--- /dev/null
+From e2dfb4b880146bfd4b6aa8e138c0205407cebbaf Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Mon, 30 May 2016 23:14:56 +0100
+Subject: ARM: fix PTRACE_SETVFPREGS on SMP systems
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+commit e2dfb4b880146bfd4b6aa8e138c0205407cebbaf upstream.
+
+PTRACE_SETVFPREGS fails to properly mark the VFP register set to be
+reloaded, because it undoes one of the effects of vfp_flush_hwstate().
+
+Specifically vfp_flush_hwstate() sets thread->vfpstate.hard.cpu to
+an invalid CPU number, but vfp_set() overwrites this with the original
+CPU number, thereby rendering the hardware state as apparently "valid",
+even though the software state is more recent.
+
+Fix this by reverting the previous change.
+
+Fixes: 8130b9d7b9d8 ("ARM: 7308/1: vfp: flush thread hwstate before copying ptrace registers")
+Acked-by: Will Deacon <will.deacon@arm.com>
+Tested-by: Simon Marchi <simon.marchi@ericsson.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kernel/ptrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/ptrace.c
++++ b/arch/arm/kernel/ptrace.c
+@@ -733,8 +733,8 @@ static int vfp_set(struct task_struct *t
+ if (ret)
+ return ret;
+
+- vfp_flush_hwstate(thread);
+ thread->vfpstate.hard = new_vfp;
++ vfp_flush_hwstate(thread);
+
+ return 0;
+ }
--- /dev/null
+From ab6a11a7c8ef47f996974dd3c648c2c0b1a36ab1 Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Fri, 20 May 2016 17:33:03 -0500
+Subject: crypto: ccp - Fix AES XTS error for request sizes above 4096
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+commit ab6a11a7c8ef47f996974dd3c648c2c0b1a36ab1 upstream.
+
+The ccp-crypto module for AES XTS support has a bug that can allow requests
+greater than 4096 bytes in size to be passed to the CCP hardware. The CCP
+hardware does not support request sizes larger than 4096, resulting in
+incorrect output. The request should actually be handled by the fallback
+mechanism instantiated by the ccp-crypto module.
+
+Add a check to insure the request size is less than or equal to the maximum
+supported size and use the fallback mechanism if it is not.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccp/ccp-crypto-aes-xts.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/crypto/ccp/ccp-crypto-aes-xts.c
++++ b/drivers/crypto/ccp/ccp-crypto-aes-xts.c
+@@ -123,6 +123,7 @@ static int ccp_aes_xts_crypt(struct ablk
+ struct ccp_ctx *ctx = crypto_tfm_ctx(req->base.tfm);
+ struct ccp_aes_req_ctx *rctx = ablkcipher_request_ctx(req);
+ unsigned int unit;
++ u32 unit_size;
+ int ret;
+
+ if (!ctx->u.aes.key_len)
+@@ -134,11 +135,17 @@ static int ccp_aes_xts_crypt(struct ablk
+ if (!req->info)
+ return -EINVAL;
+
+- for (unit = 0; unit < ARRAY_SIZE(unit_size_map); unit++)
+- if (!(req->nbytes & (unit_size_map[unit].size - 1)))
+- break;
++ unit_size = CCP_XTS_AES_UNIT_SIZE__LAST;
++ if (req->nbytes <= unit_size_map[0].size) {
++ for (unit = 0; unit < ARRAY_SIZE(unit_size_map); unit++) {
++ if (!(req->nbytes & (unit_size_map[unit].size - 1))) {
++ unit_size = unit_size_map[unit].value;
++ break;
++ }
++ }
++ }
+
+- if ((unit_size_map[unit].value == CCP_XTS_AES_UNIT_SIZE__LAST) ||
++ if ((unit_size == CCP_XTS_AES_UNIT_SIZE__LAST) ||
+ (ctx->u.aes.key_len != AES_KEYSIZE_128)) {
+ /* Use the fallback to process the request for any
+ * unsupported unit sizes or key sizes
+@@ -159,7 +166,7 @@ static int ccp_aes_xts_crypt(struct ablk
+ rctx->cmd.engine = CCP_ENGINE_XTS_AES_128;
+ rctx->cmd.u.xts.action = (encrypt) ? CCP_AES_ACTION_ENCRYPT
+ : CCP_AES_ACTION_DECRYPT;
+- rctx->cmd.u.xts.unit_size = unit_size_map[unit].value;
++ rctx->cmd.u.xts.unit_size = unit_size;
+ rctx->cmd.u.xts.key = &ctx->u.aes.key_sg;
+ rctx->cmd.u.xts.key_len = ctx->u.aes.key_len;
+ rctx->cmd.u.xts.iv = &rctx->iv_sg;
--- /dev/null
+From 2f36db71009304b3f0b95afacd8eba1f9f046b87 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 1 Jun 2016 11:55:06 +0200
+Subject: ecryptfs: forbid opening files without mmap handler
+
+From: Jann Horn <jannh@google.com>
+
+commit 2f36db71009304b3f0b95afacd8eba1f9f046b87 upstream.
+
+This prevents users from triggering a stack overflow through a recursive
+invocation of pagefault handling that involves mapping procfs files into
+virtual memory.
+
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ecryptfs/kthread.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/fs/ecryptfs/kthread.c
++++ b/fs/ecryptfs/kthread.c
+@@ -25,6 +25,7 @@
+ #include <linux/slab.h>
+ #include <linux/wait.h>
+ #include <linux/mount.h>
++#include <linux/file.h>
+ #include "ecryptfs_kernel.h"
+
+ struct ecryptfs_open_req {
+@@ -147,7 +148,7 @@ int ecryptfs_privileged_open(struct file
+ flags |= IS_RDONLY(lower_dentry->d_inode) ? O_RDONLY : O_RDWR;
+ (*lower_file) = dentry_open(&req.path, flags, cred);
+ if (!IS_ERR(*lower_file))
+- goto out;
++ goto have_file;
+ if ((flags & O_ACCMODE) == O_RDONLY) {
+ rc = PTR_ERR((*lower_file));
+ goto out;
+@@ -165,8 +166,16 @@ int ecryptfs_privileged_open(struct file
+ mutex_unlock(&ecryptfs_kthread_ctl.mux);
+ wake_up(&ecryptfs_kthread_ctl.wait);
+ wait_for_completion(&req.done);
+- if (IS_ERR(*lower_file))
++ if (IS_ERR(*lower_file)) {
+ rc = PTR_ERR(*lower_file);
++ goto out;
++ }
++have_file:
++ if ((*lower_file)->f_op->mmap == NULL) {
++ fput(*lower_file);
++ *lower_file = NULL;
++ rc = -EMEDIUMTYPE;
++ }
+ out:
+ return rc;
+ }
--- /dev/null
+From 3d56c25e3bb0726a5c5e16fc2d9e38f8ed763085 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue, 7 Jun 2016 21:26:55 -0400
+Subject: fix d_walk()/non-delayed __d_free() race
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 3d56c25e3bb0726a5c5e16fc2d9e38f8ed763085 upstream.
+
+Ascend-to-parent logics in d_walk() depends on all encountered child
+dentries not getting freed without an RCU delay. Unfortunately, in
+quite a few cases it is not true, with hard-to-hit oopsable race as
+the result.
+
+Fortunately, the fix is simiple; right now the rule is "if it ever
+been hashed, freeing must be delayed" and changing it to "if it
+ever had a parent, freeing must be delayed" closes that hole and
+covers all cases the old rule used to cover. Moreover, pipes and
+sockets remain _not_ covered, so we do not introduce RCU delay in
+the cases which are the reason for having that delay conditional
+in the first place.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dcache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -1500,7 +1500,7 @@ struct dentry *d_alloc(struct dentry * p
+ struct dentry *dentry = __d_alloc(parent->d_sb, name);
+ if (!dentry)
+ return NULL;
+-
++ dentry->d_flags |= DCACHE_RCUACCESS;
+ spin_lock(&parent->d_lock);
+ /*
+ * don't need child lock because it is not subject
+@@ -2352,7 +2352,6 @@ static void __d_rehash(struct dentry * e
+ {
+ BUG_ON(!d_unhashed(entry));
+ hlist_bl_lock(b);
+- entry->d_flags |= DCACHE_RCUACCESS;
+ hlist_bl_add_head_rcu(&entry->d_hash, b);
+ hlist_bl_unlock(b);
+ }
+@@ -2536,6 +2535,7 @@ static void __d_move(struct dentry * den
+
+ /* ... and switch the parents */
+ if (IS_ROOT(dentry)) {
++ dentry->d_flags |= DCACHE_RCUACCESS;
+ dentry->d_parent = target->d_parent;
+ target->d_parent = target;
+ INIT_LIST_HEAD(&target->d_child);
--- /dev/null
+From d14bdb553f9196169f003058ae1cdabe514470e6 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 1 Jun 2016 14:09:23 +0200
+Subject: KVM: x86: fix OOPS after invalid KVM_SET_DEBUGREGS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit d14bdb553f9196169f003058ae1cdabe514470e6 upstream.
+
+MOV to DR6 or DR7 causes a #GP if an attempt is made to write a 1 to
+any of bits 63:32. However, this is not detected at KVM_SET_DEBUGREGS
+time, and the next KVM_RUN oopses:
+
+ general protection fault: 0000 [#1] SMP
+ CPU: 2 PID: 14987 Comm: a.out Not tainted 4.4.9-300.fc23.x86_64 #1
+ Hardware name: LENOVO 2325F51/2325F51, BIOS G2ET32WW (1.12 ) 05/30/2012
+ [...]
+ Call Trace:
+ [<ffffffffa072c93d>] kvm_arch_vcpu_ioctl_run+0x141d/0x14e0 [kvm]
+ [<ffffffffa071405d>] kvm_vcpu_ioctl+0x33d/0x620 [kvm]
+ [<ffffffff81241648>] do_vfs_ioctl+0x298/0x480
+ [<ffffffff812418a9>] SyS_ioctl+0x79/0x90
+ [<ffffffff817a0f2e>] entry_SYSCALL_64_fastpath+0x12/0x71
+ Code: 55 83 ff 07 48 89 e5 77 27 89 ff ff 24 fd 90 87 80 81 0f 23 fe 5d c3 0f 23 c6 5d c3 0f 23 ce 5d c3 0f 23 d6 5d c3 0f 23 de 5d c3 <0f> 23 f6 5d c3 0f 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00
+ RIP [<ffffffff810639eb>] native_set_debugreg+0x2b/0x40
+ RSP <ffff88005836bd50>
+
+Testcase (beautified/reduced from syzkaller output):
+
+ #include <unistd.h>
+ #include <sys/syscall.h>
+ #include <string.h>
+ #include <stdint.h>
+ #include <linux/kvm.h>
+ #include <fcntl.h>
+ #include <sys/ioctl.h>
+
+ long r[8];
+
+ int main()
+ {
+ struct kvm_debugregs dr = { 0 };
+
+ r[2] = open("/dev/kvm", O_RDONLY);
+ r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
+ r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7);
+
+ memcpy(&dr,
+ "\x5d\x6a\x6b\xe8\x57\x3b\x4b\x7e\xcf\x0d\xa1\x72"
+ "\xa3\x4a\x29\x0c\xfc\x6d\x44\x00\xa7\x52\xc7\xd8"
+ "\x00\xdb\x89\x9d\x78\xb5\x54\x6b\x6b\x13\x1c\xe9"
+ "\x5e\xd3\x0e\x40\x6f\xb4\x66\xf7\x5b\xe3\x36\xcb",
+ 48);
+ r[7] = ioctl(r[4], KVM_SET_DEBUGREGS, &dr);
+ r[6] = ioctl(r[4], KVM_RUN, 0);
+ }
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3029,6 +3029,11 @@ static int kvm_vcpu_ioctl_x86_set_debugr
+ if (dbgregs->flags)
+ return -EINVAL;
+
++ if (dbgregs->dr6 & ~0xffffffffull)
++ return -EINVAL;
++ if (dbgregs->dr7 & ~0xffffffffull)
++ return -EINVAL;
++
+ memcpy(vcpu->arch.db, dbgregs->db, sizeof(vcpu->arch.db));
+ vcpu->arch.dr6 = dbgregs->dr6;
+ kvm_update_dr6(vcpu);
--- /dev/null
+From 8b78f260887df532da529f225c49195d18fef36b Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 4 Jun 2016 17:21:33 +0200
+Subject: parisc: Fix pagefault crash in unaligned __get_user() call
+
+From: Helge Deller <deller@gmx.de>
+
+commit 8b78f260887df532da529f225c49195d18fef36b upstream.
+
+One of the debian buildd servers had this crash in the syslog without
+any other information:
+
+ Unaligned handler failed, ret = -2
+ clock_adjtime (pid 22578): Unaligned data reference (code 28)
+ CPU: 1 PID: 22578 Comm: clock_adjtime Tainted: G E 4.5.0-2-parisc64-smp #1 Debian 4.5.4-1
+ task: 000000007d9960f8 ti: 00000001bde7c000 task.ti: 00000001bde7c000
+
+ YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
+ PSW: 00001000000001001111100000001111 Tainted: G E
+ r00-03 000000ff0804f80f 00000001bde7c2b0 00000000402d2be8 00000001bde7c2b0
+ r04-07 00000000409e1fd0 00000000fa6f7fff 00000001bde7c148 00000000fa6f7fff
+ r08-11 0000000000000000 00000000ffffffff 00000000fac9bb7b 000000000002b4d4
+ r12-15 000000000015241c 000000000015242c 000000000000002d 00000000fac9bb7b
+ r16-19 0000000000028800 0000000000000001 0000000000000070 00000001bde7c218
+ r20-23 0000000000000000 00000001bde7c210 0000000000000002 0000000000000000
+ r24-27 0000000000000000 0000000000000000 00000001bde7c148 00000000409e1fd0
+ r28-31 0000000000000001 00000001bde7c320 00000001bde7c350 00000001bde7c218
+ sr00-03 0000000001200000 0000000001200000 0000000000000000 0000000001200000
+ sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+
+ IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000402d2e84 00000000402d2e88
+ IIR: 0ca0d089 ISR: 0000000001200000 IOR: 00000000fa6f7fff
+ CPU: 1 CR30: 00000001bde7c000 CR31: ffffffffffffffff
+ ORIG_R28: 00000002369fe628
+ IAOQ[0]: compat_get_timex+0x2dc/0x3c0
+ IAOQ[1]: compat_get_timex+0x2e0/0x3c0
+ RP(r2): compat_get_timex+0x40/0x3c0
+ Backtrace:
+ [<00000000402d4608>] compat_SyS_clock_adjtime+0x40/0xc0
+ [<0000000040205024>] syscall_exit+0x0/0x14
+
+This means the userspace program clock_adjtime called the clock_adjtime()
+syscall and then crashed inside the compat_get_timex() function.
+Syscalls should never crash programs, but instead return EFAULT.
+
+The IIR register contains the executed instruction, which disassebles
+into "ldw 0(sr3,r5),r9".
+This load-word instruction is part of __get_user() which tried to read the word
+at %r5/IOR (0xfa6f7fff). This means the unaligned handler jumped in. The
+unaligned handler is able to emulate all ldw instructions, but it fails if it
+fails to read the source e.g. because of page fault.
+
+The following program reproduces the problem:
+
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <sys/mman.h>
+
+int main(void) {
+ /* allocate 8k */
+ char *ptr = mmap(NULL, 2*4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+ /* free second half (upper 4k) and make it invalid. */
+ munmap(ptr+4096, 4096);
+ /* syscall where first int is unaligned and clobbers into invalid memory region */
+ /* syscall should return EFAULT */
+ return syscall(__NR_clock_adjtime, 0, ptr+4095);
+}
+
+To fix this issue we simply need to check if the faulting instruction address
+is in the exception fixup table when the unaligned handler failed. If it
+is, call the fixup routine instead of crashing.
+
+While looking at the unaligned handler I found another issue as well: The
+target register should not be modified if the handler was unsuccessful.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/unaligned.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/unaligned.c
++++ b/arch/parisc/kernel/unaligned.c
+@@ -666,7 +666,7 @@ void handle_unaligned(struct pt_regs *re
+ break;
+ }
+
+- if (modify && R1(regs->iir))
++ if (ret == 0 && modify && R1(regs->iir))
+ regs->gr[R1(regs->iir)] = newbase;
+
+
+@@ -677,6 +677,14 @@ void handle_unaligned(struct pt_regs *re
+
+ if (ret)
+ {
++ /*
++ * The unaligned handler failed.
++ * If we were called by __get_user() or __put_user() jump
++ * to it's exception fixup handler instead of crashing.
++ */
++ if (!user_mode(regs) && fixup_exception(regs))
++ return;
++
+ printk(KERN_CRIT "Unaligned handler failed, ret = %d\n", ret);
+ die_if_kernel("Unaligned data reference", regs, 28);
+
--- /dev/null
+From d23fac2b27d94aeb7b65536a50d32bfdc21fe01e Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Thu, 12 May 2016 13:26:44 +0200
+Subject: powerpc: Fix definition of SIAR and SDAR registers
+
+From: Thomas Huth <thuth@redhat.com>
+
+commit d23fac2b27d94aeb7b65536a50d32bfdc21fe01e upstream.
+
+The SIAR and SDAR registers are available twice, one time as SPRs
+780 / 781 (unprivileged, but read-only), and one time as the SPRs
+796 / 797 (privileged, but read and write). The Linux kernel code
+currently uses the unprivileged SPRs - while this is OK for reading,
+writing to that register of course does not work.
+Since the KVM code tries to write to this register, too (see the mtspr
+in book3s_hv_rmhandlers.S), the contents of this register sometimes get
+lost for the guests, e.g. during migration of a VM.
+To fix this issue, simply switch to the privileged SPR numbers instead.
+
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Acked-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/reg.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -715,13 +715,13 @@
+ #define SPRN_PMC6 792
+ #define SPRN_PMC7 793
+ #define SPRN_PMC8 794
+-#define SPRN_SIAR 780
+-#define SPRN_SDAR 781
+ #define SPRN_SIER 784
+ #define SIER_SIPR 0x2000000 /* Sampled MSR_PR */
+ #define SIER_SIHV 0x1000000 /* Sampled MSR_HV */
+ #define SIER_SIAR_VALID 0x0400000 /* SIAR contents valid */
+ #define SIER_SDAR_VALID 0x0200000 /* SDAR contents valid */
++#define SPRN_SIAR 796
++#define SPRN_SDAR 797
+ #define SPRN_TACR 888
+ #define SPRN_TCSCR 889
+ #define SPRN_CSIGR 890
--- /dev/null
+From 8dd75ccb571f3c92c48014b3dabd3d51a115ab41 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Thu, 12 May 2016 13:29:11 +0200
+Subject: powerpc: Use privileged SPR number for MMCR2
+
+From: Thomas Huth <thuth@redhat.com>
+
+commit 8dd75ccb571f3c92c48014b3dabd3d51a115ab41 upstream.
+
+We are already using the privileged versions of MMCR0, MMCR1
+and MMCRA in the kernel, so for MMCR2, we should better use
+the privileged versions, too, to be consistent.
+
+Fixes: 240686c13687 ("powerpc: Initialise PMU related regs on Power8")
+Suggested-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Acked-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/reg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -680,7 +680,7 @@
+ #define MMCR0_FCWAIT 0x00000002UL /* freeze counter in WAIT state */
+ #define MMCR0_FCHV 0x00000001UL /* freeze conditions in hypervisor mode */
+ #define SPRN_MMCR1 798
+-#define SPRN_MMCR2 769
++#define SPRN_MMCR2 785
+ #define SPRN_MMCRA 0x312
+ #define MMCRA_SDSYNC 0x80000000UL /* SDAR synced with SIAR */
+ #define MMCRA_SDAR_DCACHE_MISS 0x40000000UL
--- /dev/null
+From e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 1 Jun 2016 11:55:05 +0200
+Subject: proc: prevent stacking filesystems on top
+
+From: Jann Horn <jannh@google.com>
+
+commit e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9 upstream.
+
+This prevents stacking filesystems (ecryptfs and overlayfs) from using
+procfs as lower filesystem. There is too much magic going on inside
+procfs, and there is no good reason to stack stuff on top of procfs.
+
+(For example, procfs does access checks in VFS open handlers, and
+ecryptfs by design calls open handlers from a kernel thread that doesn't
+drop privileges or so.)
+
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/root.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/proc/root.c
++++ b/fs/proc/root.c
+@@ -122,6 +122,13 @@ static struct dentry *proc_mount(struct
+ if (IS_ERR(sb))
+ return ERR_CAST(sb);
+
++ /*
++ * procfs isn't actually a stacking filesystem; however, there is
++ * too much magic going on inside it to permit stacking things on
++ * top of it
++ */
++ sb->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH;
++
+ if (!proc_parse_options(options, ns)) {
+ deactivate_locked_super(sb);
+ return ERR_PTR(-EINVAL);
netlink-fix-dump-skb-leak-double-free.patch
sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch
tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch
+kvm-x86-fix-oops-after-invalid-kvm_set_debugregs.patch
+arm-fix-ptrace_setvfpregs-on-smp-systems.patch
+crypto-ccp-fix-aes-xts-error-for-request-sizes-above-4096.patch
+powerpc-fix-definition-of-siar-and-sdar-registers.patch
+powerpc-use-privileged-spr-number-for-mmcr2.patch
+parisc-fix-pagefault-crash-in-unaligned-__get_user-call.patch
+ecryptfs-forbid-opening-files-without-mmap-handler.patch
+wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch
+proc-prevent-stacking-filesystems-on-top.patch
+fix-d_walk-non-delayed-__d_free-race.patch
--- /dev/null
+From 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724 Mon Sep 17 00:00:00 2001
+From: Prasun Maiti <prasunmaiti87@gmail.com>
+Date: Mon, 6 Jun 2016 20:04:19 +0530
+Subject: wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel
+
+From: Prasun Maiti <prasunmaiti87@gmail.com>
+
+commit 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724 upstream.
+
+iwpriv app uses iw_point structure to send data to Kernel. The iw_point
+structure holds a pointer. For compatibility Kernel converts the pointer
+as required for WEXT IOCTLs (SIOCIWFIRST to SIOCIWLAST). Some drivers
+may use iw_handler_def.private_args to populate iwpriv commands instead
+of iw_handler_def.private. For those case, the IOCTLs from
+SIOCIWFIRSTPRIV to SIOCIWLASTPRIV will follow the path ndo_do_ioctl().
+Accordingly when the filled up iw_point structure comes from 32 bit
+iwpriv to 64 bit Kernel, Kernel will not convert the pointer and sends
+it to driver. So, the driver may get the invalid data.
+
+The pointer conversion for the IOCTLs (SIOCIWFIRSTPRIV to
+SIOCIWLASTPRIV), which follow the path ndo_do_ioctl(), is mandatory.
+This patch adds pointer conversion from 32 bit to 64 bit and vice versa,
+if the ioctl comes from 32 bit iwpriv to 64 bit Kernel.
+
+Signed-off-by: Prasun Maiti <prasunmaiti87@gmail.com>
+Signed-off-by: Ujjal Roy <royujjal@gmail.com>
+Tested-by: Dibyajyoti Ghosh <dibyajyotig@gmail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/wext-core.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -954,8 +954,29 @@ static int wireless_process_ioctl(struct
+ return private(dev, iwr, cmd, info, handler);
+ }
+ /* Old driver API : call driver ioctl handler */
+- if (dev->netdev_ops->ndo_do_ioctl)
+- return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
++ if (dev->netdev_ops->ndo_do_ioctl) {
++#ifdef CONFIG_COMPAT
++ if (info->flags & IW_REQUEST_FLAG_COMPAT) {
++ int ret = 0;
++ struct iwreq iwr_lcl;
++ struct compat_iw_point *iwp_compat = (void *) &iwr->u.data;
++
++ memcpy(&iwr_lcl, iwr, sizeof(struct iwreq));
++ iwr_lcl.u.data.pointer = compat_ptr(iwp_compat->pointer);
++ iwr_lcl.u.data.length = iwp_compat->length;
++ iwr_lcl.u.data.flags = iwp_compat->flags;
++
++ ret = dev->netdev_ops->ndo_do_ioctl(dev, (void *) &iwr_lcl, cmd);
++
++ iwp_compat->pointer = ptr_to_compat(iwr_lcl.u.data.pointer);
++ iwp_compat->length = iwr_lcl.u.data.length;
++ iwp_compat->flags = iwr_lcl.u.data.flags;
++
++ return ret;
++ } else
++#endif
++ return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
++ }
+ return -EOPNOTSUPP;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
