From: Greg Kroah-Hartman Date: Mon, 22 Feb 2021 11:05:18 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v5.11.1~1^2~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8aba81cf6dc603bd6d4629ebc890650ace13ea9a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: kvm-check-tlbs_dirty-directly.patch scsi-qla2xxx-fix-crash-during-driver-load-on-big-endian-machines.patch
---
diff --git a/queue-4.4/kvm-check-tlbs_dirty-directly.patch b/queue-4.4/kvm-check-tlbs_dirty-directly.patch
new file mode 100644
index 00000000000..528babce665
--- /dev/null
+++ b/queue-4.4/kvm-check-tlbs_dirty-directly.patch
@@ -0,0 +1,47 @@
+From foo@baz Mon Feb 22 11:59:30 AM CET 2021
+From: Lai Jiangshan
+Date: Thu, 17 Dec 2020 23:41:18 +0800
+Subject: kvm: check tlbs_dirty directly
+
+From: Lai Jiangshan
+
+commit 88bf56d04bc3564542049ec4ec168a8b60d0b48c upstream
+
+In kvm_mmu_notifier_invalidate_range_start(), tlbs_dirty is used as:
+ need_tlb_flush |= kvm->tlbs_dirty;
+with need_tlb_flush's type being int and tlbs_dirty's type being long.
+
+It means that tlbs_dirty is always used as int and the higher 32 bits
+is useless. We need to check tlbs_dirty in a correct way and this
+change checks it directly without propagating it to need_tlb_flush.
+
+Note: it's _extremely_ unlikely this neglecting of higher 32 bits can
+cause problems in practice. It would require encountering tlbs_dirty
+on a 4 billion count boundary, and KVM would need to be using shadow
+paging or be running a nested guest.
+
+Cc: stable@vger.kernel.org
+Fixes: a4ee1ca4a36e ("KVM: MMU: delay flush all tlbs on sync_page path")
+Signed-off-by: Lai Jiangshan
+Message-Id: <20201217154118.16497-1-jiangshanlai@gmail.com>
+Signed-off-by: Paolo Bonzini
+[sudip: adjust context]
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+---
+ virt/kvm/kvm_main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -346,9 +346,8 @@ static void kvm_mmu_notifier_invalidate_
+ */
+ kvm->mmu_notifier_count++;
+ need_tlb_flush = kvm_unmap_hva_range(kvm, start, end);
+- need_tlb_flush |= kvm->tlbs_dirty;
+ /* we've to flush the tlb before the pages can be freed */
+- if (need_tlb_flush)
++ if (need_tlb_flush || kvm->tlbs_dirty)
+ kvm_flush_remote_tlbs(kvm);
+
+ spin_unlock(&kvm->mmu_lock);
diff --git a/queue-4.4/scsi-qla2xxx-fix-crash-during-driver-load-on-big-endian-machines.patch b/queue-4.4/scsi-qla2xxx-fix-crash-during-driver-load-on-big-endian-machines.patch
new file mode 100644
index 00000000000..4d71359032c
--- /dev/null
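Review bot: The new test `if (need_tlb_flush || kvm->tlbs_dirty)` in kvm_mmu_notifier_invalidate_range_start() carries no comment saying why tlbs_dirty is checked on its own, so a later cleanup could fold it back into the int need_tlb_flush and reintroduce the truncation. The commit message gives the reason (tlbs_dirty is long, need_tlb_flush is int), and the existing comment says the flush has to happen before the pages can be freed, so a skipped flush here presumably leaves stale TLB entries for pages that are about to be released. I would extend the comment above the test with `/* tlbs_dirty is long: test it directly, OR-ing it into the int need_tlb_flush drops the upper 32 bits */`. The function body starts and ends outside the hunk.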
+++ b/queue-4.4/scsi-qla2xxx-fix-crash-during-driver-load-on-big-endian-machines.patch 
@@ -0,0 +1,90 @@
+From foo@baz Mon Feb 22 11:51:58 AM CET 2021
+From: Arun Easi
+Date: Wed, 2 Dec 2020 05:23:04 -0800
+Subject: scsi: qla2xxx: Fix crash during driver load on big endian machines
+
+From: Arun Easi
+
+commit 8de309e7299a00b3045fb274f82b326f356404f0 upstream
+
+Crash stack:
+ [576544.715489] Unable to handle kernel paging request for data at address 0xd00000000f970000
+ [576544.715497] Faulting instruction address: 0xd00000000f880f64
+ [576544.715503] Oops: Kernel access of bad area, sig: 11 [#1]
+ [576544.715506] SMP NR_CPUS=2048 NUMA pSeries
+ :
+ [576544.715703] NIP [d00000000f880f64] .qla27xx_fwdt_template_valid+0x94/0x100 [qla2xxx]
+ [576544.715722] LR [d00000000f7952dc] .qla24xx_load_risc_flash+0x2fc/0x590 [qla2xxx]
+ [576544.715726] Call Trace:
+ [576544.715731] [c0000004d0ffb000] [c0000006fe02c350] 0xc0000006fe02c350 (unreliable)
+ [576544.715750] [c0000004d0ffb080] [d00000000f7952dc] .qla24xx_load_risc_flash+0x2fc/0x590 [qla2xxx]
+ [576544.715770] [c0000004d0ffb170] [d00000000f7aa034] .qla81xx_load_risc+0x84/0x1a0 [qla2xxx]
+ [576544.715789] [c0000004d0ffb210] [d00000000f79f7c8] .qla2x00_setup_chip+0xc8/0x910 [qla2xxx]
+ [576544.715808] [c0000004d0ffb300] [d00000000f7a631c] .qla2x00_initialize_adapter+0x4dc/0xb00 [qla2xxx]
+ [576544.715826] [c0000004d0ffb3e0] [d00000000f78ce28] .qla2x00_probe_one+0xf08/0x2200 [qla2xxx]
+
+Link: https://lore.kernel.org/r/20201202132312.19966-8-njavali@marvell.com
+Fixes: f73cb695d3ec ("[SCSI] qla2xxx: Add support for ISP2071.")
+Cc: stable@vger.kernel.org
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Arun Easi
+Signed-off-by: Nilesh Javali
+Signed-off-by: Martin K. Petersen
+[sudip: adjust context]
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_tmpl.c | 9 +++++----
+ drivers/scsi/qla2xxx/qla_tmpl.h | 2 +-
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_tmpl.c
++++ b/drivers/scsi/qla2xxx/qla_tmpl.c
+@@ -871,7 +871,8 @@ qla27xx_template_checksum(void *p, ulong
+ static inline int
+ qla27xx_verify_template_checksum(struct qla27xx_fwdt_template *tmp)
+ {
+- return qla27xx_template_checksum(tmp, tmp->template_size) == 0;
++ return qla27xx_template_checksum(tmp,
++ le32_to_cpu(tmp->template_size)) == 0;
+ }
+
+ static inline int
+@@ -887,7 +888,7 @@ qla27xx_execute_fwdt_template(struct scs
+ ulong len;
+
+ if (qla27xx_fwdt_template_valid(tmp)) {
+- len = tmp->template_size;
++ len = le32_to_cpu(tmp->template_size);
+ tmp = memcpy(vha->hw->fw_dump, tmp, len);
+ ql27xx_edit_template(vha, tmp);
+ qla27xx_walk_template(vha, tmp, tmp, &len);
+@@ -903,7 +904,7 @@ qla27xx_fwdt_calculate_dump_size(struct
+ ulong len = 0;
+
+ if (qla27xx_fwdt_template_valid(tmp)) {
+- len = tmp->template_size;
++ len = le32_to_cpu(tmp->template_size);
+ qla27xx_walk_template(vha, tmp, NULL, &len);
+ }
+
+@@ -915,7 +916,7 @@ qla27xx_fwdt_template_size(void *p)
+ {
+ struct qla27xx_fwdt_template *tmp = p;
+
+- return tmp->template_size;
++ return le32_to_cpu(tmp->template_size);
+ }
+
+ ulong
+--- a/drivers/scsi/qla2xxx/qla_tmpl.h
++++ b/drivers/scsi/qla2xxx/qla_tmpl.h
+@@ -13,7 +13,7 @@
+ struct __packed qla27xx_fwdt_template {
+ uint32_t template_type;
+ uint32_t entry_offset;
+- uint32_t template_size;
++ __le32 template_size;
+ uint32_t reserved_1;
+
+ uint32_t entry_count;
diff --git a/queue-4.4/series b/queue-4.4/series
index 5b96a663e1f..193654df3c8 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
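Review bot: In qla27xx_execute_fwdt_template() the converted value `len = le32_to_cpu(tmp->template_size);` goes straight into `memcpy(vha->hw->fw_dump, tmp, len)`, and in qla27xx_verify_template_checksum() it sets how far the checksum reads, yet none of the hunks compares it with the size of either buffer. The byte-order fix removes the big-endian misread, but the length still comes from the template itself, so a corrupt or truncated template image could presumably cause the same out-of-bounds access that the crash trace shows in qla27xx_fwdt_template_valid. Unless a caller outside these hunks already bounds it, I would reject the template when the converted size is smaller than the template header or larger than the buffer it was loaded into, before the checksum runs. Separately, qla_tmpl.h marks only `template_size` as `__le32`; if `entry_offset` and `entry_count` are read from the same little-endian image, they likely need the same annotation and `le32_to_cpu()` at their uses. All four functions are only partly visible in the hunks.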
@@ -31,3 +31,5 @@ xen-blkback-don-t-handle-error-by-bug.patch
 xen-netback-don-t-handle-error-by-bug.patch
 xen-scsiback-don-t-handle-error-by-bug.patch
 xen-blkback-fix-error-handling-in-xen_blkbk_map.patch
+scsi-qla2xxx-fix-crash-during-driver-load-on-big-endian-machines.patch
+kvm-check-tlbs_dirty-directly.patch