--- /dev/null
+From 72f310481a08db821b614e7b5d00febcc9064b36 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 16 Mar 2017 18:20:50 +0000
+Subject: arm/arm64: KVM: Take mmap_sem in kvm_arch_prepare_memory_region
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 72f310481a08db821b614e7b5d00febcc9064b36 upstream.
+
+We don't hold the mmap_sem while searching for VMAs (via find_vma), in
+kvm_arch_prepare_memory_region, which can end up in unexpected failures.
+
+Fixes: commit 8eef91239e57 ("arm/arm64: KVM: map MMIO regions at creation time")
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Eric Auger <eric.auger@rehat.com>
+Reviewed-by: Christoffer Dall <cdall@linaro.org>
+[ Handle dirty page logging failure case ]
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kvm/mmu.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -1761,6 +1761,7 @@ int kvm_arch_prepare_memory_region(struc
+ (KVM_PHYS_SIZE >> PAGE_SHIFT))
+ return -EFAULT;
+
++ down_read(¤t->mm->mmap_sem);
+ /*
+ * A memory region could potentially cover multiple VMAs, and any holes
+ * between them, so iterate over all of them to find out if we can map
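Review bot: The `down_read()` added above the VMA loop has no comment saying what it protects, and from this point every exit has to leave through the `out:` label added in the last hunk. The loop body between this hunk and the next is not shown; the two `return`s visible in the later hunks are converted to `goto out`, but any direct `return` left in the unseen part would exit with mmap_sem still held, so that stretch is worth re-checking on each backport. A one-line comment such as `/* find_vma() in the loop below needs mmap_sem held for read */` would record the reason for the lock. The `¤t` in the `down_read()`/`up_read()` lines looks like an extraction artefact of `&current`.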
+@@ -1804,8 +1805,10 @@ int kvm_arch_prepare_memory_region(struc
+ pa += vm_start - vma->vm_start;
+
+ /* IO region dirty page logging not allowed */
+- if (memslot->flags & KVM_MEM_LOG_DIRTY_PAGES)
+- return -EINVAL;
++ if (memslot->flags & KVM_MEM_LOG_DIRTY_PAGES) {
++ ret = -EINVAL;
++ goto out;
++ }
+
+ ret = kvm_phys_addr_ioremap(kvm, gpa, pa,
+ vm_end - vm_start,
+@@ -1817,7 +1820,7 @@ int kvm_arch_prepare_memory_region(struc
+ } while (hva < reg_end);
+
+ if (change == KVM_MR_FLAGS_ONLY)
+- return ret;
++ goto out;
+
+ spin_lock(&kvm->mmu_lock);
+ if (ret)
+@@ -1825,6 +1828,8 @@ int kvm_arch_prepare_memory_region(struc
+ else
+ stage2_flush_memslot(kvm, memslot);
+ spin_unlock(&kvm->mmu_lock);
++out:
++ up_read(¤t->mm->mmap_sem);
+ return ret;
+ }
+
--- /dev/null
+From 90f6e150e44a0dc3883110eeb3ab35d1be42b6bb Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 16 Mar 2017 18:20:49 +0000
+Subject: arm/arm64: KVM: Take mmap_sem in stage2_unmap_vm
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 90f6e150e44a0dc3883110eeb3ab35d1be42b6bb upstream.
+
+We don't hold the mmap_sem while searching for the VMAs when
+we try to unmap each memslot for a VM. Fix this properly to
+avoid unexpected results.
+
+Fixes: commit 957db105c997 ("arm/arm64: KVM: Introduce stage2_unmap_vm")
+Reviewed-by: Christoffer Dall <cdall@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kvm/mmu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -796,6 +796,7 @@ void stage2_unmap_vm(struct kvm *kvm)
+ int idx;
+
+ idx = srcu_read_lock(&kvm->srcu);
++ down_read(¤t->mm->mmap_sem);
+ spin_lock(&kvm->mmu_lock);
+
+ slots = kvm_memslots(kvm);
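Review bot: The semaphore is taken on `current->mm` although the function is handed a `struct kvm *`, so the locking is right only if every caller runs in the process that owns the VM, which this hunk cannot show. If that holds, a comment above the `down_read()` such as `/* mmap_sem of current->mm: callers are expected to run in the VM's own process */` would make the assumption explicit for later callers. The acquire order (SRCU, then mmap_sem, then the `mmu_lock` spinlock) matches the reverse release order in the second hunk, and the sleeping lock is taken before the spinlock as it must be.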
+@@ -803,6 +804,7 @@ void stage2_unmap_vm(struct kvm *kvm)
+ stage2_unmap_memslot(kvm, memslot);
+
+ spin_unlock(&kvm->mmu_lock);
++ up_read(¤t->mm->mmap_sem);
+ srcu_read_unlock(&kvm->srcu, idx);
+ }
+
--- /dev/null
+From 4bdc9029685ac03be50b320b29691766d2326c2b Mon Sep 17 00:00:00 2001
+From: Quentin Schulz <quentin.schulz@free-electrons.com>
+Date: Tue, 21 Mar 2017 16:52:14 +0100
+Subject: iio: bmg160: reset chip when probing
+
+From: Quentin Schulz <quentin.schulz@free-electrons.com>
+
+commit 4bdc9029685ac03be50b320b29691766d2326c2b upstream.
+
+The gyroscope chip might need to be reset to be used.
+
+Without the chip being reset, the driver stopped at the first
+regmap_read (to get the CHIP_ID) and failed to probe.
+
+The datasheet of the gyroscope says that a minimum wait of 30ms after
+the reset has to be done.
+
+This patch has been checked on a BMX055 and the datasheet of the BMG160
+and the BMI055 give the same reset register and bits.
+
+Signed-off-by: Quentin Schulz <quentin.schulz@free-electrons.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/gyro/bmg160_core.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/iio/gyro/bmg160_core.c
++++ b/drivers/iio/gyro/bmg160_core.c
+@@ -28,6 +28,7 @@
+ #include <linux/iio/trigger_consumer.h>
+ #include <linux/iio/triggered_buffer.h>
+ #include <linux/regmap.h>
++#include <linux/delay.h>
+ #include "bmg160.h"
+
+ #define BMG160_IRQ_NAME "bmg160_event"
+@@ -53,6 +54,9 @@
+ #define BMG160_NO_FILTER 0
+ #define BMG160_DEF_BW 100
+
++#define BMG160_GYRO_REG_RESET 0x14
++#define BMG160_GYRO_RESET_VAL 0xb6
++
+ #define BMG160_REG_INT_MAP_0 0x17
+ #define BMG160_INT_MAP_0_BIT_ANY BIT(1)
+
+@@ -186,6 +190,14 @@ static int bmg160_chip_init(struct bmg16
+ int ret;
+ unsigned int val;
+
++ /*
++ * Reset chip to get it in a known good state. A delay of 30ms after
++ * reset is required according to the datasheet.
++ */
++ regmap_write(data->regmap, BMG160_GYRO_REG_RESET,
++ BMG160_GYRO_RESET_VAL);
++ usleep_range(30000, 30700);
++
+ ret = regmap_read(data->regmap, BMG160_REG_CHIP_ID, &val);
+ if (ret < 0) {
+ dev_err(data->dev, "Error reading reg_chip_id\n");
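Review bot: The return value of the new `regmap_write()` is discarded, so a failed reset looks the same as a successful one and the function goes on to the 30 ms sleep and the chip-ID read regardless. If ignoring it is deliberate (for instance because the chip may not acknowledge the write while it resets, which the commit does not state), the comment above the call should say so. Otherwise assign and check it: `ret = regmap_write(data->regmap, BMG160_GYRO_REG_RESET, BMG160_GYRO_RESET_VAL);` followed by `if (ret < 0) return ret;`. `bmg160_chip_init()` continues past the end of this hunk.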
drm-ttm-drm-vmwgfx-relax-permission-checking-when-opening-surfaces.patch
drm-vmwgfx-remove-getparam-error-message.patch
drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
+sysfs-be-careful-of-error-returns-from-ops-show.patch
+staging-android-ashmem-lseek-failed-due-to-no-fmode_lseek.patch
+arm-arm64-kvm-take-mmap_sem-in-stage2_unmap_vm.patch
+arm-arm64-kvm-take-mmap_sem-in-kvm_arch_prepare_memory_region.patch
+iio-bmg160-reset-chip-when-probing.patch
--- /dev/null
+From 97fbfef6bd597888485b653175fb846c6998b60c Mon Sep 17 00:00:00 2001
+From: Shuxiao Zhang <zhangshuxiao@xiaomi.com>
+Date: Thu, 6 Apr 2017 22:30:29 +0800
+Subject: staging: android: ashmem: lseek failed due to no FMODE_LSEEK.
+
+From: Shuxiao Zhang <zhangshuxiao@xiaomi.com>
+
+commit 97fbfef6bd597888485b653175fb846c6998b60c upstream.
+
+vfs_llseek checks whether the file mode has FMODE_LSEEK
+and returns failure if it does not. But ashmem files can
+be seeked, so add FMODE_LSEEK to the ashmem file.
+
+Comment From Greg Hackmann:
+ ashmem_llseek() passes the llseek() call through to the backing
+ shmem file. 91360b02ab48 ("ashmem: use vfs_llseek()") changed
+ this from directly calling the file's llseek() op into a VFS
+ layer call. This also adds a check for the FMODE_LSEEK bit, so
+ without that bit ashmem_llseek() now always fails with -ESPIPE.
+
+Fixes: 91360b02ab48 ("ashmem: use vfs_llseek()")
+Signed-off-by: Shuxiao Zhang <zhangshuxiao@xiaomi.com>
+Tested-by: Greg Hackmann <ghackmann@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/android/ashmem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -392,6 +392,7 @@ static int ashmem_mmap(struct file *file
+ ret = PTR_ERR(vmfile);
+ goto out;
+ }
++ vmfile->f_mode |= FMODE_LSEEK;
+ asma->file = vmfile;
+ }
+ get_file(asma->file);
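Review bot: The added `f_mode` line has no comment, and at this spot in `ashmem_mmap()` nothing explains why the backing file needs a seek flag set by hand. Something like `/* ashmem_llseek() forwards to this file via vfs_llseek(), which fails with -ESPIPE unless FMODE_LSEEK is set */` would keep the reason next to the code instead of only in the commit message. The function starts and ends outside this hunk.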
--- /dev/null
+From c8a139d001a1aab1ea8734db14b22dac9dd143b6 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Mon, 3 Apr 2017 11:30:34 +1000
+Subject: sysfs: be careful of error returns from ops->show()
+
+From: NeilBrown <neilb@suse.com>
+
+commit c8a139d001a1aab1ea8734db14b22dac9dd143b6 upstream.
+
+ops->show() can return a negative error code.
+Commit 65da3484d9be ("sysfs: correctly handle short reads on PREALLOC attrs.")
+(in v4.4) caused this to be stored in an unsigned 'size_t' variable, so errors
+would look like large numbers.
+As a result, if an error is returned, sysfs_kf_read() will return the
+value of 'count', typically 4096.
+
+Commit 17d0774f8068 ("sysfs: correctly handle read offset on PREALLOC attrs")
+(in v4.8) extended this error to use the unsigned large 'len' as a size for
+memmove().
+Consequently, if ->show returns an error, then the first read() on the
+sysfs file will return 4096 and could return uninitialized memory to
+user-space.
+If the application performs a subsequent read, this will trigger a memmove()
+with an extremely large count, and is likely to crash the machine in bizarre ways.
+
+This bug can currently only be triggered by reading from an md
+sysfs attribute declared with __ATTR_PREALLOC() during the
+brief period between when mddev_put() deletes an mddev from
+the ->all_mddevs list, and when mddev_delayed_delete() - which is
+scheduled on a workqueue - completes.
+Before this, an error won't be returned by the ->show()
+After this, the ->show() won't be called.
+
+I can reproduce it reliably only by putting delay like
+ usleep_range(500000,700000);
+early in mddev_delayed_delete(). Then after creating an
+md device md0 run
+ echo clear > /sys/block/md0/md/array_state; cat /sys/block/md0/md/array_state
+
+The bug can be triggered without the usleep.
+
+Fixes: 65da3484d9be ("sysfs: correctly handle short reads on PREALLOC attrs.")
+Fixes: 17d0774f8068 ("sysfs: correctly handle read offset on PREALLOC attrs")
+Signed-off-by: NeilBrown <neilb@suse.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Reported-and-tested-by: Miroslav Benes <mbenes@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/sysfs/file.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/sysfs/file.c
++++ b/fs/sysfs/file.c
+@@ -108,7 +108,7 @@ static ssize_t sysfs_kf_read(struct kern
+ {
+ const struct sysfs_ops *ops = sysfs_file_ops(of->kn);
+ struct kobject *kobj = of->kn->parent->priv;
+- size_t len;
++ ssize_t len;
+
+ /*
+ * If buf != of->prealloc_buf, we don't know how
+@@ -117,13 +117,15 @@ static ssize_t sysfs_kf_read(struct kern
+ if (WARN_ON_ONCE(buf != of->prealloc_buf))
+ return 0;
+ len = ops->show(kobj, of->kn->priv, buf);
++ if (len < 0)
++ return len;
+ if (pos) {
+ if (len <= pos)
+ return 0;
+ len -= pos;
+ memmove(buf, buf + pos, len);
+ }
+- return min(count, len);
++ return min_t(ssize_t, count, len);
+ }
+
+ /* kernfs write callback for regular sysfs files */
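Review bot: With the new `len < 0` check in place, a positive `len` from `ops->show()` is still trusted as-is, and `len - pos` becomes the `memmove()` length without being bounded by the size of `of->prealloc_buf`. The buffer size is not visible in this hunk, so this is a hardening suggestion rather than a confirmed overrun: a callback that returns more than the buffer holds would make the `memmove()` read past it. Assuming the usual PAGE_SIZE sysfs buffer, a clamp right after the error check, e.g. `if (WARN_ON_ONCE(len > (ssize_t)PAGE_SIZE)) len = PAGE_SIZE;`, would make the contract explicit. The `min_t(ssize_t, count, len)` cast also relies on `count` never exceeding the signed range, which the caller (not shown) would have to guarantee.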