commit ab35d16f66d63b625396edfba013dd258e13f560
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Sat Jul 15 13:09:20 2017 +0200

    Linux 4.12.2

commit 2607611714b9ed2da7ba0d0fa3a038578dc20462
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Tue Jul 4 19:04:23 2017 -0400

    x86/mm/pat: Don't report PAT on CPUs that don't support it
    
    commit 99c13b8c8896d7bcb92753bf0c63a8de4326e78d upstream.
    
    The pat_enabled() logic is broken on CPUs which do not support PAT and
    where the initialization code fails to call pat_init(). Due to that the
    enabled flag stays true and pat_enabled() returns true wrongfully.
    
    As a consequence the mappings, e.g. for Xorg, are set up with the wrong
    caching mode and the required MTRR setups are omitted.
    
    To cure this the following changes are required:
    
      1) Make pat_enabled() return true only if PAT initialization was
         invoked and successful.
    
      2) Invoke init_cache_modes() unconditionally in setup_arch() and
         remove the extra callsites in pat_disable() and the pat disabled
         code path in pat_init().
    
    Also rename __pat_enabled to pat_disabled to reflect the real purpose of
    this variable.
    
    Fixes: 9cd25aac1f44 ("x86/mm/pat: Emulate PAT when it is disabled")
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: Bernhard Held <berny156@gmx.de>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Brian Gerst <brgerst@gmail.com>
    Cc: "Luis R. Rodriguez" <mcgrof@suse.com>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1707041749300.3456@file01.intranet.prod.int.rdu2.redhat.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 20417e9a54561cfe70bd9d818d0c00f51bbc89c2
Author: Chao Yu <yuchao0@huawei.com>
Date:   Fri Jun 23 01:08:22 2017 -0400

    ext4: check return value of kstrtoull correctly in reserved_clusters_store
    
    commit 1ea1516fbbab2b30bf98c534ecaacba579a35208 upstream.
    
    kstrtoull returns 0 on success, however, in reserved_clusters_store we
    will return -EINVAL if kstrtoull returns 0, it makes us fail to update
    reserved_clusters value through sysfs.
    
    Fixes: 76d33bca5581b1dd5c3157fa168db849a784ada4
    Signed-off-by: Chao Yu <yuchao0@huawei.com>
    Signed-off-by: Miao Xie <miaoxie@huawei.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f85a3c8f00bd687d26e70b0f58df0041aabde601
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Sun Jun 11 23:20:23 2017 +0200

    crypto: rsa-pkcs1pad - use constant time memory comparison for MACs
    
    commit fec17cb2231733174e039ad9054fa16bb358e2ec upstream.
    
    Otherwise, we enable all sorts of forgeries via timing attack.
    
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Suggested-by: Stephan Müller <smueller@chronox.de>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: linux-crypto@vger.kernel.org
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d56e029fc227ff6be9d780da1f3e9b893be47cea
Author: Horia Geantă <horia.geanta@nxp.com>
Date:   Mon Jun 19 11:44:45 2017 +0300

    crypto: caam - fix gfp allocation flags (part I)
    
    commit 42cfcafb91dabb0f9d9e08396c39824535948c67 upstream.
    
    Changes in the SW cts (ciphertext stealing) code in
    commit 0605c41cc53ca ("crypto: cts - Convert to skcipher")
    revealed a problem in the CAAM driver:
    when cts(cbc(aes)) is executed and cts runs in SW,
    cbc(aes) is offloaded in CAAM; cts encrypts the last block
    in atomic context and CAAM incorrectly decides to use GFP_KERNEL
    for memory allocation.
    
    Fix this by allowing GFP_KERNEL (sleeping) only when MAY_SLEEP flag is
    set, i.e. remove MAY_BACKLOG flag.
    
    We split the fix in two parts - first is sent to -stable, while the
    second is not (since there is no known failure case).
    
    Link: http://lkml.kernel.org/g/20170602122446.2427-1-david@sigma-star.at
    Reported-by: David Gstir <david@sigma-star.at>
    Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 03cbf4a3066bb98a6143cec8161b9fbe8500b8a1
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Fri Jun 16 19:35:34 2017 +0100

    staging: comedi: fix clean-up of comedi_class in comedi_init()
    
    commit a9332e9ad09c2644c99058fcf6ae2f355e93ce74 upstream.
    
    There is a clean-up bug in the core comedi module initialization
    functions, `comedi_init()`.  If the `comedi_num_legacy_minors` module
    parameter is non-zero (and valid), it creates that many "legacy" devices
    and registers them in SysFS.  A failure causes the function to clean up
    and return an error.  Unfortunately, it fails to destroy the "comedi"
    class that was created earlier.  Fix it by adding a call to
    `class_destroy(comedi_class)` at the appropriate place in the clean-up
    sequence.
    
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 09d05eb32d7a720a160024ce707f5e6ee9d86ee4
Author: Malcolm Priestley <tvboxspy@gmail.com>
Date:   Sat Apr 29 13:03:44 2017 +0100

    staging: vt6556: vnt_start Fix missing call to vnt_key_init_table.
    
    commit dc32190f2cd41c7dba25363ea7d618d4f5172b4e upstream.
    
    The key table is not intialized correctly without this call.
    
    Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0155f201e29d3886b28c6156b164238a660871ad
Author: Kirill Tkhai <ktkhai@virtuozzo.com>
Date:   Fri Jun 16 16:44:34 2017 +0300

    locking/rwsem-spinlock: Fix EINTR branch in __down_write_common()
    
    commit a0c4acd2c220376b4e9690e75782d0c0afdaab9f upstream.
    
    If a writer could been woken up, the above branch
    
            if (sem->count == 0)
                    break;
    
    would have moved us to taking the sem. So, it's
    not the time to wake a writer now, and only readers
    are allowed now. Thus, 0 must be passed to __rwsem_do_wake().
    
    Next, __rwsem_do_wake() wakes readers unconditionally.
    But we mustn't do that if the sem is owned by writer
    in the moment. Otherwise, writer and reader own the sem
    the same time, which leads to memory corruption in
    callers.
    
    rwsem-xadd.c does not need that, as:
    
      1) the similar check is made lockless there,
      2) in __rwsem_mark_wake::try_reader_grant we test,
    
    that sem is not owned by writer.
    
    Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
    Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Niklas Cassel <niklas.cassel@axis.com>
    Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Fixes: 17fcbd590d0c "locking/rwsem: Fix down_write_killable() for CONFIG_RWSEM_GENERIC_SPINLOCK=y"
    Link: http://lkml.kernel.org/r/149762063282.19811.9129615532201147826.stgit@localhost.localdomain
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dd236b3c9aa79d4ef8ce5700db2aa1727c98f8cf
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Jul 6 08:41:06 2017 -0500

    proc: Fix proc_sys_prune_dcache to hold a sb reference
    
    commit 2fd1d2c4ceb2248a727696962cf3370dc9f5a0a4 upstream.
    
    Andrei Vagin writes:
    FYI: This bug has been reproduced on 4.11.7
    > BUG: Dentry ffff895a3dd01240{i=4e7c09a,n=lo}  still in use (1) [unmount of proc proc]
    > ------------[ cut here ]------------
    > WARNING: CPU: 1 PID: 13588 at fs/dcache.c:1445 umount_check+0x6e/0x80
    > CPU: 1 PID: 13588 Comm: kworker/1:1 Not tainted 4.11.7-200.fc25.x86_64 #1
    > Hardware name: CompuLab sbc-flt1/fitlet, BIOS SBCFLT_0.08.04 06/27/2015
    > Workqueue: events proc_cleanup_work
    > Call Trace:
    >  dump_stack+0x63/0x86
    >  __warn+0xcb/0xf0
    >  warn_slowpath_null+0x1d/0x20
    >  umount_check+0x6e/0x80
    >  d_walk+0xc6/0x270
    >  ? dentry_free+0x80/0x80
    >  do_one_tree+0x26/0x40
    >  shrink_dcache_for_umount+0x2d/0x90
    >  generic_shutdown_super+0x1f/0xf0
    >  kill_anon_super+0x12/0x20
    >  proc_kill_sb+0x40/0x50
    >  deactivate_locked_super+0x43/0x70
    >  deactivate_super+0x5a/0x60
    >  cleanup_mnt+0x3f/0x90
    >  mntput_no_expire+0x13b/0x190
    >  kern_unmount+0x3e/0x50
    >  pid_ns_release_proc+0x15/0x20
    >  proc_cleanup_work+0x15/0x20
    >  process_one_work+0x197/0x450
    >  worker_thread+0x4e/0x4a0
    >  kthread+0x109/0x140
    >  ? process_one_work+0x450/0x450
    >  ? kthread_park+0x90/0x90
    >  ret_from_fork+0x2c/0x40
    > ---[ end trace e1c109611e5d0b41 ]---
    > VFS: Busy inodes after unmount of proc. Self-destruct in 5 seconds.  Have a nice day...
    > BUG: unable to handle kernel NULL pointer dereference at           (null)
    > IP: _raw_spin_lock+0xc/0x30
    > PGD 0
    
    Fix this by taking a reference to the super block in proc_sys_prune_dcache.
    
    The superblock reference is the core of the fix however the sysctl_inodes
    list is converted to a hlist so that hlist_del_init_rcu may be used.  This
    allows proc_sys_prune_dache to remove inodes the sysctl_inodes list, while
    not causing problems for proc_sys_evict_inode when if it later choses to
    remove the inode from the sysctl_inodes list.  Removing inodes from the
    sysctl_inodes list allows proc_sys_prune_dcache to have a progress
    guarantee, while still being able to drop all locks.  The fact that
    head->unregistering is set in start_unregistering ensures that no more
    inodes will be added to the the sysctl_inodes list.
    
    Previously the code did a dance where it delayed calling iput until the
    next entry in the list was being considered to ensure the inode remained on
    the sysctl_inodes list until the next entry was walked to.  The structure
    of the loop in this patch does not need that so is much easier to
    understand and maintain.
    
    Reported-by: Andrei Vagin <avagin@gmail.com>
    Tested-by: Andrei Vagin <avagin@openvz.org>
    Fixes: ace0c791e6c3 ("proc/sysctl: Don't grab i_lock under sysctl_lock.")
    Fixes: d6cffbbe9a7e ("proc/sysctl: prune stale dentries during unregistering")
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6399cc16dd18a310a46cccfaf110e1dc53132c7f
Author: Peter Senna Tschudin <peter.senna@collabora.com>
Date:   Sun May 14 14:35:15 2017 +0200

    imx-serial: RX DMA startup latency
    
    commit 4dec2f119e86f9c91e60cdd8f0cc057452e331a9 upstream.
    
    18a4208 introduced a change to reduce the RX DMA latency on the first reception
    when the serial port was opened for reading. However it was claiming a hardirq
    unsafe lock after a hardirq safe lock which is not allowed and causes lockdep
    to complain verbosely.
    
    This patch changes the code to always start RX DMA earlier, instead of
    relying on the flags used to open the serial port removing the code that
    was looking for the serial file flags.
    
    Signed-off-by: Peter Senna Tschudin <peter.senna@collabora.com>
    Tested-by: Sascha Hauer <s.hauer@pengutronix.de>
    Signed-off-by: Fabio Estevam <festevam@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 34bfc894734d56cca6c5924b5889e6308eeb66e1
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date:   Sun Jul 9 13:19:55 2017 -0700

    mqueue: fix a use-after-free in sys_mq_notify()
    
    commit f991af3daabaecff34684fd51fac80319d1baad1 upstream.
    
    The retry logic for netlink_attachskb() inside sys_mq_notify()
    is nasty and vulnerable:
    
    1) The sock refcnt is already released when retry is needed
    2) The fd is controllable by user-space because we already
       release the file refcnt
    
    so we when retry but the fd has been just closed by user-space
    during this small window, we end up calling netlink_detachskb()
    on the error path which releases the sock again, later when
    the user-space closes this socket a use-after-free could be
    triggered.
    
    Setting 'sock' to NULL here should be sufficient to fix it.
    
    Reported-by: GeneBlue <geneblue.mail@gmail.com>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Manfred Spraul <manfred@colorfullife.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>