From: Greg Kroah-Hartman Date: Wed, 4 Mar 2015 04:45:25 +0000 (-0800) Subject: 3.14-stable patches X-Git-Tag: v3.10.71~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e248c51dd29d9994a194cb61303690db38690c7f;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: arm64-compat-fix-siginfo_t-compat_siginfo_t-conversion-on-big-endian.patch hx4700-regulator-declare-full-constraints.patch kvm-mips-don-t-leak-fpu-dsp-to-guest.patch kvm-s390-floating-irqs-fix-user-triggerable-endless-loop.patch kvm-x86-update-masterclock-values-on-tsc-writes.patch
---
diff --git a/queue-3.14/arm64-compat-fix-siginfo_t-compat_siginfo_t-conversion-on-big-endian.patch b/queue-3.14/arm64-compat-fix-siginfo_t-compat_siginfo_t-conversion-on-big-endian.patch
new file mode 100644
index 00000000000..50b15c24f14
--- /dev/null
+++ b/queue-3.14/arm64-compat-fix-siginfo_t-compat_siginfo_t-conversion-on-big-endian.patch
@@ -0,0 +1,51 @@
+From 9d42d48a342aee208c1154696196497fdc556bbf Mon Sep 17 00:00:00 2001
+From: Catalin Marinas
+Date: Mon, 23 Feb 2015 15:13:40 +0000
+Subject: arm64: compat Fix siginfo_t -> compat_siginfo_t conversion on big endian
+
+From: Catalin Marinas
+
+commit 9d42d48a342aee208c1154696196497fdc556bbf upstream.
+
+The native (64-bit) sigval_t union contains sival_int (32-bit) and
+sival_ptr (64-bit). When a compat application invokes a syscall that
+takes a sigval_t value (as part of a larger structure, e.g.
+compat_sys_mq_notify, compat_sys_timer_create), the compat_sigval_t
+union is converted to the native sigval_t with sival_int overlapping
+with either the least or the most significant half of sival_ptr,
+depending on endianness. When the corresponding signal is delivered to a
+compat application, on big endian the current (compat_uptr_t)sival_ptr
+cast always returns 0 since sival_int corresponds to the top part of
+sival_ptr. This patch fixes copy_siginfo_to_user32() so that sival_int
+is copied to the compat_siginfo_t structure.
+
+Reported-by: Bamvor Jian Zhang
+Tested-by: Bamvor Jian Zhang
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/signal32.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/kernel/signal32.c
++++ b/arch/arm64/kernel/signal32.c
+@@ -151,8 +151,7 @@ int copy_siginfo_to_user32(compat_siginf
+ case __SI_TIMER:
+ err |= __put_user(from->si_tid, &to->si_tid);
+ err |= __put_user(from->si_overrun, &to->si_overrun);
+- err |= __put_user((compat_uptr_t)(unsigned long)from->si_ptr,
+- &to->si_ptr);
++ err |= __put_user(from->si_int, &to->si_int);
+ break;
+ case __SI_POLL:
+ err |= __put_user(from->si_band, &to->si_band);
+@@ -181,7 +180,7 @@ int copy_siginfo_to_user32(compat_siginf
+ case __SI_MESGQ: /* But this is */
+ err |= __put_user(from->si_pid, &to->si_pid);
+ err |= __put_user(from->si_uid, &to->si_uid);
+- err |= __put_user((compat_uptr_t)(unsigned long)from->si_ptr, &to->si_ptr);
++ err |= __put_user(from->si_int, &to->si_int);
+ break;
+ default: /* this is just in case for now ... */
+ err |= __put_user(from->si_pid, &to->si_pid);
diff --git a/queue-3.14/hx4700-regulator-declare-full-constraints.patch b/queue-3.14/hx4700-regulator-declare-full-constraints.patch
new file mode 100644
index 00000000000..fd1b7efe25e
--- /dev/null
+++ b/queue-3.14/hx4700-regulator-declare-full-constraints.patch
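Review bot: The two rewritten `__put_user()` lines in `copy_siginfo_to_user32()` (the `__SI_TIMER` and `__SI_MESGQ` cases) now copy `si_int` where the old code copied the pointer member, and the code itself gives no reason for that choice. The reason is only in the commit message: on big endian `sival_int` overlays the top half of the native `sival_ptr`, so the old `(compat_uptr_t)` cast returned 0. I would put it next to both lines, e.g. `/* copy si_int, not si_ptr: a compat task's value sits in sival_int, which is the top half of sival_ptr on big endian */`, so a later cleanup does not bring the cast back. The enclosing switch starts and ends outside both hunks.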
@@ -0,0 +1,32 @@
+From a52d209336f8fc7483a8c7f4a8a7d2a8e1692a6c Mon Sep 17 00:00:00 2001
+From: Martin Vajnar
+Date: Wed, 24 Dec 2014 00:27:57 +0100
+Subject: hx4700: regulator: declare full constraints
+
+From: Martin Vajnar
+
+commit a52d209336f8fc7483a8c7f4a8a7d2a8e1692a6c upstream.
+
+Since the removal of CONFIG_REGULATOR_DUMMY option, the touchscreen stopped
+working. This patch enables the "replacement" for REGULATOR_DUMMY and
+allows the touchscreen to work even though there is no regulator for "vcc".
+
+Signed-off-by: Martin Vajnar
+Signed-off-by: Robert Jarzmik
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mach-pxa/hx4700.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/mach-pxa/hx4700.c
++++ b/arch/arm/mach-pxa/hx4700.c
+@@ -892,6 +892,8 @@ static void __init hx4700_init(void)
+ mdelay(10);
+ gpio_set_value(GPIO71_HX4700_ASIC3_nRESET, 1);
+ mdelay(10);
++
++ regulator_has_full_constraints();
+ }
+
+ MACHINE_START(H4700, "HP iPAQ HX4700")
diff --git a/queue-3.14/kvm-mips-don-t-leak-fpu-dsp-to-guest.patch b/queue-3.14/kvm-mips-don-t-leak-fpu-dsp-to-guest.patch
new file mode 100644
index 00000000000..f0ac3e3d145
--- /dev/null
+++ b/queue-3.14/kvm-mips-don-t-leak-fpu-dsp-to-guest.patch
@@ -0,0 +1,100 @@
+From f798217dfd038af981a18bbe4bc57027a08bb182 Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Wed, 4 Feb 2015 17:06:37 +0000
+Subject: KVM: MIPS: Don't leak FPU/DSP to guest
+
+From: James Hogan
+
+commit f798217dfd038af981a18bbe4bc57027a08bb182 upstream.
+
+The FPU and DSP are enabled via the CP0 Status CU1 and MX bits by
+kvm_mips_set_c0_status() on a guest exit, presumably in case there is
+active state that needs saving if pre-emption occurs. However neither of
+these bits are cleared again when returning to the guest.
+
+This effectively gives the guest access to the FPU/DSP hardware after
+the first guest exit even though it is not aware of its presence,
+allowing FP instructions in guest user code to intermittently actually
+execute instead of trapping into the guest OS for emulation. It will
+then read & manipulate the hardware FP registers which technically
+belong to the user process (e.g. QEMU), or are stale from another user
+process. It can also crash the guest OS by causing an FP exception, for
+which a guest exception handler won't have been registered.
+
+First lets save and disable the FPU (and MSA) state with lose_fpu(1)
+before entering the guest. This simplifies the problem, especially for
+when guest FPU/MSA support is added in the future, and prevents FR=1 FPU
+state being live when the FR bit gets cleared for the guest, which
+according to the architecture causes the contents of the FPU and vector
+registers to become UNPREDICTABLE.
+
+We can then safely remove the enabling of the FPU in
+kvm_mips_set_c0_status(), since there should never be any active FPU or
+MSA state to save at pre-emption, which should plug the FPU leak.
+
+DSP state is always live rather than being lazily restored, so for that
+it is simpler to just clear the MX bit again when re-entering the guest.
+
+Signed-off-by: James Hogan
+Cc: Paolo Bonzini
+Cc: Ralf Baechle
+Cc: Sanjay Lal
+Cc: Gleb Natapov
+Cc: kvm@vger.kernel.org
+Cc: linux-mips@linux-mips.org
+Cc: # v3.10+: 044f0f03eca0: MIPS: KVM: Deliver guest interrupts
+Cc: # v3.10+
+Signed-off-by: Paolo Bonzini
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+---
+This should apply to stable trees 3.12 and 3.14, but not 3.10. The files
+had been renamed since v3.14 so it cherry-picked cleanly but the patch
+didn't apply cleanly. I've also added a reference to the "MIPS: Export
+FP functions used by lose_fpu(1) for KVM" commit which is itself marked
+for stable, but is needed to avoid a build failure when KVM=m.
+---
+ arch/mips/kvm/kvm_locore.S | 2 +-
+ arch/mips/kvm/kvm_mips.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/mips/kvm/kvm_locore.S
++++ b/arch/mips/kvm/kvm_locore.S
+@@ -428,7 +428,7 @@ __kvm_mips_return_to_guest:
+ /* Setup status register for running guest in UM */
+ .set at
+ or v1, v1, (ST0_EXL | KSU_USER | ST0_IE)
+- and v1, v1, ~ST0_CU0
++ and v1, v1, ~(ST0_CU0 | ST0_MX)
+ .set noat
+ mtc0 v1, CP0_STATUS
+ ehb
+--- a/arch/mips/kvm/kvm_mips.c
++++ b/arch/mips/kvm/kvm_mips.c
+@@ -15,6 +15,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -418,6 +419,8 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_v
+ vcpu->mmio_needed = 0;
+ }
+
++ lose_fpu(1);
++
+ local_irq_disable();
+ /* Check if we have any exceptions/interrupts pending */
+ kvm_mips_deliver_interrupts(vcpu,
+@@ -1021,9 +1024,6 @@ void kvm_mips_set_c0_status(void)
+ {
+ uint32_t status = read_c0_status();
+
+- if (cpu_has_fpu)
+- status |= (ST0_CU1);
+-
+ if (cpu_has_dsp)
+ status |= (ST0_MX);
+
diff --git a/queue-3.14/kvm-s390-floating-irqs-fix-user-triggerable-endless-loop.patch b/queue-3.14/kvm-s390-floating-irqs-fix-user-triggerable-endless-loop.patch
new file mode 100644
index 00000000000..1156a252c91
--- /dev/null
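Review bot: In `__kvm_mips_return_to_guest` the new mask `~(ST0_CU0 | ST0_MX)` clears MX on every return to the guest but leaves CU1 as it finds it, so keeping the FPU away from the guest rests entirely on the single `lose_fpu(1)` added in `kvm_arch_vcpu_ioctl_run()`. Whether every path that resumes the guest passes through that call is not visible in these hunks, and the invariant is written down only in the commit message. I would document it at the call site, e.g. `/* the guest must never run with host FPU state live or CU1 set; __kvm_mips_return_to_guest does not clear CU1 */`, so that a later change which enables the FPU during exit handling is caught in review. Both functions continue outside the hunks.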
+++ b/queue-3.14/kvm-s390-floating-irqs-fix-user-triggerable-endless-loop.patch
@@ -0,0 +1,36 @@
+From 8e2207cdd087ebb031e9118d1fd0902c6533a5e5 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand
+Date: Thu, 15 Jan 2015 17:56:18 +0100
+Subject: KVM: s390: floating irqs: fix user triggerable endless loop
+
+From: David Hildenbrand
+
+commit 8e2207cdd087ebb031e9118d1fd0902c6533a5e5 upstream.
+
+If a vm with no VCPUs is created, the injection of a floating irq
+leads to an endless loop in the kernel.
+
+Let's skip the search for a destination VCPU for a floating irq if no
+VCPUs were created.
+
+Reviewed-by: Dominik Dingel
+Reviewed-by: Cornelia Huck
+Signed-off-by: David Hildenbrand
+Signed-off-by: Christian Borntraeger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/kvm/interrupt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -739,6 +739,8 @@ int kvm_s390_inject_vm(struct kvm *kvm,
+ list_add_tail(&inti->list, &iter->list);
+ }
+ atomic_set(&fi->active, 1);
++ if (atomic_read(&kvm->online_vcpus) == 0)
++ goto unlock_fi;
+ sigcpu = find_first_bit(fi->idle_mask, KVM_MAX_VCPUS);
+ if (sigcpu == KVM_MAX_VCPUS) {
+ do {
diff --git a/queue-3.14/kvm-x86-update-masterclock-values-on-tsc-writes.patch b/queue-3.14/kvm-x86-update-masterclock-values-on-tsc-writes.patch
new file mode 100644
index 00000000000..4dd46304eae
--- /dev/null
+++ b/queue-3.14/kvm-x86-update-masterclock-values-on-tsc-writes.patch
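Review bot: The new `online_vcpus == 0` check in `kvm_s390_inject_vm()` sits after `list_add_tail()` and `atomic_set(&fi->active, 1)`, so the interrupt is still queued and the floating-interrupt state marked active although no VCPU exists to take it, and the code does not say that this ordering is intended. A comment above the check, e.g. `/* no VCPU to notify yet: keep the irq queued, but skip the destination search, which cannot terminate without a VCPU */`, would stop the early exit from being moved ahead of the queueing or dropped later. Since the commit message describes the path as user triggerable, it is also worth confirming that the number of entries queued for a VM that never gets a VCPU is bounded; nothing in the hunk shows a limit. The `do {` loop and the `unlock_fi` label are outside the hunk.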
@@ -0,0 +1,60 @@
+From 7f187922ddf6b67f2999a76dcb71663097b75497 Mon Sep 17 00:00:00 2001
+From: Marcelo Tosatti
+Date: Tue, 4 Nov 2014 21:30:44 -0200
+Subject: KVM: x86: update masterclock values on TSC writes
+
+From: Marcelo Tosatti
+
+commit 7f187922ddf6b67f2999a76dcb71663097b75497 upstream.
+
+When the guest writes to the TSC, the masterclock TSC copy must be
+updated as well along with the TSC_OFFSET update, otherwise a negative
+tsc_timestamp is calculated at kvm_guest_time_update.
+
+Once "if (!vcpus_matched && ka->use_master_clock)" is simplified to
+"if (ka->use_master_clock)", the corresponding "if (!ka->use_master_clock)"
+becomes redundant, so remove the do_request boolean and collapse
+everything into a single condition.
+
+Signed-off-by: Marcelo Tosatti
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/x86.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1207,21 +1207,22 @@ void kvm_track_tsc_matching(struct kvm_v
+ {
+ #ifdef CONFIG_X86_64
+ bool vcpus_matched;
+- bool do_request = false;
+ struct kvm_arch *ka = &vcpu->kvm->arch;
+ struct pvclock_gtod_data *gtod = &pvclock_gtod_data;
+
+ vcpus_matched = (ka->nr_vcpus_matched_tsc + 1 ==
+ atomic_read(&vcpu->kvm->online_vcpus));
+
+- if (vcpus_matched && gtod->clock.vclock_mode == VCLOCK_TSC)
+- if (!ka->use_master_clock)
+- do_request = 1;
+-
+- if (!vcpus_matched && ka->use_master_clock)
+- do_request = 1;
+-
+- if (do_request)
++ /*
++ * Once the masterclock is enabled, always perform request in
++ * order to update it.
++ *
++ * In order to enable masterclock, the host clocksource must be TSC
++ * and the vcpus need to have matched TSCs. When that happens,
++ * perform request to enable masterclock.
++ */
++ if (ka->use_master_clock ||
++ (gtod->clock.vclock_mode == VCLOCK_TSC && vcpus_matched))
+ kvm_make_request(KVM_REQ_MASTERCLOCK_UPDATE, vcpu);
+
+ trace_kvm_track_tsc(vcpu->vcpu_id, ka->nr_vcpus_matched_tsc,
diff --git a/queue-3.14/series b/queue-3.14/series
index 05dad433f4c..61a9787033a 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -56,3 +56,6 @@ ntp-fixup-adjtimex-freq-validation-on-32-bit-systems.patch
 arc-fix-page-address-calculation-if-page_offset-linux_link_base.patch
 kvm-s390-floating-irqs-fix-user-triggerable-endless-loop.patch
 kvm-mips-don-t-leak-fpu-dsp-to-guest.patch
+kvm-x86-update-masterclock-values-on-tsc-writes.patch
+hx4700-regulator-declare-full-constraints.patch
+arm64-compat-fix-siginfo_t-compat_siginfo_t-conversion-on-big-endian.patch
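Review bot: The comment added in `kvm_track_tsc_matching()` says the request is always made once the masterclock is enabled, but not why; the reason (a guest TSC write changes TSC_OFFSET, and a stale masterclock TSC copy gives a negative `tsc_timestamp` in `kvm_guest_time_update`) is only in the commit message. I would extend the first paragraph of the comment, e.g. `* order to update it: a guest TSC write moves TSC_OFFSET and the masterclock TSC copy has to follow.` With `ka->use_master_clock ||` the request is now raised on every call while the masterclock is on, so how often a guest can drive `KVM_REQ_MASTERCLOCK_UPDATE` through TSC writes, and what that request costs, deserves a check; neither the caller nor the request handler is visible here. The function body continues past the end of the hunk.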