From eefee69a482af8813531557b8e5ebd097f5369a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 11 Aug 2017 14:07:54 -0700
Subject: [PATCH] 4.4-stable patches

added patches:
      kvm-arm-arm64-handle-hva-aging-while-destroying-the-vm.patch
      mm-mempool-avoid-kasan-marking-mempool-poison-checks-as-use-after-free.patch
---
 ...le-hva-aging-while-destroying-the-vm.patch | 46 +++++++++++++++++++
 ...pool-poison-checks-as-use-after-free.patch | 37 +++++++++++++++
 queue-4.4/series | 2 +
 3 files changed, 85 insertions(+)
 create mode 100644 queue-4.4/kvm-arm-arm64-handle-hva-aging-while-destroying-the-vm.patch
 create mode 100644 queue-4.4/mm-mempool-avoid-kasan-marking-mempool-poison-checks-as-use-after-free.patch

diff --git a/queue-4.4/kvm-arm-arm64-handle-hva-aging-while-destroying-the-vm.patch b/queue-4.4/kvm-arm-arm64-handle-hva-aging-while-destroying-the-vm.patch
new file mode 100644
index 00000000000..922a2bc320e
--- /dev/null
+++ b/queue-4.4/kvm-arm-arm64-handle-hva-aging-while-destroying-the-vm.patch
@@ -0,0 +1,46 @@
+From 7e5a672289c9754d07e1c3b33649786d3d70f5e4 Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose
+Date: Wed, 5 Jul 2017 09:57:00 +0100
+Subject: KVM: arm/arm64: Handle hva aging while destroying the vm
+
+From: Suzuki K Poulose
+
+commit 7e5a672289c9754d07e1c3b33649786d3d70f5e4 upstream.
+
+The mmu_notifier_release() callback of KVM triggers cleaning up
+the stage2 page table on kvm-arm. However there could be other
+notifier callbacks in parallel with the mmu_notifier_release(),
+which could cause the call backs ending up in an empty stage2
+page table. Make sure we check it for all the notifier callbacks.
+
+Fixes: commit 293f29363 ("kvm-arm: Unmap shadow pagetables properly")
+Reported-by: Alex Graf
+Reviewed-by: Christoffer Dall
+Signed-off-by: Suzuki K Poulose
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ arch/arm/kvm/mmu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -1629,12 +1629,16 @@ static int kvm_test_age_hva_handler(stru
+ 
+ int kvm_age_hva(struct kvm *kvm, unsigned long start, unsigned long end)
+ {
++	if (!kvm->arch.pgd)
++		return 0;
+ 	trace_kvm_age_hva(start, end);
+ 	return handle_hva_to_gpa(kvm, start, end, kvm_age_hva_handler, NULL);
+ }
+ 
+ int kvm_test_age_hva(struct kvm *kvm, unsigned long hva)
+ {
++	if (!kvm->arch.pgd)
++		return 0;
+ 	trace_kvm_test_age_hva(hva);
+ 	return handle_hva_to_gpa(kvm, hva, hva, kvm_test_age_hva_handler, NULL);
+ }
diff --git a/queue-4.4/mm-mempool-avoid-kasan-marking-mempool-poison-checks-as-use-after-free.patch b/queue-4.4/mm-mempool-avoid-kasan-marking-mempool-poison-checks-as-use-after-free.patch
new file mode 100644
index 00000000000..b3882812a8d
--- /dev/null
+++ b/queue-4.4/mm-mempool-avoid-kasan-marking-mempool-poison-checks-as-use-after-free.patch
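Review bot: The added `if (!kvm->arch.pgd) return 0;` in kvm_age_hva and kvm_test_age_hva reads `kvm->arch.pgd` with no lock visible in the hunk, so it is an unlocked early-out rather than a synchronized check. If the teardown path that clears `arch.pgd` does not do so under the same lock `handle_hva_to_gpa` takes, a release running concurrently can still clear and free the table between this test and the walk; that path is not on this page, so this is a point to confirm rather than a defect I can show. Both copies deserve a why-comment, e.g. `/* stage2 may already be torn down by mmu_notifier_release(); nothing to age */`. Since the commit message says the other notifier callbacks already carry the same test, a single check inside handle_hva_to_gpa would avoid repeating it per caller, unless that helper is also reached from paths that must not early-out.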
@@ -0,0 +1,37 @@
+From 7640131032db9118a78af715ac77ba2debeeb17c Mon Sep 17 00:00:00 2001
+From: Matthew Dawson
+Date: Fri, 11 Mar 2016 13:08:07 -0800
+Subject: mm/mempool: avoid KASAN marking mempool poison checks as use-after-free
+
+From: Matthew Dawson
+
+commit 7640131032db9118a78af715ac77ba2debeeb17c upstream.
+
+When removing an element from the mempool, mark it as unpoisoned in KASAN
+before verifying its contents for SLUB/SLAB debugging. Otherwise KASAN
+will flag the reads checking the element use-after-free writes as
+use-after-free reads.
+
+Signed-off-by: Matthew Dawson
+Acked-by: Andrey Ryabinin
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Cc: Andrii Bordunov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/mempool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/mempool.c
++++ b/mm/mempool.c
+@@ -135,8 +135,8 @@ static void *remove_element(mempool_t *p
+ 	void *element = pool->elements[--pool->curr_nr];
+ 
+ 	BUG_ON(pool->curr_nr < 0);
+-	check_element(pool, element);
+ 	kasan_unpoison_element(pool, element);
++	check_element(pool, element);
+ 	return element;
+ }
+ 
diff --git a/queue-4.4/series b/queue-4.4/series
index 7e68bf40752..f562cf29497 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -9,3 +9,5 @@ revert-net-account-for-current-skb-length-when-deciding-about-ufo.patch
 revert-ipv4-should-use-consistent-conditional-judgement-for-ip-fragment-in-__ip_append_data-and-ip_finish_output.patch
 udp-consistently-apply-ufo-or-fragmentation.patch
 sparc64-prevent-perf-from-running-during-super-critical-sections.patch
+kvm-arm-arm64-handle-hva-aging-while-destroying-the-vm.patch
+mm-mempool-avoid-kasan-marking-mempool-poison-checks-as-use-after-free.patch
-- 
2.47.3
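Review bot: The new order of `kasan_unpoison_element` before `check_element` in remove_element is correct only while that order is preserved, and nothing in the code records why, so a later cleanup can swap the two calls back and reintroduce the false KASAN use-after-free report the commit message describes. A one-line comment above the unpoison call would pin the dependency: `/* unpoison before check_element() reads the element, else KASAN reports a UAF */`. remove_element's signature is only visible in the hunk header, so the function starts outside the hunk.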