--- /dev/null
+From 5b9f57cf47b87f07210875d6a24776b4496b818d Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Thu, 7 Dec 2017 00:28:27 -0800
+Subject: apparmor: fix regression in mount mediation when feature set is pinned
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 5b9f57cf47b87f07210875d6a24776b4496b818d upstream.
+
+When the mount code was refactored for Labels it was not correctly
+updated to check whether policy supported mediation of the mount
+class. This causes a regression when the kernel feature set is
+reported as supporting mount and policy is pinned to a feature set
+that does not support mount mediation.
+
+BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882697#41
+Fixes: 2ea3ffb7782a ("apparmor: add mount mediation")
+Reported-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/mount.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/security/apparmor/mount.c
++++ b/security/apparmor/mount.c
+@@ -330,6 +330,9 @@ static int match_mnt_path_str(struct aa_
+ AA_BUG(!mntpath);
+ AA_BUG(!buffer);
+
++ if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
++ return 0;
++
+ error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer,
+ &mntpnt, &info, profile->disconnected);
+ if (error)
+@@ -381,6 +384,9 @@ static int match_mnt(struct aa_profile *
+ AA_BUG(!profile);
+ AA_BUG(devpath && !devbuffer);
+
++ if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
++ return 0;
++
+ if (devpath) {
+ error = aa_path_name(devpath, path_flags(profile, devpath),
+ devbuffer, &devname, &info,
+@@ -559,6 +565,9 @@ static int profile_umount(struct aa_prof
+ AA_BUG(!profile);
+ AA_BUG(!path);
+
++ if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
++ return 0;
++
+ error = aa_path_name(path, path_flags(profile, path), buffer, &name,
+ &info, profile->disconnected);
+ if (error)
+@@ -614,7 +623,8 @@ static struct aa_label *build_pivotroot(
+ AA_BUG(!new_path);
+ AA_BUG(!old_path);
+
+- if (profile_unconfined(profile))
++ if (profile_unconfined(profile) ||
++ !PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
+ return aa_get_newest_label(&profile->label);
+
+ error = aa_path_name(old_path, path_flags(profile, old_path),
--- /dev/null
+From 32aa144fc32abfcbf7140f473dfbd94c5b9b4105 Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Fri, 15 Dec 2017 13:14:31 +0100
+Subject: KVM: s390: fix cmma migration for multiple memory slots
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+commit 32aa144fc32abfcbf7140f473dfbd94c5b9b4105 upstream.
+
+When multiple memory slots are present the cmma migration code
+does not allocate enough memory for the bitmap. The memory slots
+are sorted in reverse order, so we must use gfn and size of
+slot[0] instead of the last one.
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
+Fixes: 190df4a212a7 (KVM: s390: CMMA tracking, ESSA emulation, migration mode)
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/kvm-s390.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -794,11 +794,12 @@ static int kvm_s390_vm_start_migration(s
+
+ if (kvm->arch.use_cmma) {
+ /*
+- * Get the last slot. They should be sorted by base_gfn, so the
+- * last slot is also the one at the end of the address space.
+- * We have verified above that at least one slot is present.
++ * Get the first slot. They are reverse sorted by base_gfn, so
++ * the first slot is also the one at the end of the address
++ * space. We have verified above that at least one slot is
++ * present.
+ */
+- ms = slots->memslots + slots->used_slots - 1;
++ ms = slots->memslots;
+ /* round up so we only use full longs */
+ ram_pages = roundup(ms->base_gfn + ms->npages, BITS_PER_LONG);
+ /* allocate enough bytes to store all the bits */
--- /dev/null
+From c2cf265d860882b51a200e4a7553c17827f2b730 Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Thu, 21 Dec 2017 09:18:22 +0100
+Subject: KVM: s390: prevent buffer overrun on memory hotplug during migration
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+commit c2cf265d860882b51a200e4a7553c17827f2b730 upstream.
+
+We must not go beyond the pre-allocated buffer. This can happen when
+a new memory slot is added during migration.
+
+Reported-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Fixes: 190df4a212a7 (KVM: s390: CMMA tracking, ESSA emulation, migration mode)
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/priv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/priv.c
++++ b/arch/s390/kvm/priv.c
+@@ -1009,7 +1009,7 @@ static inline int do_essa(struct kvm_vcp
+ cbrlo[entries] = gfn << PAGE_SHIFT;
+ }
+
+- if (orc) {
++ if (orc && gfn < ms->bitmap_size) {
+ /* increment only if we are really flipping the bit to 1 */
+ if (!test_and_set_bit(gfn, ms->pgste_bitmap))
+ atomic64_inc(&ms->dirty_pages);
--- /dev/null
+From fee4380f368e84ed216b62ccd2fbc4126f2bf40b Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Mon, 18 Dec 2017 11:32:45 +0100
+Subject: mtd: nand: pxa3xx: Fix READOOB implementation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit fee4380f368e84ed216b62ccd2fbc4126f2bf40b upstream.
+
+In the current driver, OOB bytes are accessed in raw mode, and when a
+page access is done with NDCR_SPARE_EN set and NDCR_ECC_EN cleared, the
+driver must read the whole spare area (64 bytes in case of a 2k page,
+16 bytes for a 512 page). The driver was only reading the free OOB
+bytes, which was leaving some unread data in the FIFO and was somehow
+leading to a timeout.
+
+We could patch the driver to read ->spare_size + ->ecc_size instead of
+just ->spare_size when READOOB is requested, but we'd better make
+in-band and OOB accesses consistent.
+Since the driver is always accessing in-band data in non-raw mode (with
+the ECC engine enabled), we should also access OOB data in this mode.
+That's particularly useful when using the BCH engine because in this
+mode the free OOB bytes are also ECC protected.
+
+Fixes: 43bcfd2bb24a ("mtd: nand: pxa3xx: Add driver-specific ECC BCH support")
+Reported-by: Sean Nyekjær <sean.nyekjaer@prevas.dk>
+Tested-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Acked-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
+Tested-by: Sean Nyekjaer <sean.nyekjaer@prevas.dk>
+Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/pxa3xx_nand.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mtd/nand/pxa3xx_nand.c
++++ b/drivers/mtd/nand/pxa3xx_nand.c
+@@ -950,6 +950,7 @@ static void prepare_start_command(struct
+
+ switch (command) {
+ case NAND_CMD_READ0:
++ case NAND_CMD_READOOB:
+ case NAND_CMD_PAGEPROG:
+ info->use_ecc = 1;
+ break;
--- /dev/null
+From 88776c0e70be0290f8357019d844aae15edaa967 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Tue, 2 Jan 2018 20:36:44 +0100
+Subject: parisc: Fix alignment of pa_tlb_lock in assembly on 32-bit SMP kernel
+
+From: Helge Deller <deller@gmx.de>
+
+commit 88776c0e70be0290f8357019d844aae15edaa967 upstream.
+
+Qemu for PARISC reported on a 32bit SMP parisc kernel strange failures
+about "Not-handled unaligned insn 0x0e8011d6 and 0x0c2011c9."
+
+Those opcodes evaluate to the ldcw() assembly instruction which requires
+(on 32bit) an alignment of 16 bytes to ensure atomicity.
+
+As it turns out, qemu is correct and in our assembly code in entry.S and
+pacache.S we don't pay attention to the required alignment.
+
+This patch fixes the problem by aligning the lock offset in assembly
+code in the same manner as we do in our C-code.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/asm/ldcw.h | 2 ++
+ arch/parisc/kernel/entry.S | 13 +++++++++++--
+ arch/parisc/kernel/pacache.S | 9 +++++++--
+ 3 files changed, 20 insertions(+), 4 deletions(-)
+
+--- a/arch/parisc/include/asm/ldcw.h
++++ b/arch/parisc/include/asm/ldcw.h
+@@ -12,6 +12,7 @@
+ for the semaphore. */
+
+ #define __PA_LDCW_ALIGNMENT 16
++#define __PA_LDCW_ALIGN_ORDER 4
+ #define __ldcw_align(a) ({ \
+ unsigned long __ret = (unsigned long) &(a)->lock[0]; \
+ __ret = (__ret + __PA_LDCW_ALIGNMENT - 1) \
+@@ -29,6 +30,7 @@
+ ldcd). */
+
+ #define __PA_LDCW_ALIGNMENT 4
++#define __PA_LDCW_ALIGN_ORDER 2
+ #define __ldcw_align(a) (&(a)->slock)
+ #define __LDCW "ldcw,co"
+
+--- a/arch/parisc/kernel/entry.S
++++ b/arch/parisc/kernel/entry.S
+@@ -35,6 +35,7 @@
+ #include <asm/pgtable.h>
+ #include <asm/signal.h>
+ #include <asm/unistd.h>
++#include <asm/ldcw.h>
+ #include <asm/thread_info.h>
+
+ #include <linux/linkage.h>
+@@ -46,6 +47,14 @@
+ #endif
+
+ .import pa_tlb_lock,data
++ .macro load_pa_tlb_lock reg
++#if __PA_LDCW_ALIGNMENT > 4
++ load32 PA(pa_tlb_lock) + __PA_LDCW_ALIGNMENT-1, \reg
++ depi 0,31,__PA_LDCW_ALIGN_ORDER, \reg
++#else
++ load32 PA(pa_tlb_lock), \reg
++#endif
++ .endm
+
+ /* space_to_prot macro creates a prot id from a space id */
+
+@@ -457,7 +466,7 @@
+ .macro tlb_lock spc,ptp,pte,tmp,tmp1,fault
+ #ifdef CONFIG_SMP
+ cmpib,COND(=),n 0,\spc,2f
+- load32 PA(pa_tlb_lock),\tmp
++ load_pa_tlb_lock \tmp
+ 1: LDCW 0(\tmp),\tmp1
+ cmpib,COND(=) 0,\tmp1,1b
+ nop
+@@ -480,7 +489,7 @@
+ /* Release pa_tlb_lock lock. */
+ .macro tlb_unlock1 spc,tmp
+ #ifdef CONFIG_SMP
+- load32 PA(pa_tlb_lock),\tmp
++ load_pa_tlb_lock \tmp
+ tlb_unlock0 \spc,\tmp
+ #endif
+ .endm
+--- a/arch/parisc/kernel/pacache.S
++++ b/arch/parisc/kernel/pacache.S
+@@ -36,6 +36,7 @@
+ #include <asm/assembly.h>
+ #include <asm/pgtable.h>
+ #include <asm/cache.h>
++#include <asm/ldcw.h>
+ #include <linux/linkage.h>
+
+ .text
+@@ -333,8 +334,12 @@ ENDPROC_CFI(flush_data_cache_local)
+
+ .macro tlb_lock la,flags,tmp
+ #ifdef CONFIG_SMP
+- ldil L%pa_tlb_lock,%r1
+- ldo R%pa_tlb_lock(%r1),\la
++#if __PA_LDCW_ALIGNMENT > 4
++ load32 pa_tlb_lock + __PA_LDCW_ALIGNMENT-1, \la
++ depi 0,31,__PA_LDCW_ALIGN_ORDER, \la
++#else
++ load32 pa_tlb_lock, \la
++#endif
+ rsm PSW_SM_I,\flags
+ 1: LDCW 0(\la),\tmp
+ cmpib,<>,n 0,\tmp,3f
--- /dev/null
+From 310d82784fb4d60c80569f5ca9f53a7f3bf1d477 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Fri, 5 Jan 2018 21:55:38 +0100
+Subject: parisc: qemu idle sleep support
+
+From: Helge Deller <deller@gmx.de>
+
+commit 310d82784fb4d60c80569f5ca9f53a7f3bf1d477 upstream.
+
+Add qemu idle sleep support when running under qemu with SeaBIOS PDC
+firmware.
+
+Like the power architecture we use the "or" assembler instructions,
+which translate to nops on real hardware, to indicate that qemu shall
+idle sleep.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: Richard Henderson <rth@twiddle.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/kernel/process.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+--- a/arch/parisc/kernel/process.c
++++ b/arch/parisc/kernel/process.c
+@@ -39,6 +39,7 @@
+ #include <linux/kernel.h>
+ #include <linux/mm.h>
+ #include <linux/fs.h>
++#include <linux/cpu.h>
+ #include <linux/module.h>
+ #include <linux/personality.h>
+ #include <linux/ptrace.h>
+@@ -184,6 +185,44 @@ int dump_task_fpu (struct task_struct *t
+ }
+
+ /*
++ * Idle thread support
++ *
++ * Detect when running on QEMU with SeaBIOS PDC Firmware and let
++ * QEMU idle the host too.
++ */
++
++int running_on_qemu __read_mostly;
++
++void __cpuidle arch_cpu_idle_dead(void)
++{
++ /* nop on real hardware, qemu will offline CPU. */
++ asm volatile("or %%r31,%%r31,%%r31\n":::);
++}
++
++void __cpuidle arch_cpu_idle(void)
++{
++ local_irq_enable();
++
++ /* nop on real hardware, qemu will idle sleep. */
++ asm volatile("or %%r10,%%r10,%%r10\n":::);
++}
++
++static int __init parisc_idle_init(void)
++{
++ const char *marker;
++
++ /* check QEMU/SeaBIOS marker in PAGE0 */
++ marker = (char *) &PAGE0->pad0;
++ running_on_qemu = (memcmp(marker, "SeaBIOS", 8) == 0);
++
++ if (!running_on_qemu)
++ cpu_idle_poll_ctrl(1);
++
++ return 0;
++}
++arch_initcall(parisc_idle_init);
++
++/*
+ * Copy architecture-specific thread state
+ */
+ int
powerpc-mm-fix-segv-on-mapped-region-to-return-segv_accerr.patch
input-elantech-add-new-icbody-type-15.patch
x86-microcode-amd-add-support-for-fam17h-microcode-loading.patch
+apparmor-fix-regression-in-mount-mediation-when-feature-set-is-pinned.patch
+parisc-fix-alignment-of-pa_tlb_lock-in-assembly-on-32-bit-smp-kernel.patch
+parisc-qemu-idle-sleep-support.patch
+mtd-nand-pxa3xx-fix-readoob-implementation.patch
+kvm-s390-fix-cmma-migration-for-multiple-memory-slots.patch
+kvm-s390-prevent-buffer-overrun-on-memory-hotplug-during-migration.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
