--- /dev/null
+From d5b42e6607661b198d8b26a0c30969605b1bf5c7 Mon Sep 17 00:00:00 2001
+From: Wolfgang Grandegger <wg@grandegger.com>
+Date: Wed, 13 Dec 2017 19:52:23 +0100
+Subject: can: gs_usb: fix return value of the "set_bittiming" callback
+
+From: Wolfgang Grandegger <wg@grandegger.com>
+
+commit d5b42e6607661b198d8b26a0c30969605b1bf5c7 upstream.
+
+The "set_bittiming" callback treats a positive return value as error!
+For that reason "can_changelink()" will quit silently after setting
+the bittiming values without processing ctrlmode, restart-ms, etc.
+
+Signed-off-by: Wolfgang Grandegger <wg@grandegger.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/gs_usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -430,7 +430,7 @@ static int gs_usb_set_bittiming(struct n
+ dev_err(netdev->dev.parent, "Couldn't set bittimings (err=%d)",
+ rc);
+
+- return rc;
++ return (rc > 0) ? 0 : rc;
+ }
+
+ static void gs_usb_xmit_callback(struct urb *urb)
--- /dev/null
+From bec40c26041de61162f7be9d2ce548c756ce0f65 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Wed, 3 Jan 2018 13:39:15 -0800
+Subject: IB/srpt: Disable RDMA access by the initiator
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+commit bec40c26041de61162f7be9d2ce548c756ce0f65 upstream.
+
+With the SRP protocol all RDMA operations are initiated by the target.
+Since no RDMA operations are initiated by the initiator, do not grant
+the initiator permission to submit RDMA reads or writes to the target.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -957,8 +957,7 @@ static int srpt_init_ch_qp(struct srpt_r
+ return -ENOMEM;
+
+ attr->qp_state = IB_QPS_INIT;
+- attr->qp_access_flags = IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_READ |
+- IB_ACCESS_REMOTE_WRITE;
++ attr->qp_access_flags = IB_ACCESS_LOCAL_WRITE;
+ attr->port_num = ch->sport->port;
+ attr->pkey_index = 0;
+
--- /dev/null
+From 0cb5b30698fdc8f6b4646012e3acb4ddce430788 Mon Sep 17 00:00:00 2001
+From: Jim Mattson <jmattson@google.com>
+Date: Wed, 3 Jan 2018 14:31:38 -0800
+Subject: kvm: vmx: Scrub hardware GPRs at VM-exit
+
+From: Jim Mattson <jmattson@google.com>
+
+commit 0cb5b30698fdc8f6b4646012e3acb4ddce430788 upstream.
+
+Guest GPR values are live in the hardware GPRs at VM-exit. Do not
+leave any guest values in hardware GPRs after the guest GPR values are
+saved to the vcpu_vmx structure.
+
+This is a partial mitigation for CVE 2017-5715 and CVE 2017-5753.
+Specifically, it defeats the Project Zero PoC for CVE 2017-5715.
+
+Suggested-by: Eric Northup <digitaleric@google.com>
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: Eric Northup <digitaleric@google.com>
+Reviewed-by: Benjamin Serebrin <serebrin@google.com>
+Reviewed-by: Andrew Honig <ahonig@google.com>
+[Paolo: Add AMD bits, Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/svm.c | 19 +++++++++++++++++++
+ arch/x86/kvm/vmx.c | 14 +++++++++++++-
+ 2 files changed, 32 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3856,6 +3856,25 @@ static void svm_vcpu_run(struct kvm_vcpu
+ "mov %%r14, %c[r14](%[svm]) \n\t"
+ "mov %%r15, %c[r15](%[svm]) \n\t"
+ #endif
++ /*
++ * Clear host registers marked as clobbered to prevent
++ * speculative use.
++ */
++ "xor %%" _ASM_BX ", %%" _ASM_BX " \n\t"
++ "xor %%" _ASM_CX ", %%" _ASM_CX " \n\t"
++ "xor %%" _ASM_DX ", %%" _ASM_DX " \n\t"
++ "xor %%" _ASM_SI ", %%" _ASM_SI " \n\t"
++ "xor %%" _ASM_DI ", %%" _ASM_DI " \n\t"
++#ifdef CONFIG_X86_64
++ "xor %%r8, %%r8 \n\t"
++ "xor %%r9, %%r9 \n\t"
++ "xor %%r10, %%r10 \n\t"
++ "xor %%r11, %%r11 \n\t"
++ "xor %%r12, %%r12 \n\t"
++ "xor %%r13, %%r13 \n\t"
++ "xor %%r14, %%r14 \n\t"
++ "xor %%r15, %%r15 \n\t"
++#endif
+ "pop %%" _ASM_BP
+ :
+ : [svm]"a"(svm),
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -8623,6 +8623,7 @@ static void __noclone vmx_vcpu_run(struc
+ /* Save guest registers, load host registers, keep flags */
+ "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
+ "pop %0 \n\t"
++ "setbe %c[fail](%0)\n\t"
+ "mov %%" _ASM_AX ", %c[rax](%0) \n\t"
+ "mov %%" _ASM_BX ", %c[rbx](%0) \n\t"
+ __ASM_SIZE(pop) " %c[rcx](%0) \n\t"
+@@ -8639,12 +8640,23 @@ static void __noclone vmx_vcpu_run(struc
+ "mov %%r13, %c[r13](%0) \n\t"
+ "mov %%r14, %c[r14](%0) \n\t"
+ "mov %%r15, %c[r15](%0) \n\t"
++ "xor %%r8d, %%r8d \n\t"
++ "xor %%r9d, %%r9d \n\t"
++ "xor %%r10d, %%r10d \n\t"
++ "xor %%r11d, %%r11d \n\t"
++ "xor %%r12d, %%r12d \n\t"
++ "xor %%r13d, %%r13d \n\t"
++ "xor %%r14d, %%r14d \n\t"
++ "xor %%r15d, %%r15d \n\t"
+ #endif
+ "mov %%cr2, %%" _ASM_AX " \n\t"
+ "mov %%" _ASM_AX ", %c[cr2](%0) \n\t"
+
++ "xor %%eax, %%eax \n\t"
++ "xor %%ebx, %%ebx \n\t"
++ "xor %%esi, %%esi \n\t"
++ "xor %%edi, %%edi \n\t"
+ "pop %%" _ASM_BP "; pop %%" _ASM_DX " \n\t"
+- "setbe %c[fail](%0) \n\t"
+ ".pushsection .rodata \n\t"
+ ".global vmx_return \n\t"
+ "vmx_return: " _ASM_PTR " 2b \n\t"
--- /dev/null
+From 006501e039eec411842bb3150c41358867d320c2 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@mips.com>
+Date: Mon, 11 Dec 2017 22:55:40 +0000
+Subject: MIPS: Also verify sizeof `elf_fpreg_t' with PTRACE_SETREGSET
+
+From: Maciej W. Rozycki <macro@mips.com>
+
+commit 006501e039eec411842bb3150c41358867d320c2 upstream.
+
+Complement commit d614fd58a283 ("mips/ptrace: Preserve previous
+registers for short regset write") and like with the PTRACE_GETREGSET
+ptrace(2) request also apply a BUILD_BUG_ON check for the size of the
+`elf_fpreg_t' type in the PTRACE_SETREGSET request handler.
+
+Signed-off-by: Maciej W. Rozycki <macro@mips.com>
+Fixes: d614fd58a283 ("mips/ptrace: Preserve previous registers for short regset write")
+Cc: James Hogan <james.hogan@mips.com>
+Cc: Paul Burton <Paul.Burton@mips.com>
+Cc: Alex Smith <alex@alex-smith.me.uk>
+Cc: Dave Martin <Dave.Martin@arm.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/17929/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/ptrace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -467,6 +467,7 @@ static int fpr_get_msa(struct task_struc
+ u64 fpr_val;
+ int err;
+
++ BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t));
+ for (i = 0; i < NUM_FPU_REGS; i++) {
+ fpr_val = get_fpr64(&target->thread.fpu.fpr[i], 0);
+ err = user_regset_copyout(pos, count, kbuf, ubuf,
--- /dev/null
+From 80b3ffce0196ea50068885d085ff981e4b8396f4 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@mips.com>
+Date: Mon, 11 Dec 2017 22:53:14 +0000
+Subject: MIPS: Consistently handle buffer counter with PTRACE_SETREGSET
+
+From: Maciej W. Rozycki <macro@mips.com>
+
+commit 80b3ffce0196ea50068885d085ff981e4b8396f4 upstream.
+
+Update commit d614fd58a283 ("mips/ptrace: Preserve previous registers
+for short regset write") bug and consistently consume all data supplied
+to `fpr_set_msa' with the ptrace(2) PTRACE_SETREGSET request, such that
+a zero data buffer counter is returned where insufficient data has been
+given to fill a whole number of FP general registers.
+
+In reality this is not going to happen, as the caller is supposed to
+only supply data covering a whole number of registers and it is verified
+in `ptrace_regset' and again asserted in `fpr_set', however structuring
+code such that the presence of trailing partial FP general register data
+causes `fpr_set_msa' to return with a non-zero data buffer counter makes
+it appear that this trailing data will be used if there are subsequent
+writes made to FP registers, which is going to be the case with the FCSR
+once the missing write to that register has been fixed.
+
+Fixes: d614fd58a283 ("mips/ptrace: Preserve previous registers for short regset write")
+Signed-off-by: Maciej W. Rozycki <macro@mips.com>
+Cc: James Hogan <james.hogan@mips.com>
+Cc: Paul Burton <Paul.Burton@mips.com>
+Cc: Alex Smith <alex@alex-smith.me.uk>
+Cc: Dave Martin <Dave.Martin@arm.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/17927/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/ptrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -524,7 +524,7 @@ static int fpr_set_msa(struct task_struc
+ int err;
+
+ BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t));
+- for (i = 0; i < NUM_FPU_REGS && *count >= sizeof(elf_fpreg_t); i++) {
++ for (i = 0; i < NUM_FPU_REGS && *count > 0; i++) {
+ err = user_regset_copyin(pos, count, kbuf, ubuf,
+ &fpr_val, i * sizeof(elf_fpreg_t),
+ (i + 1) * sizeof(elf_fpreg_t));
--- /dev/null
+From c8c5a3a24d395b14447a9a89d61586a913840a3b Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@mips.com>
+Date: Mon, 11 Dec 2017 22:56:54 +0000
+Subject: MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses
+
+From: Maciej W. Rozycki <macro@mips.com>
+
+commit c8c5a3a24d395b14447a9a89d61586a913840a3b upstream.
+
+Complement commit c23b3d1a5311 ("MIPS: ptrace: Change GP regset to use
+correct core dump register layout") and also reject outsized
+PTRACE_SETREGSET requests to the NT_PRFPREG regset, like with the
+NT_PRSTATUS regset.
+
+Signed-off-by: Maciej W. Rozycki <macro@mips.com>
+Fixes: c23b3d1a5311 ("MIPS: ptrace: Change GP regset to use correct core dump register layout")
+Cc: James Hogan <james.hogan@mips.com>
+Cc: Paul Burton <Paul.Burton@mips.com>
+Cc: Alex Smith <alex@alex-smith.me.uk>
+Cc: Dave Martin <Dave.Martin@arm.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/17930/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/ptrace.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -570,6 +570,9 @@ static int fpr_set(struct task_struct *t
+
+ BUG_ON(count % sizeof(elf_fpreg_t));
+
++ if (pos + count > sizeof(elf_fpregset_t))
++ return -EIO;
++
+ init_fp_ctx(target);
+
+ if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))
--- /dev/null
+From a03fe72572c12e98f4173f8a535f32468e48b6ec Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@mips.com>
+Date: Mon, 11 Dec 2017 22:51:35 +0000
+Subject: MIPS: Factor out NT_PRFPREG regset access helpers
+
+From: Maciej W. Rozycki <macro@mips.com>
+
+commit a03fe72572c12e98f4173f8a535f32468e48b6ec upstream.
+
+In preparation to fix a commit 72b22bbad1e7 ("MIPS: Don't assume 64-bit
+FP registers for FP regset") FCSR access regression factor out
+NT_PRFPREG regset access helpers for the non-MSA and the MSA variants
+respectively, to avoid having to deal with excessive indentation in the
+actual fix.
+
+No functional change, however use `target->thread.fpu.fpr[0]' rather
+than `target->thread.fpu.fpr[i]' for FGR holding type size determination
+as there's no `i' variable to refer to anymore, and for the factored out
+`i' variable declaration use `unsigned int' rather than `unsigned' as
+its type, following the common style.
+
+Signed-off-by: Maciej W. Rozycki <macro@mips.com>
+Fixes: 72b22bbad1e7 ("MIPS: Don't assume 64-bit FP registers for FP regset")
+Cc: James Hogan <james.hogan@mips.com>
+Cc: Paul Burton <Paul.Burton@mips.com>
+Cc: Alex Smith <alex@alex-smith.me.uk>
+Cc: Dave Martin <Dave.Martin@arm.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/17925/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/ptrace.c | 108 +++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 83 insertions(+), 25 deletions(-)
+
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -439,25 +439,36 @@ static int gpr64_set(struct task_struct
+
+ #endif /* CONFIG_64BIT */
+
+-static int fpr_get(struct task_struct *target,
+- const struct user_regset *regset,
+- unsigned int pos, unsigned int count,
+- void *kbuf, void __user *ubuf)
++/*
++ * Copy the floating-point context to the supplied NT_PRFPREG buffer,
++ * !CONFIG_CPU_HAS_MSA variant. FP context's general register slots
++ * correspond 1:1 to buffer slots.
++ */
++static int fpr_get_fpa(struct task_struct *target,
++ unsigned int *pos, unsigned int *count,
++ void **kbuf, void __user **ubuf)
+ {
+- unsigned i;
+- int err;
+- u64 fpr_val;
+-
+- /* XXX fcr31 */
++ return user_regset_copyout(pos, count, kbuf, ubuf,
++ &target->thread.fpu,
++ 0, sizeof(elf_fpregset_t));
++}
+
+- if (sizeof(target->thread.fpu.fpr[i]) == sizeof(elf_fpreg_t))
+- return user_regset_copyout(&pos, &count, &kbuf, &ubuf,
+- &target->thread.fpu,
+- 0, sizeof(elf_fpregset_t));
++/*
++ * Copy the floating-point context to the supplied NT_PRFPREG buffer,
++ * CONFIG_CPU_HAS_MSA variant. Only lower 64 bits of FP context's
++ * general register slots are copied to buffer slots.
++ */
++static int fpr_get_msa(struct task_struct *target,
++ unsigned int *pos, unsigned int *count,
++ void **kbuf, void __user **ubuf)
++{
++ unsigned int i;
++ u64 fpr_val;
++ int err;
+
+ for (i = 0; i < NUM_FPU_REGS; i++) {
+ fpr_val = get_fpr64(&target->thread.fpu.fpr[i], 0);
+- err = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
++ err = user_regset_copyout(pos, count, kbuf, ubuf,
+ &fpr_val, i * sizeof(elf_fpreg_t),
+ (i + 1) * sizeof(elf_fpreg_t));
+ if (err)
+@@ -467,27 +478,54 @@ static int fpr_get(struct task_struct *t
+ return 0;
+ }
+
+-static int fpr_set(struct task_struct *target,
++/* Copy the floating-point context to the supplied NT_PRFPREG buffer. */
++static int fpr_get(struct task_struct *target,
+ const struct user_regset *regset,
+ unsigned int pos, unsigned int count,
+- const void *kbuf, const void __user *ubuf)
++ void *kbuf, void __user *ubuf)
+ {
+- unsigned i;
+ int err;
+- u64 fpr_val;
+
+ /* XXX fcr31 */
+
+- init_fp_ctx(target);
++ if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))
++ err = fpr_get_fpa(target, &pos, &count, &kbuf, &ubuf);
++ else
++ err = fpr_get_msa(target, &pos, &count, &kbuf, &ubuf);
++
++ return err;
++}
+
+- if (sizeof(target->thread.fpu.fpr[i]) == sizeof(elf_fpreg_t))
+- return user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+- &target->thread.fpu,
+- 0, sizeof(elf_fpregset_t));
++/*
++ * Copy the supplied NT_PRFPREG buffer to the floating-point context,
++ * !CONFIG_CPU_HAS_MSA variant. Buffer slots correspond 1:1 to FP
++ * context's general register slots.
++ */
++static int fpr_set_fpa(struct task_struct *target,
++ unsigned int *pos, unsigned int *count,
++ const void **kbuf, const void __user **ubuf)
++{
++ return user_regset_copyin(pos, count, kbuf, ubuf,
++ &target->thread.fpu,
++ 0, sizeof(elf_fpregset_t));
++}
++
++/*
++ * Copy the supplied NT_PRFPREG buffer to the floating-point context,
++ * CONFIG_CPU_HAS_MSA variant. Buffer slots are copied to lower 64
++ * bits only of FP context's general register slots.
++ */
++static int fpr_set_msa(struct task_struct *target,
++ unsigned int *pos, unsigned int *count,
++ const void **kbuf, const void __user **ubuf)
++{
++ unsigned int i;
++ u64 fpr_val;
++ int err;
+
+ BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t));
+- for (i = 0; i < NUM_FPU_REGS && count >= sizeof(elf_fpreg_t); i++) {
+- err = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
++ for (i = 0; i < NUM_FPU_REGS && *count >= sizeof(elf_fpreg_t); i++) {
++ err = user_regset_copyin(pos, count, kbuf, ubuf,
+ &fpr_val, i * sizeof(elf_fpreg_t),
+ (i + 1) * sizeof(elf_fpreg_t));
+ if (err)
+@@ -498,6 +536,26 @@ static int fpr_set(struct task_struct *t
+ return 0;
+ }
+
++/* Copy the supplied NT_PRFPREG buffer to the floating-point context. */
++static int fpr_set(struct task_struct *target,
++ const struct user_regset *regset,
++ unsigned int pos, unsigned int count,
++ const void *kbuf, const void __user *ubuf)
++{
++ int err;
++
++ /* XXX fcr31 */
++
++ init_fp_ctx(target);
++
++ if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))
++ err = fpr_set_fpa(target, &pos, &count, &kbuf, &ubuf);
++ else
++ err = fpr_set_msa(target, &pos, &count, &kbuf, &ubuf);
++
++ return err;
++}
++
+ enum mips_regset {
+ REGSET_GPR,
+ REGSET_FPR,
--- /dev/null
+From be07a6a1188372b6d19a3307ec33211fc9c9439d Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@mips.com>
+Date: Mon, 11 Dec 2017 22:54:33 +0000
+Subject: MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA
+
+From: Maciej W. Rozycki <macro@mips.com>
+
+commit be07a6a1188372b6d19a3307ec33211fc9c9439d upstream.
+
+Fix a commit 72b22bbad1e7 ("MIPS: Don't assume 64-bit FP registers for
+FP regset") public API regression, then activated by commit 1db1af84d6df
+("MIPS: Basic MSA context switching support"), that caused the FCSR
+register not to be read or written for CONFIG_CPU_HAS_MSA kernel
+configurations (regardless of actual presence or absence of the MSA
+feature in a given processor) with ptrace(2) PTRACE_GETREGSET and
+PTRACE_SETREGSET requests nor recorded in core dumps.
+
+This is because with !CONFIG_CPU_HAS_MSA configurations the whole of
+`elf_fpregset_t' array is bulk-copied as it is, which includes the FCSR
+in one half of the last, 33rd slot, whereas with CONFIG_CPU_HAS_MSA
+configurations array elements are copied individually, and then only the
+leading 32 FGR slots while the remaining slot is ignored.
+
+Correct the code then such that only FGR slots are copied in the
+respective !MSA and MSA helpers an then the FCSR slot is handled
+separately in common code. Use `ptrace_setfcr31' to update the FCSR
+too, so that the read-only mask is respected.
+
+Retrieving a correct value of FCSR is important in debugging not only
+for the human to be able to get the right interpretation of the
+situation, but for correct operation of GDB as well. This is because
+the condition code bits in FSCR are used by GDB to determine the
+location to place a breakpoint at when single-stepping through an FPU
+branch instruction. If such a breakpoint is placed incorrectly (i.e.
+with the condition reversed), then it will be missed, likely causing the
+debuggee to run away from the control of GDB and consequently breaking
+the process of investigation.
+
+Fortunately GDB continues using the older PTRACE_GETFPREGS ptrace(2)
+request which is unaffected, so the regression only really hits with
+post-mortem debug sessions using a core dump file, in which case
+execution, and consequently single-stepping through branches is not
+possible. Of course core files created by buggy kernels out there will
+have the value of FCSR recorded clobbered, but such core files cannot be
+corrected and the person using them simply will have to be aware that
+the value of FCSR retrieved is not reliable.
+
+Which also means we can likely get away without defining a replacement
+API which would ensure a correct value of FSCR to be retrieved, or none
+at all.
+
+This is based on previous work by Alex Smith, extensively rewritten.
+
+Signed-off-by: Alex Smith <alex@alex-smith.me.uk>
+Signed-off-by: James Hogan <james.hogan@mips.com>
+Signed-off-by: Maciej W. Rozycki <macro@mips.com>
+Fixes: 72b22bbad1e7 ("MIPS: Don't assume 64-bit FP registers for FP regset")
+Cc: Paul Burton <Paul.Burton@mips.com>
+Cc: Dave Martin <Dave.Martin@arm.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/17928/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/ptrace.c | 47 +++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 36 insertions(+), 11 deletions(-)
+
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -442,7 +442,7 @@ static int gpr64_set(struct task_struct
+ /*
+ * Copy the floating-point context to the supplied NT_PRFPREG buffer,
+ * !CONFIG_CPU_HAS_MSA variant. FP context's general register slots
+- * correspond 1:1 to buffer slots.
++ * correspond 1:1 to buffer slots. Only general registers are copied.
+ */
+ static int fpr_get_fpa(struct task_struct *target,
+ unsigned int *pos, unsigned int *count,
+@@ -450,13 +450,14 @@ static int fpr_get_fpa(struct task_struc
+ {
+ return user_regset_copyout(pos, count, kbuf, ubuf,
+ &target->thread.fpu,
+- 0, sizeof(elf_fpregset_t));
++ 0, NUM_FPU_REGS * sizeof(elf_fpreg_t));
+ }
+
+ /*
+ * Copy the floating-point context to the supplied NT_PRFPREG buffer,
+ * CONFIG_CPU_HAS_MSA variant. Only lower 64 bits of FP context's
+- * general register slots are copied to buffer slots.
++ * general register slots are copied to buffer slots. Only general
++ * registers are copied.
+ */
+ static int fpr_get_msa(struct task_struct *target,
+ unsigned int *pos, unsigned int *count,
+@@ -478,20 +479,29 @@ static int fpr_get_msa(struct task_struc
+ return 0;
+ }
+
+-/* Copy the floating-point context to the supplied NT_PRFPREG buffer. */
++/*
++ * Copy the floating-point context to the supplied NT_PRFPREG buffer.
++ * Choose the appropriate helper for general registers, and then copy
++ * the FCSR register separately.
++ */
+ static int fpr_get(struct task_struct *target,
+ const struct user_regset *regset,
+ unsigned int pos, unsigned int count,
+ void *kbuf, void __user *ubuf)
+ {
++ const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t);
+ int err;
+
+- /* XXX fcr31 */
+-
+ if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))
+ err = fpr_get_fpa(target, &pos, &count, &kbuf, &ubuf);
+ else
+ err = fpr_get_msa(target, &pos, &count, &kbuf, &ubuf);
++ if (err)
++ return err;
++
++ err = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
++ &target->thread.fpu.fcr31,
++ fcr31_pos, fcr31_pos + sizeof(u32));
+
+ return err;
+ }
+@@ -499,7 +509,7 @@ static int fpr_get(struct task_struct *t
+ /*
+ * Copy the supplied NT_PRFPREG buffer to the floating-point context,
+ * !CONFIG_CPU_HAS_MSA variant. Buffer slots correspond 1:1 to FP
+- * context's general register slots.
++ * context's general register slots. Only general registers are copied.
+ */
+ static int fpr_set_fpa(struct task_struct *target,
+ unsigned int *pos, unsigned int *count,
+@@ -507,13 +517,14 @@ static int fpr_set_fpa(struct task_struc
+ {
+ return user_regset_copyin(pos, count, kbuf, ubuf,
+ &target->thread.fpu,
+- 0, sizeof(elf_fpregset_t));
++ 0, NUM_FPU_REGS * sizeof(elf_fpreg_t));
+ }
+
+ /*
+ * Copy the supplied NT_PRFPREG buffer to the floating-point context,
+ * CONFIG_CPU_HAS_MSA variant. Buffer slots are copied to lower 64
+- * bits only of FP context's general register slots.
++ * bits only of FP context's general register slots. Only general
++ * registers are copied.
+ */
+ static int fpr_set_msa(struct task_struct *target,
+ unsigned int *pos, unsigned int *count,
+@@ -538,6 +549,8 @@ static int fpr_set_msa(struct task_struc
+
+ /*
+ * Copy the supplied NT_PRFPREG buffer to the floating-point context.
++ * Choose the appropriate helper for general registers, and then copy
++ * the FCSR register separately.
+ *
+ * We optimize for the case where `count % sizeof(elf_fpreg_t) == 0',
+ * which is supposed to have been guaranteed by the kernel before
+@@ -550,18 +563,30 @@ static int fpr_set(struct task_struct *t
+ unsigned int pos, unsigned int count,
+ const void *kbuf, const void __user *ubuf)
+ {
++ const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t);
++ u32 fcr31;
+ int err;
+
+ BUG_ON(count % sizeof(elf_fpreg_t));
+
+- /* XXX fcr31 */
+-
+ init_fp_ctx(target);
+
+ if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))
+ err = fpr_set_fpa(target, &pos, &count, &kbuf, &ubuf);
+ else
+ err = fpr_set_msa(target, &pos, &count, &kbuf, &ubuf);
++ if (err)
++ return err;
++
++ if (count > 0) {
++ err = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
++ &fcr31,
++ fcr31_pos, fcr31_pos + sizeof(u32));
++ if (err)
++ return err;
++
++ ptrace_setfcr31(target, fcr31);
++ }
+
+ return err;
+ }
--- /dev/null
+From dc24d0edf33c3e15099688b6bbdf7bdc24bf6e91 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@mips.com>
+Date: Mon, 11 Dec 2017 22:52:15 +0000
+Subject: MIPS: Guard against any partial write attempt with PTRACE_SETREGSET
+
+From: Maciej W. Rozycki <macro@mips.com>
+
+commit dc24d0edf33c3e15099688b6bbdf7bdc24bf6e91 upstream.
+
+Complement commit d614fd58a283 ("mips/ptrace: Preserve previous
+registers for short regset write") and ensure that no partial register
+write attempt is made with PTRACE_SETREGSET, as we do not preinitialize
+any temporaries used to hold incoming register data and consequently
+random data could be written.
+
+It is the responsibility of the caller, such as `ptrace_regset', to
+arrange for writes to span whole registers only, so here we only assert
+that it has indeed happened.
+
+Signed-off-by: Maciej W. Rozycki <macro@mips.com>
+Fixes: 72b22bbad1e7 ("MIPS: Don't assume 64-bit FP registers for FP regset")
+Cc: James Hogan <james.hogan@mips.com>
+Cc: Paul Burton <Paul.Burton@mips.com>
+Cc: Alex Smith <alex@alex-smith.me.uk>
+Cc: Dave Martin <Dave.Martin@arm.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/17926/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/ptrace.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -536,7 +536,15 @@ static int fpr_set_msa(struct task_struc
+ return 0;
+ }
+
+-/* Copy the supplied NT_PRFPREG buffer to the floating-point context. */
++/*
++ * Copy the supplied NT_PRFPREG buffer to the floating-point context.
++ *
++ * We optimize for the case where `count % sizeof(elf_fpreg_t) == 0',
++ * which is supposed to have been guaranteed by the kernel before
++ * calling us, e.g. in `ptrace_regset'. We enforce that requirement,
++ * so that we can safely avoid preinitializing temporaries for
++ * partial register writes.
++ */
+ static int fpr_set(struct task_struct *target,
+ const struct user_regset *regset,
+ unsigned int pos, unsigned int count,
+@@ -544,6 +552,8 @@ static int fpr_set(struct task_struct *t
+ {
+ int err;
+
++ BUG_ON(count % sizeof(elf_fpreg_t));
++
+ /* XXX fcr31 */
+
+ init_fp_ctx(target);
--- /dev/null
+From b67336eee3fcb8ecedc6c13e2bf88aacfa3151e2 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@mips.com>
+Date: Mon, 27 Nov 2017 09:33:03 +0000
+Subject: MIPS: Validate PR_SET_FP_MODE prctl(2) requests against the ABI of the task
+
+From: Maciej W. Rozycki <macro@mips.com>
+
+commit b67336eee3fcb8ecedc6c13e2bf88aacfa3151e2 upstream.
+
+Fix an API loophole introduced with commit 9791554b45a2 ("MIPS,prctl:
+add PR_[GS]ET_FP_MODE prctl options for MIPS"), where the caller of
+prctl(2) is incorrectly allowed to make a change to CP0.Status.FR or
+CP0.Config5.FRE register bits even if CONFIG_MIPS_O32_FP64_SUPPORT has
+not been enabled, despite that an executable requesting the mode
+requested via ELF file annotation would not be allowed to run in the
+first place, or for n64 and n64 ABI tasks which do not have non-default
+modes defined at all. Add suitable checks to `mips_set_process_fp_mode'
+and bail out if an invalid mode change has been requested for the ABI in
+effect, even if the FPU hardware or emulation would otherwise allow it.
+
+Always succeed however without taking any further action if the mode
+requested is the same as one already in effect, regardless of whether
+any mode change, should it be requested, would actually be allowed for
+the task concerned.
+
+Signed-off-by: Maciej W. Rozycki <macro@mips.com>
+Fixes: 9791554b45a2 ("MIPS,prctl: add PR_[GS]ET_FP_MODE prctl options for MIPS")
+Reviewed-by: Paul Burton <paul.burton@mips.com>
+Cc: James Hogan <james.hogan@mips.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/17800/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/process.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -664,6 +664,18 @@ int mips_set_process_fp_mode(struct task
+ unsigned long switch_count;
+ struct task_struct *t;
+
++ /* If nothing to change, return right away, successfully. */
++ if (value == mips_get_process_fp_mode(task))
++ return 0;
++
++ /* Only accept a mode change if 64-bit FP enabled for o32. */
++ if (!IS_ENABLED(CONFIG_MIPS_O32_FP64_SUPPORT))
++ return -EOPNOTSUPP;
++
++ /* And only for o32 tasks. */
++ if (IS_ENABLED(CONFIG_64BIT) && !test_thread_flag(TIF_32BIT_REGS))
++ return -EOPNOTSUPP;
++
+ /* Check the value is valid */
+ if (value & ~known_bits)
+ return -EOPNOTSUPP;
--- /dev/null
+From 68920c973254c5b71a684645c5f6f82d6732c5d6 Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Wed, 20 Jan 2016 15:00:51 -0800
+Subject: net/mac80211/debugfs.c: prevent build failure with CONFIG_UBSAN=y
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+commit 68920c973254c5b71a684645c5f6f82d6732c5d6 upstream.
+
+With upcoming CONFIG_UBSAN the following BUILD_BUG_ON in
+net/mac80211/debugfs.c starts to trigger:
+
+ BUILD_BUG_ON(hw_flag_names[NUM_IEEE80211_HW_FLAGS] != (void *)0x1);
+
+It seems, that compiler instrumentation causes some code
+deoptimizations. Because of that GCC is not being able to resolve
+condition in BUILD_BUG_ON() at compile time.
+
+We could make size of hw_flag_names array unspecified and replace the
+condition in BUILD_BUG_ON() with following:
+
+ ARRAY_SIZE(hw_flag_names) != NUM_IEEE80211_HW_FLAGS
+
+That will have the same effect as before (adding new flag without
+updating array will trigger build failure) except it doesn't fail with
+CONFIG_UBSAN. As a bonus this patch slightly decreases size of
+hw_flag_names array.
+
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[Daniel: backport to 4.4.]
+Signed-off-by: Daniel Wagner <daniel.wagner@siemens.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+
+Hi,
+
+The only stable tree which is missing this fix is 4.4. 4.1 doesn't
+have 30686bf7f5b3 ("mac80211: convert HW flags to unsigned long
+bitmap") which makes gcc unhappy with allmodconfig. 4.9 contains the
+fix.
+
+Thanks,
+Daniel
+
+ net/mac80211/debugfs.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/net/mac80211/debugfs.c
++++ b/net/mac80211/debugfs.c
+@@ -91,7 +91,7 @@ static const struct file_operations rese
+ };
+ #endif
+
+-static const char *hw_flag_names[NUM_IEEE80211_HW_FLAGS + 1] = {
++static const char *hw_flag_names[] = {
+ #define FLAG(F) [IEEE80211_HW_##F] = #F
+ FLAG(HAS_RATE_CONTROL),
+ FLAG(RX_INCLUDES_FCS),
+@@ -125,9 +125,6 @@ static const char *hw_flag_names[NUM_IEE
+ FLAG(TDLS_WIDER_BW),
+ FLAG(SUPPORTS_AMSDU_IN_AMPDU),
+ FLAG(BEACON_TX_STATUS),
+-
+- /* keep last for the build bug below */
+- (void *)0x1
+ #undef FLAG
+ };
+
+@@ -147,7 +144,7 @@ static ssize_t hwflags_read(struct file
+ /* fail compilation if somebody adds or removes
+ * a flag without updating the name array above
+ */
+- BUILD_BUG_ON(hw_flag_names[NUM_IEEE80211_HW_FLAGS] != (void *)0x1);
++ BUILD_BUG_ON(ARRAY_SIZE(hw_flag_names) != NUM_IEEE80211_HW_FLAGS);
+
+ for (i = 0; i < NUM_IEEE80211_HW_FLAGS; i++) {
+ if (test_bit(i, local->hw.flags))
dm-bufio-fix-shrinker-scans-when-nr_to_scan-retain_target.patch
kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch
+can-gs_usb-fix-return-value-of-the-set_bittiming-callback.patch
+ib-srpt-disable-rdma-access-by-the-initiator.patch
+mips-validate-pr_set_fp_mode-prctl-2-requests-against-the-abi-of-the-task.patch
+mips-factor-out-nt_prfpreg-regset-access-helpers.patch
+mips-guard-against-any-partial-write-attempt-with-ptrace_setregset.patch
+mips-consistently-handle-buffer-counter-with-ptrace_setregset.patch
+mips-fix-an-fcsr-access-api-regression-with-nt_prfpreg-and-msa.patch
+mips-also-verify-sizeof-elf_fpreg_t-with-ptrace_setregset.patch
+mips-disallow-outsized-ptrace_setregset-nt_prfpreg-regset-accesses.patch
+net-mac80211-debugfs.c-prevent-build-failure-with-config_ubsan-y.patch
+kvm-vmx-scrub-hardware-gprs-at-vm-exit.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
