From: Greg Kroah-Hartman Date: Sun, 24 Jan 2016 23:59:55 +0000 (-0800) Subject: 4.3-stable patches X-Git-Tag: v3.10.96~40 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2d55e122f33988a4fa0222e54587713216d63bd6;p=thirdparty%2Fkernel%2Fstable-queue.git 4.3-stable patches added patches: alsa-fireworks-bebob-oxfw-dice-enable-to-make-as-built-in.patch alsa-hda-add-intel-lewisburg-device-ids-audio.patch alsa-hda-apply-pin-fixup-for-hp-probook-6550b.patch alsa-hda-disable-64bit-address-for-creative-hda-controllers.patch alsa-hda-fix-lost-4k-bdl-boundary-workaround.patch alsa-hda-realtek-dell-xps-one-alc3260-speaker-no-sound-after-resume-back.patch ipmi-move-timer-init-to-before-irq-is-setup.patch ipmi-start-the-timer-and-thread-on-internal-msgs.patch kvm-ppc-book3s-hv-don-t-dynamically-split-core-when-already-split.patch kvm-ppc-book3s-hv-prohibit-setting-illegal-transaction-state-in-msr.patch kvm-svm-unconditionally-intercept-db.patch kvm-vmx-fix-smep-and-smap-without-ept.patch kvm-x86-correctly-print-ac-in-traces.patch kvm-x86-expose-msr_tsc_aux-to-userspace.patch timers-use-proper-base-migration-in-add_timer_on.patch x86-boot-double-boot_heap_size-to-64kb.patch x86-mce-ensure-offline-cpus-don-t-participate-in-rendezvous-process.patch x86-mm-add-barriers-and-document-switch_mm-vs-flush-synchronization.patch x86-mm-improve-switch_mm-barrier-comments.patch x86-mpx-fix-instruction-decoder-condition.patch x86-paravirt-prevent-rtc_cmos-platform-device-init-on-pv-guests.patch x86-reboot-quirks-add-imac10-1-to-pci_reboot_dmi_table.patch x86-signal-fix-restart_syscall-number-for-x32-tasks.patch x86-smpboot-re-enable-init_udelay-0-by-default-on-modern-cpus.patch x86-xen-don-t-reset-vcpu_info-on-a-cancelled-suspend.patch xen-gntdev-grant-maps-should-not-be-subject-to-numa-balancing.patch --- diff --git a/queue-4.3/alsa-fireworks-bebob-oxfw-dice-enable-to-make-as-built-in.patch b/queue-4.3/alsa-fireworks-bebob-oxfw-dice-enable-to-make-as-built-in.patch new file mode 100644 index 00000000000..c6f6ad1f35f --- /dev/null +++ b/queue-4.3/alsa-fireworks-bebob-oxfw-dice-enable-to-make-as-built-in.patch @@ -0,0 +1,60 @@ +From df4833886f91eea0d20e6e97066adab308625ef8 Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Sun, 18 Oct 2015 13:46:47 +0900 +Subject: ALSA: fireworks/bebob/oxfw/dice: enable to make as built-in + +From: Takashi Sakamoto + +commit df4833886f91eea0d20e6e97066adab308625ef8 upstream. + +When committed to upstream, these four modules had wrong entries for +Makefile. This forces them to be loadable modules even if they're set +as built-in. + +This commit fixes this bug. + +Fixes: b5b04336015e('ALSA: fireworks: Add skelton for Fireworks based devices') +Fixes: fd6f4b0dc167('ALSA: bebob: Add skelton for BeBoB based devices') +Fixes: 1a4e39c2e5ca('ALSA: oxfw: Move to its own directory') +Fixes: 14ff6a094815('ALSA: dice: Move file to its own directory') +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/bebob/Makefile | 2 +- + sound/firewire/dice/Makefile | 2 +- + sound/firewire/fireworks/Makefile | 2 +- + sound/firewire/oxfw/Makefile | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +--- a/sound/firewire/bebob/Makefile ++++ b/sound/firewire/bebob/Makefile +@@ -1,4 +1,4 @@ + snd-bebob-objs := bebob_command.o bebob_stream.o bebob_proc.o bebob_midi.o \ + bebob_pcm.o bebob_hwdep.o bebob_terratec.o bebob_yamaha.o \ + bebob_focusrite.o bebob_maudio.o bebob.o +-obj-m += snd-bebob.o ++obj-$(CONFIG_SND_BEBOB) += snd-bebob.o +--- a/sound/firewire/dice/Makefile ++++ b/sound/firewire/dice/Makefile +@@ -1,3 +1,3 @@ + snd-dice-objs := dice-transaction.o dice-stream.o dice-proc.o dice-midi.o \ + dice-pcm.o dice-hwdep.o dice.o +-obj-m += snd-dice.o ++obj-$(CONFIG_SND_DICE) += snd-dice.o +--- a/sound/firewire/fireworks/Makefile ++++ b/sound/firewire/fireworks/Makefile +@@ -1,4 +1,4 @@ + snd-fireworks-objs := fireworks_transaction.o fireworks_command.o \ + fireworks_stream.o fireworks_proc.o fireworks_midi.o \ + fireworks_pcm.o fireworks_hwdep.o fireworks.o +-obj-m += snd-fireworks.o ++obj-$(CONFIG_SND_FIREWORKS) += snd-fireworks.o +--- a/sound/firewire/oxfw/Makefile ++++ b/sound/firewire/oxfw/Makefile +@@ -1,3 +1,3 @@ + snd-oxfw-objs := oxfw-command.o oxfw-stream.o oxfw-control.o oxfw-pcm.o \ + oxfw-proc.o oxfw-midi.o oxfw-hwdep.o oxfw.o +-obj-m += snd-oxfw.o ++obj-$(CONFIG_SND_OXFW) += snd-oxfw.o diff --git a/queue-4.3/alsa-hda-add-intel-lewisburg-device-ids-audio.patch b/queue-4.3/alsa-hda-add-intel-lewisburg-device-ids-audio.patch new file mode 100644 index 00000000000..eed20075807 --- /dev/null +++ b/queue-4.3/alsa-hda-add-intel-lewisburg-device-ids-audio.patch @@ -0,0 +1,35 @@ +From 5cf92c8b3dc5da59e05dc81bdc069cedf6f38313 Mon Sep 17 00:00:00 2001 +From: Alexandra Yates +Date: Wed, 4 Nov 2015 15:56:09 -0800 +Subject: ALSA: hda - Add Intel Lewisburg device IDs Audio + +From: Alexandra Yates + +commit 5cf92c8b3dc5da59e05dc81bdc069cedf6f38313 upstream. + +Adding Intel codename Lewisburg platform device IDs for audio. + +[rearranged the position by tiwai] + +Signed-off-by: Alexandra Yates +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_intel.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2105,6 +2105,11 @@ static const struct pci_device_id azx_id + .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH }, + { PCI_DEVICE(0x8086, 0x8d21), + .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH }, ++ /* Lewisburg */ ++ { PCI_DEVICE(0x8086, 0xa1f0), ++ .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH }, ++ { PCI_DEVICE(0x8086, 0xa270), ++ .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH }, + /* Lynx Point-LP */ + { PCI_DEVICE(0x8086, 0x9c20), + .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH }, diff --git a/queue-4.3/alsa-hda-apply-pin-fixup-for-hp-probook-6550b.patch b/queue-4.3/alsa-hda-apply-pin-fixup-for-hp-probook-6550b.patch new file mode 100644 index 00000000000..03fb0d3e827 --- /dev/null +++ b/queue-4.3/alsa-hda-apply-pin-fixup-for-hp-probook-6550b.patch @@ -0,0 +1,31 @@ +From c932b98c1e47312822d911c1bb76e81ef50e389c Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 4 Nov 2015 22:39:16 +0100 +Subject: ALSA: hda - Apply pin fixup for HP ProBook 6550b + +From: Takashi Iwai + +commit c932b98c1e47312822d911c1bb76e81ef50e389c upstream. + +HP ProBook 6550b needs the same pin fixup applied to other HP B-series +laptops with docks for making its headphone and dock headphone jacks +working properly. We just need to add the codec SSID to the list. + +Bugzilla: https://bugzilla.kernel.org/attachment.cgi?id=191971 +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_sigmatel.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_sigmatel.c ++++ b/sound/pci/hda/patch_sigmatel.c +@@ -702,6 +702,7 @@ static bool hp_bnb2011_with_dock(struct + static bool hp_blike_system(u32 subsystem_id) + { + switch (subsystem_id) { ++ case 0x103c1473: /* HP ProBook 6550b */ + case 0x103c1520: + case 0x103c1521: + case 0x103c1523: diff --git a/queue-4.3/alsa-hda-disable-64bit-address-for-creative-hda-controllers.patch b/queue-4.3/alsa-hda-disable-64bit-address-for-creative-hda-controllers.patch new file mode 100644 index 00000000000..d5f8e726adb --- /dev/null +++ b/queue-4.3/alsa-hda-disable-64bit-address-for-creative-hda-controllers.patch @@ -0,0 +1,54 @@ +From cadd16ea33a938d49aee99edd4758cc76048b399 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 27 Oct 2015 14:21:51 +0100 +Subject: ALSA: hda - Disable 64bit address for Creative HDA controllers + +From: Takashi Iwai + +commit cadd16ea33a938d49aee99edd4758cc76048b399 upstream. + +We've had many reports that some Creative sound cards with CA0132 +don't work well. Some reported that it starts working after reloading +the module, while some reported it starts working when a 32bit kernel +is used. All these facts seem implying that the chip fails to +communicate when the buffer is located in 64bit address. + +This patch addresses these issues by just adding AZX_DCAPS_NO_64BIT +flag to the corresponding PCI entries. I casually had a chance to +test an SB Recon3D board, and indeed this seems helping. + +Although this hasn't been tested on all Creative devices, it's safer +to assume that this restriction applies to the rest of them, too. So +the flag is applied to all Creative entries. + +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_intel.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -334,6 +334,7 @@ enum { + + #define AZX_DCAPS_PRESET_CTHDA \ + (AZX_DCAPS_NO_MSI | AZX_DCAPS_POSFIX_LPIB |\ ++ AZX_DCAPS_NO_64BIT |\ + AZX_DCAPS_4K_BDLE_BOUNDARY | AZX_DCAPS_SNOOP_OFF) + + /* +@@ -2284,11 +2285,13 @@ static const struct pci_device_id azx_id + .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8, + .class_mask = 0xffffff, + .driver_data = AZX_DRIVER_CTX | AZX_DCAPS_CTX_WORKAROUND | ++ AZX_DCAPS_NO_64BIT | + AZX_DCAPS_RIRB_PRE_DELAY | AZX_DCAPS_POSFIX_LPIB }, + #else + /* this entry seems still valid -- i.e. without emu20kx chip */ + { PCI_DEVICE(0x1102, 0x0009), + .driver_data = AZX_DRIVER_CTX | AZX_DCAPS_CTX_WORKAROUND | ++ AZX_DCAPS_NO_64BIT | + AZX_DCAPS_RIRB_PRE_DELAY | AZX_DCAPS_POSFIX_LPIB }, + #endif + /* CM8888 */ diff --git a/queue-4.3/alsa-hda-fix-lost-4k-bdl-boundary-workaround.patch b/queue-4.3/alsa-hda-fix-lost-4k-bdl-boundary-workaround.patch new file mode 100644 index 00000000000..ae5c1e4a644 --- /dev/null +++ b/queue-4.3/alsa-hda-fix-lost-4k-bdl-boundary-workaround.patch @@ -0,0 +1,37 @@ +From de1ab6af5c3d92c0a031083962a7ff270cf301b7 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 2 Nov 2015 17:35:34 +0100 +Subject: ALSA: hda - Fix lost 4k BDL boundary workaround + +From: Takashi Iwai + +commit de1ab6af5c3d92c0a031083962a7ff270cf301b7 upstream. + +During the migration to HDA core code, we lost the workaround for 4k +BDL boundary. The flag exists in the new hdac_bus, but it's never +set. This resulted in the sudden sound stall on some controllers that +require this workaround like Creative Recon3D. + +This patch fixes the issue by setting the flag for such controllers +properly. + +Fixes: ccc98865aa44 ('ALSA: hda - Migrate more hdac_stream codes') +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_controller.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -1059,6 +1059,9 @@ int azx_bus_init(struct azx *chip, const + bus->needs_damn_long_delay = 1; + } + ++ if (chip->driver_caps & AZX_DCAPS_4K_BDLE_BOUNDARY) ++ bus->core.align_bdle_4k = true; ++ + /* AMD chipsets often cause the communication stalls upon certain + * sequence like the pin-detection. It seems that forcing the synced + * access works around the stall. Grrr... diff --git a/queue-4.3/alsa-hda-realtek-dell-xps-one-alc3260-speaker-no-sound-after-resume-back.patch b/queue-4.3/alsa-hda-realtek-dell-xps-one-alc3260-speaker-no-sound-after-resume-back.patch new file mode 100644 index 00000000000..e7108235638 --- /dev/null +++ b/queue-4.3/alsa-hda-realtek-dell-xps-one-alc3260-speaker-no-sound-after-resume-back.patch @@ -0,0 +1,57 @@ +From 6ed1131fe196ad7ffc13acc1a1eadc08a1db0303 Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Mon, 26 Oct 2015 15:37:39 +0800 +Subject: ALSA: hda/realtek - Dell XPS one ALC3260 speaker no sound after resume back + +From: Kailang Yang + +commit 6ed1131fe196ad7ffc13acc1a1eadc08a1db0303 upstream. + +This machine had I2S codec for speaker output. +It need to refill the I2S codec initial verb after resume back. + +Signed-off-by: Kailang Yang +Reported-and-tested-by: George Gugulea +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4596,6 +4596,7 @@ enum { + ALC292_FIXUP_DELL_E7X, + ALC292_FIXUP_DISABLE_AAMIX, + ALC298_FIXUP_DELL1_MIC_NO_PRESENCE, ++ ALC275_FIXUP_DELL_XPS, + }; + + static const struct hda_fixup alc269_fixups[] = { +@@ -5165,6 +5166,17 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC269_FIXUP_HEADSET_MODE + }, ++ [ALC275_FIXUP_DELL_XPS] = { ++ .type = HDA_FIXUP_VERBS, ++ .v.verbs = (const struct hda_verb[]) { ++ /* Enables internal speaker */ ++ {0x20, AC_VERB_SET_COEF_INDEX, 0x1f}, ++ {0x20, AC_VERB_SET_PROC_COEF, 0x00c0}, ++ {0x20, AC_VERB_SET_COEF_INDEX, 0x30}, ++ {0x20, AC_VERB_SET_PROC_COEF, 0x00b1}, ++ {} ++ } ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -5179,6 +5191,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1025, 0x0775, "Acer Aspire E1-572", ALC271_FIXUP_HP_GATE_MIC_JACK_E1_572), + SND_PCI_QUIRK(0x1025, 0x079b, "Acer Aspire V5-573G", ALC282_FIXUP_ASPIRE_V5_PINS), + SND_PCI_QUIRK(0x1028, 0x0470, "Dell M101z", ALC269_FIXUP_DELL_M101Z), ++ SND_PCI_QUIRK(0x1028, 0x054b, "Dell XPS one 2710", ALC275_FIXUP_DELL_XPS), + SND_PCI_QUIRK(0x1028, 0x05ca, "Dell Latitude E7240", ALC292_FIXUP_DELL_E7X), + SND_PCI_QUIRK(0x1028, 0x05cb, "Dell Latitude E7440", ALC292_FIXUP_DELL_E7X), + SND_PCI_QUIRK(0x1028, 0x05da, "Dell Vostro 5460", ALC290_FIXUP_SUBWOOFER), diff --git a/queue-4.3/ipmi-move-timer-init-to-before-irq-is-setup.patch b/queue-4.3/ipmi-move-timer-init-to-before-irq-is-setup.patch new file mode 100644 index 00000000000..377c628f97e --- /dev/null +++ b/queue-4.3/ipmi-move-timer-init-to-before-irq-is-setup.patch @@ -0,0 +1,75 @@ +From 27f972d3e00b50639deb4cc1392afaeb08d3cecc Mon Sep 17 00:00:00 2001 +From: Jan Stancek +Date: Tue, 8 Dec 2015 13:57:51 -0500 +Subject: ipmi: move timer init to before irq is setup + +From: Jan Stancek + +commit 27f972d3e00b50639deb4cc1392afaeb08d3cecc upstream. + +We encountered a panic on boot in ipmi_si on a dell per320 due to an +uninitialized timer as follows. + +static int smi_start_processing(void *send_info, + ipmi_smi_t intf) +{ + /* Try to claim any interrupts. */ + if (new_smi->irq_setup) + new_smi->irq_setup(new_smi); + + --> IRQ arrives here and irq handler tries to modify uninitialized timer + + which triggers BUG_ON(!timer->function) in __mod_timer(). + + Call Trace: + + [] start_new_msg+0x47/0x80 [ipmi_si] + [] start_check_enables+0x4e/0x60 [ipmi_si] + [] smi_event_handler+0x1e8/0x640 [ipmi_si] + [] ? __rcu_process_callbacks+0x54/0x350 + [] si_irq_handler+0x3c/0x60 [ipmi_si] + [] handle_IRQ_event+0x60/0x170 + [] handle_edge_irq+0xde/0x180 + [] handle_irq+0x49/0xa0 + [] do_IRQ+0x6c/0xf0 + [] ret_from_intr+0x0/0x11 + + /* Set up the timer that drives the interface. */ + setup_timer(&new_smi->si_timer, smi_timeout, (long)new_smi); + +The following patch fixes the problem. + +To: Openipmi-developer@lists.sourceforge.net +To: Corey Minyard +CC: linux-kernel@vger.kernel.org + +Signed-off-by: Jan Stancek +Signed-off-by: Tony Camuso +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/ipmi/ipmi_si_intf.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/char/ipmi/ipmi_si_intf.c ++++ b/drivers/char/ipmi/ipmi_si_intf.c +@@ -1223,14 +1223,14 @@ static int smi_start_processing(void + + new_smi->intf = intf; + +- /* Try to claim any interrupts. */ +- if (new_smi->irq_setup) +- new_smi->irq_setup(new_smi); +- + /* Set up the timer that drives the interface. */ + setup_timer(&new_smi->si_timer, smi_timeout, (long)new_smi); + smi_mod_timer(new_smi, jiffies + SI_TIMEOUT_JIFFIES); + ++ /* Try to claim any interrupts. */ ++ if (new_smi->irq_setup) ++ new_smi->irq_setup(new_smi); ++ + /* + * Check if the user forcefully enabled the daemon. + */ diff --git a/queue-4.3/ipmi-start-the-timer-and-thread-on-internal-msgs.patch b/queue-4.3/ipmi-start-the-timer-and-thread-on-internal-msgs.patch new file mode 100644 index 00000000000..af1242b6d64 --- /dev/null +++ b/queue-4.3/ipmi-start-the-timer-and-thread-on-internal-msgs.patch @@ -0,0 +1,196 @@ +From 0cfec916e86d881e209de4b4ae9959a6271e6660 Mon Sep 17 00:00:00 2001 +From: Corey Minyard +Date: Sat, 5 Sep 2015 17:44:13 -0500 +Subject: ipmi: Start the timer and thread on internal msgs + +From: Corey Minyard + +commit 0cfec916e86d881e209de4b4ae9959a6271e6660 upstream. + +The timer and thread were not being started for internal messages, +so in interrupt mode if something hung the timer would never go +off and clean things up. Factor out the internal message sending +and start the timer for those messages, too. + +Signed-off-by: Corey Minyard +Tested-by: Gouji, Masayuki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/ipmi/ipmi_si_intf.c | 73 +++++++++++++++++++++++---------------- + 1 file changed, 44 insertions(+), 29 deletions(-) + +--- a/drivers/char/ipmi/ipmi_si_intf.c ++++ b/drivers/char/ipmi/ipmi_si_intf.c +@@ -412,18 +412,42 @@ static enum si_sm_result start_next_msg( + return rv; + } + +-static void start_check_enables(struct smi_info *smi_info) ++static void smi_mod_timer(struct smi_info *smi_info, unsigned long new_val) ++{ ++ smi_info->last_timeout_jiffies = jiffies; ++ mod_timer(&smi_info->si_timer, new_val); ++ smi_info->timer_running = true; ++} ++ ++/* ++ * Start a new message and (re)start the timer and thread. ++ */ ++static void start_new_msg(struct smi_info *smi_info, unsigned char *msg, ++ unsigned int size) ++{ ++ smi_mod_timer(smi_info, jiffies + SI_TIMEOUT_JIFFIES); ++ ++ if (smi_info->thread) ++ wake_up_process(smi_info->thread); ++ ++ smi_info->handlers->start_transaction(smi_info->si_sm, msg, size); ++} ++ ++static void start_check_enables(struct smi_info *smi_info, bool start_timer) + { + unsigned char msg[2]; + + msg[0] = (IPMI_NETFN_APP_REQUEST << 2); + msg[1] = IPMI_GET_BMC_GLOBAL_ENABLES_CMD; + +- smi_info->handlers->start_transaction(smi_info->si_sm, msg, 2); ++ if (start_timer) ++ start_new_msg(smi_info, msg, 2); ++ else ++ smi_info->handlers->start_transaction(smi_info->si_sm, msg, 2); + smi_info->si_state = SI_CHECKING_ENABLES; + } + +-static void start_clear_flags(struct smi_info *smi_info) ++static void start_clear_flags(struct smi_info *smi_info, bool start_timer) + { + unsigned char msg[3]; + +@@ -432,7 +456,10 @@ static void start_clear_flags(struct smi + msg[1] = IPMI_CLEAR_MSG_FLAGS_CMD; + msg[2] = WDT_PRE_TIMEOUT_INT; + +- smi_info->handlers->start_transaction(smi_info->si_sm, msg, 3); ++ if (start_timer) ++ start_new_msg(smi_info, msg, 3); ++ else ++ smi_info->handlers->start_transaction(smi_info->si_sm, msg, 3); + smi_info->si_state = SI_CLEARING_FLAGS; + } + +@@ -442,10 +469,8 @@ static void start_getting_msg_queue(stru + smi_info->curr_msg->data[1] = IPMI_GET_MSG_CMD; + smi_info->curr_msg->data_size = 2; + +- smi_info->handlers->start_transaction( +- smi_info->si_sm, +- smi_info->curr_msg->data, +- smi_info->curr_msg->data_size); ++ start_new_msg(smi_info, smi_info->curr_msg->data, ++ smi_info->curr_msg->data_size); + smi_info->si_state = SI_GETTING_MESSAGES; + } + +@@ -455,20 +480,11 @@ static void start_getting_events(struct + smi_info->curr_msg->data[1] = IPMI_READ_EVENT_MSG_BUFFER_CMD; + smi_info->curr_msg->data_size = 2; + +- smi_info->handlers->start_transaction( +- smi_info->si_sm, +- smi_info->curr_msg->data, +- smi_info->curr_msg->data_size); ++ start_new_msg(smi_info, smi_info->curr_msg->data, ++ smi_info->curr_msg->data_size); + smi_info->si_state = SI_GETTING_EVENTS; + } + +-static void smi_mod_timer(struct smi_info *smi_info, unsigned long new_val) +-{ +- smi_info->last_timeout_jiffies = jiffies; +- mod_timer(&smi_info->si_timer, new_val); +- smi_info->timer_running = true; +-} +- + /* + * When we have a situtaion where we run out of memory and cannot + * allocate messages, we just leave them in the BMC and run the system +@@ -478,11 +494,11 @@ static void smi_mod_timer(struct smi_inf + * Note that we cannot just use disable_irq(), since the interrupt may + * be shared. + */ +-static inline bool disable_si_irq(struct smi_info *smi_info) ++static inline bool disable_si_irq(struct smi_info *smi_info, bool start_timer) + { + if ((smi_info->irq) && (!smi_info->interrupt_disabled)) { + smi_info->interrupt_disabled = true; +- start_check_enables(smi_info); ++ start_check_enables(smi_info, start_timer); + return true; + } + return false; +@@ -492,7 +508,7 @@ static inline bool enable_si_irq(struct + { + if ((smi_info->irq) && (smi_info->interrupt_disabled)) { + smi_info->interrupt_disabled = false; +- start_check_enables(smi_info); ++ start_check_enables(smi_info, true); + return true; + } + return false; +@@ -510,7 +526,7 @@ static struct ipmi_smi_msg *alloc_msg_ha + + msg = ipmi_alloc_smi_msg(); + if (!msg) { +- if (!disable_si_irq(smi_info)) ++ if (!disable_si_irq(smi_info, true)) + smi_info->si_state = SI_NORMAL; + } else if (enable_si_irq(smi_info)) { + ipmi_free_smi_msg(msg); +@@ -526,7 +542,7 @@ static void handle_flags(struct smi_info + /* Watchdog pre-timeout */ + smi_inc_stat(smi_info, watchdog_pretimeouts); + +- start_clear_flags(smi_info); ++ start_clear_flags(smi_info, true); + smi_info->msg_flags &= ~WDT_PRE_TIMEOUT_INT; + if (smi_info->intf) + ipmi_smi_watchdog_pretimeout(smi_info->intf); +@@ -879,8 +895,7 @@ static enum si_sm_result smi_event_handl + msg[0] = (IPMI_NETFN_APP_REQUEST << 2); + msg[1] = IPMI_GET_MSG_FLAGS_CMD; + +- smi_info->handlers->start_transaction( +- smi_info->si_sm, msg, 2); ++ start_new_msg(smi_info, msg, 2); + smi_info->si_state = SI_GETTING_FLAGS; + goto restart; + } +@@ -910,7 +925,7 @@ static enum si_sm_result smi_event_handl + * disable and messages disabled. + */ + if (smi_info->supports_event_msg_buff || smi_info->irq) { +- start_check_enables(smi_info); ++ start_check_enables(smi_info, true); + } else { + smi_info->curr_msg = alloc_msg_handle_irq(smi_info); + if (!smi_info->curr_msg) +@@ -3613,7 +3628,7 @@ static int try_smi_init(struct smi_info + * Start clearing the flags before we enable interrupts or the + * timer to avoid racing with the timer. + */ +- start_clear_flags(new_smi); ++ start_clear_flags(new_smi, false); + + /* + * IRQ is defined to be set when non-zero. req_events will +@@ -3908,7 +3923,7 @@ static void cleanup_one_si(struct smi_in + poll(to_clean); + schedule_timeout_uninterruptible(1); + } +- disable_si_irq(to_clean); ++ disable_si_irq(to_clean, false); + while (to_clean->curr_msg || (to_clean->si_state != SI_NORMAL)) { + poll(to_clean); + schedule_timeout_uninterruptible(1); diff --git a/queue-4.3/kvm-ppc-book3s-hv-don-t-dynamically-split-core-when-already-split.patch b/queue-4.3/kvm-ppc-book3s-hv-don-t-dynamically-split-core-when-already-split.patch new file mode 100644 index 00000000000..f3382cfffce --- /dev/null +++ b/queue-4.3/kvm-ppc-book3s-hv-don-t-dynamically-split-core-when-already-split.patch @@ -0,0 +1,48 @@ +From f74f2e2e26199f695ca3df94f29e9ab7cb707ea4 Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Tue, 3 Nov 2015 16:03:30 +1100 +Subject: KVM: PPC: Book3S HV: Don't dynamically split core when already split + +From: Paul Mackerras + +commit f74f2e2e26199f695ca3df94f29e9ab7cb707ea4 upstream. + +In static micro-threading modes, the dynamic micro-threading code +is supposed to be disabled, because subcores can't make independent +decisions about what micro-threading mode to put the core in - there is +only one micro-threading mode for the whole core. The code that +implements dynamic micro-threading checks for this, except that the +check was missed in one case. This means that it is possible for a +subcore in static 2-way micro-threading mode to try to put the core +into 4-way micro-threading mode, which usually leads to stuck CPUs, +spinlock lockups, and other stalls in the host. + +The problem was in the can_split_piggybacked_subcores() function, which +should always return false if the system is in a static micro-threading +mode. This fixes the problem by making can_split_piggybacked_subcores() +use subcore_config_ok() for its checks, as subcore_config_ok() includes +the necessary check for the static micro-threading modes. + +Credit to Gautham Shenoy for working out that the reason for the hangs +and stalls we were seeing was that we were trying to do dynamic 4-way +micro-threading while we were in static 2-way mode. + +Fixes: b4deba5c41e9 +Signed-off-by: Paul Mackerras +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_hv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -2019,7 +2019,7 @@ static bool can_split_piggybacked_subcor + return false; + n_subcores += (cip->subcore_threads[sub] - 1) >> 1; + } +- if (n_subcores > 3 || large_sub < 0) ++ if (large_sub < 0 || !subcore_config_ok(n_subcores + 1, 2)) + return false; + + /* diff --git a/queue-4.3/kvm-ppc-book3s-hv-prohibit-setting-illegal-transaction-state-in-msr.patch b/queue-4.3/kvm-ppc-book3s-hv-prohibit-setting-illegal-transaction-state-in-msr.patch new file mode 100644 index 00000000000..4733458fbe9 --- /dev/null +++ b/queue-4.3/kvm-ppc-book3s-hv-prohibit-setting-illegal-transaction-state-in-msr.patch @@ -0,0 +1,51 @@ +From c20875a3e638e4a03e099b343ec798edd1af5cc6 Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Thu, 12 Nov 2015 16:43:02 +1100 +Subject: KVM: PPC: Book3S HV: Prohibit setting illegal transaction state in MSR + +From: Paul Mackerras + +commit c20875a3e638e4a03e099b343ec798edd1af5cc6 upstream. + +Currently it is possible for userspace (e.g. QEMU) to set a value +for the MSR for a guest VCPU which has both of the TS bits set, +which is an illegal combination. The result of this is that when +we execute a hrfid (hypervisor return from interrupt doubleword) +instruction to enter the guest, the CPU will take a TM Bad Thing +type of program interrupt (vector 0x700). + +Now, if PR KVM is configured in the kernel along with HV KVM, we +actually handle this without crashing the host or giving hypervisor +privilege to the guest; instead what happens is that we deliver a +program interrupt to the guest, with SRR0 reflecting the address +of the hrfid instruction and SRR1 containing the MSR value at that +point. If PR KVM is not configured in the kernel, then we try to +run the host's program interrupt handler with the MMU set to the +guest context, which almost certainly causes a host crash. + +This closes the hole by making kvmppc_set_msr_hv() check for the +illegal combination and force the TS field to a safe value (00, +meaning non-transactional). + +Signed-off-by: Paul Mackerras +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_hv.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -224,6 +224,12 @@ static void kvmppc_core_vcpu_put_hv(stru + + static void kvmppc_set_msr_hv(struct kvm_vcpu *vcpu, u64 msr) + { ++ /* ++ * Check for illegal transactional state bit combination ++ * and if we find it, force the TS field to a safe state. ++ */ ++ if ((msr & MSR_TS_MASK) == MSR_TS_MASK) ++ msr &= ~MSR_TS_MASK; + vcpu->arch.shregs.msr = msr; + kvmppc_end_cede(vcpu); + } diff --git a/queue-4.3/kvm-svm-unconditionally-intercept-db.patch b/queue-4.3/kvm-svm-unconditionally-intercept-db.patch new file mode 100644 index 00000000000..e8d74db0eda --- /dev/null +++ b/queue-4.3/kvm-svm-unconditionally-intercept-db.patch @@ -0,0 +1,80 @@ +From cbdb967af3d54993f5814f1cee0ed311a055377d Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 10 Nov 2015 09:14:39 +0100 +Subject: KVM: svm: unconditionally intercept #DB + +From: Paolo Bonzini + +commit cbdb967af3d54993f5814f1cee0ed311a055377d upstream. + +This is needed to avoid the possibility that the guest triggers +an infinite stream of #DB exceptions (CVE-2015-8104). + +VMX is not affected: because it does not save DR6 in the VMCS, +it already intercepts #DB unconditionally. + +Reported-by: Jan Beulich +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1108,6 +1108,7 @@ static void init_vmcb(struct vcpu_svm *s + set_exception_intercept(svm, UD_VECTOR); + set_exception_intercept(svm, MC_VECTOR); + set_exception_intercept(svm, AC_VECTOR); ++ set_exception_intercept(svm, DB_VECTOR); + + set_intercept(svm, INTERCEPT_INTR); + set_intercept(svm, INTERCEPT_NMI); +@@ -1642,20 +1643,13 @@ static void svm_set_segment(struct kvm_v + mark_dirty(svm->vmcb, VMCB_SEG); + } + +-static void update_db_bp_intercept(struct kvm_vcpu *vcpu) ++static void update_bp_intercept(struct kvm_vcpu *vcpu) + { + struct vcpu_svm *svm = to_svm(vcpu); + +- clr_exception_intercept(svm, DB_VECTOR); + clr_exception_intercept(svm, BP_VECTOR); + +- if (svm->nmi_singlestep) +- set_exception_intercept(svm, DB_VECTOR); +- + if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) { +- if (vcpu->guest_debug & +- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) +- set_exception_intercept(svm, DB_VECTOR); + if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP) + set_exception_intercept(svm, BP_VECTOR); + } else +@@ -1761,7 +1755,6 @@ static int db_interception(struct vcpu_s + if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP)) + svm->vmcb->save.rflags &= + ~(X86_EFLAGS_TF | X86_EFLAGS_RF); +- update_db_bp_intercept(&svm->vcpu); + } + + if (svm->vcpu.guest_debug & +@@ -3761,7 +3754,6 @@ static void enable_nmi_window(struct kvm + */ + svm->nmi_singlestep = true; + svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF); +- update_db_bp_intercept(vcpu); + } + + static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr) +@@ -4383,7 +4375,7 @@ static struct kvm_x86_ops svm_x86_ops = + .vcpu_load = svm_vcpu_load, + .vcpu_put = svm_vcpu_put, + +- .update_db_bp_intercept = update_db_bp_intercept, ++ .update_db_bp_intercept = update_bp_intercept, + .get_msr = svm_get_msr, + .set_msr = svm_set_msr, + .get_segment_base = svm_get_segment_base, diff --git a/queue-4.3/kvm-vmx-fix-smep-and-smap-without-ept.patch b/queue-4.3/kvm-vmx-fix-smep-and-smap-without-ept.patch new file mode 100644 index 00000000000..859abc7829f --- /dev/null +++ b/queue-4.3/kvm-vmx-fix-smep-and-smap-without-ept.patch @@ -0,0 +1,59 @@ +From 656ec4a4928a3db7d16e5cb9bce351a478cfd3d5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= +Date: Mon, 2 Nov 2015 22:20:00 +0100 +Subject: KVM: VMX: fix SMEP and SMAP without EPT +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= + +commit 656ec4a4928a3db7d16e5cb9bce351a478cfd3d5 upstream. + +The comment in code had it mostly right, but we enable paging for +emulated real mode regardless of EPT. + +Without EPT (which implies emulated real mode), secondary VCPUs won't +start unless we disable SM[AE]P when the guest doesn't use paging. + +Signed-off-by: Radim Krčmář +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -3644,20 +3644,21 @@ static int vmx_set_cr4(struct kvm_vcpu * + if (!is_paging(vcpu)) { + hw_cr4 &= ~X86_CR4_PAE; + hw_cr4 |= X86_CR4_PSE; +- /* +- * SMEP/SMAP is disabled if CPU is in non-paging mode +- * in hardware. However KVM always uses paging mode to +- * emulate guest non-paging mode with TDP. +- * To emulate this behavior, SMEP/SMAP needs to be +- * manually disabled when guest switches to non-paging +- * mode. +- */ +- hw_cr4 &= ~(X86_CR4_SMEP | X86_CR4_SMAP); + } else if (!(cr4 & X86_CR4_PAE)) { + hw_cr4 &= ~X86_CR4_PAE; + } + } + ++ if (!enable_unrestricted_guest && !is_paging(vcpu)) ++ /* ++ * SMEP/SMAP is disabled if CPU is in non-paging mode in ++ * hardware. However KVM always uses paging mode without ++ * unrestricted guest. ++ * To emulate this behavior, SMEP/SMAP needs to be manually ++ * disabled when guest switches to non-paging mode. ++ */ ++ hw_cr4 &= ~(X86_CR4_SMEP | X86_CR4_SMAP); ++ + vmcs_writel(CR4_READ_SHADOW, cr4); + vmcs_writel(GUEST_CR4, hw_cr4); + return 0; diff --git a/queue-4.3/kvm-x86-correctly-print-ac-in-traces.patch b/queue-4.3/kvm-x86-correctly-print-ac-in-traces.patch new file mode 100644 index 00000000000..5cfaef2010b --- /dev/null +++ b/queue-4.3/kvm-x86-correctly-print-ac-in-traces.patch @@ -0,0 +1,31 @@ +From aba2f06c070f604e388cf77b1dcc7f4cf4577eb0 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Thu, 12 Nov 2015 16:42:18 +0100 +Subject: KVM: x86: correctly print #AC in traces + +From: Paolo Bonzini + +commit aba2f06c070f604e388cf77b1dcc7f4cf4577eb0 upstream. + +Poor #AC was so unimportant until a few days ago that we were +not even tracing its name correctly. But now it's all over +the place. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/trace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/trace.h ++++ b/arch/x86/kvm/trace.h +@@ -250,7 +250,7 @@ TRACE_EVENT(kvm_inj_virq, + #define kvm_trace_sym_exc \ + EXS(DE), EXS(DB), EXS(BP), EXS(OF), EXS(BR), EXS(UD), EXS(NM), \ + EXS(DF), EXS(TS), EXS(NP), EXS(SS), EXS(GP), EXS(PF), \ +- EXS(MF), EXS(MC) ++ EXS(MF), EXS(AC), EXS(MC) + + /* + * Tracepoint for kvm interrupt injection: diff --git a/queue-4.3/kvm-x86-expose-msr_tsc_aux-to-userspace.patch b/queue-4.3/kvm-x86-expose-msr_tsc_aux-to-userspace.patch new file mode 100644 index 00000000000..016e2cace4c --- /dev/null +++ b/queue-4.3/kvm-x86-expose-msr_tsc_aux-to-userspace.patch @@ -0,0 +1,54 @@ +From 9dbe6cf941a6fe82933aef565e4095fb10f65023 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Thu, 12 Nov 2015 14:49:17 +0100 +Subject: KVM: x86: expose MSR_TSC_AUX to userspace + +From: Paolo Bonzini + +commit 9dbe6cf941a6fe82933aef565e4095fb10f65023 upstream. + +If we do not do this, it is not properly saved and restored across +migration. Windows notices due to its self-protection mechanisms, +and is very upset about it (blue screen of death). + +Cc: Radim Krcmar +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -942,7 +942,7 @@ static u32 msrs_to_save[] = { + MSR_CSTAR, MSR_KERNEL_GS_BASE, MSR_SYSCALL_MASK, MSR_LSTAR, + #endif + MSR_IA32_TSC, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA, +- MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS ++ MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS, MSR_TSC_AUX, + }; + + static unsigned num_msrs_to_save; +@@ -3847,16 +3847,17 @@ static void kvm_init_msr_list(void) + + /* + * Even MSRs that are valid in the host may not be exposed +- * to the guests in some cases. We could work around this +- * in VMX with the generic MSR save/load machinery, but it +- * is not really worthwhile since it will really only +- * happen with nested virtualization. ++ * to the guests in some cases. + */ + switch (msrs_to_save[i]) { + case MSR_IA32_BNDCFGS: + if (!kvm_x86_ops->mpx_supported()) + continue; + break; ++ case MSR_TSC_AUX: ++ if (!kvm_x86_ops->rdtscp_supported()) ++ continue; ++ break; + default: + break; + } diff --git a/queue-4.3/series b/queue-4.3/series new file mode 100644 index 00000000000..47db68c2b3a --- /dev/null +++ b/queue-4.3/series @@ -0,0 +1,26 @@ +x86-smpboot-re-enable-init_udelay-0-by-default-on-modern-cpus.patch +x86-mpx-fix-instruction-decoder-condition.patch +x86-signal-fix-restart_syscall-number-for-x32-tasks.patch +x86-paravirt-prevent-rtc_cmos-platform-device-init-on-pv-guests.patch +x86-mce-ensure-offline-cpus-don-t-participate-in-rendezvous-process.patch +xen-gntdev-grant-maps-should-not-be-subject-to-numa-balancing.patch +x86-xen-don-t-reset-vcpu_info-on-a-cancelled-suspend.patch +kvm-vmx-fix-smep-and-smap-without-ept.patch +kvm-ppc-book3s-hv-don-t-dynamically-split-core-when-already-split.patch +kvm-svm-unconditionally-intercept-db.patch +kvm-ppc-book3s-hv-prohibit-setting-illegal-transaction-state-in-msr.patch +kvm-x86-expose-msr_tsc_aux-to-userspace.patch +kvm-x86-correctly-print-ac-in-traces.patch +x86-reboot-quirks-add-imac10-1-to-pci_reboot_dmi_table.patch +x86-boot-double-boot_heap_size-to-64kb.patch +x86-mm-add-barriers-and-document-switch_mm-vs-flush-synchronization.patch +x86-mm-improve-switch_mm-barrier-comments.patch +timers-use-proper-base-migration-in-add_timer_on.patch +ipmi-start-the-timer-and-thread-on-internal-msgs.patch +ipmi-move-timer-init-to-before-irq-is-setup.patch +alsa-hda-realtek-dell-xps-one-alc3260-speaker-no-sound-after-resume-back.patch +alsa-hda-disable-64bit-address-for-creative-hda-controllers.patch +alsa-hda-fix-lost-4k-bdl-boundary-workaround.patch +alsa-hda-add-intel-lewisburg-device-ids-audio.patch +alsa-hda-apply-pin-fixup-for-hp-probook-6550b.patch +alsa-fireworks-bebob-oxfw-dice-enable-to-make-as-built-in.patch diff --git a/queue-4.3/timers-use-proper-base-migration-in-add_timer_on.patch b/queue-4.3/timers-use-proper-base-migration-in-add_timer_on.patch new file mode 100644 index 00000000000..f765a079c5d --- /dev/null +++ b/queue-4.3/timers-use-proper-base-migration-in-add_timer_on.patch @@ -0,0 +1,104 @@ +From 22b886dd1018093920c4250dee2a9a3cb7cff7b8 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Wed, 4 Nov 2015 12:15:33 -0500 +Subject: timers: Use proper base migration in add_timer_on() + +From: Tejun Heo + +commit 22b886dd1018093920c4250dee2a9a3cb7cff7b8 upstream. + +Regardless of the previous CPU a timer was on, add_timer_on() +currently simply sets timer->flags to the new CPU. As the caller must +be seeing the timer as idle, this is locally fine, but the timer +leaving the old base while unlocked can lead to race conditions as +follows. + +Let's say timer was on cpu 0. + + cpu 0 cpu 1 + ----------------------------------------------------------------------------- + del_timer(timer) succeeds + del_timer(timer) + lock_timer_base(timer) locks cpu_0_base + add_timer_on(timer, 1) + spin_lock(&cpu_1_base->lock) + timer->flags set to cpu_1_base + operates on @timer operates on @timer + +This triggered with mod_delayed_work_on() which contains +"if (del_timer()) add_timer_on()" sequence eventually leading to the +following oops. + + BUG: unable to handle kernel NULL pointer dereference at (null) + IP: [] detach_if_pending+0x69/0x1a0 + ... + Workqueue: wqthrash wqthrash_workfunc [wqthrash] + task: ffff8800172ca680 ti: ffff8800172d0000 task.ti: ffff8800172d0000 + RIP: 0010:[] [] detach_if_pending+0x69/0x1a0 + ... + Call Trace: + [] del_timer+0x44/0x60 + [] try_to_grab_pending+0xb6/0x160 + [] mod_delayed_work_on+0x33/0x80 + [] wqthrash_workfunc+0x61/0x90 [wqthrash] + [] process_one_work+0x1e8/0x650 + [] worker_thread+0x4e/0x450 + [] kthread+0xef/0x110 + [] ret_from_fork+0x3f/0x70 + +Fix it by updating add_timer_on() to perform proper migration as +__mod_timer() does. + +Reported-and-tested-by: Jeff Layton +Signed-off-by: Tejun Heo +Cc: Chris Worley +Cc: bfields@fieldses.org +Cc: Michael Skralivetsky +Cc: Trond Myklebust +Cc: Shaohua Li +Cc: Jeff Layton +Cc: kernel-team@fb.com +Link: http://lkml.kernel.org/r/20151029103113.2f893924@tlielax.poochiereds.net +Link: http://lkml.kernel.org/r/20151104171533.GI5749@mtj.duckdns.org +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/timer.c | 22 +++++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -970,13 +970,29 @@ EXPORT_SYMBOL(add_timer); + */ + void add_timer_on(struct timer_list *timer, int cpu) + { +- struct tvec_base *base = per_cpu_ptr(&tvec_bases, cpu); ++ struct tvec_base *new_base = per_cpu_ptr(&tvec_bases, cpu); ++ struct tvec_base *base; + unsigned long flags; + + timer_stats_timer_set_start_info(timer); + BUG_ON(timer_pending(timer) || !timer->function); +- spin_lock_irqsave(&base->lock, flags); +- timer->flags = (timer->flags & ~TIMER_BASEMASK) | cpu; ++ ++ /* ++ * If @timer was on a different CPU, it should be migrated with the ++ * old base locked to prevent other operations proceeding with the ++ * wrong base locked. See lock_timer_base(). ++ */ ++ base = lock_timer_base(timer, &flags); ++ if (base != new_base) { ++ timer->flags |= TIMER_MIGRATING; ++ ++ spin_unlock(&base->lock); ++ base = new_base; ++ spin_lock(&base->lock); ++ WRITE_ONCE(timer->flags, ++ (timer->flags & ~TIMER_BASEMASK) | cpu); ++ } ++ + debug_activate(timer, timer->expires); + internal_add_timer(base, timer); + spin_unlock_irqrestore(&base->lock, flags); diff --git a/queue-4.3/x86-boot-double-boot_heap_size-to-64kb.patch b/queue-4.3/x86-boot-double-boot_heap_size-to-64kb.patch new file mode 100644 index 00000000000..779c4625336 --- /dev/null +++ b/queue-4.3/x86-boot-double-boot_heap_size-to-64kb.patch @@ -0,0 +1,43 @@ +From 8c31902cffc4d716450be549c66a67a8a3dd479c Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Mon, 4 Jan 2016 10:17:09 -0800 +Subject: x86/boot: Double BOOT_HEAP_SIZE to 64KB + +From: "H.J. Lu" + +commit 8c31902cffc4d716450be549c66a67a8a3dd479c upstream. + +When decompressing kernel image during x86 bootup, malloc memory +for ELF program headers may run out of heap space, which leads +to system halt. This patch doubles BOOT_HEAP_SIZE to 64KB. + +Tested with 32-bit kernel which failed to boot without this patch. + +Signed-off-by: H.J. Lu +Acked-by: H. Peter Anvin +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/boot.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/include/asm/boot.h ++++ b/arch/x86/include/asm/boot.h +@@ -27,7 +27,7 @@ + #define BOOT_HEAP_SIZE 0x400000 + #else /* !CONFIG_KERNEL_BZIP2 */ + +-#define BOOT_HEAP_SIZE 0x8000 ++#define BOOT_HEAP_SIZE 0x10000 + + #endif /* !CONFIG_KERNEL_BZIP2 */ + diff --git a/queue-4.3/x86-mce-ensure-offline-cpus-don-t-participate-in-rendezvous-process.patch b/queue-4.3/x86-mce-ensure-offline-cpus-don-t-participate-in-rendezvous-process.patch new file mode 100644 index 00000000000..64290c76fa2 --- /dev/null +++ b/queue-4.3/x86-mce-ensure-offline-cpus-don-t-participate-in-rendezvous-process.patch @@ -0,0 +1,68 @@ +From d90167a941f62860f35eb960e1012aa2d30e7e94 Mon Sep 17 00:00:00 2001 +From: Ashok Raj +Date: Thu, 10 Dec 2015 11:12:26 +0100 +Subject: x86/mce: Ensure offline CPUs don't participate in rendezvous process + +From: Ashok Raj + +commit d90167a941f62860f35eb960e1012aa2d30e7e94 upstream. + +Intel's MCA implementation broadcasts MCEs to all CPUs on the +node. This poses a problem for offlined CPUs which cannot +participate in the rendezvous process: + + Kernel panic - not syncing: Timeout: Not all CPUs entered broadcast exception handler + Kernel Offset: disabled + Rebooting in 100 seconds.. + +More specifically, Linux does a soft offline of a CPU when +writing a 0 to /sys/devices/system/cpu/cpuX/online, which +doesn't prevent the #MC exception from being broadcasted to that +CPU. + +Ensure that offline CPUs don't participate in the MCE rendezvous +and clear the RIP valid status bit so that a second MCE won't +cause a shutdown. + +Without the patch, mce_start() will increment mce_callin and +wait for all CPUs. Offlined CPUs should avoid participating in +the rendezvous process altogether. + +Signed-off-by: Ashok Raj +[ Massage commit message. ] +Signed-off-by: Borislav Petkov +Reviewed-by: Tony Luck +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-edac +Link: http://lkml.kernel.org/r/1449742346-21470-2-git-send-email-bp@alien8.de +Signed-off-by: Ingo Molnar +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mcheck/mce.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -999,6 +999,17 @@ void do_machine_check(struct pt_regs *re + int flags = MF_ACTION_REQUIRED; + int lmce = 0; + ++ /* If this CPU is offline, just bail out. */ ++ if (cpu_is_offline(smp_processor_id())) { ++ u64 mcgstatus; ++ ++ mcgstatus = mce_rdmsrl(MSR_IA32_MCG_STATUS); ++ if (mcgstatus & MCG_STATUS_RIPV) { ++ mce_wrmsrl(MSR_IA32_MCG_STATUS, 0); ++ return; ++ } ++ } ++ + ist_enter(regs); + + this_cpu_inc(mce_exception_count); diff --git a/queue-4.3/x86-mm-add-barriers-and-document-switch_mm-vs-flush-synchronization.patch b/queue-4.3/x86-mm-add-barriers-and-document-switch_mm-vs-flush-synchronization.patch new file mode 100644 index 00000000000..330550d5d6c --- /dev/null +++ b/queue-4.3/x86-mm-add-barriers-and-document-switch_mm-vs-flush-synchronization.patch @@ -0,0 +1,158 @@ +From 71b3c126e61177eb693423f2e18a1914205b165e Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Wed, 6 Jan 2016 12:21:01 -0800 +Subject: x86/mm: Add barriers and document switch_mm()-vs-flush synchronization + +From: Andy Lutomirski + +commit 71b3c126e61177eb693423f2e18a1914205b165e upstream. + +When switch_mm() activates a new PGD, it also sets a bit that +tells other CPUs that the PGD is in use so that TLB flush IPIs +will be sent. In order for that to work correctly, the bit +needs to be visible prior to loading the PGD and therefore +starting to fill the local TLB. + +Document all the barriers that make this work correctly and add +a couple that were missing. + +Signed-off-by: Andy Lutomirski +Cc: Andrew Morton +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Dave Hansen +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Rik van Riel +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/mmu_context.h | 33 ++++++++++++++++++++++++++++++++- + arch/x86/mm/tlb.c | 29 ++++++++++++++++++++++++++--- + 2 files changed, 58 insertions(+), 4 deletions(-) + +--- a/arch/x86/include/asm/mmu_context.h ++++ b/arch/x86/include/asm/mmu_context.h +@@ -116,8 +116,34 @@ static inline void switch_mm(struct mm_s + #endif + cpumask_set_cpu(cpu, mm_cpumask(next)); + +- /* Re-load page tables */ ++ /* ++ * Re-load page tables. ++ * ++ * This logic has an ordering constraint: ++ * ++ * CPU 0: Write to a PTE for 'next' ++ * CPU 0: load bit 1 in mm_cpumask. if nonzero, send IPI. ++ * CPU 1: set bit 1 in next's mm_cpumask ++ * CPU 1: load from the PTE that CPU 0 writes (implicit) ++ * ++ * We need to prevent an outcome in which CPU 1 observes ++ * the new PTE value and CPU 0 observes bit 1 clear in ++ * mm_cpumask. (If that occurs, then the IPI will never ++ * be sent, and CPU 0's TLB will contain a stale entry.) ++ * ++ * The bad outcome can occur if either CPU's load is ++ * reordered before that CPU's store, so both CPUs much ++ * execute full barriers to prevent this from happening. ++ * ++ * Thus, switch_mm needs a full barrier between the ++ * store to mm_cpumask and any operation that could load ++ * from next->pgd. This barrier synchronizes with ++ * remote TLB flushers. Fortunately, load_cr3 is ++ * serializing and thus acts as a full barrier. ++ * ++ */ + load_cr3(next->pgd); ++ + trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL); + + /* Stop flush ipis for the previous mm */ +@@ -156,10 +182,15 @@ static inline void switch_mm(struct mm_s + * schedule, protecting us from simultaneous changes. + */ + cpumask_set_cpu(cpu, mm_cpumask(next)); ++ + /* + * We were in lazy tlb mode and leave_mm disabled + * tlb flush IPI delivery. We must reload CR3 + * to make sure to use no freed page tables. ++ * ++ * As above, this is a barrier that forces ++ * TLB repopulation to be ordered after the ++ * store to mm_cpumask. + */ + load_cr3(next->pgd); + trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL); +--- a/arch/x86/mm/tlb.c ++++ b/arch/x86/mm/tlb.c +@@ -161,7 +161,10 @@ void flush_tlb_current_task(void) + preempt_disable(); + + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); ++ ++ /* This is an implicit full barrier that synchronizes with switch_mm. */ + local_flush_tlb(); ++ + trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL); + if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids) + flush_tlb_others(mm_cpumask(mm), mm, 0UL, TLB_FLUSH_ALL); +@@ -188,17 +191,29 @@ void flush_tlb_mm_range(struct mm_struct + unsigned long base_pages_to_flush = TLB_FLUSH_ALL; + + preempt_disable(); +- if (current->active_mm != mm) ++ if (current->active_mm != mm) { ++ /* Synchronize with switch_mm. */ ++ smp_mb(); ++ + goto out; ++ } + + if (!current->mm) { + leave_mm(smp_processor_id()); ++ ++ /* Synchronize with switch_mm. */ ++ smp_mb(); ++ + goto out; + } + + if ((end != TLB_FLUSH_ALL) && !(vmflag & VM_HUGETLB)) + base_pages_to_flush = (end - start) >> PAGE_SHIFT; + ++ /* ++ * Both branches below are implicit full barriers (MOV to CR or ++ * INVLPG) that synchronize with switch_mm. ++ */ + if (base_pages_to_flush > tlb_single_page_flush_ceiling) { + base_pages_to_flush = TLB_FLUSH_ALL; + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); +@@ -228,10 +243,18 @@ void flush_tlb_page(struct vm_area_struc + preempt_disable(); + + if (current->active_mm == mm) { +- if (current->mm) ++ if (current->mm) { ++ /* ++ * Implicit full barrier (INVLPG) that synchronizes ++ * with switch_mm. ++ */ + __flush_tlb_one(start); +- else ++ } else { + leave_mm(smp_processor_id()); ++ ++ /* Synchronize with switch_mm. */ ++ smp_mb(); ++ } + } + + if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids) diff --git a/queue-4.3/x86-mm-improve-switch_mm-barrier-comments.patch b/queue-4.3/x86-mm-improve-switch_mm-barrier-comments.patch new file mode 100644 index 00000000000..e1d071dd977 --- /dev/null +++ b/queue-4.3/x86-mm-improve-switch_mm-barrier-comments.patch @@ -0,0 +1,67 @@ +From 4eaffdd5a5fe6ff9f95e1ab4de1ac904d5e0fa8b Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Tue, 12 Jan 2016 12:47:40 -0800 +Subject: x86/mm: Improve switch_mm() barrier comments + +From: Andy Lutomirski + +commit 4eaffdd5a5fe6ff9f95e1ab4de1ac904d5e0fa8b upstream. + +My previous comments were still a bit confusing and there was a +typo. Fix it up. + +Reported-by: Peter Zijlstra +Signed-off-by: Andy Lutomirski +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Dave Hansen +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Rik van Riel +Cc: Thomas Gleixner +Fixes: 71b3c126e611 ("x86/mm: Add barriers and document switch_mm()-vs-flush synchronization") +Link: http://lkml.kernel.org/r/0a0b43cdcdd241c5faaaecfbcc91a155ddedc9a1.1452631609.git.luto@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/mmu_context.h | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/arch/x86/include/asm/mmu_context.h ++++ b/arch/x86/include/asm/mmu_context.h +@@ -132,14 +132,16 @@ static inline void switch_mm(struct mm_s + * be sent, and CPU 0's TLB will contain a stale entry.) + * + * The bad outcome can occur if either CPU's load is +- * reordered before that CPU's store, so both CPUs much ++ * reordered before that CPU's store, so both CPUs must + * execute full barriers to prevent this from happening. + * + * Thus, switch_mm needs a full barrier between the + * store to mm_cpumask and any operation that could load +- * from next->pgd. This barrier synchronizes with +- * remote TLB flushers. Fortunately, load_cr3 is +- * serializing and thus acts as a full barrier. ++ * from next->pgd. TLB fills are special and can happen ++ * due to instruction fetches or for no reason at all, ++ * and neither LOCK nor MFENCE orders them. ++ * Fortunately, load_cr3() is serializing and gives the ++ * ordering guarantee we need. + * + */ + load_cr3(next->pgd); +@@ -188,9 +190,8 @@ static inline void switch_mm(struct mm_s + * tlb flush IPI delivery. We must reload CR3 + * to make sure to use no freed page tables. + * +- * As above, this is a barrier that forces +- * TLB repopulation to be ordered after the +- * store to mm_cpumask. ++ * As above, load_cr3() is serializing and orders TLB ++ * fills with respect to the mm_cpumask write. + */ + load_cr3(next->pgd); + trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL); diff --git a/queue-4.3/x86-mpx-fix-instruction-decoder-condition.patch b/queue-4.3/x86-mpx-fix-instruction-decoder-condition.patch new file mode 100644 index 00000000000..a0e81953fac --- /dev/null +++ b/queue-4.3/x86-mpx-fix-instruction-decoder-condition.patch @@ -0,0 +1,64 @@ +From 8e8efe0379bd93e8219ca0fc6fa80b5dd85b09cb Mon Sep 17 00:00:00 2001 +From: Dave Hansen +Date: Mon, 30 Nov 2015 16:31:13 -0800 +Subject: x86/mpx: Fix instruction decoder condition + +From: Dave Hansen + +commit 8e8efe0379bd93e8219ca0fc6fa80b5dd85b09cb upstream. + +MPX decodes instructions in order to tell which bounds register +was violated. Part of this decoding involves looking at the "REX +prefix" which is a special instrucion prefix used to retrofit +support for new registers in to old instructions. + +The X86_REX_*() macros are defined to return actual bit values: + + #define X86_REX_R(rex) ((rex) & 4) + +*not* boolean values. However, the MPX code was checking for +them like they were booleans. This might have led to us +mis-decoding the "REX prefix" and giving false information out to +userspace about bounds violations. X86_REX_B() actually is bit 1, +so this is really only broken for the X86_REX_X() case. + +Fix the conditionals up to tolerate the non-boolean values. + +Fixes: fcc7ffd67991 "x86, mpx: Decode MPX instruction to get bound violation information" +Reported-by: Dan Carpenter +Signed-off-by: Dave Hansen +Cc: x86@kernel.org +Cc: Dave Hansen +Link: http://lkml.kernel.org/r/20151201003113.D800C1E0@viggo.jf.intel.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/mpx.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/x86/mm/mpx.c ++++ b/arch/x86/mm/mpx.c +@@ -101,19 +101,19 @@ static int get_reg_offset(struct insn *i + switch (type) { + case REG_TYPE_RM: + regno = X86_MODRM_RM(insn->modrm.value); +- if (X86_REX_B(insn->rex_prefix.value) == 1) ++ if (X86_REX_B(insn->rex_prefix.value)) + regno += 8; + break; + + case REG_TYPE_INDEX: + regno = X86_SIB_INDEX(insn->sib.value); +- if (X86_REX_X(insn->rex_prefix.value) == 1) ++ if (X86_REX_X(insn->rex_prefix.value)) + regno += 8; + break; + + case REG_TYPE_BASE: + regno = X86_SIB_BASE(insn->sib.value); +- if (X86_REX_B(insn->rex_prefix.value) == 1) ++ if (X86_REX_B(insn->rex_prefix.value)) + regno += 8; + break; + diff --git a/queue-4.3/x86-paravirt-prevent-rtc_cmos-platform-device-init-on-pv-guests.patch b/queue-4.3/x86-paravirt-prevent-rtc_cmos-platform-device-init-on-pv-guests.patch new file mode 100644 index 00000000000..d66b7548d61 --- /dev/null +++ b/queue-4.3/x86-paravirt-prevent-rtc_cmos-platform-device-init-on-pv-guests.patch @@ -0,0 +1,148 @@ +From d8c98a1d1488747625ad6044d423406e17e99b7a Mon Sep 17 00:00:00 2001 +From: David Vrabel +Date: Fri, 11 Dec 2015 09:07:53 -0500 +Subject: x86/paravirt: Prevent rtc_cmos platform device init on PV guests + +From: David Vrabel + +commit d8c98a1d1488747625ad6044d423406e17e99b7a upstream. + +Adding the rtc platform device in non-privileged Xen PV guests causes +an IRQ conflict because these guests do not have legacy PIC and may +allocate irqs in the legacy range. + +In a single VCPU Xen PV guest we should have: + +/proc/interrupts: + CPU0 + 0: 4934 xen-percpu-virq timer0 + 1: 0 xen-percpu-ipi spinlock0 + 2: 0 xen-percpu-ipi resched0 + 3: 0 xen-percpu-ipi callfunc0 + 4: 0 xen-percpu-virq debug0 + 5: 0 xen-percpu-ipi callfuncsingle0 + 6: 0 xen-percpu-ipi irqwork0 + 7: 321 xen-dyn-event xenbus + 8: 90 xen-dyn-event hvc_console + ... + +But hvc_console cannot get its interrupt because it is already in use +by rtc0 and the console does not work. + + genirq: Flags mismatch irq 8. 00000000 (hvc_console) vs. 00000000 (rtc0) + +We can avoid this problem by realizing that unprivileged PV guests (both +Xen and lguests) are not supposed to have rtc_cmos device and so +adding it is not necessary. + +Privileged guests (i.e. Xen's dom0) do use it but they should not have +irq conflicts since they allocate irqs above legacy range (above +gsi_top, in fact). + +Instead of explicitly testing whether the guest is privileged we can +extend pv_info structure to include information about guest's RTC +support. + +Reported-and-tested-by: Sander Eikelenboom +Signed-off-by: David Vrabel +Signed-off-by: Boris Ostrovsky +Cc: vkuznets@redhat.com +Cc: xen-devel@lists.xenproject.org +Cc: konrad.wilk@oracle.com +Link: http://lkml.kernel.org/r/1449842873-2613-1-git-send-email-boris.ostrovsky@oracle.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/paravirt.h | 6 ++++++ + arch/x86/include/asm/paravirt_types.h | 5 +++++ + arch/x86/include/asm/processor.h | 1 + + arch/x86/kernel/rtc.c | 3 +++ + arch/x86/lguest/boot.c | 1 + + arch/x86/xen/enlighten.c | 4 +++- + 6 files changed, 19 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/asm/paravirt.h ++++ b/arch/x86/include/asm/paravirt.h +@@ -19,6 +19,12 @@ static inline int paravirt_enabled(void) + return pv_info.paravirt_enabled; + } + ++static inline int paravirt_has_feature(unsigned int feature) ++{ ++ WARN_ON_ONCE(!pv_info.paravirt_enabled); ++ return (pv_info.features & feature); ++} ++ + static inline void load_sp0(struct tss_struct *tss, + struct thread_struct *thread) + { +--- a/arch/x86/include/asm/paravirt_types.h ++++ b/arch/x86/include/asm/paravirt_types.h +@@ -70,9 +70,14 @@ struct pv_info { + #endif + + int paravirt_enabled; ++ unsigned int features; /* valid only if paravirt_enabled is set */ + const char *name; + }; + ++#define paravirt_has(x) paravirt_has_feature(PV_SUPPORTED_##x) ++/* Supported features */ ++#define PV_SUPPORTED_RTC (1<<0) ++ + struct pv_init_ops { + /* + * Patch may replace one of the defined code sequences with +--- a/arch/x86/include/asm/processor.h ++++ b/arch/x86/include/asm/processor.h +@@ -472,6 +472,7 @@ static inline unsigned long current_top_ + #else + #define __cpuid native_cpuid + #define paravirt_enabled() 0 ++#define paravirt_has(x) 0 + + static inline void load_sp0(struct tss_struct *tss, + struct thread_struct *thread) +--- a/arch/x86/kernel/rtc.c ++++ b/arch/x86/kernel/rtc.c +@@ -200,6 +200,9 @@ static __init int add_rtc_cmos(void) + } + #endif + ++ if (paravirt_enabled() && !paravirt_has(RTC)) ++ return -ENODEV; ++ + platform_device_register(&rtc_device); + dev_info(&rtc_device.dev, + "registered platform RTC device (no PNP device found)\n"); +--- a/arch/x86/lguest/boot.c ++++ b/arch/x86/lguest/boot.c +@@ -1414,6 +1414,7 @@ __init void lguest_init(void) + pv_info.kernel_rpl = 1; + /* Everyone except Xen runs with this set. */ + pv_info.shared_kernel_pmd = 1; ++ pv_info.features = 0; + + /* + * We set up all the lguest overrides for sensitive operations. These +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -1191,7 +1191,7 @@ static const struct pv_info xen_info __i + #ifdef CONFIG_X86_64 + .extra_user_64bit_cs = FLAT_USER_CS64, + #endif +- ++ .features = 0, + .name = "Xen", + }; + +@@ -1534,6 +1534,8 @@ asmlinkage __visible void __init xen_sta + + /* Install Xen paravirt ops */ + pv_info = xen_info; ++ if (xen_initial_domain()) ++ pv_info.features |= PV_SUPPORTED_RTC; + pv_init_ops = xen_init_ops; + pv_apic_ops = xen_apic_ops; + if (!xen_pvh_domain()) { diff --git a/queue-4.3/x86-reboot-quirks-add-imac10-1-to-pci_reboot_dmi_table.patch b/queue-4.3/x86-reboot-quirks-add-imac10-1-to-pci_reboot_dmi_table.patch new file mode 100644 index 00000000000..5e6f3a3a1d3 --- /dev/null +++ b/queue-4.3/x86-reboot-quirks-add-imac10-1-to-pci_reboot_dmi_table.patch @@ -0,0 +1,48 @@ +From 2f0c0b2d96b1205efb14347009748d786c2d9ba5 Mon Sep 17 00:00:00 2001 +From: Mario Kleiner +Date: Fri, 18 Dec 2015 20:24:06 +0100 +Subject: x86/reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[] + +From: Mario Kleiner + +commit 2f0c0b2d96b1205efb14347009748d786c2d9ba5 upstream. + +Without the reboot=pci method, the iMac 10,1 simply +hangs after printing "Restarting system" at the point +when it should reboot. This fixes it. + +Signed-off-by: Mario Kleiner +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Dave Jones +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/1450466646-26663-1-git-send-email-mario.kleiner.de@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/reboot.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -182,6 +182,14 @@ static struct dmi_system_id __initdata r + DMI_MATCH(DMI_PRODUCT_NAME, "iMac9,1"), + }, + }, ++ { /* Handle problems with rebooting on the iMac10,1. */ ++ .callback = set_pci_reboot, ++ .ident = "Apple iMac10,1", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "iMac10,1"), ++ }, ++ }, + + /* ASRock */ + { /* Handle problems with rebooting on ASRock Q1900DC-ITX */ diff --git a/queue-4.3/x86-signal-fix-restart_syscall-number-for-x32-tasks.patch b/queue-4.3/x86-signal-fix-restart_syscall-number-for-x32-tasks.patch new file mode 100644 index 00000000000..3c36e2ee883 --- /dev/null +++ b/queue-4.3/x86-signal-fix-restart_syscall-number-for-x32-tasks.patch @@ -0,0 +1,60 @@ +From 22eab1108781eff09961ae7001704f7bd8fb1dce Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Tue, 1 Dec 2015 00:54:36 +0300 +Subject: x86/signal: Fix restart_syscall number for x32 tasks + +From: "Dmitry V. Levin" + +commit 22eab1108781eff09961ae7001704f7bd8fb1dce upstream. + +When restarting a syscall with regs->ax == -ERESTART_RESTARTBLOCK, +regs->ax is assigned to a restart_syscall number. For x32 tasks, this +syscall number must have __X32_SYSCALL_BIT set, otherwise it will be +an x86_64 syscall number instead of a valid x32 syscall number. This +issue has been there since the introduction of x32. + +Reported-by: strace/tests/restart_syscall.test +Reported-and-tested-by: Elvira Khabirova +Signed-off-by: Dmitry V. Levin +Cc: Elvira Khabirova +Link: http://lkml.kernel.org/r/20151130215436.GA25996@altlinux.org +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/signal.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/arch/x86/kernel/signal.c ++++ b/arch/x86/kernel/signal.c +@@ -688,12 +688,15 @@ handle_signal(struct ksignal *ksig, stru + signal_setup_done(failed, ksig, stepping); + } + +-#ifdef CONFIG_X86_32 +-#define NR_restart_syscall __NR_restart_syscall +-#else /* !CONFIG_X86_32 */ +-#define NR_restart_syscall \ +- test_thread_flag(TIF_IA32) ? __NR_ia32_restart_syscall : __NR_restart_syscall +-#endif /* CONFIG_X86_32 */ ++static inline unsigned long get_nr_restart_syscall(const struct pt_regs *regs) ++{ ++#if defined(CONFIG_X86_32) || !defined(CONFIG_X86_64) ++ return __NR_restart_syscall; ++#else /* !CONFIG_X86_32 && CONFIG_X86_64 */ ++ return test_thread_flag(TIF_IA32) ? __NR_ia32_restart_syscall : ++ __NR_restart_syscall | (regs->orig_ax & __X32_SYSCALL_BIT); ++#endif /* CONFIG_X86_32 || !CONFIG_X86_64 */ ++} + + /* + * Note that 'init' is a special process: it doesn't get signals it doesn't +@@ -722,7 +725,7 @@ void do_signal(struct pt_regs *regs) + break; + + case -ERESTART_RESTARTBLOCK: +- regs->ax = NR_restart_syscall; ++ regs->ax = get_nr_restart_syscall(regs); + regs->ip -= 2; + break; + } diff --git a/queue-4.3/x86-smpboot-re-enable-init_udelay-0-by-default-on-modern-cpus.patch b/queue-4.3/x86-smpboot-re-enable-init_udelay-0-by-default-on-modern-cpus.patch new file mode 100644 index 00000000000..0b730047934 --- /dev/null +++ b/queue-4.3/x86-smpboot-re-enable-init_udelay-0-by-default-on-modern-cpus.patch @@ -0,0 +1,59 @@ +From 656279a1f3b210cf48ccc572fd7c6b8e2250be77 Mon Sep 17 00:00:00 2001 +From: Len Brown +Date: Sun, 22 Nov 2015 18:16:15 -0500 +Subject: x86 smpboot: Re-enable init_udelay=0 by default on modern CPUs + +From: Len Brown + +commit 656279a1f3b210cf48ccc572fd7c6b8e2250be77 upstream. + +commit f1ccd249319e allowed the cmdline "cpu_init_udelay=" to work +with all values, including the default of 10000. + +But in setting the default of 10000, it over-rode the code that sets +the delay 0 on modern processors. + +Also, tidy up use of INT/UINT. + +Fixes: f1ccd249319e "x86/smpboot: Fix cpu_init_udelay=10000 corner case boot parameter misbehavior" +Reported-by: Shane +Signed-off-by: Len Brown +Cc: dparsons@brightdsl.net +Link: http://lkml.kernel.org/r/9082eb809ef40dad02db714759c7aaf618c518d4.1448232494.git.len.brown@intel.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/smpboot.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -509,7 +509,7 @@ void __inquire_remote_apic(int apicid) + */ + #define UDELAY_10MS_DEFAULT 10000 + +-static unsigned int init_udelay = INT_MAX; ++static unsigned int init_udelay = UINT_MAX; + + static int __init cpu_init_udelay(char *str) + { +@@ -522,14 +522,15 @@ early_param("cpu_init_udelay", cpu_init_ + static void __init smp_quirk_init_udelay(void) + { + /* if cmdline changed it from default, leave it alone */ +- if (init_udelay != INT_MAX) ++ if (init_udelay != UINT_MAX) + return; + + /* if modern processor, use no delay */ + if (((boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) && (boot_cpu_data.x86 == 6)) || +- ((boot_cpu_data.x86_vendor == X86_VENDOR_AMD) && (boot_cpu_data.x86 >= 0xF))) ++ ((boot_cpu_data.x86_vendor == X86_VENDOR_AMD) && (boot_cpu_data.x86 >= 0xF))) { + init_udelay = 0; +- ++ return; ++ } + /* else, use legacy delay */ + init_udelay = UDELAY_10MS_DEFAULT; + } diff --git a/queue-4.3/x86-xen-don-t-reset-vcpu_info-on-a-cancelled-suspend.patch b/queue-4.3/x86-xen-don-t-reset-vcpu_info-on-a-cancelled-suspend.patch new file mode 100644 index 00000000000..1af7a57c4ed --- /dev/null +++ b/queue-4.3/x86-xen-don-t-reset-vcpu_info-on-a-cancelled-suspend.patch @@ -0,0 +1,36 @@ +From 6a1f513776b78c994045287073e55bae44ed9f8c Mon Sep 17 00:00:00 2001 +From: "Ouyang Zhaowei (Charles)" +Date: Wed, 6 May 2015 09:47:04 +0800 +Subject: x86/xen: don't reset vcpu_info on a cancelled suspend + +From: "Ouyang Zhaowei (Charles)" + +commit 6a1f513776b78c994045287073e55bae44ed9f8c upstream. + +On a cancelled suspend the vcpu_info location does not change (it's +still in the per-cpu area registered by xen_vcpu_setup()). So do not +call xen_hvm_init_shared_info() which would make the kernel think its +back in the shared info. With the wrong vcpu_info, events cannot be +received and the domain will hang after a cancelled suspend. + +Signed-off-by: Charles Ouyang +Reviewed-by: Boris Ostrovsky +Signed-off-by: David Vrabel +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/xen/suspend.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/xen/suspend.c ++++ b/arch/x86/xen/suspend.c +@@ -33,7 +33,8 @@ static void xen_hvm_post_suspend(int sus + { + #ifdef CONFIG_XEN_PVHVM + int cpu; +- xen_hvm_init_shared_info(); ++ if (!suspend_cancelled) ++ xen_hvm_init_shared_info(); + xen_callback_vector(); + xen_unplug_emulated_devices(); + if (xen_feature(XENFEAT_hvm_safe_pvclock)) { diff --git a/queue-4.3/xen-gntdev-grant-maps-should-not-be-subject-to-numa-balancing.patch b/queue-4.3/xen-gntdev-grant-maps-should-not-be-subject-to-numa-balancing.patch new file mode 100644 index 00000000000..49279e809b0 --- /dev/null +++ b/queue-4.3/xen-gntdev-grant-maps-should-not-be-subject-to-numa-balancing.patch @@ -0,0 +1,40 @@ +From 9c17d96500f78d7ecdb71ca6942830158bc75a2b Mon Sep 17 00:00:00 2001 +From: Boris Ostrovsky +Date: Tue, 10 Nov 2015 15:10:33 -0500 +Subject: xen/gntdev: Grant maps should not be subject to NUMA balancing + +From: Boris Ostrovsky + +commit 9c17d96500f78d7ecdb71ca6942830158bc75a2b upstream. + +Doing so will cause the grant to be unmapped and then, during +fault handling, the fault to be mistakenly treated as NUMA hint +fault. + +In addition, even if those maps could partcipate in NUMA +balancing, it wouldn't provide any benefit since we are unable +to determine physical page's node (even if/when VNUMA is +implemented). + +Marking grant maps' VMAs as VM_IO will exclude them from being +part of NUMA balancing. + +Signed-off-by: Boris Ostrovsky +Signed-off-by: David Vrabel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/gntdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/xen/gntdev.c ++++ b/drivers/xen/gntdev.c +@@ -804,7 +804,7 @@ static int gntdev_mmap(struct file *flip + + vma->vm_ops = &gntdev_vmops; + +- vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP; ++ vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP | VM_IO; + + if (use_ptemod) + vma->vm_flags |= VM_DONTCOPY;