From: Greg Kroah-Hartman Date: Mon, 9 Aug 2021 10:49:35 +0000 (+0200) Subject: 5.13-stable patches X-Git-Tag: v4.4.280~31 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=01264cd32d975014857e4cceefc565a3f4f65ac9;p=thirdparty%2Fkernel%2Fstable-queue.git 5.13-stable patches added patches: arm-omap2-hwmod-fix-potential-null-pointer-access.patch arm64-fix-compat-syscall-return-truncation.patch bus-ti-sysc-am3-rng-is-gp-only.patch io-wq-fix-race-between-worker-exiting-and-activating-free-worker.patch kvm-do-not-leak-memory-for-duplicate-debugfs-directories.patch kvm-svm-fix-off-by-one-indexing-when-nullifying-last-used-sev-vmcb.patch kvm-x86-accept-userspace-interrupt-only-if-no-event-is-injected.patch kvm-x86-mmu-fix-per-cpu-counter-corruption-on-32-bit-builds.patch md-raid10-properly-indicate-failure-when-ending-a-failed-write-request.patch pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch revert-gpio-mpc8xxx-change-the-gpio-interrupt-flags.patch s390-dasd-fix-use-after-free-in-dasd-path-handling.patch scsi-ibmvfc-fix-command-state-accounting-and-stale-response-detection.patch selinux-correct-the-return-value-when-loads-initial-sids.patch --- diff --git a/queue-5.13/arm-omap2-hwmod-fix-potential-null-pointer-access.patch b/queue-5.13/arm-omap2-hwmod-fix-potential-null-pointer-access.patch new file mode 100644 index 00000000000..e305ba217d7 --- /dev/null +++ b/queue-5.13/arm-omap2-hwmod-fix-potential-null-pointer-access.patch @@ -0,0 +1,48 @@ +From b070f9ca78680486927b799cf6126b128a7c2c1b Mon Sep 17 00:00:00 2001 +From: Tero Kristo +Date: Tue, 20 Jul 2021 11:47:10 -0700 +Subject: ARM: omap2+: hwmod: fix potential NULL pointer access + +From: Tero Kristo + +commit b070f9ca78680486927b799cf6126b128a7c2c1b upstream. + +omap_hwmod_get_pwrdm() may access a NULL clk_hw pointer in some failure +cases. Add a check for the case and bail out gracely if this happens. + +Reported-by: Dan Murphy +Signed-off-by: Tero Kristo +Cc: stable@vger.kernel.org # v5.10+ +Signed-off-by: Kevin Hilman +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap2/omap_hwmod.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/arch/arm/mach-omap2/omap_hwmod.c ++++ b/arch/arm/mach-omap2/omap_hwmod.c +@@ -3776,6 +3776,7 @@ struct powerdomain *omap_hwmod_get_pwrdm + struct omap_hwmod_ocp_if *oi; + struct clockdomain *clkdm; + struct clk_hw_omap *clk; ++ struct clk_hw *hw; + + if (!oh) + return NULL; +@@ -3792,7 +3793,14 @@ struct powerdomain *omap_hwmod_get_pwrdm + c = oi->_clk; + } + +- clk = to_clk_hw_omap(__clk_get_hw(c)); ++ hw = __clk_get_hw(c); ++ if (!hw) ++ return NULL; ++ ++ clk = to_clk_hw_omap(hw); ++ if (!clk) ++ return NULL; ++ + clkdm = clk->clkdm; + if (!clkdm) + return NULL; diff --git a/queue-5.13/arm64-fix-compat-syscall-return-truncation.patch b/queue-5.13/arm64-fix-compat-syscall-return-truncation.patch new file mode 100644 index 00000000000..2ee1c3f079d --- /dev/null +++ b/queue-5.13/arm64-fix-compat-syscall-return-truncation.patch @@ -0,0 +1,182 @@ +From e30e8d46cf605d216a799a28c77b8a41c328613a Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Mon, 2 Aug 2021 11:42:00 +0100 +Subject: arm64: fix compat syscall return truncation + +From: Mark Rutland + +commit e30e8d46cf605d216a799a28c77b8a41c328613a upstream. + +Due to inconsistencies in the way we manipulate compat GPRs, we have a +few issues today: + +* For audit and tracing, where error codes are handled as a (native) + long, negative error codes are expected to be sign-extended to the + native 64-bits, or they may fail to be matched correctly. Thus a + syscall which fails with an error may erroneously be identified as + failing. + +* For ptrace, *all* compat return values should be sign-extended for + consistency with 32-bit arm, but we currently only do this for + negative return codes. + +* As we may transiently set the upper 32 bits of some compat GPRs while + in the kernel, these can be sampled by perf, which is somewhat + confusing. This means that where a syscall returns a pointer above 2G, + this will be sign-extended, but will not be mistaken for an error as + error codes are constrained to the inclusive range [-4096, -1] where + no user pointer can exist. + +To fix all of these, we must consistently use helpers to get/set the +compat GPRs, ensuring that we never write the upper 32 bits of the +return code, and always sign-extend when reading the return code. This +patch does so, with the following changes: + +* We re-organise syscall_get_return_value() to always sign-extend for + compat tasks, and reimplement syscall_get_error() atop. We update + syscall_trace_exit() to use syscall_get_return_value(). + +* We consistently use syscall_set_return_value() to set the return + value, ensureing the upper 32 bits are never set unexpectedly. + +* As the core audit code currently uses regs_return_value() rather than + syscall_get_return_value(), we special-case this for + compat_user_mode(regs) such that this will do the right thing. Going + forward, we should try to move the core audit code over to + syscall_get_return_value(). + +Cc: +Reported-by: He Zhe +Reported-by: weiyuchen +Cc: Catalin Marinas +Cc: Will Deacon +Reviewed-by: Catalin Marinas +Link: https://lore.kernel.org/r/20210802104200.21390-1-mark.rutland@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/ptrace.h | 12 +++++++++++- + arch/arm64/include/asm/syscall.h | 19 ++++++++++--------- + arch/arm64/kernel/ptrace.c | 2 +- + arch/arm64/kernel/signal.c | 3 ++- + arch/arm64/kernel/syscall.c | 9 +++------ + 5 files changed, 27 insertions(+), 18 deletions(-) + +--- a/arch/arm64/include/asm/ptrace.h ++++ b/arch/arm64/include/asm/ptrace.h +@@ -320,7 +320,17 @@ static inline unsigned long kernel_stack + + static inline unsigned long regs_return_value(struct pt_regs *regs) + { +- return regs->regs[0]; ++ unsigned long val = regs->regs[0]; ++ ++ /* ++ * Audit currently uses regs_return_value() instead of ++ * syscall_get_return_value(). Apply the same sign-extension here until ++ * audit is updated to use syscall_get_return_value(). ++ */ ++ if (compat_user_mode(regs)) ++ val = sign_extend64(val, 31); ++ ++ return val; + } + + static inline void regs_set_return_value(struct pt_regs *regs, unsigned long rc) +--- a/arch/arm64/include/asm/syscall.h ++++ b/arch/arm64/include/asm/syscall.h +@@ -29,22 +29,23 @@ static inline void syscall_rollback(stru + regs->regs[0] = regs->orig_x0; + } + +- +-static inline long syscall_get_error(struct task_struct *task, +- struct pt_regs *regs) ++static inline long syscall_get_return_value(struct task_struct *task, ++ struct pt_regs *regs) + { +- unsigned long error = regs->regs[0]; ++ unsigned long val = regs->regs[0]; + + if (is_compat_thread(task_thread_info(task))) +- error = sign_extend64(error, 31); ++ val = sign_extend64(val, 31); + +- return IS_ERR_VALUE(error) ? error : 0; ++ return val; + } + +-static inline long syscall_get_return_value(struct task_struct *task, +- struct pt_regs *regs) ++static inline long syscall_get_error(struct task_struct *task, ++ struct pt_regs *regs) + { +- return regs->regs[0]; ++ unsigned long error = syscall_get_return_value(task, regs); ++ ++ return IS_ERR_VALUE(error) ? error : 0; + } + + static inline void syscall_set_return_value(struct task_struct *task, +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -1862,7 +1862,7 @@ void syscall_trace_exit(struct pt_regs * + audit_syscall_exit(regs); + + if (flags & _TIF_SYSCALL_TRACEPOINT) +- trace_sys_exit(regs, regs_return_value(regs)); ++ trace_sys_exit(regs, syscall_get_return_value(current, regs)); + + if (flags & (_TIF_SYSCALL_TRACE | _TIF_SINGLESTEP)) + tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT); +--- a/arch/arm64/kernel/signal.c ++++ b/arch/arm64/kernel/signal.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -890,7 +891,7 @@ static void do_signal(struct pt_regs *re + retval == -ERESTART_RESTARTBLOCK || + (retval == -ERESTARTSYS && + !(ksig.ka.sa.sa_flags & SA_RESTART)))) { +- regs->regs[0] = -EINTR; ++ syscall_set_return_value(current, regs, -EINTR, 0); + regs->pc = continue_addr; + } + +--- a/arch/arm64/kernel/syscall.c ++++ b/arch/arm64/kernel/syscall.c +@@ -54,10 +54,7 @@ static void invoke_syscall(struct pt_reg + ret = do_ni_syscall(regs, scno); + } + +- if (is_compat_task()) +- ret = lower_32_bits(ret); +- +- regs->regs[0] = ret; ++ syscall_set_return_value(current, regs, 0, ret); + + /* + * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(), +@@ -115,7 +112,7 @@ static void el0_svc_common(struct pt_reg + * syscall. do_notify_resume() will send a signal to userspace + * before the syscall is restarted. + */ +- regs->regs[0] = -ERESTARTNOINTR; ++ syscall_set_return_value(current, regs, -ERESTARTNOINTR, 0); + return; + } + +@@ -136,7 +133,7 @@ static void el0_svc_common(struct pt_reg + * anyway. + */ + if (scno == NO_SYSCALL) +- regs->regs[0] = -ENOSYS; ++ syscall_set_return_value(current, regs, -ENOSYS, 0); + scno = syscall_trace_enter(regs); + if (scno == NO_SYSCALL) + goto trace_exit; diff --git a/queue-5.13/bus-ti-sysc-am3-rng-is-gp-only.patch b/queue-5.13/bus-ti-sysc-am3-rng-is-gp-only.patch new file mode 100644 index 00000000000..77e1f5c1c3e --- /dev/null +++ b/queue-5.13/bus-ti-sysc-am3-rng-is-gp-only.patch @@ -0,0 +1,41 @@ +From a6d90e9f22328f07343e49e08a4ca483ae8e8abb Mon Sep 17 00:00:00 2001 +From: Kevin Hilman +Date: Tue, 20 Jul 2021 11:27:16 -0700 +Subject: bus: ti-sysc: AM3: RNG is GP only + +From: Kevin Hilman + +commit a6d90e9f22328f07343e49e08a4ca483ae8e8abb upstream. + +Make the RNG on AM3 GP only. + +Based on this patch from TI v5.4 tree which is based on hwmod data +which are now removed: + +| ARM: AM43xx: hwmod: Move RNG to a GP only links table +| +| On non-GP devices the RNG is controlled by the secure-side software, +| like in DRA7xx hwmod we should not control this IP when we are not +| a GP device. +| +| Signed-off-by: Andrew F. Davis + +Cc: stable@vger.kernel.org # v5.10+ +Signed-off-by: Kevin Hilman +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/ti-sysc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/bus/ti-sysc.c ++++ b/drivers/bus/ti-sysc.c +@@ -2953,6 +2953,8 @@ static int sysc_init_soc(struct sysc *dd + case SOC_3430 ... SOC_3630: + sysc_add_disabled(0x48304000); /* timer12 */ + break; ++ case SOC_AM3: ++ sysc_add_disabled(0x48310000); /* rng */ + default: + break; + } diff --git a/queue-5.13/io-wq-fix-race-between-worker-exiting-and-activating-free-worker.patch b/queue-5.13/io-wq-fix-race-between-worker-exiting-and-activating-free-worker.patch new file mode 100644 index 00000000000..e0a8ac115f5 --- /dev/null +++ b/queue-5.13/io-wq-fix-race-between-worker-exiting-and-activating-free-worker.patch @@ -0,0 +1,114 @@ +From 83d6c39310b6d11199179f6384c2b0a415389597 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Tue, 3 Aug 2021 09:14:35 -0600 +Subject: io-wq: fix race between worker exiting and activating free worker + +From: Jens Axboe + +commit 83d6c39310b6d11199179f6384c2b0a415389597 upstream. + +Nadav correctly reports that we have a race between a worker exiting, +and new work being queued. This can lead to work being queued behind +an existing worker that could be sleeping on an event before it can +run to completion, and hence introducing potential big latency gaps +if we hit this race condition: + +cpu0 cpu1 +---- ---- + io_wqe_worker() + schedule_timeout() + // timed out +io_wqe_enqueue() +io_wqe_wake_worker() +// work_flags & IO_WQ_WORK_CONCURRENT +io_wqe_activate_free_worker() + io_worker_exit() + +Fix this by having the exiting worker go through the normal decrement +of a running worker, which will spawn a new one if needed. + +The free worker activation is modified to only return success if we +were able to find a sleeping worker - if not, we keep looking through +the list. If we fail, we create a new worker as per usual. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/io-uring/BFF746C0-FEDE-4646-A253-3021C57C26C9@gmail.com/ +Reported-by: Nadav Amit +Tested-by: Nadav Amit +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io-wq.c | 38 +++++++++++++++++++------------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +--- a/fs/io-wq.c ++++ b/fs/io-wq.c +@@ -131,6 +131,7 @@ struct io_cb_cancel_data { + }; + + static void create_io_worker(struct io_wq *wq, struct io_wqe *wqe, int index); ++static void io_wqe_dec_running(struct io_worker *worker); + + static bool io_worker_get(struct io_worker *worker) + { +@@ -169,26 +170,21 @@ static void io_worker_exit(struct io_wor + { + struct io_wqe *wqe = worker->wqe; + struct io_wqe_acct *acct = io_wqe_get_acct(worker); +- unsigned flags; + + if (refcount_dec_and_test(&worker->ref)) + complete(&worker->ref_done); + wait_for_completion(&worker->ref_done); + +- preempt_disable(); +- current->flags &= ~PF_IO_WORKER; +- flags = worker->flags; +- worker->flags = 0; +- if (flags & IO_WORKER_F_RUNNING) +- atomic_dec(&acct->nr_running); +- worker->flags = 0; +- preempt_enable(); +- + raw_spin_lock_irq(&wqe->lock); +- if (flags & IO_WORKER_F_FREE) ++ if (worker->flags & IO_WORKER_F_FREE) + hlist_nulls_del_rcu(&worker->nulls_node); + list_del_rcu(&worker->all_list); + acct->nr_workers--; ++ preempt_disable(); ++ io_wqe_dec_running(worker); ++ worker->flags = 0; ++ current->flags &= ~PF_IO_WORKER; ++ preempt_enable(); + raw_spin_unlock_irq(&wqe->lock); + + kfree_rcu(worker, rcu); +@@ -215,15 +211,19 @@ static bool io_wqe_activate_free_worker( + struct hlist_nulls_node *n; + struct io_worker *worker; + +- n = rcu_dereference(hlist_nulls_first_rcu(&wqe->free_list)); +- if (is_a_nulls(n)) +- return false; +- +- worker = hlist_nulls_entry(n, struct io_worker, nulls_node); +- if (io_worker_get(worker)) { +- wake_up_process(worker->task); ++ /* ++ * Iterate free_list and see if we can find an idle worker to ++ * activate. If a given worker is on the free_list but in the process ++ * of exiting, keep trying. ++ */ ++ hlist_nulls_for_each_entry_rcu(worker, n, &wqe->free_list, nulls_node) { ++ if (!io_worker_get(worker)) ++ continue; ++ if (wake_up_process(worker->task)) { ++ io_worker_release(worker); ++ return true; ++ } + io_worker_release(worker); +- return true; + } + + return false; diff --git a/queue-5.13/kvm-do-not-leak-memory-for-duplicate-debugfs-directories.patch b/queue-5.13/kvm-do-not-leak-memory-for-duplicate-debugfs-directories.patch new file mode 100644 index 00000000000..d496bdf9703 --- /dev/null +++ b/queue-5.13/kvm-do-not-leak-memory-for-duplicate-debugfs-directories.patch @@ -0,0 +1,85 @@ +From 85cd39af14f498f791d8aab3fbd64cd175787f1a Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 4 Aug 2021 05:28:52 -0400 +Subject: KVM: Do not leak memory for duplicate debugfs directories + +From: Paolo Bonzini + +commit 85cd39af14f498f791d8aab3fbd64cd175787f1a upstream. + +KVM creates a debugfs directory for each VM in order to store statistics +about the virtual machine. The directory name is built from the process +pid and a VM fd. While generally unique, it is possible to keep a +file descriptor alive in a way that causes duplicate directories, which +manifests as these messages: + + [ 471.846235] debugfs: Directory '20245-4' with parent 'kvm' already present! + +Even though this should not happen in practice, it is more or less +expected in the case of KVM for testcases that call KVM_CREATE_VM and +close the resulting file descriptor repeatedly and in parallel. + +When this happens, debugfs_create_dir() returns an error but +kvm_create_vm_debugfs() goes on to allocate stat data structs which are +later leaked. The slow memory leak was spotted by syzkaller, where it +caused OOM reports. + +Since the issue only affects debugfs, do a lookup before calling +debugfs_create_dir, so that the message is downgraded and rate-limited. +While at it, ensure kvm->debugfs_dentry is NULL rather than an error +if it is not created. This fixes kvm_destroy_vm_debugfs, which was not +checking IS_ERR_OR_NULL correctly. + +Cc: stable@vger.kernel.org +Fixes: 536a6f88c49d ("KVM: Create debugfs dir and stat files for each VM") +Reported-by: Alexey Kardashevskiy +Suggested-by: Greg Kroah-Hartman +Acked-by: Greg Kroah-Hartman +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/kvm_main.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -845,6 +845,8 @@ static void kvm_destroy_vm_debugfs(struc + + static int kvm_create_vm_debugfs(struct kvm *kvm, int fd) + { ++ static DEFINE_MUTEX(kvm_debugfs_lock); ++ struct dentry *dent; + char dir_name[ITOA_MAX_LEN * 2]; + struct kvm_stat_data *stat_data; + struct kvm_stats_debugfs_item *p; +@@ -853,8 +855,20 @@ static int kvm_create_vm_debugfs(struct + return 0; + + snprintf(dir_name, sizeof(dir_name), "%d-%d", task_pid_nr(current), fd); +- kvm->debugfs_dentry = debugfs_create_dir(dir_name, kvm_debugfs_dir); ++ mutex_lock(&kvm_debugfs_lock); ++ dent = debugfs_lookup(dir_name, kvm_debugfs_dir); ++ if (dent) { ++ pr_warn_ratelimited("KVM: debugfs: duplicate directory %s\n", dir_name); ++ dput(dent); ++ mutex_unlock(&kvm_debugfs_lock); ++ return 0; ++ } ++ dent = debugfs_create_dir(dir_name, kvm_debugfs_dir); ++ mutex_unlock(&kvm_debugfs_lock); ++ if (IS_ERR(dent)) ++ return 0; + ++ kvm->debugfs_dentry = dent; + kvm->debugfs_stat_data = kcalloc(kvm_debugfs_num_entries, + sizeof(*kvm->debugfs_stat_data), + GFP_KERNEL_ACCOUNT); +@@ -4993,7 +5007,7 @@ static void kvm_uevent_notify_change(uns + } + add_uevent_var(env, "PID=%d", kvm->userspace_pid); + +- if (!IS_ERR_OR_NULL(kvm->debugfs_dentry)) { ++ if (kvm->debugfs_dentry) { + char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL_ACCOUNT); + + if (p) { diff --git a/queue-5.13/kvm-svm-fix-off-by-one-indexing-when-nullifying-last-used-sev-vmcb.patch b/queue-5.13/kvm-svm-fix-off-by-one-indexing-when-nullifying-last-used-sev-vmcb.patch new file mode 100644 index 00000000000..4c45e6bc7f1 --- /dev/null +++ b/queue-5.13/kvm-svm-fix-off-by-one-indexing-when-nullifying-last-used-sev-vmcb.patch @@ -0,0 +1,47 @@ +From 179c6c27bf487273652efc99acd3ba512a23c137 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 3 Aug 2021 09:27:46 -0700 +Subject: KVM: SVM: Fix off-by-one indexing when nullifying last used SEV VMCB + +From: Sean Christopherson + +commit 179c6c27bf487273652efc99acd3ba512a23c137 upstream. + +Use the raw ASID, not ASID-1, when nullifying the last used VMCB when +freeing an SEV ASID. The consumer, pre_sev_run(), indexes the array by +the raw ASID, thus KVM could get a false negative when checking for a +different VMCB if KVM manages to reallocate the same ASID+VMCB combo for +a new VM. + +Note, this cannot cause a functional issue _in the current code_, as +pre_sev_run() also checks which pCPU last did VMRUN for the vCPU, and +last_vmentry_cpu is initialized to -1 during vCPU creation, i.e. is +guaranteed to mismatch on the first VMRUN. However, prior to commit +8a14fe4f0c54 ("kvm: x86: Move last_cpu into kvm_vcpu_arch as +last_vmentry_cpu"), SVM tracked pCPU on its own and zero-initialized the +last_cpu variable. Thus it's theoretically possible that older versions +of KVM could miss a TLB flush if the first VMRUN is on pCPU0 and the ASID +and VMCB exactly match those of a prior VM. + +Fixes: 70cd94e60c73 ("KVM: SVM: VMRUN should use associated ASID when SEV is enabled") +Cc: Tom Lendacky +Cc: Brijesh Singh +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/sev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/svm/sev.c ++++ b/arch/x86/kvm/svm/sev.c +@@ -188,7 +188,7 @@ static void sev_asid_free(struct kvm_sev + + for_each_possible_cpu(cpu) { + sd = per_cpu(svm_data, cpu); +- sd->sev_vmcbs[pos] = NULL; ++ sd->sev_vmcbs[sev->asid] = NULL; + } + + mutex_unlock(&sev_bitmap_lock); diff --git a/queue-5.13/kvm-x86-accept-userspace-interrupt-only-if-no-event-is-injected.patch b/queue-5.13/kvm-x86-accept-userspace-interrupt-only-if-no-event-is-injected.patch new file mode 100644 index 00000000000..70464b0efb8 --- /dev/null +++ b/queue-5.13/kvm-x86-accept-userspace-interrupt-only-if-no-event-is-injected.patch @@ -0,0 +1,57 @@ +From fa7a549d321a4189677b0cea86e58d9db7977f7b Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 14 Jul 2021 17:37:49 -0400 +Subject: KVM: x86: accept userspace interrupt only if no event is injected + +From: Paolo Bonzini + +commit fa7a549d321a4189677b0cea86e58d9db7977f7b upstream. + +Once an exception has been injected, any side effects related to +the exception (such as setting CR2 or DR6) have been taked place. +Therefore, once KVM sets the VM-entry interruption information +field or the AMD EVENTINJ field, the next VM-entry must deliver that +exception. + +Pending interrupts are processed after injected exceptions, so +in theory it would not be a problem to use KVM_INTERRUPT when +an injected exception is present. However, DOSEMU is using +run->ready_for_interrupt_injection to detect interrupt windows +and then using KVM_SET_SREGS/KVM_SET_REGS to inject the +interrupt manually. For this to work, the interrupt window +must be delayed after the completion of the previous event +injection. + +Cc: stable@vger.kernel.org +Reported-by: Stas Sergeev +Tested-by: Stas Sergeev +Fixes: 71cc849b7093 ("KVM: x86: Fix split-irqchip vs interrupt injection window request") +Reviewed-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4252,8 +4252,17 @@ static int kvm_cpu_accept_dm_intr(struct + + static int kvm_vcpu_ready_for_interrupt_injection(struct kvm_vcpu *vcpu) + { +- return kvm_arch_interrupt_allowed(vcpu) && +- kvm_cpu_accept_dm_intr(vcpu); ++ /* ++ * Do not cause an interrupt window exit if an exception ++ * is pending or an event needs reinjection; userspace ++ * might want to inject the interrupt manually using KVM_SET_REGS ++ * or KVM_SET_SREGS. For that to work, we must be at an ++ * instruction boundary and with no events half-injected. ++ */ ++ return (kvm_arch_interrupt_allowed(vcpu) && ++ kvm_cpu_accept_dm_intr(vcpu) && ++ !kvm_event_needs_reinjection(vcpu) && ++ !vcpu->arch.exception.pending); + } + + static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu, diff --git a/queue-5.13/kvm-x86-mmu-fix-per-cpu-counter-corruption-on-32-bit-builds.patch b/queue-5.13/kvm-x86-mmu-fix-per-cpu-counter-corruption-on-32-bit-builds.patch new file mode 100644 index 00000000000..50212e5816c --- /dev/null +++ b/queue-5.13/kvm-x86-mmu-fix-per-cpu-counter-corruption-on-32-bit-builds.patch @@ -0,0 +1,54 @@ +From d5aaad6f83420efb8357ac8e11c868708b22d0a9 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Wed, 4 Aug 2021 14:46:09 -0700 +Subject: KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds + +From: Sean Christopherson + +commit d5aaad6f83420efb8357ac8e11c868708b22d0a9 upstream. + +Take a signed 'long' instead of an 'unsigned long' for the number of +pages to add/subtract to the total number of pages used by the MMU. This +fixes a zero-extension bug on 32-bit kernels that effectively corrupts +the per-cpu counter used by the shrinker. + +Per-cpu counters take a signed 64-bit value on both 32-bit and 64-bit +kernels, whereas kvm_mod_used_mmu_pages() takes an unsigned long and thus +an unsigned 32-bit value on 32-bit kernels. As a result, the value used +to adjust the per-cpu counter is zero-extended (unsigned -> signed), not +sign-extended (signed -> signed), and so KVM's intended -1 gets morphed to +4294967295 and effectively corrupts the counter. + +This was found by a staggering amount of sheer dumb luck when running +kvm-unit-tests on a 32-bit KVM build. The shrinker just happened to kick +in while running tests and do_shrink_slab() logged an error about trying +to free a negative number of objects. The truly lucky part is that the +kernel just happened to be a slightly stale build, as the shrinker no +longer yells about negative objects as of commit 18bb473e5031 ("mm: +vmscan: shrink deferred objects proportional to priority"). + + vmscan: shrink_slab: mmu_shrink_scan+0x0/0x210 [kvm] negative objects to delete nr=-858993460 + +Fixes: bc8a3d8925a8 ("kvm: mmu: Fix overflow on kvm mmu page limit calculation") +Cc: stable@vger.kernel.org +Cc: Ben Gardon +Signed-off-by: Sean Christopherson +Message-Id: <20210804214609.1096003-1-seanjc@google.com> +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/mmu/mmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/mmu/mmu.c ++++ b/arch/x86/kvm/mmu/mmu.c +@@ -1546,7 +1546,7 @@ static int is_empty_shadow_page(u64 *spt + * aggregate version in order to make the slab shrinker + * faster + */ +-static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, unsigned long nr) ++static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, long nr) + { + kvm->arch.n_used_mmu_pages += nr; + percpu_counter_add(&kvm_total_used_mmu_pages, nr); diff --git a/queue-5.13/md-raid10-properly-indicate-failure-when-ending-a-failed-write-request.patch b/queue-5.13/md-raid10-properly-indicate-failure-when-ending-a-failed-write-request.patch new file mode 100644 index 00000000000..0b794f56c18 --- /dev/null +++ b/queue-5.13/md-raid10-properly-indicate-failure-when-ending-a-failed-write-request.patch @@ -0,0 +1,53 @@ +From 5ba03936c05584b6f6f79be5ebe7e5036c1dd252 Mon Sep 17 00:00:00 2001 +From: Wei Shuyu +Date: Mon, 28 Jun 2021 15:15:08 +0800 +Subject: md/raid10: properly indicate failure when ending a failed write request + +From: Wei Shuyu + +commit 5ba03936c05584b6f6f79be5ebe7e5036c1dd252 upstream. + +Similar to [1], this patch fixes the same bug in raid10. Also cleanup the +comments. + +[1] commit 2417b9869b81 ("md/raid1: properly indicate failure when ending + a failed write request") +Cc: stable@vger.kernel.org +Fixes: 7cee6d4e6035 ("md/raid10: end bio when the device faulty") +Signed-off-by: Wei Shuyu +Acked-by: Guoqing Jiang +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid1.c | 2 -- + drivers/md/raid10.c | 4 ++-- + 2 files changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -472,8 +472,6 @@ static void raid1_end_write_request(stru + /* + * When the device is faulty, it is not necessary to + * handle write error. +- * For failfast, this is the only remaining device, +- * We need to retry the write without FailFast. + */ + if (!test_bit(Faulty, &rdev->flags)) + set_bit(R1BIO_WriteError, &r1_bio->state); +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -469,12 +469,12 @@ static void raid10_end_write_request(str + /* + * When the device is faulty, it is not necessary to + * handle write error. +- * For failfast, this is the only remaining device, +- * We need to retry the write without FailFast. + */ + if (!test_bit(Faulty, &rdev->flags)) + set_bit(R10BIO_WriteError, &r10_bio->state); + else { ++ /* Fail the request */ ++ set_bit(R10BIO_Degraded, &r10_bio->state); + r10_bio->devs[slot].bio = NULL; + to_put = bio; + dec_rdev = 1; diff --git a/queue-5.13/pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch b/queue-5.13/pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch new file mode 100644 index 00000000000..abd8807285f --- /dev/null +++ b/queue-5.13/pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch @@ -0,0 +1,32 @@ +From e39cdacf2f664b09029e7c1eb354c91a20c367af Mon Sep 17 00:00:00 2001 +From: Zheyu Ma +Date: Tue, 22 Jun 2021 07:11:31 +0000 +Subject: pcmcia: i82092: fix a null pointer dereference bug + +From: Zheyu Ma + +commit e39cdacf2f664b09029e7c1eb354c91a20c367af upstream. + +During the driver loading process, the 'dev' field was not assigned, but +the 'dev' field was referenced in the subsequent 'i82092aa_set_mem_map' +function. + +Signed-off-by: Zheyu Ma +CC: +[linux@dominikbrodowski.net: shorten commit message, add Cc to stable] +Signed-off-by: Dominik Brodowski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pcmcia/i82092.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pcmcia/i82092.c ++++ b/drivers/pcmcia/i82092.c +@@ -112,6 +112,7 @@ static int i82092aa_pci_probe(struct pci + for (i = 0; i < socket_count; i++) { + sockets[i].card_state = 1; /* 1 = present but empty */ + sockets[i].io_base = pci_resource_start(dev, 0); ++ sockets[i].dev = dev; + sockets[i].socket.features |= SS_CAP_PCCARD; + sockets[i].socket.map_size = 0x1000; + sockets[i].socket.irq_mask = 0; diff --git a/queue-5.13/revert-gpio-mpc8xxx-change-the-gpio-interrupt-flags.patch b/queue-5.13/revert-gpio-mpc8xxx-change-the-gpio-interrupt-flags.patch new file mode 100644 index 00000000000..c3c1ce17e00 --- /dev/null +++ b/queue-5.13/revert-gpio-mpc8xxx-change-the-gpio-interrupt-flags.patch @@ -0,0 +1,54 @@ +From ec7099fdea8025988710ee6fecfd4e4210c29ab5 Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Fri, 2 Jul 2021 15:37:12 +0200 +Subject: Revert "gpio: mpc8xxx: change the gpio interrupt flags." + +From: Rasmus Villemoes + +commit ec7099fdea8025988710ee6fecfd4e4210c29ab5 upstream. + +This reverts commit 3d5bfbd9716318b1ca5c38488aa69f64d38a9aa5. + +When booting with threadirqs, it causes a splat + + WARNING: CPU: 0 PID: 29 at kernel/irq/handle.c:159 __handle_irq_event_percpu+0x1ec/0x27c + irq 66 handler irq_default_primary_handler+0x0/0x1c enabled interrupts + +That splat later went away with commit 81e2073c175b ("genirq: Disable +interrupts for force threaded handlers"), which got backported to +-stable. However, when running an -rt kernel, the splat still +exists. Moreover, quoting Thomas Gleixner [1] + + But 3d5bfbd97163 ("gpio: mpc8xxx: change the gpio interrupt flags.") + has nothing to do with that: + + "Delete the interrupt IRQF_NO_THREAD flags in order to gpio interrupts + can be threaded to allow high-priority processes to preempt." + + This changelog is blatantly wrong. In mainline forced irq threads + have always been invoked with softirqs disabled, which obviously + makes them non-preemptible. + +So the patch didn't even do what its commit log said. + +[1] https://lore.kernel.org/lkml/871r8zey88.ffs@nanos.tec.linutronix.de/ + +Cc: stable@vger.kernel.org # v5.9+ +Signed-off-by: Rasmus Villemoes +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-mpc8xxx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-mpc8xxx.c ++++ b/drivers/gpio/gpio-mpc8xxx.c +@@ -405,7 +405,7 @@ static int mpc8xxx_probe(struct platform + + ret = devm_request_irq(&pdev->dev, mpc8xxx_gc->irqn, + mpc8xxx_gpio_irq_cascade, +- IRQF_SHARED, "gpio-cascade", ++ IRQF_NO_THREAD | IRQF_SHARED, "gpio-cascade", + mpc8xxx_gc); + if (ret) { + dev_err(&pdev->dev, diff --git a/queue-5.13/s390-dasd-fix-use-after-free-in-dasd-path-handling.patch b/queue-5.13/s390-dasd-fix-use-after-free-in-dasd-path-handling.patch new file mode 100644 index 00000000000..10ff7012494 --- /dev/null +++ b/queue-5.13/s390-dasd-fix-use-after-free-in-dasd-path-handling.patch @@ -0,0 +1,66 @@ +From 952835edb4fdad49361d5330da918be8b765b787 Mon Sep 17 00:00:00 2001 +From: Stefan Haberland +Date: Wed, 4 Aug 2021 17:18:00 +0200 +Subject: s390/dasd: fix use after free in dasd path handling + +From: Stefan Haberland + +commit 952835edb4fdad49361d5330da918be8b765b787 upstream. + +When new configuration data is obtained after a path event it is stored +in the per path array. The old data needs to be freed. +The first valid configuration data is also referenced in the device +private structure to identify the device. +When the old per path configuration data was freed the device still +pointed to the already freed data leading to a use after free. + +Fix by replacing also the device configuration data with the newly +obtained one before the old data gets freed. + +Fixes: 460181217a24 ("s390/dasd: Store path configuration data during path handling") +Cc: stable@vger.kernel.org # 5.11+ +Signed-off-by: Stefan Haberland +Reviewed-by: Jan Hoeppner +Link: https://lore.kernel.org/r/20210804151800.4031761-2-sth@linux.ibm.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/block/dasd_eckd.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -1004,15 +1004,23 @@ static unsigned char dasd_eckd_path_acce + static void dasd_eckd_store_conf_data(struct dasd_device *device, + struct dasd_conf_data *conf_data, int chp) + { ++ struct dasd_eckd_private *private = device->private; + struct channel_path_desc_fmt0 *chp_desc; + struct subchannel_id sch_id; ++ void *cdp; + +- ccw_device_get_schid(device->cdev, &sch_id); + /* + * path handling and read_conf allocate data + * free it before replacing the pointer ++ * also replace the old private->conf_data pointer ++ * with the new one if this points to the same data + */ +- kfree(device->path[chp].conf_data); ++ cdp = device->path[chp].conf_data; ++ if (private->conf_data == cdp) { ++ private->conf_data = (void *)conf_data; ++ dasd_eckd_identify_conf_parts(private); ++ } ++ ccw_device_get_schid(device->cdev, &sch_id); + device->path[chp].conf_data = conf_data; + device->path[chp].cssid = sch_id.cssid; + device->path[chp].ssid = sch_id.ssid; +@@ -1020,6 +1028,7 @@ static void dasd_eckd_store_conf_data(st + if (chp_desc) + device->path[chp].chpid = chp_desc->chpid; + kfree(chp_desc); ++ kfree(cdp); + } + + static void dasd_eckd_clear_conf_data(struct dasd_device *device) diff --git a/queue-5.13/scsi-ibmvfc-fix-command-state-accounting-and-stale-response-detection.patch b/queue-5.13/scsi-ibmvfc-fix-command-state-accounting-and-stale-response-detection.patch new file mode 100644 index 00000000000..b0e7f57ce82 --- /dev/null +++ b/queue-5.13/scsi-ibmvfc-fix-command-state-accounting-and-stale-response-detection.patch @@ -0,0 +1,117 @@ +From a264cf5e81c78e2b9918b8b9ef2ace9dde1850df Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Fri, 16 Jul 2021 14:52:20 -0600 +Subject: scsi: ibmvfc: Fix command state accounting and stale response detection + +From: Tyrel Datwyler + +commit a264cf5e81c78e2b9918b8b9ef2ace9dde1850df upstream. + +Prior to commit 1f4a4a19508d ("scsi: ibmvfc: Complete commands outside the +host/queue lock") responses to commands were completed sequentially with +the host lock held such that a command had a basic binary state of active +or free. It was therefore a simple affair of ensuring the assocaiated +ibmvfc_event to a VIOS response was valid by testing that it was not +already free. The lock relexation work to complete commands outside the +lock inadverdently made it a trinary command state such that a command is +either in flight, received and being completed, or completed and now +free. This breaks the stale command detection logic as a command may be +still marked active and been placed on the delayed completion list when a +second stale response for the same command arrives. This can lead to double +completions and list corruption. This issue was exposed by a recent VIOS +regression were a missing memory barrier could occasionally result in the +ibmvfc client receiving a duplicate response for the same command. + +Fix the issue by introducing the atomic ibmvfc_event.active to track the +trinary state of a command. The state is explicitly set to 1 when a command +is successfully sent. The CRQ response handlers use +atomic_dec_if_positive() to test for stale responses and correctly +transition to the completion state when a active command is received. +Finally, atomic_dec_and_test() is used to sanity check transistions when +commands are freed as a result of a completion, or moved to the purge list +as a result of error handling or adapter reset. + +Link: https://lore.kernel.org/r/20210716205220.1101150-1-tyreld@linux.ibm.com +Fixes: 1f4a4a19508d ("scsi: ibmvfc: Complete commands outside the host/queue lock") +Cc: stable@vger.kernel.org +Signed-off-by: Tyrel Datwyler +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ibmvscsi/ibmvfc.c | 19 +++++++++++++++++-- + drivers/scsi/ibmvscsi/ibmvfc.h | 1 + + 2 files changed, 18 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/ibmvscsi/ibmvfc.c ++++ b/drivers/scsi/ibmvscsi/ibmvfc.c +@@ -804,6 +804,13 @@ static int ibmvfc_init_event_pool(struct + for (i = 0; i < size; ++i) { + struct ibmvfc_event *evt = &pool->events[i]; + ++ /* ++ * evt->active states ++ * 1 = in flight ++ * 0 = being completed ++ * -1 = free/freed ++ */ ++ atomic_set(&evt->active, -1); + atomic_set(&evt->free, 1); + evt->crq.valid = 0x80; + evt->crq.ioba = cpu_to_be64(pool->iu_token + (sizeof(*evt->xfer_iu) * i)); +@@ -1014,6 +1021,7 @@ static void ibmvfc_free_event(struct ibm + + BUG_ON(!ibmvfc_valid_event(pool, evt)); + BUG_ON(atomic_inc_return(&evt->free) != 1); ++ BUG_ON(atomic_dec_and_test(&evt->active)); + + spin_lock_irqsave(&evt->queue->l_lock, flags); + list_add_tail(&evt->queue_list, &evt->queue->free); +@@ -1069,6 +1077,12 @@ static void ibmvfc_complete_purge(struct + **/ + static void ibmvfc_fail_request(struct ibmvfc_event *evt, int error_code) + { ++ /* ++ * Anything we are failing should still be active. Otherwise, it ++ * implies we already got a response for the command and are doing ++ * something bad like double completing it. ++ */ ++ BUG_ON(!atomic_dec_and_test(&evt->active)); + if (evt->cmnd) { + evt->cmnd->result = (error_code << 16); + evt->done = ibmvfc_scsi_eh_done; +@@ -1720,6 +1734,7 @@ static int ibmvfc_send_event(struct ibmv + + evt->done(evt); + } else { ++ atomic_set(&evt->active, 1); + spin_unlock_irqrestore(&evt->queue->l_lock, flags); + ibmvfc_trc_start(evt); + } +@@ -3248,7 +3263,7 @@ static void ibmvfc_handle_crq(struct ibm + return; + } + +- if (unlikely(atomic_read(&evt->free))) { ++ if (unlikely(atomic_dec_if_positive(&evt->active))) { + dev_err(vhost->dev, "Received duplicate correlation_token 0x%08llx!\n", + crq->ioba); + return; +@@ -3775,7 +3790,7 @@ static void ibmvfc_handle_scrq(struct ib + return; + } + +- if (unlikely(atomic_read(&evt->free))) { ++ if (unlikely(atomic_dec_if_positive(&evt->active))) { + dev_err(vhost->dev, "Received duplicate correlation_token 0x%08llx!\n", + crq->ioba); + return; +--- a/drivers/scsi/ibmvscsi/ibmvfc.h ++++ b/drivers/scsi/ibmvscsi/ibmvfc.h +@@ -744,6 +744,7 @@ struct ibmvfc_event { + struct ibmvfc_target *tgt; + struct scsi_cmnd *cmnd; + atomic_t free; ++ atomic_t active; + union ibmvfc_iu *xfer_iu; + void (*done)(struct ibmvfc_event *evt); + void (*_done)(struct ibmvfc_event *evt); diff --git a/queue-5.13/selinux-correct-the-return-value-when-loads-initial-sids.patch b/queue-5.13/selinux-correct-the-return-value-when-loads-initial-sids.patch new file mode 100644 index 00000000000..e9951d817a8 --- /dev/null +++ b/queue-5.13/selinux-correct-the-return-value-when-loads-initial-sids.patch @@ -0,0 +1,57 @@ +From 4c156084daa8ee70978e4b150b5eb5fc7b1f15be Mon Sep 17 00:00:00 2001 +From: Xiu Jianfeng +Date: Thu, 29 Jul 2021 11:16:44 +0800 +Subject: selinux: correct the return value when loads initial sids + +From: Xiu Jianfeng + +commit 4c156084daa8ee70978e4b150b5eb5fc7b1f15be upstream. + +It should not return 0 when SID 0 is assigned to isids. +This patch fixes it. + +Cc: stable@vger.kernel.org +Fixes: e3e0b582c321a ("selinux: remove unused initial SIDs and improve handling") +Signed-off-by: Xiu Jianfeng +[PM: remove changelog from description] +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/ss/policydb.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/security/selinux/ss/policydb.c ++++ b/security/selinux/ss/policydb.c +@@ -874,7 +874,7 @@ int policydb_load_isids(struct policydb + rc = sidtab_init(s); + if (rc) { + pr_err("SELinux: out of memory on SID table init\n"); +- goto out; ++ return rc; + } + + head = p->ocontexts[OCON_ISID]; +@@ -885,7 +885,7 @@ int policydb_load_isids(struct policydb + if (sid == SECSID_NULL) { + pr_err("SELinux: SID 0 was assigned a context.\n"); + sidtab_destroy(s); +- goto out; ++ return -EINVAL; + } + + /* Ignore initial SIDs unused by this kernel. */ +@@ -897,12 +897,10 @@ int policydb_load_isids(struct policydb + pr_err("SELinux: unable to load initial SID %s.\n", + name); + sidtab_destroy(s); +- goto out; ++ return rc; + } + } +- rc = 0; +-out: +- return rc; ++ return 0; + } + + int policydb_class_isvalid(struct policydb *p, unsigned int class) diff --git a/queue-5.13/series b/queue-5.13/series index 149cc317ff1..47368e2415e 100644 --- a/queue-5.13/series +++ b/queue-5.13/series @@ -134,3 +134,17 @@ virt-acrn-do-hcall_destroy_vm-before-resource-release.patch perf-fix-required-permissions-if-sigtrap-is-requested.patch xfrm-fix-rcu-vs-hash_resize_mutex-lock-inversion.patch net-xfrm-compat-copy-xfrm_spdattr_type_t-atributes.patch +pcmcia-i82092-fix-a-null-pointer-dereference-bug.patch +scsi-ibmvfc-fix-command-state-accounting-and-stale-response-detection.patch +selinux-correct-the-return-value-when-loads-initial-sids.patch +bus-ti-sysc-am3-rng-is-gp-only.patch +revert-gpio-mpc8xxx-change-the-gpio-interrupt-flags.patch +arm64-fix-compat-syscall-return-truncation.patch +arm-omap2-hwmod-fix-potential-null-pointer-access.patch +md-raid10-properly-indicate-failure-when-ending-a-failed-write-request.patch +io-wq-fix-race-between-worker-exiting-and-activating-free-worker.patch +s390-dasd-fix-use-after-free-in-dasd-path-handling.patch +kvm-x86-accept-userspace-interrupt-only-if-no-event-is-injected.patch +kvm-svm-fix-off-by-one-indexing-when-nullifying-last-used-sev-vmcb.patch +kvm-do-not-leak-memory-for-duplicate-debugfs-directories.patch +kvm-x86-mmu-fix-per-cpu-counter-corruption-on-32-bit-builds.patch