4.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 30 Mar 2017 08:11:00 +0000 (10:11 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 30 Mar 2017 08:11:00 +0000 (10:11 +0200)
added patches:
c6x-ptrace-remove-useless-ptrace_setregset-implementation.patch
h8300-ptrace-fix-incorrect-register-transfer-count.patch
kvm-nvmx-fix-nested-vpid-vmx-exec-control.patch
kvm-x86-cleanup-the-page-tracking-srcu-instance.patch
metag-ptrace-preserve-previous-registers-for-short-regset-write.patch
metag-ptrace-provide-default-txstatus-for-short-nt_prstatus.patch
metag-ptrace-reject-partial-nt_metag_rpipe-writes.patch
mips-ptrace-preserve-previous-registers-for-short-regset-write.patch
pinctrl-qcom-don-t-clear-status-bit-on-irq_unmask.patch
sparc-ptrace-preserve-previous-registers-for-short-regset-write.patch
virtio_balloon-init-1st-buffer-in-stats-vq.patch

12 files changed:
queue-4.10/c6x-ptrace-remove-useless-ptrace_setregset-implementation.patch [new file with mode: 0644]
queue-4.10/h8300-ptrace-fix-incorrect-register-transfer-count.patch [new file with mode: 0644]
queue-4.10/kvm-nvmx-fix-nested-vpid-vmx-exec-control.patch [new file with mode: 0644]
queue-4.10/kvm-x86-cleanup-the-page-tracking-srcu-instance.patch [new file with mode: 0644]
queue-4.10/metag-ptrace-preserve-previous-registers-for-short-regset-write.patch [new file with mode: 0644]
queue-4.10/metag-ptrace-provide-default-txstatus-for-short-nt_prstatus.patch [new file with mode: 0644]
queue-4.10/metag-ptrace-reject-partial-nt_metag_rpipe-writes.patch [new file with mode: 0644]
queue-4.10/mips-ptrace-preserve-previous-registers-for-short-regset-write.patch [new file with mode: 0644]
queue-4.10/pinctrl-qcom-don-t-clear-status-bit-on-irq_unmask.patch [new file with mode: 0644]
queue-4.10/series
queue-4.10/sparc-ptrace-preserve-previous-registers-for-short-regset-write.patch [new file with mode: 0644]
queue-4.10/virtio_balloon-init-1st-buffer-in-stats-vq.patch [new file with mode: 0644]

diff --git a/queue-4.10/c6x-ptrace-remove-useless-ptrace_setregset-implementation.patch b/queue-4.10/c6x-ptrace-remove-useless-ptrace_setregset-implementation.patch
new file mode 100644 (file)
index 0000000..f0ebb08
--- /dev/null
@@ -0,0 +1,82 @@
+From fb411b837b587a32046dc4f369acb93a10b1def8 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Mon, 27 Mar 2017 15:10:53 +0100
+Subject: c6x/ptrace: Remove useless PTRACE_SETREGSET implementation
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit fb411b837b587a32046dc4f369acb93a10b1def8 upstream.
+
+gpr_set won't work correctly and can never have been tested, and the
+correct behaviour is not clear due to the endianness-dependent task
+layout.
+
+So, just remove it.  The core code will now return -EOPNOTSUPPORT when
+trying to set NT_PRSTATUS on this architecture until/unless a correct
+implementation is supplied.
+
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/c6x/kernel/ptrace.c |   41 -----------------------------------------
+ 1 file changed, 41 deletions(-)
+
+--- a/arch/c6x/kernel/ptrace.c
++++ b/arch/c6x/kernel/ptrace.c
+@@ -69,46 +69,6 @@ static int gpr_get(struct task_struct *t
+                                  0, sizeof(*regs));
+ }
+-static int gpr_set(struct task_struct *target,
+-                 const struct user_regset *regset,
+-                 unsigned int pos, unsigned int count,
+-                 const void *kbuf, const void __user *ubuf)
+-{
+-      int ret;
+-      struct pt_regs *regs = task_pt_regs(target);
+-
+-      /* Don't copyin TSR or CSR */
+-      ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+-                               &regs,
+-                               0, PT_TSR * sizeof(long));
+-      if (ret)
+-              return ret;
+-
+-      ret = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf,
+-                                      PT_TSR * sizeof(long),
+-                                      (PT_TSR + 1) * sizeof(long));
+-      if (ret)
+-              return ret;
+-
+-      ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+-                               &regs,
+-                               (PT_TSR + 1) * sizeof(long),
+-                               PT_CSR * sizeof(long));
+-      if (ret)
+-              return ret;
+-
+-      ret = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf,
+-                                      PT_CSR * sizeof(long),
+-                                      (PT_CSR + 1) * sizeof(long));
+-      if (ret)
+-              return ret;
+-
+-      ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+-                               &regs,
+-                               (PT_CSR + 1) * sizeof(long), -1);
+-      return ret;
+-}
+-
+ enum c6x_regset {
+       REGSET_GPR,
+ };
+@@ -120,7 +80,6 @@ static const struct user_regset c6x_regs
+               .size = sizeof(u32),
+               .align = sizeof(u32),
+               .get = gpr_get,
+-              .set = gpr_set
+       },
+ };
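Review bot: The removed gpr_set passed `&regs` — the address of the local declared as `struct pt_regs *regs = task_pt_regs(target);` — as the copyin destination for a byte range ending at `PT_TSR * sizeof(long)`, so if PT_TSR is greater than one a PTRACE_SETREGSET would have written past a pointer-sized stack slot instead of into the register frame. The patch description says only "won't work correctly"; a sentence naming that in the queue entry would make the severity clear to anyone triaging this backport. Removing the regset setter is the right call and nothing further is needed in the hunk.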
diff --git a/queue-4.10/h8300-ptrace-fix-incorrect-register-transfer-count.patch b/queue-4.10/h8300-ptrace-fix-incorrect-register-transfer-count.patch
new file mode 100644 (file)
index 0000000..ef5a16d
--- /dev/null
@@ -0,0 +1,55 @@
+From 502585c7555083d4a949c08350306b9ec196779e Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Mon, 27 Mar 2017 15:10:54 +0100
+Subject: h8300/ptrace: Fix incorrect register transfer count
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit 502585c7555083d4a949c08350306b9ec196779e upstream.
+
+regs_set() and regs_get() are vulnerable to an off-by-1 buffer overrun
+if CONFIG_CPU_H8S is set, since this adds an extra entry to
+register_offset[] but not to user_regs_struct.
+
+So, iterate over user_regs_struct based on its actual size, not based on
+the length of register_offset[].
+
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/h8300/kernel/ptrace.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/arch/h8300/kernel/ptrace.c
++++ b/arch/h8300/kernel/ptrace.c
+@@ -95,7 +95,8 @@ static int regs_get(struct task_struct *
+       long *reg = (long *)&regs;
+       /* build user regs in buffer */
+-      for (r = 0; r < ARRAY_SIZE(register_offset); r++)
++      BUILD_BUG_ON(sizeof(regs) % sizeof(long) != 0);
++      for (r = 0; r < sizeof(regs) / sizeof(long); r++)
+               *reg++ = h8300_get_reg(target, r);
+       return user_regset_copyout(&pos, &count, &kbuf, &ubuf,
+@@ -113,7 +114,8 @@ static int regs_set(struct task_struct *
+       long *reg;
+       /* build user regs in buffer */
+-      for (reg = (long *)&regs, r = 0; r < ARRAY_SIZE(register_offset); r++)
++      BUILD_BUG_ON(sizeof(regs) % sizeof(long) != 0);
++      for (reg = (long *)&regs, r = 0; r < sizeof(regs) / sizeof(long); r++)
+               *reg++ = h8300_get_reg(target, r);
+       ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+@@ -122,7 +124,7 @@ static int regs_set(struct task_struct *
+               return ret;
+       /* write back to pt_regs */
+-      for (reg = (long *)&regs, r = 0; r < ARRAY_SIZE(register_offset); r++)
++      for (reg = (long *)&regs, r = 0; r < sizeof(regs) / sizeof(long); r++)
+               h8300_put_reg(target, r, *reg++);
+       return 0;
+ }
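Review bot: The new bound `sizeof(regs) / sizeof(long)` closes the overrun in one direction only: if h8300_get_reg() and h8300_put_reg() index register_offset[] by `r`, as the commit message implies, a user_regs_struct that ever grows larger than register_offset[] would now overrun that table instead. A second compile-time check beside the one added here pins both sides: `BUILD_BUG_ON(sizeof(regs) / sizeof(long) > ARRAY_SIZE(register_offset));`. The declaration of `r` is outside the hunk; if it is a plain `int`, comparing it against the `size_t` bound is a signed/unsigned comparison and `unsigned int` would be cleaner. Both regs_get and regs_set start and end outside the hunks.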
diff --git a/queue-4.10/kvm-nvmx-fix-nested-vpid-vmx-exec-control.patch b/queue-4.10/kvm-nvmx-fix-nested-vpid-vmx-exec-control.patch
new file mode 100644 (file)
index 0000000..c2c48a0
--- /dev/null
@@ -0,0 +1,66 @@
+From 63cb6d5f004ca44f9b8e562b6dd191f717a4960e Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Mon, 20 Mar 2017 21:18:53 -0700
+Subject: KVM: nVMX: Fix nested VPID vmx exec control
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+commit 63cb6d5f004ca44f9b8e562b6dd191f717a4960e upstream.
+
+This can be reproduced by running kvm-unit-tests/vmx.flat on L0 w/ vpid disabled.
+
+Test suite: VPID
+Unhandled exception 6 #UD at ip 00000000004051a6
+error_code=0000      rflags=00010047      cs=00000008
+rax=0000000000000000 rcx=0000000000000001 rdx=0000000000000047 rbx=0000000000402f79
+rbp=0000000000456240 rsi=0000000000000001 rdi=0000000000000000
+r8=000000000000000a  r9=00000000000003f8 r10=0000000080010011 r11=0000000000000000
+r12=0000000000000003 r13=0000000000000708 r14=0000000000000000 r15=0000000000000000
+cr0=0000000080010031 cr2=0000000000000000 cr3=0000000007fff000 cr4=0000000000002020
+cr8=0000000000000000
+STACK: @4051a6 40523e 400f7f 402059 40028f
+
+We should hide and forbid VPID in L1 if it is disabled on L0. However, nested VPID
+enable bit is set unconditionally during setup nested vmx exec controls though VPID
+is not exposed through nested VMX capablity. This patch fixes it by don't set nested
+VPID enable bit if it is disabled on L0.
+
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Fixes: 5c614b3583e (KVM: nVMX: nested VPID emulation)
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2811,7 +2811,6 @@ static void nested_vmx_setup_ctls_msrs(s
+               SECONDARY_EXEC_RDTSCP |
+               SECONDARY_EXEC_DESC |
+               SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE |
+-              SECONDARY_EXEC_ENABLE_VPID |
+               SECONDARY_EXEC_APIC_REGISTER_VIRT |
+               SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY |
+               SECONDARY_EXEC_WBINVD_EXITING |
+@@ -2839,10 +2838,12 @@ static void nested_vmx_setup_ctls_msrs(s
+        * though it is treated as global context.  The alternative is
+        * not failing the single-context invvpid, and it is worse.
+        */
+-      if (enable_vpid)
++      if (enable_vpid) {
++              vmx->nested.nested_vmx_secondary_ctls_high |=
++                      SECONDARY_EXEC_ENABLE_VPID;
+               vmx->nested.nested_vmx_vpid_caps = VMX_VPID_INVVPID_BIT |
+                       VMX_VPID_EXTENT_SUPPORTED_MASK;
+-      else
++      } else
+               vmx->nested.nested_vmx_vpid_caps = 0;
+       if (enable_unrestricted_guest)
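Review bot: The rewritten conditional leaves the else arm unbraced at `} else` while the if arm gained braces, which kernel coding style (and checkpatch) rejects for mixed-brace branches; write it as `} else {` / `vmx->nested.nested_vmx_vpid_caps = 0;` / `}`. The logic itself is right: SECONDARY_EXEC_ENABLE_VPID is now advertised to L1 only when enable_vpid is set on L0, matching the vpid_caps it guards. nested_vmx_setup_ctls_msrs continues outside the hunk.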
diff --git a/queue-4.10/kvm-x86-cleanup-the-page-tracking-srcu-instance.patch b/queue-4.10/kvm-x86-cleanup-the-page-tracking-srcu-instance.patch
new file mode 100644 (file)
index 0000000..9223199
--- /dev/null
@@ -0,0 +1,62 @@
+From 2beb6dad2e8f95d710159d5befb390e4f62ab5cf Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 27 Mar 2017 17:53:50 +0200
+Subject: KVM: x86: cleanup the page tracking SRCU instance
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 2beb6dad2e8f95d710159d5befb390e4f62ab5cf upstream.
+
+SRCU uses a delayed work item.  Skip cleaning it up, and
+the result is use-after-free in the work item callbacks.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Suggested-by: Dmitry Vyukov <dvyukov@google.com>
+Fixes: 0eb05bf290cfe8610d9680b49abef37febd1c38a
+Reviewed-by: Xiao Guangrong <xiaoguangrong.eric@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_page_track.h |    1 +
+ arch/x86/kvm/page_track.c             |    8 ++++++++
+ arch/x86/kvm/x86.c                    |    1 +
+ 3 files changed, 10 insertions(+)
+
+--- a/arch/x86/include/asm/kvm_page_track.h
++++ b/arch/x86/include/asm/kvm_page_track.h
+@@ -46,6 +46,7 @@ struct kvm_page_track_notifier_node {
+ };
+ void kvm_page_track_init(struct kvm *kvm);
++void kvm_page_track_cleanup(struct kvm *kvm);
+ void kvm_page_track_free_memslot(struct kvm_memory_slot *free,
+                                struct kvm_memory_slot *dont);
+--- a/arch/x86/kvm/page_track.c
++++ b/arch/x86/kvm/page_track.c
+@@ -158,6 +158,14 @@ bool kvm_page_track_is_active(struct kvm
+       return !!ACCESS_ONCE(slot->arch.gfn_track[mode][index]);
+ }
++void kvm_page_track_cleanup(struct kvm *kvm)
++{
++      struct kvm_page_track_notifier_head *head;
++
++      head = &kvm->arch.track_notifier_head;
++      cleanup_srcu_struct(&head->track_srcu);
++}
++
+ void kvm_page_track_init(struct kvm *kvm)
+ {
+       struct kvm_page_track_notifier_head *head;
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -8052,6 +8052,7 @@ void kvm_arch_destroy_vm(struct kvm *kvm
+       kvm_free_vcpus(kvm);
+       kvfree(rcu_dereference_check(kvm->arch.apic_map, 1));
+       kvm_mmu_uninit_vm(kvm);
++      kvm_page_track_cleanup(kvm);
+ }
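Review bot: kvm_page_track_cleanup() carries no comment stating its ordering contract: cleanup_srcu_struct() must not run while any reader or registered notifier can still touch track_srcu, and the new call sits after kvm_mmu_uninit_vm() in kvm_arch_destroy_vm(), which is presumably what makes that hold. A kernel-doc block on the definition saying that every notifier must be unregistered and all readers quiesced before it is called, and that it is therefore invoked last during VM teardown, would keep a future reordering from reintroducing the use-after-free this fixes. A one-line comment at the x86.c call site noting the same dependency would help equally.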
+ void kvm_arch_free_memslot(struct kvm *kvm, struct kvm_memory_slot *free,
diff --git a/queue-4.10/metag-ptrace-preserve-previous-registers-for-short-regset-write.patch b/queue-4.10/metag-ptrace-preserve-previous-registers-for-short-regset-write.patch
new file mode 100644 (file)
index 0000000..5fa2558
--- /dev/null
@@ -0,0 +1,32 @@
+From a78ce80d2c9178351b34d78fec805140c29c193e Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Mon, 27 Mar 2017 15:10:55 +0100
+Subject: metag/ptrace: Preserve previous registers for short regset write
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit a78ce80d2c9178351b34d78fec805140c29c193e upstream.
+
+Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
+to fill all the registers, the thread's old registers are preserved.
+
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: James Hogan <james.hogan@imgtec.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/metag/kernel/ptrace.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/metag/kernel/ptrace.c
++++ b/arch/metag/kernel/ptrace.c
+@@ -303,7 +303,7 @@ static int metag_tls_set(struct task_str
+                       const void *kbuf, const void __user *ubuf)
+ {
+       int ret;
+-      void __user *tls;
++      void __user *tls = target->thread.tls_ptr;
+       ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1);
+       if (ret)
diff --git a/queue-4.10/metag-ptrace-provide-default-txstatus-for-short-nt_prstatus.patch b/queue-4.10/metag-ptrace-provide-default-txstatus-for-short-nt_prstatus.patch
new file mode 100644 (file)
index 0000000..010686b
--- /dev/null
@@ -0,0 +1,60 @@
+From 5fe81fe98123ce41265c65e95d34418d30d005d1 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Mon, 27 Mar 2017 15:10:56 +0100
+Subject: metag/ptrace: Provide default TXSTATUS for short NT_PRSTATUS
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit 5fe81fe98123ce41265c65e95d34418d30d005d1 upstream.
+
+Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
+to fill TXSTATUS, a well-defined default value is used, based on the
+task's current value.
+
+Suggested-by: James Hogan <james.hogan@imgtec.com>
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/metag/kernel/ptrace.c |   15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/arch/metag/kernel/ptrace.c
++++ b/arch/metag/kernel/ptrace.c
+@@ -24,6 +24,16 @@
+  * user_regset definitions.
+  */
++static unsigned long user_txstatus(const struct pt_regs *regs)
++{
++      unsigned long data = (unsigned long)regs->ctx.Flags;
++
++      if (regs->ctx.SaveMask & TBICTX_CBUF_BIT)
++              data |= USER_GP_REGS_STATUS_CATCH_BIT;
++
++      return data;
++}
++
+ int metag_gp_regs_copyout(const struct pt_regs *regs,
+                         unsigned int pos, unsigned int count,
+                         void *kbuf, void __user *ubuf)
+@@ -62,9 +72,7 @@ int metag_gp_regs_copyout(const struct p
+       if (ret)
+               goto out;
+       /* TXSTATUS */
+-      data = (unsigned long)regs->ctx.Flags;
+-      if (regs->ctx.SaveMask & TBICTX_CBUF_BIT)
+-              data |= USER_GP_REGS_STATUS_CATCH_BIT;
++      data = user_txstatus(regs);
+       ret = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
+                                 &data, 4*25, 4*26);
+       if (ret)
+@@ -119,6 +127,7 @@ int metag_gp_regs_copyin(struct pt_regs
+       if (ret)
+               goto out;
+       /* TXSTATUS */
++      data = user_txstatus(regs);
+       ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+                                &data, 4*25, 4*26);
+       if (ret)
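Review bot: user_txstatus() is undocumented even though both copyout and copyin now depend on it, and the copyin use at `data = user_txstatus(regs);` relies on the decode that follows (outside the hunk) mapping `data` back into ctx.Flags and ctx.SaveMask symmetrically, otherwise a short write would not actually preserve the current value. A comment above the helper such as `/* Build the user-visible TXSTATUS word: ctx.Flags plus the catch bit derived from SaveMask. Also the default for a short NT_PRSTATUS write. */` would record that contract. metag_gp_regs_copyin continues outside the hunk.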
diff --git a/queue-4.10/metag-ptrace-reject-partial-nt_metag_rpipe-writes.patch b/queue-4.10/metag-ptrace-reject-partial-nt_metag_rpipe-writes.patch
new file mode 100644 (file)
index 0000000..bfa6cf6
--- /dev/null
@@ -0,0 +1,35 @@
+From 7195ee3120d878259e8d94a5d9f808116f34d5ea Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Mon, 27 Mar 2017 15:10:57 +0100
+Subject: metag/ptrace: Reject partial NT_METAG_RPIPE writes
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit 7195ee3120d878259e8d94a5d9f808116f34d5ea upstream.
+
+It's not clear what behaviour is sensible when doing partial write of
+NT_METAG_RPIPE, so just don't bother.
+
+This patch assumes that userspace will never rely on a partial SETREGSET
+in this case, since it's not clear what should happen anyway.
+
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: James Hogan <james.hogan@imgtec.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/metag/kernel/ptrace.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/metag/kernel/ptrace.c
++++ b/arch/metag/kernel/ptrace.c
+@@ -253,6 +253,8 @@ int metag_rp_state_copyin(struct pt_regs
+       unsigned long long *ptr;
+       int ret, i;
++      if (count < 4*13)
++              return -EINVAL;
+       /* Read the entire pipeline before making any changes */
+       ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+                                &rp, 0, 4*13);
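Review bot: The new guard `if (count < 4*13)` hard-codes the pipeline size that the copyin two lines later also spells as `4*13`; deriving both from one named constant (or `sizeof(rp)`, if the buffer declared above the hunk is exactly that size) keeps them from drifting apart. The check also assumes the write starts at `pos == 0`, which holds for ptrace's SETREGSET path but is not enforced here; `if (pos != 0 || count < 4*13)` would make the whole-buffer requirement explicit. metag_rp_state_copyin continues outside the hunk.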
diff --git a/queue-4.10/mips-ptrace-preserve-previous-registers-for-short-regset-write.patch b/queue-4.10/mips-ptrace-preserve-previous-registers-for-short-regset-write.patch
new file mode 100644 (file)
index 0000000..84849b1
--- /dev/null
@@ -0,0 +1,32 @@
+From d614fd58a2834cfe4efa472c33c8f3ce2338b09b Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Mon, 27 Mar 2017 15:10:58 +0100
+Subject: mips/ptrace: Preserve previous registers for short regset write
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit d614fd58a2834cfe4efa472c33c8f3ce2338b09b upstream.
+
+Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
+to fill all the registers, the thread's old registers are preserved.
+
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/ptrace.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -485,7 +485,8 @@ static int fpr_set(struct task_struct *t
+                                         &target->thread.fpu,
+                                         0, sizeof(elf_fpregset_t));
+-      for (i = 0; i < NUM_FPU_REGS; i++) {
++      BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t));
++      for (i = 0; i < NUM_FPU_REGS && count >= sizeof(elf_fpreg_t); i++) {
+               err = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+                                        &fpr_val, i * sizeof(elf_fpreg_t),
+                                        (i + 1) * sizeof(elf_fpreg_t));
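Review bot: The new loop condition `count >= sizeof(elf_fpreg_t)` silently ignores a trailing partial register when the supplied length is not a multiple of the register size rather than rejecting it; if that is intended, a comment on the loop — `/* Stop at the last whole register: a trailing partial register is ignored and unwritten registers keep their old values. */` — stops a later reader from treating it as an off-by-one. What becomes of any remaining `count` after the loop is outside the hunk, as is the rest of fpr_set.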
diff --git a/queue-4.10/pinctrl-qcom-don-t-clear-status-bit-on-irq_unmask.patch b/queue-4.10/pinctrl-qcom-don-t-clear-status-bit-on-irq_unmask.patch
new file mode 100644 (file)
index 0000000..ea469b7
--- /dev/null
@@ -0,0 +1,37 @@
+From a6566710adaa4a7dd5e0d99820ff9c9c30ee5951 Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+Date: Tue, 14 Mar 2017 08:23:26 -0700
+Subject: pinctrl: qcom: Don't clear status bit on irq_unmask
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+commit a6566710adaa4a7dd5e0d99820ff9c9c30ee5951 upstream.
+
+Clearing the status bit on irq_unmask will discard any pending interrupt
+that did arrive after the irq_ack, i.e. while the IRQ handler function
+was executing.
+
+Fixes: f365be092572 ("pinctrl: Add Qualcomm TLMM driver")
+Cc: Stephen Boyd <sboyd@codeaurora.org>
+Reported-by: Timur Tabi <timur@codeaurora.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/qcom/pinctrl-msm.c |    4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/pinctrl/qcom/pinctrl-msm.c
++++ b/drivers/pinctrl/qcom/pinctrl-msm.c
+@@ -594,10 +594,6 @@ static void msm_gpio_irq_unmask(struct i
+       spin_lock_irqsave(&pctrl->lock, flags);
+-      val = readl(pctrl->regs + g->intr_status_reg);
+-      val &= ~BIT(g->intr_status_bit);
+-      writel(val, pctrl->regs + g->intr_status_reg);
+-
+       val = readl(pctrl->regs + g->intr_cfg_reg);
+       val |= BIT(g->intr_enable_bit);
+       writel(val, pctrl->regs + g->intr_cfg_reg);
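Review bot: Nothing left in msm_gpio_irq_unmask() records why the status bit is no longer cleared, so the clear could be reintroduced by someone making unmask mirror ack. A one-line comment before the `intr_cfg_reg` read — `/* Don't touch intr_status here: clearing it would drop an interrupt that arrived after irq_ack while the handler ran. */` — carries the commit message into the code. msm_gpio_irq_unmask continues outside the hunk.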
index 5b3fda0a65813afa5988e752b92e912242dd7693..dc2f050f0ffb9917d7017e5468266a0de77d716a 100644 (file)
@@ -1,3 +1,14 @@
 xfrm-policy-init-locks-early.patch
 xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
 xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
+kvm-nvmx-fix-nested-vpid-vmx-exec-control.patch
+kvm-x86-cleanup-the-page-tracking-srcu-instance.patch
+virtio_balloon-init-1st-buffer-in-stats-vq.patch
+pinctrl-qcom-don-t-clear-status-bit-on-irq_unmask.patch
+c6x-ptrace-remove-useless-ptrace_setregset-implementation.patch
+h8300-ptrace-fix-incorrect-register-transfer-count.patch
+mips-ptrace-preserve-previous-registers-for-short-regset-write.patch
+sparc-ptrace-preserve-previous-registers-for-short-regset-write.patch
+metag-ptrace-preserve-previous-registers-for-short-regset-write.patch
+metag-ptrace-provide-default-txstatus-for-short-nt_prstatus.patch
+metag-ptrace-reject-partial-nt_metag_rpipe-writes.patch
diff --git a/queue-4.10/sparc-ptrace-preserve-previous-registers-for-short-regset-write.patch b/queue-4.10/sparc-ptrace-preserve-previous-registers-for-short-regset-write.patch
new file mode 100644 (file)
index 0000000..1d61aa8
--- /dev/null
@@ -0,0 +1,32 @@
+From d3805c546b275c8cc7d40f759d029ae92c7175f2 Mon Sep 17 00:00:00 2001
+From: Dave Martin <Dave.Martin@arm.com>
+Date: Mon, 27 Mar 2017 15:10:59 +0100
+Subject: sparc/ptrace: Preserve previous registers for short regset write
+
+From: Dave Martin <Dave.Martin@arm.com>
+
+commit d3805c546b275c8cc7d40f759d029ae92c7175f2 upstream.
+
+Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
+to fill all the registers, the thread's old registers are preserved.
+
+Signed-off-by: Dave Martin <Dave.Martin@arm.com>
+Acked-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/sparc/kernel/ptrace_64.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/sparc/kernel/ptrace_64.c
++++ b/arch/sparc/kernel/ptrace_64.c
+@@ -350,7 +350,7 @@ static int genregs64_set(struct task_str
+       }
+       if (!ret) {
+-              unsigned long y;
++              unsigned long y = regs->y;
+               ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+                                        &y,
diff --git a/queue-4.10/virtio_balloon-init-1st-buffer-in-stats-vq.patch b/queue-4.10/virtio_balloon-init-1st-buffer-in-stats-vq.patch
new file mode 100644 (file)
index 0000000..e7dc20b
--- /dev/null
@@ -0,0 +1,51 @@
+From fc8653228c8588a120f6b5dad6983b7b61ff669e Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Thu, 23 Mar 2017 08:04:18 +0100
+Subject: virtio_balloon: init 1st buffer in stats vq
+
+From: Ladi Prosek <lprosek@redhat.com>
+
+commit fc8653228c8588a120f6b5dad6983b7b61ff669e upstream.
+
+When init_vqs runs, virtio_balloon.stats is either uninitialized or
+contains stale values. The host updates its state with garbage data
+because it has no way of knowing that this is just a marker buffer
+used for signaling.
+
+This patch updates the stats before pushing the initial buffer.
+
+Alternative fixes:
+* Push an empty buffer in init_vqs. Not easily done with the current
+  virtio implementation and violates the spec "Driver MUST supply the
+  same subset of statistics in all buffers submitted to the statsq".
+* Push a buffer with invalid tags in init_vqs. Violates the same
+  spec clause, plus "invalid tag" is not really defined.
+
+Note: the spec says:
+       When using the legacy interface, the device SHOULD ignore all values in
+       the first buffer in the statsq supplied by the driver after device
+       initialization. Note: Historically, drivers supplied an uninitialized
+       buffer in the first buffer.
+
+Unfortunately QEMU does not seem to implement the recommendation
+even for the legacy interface.
+
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio_balloon.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -427,6 +427,8 @@ static int init_vqs(struct virtio_balloo
+                * Prime this virtqueue with one buffer so the hypervisor can
+                * use it to signal us later (it can't be broken yet!).
+                */
++              update_balloon_stats(vb);
++
+               sg_init_one(&sg, vb->stats, sizeof vb->stats);
+               if (virtqueue_add_outbuf(vb->stats_vq, &sg, 1, vb, GFP_KERNEL)
+                   < 0)
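Review bot: The added `update_balloon_stats(vb);` has no comment explaining why it must precede the priming buffer, and the existing comment above it still describes that buffer purely as a signalling marker. Extending that comment with a sentence like "The host may read this first buffer as real statistics, so fill it with current values before queueing it." records the reason at the site. Whether update_balloon_stats() is safe to call this early in probe, before the rest of init_vqs completes, is not visible in the hunk and is worth confirming; init_vqs continues outside the hunk.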