From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 27 Nov 2017 12:40:40 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v3.18.85~42
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=14d5bf59e3f9dd1cc5aa98cadc934bc36be4fd3b;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	arm-8721-1-mm-dump-check-hardware-ro-bit-for-lpae.patch
	arm-8722-1-mm-make-strict_kernel_rwx-effective-for-lpae.patch
	mips-ralink-fix-mt7628-pinmux.patch
	mips-ralink-fix-typo-in-mt7628-pinmux-function.patch
	x86-decoder-add-new-test-instruction-pattern.patch
---

diff --git a/queue-4.4/arm-8721-1-mm-dump-check-hardware-ro-bit-for-lpae.patch b/queue-4.4/arm-8721-1-mm-dump-check-hardware-ro-bit-for-lpae.patch
new file mode 100644
index 00000000000..20e78a89f83
--- /dev/null
+++ b/queue-4.4/arm-8721-1-mm-dump-check-hardware-ro-bit-for-lpae.patch
@@ -0,0 +1,55 @@
+From 3b0c0c922ff4be275a8beb87ce5657d16f355b54 Mon Sep 17 00:00:00 2001
+From: Philip Derrin <philip@cog.systems>
+Date: Tue, 14 Nov 2017 00:55:26 +0100
+Subject: ARM: 8721/1: mm: dump: check hardware RO bit for LPAE
+
+From: Philip Derrin <philip@cog.systems>
+
+commit 3b0c0c922ff4be275a8beb87ce5657d16f355b54 upstream.
+
+When CONFIG_ARM_LPAE is set, the PMD dump relies on the software
+read-only bit to determine whether a page is writable. This
+concealed a bug which left the kernel text section writable
+(AP2=0) while marked read-only in the software bit.
+
+In a kernel with the AP2 bug, the dump looks like this:
+
+    ---[ Kernel Mapping ]---
+    0xc0000000-0xc0200000           2M RW NX SHD
+    0xc0200000-0xc0600000           4M ro x  SHD
+    0xc0600000-0xc0800000           2M ro NX SHD
+    0xc0800000-0xc4800000          64M RW NX SHD
+
+The fix is to check that the software and hardware bits are both
+set before displaying "ro". The dump then shows the true perms:
+
+    ---[ Kernel Mapping ]---
+    0xc0000000-0xc0200000           2M RW NX SHD
+    0xc0200000-0xc0600000           4M RW x  SHD
+    0xc0600000-0xc0800000           2M RW NX SHD
+    0xc0800000-0xc4800000          64M RW NX SHD
+
+Fixes: ded947798469 ("ARM: 8109/1: mm: Modify pte_write and pmd_write logic for LPAE")
+Signed-off-by: Philip Derrin <philip@cog.systems>
+Tested-by: Neil Dick <neil@cog.systems>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mm/dump.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mm/dump.c
++++ b/arch/arm/mm/dump.c
+@@ -126,8 +126,8 @@ static const struct prot_bits section_bi
+ 		.val	= PMD_SECT_USER,
+ 		.set	= "USR",
+ 	}, {
+-		.mask	= L_PMD_SECT_RDONLY,
+-		.val	= L_PMD_SECT_RDONLY,
++		.mask	= L_PMD_SECT_RDONLY | PMD_SECT_AP2,
++		.val	= L_PMD_SECT_RDONLY | PMD_SECT_AP2,
+ 		.set	= "ro",
+ 		.clear	= "RW",
+ #elif __LINUX_ARM_ARCH__ >= 6
diff --git a/queue-4.4/arm-8722-1-mm-make-strict_kernel_rwx-effective-for-lpae.patch b/queue-4.4/arm-8722-1-mm-make-strict_kernel_rwx-effective-for-lpae.patch
new file mode 100644
index 00000000000..13f9874b1d3
--- /dev/null
+++ b/queue-4.4/arm-8722-1-mm-make-strict_kernel_rwx-effective-for-lpae.patch
@@ -0,0 +1,48 @@
+From 400eeffaffc7232c0ae1134fe04e14ae4fb48d8c Mon Sep 17 00:00:00 2001
+From: Philip Derrin <philip@cog.systems>
+Date: Tue, 14 Nov 2017 00:55:25 +0100
+Subject: ARM: 8722/1: mm: make STRICT_KERNEL_RWX effective for LPAE
+
+From: Philip Derrin <philip@cog.systems>
+
+commit 400eeffaffc7232c0ae1134fe04e14ae4fb48d8c upstream.
+
+Currently, for ARM kernels with CONFIG_ARM_LPAE and
+CONFIG_STRICT_KERNEL_RWX enabled, the 2MiB pages mapping the
+kernel code and rodata are writable. They are marked read-only in
+a software bit (L_PMD_SECT_RDONLY) but the hardware read-only bit
+is not set (PMD_SECT_AP2).
+
+For user mappings, the logic that propagates the software bit
+to the hardware bit is in set_pmd_at(); but for the kernel,
+section_update() writes the PMDs directly, skipping this logic.
+
+The fix is to set PMD_SECT_AP2 for read-only sections in
+section_update(), at the same time as L_PMD_SECT_RDONLY.
+
+Fixes: 1e3479225acb ("ARM: 8275/1: mm: fix PMD_SECT_RDONLY undeclared compile error")
+Signed-off-by: Philip Derrin <philip@cog.systems>
+Reported-by: Neil Dick <neil@cog.systems>
+Tested-by: Neil Dick <neil@cog.systems>
+Tested-by: Laura Abbott <labbott@redhat.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mm/init.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mm/init.c
++++ b/arch/arm/mm/init.c
+@@ -611,8 +611,8 @@ static struct section_perm ro_perms[] =
+ 		.start  = (unsigned long)_stext,
+ 		.end    = (unsigned long)__init_begin,
+ #ifdef CONFIG_ARM_LPAE
+-		.mask   = ~L_PMD_SECT_RDONLY,
+-		.prot   = L_PMD_SECT_RDONLY,
++		.mask   = ~(L_PMD_SECT_RDONLY | PMD_SECT_AP2),
++		.prot   = L_PMD_SECT_RDONLY | PMD_SECT_AP2,
+ #else
+ 		.mask   = ~(PMD_SECT_APX | PMD_SECT_AP_WRITE),
+ 		.prot   = PMD_SECT_APX | PMD_SECT_AP_WRITE,
diff --git a/queue-4.4/mips-ralink-fix-mt7628-pinmux.patch b/queue-4.4/mips-ralink-fix-mt7628-pinmux.patch
new file mode 100644
index 00000000000..59aac82e18d
--- /dev/null
+++ b/queue-4.4/mips-ralink-fix-mt7628-pinmux.patch
@@ -0,0 +1,38 @@
+From 8ef4b43cd3794d63052d85898e42424fd3b14d24 Mon Sep 17 00:00:00 2001
+From: Mathias Kresin <dev@kresin.me>
+Date: Thu, 11 May 2017 08:11:14 +0200
+Subject: MIPS: ralink: Fix MT7628 pinmux
+
+From: Mathias Kresin <dev@kresin.me>
+
+commit 8ef4b43cd3794d63052d85898e42424fd3b14d24 upstream.
+
+According to the datasheet the REFCLK pin is shared with GPIO#37 and
+the PERST pin is shared with GPIO#36.
+
+Fixes: 53263a1c6852 ("MIPS: ralink: add mt7628an support")
+Signed-off-by: Mathias Kresin <dev@kresin.me>
+Acked-by: John Crispin <john@phrozen.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16046/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/ralink/mt7620.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/ralink/mt7620.c
++++ b/arch/mips/ralink/mt7620.c
+@@ -141,8 +141,8 @@ static struct rt2880_pmx_func i2c_grp_mt
+ 	FUNC("i2c", 0, 4, 2),
+ };
+ 
+-static struct rt2880_pmx_func refclk_grp_mt7628[] = { FUNC("reclk", 0, 36, 1) };
+-static struct rt2880_pmx_func perst_grp_mt7628[] = { FUNC("perst", 0, 37, 1) };
++static struct rt2880_pmx_func refclk_grp_mt7628[] = { FUNC("reclk", 0, 37, 1) };
++static struct rt2880_pmx_func perst_grp_mt7628[] = { FUNC("perst", 0, 36, 1) };
+ static struct rt2880_pmx_func wdt_grp_mt7628[] = { FUNC("wdt", 0, 38, 1) };
+ static struct rt2880_pmx_func spi_grp_mt7628[] = { FUNC("spi", 0, 7, 4) };
+ 
diff --git a/queue-4.4/mips-ralink-fix-typo-in-mt7628-pinmux-function.patch b/queue-4.4/mips-ralink-fix-typo-in-mt7628-pinmux-function.patch
new file mode 100644
index 00000000000..3bc491c17a9
--- /dev/null
+++ b/queue-4.4/mips-ralink-fix-typo-in-mt7628-pinmux-function.patch
@@ -0,0 +1,36 @@
+From 05a67cc258e75ac9758e6f13d26337b8be51162a Mon Sep 17 00:00:00 2001
+From: Mathias Kresin <dev@kresin.me>
+Date: Thu, 11 May 2017 08:11:15 +0200
+Subject: MIPS: ralink: Fix typo in mt7628 pinmux function
+
+From: Mathias Kresin <dev@kresin.me>
+
+commit 05a67cc258e75ac9758e6f13d26337b8be51162a upstream.
+
+There is a typo inside the pinmux setup code. The function is called
+refclk and not reclk.
+
+Fixes: 53263a1c6852 ("MIPS: ralink: add mt7628an support")
+Signed-off-by: Mathias Kresin <dev@kresin.me>
+Acked-by: John Crispin <john@phrozen.org>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/16047/
+Signed-off-by: James Hogan <jhogan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/ralink/mt7620.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/ralink/mt7620.c
++++ b/arch/mips/ralink/mt7620.c
+@@ -141,7 +141,7 @@ static struct rt2880_pmx_func i2c_grp_mt
+ 	FUNC("i2c", 0, 4, 2),
+ };
+ 
+-static struct rt2880_pmx_func refclk_grp_mt7628[] = { FUNC("reclk", 0, 37, 1) };
++static struct rt2880_pmx_func refclk_grp_mt7628[] = { FUNC("refclk", 0, 37, 1) };
+ static struct rt2880_pmx_func perst_grp_mt7628[] = { FUNC("perst", 0, 36, 1) };
+ static struct rt2880_pmx_func wdt_grp_mt7628[] = { FUNC("wdt", 0, 38, 1) };
+ static struct rt2880_pmx_func spi_grp_mt7628[] = { FUNC("spi", 0, 7, 4) };
diff --git a/queue-4.4/series b/queue-4.4/series
index 5ca6f5e6db2..1a9b8dbb9dd 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -7,3 +7,8 @@ af_vsock-shrink-the-area-influenced-by-prepare_to_wait.patch
 vsock-use-new-wait-api-for-vsock_stream_sendmsg.patch
 sched-make-resched_cpu-unconditional.patch
 lib-mpi-call-cond_resched-from-mpi_powm-loop.patch
+x86-decoder-add-new-test-instruction-pattern.patch
+arm-8722-1-mm-make-strict_kernel_rwx-effective-for-lpae.patch
+arm-8721-1-mm-dump-check-hardware-ro-bit-for-lpae.patch
+mips-ralink-fix-mt7628-pinmux.patch
+mips-ralink-fix-typo-in-mt7628-pinmux-function.patch
diff --git a/queue-4.4/x86-decoder-add-new-test-instruction-pattern.patch b/queue-4.4/x86-decoder-add-new-test-instruction-pattern.patch
new file mode 100644
index 00000000000..26582cf8790
--- /dev/null
+++ b/queue-4.4/x86-decoder-add-new-test-instruction-pattern.patch
@@ -0,0 +1,58 @@
+From 12a78d43de767eaf8fb272facb7a7b6f2dc6a9df Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Fri, 24 Nov 2017 13:56:30 +0900
+Subject: x86/decoder: Add new TEST instruction pattern
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 12a78d43de767eaf8fb272facb7a7b6f2dc6a9df upstream.
+
+The kbuild test robot reported this build warning:
+
+  Warning: arch/x86/tools/test_get_len found difference at <jump_table>:ffffffff8103dd2c
+
+  Warning: ffffffff8103dd82: f6 09 d8 testb $0xd8,(%rcx)
+  Warning: objdump says 3 bytes, but insn_get_length() says 2
+  Warning: decoded and checked 1569014 instructions with 1 warnings
+
+This sequence seems to be a new instruction not in the opcode map in the Intel SDM.
+
+The instruction sequence is "F6 09 d8", means Group3(F6), MOD(00)REG(001)RM(001), and 0xd8.
+Intel SDM vol2 A.4 Table A-6 said the table index in the group is "Encoding of Bits 5,4,3 of
+the ModR/M Byte (bits 2,1,0 in parenthesis)"
+
+In that table, opcodes listed by the index REG bits as:
+
+  000         001       010 011  100        101        110         111
+ TEST Ib/Iz,(undefined),NOT,NEG,MUL AL/rAX,IMUL AL/rAX,DIV AL/rAX,IDIV AL/rAX
+
+So, it seems TEST Ib is assigned to 001.
+
+Add the new pattern.
+
+Reported-by: kbuild test robot <fengguang.wu@intel.com>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/lib/x86-opcode-map.txt |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/lib/x86-opcode-map.txt
++++ b/arch/x86/lib/x86-opcode-map.txt
+@@ -833,7 +833,7 @@ EndTable
+ 
+ GrpTable: Grp3_1
+ 0: TEST Eb,Ib
+-1:
++1: TEST Eb,Ib
+ 2: NOT Eb
+ 3: NEG Eb
+ 4: MUL AL,Eb