parisc-mask-out-enable-and-reserved-bits-from-sba-imask.patch
arm-8992-1-fix-unwind_frame-for-clang-built-kernels.patch
irqdomain-treewide-free-firmware-node-after-domain-removal.patch
+xen-balloon-fix-accounting-in-alloc_xenballooned_pages-error-path.patch
+xen-balloon-make-the-balloon-wait-interruptible.patch
+xen-gntdev-fix-dmabuf-import-with-non-zero-sgt-offset.patch
--- /dev/null
+From 1951fa33ec259abdf3497bfee7b63e7ddbb1a394 Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Mon, 27 Jul 2020 11:13:39 +0200
+Subject: xen/balloon: fix accounting in alloc_xenballooned_pages error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monne <roger.pau@citrix.com>
+
+commit 1951fa33ec259abdf3497bfee7b63e7ddbb1a394 upstream.
+
+target_unpopulated is incremented with nr_pages at the start of the
+function, but the call to free_xenballooned_pages will only subtract
+pgno number of pages, and thus the rest need to be subtracted before
+returning or else accounting will be skewed.
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200727091342.52325-2-roger.pau@citrix.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/balloon.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -632,6 +632,12 @@ int alloc_xenballooned_pages(int nr_page
+ out_undo:
+ mutex_unlock(&balloon_mutex);
+ free_xenballooned_pages(pgno, pages);
++ /*
++ * NB: free_xenballooned_pages will only subtract pgno pages, but since
++ * target_unpopulated is incremented with nr_pages at the start we need
++ * to remove the remaining ones also, or accounting will be screwed.
++ */
++ balloon_stats.target_unpopulated -= nr_pages - pgno;
+ return ret;
+ }
+ EXPORT_SYMBOL(alloc_xenballooned_pages);
--- /dev/null
+From 88a479ff6ef8af7f07e11593d58befc644244ff7 Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Mon, 27 Jul 2020 11:13:40 +0200
+Subject: xen/balloon: make the balloon wait interruptible
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monne <roger.pau@citrix.com>
+
+commit 88a479ff6ef8af7f07e11593d58befc644244ff7 upstream.
+
+So it can be killed, or else processes can get hung indefinitely
+waiting for balloon pages.
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200727091342.52325-3-roger.pau@citrix.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/balloon.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -570,11 +570,13 @@ static int add_ballooned_pages(int nr_pa
+ if (xen_hotplug_unpopulated) {
+ st = reserve_additional_memory();
+ if (st != BP_ECANCELED) {
++ int rc;
++
+ mutex_unlock(&balloon_mutex);
+- wait_event(balloon_wq,
++ rc = wait_event_interruptible(balloon_wq,
+ !list_empty(&ballooned_pages));
+ mutex_lock(&balloon_mutex);
+- return 0;
++ return rc ? -ENOMEM : 0;
+ }
+ }
+
--- /dev/null
+From 5fa4e6f1c2d8c9a4e47e1931b42893172d388f2b Mon Sep 17 00:00:00 2001
+From: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
+Date: Thu, 13 Aug 2020 09:21:09 +0300
+Subject: xen/gntdev: Fix dmabuf import with non-zero sgt offset
+
+From: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
+
+commit 5fa4e6f1c2d8c9a4e47e1931b42893172d388f2b upstream.
+
+It is possible that the scatter-gather table during dmabuf import has
+non-zero offset of the data, but user-space doesn't expect that.
+Fix this by failing the import, so user-space doesn't access wrong data.
+
+Fixes: bf8dc55b1358 ("xen/gntdev: Implement dma-buf import functionality")
+
+Signed-off-by: Oleksandr Andrushchenko <oleksandr_andrushchenko@epam.com>
+Acked-by: Juergen Gross <jgross@suse.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200813062113.11030-2-andr2000@gmail.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/gntdev-dmabuf.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/xen/gntdev-dmabuf.c
++++ b/drivers/xen/gntdev-dmabuf.c
+@@ -641,6 +641,14 @@ dmabuf_imp_to_refs(struct gntdev_dmabuf_
+ goto fail_detach;
+ }
+
++ /* Check that we have zero offset. */
++ if (sgt->sgl->offset) {
++ ret = ERR_PTR(-EINVAL);
++ pr_debug("DMA buffer has %d bytes offset, user-space expects 0\n",
++ sgt->sgl->offset);
++ goto fail_unmap;
++ }
++
+ /* Check number of pages that imported buffer has. */
+ if (attach->dmabuf->size != gntdev_dmabuf->nr_pages << PAGE_SHIFT) {
+ ret = ERR_PTR(-EINVAL);
projects / thirdparty / kernel / stable-queue.git / commitdiff
