--- /dev/null
+From 688bc577ac42ae3d07c889a1f0a72f0b23763d58 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Wed, 16 Sep 2015 16:18:59 +0100
+Subject: arm: KVM: Disable virtual timer even if the guest is not using it
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 688bc577ac42ae3d07c889a1f0a72f0b23763d58 upstream.
+
+When running a guest with the architected timer disabled (with QEMU and
+the kernel_irqchip=off option, for example), it is important to make
+sure the timer gets turned off. Otherwise, the guest may try to
+enable it anyway, leading to a screaming HW interrupt.
+
+The fix is to unconditionally turn off the virtual timer on guest
+exit.
+
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kvm/interrupts_head.S | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/kvm/interrupts_head.S
++++ b/arch/arm/kvm/interrupts_head.S
+@@ -518,8 +518,7 @@ ARM_BE8(rev r6, r6 )
+
+ mrc p15, 0, r2, c14, c3, 1 @ CNTV_CTL
+ str r2, [vcpu, #VCPU_TIMER_CNTV_CTL]
+- bic r2, #1 @ Clear ENABLE
+- mcr p15, 0, r2, c14, c3, 1 @ CNTV_CTL
++
+ isb
+
+ mrrc p15, 3, rr_lo_hi(r2, r3), c14 @ CNTV_CVAL
+@@ -532,6 +531,9 @@ ARM_BE8(rev r6, r6 )
+ mcrr p15, 4, r2, r2, c14 @ CNTVOFF
+
+ 1:
++ mov r2, #0 @ Clear ENABLE
++ mcr p15, 0, r2, c14, c3, 1 @ CNTV_CTL
++
+ @ Allow physical timer/counter access for the host
+ mrc p15, 4, r2, c14, c1, 0 @ CNTHCTL
+ orr r2, r2, #(CNTHCTL_PL1PCEN | CNTHCTL_PL1PCTEN)
--- /dev/null
+From ca09f02f122b2ecb0f5ddfc5fd47b29ed657d4fd Mon Sep 17 00:00:00 2001
+From: Marek Majtyka <marek.majtyka@tieto.com>
+Date: Wed, 16 Sep 2015 12:04:55 +0200
+Subject: arm: KVM: Fix incorrect device to IPA mapping
+
+From: Marek Majtyka <marek.majtyka@tieto.com>
+
+commit ca09f02f122b2ecb0f5ddfc5fd47b29ed657d4fd upstream.
+
+A critical bug has been found in device memory stage1 translation for
+VMs with more then 4GB of address space. Once vm_pgoff size is smaller
+then pa (which is true for LPAE case, u32 and u64 respectively) some
+more significant bits of pa may be lost as a shift operation is performed
+on u32 and later cast onto u64.
+
+Example: vm_pgoff(u32)=0x00210030, PAGE_SHIFT=12
+ expected pa(u64): 0x0000002010030000
+ produced pa(u64): 0x0000000010030000
+
+The fix is to change the order of operations (casting first onto phys_addr_t
+and then shifting).
+
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+[maz: fixed changelog and patch formatting]
+Signed-off-by: Marek Majtyka <marek.majtyka@tieto.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kvm/mmu.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -1790,8 +1790,10 @@ int kvm_arch_prepare_memory_region(struc
+ if (vma->vm_flags & VM_PFNMAP) {
+ gpa_t gpa = mem->guest_phys_addr +
+ (vm_start - mem->userspace_addr);
+- phys_addr_t pa = (vma->vm_pgoff << PAGE_SHIFT) +
+- vm_start - vma->vm_start;
++ phys_addr_t pa;
++
++ pa = (phys_addr_t)vma->vm_pgoff << PAGE_SHIFT;
++ pa += vm_start - vma->vm_start;
+
+ /* IO region dirty page logging not allowed */
+ if (memslot->flags & KVM_MEM_LOG_DIRTY_PAGES)
--- /dev/null
+From 8453fecbecae26edb3f278627376caab05d9a88d Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 15 Sep 2015 14:41:54 +0800
+Subject: kvm: don't try to register to KVM_FAST_MMIO_BUS for non mmio eventfd
+
+From: Jason Wang <jasowang@redhat.com>
+
+commit 8453fecbecae26edb3f278627376caab05d9a88d upstream.
+
+We only want zero length mmio eventfd to be registered on
+KVM_FAST_MMIO_BUS. So check this explicitly when arg->len is zero to
+make sure this.
+
+Cc: Gleb Natapov <gleb@kernel.org>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/eventfd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/virt/kvm/eventfd.c
++++ b/virt/kvm/eventfd.c
+@@ -846,7 +846,7 @@ kvm_assign_ioeventfd(struct kvm *kvm, st
+ /* When length is ignored, MMIO is also put on a separate bus, for
+ * faster lookups.
+ */
+- if (!args->len && !(args->flags & KVM_IOEVENTFD_FLAG_PIO)) {
++ if (!args->len && bus_idx == KVM_MMIO_BUS) {
+ ret = kvm_io_bus_register_dev(kvm, KVM_FAST_MMIO_BUS,
+ p->addr, 0, &p->dev);
+ if (ret < 0)
+@@ -901,7 +901,7 @@ kvm_deassign_ioeventfd(struct kvm *kvm,
+ continue;
+
+ kvm_io_bus_unregister_dev(kvm, bus_idx, &p->dev);
+- if (!p->length) {
++ if (!p->length && p->bus_idx == KVM_MMIO_BUS) {
+ kvm_io_bus_unregister_dev(kvm, KVM_FAST_MMIO_BUS,
+ &p->dev);
+ }
--- /dev/null
+From 85da11ca587c8eb73993a1b503052391a73586f9 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 15 Sep 2015 14:41:55 +0800
+Subject: kvm: factor out core eventfd assign/deassign logic
+
+From: Jason Wang <jasowang@redhat.com>
+
+commit 85da11ca587c8eb73993a1b503052391a73586f9 upstream.
+
+This patch factors out core eventfd assign/deassign logic and leaves
+the argument checking and bus index selection to callers.
+
+Cc: Gleb Natapov <gleb@kernel.org>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/eventfd.c | 85 +++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 50 insertions(+), 35 deletions(-)
+
+--- a/virt/kvm/eventfd.c
++++ b/virt/kvm/eventfd.c
+@@ -771,40 +771,14 @@ static enum kvm_bus ioeventfd_bus_from_f
+ return KVM_MMIO_BUS;
+ }
+
+-static int
+-kvm_assign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args)
++static int kvm_assign_ioeventfd_idx(struct kvm *kvm,
++ enum kvm_bus bus_idx,
++ struct kvm_ioeventfd *args)
+ {
+- enum kvm_bus bus_idx;
+- struct _ioeventfd *p;
+- struct eventfd_ctx *eventfd;
+- int ret;
+
+- bus_idx = ioeventfd_bus_from_flags(args->flags);
+- /* must be natural-word sized, or 0 to ignore length */
+- switch (args->len) {
+- case 0:
+- case 1:
+- case 2:
+- case 4:
+- case 8:
+- break;
+- default:
+- return -EINVAL;
+- }
+-
+- /* check for range overflow */
+- if (args->addr + args->len < args->addr)
+- return -EINVAL;
+-
+- /* check for extra flags that we don't understand */
+- if (args->flags & ~KVM_IOEVENTFD_VALID_FLAG_MASK)
+- return -EINVAL;
+-
+- /* ioeventfd with no length can't be combined with DATAMATCH */
+- if (!args->len &&
+- args->flags & (KVM_IOEVENTFD_FLAG_PIO |
+- KVM_IOEVENTFD_FLAG_DATAMATCH))
+- return -EINVAL;
++ struct eventfd_ctx *eventfd;
++ struct _ioeventfd *p;
++ int ret;
+
+ eventfd = eventfd_ctx_fdget(args->fd);
+ if (IS_ERR(eventfd))
+@@ -873,14 +847,13 @@ fail:
+ }
+
+ static int
+-kvm_deassign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args)
++kvm_deassign_ioeventfd_idx(struct kvm *kvm, enum kvm_bus bus_idx,
++ struct kvm_ioeventfd *args)
+ {
+- enum kvm_bus bus_idx;
+ struct _ioeventfd *p, *tmp;
+ struct eventfd_ctx *eventfd;
+ int ret = -ENOENT;
+
+- bus_idx = ioeventfd_bus_from_flags(args->flags);
+ eventfd = eventfd_ctx_fdget(args->fd);
+ if (IS_ERR(eventfd))
+ return PTR_ERR(eventfd);
+@@ -918,6 +891,48 @@ kvm_deassign_ioeventfd(struct kvm *kvm,
+ return ret;
+ }
+
++static int kvm_deassign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args)
++{
++ enum kvm_bus bus_idx = ioeventfd_bus_from_flags(args->flags);
++
++ return kvm_deassign_ioeventfd_idx(kvm, bus_idx, args);
++}
++
++static int
++kvm_assign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args)
++{
++ enum kvm_bus bus_idx;
++
++ bus_idx = ioeventfd_bus_from_flags(args->flags);
++ /* must be natural-word sized, or 0 to ignore length */
++ switch (args->len) {
++ case 0:
++ case 1:
++ case 2:
++ case 4:
++ case 8:
++ break;
++ default:
++ return -EINVAL;
++ }
++
++ /* check for range overflow */
++ if (args->addr + args->len < args->addr)
++ return -EINVAL;
++
++ /* check for extra flags that we don't understand */
++ if (args->flags & ~KVM_IOEVENTFD_VALID_FLAG_MASK)
++ return -EINVAL;
++
++ /* ioeventfd with no length can't be combined with DATAMATCH */
++ if (!args->len &&
++ args->flags & (KVM_IOEVENTFD_FLAG_PIO |
++ KVM_IOEVENTFD_FLAG_DATAMATCH))
++ return -EINVAL;
++
++ return kvm_assign_ioeventfd_idx(kvm, bus_idx, args);
++}
++
+ int
+ kvm_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args)
+ {
--- /dev/null
+From eefd6b06b17c5478e7c24bea6f64beaa2c431ca6 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 15 Sep 2015 14:41:56 +0800
+Subject: kvm: fix double free for fast mmio eventfd
+
+From: Jason Wang <jasowang@redhat.com>
+
+commit eefd6b06b17c5478e7c24bea6f64beaa2c431ca6 upstream.
+
+We register wildcard mmio eventfd on two buses, once for KVM_MMIO_BUS
+and once on KVM_FAST_MMIO_BUS but with a single iodev
+instance. This will lead to an issue: kvm_io_bus_destroy() knows
+nothing about the devices on two buses pointing to a single dev. Which
+will lead to double free[1] during exit. Fix this by allocating two
+instances of iodevs then registering one on KVM_MMIO_BUS and another
+on KVM_FAST_MMIO_BUS.
+
+CPU: 1 PID: 2894 Comm: qemu-system-x86 Not tainted 3.19.0-26-generic #28-Ubuntu
+Hardware name: LENOVO 2356BG6/2356BG6, BIOS G7ET96WW (2.56 ) 09/12/2013
+task: ffff88009ae0c4b0 ti: ffff88020e7f0000 task.ti: ffff88020e7f0000
+RIP: 0010:[<ffffffffc07e25d8>] [<ffffffffc07e25d8>] ioeventfd_release+0x28/0x60 [kvm]
+RSP: 0018:ffff88020e7f3bc8 EFLAGS: 00010292
+RAX: dead000000200200 RBX: ffff8801ec19c900 RCX: 000000018200016d
+RDX: ffff8801ec19cf80 RSI: ffffea0008bf1d40 RDI: ffff8801ec19c900
+RBP: ffff88020e7f3bd8 R08: 000000002fc75a01 R09: 000000018200016d
+R10: ffffffffc07df6ae R11: ffff88022fc75a98 R12: ffff88021e7cc000
+R13: ffff88021e7cca48 R14: ffff88021e7cca50 R15: ffff8801ec19c880
+FS: 00007fc1ee3e6700(0000) GS:ffff88023e240000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f8f389d8000 CR3: 000000023dc13000 CR4: 00000000001427e0
+Stack:
+ffff88021e7cc000 0000000000000000 ffff88020e7f3be8 ffffffffc07e2622
+ffff88020e7f3c38 ffffffffc07df69a ffff880232524160 ffff88020e792d80
+ 0000000000000000 ffff880219b78c00 0000000000000008 ffff8802321686a8
+Call Trace:
+[<ffffffffc07e2622>] ioeventfd_destructor+0x12/0x20 [kvm]
+[<ffffffffc07df69a>] kvm_put_kvm+0xca/0x210 [kvm]
+[<ffffffffc07df818>] kvm_vcpu_release+0x18/0x20 [kvm]
+[<ffffffff811f69f7>] __fput+0xe7/0x250
+[<ffffffff811f6bae>] ____fput+0xe/0x10
+[<ffffffff81093f04>] task_work_run+0xd4/0xf0
+[<ffffffff81079358>] do_exit+0x368/0xa50
+[<ffffffff81082c8f>] ? recalc_sigpending+0x1f/0x60
+[<ffffffff81079ad5>] do_group_exit+0x45/0xb0
+[<ffffffff81085c71>] get_signal+0x291/0x750
+[<ffffffff810144d8>] do_signal+0x28/0xab0
+[<ffffffff810f3a3b>] ? do_futex+0xdb/0x5d0
+[<ffffffff810b7028>] ? __wake_up_locked_key+0x18/0x20
+[<ffffffff810f3fa6>] ? SyS_futex+0x76/0x170
+[<ffffffff81014fc9>] do_notify_resume+0x69/0xb0
+[<ffffffff817cb9af>] int_signal+0x12/0x17
+Code: 5d c3 90 0f 1f 44 00 00 55 48 89 e5 53 48 89 fb 48 83 ec 08 48 8b 7f 20 e8 06 d6 a5 c0 48 8b 43 08 48 8b 13 48 89 df 48 89 42 08 <48> 89 10 48 b8 00 01 10 00 00
+ RIP [<ffffffffc07e25d8>] ioeventfd_release+0x28/0x60 [kvm]
+ RSP <ffff88020e7f3bc8>
+
+Cc: Gleb Natapov <gleb@kernel.org>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/eventfd.c | 43 +++++++++++++++++++++++++------------------
+ 1 file changed, 25 insertions(+), 18 deletions(-)
+
+--- a/virt/kvm/eventfd.c
++++ b/virt/kvm/eventfd.c
+@@ -817,16 +817,6 @@ static int kvm_assign_ioeventfd_idx(stru
+ if (ret < 0)
+ goto unlock_fail;
+
+- /* When length is ignored, MMIO is also put on a separate bus, for
+- * faster lookups.
+- */
+- if (!args->len && bus_idx == KVM_MMIO_BUS) {
+- ret = kvm_io_bus_register_dev(kvm, KVM_FAST_MMIO_BUS,
+- p->addr, 0, &p->dev);
+- if (ret < 0)
+- goto register_fail;
+- }
+-
+ kvm->buses[bus_idx]->ioeventfd_count++;
+ list_add_tail(&p->list, &kvm->ioeventfds);
+
+@@ -834,8 +824,6 @@ static int kvm_assign_ioeventfd_idx(stru
+
+ return 0;
+
+-register_fail:
+- kvm_io_bus_unregister_dev(kvm, bus_idx, &p->dev);
+ unlock_fail:
+ mutex_unlock(&kvm->slots_lock);
+
+@@ -874,10 +862,6 @@ kvm_deassign_ioeventfd_idx(struct kvm *k
+ continue;
+
+ kvm_io_bus_unregister_dev(kvm, bus_idx, &p->dev);
+- if (!p->length && p->bus_idx == KVM_MMIO_BUS) {
+- kvm_io_bus_unregister_dev(kvm, KVM_FAST_MMIO_BUS,
+- &p->dev);
+- }
+ kvm->buses[bus_idx]->ioeventfd_count--;
+ ioeventfd_release(p);
+ ret = 0;
+@@ -894,14 +878,19 @@ kvm_deassign_ioeventfd_idx(struct kvm *k
+ static int kvm_deassign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args)
+ {
+ enum kvm_bus bus_idx = ioeventfd_bus_from_flags(args->flags);
++ int ret = kvm_deassign_ioeventfd_idx(kvm, bus_idx, args);
++
++ if (!args->len && bus_idx == KVM_MMIO_BUS)
++ kvm_deassign_ioeventfd_idx(kvm, KVM_FAST_MMIO_BUS, args);
+
+- return kvm_deassign_ioeventfd_idx(kvm, bus_idx, args);
++ return ret;
+ }
+
+ static int
+ kvm_assign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args)
+ {
+ enum kvm_bus bus_idx;
++ int ret;
+
+ bus_idx = ioeventfd_bus_from_flags(args->flags);
+ /* must be natural-word sized, or 0 to ignore length */
+@@ -930,7 +919,25 @@ kvm_assign_ioeventfd(struct kvm *kvm, st
+ KVM_IOEVENTFD_FLAG_DATAMATCH))
+ return -EINVAL;
+
+- return kvm_assign_ioeventfd_idx(kvm, bus_idx, args);
++ ret = kvm_assign_ioeventfd_idx(kvm, bus_idx, args);
++ if (ret)
++ goto fail;
++
++ /* When length is ignored, MMIO is also put on a separate bus, for
++ * faster lookups.
++ */
++ if (!args->len && bus_idx == KVM_MMIO_BUS) {
++ ret = kvm_assign_ioeventfd_idx(kvm, KVM_FAST_MMIO_BUS, args);
++ if (ret < 0)
++ goto fast_fail;
++ }
++
++ return 0;
++
++fast_fail:
++ kvm_deassign_ioeventfd_idx(kvm, bus_idx, args);
++fail:
++ return ret;
+ }
+
+ int
--- /dev/null
+From 8f4216c7d28976f7ec1b2bcbfa0a9f787133c45e Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 15 Sep 2015 14:41:57 +0800
+Subject: kvm: fix zero length mmio searching
+
+From: Jason Wang <jasowang@redhat.com>
+
+commit 8f4216c7d28976f7ec1b2bcbfa0a9f787133c45e upstream.
+
+Currently, if we had a zero length mmio eventfd assigned on
+KVM_MMIO_BUS. It will never be found by kvm_io_bus_cmp() since it
+always compares the kvm_io_range() with the length that guest
+wrote. This will cause e.g for vhost, kick will be trapped by qemu
+userspace instead of vhost. Fixing this by using zero length if an
+iodevice is zero length.
+
+Cc: Gleb Natapov <gleb@kernel.org>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/kvm_main.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -2935,10 +2935,25 @@ static void kvm_io_bus_destroy(struct kv
+ static inline int kvm_io_bus_cmp(const struct kvm_io_range *r1,
+ const struct kvm_io_range *r2)
+ {
+- if (r1->addr < r2->addr)
++ gpa_t addr1 = r1->addr;
++ gpa_t addr2 = r2->addr;
++
++ if (addr1 < addr2)
+ return -1;
+- if (r1->addr + r1->len > r2->addr + r2->len)
++
++ /* If r2->len == 0, match the exact address. If r2->len != 0,
++ * accept any overlapping write. Any order is acceptable for
++ * overlapping ranges, because kvm_io_bus_get_first_dev ensures
++ * we process all of them.
++ */
++ if (r2->len) {
++ addr1 += r1->len;
++ addr2 += r2->len;
++ }
++
++ if (addr1 > addr2)
+ return 1;
++
+ return 0;
+ }
+
--- /dev/null
+From 7e022e717f54897e396504306d0c9b61452adf4e Mon Sep 17 00:00:00 2001
+From: "Gautham R. Shenoy" <ego@linux.vnet.ibm.com>
+Date: Thu, 21 May 2015 13:57:04 +0530
+Subject: KVM: PPC: Book3S HV: Pass the correct trap argument to kvmhv_commence_exit
+
+From: "Gautham R. Shenoy" <ego@linux.vnet.ibm.com>
+
+commit 7e022e717f54897e396504306d0c9b61452adf4e upstream.
+
+In guest_exit_cont we call kvmhv_commence_exit which expects the trap
+number as the argument. However r3 doesn't contain the trap number at
+this point and as a result we would be calling the function with a
+spurious trap number.
+
+Fix this by copying r12 into r3 before calling kvmhv_commence_exit as
+r12 contains the trap number.
+
+Fixes: eddb60fb1443
+Signed-off-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
+Signed-off-by: Paul Mackerras <paulus@samba.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_hv_rmhandlers.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+@@ -1171,6 +1171,7 @@ mc_cont:
+ bl kvmhv_accumulate_time
+ #endif
+
++ mr r3, r12
+ /* Increment exit count, poke other threads to exit */
+ bl kvmhv_commence_exit
+ nop
--- /dev/null
+From 3eb4ee68254235e4f47bc0410538fcdaede39589 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Fri, 18 Sep 2015 08:57:28 +0200
+Subject: KVM: PPC: Book3S: Take the kvm->srcu lock in kvmppc_h_logical_ci_load/store()
+
+From: Thomas Huth <thuth@redhat.com>
+
+commit 3eb4ee68254235e4f47bc0410538fcdaede39589 upstream.
+
+Access to the kvm->buses (like with the kvm_io_bus_read() and -write()
+functions) has to be protected via the kvm->srcu lock.
+The kvmppc_h_logical_ci_load() and -store() functions are missing
+this lock so far, so let's add it there, too.
+This fixes the problem that the kernel reports "suspicious RCU usage"
+when lock debugging is enabled.
+
+Fixes: 99342cf8044420eebdf9297ca03a14cb6a7085a1
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Paul Mackerras <paulus@samba.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/powerpc/kvm/book3s.c
++++ b/arch/powerpc/kvm/book3s.c
+@@ -826,12 +826,15 @@ int kvmppc_h_logical_ci_load(struct kvm_
+ unsigned long size = kvmppc_get_gpr(vcpu, 4);
+ unsigned long addr = kvmppc_get_gpr(vcpu, 5);
+ u64 buf;
++ int srcu_idx;
+ int ret;
+
+ if (!is_power_of_2(size) || (size > sizeof(buf)))
+ return H_TOO_HARD;
+
++ srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);
+ ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, size, &buf);
++ srcu_read_unlock(&vcpu->kvm->srcu, srcu_idx);
+ if (ret != 0)
+ return H_TOO_HARD;
+
+@@ -866,6 +869,7 @@ int kvmppc_h_logical_ci_store(struct kvm
+ unsigned long addr = kvmppc_get_gpr(vcpu, 5);
+ unsigned long val = kvmppc_get_gpr(vcpu, 6);
+ u64 buf;
++ int srcu_idx;
+ int ret;
+
+ switch (size) {
+@@ -889,7 +893,9 @@ int kvmppc_h_logical_ci_store(struct kvm
+ return H_TOO_HARD;
+ }
+
++ srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);
+ ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, addr, size, &buf);
++ srcu_read_unlock(&vcpu->kvm->srcu, srcu_idx);
+ if (ret != 0)
+ return H_TOO_HARD;
+
--- /dev/null
+From 04bb92e4b4cf06a66889d37b892b78f926faa9d4 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Wed, 16 Sep 2015 19:31:11 +0800
+Subject: KVM: vmx: fix VPID is 0000H in non-root operation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+commit 04bb92e4b4cf06a66889d37b892b78f926faa9d4 upstream.
+
+Reference SDM 28.1:
+
+The current VPID is 0000H in the following situations:
+- Outside VMX operation. (This includes operation in system-management
+ mode under the default treatment of SMIs and SMM with VMX operation;
+ see Section 34.14.)
+- In VMX root operation.
+- In VMX non-root operation when the “enable VPID” VM-execution control
+ is 0.
+
+The VPID should never be 0000H in non-root operation when "enable VPID"
+VM-execution control is 1. However, commit 34a1cd60 ("kvm: x86: vmx:
+move some vmx setting from vmx_init() to hardware_setup()") remove the
+codes which reserve 0000H for VMX root operation.
+
+This patch fix it by again reserving 0000H for VMX root operation.
+
+Fixes: 34a1cd60d17f62c1f077c1478a6c2ca8c3d17af4
+Reported-by: Wincy Van <fanwenyi0529@gmail.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6144,6 +6144,8 @@ static __init int hardware_setup(void)
+ memcpy(vmx_msr_bitmap_longmode_x2apic,
+ vmx_msr_bitmap_longmode, PAGE_SIZE);
+
++ set_bit(0, vmx_vpid_bitmap); /* 0 is reserved for host */
++
+ if (enable_apicv) {
+ for (msr = 0x800; msr <= 0x8ff; msr++)
+ vmx_disable_intercept_msr_read_x2apic(msr);
--- /dev/null
+From 2619d7e9c92d524cb155ec89fd72875321512e5b Mon Sep 17 00:00:00 2001
+From: John Stultz <john.stultz@linaro.org>
+Date: Wed, 9 Sep 2015 16:07:30 -0700
+Subject: time: Fix timekeeping_freqadjust()'s incorrect use of abs() instead of abs64()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John Stultz <john.stultz@linaro.org>
+
+commit 2619d7e9c92d524cb155ec89fd72875321512e5b upstream.
+
+The internal clocksteering done for fine-grained error
+correction uses a logarithmic approximation, so any time
+adjtimex() adjusts the clock steering, timekeeping_freqadjust()
+quickly approximates the correct clock frequency over a series
+of ticks.
+
+Unfortunately, the logic in timekeeping_freqadjust(), introduced
+in commit:
+
+ dc491596f639 ("timekeeping: Rework frequency adjustments to work better w/ nohz")
+
+used the abs() function with a s64 error value to calculate the
+size of the approximated adjustment to be made.
+
+Per include/linux/kernel.h:
+
+ "abs() should not be used for 64-bit types (s64, u64, long long) - use abs64()".
+
+Thus on 32-bit platforms, this resulted in the clocksteering to
+take a quite dampended random walk trying to converge on the
+proper frequency, which caused the adjustments to be made much
+slower then intended (most easily observed when large
+adjustments are made).
+
+This patch fixes the issue by using abs64() instead.
+
+Reported-by: Nuno Gonçalves <nunojpg@gmail.com>
+Tested-by: Nuno Goncalves <nunojpg@gmail.com>
+Signed-off-by: John Stultz <john.stultz@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Miroslav Lichvar <mlichvar@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Prarit Bhargava <prarit@redhat.com>
+Cc: Richard Cochran <richardcochran@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/1441840051-20244-1-git-send-email-john.stultz@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/timekeeping.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/time/timekeeping.c
++++ b/kernel/time/timekeeping.c
+@@ -1615,7 +1615,7 @@ static __always_inline void timekeeping_
+ negative = (tick_error < 0);
+
+ /* Sort out the magnitude of the correction */
+- tick_error = abs(tick_error);
++ tick_error = abs64(tick_error);
+ for (adj = 0; tick_error > interval; adj++)
+ tick_error >>= 1;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
