From: Greg Kroah-Hartman Date: Fri, 7 Sep 2018 09:31:19 +0000 (+0200) Subject: 4.18-stable patches X-Git-Tag: v4.18.7~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c5947a9cccf80d589ac08f1a03e299ffcd7411de;p=thirdparty%2Fkernel%2Fstable-queue.git 4.18-stable patches added patches: 9p-fix-multiple-null-pointer-dereferences.patch 9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch apparmor-fix-bad-debug-check-in-apparmor_secid_to_secctx.patch cxl-fix-wrong-comparison-in-cxl_adapter_context_get.patch dma-buf-move-bug_on-from-_add_shared_fence-to-_add_shared_inplace.patch fix-kexec-forbidding-kernels-signed-with-keys-in-the-secondary-keyring-to-boot.patch fs-9p-xattr.c-catch-the-error-of-p9_client_clunk-when-setting-xattr-failed.patch ib-mlx5-fix-leaking-stack-memory-to-userspace.patch ib-mlx5-honor-cnt_set_id_valid-flag-instead-of-set_id.patch ib-srpt-fix-srpt_cm_req_recv-error-path-1-2.patch ib-srpt-fix-srpt_cm_req_recv-error-path-2-2.patch ib-srpt-support-hcas-with-more-than-two-ports.patch ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch ib_srpt-fix-a-use-after-free-in-srpt_close_ch.patch libertas-fix-suspend-and-resume-for-sdio-connected-cards.patch mailbox-xgene-slimpro-fix-potential-null-pointer-dereference.patch media-revert-tvp5150-fix-pad-format-frame-height.patch net-9p-client.c-version-pointer-uninitialized.patch net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch ocxl-fix-page-fault-handler-in-case-of-fault-on-dying-process.patch powerpc-64s-fix-page-table-fragment-refcount-race-vs-speculative-references.patch powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch powerpc-nohash-fix-pte_access_permitted.patch powerpc-pkeys-deny-read-write-execute-by-default.patch powerpc-pkeys-fix-calculation-of-total-pkeys.patch powerpc-pkeys-give-all-threads-control-of-their-key-permissions.patch powerpc-pkeys-key-allocation-deallocation-must-not-change-pkey-registers.patch 
powerpc-pkeys-preallocate-execute-only-key.patch powerpc-pkeys-save-the-pkey-registers-before-fork.patch powerpc-powernv-pci-work-around-races-in-pci-bridge-enabling.patch powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch powerpc64-ftrace-include-ftrace.h-needed-for-enable-disable-calls.patch rdma-mlx5-fix-shift-overflow-in-mlx5_ib_create_wq.patch rdma-rxe-set-wqe-status-correctly-if-an-unexpected-response-is-received.patch replace-magic-for-trusting-the-secondary-keyring-with-define.patch --- diff --git a/queue-4.18/9p-fix-multiple-null-pointer-dereferences.patch b/queue-4.18/9p-fix-multiple-null-pointer-dereferences.patch new file mode 100644 index 00000000000..a82b0f915b2 --- /dev/null +++ b/queue-4.18/9p-fix-multiple-null-pointer-dereferences.patch 
@@ -0,0 +1,82 @@ +From 10aa14527f458e9867cf3d2cc6b8cb0f6704448b Mon Sep 17 00:00:00 2001 +From: Tomas Bortoli +Date: Fri, 27 Jul 2018 13:05:58 +0200 +Subject: 9p: fix multiple NULL-pointer-dereferences + +From: Tomas Bortoli + +commit 10aa14527f458e9867cf3d2cc6b8cb0f6704448b upstream. + +Added checks to prevent GPFs from raising. + +Link: http://lkml.kernel.org/r/20180727110558.5479-1-tomasbortoli@gmail.com +Signed-off-by: Tomas Bortoli +Reported-by: syzbot+1a262da37d3bead15c39@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman + +--- + net/9p/trans_fd.c | 5 ++++- + net/9p/trans_rdma.c | 3 +++ + net/9p/trans_virtio.c | 3 +++ + net/9p/trans_xen.c | 3 +++ + 4 files changed, 13 insertions(+), 1 deletion(-) + +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -940,7 +940,7 @@ p9_fd_create_tcp(struct p9_client *clien + if (err < 0) + return err; + +- if (valid_ipaddr4(addr) < 0) ++ if (addr == NULL || valid_ipaddr4(addr) < 0) + return -EINVAL; + + csocket = NULL; +@@ -990,6 +990,9 @@ p9_fd_create_unix(struct p9_client *clie + + csocket = NULL; + ++ if (addr == NULL) ++ return -EINVAL; ++ + if (strlen(addr) >= UNIX_PATH_MAX) { + pr_err("%s (%d): address too long: %s\n", + __func__, task_pid_nr(current), addr); +--- a/net/9p/trans_rdma.c ++++ b/net/9p/trans_rdma.c +@@ -644,6 +644,9 @@ rdma_create_trans(struct p9_client *clie + struct rdma_conn_param conn_param; + struct ib_qp_init_attr qp_attr; + ++ if (addr == NULL) ++ return -EINVAL; ++ + /* Parse the transport specific mount options */ + err = parse_opts(args, &opts); + if (err < 0) +--- a/net/9p/trans_virtio.c ++++ b/net/9p/trans_virtio.c +@@ -650,6 +650,9 @@ p9_virtio_create(struct p9_client *clien + int ret = -ENOENT; + int found = 0; + ++ if (devname == NULL) ++ return -EINVAL; ++ + mutex_lock(&virtio_9p_lock); + list_for_each_entry(chan, &virtio_chan_list, chan_list) { + if (!strncmp(devname, chan->tag, chan->tag_len) && +--- 
a/net/9p/trans_xen.c ++++ b/net/9p/trans_xen.c +@@ -94,6 +94,9 @@ static int p9_xen_create(struct p9_clien + { + struct xen_9pfs_front_priv *priv; + ++ if (addr == NULL) ++ return -EINVAL; ++ + read_lock(&xen_9pfs_lock); + list_for_each_entry(priv, &xen_9pfs_devs, list) { + if (!strcmp(priv->tag, addr)) { diff --git a/queue-4.18/9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch b/queue-4.18/9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch new file mode 100644 index 00000000000..bb6daaaf809 --- /dev/null +++ b/queue-4.18/9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch @@ -0,0 +1,44 @@ +From 23cba9cbde0bba05d772b335fe5f66aa82b9ad19 Mon Sep 17 00:00:00 2001 +From: jiangyiwen +Date: Fri, 3 Aug 2018 12:11:34 +0800 +Subject: 9p/virtio: fix off-by-one error in sg list bounds check + +From: jiangyiwen + +commit 23cba9cbde0bba05d772b335fe5f66aa82b9ad19 upstream. + +Because the value of limit is VIRTQUEUE_NUM, if index is equal to +limit, it will cause sg array out of bounds, so correct the judgement +of BUG_ON. + +Link: http://lkml.kernel.org/r/5B63D5F6.6080109@huawei.com +Signed-off-by: Yiwen Jiang +Reported-By: Dan Carpenter +Acked-by: Jun Piao +Cc: stable@vger.kernel.org +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman + +--- + net/9p/trans_virtio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/9p/trans_virtio.c ++++ b/net/9p/trans_virtio.c +@@ -188,7 +188,7 @@ static int pack_sg_list(struct scatterli + s = rest_of_page(data); + if (s > count) + s = count; +- BUG_ON(index > limit); ++ BUG_ON(index >= limit); + /* Make sure we don't terminate early. */ + sg_unmark_end(&sg[index]); + sg_set_buf(&sg[index++], data, s); +@@ -233,6 +233,7 @@ pack_sg_list_p(struct scatterlist *sg, i + s = PAGE_SIZE - data_off; + if (s > count) + s = count; ++ BUG_ON(index >= limit); + /* Make sure we don't terminate early. */ + sg_unmark_end(&sg[index]); + sg_set_page(&sg[index++], pdata[i++], s, data_off); 
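Review bot: The four added NULL guards each return a bare -EINVAL from inside a transport `create` callback, and the same check is repeated in trans_fd (twice), trans_rdma, trans_virtio and trans_xen instead of once at the point that dispatches to them, which is outside this patch. If a NULL address is a legitimate caller-side condition, a single check at the dispatch site would also cover transports added later; if it is not, a one-line comment at each guard would tell the next reader why the callback tolerates it, e.g. `/* @addr may be NULL when no address was supplied; reject rather than crash. */`. The trans_virtio match `strncmp(devname, chan->tag, chan->tag_len)` just below the new guard is untouched and still compares only `chan->tag_len` bytes, so it remains a prefix match. Every patched function starts before and continues after its hunk.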
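Review bot: `BUG_ON(index >= limit)` in pack_sg_list() and pack_sg_list_p() turns an sg-table overflow into a kernel panic, so a request the caller sized wrongly becomes a guest-side denial of service rather than a failed I/O. pack_sg_list() is declared `int` in the hunk header, so `if (WARN_ON_ONCE(index >= limit)) return -ENOSPC;` would keep the bound without crashing, provided the callers (not shown) propagate a negative return; the same applies to pack_sg_list_p() if its return type allows it. The corrected bound itself is right: `sg[index]` is written immediately after the check, so `index == limit` was a one-past-the-end write. Both functions begin before the hunk and their return statements are outside it.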
diff --git a/queue-4.18/apparmor-fix-bad-debug-check-in-apparmor_secid_to_secctx.patch b/queue-4.18/apparmor-fix-bad-debug-check-in-apparmor_secid_to_secctx.patch new file mode 100644 index 00000000000..9ee2f281c24 --- /dev/null +++ b/queue-4.18/apparmor-fix-bad-debug-check-in-apparmor_secid_to_secctx.patch 
@@ -0,0 +1,98 @@ +From edf4e7b7b9104b58fddfcd073bd7dcc1585d5326 Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Sat, 1 Sep 2018 01:57:52 -0700 +Subject: apparmor: fix bad debug check in apparmor_secid_to_secctx() + +From: John Johansen + +commit edf4e7b7b9104b58fddfcd073bd7dcc1585d5326 upstream. + +apparmor_secid_to_secctx() has a bad debug statement tripping on a +condition handle by the code. When kconfig SECURITY_APPARMOR_DEBUG is +enabled the debug WARN_ON will trip when **secdata is NULL resulting +in the following trace. + +------------[ cut here ]------------ +AppArmor WARN apparmor_secid_to_secctx: ((!secdata)): +WARNING: CPU: 0 PID: 14826 at security/apparmor/secid.c:82 apparmor_secid_to_secctx+0x2b5/0x2f0 security/apparmor/secid.c:82 +Kernel panic - not syncing: panic_on_warn set ... + +CPU: 0 PID: 14826 Comm: syz-executor1 Not tainted 4.19.0-rc1+ #193 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113 + panic+0x238/0x4e7 kernel/panic.c:184 + __warn.cold.8+0x163/0x1ba kernel/panic.c:536 + report_bug+0x252/0x2d0 lib/bug.c:186 + fixup_bug arch/x86/kernel/traps.c:178 [inline] + do_error_trap+0x1fc/0x4d0 arch/x86/kernel/traps.c:296 + do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316 + invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:993 +RIP: 0010:apparmor_secid_to_secctx+0x2b5/0x2f0 security/apparmor/secid.c:82 +Code: c7 c7 40 66 58 87 e8 6a 6d 0f fe 0f 0b e9 6c fe ff ff e8 3e aa 44 fe 48 c7 c6 80 67 58 87 48 c7 c7 a0 65 58 87 e8 4b 6d 0f fe <0f> 0b e9 3f fe ff ff 48 89 df e8 fc a7 83 fe e9 ed fe ff ff bb f4 +RSP: 0018:ffff8801ba1bed10 EFLAGS: 00010286 +RAX: 0000000000000000 RBX: ffff8801ba1beed0 RCX: ffffc9000227e000 +RDX: 0000000000018482 RSI: ffffffff8163ac01 RDI: 0000000000000001 +RBP: ffff8801ba1bed30 R08: ffff8801b80ec080 R09: ffffed003b603eca +R10: ffffed003b603eca R11: ffff8801db01f657 R12: 
0000000000000001 +R13: 0000000000000000 R14: 0000000000000000 R15: ffff8801ba1beed0 + security_secid_to_secctx+0x63/0xc0 security/security.c:1314 + ctnetlink_secctx_size net/netfilter/nf_conntrack_netlink.c:621 [inline] + ctnetlink_nlmsg_size net/netfilter/nf_conntrack_netlink.c:659 [inline] + ctnetlink_conntrack_event+0x303/0x1470 net/netfilter/nf_conntrack_netlink.c:706 + nf_conntrack_eventmask_report+0x55f/0x930 net/netfilter/nf_conntrack_ecache.c:151 + nf_conntrack_event_report include/net/netfilter/nf_conntrack_ecache.h:112 [inline] + nf_ct_delete+0x33c/0x5d0 net/netfilter/nf_conntrack_core.c:601 + nf_ct_iterate_cleanup+0x48c/0x5e0 net/netfilter/nf_conntrack_core.c:1892 + nf_ct_iterate_cleanup_net+0x23c/0x2d0 net/netfilter/nf_conntrack_core.c:1974 + ctnetlink_flush_conntrack net/netfilter/nf_conntrack_netlink.c:1226 [inline] + ctnetlink_del_conntrack+0x66c/0x850 net/netfilter/nf_conntrack_netlink.c:1258 + nfnetlink_rcv_msg+0xd88/0x1070 net/netfilter/nfnetlink.c:228 + netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2454 + nfnetlink_rcv+0x1c0/0x4d0 net/netfilter/nfnetlink.c:560 + netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] + netlink_unicast+0x5a0/0x760 net/netlink/af_netlink.c:1343 + netlink_sendmsg+0xa18/0xfc0 net/netlink/af_netlink.c:1908 + sock_sendmsg_nosec net/socket.c:621 [inline] + sock_sendmsg+0xd5/0x120 net/socket.c:631 + ___sys_sendmsg+0x7fd/0x930 net/socket.c:2114 + __sys_sendmsg+0x11d/0x290 net/socket.c:2152 + __do_sys_sendmsg net/socket.c:2161 [inline] + __se_sys_sendmsg net/socket.c:2159 [inline] + __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2159 + do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x457089 +Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f7bc6e03c78 EFLAGS: 00000246 ORIG_RAX: 
000000000000002e +RAX: ffffffffffffffda RBX: 00007f7bc6e046d4 RCX: 0000000000457089 +RDX: 0000000000000000 RSI: 0000000020d65000 RDI: 0000000000000003 +RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff +R13: 00000000004d4588 R14: 00000000004c8d5c R15: 0000000000000000 +Dumping ftrace buffer: + (ftrace buffer empty) +Kernel Offset: disabled +Rebooting in 86400 seconds.. + +CC: #4.18 +Fixes: c092921219d2 ("apparmor: add support for mapping secids and using secctxes") +Reported-by: syzbot+21016130b0580a9de3b5@syzkaller.appspotmail.com +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman + +--- + security/apparmor/secid.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/security/apparmor/secid.c ++++ b/security/apparmor/secid.c +@@ -79,7 +79,6 @@ int apparmor_secid_to_secctx(u32 secid, + struct aa_label *label = aa_secid_to_label(secid); + int len; + +- AA_BUG(!secdata); + AA_BUG(!seclen); + + if (!label) diff --git a/queue-4.18/cxl-fix-wrong-comparison-in-cxl_adapter_context_get.patch b/queue-4.18/cxl-fix-wrong-comparison-in-cxl_adapter_context_get.patch new file mode 100644 index 00000000000..562cd9255bd --- /dev/null +++ b/queue-4.18/cxl-fix-wrong-comparison-in-cxl_adapter_context_get.patch 
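Review bot: Dropping `AA_BUG(!secdata)` leaves nothing in apparmor_secid_to_secctx() stating that `secdata` is an optional output, yet the trace shows ctnetlink_secctx_size() reaching security_secid_to_secctx() with a NULL secdata purely to size the buffer. A comment where the assertion stood would stop someone re-adding it, e.g. `/* @secdata may be NULL: callers such as ctnetlink_secctx_size() only want @seclen. */`. The code that actually handles the NULL case is below the hunk and not visible here, so the wording should be checked against it. The function body continues past the hunk.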
@@ -0,0 +1,42 @@
+From ef6cb5f1a048fdf91ccee6d63d2bfa293338502d Mon Sep 17 00:00:00 2001
+From: Vaibhav Jain
+Date: Wed, 4 Jul 2018 20:58:33 +0530
+Subject: cxl: Fix wrong comparison in cxl_adapter_context_get()
+
+From: Vaibhav Jain
+
+commit ef6cb5f1a048fdf91ccee6d63d2bfa293338502d upstream.
+
+Function atomic_inc_unless_negative() returns a bool to indicate
+success/failure. However cxl_adapter_context_get() wrongly compares
+the return value against '>=0' which will always be true. The patch
+fixes this comparison to '==0' there by also fixing this compile time
+warning:
+
+ drivers/misc/cxl/main.c:290 cxl_adapter_context_get()
+ warn: 'atomic_inc_unless_negative(&adapter->contexts_num)' is unsigned
+
+Fixes: 70b565bbdb91 ("cxl: Prevent adapter reset if an active context exists")
+Cc: stable@vger.kernel.org # v4.9+
+Reported-by: Dan Carpenter
+Signed-off-by: Vaibhav Jain
+Acked-by: Andrew Donnellan
+Acked-by: Frederic Barrat
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/misc/cxl/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/cxl/main.c
++++ b/drivers/misc/cxl/main.c
+@@ -287,7 +287,7 @@ int cxl_adapter_context_get(struct cxl *
+ int rc;
+
+ rc = atomic_inc_unless_negative(&adapter->contexts_num);
+- return rc >= 0 ? 0 : -EBUSY;
++ return rc ? 0 : -EBUSY;
+ }
+
+ void cxl_adapter_context_put(struct cxl *adapter)
diff --git a/queue-4.18/dma-buf-move-bug_on-from-_add_shared_fence-to-_add_shared_inplace.patch b/queue-4.18/dma-buf-move-bug_on-from-_add_shared_fence-to-_add_shared_inplace.patch
new file mode 100644
index 00000000000..d3be635f141
--- /dev/null
+++ b/queue-4.18/dma-buf-move-bug_on-from-_add_shared_fence-to-_add_shared_inplace.patch
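Review bot: `rc` is still declared `int` while it now holds the bool result of atomic_inc_unless_negative(), which is exactly the type confusion that produced the original `>= 0` comparison; the intermediate is not needed. `return atomic_inc_unless_negative(&adapter->contexts_num) ? 0 : -EBUSY;` removes it, or at minimum declare it `bool rc;` so the next reader cannot repeat the mistake. The hunk starts mid-function at `int rc;`, so any other locals of cxl_adapter_context_get() are not visible.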
@@ -0,0 +1,74 @@ +From 7f43ef9f0d98abbc0eb5e697628ec06756bf60a9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michel=20D=C3=A4nzer?= +Date: Wed, 4 Jul 2018 17:14:05 +0200 +Subject: dma-buf: Move BUG_ON from _add_shared_fence to _add_shared_inplace +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michel Dänzer + +commit 7f43ef9f0d98abbc0eb5e697628ec06756bf60a9 upstream. + +Fixes the BUG_ON spuriously triggering under the following +circumstances: + +* reservation_object_reserve_shared is called with shared_count == + shared_max - 1, so obj->staged is freed in preparation of an in-place + update. + +* reservation_object_add_shared_fence is called with the first fence, + after which shared_count == shared_max. + +* reservation_object_add_shared_fence is called with a follow-up fence + from the same context. + +In the second reservation_object_add_shared_fence call, the BUG_ON +triggers. However, nothing bad would happen in +reservation_object_add_shared_inplace, since both fences are from the +same context, so they only occupy a single slot. + +Prevent this by moving the BUG_ON to where an overflow would actually +happen (e.g. if a buggy caller didn't call +reservation_object_reserve_shared before). 
+ +v2: +* Fix description of breaking scenario (Christian König) +* Add bugzilla reference + +Cc: stable@vger.kernel.org +Bugzilla: https://bugs.freedesktop.org/106418 +Reviewed-by: Chris Wilson # v1 +Reviewed-by: Christian König # v1 +Signed-off-by: Michel Dänzer +Signed-off-by: Sumit Semwal +Link: https://patchwork.freedesktop.org/patch/msgid/20180704151405.10357-1-michel@daenzer.net +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma-buf/reservation.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/dma-buf/reservation.c ++++ b/drivers/dma-buf/reservation.c +@@ -141,6 +141,7 @@ reservation_object_add_shared_inplace(st + if (signaled) { + RCU_INIT_POINTER(fobj->shared[signaled_idx], fence); + } else { ++ BUG_ON(fobj->shared_count >= fobj->shared_max); + RCU_INIT_POINTER(fobj->shared[fobj->shared_count], fence); + fobj->shared_count++; + } +@@ -230,10 +231,9 @@ void reservation_object_add_shared_fence + old = reservation_object_get_list(obj); + obj->staged = NULL; + +- if (!fobj) { +- BUG_ON(old->shared_count >= old->shared_max); ++ if (!fobj) + reservation_object_add_shared_inplace(obj, old, fence); +- } else ++ else + reservation_object_add_shared_replace(obj, old, fobj, fence); + } + EXPORT_SYMBOL(reservation_object_add_shared_fence); diff --git a/queue-4.18/fix-kexec-forbidding-kernels-signed-with-keys-in-the-secondary-keyring-to-boot.patch b/queue-4.18/fix-kexec-forbidding-kernels-signed-with-keys-in-the-secondary-keyring-to-boot.patch new file mode 100644 index 00000000000..193ef0128ec --- /dev/null +++ b/queue-4.18/fix-kexec-forbidding-kernels-signed-with-keys-in-the-secondary-keyring-to-boot.patch 
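Review bot: The relocated `BUG_ON(fobj->shared_count >= fobj->shared_max)` in reservation_object_add_shared_inplace() now sits in the non-signaled branch with nothing in the code saying why hitting it is a caller bug rather than a normal full-list condition; the commit message explains this but the source does not. A comment above it, `/* Overflow here means the caller skipped reservation_object_reserve_shared(). */`, would carry that reasoning to where a future reader meets the panic. Both hunks cut through their functions; the rest of each body is outside the patch.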
@@ -0,0 +1,41 @@
+From ea93102f32244e3f45c8b26260be77ed0cc1d16c Mon Sep 17 00:00:00 2001
+From: Yannik Sembritzki
+Date: Thu, 16 Aug 2018 14:05:23 +0100
+Subject: Fix kexec forbidding kernels signed with keys in the secondary keyring to boot
+
+From: Yannik Sembritzki
+
+commit ea93102f32244e3f45c8b26260be77ed0cc1d16c upstream.
+
+The split of .system_keyring into .builtin_trusted_keys and
+.secondary_trusted_keys broke kexec, thereby preventing kernels signed by
+keys which are now in the secondary keyring from being kexec'd.
+
+Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
+verify_pefile_signature().
+
+Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically")
+Signed-off-by: Yannik Sembritzki
+Signed-off-by: David Howells
+Cc: kexec@lists.infradead.org
+Cc: keyrings@vger.kernel.org
+Cc: linux-security-module@vger.kernel.org
+Cc: stable@kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/kexec-bzimage64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/kexec-bzimage64.c
++++ b/arch/x86/kernel/kexec-bzimage64.c
+@@ -532,7 +532,7 @@ static int bzImage64_cleanup(void *loade
+ static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
+ {
+ return verify_pefile_signature(kernel, kernel_len,
+- NULL,
++ VERIFY_USE_SECONDARY_KEYRING,
+ VERIFYING_KEXEC_PE_SIGNATURE);
+ }
+ #endif
diff --git a/queue-4.18/fs-9p-xattr.c-catch-the-error-of-p9_client_clunk-when-setting-xattr-failed.patch b/queue-4.18/fs-9p-xattr.c-catch-the-error-of-p9_client_clunk-when-setting-xattr-failed.patch
new file mode 100644
index 00000000000..d79f05efe76
--- /dev/null
+++ b/queue-4.18/fs-9p-xattr.c-catch-the-error-of-p9_client_clunk-when-setting-xattr-failed.patch
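Review bot: Replacing `NULL` with `VERIFY_USE_SECONDARY_KEYRING` widens the set of keys that may authorize a kexec_file_load() image from .builtin_trusted_keys to .secondary_trusted_keys as well, a trust-policy decision that the call site should state rather than leave implicit, e.g. `/* Also trust .secondary_trusted_keys; its restriction only admits keys vouched for by an already trusted key (see certs/system_keyring.c). */` — confirm the restriction wording against that file, which is not shown. The change also depends on the `VERIFY_USE_SECONDARY_KEYRING` macro existing in 4.18; the sibling `replace-magic-for-trusting-the-secondary-keyring-with-define.patch` queued in this same commit appears to introduce it, so the series order must apply that patch first or this file will not compile. bzImage64_verify_sig() is shown in full, but the `#ifdef` block it sits in opens before the hunk.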
@@ -0,0 +1,62 @@ +From 3111784bee81591ea2815011688d28b65df03627 Mon Sep 17 00:00:00 2001 +From: piaojun +Date: Wed, 25 Jul 2018 11:13:16 +0800 +Subject: fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed + +From: piaojun + +commit 3111784bee81591ea2815011688d28b65df03627 upstream. + +In my testing, v9fs_fid_xattr_set will return successfully even if the +backend ext4 filesystem has no space to store xattr key-value. That will +cause inconsistent behavior between front end and back end. The reason is +that lsetxattr will be triggered by p9_client_clunk, and unfortunately we +did not catch the error. This patch will catch the error to notify upper +caller. + +p9_client_clunk (in 9p) + p9_client_rpc(clnt, P9_TCLUNK, "d", fid->fid); + v9fs_clunk (in qemu) + put_fid + free_fid + v9fs_xattr_fid_clunk + v9fs_co_lsetxattr + s->ops->lsetxattr + ext4_xattr_user_set (in host ext4 filesystem) + +Link: http://lkml.kernel.org/r/5B57EACC.2060900@huawei.com +Signed-off-by: Jun Piao +Cc: Eric Van Hensbergen +Cc: Ron Minnich +Cc: Latchesar Ionkov +Cc: Andrew Morton +Cc: stable@vger.kernel.org +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman + +--- + fs/9p/xattr.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/9p/xattr.c ++++ b/fs/9p/xattr.c +@@ -105,7 +105,7 @@ int v9fs_fid_xattr_set(struct p9_fid *fi + { + struct kvec kvec = {.iov_base = (void *)value, .iov_len = value_len}; + struct iov_iter from; +- int retval; ++ int retval, err; + + iov_iter_kvec(&from, WRITE | ITER_KVEC, &kvec, 1, value_len); + +@@ -126,7 +126,9 @@ int v9fs_fid_xattr_set(struct p9_fid *fi + retval); + else + p9_client_write(fid, 0, &from, &retval); +- p9_client_clunk(fid); ++ err = p9_client_clunk(fid); ++ if (!retval && err) ++ retval = err; + return retval; + } + 
diff --git a/queue-4.18/ib-mlx5-fix-leaking-stack-memory-to-userspace.patch b/queue-4.18/ib-mlx5-fix-leaking-stack-memory-to-userspace.patch
new file mode 100644
index 00000000000..c12b2cd8803
--- /dev/null
+++ b/queue-4.18/ib-mlx5-fix-leaking-stack-memory-to-userspace.patch
@@ -0,0 +1,33 @@
+From 0625b4ba1a5d4703c7fb01c497bd6c156908af00 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe
+Date: Tue, 14 Aug 2018 15:33:52 -0600
+Subject: IB/mlx5: Fix leaking stack memory to userspace
+
+From: Jason Gunthorpe
+
+commit 0625b4ba1a5d4703c7fb01c497bd6c156908af00 upstream.
+
+mlx5_ib_create_qp_resp was never initialized and only the first 4 bytes
+were written.
+
+Fixes: 41d902cb7c32 ("RDMA/mlx5: Fix definition of mlx5_ib_create_qp_resp")
+Cc:
+Acked-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/mlx5/qp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -1626,7 +1626,7 @@ static int create_qp_common(struct mlx5_
+ struct mlx5_ib_resources *devr = &dev->devr;
+ int inlen = MLX5_ST_SZ_BYTES(create_qp_in);
+ struct mlx5_core_dev *mdev = dev->mdev;
+- struct mlx5_ib_create_qp_resp resp;
++ struct mlx5_ib_create_qp_resp resp = {};
+ struct mlx5_ib_cq *send_cq;
+ struct mlx5_ib_cq *recv_cq;
+ unsigned long flags;
diff --git a/queue-4.18/ib-mlx5-honor-cnt_set_id_valid-flag-instead-of-set_id.patch b/queue-4.18/ib-mlx5-honor-cnt_set_id_valid-flag-instead-of-set_id.patch
new file mode 100644
index 00000000000..2c08c999fe5
--- /dev/null
+++ b/queue-4.18/ib-mlx5-honor-cnt_set_id_valid-flag-instead-of-set_id.patch
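Review bot: `= {}` zero-initializes the named members of `resp` but the C standard does not require it to clear padding bytes, and per the commit message `resp` is copied to userspace later in create_qp_common(); if struct mlx5_ib_create_qp_resp carries implicit padding the leak is reduced, not removed. For a uapi struct that leaves the kernel, `memset(&resp, 0, sizeof(resp));` before the first write is the conservative choice, unless the definition is confirmed to have explicit reserved fields and no padding (the Fixes: title suggests that was addressed, but the struct is not visible here). The function continues well past the hunk and the copy-out itself is not shown.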
@@ -0,0 +1,37 @@
+From 921c0f5ba58e4064deb18b4985a202508fc5527f Mon Sep 17 00:00:00 2001
+From: Parav Pandit
+Date: Sun, 8 Jul 2018 13:40:30 +0300
+Subject: IB/mlx5: Honor cnt_set_id_valid flag instead of set_id
+
+From: Parav Pandit
+
+commit 921c0f5ba58e4064deb18b4985a202508fc5527f upstream.
+
+It is incorrect to depend on set_id value to know if counters were
+allocated or not. set_id_valid field is set to true when counters
+were allocated. Therefore, use set_id_valid while deciding to
+free counters.
+
+Cc: # 4.15
+Fixes: aac4492ef23a ("IB/mlx5: Update counter implementation for dual port RoCE")
+Signed-off-by: Parav Pandit
+Reviewed-by: Daniel Jurgens
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/mlx5/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -4694,7 +4694,7 @@ static void mlx5_ib_dealloc_counters(str
+ int i;
+
+ for (i = 0; i < dev->num_ports; i++) {
+- if (dev->port[i].cnts.set_id)
++ if (dev->port[i].cnts.set_id_valid)
+ mlx5_core_dealloc_q_counter(dev->mdev,
+ dev->port[i].cnts.set_id);
+ kfree(dev->port[i].cnts.names);
diff --git a/queue-4.18/ib-srpt-fix-srpt_cm_req_recv-error-path-1-2.patch b/queue-4.18/ib-srpt-fix-srpt_cm_req_recv-error-path-1-2.patch
new file mode 100644
index 00000000000..80313785adc
--- /dev/null
+++ b/queue-4.18/ib-srpt-fix-srpt_cm_req_recv-error-path-1-2.patch
@@ -0,0 +1,77 @@ +From 847462de3a0aabc5343a1e338537f69a03bb61af Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Tue, 10 Jul 2018 10:31:58 -0700 +Subject: IB/srpt: Fix srpt_cm_req_recv() error path (1/2) + +From: Bart Van Assche + +commit 847462de3a0aabc5343a1e338537f69a03bb61af upstream. + +Once a target session has been allocated, if an error occurs, the session +must be freed. Since it is not safe to call blocking code from the context +of an connection manager callback, trigger target session release in this +case by calling srpt_close_ch(). + +Fixes: db7683d7deb2 ("IB/srpt: Fix login-related race conditions") +Signed-off-by: Bart Van Assche +Cc: +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -2087,7 +2087,7 @@ static int srpt_cm_req_recv(struct srpt_ + struct rdma_conn_param rdma_cm; + struct ib_cm_rep_param ib_cm; + } *rep_param = NULL; +- struct srpt_rdma_ch *ch; ++ struct srpt_rdma_ch *ch = NULL; + char i_port_id[36]; + u32 it_iu_len; + int i, ret; +@@ -2234,13 +2234,15 @@ static int srpt_cm_req_recv(struct srpt_ + TARGET_PROT_NORMAL, + i_port_id + 2, ch, NULL); + if (IS_ERR_OR_NULL(ch->sess)) { ++ WARN_ON_ONCE(ch->sess == NULL); + ret = PTR_ERR(ch->sess); ++ ch->sess = NULL; + pr_info("Rejected login for initiator %s: ret = %d.\n", + ch->sess_name, ret); + rej->reason = cpu_to_be32(ret == -ENOMEM ? 
+ SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES : + SRP_LOGIN_REJ_CHANNEL_LIMIT_REACHED); +- goto reject; ++ goto destroy_ib; + } + + mutex_lock(&sport->mutex); +@@ -2279,7 +2281,7 @@ static int srpt_cm_req_recv(struct srpt_ + rej->reason = cpu_to_be32(SRP_LOGIN_REJ_INSUFFICIENT_RESOURCES); + pr_err("rejected SRP_LOGIN_REQ because enabling RTR failed (error code = %d)\n", + ret); +- goto destroy_ib; ++ goto reject; + } + + pr_debug("Establish connection sess=%p name=%s ch=%p\n", ch->sess, +@@ -2379,6 +2381,15 @@ reject: + ib_send_cm_rej(ib_cm_id, IB_CM_REJ_CONSUMER_DEFINED, NULL, 0, + rej, sizeof(*rej)); + ++ if (ch && ch->sess) { ++ srpt_close_ch(ch); ++ /* ++ * Tell the caller not to free cm_id since ++ * srpt_release_channel_work() will do that. ++ */ ++ ret = 0; ++ } ++ + out: + kfree(rep_param); + kfree(rsp); diff --git a/queue-4.18/ib-srpt-fix-srpt_cm_req_recv-error-path-2-2.patch b/queue-4.18/ib-srpt-fix-srpt_cm_req_recv-error-path-2-2.patch new file mode 100644 index 00000000000..e937065de17 --- /dev/null +++ b/queue-4.18/ib-srpt-fix-srpt_cm_req_recv-error-path-2-2.patch 
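Review bot: In the `IS_ERR_OR_NULL(ch->sess)` branch, `ret = PTR_ERR(ch->sess)` evaluates to 0 when `ch->sess` is NULL, which is exactly the case the new `WARN_ON_ONCE` flags; the login is then rejected (with CHANNEL_LIMIT_REACHED, since `ret != -ENOMEM`) yet the function returns 0, and by the comment added at `reject:` a zero return tells the caller not to free cm_id even though srpt_close_ch() never ran, because `ch->sess` is NULL at the `if (ch && ch->sess)` test. `ret = ch->sess ? PTR_ERR(ch->sess) : -ENOMEM;` gives the NULL case a real error and makes the `rej->reason` selection below pick INSUFFICIENT_RESOURCES. This matters only if target_alloc_session() can actually return NULL; if it cannot, the WARN_ON_ONCE is dead code and could go. srpt_cm_req_recv() begins before the first hunk and the `destroy_ib`/`free_ring` labels lie between the visible hunks.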
@@ -0,0 +1,37 @@
+From 6869e0004fe16184acd6488f0c637e0081a84a8a Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Tue, 10 Jul 2018 10:31:59 -0700
+Subject: IB/srpt: Fix srpt_cm_req_recv() error path (2/2)
+
+From: Bart Van Assche
+
+commit 6869e0004fe16184acd6488f0c637e0081a84a8a upstream.
+
+If a login request was received through the RDMA/CM and if an error occurs
+during login, clear rdma_cm_id->context instead of ib_cm_id->context.
+
+Fixes: 63cf1a902c9d ("IB/srpt: Add RDMA/CM support")
+Signed-off-by: Bart Van Assche
+Cc:
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -2360,8 +2360,11 @@ free_ring:
+ srpt_free_ioctx_ring((struct srpt_ioctx **)ch->ioctx_ring,
+ ch->sport->sdev, ch->rq_size,
+ ch->max_rsp_size, DMA_TO_DEVICE);
++
+ free_ch:
+- if (ib_cm_id)
++ if (rdma_cm_id)
++ rdma_cm_id->context = NULL;
++ else
+ ib_cm_id->context = NULL;
+ kfree(ch);
+ ch = NULL;
diff --git a/queue-4.18/ib-srpt-support-hcas-with-more-than-two-ports.patch b/queue-4.18/ib-srpt-support-hcas-with-more-than-two-ports.patch
new file mode 100644
index 00000000000..76d9071b61b
--- /dev/null
+++ b/queue-4.18/ib-srpt-support-hcas-with-more-than-two-ports.patch
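Review bot: The `free_ch:` path now writes `ib_cm_id->context` in the `else` branch without the NULL check that the removed `if (ib_cm_id)` provided, so it is safe only if srpt_cm_req_recv() is always entered with exactly one of `rdma_cm_id` and `ib_cm_id` non-NULL. That invariant is not stated anywhere in the hunk; either keep the guard as `else if (ib_cm_id)` or add `/* exactly one of rdma_cm_id / ib_cm_id is set by the caller */` above the branch so the dereference is visibly justified. The labels belong to srpt_cm_req_recv(), whose body is outside the hunk.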
@@ -0,0 +1,74 @@ +From e620ebfc228dcbef7519e3d16f43c6c6f1a1d0cb Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Tue, 26 Jun 2018 15:24:48 -0700 +Subject: IB/srpt: Support HCAs with more than two ports + +From: Bart Van Assche + +commit e620ebfc228dcbef7519e3d16f43c6c6f1a1d0cb upstream. + +Since there are adapters that have four ports, increase the size of +the srpt_device.port[] array. This patch avoids that the following +warning is hit with quad port Chelsio adapters: + + WARN_ON(sdev->device->phys_port_cnt > ARRAY_SIZE(sdev->port)); + +Reported-by: Steve Wise +Signed-off-by: Bart Van Assche +Cc: Steve Wise +Cc: Christoph Hellwig +Cc: +Reviewed-by: Steve Wise +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 5 ++--- + drivers/infiniband/ulp/srpt/ib_srpt.h | 4 ++-- + 2 files changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -2983,7 +2983,8 @@ static void srpt_add_one(struct ib_devic + + pr_debug("device = %p\n", device); + +- sdev = kzalloc(sizeof(*sdev), GFP_KERNEL); ++ sdev = kzalloc(struct_size(sdev, port, device->phys_port_cnt), ++ GFP_KERNEL); + if (!sdev) + goto err; + +@@ -3037,8 +3038,6 @@ static void srpt_add_one(struct ib_devic + srpt_event_handler); + ib_register_event_handler(&sdev->event_handler); + +- WARN_ON(sdev->device->phys_port_cnt > ARRAY_SIZE(sdev->port)); +- + for (i = 1; i <= sdev->device->phys_port_cnt; i++) { + sport = &sdev->port[i - 1]; + INIT_LIST_HEAD(&sport->nexus_list); +--- a/drivers/infiniband/ulp/srpt/ib_srpt.h ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.h +@@ -396,9 +396,9 @@ struct srpt_port { + * @sdev_mutex: Serializes use_srq changes. + * @use_srq: Whether or not to use SRQ. + * @ioctx_ring: Per-HCA SRQ. +- * @port: Information about the ports owned by this HCA. + * @event_handler: Per-HCA asynchronous IB event handler. + * @list: Node in srpt_dev_list. 
++ * @port: Information about the ports owned by this HCA. + */ + struct srpt_device { + struct ib_device *device; +@@ -410,9 +410,9 @@ struct srpt_device { + struct mutex sdev_mutex; + bool use_srq; + struct srpt_recv_ioctx **ioctx_ring; +- struct srpt_port port[2]; + struct ib_event_handler event_handler; + struct list_head list; ++ struct srpt_port port[]; + }; + + #endif /* IB_SRPT_H */ diff --git a/queue-4.18/ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch b/queue-4.18/ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch new file mode 100644 index 00000000000..6e07b84b87b --- /dev/null +++ b/queue-4.18/ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch 
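Review bot: The moved kernel-doc line `@port: Information about the ports owned by this HCA.` no longer conveys that `port[]` is now a flexible array whose length is fixed at allocation, which is precisely the bound the deleted `WARN_ON(... > ARRAY_SIZE(sdev->port))` used to enforce. Suggest `@port: Per-port state; phys_port_cnt entries, sized with struct_size() in srpt_add_one().` so the limit is documented where the array is declared rather than only at the one allocation site. srpt_add_one() already iterates by `sdev->device->phys_port_cnt`, so that contract matches the code shown; any other user of the old fixed size is outside this patch.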
@@ -0,0 +1,53 @@
+From 14d15c2b278011056482eb015dff89f9cbf2b841 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Mon, 2 Jul 2018 14:08:45 -0700
+Subject: ib_srpt: Fix a use-after-free in __srpt_close_all_ch()
+
+From: Bart Van Assche
+
+commit 14d15c2b278011056482eb015dff89f9cbf2b841 upstream.
+
+BUG: KASAN: use-after-free in srpt_set_enabled+0x1a9/0x1e0 [ib_srpt]
+Read of size 4 at addr ffff8801269d23f8 by task check/29726
+
+CPU: 4 PID: 29726 Comm: check Not tainted 4.18.0-rc2-dbg+ #4
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+Call Trace:
+ dump_stack+0xa4/0xf5
+ print_address_description+0x6f/0x270
+ kasan_report+0x241/0x360
+ __asan_load4+0x78/0x80
+ srpt_set_enabled+0x1a9/0x1e0 [ib_srpt]
+ srpt_tpg_enable_store+0xb8/0x120 [ib_srpt]
+ configfs_write_file+0x14e/0x1d0 [configfs]
+ __vfs_write+0xd2/0x3b0
+ vfs_write+0x101/0x270
+ ksys_write+0xab/0x120
+ __x64_sys_write+0x43/0x50
+ do_syscall_64+0x77/0x230
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x7f235cfe6154
+
+Fixes: aaf45bd83eba ("IB/srpt: Detect session shutdown reliably")
+Signed-off-by: Bart Van Assche
+Cc:
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -1939,8 +1939,8 @@ static void __srpt_close_all_ch(struct s
+ list_for_each_entry(nexus, &sport->nexus_list, entry) {
+ list_for_each_entry(ch, &nexus->ch_list, list) {
+ if (srpt_disconnect_ch(ch) >= 0)
+- pr_info("Closing channel %s-%d because target %s_%d has been disabled\n",
+- ch->sess_name, ch->qp->qp_num,
++ pr_info("Closing channel %s because target %s_%d has been disabled\n",
++ ch->sess_name,
+ sport->sdev->device->name, sport->port);
+ srpt_close_ch(ch);
+ }
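Review bot: The new `pr_info()` drops `ch->qp->qp_num` without saying why, so the next person tidying log messages is likely to put it back; a one-line comment above the call would keep the reason from the commit message with the code, e.g. `/* ch->qp may already have been destroyed here; only ch->sess_name is safe to log */`. The same applies to the `pr_debug("%s: already closed\n", ch->sess_name);` in the srpt_close_ch() patch that follows, which removes the same `qp_num` argument for the same reason. Whether `ch` itself is guaranteed live at this point cannot be confirmed from the hunk alone. The enclosing __srpt_close_all_ch() starts and ends outside the hunk.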
diff --git a/queue-4.18/ib_srpt-fix-a-use-after-free-in-srpt_close_ch.patch b/queue-4.18/ib_srpt-fix-a-use-after-free-in-srpt_close_ch.patch
new file mode 100644
index 00000000000..ae7b59f8c18
--- /dev/null
+++ b/queue-4.18/ib_srpt-fix-a-use-after-free-in-srpt_close_ch.patch
@@ -0,0 +1,54 @@
+From 995250959d22fc341b5424e3343b0ce5df672461 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Mon, 2 Jul 2018 14:08:18 -0700
+Subject: ib_srpt: Fix a use-after-free in srpt_close_ch()
+
+From: Bart Van Assche
+
+commit 995250959d22fc341b5424e3343b0ce5df672461 upstream.
+
+Avoid that KASAN reports the following:
+
+BUG: KASAN: use-after-free in srpt_close_ch+0x4f/0x1b0 [ib_srpt]
+Read of size 4 at addr ffff880151180cb8 by task check/4681
+
+CPU: 15 PID: 4681 Comm: check Not tainted 4.18.0-rc2-dbg+ #4
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+Call Trace:
+ dump_stack+0xa4/0xf5
+ print_address_description+0x6f/0x270
+ kasan_report+0x241/0x360
+ __asan_load4+0x78/0x80
+ srpt_close_ch+0x4f/0x1b0 [ib_srpt]
+ srpt_set_enabled+0xf7/0x1e0 [ib_srpt]
+ srpt_tpg_enable_store+0xb8/0x120 [ib_srpt]
+ configfs_write_file+0x14e/0x1d0 [configfs]
+ __vfs_write+0xd2/0x3b0
+ vfs_write+0x101/0x270
+ ksys_write+0xab/0x120
+ __x64_sys_write+0x43/0x50
+ do_syscall_64+0x77/0x230
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: aaf45bd83eba ("IB/srpt: Detect session shutdown reliably")
+Signed-off-by: Bart Van Assche
+Cc:
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -1833,8 +1833,7 @@ static bool srpt_close_ch(struct srpt_rd
+ int ret;
+ 
+ if (!srpt_set_ch_state(ch, CH_DRAINING)) {
+- pr_debug("%s-%d: already closed\n", ch->sess_name,
+- ch->qp->qp_num);
++ pr_debug("%s: already closed\n", ch->sess_name);
+ return false;
+ }
+ 
diff --git a/queue-4.18/libertas-fix-suspend-and-resume-for-sdio-connected-cards.patch b/queue-4.18/libertas-fix-suspend-and-resume-for-sdio-connected-cards.patch
new file mode 100644
index 00000000000..9726857433d
--- /dev/null
+++ b/queue-4.18/libertas-fix-suspend-and-resume-for-sdio-connected-cards.patch 
@@ -0,0 +1,114 @@ +From 7444a8092906ed44c09459780c56ba57043e39b1 Mon Sep 17 00:00:00 2001 +From: Daniel Mack +Date: Wed, 27 Jun 2018 20:58:45 +0200 +Subject: libertas: fix suspend and resume for SDIO connected cards + +From: Daniel Mack + +commit 7444a8092906ed44c09459780c56ba57043e39b1 upstream. + +Prior to commit 573185cc7e64 ("mmc: core: Invoke sdio func driver's PM +callbacks from the sdio bus"), the MMC core used to call into the power +management functions of SDIO clients itself and removed the card if the +return code was non-zero. IOW, the mmc handled errors gracefully and didn't +upchain them to the pm core. + +Since this change, the mmc core relies on generic power management +functions which treat all errors as a reason to cancel the suspend +immediately. This causes suspend attempts to fail when the libertas +driver is loaded. + +To fix this, power down the card explicitly in if_sdio_suspend() when we +know we're about to lose power and return success. Also set a flag in these +cases, and power up the card again in if_sdio_resume(). 
+ +Fixes: 573185cc7e64 ("mmc: core: Invoke sdio func driver's PM callbacks from the sdio bus") +Cc: +Signed-off-by: Daniel Mack +Reviewed-by: Chris Ball +Reviewed-by: Ulf Hansson +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/marvell/libertas/dev.h | 1 + drivers/net/wireless/marvell/libertas/if_sdio.c | 30 +++++++++++++++++++----- + 2 files changed, 25 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/marvell/libertas/dev.h ++++ b/drivers/net/wireless/marvell/libertas/dev.h +@@ -104,6 +104,7 @@ struct lbs_private { + u8 fw_ready; + u8 surpriseremoved; + u8 setup_fw_on_resume; ++ u8 power_up_on_resume; + int (*hw_host_to_card) (struct lbs_private *priv, u8 type, u8 *payload, u16 nb); + void (*reset_card) (struct lbs_private *priv); + int (*power_save) (struct lbs_private *priv); +--- a/drivers/net/wireless/marvell/libertas/if_sdio.c ++++ b/drivers/net/wireless/marvell/libertas/if_sdio.c +@@ -1290,15 +1290,23 @@ static void if_sdio_remove(struct sdio_f + static int if_sdio_suspend(struct device *dev) + { + struct sdio_func *func = dev_to_sdio_func(dev); +- int ret; + struct if_sdio_card *card = sdio_get_drvdata(func); ++ struct lbs_private *priv = card->priv; ++ int ret; + + mmc_pm_flag_t flags = sdio_get_host_pm_caps(func); ++ priv->power_up_on_resume = false; + + /* If we're powered off anyway, just let the mmc layer remove the + * card. */ +- if (!lbs_iface_active(card->priv)) +- return -ENOSYS; ++ if (!lbs_iface_active(priv)) { ++ if (priv->fw_ready) { ++ priv->power_up_on_resume = true; ++ if_sdio_power_off(card); ++ } ++ ++ return 0; ++ } + + dev_info(dev, "%s: suspend: PM flags = 0x%x\n", + sdio_func_id(func), flags); +@@ -1306,9 +1314,14 @@ static int if_sdio_suspend(struct device + /* If we aren't being asked to wake on anything, we should bail out + * and let the SD stack power down the card. 
+ */ +- if (card->priv->wol_criteria == EHS_REMOVE_WAKEUP) { ++ if (priv->wol_criteria == EHS_REMOVE_WAKEUP) { + dev_info(dev, "Suspend without wake params -- powering down card\n"); +- return -ENOSYS; ++ if (priv->fw_ready) { ++ priv->power_up_on_resume = true; ++ if_sdio_power_off(card); ++ } ++ ++ return 0; + } + + if (!(flags & MMC_PM_KEEP_POWER)) { +@@ -1321,7 +1334,7 @@ static int if_sdio_suspend(struct device + if (ret) + return ret; + +- ret = lbs_suspend(card->priv); ++ ret = lbs_suspend(priv); + if (ret) + return ret; + +@@ -1336,6 +1349,11 @@ static int if_sdio_resume(struct device + + dev_info(dev, "%s: resume: we're back\n", sdio_func_id(func)); + ++ if (card->priv->power_up_on_resume) { ++ if_sdio_power_on(card); ++ wait_event(card->pwron_waitq, card->priv->fw_ready); ++ } ++ + ret = lbs_resume(card->priv); + + return ret; diff --git a/queue-4.18/mailbox-xgene-slimpro-fix-potential-null-pointer-dereference.patch b/queue-4.18/mailbox-xgene-slimpro-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..47e210cad39 --- /dev/null +++ b/queue-4.18/mailbox-xgene-slimpro-fix-potential-null-pointer-dereference.patch 
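Review bot: The power-off-and-flag block `if (priv->fw_ready) { priv->power_up_on_resume = true; if_sdio_power_off(card); }` is now duplicated verbatim in both early-return paths of if_sdio_suspend(); a small static helper keeps the two in step when the next condition is added. Separately, the resume side waits with `wait_event(card->pwron_waitq, card->priv->fw_ready)`, which is uninterruptible and unbounded, so a card whose firmware does not come back after power-on would block resume indefinitely; whether if_sdio_power_on() can fail that way is not visible here, but a bounded wait (`wait_event_timeout`) with a `dev_err` on expiry is the safer shape. Note also that `power_up_on_resume` is declared `u8` in dev.h yet assigned `true`/`false`; `bool` would match its use. Both if_sdio_suspend() and if_sdio_resume() extend beyond the hunk.
```c
/* Power the card down ahead of suspend and remember to bring it back up
 * in if_sdio_resume(); only meaningful once the firmware has been loaded. */
static void if_sdio_power_down_for_suspend(struct if_sdio_card *card)
{
	struct lbs_private *priv = card->priv;

	if (priv->fw_ready) {
		priv->power_up_on_resume = true;
		if_sdio_power_off(card);
	}
}

/* … unchanged: if_sdio_suspend() up to the lbs_iface_active() test … */
	if (!lbs_iface_active(priv)) {
		if_sdio_power_down_for_suspend(card);
		return 0;
	}
/* … unchanged: PM flags dev_info() … */
	if (priv->wol_criteria == EHS_REMOVE_WAKEUP) {
		dev_info(dev, "Suspend without wake params -- powering down card\n");
		if_sdio_power_down_for_suspend(card);
		return 0;
	}
```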
@@ -0,0 +1,43 @@
+From 3512a18cbd8d09e22a790540cb9624c3c49827ba Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Thu, 26 Jul 2018 12:11:39 -0500
+Subject: mailbox: xgene-slimpro: Fix potential NULL pointer dereference
+
+From: Gustavo A. R. Silva
+
+commit 3512a18cbd8d09e22a790540cb9624c3c49827ba upstream.
+
+There is a potential execution path in which function
+platform_get_resource() returns NULL. If this happens,
+we will end up having a NULL pointer dereference.
+
+Fix this by replacing devm_ioremap with devm_ioremap_resource,
+which has the NULL check and the memory region request.
+
+This code was detected with the help of Coccinelle.
+
+Cc: stable@vger.kernel.org
+Fixes: f700e84f417b ("mailbox: Add support for APM X-Gene platform mailbox driver")
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: Jassi Brar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mailbox/mailbox-xgene-slimpro.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mailbox/mailbox-xgene-slimpro.c
++++ b/drivers/mailbox/mailbox-xgene-slimpro.c
+@@ -195,9 +195,9 @@ static int slimpro_mbox_probe(struct pla
+ platform_set_drvdata(pdev, ctx);
+ 
+ regs = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- mb_base = devm_ioremap(&pdev->dev, regs->start, resource_size(regs));
+- if (!mb_base)
+- return -ENOMEM;
++ mb_base = devm_ioremap_resource(&pdev->dev, regs);
++ if (IS_ERR(mb_base))
++ return PTR_ERR(mb_base);
+ 
+ /* Setup mailbox links */
+ for (i = 0; i < MBOX_CNT; i++) {
diff --git a/queue-4.18/media-revert-tvp5150-fix-pad-format-frame-height.patch b/queue-4.18/media-revert-tvp5150-fix-pad-format-frame-height.patch
new file mode 100644
index 00000000000..31b94f49944
--- /dev/null
+++ b/queue-4.18/media-revert-tvp5150-fix-pad-format-frame-height.patch
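Review bot: Besides the NULL check, `devm_ioremap_resource()` also requests the memory region, so probe will now fail where the old `devm_ioremap()` silently mapped a range another driver had already claimed; that is the right behaviour, but it is a change in failure modes worth a one-line comment at the call site, e.g. `/* also requests the region; probe fails if another driver already owns it */`. The NULL `regs` case is handled inside the helper, so the `platform_get_resource()` line needs no check of its own. slimpro_mbox_probe() continues outside the hunk.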
@@ -0,0 +1,44 @@
+From 1831af092308aa5a59ae61e47494e441c8be6b93 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Sun, 10 Jun 2018 16:43:02 -0400
+Subject: media: Revert "[media] tvp5150: fix pad format frame height"
+
+From: Javier Martinez Canillas
+
+commit 1831af092308aa5a59ae61e47494e441c8be6b93 upstream.
+
+This reverts commit 0866df8dffd514185bfab0d205db76e4c02cf1e4.
+
+The v4l uAPI documentation [0] makes clear that in the case of interlaced
+video (i.e: field is V4L2_FIELD_ALTERNATE) the height refers to the number
+of lines in the field and not the number of lines in the full frame (which
+is twice the field height for interlaced formats).
+
+So the original height calculation was correct, and it shouldn't had been
+changed by the mentioned commit.
+
+[0]:https://linuxtv.org/downloads/v4l-dvb-apis/uapi/v4l/subdev-formats.html
+
+Fixes: 0866df8dffd5 ("[media] tvp5150: fix pad format frame height")
+
+Signed-off-by: Javier Martinez Canillas
+Cc: # for v4.12 and up
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/i2c/tvp5150.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/tvp5150.c
++++ b/drivers/media/i2c/tvp5150.c
+@@ -872,7 +872,7 @@ static int tvp5150_fill_fmt(struct v4l2_
+ f = &format->format;
+ 
+ f->width = decoder->rect.width;
+- f->height = decoder->rect.height;
++ f->height = decoder->rect.height / 2;
+ 
+ f->code = MEDIA_BUS_FMT_UYVY8_2X8;
+ f->field = V4L2_FIELD_ALTERNATE;
diff --git a/queue-4.18/net-9p-client.c-version-pointer-uninitialized.patch b/queue-4.18/net-9p-client.c-version-pointer-uninitialized.patch
new file mode 100644
index 00000000000..be9411141b8
--- /dev/null
+++ b/queue-4.18/net-9p-client.c-version-pointer-uninitialized.patch
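Review bot: `f->height = decoder->rect.height / 2;` is exactly the line the reverted commit "fixed", and with no comment the same correction will be attempted again; the reasoning from the commit message belongs next to the code, e.g. `/* V4L2_FIELD_ALTERNATE: height is the field height, i.e. half the frame */`. Placing it on the line above `f->height` keeps it next to the `f->field = V4L2_FIELD_ALTERNATE;` assignment that justifies it. tvp5150_fill_fmt() continues outside the hunk.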
@@ -0,0 +1,43 @@
+From 7913690dcc5e18e235769fd87c34143072f5dbea Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli
+Date: Tue, 10 Jul 2018 00:29:43 +0200
+Subject: net/9p/client.c: version pointer uninitialized
+
+From: Tomas Bortoli
+
+commit 7913690dcc5e18e235769fd87c34143072f5dbea upstream.
+
+The p9_client_version() does not initialize the version pointer. If the
+call to p9pdu_readf() returns an error and version has not been allocated
+in p9pdu_readf(), then the program will jump to the "error" label and will
+try to free the version pointer. If version is not initialized, free()
+will be called with uninitialized, garbage data and will provoke a crash.
+
+Link: http://lkml.kernel.org/r/20180709222943.19503-1-tomasbortoli@gmail.com
+Signed-off-by: Tomas Bortoli
+Reported-by: syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com
+Reviewed-by: Jun Piao
+Reviewed-by: Yiwen Jiang
+Cc: Eric Van Hensbergen
+Cc: Ron Minnich
+Cc: Latchesar Ionkov
+Signed-off-by: Andrew Morton
+Cc: stable@vger.kernel.org
+Signed-off-by: Dominique Martinet
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/9p/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -958,7 +958,7 @@ static int p9_client_version(struct p9_c
+ {
+ int err = 0;
+ struct p9_req_t *req;
+- char *version;
++ char *version = NULL;
+ int msize;
+ 
+ p9_debug(P9_DEBUG_9P, ">>> TVERSION msize %d protocol %d\n",
diff --git a/queue-4.18/net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch b/queue-4.18/net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch
new file mode 100644
index 00000000000..b54af0a98ce
--- /dev/null
+++ b/queue-4.18/net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch
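Review bot: `char *version = NULL;` fixes the crash by making the free at the `error` label a no-op when `p9pdu_readf()` fails before allocating, but nothing at the declaration records that dependency; a brief comment such as `/* freed at the error label; must stay NULL until p9pdu_readf() allocates it */` keeps the invariant with the variable for the next edit of this function. The rest of p9_client_version(), including the error label, lies outside the hunk.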
@@ -0,0 +1,39 @@
+From 430ac66eb4c5b5c4eb846b78ebf65747510b30f1 Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli
+Date: Fri, 20 Jul 2018 11:27:30 +0200
+Subject: net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
+
+From: Tomas Bortoli
+
+commit 430ac66eb4c5b5c4eb846b78ebf65747510b30f1 upstream.
+
+The patch adds the flush in p9_mux_poll_stop() as it the function used by
+p9_conn_destroy(), in turn called by p9_fd_close() to stop the async
+polling associated with the data regarding the connection.
+
+Link: http://lkml.kernel.org/r/20180720092730.27104-1-tomasbortoli@gmail.com
+Signed-off-by: Tomas Bortoli
+Reported-by: syzbot+39749ed7d9ef6dfb23f6@syzkaller.appspotmail.com
+To: Eric Van Hensbergen
+To: Ron Minnich
+To: Latchesar Ionkov
+Cc: Yiwen Jiang
+Cc: stable@vger.kernel.org
+Signed-off-by: Dominique Martinet
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/9p/trans_fd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -185,6 +185,8 @@ static void p9_mux_poll_stop(struct p9_c
+ spin_lock_irqsave(&p9_poll_lock, flags);
+ list_del_init(&m->poll_pending_link);
+ spin_unlock_irqrestore(&p9_poll_lock, flags);
++
++ flush_work(&p9_poll_work);
+ }
+ 
+ /**
diff --git a/queue-4.18/ocxl-fix-page-fault-handler-in-case-of-fault-on-dying-process.patch b/queue-4.18/ocxl-fix-page-fault-handler-in-case-of-fault-on-dying-process.patch
new file mode 100644
index 00000000000..7d2e0bcdc66
--- /dev/null
+++ b/queue-4.18/ocxl-fix-page-fault-handler-in-case-of-fault-on-dying-process.patch
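Review bot: The added `flush_work(&p9_poll_work);` carries no comment saying what it orders against; the commit message says the caller frees the connection right after, so state that at the call site, e.g. `/* p9_poll_work may still be referencing m; wait for it before the caller frees m */`. Whether the poll callback can requeue the work after this flush is not visible from the hunk; if it can, the `list_del_init()` above under `p9_poll_lock` is presumably what prevents that, and the comment should say so. p9_mux_poll_stop() begins outside the hunk.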
@@ -0,0 +1,93 @@ +From d497ebf5fb3a026c0817f8c96cde578787f24093 Mon Sep 17 00:00:00 2001 +From: Frederic Barrat +Date: Mon, 18 Jun 2018 14:14:36 +0200 +Subject: ocxl: Fix page fault handler in case of fault on dying process + +From: Frederic Barrat + +commit d497ebf5fb3a026c0817f8c96cde578787f24093 upstream. + +If a process exits without doing proper cleanup, there's a window +where an opencapi device can try to access the memory of the dying +process and may trigger a page fault. That's an expected scenario and +the ocxl driver holds a reference on the mm_struct of the process +until the opencapi device is notified of the process exiting. +However, if mm_users is already at 0, i.e. the address space of the +process has already been destroyed, the driver shouldn't try resolving +the page fault, as it will fail, but it can also try accessing already +freed data. + +It is fixed by only calling the bottom half of the page fault handler +if mm_users is greater than 0 and get a reference on mm_users instead +of mm_count. Otherwise, we can safely return a translation fault to +the device, as its associated memory context is being removed. The +opencapi device will be properly cleaned up shortly after when closing +the file descriptors. 
+ +Fixes: 5ef3166e8a32 ("ocxl: Driver code for 'generic' opencapi devices") +Cc: stable@vger.kernel.org # v4.16+ +Signed-off-by: Frederic Barrat +Reviewed-By: Alastair D'Silva +Acked-by: Andrew Donnellan +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/ocxl/link.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/drivers/misc/ocxl/link.c ++++ b/drivers/misc/ocxl/link.c +@@ -136,7 +136,7 @@ static void xsl_fault_handler_bh(struct + int rc; + + /* +- * We need to release a reference on the mm whenever exiting this ++ * We must release a reference on mm_users whenever exiting this + * function (taken in the memory fault interrupt handler) + */ + rc = copro_handle_mm_fault(fault->pe_data.mm, fault->dar, fault->dsisr, +@@ -172,7 +172,7 @@ static void xsl_fault_handler_bh(struct + } + r = RESTART; + ack: +- mmdrop(fault->pe_data.mm); ++ mmput(fault->pe_data.mm); + ack_irq(spa, r); + } + +@@ -184,6 +184,7 @@ static irqreturn_t xsl_fault_handler(int + struct pe_data *pe_data; + struct ocxl_process_element *pe; + int lpid, pid, tid; ++ bool schedule = false; + + read_irq(spa, &dsisr, &dar, &pe_handle); + trace_ocxl_fault(spa->spa_mem, pe_handle, dsisr, dar, -1); +@@ -226,14 +227,19 @@ static irqreturn_t xsl_fault_handler(int + } + WARN_ON(pe_data->mm->context.id != pid); + +- spa->xsl_fault.pe = pe_handle; +- spa->xsl_fault.dar = dar; +- spa->xsl_fault.dsisr = dsisr; +- spa->xsl_fault.pe_data = *pe_data; +- mmgrab(pe_data->mm); /* mm count is released by bottom half */ +- ++ if (mmget_not_zero(pe_data->mm)) { ++ spa->xsl_fault.pe = pe_handle; ++ spa->xsl_fault.dar = dar; ++ spa->xsl_fault.dsisr = dsisr; ++ spa->xsl_fault.pe_data = *pe_data; ++ schedule = true; ++ /* mm_users count released by bottom half */ ++ } + rcu_read_unlock(); +- schedule_work(&spa->xsl_fault.fault_work); ++ if (schedule) ++ schedule_work(&spa->xsl_fault.fault_work); ++ else ++ ack_irq(spa, ADDRESS_ERROR); + return 
IRQ_HANDLED; + } + diff --git a/queue-4.18/powerpc-64s-fix-page-table-fragment-refcount-race-vs-speculative-references.patch b/queue-4.18/powerpc-64s-fix-page-table-fragment-refcount-race-vs-speculative-references.patch new file mode 100644 index 00000000000..c28eebc467e --- /dev/null +++ b/queue-4.18/powerpc-64s-fix-page-table-fragment-refcount-race-vs-speculative-references.patch 
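Review bot: The new local `bool schedule = false;` in xsl_fault_handler() shadows the kernel's `schedule()` function; it compiles because the name is only ever read as a value, but it defeats `-Wshadow` and reads oddly at `if (schedule)`, so rename it, e.g. `bool schedule_bh = false;`. The comment `/* mm_users count released by bottom half */` now sits after `schedule = true;` rather than on the `mmget_not_zero()` call whose reference it describes; moving it onto the `if (mmget_not_zero(pe_data->mm)) {` line keeps the acquire and its ownership note together. The `else ack_irq(spa, ADDRESS_ERROR);` branch deserves a one-line comment as well, e.g. `/* mm already torn down: report a translation fault; the device is cleaned up on close */`. xsl_fault_handler() starts outside the hunk.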
@@ -0,0 +1,137 @@ +From 4231aba000f5a4583dd9f67057aadb68c3eca99d Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Fri, 27 Jul 2018 21:48:17 +1000 +Subject: powerpc/64s: Fix page table fragment refcount race vs speculative references + +From: Nicholas Piggin + +commit 4231aba000f5a4583dd9f67057aadb68c3eca99d upstream. + +The page table fragment allocator uses the main page refcount racily +with respect to speculative references. A customer observed a BUG due +to page table page refcount underflow in the fragment allocator. This +can be caused by the fragment allocator set_page_count stomping on a +speculative reference, and then the speculative failure handler +decrements the new reference, and the underflow eventually pops when +the page tables are freed. + +Fix this by using a dedicated field in the struct page for the page +table fragment allocator. + +Fixes: 5c1f6ee9a31c ("powerpc: Reduce PTE table memory wastage") +Cc: stable@vger.kernel.org # v3.10+ +Reviewed-by: Aneesh Kumar K.V +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/mmu_context_book3s64.c | 8 ++++---- + arch/powerpc/mm/pgtable-book3s64.c | 17 +++++++++++------ + include/linux/mm_types.h | 5 ++++- + 3 files changed, 19 insertions(+), 11 deletions(-) + +--- a/arch/powerpc/mm/mmu_context_book3s64.c ++++ b/arch/powerpc/mm/mmu_context_book3s64.c +@@ -200,9 +200,9 @@ static void pte_frag_destroy(void *pte_f + /* drop all the pending references */ + count = ((unsigned long)pte_frag & ~PAGE_MASK) >> PTE_FRAG_SIZE_SHIFT; + /* We allow PTE_FRAG_NR fragments from a PTE page */ +- if (page_ref_sub_and_test(page, PTE_FRAG_NR - count)) { ++ if (atomic_sub_and_test(PTE_FRAG_NR - count, &page->pt_frag_refcount)) { + pgtable_page_dtor(page); +- free_unref_page(page); ++ __free_page(page); + } + } + +@@ -215,9 +215,9 @@ static void pmd_frag_destroy(void *pmd_f + /* drop all the pending references */ + count = ((unsigned long)pmd_frag & 
~PAGE_MASK) >> PMD_FRAG_SIZE_SHIFT; + /* We allow PTE_FRAG_NR fragments from a PTE page */ +- if (page_ref_sub_and_test(page, PMD_FRAG_NR - count)) { ++ if (atomic_sub_and_test(PMD_FRAG_NR - count, &page->pt_frag_refcount)) { + pgtable_pmd_page_dtor(page); +- free_unref_page(page); ++ __free_page(page); + } + } + +--- a/arch/powerpc/mm/pgtable-book3s64.c ++++ b/arch/powerpc/mm/pgtable-book3s64.c +@@ -270,6 +270,8 @@ static pmd_t *__alloc_for_pmdcache(struc + return NULL; + } + ++ atomic_set(&page->pt_frag_refcount, 1); ++ + ret = page_address(page); + /* + * if we support only one fragment just return the +@@ -285,7 +287,7 @@ static pmd_t *__alloc_for_pmdcache(struc + * count. + */ + if (likely(!mm->context.pmd_frag)) { +- set_page_count(page, PMD_FRAG_NR); ++ atomic_set(&page->pt_frag_refcount, PMD_FRAG_NR); + mm->context.pmd_frag = ret + PMD_FRAG_SIZE; + } + spin_unlock(&mm->page_table_lock); +@@ -308,9 +310,10 @@ void pmd_fragment_free(unsigned long *pm + { + struct page *page = virt_to_page(pmd); + +- if (put_page_testzero(page)) { ++ BUG_ON(atomic_read(&page->pt_frag_refcount) <= 0); ++ if (atomic_dec_and_test(&page->pt_frag_refcount)) { + pgtable_pmd_page_dtor(page); +- free_unref_page(page); ++ __free_page(page); + } + } + +@@ -352,6 +355,7 @@ static pte_t *__alloc_for_ptecache(struc + return NULL; + } + ++ atomic_set(&page->pt_frag_refcount, 1); + + ret = page_address(page); + /* +@@ -367,7 +371,7 @@ static pte_t *__alloc_for_ptecache(struc + * count. 
+ */ + if (likely(!mm->context.pte_frag)) { +- set_page_count(page, PTE_FRAG_NR); ++ atomic_set(&page->pt_frag_refcount, PTE_FRAG_NR); + mm->context.pte_frag = ret + PTE_FRAG_SIZE; + } + spin_unlock(&mm->page_table_lock); +@@ -390,10 +394,11 @@ void pte_fragment_free(unsigned long *ta + { + struct page *page = virt_to_page(table); + +- if (put_page_testzero(page)) { ++ BUG_ON(atomic_read(&page->pt_frag_refcount) <= 0); ++ if (atomic_dec_and_test(&page->pt_frag_refcount)) { + if (!kernel) + pgtable_page_dtor(page); +- free_unref_page(page); ++ __free_page(page); + } + } + +--- a/include/linux/mm_types.h ++++ b/include/linux/mm_types.h +@@ -139,7 +139,10 @@ struct page { + unsigned long _pt_pad_1; /* compound_head */ + pgtable_t pmd_huge_pte; /* protected by page->ptl */ + unsigned long _pt_pad_2; /* mapping */ +- struct mm_struct *pt_mm; /* x86 pgds only */ ++ union { ++ struct mm_struct *pt_mm; /* x86 pgds only */ ++ atomic_t pt_frag_refcount; /* powerpc */ ++ }; + #if ALLOC_SPLIT_PTLOCKS + spinlock_t *ptl; + #else diff --git a/queue-4.18/powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch b/queue-4.18/powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch new file mode 100644 index 00000000000..5c67f207c4a --- /dev/null +++ b/queue-4.18/powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch 
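Review bot: `pt_frag_refcount` is placed in a `union` with `pt_mm`, but the two one-word comments (`/* x86 pgds only */`, `/* powerpc */`) do not say the members are mutually exclusive per architecture, so a later use of `pt_mm` on powerpc would silently corrupt the fragment refcount; a short note on the union, e.g. `/* arch-private: x86 uses pt_mm for pgds, powerpc the fragment refcount; never both */`, makes the constraint explicit. In pmd_frag_destroy() the retained context comment `/* We allow PTE_FRAG_NR fragments from a PTE page */` now sits above a line that tests `PMD_FRAG_NR`, so it is worth correcting to `PMD_FRAG_NR`/`PMD page` while the line is touched. The new `atomic_set(&page->pt_frag_refcount, 1);` in both allocators precedes the later `atomic_set(..., PMD_FRAG_NR)`/`PTE_FRAG_NR` under `page_table_lock`; a one-line comment that the `1` covers the single-fragment return path would save the reader a second look. Each changed function extends beyond its hunk.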
@@ -0,0 +1,253 @@ +From 1bd6a1c4b80a28d975287630644e6b47d0f977a5 Mon Sep 17 00:00:00 2001 +From: Hari Bathini +Date: Tue, 7 Aug 2018 02:12:45 +0530 +Subject: powerpc/fadump: handle crash memory ranges array index overflow + +From: Hari Bathini + +commit 1bd6a1c4b80a28d975287630644e6b47d0f977a5 upstream. + +Crash memory ranges is an array of memory ranges of the crashing kernel +to be exported as a dump via /proc/vmcore file. The size of the array +is set based on INIT_MEMBLOCK_REGIONS, which works alright in most cases +where memblock memory regions count is less than INIT_MEMBLOCK_REGIONS +value. But this count can grow beyond INIT_MEMBLOCK_REGIONS value since +commit 142b45a72e22 ("memblock: Add array resizing support"). + +On large memory systems with a few DLPAR operations, the memblock memory +regions count could be larger than INIT_MEMBLOCK_REGIONS value. On such +systems, registering fadump results in crash or other system failures +like below: + + task: c00007f39a290010 ti: c00000000b738000 task.ti: c00000000b738000 + NIP: c000000000047df4 LR: c0000000000f9e58 CTR: c00000000010f180 + REGS: c00000000b73b570 TRAP: 0300 Tainted: G L X (4.4.140+) + MSR: 8000000000009033 CR: 22004484 XER: 20000000 + CFAR: c000000000008500 DAR: 000007a450000000 DSISR: 40000000 SOFTE: 0 + ... + NIP [c000000000047df4] smp_send_reschedule+0x24/0x80 + LR [c0000000000f9e58] resched_curr+0x138/0x160 + Call Trace: + resched_curr+0x138/0x160 (unreliable) + check_preempt_curr+0xc8/0xf0 + ttwu_do_wakeup+0x38/0x150 + try_to_wake_up+0x224/0x4d0 + __wake_up_common+0x94/0x100 + ep_poll_callback+0xac/0x1c0 + __wake_up_common+0x94/0x100 + __wake_up_sync_key+0x70/0xa0 + sock_def_readable+0x58/0xa0 + unix_stream_sendmsg+0x2dc/0x4c0 + sock_sendmsg+0x68/0xa0 + ___sys_sendmsg+0x2cc/0x2e0 + __sys_sendmsg+0x5c/0xc0 + SyS_socketcall+0x36c/0x3f0 + system_call+0x3c/0x100 + +as array index overflow is not checked for while setting up crash memory +ranges causing memory corruption. 
To resolve this issue, dynamically +allocate memory for crash memory ranges and resize it incrementally, +in units of pagesize, on hitting array size limit. + +Fixes: 2df173d9e85d ("fadump: Initialize elfcore header and add PT_LOAD program headers.") +Cc: stable@vger.kernel.org # v3.4+ +Signed-off-by: Hari Bathini +Reviewed-by: Mahesh Salgaonkar +[mpe: Just use PAGE_SIZE directly, fixup variable placement] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/fadump.h | 3 - + arch/powerpc/kernel/fadump.c | 91 ++++++++++++++++++++++++++++++++------ + 2 files changed, 77 insertions(+), 17 deletions(-) + +--- a/arch/powerpc/include/asm/fadump.h ++++ b/arch/powerpc/include/asm/fadump.h +@@ -195,9 +195,6 @@ struct fadump_crash_info_header { + struct cpumask online_mask; + }; + +-/* Crash memory ranges */ +-#define INIT_CRASHMEM_RANGES (INIT_MEMBLOCK_REGIONS + 2) +- + struct fad_crash_memory_ranges { + unsigned long long base; + unsigned long long size; +--- a/arch/powerpc/kernel/fadump.c ++++ b/arch/powerpc/kernel/fadump.c +@@ -47,8 +47,10 @@ static struct fadump_mem_struct fdm; + static const struct fadump_mem_struct *fdm_active; + + static DEFINE_MUTEX(fadump_mutex); +-struct fad_crash_memory_ranges crash_memory_ranges[INIT_CRASHMEM_RANGES]; ++struct fad_crash_memory_ranges *crash_memory_ranges; ++int crash_memory_ranges_size; + int crash_mem_ranges; ++int max_crash_mem_ranges; + + /* Scan the Firmware Assisted dump configuration details. 
*/ + int __init early_init_dt_scan_fw_dump(unsigned long node, +@@ -868,38 +870,88 @@ static int __init process_fadump(const s + return 0; + } + +-static inline void fadump_add_crash_memory(unsigned long long base, +- unsigned long long end) ++static void free_crash_memory_ranges(void) ++{ ++ kfree(crash_memory_ranges); ++ crash_memory_ranges = NULL; ++ crash_memory_ranges_size = 0; ++ max_crash_mem_ranges = 0; ++} ++ ++/* ++ * Allocate or reallocate crash memory ranges array in incremental units ++ * of PAGE_SIZE. ++ */ ++static int allocate_crash_memory_ranges(void) ++{ ++ struct fad_crash_memory_ranges *new_array; ++ u64 new_size; ++ ++ new_size = crash_memory_ranges_size + PAGE_SIZE; ++ pr_debug("Allocating %llu bytes of memory for crash memory ranges\n", ++ new_size); ++ ++ new_array = krealloc(crash_memory_ranges, new_size, GFP_KERNEL); ++ if (new_array == NULL) { ++ pr_err("Insufficient memory for setting up crash memory ranges\n"); ++ free_crash_memory_ranges(); ++ return -ENOMEM; ++ } ++ ++ crash_memory_ranges = new_array; ++ crash_memory_ranges_size = new_size; ++ max_crash_mem_ranges = (new_size / ++ sizeof(struct fad_crash_memory_ranges)); ++ return 0; ++} ++ ++static inline int fadump_add_crash_memory(unsigned long long base, ++ unsigned long long end) + { + if (base == end) +- return; ++ return 0; ++ ++ if (crash_mem_ranges == max_crash_mem_ranges) { ++ int ret; ++ ++ ret = allocate_crash_memory_ranges(); ++ if (ret) ++ return ret; ++ } + + pr_debug("crash_memory_range[%d] [%#016llx-%#016llx], %#llx bytes\n", + crash_mem_ranges, base, end - 1, (end - base)); + crash_memory_ranges[crash_mem_ranges].base = base; + crash_memory_ranges[crash_mem_ranges].size = end - base; + crash_mem_ranges++; ++ return 0; + } + +-static void fadump_exclude_reserved_area(unsigned long long start, ++static int fadump_exclude_reserved_area(unsigned long long start, + unsigned long long end) + { + unsigned long long ra_start, ra_end; ++ int ret = 0; + + ra_start = 
fw_dump.reserve_dump_area_start; + ra_end = ra_start + fw_dump.reserve_dump_area_size; + + if ((ra_start < end) && (ra_end > start)) { + if ((start < ra_start) && (end > ra_end)) { +- fadump_add_crash_memory(start, ra_start); +- fadump_add_crash_memory(ra_end, end); ++ ret = fadump_add_crash_memory(start, ra_start); ++ if (ret) ++ return ret; ++ ++ ret = fadump_add_crash_memory(ra_end, end); + } else if (start < ra_start) { +- fadump_add_crash_memory(start, ra_start); ++ ret = fadump_add_crash_memory(start, ra_start); + } else if (ra_end < end) { +- fadump_add_crash_memory(ra_end, end); ++ ret = fadump_add_crash_memory(ra_end, end); + } + } else +- fadump_add_crash_memory(start, end); ++ ret = fadump_add_crash_memory(start, end); ++ ++ return ret; + } + + static int fadump_init_elfcore_header(char *bufp) +@@ -939,10 +991,11 @@ static int fadump_init_elfcore_header(ch + * Traverse through memblock structure and setup crash memory ranges. These + * ranges will be used create PT_LOAD program headers in elfcore header. + */ +-static void fadump_setup_crash_memory_ranges(void) ++static int fadump_setup_crash_memory_ranges(void) + { + struct memblock_region *reg; + unsigned long long start, end; ++ int ret; + + pr_debug("Setup crash memory ranges.\n"); + crash_mem_ranges = 0; +@@ -953,7 +1006,9 @@ static void fadump_setup_crash_memory_ra + * specified during fadump registration. We need to create a separate + * program header for this chunk with the correct offset. + */ +- fadump_add_crash_memory(RMA_START, fw_dump.boot_memory_size); ++ ret = fadump_add_crash_memory(RMA_START, fw_dump.boot_memory_size); ++ if (ret) ++ return ret; + + for_each_memblock(memory, reg) { + start = (unsigned long long)reg->base; +@@ -973,8 +1028,12 @@ static void fadump_setup_crash_memory_ra + } + + /* add this range excluding the reserved dump area. 
*/ +- fadump_exclude_reserved_area(start, end); ++ ret = fadump_exclude_reserved_area(start, end); ++ if (ret) ++ return ret; + } ++ ++ return 0; + } + + /* +@@ -1097,6 +1156,7 @@ static int register_fadump(void) + { + unsigned long addr; + void *vaddr; ++ int ret; + + /* + * If no memory is reserved then we can not register for firmware- +@@ -1105,7 +1165,9 @@ static int register_fadump(void) + if (!fw_dump.reserve_dump_area_size) + return -ENODEV; + +- fadump_setup_crash_memory_ranges(); ++ ret = fadump_setup_crash_memory_ranges(); ++ if (ret) ++ return ret; + + addr = be64_to_cpu(fdm.rmr_region.destination_address) + be64_to_cpu(fdm.rmr_region.source_len); + /* Initialize fadump crash info header. */ +@@ -1183,6 +1245,7 @@ void fadump_cleanup(void) + } else if (fw_dump.dump_registered) { + /* Un-register Firmware-assisted dump if it was registered. */ + fadump_unregister_dump(&fdm); ++ free_crash_memory_ranges(); + } + } + diff --git a/queue-4.18/powerpc-nohash-fix-pte_access_permitted.patch b/queue-4.18/powerpc-nohash-fix-pte_access_permitted.patch new file mode 100644 index 00000000000..388872b37de --- /dev/null +++ b/queue-4.18/powerpc-nohash-fix-pte_access_permitted.patch 
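Review bot: In allocate_crash_memory_ranges() `new_size` is a `u64` but is stored into `crash_memory_ranges_size`, declared `int`, and `new_size / sizeof(struct fad_crash_memory_ranges)` is likewise narrowed into `int max_crash_mem_ranges`; the values stay small in practice, but the silent narrowing is what `-Wconversion` exists to catch, so declare the size as `unsigned long crash_memory_ranges_size;` and give `new_size` the same type. `free_crash_memory_ranges()` is only called from the `dump_registered` branch of fadump_cleanup(), so if register_fadump() fails after fadump_setup_crash_memory_ranges() has succeeded the array is kept and the next registration reuses it through `krealloc()` with `crash_mem_ranges` reset to 0; that is not a leak, but a comment on `free_crash_memory_ranges()` stating the array is deliberately retained between attempts would save the next reader the trace. The changed functions continue outside the hunk.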
@@ -0,0 +1,64 @@ +From 810e9f86f36f59f1d6f6710220c49afe0c705f38 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Tue, 21 Aug 2018 13:03:23 +0000 +Subject: powerpc/nohash: fix pte_access_permitted() + +From: Christophe Leroy + +commit 810e9f86f36f59f1d6f6710220c49afe0c705f38 upstream. + +Commit 5769beaf180a8 ("powerpc/mm: Add proper pte access check helper +for other platforms") replaced generic pte_access_permitted() by an +arch specific one. + +The generic one is defined as +(pte_present(pte) && (!(write) || pte_write(pte))) + +The arch specific one is open coded checking that _PAGE_USER and +_PAGE_WRITE (_PAGE_RW) flags are set, but lacking to check that +_PAGE_RO and _PAGE_PRIVILEGED are unset, leading to a useless test +on targets like the 8xx which defines _PAGE_RW and _PAGE_USER as 0. + +Commit 5fa5b16be5b31 ("powerpc/mm/hugetlb: Use pte_access_permitted +for hugetlb access check") replaced some tests performed with +pte helpers by a call to pte_access_permitted(), leading to the same +issue. + +This patch rewrites powerpc/nohash pte_access_permitted() +using pte helpers. + +Fixes: 5769beaf180a8 ("powerpc/mm: Add proper pte access check helper for other platforms") +Fixes: 5fa5b16be5b31 ("powerpc/mm/hugetlb: Use pte_access_permitted for hugetlb access check") +Cc: stable@vger.kernel.org # v4.15+ +Signed-off-by: Christophe Leroy +Reviewed-by: Aneesh Kumar K.V +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/nohash/pgtable.h | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/include/asm/nohash/pgtable.h ++++ b/arch/powerpc/include/asm/nohash/pgtable.h +@@ -51,17 +51,14 @@ static inline int pte_present(pte_t pte) + #define pte_access_permitted pte_access_permitted + static inline bool pte_access_permitted(pte_t pte, bool write) + { +- unsigned long pteval = pte_val(pte); + /* + * A read-only access is controlled by _PAGE_USER bit. 
+ * We have _PAGE_READ set for WRITE and EXECUTE + */ +- unsigned long need_pte_bits = _PAGE_PRESENT | _PAGE_USER; +- +- if (write) +- need_pte_bits |= _PAGE_WRITE; ++ if (!pte_present(pte) || !pte_user(pte) || !pte_read(pte)) ++ return false; + +- if ((pteval & need_pte_bits) != need_pte_bits) ++ if (write && !pte_write(pte)) + return false; + + return true; diff --git a/queue-4.18/powerpc-pkeys-deny-read-write-execute-by-default.patch b/queue-4.18/powerpc-pkeys-deny-read-write-execute-by-default.patch new file mode 100644 index 00000000000..626041765ad --- /dev/null +++ b/queue-4.18/powerpc-pkeys-deny-read-write-execute-by-default.patch @@ -0,0 +1,41 @@ +From de113256f8c1c24d8c79ae388bf2a5abd70f7577 Mon Sep 17 00:00:00 2001 +From: Ram Pai +Date: Tue, 17 Jul 2018 06:51:03 -0700 +Subject: powerpc/pkeys: Deny read/write/execute by default + +From: Ram Pai + +commit de113256f8c1c24d8c79ae388bf2a5abd70f7577 upstream. + +Deny all permissions on all keys, with some exceptions. pkey-0 must +allow all permissions, or else everything comes to a screaching halt. +Execute-only key must allow execute permission. + +Fixes: cf43d3b26452 ("powerpc: Enable pkey subsystem") +Cc: stable@vger.kernel.org # v4.16+ +Signed-off-by: Ram Pai +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/pkeys.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/arch/powerpc/mm/pkeys.c ++++ b/arch/powerpc/mm/pkeys.c +@@ -124,12 +124,10 @@ int pkey_initialize(void) + + /* register mask is in BE format */ + pkey_amr_mask = ~0x0ul; +- pkey_iamr_mask = ~0x0ul; ++ pkey_amr_mask &= ~(0x3ul << pkeyshift(0)); + +- for (i = 0; i < (pkeys_total - os_reserved); i++) { +- pkey_amr_mask &= ~(0x3ul << pkeyshift(i)); +- pkey_iamr_mask &= ~(0x1ul << pkeyshift(i)); +- } ++ pkey_iamr_mask = ~0x0ul; ++ pkey_iamr_mask &= ~(0x3ul << pkeyshift(0)); + + pkey_uamor_mask = ~0x0ul; + pkey_uamor_mask &= ~(0x3ul << pkeyshift(0)); 
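Review bot: The comment kept above the new checks in pte_access_permitted() still reasons in terms of raw `_PAGE_USER`/`_PAGE_READ` bits, while the code now goes through `pte_present()`, `pte_user()`, `pte_read()` and `pte_write()` precisely so that platforms which define those flags as 0 (the 8xx case named in the changelog) get the right answer from the helpers. Restating it at the helper level, e.g. `/* Need a present, user-accessible, readable PTE; a write additionally needs pte_write(). The helpers also cover _PAGE_RO/_PAGE_PRIVILEGED, which the old open-coded mask missed. */`, would make the fix self-explaining to the next reader of this header.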
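Review bot: `pkey_iamr_mask &= ~(0x3ul << pkeyshift(0));` clears two bits per key in the IAMR mask, whereas the loop this hunk removes cleared only `0x1ul` for IAMR (`pkey_iamr_mask &= ~(0x1ul << pkeyshift(i));`) while using `0x3ul` for AMR. If IAMR carries a single execute-disable bit per key the extra cleared bit is presumably harmless, but the inconsistency deserves either the `0x1ul` form or a comment saying why both bits are cleared. The changelog also says the execute-only key must keep execute permission, but this hunk only opens key 0; I take that to be handled by a later patch in this series rather than a gap here.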
diff --git a/queue-4.18/powerpc-pkeys-fix-calculation-of-total-pkeys.patch b/queue-4.18/powerpc-pkeys-fix-calculation-of-total-pkeys.patch
new file mode 100644
index 00000000000..ea45cb0ef5c
--- /dev/null
+++ b/queue-4.18/powerpc-pkeys-fix-calculation-of-total-pkeys.patch
@@ -0,0 +1,32 @@
+From fe6a2804e65969a574377bdb3605afb79e6091a9 Mon Sep 17 00:00:00 2001
+From: Ram Pai
+Date: Tue, 17 Jul 2018 06:51:06 -0700
+Subject: powerpc/pkeys: Fix calculation of total pkeys.
+
+From: Ram Pai
+
+commit fe6a2804e65969a574377bdb3605afb79e6091a9 upstream.
+
+Total number of pkeys calculation is off by 1. Fix it.
+
+Fixes: 4fb158f65ac5 ("powerpc: track allocation status of all pkeys")
+Cc: stable@vger.kernel.org # v4.16+
+Signed-off-by: Ram Pai
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/mm/pkeys.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/mm/pkeys.c
++++ b/arch/powerpc/mm/pkeys.c
+@@ -92,7 +92,7 @@ int pkey_initialize(void)
+ * arch-neutral code.
+ */
+ pkeys_total = min_t(int, pkeys_total,
+- (ARCH_VM_PKEY_FLAGS >> VM_PKEY_SHIFT));
++ ((ARCH_VM_PKEY_FLAGS >> VM_PKEY_SHIFT)+1));
+
+ if (!pkey_mmu_enabled() || radix_enabled() || !pkeys_total)
+ static_branch_enable(&pkey_disabled);
diff --git a/queue-4.18/powerpc-pkeys-give-all-threads-control-of-their-key-permissions.patch b/queue-4.18/powerpc-pkeys-give-all-threads-control-of-their-key-permissions.patch
new file mode 100644
index 00000000000..f1d371a4de2
--- /dev/null
+++ b/queue-4.18/powerpc-pkeys-give-all-threads-control-of-their-key-permissions.patch
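Review bot: `((ARCH_VM_PKEY_FLAGS >> VM_PKEY_SHIFT)+1)` lacks spaces around the binary `+`, which checkpatch flags; `((ARCH_VM_PKEY_FLAGS >> VM_PKEY_SHIFT) + 1)` is the kernel form. The `+1` is right only if `ARCH_VM_PKEY_FLAGS >> VM_PKEY_SHIFT` yields the highest key number rather than a count, which this hunk cannot show; a one-line comment next to the `min_t()` stating that relationship would keep the off-by-one from being "fixed" back by a later reader. pkey_initialize() begins outside the hunk.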
@@ -0,0 +1,127 @@ +From a57a04c76e06822e4377831611364c846b7202ca Mon Sep 17 00:00:00 2001 +From: Ram Pai +Date: Tue, 17 Jul 2018 06:51:02 -0700 +Subject: powerpc/pkeys: Give all threads control of their key permissions + +From: Ram Pai + +commit a57a04c76e06822e4377831611364c846b7202ca upstream. + +Currently in a multithreaded application, a key allocated by one +thread is not usable by other threads. By "not usable" we mean that +other threads are unable to change the access permissions for that +key for themselves. + +When a new key is allocated in one thread, the corresponding UAMOR +bits for that thread get enabled, however the UAMOR bits for that key +for all other threads remain disabled. + +Other threads have no way to set permissions on the key, and the +current default permissions are that read/write is enabled for all +keys, which means the key has no effect for other threads. Although +that may be the desired behaviour in some circumstances, having all +threads able to control their permissions for the key is more +flexible. + +The current behaviour also differs from the x86 behaviour, which is +problematic for users. + +To fix this, enable the UAMOR bits for all keys, at process +creation (in start_thread(), ie exec time). Since the contents of +UAMOR are inherited at fork, all threads are capable of modifying the +permissions on any key. + +This is technically an ABI break on powerpc, but pkey support is fairly +new on powerpc and not widely used, and this brings us into +line with x86. 
+ +Fixes: cf43d3b26452 ("powerpc: Enable pkey subsystem") +Cc: stable@vger.kernel.org # v4.16+ +Tested-by: Florian Weimer +Signed-off-by: Ram Pai +[mpe: Reword some of the changelog] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/pkeys.c | 44 ++++++++++++++++++++++++++------------------ + 1 file changed, 26 insertions(+), 18 deletions(-) + +--- a/arch/powerpc/mm/pkeys.c ++++ b/arch/powerpc/mm/pkeys.c +@@ -15,8 +15,9 @@ bool pkey_execute_disable_supported; + int pkeys_total; /* Total pkeys as per device tree */ + bool pkeys_devtree_defined; /* pkey property exported by device tree */ + u32 initial_allocation_mask; /* Bits set for reserved keys */ +-u64 pkey_amr_uamor_mask; /* Bits in AMR/UMOR not to be touched */ ++u64 pkey_amr_mask; /* Bits in AMR not to be touched */ + u64 pkey_iamr_mask; /* Bits in AMR not to be touched */ ++u64 pkey_uamor_mask; /* Bits in UMOR not to be touched */ + + #define AMR_BITS_PER_PKEY 2 + #define AMR_RD_BIT 0x1UL +@@ -119,20 +120,26 @@ int pkey_initialize(void) + #else + os_reserved = 0; + #endif +- initial_allocation_mask = ~0x0; +- pkey_amr_uamor_mask = ~0x0ul; ++ initial_allocation_mask = (0x1 << 0) | (0x1 << 1); ++ ++ /* register mask is in BE format */ ++ pkey_amr_mask = ~0x0ul; + pkey_iamr_mask = ~0x0ul; +- /* +- * key 0, 1 are reserved. +- * key 0 is the default key, which allows read/write/execute. +- * key 1 is recommended not to be used. PowerISA(3.0) page 1015, +- * programming note. 
+- */ +- for (i = 2; i < (pkeys_total - os_reserved); i++) { +- initial_allocation_mask &= ~(0x1 << i); +- pkey_amr_uamor_mask &= ~(0x3ul << pkeyshift(i)); ++ ++ for (i = 0; i < (pkeys_total - os_reserved); i++) { ++ pkey_amr_mask &= ~(0x3ul << pkeyshift(i)); + pkey_iamr_mask &= ~(0x1ul << pkeyshift(i)); + } ++ ++ pkey_uamor_mask = ~0x0ul; ++ pkey_uamor_mask &= ~(0x3ul << pkeyshift(0)); ++ ++ /* mark the rest of the keys as reserved and hence unavailable */ ++ for (i = (pkeys_total - os_reserved); i < pkeys_total; i++) { ++ initial_allocation_mask |= (0x1 << i); ++ pkey_uamor_mask &= ~(0x3ul << pkeyshift(i)); ++ } ++ + return 0; + } + +@@ -289,9 +296,6 @@ void thread_pkey_regs_restore(struct thr + if (static_branch_likely(&pkey_disabled)) + return; + +- /* +- * TODO: Just set UAMOR to zero if @new_thread hasn't used any keys yet. +- */ + if (old_thread->amr != new_thread->amr) + write_amr(new_thread->amr); + if (old_thread->iamr != new_thread->iamr) +@@ -305,9 +309,13 @@ void thread_pkey_regs_init(struct thread + if (static_branch_likely(&pkey_disabled)) + return; + +- thread->amr = read_amr() & pkey_amr_uamor_mask; +- thread->iamr = read_iamr() & pkey_iamr_mask; +- thread->uamor = read_uamor() & pkey_amr_uamor_mask; ++ thread->amr = pkey_amr_mask; ++ thread->iamr = pkey_iamr_mask; ++ thread->uamor = pkey_uamor_mask; ++ ++ write_uamor(pkey_uamor_mask); ++ write_amr(pkey_amr_mask); ++ write_iamr(pkey_iamr_mask); + } + + static inline bool pkey_allows_readwrite(int pkey) diff --git a/queue-4.18/powerpc-pkeys-key-allocation-deallocation-must-not-change-pkey-registers.patch b/queue-4.18/powerpc-pkeys-key-allocation-deallocation-must-not-change-pkey-registers.patch new file mode 100644 index 00000000000..d14be1e0bd0 --- /dev/null +++ b/queue-4.18/powerpc-pkeys-key-allocation-deallocation-must-not-change-pkey-registers.patch 
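Review bot: The new declaration `u64 pkey_uamor_mask; /* Bits in UMOR not to be touched */` misspells the register; it should read `/* Bits in UAMOR not to be touched */` (the adjacent pre-existing `pkey_iamr_mask` comment also says AMR where IAMR is meant, worth fixing while here). The hunk also drops the comment that explained why keys 0 and 1 are pre-reserved, leaving `initial_allocation_mask = (0x1 << 0) | (0x1 << 1);` unexplained; keeping its substance, `/* key 0 is the default key; key 1 is recommended not to be used, PowerISA(3.0) programming note */`, puts the rationale next to the constant. In thread_pkey_regs_init() the three `write_*()` calls now program the registers unconditionally at exec time, which the changelog calls an ABI change; that is worth one line at the call site rather than only in the commit message.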
@@ -0,0 +1,103 @@ +From 4a4a5e5d2aadc793be95024f454cf511d115b62d Mon Sep 17 00:00:00 2001 +From: Ram Pai +Date: Tue, 17 Jul 2018 06:51:04 -0700 +Subject: powerpc/pkeys: key allocation/deallocation must not change pkey registers + +From: Ram Pai + +commit 4a4a5e5d2aadc793be95024f454cf511d115b62d upstream. + +Key allocation and deallocation has the side effect of programming the +UAMOR/AMR/IAMR registers. This is wrong, since its the responsibility of +the application and not that of the kernel, to modify the permission on +the key. + +Do not modify the pkey registers at key allocation/deallocation. + +This patch also fixes a bug where a sys_pkey_free() resets the UAMOR +bits of the key, thus making its permissions unmodifiable from user +space. Later if the same key gets reallocated from a different thread +this thread will no longer be able to change the permissions on the key. + +Fixes: cf43d3b26452 ("powerpc: Enable pkey subsystem") +Cc: stable@vger.kernel.org # v4.16+ +Reviewed-by: Thiago Jung Bauermann +Signed-off-by: Ram Pai +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/pkeys.h | 11 ----------- + arch/powerpc/mm/pkeys.c | 27 --------------------------- + 2 files changed, 38 deletions(-) + +--- a/arch/powerpc/include/asm/pkeys.h ++++ b/arch/powerpc/include/asm/pkeys.h +@@ -94,8 +94,6 @@ static inline bool mm_pkey_is_allocated( + __mm_pkey_is_allocated(mm, pkey)); + } + +-extern void __arch_activate_pkey(int pkey); +-extern void __arch_deactivate_pkey(int pkey); + /* + * Returns a positive, 5-bit key on success, or -1 on failure. 
+ * Relies on the mmap_sem to protect against concurrency in mm_pkey_alloc() and +@@ -124,11 +122,6 @@ static inline int mm_pkey_alloc(struct m + ret = ffz((u32)mm_pkey_allocation_map(mm)); + __mm_pkey_allocated(mm, ret); + +- /* +- * Enable the key in the hardware +- */ +- if (ret > 0) +- __arch_activate_pkey(ret); + return ret; + } + +@@ -140,10 +133,6 @@ static inline int mm_pkey_free(struct mm + if (!mm_pkey_is_allocated(mm, pkey)) + return -EINVAL; + +- /* +- * Disable the key in the hardware +- */ +- __arch_deactivate_pkey(pkey); + __mm_pkey_free(mm, pkey); + + return 0; +--- a/arch/powerpc/mm/pkeys.c ++++ b/arch/powerpc/mm/pkeys.c +@@ -218,33 +218,6 @@ static inline void init_iamr(int pkey, u + write_iamr(old_iamr | new_iamr_bits); + } + +-static void pkey_status_change(int pkey, bool enable) +-{ +- u64 old_uamor; +- +- /* Reset the AMR and IAMR bits for this key */ +- init_amr(pkey, 0x0); +- init_iamr(pkey, 0x0); +- +- /* Enable/disable key */ +- old_uamor = read_uamor(); +- if (enable) +- old_uamor |= (0x3ul << pkeyshift(pkey)); +- else +- old_uamor &= ~(0x3ul << pkeyshift(pkey)); +- write_uamor(old_uamor); +-} +- +-void __arch_activate_pkey(int pkey) +-{ +- pkey_status_change(pkey, true); +-} +- +-void __arch_deactivate_pkey(int pkey) +-{ +- pkey_status_change(pkey, false); +-} +- + /* + * Set the access rights in AMR IAMR and UAMOR registers for @pkey to that + * specified in @init_val. diff --git a/queue-4.18/powerpc-pkeys-preallocate-execute-only-key.patch b/queue-4.18/powerpc-pkeys-preallocate-execute-only-key.patch new file mode 100644 index 00000000000..a783abe9716 --- /dev/null +++ b/queue-4.18/powerpc-pkeys-preallocate-execute-only-key.patch 
@@ -0,0 +1,139 @@ +From a4fcc877d4e18b5efe26e93f08f0cfd4e278c7d9 Mon Sep 17 00:00:00 2001 +From: Ram Pai +Date: Tue, 17 Jul 2018 06:51:07 -0700 +Subject: powerpc/pkeys: Preallocate execute-only key + +From: Ram Pai + +commit a4fcc877d4e18b5efe26e93f08f0cfd4e278c7d9 upstream. + +execute-only key is allocated dynamically. This is a problem. When a +thread implicitly creates an execute-only key, and resets the UAMOR +for that key, the UAMOR value does not percolate to all the other +threads. Any other thread may ignorantly change the permissions on the +key. This can cause the key to be not execute-only for that thread. + +Preallocate the execute-only key and ensure that no thread can change +the permission of the key, by resetting the corresponding bit in +UAMOR. + +Fixes: 5586cf61e108 ("powerpc: introduce execute-only pkey") +Cc: stable@vger.kernel.org # v4.16+ +Signed-off-by: Ram Pai +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/pkeys.c | 63 +++++++++++++----------------------------------- + 1 file changed, 18 insertions(+), 45 deletions(-) + +--- a/arch/powerpc/mm/pkeys.c ++++ b/arch/powerpc/mm/pkeys.c +@@ -18,6 +18,7 @@ u32 initial_allocation_mask; /* Bits se + u64 pkey_amr_mask; /* Bits in AMR not to be touched */ + u64 pkey_iamr_mask; /* Bits in AMR not to be touched */ + u64 pkey_uamor_mask; /* Bits in UMOR not to be touched */ ++int execute_only_key = 2; + + #define AMR_BITS_PER_PKEY 2 + #define AMR_RD_BIT 0x1UL +@@ -120,7 +121,8 @@ int pkey_initialize(void) + #else + os_reserved = 0; + #endif +- initial_allocation_mask = (0x1 << 0) | (0x1 << 1); ++ initial_allocation_mask = (0x1 << 0) | (0x1 << 1) | ++ (0x1 << execute_only_key); + + /* register mask is in BE format */ + pkey_amr_mask = ~0x0ul; +@@ -128,9 +130,11 @@ int pkey_initialize(void) + + pkey_iamr_mask = ~0x0ul; + pkey_iamr_mask &= ~(0x3ul << pkeyshift(0)); ++ pkey_iamr_mask &= ~(0x3ul << pkeyshift(execute_only_key)); + + pkey_uamor_mask = ~0x0ul; + 
pkey_uamor_mask &= ~(0x3ul << pkeyshift(0)); ++ pkey_uamor_mask &= ~(0x3ul << pkeyshift(execute_only_key)); + + /* mark the rest of the keys as reserved and hence unavailable */ + for (i = (pkeys_total - os_reserved); i < pkeys_total; i++) { +@@ -138,6 +142,17 @@ int pkey_initialize(void) + pkey_uamor_mask &= ~(0x3ul << pkeyshift(i)); + } + ++ if (unlikely((pkeys_total - os_reserved) <= execute_only_key)) { ++ /* ++ * Insufficient number of keys to support ++ * execute only key. Mark it unavailable. ++ * Any AMR, UAMOR, IAMR bit set for ++ * this key is irrelevant since this key ++ * can never be allocated. ++ */ ++ execute_only_key = -1; ++ } ++ + return 0; + } + +@@ -148,8 +163,7 @@ void pkey_mm_init(struct mm_struct *mm) + if (static_branch_likely(&pkey_disabled)) + return; + mm_pkey_allocation_map(mm) = initial_allocation_mask; +- /* -1 means unallocated or invalid */ +- mm->context.execute_only_pkey = -1; ++ mm->context.execute_only_pkey = execute_only_key; + } + + static inline u64 read_amr(void) +@@ -301,48 +315,7 @@ static inline bool pkey_allows_readwrite + + int __execute_only_pkey(struct mm_struct *mm) + { +- bool need_to_set_mm_pkey = false; +- int execute_only_pkey = mm->context.execute_only_pkey; +- int ret; +- +- /* Do we need to assign a pkey for mm's execute-only maps? */ +- if (execute_only_pkey == -1) { +- /* Go allocate one to use, which might fail */ +- execute_only_pkey = mm_pkey_alloc(mm); +- if (execute_only_pkey < 0) +- return -1; +- need_to_set_mm_pkey = true; +- } +- +- /* +- * We do not want to go through the relatively costly dance to set AMR +- * if we do not need to. Check it first and assume that if the +- * execute-only pkey is readwrite-disabled than we do not have to set it +- * ourselves. +- */ +- if (!need_to_set_mm_pkey && !pkey_allows_readwrite(execute_only_pkey)) +- return execute_only_pkey; +- +- /* +- * Set up AMR so that it denies access for everything other than +- * execution. 
+- */
+- ret = __arch_set_user_pkey_access(current, execute_only_pkey,
+- PKEY_DISABLE_ACCESS |
+- PKEY_DISABLE_WRITE);
+- /*
+- * If the AMR-set operation failed somehow, just return 0 and
+- * effectively disable execute-only support.
+- */
+- if (ret) {
+- mm_pkey_free(mm, execute_only_pkey);
+- return -1;
+- }
+-
+- /* We got one, store it and use it from here on out */
+- if (need_to_set_mm_pkey)
+- mm->context.execute_only_pkey = execute_only_pkey;
+- return execute_only_pkey;
++ return mm->context.execute_only_pkey;
+ }
+
+ static inline bool vma_is_pkey_exec_only(struct vm_area_struct *vma)
diff --git a/queue-4.18/powerpc-pkeys-save-the-pkey-registers-before-fork.patch b/queue-4.18/powerpc-pkeys-save-the-pkey-registers-before-fork.patch
new file mode 100644
index 00000000000..fcf57d34e45
--- /dev/null
+++ b/queue-4.18/powerpc-pkeys-save-the-pkey-registers-before-fork.patch
@@ -0,0 +1,35 @@
+From c76662e825f507b98938dc3bb141c4505bd4968c Mon Sep 17 00:00:00 2001
+From: Ram Pai
+Date: Tue, 17 Jul 2018 06:51:05 -0700
+Subject: powerpc/pkeys: Save the pkey registers before fork
+
+From: Ram Pai
+
+commit c76662e825f507b98938dc3bb141c4505bd4968c upstream.
+
+When a thread forks the contents of AMR, IAMR, UAMOR registers in the
+newly forked thread are not inherited.
+
+Save the registers before forking, for content of those
+registers to be automatically copied into the new thread.
+
+Fixes: cf43d3b26452 ("powerpc: Enable pkey subsystem")
+Cc: stable@vger.kernel.org # v4.16+
+Signed-off-by: Ram Pai
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/process.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/kernel/process.c
++++ b/arch/powerpc/kernel/process.c
+@@ -583,6 +583,7 @@ static void save_all(struct task_struct
+ __giveup_spe(tsk);
+
+ msr_check_and_clear(msr_all_available);
++ thread_pkey_regs_save(&tsk->thread);
+ }
+
+ void flush_all_to_thread(struct task_struct *tsk)
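Review bot: `initial_allocation_mask`, `pkey_iamr_mask` and `pkey_uamor_mask` are updated with `execute_only_key` before the `(pkeys_total - os_reserved) <= execute_only_key` check that may set it to -1, so on a system with too few keys bit 2 is still marked allocated and its IAMR/UAMOR mask bits still cleared; the in-code comment argues this is irrelevant, but moving the check ahead of the mask computation would remove the need to argue it. `int execute_only_key = 2;` is a new file-scope global with neither `static` nor a comment; unless a header elsewhere declares it, it should be `static` and carry a line such as `/* key preallocated for execute-only mappings, or -1 if the platform has too few keys */`. Dropping `/* -1 means unallocated or invalid */` in pkey_mm_init() also loses the only statement that `execute_only_pkey` can be -1, a value `__execute_only_pkey()` now hands straight to its callers outside this hunk.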
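Review bot: `thread_pkey_regs_save(&tsk->thread);` is added unconditionally at the end of save_all(), whose start is outside the hunk; this presumably relies on a no-op stub being provided when pkey support is not configured, which the hunk cannot confirm and is worth checking against the header. A short comment, `/* AMR/IAMR/UAMOR are not covered by the giveup calls above; snapshot them so the values are inherited at fork */`, would explain why the call sits after `msr_check_and_clear()` rather than next to the other register save paths.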
diff --git a/queue-4.18/powerpc-powernv-pci-work-around-races-in-pci-bridge-enabling.patch b/queue-4.18/powerpc-powernv-pci-work-around-races-in-pci-bridge-enabling.patch
new file mode 100644
index 00000000000..9d48b98e539
--- /dev/null
+++ b/queue-4.18/powerpc-powernv-pci-work-around-races-in-pci-bridge-enabling.patch
@@ -0,0 +1,88 @@ +From db2173198b9513f7add8009f225afa1f1c79bcc6 Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Fri, 17 Aug 2018 17:30:39 +1000 +Subject: powerpc/powernv/pci: Work around races in PCI bridge enabling + +From: Benjamin Herrenschmidt + +commit db2173198b9513f7add8009f225afa1f1c79bcc6 upstream. + +The generic code is racy when multiple children of a PCI bridge try to +enable it simultaneously. + +This leads to drivers trying to access a device through a +not-yet-enabled bridge, and this EEH errors under various +circumstances when using parallel driver probing. + +There is work going on to fix that properly in the PCI core but it +will take some time. + +x86 gets away with it because (outside of hotplug), the BIOS enables +all the bridges at boot time. + +This patch does the same thing on powernv by enabling all bridges that +have child devices at boot time, thus avoiding subsequent races. It's +suitable for backporting to stable and distros, while the proper PCI +fix will probably be significantly more invasive. + +Signed-off-by: Benjamin Herrenschmidt +Cc: stable@vger.kernel.org +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/pci-ioda.c | 37 ++++++++++++++++++++++++++++++ + 1 file changed, 37 insertions(+) + +--- a/arch/powerpc/platforms/powernv/pci-ioda.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda.c +@@ -3368,12 +3368,49 @@ static void pnv_pci_ioda_create_dbgfs(vo + #endif /* CONFIG_DEBUG_FS */ + } + ++static void pnv_pci_enable_bridge(struct pci_bus *bus) ++{ ++ struct pci_dev *dev = bus->self; ++ struct pci_bus *child; ++ ++ /* Empty bus ? bail */ ++ if (list_empty(&bus->devices)) ++ return; ++ ++ /* ++ * If there's a bridge associated with that bus enable it. This works ++ * around races in the generic code if the enabling is done during ++ * parallel probing. This can be removed once those races have been ++ * fixed. 
++ */ ++ if (dev) { ++ int rc = pci_enable_device(dev); ++ if (rc) ++ pci_err(dev, "Error enabling bridge (%d)\n", rc); ++ pci_set_master(dev); ++ } ++ ++ /* Perform the same to child busses */ ++ list_for_each_entry(child, &bus->children, node) ++ pnv_pci_enable_bridge(child); ++} ++ ++static void pnv_pci_enable_bridges(void) ++{ ++ struct pci_controller *hose; ++ ++ list_for_each_entry(hose, &hose_list, list_node) ++ pnv_pci_enable_bridge(hose->bus); ++} ++ + static void pnv_pci_ioda_fixup(void) + { + pnv_pci_ioda_setup_PEs(); + pnv_pci_ioda_setup_iommu_api(); + pnv_pci_ioda_create_dbgfs(); + ++ pnv_pci_enable_bridges(); ++ + #ifdef CONFIG_EEH + pnv_eeh_post_init(); + #endif diff --git a/queue-4.18/powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch b/queue-4.18/powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch new file mode 100644 index 00000000000..4320325e54d --- /dev/null +++ b/queue-4.18/powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch 
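Review bot: In pnv_pci_enable_bridge(), `pci_set_master(dev)` is still executed when `pci_enable_device(dev)` returned an error, so a bridge that failed to enable is nevertheless set as bus master right after the failure has been logged; `if (rc) pci_err(dev, "Error enabling bridge (%d)\n", rc); else pci_set_master(dev);` keeps the two outcomes distinct. Whether child busses under a bridge that failed to enable should still be walked is a judgment call, but the current code does so silently, and a comment on the `list_for_each_entry(child, ...)` recursion saying that this is deliberate would help. The `int rc` declaration inside the `if (dev)` body also departs from the declarations-at-top style used in the rest of this function.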
@@ -0,0 +1,71 @@ +From cd813e1cd7122f2c261dce5b54d1e0c97f80e1a5 Mon Sep 17 00:00:00 2001 +From: Mahesh Salgaonkar +Date: Tue, 7 Aug 2018 19:46:46 +0530 +Subject: powerpc/pseries: Fix endianness while restoring of r3 in MCE handler. + +From: Mahesh Salgaonkar + +commit cd813e1cd7122f2c261dce5b54d1e0c97f80e1a5 upstream. + +During Machine Check interrupt on pseries platform, register r3 points +RTAS extended event log passed by hypervisor. Since hypervisor uses r3 +to pass pointer to rtas log, it stores the original r3 value at the +start of the memory (first 8 bytes) pointed by r3. Since hypervisor +stores this info and rtas log is in BE format, linux should make +sure to restore r3 value in correct endian format. + +Without this patch when MCE handler, after recovery, returns to code that +that caused the MCE may end up with Data SLB access interrupt for invalid +address followed by kernel panic or hang. + + Severe Machine check interrupt [Recovered] + NIP [d00000000ca301b8]: init_module+0x1b8/0x338 [bork_kernel] + Initiator: CPU + Error type: SLB [Multihit] + Effective address: d00000000ca70000 + cpu 0xa: Vector: 380 (Data SLB Access) at [c0000000fc7775b0] + pc: c0000000009694c0: vsnprintf+0x80/0x480 + lr: c0000000009698e0: vscnprintf+0x20/0x60 + sp: c0000000fc777830 + msr: 8000000002009033 + dar: a803a30c000000d0 + current = 0xc00000000bc9ef00 + paca = 0xc00000001eca5c00 softe: 3 irq_happened: 0x01 + pid = 8860, comm = insmod + vscnprintf+0x20/0x60 + vprintk_emit+0xb4/0x4b0 + vprintk_func+0x5c/0xd0 + printk+0x38/0x4c + init_module+0x1c0/0x338 [bork_kernel] + do_one_initcall+0x54/0x230 + do_init_module+0x8c/0x248 + load_module+0x12b8/0x15b0 + sys_finit_module+0xa8/0x110 + system_call+0x58/0x6c + --- Exception: c00 (System Call) at 00007fff8bda0644 + SP (7fffdfbfe980) is in userspace + +This patch fixes this issue. 
+ +Fixes: a08a53ea4c97 ("powerpc/le: Enable RTAS events support") +Cc: stable@vger.kernel.org # v3.15+ +Reviewed-by: Nicholas Piggin +Signed-off-by: Mahesh Salgaonkar +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/pseries/ras.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/pseries/ras.c ++++ b/arch/powerpc/platforms/pseries/ras.c +@@ -360,7 +360,7 @@ static struct rtas_error_log *fwnmi_get_ + } + + savep = __va(regs->gpr[3]); +- regs->gpr[3] = savep[0]; /* restore original r3 */ ++ regs->gpr[3] = be64_to_cpu(savep[0]); /* restore original r3 */ + + /* If it isn't an extended log we can use the per cpu 64bit buffer */ + h = (struct rtas_error_log *)&savep[1]; diff --git a/queue-4.18/powerpc64-ftrace-include-ftrace.h-needed-for-enable-disable-calls.patch b/queue-4.18/powerpc64-ftrace-include-ftrace.h-needed-for-enable-disable-calls.patch new file mode 100644 index 00000000000..e7df8577566 --- /dev/null +++ b/queue-4.18/powerpc64-ftrace-include-ftrace.h-needed-for-enable-disable-calls.patch @@ -0,0 +1,33 @@ +From d6ee76d3d37d156c479348821574b6f99d6472a1 Mon Sep 17 00:00:00 2001 +From: Luke Dashjr +Date: Thu, 16 Aug 2018 21:36:26 +0000 +Subject: powerpc64/ftrace: Include ftrace.h needed for enable/disable calls + +From: Luke Dashjr + +commit d6ee76d3d37d156c479348821574b6f99d6472a1 upstream. + +this_cpu_disable_ftrace and this_cpu_enable_ftrace are inlines in +ftrace.h Without it included, the build fails. + +Fixes: a4bc64d305af ("powerpc64/ftrace: Disable ftrace during kvm entry/exit") +Cc: stable@vger.kernel.org # v4.18+ +Signed-off-by: Luke Dashjr +Acked-by: Naveen N. Rao +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_hv.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -46,6 +46,7 @@ + #include + #include + ++#include + #include + #include + #include 
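Review bot: `regs->gpr[3] = be64_to_cpu(savep[0]);` passes `savep[0]` to a helper that expects a `__be64`; the declaration of `savep` is outside the hunk (as is the start of the enclosing function, truncated in the hunk header as `fwnmi_get_`), but the following `h = (struct rtas_error_log *)&savep[1];` suggests it is a plain integer pointer, in which case sparse will warn about the cast here. Declaring the save slot as `__be64` where `savep` is assigned, or writing `be64_to_cpu((__force __be64)savep[0])` with a comment that the hypervisor stores the original r3 in big-endian, makes the endianness contract explicit at the type level rather than only in the trailing comment.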
diff --git a/queue-4.18/rdma-mlx5-fix-shift-overflow-in-mlx5_ib_create_wq.patch b/queue-4.18/rdma-mlx5-fix-shift-overflow-in-mlx5_ib_create_wq.patch
new file mode 100644
index 00000000000..5338f01e0e0
--- /dev/null
+++ b/queue-4.18/rdma-mlx5-fix-shift-overflow-in-mlx5_ib_create_wq.patch
@@ -0,0 +1,59 @@
+From 0dfe452241f4904de497aef01ad2f609ccb9be90 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Wed, 1 Aug 2018 14:25:41 -0700
+Subject: RDMA/mlx5: Fix shift overflow in mlx5_ib_create_wq
+
+From: Leon Romanovsky
+
+commit 0dfe452241f4904de497aef01ad2f609ccb9be90 upstream.
+
+[ 61.182439] UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/qp.c:5366:34
+[ 61.183673] shift exponent 4294967288 is too large for 32-bit type 'unsigned int'
+[ 61.185530] CPU: 0 PID: 639 Comm: qp Not tainted 4.18.0-rc1-00037-g4aa1d69a9c60-dirty #96
+[ 61.186981] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
+[ 61.188315] Call Trace:
+[ 61.188661] dump_stack+0xc7/0x13b
+[ 61.190427] ubsan_epilogue+0x9/0x49
+[ 61.190899] __ubsan_handle_shift_out_of_bounds+0x1ea/0x22f
+[ 61.197040] mlx5_ib_create_wq+0x1c99/0x1d50
+[ 61.206632] ib_uverbs_ex_create_wq+0x499/0x820
+[ 61.213892] ib_uverbs_write+0x77e/0xae0
+[ 61.248018] vfs_write+0x121/0x3b0
+[ 61.249831] ksys_write+0xa1/0x120
+[ 61.254024] do_syscall_64+0x7c/0x2a0
+[ 61.256178] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 61.259211] RIP: 0033:0x7f54bab70e99
+[ 61.262125] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89
+[ 61.268678] RSP: 002b:00007ffe1541c318 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[ 61.271076] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f54bab70e99
+[ 61.273795] RDX: 0000000000000070 RSI: 0000000020000240 RDI: 0000000000000003
+[ 61.276982] RBP: 00007ffe1541c330 R08: 00000000200078e0 R09: 0000000000000002
+[ 61.280035] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004005c0
+[ 61.283279] R13: 00007ffe1541c420 R14: 0000000000000000 R15: 0000000000000000
+
+Cc: # 4.7
+Fixes: 79b20a6c3014 ("IB/mlx5: Add receive Work Queue verbs")
+Cc: syzkaller
+Reported-by: Noa Osherovich
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Kees Cook
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/mlx5/qp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -5365,7 +5365,9 @@ static int set_user_rq_size(struct mlx5_
+
+ rwq->wqe_count = ucmd->rq_wqe_count;
+ rwq->wqe_shift = ucmd->rq_wqe_shift;
+- rwq->buf_size = (rwq->wqe_count << rwq->wqe_shift);
++ if (check_shl_overflow(rwq->wqe_count, rwq->wqe_shift, &rwq->buf_size))
++ return -EINVAL;
++
+ rwq->log_rq_stride = rwq->wqe_shift;
+ rwq->log_rq_size = ilog2(rwq->wqe_count);
+ return 0;
diff --git a/queue-4.18/rdma-rxe-set-wqe-status-correctly-if-an-unexpected-response-is-received.patch b/queue-4.18/rdma-rxe-set-wqe-status-correctly-if-an-unexpected-response-is-received.patch
new file mode 100644
index 00000000000..3ead6903b3b
--- /dev/null
+++ b/queue-4.18/rdma-rxe-set-wqe-status-correctly-if-an-unexpected-response-is-received.patch
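Review bot: The new `check_shl_overflow(rwq->wqe_count, rwq->wqe_shift, &rwq->buf_size)` closes the UBSAN shift report, but `rwq->log_rq_size = ilog2(rwq->wqe_count);` two lines below still takes the log of a user-supplied count, and `ilog2(0)` is undefined; if set_user_rq_size() (whose start is outside the hunk) does not already reject `rq_wqe_count == 0`, a one-line `if (!rwq->wqe_count) return -EINVAL;` before the shift check would make the validation self-contained for this uverbs-reachable path. Both user values are also copied into `rwq` before they are validated, so the -EINVAL return leaves a partially initialised `rwq`; that is fine if the caller discards it, but a comment saying so (`/* caller frees rwq on error; fields set above are not relied upon */`) would save the next reader from checking.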
@@ -0,0 +1,33 @@
+From 61b717d041b1976530f68f8b539b2e3a7dd8e39c Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Tue, 26 Jun 2018 08:39:36 -0700
+Subject: RDMA/rxe: Set wqe->status correctly if an unexpected response is received
+
+From: Bart Van Assche
+
+commit 61b717d041b1976530f68f8b539b2e3a7dd8e39c upstream.
+
+Every function that returns COMPST_ERROR must set wqe->status to another
+value than IB_WC_SUCCESS before returning COMPST_ERROR. Fix the only code
+path for which this is not yet the case.
+
+Signed-off-by: Bart Van Assche
+Cc:
+Reviewed-by: Yuval Shaia
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/sw/rxe/rxe_comp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/sw/rxe/rxe_comp.c
++++ b/drivers/infiniband/sw/rxe/rxe_comp.c
+@@ -276,6 +276,7 @@ static inline enum comp_state check_ack(
+ case IB_OPCODE_RC_RDMA_READ_RESPONSE_MIDDLE:
+ if (wqe->wr.opcode != IB_WR_RDMA_READ &&
+ wqe->wr.opcode != IB_WR_RDMA_READ_WITH_INV) {
++ wqe->status = IB_WC_FATAL_ERR;
+ return COMPST_ERROR;
+ }
+ reset_retry_counters(qp);
diff --git a/queue-4.18/replace-magic-for-trusting-the-secondary-keyring-with-define.patch b/queue-4.18/replace-magic-for-trusting-the-secondary-keyring-with-define.patch
new file mode 100644
index 00000000000..d5c379196cc
--- /dev/null
+++ b/queue-4.18/replace-magic-for-trusting-the-secondary-keyring-with-define.patch
@@ -0,0 +1,70 @@
+From 817aef260037f33ee0f44c17fe341323d3aebd6d Mon Sep 17 00:00:00 2001
+From: Yannik Sembritzki
+Date: Thu, 16 Aug 2018 14:05:10 +0100
+Subject: Replace magic for trusting the secondary keyring with #define
+
+From: Yannik Sembritzki
+
+commit 817aef260037f33ee0f44c17fe341323d3aebd6d upstream.
+
+Replace the use of a magic number that indicates that verify_*_signature()
+should use the secondary keyring with a symbol.
+
+Signed-off-by: Yannik Sembritzki
+Signed-off-by: David Howells
+Cc: keyrings@vger.kernel.org
+Cc: linux-security-module@vger.kernel.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ certs/system_keyring.c | 3 ++-
+ crypto/asymmetric_keys/pkcs7_key_type.c | 2 +-
+ include/linux/verification.h | 6 ++++++
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/certs/system_keyring.c
++++ b/certs/system_keyring.c
+@@ -15,6 +15,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -230,7 +231,7 @@ int verify_pkcs7_signature(const void *d
+ 
+ if (!trusted_keys) {
+ trusted_keys = builtin_trusted_keys;
+- } else if (trusted_keys == (void *)1UL) {
++ } else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
+ #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+ trusted_keys = secondary_trusted_keys;
+ #else
+--- a/crypto/asymmetric_keys/pkcs7_key_type.c
++++ b/crypto/asymmetric_keys/pkcs7_key_type.c
+@@ -63,7 +63,7 @@ static int pkcs7_preparse(struct key_pre
+ 
+ return verify_pkcs7_signature(NULL, 0,
+ prep->data, prep->datalen,
+- (void *)1UL, usage,
++ VERIFY_USE_SECONDARY_KEYRING, usage,
+ pkcs7_view_content, prep);
+ }
+ 
+--- a/include/linux/verification.h
++++ b/include/linux/verification.h
+@@ -13,6 +13,12 @@
+ #define _LINUX_VERIFICATION_H
+ 
+ /*
++ * Indicate that both builtin trusted keys and secondary trusted keys
++ * should be used.
++ */
++#define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL)
++
++/*
+ * The use to which an asymmetric key is being put.
+ */
+ enum key_being_used_for {
diff --git a/queue-4.18/series b/queue-4.18/series
index fd76a1d235d..9d53011ee82 100644
--- a/queue-4.18/series
+++ b/queue-4.18/series
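Review bot: The new `VERIFY_USE_SECONDARY_KEYRING` definition in include/linux/verification.h is a sentinel pointer, not an address of a real key, and its comment only says which keyrings it selects; a caller reading the header could pass it to something that dereferences it. I would extend the comment with a line such as `* This is a sentinel value, not a valid struct key pointer; callers of verify_*_signature() may pass it but must never dereference it.` The replacement of `(void *)1UL` here covers only the two sites in this patch's diffstat; the queued fix-kexec-forbidding-kernels-signed-with-keys-in-the-secondary-keyring-to-boot.patch listed later in the series suggests at least one more user of the raw sentinel is handled separately, so this patch should be read together with that one. The `#else` branch of the CONFIG_SECONDARY_TRUSTED_KEYRING check in verify_pkcs7_signature() falls outside the hunk, so what the sentinel resolves to without that option is not visible here.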
@@ -16,3 +16,38 @@ block-really-disable-runtime-pm-for-blk-mq.patch
 blkcg-introduce-blkg_root_lookup.patch
 block-introduce-blk_exit_queue.patch
 block-ensure-that-a-request-queue-is-dissociated-from-the-cgroup-controller.patch
+apparmor-fix-bad-debug-check-in-apparmor_secid_to_secctx.patch
+dma-buf-move-bug_on-from-_add_shared_fence-to-_add_shared_inplace.patch
+libertas-fix-suspend-and-resume-for-sdio-connected-cards.patch
+media-revert-tvp5150-fix-pad-format-frame-height.patch
+mailbox-xgene-slimpro-fix-potential-null-pointer-dereference.patch
+replace-magic-for-trusting-the-secondary-keyring-with-define.patch
+fix-kexec-forbidding-kernels-signed-with-keys-in-the-secondary-keyring-to-boot.patch
+powerpc-fadump-handle-crash-memory-ranges-array-index-overflow.patch
+powerpc-64s-fix-page-table-fragment-refcount-race-vs-speculative-references.patch
+powerpc-pseries-fix-endianness-while-restoring-of-r3-in-mce-handler.patch
+powerpc-pkeys-give-all-threads-control-of-their-key-permissions.patch
+powerpc-pkeys-deny-read-write-execute-by-default.patch
+powerpc-pkeys-key-allocation-deallocation-must-not-change-pkey-registers.patch
+powerpc-pkeys-save-the-pkey-registers-before-fork.patch
+powerpc-pkeys-fix-calculation-of-total-pkeys.patch
+powerpc-pkeys-preallocate-execute-only-key.patch
+powerpc-nohash-fix-pte_access_permitted.patch
+powerpc64-ftrace-include-ftrace.h-needed-for-enable-disable-calls.patch
+powerpc-powernv-pci-work-around-races-in-pci-bridge-enabling.patch
+cxl-fix-wrong-comparison-in-cxl_adapter_context_get.patch
+ocxl-fix-page-fault-handler-in-case-of-fault-on-dying-process.patch
+ib-mlx5-honor-cnt_set_id_valid-flag-instead-of-set_id.patch
+ib-mlx5-fix-leaking-stack-memory-to-userspace.patch
+ib-srpt-fix-srpt_cm_req_recv-error-path-1-2.patch
+ib-srpt-fix-srpt_cm_req_recv-error-path-2-2.patch
+ib-srpt-support-hcas-with-more-than-two-ports.patch
+rdma-mlx5-fix-shift-overflow-in-mlx5_ib_create_wq.patch
+ib_srpt-fix-a-use-after-free-in-srpt_close_ch.patch
+ib_srpt-fix-a-use-after-free-in-__srpt_close_all_ch.patch
+rdma-rxe-set-wqe-status-correctly-if-an-unexpected-response-is-received.patch
+9p-fix-multiple-null-pointer-dereferences.patch
+fs-9p-xattr.c-catch-the-error-of-p9_client_clunk-when-setting-xattr-failed.patch
+9p-virtio-fix-off-by-one-error-in-sg-list-bounds-check.patch
+net-9p-client.c-version-pointer-uninitialized.patch
+net-9p-trans_fd.c-fix-race-condition-by-flushing-workqueue-before-the-kfree.patch