From f671fddb6cc143af75cd8a63393604c3c1889884 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 17 Aug 2020 15:24:03 +0200
Subject: [PATCH] 4.19-stable patches
added patches:
xen-balloon-fix-accounting-in-alloc_xenballooned_pages-error-path.patch
xen-balloon-make-the-balloon-wait-interruptible.patch
xen-gntdev-fix-dmabuf-import-with-non-zero-sgt-offset.patch
---
 queue-4.19/series | 3 ++
 ...-alloc_xenballooned_pages-error-path.patch | 43 ++++++++++++++++++
 ...-make-the-balloon-wait-interruptible.patch | 44 +++++++++++++++++++
 ...abuf-import-with-non-zero-sgt-offset.patch | 43 ++++++++++++++++++
 4 files changed, 133 insertions(+)
 create mode 100644 queue-4.19/xen-balloon-fix-accounting-in-alloc_xenballooned_pages-error-path.patch
 create mode 100644 queue-4.19/xen-balloon-make-the-balloon-wait-interruptible.patch
 create mode 100644 queue-4.19/xen-gntdev-fix-dmabuf-import-with-non-zero-sgt-offset.patch
diff --git a/queue-4.19/series b/queue-4.19/series
index 88f2504e4f2..ad475e34370 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -163,3 +163,6 @@ parisc-implement-__smp_store_release-and-__smp_load_acquire-barriers.patch
 parisc-mask-out-enable-and-reserved-bits-from-sba-imask.patch
 arm-8992-1-fix-unwind_frame-for-clang-built-kernels.patch
 irqdomain-treewide-free-firmware-node-after-domain-removal.patch
+xen-balloon-fix-accounting-in-alloc_xenballooned_pages-error-path.patch
+xen-balloon-make-the-balloon-wait-interruptible.patch
+xen-gntdev-fix-dmabuf-import-with-non-zero-sgt-offset.patch
diff --git a/queue-4.19/xen-balloon-fix-accounting-in-alloc_xenballooned_pages-error-path.patch b/queue-4.19/xen-balloon-fix-accounting-in-alloc_xenballooned_pages-error-path.patch
new file mode 100644
index 00000000000..bc76969417f
--- /dev/null
+++ b/queue-4.19/xen-balloon-fix-accounting-in-alloc_xenballooned_pages-error-path.patch
@@ -0,0 +1,43 @@
+From 1951fa33ec259abdf3497bfee7b63e7ddbb1a394 Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne
+Date: Mon, 27 Jul 2020 11:13:39 +0200
+Subject: xen/balloon: fix accounting in alloc_xenballooned_pages error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monne
+
+commit 1951fa33ec259abdf3497bfee7b63e7ddbb1a394 upstream.
+
+target_unpopulated is incremented with nr_pages at the start of the
+function, but the call to free_xenballooned_pages will only subtract
+pgno number of pages, and thus the rest need to be subtracted before
+returning or else accounting will be skewed.
+
+Signed-off-by: Roger Pau Monné
+Reviewed-by: Juergen Gross
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200727091342.52325-2-roger.pau@citrix.com
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/xen/balloon.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -632,6 +632,12 @@ int alloc_xenballooned_pages(int nr_page
+ out_undo:
+ mutex_unlock(&balloon_mutex);
+ free_xenballooned_pages(pgno, pages);
++ /*
++ * NB: free_xenballooned_pages will only subtract pgno pages, but since
++ * target_unpopulated is incremented with nr_pages at the start we need
++ * to remove the remaining ones also, or accounting will be screwed.
++ */
++ balloon_stats.target_unpopulated -= nr_pages - pgno;
+ return ret;
+ }
+ EXPORT_SYMBOL(alloc_xenballooned_pages);
diff --git a/queue-4.19/xen-balloon-make-the-balloon-wait-interruptible.patch b/queue-4.19/xen-balloon-make-the-balloon-wait-interruptible.patch
new file mode 100644
index 00000000000..137f8397b01
--- /dev/null
+++ b/queue-4.19/xen-balloon-make-the-balloon-wait-interruptible.patch
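Review bot: In the `out_undo:` path of alloc_xenballooned_pages (drivers/xen/balloon.c), the added `balloon_stats.target_unpopulated -= nr_pages - pgno;` runs after `mutex_unlock(&balloon_mutex);`, so the counter is adjusted without the lock released just above it. If target_unpopulated is otherwise only modified under balloon_mutex (the increment at the start of the function is outside this hunk, so this is inferred), a concurrent caller can race with this read-modify-write and the accounting this patch repairs can drift again. Moving the subtraction, together with its comment, above `mutex_unlock(&balloon_mutex);` keeps the update under the lock. The function body starts outside the hunk.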
@@ -0,0 +1,44 @@
+From 88a479ff6ef8af7f07e11593d58befc644244ff7 Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne
+Date: Mon, 27 Jul 2020 11:13:40 +0200
+Subject: xen/balloon: make the balloon wait interruptible
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monne
+
+commit 88a479ff6ef8af7f07e11593d58befc644244ff7 upstream.
+
+So it can be killed, or else processes can get hung indefinitely
+waiting for balloon pages.
+
+Signed-off-by: Roger Pau Monné
+Reviewed-by: Juergen Gross
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20200727091342.52325-3-roger.pau@citrix.com
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/xen/balloon.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -570,11 +570,13 @@ static int add_ballooned_pages(int nr_pa
+ if (xen_hotplug_unpopulated) {
+ st = reserve_additional_memory();
+ if (st != BP_ECANCELED) {
++ int rc;
++
+ mutex_unlock(&balloon_mutex);
+- wait_event(balloon_wq,
++ rc = wait_event_interruptible(balloon_wq,
+ !list_empty(&ballooned_pages));
+ mutex_lock(&balloon_mutex);
+- return 0;
++ return rc ? -ENOMEM : 0;
+ }
+ }
+
diff --git a/queue-4.19/xen-gntdev-fix-dmabuf-import-with-non-zero-sgt-offset.patch b/queue-4.19/xen-gntdev-fix-dmabuf-import-with-non-zero-sgt-offset.patch
new file mode 100644
index 00000000000..6530aefa85a
--- /dev/null
+++ b/queue-4.19/xen-gntdev-fix-dmabuf-import-with-non-zero-sgt-offset.patch
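Review bot: The new `return rc ? -ENOMEM : 0;` in add_ballooned_pages (drivers/xen/balloon.c) reports an interrupted wait as an out-of-memory error, so a caller cannot tell a signal from a real allocation failure, and nothing in the code explains the choice. Either document it at the return, for example `/* interrupted by a signal: fail the allocation rather than restart the wait */`, or propagate `rc` if the callers can cope with it. The commit message only asks for the wait to be killable; if that is the whole intent, `wait_event_killable()` would restrict wake-ups to fatal signals. The function starts and ends outside the hunk.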
@@ -0,0 +1,43 @@
+From 5fa4e6f1c2d8c9a4e47e1931b42893172d388f2b Mon Sep 17 00:00:00 2001
+From: Oleksandr Andrushchenko
+Date: Thu, 13 Aug 2020 09:21:09 +0300
+Subject: xen/gntdev: Fix dmabuf import with non-zero sgt offset
+
+From: Oleksandr Andrushchenko
+
+commit 5fa4e6f1c2d8c9a4e47e1931b42893172d388f2b upstream.
+
+It is possible that the scatter-gather table during dmabuf import has
+non-zero offset of the data, but user-space doesn't expect that.
+Fix this by failing the import, so user-space doesn't access wrong data.
+
+Fixes: bf8dc55b1358 ("xen/gntdev: Implement dma-buf import functionality")
+
+Signed-off-by: Oleksandr Andrushchenko
+Acked-by: Juergen Gross
+Cc:
+Link: https://lore.kernel.org/r/20200813062113.11030-2-andr2000@gmail.com
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/xen/gntdev-dmabuf.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/xen/gntdev-dmabuf.c
++++ b/drivers/xen/gntdev-dmabuf.c
+@@ -641,6 +641,14 @@ dmabuf_imp_to_refs(struct gntdev_dmabuf_
+ goto fail_detach;
+ }
+
++ /* Check that we have zero offset. */
++ if (sgt->sgl->offset) {
++ ret = ERR_PTR(-EINVAL);
++ pr_debug("DMA buffer has %d bytes offset, user-space expects 0\n",
++ sgt->sgl->offset);
++ goto fail_unmap;
++ }
++
+ /* Check number of pages that imported buffer has. */
+ if (attach->dmabuf->size != gntdev_dmabuf->nr_pages << PAGE_SHIFT) {
+ ret = ERR_PTR(-EINVAL);
--
2.47.3
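Review bot: The added `pr_debug` in dmabuf_imp_to_refs (drivers/xen/gntdev-dmabuf.c) prints `sgt->sgl->offset` with `%d`, but the offset field of struct scatterlist is an unsigned int, so the specifier should be `%u`: `pr_debug("DMA buffer has %u bytes offset, user-space expects 0\n",`. The check inspects only the first scatterlist entry, and the comment `/* Check that we have zero offset. */` does not say why; something like `/* User-space maps the buffer from offset 0, so reject a non-zero offset in the first entry. */` would record the reason. Because the message is logged at debug level, a rejected import returns -EINVAL with nothing in the log on default settings. The function starts and ends outside the hunk.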