4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 11 Aug 2017 21:07:54 +0000 (14:07 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 11 Aug 2017 21:07:54 +0000 (14:07 -0700)
added patches:
kvm-arm-arm64-handle-hva-aging-while-destroying-the-vm.patch
mm-mempool-avoid-kasan-marking-mempool-poison-checks-as-use-after-free.patch

queue-4.4/kvm-arm-arm64-handle-hva-aging-while-destroying-the-vm.patch [new file with mode: 0644]
queue-4.4/mm-mempool-avoid-kasan-marking-mempool-poison-checks-as-use-after-free.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/kvm-arm-arm64-handle-hva-aging-while-destroying-the-vm.patch b/queue-4.4/kvm-arm-arm64-handle-hva-aging-while-destroying-the-vm.patch
new file mode 100644 (file)
index 0000000..922a2bc
--- /dev/null
@@ -0,0 +1,46 @@
+From 7e5a672289c9754d07e1c3b33649786d3d70f5e4 Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <Suzuki.Poulose@arm.com>
+Date: Wed, 5 Jul 2017 09:57:00 +0100
+Subject: KVM: arm/arm64: Handle hva aging while destroying the vm
+
+From: Suzuki K Poulose <Suzuki.Poulose@arm.com>
+
+commit 7e5a672289c9754d07e1c3b33649786d3d70f5e4 upstream.
+
+The mmu_notifier_release() callback of KVM triggers cleaning up
+the stage2 page table on kvm-arm. However there could be other
+notifier callbacks in parallel with the mmu_notifier_release(),
+which could cause the call backs ending up in an empty stage2
+page table. Make sure we check it for all the notifier callbacks.
+
+Fixes: commit 293f29363 ("kvm-arm: Unmap shadow pagetables properly")
+Reported-by: Alex Graf <agraf@suse.de>
+Reviewed-by: Christoffer Dall <cdall@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ arch/arm/kvm/mmu.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -1629,12 +1629,16 @@ static int kvm_test_age_hva_handler(stru
+ int kvm_age_hva(struct kvm *kvm, unsigned long start, unsigned long end)
+ {
++      if (!kvm->arch.pgd)
++              return 0;
+       trace_kvm_age_hva(start, end);
+       return handle_hva_to_gpa(kvm, start, end, kvm_age_hva_handler, NULL);
+ }
+ int kvm_test_age_hva(struct kvm *kvm, unsigned long hva)
+ {
++      if (!kvm->arch.pgd)
++              return 0;
+       trace_kvm_test_age_hva(hva);
+       return handle_hva_to_gpa(kvm, hva, hva, kvm_test_age_hva_handler, NULL);
+ }
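Review bot: The new `if (!kvm->arch.pgd) return 0;` guards in kvm_age_hva() and kvm_test_age_hva() carry no comment explaining why a NULL pgd is an expected state here rather than a bug, so a later reader may be tempted to turn the silent return into a warning; I would add `/* VM teardown has already freed the stage2 tables; nothing left to age. */` above each check. As far as the hunk shows the test is made without holding kvm->mmu_lock, so whether a teardown that clears the pgd between the check and handle_hva_to_gpa() is excluded depends on how kvm_free_stage2_pgd() orders its unmap and the pgd clear, which lies outside this hunk and deserves a sentence in the same comment. The early return also precedes trace_kvm_age_hva()/trace_kvm_test_age_hva(), so aging requests dropped during teardown leave no tracepoint record; if that visibility is wanted, placing the check after the trace call would be behaviour-neutral. Both function bodies are complete within the hunk; kvm_test_age_hva_handler named in the hunk header is not.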
diff --git a/queue-4.4/mm-mempool-avoid-kasan-marking-mempool-poison-checks-as-use-after-free.patch b/queue-4.4/mm-mempool-avoid-kasan-marking-mempool-poison-checks-as-use-after-free.patch
new file mode 100644 (file)
index 0000000..b388281
--- /dev/null
@@ -0,0 +1,37 @@
+From 7640131032db9118a78af715ac77ba2debeeb17c Mon Sep 17 00:00:00 2001
+From: Matthew Dawson <matthew@mjdsystems.ca>
+Date: Fri, 11 Mar 2016 13:08:07 -0800
+Subject: mm/mempool: avoid KASAN marking mempool poison checks as use-after-free
+
+From: Matthew Dawson <matthew@mjdsystems.ca>
+
+commit 7640131032db9118a78af715ac77ba2debeeb17c upstream.
+
+When removing an element from the mempool, mark it as unpoisoned in KASAN
+before verifying its contents for SLUB/SLAB debugging.  Otherwise KASAN
+will flag the reads checking the element use-after-free writes as
+use-after-free reads.
+
+Signed-off-by: Matthew Dawson <matthew@mjdsystems.ca>
+Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Andrii Bordunov <aborduno@cisco.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mempool.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/mempool.c
++++ b/mm/mempool.c
+@@ -135,8 +135,8 @@ static void *remove_element(mempool_t *p
+       void *element = pool->elements[--pool->curr_nr];
+       BUG_ON(pool->curr_nr < 0);
+-      check_element(pool, element);
+       kasan_unpoison_element(pool, element);
++      check_element(pool, element);
+       return element;
+ }
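Review bot: The swapped order of kasan_unpoison_element() and check_element() in remove_element() encodes an ordering dependency that nothing in the code states, so a future cleanup could reorder the two calls back; I would add `/* Unpoison first: check_element() reads the poison bytes, which KASAN would otherwise report as a use-after-free. */` above kasan_unpoison_element(). The mirror path that poisons an element on add presumably needs the opposite order (write the poison pattern, then poison in KASAN), which this hunk does not show and is worth confirming for consistency. remove_element() begins above the hunk; only its tail is visible here.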
index 7e68bf407528bbf21a0134179bfdaba9ed6477f8..f562cf29497257788a4d091c6857289564b5421c 100644 (file)
@@ -9,3 +9,5 @@ revert-net-account-for-current-skb-length-when-deciding-about-ufo.patch
 revert-ipv4-should-use-consistent-conditional-judgement-for-ip-fragment-in-__ip_append_data-and-ip_finish_output.patch
 udp-consistently-apply-ufo-or-fragmentation.patch
 sparc64-prevent-perf-from-running-during-super-critical-sections.patch
+kvm-arm-arm64-handle-hva-aging-while-destroying-the-vm.patch
+mm-mempool-avoid-kasan-marking-mempool-poison-checks-as-use-after-free.patch