--- /dev/null
+From c8ea3663f7a8e6996d44500ee818c9330ac4fd88 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 14 May 2019 15:47:00 -0700
+Subject: drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit c8ea3663f7a8e6996d44500ee818c9330ac4fd88 upstream.
+
+strndup_user() returns error pointers on error, and then in the error
+handling we pass the error pointers to kfree(). It will cause an Oops.
+
+Link: http://lkml.kernel.org/r/20181218082003.GD32567@kadam
+Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Timur Tabi <timur@freescale.com>
+Cc: Mihai Caraman <mihai.caraman@freescale.com>
+Cc: Kumar Gala <galak@kernel.crashing.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virt/fsl_hypervisor.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+--- a/drivers/virt/fsl_hypervisor.c
++++ b/drivers/virt/fsl_hypervisor.c
+@@ -331,8 +331,8 @@ static long ioctl_dtprop(struct fsl_hv_i
+ struct fsl_hv_ioctl_prop param;
+ char __user *upath, *upropname;
+ void __user *upropval;
+- char *path = NULL, *propname = NULL;
+- void *propval = NULL;
++ char *path, *propname;
++ void *propval;
+ int ret = 0;
+
+ /* Get the parameters from the user. */
+@@ -344,32 +344,30 @@ static long ioctl_dtprop(struct fsl_hv_i
+ upropval = (void __user *)(uintptr_t)param.propval;
+
+ path = strndup_user(upath, FH_DTPROP_MAX_PATHLEN);
+- if (IS_ERR(path)) {
+- ret = PTR_ERR(path);
+- goto out;
+- }
++ if (IS_ERR(path))
++ return PTR_ERR(path);
+
+ propname = strndup_user(upropname, FH_DTPROP_MAX_PATHLEN);
+ if (IS_ERR(propname)) {
+ ret = PTR_ERR(propname);
+- goto out;
++ goto err_free_path;
+ }
+
+ if (param.proplen > FH_DTPROP_MAX_PROPLEN) {
+ ret = -EINVAL;
+- goto out;
++ goto err_free_propname;
+ }
+
+ propval = kmalloc(param.proplen, GFP_KERNEL);
+ if (!propval) {
+ ret = -ENOMEM;
+- goto out;
++ goto err_free_propname;
+ }
+
+ if (set) {
+ if (copy_from_user(propval, upropval, param.proplen)) {
+ ret = -EFAULT;
+- goto out;
++ goto err_free_propval;
+ }
+
+ param.ret = fh_partition_set_dtprop(param.handle,
+@@ -388,7 +386,7 @@ static long ioctl_dtprop(struct fsl_hv_i
+ if (copy_to_user(upropval, propval, param.proplen) ||
+ put_user(param.proplen, &p->proplen)) {
+ ret = -EFAULT;
+- goto out;
++ goto err_free_propval;
+ }
+ }
+ }
+@@ -396,10 +394,12 @@ static long ioctl_dtprop(struct fsl_hv_i
+ if (put_user(param.ret, &p->ret))
+ ret = -EFAULT;
+
+-out:
+- kfree(path);
++err_free_propval:
+ kfree(propval);
++err_free_propname:
+ kfree(propname);
++err_free_path:
++ kfree(path);
+
+ return ret;
+ }
--- /dev/null
+From 6a024330650e24556b8a18cc654ad00cfecf6c6c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 14 May 2019 15:47:03 -0700
+Subject: drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 6a024330650e24556b8a18cc654ad00cfecf6c6c upstream.
+
+The "param.count" value is a u64 thatcomes from the user. The code
+later in the function assumes that param.count is at least one and if
+it's not then it leads to an Oops when we dereference the ZERO_SIZE_PTR.
+
+Also the addition can have an integer overflow which would lead us to
+allocate a smaller "pages" array than required. I can't immediately
+tell what the possible run times implications are, but it's safest to
+prevent the overflow.
+
+Link: http://lkml.kernel.org/r/20181218082129.GE32567@kadam
+Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Timur Tabi <timur@freescale.com>
+Cc: Mihai Caraman <mihai.caraman@freescale.com>
+Cc: Kumar Gala <galak@kernel.crashing.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virt/fsl_hypervisor.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/virt/fsl_hypervisor.c
++++ b/drivers/virt/fsl_hypervisor.c
+@@ -215,6 +215,9 @@ static long ioctl_memcpy(struct fsl_hv_i
+ * hypervisor.
+ */
+ lb_offset = param.local_vaddr & (PAGE_SIZE - 1);
++ if (param.count == 0 ||
++ param.count > U64_MAX - lb_offset - PAGE_SIZE + 1)
++ return -EINVAL;
+ num_pages = (param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT;
+
+ /* Allocate the buffers we need */
--- /dev/null
+From 0916878da355650d7e77104a7ac0fa1784eca852 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <damien.lemoal@wdc.com>
+Date: Sat, 16 Mar 2019 09:13:06 +0900
+Subject: f2fs: Fix use of number of devices
+
+From: Damien Le Moal <damien.lemoal@wdc.com>
+
+commit 0916878da355650d7e77104a7ac0fa1784eca852 upstream.
+
+For a single device mount using a zoned block device, the zone
+information for the device is stored in the sbi->devs single entry
+array and sbi->s_ndevs is set to 1. This differs from a single device
+mount using a regular block device which does not allocate sbi->devs
+and sets sbi->s_ndevs to 0.
+
+However, sbi->s_devs == 0 condition is used throughout the code to
+differentiate a single device mount from a multi-device mount where
+sbi->s_ndevs is always larger than 1. This results in problems with
+single zoned block device volumes as these are treated as multi-device
+mounts but do not have the start_blk and end_blk information set. One
+of the problem observed is skipping of zone discard issuing resulting in
+write commands being issued to full zones or unaligned to a zone write
+pointer.
+
+Fix this problem by simply treating the cases sbi->s_ndevs == 0 (single
+regular block device mount) and sbi->s_ndevs == 1 (single zoned block
+device mount) in the same manner. This is done by introducing the
+helper function f2fs_is_multi_device() and using this helper in place
+of direct tests of sbi->s_ndevs value, improving code readability.
+
+Fixes: 7bb3a371d199 ("f2fs: Fix zoned block device support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/data.c | 17 +++++++++++------
+ fs/f2fs/f2fs.h | 13 ++++++++++++-
+ fs/f2fs/file.c | 2 +-
+ fs/f2fs/gc.c | 2 +-
+ fs/f2fs/segment.c | 13 +++++++------
+ 5 files changed, 32 insertions(+), 15 deletions(-)
+
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -218,12 +218,14 @@ struct block_device *f2fs_target_device(
+ struct block_device *bdev = sbi->sb->s_bdev;
+ int i;
+
+- for (i = 0; i < sbi->s_ndevs; i++) {
+- if (FDEV(i).start_blk <= blk_addr &&
+- FDEV(i).end_blk >= blk_addr) {
+- blk_addr -= FDEV(i).start_blk;
+- bdev = FDEV(i).bdev;
+- break;
++ if (f2fs_is_multi_device(sbi)) {
++ for (i = 0; i < sbi->s_ndevs; i++) {
++ if (FDEV(i).start_blk <= blk_addr &&
++ FDEV(i).end_blk >= blk_addr) {
++ blk_addr -= FDEV(i).start_blk;
++ bdev = FDEV(i).bdev;
++ break;
++ }
+ }
+ }
+ if (bio) {
+@@ -237,6 +239,9 @@ int f2fs_target_device_index(struct f2fs
+ {
+ int i;
+
++ if (!f2fs_is_multi_device(sbi))
++ return 0;
++
+ for (i = 0; i < sbi->s_ndevs; i++)
+ if (FDEV(i).start_blk <= blkaddr && FDEV(i).end_blk >= blkaddr)
+ return i;
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1364,6 +1364,17 @@ static inline bool time_to_inject(struct
+ }
+ #endif
+
++/*
++ * Test if the mounted volume is a multi-device volume.
++ * - For a single regular disk volume, sbi->s_ndevs is 0.
++ * - For a single zoned disk volume, sbi->s_ndevs is 1.
++ * - For a multi-device volume, sbi->s_ndevs is always 2 or more.
++ */
++static inline bool f2fs_is_multi_device(struct f2fs_sb_info *sbi)
++{
++ return sbi->s_ndevs > 1;
++}
++
+ /* For write statistics. Suppose sector size is 512 bytes,
+ * and the return value is in kbytes. s is of struct f2fs_sb_info.
+ */
+@@ -3612,7 +3623,7 @@ static inline bool f2fs_force_buffered_i
+
+ if (f2fs_post_read_required(inode))
+ return true;
+- if (sbi->s_ndevs)
++ if (f2fs_is_multi_device(sbi))
+ return true;
+ /*
+ * for blkzoned device, fallback direct IO to buffered IO, so
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -2570,7 +2570,7 @@ static int f2fs_ioc_flush_device(struct
+ sizeof(range)))
+ return -EFAULT;
+
+- if (sbi->s_ndevs <= 1 || sbi->s_ndevs - 1 <= range.dev_num ||
++ if (!f2fs_is_multi_device(sbi) || sbi->s_ndevs - 1 <= range.dev_num ||
+ __is_large_section(sbi)) {
+ f2fs_msg(sbi->sb, KERN_WARNING,
+ "Can't flush %u in %d for segs_per_sec %u != 1\n",
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -1346,7 +1346,7 @@ void f2fs_build_gc_manager(struct f2fs_s
+ sbi->gc_pin_file_threshold = DEF_GC_FAILED_PINNED_FILES;
+
+ /* give warm/cold data area from slower device */
+- if (sbi->s_ndevs && !__is_large_section(sbi))
++ if (f2fs_is_multi_device(sbi) && !__is_large_section(sbi))
+ SIT_I(sbi)->last_victim[ALLOC_NEXT] =
+ GET_SEGNO(sbi, FDEV(0).end_blk) + 1;
+ }
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -576,7 +576,7 @@ static int submit_flush_wait(struct f2fs
+ int ret = 0;
+ int i;
+
+- if (!sbi->s_ndevs)
++ if (!f2fs_is_multi_device(sbi))
+ return __submit_flush_wait(sbi, sbi->sb->s_bdev);
+
+ for (i = 0; i < sbi->s_ndevs; i++) {
+@@ -644,7 +644,8 @@ int f2fs_issue_flush(struct f2fs_sb_info
+ return ret;
+ }
+
+- if (atomic_inc_return(&fcc->queued_flush) == 1 || sbi->s_ndevs > 1) {
++ if (atomic_inc_return(&fcc->queued_flush) == 1 ||
++ f2fs_is_multi_device(sbi)) {
+ ret = submit_flush_wait(sbi, ino);
+ atomic_dec(&fcc->queued_flush);
+
+@@ -750,7 +751,7 @@ int f2fs_flush_device_cache(struct f2fs_
+ {
+ int ret = 0, i;
+
+- if (!sbi->s_ndevs)
++ if (!f2fs_is_multi_device(sbi))
+ return 0;
+
+ for (i = 1; i < sbi->s_ndevs; i++) {
+@@ -1359,7 +1360,7 @@ static int __queue_discard_cmd(struct f2
+
+ trace_f2fs_queue_discard(bdev, blkstart, blklen);
+
+- if (sbi->s_ndevs) {
++ if (f2fs_is_multi_device(sbi)) {
+ int devi = f2fs_target_device_index(sbi, blkstart);
+
+ blkstart -= FDEV(devi).start_blk;
+@@ -1714,7 +1715,7 @@ static int __f2fs_issue_discard_zone(str
+ block_t lblkstart = blkstart;
+ int devi = 0;
+
+- if (sbi->s_ndevs) {
++ if (f2fs_is_multi_device(sbi)) {
+ devi = f2fs_target_device_index(sbi, blkstart);
+ blkstart -= FDEV(devi).start_blk;
+ }
+@@ -3071,7 +3072,7 @@ static void update_device_state(struct f
+ struct f2fs_sb_info *sbi = fio->sbi;
+ unsigned int devidx;
+
+- if (!sbi->s_ndevs)
++ if (!f2fs_is_multi_device(sbi))
+ return;
+
+ devidx = f2fs_target_device_index(sbi, fio->new_blkaddr);
--- /dev/null
+From 15becc2b56c6eda3d9bf5ae993bafd5661c1fad1 Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Mon, 4 Mar 2019 21:34:48 +0000
+Subject: PCI: hv: Add hv_pci_remove_slots() when we unload the driver
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 15becc2b56c6eda3d9bf5ae993bafd5661c1fad1 upstream.
+
+When we unload the pci-hyperv host controller driver, the host does not
+send us a PCI_EJECT message.
+
+In this case we also need to make sure the sysfs PCI slot directory is
+removed, otherwise a command on a slot file eg:
+
+"cat /sys/bus/pci/slots/2/address"
+
+will trigger a
+
+"BUG: unable to handle kernel paging request"
+
+and, if we unload/reload the driver several times we would end up with
+stale slot entries in PCI slot directories in /sys/bus/pci/slots/
+
+root@localhost:~# ls -rtl /sys/bus/pci/slots/
+total 0
+drwxr-xr-x 2 root root 0 Feb 7 10:49 2
+drwxr-xr-x 2 root root 0 Feb 7 10:49 2-1
+drwxr-xr-x 2 root root 0 Feb 7 10:51 2-2
+
+Add the missing code to remove the PCI slot and fix the current
+behaviour.
+
+Fixes: a15f2c08c708 ("PCI: hv: support reporting serial number as slot information")
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+[lorenzo.pieralisi@arm.com: reformatted the log]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Stephen Hemminger <sthemmin@microsoft.com>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/controller/pci-hyperv.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/pci/controller/pci-hyperv.c
++++ b/drivers/pci/controller/pci-hyperv.c
+@@ -1491,6 +1491,21 @@ static void hv_pci_assign_slots(struct h
+ }
+ }
+
++/*
++ * Remove entries in sysfs pci slot directory.
++ */
++static void hv_pci_remove_slots(struct hv_pcibus_device *hbus)
++{
++ struct hv_pci_dev *hpdev;
++
++ list_for_each_entry(hpdev, &hbus->children, list_entry) {
++ if (!hpdev->pci_slot)
++ continue;
++ pci_destroy_slot(hpdev->pci_slot);
++ hpdev->pci_slot = NULL;
++ }
++}
++
+ /**
+ * create_root_hv_pci_bus() - Expose a new root PCI bus
+ * @hbus: Root PCI bus, as understood by this driver
+@@ -2685,6 +2700,7 @@ static int hv_pci_remove(struct hv_devic
+ pci_lock_rescan_remove();
+ pci_stop_root_bus(hbus->pci_bus);
+ pci_remove_root_bus(hbus->pci_bus);
++ hv_pci_remove_slots(hbus);
+ pci_unlock_rescan_remove();
+ hbus->state = hv_pcibus_removed;
+ }
--- /dev/null
+From 340d455699400f2c2c0f9b3f703ade3085cdb501 Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Mon, 4 Mar 2019 21:34:49 +0000
+Subject: PCI: hv: Add pci_destroy_slot() in pci_devices_present_work(), if necessary
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 340d455699400f2c2c0f9b3f703ade3085cdb501 upstream.
+
+When we hot-remove a device, usually the host sends us a PCI_EJECT message,
+and a PCI_BUS_RELATIONS message with bus_rel->device_count == 0.
+
+When we execute the quick hot-add/hot-remove test, the host may not send
+us the PCI_EJECT message if the guest has not fully finished the
+initialization by sending the PCI_RESOURCES_ASSIGNED* message to the
+host, so it's potentially unsafe to only depend on the
+pci_destroy_slot() in hv_eject_device_work() because the code path
+
+create_root_hv_pci_bus()
+ -> hv_pci_assign_slots()
+
+is not called in this case. Note: in this case, the host still sends the
+guest a PCI_BUS_RELATIONS message with bus_rel->device_count == 0.
+
+In the quick hot-add/hot-remove test, we can have such a race before
+the code path
+
+pci_devices_present_work()
+ -> new_pcichild_device()
+
+adds the new device into the hbus->children list, we may have already
+received the PCI_EJECT message, and since the tasklet handler
+
+hv_pci_onchannelcallback()
+
+may fail to find the "hpdev" by calling
+
+get_pcichild_wslot(hbus, dev_message->wslot.slot)
+
+hv_pci_eject_device() is not called; Later, by continuing execution
+
+create_root_hv_pci_bus()
+ -> hv_pci_assign_slots()
+
+creates the slot and the PCI_BUS_RELATIONS message with
+bus_rel->device_count == 0 removes the device from hbus->children, and
+we end up being unable to remove the slot in
+
+hv_pci_remove()
+ -> hv_pci_remove_slots()
+
+Remove the slot in pci_devices_present_work() when the device
+is removed to address this race.
+
+pci_devices_present_work() and hv_eject_device_work() run in the
+singled-threaded hbus->wq, so there is not a double-remove issue for the
+slot.
+
+We cannot offload hv_pci_eject_device() from hv_pci_onchannelcallback()
+to the workqueue, because we need the hv_pci_onchannelcallback()
+synchronously call hv_pci_eject_device() to poll the channel
+ringbuffer to work around the "hangs in hv_compose_msi_msg()" issue
+fixed in commit de0aa7b2f97d ("PCI: hv: Fix 2 hang issues in
+hv_compose_msi_msg()")
+
+Fixes: a15f2c08c708 ("PCI: hv: support reporting serial number as slot information")
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+[lorenzo.pieralisi@arm.com: rewritten commit log]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/controller/pci-hyperv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/controller/pci-hyperv.c
++++ b/drivers/pci/controller/pci-hyperv.c
+@@ -1781,6 +1781,10 @@ static void pci_devices_present_work(str
+ hpdev = list_first_entry(&removed, struct hv_pci_dev,
+ list_entry);
+ list_del(&hpdev->list_entry);
++
++ if (hpdev->pci_slot)
++ pci_destroy_slot(hpdev->pci_slot);
++
+ put_pcichild(hpdev);
+ }
+
--- /dev/null
+From 05f151a73ec2b23ffbff706e5203e729a995cdc2 Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Mon, 4 Mar 2019 21:34:48 +0000
+Subject: PCI: hv: Fix a memory leak in hv_eject_device_work()
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 05f151a73ec2b23ffbff706e5203e729a995cdc2 upstream.
+
+When a device is created in new_pcichild_device(), hpdev->refs is set
+to 2 (i.e. the initial value of 1 plus the get_pcichild()).
+
+When we hot remove the device from the host, in a Linux VM we first call
+hv_pci_eject_device(), which increases hpdev->refs by get_pcichild() and
+then schedules a work of hv_eject_device_work(), so hpdev->refs becomes
+3 (let's ignore the paired get/put_pcichild() in other places). But in
+hv_eject_device_work(), currently we only call put_pcichild() twice,
+meaning the 'hpdev' struct can't be freed in put_pcichild().
+
+Add one put_pcichild() to fix the memory leak.
+
+The device can also be removed when we run "rmmod pci-hyperv". On this
+path (hv_pci_remove() -> hv_pci_bus_exit() -> hv_pci_devices_present()),
+hpdev->refs is 2, and we do correctly call put_pcichild() twice in
+pci_devices_present_work().
+
+Fixes: 4daace0d8ce8 ("PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs")
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+[lorenzo.pieralisi@arm.com: commit log rework]
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/controller/pci-hyperv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/pci/controller/pci-hyperv.c
++++ b/drivers/pci/controller/pci-hyperv.c
+@@ -1905,6 +1905,9 @@ static void hv_eject_device_work(struct
+ sizeof(*ejct_pkt), (unsigned long)&ctxt.pkt,
+ VM_PKT_DATA_INBAND, 0);
+
++ /* For the get_pcichild() in hv_pci_eject_device() */
++ put_pcichild(hpdev);
++ /* For the two refs got in new_pcichild_device() */
+ put_pcichild(hpdev);
+ put_pcichild(hpdev);
+ put_hvpcibus(hpdev->hbus);
--- /dev/null
+From f39356261c265a0689d7ee568132d516e8b6cecc Mon Sep 17 00:00:00 2001
+From: Rick Lindsley <ricklind@linux.vnet.ibm.com>
+Date: Sun, 5 May 2019 17:20:43 -0700
+Subject: powerpc/book3s/64: check for NULL pointer in pgd_alloc()
+
+From: Rick Lindsley <ricklind@linux.vnet.ibm.com>
+
+commit f39356261c265a0689d7ee568132d516e8b6cecc upstream.
+
+When the memset code was added to pgd_alloc(), it failed to consider
+that kmem_cache_alloc() can return NULL. It's uncommon, but not
+impossible under heavy memory contention. Example oops:
+
+ Unable to handle kernel paging request for data at address 0x00000000
+ Faulting instruction address: 0xc0000000000a4000
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ LE SMP NR_CPUS=2048 NUMA pSeries
+ CPU: 70 PID: 48471 Comm: entrypoint.sh Kdump: loaded Not tainted 4.14.0-115.6.1.el7a.ppc64le #1
+ task: c000000334a00000 task.stack: c000000331c00000
+ NIP: c0000000000a4000 LR: c00000000012f43c CTR: 0000000000000020
+ REGS: c000000331c039c0 TRAP: 0300 Not tainted (4.14.0-115.6.1.el7a.ppc64le)
+ MSR: 800000010280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE,TM[E]> CR: 44022840 XER: 20040000
+ CFAR: c000000000008874 DAR: 0000000000000000 DSISR: 42000000 SOFTE: 1
+ ...
+ NIP [c0000000000a4000] memset+0x68/0x104
+ LR [c00000000012f43c] mm_init+0x27c/0x2f0
+ Call Trace:
+ mm_init+0x260/0x2f0 (unreliable)
+ copy_mm+0x11c/0x638
+ copy_process.isra.28.part.29+0x6fc/0x1080
+ _do_fork+0xdc/0x4c0
+ ppc_clone+0x8/0xc
+ Instruction dump:
+ 409e000c b0860000 38c60002 409d000c 90860000 38c60004 78a0d183 78a506a0
+ 7c0903a6 41820034 60000000 60420000 <f8860000> f8860008 f8860010 f8860018
+
+Fixes: fc5c2f4a55a2 ("powerpc/mm/hash64: Zero PGD pages on allocation")
+Cc: stable@vger.kernel.org # v4.16+
+Signed-off-by: Rick Lindsley <ricklind@vnet.linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/book3s/64/pgalloc.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/powerpc/include/asm/book3s/64/pgalloc.h
++++ b/arch/powerpc/include/asm/book3s/64/pgalloc.h
+@@ -81,6 +81,9 @@ static inline pgd_t *pgd_alloc(struct mm
+
+ pgd = kmem_cache_alloc(PGT_CACHE(PGD_INDEX_SIZE),
+ pgtable_gfp_flags(mm, GFP_KERNEL));
++ if (unlikely(!pgd))
++ return pgd;
++
+ /*
+ * Don't scan the PGD for pointers, it contains references to PUDs but
+ * those references are not full pointers and so can't be recognised by
--- /dev/null
+From 5266e58d6cd90ac85c187d673093ad9cb649e16d Mon Sep 17 00:00:00 2001
+From: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+Date: Mon, 15 Apr 2019 14:52:11 +0300
+Subject: powerpc/booke64: set RI in default MSR
+
+From: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+
+commit 5266e58d6cd90ac85c187d673093ad9cb649e16d upstream.
+
+Set RI in the default kernel's MSR so that the architected way of
+detecting unrecoverable machine check interrupts has a chance to work.
+This is inline with the MSR setup of the rest of booke powerpc
+architectures configured here.
+
+Signed-off-by: Laurentiu Tudor <laurentiu.tudor@nxp.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/reg_booke.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/reg_booke.h
++++ b/arch/powerpc/include/asm/reg_booke.h
+@@ -41,7 +41,7 @@
+ #if defined(CONFIG_PPC_BOOK3E_64)
+ #define MSR_64BIT MSR_CM
+
+-#define MSR_ (MSR_ME | MSR_CE)
++#define MSR_ (MSR_ME | MSR_RI | MSR_CE)
+ #define MSR_KERNEL (MSR_ | MSR_64BIT)
+ #define MSR_USER32 (MSR_ | MSR_PR | MSR_EE)
+ #define MSR_USER64 (MSR_USER32 | MSR_64BIT)
--- /dev/null
+From a3f3072db6cad40895c585dce65e36aab997f042 Mon Sep 17 00:00:00 2001
+From: Russell Currey <ruscur@russell.cc>
+Date: Thu, 18 Apr 2019 16:51:16 +1000
+Subject: powerpc/powernv/idle: Restore IAMR after idle
+
+From: Russell Currey <ruscur@russell.cc>
+
+commit a3f3072db6cad40895c585dce65e36aab997f042 upstream.
+
+Without restoring the IAMR after idle, execution prevention on POWER9
+with Radix MMU is overwritten and the kernel can freely execute
+userspace without faulting.
+
+This is necessary when returning from any stop state that modifies
+user state, as well as hypervisor state.
+
+To test how this fails without this patch, load the lkdtm driver and
+do the following:
+
+ $ echo EXEC_USERSPACE > /sys/kernel/debug/provoke-crash/DIRECT
+
+which won't fault, then boot the kernel with powersave=off, where it
+will fault. Applying this patch will fix this.
+
+Fixes: 3b10d0095a1e ("powerpc/mm/radix: Prevent kernel execution of user space")
+Cc: stable@vger.kernel.org # v4.10+
+Signed-off-by: Russell Currey <ruscur@russell.cc>
+Reviewed-by: Akshay Adiga <akshay.adiga@linux.vnet.ibm.com>
+Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/idle_book3s.S | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/arch/powerpc/kernel/idle_book3s.S
++++ b/arch/powerpc/kernel/idle_book3s.S
+@@ -170,6 +170,9 @@ core_idle_lock_held:
+ bne- core_idle_lock_held
+ blr
+
++/* Reuse an unused pt_regs slot for IAMR */
++#define PNV_POWERSAVE_IAMR _DAR
++
+ /*
+ * Pass requested state in r3:
+ * r3 - PNV_THREAD_NAP/SLEEP/WINKLE in POWER8
+@@ -200,6 +203,12 @@ pnv_powersave_common:
+ /* Continue saving state */
+ SAVE_GPR(2, r1)
+ SAVE_NVGPRS(r1)
++
++BEGIN_FTR_SECTION
++ mfspr r5, SPRN_IAMR
++ std r5, PNV_POWERSAVE_IAMR(r1)
++END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
++
+ mfcr r5
+ std r5,_CCR(r1)
+ std r1,PACAR1(r13)
+@@ -924,6 +933,17 @@ BEGIN_FTR_SECTION
+ END_FTR_SECTION_IFSET(CPU_FTR_HVMODE)
+ REST_NVGPRS(r1)
+ REST_GPR(2, r1)
++
++BEGIN_FTR_SECTION
++ /* IAMR was saved in pnv_powersave_common() */
++ ld r5, PNV_POWERSAVE_IAMR(r1)
++ mtspr SPRN_IAMR, r5
++ /*
++ * We don't need an isync here because the upcoming mtmsrd is
++ * execution synchronizing.
++ */
++END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
++
+ ld r4,PACAKMSR(r13)
+ ld r5,_LINK(r1)
+ ld r6,_CCR(r1)
net-phy-fix-phy_validate_pause.patch
flow_dissector-disable-preemption-around-bpf-calls.patch
isdn-bas_gigaset-use-usb_fill_int_urb-properly.patch
+drivers-virt-fsl_hypervisor.c-dereferencing-error-pointers-in-ioctl.patch
+drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
+powerpc-book3s-64-check-for-null-pointer-in-pgd_alloc.patch
+powerpc-powernv-idle-restore-iamr-after-idle.patch
+powerpc-booke64-set-ri-in-default-msr.patch
+virtio_ring-fix-potential-mem-leak-in-virtqueue_add_indirect_packed.patch
+pci-hv-fix-a-memory-leak-in-hv_eject_device_work.patch
+pci-hv-add-hv_pci_remove_slots-when-we-unload-the-driver.patch
+pci-hv-add-pci_destroy_slot-in-pci_devices_present_work-if-necessary.patch
+f2fs-fix-use-of-number-of-devices.patch
--- /dev/null
+From df0bfe7501e9319546ea380d39674a4179e059c3 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 12 Mar 2019 15:06:53 +0800
+Subject: virtio_ring: Fix potential mem leak in virtqueue_add_indirect_packed
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit df0bfe7501e9319546ea380d39674a4179e059c3 upstream.
+
+'desc' should be freed before leaving from err handing path.
+
+Fixes: 1ce9e6055fa0 ("virtio_ring: introduce packed ring support")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio_ring.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/virtio/virtio_ring.c
++++ b/drivers/virtio/virtio_ring.c
+@@ -993,6 +993,7 @@ static int virtqueue_add_indirect_packed
+
+ if (unlikely(vq->vq.num_free < 1)) {
+ pr_debug("Can't add buf len 1 - avail = 0\n");
++ kfree(desc);
+ END_USE(vq);
+ return -ENOSPC;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
