From: Greg Kroah-Hartman Date: Tue, 3 Oct 2017 11:35:36 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.73~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4dacd8844511ca6df171046e7a969f9cef86ef66;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: kvm-vmx-use-cmpxchg64.patch swiotlb-xen-implement-xen_swiotlb_dma_mmap-callback.patch video-fbdev-aty-do-not-leak-uninitialized-padding-in-clk-to-userspace.patch
---
diff --git a/queue-4.4/kvm-vmx-use-cmpxchg64.patch b/queue-4.4/kvm-vmx-use-cmpxchg64.patch
new file mode 100644
index 00000000000..a32f283216f
--- /dev/null
+++ b/queue-4.4/kvm-vmx-use-cmpxchg64.patch
@@ -0,0 +1,53 @@
+From c0a1666bcb2a33e84187a15eabdcd54056be9a97 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Thu, 28 Sep 2017 17:58:41 +0200
+Subject: KVM: VMX: use cmpxchg64
+
+From: Paolo Bonzini
+
+commit c0a1666bcb2a33e84187a15eabdcd54056be9a97 upstream.
+
+This fixes a compilation failure on 32-bit systems.
+
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/vmx.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2029,8 +2029,8 @@ static void vmx_vcpu_pi_load(struct kvm_
+
+ /* Allow posting non-urgent interrupts */
+ new.sn = 0;
+- } while (cmpxchg(&pi_desc->control, old.control,
+- new.control) != old.control);
++ } while (cmpxchg64(&pi_desc->control, old.control,
++ new.control) != old.control);
+ }
+ /*
+ * Switches to specified vcpu, until a matching vcpu_put(), but assumes
+@@ -10705,8 +10705,8 @@ static int vmx_pre_block(struct kvm_vcpu
+
+ /* set 'NV' to 'wakeup vector' */
+ new.nv = POSTED_INTR_WAKEUP_VECTOR;
+- } while (cmpxchg(&pi_desc->control, old.control,
+- new.control) != old.control);
++ } while (cmpxchg64(&pi_desc->control, old.control,
++ new.control) != old.control);
+
+ return 0;
+ }
+@@ -10737,8 +10737,8 @@ static void vmx_post_block(struct kvm_vc
+
+ /* set 'NV' to 'notification vector' */
+ new.nv = POSTED_INTR_VECTOR;
+- } while (cmpxchg(&pi_desc->control, old.control,
+- new.control) != old.control);
++ } while (cmpxchg64(&pi_desc->control, old.control,
++ new.control) != old.control);
+
+ if(vcpu->pre_pcpu != -1) {
+ spin_lock_irqsave(
diff --git a/queue-4.4/series b/queue-4.4/series
index e66b66c0c0d..cf5036c59d9 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -36,3 +36,6 @@ cxl-fix-driver-use-count.patch
 dmaengine-mmp-pdma-add-number-of-requestors.patch
 arm-pxa-add-the-number-of-dma-requestor-lines.patch
 arm-pxa-fix-the-number-of-dma-requestor-lines.patch
+kvm-vmx-use-cmpxchg64.patch
+video-fbdev-aty-do-not-leak-uninitialized-padding-in-clk-to-userspace.patch
+swiotlb-xen-implement-xen_swiotlb_dma_mmap-callback.patch
diff --git a/queue-4.4/swiotlb-xen-implement-xen_swiotlb_dma_mmap-callback.patch b/queue-4.4/swiotlb-xen-implement-xen_swiotlb_dma_mmap-callback.patch
new file mode 100644
index 00000000000..2f02e717658
--- /dev/null
+++ b/queue-4.4/swiotlb-xen-implement-xen_swiotlb_dma_mmap-callback.patch
@@ -0,0 +1,70 @@
+From 7e91c7df29b5e196de3dc6f086c8937973bd0b88 Mon Sep 17 00:00:00 2001
+From: Stefano Stabellini
+Date: Tue, 7 Feb 2017 19:58:02 +0200
+Subject: swiotlb-xen: implement xen_swiotlb_dma_mmap callback
+
+From: Stefano Stabellini
+
+commit 7e91c7df29b5e196de3dc6f086c8937973bd0b88 upstream.
+
+This function creates userspace mapping for the DMA-coherent memory.
+
+Signed-off-by: Stefano Stabellini
+Signed-off-by: Oleksandr Dmytryshyn
+Signed-off-by: Andrii Anisov
+Signed-off-by: Konrad Rzeszutek Wilk
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/xen/mm.c | 1 +
+ drivers/xen/swiotlb-xen.c | 19 +++++++++++++++++++
+ include/xen/swiotlb-xen.h | 5 +++++
+ 3 files changed, 25 insertions(+)
+
+--- a/arch/arm/xen/mm.c
++++ b/arch/arm/xen/mm.c
+@@ -199,6 +199,7 @@ static struct dma_map_ops xen_swiotlb_dm
+ .unmap_page = xen_swiotlb_unmap_page,
+ .dma_supported = xen_swiotlb_dma_supported,
+ .set_dma_mask = xen_swiotlb_set_dma_mask,
++ .mmap = xen_swiotlb_dma_mmap,
+ };
+
+ int __init xen_mm_init(void)
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -680,3 +680,22 @@ xen_swiotlb_set_dma_mask(struct device *
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(xen_swiotlb_set_dma_mask);
++
++/*
++ * Create userspace mapping for the DMA-coherent memory.
++ * This function should be called with the pages from the current domain only,
++ * passing pages mapped from other domains would lead to memory corruption.
++ */
++int
++xen_swiotlb_dma_mmap(struct device *dev, struct vm_area_struct *vma,
++ void *cpu_addr, dma_addr_t dma_addr, size_t size,
++ unsigned long attrs)
++{
++#if defined(CONFIG_ARM) || defined(CONFIG_ARM64)
++ if (__generic_dma_ops(dev)->mmap)
++ return __generic_dma_ops(dev)->mmap(dev, vma, cpu_addr,
++ dma_addr, size, attrs);
++#endif
++ return dma_common_mmap(dev, vma, cpu_addr, dma_addr, size);
++}
++EXPORT_SYMBOL_GPL(xen_swiotlb_dma_mmap);
+--- a/include/xen/swiotlb-xen.h
++++ b/include/xen/swiotlb-xen.h
+@@ -58,4 +58,9 @@ xen_swiotlb_dma_supported(struct device
+
+ extern int
+ xen_swiotlb_set_dma_mask(struct device *dev, u64 dma_mask);
++
++extern int
++xen_swiotlb_dma_mmap(struct device *dev, struct vm_area_struct *vma,
++ void *cpu_addr, dma_addr_t dma_addr, size_t size,
++ unsigned long attrs);
+ #endif /* __LINUX_SWIOTLB_XEN_H */
diff --git a/queue-4.4/video-fbdev-aty-do-not-leak-uninitialized-padding-in-clk-to-userspace.patch b/queue-4.4/video-fbdev-aty-do-not-leak-uninitialized-padding-in-clk-to-userspace.patch
new file mode 100644
index 00000000000..ddbaf512f13
--- /dev/null
+++ b/queue-4.4/video-fbdev-aty-do-not-leak-uninitialized-padding-in-clk-to-userspace.patch
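Review bot: The comment above `xen_swiotlb_dma_mmap` warns that pages mapped from other domains would lead to memory corruption, but nothing in the function checks where `cpu_addr`/`dma_addr` came from, so the guarantee rests entirely on callers. The comment should say so explicitly, for example `* Not checked here: callers must only pass buffers allocated in the current domain.` The fallback `dma_common_mmap(dev, vma, cpu_addr, dma_addr, size)` also drops `attrs`, which deserves a one-line why-comment. For this 4.4 backport, the `unsigned long attrs` parameter should be confirmed against the tree's `dma_map_ops.mmap` member, which is not visible here; if that member still takes `struct dma_attrs *`, both the `.mmap = xen_swiotlb_dma_mmap` initializer in arch/arm/xen/mm.c and the forwarded `->mmap(...)` call would be type-mismatched.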
@@ -0,0 +1,34 @@
+From 8e75f7a7a00461ef6d91797a60b606367f6e344d Mon Sep 17 00:00:00 2001
+From: Vladis Dronov
+Date: Mon, 4 Sep 2017 16:00:50 +0200
+Subject: video: fbdev: aty: do not leak uninitialized padding in clk to userspace
+
+From: Vladis Dronov
+
+commit 8e75f7a7a00461ef6d91797a60b606367f6e344d upstream.
+
+'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
+field unitialized, leaking data from the stack. Fix this ensuring all of
+'clk' is initialized to zero.
+
+References: https://github.com/torvalds/linux/pull/441
+Reported-by: sohu0106
+Signed-off-by: Vladis Dronov
+Signed-off-by: Bartlomiej Zolnierkiewicz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/fbdev/aty/atyfb_base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/aty/atyfb_base.c
++++ b/drivers/video/fbdev/aty/atyfb_base.c
+@@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *i
+ #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
+ case ATYIO_CLKR:
+ if (M64_HAS(INTEGRATED)) {
+- struct atyclk clk;
++ struct atyclk clk = { 0 };
+ union aty_pll *pll = &par->pll;
+ u32 dsp_config = pll->ct.dsp_config;
+ u32 dsp_on_off = pll->ct.dsp_on_off;
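Review bot: `struct atyclk clk = { 0 };` zero-initialises the named members, but the C standard does not guarantee that a brace initializer clears padding bytes, and the padding after `vclk_post_div` is exactly what the commit message says leaks. For a structure that is copied to userspace, keeping `struct atyclk clk;` and adding `memset(&clk, 0, sizeof(clk));` before the fields are filled covers the padding regardless of how the compiler lowers the initializer. The copy to userspace and the rest of `atyfb_ioctl` lie outside this hunk, so this assumes the whole struct is copied out, as the description states.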