From cd196ff9500f84b9811ea52d4f65190008c57543 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 16 Apr 2018 12:32:52 +0200
Subject: [PATCH] 3.18-stable patches
added patches:
parisc-fix-out-of-array-access-in-match_pci_device.patch
x86-apic-fix-restoring-boot-irq-mode-in-reboot-and-kexec-kdump.patch
---
 ...-of-array-access-in-match_pci_device.patch | 49 ++++++++++
 queue-3.18/series | 2 +
 ...t-irq-mode-in-reboot-and-kexec-kdump.patch | 95 +++++++++++++++++++
 3 files changed, 146 insertions(+)
 create mode 100644 queue-3.18/parisc-fix-out-of-array-access-in-match_pci_device.patch
 create mode 100644 queue-3.18/x86-apic-fix-restoring-boot-irq-mode-in-reboot-and-kexec-kdump.patch
diff --git a/queue-3.18/parisc-fix-out-of-array-access-in-match_pci_device.patch b/queue-3.18/parisc-fix-out-of-array-access-in-match_pci_device.patch
new file mode 100644
index 00000000000..28111e3b701
--- /dev/null
+++ b/queue-3.18/parisc-fix-out-of-array-access-in-match_pci_device.patch
@@ -0,0 +1,49 @@
+From 615b2665fd20c327b631ff1e79426775de748094 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Sun, 25 Mar 2018 23:53:22 +0200
+Subject: parisc: Fix out of array access in match_pci_device()
+
+From: Helge Deller
+
+commit 615b2665fd20c327b631ff1e79426775de748094 upstream.
+
+As found by the ubsan checker, the value of the 'index' variable can be
+out of range for the bc[] array:
+
+UBSAN: Undefined behaviour in arch/parisc/kernel/drivers.c:655:21
+index 6 is out of range for type 'char [6]'
+Backtrace:
+ [<104fa850>] __ubsan_handle_out_of_bounds+0x68/0x80
+ [<1019d83c>] check_parent+0xc0/0x170
+ [<1019d91c>] descend_children+0x30/0x6c
+ [<1059e164>] device_for_each_child+0x60/0x98
+ [<1019cd54>] parse_tree_node+0x40/0x54
+ [<1019d86c>] check_parent+0xf0/0x170
+ [<1019d91c>] descend_children+0x30/0x6c
+ [<1059e164>] device_for_each_child+0x60/0x98
+ [<1019d938>] descend_children+0x4c/0x6c
+ [<1059e164>] device_for_each_child+0x60/0x98
+ [<1019cd54>] parse_tree_node+0x40/0x54
+ [<1019cffc>] hwpath_to_device+0xa4/0xc4
+
+Signed-off-by: Helge Deller
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/kernel/drivers.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/parisc/kernel/drivers.c
++++ b/arch/parisc/kernel/drivers.c
+@@ -648,6 +648,10 @@ static int match_pci_device(struct devic
+ (modpath->mod == PCI_FUNC(devfn)));
+ }
+
++ /* index might be out of bounds for bc[] */
++ if (index >= 6)
++ return 0;
++
+ id = PCI_SLOT(pdev->devfn) | (PCI_FUNC(pdev->devfn) << 5);
+ return (modpath->bc[index] == id);
+ }
diff --git a/queue-3.18/series b/queue-3.18/series
index 7029bc23c1c..d725f0f15e9 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -1 +1,3 @@
 media-v4l2-compat-ioctl32-don-t-oops-on-overlay.patch
+parisc-fix-out-of-array-access-in-match_pci_device.patch
+x86-apic-fix-restoring-boot-irq-mode-in-reboot-and-kexec-kdump.patch
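Review bot: The new guard `if (index >= 6)` hard-codes the size of `modpath->bc[]` instead of deriving it from the declaration, so a later resize of the array silently reopens the out-of-bounds read that the UBSAN report ('char [6]') describes; `if (index >= ARRAY_SIZE(modpath->bc))` keeps the check and the array in step. The hunk does not show the type of `index` (the signature is cut off in the hunk header); if it is a signed int, `if (index < 0 || index >= ARRAY_SIZE(modpath->bc))` rejects a negative value explicitly rather than relying on the unsigned promotion of the comparison. The added comment could also state what the early return means to the caller, e.g. `/* path is deeper than bc[] can describe: treat as no match */`. match_pci_device() begins before the hunk.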
diff --git a/queue-3.18/x86-apic-fix-restoring-boot-irq-mode-in-reboot-and-kexec-kdump.patch b/queue-3.18/x86-apic-fix-restoring-boot-irq-mode-in-reboot-and-kexec-kdump.patch
new file mode 100644
index 00000000000..a50ed2bc489
--- /dev/null
+++ b/queue-3.18/x86-apic-fix-restoring-boot-irq-mode-in-reboot-and-kexec-kdump.patch
@@ -0,0 +1,95 @@
+From 339b2ae0cd5d4a58f9efe06e4ee36adbeca59228 Mon Sep 17 00:00:00 2001
+From: Baoquan He
+Date: Wed, 14 Feb 2018 13:46:53 +0800
+Subject: x86/apic: Fix restoring boot IRQ mode in reboot and kexec/kdump
+
+From: Baoquan He
+
+commit 339b2ae0cd5d4a58f9efe06e4ee36adbeca59228 upstream.
+
+This is a regression fix.
+
+Before, to fix erratum AVR31, the following commit:
+
+ 522e66464467 ("x86/apic: Disable I/O APIC before shutdown of the local APIC")
+
+... moved the lapic_shutdown() call to after disable_IO_APIC() in the reboot
+and kexec/kdump code paths.
+
+This introduced the following regression: disable_IO_APIC() not only clears
+the IO-APIC, but it also restores boot IRQ mode by setting the
+LAPIC/APIC/IMCR, calling lapic_shutdown() after disable_IO_APIC() will
+disable LAPIC and ruin the possible virtual wire mode setting which
+the code has been trying to do all along.
+
+The consequence is that a KVM guest kernel always prints the warning below
+during kexec/kdump as the kernel boots up:
+
+ [ 0.001000] WARNING: CPU: 0 PID: 0 at arch/x86/kernel/apic/apic.c:1467 setup_local_APIC+0x228/0x330
+ [ ........]
+ [ 0.001000] Call Trace:
+ [ 0.001000] apic_bsp_setup+0x56/0x74
+ [ 0.001000] x86_late_time_init+0x11/0x16
+ [ 0.001000] start_kernel+0x3c9/0x486
+ [ 0.001000] secondary_startup_64+0xa5/0xb0
+ [ ........]
+ [ 0.001000] masked ExtINT on CPU#0
+
+To fix this, just call clear_IO_APIC() to stop the IO-APIC where
+disable_IO_APIC() was called, and call restore_boot_irq_mode() to
+restore boot IRQ mode before a reboot or a kexec/kdump jump.
+
+Signed-off-by: Baoquan He
+Reviewed-by: Eric W. Biederman
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: douly.fnst@cn.fujitsu.com
+Cc: joro@8bytes.org
+Cc: prarit@redhat.com
+Cc: stable@vger.kernel.org
+Cc: uobergfe@redhat.com
+Fixes: commit 522e66464467 ("x86/apic: Disable I/O APIC before shutdown of the local APIC")
+Link: http://lkml.kernel.org/r/20180214054656.3780-4-bhe@redhat.com
+[ Rewrote the changelog. ]
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/crash.c | 3 ++-
+ arch/x86/kernel/reboot.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/crash.c
++++ b/arch/x86/kernel/crash.c
+@@ -173,9 +173,10 @@ void native_machine_crash_shutdown(struc
+ #ifdef CONFIG_X86_IO_APIC
+ /* Prevent crash_kexec() from deadlocking on ioapic_lock. */
+ ioapic_zap_locks();
+- disable_IO_APIC();
++ clear_IO_APIC();
+ #endif
+ lapic_shutdown();
++ restore_boot_irq_mode();
+ #ifdef CONFIG_HPET_TIMER
+ hpet_disable();
+ #endif
+--- a/arch/x86/kernel/reboot.c
++++ b/arch/x86/kernel/reboot.c
+@@ -606,7 +606,7 @@ void native_machine_shutdown(void)
+ * Even without the erratum, it still makes sense to quiet IO APIC
+ * before disabling Local APIC.
+ */
+- disable_IO_APIC();
++ clear_IO_APIC();
+ #endif
+
+ #ifdef CONFIG_SMP
+@@ -620,6 +620,7 @@ void native_machine_shutdown(void)
+ #endif
+
+ lapic_shutdown();
++ restore_boot_irq_mode();
+
+ #ifdef CONFIG_HPET_TIMER
+ hpet_disable();
--
2.47.3
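Review bot: The new side of both crash.c and reboot.c calls `clear_IO_APIC()` and `restore_boot_irq_mode()`, yet nothing in this commit introduces those helpers for 3.18 and the queue's series file on this page carries no prerequisite patch ahead of it; if the 3.18 tree still keeps `clear_IO_APIC()` file-local to io_apic.c and has no `restore_boot_irq_mode()`, the backport fails to build instead of fixing the regression, so the presence of the split helpers there should be confirmed before this is queued. In crash.c the `restore_boot_irq_mode()` call lands outside the `#ifdef CONFIG_X86_IO_APIC` block while `clear_IO_APIC()` is inside it, so the header also needs a stub for the `!CONFIG_X86_IO_APIC` configuration. A bracketed backport note above the last Signed-off-by, such as `[ 3.18 backport: depends on clear_IO_APIC()/restore_boot_irq_mode() being available — verified ]`, would record that check for the next reviewer. native_machine_crash_shutdown() and native_machine_shutdown() both begin outside their hunks.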