--- /dev/null
+From ccfe8c3f7e52ae83155cb038753f4c75b774ca8a Mon Sep 17 00:00:00 2001
+From: Stephan Mueller <smueller@chronox.de>
+Date: Thu, 12 Mar 2015 09:17:51 +0100
+Subject: crypto: aesni - fix memory usage in GCM decryption
+
+From: Stephan Mueller <smueller@chronox.de>
+
+commit ccfe8c3f7e52ae83155cb038753f4c75b774ca8a upstream.
+
+The kernel crypto API logic requires the caller to provide the
+length of (ciphertext || authentication tag) as cryptlen for the
+AEAD decryption operation. Thus, the cipher implementation must
+calculate the size of the plaintext output itself and cannot simply use
+cryptlen.
+
+The RFC4106 GCM decryption operation tries to overwrite cryptlen memory
+in req->dst. As the destination buffer for decryption only needs to hold
+the plaintext memory but cryptlen references the input buffer holding
+(ciphertext || authentication tag), the assumption of the destination
+buffer length in RFC4106 GCM operation leads to a too large size. This
+patch simply uses the already calculated plaintext size.
+
+In addition, this patch fixes the offset calculation of the AAD buffer
+pointer: as mentioned before, cryptlen already includes the size of the
+tag. Thus, the tag does not need to be added. With the addition, the AAD
+will be written beyond the already allocated buffer.
+
+Note, this fixes a kernel crash that can be triggered from user space
+via AF_ALG(aead) -- simply use the libkcapi test application
+from [1] and update it to use rfc4106-gcm-aes.
+
+Using [1], the changes were tested using CAVS vectors to demonstrate
+that the crypto operation still delivers the right results.
+
+[1] http://www.chronox.de/libkcapi.html
+
+CC: Tadeusz Struk <tadeusz.struk@intel.com>
+Signed-off-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/crypto/aesni-intel_glue.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/crypto/aesni-intel_glue.c
++++ b/arch/x86/crypto/aesni-intel_glue.c
+@@ -1133,7 +1133,7 @@ static int __driver_rfc4106_decrypt(stru
+ src = kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC);
+ if (!src)
+ return -ENOMEM;
+- assoc = (src + req->cryptlen + auth_tag_len);
++ assoc = (src + req->cryptlen);
+ scatterwalk_map_and_copy(src, req->src, 0, req->cryptlen, 0);
+ scatterwalk_map_and_copy(assoc, req->assoc, 0,
+ req->assoclen, 0);
+@@ -1158,7 +1158,7 @@ static int __driver_rfc4106_decrypt(stru
+ scatterwalk_done(&src_sg_walk, 0, 0);
+ scatterwalk_done(&assoc_sg_walk, 0, 0);
+ } else {
+- scatterwalk_map_and_copy(dst, req->dst, 0, req->cryptlen, 1);
++ scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1);
+ kfree(src);
+ }
+ return retval;
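Review bot: The second hunk makes the write into req->dst depend on `tempCipherLen`, which is computed outside the hunk; that value is only meaningful if `req->cryptlen >= auth_tag_len` was verified before the subtraction, and that check is not visible here, so it should be confirmed rather than assumed. The `kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC)` at the top of the first hunk sums two lengths that arrive from the AF_ALG caller, so the same entry validation presumably bounds them. A why-comment at the new assoc line would help the next reader: `/* cryptlen already covers ciphertext || tag; assoc follows it directly */`. __driver_rfc4106_decrypt starts and ends outside these hunks.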
--- /dev/null
+From 001eabfd54c0cbf9d7d16264ddc8cc0bee67e3ed Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Thu, 26 Feb 2015 07:22:05 +0000
+Subject: crypto: arm/aes update NEON AES module to latest OpenSSL version
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+commit 001eabfd54c0cbf9d7d16264ddc8cc0bee67e3ed upstream.
+
+This updates the bit sliced AES module to the latest version in the
+upstream OpenSSL repository (e620e5ae37bc). This is needed to fix a
+bug in the XTS decryption path, where data chunked in a certain way
+could trigger the ciphertext stealing code, which is not supposed to
+be active in the kernel build (The kernel implementation of XTS only
+supports round multiples of the AES block size of 16 bytes, whereas
+the conformant OpenSSL implementation of XTS supports inputs of
+arbitrary size by applying ciphertext stealing). This is fixed in
+the upstream version by adding the missing #ifndef XTS_CHAIN_TWEAK
+around the offending instructions.
+
+The upstream code also contains the change applied by Russell to
+build the code unconditionally, i.e., even if __LINUX_ARM_ARCH__ < 7,
+but implemented slightly differently.
+
+Fixes: e4e7f10bfc40 ("ARM: add support for bit sliced AES using NEON instructions")
+Reported-by: Adrian Kotelba <adrian.kotelba@gmail.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Tested-by: Milan Broz <gmazyland@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/crypto/aesbs-core.S_shipped | 12 ++++++++----
+ arch/arm/crypto/bsaes-armv7.pl | 12 ++++++++----
+ 2 files changed, 16 insertions(+), 8 deletions(-)
+
+--- a/arch/arm/crypto/aesbs-core.S_shipped
++++ b/arch/arm/crypto/aesbs-core.S_shipped
+@@ -58,14 +58,18 @@
+ # define VFP_ABI_FRAME 0
+ # define BSAES_ASM_EXTENDED_KEY
+ # define XTS_CHAIN_TWEAK
+-# define __ARM_ARCH__ 7
++# define __ARM_ARCH__ __LINUX_ARM_ARCH__
++# define __ARM_MAX_ARCH__ 7
+ #endif
+
+ #ifdef __thumb__
+ # define adrl adr
+ #endif
+
+-#if __ARM_ARCH__>=7
++#if __ARM_MAX_ARCH__>=7
++.arch armv7-a
++.fpu neon
++
+ .text
+ .syntax unified @ ARMv7-capable assembler is expected to handle this
+ #ifdef __thumb2__
+@@ -74,8 +78,6 @@
+ .code 32
+ #endif
+
+-.fpu neon
+-
+ .type _bsaes_decrypt8,%function
+ .align 4
+ _bsaes_decrypt8:
+@@ -2095,9 +2097,11 @@ bsaes_xts_decrypt:
+ vld1.8 {q8}, [r0] @ initial tweak
+ adr r2, .Lxts_magic
+
++#ifndef XTS_CHAIN_TWEAK
+ tst r9, #0xf @ if not multiple of 16
+ it ne @ Thumb2 thing, sanity check in ARM
+ subne r9, #0x10 @ subtract another 16 bytes
++#endif
+ subs r9, #0x80
+
+ blo .Lxts_dec_short
+--- a/arch/arm/crypto/bsaes-armv7.pl
++++ b/arch/arm/crypto/bsaes-armv7.pl
+@@ -701,14 +701,18 @@ $code.=<<___;
+ # define VFP_ABI_FRAME 0
+ # define BSAES_ASM_EXTENDED_KEY
+ # define XTS_CHAIN_TWEAK
+-# define __ARM_ARCH__ 7
++# define __ARM_ARCH__ __LINUX_ARM_ARCH__
++# define __ARM_MAX_ARCH__ 7
+ #endif
+
+ #ifdef __thumb__
+ # define adrl adr
+ #endif
+
+-#if __ARM_ARCH__>=7
++#if __ARM_MAX_ARCH__>=7
++.arch armv7-a
++.fpu neon
++
+ .text
+ .syntax unified @ ARMv7-capable assembler is expected to handle this
+ #ifdef __thumb2__
+@@ -717,8 +721,6 @@ $code.=<<___;
+ .code 32
+ #endif
+
+-.fpu neon
+-
+ .type _bsaes_decrypt8,%function
+ .align 4
+ _bsaes_decrypt8:
+@@ -2076,9 +2078,11 @@ bsaes_xts_decrypt:
+ vld1.8 {@XMM[8]}, [r0] @ initial tweak
+ adr $magic, .Lxts_magic
+
++#ifndef XTS_CHAIN_TWEAK
+ tst $len, #0xf @ if not multiple of 16
+ it ne @ Thumb2 thing, sanity check in ARM
+ subne $len, #0x10 @ subtract another 16 bytes
++#endif
+ subs $len, #0x80
+
+ blo .Lxts_dec_short
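Review bot: The new `#ifndef XTS_CHAIN_TWEAK` guard in bsaes_xts_decrypt changes what a length that is not a multiple of 16 means in the kernel build, and nothing at the site records that the caller is now responsible for alignment; a comment such as `@ kernel XTS (XTS_CHAIN_TWEAK): no ciphertext stealing, callers must pass a multiple of 16` would make the contract explicit. The same hunks appear in aesbs-core.S_shipped, which by its name looks like the generated output of this script, so the two must stay in lock-step; here they match line for line. Whether the encrypt path carries the same guard cannot be seen, as it is outside the hunk.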
--- /dev/null
+From 8792f7772f4f40ffc68bad5f28311205584b734d Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
+Date: Thu, 12 Mar 2015 16:25:49 -0700
+Subject: drivers/rtc/rtc-s3c.c: add .needs_src_clk to s3c6410 RTC data
+
+From: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
+
+commit 8792f7772f4f40ffc68bad5f28311205584b734d upstream.
+
+Commit df9e26d093d3 ("rtc: s3c: add support for RTC of Exynos3250 SoC")
+added an "rtc_src" DT property to specify the clock used as a source to
+the S3C real-time clock.
+
+Not all SoCs needs this so commit eaf3a659086e ("drivers/rtc/rtc-s3c.c:
+fix initialization failure without rtc source clock") changed to check
+the struct s3c_rtc_data .needs_src_clk to conditionally grab the clock.
+
+But that commit didn't update the data for each IP version so the RTC
+broke on the boards that needs a source clock. This is the case of at
+least Exynos5250 and Exynos5440 which uses the s3c6410 RTC IP block.
+
+This commit fixes the S3C rtc on the Exynos5250 Snow and Exynos5420
+Peach Pit and Pi Chromebooks.
+
+Signed-off-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
+Cc: Marek Szyprowski <m.szyprowski@samsung.com>
+Cc: Chanwoo Choi <cw00.choi@samsung.com>
+Cc: Doug Anderson <dianders@chromium.org>
+Cc: Olof Johansson <olof@lixom.net>
+Cc: Kevin Hilman <khilman@linaro.org>
+Cc: Tyler Baker <tyler.baker@linaro.org>
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rtc/rtc-s3c.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/rtc/rtc-s3c.c
++++ b/drivers/rtc/rtc-s3c.c
+@@ -849,6 +849,7 @@ static struct s3c_rtc_data const s3c2443
+
+ static struct s3c_rtc_data const s3c6410_rtc_data = {
+ .max_user_freq = 32768,
++ .needs_src_clk = true,
+ .irq_handler = s3c6410_rtc_irq,
+ .set_freq = s3c6410_rtc_setfreq,
+ .enable_tick = s3c6410_rtc_enable_tick,
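Review bot: `.needs_src_clk = true` is set only on s3c6410_rtc_data, and because these are designated initializers every other `s3c_rtc_data` instance that omits the member silently gets `false`; the commit message names the Exynos3250 variant as the one that introduced the clock, so its entry deserves the same check, but it is outside the hunk. A short comment next to the new member would record why this IP variant differs: `/* Exynos5250/5440 use this IP block and need the rtc_src clock */`.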
--- /dev/null
+From f01d35a15fa04162a58b95970fc01fa70ec9dacd Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 6 Feb 2015 02:07:45 -0500
+Subject: gadgetfs: use-after-free in ->aio_read()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit f01d35a15fa04162a58b95970fc01fa70ec9dacd upstream.
+
+AIO_PREAD requests call ->aio_read() with iovec on caller's stack, so if
+we are going to access it asynchronously, we'd better get ourselves
+a copy - the one on kernel stack of aio_run_iocb() won't be there
+anymore. function/f_fs.c take care of doing that, legacy/inode.c
+doesn't...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/legacy/inode.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -566,7 +566,6 @@ static ssize_t ep_copy_to_user(struct ki
+ if (total == 0)
+ break;
+ }
+-
+ return len;
+ }
+
+@@ -585,6 +584,7 @@ static void ep_user_copy_worker(struct w
+ aio_complete(iocb, ret, ret);
+
+ kfree(priv->buf);
++ kfree(priv->iv);
+ kfree(priv);
+ }
+
+@@ -605,6 +605,7 @@ static void ep_aio_complete(struct usb_e
+ */
+ if (priv->iv == NULL || unlikely(req->actual == 0)) {
+ kfree(req->buf);
++ kfree(priv->iv);
+ kfree(priv);
+ iocb->private = NULL;
+ /* aio_complete() reports bytes-transferred _and_ faults */
+@@ -640,7 +641,7 @@ ep_aio_rwtail(
+ struct usb_request *req;
+ ssize_t value;
+
+- priv = kmalloc(sizeof *priv, GFP_KERNEL);
++ priv = kzalloc(sizeof *priv, GFP_KERNEL);
+ if (!priv) {
+ value = -ENOMEM;
+ fail:
+@@ -649,7 +650,14 @@ fail:
+ }
+ iocb->private = priv;
+ priv->iocb = iocb;
+- priv->iv = iv;
++ if (iv) {
++ priv->iv = kmemdup(iv, nr_segs * sizeof(struct iovec),
++ GFP_KERNEL);
++ if (!priv->iv) {
++ kfree(priv);
++ goto fail;
++ }
++ }
+ priv->nr_segs = nr_segs;
+ INIT_WORK(&priv->work, ep_user_copy_worker);
+
+@@ -689,6 +697,7 @@ fail:
+ mutex_unlock(&epdata->lock);
+
+ if (unlikely(value)) {
++ kfree(priv->iv);
+ kfree(priv);
+ put_ep(epdata);
+ } else
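Review bot: The new failure branch at `if (!priv->iv)` in ep_aio_rwtail jumps to `fail:` without assigning `value`, and `value` is declared without an initializer (`ssize_t value;` in the previous hunk), so whatever `fail:` returns (its body is outside the hunk) is indeterminate on that path; in addition `iocb->private = priv` was stored two lines earlier and is left pointing at freed memory. Change the branch to `kfree(priv); iocb->private = NULL; value = -ENOMEM; goto fail;`. The `nr_segs * sizeof(struct iovec)` product that sizes the kmemdup is presumably bounded by the AIO core before this point; worth confirming since it sizes a kernel allocation.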
--- /dev/null
+From 528c943f3bb919aef75ab2fff4f00176f09a4019 Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Sat, 21 Feb 2015 21:03:10 +0200
+Subject: ipvs: add missing ip_vs_pe_put in sync code
+
+From: Julian Anastasov <ja@ssi.bg>
+
+commit 528c943f3bb919aef75ab2fff4f00176f09a4019 upstream.
+
+ip_vs_conn_fill_param_sync() gets in param.pe a module
+reference for persistence engine from __ip_vs_pe_getbyname()
+but forgets to put it. Problem occurs in backup for
+sync protocol v1 (2.6.39).
+
+Also, pe_data usually comes in sync messages for
+connection templates and ip_vs_conn_new() copies
+the pointer only in this case. Make sure pe_data
+is not leaked if it comes unexpectedly for normal
+connections. Leak can happen only if bogus messages
+are sent to backup server.
+
+Fixes: fe5e7a1efb66 ("IPVS: Backup, Adding Version 1 receive capability")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipvs/ip_vs_sync.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/ipvs/ip_vs_sync.c
++++ b/net/netfilter/ipvs/ip_vs_sync.c
+@@ -896,6 +896,8 @@ static void ip_vs_proc_conn(struct net *
+ IP_VS_DBG(2, "BACKUP, add new conn. failed\n");
+ return;
+ }
++ if (!(flags & IP_VS_CONN_F_TEMPLATE))
++ kfree(param->pe_data);
+ }
+
+ if (opt)
+@@ -1169,6 +1171,7 @@ static inline int ip_vs_proc_sync_conn(s
+ (opt_flags & IPVS_OPT_F_SEQ_DATA ? &opt : NULL)
+ );
+ #endif
++ ip_vs_pe_put(param.pe);
+ return 0;
+ /* Error exit */
+ out:
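Review bot: `ip_vs_pe_put(param.pe)` is added only on the success path of ip_vs_proc_sync_conn, directly before `return 0;`; the `out:` error exit that begins on the hunk's last line is outside view, so confirm it releases the reference as well (or that ip_vs_pe_put tolerates a NULL pe), otherwise the leak the commit fixes remains on malformed messages. In the first hunk the reason for `kfree(param->pe_data)` deserves a comment, e.g. `/* ip_vs_conn_new() keeps pe_data only for templates; free it otherwise */`.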
--- /dev/null
+From dd3733b3e798daf778a1ec08557f388f00fdc2f6 Mon Sep 17 00:00:00 2001
+From: Alexey Andriyanov <alan@al-an.info>
+Date: Fri, 6 Feb 2015 22:32:20 +0300
+Subject: ipvs: fix inability to remove a mixed-family RS
+
+From: Alexey Andriyanov <alan@al-an.info>
+
+commit dd3733b3e798daf778a1ec08557f388f00fdc2f6 upstream.
+
+The current code prevents any operation with a mixed-family dest
+unless IP_VS_CONN_F_TUNNEL flag is set. The problem is that it's impossible
+for the client to follow this rule, because ip_vs_genl_parse_dest does
+not even read the destination conn_flags when cmd = IPVS_CMD_DEL_DEST
+(need_full_dest = 0).
+
+Also, not every client can pass this flag when removing a dest. ipvsadm,
+for example, does not support the "-i" command line option together with
+the "-d" option.
+
+This change disables any checks for mixed-family on IPVS_CMD_DEL_DEST command.
+
+Signed-off-by: Alexey Andriyanov <alan@al-an.info>
+Fixes: bc18d37f676f ("ipvs: Allow heterogeneous pools now that we support them")
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -3399,7 +3399,7 @@ static int ip_vs_genl_set_cmd(struct sk_
+ if (udest.af == 0)
+ udest.af = svc->af;
+
+- if (udest.af != svc->af) {
++ if (udest.af != svc->af && cmd != IPVS_CMD_DEL_DEST) {
+ /* The synchronization protocol is incompatible
+ * with mixed family services
+ */
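Review bot: The `cmd != IPVS_CMD_DEL_DEST` clause in ip_vs_genl_set_cmd encodes a reason that lives only in the commit message (a delete request carries no conn_flags to check), so the comment inside the branch should say so: `/* DEL_DEST carries no conn_flags, so the tunnel requirement cannot be checked there */`. With `udest.af` defaulted to `svc->af` two lines above, a delete that omits the family still resolves to the service's own, so the relaxed check only affects explicitly mixed-family deletes; whether the later dest lookup matches on af is outside the hunk.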
--- /dev/null
+From 5724be8464dceac047c1eaddaa3651cea0ec16ca Mon Sep 17 00:00:00 2001
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+Date: Tue, 3 Mar 2015 11:27:23 +0100
+Subject: irqchip: armada-370-xp: Fix chained per-cpu interrupts
+
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+
+commit 5724be8464dceac047c1eaddaa3651cea0ec16ca upstream.
+
+On the Cortex-A9-based Armada SoCs, the MPIC is not the primary interrupt
+controller. Yet, it still has to handle some per-cpu interrupt.
+
+To do so, it is chained with the GIC using a per-cpu interrupt. However, the
+current code only call irq_set_chained_handler, which is called and enable that
+interrupt only on the boot CPU, which means that the parent per-CPU interrupt
+is never unmasked on the secondary CPUs, preventing the per-CPU interrupt to
+actually work as expected.
+
+This was not seen until now since the only MPIC PPI users were the Marvell
+timers that were not working, but not used either since the system use the ARM
+TWD by default, and the ethernet controllers, that are faking there interrupts
+as SPI, and don't really expect to have interrupts on the secondary cores
+anyway.
+
+Add a CPU notifier that will enable the PPI on the secondary cores when they
+are brought up.
+
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Acked-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Link: https://lkml.kernel.org/r/1425378443-28822-1-git-send-email-maxime.ripard@free-electrons.com
+Signed-off-by: Jason Cooper <jason@lakedaemon.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-armada-370-xp.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-armada-370-xp.c
++++ b/drivers/irqchip/irq-armada-370-xp.c
+@@ -69,6 +69,7 @@ static void __iomem *per_cpu_int_base;
+ static void __iomem *main_int_base;
+ static struct irq_domain *armada_370_xp_mpic_domain;
+ static u32 doorbell_mask_reg;
++static int parent_irq;
+ #ifdef CONFIG_PCI_MSI
+ static struct irq_domain *armada_370_xp_msi_domain;
+ static DECLARE_BITMAP(msi_used, PCI_MSI_DOORBELL_NR);
+@@ -356,6 +357,7 @@ static int armada_xp_mpic_secondary_init
+ {
+ if (action == CPU_STARTING || action == CPU_STARTING_FROZEN)
+ armada_xp_mpic_smp_cpu_init();
++
+ return NOTIFY_OK;
+ }
+
+@@ -364,6 +366,20 @@ static struct notifier_block armada_370_
+ .priority = 100,
+ };
+
++static int mpic_cascaded_secondary_init(struct notifier_block *nfb,
++ unsigned long action, void *hcpu)
++{
++ if (action == CPU_STARTING || action == CPU_STARTING_FROZEN)
++ enable_percpu_irq(parent_irq, IRQ_TYPE_NONE);
++
++ return NOTIFY_OK;
++}
++
++static struct notifier_block mpic_cascaded_cpu_notifier = {
++ .notifier_call = mpic_cascaded_secondary_init,
++ .priority = 100,
++};
++
+ #endif /* CONFIG_SMP */
+
+ static struct irq_domain_ops armada_370_xp_mpic_irq_ops = {
+@@ -539,7 +555,7 @@ static int __init armada_370_xp_mpic_of_
+ struct device_node *parent)
+ {
+ struct resource main_int_res, per_cpu_int_res;
+- int parent_irq, nr_irqs, i;
++ int nr_irqs, i;
+ u32 control;
+
+ BUG_ON(of_address_to_resource(node, 0, &main_int_res));
+@@ -587,6 +603,9 @@ static int __init armada_370_xp_mpic_of_
+ register_cpu_notifier(&armada_370_xp_mpic_cpu_notifier);
+ #endif
+ } else {
++#ifdef CONFIG_SMP
++ register_cpu_notifier(&mpic_cascaded_cpu_notifier);
++#endif
+ irq_set_chained_handler(parent_irq,
+ armada_370_xp_mpic_handle_cascade_irq);
+ }
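Review bot: `parent_irq` becomes a file-scope static written during armada_370_xp_mpic_of_init and read from mpic_cascaded_secondary_init on secondary CPUs, but the declaration carries no comment and the assignment itself is outside the hunks; a comment on the static, `/* GIC PPI the MPIC is chained to; enabled per-CPU by mpic_cascaded_secondary_init */`, would record the ownership. The notifier is registered just before `irq_set_chained_handler(parent_irq, ...)`, so presumably `parent_irq` is already assigned there; worth confirming. The notifier has no CPU_DYING counterpart to `enable_percpu_irq`; if that is intentional, a one-line comment in the notifier body should say so.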
--- /dev/null
+From dc9be0fac70a2ad86e31a81372bb0bdfb6945353 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu, 5 Mar 2015 11:54:46 +0100
+Subject: kvm: move advertising of KVM_CAP_IRQFD to common code
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit dc9be0fac70a2ad86e31a81372bb0bdfb6945353 upstream.
+
+POWER supports irqfds but forgot to advertise them. Some userspace does
+not check for the capability, but others check it---thus they work on
+x86 and s390 but not POWER.
+
+To avoid that other architectures in the future make the same mistake, let
+common code handle KVM_CAP_IRQFD the same way as KVM_CAP_IRQFD_RESAMPLE.
+
+Reported-and-tested-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
+Fixes: 297e21053a52f060944e9f0de4c64fad9bcd72fc
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/kvm-s390.c | 1 -
+ arch/x86/kvm/x86.c | 1 -
+ virt/kvm/kvm_main.c | 1 +
+ 3 files changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -159,7 +159,6 @@ int kvm_vm_ioctl_check_extension(struct
+ case KVM_CAP_ONE_REG:
+ case KVM_CAP_ENABLE_CAP:
+ case KVM_CAP_S390_CSS_SUPPORT:
+- case KVM_CAP_IRQFD:
+ case KVM_CAP_IOEVENTFD:
+ case KVM_CAP_DEVICE_CTRL:
+ case KVM_CAP_ENABLE_CAP_VM:
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2716,7 +2716,6 @@ int kvm_vm_ioctl_check_extension(struct
+ case KVM_CAP_USER_NMI:
+ case KVM_CAP_REINJECT_CONTROL:
+ case KVM_CAP_IRQ_INJECT_STATUS:
+- case KVM_CAP_IRQFD:
+ case KVM_CAP_IOEVENTFD:
+ case KVM_CAP_IOEVENTFD_NO_LENGTH:
+ case KVM_CAP_PIT2:
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -2416,6 +2416,7 @@ static long kvm_vm_ioctl_check_extension
+ case KVM_CAP_SIGNAL_MSI:
+ #endif
+ #ifdef CONFIG_HAVE_KVM_IRQFD
++ case KVM_CAP_IRQFD:
+ case KVM_CAP_IRQFD_RESAMPLE:
+ #endif
+ case KVM_CAP_CHECK_EXTENSION_VM:
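Review bot: The common `case KVM_CAP_IRQFD:` sits under `#ifdef CONFIG_HAVE_KVM_IRQFD`, so s390 and x86 keep advertising irqfd only if they select that option; the diffstat shows no Kconfig change, so presumably they already do, but it should be verified since a miss would silently drop a capability that userspace checks. A one-line comment above the block, `/* irqfd is advertised here for every arch that selects HAVE_KVM_IRQFD */`, would explain why the per-arch entries were removed.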
--- /dev/null
+From 6302ce4d80aa82b3fdb5c5cd68e7268037091b47 Mon Sep 17 00:00:00 2001
+From: James Bottomley <JBottomley@Parallels.com>
+Date: Wed, 4 Mar 2015 16:18:33 -0800
+Subject: libsas: Fix Kernel Crash in smp_execute_task
+
+From: James Bottomley <JBottomley@Parallels.com>
+
+commit 6302ce4d80aa82b3fdb5c5cd68e7268037091b47 upstream.
+
+This crash was reported:
+
+[ 366.947370] sd 3:0:1:0: [sdb] Spinning up disk....
+[ 368.804046] BUG: unable to handle kernel NULL pointer dereference at (null)
+[ 368.804072] IP: [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
+[ 368.804098] PGD 0
+[ 368.804114] Oops: 0002 [#1] SMP
+[ 368.804143] CPU 1
+[ 368.804151] Modules linked in: sg netconsole s3g(PO) uinput joydev hid_multitouch usbhid hid snd_hda_codec_via cpufreq_userspace cpufreq_powersave cpufreq_stats uhci_hcd cpufreq_conservative snd_hda_intel snd_hda_codec snd_hwdep snd_pcm sdhci_pci snd_page_alloc sdhci snd_timer snd psmouse evdev serio_raw pcspkr soundcore xhci_hcd shpchp s3g_drm(O) mvsas mmc_core ahci libahci drm i2c_core acpi_cpufreq mperf video processor button thermal_sys dm_dmirror exfat_fs exfat_core dm_zcache dm_mod padlock_aes aes_generic padlock_sha iscsi_target_mod target_core_mod configfs sswipe libsas libata scsi_transport_sas picdev via_cputemp hwmon_vid fuse parport_pc ppdev lp parport autofs4 ext4 crc16 mbcache jbd2 sd_mod crc_t10dif usb_storage scsi_mod ehci_hcd usbcore usb_common
+[ 368.804749]
+[ 368.804764] Pid: 392, comm: kworker/u:3 Tainted: P W O 3.4.87-logicube-ng.22 #1 To be filled by O.E.M. To be filled by O.E.M./EPIA-M920
+[ 368.804802] RIP: 0010:[<ffffffff81358457>] [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
+[ 368.804827] RSP: 0018:ffff880117001cc0 EFLAGS: 00010246
+[ 368.804842] RAX: 0000000000000000 RBX: ffff8801185030d0 RCX: ffff88008edcb420
+[ 368.804857] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff8801185030d4
+[ 368.804873] RBP: ffff8801181531c0 R08: 0000000000000020 R09: 00000000fffffffe
+[ 368.804885] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801185030d4
+[ 368.804899] R13: 0000000000000002 R14: ffff880117001fd8 R15: ffff8801185030d8
+[ 368.804916] FS: 0000000000000000(0000) GS:ffff88011fc80000(0000) knlGS:0000000000000000
+[ 368.804931] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 368.804946] CR2: 0000000000000000 CR3: 000000000160b000 CR4: 00000000000006e0
+[ 368.804962] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 368.804978] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[ 368.804995] Process kworker/u:3 (pid: 392, threadinfo ffff880117000000, task ffff8801181531c0)
+[ 368.805009] Stack:
+[ 368.805017] ffff8801185030d8 0000000000000000 ffffffff8161ddf0 ffffffff81056f7c
+[ 368.805062] 000000000000b503 ffff8801185030d0 ffff880118503000 0000000000000000
+[ 368.805100] ffff8801185030d0 ffff8801188b8000 ffff88008edcb420 ffffffff813583ac
+[ 368.805135] Call Trace:
+[ 368.805153] [<ffffffff81056f7c>] ? up+0xb/0x33
+[ 368.805168] [<ffffffff813583ac>] ? mutex_lock+0x16/0x25
+[ 368.805194] [<ffffffffa018c414>] ? smp_execute_task+0x4e/0x222 [libsas]
+[ 368.805217] [<ffffffffa018ce1c>] ? sas_find_bcast_dev+0x3c/0x15d [libsas]
+[ 368.805240] [<ffffffffa018ce4f>] ? sas_find_bcast_dev+0x6f/0x15d [libsas]
+[ 368.805264] [<ffffffffa018e989>] ? sas_ex_revalidate_domain+0x37/0x2ec [libsas]
+[ 368.805280] [<ffffffff81355a2a>] ? printk+0x43/0x48
+[ 368.805296] [<ffffffff81359a65>] ? _raw_spin_unlock_irqrestore+0xc/0xd
+[ 368.805318] [<ffffffffa018b767>] ? sas_revalidate_domain+0x85/0xb6 [libsas]
+[ 368.805336] [<ffffffff8104e5d9>] ? process_one_work+0x151/0x27c
+[ 368.805351] [<ffffffff8104f6cd>] ? worker_thread+0xbb/0x152
+[ 368.805366] [<ffffffff8104f612>] ? manage_workers.isra.29+0x163/0x163
+[ 368.805382] [<ffffffff81052c4e>] ? kthread+0x79/0x81
+[ 368.805399] [<ffffffff8135fea4>] ? kernel_thread_helper+0x4/0x10
+[ 368.805416] [<ffffffff81052bd5>] ? kthread_flush_work_fn+0x9/0x9
+[ 368.805431] [<ffffffff8135fea0>] ? gs_change+0x13/0x13
+[ 368.805442] Code: 83 7d 30 63 7e 04 f3 90 eb ab 4c 8d 63 04 4c 8d 7b 08 4c 89 e7 e8 fa 15 00 00 48 8b 43 10 4c 89 3c 24 48 89 63 10 48 89 44 24 08 <48> 89 20 83 c8 ff 48 89 6c 24 10 87 03 ff c8 74 35 4d 89 ee 41
+[ 368.805851] RIP [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
+[ 368.805877] RSP <ffff880117001cc0>
+[ 368.805886] CR2: 0000000000000000
+[ 368.805899] ---[ end trace b720682065d8f4cc ]---
+
+It's directly caused by 89d3cf6 [SCSI] libsas: add mutex for SMP task
+execution, but shows a deeper cause: expander functions expect to be able to
+cast to and treat domain devices as expanders. The correct fix is to only do
+expander discover when we know we've got an expander device to avoid wrongly
+casting a non-expander device.
+
+Reported-by: Praveen Murali <pmurali@logicube.com>
+Tested-by: Praveen Murali <pmurali@logicube.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/libsas/sas_discover.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/libsas/sas_discover.c
++++ b/drivers/scsi/libsas/sas_discover.c
+@@ -500,6 +500,7 @@ static void sas_revalidate_domain(struct
+ struct sas_discovery_event *ev = to_sas_discovery_event(work);
+ struct asd_sas_port *port = ev->port;
+ struct sas_ha_struct *ha = port->ha;
++ struct domain_device *ddev = port->port_dev;
+
+ /* prevent revalidation from finding sata links in recovery */
+ mutex_lock(&ha->disco_mutex);
+@@ -514,8 +515,9 @@ static void sas_revalidate_domain(struct
+ SAS_DPRINTK("REVALIDATING DOMAIN on port %d, pid:%d\n", port->id,
+ task_pid_nr(current));
+
+- if (port->port_dev)
+- res = sas_ex_revalidate_domain(port->port_dev);
++ if (ddev && (ddev->dev_type == SAS_FANOUT_EXPANDER_DEVICE ||
++ ddev->dev_type == SAS_EDGE_EXPANDER_DEVICE))
++ res = sas_ex_revalidate_domain(ddev);
+
+ SAS_DPRINTK("done REVALIDATING DOMAIN on port %d, pid:%d, res 0x%x\n",
+ port->id, task_pid_nr(current), res);
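Review bot: `ddev` is initialized from `port->port_dev` at declaration time, before `mutex_lock(&ha->disco_mutex)` a few lines later, whereas the replaced code read `port->port_dev` only after taking the lock; if disco_mutex also serializes port_dev against teardown, the read has moved out of the protected region. Keep `struct domain_device *ddev;` at the top and assign `ddev = port->port_dev;` after the mutex_lock. The dev_type check itself matches the wrong-cast cause described in the message.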
--- /dev/null
+From 02263db00b6cb98701332aa257c07ca549c2324b Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri, 20 Feb 2015 17:11:10 +0100
+Subject: netfilter: nf_tables: fix addition/deletion of elements from commit/abort
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 02263db00b6cb98701332aa257c07ca549c2324b upstream.
+
+We have several problems in this path:
+
+1) There is a use-after-free when removing individual elements from
+ the commit path.
+
+2) We have to uninit() the data part of the element from the abort
+ path to avoid a chain refcount leak.
+
+3) We have to check for set->flags to see if there's a mapping, instead
+ of the element flags.
+
+4) We have to check for !(flags & NFT_SET_ELEM_INTERVAL_END) to skip
+ elements that are part of the interval that have no data part, so
+ they don't need to be uninit().
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_tables_api.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3606,12 +3606,11 @@ static int nf_tables_commit(struct sk_bu
+ &te->elem,
+ NFT_MSG_DELSETELEM, 0);
+ te->set->ops->get(te->set, &te->elem);
+- te->set->ops->remove(te->set, &te->elem);
+ nft_data_uninit(&te->elem.key, NFT_DATA_VALUE);
+- if (te->elem.flags & NFT_SET_MAP) {
+- nft_data_uninit(&te->elem.data,
+- te->set->dtype);
+- }
++ if (te->set->flags & NFT_SET_MAP &&
++ !(te->elem.flags & NFT_SET_ELEM_INTERVAL_END))
++ nft_data_uninit(&te->elem.data, te->set->dtype);
++ te->set->ops->remove(te->set, &te->elem);
+ nft_trans_destroy(trans);
+ break;
+ }
+@@ -3652,7 +3651,7 @@ static int nf_tables_abort(struct sk_buf
+ {
+ struct net *net = sock_net(skb->sk);
+ struct nft_trans *trans, *next;
+- struct nft_set *set;
++ struct nft_trans_elem *te;
+
+ list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
+ switch (trans->msg_type) {
+@@ -3713,9 +3712,13 @@ static int nf_tables_abort(struct sk_buf
+ break;
+ case NFT_MSG_NEWSETELEM:
+ nft_trans_elem_set(trans)->nelems--;
+- set = nft_trans_elem_set(trans);
+- set->ops->get(set, &nft_trans_elem(trans));
+- set->ops->remove(set, &nft_trans_elem(trans));
++ te = (struct nft_trans_elem *)trans->data;
++ te->set->ops->get(te->set, &te->elem);
++ nft_data_uninit(&te->elem.key, NFT_DATA_VALUE);
++ if (te->set->flags & NFT_SET_MAP &&
++ !(te->elem.flags & NFT_SET_ELEM_INTERVAL_END))
++ nft_data_uninit(&te->elem.data, te->set->dtype);
++ te->set->ops->remove(te->set, &te->elem);
+ nft_trans_destroy(trans);
+ break;
+ case NFT_MSG_DELSETELEM:
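Review bot: The get/uninit/remove sequence is now duplicated between nf_tables_commit (NFT_MSG_DELSETELEM) and nf_tables_abort (NFT_MSG_NEWSETELEM), six lines each with the same NFT_SET_MAP / NFT_SET_ELEM_INTERVAL_END condition; factoring them into one static helper taking `struct nft_trans_elem *te` (name to be chosen, e.g. `nft_trans_elem_release`) keeps the two paths from drifting apart again. The ordering also deserves a why-comment at the `remove()` call in both places, since the commit moved it last: `/* remove() may free the element; release key/data first */` (presumably that was the use-after-free the message describes). In the abort hunk `te` is obtained by a raw cast of `trans->data` while the line above uses the `nft_trans_elem_set()` accessor; one style throughout would read better.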
--- /dev/null
+From 8670c3a55e91cb27a4b4d4d4c4fa35b0149e1abf Mon Sep 17 00:00:00 2001
+From: Patrick McHardy <kaber@trash.net>
+Date: Tue, 3 Mar 2015 20:04:18 +0000
+Subject: netfilter: nf_tables: fix transaction race condition
+
+From: Patrick McHardy <kaber@trash.net>
+
+commit 8670c3a55e91cb27a4b4d4d4c4fa35b0149e1abf upstream.
+
+A race condition exists in the rule transaction code for rules that
+get added and removed within the same transaction.
+
+The new rule starts out as inactive in the current and active in the
+next generation and is inserted into the ruleset. When it is deleted,
+it is additionally set to inactive in the next generation as well.
+
+On commit the next generation is begun, then the actions are finalized.
+For the new rule this would mean clearing out the inactive bit for
+the previously current, now next generation.
+
+However nft_rule_clear() clears out the bits for *both* generations,
+activating the rule in the current generation, where it should be
+deactivated due to being deleted. The rule will thus be active until
+the deletion is finalized, removing the rule from the ruleset.
+
+Similarly, when aborting a transaction for the same case, the undo
+of insertion will remove it from the RCU protected rule list, the
+deletion will clear out all bits. However until the next RCU
+synchronization after all operations have been undone, the rule is
+active on CPUs which can still see the rule on the list.
+
+Generally, there may never be any modifications of the current
+generations' inactive bit since this defeats the entire purpose of
+atomicity. Change nft_rule_clear() to only touch the next generations
+bit to fix this.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -227,7 +227,7 @@ nft_rule_deactivate_next(struct net *net
+
+ static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
+ {
+- rule->genmask = 0;
++ rule->genmask &= ~(1 << gencursor_next(net));
+ }
+
+ static int
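Review bot: nft_rule_clear now clears only the next generation's bit, and the invariant behind that (the current generation's inactive bit must never be modified during a transaction) is stated only in the commit message; a comment above the assignment, `/* only the next generation may be touched: the current one stays fixed until commit */`, would keep the next person from simplifying it back to `= 0`. The `1 << gencursor_next(net)` mask mirrors the deactivate helper named in the hunk header, whose body is outside the hunk.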
--- /dev/null
+From 520aa7414bb590f39d0d1591b06018e60cbc7cf4 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 12 Feb 2015 22:15:31 +0100
+Subject: netfilter: nft_compat: fix module refcount underflow
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 520aa7414bb590f39d0d1591b06018e60cbc7cf4 upstream.
+
+Feb 12 18:20:42 nfdev kernel: ------------[ cut here ]------------
+Feb 12 18:20:42 nfdev kernel: WARNING: CPU: 4 PID: 4359 at kernel/module.c:963 module_put+0x9b/0xba()
+Feb 12 18:20:42 nfdev kernel: CPU: 4 PID: 4359 Comm: ebtables-compat Tainted: G W 3.19.0-rc6+ #43
+[...]
+Feb 12 18:20:42 nfdev kernel: Call Trace:
+Feb 12 18:20:42 nfdev kernel: [<ffffffff815fd911>] dump_stack+0x4c/0x65
+Feb 12 18:20:42 nfdev kernel: [<ffffffff8103e6f7>] warn_slowpath_common+0x9c/0xb6
+Feb 12 18:20:42 nfdev kernel: [<ffffffff8109919f>] ? module_put+0x9b/0xba
+Feb 12 18:20:42 nfdev kernel: [<ffffffff8103e726>] warn_slowpath_null+0x15/0x17
+Feb 12 18:20:42 nfdev kernel: [<ffffffff8109919f>] module_put+0x9b/0xba
+Feb 12 18:20:42 nfdev kernel: [<ffffffff813ecf7c>] nft_match_destroy+0x45/0x4c
+Feb 12 18:20:42 nfdev kernel: [<ffffffff813e683f>] nf_tables_rule_destroy+0x28/0x70
+
+Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nft_compat.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nft_compat.c
++++ b/net/netfilter/nft_compat.c
+@@ -578,8 +578,12 @@ nft_match_select_ops(const struct nft_ct
+ struct xt_match *match = nft_match->ops.data;
+
+ if (strcmp(match->name, mt_name) == 0 &&
+- match->revision == rev && match->family == family)
++ match->revision == rev && match->family == family) {
++ if (!try_module_get(match->me))
++ return ERR_PTR(-ENOENT);
++
+ return &nft_match->ops;
++ }
+ }
+
+ match = xt_request_find_match(family, mt_name, rev);
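Review bot: The cached-match path now takes a module reference before returning the ops, but nothing in the hunk records why, and the same pattern is repeated verbatim in the nft_target_select_ops hunk below. The commit message shows the reference is consumed by module_put() in nft_match_destroy(), so the xt_request_find_match() fallback presumably already holds one and the cached path had to balance it; a one-line comment above the new `try_module_get()`, such as `/* cached ops must hold a module ref like xt_request_find_match() does; dropped in nft_match_destroy() */`, would make that contract visible at both sites. nft_match_select_ops begins before the hunk, so the lifetime of `nft_match` itself is not visible here.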
+@@ -648,8 +652,12 @@ nft_target_select_ops(const struct nft_c
+ struct xt_target *target = nft_target->ops.data;
+
+ if (strcmp(target->name, tg_name) == 0 &&
+- target->revision == rev && target->family == family)
++ target->revision == rev && target->family == family) {
++ if (!try_module_get(target->me))
++ return ERR_PTR(-ENOENT);
++
+ return &nft_target->ops;
++ }
+ }
+
+ target = xt_request_find_target(family, tg_name, rev);
--- /dev/null
+From 78296c97ca1fd3b104f12e1f1fbc06c46635990b Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 15 Feb 2015 19:03:45 -0800
+Subject: netfilter: xt_socket: fix a stack corruption bug
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 78296c97ca1fd3b104f12e1f1fbc06c46635990b upstream.
+
+As soon as extract_icmp6_fields() returns, its local storage (automatic
+variables) is deallocated and can be overwritten.
+
+Let's add an additional parameter to make sure storage is valid long
+enough.
+
+While we are at it, adds some const qualifiers.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Fixes: b64c9256a9b76 ("tproxy: added IPv6 support to the socket match")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/xt_socket.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/net/netfilter/xt_socket.c
++++ b/net/netfilter/xt_socket.c
+@@ -243,12 +243,13 @@ static int
+ extract_icmp6_fields(const struct sk_buff *skb,
+ unsigned int outside_hdrlen,
+ int *protocol,
+- struct in6_addr **raddr,
+- struct in6_addr **laddr,
++ const struct in6_addr **raddr,
++ const struct in6_addr **laddr,
+ __be16 *rport,
+- __be16 *lport)
++ __be16 *lport,
++ struct ipv6hdr *ipv6_var)
+ {
+- struct ipv6hdr *inside_iph, _inside_iph;
++ const struct ipv6hdr *inside_iph;
+ struct icmp6hdr *icmph, _icmph;
+ __be16 *ports, _ports[2];
+ u8 inside_nexthdr;
+@@ -263,12 +264,14 @@ extract_icmp6_fields(const struct sk_buf
+ if (icmph->icmp6_type & ICMPV6_INFOMSG_MASK)
+ return 1;
+
+- inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph), sizeof(_inside_iph), &_inside_iph);
++ inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph),
++ sizeof(*ipv6_var), ipv6_var);
+ if (inside_iph == NULL)
+ return 1;
+ inside_nexthdr = inside_iph->nexthdr;
+
+- inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) + sizeof(_inside_iph),
++ inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) +
++ sizeof(*ipv6_var),
+ &inside_nexthdr, &inside_fragoff);
+ if (inside_hdrlen < 0)
+ return 1; /* hjm: Packet has no/incomplete transport layer headers. */
+@@ -315,10 +318,10 @@ xt_socket_get_sock_v6(struct net *net, c
+ static bool
+ socket_mt6_v1_v2(const struct sk_buff *skb, struct xt_action_param *par)
+ {
+- struct ipv6hdr *iph = ipv6_hdr(skb);
++ struct ipv6hdr ipv6_var, *iph = ipv6_hdr(skb);
+ struct udphdr _hdr, *hp = NULL;
+ struct sock *sk = skb->sk;
+- struct in6_addr *daddr = NULL, *saddr = NULL;
++ const struct in6_addr *daddr = NULL, *saddr = NULL;
+ __be16 uninitialized_var(dport), uninitialized_var(sport);
+ int thoff = 0, uninitialized_var(tproto);
+ const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo;
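Review bot: The new declaration `struct ipv6hdr ipv6_var, *iph = ipv6_hdr(skb);` mixes a by-value object and an initialised pointer in one declarator list, which hides the fact that `ipv6_var` is now the storage behind `saddr`/`daddr` for the rest of the function. Giving it its own line, `struct ipv6hdr ipv6_var; /* backing store for saddr/daddr filled by extract_icmp6_fields() */`, documents the lifetime requirement this commit exists to fix. socket_mt6_v1_v2 continues outside the hunk, so where saddr/daddr are dereferenced after the ICMPv6 branch (presumably the socket lookup) is not visible here.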
+@@ -342,7 +345,7 @@ socket_mt6_v1_v2(const struct sk_buff *s
+
+ } else if (tproto == IPPROTO_ICMPV6) {
+ if (extract_icmp6_fields(skb, thoff, &tproto, &saddr, &daddr,
+- &sport, &dport))
++ &sport, &dport, &ipv6_var))
+ return false;
+ } else {
+ return false;
--- /dev/null
+From 106937e8ccdcf0f4b95fbf0fe9abd42766cade33 Mon Sep 17 00:00:00 2001
+From: Leif Lindholm <leif.lindholm@linaro.org>
+Date: Fri, 6 Mar 2015 16:52:53 +0000
+Subject: of: fix handling of '/' in options for of_find_node_by_path()
+
+From: Leif Lindholm <leif.lindholm@linaro.org>
+
+commit 106937e8ccdcf0f4b95fbf0fe9abd42766cade33 upstream.
+
+Ensure proper handling of paths with appended options (after ':'),
+where those options may contain a '/'.
+
+Fixes: 7914a7c5651a ("of: support passing console options with stdout-path")
+Reported-by: Peter Hurley <peter@hurleysoftware.com>
+Signed-off-by: Leif Lindholm <leif.lindholm@linaro.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/base.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -714,16 +714,17 @@ static struct device_node *__of_find_nod
+ const char *path)
+ {
+ struct device_node *child;
+- int len = strchrnul(path, '/') - path;
+- int term;
++ int len;
++ const char *end;
+
++ end = strchr(path, ':');
++ if (!end)
++ end = strchrnul(path, '/');
++
++ len = end - path;
+ if (!len)
+ return NULL;
+
+- term = strchrnul(path, ':') - path;
+- if (term < len)
+- len = term;
+-
+ __for_each_child_of_node(parent, child) {
+ const char *name = strrchr(child->full_name, '/');
+ if (WARN(!name, "malformed device_node %s\n", child->full_name))
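Review bot: `end = strchr(path, ':')` is evaluated before the `'/'` search, so for a path with more than one component ahead of the options separator (the shape `/rdb/serial@f040ab00:115200` quoted by the next patch in this series) `len` spans past the first `'/'` and the child comparison below is made against the wrong component. The follow-up commit on this page replaces both lookups with `len = strcspn(path, "/:");`, which takes the first occurrence of either character; that form is the one to keep. The remainder of __of_find_node_by_path, where `len` is consumed, lies outside the hunk.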
+@@ -768,8 +769,12 @@ struct device_node *of_find_node_opts_by
+
+ /* The path could begin with an alias */
+ if (*path != '/') {
+- char *p = strchrnul(path, '/');
+- int len = separator ? separator - path : p - path;
++ int len;
++ const char *p = separator;
++
++ if (!p)
++ p = strchrnul(path, '/');
++ len = p - path;
+
+ /* of_aliases must not be NULL */
+ if (!of_aliases)
+@@ -794,6 +799,8 @@ struct device_node *of_find_node_opts_by
+ path++; /* Increment past '/' delimiter */
+ np = __of_find_node_by_path(np, path);
+ path = strchrnul(path, '/');
++ if (separator && separator < path)
++ break;
+ }
+ raw_spin_unlock_irqrestore(&devtree_lock, flags);
+ return np;
--- /dev/null
+From 721a09e95c786346b4188863a1cfa3909c76f690 Mon Sep 17 00:00:00 2001
+From: Brian Norris <computersforpeace@gmail.com>
+Date: Tue, 17 Mar 2015 12:30:31 -0700
+Subject: of: handle both '/' and ':' in path strings
+
+From: Brian Norris <computersforpeace@gmail.com>
+
+commit 721a09e95c786346b4188863a1cfa3909c76f690 upstream.
+
+Commit 106937e8ccdc ("of: fix handling of '/' in options for
+of_find_node_by_path()") caused a regression in OF handling of
+stdout-path. While it fixes some cases which have '/' after the ':', it
+breaks cases where there is more than one '/' *before* the ':'.
+
+For example, it breaks this boot string
+
+ stdout-path = "/rdb/serial@f040ab00:115200";
+
+So rather than doing sequentialized checks (first for '/', then for ':';
+or vice versa), to get the correct behavior we need to check for the
+first occurrence of either one of them.
+
+It so happens that the handy strcspn() helper can do just that.
+
+Fixes: 106937e8ccdc ("of: fix handling of '/' in options for of_find_node_by_path()")
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Acked-by: Leif Lindholm <leif.lindholm@linaro.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/base.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -715,13 +715,8 @@ static struct device_node *__of_find_nod
+ {
+ struct device_node *child;
+ int len;
+- const char *end;
+
+- end = strchr(path, ':');
+- if (!end)
+- end = strchrnul(path, '/');
+-
+- len = end - path;
++ len = strcspn(path, "/:");
+ if (!len)
+ return NULL;
+
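Review bot: `len` is still declared `int` while `strcspn()` returns `size_t`, so the new assignment silently narrows; declaring `size_t len;` would keep the types consistent and avoid a -Wconversion warning. The uses of `len` later in __of_find_node_by_path are outside the hunk, so whether it is compared against signed values there is not visible.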
--- /dev/null
+From ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Mon, 9 Mar 2015 23:11:12 +0200
+Subject: pagemap: do not leak physical addresses to non-privileged userspace
+
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+
+commit ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce upstream.
+
+As pointed by recent post[1] on exploiting DRAM physical imperfection,
+/proc/PID/pagemap exposes sensitive information which can be used to do
+attacks.
+
+This disallows anybody without CAP_SYS_ADMIN to read the pagemap.
+
+[1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
+
+[ Eventually we might want to do anything more finegrained, but for now
+ this is the simple model. - Linus ]
+
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Acked-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
+Acked-by: Andy Lutomirski <luto@amacapital.net>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mark Seaborn <mseaborn@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/task_mmu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -1326,6 +1326,9 @@ out:
+
+ static int pagemap_open(struct inode *inode, struct file *file)
+ {
++ /* do not disclose physical addresses: attack vector */
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
+ pr_warn_once("Bits 55-60 of /proc/PID/pagemap entries are about "
+ "to stop being page-shift some time soon. See the "
+ "linux/Documentation/vm/pagemap.txt for details.\n");
--- /dev/null
+From 4efe874aace57dba967624ce1c48322da2447b75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Wed, 4 Feb 2015 17:38:15 -0500
+Subject: PCI: Don't read past the end of sysfs "driver_override" buffer
+
+From: Sasha Levin <sasha.levin@oracle.com>
+
+commit 4efe874aace57dba967624ce1c48322da2447b75 upstream.
+
+When printing the driver_override parameter when it is 4095 and 4094 bytes
+long, the printing code would access invalid memory because we need count+1
+bytes for printing.
+
+Fixes: 782a985d7af2 ("PCI: Introduce new device binding path using pci_dev.driver_override")
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Alex Williamson <alex.williamson@redhat.com>
+CC: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+CC: Alexander Graf <agraf@suse.de>
+CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pci-sysfs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -521,7 +521,8 @@ static ssize_t driver_override_store(str
+ struct pci_dev *pdev = to_pci_dev(dev);
+ char *driver_override, *old = pdev->driver_override, *cp;
+
+- if (count > PATH_MAX)
++ /* We need to keep extra room for a newline */
++ if (count >= (PAGE_SIZE - 1))
+ return -EINVAL;
+
+ driver_override = kstrndup(buf, count, GFP_KERNEL);
+@@ -549,7 +550,7 @@ static ssize_t driver_override_show(stru
+ {
+ struct pci_dev *pdev = to_pci_dev(dev);
+
+- return sprintf(buf, "%s\n", pdev->driver_override);
++ return snprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override);
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
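Review bot: The new `snprintf(buf, PAGE_SIZE, ...)` returns the length the output would have needed rather than the bytes written, so if `driver_override` could ever hold more than PAGE_SIZE - 2 characters the show callback would report a size larger than the buffer; the store-side bound `if (count >= (PAGE_SIZE - 1))` in the first hunk is what rules that out, and the two sites should reference each other. A comment on the show side such as `/* strlen + '\n' + NUL fits: driver_override_store() rejects count >= PAGE_SIZE - 1 */` makes the coupling explicit, and the store-side comment could mention the NUL terminator as well as the newline. Whether driver_override can be NULL here is decided outside the hunk; `%s` handling of NULL is unchanged by the commit.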
--- /dev/null
+From 4ad04e5987115ece5fa8a0cf1dc72fcd4707e33e Mon Sep 17 00:00:00 2001
+From: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
+Date: Sat, 21 Feb 2015 11:00:50 -0800
+Subject: powerpc/iommu: Remove IOMMU device references via bus notifier
+
+From: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
+
+commit 4ad04e5987115ece5fa8a0cf1dc72fcd4707e33e upstream.
+
+After d905c5df9aef ("PPC: POWERNV: move iommu_add_device earlier"), the
+refcnt on the kobject backing the IOMMU group for a PCI device is
+elevated by each call to pci_dma_dev_setup_pSeriesLP() (via
+set_iommu_table_base_and_group). When we go to dlpar a multi-function
+PCI device out:
+
+ iommu_reconfig_notifier ->
+ iommu_free_table ->
+ iommu_group_put
+ BUG_ON(tbl->it_group)
+
+We trip this BUG_ON, because there are still references on the table, so
+it is not freed. Fix this by moving the powernv bus notifier to common
+code and calling it for both powernv and pseries.
+
+Fixes: d905c5df9aef ("PPC: POWERNV: move iommu_add_device earlier")
+Signed-off-by: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
+Tested-by: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/iommu.h | 6 ++++++
+ arch/powerpc/kernel/iommu.c | 26 ++++++++++++++++++++++++++
+ arch/powerpc/platforms/powernv/pci.c | 26 --------------------------
+ arch/powerpc/platforms/pseries/iommu.c | 2 ++
+ 4 files changed, 34 insertions(+), 26 deletions(-)
+
+--- a/arch/powerpc/include/asm/iommu.h
++++ b/arch/powerpc/include/asm/iommu.h
+@@ -113,6 +113,7 @@ extern void iommu_register_group(struct
+ int pci_domain_number, unsigned long pe_num);
+ extern int iommu_add_device(struct device *dev);
+ extern void iommu_del_device(struct device *dev);
++extern int __init tce_iommu_bus_notifier_init(void);
+ #else
+ static inline void iommu_register_group(struct iommu_table *tbl,
+ int pci_domain_number,
+@@ -128,6 +129,11 @@ static inline int iommu_add_device(struc
+ static inline void iommu_del_device(struct device *dev)
+ {
+ }
++
++static inline int __init tce_iommu_bus_notifier_init(void)
++{
++ return 0;
++}
+ #endif /* !CONFIG_IOMMU_API */
+
+ static inline void set_iommu_table_base_and_group(struct device *dev,
+--- a/arch/powerpc/kernel/iommu.c
++++ b/arch/powerpc/kernel/iommu.c
+@@ -1175,4 +1175,30 @@ void iommu_del_device(struct device *dev
+ }
+ EXPORT_SYMBOL_GPL(iommu_del_device);
+
++static int tce_iommu_bus_notifier(struct notifier_block *nb,
++ unsigned long action, void *data)
++{
++ struct device *dev = data;
++
++ switch (action) {
++ case BUS_NOTIFY_ADD_DEVICE:
++ return iommu_add_device(dev);
++ case BUS_NOTIFY_DEL_DEVICE:
++ if (dev->iommu_group)
++ iommu_del_device(dev);
++ return 0;
++ default:
++ return 0;
++ }
++}
++
++static struct notifier_block tce_iommu_bus_nb = {
++ .notifier_call = tce_iommu_bus_notifier,
++};
++
++int __init tce_iommu_bus_notifier_init(void)
++{
++ bus_register_notifier(&pci_bus_type, &tce_iommu_bus_nb);
++ return 0;
++}
+ #endif /* CONFIG_IOMMU_API */
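Review bot: `tce_iommu_bus_notifier_init()` discards the result of `bus_register_notifier()` and always returns 0, so a registration failure would silently leave the bus without the BUS_NOTIFY_DEL_DEVICE hook this commit relies on to drop the IOMMU group reference; `return bus_register_notifier(&pci_bus_type, &tce_iommu_bus_nb);` propagates it to the initcall machinery instead. This is moved rather than new code, but since it now serves both powernv and pseries a short header comment stating that the notifier presumably has to be registered before PCI devices are added (or the ADD_DEVICE event is never seen) would help the next reader; whether subsys_initcall_sync is early enough on pseries is not visible here.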
+--- a/arch/powerpc/platforms/powernv/pci.c
++++ b/arch/powerpc/platforms/powernv/pci.c
+@@ -866,30 +866,4 @@ void __init pnv_pci_init(void)
+ #endif
+ }
+
+-static int tce_iommu_bus_notifier(struct notifier_block *nb,
+- unsigned long action, void *data)
+-{
+- struct device *dev = data;
+-
+- switch (action) {
+- case BUS_NOTIFY_ADD_DEVICE:
+- return iommu_add_device(dev);
+- case BUS_NOTIFY_DEL_DEVICE:
+- if (dev->iommu_group)
+- iommu_del_device(dev);
+- return 0;
+- default:
+- return 0;
+- }
+-}
+-
+-static struct notifier_block tce_iommu_bus_nb = {
+- .notifier_call = tce_iommu_bus_notifier,
+-};
+-
+-static int __init tce_iommu_bus_notifier_init(void)
+-{
+- bus_register_notifier(&pci_bus_type, &tce_iommu_bus_nb);
+- return 0;
+-}
+ machine_subsys_initcall_sync(powernv, tce_iommu_bus_notifier_init);
+--- a/arch/powerpc/platforms/pseries/iommu.c
++++ b/arch/powerpc/platforms/pseries/iommu.c
+@@ -1340,3 +1340,5 @@ static int __init disable_multitce(char
+ }
+
+ __setup("multitce=", disable_multitce);
++
++machine_subsys_initcall_sync(pseries, tce_iommu_bus_notifier_init);
--- /dev/null
+From 875ebe940d77a41682c367ad799b4f39f128d3fa Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Tue, 24 Feb 2015 17:58:02 +1100
+Subject: powerpc/smp: Wait until secondaries are active & online
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 875ebe940d77a41682c367ad799b4f39f128d3fa upstream.
+
+Anton has a busy ppc64le KVM box where guests sometimes hit the infamous
+"kernel BUG at kernel/smpboot.c:134!" issue during boot:
+
+ BUG_ON(td->cpu != smp_processor_id());
+
+Basically a per CPU hotplug thread scheduled on the wrong CPU. The oops
+output confirms it:
+
+ CPU: 0
+ Comm: watchdog/130
+
+The problem is that we aren't ensuring the CPU active bit is set for the
+secondary before allowing the master to continue on. The master unparks
+the secondary CPU's kthreads and the scheduler looks for a CPU to run
+on. It calls select_task_rq() and realises the suggested CPU is not in
+the cpus_allowed mask. It then ends up in select_fallback_rq(), and
+since the active bit isn't set we choose some other CPU to run on.
+
+This seems to have been introduced by 6acbfb96976f "sched: Fix hotplug
+vs. set_cpus_allowed_ptr()", which changed from setting active before
+online to setting active after online. However that was in turn fixing a
+bug where other code assumed an active CPU was also online, so we can't
+just revert that fix.
+
+The simplest fix is just to spin waiting for both active & online to be
+set. We already have a barrier prior to set_cpu_online() (which also
+sets active), to ensure all other setup is completed before online &
+active are set.
+
+Fixes: 6acbfb96976f ("sched: Fix hotplug vs. set_cpus_allowed_ptr()")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/smp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/smp.c
++++ b/arch/powerpc/kernel/smp.c
+@@ -555,8 +555,8 @@ int __cpu_up(unsigned int cpu, struct ta
+ if (smp_ops->give_timebase)
+ smp_ops->give_timebase();
+
+- /* Wait until cpu puts itself in the online map */
+- while (!cpu_online(cpu))
++ /* Wait until cpu puts itself in the online & active maps */
++ while (!cpu_online(cpu) || !cpu_active(cpu))
+ cpu_relax();
+
+ return 0;
drm-don-t-assign-fbs-for-universal-cursor-support-to-files.patch
drm-i915-add-dev_to_i915-helper.patch
drm-i915-gen4-work-around-hang-during-hibernation.patch
+drivers-rtc-rtc-s3c.c-add-.needs_src_clk-to-s3c6410-rtc-data.patch
+xen-events-avoid-null-pointer-dereference-in-dom0-on-large-machines.patch
+x86-xen-correct-bug-in-p2m-list-initialization.patch
+xen-pciback-limit-guest-control-of-command-register.patch
+of-fix-handling-of-in-options-for-of_find_node_by_path.patch
+of-handle-both-and-in-path-strings.patch
+gadgetfs-use-after-free-in-aio_read.patch
+libsas-fix-kernel-crash-in-smp_execute_task.patch
+pci-don-t-read-past-the-end-of-sysfs-driver_override-buffer.patch
+irqchip-armada-370-xp-fix-chained-per-cpu-interrupts.patch
+pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch
+crypto-arm-aes-update-neon-aes-module-to-latest-openssl-version.patch
+crypto-aesni-fix-memory-usage-in-gcm-decryption.patch
+x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch
+x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch
+kvm-move-advertising-of-kvm_cap_irqfd-to-common-code.patch
+x86-vdso-fix-the-build-on-gcc5.patch
+x86-asm-entry-32-fix-user_mode-misuses.patch
+x86-apic-numachip-fix-sibling-map-with-numachip.patch
+powerpc-smp-wait-until-secondaries-are-active-online.patch
+powerpc-iommu-remove-iommu-device-references-via-bus-notifier.patch
+ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch
+ipvs-fix-inability-to-remove-a-mixed-family-rs.patch
+netfilter-nft_compat-fix-module-refcount-underflow.patch
+netfilter-xt_socket-fix-a-stack-corruption-bug.patch
+netfilter-nf_tables-fix-transaction-race-condition.patch
+netfilter-nf_tables-fix-addition-deletion-of-elements-from-commit-abort.patch
--- /dev/null
+From c8a470cab030bae8f9e6e5cfff72b047b7c627a7 Mon Sep 17 00:00:00 2001
+From: Daniel J Blueman <daniel@numascale.com>
+Date: Thu, 12 Mar 2015 16:55:13 +0100
+Subject: x86/apic/numachip: Fix sibling map with NumaChip
+
+From: Daniel J Blueman <daniel@numascale.com>
+
+commit c8a470cab030bae8f9e6e5cfff72b047b7c627a7 upstream.
+
+On NumaChip systems, the physical processor ID assignment wasn't
+accounting for the number of nodes in AMD multi-module
+processors, giving an incorrect sibling map:
+
+ $ cd /sys/devices/system/cpu/cpu29/topology
+ $ grep . *
+ core_id:5
+ core_siblings:00000000,ff000000
+ core_siblings_list:24-31
+ physical_package_id:3
+ thread_siblings:00000000,30000000
+ thread_siblings_list:28-29
+
+This fixes it:
+
+ $ cd /sys/devices/system/cpu/cpu29/topology
+ $ grep . *
+ core_id:5
+ core_siblings:00000000,ffff0000
+ core_siblings_list:16-31
+ physical_package_id:1
+ thread_siblings:00000000,30000000
+ thread_siblings_list:28-29
+
+Signed-off-by: Daniel J Blueman <daniel@numascale.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Steffen Persvold <sp@numascale.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/1426135950-10110-1-git-send-email-daniel@numascale.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/apic_numachip.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/apic/apic_numachip.c
++++ b/arch/x86/kernel/apic/apic_numachip.c
+@@ -37,10 +37,12 @@ static const struct apic apic_numachip;
+ static unsigned int get_apic_id(unsigned long x)
+ {
+ unsigned long value;
+- unsigned int id;
++ unsigned int id = (x >> 24) & 0xff;
+
+- rdmsrl(MSR_FAM10H_NODE_ID, value);
+- id = ((x >> 24) & 0xffU) | ((value << 2) & 0xff00U);
++ if (static_cpu_has_safe(X86_FEATURE_NODEID_MSR)) {
++ rdmsrl(MSR_FAM10H_NODE_ID, value);
++ id |= (value << 2) & 0xff00;
++ }
+
+ return id;
+ }
+@@ -155,10 +157,18 @@ static int __init numachip_probe(void)
+
+ static void fixup_cpu_id(struct cpuinfo_x86 *c, int node)
+ {
+- if (c->phys_proc_id != node) {
+- c->phys_proc_id = node;
+- per_cpu(cpu_llc_id, smp_processor_id()) = node;
++ u64 val;
++ u32 nodes = 1;
++
++ this_cpu_write(cpu_llc_id, node);
++
++ /* Account for nodes per socket in multi-core-module processors */
++ if (static_cpu_has_safe(X86_FEATURE_NODEID_MSR)) {
++ rdmsrl(MSR_FAM10H_NODE_ID, val);
++ nodes = ((val >> 3) & 7) + 1;
+ }
++
++ c->phys_proc_id = node / nodes;
+ }
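Review bot: The MSR decoding in `nodes = ((val >> 3) & 7) + 1;`, and `id |= (value << 2) & 0xff00;` in the get_apic_id hunk above, use bare shift and mask constants with no indication of which MSR_FAM10H_NODE_ID fields they extract. A comment above the new line, `/* bits 5:3 of MSR_FAM10H_NODE_ID: nodes per processor minus one */`, or small static helpers shared by get_apic_id() and fixup_cpu_id(), would make the two call sites verifiably consistent. Note also that fixup_cpu_id() now writes `cpu_llc_id` and `phys_proc_id` unconditionally where the old code wrote only when they differed; that looks intended but is not mentioned in the commit message.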
+
+ static int __init numachip_system_init(void)
--- /dev/null
+From 394838c96013ba414a24ffe7a2a593a9154daadf Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Mon, 9 Mar 2015 17:42:31 -0700
+Subject: x86/asm/entry/32: Fix user_mode() misuses
+
+From: Andy Lutomirski <luto@amacapital.net>
+
+commit 394838c96013ba414a24ffe7a2a593a9154daadf upstream.
+
+The one in do_debug() is probably harmless, but better safe than sorry.
+
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/d67deaa9df5458363623001f252d1aee3215d014.1425948056.git.luto@amacapital.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/traps.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/traps.c
++++ b/arch/x86/kernel/traps.c
+@@ -300,7 +300,7 @@ dotraplinkage void do_bounds(struct pt_r
+ goto exit;
+ conditional_sti(regs);
+
+- if (!user_mode(regs))
++ if (!user_mode_vm(regs))
+ die("bounds", regs, error_code);
+
+ if (!cpu_feature_enabled(X86_FEATURE_MPX)) {
+@@ -566,7 +566,7 @@ dotraplinkage void do_debug(struct pt_re
+ * then it's very likely the result of an icebp/int01 trap.
+ * User wants a sigtrap for that.
+ */
+- if (!dr6 && user_mode(regs))
++ if (!dr6 && user_mode_vm(regs))
+ user_icebp = 1;
+
+ /* Catch kmemcheck conditions first of all! */
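Review bot: Neither this replacement nor the one in the do_bounds hunk above says why `user_mode_vm()` is required, and the commit message only calls the old form a misuse; on 32-bit, user_mode() presumably does not classify VM86 frames as user mode, which is the difference user_mode_vm() exists for. A short comment at the do_bounds site, `/* user_mode_vm(): VM86 frames are user mode too */`, would keep a later cleanup from reverting it. do_bounds and do_debug both extend beyond their hunks.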
--- /dev/null
+From a7c80ebcac3068b1c3cb27d538d29558c30010c8 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Fri, 13 Mar 2015 09:53:09 +0100
+Subject: x86/fpu: Avoid math_state_restore() without used_math() in __restore_xstate_sig()
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit a7c80ebcac3068b1c3cb27d538d29558c30010c8 upstream.
+
+math_state_restore() assumes it is called with irqs disabled,
+but this is not true if the caller is __restore_xstate_sig().
+
+This means that if ia32_fxstate == T and __copy_from_user()
+fails, __restore_xstate_sig() returns with irqs disabled too.
+
+This triggers:
+
+ BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:41
+ dump_stack
+ ___might_sleep
+ ? _raw_spin_unlock_irqrestore
+ __might_sleep
+ down_read
+ ? _raw_spin_unlock_irqrestore
+ print_vma_addr
+ signal_fault
+ sys32_rt_sigreturn
+
+Change __restore_xstate_sig() to call set_used_math()
+unconditionally. This avoids enabling and disabling interrupts
+in math_state_restore(). If copy_from_user() fails, we can
+simply do fpu_finit() by hand.
+
+[ Note: this is only the first step. math_state_restore() should
+ not check used_math(), it should set this flag. While
+ init_fpu() should simply die. ]
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Pekka Riikonen <priikone@iki.fi>
+Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Suresh Siddha <sbsiddha@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20150307153844.GB25954@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/xsave.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/xsave.c
++++ b/arch/x86/kernel/xsave.c
+@@ -378,7 +378,7 @@ int __restore_xstate_sig(void __user *bu
+ * thread's fpu state, reconstruct fxstate from the fsave
+ * header. Sanitize the copied state etc.
+ */
+- struct xsave_struct *xsave = &tsk->thread.fpu.state->xsave;
++ struct fpu *fpu = &tsk->thread.fpu;
+ struct user_i387_ia32_struct env;
+ int err = 0;
+
+@@ -392,14 +392,15 @@ int __restore_xstate_sig(void __user *bu
+ */
+ drop_fpu(tsk);
+
+- if (__copy_from_user(xsave, buf_fx, state_size) ||
++ if (__copy_from_user(&fpu->state->xsave, buf_fx, state_size) ||
+ __copy_from_user(&env, buf, sizeof(env))) {
++ fpu_finit(fpu);
+ err = -1;
+ } else {
+ sanitize_restored_xstate(tsk, &env, xstate_bv, fx_only);
+- set_used_math();
+ }
+
++ set_used_math();
+ if (use_eager_fpu()) {
+ preempt_disable();
+ math_state_restore();
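Review bot: The error branch now calls `fpu_finit(fpu)` with no comment, and the reason — `set_used_math()` is now unconditional, so the state that math_state_restore() below loads must be valid even when the copy failed — lives only in the commit message. A comment on the new line such as `/* copy failed: load a clean init state, since used_math() is set unconditionally below */`, and on the moved `set_used_math()` something like `/* keeps math_state_restore() off its init_fpu() path, which toggles irqs */`, would record it in the code. __restore_xstate_sig continues outside the hunk, where `err` is presumably returned.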
--- /dev/null
+From f4c3686386393c120710dd34df2a74183ab805fd Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Fri, 13 Mar 2015 09:53:10 +0100
+Subject: x86/fpu: Drop_fpu() should not assume that tsk equals current
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit f4c3686386393c120710dd34df2a74183ab805fd upstream.
+
+drop_fpu() does clear_used_math() and usually this is correct
+because tsk == current.
+
+However switch_fpu_finish()->restore_fpu_checking() is called before
+__switch_to() updates the "current_task" variable. If it fails,
+we will wrongly clear the PF_USED_MATH flag of the previous task.
+
+So use clear_stopped_child_used_math() instead.
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Rik van Riel <riel@redhat.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Pekka Riikonen <priikone@iki.fi>
+Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Cc: Suresh Siddha <sbsiddha@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20150309171041.GB11388@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/fpu-internal.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/fpu-internal.h
++++ b/arch/x86/include/asm/fpu-internal.h
+@@ -368,7 +368,7 @@ static inline void drop_fpu(struct task_
+ preempt_disable();
+ tsk->thread.fpu_counter = 0;
+ __drop_fpu(tsk);
+- clear_used_math();
++ clear_stopped_child_used_math(tsk);
+ preempt_enable();
+ }
+
--- /dev/null
+From e893286918d2cde3a94850d8f7101cd1039e0c62 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Thu, 5 Mar 2015 09:13:31 +0100
+Subject: x86/vdso: Fix the build on GCC5
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit e893286918d2cde3a94850d8f7101cd1039e0c62 upstream.
+
+On gcc5 the kernel does not link:
+
+ ld: .eh_frame_hdr table[4] FDE at 0000000000000648 overlaps table[5] FDE at 0000000000000670.
+
+Because prior GCC versions always emitted NOPs on ALIGN directives, but
+gcc5 started omitting them.
+
+.LSTARTFDEDLSI1 says:
+
+ /* HACK: The dwarf2 unwind routines will subtract 1 from the
+ return address to get an address in the middle of the
+ presumed call instruction. Since we didn't get here via
+ a call, we need to include the nop before the real start
+ to make up for it. */
+ .long .LSTART_sigreturn-1-. /* PC-relative start address */
+
+But commit 69d0627a7f6e ("x86 vDSO: reorder vdso32 code") from 2.6.25
+replaced .org __kernel_vsyscall+32,0x90 by ALIGN right before
+__kernel_sigreturn.
+
+Of course, ALIGN need not generate any NOP in there. Esp. gcc5 collapses
+vclock_gettime.o and int80.o together with no generated NOPs as "ALIGN".
+
+So fix this by adding to that point at least a single NOP and make the
+function ALIGN possibly with more NOPs then.
+
+Kudos for reporting and diagnosing should go to Richard.
+
+Reported-by: Richard Biener <rguenther@suse.de>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Acked-by: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/1425543211-12542-1-git-send-email-jslaby@suse.cz
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/vdso/vdso32/sigreturn.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/vdso/vdso32/sigreturn.S
++++ b/arch/x86/vdso/vdso32/sigreturn.S
+@@ -17,6 +17,7 @@
+ .text
+ .globl __kernel_sigreturn
+ .type __kernel_sigreturn,@function
++ nop /* this guy is needed for .LSTARTFDEDLSI1 below (watch for HACK) */
+ ALIGN
+ __kernel_sigreturn:
+ .LSTART_sigreturn:
--- /dev/null
+From b8f05c8803fce899d79ca66f8d7f348cf15fb40e Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Fri, 27 Feb 2015 15:45:29 +0100
+Subject: x86/xen: correct bug in p2m list initialization
+
+From: Juergen Gross <jgross@suse.com>
+
+commit b8f05c8803fce899d79ca66f8d7f348cf15fb40e upstream.
+
+Commit 054954eb051f35e74b75a566a96fe756015352c8 ("xen: switch to
+linear virtual mapped sparse p2m list") introduced an error.
+
+During initialization of the p2m list a p2m identity area mapped by
+a complete identity pmd entry has to be split up into smaller chunks
+sometimes, if a non-identity pfn is introduced in this area.
+
+If this non-identity pfn is not at index 0 of a p2m page the new
+p2m page needed is initialized with wrong identity entries, as the
+identity pfns don't start with the value corresponding to index 0,
+but with the initial non-identity pfn. This results in weird wrong
+mappings.
+
+Correct the wrong initialization by starting with the correct pfn.
+
+Reported-by: Stefan Bader <stefan.bader@canonical.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Stefan Bader <stefan.bader@canonical.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/xen/p2m.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/xen/p2m.c
++++ b/arch/x86/xen/p2m.c
+@@ -567,7 +567,7 @@ static bool alloc_p2m(unsigned long pfn)
+ if (p2m_pfn == PFN_DOWN(__pa(p2m_missing)))
+ p2m_init(p2m);
+ else
+- p2m_init_identity(p2m, pfn);
++ p2m_init_identity(p2m, pfn & ~(P2M_PER_PAGE - 1));
+
+ spin_lock_irqsave(&p2m_update_lock, flags);
+
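Review bot: `pfn & ~(P2M_PER_PAGE - 1)` rounds down correctly only if P2M_PER_PAGE is a power of two; that is presumably true for a per-page entry count, but nothing in the hunk states it, and a future change to the constant would silently turn this into a wrong mapping of exactly the kind the commit fixes. A comment on the intent, `/* first pfn covered by this p2m page */`, plus a compile-time guard such as `BUILD_BUG_ON(!is_power_of_2(P2M_PER_PAGE));` near the top of alloc_p2m would make the assumption visible and enforced. alloc_p2m starts and continues outside the hunk.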
--- /dev/null
+From 85e40b0539b24518c8bdf63e2605c8522377d00f Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Thu, 26 Feb 2015 06:52:05 +0100
+Subject: xen/events: avoid NULL pointer dereference in dom0 on large machines
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 85e40b0539b24518c8bdf63e2605c8522377d00f upstream.
+
+Using the pvops kernel a NULL pointer dereference was detected on a
+large machine (144 processors) when booting as dom0 in
+evtchn_fifo_unmask() during assignment of a pirq.
+
+The event channel in question was the first to need a new entry in
+event_array[] in events_fifo.c. Unfortunately xen_irq_info_pirq_setup()
+is called with evtchn being 0 for a new pirq and the real event channel
+number is assigned to the pirq only during __startup_pirq().
+
+It is mandatory to call xen_evtchn_port_setup() after assigning the
+event channel number to the pirq to make sure all memory needed for the
+event channel is allocated.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/events/events_base.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -526,20 +526,26 @@ static unsigned int __startup_pirq(unsig
+ pirq_query_unmask(irq);
+
+ rc = set_evtchn_to_irq(evtchn, irq);
+- if (rc != 0) {
+- pr_err("irq%d: Failed to set port to irq mapping (%d)\n",
+- irq, rc);
+- xen_evtchn_close(evtchn);
+- return 0;
+- }
++ if (rc)
++ goto err;
++
+ bind_evtchn_to_cpu(evtchn, 0);
+ info->evtchn = evtchn;
+
++ rc = xen_evtchn_port_setup(info);
++ if (rc)
++ goto err;
++
+ out:
+ unmask_evtchn(evtchn);
+ eoi_pirq(irq_get_irq_data(irq));
+
+ return 0;
++
++err:
++ pr_err("irq%d: Failed to set port to irq mapping (%d)\n", irq, rc);
++ xen_evtchn_close(evtchn);
++ return 0;
+ }
+
+ static unsigned int startup_pirq(struct irq_data *data)
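Review bot: The `err:` label now serves two failure sites but its message still says "Failed to set port to irq mapping", so a failing `xen_evtchn_port_setup()` is reported as a mapping failure; make the text cover both, e.g. `pr_err("irq%d: Failed to set up event channel (%d)\n", irq, rc);`. The second `goto err` is also taken after `set_evtchn_to_irq()` succeeded and `info->evtchn` was assigned, while the error path only closes the channel; unless `xen_evtchn_close()` also clears the port-to-irq mapping and the info field (not visible here), a stale mapping to a closed port survives the failure. If it does not, undo both before closing, e.g. `set_evtchn_to_irq(evtchn, -1); info->evtchn = 0;` ahead of `xen_evtchn_close(evtchn);`, which presumably mirrors the shutdown path. __startup_pirq starts outside the hunk.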
--- /dev/null
+From af6fc858a35b90e89ea7a7ee58e66628c55c776b Mon Sep 17 00:00:00 2001
+From: Jan Beulich <JBeulich@suse.com>
+Date: Wed, 11 Mar 2015 13:51:17 +0000
+Subject: xen-pciback: limit guest control of command register
+
+From: Jan Beulich <JBeulich@suse.com>
+
+commit af6fc858a35b90e89ea7a7ee58e66628c55c776b upstream.
+
+Otherwise the guest can abuse that control to cause e.g. PCIe
+Unsupported Request responses by disabling memory and/or I/O decoding
+and subsequently causing (CPU side) accesses to the respective address
+ranges, which (depending on system configuration) may be fatal to the
+host.
+
+Note that to alter any of the bits collected together as
+PCI_COMMAND_GUEST permissive mode is now required to be enabled
+globally or on the specific device.
+
+This is CVE-2015-2150 / XSA-120.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xen-pciback/conf_space.c | 2
+ drivers/xen/xen-pciback/conf_space.h | 2
+ drivers/xen/xen-pciback/conf_space_header.c | 59 ++++++++++++++++++++++------
+ 3 files changed, 50 insertions(+), 13 deletions(-)
+
+--- a/drivers/xen/xen-pciback/conf_space.c
++++ b/drivers/xen/xen-pciback/conf_space.c
+@@ -16,7 +16,7 @@
+ #include "conf_space.h"
+ #include "conf_space_quirks.h"
+
+-static bool permissive;
++bool permissive;
+ module_param(permissive, bool, 0644);
+
+ /* This is where xen_pcibk_read_config_byte, xen_pcibk_read_config_word,
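Review bot: `permissive` becomes a module-wide global with a very generic name; now that it is declared in conf_space.h and used from conf_space_header.c, a prefixed name such as `xen_pcibk_permissive` would avoid clashes and match the `xen_pcibk_` prefix the file already uses for its exported functions. The user-visible parameter name can stay the same via `module_param_named(permissive, xen_pcibk_permissive, bool, 0644);`. The same applies to the `extern` line in the conf_space.h hunk and to the check in command_write.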
+--- a/drivers/xen/xen-pciback/conf_space.h
++++ b/drivers/xen/xen-pciback/conf_space.h
+@@ -64,6 +64,8 @@ struct config_field_entry {
+ void *data;
+ };
+
++extern bool permissive;
++
+ #define OFFSET(cfg_entry) ((cfg_entry)->base_offset+(cfg_entry)->field->offset)
+
+ /* Add fields to a device - the add_fields macro expects to get a pointer to
+--- a/drivers/xen/xen-pciback/conf_space_header.c
++++ b/drivers/xen/xen-pciback/conf_space_header.c
+@@ -11,6 +11,10 @@
+ #include "pciback.h"
+ #include "conf_space.h"
+
++struct pci_cmd_info {
++ u16 val;
++};
++
+ struct pci_bar_info {
+ u32 val;
+ u32 len_val;
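Review bot: `struct pci_cmd_info` carries no comment, and the meaning of `val` is only recoverable from the read and write handlers further down in the file. A one-line comment on the struct, e.g. `/* Command word as last written by the guest (or read at init); command_read() reports the bits the guest may not control from here. */`, would let a reader understand the field without tracing both handlers.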
+@@ -20,22 +24,36 @@ struct pci_bar_info {
+ #define is_enable_cmd(value) ((value)&(PCI_COMMAND_MEMORY|PCI_COMMAND_IO))
+ #define is_master_cmd(value) ((value)&PCI_COMMAND_MASTER)
+
+-static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data)
++/* Bits guests are allowed to control in permissive mode. */
++#define PCI_COMMAND_GUEST (PCI_COMMAND_MASTER|PCI_COMMAND_SPECIAL| \
++ PCI_COMMAND_INVALIDATE|PCI_COMMAND_VGA_PALETTE| \
++ PCI_COMMAND_WAIT|PCI_COMMAND_FAST_BACK)
++
++static void *command_init(struct pci_dev *dev, int offset)
+ {
+- int i;
+- int ret;
++ struct pci_cmd_info *cmd = kmalloc(sizeof(*cmd), GFP_KERNEL);
++ int err;
+
+- ret = xen_pcibk_read_config_word(dev, offset, value, data);
+- if (!pci_is_enabled(dev))
+- return ret;
+-
+- for (i = 0; i < PCI_ROM_RESOURCE; i++) {
+- if (dev->resource[i].flags & IORESOURCE_IO)
+- *value |= PCI_COMMAND_IO;
+- if (dev->resource[i].flags & IORESOURCE_MEM)
+- *value |= PCI_COMMAND_MEMORY;
++ if (!cmd)
++ return ERR_PTR(-ENOMEM);
++
++ err = pci_read_config_word(dev, PCI_COMMAND, &cmd->val);
++ if (err) {
++ kfree(cmd);
++ return ERR_PTR(err);
+ }
+
++ return cmd;
++}
++
++static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data)
++{
++ int ret = pci_read_config_word(dev, offset, value);
++ const struct pci_cmd_info *cmd = data;
++
++ *value &= PCI_COMMAND_GUEST;
++ *value |= cmd->val & ~PCI_COMMAND_GUEST;
++
+ return ret;
+ }
+
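Review bot: command_read masks and merges `*value` even when `pci_read_config_word()` failed, so on an error the merged result is built from whatever the failed read left in `*value`; an early `if (ret) return ret;` between the read and the masking would keep the error path from touching the output. Separately, command_init reads `PCI_COMMAND` while the sibling handlers use their `offset` parameter; both are the same here because the field is registered with `.offset = PCI_COMMAND`, but using `offset` in command_init too would keep the three handlers uniform.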
+@@ -43,6 +61,8 @@ static int command_write(struct pci_dev
+ {
+ struct xen_pcibk_dev_data *dev_data;
+ int err;
++ u16 val;
++ struct pci_cmd_info *cmd = data;
+
+ dev_data = pci_get_drvdata(dev);
+ if (!pci_is_enabled(dev) && is_enable_cmd(value)) {
+@@ -83,6 +103,19 @@ static int command_write(struct pci_dev
+ }
+ }
+
++ cmd->val = value;
++
++ if (!permissive && (!dev_data || !dev_data->permissive))
++ return 0;
++
++ /* Only allow the guest to control certain bits. */
++ err = pci_read_config_word(dev, offset, &val);
++ if (err || val == value)
++ return err;
++
++ value &= PCI_COMMAND_GUEST;
++ value |= val & ~PCI_COMMAND_GUEST;
++
+ return pci_write_config_word(dev, offset, value);
+ }
+
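Review bot: `cmd->val = value;` is recorded before the permissive check, so command_read will hand back the non-guest-controllable bits exactly as the guest wrote them even though, in the non-permissive case, the hardware command word is never written here (the enable/master handling above the hunk still runs). That is presumably the intended emulation, but it deserves a comment at that line, e.g. `/* Remember the guest's view; command_read() reports the bits outside PCI_COMMAND_GUEST from this copy, not from hardware. */`. The existing comment `Only allow the guest to control certain bits.` covers only the permissive path; the `return 0;` above it should say what the default path does, e.g. `return 0; /* not permissive: never write the guest's value through */`. command_write starts outside the hunk.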
+@@ -282,6 +315,8 @@ static const struct config_field header_
+ {
+ .offset = PCI_COMMAND,
+ .size = 2,
++ .init = command_init,
++ .release = bar_release,
+ .u.w.read = command_read,
+ .u.w.write = command_write,
+ },
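Review bot: `.release = bar_release` pairs the new command_init with the BAR field's release callback, which presumably only frees `data` (its body is not visible here); the pairing works, but a reader has to check bar_release to confirm that it does nothing BAR-specific to the `struct pci_cmd_info`. A dedicated `command_release`, or a generically named shared helper, would make the init/release pair self-evident next to `.init = command_init`.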