--- /dev/null
+From 7627e40c66b5547e12b6c5673646ceea84797a74 Mon Sep 17 00:00:00 2001
+From: Piotr Karasinski <peter.karasinski@gmail.com>
+Date: Sat, 6 Aug 2016 21:23:05 +0200
+Subject: ALSA: usb-audio: Add a sample rate quirk for Creative Live! Cam Socialize HD (VF0610)
+
+From: Piotr Karasinski <peter.karasinski@gmail.com>
+
+commit 7627e40c66b5547e12b6c5673646ceea84797a74 upstream.
+
+VF0610 does not support reading the sample rate which leads to many
+lines of "cannot get freq at ep 0x82". This patch adds the USB ID
+(0x041E:4080) to snd_usb_get_sample_rate_quirk() list.
+
+Signed-off-by: Piotr Karasinski <peter.karasinski@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1129,6 +1129,7 @@ bool snd_usb_get_sample_rate_quirk(struc
+ {
+ /* devices which do not support reading the sample rate. */
+ switch (chip->usb_id) {
++ case USB_ID(0x041E, 0x4080): /* Creative Live Cam VF0610 */
+ case USB_ID(0x045E, 0x075D): /* MS Lifecam Cinema */
+ case USB_ID(0x045E, 0x076D): /* MS Lifecam HD-5000 */
+ case USB_ID(0x045E, 0x076E): /* MS Lifecam HD-5001 */
--- /dev/null
+From 41f5e3bdbf706a9e98194bf0c4b62a875c02f170 Mon Sep 17 00:00:00 2001
+From: "Vittorio Gambaletta (VittGam)" <linuxbugs@vittgam.net>
+Date: Mon, 8 Aug 2016 12:35:40 +0200
+Subject: ALSA: usb-audio: Add quirk for ELP HD USB Camera
+
+From: Vittorio Gambaletta (VittGam) <linuxbugs@vittgam.net>
+
+commit 41f5e3bdbf706a9e98194bf0c4b62a875c02f170 upstream.
+
+The ELP HD USB Camera (05a3:9420) needs this quirk for suppressing
+the unsupported sample rate inquiry.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=98481
+Signed-off-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1140,6 +1140,7 @@ bool snd_usb_get_sample_rate_quirk(struc
+ case USB_ID(0x047F, 0xAA05): /* Plantronics DA45 */
+ case USB_ID(0x04D8, 0xFEEA): /* Benchmark DAC1 Pre */
+ case USB_ID(0x0556, 0x0014): /* Phoenix Audio TMX320VC */
++ case USB_ID(0x05A3, 0x9420): /* ELP HD USB Camera */
+ case USB_ID(0x074D, 0x3553): /* Outlaw RR2150 (Micronas UAC3553B) */
+ case USB_ID(0x1de7, 0x0013): /* Phoenix Audio MT202exe */
+ case USB_ID(0x1de7, 0x0014): /* Phoenix Audio TMX320 */
--- /dev/null
+From 3146bc64d12377a74dbda12b96ea32da3774ae07 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Mon, 25 Jul 2016 16:59:52 +0100
+Subject: arm64: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 3146bc64d12377a74dbda12b96ea32da3774ae07 upstream.
+
+AT_VECTOR_SIZE_ARCH should be defined with the maximum number of
+NEW_AUX_ENT entries that ARCH_DLINFO can contain, but it wasn't defined
+for arm64 at all even though ARCH_DLINFO will contain one NEW_AUX_ENT
+for the VDSO address.
+
+This shouldn't be a problem as AT_VECTOR_SIZE_BASE includes space for
+AT_BASE_PLATFORM which arm64 doesn't use, but lets define it now and add
+the comment above ARCH_DLINFO as found in several other architectures to
+remind future modifiers of ARCH_DLINFO to keep AT_VECTOR_SIZE_ARCH up to
+date.
+
+Fixes: f668cd1673aa ("arm64: ELF definitions")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/elf.h | 1 +
+ arch/arm64/include/uapi/asm/auxvec.h | 2 ++
+ 2 files changed, 3 insertions(+)
+
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -136,6 +136,7 @@ typedef struct user_fpsimd_state elf_fpr
+
+ #define SET_PERSONALITY(ex) clear_thread_flag(TIF_32BIT);
+
++/* update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT entries changes */
+ #define ARCH_DLINFO \
+ do { \
+ NEW_AUX_ENT(AT_SYSINFO_EHDR, \
+--- a/arch/arm64/include/uapi/asm/auxvec.h
++++ b/arch/arm64/include/uapi/asm/auxvec.h
+@@ -19,4 +19,6 @@
+ /* vDSO location */
+ #define AT_SYSINFO_EHDR 33
+
++#define AT_VECTOR_SIZE_ARCH 1 /* entries in ARCH_DLINFO */
++
+ #endif
--- /dev/null
+From 68202c9f0ad6e16ee806fbadbc5838d55fe5aa5c Mon Sep 17 00:00:00 2001
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+Date: Fri, 29 Jul 2016 14:59:12 -0600
+Subject: libnvdimm, nd_blk: mask off reserved status bits
+
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+
+commit 68202c9f0ad6e16ee806fbadbc5838d55fe5aa5c upstream.
+
+The "NVDIMM Block Window Driver Writer's Guide":
+
+ http://pmem.io/documents/NVDIMM_DriverWritersGuide-July-2016.pdf
+
+...defines the layout of the block window status register. For the July
+2016 version of the spec linked to above, this happens in Figure 4 on
+page 26.
+
+The only bits defined in this spec are bits 31, 5, 4, 2, 1 and 0. The
+rest of the bits in the status register are reserved, and there is a
+warning following the diagram that says:
+
+ Note: The driver cannot assume the value of the RESERVED bits in the
+ status register are zero. These reserved bits need to be masked off, and
+ the driver must avoid checking the state of those bits.
+
+This change ensures that for hardware implementations that set these
+reserved bits in the status register, the driver won't incorrectly fail the
+block I/Os.
+
+Reviewed-by: Lee, Chun-Yi <jlee@suse.com>
+Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/nfit.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/nfit.c
++++ b/drivers/acpi/nfit.c
+@@ -1072,11 +1072,12 @@ static u32 read_blk_stat(struct nfit_blk
+ {
+ struct nfit_blk_mmio *mmio = &nfit_blk->mmio[DCR];
+ u64 offset = nfit_blk->stat_offset + mmio->size * bw;
++ const u32 STATUS_MASK = 0x80000037;
+
+ if (mmio->num_lines)
+ offset = to_interleave_offset(offset, mmio);
+
+- return readl(mmio->addr.base + offset);
++ return readl(mmio->addr.base + offset) & STATUS_MASK;
+ }
+
+ static void write_blk_ctl(struct nfit_blk *nfit_blk, unsigned int bw,
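Review bot: `STATUS_MASK` in read_blk_stat() is a bare hex literal with no record of which bits it keeps, and its all-caps name on a function-local `const` reads like a macro. The commit message lists the defined bits as 31, 5, 4, 2, 1 and 0, which matches 0x80000037, so a comment on the declaration such as `/* bits 31, 5, 4, 2, 1, 0 are defined; all others are reserved and must be ignored */` would let a later reader check the mask against the spec. Callers that compare the returned status against error bits are outside the hunk, so whether any of them relied on a reserved bit cannot be confirmed from here.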
--- /dev/null
+From 3eb53b20d7bd1374598cfb1feaa081fcac0e76cd Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 20 Aug 2016 11:51:38 +0200
+Subject: parisc: Fix order of EREFUSED define in errno.h
+
+From: Helge Deller <deller@gmx.de>
+
+commit 3eb53b20d7bd1374598cfb1feaa081fcac0e76cd upstream.
+
+When building gccgo in userspace, errno.h gets parsed and the go include file
+sysinfo.go is generated.
+
+Since EREFUSED is defined to the same value as ECONNREFUSED, and ECONNREFUSED
+is defined later on in errno.h, this leads to go complaining that EREFUSED
+isn't defined yet.
+
+Fix this trivial problem by moving the define of EREFUSED down after
+ECONNREFUSED in errno.h (and clean up the indenting while touching this line).
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/uapi/asm/errno.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/parisc/include/uapi/asm/errno.h
++++ b/arch/parisc/include/uapi/asm/errno.h
+@@ -97,10 +97,10 @@
+ #define ENOTCONN 235 /* Transport endpoint is not connected */
+ #define ESHUTDOWN 236 /* Cannot send after transport endpoint shutdown */
+ #define ETOOMANYREFS 237 /* Too many references: cannot splice */
+-#define EREFUSED ECONNREFUSED /* for HP's NFS apparently */
+ #define ETIMEDOUT 238 /* Connection timed out */
+ #define ECONNREFUSED 239 /* Connection refused */
+-#define EREMOTERELEASE 240 /* Remote peer released connection */
++#define EREFUSED ECONNREFUSED /* for HP's NFS apparently */
++#define EREMOTERELEASE 240 /* Remote peer released connection */
+ #define EHOSTDOWN 241 /* Host is down */
+ #define EHOSTUNREACH 242 /* No route to host */
+
--- /dev/null
+From 3d918fb13abdbeca7947578f5d7e426eafad7f5e Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Mon, 15 Aug 2016 10:23:04 +0300
+Subject: perf intel-pt: Fix occasional decoding errors when tracing system-wide
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 3d918fb13abdbeca7947578f5d7e426eafad7f5e upstream.
+
+In order to successfully decode Intel PT traces, context switch events
+are needed from the moment the trace starts. Currently that is ensured
+by using the 'immediate' flag which enables the switch event when it is
+opened.
+
+However, since commit 86c2786994bd ("perf intel-pt: Add support for
+PERF_RECORD_SWITCH") that might not always happen. When tracing
+system-wide the context switch event is added to the tracking event
+which was not set as 'immediate'. Change that so it is.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Fixes: 86c2786994bd ("perf intel-pt: Add support for PERF_RECORD_SWITCH")
+Link: http://lkml.kernel.org/r/1471245784-22580-1-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/arch/x86/util/intel-pt.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/arch/x86/util/intel-pt.c
++++ b/tools/perf/arch/x86/util/intel-pt.c
+@@ -499,7 +499,7 @@ static int intel_pt_recording_options(st
+ struct intel_pt_recording *ptr =
+ container_of(itr, struct intel_pt_recording, itr);
+ struct perf_pmu *intel_pt_pmu = ptr->intel_pt_pmu;
+- bool have_timing_info;
++ bool have_timing_info, need_immediate = false;
+ struct perf_evsel *evsel, *intel_pt_evsel = NULL;
+ const struct cpu_map *cpus = evlist->cpus;
+ bool privileged = geteuid() == 0 || perf_event_paranoid() < 0;
+@@ -653,6 +653,7 @@ static int intel_pt_recording_options(st
+ ptr->have_sched_switch = 3;
+ } else {
+ opts->record_switch_events = true;
++ need_immediate = true;
+ if (cpu_wide)
+ ptr->have_sched_switch = 3;
+ else
+@@ -698,6 +699,9 @@ static int intel_pt_recording_options(st
+ tracking_evsel->attr.freq = 0;
+ tracking_evsel->attr.sample_period = 1;
+
++ if (need_immediate)
++ tracking_evsel->immediate = true;
++
+ /* In per-cpu case, always need the time of mmap events etc */
+ if (!cpu_map__empty(cpus)) {
+ perf_evsel__set_sample_bit(tracking_evsel, TIME);
--- /dev/null
+From 949e9b827eb4736d96df520c67d07a54c64e99b8 Mon Sep 17 00:00:00 2001
+From: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Date: Fri, 23 Oct 2015 17:19:46 +1100
+Subject: powerpc/eeh: eeh_pci_enable(): fix checking of post-request state
+
+From: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+
+commit 949e9b827eb4736d96df520c67d07a54c64e99b8 upstream.
+
+In eeh_pci_enable(), after making the request to set the new options, we
+call eeh_ops->wait_state() to check that the request finished successfully.
+
+At the moment, if eeh_ops->wait_state() returns 0, we return 0 without
+checking that it reflects the expected outcome. This can lead to callers
+further up the chain incorrectly assuming the slot has been successfully
+unfrozen and continuing to attempt recovery.
+
+On powernv, this will occur if pnv_eeh_get_pe_state() or
+pnv_eeh_get_phb_state() return 0, which in turn occurs if the relevant OPAL
+call returns OPAL_EEH_STOPPED_MMIO_DMA_FREEZE or
+OPAL_EEH_PHB_ERROR respectively.
+
+On pseries, this will occur if pseries_eeh_get_state() returns 0, which in
+turn occurs if RTAS reports that the PE is in the MMIO Stopped and DMA
+Stopped states.
+
+Obviously, none of these cases represent a successful completion of a
+request to thaw MMIO or DMA.
+
+Fix the check so that a wait_state() return value of 0 won't be considered
+successful for the EEH_OPT_THAW_MMIO or EEH_OPT_THAW_DMA cases.
+
+Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Acked-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
+Reviewed-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/eeh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/eeh.c
++++ b/arch/powerpc/kernel/eeh.c
+@@ -677,7 +677,7 @@ int eeh_pci_enable(struct eeh_pe *pe, in
+ /* Check if the request is finished successfully */
+ if (active_flag) {
+ rc = eeh_ops->wait_state(pe, PCI_BUS_RESET_WAIT_MSEC);
+- if (rc <= 0)
++ if (rc < 0)
+ return rc;
+
+ if (rc & active_flag)
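Review bot: The comment `/* Check if the request is finished successfully */` above the changed test no longer explains why a zero return from `eeh_ops->wait_state()` is allowed to continue. With `if (rc < 0)` a zero state now reaches `if (rc & active_flag)`, which cannot match, so the result depends on code after that test, which lies outside the hunk. I would add a comment like `/* rc == 0 is a valid state with no active flags set, not success */` next to the check, and confirm that the fall-through path returns an error for the thaw cases. eeh_pci_enable() begins and ends outside the hunk.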
x86-mm-disable-preemption-during-cr3-read-write.patch
uprobes-x86-fix-rip-relative-handling-of-evex-encoded-instructions.patch
tools-testing-nvdimm-fix-sigterm-vs-hotplug-crash.patch
+sunrpc-handle-eaddrnotavail-on-connection-failures.patch
+sunrpc-allow-for-upcalls-for-same-uid-but-different-gss-service.patch
+powerpc-eeh-eeh_pci_enable-fix-checking-of-post-request-state.patch
+alsa-usb-audio-add-a-sample-rate-quirk-for-creative-live-cam-socialize-hd-vf0610.patch
+alsa-usb-audio-add-quirk-for-elp-hd-usb-camera.patch
+arm64-define-at_vector_size_arch-for-arch_dlinfo.patch
+parisc-fix-order-of-erefused-define-in-errno.h.patch
+virtio-fix-memory-leak-in-virtqueue_add.patch
+vfio-pci-fix-null-pointer-oops-in-error-interrupt-setup-handling.patch
+perf-intel-pt-fix-occasional-decoding-errors-when-tracing-system-wide.patch
+libnvdimm-nd_blk-mask-off-reserved-status-bits.patch
--- /dev/null
+From 9130b8dbc6ac20f2dc5846e1647f5b60eafab6e3 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <kolga@netapp.com>
+Date: Wed, 3 Aug 2016 20:19:48 -0400
+Subject: SUNRPC: allow for upcalls for same uid but different gss service
+
+From: Olga Kornievskaia <kolga@netapp.com>
+
+commit 9130b8dbc6ac20f2dc5846e1647f5b60eafab6e3 upstream.
+
+It's possible to have simultaneous upcalls for the same UIDs but
+different GSS service. In that case, we need to allow for the
+upcall to gssd to proceed so that not the same context is used
+by two different GSS services. Some servers lock the use of context
+to the GSS service.
+
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/auth_gss/auth_gss.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/sunrpc/auth_gss/auth_gss.c
++++ b/net/sunrpc/auth_gss/auth_gss.c
+@@ -340,12 +340,14 @@ gss_release_msg(struct gss_upcall_msg *g
+ }
+
+ static struct gss_upcall_msg *
+-__gss_find_upcall(struct rpc_pipe *pipe, kuid_t uid)
++__gss_find_upcall(struct rpc_pipe *pipe, kuid_t uid, const struct gss_auth *auth)
+ {
+ struct gss_upcall_msg *pos;
+ list_for_each_entry(pos, &pipe->in_downcall, list) {
+ if (!uid_eq(pos->uid, uid))
+ continue;
++ if (auth && pos->auth->service != auth->service)
++ continue;
+ atomic_inc(&pos->count);
+ dprintk("RPC: %s found msg %p\n", __func__, pos);
+ return pos;
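Review bot: Passing `NULL` for `auth` turns the service comparison off, and the gss_pipe_downcall hunk does exactly that, so a downcall is still paired with the first in_downcall entry for the uid whatever its service. Since this change lets several upcalls for one uid with different services sit on the list at once, the context delivered by gssd may be attached to a message for another service, which seems to be the mix-up the commit message wants to avoid; whether the downcall data carries enough to pick the right entry is not visible here. At minimum the contract should be written down above `__gss_find_upcall`, e.g. `/* auth == NULL matches any GSS service for this uid */`. The function's closing lines are outside the hunk.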
+@@ -365,7 +367,7 @@ gss_add_msg(struct gss_upcall_msg *gss_m
+ struct gss_upcall_msg *old;
+
+ spin_lock(&pipe->lock);
+- old = __gss_find_upcall(pipe, gss_msg->uid);
++ old = __gss_find_upcall(pipe, gss_msg->uid, gss_msg->auth);
+ if (old == NULL) {
+ atomic_inc(&gss_msg->count);
+ list_add(&gss_msg->list, &pipe->in_downcall);
+@@ -714,7 +716,7 @@ gss_pipe_downcall(struct file *filp, con
+ err = -ENOENT;
+ /* Find a matching upcall */
+ spin_lock(&pipe->lock);
+- gss_msg = __gss_find_upcall(pipe, uid);
++ gss_msg = __gss_find_upcall(pipe, uid, NULL);
+ if (gss_msg == NULL) {
+ spin_unlock(&pipe->lock);
+ goto err_put_ctx;
--- /dev/null
+From 1f4c17a03ba7f430d63dba8c8e08ff1e2712581d Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Mon, 1 Aug 2016 13:36:08 -0400
+Subject: SUNRPC: Handle EADDRNOTAVAIL on connection failures
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 1f4c17a03ba7f430d63dba8c8e08ff1e2712581d upstream.
+
+If the connect attempt immediately fails with an EADDRNOTAVAIL error, then
+that means our choice of source port number was bad.
+This error is expected when we set the SO_REUSEPORT socket option and we
+have 2 sockets sharing the same source and destination address and port
+combinations.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Fixes: 402e23b4ed9ed ("SUNRPC: Fix stupid typo in xs_sock_set_reuseport")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/xprtsock.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -2286,6 +2286,10 @@ static int xs_tcp_finish_connecting(stru
+ /* SYN_SENT! */
+ if (xprt->reestablish_timeout < XS_TCP_INIT_REEST_TO)
+ xprt->reestablish_timeout = XS_TCP_INIT_REEST_TO;
++ break;
++ case -EADDRNOTAVAIL:
++ /* Source port number is unavailable. Try a new one! */
++ transport->srcport = 0;
+ }
+ out:
+ return ret;
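Review bot: The new `case -EADDRNOTAVAIL:` ends the switch without a `break;`, while the same hunk adds one to the case above it precisely because a label was appended after it. Adding `break;` after `transport->srcport = 0;` keeps the next appended case from inheriting this one by accident. `ret` is still returned as -EADDRNOTAVAIL through `out:`, so the retry with a fresh port depends on how the caller treats that value, which is outside the hunk; xs_tcp_finish_connecting() starts outside it as well.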
--- /dev/null
+From c8952a707556e04374d7b2fdb3a079d63ddf6f2f Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Mon, 8 Aug 2016 16:16:23 -0600
+Subject: vfio/pci: Fix NULL pointer oops in error interrupt setup handling
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit c8952a707556e04374d7b2fdb3a079d63ddf6f2f upstream.
+
+There are multiple cases in vfio_pci_set_ctx_trigger_single() where
+we assume we can safely read from our data pointer without actually
+checking whether the user has passed any data via the count field.
+VFIO_IRQ_SET_DATA_NONE in particular is entirely broken since we
+attempt to pull an int32_t file descriptor out before even checking
+the data type. The other data types assume the data pointer contains
+one element of their type as well.
+
+In part this is good news because we were previously restricted from
+doing much sanitization of parameters because it was missed in the
+past and we didn't want to break existing users. Clearly DATA_NONE
+is completely broken, so it must not have any users and we can fix
+it up completely. For DATA_BOOL and DATA_EVENTFD, we'll just
+protect ourselves, returning error when count is zero since we
+previously would have oopsed.
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Reported-by: Chris Thompson <the_cartographer@hotmail.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vfio/pci/vfio_pci_intrs.c | 85 +++++++++++++++++++++-----------------
+ 1 file changed, 49 insertions(+), 36 deletions(-)
+
+--- a/drivers/vfio/pci/vfio_pci_intrs.c
++++ b/drivers/vfio/pci/vfio_pci_intrs.c
+@@ -563,67 +563,80 @@ static int vfio_pci_set_msi_trigger(stru
+ }
+
+ static int vfio_pci_set_ctx_trigger_single(struct eventfd_ctx **ctx,
+- uint32_t flags, void *data)
++ unsigned int count, uint32_t flags,
++ void *data)
+ {
+- int32_t fd = *(int32_t *)data;
+-
+- if (!(flags & VFIO_IRQ_SET_DATA_TYPE_MASK))
+- return -EINVAL;
+-
+ /* DATA_NONE/DATA_BOOL enables loopback testing */
+ if (flags & VFIO_IRQ_SET_DATA_NONE) {
+- if (*ctx)
+- eventfd_signal(*ctx, 1);
+- return 0;
++ if (*ctx) {
++ if (count) {
++ eventfd_signal(*ctx, 1);
++ } else {
++ eventfd_ctx_put(*ctx);
++ *ctx = NULL;
++ }
++ return 0;
++ }
+ } else if (flags & VFIO_IRQ_SET_DATA_BOOL) {
+- uint8_t trigger = *(uint8_t *)data;
++ uint8_t trigger;
++
++ if (!count)
++ return -EINVAL;
++
++ trigger = *(uint8_t *)data;
+ if (trigger && *ctx)
+ eventfd_signal(*ctx, 1);
+- return 0;
+- }
+
+- /* Handle SET_DATA_EVENTFD */
+- if (fd == -1) {
+- if (*ctx)
+- eventfd_ctx_put(*ctx);
+- *ctx = NULL;
+ return 0;
+- } else if (fd >= 0) {
+- struct eventfd_ctx *efdctx;
+- efdctx = eventfd_ctx_fdget(fd);
+- if (IS_ERR(efdctx))
+- return PTR_ERR(efdctx);
+- if (*ctx)
+- eventfd_ctx_put(*ctx);
+- *ctx = efdctx;
++ } else if (flags & VFIO_IRQ_SET_DATA_EVENTFD) {
++ int32_t fd;
++
++ if (!count)
++ return -EINVAL;
++
++ fd = *(int32_t *)data;
++ if (fd == -1) {
++ if (*ctx)
++ eventfd_ctx_put(*ctx);
++ *ctx = NULL;
++ } else if (fd >= 0) {
++ struct eventfd_ctx *efdctx;
++
++ efdctx = eventfd_ctx_fdget(fd);
++ if (IS_ERR(efdctx))
++ return PTR_ERR(efdctx);
++
++ if (*ctx)
++ eventfd_ctx_put(*ctx);
++
++ *ctx = efdctx;
++ }
+ return 0;
+- } else
+- return -EINVAL;
++ }
++
++ return -EINVAL;
+ }
+
+ static int vfio_pci_set_err_trigger(struct vfio_pci_device *vdev,
+ unsigned index, unsigned start,
+ unsigned count, uint32_t flags, void *data)
+ {
+- if (index != VFIO_PCI_ERR_IRQ_INDEX)
++ if (index != VFIO_PCI_ERR_IRQ_INDEX || start != 0 || count > 1)
+ return -EINVAL;
+
+- /*
+- * We should sanitize start & count, but that wasn't caught
+- * originally, so this IRQ index must forever ignore them :-(
+- */
+-
+- return vfio_pci_set_ctx_trigger_single(&vdev->err_trigger, flags, data);
++ return vfio_pci_set_ctx_trigger_single(&vdev->err_trigger,
++ count, flags, data);
+ }
+
+ static int vfio_pci_set_req_trigger(struct vfio_pci_device *vdev,
+ unsigned index, unsigned start,
+ unsigned count, uint32_t flags, void *data)
+ {
+- if (index != VFIO_PCI_REQ_IRQ_INDEX || start != 0 || count != 1)
++ if (index != VFIO_PCI_REQ_IRQ_INDEX || start != 0 || count > 1)
+ return -EINVAL;
+
+- return vfio_pci_set_ctx_trigger_single(&vdev->req_trigger, flags, data);
++ return vfio_pci_set_ctx_trigger_single(&vdev->req_trigger,
++ count, flags, data);
+ }
+
+ int vfio_pci_set_irqs_ioctl(struct vfio_pci_device *vdev, uint32_t flags,
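Review bot: In the `VFIO_IRQ_SET_DATA_EVENTFD` branch of vfio_pci_set_ctx_trigger_single() a descriptor below -1 now returns 0 without doing anything, whereas the removed code ended with `else return -EINVAL;`. `fd` comes from the caller-supplied data buffer, so a malformed value should be rejected rather than reported as success; closing the chain with `} else { return -EINVAL; }` before the branch's `return 0;` restores that. Separately, the `DATA_NONE` branch returns -EINVAL when `*ctx` is NULL (previously 0) and tears the trigger down when `count` is 0, so the comment `/* DATA_NONE/DATA_BOOL enables loopback testing */` should mention both.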
--- /dev/null
+From 58625edf9e2515ed41dac2a24fa8004030a87b87 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyj.lk@gmail.com>
+Date: Tue, 2 Aug 2016 14:16:31 +0000
+Subject: virtio: fix memory leak in virtqueue_add()
+
+From: Wei Yongjun <weiyj.lk@gmail.com>
+
+commit 58625edf9e2515ed41dac2a24fa8004030a87b87 upstream.
+
+When using the indirect buffers feature, 'desc' is allocated in
+virtqueue_add() but isn't freed before leaving on a ring full error,
+causing a memory leak.
+
+For example, it seems rather clear that this can trigger
+with virtio net if mergeable buffers are not used.
+
+Signed-off-by: Wei Yongjun <weiyj.lk@gmail.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio_ring.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/virtio/virtio_ring.c
++++ b/drivers/virtio/virtio_ring.c
+@@ -202,6 +202,8 @@ static inline int virtqueue_add(struct v
+ * host should service the ring ASAP. */
+ if (out_sgs)
+ vq->notify(&vq->vq);
++ if (indirect)
++ kfree(desc);
+ END_USE(vq);
+ return -ENOSPC;
+ }