addr == 5))
+ return -EIO;
+ child->thread.arch.debugregs[addr] = data;
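Review bot: `addr = addr >> 3;` replaces one hard-coded word size with another; the commit message says the i386 copy got the size wrong, and the corrected line still encodes the right one as a literal. `addr /= sizeof(child->thread.arch.debugregs[0]);` ties the divisor to the array indexed two lines later and cannot drift on a future port. Whether an offset that is not a multiple of 8 is rejected before this point depends on the alignment check at the top of poke_user(), which is outside the hunk; if that check still uses the i386 mask, an unaligned offset inside the u_debugreg range would now be silently rounded down rather than refused.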
--- /dev/null
+From d594aa0277e541bb997aef0bc0a55172d8138340 Mon Sep 17 00:00:00 2001
+From: Ashish Kalra <ashish@bluestacks.com>
+Date: Wed, 19 Apr 2017 20:50:15 +0530
+Subject: x86/boot: Fix BSS corruption/overwrite bug in early x86 kernel startup
+
+From: Ashish Kalra <ashish@bluestacks.com>
+
+commit d594aa0277e541bb997aef0bc0a55172d8138340 upstream.
+
+The minimum size for a new stack (512 bytes) setup for arch/x86/boot components
+when the bootloader does not setup/provide a stack for the early boot components
+is not "enough".
+
+The setup code executing as part of early kernel startup code, uses the stack
+beyond 512 bytes and accidentally overwrites and corrupts part of the BSS
+section. This is exposed mostly in the early video setup code, where
+it was corrupting BSS variables like force_x, force_y, which in-turn affected
+kernel parameters such as screen_info (screen_info.orig_video_cols) and
+later caused an exception/panic in console_init().
+
+Most recent boot loaders setup the stack for early boot components, so this
+stack overwriting into BSS section issue has not been exposed.
+
+Signed-off-by: Ashish Kalra <ashish@bluestacks.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20170419152015.10011-1-ashishkalra@Ashishs-MacBook-Pro.local
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/boot/boot.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/boot/boot.h
++++ b/arch/x86/boot/boot.h
+@@ -16,7 +16,7 @@
+ #ifndef BOOT_BOOT_H
+ #define BOOT_BOOT_H
+
+-#define STACK_SIZE 512 /* Minimum number of bytes for stack */
++#define STACK_SIZE 1024 /* Minimum number of bytes for stack */
+
+ #ifndef __ASSEMBLY__
+
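Review bot: The comment on `#define STACK_SIZE 1024` still reads `/* Minimum number of bytes for stack */`, so once the patch is applied the reason the minimum doubled is gone from the source. Suggest `/* Minimum number of bytes for stack; 512 was overrun by the early video setup code and corrupted BSS */`. Whether the chosen size is checked against actual usage anywhere is not visible in this hunk.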
--- /dev/null
+From 8376efd31d3d7c44bd05be337adde023cc531fa1 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Tue, 9 May 2017 18:00:43 +0100
+Subject: x86, pmem: Fix cache flushing for iovec write < 8 bytes
+
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+
+commit 8376efd31d3d7c44bd05be337adde023cc531fa1 upstream.
+
+Commit 11e63f6d920d added cache flushing for unaligned writes from an
+iovec, covering the first and last cache line of a >= 8 byte write and
+the first cache line of a < 8 byte write. But an unaligned write of
+2-7 bytes can still cover two cache lines, so make sure we flush both
+in that case.
+
+Fixes: 11e63f6d920d ("x86, pmem: fix broken __copy_user_nocache ...")
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/pmem.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/pmem.h
++++ b/arch/x86/include/asm/pmem.h
+@@ -122,7 +122,7 @@ static inline size_t arch_copy_from_iter
+
+ if (bytes < 8) {
+ if (!IS_ALIGNED(dest, 4) || (bytes != 4))
+- __arch_wb_cache_pmem(addr, 1);
++ __arch_wb_cache_pmem(addr, bytes);
+ } else {
+ if (!IS_ALIGNED(dest, 8)) {
+ dest = ALIGN(dest, boot_cpu_data.x86_clflush_size);
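Review bot: The flush in the `bytes < 8` branch now covers `bytes` rather than a single byte, but the condition it sits under, `!IS_ALIGNED(dest, 4) || (bytes != 4)`, still has no comment, and the hunk does not say why an aligned 4-byte write is exempt. Suggest `/* an unaligned 2-7 byte write can straddle a cache line, so flush the whole range */` on the call, and a sentence on the exemption once confirmed against the copy routine. arch_copy_from_iter_pmem continues on both sides of the hunk.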