From: Greg Kroah-Hartman Date: Fri, 29 Aug 2014 19:12:06 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.10.54~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dac6059f2de6fa9bed150345707135044b7f4dd2;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: crypto-ux500-make-interrupt-mode-plausible.patch debugfs-fix-corrupted-loop-in-debugfs_remove_recursive.patch drivers-i2c-busses-use-correct-type-for-dma_map-unmap.patch ext4-fix-ext4_discard_allocated_blocks-if-we-can-t-allocate-the-pa-struct.patch kvm-x86-always-exit-on-eois-for-interrupts-listed-in-the-ioapic-redir-table.patch kvm-x86-inter-privilege-level-ret-emulation-is-not-implemeneted.patch serial-core-preserve-termios-c_cflag-for-console-resume.patch --- diff --git a/queue-3.14/crypto-ux500-make-interrupt-mode-plausible.patch b/queue-3.14/crypto-ux500-make-interrupt-mode-plausible.patch new file mode 100644 index 00000000000..ef01e83670e --- /dev/null +++ b/queue-3.14/crypto-ux500-make-interrupt-mode-plausible.patch @@ -0,0 +1,110 @@ +From e1f8859ee265fc89bd21b4dca79e8e983a044892 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 26 Jun 2014 13:43:02 +0200 +Subject: crypto: ux500 - make interrupt mode plausible + +From: Arnd Bergmann + +commit e1f8859ee265fc89bd21b4dca79e8e983a044892 upstream. + +The interrupt handler in the ux500 crypto driver has an obviously +incorrect way to access the data buffer, which for a while has +caused this build warning: + +../ux500/cryp/cryp_core.c: In function 'cryp_interrupt_handler': +../ux500/cryp/cryp_core.c:234:5: warning: passing argument 1 of '__fswab32' makes integer from pointer without a cast [enabled by default] + writel_relaxed(ctx->indata, + ^ +In file included from ../include/linux/swab.h:4:0, + from ../include/uapi/linux/byteorder/big_endian.h:12, + from ../include/linux/byteorder/big_endian.h:4, + from ../arch/arm/include/uapi/asm/byteorder.h:19, + from ../include/asm-generic/bitops/le.h:5, + from ../arch/arm/include/asm/bitops.h:340, + from ../include/linux/bitops.h:33, + from ../include/linux/kernel.h:10, + from ../include/linux/clk.h:16, + from ../drivers/crypto/ux500/cryp/cryp_core.c:12: +../include/uapi/linux/swab.h:57:119: note: expected '__u32' but argument is of type 'const u8 *' + static inline __attribute_const__ __u32 __fswab32(__u32 val) + +There are at least two, possibly three problems here: +a) when writing into the FIFO, we copy the pointer rather than the + actual data we want to give to the hardware +b) the data pointer is an array of 8-bit values, while the FIFO + is 32-bit wide, so both the read and write access fail to do + a proper type conversion +c) This seems incorrect for big-endian kernels, on which we need to + byte-swap any register access, but not normally FIFO accesses, + at least the DMA case doesn't do it either. + +This converts the bogus loop to use the same readsl/writesl pair +that we use for the two other modes (DMA and polling). This is +more efficient and consistent, and probably correct for endianess. + +The bug has existed since the driver was first merged, and was +probably never detected because nobody tried to use interrupt mode. +It might make sense to backport this fix to stable kernels, depending +on how the crypto maintainers feel about that. + +Signed-off-by: Arnd Bergmann +Cc: linux-crypto@vger.kernel.org +Cc: Fabio Baltieri +Cc: Linus Walleij +Cc: Herbert Xu +Cc: "David S. Miller" +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ux500/cryp/cryp_core.c | 25 ++++++++++++------------- + 1 file changed, 12 insertions(+), 13 deletions(-) + +--- a/drivers/crypto/ux500/cryp/cryp_core.c ++++ b/drivers/crypto/ux500/cryp/cryp_core.c +@@ -190,7 +190,7 @@ static void add_session_id(struct cryp_c + static irqreturn_t cryp_interrupt_handler(int irq, void *param) + { + struct cryp_ctx *ctx; +- int i; ++ int count; + struct cryp_device_data *device_data; + + if (param == NULL) { +@@ -215,12 +215,11 @@ static irqreturn_t cryp_interrupt_handle + if (cryp_pending_irq_src(device_data, + CRYP_IRQ_SRC_OUTPUT_FIFO)) { + if (ctx->outlen / ctx->blocksize > 0) { +- for (i = 0; i < ctx->blocksize / 4; i++) { +- *(ctx->outdata) = readl_relaxed( +- &device_data->base->dout); +- ctx->outdata += 4; +- ctx->outlen -= 4; +- } ++ count = ctx->blocksize / 4; ++ ++ readsl(&device_data->base->dout, ctx->outdata, count); ++ ctx->outdata += count; ++ ctx->outlen -= count; + + if (ctx->outlen == 0) { + cryp_disable_irq_src(device_data, +@@ -230,12 +229,12 @@ static irqreturn_t cryp_interrupt_handle + } else if (cryp_pending_irq_src(device_data, + CRYP_IRQ_SRC_INPUT_FIFO)) { + if (ctx->datalen / ctx->blocksize > 0) { +- for (i = 0 ; i < ctx->blocksize / 4; i++) { +- writel_relaxed(ctx->indata, +- &device_data->base->din); +- ctx->indata += 4; +- ctx->datalen -= 4; +- } ++ count = ctx->blocksize / 4; ++ ++ writesl(&device_data->base->din, ctx->indata, count); ++ ++ ctx->indata += count; ++ ctx->datalen -= count; + + if (ctx->datalen == 0) + cryp_disable_irq_src(device_data, diff --git a/queue-3.14/debugfs-fix-corrupted-loop-in-debugfs_remove_recursive.patch b/queue-3.14/debugfs-fix-corrupted-loop-in-debugfs_remove_recursive.patch new file mode 100644 index 00000000000..6a1910acdb3 --- /dev/null +++ b/queue-3.14/debugfs-fix-corrupted-loop-in-debugfs_remove_recursive.patch @@ -0,0 +1,181 @@ +From 485d44022a152c0254dd63445fdb81c4194cbf0e Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Mon, 9 Jun 2014 14:06:07 -0400 +Subject: debugfs: Fix corrupted loop in debugfs_remove_recursive + +From: Steven Rostedt + +commit 485d44022a152c0254dd63445fdb81c4194cbf0e upstream. + +[ I'm currently running my tests on it now, and so far, after a few + hours it has yet to blow up. I'll run it for 24 hours which it never + succeeded in the past. ] + +The tracing code has a way to make directories within the debugfs file +system as well as deleting them using mkdir/rmdir in the instance +directory. This is very limited in functionality, such as there is +no renames, and the parent directory "instance" can not be modified. +The tracing code creates the instance directory from the debugfs code +and then replaces the dentry->d_inode->i_op with its own to allow +for mkdir/rmdir to work. + +When these are called, the d_entry and inode locks need to be released +to call the instance creation and deletion code. That code has its own +accounting and locking to serialize everything to prevent multiple +users from causing harm. As the parent "instance" directory can not +be modified this simplifies things. + +I created a stress test that creates several threads that randomly +creates and deletes directories thousands of times a second. The code +stood up to this test and I submitted it a while ago. + +Recently I added a new test that adds readers to the mix. While the +instance directories were being added and deleted, readers would read +from these directories and even enable tracing within them. This test +was able to trigger a bug: + + general protection fault: 0000 [#1] PREEMPT SMP + Modules linked in: ... + CPU: 3 PID: 17789 Comm: rmdir Tainted: G W 3.15.0-rc2-test+ #41 + Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M., BIOS SDBLI944.86P 05/08/2007 + task: ffff88003786ca60 ti: ffff880077018000 task.ti: ffff880077018000 + RIP: 0010:[] [] debugfs_remove_recursive+0x1bd/0x367 + RSP: 0018:ffff880077019df8 EFLAGS: 00010246 + RAX: 0000000000000002 RBX: ffff88006f0fe490 RCX: 0000000000000000 + RDX: dead000000100058 RSI: 0000000000000246 RDI: ffff88003786d454 + RBP: ffff88006f0fe640 R08: 0000000000000628 R09: 0000000000000000 + R10: 0000000000000628 R11: ffff8800795110a0 R12: ffff88006f0fe640 + R13: ffff88006f0fe640 R14: ffffffff81817d0b R15: ffffffff818188b7 + FS: 00007ff13ae24700(0000) GS:ffff88007d580000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b + CR2: 0000003054ec7be0 CR3: 0000000076d51000 CR4: 00000000000007e0 + Stack: + ffff88007a41ebe0 dead000000100058 00000000fffffffe ffff88006f0fe640 + 0000000000000000 ffff88006f0fe678 ffff88007a41ebe0 ffff88003793a000 + 00000000fffffffe ffffffff810bde82 ffff88006f0fe640 ffff88007a41eb28 + Call Trace: + [] ? instance_rmdir+0x15b/0x1de + [] ? vfs_rmdir+0x80/0xd3 + [] ? do_rmdir+0xd1/0x139 + [] ? trace_hardirqs_on_thunk+0x3a/0x3c + [] ? system_call_fastpath+0x16/0x1b + Code: fe ff ff 48 8d 75 30 48 89 df e8 c9 fd ff ff 85 c0 75 13 48 c7 c6 b8 cc d2 81 48 c7 c7 b0 cc d2 81 e8 8c 7a f5 ff 48 8b 54 24 08 <48> 8b 82 a8 00 00 00 48 89 d3 48 2d a8 00 00 00 48 89 44 24 08 + RIP [] debugfs_remove_recursive+0x1bd/0x367 + RSP + +It took a while, but every time it triggered, it was always in the +same place: + + list_for_each_entry_safe(child, next, &parent->d_subdirs, d_u.d_child) { + +Where the child->d_u.d_child seemed to be corrupted. I added lots of +trace_printk()s to see what was wrong, and sure enough, it was always +the child's d_u.d_child field. I looked around to see what touches +it and noticed that in __dentry_kill() which calls dentry_free(): + +static void dentry_free(struct dentry *dentry) +{ + /* if dentry was never visible to RCU, immediate free is OK */ + if (!(dentry->d_flags & DCACHE_RCUACCESS)) + __d_free(&dentry->d_u.d_rcu); + else + call_rcu(&dentry->d_u.d_rcu, __d_free); +} + +I also noticed that __dentry_kill() unlinks the child->d_u.child +under the parent->d_lock spin_lock. + +Looking back at the loop in debugfs_remove_recursive() it never takes the +parent->d_lock to do the list walk. Adding more tracing, I was able to +prove this was the issue: + + ftrace-t-15385 1.... 246662024us : dentry_kill : free ffff88006d573600 + rmdir-15409 2.... 246662024us : debugfs_remove_recursive : child=ffff88006d573600 next=dead000000100058 + +The dentry_kill freed ffff88006d573600 just as the remove recursive was walking +it. + +In order to fix this, the list walk needs to be modified a bit to take +the parent->d_lock. The safe version is no longer necessary, as every +time we remove a child, the parent->d_lock must be released and the +list walk must start over. Each time a child is removed, even though it +may still be on the list, it should be skipped by the first check +in the loop: + + if (!debugfs_positive(child)) + continue; + +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + fs/debugfs/inode.c | 33 ++++++++++++++++++++++++++------- + 1 file changed, 26 insertions(+), 7 deletions(-) + +--- a/fs/debugfs/inode.c ++++ b/fs/debugfs/inode.c +@@ -533,7 +533,7 @@ EXPORT_SYMBOL_GPL(debugfs_remove); + */ + void debugfs_remove_recursive(struct dentry *dentry) + { +- struct dentry *child, *next, *parent; ++ struct dentry *child, *parent; + + if (IS_ERR_OR_NULL(dentry)) + return; +@@ -545,30 +545,49 @@ void debugfs_remove_recursive(struct den + parent = dentry; + down: + mutex_lock(&parent->d_inode->i_mutex); +- list_for_each_entry_safe(child, next, &parent->d_subdirs, d_u.d_child) { ++ loop: ++ /* ++ * The parent->d_subdirs is protected by the d_lock. Outside that ++ * lock, the child can be unlinked and set to be freed which can ++ * use the d_u.d_child as the rcu head and corrupt this list. ++ */ ++ spin_lock(&parent->d_lock); ++ list_for_each_entry(child, &parent->d_subdirs, d_u.d_child) { + if (!debugfs_positive(child)) + continue; + + /* perhaps simple_empty(child) makes more sense */ + if (!list_empty(&child->d_subdirs)) { ++ spin_unlock(&parent->d_lock); + mutex_unlock(&parent->d_inode->i_mutex); + parent = child; + goto down; + } +- up: ++ ++ spin_unlock(&parent->d_lock); ++ + if (!__debugfs_remove(child, parent)) + simple_release_fs(&debugfs_mount, &debugfs_mount_count); ++ ++ /* ++ * The parent->d_lock protects agaist child from unlinking ++ * from d_subdirs. When releasing the parent->d_lock we can ++ * no longer trust that the next pointer is valid. ++ * Restart the loop. We'll skip this one with the ++ * debugfs_positive() check. ++ */ ++ goto loop; + } ++ spin_unlock(&parent->d_lock); + + mutex_unlock(&parent->d_inode->i_mutex); + child = parent; + parent = parent->d_parent; + mutex_lock(&parent->d_inode->i_mutex); + +- if (child != dentry) { +- next = list_next_entry(child, d_u.d_child); +- goto up; +- } ++ if (child != dentry) ++ /* go up */ ++ goto loop; + + if (!__debugfs_remove(child, parent)) + simple_release_fs(&debugfs_mount, &debugfs_mount_count); diff --git a/queue-3.14/drivers-i2c-busses-use-correct-type-for-dma_map-unmap.patch b/queue-3.14/drivers-i2c-busses-use-correct-type-for-dma_map-unmap.patch new file mode 100644 index 00000000000..7b4559b55d9 --- /dev/null +++ b/queue-3.14/drivers-i2c-busses-use-correct-type-for-dma_map-unmap.patch @@ -0,0 +1,39 @@ +From 28772ac8711e4d7268c06e765887dd8cb6924f98 Mon Sep 17 00:00:00 2001 +From: Wolfram Sang +Date: Mon, 21 Jul 2014 11:42:03 +0200 +Subject: drivers/i2c/busses: use correct type for dma_map/unmap + +From: Wolfram Sang + +commit 28772ac8711e4d7268c06e765887dd8cb6924f98 upstream. + +dma_{un}map_* uses 'enum dma_data_direction' not 'enum dma_transfer_direction'. + +Signed-off-by: Wolfram Sang +Acked-by: Ludovic Desroches +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-at91.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/i2c/busses/i2c-at91.c ++++ b/drivers/i2c/busses/i2c-at91.c +@@ -210,7 +210,7 @@ static void at91_twi_write_data_dma_call + struct at91_twi_dev *dev = (struct at91_twi_dev *)data; + + dma_unmap_single(dev->dev, sg_dma_address(&dev->dma.sg), +- dev->buf_len, DMA_MEM_TO_DEV); ++ dev->buf_len, DMA_TO_DEVICE); + + at91_twi_write(dev, AT91_TWI_CR, AT91_TWI_STOP); + } +@@ -289,7 +289,7 @@ static void at91_twi_read_data_dma_callb + struct at91_twi_dev *dev = (struct at91_twi_dev *)data; + + dma_unmap_single(dev->dev, sg_dma_address(&dev->dma.sg), +- dev->buf_len, DMA_DEV_TO_MEM); ++ dev->buf_len, DMA_FROM_DEVICE); + + /* The last two bytes have to be read without using dma */ + dev->buf += dev->buf_len - 2; diff --git a/queue-3.14/ext4-fix-ext4_discard_allocated_blocks-if-we-can-t-allocate-the-pa-struct.patch b/queue-3.14/ext4-fix-ext4_discard_allocated_blocks-if-we-can-t-allocate-the-pa-struct.patch new file mode 100644 index 00000000000..d1f3fa9481f --- /dev/null +++ b/queue-3.14/ext4-fix-ext4_discard_allocated_blocks-if-we-can-t-allocate-the-pa-struct.patch @@ -0,0 +1,62 @@ +From 86f0afd463215fc3e58020493482faa4ac3a4d69 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 30 Jul 2014 22:17:17 -0400 +Subject: ext4: fix ext4_discard_allocated_blocks() if we can't allocate the pa struct + +From: Theodore Ts'o + +commit 86f0afd463215fc3e58020493482faa4ac3a4d69 upstream. + +If there is a failure while allocating the preallocation structure, a +number of blocks can end up getting marked in the in-memory buddy +bitmap, and then not getting released. This can result in the +following corruption getting reported by the kernel: + +EXT4-fs error (device sda3): ext4_mb_generate_buddy:758: group 1126, +12793 clusters in bitmap, 12729 in gd + +In that case, we need to release the blocks using mb_free_blocks(). + +Tested: fs smoke test; also demonstrated that with injected errors, + the file system is no longer getting corrupted + +Google-Bug-Id: 16657874 + +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/mballoc.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -3196,8 +3196,27 @@ static void ext4_mb_collect_stats(struct + static void ext4_discard_allocated_blocks(struct ext4_allocation_context *ac) + { + struct ext4_prealloc_space *pa = ac->ac_pa; ++ struct ext4_buddy e4b; ++ int err; + +- if (pa && pa->pa_type == MB_INODE_PA) ++ if (pa == NULL) { ++ err = ext4_mb_load_buddy(ac->ac_sb, ac->ac_f_ex.fe_group, &e4b); ++ if (err) { ++ /* ++ * This should never happen since we pin the ++ * pages in the ext4_allocation_context so ++ * ext4_mb_load_buddy() should never fail. ++ */ ++ WARN(1, "mb_load_buddy failed (%d)", err); ++ return; ++ } ++ ext4_lock_group(ac->ac_sb, ac->ac_f_ex.fe_group); ++ mb_free_blocks(ac->ac_inode, &e4b, ac->ac_f_ex.fe_start, ++ ac->ac_f_ex.fe_len); ++ ext4_unlock_group(ac->ac_sb, ac->ac_f_ex.fe_group); ++ return; ++ } ++ if (pa->pa_type == MB_INODE_PA) + pa->pa_free += ac->ac_b_ex.fe_len; + } + diff --git a/queue-3.14/kvm-x86-always-exit-on-eois-for-interrupts-listed-in-the-ioapic-redir-table.patch b/queue-3.14/kvm-x86-always-exit-on-eois-for-interrupts-listed-in-the-ioapic-redir-table.patch new file mode 100644 index 00000000000..0958c5536f6 --- /dev/null +++ b/queue-3.14/kvm-x86-always-exit-on-eois-for-interrupts-listed-in-the-ioapic-redir-table.patch @@ -0,0 +1,67 @@ +From 0f6c0a740b7d3e1f3697395922d674000f83d060 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 30 Jul 2014 18:07:24 +0200 +Subject: KVM: x86: always exit on EOIs for interrupts listed in the IOAPIC redir table + +From: Paolo Bonzini + +commit 0f6c0a740b7d3e1f3697395922d674000f83d060 upstream. + +Currently, the EOI exit bitmap (used for APICv) does not include +interrupts that are masked. However, this can cause a bug that manifests +as an interrupt storm inside the guest. Alex Williamson reported the +bug and is the one who really debugged this; I only wrote the patch. :) + +The scenario involves a multi-function PCI device with OHCI and EHCI +USB functions and an audio function, all assigned to the guest, where +both USB functions use legacy INTx interrupts. + +As soon as the guest boots, interrupts for these devices turn into an +interrupt storm in the guest; the host does not see the interrupt storm. +Basically the EOI path does not work, and the guest continues to see the +interrupt over and over, even after it attempts to mask it at the APIC. +The bug is only visible with older kernels (RHEL6.5, based on 2.6.32 +with not many changes in the area of APIC/IOAPIC handling). + +Alex then tried forcing bit 59 (corresponding to the USB functions' IRQ) +on in the eoi_exit_bitmap and TMR, and things then work. What happens +is that VFIO asserts IRQ11, then KVM recomputes the EOI exit bitmap. +It does not have set bit 59 because the RTE was masked, so the IOAPIC +never sees the EOI and the interrupt continues to fire in the guest. + +My guess was that the guest is masking the interrupt in the redirection +table in the interrupt routine, i.e. while the interrupt is set in a +LAPIC's ISR, The simplest fix is to ignore the masking state, we would +rather have an unnecessary exit rather than a missed IRQ ACK and anyway +IOAPIC interrupts are not as performance-sensitive as for example MSIs. +Alex tested this patch and it fixed his bug. + +[Thanks to Alex for his precise description of the problem + and initial debugging effort. A lot of the text above is + based on emails exchanged with him.] + +Reported-by: Alex Williamson +Tested-by: Alex Williamson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/ioapic.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/virt/kvm/ioapic.c ++++ b/virt/kvm/ioapic.c +@@ -203,10 +203,9 @@ void kvm_ioapic_scan_entry(struct kvm_vc + spin_lock(&ioapic->lock); + for (index = 0; index < IOAPIC_NUM_PINS; index++) { + e = &ioapic->redirtbl[index]; +- if (!e->fields.mask && +- (e->fields.trig_mode == IOAPIC_LEVEL_TRIG || +- kvm_irq_has_notifier(ioapic->kvm, KVM_IRQCHIP_IOAPIC, +- index) || index == RTC_GSI)) { ++ if (e->fields.trig_mode == IOAPIC_LEVEL_TRIG || ++ kvm_irq_has_notifier(ioapic->kvm, KVM_IRQCHIP_IOAPIC, index) || ++ index == RTC_GSI) { + if (kvm_apic_match_dest(vcpu, NULL, 0, + e->fields.dest_id, e->fields.dest_mode)) { + __set_bit(e->fields.vector, diff --git a/queue-3.14/kvm-x86-inter-privilege-level-ret-emulation-is-not-implemeneted.patch b/queue-3.14/kvm-x86-inter-privilege-level-ret-emulation-is-not-implemeneted.patch new file mode 100644 index 00000000000..030d0f39883 --- /dev/null +++ b/queue-3.14/kvm-x86-inter-privilege-level-ret-emulation-is-not-implemeneted.patch @@ -0,0 +1,41 @@ +From 9e8919ae793f4edfaa29694a70f71a515ae9942a Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Sun, 15 Jun 2014 16:12:59 +0300 +Subject: KVM: x86: Inter-privilege level ret emulation is not implemeneted + +From: Nadav Amit + +commit 9e8919ae793f4edfaa29694a70f71a515ae9942a upstream. + +Return unhandlable error on inter-privilege level ret instruction. This is +since the current emulation does not check the privilege level correctly when +loading the CS, and does not pop RSP/SS as needed. + +Signed-off-by: Nadav Amit +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -2006,6 +2006,7 @@ static int em_ret_far(struct x86_emulate + { + int rc; + unsigned long cs; ++ int cpl = ctxt->ops->cpl(ctxt); + + rc = emulate_pop(ctxt, &ctxt->_eip, ctxt->op_bytes); + if (rc != X86EMUL_CONTINUE) +@@ -2015,6 +2016,9 @@ static int em_ret_far(struct x86_emulate + rc = emulate_pop(ctxt, &cs, ctxt->op_bytes); + if (rc != X86EMUL_CONTINUE) + return rc; ++ /* Outer-privilege level return is not implemented */ ++ if (ctxt->mode >= X86EMUL_MODE_PROT16 && (cs & 3) > cpl) ++ return X86EMUL_UNHANDLEABLE; + rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS); + return rc; + } diff --git a/queue-3.14/serial-core-preserve-termios-c_cflag-for-console-resume.patch b/queue-3.14/serial-core-preserve-termios-c_cflag-for-console-resume.patch new file mode 100644 index 00000000000..974ebc03e18 --- /dev/null +++ b/queue-3.14/serial-core-preserve-termios-c_cflag-for-console-resume.patch @@ -0,0 +1,40 @@ +From ae84db9661cafc63d179e1d985a2c5b841ff0ac4 Mon Sep 17 00:00:00 2001 +From: Peter Hurley +Date: Wed, 9 Jul 2014 09:21:14 -0400 +Subject: serial: core: Preserve termios c_cflag for console resume + +From: Peter Hurley + +commit ae84db9661cafc63d179e1d985a2c5b841ff0ac4 upstream. + +When a tty is opened for the serial console, the termios c_cflag +settings are inherited from the console line settings. +However, if the tty is subsequently closed, the termios settings +are lost. This results in a garbled console if the console is later +suspended and resumed. + +Preserve the termios c_cflag for the serial console when the tty +is shutdown; this reflects the most recent line settings. + +Fixes: Bugzilla #69751, 'serial console does not wake from S3' +Reported-by: Valerio Vanni +Acked-by: Alan Cox +Signed-off-by: Peter Hurley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/serial_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -235,6 +235,9 @@ static void uart_shutdown(struct tty_str + /* + * Turn off DTR and RTS early. + */ ++ if (uart_console(uport) && tty) ++ uport->cons->cflag = tty->termios.c_cflag; ++ + if (!tty || (tty->termios.c_cflag & HUPCL)) + uart_clear_mctrl(uport, TIOCM_DTR | TIOCM_RTS); + diff --git a/queue-3.14/series b/queue-3.14/series index 96ea5c21048..470540f4020 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -32,3 +32,10 @@ hwmon-lm85-fix-various-errors-on-attribute-writes.patch hwmon-ads1015-fix-out-of-bounds-array-access.patch hwmon-dme1737-prevent-overflow-problem-when-writing-large-limits.patch tpm-add-missing-tpm_do_selftest-to-st33-i2c-driver.patch +drivers-i2c-busses-use-correct-type-for-dma_map-unmap.patch +ext4-fix-ext4_discard_allocated_blocks-if-we-can-t-allocate-the-pa-struct.patch +serial-core-preserve-termios-c_cflag-for-console-resume.patch +crypto-ux500-make-interrupt-mode-plausible.patch +debugfs-fix-corrupted-loop-in-debugfs_remove_recursive.patch +kvm-x86-inter-privilege-level-ret-emulation-is-not-implemeneted.patch +kvm-x86-always-exit-on-eois-for-interrupts-listed-in-the-ioapic-redir-table.patch