From: Greg Kroah-Hartman Date: Thu, 18 Aug 2016 08:30:21 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.14.77~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3c5643e82101856a4c2810f4e1228b3bdd00c24c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: arm64-dts-rockchip-fixes-the-gic400-2nd-region-size-for-rk3368.patch arm64-mm-avoid-fdt_check_header-before-the-fdt-is-fully-mapped.patch bluetooth-hci_intel-fix-null-gpio-desc-pointer-dereference.patch gpio-intel-mid-remove-potentially-harmful-code.patch gpio-pca953x-fix-nbank-calculation-for-pca9536.patch intel_pstate-fix-msr_config_tdp_x-addressing-in-core_get_max_pstate.patch kvm-mtrr-fix-kvm_mtrr_check_gfn_range_consistency-page-fault.patch kvm-nvmx-fix-memory-corruption-when-using-vmcs-shadowing.patch kvm-ppc-book3s-hv-pull-out-tm-state-save-restore-into-separate-procedures.patch kvm-ppc-book3s-hv-save-restore-tm-state-in-h_cede.patch kvm-vmx-handle-pml-full-vmexit-that-occurs-during-event-delivery.patch mfd-qcom_rpm-fix-offset-error-for-msm8660.patch mfd-qcom_rpm-parametrize-also-ack-selector-size.patch pinctrl-cherryview-prevent-concurrent-access-to-gpio-controllers.patch s390-cio-allow-to-reset-channel-measurement-block.patch serial-samsung-fix-err-pointer-dereference-on-deferred-probe.patch tty-serial-atmel-fix-rs485-half-duplex-with-dma.patch tty-serial-msm-don-t-read-off-end-of-tx-fifo.patch --- diff --git a/queue-4.4/arm64-dts-rockchip-fixes-the-gic400-2nd-region-size-for-rk3368.patch b/queue-4.4/arm64-dts-rockchip-fixes-the-gic400-2nd-region-size-for-rk3368.patch new file mode 100644 index 00000000000..066f2aa1acf --- /dev/null +++ b/queue-4.4/arm64-dts-rockchip-fixes-the-gic400-2nd-region-size-for-rk3368.patch @@ -0,0 +1,50 @@ +From ad1cfdf518976447e6b0d31517bad4e3ebbce6bb Mon Sep 17 00:00:00 2001 +From: Caesar Wang +Date: Wed, 18 May 2016 22:41:50 +0800 +Subject: arm64: dts: rockchip: fixes the gic400 2nd region size for rk3368 + +From: Caesar Wang + +commit ad1cfdf518976447e6b0d31517bad4e3ebbce6bb upstream. + +The 2nd additional region is the GIC virtual cpu interface register +base and size. + +As the gic400 of rk3368 says, the cpu interface register map as below + +: + +-0x0000 GICC_CTRL +. +. +. +-0x00fc GICC_IIDR +-0x1000 GICC_IDR + +Obviously, the region size should be greater than 0x1000. +So we should make sure to include the GICC_IDR since the kernel will access +it in some cases. + +Fixes: b790c2cab5ca ("arm64: dts: add Rockchip rk3368 core dtsi and board dts for the r88 board") +Signed-off-by: Caesar Wang +Reviewed-by: Shawn Lin +Signed-off-by: Greg Kroah-Hartman + +[added Fixes and stable-cc] +Signed-off-by: Heiko Stuebner + +--- + arch/arm64/boot/dts/rockchip/rk3368.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3368.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3368.dtsi +@@ -517,7 +517,7 @@ + #address-cells = <0>; + + reg = <0x0 0xffb71000 0x0 0x1000>, +- <0x0 0xffb72000 0x0 0x1000>, ++ <0x0 0xffb72000 0x0 0x2000>, + <0x0 0xffb74000 0x0 0x2000>, + <0x0 0xffb76000 0x0 0x2000>; + interrupts = +Date: Mon, 1 Aug 2016 13:29:31 +0200 +Subject: arm64: mm: avoid fdt_check_header() before the FDT is fully mapped + +From: Ard Biesheuvel + +commit 04a848106193b134741672f7e4e444b50c70b631 upstream. + +As reported by Zijun, the fdt_check_header() call in __fixmap_remap_fdt() +is not safe since it is not guaranteed that the FDT header is mapped +completely. Due to the minimum alignment of 8 bytes, the only fields we +can assume to be mapped are 'magic' and 'totalsize'. + +Since the OF layer is in charge of validating the FDT image, and we are +only interested in making reasonably sure that the size field contains +a meaningful value, replace the fdt_check_header() call with an explicit +comparison of the magic field's value against the expected value. + +Reported-by: Zijun Hu +Acked-by: Mark Rutland +Signed-off-by: Ard Biesheuvel +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/mm/mmu.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -652,9 +652,9 @@ void *__init fixmap_remap_fdt(phys_addr_ + /* + * Check whether the physical FDT address is set and meets the minimum + * alignment requirement. Since we are relying on MIN_FDT_ALIGN to be +- * at least 8 bytes so that we can always access the size field of the +- * FDT header after mapping the first chunk, double check here if that +- * is indeed the case. ++ * at least 8 bytes so that we can always access the magic and size ++ * fields of the FDT header after mapping the first chunk, double check ++ * here if that is indeed the case. + */ + BUILD_BUG_ON(MIN_FDT_ALIGN < 8); + if (!dt_phys || dt_phys % MIN_FDT_ALIGN) +@@ -682,7 +682,7 @@ void *__init fixmap_remap_fdt(phys_addr_ + create_mapping(round_down(dt_phys, SWAPPER_BLOCK_SIZE), dt_virt_base, + SWAPPER_BLOCK_SIZE, prot); + +- if (fdt_check_header(dt_virt) != 0) ++ if (fdt_magic(dt_virt) != FDT_MAGIC) + return NULL; + + size = fdt_totalsize(dt_virt); diff --git a/queue-4.4/bluetooth-hci_intel-fix-null-gpio-desc-pointer-dereference.patch b/queue-4.4/bluetooth-hci_intel-fix-null-gpio-desc-pointer-dereference.patch new file mode 100644 index 00000000000..f26f5c4c683 --- /dev/null +++ b/queue-4.4/bluetooth-hci_intel-fix-null-gpio-desc-pointer-dereference.patch @@ -0,0 +1,46 @@ +From 32b9ccbc3522811c0e483637b85ae25f5491296f Mon Sep 17 00:00:00 2001 +From: Loic Poulain +Date: Thu, 28 Apr 2016 18:48:25 +0200 +Subject: Bluetooth: hci_intel: Fix null gpio desc pointer dereference + +From: Loic Poulain + +commit 32b9ccbc3522811c0e483637b85ae25f5491296f upstream. + +gpiod_get_optional can return either ERR_PTR or NULL pointer. +NULL case is not tested and then dereferenced later in desc_to_gpio. +Fix this by using non optional version which returns ERR_PTR in any +error case (this is not an optional gpio). +Use the same non optional version for the host-wake gpio. + +Fixes: 765ea3abd116 ("Bluetooth: hci_intel: Retrieve host-wake IRQ") +Signed-off-by: Loic Poulain +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/hci_intel.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/bluetooth/hci_intel.c ++++ b/drivers/bluetooth/hci_intel.c +@@ -1234,8 +1234,7 @@ static int intel_probe(struct platform_d + + idev->pdev = pdev; + +- idev->reset = devm_gpiod_get_optional(&pdev->dev, "reset", +- GPIOD_OUT_LOW); ++ idev->reset = devm_gpiod_get(&pdev->dev, "reset", GPIOD_OUT_LOW); + if (IS_ERR(idev->reset)) { + dev_err(&pdev->dev, "Unable to retrieve gpio\n"); + return PTR_ERR(idev->reset); +@@ -1247,8 +1246,7 @@ static int intel_probe(struct platform_d + + dev_err(&pdev->dev, "No IRQ, falling back to gpio-irq\n"); + +- host_wake = devm_gpiod_get_optional(&pdev->dev, "host-wake", +- GPIOD_IN); ++ host_wake = devm_gpiod_get(&pdev->dev, "host-wake", GPIOD_IN); + if (IS_ERR(host_wake)) { + dev_err(&pdev->dev, "Unable to retrieve IRQ\n"); + goto no_irq; diff --git a/queue-4.4/gpio-intel-mid-remove-potentially-harmful-code.patch b/queue-4.4/gpio-intel-mid-remove-potentially-harmful-code.patch new file mode 100644 index 00000000000..38fa9543f94 --- /dev/null +++ b/queue-4.4/gpio-intel-mid-remove-potentially-harmful-code.patch @@ -0,0 +1,87 @@ +From 3dbd3212f81b2b410a34a922055e2da792864829 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Wed, 6 Jul 2016 12:50:12 +0300 +Subject: gpio: intel-mid: Remove potentially harmful code + +From: Andy Shevchenko + +commit 3dbd3212f81b2b410a34a922055e2da792864829 upstream. + +The commit d56d6b3d7d69 ("gpio: langwell: add Intel Merrifield support") +doesn't look at all as a proper support for Intel Merrifield and I dare to say +that it distorts the behaviour of the hardware. + +The register map is different on Intel Merrifield, i.e. only 6 out of 8 +register have the same purpose but none of them has same location in the +address space. The current case potentially harmful to existing hardware since +it's poking registers on wrong offsets and may set some pin to be GPIO output +when connected hardware doesn't expect such. + +Besides the above GPIO and pinctrl on Intel Merrifield have been located in +different IP blocks. The functionality has been extended as well, i.e. added +support of level interrupts, special registers for wake capable sources and +thus, in my opinion, requires a completele separate driver. + +If someone wondering the existing gpio-intel-mid.c would be converted to actual +pinctrl (which by the fact it is now), though I wouldn't be a volunteer to do +that. + +Fixes: d56d6b3d7d69 ("gpio: langwell: add Intel Merrifield support") +Signed-off-by: Andy Shevchenko +Reviewed-by: Mika Westerberg +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-intel-mid.c | 19 ------------------- + 1 file changed, 19 deletions(-) + +--- a/drivers/gpio/gpio-intel-mid.c ++++ b/drivers/gpio/gpio-intel-mid.c +@@ -17,7 +17,6 @@ + * Moorestown platform Langwell chip. + * Medfield platform Penwell chip. + * Clovertrail platform Cloverview chip. +- * Merrifield platform Tangier chip. + */ + + #include +@@ -64,10 +63,6 @@ enum GPIO_REG { + /* intel_mid gpio driver data */ + struct intel_mid_gpio_ddata { + u16 ngpio; /* number of gpio pins */ +- u32 gplr_offset; /* offset of first GPLR register from base */ +- u32 flis_base; /* base address of FLIS registers */ +- u32 flis_len; /* length of FLIS registers */ +- u32 (*get_flis_offset)(int gpio); + u32 chip_irq_type; /* chip interrupt type */ + }; + +@@ -257,15 +252,6 @@ static const struct intel_mid_gpio_ddata + .chip_irq_type = INTEL_MID_IRQ_TYPE_EDGE, + }; + +-static const struct intel_mid_gpio_ddata gpio_tangier = { +- .ngpio = 192, +- .gplr_offset = 4, +- .flis_base = 0xff0c0000, +- .flis_len = 0x8000, +- .get_flis_offset = NULL, +- .chip_irq_type = INTEL_MID_IRQ_TYPE_EDGE, +-}; +- + static const struct pci_device_id intel_gpio_ids[] = { + { + /* Lincroft */ +@@ -292,11 +278,6 @@ static const struct pci_device_id intel_ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x08f7), + .driver_data = (kernel_ulong_t)&gpio_cloverview_core, + }, +- { +- /* Tangier */ +- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x1199), +- .driver_data = (kernel_ulong_t)&gpio_tangier, +- }, + { 0 } + }; + MODULE_DEVICE_TABLE(pci, intel_gpio_ids); diff --git a/queue-4.4/gpio-pca953x-fix-nbank-calculation-for-pca9536.patch b/queue-4.4/gpio-pca953x-fix-nbank-calculation-for-pca9536.patch new file mode 100644 index 00000000000..3663017525e --- /dev/null +++ b/queue-4.4/gpio-pca953x-fix-nbank-calculation-for-pca9536.patch @@ -0,0 +1,34 @@ +From a246b8198f776a16d1d3a3bbfc2d437bad766b29 Mon Sep 17 00:00:00 2001 +From: Vignesh R +Date: Thu, 9 Jun 2016 11:02:04 +0530 +Subject: gpio: pca953x: Fix NBANK calculation for PCA9536 + +From: Vignesh R + +commit a246b8198f776a16d1d3a3bbfc2d437bad766b29 upstream. + +NBANK() macro assumes that ngpios is a multiple of 8(BANK_SZ) and +hence results in 0 banks for PCA9536 which has just 4 gpios. This is +wrong as PCA9356 has 1 bank with 4 gpios. This results in uninitialized +PCA953X_INVERT register. Fix this by using DIV_ROUND_UP macro in +NBANK(). + +Signed-off-by: Vignesh R +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-pca953x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -86,7 +86,7 @@ MODULE_DEVICE_TABLE(acpi, pca953x_acpi_i + #define MAX_BANK 5 + #define BANK_SZ 8 + +-#define NBANK(chip) (chip->gpio_chip.ngpio / BANK_SZ) ++#define NBANK(chip) DIV_ROUND_UP(chip->gpio_chip.ngpio, BANK_SZ) + + struct pca953x_chip { + unsigned gpio_start; diff --git a/queue-4.4/intel_pstate-fix-msr_config_tdp_x-addressing-in-core_get_max_pstate.patch b/queue-4.4/intel_pstate-fix-msr_config_tdp_x-addressing-in-core_get_max_pstate.patch new file mode 100644 index 00000000000..0d8a56cec0a --- /dev/null +++ b/queue-4.4/intel_pstate-fix-msr_config_tdp_x-addressing-in-core_get_max_pstate.patch @@ -0,0 +1,35 @@ +From 5fc8f707a2aa40c767c3a338738b9b6fcd151ac1 Mon Sep 17 00:00:00 2001 +From: Jan Kiszka +Date: Fri, 8 Jul 2016 20:42:04 +0200 +Subject: intel_pstate: Fix MSR_CONFIG_TDP_x addressing in core_get_max_pstate() + +From: Jan Kiszka + +commit 5fc8f707a2aa40c767c3a338738b9b6fcd151ac1 upstream. + +If MSR_CONFIG_TDP_CONTROL is locked, we currently try to address some +MSR 0x80000648 or so. Mask out the relevant level bits 0 and 1. + +Found while running over the Jailhouse hypervisor which became upset +about this strange MSR index. + +Signed-off-by: Jan Kiszka +Acked-by: Srinivas Pandruvada +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/intel_pstate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -662,7 +662,7 @@ static int core_get_max_pstate(void) + if (err) + goto skip_tar; + +- tdp_msr = MSR_CONFIG_TDP_NOMINAL + tdp_ctrl; ++ tdp_msr = MSR_CONFIG_TDP_NOMINAL + (tdp_ctrl & 0x3); + err = rdmsrl_safe(tdp_msr, &tdp_ratio); + if (err) + goto skip_tar; diff --git a/queue-4.4/kvm-mtrr-fix-kvm_mtrr_check_gfn_range_consistency-page-fault.patch b/queue-4.4/kvm-mtrr-fix-kvm_mtrr_check_gfn_range_consistency-page-fault.patch new file mode 100644 index 00000000000..4c5972db95b --- /dev/null +++ b/queue-4.4/kvm-mtrr-fix-kvm_mtrr_check_gfn_range_consistency-page-fault.patch @@ -0,0 +1,60 @@ +From 30b072ce0356e8b141f4ca6da7220486fa3641d9 Mon Sep 17 00:00:00 2001 +From: Alexis Dambricourt +Date: Mon, 4 Jul 2016 21:05:15 +0200 +Subject: KVM: MTRR: fix kvm_mtrr_check_gfn_range_consistency page fault + +From: Alexis Dambricourt + +commit 30b072ce0356e8b141f4ca6da7220486fa3641d9 upstream. + +The following #PF may occurs: +[ 1403.317041] BUG: unable to handle kernel paging request at 0000000200000068 +[ 1403.317045] IP: [] __mtrr_lookup_var_next+0x10/0xa0 [kvm] + +[ 1403.317123] Call Trace: +[ 1403.317134] [] ? kvm_mtrr_check_gfn_range_consistency+0xc5/0x120 [kvm] +[ 1403.317143] [] ? tdp_page_fault+0x9f/0x2c0 [kvm] +[ 1403.317152] [] ? kvm_set_msr_common+0x858/0xc00 [kvm] +[ 1403.317161] [] ? x86_emulate_insn+0x273/0xd30 [kvm] +[ 1403.317171] [] ? kvm_cpuid+0x34/0x190 [kvm] +[ 1403.317180] [] ? kvm_mmu_page_fault+0x59/0xe0 [kvm] +[ 1403.317183] [] ? vmx_handle_exit+0x1d1/0x14a0 [kvm_intel] +[ 1403.317185] [] ? atomic_switch_perf_msrs+0x6f/0xa0 [kvm_intel] +[ 1403.317187] [] ? vmx_vcpu_run+0x2ad/0x420 [kvm_intel] +[ 1403.317196] [] ? kvm_arch_vcpu_ioctl_run+0x622/0x1550 [kvm] +[ 1403.317204] [] ? kvm_arch_vcpu_load+0x59/0x210 [kvm] +[ 1403.317206] [] ? __kernel_fpu_end+0x35/0x100 +[ 1403.317213] [] ? kvm_vcpu_ioctl+0x316/0x5d0 [kvm] +[ 1403.317215] [] ? do_sigtimedwait+0xd5/0x220 +[ 1403.317217] [] ? do_vfs_ioctl+0x9d/0x5c0 +[ 1403.317224] [] ? kvm_on_user_return+0x3e/0x70 [kvm] +[ 1403.317225] [] ? SyS_ioctl+0x74/0x80 +[ 1403.317227] [] ? entry_SYSCALL_64_fastpath+0x1e/0xa8 +[ 1403.317242] RIP [] __mtrr_lookup_var_next+0x10/0xa0 [kvm] + +At mtrr_lookup_fixed_next(), when the condition +'if (iter->index >= ARRAY_SIZE(iter->mtrr_state->fixed_ranges))' becomes true, +mtrr_lookup_var_start() is called with iter->range with gargabe values from the +fixed MTRR union field. Then, list_prepare_entry() do not call list_entry() +initialization, keeping a garbage pointer in iter->range which is accessed in +the following __mtrr_lookup_var_next() call. + +Fixes: f571c0973e4b8c888e049b6842e4b4f93b5c609c +Signed-off-by: Alexis Dambricourt +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/mtrr.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kvm/mtrr.c ++++ b/arch/x86/kvm/mtrr.c +@@ -539,6 +539,7 @@ static void mtrr_lookup_var_start(struct + + iter->fixed = false; + iter->start_max = iter->start; ++ iter->range = NULL; + iter->range = list_prepare_entry(iter->range, &mtrr_state->head, node); + + __mtrr_lookup_var_next(iter); diff --git a/queue-4.4/kvm-nvmx-fix-memory-corruption-when-using-vmcs-shadowing.patch b/queue-4.4/kvm-nvmx-fix-memory-corruption-when-using-vmcs-shadowing.patch new file mode 100644 index 00000000000..db573c05424 --- /dev/null +++ b/queue-4.4/kvm-nvmx-fix-memory-corruption-when-using-vmcs-shadowing.patch @@ -0,0 +1,85 @@ +From 2f1fe81123f59271bddda673b60116bde9660385 Mon Sep 17 00:00:00 2001 +From: Jim Mattson +Date: Fri, 8 Jul 2016 15:36:06 -0700 +Subject: KVM: nVMX: Fix memory corruption when using VMCS shadowing + +From: Jim Mattson + +commit 2f1fe81123f59271bddda673b60116bde9660385 upstream. + +When freeing the nested resources of a vcpu, there is an assumption that +the vcpu's vmcs01 is the current VMCS on the CPU that executes +nested_release_vmcs12(). If this assumption is violated, the vcpu's +vmcs01 may be made active on multiple CPUs at the same time, in +violation of Intel's specification. Moreover, since the vcpu's vmcs01 is +not VMCLEARed on every CPU on which it is active, it can linger in a +CPU's VMCS cache after it has been freed and potentially +repurposed. Subsequent eviction from the CPU's VMCS cache on a capacity +miss can result in memory corruption. + +It is not sufficient for vmx_free_vcpu() to call vmx_load_vmcs01(). If +the vcpu in question was last loaded on a different CPU, it must be +migrated to the current CPU before calling vmx_load_vmcs01(). + +Signed-off-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 19 +++++++++++++++++-- + virt/kvm/kvm_main.c | 2 ++ + 2 files changed, 19 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -8737,6 +8737,22 @@ static void vmx_load_vmcs01(struct kvm_v + put_cpu(); + } + ++/* ++ * Ensure that the current vmcs of the logical processor is the ++ * vmcs01 of the vcpu before calling free_nested(). ++ */ ++static void vmx_free_vcpu_nested(struct kvm_vcpu *vcpu) ++{ ++ struct vcpu_vmx *vmx = to_vmx(vcpu); ++ int r; ++ ++ r = vcpu_load(vcpu); ++ BUG_ON(r); ++ vmx_load_vmcs01(vcpu); ++ free_nested(vmx); ++ vcpu_put(vcpu); ++} ++ + static void vmx_free_vcpu(struct kvm_vcpu *vcpu) + { + struct vcpu_vmx *vmx = to_vmx(vcpu); +@@ -8745,8 +8761,7 @@ static void vmx_free_vcpu(struct kvm_vcp + vmx_destroy_pml_buffer(vmx); + free_vpid(vmx->vpid); + leave_guest_mode(vcpu); +- vmx_load_vmcs01(vcpu); +- free_nested(vmx); ++ vmx_free_vcpu_nested(vcpu); + free_loaded_vmcs(vmx->loaded_vmcs); + kfree(vmx->guest_msrs); + kvm_vcpu_uninit(vcpu); +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -142,6 +142,7 @@ int vcpu_load(struct kvm_vcpu *vcpu) + put_cpu(); + return 0; + } ++EXPORT_SYMBOL_GPL(vcpu_load); + + void vcpu_put(struct kvm_vcpu *vcpu) + { +@@ -151,6 +152,7 @@ void vcpu_put(struct kvm_vcpu *vcpu) + preempt_enable(); + mutex_unlock(&vcpu->mutex); + } ++EXPORT_SYMBOL_GPL(vcpu_put); + + static void ack_flush(void *_completed) + { diff --git a/queue-4.4/kvm-ppc-book3s-hv-pull-out-tm-state-save-restore-into-separate-procedures.patch b/queue-4.4/kvm-ppc-book3s-hv-pull-out-tm-state-save-restore-into-separate-procedures.patch new file mode 100644 index 00000000000..ceb4ab793fb --- /dev/null +++ b/queue-4.4/kvm-ppc-book3s-hv-pull-out-tm-state-save-restore-into-separate-procedures.patch @@ -0,0 +1,508 @@ +From f024ee098476a3e620232e4a78cfac505f121245 Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Wed, 22 Jun 2016 14:21:59 +1000 +Subject: KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures + +From: Paul Mackerras + +commit f024ee098476a3e620232e4a78cfac505f121245 upstream. + +This moves the transactional memory state save and restore sequences +out of the guest entry/exit paths into separate procedures. This is +so that these sequences can be used in going into and out of nap +in a subsequent patch. + +The only code changes here are (a) saving and restore LR on the +stack, since these new procedures get called with a bl instruction, +(b) explicitly saving r1 into the PACA instead of assuming that +HSTATE_HOST_R1(r13) is already set, and (c) removing an unnecessary +and redundant setting of MSR[TM] that should have been removed by +commit 9d4d0bdd9e0a ("KVM: PPC: Book3S HV: Add transactional memory +support", 2013-09-24) but wasn't. + +Signed-off-by: Paul Mackerras +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_hv_rmhandlers.S | 449 ++++++++++++++++---------------- + 1 file changed, 237 insertions(+), 212 deletions(-) + +--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S ++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +@@ -655,112 +655,8 @@ END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_207S) + + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM + BEGIN_FTR_SECTION +- b skip_tm +-END_FTR_SECTION_IFCLR(CPU_FTR_TM) +- +- /* Turn on TM/FP/VSX/VMX so we can restore them. */ +- mfmsr r5 +- li r6, MSR_TM >> 32 +- sldi r6, r6, 32 +- or r5, r5, r6 +- ori r5, r5, MSR_FP +- oris r5, r5, (MSR_VEC | MSR_VSX)@h +- mtmsrd r5 +- +- /* +- * The user may change these outside of a transaction, so they must +- * always be context switched. +- */ +- ld r5, VCPU_TFHAR(r4) +- ld r6, VCPU_TFIAR(r4) +- ld r7, VCPU_TEXASR(r4) +- mtspr SPRN_TFHAR, r5 +- mtspr SPRN_TFIAR, r6 +- mtspr SPRN_TEXASR, r7 +- +- ld r5, VCPU_MSR(r4) +- rldicl. r5, r5, 64 - MSR_TS_S_LG, 62 +- beq skip_tm /* TM not active in guest */ +- +- /* Make sure the failure summary is set, otherwise we'll program check +- * when we trechkpt. It's possible that this might have been not set +- * on a kvmppc_set_one_reg() call but we shouldn't let this crash the +- * host. +- */ +- oris r7, r7, (TEXASR_FS)@h +- mtspr SPRN_TEXASR, r7 +- +- /* +- * We need to load up the checkpointed state for the guest. +- * We need to do this early as it will blow away any GPRs, VSRs and +- * some SPRs. +- */ +- +- mr r31, r4 +- addi r3, r31, VCPU_FPRS_TM +- bl load_fp_state +- addi r3, r31, VCPU_VRS_TM +- bl load_vr_state +- mr r4, r31 +- lwz r7, VCPU_VRSAVE_TM(r4) +- mtspr SPRN_VRSAVE, r7 +- +- ld r5, VCPU_LR_TM(r4) +- lwz r6, VCPU_CR_TM(r4) +- ld r7, VCPU_CTR_TM(r4) +- ld r8, VCPU_AMR_TM(r4) +- ld r9, VCPU_TAR_TM(r4) +- mtlr r5 +- mtcr r6 +- mtctr r7 +- mtspr SPRN_AMR, r8 +- mtspr SPRN_TAR, r9 +- +- /* +- * Load up PPR and DSCR values but don't put them in the actual SPRs +- * till the last moment to avoid running with userspace PPR and DSCR for +- * too long. +- */ +- ld r29, VCPU_DSCR_TM(r4) +- ld r30, VCPU_PPR_TM(r4) +- +- std r2, PACATMSCRATCH(r13) /* Save TOC */ +- +- /* Clear the MSR RI since r1, r13 are all going to be foobar. */ +- li r5, 0 +- mtmsrd r5, 1 +- +- /* Load GPRs r0-r28 */ +- reg = 0 +- .rept 29 +- ld reg, VCPU_GPRS_TM(reg)(r31) +- reg = reg + 1 +- .endr +- +- mtspr SPRN_DSCR, r29 +- mtspr SPRN_PPR, r30 +- +- /* Load final GPRs */ +- ld 29, VCPU_GPRS_TM(29)(r31) +- ld 30, VCPU_GPRS_TM(30)(r31) +- ld 31, VCPU_GPRS_TM(31)(r31) +- +- /* TM checkpointed state is now setup. All GPRs are now volatile. */ +- TRECHKPT +- +- /* Now let's get back the state we need. */ +- HMT_MEDIUM +- GET_PACA(r13) +- ld r29, HSTATE_DSCR(r13) +- mtspr SPRN_DSCR, r29 +- ld r4, HSTATE_KVM_VCPU(r13) +- ld r1, HSTATE_HOST_R1(r13) +- ld r2, PACATMSCRATCH(r13) +- +- /* Set the MSR RI since we have our registers back. */ +- li r5, MSR_RI +- mtmsrd r5, 1 +-skip_tm: ++ bl kvmppc_restore_tm ++END_FTR_SECTION_IFSET(CPU_FTR_TM) + #endif + + /* Load guest PMU registers */ +@@ -841,12 +737,6 @@ BEGIN_FTR_SECTION + /* Skip next section on POWER7 */ + b 8f + END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_207S) +- /* Turn on TM so we can access TFHAR/TFIAR/TEXASR */ +- mfmsr r8 +- li r0, 1 +- rldimi r8, r0, MSR_TM_LG, 63-MSR_TM_LG +- mtmsrd r8 +- + /* Load up POWER8-specific registers */ + ld r5, VCPU_IAMR(r4) + lwz r6, VCPU_PSPB(r4) +@@ -1436,106 +1326,8 @@ END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_207S) + + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM + BEGIN_FTR_SECTION +- b 2f +-END_FTR_SECTION_IFCLR(CPU_FTR_TM) +- /* Turn on TM. */ +- mfmsr r8 +- li r0, 1 +- rldimi r8, r0, MSR_TM_LG, 63-MSR_TM_LG +- mtmsrd r8 +- +- ld r5, VCPU_MSR(r9) +- rldicl. r5, r5, 64 - MSR_TS_S_LG, 62 +- beq 1f /* TM not active in guest. */ +- +- li r3, TM_CAUSE_KVM_RESCHED +- +- /* Clear the MSR RI since r1, r13 are all going to be foobar. */ +- li r5, 0 +- mtmsrd r5, 1 +- +- /* All GPRs are volatile at this point. */ +- TRECLAIM(R3) +- +- /* Temporarily store r13 and r9 so we have some regs to play with */ +- SET_SCRATCH0(r13) +- GET_PACA(r13) +- std r9, PACATMSCRATCH(r13) +- ld r9, HSTATE_KVM_VCPU(r13) +- +- /* Get a few more GPRs free. */ +- std r29, VCPU_GPRS_TM(29)(r9) +- std r30, VCPU_GPRS_TM(30)(r9) +- std r31, VCPU_GPRS_TM(31)(r9) +- +- /* Save away PPR and DSCR soon so don't run with user values. */ +- mfspr r31, SPRN_PPR +- HMT_MEDIUM +- mfspr r30, SPRN_DSCR +- ld r29, HSTATE_DSCR(r13) +- mtspr SPRN_DSCR, r29 +- +- /* Save all but r9, r13 & r29-r31 */ +- reg = 0 +- .rept 29 +- .if (reg != 9) && (reg != 13) +- std reg, VCPU_GPRS_TM(reg)(r9) +- .endif +- reg = reg + 1 +- .endr +- /* ... now save r13 */ +- GET_SCRATCH0(r4) +- std r4, VCPU_GPRS_TM(13)(r9) +- /* ... and save r9 */ +- ld r4, PACATMSCRATCH(r13) +- std r4, VCPU_GPRS_TM(9)(r9) +- +- /* Reload stack pointer and TOC. */ +- ld r1, HSTATE_HOST_R1(r13) +- ld r2, PACATOC(r13) +- +- /* Set MSR RI now we have r1 and r13 back. */ +- li r5, MSR_RI +- mtmsrd r5, 1 +- +- /* Save away checkpinted SPRs. */ +- std r31, VCPU_PPR_TM(r9) +- std r30, VCPU_DSCR_TM(r9) +- mflr r5 +- mfcr r6 +- mfctr r7 +- mfspr r8, SPRN_AMR +- mfspr r10, SPRN_TAR +- std r5, VCPU_LR_TM(r9) +- stw r6, VCPU_CR_TM(r9) +- std r7, VCPU_CTR_TM(r9) +- std r8, VCPU_AMR_TM(r9) +- std r10, VCPU_TAR_TM(r9) +- +- /* Restore r12 as trap number. */ +- lwz r12, VCPU_TRAP(r9) +- +- /* Save FP/VSX. */ +- addi r3, r9, VCPU_FPRS_TM +- bl store_fp_state +- addi r3, r9, VCPU_VRS_TM +- bl store_vr_state +- mfspr r6, SPRN_VRSAVE +- stw r6, VCPU_VRSAVE_TM(r9) +-1: +- /* +- * We need to save these SPRs after the treclaim so that the software +- * error code is recorded correctly in the TEXASR. Also the user may +- * change these outside of a transaction, so they must always be +- * context switched. +- */ +- mfspr r5, SPRN_TFHAR +- mfspr r6, SPRN_TFIAR +- mfspr r7, SPRN_TEXASR +- std r5, VCPU_TFHAR(r9) +- std r6, VCPU_TFIAR(r9) +- std r7, VCPU_TEXASR(r9) +-2: ++ bl kvmppc_save_tm ++END_FTR_SECTION_IFSET(CPU_FTR_TM) + #endif + + /* Increment yield count if they have a VPA */ +@@ -2629,6 +2421,239 @@ END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC) + mr r4,r31 + blr + ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++/* ++ * Save transactional state and TM-related registers. ++ * Called with r9 pointing to the vcpu struct. ++ * This can modify all checkpointed registers, but ++ * restores r1, r2 and r9 (vcpu pointer) before exit. ++ */ ++kvmppc_save_tm: ++ mflr r0 ++ std r0, PPC_LR_STKOFF(r1) ++ ++ /* Turn on TM. */ ++ mfmsr r8 ++ li r0, 1 ++ rldimi r8, r0, MSR_TM_LG, 63-MSR_TM_LG ++ mtmsrd r8 ++ ++ ld r5, VCPU_MSR(r9) ++ rldicl. r5, r5, 64 - MSR_TS_S_LG, 62 ++ beq 1f /* TM not active in guest. */ ++ ++ std r1, HSTATE_HOST_R1(r13) ++ li r3, TM_CAUSE_KVM_RESCHED ++ ++ /* Clear the MSR RI since r1, r13 are all going to be foobar. */ ++ li r5, 0 ++ mtmsrd r5, 1 ++ ++ /* All GPRs are volatile at this point. */ ++ TRECLAIM(R3) ++ ++ /* Temporarily store r13 and r9 so we have some regs to play with */ ++ SET_SCRATCH0(r13) ++ GET_PACA(r13) ++ std r9, PACATMSCRATCH(r13) ++ ld r9, HSTATE_KVM_VCPU(r13) ++ ++ /* Get a few more GPRs free. */ ++ std r29, VCPU_GPRS_TM(29)(r9) ++ std r30, VCPU_GPRS_TM(30)(r9) ++ std r31, VCPU_GPRS_TM(31)(r9) ++ ++ /* Save away PPR and DSCR soon so don't run with user values. */ ++ mfspr r31, SPRN_PPR ++ HMT_MEDIUM ++ mfspr r30, SPRN_DSCR ++ ld r29, HSTATE_DSCR(r13) ++ mtspr SPRN_DSCR, r29 ++ ++ /* Save all but r9, r13 & r29-r31 */ ++ reg = 0 ++ .rept 29 ++ .if (reg != 9) && (reg != 13) ++ std reg, VCPU_GPRS_TM(reg)(r9) ++ .endif ++ reg = reg + 1 ++ .endr ++ /* ... now save r13 */ ++ GET_SCRATCH0(r4) ++ std r4, VCPU_GPRS_TM(13)(r9) ++ /* ... and save r9 */ ++ ld r4, PACATMSCRATCH(r13) ++ std r4, VCPU_GPRS_TM(9)(r9) ++ ++ /* Reload stack pointer and TOC. */ ++ ld r1, HSTATE_HOST_R1(r13) ++ ld r2, PACATOC(r13) ++ ++ /* Set MSR RI now we have r1 and r13 back. */ ++ li r5, MSR_RI ++ mtmsrd r5, 1 ++ ++ /* Save away checkpinted SPRs. */ ++ std r31, VCPU_PPR_TM(r9) ++ std r30, VCPU_DSCR_TM(r9) ++ mflr r5 ++ mfcr r6 ++ mfctr r7 ++ mfspr r8, SPRN_AMR ++ mfspr r10, SPRN_TAR ++ std r5, VCPU_LR_TM(r9) ++ stw r6, VCPU_CR_TM(r9) ++ std r7, VCPU_CTR_TM(r9) ++ std r8, VCPU_AMR_TM(r9) ++ std r10, VCPU_TAR_TM(r9) ++ ++ /* Restore r12 as trap number. */ ++ lwz r12, VCPU_TRAP(r9) ++ ++ /* Save FP/VSX. */ ++ addi r3, r9, VCPU_FPRS_TM ++ bl store_fp_state ++ addi r3, r9, VCPU_VRS_TM ++ bl store_vr_state ++ mfspr r6, SPRN_VRSAVE ++ stw r6, VCPU_VRSAVE_TM(r9) ++1: ++ /* ++ * We need to save these SPRs after the treclaim so that the software ++ * error code is recorded correctly in the TEXASR. Also the user may ++ * change these outside of a transaction, so they must always be ++ * context switched. ++ */ ++ mfspr r5, SPRN_TFHAR ++ mfspr r6, SPRN_TFIAR ++ mfspr r7, SPRN_TEXASR ++ std r5, VCPU_TFHAR(r9) ++ std r6, VCPU_TFIAR(r9) ++ std r7, VCPU_TEXASR(r9) ++ ++ ld r0, PPC_LR_STKOFF(r1) ++ mtlr r0 ++ blr ++ ++/* ++ * Restore transactional state and TM-related registers. ++ * Called with r4 pointing to the vcpu struct. ++ * This potentially modifies all checkpointed registers. ++ * It restores r1, r2, r4 from the PACA. ++ */ ++kvmppc_restore_tm: ++ mflr r0 ++ std r0, PPC_LR_STKOFF(r1) ++ ++ /* Turn on TM/FP/VSX/VMX so we can restore them. */ ++ mfmsr r5 ++ li r6, MSR_TM >> 32 ++ sldi r6, r6, 32 ++ or r5, r5, r6 ++ ori r5, r5, MSR_FP ++ oris r5, r5, (MSR_VEC | MSR_VSX)@h ++ mtmsrd r5 ++ ++ /* ++ * The user may change these outside of a transaction, so they must ++ * always be context switched. ++ */ ++ ld r5, VCPU_TFHAR(r4) ++ ld r6, VCPU_TFIAR(r4) ++ ld r7, VCPU_TEXASR(r4) ++ mtspr SPRN_TFHAR, r5 ++ mtspr SPRN_TFIAR, r6 ++ mtspr SPRN_TEXASR, r7 ++ ++ ld r5, VCPU_MSR(r4) ++ rldicl. r5, r5, 64 - MSR_TS_S_LG, 62 ++ beqlr /* TM not active in guest */ ++ std r1, HSTATE_HOST_R1(r13) ++ ++ /* Make sure the failure summary is set, otherwise we'll program check ++ * when we trechkpt. It's possible that this might have been not set ++ * on a kvmppc_set_one_reg() call but we shouldn't let this crash the ++ * host. ++ */ ++ oris r7, r7, (TEXASR_FS)@h ++ mtspr SPRN_TEXASR, r7 ++ ++ /* ++ * We need to load up the checkpointed state for the guest. ++ * We need to do this early as it will blow away any GPRs, VSRs and ++ * some SPRs. ++ */ ++ ++ mr r31, r4 ++ addi r3, r31, VCPU_FPRS_TM ++ bl load_fp_state ++ addi r3, r31, VCPU_VRS_TM ++ bl load_vr_state ++ mr r4, r31 ++ lwz r7, VCPU_VRSAVE_TM(r4) ++ mtspr SPRN_VRSAVE, r7 ++ ++ ld r5, VCPU_LR_TM(r4) ++ lwz r6, VCPU_CR_TM(r4) ++ ld r7, VCPU_CTR_TM(r4) ++ ld r8, VCPU_AMR_TM(r4) ++ ld r9, VCPU_TAR_TM(r4) ++ mtlr r5 ++ mtcr r6 ++ mtctr r7 ++ mtspr SPRN_AMR, r8 ++ mtspr SPRN_TAR, r9 ++ ++ /* ++ * Load up PPR and DSCR values but don't put them in the actual SPRs ++ * till the last moment to avoid running with userspace PPR and DSCR for ++ * too long. ++ */ ++ ld r29, VCPU_DSCR_TM(r4) ++ ld r30, VCPU_PPR_TM(r4) ++ ++ std r2, PACATMSCRATCH(r13) /* Save TOC */ ++ ++ /* Clear the MSR RI since r1, r13 are all going to be foobar. */ ++ li r5, 0 ++ mtmsrd r5, 1 ++ ++ /* Load GPRs r0-r28 */ ++ reg = 0 ++ .rept 29 ++ ld reg, VCPU_GPRS_TM(reg)(r31) ++ reg = reg + 1 ++ .endr ++ ++ mtspr SPRN_DSCR, r29 ++ mtspr SPRN_PPR, r30 ++ ++ /* Load final GPRs */ ++ ld 29, VCPU_GPRS_TM(29)(r31) ++ ld 30, VCPU_GPRS_TM(30)(r31) ++ ld 31, VCPU_GPRS_TM(31)(r31) ++ ++ /* TM checkpointed state is now setup. All GPRs are now volatile. */ ++ TRECHKPT ++ ++ /* Now let's get back the state we need. */ ++ HMT_MEDIUM ++ GET_PACA(r13) ++ ld r29, HSTATE_DSCR(r13) ++ mtspr SPRN_DSCR, r29 ++ ld r4, HSTATE_KVM_VCPU(r13) ++ ld r1, HSTATE_HOST_R1(r13) ++ ld r2, PACATMSCRATCH(r13) ++ ++ /* Set the MSR RI since we have our registers back. */ ++ li r5, MSR_RI ++ mtmsrd r5, 1 ++ ++ ld r0, PPC_LR_STKOFF(r1) ++ mtlr r0 ++ blr ++#endif ++ + /* + * We come here if we get any exception or interrupt while we are + * executing host real mode code while in guest MMU context. diff --git a/queue-4.4/kvm-ppc-book3s-hv-save-restore-tm-state-in-h_cede.patch b/queue-4.4/kvm-ppc-book3s-hv-save-restore-tm-state-in-h_cede.patch new file mode 100644 index 00000000000..b7e9e8cf787 --- /dev/null +++ b/queue-4.4/kvm-ppc-book3s-hv-save-restore-tm-state-in-h_cede.patch @@ -0,0 +1,69 @@ +From 93d17397e4e2182fdaad503e2f9da46202c0f1c3 Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Wed, 22 Jun 2016 15:52:55 +1000 +Subject: KVM: PPC: Book3S HV: Save/restore TM state in H_CEDE + +From: Paul Mackerras + +commit 93d17397e4e2182fdaad503e2f9da46202c0f1c3 upstream. + +It turns out that if the guest does a H_CEDE while the CPU is in +a transactional state, and the H_CEDE does a nap, and the nap +loses the architected state of the CPU (which is is allowed to do), +then we lose the checkpointed state of the virtual CPU. In addition, +the transactional-memory state recorded in the MSR gets reset back +to non-transactional, and when we try to return to the guest, we take +a TM bad thing type of program interrupt because we are trying to +transition from non-transactional to transactional with a hrfid +instruction, which is not permitted. + +The result of the program interrupt occurring at that point is that +the host CPU will hang in an infinite loop with interrupts disabled. +Thus this is a denial of service vulnerability in the host which can +be triggered by any guest (and depending on the guest kernel, it can +potentially triggered by unprivileged userspace in the guest). + +This vulnerability has been assigned the ID CVE-2016-5412. + +To fix this, we save the TM state before napping and restore it +on exit from the nap, when handling a H_CEDE in real mode. The +case where H_CEDE exits to host virtual mode is already OK (as are +other hcalls which exit to host virtual mode) because the exit +path saves the TM state. + +Signed-off-by: Paul Mackerras +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kvm/book3s_hv_rmhandlers.S | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S ++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +@@ -2037,6 +2037,13 @@ _GLOBAL(kvmppc_h_cede) /* r3 = vcpu poi + /* save FP state */ + bl kvmppc_save_fp + ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++BEGIN_FTR_SECTION ++ ld r9, HSTATE_KVM_VCPU(r13) ++ bl kvmppc_save_tm ++END_FTR_SECTION_IFSET(CPU_FTR_TM) ++#endif ++ + /* + * Set DEC to the smaller of DEC and HDEC, so that we wake + * no later than the end of our timeslice (HDEC interrupts +@@ -2113,6 +2120,12 @@ kvm_end_cede: + bl kvmhv_accumulate_time + #endif + ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++BEGIN_FTR_SECTION ++ bl kvmppc_restore_tm ++END_FTR_SECTION_IFSET(CPU_FTR_TM) ++#endif ++ + /* load up FP state */ + bl kvmppc_load_fp + diff --git a/queue-4.4/kvm-vmx-handle-pml-full-vmexit-that-occurs-during-event-delivery.patch b/queue-4.4/kvm-vmx-handle-pml-full-vmexit-that-occurs-during-event-delivery.patch new file mode 100644 index 00000000000..48479be530a --- /dev/null +++ b/queue-4.4/kvm-vmx-handle-pml-full-vmexit-that-occurs-during-event-delivery.patch @@ -0,0 +1,38 @@ +From b244c9fc251e14a083a1cbf04bef10bd99303a76 Mon Sep 17 00:00:00 2001 +From: "Cao, Lei" +Date: Fri, 15 Jul 2016 13:54:04 +0000 +Subject: KVM: VMX: handle PML full VMEXIT that occurs during event delivery +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cao, Lei + +commit b244c9fc251e14a083a1cbf04bef10bd99303a76 upstream. + +With PML enabled, guest will shut down if a PML full VMEXIT occurs during +event delivery. According to Intel SDM 27.2.3, PML full VMEXIT can occur when +event is being delivered through IDT, so KVM should not exit to user space +with error. Instead, it should let EXIT_REASON_PML_FULL go through and the +event will be re-injected on the next VMENTRY. + +Signed-off-by: Lei Cao +Fixes: 843e4330573c ("KVM: VMX: Add PML support in VMX") +[Shortened the summary and Cc'd stable.] +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -8124,6 +8124,7 @@ static int vmx_handle_exit(struct kvm_vc + if ((vectoring_info & VECTORING_INFO_VALID_MASK) && + (exit_reason != EXIT_REASON_EXCEPTION_NMI && + exit_reason != EXIT_REASON_EPT_VIOLATION && ++ exit_reason != EXIT_REASON_PML_FULL && + exit_reason != EXIT_REASON_TASK_SWITCH)) { + vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; + vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_DELIVERY_EV; diff --git a/queue-4.4/mfd-qcom_rpm-fix-offset-error-for-msm8660.patch b/queue-4.4/mfd-qcom_rpm-fix-offset-error-for-msm8660.patch new file mode 100644 index 00000000000..fd65921ce23 --- /dev/null +++ b/queue-4.4/mfd-qcom_rpm-fix-offset-error-for-msm8660.patch @@ -0,0 +1,159 @@ +From 9835f1b70bb3890d38308b9be4fb9d7451ba67f1 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Wed, 15 Jun 2016 01:02:26 +0200 +Subject: mfd: qcom_rpm: Fix offset error for msm8660 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Walleij + +commit 9835f1b70bb3890d38308b9be4fb9d7451ba67f1 upstream. + +The RPM in MSM8660/APQ8060 has different offsets to the selector +ACK and request context ACK registers. Make all these register +offsets part of the per-SoC data and assign the right values. + +The bug was found by verifying backwards to the vendor tree in +the out-of-tree files : all were using +offsets 3,11,15,23 and a select size of 4, except the MSM8660/APQ8060 +which was using offsets 3,11,19,27 and a select size of 7. + +All other platforms apart from msm8660 were affected by reading +excess registers, since 7 was hardcoded as the number of select +words, this patch makes also this part dynamic so we only write/read +as many select words as the platform actually use. + +Symptoms of this bug when using msm8660: the first RPM transaction +would work, but the next would stall or raise an error since the +previous transaction was not properly ACKed as the ACK words were +read at the wrong offset. + +Fixes: 58e214382bdd ("mfd: qcom-rpm: Driver for the Qualcomm RPM") +Signed-off-by: Linus Walleij +Reviewed-by: Björn Andersson +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/qcom_rpm.c | 50 +++++++++++++++++++++++++++++++++++-------------- + 1 file changed, 36 insertions(+), 14 deletions(-) + +--- a/drivers/mfd/qcom_rpm.c ++++ b/drivers/mfd/qcom_rpm.c +@@ -34,7 +34,12 @@ struct qcom_rpm_resource { + struct qcom_rpm_data { + u32 version; + const struct qcom_rpm_resource *resource_table; +- unsigned n_resources; ++ unsigned int n_resources; ++ unsigned int req_ctx_off; ++ unsigned int req_sel_off; ++ unsigned int ack_ctx_off; ++ unsigned int ack_sel_off; ++ unsigned int sel_size; + }; + + struct qcom_rpm { +@@ -61,11 +66,7 @@ struct qcom_rpm { + + #define RPM_REQUEST_TIMEOUT (5 * HZ) + +-#define RPM_REQUEST_CONTEXT 3 +-#define RPM_REQ_SELECT 11 +-#define RPM_ACK_CONTEXT 15 +-#define RPM_ACK_SELECTOR 23 +-#define RPM_SELECT_SIZE 7 ++#define RPM_MAX_SEL_SIZE 7 + + #define RPM_NOTIFICATION BIT(30) + #define RPM_REJECTED BIT(31) +@@ -157,6 +158,11 @@ static const struct qcom_rpm_data apq806 + .version = 3, + .resource_table = apq8064_rpm_resource_table, + .n_resources = ARRAY_SIZE(apq8064_rpm_resource_table), ++ .req_ctx_off = 3, ++ .req_sel_off = 11, ++ .ack_ctx_off = 15, ++ .ack_sel_off = 23, ++ .sel_size = 4, + }; + + static const struct qcom_rpm_resource msm8660_rpm_resource_table[] = { +@@ -240,6 +246,11 @@ static const struct qcom_rpm_data msm866 + .version = 2, + .resource_table = msm8660_rpm_resource_table, + .n_resources = ARRAY_SIZE(msm8660_rpm_resource_table), ++ .req_ctx_off = 3, ++ .req_sel_off = 11, ++ .ack_ctx_off = 19, ++ .ack_sel_off = 27, ++ .sel_size = 7, + }; + + static const struct qcom_rpm_resource msm8960_rpm_resource_table[] = { +@@ -322,6 +333,11 @@ static const struct qcom_rpm_data msm896 + .version = 3, + .resource_table = msm8960_rpm_resource_table, + .n_resources = ARRAY_SIZE(msm8960_rpm_resource_table), ++ .req_ctx_off = 3, ++ .req_sel_off = 11, ++ .ack_ctx_off = 15, ++ .ack_sel_off = 23, ++ .sel_size = 4, + }; + + static const struct qcom_rpm_resource ipq806x_rpm_resource_table[] = { +@@ -362,6 +378,11 @@ static const struct qcom_rpm_data ipq806 + .version = 3, + .resource_table = ipq806x_rpm_resource_table, + .n_resources = ARRAY_SIZE(ipq806x_rpm_resource_table), ++ .req_ctx_off = 3, ++ .req_sel_off = 11, ++ .ack_ctx_off = 15, ++ .ack_sel_off = 23, ++ .sel_size = 4, + }; + + static const struct of_device_id qcom_rpm_of_match[] = { +@@ -380,7 +401,7 @@ int qcom_rpm_write(struct qcom_rpm *rpm, + { + const struct qcom_rpm_resource *res; + const struct qcom_rpm_data *data = rpm->data; +- u32 sel_mask[RPM_SELECT_SIZE] = { 0 }; ++ u32 sel_mask[RPM_MAX_SEL_SIZE] = { 0 }; + int left; + int ret = 0; + int i; +@@ -398,12 +419,12 @@ int qcom_rpm_write(struct qcom_rpm *rpm, + writel_relaxed(buf[i], RPM_REQ_REG(rpm, res->target_id + i)); + + bitmap_set((unsigned long *)sel_mask, res->select_id, 1); +- for (i = 0; i < ARRAY_SIZE(sel_mask); i++) { ++ for (i = 0; i < rpm->data->sel_size; i++) { + writel_relaxed(sel_mask[i], +- RPM_CTRL_REG(rpm, RPM_REQ_SELECT + i)); ++ RPM_CTRL_REG(rpm, rpm->data->req_sel_off + i)); + } + +- writel_relaxed(BIT(state), RPM_CTRL_REG(rpm, RPM_REQUEST_CONTEXT)); ++ writel_relaxed(BIT(state), RPM_CTRL_REG(rpm, rpm->data->req_ctx_off)); + + reinit_completion(&rpm->ack); + regmap_write(rpm->ipc_regmap, rpm->ipc_offset, BIT(rpm->ipc_bit)); +@@ -426,10 +447,11 @@ static irqreturn_t qcom_rpm_ack_interrup + u32 ack; + int i; + +- ack = readl_relaxed(RPM_CTRL_REG(rpm, RPM_ACK_CONTEXT)); +- for (i = 0; i < RPM_SELECT_SIZE; i++) +- writel_relaxed(0, RPM_CTRL_REG(rpm, RPM_ACK_SELECTOR + i)); +- writel(0, RPM_CTRL_REG(rpm, RPM_ACK_CONTEXT)); ++ ack = readl_relaxed(RPM_CTRL_REG(rpm, rpm->data->ack_ctx_off)); ++ for (i = 0; i < rpm->data->sel_size; i++) ++ writel_relaxed(0, ++ RPM_CTRL_REG(rpm, rpm->data->ack_sel_off + i)); ++ writel(0, RPM_CTRL_REG(rpm, rpm->data->ack_ctx_off)); + + if (ack & RPM_NOTIFICATION) { + dev_warn(rpm->dev, "ignoring notification!\n"); diff --git a/queue-4.4/mfd-qcom_rpm-parametrize-also-ack-selector-size.patch b/queue-4.4/mfd-qcom_rpm-parametrize-also-ack-selector-size.patch new file mode 100644 index 00000000000..f5ad3184c51 --- /dev/null +++ b/queue-4.4/mfd-qcom_rpm-parametrize-also-ack-selector-size.patch @@ -0,0 +1,99 @@ +From f37be01e6dc606f2fcc5e95c9933d948ce19bd35 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Wed, 22 Jun 2016 08:27:17 +0200 +Subject: mfd: qcom_rpm: Parametrize also ack selector size + +From: Linus Walleij + +commit f37be01e6dc606f2fcc5e95c9933d948ce19bd35 upstream. + +The RPM has two sets of selectors (IPC bit fields): request and +acknowledge. Apparently, some models use 4*32 bit words for select +and some use 7*32 bit words for request, but all use 7*32 words +for acknowledge bits. + +So apparently you can on the models with requests of 4*32 select +bits send 4*32 messages and get 7*32 different replies, so on ACK +interrupt, 7*32 bit words need to be read. This is how the vendor +code apparently works. + +Reported-by: Stephen Boyd +Signed-off-by: Linus Walleij +Reviewed-by: Bjorn Andersson +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/qcom_rpm.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/mfd/qcom_rpm.c ++++ b/drivers/mfd/qcom_rpm.c +@@ -39,7 +39,8 @@ struct qcom_rpm_data { + unsigned int req_sel_off; + unsigned int ack_ctx_off; + unsigned int ack_sel_off; +- unsigned int sel_size; ++ unsigned int req_sel_size; ++ unsigned int ack_sel_size; + }; + + struct qcom_rpm { +@@ -162,7 +163,8 @@ static const struct qcom_rpm_data apq806 + .req_sel_off = 11, + .ack_ctx_off = 15, + .ack_sel_off = 23, +- .sel_size = 4, ++ .req_sel_size = 4, ++ .ack_sel_size = 7, + }; + + static const struct qcom_rpm_resource msm8660_rpm_resource_table[] = { +@@ -250,7 +252,8 @@ static const struct qcom_rpm_data msm866 + .req_sel_off = 11, + .ack_ctx_off = 19, + .ack_sel_off = 27, +- .sel_size = 7, ++ .req_sel_size = 7, ++ .ack_sel_size = 7, + }; + + static const struct qcom_rpm_resource msm8960_rpm_resource_table[] = { +@@ -337,7 +340,8 @@ static const struct qcom_rpm_data msm896 + .req_sel_off = 11, + .ack_ctx_off = 15, + .ack_sel_off = 23, +- .sel_size = 4, ++ .req_sel_size = 4, ++ .ack_sel_size = 7, + }; + + static const struct qcom_rpm_resource ipq806x_rpm_resource_table[] = { +@@ -382,7 +386,8 @@ static const struct qcom_rpm_data ipq806 + .req_sel_off = 11, + .ack_ctx_off = 15, + .ack_sel_off = 23, +- .sel_size = 4, ++ .req_sel_size = 4, ++ .ack_sel_size = 7, + }; + + static const struct of_device_id qcom_rpm_of_match[] = { +@@ -419,7 +424,7 @@ int qcom_rpm_write(struct qcom_rpm *rpm, + writel_relaxed(buf[i], RPM_REQ_REG(rpm, res->target_id + i)); + + bitmap_set((unsigned long *)sel_mask, res->select_id, 1); +- for (i = 0; i < rpm->data->sel_size; i++) { ++ for (i = 0; i < rpm->data->req_sel_size; i++) { + writel_relaxed(sel_mask[i], + RPM_CTRL_REG(rpm, rpm->data->req_sel_off + i)); + } +@@ -448,7 +453,7 @@ static irqreturn_t qcom_rpm_ack_interrup + int i; + + ack = readl_relaxed(RPM_CTRL_REG(rpm, rpm->data->ack_ctx_off)); +- for (i = 0; i < rpm->data->sel_size; i++) ++ for (i = 0; i < rpm->data->ack_sel_size; i++) + writel_relaxed(0, + RPM_CTRL_REG(rpm, rpm->data->ack_sel_off + i)); + writel(0, RPM_CTRL_REG(rpm, rpm->data->ack_ctx_off)); diff --git a/queue-4.4/pinctrl-cherryview-prevent-concurrent-access-to-gpio-controllers.patch b/queue-4.4/pinctrl-cherryview-prevent-concurrent-access-to-gpio-controllers.patch new file mode 100644 index 00000000000..dd6183c7942 --- /dev/null +++ b/queue-4.4/pinctrl-cherryview-prevent-concurrent-access-to-gpio-controllers.patch @@ -0,0 +1,338 @@ +From 0bd50d719b004110e791800450ad204399100a86 Mon Sep 17 00:00:00 2001 +From: Dan O'Donovan +Date: Fri, 10 Jun 2016 13:23:34 +0100 +Subject: pinctrl: cherryview: prevent concurrent access to GPIO controllers + +From: Dan O'Donovan + +commit 0bd50d719b004110e791800450ad204399100a86 upstream. + +Due to a silicon issue on the Atom X5-Z8000 "Cherry Trail" processor +series, a common lock must be used to prevent concurrent accesses +across the 4 GPIO controllers managed by this driver. + +See Intel Atom Z8000 Processor Series Specification Update +(Rev. 005), errata #CHT34, for further information. + +Signed-off-by: Dan O'Donovan +Acked-by: Mika Westerberg +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/intel/pinctrl-cherryview.c | 80 +++++++++++++++-------------- + 1 file changed, 44 insertions(+), 36 deletions(-) + +--- a/drivers/pinctrl/intel/pinctrl-cherryview.c ++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c +@@ -160,7 +160,6 @@ struct chv_pin_context { + * @pctldev: Pointer to the pin controller device + * @chip: GPIO chip in this pin controller + * @regs: MMIO registers +- * @lock: Lock to serialize register accesses + * @intr_lines: Stores mapping between 16 HW interrupt wires and GPIO + * offset (in GPIO number space) + * @community: Community this pinctrl instance represents +@@ -174,7 +173,6 @@ struct chv_pinctrl { + struct pinctrl_dev *pctldev; + struct gpio_chip chip; + void __iomem *regs; +- raw_spinlock_t lock; + unsigned intr_lines[16]; + const struct chv_community *community; + u32 saved_intmask; +@@ -659,6 +657,17 @@ static const struct chv_community *chv_c + &southeast_community, + }; + ++/* ++ * Lock to serialize register accesses ++ * ++ * Due to a silicon issue, a shared lock must be used to prevent ++ * concurrent accesses across the 4 GPIO controllers. ++ * ++ * See Intel Atom Z8000 Processor Series Specification Update (Rev. 005), ++ * errata #CHT34, for further information. ++ */ ++static DEFINE_RAW_SPINLOCK(chv_lock); ++ + static void __iomem *chv_padreg(struct chv_pinctrl *pctrl, unsigned offset, + unsigned reg) + { +@@ -720,13 +729,13 @@ static void chv_pin_dbg_show(struct pinc + u32 ctrl0, ctrl1; + bool locked; + +- raw_spin_lock_irqsave(&pctrl->lock, flags); ++ raw_spin_lock_irqsave(&chv_lock, flags); + + ctrl0 = readl(chv_padreg(pctrl, offset, CHV_PADCTRL0)); + ctrl1 = readl(chv_padreg(pctrl, offset, CHV_PADCTRL1)); + locked = chv_pad_locked(pctrl, offset); + +- raw_spin_unlock_irqrestore(&pctrl->lock, flags); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); + + if (ctrl0 & CHV_PADCTRL0_GPIOEN) { + seq_puts(s, "GPIO "); +@@ -789,14 +798,14 @@ static int chv_pinmux_set_mux(struct pin + + grp = &pctrl->community->groups[group]; + +- raw_spin_lock_irqsave(&pctrl->lock, flags); ++ raw_spin_lock_irqsave(&chv_lock, flags); + + /* Check first that the pad is not locked */ + for (i = 0; i < grp->npins; i++) { + if (chv_pad_locked(pctrl, grp->pins[i])) { + dev_warn(pctrl->dev, "unable to set mode for locked pin %u\n", + grp->pins[i]); +- raw_spin_unlock_irqrestore(&pctrl->lock, flags); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); + return -EBUSY; + } + } +@@ -839,7 +848,7 @@ static int chv_pinmux_set_mux(struct pin + pin, altfunc->mode, altfunc->invert_oe ? "" : "not "); + } + +- raw_spin_unlock_irqrestore(&pctrl->lock, flags); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); + + return 0; + } +@@ -853,13 +862,13 @@ static int chv_gpio_request_enable(struc + void __iomem *reg; + u32 value; + +- raw_spin_lock_irqsave(&pctrl->lock, flags); ++ raw_spin_lock_irqsave(&chv_lock, flags); + + if (chv_pad_locked(pctrl, offset)) { + value = readl(chv_padreg(pctrl, offset, CHV_PADCTRL0)); + if (!(value & CHV_PADCTRL0_GPIOEN)) { + /* Locked so cannot enable */ +- raw_spin_unlock_irqrestore(&pctrl->lock, flags); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); + return -EBUSY; + } + } else { +@@ -899,7 +908,7 @@ static int chv_gpio_request_enable(struc + chv_writel(value, reg); + } + +- raw_spin_unlock_irqrestore(&pctrl->lock, flags); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); + + return 0; + } +@@ -913,13 +922,13 @@ static void chv_gpio_disable_free(struct + void __iomem *reg; + u32 value; + +- raw_spin_lock_irqsave(&pctrl->lock, flags); ++ raw_spin_lock_irqsave(&chv_lock, flags); + + reg = chv_padreg(pctrl, offset, CHV_PADCTRL0); + value = readl(reg) & ~CHV_PADCTRL0_GPIOEN; + chv_writel(value, reg); + +- raw_spin_unlock_irqrestore(&pctrl->lock, flags); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); + } + + static int chv_gpio_set_direction(struct pinctrl_dev *pctldev, +@@ -931,7 +940,7 @@ static int chv_gpio_set_direction(struct + unsigned long flags; + u32 ctrl0; + +- raw_spin_lock_irqsave(&pctrl->lock, flags); ++ raw_spin_lock_irqsave(&chv_lock, flags); + + ctrl0 = readl(reg) & ~CHV_PADCTRL0_GPIOCFG_MASK; + if (input) +@@ -940,7 +949,7 @@ static int chv_gpio_set_direction(struct + ctrl0 |= CHV_PADCTRL0_GPIOCFG_GPO << CHV_PADCTRL0_GPIOCFG_SHIFT; + chv_writel(ctrl0, reg); + +- raw_spin_unlock_irqrestore(&pctrl->lock, flags); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); + + return 0; + } +@@ -965,10 +974,10 @@ static int chv_config_get(struct pinctrl + u16 arg = 0; + u32 term; + +- raw_spin_lock_irqsave(&pctrl->lock, flags); ++ raw_spin_lock_irqsave(&chv_lock, flags); + ctrl0 = readl(chv_padreg(pctrl, pin, CHV_PADCTRL0)); + ctrl1 = readl(chv_padreg(pctrl, pin, CHV_PADCTRL1)); +- raw_spin_unlock_irqrestore(&pctrl->lock, flags); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); + + term = (ctrl0 & CHV_PADCTRL0_TERM_MASK) >> CHV_PADCTRL0_TERM_SHIFT; + +@@ -1042,7 +1051,7 @@ static int chv_config_set_pull(struct ch + unsigned long flags; + u32 ctrl0, pull; + +- raw_spin_lock_irqsave(&pctrl->lock, flags); ++ raw_spin_lock_irqsave(&chv_lock, flags); + ctrl0 = readl(reg); + + switch (param) { +@@ -1065,7 +1074,7 @@ static int chv_config_set_pull(struct ch + pull = CHV_PADCTRL0_TERM_20K << CHV_PADCTRL0_TERM_SHIFT; + break; + default: +- raw_spin_unlock_irqrestore(&pctrl->lock, flags); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); + return -EINVAL; + } + +@@ -1083,7 +1092,7 @@ static int chv_config_set_pull(struct ch + pull = CHV_PADCTRL0_TERM_20K << CHV_PADCTRL0_TERM_SHIFT; + break; + default: +- raw_spin_unlock_irqrestore(&pctrl->lock, flags); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); + return -EINVAL; + } + +@@ -1091,12 +1100,12 @@ static int chv_config_set_pull(struct ch + break; + + default: +- raw_spin_unlock_irqrestore(&pctrl->lock, flags); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); + return -EINVAL; + } + + chv_writel(ctrl0, reg); +- raw_spin_unlock_irqrestore(&pctrl->lock, flags); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); + + return 0; + } +@@ -1162,9 +1171,9 @@ static int chv_gpio_get(struct gpio_chip + unsigned long flags; + u32 ctrl0, cfg; + +- raw_spin_lock_irqsave(&pctrl->lock, flags); ++ raw_spin_lock_irqsave(&chv_lock, flags); + ctrl0 = readl(chv_padreg(pctrl, pin, CHV_PADCTRL0)); +- raw_spin_unlock_irqrestore(&pctrl->lock, flags); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); + + cfg = ctrl0 & CHV_PADCTRL0_GPIOCFG_MASK; + cfg >>= CHV_PADCTRL0_GPIOCFG_SHIFT; +@@ -1182,7 +1191,7 @@ static void chv_gpio_set(struct gpio_chi + void __iomem *reg; + u32 ctrl0; + +- raw_spin_lock_irqsave(&pctrl->lock, flags); ++ raw_spin_lock_irqsave(&chv_lock, flags); + + reg = chv_padreg(pctrl, pin, CHV_PADCTRL0); + ctrl0 = readl(reg); +@@ -1194,7 +1203,7 @@ static void chv_gpio_set(struct gpio_chi + + chv_writel(ctrl0, reg); + +- raw_spin_unlock_irqrestore(&pctrl->lock, flags); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); + } + + static int chv_gpio_get_direction(struct gpio_chip *chip, unsigned offset) +@@ -1204,9 +1213,9 @@ static int chv_gpio_get_direction(struct + u32 ctrl0, direction; + unsigned long flags; + +- raw_spin_lock_irqsave(&pctrl->lock, flags); ++ raw_spin_lock_irqsave(&chv_lock, flags); + ctrl0 = readl(chv_padreg(pctrl, pin, CHV_PADCTRL0)); +- raw_spin_unlock_irqrestore(&pctrl->lock, flags); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); + + direction = ctrl0 & CHV_PADCTRL0_GPIOCFG_MASK; + direction >>= CHV_PADCTRL0_GPIOCFG_SHIFT; +@@ -1244,14 +1253,14 @@ static void chv_gpio_irq_ack(struct irq_ + int pin = chv_gpio_offset_to_pin(pctrl, irqd_to_hwirq(d)); + u32 intr_line; + +- raw_spin_lock(&pctrl->lock); ++ raw_spin_lock(&chv_lock); + + intr_line = readl(chv_padreg(pctrl, pin, CHV_PADCTRL0)); + intr_line &= CHV_PADCTRL0_INTSEL_MASK; + intr_line >>= CHV_PADCTRL0_INTSEL_SHIFT; + chv_writel(BIT(intr_line), pctrl->regs + CHV_INTSTAT); + +- raw_spin_unlock(&pctrl->lock); ++ raw_spin_unlock(&chv_lock); + } + + static void chv_gpio_irq_mask_unmask(struct irq_data *d, bool mask) +@@ -1262,7 +1271,7 @@ static void chv_gpio_irq_mask_unmask(str + u32 value, intr_line; + unsigned long flags; + +- raw_spin_lock_irqsave(&pctrl->lock, flags); ++ raw_spin_lock_irqsave(&chv_lock, flags); + + intr_line = readl(chv_padreg(pctrl, pin, CHV_PADCTRL0)); + intr_line &= CHV_PADCTRL0_INTSEL_MASK; +@@ -1275,7 +1284,7 @@ static void chv_gpio_irq_mask_unmask(str + value |= BIT(intr_line); + chv_writel(value, pctrl->regs + CHV_INTMASK); + +- raw_spin_unlock_irqrestore(&pctrl->lock, flags); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); + } + + static void chv_gpio_irq_mask(struct irq_data *d) +@@ -1309,7 +1318,7 @@ static unsigned chv_gpio_irq_startup(str + unsigned long flags; + u32 intsel, value; + +- raw_spin_lock_irqsave(&pctrl->lock, flags); ++ raw_spin_lock_irqsave(&chv_lock, flags); + intsel = readl(chv_padreg(pctrl, pin, CHV_PADCTRL0)); + intsel &= CHV_PADCTRL0_INTSEL_MASK; + intsel >>= CHV_PADCTRL0_INTSEL_SHIFT; +@@ -1324,7 +1333,7 @@ static unsigned chv_gpio_irq_startup(str + irq_set_handler_locked(d, handler); + pctrl->intr_lines[intsel] = offset; + } +- raw_spin_unlock_irqrestore(&pctrl->lock, flags); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); + } + + chv_gpio_irq_unmask(d); +@@ -1340,7 +1349,7 @@ static int chv_gpio_irq_type(struct irq_ + unsigned long flags; + u32 value; + +- raw_spin_lock_irqsave(&pctrl->lock, flags); ++ raw_spin_lock_irqsave(&chv_lock, flags); + + /* + * Pins which can be used as shared interrupt are configured in +@@ -1389,7 +1398,7 @@ static int chv_gpio_irq_type(struct irq_ + else if (type & IRQ_TYPE_LEVEL_MASK) + irq_set_handler_locked(d, handle_level_irq); + +- raw_spin_unlock_irqrestore(&pctrl->lock, flags); ++ raw_spin_unlock_irqrestore(&chv_lock, flags); + + return 0; + } +@@ -1501,7 +1510,6 @@ static int chv_pinctrl_probe(struct plat + if (i == ARRAY_SIZE(chv_communities)) + return -ENODEV; + +- raw_spin_lock_init(&pctrl->lock); + pctrl->dev = &pdev->dev; + + #ifdef CONFIG_PM_SLEEP diff --git a/queue-4.4/s390-cio-allow-to-reset-channel-measurement-block.patch b/queue-4.4/s390-cio-allow-to-reset-channel-measurement-block.patch new file mode 100644 index 00000000000..7104249d8c1 --- /dev/null +++ b/queue-4.4/s390-cio-allow-to-reset-channel-measurement-block.patch @@ -0,0 +1,97 @@ +From 0f5d050ceaa31b2229102211d60c149f920df3aa Mon Sep 17 00:00:00 2001 +From: Sebastian Ott +Date: Tue, 12 Jul 2016 19:57:57 +0200 +Subject: s390/cio: allow to reset channel measurement block + +From: Sebastian Ott + +commit 0f5d050ceaa31b2229102211d60c149f920df3aa upstream. + +Prior to commit 1bc6664bdfb949bc69a08113801e7d6acbf6bc3f a call to +enable_cmf for a device for which channel measurement was already +enabled resulted in a reset of the measurement data. + +What looked like bugs at the time (a 2nd allocation was triggered +but failed, reset was called regardless of previous failures, and +errors have not been reported to userspace) was actually something +at least one userspace tool depended on. Restore that behavior in +a sane way. + +Fixes: 1bc6664bdfb ("s390/cio: use device_lock during cmb activation") +Signed-off-by: Sebastian Ott +Reviewed-by: Cornelia Huck +Reviewed-by: Peter Oberparleiter +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/cio/cmf.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +--- a/drivers/s390/cio/cmf.c ++++ b/drivers/s390/cio/cmf.c +@@ -753,6 +753,17 @@ static void reset_cmb(struct ccw_device + cmf_generic_reset(cdev); + } + ++static int cmf_enabled(struct ccw_device *cdev) ++{ ++ int enabled; ++ ++ spin_lock_irq(cdev->ccwlock); ++ enabled = !!cdev->private->cmb; ++ spin_unlock_irq(cdev->ccwlock); ++ ++ return enabled; ++} ++ + static struct attribute_group cmf_attr_group; + + static struct cmb_operations cmbops_basic = { +@@ -1153,13 +1164,8 @@ static ssize_t cmb_enable_show(struct de + char *buf) + { + struct ccw_device *cdev = to_ccwdev(dev); +- int enabled; + +- spin_lock_irq(cdev->ccwlock); +- enabled = !!cdev->private->cmb; +- spin_unlock_irq(cdev->ccwlock); +- +- return sprintf(buf, "%d\n", enabled); ++ return sprintf(buf, "%d\n", cmf_enabled(cdev)); + } + + static ssize_t cmb_enable_store(struct device *dev, +@@ -1199,15 +1205,20 @@ int ccw_set_cmf(struct ccw_device *cdev, + * @cdev: The ccw device to be enabled + * + * Returns %0 for success or a negative error value. +- * ++ * Note: If this is called on a device for which channel measurement is already ++ * enabled a reset of the measurement data is triggered. + * Context: + * non-atomic + */ + int enable_cmf(struct ccw_device *cdev) + { +- int ret; ++ int ret = 0; + + device_lock(&cdev->dev); ++ if (cmf_enabled(cdev)) { ++ cmbops->reset(cdev); ++ goto out_unlock; ++ } + get_device(&cdev->dev); + ret = cmbops->alloc(cdev); + if (ret) +@@ -1226,7 +1237,7 @@ int enable_cmf(struct ccw_device *cdev) + out: + if (ret) + put_device(&cdev->dev); +- ++out_unlock: + device_unlock(&cdev->dev); + return ret; + } diff --git a/queue-4.4/serial-samsung-fix-err-pointer-dereference-on-deferred-probe.patch b/queue-4.4/serial-samsung-fix-err-pointer-dereference-on-deferred-probe.patch new file mode 100644 index 00000000000..5e1deda6e83 --- /dev/null +++ b/queue-4.4/serial-samsung-fix-err-pointer-dereference-on-deferred-probe.patch @@ -0,0 +1,108 @@ +From e51e4d8a185de90424b03f30181b35f29c46a25a Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 16 Jun 2016 08:27:35 +0200 +Subject: serial: samsung: Fix ERR pointer dereference on deferred probe + +From: Krzysztof Kozlowski + +commit e51e4d8a185de90424b03f30181b35f29c46a25a upstream. + +When the clk_get() of "uart" clock returns EPROBE_DEFER, the next re-probe +finishes with success but uses invalid (ERR_PTR) values. This leads to +dereferencing of ERR_PTR stored under ourport->clk: + + 12c30000.serial: Controller clock not found + (...) + 12c30000.serial: ttySAC3 at MMIO 0x12c30000 (irq = 61, base_baud = 0) is a S3C6400/10 + Unable to handle kernel paging request at virtual address fffffdfb + + (clk_prepare) from [] (s3c24xx_serial_pm+0x20/0x128) + (s3c24xx_serial_pm) from [] (uart_change_pm+0x38/0x40) + (uart_change_pm) from [] (uart_add_one_port+0x31c/0x44c) + (uart_add_one_port) from [] (s3c24xx_serial_probe+0x2a8/0x418) + (s3c24xx_serial_probe) from [] (platform_drv_probe+0x50/0xb0) + (platform_drv_probe) from [] (driver_probe_device+0x1f4/0x2b0) + (driver_probe_device) from [] (bus_for_each_drv+0x44/0x8c) + (bus_for_each_drv) from [] (__device_attach+0x9c/0x100) + (__device_attach) from [] (bus_probe_device+0x84/0x8c) + (bus_probe_device) from [] (deferred_probe_work_func+0x60/0x8c) + (deferred_probe_work_func) from [] (process_one_work+0x120/0x328) + (process_one_work) from [] (worker_thread+0x2c/0x4ac) + (worker_thread) from [] (kthread+0xd8/0xf4) + (kthread) from [] (ret_from_fork+0x14/0x3c) + +The first unsuccessful clk_get() causes s3c24xx_serial_init_port() to +exit with failure but the s3c24xx_uart_port is left half-configured +(e.g. port->mapbase is set, clk contains ERR_PTR). On next re-probe, +the function s3c24xx_serial_init_port() will exit early with success +because of configured port->mapbase and driver will use old values, +including the ERR_PTR as clock. + +Fix this by cleaning the port->mapbase on error path so each re-probe +will initialize all of the port settings. + +Fixes: 60e93575476f ("serial: samsung: enable clock before clearing pending interrupts during init") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Javier Martinez Canillas +Tested-by: Javier Martinez Canillas +Tested-by: Kevin Hilman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/samsung.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -1676,7 +1676,7 @@ static int s3c24xx_serial_init_port(stru + return -ENODEV; + + if (port->mapbase != 0) +- return 0; ++ return -EINVAL; + + /* setup info for port */ + port->dev = &platdev->dev; +@@ -1730,22 +1730,25 @@ static int s3c24xx_serial_init_port(stru + ourport->dma = devm_kzalloc(port->dev, + sizeof(*ourport->dma), + GFP_KERNEL); +- if (!ourport->dma) +- return -ENOMEM; ++ if (!ourport->dma) { ++ ret = -ENOMEM; ++ goto err; ++ } + } + + ourport->clk = clk_get(&platdev->dev, "uart"); + if (IS_ERR(ourport->clk)) { + pr_err("%s: Controller clock not found\n", + dev_name(&platdev->dev)); +- return PTR_ERR(ourport->clk); ++ ret = PTR_ERR(ourport->clk); ++ goto err; + } + + ret = clk_prepare_enable(ourport->clk); + if (ret) { + pr_err("uart: clock failed to prepare+enable: %d\n", ret); + clk_put(ourport->clk); +- return ret; ++ goto err; + } + + /* Keep all interrupts masked and cleared */ +@@ -1761,7 +1764,12 @@ static int s3c24xx_serial_init_port(stru + + /* reset the fifos (and setup the uart) */ + s3c24xx_serial_resetport(port, cfg); ++ + return 0; ++ ++err: ++ port->mapbase = 0; ++ return ret; + } + + /* Device driver serial port probe */ diff --git a/queue-4.4/series b/queue-4.4/series index db8b2614a65..6e9a2261d6c 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -9,3 +9,21 @@ usb-usbfs-fix-potential-infoleak-in-devio.patch arm64-kernel-save-and-restore-uao-and-addr_limit-on-exception-entry.patch arm64-debug-unmask-pstate.d-earlier.patch arm64-fix-incorrect-per-cpu-usage-for-boot-cpu.patch +tty-serial-msm-don-t-read-off-end-of-tx-fifo.patch +serial-samsung-fix-err-pointer-dereference-on-deferred-probe.patch +tty-serial-atmel-fix-rs485-half-duplex-with-dma.patch +gpio-pca953x-fix-nbank-calculation-for-pca9536.patch +gpio-intel-mid-remove-potentially-harmful-code.patch +bluetooth-hci_intel-fix-null-gpio-desc-pointer-dereference.patch +pinctrl-cherryview-prevent-concurrent-access-to-gpio-controllers.patch +arm64-dts-rockchip-fixes-the-gic400-2nd-region-size-for-rk3368.patch +arm64-mm-avoid-fdt_check_header-before-the-fdt-is-fully-mapped.patch +kvm-ppc-book3s-hv-pull-out-tm-state-save-restore-into-separate-procedures.patch +kvm-ppc-book3s-hv-save-restore-tm-state-in-h_cede.patch +kvm-mtrr-fix-kvm_mtrr_check_gfn_range_consistency-page-fault.patch +kvm-vmx-handle-pml-full-vmexit-that-occurs-during-event-delivery.patch +kvm-nvmx-fix-memory-corruption-when-using-vmcs-shadowing.patch +s390-cio-allow-to-reset-channel-measurement-block.patch +intel_pstate-fix-msr_config_tdp_x-addressing-in-core_get_max_pstate.patch +mfd-qcom_rpm-fix-offset-error-for-msm8660.patch +mfd-qcom_rpm-parametrize-also-ack-selector-size.patch diff --git a/queue-4.4/tty-serial-atmel-fix-rs485-half-duplex-with-dma.patch b/queue-4.4/tty-serial-atmel-fix-rs485-half-duplex-with-dma.patch new file mode 100644 index 00000000000..19a5801e89a --- /dev/null +++ b/queue-4.4/tty-serial-atmel-fix-rs485-half-duplex-with-dma.patch @@ -0,0 +1,50 @@ +From 0058f0871efe7b01c6f2b3046c68196ab73e96da Mon Sep 17 00:00:00 2001 +From: Alexandre Belloni +Date: Sat, 28 May 2016 00:54:08 +0200 +Subject: tty/serial: atmel: fix RS485 half duplex with DMA + +From: Alexandre Belloni + +commit 0058f0871efe7b01c6f2b3046c68196ab73e96da upstream. + +When using DMA, half duplex doesn't work properly because rx is not stopped +before starting tx. Ensure we call atmel_stop_rx() in the DMA case. + +Signed-off-by: Alexandre Belloni +Acked-by: Nicolas Ferre +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/atmel_serial.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -485,19 +485,21 @@ static void atmel_start_tx(struct uart_p + { + struct atmel_uart_port *atmel_port = to_atmel_uart_port(port); + +- if (atmel_use_pdc_tx(port)) { +- if (atmel_uart_readl(port, ATMEL_PDC_PTSR) & ATMEL_PDC_TXTEN) +- /* The transmitter is already running. Yes, we +- really need this.*/ +- return; ++ if (atmel_use_pdc_tx(port) && (atmel_uart_readl(port, ATMEL_PDC_PTSR) ++ & ATMEL_PDC_TXTEN)) ++ /* The transmitter is already running. Yes, we ++ really need this.*/ ++ return; + ++ if (atmel_use_pdc_tx(port) || atmel_use_dma_tx(port)) + if ((port->rs485.flags & SER_RS485_ENABLED) && + !(port->rs485.flags & SER_RS485_RX_DURING_TX)) + atmel_stop_rx(port); + ++ if (atmel_use_pdc_tx(port)) + /* re-enable PDC transmit */ + atmel_uart_writel(port, ATMEL_PDC_PTCR, ATMEL_PDC_TXTEN); +- } ++ + /* Enable interrupts */ + atmel_uart_writel(port, ATMEL_US_IER, atmel_port->tx_done_mask); + } diff --git a/queue-4.4/tty-serial-msm-don-t-read-off-end-of-tx-fifo.patch b/queue-4.4/tty-serial-msm-don-t-read-off-end-of-tx-fifo.patch new file mode 100644 index 00000000000..d1a6930c13e --- /dev/null +++ b/queue-4.4/tty-serial-msm-don-t-read-off-end-of-tx-fifo.patch @@ -0,0 +1,42 @@ +From 30acf549ca1e81859a67590ab9ecfce3d1050a0b Mon Sep 17 00:00:00 2001 +From: Bjorn Andersson +Date: Thu, 2 Jun 2016 17:48:28 -0700 +Subject: tty: serial: msm: Don't read off end of tx fifo + +From: Bjorn Andersson + +commit 30acf549ca1e81859a67590ab9ecfce3d1050a0b upstream. + +For dm uarts in pio mode tx data is transferred to the fifo register 4 +bytes at a time, but care is not taken when these 4 bytes spans the end +of the xmit buffer so the loop might read up to 3 bytes past the buffer +and then skip the actual data at the beginning of the buffer. + +Fix this by, analogous to the DMA case, make sure the chunk doesn't +wrap the xmit buffer. + +Fixes: 3a878c430fd6 ("tty: serial: msm: Add TX DMA support") +Cc: Ivan Ivanov +Reported-by: Frank Rowand +Reported-by: Nicolas Dechesne +Signed-off-by: Bjorn Andersson +Acked-by: Andy Gross +Tested-by: Frank Rowand +Reviewed-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/msm_serial.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/msm_serial.c ++++ b/drivers/tty/serial/msm_serial.c +@@ -726,7 +726,7 @@ static void msm_handle_tx(struct uart_po + return; + } + +- pio_count = CIRC_CNT(xmit->head, xmit->tail, UART_XMIT_SIZE); ++ pio_count = CIRC_CNT_TO_END(xmit->head, xmit->tail, UART_XMIT_SIZE); + dma_count = CIRC_CNT_TO_END(xmit->head, xmit->tail, UART_XMIT_SIZE); + + dma_min = 1; /* Always DMA */