4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 3 Oct 2019 08:04:36 +0000 (10:04 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 3 Oct 2019 08:04:36 +0000 (10:04 +0200)
added patches:
fuse-fix-missing-unlock_page-in-fuse_writepage.patch
kvm-x86-always-stop-emulation-on-page-fault.patch
kvm-x86-manually-calculate-reserved-bits-when-loading-pdptrs.patch
kvm-x86-set-ctxt-have_exception-in-x86_decode_insn.patch
parisc-disable-hp-hsc-pci-cards-to-prevent-kernel-crash.patch
powerpc-imc-dont-create-debugfs-files-for-cpu-less-nodes.patch

queue-4.19/fuse-fix-missing-unlock_page-in-fuse_writepage.patch [new file with mode: 0644]
queue-4.19/kvm-x86-always-stop-emulation-on-page-fault.patch [new file with mode: 0644]
queue-4.19/kvm-x86-manually-calculate-reserved-bits-when-loading-pdptrs.patch [new file with mode: 0644]
queue-4.19/kvm-x86-set-ctxt-have_exception-in-x86_decode_insn.patch [new file with mode: 0644]
queue-4.19/parisc-disable-hp-hsc-pci-cards-to-prevent-kernel-crash.patch [new file with mode: 0644]
queue-4.19/powerpc-imc-dont-create-debugfs-files-for-cpu-less-nodes.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/fuse-fix-missing-unlock_page-in-fuse_writepage.patch b/queue-4.19/fuse-fix-missing-unlock_page-in-fuse_writepage.patch
new file mode 100644 (file)
index 0000000..5a607c7
--- /dev/null
@@ -0,0 +1,32 @@
+From d5880c7a8620290a6c90ced7a0e8bd0ad9419601 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Fri, 13 Sep 2019 18:17:11 +0300
+Subject: fuse: fix missing unlock_page in fuse_writepage()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit d5880c7a8620290a6c90ced7a0e8bd0ad9419601 upstream.
+
+unlock_page() was missing in case of an already in-flight write against the
+same page.
+
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Fixes: ff17be086477 ("fuse: writepage: skip already in flight")
+Cc: <stable@vger.kernel.org> # v3.13
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/file.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1700,6 +1700,7 @@ static int fuse_writepage(struct page *p
+               WARN_ON(wbc->sync_mode == WB_SYNC_ALL);
+               redirty_page_for_writepage(wbc, page);
++              unlock_page(page);
+               return 0;
+       }
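Review bot: The new `unlock_page(page)` on the redirty path carries no comment saying why it is required, so the next refactor of this early return can drop it just as easily as the original code did. The `->writepage` callback receives a locked page and must unlock it before returning on every path, including the one that only redirties; a one-line comment above the call, `/* ->writepage must unlock the page on every return, even when only redirtied */`, would keep that contract visible at the point where it was previously violated. fuse_writepage() begins before and ends after this hunk, so the other return paths are not visible here and are worth checking for the same omission.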
diff --git a/queue-4.19/kvm-x86-always-stop-emulation-on-page-fault.patch b/queue-4.19/kvm-x86-always-stop-emulation-on-page-fault.patch
new file mode 100644 (file)
index 0000000..3ff15d5
--- /dev/null
@@ -0,0 +1,52 @@
+From 8530a79c5a9f4e29e6ffb35ec1a79d81f4968ec8 Mon Sep 17 00:00:00 2001
+From: Jan Dakinevich <jan.dakinevich@virtuozzo.com>
+Date: Tue, 27 Aug 2019 13:07:09 +0000
+Subject: KVM: x86: always stop emulation on page fault
+
+From: Jan Dakinevich <jan.dakinevich@virtuozzo.com>
+
+commit 8530a79c5a9f4e29e6ffb35ec1a79d81f4968ec8 upstream.
+
+inject_emulated_exception() returns true if and only if nested page
+fault happens. However, page fault can come from guest page tables
+walk, either nested or not nested. In both cases we should stop an
+attempt to read under RIP and give guest to step over its own page
+fault handler.
+
+This is also visible when an emulated instruction causes a #GP fault
+and the VMware backdoor is enabled.  To handle the VMware backdoor,
+KVM intercepts #GP faults; with only the next patch applied,
+x86_emulate_instruction() injects a #GP but returns EMULATE_FAIL
+instead of EMULATE_DONE.   EMULATE_FAIL causes handle_exception_nmi()
+(or gp_interception() for SVM) to re-inject the original #GP because it
+thinks emulation failed due to a non-VMware opcode.  This patch prevents
+the issue as x86_emulate_instruction() will return EMULATE_DONE after
+injecting the #GP.
+
+Fixes: 6ea6e84309ca ("KVM: x86: inject exceptions produced by x86_decode_insn")
+Cc: stable@vger.kernel.org
+Cc: Denis Lunev <den@virtuozzo.com>
+Cc: Roman Kagan <rkagan@virtuozzo.com>
+Cc: Denis Plotnikov <dplotnikov@virtuozzo.com>
+Signed-off-by: Jan Dakinevich <jan.dakinevich@virtuozzo.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6244,8 +6244,10 @@ int x86_emulate_instruction(struct kvm_v
+                       if (reexecute_instruction(vcpu, cr2, write_fault_to_spt,
+                                               emulation_type))
+                               return EMULATE_DONE;
+-                      if (ctxt->have_exception && inject_emulated_exception(vcpu))
++                      if (ctxt->have_exception) {
++                              inject_emulated_exception(vcpu);
+                               return EMULATE_DONE;
++                      }
+                       if (emulation_type & EMULTYPE_SKIP)
+                               return EMULATE_FAIL;
+                       return handle_emulation_failure(vcpu, emulation_type);
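Review bot: The bool returned by `inject_emulated_exception()` is now discarded at the new call, but nothing in the hunk records that the nested/non-nested distinction it encodes is deliberately irrelevant here, which is the whole point of the change. A short comment above the call, `/* Any fault from the guest page-table walk, nested or not, ends emulation so the guest runs its own fault handler. */`, would preserve the reasoning from the commit message in the code. Note that this branch now returns EMULATE_DONE for every decode exception, not only page faults; the companion patch in this same series adds the WARN_ON_ONCE for the #UD and trap cases, so the two patches should not be separated. x86_emulate_instruction() starts before and ends after the hunk.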
diff --git a/queue-4.19/kvm-x86-manually-calculate-reserved-bits-when-loading-pdptrs.patch b/queue-4.19/kvm-x86-manually-calculate-reserved-bits-when-loading-pdptrs.patch
new file mode 100644 (file)
index 0000000..5d4a08f
--- /dev/null
@@ -0,0 +1,75 @@
+From 16cfacc8085782dab8e365979356ce1ca87fd6cc Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+Date: Tue, 3 Sep 2019 16:36:45 -0700
+Subject: KVM: x86: Manually calculate reserved bits when loading PDPTRS
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+commit 16cfacc8085782dab8e365979356ce1ca87fd6cc upstream.
+
+Manually generate the PDPTR reserved bit mask when explicitly loading
+PDPTRs.  The reserved bits that are being tracked by the MMU reflect the
+current paging mode, which is unlikely to be PAE paging in the vast
+majority of flows that use load_pdptrs(), e.g. CR0 and CR4 emulation,
+__set_sregs(), etc...  This can cause KVM to incorrectly signal a bad
+PDPTR, or more likely, miss a reserved bit check and subsequently fail
+a VM-Enter due to a bad VMCS.GUEST_PDPTR.
+
+Add a one off helper to generate the reserved bits instead of sharing
+code across the MMU's calculations and the PDPTR emulation.  The PDPTR
+reserved bits are basically set in stone, and pushing a helper into
+the MMU's calculation adds unnecessary complexity without improving
+readability.
+
+Oppurtunistically fix/update the comment for load_pdptrs().
+
+Note, the buggy commit also introduced a deliberate functional change,
+"Also remove bit 5-6 from rsvd_bits_mask per latest SDM.", which was
+effectively (and correctly) reverted by commit cd9ae5fe47df ("KVM: x86:
+Fix page-tables reserved bits").  A bit of SDM archaeology shows that
+the SDM from late 2008 had a bug (likely a copy+paste error) where it
+listed bits 6:5 as AVL and A for PDPTEs used for 4k entries but reserved
+for 2mb entries.  I.e. the SDM contradicted itself, and bits 6:5 are and
+always have been reserved.
+
+Fixes: 20c466b56168d ("KVM: Use rsvd_bits_mask in load_pdptrs()")
+Cc: stable@vger.kernel.org
+Cc: Nadav Amit <nadav.amit@gmail.com>
+Reported-by: Doug Reiland <doug.reiland@intel.com>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -581,8 +581,14 @@ static int kvm_read_nested_guest_page(st
+                                      data, offset, len, access);
+ }
++static inline u64 pdptr_rsvd_bits(struct kvm_vcpu *vcpu)
++{
++      return rsvd_bits(cpuid_maxphyaddr(vcpu), 63) | rsvd_bits(5, 8) |
++             rsvd_bits(1, 2);
++}
++
+ /*
+- * Load the pae pdptrs.  Return true is they are all valid.
++ * Load the pae pdptrs.  Return 1 if they are all valid, 0 otherwise.
+  */
+ int load_pdptrs(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu, unsigned long cr3)
+ {
+@@ -601,8 +607,7 @@ int load_pdptrs(struct kvm_vcpu *vcpu, s
+       }
+       for (i = 0; i < ARRAY_SIZE(pdpte); ++i) {
+               if ((pdpte[i] & PT_PRESENT_MASK) &&
+-                  (pdpte[i] &
+-                   vcpu->arch.mmu.guest_rsvd_check.rsvd_bits_mask[0][2])) {
++                  (pdpte[i] & pdptr_rsvd_bits(vcpu))) {
+                       ret = 0;
+                       goto out;
+               }
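Review bot: `pdptr_rsvd_bits()` encodes the PAE PDPTE layout as three bare `rsvd_bits()` ranges with no comment saying which bits they are or why they are fixed, even though the commit message spends a paragraph on exactly that history. A header comment on the helper, such as `/* Reserved bits of a PAE PDPTE: 2:1, 8:5 and 63:MAXPHYADDR. Bits 6:5 are reserved; the late-2008 SDM listing them as AVL/A was a misprint. */`, would keep that knowledge next to the mask rather than only in git history. The updated comment on load_pdptrs() now documents the 1/0 return, which is good; the function itself starts before and ends after the second hunk, so the `ret`/`out` handling is not visible here.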
diff --git a/queue-4.19/kvm-x86-set-ctxt-have_exception-in-x86_decode_insn.patch b/queue-4.19/kvm-x86-set-ctxt-have_exception-in-x86_decode_insn.patch
new file mode 100644 (file)
index 0000000..5447e6f
--- /dev/null
@@ -0,0 +1,53 @@
+From c8848cee74ff05638e913582a476bde879c968ad Mon Sep 17 00:00:00 2001
+From: Jan Dakinevich <jan.dakinevich@virtuozzo.com>
+Date: Tue, 27 Aug 2019 13:07:08 +0000
+Subject: KVM: x86: set ctxt->have_exception in x86_decode_insn()
+
+From: Jan Dakinevich <jan.dakinevich@virtuozzo.com>
+
+commit c8848cee74ff05638e913582a476bde879c968ad upstream.
+
+x86_emulate_instruction() takes into account ctxt->have_exception flag
+during instruction decoding, but in practice this flag is never set in
+x86_decode_insn().
+
+Fixes: 6ea6e84309ca ("KVM: x86: inject exceptions produced by x86_decode_insn")
+Cc: stable@vger.kernel.org
+Cc: Denis Lunev <den@virtuozzo.com>
+Cc: Roman Kagan <rkagan@virtuozzo.com>
+Cc: Denis Plotnikov <dplotnikov@virtuozzo.com>
+Signed-off-by: Jan Dakinevich <jan.dakinevich@virtuozzo.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c |    2 ++
+ arch/x86/kvm/x86.c     |    6 ++++++
+ 2 files changed, 8 insertions(+)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -5368,6 +5368,8 @@ done_prefixes:
+                                       ctxt->memopp->addr.mem.ea + ctxt->_eip);
+ done:
++      if (rc == X86EMUL_PROPAGATE_FAULT)
++              ctxt->have_exception = true;
+       return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
+ }
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6245,6 +6245,12 @@ int x86_emulate_instruction(struct kvm_v
+                                               emulation_type))
+                               return EMULATE_DONE;
+                       if (ctxt->have_exception) {
++                              /*
++                               * #UD should result in just EMULATION_FAILED, and trap-like
++                               * exception should not be encountered during decode.
++                               */
++                              WARN_ON_ONCE(ctxt->exception.vector == UD_VECTOR ||
++                                           exception_type(ctxt->exception.vector) == EXCPT_TRAP);
+                               inject_emulated_exception(vcpu);
+                               return EMULATE_DONE;
+                       }
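Review bot: The new assignment at `done:` in x86_decode_insn() only ever sets `ctxt->have_exception` to true and never clears it, so correctness depends on the flag being reset before each decode by code outside this hunk (presumably the ctxt initialisation path); if it is not, a fault recorded for one instruction would be re-injected on the next. Worth confirming, and recording with a comment at the assignment, `/* have_exception is expected to be cleared when the ctxt is (re)initialised before decode. */`. Both x86_decode_insn() and x86_emulate_instruction() start before and end after their respective hunks, so the reset cannot be verified from this page.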
diff --git a/queue-4.19/parisc-disable-hp-hsc-pci-cards-to-prevent-kernel-crash.patch b/queue-4.19/parisc-disable-hp-hsc-pci-cards-to-prevent-kernel-crash.patch
new file mode 100644 (file)
index 0000000..b0e7471
--- /dev/null
@@ -0,0 +1,73 @@
+From 5fa1659105fac63e0f3c199b476025c2e04111ce Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Thu, 5 Sep 2019 16:44:17 +0200
+Subject: parisc: Disable HP HSC-PCI Cards to prevent kernel crash
+
+From: Helge Deller <deller@gmx.de>
+
+commit 5fa1659105fac63e0f3c199b476025c2e04111ce upstream.
+
+The HP Dino PCI controller chip can be used in two variants: as on-board
+controller (e.g. in B160L), or on an Add-On card ("Card-Mode") to bridge
+PCI components to systems without a PCI bus, e.g. to a HSC/GSC bus.  One
+such Add-On card is the HP HSC-PCI Card which has one or more DEC Tulip
+PCI NIC chips connected to the on-card Dino PCI controller.
+
+Dino in Card-Mode has a big disadvantage: All PCI memory accesses need
+to go through the DINO_MEM_DATA register, so Linux drivers will not be
+able to use the ioremap() function. Without ioremap() many drivers will
+not work, one example is the tulip driver which then simply crashes the
+kernel if it tries to access the ports on the HP HSC card.
+
+This patch disables the HP HSC card if it finds one, and as such
+fixes the kernel crash on a HP D350/2 machine.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Noticed-by: Phil Scarr <phil.scarr@pm.me>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/parisc/dino.c |   24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/parisc/dino.c
++++ b/drivers/parisc/dino.c
+@@ -160,6 +160,15 @@ struct dino_device
+       (struct dino_device *)__pdata; })
++/* Check if PCI device is behind a Card-mode Dino. */
++static int pci_dev_is_behind_card_dino(struct pci_dev *dev)
++{
++      struct dino_device *dino_dev;
++
++      dino_dev = DINO_DEV(parisc_walk_tree(dev->bus->bridge));
++      return is_card_dino(&dino_dev->hba.dev->id);
++}
++
+ /*
+  * Dino Configuration Space Accessor Functions
+  */
+@@ -442,6 +451,21 @@ static void quirk_cirrus_cardbus(struct
+ }
+ DECLARE_PCI_FIXUP_ENABLE(PCI_VENDOR_ID_CIRRUS, PCI_DEVICE_ID_CIRRUS_6832, quirk_cirrus_cardbus );
++#ifdef CONFIG_TULIP
++static void pci_fixup_tulip(struct pci_dev *dev)
++{
++      if (!pci_dev_is_behind_card_dino(dev))
++              return;
++      if (!(pci_resource_flags(dev, 1) & IORESOURCE_MEM))
++              return;
++      pr_warn("%s: HP HSC-PCI Cards with card-mode Dino not yet supported.\n",
++              pci_name(dev));
++      /* Disable this card by zeroing the PCI resources */
++      memset(&dev->resource[0], 0, sizeof(dev->resource[0]));
++      memset(&dev->resource[1], 0, sizeof(dev->resource[1]));
++}
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_DEC, PCI_ANY_ID, pci_fixup_tulip);
++#endif /* CONFIG_TULIP */
+ static void __init
+ dino_bios_init(void)
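Review bot: `DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_DEC, PCI_ANY_ID, pci_fixup_tulip)` matches every DEC device, not only the Tulip NICs that the function name and the `CONFIG_TULIP` guard suggest, so any DEC device with a memory BAR1 behind a card-mode Dino will have its resources zeroed. If that breadth is intentional it should be stated above the declaration, e.g. `/* Matches all DEC devices, not just Tulip; the BAR1 MEM check is the real discriminator. */`, otherwise the device id should be narrowed. `pci_dev_is_behind_card_dino()` also dereferences the result of `parisc_walk_tree(dev->bus->bridge)` and then `dino_dev->hba.dev` without a NULL check; whether the walk can return NULL for a device not under a Dino cannot be confirmed from this hunk, and if it can, a guard returning 0 belongs before `is_card_dino()`.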
diff --git a/queue-4.19/powerpc-imc-dont-create-debugfs-files-for-cpu-less-nodes.patch b/queue-4.19/powerpc-imc-dont-create-debugfs-files-for-cpu-less-nodes.patch
new file mode 100644 (file)
index 0000000..dbb179e
--- /dev/null
@@ -0,0 +1,107 @@
+From 41ba17f20ea835c489e77bd54e2da73184e22060 Mon Sep 17 00:00:00 2001
+From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Date: Tue, 27 Aug 2019 15:46:35 +0530
+Subject: powerpc/imc: Dont create debugfs files for cpu-less nodes
+
+From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+
+commit 41ba17f20ea835c489e77bd54e2da73184e22060 upstream.
+
+Commit <684d984038aa> ('powerpc/powernv: Add debugfs interface for
+imc-mode and imc') added debugfs interface for the nest imc pmu
+devices to support changing of different ucode modes. Primarily adding
+this capability for debug. But when doing so, the code did not
+consider the case of cpu-less nodes. So when reading the _cmd_ or
+_mode_ file of a cpu-less node will create this crash.
+
+  Faulting instruction address: 0xc0000000000d0d58
+  Oops: Kernel access of bad area, sig: 11 [#1]
+  ...
+  CPU: 67 PID: 5301 Comm: cat Not tainted 5.2.0-rc6-next-20190627+ #19
+  NIP:  c0000000000d0d58 LR: c00000000049aa18 CTR:c0000000000d0d50
+  REGS: c00020194548f9e0 TRAP: 0300   Not tainted  (5.2.0-rc6-next-20190627+)
+  MSR:  9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR:28022822  XER: 00000000
+  CFAR: c00000000049aa14 DAR: 000000000003fc08 DSISR:40000000 IRQMASK: 0
+  ...
+  NIP imc_mem_get+0x8/0x20
+  LR  simple_attr_read+0x118/0x170
+  Call Trace:
+    simple_attr_read+0x70/0x170 (unreliable)
+    debugfs_attr_read+0x6c/0xb0
+    __vfs_read+0x3c/0x70
+     vfs_read+0xbc/0x1a0
+    ksys_read+0x7c/0x140
+    system_call+0x5c/0x70
+
+Patch fixes the issue with a more robust check for vbase to NULL.
+
+Before patch, ls output for the debugfs imc directory
+
+  # ls /sys/kernel/debug/powerpc/imc/
+  imc_cmd_0    imc_cmd_251  imc_cmd_253  imc_cmd_255  imc_mode_0    imc_mode_251  imc_mode_253  imc_mode_255
+  imc_cmd_250  imc_cmd_252  imc_cmd_254  imc_cmd_8    imc_mode_250  imc_mode_252  imc_mode_254  imc_mode_8
+
+After patch, ls output for the debugfs imc directory
+
+  # ls /sys/kernel/debug/powerpc/imc/
+  imc_cmd_0  imc_cmd_8  imc_mode_0  imc_mode_8
+
+Actual bug here is that, we have two loops with potentially different
+loop counts. That is, in imc_get_mem_addr_nest(), loop count is
+obtained from the dt entries. But in case of export_imc_mode_and_cmd(),
+loop was based on for_each_nid() count. Patch fixes the loop count in
+latter based on the struct mem_info. Ideally it would be better to
+have array size in struct imc_pmu.
+
+Fixes: 684d984038aa ('powerpc/powernv: Add debugfs interface for imc-mode and imc')
+Reported-by: Qian Cai <cai@lca.pw>
+Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190827101635.6942-1-maddy@linux.vnet.ibm.com
+Cc: Jan Stancek <jstancek@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/platforms/powernv/opal-imc.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/opal-imc.c
++++ b/arch/powerpc/platforms/powernv/opal-imc.c
+@@ -57,9 +57,9 @@ static void export_imc_mode_and_cmd(stru
+                                   struct imc_pmu *pmu_ptr)
+ {
+       static u64 loc, *imc_mode_addr, *imc_cmd_addr;
+-      int chip = 0, nid;
+       char mode[16], cmd[16];
+       u32 cb_offset;
++      struct imc_mem_info *ptr = pmu_ptr->mem_info;
+       imc_debugfs_parent = debugfs_create_dir("imc", powerpc_debugfs_root);
+@@ -73,20 +73,20 @@ static void export_imc_mode_and_cmd(stru
+       if (of_property_read_u32(node, "cb_offset", &cb_offset))
+               cb_offset = IMC_CNTL_BLK_OFFSET;
+-      for_each_node(nid) {
+-              loc = (u64)(pmu_ptr->mem_info[chip].vbase) + cb_offset;
++      while (ptr->vbase != NULL) {
++              loc = (u64)(ptr->vbase) + cb_offset;
+               imc_mode_addr = (u64 *)(loc + IMC_CNTL_BLK_MODE_OFFSET);
+-              sprintf(mode, "imc_mode_%d", nid);
++              sprintf(mode, "imc_mode_%d", (u32)(ptr->id));
+               if (!imc_debugfs_create_x64(mode, 0600, imc_debugfs_parent,
+                                           imc_mode_addr))
+                       goto err;
+               imc_cmd_addr = (u64 *)(loc + IMC_CNTL_BLK_CMD_OFFSET);
+-              sprintf(cmd, "imc_cmd_%d", nid);
++              sprintf(cmd, "imc_cmd_%d", (u32)(ptr->id));
+               if (!imc_debugfs_create_x64(cmd, 0600, imc_debugfs_parent,
+                                           imc_cmd_addr))
+                       goto err;
+-              chip++;
++              ptr++;
+       }
+       return;
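Review bot: The two rewritten `sprintf()` calls format `(u32)(ptr->id)` with `%d` into `char mode[16]` and `char cmd[16]`; "imc_mode_" is nine characters, so a ten-digit id overflows the stack buffer, and `%d` with an unsigned argument is a format mismatch. Use `snprintf(mode, sizeof(mode), "imc_mode_%u", (u32)ptr->id);` and `snprintf(cmd, sizeof(cmd), "imc_cmd_%u", (u32)ptr->id);` — the ids in the commit message are small node numbers, but the bound costs nothing. The new `while (ptr->vbase != NULL)` loop also depends on `pmu_ptr->mem_info` being non-NULL and terminated by an entry whose `vbase` is NULL, neither of which is visible here; an `if (!ptr) return;` before the loop and a comment naming the sentinel convention would make that assumption explicit, as the commit message itself notes an explicit array size would be preferable. export_imc_mode_and_cmd() continues outside the hunk.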
index 2888902c5a3fb04a64814fcfbecb6ab4dff89efc..4dedb509d5961deb5a9e643422d3689e41a6e30c 100644 (file)
@@ -160,3 +160,9 @@ ceph-use-ceph_evict_inode-to-cleanup-inode-s-resourc.patch
 alsa-hda-realtek-pci-quirk-for-medion-e4254.patch
 blk-mq-add-callback-of-.cleanup_rq.patch
 scsi-implement-.cleanup_rq-callback.patch
+powerpc-imc-dont-create-debugfs-files-for-cpu-less-nodes.patch
+fuse-fix-missing-unlock_page-in-fuse_writepage.patch
+parisc-disable-hp-hsc-pci-cards-to-prevent-kernel-crash.patch
+kvm-x86-always-stop-emulation-on-page-fault.patch
+kvm-x86-set-ctxt-have_exception-in-x86_decode_insn.patch
+kvm-x86-manually-calculate-reserved-bits-when-loading-pdptrs.patch