--- /dev/null
+From a97f925a32aad2a37971d7bfb657006acf04e42d Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sat, 6 Mar 2010 02:32:29 +0000
+Subject: dm: free dm_io before bio_endio not after
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit a97f925a32aad2a37971d7bfb657006acf04e42d upstream.
+
+Free the dm_io structure before calling bio_endio() instead of after it,
+to ensure that the io_pool containing it is not referenced after it is
+freed.
+
+This partially fixes a problem described here
+ https://www.redhat.com/archives/dm-devel/2010-February/msg00109.html
+
+thread 1:
+bio_endio(bio, io_error);
+/* scheduling happens */
+ thread 2:
+ close the device
+ remove the device
+thread 1:
+free_io(md, io);
+
+Thread 2, when removing the device, sees non-empty md->io_pool (because the
+io hasn't been freed by thread 1 yet) and may crash with BUG in mempool_free.
+Thread 1 may also crash, when freeing into a nonexisting mempool.
+
+To fix this we must make sure that bio_endio() is the last call and
+the md structure is not accessed afterwards.
+
+There is another bio_endio in process_barrier, but it is called from the thread
+and the thread is destroyed prior to freeing the mempools, so this call is
+not affected by the bug.
+
+A similar bug exists with module unloads - the module may be unloaded
+immediately after bio_endio - but that is more difficult to fix.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Alasdair G Kergon <agk@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/md/dm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -635,8 +635,10 @@ static void dec_pending(struct dm_io *io
+ if (!md->barrier_error && io_error != -EOPNOTSUPP)
+ md->barrier_error = io_error;
+ end_io_acct(io);
++ free_io(md, io);
+ } else {
+ end_io_acct(io);
++ free_io(md, io);
+
+ if (io_error != DM_ENDIO_REQUEUE) {
+ trace_block_bio_complete(md->queue, bio);
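Review bot: Neither added `free_io(md, io);` call carries a comment explaining that it has to come before bio_endio(), so a later tidy-up could merge the two calls back into one at the end of the function and reintroduce the access to md->io_pool after the device has been removed. I would put `/* Free io before bio_endio(): once the bio completes the device may be removed, so md must not be touched afterwards. */` above the call in the else branch. The lines after it still read `md->queue` and `bio`, which is safe only if both were copied out of `io` earlier; that happens outside this hunk and should be confirmed. dec_pending() starts and ends outside the hunk.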
+@@ -644,8 +646,6 @@ static void dec_pending(struct dm_io *io
+ bio_endio(bio, io_error);
+ }
+ }
+-
+- free_io(md, io);
+ }
+ }
+
--- /dev/null
+From 0f3649a9e305ea22eb196a84a2d7520afcaa6060 Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Sat, 6 Mar 2010 02:32:24 +0000
+Subject: dm ioctl: only issue uevent on resume if state changed
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+commit 0f3649a9e305ea22eb196a84a2d7520afcaa6060 upstream.
+
+Only issue a uevent on a resume if the state of the device changed,
+i.e. if it was suspended and/or its table was replaced.
+
+Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Alasdair G Kergon <agk@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/md/dm-ioctl.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/dm-ioctl.c
++++ b/drivers/md/dm-ioctl.c
+@@ -897,16 +897,17 @@ static int do_resume(struct dm_ioctl *pa
+ set_disk_ro(dm_disk(md), 1);
+ }
+
+- if (dm_suspended_md(md))
++ if (dm_suspended_md(md)) {
+ r = dm_resume(md);
++ if (!r)
++ dm_kobject_uevent(md, KOBJ_CHANGE, param->event_nr);
++ }
+
+ if (old_map)
+ dm_table_destroy(old_map);
+
+- if (!r) {
+- dm_kobject_uevent(md, KOBJ_CHANGE, param->event_nr);
++ if (!r)
+ r = __dev_status(md, param);
+- }
+
+ dm_put(md);
+ return r;
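Review bot: The uevent now fires only inside the `if (dm_suspended_md(md))` block, yet the commit message also promises it when the table was replaced, and nothing in these lines shows that a table swap always leaves the device suspended at this point. A comment such as `/* Only notify userspace when the device actually changed state. */` above the `dm_kobject_uevent()` call would record the intent. The table-swap code is outside the hunk, so whether every replacement path reaches here with the device suspended needs checking there. do_resume() begins outside the hunk.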
--- /dev/null
+From 59708670b639bff00f92e519df1ae14da240e919 Mon Sep 17 00:00:00 2001
+From: Sheng Yang <sheng@linux.intel.com>
+Date: Tue, 15 Dec 2009 13:29:54 +0800
+Subject: KVM: VMX: Trap and invalid MWAIT/MONITOR instruction
+
+From: Sheng Yang <sheng@linux.intel.com>
+
+commit 59708670b639bff00f92e519df1ae14da240e919 upstream.
+
+We don't support these instructions, but a guest can execute them even if the
+feature ('monitor') hasn't been exposed in CPUID. So we trap them and inject
+a #UD if the guest tries to use them.
+
+Signed-off-by: Sheng Yang <sheng@linux.intel.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/include/asm/vmx.h | 1 +
+ arch/x86/kvm/vmx.c | 10 ++++++++++
+ 2 files changed, 11 insertions(+)
+
+--- a/arch/x86/include/asm/vmx.h
++++ b/arch/x86/include/asm/vmx.h
+@@ -251,6 +251,7 @@ enum vmcs_field {
+ #define EXIT_REASON_MSR_READ 31
+ #define EXIT_REASON_MSR_WRITE 32
+ #define EXIT_REASON_MWAIT_INSTRUCTION 36
++#define EXIT_REASON_MONITOR_INSTRUCTION 39
+ #define EXIT_REASON_PAUSE_INSTRUCTION 40
+ #define EXIT_REASON_MCE_DURING_VMENTRY 41
+ #define EXIT_REASON_TPR_BELOW_THRESHOLD 43
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1224,6 +1224,8 @@ static __init int setup_vmcs_config(stru
+ CPU_BASED_USE_IO_BITMAPS |
+ CPU_BASED_MOV_DR_EXITING |
+ CPU_BASED_USE_TSC_OFFSETING |
++ CPU_BASED_MWAIT_EXITING |
++ CPU_BASED_MONITOR_EXITING |
+ CPU_BASED_INVLPG_EXITING;
+ opt = CPU_BASED_TPR_SHADOW |
+ CPU_BASED_USE_MSR_BITMAPS |
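Review bot: CPU_BASED_MWAIT_EXITING and CPU_BASED_MONITOR_EXITING are added to the control set that is built just before `opt =`, which looks like the mandatory set, with no comment saying why they must not be optional. If that reading is right, a host that cannot enable them fails VMX setup instead of letting the guest run MWAIT/MONITOR natively, which is the fail-closed behaviour the commit wants. Writing `/* MWAIT/MONITOR are not virtualized: always intercept so the guest gets #UD */` next to the two flags would keep them from being moved to the optional set later. The start of the expression and the code that enforces it are outside the hunk.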
+@@ -3416,6 +3418,12 @@ static int handle_pause(struct kvm_vcpu
+ return 1;
+ }
+
++static int handle_invalid_op(struct kvm_vcpu *vcpu)
++{
++ kvm_queue_exception(vcpu, UD_VECTOR);
++ return 1;
++}
++
+ /*
+ * The exit handlers return 1 if the exit was handled fully and guest execution
+ * may resume. Otherwise they set the kvm_run parameter to indicate what needs
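Review bot: handle_invalid_op() has no comment, and its name does not say which exits it serves or why resuming the guest with a queued #UD is the right outcome. I would add `/* Exit handler for instructions KVM does not expose to the guest (MWAIT, MONITOR): queue #UD and resume. */` above the definition. The handler is wired to the two exit reasons in the table hunk that follows.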
+@@ -3453,6 +3461,8 @@ static int (*kvm_vmx_exit_handlers[])(st
+ [EXIT_REASON_EPT_VIOLATION] = handle_ept_violation,
+ [EXIT_REASON_EPT_MISCONFIG] = handle_ept_misconfig,
+ [EXIT_REASON_PAUSE_INSTRUCTION] = handle_pause,
++ [EXIT_REASON_MWAIT_INSTRUCTION] = handle_invalid_op,
++ [EXIT_REASON_MONITOR_INSTRUCTION] = handle_invalid_op,
+ };
+
+ static const int kvm_vmx_max_exit_handlers =
--- /dev/null
+From 2db2c2eb6226e30f8059b82512a1364db98da8e3 Mon Sep 17 00:00:00 2001
+From: Gleb Natapov <gleb@redhat.com>
+Date: Wed, 10 Feb 2010 14:21:29 +0200
+Subject: KVM: x86 emulator: Add group8 instruction decoding
+
+From: Gleb Natapov <gleb@redhat.com>
+
+commit 2db2c2eb6226e30f8059b82512a1364db98da8e3 upstream.
+
+Use groups mechanism to decode 0F BA instructions.
+
+Signed-off-by: Gleb Natapov <gleb@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/emulate.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -88,6 +88,7 @@
+ enum {
+ Group1_80, Group1_81, Group1_82, Group1_83,
+ Group1A, Group3_Byte, Group3, Group4, Group5, Group7,
++ Group8,
+ };
+
+ static u32 opcode_table[256] = {
+@@ -267,7 +268,7 @@ static u32 twobyte_table[256] = {
+ 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
+ DstReg | SrcMem16 | ModRM | Mov,
+ /* 0xB8 - 0xBF */
+- 0, 0, DstMem | SrcImmByte | ModRM, DstMem | SrcReg | ModRM | BitOp,
++ 0, 0, Group | Group8, DstMem | SrcReg | ModRM | BitOp,
+ 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
+ DstReg | SrcMem16 | ModRM | Mov,
+ /* 0xC0 - 0xCF */
+@@ -323,6 +324,10 @@ static u32 group_table[] = {
+ 0, 0, ModRM | SrcMem, ModRM | SrcMem,
+ SrcNone | ModRM | DstMem | Mov, 0,
+ SrcMem16 | ModRM | Mov, SrcMem | ModRM | ByteOp,
++ [Group8*8] =
++ 0, 0, 0, 0,
++ DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM,
++ DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM,
+ };
+
+ static u32 group2_table[] = {
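Review bot: The new `[Group8*8]` row does not say which ModRM.reg slot belongs to which instruction, and its four leading zeros change behaviour without comment: before this patch every 0F BA encoding decoded as `DstMem | SrcImmByte | ModRM`, now reg values 0-3 decode to 0. That is presumably intended, since only /4 to /7 (bt, bts, btr, btc with an 8-bit immediate) are defined, but it should be written down, e.g. `/* 0F BA: /0-/3 undefined, /4 bt, /5 bts, /6 btr, /7 btc */`. How the decoder treats a zero entry is outside this hunk.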
--- /dev/null
+From 60a29d4ea4e7b6b95d9391ebc8625b0426f3a363 Mon Sep 17 00:00:00 2001
+From: Gleb Natapov <gleb@redhat.com>
+Date: Wed, 10 Feb 2010 14:21:30 +0200
+Subject: KVM: x86 emulator: Add group9 instruction decoding
+
+From: Gleb Natapov <gleb@redhat.com>
+
+commit 60a29d4ea4e7b6b95d9391ebc8625b0426f3a363 upstream.
+
+Use groups mechanism to decode 0F C7 instructions.
+
+Signed-off-by: Gleb Natapov <gleb@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/emulate.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -88,7 +88,7 @@
+ enum {
+ Group1_80, Group1_81, Group1_82, Group1_83,
+ Group1A, Group3_Byte, Group3, Group4, Group5, Group7,
+- Group8,
++ Group8, Group9,
+ };
+
+ static u32 opcode_table[256] = {
+@@ -272,7 +272,8 @@ static u32 twobyte_table[256] = {
+ 0, 0, ByteOp | DstReg | SrcMem | ModRM | Mov,
+ DstReg | SrcMem16 | ModRM | Mov,
+ /* 0xC0 - 0xCF */
+- 0, 0, 0, DstMem | SrcReg | ModRM | Mov, 0, 0, 0, ImplicitOps | ModRM,
++ 0, 0, 0, DstMem | SrcReg | ModRM | Mov,
++ 0, 0, 0, Group | GroupDual | Group9,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ /* 0xD0 - 0xDF */
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+@@ -328,6 +329,8 @@ static u32 group_table[] = {
+ 0, 0, 0, 0,
+ DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM,
+ DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM,
++ [Group9*8] =
++ 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0,
+ };
+
+ static u32 group2_table[] = {
+@@ -335,6 +338,8 @@ static u32 group2_table[] = {
+ SrcNone | ModRM, 0, 0, SrcNone | ModRM,
+ SrcNone | ModRM | DstMem | Mov, 0,
+ SrcMem16 | ModRM | Mov, 0,
++ [Group9*8] =
++ 0, 0, 0, 0, 0, 0, 0, 0,
+ };
+
+ /* EFLAGS bit definitions. */
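Review bot: The all-zero `[Group9*8]` row added to group2_table reads like a placeholder, but it is load-bearing: with 0F C7 now marked `GroupDual`, it is what makes the register form (mod == 3) decode to 0, and it presumably also extends the array far enough for the Group9 lookup to stay in bounds. A comment such as `/* 0F C7, mod == 3: nothing emulated; row must exist for GroupDual lookup */` would stop it being deleted as a redundant initialiser, and `/* 0F C7 /1: cmpxchg8b */` would help on the matching group_table row in the hunk before. The lookup code itself is outside these hunks.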
--- /dev/null
+From e92805ac1228626c59c865f2f4e9059b9fb8c97b Mon Sep 17 00:00:00 2001
+From: Gleb Natapov <gleb@redhat.com>
+Date: Wed, 10 Feb 2010 14:21:35 +0200
+Subject: KVM: x86 emulator: Check CPL level during privilege instruction emulation
+
+From: Gleb Natapov <gleb@redhat.com>
+
+commit e92805ac1228626c59c865f2f4e9059b9fb8c97b upstream.
+
+Add CPL checking in case emulator is tricked into emulating
+privilege instruction from userspace.
+
+Signed-off-by: Gleb Natapov <gleb@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/emulate.c | 35 ++++++++++++++++++++---------------
+ 1 file changed, 20 insertions(+), 15 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -76,6 +76,7 @@
+ #define GroupDual (1<<15) /* Alternate decoding of mod == 3 */
+ #define GroupMask 0xff /* Group number stored in bits 0:7 */
+ /* Misc flags */
++#define Priv (1<<27) /* instruction generates #GP if current CPL != 0 */
+ #define No64 (1<<28)
+ /* Source 2 operand type */
+ #define Src2None (0<<29)
+@@ -211,7 +212,7 @@ static u32 opcode_table[256] = {
+ SrcNone | ByteOp | ImplicitOps, SrcNone | ImplicitOps,
+ /* 0xF0 - 0xF7 */
+ 0, 0, 0, 0,
+- ImplicitOps, ImplicitOps, Group | Group3_Byte, Group | Group3,
++ ImplicitOps | Priv, ImplicitOps, Group | Group3_Byte, Group | Group3,
+ /* 0xF8 - 0xFF */
+ ImplicitOps, 0, ImplicitOps, ImplicitOps,
+ ImplicitOps, ImplicitOps, Group | Group4, Group | Group5,
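Review bot: Only the 0xF4 slot gains `Priv` here, while the 0xFA and 0xFB slots in the next row (cli and sti) stay plain `ImplicitOps`. Those two cannot use `Priv`, because they fault on an IOPL-versus-CPL comparison rather than on CPL != 0, so if the emulator executes them they still need a check of their own; that code is outside the hunk and I could not confirm it either way. Extending the comment on the `Priv` definition, e.g. `/* #GP if CPL != 0; IOPL-sensitive instructions are not covered by this flag */`, would make the limit of the new gate explicit.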
+@@ -219,16 +220,20 @@ static u32 opcode_table[256] = {
+
+ static u32 twobyte_table[256] = {
+ /* 0x00 - 0x0F */
+- 0, Group | GroupDual | Group7, 0, 0, 0, ImplicitOps, ImplicitOps, 0,
+- ImplicitOps, ImplicitOps, 0, 0, 0, ImplicitOps | ModRM, 0, 0,
++ 0, Group | GroupDual | Group7, 0, 0,
++ 0, ImplicitOps, ImplicitOps | Priv, 0,
++ ImplicitOps | Priv, ImplicitOps | Priv, 0, 0,
++ 0, ImplicitOps | ModRM, 0, 0,
+ /* 0x10 - 0x1F */
+ 0, 0, 0, 0, 0, 0, 0, 0, ImplicitOps | ModRM, 0, 0, 0, 0, 0, 0, 0,
+ /* 0x20 - 0x2F */
+- ModRM | ImplicitOps, ModRM, ModRM | ImplicitOps, ModRM, 0, 0, 0, 0,
++ ModRM | ImplicitOps | Priv, ModRM | Priv,
++ ModRM | ImplicitOps | Priv, ModRM | Priv,
++ 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ /* 0x30 - 0x3F */
+- ImplicitOps, 0, ImplicitOps, 0,
+- ImplicitOps, ImplicitOps, 0, 0,
++ ImplicitOps | Priv, 0, ImplicitOps | Priv, 0,
++ ImplicitOps, ImplicitOps | Priv, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0,
+ /* 0x40 - 0x47 */
+ DstReg | SrcMem | ModRM | Mov, DstReg | SrcMem | ModRM | Mov,
+@@ -322,9 +327,9 @@ static u32 group_table[] = {
+ SrcMem | ModRM | Stack, 0,
+ SrcMem | ModRM | Stack, 0, SrcMem | ModRM | Stack, 0,
+ [Group7*8] =
+- 0, 0, ModRM | SrcMem, ModRM | SrcMem,
++ 0, 0, ModRM | SrcMem | Priv, ModRM | SrcMem | Priv,
+ SrcNone | ModRM | DstMem | Mov, 0,
+- SrcMem16 | ModRM | Mov, SrcMem | ModRM | ByteOp,
++ SrcMem16 | ModRM | Mov | Priv, SrcMem | ModRM | ByteOp | Priv,
+ [Group8*8] =
+ 0, 0, 0, 0,
+ DstMem | SrcImmByte | ModRM, DstMem | SrcImmByte | ModRM,
+@@ -335,7 +340,7 @@ static u32 group_table[] = {
+
+ static u32 group2_table[] = {
+ [Group7*8] =
+- SrcNone | ModRM, 0, 0, SrcNone | ModRM,
++ SrcNone | ModRM | Priv, 0, 0, SrcNone | ModRM,
+ SrcNone | ModRM | DstMem | Mov, 0,
+ SrcMem16 | ModRM | Mov, 0,
+ [Group9*8] =
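Review bot: In the mod == 3 `[Group7*8]` row the first `SrcNone | ModRM` slot gains `Priv` while the fourth keeps the same flags without it, and nothing here says which encodings the two slots stand for. Please add a comment naming them and stating why only one needs the CPL check, so the difference cannot be mistaken for an omission. The same applies to the memory-form row in the hunk before, where slots 2, 3, 6 and 7 are marked and slot 4 is not.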
+@@ -1700,12 +1705,6 @@ emulate_sysexit(struct x86_emulate_ctxt
+ return -1;
+ }
+
+- /* sysexit must be called from CPL 0 */
+- if (kvm_x86_ops->get_cpl(ctxt->vcpu) != 0) {
+- kvm_inject_gp(ctxt->vcpu, 0);
+- return -1;
+- }
+-
+ setup_syscalls_segments(ctxt, &cs, &ss);
+
+ if ((c->rex_prefix & 0x8) != 0x0)
+@@ -1769,6 +1768,12 @@ x86_emulate_insn(struct x86_emulate_ctxt
+ memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
+ saved_eip = c->eip;
+
++ /* Privileged instruction can be executed only in CPL=0 */
++ if ((c->d & Priv) && kvm_x86_ops->get_cpl(ctxt->vcpu)) {
++ kvm_inject_gp(ctxt->vcpu, 0);
++ goto done;
++ }
++
+ if (((c->d & ModRM) && (c->modrm_mod != 3)) || (c->d & MemAbs))
+ memop = c->modrm_ea;
+
--- /dev/null
+From d4c6a1549c056f1d817e8f6f2f97d8b44933472f Mon Sep 17 00:00:00 2001
+From: Gleb Natapov <gleb@redhat.com>
+Date: Wed, 10 Feb 2010 14:21:34 +0200
+Subject: KVM: x86 emulator: Fix popf emulation
+
+From: Gleb Natapov <gleb@redhat.com>
+
+commit d4c6a1549c056f1d817e8f6f2f97d8b44933472f upstream.
+
+POPF behaves differently depending on current CPU mode. Emulate correct
+logic to prevent guest from changing flags that it can't change otherwise.
+
+Signed-off-by: Gleb Natapov <gleb@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/emulate.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 54 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -343,11 +343,18 @@ static u32 group2_table[] = {
+ };
+
+ /* EFLAGS bit definitions. */
++#define EFLG_ID (1<<21)
++#define EFLG_VIP (1<<20)
++#define EFLG_VIF (1<<19)
++#define EFLG_AC (1<<18)
+ #define EFLG_VM (1<<17)
+ #define EFLG_RF (1<<16)
++#define EFLG_IOPL (3<<12)
++#define EFLG_NT (1<<14)
+ #define EFLG_OF (1<<11)
+ #define EFLG_DF (1<<10)
+ #define EFLG_IF (1<<9)
++#define EFLG_TF (1<<8)
+ #define EFLG_SF (1<<7)
+ #define EFLG_ZF (1<<6)
+ #define EFLG_AF (1<<4)
+@@ -1213,6 +1220,49 @@ static int emulate_pop(struct x86_emulat
+ return rc;
+ }
+
++static int emulate_popf(struct x86_emulate_ctxt *ctxt,
++ struct x86_emulate_ops *ops,
++ void *dest, int len)
++{
++ int rc;
++ unsigned long val, change_mask;
++ int iopl = (ctxt->eflags & X86_EFLAGS_IOPL) >> IOPL_SHIFT;
++ int cpl = kvm_x86_ops->get_cpl(ctxt->vcpu);
++
++ rc = emulate_pop(ctxt, ops, &val, len);
++ if (rc != X86EMUL_CONTINUE)
++ return rc;
++
++ change_mask = EFLG_CF | EFLG_PF | EFLG_AF | EFLG_ZF | EFLG_SF | EFLG_OF
++ | EFLG_TF | EFLG_DF | EFLG_NT | EFLG_RF | EFLG_AC | EFLG_ID;
++
++ switch(ctxt->mode) {
++ case X86EMUL_MODE_PROT64:
++ case X86EMUL_MODE_PROT32:
++ case X86EMUL_MODE_PROT16:
++ if (cpl == 0)
++ change_mask |= EFLG_IOPL;
++ if (cpl <= iopl)
++ change_mask |= EFLG_IF;
++ break;
++ case X86EMUL_MODE_VM86:
++ if (iopl < 3) {
++ kvm_inject_gp(ctxt->vcpu, 0);
++ return X86EMUL_PROPAGATE_FAULT;
++ }
++ change_mask |= EFLG_IF;
++ break;
++ default: /* real mode */
++ change_mask |= (EFLG_IOPL | EFLG_IF);
++ break;
++ }
++
++ *(unsigned long *)dest =
++ (ctxt->eflags & ~change_mask) | (val & change_mask);
++
++ return rc;
++}
++
+ static void emulate_push_sreg(struct x86_emulate_ctxt *ctxt, int seg)
+ {
+ struct decode_cache *c = &ctxt->decode;
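Review bot: `val` in emulate_popf() is declared without an initialiser and then filled by `emulate_pop(ctxt, ops, &val, len)`; if that helper writes only `len` bytes, a 16-bit or 32-bit POPF leaves the upper bytes of `val` as stack garbage, and `val & change_mask` then carries them into bits such as AC and ID. Declaring `unsigned long val = 0, change_mask;` removes the dependency on how the caller truncates the result on write-back. Two smaller points: the IOPL extraction uses `X86_EFLAGS_IOPL` while the mask uses the new `EFLG_IOPL`, and in the VM86 branch the #GP is raised only after the pop has been performed. emulate_pop() is defined outside this hunk, so the first point should be checked against it.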
+@@ -2041,7 +2091,10 @@ special_insn:
+ c->dst.type = OP_REG;
+ c->dst.ptr = (unsigned long *) &ctxt->eflags;
+ c->dst.bytes = c->op_bytes;
+- goto pop_instruction;
++ rc = emulate_popf(ctxt, ops, &c->dst.val, c->op_bytes);
++ if (rc != X86EMUL_CONTINUE)
++ goto done;
++ break;
+ case 0xa0 ... 0xa1: /* mov */
+ c->dst.ptr = (unsigned long *)&c->regs[VCPU_REGS_RAX];
+ c->dst.val = c->src.val;
--- /dev/null
+From 8b9f44140bc4afd2698413cd9960c3912168ee91 Mon Sep 17 00:00:00 2001
+From: Gleb Natapov <gleb@redhat.com>
+Date: Thu, 18 Feb 2010 12:14:59 +0200
+Subject: KVM: x86 emulator: Forbid modifying CS segment register by mov instruction
+
+From: Gleb Natapov <gleb@redhat.com>
+
+commit 8b9f44140bc4afd2698413cd9960c3912168ee91 upstream.
+
+Inject #UD if guest attempts to do so. This is in accordance to Intel
+SDM.
+
+Signed-off-by: Gleb Natapov <gleb@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/emulate.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -1987,6 +1987,12 @@ special_insn:
+ int err;
+
+ sel = c->src.val;
++
++ if (c->modrm_reg == VCPU_SREG_CS) {
++ kvm_queue_exception(ctxt->vcpu, UD_VECTOR);
++ goto done;
++ }
++
+ if (c->modrm_reg == VCPU_SREG_SS)
+ toggle_interruptibility(ctxt, X86_SHADOW_INT_MOV_SS);
+
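Review bot: The new CS test has no comment, so the reason for the early #UD lives only in the commit message. I would add `/* mov to CS is architecturally invalid: inject #UD */` above the `if`. The rest of this case body is outside the hunk; if it still contains handling specific to CS, that code is now unreachable and could be dropped in the same change.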
--- /dev/null
+From ebed9203b68a4f333ce5d17e874b26c3afcfeff1 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Tue, 2 Mar 2010 13:06:22 -0500
+Subject: NFS: Fix an allocation-under-spinlock bug
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit ebed9203b68a4f333ce5d17e874b26c3afcfeff1 upstream.
+
+sunrpc_cache_update() will always call detail->update() from inside the
+detail->hash_lock, so it cannot allocate memory.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/dns_resolve.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/fs/nfs/dns_resolve.c
++++ b/fs/nfs/dns_resolve.c
+@@ -36,6 +36,19 @@ struct nfs_dns_ent {
+ };
+
+
++static void nfs_dns_ent_update(struct cache_head *cnew,
++ struct cache_head *ckey)
++{
++ struct nfs_dns_ent *new;
++ struct nfs_dns_ent *key;
++
++ new = container_of(cnew, struct nfs_dns_ent, h);
++ key = container_of(ckey, struct nfs_dns_ent, h);
++
++ memcpy(&new->addr, &key->addr, key->addrlen);
++ new->addrlen = key->addrlen;
++}
++
+ static void nfs_dns_ent_init(struct cache_head *cnew,
+ struct cache_head *ckey)
+ {
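Review bot: nfs_dns_ent_update() copies `key->addrlen` bytes into `new->addr` without comparing the length with `sizeof(new->addr)`, and as the `.update` callback it is now reachable on its own rather than only through nfs_dns_ent_init(). Where addrlen is set is outside the hunk, so it may already be bounded, but a guard at the copy keeps an oversized value from overrunning the entry, for example `if (WARN_ON_ONCE(key->addrlen > sizeof(new->addr))) return;` before the memcpy. A one-line comment that this function runs under detail->hash_lock and must not allocate would also preserve the reason for the split.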
+@@ -49,8 +62,7 @@ static void nfs_dns_ent_init(struct cach
+ new->hostname = kstrndup(key->hostname, key->namelen, GFP_KERNEL);
+ if (new->hostname) {
+ new->namelen = key->namelen;
+- memcpy(&new->addr, &key->addr, key->addrlen);
+- new->addrlen = key->addrlen;
++ nfs_dns_ent_update(cnew, ckey);
+ } else {
+ new->namelen = 0;
+ new->addrlen = 0;
+@@ -234,7 +246,7 @@ static struct cache_detail nfs_dns_resol
+ .cache_show = nfs_dns_show,
+ .match = nfs_dns_match,
+ .init = nfs_dns_ent_init,
+- .update = nfs_dns_ent_init,
++ .update = nfs_dns_ent_update,
+ .alloc = nfs_dns_ent_alloc,
+ };
+
--- /dev/null
+From 5a98c04d78c896d52baef20ffc11f6d1ba6eb786 Mon Sep 17 00:00:00 2001
+From: James Hogan <james@albanarts.com>
+Date: Fri, 5 Mar 2010 13:44:31 -0800
+Subject: rtc-coh901331: fix braces in resume code
+
+From: James Hogan <james@albanarts.com>
+
+commit 5a98c04d78c896d52baef20ffc11f6d1ba6eb786 upstream.
+
+The else part of the if statement is indented but does not have braces
+around it. It clearly should since it uses clk_enable and clk_disable
+which are supposed to balance.
+
+Signed-off-by: James Hogan <james@albanarts.com>
+Acked-by: Linus Walleij <linus.walleij@stericsson.com>
+Acked-by: Alessandro Zummo <a.zummo@towertech.it>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/rtc/rtc-coh901331.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/rtc/rtc-coh901331.c
++++ b/drivers/rtc/rtc-coh901331.c
+@@ -271,12 +271,13 @@ static int coh901331_resume(struct platf
+ {
+ struct coh901331_port *rtap = dev_get_drvdata(&pdev->dev);
+
+- if (device_may_wakeup(&pdev->dev))
++ if (device_may_wakeup(&pdev->dev)) {
+ disable_irq_wake(rtap->irq);
+- else
++ } else {
+ clk_enable(rtap->clk);
+ writel(rtap->irqmaskstore, rtap->virtbase + COH901331_IRQ_MASK);
+ clk_disable(rtap->clk);
++ }
+ return 0;
+ }
+ #else
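Review bot: With the braces in place the else branch writes the IRQ mask between `clk_enable()` and `clk_disable()`, but the result of `clk_enable(rtap->clk)` is ignored, so a failed enable still reaches `writel()` and is then followed by an unbalanced `clk_disable()`. Consider `int ret = clk_enable(rtap->clk);` followed by `if (ret) return ret;` before the register write. The matching suspend path is outside the hunk and may need the same treatment.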
--- /dev/null
+From c212808a1ba6bfba489006399b8152a047305acf Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Fri, 5 Mar 2010 13:43:35 -0800
+Subject: s3cmci: initialize default platform data no_wprotect and no_detect with 1
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+commit c212808a1ba6bfba489006399b8152a047305acf upstream.
+
+If no platform_data was given to the device, it is going to use its default
+platform data struct, which has all fields initialized to zero. As a
+result the driver is going to try to request gpio0 both as write protect
+and card detect pin, which of course will fail and makes the driver
+unusable.
+
+Previously to the introduction of no_wprotect and no_detect the behavior
+was to assume that if no platform data was given there is no write protect
+or card detect pin. This patch restores that behavior.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Cc: Ben Dooks <ben-linux@fluff.org>
+Cc: <linux-mmc@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/mmc/host/s3cmci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mmc/host/s3cmci.c
++++ b/drivers/mmc/host/s3cmci.c
+@@ -1360,6 +1360,8 @@ static struct mmc_host_ops s3cmci_ops =
+ static struct s3c24xx_mci_pdata s3cmci_def_pdata = {
+ /* This is currently here to avoid a number of if (host->pdata)
+ * checks. Any zero fields to ensure reasonable defaults are picked. */
++ .no_wprotect = 1,
++ .no_detect = 1,
+ };
+
+ #ifdef CONFIG_CPU_FREQ
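Review bot: The comment kept above the new initialisers still says that zero fields give reasonable defaults, which stops being true once `.no_wprotect` and `.no_detect` have to be set to 1 for the driver to work. It should be reworded, for example `/* Used when no platform data is supplied: no write-protect and no card-detect GPIO. */`, so that nobody adds another field expecting zero to be the safe value.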
--- /dev/null
+From dc2ed552804f3a2ae41c0ffe4bc09879ec8f7396 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Fri, 5 Mar 2010 13:43:37 -0800
+Subject: s3cmci: s3cmci_card_present: Use no_detect to decide whether there is a card detect pin
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+commit dc2ed552804f3a2ae41c0ffe4bc09879ec8f7396 upstream.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Cc: Ben Dooks <ben-linux@fluff.org>
+Cc: <linux-mmc@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/mmc/host/s3cmci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/s3cmci.c
++++ b/drivers/mmc/host/s3cmci.c
+@@ -1179,7 +1179,7 @@ static int s3cmci_card_present(struct mm
+ struct s3c24xx_mci_pdata *pdata = host->pdata;
+ int ret;
+
+- if (pdata->gpio_detect == 0)
++ if (pdata->no_detect)
+ return -ENOSYS;
+
+ ret = gpio_get_value(pdata->gpio_detect) ? 0 : 1;
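Review bot: s3cmci_card_present() now trusts `pdata->no_detect` alone, so a platform data struct that leaves both `no_detect` and `gpio_detect` at zero falls through to `gpio_get_value(pdata->gpio_detect)` on GPIO 0. The driver's default struct is in exactly that state until the companion patch sets `.no_detect = 1`, and the series file lists this patch first, so the two should be applied together or in the other order to keep every intermediate state usable. The function continues outside the hunk.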
--- /dev/null
+From 3c840c18bcd8efb37f1a565e83a9509e1ea5d105 Mon Sep 17 00:00:00 2001
+From: Joe Perches <joe@perches.com>
+Date: Fri, 5 Mar 2010 13:43:07 -0800
+Subject: scripts/get_maintainer.pl: fix possible infinite loop
+
+From: Joe Perches <joe@perches.com>
+
+commit 3c840c18bcd8efb37f1a565e83a9509e1ea5d105 upstream.
+
+If MAINTAINERS section entries are misformatted, it was possible to have
+an infinite loop.
+
+Correct the defect by always moving the index to the end of section + 1
+
+Also, exit check for exclude as soon as possible.
+
+Signed-off-by: Joe Perches <joe@perches.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ scripts/get_maintainer.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/scripts/get_maintainer.pl
++++ b/scripts/get_maintainer.pl
+@@ -314,6 +314,7 @@ foreach my $file (@files) {
+ if ($type eq 'X') {
+ if (file_match_pattern($file, $value)) {
+ $exclude = 1;
++ last;
+ }
+ }
+ }
+@@ -340,8 +341,7 @@ foreach my $file (@files) {
+ }
+ }
+
+- $tvi += ($end - $start);
+-
++ $tvi = $end + 1;
+ }
+
+ foreach my $line (sort {$hash{$b} <=> $hash{$a}} keys %hash) {
drm-i915-use-a-dmi-quirk-to-skip-a-broken-sdvo-tv-output.patch
drm-ttm-handle-oom-in-ttm_tt_swapout.patch
drm-radeon-kms-atom-fix-shr-shl-ops.patch
+sunrpc-remove-unnecessary-svc_xprt_put.patch
+sunrpc-handle-einval-error-returns-from-the-tcp-connect-operation.patch
+s3cmci-s3cmci_card_present-use-no_detect-to-decide-whether-there-is-a-card-detect-pin.patch
+s3cmci-initialize-default-platform-data-no_wprotect-and-no_detect-with-1.patch
+scripts-get_maintainer.pl-fix-possible-infinite-loop.patch
+rtc-coh901331-fix-braces-in-resume-code.patch
+nfs-fix-an-allocation-under-spinlock-bug.patch
+dm-free-dm_io-before-bio_endio-not-after.patch
+dm-ioctl-only-issue-uevent-on-resume-if-state-changed.patch
+kvm-vmx-trap-and-invalid-mwait-monitor-instruction.patch
+kvm-x86-emulator-add-group8-instruction-decoding.patch
+kvm-x86-emulator-forbid-modifying-cs-segment-register-by-mov-instruction.patch
+kvm-x86-emulator-add-group9-instruction-decoding.patch
+kvm-x86-emulator-fix-popf-emulation.patch
+kvm-x86-emulator-check-cpl-level-during-privilege-instruction-emulation.patch
sched-fix-sched_mv_power_savings-for-smt.patch
sched-fix-smt-scheduler-regression-in-find_busiest_queue.patch
sched-don-t-use-possibly-stale-sched_class.patch
--- /dev/null
+From 9fcfe0c83c3b04a759cde6b8c5f961237f17808b Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Tue, 2 Mar 2010 13:06:21 -0500
+Subject: SUNRPC: Handle EINVAL error returns from the TCP connect operation
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit 9fcfe0c83c3b04a759cde6b8c5f961237f17808b upstream.
+
+This can, for instance, happen if the user specifies a link local IPv6
+address.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sunrpc/xprtsock.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -1912,6 +1912,11 @@ static void xs_tcp_setup_socket(struct r
+ case -EALREADY:
+ xprt_clear_connecting(xprt);
+ return;
++ case -EINVAL:
++ /* Happens, for instance, if the user specified a link
++ * local IPv6 address without a scope-id.
++ */
++ goto out;
+ }
+ out_eagain:
+ status = -EAGAIN;
--- /dev/null
+From ab1b18f70a007ea6caeb007d269abb75b131a410 Mon Sep 17 00:00:00 2001
+From: Neil Brown <neilb@suse.de>
+Date: Sat, 27 Feb 2010 09:33:40 +1100
+Subject: sunrpc: remove unnecessary svc_xprt_put
+
+From: Neil Brown <neilb@suse.de>
+
+commit ab1b18f70a007ea6caeb007d269abb75b131a410 upstream.
+
+The 'struct svc_deferred_req's on the xpt_deferred queue do not
+own a reference to the owning xprt. This is seen in svc_revisit
+which is where things are added to this queue. dr->xprt is set to
+NULL and the reference to the xprt is put.
+
+So when this list is cleaned up in svc_delete_xprt, we mustn't
+put the reference.
+
+Also, replace the 'for' with a 'while' which is arguably
+simpler and more likely to compile efficiently.
+
+Cc: Tom Tucker <tom@opengridcomputing.com>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sunrpc/svc_xprt.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -889,11 +889,8 @@ void svc_delete_xprt(struct svc_xprt *xp
+ if (test_bit(XPT_TEMP, &xprt->xpt_flags))
+ serv->sv_tmpcnt--;
+
+- for (dr = svc_deferred_dequeue(xprt); dr;
+- dr = svc_deferred_dequeue(xprt)) {
+- svc_xprt_put(xprt);
++ while ((dr = svc_deferred_dequeue(xprt)) != NULL)
+ kfree(dr);
+- }
+
+ svc_xprt_put(xprt);
+ spin_unlock_bh(&serv->sv_lock);
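Review bot: The loop no longer drops a reference per deferred request, but the code does not say why, and a per-item `svc_xprt_put()` is the kind of line that gets re-added by someone pairing puts with dequeues, which would bring back the reference underflow. I would add `/* Deferred requests hold no xprt reference (see svc_revisit()), so only free them. */` above the `while`. svc_delete_xprt() starts and ends outside the hunk.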