From: Greg Kroah-Hartman
Date: Wed, 13 Jul 2016 22:47:08 +0000 (+0900)
Subject: 3.14-stable patches
X-Git-Tag: v4.6.5~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=09a007e7782825047cdbd23034cc24a982b75afc;p=thirdparty%2Fkernel%2Fstable-queue.git
3.14-stable patches
added patches:
mips-kvm-fix-modular-kvm-under-qemu.patch
signal-remove-warning-about-using-si_tkill-in-rt_sigqueueinfo.patch
---
diff --git a/queue-3.14/mips-kvm-fix-modular-kvm-under-qemu.patch b/queue-3.14/mips-kvm-fix-modular-kvm-under-qemu.patch
new file mode 100644
index 00000000000..ac9286c66a4
--- /dev/null
+++ b/queue-3.14/mips-kvm-fix-modular-kvm-under-qemu.patch
@@ -0,0 +1,107 @@
+From 797179bc4fe06c89e47a9f36f886f68640b423f8 Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Thu, 9 Jun 2016 10:50:43 +0100
+Subject: MIPS: KVM: Fix modular KVM under QEMU
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: James Hogan
+
+commit 797179bc4fe06c89e47a9f36f886f68640b423f8 upstream.
+
+Copy __kvm_mips_vcpu_run() into unmapped memory, so that we can never
+get a TLB refill exception in it when KVM is built as a module.
+
+This was observed to happen with the host MIPS kernel running under
+QEMU, due to a not entirely transparent optimisation in the QEMU TLB
+handling where TLB entries replaced with TLBWR are copied to a separate
+part of the TLB array. Code in those pages continue to be executable,
+but those mappings persist only until the next ASID switch, even if they
+are marked global.
+
+An ASID switch happens in __kvm_mips_vcpu_run() at exception level after
+switching to the guest exception base. Subsequent TLB mapped kernel
+instructions just prior to switching to the guest trigger a TLB refill
+exception, which enters the guest exception handlers without updating
+EPC. This appears as a guest triggered TLB refill on a host kernel
+mapped (host KSeg2) address, which is not handled correctly as user
+(guest) mode accesses to kernel (host) segments always generate address
+error exceptions.
+
+Signed-off-by: James Hogan
+Cc: Paolo Bonzini
+Cc: Radim Krčmář
+Cc: Ralf Baechle
+Cc: kvm@vger.kernel.org
+Cc: linux-mips@linux-mips.org
+Cc: # 3.10.x-
+Signed-off-by: Paolo Bonzini
+[james.hogan@imgtec.com: backported for stable 3.14]
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/mips/include/asm/kvm_host.h | 1 +
+ arch/mips/kvm/kvm_locore.S | 1 +
+ arch/mips/kvm/kvm_mips.c | 11 ++++++++++-
+ arch/mips/kvm/kvm_mips_int.h | 2 ++
+ 4 files changed, 14 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/kvm_host.h
++++ b/arch/mips/include/asm/kvm_host.h
+@@ -342,6 +342,7 @@ struct kvm_mips_tlb {
+ #define KVM_MIPS_GUEST_TLB_SIZE 64
+ struct kvm_vcpu_arch {
+ void *host_ebase, *guest_ebase;
++ int (*vcpu_run)(struct kvm_run *run, struct kvm_vcpu *vcpu);
+ unsigned long host_stack;
+ unsigned long host_gp;
+
+--- a/arch/mips/kvm/kvm_locore.S
++++ b/arch/mips/kvm/kvm_locore.S
+@@ -229,6 +229,7 @@ FEXPORT(__kvm_mips_load_k0k1)
+
+ /* Jump to guest */
+ eret
++EXPORT(__kvm_mips_vcpu_run_end)
+
+ VECTOR(MIPSX(exception), unknown)
+ /*
+--- a/arch/mips/kvm/kvm_mips.c
++++ b/arch/mips/kvm/kvm_mips.c
+@@ -348,6 +348,15 @@ struct kvm_vcpu *kvm_arch_vcpu_create(st
+ memcpy(gebase + offset, mips32_GuestException,
+ mips32_GuestExceptionEnd - mips32_GuestException);
+
++#ifdef MODULE
++ offset += mips32_GuestExceptionEnd - mips32_GuestException;
++ memcpy(gebase + offset, (char *)__kvm_mips_vcpu_run,
++ __kvm_mips_vcpu_run_end - (char *)__kvm_mips_vcpu_run);
++ vcpu->arch.vcpu_run = gebase + offset;
++#else
++ vcpu->arch.vcpu_run = __kvm_mips_vcpu_run;
++#endif
++
+ /* Invalidate the icache for these ranges */
+ mips32_SyncICache((unsigned long) gebase, ALIGN(size, PAGE_SIZE));
+
+@@ -431,7 +440,7 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_v
+
+ kvm_guest_enter();
+
+- r = __kvm_mips_vcpu_run(run, vcpu);
++ r = vcpu->arch.vcpu_run(run, vcpu);
+
+ kvm_guest_exit();
+ local_irq_enable();
+--- a/arch/mips/kvm/kvm_mips_int.h
++++ 
b/arch/mips/kvm/kvm_mips_int.h
+@@ -27,6 +27,8 @@
+ #define MIPS_EXC_MAX 12
+ /* XXXSL More to follow */
+
++extern char __kvm_mips_vcpu_run_end[];
++
+ #define C_TI (_ULCAST_(1) << 30)
+
+ #define KVM_MIPS_IRQ_DELIVER_ALL_AT_ONCE (0)
diff --git a/queue-3.14/series b/queue-3.14/series
index 6daa9514f2f..5c9a88c7688 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -22,3 +22,5 @@ mm-export-migrate_page_move_mapping-and-migrate_page_copy.patch
 ubifs-implement-migratepage.patch
 posix_acl-add-set_posix_acl.patch
 nfsd-check-permissions-when-setting-acls.patch
+signal-remove-warning-about-using-si_tkill-in-rt_sigqueueinfo.patch
+mips-kvm-fix-modular-kvm-under-qemu.patch
diff --git a/queue-3.14/signal-remove-warning-about-using-si_tkill-in-rt_sigqueueinfo.patch b/queue-3.14/signal-remove-warning-about-using-si_tkill-in-rt_sigqueueinfo.patch
new file mode 100644
index 00000000000..dd41788693e
--- /dev/null
+++ b/queue-3.14/signal-remove-warning-about-using-si_tkill-in-rt_sigqueueinfo.patch
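Review bot: The `memcpy` added under `#ifdef MODULE` in kvm_arch_vcpu_create writes `__kvm_mips_vcpu_run_end - __kvm_mips_vcpu_run` bytes at `gebase + offset` without checking that they fit in the gebase allocation, whose `size` is computed before the hunk; if that allocation was sized for the exception vectors only, the copy overruns the buffer and the following `mips32_SyncICache(..., ALIGN(size, PAGE_SIZE))` would also not cover the tail of the copied code. A guard before the copy such as `if (offset + (__kvm_mips_vcpu_run_end - (char *)__kvm_mips_vcpu_run) > size)` that bails out through the function's existing error path, or at least a comment stating the size invariant the allocation must satisfy, would make this explicit. Since the copy is then executed through a plain function-pointer call in kvm_arch_vcpu_ioctl_run, a one-line comment on the new `vcpu_run` field in kvm_host.h, e.g. `/* points into the vcpu's unmapped (KSeg0) copy of __kvm_mips_vcpu_run when KVM is modular */`, would help readers. kvm_arch_vcpu_create starts and ends outside the hunk.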
@@ -0,0 +1,64 @@
+From 69828dce7af2cb6d08ef5a03de687d422fb7ec1f Mon Sep 17 00:00:00 2001
+From: Vladimir Davydov
+Date: Thu, 16 Apr 2015 12:47:35 -0700
+Subject: signal: remove warning about using SI_TKILL in rt_[tg]sigqueueinfo
+
+From: Vladimir Davydov
+
+commit 69828dce7af2cb6d08ef5a03de687d422fb7ec1f upstream.
+
+Sending SI_TKILL from rt_[tg]sigqueueinfo was deprecated, so now we issue
+a warning on the first attempt of doing it. We use WARN_ON_ONCE, which is
+not informative and, what is worse, taints the kernel, making the trinity
+syscall fuzzer complain false-positively from time to time.
+
+It does not look like we need this warning at all, because the behaviour
+changed quite a long time ago (2.6.39), and if an application relies on
+the old API, it gets EPERM anyway and can issue a warning by itself.
+
+So let us zap the warning in kernel.
+
+Signed-off-by: Vladimir Davydov
+Acked-by: Oleg Nesterov
+Cc: Richard Weinberger
+Cc: "Paul E. McKenney"
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/signal.c | 14 +++++--------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -3004,11 +3004,9 @@ static int do_rt_sigqueueinfo(pid_t pid,
+ * Nor can they impersonate a kill()/tgkill(), which adds source info.
+ */
+ if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
+- (task_pid_vnr(current) != pid)) {
+- /* We used to allow any < 0 si_code */
+- WARN_ON_ONCE(info->si_code < 0);
++ (task_pid_vnr(current) != pid))
+ return -EPERM;
+- }
++
+ info->si_signo = sig;
+
+ /* POSIX.1b doesn't mention process groups. */
+@@ -3053,12 +3051,10 @@ static int do_rt_tgsigqueueinfo(pid_t tg
+ /* Not even root can pretend to send signals from the kernel.
+ * Nor can they impersonate a kill()/tgkill(), which adds source info.
+ */
+- if (((info->si_code >= 0 || info->si_code == SI_TKILL)) &&
+- (task_pid_vnr(current) != pid)) {
+- /* We used to allow any < 0 si_code */
+- WARN_ON_ONCE(info->si_code < 0);
++ if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
++ (task_pid_vnr(current) != pid))
+ return -EPERM;
+- }
++
+ info->si_signo = sig;
+
+ return do_send_specific(tgid, pid, sig, info);