--- /dev/null
+From 6f3508f61c814ee852c199988a62bd954c50dfc1 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 20 Jan 2016 12:54:51 +0300
+Subject: EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 6f3508f61c814ee852c199988a62bd954c50dfc1 upstream.
+
+dct_sel_base_off is declared as a u64 but we're only using the lower 32
+bits because of a shift wrapping bug. This can possibly truncate the
+upper 16 bits of DctSelBaseOffset[47:26], causing us to misdecode the CS
+row.
+
+Fixes: c8e518d5673d ('amd64_edac: Sanitize f10_get_base_addr_offset')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Aravind Gopalakrishnan <Aravind.Gopalakrishnan@amd.com>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20160120095451.GB19898@mwanda
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/amd64_edac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/amd64_edac.c
++++ b/drivers/edac/amd64_edac.c
+@@ -1294,7 +1294,7 @@ static u64 f1x_get_norm_dct_addr(struct
+ u64 chan_off;
+ u64 dram_base = get_dram_base(pvt, range);
+ u64 hole_off = f10_dhar_offset(pvt);
+- u64 dct_sel_base_off = (pvt->dct_sel_hi & 0xFFFFFC00) << 16;
++ u64 dct_sel_base_off = (u64)(pvt->dct_sel_hi & 0xFFFFFC00) << 16;
+
+ if (hi_rng) {
+ /*
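Review bot: The widened shift on the `dct_sel_base_off` declaration has no comment explaining the cast, so a later cleanup could drop it as redundant and bring the truncation back. I would add `/* cast before shifting: DctSelBaseOffset[47:26] does not fit in 32 bits after << 16 */` above that line. The mask stays the 32-bit literal `0xFFFFFC00`, which is fine because the cast applies to the result of the AND and before the shift, but that ordering is the whole fix and worth stating. The body of f1x_get_norm_dct_addr continues outside the hunk, so any other shifts in it are not visible here and may deserve the same check.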
--- /dev/null
+From e9ad4ec8379ad1ba6f68b8ca1c26b50b5ae0a327 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 21 Mar 2016 10:15:25 +0100
+Subject: KVM: fix spin_lock_init order on x86
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit e9ad4ec8379ad1ba6f68b8ca1c26b50b5ae0a327 upstream.
+
+Moving the initialization earlier is needed in 4.6 because
+kvm_arch_init_vm is now using mmu_lock, causing lockdep to
+complain:
+
+[ 284.440294] INFO: trying to register non-static key.
+[ 284.445259] the code is fine but needs lockdep annotation.
+[ 284.450736] turning off the locking correctness validator.
+...
+[ 284.528318] [<ffffffff810aecc3>] lock_acquire+0xd3/0x240
+[ 284.533733] [<ffffffffa0305aa0>] ? kvm_page_track_register_notifier+0x20/0x60 [kvm]
+[ 284.541467] [<ffffffff81715581>] _raw_spin_lock+0x41/0x80
+[ 284.546960] [<ffffffffa0305aa0>] ? kvm_page_track_register_notifier+0x20/0x60 [kvm]
+[ 284.554707] [<ffffffffa0305aa0>] kvm_page_track_register_notifier+0x20/0x60 [kvm]
+[ 284.562281] [<ffffffffa02ece70>] kvm_mmu_init_vm+0x20/0x30 [kvm]
+[ 284.568381] [<ffffffffa02dbf7a>] kvm_arch_init_vm+0x1ea/0x200 [kvm]
+[ 284.574740] [<ffffffffa02bff3f>] kvm_dev_ioctl+0xbf/0x4d0 [kvm]
+
+However, it also helps fixing a preexisting problem, which is why this
+patch is also good for stable kernels: kvm_create_vm was incrementing
+current->mm->mm_count but not decrementing it at the out_err label (in
+case kvm_init_mmu_notifier failed). The new initialization order makes
+it possible to add the required mmdrop without adding a new error label.
+
+Reported-by: Borislav Petkov <bp@alien8.de>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/kvm_main.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -454,6 +454,16 @@ static struct kvm *kvm_create_vm(unsigne
+ if (!kvm)
+ return ERR_PTR(-ENOMEM);
+
++ spin_lock_init(&kvm->mmu_lock);
++ atomic_inc(¤t->mm->mm_count);
++ kvm->mm = current->mm;
++ kvm_eventfd_init(kvm);
++ mutex_init(&kvm->lock);
++ mutex_init(&kvm->irq_lock);
++ mutex_init(&kvm->slots_lock);
++ atomic_set(&kvm->users_count, 1);
++ INIT_LIST_HEAD(&kvm->devices);
++
+ r = kvm_arch_init_vm(kvm, type);
+ if (r)
+ goto out_err_nodisable;
+@@ -483,16 +493,6 @@ static struct kvm *kvm_create_vm(unsigne
+ goto out_err;
+ }
+
+- spin_lock_init(&kvm->mmu_lock);
+- kvm->mm = current->mm;
+- atomic_inc(&kvm->mm->mm_count);
+- kvm_eventfd_init(kvm);
+- mutex_init(&kvm->lock);
+- mutex_init(&kvm->irq_lock);
+- mutex_init(&kvm->slots_lock);
+- atomic_set(&kvm->users_count, 1);
+- INIT_LIST_HEAD(&kvm->devices);
+-
+ r = kvm_init_mmu_notifier(kvm);
+ if (r)
+ goto out_err;
+@@ -512,6 +512,7 @@ out_err_nodisable:
+ kfree(kvm->buses[i]);
+ kfree(kvm->memslots);
+ kvm_arch_free_vm(kvm);
++ mmdrop(current->mm);
+ return ERR_PTR(r);
+ }
+
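Review bot: The new `mmdrop(current->mm);` under `out_err_nodisable` is the only release for the `mm_count` reference taken at the top of kvm_create_vm, and neither site says the two are paired. It uses `current->mm` rather than `kvm->mm`, presumably because it runs after `kvm_arch_free_vm(kvm)`; a comment such as `/* pairs with the mm_count increment above; kvm is already freed, so use current->mm */` would stop someone "tidying" it into a use of freed memory. From the visible lines the only return before the increment is the `!kvm` allocation failure, so the count looks balanced on the error paths, but the middle of the function is outside these hunks. The added increment is rendered on this page as `atomic_inc(¤t->mm->mm_count);`, which looks like an entity-decoding artifact of `&current`, so check the patch text against upstream before applying it.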
--- /dev/null
+From 7dd0fdff145c5be7146d0ac06732ae3613412ac1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Wed, 2 Mar 2016 22:56:38 +0100
+Subject: KVM: i8254: change PIT discard tick policy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Radim Krčmář <rkrcmar@redhat.com>
+
+commit 7dd0fdff145c5be7146d0ac06732ae3613412ac1 upstream.
+
+Discard policy uses ack_notifiers to prevent injection of PIT interrupts
+before EOI from the last one.
+
+This patch changes the policy to always try to deliver the interrupt,
+which makes a difference when its vector is in ISR.
+Old implementation would drop the interrupt, but proposed one injects to
+IRR, like real hardware would.
+
+The old policy breaks legacy NMI watchdogs, where PIT is used through
+virtual wire (LVT0): PIT never sends an interrupt before receiving EOI,
+thus a guest deadlock with disabled interrupts will stop NMIs.
+
+Note that NMI doesn't do EOI, so PIT also had to send a normal interrupt
+through IOAPIC. (KVM's PIT is deeply rotten and luckily not used much
+in modern systems.)
+
+Even though there is a chance of regressions, I think we can fix the
+LVT0 NMI bug without introducing a new tick policy.
+
+Reported-by: Yuki Shibuya <shibuya.yk@ncos.nec.co.jp>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/i8254.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kvm/i8254.c
++++ b/arch/x86/kvm/i8254.c
+@@ -244,7 +244,7 @@ static void kvm_pit_ack_irq(struct kvm_i
+ * PIC is being reset. Handle it gracefully here
+ */
+ atomic_inc(&ps->pending);
+- else if (value > 0)
++ else if (value > 0 && ps->reinject)
+ /* in this case, we had multiple outstanding pit interrupts
+ * that we needed to inject. Reinject
+ */
+@@ -287,7 +287,9 @@ static void pit_do_work(struct kthread_w
+ * last one has been acked.
+ */
+ spin_lock(&ps->inject_lock);
+- if (ps->irq_ack) {
++ if (!ps->reinject)
++ inject = 1;
++ else if (ps->irq_ack) {
+ ps->irq_ack = 0;
+ inject = 1;
+ }
+@@ -316,10 +318,10 @@ static enum hrtimer_restart pit_timer_fn
+ struct kvm_kpit_state *ps = container_of(data, struct kvm_kpit_state, timer);
+ struct kvm_pit *pt = ps->kvm->arch.vpit;
+
+- if (ps->reinject || !atomic_read(&ps->pending)) {
++ if (ps->reinject)
+ atomic_inc(&ps->pending);
+- queue_kthread_work(&pt->worker, &pt->expired);
+- }
++
++ queue_kthread_work(&pt->worker, &pt->expired);
+
+ if (ps->is_periodic) {
+ hrtimer_add_expires_ns(&ps->timer, ps->period);
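Review bot: In the pit_do_work hunk the existing comment ending "last one has been acked" now describes only the reinject case, because with `!ps->reinject` the new branch sets `inject = 1` without consulting `irq_ack`. I would extend that comment with a line like `* In discard mode (!reinject) always try to deliver, as hardware would.` and brace both arms so they match: `if (!ps->reinject) {` … `} else if (ps->irq_ack) {`. In pit_timer_fn the work item is now queued on every expiry whether or not the guest has acked the previous interrupt, so it is worth confirming that the guest-programmable period has a lower bound elsewhere in the file; that is not visible in these hunks. All three functions continue outside the hunks shown.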
--- /dev/null
+From 2849eb4f99d54925c543db12917127f88b3c38ff Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 18 Mar 2016 16:53:29 +0100
+Subject: KVM: VMX: avoid guest hang on invalid invept instruction
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 2849eb4f99d54925c543db12917127f88b3c38ff upstream.
+
+A guest executing an invalid invept instruction would hang
+because the instruction pointer was not updated.
+
+Fixes: bfd0a56b90005f8c8a004baf407ad90045c2b11e
+Reviewed-by: David Matlack <dmatlack@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/vmx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6423,6 +6423,7 @@ static int handle_invept(struct kvm_vcpu
+ if (!(types & (1UL << type))) {
+ nested_vmx_failValid(vcpu,
+ VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
++ skip_emulated_instruction(vcpu);
+ return 1;
+ }
+
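Review bot: The added `skip_emulated_instruction(vcpu);` covers only the invalid-type branch of handle_invept. Any other early `return 1` that follows a nested_vmx_fail* call in this function, or in the INVVPID handler if this tree has one, should be checked for the same missing RIP advance; the body outside this hunk is not visible. A short comment on the new line would help, e.g. `/* advance RIP, or the guest re-executes the bad INVEPT forever */`. Since the operand is guest-controlled, a regression test that issues INVEPT with an unsupported type and checks that the guest makes progress would pin the fix.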
--- /dev/null
+From b84106b4e2290c081cdab521fa832596cdfea246 Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Thu, 25 Feb 2016 14:35:57 -0600
+Subject: PCI: Disable IO/MEM decoding for devices with non-compliant BARs
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+commit b84106b4e2290c081cdab521fa832596cdfea246 upstream.
+
+The PCI config header (first 64 bytes of each device's config space) is
+defined by the PCI spec so generic software can identify the device and
+manage its usage of I/O, memory, and IRQ resources.
+
+Some non-spec-compliant devices put registers other than BARs where the
+BARs should be. When the PCI core sizes these "BARs", the reads and writes
+it does may have unwanted side effects, and the "BAR" may appear to
+describe non-sensical address space.
+
+Add a flag bit to mark non-compliant devices so we don't touch their BARs.
+Turn off IO/MEM decoding to prevent the devices from consuming address
+space, since we can't read the BARs to find out what that address space
+would be.
+
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/probe.c | 14 ++++++++++++++
+ include/linux/pci.h | 1 +
+ 2 files changed, 15 insertions(+)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -175,6 +175,9 @@ int __pci_read_base(struct pci_dev *dev,
+ struct pci_bus_region region, inverted_region;
+ bool bar_too_big = false, bar_disabled = false;
+
++ if (dev->non_compliant_bars)
++ return 0;
++
+ mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
+
+ /* No printks while decoding is disabled! */
+@@ -1074,6 +1077,7 @@ int pci_cfg_space_size(struct pci_dev *d
+ int pci_setup_device(struct pci_dev *dev)
+ {
+ u32 class;
++ u16 cmd;
+ u8 hdr_type;
+ struct pci_slot *slot;
+ int pos = 0;
+@@ -1121,6 +1125,16 @@ int pci_setup_device(struct pci_dev *dev
+ /* device class may be changed after fixup */
+ class = dev->class >> 8;
+
++ if (dev->non_compliant_bars) {
++ pci_read_config_word(dev, PCI_COMMAND, &cmd);
++ if (cmd & (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)) {
++ dev_info(&dev->dev, "device has non-compliant BARs; disabling IO/MEM decoding\n");
++ cmd &= ~PCI_COMMAND_IO;
++ cmd &= ~PCI_COMMAND_MEMORY;
++ pci_write_config_word(dev, PCI_COMMAND, cmd);
++ }
++ }
++
+ switch (dev->hdr_type) { /* header type */
+ case PCI_HEADER_TYPE_NORMAL: /* standard header */
+ if (class == PCI_CLASS_BRIDGE_PCI)
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -344,6 +344,7 @@ struct pci_dev {
+ unsigned int __aer_firmware_first:1;
+ unsigned int broken_intx_masking:1;
+ unsigned int io_window_1k:1; /* Intel P2P bridge 1K I/O windows */
++ unsigned int non_compliant_bars:1; /* broken BARs; ignore them */
+ pci_dev_flags_t dev_flags;
+ atomic_t enable_cnt; /* pci_enable_device has been called */
+
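Review bot: Nothing in this patch sets `non_compliant_bars`, so the new checks in `__pci_read_base` and `pci_setup_device` are inert until a quirk sets the bit. That quirk has to run before the check in pci_setup_device; the "after fixup" comment in the hunk suggests an early fixup is the intended place. I would say so on the field, e.g. `/* broken BARs; ignore them (set from an early fixup, before BAR sizing) */`. In the pci_setup_device hunk the result of `pci_read_config_word()` is ignored before `cmd` is tested and written back; if that read can fail here, checking it avoids writing a command word derived from a bad read. The two mask lines can also be folded into one: `cmd &= ~(PCI_COMMAND_IO | PCI_COMMAND_MEMORY);`.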
target-drop-incorrect-abort_task-put-for-completed-commands.patch
usb-serial-add-google-simple-serial-subclass-support.patch
+kvm-i8254-change-pit-discard-tick-policy.patch
+kvm-fix-spin_lock_init-order-on-x86.patch
+kvm-vmx-avoid-guest-hang-on-invalid-invept-instruction.patch
+edac-amd64_edac-shift-wrapping-issue-in-f1x_get_norm_dct_addr.patch
+pci-disable-io-mem-decoding-for-devices-with-non-compliant-bars.patch