From: Greg Kroah-Hartman Date: Tue, 23 May 2017 14:47:46 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v3.18.55~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=21e6eaa877b366d6e0727a811db21d9c73105e9e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: arm-8662-1-module-split-core-and-init-plt-sections.patch arm-8670-1-v7m-do-not-corrupt-vector-table-around-v7m_invalidate_l1-call.patch arm-dts-at91-sama5d3_xplained-fix-adc-vref.patch arm-dts-at91-sama5d3_xplained-not-all-adc-channels-are-available.patch arm-dts-imx6sx-sdb-remove-opp-override.patch arm-kvm-do-not-use-stack-protector-to-compile-hyp-code.patch arm64-armv8_deprecated-ensure-extension-of-addr.patch arm64-documentation-document-tagged-pointer-stack-constraints.patch arm64-dts-hi6220-reset-the-mmc-hosts.patch arm64-ensure-extension-of-smp_store_release-value.patch arm64-kvm-do-not-use-stack-protector-to-compile-el2-code.patch arm64-uaccess-ensure-extension-of-access_ok-addr.patch arm64-xchg-hazard-against-entire-exchange-variable.patch genirq-fix-chained-interrupt-data-ordering.patch iommu-vt-d-flush-the-iotlb-to-get-rid-of-the-initial-kdump-mappings.patch kvm-arm-arm64-vgic-v2-do-not-use-active-pending-state-for-a-hw-interrupt.patch kvm-arm-arm64-vgic-v3-do-not-use-active-pending-state-for-a-hw-interrupt.patch kvm-arm-plug-potential-guest-hardware-debug-leakage.patch metag-uaccess-check-access_ok-in-strncpy_from_user.patch metag-uaccess-fix-access_ok.patch mips-loongson-3-select-mips_l1_cache_shift_6.patch nvme-unmap-cmb-and-remove-sysfs-file-in-reset-path.patch powerpc-64e-fix-hang-when-debugging-programs-with-relocated-kernel.patch powerpc-book3s-mce-move-add_taint-later-in-virtual-mode.patch powerpc-eeh-avoid-use-after-free-in-eeh_handle_special_event.patch powerpc-iommu-do-not-call-pagetranshuge-on-tail-pages.patch powerpc-mm-ensure-irqs-are-off-in-switch_mm.patch powerpc-pseries-fix-of_node_put-underflow-during-dlpar-remove.patch 
powerpc-tm-fix-fp-and-vmx-register-corruption.patch stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch staging-rtl8192e-fix-2-byte-alignment-of-register-bssidr.patch staging-rtl8192e-getts-fix-invalid-tid-7-warning.patch staging-rtl8192e-rtl92e_fill_tx_desc-fix-write-to-mapped-out-memory.patch staging-rtl8192e-rtl92e_get_eeprom_size-fix-read-size-of-eprom_cmd.patch uwb-fix-device-quirk-on-big-endian-hosts.patch --- diff --git a/queue-4.9/arm-8662-1-module-split-core-and-init-plt-sections.patch b/queue-4.9/arm-8662-1-module-split-core-and-init-plt-sections.patch new file mode 100644 index 00000000000..fec882c5533 --- /dev/null +++ b/queue-4.9/arm-8662-1-module-split-core-and-init-plt-sections.patch @@ -0,0 +1,237 @@ +From b7ede5a1f5905ac394cc8e61712a13e3c5cb7b8f Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 22 Feb 2017 19:40:12 +0100 +Subject: ARM: 8662/1: module: split core and init PLT sections + +From: Ard Biesheuvel + +commit b7ede5a1f5905ac394cc8e61712a13e3c5cb7b8f upstream. + +Since commit 35fa91eed817 ("ARM: kernel: merge core and init PLTs"), +the ARM module PLT code allocates all PLT entries in a single core +section, since the overhead of having a separate init PLT section is +not justified by the small number of PLT entries usually required for +init code. + +However, the core and init module regions are allocated independently, +and there is a corner case where the core region may be allocated from +the VMALLOC region if the dedicated module region is exhausted, but the +init region, being much smaller, can still be allocated from the module +region. This puts the PLT entries out of reach of the relocated branch +instructions, defeating the whole purpose of PLTs. + +So split the core and init PLT regions, and name the latter ".init.plt" +so it gets allocated along with (and sufficiently close to) the .init +sections that it serves. 
Also, given that init PLT entries may need to +be emitted for branches that target the core module, modify the logic +that disregards defined symbols to only disregard symbols that are +defined in the same section. + +Fixes: 35fa91eed817 ("ARM: kernel: merge core and init PLTs") +Reported-by: Angus Clark +Tested-by: Angus Clark +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/include/asm/module.h | 9 +++- + arch/arm/kernel/module-plts.c | 85 +++++++++++++++++++++++++++++------------- + arch/arm/kernel/module.lds | 1 + 3 files changed, 67 insertions(+), 28 deletions(-) + +--- a/arch/arm/include/asm/module.h ++++ b/arch/arm/include/asm/module.h +@@ -18,13 +18,18 @@ enum { + }; + #endif + ++struct mod_plt_sec { ++ struct elf32_shdr *plt; ++ int plt_count; ++}; ++ + struct mod_arch_specific { + #ifdef CONFIG_ARM_UNWIND + struct unwind_table *unwind[ARM_SEC_MAX]; + #endif + #ifdef CONFIG_ARM_MODULE_PLTS +- struct elf32_shdr *plt; +- int plt_count; ++ struct mod_plt_sec core; ++ struct mod_plt_sec init; + #endif + }; + +--- a/arch/arm/kernel/module-plts.c ++++ b/arch/arm/kernel/module-plts.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2014 Linaro Ltd. ++ * Copyright (C) 2014-2017 Linaro Ltd. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -31,9 +31,17 @@ struct plt_entries { + u32 lit[PLT_ENT_COUNT]; + }; + ++static bool in_init(const struct module *mod, unsigned long loc) ++{ ++ return loc - (u32)mod->init_layout.base < mod->init_layout.size; ++} ++ + u32 get_module_plt(struct module *mod, unsigned long loc, Elf32_Addr val) + { +- struct plt_entries *plt = (struct plt_entries *)mod->arch.plt->sh_addr; ++ struct mod_plt_sec *pltsec = !in_init(mod, loc) ? 
&mod->arch.core : ++ &mod->arch.init; ++ ++ struct plt_entries *plt = (struct plt_entries *)pltsec->plt->sh_addr; + int idx = 0; + + /* +@@ -41,9 +49,9 @@ u32 get_module_plt(struct module *mod, u + * relocations are sorted, this will be the last entry we allocated. + * (if one exists). + */ +- if (mod->arch.plt_count > 0) { +- plt += (mod->arch.plt_count - 1) / PLT_ENT_COUNT; +- idx = (mod->arch.plt_count - 1) % PLT_ENT_COUNT; ++ if (pltsec->plt_count > 0) { ++ plt += (pltsec->plt_count - 1) / PLT_ENT_COUNT; ++ idx = (pltsec->plt_count - 1) % PLT_ENT_COUNT; + + if (plt->lit[idx] == val) + return (u32)&plt->ldr[idx]; +@@ -53,8 +61,8 @@ u32 get_module_plt(struct module *mod, u + plt++; + } + +- mod->arch.plt_count++; +- BUG_ON(mod->arch.plt_count * PLT_ENT_SIZE > mod->arch.plt->sh_size); ++ pltsec->plt_count++; ++ BUG_ON(pltsec->plt_count * PLT_ENT_SIZE > pltsec->plt->sh_size); + + if (!idx) + /* Populate a new set of entries */ +@@ -129,7 +137,7 @@ static bool duplicate_rel(Elf32_Addr bas + + /* Count how many PLT entries we may need */ + static unsigned int count_plts(const Elf32_Sym *syms, Elf32_Addr base, +- const Elf32_Rel *rel, int num) ++ const Elf32_Rel *rel, int num, Elf32_Word dstidx) + { + unsigned int ret = 0; + const Elf32_Sym *s; +@@ -144,13 +152,17 @@ static unsigned int count_plts(const Elf + case R_ARM_THM_JUMP24: + /* + * We only have to consider branch targets that resolve +- * to undefined symbols. This is not simply a heuristic, +- * it is a fundamental limitation, since the PLT itself +- * is part of the module, and needs to be within range +- * as well, so modules can never grow beyond that limit. ++ * to symbols that are defined in a different section. ++ * This is not simply a heuristic, it is a fundamental ++ * limitation, since there is no guaranteed way to emit ++ * PLT entries sufficiently close to the branch if the ++ * section size exceeds the range of a branch ++ * instruction. 
So ignore relocations against defined ++ * symbols if they live in the same section as the ++ * relocation target. + */ + s = syms + ELF32_R_SYM(rel[i].r_info); +- if (s->st_shndx != SHN_UNDEF) ++ if (s->st_shndx == dstidx) + break; + + /* +@@ -161,7 +173,12 @@ static unsigned int count_plts(const Elf + * So we need to support them, but there is no need to + * take them into consideration when trying to optimize + * this code. So let's only check for duplicates when +- * the addend is zero. ++ * the addend is zero. (Note that calls into the core ++ * module via init PLT entries could involve section ++ * relative symbol references with non-zero addends, for ++ * which we may end up emitting duplicates, but the init ++ * PLT is released along with the rest of the .init ++ * region as soon as module loading completes.) + */ + if (!is_zero_addend_relocation(base, rel + i) || + !duplicate_rel(base, rel, i)) +@@ -174,7 +191,8 @@ static unsigned int count_plts(const Elf + int module_frob_arch_sections(Elf_Ehdr *ehdr, Elf_Shdr *sechdrs, + char *secstrings, struct module *mod) + { +- unsigned long plts = 0; ++ unsigned long core_plts = 0; ++ unsigned long init_plts = 0; + Elf32_Shdr *s, *sechdrs_end = sechdrs + ehdr->e_shnum; + Elf32_Sym *syms = NULL; + +@@ -184,13 +202,15 @@ int module_frob_arch_sections(Elf_Ehdr * + */ + for (s = sechdrs; s < sechdrs_end; ++s) { + if (strcmp(".plt", secstrings + s->sh_name) == 0) +- mod->arch.plt = s; ++ mod->arch.core.plt = s; ++ else if (strcmp(".init.plt", secstrings + s->sh_name) == 0) ++ mod->arch.init.plt = s; + else if (s->sh_type == SHT_SYMTAB) + syms = (Elf32_Sym *)s->sh_addr; + } + +- if (!mod->arch.plt) { +- pr_err("%s: module PLT section missing\n", mod->name); ++ if (!mod->arch.core.plt || !mod->arch.init.plt) { ++ pr_err("%s: module PLT section(s) missing\n", mod->name); + return -ENOEXEC; + } + if (!syms) { +@@ -213,16 +233,29 @@ int module_frob_arch_sections(Elf_Ehdr * + /* sort by type and symbol index */ + sort(rels, 
numrels, sizeof(Elf32_Rel), cmp_rel, NULL); + +- plts += count_plts(syms, dstsec->sh_addr, rels, numrels); ++ if (strncmp(secstrings + dstsec->sh_name, ".init", 5) != 0) ++ core_plts += count_plts(syms, dstsec->sh_addr, rels, ++ numrels, s->sh_info); ++ else ++ init_plts += count_plts(syms, dstsec->sh_addr, rels, ++ numrels, s->sh_info); + } + +- mod->arch.plt->sh_type = SHT_NOBITS; +- mod->arch.plt->sh_flags = SHF_EXECINSTR | SHF_ALLOC; +- mod->arch.plt->sh_addralign = L1_CACHE_BYTES; +- mod->arch.plt->sh_size = round_up(plts * PLT_ENT_SIZE, +- sizeof(struct plt_entries)); +- mod->arch.plt_count = 0; ++ mod->arch.core.plt->sh_type = SHT_NOBITS; ++ mod->arch.core.plt->sh_flags = SHF_EXECINSTR | SHF_ALLOC; ++ mod->arch.core.plt->sh_addralign = L1_CACHE_BYTES; ++ mod->arch.core.plt->sh_size = round_up(core_plts * PLT_ENT_SIZE, ++ sizeof(struct plt_entries)); ++ mod->arch.core.plt_count = 0; ++ ++ mod->arch.init.plt->sh_type = SHT_NOBITS; ++ mod->arch.init.plt->sh_flags = SHF_EXECINSTR | SHF_ALLOC; ++ mod->arch.init.plt->sh_addralign = L1_CACHE_BYTES; ++ mod->arch.init.plt->sh_size = round_up(init_plts * PLT_ENT_SIZE, ++ sizeof(struct plt_entries)); ++ mod->arch.init.plt_count = 0; + +- pr_debug("%s: plt=%x\n", __func__, mod->arch.plt->sh_size); ++ pr_debug("%s: plt=%x, init.plt=%x\n", __func__, ++ mod->arch.core.plt->sh_size, mod->arch.init.plt->sh_size); + return 0; + } +--- a/arch/arm/kernel/module.lds ++++ b/arch/arm/kernel/module.lds +@@ -1,3 +1,4 @@ + SECTIONS { + .plt : { BYTE(0) } ++ .init.plt : { BYTE(0) } + } diff --git a/queue-4.9/arm-8670-1-v7m-do-not-corrupt-vector-table-around-v7m_invalidate_l1-call.patch b/queue-4.9/arm-8670-1-v7m-do-not-corrupt-vector-table-around-v7m_invalidate_l1-call.patch new file mode 100644 index 00000000000..54fa4c53b11 --- /dev/null +++ b/queue-4.9/arm-8670-1-v7m-do-not-corrupt-vector-table-around-v7m_invalidate_l1-call.patch @@ -0,0 +1,38 @@ +From 6d80594936914e798b1b54b3bfe4bd68d8418966 Mon Sep 17 00:00:00 2001 +From: 
Vladimir Murzin +Date: Mon, 24 Apr 2017 10:40:48 +0100 +Subject: ARM: 8670/1: V7M: Do not corrupt vector table around v7m_invalidate_l1 call + +From: Vladimir Murzin + +commit 6d80594936914e798b1b54b3bfe4bd68d8418966 upstream. + +We save/restore registers around v7m_invalidate_l1 to address pointed +by r12, which is vector table, so the first eight entries are +overwritten with a garbage. We already have stack setup at that stage, +so use it to save/restore register. + +Fixes: 6a8146f420be ("ARM: 8609/1: V7M: Add support for the Cortex-M7 processor") +Signed-off-by: Vladimir Murzin +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mm/proc-v7m.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/mm/proc-v7m.S ++++ b/arch/arm/mm/proc-v7m.S +@@ -147,10 +147,10 @@ __v7m_setup_cont: + + @ Configure caches (if implemented) + teq r8, #0 +- stmneia r12, {r0-r6, lr} @ v7m_invalidate_l1 touches r0-r6 ++ stmneia sp, {r0-r6, lr} @ v7m_invalidate_l1 touches r0-r6 + blne v7m_invalidate_l1 + teq r8, #0 @ re-evalutae condition +- ldmneia r12, {r0-r6, lr} ++ ldmneia sp, {r0-r6, lr} + + @ Configure the System Control Register to ensure 8-byte stack alignment + @ Note the STKALIGN bit is either RW or RAO. diff --git a/queue-4.9/arm-dts-at91-sama5d3_xplained-fix-adc-vref.patch b/queue-4.9/arm-dts-at91-sama5d3_xplained-fix-adc-vref.patch new file mode 100644 index 00000000000..8c041020f50 --- /dev/null +++ b/queue-4.9/arm-dts-at91-sama5d3_xplained-fix-adc-vref.patch @@ -0,0 +1,31 @@ +From 9cdd31e5913c1f86dce7e201b086155b3f24896b Mon Sep 17 00:00:00 2001 +From: Ludovic Desroches +Date: Mon, 10 Apr 2017 10:25:16 +0200 +Subject: ARM: dts: at91: sama5d3_xplained: fix ADC vref + +From: Ludovic Desroches + +commit 9cdd31e5913c1f86dce7e201b086155b3f24896b upstream. + +The voltage reference for the ADC is not 3V but 3.3V since it is connected to +VDDANA. 
+ +Signed-off-by: Ludovic Desroches +Acked-by: Nicolas Ferre +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/at91-sama5d3_xplained.dts | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/boot/dts/at91-sama5d3_xplained.dts ++++ b/arch/arm/boot/dts/at91-sama5d3_xplained.dts +@@ -162,6 +162,7 @@ + }; + + adc0: adc@f8018000 { ++ atmel,adc-vref = <3300>; + pinctrl-0 = < + &pinctrl_adc0_adtrg + &pinctrl_adc0_ad0 diff --git a/queue-4.9/arm-dts-at91-sama5d3_xplained-not-all-adc-channels-are-available.patch b/queue-4.9/arm-dts-at91-sama5d3_xplained-not-all-adc-channels-are-available.patch new file mode 100644 index 00000000000..6191c0491df --- /dev/null +++ b/queue-4.9/arm-dts-at91-sama5d3_xplained-not-all-adc-channels-are-available.patch @@ -0,0 +1,43 @@ +From d3df1ec06353e51fc44563d2e7e18d42811af290 Mon Sep 17 00:00:00 2001 +From: Ludovic Desroches +Date: Mon, 10 Apr 2017 10:25:17 +0200 +Subject: ARM: dts: at91: sama5d3_xplained: not all ADC channels are available + +From: Ludovic Desroches + +commit d3df1ec06353e51fc44563d2e7e18d42811af290 upstream. + +Remove ADC channels that are not available by default on the sama5d3_xplained +board (resistor not populated) in order to not create confusion. 
+ +Signed-off-by: Ludovic Desroches +Acked-by: Nicolas Ferre +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/at91-sama5d3_xplained.dts | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/arch/arm/boot/dts/at91-sama5d3_xplained.dts ++++ b/arch/arm/boot/dts/at91-sama5d3_xplained.dts +@@ -163,9 +163,9 @@ + + adc0: adc@f8018000 { + atmel,adc-vref = <3300>; ++ atmel,adc-channels-used = <0xfe>; + pinctrl-0 = < + &pinctrl_adc0_adtrg +- &pinctrl_adc0_ad0 + &pinctrl_adc0_ad1 + &pinctrl_adc0_ad2 + &pinctrl_adc0_ad3 +@@ -173,8 +173,6 @@ + &pinctrl_adc0_ad5 + &pinctrl_adc0_ad6 + &pinctrl_adc0_ad7 +- &pinctrl_adc0_ad8 +- &pinctrl_adc0_ad9 + >; + status = "okay"; + }; diff --git a/queue-4.9/arm-dts-imx6sx-sdb-remove-opp-override.patch b/queue-4.9/arm-dts-imx6sx-sdb-remove-opp-override.patch new file mode 100644 index 00000000000..5c6452d4b43 --- /dev/null +++ b/queue-4.9/arm-dts-imx6sx-sdb-remove-opp-override.patch @@ -0,0 +1,57 @@ +From d8581c7c8be172dac156a19d261f988a72ce596f Mon Sep 17 00:00:00 2001 +From: Leonard Crestez +Date: Fri, 5 May 2017 14:00:17 +0300 +Subject: ARM: dts: imx6sx-sdb: Remove OPP override + +From: Leonard Crestez + +commit d8581c7c8be172dac156a19d261f988a72ce596f upstream. + +The board file for imx6sx-sdb overrides cpufreq operating points to use +higher voltages. This is done because the board has a shared rail for +VDD_ARM_IN and VDD_SOC_IN and when using LDO bypass the shared voltage +needs to be a value suitable for both ARM and SOC. + +This only applies to LDO bypass mode, a feature not present in upstream. +When LDOs are enabled the effect is to use higher voltages than necessary +for no good reason. + +Setting these higher voltages can make some boards fail to boot with ugly +semi-random crashes reminiscent of memory corruption. These failures only +happen on board rev. C, rev. B is reported to still work. 
+ +Signed-off-by: Leonard Crestez +Fixes: 54183bd7f766 ("ARM: imx6sx-sdb: add revb board and make it default") +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/imx6sx-sdb.dts | 17 ----------------- + 1 file changed, 17 deletions(-) + +--- a/arch/arm/boot/dts/imx6sx-sdb.dts ++++ b/arch/arm/boot/dts/imx6sx-sdb.dts +@@ -12,23 +12,6 @@ + model = "Freescale i.MX6 SoloX SDB RevB Board"; + }; + +-&cpu0 { +- operating-points = < +- /* kHz uV */ +- 996000 1250000 +- 792000 1175000 +- 396000 1175000 +- 198000 1175000 +- >; +- fsl,soc-operating-points = < +- /* ARM kHz SOC uV */ +- 996000 1250000 +- 792000 1175000 +- 396000 1175000 +- 198000 1175000 +- >; +-}; +- + &i2c1 { + clock-frequency = <100000>; + pinctrl-names = "default"; diff --git a/queue-4.9/arm-kvm-do-not-use-stack-protector-to-compile-hyp-code.patch b/queue-4.9/arm-kvm-do-not-use-stack-protector-to-compile-hyp-code.patch new file mode 100644 index 00000000000..ea920d37852 --- /dev/null +++ b/queue-4.9/arm-kvm-do-not-use-stack-protector-to-compile-hyp-code.patch @@ -0,0 +1,37 @@ +From 501ad27c67ed0b90df465f23d33e9aed64058a47 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 2 May 2017 14:30:38 +0100 +Subject: arm: KVM: Do not use stack-protector to compile HYP code + +From: Marc Zyngier + +commit 501ad27c67ed0b90df465f23d33e9aed64058a47 upstream. + +We like living dangerously. Nothing explicitely forbids stack-protector +to be used in the HYP code, while distributions routinely compile their +kernel with it. We're just lucky that no code actually triggers the +instrumentation. + +Let's not try our luck for much longer, and disable stack-protector +for code living at HYP. 
+ +Signed-off-by: Marc Zyngier +Acked-by: Christoffer Dall +Signed-off-by: Christoffer Dall +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kvm/hyp/Makefile | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm/kvm/hyp/Makefile ++++ b/arch/arm/kvm/hyp/Makefile +@@ -2,6 +2,8 @@ + # Makefile for Kernel-based Virtual Machine module, HYP part + # + ++ccflags-y += -fno-stack-protector ++ + KVM=../../../../virt/kvm + + obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/vgic-v2-sr.o diff --git a/queue-4.9/arm64-armv8_deprecated-ensure-extension-of-addr.patch b/queue-4.9/arm64-armv8_deprecated-ensure-extension-of-addr.patch new file mode 100644 index 00000000000..05001351985 --- /dev/null +++ b/queue-4.9/arm64-armv8_deprecated-ensure-extension-of-addr.patch @@ -0,0 +1,40 @@ +From 55de49f9aa17b0b2b144dd2af587177b9aadf429 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Wed, 3 May 2017 16:09:36 +0100 +Subject: arm64: armv8_deprecated: ensure extension of addr + +From: Mark Rutland + +commit 55de49f9aa17b0b2b144dd2af587177b9aadf429 upstream. + +Our compat swp emulation holds the compat user address in an unsigned +int, which it passes to __user_swpX_asm(). When a 32-bit value is passed +in a register, the upper 32 bits of the register are unknown, and we +must extend the value to 64 bits before we can use it as a base address. + +This patch casts the address to unsigned long to ensure it has been +suitably extended, avoiding the potential issue, and silencing a related +warning from clang. 
+ +Fixes: bd35a4adc413 ("arm64: Port SWP/SWPB emulation support from arm") +Acked-by: Will Deacon +Signed-off-by: Mark Rutland +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/armv8_deprecated.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kernel/armv8_deprecated.c ++++ b/arch/arm64/kernel/armv8_deprecated.c +@@ -309,7 +309,8 @@ static void __init register_insn_emulati + ALTERNATIVE("nop", SET_PSTATE_PAN(1), ARM64_HAS_PAN, \ + CONFIG_ARM64_PAN) \ + : "=&r" (res), "+r" (data), "=&r" (temp), "=&r" (temp2) \ +- : "r" (addr), "i" (-EAGAIN), "i" (-EFAULT), \ ++ : "r" ((unsigned long)addr), "i" (-EAGAIN), \ ++ "i" (-EFAULT), \ + "i" (__SWP_LL_SC_LOOPS) \ + : "memory") + diff --git a/queue-4.9/arm64-documentation-document-tagged-pointer-stack-constraints.patch b/queue-4.9/arm64-documentation-document-tagged-pointer-stack-constraints.patch new file mode 100644 index 00000000000..b44fa590b4f --- /dev/null +++ b/queue-4.9/arm64-documentation-document-tagged-pointer-stack-constraints.patch @@ -0,0 +1,113 @@ +From f0e421b1bf7af97f026e1bb8bfe4c5a7a8c08f42 Mon Sep 17 00:00:00 2001 +From: Kristina Martsenko +Date: Wed, 3 May 2017 16:37:48 +0100 +Subject: arm64: documentation: document tagged pointer stack constraints + +From: Kristina Martsenko + +commit f0e421b1bf7af97f026e1bb8bfe4c5a7a8c08f42 upstream. + +Some kernel features don't currently work if a task puts a non-zero +address tag in its stack pointer, frame pointer, or frame record entries +(FP, LR). + +For example, with a tagged stack pointer, the kernel can't deliver +signals to the process, and the task is killed instead. As another +example, with a tagged frame pointer or frame records, perf fails to +generate call graphs or resolve symbols. + +For now, just document these limitations, instead of finding and fixing +everything that doesn't work, as it's not known if anyone needs to use +tags in these places anyway. 
+ +In addition, as requested by Dave Martin, generalize the limitations +into a general kernel address tag policy, and refactor +tagged-pointers.txt to include it. + +Fixes: d50240a5f6ce ("arm64: mm: permit use of tagged pointers at EL0") +Reviewed-by: Dave Martin +Acked-by: Will Deacon +Signed-off-by: Kristina Martsenko +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/arm64/tagged-pointers.txt | 66 +++++++++++++++++++++++--------- + 1 file changed, 49 insertions(+), 17 deletions(-) + +--- a/Documentation/arm64/tagged-pointers.txt ++++ b/Documentation/arm64/tagged-pointers.txt +@@ -11,24 +11,56 @@ in AArch64 Linux. + The kernel configures the translation tables so that translations made + via TTBR0 (i.e. userspace mappings) have the top byte (bits 63:56) of + the virtual address ignored by the translation hardware. This frees up +-this byte for application use, with the following caveats: ++this byte for application use. + +- (1) The kernel requires that all user addresses passed to EL1 +- are tagged with tag 0x00. This means that any syscall +- parameters containing user virtual addresses *must* have +- their top byte cleared before trapping to the kernel. +- +- (2) Non-zero tags are not preserved when delivering signals. +- This means that signal handlers in applications making use +- of tags cannot rely on the tag information for user virtual +- addresses being maintained for fields inside siginfo_t. +- One exception to this rule is for signals raised in response +- to watchpoint debug exceptions, where the tag information +- will be preserved. +- +- (3) Special care should be taken when using tagged pointers, +- since it is likely that C compilers will not hazard two +- virtual addresses differing only in the upper byte. ++ ++Passing tagged addresses to the kernel ++-------------------------------------- ++ ++All interpretation of userspace memory addresses by the kernel assumes ++an address tag of 0x00. 
++ ++This includes, but is not limited to, addresses found in: ++ ++ - pointer arguments to system calls, including pointers in structures ++ passed to system calls, ++ ++ - the stack pointer (sp), e.g. when interpreting it to deliver a ++ signal, ++ ++ - the frame pointer (x29) and frame records, e.g. when interpreting ++ them to generate a backtrace or call graph. ++ ++Using non-zero address tags in any of these locations may result in an ++error code being returned, a (fatal) signal being raised, or other modes ++of failure. ++ ++For these reasons, passing non-zero address tags to the kernel via ++system calls is forbidden, and using a non-zero address tag for sp is ++strongly discouraged. ++ ++Programs maintaining a frame pointer and frame records that use non-zero ++address tags may suffer impaired or inaccurate debug and profiling ++visibility. ++ ++ ++Preserving tags ++--------------- ++ ++Non-zero tags are not preserved when delivering signals. This means that ++signal handlers in applications making use of tags cannot rely on the ++tag information for user virtual addresses being maintained for fields ++inside siginfo_t. One exception to this rule is for signals raised in ++response to watchpoint debug exceptions, where the tag information will ++be preserved. + + The architecture prevents the use of a tagged PC, so the upper byte will + be set to a sign-extension of bit 55 on exception return. ++ ++ ++Other considerations ++-------------------- ++ ++Special care should be taken when using tagged pointers, since it is ++likely that C compilers will not hazard two virtual addresses differing ++only in the upper byte. 
diff --git a/queue-4.9/arm64-dts-hi6220-reset-the-mmc-hosts.patch b/queue-4.9/arm64-dts-hi6220-reset-the-mmc-hosts.patch new file mode 100644 index 00000000000..a0c7dee7ae3 --- /dev/null +++ b/queue-4.9/arm64-dts-hi6220-reset-the-mmc-hosts.patch @@ -0,0 +1,71 @@ +From 0fbdf9953b41c28845fe8d05007ff09634ee3000 Mon Sep 17 00:00:00 2001 +From: Daniel Lezcano +Date: Thu, 16 Mar 2017 15:03:24 +0100 +Subject: arm64: dts: hi6220: Reset the mmc hosts + +From: Daniel Lezcano + +commit 0fbdf9953b41c28845fe8d05007ff09634ee3000 upstream. + +The MMC hosts could be left in an unconsistent or uninitialized state from +the firmware. Instead of assuming, the firmware did the right things, let's +reset the host controllers. + +This change fixes a bug when the mmc2/sdio is initialized leading to a hung +task: + +[ 242.704294] INFO: task kworker/7:1:675 blocked for more than 120 seconds. +[ 242.711129] Not tainted 4.9.0-rc8-00017-gcf0251f #3 +[ 242.716571] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +[ 242.724435] kworker/7:1 D 0 675 2 0x00000000 +[ 242.729973] Workqueue: events_freezable mmc_rescan +[ 242.734796] Call trace: +[ 242.737269] [] __switch_to+0xa8/0xb4 +[ 242.742437] [] __schedule+0x1c0/0x67c +[ 242.747689] [] schedule+0x40/0xa0 +[ 242.752594] [] schedule_timeout+0x1c4/0x35c +[ 242.758366] [] wait_for_common+0xd0/0x15c +[ 242.763964] [] wait_for_completion+0x28/0x34 +[ 242.769825] [] mmc_wait_for_req_done+0x40/0x124 +[ 242.775949] [] mmc_wait_for_req+0xc0/0xf8 +[ 242.781549] [] mmc_wait_for_cmd+0x6c/0x84 +[ 242.787149] [] mmc_io_rw_direct_host+0x9c/0x114 +[ 242.793270] [] sdio_reset+0x34/0x7c +[ 242.798347] [] mmc_rescan+0x2fc/0x360 + +[ ... 
] + +Signed-off-by: Daniel Lezcano +Signed-off-by: Wei Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/boot/dts/hisilicon/hi6220.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arm64/boot/dts/hisilicon/hi6220.dtsi ++++ b/arch/arm64/boot/dts/hisilicon/hi6220.dtsi +@@ -772,6 +772,7 @@ + clocks = <&sys_ctrl 2>, <&sys_ctrl 1>; + clock-names = "ciu", "biu"; + resets = <&sys_ctrl PERIPH_RSTDIS0_MMC0>; ++ reset-names = "reset"; + bus-width = <0x8>; + vmmc-supply = <&ldo19>; + pinctrl-names = "default"; +@@ -795,6 +796,7 @@ + clocks = <&sys_ctrl 4>, <&sys_ctrl 3>; + clock-names = "ciu", "biu"; + resets = <&sys_ctrl PERIPH_RSTDIS0_MMC1>; ++ reset-names = "reset"; + vqmmc-supply = <&ldo7>; + vmmc-supply = <&ldo10>; + bus-width = <0x4>; +@@ -813,6 +815,7 @@ + clocks = <&sys_ctrl HI6220_MMC2_CIUCLK>, <&sys_ctrl HI6220_MMC2_CLK>; + clock-names = "ciu", "biu"; + resets = <&sys_ctrl PERIPH_RSTDIS0_MMC2>; ++ reset-names = "reset"; + bus-width = <0x4>; + broken-cd; + pinctrl-names = "default", "idle"; diff --git a/queue-4.9/arm64-ensure-extension-of-smp_store_release-value.patch b/queue-4.9/arm64-ensure-extension-of-smp_store_release-value.patch new file mode 100644 index 00000000000..adf6289e992 --- /dev/null +++ b/queue-4.9/arm64-ensure-extension-of-smp_store_release-value.patch @@ -0,0 +1,91 @@ +From 994870bead4ab19087a79492400a5478e2906196 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Wed, 3 May 2017 16:09:34 +0100 +Subject: arm64: ensure extension of smp_store_release value + +From: Mark Rutland + +commit 994870bead4ab19087a79492400a5478e2906196 upstream. + +When an inline assembly operand's type is narrower than the register it +is allocated to, the least significant bits of the register (up to the +operand type's width) are valid, and any other bits are permitted to +contain any arbitrary value. This aligns with the AAPCS64 parameter +passing rules. 
+ +Our __smp_store_release() implementation does not account for this, and +implicitly assumes that operands have been zero-extended to the width of +the type being stored to. Thus, we may store unknown values to memory +when the value type is narrower than the pointer type (e.g. when storing +a char to a long). + +This patch fixes the issue by casting the value operand to the same +width as the pointer operand in all cases, which ensures that the value +is zero-extended as we expect. We use the same union trickery as +__smp_load_acquire and {READ,WRITE}_ONCE() to avoid GCC complaining that +pointers are potentially cast to narrower width integers in unreachable +paths. + +A whitespace issue at the top of __smp_store_release() is also +corrected. + +No changes are necessary for __smp_load_acquire(). Load instructions +implicitly clear any upper bits of the register, and the compiler will +only consider the least significant bits of the register as valid +regardless. + +Fixes: 47933ad41a86 ("arch: Introduce smp_load_acquire(), smp_store_release()") +Fixes: 878a84d5a8a1 ("arm64: add missing data types in smp_load_acquire/smp_store_release") +Acked-by: Will Deacon +Signed-off-by: Mark Rutland +Cc: Matthias Kaehlcke +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/barrier.h | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +--- a/arch/arm64/include/asm/barrier.h ++++ b/arch/arm64/include/asm/barrier.h +@@ -42,25 +42,35 @@ + #define __smp_rmb() dmb(ishld) + #define __smp_wmb() dmb(ishst) + +-#define __smp_store_release(p, v) \ ++#define __smp_store_release(p, v) \ + do { \ ++ union { typeof(*p) __val; char __c[1]; } __u = \ ++ { .__val = (__force typeof(*p)) (v) }; \ + compiletime_assert_atomic_type(*p); \ + switch (sizeof(*p)) { \ + case 1: \ + asm volatile ("stlrb %w1, %0" \ +- : "=Q" (*p) : "r" (v) : "memory"); \ ++ : "=Q" (*p) \ ++ : "r" (*(__u8 *)__u.__c) \ ++ : "memory"); \ + break; \ + 
case 2: \ + asm volatile ("stlrh %w1, %0" \ +- : "=Q" (*p) : "r" (v) : "memory"); \ ++ : "=Q" (*p) \ ++ : "r" (*(__u16 *)__u.__c) \ ++ : "memory"); \ + break; \ + case 4: \ + asm volatile ("stlr %w1, %0" \ +- : "=Q" (*p) : "r" (v) : "memory"); \ ++ : "=Q" (*p) \ ++ : "r" (*(__u32 *)__u.__c) \ ++ : "memory"); \ + break; \ + case 8: \ + asm volatile ("stlr %1, %0" \ +- : "=Q" (*p) : "r" (v) : "memory"); \ ++ : "=Q" (*p) \ ++ : "r" (*(__u64 *)__u.__c) \ ++ : "memory"); \ + break; \ + } \ + } while (0) diff --git a/queue-4.9/arm64-kvm-do-not-use-stack-protector-to-compile-el2-code.patch b/queue-4.9/arm64-kvm-do-not-use-stack-protector-to-compile-el2-code.patch new file mode 100644 index 00000000000..3a5f4da0acd --- /dev/null +++ b/queue-4.9/arm64-kvm-do-not-use-stack-protector-to-compile-el2-code.patch @@ -0,0 +1,37 @@ +From cde13b5dad60471886a3bccb4f4134c647c4a9dc Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 2 May 2017 14:30:37 +0100 +Subject: arm64: KVM: Do not use stack-protector to compile EL2 code + +From: Marc Zyngier + +commit cde13b5dad60471886a3bccb4f4134c647c4a9dc upstream. + +We like living dangerously. Nothing explicitely forbids stack-protector +to be used in the EL2 code, while distributions routinely compile their +kernel with it. We're just lucky that no code actually triggers the +instrumentation. + +Let's not try our luck for much longer, and disable stack-protector +for code living at EL2. 
+ +Signed-off-by: Marc Zyngier +Acked-by: Christoffer Dall +Signed-off-by: Christoffer Dall +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kvm/hyp/Makefile | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/kvm/hyp/Makefile ++++ b/arch/arm64/kvm/hyp/Makefile +@@ -2,6 +2,8 @@ + # Makefile for Kernel-based Virtual Machine module, HYP part + # + ++ccflags-y += -fno-stack-protector ++ + KVM=../../../../virt/kvm + + obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/vgic-v2-sr.o diff --git a/queue-4.9/arm64-uaccess-ensure-extension-of-access_ok-addr.patch b/queue-4.9/arm64-uaccess-ensure-extension-of-access_ok-addr.patch new file mode 100644 index 00000000000..743fa4430b1 --- /dev/null +++ b/queue-4.9/arm64-uaccess-ensure-extension-of-access_ok-addr.patch @@ -0,0 +1,48 @@ +From a06040d7a791a9177581dcf7293941bd92400856 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Wed, 3 May 2017 16:09:35 +0100 +Subject: arm64: uaccess: ensure extension of access_ok() addr + +From: Mark Rutland + +commit a06040d7a791a9177581dcf7293941bd92400856 upstream. + +Our access_ok() simply hands its arguments over to __range_ok(), which +implicitly assummes that the addr parameter is 64 bits wide. This isn't +necessarily true for compat code, which might pass down a 32-bit address +parameter. + +In these cases, we don't have a guarantee that the address has been zero +extended to 64 bits, and the upper bits of the register may contain +unknown values, potentially resulting in a suprious failure. + +Avoid this by explicitly casting the addr parameter to an unsigned long +(as is done on other architectures), ensuring that the parameter is +widened appropriately. 
+ +Fixes: 0aea86a2176c ("arm64: User access library functions") +Acked-by: Will Deacon +Signed-off-by: Mark Rutland +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/uaccess.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm64/include/asm/uaccess.h ++++ b/arch/arm64/include/asm/uaccess.h +@@ -93,11 +93,12 @@ static inline void set_fs(mm_segment_t f + */ + #define __range_ok(addr, size) \ + ({ \ ++ unsigned long __addr = (unsigned long __force)(addr); \ + unsigned long flag, roksum; \ + __chk_user_ptr(addr); \ + asm("adds %1, %1, %3; ccmp %1, %4, #2, cc; cset %0, ls" \ + : "=&r" (flag), "=&r" (roksum) \ +- : "1" (addr), "Ir" (size), \ ++ : "1" (__addr), "Ir" (size), \ + "r" (current_thread_info()->addr_limit) \ + : "cc"); \ + flag; \ diff --git a/queue-4.9/arm64-xchg-hazard-against-entire-exchange-variable.patch b/queue-4.9/arm64-xchg-hazard-against-entire-exchange-variable.patch new file mode 100644 index 00000000000..8f9206d89fc --- /dev/null +++ b/queue-4.9/arm64-xchg-hazard-against-entire-exchange-variable.patch @@ -0,0 +1,87 @@ +From fee960bed5e857eb126c4e56dd9ff85938356579 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Wed, 3 May 2017 16:09:33 +0100 +Subject: arm64: xchg: hazard against entire exchange variable + +From: Mark Rutland + +commit fee960bed5e857eb126c4e56dd9ff85938356579 upstream. + +The inline assembly in __XCHG_CASE() uses a +Q constraint to hazard +against other accesses to the memory location being exchanged. However, +the pointer passed to the constraint is a u8 pointer, and thus the +hazard only applies to the first byte of the location. 
+ +GCC can take advantage of this, assuming that other portions of the +location are unchanged, as demonstrated with the following test case: + +union u { + unsigned long l; + unsigned int i[2]; +}; + +unsigned long update_char_hazard(union u *u) +{ + unsigned int a, b; + + a = u->i[1]; + asm ("str %1, %0" : "+Q" (*(char *)&u->l) : "r" (0UL)); + b = u->i[1]; + + return a ^ b; +} + +unsigned long update_long_hazard(union u *u) +{ + unsigned int a, b; + + a = u->i[1]; + asm ("str %1, %0" : "+Q" (*(long *)&u->l) : "r" (0UL)); + b = u->i[1]; + + return a ^ b; +} + +The linaro 15.08 GCC 5.1.1 toolchain compiles the above as follows when +using -O2 or above: + +0000000000000000 : + 0: d2800001 mov x1, #0x0 // #0 + 4: f9000001 str x1, [x0] + 8: d2800000 mov x0, #0x0 // #0 + c: d65f03c0 ret + +0000000000000010 : + 10: b9400401 ldr w1, [x0,#4] + 14: d2800002 mov x2, #0x0 // #0 + 18: f9000002 str x2, [x0] + 1c: b9400400 ldr w0, [x0,#4] + 20: 4a000020 eor w0, w1, w0 + 24: d65f03c0 ret + +This patch fixes the issue by passing an unsigned long pointer into the ++Q constraint, as we do for our cmpxchg code. This may hazard against +more than is necessary, but this is better than missing a necessary +hazard. 
+ +Fixes: 305d454aaa29 ("arm64: atomics: implement native {relaxed, acquire, release} atomics") +Acked-by: Will Deacon +Signed-off-by: Mark Rutland +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/cmpxchg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/include/asm/cmpxchg.h ++++ b/arch/arm64/include/asm/cmpxchg.h +@@ -46,7 +46,7 @@ static inline unsigned long __xchg_case_ + " swp" #acq_lse #rel #sz "\t%" #w "3, %" #w "0, %2\n" \ + __nops(3) \ + " " #nop_lse) \ +- : "=&r" (ret), "=&r" (tmp), "+Q" (*(u8 *)ptr) \ ++ : "=&r" (ret), "=&r" (tmp), "+Q" (*(unsigned long *)ptr) \ + : "r" (x) \ + : cl); \ + \ diff --git a/queue-4.9/genirq-fix-chained-interrupt-data-ordering.patch b/queue-4.9/genirq-fix-chained-interrupt-data-ordering.patch new file mode 100644 index 00000000000..5a8097a0a95 --- /dev/null +++ b/queue-4.9/genirq-fix-chained-interrupt-data-ordering.patch @@ -0,0 +1,38 @@ +From 2c4569ca26986d18243f282dd727da27e9adae4c Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Thu, 11 May 2017 13:54:11 +0200 +Subject: genirq: Fix chained interrupt data ordering + +From: Thomas Gleixner + +commit 2c4569ca26986d18243f282dd727da27e9adae4c upstream. + +irq_set_chained_handler_and_data() sets up the chained interrupt and then +stores the handler data. + +That's racy against an immediate interrupt which gets handled before the +store of the handler data happened. The handler will dereference a NULL +pointer and crash. + +Cure it by storing handler data before installing the chained handler. 
+ +Reported-by: Borislav Petkov +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/irq/chip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/irq/chip.c ++++ b/kernel/irq/chip.c +@@ -877,8 +877,8 @@ irq_set_chained_handler_and_data(unsigne + if (!desc) + return; + +- __irq_do_set_handler(desc, handle, 1, NULL); + desc->irq_common_data.handler_data = data; ++ __irq_do_set_handler(desc, handle, 1, NULL); + + irq_put_desc_busunlock(desc, flags); + } diff --git a/queue-4.9/iommu-vt-d-flush-the-iotlb-to-get-rid-of-the-initial-kdump-mappings.patch b/queue-4.9/iommu-vt-d-flush-the-iotlb-to-get-rid-of-the-initial-kdump-mappings.patch new file mode 100644 index 00000000000..82f2d9e3b45 --- /dev/null +++ b/queue-4.9/iommu-vt-d-flush-the-iotlb-to-get-rid-of-the-initial-kdump-mappings.patch @@ -0,0 +1,59 @@ +From f73a7eee900e95404b61408a23a1df5c5811704c Mon Sep 17 00:00:00 2001 +From: KarimAllah Ahmed +Date: Fri, 5 May 2017 11:39:59 -0700 +Subject: iommu/vt-d: Flush the IOTLB to get rid of the initial kdump mappings + +From: KarimAllah Ahmed + +commit f73a7eee900e95404b61408a23a1df5c5811704c upstream. + +Ever since commit 091d42e43d ("iommu/vt-d: Copy translation tables from +old kernel") the kdump kernel copies the IOMMU context tables from the +previous kernel. Each device mappings will be destroyed once the driver +for the respective device takes over. + +This unfortunately breaks the workflow of mapping and unmapping a new +context to the IOMMU. The mapping function assumes that either: + +1) Unmapping did the proper IOMMU flushing and it only ever flush if the + IOMMU unit supports caching invalid entries. +2) The system just booted and the initialization code took care of + flushing all IOMMU caches. + +This assumption is not true for the kdump kernel since the context +tables have been copied from the previous kernel and translations could +have been cached ever since. 
So make sure to flush the IOTLB as well +when we destroy these old copied mappings. + +Cc: Joerg Roedel +Cc: David Woodhouse +Cc: David Woodhouse +Cc: Anthony Liguori +Signed-off-by: KarimAllah Ahmed +Acked-by: David Woodhouse +Fixes: 091d42e43d ("iommu/vt-d: Copy translation tables from old kernel") +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/intel-iommu.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -2049,11 +2049,14 @@ static int domain_context_mapping_one(st + if (context_copied(context)) { + u16 did_old = context_domain_id(context); + +- if (did_old >= 0 && did_old < cap_ndoms(iommu->cap)) ++ if (did_old >= 0 && did_old < cap_ndoms(iommu->cap)) { + iommu->flush.flush_context(iommu, did_old, + (((u16)bus) << 8) | devfn, + DMA_CCMD_MASK_NOBIT, + DMA_CCMD_DEVICE_INVL); ++ iommu->flush.flush_iotlb(iommu, did_old, 0, 0, ++ DMA_TLB_DSI_FLUSH); ++ } + } + + pgd = domain->pgd; diff --git a/queue-4.9/kvm-arm-arm64-vgic-v2-do-not-use-active-pending-state-for-a-hw-interrupt.patch b/queue-4.9/kvm-arm-arm64-vgic-v2-do-not-use-active-pending-state-for-a-hw-interrupt.patch new file mode 100644 index 00000000000..bef1cd10e77 --- /dev/null +++ b/queue-4.9/kvm-arm-arm64-vgic-v2-do-not-use-active-pending-state-for-a-hw-interrupt.patch @@ -0,0 +1,41 @@ +From ddf42d068f8802de122bb7efdfcb3179336053f1 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 2 May 2017 14:30:39 +0100 +Subject: KVM: arm/arm64: vgic-v2: Do not use Active+Pending state for a HW interrupt + +From: Marc Zyngier + +commit ddf42d068f8802de122bb7efdfcb3179336053f1 upstream. + +When an interrupt is injected with the HW bit set (indicating that +deactivation should be propagated to the physical distributor), +special care must be taken so that we never mark the corresponding +LR with the Active+Pending state (as the pending state is kept in +the physycal distributor). 
+ +Fixes: 140b086dd197 ("KVM: arm/arm64: vgic-new: Add GICv2 world switch backend") +Signed-off-by: Marc Zyngier +Reviewed-by: Christoffer Dall +Signed-off-by: Christoffer Dall +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/arm/vgic/vgic-v2.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/virt/kvm/arm/vgic/vgic-v2.c ++++ b/virt/kvm/arm/vgic/vgic-v2.c +@@ -168,6 +168,13 @@ void vgic_v2_populate_lr(struct kvm_vcpu + if (irq->hw) { + val |= GICH_LR_HW; + val |= irq->hwintid << GICH_LR_PHYSID_CPUID_SHIFT; ++ /* ++ * Never set pending+active on a HW interrupt, as the ++ * pending state is kept at the physical distributor ++ * level. ++ */ ++ if (irq->active && irq_is_pending(irq)) ++ val &= ~GICH_LR_PENDING_BIT; + } else { + if (irq->config == VGIC_CONFIG_LEVEL) + val |= GICH_LR_EOI; diff --git a/queue-4.9/kvm-arm-arm64-vgic-v3-do-not-use-active-pending-state-for-a-hw-interrupt.patch b/queue-4.9/kvm-arm-arm64-vgic-v3-do-not-use-active-pending-state-for-a-hw-interrupt.patch new file mode 100644 index 00000000000..3ca09f1dce8 --- /dev/null +++ b/queue-4.9/kvm-arm-arm64-vgic-v3-do-not-use-active-pending-state-for-a-hw-interrupt.patch @@ -0,0 +1,41 @@ +From 3d6e77ad1489650afa20da92bb589c8778baa8da Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 2 May 2017 14:30:40 +0100 +Subject: KVM: arm/arm64: vgic-v3: Do not use Active+Pending state for a HW interrupt + +From: Marc Zyngier + +commit 3d6e77ad1489650afa20da92bb589c8778baa8da upstream. + +When an interrupt is injected with the HW bit set (indicating that +deactivation should be propagated to the physical distributor), +special care must be taken so that we never mark the corresponding +LR with the Active+Pending state (as the pending state is kept in +the physycal distributor). 
+ +Fixes: 59529f69f504 ("KVM: arm/arm64: vgic-new: Add GICv3 world switch backend") +Signed-off-by: Marc Zyngier +Reviewed-by: Christoffer Dall +Signed-off-by: Christoffer Dall +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/arm/vgic/vgic-v3.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/virt/kvm/arm/vgic/vgic-v3.c ++++ b/virt/kvm/arm/vgic/vgic-v3.c +@@ -151,6 +151,13 @@ void vgic_v3_populate_lr(struct kvm_vcpu + if (irq->hw) { + val |= ICH_LR_HW; + val |= ((u64)irq->hwintid) << ICH_LR_PHYS_ID_SHIFT; ++ /* ++ * Never set pending+active on a HW interrupt, as the ++ * pending state is kept at the physical distributor ++ * level. ++ */ ++ if (irq->active && irq_is_pending(irq)) ++ val &= ~ICH_LR_PENDING_BIT; + } else { + if (irq->config == VGIC_CONFIG_LEVEL) + val |= ICH_LR_EOI; diff --git a/queue-4.9/kvm-arm-plug-potential-guest-hardware-debug-leakage.patch b/queue-4.9/kvm-arm-plug-potential-guest-hardware-debug-leakage.patch new file mode 100644 index 00000000000..038fde9414a --- /dev/null +++ b/queue-4.9/kvm-arm-plug-potential-guest-hardware-debug-leakage.patch @@ -0,0 +1,202 @@ +From 661e6b02b5aa82db31897f36e96324b77450fd7a Mon Sep 17 00:00:00 2001 +From: Zhichao Huang +Date: Thu, 11 May 2017 13:46:11 +0100 +Subject: KVM: arm: plug potential guest hardware debug leakage +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zhichao Huang + +commit 661e6b02b5aa82db31897f36e96324b77450fd7a upstream. + +Hardware debugging in guests is not intercepted currently, it means +that a malicious guest can bring down the entire machine by writing +to the debug registers. + +This patch enable trapping of all debug registers, preventing the +guests to access the debug registers. This includes access to the +debug mode(DBGDSCR) in the guest world all the time which could +otherwise mess with the host state. Reads return 0 and writes are +ignored (RAZ_WI). 
+ +The result is the guest cannot detect any working hardware based debug +support. As debug exceptions are still routed to the guest normal +debug using software based breakpoints still works. + +To support debugging using hardware registers we need to implement a +debug register aware world switch as well as special trapping for +registers that may affect the host state. + +Signed-off-by: Zhichao Huang +Signed-off-by: Alex Bennée +Reviewed-by: Christoffer Dall +Signed-off-by: Christoffer Dall +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/include/asm/kvm_coproc.h | 3 - + arch/arm/kvm/coproc.c | 77 +++++++++++++++++++++++++++++--------- + arch/arm/kvm/handle_exit.c | 4 - + arch/arm/kvm/hyp/switch.c | 4 + + 4 files changed, 66 insertions(+), 22 deletions(-) + +--- a/arch/arm/include/asm/kvm_coproc.h ++++ b/arch/arm/include/asm/kvm_coproc.h +@@ -31,7 +31,8 @@ void kvm_register_target_coproc_table(st + int kvm_handle_cp10_id(struct kvm_vcpu *vcpu, struct kvm_run *run); + int kvm_handle_cp_0_13_access(struct kvm_vcpu *vcpu, struct kvm_run *run); + int kvm_handle_cp14_load_store(struct kvm_vcpu *vcpu, struct kvm_run *run); +-int kvm_handle_cp14_access(struct kvm_vcpu *vcpu, struct kvm_run *run); ++int kvm_handle_cp14_32(struct kvm_vcpu *vcpu, struct kvm_run *run); ++int kvm_handle_cp14_64(struct kvm_vcpu *vcpu, struct kvm_run *run); + int kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run); + int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run); + +--- a/arch/arm/kvm/coproc.c ++++ b/arch/arm/kvm/coproc.c +@@ -93,12 +93,6 @@ int kvm_handle_cp14_load_store(struct kv + return 1; + } + +-int kvm_handle_cp14_access(struct kvm_vcpu *vcpu, struct kvm_run *run) +-{ +- kvm_inject_undefined(vcpu); +- return 1; +-} +- + static void reset_mpidr(struct kvm_vcpu *vcpu, const struct coproc_reg *r) + { + /* +@@ -514,12 +508,7 @@ static int emulate_cp15(struct kvm_vcpu + return 1; + } + +-/** +- * kvm_handle_cp15_64 -- handles a mrrc/mcrr trap on a guest 
CP15 access +- * @vcpu: The VCPU pointer +- * @run: The kvm_run struct +- */ +-int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run) ++static struct coproc_params decode_64bit_hsr(struct kvm_vcpu *vcpu) + { + struct coproc_params params; + +@@ -533,9 +522,38 @@ int kvm_handle_cp15_64(struct kvm_vcpu * + params.Rt2 = (kvm_vcpu_get_hsr(vcpu) >> 10) & 0xf; + params.CRm = 0; + ++ return params; ++} ++ ++/** ++ * kvm_handle_cp15_64 -- handles a mrrc/mcrr trap on a guest CP15 access ++ * @vcpu: The VCPU pointer ++ * @run: The kvm_run struct ++ */ ++int kvm_handle_cp15_64(struct kvm_vcpu *vcpu, struct kvm_run *run) ++{ ++ struct coproc_params params = decode_64bit_hsr(vcpu); ++ + return emulate_cp15(vcpu, ¶ms); + } + ++/** ++ * kvm_handle_cp14_64 -- handles a mrrc/mcrr trap on a guest CP14 access ++ * @vcpu: The VCPU pointer ++ * @run: The kvm_run struct ++ */ ++int kvm_handle_cp14_64(struct kvm_vcpu *vcpu, struct kvm_run *run) ++{ ++ struct coproc_params params = decode_64bit_hsr(vcpu); ++ ++ /* raz_wi cp14 */ ++ pm_fake(vcpu, ¶ms, NULL); ++ ++ /* handled */ ++ kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); ++ return 1; ++} ++ + static void reset_coproc_regs(struct kvm_vcpu *vcpu, + const struct coproc_reg *table, size_t num) + { +@@ -546,12 +564,7 @@ static void reset_coproc_regs(struct kvm + table[i].reset(vcpu, &table[i]); + } + +-/** +- * kvm_handle_cp15_32 -- handles a mrc/mcr trap on a guest CP15 access +- * @vcpu: The VCPU pointer +- * @run: The kvm_run struct +- */ +-int kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run) ++static struct coproc_params decode_32bit_hsr(struct kvm_vcpu *vcpu) + { + struct coproc_params params; + +@@ -565,9 +578,37 @@ int kvm_handle_cp15_32(struct kvm_vcpu * + params.Op2 = (kvm_vcpu_get_hsr(vcpu) >> 17) & 0x7; + params.Rt2 = 0; + ++ return params; ++} ++ ++/** ++ * kvm_handle_cp15_32 -- handles a mrc/mcr trap on a guest CP15 access ++ * @vcpu: The VCPU pointer ++ * @run: The kvm_run struct ++ */ ++int 
kvm_handle_cp15_32(struct kvm_vcpu *vcpu, struct kvm_run *run) ++{ ++ struct coproc_params params = decode_32bit_hsr(vcpu); + return emulate_cp15(vcpu, ¶ms); + } + ++/** ++ * kvm_handle_cp14_32 -- handles a mrc/mcr trap on a guest CP14 access ++ * @vcpu: The VCPU pointer ++ * @run: The kvm_run struct ++ */ ++int kvm_handle_cp14_32(struct kvm_vcpu *vcpu, struct kvm_run *run) ++{ ++ struct coproc_params params = decode_32bit_hsr(vcpu); ++ ++ /* raz_wi cp14 */ ++ pm_fake(vcpu, ¶ms, NULL); ++ ++ /* handled */ ++ kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); ++ return 1; ++} ++ + /****************************************************************************** + * Userspace API + *****************************************************************************/ +--- a/arch/arm/kvm/handle_exit.c ++++ b/arch/arm/kvm/handle_exit.c +@@ -83,9 +83,9 @@ static exit_handle_fn arm_exit_handlers[ + [HSR_EC_WFI] = kvm_handle_wfx, + [HSR_EC_CP15_32] = kvm_handle_cp15_32, + [HSR_EC_CP15_64] = kvm_handle_cp15_64, +- [HSR_EC_CP14_MR] = kvm_handle_cp14_access, ++ [HSR_EC_CP14_MR] = kvm_handle_cp14_32, + [HSR_EC_CP14_LS] = kvm_handle_cp14_load_store, +- [HSR_EC_CP14_64] = kvm_handle_cp14_access, ++ [HSR_EC_CP14_64] = kvm_handle_cp14_64, + [HSR_EC_CP_0_13] = kvm_handle_cp_0_13_access, + [HSR_EC_CP10_ID] = kvm_handle_cp10_id, + [HSR_EC_HVC] = handle_hvc, +--- a/arch/arm/kvm/hyp/switch.c ++++ b/arch/arm/kvm/hyp/switch.c +@@ -48,7 +48,9 @@ static void __hyp_text __activate_traps( + write_sysreg(HSTR_T(15), HSTR); + write_sysreg(HCPTR_TTA | HCPTR_TCP(10) | HCPTR_TCP(11), HCPTR); + val = read_sysreg(HDCR); +- write_sysreg(val | HDCR_TPM | HDCR_TPMCR, HDCR); ++ val |= HDCR_TPM | HDCR_TPMCR; /* trap performance monitors */ ++ val |= HDCR_TDRA | HDCR_TDOSA | HDCR_TDA; /* trap debug regs */ ++ write_sysreg(val, HDCR); + } + + static void __hyp_text __deactivate_traps(struct kvm_vcpu *vcpu) diff --git a/queue-4.9/metag-uaccess-check-access_ok-in-strncpy_from_user.patch 
b/queue-4.9/metag-uaccess-check-access_ok-in-strncpy_from_user.patch new file mode 100644 index 00000000000..4f73f0379fc --- /dev/null +++ b/queue-4.9/metag-uaccess-check-access_ok-in-strncpy_from_user.patch @@ -0,0 +1,45 @@ +From 3a158a62da0673db918b53ac1440845a5b64fd90 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Tue, 2 May 2017 19:41:06 +0100 +Subject: metag/uaccess: Check access_ok in strncpy_from_user + +From: James Hogan + +commit 3a158a62da0673db918b53ac1440845a5b64fd90 upstream. + +The metag implementation of strncpy_from_user() doesn't validate the src +pointer, which could allow reading of arbitrary kernel memory. Add a +short access_ok() check to prevent that. + +Its still possible for it to read across the user/kernel boundary, but +it will invariably reach a NUL character after only 9 bytes, leaking +only a static kernel address being loaded into D0Re0 at the beginning of +__start, which is acceptable for the immediate fix. + +Reported-by: Al Viro +Signed-off-by: James Hogan +Cc: linux-metag@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/metag/include/asm/uaccess.h | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/metag/include/asm/uaccess.h ++++ b/arch/metag/include/asm/uaccess.h +@@ -194,8 +194,13 @@ do { + extern long __must_check __strncpy_from_user(char *dst, const char __user *src, + long count); + +-#define strncpy_from_user(dst, src, count) __strncpy_from_user(dst, src, count) +- ++static inline long ++strncpy_from_user(char *dst, const char __user *src, long count) ++{ ++ if (!access_ok(VERIFY_READ, src, 1)) ++ return -EFAULT; ++ return __strncpy_from_user(dst, src, count); ++} + /* + * Return the size of a string (including the ending 0) + * diff --git a/queue-4.9/metag-uaccess-fix-access_ok.patch b/queue-4.9/metag-uaccess-fix-access_ok.patch new file mode 100644 index 00000000000..9e87cb8eccf --- /dev/null +++ b/queue-4.9/metag-uaccess-fix-access_ok.patch @@ -0,0 +1,109 @@ +From 
8a8b56638bcac4e64cccc88bf95a0f9f4b19a2fb Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Fri, 28 Apr 2017 10:50:26 +0100 +Subject: metag/uaccess: Fix access_ok() + +From: James Hogan + +commit 8a8b56638bcac4e64cccc88bf95a0f9f4b19a2fb upstream. + +The __user_bad() macro used by access_ok() has a few corner cases +noticed by Al Viro where it doesn't behave correctly: + + - The kernel range check has off by 1 errors which permit access to the + first and last byte of the kernel mapped range. + + - The kernel range check ends at LINCORE_BASE rather than + META_MEMORY_LIMIT, which is ineffective when the kernel is in global + space (an extremely uncommon configuration). + +There are a couple of other shortcomings here too: + + - Access to the whole of the other address space is permitted (i.e. the + global half of the address space when the kernel is in local space). + This isn't ideal as it could theoretically still contain privileged + mappings set up by the bootloader. + + - The size argument is unused, permitting user copies which start on + valid pages at the end of the user address range and cross the + boundary into the kernel address space (e.g. addr = 0x3ffffff0, size + > 0x10). + +It isn't very convenient to add size checks when disallowing certain +regions, and it seems far safer to be sure and explicit about what +userland is able to access, so invert the logic to allow certain regions +instead, and fix the off by 1 errors and missing size checks. This also +allows the get_fs() == KERNEL_DS check to be more easily optimised into +the user address range case. + +We now have 3 such allowed regions: + + - The user address range (incorporating the get_fs() == KERNEL_DS + check). + + - NULL (some kernel code expects this to work, and we'll always catch + the fault anyway). + + - The core code memory region. 
+ +Fixes: 373cd784d0fc ("metag: Memory handling") +Reported-by: Al Viro +Signed-off-by: James Hogan +Cc: linux-metag@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/metag/include/asm/uaccess.h | 40 +++++++++++++++++++++++---------------- + 1 file changed, 24 insertions(+), 16 deletions(-) + +--- a/arch/metag/include/asm/uaccess.h ++++ b/arch/metag/include/asm/uaccess.h +@@ -28,24 +28,32 @@ + + #define segment_eq(a, b) ((a).seg == (b).seg) + +-#define __kernel_ok (segment_eq(get_fs(), KERNEL_DS)) +-/* +- * Explicitly allow NULL pointers here. Parts of the kernel such +- * as readv/writev use access_ok to validate pointers, but want +- * to allow NULL pointers for various reasons. NULL pointers are +- * safe to allow through because the first page is not mappable on +- * Meta. +- * +- * We also wish to avoid letting user code access the system area +- * and the kernel half of the address space. +- */ +-#define __user_bad(addr, size) (((addr) > 0 && (addr) < META_MEMORY_BASE) || \ +- ((addr) > PAGE_OFFSET && \ +- (addr) < LINCORE_BASE)) +- + static inline int __access_ok(unsigned long addr, unsigned long size) + { +- return __kernel_ok || !__user_bad(addr, size); ++ /* ++ * Allow access to the user mapped memory area, but not the system area ++ * before it. The check extends to the top of the address space when ++ * kernel access is allowed (there's no real reason to user copy to the ++ * system area in any case). ++ */ ++ if (likely(addr >= META_MEMORY_BASE && addr < get_fs().seg && ++ size <= get_fs().seg - addr)) ++ return true; ++ /* ++ * Explicitly allow NULL pointers here. Parts of the kernel such ++ * as readv/writev use access_ok to validate pointers, but want ++ * to allow NULL pointers for various reasons. NULL pointers are ++ * safe to allow through because the first page is not mappable on ++ * Meta. ++ */ ++ if (!addr) ++ return true; ++ /* Allow access to core code memory area... 
*/ ++ if (addr >= LINCORE_CODE_BASE && addr <= LINCORE_CODE_LIMIT && ++ size <= LINCORE_CODE_LIMIT + 1 - addr) ++ return true; ++ /* ... but no other areas. */ ++ return false; + } + + #define access_ok(type, addr, size) __access_ok((unsigned long)(addr), \ diff --git a/queue-4.9/mips-loongson-3-select-mips_l1_cache_shift_6.patch b/queue-4.9/mips-loongson-3-select-mips_l1_cache_shift_6.patch new file mode 100644 index 00000000000..982b7dd4830 --- /dev/null +++ b/queue-4.9/mips-loongson-3-select-mips_l1_cache_shift_6.patch @@ -0,0 +1,36 @@ +From 17c99d9421695a0e0de18bf1e7091d859e20ec1d Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Thu, 16 Mar 2017 21:00:28 +0800 +Subject: MIPS: Loongson-3: Select MIPS_L1_CACHE_SHIFT_6 + +From: Huacai Chen + +commit 17c99d9421695a0e0de18bf1e7091d859e20ec1d upstream. + +Some newer Loongson-3 have 64 bytes cache lines, so select +MIPS_L1_CACHE_SHIFT_6. + +Signed-off-by: Huacai Chen +Cc: John Crispin +Cc: Steven J . Hill +Cc: Fuxin Zhang +Cc: Zhangjin Wu +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/15755/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/mips/Kconfig ++++ b/arch/mips/Kconfig +@@ -1368,6 +1368,7 @@ config CPU_LOONGSON3 + select WEAK_ORDERING + select WEAK_REORDERING_BEYOND_LLSC + select MIPS_PGD_C0_CONTEXT ++ select MIPS_L1_CACHE_SHIFT_6 + select GPIOLIB + help + The Loongson 3 processor implements the MIPS64R2 instruction diff --git a/queue-4.9/nvme-unmap-cmb-and-remove-sysfs-file-in-reset-path.patch b/queue-4.9/nvme-unmap-cmb-and-remove-sysfs-file-in-reset-path.patch new file mode 100644 index 00000000000..32db46f4a0e --- /dev/null +++ b/queue-4.9/nvme-unmap-cmb-and-remove-sysfs-file-in-reset-path.patch @@ -0,0 +1,56 @@ +From f63572dff1421b6ca6abce71d46e03411e605c94 Mon Sep 17 00:00:00 2001 +From: Jon Derrick +Date: Fri, 5 May 2017 14:52:06 -0600 +Subject: nvme: unmap CMB and remove 
sysfs file in reset path + +From: Jon Derrick + +commit f63572dff1421b6ca6abce71d46e03411e605c94 upstream. + +CMB doesn't get unmapped until removal while getting remapped on every +reset. Add the unmapping and sysfs file removal to the reset path in +nvme_pci_disable to match the mapping path in nvme_pci_enable. + +Fixes: 202021c1a ("nvme : Add sysfs entry for NVMe CMBs when appropriate") + +Signed-off-by: Jon Derrick +Acked-by: Keith Busch +Reviewed-By: Stephen Bates +Signed-off-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nvme/host/pci.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1384,6 +1384,11 @@ static inline void nvme_release_cmb(stru + if (dev->cmb) { + iounmap(dev->cmb); + dev->cmb = NULL; ++ if (dev->cmbsz) { ++ sysfs_remove_file_from_group(&dev->ctrl.device->kobj, ++ &dev_attr_cmb.attr, NULL); ++ dev->cmbsz = 0; ++ } + } + } + +@@ -1655,6 +1660,7 @@ static void nvme_pci_disable(struct nvme + { + struct pci_dev *pdev = to_pci_dev(dev->dev); + ++ nvme_release_cmb(dev); + pci_free_irq_vectors(pdev); + + if (pci_is_enabled(pdev)) { +@@ -1993,7 +1999,6 @@ static void nvme_remove(struct pci_dev * + nvme_dev_disable(dev, true); + nvme_dev_remove_admin(dev); + nvme_free_queues(dev, 0); +- nvme_release_cmb(dev); + nvme_release_prp_pools(dev); + nvme_dev_unmap(dev); + nvme_put_ctrl(&dev->ctrl); diff --git a/queue-4.9/powerpc-64e-fix-hang-when-debugging-programs-with-relocated-kernel.patch b/queue-4.9/powerpc-64e-fix-hang-when-debugging-programs-with-relocated-kernel.patch new file mode 100644 index 00000000000..8dc5025a33d --- /dev/null +++ b/queue-4.9/powerpc-64e-fix-hang-when-debugging-programs-with-relocated-kernel.patch @@ -0,0 +1,85 @@ +From fd615f69a18a9d4aa5ef02a1dc83f319f75da8e7 Mon Sep 17 00:00:00 2001 +From: LiuHailong +Date: Tue, 7 Feb 2017 10:35:52 +0800 +Subject: powerpc/64e: Fix hang when debugging programs 
with relocated kernel + +From: LiuHailong + +commit fd615f69a18a9d4aa5ef02a1dc83f319f75da8e7 upstream. + +Debug interrupts can be taken during interrupt entry, since interrupt +entry does not automatically turn them off. The kernel will check +whether the faulting instruction is between [interrupt_base_book3e, +__end_interrupts], and if so clear MSR[DE] and return. + +However, when the kernel is built with CONFIG_RELOCATABLE, it can't use +LOAD_REG_IMMEDIATE(r14,interrupt_base_book3e) and +LOAD_REG_IMMEDIATE(r15,__end_interrupts), as they ignore relocation. +Thus, if the kernel is actually running at a different address than it +was built at, the address comparison will fail, and the exception entry +code will hang at kernel_dbg_exc. + +r2(toc) is also not usable here, as r2 still holds data from the +interrupted context, so LOAD_REG_ADDR() doesn't work either. So we use +the *name@got* to get the EV of two labels directly. + +Test programs test.c shows as follows: +int main(int argc, char *argv[]) +{ + if (access("/proc/sys/kernel/perf_event_paranoid", F_OK) == -1) + printf("Kernel doesn't have perf_event support\n"); +} + +Steps to reproduce the bug, for example: + 1) ./gdb ./test + 2) (gdb) b access + 3) (gdb) r + 4) (gdb) s + +Signed-off-by: Liu Hailong +Signed-off-by: Jiang Xuexin +Reviewed-by: Jiang Biao +Reviewed-by: Liu Song +Reviewed-by: Huang Jian +[scottwood: cleaned up commit message, and specified bad behavior + as a hang rather than an oops to correspond to mainline kernel behavior] +Fixes: 1cb6e0649248 ("powerpc/book3e: support CONFIG_RELOCATABLE") +Signed-off-by: Scott Wood +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/exceptions-64e.S | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/arch/powerpc/kernel/exceptions-64e.S ++++ b/arch/powerpc/kernel/exceptions-64e.S +@@ -735,8 +735,14 @@ END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC) + andis. 
r15,r14,(DBSR_IC|DBSR_BT)@h + beq+ 1f + ++#ifdef CONFIG_RELOCATABLE ++ ld r15,PACATOC(r13) ++ ld r14,interrupt_base_book3e@got(r15) ++ ld r15,__end_interrupts@got(r15) ++#else + LOAD_REG_IMMEDIATE(r14,interrupt_base_book3e) + LOAD_REG_IMMEDIATE(r15,__end_interrupts) ++#endif + cmpld cr0,r10,r14 + cmpld cr1,r10,r15 + blt+ cr0,1f +@@ -799,8 +805,14 @@ kernel_dbg_exc: + andis. r15,r14,(DBSR_IC|DBSR_BT)@h + beq+ 1f + ++#ifdef CONFIG_RELOCATABLE ++ ld r15,PACATOC(r13) ++ ld r14,interrupt_base_book3e@got(r15) ++ ld r15,__end_interrupts@got(r15) ++#else + LOAD_REG_IMMEDIATE(r14,interrupt_base_book3e) + LOAD_REG_IMMEDIATE(r15,__end_interrupts) ++#endif + cmpld cr0,r10,r14 + cmpld cr1,r10,r15 + blt+ cr0,1f diff --git a/queue-4.9/powerpc-book3s-mce-move-add_taint-later-in-virtual-mode.patch b/queue-4.9/powerpc-book3s-mce-move-add_taint-later-in-virtual-mode.patch new file mode 100644 index 00000000000..453d79278b3 --- /dev/null +++ b/queue-4.9/powerpc-book3s-mce-move-add_taint-later-in-virtual-mode.patch @@ -0,0 +1,63 @@ +From d93b0ac01a9ce276ec39644be47001873d3d183c Mon Sep 17 00:00:00 2001 +From: Mahesh Salgaonkar +Date: Tue, 18 Apr 2017 22:08:17 +0530 +Subject: powerpc/book3s/mce: Move add_taint() later in virtual mode + +From: Mahesh Salgaonkar + +commit d93b0ac01a9ce276ec39644be47001873d3d183c upstream. + +machine_check_early() gets called in real mode. The very first time when +add_taint() is called, it prints a warning which ends up calling opal +call (that uses OPAL_CALL wrapper) for writing it to console. If we get a +very first machine check while we are in opal we are doomed. OPAL_CALL +overwrites the PACASAVEDMSR in r13 and in this case when we are done with +MCE handling the original opal call will use this new MSR on it's way +back to opal_return. This usually leads to unexpected behaviour or the +kernel to panic. Instead move the add_taint() call later in the virtual +mode where it is safe to call. + +This is broken with current FW level. 
We got lucky so far for not getting +very first MCE hit while in OPAL. But easily reproducible on Mambo. + +Fixes: 27ea2c420cad ("powerpc: Set the correct kernel taint on machine check errors.") +Signed-off-by: Mahesh Salgaonkar +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/mce.c | 2 ++ + arch/powerpc/kernel/traps.c | 4 ++-- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/mce.c ++++ b/arch/powerpc/kernel/mce.c +@@ -205,6 +205,8 @@ static void machine_check_process_queued + { + int index; + ++ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_NOW_UNRELIABLE); ++ + /* + * For now just print it to console. + * TODO: log this error event to FSP or nvram. +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -302,8 +302,6 @@ long machine_check_early(struct pt_regs + + __this_cpu_inc(irq_stat.mce_exceptions); + +- add_taint(TAINT_MACHINE_CHECK, LOCKDEP_NOW_UNRELIABLE); +- + if (cur_cpu_spec && cur_cpu_spec->machine_check_early) + handled = cur_cpu_spec->machine_check_early(regs); + return handled; +@@ -737,6 +735,8 @@ void machine_check_exception(struct pt_r + + __this_cpu_inc(irq_stat.mce_exceptions); + ++ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_NOW_UNRELIABLE); ++ + /* See if any machine dependent calls. In theory, we would want + * to call the CPU first, and call the ppc_md. one if the CPU + * one returns a positive number. 
However there is existing code diff --git a/queue-4.9/powerpc-eeh-avoid-use-after-free-in-eeh_handle_special_event.patch b/queue-4.9/powerpc-eeh-avoid-use-after-free-in-eeh_handle_special_event.patch new file mode 100644 index 00000000000..4dd7aca93db --- /dev/null +++ b/queue-4.9/powerpc-eeh-avoid-use-after-free-in-eeh_handle_special_event.patch @@ -0,0 +1,91 @@ +From daeba2956f32f91f3493788ff6ee02fb1b2f02fa Mon Sep 17 00:00:00 2001 +From: Russell Currey +Date: Wed, 19 Apr 2017 17:39:26 +1000 +Subject: powerpc/eeh: Avoid use after free in eeh_handle_special_event() + +From: Russell Currey + +commit daeba2956f32f91f3493788ff6ee02fb1b2f02fa upstream. + +eeh_handle_special_event() is called when an EEH event is detected but +can't be narrowed down to a specific PE. This function looks through +every PE to find one in an erroneous state, then calls the regular event +handler eeh_handle_normal_event() once it knows which PE has an error. + +However, if eeh_handle_normal_event() found that the PE cannot possibly +be recovered, it will free it, rendering the passed PE stale. +This leads to a use after free in eeh_handle_special_event() as it attempts to +clear the "recovering" state on the PE after eeh_handle_normal_event() returns. + +Thus, make sure the PE is valid when attempting to clear state in +eeh_handle_special_event(). 
+ +Fixes: 8a6b1bc70dbb ("powerpc/eeh: EEH core to handle special event") +Reported-by: Alexey Kardashevskiy +Signed-off-by: Russell Currey +Reviewed-by: Gavin Shan +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/eeh_driver.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/arch/powerpc/kernel/eeh_driver.c ++++ b/arch/powerpc/kernel/eeh_driver.c +@@ -724,7 +724,7 @@ static int eeh_reset_device(struct eeh_p + */ + #define MAX_WAIT_FOR_RECOVERY 300 + +-static void eeh_handle_normal_event(struct eeh_pe *pe) ++static bool eeh_handle_normal_event(struct eeh_pe *pe) + { + struct pci_bus *frozen_bus; + struct eeh_dev *edev, *tmp; +@@ -736,7 +736,7 @@ static void eeh_handle_normal_event(stru + if (!frozen_bus) { + pr_err("%s: Cannot find PCI bus for PHB#%d-PE#%x\n", + __func__, pe->phb->global_number, pe->addr); +- return; ++ return false; + } + + eeh_pe_update_time_stamp(pe); +@@ -870,7 +870,7 @@ static void eeh_handle_normal_event(stru + pr_info("EEH: Notify device driver to resume\n"); + eeh_pe_dev_traverse(pe, eeh_report_resume, NULL); + +- return; ++ return false; + + excess_failures: + /* +@@ -915,8 +915,12 @@ perm_error: + pci_lock_rescan_remove(); + pci_hp_remove_devices(frozen_bus); + pci_unlock_rescan_remove(); ++ ++ /* The passed PE should no longer be used */ ++ return true; + } + } ++ return false; + } + + static void eeh_handle_special_event(void) +@@ -982,7 +986,14 @@ static void eeh_handle_special_event(voi + */ + if (rc == EEH_NEXT_ERR_FROZEN_PE || + rc == EEH_NEXT_ERR_FENCED_PHB) { +- eeh_handle_normal_event(pe); ++ /* ++ * eeh_handle_normal_event() can make the PE stale if it ++ * determines that the PE cannot possibly be recovered. ++ * Don't modify the PE state if that's the case. 
++ */ ++ if (eeh_handle_normal_event(pe)) ++ continue; ++ + eeh_pe_state_clear(pe, EEH_PE_RECOVERING); + } else { + pci_lock_rescan_remove(); diff --git a/queue-4.9/powerpc-iommu-do-not-call-pagetranshuge-on-tail-pages.patch b/queue-4.9/powerpc-iommu-do-not-call-pagetranshuge-on-tail-pages.patch new file mode 100644 index 00000000000..c4344008b01 --- /dev/null +++ b/queue-4.9/powerpc-iommu-do-not-call-pagetranshuge-on-tail-pages.patch @@ -0,0 +1,49 @@ +From e889e96e98e8da97bd39e46b7253615eabe14397 Mon Sep 17 00:00:00 2001 +From: Alexey Kardashevskiy +Date: Tue, 11 Apr 2017 17:54:57 +1000 +Subject: powerpc/iommu: Do not call PageTransHuge() on tail pages + +From: Alexey Kardashevskiy + +commit e889e96e98e8da97bd39e46b7253615eabe14397 upstream. + +The CMA pages migration code does not support compound pages at +the moment so it performs few tests before proceeding to actual page +migration. + +One of the tests - PageTransHuge() - has VM_BUG_ON_PAGE(PageTail()) as +it is designed to be called on head pages only. Since we also test for +PageCompound(), and it contains PageTail() and PageHead(), we can +simplify the check by leaving just PageCompound() and therefore avoid +possible VM_BUG_ON_PAGE. 
+ +Fixes: 2e5bbb5461f1 ("KVM: PPC: Book3S HV: Migrate pinned pages out of CMA") +Signed-off-by: Alexey Kardashevskiy +Acked-by: Balbir Singh +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/mmu_context_iommu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/mm/mmu_context_iommu.c ++++ b/arch/powerpc/mm/mmu_context_iommu.c +@@ -81,7 +81,7 @@ struct page *new_iommu_non_cma_page(stru + gfp_t gfp_mask = GFP_USER; + struct page *new_page; + +- if (PageHuge(page) || PageTransHuge(page) || PageCompound(page)) ++ if (PageCompound(page)) + return NULL; + + if (PageHighMem(page)) +@@ -100,7 +100,7 @@ static int mm_iommu_move_page_from_cma(s + LIST_HEAD(cma_migrate_pages); + + /* Ignore huge pages for now */ +- if (PageHuge(page) || PageTransHuge(page) || PageCompound(page)) ++ if (PageCompound(page)) + return -EBUSY; + + lru_add_drain(); diff --git a/queue-4.9/powerpc-mm-ensure-irqs-are-off-in-switch_mm.patch b/queue-4.9/powerpc-mm-ensure-irqs-are-off-in-switch_mm.patch new file mode 100644 index 00000000000..f118ccdda0d --- /dev/null +++ b/queue-4.9/powerpc-mm-ensure-irqs-are-off-in-switch_mm.patch @@ -0,0 +1,100 @@ +From 9765ad134a00a01cbcc69c78ff6defbfad209bc5 Mon Sep 17 00:00:00 2001 +From: David Gibson +Date: Wed, 19 Apr 2017 16:38:26 +1000 +Subject: powerpc/mm: Ensure IRQs are off in switch_mm() + +From: David Gibson + +commit 9765ad134a00a01cbcc69c78ff6defbfad209bc5 upstream. + +powerpc expects IRQs to already be (soft) disabled when switch_mm() is +called, as made clear in the commit message of 9c1e105238c4 ("powerpc: Allow +perf_counters to access user memory at interrupt time"). + +Aside from any race conditions that might exist between switch_mm() and an IRQ, +there is also an unconditional hard_irq_disable() in switch_slb(). If that isn't +followed at some point by an IRQ enable then interrupts will remain disabled +until we return to userspace. 
+ +It is true that when switch_mm() is called from the scheduler IRQs are off, but +not when it's called by use_mm(). Looking closer we see that last year in commit +f98db6013c55 ("sched/core: Add switch_mm_irqs_off() and use it in the scheduler") +this was made more explicit by the addition of switch_mm_irqs_off() which is now +called by the scheduler, vs switch_mm() which is used by use_mm(). + +Arguably it is a bug in use_mm() to call switch_mm() in a different context than +it expects, but fixing that will take time. + +This was discovered recently when vhost started throwing warnings such as: + + BUG: sleeping function called from invalid context at kernel/mutex.c:578 + in_atomic(): 0, irqs_disabled(): 1, pid: 10768, name: vhost-10760 + no locks held by vhost-10760/10768. + irq event stamp: 10 + hardirqs last enabled at (9): _raw_spin_unlock_irq+0x40/0x80 + hardirqs last disabled at (10): switch_slb+0x2e4/0x490 + softirqs last enabled at (0): copy_process+0x5e8/0x1260 + softirqs last disabled at (0): (null) + Call Trace: + show_stack+0x88/0x390 (unreliable) + dump_stack+0x30/0x44 + __might_sleep+0x1c4/0x2d0 + mutex_lock_nested+0x74/0x5c0 + cgroup_attach_task_all+0x5c/0x180 + vhost_attach_cgroups_work+0x58/0x80 [vhost] + vhost_worker+0x24c/0x3d0 [vhost] + kthread+0xec/0x100 + ret_from_kernel_thread+0x5c/0xd4 + +Prior to commit 04b96e5528ca ("vhost: lockless enqueuing") (Aug 2016) the +vhost_worker() would do a spin_unlock_irq() not long after calling use_mm(), +which had the effect of reenabling IRQs. Since that commit removed the locking +in vhost_worker() the body of the vhost_worker() loop now runs with interrupts +off causing the warnings. + +This patch addresses the problem by making the powerpc code mirror the x86 code, +ie. we disable interrupts in switch_mm(), and optimise the scheduler case by +defining switch_mm_irqs_off(). 
+ +Signed-off-by: David Gibson +[mpe: Flesh out/rewrite change log, add stable] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/mmu_context.h | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/include/asm/mmu_context.h ++++ b/arch/powerpc/include/asm/mmu_context.h +@@ -70,8 +70,9 @@ extern void drop_cop(unsigned long acop, + * switch_mm is the entry point called from the architecture independent + * code in kernel/sched/core.c + */ +-static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, +- struct task_struct *tsk) ++static inline void switch_mm_irqs_off(struct mm_struct *prev, ++ struct mm_struct *next, ++ struct task_struct *tsk) + { + /* Mark this context has been used on the new CPU */ + if (!cpumask_test_cpu(smp_processor_id(), mm_cpumask(next))) +@@ -110,6 +111,18 @@ static inline void switch_mm(struct mm_s + switch_mmu_context(prev, next, tsk); + } + ++static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, ++ struct task_struct *tsk) ++{ ++ unsigned long flags; ++ ++ local_irq_save(flags); ++ switch_mm_irqs_off(prev, next, tsk); ++ local_irq_restore(flags); ++} ++#define switch_mm_irqs_off switch_mm_irqs_off ++ ++ + #define deactivate_mm(tsk,mm) do { } while (0) + + /* diff --git a/queue-4.9/powerpc-pseries-fix-of_node_put-underflow-during-dlpar-remove.patch b/queue-4.9/powerpc-pseries-fix-of_node_put-underflow-during-dlpar-remove.patch new file mode 100644 index 00000000000..084a0a19abc --- /dev/null +++ b/queue-4.9/powerpc-pseries-fix-of_node_put-underflow-during-dlpar-remove.patch @@ -0,0 +1,58 @@ +From 68baf692c435339e6295cb470ea5545cbc28160e Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Mon, 17 Apr 2017 20:21:40 -0400 +Subject: powerpc/pseries: Fix of_node_put() underflow during DLPAR remove + +From: Tyrel Datwyler + +commit 68baf692c435339e6295cb470ea5545cbc28160e upstream. 
+ +Historically struct device_node references were tracked using a kref embedded as +a struct field. Commit 75b57ecf9d1d ("of: Make device nodes kobjects so they +show up in sysfs") (Mar 2014) refactored device_nodes to be kobjects such that +the device tree could be more simply exposed to userspace using sysfs. + +Commit 0829f6d1f69e ("of: device_node kobject lifecycle fixes") (Mar 2014) +followed up these changes to better control the kobject lifecycle and in +particular the reference counting via of_node_get(), of_node_put(), and +of_node_init(). + +A result of this second commit was that it introduced an of_node_put() call when +a dynamic node is detached, in of_node_remove(), that removes the initial kobj +reference created by of_node_init(). + +Traditionally as the original dynamic device node user the pseries code had +assumed responsibility for releasing this final reference in its platform +specific DLPAR detach code. + +This patch fixes a refcount underflow introduced by commit 0829f6d1f6, and +recently exposed by the upstreaming of the refcount API. + +Messages like the following are no longer seen in the kernel log with this +patch following DLPAR remove operations of cpus and pci devices. + + rpadlpar_io: slot PHB 72 removed + refcount_t: underflow; use-after-free.
+ ------------[ cut here ]------------ + WARNING: CPU: 5 PID: 3335 at lib/refcount.c:128 refcount_sub_and_test+0xf4/0x110 + +Fixes: 0829f6d1f69e ("of: device_node kobject lifecycle fixes") +Signed-off-by: Tyrel Datwyler +[mpe: Make change log commit references more verbose] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/pseries/dlpar.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/powerpc/platforms/pseries/dlpar.c ++++ b/arch/powerpc/platforms/pseries/dlpar.c +@@ -288,7 +288,6 @@ int dlpar_detach_node(struct device_node + if (rc) + return rc; + +- of_node_put(dn); /* Must decrement the refcount */ + return 0; + } + diff --git a/queue-4.9/powerpc-tm-fix-fp-and-vmx-register-corruption.patch b/queue-4.9/powerpc-tm-fix-fp-and-vmx-register-corruption.patch new file mode 100644 index 00000000000..170a2b1cb76 --- /dev/null +++ b/queue-4.9/powerpc-tm-fix-fp-and-vmx-register-corruption.patch @@ -0,0 +1,71 @@ +From f48e91e87e67b56bef63393d1a02c6e22c1d7078 Mon Sep 17 00:00:00 2001 +From: Michael Neuling +Date: Mon, 8 May 2017 17:16:26 +1000 +Subject: powerpc/tm: Fix FP and VMX register corruption + +From: Michael Neuling + +commit f48e91e87e67b56bef63393d1a02c6e22c1d7078 upstream. + +In commit dc3106690b20 ("powerpc: tm: Always use fp_state and vr_state +to store live registers"), a section of code was removed that copied +the current state to checkpointed state. That code should not have been +removed. + +When an FP (Floating Point) unavailable is taken inside a transaction, +we need to abort the transaction. This is because at the time of the +tbegin, the FP state is bogus so the state stored in the checkpointed +registers is incorrect. To fix this, we treclaim (to get the +checkpointed GPRs) and then copy the thread_struct FP live state into +the checkpointed state. We then trecheckpoint so that the FP state is +correctly restored into the CPU. 
+ +The copying of the FP registers from live to checkpointed is what was +missing. + +This simplifies the logic slightly from the original patch. +tm_reclaim_thread() will now always write the checkpointed FP +state. Either the checkpointed FP state will be written as part of +the actual treclaim (in tm.S), or it'll be a copy of the live +state. Which one we use is based on MSR[FP] from userspace. + +Similarly for VMX. + +Fixes: dc3106690b20 ("powerpc: tm: Always use fp_state and vr_state to store live registers") +Signed-off-by: Michael Neuling +Reviewed-by: cyrilbur@gmail.com +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/process.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/arch/powerpc/kernel/process.c ++++ b/arch/powerpc/kernel/process.c +@@ -839,6 +839,25 @@ static void tm_reclaim_thread(struct thr + if (!MSR_TM_SUSPENDED(mfmsr())) + return; + ++ /* ++ * If we are in a transaction and FP is off then we can't have ++ * used FP inside that transaction. Hence the checkpointed ++ * state is the same as the live state. We need to copy the ++ * live state to the checkpointed state so that when the ++ * transaction is restored, the checkpointed state is correct ++ * and the aborted transaction sees the correct state. We use ++ * ckpt_regs.msr here as that's what tm_reclaim will use to ++ * determine if it's going to write the checkpointed state or ++ * not. So either this will write the checkpointed registers, ++ * or reclaim will. Similarly for VMX. 
++ */ ++ if ((thr->ckpt_regs.msr & MSR_FP) == 0) ++ memcpy(&thr->ckfp_state, &thr->fp_state, ++ sizeof(struct thread_fp_state)); ++ if ((thr->ckpt_regs.msr & MSR_VEC) == 0) ++ memcpy(&thr->ckvr_state, &thr->vr_state, ++ sizeof(struct thread_vr_state)); ++ + giveup_all(container_of(thr, struct task_struct, thread)); + + tm_reclaim(thr, thr->ckpt_regs.msr, cause); diff --git a/queue-4.9/series b/queue-4.9/series index 763b167dff9..b0c8665019f 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -107,3 +107,38 @@ dw2102-limit-messages-to-buffer-size.patch cx231xx-audio-fix-init-error-path.patch cx231xx-audio-fix-null-deref-at-probe.patch cx231xx-cards-fix-null-deref-at-probe.patch +powerpc-mm-ensure-irqs-are-off-in-switch_mm.patch +powerpc-eeh-avoid-use-after-free-in-eeh_handle_special_event.patch +powerpc-book3s-mce-move-add_taint-later-in-virtual-mode.patch +powerpc-pseries-fix-of_node_put-underflow-during-dlpar-remove.patch +powerpc-iommu-do-not-call-pagetranshuge-on-tail-pages.patch +powerpc-64e-fix-hang-when-debugging-programs-with-relocated-kernel.patch +powerpc-tm-fix-fp-and-vmx-register-corruption.patch +arm64-kvm-do-not-use-stack-protector-to-compile-el2-code.patch +arm-kvm-do-not-use-stack-protector-to-compile-hyp-code.patch +kvm-arm-arm64-vgic-v2-do-not-use-active-pending-state-for-a-hw-interrupt.patch +kvm-arm-arm64-vgic-v3-do-not-use-active-pending-state-for-a-hw-interrupt.patch +kvm-arm-plug-potential-guest-hardware-debug-leakage.patch +arm-8662-1-module-split-core-and-init-plt-sections.patch +arm-8670-1-v7m-do-not-corrupt-vector-table-around-v7m_invalidate_l1-call.patch +arm-dts-at91-sama5d3_xplained-fix-adc-vref.patch +arm-dts-at91-sama5d3_xplained-not-all-adc-channels-are-available.patch +arm-dts-imx6sx-sdb-remove-opp-override.patch +arm64-dts-hi6220-reset-the-mmc-hosts.patch +arm64-xchg-hazard-against-entire-exchange-variable.patch +arm64-ensure-extension-of-smp_store_release-value.patch +arm64-armv8_deprecated-ensure-extension-of-addr.patch 
+arm64-uaccess-ensure-extension-of-access_ok-addr.patch +arm64-documentation-document-tagged-pointer-stack-constraints.patch +staging-rtl8192e-rtl92e_fill_tx_desc-fix-write-to-mapped-out-memory.patch +staging-rtl8192e-fix-2-byte-alignment-of-register-bssidr.patch +staging-rtl8192e-rtl92e_get_eeprom_size-fix-read-size-of-eprom_cmd.patch +staging-rtl8192e-getts-fix-invalid-tid-7-warning.patch +iommu-vt-d-flush-the-iotlb-to-get-rid-of-the-initial-kdump-mappings.patch +metag-uaccess-fix-access_ok.patch +metag-uaccess-check-access_ok-in-strncpy_from_user.patch +stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch +uwb-fix-device-quirk-on-big-endian-hosts.patch +genirq-fix-chained-interrupt-data-ordering.patch +nvme-unmap-cmb-and-remove-sysfs-file-in-reset-path.patch +mips-loongson-3-select-mips_l1_cache_shift_6.patch diff --git a/queue-4.9/stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch b/queue-4.9/stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch new file mode 100644 index 00000000000..a7c98012e0b --- /dev/null +++ b/queue-4.9/stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch @@ -0,0 +1,40 @@ +From 5ea30e4e58040cfd6434c2f33dc3ea76e2c15b05 Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Thu, 4 May 2017 09:32:09 -0400 +Subject: stackprotector: Increase the per-task stack canary's random range from 32 bits to 64 bits on 64-bit platforms + +From: Daniel Micay + +commit 5ea30e4e58040cfd6434c2f33dc3ea76e2c15b05 upstream. + +The stack canary is an 'unsigned long' and should be fully initialized to +random data rather than only 32 bits of random data. 
+ +Signed-off-by: Daniel Micay +Acked-by: Arjan van de Ven +Acked-by: Rik van Riel +Acked-by: Kees Cook +Cc: Arjan van Ven +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: kernel-hardening@lists.openwall.com +Link: http://lkml.kernel.org/r/20170504133209.3053-1-danielmicay@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/fork.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -521,7 +521,7 @@ static struct task_struct *dup_task_stru + set_task_stack_end_magic(tsk); + + #ifdef CONFIG_CC_STACKPROTECTOR +- tsk->stack_canary = get_random_int(); ++ tsk->stack_canary = get_random_long(); + #endif + + /* diff --git a/queue-4.9/staging-rtl8192e-fix-2-byte-alignment-of-register-bssidr.patch b/queue-4.9/staging-rtl8192e-fix-2-byte-alignment-of-register-bssidr.patch new file mode 100644 index 00000000000..e70d0714cac --- /dev/null +++ b/queue-4.9/staging-rtl8192e-fix-2-byte-alignment-of-register-bssidr.patch @@ -0,0 +1,47 @@ +From 867510bde14e7b7fc6dd0f50b48f6753cfbd227a Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Thu, 11 May 2017 18:57:44 +0100 +Subject: staging: rtl8192e: fix 2 byte alignment of register BSSIDR. + +From: Malcolm Priestley + +commit 867510bde14e7b7fc6dd0f50b48f6753cfbd227a upstream. + +BSSIDR has two byte alignment on PCI ioremap correct the write +by swapping to 16 bits first. + +This fixes a problem that the device associates fail because +the filter is not set correctly. 
+ +Signed-off-by: Malcolm Priestley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c ++++ b/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c +@@ -97,8 +97,9 @@ void rtl92e_set_reg(struct net_device *d + + switch (variable) { + case HW_VAR_BSSID: +- rtl92e_writel(dev, BSSIDR, ((u32 *)(val))[0]); +- rtl92e_writew(dev, BSSIDR+2, ((u16 *)(val+2))[0]); ++ /* BSSIDR 2 byte alignment */ ++ rtl92e_writew(dev, BSSIDR, *(u16 *)val); ++ rtl92e_writel(dev, BSSIDR + 2, *(u32 *)(val + 2)); + break; + + case HW_VAR_MEDIA_STATUS: +@@ -963,8 +964,8 @@ static void _rtl92e_net_update(struct ne + rtl92e_config_rate(dev, &rate_config); + priv->dot11CurrentPreambleMode = PREAMBLE_AUTO; + priv->basic_rate = rate_config &= 0x15f; +- rtl92e_writel(dev, BSSIDR, ((u32 *)net->bssid)[0]); +- rtl92e_writew(dev, BSSIDR+4, ((u16 *)net->bssid)[2]); ++ rtl92e_writew(dev, BSSIDR, *(u16 *)net->bssid); ++ rtl92e_writel(dev, BSSIDR + 2, *(u32 *)(net->bssid + 2)); + + if (priv->rtllib->iw_mode == IW_MODE_ADHOC) { + rtl92e_writew(dev, ATIMWND, 2); diff --git a/queue-4.9/staging-rtl8192e-getts-fix-invalid-tid-7-warning.patch b/queue-4.9/staging-rtl8192e-getts-fix-invalid-tid-7-warning.patch new file mode 100644 index 00000000000..fadffac5912 --- /dev/null +++ b/queue-4.9/staging-rtl8192e-getts-fix-invalid-tid-7-warning.patch @@ -0,0 +1,61 @@ +From 95d93e271d920dfda369d4740b1cc1061d41fe7f Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Thu, 11 May 2017 18:57:46 +0100 +Subject: staging: rtl8192e: GetTs Fix invalid TID 7 warning. + +From: Malcolm Priestley + +commit 95d93e271d920dfda369d4740b1cc1061d41fe7f upstream. + +TID 7 is a valid value for QoS IEEE 802.11e. + +The switch statement that follows states 7 is valid. + +Remove function IsACValid and use the default case to filter +invalid TIDs. 
+ +Signed-off-by: Malcolm Priestley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8192e/rtl819x_TSProc.c | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +--- a/drivers/staging/rtl8192e/rtl819x_TSProc.c ++++ b/drivers/staging/rtl8192e/rtl819x_TSProc.c +@@ -306,11 +306,6 @@ static void MakeTSEntry(struct ts_common + pTsCommonInfo->TClasNum = TCLAS_Num; + } + +-static bool IsACValid(unsigned int tid) +-{ +- return tid < 7; +-} +- + bool GetTs(struct rtllib_device *ieee, struct ts_common_info **ppTS, + u8 *Addr, u8 TID, enum tr_select TxRxSelect, bool bAddNewTs) + { +@@ -328,12 +323,6 @@ bool GetTs(struct rtllib_device *ieee, s + if (ieee->current_network.qos_data.supported == 0) { + UP = 0; + } else { +- if (!IsACValid(TID)) { +- netdev_warn(ieee->dev, "%s(): TID(%d) is not valid\n", +- __func__, TID); +- return false; +- } +- + switch (TID) { + case 0: + case 3: +@@ -351,6 +340,10 @@ bool GetTs(struct rtllib_device *ieee, s + case 7: + UP = 7; + break; ++ default: ++ netdev_warn(ieee->dev, "%s(): TID(%d) is not valid\n", ++ __func__, TID); ++ return false; + } + } + diff --git a/queue-4.9/staging-rtl8192e-rtl92e_fill_tx_desc-fix-write-to-mapped-out-memory.patch b/queue-4.9/staging-rtl8192e-rtl92e_fill_tx_desc-fix-write-to-mapped-out-memory.patch new file mode 100644 index 00000000000..5dd2aaf0268 --- /dev/null +++ b/queue-4.9/staging-rtl8192e-rtl92e_fill_tx_desc-fix-write-to-mapped-out-memory.patch @@ -0,0 +1,59 @@ +From baabd567f87be05330faa5140f72a91960e7405a Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Thu, 11 May 2017 18:57:43 +0100 +Subject: staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory. + +From: Malcolm Priestley + +commit baabd567f87be05330faa5140f72a91960e7405a upstream. + +The driver attempts to alter memory that is mapped to PCI device. 
+ +This is because tx_fwinfo_8190pci points to skb->data + +Move the pci_map_single to when completed buffer is ready to be mapped with +psdec is empty to drop on mapping error. + +Signed-off-by: Malcolm Priestley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c ++++ b/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c +@@ -1184,8 +1184,7 @@ void rtl92e_fill_tx_desc(struct net_dev + struct cb_desc *cb_desc, struct sk_buff *skb) + { + struct r8192_priv *priv = rtllib_priv(dev); +- dma_addr_t mapping = pci_map_single(priv->pdev, skb->data, skb->len, +- PCI_DMA_TODEVICE); ++ dma_addr_t mapping; + struct tx_fwinfo_8190pci *pTxFwInfo; + + pTxFwInfo = (struct tx_fwinfo_8190pci *)skb->data; +@@ -1196,8 +1195,6 @@ void rtl92e_fill_tx_desc(struct net_dev + pTxFwInfo->Short = _rtl92e_query_is_short(pTxFwInfo->TxHT, + pTxFwInfo->TxRate, cb_desc); + +- if (pci_dma_mapping_error(priv->pdev, mapping)) +- netdev_err(dev, "%s(): DMA Mapping error\n", __func__); + if (cb_desc->bAMPDUEnable) { + pTxFwInfo->AllowAggregation = 1; + pTxFwInfo->RxMF = cb_desc->ampdu_factor; +@@ -1232,6 +1229,14 @@ void rtl92e_fill_tx_desc(struct net_dev + } + + memset((u8 *)pdesc, 0, 12); ++ ++ mapping = pci_map_single(priv->pdev, skb->data, skb->len, ++ PCI_DMA_TODEVICE); ++ if (pci_dma_mapping_error(priv->pdev, mapping)) { ++ netdev_err(dev, "%s(): DMA Mapping error\n", __func__); ++ return; ++ } ++ + pdesc->LINIP = 0; + pdesc->CmdInit = 1; + pdesc->Offset = sizeof(struct tx_fwinfo_8190pci) + 8; diff --git a/queue-4.9/staging-rtl8192e-rtl92e_get_eeprom_size-fix-read-size-of-eprom_cmd.patch b/queue-4.9/staging-rtl8192e-rtl92e_get_eeprom_size-fix-read-size-of-eprom_cmd.patch new file mode 100644 index 00000000000..4060e0a2b94 --- /dev/null +++ b/queue-4.9/staging-rtl8192e-rtl92e_get_eeprom_size-fix-read-size-of-eprom_cmd.patch @@ -0,0 +1,32 @@ 
+From 90be652c9f157d44b9c2803f902a8839796c090d Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Thu, 11 May 2017 18:57:45 +0100 +Subject: staging: rtl8192e: rtl92e_get_eeprom_size Fix read size of EPROM_CMD. + +From: Malcolm Priestley + +commit 90be652c9f157d44b9c2803f902a8839796c090d upstream. + +EPROM_CMD is 2 byte aligned on PCI map so calling with rtl92e_readl +will return invalid data so use rtl92e_readw. + +The device is unable to select the right eeprom type. + +Signed-off-by: Malcolm Priestley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c ++++ b/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c +@@ -627,7 +627,7 @@ void rtl92e_get_eeprom_size(struct net_d + struct r8192_priv *priv = rtllib_priv(dev); + + RT_TRACE(COMP_INIT, "===========>%s()\n", __func__); +- curCR = rtl92e_readl(dev, EPROM_CMD); ++ curCR = rtl92e_readw(dev, EPROM_CMD); + RT_TRACE(COMP_INIT, "read from Reg Cmd9346CR(%x):%x\n", EPROM_CMD, + curCR); + priv->epromtype = (curCR & EPROM_CMD_9356SEL) ? EEPROM_93C56 : diff --git a/queue-4.9/uwb-fix-device-quirk-on-big-endian-hosts.patch b/queue-4.9/uwb-fix-device-quirk-on-big-endian-hosts.patch new file mode 100644 index 00000000000..594da98f617 --- /dev/null +++ b/queue-4.9/uwb-fix-device-quirk-on-big-endian-hosts.patch @@ -0,0 +1,41 @@ +From 41318a2b82f5d5fe1fb408f6d6e0b22aa557111d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 12 May 2017 12:06:32 +0200 +Subject: uwb: fix device quirk on big-endian hosts + +From: Johan Hovold + +commit 41318a2b82f5d5fe1fb408f6d6e0b22aa557111d upstream. + +Add missing endianness conversion when using the USB device-descriptor +idProduct field to apply a hardware quirk. 
+ +Fixes: 1ba47da52712 ("uwb: add the i1480 DFU driver") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/uwb/i1480/dfu/usb.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/uwb/i1480/dfu/usb.c ++++ b/drivers/uwb/i1480/dfu/usb.c +@@ -341,6 +341,7 @@ error_submit_ep1: + static + int i1480_usb_probe(struct usb_interface *iface, const struct usb_device_id *id) + { ++ struct usb_device *udev = interface_to_usbdev(iface); + struct i1480_usb *i1480_usb; + struct i1480 *i1480; + struct device *dev = &iface->dev; +@@ -352,8 +353,8 @@ int i1480_usb_probe(struct usb_interface + iface->cur_altsetting->desc.bInterfaceNumber); + goto error; + } +- if (iface->num_altsetting > 1 +- && interface_to_usbdev(iface)->descriptor.idProduct == 0xbabe) { ++ if (iface->num_altsetting > 1 && ++ le16_to_cpu(udev->descriptor.idProduct) == 0xbabe) { + /* Need altsetting #1 [HW QUIRK] or EP1 won't work */ + result = usb_set_interface(interface_to_usbdev(iface), 0, 1); + if (result < 0)