From: Greg Kroah-Hartman Date: Thu, 30 Mar 2017 08:12:48 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.59~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ea77dbfa1ae172251de1307d50f696b0474bec89;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: c6x-ptrace-remove-useless-ptrace_setregset-implementation.patch h8300-ptrace-fix-incorrect-register-transfer-count.patch kvm-nvmx-fix-nested-vpid-vmx-exec-control.patch kvm-nvmx-invvpid-handling-improvements.patch kvm-x86-cleanup-the-page-tracking-srcu-instance.patch metag-ptrace-preserve-previous-registers-for-short-regset-write.patch metag-ptrace-provide-default-txstatus-for-short-nt_prstatus.patch metag-ptrace-reject-partial-nt_metag_rpipe-writes.patch mips-ptrace-preserve-previous-registers-for-short-regset-write.patch pinctrl-qcom-don-t-clear-status-bit-on-irq_unmask.patch sparc-ptrace-preserve-previous-registers-for-short-regset-write.patch virtio_balloon-init-1st-buffer-in-stats-vq.patch
---
diff --git a/queue-4.9/c6x-ptrace-remove-useless-ptrace_setregset-implementation.patch b/queue-4.9/c6x-ptrace-remove-useless-ptrace_setregset-implementation.patch
new file mode 100644
index 00000000000..f0ebb0872a2
--- /dev/null
+++ b/queue-4.9/c6x-ptrace-remove-useless-ptrace_setregset-implementation.patch
@@ -0,0 +1,82 @@ +From fb411b837b587a32046dc4f369acb93a10b1def8 Mon Sep 17 00:00:00 2001 +From: Dave Martin +Date: Mon, 27 Mar 2017 15:10:53 +0100 +Subject: c6x/ptrace: Remove useless PTRACE_SETREGSET implementation + +From: Dave Martin + +commit fb411b837b587a32046dc4f369acb93a10b1def8 upstream. + +gpr_set won't work correctly and can never have been tested, and the +correct behaviour is not clear due to the endianness-dependent task +layout. + +So, just remove it. The core code will now return -EOPNOTSUPPORT when +trying to set NT_PRSTATUS on this architecture until/unless a correct +implementation is supplied. + +Signed-off-by: Dave Martin +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/c6x/kernel/ptrace.c | 41 ----------------------------------------- + 1 file changed, 41 deletions(-) + +--- a/arch/c6x/kernel/ptrace.c ++++ b/arch/c6x/kernel/ptrace.c +@@ -69,46 +69,6 @@ static int gpr_get(struct task_struct *t + 0, sizeof(*regs)); + } + +-static int gpr_set(struct task_struct *target, +- const struct user_regset *regset, +- unsigned int pos, unsigned int count, +- const void *kbuf, const void __user *ubuf) +-{ +- int ret; +- struct pt_regs *regs = task_pt_regs(target); +- +- /* Don't copyin TSR or CSR */ +- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, +- ®s, +- 0, PT_TSR * sizeof(long)); +- if (ret) +- return ret; +- +- ret = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf, +- PT_TSR * sizeof(long), +- (PT_TSR + 1) * sizeof(long)); +- if (ret) +- return ret; +- +- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, +- ®s, +- (PT_TSR + 1) * sizeof(long), +- PT_CSR * sizeof(long)); +- if (ret) +- return ret; +- +- ret = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf, +- PT_CSR * sizeof(long), +- (PT_CSR + 1) * sizeof(long)); +- if (ret) +- return ret; +- +- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, +- ®s, +- (PT_CSR + 1) * sizeof(long), -1); +- return ret; +-} +- + enum c6x_regset { + REGSET_GPR, + }; 
+@@ -120,7 +80,6 @@ static const struct user_regset c6x_regs + .size = sizeof(u32), + .align = sizeof(u32), + .get = gpr_get, +- .set = gpr_set + }, + }; + diff --git a/queue-4.9/h8300-ptrace-fix-incorrect-register-transfer-count.patch b/queue-4.9/h8300-ptrace-fix-incorrect-register-transfer-count.patch new file mode 100644 index 00000000000..ef5a16d01f3 --- /dev/null +++ b/queue-4.9/h8300-ptrace-fix-incorrect-register-transfer-count.patch 
@@ -0,0 +1,55 @@ +From 502585c7555083d4a949c08350306b9ec196779e Mon Sep 17 00:00:00 2001 +From: Dave Martin +Date: Mon, 27 Mar 2017 15:10:54 +0100 +Subject: h8300/ptrace: Fix incorrect register transfer count + +From: Dave Martin + +commit 502585c7555083d4a949c08350306b9ec196779e upstream. + +regs_set() and regs_get() are vulnerable to an off-by-1 buffer overrun +if CONFIG_CPU_H8S is set, since this adds an extra entry to +register_offset[] but not to user_regs_struct. + +So, iterate over user_regs_struct based on its actual size, not based on +the length of register_offset[]. + +Signed-off-by: Dave Martin +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/h8300/kernel/ptrace.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/arch/h8300/kernel/ptrace.c ++++ b/arch/h8300/kernel/ptrace.c +@@ -95,7 +95,8 @@ static int regs_get(struct task_struct * + long *reg = (long *)®s; + + /* build user regs in buffer */ +- for (r = 0; r < ARRAY_SIZE(register_offset); r++) ++ BUILD_BUG_ON(sizeof(regs) % sizeof(long) != 0); ++ for (r = 0; r < sizeof(regs) / sizeof(long); r++) + *reg++ = h8300_get_reg(target, r); + + return user_regset_copyout(&pos, &count, &kbuf, &ubuf, +@@ -113,7 +114,8 @@ static int regs_set(struct task_struct * + long *reg; + + /* build user regs in buffer */ +- for (reg = (long *)®s, r = 0; r < ARRAY_SIZE(register_offset); r++) ++ BUILD_BUG_ON(sizeof(regs) % sizeof(long) != 0); ++ for (reg = (long *)®s, r = 0; r < sizeof(regs) / sizeof(long); r++) + *reg++ = h8300_get_reg(target, r); + + ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, +@@ -122,7 +124,7 @@ static int regs_set(struct task_struct * + return ret; + + /* write back to pt_regs */ +- for (reg = (long *)®s, r = 0; r < ARRAY_SIZE(register_offset); r++) ++ for (reg = (long *)®s, r = 0; r < sizeof(regs) / sizeof(long); r++) + h8300_put_reg(target, r, *reg++); + return 0; + } 
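Review bot: The new loop bound in regs_get() and regs_set() is sizeof(regs) / sizeof(long), but h8300_get_reg() and h8300_put_reg() are still indexed by r into register_offset[] (the table the removed ARRAY_SIZE() bound referred to), so the fix silently relies on user_regs_struct never holding more longs than that table has entries, and nothing in the hunk pins that relationship. Add a second compile-time check next to the new BUILD_BUG_ON: `BUILD_BUG_ON(sizeof(regs) / sizeof(long) > ARRAY_SIZE(register_offset));`. Both functions begin outside the hunk, so the declaration of regs and the regset geometry are not visible here.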
diff --git a/queue-4.9/kvm-nvmx-fix-nested-vpid-vmx-exec-control.patch b/queue-4.9/kvm-nvmx-fix-nested-vpid-vmx-exec-control.patch
new file mode 100644
index 00000000000..36551d194e3
--- /dev/null
+++ b/queue-4.9/kvm-nvmx-fix-nested-vpid-vmx-exec-control.patch
@@ -0,0 +1,66 @@ +From 63cb6d5f004ca44f9b8e562b6dd191f717a4960e Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Mon, 20 Mar 2017 21:18:53 -0700 +Subject: KVM: nVMX: Fix nested VPID vmx exec control +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wanpeng Li + +commit 63cb6d5f004ca44f9b8e562b6dd191f717a4960e upstream. + +This can be reproduced by running kvm-unit-tests/vmx.flat on L0 w/ vpid disabled. + +Test suite: VPID +Unhandled exception 6 #UD at ip 00000000004051a6 +error_code=0000 rflags=00010047 cs=00000008 +rax=0000000000000000 rcx=0000000000000001 rdx=0000000000000047 rbx=0000000000402f79 +rbp=0000000000456240 rsi=0000000000000001 rdi=0000000000000000 +r8=000000000000000a r9=00000000000003f8 r10=0000000080010011 r11=0000000000000000 +r12=0000000000000003 r13=0000000000000708 r14=0000000000000000 r15=0000000000000000 +cr0=0000000080010031 cr2=0000000000000000 cr3=0000000007fff000 cr4=0000000000002020 +cr8=0000000000000000 +STACK: @4051a6 40523e 400f7f 402059 40028f + +We should hide and forbid VPID in L1 if it is disabled on L0. However, nested VPID +enable bit is set unconditionally during setup nested vmx exec controls though VPID +is not exposed through nested VMX capablity. This patch fixes it by don't set nested +VPID enable bit if it is disabled on L0. 
+ +Cc: Paolo Bonzini +Cc: Radim Krčmář +Fixes: 5c614b3583e (KVM: nVMX: nested VPID emulation) +Signed-off-by: Wanpeng Li +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -2787,7 +2787,6 @@ static void nested_vmx_setup_ctls_msrs(s + SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES | + SECONDARY_EXEC_RDTSCP | + SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE | +- SECONDARY_EXEC_ENABLE_VPID | + SECONDARY_EXEC_APIC_REGISTER_VIRT | + SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY | + SECONDARY_EXEC_WBINVD_EXITING | +@@ -2815,10 +2814,12 @@ static void nested_vmx_setup_ctls_msrs(s + * though it is treated as global context. The alternative is + * not failing the single-context invvpid, and it is worse. + */ +- if (enable_vpid) ++ if (enable_vpid) { ++ vmx->nested.nested_vmx_secondary_ctls_high |= ++ SECONDARY_EXEC_ENABLE_VPID; + vmx->nested.nested_vmx_vpid_caps = VMX_VPID_INVVPID_BIT | + VMX_VPID_EXTENT_SUPPORTED_MASK; +- else ++ } else + vmx->nested.nested_vmx_vpid_caps = 0; + + if (enable_unrestricted_guest) diff --git a/queue-4.9/kvm-nvmx-invvpid-handling-improvements.patch b/queue-4.9/kvm-nvmx-invvpid-handling-improvements.patch new file mode 100644 index 00000000000..2b324902012 --- /dev/null +++ b/queue-4.9/kvm-nvmx-invvpid-handling-improvements.patch 
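Review bot: The rewritten conditional in nested_vmx_setup_ctls_msrs() braces the if-branch but leaves `} else` followed by an unbraced single statement; kernel style asks for braces on both branches when either branch needs them, i.e. `} else {` / `vmx->nested.nested_vmx_vpid_caps = 0;` / `}`. The substance of the change — only advertising SECONDARY_EXEC_ENABLE_VPID in nested_vmx_secondary_ctls_high when enable_vpid is set on L0 — is consistent with vpid_caps being zeroed in the same else-branch, so the capability and the exec-control bit can no longer disagree. The function continues outside the hunk.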
@@ -0,0 +1,98 @@ +From bcdde302b8268ef7dbc4ddbdaffb5b44eafe9a1e Mon Sep 17 00:00:00 2001 +From: Jan Dakinevich +Date: Fri, 28 Oct 2016 07:00:30 +0300 +Subject: KVM: nVMX: invvpid handling improvements +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jan Dakinevich + +commit bcdde302b8268ef7dbc4ddbdaffb5b44eafe9a1e upstream. + + - Expose all invalidation types to the L1 + + - Reject invvpid instruction, if L1 passed zero vpid value to single + context invalidations + +Signed-off-by: Jan Dakinevich +Tested-by: Ladi Prosek +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 36 ++++++++++++++++++++++++------------ + 1 file changed, 24 insertions(+), 12 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -132,6 +132,12 @@ module_param_named(preemption_timer, ena + + #define VMX_MISC_EMULATED_PREEMPTION_TIMER_RATE 5 + ++#define VMX_VPID_EXTENT_SUPPORTED_MASK \ ++ (VMX_VPID_EXTENT_INDIVIDUAL_ADDR_BIT | \ ++ VMX_VPID_EXTENT_SINGLE_CONTEXT_BIT | \ ++ VMX_VPID_EXTENT_GLOBAL_CONTEXT_BIT | \ ++ VMX_VPID_EXTENT_SINGLE_NON_GLOBAL_BIT) ++ + /* + * These 2 parameters are used to config the controls for Pause-Loop Exiting: + * ple_gap: upper bound on the amount of time between two successive +@@ -2811,8 +2817,7 @@ static void nested_vmx_setup_ctls_msrs(s + */ + if (enable_vpid) + vmx->nested.nested_vmx_vpid_caps = VMX_VPID_INVVPID_BIT | +- VMX_VPID_EXTENT_SINGLE_CONTEXT_BIT | +- VMX_VPID_EXTENT_GLOBAL_CONTEXT_BIT; ++ VMX_VPID_EXTENT_SUPPORTED_MASK; + else + vmx->nested.nested_vmx_vpid_caps = 0; + +@@ -7698,7 +7703,8 @@ static int handle_invvpid(struct kvm_vcp + vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO); + type = kvm_register_readl(vcpu, (vmx_instruction_info >> 28) & 0xf); + +- types = (vmx->nested.nested_vmx_vpid_caps >> 8) & 0x7; ++ types = (vmx->nested.nested_vmx_vpid_caps & ++ VMX_VPID_EXTENT_SUPPORTED_MASK) >> 8; + + if (type >= 32 || !(types & (1 << 
type))) { + nested_vmx_failValid(vcpu, +@@ -7720,21 +7726,27 @@ static int handle_invvpid(struct kvm_vcp + } + + switch (type) { ++ case VMX_VPID_EXTENT_INDIVIDUAL_ADDR: + case VMX_VPID_EXTENT_SINGLE_CONTEXT: +- /* +- * Old versions of KVM use the single-context version so we +- * have to support it; just treat it the same as all-context. +- */ ++ case VMX_VPID_EXTENT_SINGLE_NON_GLOBAL: ++ if (!vpid) { ++ nested_vmx_failValid(vcpu, ++ VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID); ++ skip_emulated_instruction(vcpu); ++ return 1; ++ } ++ break; + case VMX_VPID_EXTENT_ALL_CONTEXT: +- __vmx_flush_tlb(vcpu, to_vmx(vcpu)->nested.vpid02); +- nested_vmx_succeed(vcpu); + break; + default: +- /* Trap individual address invalidation invvpid calls */ +- BUG_ON(1); +- break; ++ WARN_ON_ONCE(1); ++ skip_emulated_instruction(vcpu); ++ return 1; + } + ++ __vmx_flush_tlb(vcpu, vmx->nested.vpid02); ++ nested_vmx_succeed(vcpu); ++ + skip_emulated_instruction(vcpu); + return 1; + } diff --git a/queue-4.9/kvm-x86-cleanup-the-page-tracking-srcu-instance.patch b/queue-4.9/kvm-x86-cleanup-the-page-tracking-srcu-instance.patch new file mode 100644 index 00000000000..eb506ffcf17 --- /dev/null +++ b/queue-4.9/kvm-x86-cleanup-the-page-tracking-srcu-instance.patch 
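Review bot: The new INDIVIDUAL_ADDR / SINGLE_CONTEXT / SINGLE_NON_GLOBAL cases in handle_invvpid() validate only that vpid is non-zero; for VMX_VPID_EXTENT_INDIVIDUAL_ADDR the SDM additionally requires the descriptor's linear address to be canonical and otherwise fails the instruction with VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID, and no such check appears here. The descriptor read that fills vpid sits above the hunk and is not visible, so if it does not already reject a non-canonical address, the INDIVIDUAL_ADDR case should fail the same way as the `!vpid` path (KVM's existing is_noncanonical_address() helper, if it is available in this tree, fits). Flushing vpid02 for every type over-invalidates, which is safe. The default branch returns without signalling VMfail, but it is unreachable given the earlier `types` mask check, so the WARN_ON_ONCE is fine.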
@@ -0,0 +1,62 @@ +From 2beb6dad2e8f95d710159d5befb390e4f62ab5cf Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 27 Mar 2017 17:53:50 +0200 +Subject: KVM: x86: cleanup the page tracking SRCU instance + +From: Paolo Bonzini + +commit 2beb6dad2e8f95d710159d5befb390e4f62ab5cf upstream. + +SRCU uses a delayed work item. Skip cleaning it up, and +the result is use-after-free in the work item callbacks. + +Reported-by: Dmitry Vyukov +Suggested-by: Dmitry Vyukov +Fixes: 0eb05bf290cfe8610d9680b49abef37febd1c38a +Reviewed-by: Xiao Guangrong +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/kvm_page_track.h | 1 + + arch/x86/kvm/page_track.c | 8 ++++++++ + arch/x86/kvm/x86.c | 1 + + 3 files changed, 10 insertions(+) + +--- a/arch/x86/include/asm/kvm_page_track.h ++++ b/arch/x86/include/asm/kvm_page_track.h +@@ -35,6 +35,7 @@ struct kvm_page_track_notifier_node { + }; + + void kvm_page_track_init(struct kvm *kvm); ++void kvm_page_track_cleanup(struct kvm *kvm); + + void kvm_page_track_free_memslot(struct kvm_memory_slot *free, + struct kvm_memory_slot *dont); +--- a/arch/x86/kvm/page_track.c ++++ b/arch/x86/kvm/page_track.c +@@ -156,6 +156,14 @@ bool kvm_page_track_is_active(struct kvm + return !!ACCESS_ONCE(slot->arch.gfn_track[mode][index]); + } + ++void kvm_page_track_cleanup(struct kvm *kvm) ++{ ++ struct kvm_page_track_notifier_head *head; ++ ++ head = &kvm->arch.track_notifier_head; ++ cleanup_srcu_struct(&head->track_srcu); ++} ++ + void kvm_page_track_init(struct kvm *kvm) + { + struct kvm_page_track_notifier_head *head; +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -7976,6 +7976,7 @@ void kvm_arch_destroy_vm(struct kvm *kvm + kvm_free_vcpus(kvm); + kvfree(rcu_dereference_check(kvm->arch.apic_map, 1)); + kvm_mmu_uninit_vm(kvm); ++ kvm_page_track_cleanup(kvm); + } + + void kvm_arch_free_memslot(struct kvm *kvm, struct kvm_memory_slot *free, 
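Review bot: kvm_page_track_cleanup() carries no comment stating its ordering requirement: cleanup_srcu_struct() must run after every page-track notifier has been unregistered, with no readers and no pending call_srcu() work, and the call site in kvm_arch_destroy_vm() relies on kvm_mmu_uninit_vm() having done that unregistration just before it — something this hunk does not show. Suggest a comment above the function, e.g. `/* Must be the last page-track call for this VM: cleanup_srcu_struct() requires that every notifier has been unregistered and no SRCU callbacks are pending. */`, so that a later reordering of kvm_arch_destroy_vm() does not reintroduce the use-after-free the commit message describes. The body of kvm_page_track_init() is cut off at the hunk's end.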
diff --git a/queue-4.9/metag-ptrace-preserve-previous-registers-for-short-regset-write.patch b/queue-4.9/metag-ptrace-preserve-previous-registers-for-short-regset-write.patch new file mode 100644 index 00000000000..5fa2558a73b --- /dev/null +++ b/queue-4.9/metag-ptrace-preserve-previous-registers-for-short-regset-write.patch @@ -0,0 +1,32 @@ +From a78ce80d2c9178351b34d78fec805140c29c193e Mon Sep 17 00:00:00 2001 +From: Dave Martin +Date: Mon, 27 Mar 2017 15:10:55 +0100 +Subject: metag/ptrace: Preserve previous registers for short regset write + +From: Dave Martin + +commit a78ce80d2c9178351b34d78fec805140c29c193e upstream. + +Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET +to fill all the registers, the thread's old registers are preserved. + +Signed-off-by: Dave Martin +Acked-by: James Hogan +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/metag/kernel/ptrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/metag/kernel/ptrace.c ++++ b/arch/metag/kernel/ptrace.c +@@ -303,7 +303,7 @@ static int metag_tls_set(struct task_str + const void *kbuf, const void __user *ubuf) + { + int ret; +- void __user *tls; ++ void __user *tls = target->thread.tls_ptr; + + ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1); + if (ret) diff --git a/queue-4.9/metag-ptrace-provide-default-txstatus-for-short-nt_prstatus.patch b/queue-4.9/metag-ptrace-provide-default-txstatus-for-short-nt_prstatus.patch new file mode 100644 index 00000000000..010686b3eee --- /dev/null +++ b/queue-4.9/metag-ptrace-provide-default-txstatus-for-short-nt_prstatus.patch 
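Review bot: The initialiser on the changed line in metag_tls_set() is the whole fix, yet nothing in the code says why the local is seeded rather than left uninitialised, so a later cleanup could easily revert it. A short why-comment would pin it: `void __user *tls = target->thread.tls_ptr; /* seed so a short write keeps the old value */`. The write-back of tls into the thread happens after the hunk ends and is not visible here.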
@@ -0,0 +1,60 @@ +From 5fe81fe98123ce41265c65e95d34418d30d005d1 Mon Sep 17 00:00:00 2001 +From: Dave Martin +Date: Mon, 27 Mar 2017 15:10:56 +0100 +Subject: metag/ptrace: Provide default TXSTATUS for short NT_PRSTATUS + +From: Dave Martin + +commit 5fe81fe98123ce41265c65e95d34418d30d005d1 upstream. + +Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET +to fill TXSTATUS, a well-defined default value is used, based on the +task's current value. + +Suggested-by: James Hogan +Signed-off-by: Dave Martin +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/metag/kernel/ptrace.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/arch/metag/kernel/ptrace.c ++++ b/arch/metag/kernel/ptrace.c +@@ -24,6 +24,16 @@ + * user_regset definitions. + */ + ++static unsigned long user_txstatus(const struct pt_regs *regs) ++{ ++ unsigned long data = (unsigned long)regs->ctx.Flags; ++ ++ if (regs->ctx.SaveMask & TBICTX_CBUF_BIT) ++ data |= USER_GP_REGS_STATUS_CATCH_BIT; ++ ++ return data; ++} ++ + int metag_gp_regs_copyout(const struct pt_regs *regs, + unsigned int pos, unsigned int count, + void *kbuf, void __user *ubuf) +@@ -62,9 +72,7 @@ int metag_gp_regs_copyout(const struct p + if (ret) + goto out; + /* TXSTATUS */ +- data = (unsigned long)regs->ctx.Flags; +- if (regs->ctx.SaveMask & TBICTX_CBUF_BIT) +- data |= USER_GP_REGS_STATUS_CATCH_BIT; ++ data = user_txstatus(regs); + ret = user_regset_copyout(&pos, &count, &kbuf, &ubuf, + &data, 4*25, 4*26); + if (ret) +@@ -119,6 +127,7 @@ int metag_gp_regs_copyin(struct pt_regs + if (ret) + goto out; + /* TXSTATUS */ ++ data = user_txstatus(regs); + ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, + &data, 4*25, 4*26); + if (ret) diff --git a/queue-4.9/metag-ptrace-reject-partial-nt_metag_rpipe-writes.patch b/queue-4.9/metag-ptrace-reject-partial-nt_metag_rpipe-writes.patch new file mode 100644 index 00000000000..bfa6cf6ebc2 --- /dev/null 
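Review bot: The new user_txstatus() helper has no comment, and its contract — the user-visible TXSTATUS word is ctx.Flags plus USER_GP_REGS_STATUS_CATCH_BIT derived from TBICTX_CBUF_BIT in ctx.SaveMask, not from Flags itself — is exactly the detail a reader of the copyin side needs to understand why `data` is now seeded before user_regset_copyin(). Suggest a two-line comment above the helper saying it composes the userspace TXSTATUS value from the saved Flags and the catch-buffer bit kept in SaveMask. The seeding makes a short NT_PRSTATUS write keep the task's current TXSTATUS, but the code that writes `data` back into the context lies past the hunk's end and is not visible.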
+++ b/queue-4.9/metag-ptrace-reject-partial-nt_metag_rpipe-writes.patch @@ -0,0 +1,35 @@ +From 7195ee3120d878259e8d94a5d9f808116f34d5ea Mon Sep 17 00:00:00 2001 +From: Dave Martin +Date: Mon, 27 Mar 2017 15:10:57 +0100 +Subject: metag/ptrace: Reject partial NT_METAG_RPIPE writes + +From: Dave Martin + +commit 7195ee3120d878259e8d94a5d9f808116f34d5ea upstream. + +It's not clear what behaviour is sensible when doing partial write of +NT_METAG_RPIPE, so just don't bother. + +This patch assumes that userspace will never rely on a partial SETREGSET +in this case, since it's not clear what should happen anyway. + +Signed-off-by: Dave Martin +Acked-by: James Hogan +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/metag/kernel/ptrace.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/metag/kernel/ptrace.c ++++ b/arch/metag/kernel/ptrace.c +@@ -253,6 +253,8 @@ int metag_rp_state_copyin(struct pt_regs + unsigned long long *ptr; + int ret, i; + ++ if (count < 4*13) ++ return -EINVAL; + /* Read the entire pipeline before making any changes */ + ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, + &rp, 0, 4*13); diff --git a/queue-4.9/mips-ptrace-preserve-previous-registers-for-short-regset-write.patch b/queue-4.9/mips-ptrace-preserve-previous-registers-for-short-regset-write.patch new file mode 100644 index 00000000000..84849b15bed --- /dev/null +++ b/queue-4.9/mips-ptrace-preserve-previous-registers-for-short-regset-write.patch 
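Review bot: The new guard in metag_rp_state_copyin() rejects a short count but still accepts a nonzero pos, so a caller passing pos > 0 with count >= 4*13 reaches the copyin with only a tail of the pipeline and the "reject partial writes" intent is not fully enforced. As far as I can tell the regset core always passes pos = 0 for PTRACE_SETREGSET, so this is a robustness nit rather than a reachable bug; `if (pos != 0 || count < 4*13)` / `return -EINVAL;` closes it, and a one-line comment naming 4*13 as the full NT_METAG_RPIPE size would help since the constant now appears twice. The function starts outside the hunk.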
@@ -0,0 +1,32 @@ +From d614fd58a2834cfe4efa472c33c8f3ce2338b09b Mon Sep 17 00:00:00 2001 +From: Dave Martin +Date: Mon, 27 Mar 2017 15:10:58 +0100 +Subject: mips/ptrace: Preserve previous registers for short regset write + +From: Dave Martin + +commit d614fd58a2834cfe4efa472c33c8f3ce2338b09b upstream. + +Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET +to fill all the registers, the thread's old registers are preserved. + +Signed-off-by: Dave Martin +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/ptrace.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -485,7 +485,8 @@ static int fpr_set(struct task_struct *t + &target->thread.fpu, + 0, sizeof(elf_fpregset_t)); + +- for (i = 0; i < NUM_FPU_REGS; i++) { ++ BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t)); ++ for (i = 0; i < NUM_FPU_REGS && count >= sizeof(elf_fpreg_t); i++) { + err = user_regset_copyin(&pos, &count, &kbuf, &ubuf, + &fpr_val, i * sizeof(elf_fpreg_t), + (i + 1) * sizeof(elf_fpreg_t)); diff --git a/queue-4.9/pinctrl-qcom-don-t-clear-status-bit-on-irq_unmask.patch b/queue-4.9/pinctrl-qcom-don-t-clear-status-bit-on-irq_unmask.patch new file mode 100644 index 00000000000..ea469b7deda --- /dev/null +++ b/queue-4.9/pinctrl-qcom-don-t-clear-status-bit-on-irq_unmask.patch 
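Review bot: The new loop condition in fpr_set() stops as soon as fewer than sizeof(elf_fpreg_t) bytes remain, so a count that is not a multiple of the register size silently leaves a trailing partial register unconsumed instead of being rejected, and whatever follows the loop (outside the hunk) sees a nonzero leftover count. If partial registers are not meant to be supported, reject them up front with `if (count % sizeof(elf_fpreg_t))` / `return -EINVAL;` before the loop; otherwise a comment stating that a trailing partial register is ignored would document the choice. The BUILD_BUG_ON is a good addition since fpr_val is copied through as a full elf_fpreg_t. fpr_set() begins and ends outside the hunk.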
@@ -0,0 +1,37 @@ +From a6566710adaa4a7dd5e0d99820ff9c9c30ee5951 Mon Sep 17 00:00:00 2001 +From: Bjorn Andersson +Date: Tue, 14 Mar 2017 08:23:26 -0700 +Subject: pinctrl: qcom: Don't clear status bit on irq_unmask + +From: Bjorn Andersson + +commit a6566710adaa4a7dd5e0d99820ff9c9c30ee5951 upstream. + +Clearing the status bit on irq_unmask will discard any pending interrupt +that did arrive after the irq_ack, i.e. while the IRQ handler function +was executing. + +Fixes: f365be092572 ("pinctrl: Add Qualcomm TLMM driver") +Cc: Stephen Boyd +Reported-by: Timur Tabi +Signed-off-by: Bjorn Andersson +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/qcom/pinctrl-msm.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/pinctrl/qcom/pinctrl-msm.c ++++ b/drivers/pinctrl/qcom/pinctrl-msm.c +@@ -594,10 +594,6 @@ static void msm_gpio_irq_unmask(struct i + + spin_lock_irqsave(&pctrl->lock, flags); + +- val = readl(pctrl->regs + g->intr_status_reg); +- val &= ~BIT(g->intr_status_bit); +- writel(val, pctrl->regs + g->intr_status_reg); +- + val = readl(pctrl->regs + g->intr_cfg_reg); + val |= BIT(g->intr_enable_bit); + writel(val, pctrl->regs + g->intr_cfg_reg); diff --git a/queue-4.9/series b/queue-4.9/series index 5b3fda0a658..21514e8a2e4 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
@@ -1,3 +1,15 @@
 xfrm-policy-init-locks-early.patch
 xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
 xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
+kvm-nvmx-invvpid-handling-improvements.patch
+kvm-nvmx-fix-nested-vpid-vmx-exec-control.patch
+kvm-x86-cleanup-the-page-tracking-srcu-instance.patch
+virtio_balloon-init-1st-buffer-in-stats-vq.patch
+pinctrl-qcom-don-t-clear-status-bit-on-irq_unmask.patch
+c6x-ptrace-remove-useless-ptrace_setregset-implementation.patch
+h8300-ptrace-fix-incorrect-register-transfer-count.patch
+mips-ptrace-preserve-previous-registers-for-short-regset-write.patch
+sparc-ptrace-preserve-previous-registers-for-short-regset-write.patch
+metag-ptrace-preserve-previous-registers-for-short-regset-write.patch
+metag-ptrace-provide-default-txstatus-for-short-nt_prstatus.patch
+metag-ptrace-reject-partial-nt_metag_rpipe-writes.patch
diff --git a/queue-4.9/sparc-ptrace-preserve-previous-registers-for-short-regset-write.patch b/queue-4.9/sparc-ptrace-preserve-previous-registers-for-short-regset-write.patch
new file mode 100644
index 00000000000..4f7cd547846
--- /dev/null
+++ b/queue-4.9/sparc-ptrace-preserve-previous-registers-for-short-regset-write.patch
@@ -0,0 +1,32 @@ +From d3805c546b275c8cc7d40f759d029ae92c7175f2 Mon Sep 17 00:00:00 2001 +From: Dave Martin +Date: Mon, 27 Mar 2017 15:10:59 +0100 +Subject: sparc/ptrace: Preserve previous registers for short regset write + +From: Dave Martin + +commit d3805c546b275c8cc7d40f759d029ae92c7175f2 upstream. + +Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET +to fill all the registers, the thread's old registers are preserved. + +Signed-off-by: Dave Martin +Acked-by: David S. Miller +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sparc/kernel/ptrace_64.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/sparc/kernel/ptrace_64.c ++++ b/arch/sparc/kernel/ptrace_64.c +@@ -313,7 +313,7 @@ static int genregs64_set(struct task_str + } + + if (!ret) { +- unsigned long y; ++ unsigned long y = regs->y; + + ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, + &y, diff --git a/queue-4.9/virtio_balloon-init-1st-buffer-in-stats-vq.patch b/queue-4.9/virtio_balloon-init-1st-buffer-in-stats-vq.patch new file mode 100644 index 00000000000..e7dc20b9dbc --- /dev/null +++ b/queue-4.9/virtio_balloon-init-1st-buffer-in-stats-vq.patch 
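Review bot: The one-line fix in genregs64_set() seeds the local `y` from regs->y, but the code gives no hint that this is load-bearing, so it reads like an arbitrary initialiser and is at risk of being reverted as redundant. A why-comment on the changed line makes the contract explicit: `unsigned long y = regs->y; /* keep the old value if the write is short */`. The copyin window for y and the write-back into regs are outside the hunk, so the exact range this protects is not visible here.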
@@ -0,0 +1,51 @@ +From fc8653228c8588a120f6b5dad6983b7b61ff669e Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Thu, 23 Mar 2017 08:04:18 +0100 +Subject: virtio_balloon: init 1st buffer in stats vq + +From: Ladi Prosek + +commit fc8653228c8588a120f6b5dad6983b7b61ff669e upstream. + +When init_vqs runs, virtio_balloon.stats is either uninitialized or +contains stale values. The host updates its state with garbage data +because it has no way of knowing that this is just a marker buffer +used for signaling. + +This patch updates the stats before pushing the initial buffer. + +Alternative fixes: +* Push an empty buffer in init_vqs. Not easily done with the current + virtio implementation and violates the spec "Driver MUST supply the + same subset of statistics in all buffers submitted to the statsq". +* Push a buffer with invalid tags in init_vqs. Violates the same + spec clause, plus "invalid tag" is not really defined. + +Note: the spec says: + When using the legacy interface, the device SHOULD ignore all values in + the first buffer in the statsq supplied by the driver after device + initialization. Note: Historically, drivers supplied an uninitialized + buffer in the first buffer. + +Unfortunately QEMU does not seem to implement the recommendation +even for the legacy interface. + +Signed-off-by: Ladi Prosek +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/virtio/virtio_balloon.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/virtio/virtio_balloon.c ++++ b/drivers/virtio/virtio_balloon.c +@@ -427,6 +427,8 @@ static int init_vqs(struct virtio_balloo + * Prime this virtqueue with one buffer so the hypervisor can + * use it to signal us later (it can't be broken yet!). + */ ++ update_balloon_stats(vb); ++ + sg_init_one(&sg, vb->stats, sizeof vb->stats); + if (virtqueue_add_outbuf(vb->stats_vq, &sg, 1, vb, GFP_KERNEL) + < 0)
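Review bot: The comment block directly above the new update_balloon_stats(vb) call still describes the buffer only as a signalling primer, while the reason the stats must be filled first — the host consumes this first buffer as real statistics rather than ignoring it, as the commit message reports for QEMU — lives only in the commit message, so a later cleanup could drop the call as wasted work. Extend the existing comment with a line such as `* Populate real statistics first: hosts (QEMU included) consume this priming buffer rather than ignoring it, so it must not carry stale or uninitialised values.` init_vqs() starts and ends outside the hunk, so I cannot see whether vb->stats is zeroed elsewhere; the commit message says it is not.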