--- /dev/null
+From 5c05483e2db91890faa9a7be0a831701a3f442d6 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Fri, 20 Jun 2014 16:24:49 +0530
+Subject: ARC: [nsimosci] Allow "headless" models to boot
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit 5c05483e2db91890faa9a7be0a831701a3f442d6 upstream.
+
+There are certain test configuration of virtual platform which don't
+have any real console device (uart/pgu). So add tty0 as a fallback console
+device to allow system to boot and be accessible via telnet
+
+Otherwise with ttyS0 as only console, but 8250 disabled in kernel build,
+init chokes.
+
+Reported-by: Anton Kolesov <akolesov@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/boot/dts/nsimosci.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/boot/dts/nsimosci.dts
++++ b/arch/arc/boot/dts/nsimosci.dts
+@@ -20,7 +20,7 @@
+ /* this is for console on PGU */
+ /* bootargs = "console=tty0 consoleblank=0"; */
+ /* this is for console on serial */
+- bootargs = "earlycon=uart8250,mmio32,0xc0000000,115200n8 console=ttyS0,115200n8 consoleblank=0 debug";
++ bootargs = "earlycon=uart8250,mmio32,0xc0000000,115200n8 console=tty0 console=ttyS0,115200n8 consoleblank=0 debug";
+ };
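Review bot: The new `console=tty0 console=ttyS0,...` pair only works as intended because of the kernel rule that the last `console=` listed is the one bound to /dev/console, with earlier entries acting as additional/fallback consoles; that ordering is the whole point of the change, yet nothing in the DTS records it. A one-line comment above the bootargs, `/* last console= wins for /dev/console; tty0 only takes over when no 8250 is built in */`, would stop a later edit from swapping the order. The existing `/* this is for console on serial */` comment is now slightly misleading, since the same line also covers the PGU/tty0 fallback.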
+
+ aliases {
--- /dev/null
+From ef680cdc24376f394841a3f19b3a7ef6d57a009d Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Fri, 7 Mar 2014 18:08:11 +0530
+Subject: ARC: Disable caches in early boot if so configured
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit ef680cdc24376f394841a3f19b3a7ef6d57a009d upstream.
+
+Requested-by: Noam Camus <noamc@ezchip.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/cache.h | 27 ++++++++++
+ arch/arc/kernel/head.S | 38 +++++++++++++-
+ arch/arc/mm/cache_arc700.c | 112 ++++++++++---------------------------------
+ 3 files changed, 90 insertions(+), 87 deletions(-)
+
+--- a/arch/arc/include/asm/cache.h
++++ b/arch/arc/include/asm/cache.h
+@@ -55,4 +55,31 @@ extern void read_decode_cache_bcr(void);
+
+ #endif /* !__ASSEMBLY__ */
+
++/* Instruction cache related Auxiliary registers */
++#define ARC_REG_IC_BCR 0x77 /* Build Config reg */
++#define ARC_REG_IC_IVIC 0x10
++#define ARC_REG_IC_CTRL 0x11
++#define ARC_REG_IC_IVIL 0x19
++#if defined(CONFIG_ARC_MMU_V3) || defined (CONFIG_ARC_MMU_V4)
++#define ARC_REG_IC_PTAG 0x1E
++#endif
++
++/* Bit val in IC_CTRL */
++#define IC_CTRL_CACHE_DISABLE 0x1
++
++/* Data cache related Auxiliary registers */
++#define ARC_REG_DC_BCR 0x72 /* Build Config reg */
++#define ARC_REG_DC_IVDC 0x47
++#define ARC_REG_DC_CTRL 0x48
++#define ARC_REG_DC_IVDL 0x4A
++#define ARC_REG_DC_FLSH 0x4B
++#define ARC_REG_DC_FLDL 0x4C
++#if defined(CONFIG_ARC_MMU_V3) || defined (CONFIG_ARC_MMU_V4)
++#define ARC_REG_DC_PTAG 0x5C
++#endif
++
++/* Bit val in DC_CTRL */
++#define DC_CTRL_INV_MODE_FLUSH 0x40
++#define DC_CTRL_FLUSH_STATUS 0x100
++
+ #endif /* _ASM_CACHE_H */
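Review bot: The `ARC_REG_IC_PTAG`/`ARC_REG_DC_PTAG` definitions are now guarded by `defined(CONFIG_ARC_MMU_V3) || defined (CONFIG_ARC_MMU_V4)`, whereas the identical definitions removed from cache_arc700.c in this same patch were guarded by `(CONFIG_ARC_MMU_VER > 2)`, and the consumer in `__cache_line_loop` still keys on `CONFIG_ARC_MMU_VER` (see the later "fix mmuv2 warning" patch in this series). Unless the two Kconfig spellings are guaranteed to track each other, a configuration can end up with the macro undefined where the .c file expects it; I'd keep one predicate, `#if (CONFIG_ARC_MMU_VER > 2)`, in the header. Minor style: `defined (CONFIG_ARC_MMU_V4)` carries a stray space the surrounding code does not use.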
+--- a/arch/arc/kernel/head.S
++++ b/arch/arc/kernel/head.S
+@@ -12,10 +12,42 @@
+ * to skip certain things during boot on simulator
+ */
+
++#include <linux/linkage.h>
+ #include <asm/asm-offsets.h>
+ #include <asm/entry.h>
+-#include <linux/linkage.h>
+ #include <asm/arcregs.h>
++#include <asm/cache.h>
++
++.macro CPU_EARLY_SETUP
++
++ ; Setting up Vectror Table (in case exception happens in early boot
++ sr @_int_vec_base_lds, [AUX_INTR_VEC_BASE]
++
++ ; Disable I-cache/D-cache if kernel so configured
++ lr r5, [ARC_REG_IC_BCR]
++ breq r5, 0, 1f ; I$ doesn't exist
++ lr r5, [ARC_REG_IC_CTRL]
++#ifdef CONFIG_ARC_HAS_ICACHE
++ bclr r5, r5, 0 ; 0 - Enable, 1 is Disable
++#else
++ bset r5, r5, 0 ; I$ exists, but is not used
++#endif
++ sr r5, [ARC_REG_IC_CTRL]
++
++1:
++ lr r5, [ARC_REG_DC_BCR]
++ breq r5, 0, 1f ; D$ doesn't exist
++ lr r5, [ARC_REG_DC_CTRL]
++ bclr r5, r5, 6 ; Invalidate (discard w/o wback)
++#ifdef CONFIG_ARC_HAS_DCACHE
++ bclr r5, r5, 0 ; Enable (+Inv)
++#else
++ bset r5, r5, 0 ; Disable (+Inv)
++#endif
++ sr r5, [ARC_REG_DC_CTRL]
++
++1:
++.endm
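Review bot: The D-cache disable path, `bclr r5, r5, 6` followed by `bset r5, r5, 0` with the comment `Disable (+Inv)`, invalidates in discard mode, so any dirty lines the bootloader left behind (the boot info it passes in r0-r2 may point at such data) are dropped rather than written back; the C code this replaces wrote `ARC_REG_DC_FLSH` before setting the disable bit. If the hardware does not write back on disable, I'd issue the flush first, or at least state the assumption: `; assumes bootloader left no dirty D$ lines: disable discards them`. Separately, `Setting up Vectror Table (in case exception happens in early boot` has a typo and an unclosed parenthesis, and the macro header should say it clobbers r5, since the caller's comment only reserves r0-r2.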
+
+ .cpu A7
+
+@@ -27,7 +59,7 @@ stext:
+ ; Don't clobber r0-r2 yet. It might have bootloader provided info
+ ;-------------------------------------------------------------------
+
+- sr @_int_vec_base_lds, [AUX_INTR_VEC_BASE]
++ CPU_EARLY_SETUP
+
+ #ifdef CONFIG_SMP
+ ; Ensure Boot (Master) proceeds. Others wait in platform dependent way
+@@ -90,7 +122,7 @@ stext:
+
+ first_lines_of_secondary:
+
+- sr @_int_vec_base_lds, [AUX_INTR_VEC_BASE]
++ CPU_EARLY_SETUP
+
+ ; setup per-cpu idle task as "current" on this CPU
+ ld r0, [@secondary_idle_tsk]
+--- a/arch/arc/mm/cache_arc700.c
++++ b/arch/arc/mm/cache_arc700.c
+@@ -73,33 +73,6 @@
+ #include <asm/cachectl.h>
+ #include <asm/setup.h>
+
+-/* Instruction cache related Auxiliary registers */
+-#define ARC_REG_IC_BCR 0x77 /* Build Config reg */
+-#define ARC_REG_IC_IVIC 0x10
+-#define ARC_REG_IC_CTRL 0x11
+-#define ARC_REG_IC_IVIL 0x19
+-#if (CONFIG_ARC_MMU_VER > 2)
+-#define ARC_REG_IC_PTAG 0x1E
+-#endif
+-
+-/* Bit val in IC_CTRL */
+-#define IC_CTRL_CACHE_DISABLE 0x1
+-
+-/* Data cache related Auxiliary registers */
+-#define ARC_REG_DC_BCR 0x72 /* Build Config reg */
+-#define ARC_REG_DC_IVDC 0x47
+-#define ARC_REG_DC_CTRL 0x48
+-#define ARC_REG_DC_IVDL 0x4A
+-#define ARC_REG_DC_FLSH 0x4B
+-#define ARC_REG_DC_FLDL 0x4C
+-#if (CONFIG_ARC_MMU_VER > 2)
+-#define ARC_REG_DC_PTAG 0x5C
+-#endif
+-
+-/* Bit val in DC_CTRL */
+-#define DC_CTRL_INV_MODE_FLUSH 0x40
+-#define DC_CTRL_FLUSH_STATUS 0x100
+-
+ char *arc_cache_mumbojumbo(int c, char *buf, int len)
+ {
+ int n = 0;
+@@ -168,72 +141,43 @@ void read_decode_cache_bcr(void)
+ */
+ void arc_cache_init(void)
+ {
+- unsigned int cpu = smp_processor_id();
+- struct cpuinfo_arc_cache *ic = &cpuinfo_arc700[cpu].icache;
+- struct cpuinfo_arc_cache *dc = &cpuinfo_arc700[cpu].dcache;
+- unsigned int dcache_does_alias, temp;
++ unsigned int __maybe_unused cpu = smp_processor_id();
++ struct cpuinfo_arc_cache __maybe_unused *ic, __maybe_unused *dc;
+ char str[256];
+
+ printk(arc_cache_mumbojumbo(0, str, sizeof(str)));
+
+- if (!ic->ver)
+- goto chk_dc;
+-
+-#ifdef CONFIG_ARC_HAS_ICACHE
+- /* 1. Confirm some of I-cache params which Linux assumes */
+- if (ic->line_len != L1_CACHE_BYTES)
+- panic("Cache H/W doesn't match kernel Config");
+-
+- if (ic->ver != CONFIG_ARC_MMU_VER)
+- panic("Cache ver doesn't match MMU ver\n");
+-#endif
+-
+- /* Enable/disable I-Cache */
+- temp = read_aux_reg(ARC_REG_IC_CTRL);
+-
+ #ifdef CONFIG_ARC_HAS_ICACHE
+- temp &= ~IC_CTRL_CACHE_DISABLE;
+-#else
+- temp |= IC_CTRL_CACHE_DISABLE;
+-#endif
+-
+- write_aux_reg(ARC_REG_IC_CTRL, temp);
+-
+-chk_dc:
+- if (!dc->ver)
+- return;
+-
+-#ifdef CONFIG_ARC_HAS_DCACHE
+- if (dc->line_len != L1_CACHE_BYTES)
+- panic("Cache H/W doesn't match kernel Config");
+-
+- /* check for D-Cache aliasing */
+- dcache_does_alias = (dc->sz / dc->assoc) > PAGE_SIZE;
+-
+- if (dcache_does_alias && !cache_is_vipt_aliasing())
+- panic("Enable CONFIG_ARC_CACHE_VIPT_ALIASING\n");
+- else if (!dcache_does_alias && cache_is_vipt_aliasing())
+- panic("Don't need CONFIG_ARC_CACHE_VIPT_ALIASING\n");
++ ic = &cpuinfo_arc700[cpu].icache;
++ if (ic->ver) {
++ if (ic->line_len != L1_CACHE_BYTES)
++ panic("ICache line [%d] != kernel Config [%d]",
++ ic->line_len, L1_CACHE_BYTES);
++
++ if (ic->ver != CONFIG_ARC_MMU_VER)
++ panic("Cache ver [%d] doesn't match MMU ver [%d]\n",
++ ic->ver, CONFIG_ARC_MMU_VER);
++ }
+ #endif
+
+- /* Set the default Invalidate Mode to "simpy discard dirty lines"
+- * as this is more frequent then flush before invalidate
+- * Ofcourse we toggle this default behviour when desired
+- */
+- temp = read_aux_reg(ARC_REG_DC_CTRL);
+- temp &= ~DC_CTRL_INV_MODE_FLUSH;
+-
+ #ifdef CONFIG_ARC_HAS_DCACHE
+- /* Enable D-Cache: Clear Bit 0 */
+- write_aux_reg(ARC_REG_DC_CTRL, temp & ~IC_CTRL_CACHE_DISABLE);
+-#else
+- /* Flush D cache */
+- write_aux_reg(ARC_REG_DC_FLSH, 0x1);
+- /* Disable D cache */
+- write_aux_reg(ARC_REG_DC_CTRL, temp | IC_CTRL_CACHE_DISABLE);
++ dc = &cpuinfo_arc700[cpu].dcache;
++ if (dc->ver) {
++ unsigned int dcache_does_alias;
++
++ if (dc->line_len != L1_CACHE_BYTES)
++ panic("DCache line [%d] != kernel Config [%d]",
++ dc->line_len, L1_CACHE_BYTES);
++
++ /* check for D-Cache aliasing */
++ dcache_does_alias = (dc->sz / dc->assoc) > PAGE_SIZE;
++
++ if (dcache_does_alias && !cache_is_vipt_aliasing())
++ panic("Enable CONFIG_ARC_CACHE_VIPT_ALIASING\n");
++ else if (!dcache_does_alias && cache_is_vipt_aliasing())
++ panic("Don't need CONFIG_ARC_CACHE_VIPT_ALIASING\n");
++ }
+ #endif
+-
+- return;
+ }
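Review bot: `printk(arc_cache_mumbojumbo(0, str, sizeof(str)))` passes the assembled buffer as the format string; the text is built from fixed strings today so it is benign, but `printk("%s", arc_cache_mumbojumbo(cpu, str, sizeof(str)))` is the safer idiom and also fixes the hard-coded cpu 0 — the function now has `cpu = smp_processor_id()` in hand, so it can report the geometry of the CPU actually being initialised. The declaration `struct cpuinfo_arc_cache __maybe_unused *ic, __maybe_unused *dc;` would read better as two declarations moved inside their respective `#ifdef` blocks, which removes the need for the attribute on `ic` and `dc`. The function no longer enables/disables the caches itself; a one-line comment pointing at `CPU_EARLY_SETUP` in head.S would tell the next reader where that moved.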
+
+ #define OP_INV 0x1
--- /dev/null
+From d75386363ee60eb51c933c7b5e536f3a502ad7d7 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Sun, 6 Apr 2014 06:59:51 +0530
+Subject: ARC: fix mmuv2 warning
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit d75386363ee60eb51c933c7b5e536f3a502ad7d7 upstream.
+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/mm/cache_arc700.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/arc/mm/cache_arc700.c
++++ b/arch/arc/mm/cache_arc700.c
+@@ -253,12 +253,16 @@ static inline void __cache_line_loop(uns
+
+ if (cacheop == OP_INV_IC) {
+ aux_cmd = ARC_REG_IC_IVIL;
++#if (CONFIG_ARC_MMU_VER > 2)
+ aux_tag = ARC_REG_IC_PTAG;
++#endif
+ }
+ else {
+ /* d$ cmd: INV (discard or wback-n-discard) OR FLUSH (wback) */
+ aux_cmd = cacheop & OP_INV ? ARC_REG_DC_IVDL : ARC_REG_DC_FLDL;
++#if (CONFIG_ARC_MMU_VER > 2)
+ aux_tag = ARC_REG_DC_PTAG;
++#endif
+ }
+
+ /* Ensure we properly floor/ceil the non-line aligned/sized requests
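Review bot: With the new `#if (CONFIG_ARC_MMU_VER > 2)` guards, `aux_tag` is never assigned on an MMUv2 build, so its declaration and every later use (both outside this hunk) must sit under the same guard or the uninitialised-variable warning simply becomes an unused-variable one; the body of `__cache_line_loop` starts and ends outside the hunk, so I cannot confirm that here. The predicate also differs from the `defined(CONFIG_ARC_MMU_V3) || defined(CONFIG_ARC_MMU_V4)` form now used for `ARC_REG_*_PTAG` in asm/cache.h; settling on one spelling avoids a build where the macro and its user disagree.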
--- /dev/null
+From c3441edd2dea83923421fd6050d2ffdc57696323 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Mon, 24 Feb 2014 11:42:50 +0800
+Subject: ARC: [SMP] General Fixes
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit c3441edd2dea83923421fd6050d2ffdc57696323 upstream.
+
+-Pass the expected arg to non-boot park'ing routine
+ (It worked so far because existing SMP backends don't use the arg)
+
+-CONFIG_DEBUG_PREEMPT warning
+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ arch/arc/kernel/head.S | 7 ++++---
+ arch/arc/mm/cache_arc700.c | 3 +--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/arc/kernel/head.S
++++ b/arch/arc/kernel/head.S
+@@ -24,13 +24,13 @@
+ .globl stext
+ stext:
+ ;-------------------------------------------------------------------
+- ; Don't clobber r0-r4 yet. It might have bootloader provided info
++ ; Don't clobber r0-r2 yet. It might have bootloader provided info
+ ;-------------------------------------------------------------------
+
+ sr @_int_vec_base_lds, [AUX_INTR_VEC_BASE]
+
+ #ifdef CONFIG_SMP
+- ; Only Boot (Master) proceeds. Others wait in platform dependent way
++ ; Ensure Boot (Master) proceeds. Others wait in platform dependent way
+ ; IDENTITY Reg [ 3 2 1 0 ]
+ ; (cpu-id) ^^^ => Zero for UP ARC700
+ ; => #Core-ID if SMP (Master 0)
+@@ -39,7 +39,8 @@ stext:
+ ; need to make sure only boot cpu takes this path.
+ GET_CPU_ID r5
+ cmp r5, 0
+- jnz arc_platform_smp_wait_to_boot
++ mov.ne r0, r5
++ jne arc_platform_smp_wait_to_boot
+ #endif
+ ; Clear BSS before updating any globals
+ ; XXX: use ZOL here
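Review bot: `mov.ne r0, r5` overwrites r0 on every non-boot CPU directly under the comment that says `Don't clobber r0-r2 yet`, because the bootloader info in r0 is only consumed on the boot-CPU path; that is presumably intentional but deserves a word, e.g. `; non-boot CPUs: r0 = cpu id (bootloader args are not needed on this path)`. The comment edit from `r0-r4` to `r0-r2` narrows what is reserved; if r3/r4 never carried anything that is fine, but it is the kind of fact worth a line in the commit message rather than a silent comment change.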
+--- a/arch/arc/mm/cache_arc700.c
++++ b/arch/arc/mm/cache_arc700.c
+@@ -100,10 +100,9 @@
+ #define DC_CTRL_INV_MODE_FLUSH 0x40
+ #define DC_CTRL_FLUSH_STATUS 0x100
+
+-char *arc_cache_mumbojumbo(int cpu_id, char *buf, int len)
++char *arc_cache_mumbojumbo(int c, char *buf, int len)
+ {
+ int n = 0;
+- unsigned int c = smp_processor_id();
+
+ #define PR_CACHE(p, enb, str) \
+ { \
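Review bot: Dropping `smp_processor_id()` makes `arc_cache_mumbojumbo` safe to call from preemptible context, but it now trusts the caller's `c` to index the per-cpu cache info; the rest of the body is outside the hunk, so I cannot see whether `c` is range-checked, and a doc comment `/* @c: cpu index into cpuinfo_arc700[]; caller guarantees it is valid */` would record that contract. The rename from `cpu_id` to `c` also makes the parameter less self-describing; keeping `cpu_id` would have been the smaller and clearer diff.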
--- /dev/null
+From ebc0c74e76cec9c4dd860eb0ca1c0b39dc63c482 Mon Sep 17 00:00:00 2001
+From: Anton Kolesov <Anton.Kolesov@synopsys.com>
+Date: Thu, 25 Sep 2014 13:23:24 +0400
+Subject: ARC: Update order of registers in KGDB to match GDB 7.5
+
+From: Anton Kolesov <Anton.Kolesov@synopsys.com>
+
+commit ebc0c74e76cec9c4dd860eb0ca1c0b39dc63c482 upstream.
+
+Order of registers has changed in GDB moving from 6.8 to 7.5. This patch
+updates KGDB to work properly with GDB 7.5, though makes it incompatible
+with 6.8.
+
+Signed-off-by: Anton Kolesov <Anton.Kolesov@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/kgdb.h | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+--- a/arch/arc/include/asm/kgdb.h
++++ b/arch/arc/include/asm/kgdb.h
+@@ -19,7 +19,7 @@
+ * register API yet */
+ #undef DBG_MAX_REG_NUM
+
+-#define GDB_MAX_REGS 39
++#define GDB_MAX_REGS 87
+
+ #define BREAK_INSTR_SIZE 2
+ #define CACHE_FLUSH_IS_SAFE 1
+@@ -33,23 +33,27 @@ static inline void arch_kgdb_breakpoint(
+
+ extern void kgdb_trap(struct pt_regs *regs);
+
+-enum arc700_linux_regnums {
++/* This is the numbering of registers according to the GDB. See GDB's
++ * arc-tdep.h for details.
++ *
++ * Registers are ordered for GDB 7.5. It is incompatible with GDB 6.8. */
++enum arc_linux_regnums {
+ _R0 = 0,
+ _R1, _R2, _R3, _R4, _R5, _R6, _R7, _R8, _R9, _R10, _R11, _R12, _R13,
+ _R14, _R15, _R16, _R17, _R18, _R19, _R20, _R21, _R22, _R23, _R24,
+ _R25, _R26,
+- _BTA = 27,
+- _LP_START = 28,
+- _LP_END = 29,
+- _LP_COUNT = 30,
+- _STATUS32 = 31,
+- _BLINK = 32,
+- _FP = 33,
+- __SP = 34,
+- _EFA = 35,
+- _RET = 36,
+- _ORIG_R8 = 37,
+- _STOP_PC = 38
++ _FP = 27,
++ __SP = 28,
++ _R30 = 30,
++ _BLINK = 31,
++ _LP_COUNT = 60,
++ _STOP_PC = 64,
++ _RET = 64,
++ _LP_START = 65,
++ _LP_END = 66,
++ _STATUS32 = 67,
++ _ECR = 76,
++ _BTA = 82,
+ };
+
+ #else
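Review bot: `_STOP_PC = 64` and `_RET = 64` now share a register number, whereas the old table had them distinct (38 and 36); if the consumer in kgdb.c writes both into the GDB register array, the later write silently wins, so the aliasing should be either deliberate and commented, `/* GDB exposes a single pc; STOP_PC and RET both map to it */`, or one of the two dropped. The enum also leaves large gaps (29, 32-59, 61-63, 68-75, 77-81, 83-86) inside an 87-entry array, so whoever fills it must zero the untouched slots; that is worth a sentence in the header comment since the consumer is not in this diff.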
--- /dev/null
+From 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f Mon Sep 17 00:00:00 2001
+From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Date: Fri, 17 Oct 2014 22:55:59 +0200
+Subject: kvm: fix excessive pages un-pinning in kvm_iommu_map error path.
+
+From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+
+commit 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f upstream.
+
+The third parameter of kvm_unpin_pages() when called from
+kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin
+and not the page size.
+
+This error was facilitated with an inconsistent API: kvm_pin_pages() takes
+a size, but kvm_unpin_pages() takes a number of pages, so fix the problem
+by matching the two.
+
+This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter
+of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of
+un-pinning for pages intended to be un-pinned (i.e. memory leak) but
+unfortunately potentially aggravated the number of pages we un-pin that
+should have stayed pinned. As far as I understand though, the same
+practical mitigations apply.
+
+This issue was found during review of Red Hat 6.6 patches to prepare
+Ksplice rebootless updates.
+
+Thanks to Vegard for his time on a late Friday evening to help me in
+understanding this code.
+
+Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
+Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
+Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/iommu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/virt/kvm/iommu.c
++++ b/virt/kvm/iommu.c
+@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct k
+ gfn_t base_gfn, unsigned long npages);
+
+ static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn,
+- unsigned long size)
++ unsigned long npages)
+ {
+ gfn_t end_gfn;
+ pfn_t pfn;
+
+ pfn = gfn_to_pfn_memslot(slot, gfn);
+- end_gfn = gfn + (size >> PAGE_SHIFT);
++ end_gfn = gfn + npages;
+ gfn += 1;
+
+ if (is_error_noslot_pfn(pfn))
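Review bot: `kvm_pin_pages` now takes `npages`, but nothing documents that a value of 0 would still pin one page (the first `gfn_to_pfn_memslot` call happens before `end_gfn` is consulted), which the matching `kvm_unpin_pages(..., 0)` would never release; both callers derive it from `page_size >> PAGE_SHIFT`, so today it is at least 1, but a comment `/* @npages: number of PAGE_SIZE pages to pin, must be >= 1 */` pins that assumption down. The loop that pins the remaining pages starts below the hunk, so I cannot confirm how it treats `end_gfn == gfn`.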
+@@ -119,7 +119,7 @@ int kvm_iommu_map_pages(struct kvm *kvm,
+ * Pin all pages we are about to map in memory. This is
+ * important because we unmap and unpin in 4kb steps later.
+ */
+- pfn = kvm_pin_pages(slot, gfn, page_size);
++ pfn = kvm_pin_pages(slot, gfn, page_size >> PAGE_SHIFT);
+ if (is_error_noslot_pfn(pfn)) {
+ gfn += 1;
+ continue;
+@@ -131,7 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm,
+ if (r) {
+ printk(KERN_ERR "kvm_iommu_map_address:"
+ "iommu failed to map pfn=%llx\n", pfn);
+- kvm_unpin_pages(kvm, pfn, page_size);
++ kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT);
+ goto unmap_pages;
+ }
+
--- /dev/null
+From a642fc305053cc1c6e47e4f4df327895747ab485 Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Tue, 23 Sep 2014 20:22:30 +0200
+Subject: kvm: vmx: handle invvpid vm exit gracefully
+
+From: Petr Matousek <pmatouse@redhat.com>
+
+commit a642fc305053cc1c6e47e4f4df327895747ab485 upstream.
+
+On systems with invvpid instruction support (corresponding bit in
+IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invvpid
+causes vm exit, which is currently not handled and results in
+propagation of unknown exit to userspace.
+
+Fix this by installing an invvpid vm exit handler.
+
+This is CVE-2014-3646.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/uapi/asm/vmx.h | 2 ++
+ arch/x86/kvm/vmx.c | 9 ++++++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/uapi/asm/vmx.h
++++ b/arch/x86/include/uapi/asm/vmx.h
+@@ -67,6 +67,7 @@
+ #define EXIT_REASON_EPT_MISCONFIG 49
+ #define EXIT_REASON_INVEPT 50
+ #define EXIT_REASON_PREEMPTION_TIMER 52
++#define EXIT_REASON_INVVPID 53
+ #define EXIT_REASON_WBINVD 54
+ #define EXIT_REASON_XSETBV 55
+ #define EXIT_REASON_APIC_WRITE 56
+@@ -114,6 +115,7 @@
+ { EXIT_REASON_EOI_INDUCED, "EOI_INDUCED" }, \
+ { EXIT_REASON_INVALID_STATE, "INVALID_STATE" }, \
+ { EXIT_REASON_INVD, "INVD" }, \
++ { EXIT_REASON_INVVPID, "INVVPID" }, \
+ { EXIT_REASON_INVPCID, "INVPCID" }
+
+ #endif /* _UAPIVMX_H */
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6444,6 +6444,12 @@ static int handle_invept(struct kvm_vcpu
+ return 1;
+ }
+
++static int handle_invvpid(struct kvm_vcpu *vcpu)
++{
++ kvm_queue_exception(vcpu, UD_VECTOR);
++ return 1;
++}
++
+ /*
+ * The exit handlers return 1 if the exit was handled fully and guest execution
+ * may resume. Otherwise they set the kvm_run parameter to indicate what needs
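Review bot: `handle_invvpid` unconditionally injects #UD, which is correct only as long as KVM never advertises VPID to L1 in the nested VMX capability MSRs; a comment stating that dependency would keep the two in step when nested VPID is eventually added, e.g. `/* VPID is not exposed to nested guests, so INVVPID is #UD rather than a VM-instruction error */`. Unlike `handle_invept` just above (body outside the hunk, so I am inferring its shape), this handler presumably does not go through the nested permission check; that is fine for a pure #UD but is the first thing a later implementer will need.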
+@@ -6489,6 +6495,7 @@ static int (*const kvm_vmx_exit_handlers
+ [EXIT_REASON_MWAIT_INSTRUCTION] = handle_invalid_op,
+ [EXIT_REASON_MONITOR_INSTRUCTION] = handle_invalid_op,
+ [EXIT_REASON_INVEPT] = handle_invept,
++ [EXIT_REASON_INVVPID] = handle_invvpid,
+ };
+
+ static const int kvm_vmx_max_exit_handlers =
+@@ -6722,7 +6729,7 @@ static bool nested_vmx_exit_handled(stru
+ case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD:
+ case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE:
+ case EXIT_REASON_VMOFF: case EXIT_REASON_VMON:
+- case EXIT_REASON_INVEPT:
++ case EXIT_REASON_INVEPT: case EXIT_REASON_INVVPID:
+ /*
+ * VMX instructions trap unconditionally. This allows L1 to
+ * emulate them for its L2 guest, i.e., allows 3-level nesting!
--- /dev/null
+From 854e8bb1aa06c578c2c9145fa6bfe3680ef63b23 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Tue, 16 Sep 2014 03:24:05 +0300
+Subject: KVM: x86: Check non-canonical addresses upon WRMSR
+
+From: Nadav Amit <namit@cs.technion.ac.il>
+
+commit 854e8bb1aa06c578c2c9145fa6bfe3680ef63b23 upstream.
+
+Upon WRMSR, the CPU should inject #GP if a non-canonical value (address) is
+written to certain MSRs. The behavior is "almost" identical for AMD and Intel
+(ignoring MSRs that are not implemented in either architecture since they would
+anyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
+non-canonical address is written on Intel but not on AMD (which ignores the top
+32-bits).
+
+Accordingly, this patch injects a #GP on the MSRs which behave identically on
+Intel and AMD. To eliminate the differences between the architectures, the
+value which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to
+canonical value before writing instead of injecting a #GP.
+
+Some references from Intel and AMD manuals:
+
+According to Intel SDM description of WRMSR instruction #GP is expected on
+WRMSR "If the source register contains a non-canonical address and ECX
+specifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,
+IA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP."
+
+According to AMD manual instruction manual:
+LSTAR/CSTAR (SYSCALL): "The WRMSR instruction loads the target RIP into the
+LSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical
+form, a general-protection exception (#GP) occurs."
+IA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): "The address written to the
+base field must be in canonical form or a #GP fault will occur."
+IA32_KERNEL_GS_BASE (SWAPGS): "The address stored in the KernelGSbase MSR must
+be in canonical form."
+
+This patch fixes CVE-2014-3610.
+
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_host.h | 14 ++++++++++++++
+ arch/x86/kvm/svm.c | 2 +-
+ arch/x86/kvm/vmx.c | 2 +-
+ arch/x86/kvm/x86.c | 27 ++++++++++++++++++++++++++-
+ 4 files changed, 42 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -984,6 +984,20 @@ static inline void kvm_inject_gp(struct
+ kvm_queue_exception_e(vcpu, GP_VECTOR, error_code);
+ }
+
++static inline u64 get_canonical(u64 la)
++{
++ return ((int64_t)la << 16) >> 16;
++}
++
++static inline bool is_noncanonical_address(u64 la)
++{
++#ifdef CONFIG_X86_64
++ return get_canonical(la) != la;
++#else
++ return false;
++#endif
++}
++
+ #define TSS_IOPB_BASE_OFFSET 0x66
+ #define TSS_BASE_SIZE 0x68
+ #define TSS_IOPB_SIZE (65536 / 8)
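Review bot: `((int64_t)la << 16) >> 16` left-shifts a signed value whose top bit may be set, which is undefined behaviour in C11; the kernel builds with GCC semantics where it is well-defined, but the UB-free spelling is just as short: `return ((int64_t)(la << 16)) >> 16;` (shift the unsigned value, then rely on the arithmetic right shift). The helper also hard-codes a 48-bit linear address (16 bits of sign extension) without saying so; a comment `/* assumes 4-level paging: 48-bit linear addresses, sign-extended from bit 47 */` records the assumption for whoever adds a wider address width later.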
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3213,7 +3213,7 @@ static int wrmsr_interception(struct vcp
+ msr.host_initiated = false;
+
+ svm->next_rip = kvm_rip_read(&svm->vcpu) + 2;
+- if (svm_set_msr(&svm->vcpu, &msr)) {
++ if (kvm_set_msr(&svm->vcpu, &msr)) {
+ trace_kvm_msr_write_ex(ecx, data);
+ kvm_inject_gp(&svm->vcpu, 0);
+ } else {
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -5172,7 +5172,7 @@ static int handle_wrmsr(struct kvm_vcpu
+ msr.data = data;
+ msr.index = ecx;
+ msr.host_initiated = false;
+- if (vmx_set_msr(vcpu, &msr) != 0) {
++ if (kvm_set_msr(vcpu, &msr) != 0) {
+ trace_kvm_msr_write_ex(ecx, data);
+ kvm_inject_gp(vcpu, 0);
+ return 1;
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -951,7 +951,6 @@ void kvm_enable_efer_bits(u64 mask)
+ }
+ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits);
+
+-
+ /*
+ * Writes msr value into into the appropriate "register".
+ * Returns 0 on success, non-0 otherwise.
+@@ -959,8 +958,34 @@ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits);
+ */
+ int kvm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
+ {
++ switch (msr->index) {
++ case MSR_FS_BASE:
++ case MSR_GS_BASE:
++ case MSR_KERNEL_GS_BASE:
++ case MSR_CSTAR:
++ case MSR_LSTAR:
++ if (is_noncanonical_address(msr->data))
++ return 1;
++ break;
++ case MSR_IA32_SYSENTER_EIP:
++ case MSR_IA32_SYSENTER_ESP:
++ /*
++ * IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
++ * non-canonical address is written on Intel but not on
++ * AMD (which ignores the top 32-bits, because it does
++ * not implement 64-bit SYSENTER).
++ *
++ * 64-bit code should hence be able to write a non-canonical
++ * value on AMD. Making the address canonical ensures that
++ * vmentry does not fail on Intel after writing a non-canonical
++ * value, and that something deterministic happens if the guest
++ * invokes 64-bit SYSENTER.
++ */
++ msr->data = get_canonical(msr->data);
++ }
+ return kvm_x86_ops->set_msr(vcpu, msr);
+ }
++EXPORT_SYMBOL_GPL(kvm_set_msr);
+
+ /*
+ * Adapt set_msr() to msr_io()'s calling convention
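Review bot: The new canonical check is applied regardless of `msr->host_initiated`, so a `KVM_SET_MSRS` restore of a saved non-canonical value (which presumably reaches `kvm_set_msr` through the same path) now fails as well; that is probably desirable, but it deserves a sentence since it surfaces as a migration-time error rather than a guest #GP. Style-wise the `switch` has no `default:` and its second arm ends without `break;`; adding `default: break;` makes the intentional fall-out explicit and keeps `-Wswitch`-style reviews quiet.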
--- /dev/null
+From 2bc19dc3754fc066c43799659f0d848631c44cfe Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Thu, 18 Sep 2014 16:21:16 +0300
+Subject: kvm: x86: don't kill guest on unknown exit reason
+
+From: "Michael S. Tsirkin" <mst@redhat.com>
+
+commit 2bc19dc3754fc066c43799659f0d848631c44cfe upstream.
+
+KVM_EXIT_UNKNOWN is a kvm bug, we don't really know whether it was
+triggered by a privileged application. Let's not kill the guest: WARN
+and inject #UD instead.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/svm.c | 6 +++---
+ arch/x86/kvm/vmx.c | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3495,9 +3495,9 @@ static int handle_exit(struct kvm_vcpu *
+
+ if (exit_code >= ARRAY_SIZE(svm_exit_handlers)
+ || !svm_exit_handlers[exit_code]) {
+- kvm_run->exit_reason = KVM_EXIT_UNKNOWN;
+- kvm_run->hw.hardware_exit_reason = exit_code;
+- return 0;
++ WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_code);
++ kvm_queue_exception(vcpu, UD_VECTOR);
++ return 1;
+ }
+
+ return svm_exit_handlers[exit_code](svm);
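Review bot: The `WARN_ONCE` text in svm.c says `vmx: unexpected exit reason`, a copy-paste from the VMX handler; it should read `WARN_ONCE(1, "svm: unexpected exit reason 0x%x\n", exit_code);` so the log points at the right backend. Since a guest can drive this path, `WARN_ONCE` rather than `WARN` is the right choice to keep it from flooding the log; a comment noting that it is guest-triggerable would prevent a future "upgrade" to `WARN`.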
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6887,10 +6887,10 @@ static int vmx_handle_exit(struct kvm_vc
+ && kvm_vmx_exit_handlers[exit_reason])
+ return kvm_vmx_exit_handlers[exit_reason](vcpu);
+ else {
+- vcpu->run->exit_reason = KVM_EXIT_UNKNOWN;
+- vcpu->run->hw.hardware_exit_reason = exit_reason;
++ WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_reason);
++ kvm_queue_exception(vcpu, UD_VECTOR);
++ return 1;
+ }
+- return 0;
+ }
+
+ static void update_cr8_intercept(struct kvm_vcpu *vcpu, int tpr, int irr)
--- /dev/null
+From 234f3ce485d54017f15cf5e0699cff4100121601 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Thu, 18 Sep 2014 22:39:38 +0300
+Subject: KVM: x86: Emulator fixes for eip canonical checks on near branches
+
+From: Nadav Amit <namit@cs.technion.ac.il>
+
+commit 234f3ce485d54017f15cf5e0699cff4100121601 upstream.
+
+Before changing rip (during jmp, call, ret, etc.) the target should be asserted
+to be canonical one, as real CPUs do. During sysret, both target rsp and rip
+should be canonical. If any of these values is noncanonical, a #GP exception
+should occur. The exception to this rule are syscall and sysenter instructions
+in which the assigned rip is checked during the assignment to the relevant
+MSRs.
+
+This patch fixes the emulator to behave as real CPUs do for near branches.
+Far branches are handled by the next patch.
+
+This fixes CVE-2014-3647.
+
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 78 +++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 54 insertions(+), 24 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -571,7 +571,8 @@ static int emulate_nm(struct x86_emulate
+ return emulate_exception(ctxt, NM_VECTOR, 0, false);
+ }
+
+-static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
++static inline int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
++ int cs_l)
+ {
+ switch (ctxt->op_bytes) {
+ case 2:
+@@ -581,16 +582,25 @@ static inline void assign_eip_near(struc
+ ctxt->_eip = (u32)dst;
+ break;
+ case 8:
++ if ((cs_l && is_noncanonical_address(dst)) ||
++ (!cs_l && (dst & ~(u32)-1)))
++ return emulate_gp(ctxt, 0);
+ ctxt->_eip = dst;
+ break;
+ default:
+ WARN(1, "unsupported eip assignment size\n");
+ }
++ return X86EMUL_CONTINUE;
++}
++
++static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
++{
++ return assign_eip_far(ctxt, dst, ctxt->mode == X86EMUL_MODE_PROT64);
+ }
+
+-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
++static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
+ {
+- assign_eip_near(ctxt, ctxt->_eip + rel);
++ return assign_eip_near(ctxt, ctxt->_eip + rel);
+ }
+
+ static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
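Review bot: `assign_eip_far`, `assign_eip_near` and `jmp_rel` now return an error that callers must propagate, and the rest of this patch exists because several callers used to ignore the result; marking the three `__must_check` (`static inline int __must_check jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)`) lets the compiler catch any remaining or future caller that drops the #GP. The `default:` branch still falls through to `return X86EMUL_CONTINUE` after the `WARN`, leaving `_eip` unassigned; that is pre-existing, but returning `X86EMUL_UNHANDLEABLE` there would be the safer failure.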
+@@ -1975,13 +1985,15 @@ static int em_grp45(struct x86_emulate_c
+ case 2: /* call near abs */ {
+ long int old_eip;
+ old_eip = ctxt->_eip;
+- ctxt->_eip = ctxt->src.val;
++ rc = assign_eip_near(ctxt, ctxt->src.val);
++ if (rc != X86EMUL_CONTINUE)
++ break;
+ ctxt->src.val = old_eip;
+ rc = em_push(ctxt);
+ break;
+ }
+ case 4: /* jmp abs */
+- ctxt->_eip = ctxt->src.val;
++ rc = assign_eip_near(ctxt, ctxt->src.val);
+ break;
+ case 5: /* jmp far */
+ rc = em_jmp_far(ctxt);
+@@ -2013,10 +2025,14 @@ static int em_cmpxchg8b(struct x86_emula
+
+ static int em_ret(struct x86_emulate_ctxt *ctxt)
+ {
+- ctxt->dst.type = OP_REG;
+- ctxt->dst.addr.reg = &ctxt->_eip;
+- ctxt->dst.bytes = ctxt->op_bytes;
+- return em_pop(ctxt);
++ int rc;
++ unsigned long eip;
++
++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
++ if (rc != X86EMUL_CONTINUE)
++ return rc;
++
++ return assign_eip_near(ctxt, eip);
+ }
+
+ static int em_ret_far(struct x86_emulate_ctxt *ctxt)
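Review bot: In `em_ret`, `emulate_pop` advances RSP before `assign_eip_near` can raise #GP, so a near RET to a non-canonical address leaves the guest with RSP already incremented, whereas the hardware fault is reported with the pre-instruction state. I'd undo the pop on failure, e.g. `if (rc != X86EMUL_CONTINUE) rsp_increment(ctxt, -ctxt->op_bytes);` before returning, and the same applies to `em_ret_near_imm` further down. I am inferring `emulate_pop`'s RSP side effect from its use elsewhere in this file; the helper itself is not in the diff.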
+@@ -2294,7 +2310,7 @@ static int em_sysexit(struct x86_emulate
+ {
+ const struct x86_emulate_ops *ops = ctxt->ops;
+ struct desc_struct cs, ss;
+- u64 msr_data;
++ u64 msr_data, rcx, rdx;
+ int usermode;
+ u16 cs_sel = 0, ss_sel = 0;
+
+@@ -2310,6 +2326,9 @@ static int em_sysexit(struct x86_emulate
+ else
+ usermode = X86EMUL_MODE_PROT32;
+
++ rcx = reg_read(ctxt, VCPU_REGS_RCX);
++ rdx = reg_read(ctxt, VCPU_REGS_RDX);
++
+ cs.dpl = 3;
+ ss.dpl = 3;
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
+@@ -2327,6 +2346,9 @@ static int em_sysexit(struct x86_emulate
+ ss_sel = cs_sel + 8;
+ cs.d = 0;
+ cs.l = 1;
++ if (is_noncanonical_address(rcx) ||
++ is_noncanonical_address(rdx))
++ return emulate_gp(ctxt, 0);
+ break;
+ }
+ cs_sel |= SELECTOR_RPL_MASK;
+@@ -2335,8 +2357,8 @@ static int em_sysexit(struct x86_emulate
+ ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
+ ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
+
+- ctxt->_eip = reg_read(ctxt, VCPU_REGS_RDX);
+- *reg_write(ctxt, VCPU_REGS_RSP) = reg_read(ctxt, VCPU_REGS_RCX);
++ ctxt->_eip = rdx;
++ *reg_write(ctxt, VCPU_REGS_RSP) = rcx;
+
+ return X86EMUL_CONTINUE;
+ }
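Review bot: The canonical check for `rcx`/`rdx` is rightly limited to the `X86EMUL_MODE_PROT64` arm, but `ctxt->_eip = rdx;` and `*reg_write(ctxt, VCPU_REGS_RSP) = rcx;` then use the full 64-bit values in the 32-bit usermode case too; a non-REX.W SYSEXIT loads EIP from EDX and ESP from ECX, so the upper halves should be dropped, e.g. `ctxt->_eip = usermode == X86EMUL_MODE_PROT64 ? rdx : (u32)rdx;` and likewise for RSP. This is pre-existing rather than introduced here, and whether stray upper bits in `_eip` matter afterwards depends on how the caller masks it, which is outside the hunk.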
+@@ -2875,10 +2897,13 @@ static int em_aad(struct x86_emulate_ctx
+
+ static int em_call(struct x86_emulate_ctxt *ctxt)
+ {
++ int rc;
+ long rel = ctxt->src.val;
+
+ ctxt->src.val = (unsigned long)ctxt->_eip;
+- jmp_rel(ctxt, rel);
++ rc = jmp_rel(ctxt, rel);
++ if (rc != X86EMUL_CONTINUE)
++ return rc;
+ return em_push(ctxt);
+ }
+
+@@ -2910,11 +2935,12 @@ static int em_call_far(struct x86_emulat
+ static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
+ {
+ int rc;
++ unsigned long eip;
+
+- ctxt->dst.type = OP_REG;
+- ctxt->dst.addr.reg = &ctxt->_eip;
+- ctxt->dst.bytes = ctxt->op_bytes;
+- rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
++ if (rc != X86EMUL_CONTINUE)
++ return rc;
++ rc = assign_eip_near(ctxt, eip);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+ rsp_increment(ctxt, ctxt->src.val);
+@@ -3244,20 +3270,24 @@ static int em_lmsw(struct x86_emulate_ct
+
+ static int em_loop(struct x86_emulate_ctxt *ctxt)
+ {
++ int rc = X86EMUL_CONTINUE;
++
+ register_address_increment(ctxt, reg_rmw(ctxt, VCPU_REGS_RCX), -1);
+ if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
+ (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+
+- return X86EMUL_CONTINUE;
++ return rc;
+ }
+
+ static int em_jcxz(struct x86_emulate_ctxt *ctxt)
+ {
++ int rc = X86EMUL_CONTINUE;
++
+ if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+
+- return X86EMUL_CONTINUE;
++ return rc;
+ }
+
+ static int em_in(struct x86_emulate_ctxt *ctxt)
+@@ -4654,7 +4684,7 @@ special_insn:
+ break;
+ case 0x70 ... 0x7f: /* jcc (short) */
+ if (test_cc(ctxt->b, ctxt->eflags))
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+ break;
+ case 0x8d: /* lea r16/r32, m */
+ ctxt->dst.val = ctxt->src.addr.mem.ea;
+@@ -4683,7 +4713,7 @@ special_insn:
+ break;
+ case 0xe9: /* jmp rel */
+ case 0xeb: /* jmp rel short */
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+ ctxt->dst.type = OP_NONE; /* Disable writeback. */
+ break;
+ case 0xf4: /* hlt */
+@@ -4803,7 +4833,7 @@ twobyte_insn:
+ break;
+ case 0x80 ... 0x8f: /* jnz rel, etc*/
+ if (test_cc(ctxt->b, ctxt->eflags))
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+ break;
+ case 0x90 ... 0x9f: /* setcc r/m8 */
+ ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
--- /dev/null
+From 05c83ec9b73c8124555b706f6af777b10adf0862 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Thu, 18 Sep 2014 22:39:37 +0300
+Subject: KVM: x86: Fix wrong masking on relative jump/call
+
+From: Nadav Amit <namit@cs.technion.ac.il>
+
+commit 05c83ec9b73c8124555b706f6af777b10adf0862 upstream.
+
+Relative jumps and calls mask the target according to the operand size, not
+according to the address size as the KVM emulator does today.
+
+This patch fixes KVM behavior.
+
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -498,11 +498,6 @@ static void rsp_increment(struct x86_emu
+ masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
+ }
+
+-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
+-{
+- register_address_increment(ctxt, &ctxt->_eip, rel);
+-}
+-
+ static u32 desc_limit_scaled(struct desc_struct *desc)
+ {
+ u32 limit = get_desc_limit(desc);
+@@ -576,6 +571,28 @@ static int emulate_nm(struct x86_emulate
+ return emulate_exception(ctxt, NM_VECTOR, 0, false);
+ }
+
++static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
++{
++ switch (ctxt->op_bytes) {
++ case 2:
++ ctxt->_eip = (u16)dst;
++ break;
++ case 4:
++ ctxt->_eip = (u32)dst;
++ break;
++ case 8:
++ ctxt->_eip = dst;
++ break;
++ default:
++ WARN(1, "unsupported eip assignment size\n");
++ }
++}
++
++static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
++{
++ assign_eip_near(ctxt, ctxt->_eip + rel);
++}
++
+ static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
+ {
+ u16 selector;
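Review bot: The `case 8:` branch of assign_eip_near stores `dst` into `ctxt->_eip` with no canonical-address check, so in 64-bit mode a relative branch that lands in the non-canonical hole is accepted by the emulator instead of raising #GP, and the bad RIP is presumably only caught later at VM entry. Making the helper return `int` and having `jmp_rel` propagate the error is the natural fix; the separate eip-canonical-checks patch in this series does exactly that, so the two should be applied together. The `default:` branch also silently leaves `_eip` unchanged after the WARN; since it can only fire on an emulator bug, a comment such as `/* op_bytes is always 2, 4 or 8 here; anything else is a decoder bug */` would document that.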
--- /dev/null
+From 2febc839133280d5a5e8e1179c94ea674489dae2 Mon Sep 17 00:00:00 2001
+From: Andy Honig <ahonig@google.com>
+Date: Wed, 27 Aug 2014 14:42:54 -0700
+Subject: KVM: x86: Improve thread safety in pit
+
+From: Andy Honig <ahonig@google.com>
+
+commit 2febc839133280d5a5e8e1179c94ea674489dae2 upstream.
+
+There's a race condition in the PIT emulation code in KVM. In
+__kvm_migrate_pit_timer the pit_timer object is accessed without
+synchronization. If the race condition occurs at the wrong time this
+can crash the host kernel.
+
+This fixes CVE-2014-3611.
+
+Signed-off-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/i8254.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/i8254.c
++++ b/arch/x86/kvm/i8254.c
+@@ -262,8 +262,10 @@ void __kvm_migrate_pit_timer(struct kvm_
+ return;
+
+ timer = &pit->pit_state.timer;
++ mutex_lock(&pit->pit_state.lock);
+ if (hrtimer_cancel(timer))
+ hrtimer_start_expires(timer, HRTIMER_MODE_ABS);
++ mutex_unlock(&pit->pit_state.lock);
+ }
+
+ static void destroy_pit_timer(struct kvm_pit *pit)
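Review bot: The hunk takes `pit_state.lock` around the cancel/restart without saying what it serializes against, and nothing at the `mutex_lock` explains why a plain hrtimer_cancel/start pair is unsafe here; add a comment such as `/* Serialize against PIT reprogramming and teardown, which cancel and re-arm this hrtimer (CVE-2014-3611). */` above the lock. The early-`return` guard at the top of __kvm_migrate_pit_timer is outside the hunk, so whether `pit` is already known to be non-NULL when the lock is reached cannot be confirmed from here; presumably that guard covers it.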
--- /dev/null
+From 8b3c3104c3f4f706e99365c3e0d2aa61b95f969f Mon Sep 17 00:00:00 2001
+From: Andy Honig <ahonig@google.com>
+Date: Wed, 27 Aug 2014 11:16:44 -0700
+Subject: KVM: x86: Prevent host from panicking on shared MSR writes.
+
+From: Andy Honig <ahonig@google.com>
+
+commit 8b3c3104c3f4f706e99365c3e0d2aa61b95f969f upstream.
+
+The previous patch blocked invalid writes directly when the MSR
+is written. As a precaution, prevent future similar mistakes by
+gracefully handling GPs caused by writes to shared MSRs.
+
+Signed-off-by: Andrew Honig <ahonig@google.com>
+[Remove parts obsoleted by Nadav's patch. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_host.h | 2 +-
+ arch/x86/kvm/vmx.c | 7 +++++--
+ arch/x86/kvm/x86.c | 11 ++++++++---
+ 3 files changed, 14 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1042,7 +1042,7 @@ int kvm_cpu_get_interrupt(struct kvm_vcp
+ void kvm_vcpu_reset(struct kvm_vcpu *vcpu);
+
+ void kvm_define_shared_msr(unsigned index, u32 msr);
+-void kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
++int kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
+
+ bool kvm_is_linear_rip(struct kvm_vcpu *vcpu, unsigned long linear_rip);
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2582,12 +2582,15 @@ static int vmx_set_msr(struct kvm_vcpu *
+ default:
+ msr = find_msr_entry(vmx, msr_index);
+ if (msr) {
++ u64 old_msr_data = msr->data;
+ msr->data = data;
+ if (msr - vmx->guest_msrs < vmx->save_nmsrs) {
+ preempt_disable();
+- kvm_set_shared_msr(msr->index, msr->data,
+- msr->mask);
++ ret = kvm_set_shared_msr(msr->index, msr->data,
++ msr->mask);
+ preempt_enable();
++ if (ret)
++ msr->data = old_msr_data;
+ }
+ break;
+ }
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -225,20 +225,25 @@ static void kvm_shared_msr_cpu_online(vo
+ shared_msr_update(i, shared_msrs_global.msrs[i]);
+ }
+
+-void kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
++int kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
+ {
+ unsigned int cpu = smp_processor_id();
+ struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu);
++ int err;
+
+ if (((value ^ smsr->values[slot].curr) & mask) == 0)
+- return;
++ return 0;
+ smsr->values[slot].curr = value;
+- wrmsrl(shared_msrs_global.msrs[slot], value);
++ err = wrmsrl_safe(shared_msrs_global.msrs[slot], value);
++ if (err)
++ return 1;
++
+ if (!smsr->registered) {
+ smsr->urn.on_user_return = kvm_on_user_return;
+ user_return_notifier_register(&smsr->urn);
+ smsr->registered = true;
+ }
++ return 0;
+ }
+ EXPORT_SYMBOL_GPL(kvm_set_shared_msr);
+
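Review bot: `smsr->values[slot].curr = value;` is still written before `wrmsrl_safe()` and is not rolled back when the write faults, so the cached value now disagrees with the hardware MSR; the next guest write of the same rejected value short-circuits at `((value ^ smsr->values[slot].curr) & mask) == 0` and returns 0, so it is accepted without the #GP this patch is meant to deliver, and vmx_set_msr keeps the invalid `msr->data` that the first attempt rolled back. Move the cache update after the error check: `err = wrmsrl_safe(shared_msrs_global.msrs[slot], value); if (err) return 1; smsr->values[slot].curr = value;`. The user-return-notifier registration below it stays as is.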
--- /dev/null
+From 8c5bcded11cb607b1bb5920de3b9c882136d27db Mon Sep 17 00:00:00 2001
+From: Ulrich Eckhardt <uli-lirc@uli-eckhardt.de>
+Date: Fri, 10 Oct 2014 14:19:12 -0300
+Subject: media: ds3000: fix LNB supply voltage on Tevii S480 on initialization
+
+From: Ulrich Eckhardt <uli-lirc@uli-eckhardt.de>
+
+commit 8c5bcded11cb607b1bb5920de3b9c882136d27db upstream.
+
+The Tevii S480 outputs 18V on startup for the LNB supply voltage and does not
+automatically power down. This blocks other receivers connected
+to a satellite channel router (EN50494), since the receivers can not send the
+required DiSEqC sequences when the Tevii card is connected to the same SCR.
+
+This patch switches off the LNB supply voltage on initialization of the frontend.
+
+[mchehab@osg.samsung.com: add a comment about why we're explicitly
+ turning off voltage at device init]
+Signed-off-by: Ulrich Eckhardt <uli@uli-eckhardt.de>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/dvb-frontends/ds3000.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/media/dvb-frontends/ds3000.c
++++ b/drivers/media/dvb-frontends/ds3000.c
+@@ -864,6 +864,13 @@ struct dvb_frontend *ds3000_attach(const
+ memcpy(&state->frontend.ops, &ds3000_ops,
+ sizeof(struct dvb_frontend_ops));
+ state->frontend.demodulator_priv = state;
++
++ /*
++ * Some devices like T480 starts with voltage on. Be sure
++ * to turn voltage off during init, as this can otherwise
++ * interfere with Unicable SCR systems.
++ */
++ ds3000_set_voltage(&state->frontend, SEC_VOLTAGE_OFF);
+ return &state->frontend;
+
+ error3:
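Review bot: The new comment names the device `T480` while the subject and description say Tevii S480; `/* Some devices like the Tevii S480 start with the LNB voltage on. ... */` would avoid sending readers after the wrong model. The return value of `ds3000_set_voltage()` is also discarded, so a failing I2C write at attach time leaves the 18V supply on with no trace in the log; if the helper returns an error code, log it with the driver's existing logging macro rather than ignoring it. Aborting attach is probably not warranted for a best-effort power-down, so a warning is enough.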
--- /dev/null
+From fb91bde9d3664dd879655f3a1013c0b5728e7a09 Mon Sep 17 00:00:00 2001
+From: Frank Schaefer <fschaefer.oss@googlemail.com>
+Date: Fri, 27 Dec 2013 00:16:13 -0300
+Subject: media: em28xx: check if a device has audio earlier"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frank Schaefer <fschaefer.oss@googlemail.com>
+
+commit fb91bde9d3664dd879655f3a1013c0b5728e7a09 upstream.
+
+GIT_AUTHOR_DATE=1409603039
+This reverts
+
+commit b99f0aadd33fad269c8e62b5bec8b5c012a44a56
+Author: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+ [media] em28xx: check if a device has audio earlier
+
+ Better to split chipset detection from the audio setup. So, move the
+ detection code to em28xx_init_dev().
+
+It broke analog audio of the Hauppauge winTV HVR 900 and very likely many other
+em28xx devices.
+
+Background:
+The local variable has_audio in em28xx_usb_probe() describes if the currently
+probed _usb_interface_ has an audio endpoint, while dev->audio_mode.has_audio
+means that the _device_ as a whole provides analog audio.
+Hence it is wrong to set dev->audio_mode.has_audio = has_audio in em28xx_usb_probe().
+As result, audio support is no longer detected and configured on devices which
+have the audio endpoint on a separate interface, because em28xx_audio_setup()
+bails out immediately at the beginning.
+
+Revert the faulty commit to restore the old audio detection procedure, which checks
+the chip configuration register to determine if the device has analog audio.
+
+Cc: <stable@vger.kernel.org> # 3.14 to 3.16
+Reported-by: Oravecz Csaba <oravecz@nytud.mta.hu>
+Tested-by: Oravecz Csaba <oravecz@nytud.mta.hu>
+Signed-off-by: Frank Schäfer <fschaefer.oss@googlemail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/em28xx/em28xx-cards.c | 11 -----------
+ drivers/media/usb/em28xx/em28xx-core.c | 12 +++++++++++-
+ 2 files changed, 11 insertions(+), 12 deletions(-)
+
+--- a/drivers/media/usb/em28xx/em28xx-cards.c
++++ b/drivers/media/usb/em28xx/em28xx-cards.c
+@@ -2993,16 +2993,6 @@ static int em28xx_init_dev(struct em28xx
+ }
+ }
+
+- if (dev->chip_id == CHIP_ID_EM2870 ||
+- dev->chip_id == CHIP_ID_EM2874 ||
+- dev->chip_id == CHIP_ID_EM28174 ||
+- dev->chip_id == CHIP_ID_EM28178) {
+- /* Digital only device - don't load any alsa module */
+- dev->audio_mode.has_audio = false;
+- dev->has_audio_class = false;
+- dev->has_alsa_audio = false;
+- }
+-
+ if (chip_name != default_chip_name)
+ printk(KERN_INFO DRIVER_NAME
+ ": chip ID is %s\n", chip_name);
+@@ -3272,7 +3262,6 @@ static int em28xx_usb_probe(struct usb_i
+ dev->alt = -1;
+ dev->is_audio_only = has_audio && !(has_video || has_dvb);
+ dev->has_alsa_audio = has_audio;
+- dev->audio_mode.has_audio = has_audio;
+ dev->has_video = has_video;
+ dev->ifnum = ifnum;
+
+--- a/drivers/media/usb/em28xx/em28xx-core.c
++++ b/drivers/media/usb/em28xx/em28xx-core.c
+@@ -506,8 +506,18 @@ int em28xx_audio_setup(struct em28xx *de
+ int vid1, vid2, feat, cfg;
+ u32 vid;
+
+- if (!dev->audio_mode.has_audio)
++ if (dev->chip_id == CHIP_ID_EM2870 ||
++ dev->chip_id == CHIP_ID_EM2874 ||
++ dev->chip_id == CHIP_ID_EM28174 ||
++ dev->chip_id == CHIP_ID_EM28178) {
++ /* Digital only device - don't load any alsa module */
++ dev->audio_mode.has_audio = false;
++ dev->has_audio_class = false;
++ dev->has_alsa_audio = false;
+ return 0;
++ }
++
++ dev->audio_mode.has_audio = true;
+
+ /* See how this device is configured */
+ cfg = em28xx_read_reg(dev, EM28XX_R00_CHIPCFG);
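Review bot: `dev->audio_mode.has_audio = true;` is set unconditionally before the CHIPCFG register is read, and nothing in the hunk explains how it differs from `dev->has_alsa_audio`, which the description says is a per-interface property; a comment such as `/* has_audio is a per-device property decided by the chip, unlike has_alsa_audio, which only says whether this USB interface carries the audio endpoint. */` would stop the next person from re-introducing the reverted change. Whether the remainder of em28xx_audio_setup clears the flag again when CHIPCFG reports no analog audio is outside the hunk.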
--- /dev/null
+From 627530c32a43283474e9dd3e954519410ffa033a Mon Sep 17 00:00:00 2001
+From: Frank Schaefer <fschaefer.oss@googlemail.com>
+Date: Sat, 9 Aug 2014 06:37:20 -0300
+Subject: media: em28xx-v4l: give back all active video buffers to the vb2 core properly on streaming stop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frank Schaefer <fschaefer.oss@googlemail.com>
+
+commit 627530c32a43283474e9dd3e954519410ffa033a upstream.
+
+When a new video frame is started, the driver takes the next video buffer from
+the list of active buffers and moves it to dev->usb_ctl.vid_buf / dev->usb_ctl.vbi_buf
+for further processing.
+
+On streaming stop we currently only give back the pending buffers from the list
+but not the ones which are currently processed.
+
+This causes the following warning from the vb2 core since kernel 3.15:
+
+...
+ ------------[ cut here ]------------
+ WARNING: CPU: 1 PID: 2284 at drivers/media/v4l2-core/videobuf2-core.c:2115 __vb2_queue_cancel+0xed/0x150 [videobuf2_core]()
+ [...]
+ Call Trace:
+ [<c0769c46>] dump_stack+0x48/0x69
+ [<c0245b69>] warn_slowpath_common+0x79/0x90
+ [<f925e4ad>] ? __vb2_queue_cancel+0xed/0x150 [videobuf2_core]
+ [<f925e4ad>] ? __vb2_queue_cancel+0xed/0x150 [videobuf2_core]
+ [<c0245bfd>] warn_slowpath_null+0x1d/0x20
+ [<f925e4ad>] __vb2_queue_cancel+0xed/0x150 [videobuf2_core]
+ [<f925fa35>] vb2_internal_streamoff+0x35/0x90 [videobuf2_core]
+ [<f925fac5>] vb2_streamoff+0x35/0x60 [videobuf2_core]
+ [<f925fb27>] vb2_ioctl_streamoff+0x37/0x40 [videobuf2_core]
+ [<f8e45895>] v4l_streamoff+0x15/0x20 [videodev]
+ [<f8e4925d>] __video_do_ioctl+0x23d/0x2d0 [videodev]
+ [<f8e49020>] ? video_ioctl2+0x20/0x20 [videodev]
+ [<f8e48c63>] video_usercopy+0x203/0x5a0 [videodev]
+ [<f8e49020>] ? video_ioctl2+0x20/0x20 [videodev]
+ [<c039d0e7>] ? fsnotify+0x1e7/0x2b0
+ [<f8e49012>] video_ioctl2+0x12/0x20 [videodev]
+ [<f8e49020>] ? video_ioctl2+0x20/0x20 [videodev]
+ [<f8e4461e>] v4l2_ioctl+0xee/0x130 [videodev]
+ [<f8e44530>] ? v4l2_open+0xf0/0xf0 [videodev]
+ [<c0378de2>] do_vfs_ioctl+0x2e2/0x4d0
+ [<c0368eec>] ? vfs_write+0x13c/0x1c0
+ [<c0369a8f>] ? vfs_writev+0x2f/0x50
+ [<c0379028>] SyS_ioctl+0x58/0x80
+ [<c076fff3>] sysenter_do_call+0x12/0x12
+ ---[ end trace 5545f934409f13f4 ]---
+...
+
+Many thanks to Hans Verkuil, whose recently added check in the vb2 core unveiled
+this long standing issue and who has investigated it further.
+
+Signed-off-by: Frank Schäfer <fschaefer.oss@googlemail.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/em28xx/em28xx-video.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/em28xx/em28xx-video.c
++++ b/drivers/media/usb/em28xx/em28xx-video.c
+@@ -953,13 +953,16 @@ static int em28xx_stop_streaming(struct
+ }
+
+ spin_lock_irqsave(&dev->slock, flags);
++ if (dev->usb_ctl.vid_buf != NULL) {
++ vb2_buffer_done(&dev->usb_ctl.vid_buf->vb, VB2_BUF_STATE_ERROR);
++ dev->usb_ctl.vid_buf = NULL;
++ }
+ while (!list_empty(&vidq->active)) {
+ struct em28xx_buffer *buf;
+ buf = list_entry(vidq->active.next, struct em28xx_buffer, list);
+ list_del(&buf->list);
+ vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR);
+ }
+- dev->usb_ctl.vid_buf = NULL;
+ spin_unlock_irqrestore(&dev->slock, flags);
+
+ return 0;
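Review bot: The new block returns the in-flight `vid_buf` before draining the active list, but nothing says why that is needed; a comment such as `/* The buffer currently being filled was already taken off the active list; give it back too, or vb2 warns about a leaked buffer on streamoff. */` would document the vb2 contract being satisfied. The same code appears again for `vbi_buf` in em28xx_stop_vbi_streaming in the second hunk; a small static helper taking the buffer pointer and the queue would keep the two paths from drifting apart. That vb2_buffer_done is safe to call under `slock` with interrupts disabled is inferred from the existing loop, not verified here.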
+@@ -981,13 +984,16 @@ int em28xx_stop_vbi_streaming(struct vb2
+ }
+
+ spin_lock_irqsave(&dev->slock, flags);
++ if (dev->usb_ctl.vbi_buf != NULL) {
++ vb2_buffer_done(&dev->usb_ctl.vbi_buf->vb, VB2_BUF_STATE_ERROR);
++ dev->usb_ctl.vbi_buf = NULL;
++ }
+ while (!list_empty(&vbiq->active)) {
+ struct em28xx_buffer *buf;
+ buf = list_entry(vbiq->active.next, struct em28xx_buffer, list);
+ list_del(&buf->list);
+ vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR);
+ }
+- dev->usb_ctl.vbi_buf = NULL;
+ spin_unlock_irqrestore(&dev->slock, flags);
+
+ return 0;
--- /dev/null
+From f538e085138e519e25ae0828bd6c6e7492ce8ca4 Mon Sep 17 00:00:00 2001
+From: Antti Palosaari <crope@iki.fi>
+Date: Thu, 21 Aug 2014 14:02:27 -0300
+Subject: media: m88ts2022: fix 32bit overflow on filter calc
+
+From: Antti Palosaari <crope@iki.fi>
+
+commit f538e085138e519e25ae0828bd6c6e7492ce8ca4 upstream.
+
+Maximum satellite symbol rate used is 45000000Sps which overflows
+when multiplied by 135. As final calculation result is fraction,
+we could use mult_frac macro in order to keep calculation inside
+32 bit number limits and prevent overflow.
+
+Original bug and fix was provided by Nibble Max. I decided to
+implement it differently as it is now.
+
+Reported-by: Nibble Max <nibble.max@gmail.com>
+Tested-by: Nibble Max <nibble.max@gmail.com>
+Signed-off-by: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/tuners/m88ts2022.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/tuners/m88ts2022.c
++++ b/drivers/media/tuners/m88ts2022.c
+@@ -314,7 +314,7 @@ static int m88ts2022_set_params(struct d
+ div_min = gdiv28 * 78 / 100;
+ div_max = clamp_val(div_max, 0U, 63U);
+
+- f_3db_hz = c->symbol_rate * 135UL / 200UL;
++ f_3db_hz = mult_frac(c->symbol_rate, 135, 200);
+ f_3db_hz += 2000000U + (frequency_offset_khz * 1000U);
+ f_3db_hz = clamp(f_3db_hz, 7000000U, 40000000U);
+
--- /dev/null
+From 91ba0e59babdb3c7aca836a65f1095b3eaff7b06 Mon Sep 17 00:00:00 2001
+From: Axel Lin <axel.lin@ingics.com>
+Date: Fri, 8 Aug 2014 10:32:56 -0300
+Subject: media: tda7432: Fix setting TDA7432_MUTE bit for TDA7432_RF register
+
+From: Axel Lin <axel.lin@ingics.com>
+
+commit 91ba0e59babdb3c7aca836a65f1095b3eaff7b06 upstream.
+
+Fix a copy-paste bug when converting to the control framework.
+
+Fixes: commit 5d478e0de871 ("[media] tda7432: convert to the control framework")
+
+Signed-off-by: Axel Lin <axel.lin@ingics.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/i2c/tda7432.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/tda7432.c
++++ b/drivers/media/i2c/tda7432.c
+@@ -293,7 +293,7 @@ static int tda7432_s_ctrl(struct v4l2_ct
+ if (t->mute->val) {
+ lf |= TDA7432_MUTE;
+ lr |= TDA7432_MUTE;
+- lf |= TDA7432_MUTE;
++ rf |= TDA7432_MUTE;
+ rr |= TDA7432_MUTE;
+ }
+ /* Mute & update balance*/
--- /dev/null
+From 62ea864f84fed6e04dd033d500d4c9183a83d590 Mon Sep 17 00:00:00 2001
+From: Paul Fertser <fercerpav@gmail.com>
+Date: Sun, 8 Jun 2014 12:16:48 -0300
+Subject: media: usb: uvc: add a quirk for Dell XPS M1330 webcam
+
+From: Paul Fertser <fercerpav@gmail.com>
+
+commit 62ea864f84fed6e04dd033d500d4c9183a83d590 upstream.
+
+As reported on [1], this device needs this quirk to be able to
+reliably initialise the webcam.
+
+[1] http://ubuntuforums.org/showthread.php?t=2145996
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Fertser <fercerpav@gmail.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/uvc/uvc_driver.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -2210,6 +2210,15 @@ static struct usb_device_id uvc_ids[] =
+ .bInterfaceSubClass = 1,
+ .bInterfaceProtocol = 0,
+ .driver_info = UVC_QUIRK_PROBE_DEF },
++ /* Dell XPS M1330 (OmniVision OV7670 webcam) */
++ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE
++ | USB_DEVICE_ID_MATCH_INT_INFO,
++ .idVendor = 0x05a9,
++ .idProduct = 0x7670,
++ .bInterfaceClass = USB_CLASS_VIDEO,
++ .bInterfaceSubClass = 1,
++ .bInterfaceProtocol = 0,
++ .driver_info = UVC_QUIRK_PROBE_DEF },
+ /* Apple Built-In iSight */
+ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE
+ | USB_DEVICE_ID_MATCH_INT_INFO,
--- /dev/null
+From 3bacc10cd4a85bc70bc0b6c001d3bf995c7fe04c Mon Sep 17 00:00:00 2001
+From: Maciej Matraszek <m.matraszek@samsung.com>
+Date: Mon, 15 Sep 2014 05:14:48 -0300
+Subject: media: v4l2-common: fix overflow in v4l_bound_align_image()
+
+From: Maciej Matraszek <m.matraszek@samsung.com>
+
+commit 3bacc10cd4a85bc70bc0b6c001d3bf995c7fe04c upstream.
+
+Fix clamp_align() used in v4l_bound_align_image() to prevent overflow
+when passed large value like UINT32_MAX.
+
+ In the current implementation:
+ clamp_align(UINT32_MAX, 8, 8192, 3)
+
+returns 8, because in line:
+
+ x = (x + (1 << (align - 1))) & mask;
+
+x overflows to (-1 + 4) & 0x7 = 3, while expected value is 8192.
+
+v4l_bound_align_image() is heavily used in VIDIOC_S_FMT and
+VIDIOC_SUBDEV_S_FMT ioctls handlers, and documentation of the latter
+explicitly states that:
+
+"The modified format should be as close as possible to the original
+request."
+ -- http://linuxtv.org/downloads/v4l-dvb-apis/vidioc-subdev-g-fmt.html
+
+Thus one would expect, that passing UINT32_MAX as format width and
+height will result in setting maximum possible resolution for the
+device. Particularly, when the driver doesn't support
+VIDIOC_ENUM_FRAMESIZES ioctl, which is common in the codebase.
+
+Fixes changeset: b0d3159be9a3
+
+Signed-off-by: Maciej Matraszek <m.matraszek@samsung.com>
+Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/v4l2-common.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-common.c
++++ b/drivers/media/v4l2-core/v4l2-common.c
+@@ -431,16 +431,13 @@ static unsigned int clamp_align(unsigned
+ /* Bits that must be zero to be aligned */
+ unsigned int mask = ~((1 << align) - 1);
+
++ /* Clamp to aligned min and max */
++ x = clamp(x, (min + ~mask) & mask, max & mask);
++
+ /* Round to nearest aligned value */
+ if (align)
+ x = (x + (1 << (align - 1))) & mask;
+
+- /* Clamp to aligned value of min and max */
+- if (x < min)
+- x = (min + ~mask) & mask;
+- else if (x > max)
+- x = max & mask;
+-
+ return x;
+ }
+
--- /dev/null
+From aedd153f5bb5b1f1d6d9142014f521ae2ec294cc Mon Sep 17 00:00:00 2001
+From: Markos Chandras <markos.chandras@imgtec.com>
+Date: Mon, 20 Oct 2014 09:39:31 +0100
+Subject: MIPS: ftrace: Fix a microMIPS build problem
+
+From: Markos Chandras <markos.chandras@imgtec.com>
+
+commit aedd153f5bb5b1f1d6d9142014f521ae2ec294cc upstream.
+
+Code before the .fixup section needs to have the .insn directive.
+This has no side effects on MIPS32/64 but it affects the way microMIPS
+loads the address for the return label.
+
+Fixes the following build problem:
+mips-linux-gnu-ld: arch/mips/built-in.o: .fixup+0x4a0: Unsupported jump between
+ISA modes; consider recompiling with interlinking enabled.
+mips-linux-gnu-ld: final link failed: Bad value
+Makefile:819: recipe for target 'vmlinux' failed
+
+The fix is similar to 1658f914ff91c3bf ("MIPS: microMIPS:
+Disable LL/SC and fix linker bug.")
+
+Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/8117/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/ftrace.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/include/asm/ftrace.h
++++ b/arch/mips/include/asm/ftrace.h
+@@ -24,7 +24,7 @@ do { \
+ asm volatile ( \
+ "1: " load " %[tmp_dst], 0(%[tmp_src])\n" \
+ " li %[tmp_err], 0\n" \
+- "2:\n" \
++ "2: .insn\n" \
+ \
+ ".section .fixup, \"ax\"\n" \
+ "3: li %[tmp_err], 1\n" \
+@@ -46,7 +46,7 @@ do { \
+ asm volatile ( \
+ "1: " store " %[tmp_src], 0(%[tmp_dst])\n"\
+ " li %[tmp_err], 0\n" \
+- "2:\n" \
++ "2: .insn\n" \
+ \
+ ".section .fixup, \"ax\"\n" \
+ "3: li %[tmp_err], 1\n" \
--- /dev/null
+From 9e0f162a36914937a937358fcb45e0609ef2bfc4 Mon Sep 17 00:00:00 2001
+From: David Daney <david.daney@cavium.com>
+Date: Mon, 20 Oct 2014 15:34:23 -0700
+Subject: MIPS: tlbex: Properly fix HUGE TLB Refill exception handler
+
+From: David Daney <david.daney@cavium.com>
+
+commit 9e0f162a36914937a937358fcb45e0609ef2bfc4 upstream.
+
+In commit 8393c524a25609 (MIPS: tlbex: Fix a missing statement for
+HUGETLB), the TLB Refill handler was fixed so that non-OCTEON targets
+would work properly with huge pages. The change was incorrect in that
+it broke the OCTEON case.
+
+The problem is shown here:
+
+ xxx0: df7a0000 ld k0,0(k1)
+ .
+ .
+ .
+ xxxc0: df610000 ld at,0(k1)
+ xxxc4: 335a0ff0 andi k0,k0,0xff0
+ xxxc8: e825ffcd bbit1 at,0x5,0x0
+ xxxcc: 003ad82d daddu k1,at,k0
+ .
+ .
+ .
+
+In the non-octeon case there is a destructive test for the huge PTE
+bit, and then at 0, $k0 is reloaded (that is what the 8393c524a25609
+patch added).
+
+In the octeon case, we modify k1 in the branch delay slot, but we
+never need k0 again, so the new load is not needed, but since k1 is
+modified, if we do the load, we load from a garbage location and then
+get a nested TLB Refill, which is seen in userspace as either SIGBUS
+or SIGSEGV (depending on the garbage).
+
+The real fix is to only do this reloading if it is needed, and never
+where it is harmful.
+
+Signed-off-by: David Daney <david.daney@cavium.com>
+Cc: Huacai Chen <chenhc@lemote.com>
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/8151/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/mm/tlbex.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/mm/tlbex.c
++++ b/arch/mips/mm/tlbex.c
+@@ -1057,6 +1057,7 @@ static void build_update_entries(u32 **p
+ struct mips_huge_tlb_info {
+ int huge_pte;
+ int restore_scratch;
++ bool need_reload_pte;
+ };
+
+ static struct mips_huge_tlb_info
+@@ -1071,6 +1072,7 @@ build_fast_tlb_refill_handler (u32 **p,
+
+ rv.huge_pte = scratch;
+ rv.restore_scratch = 0;
++ rv.need_reload_pte = false;
+
+ if (check_for_high_segbits) {
+ UASM_i_MFC0(p, tmp, C0_BADVADDR);
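Review bot: `rv.need_reload_pte = false;` extends a field-by-field initialisation of `rv`, so the next field added to `mips_huge_tlb_info` would silently stay uninitialised in this function while being read in build_r4000_tlb_refill_handler; if the declaration of `rv` (outside the hunk) permits it, `struct mips_huge_tlb_info rv = { .huge_pte = scratch };` with a comment `/* remaining fields default to 0/false */` would make this robust. The explicit assignments here are correct as they stand.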
+@@ -1259,6 +1261,7 @@ static void build_r4000_tlb_refill_handl
+ } else {
+ htlb_info.huge_pte = K0;
+ htlb_info.restore_scratch = 0;
++ htlb_info.need_reload_pte = true;
+ vmalloc_mode = refill_noscratch;
+ /*
+ * create the plain linear handler
+@@ -1295,7 +1298,8 @@ static void build_r4000_tlb_refill_handl
+ }
+ #ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT
+ uasm_l_tlb_huge_update(&l, p);
+- UASM_i_LW(&p, K0, 0, K1);
++ if (htlb_info.need_reload_pte)
++ UASM_i_LW(&p, htlb_info.huge_pte, 0, K1);
+ build_huge_update_entries(&p, htlb_info.huge_pte, K1);
+ build_huge_tlb_write_entry(&p, &l, &r, K0, tlb_random,
+ htlb_info.restore_scratch);
--- /dev/null
+From f4c24db1b7ad0ce84409e15744d26c6f86a96840 Mon Sep 17 00:00:00 2001
+From: Joern Engel <joern@logfs.org>
+Date: Fri, 3 Oct 2014 14:35:56 -0700
+Subject: qla_target: don't delete changed nacls
+
+From: Joern Engel <joern@logfs.org>
+
+commit f4c24db1b7ad0ce84409e15744d26c6f86a96840 upstream.
+
+The code is currently riddled with "drop the hardware_lock to avoid a
+deadlock" bugs that expose races. One of those races seems to expose a
+valid warning in tcm_qla2xxx_clear_nacl_from_fcport_map. Add some
+bandaid to it.
+
+Signed-off-by: Joern Engel <joern@logfs.org>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/tcm_qla2xxx.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+@@ -707,7 +707,16 @@ static void tcm_qla2xxx_clear_nacl_from_
+ pr_debug("fc_rport domain: port_id 0x%06x\n", nacl->nport_id);
+
+ node = btree_remove32(&lport->lport_fcport_map, nacl->nport_id);
+- WARN_ON(node && (node != se_nacl));
++ if (WARN_ON(node && (node != se_nacl))) {
++ /*
++ * The nacl no longer matches what we think it should be.
++ * Most likely a new dynamic acl has been added while
++ * someone dropped the hardware lock. It clearly is a
++ * bug elsewhere, but this bit can't make things worse.
++ */
++ btree_insert32(&lport->lport_fcport_map, nacl->nport_id,
++ node, GFP_ATOMIC);
++ }
+
+ pr_debug("Removed from fcport_map: %p for WWNN: 0x%016LX, port_id: 0x%06x\n",
+ se_nacl, nacl->nport_wwnn, nacl->nport_id);
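Review bot: The return value of `btree_insert32()` is ignored, and with GFP_ATOMIC the insert can fail, in which case the foreign nacl that was just removed is silently lost from `lport_fcport_map` — the very outcome the band-aid is trying to avoid. The following `pr_debug("Removed from fcport_map ...")` also reports a removal that was just undone. Check the result: `if (btree_insert32(&lport->lport_fcport_map, nacl->nport_id, node, GFP_ATOMIC)) pr_err("Failed to restore nacl %p for port_id 0x%06x\n", node, nacl->nport_id);`, and consider returning early so the debug message stays accurate. The enclosing function starts before this hunk.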
drm-tilcdc-fix-the-error-path-in-tilcdc_load.patch
drm-i915-don-t-warn-if-backlight-unexpectedly-enabled.patch
drm-nouveau-bios-memset-dcb-struct-to-zero-before-parsing.patch
+media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch
+media-usb-uvc-add-a-quirk-for-dell-xps-m1330-webcam.patch
+media-em28xx-check-if-a-device-has-audio-earlier.patch
+media-m88ts2022-fix-32bit-overflow-on-filter-calc.patch
+media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch
+media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch
+media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch
+kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch
+kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch
+kvm-x86-improve-thread-safety-in-pit.patch
+kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch
+kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch
+kvm-x86-fix-wrong-masking-on-relative-jump-call.patch
+kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch
+kvm-vmx-handle-invvpid-vm-exit-gracefully.patch
+arc-allow-headless-models-to-boot.patch
+arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch
+arc-general-fixes.patch
+arc-fix-mmuv2-warning.patch
+arc-disable-caches-in-early-boot-if-so-configured.patch
+qla_target-don-t-delete-changed-nacls.patch
+target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch
+target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch
+mips-ftrace-fix-a-micromips-build-problem.patch
+mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch
--- /dev/null
+From e24805637d2d270d7975502e9024d473de86afdb Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Sat, 4 Oct 2014 04:23:15 +0000
+Subject: target: Fix APTPL metadata handling for dynamic MappedLUNs
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit e24805637d2d270d7975502e9024d473de86afdb upstream.
+
+This patch fixes a bug in handling of SPC-3 PR Activate Persistence
+across Target Power Loss (APTPL) logic where re-creation of state for
+MappedLUNs from dynamically generated NodeACLs did not occur during
+I_T Nexus establishment.
+
+It adds the missing core_scsi3_check_aptpl_registration() call during
+core_tpg_check_initiator_node_acl() -> core_tpg_add_node_to_devs() in
+order to replay any pre-loaded APTPL metadata state associated with
+the newly connected SCSI Initiator Port.
+
+Cc: Mike Christie <michaelc@cs.wisc.edu>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_device.c | 3 ++-
+ drivers/target/target_core_pr.c | 6 +++---
+ drivers/target/target_core_pr.h | 2 +-
+ drivers/target/target_core_tpg.c | 8 ++++++++
+ 4 files changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -1409,7 +1409,8 @@ int core_dev_add_initiator_node_lun_acl(
+ * Check to see if there are any existing persistent reservation APTPL
+ * pre-registrations that need to be enabled for this LUN ACL..
+ */
+- core_scsi3_check_aptpl_registration(lun->lun_se_dev, tpg, lun, lacl);
++ core_scsi3_check_aptpl_registration(lun->lun_se_dev, tpg, lun, nacl,
++ lacl->mapped_lun);
+ return 0;
+ }
+
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -944,10 +944,10 @@ int core_scsi3_check_aptpl_registration(
+ struct se_device *dev,
+ struct se_portal_group *tpg,
+ struct se_lun *lun,
+- struct se_lun_acl *lun_acl)
++ struct se_node_acl *nacl,
++ u32 mapped_lun)
+ {
+- struct se_node_acl *nacl = lun_acl->se_lun_nacl;
+- struct se_dev_entry *deve = nacl->device_list[lun_acl->mapped_lun];
++ struct se_dev_entry *deve = nacl->device_list[mapped_lun];
+
+ if (dev->dev_reservation_flags & DRF_SPC2_RESERVATIONS)
+ return 0;
+--- a/drivers/target/target_core_pr.h
++++ b/drivers/target/target_core_pr.h
+@@ -60,7 +60,7 @@ extern int core_scsi3_alloc_aptpl_regist
+ unsigned char *, u16, u32, int, int, u8);
+ extern int core_scsi3_check_aptpl_registration(struct se_device *,
+ struct se_portal_group *, struct se_lun *,
+- struct se_lun_acl *);
++ struct se_node_acl *, u32);
+ extern void core_scsi3_free_pr_reg_from_nacl(struct se_device *,
+ struct se_node_acl *);
+ extern void core_scsi3_free_all_registrations(struct se_device *);
+--- a/drivers/target/target_core_tpg.c
++++ b/drivers/target/target_core_tpg.c
+@@ -40,6 +40,7 @@
+ #include <target/target_core_fabric.h>
+
+ #include "target_core_internal.h"
++#include "target_core_pr.h"
+
+ extern struct se_device *g_lun0_dev;
+
+@@ -166,6 +167,13 @@ void core_tpg_add_node_to_devs(
+
+ core_enable_device_list_for_node(lun, NULL, lun->unpacked_lun,
+ lun_access, acl, tpg);
++ /*
++ * Check to see if there are any existing persistent reservation
++ * APTPL pre-registrations that need to be enabled for this dynamic
++ * LUN ACL now..
++ */
++ core_scsi3_check_aptpl_registration(dev, tpg, lun, acl,
++ lun->unpacked_lun);
+ spin_lock(&tpg->tpg_lun_lock);
+ }
+ spin_unlock(&tpg->tpg_lun_lock);
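Review bot: The return value of the new `core_scsi3_check_aptpl_registration()` call at L1978-L1979 is discarded, so if replaying APTPL state for a dynamically created MappedLUN fails, the initiator silently comes up without its persistent registration and nothing is logged; `core_tpg_add_node_to_devs` is void (L1969), so propagating is not an option, but a warning is. I would write `if (core_scsi3_check_aptpl_registration(dev, tpg, lun, acl, lun->unpacked_lun))` followed by a one-line warning naming `acl` and `lun->unpacked_lun` with whatever logging helper this file already uses. Passing `lun->unpacked_lun` as the mapped LUN is consistent with the `core_enable_device_list_for_node()` call just above it (L1971), which also uses `lun->unpacked_lun` for the dynamic ACL, and the call sits in the window where `tpg_lun_lock` is dropped before being re-taken at L1980, matching the existing call. The start of the enclosing loop and function lies outside this hunk.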
--- /dev/null
+From 082f58ac4a48d3f5cb4597232cb2ac6823a96f43 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quinn.tran@qlogic.com>
+Date: Thu, 25 Sep 2014 06:22:28 -0400
+Subject: target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE
+
+From: Quinn Tran <quinn.tran@qlogic.com>
+
+commit 082f58ac4a48d3f5cb4597232cb2ac6823a96f43 upstream.
+
+During temporary resource starvation at the lower transport layer, the command
+is placed on the queue-full retry path, which exposes this problem. The TCM
+queue-full handling of SCF_TRANSPORT_TASK_SENSE currently sends the same
+cmd twice to the lower layer. The 1st time leads to the cmd's normal free path.
+The 2nd time causes a NULL pointer access.
+
+This regression bug was originally introduced in v3.1-rc code in the
+following commit:
+
+commit e057f53308a5f071556ee80586b99ee755bf07f5
+Author: Christoph Hellwig <hch@infradead.org>
+Date: Mon Oct 17 13:56:41 2011 -0400
+
+ target: remove the transport_qf_callback se_cmd callback
+
+Signed-off-by: Quinn Tran <quinn.tran@qlogic.com>
+Signed-off-by: Saurav Kashyap <saurav.kashyap@qlogic.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1855,8 +1855,7 @@ static void transport_complete_qf(struct
+ if (cmd->se_cmd_flags & SCF_TRANSPORT_TASK_SENSE) {
+ trace_target_cmd_complete(cmd);
+ ret = cmd->se_tfo->queue_status(cmd);
+- if (ret)
+- goto out;
++ goto out;
+ }
+
+ switch (cmd->data_direction) {
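Review bot: The unconditional `goto out;` at L2025 directly after `ret = cmd->se_tfo->queue_status(cmd);` reads like a missed check, since `ret` is assigned and then apparently never consulted in this hunk; the `out:` label is outside the hunk, and presumably it is what inspects `ret` to decide whether to re-queue, but a reader cannot see that here. A short comment would make the intent explicit and stop the next person from "fixing" it back into the double-send this patch removes: `/* Sense was handed to the fabric (or will be retried via out:); a cmd carrying sense must never also take the data-direction path below. */`. The rest of transport_complete_qf, including `out:`, continues beyond the end of this hunk.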