--- /dev/null
+From 5e9e38d0db1d29efed1dd4cf9a70115d33521be7 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Mon, 14 Jan 2019 14:07:19 -0800
+Subject: acpi/nfit: Block function zero DSMs
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 5e9e38d0db1d29efed1dd4cf9a70115d33521be7 upstream.
+
+In preparation for using function number 0 as an error value, prevent it
+from being considered a valid function value by acpi_nfit_ctl().
+
+Cc: <stable@vger.kernel.org>
+Cc: stuart hayes <stuart.w.hayes@gmail.com>
+Fixes: e02fb7264d8a ("nfit: add Microsoft NVDIMM DSM command set...")
+Reported-by: Jeff Moyer <jmoyer@redhat.com>
+Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/nfit/core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -1844,6 +1844,13 @@ static int acpi_nfit_add_dimm(struct acp
+ return 0;
+ }
+
++ /*
++ * Function 0 is the command interrogation function, don't
++ * export it to potential userspace use, and enable it to be
++ * used as an error value in acpi_nfit_ctl().
++ */
++ dsm_mask &= ~1UL;
++
+ guid = to_nfit_uuid(nfit_mem->family);
+ for_each_set_bit(i, &dsm_mask, BITS_PER_LONG)
+ if (acpi_check_dsm(adev_dimm->handle, guid,
--- /dev/null
+From 11189c1089da413aa4b5fd6be4c4d47c78968819 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Sat, 19 Jan 2019 10:55:04 -0800
+Subject: acpi/nfit: Fix command-supported detection
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 11189c1089da413aa4b5fd6be4c4d47c78968819 upstream.
+
+The _DSM function number validation only happens to succeed when the
+generic Linux command number translation corresponds with a
+DSM-family-specific function number. This breaks NVDIMM-N
+implementations that correctly implement _LSR, _LSW, and _LSI, but do
+not happen to publish support for DSM function numbers 4, 5, and 6.
+
+Recall that the support for _LS{I,R,W} family of methods results in the
+DIMM being marked as supporting those command numbers at
+acpi_nfit_register_dimms() time. The DSM function mask is only used for
+ND_CMD_CALL support of non-NVDIMM_FAMILY_INTEL devices.
+
+Fixes: 31eca76ba2fc ("nfit, libnvdimm: limited/whitelisted dimm command...")
+Cc: <stable@vger.kernel.org>
+Link: https://github.com/pmem/ndctl/issues/78
+Reported-by: Sujith Pandel <sujith_pandel@dell.com>
+Tested-by: Sujith Pandel <sujith_pandel@dell.com>
+Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
+Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/nfit/core.c | 54 ++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 40 insertions(+), 14 deletions(-)
+
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -394,6 +394,32 @@ static u8 nfit_dsm_revid(unsigned family
+ return id;
+ }
+
++static int cmd_to_func(struct nfit_mem *nfit_mem, unsigned int cmd,
++ struct nd_cmd_pkg *call_pkg)
++{
++ if (call_pkg) {
++ int i;
++
++ if (nfit_mem->family != call_pkg->nd_family)
++ return -ENOTTY;
++
++ for (i = 0; i < ARRAY_SIZE(call_pkg->nd_reserved2); i++)
++ if (call_pkg->nd_reserved2[i])
++ return -EINVAL;
++ return call_pkg->nd_command;
++ }
++
++ /* Linux ND commands == NVDIMM_FAMILY_INTEL function numbers */
++ if (nfit_mem->family == NVDIMM_FAMILY_INTEL)
++ return cmd;
++
++ /*
++ * Force function number validation to fail since 0 is never
++ * published as a valid function in dsm_mask.
++ */
++ return 0;
++}
++
+ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
+ unsigned int cmd, void *buf, unsigned int buf_len, int *cmd_rc)
+ {
+@@ -407,30 +433,23 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc
+ unsigned long cmd_mask, dsm_mask;
+ u32 offset, fw_status = 0;
+ acpi_handle handle;
+- unsigned int func;
+ const guid_t *guid;
+- int rc, i;
++ int func, rc, i;
+
+ if (cmd_rc)
+ *cmd_rc = -EINVAL;
+- func = cmd;
+- if (cmd == ND_CMD_CALL) {
+- call_pkg = buf;
+- func = call_pkg->nd_command;
+-
+- for (i = 0; i < ARRAY_SIZE(call_pkg->nd_reserved2); i++)
+- if (call_pkg->nd_reserved2[i])
+- return -EINVAL;
+- }
+
+ if (nvdimm) {
+ struct acpi_device *adev = nfit_mem->adev;
+
+ if (!adev)
+ return -ENOTTY;
+- if (call_pkg && nfit_mem->family != call_pkg->nd_family)
+- return -ENOTTY;
+
++ if (cmd == ND_CMD_CALL)
++ call_pkg = buf;
++ func = cmd_to_func(nfit_mem, cmd, call_pkg);
++ if (func < 0)
++ return func;
+ dimm_name = nvdimm_name(nvdimm);
+ cmd_name = nvdimm_cmd_name(cmd);
+ cmd_mask = nvdimm_cmd_mask(nvdimm);
+@@ -441,6 +460,7 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc
+ } else {
+ struct acpi_device *adev = to_acpi_dev(acpi_desc);
+
++ func = cmd;
+ cmd_name = nvdimm_bus_cmd_name(cmd);
+ cmd_mask = nd_desc->cmd_mask;
+ dsm_mask = cmd_mask;
+@@ -455,7 +475,13 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc
+ if (!desc || (cmd && (desc->out_num + desc->in_num == 0)))
+ return -ENOTTY;
+
+- if (!test_bit(cmd, &cmd_mask) || !test_bit(func, &dsm_mask))
++ /*
++ * Check for a valid command. For ND_CMD_CALL, we also have to
++ * make sure that the DSM function is supported.
++ */
++ if (cmd == ND_CMD_CALL && !test_bit(func, &dsm_mask))
++ return -ENOTTY;
++ else if (!test_bit(cmd, &cmd_mask))
+ return -ENOTTY;
+
+ in_obj.type = ACPI_TYPE_PACKAGE;
--- /dev/null
+From 1856b9f7bcc8e9bdcccc360aabb56fbd4dd6c565 Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Wed, 9 Jan 2019 11:57:14 +0100
+Subject: dm crypt: fix parsing of extended IV arguments
+
+From: Milan Broz <gmazyland@gmail.com>
+
+commit 1856b9f7bcc8e9bdcccc360aabb56fbd4dd6c565 upstream.
+
+The dm-crypt cipher specification in a mapping table is defined as:
+ cipher[:keycount]-chainmode-ivmode[:ivopts]
+or (new crypt API format):
+ capi:cipher_api_spec-ivmode[:ivopts]
+
+For ESSIV, the parameter includes hash specification, for example:
+aes-cbc-essiv:sha256
+
+The implementation expected that additional IV option to never include
+another dash '-' character.
+
+But, with SHA3, there are names like sha3-256; so the mapping table
+parser fails:
+
+dmsetup create test --table "0 8 crypt aes-cbc-essiv:sha3-256 9c1185a5c5e9fc54612808977ee8f5b9e 0 /dev/sdb 0"
+ or (new crypt API format)
+dmsetup create test --table "0 8 crypt capi:cbc(aes)-essiv:sha3-256 9c1185a5c5e9fc54612808977ee8f5b9e 0 /dev/sdb 0"
+
+ device-mapper: crypt: Ignoring unexpected additional cipher options
+ device-mapper: table: 253:0: crypt: Error creating IV
+ device-mapper: ioctl: error adding target to table
+
+Fix the dm-crypt constructor to ignore additional dash in IV options and
+also remove a bogus warning (that is ignored anyway).
+
+Cc: stable@vger.kernel.org # 4.12+
+Signed-off-by: Milan Broz <gmazyland@gmail.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-crypt.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -2405,9 +2405,21 @@ static int crypt_ctr_cipher_new(struct d
+ * capi:cipher_api_spec-iv:ivopts
+ */
+ tmp = &cipher_in[strlen("capi:")];
+- cipher_api = strsep(&tmp, "-");
+- *ivmode = strsep(&tmp, ":");
+- *ivopts = tmp;
++
++ /* Separate IV options if present, it can contain another '-' in hash name */
++ *ivopts = strrchr(tmp, ':');
++ if (*ivopts) {
++ **ivopts = '\0';
++ (*ivopts)++;
++ }
++ /* Parse IV mode */
++ *ivmode = strrchr(tmp, '-');
++ if (*ivmode) {
++ **ivmode = '\0';
++ (*ivmode)++;
++ }
++ /* The rest is crypto API spec */
++ cipher_api = tmp;
+
+ if (*ivmode && !strcmp(*ivmode, "lmk"))
+ cc->tfms_count = 64;
+@@ -2477,11 +2489,8 @@ static int crypt_ctr_cipher_old(struct d
+ goto bad_mem;
+
+ chainmode = strsep(&tmp, "-");
+- *ivopts = strsep(&tmp, "-");
+- *ivmode = strsep(&*ivopts, ":");
+-
+- if (tmp)
+- DMWARN("Ignoring unexpected additional cipher options");
++ *ivmode = strsep(&tmp, ":");
++ *ivopts = tmp;
+
+ /*
+ * For compatibility with the original dm-crypt mapping format, if
--- /dev/null
+From d445bd9cec1a850c2100fcf53684c13b3fd934f2 Mon Sep 17 00:00:00 2001
+From: Joe Thornber <ejt@redhat.com>
+Date: Tue, 15 Jan 2019 13:27:01 -0500
+Subject: dm thin: fix passdown_double_checking_shared_status()
+
+From: Joe Thornber <ejt@redhat.com>
+
+commit d445bd9cec1a850c2100fcf53684c13b3fd934f2 upstream.
+
+Commit 00a0ea33b495 ("dm thin: do not queue freed thin mapping for next
+stage processing") changed process_prepared_discard_passdown_pt1() to
+increment all the blocks being discarded until after the passdown had
+completed to avoid them being prematurely reused.
+
+IO issued to a thin device that breaks sharing with a snapshot, followed
+by a discard issued to snapshot(s) that previously shared the block(s),
+results in passdown_double_checking_shared_status() being called to
+iterate through the blocks double checking their reference count is zero
+and issuing the passdown if so. So a side effect of commit 00a0ea33b495
+is passdown_double_checking_shared_status() was broken.
+
+Fix this by checking if the block reference count is greater than 1.
+Also, rename dm_pool_block_is_used() to dm_pool_block_is_shared().
+
+Fixes: 00a0ea33b495 ("dm thin: do not queue freed thin mapping for next stage processing")
+Cc: stable@vger.kernel.org # 4.9+
+Reported-by: ryan.p.norwood@gmail.com
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-thin-metadata.c | 4 ++--
+ drivers/md/dm-thin-metadata.h | 2 +-
+ drivers/md/dm-thin.c | 10 +++++-----
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/md/dm-thin-metadata.c
++++ b/drivers/md/dm-thin-metadata.c
+@@ -1678,7 +1678,7 @@ int dm_thin_remove_range(struct dm_thin_
+ return r;
+ }
+
+-int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *result)
++int dm_pool_block_is_shared(struct dm_pool_metadata *pmd, dm_block_t b, bool *result)
+ {
+ int r;
+ uint32_t ref_count;
+@@ -1686,7 +1686,7 @@ int dm_pool_block_is_used(struct dm_pool
+ down_read(&pmd->root_lock);
+ r = dm_sm_get_count(pmd->data_sm, b, &ref_count);
+ if (!r)
+- *result = (ref_count != 0);
++ *result = (ref_count > 1);
+ up_read(&pmd->root_lock);
+
+ return r;
+--- a/drivers/md/dm-thin-metadata.h
++++ b/drivers/md/dm-thin-metadata.h
+@@ -195,7 +195,7 @@ int dm_pool_get_metadata_dev_size(struct
+
+ int dm_pool_get_data_dev_size(struct dm_pool_metadata *pmd, dm_block_t *result);
+
+-int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *result);
++int dm_pool_block_is_shared(struct dm_pool_metadata *pmd, dm_block_t b, bool *result);
+
+ int dm_pool_inc_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e);
+ int dm_pool_dec_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e);
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -1048,7 +1048,7 @@ static void passdown_double_checking_sha
+ * passdown we have to check that these blocks are now unused.
+ */
+ int r = 0;
+- bool used = true;
++ bool shared = true;
+ struct thin_c *tc = m->tc;
+ struct pool *pool = tc->pool;
+ dm_block_t b = m->data_block, e, end = m->data_block + m->virt_end - m->virt_begin;
+@@ -1058,11 +1058,11 @@ static void passdown_double_checking_sha
+ while (b != end) {
+ /* find start of unmapped run */
+ for (; b < end; b++) {
+- r = dm_pool_block_is_used(pool->pmd, b, &used);
++ r = dm_pool_block_is_shared(pool->pmd, b, &shared);
+ if (r)
+ goto out;
+
+- if (!used)
++ if (!shared)
+ break;
+ }
+
+@@ -1071,11 +1071,11 @@ static void passdown_double_checking_sha
+
+ /* find end of run */
+ for (e = b + 1; e != end; e++) {
+- r = dm_pool_block_is_used(pool->pmd, e, &used);
++ r = dm_pool_block_is_shared(pool->pmd, e, &shared);
+ if (r)
+ goto out;
+
+- if (used)
++ if (shared)
+ break;
+ }
+
--- /dev/null
+From f15f3eb26e8d9d25ea2330ed1273473df2f039df Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Tue, 15 Jan 2019 12:09:09 -0500
+Subject: drm/amdgpu: Add APTX quirk for Lenovo laptop
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit f15f3eb26e8d9d25ea2330ed1273473df2f039df upstream.
+
+Needs ATPX rather than _PR3 for dGPU power control.
+
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=202263
+Reviewed-by: Jim Qu <Jim.Qu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c
+@@ -576,6 +576,7 @@ static const struct amdgpu_px_quirk amdg
+ { 0x1002, 0x6900, 0x1028, 0x0812, AMDGPU_PX_QUIRK_FORCE_ATPX },
+ { 0x1002, 0x6900, 0x1028, 0x0813, AMDGPU_PX_QUIRK_FORCE_ATPX },
+ { 0x1002, 0x6900, 0x1025, 0x125A, AMDGPU_PX_QUIRK_FORCE_ATPX },
++ { 0x1002, 0x6900, 0x17AA, 0x3806, AMDGPU_PX_QUIRK_FORCE_ATPX },
+ { 0, 0, 0, 0, 0 },
+ };
+
--- /dev/null
+From 245b6c6558128327d330549b23d09594c46f58df Mon Sep 17 00:00:00 2001
+From: Thor Thayer <thor.thayer@linux.intel.com>
+Date: Tue, 22 Jan 2019 11:48:04 -0600
+Subject: EDAC, altera: Fix S10 persistent register offset
+
+From: Thor Thayer <thor.thayer@linux.intel.com>
+
+commit 245b6c6558128327d330549b23d09594c46f58df upstream.
+
+Correct the persistent register offset where address and status are
+stored.
+
+Fixes: 08f08bfb7b4c ("EDAC, altera: Merge Stratix10 into the Arria10 SDRAM probe routine")
+Signed-off-by: Thor Thayer <thor.thayer@linux.intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: James Morse <james.morse@arm.com>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: devicetree@vger.kernel.org
+Cc: dinguyen@kernel.org
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: mark.rutland@arm.com
+Cc: robh+dt@kernel.org
+Cc: stable <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/1548179287-21760-2-git-send-email-thor.thayer@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/altera_edac.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/edac/altera_edac.h
++++ b/drivers/edac/altera_edac.h
+@@ -295,8 +295,8 @@ struct altr_sdram_mc_data {
+ #define S10_SYSMGR_ECC_INTSTAT_DERR_OFST 0xA0
+
+ /* Sticky registers for Uncorrected Errors */
+-#define S10_SYSMGR_UE_VAL_OFST 0x120
+-#define S10_SYSMGR_UE_ADDR_OFST 0x124
++#define S10_SYSMGR_UE_VAL_OFST 0x220
++#define S10_SYSMGR_UE_ADDR_OFST 0x224
+
+ #define S10_DDR0_IRQ_MASK BIT(16)
+
--- /dev/null
+From 2e746942ebacf1565caa72cf980745e5ce297c48 Mon Sep 17 00:00:00 2001
+From: Deepa Dinamani <deepa.kernel@gmail.com>
+Date: Sun, 13 Jan 2019 22:28:05 -0800
+Subject: Input: input_event - provide override for sparc64
+
+From: Deepa Dinamani <deepa.kernel@gmail.com>
+
+commit 2e746942ebacf1565caa72cf980745e5ce297c48 upstream.
+
+The usec part of the timeval is defined as
+__kernel_suseconds_t tv_usec; /* microseconds */
+
+Arnd noticed that sparc64 is the only architecture that defines
+__kernel_suseconds_t as int rather than long.
+
+This breaks the current y2038 fix for kernel as we only access and define
+the timeval struct for non-kernel use cases. But, this was hidden by an
+another typo in the use of __KERNEL__ qualifier.
+
+Fix the typo, and provide an override for sparc64.
+
+Fixes: 152194fe9c3f ("Input: extend usable life of event timestamps to 2106 on 32 bit systems")
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Deepa Dinamani <deepa.kernel@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/uapi/linux/input.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/include/uapi/linux/input.h
++++ b/include/uapi/linux/input.h
+@@ -26,13 +26,17 @@
+ */
+
+ struct input_event {
+-#if (__BITS_PER_LONG != 32 || !defined(__USE_TIME_BITS64)) && !defined(__KERNEL)
++#if (__BITS_PER_LONG != 32 || !defined(__USE_TIME_BITS64)) && !defined(__KERNEL__)
+ struct timeval time;
+ #define input_event_sec time.tv_sec
+ #define input_event_usec time.tv_usec
+ #else
+ __kernel_ulong_t __sec;
++#ifdef CONFIG_SPARC64
++ unsigned int __usec;
++#else
+ __kernel_ulong_t __usec;
++#endif
+ #define input_event_sec __sec
+ #define input_event_usec __usec
+ #endif
--- /dev/null
+From d77651a227f8920dd7ec179b84e400cce844eeb3 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 14 Jan 2019 13:54:55 -0800
+Subject: Input: uinput - fix undefined behavior in uinput_validate_absinfo()
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit d77651a227f8920dd7ec179b84e400cce844eeb3 upstream.
+
+An integer overflow may arise in uinput_validate_absinfo() if "max - min"
+can't be represented by an "int". We should check for overflow before
+trying to use the result.
+
+Reported-by: Kyungtae Kim <kt0755@gmail.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/uinput.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -39,6 +39,7 @@
+ #include <linux/init.h>
+ #include <linux/fs.h>
+ #include <linux/miscdevice.h>
++#include <linux/overflow.h>
+ #include <linux/input/mt.h>
+ #include "../input-compat.h"
+
+@@ -405,7 +406,7 @@ static int uinput_open(struct inode *ino
+ static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code,
+ const struct input_absinfo *abs)
+ {
+- int min, max;
++ int min, max, range;
+
+ min = abs->minimum;
+ max = abs->maximum;
+@@ -417,7 +418,7 @@ static int uinput_validate_absinfo(struc
+ return -EINVAL;
+ }
+
+- if (abs->flat > max - min) {
++ if (!check_sub_overflow(max, min, &range) && abs->flat > range) {
+ printk(KERN_DEBUG
+ "%s: abs_flat #%02x out of range: %d (min:%d/max:%d)\n",
+ UINPUT_NAME, code, abs->flat, min, max);
--- /dev/null
+From fe2bfd0d40c935763812973ce15f5764f1c12833 Mon Sep 17 00:00:00 2001
+From: Tom Panfil <tom@steelseries.com>
+Date: Fri, 11 Jan 2019 17:49:40 -0800
+Subject: Input: xpad - add support for SteelSeries Stratus Duo
+
+From: Tom Panfil <tom@steelseries.com>
+
+commit fe2bfd0d40c935763812973ce15f5764f1c12833 upstream.
+
+Add support for the SteelSeries Stratus Duo, a wireless Xbox 360
+controller. The Stratus Duo ships with a USB dongle to enable wireless
+connectivity, but it can also function as a wired controller by connecting
+it directly to a PC via USB, hence the need for two USD PIDs. 0x1430 is the
+dongle, and 0x1431 is the controller.
+
+Signed-off-by: Tom Panfil <tom@steelseries.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/joystick/xpad.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -252,6 +252,8 @@ static const struct xpad_device {
+ { 0x0f30, 0x0202, "Joytech Advanced Controller", 0, XTYPE_XBOX },
+ { 0x0f30, 0x8888, "BigBen XBMiniPad Controller", 0, XTYPE_XBOX },
+ { 0x102c, 0xff0c, "Joytech Wireless Advanced Controller", 0, XTYPE_XBOX },
++ { 0x1038, 0x1430, "SteelSeries Stratus Duo", 0, XTYPE_XBOX360 },
++ { 0x1038, 0x1431, "SteelSeries Stratus Duo", 0, XTYPE_XBOX360 },
+ { 0x11c9, 0x55f0, "Nacon GC-100XF", 0, XTYPE_XBOX360 },
+ { 0x12ab, 0x0004, "Honey Bee Xbox360 dancepad", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX360 },
+ { 0x12ab, 0x0301, "PDP AFTERGLOW AX.1", 0, XTYPE_XBOX360 },
+@@ -428,6 +430,7 @@ static const struct usb_device_id xpad_t
+ XPAD_XBOXONE_VENDOR(0x0e6f), /* 0x0e6f X-Box One controllers */
+ XPAD_XBOX360_VENDOR(0x0f0d), /* Hori Controllers */
+ XPAD_XBOXONE_VENDOR(0x0f0d), /* Hori Controllers */
++ XPAD_XBOX360_VENDOR(0x1038), /* SteelSeries Controllers */
+ XPAD_XBOX360_VENDOR(0x11c9), /* Nacon GC100XF */
+ XPAD_XBOX360_VENDOR(0x12ab), /* X-Box 360 dance pads */
+ XPAD_XBOX360_VENDOR(0x1430), /* RedOctane X-Box 360 controllers */
--- /dev/null
+From 1ed199a41c70ad7bfaee8b14f78e791fcf43b278 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Wed, 23 Jan 2019 09:22:39 -0800
+Subject: KVM: x86: Fix PV IPIs for 32-bit KVM host
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 1ed199a41c70ad7bfaee8b14f78e791fcf43b278 upstream.
+
+The recognition of the KVM_HC_SEND_IPI hypercall was unintentionally
+wrapped in "#ifdef CONFIG_X86_64", causing 32-bit KVM hosts to reject
+any and all PV IPI requests despite advertising the feature. This
+results in all KVM paravirtualized guests hanging during SMP boot due
+to IPIs never being delivered.
+
+Fixes: 4180bf1b655a ("KVM: X86: Implement "send IPI" hypercall")
+Cc: stable@vger.kernel.org
+Cc: Wanpeng Li <wanpengli@tencent.com>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6997,10 +6997,10 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ case KVM_HC_CLOCK_PAIRING:
+ ret = kvm_pv_clock_pairing(vcpu, a0, a1);
+ break;
++#endif
+ case KVM_HC_SEND_IPI:
+ ret = kvm_pv_send_ipi(vcpu->kvm, a0, a1, a2, a3, op_64_bit);
+ break;
+-#endif
+ default:
+ ret = -KVM_ENOSYS;
+ break;
--- /dev/null
+From 5cc244a20b86090c087073c124284381cdf47234 Mon Sep 17 00:00:00 2001
+From: Alexander Popov <alex.popov@linux.com>
+Date: Mon, 21 Jan 2019 15:48:40 +0300
+Subject: KVM: x86: Fix single-step debugging
+
+From: Alexander Popov <alex.popov@linux.com>
+
+commit 5cc244a20b86090c087073c124284381cdf47234 upstream.
+
+The single-step debugging of KVM guests on x86 is broken: if we run
+gdb 'stepi' command at the breakpoint when the guest interrupts are
+enabled, RIP always jumps to native_apic_mem_write(). Then other
+nasty effects follow.
+
+Long investigation showed that on Jun 7, 2017 the
+commit c8401dda2f0a00cd25c0 ("KVM: x86: fix singlestepping over syscall")
+introduced the kvm_run.debug corruption: kvm_vcpu_do_singlestep() can
+be called without X86_EFLAGS_TF set.
+
+Let's fix it. Please consider that for -stable.
+
+Signed-off-by: Alexander Popov <alex.popov@linux.com>
+Cc: stable@vger.kernel.org
+Fixes: c8401dda2f0a00cd25c0 ("KVM: x86: fix singlestepping over syscall")
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6407,8 +6407,7 @@ restart:
+ toggle_interruptibility(vcpu, ctxt->interruptibility);
+ vcpu->arch.emulate_regs_need_sync_to_vcpu = false;
+ kvm_rip_write(vcpu, ctxt->eip);
+- if (r == EMULATE_DONE &&
+- (ctxt->tf || (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP)))
++ if (r == EMULATE_DONE && ctxt->tf)
+ kvm_vcpu_do_singlestep(vcpu, &r);
+ if (!ctxt->have_exception ||
+ exception_type(ctxt->exception.vector) == EXCPT_TRAP)
--- /dev/null
+From 3a33d030daaa7c507e1c12d5adcf828248429593 Mon Sep 17 00:00:00 2001
+From: Tom Roeder <tmroeder@google.com>
+Date: Thu, 24 Jan 2019 13:48:20 -0800
+Subject: kvm: x86/vmx: Use kzalloc for cached_vmcs12
+
+From: Tom Roeder <tmroeder@google.com>
+
+commit 3a33d030daaa7c507e1c12d5adcf828248429593 upstream.
+
+This changes the allocation of cached_vmcs12 to use kzalloc instead of
+kmalloc. This removes the information leak found by Syzkaller (see
+Reported-by) in this case and prevents similar leaks from happening
+based on cached_vmcs12.
+
+It also changes vmx_get_nested_state to copy out the full 4k VMCS12_SIZE
+in copy_to_user rather than only the size of the struct.
+
+Tested: rebuilt against head, booted, and ran the syszkaller repro
+ https://syzkaller.appspot.com/text?tag=ReproC&x=174efca3400000 without
+ observing any problems.
+
+Reported-by: syzbot+ded1696f6b50b615b630@syzkaller.appspotmail.com
+Fixes: 8fcc4b5923af5de58b80b53a069453b135693304
+Cc: stable@vger.kernel.org
+Signed-off-by: Tom Roeder <tmroeder@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -8315,11 +8315,11 @@ static int enter_vmx_operation(struct kv
+ if (r < 0)
+ goto out_vmcs02;
+
+- vmx->nested.cached_vmcs12 = kmalloc(VMCS12_SIZE, GFP_KERNEL);
++ vmx->nested.cached_vmcs12 = kzalloc(VMCS12_SIZE, GFP_KERNEL);
+ if (!vmx->nested.cached_vmcs12)
+ goto out_cached_vmcs12;
+
+- vmx->nested.cached_shadow_vmcs12 = kmalloc(VMCS12_SIZE, GFP_KERNEL);
++ vmx->nested.cached_shadow_vmcs12 = kzalloc(VMCS12_SIZE, GFP_KERNEL);
+ if (!vmx->nested.cached_shadow_vmcs12)
+ goto out_cached_shadow_vmcs12;
+
+@@ -14853,13 +14853,17 @@ static int vmx_get_nested_state(struct k
+ copy_shadow_to_vmcs12(vmx);
+ }
+
+- if (copy_to_user(user_kvm_nested_state->data, vmcs12, sizeof(*vmcs12)))
++ /*
++ * Copy over the full allocated size of vmcs12 rather than just the size
++ * of the struct.
++ */
++ if (copy_to_user(user_kvm_nested_state->data, vmcs12, VMCS12_SIZE))
+ return -EFAULT;
+
+ if (nested_cpu_has_shadow_vmcs(vmcs12) &&
+ vmcs12->vmcs_link_pointer != -1ull) {
+ if (copy_to_user(user_kvm_nested_state->data + VMCS12_SIZE,
+- get_shadow_vmcs12(vcpu), sizeof(*vmcs12)))
++ get_shadow_vmcs12(vcpu), VMCS12_SIZE))
+ return -EFAULT;
+ }
+
--- /dev/null
+From de81c2f912ef57917bdc6d63b410c534c3e07982 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Wed, 23 Jan 2019 09:22:40 -0800
+Subject: KVM: x86: WARN_ONCE if sending a PV IPI returns a fatal error
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit de81c2f912ef57917bdc6d63b410c534c3e07982 upstream.
+
+KVM hypercalls return a negative value error code in case of a fatal
+error, e.g. when the hypercall isn't supported or was made with invalid
+parameters. WARN_ONCE on fatal errors when sending PV IPIs as any such
+error all but guarantees an SMP system will hang due to a missing IPI.
+
+Fixes: aaffcfd1e82d ("KVM: X86: Implement PV IPIs in linux guest")
+Cc: stable@vger.kernel.org
+Cc: Wanpeng Li <wanpengli@tencent.com>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/kvm.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/kvm.c
++++ b/arch/x86/kernel/kvm.c
+@@ -457,6 +457,7 @@ static void __send_ipi_mask(const struct
+ #else
+ u64 ipi_bitmap = 0;
+ #endif
++ long ret;
+
+ if (cpumask_empty(mask))
+ return;
+@@ -482,8 +483,9 @@ static void __send_ipi_mask(const struct
+ } else if (apic_id < min + KVM_IPI_CLUSTER_SIZE) {
+ max = apic_id < max ? max : apic_id;
+ } else {
+- kvm_hypercall4(KVM_HC_SEND_IPI, (unsigned long)ipi_bitmap,
++ ret = kvm_hypercall4(KVM_HC_SEND_IPI, (unsigned long)ipi_bitmap,
+ (unsigned long)(ipi_bitmap >> BITS_PER_LONG), min, icr);
++ WARN_ONCE(ret < 0, "KVM: failed to send PV IPI: %ld", ret);
+ min = max = apic_id;
+ ipi_bitmap = 0;
+ }
+@@ -491,8 +493,9 @@ static void __send_ipi_mask(const struct
+ }
+
+ if (ipi_bitmap) {
+- kvm_hypercall4(KVM_HC_SEND_IPI, (unsigned long)ipi_bitmap,
++ ret = kvm_hypercall4(KVM_HC_SEND_IPI, (unsigned long)ipi_bitmap,
+ (unsigned long)(ipi_bitmap >> BITS_PER_LONG), min, icr);
++ WARN_ONCE(ret < 0, "KVM: failed to send PV IPI: %ld", ret);
+ }
+
+ local_irq_restore(flags);
--- /dev/null
+From d67247566450cf89a693307c9bc9f05a32d96cea Mon Sep 17 00:00:00 2001
+From: Marc Gonzalez <marc.w.gonzalez@free.fr>
+Date: Tue, 22 Jan 2019 18:29:22 +0100
+Subject: scsi: ufs: Use explicit access size in ufshcd_dump_regs
+
+From: Marc Gonzalez <marc.w.gonzalez@free.fr>
+
+commit d67247566450cf89a693307c9bc9f05a32d96cea upstream.
+
+memcpy_fromio() doesn't provide any control over access size. For example,
+on arm64, it is implemented using readb and readq. This may trigger a
+synchronous external abort:
+
+[ 3.729943] Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP
+[ 3.737000] Modules linked in:
+[ 3.744371] CPU: 2 PID: 1 Comm: swapper/0 Tainted: G S 4.20.0-rc4 #16
+[ 3.747413] Hardware name: Qualcomm Technologies, Inc. MSM8998 v1 MTP (DT)
+[ 3.755295] pstate: 00000005 (nzcv daif -PAN -UAO)
+[ 3.761978] pc : __memcpy_fromio+0x68/0x80
+[ 3.766718] lr : ufshcd_dump_regs+0x50/0xb0
+[ 3.770767] sp : ffff00000807ba00
+[ 3.774830] x29: ffff00000807ba00 x28: 00000000fffffffb
+[ 3.778344] x27: ffff0000089db068 x26: ffff8000f6e58000
+[ 3.783728] x25: 000000000000000e x24: 0000000000000800
+[ 3.789023] x23: ffff8000f6e587c8 x22: 0000000000000800
+[ 3.794319] x21: ffff000008908368 x20: ffff8000f6e1ab80
+[ 3.799615] x19: 000000000000006c x18: ffffffffffffffff
+[ 3.804910] x17: 0000000000000000 x16: 0000000000000000
+[ 3.810206] x15: ffff000009199648 x14: ffff000089244187
+[ 3.815502] x13: ffff000009244195 x12: ffff0000091ab000
+[ 3.820797] x11: 0000000005f5e0ff x10: ffff0000091998a0
+[ 3.826093] x9 : 0000000000000000 x8 : ffff8000f6e1ac00
+[ 3.831389] x7 : 0000000000000000 x6 : 0000000000000068
+[ 3.836676] x5 : ffff8000f6e1abe8 x4 : 0000000000000000
+[ 3.841971] x3 : ffff00000928c868 x2 : ffff8000f6e1abec
+[ 3.847267] x1 : ffff00000928c868 x0 : ffff8000f6e1abe8
+[ 3.852567] Process swapper/0 (pid: 1, stack limit = 0x(____ptrval____))
+[ 3.857900] Call trace:
+[ 3.864473] __memcpy_fromio+0x68/0x80
+[ 3.866683] ufs_qcom_dump_dbg_regs+0x1c0/0x370
+[ 3.870522] ufshcd_print_host_regs+0x168/0x190
+[ 3.874946] ufshcd_init+0xd4c/0xde0
+[ 3.879459] ufshcd_pltfrm_init+0x3c8/0x550
+[ 3.883264] ufs_qcom_probe+0x24/0x60
+[ 3.887188] platform_drv_probe+0x50/0xa0
+
+Assuming aligned 32-bit registers, let's use readl, after making sure
+that 'offset' and 'len' are indeed multiples of 4.
+
+Fixes: ba80917d9932d ("scsi: ufs: ufshcd_dump_regs to use memcpy_fromio")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Marc Gonzalez <marc.w.gonzalez@free.fr>
+Acked-by: Tomas Winkler <tomas.winkler@intel.com>
+Reviewed-by: Jeffrey Hugo <jhugo@codeaurora.org>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Tested-by: Evan Green <evgreen@chromium.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ufs/ufshcd.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -110,13 +110,19 @@
+ int ufshcd_dump_regs(struct ufs_hba *hba, size_t offset, size_t len,
+ const char *prefix)
+ {
+- u8 *regs;
++ u32 *regs;
++ size_t pos;
++
++ if (offset % 4 != 0 || len % 4 != 0) /* keep readl happy */
++ return -EINVAL;
+
+ regs = kzalloc(len, GFP_KERNEL);
+ if (!regs)
+ return -ENOMEM;
+
+- memcpy_fromio(regs, hba->mmio_base + offset, len);
++ for (pos = 0; pos < len; pos += 4)
++ regs[pos / 4] = ufshcd_readl(hba, offset + pos);
++
+ ufshcd_hex_dump(prefix, regs, len);
+ kfree(regs);
+
cifs-fix-credit-calculation-for-encrypted-reads-with-errors.patch
cifs-do-not-reconnect-tcp-session-in-add_credits.patch
smb3-add-credits-we-receive-from-oplock-break-pdus.patch
+input-xpad-add-support-for-steelseries-stratus-duo.patch
+input-input_event-provide-override-for-sparc64.patch
+input-uinput-fix-undefined-behavior-in-uinput_validate_absinfo.patch
+acpi-nfit-block-function-zero-dsms.patch
+acpi-nfit-fix-command-supported-detection.patch
+scsi-ufs-use-explicit-access-size-in-ufshcd_dump_regs.patch
+dm-thin-fix-passdown_double_checking_shared_status.patch
+dm-crypt-fix-parsing-of-extended-iv-arguments.patch
+drm-amdgpu-add-aptx-quirk-for-lenovo-laptop.patch
+edac-altera-fix-s10-persistent-register-offset.patch
+kvm-x86-fix-single-step-debugging.patch
+kvm-x86-fix-pv-ipis-for-32-bit-kvm-host.patch
+kvm-x86-warn_once-if-sending-a-pv-ipi-returns-a-fatal-error.patch
+kvm-x86-vmx-use-kzalloc-for-cached_vmcs12.patch
+x86-pkeys-properly-copy-pkey-state-at-fork.patch
+x86-selftests-pkeys-fork-to-check-for-state-being-preserved.patch
+x86-kaslr-fix-incorrect-i8254-outb-parameters.patch
+x86-entry-64-compat-fix-stack-switching-for-xen-pv.patch
--- /dev/null
+From fc24d75a7f91837d7918e40719575951820b2b8f Mon Sep 17 00:00:00 2001
+From: Jan Beulich <JBeulich@suse.com>
+Date: Tue, 15 Jan 2019 09:58:16 -0700
+Subject: x86/entry/64/compat: Fix stack switching for XEN PV
+
+From: Jan Beulich <JBeulich@suse.com>
+
+commit fc24d75a7f91837d7918e40719575951820b2b8f upstream.
+
+While in the native case entry into the kernel happens on the trampoline
+stack, PV Xen kernels get entered with the current thread stack right
+away. Hence source and destination stacks are identical in that case,
+and special care is needed.
+
+Other than in sync_regs() the copying done on the INT80 path isn't
+NMI / #MC safe, as either of these events occurring in the middle of the
+stack copying would clobber data on the (source) stack.
+
+There is similar code in interrupt_entry() and nmi(), but there is no fixup
+required because those code paths are unreachable in XEN PV guests.
+
+[ tglx: Sanitized subject, changelog, Fixes tag and stable mail address. Sigh ]
+
+Fixes: 7f2590a110b8 ("x86/entry/64: Use a per-CPU trampoline stack for IDT entries")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Acked-by: Andy Lutomirski <luto@kernel.org>
+Cc: Peter Anvin <hpa@zytor.com>
+Cc: xen-devel@lists.xenproject.org>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/5C3E1128020000780020DFAD@prv1-mh.provo.novell.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/entry/entry_64_compat.S | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/entry/entry_64_compat.S
++++ b/arch/x86/entry/entry_64_compat.S
+@@ -361,7 +361,8 @@ ENTRY(entry_INT80_compat)
+
+ /* Need to switch before accessing the thread stack. */
+ SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi
+- movq %rsp, %rdi
++ /* In the Xen PV case we already run on the thread stack. */
++ ALTERNATIVE "movq %rsp, %rdi", "jmp .Lint80_keep_stack", X86_FEATURE_XENPV
+ movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
+
+ pushq 6*8(%rdi) /* regs->ss */
+@@ -370,8 +371,9 @@ ENTRY(entry_INT80_compat)
+ pushq 3*8(%rdi) /* regs->cs */
+ pushq 2*8(%rdi) /* regs->ip */
+ pushq 1*8(%rdi) /* regs->orig_ax */
+-
+ pushq (%rdi) /* pt_regs->di */
++.Lint80_keep_stack:
++
+ pushq %rsi /* pt_regs->si */
+ xorl %esi, %esi /* nospec si */
+ pushq %rdx /* pt_regs->dx */
--- /dev/null
+From 7e6fc2f50a3197d0e82d1c0e86282976c9e6c8a4 Mon Sep 17 00:00:00 2001
+From: Daniel Drake <drake@endlessm.com>
+Date: Mon, 7 Jan 2019 11:40:24 +0800
+Subject: x86/kaslr: Fix incorrect i8254 outb() parameters
+
+From: Daniel Drake <drake@endlessm.com>
+
+commit 7e6fc2f50a3197d0e82d1c0e86282976c9e6c8a4 upstream.
+
+The outb() function takes parameters value and port, in that order. Fix
+the parameters used in the kalsr i8254 fallback code.
+
+Fixes: 5bfce5ef55cb ("x86, kaslr: Provide randomness functions")
+Signed-off-by: Daniel Drake <drake@endlessm.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: bp@alien8.de
+Cc: hpa@zytor.com
+Cc: linux@endlessm.com
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190107034024.15005-1-drake@endlessm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/lib/kaslr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/lib/kaslr.c
++++ b/arch/x86/lib/kaslr.c
+@@ -36,8 +36,8 @@ static inline u16 i8254(void)
+ u16 status, timer;
+
+ do {
+- outb(I8254_PORT_CONTROL,
+- I8254_CMD_READBACK | I8254_SELECT_COUNTER0);
++ outb(I8254_CMD_READBACK | I8254_SELECT_COUNTER0,
++ I8254_PORT_CONTROL);
+ status = inb(I8254_PORT_COUNTER0);
+ timer = inb(I8254_PORT_COUNTER0);
+ timer |= inb(I8254_PORT_COUNTER0) << 8;
--- /dev/null
+From a31e184e4f69965c99c04cc5eb8a4920e0c63737 Mon Sep 17 00:00:00 2001
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed, 2 Jan 2019 13:56:55 -0800
+Subject: x86/pkeys: Properly copy pkey state at fork()
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+commit a31e184e4f69965c99c04cc5eb8a4920e0c63737 upstream.
+
+Memory protection key behavior should be the same in a child as it was
+in the parent before a fork. But, there is a bug that resets the
+state in the child at fork instead of preserving it.
+
+The creation of new mm's is a bit convoluted. At fork(), the code
+does:
+
+ 1. memcpy() the parent mm to initialize child
+ 2. mm_init() to initalize some select stuff stuff
+ 3. dup_mmap() to create true copies that memcpy() did not do right
+
+For pkeys two bits of state need to be preserved across a fork:
+'execute_only_pkey' and 'pkey_allocation_map'.
+
+Those are preserved by the memcpy(), but mm_init() invokes
+init_new_context() which overwrites 'execute_only_pkey' and
+'pkey_allocation_map' with "new" values.
+
+The author of the code erroneously believed that init_new_context is *only*
+called at execve()-time. But, alas, init_new_context() is used at execve()
+and fork().
+
+The result is that, after a fork(), the child's pkey state ends up looking
+like it does after an execve(), which is totally wrong. pkeys that are
+already allocated can be allocated again, for instance.
+
+To fix this, add code called by dup_mmap() to copy the pkey state from
+parent to child explicitly. Also add a comment above init_new_context() to
+make it more clear to the next poor sod what this code is used for.
+
+Fixes: e8c24d3a23a ("x86/pkeys: Allocation/free syscalls")
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: bp@alien8.de
+Cc: hpa@zytor.com
+Cc: peterz@infradead.org
+Cc: mpe@ellerman.id.au
+Cc: will.deacon@arm.com
+Cc: luto@kernel.org
+Cc: jroedel@suse.de
+Cc: stable@vger.kernel.org
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Joerg Roedel <jroedel@suse.de>
+Link: https://lkml.kernel.org/r/20190102215655.7A69518C@viggo.jf.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/mmu_context.h | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/arch/x86/include/asm/mmu_context.h
++++ b/arch/x86/include/asm/mmu_context.h
+@@ -178,6 +178,10 @@ static inline void switch_ldt(struct mm_
+
+ void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk);
+
++/*
++ * Init a new mm. Used on mm copies, like at fork()
++ * and on mm's that are brand-new, like at execve().
++ */
+ static inline int init_new_context(struct task_struct *tsk,
+ struct mm_struct *mm)
+ {
+@@ -228,8 +232,22 @@ do { \
+ } while (0)
+ #endif
+
++static inline void arch_dup_pkeys(struct mm_struct *oldmm,
++ struct mm_struct *mm)
++{
++#ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS
++ if (!cpu_feature_enabled(X86_FEATURE_OSPKE))
++ return;
++
++ /* Duplicate the oldmm pkey state in mm: */
++ mm->context.pkey_allocation_map = oldmm->context.pkey_allocation_map;
++ mm->context.execute_only_pkey = oldmm->context.execute_only_pkey;
++#endif
++}
++
+ static inline int arch_dup_mmap(struct mm_struct *oldmm, struct mm_struct *mm)
+ {
++ arch_dup_pkeys(oldmm, mm);
+ paravirt_arch_dup_mmap(oldmm, mm);
+ return ldt_dup_context(oldmm, mm);
+ }
--- /dev/null
+From e1812933b17be7814f51b6c310c5d1ced7a9a5f5 Mon Sep 17 00:00:00 2001
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed, 2 Jan 2019 13:56:57 -0800
+Subject: x86/selftests/pkeys: Fork() to check for state being preserved
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+commit e1812933b17be7814f51b6c310c5d1ced7a9a5f5 upstream.
+
+There was a bug where the per-mm pkey state was not being preserved across
+fork() in the child. fork() is performed in the pkey selftests, but all of
+the pkey activity is performed in the parent. The child does not perform
+any actions sensitive to pkey state.
+
+To make the test more sensitive to these kinds of bugs, add a fork() where
+the parent exits, and execution continues in the child.
+
+To achieve this let the key exhaustion test not terminate at the first
+allocation failure and fork after 2*NR_PKEYS loops and continue in the
+child.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: bp@alien8.de
+Cc: hpa@zytor.com
+Cc: peterz@infradead.org
+Cc: mpe@ellerman.id.au
+Cc: will.deacon@arm.com
+Cc: luto@kernel.org
+Cc: jroedel@suse.de
+Cc: stable@vger.kernel.org
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Joerg Roedel <jroedel@suse.de>
+Link: https://lkml.kernel.org/r/20190102215657.585704B7@viggo.jf.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/testing/selftests/x86/protection_keys.c | 41 +++++++++++++++++++-------
+ 1 file changed, 31 insertions(+), 10 deletions(-)
+
+--- a/tools/testing/selftests/x86/protection_keys.c
++++ b/tools/testing/selftests/x86/protection_keys.c
+@@ -1133,6 +1133,21 @@ void test_pkey_syscalls_bad_args(int *pt
+ pkey_assert(err);
+ }
+
++void become_child(void)
++{
++ pid_t forkret;
++
++ forkret = fork();
++ pkey_assert(forkret >= 0);
++ dprintf3("[%d] fork() ret: %d\n", getpid(), forkret);
++
++ if (!forkret) {
++ /* in the child */
++ return;
++ }
++ exit(0);
++}
++
+ /* Assumes that all pkeys other than 'pkey' are unallocated */
+ void test_pkey_alloc_exhaust(int *ptr, u16 pkey)
+ {
+@@ -1141,7 +1156,7 @@ void test_pkey_alloc_exhaust(int *ptr, u
+ int nr_allocated_pkeys = 0;
+ int i;
+
+- for (i = 0; i < NR_PKEYS*2; i++) {
++ for (i = 0; i < NR_PKEYS*3; i++) {
+ int new_pkey;
+ dprintf1("%s() alloc loop: %d\n", __func__, i);
+ new_pkey = alloc_pkey();
+@@ -1152,21 +1167,27 @@ void test_pkey_alloc_exhaust(int *ptr, u
+ if ((new_pkey == -1) && (errno == ENOSPC)) {
+ dprintf2("%s() failed to allocate pkey after %d tries\n",
+ __func__, nr_allocated_pkeys);
+- break;
++ } else {
++ /*
++ * Ensure the number of successes never
++ * exceeds the number of keys supported
++ * in the hardware.
++ */
++ pkey_assert(nr_allocated_pkeys < NR_PKEYS);
++ allocated_pkeys[nr_allocated_pkeys++] = new_pkey;
+ }
+- pkey_assert(nr_allocated_pkeys < NR_PKEYS);
+- allocated_pkeys[nr_allocated_pkeys++] = new_pkey;
++
++ /*
++ * Make sure that allocation state is properly
++ * preserved across fork().
++ */
++ if (i == NR_PKEYS*2)
++ become_child();
+ }
+
+ dprintf3("%s()::%d\n", __func__, __LINE__);
+
+ /*
+- * ensure it did not reach the end of the loop without
+- * failure:
+- */
+- pkey_assert(i < NR_PKEYS*2);
+-
+- /*
+ * There are 16 pkeys supported in hardware. Three are
+ * allocated by the time we get here:
+ * 1. The default key (0)
projects / thirdparty / kernel / stable-queue.git / commitdiff
