--- /dev/null
+From 5b0ff9a00755d4d9c209033a77f1ed8f3186fe5c Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 24 Mar 2017 23:02:48 +0100
+Subject: infiniband: hns: avoid gcc-7.0.1 warning for uninitialized data
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 5b0ff9a00755d4d9c209033a77f1ed8f3186fe5c upstream.
+
+hns_roce_v1_cq_set_ci() calls roce_set_bit() on an uninitialized field,
+which will then change only a few of its bits, causing a warning with
+the latest gcc:
+
+infiniband/hw/hns/hns_roce_hw_v1.c: In function 'hns_roce_v1_cq_set_ci':
+infiniband/hw/hns/hns_roce_hw_v1.c:1854:23: error: 'doorbell[1]' is used uninitialized in this function [-Werror=uninitialized]
+ roce_set_bit(doorbell[1], ROCEE_DB_OTHERS_H_ROCEE_DB_OTH_HW_SYNS_S, 1);
+
+The code is actually correct since we always set all bits of the
+port_vlan field, but gcc correctly points out that the first
+access does contain uninitialized data.
+
+This initializes the field to zero first before setting the
+individual bits.
+
+Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v1.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
+@@ -1851,6 +1851,7 @@ void hns_roce_v1_cq_set_ci(struct hns_ro
+ u32 doorbell[2];
+
+ doorbell[0] = cons_index & ((hr_cq->cq_depth << 1) - 1);
++ doorbell[1] = 0;
+ roce_set_bit(doorbell[1], ROCEE_DB_OTHERS_H_ROCEE_DB_OTH_HW_SYNS_S, 1);
+ roce_set_field(doorbell[1], ROCEE_DB_OTHERS_H_ROCEE_DB_OTH_CMD_M,
+ ROCEE_DB_OTHERS_H_ROCEE_DB_OTH_CMD_S, 3);
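Review bot: The added `doorbell[1] = 0;` fixes the first access, but the more robust form is to zero the array at its declaration two lines up, `u32 doorbell[2] = { 0 };`, so the word stays defined even if another roce_set_bit()/roce_set_field() call is later inserted above the current first one. The explicit assignment could then be dropped; doorbell[0] is fully overwritten either way. hns_roce_v1_cq_set_ci continues outside the hunk.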
--- /dev/null
+From 73dbd4a4230216b6a5540a362edceae0c9b4876b Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Sun, 23 Apr 2017 18:23:21 +0800
+Subject: iommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid()
+
+From: Pan Bian <bianpan2016@163.com>
+
+commit 73dbd4a4230216b6a5540a362edceae0c9b4876b upstream.
+
+In function amd_iommu_bind_pasid(), the control flow jumps
+to label out_free when pasid_state->mm and mm is NULL. And
+mmput(mm) is called. In function mmput(mm), mm is
+referenced without validation. This will result in a NULL
+dereference bug. This patch fixes the bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Fixes: f0aac63b873b ('iommu/amd: Don't hold a reference to mm_struct')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/amd_iommu_v2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/amd_iommu_v2.c
++++ b/drivers/iommu/amd_iommu_v2.c
+@@ -696,9 +696,9 @@ out_clear_state:
+
+ out_unregister:
+ mmu_notifier_unregister(&pasid_state->mn, mm);
++ mmput(mm);
+
+ out_free:
+- mmput(mm);
+ free_pasid_state(pasid_state);
+
+ out:
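Review bot: Moving mmput() up under out_unregister is correct only if no error path still jumps to out_free while holding an mm reference; those jumps are outside this hunk, so they should be checked against the earlier part of amd_iommu_bind_pasid(). A short comment on the label would record the invariant the new layout depends on: `/* out_free: reached only before mm is acquired, so no mmput() here */`. The function starts and ends outside the hunk.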
--- /dev/null
+From 84a21dbdef0b96d773599c33c2afbb002198d303 Mon Sep 17 00:00:00 2001
+From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Date: Mon, 26 Jun 2017 04:28:04 -0500
+Subject: iommu/amd: Fix interrupt remapping when disable guest_mode
+
+From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+
+commit 84a21dbdef0b96d773599c33c2afbb002198d303 upstream.
+
+Pass-through devices to VM guest can get updated IRQ affinity
+information via irq_set_affinity() when not running in guest mode.
+Currently, AMD IOMMU driver in GA mode ignores the updated information
+if the pass-through device is setup to use vAPIC regardless of guest_mode.
+This could cause invalid interrupt remapping.
+
+Also, the guest_mode bit should be set and cleared only when
+SVM updates posted-interrupt interrupt remapping information.
+
+Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Cc: Joerg Roedel <jroedel@suse.de>
+Fixes: d98de49a53e48 ('iommu/amd: Enable vAPIC interrupt remapping mode by default')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/amd_iommu.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -3879,11 +3879,9 @@ static void irte_ga_prepare(void *entry,
+ u8 vector, u32 dest_apicid, int devid)
+ {
+ struct irte_ga *irte = (struct irte_ga *) entry;
+- struct iommu_dev_data *dev_data = search_dev_data(devid);
+
+ irte->lo.val = 0;
+ irte->hi.val = 0;
+- irte->lo.fields_remap.guest_mode = dev_data ? dev_data->use_vapic : 0;
+ irte->lo.fields_remap.int_type = delivery_mode;
+ irte->lo.fields_remap.dm = dest_mode;
+ irte->hi.fields.vector = vector;
+@@ -3939,10 +3937,10 @@ static void irte_ga_set_affinity(void *e
+ struct irte_ga *irte = (struct irte_ga *) entry;
+ struct iommu_dev_data *dev_data = search_dev_data(devid);
+
+- if (!dev_data || !dev_data->use_vapic) {
++ if (!dev_data || !dev_data->use_vapic ||
++ !irte->lo.fields_remap.guest_mode) {
+ irte->hi.fields.vector = vector;
+ irte->lo.fields_remap.destination = dest_apicid;
+- irte->lo.fields_remap.guest_mode = 0;
+ modify_irte_ga(devid, index, irte, NULL);
+ }
+ }
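Review bot: The three-way condition encodes an ownership rule that is stated only in the commit message: guest_mode is set and cleared solely by the SVM posted-interrupt update path, so this function must leave guest-mode entries untouched rather than clearing the bit as it did before. A comment above the `if` would keep that from being "fixed" back later: `/* guest_mode is owned by the SVM posted-interrupt path; only remap-mode entries are updated here */`. The same comment would help in irte_ga_prepare (first hunk), which now leaves guest_mode at 0 after the memset-style zeroing until SVM switches the entry.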
--- /dev/null
+From 938f1bbe35e3a7cb07e1fa7c512e2ef8bb866bdf Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Thu, 16 Mar 2017 17:00:17 +0000
+Subject: iommu/dma: Don't reserve PCI I/O windows
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 938f1bbe35e3a7cb07e1fa7c512e2ef8bb866bdf upstream.
+
+Even if a host controller's CPU-side MMIO windows into PCI I/O space do
+happen to leak into PCI memory space such that it might treat them as
+peer addresses, trying to reserve the corresponding I/O space addresses
+doesn't do anything to help solve that problem. Stop doing a silly thing.
+
+Fixes: fade1ec055dc ("iommu/dma: Avoid PCI host bridge windows")
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/dma-iommu.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/iommu/dma-iommu.c
++++ b/drivers/iommu/dma-iommu.c
+@@ -175,8 +175,7 @@ static void iova_reserve_pci_windows(str
+ unsigned long lo, hi;
+
+ resource_list_for_each_entry(window, &bridge->windows) {
+- if (resource_type(window->res) != IORESOURCE_MEM &&
+- resource_type(window->res) != IORESOURCE_IO)
++ if (resource_type(window->res) != IORESOURCE_MEM)
+ continue;
+
+ lo = iova_pfn(iovad, window->res->start - window->offset);
--- /dev/null
+From d4912215d1031e4fb3d1038d2e1857218dba0d0a Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Mon, 5 Jun 2017 05:19:09 -0700
+Subject: KVM: nVMX: Fix exception injection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+commit d4912215d1031e4fb3d1038d2e1857218dba0d0a upstream.
+
+ WARNING: CPU: 3 PID: 2840 at arch/x86/kvm/vmx.c:10966 nested_vmx_vmexit+0xdcd/0xde0 [kvm_intel]
+ CPU: 3 PID: 2840 Comm: qemu-system-x86 Tainted: G OE 4.12.0-rc3+ #23
+ RIP: 0010:nested_vmx_vmexit+0xdcd/0xde0 [kvm_intel]
+ Call Trace:
+ ? kvm_check_async_pf_completion+0xef/0x120 [kvm]
+ ? rcu_read_lock_sched_held+0x79/0x80
+ vmx_queue_exception+0x104/0x160 [kvm_intel]
+ ? vmx_queue_exception+0x104/0x160 [kvm_intel]
+ kvm_arch_vcpu_ioctl_run+0x1171/0x1ce0 [kvm]
+ ? kvm_arch_vcpu_load+0x47/0x240 [kvm]
+ ? kvm_arch_vcpu_load+0x62/0x240 [kvm]
+ kvm_vcpu_ioctl+0x384/0x7b0 [kvm]
+ ? kvm_vcpu_ioctl+0x384/0x7b0 [kvm]
+ ? __fget+0xf3/0x210
+ do_vfs_ioctl+0xa4/0x700
+ ? __fget+0x114/0x210
+ SyS_ioctl+0x79/0x90
+ do_syscall_64+0x81/0x220
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+This is triggered occasionally by running both win7 and win2016 in L2, in
+addition, EPT is disabled on both L1 and L2. It can't be reproduced easily.
+
+Commit 0b6ac343fc (KVM: nVMX: Correct handling of exception injection) mentioned
+that "KVM wants to inject page-faults which it got to the guest. This function
+assumes it is called with the exit reason in vmcs02 being a #PF exception".
+Commit e011c663 (KVM: nVMX: Check all exceptions for intercept during delivery to
+L2) allows to check all exceptions for intercept during delivery to L2. However,
+there is no guarantee the exit reason is exception currently, when there is an
+external interrupt occurred on host, maybe a time interrupt for host which should
+not be injected to guest, and somewhere queues an exception, then the function
+nested_vmx_check_exception() will be called and the vmexit emulation codes will
+try to emulate the "Acknowledge interrupt on exit" behavior, the warning is
+triggered.
+
+Reusing the exit reason from the L2->L0 vmexit is wrong in this case,
+the reason must always be EXCEPTION_NMI when injecting an exception into
+L1 as a nested vmexit.
+
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Fixes: e011c663b9c7 ("KVM: nVMX: Check all exceptions for intercept during delivery to L2")
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2436,7 +2436,7 @@ static int nested_vmx_check_exception(st
+ if (!(vmcs12->exception_bitmap & (1u << nr)))
+ return 0;
+
+- nested_vmx_vmexit(vcpu, to_vmx(vcpu)->exit_reason,
++ nested_vmx_vmexit(vcpu, EXIT_REASON_EXCEPTION_NMI,
+ vmcs_read32(VM_EXIT_INTR_INFO),
+ vmcs_readl(EXIT_QUALIFICATION));
+ return 1;
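Review bot: The exit reason is now fixed to EXIT_REASON_EXCEPTION_NMI, but the interrupt info and exit qualification on the two lines below are still read from the current vmcs02, which by the commit's own description may belong to an unrelated L2->L0 exit (an external interrupt) rather than to the exception being injected. In that case L1 sees an EXCEPTION_NMI exit whose VM_EXIT_INTR_INFO does not describe the queued exception; building intr_info from `nr` and the pending error code instead of reading it back would keep the two consistent. Whether every caller guarantees fresh vmcs fields is not visible here and is inferred. nested_vmx_check_exception continues outside the hunk.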
--- /dev/null
+From 6ed071f051e12cf7baa1b69d3becb8f232fdfb7b Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Tue, 25 Apr 2017 16:42:44 +0200
+Subject: KVM: x86: fix emulation of RSM and IRET instructions
+
+From: Ladi Prosek <lprosek@redhat.com>
+
+commit 6ed071f051e12cf7baa1b69d3becb8f232fdfb7b upstream.
+
+On AMD, the effect of set_nmi_mask called by emulate_iret_real and em_rsm
+on hflags is reverted later on in x86_emulate_instruction where hflags are
+overwritten with ctxt->emul_flags (the kvm_set_hflags call). This manifests
+as a hang when rebooting Windows VMs with QEMU, OVMF, and >1 vcpu.
+
+Instead of trying to merge ctxt->emul_flags into vcpu->arch.hflags after
+an instruction is emulated, this commit deletes emul_flags altogether and
+makes the emulator access vcpu->arch.hflags using two new accessors. This
+way all changes, on the emulator side as well as in functions called from
+the emulator and accessing vcpu state with emul_to_vcpu, are preserved.
+
+More details on the bug and its manifestation with Windows and OVMF:
+
+ It's a KVM bug in the interaction between SMI/SMM and NMI, specific to AMD.
+ I believe that the SMM part explains why we started seeing this only with
+ OVMF.
+
+ KVM masks and unmasks NMI when entering and leaving SMM. When KVM emulates
+ the RSM instruction in em_rsm, the set_nmi_mask call doesn't stick because
+ later on in x86_emulate_instruction we overwrite arch.hflags with
+ ctxt->emul_flags, effectively reverting the effect of the set_nmi_mask call.
+ The AMD-specific hflag of interest here is HF_NMI_MASK.
+
+ When rebooting the system, Windows sends an NMI IPI to all but the current
+ cpu to shut them down. Only after all of them are parked in HLT will the
+ initiating cpu finish the restart. If NMI is masked, other cpus never get
+ the memo and the initiating cpu spins forever, waiting for
+ hal!HalpInterruptProcessorsStarted to drop. That's the symptom we observe.
+
+Fixes: a584539b24b8 ("KVM: x86: pass the whole hflags field to emulator and back")
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_emulate.h | 4 +++-
+ arch/x86/kvm/emulate.c | 16 +++++++++-------
+ arch/x86/kvm/x86.c | 15 ++++++++++++---
+ 3 files changed, 24 insertions(+), 11 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_emulate.h
++++ b/arch/x86/include/asm/kvm_emulate.h
+@@ -221,6 +221,9 @@ struct x86_emulate_ops {
+ void (*get_cpuid)(struct x86_emulate_ctxt *ctxt,
+ u32 *eax, u32 *ebx, u32 *ecx, u32 *edx);
+ void (*set_nmi_mask)(struct x86_emulate_ctxt *ctxt, bool masked);
++
++ unsigned (*get_hflags)(struct x86_emulate_ctxt *ctxt);
++ void (*set_hflags)(struct x86_emulate_ctxt *ctxt, unsigned hflags);
+ };
+
+ typedef u32 __attribute__((vector_size(16))) sse128_t;
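Review bot: The two new callbacks use bare `unsigned`, which checkpatch flags in favour of `unsigned int`; the same applies to the local in x86_emulate_insn and to the two emulator_*_hflags definitions in x86.c later in this patch. The setter's parameter is also named `hflags` here but `emul_flags` in its x86.c definition; one name avoids confusion with the field this patch removes. Suggested: `unsigned int (*get_hflags)(struct x86_emulate_ctxt *ctxt);` and `void (*set_hflags)(struct x86_emulate_ctxt *ctxt, unsigned int hflags);`, with a one-line comment that these read and write vcpu->arch.hflags directly so changes made mid-instruction are not lost. struct x86_emulate_ops starts outside the hunk.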
+@@ -290,7 +293,6 @@ struct x86_emulate_ctxt {
+
+ /* interruptibility state, as a result of execution of STI or MOV SS */
+ int interruptibility;
+- int emul_flags;
+
+ bool perm_ok; /* do not check permissions if true */
+ bool ud; /* inject an #UD if host doesn't support insn */
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -2547,7 +2547,7 @@ static int em_rsm(struct x86_emulate_ctx
+ u64 smbase;
+ int ret;
+
+- if ((ctxt->emul_flags & X86EMUL_SMM_MASK) == 0)
++ if ((ctxt->ops->get_hflags(ctxt) & X86EMUL_SMM_MASK) == 0)
+ return emulate_ud(ctxt);
+
+ /*
+@@ -2596,11 +2596,11 @@ static int em_rsm(struct x86_emulate_ctx
+ return X86EMUL_UNHANDLEABLE;
+ }
+
+- if ((ctxt->emul_flags & X86EMUL_SMM_INSIDE_NMI_MASK) == 0)
++ if ((ctxt->ops->get_hflags(ctxt) & X86EMUL_SMM_INSIDE_NMI_MASK) == 0)
+ ctxt->ops->set_nmi_mask(ctxt, false);
+
+- ctxt->emul_flags &= ~X86EMUL_SMM_INSIDE_NMI_MASK;
+- ctxt->emul_flags &= ~X86EMUL_SMM_MASK;
++ ctxt->ops->set_hflags(ctxt, ctxt->ops->get_hflags(ctxt) &
++ ~(X86EMUL_SMM_INSIDE_NMI_MASK | X86EMUL_SMM_MASK));
+ return X86EMUL_CONTINUE;
+ }
+
+@@ -5317,6 +5317,7 @@ int x86_emulate_insn(struct x86_emulate_
+ const struct x86_emulate_ops *ops = ctxt->ops;
+ int rc = X86EMUL_CONTINUE;
+ int saved_dst_type = ctxt->dst.type;
++ unsigned emul_flags;
+
+ ctxt->mem_read.pos = 0;
+
+@@ -5331,6 +5332,7 @@ int x86_emulate_insn(struct x86_emulate_
+ goto done;
+ }
+
++ emul_flags = ctxt->ops->get_hflags(ctxt);
+ if (unlikely(ctxt->d &
+ (No64|Undefined|Sse|Mmx|Intercept|CheckPerm|Priv|Prot|String))) {
+ if ((ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) ||
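Review bot: `emul_flags` is captured once on the added line, after the early `goto done` paths, and the three X86EMUL_GUEST_MASK checks in the later hunks of x86_emulate_insn read that snapshot rather than the live hflags. That preserves the previous behaviour (the old field was a copy made in init_emulate_ctxt), but without a comment it reads like an accidental cache next to the live get_hflags() calls in em_rsm. Suggested: `/* snapshot per instruction; GUEST_MASK is not expected to change while one insn is emulated */`, hedged because nothing in the hunk shows what the intercept path may do. x86_emulate_insn starts and ends outside the hunk.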
+@@ -5364,7 +5366,7 @@ int x86_emulate_insn(struct x86_emulate_
+ fetch_possible_mmx_operand(ctxt, &ctxt->dst);
+ }
+
+- if (unlikely(ctxt->emul_flags & X86EMUL_GUEST_MASK) && ctxt->intercept) {
++ if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && ctxt->intercept) {
+ rc = emulator_check_intercept(ctxt, ctxt->intercept,
+ X86_ICPT_PRE_EXCEPT);
+ if (rc != X86EMUL_CONTINUE)
+@@ -5393,7 +5395,7 @@ int x86_emulate_insn(struct x86_emulate_
+ goto done;
+ }
+
+- if (unlikely(ctxt->emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
++ if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
+ rc = emulator_check_intercept(ctxt, ctxt->intercept,
+ X86_ICPT_POST_EXCEPT);
+ if (rc != X86EMUL_CONTINUE)
+@@ -5447,7 +5449,7 @@ int x86_emulate_insn(struct x86_emulate_
+
+ special_insn:
+
+- if (unlikely(ctxt->emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
++ if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) {
+ rc = emulator_check_intercept(ctxt, ctxt->intercept,
+ X86_ICPT_POST_MEMACCESS);
+ if (rc != X86EMUL_CONTINUE)
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5248,6 +5248,16 @@ static void emulator_set_nmi_mask(struct
+ kvm_x86_ops->set_nmi_mask(emul_to_vcpu(ctxt), masked);
+ }
+
++static unsigned emulator_get_hflags(struct x86_emulate_ctxt *ctxt)
++{
++ return emul_to_vcpu(ctxt)->arch.hflags;
++}
++
++static void emulator_set_hflags(struct x86_emulate_ctxt *ctxt, unsigned emul_flags)
++{
++ kvm_set_hflags(emul_to_vcpu(ctxt), emul_flags);
++}
++
+ static const struct x86_emulate_ops emulate_ops = {
+ .read_gpr = emulator_read_gpr,
+ .write_gpr = emulator_write_gpr,
+@@ -5287,6 +5297,8 @@ static const struct x86_emulate_ops emul
+ .intercept = emulator_intercept,
+ .get_cpuid = emulator_get_cpuid,
+ .set_nmi_mask = emulator_set_nmi_mask,
++ .get_hflags = emulator_get_hflags,
++ .set_hflags = emulator_set_hflags,
+ };
+
+ static void toggle_interruptibility(struct kvm_vcpu *vcpu, u32 mask)
+@@ -5341,7 +5353,6 @@ static void init_emulate_ctxt(struct kvm
+ BUILD_BUG_ON(HF_GUEST_MASK != X86EMUL_GUEST_MASK);
+ BUILD_BUG_ON(HF_SMM_MASK != X86EMUL_SMM_MASK);
+ BUILD_BUG_ON(HF_SMM_INSIDE_NMI_MASK != X86EMUL_SMM_INSIDE_NMI_MASK);
+- ctxt->emul_flags = vcpu->arch.hflags;
+
+ init_decode_cache(ctxt);
+ vcpu->arch.emulate_regs_need_sync_from_vcpu = false;
+@@ -5744,8 +5755,6 @@ restart:
+ unsigned long rflags = kvm_x86_ops->get_rflags(vcpu);
+ toggle_interruptibility(vcpu, ctxt->interruptibility);
+ vcpu->arch.emulate_regs_need_sync_to_vcpu = false;
+- if (vcpu->arch.hflags != ctxt->emul_flags)
+- kvm_set_hflags(vcpu, ctxt->emul_flags);
+ kvm_rip_write(vcpu, ctxt->eip);
+ if (r == EMULATE_DONE &&
+ (ctxt->tf || (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP)))
--- /dev/null
+From 34b0dadbdf698f9b277a31b2747b625b9a75ea1f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Thu, 18 May 2017 19:37:31 +0200
+Subject: KVM: x86/vPMU: fix undefined shift in intel_pmu_refresh()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Radim Krčmář <rkrcmar@redhat.com>
+
+commit 34b0dadbdf698f9b277a31b2747b625b9a75ea1f upstream.
+
+Static analysis noticed that pmu->nr_arch_gp_counters can be 32
+(INTEL_PMC_MAX_GENERIC) and therefore cannot be used to shift 'int'.
+
+I didn't add BUILD_BUG_ON for it as we have a better checker.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: 25462f7f5295 ("KVM: x86/vPMU: Define kvm_pmu_ops to support vPMU function dispatch")
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/pmu_intel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/pmu_intel.c
++++ b/arch/x86/kvm/pmu_intel.c
+@@ -294,7 +294,7 @@ static void intel_pmu_refresh(struct kvm
+ ((u64)1 << edx.split.bit_width_fixed) - 1;
+ }
+
+- pmu->global_ctrl = ((1 << pmu->nr_arch_gp_counters) - 1) |
++ pmu->global_ctrl = ((1ull << pmu->nr_arch_gp_counters) - 1) |
+ (((1ull << pmu->nr_arch_fixed_counters) - 1) << INTEL_PMC_IDX_FIXED);
+ pmu->global_ctrl_mask = ~pmu->global_ctrl;
+
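Review bot: The widened `1ull <<` is only defined because nr_arch_gp_counters is bounded by INTEL_PMC_MAX_GENERIC (32) per the commit message; nothing on these lines enforces that bound, and a value of 64 or more would be undefined again. A comment recording the assumption next to the shift helps the next reader: `/* nr_arch_gp_counters <= INTEL_PMC_MAX_GENERIC (32), so the 64-bit shift is always in range */`. intel_pmu_refresh starts and ends outside the hunk.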
--- /dev/null
+From f0367ee1d64d27fa08be2407df5c125442e885e3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Thu, 18 May 2017 19:37:30 +0200
+Subject: KVM: x86: zero base3 of unusable segments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Radim Krčmář <rkrcmar@redhat.com>
+
+commit f0367ee1d64d27fa08be2407df5c125442e885e3 upstream.
+
+Static checker noticed that base3 could be used uninitialized if the
+segment was not present (useable). Random stack values probably would
+not pass VMCS entry checks.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: 1aa366163b8b ("KVM: x86 emulator: consolidate segment accessors")
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5098,6 +5098,8 @@ static bool emulator_get_segment(struct
+
+ if (var.unusable) {
+ memset(desc, 0, sizeof(*desc));
++ if (base3)
++ *base3 = 0;
+ return false;
+ }
+
--- /dev/null
+From 9d2ee0a60b8bd9bef2a0082c533736d6a7b39873 Mon Sep 17 00:00:00 2001
+From: Kamal Dasu <kdasu.kdev@gmail.com>
+Date: Fri, 3 Mar 2017 16:16:53 -0500
+Subject: mtd: nand: brcmnand: Check flash #WP pin status before nand erase/program
+
+From: Kamal Dasu <kdasu.kdev@gmail.com>
+
+commit 9d2ee0a60b8bd9bef2a0082c533736d6a7b39873 upstream.
+
+On brcmnand controller v6.x and v7.x, the #WP pin is controlled through
+the NAND_WP bit in CS_SELECT register.
+
+The driver currently assumes that toggling the #WP pin is
+instantaneously enabling/disabling write-protection, but it actually
+takes some time to propagate the new state to the internal NAND chip
+logic. This behavior is sometime causing data corruptions when an
+erase/program operation is executed before write-protection has really
+been disabled.
+
+Fixes: 27c5b17cd1b1 ("mtd: nand: add NAND driver "library" for Broadcom STB NAND controller")
+Signed-off-by: Kamal Dasu <kdasu.kdev@gmail.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/brcmnand/brcmnand.c | 61 +++++++++++++++++++++++++++++++++--
+ 1 file changed, 58 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/nand/brcmnand/brcmnand.c
++++ b/drivers/mtd/nand/brcmnand/brcmnand.c
+@@ -101,6 +101,9 @@ struct brcm_nand_dma_desc {
+ #define BRCMNAND_MIN_BLOCKSIZE (8 * 1024)
+ #define BRCMNAND_MIN_DEVSIZE (4ULL * 1024 * 1024)
+
++#define NAND_CTRL_RDY (INTFC_CTLR_READY | INTFC_FLASH_READY)
++#define NAND_POLL_STATUS_TIMEOUT_MS 100
++
+ /* Controller feature flags */
+ enum {
+ BRCMNAND_HAS_1K_SECTORS = BIT(0),
+@@ -765,6 +768,31 @@ enum {
+ CS_SELECT_AUTO_DEVICE_ID_CFG = BIT(30),
+ };
+
++static int bcmnand_ctrl_poll_status(struct brcmnand_controller *ctrl,
++ u32 mask, u32 expected_val,
++ unsigned long timeout_ms)
++{
++ unsigned long limit;
++ u32 val;
++
++ if (!timeout_ms)
++ timeout_ms = NAND_POLL_STATUS_TIMEOUT_MS;
++
++ limit = jiffies + msecs_to_jiffies(timeout_ms);
++ do {
++ val = brcmnand_read_reg(ctrl, BRCMNAND_INTFC_STATUS);
++ if ((val & mask) == expected_val)
++ return 0;
++
++ cpu_relax();
++ } while (time_after(limit, jiffies));
++
++ dev_warn(ctrl->dev, "timeout on status poll (expected %x got %x)\n",
++ expected_val, val & mask);
++
++ return -ETIMEDOUT;
++}
++
+ static inline void brcmnand_set_wp(struct brcmnand_controller *ctrl, bool en)
+ {
+ u32 val = en ? CS_SELECT_NAND_WP : 0;
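Review bot: The new helper is named `bcmnand_ctrl_poll_status` while every other function in this file uses the `brcmnand_` prefix (brcmnand_set_wp just below it, brcmnand_read_reg inside its loop); `brcmnand_ctrl_poll_status` would match, and the three call sites later in the patch would follow. The timeout `dev_warn` is not rate-limited, yet the helper is called from brcmnand_send_cmd on every native command (where `WARN_ON(ret)` logs again) and from brcmnand_wp (which adds a dev_err_ratelimited), so a flapping controller can flood the log; `dev_warn_ratelimited` here, or leaving logging to the callers, would be safer. The message also prints the unmasked `expected_val` against the masked `val & mask`, which is misleading when the caller passes bits outside the mask.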
+@@ -1024,12 +1052,39 @@ static void brcmnand_wp(struct mtd_info
+
+ if ((ctrl->features & BRCMNAND_HAS_WP) && wp_on == 1) {
+ static int old_wp = -1;
++ int ret;
+
+ if (old_wp != wp) {
+ dev_dbg(ctrl->dev, "WP %s\n", wp ? "on" : "off");
+ old_wp = wp;
+ }
++
++ /*
++ * make sure ctrl/flash ready before and after
++ * changing state of #WP pin
++ */
++ ret = bcmnand_ctrl_poll_status(ctrl, NAND_CTRL_RDY |
++ NAND_STATUS_READY,
++ NAND_CTRL_RDY |
++ NAND_STATUS_READY, 0);
++ if (ret)
++ return;
++
+ brcmnand_set_wp(ctrl, wp);
++ chip->cmdfunc(mtd, NAND_CMD_STATUS, -1, -1);
++ /* NAND_STATUS_WP 0x00 = protected, 0x80 = not protected */
++ ret = bcmnand_ctrl_poll_status(ctrl,
++ NAND_CTRL_RDY |
++ NAND_STATUS_READY |
++ NAND_STATUS_WP,
++ NAND_CTRL_RDY |
++ NAND_STATUS_READY |
++ (wp ? 0 : NAND_STATUS_WP), 0);
++
++ if (ret)
++ dev_err_ratelimited(&host->pdev->dev,
++ "nand #WP expected %s\n",
++ wp ? "on" : "off");
+ }
+ }
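Review bot: On the first poll timeout the function returns before brcmnand_set_wp(), but brcmnand_wp is void, so the erase/program path that asked for write-protect off proceeds with the pin in its previous state and gets nothing beyond the helper's generic warning; the second timeout is reported but equally not propagated. If the callback signature cannot change, the early return at least deserves a message naming the consequence, e.g. `dev_err_ratelimited(&host->pdev->dev, "controller not ready, #WP not changed\n");`. Note also that `old_wp` is updated before the poll and the toggle, so after a failed toggle the next request for the same state does not print the dev_dbg transition. brcmnand_wp starts outside the hunk.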
+
+@@ -1157,15 +1212,15 @@ static irqreturn_t brcmnand_dma_irq(int
+ static void brcmnand_send_cmd(struct brcmnand_host *host, int cmd)
+ {
+ struct brcmnand_controller *ctrl = host->ctrl;
+- u32 intfc;
++ int ret;
+
+ dev_dbg(ctrl->dev, "send native cmd %d addr_lo 0x%x\n", cmd,
+ brcmnand_read_reg(ctrl, BRCMNAND_CMD_ADDRESS));
+ BUG_ON(ctrl->cmd_pending != 0);
+ ctrl->cmd_pending = cmd;
+
+- intfc = brcmnand_read_reg(ctrl, BRCMNAND_INTFC_STATUS);
+- WARN_ON(!(intfc & INTFC_CTLR_READY));
++ ret = bcmnand_ctrl_poll_status(ctrl, NAND_CTRL_RDY, NAND_CTRL_RDY, 0);
++ WARN_ON(ret);
+
+ mb(); /* flush previous writes */
+ brcmnand_write_reg(ctrl, BRCMNAND_CMD_START,
--- /dev/null
+From ee56874f23e5c11576540bd695177a5ebc4f4352 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Date: Tue, 21 Mar 2017 11:03:53 +0100
+Subject: mtd: nand: fsmc: fix NAND width handling
+
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+commit ee56874f23e5c11576540bd695177a5ebc4f4352 upstream.
+
+In commit eea628199d5b ("mtd: Add device-tree support to fsmc_nand"),
+Device Tree support was added to the fmsc_nand driver. However, this
+code has a bug in how it handles the bank-width DT property to set the
+bus width.
+
+Indeed, in the function fsmc_nand_probe_config_dt() that parses the
+Device Tree, it sets pdata->width to either 8 or 16 depending on the
+value of the bank-width DT property.
+
+Then, the ->probe() function will test if pdata->width is equal to
+FSMC_NAND_BW16 (which is 2) to set NAND_BUSWIDTH_16 in
+nand->options. Therefore, with the DT probing, this condition will never
+match.
+
+This commit fixes that by removing the "width" field from
+fsmc_nand_platform_data and instead have the fsmc_nand_probe_config_dt()
+function directly set the appropriate nand->options value.
+
+It is worth mentioning that if this commit gets backported to older
+kernels, prior to the drop of non-DT probing, then non-DT probing will
+be broken because nand->options will no longer be set to
+NAND_BUSWIDTH_16.
+
+Fixes: eea628199d5b ("mtd: Add device-tree support to fsmc_nand")
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/fsmc_nand.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/drivers/mtd/nand/fsmc_nand.c
++++ b/drivers/mtd/nand/fsmc_nand.c
+@@ -150,7 +150,6 @@ struct fsmc_nand_platform_data {
+ struct mtd_partition *partitions;
+ unsigned int nr_partitions;
+ unsigned int options;
+- unsigned int width;
+ unsigned int bank;
+
+ enum access_mode mode;
+@@ -844,18 +843,19 @@ static int fsmc_nand_probe_config_dt(str
+ u32 val;
+ int ret;
+
+- /* Set default NAND width to 8 bits */
+- pdata->width = 8;
++ pdata->options = 0;
++
+ if (!of_property_read_u32(np, "bank-width", &val)) {
+ if (val == 2) {
+- pdata->width = 16;
++ pdata->options |= NAND_BUSWIDTH_16;
+ } else if (val != 1) {
+ dev_err(&pdev->dev, "invalid bank-width %u\n", val);
+ return -EINVAL;
+ }
+ }
++
+ if (of_get_property(np, "nand-skip-bbtscan", NULL))
+- pdata->options = NAND_SKIP_BBTSCAN;
++ pdata->options |= NAND_SKIP_BBTSCAN;
+
+ pdata->nand_timings = devm_kzalloc(&pdev->dev,
+ sizeof(*pdata->nand_timings), GFP_KERNEL);
+@@ -992,9 +992,6 @@ static int __init fsmc_nand_probe(struct
+ nand->badblockbits = 7;
+ nand_set_flash_node(nand, np);
+
+- if (pdata->width == FSMC_NAND_BW16)
+- nand->options |= NAND_BUSWIDTH_16;
+-
+ switch (host->mode) {
+ case USE_DMA_ACCESS:
+ dma_cap_zero(mask);
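Review bot: Removing the `pdata->width == FSMC_NAND_BW16` check means NAND_BUSWIDTH_16 is now set only through fsmc_nand_probe_config_dt(), and the commit message's own "worth mentioning" paragraph warns that on kernels which still support non-DT platform-data probing this leaves 16-bit platform-data users without the flag. Since this is a stable-queue backport, confirm that the target branch's fsmc_nand_probe has no non-DT path, or keep the `width` field and a fallback such as `if (pdata->width == FSMC_NAND_BW16) nand->options |= NAND_BUSWIDTH_16;`. Whether fsmc_nand_probe copies pdata->options into nand->options is outside the hunk and assumed. fsmc_nand_probe starts and ends outside the hunk.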
x86-mm-fix-flush_tlb_page-on-xen.patch
ocfs2-o2hb-revert-hb-threshold-to-keep-compatible.patch
ocfs2-fix-deadlock-caused-by-recursive-locking-in-xattr.patch
+iommu-dma-don-t-reserve-pci-i-o-windows.patch
+iommu-amd-fix-incorrect-error-handling-in-amd_iommu_bind_pasid.patch
+iommu-amd-fix-interrupt-remapping-when-disable-guest_mode.patch
+infiniband-hns-avoid-gcc-7.0.1-warning-for-uninitialized-data.patch
+mtd-nand-brcmnand-check-flash-wp-pin-status-before-nand-erase-program.patch
+mtd-nand-fsmc-fix-nand-width-handling.patch
+kvm-x86-fix-emulation-of-rsm-and-iret-instructions.patch
+kvm-x86-vpmu-fix-undefined-shift-in-intel_pmu_refresh.patch
+kvm-x86-zero-base3-of-unusable-segments.patch
+kvm-nvmx-fix-exception-injection.patch