4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 22 May 2017 16:40:09 +0000 (18:40 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 22 May 2017 16:40:09 +0000 (18:40 +0200)
added patches:
ath9k_htc-add-support-of-airties-1eda-2315-ar9271-device.patch
ath9k_htc-fix-null-deref-at-probe.patch
ima-accept-previously-set-ima_new_file.patch
kvm-x86-fix-load-damaged-ssex-mxcsr-register.patch
kvm-x86-fix-read-out-of-bounds-vulnerability-in-kvm-pio-emulation.patch
regulator-tps65023-fix-inverted-core-enable-logic.patch
s390-cputime-fix-incorrect-system-time.patch
s390-kdump-add-final-note.patch

queue-4.4/ath9k_htc-add-support-of-airties-1eda-2315-ar9271-device.patch [new file with mode: 0644]
queue-4.4/ath9k_htc-fix-null-deref-at-probe.patch [new file with mode: 0644]
queue-4.4/ima-accept-previously-set-ima_new_file.patch [new file with mode: 0644]
queue-4.4/kvm-x86-fix-load-damaged-ssex-mxcsr-register.patch [new file with mode: 0644]
queue-4.4/kvm-x86-fix-read-out-of-bounds-vulnerability-in-kvm-pio-emulation.patch [new file with mode: 0644]
queue-4.4/regulator-tps65023-fix-inverted-core-enable-logic.patch [new file with mode: 0644]
queue-4.4/s390-cputime-fix-incorrect-system-time.patch [new file with mode: 0644]
queue-4.4/s390-kdump-add-final-note.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/ath9k_htc-add-support-of-airties-1eda-2315-ar9271-device.patch b/queue-4.4/ath9k_htc-add-support-of-airties-1eda-2315-ar9271-device.patch
new file mode 100644 (file)
index 0000000..15c3e65
--- /dev/null
@@ -0,0 +1,36 @@
+From 16ff1fb0e32f76a5d285a6f23b82d21aa52813c6 Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+Date: Wed, 8 Mar 2017 13:52:07 +0200
+Subject: ath9k_htc: Add support of AirTies 1eda:2315 AR9271 device
+
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+
+commit 16ff1fb0e32f76a5d285a6f23b82d21aa52813c6 upstream.
+
+T:  Bus=01 Lev=02 Prnt=02 Port=02 Cnt=01 Dev#=  7 Spd=480 MxCh= 0
+D:  Ver= 2.00 Cls=ff(vend.) Sub=ff Prot=ff MxPS=64 #Cfgs=  1
+P:  Vendor=1eda ProdID=2315 Rev=01.08
+S:  Manufacturer=ATHEROS
+S:  Product=USB2.0 WLAN
+S:  SerialNumber=12345
+C:  #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=500mA
+I:  If#= 0 Alt= 0 #EPs= 6 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+
+Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/hif_usb.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -37,6 +37,7 @@ static struct usb_device_id ath9k_hif_us
+       { USB_DEVICE(0x0cf3, 0xb002) }, /* Ubiquiti WifiStation */
+       { USB_DEVICE(0x057c, 0x8403) }, /* AVM FRITZ!WLAN 11N v2 USB */
+       { USB_DEVICE(0x0471, 0x209e) }, /* Philips (or NXP) PTA01 */
++      { USB_DEVICE(0x1eda, 0x2315) }, /* AirTies */
+       { USB_DEVICE(0x0cf3, 0x7015),
+         .driver_info = AR9287_USB },  /* Atheros */
diff --git a/queue-4.4/ath9k_htc-fix-null-deref-at-probe.patch b/queue-4.4/ath9k_htc-fix-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..78ef2d7
--- /dev/null
@@ -0,0 +1,34 @@
+From ebeb36670ecac36c179b5fb5d5c88ff03ba191ec Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:44:20 +0100
+Subject: ath9k_htc: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ebeb36670ecac36c179b5fb5d5c88ff03ba191ec upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory beyond the endpoint array should a
+malicious device lack the expected endpoints.
+
+Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/hif_usb.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -1217,6 +1217,9 @@ static int send_eject_command(struct usb
+       u8 bulk_out_ep;
+       int r;
++      if (iface_desc->desc.bNumEndpoints < 2)
++              return -ENODEV;
++
+       /* Find bulk out endpoint */
+       for (r = 1; r >= 0; r--) {
+               endpoint = &iface_desc->endpoint[r].desc;
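Review bot: The literal `2` in the added `bNumEndpoints < 2` guard in send_eject_command() is silently coupled to the loop start `r = 1` directly below it, so a later change to the loop bound would not be followed by the guard. A one-line comment above the check, such as `/* the search below reads endpoint[1] and endpoint[0] */`, would record that dependency. The rest of the function lies outside the hunk, including what happens when neither endpoint is bulk-out, and it should be confirmed that this path also returns an error rather than using an unset `bulk_out_ep`.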
diff --git a/queue-4.4/ima-accept-previously-set-ima_new_file.patch b/queue-4.4/ima-accept-previously-set-ima_new_file.patch
new file mode 100644 (file)
index 0000000..9b6b52e
--- /dev/null
@@ -0,0 +1,52 @@
+From 1ac202e978e18f045006d75bd549612620c6ec3a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20Gl=C3=B6ckner?= <dg@emlix.com>
+Date: Fri, 24 Feb 2017 15:05:14 +0100
+Subject: ima: accept previously set IMA_NEW_FILE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Glöckner <dg@emlix.com>
+
+commit 1ac202e978e18f045006d75bd549612620c6ec3a upstream.
+
+Modifying the attributes of a file makes ima_inode_post_setattr reset
+the IMA cache flags. So if the file, which has just been created,
+is opened a second time before the first file descriptor is closed,
+verification fails since the security.ima xattr has not been written
+yet. We therefore have to look at the IMA_NEW_FILE even if the file
+already existed.
+
+With this patch there should no longer be an error when cat tries to
+open testfile:
+
+$ rm -f testfile
+$ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile
+
+A file being new is no reason to accept that it is missing a digital
+signature demanded by the policy.
+
+Signed-off-by: Daniel Glöckner <dg@emlix.com>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/ima/ima_appraise.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -203,10 +203,11 @@ int ima_appraise_measurement(int func, s
+               cause = "missing-hash";
+               status = INTEGRITY_NOLABEL;
+-              if (opened & FILE_CREATED) {
++              if (opened & FILE_CREATED)
+                       iint->flags |= IMA_NEW_FILE;
++              if ((iint->flags & IMA_NEW_FILE) &&
++                  !(iint->flags & IMA_DIGSIG_REQUIRED))
+                       status = INTEGRITY_PASS;
+-              }
+               goto out;
+       }
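Review bot: The `INTEGRITY_PASS` result in the missing-hash branch of ima_appraise_measurement() is now driven by the cached `IMA_NEW_FILE` bit rather than by this open's `FILE_CREATED`, so a file with no security.ima xattr keeps passing appraisal for as long as that bit stays set. Where the bit is cleared is not visible in this hunk, and that lifetime is what bounds the window. It deserves a comment at the new test, e.g. `/* IMA_NEW_FILE persists across opens until it is reset elsewhere; never honour it when a signature is required */`. The function starts and ends outside the hunk.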
diff --git a/queue-4.4/kvm-x86-fix-load-damaged-ssex-mxcsr-register.patch b/queue-4.4/kvm-x86-fix-load-damaged-ssex-mxcsr-register.patch
new file mode 100644 (file)
index 0000000..b7de5b2
--- /dev/null
@@ -0,0 +1,112 @@
+From a575813bfe4bc15aba511a5e91e61d242bff8b9d Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Thu, 11 May 2017 02:58:55 -0700
+Subject: KVM: x86: Fix load damaged SSEx MXCSR register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+commit a575813bfe4bc15aba511a5e91e61d242bff8b9d upstream.
+
+Reported by syzkaller:
+
+   BUG: unable to handle kernel paging request at ffffffffc07f6a2e
+   IP: report_bug+0x94/0x120
+   PGD 348e12067
+   P4D 348e12067
+   PUD 348e14067
+   PMD 3cbd84067
+   PTE 80000003f7e87161
+
+   Oops: 0003 [#1] SMP
+   CPU: 2 PID: 7091 Comm: kvm_load_guest_ Tainted: G           OE   4.11.0+ #8
+   task: ffff92fdfb525400 task.stack: ffffbda6c3d04000
+   RIP: 0010:report_bug+0x94/0x120
+   RSP: 0018:ffffbda6c3d07b20 EFLAGS: 00010202
+    do_trap+0x156/0x170
+    do_error_trap+0xa3/0x170
+    ? kvm_load_guest_fpu.part.175+0x12a/0x170 [kvm]
+    ? mark_held_locks+0x79/0xa0
+    ? retint_kernel+0x10/0x10
+    ? trace_hardirqs_off_thunk+0x1a/0x1c
+    do_invalid_op+0x20/0x30
+    invalid_op+0x1e/0x30
+   RIP: 0010:kvm_load_guest_fpu.part.175+0x12a/0x170 [kvm]
+    ? kvm_load_guest_fpu.part.175+0x1c/0x170 [kvm]
+    kvm_arch_vcpu_ioctl_run+0xed6/0x1b70 [kvm]
+    kvm_vcpu_ioctl+0x384/0x780 [kvm]
+    ? kvm_vcpu_ioctl+0x384/0x780 [kvm]
+    ? sched_clock+0x13/0x20
+    ? __do_page_fault+0x2a0/0x550
+    do_vfs_ioctl+0xa4/0x700
+    ? up_read+0x1f/0x40
+    ? __do_page_fault+0x2a0/0x550
+    SyS_ioctl+0x79/0x90
+    entry_SYSCALL_64_fastpath+0x23/0xc2
+
+SDM mentioned that "The MXCSR has several reserved bits, and attempting to write
+a 1 to any of these bits will cause a general-protection exception(#GP) to be
+generated". The syzkaller forks' testcase overrides xsave area w/ random values
+and steps on the reserved bits of MXCSR register. The damaged MXCSR register
+values of guest will be restored to SSEx MXCSR register before vmentry. This
+patch fixes it by catching userspace override MXCSR register reserved bits w/
+random values and bails out immediately.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/fpu/init.c |    1 +
+ arch/x86/kvm/x86.c         |    9 +++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/fpu/init.c
++++ b/arch/x86/kernel/fpu/init.c
+@@ -96,6 +96,7 @@ static void fpu__init_system_early_gener
+  * Boot time FPU feature detection code:
+  */
+ unsigned int mxcsr_feature_mask __read_mostly = 0xffffffffu;
++EXPORT_SYMBOL_GPL(mxcsr_feature_mask);
+ static void __init fpu__init_system_mxcsr(void)
+ {
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3140,11 +3140,14 @@ static void kvm_vcpu_ioctl_x86_get_xsave
+       }
+ }
++#define XSAVE_MXCSR_OFFSET 24
++
+ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
+                                       struct kvm_xsave *guest_xsave)
+ {
+       u64 xstate_bv =
+               *(u64 *)&guest_xsave->region[XSAVE_HDR_OFFSET / sizeof(u32)];
++      u32 mxcsr = *(u32 *)&guest_xsave->region[XSAVE_MXCSR_OFFSET / sizeof(u32)];
+       if (cpu_has_xsave) {
+               /*
+@@ -3152,11 +3155,13 @@ static int kvm_vcpu_ioctl_x86_set_xsave(
+                * CPUID leaf 0xD, index 0, EDX:EAX.  This is for compatibility
+                * with old userspace.
+                */
+-              if (xstate_bv & ~kvm_supported_xcr0())
++              if (xstate_bv & ~kvm_supported_xcr0() ||
++                      mxcsr & ~mxcsr_feature_mask)
+                       return -EINVAL;
+               load_xsave(vcpu, (u8 *)guest_xsave->region);
+       } else {
+-              if (xstate_bv & ~XFEATURE_MASK_FPSSE)
++              if (xstate_bv & ~XFEATURE_MASK_FPSSE ||
++                      mxcsr & ~mxcsr_feature_mask)
+                       return -EINVAL;
+               memcpy(&vcpu->arch.guest_fpu.state.fxsave,
+                       guest_xsave->region, sizeof(struct fxregs_state));
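Review bot: `XSAVE_MXCSR_OFFSET` is introduced in x86.c as a bare `24`, while kvm_vcpu_ioctl_x86_set_xsave() already relies on `struct fxregs_state` for the legacy area layout. Deriving it, e.g. `offsetof(struct fxregs_state, mxcsr)`, would keep the reserved-bit check tied to the structure definition (the field name is assumed, as the struct is not shown here). The two new conditions also mix `&` and `||` without parentheses; `(mxcsr & ~mxcsr_feature_mask)` reads unambiguously. Note too that `mxcsr_feature_mask` is initialised to `0xffffffffu` in init.c, so the check rejects nothing unless the boot-time setup outside this hunk has narrowed it.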
diff --git a/queue-4.4/kvm-x86-fix-read-out-of-bounds-vulnerability-in-kvm-pio-emulation.patch b/queue-4.4/kvm-x86-fix-read-out-of-bounds-vulnerability-in-kvm-pio-emulation.patch
new file mode 100644 (file)
index 0000000..0cd9d1b
--- /dev/null
@@ -0,0 +1,276 @@
+From cbfc6c9184ce71b52df4b1d82af5afc81a709178 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Fri, 19 May 2017 02:46:56 -0700
+Subject: KVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+commit cbfc6c9184ce71b52df4b1d82af5afc81a709178 upstream.
+
+Huawei folks reported a read out-of-bounds vulnerability in kvm pio emulation.
+
+- "inb" instruction to access PIT Mod/Command register (ioport 0x43, write only,
+  a read should be ignored) in guest can get a random number.
+- "rep insb" instruction to access PIT register port 0x43 can control memcpy()
+  in emulator_pio_in_emulated() to copy max 0x400 bytes but only read 1 bytes,
+  which will disclose the unimportant kernel memory in host but no crash.
+
+The similar test program below can reproduce the read out-of-bounds vulnerability:
+
+void hexdump(void *mem, unsigned int len)
+{
+        unsigned int i, j;
+
+        for(i = 0; i < len + ((len % HEXDUMP_COLS) ? (HEXDUMP_COLS - len % HEXDUMP_COLS) : 0); i++)
+        {
+                /* print offset */
+                if(i % HEXDUMP_COLS == 0)
+                {
+                        printf("0x%06x: ", i);
+                }
+
+                /* print hex data */
+                if(i < len)
+                {
+                        printf("%02x ", 0xFF & ((char*)mem)[i]);
+                }
+                else /* end of block, just aligning for ASCII dump */
+                {
+                        printf("   ");
+                }
+
+                /* print ASCII dump */
+                if(i % HEXDUMP_COLS == (HEXDUMP_COLS - 1))
+                {
+                        for(j = i - (HEXDUMP_COLS - 1); j <= i; j++)
+                        {
+                                if(j >= len) /* end of block, not really printing */
+                                {
+                                        putchar(' ');
+                                }
+                                else if(isprint(((char*)mem)[j])) /* printable char */
+                                {
+                                        putchar(0xFF & ((char*)mem)[j]);
+                                }
+                                else /* other char */
+                                {
+                                        putchar('.');
+                                }
+                        }
+                        putchar('\n');
+                }
+        }
+}
+
+int main(void)
+{
+       int i;
+       if (iopl(3))
+       {
+               err(1, "set iopl unsuccessfully\n");
+               return -1;
+       }
+       static char buf[0x40];
+
+       /* test ioport 0x40,0x41,0x42,0x43,0x44,0x45 */
+
+       memset(buf, 0xab, sizeof(buf));
+
+       asm volatile("push %rdi;");
+       asm volatile("mov %0, %%rdi;"::"q"(buf));
+
+       asm volatile ("mov $0x40, %rdx;");
+       asm volatile ("in %dx,%al;");
+       asm volatile ("stosb;");
+
+       asm volatile ("mov $0x41, %rdx;");
+       asm volatile ("in %dx,%al;");
+       asm volatile ("stosb;");
+
+       asm volatile ("mov $0x42, %rdx;");
+       asm volatile ("in %dx,%al;");
+       asm volatile ("stosb;");
+
+       asm volatile ("mov $0x43, %rdx;");
+       asm volatile ("in %dx,%al;");
+       asm volatile ("stosb;");
+
+       asm volatile ("mov $0x44, %rdx;");
+       asm volatile ("in %dx,%al;");
+       asm volatile ("stosb;");
+
+       asm volatile ("mov $0x45, %rdx;");
+       asm volatile ("in %dx,%al;");
+       asm volatile ("stosb;");
+
+       asm volatile ("pop %rdi;");
+       hexdump(buf, 0x40);
+
+       printf("\n");
+
+       /* ins port 0x40 */
+
+       memset(buf, 0xab, sizeof(buf));
+
+       asm volatile("push %rdi;");
+       asm volatile("mov %0, %%rdi;"::"q"(buf));
+
+       asm volatile ("mov $0x20, %rcx;");
+       asm volatile ("mov $0x40, %rdx;");
+       asm volatile ("rep insb;");
+
+       asm volatile ("pop %rdi;");
+       hexdump(buf, 0x40);
+
+       printf("\n");
+
+       /* ins port 0x43 */
+
+       memset(buf, 0xab, sizeof(buf));
+
+       asm volatile("push %rdi;");
+       asm volatile("mov %0, %%rdi;"::"q"(buf));
+
+       asm volatile ("mov $0x20, %rcx;");
+       asm volatile ("mov $0x43, %rdx;");
+       asm volatile ("rep insb;");
+
+       asm volatile ("pop %rdi;");
+       hexdump(buf, 0x40);
+
+       printf("\n");
+       return 0;
+}
+
+The vcpu->arch.pio_data buffer is used by both in/out instrutions emulation
+w/o clear after using which results in some random datas are left over in
+the buffer. Guest reads port 0x43 will be ignored since it is write only,
+however, the function kernel_pio() can't distigush this ignore from successfully
+reads data from device's ioport. There is no new data fill the buffer from
+port 0x43, however, emulator_pio_in_emulated() will copy the stale data in
+the buffer to the guest unconditionally. This patch fixes it by clearing the
+buffer before in instruction emulation to avoid to grant guest the stale data
+in the buffer.
+
+In addition, string I/O is not supported for in kernel device. So there is no
+iteration to read ioport %RCX times for string I/O. The function kernel_pio()
+just reads one round, and then copy the io size * %RCX to the guest unconditionally,
+actually it copies the one round ioport data w/ other random datas which are left
+over in the vcpu->arch.pio_data buffer to the guest. This patch fixes it by
+introducing the string I/O support for in kernel device in order to grant the right
+ioport datas to the guest.
+
+Before the patch:
+
+0x000000: fe 38 93 93 ff ff ab ab .8......
+0x000008: ab ab ab ab ab ab ab ab ........
+0x000010: ab ab ab ab ab ab ab ab ........
+0x000018: ab ab ab ab ab ab ab ab ........
+0x000020: ab ab ab ab ab ab ab ab ........
+0x000028: ab ab ab ab ab ab ab ab ........
+0x000030: ab ab ab ab ab ab ab ab ........
+0x000038: ab ab ab ab ab ab ab ab ........
+
+0x000000: f6 00 00 00 00 00 00 00 ........
+0x000008: 00 00 00 00 00 00 00 00 ........
+0x000010: 00 00 00 00 4d 51 30 30 ....MQ00
+0x000018: 30 30 20 33 20 20 20 20 00 3
+0x000020: ab ab ab ab ab ab ab ab ........
+0x000028: ab ab ab ab ab ab ab ab ........
+0x000030: ab ab ab ab ab ab ab ab ........
+0x000038: ab ab ab ab ab ab ab ab ........
+
+0x000000: f6 00 00 00 00 00 00 00 ........
+0x000008: 00 00 00 00 00 00 00 00 ........
+0x000010: 00 00 00 00 4d 51 30 30 ....MQ00
+0x000018: 30 30 20 33 20 20 20 20 00 3
+0x000020: ab ab ab ab ab ab ab ab ........
+0x000028: ab ab ab ab ab ab ab ab ........
+0x000030: ab ab ab ab ab ab ab ab ........
+0x000038: ab ab ab ab ab ab ab ab ........
+
+After the patch:
+
+0x000000: 1e 02 f8 00 ff ff ab ab ........
+0x000008: ab ab ab ab ab ab ab ab ........
+0x000010: ab ab ab ab ab ab ab ab ........
+0x000018: ab ab ab ab ab ab ab ab ........
+0x000020: ab ab ab ab ab ab ab ab ........
+0x000028: ab ab ab ab ab ab ab ab ........
+0x000030: ab ab ab ab ab ab ab ab ........
+0x000038: ab ab ab ab ab ab ab ab ........
+
+0x000000: d2 e2 d2 df d2 db d2 d7 ........
+0x000008: d2 d3 d2 cf d2 cb d2 c7 ........
+0x000010: d2 c4 d2 c0 d2 bc d2 b8 ........
+0x000018: d2 b4 d2 b0 d2 ac d2 a8 ........
+0x000020: ab ab ab ab ab ab ab ab ........
+0x000028: ab ab ab ab ab ab ab ab ........
+0x000030: ab ab ab ab ab ab ab ab ........
+0x000038: ab ab ab ab ab ab ab ab ........
+
+0x000000: 00 00 00 00 00 00 00 00 ........
+0x000008: 00 00 00 00 00 00 00 00 ........
+0x000010: 00 00 00 00 00 00 00 00 ........
+0x000018: 00 00 00 00 00 00 00 00 ........
+0x000020: ab ab ab ab ab ab ab ab ........
+0x000028: ab ab ab ab ab ab ab ab ........
+0x000030: ab ab ab ab ab ab ab ab ........
+0x000038: ab ab ab ab ab ab ab ab ........
+
+Reported-by: Moguofang <moguofang@huawei.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Moguofang <moguofang@huawei.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c |   24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4608,16 +4608,20 @@ emul_write:
+ static int kernel_pio(struct kvm_vcpu *vcpu, void *pd)
+ {
+-      /* TODO: String I/O for in kernel device */
+-      int r;
++      int r = 0, i;
+-      if (vcpu->arch.pio.in)
+-              r = kvm_io_bus_read(vcpu, KVM_PIO_BUS, vcpu->arch.pio.port,
+-                                  vcpu->arch.pio.size, pd);
+-      else
+-              r = kvm_io_bus_write(vcpu, KVM_PIO_BUS,
+-                                   vcpu->arch.pio.port, vcpu->arch.pio.size,
+-                                   pd);
++      for (i = 0; i < vcpu->arch.pio.count; i++) {
++              if (vcpu->arch.pio.in)
++                      r = kvm_io_bus_read(vcpu, KVM_PIO_BUS, vcpu->arch.pio.port,
++                                          vcpu->arch.pio.size, pd);
++              else
++                      r = kvm_io_bus_write(vcpu, KVM_PIO_BUS,
++                                           vcpu->arch.pio.port, vcpu->arch.pio.size,
++                                           pd);
++              if (r)
++                      break;
++              pd += vcpu->arch.pio.size;
++      }
+       return r;
+ }
+@@ -4655,6 +4659,8 @@ static int emulator_pio_in_emulated(stru
+       if (vcpu->arch.pio.count)
+               goto data_avail;
++      memset(vcpu->arch.pio_data, 0, size * count);
++
+       ret = emulator_pio_in_out(vcpu, size, port, val, count, true);
+       if (ret) {
+ data_avail:
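Review bot: The added `memset(vcpu->arch.pio_data, 0, size * count)` in emulator_pio_in_emulated() takes its length straight from the `size` and `count` arguments, and nothing in the hunk bounds that product against the size of `pio_data`. The same quantities govern how far `pd` advances in the new kernel_pio() loop (`pd += vcpu->arch.pio.size` for `pio.count` rounds). If the clamp lives in the caller, say so in a comment at the memset, or assert it with something like `WARN_ON_ONCE(size * count > PAGE_SIZE)`; this assumes the buffer is one page, which should be confirmed. Both function bodies are only partly visible here.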
diff --git a/queue-4.4/regulator-tps65023-fix-inverted-core-enable-logic.patch b/queue-4.4/regulator-tps65023-fix-inverted-core-enable-logic.patch
new file mode 100644 (file)
index 0000000..f0a8b7c
--- /dev/null
@@ -0,0 +1,43 @@
+From c90722b54a4f5e21ac59301ed9a6dbaa439bdb16 Mon Sep 17 00:00:00 2001
+From: Richard Cochran <rcochran@linutronix.de>
+Date: Mon, 17 Apr 2017 10:23:36 +0200
+Subject: regulator: tps65023: Fix inverted core enable logic.
+
+From: Richard Cochran <rcochran@linutronix.de>
+
+commit c90722b54a4f5e21ac59301ed9a6dbaa439bdb16 upstream.
+
+Commit 43530b69d758328d3ffe6ab98fd640463e8e3667 ("regulator: Use
+regmap_read/write(), regmap_update_bits functions directly") intended
+to replace working inline helper functions with standard regmap
+calls.  However, it also inverted the set/clear logic of the "CORE ADJ
+Allowed" bit.  That patch was clearly never tested, since without that
+bit cleared, the core VDCDC1 voltage output does not react to I2C
+configuration changes.
+
+This patch fixes the issue by clearing the bit as in the original,
+correct implementation.  Note for stable back porting that, due to
+subsequent driver churn, this patch will not apply on every kernel
+version.
+
+Fixes: 43530b69d758 ("regulator: Use regmap_read/write(), regmap_update_bits functions directly")
+Signed-off-by: Richard Cochran <rcochran@linutronix.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/tps65023-regulator.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/regulator/tps65023-regulator.c
++++ b/drivers/regulator/tps65023-regulator.c
+@@ -311,8 +311,7 @@ static int tps_65023_probe(struct i2c_cl
+       /* Enable setting output voltage by I2C */
+       regmap_update_bits(tps->regmap, TPS65023_REG_CON_CTRL2,
+-                                      TPS65023_REG_CTRL2_CORE_ADJ,
+-                                      TPS65023_REG_CTRL2_CORE_ADJ);
++                         TPS65023_REG_CTRL2_CORE_ADJ, 0);
+       return 0;
+ }
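Review bot: The return value of the corrected `regmap_update_bits()` call in tps_65023_probe() is discarded and probe returns 0 regardless, so an I2C failure would silently leave the core-adjust bit unchanged, possibly still set, which is the condition this patch fixes. Propagating the result, e.g. `ret = regmap_update_bits(tps->regmap, TPS65023_REG_CON_CTRL2, TPS65023_REG_CTRL2_CORE_ADJ, 0);` followed by `if (ret) return ret;`, would surface that (a suitable local is assumed, since the start of the function is outside the hunk). The comment above the call could also state that the bit is cleared to enable I2C control, since "Enable" next to a write of 0 invites the same inversion again.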
diff --git a/queue-4.4/s390-cputime-fix-incorrect-system-time.patch b/queue-4.4/s390-cputime-fix-incorrect-system-time.patch
new file mode 100644 (file)
index 0000000..1b9b537
--- /dev/null
@@ -0,0 +1,95 @@
+From 07a63cbe8bcb6ba72fb989dcab1ec55ec6c36c7e Mon Sep 17 00:00:00 2001
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Date: Tue, 2 May 2017 13:36:00 +0200
+Subject: s390/cputime: fix incorrect system time
+
+From: Martin Schwidefsky <schwidefsky@de.ibm.com>
+
+commit 07a63cbe8bcb6ba72fb989dcab1ec55ec6c36c7e upstream.
+
+git commit c5328901aa1db134 "[S390] entry[64].S improvements" removed
+the update of the exit_timer lowcore field from the critical section
+cleanup of the .Lsysc_restore/.Lsysc_done and .Lio_restore/.Lio_done
+blocks. If the PSW is updated by the critical section cleanup to point to
+user space again, the interrupt entry code will do a vtime calculation
+after the cleanup completed with an exit_timer value which has *not* been
+updated. Due to this incorrect system time deltas are calculated.
+
+If an interrupt occured with an old PSW between .Lsysc_restore/.Lsysc_done
+or .Lio_restore/.Lio_done update __LC_EXIT_TIMER with the system entry
+time of the interrupt.
+
+Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/entry.S |   21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/arch/s390/kernel/entry.S
++++ b/arch/s390/kernel/entry.S
+@@ -308,6 +308,7 @@ ENTRY(system_call)
+       lg      %r14,__LC_VDSO_PER_CPU
+       lmg     %r0,%r10,__PT_R0(%r11)
+       mvc     __LC_RETURN_PSW(16),__PT_PSW(%r11)
++.Lsysc_exit_timer:
+       stpt    __LC_EXIT_TIMER
+       mvc     __VDSO_ECTG_BASE(16,%r14),__LC_EXIT_TIMER
+       lmg     %r11,%r15,__PT_R11(%r11)
+@@ -593,6 +594,7 @@ ENTRY(io_int_handler)
+       lg      %r14,__LC_VDSO_PER_CPU
+       lmg     %r0,%r10,__PT_R0(%r11)
+       mvc     __LC_RETURN_PSW(16),__PT_PSW(%r11)
++.Lio_exit_timer:
+       stpt    __LC_EXIT_TIMER
+       mvc     __VDSO_ECTG_BASE(16,%r14),__LC_EXIT_TIMER
+       lmg     %r11,%r15,__PT_R11(%r11)
+@@ -1118,15 +1120,23 @@ cleanup_critical:
+       br      %r14
+ .Lcleanup_sysc_restore:
++      # check if stpt has been executed
+       clg     %r9,BASED(.Lcleanup_sysc_restore_insn)
++      jh      0f
++      mvc     __LC_EXIT_TIMER(8),__LC_ASYNC_ENTER_TIMER
++      cghi    %r11,__LC_SAVE_AREA_ASYNC
+       je      0f
++      mvc     __LC_EXIT_TIMER(8),__LC_MCCK_ENTER_TIMER
++0:    clg     %r9,BASED(.Lcleanup_sysc_restore_insn+8)
++      je      1f
+       lg      %r9,24(%r11)            # get saved pointer to pt_regs
+       mvc     __LC_RETURN_PSW(16),__PT_PSW(%r9)
+       mvc     0(64,%r11),__PT_R8(%r9)
+       lmg     %r0,%r7,__PT_R0(%r9)
+-0:    lmg     %r8,%r9,__LC_RETURN_PSW
++1:    lmg     %r8,%r9,__LC_RETURN_PSW
+       br      %r14
+ .Lcleanup_sysc_restore_insn:
++      .quad   .Lsysc_exit_timer
+       .quad   .Lsysc_done - 4
+ .Lcleanup_io_tif:
+@@ -1134,15 +1144,20 @@ cleanup_critical:
+       br      %r14
+ .Lcleanup_io_restore:
++      # check if stpt has been executed
+       clg     %r9,BASED(.Lcleanup_io_restore_insn)
+-      je      0f
++      jh      0f
++      mvc     __LC_EXIT_TIMER(8),__LC_MCCK_ENTER_TIMER
++0:    clg     %r9,BASED(.Lcleanup_io_restore_insn+8)
++      je      1f
+       lg      %r9,24(%r11)            # get saved r11 pointer to pt_regs
+       mvc     __LC_RETURN_PSW(16),__PT_PSW(%r9)
+       mvc     0(64,%r11),__PT_R8(%r9)
+       lmg     %r0,%r7,__PT_R0(%r9)
+-0:    lmg     %r8,%r9,__LC_RETURN_PSW
++1:    lmg     %r8,%r9,__LC_RETURN_PSW
+       br      %r14
+ .Lcleanup_io_restore_insn:
++      .quad   .Lio_exit_timer
+       .quad   .Lio_done - 4
+ .Lcleanup_idle:
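Review bot: The cleanup paths now index `.Lcleanup_sysc_restore_insn` and `.Lcleanup_io_restore_insn` with a bare `+8`, and nothing on the two-entry tables says which address each slot holds. The two paths also choose the timer source differently: `.Lcleanup_sysc_restore` selects between `__LC_ASYNC_ENTER_TIMER` and `__LC_MCCK_ENTER_TIMER` via `cghi %r11,__LC_SAVE_AREA_ASYNC`, while `.Lcleanup_io_restore` always copies `__LC_MCCK_ENTER_TIMER`, with no comment explaining why. A comment on each table, e.g. `# +0: address of the stpt, +8: last instruction before ..._done`, and one line at the io path naming the interrupt class expected there would make the asymmetry reviewable. The surrounding cleanup_critical dispatch is outside these hunks.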
diff --git a/queue-4.4/s390-kdump-add-final-note.patch b/queue-4.4/s390-kdump-add-final-note.patch
new file mode 100644 (file)
index 0000000..2079689
--- /dev/null
@@ -0,0 +1,73 @@
+From dcc00b79fc3d076832f7240de8870f492629b171 Mon Sep 17 00:00:00 2001
+From: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Date: Thu, 23 Mar 2017 21:02:54 +0100
+Subject: s390/kdump: Add final note
+
+From: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+
+commit dcc00b79fc3d076832f7240de8870f492629b171 upstream.
+
+Since linux v3.14 with commit 38dfac843cb6d7be1 ("vmcore: prevent PT_NOTE
+p_memsz overflow during header update") on s390 we get the following
+message in the kdump kernel:
+
+  Warning: Exceeded p_memsz, dropping PT_NOTE entry n_namesz=0x6b6b6b6b,
+  n_descsz=0x6b6b6b6b
+
+The reason for this is that we don't create a final zero note in
+the ELF header which the proc/vmcore code uses to find out the end
+of the notes section (see also kernel/kexec_core.c:final_note()).
+
+It still worked on s390 by chance because we (most of the time?) have the
+byte pattern 0x6b6b6b6b after the notes section which also makes the notes
+parsing code stop in update_note_header_size_elf64() because 0x6b6b6b6b is
+interpreded as note size:
+
+  if ((real_sz + sz) > max_sz) {
+          pr_warn("Warning: Exceeded p_memsz, dropping P ...);
+          break;
+  }
+
+So fix this and add the missing final note to the ELF header.
+We don't have to adjust the memory size for ELF header ("alloc_size")
+because the new ELF note still fits into the 0x1000 base memory.
+
+Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/crash_dump.c |   15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/arch/s390/kernel/crash_dump.c
++++ b/arch/s390/kernel/crash_dump.c
+@@ -464,6 +464,20 @@ static void *nt_vmcoreinfo(void *ptr)
+ }
+ /*
++ * Initialize final note (needed for /proc/vmcore code)
++ */
++static void *nt_final(void *ptr)
++{
++      Elf64_Nhdr *note;
++
++      note = (Elf64_Nhdr *) ptr;
++      note->n_namesz = 0;
++      note->n_descsz = 0;
++      note->n_type = 0;
++      return PTR_ADD(ptr, sizeof(Elf64_Nhdr));
++}
++
++/*
+  * Initialize ELF header (new kernel)
+  */
+ static void *ehdr_init(Elf64_Ehdr *ehdr, int mem_chunk_cnt)
+@@ -553,6 +567,7 @@ static void *notes_init(Elf64_Phdr *phdr
+               ptr = fill_cpu_elf_notes(ptr, &sa_ext->sa, sa_ext->vx_regs);
+       }
+       ptr = nt_vmcoreinfo(ptr);
++      ptr = nt_final(ptr);
+       memset(phdr, 0, sizeof(*phdr));
+       phdr->p_type = PT_NOTE;
+       phdr->p_offset = notes_offset;
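Review bot: nt_final() writes a full `Elf64_Nhdr` at `ptr` and notes_init() calls it unconditionally, but nothing in either hunk accounts for those extra bytes in the ELF header allocation; the commit message relies on the note fitting into the existing 0x1000 of base memory. That slack is an implicit invariant, and a note added ahead of it later could push this write past the buffer. Either add `sizeof(Elf64_Nhdr)` where the header size is computed (outside this hunk) or record the dependency in the function comment, e.g. `/* relies on spare room in the header allocation; see the size calculation */`. The `(Elf64_Nhdr *)` cast from `void *` is also unnecessary in C.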
index 474876adcdad1c47df21674f4770b716dda714b4..529bbf0b522a72fabd8f629a8c54d87bf17c8261 100644 (file)
@@ -18,3 +18,11 @@ dm-space-map-disk-fix-some-book-keeping-in-the-disk-space-map.patch
 md-update-slab_cache-before-releasing-new-stripes-when-stripes-resizing.patch
 rtlwifi-rtl8821ae-setup-8812ae-rfe-according-to-device-type.patch
 mwifiex-pcie-fix-cmd_buf-use-after-free-in-remove-reset.patch
+ima-accept-previously-set-ima_new_file.patch
+kvm-x86-fix-load-damaged-ssex-mxcsr-register.patch
+kvm-x86-fix-read-out-of-bounds-vulnerability-in-kvm-pio-emulation.patch
+regulator-tps65023-fix-inverted-core-enable-logic.patch
+s390-kdump-add-final-note.patch
+s390-cputime-fix-incorrect-system-time.patch
+ath9k_htc-add-support-of-airties-1eda-2315-ar9271-device.patch
+ath9k_htc-fix-null-deref-at-probe.patch