From: Greg Kroah-Hartman Date: Wed, 8 Jul 2015 07:23:01 +0000 (-0700) Subject: 4.0-stable patches X-Git-Tag: v4.0.8~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=56c71b2c9c5b7af07c2a9d356b641f499cb19cdf;p=thirdparty%2Fkernel%2Fstable-queue.git 4.0-stable patches added patches: arm-kvm-force-execution-of-hcptr-access-on-vm-exit.patch arm-kvm-psci-fix-handling-of-unimplemented-functions.patch arm-mvebu-fix-suspend-to-ram-on-big-endian-configurations.patch arm-tegra20-store-cpu-resettable-status-in-iram.patch crypto-talitos-avoid-memleak-in-talitos_alg_alloc.patch fs-fix-s_nosec-handling.patch fs-ufs-restore-s_lock-mutex.patch fs-ufs-revert-ufs-fix-deadlocks-introduced-by-sb-mutex-merge.patch intel_pstate-set-byt-msr-with-wrmsrl_on_cpu.patch iommu-amd-handle-large-pages-correctly-in-free_pagetable.patch iommu-arm-smmu-fix-broken-atos-check.patch kvm-mips-use-id_to_memslot-correctly.patch kvm-s390-fix-external-call-injection-without-sigp-interpretation.patch kvm-s390-virtio-ccw-don-t-overwrite-config-space-values.patch kvm-x86-make-vapics_in_nmi_mode-atomic.patch kvm-x86-properly-restore-lvt0.patch mips-fix-kvm-guest-fixmap-address.patch mmc-sdhci-fix-low-memory-corruption.patch powerpc-perf-fix-book3s-kernel-to-userspace-backtraces.patch revert-crypto-talitos-convert-to-use-be16_add_cpu.patch s390-kdump-fix-regset_vx_low-vector-register-elf-notes.patch selinux-fix-setting-of-security-labels-on-nfs.patch tick-idle-powerpc-do-not-register-idle-states-with-cpuidle_flag_timer_stop-set-in-periodic-mode.patch vfs-ignore-unlocked-mounts-in-fs_fully_visible.patch vfs-remove-incorrect-debugging-warn-in-prepend_path.patch x86-pci-use-host-bridge-_crs-info-on-foxconn-k8m890-8237a.patch x86-pci-use-host-bridge-_crs-info-on-systems-with-32-bit-addressing.patch --- diff --git a/queue-4.0/arm-kvm-force-execution-of-hcptr-access-on-vm-exit.patch b/queue-4.0/arm-kvm-force-execution-of-hcptr-access-on-vm-exit.patch new file mode 100644 index 00000000000..f3ad8585e2a --- /dev/null +++ b/queue-4.0/arm-kvm-force-execution-of-hcptr-access-on-vm-exit.patch @@ -0,0 +1,113 @@ +From 85e84ba31039595995dae80b277378213602891b Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Mon, 16 Mar 2015 10:59:43 +0000 +Subject: arm: KVM: force execution of HCPTR access on VM exit + +From: Marc Zyngier + +commit 85e84ba31039595995dae80b277378213602891b upstream. + +On VM entry, we disable access to the VFP registers in order to +perform a lazy save/restore of these registers. + +On VM exit, we restore access, test if we did enable them before, +and save/restore the guest/host registers if necessary. In this +sequence, the FPEXC register is always accessed, irrespective +of the trapping configuration. + +If the guest didn't touch the VFP registers, then the HCPTR access +has now enabled such access, but we're missing a barrier to ensure +architectural execution of the new HCPTR configuration. If the HCPTR +access has been delayed/reordered, the subsequent access to FPEXC +will cause a trap, which we aren't prepared to handle at all. + +The same condition exists when trapping to enable VFP for the guest. + +The fix is to introduce a barrier after enabling VFP access. In the +vmexit case, it can be relaxed to only takes place if the guest hasn't +accessed its view of the VFP registers, making the access to FPEXC safe. + +The set_hcptr macro is modified to deal with both vmenter/vmexit and +vmtrap operations, and now takes an optional label that is branched to +when the guest hasn't touched the VFP registers. + +Reported-by: Vikram Sethi +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kvm/interrupts.S | 10 ++++------ + arch/arm/kvm/interrupts_head.S | 20 ++++++++++++++++++-- + 2 files changed, 22 insertions(+), 8 deletions(-) + +--- a/arch/arm/kvm/interrupts.S ++++ b/arch/arm/kvm/interrupts.S +@@ -170,13 +170,9 @@ __kvm_vcpu_return: + @ Don't trap coprocessor accesses for host kernel + set_hstr vmexit + set_hdcr vmexit +- set_hcptr vmexit, (HCPTR_TTA | HCPTR_TCP(10) | HCPTR_TCP(11)) ++ set_hcptr vmexit, (HCPTR_TTA | HCPTR_TCP(10) | HCPTR_TCP(11)), after_vfp_restore + + #ifdef CONFIG_VFPv3 +- @ Save floating point registers we if let guest use them. +- tst r2, #(HCPTR_TCP(10) | HCPTR_TCP(11)) +- bne after_vfp_restore +- + @ Switch VFP/NEON hardware state to the host's + add r7, vcpu, #VCPU_VFP_GUEST + store_vfp_state r7 +@@ -188,6 +184,8 @@ after_vfp_restore: + @ Restore FPEXC_EN which we clobbered on entry + pop {r2} + VFPFMXR FPEXC, r2 ++#else ++after_vfp_restore: + #endif + + @ Reset Hyp-role +@@ -483,7 +481,7 @@ switch_to_guest_vfp: + push {r3-r7} + + @ NEON/VFP used. Turn on VFP access. +- set_hcptr vmexit, (HCPTR_TCP(10) | HCPTR_TCP(11)) ++ set_hcptr vmtrap, (HCPTR_TCP(10) | HCPTR_TCP(11)) + + @ Switch VFP/NEON hardware state to the guest's + add r7, r0, #VCPU_VFP_HOST +--- a/arch/arm/kvm/interrupts_head.S ++++ b/arch/arm/kvm/interrupts_head.S +@@ -599,8 +599,13 @@ ARM_BE8(rev r6, r6 ) + .endm + + /* Configures the HCPTR (Hyp Coprocessor Trap Register) on entry/return +- * (hardware reset value is 0). Keep previous value in r2. */ +-.macro set_hcptr operation, mask ++ * (hardware reset value is 0). Keep previous value in r2. ++ * An ISB is emited on vmexit/vmtrap, but executed on vmexit only if ++ * VFP wasn't already enabled (always executed on vmtrap). ++ * If a label is specified with vmexit, it is branched to if VFP wasn't ++ * enabled. ++ */ ++.macro set_hcptr operation, mask, label = none + mrc p15, 4, r2, c1, c1, 2 + ldr r3, =\mask + .if \operation == vmentry +@@ -609,6 +614,17 @@ ARM_BE8(rev r6, r6 ) + bic r3, r2, r3 @ Don't trap defined coproc-accesses + .endif + mcr p15, 4, r3, c1, c1, 2 ++ .if \operation != vmentry ++ .if \operation == vmexit ++ tst r2, #(HCPTR_TCP(10) | HCPTR_TCP(11)) ++ beq 1f ++ .endif ++ isb ++ .if \label != none ++ b \label ++ .endif ++1: ++ .endif + .endm + + /* Configures the HDCR (Hyp Debug Configuration Register) on entry/return diff --git a/queue-4.0/arm-kvm-psci-fix-handling-of-unimplemented-functions.patch b/queue-4.0/arm-kvm-psci-fix-handling-of-unimplemented-functions.patch new file mode 100644 index 00000000000..6e914244164 --- /dev/null +++ b/queue-4.0/arm-kvm-psci-fix-handling-of-unimplemented-functions.patch @@ -0,0 +1,82 @@ +From e2d997366dc5b6c9d14035867f73957f93e7578c Mon Sep 17 00:00:00 2001 +From: Lorenzo Pieralisi +Date: Wed, 10 Jun 2015 15:19:24 +0100 +Subject: ARM: kvm: psci: fix handling of unimplemented functions + +From: Lorenzo Pieralisi + +commit e2d997366dc5b6c9d14035867f73957f93e7578c upstream. + +According to the PSCI specification and the SMC/HVC calling +convention, PSCI function_ids that are not implemented must +return NOT_SUPPORTED as return value. + +Current KVM implementation takes an unhandled PSCI function_id +as an error and injects an undefined instruction into the guest +if PSCI implementation is called with a function_id that is not +handled by the resident PSCI version (ie it is not implemented), +which is not the behaviour expected by a guest when calling a +PSCI function_id that is not implemented. + +This patch fixes this issue by returning NOT_SUPPORTED whenever +the kvm PSCI call is executed for a function_id that is not +implemented by the PSCI kvm layer. + +Cc: Christoffer Dall +Acked-by: Sudeep Holla +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kvm/psci.c | 16 +++------------- + 1 file changed, 3 insertions(+), 13 deletions(-) + +--- a/arch/arm/kvm/psci.c ++++ b/arch/arm/kvm/psci.c +@@ -230,10 +230,6 @@ static int kvm_psci_0_2_call(struct kvm_ + case PSCI_0_2_FN64_AFFINITY_INFO: + val = kvm_psci_vcpu_affinity_info(vcpu); + break; +- case PSCI_0_2_FN_MIGRATE: +- case PSCI_0_2_FN64_MIGRATE: +- val = PSCI_RET_NOT_SUPPORTED; +- break; + case PSCI_0_2_FN_MIGRATE_INFO_TYPE: + /* + * Trusted OS is MP hence does not require migration +@@ -242,10 +238,6 @@ static int kvm_psci_0_2_call(struct kvm_ + */ + val = PSCI_0_2_TOS_MP; + break; +- case PSCI_0_2_FN_MIGRATE_INFO_UP_CPU: +- case PSCI_0_2_FN64_MIGRATE_INFO_UP_CPU: +- val = PSCI_RET_NOT_SUPPORTED; +- break; + case PSCI_0_2_FN_SYSTEM_OFF: + kvm_psci_system_off(vcpu); + /* +@@ -271,7 +263,8 @@ static int kvm_psci_0_2_call(struct kvm_ + ret = 0; + break; + default: +- return -EINVAL; ++ val = PSCI_RET_NOT_SUPPORTED; ++ break; + } + + *vcpu_reg(vcpu, 0) = val; +@@ -291,12 +284,9 @@ static int kvm_psci_0_1_call(struct kvm_ + case KVM_PSCI_FN_CPU_ON: + val = kvm_psci_vcpu_on(vcpu); + break; +- case KVM_PSCI_FN_CPU_SUSPEND: +- case KVM_PSCI_FN_MIGRATE: ++ default: + val = PSCI_RET_NOT_SUPPORTED; + break; +- default: +- return -EINVAL; + } + + *vcpu_reg(vcpu, 0) = val; diff --git a/queue-4.0/arm-mvebu-fix-suspend-to-ram-on-big-endian-configurations.patch b/queue-4.0/arm-mvebu-fix-suspend-to-ram-on-big-endian-configurations.patch new file mode 100644 index 00000000000..917b576be3f --- /dev/null +++ b/queue-4.0/arm-mvebu-fix-suspend-to-ram-on-big-endian-configurations.patch @@ -0,0 +1,40 @@ +From 2f5bc307be2480ba89e4c5d118f406f04a4a7299 Mon Sep 17 00:00:00 2001 +From: Thomas Petazzoni +Date: Tue, 16 Jun 2015 14:12:57 +0200 +Subject: ARM: mvebu: fix suspend to RAM on big-endian configurations + +From: Thomas Petazzoni + +commit 2f5bc307be2480ba89e4c5d118f406f04a4a7299 upstream. + +The current Armada XP suspend to RAM implementation, as added in +commit 27432825ae19f ("ARM: mvebu: Armada XP GP specific +suspend/resume code") does not handle big-endian configurations +properly: the small bit of assembly code putting the DRAM in +self-refresh and toggling the GPIOs to turn off power forgets to +convert the values to little-endian. + +This commit fixes that by making sure the two values we will write to +the DRAM controller register and GPIO register are already in +little-endian before entering the critical assembly code. + +Signed-off-by: Thomas Petazzoni +Fixes: 27432825ae19f ("ARM: mvebu: Armada XP GP specific suspend/resume code") +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-mvebu/pm-board.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arm/mach-mvebu/pm-board.c ++++ b/arch/arm/mach-mvebu/pm-board.c +@@ -43,6 +43,9 @@ static void mvebu_armada_xp_gp_pm_enter( + for (i = 0; i < ARMADA_XP_GP_PIC_NR_GPIOS; i++) + ackcmd |= BIT(pic_raw_gpios[i]); + ++ srcmd = cpu_to_le32(srcmd); ++ ackcmd = cpu_to_le32(ackcmd); ++ + /* + * Wait a while, the PIC needs quite a bit of time between the + * two GPIO commands. diff --git a/queue-4.0/arm-tegra20-store-cpu-resettable-status-in-iram.patch b/queue-4.0/arm-tegra20-store-cpu-resettable-status-in-iram.patch new file mode 100644 index 00000000000..0895e26fe98 --- /dev/null +++ b/queue-4.0/arm-tegra20-store-cpu-resettable-status-in-iram.patch @@ -0,0 +1,219 @@ +From 4d48edb3c3e1234d6b3fcdfb9ac24d7c6de449cb Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Thu, 15 Jan 2015 13:58:57 +0300 +Subject: ARM: tegra20: Store CPU "resettable" status in IRAM + +From: Dmitry Osipenko + +commit 4d48edb3c3e1234d6b3fcdfb9ac24d7c6de449cb upstream. + +Commit 7232398abc6a ("ARM: tegra: Convert PMC to a driver") changed tegra_resume() +location storing from late to early and, as a result, broke suspend on Tegra20. +PMC scratch register 41 is used by tegra LP1 resume code for retrieving stored +physical memory address of common resume function and in the same time used by +tegra20_cpu_shutdown() (shared by Tegra20 cpuidle driver and platform SMP code), +which is storing CPU1 "resettable" status. It implies strict order of scratch +register usage, otherwise resume function address is lost on Tegra20 after +disabling non-boot CPU's on suspend. Fix it by storing "resettable" status in +IRAM instead of PMC scratch register. + +Signed-off-by: Dmitry Osipenko +Fixes: 7232398abc6a (ARM: tegra: Convert PMC to a driver) +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-tegra/cpuidle-tegra20.c | 5 +--- + arch/arm/mach-tegra/reset-handler.S | 10 ++++++--- + arch/arm/mach-tegra/reset.h | 4 +++ + arch/arm/mach-tegra/sleep-tegra20.S | 37 +++++++++++++++++++--------------- + arch/arm/mach-tegra/sleep.h | 4 +++ + 5 files changed, 38 insertions(+), 22 deletions(-) + +--- a/arch/arm/mach-tegra/cpuidle-tegra20.c ++++ b/arch/arm/mach-tegra/cpuidle-tegra20.c +@@ -35,6 +35,7 @@ + #include "iomap.h" + #include "irq.h" + #include "pm.h" ++#include "reset.h" + #include "sleep.h" + + #ifdef CONFIG_PM_SLEEP +@@ -71,15 +72,13 @@ static struct cpuidle_driver tegra_idle_ + + #ifdef CONFIG_PM_SLEEP + #ifdef CONFIG_SMP +-static void __iomem *pmc = IO_ADDRESS(TEGRA_PMC_BASE); +- + static int tegra20_reset_sleeping_cpu_1(void) + { + int ret = 0; + + tegra_pen_lock(); + +- if (readl(pmc + PMC_SCRATCH41) == CPU_RESETTABLE) ++ if (readb(tegra20_cpu1_resettable_status) == CPU_RESETTABLE) + tegra20_cpu_shutdown(1); + else + ret = -EINVAL; +--- a/arch/arm/mach-tegra/reset-handler.S ++++ b/arch/arm/mach-tegra/reset-handler.S +@@ -169,10 +169,10 @@ after_errata: + cmp r6, #TEGRA20 + bne 1f + /* If not CPU0, don't let CPU0 reset CPU1 now that CPU1 is coming up. */ +- mov32 r5, TEGRA_PMC_BASE +- mov r0, #0 ++ mov32 r5, TEGRA_IRAM_BASE + TEGRA_IRAM_RESET_HANDLER_OFFSET ++ mov r0, #CPU_NOT_RESETTABLE + cmp r10, #0 +- strne r0, [r5, #PMC_SCRATCH41] ++ strneb r0, [r5, #__tegra20_cpu1_resettable_status_offset] + 1: + #endif + +@@ -281,6 +281,10 @@ __tegra_cpu_reset_handler_data: + .rept TEGRA_RESET_DATA_SIZE + .long 0 + .endr ++ .globl __tegra20_cpu1_resettable_status_offset ++ .equ __tegra20_cpu1_resettable_status_offset, \ ++ . - __tegra_cpu_reset_handler_start ++ .byte 0 + .align L1_CACHE_SHIFT + + ENTRY(__tegra_cpu_reset_handler_end) +--- a/arch/arm/mach-tegra/reset.h ++++ b/arch/arm/mach-tegra/reset.h +@@ -35,6 +35,7 @@ extern unsigned long __tegra_cpu_reset_h + + void __tegra_cpu_reset_handler_start(void); + void __tegra_cpu_reset_handler(void); ++void __tegra20_cpu1_resettable_status_offset(void); + void __tegra_cpu_reset_handler_end(void); + void tegra_secondary_startup(void); + +@@ -47,6 +48,9 @@ void tegra_secondary_startup(void); + (IO_ADDRESS(TEGRA_IRAM_BASE + TEGRA_IRAM_RESET_HANDLER_OFFSET + \ + ((u32)&__tegra_cpu_reset_handler_data[TEGRA_RESET_MASK_LP2] - \ + (u32)__tegra_cpu_reset_handler_start))) ++#define tegra20_cpu1_resettable_status \ ++ (IO_ADDRESS(TEGRA_IRAM_BASE + TEGRA_IRAM_RESET_HANDLER_OFFSET + \ ++ (u32)__tegra20_cpu1_resettable_status_offset)) + #endif + + #define tegra_cpu_reset_handler_offset \ +--- a/arch/arm/mach-tegra/sleep-tegra20.S ++++ b/arch/arm/mach-tegra/sleep-tegra20.S +@@ -97,9 +97,10 @@ ENDPROC(tegra20_hotplug_shutdown) + ENTRY(tegra20_cpu_shutdown) + cmp r0, #0 + reteq lr @ must not be called for CPU 0 +- mov32 r1, TEGRA_PMC_VIRT + PMC_SCRATCH41 ++ mov32 r1, TEGRA_IRAM_RESET_BASE_VIRT ++ ldr r2, =__tegra20_cpu1_resettable_status_offset + mov r12, #CPU_RESETTABLE +- str r12, [r1] ++ strb r12, [r1, r2] + + cpu_to_halt_reg r1, r0 + ldr r3, =TEGRA_FLOW_CTRL_VIRT +@@ -182,38 +183,41 @@ ENDPROC(tegra_pen_unlock) + /* + * tegra20_cpu_clear_resettable(void) + * +- * Called to clear the "resettable soon" flag in PMC_SCRATCH41 when ++ * Called to clear the "resettable soon" flag in IRAM variable when + * it is expected that the secondary CPU will be idle soon. + */ + ENTRY(tegra20_cpu_clear_resettable) +- mov32 r1, TEGRA_PMC_VIRT + PMC_SCRATCH41 ++ mov32 r1, TEGRA_IRAM_RESET_BASE_VIRT ++ ldr r2, =__tegra20_cpu1_resettable_status_offset + mov r12, #CPU_NOT_RESETTABLE +- str r12, [r1] ++ strb r12, [r1, r2] + ret lr + ENDPROC(tegra20_cpu_clear_resettable) + + /* + * tegra20_cpu_set_resettable_soon(void) + * +- * Called to set the "resettable soon" flag in PMC_SCRATCH41 when ++ * Called to set the "resettable soon" flag in IRAM variable when + * it is expected that the secondary CPU will be idle soon. + */ + ENTRY(tegra20_cpu_set_resettable_soon) +- mov32 r1, TEGRA_PMC_VIRT + PMC_SCRATCH41 ++ mov32 r1, TEGRA_IRAM_RESET_BASE_VIRT ++ ldr r2, =__tegra20_cpu1_resettable_status_offset + mov r12, #CPU_RESETTABLE_SOON +- str r12, [r1] ++ strb r12, [r1, r2] + ret lr + ENDPROC(tegra20_cpu_set_resettable_soon) + + /* + * tegra20_cpu_is_resettable_soon(void) + * +- * Returns true if the "resettable soon" flag in PMC_SCRATCH41 has been ++ * Returns true if the "resettable soon" flag in IRAM variable has been + * set because it is expected that the secondary CPU will be idle soon. + */ + ENTRY(tegra20_cpu_is_resettable_soon) +- mov32 r1, TEGRA_PMC_VIRT + PMC_SCRATCH41 +- ldr r12, [r1] ++ mov32 r1, TEGRA_IRAM_RESET_BASE_VIRT ++ ldr r2, =__tegra20_cpu1_resettable_status_offset ++ ldrb r12, [r1, r2] + cmp r12, #CPU_RESETTABLE_SOON + moveq r0, #1 + movne r0, #0 +@@ -256,9 +260,10 @@ ENTRY(tegra20_sleep_cpu_secondary_finish + mov r0, #TEGRA_FLUSH_CACHE_LOUIS + bl tegra_disable_clean_inv_dcache + +- mov32 r0, TEGRA_PMC_VIRT + PMC_SCRATCH41 ++ mov32 r0, TEGRA_IRAM_RESET_BASE_VIRT ++ ldr r4, =__tegra20_cpu1_resettable_status_offset + mov r3, #CPU_RESETTABLE +- str r3, [r0] ++ strb r3, [r0, r4] + + bl tegra_cpu_do_idle + +@@ -274,10 +279,10 @@ ENTRY(tegra20_sleep_cpu_secondary_finish + + bl tegra_pen_lock + +- mov32 r3, TEGRA_PMC_VIRT +- add r0, r3, #PMC_SCRATCH41 ++ mov32 r0, TEGRA_IRAM_RESET_BASE_VIRT ++ ldr r4, =__tegra20_cpu1_resettable_status_offset + mov r3, #CPU_NOT_RESETTABLE +- str r3, [r0] ++ strb r3, [r0, r4] + + bl tegra_pen_unlock + +--- a/arch/arm/mach-tegra/sleep.h ++++ b/arch/arm/mach-tegra/sleep.h +@@ -18,6 +18,7 @@ + #define __MACH_TEGRA_SLEEP_H + + #include "iomap.h" ++#include "irammap.h" + + #define TEGRA_ARM_PERIF_VIRT (TEGRA_ARM_PERIF_BASE - IO_CPU_PHYS \ + + IO_CPU_VIRT) +@@ -29,6 +30,9 @@ + + IO_APB_VIRT) + #define TEGRA_PMC_VIRT (TEGRA_PMC_BASE - IO_APB_PHYS + IO_APB_VIRT) + ++#define TEGRA_IRAM_RESET_BASE_VIRT (IO_IRAM_VIRT + \ ++ TEGRA_IRAM_RESET_HANDLER_OFFSET) ++ + /* PMC_SCRATCH37-39 and 41 are used for tegra_pen_lock and idle */ + #define PMC_SCRATCH37 0x130 + #define PMC_SCRATCH38 0x134 diff --git a/queue-4.0/crypto-talitos-avoid-memleak-in-talitos_alg_alloc.patch b/queue-4.0/crypto-talitos-avoid-memleak-in-talitos_alg_alloc.patch new file mode 100644 index 00000000000..40426cac158 --- /dev/null +++ b/queue-4.0/crypto-talitos-avoid-memleak-in-talitos_alg_alloc.patch @@ -0,0 +1,28 @@ +From 5fa7dadc898567ce14d6d6d427e7bd8ce6eb5d39 Mon Sep 17 00:00:00 2001 +From: Horia Geant? +Date: Mon, 11 May 2015 20:03:24 +0300 +Subject: crypto: talitos - avoid memleak in talitos_alg_alloc() + +From: Horia Geant? + +commit 5fa7dadc898567ce14d6d6d427e7bd8ce6eb5d39 upstream. + +Fixes: 1d11911a8c57 ("crypto: talitos - fix warning: 'alg' may be used uninitialized in this function") +Signed-off-by: Horia Geanta +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/talitos.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -2563,6 +2563,7 @@ static struct talitos_crypto_alg *talito + break; + default: + dev_err(dev, "unknown algorithm type %d\n", t_alg->algt.type); ++ kfree(t_alg); + return ERR_PTR(-EINVAL); + } + diff --git a/queue-4.0/fs-fix-s_nosec-handling.patch b/queue-4.0/fs-fix-s_nosec-handling.patch new file mode 100644 index 00000000000..bf271aedf1d --- /dev/null +++ b/queue-4.0/fs-fix-s_nosec-handling.patch @@ -0,0 +1,36 @@ +From 2426f3910069ed47c0cc58559a6d088af7920201 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 21 May 2015 16:05:52 +0200 +Subject: fs: Fix S_NOSEC handling + +From: Jan Kara + +commit 2426f3910069ed47c0cc58559a6d088af7920201 upstream. + +file_remove_suid() could mistakenly set S_NOSEC inode bit when root was +modifying the file. As a result following writes to the file by ordinary +user would avoid clearing suid or sgid bits. + +Fix the bug by checking actual mode bits before setting S_NOSEC. + +Signed-off-by: Jan Kara +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/inode.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -1693,8 +1693,8 @@ int file_remove_suid(struct file *file) + error = security_inode_killpriv(dentry); + if (!error && killsuid) + error = __remove_suid(dentry, killsuid); +- if (!error && (inode->i_sb->s_flags & MS_NOSEC)) +- inode->i_flags |= S_NOSEC; ++ if (!error) ++ inode_has_no_xattr(inode); + + return error; + } diff --git a/queue-4.0/fs-ufs-restore-s_lock-mutex.patch b/queue-4.0/fs-ufs-restore-s_lock-mutex.patch new file mode 100644 index 00000000000..f1720976624 --- /dev/null +++ b/queue-4.0/fs-ufs-restore-s_lock-mutex.patch @@ -0,0 +1,325 @@ +From cdd9eefdf905e92e7fc6cc393314efe68dc6ff66 Mon Sep 17 00:00:00 2001 +From: Fabian Frederick +Date: Wed, 10 Jun 2015 10:09:32 +1000 +Subject: fs/ufs: restore s_lock mutex + +From: Fabian Frederick + +commit cdd9eefdf905e92e7fc6cc393314efe68dc6ff66 upstream. + +Commit 0244756edc4b98c ("ufs: sb mutex merge + mutex_destroy") generated +deadlocks in read/write mode on mkdir. + +This patch partially reverts it keeping fixes by Andrew Morton and +mutex_destroy() + +[AV: fixed a missing bit in ufs_remount()] + +Signed-off-by: Fabian Frederick +Reported-by: Ian Campbell +Suggested-by: Jan Kara +Cc: Ian Campbell +Cc: Evgeniy Dushistov +Cc: Alexey Khoroshilov +Cc: Roger Pau Monne +Cc: Ian Jackson +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ufs/balloc.c | 34 +++++++++++++++++----------------- + fs/ufs/ialloc.c | 16 ++++++++-------- + fs/ufs/super.c | 10 ++++++++++ + fs/ufs/ufs.h | 1 + + 4 files changed, 36 insertions(+), 25 deletions(-) + +--- a/fs/ufs/balloc.c ++++ b/fs/ufs/balloc.c +@@ -51,8 +51,8 @@ void ufs_free_fragments(struct inode *in + + if (ufs_fragnum(fragment) + count > uspi->s_fpg) + ufs_error (sb, "ufs_free_fragments", "internal error"); +- +- lock_ufs(sb); ++ ++ mutex_lock(&UFS_SB(sb)->s_lock); + + cgno = ufs_dtog(uspi, fragment); + bit = ufs_dtogd(uspi, fragment); +@@ -115,13 +115,13 @@ void ufs_free_fragments(struct inode *in + if (sb->s_flags & MS_SYNCHRONOUS) + ubh_sync_block(UCPI_UBH(ucpi)); + ufs_mark_sb_dirty(sb); +- +- unlock_ufs(sb); ++ ++ mutex_unlock(&UFS_SB(sb)->s_lock); + UFSD("EXIT\n"); + return; + + failed: +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + UFSD("EXIT (FAILED)\n"); + return; + } +@@ -151,7 +151,7 @@ void ufs_free_blocks(struct inode *inode + goto failed; + } + +- lock_ufs(sb); ++ mutex_lock(&UFS_SB(sb)->s_lock); + + do_more: + overflow = 0; +@@ -211,12 +211,12 @@ do_more: + } + + ufs_mark_sb_dirty(sb); +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + UFSD("EXIT\n"); + return; + + failed_unlock: +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + failed: + UFSD("EXIT (FAILED)\n"); + return; +@@ -357,7 +357,7 @@ u64 ufs_new_fragments(struct inode *inod + usb1 = ubh_get_usb_first(uspi); + *err = -ENOSPC; + +- lock_ufs(sb); ++ mutex_lock(&UFS_SB(sb)->s_lock); + tmp = ufs_data_ptr_to_cpu(sb, p); + + if (count + ufs_fragnum(fragment) > uspi->s_fpb) { +@@ -378,19 +378,19 @@ u64 ufs_new_fragments(struct inode *inod + "fragment %llu, tmp %llu\n", + (unsigned long long)fragment, + (unsigned long long)tmp); +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + return INVBLOCK; + } + if (fragment < UFS_I(inode)->i_lastfrag) { + UFSD("EXIT (ALREADY ALLOCATED)\n"); +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + return 0; + } + } + else { + if (tmp) { + UFSD("EXIT (ALREADY ALLOCATED)\n"); +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + return 0; + } + } +@@ -399,7 +399,7 @@ u64 ufs_new_fragments(struct inode *inod + * There is not enough space for user on the device + */ + if (!capable(CAP_SYS_RESOURCE) && ufs_freespace(uspi, UFS_MINFREE) <= 0) { +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + UFSD("EXIT (FAILED)\n"); + return 0; + } +@@ -424,7 +424,7 @@ u64 ufs_new_fragments(struct inode *inod + ufs_clear_frags(inode, result + oldcount, + newcount - oldcount, locked_page != NULL); + } +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + UFSD("EXIT, result %llu\n", (unsigned long long)result); + return result; + } +@@ -439,7 +439,7 @@ u64 ufs_new_fragments(struct inode *inod + fragment + count); + ufs_clear_frags(inode, result + oldcount, newcount - oldcount, + locked_page != NULL); +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + UFSD("EXIT, result %llu\n", (unsigned long long)result); + return result; + } +@@ -477,7 +477,7 @@ u64 ufs_new_fragments(struct inode *inod + *err = 0; + UFS_I(inode)->i_lastfrag = max(UFS_I(inode)->i_lastfrag, + fragment + count); +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + if (newcount < request) + ufs_free_fragments (inode, result + newcount, request - newcount); + ufs_free_fragments (inode, tmp, oldcount); +@@ -485,7 +485,7 @@ u64 ufs_new_fragments(struct inode *inod + return result; + } + +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + UFSD("EXIT (FAILED)\n"); + return 0; + } +--- a/fs/ufs/ialloc.c ++++ b/fs/ufs/ialloc.c +@@ -69,11 +69,11 @@ void ufs_free_inode (struct inode * inod + + ino = inode->i_ino; + +- lock_ufs(sb); ++ mutex_lock(&UFS_SB(sb)->s_lock); + + if (!((ino > 1) && (ino < (uspi->s_ncg * uspi->s_ipg )))) { + ufs_warning(sb, "ufs_free_inode", "reserved inode or nonexistent inode %u\n", ino); +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + return; + } + +@@ -81,7 +81,7 @@ void ufs_free_inode (struct inode * inod + bit = ufs_inotocgoff (ino); + ucpi = ufs_load_cylinder (sb, cg); + if (!ucpi) { +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + return; + } + ucg = ubh_get_ucg(UCPI_UBH(ucpi)); +@@ -115,7 +115,7 @@ void ufs_free_inode (struct inode * inod + ubh_sync_block(UCPI_UBH(ucpi)); + + ufs_mark_sb_dirty(sb); +- unlock_ufs(sb); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + UFSD("EXIT\n"); + } + +@@ -193,7 +193,7 @@ struct inode *ufs_new_inode(struct inode + sbi = UFS_SB(sb); + uspi = sbi->s_uspi; + +- lock_ufs(sb); ++ mutex_lock(&sbi->s_lock); + + /* + * Try to place the inode in its parent directory +@@ -331,21 +331,21 @@ cg_found: + sync_dirty_buffer(bh); + brelse(bh); + } +- unlock_ufs(sb); ++ mutex_unlock(&sbi->s_lock); + + UFSD("allocating inode %lu\n", inode->i_ino); + UFSD("EXIT\n"); + return inode; + + fail_remove_inode: +- unlock_ufs(sb); ++ mutex_unlock(&sbi->s_lock); + clear_nlink(inode); + unlock_new_inode(inode); + iput(inode); + UFSD("EXIT (FAILED): err %d\n", err); + return ERR_PTR(err); + failed: +- unlock_ufs(sb); ++ mutex_unlock(&sbi->s_lock); + make_bad_inode(inode); + iput (inode); + UFSD("EXIT (FAILED): err %d\n", err); +--- a/fs/ufs/super.c ++++ b/fs/ufs/super.c +@@ -694,6 +694,7 @@ static int ufs_sync_fs(struct super_bloc + unsigned flags; + + lock_ufs(sb); ++ mutex_lock(&UFS_SB(sb)->s_lock); + + UFSD("ENTER\n"); + +@@ -711,6 +712,7 @@ static int ufs_sync_fs(struct super_bloc + ufs_put_cstotal(sb); + + UFSD("EXIT\n"); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + unlock_ufs(sb); + + return 0; +@@ -1277,6 +1279,7 @@ static int ufs_remount (struct super_blo + + sync_filesystem(sb); + lock_ufs(sb); ++ mutex_lock(&UFS_SB(sb)->s_lock); + uspi = UFS_SB(sb)->s_uspi; + flags = UFS_SB(sb)->s_flags; + usb1 = ubh_get_usb_first(uspi); +@@ -1290,6 +1293,7 @@ static int ufs_remount (struct super_blo + new_mount_opt = 0; + ufs_set_opt (new_mount_opt, ONERROR_LOCK); + if (!ufs_parse_options (data, &new_mount_opt)) { ++ mutex_unlock(&UFS_SB(sb)->s_lock); + unlock_ufs(sb); + return -EINVAL; + } +@@ -1297,12 +1301,14 @@ static int ufs_remount (struct super_blo + new_mount_opt |= ufstype; + } else if ((new_mount_opt & UFS_MOUNT_UFSTYPE) != ufstype) { + pr_err("ufstype can't be changed during remount\n"); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + unlock_ufs(sb); + return -EINVAL; + } + + if ((*mount_flags & MS_RDONLY) == (sb->s_flags & MS_RDONLY)) { + UFS_SB(sb)->s_mount_opt = new_mount_opt; ++ mutex_unlock(&UFS_SB(sb)->s_lock); + unlock_ufs(sb); + return 0; + } +@@ -1326,6 +1332,7 @@ static int ufs_remount (struct super_blo + */ + #ifndef CONFIG_UFS_FS_WRITE + pr_err("ufs was compiled with read-only support, can't be mounted as read-write\n"); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + unlock_ufs(sb); + return -EINVAL; + #else +@@ -1335,11 +1342,13 @@ static int ufs_remount (struct super_blo + ufstype != UFS_MOUNT_UFSTYPE_SUNx86 && + ufstype != UFS_MOUNT_UFSTYPE_UFS2) { + pr_err("this ufstype is read-only supported\n"); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + unlock_ufs(sb); + return -EINVAL; + } + if (!ufs_read_cylinder_structures(sb)) { + pr_err("failed during remounting\n"); ++ mutex_unlock(&UFS_SB(sb)->s_lock); + unlock_ufs(sb); + return -EPERM; + } +@@ -1347,6 +1356,7 @@ static int ufs_remount (struct super_blo + #endif + } + UFS_SB(sb)->s_mount_opt = new_mount_opt; ++ mutex_unlock(&UFS_SB(sb)->s_lock); + unlock_ufs(sb); + return 0; + } +--- a/fs/ufs/ufs.h ++++ b/fs/ufs/ufs.h +@@ -30,6 +30,7 @@ struct ufs_sb_info { + int work_queued; /* non-zero if the delayed work is queued */ + struct delayed_work sync_work; /* FS sync delayed work */ + spinlock_t work_lock; /* protects sync_work and work_queued */ ++ struct mutex s_lock; + }; + + struct ufs_inode_info { diff --git a/queue-4.0/fs-ufs-revert-ufs-fix-deadlocks-introduced-by-sb-mutex-merge.patch b/queue-4.0/fs-ufs-revert-ufs-fix-deadlocks-introduced-by-sb-mutex-merge.patch new file mode 100644 index 00000000000..069482de881 --- /dev/null +++ b/queue-4.0/fs-ufs-revert-ufs-fix-deadlocks-introduced-by-sb-mutex-merge.patch @@ -0,0 +1,93 @@ +From 13b987ea275840d74d9df9a44326632fab1894da Mon Sep 17 00:00:00 2001 +From: Fabian Frederick +Date: Wed, 10 Jun 2015 10:09:32 +1000 +Subject: fs/ufs: revert "ufs: fix deadlocks introduced by sb mutex merge" + +From: Fabian Frederick + +commit 13b987ea275840d74d9df9a44326632fab1894da upstream. + +This reverts commit 9ef7db7f38d0 ("ufs: fix deadlocks introduced by sb +mutex merge") That patch tried to solve commit 0244756edc4b98c ("ufs: sb +mutex merge + mutex_destroy") which is itself partially reverted due to +multiple deadlocks. + +Signed-off-by: Fabian Frederick +Suggested-by: Jan Kara +Cc: Ian Campbell +Cc: Evgeniy Dushistov +Cc: Alexey Khoroshilov +Cc: Roger Pau Monne +Cc: Ian Jackson +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ufs/inode.c | 5 ++++- + fs/ufs/namei.c | 14 ++++++++------ + 2 files changed, 12 insertions(+), 7 deletions(-) + +--- a/fs/ufs/inode.c ++++ b/fs/ufs/inode.c +@@ -902,6 +902,9 @@ void ufs_evict_inode(struct inode * inod + invalidate_inode_buffers(inode); + clear_inode(inode); + +- if (want_delete) ++ if (want_delete) { ++ lock_ufs(inode->i_sb); + ufs_free_inode(inode); ++ unlock_ufs(inode->i_sb); ++ } + } +--- a/fs/ufs/namei.c ++++ b/fs/ufs/namei.c +@@ -128,12 +128,12 @@ static int ufs_symlink (struct inode * d + if (l > sb->s_blocksize) + goto out_notlocked; + ++ lock_ufs(dir->i_sb); + inode = ufs_new_inode(dir, S_IFLNK | S_IRWXUGO); + err = PTR_ERR(inode); + if (IS_ERR(inode)) +- goto out_notlocked; ++ goto out; + +- lock_ufs(dir->i_sb); + if (l > UFS_SB(sb)->s_uspi->s_maxsymlinklen) { + /* slow symlink */ + inode->i_op = &ufs_symlink_inode_operations; +@@ -184,9 +184,13 @@ static int ufs_mkdir(struct inode * dir, + struct inode * inode; + int err; + ++ lock_ufs(dir->i_sb); ++ inode_inc_link_count(dir); ++ + inode = ufs_new_inode(dir, S_IFDIR|mode); ++ err = PTR_ERR(inode); + if (IS_ERR(inode)) +- return PTR_ERR(inode); ++ goto out_dir; + + inode->i_op = &ufs_dir_inode_operations; + inode->i_fop = &ufs_dir_operations; +@@ -194,9 +198,6 @@ static int ufs_mkdir(struct inode * dir, + + inode_inc_link_count(inode); + +- lock_ufs(dir->i_sb); +- inode_inc_link_count(dir); +- + err = ufs_make_empty(inode, dir); + if (err) + goto out_fail; +@@ -215,6 +216,7 @@ out_fail: + inode_dec_link_count(inode); + unlock_new_inode(inode); + iput (inode); ++out_dir: + inode_dec_link_count(dir); + unlock_ufs(dir->i_sb); + goto out; diff --git a/queue-4.0/intel_pstate-set-byt-msr-with-wrmsrl_on_cpu.patch b/queue-4.0/intel_pstate-set-byt-msr-with-wrmsrl_on_cpu.patch new file mode 100644 index 00000000000..3691101c60b --- /dev/null +++ b/queue-4.0/intel_pstate-set-byt-msr-with-wrmsrl_on_cpu.patch @@ -0,0 +1,37 @@ +From 0dd23f94251f49da99a6cbfb22418b2d757d77d6 Mon Sep 17 00:00:00 2001 +From: Joe Konno +Date: Tue, 12 May 2015 07:59:42 -0700 +Subject: intel_pstate: set BYT MSR with wrmsrl_on_cpu() + +From: Joe Konno + +commit 0dd23f94251f49da99a6cbfb22418b2d757d77d6 upstream. + +Commit 007bea098b86 (intel_pstate: Add setting voltage value for +baytrail P states.) introduced byt_set_pstate() with the assumption that +it would always be run by the CPU whose MSR is to be written by it. It +turns out, however, that is not always the case in practice, so modify +byt_set_pstate() to enforce the MSR write done by it to always happen on +the right CPU. + +Fixes: 007bea098b86 (intel_pstate: Add setting voltage value for baytrail P states.) +Signed-off-by: Joe Konno +Acked-by: Kristen Carlson Accardi +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/intel_pstate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -534,7 +534,7 @@ static void byt_set_pstate(struct cpudat + + val |= vid; + +- wrmsrl(MSR_IA32_PERF_CTL, val); ++ wrmsrl_on_cpu(cpudata->cpu, MSR_IA32_PERF_CTL, val); + } + + #define BYT_BCLK_FREQS 5 diff --git a/queue-4.0/iommu-amd-handle-large-pages-correctly-in-free_pagetable.patch b/queue-4.0/iommu-amd-handle-large-pages-correctly-in-free_pagetable.patch new file mode 100644 index 00000000000..a101639885a --- /dev/null +++ b/queue-4.0/iommu-amd-handle-large-pages-correctly-in-free_pagetable.patch @@ -0,0 +1,38 @@ +From 0b3fff54bc01e8e6064d222a33e6fa7adabd94cd Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Thu, 18 Jun 2015 10:48:34 +0200 +Subject: iommu/amd: Handle large pages correctly in free_pagetable + +From: Joerg Roedel + +commit 0b3fff54bc01e8e6064d222a33e6fa7adabd94cd upstream. + +Make sure that we are skipping over large PTEs while walking +the page-table tree. + +Fixes: 5c34c403b723 ("iommu/amd: Fix memory leak in free_pagetable") +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/amd_iommu.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -1870,9 +1870,15 @@ static void free_pt_##LVL (unsigned long + pt = (u64 *)__pt; \ + \ + for (i = 0; i < 512; ++i) { \ ++ /* PTE present? */ \ + if (!IOMMU_PTE_PRESENT(pt[i])) \ + continue; \ + \ ++ /* Large PTE? */ \ ++ if (PM_PTE_LEVEL(pt[i]) == 0 || \ ++ PM_PTE_LEVEL(pt[i]) == 7) \ ++ continue; \ ++ \ + p = (unsigned long)IOMMU_PTE_PAGE(pt[i]); \ + FN(p); \ + } \ diff --git a/queue-4.0/iommu-arm-smmu-fix-broken-atos-check.patch b/queue-4.0/iommu-arm-smmu-fix-broken-atos-check.patch new file mode 100644 index 00000000000..19fd813bd7d --- /dev/null +++ b/queue-4.0/iommu-arm-smmu-fix-broken-atos-check.patch @@ -0,0 +1,36 @@ +From d38f0ff9ab35414644995bae187d015c31aae19c Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Mon, 29 Jun 2015 17:47:42 +0100 +Subject: iommu/arm-smmu: Fix broken ATOS check + +From: Will Deacon + +commit d38f0ff9ab35414644995bae187d015c31aae19c upstream. + +Commit 83a60ed8f0b5 ("iommu/arm-smmu: fix ARM_SMMU_FEAT_TRANS_OPS +condition") accidentally negated the ID0_ATOSNS predicate in the ATOS +feature check, causing the driver to attempt ATOS requests on SMMUv2 +hardware without the ATOS feature implemented. + +This patch restores the predicate to the correct value. + +Reported-by: Varun Sethi +Signed-off-by: Will Deacon +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/arm-smmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/arm-smmu.c ++++ b/drivers/iommu/arm-smmu.c +@@ -1533,7 +1533,7 @@ static int arm_smmu_device_cfg_probe(str + return -ENODEV; + } + +- if ((id & ID0_S1TS) && ((smmu->version == 1) || (id & ID0_ATOSNS))) { ++ if ((id & ID0_S1TS) && ((smmu->version == 1) || !(id & ID0_ATOSNS))) { + smmu->features |= ARM_SMMU_FEAT_TRANS_OPS; + dev_notice(smmu->dev, "\taddress translation ops\n"); + } diff --git a/queue-4.0/kvm-mips-use-id_to_memslot-correctly.patch b/queue-4.0/kvm-mips-use-id_to_memslot-correctly.patch new file mode 100644 index 00000000000..95191e8d27c --- /dev/null +++ b/queue-4.0/kvm-mips-use-id_to_memslot-correctly.patch @@ -0,0 +1,31 @@ +From 69a1220060c1523fd0515216eaa29e22f133b894 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 18 May 2015 08:35:43 +0200 +Subject: KVM: mips: use id_to_memslot correctly + +From: Paolo Bonzini + +commit 69a1220060c1523fd0515216eaa29e22f133b894 upstream. + +The argument to KVM_GET_DIRTY_LOG is a memslot id; it may not match the +position in the memslots array, which is sorted by gfn. + +Reviewed-by: James Hogan +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kvm/mips.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/kvm/mips.c ++++ b/arch/mips/kvm/mips.c +@@ -785,7 +785,7 @@ int kvm_vm_ioctl_get_dirty_log(struct kv + + /* If nothing is dirty, don't bother messing with page tables. */ + if (is_dirty) { +- memslot = &kvm->memslots->memslots[log->slot]; ++ memslot = id_to_memslot(kvm->memslots, log->slot); + + ga = memslot->base_gfn << PAGE_SHIFT; + ga_end = ga + (memslot->npages << PAGE_SHIFT); diff --git a/queue-4.0/kvm-s390-fix-external-call-injection-without-sigp-interpretation.patch b/queue-4.0/kvm-s390-fix-external-call-injection-without-sigp-interpretation.patch new file mode 100644 index 00000000000..1a65215f193 --- /dev/null +++ b/queue-4.0/kvm-s390-fix-external-call-injection-without-sigp-interpretation.patch @@ -0,0 +1,44 @@ +From b938eacea0b6881f2116a061e6da3ec840e75137 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Thu, 30 Apr 2015 13:33:59 +0200 +Subject: KVM: s390: fix external call injection without sigp interpretation + +From: David Hildenbrand + +commit b938eacea0b6881f2116a061e6da3ec840e75137 upstream. + +Commit ea5f49692575 ("KVM: s390: only one external call may be pending +at a time") introduced a bug on machines that don't have SIGP +interpretation facility installed. +The injection of an external call will now always fail with -EBUSY +(if none is already pending). + +This leads to the following symptoms: +- An external call will be injected but with the wrong "src cpu id", + as this id will not be remembered. +- The target vcpu will not be woken up, therefore the guest will hang if + it cannot deal with unexpected failures of the SIGP EXTERNAL CALL + instruction. +- If an external call is already pending, -EBUSY will not be reported. + +Reviewed-by: Christian Borntraeger +Reviewed-by: Jens Freimann +Signed-off-by: David Hildenbrand +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/interrupt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -1037,7 +1037,7 @@ static int __inject_extcall(struct kvm_v + if (sclp_has_sigpif()) + return __inject_extcall_sigpif(vcpu, src_id); + +- if (!test_and_set_bit(IRQ_PEND_EXT_EXTERNAL, &li->pending_irqs)) ++ if (test_and_set_bit(IRQ_PEND_EXT_EXTERNAL, &li->pending_irqs)) + return -EBUSY; + *extcall = irq->u.extcall; + atomic_set_mask(CPUSTAT_EXT_INT, li->cpuflags); diff --git a/queue-4.0/kvm-s390-virtio-ccw-don-t-overwrite-config-space-values.patch b/queue-4.0/kvm-s390-virtio-ccw-don-t-overwrite-config-space-values.patch new file mode 100644 index 00000000000..9e12fd2339f --- /dev/null +++ b/queue-4.0/kvm-s390-virtio-ccw-don-t-overwrite-config-space-values.patch @@ -0,0 +1,72 @@ +From 431dae778aea4eed31bd12e5ee82edc571cd4d70 Mon Sep 17 00:00:00 2001 +From: Cornelia Huck +Date: Mon, 29 Jun 2015 16:44:01 +0200 +Subject: KVM: s390: virtio-ccw: don't overwrite config space values + +From: Cornelia Huck + +commit 431dae778aea4eed31bd12e5ee82edc571cd4d70 upstream. + +Eric noticed problems with vhost-scsi and virtio-ccw: vhost-scsi +complained about overwriting values in the config space, which +was triggered by a broken implementation of virtio-ccw's config +get/set routines. It was probably sheer luck that we did not hit +this before. + +When writing a value to the config space, the WRITE_CONF ccw will +always write from the beginning of the config space up to and +including the value to be set. If the config space up to the value +has not yet been retrieved from the device, however, we'll end up +overwriting values. Keep track of the known config space and update +if needed to avoid this. + +Moreover, READ_CONF will only read the number of bytes it has been +instructed to retrieve, so we must not copy more than that to the +buffer, or we might overwrite trailing values. + +Reported-by: Eric Farman +Signed-off-by: Cornelia Huck +Reviewed-by: Eric Farman +Tested-by: Eric Farman +Signed-off-by: Christian Borntraeger +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/kvm/virtio_ccw.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/s390/kvm/virtio_ccw.c ++++ b/drivers/s390/kvm/virtio_ccw.c +@@ -65,6 +65,7 @@ struct virtio_ccw_device { + bool is_thinint; + bool going_away; + bool device_lost; ++ unsigned int config_ready; + void *airq_info; + }; + +@@ -833,8 +834,11 @@ static void virtio_ccw_get_config(struct + if (ret) + goto out_free; + +- memcpy(vcdev->config, config_area, sizeof(vcdev->config)); +- memcpy(buf, &vcdev->config[offset], len); ++ memcpy(vcdev->config, config_area, offset + len); ++ if (buf) ++ memcpy(buf, &vcdev->config[offset], len); ++ if (vcdev->config_ready < offset + len) ++ vcdev->config_ready = offset + len; + + out_free: + kfree(config_area); +@@ -857,6 +861,9 @@ static void virtio_ccw_set_config(struct + if (!config_area) + goto out_free; + ++ /* Make sure we don't overwrite fields. */ ++ if (vcdev->config_ready < offset) ++ virtio_ccw_get_config(vdev, 0, NULL, offset); + memcpy(&vcdev->config[offset], buf, len); + /* Write the config area to the host. */ + memcpy(config_area, vcdev->config, sizeof(vcdev->config)); diff --git a/queue-4.0/kvm-x86-make-vapics_in_nmi_mode-atomic.patch b/queue-4.0/kvm-x86-make-vapics_in_nmi_mode-atomic.patch new file mode 100644 index 00000000000..3c2903493e0 --- /dev/null +++ b/queue-4.0/kvm-x86-make-vapics_in_nmi_mode-atomic.patch @@ -0,0 +1,64 @@ +From 42720138b06301cc8a7ee8a495a6d021c4b6a9bc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= +Date: Wed, 1 Jul 2015 15:31:49 +0200 +Subject: KVM: x86: make vapics_in_nmi_mode atomic +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= + +commit 42720138b06301cc8a7ee8a495a6d021c4b6a9bc upstream. + +Writes were a bit racy, but hard to turn into a bug at the same time. +(Particularly because modern Linux doesn't use this feature anymore.) + +Signed-off-by: Radim Krčmář +[Actually the next patch makes it much, much easier to trigger the race + so I'm including this one for stable@ as well. - Paolo] +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/kvm_host.h | 2 +- + arch/x86/kvm/i8254.c | 2 +- + arch/x86/kvm/lapic.c | 4 ++-- + 3 files changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -583,7 +583,7 @@ struct kvm_arch { + struct kvm_pic *vpic; + struct kvm_ioapic *vioapic; + struct kvm_pit *vpit; +- int vapics_in_nmi_mode; ++ atomic_t vapics_in_nmi_mode; + struct mutex apic_map_lock; + struct kvm_apic_map *apic_map; + +--- a/arch/x86/kvm/i8254.c ++++ b/arch/x86/kvm/i8254.c +@@ -305,7 +305,7 @@ static void pit_do_work(struct kthread_w + * LVT0 to NMI delivery. Other PIC interrupts are just sent to + * VCPU0, and only if its LVT0 is in EXTINT mode. + */ +- if (kvm->arch.vapics_in_nmi_mode > 0) ++ if (atomic_read(&kvm->arch.vapics_in_nmi_mode) > 0) + kvm_for_each_vcpu(i, vcpu, kvm) + kvm_apic_nmi_wd_deliver(vcpu); + } +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1224,10 +1224,10 @@ static void apic_manage_nmi_watchdog(str + if (!nmi_wd_enabled) { + apic_debug("Receive NMI setting on APIC_LVT0 " + "for cpu %d\n", apic->vcpu->vcpu_id); +- apic->vcpu->kvm->arch.vapics_in_nmi_mode++; ++ atomic_inc(&apic->vcpu->kvm->arch.vapics_in_nmi_mode); + } + } else if (nmi_wd_enabled) +- apic->vcpu->kvm->arch.vapics_in_nmi_mode--; ++ atomic_dec(&apic->vcpu->kvm->arch.vapics_in_nmi_mode); + } + + static int apic_reg_write(struct kvm_lapic *apic, u32 reg, u32 val) diff --git a/queue-4.0/kvm-x86-properly-restore-lvt0.patch b/queue-4.0/kvm-x86-properly-restore-lvt0.patch new file mode 100644 index 00000000000..79685c72ea4 --- /dev/null +++ b/queue-4.0/kvm-x86-properly-restore-lvt0.patch @@ -0,0 +1,33 @@ +From db1385624c686fe99fe2d1b61a36e1537b915d08 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= +Date: Tue, 30 Jun 2015 22:19:17 +0200 +Subject: KVM: x86: properly restore LVT0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= + +commit db1385624c686fe99fe2d1b61a36e1537b915d08 upstream. + +Legacy NMI watchdog didn't work after migration/resume, because +vapics_in_nmi_mode was left at 0. + +Signed-off-by: Radim Krčmář +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/lapic.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1784,6 +1784,7 @@ void kvm_apic_post_state_restore(struct + apic_update_ppr(apic); + hrtimer_cancel(&apic->lapic_timer.timer); + apic_update_lvtt(apic); ++ apic_manage_nmi_watchdog(apic, kvm_apic_get_reg(apic, APIC_LVT0)); + update_divide_count(apic); + start_apic_timer(apic); + apic->irr_pending = true; diff --git a/queue-4.0/mips-fix-kvm-guest-fixmap-address.patch b/queue-4.0/mips-fix-kvm-guest-fixmap-address.patch new file mode 100644 index 00000000000..3347868d1b1 --- /dev/null +++ b/queue-4.0/mips-fix-kvm-guest-fixmap-address.patch @@ -0,0 +1,41 @@ +From 8e748c8d09a9314eedb5c6367d9acfaacddcdc88 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Mon, 27 Apr 2015 15:07:16 +0100 +Subject: MIPS: Fix KVM guest fixmap address + +From: James Hogan + +commit 8e748c8d09a9314eedb5c6367d9acfaacddcdc88 upstream. + +KVM guest kernels for trap & emulate run in user mode, with a modified +set of kernel memory segments. However the fixmap address is still in +the normal KSeg3 region at 0xfffe0000 regardless, causing problems when +cache alias handling makes use of them when handling copy on write. + +Therefore define FIXADDR_TOP as 0x7ffe0000 in the guest kernel mapped +region when CONFIG_KVM_GUEST is defined. + +Signed-off-by: James Hogan +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/9887/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/mach-generic/spaces.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/mips/include/asm/mach-generic/spaces.h ++++ b/arch/mips/include/asm/mach-generic/spaces.h +@@ -94,7 +94,11 @@ + #endif + + #ifndef FIXADDR_TOP ++#ifdef CONFIG_KVM_GUEST ++#define FIXADDR_TOP ((unsigned long)(long)(int)0x7ffe0000) ++#else + #define FIXADDR_TOP ((unsigned long)(long)(int)0xfffe0000) + #endif ++#endif + + #endif /* __ASM_MACH_GENERIC_SPACES_H */ diff --git a/queue-4.0/mmc-sdhci-fix-low-memory-corruption.patch b/queue-4.0/mmc-sdhci-fix-low-memory-corruption.patch new file mode 100644 index 00000000000..3216417fff3 --- /dev/null +++ b/queue-4.0/mmc-sdhci-fix-low-memory-corruption.patch @@ -0,0 +1,55 @@ +From 62a7f368ffbc13d9aedfdd7aeae711b177db69ac Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Fri, 12 Jun 2015 11:45:02 +0200 +Subject: mmc: sdhci: fix low memory corruption + +From: Jiri Slaby + +commit 62a7f368ffbc13d9aedfdd7aeae711b177db69ac upstream. + +When dma mapping (dma_map_sg) fails in sdhci_pre_dma_transfer, -EINVAL +is returned. There are 3 callers of sdhci_pre_dma_transfer: +* sdhci_pre_req and sdhci_adma_table_pre: handle negative return +* sdhci_prepare_data: handles 0 (error) and "else" (good) only + +sdhci_prepare_data is therefore broken. When it receives -EINVAL from +sdhci_pre_dma_transfer, it assumes 1 sg mapping was mapped. Later, +this non-existent mapping with address 0 is kmap'ped and written to: +Corrupted low memory at ffff880000001000 (1000 phys) = 22b7d67df2f6d1cf +Corrupted low memory at ffff880000001008 (1008 phys) = 63848a5216b7dd95 +Corrupted low memory at ffff880000001010 (1010 phys) = 330eb7ddef39e427 +Corrupted low memory at ffff880000001018 (1018 phys) = 8017ac7295039bda +Corrupted low memory at ffff880000001020 (1020 phys) = 8ce039eac119074f +... + +So teach sdhci_prepare_data to understand negative return values from +sdhci_pre_dma_transfer and disable DMA in that case, as well as for +zero. + +It was introduced in 348487cb28e66b032bae1b38424d81bf5b444408 (mmc: +sdhci: use pipeline mmc requests to improve performance). The commit +seems to be suspicious also by assigning host->sg_count both in +sdhci_pre_dma_transfer and sdhci_adma_table_pre. + +Signed-off-by: Jiri Slaby +Fixes: 348487cb28e6 +Cc: Ulf Hansson +Cc: Haibo Chen +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -846,7 +846,7 @@ static void sdhci_prepare_data(struct sd + int sg_cnt; + + sg_cnt = sdhci_pre_dma_transfer(host, data, NULL); +- if (sg_cnt == 0) { ++ if (sg_cnt <= 0) { + /* + * This only happens when someone fed + * us an invalid request. diff --git a/queue-4.0/powerpc-perf-fix-book3s-kernel-to-userspace-backtraces.patch b/queue-4.0/powerpc-perf-fix-book3s-kernel-to-userspace-backtraces.patch new file mode 100644 index 00000000000..06c9ac2597a --- /dev/null +++ b/queue-4.0/powerpc-perf-fix-book3s-kernel-to-userspace-backtraces.patch @@ -0,0 +1,98 @@ +From 72e349f1124a114435e599479c9b8d14bfd1ebcd Mon Sep 17 00:00:00 2001 +From: Anton Blanchard +Date: Tue, 26 May 2015 15:10:24 +1000 +Subject: powerpc/perf: Fix book3s kernel to userspace backtraces + +From: Anton Blanchard + +commit 72e349f1124a114435e599479c9b8d14bfd1ebcd upstream. + +When we take a PMU exception or a software event we call +perf_read_regs(). This overloads regs->result with a boolean that +describes if we should use the sampled instruction address register +(SIAR) or the regs. + +If the exception is in kernel, we start with the kernel regs and +backtrace through the kernel stack. At this point we switch to the +userspace regs and backtrace the user stack with perf_callchain_user(). + +Unfortunately these regs have not got the perf_read_regs() treatment, +so regs->result could be anything. If it is non zero, +perf_instruction_pointer() decides to use the SIAR, and we get issues +like this: + +0.11% qemu-system-ppc [kernel.kallsyms] [k] _raw_spin_lock_irqsave + | + ---_raw_spin_lock_irqsave + | + |--52.35%-- 0 + | | + | |--46.39%-- __hrtimer_start_range_ns + | | kvmppc_run_core + | | kvmppc_vcpu_run_hv + | | kvmppc_vcpu_run + | | kvm_arch_vcpu_ioctl_run + | | kvm_vcpu_ioctl + | | do_vfs_ioctl + | | sys_ioctl + | | system_call + | | | + | | |--67.08%-- _raw_spin_lock_irqsave <--- hi mum + | | | | + | | | --100.00%-- 0x7e714 + | | | 0x7e714 + +Notice the bogus _raw_spin_irqsave when we transition from kernel +(system_call) to userspace (0x7e714). We inserted what was in the SIAR. + +Add a check in regs_use_siar() to check that the regs in question +are from a PMU exception. With this fix the backtrace makes sense: + + 0.47% qemu-system-ppc [kernel.vmlinux] [k] _raw_spin_lock_irqsave + | + ---_raw_spin_lock_irqsave + | + |--53.83%-- 0 + | | + | |--44.73%-- hrtimer_try_to_cancel + | | kvmppc_start_thread + | | kvmppc_run_core + | | kvmppc_vcpu_run_hv + | | kvmppc_vcpu_run + | | kvm_arch_vcpu_ioctl_run + | | kvm_vcpu_ioctl + | | do_vfs_ioctl + | | sys_ioctl + | | system_call + | | __ioctl + | | 0x7e714 + | | 0x7e714 + +Signed-off-by: Anton Blanchard +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/perf/core-book3s.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -131,7 +131,16 @@ static void pmao_restore_workaround(bool + + static bool regs_use_siar(struct pt_regs *regs) + { +- return !!regs->result; ++ /* ++ * When we take a performance monitor exception the regs are setup ++ * using perf_read_regs() which overloads some fields, in particular ++ * regs->result to tell us whether to use SIAR. ++ * ++ * However if the regs are from another exception, eg. a syscall, then ++ * they have not been setup using perf_read_regs() and so regs->result ++ * is something random. ++ */ ++ return ((TRAP(regs) == 0xf00) && regs->result); + } + + /* diff --git a/queue-4.0/revert-crypto-talitos-convert-to-use-be16_add_cpu.patch b/queue-4.0/revert-crypto-talitos-convert-to-use-be16_add_cpu.patch new file mode 100644 index 00000000000..257b385f5f5 --- /dev/null +++ b/queue-4.0/revert-crypto-talitos-convert-to-use-be16_add_cpu.patch @@ -0,0 +1,36 @@ +From 69d9cd8c592f1abce820dbce7181bbbf6812cfbd Mon Sep 17 00:00:00 2001 +From: Horia Geant? +Date: Mon, 11 May 2015 20:04:49 +0300 +Subject: Revert "crypto: talitos - convert to use be16_add_cpu()" + +From: Horia Geant? + +commit 69d9cd8c592f1abce820dbce7181bbbf6812cfbd upstream. + +This reverts commit 7291a932c6e27d9768e374e9d648086636daf61c. + +The conversion to be16_add_cpu() is incorrect in case cryptlen is +negative due to premature (i.e. before addition / subtraction) +implicit conversion of cryptlen (int -> u16) leading to sign loss. + +Cc: Wei Yongjun +Signed-off-by: Horia Geanta +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/talitos.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -927,7 +927,8 @@ static int sg_to_link_tbl(struct scatter + sg_count--; + link_tbl_ptr--; + } +- be16_add_cpu(&link_tbl_ptr->len, cryptlen); ++ link_tbl_ptr->len = cpu_to_be16(be16_to_cpu(link_tbl_ptr->len) ++ + cryptlen); + + /* tag end of link table */ + link_tbl_ptr->j_extent = DESC_PTR_LNKTBL_RETURN; diff --git a/queue-4.0/s390-kdump-fix-regset_vx_low-vector-register-elf-notes.patch b/queue-4.0/s390-kdump-fix-regset_vx_low-vector-register-elf-notes.patch new file mode 100644 index 00000000000..75ad38a2083 --- /dev/null +++ b/queue-4.0/s390-kdump-fix-regset_vx_low-vector-register-elf-notes.patch @@ -0,0 +1,35 @@ +From 3c8e5105e759e7b2d88ea8a85b1285e535bc7500 Mon Sep 17 00:00:00 2001 +From: Michael Holzheu +Date: Thu, 11 Jun 2015 19:59:04 +0200 +Subject: s390/kdump: fix REGSET_VX_LOW vector register ELF notes + +From: Michael Holzheu + +commit 3c8e5105e759e7b2d88ea8a85b1285e535bc7500 upstream. + +The REGSET_VX_LOW ELF notes should contain the lower 64 bit halfes of the +first sixteen 128 bit vector registers. Unfortunately currently we copy +the upper halfes. + +Fix this and correctly copy the lower halfes. + +Fixes: a62bc0739253 ("s390/kdump: add support for vector extension") +Signed-off-by: Michael Holzheu +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/crash_dump.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/kernel/crash_dump.c ++++ b/arch/s390/kernel/crash_dump.c +@@ -415,7 +415,7 @@ static void *nt_s390_vx_low(void *ptr, _ + ptr += len; + /* Copy lower halves of SIMD registers 0-15 */ + for (i = 0; i < 16; i++) { +- memcpy(ptr, &vx_regs[i], 8); ++ memcpy(ptr, &vx_regs[i].u[2], 8); + ptr += 8; + } + return ptr; diff --git a/queue-4.0/selinux-fix-setting-of-security-labels-on-nfs.patch b/queue-4.0/selinux-fix-setting-of-security-labels-on-nfs.patch new file mode 100644 index 00000000000..58968a15944 --- /dev/null +++ b/queue-4.0/selinux-fix-setting-of-security-labels-on-nfs.patch @@ -0,0 +1,45 @@ +From 9fc2b4b436cff7d8403034676014f1be9d534942 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Thu, 4 Jun 2015 15:57:25 -0400 +Subject: selinux: fix setting of security labels on NFS + +From: "J. Bruce Fields" + +commit 9fc2b4b436cff7d8403034676014f1be9d534942 upstream. + +Before calling into the filesystem, vfs_setxattr calls +security_inode_setxattr, which ends up calling selinux_inode_setxattr in +our case. That returns -EOPNOTSUPP whenever SBLABEL_MNT is not set. +SBLABEL_MNT was supposed to be set by sb_finish_set_opts, which sets it +only if selinux_is_sblabel_mnt returns true. + +The selinux_is_sblabel_mnt logic was broken by eadcabc697e9 "SELinux: do +all flags twiddling in one place", which didn't take into the account +the SECURITY_FS_USE_NATIVE behavior that had been introduced for nfs +with eb9ae686507b "SELinux: Add new labeling type native labels". + +This caused setxattr's of security labels over NFSv4.2 to fail. + +Cc: Eric Paris +Cc: David Quigley +Reported-by: Richard Chan +Signed-off-by: J. Bruce Fields +Acked-by: Stephen Smalley +[PM: added the stable dependency] +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/hooks.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -404,6 +404,7 @@ static int selinux_is_sblabel_mnt(struct + return sbsec->behavior == SECURITY_FS_USE_XATTR || + sbsec->behavior == SECURITY_FS_USE_TRANS || + sbsec->behavior == SECURITY_FS_USE_TASK || ++ sbsec->behavior == SECURITY_FS_USE_NATIVE || + /* Special handling. Genfs but also in-core setxattr handler */ + !strcmp(sb->s_type->name, "sysfs") || + !strcmp(sb->s_type->name, "pstore") || diff --git a/queue-4.0/series b/queue-4.0/series index d5f3cc1064b..bc8a2d081dd 100644 --- a/queue-4.0/series +++ b/queue-4.0/series @@ -26,3 +26,30 @@ arm-mvebu-update-ethernet-compatible-string-for-armada-xp.patch net-mvneta-disable-ip-checksum-with-jumbo-frames-for-armada-370.patch usb-gadget-f_fs-fix-check-in-read-operation.patch usb-gadget-f_fs-add-extra-check-before-unregister_gadget_item.patch +crypto-talitos-avoid-memleak-in-talitos_alg_alloc.patch +revert-crypto-talitos-convert-to-use-be16_add_cpu.patch +iommu-arm-smmu-fix-broken-atos-check.patch +iommu-amd-handle-large-pages-correctly-in-free_pagetable.patch +mmc-sdhci-fix-low-memory-corruption.patch +intel_pstate-set-byt-msr-with-wrmsrl_on_cpu.patch +selinux-fix-setting-of-security-labels-on-nfs.patch +arm-kvm-force-execution-of-hcptr-access-on-vm-exit.patch +arm-kvm-psci-fix-handling-of-unimplemented-functions.patch +arm-tegra20-store-cpu-resettable-status-in-iram.patch +arm-mvebu-fix-suspend-to-ram-on-big-endian-configurations.patch +tick-idle-powerpc-do-not-register-idle-states-with-cpuidle_flag_timer_stop-set-in-periodic-mode.patch +powerpc-perf-fix-book3s-kernel-to-userspace-backtraces.patch +x86-pci-use-host-bridge-_crs-info-on-systems-with-32-bit-addressing.patch +x86-pci-use-host-bridge-_crs-info-on-foxconn-k8m890-8237a.patch +kvm-mips-use-id_to_memslot-correctly.patch +mips-fix-kvm-guest-fixmap-address.patch +kvm-s390-fix-external-call-injection-without-sigp-interpretation.patch +s390-kdump-fix-regset_vx_low-vector-register-elf-notes.patch +kvm-s390-virtio-ccw-don-t-overwrite-config-space-values.patch +kvm-x86-properly-restore-lvt0.patch +kvm-x86-make-vapics_in_nmi_mode-atomic.patch +fs-fix-s_nosec-handling.patch +fs-ufs-revert-ufs-fix-deadlocks-introduced-by-sb-mutex-merge.patch +fs-ufs-restore-s_lock-mutex.patch +vfs-remove-incorrect-debugging-warn-in-prepend_path.patch +vfs-ignore-unlocked-mounts-in-fs_fully_visible.patch diff --git a/queue-4.0/tick-idle-powerpc-do-not-register-idle-states-with-cpuidle_flag_timer_stop-set-in-periodic-mode.patch b/queue-4.0/tick-idle-powerpc-do-not-register-idle-states-with-cpuidle_flag_timer_stop-set-in-periodic-mode.patch new file mode 100644 index 00000000000..4119becf743 --- /dev/null +++ b/queue-4.0/tick-idle-powerpc-do-not-register-idle-states-with-cpuidle_flag_timer_stop-set-in-periodic-mode.patch @@ -0,0 +1,86 @@ +From cc5a2f7b8f39e7db559778f7913a2410257b3e50 Mon Sep 17 00:00:00 2001 +From: preeti +Date: Wed, 24 Jun 2015 01:48:01 -0500 +Subject: tick/idle/powerpc: Do not register idle states with CPUIDLE_FLAG_TIMER_STOP set in periodic mode + +From: preeti + +commit cc5a2f7b8f39e7db559778f7913a2410257b3e50 upstream. + +On some archs, the local clockevent device stops in deep cpuidle states. +The broadcast framework is used to wakeup cpus in these idle states, in +which either an external clockevent device is used to send wakeup ipis +or the hrtimer broadcast framework kicks in in the absence of such a +device. One cpu is nominated as the broadcast cpu and this cpu sends +wakeup ipis to sleeping cpus at the appropriate time. This is the +implementation in the oneshot mode of broadcast. + +In periodic mode of broadcast however, the presence of such cpuidle +states results in the cpuidle driver calling tick_broadcast_enable() +which shuts down the local clockevent devices of all the cpus and +appoints the tick broadcast device as the clockevent device for each of +them. This works on those archs where the tick broadcast device is a +real clockevent device. But on archs which depend on the hrtimer mode +of broadcast, the tick broadcast device hapens to be a pseudo device. +The consequence is that the local clockevent devices of all cpus are +shutdown and the kernel hangs at boot time in periodic mode. + +Let us thus not register the cpuidle states which have +CPUIDLE_FLAG_TIMER_STOP flag set, on archs which depend on the hrtimer +mode of broadcast in periodic mode. This patch takes care of doing this +on powerpc. The cpus would not have entered into such deep cpuidle +states in periodic mode on powerpc anyway. So there is no loss here. + +Signed-off-by: Preeti U Murthy +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpuidle/cpuidle-powernv.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/cpuidle/cpuidle-powernv.c ++++ b/drivers/cpuidle/cpuidle-powernv.c +@@ -60,6 +60,8 @@ static int nap_loop(struct cpuidle_devic + return index; + } + ++/* Register for fastsleep only in oneshot mode of broadcast */ ++#ifdef CONFIG_TICK_ONESHOT + static int fastsleep_loop(struct cpuidle_device *dev, + struct cpuidle_driver *drv, + int index) +@@ -83,7 +85,7 @@ static int fastsleep_loop(struct cpuidle + + return index; + } +- ++#endif + /* + * States for dedicated partition case. + */ +@@ -209,7 +211,14 @@ static int powernv_add_idle_states(void) + powernv_states[nr_idle_states].flags = 0; + powernv_states[nr_idle_states].target_residency = 100; + powernv_states[nr_idle_states].enter = &nap_loop; +- } else if (flags[i] & OPAL_PM_SLEEP_ENABLED || ++ } ++ ++ /* ++ * All cpuidle states with CPUIDLE_FLAG_TIMER_STOP set must come ++ * within this config dependency check. ++ */ ++#ifdef CONFIG_TICK_ONESHOT ++ if (flags[i] & OPAL_PM_SLEEP_ENABLED || + flags[i] & OPAL_PM_SLEEP_ENABLED_ER1) { + /* Add FASTSLEEP state */ + strcpy(powernv_states[nr_idle_states].name, "FastSleep"); +@@ -218,7 +227,7 @@ static int powernv_add_idle_states(void) + powernv_states[nr_idle_states].target_residency = 300000; + powernv_states[nr_idle_states].enter = &fastsleep_loop; + } +- ++#endif + powernv_states[nr_idle_states].exit_latency = + ((unsigned int)latency_ns[i]) / 1000; + diff --git a/queue-4.0/vfs-ignore-unlocked-mounts-in-fs_fully_visible.patch b/queue-4.0/vfs-ignore-unlocked-mounts-in-fs_fully_visible.patch new file mode 100644 index 00000000000..5397aab3b66 --- /dev/null +++ b/queue-4.0/vfs-ignore-unlocked-mounts-in-fs_fully_visible.patch @@ -0,0 +1,40 @@ +From ceeb0e5d39fcdf4dca2c997bf225c7fc49200b37 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Wed, 7 Jan 2015 08:10:09 -0600 +Subject: vfs: Ignore unlocked mounts in fs_fully_visible + +From: "Eric W. Biederman" + +commit ceeb0e5d39fcdf4dca2c997bf225c7fc49200b37 upstream. + +Limit the mounts fs_fully_visible considers to locked mounts. +Unlocked can always be unmounted so considering them adds hassle +but no security benefit. + +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/namespace.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -3187,11 +3187,15 @@ bool fs_fully_visible(struct file_system + if (mnt->mnt.mnt_root != mnt->mnt.mnt_sb->s_root) + continue; + +- /* This mount is not fully visible if there are any child mounts +- * that cover anything except for empty directories. ++ /* This mount is not fully visible if there are any ++ * locked child mounts that cover anything except for ++ * empty directories. + */ + list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) { + struct inode *inode = child->mnt_mountpoint->d_inode; ++ /* Only worry about locked mounts */ ++ if (!(mnt->mnt.mnt_flags & MNT_LOCKED)) ++ continue; + if (!S_ISDIR(inode->i_mode)) + goto next; + if (inode->i_nlink > 2) diff --git a/queue-4.0/vfs-remove-incorrect-debugging-warn-in-prepend_path.patch b/queue-4.0/vfs-remove-incorrect-debugging-warn-in-prepend_path.patch new file mode 100644 index 00000000000..6ef39de0bcd --- /dev/null +++ b/queue-4.0/vfs-remove-incorrect-debugging-warn-in-prepend_path.patch @@ -0,0 +1,50 @@ +From 93e3bce6287e1fb3e60d3324ed08555b5bbafa89 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Sun, 24 May 2015 09:25:00 -0500 +Subject: vfs: Remove incorrect debugging WARN in prepend_path + +From: "Eric W. Biederman" + +commit 93e3bce6287e1fb3e60d3324ed08555b5bbafa89 upstream. + +The warning message in prepend_path is unclear and outdated. It was +added as a warning that the mechanism for generating names of pseudo +files had been removed from prepend_path and d_dname should be used +instead. Unfortunately the warning reads like a general warning, +making it unclear what to do with it. + +Remove the warning. The transition it was added to warn about is long +over, and I added code several years ago which in rare cases causes +the warning to fire on legitimate code, and the warning is now firing +and scaring people for no good reason. + +Reported-by: Ivan Delalande +Reported-by: Omar Sandoval +Fixes: f48cfddc6729e ("vfs: In d_path don't call d_dname on a mount point") +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/dcache.c | 11 ----------- + 1 file changed, 11 deletions(-) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -2896,17 +2896,6 @@ restart: + vfsmnt = &mnt->mnt; + continue; + } +- /* +- * Filesystems needing to implement special "root names" +- * should do so with ->d_dname() +- */ +- if (IS_ROOT(dentry) && +- (dentry->d_name.len != 1 || +- dentry->d_name.name[0] != '/')) { +- WARN(1, "Root dentry has weird name <%.*s>\n", +- (int) dentry->d_name.len, +- dentry->d_name.name); +- } + if (!error) + error = is_mounted(vfsmnt) ? 1 : 2; + break; diff --git a/queue-4.0/x86-pci-use-host-bridge-_crs-info-on-foxconn-k8m890-8237a.patch b/queue-4.0/x86-pci-use-host-bridge-_crs-info-on-foxconn-k8m890-8237a.patch new file mode 100644 index 00000000000..83d79fd43d9 --- /dev/null +++ b/queue-4.0/x86-pci-use-host-bridge-_crs-info-on-foxconn-k8m890-8237a.patch @@ -0,0 +1,62 @@ +From 1dace0116d0b05c967d94644fc4dfe96be2ecd3d Mon Sep 17 00:00:00 2001 +From: Bjorn Helgaas +Date: Tue, 9 Jun 2015 18:54:07 -0500 +Subject: x86/PCI: Use host bridge _CRS info on Foxconn K8M890-8237A + +From: Bjorn Helgaas + +commit 1dace0116d0b05c967d94644fc4dfe96be2ecd3d upstream. + +The Foxconn K8M890-8237A has two PCI host bridges, and we can't assign +resources correctly without the information from _CRS that tells us which +address ranges are claimed by which bridge. In the bugs mentioned below, +we incorrectly assign a sound card address (this example is from 1033299): + + bus: 00 index 2 [mem 0x80000000-0xfcffffffff] + ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-7f]) + pci_root PNP0A08:00: host bridge window [mem 0x80000000-0xbfefffff] (ignored) + pci_root PNP0A08:00: host bridge window [mem 0xc0000000-0xdfffffff] (ignored) + pci_root PNP0A08:00: host bridge window [mem 0xf0000000-0xfebfffff] (ignored) + ACPI: PCI Root Bridge [PCI1] (domain 0000 [bus 80-ff]) + pci_root PNP0A08:01: host bridge window [mem 0xbff00000-0xbfffffff] (ignored) + pci 0000:80:01.0: [1106:3288] type 0 class 0x000403 + pci 0000:80:01.0: reg 10: [mem 0xbfffc000-0xbfffffff 64bit] + pci 0000:80:01.0: address space collision: [mem 0xbfffc000-0xbfffffff 64bit] conflicts with PCI Bus #00 [mem 0x80000000-0xfcffffffff] + pci 0000:80:01.0: BAR 0: assigned [mem 0xfd00000000-0xfd00003fff 64bit] + BUG: unable to handle kernel paging request at ffffc90000378000 + IP: [] azx_create+0x37c/0x822 [snd_hda_intel] + +We assigned 0xfd_0000_0000, but that is not in any of the host bridge +windows, and the sound card doesn't work. + +Turn on pci=use_crs automatically for this system. + +Link: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/931368 +Link: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1033299 +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/pci/acpi.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/arch/x86/pci/acpi.c ++++ b/arch/x86/pci/acpi.c +@@ -81,6 +81,17 @@ static const struct dmi_system_id pci_cr + DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies, LTD"), + }, + }, ++ /* https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/931368 */ ++ /* https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1033299 */ ++ { ++ .callback = set_use_crs, ++ .ident = "Foxconn K8M890-8237A", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Foxconn"), ++ DMI_MATCH(DMI_BOARD_NAME, "K8M890-8237A"), ++ DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies, LTD"), ++ }, ++ }, + + /* Now for the blacklist.. */ + diff --git a/queue-4.0/x86-pci-use-host-bridge-_crs-info-on-systems-with-32-bit-addressing.patch b/queue-4.0/x86-pci-use-host-bridge-_crs-info-on-systems-with-32-bit-addressing.patch new file mode 100644 index 00000000000..e2c15283fc2 --- /dev/null +++ b/queue-4.0/x86-pci-use-host-bridge-_crs-info-on-systems-with-32-bit-addressing.patch @@ -0,0 +1,54 @@ +From 3d9fecf6bfb8b12bc2f9a4c7109895a2a2bb9436 Mon Sep 17 00:00:00 2001 +From: Bjorn Helgaas +Date: Tue, 9 Jun 2015 17:31:38 -0500 +Subject: x86/PCI: Use host bridge _CRS info on systems with >32 bit addressing + +From: Bjorn Helgaas + +commit 3d9fecf6bfb8b12bc2f9a4c7109895a2a2bb9436 upstream. + +We enable _CRS on all systems from 2008 and later. On older systems, we +ignore _CRS and assume the whole physical address space (excluding RAM and +other devices) is available for PCI devices, but on systems that support +physical address spaces larger than 4GB, it's doubtful that the area above +4GB is really available for PCI. + +After d56dbf5bab8c ("PCI: Allocate 64-bit BARs above 4G when possible"), we +try to use that space above 4GB *first*, so we're more likely to put a +device there. + +On Juan's Toshiba Satellite Pro U200, BIOS left the graphics, sound, 1394, +and card reader devices unassigned (but only after Windows had been +booted). Only the sound device had a 64-bit BAR, so it was the only device +placed above 4GB, and hence the only device that didn't work. + +Keep _CRS enabled even on pre-2008 systems if they support physical address +space larger than 4GB. + +Fixes: d56dbf5bab8c ("PCI: Allocate 64-bit BARs above 4G when possible") +Reported-and-tested-by: Juan Dayer +Reported-and-tested-by: Alan Horsfield +Link: https://bugzilla.kernel.org/show_bug.cgi?id=99221 +Link: https://bugzilla.opensuse.org/show_bug.cgi?id=907092 +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/pci/acpi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/x86/pci/acpi.c ++++ b/arch/x86/pci/acpi.c +@@ -121,8 +121,10 @@ void __init pci_acpi_crs_quirks(void) + { + int year; + +- if (dmi_get_date(DMI_BIOS_DATE, &year, NULL, NULL) && year < 2008) +- pci_use_crs = false; ++ if (dmi_get_date(DMI_BIOS_DATE, &year, NULL, NULL) && year < 2008) { ++ if (iomem_resource.end <= 0xffffffff) ++ pci_use_crs = false; ++ } + + dmi_check_system(pci_crs_quirks); +