From ba943d8021bb12afd95ed611c0bf8996050116cd Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 31 Aug 2017 07:58:04 +0200
Subject: [PATCH] 4.12-stable patches

added patches:
	arm64-mm-abort-uaccess-retries-upon-fatal-signal.patch
	x86-io-add-memory-clobber-to-insb-insw-insl-outsb-outsw-outsl.patch
---
 ...rt-uaccess-retries-upon-fatal-signal.patch | 54 +++++++++++++++
 queue-4.12/series                             |  2 +
 ...-to-insb-insw-insl-outsb-outsw-outsl.patch | 66 +++++++++++++++++++
 3 files changed, 122 insertions(+)
 create mode 100644 queue-4.12/arm64-mm-abort-uaccess-retries-upon-fatal-signal.patch
 create mode 100644 queue-4.12/x86-io-add-memory-clobber-to-insb-insw-insl-outsb-outsw-outsl.patch

diff --git a/queue-4.12/arm64-mm-abort-uaccess-retries-upon-fatal-signal.patch b/queue-4.12/arm64-mm-abort-uaccess-retries-upon-fatal-signal.patch
new file mode 100644
index 00000000000..3cef57cb051
--- /dev/null
+++ b/queue-4.12/arm64-mm-abort-uaccess-retries-upon-fatal-signal.patch
@@ -0,0 +1,54 @@
+From 289d07a2dc6c6b6f3e4b8a62669320d99dbe6c3d Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Tue, 11 Jul 2017 15:19:22 +0100
+Subject: arm64: mm: abort uaccess retries upon fatal signal
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit 289d07a2dc6c6b6f3e4b8a62669320d99dbe6c3d upstream.
+
+When there's a fatal signal pending, arm64's do_page_fault()
+implementation returns 0. The intent is that we'll return to the
+faulting userspace instruction, delivering the signal on the way.
+
+However, if we take a fatal signal during fixing up a uaccess, this
+results in a return to the faulting kernel instruction, which will be
+instantly retried, resulting in the same fault being taken forever. As
+the task never reaches userspace, the signal is not delivered, and the
+task is left unkillable. While the task is stuck in this state, it can
+inhibit the forward progress of the system.
+
+To avoid this, we must ensure that when a fatal signal is pending, we
+apply any necessary fixup for a faulting kernel instruction. Thus we
+will return to an error path, and it is up to that code to make forward
+progress towards delivering the fatal signal.
+
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Laura Abbott <labbott@redhat.com>
+Reviewed-by: Steve Capper <steve.capper@arm.com>
+Tested-by: Steve Capper <steve.capper@arm.com>
+Reviewed-by: James Morse <james.morse@arm.com>
+Tested-by: James Morse <james.morse@arm.com>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/mm/fault.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/mm/fault.c
++++ b/arch/arm64/mm/fault.c
+@@ -397,8 +397,11 @@ retry:
+ 	 * signal first. We do not need to release the mmap_sem because it
+ 	 * would already be released in __lock_page_or_retry in mm/filemap.c.
+ 	 */
+-	if ((fault & VM_FAULT_RETRY) && fatal_signal_pending(current))
++	if ((fault & VM_FAULT_RETRY) && fatal_signal_pending(current)) {
++		if (!user_mode(regs))
++			goto no_context;
+ 		return 0;
++	}
+ 
+ 	/*
+ 	 * Major/minor page fault accounting is only done on the initial
diff --git a/queue-4.12/series b/queue-4.12/series
index e69de29bb2d..11140ec4ba3 100644
--- a/queue-4.12/series
+++ b/queue-4.12/series
@@ -0,0 +1,2 @@
+arm64-mm-abort-uaccess-retries-upon-fatal-signal.patch
+x86-io-add-memory-clobber-to-insb-insw-insl-outsb-outsw-outsl.patch
diff --git a/queue-4.12/x86-io-add-memory-clobber-to-insb-insw-insl-outsb-outsw-outsl.patch b/queue-4.12/x86-io-add-memory-clobber-to-insb-insw-insl-outsb-outsw-outsl.patch
new file mode 100644
index 00000000000..bf94543e8b4
--- /dev/null
+++ b/queue-4.12/x86-io-add-memory-clobber-to-insb-insw-insl-outsb-outsw-outsl.patch
@@ -0,0 +1,66 @@
+From 7206f9bf108eb9513d170c73f151367a1bdf3dbf Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 19 Jul 2017 14:53:02 +0200
+Subject: x86/io: Add "memory" clobber to insb/insw/insl/outsb/outsw/outsl
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 7206f9bf108eb9513d170c73f151367a1bdf3dbf upstream.
+
+The x86 version of insb/insw/insl uses an inline assembly that does
+not have the target buffer listed as an output. This can confuse
+the compiler, leading it to think that a subsequent access of the
+buffer is uninitialized:
+
+  drivers/net/wireless/wl3501_cs.c: In function âwl3501_mgmt_scan_confirmâ:
+  drivers/net/wireless/wl3501_cs.c:665:9: error: âsig.statusâ is used uninitialized in this function [-Werror=uninitialized]
+  drivers/net/wireless/wl3501_cs.c:668:12: error: âsig.cap_infoâ may be used uninitialized in this function [-Werror=maybe-uninitialized]
+  drivers/net/sb1000.c: In function 'sb1000_rx':
+  drivers/net/sb1000.c:775:9: error: 'st[0]' is used uninitialized in this function [-Werror=uninitialized]
+  drivers/net/sb1000.c:776:10: error: 'st[1]' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+  drivers/net/sb1000.c:784:11: error: 'st[1]' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+
+I tried to mark the exact input buffer as an output here, but couldn't
+figure it out. As suggested by Linus, marking all memory as clobbered
+however is good enough too. For the outs operations, I also add the
+memory clobber, to force the input to be written to local variables.
+This is probably already guaranteed by the "asm volatile", but it can't
+hurt to do this for symmetry.
+
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
+Link: http://lkml.kernel.org/r/20170719125310.2487451-5-arnd@arndb.de
+Link: https://lkml.org/lkml/2017/7/12/605
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/io.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/io.h
++++ b/arch/x86/include/asm/io.h
+@@ -328,13 +328,13 @@ static inline unsigned type in##bwl##_p(
+ static inline void outs##bwl(int port, const void *addr, unsigned long count) \
+ {									\
+ 	asm volatile("rep; outs" #bwl					\
+-		     : "+S"(addr), "+c"(count) : "d"(port));		\
++		     : "+S"(addr), "+c"(count) : "d"(port) : "memory");	\
+ }									\
+ 									\
+ static inline void ins##bwl(int port, void *addr, unsigned long count)	\
+ {									\
+ 	asm volatile("rep; ins" #bwl					\
+-		     : "+D"(addr), "+c"(count) : "d"(port));		\
++		     : "+D"(addr), "+c"(count) : "d"(port) : "memory");	\
+ }
+ 
+ BUILDIO(b, b, char)
-- 
2.47.3