From: Greg Kroah-Hartman
Date: Wed, 5 Oct 2016 13:28:28 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.8.1~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8909f068ca31ae257ce6855f70f053232204b2ed;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
dmaengine-at_xdmac-fix-to-pass-correct-device-identity-to-free_irq.patch
kernel-fork-fix-clone_child_cleartid-regression-in-nscd.patch
kvm-nvmx-postpone-vmcs-changes-on-msr_ia32_apicbase-write.patch
---
diff --git a/queue-4.4/dmaengine-at_xdmac-fix-to-pass-correct-device-identity-to-free_irq.patch b/queue-4.4/dmaengine-at_xdmac-fix-to-pass-correct-device-identity-to-free_irq.patch new file mode 100644 index 00000000000..5a01ab6c129 --- /dev/null +++ b/queue-4.4/dmaengine-at_xdmac-fix-to-pass-correct-device-identity-to-free_irq.patch
@@ -0,0 +1,42 @@ +From 6a8b0c6b18f62a277ffb2139d0c0253fe35d7feb Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Wed, 10 Aug 2016 03:17:09 +0000 +Subject: dmaengine: at_xdmac: fix to pass correct device identity to free_irq() + +From: Wei Yongjun + +commit 6a8b0c6b18f62a277ffb2139d0c0253fe35d7feb upstream. + +free_irq() expects the same device identity that was passed to +corresponding request_irq(), otherwise the IRQ is not freed. + +Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver") +Signed-off-by: Wei Yongjun +Acked-by: Ludovic Desroches +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/at_xdmac.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -2055,7 +2055,7 @@ err_dma_unregister: + err_clk_disable: + clk_disable_unprepare(atxdmac->clk); + err_free_irq: +- free_irq(atxdmac->irq, atxdmac->dma.dev); ++ free_irq(atxdmac->irq, atxdmac); + return ret; + } + +@@ -2071,7 +2071,7 @@ static int at_xdmac_remove(struct platfo + + synchronize_irq(atxdmac->irq); + +- free_irq(atxdmac->irq, atxdmac->dma.dev); ++ free_irq(atxdmac->irq, atxdmac); + + for (i = 0; i < atxdmac->dma.chancnt; i++) { + struct at_xdmac_chan *atchan = &atxdmac->chan[i]; diff --git a/queue-4.4/kernel-fork-fix-clone_child_cleartid-regression-in-nscd.patch b/queue-4.4/kernel-fork-fix-clone_child_cleartid-regression-in-nscd.patch new file mode 100644 index 00000000000..6e85a55f0c3 --- /dev/null +++ b/queue-4.4/kernel-fork-fix-clone_child_cleartid-regression-in-nscd.patch 
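Review bot: in both hunks (the err_free_irq path in probe and at_xdmac_remove) the fix changes only the free_irq() dev_id, and the matching request_irq() call is not in the diff, so a reviewer cannot verify from the patch alone that the handler was registered with atxdmac rather than atxdmac->dma.dev; quote the request_irq() line in the changelog, or include it as context, so the pairing is checkable. The changelog should also spell out what "the IRQ is not freed" means in practice: free_irq() only warns ("Trying to free already-free IRQ") when no action matches the dev_id, so the old code left the at_xdmac handler registered after a failed probe or after unbind, and a later interrupt on that line would run the handler against a device whose clock and resources had already been torn down; that consequence is the justification for a stable backport and is worth stating. Minor: the synchronize_irq() immediately before free_irq() in at_xdmac_remove becomes redundant once free_irq() actually succeeds, since free_irq() waits for in-flight handlers itself; harmless, but it could be dropped in a follow-up.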
@@ -0,0 +1,81 @@ +From 735f2770a770156100f534646158cb58cb8b2939 Mon Sep 17 00:00:00 2001 +From: Michal Hocko +Date: Thu, 1 Sep 2016 16:15:13 -0700 +Subject: kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd + +From: Michal Hocko + +commit 735f2770a770156100f534646158cb58cb8b2939 upstream. + +Commit fec1d0115240 ("[PATCH] Disable CLONE_CHILD_CLEARTID for abnormal +exit") has caused a subtle regression in nscd which uses +CLONE_CHILD_CLEARTID to clear the nscd_certainly_running flag in the +shared databases, so that the clients are notified when nscd is +restarted. Now, when nscd uses a non-persistent database, clients that +have it mapped keep thinking the database is being updated by nscd, when +in fact nscd has created a new (anonymous) one (for non-persistent +databases it uses an unlinked file as backend). + +The original proposal for the CLONE_CHILD_CLEARTID change claimed +(https://lkml.org/lkml/2006/10/25/233): + +: The NPTL library uses the CLONE_CHILD_CLEARTID flag on clone() syscalls +: on behalf of pthread_create() library calls. This feature is used to +: request that the kernel clear the thread-id in user space (at an address +: provided in the syscall) when the thread disassociates itself from the +: address space, which is done in mm_release(). +: +: Unfortunately, when a multi-threaded process incurs a core dump (such as +: from a SIGSEGV), the core-dumping thread sends SIGKILL signals to all of +: the other threads, which then proceed to clear their user-space tids +: before synchronizing in exit_mm() with the start of core dumping. This +: misrepresents the state of process's address space at the time of the +: SIGSEGV and makes it more difficult for someone to debug NPTL and glibc +: problems (misleading him/her to conclude that the threads had gone away +: before the fault). +: +: The fix below is to simply avoid the CLONE_CHILD_CLEARTID action if a +: core dump has been initiated. 
+ +The resulting patch from Roland (https://lkml.org/lkml/2006/10/26/269) +seems to have a larger scope than the original patch asked for. It +seems that limitting the scope of the check to core dumping should work +for SIGSEGV issue describe above. + +[Changelog partly based on Andreas' description] +Fixes: fec1d0115240 ("[PATCH] Disable CLONE_CHILD_CLEARTID for abnormal exit") +Link: http://lkml.kernel.org/r/1471968749-26173-1-git-send-email-mhocko@kernel.org +Signed-off-by: Michal Hocko +Tested-by: William Preston +Acked-by: Oleg Nesterov +Cc: Roland McGrath +Cc: Andreas Schwab +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/fork.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -901,14 +901,12 @@ void mm_release(struct task_struct *tsk, + deactivate_mm(tsk, mm); + + /* +- * If we're exiting normally, clear a user-space tid field if +- * requested. We leave this alone when dying by signal, to leave +- * the value intact in a core dump, and to save the unnecessary +- * trouble, say, a killed vfork parent shouldn't touch this mm. +- * Userland only wants this done for a sys_exit. ++ * Signal userspace if we're not exiting with a core dump ++ * because we want to leave the value intact for debugging ++ * purposes. + */ + if (tsk->clear_child_tid) { +- if (!(tsk->flags & PF_SIGNALED) && ++ if (!(tsk->signal->flags & SIGNAL_GROUP_COREDUMP) && + atomic_read(&mm->mm_users) > 1) { + /* + * We don't check the error code - if userspace has diff --git a/queue-4.4/kvm-nvmx-postpone-vmcs-changes-on-msr_ia32_apicbase-write.patch b/queue-4.4/kvm-nvmx-postpone-vmcs-changes-on-msr_ia32_apicbase-write.patch new file mode 100644 index 00000000000..c459249880d --- /dev/null +++ b/queue-4.4/kvm-nvmx-postpone-vmcs-changes-on-msr_ia32_apicbase-write.patch 
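Review bot: the replacement comment ("Signal userspace if we're not exiting with a core dump") is misleading: the code below does not send a signal, it clears the tid word at tsk->clear_child_tid and wakes the futex, so the comment should say that. It also drops the vfork rationale the old comment carried ("a killed vfork parent shouldn't touch this mm"): narrowing the test from PF_SIGNALED to SIGNAL_GROUP_COREDUMP means a vfork parent killed by a non-dumping signal while its child still shares the mm (mm_users > 1) will now store into that shared address space; that is the same store a normal exit performs, but since the old comment called it out as deliberately avoided, the changelog should say explicitly that it is now intended. Last, the new condition dereferences tsk->signal; that is valid here because mm_release() is reached from exit_mm() and from exec_mmap() before the signal struct is released, and a one-line comment recording that dependency would help whoever next moves this code.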
@@ -0,0 +1,68 @@ +From dccbfcf52cebb8963246eba5b177b77f26b34da0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= +Date: Mon, 8 Aug 2016 20:16:23 +0200 +Subject: KVM: nVMX: postpone VMCS changes on MSR_IA32_APICBASE write +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Radim Krčmář + +commit dccbfcf52cebb8963246eba5b177b77f26b34da0 upstream. + +If vmcs12 does not intercept APIC_BASE writes, then KVM will handle the +write with vmcs02 as the current VMCS. +This will incorrectly apply modifications intended for vmcs01 to vmcs02 +and L2 can use it to gain access to L0's x2APIC registers by disabling +virtualized x2APIC while using msr bitmap that assumes enabled. + +Postpone execution of vmx_set_virtual_x2apic_mode until vmcs01 is the +current VMCS. An alternative solution would temporarily make vmcs01 the +current VMCS, but it requires more care. + +Fixes: 8d14695f9542 ("x86, apicv: add virtual x2apic support") +Reported-by: Jim Mattson +Reviewed-by: Wanpeng Li +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -408,6 +408,7 @@ struct nested_vmx { + struct list_head vmcs02_pool; + int vmcs02_num; + u64 vmcs01_tsc_offset; ++ bool change_vmcs01_virtual_x2apic_mode; + /* L2 must run next, and mustn't decide to exit to L1. */ + bool nested_run_pending; + /* +@@ -8184,6 +8185,12 @@ static void vmx_set_virtual_x2apic_mode( + { + u32 sec_exec_control; + ++ /* Postpone execution until vmcs01 is the current VMCS. 
*/ ++ if (is_guest_mode(vcpu)) { ++ to_vmx(vcpu)->nested.change_vmcs01_virtual_x2apic_mode = true; ++ return; ++ } ++ + /* + * There is not point to enable virtualize x2apic without enable + * apicv +@@ -10483,6 +10490,12 @@ static void nested_vmx_vmexit(struct kvm + /* Update TSC_OFFSET if TSC was changed while L2 ran */ + vmcs_write64(TSC_OFFSET, vmx->nested.vmcs01_tsc_offset); + ++ if (vmx->nested.change_vmcs01_virtual_x2apic_mode) { ++ vmx->nested.change_vmcs01_virtual_x2apic_mode = false; ++ vmx_set_virtual_x2apic_mode(vcpu, ++ vcpu->arch.apic_base & X2APIC_ENABLE); ++ } ++ + /* This is needed for same reason as it was needed in prepare_vmcs02 */ + vmx->host_rsp = 0; + diff --git a/queue-4.4/series b/queue-4.4/series index 2041aa13b21..34050b94a83 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -69,3 +69,6 @@ brcmsmac-initialize-power-in-brcms_c_stf_ss_algo_channel_get.patch powerpc-prom-fix-sub-processor-option-passed-to-ibm-client-architecture-support.patch sysctl-handle-error-writing-uint_max-to-u32-fields.patch asoc-omap-mcpdm-fix-irq-resource-handling.patch +kernel-fork-fix-clone_child_cleartid-regression-in-nscd.patch +dmaengine-at_xdmac-fix-to-pass-correct-device-identity-to-free_irq.patch +kvm-nvmx-postpone-vmcs-changes-on-msr_ia32_apicbase-write.patch
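Review bot: in the vmx_set_virtual_x2apic_mode() hunk the early return under is_guest_mode(vcpu) records only a boolean and discards the `set` argument; the deferred call in nested_vmx_vmexit() later recomputes it from vcpu->arch.apic_base & X2APIC_ENABLE. That is the right behaviour (if L2 toggles x2APIC several times before exiting, the last value wins and vmcs01 ends up matching apic_base), but it is a non-obvious choice and the comment above the return should say that the mode is re-derived at apply time rather than captured here. The changelog's security point also belongs in that comment: applying the write while vmcs02 is current flips the secondary exec controls on vmcs02 while the merged MSR bitmap still assumes virtualized x2APIC, which is what let L2 reach L0's x2APIC MSRs; a one-line pointer to that in the code saves the next reader from rediscovering why simply applying the change to vmcs01 immediately was not done.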
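Review bot: in the nested_vmx_vmexit() hunk the pending change is applied and cleared only on this path, and nothing in the patch clears or applies nested.change_vmcs01_virtual_x2apic_mode on any other path that leaves guest mode or tears nested state down (free_nested on VMXOFF, for instance); if any such path skips nested_vmx_vmexit(), vmcs01's virtualize-x2APIC setting stays stale relative to apic_base, or a stale true is applied on some later unrelated exit. Please either confirm in the changelog that every exit from guest mode in this tree funnels through nested_vmx_vmexit(), or reset the flag where nested_vmx is torn down. The placement itself is right, since it follows the TSC_OFFSET write to vmcs01 and so runs with vmcs01 current, as the comment in the other hunk requires; the new struct field relies on nested_vmx starting zeroed for its initial false, which holds as long as the vcpu is zero-allocated but is worth a word. Finally, the series change only appends the patch; given the changelog describes an L2-to-L0 isolation break, the stable submission should flag it as a security fix so distributions pick it up.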