--- /dev/null
+From 5c05483e2db91890faa9a7be0a831701a3f442d6 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Fri, 20 Jun 2014 16:24:49 +0530
+Subject: ARC: [nsimosci] Allow "headless" models to boot
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit 5c05483e2db91890faa9a7be0a831701a3f442d6 upstream.
+
+There are certain test configuration of virtual platform which don't
+have any real console device (uart/pgu). So add tty0 as a fallback console
+device to allow system to boot and be accessible via telnet
+
+Otherwise with ttyS0 as only console, but 8250 disabled in kernel build,
+init chokes.
+
+Reported-by: Anton Kolesov <akolesov@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/boot/dts/nsimosci.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/boot/dts/nsimosci.dts
++++ b/arch/arc/boot/dts/nsimosci.dts
+@@ -20,7 +20,7 @@
+ /* this is for console on PGU */
+ /* bootargs = "console=tty0 consoleblank=0"; */
+ /* this is for console on serial */
+- bootargs = "earlycon=uart8250,mmio32,0xc0000000,115200n8 console=ttyS0,115200n8 consoleblank=0 debug";
++ bootargs = "earlycon=uart8250,mmio32,0xc0000000,115200n8 console=tty0 console=ttyS0,115200n8 consoleblank=0 debug";
+ };
+
+ aliases {
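Review bot: The surviving comment `/* this is for console on serial */` directly above the changed bootargs line is now inaccurate, since the line registers both a tty0 and a ttyS0 console. Suggest rewording it to `/* console on tty0 (fallback for headless models) and on serial */`. Because the kernel treats the last console= option as /dev/console, the serial port stays the primary console here and tty0 is only an additional output; saying so in the comment would spare the next reader from wondering whether the order matters.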
--- /dev/null
+From 52e9bae93802bd29c33be11e9e758ad7daac805f Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Sat, 27 Sep 2014 12:53:41 +0530
+Subject: ARC: unbork FPU save/restore
+
+From: Vineet Gupta <vgupta@synopsys.com>
+
+commit 52e9bae93802bd29c33be11e9e758ad7daac805f upstream.
+
+Fixes: 2ab402dfd65d15a4b2 "ARC: make start_thread() out-of-line"
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/arcregs.h | 8 --------
+ arch/arc/include/asm/processor.h | 9 +++++++++
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+--- a/arch/arc/include/asm/arcregs.h
++++ b/arch/arc/include/asm/arcregs.h
+@@ -191,14 +191,6 @@
+ #define PAGES_TO_KB(n_pages) ((n_pages) << (PAGE_SHIFT - 10))
+ #define PAGES_TO_MB(n_pages) (PAGES_TO_KB(n_pages) >> 10)
+
+-#ifdef CONFIG_ARC_FPU_SAVE_RESTORE
+-/* These DPFP regs need to be saved/restored across ctx-sw */
+-struct arc_fpu {
+- struct {
+- unsigned int l, h;
+- } aux_dpfp[2];
+-};
+-#endif
+
+ /*
+ ***************************************************************
+--- a/arch/arc/include/asm/processor.h
++++ b/arch/arc/include/asm/processor.h
+@@ -20,6 +20,15 @@
+
+ #include <asm/ptrace.h>
+
++#ifdef CONFIG_ARC_FPU_SAVE_RESTORE
++/* These DPFP regs need to be saved/restored across ctx-sw */
++struct arc_fpu {
++ struct {
++ unsigned int l, h;
++ } aux_dpfp[2];
++};
++#endif
++
+ /* Arch specific stuff which needs to be saved per task.
+ * However these items are not so important so as to earn a place in
+ * struct thread_info
--- /dev/null
+From ebc0c74e76cec9c4dd860eb0ca1c0b39dc63c482 Mon Sep 17 00:00:00 2001
+From: Anton Kolesov <Anton.Kolesov@synopsys.com>
+Date: Thu, 25 Sep 2014 13:23:24 +0400
+Subject: ARC: Update order of registers in KGDB to match GDB 7.5
+
+From: Anton Kolesov <Anton.Kolesov@synopsys.com>
+
+commit ebc0c74e76cec9c4dd860eb0ca1c0b39dc63c482 upstream.
+
+Order of registers has changed in GDB moving from 6.8 to 7.5. This patch
+updates KGDB to work properly with GDB 7.5, though makes it incompatible
+with 6.8.
+
+Signed-off-by: Anton Kolesov <Anton.Kolesov@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/kgdb.h | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+--- a/arch/arc/include/asm/kgdb.h
++++ b/arch/arc/include/asm/kgdb.h
+@@ -19,7 +19,7 @@
+ * register API yet */
+ #undef DBG_MAX_REG_NUM
+
+-#define GDB_MAX_REGS 39
++#define GDB_MAX_REGS 87
+
+ #define BREAK_INSTR_SIZE 2
+ #define CACHE_FLUSH_IS_SAFE 1
+@@ -33,23 +33,27 @@ static inline void arch_kgdb_breakpoint(
+
+ extern void kgdb_trap(struct pt_regs *regs);
+
+-enum arc700_linux_regnums {
++/* This is the numbering of registers according to the GDB. See GDB's
++ * arc-tdep.h for details.
++ *
++ * Registers are ordered for GDB 7.5. It is incompatible with GDB 6.8. */
++enum arc_linux_regnums {
+ _R0 = 0,
+ _R1, _R2, _R3, _R4, _R5, _R6, _R7, _R8, _R9, _R10, _R11, _R12, _R13,
+ _R14, _R15, _R16, _R17, _R18, _R19, _R20, _R21, _R22, _R23, _R24,
+ _R25, _R26,
+- _BTA = 27,
+- _LP_START = 28,
+- _LP_END = 29,
+- _LP_COUNT = 30,
+- _STATUS32 = 31,
+- _BLINK = 32,
+- _FP = 33,
+- __SP = 34,
+- _EFA = 35,
+- _RET = 36,
+- _ORIG_R8 = 37,
+- _STOP_PC = 38
++ _FP = 27,
++ __SP = 28,
++ _R30 = 30,
++ _BLINK = 31,
++ _LP_COUNT = 60,
++ _STOP_PC = 64,
++ _RET = 64,
++ _LP_START = 65,
++ _LP_END = 66,
++ _STATUS32 = 67,
++ _ECR = 76,
++ _BTA = 82,
+ };
+
+ #else
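Review bot: `_STOP_PC` and `_RET` are both assigned 64 in the new enum, and nothing says whether that aliasing is deliberate; a reader comparing with the old table, where they were 38 and 36, will suspect a typo. Suggest a comment on those two entries, e.g. `/* GDB exposes a single pc register (64); _STOP_PC and _RET both map to it */`, and a second one stating that the unassigned numbers (29, 32-59, 61-63 and so on) are GDB registers Linux does not expose, if that is indeed the reason for the gaps. The new GDB_MAX_REGS of 87 in the first hunk does cover the largest value here (82); any array in kgdb.c indexed by these enumerators is outside the patch and worth checking against the new numbering.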
--- /dev/null
+From 0d0f660d882c1c02748ced13966a2413aa5d6cc2 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Sun, 5 Oct 2014 02:13:03 -0700
+Subject: iser-target: Disable TX completion interrupt coalescing
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 0d0f660d882c1c02748ced13966a2413aa5d6cc2 upstream.
+
+This patch explicitly disables TX completion interrupt coalescing logic
+in isert_put_response() and isert_put_datain() that was originally added
+as an efficiency optimization in commit 95b60f07.
+
+It has been reported that this change can trigger ABORT_TASK timeouts
+under certain small block workloads, where disabling coalescing was
+required for stability. According to Sagi, this doesn't impact
+overall performance, so go ahead and disable it for now.
+
+Reported-by: Moussa Ba <moussaba@micron.com>
+Reported-by: Sagi Grimberg <sagig@dev.mellanox.co.il>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -2185,7 +2185,7 @@ isert_put_response(struct iscsi_conn *co
+ isert_cmd->tx_desc.num_sge = 2;
+ }
+
+- isert_init_send_wr(isert_conn, isert_cmd, send_wr, true);
++ isert_init_send_wr(isert_conn, isert_cmd, send_wr, false);
+
+ pr_debug("Posting SCSI Response IB_WR_SEND >>>>>>>>>>>>>>>>>>>>>>\n");
+
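Review bot: The bare `false` literal passed as the last argument to isert_init_send_wr() here and in the isert_put_datain() hunk below says nothing about what is being switched off, and the reason given in the commit message (ABORT_TASK timeouts under small-block workloads) is not visible at either call site. Suggest a one-line comment above each call, e.g. `/* no TX completion coalescing: it has been seen to trigger ABORT_TASK timeouts under small-block workloads */`, or a named `bool` local so the intent reads from the call itself. Both enclosing functions start before their hunks.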
+@@ -2884,7 +2884,7 @@ isert_put_datain(struct iscsi_conn *conn
+ &isert_cmd->tx_desc.iscsi_header);
+ isert_init_tx_hdrs(isert_conn, &isert_cmd->tx_desc);
+ isert_init_send_wr(isert_conn, isert_cmd,
+- &isert_cmd->tx_desc.send_wr, true);
++ &isert_cmd->tx_desc.send_wr, false);
+ isert_cmd->rdma_wr.s_send_wr.next = &isert_cmd->tx_desc.send_wr;
+ wr->send_wr_num += 1;
+ }
--- /dev/null
+From a430c9166312e1aa3d80bce32374233bdbfeba32 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu, 23 Oct 2014 14:54:14 +0200
+Subject: KVM: emulate: avoid accessing NULL ctxt->memopp
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit a430c9166312e1aa3d80bce32374233bdbfeba32 upstream.
+
+A failure to decode the instruction can cause a NULL pointer access.
+This is fixed simply by moving the "done" label as close as possible
+to the return.
+
+This fixes CVE-2014-8481.
+
+Reported-by: Andy Lutomirski <luto@amacapital.net>
+Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -4481,10 +4481,10 @@ done_prefixes:
+ /* Decode and fetch the destination operand: register or memory. */
+ rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
+
+-done:
+ if (ctxt->rip_relative)
+ ctxt->memopp->addr.mem.ea += ctxt->_eip;
+
++done:
+ return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
+ }
+
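Review bot: The moved `done:` label now makes the rip-relative fixup conditional on the decode having succeeded, but nothing in the code records that `ctxt->memopp` is only valid on that path, which is exactly the invariant the fix relies on. Suggest a comment above the `if (ctxt->rip_relative)` line, e.g. `/* memopp is set only by a successful operand decode; every error path must jump past this fixup */`, so a future early exit added between decode_operand() and the label does not reintroduce the NULL dereference. A defensive `if (ctxt->rip_relative && ctxt->memopp)` would additionally cover a decode that sets rip_relative without ever recording a memory operand, though whether that combination is reachable cannot be judged from this hunk. x86_decode_insn() begins well before the hunk.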
--- /dev/null
+From 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f Mon Sep 17 00:00:00 2001
+From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Date: Fri, 17 Oct 2014 22:55:59 +0200
+Subject: kvm: fix excessive pages un-pinning in kvm_iommu_map error path.
+
+From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+
+commit 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f upstream.
+
+The third parameter of kvm_unpin_pages() when called from
+kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin
+and not the page size.
+
+This error was facilitated with an inconsistent API: kvm_pin_pages() takes
+a size, but kvn_unpin_pages() takes a number of pages, so fix the problem
+by matching the two.
+
+This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter
+of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of
+un-pinning for pages intended to be un-pinned (i.e. memory leak) but
+unfortunately potentially aggravated the number of pages we un-pin that
+should have stayed pinned. As far as I understand though, the same
+practical mitigations apply.
+
+This issue was found during review of Red Hat 6.6 patches to prepare
+Ksplice rebootless updates.
+
+Thanks to Vegard for his time on a late Friday evening to help me in
+understanding this code.
+
+Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
+Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
+Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/iommu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/virt/kvm/iommu.c
++++ b/virt/kvm/iommu.c
+@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct k
+ gfn_t base_gfn, unsigned long npages);
+
+ static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn,
+- unsigned long size)
++ unsigned long npages)
+ {
+ gfn_t end_gfn;
+ pfn_t pfn;
+
+ pfn = gfn_to_pfn_memslot(slot, gfn);
+- end_gfn = gfn + (size >> PAGE_SHIFT);
++ end_gfn = gfn + npages;
+ gfn += 1;
+
+ if (is_error_noslot_pfn(pfn))
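Review bot: kvm_pin_pages() has no comment stating its contract, and its third parameter just changed meaning from a byte size to a page count, which is precisely the confusion the commit message describes. Suggest a kernel-doc block above the definition along the lines of: pin @npages pages starting at @gfn in @slot and return the pfn of the first one (presumably, from the gfn_to_pfn_memslot() call) or an error pfn; callers pass a page count, never a byte length. The body continues past the end of the hunk.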
+@@ -119,7 +119,7 @@ int kvm_iommu_map_pages(struct kvm *kvm,
+ * Pin all pages we are about to map in memory. This is
+ * important because we unmap and unpin in 4kb steps later.
+ */
+- pfn = kvm_pin_pages(slot, gfn, page_size);
++ pfn = kvm_pin_pages(slot, gfn, page_size >> PAGE_SHIFT);
+ if (is_error_noslot_pfn(pfn)) {
+ gfn += 1;
+ continue;
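Review bot: `page_size >> PAGE_SHIFT` is now computed separately at the kvm_pin_pages() call here and at the kvm_unpin_pages() call in the next hunk, so the pin and unpin counts stay equal only by textual coincidence. Suggest computing it once where page_size is obtained, which is above this hunk, e.g. `unsigned long npages = page_size >> PAGE_SHIFT;`, and passing `npages` to both calls so the two cannot drift apart again. kvm_iommu_map_pages() starts before the hunk.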
+@@ -131,7 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm,
+ if (r) {
+ printk(KERN_ERR "kvm_iommu_map_address:"
+ "iommu failed to map pfn=%llx\n", pfn);
+- kvm_unpin_pages(kvm, pfn, page_size);
++ kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT);
+ goto unmap_pages;
+ }
+
--- /dev/null
+From a642fc305053cc1c6e47e4f4df327895747ab485 Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Tue, 23 Sep 2014 20:22:30 +0200
+Subject: kvm: vmx: handle invvpid vm exit gracefully
+
+From: Petr Matousek <pmatouse@redhat.com>
+
+commit a642fc305053cc1c6e47e4f4df327895747ab485 upstream.
+
+On systems with invvpid instruction support (corresponding bit in
+IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invvpid
+causes vm exit, which is currently not handled and results in
+propagation of unknown exit to userspace.
+
+Fix this by installing an invvpid vm exit handler.
+
+This is CVE-2014-3646.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/uapi/asm/vmx.h | 2 ++
+ arch/x86/kvm/vmx.c | 9 ++++++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/uapi/asm/vmx.h
++++ b/arch/x86/include/uapi/asm/vmx.h
+@@ -67,6 +67,7 @@
+ #define EXIT_REASON_EPT_MISCONFIG 49
+ #define EXIT_REASON_INVEPT 50
+ #define EXIT_REASON_PREEMPTION_TIMER 52
++#define EXIT_REASON_INVVPID 53
+ #define EXIT_REASON_WBINVD 54
+ #define EXIT_REASON_XSETBV 55
+ #define EXIT_REASON_APIC_WRITE 56
+@@ -114,6 +115,7 @@
+ { EXIT_REASON_EOI_INDUCED, "EOI_INDUCED" }, \
+ { EXIT_REASON_INVALID_STATE, "INVALID_STATE" }, \
+ { EXIT_REASON_INVD, "INVD" }, \
++ { EXIT_REASON_INVVPID, "INVVPID" }, \
+ { EXIT_REASON_INVPCID, "INVPCID" }
+
+ #endif /* _UAPIVMX_H */
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6639,6 +6639,12 @@ static int handle_invept(struct kvm_vcpu
+ return 1;
+ }
+
++static int handle_invvpid(struct kvm_vcpu *vcpu)
++{
++ kvm_queue_exception(vcpu, UD_VECTOR);
++ return 1;
++}
++
+ /*
+ * The exit handlers return 1 if the exit was handled fully and guest execution
+ * may resume. Otherwise they set the kvm_run parameter to indicate what needs
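Review bot: handle_invvpid() injects #UD without a comment explaining why that is the architecturally right response, while the commit message only says the exit was previously unhandled. Suggest a comment in the body, e.g. `/* VPID is not exposed to nested guests, so INVVPID is an undefined opcode from the guest's point of view; #UD matches hardware without the feature */`, with the first half confirmed against the nested-VMX capability code, which is outside this hunk. The tracepoint name added in the uapi header already covers observability of the exit.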
+@@ -6684,6 +6690,7 @@ static int (*const kvm_vmx_exit_handlers
+ [EXIT_REASON_MWAIT_INSTRUCTION] = handle_mwait,
+ [EXIT_REASON_MONITOR_INSTRUCTION] = handle_monitor,
+ [EXIT_REASON_INVEPT] = handle_invept,
++ [EXIT_REASON_INVVPID] = handle_invvpid,
+ };
+
+ static const int kvm_vmx_max_exit_handlers =
+@@ -6917,7 +6924,7 @@ static bool nested_vmx_exit_handled(stru
+ case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD:
+ case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE:
+ case EXIT_REASON_VMOFF: case EXIT_REASON_VMON:
+- case EXIT_REASON_INVEPT:
++ case EXIT_REASON_INVEPT: case EXIT_REASON_INVVPID:
+ /*
+ * VMX instructions trap unconditionally. This allows L1 to
+ * emulate them for its L2 guest, i.e., allows 3-level nesting!
--- /dev/null
+From 854e8bb1aa06c578c2c9145fa6bfe3680ef63b23 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Tue, 16 Sep 2014 03:24:05 +0300
+Subject: KVM: x86: Check non-canonical addresses upon WRMSR
+
+From: Nadav Amit <namit@cs.technion.ac.il>
+
+commit 854e8bb1aa06c578c2c9145fa6bfe3680ef63b23 upstream.
+
+Upon WRMSR, the CPU should inject #GP if a non-canonical value (address) is
+written to certain MSRs. The behavior is "almost" identical for AMD and Intel
+(ignoring MSRs that are not implemented in either architecture since they would
+anyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
+non-canonical address is written on Intel but not on AMD (which ignores the top
+32-bits).
+
+Accordingly, this patch injects a #GP on the MSRs which behave identically on
+Intel and AMD. To eliminate the differences between the architecutres, the
+value which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to
+canonical value before writing instead of injecting a #GP.
+
+Some references from Intel and AMD manuals:
+
+According to Intel SDM description of WRMSR instruction #GP is expected on
+WRMSR "If the source register contains a non-canonical address and ECX
+specifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,
+IA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP."
+
+According to AMD manual instruction manual:
+LSTAR/CSTAR (SYSCALL): "The WRMSR instruction loads the target RIP into the
+LSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical
+form, a general-protection exception (#GP) occurs."
+IA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): "The address written to the
+base field must be in canonical form or a #GP fault will occur."
+IA32_KERNEL_GS_BASE (SWAPGS): "The address stored in the KernelGSbase MSR must
+be in canonical form."
+
+This patch fixes CVE-2014-3610.
+
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_host.h | 14 ++++++++++++++
+ arch/x86/kvm/svm.c | 2 +-
+ arch/x86/kvm/vmx.c | 2 +-
+ arch/x86/kvm/x86.c | 27 ++++++++++++++++++++++++++-
+ 4 files changed, 42 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -991,6 +991,20 @@ static inline void kvm_inject_gp(struct
+ kvm_queue_exception_e(vcpu, GP_VECTOR, error_code);
+ }
+
++static inline u64 get_canonical(u64 la)
++{
++ return ((int64_t)la << 16) >> 16;
++}
++
++static inline bool is_noncanonical_address(u64 la)
++{
++#ifdef CONFIG_X86_64
++ return get_canonical(la) != la;
++#else
++ return false;
++#endif
++}
++
+ #define TSS_IOPB_BASE_OFFSET 0x66
+ #define TSS_BASE_SIZE 0x68
+ #define TSS_IOPB_SIZE (65536 / 8)
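Review bot: `((int64_t)la << 16) >> 16` in get_canonical() left-shifts a signed value, which is undefined behavior in C whenever `la` has bit 63 set or the shift overflows, i.e. for exactly the non-canonical inputs this helper exists to handle; the kernel's compilers produce the intended sign extension in practice, but the portable form shifts unsigned and casts afterwards: `return (int64_t)(la << 16) >> 16;`. The hard-coded 16 also bakes in 48-bit linear addresses; a named constant (or deriving the width from the guest's CPUID, which would need code outside this hunk) would make that assumption visible. is_noncanonical_address() correctly short-circuits to false on 32-bit builds.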
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3234,7 +3234,7 @@ static int wrmsr_interception(struct vcp
+ msr.host_initiated = false;
+
+ svm->next_rip = kvm_rip_read(&svm->vcpu) + 2;
+- if (svm_set_msr(&svm->vcpu, &msr)) {
++ if (kvm_set_msr(&svm->vcpu, &msr)) {
+ trace_kvm_msr_write_ex(ecx, data);
+ kvm_inject_gp(&svm->vcpu, 0);
+ } else {
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -5266,7 +5266,7 @@ static int handle_wrmsr(struct kvm_vcpu
+ msr.data = data;
+ msr.index = ecx;
+ msr.host_initiated = false;
+- if (vmx_set_msr(vcpu, &msr) != 0) {
++ if (kvm_set_msr(vcpu, &msr) != 0) {
+ trace_kvm_msr_write_ex(ecx, data);
+ kvm_inject_gp(vcpu, 0);
+ return 1;
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -989,7 +989,6 @@ void kvm_enable_efer_bits(u64 mask)
+ }
+ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits);
+
+-
+ /*
+ * Writes msr value into into the appropriate "register".
+ * Returns 0 on success, non-0 otherwise.
+@@ -997,8 +996,34 @@ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits);
+ */
+ int kvm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
+ {
++ switch (msr->index) {
++ case MSR_FS_BASE:
++ case MSR_GS_BASE:
++ case MSR_KERNEL_GS_BASE:
++ case MSR_CSTAR:
++ case MSR_LSTAR:
++ if (is_noncanonical_address(msr->data))
++ return 1;
++ break;
++ case MSR_IA32_SYSENTER_EIP:
++ case MSR_IA32_SYSENTER_ESP:
++ /*
++ * IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
++ * non-canonical address is written on Intel but not on
++ * AMD (which ignores the top 32-bits, because it does
++ * not implement 64-bit SYSENTER).
++ *
++ * 64-bit code should hence be able to write a non-canonical
++ * value on AMD. Making the address canonical ensures that
++ * vmentry does not fail on Intel after writing a non-canonical
++ * value, and that something deterministic happens if the guest
++ * invokes 64-bit SYSENTER.
++ */
++ msr->data = get_canonical(msr->data);
++ }
+ return kvm_x86_ops->set_msr(vcpu, msr);
+ }
++EXPORT_SYMBOL_GPL(kvm_set_msr);
+
+ /*
+ * Adapt set_msr() to msr_io()'s calling convention
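Review bot: The new `switch` in kvm_set_msr() has no `default:` and its last case falls off the end without a `break`, so the next MSR added below IA32_SYSENTER_ESP silently inherits the canonicalization; adding `break;` after `msr->data = get_canonical(msr->data);` and a `default: break;` makes the structure explicit. The check also applies to host-initiated writes, since msr->host_initiated is not consulted, so a userspace restore of a non-canonical value now fails in kvm_set_msr() rather than reaching the vendor set_msr; if that is intended it deserves a sentence in the comment, otherwise guard with `if (!msr->host_initiated && is_noncanonical_address(msr->data))`. Returning 1 for the #GP case matches the non-0 convention in the comment above the function.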
--- /dev/null
+From 08da44aedba0f493e10695fa334348a7a4f72eb3 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Fri, 3 Oct 2014 01:10:04 +0300
+Subject: KVM: x86: Decoding guest instructions which cross page boundary may fail
+
+From: Nadav Amit <namit@cs.technion.ac.il>
+
+commit 08da44aedba0f493e10695fa334348a7a4f72eb3 upstream.
+
+Once an instruction crosses a page boundary, the size read from the second page
+disregards the common case that part of the operand resides on the first page.
+As a result, fetch of long insturctions may fail, and thereby cause the
+decoding to fail as well.
+
+Fixes: 5cfc7e0f5e5e1adf998df94f8e36edaf5d30d38e
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -773,8 +773,10 @@ static int __do_insn_fetch_bytes(struct
+ static __always_inline int do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt,
+ unsigned size)
+ {
+- if (unlikely(ctxt->fetch.end - ctxt->fetch.ptr < size))
+- return __do_insn_fetch_bytes(ctxt, size);
++ unsigned done_size = ctxt->fetch.end - ctxt->fetch.ptr;
++
++ if (unlikely(done_size < size))
++ return __do_insn_fetch_bytes(ctxt, size - done_size);
+ else
+ return X86EMUL_CONTINUE;
+ }
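Review bot: `done_size` names the number of bytes already sitting in the fetch cache, but nothing says so and the fetch.end/fetch.ptr subtraction is the only hint; a comment such as `/* bytes already fetched and still unconsumed in the cache */` above the declaration would make the `size - done_size` request self-explanatory. The `else` after `return` is redundant and could be dropped for the usual early-return shape. The pointer difference is stored in an `unsigned`, so a fetch.end behind fetch.ptr would wrap to a huge value and skip the fetch entirely; whether that state is reachable cannot be told from this hunk.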
--- /dev/null
+From 2bc19dc3754fc066c43799659f0d848631c44cfe Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Thu, 18 Sep 2014 16:21:16 +0300
+Subject: kvm: x86: don't kill guest on unknown exit reason
+
+From: "Michael S. Tsirkin" <mst@redhat.com>
+
+commit 2bc19dc3754fc066c43799659f0d848631c44cfe upstream.
+
+KVM_EXIT_UNKNOWN is a kvm bug, we don't really know whether it was
+triggered by a priveledged application. Let's not kill the guest: WARN
+and inject #UD instead.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/svm.c | 6 +++---
+ arch/x86/kvm/vmx.c | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3534,9 +3534,9 @@ static int handle_exit(struct kvm_vcpu *
+
+ if (exit_code >= ARRAY_SIZE(svm_exit_handlers)
+ || !svm_exit_handlers[exit_code]) {
+- kvm_run->exit_reason = KVM_EXIT_UNKNOWN;
+- kvm_run->hw.hardware_exit_reason = exit_code;
+- return 0;
++ WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_code);
++ kvm_queue_exception(vcpu, UD_VECTOR);
++ return 1;
+ }
+
+ return svm_exit_handlers[exit_code](svm);
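Review bot: The WARN_ONCE() added in svm.c's handle_exit() says `vmx:` in its message, copied from the vmx.c hunk below, so a warning from an AMD host will point readers at the wrong code; change it to `WARN_ONCE(1, "svm: unexpected exit reason 0x%x\n", exit_code);`. Note also that WARN_ONCE() reports only the first unknown exit, so a guest repeatedly hitting this path is invisible afterwards except through the #UD it receives; a rate-limited or per-reason message would keep that signal if it matters operationally.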
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7058,10 +7058,10 @@ static int vmx_handle_exit(struct kvm_vc
+ && kvm_vmx_exit_handlers[exit_reason])
+ return kvm_vmx_exit_handlers[exit_reason](vcpu);
+ else {
+- vcpu->run->exit_reason = KVM_EXIT_UNKNOWN;
+- vcpu->run->hw.hardware_exit_reason = exit_reason;
++ WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_reason);
++ kvm_queue_exception(vcpu, UD_VECTOR);
++ return 1;
+ }
+- return 0;
+ }
+
+ static void update_cr8_intercept(struct kvm_vcpu *vcpu, int tpr, int irr)
--- /dev/null
+From 13e457e0eebf0a0c82c38ceb890d93eb826d62a6 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Mon, 13 Oct 2014 13:04:13 +0300
+Subject: KVM: x86: Emulator does not decode clflush well
+
+From: Nadav Amit <namit@cs.technion.ac.il>
+
+commit 13e457e0eebf0a0c82c38ceb890d93eb826d62a6 upstream.
+
+Currently, all group15 instructions are decoded as clflush (e.g., mfence,
+xsave). In addition, the clflush instruction requires no prefix (66/f2/f3)
+would exist. If prefix exists it may encode a different instruction (e.g.,
+clflushopt).
+
+Creating a group for clflush, and different group for each prefix.
+
+This has been the case forever, but the next patch needs the cflush group
+in order to fix a bug introduced in 3.17.
+
+Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -3376,6 +3376,12 @@ static int em_bswap(struct x86_emulate_c
+ return X86EMUL_CONTINUE;
+ }
+
++static int em_clflush(struct x86_emulate_ctxt *ctxt)
++{
++ /* emulating clflush regardless of cpuid */
++ return X86EMUL_CONTINUE;
++}
++
+ static bool valid_cr(int nr)
+ {
+ switch (nr) {
+@@ -3708,6 +3714,16 @@ static const struct opcode group11[] = {
+ X7(D(Undefined)),
+ };
+
++static const struct gprefix pfx_0f_ae_7 = {
++ I(0, em_clflush), N, N, N,
++};
++
++static const struct group_dual group15 = { {
++ N, N, N, N, N, N, N, GP(0, &pfx_0f_ae_7),
++}, {
++ N, N, N, N, N, N, N, N,
++} };
++
+ static const struct gprefix pfx_0f_6f_0f_7f = {
+ I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
+ };
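Review bot: The new group15 table makes every 0F AE encoding except the no-prefix /7 (clflush) undefined, including the register forms in the second half of the group_dual where the fence instructions live, and the consequence of that change, a #UD where the old `D(ModRM)` entry silently accepted everything, is not recorded anywhere in the code. Suggest a comment above pfx_0f_ae_7 such as `/* 0F AE /7: clflush only; the 66/F2/F3 forms encode other instructions and stay undefined */` and one above group15 noting that the remaining slots are deliberately N rather than not-yet-filled. The twobyte_table change in the next hunk inherits the same behavior.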
+@@ -3967,7 +3983,7 @@ static const struct opcode twobyte_table
+ F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
+ F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd),
+ F(DstMem | SrcReg | Src2CL | ModRM, em_shrd),
+- D(ModRM), F(DstReg | SrcMem | ModRM, em_imul),
++ GD(0, &group15), F(DstReg | SrcMem | ModRM, em_imul),
+ /* 0xB0 - 0xB7 */
+ I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_cmpxchg),
+ I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
+@@ -4894,8 +4910,6 @@ twobyte_insn:
+ case 0x90 ... 0x9f: /* setcc r/m8 */
+ ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
+ break;
+- case 0xae: /* clflush */
+- break;
+ case 0xb6 ... 0xb7: /* movzx */
+ ctxt->dst.bytes = ctxt->op_bytes;
+ ctxt->dst.val = (ctxt->src.bytes == 1) ? (u8) ctxt->src.val
--- /dev/null
+From 234f3ce485d54017f15cf5e0699cff4100121601 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Thu, 18 Sep 2014 22:39:38 +0300
+Subject: KVM: x86: Emulator fixes for eip canonical checks on near branches
+
+From: Nadav Amit <namit@cs.technion.ac.il>
+
+commit 234f3ce485d54017f15cf5e0699cff4100121601 upstream.
+
+Before changing rip (during jmp, call, ret, etc.) the target should be asserted
+to be canonical one, as real CPUs do. During sysret, both target rsp and rip
+should be canonical. If any of these values is noncanonical, a #GP exception
+should occur. The exception to this rule are syscall and sysenter instructions
+in which the assigned rip is checked during the assignment to the relevant
+MSRs.
+
+This patch fixes the emulator to behave as real CPUs do for near branches.
+Far branches are handled by the next patch.
+
+This fixes CVE-2014-3647.
+
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 78 +++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 54 insertions(+), 24 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -563,7 +563,8 @@ static int emulate_nm(struct x86_emulate
+ return emulate_exception(ctxt, NM_VECTOR, 0, false);
+ }
+
+-static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
++static inline int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
++ int cs_l)
+ {
+ switch (ctxt->op_bytes) {
+ case 2:
+@@ -573,16 +574,25 @@ static inline void assign_eip_near(struc
+ ctxt->_eip = (u32)dst;
+ break;
+ case 8:
++ if ((cs_l && is_noncanonical_address(dst)) ||
++ (!cs_l && (dst & ~(u32)-1)))
++ return emulate_gp(ctxt, 0);
+ ctxt->_eip = dst;
+ break;
+ default:
+ WARN(1, "unsupported eip assignment size\n");
+ }
++ return X86EMUL_CONTINUE;
++}
++
++static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
++{
++ return assign_eip_far(ctxt, dst, ctxt->mode == X86EMUL_MODE_PROT64);
+ }
+
+-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
++static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
+ {
+- assign_eip_near(ctxt, ctxt->_eip + rel);
++ return assign_eip_near(ctxt, ctxt->_eip + rel);
+ }
+
+ static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
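Review bot: The 32-bit-segment guard in the `case 8` branch, `(!cs_l && (dst & ~(u32)-1))`, can never fire: `(u32)-1` is 0xffffffff and `~` applied to it in 32-bit unsigned arithmetic yields 0, so the mask is 0 and that conjunct is always false. A branch into a non-long code segment with any of RIP[63:32] set is therefore not rejected, which defeats half of what this fix sets out to do; the check should read `(!cs_l && (dst >> 32) != 0)`. The canonical-address half of the condition is unaffected. The body of assign_eip_far() starts in the preceding hunk.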
+@@ -2014,13 +2024,15 @@ static int em_grp45(struct x86_emulate_c
+ case 2: /* call near abs */ {
+ long int old_eip;
+ old_eip = ctxt->_eip;
+- ctxt->_eip = ctxt->src.val;
++ rc = assign_eip_near(ctxt, ctxt->src.val);
++ if (rc != X86EMUL_CONTINUE)
++ break;
+ ctxt->src.val = old_eip;
+ rc = em_push(ctxt);
+ break;
+ }
+ case 4: /* jmp abs */
+- ctxt->_eip = ctxt->src.val;
++ rc = assign_eip_near(ctxt, ctxt->src.val);
+ break;
+ case 5: /* jmp far */
+ rc = em_jmp_far(ctxt);
+@@ -2055,10 +2067,14 @@ static int em_cmpxchg8b(struct x86_emula
+
+ static int em_ret(struct x86_emulate_ctxt *ctxt)
+ {
+- ctxt->dst.type = OP_REG;
+- ctxt->dst.addr.reg = &ctxt->_eip;
+- ctxt->dst.bytes = ctxt->op_bytes;
+- return em_pop(ctxt);
++ int rc;
++ unsigned long eip;
++
++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
++ if (rc != X86EMUL_CONTINUE)
++ return rc;
++
++ return assign_eip_near(ctxt, eip);
+ }
+
+ static int em_ret_far(struct x86_emulate_ctxt *ctxt)
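Review bot: `unsigned long eip;` in em_ret() is left uninitialized and emulate_pop() is asked for only ctxt->op_bytes bytes, so if it copies just that many (presumably), the upper bytes of `eip` hold stack garbage for 16- and 32-bit operand sizes when it reaches assign_eip_near(); the result is right only because assign_eip_near() masks to op_bytes, a dependency that is nowhere stated. Initializing with `unsigned long eip = 0;` removes the indeterminate read and keeps the masking a defense rather than a requirement. The same applies to the `eip` local added to em_ret_near_imm() later in this patch.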
+@@ -2339,7 +2355,7 @@ static int em_sysexit(struct x86_emulate
+ {
+ const struct x86_emulate_ops *ops = ctxt->ops;
+ struct desc_struct cs, ss;
+- u64 msr_data;
++ u64 msr_data, rcx, rdx;
+ int usermode;
+ u16 cs_sel = 0, ss_sel = 0;
+
+@@ -2355,6 +2371,9 @@ static int em_sysexit(struct x86_emulate
+ else
+ usermode = X86EMUL_MODE_PROT32;
+
++ rcx = reg_read(ctxt, VCPU_REGS_RCX);
++ rdx = reg_read(ctxt, VCPU_REGS_RDX);
++
+ cs.dpl = 3;
+ ss.dpl = 3;
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
+@@ -2372,6 +2391,9 @@ static int em_sysexit(struct x86_emulate
+ ss_sel = cs_sel + 8;
+ cs.d = 0;
+ cs.l = 1;
++ if (is_noncanonical_address(rcx) ||
++ is_noncanonical_address(rdx))
++ return emulate_gp(ctxt, 0);
+ break;
+ }
+ cs_sel |= SELECTOR_RPL_MASK;
+@@ -2380,8 +2402,8 @@ static int em_sysexit(struct x86_emulate
+ ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
+ ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
+
+- ctxt->_eip = reg_read(ctxt, VCPU_REGS_RDX);
+- *reg_write(ctxt, VCPU_REGS_RSP) = reg_read(ctxt, VCPU_REGS_RCX);
++ ctxt->_eip = rdx;
++ *reg_write(ctxt, VCPU_REGS_RSP) = rcx;
+
+ return X86EMUL_CONTINUE;
+ }
+@@ -2922,10 +2944,13 @@ static int em_aad(struct x86_emulate_ctx
+
+ static int em_call(struct x86_emulate_ctxt *ctxt)
+ {
++ int rc;
+ long rel = ctxt->src.val;
+
+ ctxt->src.val = (unsigned long)ctxt->_eip;
+- jmp_rel(ctxt, rel);
++ rc = jmp_rel(ctxt, rel);
++ if (rc != X86EMUL_CONTINUE)
++ return rc;
+ return em_push(ctxt);
+ }
+
+@@ -2957,11 +2982,12 @@ static int em_call_far(struct x86_emulat
+ static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
+ {
+ int rc;
++ unsigned long eip;
+
+- ctxt->dst.type = OP_REG;
+- ctxt->dst.addr.reg = &ctxt->_eip;
+- ctxt->dst.bytes = ctxt->op_bytes;
+- rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
++ if (rc != X86EMUL_CONTINUE)
++ return rc;
++ rc = assign_eip_near(ctxt, eip);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+ rsp_increment(ctxt, ctxt->src.val);
+@@ -3292,20 +3318,24 @@ static int em_lmsw(struct x86_emulate_ct
+
+ static int em_loop(struct x86_emulate_ctxt *ctxt)
+ {
++ int rc = X86EMUL_CONTINUE;
++
+ register_address_increment(ctxt, reg_rmw(ctxt, VCPU_REGS_RCX), -1);
+ if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
+ (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+
+- return X86EMUL_CONTINUE;
++ return rc;
+ }
+
+ static int em_jcxz(struct x86_emulate_ctxt *ctxt)
+ {
++ int rc = X86EMUL_CONTINUE;
++
+ if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+
+- return X86EMUL_CONTINUE;
++ return rc;
+ }
+
+ static int em_in(struct x86_emulate_ctxt *ctxt)
+@@ -4770,7 +4800,7 @@ special_insn:
+ break;
+ case 0x70 ... 0x7f: /* jcc (short) */
+ if (test_cc(ctxt->b, ctxt->eflags))
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+ break;
+ case 0x8d: /* lea r16/r32, m */
+ ctxt->dst.val = ctxt->src.addr.mem.ea;
+@@ -4800,7 +4830,7 @@ special_insn:
+ break;
+ case 0xe9: /* jmp rel */
+ case 0xeb: /* jmp rel short */
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+ ctxt->dst.type = OP_NONE; /* Disable writeback. */
+ break;
+ case 0xf4: /* hlt */
+@@ -4923,7 +4953,7 @@ twobyte_insn:
+ break;
+ case 0x80 ... 0x8f: /* jnz rel, etc*/
+ if (test_cc(ctxt->b, ctxt->eflags))
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+ break;
+ case 0x90 ... 0x9f: /* setcc r/m8 */
+ ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
--- /dev/null
+From 05c83ec9b73c8124555b706f6af777b10adf0862 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Thu, 18 Sep 2014 22:39:37 +0300
+Subject: KVM: x86: Fix wrong masking on relative jump/call
+
+From: Nadav Amit <namit@cs.technion.ac.il>
+
+commit 05c83ec9b73c8124555b706f6af777b10adf0862 upstream.
+
+Relative jumps and calls do the masking according to the operand size, and not
+according to the address size as the KVM emulator does today.
+
+This patch fixes KVM behavior.
+
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -504,11 +504,6 @@ static void rsp_increment(struct x86_emu
+ masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
+ }
+
+-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
+-{
+- register_address_increment(ctxt, &ctxt->_eip, rel);
+-}
+-
+ static u32 desc_limit_scaled(struct desc_struct *desc)
+ {
+ u32 limit = get_desc_limit(desc);
+@@ -568,6 +563,28 @@ static int emulate_nm(struct x86_emulate
+ return emulate_exception(ctxt, NM_VECTOR, 0, false);
+ }
+
++static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
++{
++ switch (ctxt->op_bytes) {
++ case 2:
++ ctxt->_eip = (u16)dst;
++ break;
++ case 4:
++ ctxt->_eip = (u32)dst;
++ break;
++ case 8:
++ ctxt->_eip = dst;
++ break;
++ default:
++ WARN(1, "unsupported eip assignment size\n");
++ }
++}
++
++static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
++{
++ assign_eip_near(ctxt, ctxt->_eip + rel);
++}
++
+ static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
+ {
+ u16 selector;
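Review bot: assign_eip_near() carries no comment stating its contract, and its default branch WARNs but leaves ctxt->_eip unchanged while the void return gives jmp_rel() no way to notice. A header comment such as `/* Assign a near branch target, truncating it to the operand size (not the address size); op_bytes is expected to be 2, 4 or 8 */` would record both the masking rule the commit message describes and the silent fall-through. In jmp_rel(), `ctxt->_eip + rel` adds a possibly negative int to an unsigned long; the wraparound is well defined and the truncation in assign_eip_near() gives the intended result, but `/* negative rel wraps; truncated to op_bytes below */` would save the next reader the analysis.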
--- /dev/null
+From d1442d85cc30ea75f7d399474ca738e0bc96f715 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Thu, 18 Sep 2014 22:39:39 +0300
+Subject: KVM: x86: Handle errors when RIP is set during far jumps
+
+From: Nadav Amit <namit@cs.technion.ac.il>
+
+commit d1442d85cc30ea75f7d399474ca738e0bc96f715 upstream.
+
+Far jmp/call/ret may fault while loading a new RIP. Currently KVM does not
+handle this case, and may result in failed vm-entry once the assignment is
+done. The tricky part of doing so is that loading the new CS affects the
+VMCS/VMCB state, so if we fail during loading the new RIP, we are left in
+unconsistent state. Therefore, this patch saves on 64-bit the old CS
+descriptor and restores it if loading RIP failed.
+
+This fixes CVE-2014-3647.
+
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 118 ++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 88 insertions(+), 30 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -1467,7 +1467,9 @@ static int write_segment_descriptor(stru
+
+ /* Does not support long mode */
+ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
+- u16 selector, int seg, u8 cpl, bool in_task_switch)
++ u16 selector, int seg, u8 cpl,
++ bool in_task_switch,
++ struct desc_struct *desc)
+ {
+ struct desc_struct seg_desc, old_desc;
+ u8 dpl, rpl;
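Review bot: The new `desc` out-parameter is undocumented; the only comment on __load_segment_descriptor() still reads `/* Does not support long mode */`. Since the next hunk writes `*desc = seg_desc` only on the success path after set_segment(), a line such as `/* @desc: if non-NULL, receives the descriptor that was loaded; left untouched on failure */` above the function would tell callers that the struct is not valid when an exception is returned. The function body continues outside the hunk.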
+@@ -1599,6 +1601,8 @@ static int __load_segment_descriptor(str
+ }
+ load:
+ ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg);
++ if (desc)
++ *desc = seg_desc;
+ return X86EMUL_CONTINUE;
+ exception:
+ emulate_exception(ctxt, err_vec, err_code, true);
+@@ -1609,7 +1613,7 @@ static int load_segment_descriptor(struc
+ u16 selector, int seg)
+ {
+ u8 cpl = ctxt->ops->cpl(ctxt);
+- return __load_segment_descriptor(ctxt, selector, seg, cpl, false);
++ return __load_segment_descriptor(ctxt, selector, seg, cpl, false, NULL);
+ }
+
+ static void write_register_operand(struct operand *op)
+@@ -2003,17 +2007,31 @@ static int em_iret(struct x86_emulate_ct
+ static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
+ {
+ int rc;
+- unsigned short sel;
++ unsigned short sel, old_sel;
++ struct desc_struct old_desc, new_desc;
++ const struct x86_emulate_ops *ops = ctxt->ops;
++ u8 cpl = ctxt->ops->cpl(ctxt);
++
++ /* Assignment of RIP may only fail in 64-bit mode */
++ if (ctxt->mode == X86EMUL_MODE_PROT64)
++ ops->get_segment(ctxt, &old_sel, &old_desc, NULL,
++ VCPU_SREG_CS);
+
+ memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
+
+- rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS);
++ rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl, false,
++ &new_desc);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+- ctxt->_eip = 0;
+- memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
+- return X86EMUL_CONTINUE;
++ rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l);
++ if (rc != X86EMUL_CONTINUE) {
++ WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64);
++ /* assigning eip failed; restore the old cs */
++ ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
++ return rc;
++ }
++ return rc;
+ }
+
+ static int em_grp45(struct x86_emulate_ctxt *ctxt)
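Review bot: `WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64);` does not test what the comment above it says: `!` binds before `!=`, so the expression compares 0 or 1 against the PROT64 enumerator and, unless that enumerator happens to be 0 or 1, the warning fires on every failure regardless of mode. The intended check is `WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);`; em_ret_far in the next hunk has the same expression. This matters because old_sel/old_desc are only filled in when mode is PROT64, so if the assumption that assign_eip_far() can only fail in 64-bit mode ever breaks, the restore call writes uninitialized stack data into CS and the warning is the only thing that would catch it. The `return rc;` inside the if block duplicates the one after it and can be dropped.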
+@@ -2080,21 +2098,34 @@ static int em_ret(struct x86_emulate_ctx
+ static int em_ret_far(struct x86_emulate_ctxt *ctxt)
+ {
+ int rc;
+- unsigned long cs;
++ unsigned long eip, cs;
++ u16 old_cs;
+ int cpl = ctxt->ops->cpl(ctxt);
++ struct desc_struct old_desc, new_desc;
++ const struct x86_emulate_ops *ops = ctxt->ops;
++
++ if (ctxt->mode == X86EMUL_MODE_PROT64)
++ ops->get_segment(ctxt, &old_cs, &old_desc, NULL,
++ VCPU_SREG_CS);
+
+- rc = emulate_pop(ctxt, &ctxt->_eip, ctxt->op_bytes);
++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+- if (ctxt->op_bytes == 4)
+- ctxt->_eip = (u32)ctxt->_eip;
+ rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+ /* Outer-privilege level return is not implemented */
+ if (ctxt->mode >= X86EMUL_MODE_PROT16 && (cs & 3) > cpl)
+ return X86EMUL_UNHANDLEABLE;
+- rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
++ rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, 0, false,
++ &new_desc);
++ if (rc != X86EMUL_CONTINUE)
++ return rc;
++ rc = assign_eip_far(ctxt, eip, new_desc.l);
++ if (rc != X86EMUL_CONTINUE) {
++ WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64);
++ ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
++ }
+ return rc;
+ }
+
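Review bot: The new __load_segment_descriptor() call passes a literal `0` as cpl, whereas the load_segment_descriptor() wrapper it replaces (visible in the earlier hunk of this patch) passes `ctxt->ops->cpl(ctxt)`, a value this function already holds in `cpl` and uses for the outer-privilege check two lines above. Unless running the descriptor checks as if the guest were at CPL 0 is intended — which the commit message does not say — the call should be `rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, cpl, false, &new_desc);`, since the privilege checks inside __load_segment_descriptor (outside the hunk) presumably depend on it. The WARN_ON expression here has the same precedence problem as the one in em_jmp_far. As in em_jmp_far, old_cs/old_desc are only initialized in PROT64 mode.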
+@@ -2521,19 +2552,24 @@ static int load_state_from_tss16(struct
+ * Now load segment descriptors. If fault happens at this stage
+ * it is handled in a context of new task
+ */
+- ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+
+@@ -2658,25 +2694,32 @@ static int load_state_from_tss32(struct
+ * Now load segment descriptors. If fault happenes at this stage
+ * it is handled in a context of new task
+ */
+- ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR,
++ cpl, true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+
+@@ -2959,24 +3002,39 @@ static int em_call_far(struct x86_emulat
+ u16 sel, old_cs;
+ ulong old_eip;
+ int rc;
++ struct desc_struct old_desc, new_desc;
++ const struct x86_emulate_ops *ops = ctxt->ops;
++ int cpl = ctxt->ops->cpl(ctxt);
+
+- old_cs = get_segment_selector(ctxt, VCPU_SREG_CS);
+ old_eip = ctxt->_eip;
++ ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS);
+
+ memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
+- if (load_segment_descriptor(ctxt, sel, VCPU_SREG_CS))
++ rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl, false,
++ &new_desc);
++ if (rc != X86EMUL_CONTINUE)
+ return X86EMUL_CONTINUE;
+
+- ctxt->_eip = 0;
+- memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
++ rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l);
++ if (rc != X86EMUL_CONTINUE)
++ goto fail;
+
+ ctxt->src.val = old_cs;
+ rc = em_push(ctxt);
+ if (rc != X86EMUL_CONTINUE)
+- return rc;
++ goto fail;
+
+ ctxt->src.val = old_eip;
+- return em_push(ctxt);
++ rc = em_push(ctxt);
++ /* If we failed, we tainted the memory, but the very least we should
++ restore cs */
++ if (rc != X86EMUL_CONTINUE)
++ goto fail;
++ return rc;
++fail:
++ ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
++ return rc;
++
+ }
+
+ static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
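Review bot: When the CS load fails, `if (rc != X86EMUL_CONTINUE) return X86EMUL_CONTINUE;` still discards the error even though the hunk now captures it in rc; em_jmp_far and em_ret_far in this same patch return rc at the equivalent point. This is pre-existing behaviour carried over by the rewrite, but since the failure path of __load_segment_descriptor raises an exception, returning CONTINUE presumably lets emulation proceed as if the far call had succeeded, so `return rc;` looks like the consistent choice. Two style nits: the `fail:` label is followed by a stray blank line before the closing brace, and the `/* If we failed, ... */` comment should use the kernel's multi-line comment layout.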
--- /dev/null
+From 2febc839133280d5a5e8e1179c94ea674489dae2 Mon Sep 17 00:00:00 2001
+From: Andy Honig <ahonig@google.com>
+Date: Wed, 27 Aug 2014 14:42:54 -0700
+Subject: KVM: x86: Improve thread safety in pit
+
+From: Andy Honig <ahonig@google.com>
+
+commit 2febc839133280d5a5e8e1179c94ea674489dae2 upstream.
+
+There's a race condition in the PIT emulation code in KVM. In
+__kvm_migrate_pit_timer the pit_timer object is accessed without
+synchronization. If the race condition occurs at the wrong time this
+can crash the host kernel.
+
+This fixes CVE-2014-3611.
+
+Signed-off-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/i8254.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/i8254.c
++++ b/arch/x86/kvm/i8254.c
+@@ -262,8 +262,10 @@ void __kvm_migrate_pit_timer(struct kvm_
+ return;
+
+ timer = &pit->pit_state.timer;
++ mutex_lock(&pit->pit_state.lock);
+ if (hrtimer_cancel(timer))
+ hrtimer_start_expires(timer, HRTIMER_MODE_ABS);
++ mutex_unlock(&pit->pit_state.lock);
+ }
+
+ static void destroy_pit_timer(struct kvm_pit *pit)
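Review bot: The new mutex_lock()/mutex_unlock() pair around the hrtimer cancel/restart carries no comment saying what it serializes against, and the function it sits in starts outside the hunk. A one-liner such as `/* pit_state.lock: the timer is (re)programmed under this lock elsewhere */` above mutex_lock() would record the invariant the fix relies on — presumably that other paths touching pit_state.timer hold the same lock, which the hunk does not show. The early `return;` at the top of the hunk happens before the lock is taken, so no unlock is missed there.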
--- /dev/null
+From 3f6f1480d86bf9fc16c160d803ab1d006e3058d5 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@cs.technion.ac.il>
+Date: Mon, 13 Oct 2014 13:04:14 +0300
+Subject: KVM: x86: PREFETCH and HINT_NOP should have SrcMem flag
+
+From: Nadav Amit <namit@cs.technion.ac.il>
+
+commit 3f6f1480d86bf9fc16c160d803ab1d006e3058d5 upstream.
+
+The decode phase of the x86 emulator assumes that every instruction with the
+ModRM flag, and which can be used with RIP-relative addressing, has either
+SrcMem or DstMem. This is not the case for several instructions - prefetch,
+hint-nop and clflush.
+
+Adding SrcMem|NoAccess for prefetch and hint-nop and SrcMem for clflush.
+
+This fixes CVE-2014-8480.
+
+Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5
+Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -3715,7 +3715,7 @@ static const struct opcode group11[] = {
+ };
+
+ static const struct gprefix pfx_0f_ae_7 = {
+- I(0, em_clflush), N, N, N,
++ I(SrcMem | ByteOp, em_clflush), N, N, N,
+ };
+
+ static const struct group_dual group15 = { {
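Review bot: The clflush entry becomes `I(SrcMem | ByteOp, em_clflush)` while the commit message only mentions adding SrcMem; ByteOp is not explained, and unlike the prefetch/hint-nop entries in the next hunk this one omits NoAccess, so the decoder will actually read one byte at the operand address. If that is deliberate — clflush takes an m8 operand and faults on an inaccessible address, so a byte read would reproduce that — a comment on the entry such as `/* clflush m8: read the byte so an unmapped operand faults */` or a sentence in the commit message would spare the next reader the question.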
+@@ -3928,10 +3928,11 @@ static const struct opcode twobyte_table
+ N, I(ImplicitOps | EmulateOnUD, em_syscall),
+ II(ImplicitOps | Priv, em_clts, clts), N,
+ DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
+- N, D(ImplicitOps | ModRM), N, N,
++ N, D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N,
+ /* 0x10 - 0x1F */
+ N, N, N, N, N, N, N, N,
+- D(ImplicitOps | ModRM), N, N, N, N, N, N, D(ImplicitOps | ModRM),
++ D(ImplicitOps | ModRM | SrcMem | NoAccess),
++ N, N, N, N, N, N, D(ImplicitOps | ModRM | SrcMem | NoAccess),
+ /* 0x20 - 0x2F */
+ DIP(ModRM | DstMem | Priv | Op3264 | NoMod, cr_read, check_cr_read),
+ DIP(ModRM | DstMem | Priv | Op3264 | NoMod, dr_read, check_dr_read),
--- /dev/null
+From 8b3c3104c3f4f706e99365c3e0d2aa61b95f969f Mon Sep 17 00:00:00 2001
+From: Andy Honig <ahonig@google.com>
+Date: Wed, 27 Aug 2014 11:16:44 -0700
+Subject: KVM: x86: Prevent host from panicking on shared MSR writes.
+
+From: Andy Honig <ahonig@google.com>
+
+commit 8b3c3104c3f4f706e99365c3e0d2aa61b95f969f upstream.
+
+The previous patch blocked invalid writes directly when the MSR
+is written. As a precaution, prevent future similar mistakes by
+gracefully handling GPs caused by writes to shared MSRs.
+
+Signed-off-by: Andrew Honig <ahonig@google.com>
+[Remove parts obsoleted by Nadav's patch. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_host.h | 2 +-
+ arch/x86/kvm/vmx.c | 7 +++++--
+ arch/x86/kvm/x86.c | 11 ++++++++---
+ 3 files changed, 14 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1049,7 +1049,7 @@ int kvm_cpu_get_interrupt(struct kvm_vcp
+ void kvm_vcpu_reset(struct kvm_vcpu *vcpu);
+
+ void kvm_define_shared_msr(unsigned index, u32 msr);
+-void kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
++int kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
+
+ bool kvm_is_linear_rip(struct kvm_vcpu *vcpu, unsigned long linear_rip);
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2632,12 +2632,15 @@ static int vmx_set_msr(struct kvm_vcpu *
+ default:
+ msr = find_msr_entry(vmx, msr_index);
+ if (msr) {
++ u64 old_msr_data = msr->data;
+ msr->data = data;
+ if (msr - vmx->guest_msrs < vmx->save_nmsrs) {
+ preempt_disable();
+- kvm_set_shared_msr(msr->index, msr->data,
+- msr->mask);
++ ret = kvm_set_shared_msr(msr->index, msr->data,
++ msr->mask);
+ preempt_enable();
++ if (ret)
++ msr->data = old_msr_data;
+ }
+ break;
+ }
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -229,20 +229,25 @@ static void kvm_shared_msr_cpu_online(vo
+ shared_msr_update(i, shared_msrs_global.msrs[i]);
+ }
+
+-void kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
++int kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
+ {
+ unsigned int cpu = smp_processor_id();
+ struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu);
++ int err;
+
+ if (((value ^ smsr->values[slot].curr) & mask) == 0)
+- return;
++ return 0;
+ smsr->values[slot].curr = value;
+- wrmsrl(shared_msrs_global.msrs[slot], value);
++ err = wrmsrl_safe(shared_msrs_global.msrs[slot], value);
++ if (err)
++ return 1;
++
+ if (!smsr->registered) {
+ smsr->urn.on_user_return = kvm_on_user_return;
+ user_return_notifier_register(&smsr->urn);
+ smsr->registered = true;
+ }
++ return 0;
+ }
+ EXPORT_SYMBOL_GPL(kvm_set_shared_msr);
+
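Review bot: `smsr->values[slot].curr = value;` is still written before wrmsrl_safe() and is not undone when the write is rejected, so after a failed write the per-CPU shadow claims a value the hardware never accepted. The immediate caller (vmx_set_msr in the previous hunk) restores its own msr->data, but the `curr` mismatch persists, and the early-out comparison at the top of this function will then report success for a later write of that same value without touching the hardware. Moving the assignment below the error check — `if (err) return 1;` followed by `smsr->values[slot].curr = value;` — keeps the shadow equal to what was actually written. Returning a hard-coded `1` instead of err is fine for the single nonzero test in vmx_set_msr, but a comment noting that callers only test for nonzero would help.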
--- /dev/null
+From 8c5bcded11cb607b1bb5920de3b9c882136d27db Mon Sep 17 00:00:00 2001
+From: Ulrich Eckhardt <uli-lirc@uli-eckhardt.de>
+Date: Fri, 10 Oct 2014 14:19:12 -0300
+Subject: media: ds3000: fix LNB supply voltage on Tevii S480 on initialization
+
+From: Ulrich Eckhardt <uli-lirc@uli-eckhardt.de>
+
+commit 8c5bcded11cb607b1bb5920de3b9c882136d27db upstream.
+
+The Tevii S480 outputs 18V on startup for the LNB supply voltage and does not
+automatically power down. This blocks other receivers connected
+to a satellite channel router (EN50494), since the receivers can not send the
+required DiSEqC sequences when the Tevii card is connected to the same SCR.
+
+This patch switches off the LNB supply voltage on initialization of the frontend.
+
+[mchehab@osg.samsung.com: add a comment about why we're explicitly
+ turning off voltage at device init]
+Signed-off-by: Ulrich Eckhardt <uli@uli-eckhardt.de>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/dvb-frontends/ds3000.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/media/dvb-frontends/ds3000.c
++++ b/drivers/media/dvb-frontends/ds3000.c
+@@ -864,6 +864,13 @@ struct dvb_frontend *ds3000_attach(const
+ memcpy(&state->frontend.ops, &ds3000_ops,
+ sizeof(struct dvb_frontend_ops));
+ state->frontend.demodulator_priv = state;
++
++ /*
++ * Some devices like T480 starts with voltage on. Be sure
++ * to turn voltage off during init, as this can otherwise
++ * interfere with Unicable SCR systems.
++ */
++ ds3000_set_voltage(&state->frontend, SEC_VOLTAGE_OFF);
+ return &state->frontend;
+
+ error3:
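Review bot: The new comment says `T480` while the subject and commit message name the Tevii `S480`; the comment should read `Some devices like the S480 start with voltage on.` Also, the return value of ds3000_set_voltage() is ignored, so an I2C failure while switching the LNB supply off goes unnoticed; attach probably should not fail on it, but the result could at least be logged with the driver's existing debug/printk helper. The enclosing ds3000_attach() starts outside the hunk.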
--- /dev/null
+From fb91bde9d3664dd879655f3a1013c0b5728e7a09 Mon Sep 17 00:00:00 2001
+From: Frank Schaefer <fschaefer.oss@googlemail.com>
+Date: Fri, 27 Dec 2013 00:16:13 -0300
+Subject: media: em28xx: check if a device has audio earlier"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frank Schaefer <fschaefer.oss@googlemail.com>
+
+commit fb91bde9d3664dd879655f3a1013c0b5728e7a09 upstream.
+
+GIT_AUTHOR_DATE=1409603039
+This reverts
+
+commit b99f0aadd33fad269c8e62b5bec8b5c012a44a56
+Author: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+ [media] em28xx: check if a device has audio earlier
+
+ Better to split chipset detection from the audio setup. So, move the
+ detection code to em28xx_init_dev().
+
+It broke analog audio of the Hauppauge winTV HVR 900 and very likely many other
+em28xx devices.
+
+Background:
+The local variable has_audio in em28xx_usb_probe() describes if the currently
+probed _usb_interface_ has an audio endpoint, while dev->audio_mode.has_audio
+means that the _device_ as a whole provides analog audio.
+Hence it is wrong to set dev->audio_mode.has_audio = has_audio in em28xx_usb_probe().
+As result, audio support is no longer detected and configured on devices which
+have the audio endpoint on a separate interface, because em28xx_audio_setup()
+bails out immediately at the beginning.
+
+Revert the faulty commit to restore the old audio detection procedure, which checks
+the chip configuration register to determine if the device has analog audio.
+
+Cc: <stable@vger.kernel.org> # 3.14 to 3.16
+Reported-by: Oravecz Csaba <oravecz@nytud.mta.hu>
+Tested-by: Oravecz Csaba <oravecz@nytud.mta.hu>
+Signed-off-by: Frank Schäfer <fschaefer.oss@googlemail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/em28xx/em28xx-cards.c | 11 -----------
+ drivers/media/usb/em28xx/em28xx-core.c | 12 +++++++++++-
+ 2 files changed, 11 insertions(+), 12 deletions(-)
+
+--- a/drivers/media/usb/em28xx/em28xx-cards.c
++++ b/drivers/media/usb/em28xx/em28xx-cards.c
+@@ -3098,16 +3098,6 @@ static int em28xx_init_dev(struct em28xx
+ }
+ }
+
+- if (dev->chip_id == CHIP_ID_EM2870 ||
+- dev->chip_id == CHIP_ID_EM2874 ||
+- dev->chip_id == CHIP_ID_EM28174 ||
+- dev->chip_id == CHIP_ID_EM28178) {
+- /* Digital only device - don't load any alsa module */
+- dev->audio_mode.has_audio = false;
+- dev->has_audio_class = false;
+- dev->has_alsa_audio = false;
+- }
+-
+ if (chip_name != default_chip_name)
+ printk(KERN_INFO DRIVER_NAME
+ ": chip ID is %s\n", chip_name);
+@@ -3377,7 +3367,6 @@ static int em28xx_usb_probe(struct usb_i
+ dev->alt = -1;
+ dev->is_audio_only = has_audio && !(has_video || has_dvb);
+ dev->has_alsa_audio = has_audio;
+- dev->audio_mode.has_audio = has_audio;
+ dev->has_video = has_video;
+ dev->ifnum = ifnum;
+
+--- a/drivers/media/usb/em28xx/em28xx-core.c
++++ b/drivers/media/usb/em28xx/em28xx-core.c
+@@ -506,8 +506,18 @@ int em28xx_audio_setup(struct em28xx *de
+ int vid1, vid2, feat, cfg;
+ u32 vid;
+
+- if (!dev->audio_mode.has_audio)
++ if (dev->chip_id == CHIP_ID_EM2870 ||
++ dev->chip_id == CHIP_ID_EM2874 ||
++ dev->chip_id == CHIP_ID_EM28174 ||
++ dev->chip_id == CHIP_ID_EM28178) {
++ /* Digital only device - don't load any alsa module */
++ dev->audio_mode.has_audio = false;
++ dev->has_audio_class = false;
++ dev->has_alsa_audio = false;
+ return 0;
++ }
++
++ dev->audio_mode.has_audio = true;
+
+ /* See how this device is configured */
+ cfg = em28xx_read_reg(dev, EM28XX_R00_CHIPCFG);
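Review bot: `dev->audio_mode.has_audio = true;` is set unconditionally before the chip configuration register is read on the following line, so at this point the flag is an assumption rather than a detection result. The commit message says the CHIPCFG check decides whether the device has analog audio, which presumably happens below the hunk; a comment such as `/* Assume analog audio for now; refined from EM28XX_R00_CHIPCFG below */` would make that ordering explicit. The four-way chip_id comparison that this hunk moves back here would also read better as a small helper, though that is a style choice.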
--- /dev/null
+From 662c97cf8f9e9d67d45d0a9f0c1565a1ede364c2 Mon Sep 17 00:00:00 2001
+From: Frank Schaefer <fschaefer.oss@googlemail.com>
+Date: Sat, 9 Aug 2014 06:37:21 -0300
+Subject: media: em28xx-v4l: fix video buffer field order reporting in progressive mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frank Schaefer <fschaefer.oss@googlemail.com>
+
+commit 662c97cf8f9e9d67d45d0a9f0c1565a1ede364c2 upstream.
+
+The correct field order in progressive mode is V4L2_FIELD_NONE, not V4L2_FIELD_INTERLACED.
+
+Signed-off-by: Frank Schäfer <fschaefer.oss@googlemail.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/em28xx/em28xx-video.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/em28xx/em28xx-video.c
++++ b/drivers/media/usb/em28xx/em28xx-video.c
+@@ -435,7 +435,10 @@ static inline void finish_buffer(struct
+ em28xx_isocdbg("[%p/%d] wakeup\n", buf, buf->top_field);
+
+ buf->vb.v4l2_buf.sequence = dev->v4l2->field_count++;
+- buf->vb.v4l2_buf.field = V4L2_FIELD_INTERLACED;
++ if (dev->v4l2->progressive)
++ buf->vb.v4l2_buf.field = V4L2_FIELD_NONE;
++ else
++ buf->vb.v4l2_buf.field = V4L2_FIELD_INTERLACED;
+ v4l2_get_timestamp(&buf->vb.v4l2_buf.timestamp);
+
+ vb2_buffer_done(&buf->vb, VB2_BUF_STATE_DONE);
--- /dev/null
+From 627530c32a43283474e9dd3e954519410ffa033a Mon Sep 17 00:00:00 2001
+From: Frank Schaefer <fschaefer.oss@googlemail.com>
+Date: Sat, 9 Aug 2014 06:37:20 -0300
+Subject: media: em28xx-v4l: give back all active video buffers to the vb2 core properly on streaming stop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frank Schaefer <fschaefer.oss@googlemail.com>
+
+commit 627530c32a43283474e9dd3e954519410ffa033a upstream.
+
+When a new video frame is started, the driver takes the next video buffer from
+the list of active buffers and moves it to dev->usb_ctl.vid_buf / dev->usb_ctl.vbi_buf
+for further processing.
+
+On streaming stop we currently only give back the pending buffers from the list
+but not the ones which are currently processed.
+
+This causes the following warning from the vb2 core since kernel 3.15:
+
+...
+ ------------[ cut here ]------------
+ WARNING: CPU: 1 PID: 2284 at drivers/media/v4l2-core/videobuf2-core.c:2115 __vb2_queue_cancel+0xed/0x150 [videobuf2_core]()
+ [...]
+ Call Trace:
+ [<c0769c46>] dump_stack+0x48/0x69
+ [<c0245b69>] warn_slowpath_common+0x79/0x90
+ [<f925e4ad>] ? __vb2_queue_cancel+0xed/0x150 [videobuf2_core]
+ [<f925e4ad>] ? __vb2_queue_cancel+0xed/0x150 [videobuf2_core]
+ [<c0245bfd>] warn_slowpath_null+0x1d/0x20
+ [<f925e4ad>] __vb2_queue_cancel+0xed/0x150 [videobuf2_core]
+ [<f925fa35>] vb2_internal_streamoff+0x35/0x90 [videobuf2_core]
+ [<f925fac5>] vb2_streamoff+0x35/0x60 [videobuf2_core]
+ [<f925fb27>] vb2_ioctl_streamoff+0x37/0x40 [videobuf2_core]
+ [<f8e45895>] v4l_streamoff+0x15/0x20 [videodev]
+ [<f8e4925d>] __video_do_ioctl+0x23d/0x2d0 [videodev]
+ [<f8e49020>] ? video_ioctl2+0x20/0x20 [videodev]
+ [<f8e48c63>] video_usercopy+0x203/0x5a0 [videodev]
+ [<f8e49020>] ? video_ioctl2+0x20/0x20 [videodev]
+ [<c039d0e7>] ? fsnotify+0x1e7/0x2b0
+ [<f8e49012>] video_ioctl2+0x12/0x20 [videodev]
+ [<f8e49020>] ? video_ioctl2+0x20/0x20 [videodev]
+ [<f8e4461e>] v4l2_ioctl+0xee/0x130 [videodev]
+ [<f8e44530>] ? v4l2_open+0xf0/0xf0 [videodev]
+ [<c0378de2>] do_vfs_ioctl+0x2e2/0x4d0
+ [<c0368eec>] ? vfs_write+0x13c/0x1c0
+ [<c0369a8f>] ? vfs_writev+0x2f/0x50
+ [<c0379028>] SyS_ioctl+0x58/0x80
+ [<c076fff3>] sysenter_do_call+0x12/0x12
+ ---[ end trace 5545f934409f13f4 ]---
+...
+
+Many thanks to Hans Verkuil, whose recently added check in the vb2 core unveiled
+this long standing issue and who has investigated it further.
+
+Signed-off-by: Frank Schäfer <fschaefer.oss@googlemail.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/em28xx/em28xx-video.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/em28xx/em28xx-video.c
++++ b/drivers/media/usb/em28xx/em28xx-video.c
+@@ -994,13 +994,16 @@ static void em28xx_stop_streaming(struct
+ }
+
+ spin_lock_irqsave(&dev->slock, flags);
++ if (dev->usb_ctl.vid_buf != NULL) {
++ vb2_buffer_done(&dev->usb_ctl.vid_buf->vb, VB2_BUF_STATE_ERROR);
++ dev->usb_ctl.vid_buf = NULL;
++ }
+ while (!list_empty(&vidq->active)) {
+ struct em28xx_buffer *buf;
+ buf = list_entry(vidq->active.next, struct em28xx_buffer, list);
+ list_del(&buf->list);
+ vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR);
+ }
+- dev->usb_ctl.vid_buf = NULL;
+ spin_unlock_irqrestore(&dev->slock, flags);
+ }
+
+@@ -1021,13 +1024,16 @@ void em28xx_stop_vbi_streaming(struct vb
+ }
+
+ spin_lock_irqsave(&dev->slock, flags);
++ if (dev->usb_ctl.vbi_buf != NULL) {
++ vb2_buffer_done(&dev->usb_ctl.vbi_buf->vb, VB2_BUF_STATE_ERROR);
++ dev->usb_ctl.vbi_buf = NULL;
++ }
+ while (!list_empty(&vbiq->active)) {
+ struct em28xx_buffer *buf;
+ buf = list_entry(vbiq->active.next, struct em28xx_buffer, list);
+ list_del(&buf->list);
+ vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR);
+ }
+- dev->usb_ctl.vbi_buf = NULL;
+ spin_unlock_irqrestore(&dev->slock, flags);
+ }
+
--- /dev/null
+From d358aefdc0cc92b16ced449f998dbad639db6809 Mon Sep 17 00:00:00 2001
+From: Ulrich Eckhardt <uli-lirc@uli-eckhardt.de>
+Date: Fri, 10 Oct 2014 13:27:32 -0300
+Subject: media: imon: fix other RC type protocol support
+
+From: Ulrich Eckhardt <uli-lirc@uli-eckhardt.de>
+
+commit d358aefdc0cc92b16ced449f998dbad639db6809 upstream.
+
+With kernel 3.17 the imon remote control for device 15c2:0034 does not
+work anymore, which uses the OTHER protocol. Only the front panel
+buttons which uses the RC6 protocol are working.
+
+Adds the missing comparison for the RC_BIT_OTHER.
+
+Signed-off-by: Ulrich Eckhardt <uli@uli-eckhardt.de>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/imon.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/rc/imon.c
++++ b/drivers/media/rc/imon.c
+@@ -1579,7 +1579,8 @@ static void imon_incoming_packet(struct
+ if (press_type == 0)
+ rc_keyup(ictx->rdev);
+ else {
+- if (ictx->rc_type == RC_BIT_RC6_MCE)
++ if (ictx->rc_type == RC_BIT_RC6_MCE ||
++ ictx->rc_type == RC_BIT_OTHER)
+ rc_keydown(ictx->rdev,
+ ictx->rc_type == RC_BIT_RC6_MCE ? RC_TYPE_RC6_MCE : RC_TYPE_OTHER,
+ ictx->rc_scancode, ictx->rc_toggle);
--- /dev/null
+From f538e085138e519e25ae0828bd6c6e7492ce8ca4 Mon Sep 17 00:00:00 2001
+From: Antti Palosaari <crope@iki.fi>
+Date: Thu, 21 Aug 2014 14:02:27 -0300
+Subject: media: m88ts2022: fix 32bit overflow on filter calc
+
+From: Antti Palosaari <crope@iki.fi>
+
+commit f538e085138e519e25ae0828bd6c6e7492ce8ca4 upstream.
+
+Maximum satellite symbol rate used is 45000000Sps which overflows
+when multiplied by 135. As final calculation result is fraction,
+we could use mult_frac macro in order to keep calculation inside
+32 bit number limits and prevent overflow.
+
+Original bug and fix was provided by Nibble Max. I decided to
+implement it differently as it is now.
+
+Reported-by: Nibble Max <nibble.max@gmail.com>
+Tested-by: Nibble Max <nibble.max@gmail.com>
+Signed-off-by: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/tuners/m88ts2022.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/tuners/m88ts2022.c
++++ b/drivers/media/tuners/m88ts2022.c
+@@ -314,7 +314,7 @@ static int m88ts2022_set_params(struct d
+ div_min = gdiv28 * 78 / 100;
+ div_max = clamp_val(div_max, 0U, 63U);
+
+- f_3db_hz = c->symbol_rate * 135UL / 200UL;
++ f_3db_hz = mult_frac(c->symbol_rate, 135, 200);
+ f_3db_hz += 2000000U + (frequency_offset_khz * 1000U);
+ f_3db_hz = clamp(f_3db_hz, 7000000U, 40000000U);
+
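Review bot: The switch to mult_frac() fixes the overflow but leaves no trace of why: `symbol_rate * 135` exceeds 32 bits once symbol_rate is above 31814572 (about 31.8 MSps), well below the 45 MSps maximum the commit message cites. A comment on the line, e.g. `/* symbol_rate * 135 overflows u32 above ~31.8 MSps; mult_frac() keeps the intermediate in range */`, would keep the next maintainer from "simplifying" it back. mult_frac() is a macro that evaluates its first argument twice; `c->symbol_rate` has no side effects, so that is harmless here.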
--- /dev/null
+From 14edb593338e3811e818aba286237c365f8881a1 Mon Sep 17 00:00:00 2001
+From: Tomas Melin <tomas.melin@iki.fi>
+Date: Tue, 28 Oct 2014 15:43:14 -0300
+Subject: media: rc-core: fix protocol_change regression in ir_raw_event_register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tomas Melin <tomas.melin@iki.fi>
+
+commit 14edb593338e3811e818aba286237c365f8881a1 upstream.
+
+IR receiver using nuvoton-cir and lirc required additional configuration
+steps after upgrade from kernel 3.16 to 3.17-rcX. Bisected regression to
+commit da6e162d6a4607362f8478c715c797d84d449f8b ("[media] rc-core:
+simplify sysfs code").
+
+The regression comes from adding function change_protocol in ir-raw.c.
+It changes behaviour so that only the protocol enabled by driver's
+map_name will be active after registration. This breaks user space
+behaviour, lirc does not get key press signals anymore.
+
+Enable lirc protocol by default for ir raw decoders to restore original
+behaviour.
+
+Signed-off-by: Tomas Melin <tomas.melin@iki.fi>
+Acked-by: David Härdeman <david@hardeman.nu>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/rc-ir-raw.c | 1 -
+ drivers/media/rc/rc-main.c | 2 ++
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/rc/rc-ir-raw.c
++++ b/drivers/media/rc/rc-ir-raw.c
+@@ -262,7 +262,6 @@ int ir_raw_event_register(struct rc_dev
+ return -ENOMEM;
+
+ dev->raw->dev = dev;
+- dev->enabled_protocols = ~0;
+ dev->change_protocol = change_protocol;
+ rc = kfifo_alloc(&dev->raw->kfifo,
+ sizeof(struct ir_raw_event) * MAX_IR_EVENT_SIZE,
+--- a/drivers/media/rc/rc-main.c
++++ b/drivers/media/rc/rc-main.c
+@@ -1421,6 +1421,8 @@ int rc_register_device(struct rc_dev *de
+
+ if (dev->change_protocol) {
+ u64 rc_type = (1 << rc_map->rc_type);
++ if (dev->driver_type == RC_DRIVER_IR_RAW)
++ rc_type |= RC_BIT_LIRC;
+ rc = dev->change_protocol(dev, &rc_type);
+ if (rc < 0)
+ goto out_raw;
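Review bot: The line above the new code, `u64 rc_type = (1 << rc_map->rc_type);`, shifts an int and only then widens to u64, so the mask silently breaks (and the shift becomes undefined) for any protocol index of 31 or more, while the `RC_BIT_LIRC` the hunk ORs in is a u64 bit. It is context rather than new code, but since the commit now relies on this being a proper 64-bit mask, `u64 rc_type = (1ULL << rc_map->rc_type);` would be the safe form. The enclosing rc_register_device() starts outside the hunk.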
--- /dev/null
+From 29bbb7bd0a65e01a0423e1df764676119b71ecb3 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Date: Mon, 11 Aug 2014 18:09:32 -0300
+Subject: media: siano: add support for PCTV 77e
+
+From: Mauro Carvalho Chehab <m.chehab@samsung.com>
+
+commit 29bbb7bd0a65e01a0423e1df764676119b71ecb3 upstream.
+
+Add support for PCTV microStick (77e) device that uses a sms1140
+chipset.
+
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/common/siano/sms-cards.c | 6 ++++++
+ drivers/media/common/siano/sms-cards.h | 1 +
+ drivers/media/usb/siano/smsusb.c | 2 ++
+ 3 files changed, 9 insertions(+)
+
+--- a/drivers/media/common/siano/sms-cards.c
++++ b/drivers/media/common/siano/sms-cards.c
+@@ -157,6 +157,12 @@ static struct sms_board sms_boards[] = {
+ .type = SMS_DENVER_2160,
+ .default_mode = DEVICE_MODE_DAB_TDMB,
+ },
++ [SMS1XXX_BOARD_PCTV_77E] = {
++ .name = "Hauppauge microStick 77e",
++ .type = SMS_NOVA_B0,
++ .fw[DEVICE_MODE_DVBT_BDA] = SMS_FW_DVB_NOVA_12MHZ_B0,
++ .default_mode = DEVICE_MODE_DVBT_BDA,
++ },
+ };
+
+ struct sms_board *sms_get_board(unsigned id)
+--- a/drivers/media/common/siano/sms-cards.h
++++ b/drivers/media/common/siano/sms-cards.h
+@@ -45,6 +45,7 @@
+ #define SMS1XXX_BOARD_SIANO_RIO 18
+ #define SMS1XXX_BOARD_SIANO_DENVER_1530 19
+ #define SMS1XXX_BOARD_SIANO_DENVER_2160 20
++#define SMS1XXX_BOARD_PCTV_77E 21
+
+ struct sms_board_gpio_cfg {
+ int lna_vhf_exist;
+--- a/drivers/media/usb/siano/smsusb.c
++++ b/drivers/media/usb/siano/smsusb.c
+@@ -655,6 +655,8 @@ static const struct usb_device_id smsusb
+ .driver_info = SMS1XXX_BOARD_ONDA_MDTV_DATA_CARD },
+ { USB_DEVICE(0x3275, 0x0080),
+ .driver_info = SMS1XXX_BOARD_SIANO_RIO },
++ { USB_DEVICE(0x2013, 0x0257),
++ .driver_info = SMS1XXX_BOARD_PCTV_77E },
+ { } /* Terminating entry */
+ };
+
--- /dev/null
+From 91ba0e59babdb3c7aca836a65f1095b3eaff7b06 Mon Sep 17 00:00:00 2001
+From: Axel Lin <axel.lin@ingics.com>
+Date: Fri, 8 Aug 2014 10:32:56 -0300
+Subject: media: tda7432: Fix setting TDA7432_MUTE bit for TDA7432_RF register
+
+From: Axel Lin <axel.lin@ingics.com>
+
+commit 91ba0e59babdb3c7aca836a65f1095b3eaff7b06 upstream.
+
+Fix a copy-paste bug when converting to the control framework.
+
+Fixes: commit 5d478e0de871 ("[media] tda7432: convert to the control framework")
+
+Signed-off-by: Axel Lin <axel.lin@ingics.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/i2c/tda7432.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/tda7432.c
++++ b/drivers/media/i2c/tda7432.c
+@@ -293,7 +293,7 @@ static int tda7432_s_ctrl(struct v4l2_ct
+ if (t->mute->val) {
+ lf |= TDA7432_MUTE;
+ lr |= TDA7432_MUTE;
+- lf |= TDA7432_MUTE;
++ rf |= TDA7432_MUTE;
+ rr |= TDA7432_MUTE;
+ }
+ /* Mute & update balance*/
--- /dev/null
+From 62ea864f84fed6e04dd033d500d4c9183a83d590 Mon Sep 17 00:00:00 2001
+From: Paul Fertser <fercerpav@gmail.com>
+Date: Sun, 8 Jun 2014 12:16:48 -0300
+Subject: media: usb: uvc: add a quirk for Dell XPS M1330 webcam
+
+From: Paul Fertser <fercerpav@gmail.com>
+
+commit 62ea864f84fed6e04dd033d500d4c9183a83d590 upstream.
+
+As reported on [1], this device needs this quirk to be able to
+reliably initialise the webcam.
+
+[1] http://ubuntuforums.org/showthread.php?t=2145996
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Fertser <fercerpav@gmail.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/uvc/uvc_driver.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -2229,6 +2229,15 @@ static struct usb_device_id uvc_ids[] =
+ .bInterfaceSubClass = 1,
+ .bInterfaceProtocol = 0,
+ .driver_info = UVC_QUIRK_PROBE_DEF },
++ /* Dell XPS M1330 (OmniVision OV7670 webcam) */
++ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE
++ | USB_DEVICE_ID_MATCH_INT_INFO,
++ .idVendor = 0x05a9,
++ .idProduct = 0x7670,
++ .bInterfaceClass = USB_CLASS_VIDEO,
++ .bInterfaceSubClass = 1,
++ .bInterfaceProtocol = 0,
++ .driver_info = UVC_QUIRK_PROBE_DEF },
+ /* Apple Built-In iSight */
+ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE
+ | USB_DEVICE_ID_MATCH_INT_INFO,
--- /dev/null
+From 3bacc10cd4a85bc70bc0b6c001d3bf995c7fe04c Mon Sep 17 00:00:00 2001
+From: Maciej Matraszek <m.matraszek@samsung.com>
+Date: Mon, 15 Sep 2014 05:14:48 -0300
+Subject: media: v4l2-common: fix overflow in v4l_bound_align_image()
+
+From: Maciej Matraszek <m.matraszek@samsung.com>
+
+commit 3bacc10cd4a85bc70bc0b6c001d3bf995c7fe04c upstream.
+
+Fix clamp_align() used in v4l_bound_align_image() to prevent overflow
+when passed large value like UINT32_MAX.
+
+ In the current implementation:
+ clamp_align(UINT32_MAX, 8, 8192, 3)
+
+returns 8, because in line:
+
+ x = (x + (1 << (align - 1))) & mask;
+
+x wraps to (UINT32_MAX + 4) & ~0x7 = 0, which the subsequent clamp raises to min = 8, while the expected value is 8192.
+
+v4l_bound_align_image() is heavily used in VIDIOC_S_FMT and
+VIDIOC_SUBDEV_S_FMT ioctls handlers, and documentation of the latter
+explicitly states that:
+
+"The modified format should be as close as possible to the original
+request."
+ -- http://linuxtv.org/downloads/v4l-dvb-apis/vidioc-subdev-g-fmt.html
+
+Thus one would expect, that passing UINT32_MAX as format width and
+height will result in setting maximum possible resolution for the
+device. Particularly, when the driver doesn't support
+VIDIOC_ENUM_FRAMESIZES ioctl, which is common in the codebase.
+
+Fixes changeset: b0d3159be9a3
+
+Signed-off-by: Maciej Matraszek <m.matraszek@samsung.com>
+Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/v4l2-common.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-common.c
++++ b/drivers/media/v4l2-core/v4l2-common.c
+@@ -435,16 +435,13 @@ static unsigned int clamp_align(unsigned
+ /* Bits that must be zero to be aligned */
+ unsigned int mask = ~((1 << align) - 1);
+
++ /* Clamp to aligned min and max */
++ x = clamp(x, (min + ~mask) & mask, max & mask);
++
+ /* Round to nearest aligned value */
+ if (align)
+ x = (x + (1 << (align - 1))) & mask;
+
+- /* Clamp to aligned value of min and max */
+- if (x < min)
+- x = (min + ~mask) & mask;
+- else if (x > max)
+- x = max & mask;
+-
+ return x;
+ }
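Review bot: The reordering fixes the wrap-around only because the clamp now runs first, and nothing at the site says so; a comment above the new clamp, `/* Clamp before rounding: both bounds are aligned, so x + (1 << (align - 1)) can no longer wrap past UINT_MAX */`, would keep a later refactor from swapping the two steps back. Two pre-existing edge cases remain unguarded and might deserve a note: `(min + ~mask) & mask` itself wraps to 0 when min lies within ~mask of UINT_MAX, and when the aligned min exceeds the aligned max (e.g. min 9, max 10, align 3) clamp() returns the aligned max, which is below min. Both appear to be out of reach for the width/height ranges drivers pass, but the function does not check for them. clamp_align's signature is outside the hunk.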
+
--- /dev/null
+From 23d3090f8b44ab42162e99e8584445bc25b8922f Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 5 Aug 2014 05:11:13 -0300
+Subject: media: vmalloc_sg: off by one in error handling
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 23d3090f8b44ab42162e99e8584445bc25b8922f upstream.
+
+The "i--" needs to happen at the start of the loop body; otherwise the loop
+tries to release an entry that was never allocated (probably crashing) and
+never releases the first ->vaddr_pages[] entry.
+
+Fixes: 7b4eeed174b7 ('[media] vmalloc_sg: make sure all pages in vmalloc area are really DMA-ready')
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/videobuf-dma-sg.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/v4l2-core/videobuf-dma-sg.c
++++ b/drivers/media/v4l2-core/videobuf-dma-sg.c
+@@ -253,9 +253,11 @@ int videobuf_dma_init_kernel(struct vide
+ return 0;
+ out_free_pages:
+ while (i > 0) {
+- void *addr = page_address(dma->vaddr_pages[i]);
+- dma_free_coherent(dma->dev, PAGE_SIZE, addr, dma->dma_addr[i]);
++ void *addr;
++
+ i--;
++ addr = page_address(dma->vaddr_pages[i]);
++ dma_free_coherent(dma->dev, PAGE_SIZE, addr, dma->dma_addr[i]);
+ }
+ kfree(dma->dma_addr);
+ dma->dma_addr = NULL;
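Review bot: The corrected loop is right, but the `while (i > 0) { ...; i--; ... }` shape is exactly what let the original off-by-one slip in; `while (i-- > 0) {` with the two release lines as the body makes the pre-decrement impossible to misplace and drops a statement. Either way a one-line comment, `/* undo the pages allocated so far: i is a count, so step back before indexing */`, would record the invariant the fix restores. videobuf_dma_init_kernel starts and ends outside the hunk.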
--- /dev/null
+From a5466d7bba9af83a82cc7c081b2a7d557cde3204 Mon Sep 17 00:00:00 2001
+From: Markos Chandras <markos.chandras@imgtec.com>
+Date: Tue, 21 Oct 2014 10:21:54 +0100
+Subject: MIPS: cp1emu: Fix ISA restrictions for cop1x_op instructions
+
+From: Markos Chandras <markos.chandras@imgtec.com>
+
+commit a5466d7bba9af83a82cc7c081b2a7d557cde3204 upstream.
+
+Commit 08a07904e1828 ("MIPS: math-emu: Remove most ifdefery") removed
+the #ifdef ISA conditions and switched to runtime detection. However,
+according to the instruction set manual, the cop1x_op instructions are
+available in >=MIPS32r2 as well. This fixes a problem on MIPS32r2
+with the ntpd package which failed to execute with a SIGILL exit code due
+to the fact that a madd.d instruction was not being emulated.
+
+Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
+Fixes: 08a07904e1828 ("MIPS: math-emu: Remove most ifdefery")
+Cc: linux-mips@linux-mips.org
+Reviewed-by: Paul Burton <paul.burton@imgtec.com>
+Reviewed-by: James Hogan <james.hogan@imgtec.com>
+Cc: Markos Chandras <markos.chandras@imgtec.com>
+Patchwork: https://patchwork.linux-mips.org/patch/8173/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/math-emu/cp1emu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/math-emu/cp1emu.c
++++ b/arch/mips/math-emu/cp1emu.c
+@@ -1023,7 +1023,7 @@ emul:
+ goto emul;
+
+ case cop1x_op:
+- if (cpu_has_mips_4_5 || cpu_has_mips64)
++ if (cpu_has_mips_4_5 || cpu_has_mips64 || cpu_has_mips32r2)
+ /* its one of ours */
+ goto emul;
+
+@@ -1068,7 +1068,7 @@ emul:
+ break;
+
+ case cop1x_op:
+- if (!cpu_has_mips_4_5 && !cpu_has_mips64)
++ if (!cpu_has_mips_4_5 && !cpu_has_mips64 && !cpu_has_mips32r2)
+ return SIGILL;
+
+ sig = fpux_emu(xcp, ctx, ir, fault_addr);
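Review bot: The ISA test for cop1x_op is now spelled out twice, once in the classification switch of the first hunk and once before fpux_emu() here, and the two must agree or one path claims the instruction while the other returns SIGILL; a single helper in the file, e.g. `static inline bool cpu_has_cop1x_op(void) { return cpu_has_mips_4_5 || cpu_has_mips64 || cpu_has_mips32r2; }`, used at both sites would make the next ISA addition a one-line change. A short comment citing the architecture manual's statement that COP1X is available from MIPS32r2 onward would also help, since the condition otherwise reads like a one-off exception. Both enclosing switch bodies start and end outside the hunks.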
--- /dev/null
+From aedd153f5bb5b1f1d6d9142014f521ae2ec294cc Mon Sep 17 00:00:00 2001
+From: Markos Chandras <markos.chandras@imgtec.com>
+Date: Mon, 20 Oct 2014 09:39:31 +0100
+Subject: MIPS: ftrace: Fix a microMIPS build problem
+
+From: Markos Chandras <markos.chandras@imgtec.com>
+
+commit aedd153f5bb5b1f1d6d9142014f521ae2ec294cc upstream.
+
+Code before the .fixup section needs to have the .insn directive.
+This has no side effects on MIPS32/64 but it affects the way microMIPS
+loads the address for the return label.
+
+Fixes the following build problem:
+mips-linux-gnu-ld: arch/mips/built-in.o: .fixup+0x4a0: Unsupported jump between
+ISA modes; consider recompiling with interlinking enabled.
+mips-linux-gnu-ld: final link failed: Bad value
+Makefile:819: recipe for target 'vmlinux' failed
+
+The fix is similar to 1658f914ff91c3bf ("MIPS: microMIPS:
+Disable LL/SC and fix linker bug.")
+
+Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/8117/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/ftrace.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/include/asm/ftrace.h
++++ b/arch/mips/include/asm/ftrace.h
+@@ -24,7 +24,7 @@ do { \
+ asm volatile ( \
+ "1: " load " %[tmp_dst], 0(%[tmp_src])\n" \
+ " li %[tmp_err], 0\n" \
+- "2:\n" \
++ "2: .insn\n" \
+ \
+ ".section .fixup, \"ax\"\n" \
+ "3: li %[tmp_err], 1\n" \
+@@ -46,7 +46,7 @@ do { \
+ asm volatile ( \
+ "1: " store " %[tmp_src], 0(%[tmp_dst])\n"\
+ " li %[tmp_err], 0\n" \
+- "2:\n" \
++ "2: .insn\n" \
+ \
+ ".section .fixup, \"ax\"\n" \
+ "3: li %[tmp_err], 1\n" \
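Review bot: Both hunks add `.insn` without saying why, and a directive that is a no-op on classic MIPS is the kind of thing a later cleanup removes; a C comment on the line, after the closing quote and before the `\` continuation, such as `/* .insn marks label 2 as code so microMIPS keeps the ISA bit in the .fixup return address */`, would preserve the reason the commit message gives. The safe_load/safe_store macro bodies continue outside the hunks.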
--- /dev/null
+From aa08ed55442ac6f9810c055e1474be34e785e556 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Sun, 21 Sep 2014 15:38:43 +0300
+Subject: MIPS: loongson2_cpufreq: Fix CPU clock rate setting mismerge
+
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+
+commit aa08ed55442ac6f9810c055e1474be34e785e556 upstream.
+
+During 3.16 merge window, parts of the commit 8e8acb32960f
+(MIPS/loongson2_cpufreq: Fix CPU clock rate setting) seem to have
+been deleted probably due to a mismerge, and as a result cpufreq
+is broken again on Loongson2 boards in 3.16 and newer kernels.
+Fix by repeating the fix.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/7835/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/loongson/lemote-2f/clock.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/loongson/lemote-2f/clock.c
++++ b/arch/mips/loongson/lemote-2f/clock.c
+@@ -91,6 +91,7 @@ EXPORT_SYMBOL(clk_put);
+
+ int clk_set_rate(struct clk *clk, unsigned long rate)
+ {
++ unsigned int rate_khz = rate / 1000;
+ struct cpufreq_frequency_table *pos;
+ int ret = 0;
+ int regval;
+@@ -107,9 +108,9 @@ int clk_set_rate(struct clk *clk, unsign
+ propagate_rate(clk);
+
+ cpufreq_for_each_valid_entry(pos, loongson2_clockmod_table)
+- if (rate == pos->frequency)
++ if (rate_khz == pos->frequency)
+ break;
+- if (rate != pos->frequency)
++ if (rate_khz != pos->frequency)
+ return -ENOTSUPP;
+
+ clk->rate = rate;
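Review bot: The new `rate_khz = rate / 1000` truncates silently, so a request such as 800500 Hz matches the 800 kHz table entry and is then stored verbatim by `clk->rate = rate`, leaving clk->rate disagreeing with what the table entry presumably programs; either reject non-integral requests, `if (rate % 1000) return -ENOTSUPP;`, or store the matched value back, `clk->rate = pos->frequency * 1000;`. A comment on the new declaration, `/* loongson2_clockmod_table is in kHz, clk rates are in Hz */`, would make the unit conversion the mismerge dropped obvious next time. The rest of clk_set_rate's body is outside the hunk.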
--- /dev/null
+From cdb685ad44996e9a113a10002cb42d40ff29db99 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+Date: Tue, 14 Oct 2014 00:42:08 +0300
+Subject: MIPS: ptrace.h: Add a missing include
+
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+
+commit cdb685ad44996e9a113a10002cb42d40ff29db99 upstream.
+
+Commit a79ebea62010 (MIPS: ptrace: Fix user pt_regs definition,
+use in ptrace_{get, set}regs()) converted struct pt_regs to use __u64.
+Some userspace applications (e.g. GDB) include this file directly,
+and fail to see this type. Fix by including <linux/types.h>.
+
+The patch fixes the following build failure with GDB 7.8 when using
+GLIBC headers created against Linux 3.17:
+
+In file included from /home/aaro/los/work/shared/gdb-7.8/gdb/mips-linux-nat.c:37:0:
+/home/aaro/los/work/mips/rootfs/mips-linux-gnu/usr/include/asm/ptrace.h:32:2: error: unknown type name '__u64'
+ __u64 regs[32];
+ ^
+/home/aaro/los/work/mips/rootfs/mips-linux-gnu/usr/include/asm/ptrace.h:35:2: error: unknown type name '__u64'
+ __u64 lo;
+ ^
+/home/aaro/los/work/mips/rootfs/mips-linux-gnu/usr/include/asm/ptrace.h:36:2: error: unknown type name '__u64'
+ __u64 hi;
+ ^
+
+Fixes: a79ebea62010 ("MIPS: ptrace: Fix user pt_regs definition, use in ptrace_{get, set}regs()")
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Cc: Alex Smith <alex@alex-smith.me.uk>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/8067/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/uapi/asm/ptrace.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/mips/include/uapi/asm/ptrace.h
++++ b/arch/mips/include/uapi/asm/ptrace.h
+@@ -9,6 +9,8 @@
+ #ifndef _UAPI_ASM_PTRACE_H
+ #define _UAPI_ASM_PTRACE_H
+
++#include <linux/types.h>
++
+ /* 0 - 31 are integer registers, 32 - 63 are fp registers. */
+ #define FPR_BASE 32
+ #define PC 64
--- /dev/null
+From 9e0f162a36914937a937358fcb45e0609ef2bfc4 Mon Sep 17 00:00:00 2001
+From: David Daney <david.daney@cavium.com>
+Date: Mon, 20 Oct 2014 15:34:23 -0700
+Subject: MIPS: tlbex: Properly fix HUGE TLB Refill exception handler
+
+From: David Daney <david.daney@cavium.com>
+
+commit 9e0f162a36914937a937358fcb45e0609ef2bfc4 upstream.
+
+In commit 8393c524a25609 (MIPS: tlbex: Fix a missing statement for
+HUGETLB), the TLB Refill handler was fixed so that non-OCTEON targets
+would work properly with huge pages. The change was incorrect in that
+it broke the OCTEON case.
+
+The problem is shown here:
+
+ xxx0: df7a0000 ld k0,0(k1)
+ .
+ .
+ .
+ xxxc0: df610000 ld at,0(k1)
+ xxxc4: 335a0ff0 andi k0,k0,0xff0
+ xxxc8: e825ffcd bbit1 at,0x5,0x0
+ xxxcc: 003ad82d daddu k1,at,k0
+ .
+ .
+ .
+
+In the non-octeon case there is a destructive test for the huge PTE
+bit, and then at 0, $k0 is reloaded (that is what the 8393c524a25609
+patch added).
+
+In the octeon case, we modify k1 in the branch delay slot, but we
+never need k0 again, so the new load is not needed, but since k1 is
+modified, if we do the load, we load from a garbage location and then
+get a nested TLB Refill, which is seen in userspace as either SIGBUS
+or SIGSEGV (depending on the garbage).
+
+The real fix is to only do this reloading if it is needed, and never
+where it is harmful.
+
+Signed-off-by: David Daney <david.daney@cavium.com>
+Cc: Huacai Chen <chenhc@lemote.com>
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/8151/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/mm/tlbex.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/mm/tlbex.c
++++ b/arch/mips/mm/tlbex.c
+@@ -1062,6 +1062,7 @@ static void build_update_entries(u32 **p
+ struct mips_huge_tlb_info {
+ int huge_pte;
+ int restore_scratch;
++ bool need_reload_pte;
+ };
+
+ static struct mips_huge_tlb_info
+@@ -1076,6 +1077,7 @@ build_fast_tlb_refill_handler (u32 **p,
+
+ rv.huge_pte = scratch;
+ rv.restore_scratch = 0;
++ rv.need_reload_pte = false;
+
+ if (check_for_high_segbits) {
+ UASM_i_MFC0(p, tmp, C0_BADVADDR);
+@@ -1264,6 +1266,7 @@ static void build_r4000_tlb_refill_handl
+ } else {
+ htlb_info.huge_pte = K0;
+ htlb_info.restore_scratch = 0;
++ htlb_info.need_reload_pte = true;
+ vmalloc_mode = refill_noscratch;
+ /*
+ * create the plain linear handler
+@@ -1300,7 +1303,8 @@ static void build_r4000_tlb_refill_handl
+ }
+ #ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT
+ uasm_l_tlb_huge_update(&l, p);
+- UASM_i_LW(&p, K0, 0, K1);
++ if (htlb_info.need_reload_pte)
++ UASM_i_LW(&p, htlb_info.huge_pte, 0, K1);
+ build_huge_update_entries(&p, htlb_info.huge_pte, K1);
+ build_huge_tlb_write_entry(&p, &l, &r, K0, tlb_random,
+ htlb_info.restore_scratch);
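Review bot: The new `need_reload_pte` field and the conditional reload carry no comment, and the reasoning—K0 is clobbered only by the destructive huge-PTE test of the non-scratch path, while the scratch path already modified K1 in the delay slot so a reload would read garbage—lives only in the commit message; a comment on the struct field, `/* re-load the PTE at tlb_huge_update; only the non-scratch handler's test clobbers huge_pte */`, and one above the `if`, `/* see need_reload_pte: reloading on the scratch path would fault */`, would keep the next fix from reintroducing the unconditional load. The load also now targets `htlb_info.huge_pte` instead of `K0`; on the only path that sets `need_reload_pte` they are the same register, which is worth stating. build_r4000_tlb_refill_handler starts and ends outside the hunk.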
--- /dev/null
+From f4c24db1b7ad0ce84409e15744d26c6f86a96840 Mon Sep 17 00:00:00 2001
+From: Joern Engel <joern@logfs.org>
+Date: Fri, 3 Oct 2014 14:35:56 -0700
+Subject: qla_target: don't delete changed nacls
+
+From: Joern Engel <joern@logfs.org>
+
+commit f4c24db1b7ad0ce84409e15744d26c6f86a96840 upstream.
+
+The code is currently riddled with "drop the hardware_lock to avoid a
+deadlock" bugs that expose races. One of those races seems to expose a
+valid warning in tcm_qla2xxx_clear_nacl_from_fcport_map. Add some
+bandaid to it.
+
+Signed-off-by: Joern Engel <joern@logfs.org>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/tcm_qla2xxx.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+@@ -757,7 +757,16 @@ static void tcm_qla2xxx_clear_nacl_from_
+ pr_debug("fc_rport domain: port_id 0x%06x\n", nacl->nport_id);
+
+ node = btree_remove32(&lport->lport_fcport_map, nacl->nport_id);
+- WARN_ON(node && (node != se_nacl));
++ if (WARN_ON(node && (node != se_nacl))) {
++ /*
++ * The nacl no longer matches what we think it should be.
++ * Most likely a new dynamic acl has been added while
++ * someone dropped the hardware lock. It clearly is a
++ * bug elsewhere, but this bit can't make things worse.
++ */
++ btree_insert32(&lport->lport_fcport_map, nacl->nport_id,
++ node, GFP_ATOMIC);
++ }
+
+ pr_debug("Removed from fcport_map: %p for WWNN: 0x%016LX, port_id: 0x%06x\n",
+ se_nacl, nacl->nport_wwnn, nacl->nport_id);
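Review bot: The re-insert on the mismatch path ignores the return value of `btree_insert32()`, which can fail under GFP_ATOMIC; when it does, the newer nacl the code is trying to preserve is dropped from lport_fcport_map anyway, exactly the state this bandaid exists to prevent, and nothing is logged. At minimum report it, `if (btree_insert32(&lport->lport_fcport_map, nacl->nport_id, node, GFP_ATOMIC) < 0) pr_err("Unable to re-insert nacl for port_id 0x%06x\n", nacl->nport_id);`, so the missing-entry symptoms that follow can be traced back. The function's head is outside the hunk, so I cannot confirm which lock covers the btree here; the new comment could state it. tcm_qla2xxx_clear_nacl_from_fcport_map continues outside the hunk.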
drm-tilcdc-fix-the-error-path-in-tilcdc_load.patch
drm-nouveau-bios-memset-dcb-struct-to-zero-before-parsing.patch
drm-gt214-kms-fix-hda-eld-regression.patch
+media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch
+media-usb-uvc-add-a-quirk-for-dell-xps-m1330-webcam.patch
+media-em28xx-check-if-a-device-has-audio-earlier.patch
+media-siano-add-support-for-pctv-77e.patch
+media-m88ts2022-fix-32bit-overflow-on-filter-calc.patch
+media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch
+media-em28xx-v4l-fix-video-buffer-field-order-reporting-in-progressive-mode.patch
+media-imon-fix-other-rc-type-protocol-support.patch
+media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch
+media-rc-core-fix-protocol_change-regression-in-ir_raw_event_register.patch
+media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch
+media-vmalloc_sg-off-by-one-in-error-handling.patch
+kvm-emulate-avoid-accessing-null-ctxt-memopp.patch
+kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch
+kvm-x86-decoding-guest-instructions-which-cross-page-boundary-may-fail.patch
+kvm-x86-emulator-does-not-decode-clflush-well.patch
+kvm-x86-prefetch-and-hint_nop-should-have-srcmem-flag.patch
+kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch
+kvm-x86-improve-thread-safety-in-pit.patch
+kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch
+kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch
+kvm-x86-fix-wrong-masking-on-relative-jump-call.patch
+kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch
+kvm-x86-handle-errors-when-rip-is-set-during-far-jumps.patch
+kvm-vmx-handle-invvpid-vm-exit-gracefully.patch
+arc-allow-headless-models-to-boot.patch
+arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch
+arc-unbork-fpu-save-restore.patch
+qla_target-don-t-delete-changed-nacls.patch
+iser-target-disable-tx-completion-interrupt-coalescing.patch
+target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch
+target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch
+mips-ptrace.h-add-a-missing-include.patch
+mips-loongson2_cpufreq-fix-cpu-clock-rate-setting-mismerge.patch
+mips-cp1emu-fix-isa-restrictions-for-cop1x_op-instructions.patch
+mips-ftrace-fix-a-micromips-build-problem.patch
+mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch
--- /dev/null
+From e24805637d2d270d7975502e9024d473de86afdb Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Sat, 4 Oct 2014 04:23:15 +0000
+Subject: target: Fix APTPL metadata handling for dynamic MappedLUNs
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit e24805637d2d270d7975502e9024d473de86afdb upstream.
+
+This patch fixes a bug in handling of SPC-3 PR Activate Persistence
+across Target Power Loss (APTPL) logic where re-creation of state for
+MappedLUNs from dynamically generated NodeACLs did not occur during
+I_T Nexus establishment.
+
+It adds the missing core_scsi3_check_aptpl_registration() call during
+core_tpg_check_initiator_node_acl() -> core_tpg_add_node_to_devs() in
+order to replay any pre-loaded APTPL metadata state associated with
+the newly connected SCSI Initiator Port.
+
+Cc: Mike Christie <michaelc@cs.wisc.edu>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_device.c | 3 ++-
+ drivers/target/target_core_pr.c | 6 +++---
+ drivers/target/target_core_pr.h | 2 +-
+ drivers/target/target_core_tpg.c | 8 ++++++++
+ 4 files changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -1409,7 +1409,8 @@ int core_dev_add_initiator_node_lun_acl(
+ * Check to see if there are any existing persistent reservation APTPL
+ * pre-registrations that need to be enabled for this LUN ACL..
+ */
+- core_scsi3_check_aptpl_registration(lun->lun_se_dev, tpg, lun, lacl);
++ core_scsi3_check_aptpl_registration(lun->lun_se_dev, tpg, lun, nacl,
++ lacl->mapped_lun);
+ return 0;
+ }
+
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -944,10 +944,10 @@ int core_scsi3_check_aptpl_registration(
+ struct se_device *dev,
+ struct se_portal_group *tpg,
+ struct se_lun *lun,
+- struct se_lun_acl *lun_acl)
++ struct se_node_acl *nacl,
++ u32 mapped_lun)
+ {
+- struct se_node_acl *nacl = lun_acl->se_lun_nacl;
+- struct se_dev_entry *deve = nacl->device_list[lun_acl->mapped_lun];
++ struct se_dev_entry *deve = nacl->device_list[mapped_lun];
+
+ if (dev->dev_reservation_flags & DRF_SPC2_RESERVATIONS)
+ return 0;
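Review bot: `nacl->device_list[mapped_lun]` now indexes with a caller-supplied `u32` that no longer arrives wrapped in a validated se_lun_acl; both visible callers pass values that appear bounded (lacl->mapped_lun from ACL creation, lun->unpacked_lun from the TPG LUN loop), but the function has no guard and no statement of the precondition. A kernel-doc line, `@mapped_lun: index into nacl->device_list, must be below the per-TPG LUN limit that sizes it`, or a `WARN_ON_ONCE` against that limit before the dereference, would keep a future caller from turning a bad LUN number into an out-of-bounds read. The function's body continues below the hunk.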
+--- a/drivers/target/target_core_pr.h
++++ b/drivers/target/target_core_pr.h
+@@ -60,7 +60,7 @@ extern int core_scsi3_alloc_aptpl_regist
+ unsigned char *, u16, u32, int, int, u8);
+ extern int core_scsi3_check_aptpl_registration(struct se_device *,
+ struct se_portal_group *, struct se_lun *,
+- struct se_lun_acl *);
++ struct se_node_acl *, u32);
+ extern void core_scsi3_free_pr_reg_from_nacl(struct se_device *,
+ struct se_node_acl *);
+ extern void core_scsi3_free_all_registrations(struct se_device *);
+--- a/drivers/target/target_core_tpg.c
++++ b/drivers/target/target_core_tpg.c
+@@ -40,6 +40,7 @@
+ #include <target/target_core_fabric.h>
+
+ #include "target_core_internal.h"
++#include "target_core_pr.h"
+
+ extern struct se_device *g_lun0_dev;
+
+@@ -166,6 +167,13 @@ void core_tpg_add_node_to_devs(
+
+ core_enable_device_list_for_node(lun, NULL, lun->unpacked_lun,
+ lun_access, acl, tpg);
++ /*
++ * Check to see if there are any existing persistent reservation
++ * APTPL pre-registrations that need to be enabled for this dynamic
++ * LUN ACL now..
++ */
++ core_scsi3_check_aptpl_registration(dev, tpg, lun, acl,
++ lun->unpacked_lun);
+ spin_lock(&tpg->tpg_lun_lock);
+ }
+ spin_unlock(&tpg->tpg_lun_lock);
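Review bot: The new `core_scsi3_check_aptpl_registration()` call discards its `int` return; the existing caller in target_core_device.c ignores it too, but for a dynamic ACL created during I_T nexus setup a failure to replay a registration is now silent. If the function can fail for reasons other than "nothing to do", log it, `if (core_scsi3_check_aptpl_registration(dev, tpg, lun, acl, lun->unpacked_lun) < 0) pr_warn("APTPL replay failed for LUN %u\n", lun->unpacked_lun);`; if it cannot, a sentence in the new comment saying the return is advisory is enough. The call also runs before the context re-takes `tpg_lun_lock`, presumably with the lock dropped around `core_enable_device_list_for_node()`, which the comment could state. core_tpg_add_node_to_devs starts outside the hunk.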
--- /dev/null
+From 082f58ac4a48d3f5cb4597232cb2ac6823a96f43 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quinn.tran@qlogic.com>
+Date: Thu, 25 Sep 2014 06:22:28 -0400
+Subject: target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE
+
+From: Quinn Tran <quinn.tran@qlogic.com>
+
+commit 082f58ac4a48d3f5cb4597232cb2ac6823a96f43 upstream.
+
+During temporary resource starvation at the lower transport layer, the
+command is placed on the queue-full retry path, which exposes this problem.
+The TCM queue-full handling of SCF_TRANSPORT_TASK_SENSE currently sends the
+same cmd twice to the lower layer. The 1st time leads to the cmd's normal
+free path. The 2nd time causes a NULL pointer access.
+
+This regression bug was originally introduced v3.1-rc code in the
+following commit:
+
+commit e057f53308a5f071556ee80586b99ee755bf07f5
+Author: Christoph Hellwig <hch@infradead.org>
+Date: Mon Oct 17 13:56:41 2011 -0400
+
+ target: remove the transport_qf_callback se_cmd callback
+
+Signed-off-by: Quinn Tran <quinn.tran@qlogic.com>
+Signed-off-by: Saurav Kashyap <saurav.kashyap@qlogic.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_transport.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1877,8 +1877,7 @@ static void transport_complete_qf(struct
+ if (cmd->se_cmd_flags & SCF_TRANSPORT_TASK_SENSE) {
+ trace_target_cmd_complete(cmd);
+ ret = cmd->se_tfo->queue_status(cmd);
+- if (ret)
+- goto out;
++ goto out;
+ }
+
+ switch (cmd->data_direction) {
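Review bot: The unconditional `goto out` is the whole fix, yet nothing at the site explains why the data-direction switch below must not run once queue_status() has been called, so the next reader will see a dropped error check and be tempted to restore `if (ret)`; add `/* queue_status() already completed the command; falling through would send it to the fabric a second time (NULL deref on the retry path) */` above the goto. Whether `ret` is examined at `out:` and the command re-queued on failure is outside the hunk, so I cannot confirm the error path is otherwise intact. transport_complete_qf starts and ends outside the hunk.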