Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...

Pull core fixes from Ingo Molnar:
 "This fixes a particularly thorny munmap() bug with MPX, plus fixes a
  host build environment assumption in objtool"

* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  objtool: Allow AR to be overridden with HOSTAR
  x86/mpx, mm/core: Fix recursive munmap() corruption

diff --combined arch/powerpc/include/asm/mmu_context.h
index 611204e588b9c247aa10dfc993f840330ad6908f,4a6dd3ba0b0bee947b7a6f5274266867d6ed7fec..58efca934311312ed6d62b41d585be33e04f1c83
--- 1/arch/powerpc/include/asm/mmu_context.h
--- 2/arch/powerpc/include/asm/mmu_context.h
+++ b/arch/powerpc/include/asm/mmu_context.h
@@@ -52,7 -52,6 +52,7 @@@ static inline bool mm_iommu_is_devmem(s
  {
        return false;
  }
 +static inline void mm_iommu_init(struct mm_struct *mm) { }
  #endif
  extern void switch_slb(struct task_struct *tsk, struct mm_struct *mm);
  extern void set_context(unsigned long id, pgd_t *pgd);
@@@ -229,10 -228,15 +229,9 @@@ static inline void enter_lazy_tlb(struc
  #endif
  }
  
 -#ifdef CONFIG_PPC_BOOK3E_64
 -static inline void arch_exit_mmap(struct mm_struct *mm)
 -{
 -}
 -#else
  extern void arch_exit_mmap(struct mm_struct *mm);
 -#endif
  
  static inline void arch_unmap(struct mm_struct *mm,
-                             struct vm_area_struct *vma,
                              unsigned long start, unsigned long end)
  {
        if (start <= mm->context.vdso_base && mm->context.vdso_base < end)

diff --combined arch/x86/mm/mpx.c
index 59726aaf46713fb1f08569dbb4167135b2a8cc29,7aeb9fe2955fb839b4eb5f1e87db2298f8715f82..0d1c47cbbdd68b3a969f6cd1ac347251f0812e78
--- 1/arch/x86/mm/mpx.c
--- 2/arch/x86/mm/mpx.c
+++ b/arch/x86/mm/mpx.c
@@@ -142,7 -142,7 +142,7 @@@ int mpx_fault_info(struct mpx_fault_inf
                goto err_out;
        }
        /* get bndregs field from current task's xsave area */
 -      bndregs = get_xsave_field_ptr(XFEATURE_MASK_BNDREGS);
 +      bndregs = get_xsave_field_ptr(XFEATURE_BNDREGS);
        if (!bndregs) {
                err = -EINVAL;
                goto err_out;
@@@ -190,7 -190,7 +190,7 @@@ static __user void *mpx_get_bounds_dir(
         * The bounds directory pointer is stored in a register
         * only accessible if we first do an xsave.
         */
 -      bndcsr = get_xsave_field_ptr(XFEATURE_MASK_BNDCSR);
 +      bndcsr = get_xsave_field_ptr(XFEATURE_BNDCSR);
        if (!bndcsr)
                return MPX_INVALID_BOUNDS_DIR;
  
@@@ -376,7 -376,7 +376,7 @@@ static int do_mpx_bt_fault(void
        const struct mpx_bndcsr *bndcsr;
        struct mm_struct *mm = current->mm;
  
 -      bndcsr = get_xsave_field_ptr(XFEATURE_MASK_BNDCSR);
 +      bndcsr = get_xsave_field_ptr(XFEATURE_BNDCSR);
        if (!bndcsr)
                return -EINVAL;
        /*
@@@ -881,9 -881,10 +881,10 @@@ static int mpx_unmap_tables(struct mm_s
   * the virtual address region start...end have already been split if
   * necessary, and the 'vma' is the first vma in this range (start -> end).
   */
- void mpx_notify_unmap(struct mm_struct *mm, struct vm_area_struct *vma,
-               unsigned long start, unsigned long end)
+ void mpx_notify_unmap(struct mm_struct *mm, unsigned long start,
+                     unsigned long end)
  {
+       struct vm_area_struct *vma;
        int ret;
  
        /*
@@@ -902,11 -903,12 +903,12 @@@
         * which should not occur normally. Being strict about it here
         * helps ensure that we do not have an exploitable stack overflow.
         */
-       do {
+       vma = find_vma(mm, start);
+       while (vma && vma->vm_start < end) {
                if (vma->vm_flags & VM_MPX)
                        return;
                vma = vma->vm_next;
-       } while (vma && vma->vm_start < end);
+       }
  
        ret = mpx_unmap_tables(mm, start, end);
        if (ret)