3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 10 Nov 2014 02:32:55 +0000 (11:32 +0900)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 10 Nov 2014 02:32:55 +0000 (11:32 +0900)
added patches:
arc-allow-headless-models-to-boot.patch
arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch
kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch
kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch
kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch
kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch
kvm-x86-fix-wrong-masking-on-relative-jump-call.patch
kvm-x86-improve-thread-safety-in-pit.patch
kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch
media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch
media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch
media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch
media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch

14 files changed:
queue-3.10/arc-allow-headless-models-to-boot.patch [new file with mode: 0644]
queue-3.10/arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch [new file with mode: 0644]
queue-3.10/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch [new file with mode: 0644]
queue-3.10/kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch [new file with mode: 0644]
queue-3.10/kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch [new file with mode: 0644]
queue-3.10/kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch [new file with mode: 0644]
queue-3.10/kvm-x86-fix-wrong-masking-on-relative-jump-call.patch [new file with mode: 0644]
queue-3.10/kvm-x86-improve-thread-safety-in-pit.patch [new file with mode: 0644]
queue-3.10/kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch [new file with mode: 0644]
queue-3.10/media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch [new file with mode: 0644]
queue-3.10/media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch [new file with mode: 0644]
queue-3.10/media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch [new file with mode: 0644]
queue-3.10/media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch [new file with mode: 0644]
queue-3.10/series

diff --git a/queue-3.10/arc-allow-headless-models-to-boot.patch b/queue-3.10/arc-allow-headless-models-to-boot.patch
new file mode 100644 (file)
index 0000000..2fd33e5
--- /dev/null
@@ -0,0 +1,35 @@
+From 5c05483e2db91890faa9a7be0a831701a3f442d6 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Fri, 20 Jun 2014 16:24:49 +0530
+Subject: ARC: [nsimosci] Allow "headless" models to boot
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit 5c05483e2db91890faa9a7be0a831701a3f442d6 upstream.
+
+There are certain test configuration of virtual platform which don't
+have any real console device (uart/pgu). So add tty0 as a fallback console
+device to allow system to boot and be accessible via telnet
+
+Otherwise with ttyS0 as only console, but 8250 disabled in kernel build,
+init chokes.
+
+Reported-by: Anton Kolesov <akolesov@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/boot/dts/nsimosci.dts |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/boot/dts/nsimosci.dts
++++ b/arch/arc/boot/dts/nsimosci.dts
+@@ -20,7 +20,7 @@
+               /* this is for console on PGU */
+               /* bootargs = "console=tty0 consoleblank=0"; */
+               /* this is for console on serial */
+-              bootargs = "earlycon=uart8250,mmio32,0xc0000000,115200n8 console=ttyS0,115200n8 consoleblank=0 debug";
++              bootargs = "earlycon=uart8250,mmio32,0xc0000000,115200n8 console=tty0 console=ttyS0,115200n8 consoleblank=0 debug";
+       };
+       aliases {
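Review bot: The commented-out `bootargs = "console=tty0 consoleblank=0";` line two lines above the change, labelled `/* this is for console on PGU */`, is now stale: tty0 is part of the live bootargs, so the three comment lines read as if tty0 were still an alternative to be switched in by hand. Either drop the dead line or reword the comment to `/* tty0 is kept as a fallback console for headless models (no UART/PGU); ttyS0 is used when 8250 is built in */`, which is what the commit message says the change is for. Keeping a dead copy of a kernel command line next to the real one is how a later edit ends up changing the wrong one.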
diff --git a/queue-3.10/arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch b/queue-3.10/arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch
new file mode 100644 (file)
index 0000000..2cda87b
--- /dev/null
@@ -0,0 +1,73 @@
+From ebc0c74e76cec9c4dd860eb0ca1c0b39dc63c482 Mon Sep 17 00:00:00 2001
+From: Anton Kolesov <Anton.Kolesov@synopsys.com>
+Date: Thu, 25 Sep 2014 13:23:24 +0400
+Subject: ARC: Update order of registers in KGDB to match GDB 7.5
+
+From: Anton Kolesov <Anton.Kolesov@synopsys.com>
+
+commit ebc0c74e76cec9c4dd860eb0ca1c0b39dc63c482 upstream.
+
+Order of registers has changed in GDB moving from 6.8 to 7.5. This patch
+updates KGDB to work properly with GDB 7.5, though makes it incompatible
+with 6.8.
+
+Signed-off-by: Anton Kolesov <Anton.Kolesov@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/kgdb.h |   32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+--- a/arch/arc/include/asm/kgdb.h
++++ b/arch/arc/include/asm/kgdb.h
+@@ -19,7 +19,7 @@
+  * register API yet */
+ #undef DBG_MAX_REG_NUM
+-#define GDB_MAX_REGS          39
++#define GDB_MAX_REGS          87
+ #define BREAK_INSTR_SIZE      2
+ #define CACHE_FLUSH_IS_SAFE   1
+@@ -33,23 +33,27 @@ static inline void arch_kgdb_breakpoint(
+ extern void kgdb_trap(struct pt_regs *regs, int param);
+-enum arc700_linux_regnums {
++/* This is the numbering of registers according to the GDB. See GDB's
++ * arc-tdep.h for details.
++ *
++ * Registers are ordered for GDB 7.5. It is incompatible with GDB 6.8. */
++enum arc_linux_regnums {
+       _R0             = 0,
+       _R1, _R2, _R3, _R4, _R5, _R6, _R7, _R8, _R9, _R10, _R11, _R12, _R13,
+       _R14, _R15, _R16, _R17, _R18, _R19, _R20, _R21, _R22, _R23, _R24,
+       _R25, _R26,
+-      _BTA            = 27,
+-      _LP_START       = 28,
+-      _LP_END         = 29,
+-      _LP_COUNT       = 30,
+-      _STATUS32       = 31,
+-      _BLINK          = 32,
+-      _FP             = 33,
+-      __SP            = 34,
+-      _EFA            = 35,
+-      _RET            = 36,
+-      _ORIG_R8        = 37,
+-      _STOP_PC        = 38
++      _FP             = 27,
++      __SP            = 28,
++      _R30            = 30,
++      _BLINK          = 31,
++      _LP_COUNT       = 60,
++      _STOP_PC        = 64,
++      _RET            = 64,
++      _LP_START       = 65,
++      _LP_END         = 66,
++      _STATUS32       = 67,
++      _ECR            = 76,
++      _BTA            = 82,
+ };
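Review bot: `_STOP_PC` and `_RET` are both assigned 64 in the new `arc_linux_regnums`, and `_R30 = 30` leaves 29 unused after `__SP = 28`; if that mirrors GDB 7.5's arc-tdep.h numbering it should be stated, because an enum with two names for one slot reads like a typo and any array indexed by these constants now has two writers for index 64. A one-line comment beside `_RET = 64,` such as `/* same slot as _STOP_PC on purpose: GDB 7.5 exposes one pc register (confirm against arc-tdep.h) */` would settle it. `GDB_MAX_REGS` also jumps from 39 to 87 while the largest enumerator is 82, which is only consistent if the consumer sizes its buffer from `GDB_MAX_REGS` rather than from the enum; that consumer is outside this hunk.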
+ #else
diff --git a/queue-3.10/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch b/queue-3.10/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch
new file mode 100644 (file)
index 0000000..a9a00db
--- /dev/null
@@ -0,0 +1,78 @@
+From 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f Mon Sep 17 00:00:00 2001
+From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Date: Fri, 17 Oct 2014 22:55:59 +0200
+Subject: kvm: fix excessive pages un-pinning in kvm_iommu_map error path.
+
+From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+
+commit 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f upstream.
+
+The third parameter of kvm_unpin_pages() when called from
+kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin
+and not the page size.
+
+This error was facilitated with an inconsistent API: kvm_pin_pages() takes
+a size, but kvn_unpin_pages() takes a number of pages, so fix the problem
+by matching the two.
+
+This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter
+of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of
+un-pinning for pages intended to be un-pinned (i.e. memory leak) but
+unfortunately potentially aggravated the number of pages we un-pin that
+should have stayed pinned. As far as I understand though, the same
+practical mitigations apply.
+
+This issue was found during review of Red Hat 6.6 patches to prepare
+Ksplice rebootless updates.
+
+Thanks to Vegard for his time on a late Friday evening to help me in
+understanding this code.
+
+Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
+Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
+Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/iommu.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/virt/kvm/iommu.c
++++ b/virt/kvm/iommu.c
+@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct k
+                               gfn_t base_gfn, unsigned long npages);
+ static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn,
+-                         unsigned long size)
++                         unsigned long npages)
+ {
+       gfn_t end_gfn;
+       pfn_t pfn;
+       pfn     = gfn_to_pfn_memslot(slot, gfn);
+-      end_gfn = gfn + (size >> PAGE_SHIFT);
++      end_gfn = gfn + npages;
+       gfn    += 1;
+       if (is_error_noslot_pfn(pfn))
+@@ -119,7 +119,7 @@ int kvm_iommu_map_pages(struct kvm *kvm,
+                * Pin all pages we are about to map in memory. This is
+                * important because we unmap and unpin in 4kb steps later.
+                */
+-              pfn = kvm_pin_pages(slot, gfn, page_size);
++              pfn = kvm_pin_pages(slot, gfn, page_size >> PAGE_SHIFT);
+               if (is_error_noslot_pfn(pfn)) {
+                       gfn += 1;
+                       continue;
+@@ -131,7 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm,
+               if (r) {
+                       printk(KERN_ERR "kvm_iommu_map_address:"
+                              "iommu failed to map pfn=%llx\n", pfn);
+-                      kvm_unpin_pages(kvm, pfn, page_size);
++                      kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT);
+                       goto unmap_pages;
+               }
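Review bot: `page_size >> PAGE_SHIFT` is now evaluated separately at the `kvm_pin_pages()` call and again in the error path that calls `kvm_unpin_pages()`; computing it once where `page_size` is determined (outside this hunk) keeps the pin and unpin counts provably identical, which is the whole point of this fix: `unsigned long npages = page_size >> PAGE_SHIFT;`, then `pfn = kvm_pin_pages(slot, gfn, npages);` and `kvm_unpin_pages(kvm, pfn, npages);`. The `kvm_pin_pages()` prototype would also benefit from a comment that `npages` counts PAGE_SIZE pages and not bytes, since the old parameter took a byte size and the earlier fix for CVE-2014-3601 got exactly this unit wrong. The body of `kvm_pin_pages()` and the loop in `kvm_iommu_map_pages()` extend beyond the hunk.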
diff --git a/queue-3.10/kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch b/queue-3.10/kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch
new file mode 100644 (file)
index 0000000..a1c184f
--- /dev/null
@@ -0,0 +1,140 @@
+From 854e8bb1aa06c578c2c9145fa6bfe3680ef63b23 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Tue, 16 Sep 2014 03:24:05 +0300
+Subject: KVM: x86: Check non-canonical addresses upon WRMSR
+
+From: Nadav Amit <namit@cs.technion.ac.il>
+
+commit 854e8bb1aa06c578c2c9145fa6bfe3680ef63b23 upstream.
+
+Upon WRMSR, the CPU should inject #GP if a non-canonical value (address) is
+written to certain MSRs. The behavior is "almost" identical for AMD and Intel
+(ignoring MSRs that are not implemented in either architecture since they would
+anyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
+non-canonical address is written on Intel but not on AMD (which ignores the top
+32-bits).
+
+Accordingly, this patch injects a #GP on the MSRs which behave identically on
+Intel and AMD.  To eliminate the differences between the architecutres, the
+value which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to
+canonical value before writing instead of injecting a #GP.
+
+Some references from Intel and AMD manuals:
+
+According to Intel SDM description of WRMSR instruction #GP is expected on
+WRMSR "If the source register contains a non-canonical address and ECX
+specifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,
+IA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP."
+
+According to AMD manual instruction manual:
+LSTAR/CSTAR (SYSCALL): "The WRMSR instruction loads the target RIP into the
+LSTAR and CSTAR registers.  If an RIP written by WRMSR is not in canonical
+form, a general-protection exception (#GP) occurs."
+IA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): "The address written to the
+base field must be in canonical form or a #GP fault will occur."
+IA32_KERNEL_GS_BASE (SWAPGS): "The address stored in the KernelGSbase MSR must
+be in canonical form."
+
+This patch fixes CVE-2014-3610.
+
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_host.h |   14 ++++++++++++++
+ arch/x86/kvm/svm.c              |    2 +-
+ arch/x86/kvm/vmx.c              |    2 +-
+ arch/x86/kvm/x86.c              |   27 ++++++++++++++++++++++++++-
+ 4 files changed, 42 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -953,6 +953,20 @@ static inline void kvm_inject_gp(struct
+       kvm_queue_exception_e(vcpu, GP_VECTOR, error_code);
+ }
++static inline u64 get_canonical(u64 la)
++{
++      return ((int64_t)la << 16) >> 16;
++}
++
++static inline bool is_noncanonical_address(u64 la)
++{
++#ifdef CONFIG_X86_64
++      return get_canonical(la) != la;
++#else
++      return false;
++#endif
++}
++
+ #define TSS_IOPB_BASE_OFFSET 0x66
+ #define TSS_BASE_SIZE 0x68
+ #define TSS_IOPB_SIZE (65536 / 8)
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3196,7 +3196,7 @@ static int wrmsr_interception(struct vcp
+       msr.host_initiated = false;
+       svm->next_rip = kvm_rip_read(&svm->vcpu) + 2;
+-      if (svm_set_msr(&svm->vcpu, &msr)) {
++      if (kvm_set_msr(&svm->vcpu, &msr)) {
+               trace_kvm_msr_write_ex(ecx, data);
+               kvm_inject_gp(&svm->vcpu, 0);
+       } else {
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -5065,7 +5065,7 @@ static int handle_wrmsr(struct kvm_vcpu
+       msr.data = data;
+       msr.index = ecx;
+       msr.host_initiated = false;
+-      if (vmx_set_msr(vcpu, &msr) != 0) {
++      if (kvm_set_msr(vcpu, &msr) != 0) {
+               trace_kvm_msr_write_ex(ecx, data);
+               kvm_inject_gp(vcpu, 0);
+               return 1;
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -925,7 +925,6 @@ void kvm_enable_efer_bits(u64 mask)
+ }
+ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits);
+-
+ /*
+  * Writes msr value into into the appropriate "register".
+  * Returns 0 on success, non-0 otherwise.
+@@ -933,8 +932,34 @@ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits);
+  */
+ int kvm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
+ {
++      switch (msr->index) {
++      case MSR_FS_BASE:
++      case MSR_GS_BASE:
++      case MSR_KERNEL_GS_BASE:
++      case MSR_CSTAR:
++      case MSR_LSTAR:
++              if (is_noncanonical_address(msr->data))
++                      return 1;
++              break;
++      case MSR_IA32_SYSENTER_EIP:
++      case MSR_IA32_SYSENTER_ESP:
++              /*
++               * IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
++               * non-canonical address is written on Intel but not on
++               * AMD (which ignores the top 32-bits, because it does
++               * not implement 64-bit SYSENTER).
++               *
++               * 64-bit code should hence be able to write a non-canonical
++               * value on AMD.  Making the address canonical ensures that
++               * vmentry does not fail on Intel after writing a non-canonical
++               * value, and that something deterministic happens if the guest
++               * invokes 64-bit SYSENTER.
++               */
++              msr->data = get_canonical(msr->data);
++      }
+       return kvm_x86_ops->set_msr(vcpu, msr);
+ }
++EXPORT_SYMBOL_GPL(kvm_set_msr);
+ /*
+  * Adapt set_msr() to msr_io()'s calling convention
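Review bot: `get_canonical()` left-shifts a value after casting it to `int64_t`, and a left shift of a negative signed value (or one that overflows into the sign bit, which any input with bit 47 set does) is undefined behaviour in ISO C; the kernel's `-fno-strict-overflow` build makes GCC do what is intended, but the cast can simply move so that only the arithmetic right shift is relied on: `return (int64_t)(la << 16) >> 16;`. The 48-bit canonical width is hard-coded by the two 16s; a named constant or a comment stating that assumption would help, especially since the next patch in this series reuses `is_noncanonical_address()` from the emulator. `kvm_set_msr()` itself deserves a line of documentation: it now rejects non-canonical values for the MSRs on the `case` lines and silently canonicalises `MSR_IA32_SYSENTER_EIP/ESP` before forwarding, and the return value 1 is what both callers turn into `#GP`.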
diff --git a/queue-3.10/kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch b/queue-3.10/kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch
new file mode 100644 (file)
index 0000000..d97d1ff
--- /dev/null
@@ -0,0 +1,53 @@
+From 2bc19dc3754fc066c43799659f0d848631c44cfe Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Thu, 18 Sep 2014 16:21:16 +0300
+Subject: kvm: x86: don't kill guest on unknown exit reason
+
+From: "Michael S. Tsirkin" <mst@redhat.com>
+
+commit 2bc19dc3754fc066c43799659f0d848631c44cfe upstream.
+
+KVM_EXIT_UNKNOWN is a kvm bug, we don't really know whether it was
+triggered by a priveledged application.  Let's not kill the guest: WARN
+and inject #UD instead.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/svm.c |    6 +++---
+ arch/x86/kvm/vmx.c |    6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3478,9 +3478,9 @@ static int handle_exit(struct kvm_vcpu *
+       if (exit_code >= ARRAY_SIZE(svm_exit_handlers)
+           || !svm_exit_handlers[exit_code]) {
+-              kvm_run->exit_reason = KVM_EXIT_UNKNOWN;
+-              kvm_run->hw.hardware_exit_reason = exit_code;
+-              return 0;
++              WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_code);
++              kvm_queue_exception(vcpu, UD_VECTOR);
++              return 1;
+       }
+       return svm_exit_handlers[exit_code](svm);
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6654,10 +6654,10 @@ static int vmx_handle_exit(struct kvm_vc
+           && kvm_vmx_exit_handlers[exit_reason])
+               return kvm_vmx_exit_handlers[exit_reason](vcpu);
+       else {
+-              vcpu->run->exit_reason = KVM_EXIT_UNKNOWN;
+-              vcpu->run->hw.hardware_exit_reason = exit_reason;
++              WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_reason);
++              kvm_queue_exception(vcpu, UD_VECTOR);
++              return 1;
+       }
+-      return 0;
+ }
+ static void update_cr8_intercept(struct kvm_vcpu *vcpu, int tpr, int irr)
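Review bot: The `WARN_ONCE` added to `handle_exit()` in `svm.c` carries the prefix `"vmx: unexpected exit reason 0x%x\n"`, copied from the vmx.c hunk below, so an AMD host would log a message that blames the Intel backend; it should read `WARN_ONCE(1, "svm: unexpected exit reason 0x%x\n", exit_code);`. The exit code is presumably influenced by guest behaviour, so the `_ONCE` form is the right choice to keep a misbehaving guest from flooding the host log, and a short comment on the line saying so would stop someone downgrading it to a plain `WARN`. `handle_exit()` and `vmx_handle_exit()` both begin above their hunks.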
diff --git a/queue-3.10/kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch b/queue-3.10/kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch
new file mode 100644 (file)
index 0000000..53c0436
--- /dev/null
@@ -0,0 +1,234 @@
+From 234f3ce485d54017f15cf5e0699cff4100121601 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Thu, 18 Sep 2014 22:39:38 +0300
+Subject: KVM: x86: Emulator fixes for eip canonical checks on near branches
+
+From: Nadav Amit <namit@cs.technion.ac.il>
+
+commit 234f3ce485d54017f15cf5e0699cff4100121601 upstream.
+
+Before changing rip (during jmp, call, ret, etc.) the target should be asserted
+to be canonical one, as real CPUs do.  During sysret, both target rsp and rip
+should be canonical. If any of these values is noncanonical, a #GP exception
+should occur.  The exception to this rule are syscall and sysenter instructions
+in which the assigned rip is checked during the assignment to the relevant
+MSRs.
+
+This patch fixes the emulator to behave as real CPUs do for near branches.
+Far branches are handled by the next patch.
+
+This fixes CVE-2014-3647.
+
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c |   78 +++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 54 insertions(+), 24 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -736,7 +736,8 @@ static int emulate_nm(struct x86_emulate
+       return emulate_exception(ctxt, NM_VECTOR, 0, false);
+ }
+-static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
++static inline int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
++                             int cs_l)
+ {
+       switch (ctxt->op_bytes) {
+       case 2:
+@@ -746,16 +747,25 @@ static inline void assign_eip_near(struc
+               ctxt->_eip = (u32)dst;
+               break;
+       case 8:
++              if ((cs_l && is_noncanonical_address(dst)) ||
++                  (!cs_l && (dst & ~(u32)-1)))
++                      return emulate_gp(ctxt, 0);
+               ctxt->_eip = dst;
+               break;
+       default:
+               WARN(1, "unsupported eip assignment size\n");
+       }
++      return X86EMUL_CONTINUE;
++}
++
++static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
++{
++      return assign_eip_far(ctxt, dst, ctxt->mode == X86EMUL_MODE_PROT64);
+ }
+-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
++static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
+ {
+-      assign_eip_near(ctxt, ctxt->_eip + rel);
++      return assign_eip_near(ctxt, ctxt->_eip + rel);
+ }
+ static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
+@@ -2178,13 +2188,15 @@ static int em_grp45(struct x86_emulate_c
+       case 2: /* call near abs */ {
+               long int old_eip;
+               old_eip = ctxt->_eip;
+-              ctxt->_eip = ctxt->src.val;
++              rc = assign_eip_near(ctxt, ctxt->src.val);
++              if (rc != X86EMUL_CONTINUE)
++                      break;
+               ctxt->src.val = old_eip;
+               rc = em_push(ctxt);
+               break;
+       }
+       case 4: /* jmp abs */
+-              ctxt->_eip = ctxt->src.val;
++              rc = assign_eip_near(ctxt, ctxt->src.val);
+               break;
+       case 5: /* jmp far */
+               rc = em_jmp_far(ctxt);
+@@ -2216,10 +2228,14 @@ static int em_cmpxchg8b(struct x86_emula
+ static int em_ret(struct x86_emulate_ctxt *ctxt)
+ {
+-      ctxt->dst.type = OP_REG;
+-      ctxt->dst.addr.reg = &ctxt->_eip;
+-      ctxt->dst.bytes = ctxt->op_bytes;
+-      return em_pop(ctxt);
++      int rc;
++      unsigned long eip;
++
++      rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
++      if (rc != X86EMUL_CONTINUE)
++              return rc;
++
++      return assign_eip_near(ctxt, eip);
+ }
+ static int em_ret_far(struct x86_emulate_ctxt *ctxt)
+@@ -2486,7 +2502,7 @@ static int em_sysexit(struct x86_emulate
+ {
+       const struct x86_emulate_ops *ops = ctxt->ops;
+       struct desc_struct cs, ss;
+-      u64 msr_data;
++      u64 msr_data, rcx, rdx;
+       int usermode;
+       u16 cs_sel = 0, ss_sel = 0;
+@@ -2502,6 +2518,9 @@ static int em_sysexit(struct x86_emulate
+       else
+               usermode = X86EMUL_MODE_PROT32;
++      rcx = reg_read(ctxt, VCPU_REGS_RCX);
++      rdx = reg_read(ctxt, VCPU_REGS_RDX);
++
+       cs.dpl = 3;
+       ss.dpl = 3;
+       ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
+@@ -2519,6 +2538,9 @@ static int em_sysexit(struct x86_emulate
+               ss_sel = cs_sel + 8;
+               cs.d = 0;
+               cs.l = 1;
++              if (is_noncanonical_address(rcx) ||
++                  is_noncanonical_address(rdx))
++                      return emulate_gp(ctxt, 0);
+               break;
+       }
+       cs_sel |= SELECTOR_RPL_MASK;
+@@ -2527,8 +2549,8 @@ static int em_sysexit(struct x86_emulate
+       ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
+       ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
+-      ctxt->_eip = reg_read(ctxt, VCPU_REGS_RDX);
+-      *reg_write(ctxt, VCPU_REGS_RSP) = reg_read(ctxt, VCPU_REGS_RCX);
++      ctxt->_eip = rdx;
++      *reg_write(ctxt, VCPU_REGS_RSP) = rcx;
+       return X86EMUL_CONTINUE;
+ }
+@@ -3067,10 +3089,13 @@ static int em_aad(struct x86_emulate_ctx
+ static int em_call(struct x86_emulate_ctxt *ctxt)
+ {
++      int rc;
+       long rel = ctxt->src.val;
+       ctxt->src.val = (unsigned long)ctxt->_eip;
+-      jmp_rel(ctxt, rel);
++      rc = jmp_rel(ctxt, rel);
++      if (rc != X86EMUL_CONTINUE)
++              return rc;
+       return em_push(ctxt);
+ }
+@@ -3102,11 +3127,12 @@ static int em_call_far(struct x86_emulat
+ static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
+ {
+       int rc;
++      unsigned long eip;
+-      ctxt->dst.type = OP_REG;
+-      ctxt->dst.addr.reg = &ctxt->_eip;
+-      ctxt->dst.bytes = ctxt->op_bytes;
+-      rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
++      rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
++      if (rc != X86EMUL_CONTINUE)
++              return rc;
++      rc = assign_eip_near(ctxt, eip);
+       if (rc != X86EMUL_CONTINUE)
+               return rc;
+       rsp_increment(ctxt, ctxt->src.val);
+@@ -3396,20 +3422,24 @@ static int em_lmsw(struct x86_emulate_ct
+ static int em_loop(struct x86_emulate_ctxt *ctxt)
+ {
++      int rc = X86EMUL_CONTINUE;
++
+       register_address_increment(ctxt, reg_rmw(ctxt, VCPU_REGS_RCX), -1);
+       if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
+           (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
+-              jmp_rel(ctxt, ctxt->src.val);
++              rc = jmp_rel(ctxt, ctxt->src.val);
+-      return X86EMUL_CONTINUE;
++      return rc;
+ }
+ static int em_jcxz(struct x86_emulate_ctxt *ctxt)
+ {
++      int rc = X86EMUL_CONTINUE;
++
+       if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
+-              jmp_rel(ctxt, ctxt->src.val);
++              rc = jmp_rel(ctxt, ctxt->src.val);
+-      return X86EMUL_CONTINUE;
++      return rc;
+ }
+ static int em_in(struct x86_emulate_ctxt *ctxt)
+@@ -4738,7 +4768,7 @@ special_insn:
+               break;
+       case 0x70 ... 0x7f: /* jcc (short) */
+               if (test_cc(ctxt->b, ctxt->eflags))
+-                      jmp_rel(ctxt, ctxt->src.val);
++                      rc = jmp_rel(ctxt, ctxt->src.val);
+               break;
+       case 0x8d: /* lea r16/r32, m */
+               ctxt->dst.val = ctxt->src.addr.mem.ea;
+@@ -4767,7 +4797,7 @@ special_insn:
+               break;
+       case 0xe9: /* jmp rel */
+       case 0xeb: /* jmp rel short */
+-              jmp_rel(ctxt, ctxt->src.val);
++              rc = jmp_rel(ctxt, ctxt->src.val);
+               ctxt->dst.type = OP_NONE; /* Disable writeback. */
+               break;
+       case 0xf4:              /* hlt */
+@@ -4879,7 +4909,7 @@ twobyte_insn:
+               break;
+       case 0x80 ... 0x8f: /* jnz rel, etc*/
+               if (test_cc(ctxt->b, ctxt->eflags))
+-                      jmp_rel(ctxt, ctxt->src.val);
++                      rc = jmp_rel(ctxt, ctxt->src.val);
+               break;
+       case 0x90 ... 0x9f:     /* setcc r/m8 */
+               ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
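Review bot: `assign_eip_far()` gains a `cs_l` parameter and an emulator-status return, and `assign_eip_near()` and `jmp_rel()` change from `void` to `int`, but none of the three carries a comment stating the new contract; a header above `assign_eip_far` along the lines of "load a branch target into `_eip` truncated to `op_bytes`; in 64-bit code a non-canonical target (or a set high half when `!cs_l`) raises #GP; returns `X86EMUL_CONTINUE` or the `emulate_gp()` status, which callers must now check" would make the obligation explicit. The `default:` arm of the switch still only `WARN()`s and then returns `X86EMUL_CONTINUE` with `_eip` untouched, so an unsupported `op_bytes` resumes at the same instruction; if that is acceptable a comment should say so. The new `rc = jmp_rel(...)` assignments in the `jcc`, `jmp rel` and two-byte `jcc` cases rely on the status check that follows the big switch, which is outside this hunk.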
diff --git a/queue-3.10/kvm-x86-fix-wrong-masking-on-relative-jump-call.patch b/queue-3.10/kvm-x86-fix-wrong-masking-on-relative-jump-call.patch
new file mode 100644 (file)
index 0000000..5647e1b
--- /dev/null
@@ -0,0 +1,65 @@
+From 05c83ec9b73c8124555b706f6af777b10adf0862 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Thu, 18 Sep 2014 22:39:37 +0300
+Subject: KVM: x86: Fix wrong masking on relative jump/call
+
+From: Nadav Amit <namit@cs.technion.ac.il>
+
+commit 05c83ec9b73c8124555b706f6af777b10adf0862 upstream.
+
+Relative jumps and calls do the masking according to the operand size, and not
+according to the address size as the KVM emulator does today.
+
+This patch fixes KVM behavior.
+
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c |   27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -663,11 +663,6 @@ static void rsp_increment(struct x86_emu
+       masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
+ }
+-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
+-{
+-      register_address_increment(ctxt, &ctxt->_eip, rel);
+-}
+-
+ static u32 desc_limit_scaled(struct desc_struct *desc)
+ {
+       u32 limit = get_desc_limit(desc);
+@@ -741,6 +736,28 @@ static int emulate_nm(struct x86_emulate
+       return emulate_exception(ctxt, NM_VECTOR, 0, false);
+ }
++static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
++{
++      switch (ctxt->op_bytes) {
++      case 2:
++              ctxt->_eip = (u16)dst;
++              break;
++      case 4:
++              ctxt->_eip = (u32)dst;
++              break;
++      case 8:
++              ctxt->_eip = dst;
++              break;
++      default:
++              WARN(1, "unsupported eip assignment size\n");
++      }
++}
++
++static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
++{
++      assign_eip_near(ctxt, ctxt->_eip + rel);
++}
++
+ static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
+ {
+       u16 selector;
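Review bot: The new `assign_eip_near()` encodes the rule from the commit message — near targets are truncated to the operand size — but the code does not say why `ctxt->op_bytes` rather than the address size is the right width, while the deleted `jmp_rel()` used `register_address_increment()`, which applied the address-size mask; a comment above the switch such as `/* Near jmp/call truncate the target to the operand size (op_bytes), not the address size */` would keep the next reader from "fixing" it back. The `default:` arm warns but leaves `_eip` unchanged, and as a `void` function nothing tells the caller; the following patch in this series turns the return into an emulator status, so the two are best read together.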
diff --git a/queue-3.10/kvm-x86-improve-thread-safety-in-pit.patch b/queue-3.10/kvm-x86-improve-thread-safety-in-pit.patch
new file mode 100644 (file)
index 0000000..f6f17ad
--- /dev/null
@@ -0,0 +1,37 @@
+From 2febc839133280d5a5e8e1179c94ea674489dae2 Mon Sep 17 00:00:00 2001
+From: Andy Honig <ahonig@google.com>
+Date: Wed, 27 Aug 2014 14:42:54 -0700
+Subject: KVM: x86: Improve thread safety in pit
+
+From: Andy Honig <ahonig@google.com>
+
+commit 2febc839133280d5a5e8e1179c94ea674489dae2 upstream.
+
+There's a race condition in the PIT emulation code in KVM.  In
+__kvm_migrate_pit_timer the pit_timer object is accessed without
+synchronization.  If the race condition occurs at the wrong time this
+can crash the host kernel.
+
+This fixes CVE-2014-3611.
+
+Signed-off-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/i8254.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/i8254.c
++++ b/arch/x86/kvm/i8254.c
+@@ -262,8 +262,10 @@ void __kvm_migrate_pit_timer(struct kvm_
+               return;
+       timer = &pit->pit_state.timer;
++      mutex_lock(&pit->pit_state.lock);
+       if (hrtimer_cancel(timer))
+               hrtimer_start_expires(timer, HRTIMER_MODE_ABS);
++      mutex_unlock(&pit->pit_state.lock);
+ }
+ static void destroy_pit_timer(struct kvm_pit *pit)
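Review bot: `mutex_lock()` is a sleeping lock, so this fix is only correct if every caller of `__kvm_migrate_pit_timer()` runs in a context that may sleep; the callers are not in this hunk and should be confirmed. `timer = &pit->pit_state.timer;` only takes an address, so leaving it above the lock is harmless, but a comment on the `mutex_lock` line — `/* presumably serialises against other users of pit_state.lock re-arming or tearing down the timer; confirm */` — would make the protected region and its intent obvious. The function's opening lines, including the early `return;` that stays outside the lock, are above the hunk.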
diff --git a/queue-3.10/kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch b/queue-3.10/kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch
new file mode 100644 (file)
index 0000000..d691d45
--- /dev/null
@@ -0,0 +1,86 @@
+From 8b3c3104c3f4f706e99365c3e0d2aa61b95f969f Mon Sep 17 00:00:00 2001
+From: Andy Honig <ahonig@google.com>
+Date: Wed, 27 Aug 2014 11:16:44 -0700
+Subject: KVM: x86: Prevent host from panicking on shared MSR writes.
+
+From: Andy Honig <ahonig@google.com>
+
+commit 8b3c3104c3f4f706e99365c3e0d2aa61b95f969f upstream.
+
+The previous patch blocked invalid writes directly when the MSR
+is written.  As a precaution, prevent future similar mistakes by
+gracefulling handle GPs caused by writes to shared MSRs.
+
+Signed-off-by: Andrew Honig <ahonig@google.com>
+[Remove parts obsoleted by Nadav's patch. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_host.h |    2 +-
+ arch/x86/kvm/vmx.c              |    7 +++++--
+ arch/x86/kvm/x86.c              |   11 ++++++++---
+ 3 files changed, 14 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1011,7 +1011,7 @@ int kvm_cpu_get_interrupt(struct kvm_vcp
+ void kvm_vcpu_reset(struct kvm_vcpu *vcpu);
+ void kvm_define_shared_msr(unsigned index, u32 msr);
+-void kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
++int kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
+ bool kvm_is_linear_rip(struct kvm_vcpu *vcpu, unsigned long linear_rip);
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2493,12 +2493,15 @@ static int vmx_set_msr(struct kvm_vcpu *
+                       break;
+               msr = find_msr_entry(vmx, msr_index);
+               if (msr) {
++                      u64 old_msr_data = msr->data;
+                       msr->data = data;
+                       if (msr - vmx->guest_msrs < vmx->save_nmsrs) {
+                               preempt_disable();
+-                              kvm_set_shared_msr(msr->index, msr->data,
+-                                                 msr->mask);
++                              ret = kvm_set_shared_msr(msr->index, msr->data,
++                                                       msr->mask);
+                               preempt_enable();
++                              if (ret)
++                                      msr->data = old_msr_data;
+                       }
+                       break;
+               }
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -225,20 +225,25 @@ static void kvm_shared_msr_cpu_online(vo
+               shared_msr_update(i, shared_msrs_global.msrs[i]);
+ }
+-void kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
++int kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
+ {
+       unsigned int cpu = smp_processor_id();
+       struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu);
++      int err;
+       if (((value ^ smsr->values[slot].curr) & mask) == 0)
+-              return;
++              return 0;
+       smsr->values[slot].curr = value;
+-      wrmsrl(shared_msrs_global.msrs[slot], value);
++      err = wrmsrl_safe(shared_msrs_global.msrs[slot], value);
++      if (err)
++              return 1;
++
+       if (!smsr->registered) {
+               smsr->urn.on_user_return = kvm_on_user_return;
+               user_return_notifier_register(&smsr->urn);
+               smsr->registered = true;
+       }
++      return 0;
+ }
+ EXPORT_SYMBOL_GPL(kvm_set_shared_msr);
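Review bot: In `kvm_set_shared_msr` the line `smsr->values[slot].curr = value;` still runs before `wrmsrl_safe()`, so when the write faults the per-CPU cache records a value the hardware never accepted: a later attempt to write that same rejected value short-circuits at the `((value ^ smsr->values[slot].curr) & mask) == 0` check, returns 0, and `vmx_set_msr` then keeps `msr->data = data` as though it succeeded, with the `old_msr_data` rollback only covering the first attempt. Reorder so the cache is updated only on success: `err = wrmsrl_safe(shared_msrs_global.msrs[slot], value); if (err) return 1; smsr->values[slot].curr = value;`. The stale `curr` presumably also skews the host-restore comparison in the user-return notifier, which is outside this hunk. The `ret` variable used in the vmx.c hunk is declared earlier in `vmx_set_msr`, outside the visible context.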
diff --git a/queue-3.10/media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch b/queue-3.10/media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch
new file mode 100644 (file)
index 0000000..8c1c0a0
--- /dev/null
@@ -0,0 +1,42 @@
+From 8c5bcded11cb607b1bb5920de3b9c882136d27db Mon Sep 17 00:00:00 2001
+From: Ulrich Eckhardt <uli-lirc@uli-eckhardt.de>
+Date: Fri, 10 Oct 2014 14:19:12 -0300
+Subject: media: ds3000: fix LNB supply voltage on Tevii S480 on initialization
+
+From: Ulrich Eckhardt <uli-lirc@uli-eckhardt.de>
+
+commit 8c5bcded11cb607b1bb5920de3b9c882136d27db upstream.
+
+The Tevii S480 outputs 18V on startup for the LNB supply voltage and does not
+automatically power down. This blocks other receivers connected
+to a satellite channel router (EN50494), since the receivers can not send the
+required DiSEqC sequences when the Tevii card is connected to a the same SCR.
+
+This patch switches off the LNB supply voltage on initialization of the frontend.
+
+[mchehab@osg.samsung.com: add a comment about why we're explicitly
+ turning off voltage at device init]
+Signed-off-by: Ulrich Eckhardt <uli@uli-eckhardt.de>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/dvb-frontends/ds3000.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/media/dvb-frontends/ds3000.c
++++ b/drivers/media/dvb-frontends/ds3000.c
+@@ -864,6 +864,13 @@ struct dvb_frontend *ds3000_attach(const
+       memcpy(&state->frontend.ops, &ds3000_ops,
+                       sizeof(struct dvb_frontend_ops));
+       state->frontend.demodulator_priv = state;
++
++      /*
++       * Some devices like T480 starts with voltage on. Be sure
++       * to turn voltage off during init, as this can otherwise
++       * interfere with Unicable SCR systems.
++       */
++      ds3000_set_voltage(&state->frontend, SEC_VOLTAGE_OFF);
+       return &state->frontend;
+ error3:
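Review bot: The comment added above the `ds3000_set_voltage()` call names a "T480", while the subject, the description and the file name all refer to the Tevii S480; one of the two is presumably a typo and the comment is the more likely one, since it was added by hand during merge. It also has a number-agreement slip ("devices ... starts"). Suggested first line: `* Some devices like the Tevii S480 start with voltage on. Be sure`. The return value of `ds3000_set_voltage()` is discarded here; if that is intentional best-effort behaviour at attach time, a trailing `(void)` cast or a half-sentence in the same comment would make it explicit. `ds3000_attach` starts outside the hunk.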
diff --git a/queue-3.10/media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch b/queue-3.10/media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch
new file mode 100644 (file)
index 0000000..62c1359
--- /dev/null
@@ -0,0 +1,102 @@
+From 627530c32a43283474e9dd3e954519410ffa033a Mon Sep 17 00:00:00 2001
+From: Frank Schaefer <fschaefer.oss@googlemail.com>
+Date: Sat, 9 Aug 2014 06:37:20 -0300
+Subject: media: em28xx-v4l: give back all active video buffers to the vb2 core properly on streaming stop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frank Schaefer <fschaefer.oss@googlemail.com>
+
+commit 627530c32a43283474e9dd3e954519410ffa033a upstream.
+
+When a new video frame is started, the driver takes the next video buffer from
+the list of active buffers and moves it to dev->usb_ctl.vid_buf / dev->usb_ctl.vbi_buf
+for further processing.
+
+On streaming stop we currently only give back the pending buffers from the list
+but not the ones which are currently processed.
+
+This causes the following warning from the vb2 core since kernel 3.15:
+
+...
+ ------------[ cut here ]------------
+ WARNING: CPU: 1 PID: 2284 at drivers/media/v4l2-core/videobuf2-core.c:2115 __vb2_queue_cancel+0xed/0x150 [videobuf2_core]()
+ [...]
+ Call Trace:
+  [<c0769c46>] dump_stack+0x48/0x69
+  [<c0245b69>] warn_slowpath_common+0x79/0x90
+  [<f925e4ad>] ? __vb2_queue_cancel+0xed/0x150 [videobuf2_core]
+  [<f925e4ad>] ? __vb2_queue_cancel+0xed/0x150 [videobuf2_core]
+  [<c0245bfd>] warn_slowpath_null+0x1d/0x20
+  [<f925e4ad>] __vb2_queue_cancel+0xed/0x150 [videobuf2_core]
+  [<f925fa35>] vb2_internal_streamoff+0x35/0x90 [videobuf2_core]
+  [<f925fac5>] vb2_streamoff+0x35/0x60 [videobuf2_core]
+  [<f925fb27>] vb2_ioctl_streamoff+0x37/0x40 [videobuf2_core]
+  [<f8e45895>] v4l_streamoff+0x15/0x20 [videodev]
+  [<f8e4925d>] __video_do_ioctl+0x23d/0x2d0 [videodev]
+  [<f8e49020>] ? video_ioctl2+0x20/0x20 [videodev]
+  [<f8e48c63>] video_usercopy+0x203/0x5a0 [videodev]
+  [<f8e49020>] ? video_ioctl2+0x20/0x20 [videodev]
+  [<c039d0e7>] ? fsnotify+0x1e7/0x2b0
+  [<f8e49012>] video_ioctl2+0x12/0x20 [videodev]
+  [<f8e49020>] ? video_ioctl2+0x20/0x20 [videodev]
+  [<f8e4461e>] v4l2_ioctl+0xee/0x130 [videodev]
+  [<f8e44530>] ? v4l2_open+0xf0/0xf0 [videodev]
+  [<c0378de2>] do_vfs_ioctl+0x2e2/0x4d0
+  [<c0368eec>] ? vfs_write+0x13c/0x1c0
+  [<c0369a8f>] ? vfs_writev+0x2f/0x50
+  [<c0379028>] SyS_ioctl+0x58/0x80
+  [<c076fff3>] sysenter_do_call+0x12/0x12
+ ---[ end trace 5545f934409f13f4 ]---
+...
+
+Many thanks to Hans Verkuil, whose recently added check in the vb2 core unveiled
+this long standing issue and who has investigated it further.
+
+Signed-off-by: Frank Schäfer <fschaefer.oss@googlemail.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/em28xx/em28xx-video.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/em28xx/em28xx-video.c
++++ b/drivers/media/usb/em28xx/em28xx-video.c
+@@ -696,13 +696,16 @@ static int em28xx_stop_streaming(struct
+       }
+       spin_lock_irqsave(&dev->slock, flags);
++      if (dev->usb_ctl.vid_buf != NULL) {
++              vb2_buffer_done(&dev->usb_ctl.vid_buf->vb, VB2_BUF_STATE_ERROR);
++              dev->usb_ctl.vid_buf = NULL;
++      }
+       while (!list_empty(&vidq->active)) {
+               struct em28xx_buffer *buf;
+               buf = list_entry(vidq->active.next, struct em28xx_buffer, list);
+               list_del(&buf->list);
+               vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR);
+       }
+-      dev->usb_ctl.vid_buf = NULL;
+       spin_unlock_irqrestore(&dev->slock, flags);
+       return 0;
+@@ -724,13 +727,16 @@ int em28xx_stop_vbi_streaming(struct vb2
+       }
+       spin_lock_irqsave(&dev->slock, flags);
++      if (dev->usb_ctl.vbi_buf != NULL) {
++              vb2_buffer_done(&dev->usb_ctl.vbi_buf->vb, VB2_BUF_STATE_ERROR);
++              dev->usb_ctl.vbi_buf = NULL;
++      }
+       while (!list_empty(&vbiq->active)) {
+               struct em28xx_buffer *buf;
+               buf = list_entry(vbiq->active.next, struct em28xx_buffer, list);
+               list_del(&buf->list);
+               vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR);
+       }
+-      dev->usb_ctl.vbi_buf = NULL;
+       spin_unlock_irqrestore(&dev->slock, flags);
+       return 0;
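Review bot: The new `if (dev->usb_ctl.vid_buf != NULL)` / `vbi_buf` blocks return the in-flight buffer without saying why it is not covered by the `while (!list_empty(...))` loop that follows; the description explains it (the buffer was taken off the active list when its frame started), but a reader of the code has to guess. Add above each block a comment such as `/* The buffer currently being filled was removed from the active list when its frame started, so return it separately. */`. The two blocks are otherwise identical apart from the field name, so a small static helper taking the `struct em28xx_buffer **` slot would remove the duplication, though that is a style choice. Both `em28xx_stop_streaming` and `em28xx_stop_vbi_streaming` begin before their respective hunk context.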
diff --git a/queue-3.10/media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch b/queue-3.10/media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch
new file mode 100644 (file)
index 0000000..5e2c21f
--- /dev/null
@@ -0,0 +1,32 @@
+From 91ba0e59babdb3c7aca836a65f1095b3eaff7b06 Mon Sep 17 00:00:00 2001
+From: Axel Lin <axel.lin@ingics.com>
+Date: Fri, 8 Aug 2014 10:32:56 -0300
+Subject: media: tda7432: Fix setting TDA7432_MUTE bit for TDA7432_RF register
+
+From: Axel Lin <axel.lin@ingics.com>
+
+commit 91ba0e59babdb3c7aca836a65f1095b3eaff7b06 upstream.
+
+Fix a copy-paste bug when converting to the control framework.
+
+Fixes: commit 5d478e0de871 ("[media] tda7432: convert to the control framework")
+
+Signed-off-by: Axel Lin <axel.lin@ingics.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/i2c/tda7432.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/tda7432.c
++++ b/drivers/media/i2c/tda7432.c
+@@ -293,7 +293,7 @@ static int tda7432_s_ctrl(struct v4l2_ct
+               if (t->mute->val) {
+                       lf |= TDA7432_MUTE;
+                       lr |= TDA7432_MUTE;
+-                      lf |= TDA7432_MUTE;
++                      rf |= TDA7432_MUTE;
+                       rr |= TDA7432_MUTE;
+               }
+               /* Mute & update balance*/
diff --git a/queue-3.10/media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch b/queue-3.10/media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch
new file mode 100644 (file)
index 0000000..2d41f26
--- /dev/null
@@ -0,0 +1,67 @@
+From 3bacc10cd4a85bc70bc0b6c001d3bf995c7fe04c Mon Sep 17 00:00:00 2001
+From: Maciej Matraszek <m.matraszek@samsung.com>
+Date: Mon, 15 Sep 2014 05:14:48 -0300
+Subject: media: v4l2-common: fix overflow in v4l_bound_align_image()
+
+From: Maciej Matraszek <m.matraszek@samsung.com>
+
+commit 3bacc10cd4a85bc70bc0b6c001d3bf995c7fe04c upstream.
+
+Fix clamp_align() used in v4l_bound_align_image() to prevent overflow
+when passed large value like UINT32_MAX.
+
+ In the current implementation:
+    clamp_align(UINT32_MAX, 8, 8192, 3)
+
+returns 8, because in line:
+
+    x = (x + (1 << (align - 1))) & mask;
+
+x overflows to (-1 + 4) & 0x7 = 3, while expected value is 8192.
+
+v4l_bound_align_image() is heavily used in VIDIOC_S_FMT and
+VIDIOC_SUBDEV_S_FMT ioctls handlers, and documentation of the latter
+explicitly states that:
+
+"The modified format should be as close as possible to the original
+request."
+  -- http://linuxtv.org/downloads/v4l-dvb-apis/vidioc-subdev-g-fmt.html
+
+Thus one would expect, that passing UINT32_MAX as format width and
+height will result in setting maximum possible resolution for the
+device. Particularly, when the driver doesn't support
+VIDIOC_ENUM_FRAMESIZES ioctl, which is common in the codebase.
+
+Fixes changeset: b0d3159be9a3
+
+Signed-off-by: Maciej Matraszek <m.matraszek@samsung.com>
+Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/v4l2-common.c |    9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-common.c
++++ b/drivers/media/v4l2-core/v4l2-common.c
+@@ -485,16 +485,13 @@ static unsigned int clamp_align(unsigned
+       /* Bits that must be zero to be aligned */
+       unsigned int mask = ~((1 << align) - 1);
++      /* Clamp to aligned min and max */
++      x = clamp(x, (min + ~mask) & mask, max & mask);
++
+       /* Round to nearest aligned value */
+       if (align)
+               x = (x + (1 << (align - 1))) & mask;
+-      /* Clamp to aligned value of min and max */
+-      if (x < min)
+-              x = (min + ~mask) & mask;
+-      else if (x > max)
+-              x = max & mask;
+-
+       return x;
+ }
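Review bot: The new `x = clamp(x, (min + ~mask) & mask, max & mask);` assumes the rounded-up minimum is not greater than the rounded-down maximum; when no aligned value lies in [min, max] (e.g. min 8, max 10, align 4 gives lo 16, hi 0) the kernel's `clamp()` evaluates to `hi`, i.e. a result below `min`, and the old `if (x < min) ... else if (x > max)` form misbehaved in that case too, so this is a pre-existing contract rather than a regression. Document it on the function so driver authors know the onus is theirs, e.g. `/* Callers must pass a [min, max] range that contains at least one value aligned to 1 << align; otherwise the result is unspecified. */`, or guard it with a `WARN_ON_ONCE(lo > hi)` if a cheap check is acceptable. The subsequent rounding cannot overflow now because `x` is bounded by `max & mask`, which is worth a short comment on the `if (align)` line. The function's signature line is only visible in the `@@` header.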
index 365013a729e6e5466215f70e7f5b7ff2101f19f2..f156db46f71d43fb5206eaa5658335ea4fcdef42 100644 (file)
@@ -44,3 +44,16 @@ input-i8042-quirks-for-fujitsu-lifebook-a544-and-lifebook-ah544.patch
 drm-ast-fix-hw-cursor-image.patch
 drm-tilcdc-fix-the-error-path-in-tilcdc_load.patch
 drm-nouveau-bios-memset-dcb-struct-to-zero-before-parsing.patch
+media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch
+media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch
+media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch
+media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch
+kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch
+kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch
+kvm-x86-improve-thread-safety-in-pit.patch
+kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch
+kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch
+kvm-x86-fix-wrong-masking-on-relative-jump-call.patch
+kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch
+arc-allow-headless-models-to-boot.patch
+arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch