From 0b98e3be094a176c9098c21d8c2b9e5bd930311a Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 10 Nov 2014 11:37:36 +0900 Subject: [PATCH] 3.14-stable patches added patches: arc-allow-headless-models-to-boot.patch arc-disable-caches-in-early-boot-if-so-configured.patch arc-fix-mmuv2-warning.patch arc-general-fixes.patch arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch kvm-vmx-handle-invvpid-vm-exit-gracefully.patch kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch kvm-x86-fix-wrong-masking-on-relative-jump-call.patch kvm-x86-improve-thread-safety-in-pit.patch kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch media-em28xx-check-if-a-device-has-audio-earlier.patch media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch media-m88ts2022-fix-32bit-overflow-on-filter-calc.patch media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch media-usb-uvc-add-a-quirk-for-dell-xps-m1330-webcam.patch media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch mips-ftrace-fix-a-micromips-build-problem.patch mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch qla_target-don-t-delete-changed-nacls.patch target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch --- .../arc-allow-headless-models-to-boot.patch | 35 +++ ...aches-in-early-boot-if-so-configured.patch | 254 ++++++++++++++++++ queue-3.14/arc-fix-mmuv2-warning.patch | 35 +++ queue-3.14/arc-general-fixes.patch | 64 +++++ ...f-registers-in-kgdb-to-match-gdb-7.5.patch | 73 +++++ ...-pinning-in-kvm_iommu_map-error-path.patch | 78 ++++++ ...mx-handle-invvpid-vm-exit-gracefully.patch | 77 ++++++ ...k-non-canonical-addresses-upon-wrmsr.patch | 
140 ++++++++++ ...-t-kill-guest-on-unknown-exit-reason.patch | 53 ++++ ...ip-canonical-checks-on-near-branches.patch | 234 ++++++++++++++++ ...-wrong-masking-on-relative-jump-call.patch | 65 +++++ ...kvm-x86-improve-thread-safety-in-pit.patch | 37 +++ ...-from-panicking-on-shared-msr-writes.patch | 86 ++++++ ...tage-on-tevii-s480-on-initialization.patch | 42 +++ ...-check-if-a-device-has-audio-earlier.patch | 99 +++++++ ...-vb2-core-properly-on-streaming-stop.patch | 102 +++++++ ...22-fix-32bit-overflow-on-filter-calc.patch | 38 +++ ...432_mute-bit-for-tda7432_rf-register.patch | 32 +++ ...dd-a-quirk-for-dell-xps-m1330-webcam.patch | 42 +++ ...ix-overflow-in-v4l_bound_align_image.patch | 67 +++++ ...ftrace-fix-a-micromips-build-problem.patch | 52 ++++ ...ix-huge-tlb-refill-exception-handler.patch | 90 +++++++ ...la_target-don-t-delete-changed-nacls.patch | 42 +++ queue-3.14/series | 25 ++ ...data-handling-for-dynamic-mappedluns.patch | 93 +++++++ ...pointer-for-scf_transport_task_sense.patch | 45 ++++ 26 files changed, 2000 insertions(+) create mode 100644 queue-3.14/arc-allow-headless-models-to-boot.patch create mode 100644 queue-3.14/arc-disable-caches-in-early-boot-if-so-configured.patch create mode 100644 queue-3.14/arc-fix-mmuv2-warning.patch create mode 100644 queue-3.14/arc-general-fixes.patch create mode 100644 queue-3.14/arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch create mode 100644 queue-3.14/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch create mode 100644 queue-3.14/kvm-vmx-handle-invvpid-vm-exit-gracefully.patch create mode 100644 queue-3.14/kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch create mode 100644 queue-3.14/kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch create mode 100644 queue-3.14/kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch create mode 100644 queue-3.14/kvm-x86-fix-wrong-masking-on-relative-jump-call.patch create mode 100644 
queue-3.14/kvm-x86-improve-thread-safety-in-pit.patch
create mode 100644 queue-3.14/kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch
create mode 100644 queue-3.14/media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch
create mode 100644 queue-3.14/media-em28xx-check-if-a-device-has-audio-earlier.patch
create mode 100644 queue-3.14/media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch
create mode 100644 queue-3.14/media-m88ts2022-fix-32bit-overflow-on-filter-calc.patch
create mode 100644 queue-3.14/media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch
create mode 100644 queue-3.14/media-usb-uvc-add-a-quirk-for-dell-xps-m1330-webcam.patch
create mode 100644 queue-3.14/media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch
create mode 100644 queue-3.14/mips-ftrace-fix-a-micromips-build-problem.patch
create mode 100644 queue-3.14/mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch
create mode 100644 queue-3.14/qla_target-don-t-delete-changed-nacls.patch
create mode 100644 queue-3.14/target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch
create mode 100644 queue-3.14/target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch
diff --git a/queue-3.14/arc-allow-headless-models-to-boot.patch b/queue-3.14/arc-allow-headless-models-to-boot.patch
new file mode 100644
index 00000000000..2fd33e5b1e0
--- /dev/null
+++ b/queue-3.14/arc-allow-headless-models-to-boot.patch
@@ -0,0 +1,35 @@ +From 5c05483e2db91890faa9a7be0a831701a3f442d6 Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Fri, 20 Jun 2014 16:24:49 +0530 +Subject: ARC: [nsimosci] Allow "headless" models to boot + +From: Vineet Gupta + +commit 5c05483e2db91890faa9a7be0a831701a3f442d6 upstream. + +There are certain test configuration of virtual platform which don't +have any real console device (uart/pgu). So add tty0 as a fallback console +device to allow system to boot and be accessible via telnet + +Otherwise with ttyS0 as only console, but 8250 disabled in kernel build, +init chokes. + +Reported-by: Anton Kolesov +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/boot/dts/nsimosci.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arc/boot/dts/nsimosci.dts ++++ b/arch/arc/boot/dts/nsimosci.dts +@@ -20,7 +20,7 @@ + /* this is for console on PGU */ + /* bootargs = "console=tty0 consoleblank=0"; */ + /* this is for console on serial */ +- bootargs = "earlycon=uart8250,mmio32,0xc0000000,115200n8 console=ttyS0,115200n8 consoleblank=0 debug"; ++ bootargs = "earlycon=uart8250,mmio32,0xc0000000,115200n8 console=tty0 console=ttyS0,115200n8 consoleblank=0 debug"; + }; + + aliases { diff --git a/queue-3.14/arc-disable-caches-in-early-boot-if-so-configured.patch b/queue-3.14/arc-disable-caches-in-early-boot-if-so-configured.patch new file mode 100644 index 00000000000..3bd47971a6d --- /dev/null +++ b/queue-3.14/arc-disable-caches-in-early-boot-if-so-configured.patch 
@@ -0,0 +1,254 @@ +From ef680cdc24376f394841a3f19b3a7ef6d57a009d Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Fri, 7 Mar 2014 18:08:11 +0530 +Subject: ARC: Disable caches in early boot if so configured + +From: Vineet Gupta + +commit ef680cdc24376f394841a3f19b3a7ef6d57a009d upstream. + +Requested-by: Noam Camus +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/cache.h | 27 ++++++++++ + arch/arc/kernel/head.S | 38 +++++++++++++- + arch/arc/mm/cache_arc700.c | 112 ++++++++++--------------------------------- + 3 files changed, 90 insertions(+), 87 deletions(-) + +--- a/arch/arc/include/asm/cache.h ++++ b/arch/arc/include/asm/cache.h +@@ -55,4 +55,31 @@ extern void read_decode_cache_bcr(void); + + #endif /* !__ASSEMBLY__ */ + ++/* Instruction cache related Auxiliary registers */ ++#define ARC_REG_IC_BCR 0x77 /* Build Config reg */ ++#define ARC_REG_IC_IVIC 0x10 ++#define ARC_REG_IC_CTRL 0x11 ++#define ARC_REG_IC_IVIL 0x19 ++#if defined(CONFIG_ARC_MMU_V3) || defined (CONFIG_ARC_MMU_V4) ++#define ARC_REG_IC_PTAG 0x1E ++#endif ++ ++/* Bit val in IC_CTRL */ ++#define IC_CTRL_CACHE_DISABLE 0x1 ++ ++/* Data cache related Auxiliary registers */ ++#define ARC_REG_DC_BCR 0x72 /* Build Config reg */ ++#define ARC_REG_DC_IVDC 0x47 ++#define ARC_REG_DC_CTRL 0x48 ++#define ARC_REG_DC_IVDL 0x4A ++#define ARC_REG_DC_FLSH 0x4B ++#define ARC_REG_DC_FLDL 0x4C ++#if defined(CONFIG_ARC_MMU_V3) || defined (CONFIG_ARC_MMU_V4) ++#define ARC_REG_DC_PTAG 0x5C ++#endif ++ ++/* Bit val in DC_CTRL */ ++#define DC_CTRL_INV_MODE_FLUSH 0x40 ++#define DC_CTRL_FLUSH_STATUS 0x100 ++ + #endif /* _ASM_CACHE_H */ +--- a/arch/arc/kernel/head.S ++++ b/arch/arc/kernel/head.S +@@ -12,10 +12,42 @@ + * to skip certain things during boot on simulator + */ + ++#include + #include + #include +-#include + #include ++#include ++ ++.macro CPU_EARLY_SETUP ++ ++ ; Setting up Vectror Table (in case exception happens in early boot ++ sr @_int_vec_base_lds, 
[AUX_INTR_VEC_BASE] ++ ++ ; Disable I-cache/D-cache if kernel so configured ++ lr r5, [ARC_REG_IC_BCR] ++ breq r5, 0, 1f ; I$ doesn't exist ++ lr r5, [ARC_REG_IC_CTRL] ++#ifdef CONFIG_ARC_HAS_ICACHE ++ bclr r5, r5, 0 ; 0 - Enable, 1 is Disable ++#else ++ bset r5, r5, 0 ; I$ exists, but is not used ++#endif ++ sr r5, [ARC_REG_IC_CTRL] ++ ++1: ++ lr r5, [ARC_REG_DC_BCR] ++ breq r5, 0, 1f ; D$ doesn't exist ++ lr r5, [ARC_REG_DC_CTRL] ++ bclr r5, r5, 6 ; Invalidate (discard w/o wback) ++#ifdef CONFIG_ARC_HAS_DCACHE ++ bclr r5, r5, 0 ; Enable (+Inv) ++#else ++ bset r5, r5, 0 ; Disable (+Inv) ++#endif ++ sr r5, [ARC_REG_DC_CTRL] ++ ++1: ++.endm + + .cpu A7 + +@@ -27,7 +59,7 @@ stext: + ; Don't clobber r0-r2 yet. It might have bootloader provided info + ;------------------------------------------------------------------- + +- sr @_int_vec_base_lds, [AUX_INTR_VEC_BASE] ++ CPU_EARLY_SETUP + + #ifdef CONFIG_SMP + ; Ensure Boot (Master) proceeds. Others wait in platform dependent way +@@ -90,7 +122,7 @@ stext: + + first_lines_of_secondary: + +- sr @_int_vec_base_lds, [AUX_INTR_VEC_BASE] ++ CPU_EARLY_SETUP + + ; setup per-cpu idle task as "current" on this CPU + ld r0, [@secondary_idle_tsk] +--- a/arch/arc/mm/cache_arc700.c ++++ b/arch/arc/mm/cache_arc700.c +@@ -73,33 +73,6 @@ + #include + #include + +-/* Instruction cache related Auxiliary registers */ +-#define ARC_REG_IC_BCR 0x77 /* Build Config reg */ +-#define ARC_REG_IC_IVIC 0x10 +-#define ARC_REG_IC_CTRL 0x11 +-#define ARC_REG_IC_IVIL 0x19 +-#if (CONFIG_ARC_MMU_VER > 2) +-#define ARC_REG_IC_PTAG 0x1E +-#endif +- +-/* Bit val in IC_CTRL */ +-#define IC_CTRL_CACHE_DISABLE 0x1 +- +-/* Data cache related Auxiliary registers */ +-#define ARC_REG_DC_BCR 0x72 /* Build Config reg */ +-#define ARC_REG_DC_IVDC 0x47 +-#define ARC_REG_DC_CTRL 0x48 +-#define ARC_REG_DC_IVDL 0x4A +-#define ARC_REG_DC_FLSH 0x4B +-#define ARC_REG_DC_FLDL 0x4C +-#if (CONFIG_ARC_MMU_VER > 2) +-#define ARC_REG_DC_PTAG 0x5C +-#endif +- +-/* Bit val in 
DC_CTRL */ +-#define DC_CTRL_INV_MODE_FLUSH 0x40 +-#define DC_CTRL_FLUSH_STATUS 0x100 +- + char *arc_cache_mumbojumbo(int c, char *buf, int len) + { + int n = 0; +@@ -168,72 +141,43 @@ void read_decode_cache_bcr(void) + */ + void arc_cache_init(void) + { +- unsigned int cpu = smp_processor_id(); +- struct cpuinfo_arc_cache *ic = &cpuinfo_arc700[cpu].icache; +- struct cpuinfo_arc_cache *dc = &cpuinfo_arc700[cpu].dcache; +- unsigned int dcache_does_alias, temp; ++ unsigned int __maybe_unused cpu = smp_processor_id(); ++ struct cpuinfo_arc_cache __maybe_unused *ic, __maybe_unused *dc; + char str[256]; + + printk(arc_cache_mumbojumbo(0, str, sizeof(str))); + +- if (!ic->ver) +- goto chk_dc; +- +-#ifdef CONFIG_ARC_HAS_ICACHE +- /* 1. Confirm some of I-cache params which Linux assumes */ +- if (ic->line_len != L1_CACHE_BYTES) +- panic("Cache H/W doesn't match kernel Config"); +- +- if (ic->ver != CONFIG_ARC_MMU_VER) +- panic("Cache ver doesn't match MMU ver\n"); +-#endif +- +- /* Enable/disable I-Cache */ +- temp = read_aux_reg(ARC_REG_IC_CTRL); +- + #ifdef CONFIG_ARC_HAS_ICACHE +- temp &= ~IC_CTRL_CACHE_DISABLE; +-#else +- temp |= IC_CTRL_CACHE_DISABLE; +-#endif +- +- write_aux_reg(ARC_REG_IC_CTRL, temp); +- +-chk_dc: +- if (!dc->ver) +- return; +- +-#ifdef CONFIG_ARC_HAS_DCACHE +- if (dc->line_len != L1_CACHE_BYTES) +- panic("Cache H/W doesn't match kernel Config"); +- +- /* check for D-Cache aliasing */ +- dcache_does_alias = (dc->sz / dc->assoc) > PAGE_SIZE; +- +- if (dcache_does_alias && !cache_is_vipt_aliasing()) +- panic("Enable CONFIG_ARC_CACHE_VIPT_ALIASING\n"); +- else if (!dcache_does_alias && cache_is_vipt_aliasing()) +- panic("Don't need CONFIG_ARC_CACHE_VIPT_ALIASING\n"); ++ ic = &cpuinfo_arc700[cpu].icache; ++ if (ic->ver) { ++ if (ic->line_len != L1_CACHE_BYTES) ++ panic("ICache line [%d] != kernel Config [%d]", ++ ic->line_len, L1_CACHE_BYTES); ++ ++ if (ic->ver != CONFIG_ARC_MMU_VER) ++ panic("Cache ver [%d] doesn't match MMU ver [%d]\n", ++ ic->ver, 
CONFIG_ARC_MMU_VER); ++ } + #endif + +- /* Set the default Invalidate Mode to "simpy discard dirty lines" +- * as this is more frequent then flush before invalidate +- * Ofcourse we toggle this default behviour when desired +- */ +- temp = read_aux_reg(ARC_REG_DC_CTRL); +- temp &= ~DC_CTRL_INV_MODE_FLUSH; +- + #ifdef CONFIG_ARC_HAS_DCACHE +- /* Enable D-Cache: Clear Bit 0 */ +- write_aux_reg(ARC_REG_DC_CTRL, temp & ~IC_CTRL_CACHE_DISABLE); +-#else +- /* Flush D cache */ +- write_aux_reg(ARC_REG_DC_FLSH, 0x1); +- /* Disable D cache */ +- write_aux_reg(ARC_REG_DC_CTRL, temp | IC_CTRL_CACHE_DISABLE); ++ dc = &cpuinfo_arc700[cpu].dcache; ++ if (dc->ver) { ++ unsigned int dcache_does_alias; ++ ++ if (dc->line_len != L1_CACHE_BYTES) ++ panic("DCache line [%d] != kernel Config [%d]", ++ dc->line_len, L1_CACHE_BYTES); ++ ++ /* check for D-Cache aliasing */ ++ dcache_does_alias = (dc->sz / dc->assoc) > PAGE_SIZE; ++ ++ if (dcache_does_alias && !cache_is_vipt_aliasing()) ++ panic("Enable CONFIG_ARC_CACHE_VIPT_ALIASING\n"); ++ else if (!dcache_does_alias && cache_is_vipt_aliasing()) ++ panic("Don't need CONFIG_ARC_CACHE_VIPT_ALIASING\n"); ++ } + #endif +- +- return; + } + + #define OP_INV 0x1 diff --git a/queue-3.14/arc-fix-mmuv2-warning.patch b/queue-3.14/arc-fix-mmuv2-warning.patch new file mode 100644 index 00000000000..3d1192eb67e --- /dev/null +++ b/queue-3.14/arc-fix-mmuv2-warning.patch 
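Review bot: The no-D-cache branch of the new CPU_EARLY_SETUP macro clears DC_CTRL bit 6 (`bclr r5, r5, 6 ; Invalidate (discard w/o wback)`) and then sets the disable bit, whereas the code it replaces in arc_cache_init() under `#else` wrote `ARC_REG_DC_FLSH` to flush dirty lines before disabling; dirty lines left behind by the bootloader would now be discarded rather than written back, so this should be confirmed against the upstream commit ef680cdc and the CONFIG_ARC_HAS_DCACHE=n use case. The new cache.h guards `ARC_REG_IC_PTAG`/`ARC_REG_DC_PTAG` with `defined(CONFIG_ARC_MMU_V3) || defined (CONFIG_ARC_MMU_V4)` while the definitions removed from cache_arc700.c, and the guards added by the arc-fix-mmuv2-warning patch later in this series, use `CONFIG_ARC_MMU_VER > 2`; if 3.14's Kconfig does not provide those symbols, MMUv3 builds lose the PTAG definitions. The `#include` lines in the head.S hunk show no header names in this rendering, which looks like stripped angle brackets, so whether asm/cache.h is included before `ARC_REG_IC_BCR` is first used cannot be checked here. The macro comment typo `Vectror` is only worth touching if it is also fixed upstream, since this is a stable backport.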
@@ -0,0 +1,35 @@ +From d75386363ee60eb51c933c7b5e536f3a502ad7d7 Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Sun, 6 Apr 2014 06:59:51 +0530 +Subject: ARC: fix mmuv2 warning + +From: Vineet Gupta + +commit d75386363ee60eb51c933c7b5e536f3a502ad7d7 upstream. + +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/mm/cache_arc700.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/arc/mm/cache_arc700.c ++++ b/arch/arc/mm/cache_arc700.c +@@ -253,12 +253,16 @@ static inline void __cache_line_loop(uns + + if (cacheop == OP_INV_IC) { + aux_cmd = ARC_REG_IC_IVIL; ++#if (CONFIG_ARC_MMU_VER > 2) + aux_tag = ARC_REG_IC_PTAG; ++#endif + } + else { + /* d$ cmd: INV (discard or wback-n-discard) OR FLUSH (wback) */ + aux_cmd = cacheop & OP_INV ? ARC_REG_DC_IVDL : ARC_REG_DC_FLDL; ++#if (CONFIG_ARC_MMU_VER > 2) + aux_tag = ARC_REG_DC_PTAG; ++#endif + } + + /* Ensure we properly floor/ceil the non-line aligned/sized requests diff --git a/queue-3.14/arc-general-fixes.patch b/queue-3.14/arc-general-fixes.patch new file mode 100644 index 00000000000..7410da0767e --- /dev/null +++ b/queue-3.14/arc-general-fixes.patch 
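Review bot: The added `#if (CONFIG_ARC_MMU_VER > 2)` guards leave `aux_tag` unassigned on MMUv2 builds in both branches of __cache_line_loop(), which is only correct if every later use of `aux_tag` in that function is guarded the same way; the function starts and continues outside this hunk, so that cannot be verified here. A short comment on the first guard, e.g. `/* PTAG regs only exist on MMUv3+; aux_tag is not used below on older MMUs */`, would make that dependency visible to the next person touching the loop.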
@@ -0,0 +1,64 @@ +From c3441edd2dea83923421fd6050d2ffdc57696323 Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Mon, 24 Feb 2014 11:42:50 +0800 +Subject: ARC: [SMP] General Fixes + +From: Vineet Gupta + +commit c3441edd2dea83923421fd6050d2ffdc57696323 upstream. + +-Pass the expected arg to non-boot park'ing routine + (It worked so far because existing SMP backends don't use the arg) + +-CONFIG_DEBUG_PREEMPT warning + +Signed-off-by: Greg Kroah-Hartman + + +--- + arch/arc/kernel/head.S | 7 ++++--- + arch/arc/mm/cache_arc700.c | 3 +-- + 2 files changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/arc/kernel/head.S ++++ b/arch/arc/kernel/head.S +@@ -24,13 +24,13 @@ + .globl stext + stext: + ;------------------------------------------------------------------- +- ; Don't clobber r0-r4 yet. It might have bootloader provided info ++ ; Don't clobber r0-r2 yet. It might have bootloader provided info + ;------------------------------------------------------------------- + + sr @_int_vec_base_lds, [AUX_INTR_VEC_BASE] + + #ifdef CONFIG_SMP +- ; Only Boot (Master) proceeds. Others wait in platform dependent way ++ ; Ensure Boot (Master) proceeds. Others wait in platform dependent way + ; IDENTITY Reg [ 3 2 1 0 ] + ; (cpu-id) ^^^ => Zero for UP ARC700 + ; => #Core-ID if SMP (Master 0) +@@ -39,7 +39,8 @@ stext: + ; need to make sure only boot cpu takes this path. + GET_CPU_ID r5 + cmp r5, 0 +- jnz arc_platform_smp_wait_to_boot ++ mov.ne r0, r5 ++ jne arc_platform_smp_wait_to_boot + #endif + ; Clear BSS before updating any globals + ; XXX: use ZOL here +--- a/arch/arc/mm/cache_arc700.c ++++ b/arch/arc/mm/cache_arc700.c +@@ -100,10 +100,9 @@ + #define DC_CTRL_INV_MODE_FLUSH 0x40 + #define DC_CTRL_FLUSH_STATUS 0x100 + +-char *arc_cache_mumbojumbo(int cpu_id, char *buf, int len) ++char *arc_cache_mumbojumbo(int c, char *buf, int len) + { + int n = 0; +- unsigned int c = smp_processor_id(); + + #define PR_CACHE(p, enb, str) \ + { \ 
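Review bot: On the SMP path the new `mov.ne r0, r5` overwrites r0 on every non-boot CPU a few lines below the comment `Don't clobber r0-r2 yet. It might have bootloader provided info`, so the comment and the code now read as contradicting each other; if secondaries never consume bootloader arguments, say so where the value is set, e.g. `; non-boot CPUs: bootloader info in r0 is unused, pass cpu-id as arg` (the stext body continues outside the hunk). In the cache_arc700.c hunk, arc_cache_mumbojumbo() now trusts its `c` parameter instead of calling smp_processor_id(), which removes the preempt warning but means every caller must pass a valid CPU index; the only call visible in this series passes 0 from arc_cache_init(), any others are outside the hunk. The backport header carries only a Greg Kroah-Hartman Signed-off-by; the upstream author's sign-off line appears to be missing.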
diff --git a/queue-3.14/arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch b/queue-3.14/arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch
new file mode 100644
index 00000000000..f7756877b71
--- /dev/null
+++ b/queue-3.14/arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch
@@ -0,0 +1,73 @@ +From ebc0c74e76cec9c4dd860eb0ca1c0b39dc63c482 Mon Sep 17 00:00:00 2001 +From: Anton Kolesov +Date: Thu, 25 Sep 2014 13:23:24 +0400 +Subject: ARC: Update order of registers in KGDB to match GDB 7.5 + +From: Anton Kolesov + +commit ebc0c74e76cec9c4dd860eb0ca1c0b39dc63c482 upstream. + +Order of registers has changed in GDB moving from 6.8 to 7.5. This patch +updates KGDB to work properly with GDB 7.5, though makes it incompatible +with 6.8. + +Signed-off-by: Anton Kolesov +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/kgdb.h | 32 ++++++++++++++++++-------------- + 1 file changed, 18 insertions(+), 14 deletions(-) + +--- a/arch/arc/include/asm/kgdb.h ++++ b/arch/arc/include/asm/kgdb.h +@@ -19,7 +19,7 @@ + * register API yet */ + #undef DBG_MAX_REG_NUM + +-#define GDB_MAX_REGS 39 ++#define GDB_MAX_REGS 87 + + #define BREAK_INSTR_SIZE 2 + #define CACHE_FLUSH_IS_SAFE 1 +@@ -33,23 +33,27 @@ static inline void arch_kgdb_breakpoint( + + extern void kgdb_trap(struct pt_regs *regs); + +-enum arc700_linux_regnums { ++/* This is the numbering of registers according to the GDB. See GDB's ++ * arc-tdep.h for details. ++ * ++ * Registers are ordered for GDB 7.5. It is incompatible with GDB 6.8. */ ++enum arc_linux_regnums { + _R0 = 0, + _R1, _R2, _R3, _R4, _R5, _R6, _R7, _R8, _R9, _R10, _R11, _R12, _R13, + _R14, _R15, _R16, _R17, _R18, _R19, _R20, _R21, _R22, _R23, _R24, + _R25, _R26, +- _BTA = 27, +- _LP_START = 28, +- _LP_END = 29, +- _LP_COUNT = 30, +- _STATUS32 = 31, +- _BLINK = 32, +- _FP = 33, +- __SP = 34, +- _EFA = 35, +- _RET = 36, +- _ORIG_R8 = 37, +- _STOP_PC = 38 ++ _FP = 27, ++ __SP = 28, ++ _R30 = 30, ++ _BLINK = 31, ++ _LP_COUNT = 60, ++ _STOP_PC = 64, ++ _RET = 64, ++ _LP_START = 65, ++ _LP_END = 66, ++ _STATUS32 = 67, ++ _ECR = 76, ++ _BTA = 82, + }; + + #else 
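Review bot: The new `enum arc_linux_regnums` gives two enumerators the same value, `_STOP_PC = 64` and `_RET = 64`, with no comment; if the aliasing is intentional (the kernel fills GDB's stop-PC slot from `ret`), a one-line comment such as `/* _STOP_PC and _RET intentionally share slot 64 */` stops a later reader treating it as a typo. `_ORIG_R8` is dropped from the enum while `GDB_MAX_REGS` grows from 39 to 87, so any remaining user of `_ORIG_R8` in arch/arc/kernel/kgdb.c, outside this hunk, would no longer compile, and any buffer still sized from the old count of 39 would be too small. The header comment could also state that the unnamed slots (29, 32-59, and the other gaps) are expected to be left zero by the kernel, assuming that is what kgdb.c does, which cannot be confirmed from here.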
diff --git a/queue-3.14/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch b/queue-3.14/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch
new file mode 100644
index 00000000000..a9a00db9e8e
--- /dev/null
+++ b/queue-3.14/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch
@@ -0,0 +1,78 @@ +From 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f Mon Sep 17 00:00:00 2001 +From: Quentin Casasnovas +Date: Fri, 17 Oct 2014 22:55:59 +0200 +Subject: kvm: fix excessive pages un-pinning in kvm_iommu_map error path. + +From: Quentin Casasnovas + +commit 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f upstream. + +The third parameter of kvm_unpin_pages() when called from +kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin +and not the page size. + +This error was facilitated with an inconsistent API: kvm_pin_pages() takes +a size, but kvn_unpin_pages() takes a number of pages, so fix the problem +by matching the two. + +This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter +of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of +un-pinning for pages intended to be un-pinned (i.e. memory leak) but +unfortunately potentially aggravated the number of pages we un-pin that +should have stayed pinned. As far as I understand though, the same +practical mitigations apply. + +This issue was found during review of Red Hat 6.6 patches to prepare +Ksplice rebootless updates. + +Thanks to Vegard for his time on a late Friday evening to help me in +understanding this code. + +Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... 
(CVE-2014-3601)") +Signed-off-by: Quentin Casasnovas +Signed-off-by: Vegard Nossum +Signed-off-by: Jamie Iles +Reviewed-by: Sasha Levin +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/iommu.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/virt/kvm/iommu.c ++++ b/virt/kvm/iommu.c +@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct k + gfn_t base_gfn, unsigned long npages); + + static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn, +- unsigned long size) ++ unsigned long npages) + { + gfn_t end_gfn; + pfn_t pfn; + + pfn = gfn_to_pfn_memslot(slot, gfn); +- end_gfn = gfn + (size >> PAGE_SHIFT); ++ end_gfn = gfn + npages; + gfn += 1; + + if (is_error_noslot_pfn(pfn)) +@@ -119,7 +119,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, + * Pin all pages we are about to map in memory. This is + * important because we unmap and unpin in 4kb steps later. + */ +- pfn = kvm_pin_pages(slot, gfn, page_size); ++ pfn = kvm_pin_pages(slot, gfn, page_size >> PAGE_SHIFT); + if (is_error_noslot_pfn(pfn)) { + gfn += 1; + continue; +@@ -131,7 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, + if (r) { + printk(KERN_ERR "kvm_iommu_map_address:" + "iommu failed to map pfn=%llx\n", pfn); +- kvm_unpin_pages(kvm, pfn, page_size); ++ kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT); + goto unmap_pages; + } + diff --git a/queue-3.14/kvm-vmx-handle-invvpid-vm-exit-gracefully.patch b/queue-3.14/kvm-vmx-handle-invvpid-vm-exit-gracefully.patch new file mode 100644 index 00000000000..99c1121f71e --- /dev/null +++ b/queue-3.14/kvm-vmx-handle-invvpid-vm-exit-gracefully.patch 
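Review bot: `page_size >> PAGE_SHIFT` is now computed twice in kvm_iommu_map_pages(), once for `kvm_pin_pages` and once for `kvm_unpin_pages`; the unit mismatch this patch fixes came from exactly this kind of call-site arithmetic, so hoisting it into one local, `unsigned long npages = page_size >> PAGE_SHIFT;`, used by both calls would keep the two from drifting apart again. The kvm_pin_pages() prototype should also say what the argument is now, e.g. `/* npages: number of pages to pin, not a byte size */`, since the renamed parameter is the whole fix. The body of kvm_iommu_map_pages() starts and ends outside the hunk, so whether page_size is always a multiple of PAGE_SIZE at this point cannot be checked here.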
@@ -0,0 +1,77 @@ +From a642fc305053cc1c6e47e4f4df327895747ab485 Mon Sep 17 00:00:00 2001 +From: Petr Matousek +Date: Tue, 23 Sep 2014 20:22:30 +0200 +Subject: kvm: vmx: handle invvpid vm exit gracefully + +From: Petr Matousek + +commit a642fc305053cc1c6e47e4f4df327895747ab485 upstream. + +On systems with invvpid instruction support (corresponding bit in +IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invvpid +causes vm exit, which is currently not handled and results in +propagation of unknown exit to userspace. + +Fix this by installing an invvpid vm exit handler. + +This is CVE-2014-3646. + +Signed-off-by: Petr Matousek +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/uapi/asm/vmx.h | 2 ++ + arch/x86/kvm/vmx.c | 9 ++++++++- + 2 files changed, 10 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/uapi/asm/vmx.h ++++ b/arch/x86/include/uapi/asm/vmx.h +@@ -67,6 +67,7 @@ + #define EXIT_REASON_EPT_MISCONFIG 49 + #define EXIT_REASON_INVEPT 50 + #define EXIT_REASON_PREEMPTION_TIMER 52 ++#define EXIT_REASON_INVVPID 53 + #define EXIT_REASON_WBINVD 54 + #define EXIT_REASON_XSETBV 55 + #define EXIT_REASON_APIC_WRITE 56 +@@ -114,6 +115,7 @@ + { EXIT_REASON_EOI_INDUCED, "EOI_INDUCED" }, \ + { EXIT_REASON_INVALID_STATE, "INVALID_STATE" }, \ + { EXIT_REASON_INVD, "INVD" }, \ ++ { EXIT_REASON_INVVPID, "INVVPID" }, \ + { EXIT_REASON_INVPCID, "INVPCID" } + + #endif /* _UAPIVMX_H */ +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -6444,6 +6444,12 @@ static int handle_invept(struct kvm_vcpu + return 1; + } + ++static int handle_invvpid(struct kvm_vcpu *vcpu) ++{ ++ kvm_queue_exception(vcpu, UD_VECTOR); ++ return 1; ++} ++ + /* + * The exit handlers return 1 if the exit was handled fully and guest execution + * may resume. 
Otherwise they set the kvm_run parameter to indicate what needs +@@ -6489,6 +6495,7 @@ static int (*const kvm_vmx_exit_handlers + [EXIT_REASON_MWAIT_INSTRUCTION] = handle_invalid_op, + [EXIT_REASON_MONITOR_INSTRUCTION] = handle_invalid_op, + [EXIT_REASON_INVEPT] = handle_invept, ++ [EXIT_REASON_INVVPID] = handle_invvpid, + }; + + static const int kvm_vmx_max_exit_handlers = +@@ -6722,7 +6729,7 @@ static bool nested_vmx_exit_handled(stru + case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD: + case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE: + case EXIT_REASON_VMOFF: case EXIT_REASON_VMON: +- case EXIT_REASON_INVEPT: ++ case EXIT_REASON_INVEPT: case EXIT_REASON_INVVPID: + /* + * VMX instructions trap unconditionally. This allows L1 to + * emulate them for its L2 guest, i.e., allows 3-level nesting! diff --git a/queue-3.14/kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch b/queue-3.14/kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch new file mode 100644 index 00000000000..2c97c9903b4 --- /dev/null +++ b/queue-3.14/kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch 
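Review bot: handle_invvpid() queues #UD with no comment explaining why that is the right response, which matters because the patch is the fix for CVE-2014-3646 and the next reader will wonder whether INVVPID should instead be emulated; a header such as `/* VPID is not exposed to the guest (no nested VPID support), so INVVPID #UDs exactly as on hardware without the feature */` would record the reasoning. The nested_vmx_exit_handled() change forwards INVVPID to L1 unconditionally alongside the other VMX instructions, which is consistent with the handler since L1 sees it as unsupported either way. If nested VPID is ever advertised through the secondary controls, both the handler and that case list need revisiting; that caveat belongs in the same comment.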
@@ -0,0 +1,140 @@ +From 854e8bb1aa06c578c2c9145fa6bfe3680ef63b23 Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Tue, 16 Sep 2014 03:24:05 +0300 +Subject: KVM: x86: Check non-canonical addresses upon WRMSR + +From: Nadav Amit + +commit 854e8bb1aa06c578c2c9145fa6bfe3680ef63b23 upstream. + +Upon WRMSR, the CPU should inject #GP if a non-canonical value (address) is +written to certain MSRs. The behavior is "almost" identical for AMD and Intel +(ignoring MSRs that are not implemented in either architecture since they would +anyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if +non-canonical address is written on Intel but not on AMD (which ignores the top +32-bits). + +Accordingly, this patch injects a #GP on the MSRs which behave identically on +Intel and AMD. To eliminate the differences between the architecutres, the +value which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to +canonical value before writing instead of injecting a #GP. + +Some references from Intel and AMD manuals: + +According to Intel SDM description of WRMSR instruction #GP is expected on +WRMSR "If the source register contains a non-canonical address and ECX +specifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE, +IA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP." + +According to AMD manual instruction manual: +LSTAR/CSTAR (SYSCALL): "The WRMSR instruction loads the target RIP into the +LSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical +form, a general-protection exception (#GP) occurs." +IA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): "The address written to the +base field must be in canonical form or a #GP fault will occur." +IA32_KERNEL_GS_BASE (SWAPGS): "The address stored in the KernelGSbase MSR must +be in canonical form." + +This patch fixes CVE-2014-3610. 
+ +Signed-off-by: Nadav Amit +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/kvm_host.h | 14 ++++++++++++++ + arch/x86/kvm/svm.c | 2 +- + arch/x86/kvm/vmx.c | 2 +- + arch/x86/kvm/x86.c | 27 ++++++++++++++++++++++++++- + 4 files changed, 42 insertions(+), 3 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -984,6 +984,20 @@ static inline void kvm_inject_gp(struct + kvm_queue_exception_e(vcpu, GP_VECTOR, error_code); + } + ++static inline u64 get_canonical(u64 la) ++{ ++ return ((int64_t)la << 16) >> 16; ++} ++ ++static inline bool is_noncanonical_address(u64 la) ++{ ++#ifdef CONFIG_X86_64 ++ return get_canonical(la) != la; ++#else ++ return false; ++#endif ++} ++ + #define TSS_IOPB_BASE_OFFSET 0x66 + #define TSS_BASE_SIZE 0x68 + #define TSS_IOPB_SIZE (65536 / 8) +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3213,7 +3213,7 @@ static int wrmsr_interception(struct vcp + msr.host_initiated = false; + + svm->next_rip = kvm_rip_read(&svm->vcpu) + 2; +- if (svm_set_msr(&svm->vcpu, &msr)) { ++ if (kvm_set_msr(&svm->vcpu, &msr)) { + trace_kvm_msr_write_ex(ecx, data); + kvm_inject_gp(&svm->vcpu, 0); + } else { +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -5172,7 +5172,7 @@ static int handle_wrmsr(struct kvm_vcpu + msr.data = data; + msr.index = ecx; + msr.host_initiated = false; +- if (vmx_set_msr(vcpu, &msr) != 0) { ++ if (kvm_set_msr(vcpu, &msr) != 0) { + trace_kvm_msr_write_ex(ecx, data); + kvm_inject_gp(vcpu, 0); + return 1; +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -951,7 +951,6 @@ void kvm_enable_efer_bits(u64 mask) + } + EXPORT_SYMBOL_GPL(kvm_enable_efer_bits); + +- + /* + * Writes msr value into into the appropriate "register". + * Returns 0 on success, non-0 otherwise. 
+@@ -959,8 +958,34 @@ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits); + */ + int kvm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr) + { ++ switch (msr->index) { ++ case MSR_FS_BASE: ++ case MSR_GS_BASE: ++ case MSR_KERNEL_GS_BASE: ++ case MSR_CSTAR: ++ case MSR_LSTAR: ++ if (is_noncanonical_address(msr->data)) ++ return 1; ++ break; ++ case MSR_IA32_SYSENTER_EIP: ++ case MSR_IA32_SYSENTER_ESP: ++ /* ++ * IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if ++ * non-canonical address is written on Intel but not on ++ * AMD (which ignores the top 32-bits, because it does ++ * not implement 64-bit SYSENTER). ++ * ++ * 64-bit code should hence be able to write a non-canonical ++ * value on AMD. Making the address canonical ensures that ++ * vmentry does not fail on Intel after writing a non-canonical ++ * value, and that something deterministic happens if the guest ++ * invokes 64-bit SYSENTER. ++ */ ++ msr->data = get_canonical(msr->data); ++ } + return kvm_x86_ops->set_msr(vcpu, msr); + } ++EXPORT_SYMBOL_GPL(kvm_set_msr); + + /* + * Adapt set_msr() to msr_io()'s calling convention diff --git a/queue-3.14/kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch b/queue-3.14/kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch new file mode 100644 index 00000000000..c17da16b048 --- /dev/null +++ b/queue-3.14/kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch 
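Review bot: `get_canonical()` relies on `((int64_t)la << 16) >> 16`, a left shift of a possibly negative signed value followed by an arithmetic right shift, which ISO C leaves undefined/implementation-defined and which only works under the GCC semantics the kernel is built with; since the helper now sits on the #GP-injection path for guest-controlled MSR values, a comment such as `/* sign-extend bit 47 into bits 48-63; relies on gcc arithmetic shift semantics */` would flag that dependency. The new `switch` in kvm_set_msr() has no `default:` and the SYSENTER case ends without a `break;`; both are harmless today, but a `default: break;` makes the intended fall-out explicit. The canonical check also runs for host-initiated writes (`msr->host_initiated` is not consulted), so restoring a saved non-canonical FS/GS/LSTAR value from userspace now fails where it previously succeeded; if that is intended it deserves a sentence in the comment block. Whether the 48-bit width hard-coded by the shift of 16 is the right assumption for every supported guest cannot be judged from this hunk.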
@@ -0,0 +1,53 @@ +From 2bc19dc3754fc066c43799659f0d848631c44cfe Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 18 Sep 2014 16:21:16 +0300 +Subject: kvm: x86: don't kill guest on unknown exit reason + +From: "Michael S. Tsirkin" + +commit 2bc19dc3754fc066c43799659f0d848631c44cfe upstream. + +KVM_EXIT_UNKNOWN is a kvm bug, we don't really know whether it was +triggered by a priveledged application. Let's not kill the guest: WARN +and inject #UD instead. + +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 6 +++--- + arch/x86/kvm/vmx.c | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3495,9 +3495,9 @@ static int handle_exit(struct kvm_vcpu * + + if (exit_code >= ARRAY_SIZE(svm_exit_handlers) + || !svm_exit_handlers[exit_code]) { +- kvm_run->exit_reason = KVM_EXIT_UNKNOWN; +- kvm_run->hw.hardware_exit_reason = exit_code; +- return 0; ++ WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_code); ++ kvm_queue_exception(vcpu, UD_VECTOR); ++ return 1; + } + + return svm_exit_handlers[exit_code](svm); +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -6887,10 +6887,10 @@ static int vmx_handle_exit(struct kvm_vc + && kvm_vmx_exit_handlers[exit_reason]) + return kvm_vmx_exit_handlers[exit_reason](vcpu); + else { +- vcpu->run->exit_reason = KVM_EXIT_UNKNOWN; +- vcpu->run->hw.hardware_exit_reason = exit_reason; ++ WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_reason); ++ kvm_queue_exception(vcpu, UD_VECTOR); ++ return 1; + } +- return 0; + } + + static void update_cr8_intercept(struct kvm_vcpu *vcpu, int tpr, int irr) diff --git a/queue-3.14/kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch b/queue-3.14/kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch new file mode 100644 index 00000000000..055d4fb2140 --- /dev/null 
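Review bot: The message in the new svm.c WARN_ONCE reads `"vmx: unexpected exit reason 0x%x\n"`, a copy of the vmx.c string; in arch/x86/kvm/svm.c it should be `"svm: unexpected exit reason 0x%x\n"` so a host log line points at the right backend. The condition is reachable from the guest side (an exit code with no entry in the handler table), so WARN_ONCE rather than WARN is the right rate limit for a host log. The injected #UD does not advance RIP, which is fine for an instruction-driven exit but, if the unknown exit was not caused by an instruction, presumably re-executes the same thing; a one-line comment above `kvm_queue_exception(vcpu, UD_VECTOR);` saying this is the deliberate "don't kill the guest" fallback would record that trade-off. Both handle_exit bodies start before the hunk.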
+++ b/queue-3.14/kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch 
@@ -0,0 +1,234 @@ +From 234f3ce485d54017f15cf5e0699cff4100121601 Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Thu, 18 Sep 2014 22:39:38 +0300 +Subject: KVM: x86: Emulator fixes for eip canonical checks on near branches + +From: Nadav Amit + +commit 234f3ce485d54017f15cf5e0699cff4100121601 upstream. + +Before changing rip (during jmp, call, ret, etc.) the target should be asserted +to be canonical one, as real CPUs do. During sysret, both target rsp and rip +should be canonical. If any of these values is noncanonical, a #GP exception +should occur. The exception to this rule are syscall and sysenter instructions +in which the assigned rip is checked during the assignment to the relevant +MSRs. + +This patch fixes the emulator to behave as real CPUs do for near branches. +Far branches are handled by the next patch. + +This fixes CVE-2014-3647. + +Signed-off-by: Nadav Amit +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 78 +++++++++++++++++++++++++++++++++---------------- + 1 file changed, 54 insertions(+), 24 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -571,7 +571,8 @@ static int emulate_nm(struct x86_emulate + return emulate_exception(ctxt, NM_VECTOR, 0, false); + } + +-static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst) ++static inline int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst, ++ int cs_l) + { + switch (ctxt->op_bytes) { + case 2: +@@ -581,16 +582,25 @@ static inline void assign_eip_near(struc + ctxt->_eip = (u32)dst; + break; + case 8: ++ if ((cs_l && is_noncanonical_address(dst)) || ++ (!cs_l && (dst & ~(u32)-1))) ++ return emulate_gp(ctxt, 0); + ctxt->_eip = dst; + break; + default: + WARN(1, "unsupported eip assignment size\n"); + } ++ return X86EMUL_CONTINUE; ++} ++ ++static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst) ++{ ++ return assign_eip_far(ctxt, dst, ctxt->mode == X86EMUL_MODE_PROT64); + } + 
+-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) ++static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) + { +- assign_eip_near(ctxt, ctxt->_eip + rel); ++ return assign_eip_near(ctxt, ctxt->_eip + rel); + } + + static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg) +@@ -1975,13 +1985,15 @@ static int em_grp45(struct x86_emulate_c + case 2: /* call near abs */ { + long int old_eip; + old_eip = ctxt->_eip; +- ctxt->_eip = ctxt->src.val; ++ rc = assign_eip_near(ctxt, ctxt->src.val); ++ if (rc != X86EMUL_CONTINUE) ++ break; + ctxt->src.val = old_eip; + rc = em_push(ctxt); + break; + } + case 4: /* jmp abs */ +- ctxt->_eip = ctxt->src.val; ++ rc = assign_eip_near(ctxt, ctxt->src.val); + break; + case 5: /* jmp far */ + rc = em_jmp_far(ctxt); +@@ -2013,10 +2025,14 @@ static int em_cmpxchg8b(struct x86_emula + + static int em_ret(struct x86_emulate_ctxt *ctxt) + { +- ctxt->dst.type = OP_REG; +- ctxt->dst.addr.reg = &ctxt->_eip; +- ctxt->dst.bytes = ctxt->op_bytes; +- return em_pop(ctxt); ++ int rc; ++ unsigned long eip; ++ ++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes); ++ if (rc != X86EMUL_CONTINUE) ++ return rc; ++ ++ return assign_eip_near(ctxt, eip); + } + + static int em_ret_far(struct x86_emulate_ctxt *ctxt) +@@ -2294,7 +2310,7 @@ static int em_sysexit(struct x86_emulate + { + const struct x86_emulate_ops *ops = ctxt->ops; + struct desc_struct cs, ss; +- u64 msr_data; ++ u64 msr_data, rcx, rdx; + int usermode; + u16 cs_sel = 0, ss_sel = 0; + +@@ -2310,6 +2326,9 @@ static int em_sysexit(struct x86_emulate + else + usermode = X86EMUL_MODE_PROT32; + ++ rcx = reg_read(ctxt, VCPU_REGS_RCX); ++ rdx = reg_read(ctxt, VCPU_REGS_RDX); ++ + cs.dpl = 3; + ss.dpl = 3; + ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data); +@@ -2327,6 +2346,9 @@ static int em_sysexit(struct x86_emulate + ss_sel = cs_sel + 8; + cs.d = 0; + cs.l = 1; ++ if (is_noncanonical_address(rcx) || ++ is_noncanonical_address(rdx)) ++ return 
emulate_gp(ctxt, 0); + break; + } + cs_sel |= SELECTOR_RPL_MASK; +@@ -2335,8 +2357,8 @@ static int em_sysexit(struct x86_emulate + ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS); + ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS); + +- ctxt->_eip = reg_read(ctxt, VCPU_REGS_RDX); +- *reg_write(ctxt, VCPU_REGS_RSP) = reg_read(ctxt, VCPU_REGS_RCX); ++ ctxt->_eip = rdx; ++ *reg_write(ctxt, VCPU_REGS_RSP) = rcx; + + return X86EMUL_CONTINUE; + } +@@ -2875,10 +2897,13 @@ static int em_aad(struct x86_emulate_ctx + + static int em_call(struct x86_emulate_ctxt *ctxt) + { ++ int rc; + long rel = ctxt->src.val; + + ctxt->src.val = (unsigned long)ctxt->_eip; +- jmp_rel(ctxt, rel); ++ rc = jmp_rel(ctxt, rel); ++ if (rc != X86EMUL_CONTINUE) ++ return rc; + return em_push(ctxt); + } + +@@ -2910,11 +2935,12 @@ static int em_call_far(struct x86_emulat + static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt) + { + int rc; ++ unsigned long eip; + +- ctxt->dst.type = OP_REG; +- ctxt->dst.addr.reg = &ctxt->_eip; +- ctxt->dst.bytes = ctxt->op_bytes; +- rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes); ++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes); ++ if (rc != X86EMUL_CONTINUE) ++ return rc; ++ rc = assign_eip_near(ctxt, eip); + if (rc != X86EMUL_CONTINUE) + return rc; + rsp_increment(ctxt, ctxt->src.val); +@@ -3244,20 +3270,24 @@ static int em_lmsw(struct x86_emulate_ct + + static int em_loop(struct x86_emulate_ctxt *ctxt) + { ++ int rc = X86EMUL_CONTINUE; ++ + register_address_increment(ctxt, reg_rmw(ctxt, VCPU_REGS_RCX), -1); + if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) && + (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags))) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + +- return X86EMUL_CONTINUE; ++ return rc; + } + + static int em_jcxz(struct x86_emulate_ctxt *ctxt) + { ++ int rc = X86EMUL_CONTINUE; ++ + if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = 
jmp_rel(ctxt, ctxt->src.val); + +- return X86EMUL_CONTINUE; ++ return rc; + } + + static int em_in(struct x86_emulate_ctxt *ctxt) +@@ -4654,7 +4684,7 @@ special_insn: + break; + case 0x70 ... 0x7f: /* jcc (short) */ + if (test_cc(ctxt->b, ctxt->eflags)) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + break; + case 0x8d: /* lea r16/r32, m */ + ctxt->dst.val = ctxt->src.addr.mem.ea; +@@ -4683,7 +4713,7 @@ special_insn: + break; + case 0xe9: /* jmp rel */ + case 0xeb: /* jmp rel short */ +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + ctxt->dst.type = OP_NONE; /* Disable writeback. */ + break; + case 0xf4: /* hlt */ +@@ -4803,7 +4833,7 @@ twobyte_insn: + break; + case 0x80 ... 0x8f: /* jnz rel, etc*/ + if (test_cc(ctxt->b, ctxt->eflags)) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + break; + case 0x90 ... 0x9f: /* setcc r/m8 */ + ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags); diff --git a/queue-3.14/kvm-x86-fix-wrong-masking-on-relative-jump-call.patch b/queue-3.14/kvm-x86-fix-wrong-masking-on-relative-jump-call.patch new file mode 100644 index 00000000000..8e773533347 --- /dev/null +++ b/queue-3.14/kvm-x86-fix-wrong-masking-on-relative-jump-call.patch 
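Review bot: `em_ret` and `em_ret_near_imm` declare `unsigned long eip;` and fill it with `emulate_pop(ctxt, &eip, ctxt->op_bytes)`, which presumably writes only op_bytes bytes (its body is not in the hunk), so for 16/32-bit operands the upper bytes of `eip` hold stale stack contents until `assign_eip_near` truncates them; `unsigned long eip = 0;` makes the truncation explicit and keeps uninitialised-read checkers quiet. The commit message defers far branches (jmp/call/ret far, iret) to "the next patch", and that follow-up is not among the patch files visible in this chunk; without it CVE-2014-3647 is only partially closed in 3.14, so confirm it is queued alongside. The decode loop (`special_insn`/`twobyte_insn`) and em_sysexit begin outside the hunk.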
@@ -0,0 +1,65 @@ +From 05c83ec9b73c8124555b706f6af777b10adf0862 Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Thu, 18 Sep 2014 22:39:37 +0300 +Subject: KVM: x86: Fix wrong masking on relative jump/call + +From: Nadav Amit + +commit 05c83ec9b73c8124555b706f6af777b10adf0862 upstream. + +Relative jumps and calls do the masking according to the operand size, and not +according to the address size as the KVM emulator does today. + +This patch fixes KVM behavior. + +Signed-off-by: Nadav Amit +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -498,11 +498,6 @@ static void rsp_increment(struct x86_emu + masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc); + } + +-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) +-{ +- register_address_increment(ctxt, &ctxt->_eip, rel); +-} +- + static u32 desc_limit_scaled(struct desc_struct *desc) + { + u32 limit = get_desc_limit(desc); +@@ -576,6 +571,28 @@ static int emulate_nm(struct x86_emulate + return emulate_exception(ctxt, NM_VECTOR, 0, false); + } + ++static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst) ++{ ++ switch (ctxt->op_bytes) { ++ case 2: ++ ctxt->_eip = (u16)dst; ++ break; ++ case 4: ++ ctxt->_eip = (u32)dst; ++ break; ++ case 8: ++ ctxt->_eip = dst; ++ break; ++ default: ++ WARN(1, "unsupported eip assignment size\n"); ++ } ++} ++ ++static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) ++{ ++ assign_eip_near(ctxt, ctxt->_eip + rel); ++} ++ + static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg) + { + u16 selector; diff --git a/queue-3.14/kvm-x86-improve-thread-safety-in-pit.patch b/queue-3.14/kvm-x86-improve-thread-safety-in-pit.patch new file mode 100644 index 00000000000..f6f17ad09e1 --- /dev/null 
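Review bot: The `default:` arm of the new `assign_eip_near` only WARNs and returns, so an unexpected `ctxt->op_bytes` leaves `_eip` untouched and the caller continues from the old address with no error signalled; the decoder should only ever produce 2/4/8 here, so a comment stating that invariant, e.g. `/* op_bytes is 2/4/8 by construction; anything else is a decoder bug */`, would document why silently continuing is acceptable. Note also that the `case 8:` path assigns a 64-bit target with no canonical check — that check is added by the separate eip-canonical patch, whose `-` lines show this version of `assign_eip_near` already present, so the queue order is correct as long as both patches are applied together.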
+++ b/queue-3.14/kvm-x86-improve-thread-safety-in-pit.patch
@@ -0,0 +1,37 @@
+From 2febc839133280d5a5e8e1179c94ea674489dae2 Mon Sep 17 00:00:00 2001
+From: Andy Honig
+Date: Wed, 27 Aug 2014 14:42:54 -0700
+Subject: KVM: x86: Improve thread safety in pit
+
+From: Andy Honig
+
+commit 2febc839133280d5a5e8e1179c94ea674489dae2 upstream.
+
+There's a race condition in the PIT emulation code in KVM. In
+__kvm_migrate_pit_timer the pit_timer object is accessed without
+synchronization. If the race condition occurs at the wrong time this
+can crash the host kernel.
+
+This fixes CVE-2014-3611.
+
+Signed-off-by: Andrew Honig
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/i8254.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/i8254.c
++++ b/arch/x86/kvm/i8254.c
+@@ -262,8 +262,10 @@ void __kvm_migrate_pit_timer(struct kvm_
+ return;
+
+ timer = &pit->pit_state.timer;
++ mutex_lock(&pit->pit_state.lock);
+ if (hrtimer_cancel(timer))
+ hrtimer_start_expires(timer, HRTIMER_MODE_ABS);
++ mutex_unlock(&pit->pit_state.lock);
+ }
+
+ static void destroy_pit_timer(struct kvm_pit *pit)
diff --git a/queue-3.14/kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch b/queue-3.14/kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch
new file mode 100644
index 00000000000..3aa9e72c33d
--- /dev/null
+++ b/queue-3.14/kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch
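Review bot: `mutex_lock(&pit->pit_state.lock)` now brackets `hrtimer_cancel(timer)`, and `hrtimer_cancel` waits for an in-flight callback to finish, so if the PIT hrtimer callback ever takes `pit_state.lock` itself this is a deadlock; the callback is not in the hunk, so verify it does not. Taking a mutex also requires `__kvm_migrate_pit_timer` to be called only from sleepable context, and its caller is outside the hunk as well. A comment above the lock naming which other writers of `pit_state.timer` it serialises against (the message only says "accessed without synchronization") would make the fix reviewable without the CVE text.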
@@ -0,0 +1,86 @@ +From 8b3c3104c3f4f706e99365c3e0d2aa61b95f969f Mon Sep 17 00:00:00 2001 +From: Andy Honig +Date: Wed, 27 Aug 2014 11:16:44 -0700 +Subject: KVM: x86: Prevent host from panicking on shared MSR writes. + +From: Andy Honig + +commit 8b3c3104c3f4f706e99365c3e0d2aa61b95f969f upstream. + +The previous patch blocked invalid writes directly when the MSR +is written. As a precaution, prevent future similar mistakes by +gracefulling handle GPs caused by writes to shared MSRs. + +Signed-off-by: Andrew Honig +[Remove parts obsoleted by Nadav's patch. - Paolo] +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/kvm_host.h | 2 +- + arch/x86/kvm/vmx.c | 7 +++++-- + arch/x86/kvm/x86.c | 11 ++++++++--- + 3 files changed, 14 insertions(+), 6 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1042,7 +1042,7 @@ int kvm_cpu_get_interrupt(struct kvm_vcp + void kvm_vcpu_reset(struct kvm_vcpu *vcpu); + + void kvm_define_shared_msr(unsigned index, u32 msr); +-void kvm_set_shared_msr(unsigned index, u64 val, u64 mask); ++int kvm_set_shared_msr(unsigned index, u64 val, u64 mask); + + bool kvm_is_linear_rip(struct kvm_vcpu *vcpu, unsigned long linear_rip); + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -2582,12 +2582,15 @@ static int vmx_set_msr(struct kvm_vcpu * + default: + msr = find_msr_entry(vmx, msr_index); + if (msr) { ++ u64 old_msr_data = msr->data; + msr->data = data; + if (msr - vmx->guest_msrs < vmx->save_nmsrs) { + preempt_disable(); +- kvm_set_shared_msr(msr->index, msr->data, +- msr->mask); ++ ret = kvm_set_shared_msr(msr->index, msr->data, ++ msr->mask); + preempt_enable(); ++ if (ret) ++ msr->data = old_msr_data; + } + break; + } +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -225,20 +225,25 @@ static void kvm_shared_msr_cpu_online(vo + shared_msr_update(i, shared_msrs_global.msrs[i]); + } + +-void kvm_set_shared_msr(unsigned slot, u64 value, u64 mask) 
++int kvm_set_shared_msr(unsigned slot, u64 value, u64 mask) + { + unsigned int cpu = smp_processor_id(); + struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu); ++ int err; + + if (((value ^ smsr->values[slot].curr) & mask) == 0) +- return; ++ return 0; + smsr->values[slot].curr = value; +- wrmsrl(shared_msrs_global.msrs[slot], value); ++ err = wrmsrl_safe(shared_msrs_global.msrs[slot], value); ++ if (err) ++ return 1; ++ + if (!smsr->registered) { + smsr->urn.on_user_return = kvm_on_user_return; + user_return_notifier_register(&smsr->urn); + smsr->registered = true; + } ++ return 0; + } + EXPORT_SYMBOL_GPL(kvm_set_shared_msr); + diff --git a/queue-3.14/media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch b/queue-3.14/media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch new file mode 100644 index 00000000000..8c1c0a08ec9 --- /dev/null +++ b/queue-3.14/media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch 
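Review bot: In `kvm_set_shared_msr` the cache is updated (`smsr->values[slot].curr = value;`) before `wrmsrl_safe` runs, so after a faulting write `curr` records a value the hardware never accepted; a second write of the same value then hits the `((value ^ smsr->values[slot].curr) & mask) == 0` early return and reports success, and vmx_set_msr keeps `msr->data` equal to the rejected value while the CPU still holds the old one. Update the cache only on success: `err = wrmsrl_safe(shared_msrs_global.msrs[slot], value); if (err) return 1; smsr->values[slot].curr = value;`. The vmx side restoring `old_msr_data` on failure is correct, and the early-return before `user_return_notifier_register` is fine because nothing changed on the CPU.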
@@ -0,0 +1,42 @@ +From 8c5bcded11cb607b1bb5920de3b9c882136d27db Mon Sep 17 00:00:00 2001 +From: Ulrich Eckhardt +Date: Fri, 10 Oct 2014 14:19:12 -0300 +Subject: media: ds3000: fix LNB supply voltage on Tevii S480 on initialization + +From: Ulrich Eckhardt + +commit 8c5bcded11cb607b1bb5920de3b9c882136d27db upstream. + +The Tevii S480 outputs 18V on startup for the LNB supply voltage and does not +automatically power down. This blocks other receivers connected +to a satellite channel router (EN50494), since the receivers can not send the +required DiSEqC sequences when the Tevii card is connected to a the same SCR. + +This patch switches off the LNB supply voltage on initialization of the frontend. + +[mchehab@osg.samsung.com: add a comment about why we're explicitly + turning off voltage at device init] +Signed-off-by: Ulrich Eckhardt +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/dvb-frontends/ds3000.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/media/dvb-frontends/ds3000.c ++++ b/drivers/media/dvb-frontends/ds3000.c +@@ -864,6 +864,13 @@ struct dvb_frontend *ds3000_attach(const + memcpy(&state->frontend.ops, &ds3000_ops, + sizeof(struct dvb_frontend_ops)); + state->frontend.demodulator_priv = state; ++ ++ /* ++ * Some devices like T480 starts with voltage on. Be sure ++ * to turn voltage off during init, as this can otherwise ++ * interfere with Unicable SCR systems. ++ */ ++ ds3000_set_voltage(&state->frontend, SEC_VOLTAGE_OFF); + return &state->frontend; + + error3: diff --git a/queue-3.14/media-em28xx-check-if-a-device-has-audio-earlier.patch b/queue-3.14/media-em28xx-check-if-a-device-has-audio-earlier.patch new file mode 100644 index 00000000000..64d694359e1 --- /dev/null +++ b/queue-3.14/media-em28xx-check-if-a-device-has-audio-earlier.patch 
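Review bot: The return value of `ds3000_set_voltage(&state->frontend, SEC_VOLTAGE_OFF)` is dropped, so an I2C failure at attach leaves the LNB supply on — the very state the patch exists to avoid — with nothing in the log. The call is correctly placed after `state->frontend.demodulator_priv = state;`, so the only change needed is to report a failure, e.g. `if (ds3000_set_voltage(&state->frontend, SEC_VOLTAGE_OFF)) printk(KERN_WARNING "ds3000: failed to turn LNB voltage off at init\n");` (adapt to the driver's own logging helper, which is not visible in the hunk). The rest of ds3000_attach, including the `error3:` path, is outside the hunk.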
@@ -0,0 +1,99 @@ +From fb91bde9d3664dd879655f3a1013c0b5728e7a09 Mon Sep 17 00:00:00 2001 +From: Frank Schaefer +Date: Fri, 27 Dec 2013 00:16:13 -0300 +Subject: media: em28xx: check if a device has audio earlier" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Frank Schaefer + +commit fb91bde9d3664dd879655f3a1013c0b5728e7a09 upstream. + +GIT_AUTHOR_DATE=1409603039 +This reverts + +commit b99f0aadd33fad269c8e62b5bec8b5c012a44a56 +Author: Mauro Carvalho Chehab + + [media] em28xx: check if a device has audio earlier + + Better to split chipset detection from the audio setup. So, move the + detection code to em28xx_init_dev(). + +It broke analog audio of the Hauppauge winTV HVR 900 and very likely many other +em28xx devices. + +Background: +The local variable has_audio in em28xx_usb_probe() describes if the currently +probed _usb_interface_ has an audio endpoint, while dev->audio_mode.has_audio +means that the _device_ as a whole provides analog audio. +Hence it is wrong to set dev->audio_mode.has_audio = has_audio in em28xx_usb_probe(). +As result, audio support is no longer detected and configured on devices which +have the audio endpoint on a separate interface, because em28xx_audio_setup() +bails out immediately at the beginning. + +Revert the faulty commit to restore the old audio detection procedure, which checks +the chip configuration register to determine if the device has analog audio. 
+ +Cc: # 3.14 to 3.16 +Reported-by: Oravecz Csaba +Tested-by: Oravecz Csaba +Signed-off-by: Frank Schäfer +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/em28xx/em28xx-cards.c | 11 ----------- + drivers/media/usb/em28xx/em28xx-core.c | 12 +++++++++++- + 2 files changed, 11 insertions(+), 12 deletions(-) + +--- a/drivers/media/usb/em28xx/em28xx-cards.c ++++ b/drivers/media/usb/em28xx/em28xx-cards.c +@@ -2993,16 +2993,6 @@ static int em28xx_init_dev(struct em28xx + } + } + +- if (dev->chip_id == CHIP_ID_EM2870 || +- dev->chip_id == CHIP_ID_EM2874 || +- dev->chip_id == CHIP_ID_EM28174 || +- dev->chip_id == CHIP_ID_EM28178) { +- /* Digital only device - don't load any alsa module */ +- dev->audio_mode.has_audio = false; +- dev->has_audio_class = false; +- dev->has_alsa_audio = false; +- } +- + if (chip_name != default_chip_name) + printk(KERN_INFO DRIVER_NAME + ": chip ID is %s\n", chip_name); +@@ -3272,7 +3262,6 @@ static int em28xx_usb_probe(struct usb_i + dev->alt = -1; + dev->is_audio_only = has_audio && !(has_video || has_dvb); + dev->has_alsa_audio = has_audio; +- dev->audio_mode.has_audio = has_audio; + dev->has_video = has_video; + dev->ifnum = ifnum; + +--- a/drivers/media/usb/em28xx/em28xx-core.c ++++ b/drivers/media/usb/em28xx/em28xx-core.c +@@ -506,8 +506,18 @@ int em28xx_audio_setup(struct em28xx *de + int vid1, vid2, feat, cfg; + u32 vid; + +- if (!dev->audio_mode.has_audio) ++ if (dev->chip_id == CHIP_ID_EM2870 || ++ dev->chip_id == CHIP_ID_EM2874 || ++ dev->chip_id == CHIP_ID_EM28174 || ++ dev->chip_id == CHIP_ID_EM28178) { ++ /* Digital only device - don't load any alsa module */ ++ dev->audio_mode.has_audio = false; ++ dev->has_audio_class = false; ++ dev->has_alsa_audio = false; + return 0; ++ } ++ ++ dev->audio_mode.has_audio = true; + + /* See how this device is configured */ + cfg = em28xx_read_reg(dev, EM28XX_R00_CHIPCFG); 
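Review bot: The distinction this revert depends on — `has_audio` in em28xx_usb_probe describes the probed USB interface, while `dev->audio_mode.has_audio` describes the device — lives only in the commit message, which is how the reverted change got in; put it next to the code so it survives the next refactor. Suggest `/* per-interface: whether this USB interface has an audio endpoint */` above `dev->has_alsa_audio = has_audio;` in em28xx_usb_probe, and `/* per-device: set here, presumably refined from EM28XX_R00_CHIPCFG below */` at the new `dev->audio_mode.has_audio = true;` in em28xx_audio_setup. Both functions continue outside the hunk.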
diff --git a/queue-3.14/media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch b/queue-3.14/media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch new file mode 100644 index 00000000000..dee4587a601 --- /dev/null +++ b/queue-3.14/media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch 
@@ -0,0 +1,102 @@ +From 627530c32a43283474e9dd3e954519410ffa033a Mon Sep 17 00:00:00 2001 +From: Frank Schaefer +Date: Sat, 9 Aug 2014 06:37:20 -0300 +Subject: media: em28xx-v4l: give back all active video buffers to the vb2 core properly on streaming stop +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Frank Schaefer + +commit 627530c32a43283474e9dd3e954519410ffa033a upstream. + +When a new video frame is started, the driver takes the next video buffer from +the list of active buffers and moves it to dev->usb_ctl.vid_buf / dev->usb_ctl.vbi_buf +for further processing. + +On streaming stop we currently only give back the pending buffers from the list +but not the ones which are currently processed. + +This causes the following warning from the vb2 core since kernel 3.15: + +... + ------------[ cut here ]------------ + WARNING: CPU: 1 PID: 2284 at drivers/media/v4l2-core/videobuf2-core.c:2115 __vb2_queue_cancel+0xed/0x150 [videobuf2_core]() + [...] + Call Trace: + [] dump_stack+0x48/0x69 + [] warn_slowpath_common+0x79/0x90 + [] ? __vb2_queue_cancel+0xed/0x150 [videobuf2_core] + [] ? __vb2_queue_cancel+0xed/0x150 [videobuf2_core] + [] warn_slowpath_null+0x1d/0x20 + [] __vb2_queue_cancel+0xed/0x150 [videobuf2_core] + [] vb2_internal_streamoff+0x35/0x90 [videobuf2_core] + [] vb2_streamoff+0x35/0x60 [videobuf2_core] + [] vb2_ioctl_streamoff+0x37/0x40 [videobuf2_core] + [] v4l_streamoff+0x15/0x20 [videodev] + [] __video_do_ioctl+0x23d/0x2d0 [videodev] + [] ? video_ioctl2+0x20/0x20 [videodev] + [] video_usercopy+0x203/0x5a0 [videodev] + [] ? video_ioctl2+0x20/0x20 [videodev] + [] ? fsnotify+0x1e7/0x2b0 + [] video_ioctl2+0x12/0x20 [videodev] + [] ? video_ioctl2+0x20/0x20 [videodev] + [] v4l2_ioctl+0xee/0x130 [videodev] + [] ? v4l2_open+0xf0/0xf0 [videodev] + [] do_vfs_ioctl+0x2e2/0x4d0 + [] ? vfs_write+0x13c/0x1c0 + [] ? 
vfs_writev+0x2f/0x50 + [] SyS_ioctl+0x58/0x80 + [] sysenter_do_call+0x12/0x12 + ---[ end trace 5545f934409f13f4 ]--- +... + +Many thanks to Hans Verkuil, whose recently added check in the vb2 core unveiled +this long standing issue and who has investigated it further. + +Signed-off-by: Frank Schäfer +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/em28xx/em28xx-video.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/media/usb/em28xx/em28xx-video.c ++++ b/drivers/media/usb/em28xx/em28xx-video.c +@@ -953,13 +953,16 @@ static int em28xx_stop_streaming(struct + } + + spin_lock_irqsave(&dev->slock, flags); ++ if (dev->usb_ctl.vid_buf != NULL) { ++ vb2_buffer_done(&dev->usb_ctl.vid_buf->vb, VB2_BUF_STATE_ERROR); ++ dev->usb_ctl.vid_buf = NULL; ++ } + while (!list_empty(&vidq->active)) { + struct em28xx_buffer *buf; + buf = list_entry(vidq->active.next, struct em28xx_buffer, list); + list_del(&buf->list); + vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR); + } +- dev->usb_ctl.vid_buf = NULL; + spin_unlock_irqrestore(&dev->slock, flags); + + return 0; +@@ -981,13 +984,16 @@ int em28xx_stop_vbi_streaming(struct vb2 + } + + spin_lock_irqsave(&dev->slock, flags); ++ if (dev->usb_ctl.vbi_buf != NULL) { ++ vb2_buffer_done(&dev->usb_ctl.vbi_buf->vb, VB2_BUF_STATE_ERROR); ++ dev->usb_ctl.vbi_buf = NULL; ++ } + while (!list_empty(&vbiq->active)) { + struct em28xx_buffer *buf; + buf = list_entry(vbiq->active.next, struct em28xx_buffer, list); + list_del(&buf->list); + vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR); + } +- dev->usb_ctl.vbi_buf = NULL; + spin_unlock_irqrestore(&dev->slock, flags); + + return 0; diff --git a/queue-3.14/media-m88ts2022-fix-32bit-overflow-on-filter-calc.patch b/queue-3.14/media-m88ts2022-fix-32bit-overflow-on-filter-calc.patch new file mode 100644 index 00000000000..933282830c4 --- /dev/null +++ b/queue-3.14/media-m88ts2022-fix-32bit-overflow-on-filter-calc.patch 
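Review bot: Returning `dev->usb_ctl.vid_buf` (and `vbi_buf`) to vb2 under `dev->slock` is only safe if the URB completion path that assigns and fills those fields is already stopped at this point or takes the same spinlock; the URB teardown is earlier in em28xx_stop_streaming, outside the hunk, so confirm that ordering rather than rely on the lock alone. The two new blocks differ only in the field name; a small static helper such as `em28xx_return_buf(struct em28xx_buffer **buf)` doing the NULL check, `vb2_buffer_done(&(*buf)->vb, VB2_BUF_STATE_ERROR)` and the reset would keep the video and VBI paths from drifting apart. Both functions begin before the hunk.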
@@ -0,0 +1,38 @@
+From f538e085138e519e25ae0828bd6c6e7492ce8ca4 Mon Sep 17 00:00:00 2001
+From: Antti Palosaari
+Date: Thu, 21 Aug 2014 14:02:27 -0300
+Subject: media: m88ts2022: fix 32bit overflow on filter calc
+
+From: Antti Palosaari
+
+commit f538e085138e519e25ae0828bd6c6e7492ce8ca4 upstream.
+
+Maximum satellite symbol rate used is 45000000Sps which overflows
+when multiplied by 135. As final calculation result is fraction,
+we could use mult_frac macro in order to keep calculation inside
+32 bit number limits and prevent overflow.
+
+Original bug and fix was provided by Nibble Max. I decided to
+implement it differently as it is now.
+
+Reported-by: Nibble Max
+Tested-by: Nibble Max
+Signed-off-by: Antti Palosaari
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/tuners/m88ts2022.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/tuners/m88ts2022.c
++++ b/drivers/media/tuners/m88ts2022.c
+@@ -314,7 +314,7 @@ static int m88ts2022_set_params(struct d
+ div_min = gdiv28 * 78 / 100;
+ div_max = clamp_val(div_max, 0U, 63U);
+
+- f_3db_hz = c->symbol_rate * 135UL / 200UL;
++ f_3db_hz = mult_frac(c->symbol_rate, 135, 200);
+ f_3db_hz += 2000000U + (frequency_offset_khz * 1000U);
+ f_3db_hz = clamp(f_3db_hz, 7000000U, 40000000U);
+
diff --git a/queue-3.14/media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch b/queue-3.14/media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch
new file mode 100644
index 00000000000..5e2c21f4789
--- /dev/null
+++ b/queue-3.14/media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch
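Review bot: `mult_frac(c->symbol_rate, 135, 200)` removes the 45 000 000 × 135 wrap (about 6.1e9, above UINT_MAX) by splitting into quotient and remainder, but the following line, `f_3db_hz += 2000000U + (frequency_offset_khz * 1000U);`, is still plain 32-bit arithmetic and the `clamp(f_3db_hz, 7000000U, 40000000U)` after it cannot repair an already-wrapped sum; this is fine only while `frequency_offset_khz` is small, which the hunk does not show, so a comment stating its expected range would help. `mult_frac` is a macro that presumably evaluates its first argument more than once; `c->symbol_rate` is a plain field read so that is harmless here, but worth keeping in mind if the expression is ever changed. m88ts2022_set_params continues outside the hunk.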
@@ -0,0 +1,32 @@
+From 91ba0e59babdb3c7aca836a65f1095b3eaff7b06 Mon Sep 17 00:00:00 2001
+From: Axel Lin
+Date: Fri, 8 Aug 2014 10:32:56 -0300
+Subject: media: tda7432: Fix setting TDA7432_MUTE bit for TDA7432_RF register
+
+From: Axel Lin
+
+commit 91ba0e59babdb3c7aca836a65f1095b3eaff7b06 upstream.
+
+Fix a copy-paste bug when converting to the control framework.
+
+Fixes: commit 5d478e0de871 ("[media] tda7432: convert to the control framework")
+
+Signed-off-by: Axel Lin
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/i2c/tda7432.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/tda7432.c
++++ b/drivers/media/i2c/tda7432.c
+@@ -293,7 +293,7 @@ static int tda7432_s_ctrl(struct v4l2_ct
+ if (t->mute->val) {
+ lf |= TDA7432_MUTE;
+ lr |= TDA7432_MUTE;
+- lf |= TDA7432_MUTE;
++ rf |= TDA7432_MUTE;
+ rr |= TDA7432_MUTE;
+ }
+ /* Mute & update balance*/
diff --git a/queue-3.14/media-usb-uvc-add-a-quirk-for-dell-xps-m1330-webcam.patch b/queue-3.14/media-usb-uvc-add-a-quirk-for-dell-xps-m1330-webcam.patch
new file mode 100644
index 00000000000..5ddb3fcb084
--- /dev/null
+++ b/queue-3.14/media-usb-uvc-add-a-quirk-for-dell-xps-m1330-webcam.patch
@@ -0,0 +1,42 @@ +From 62ea864f84fed6e04dd033d500d4c9183a83d590 Mon Sep 17 00:00:00 2001 +From: Paul Fertser +Date: Sun, 8 Jun 2014 12:16:48 -0300 +Subject: media: usb: uvc: add a quirk for Dell XPS M1330 webcam + +From: Paul Fertser + +commit 62ea864f84fed6e04dd033d500d4c9183a83d590 upstream. + +As reported on [1], this device needs this quirk to be able to +reliably initialise the webcam. + +[1] http://ubuntuforums.org/showthread.php?t=2145996 + +Cc: stable@vger.kernel.org +Signed-off-by: Paul Fertser +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/uvc/uvc_driver.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -2210,6 +2210,15 @@ static struct usb_device_id uvc_ids[] = + .bInterfaceSubClass = 1, + .bInterfaceProtocol = 0, + .driver_info = UVC_QUIRK_PROBE_DEF }, ++ /* Dell XPS M1330 (OmniVision OV7670 webcam) */ ++ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE ++ | USB_DEVICE_ID_MATCH_INT_INFO, ++ .idVendor = 0x05a9, ++ .idProduct = 0x7670, ++ .bInterfaceClass = USB_CLASS_VIDEO, ++ .bInterfaceSubClass = 1, ++ .bInterfaceProtocol = 0, ++ .driver_info = UVC_QUIRK_PROBE_DEF }, + /* Apple Built-In iSight */ + { .match_flags = USB_DEVICE_ID_MATCH_DEVICE + | USB_DEVICE_ID_MATCH_INT_INFO, diff --git a/queue-3.14/media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch b/queue-3.14/media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch new file mode 100644 index 00000000000..00e8770cab7 --- /dev/null +++ b/queue-3.14/media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch 
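Review bot: The new table entry matches on `.idVendor = 0x05a9, .idProduct = 0x7670` plus the video interface class only, so `UVC_QUIRK_PROBE_DEF` will apply to every OmniVision OV7670-based UVC device, not just the Dell XPS M1330 the comment names; if that breadth is intended the comment should say so, e.g. `/* OmniVision OV7670 (e.g. Dell XPS M1330 webcam) */`. The forum thread is the only evidence given; a short note in the comment on what failed without the quirk would help whoever bisects a regression on a different OV7670 device.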
@@ -0,0 +1,67 @@ +From 3bacc10cd4a85bc70bc0b6c001d3bf995c7fe04c Mon Sep 17 00:00:00 2001 +From: Maciej Matraszek +Date: Mon, 15 Sep 2014 05:14:48 -0300 +Subject: media: v4l2-common: fix overflow in v4l_bound_align_image() + +From: Maciej Matraszek + +commit 3bacc10cd4a85bc70bc0b6c001d3bf995c7fe04c upstream. + +Fix clamp_align() used in v4l_bound_align_image() to prevent overflow +when passed large value like UINT32_MAX. + + In the current implementation: + clamp_align(UINT32_MAX, 8, 8192, 3) + +returns 8, because in line: + + x = (x + (1 << (align - 1))) & mask; + +x overflows to (-1 + 4) & 0x7 = 3, while expected value is 8192. + +v4l_bound_align_image() is heavily used in VIDIOC_S_FMT and +VIDIOC_SUBDEV_S_FMT ioctls handlers, and documentation of the latter +explicitly states that: + +"The modified format should be as close as possible to the original +request." + -- http://linuxtv.org/downloads/v4l-dvb-apis/vidioc-subdev-g-fmt.html + +Thus one would expect, that passing UINT32_MAX as format width and +height will result in setting maximum possible resolution for the +device. Particularly, when the driver doesn't support +VIDIOC_ENUM_FRAMESIZES ioctl, which is common in the codebase. 
+ +Fixes changeset: b0d3159be9a3 + +Signed-off-by: Maciej Matraszek +Acked-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/v4l2-common.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-common.c ++++ b/drivers/media/v4l2-core/v4l2-common.c +@@ -431,16 +431,13 @@ static unsigned int clamp_align(unsigned + /* Bits that must be zero to be aligned */ + unsigned int mask = ~((1 << align) - 1); + ++ /* Clamp to aligned min and max */ ++ x = clamp(x, (min + ~mask) & mask, max & mask); ++ + /* Round to nearest aligned value */ + if (align) + x = (x + (1 << (align - 1))) & mask; + +- /* Clamp to aligned value of min and max */ +- if (x < min) +- x = (min + ~mask) & mask; +- else if (x > max) +- x = max & mask; +- + return x; + } + diff --git a/queue-3.14/mips-ftrace-fix-a-micromips-build-problem.patch b/queue-3.14/mips-ftrace-fix-a-micromips-build-problem.patch new file mode 100644 index 00000000000..9aae5d4f9db --- /dev/null +++ b/queue-3.14/mips-ftrace-fix-a-micromips-build-problem.patch 
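Review bot: The reordered `clamp_align` now clamps to `(min + ~mask) & mask` and `max & mask` before rounding, which removes the UINT32_MAX wrap in the round step (after clamping, `x + (1 << (align - 1))` cannot exceed 2^32 because `max & mask` is at most 2^32 - 2^align). Two edge cases stay undocumented: `(min + ~mask)` itself wraps when `min` is within 2^align of UINT_MAX, and when the aligned min ends up above the aligned max (min and max inside one alignment window) the `clamp` bounds cross and the result is whatever the macro does with lo > hi. Both are caller-contract issues rather than defects in the change; a comment such as `/* callers must pass min <= max with at least one aligned value in [min, max] */` would pin that down. v4l_bound_align_image, the caller, is outside the hunk.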
@@ -0,0 +1,52 @@
+From aedd153f5bb5b1f1d6d9142014f521ae2ec294cc Mon Sep 17 00:00:00 2001
+From: Markos Chandras
+Date: Mon, 20 Oct 2014 09:39:31 +0100
+Subject: MIPS: ftrace: Fix a microMIPS build problem
+
+From: Markos Chandras
+
+commit aedd153f5bb5b1f1d6d9142014f521ae2ec294cc upstream.
+
+Code before the .fixup section needs to have the .insn directive.
+This has no side effects on MIPS32/64 but it affects the way microMIPS
+loads the address for the return label.
+
+Fixes the following build problem:
+mips-linux-gnu-ld: arch/mips/built-in.o: .fixup+0x4a0: Unsupported jump between
+ISA modes; consider recompiling with interlinking enabled.
+mips-linux-gnu-ld: final link failed: Bad value
+Makefile:819: recipe for target 'vmlinux' failed
+
+The fix is similar to 1658f914ff91c3bf ("MIPS: microMIPS:
+Disable LL/SC and fix linker bug.")
+
+Signed-off-by: Markos Chandras
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/8117/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/include/asm/ftrace.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/include/asm/ftrace.h
++++ b/arch/mips/include/asm/ftrace.h
+@@ -24,7 +24,7 @@ do { \
+ asm volatile ( \
+ "1: " load " %[tmp_dst], 0(%[tmp_src])\n" \
+ " li %[tmp_err], 0\n" \
+- "2:\n" \
++ "2: .insn\n" \
+ \
+ ".section .fixup, \"ax\"\n" \
+ "3: li %[tmp_err], 1\n" \
+@@ -46,7 +46,7 @@ do { \
+ asm volatile ( \
+ "1: " store " %[tmp_src], 0(%[tmp_dst])\n"\
+ " li %[tmp_err], 0\n" \
+- "2:\n" \
++ "2: .insn\n" \
+ \
+ ".section .fixup, \"ax\"\n" \
+ "3: li %[tmp_err], 1\n" \
diff --git a/queue-3.14/mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch b/queue-3.14/mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch
new file mode 100644
index 00000000000..78f0aee6060
--- /dev/null
+++ b/queue-3.14/mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch
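Review bot: The added `.insn` after label 2 has no effect on MIPS32/64 and, read in isolation, looks like a stray directive, so a later cleanup of these asm strings could drop it and silently reintroduce the microMIPS "Unsupported jump between ISA modes" link failure the commit message quotes. A short comment on the `"2: .insn\n"` line in both the load and store macros, e.g. `/* .insn: label 2 must be treated as code so the fixup's return branch keeps the microMIPS ISA mode */`, would keep the reason next to the code instead of only in the changelog. Both `do { \` macro bodies begin and end outside the hunks.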
@@ -0,0 +1,90 @@
+From 9e0f162a36914937a937358fcb45e0609ef2bfc4 Mon Sep 17 00:00:00 2001
+From: David Daney
+Date: Mon, 20 Oct 2014 15:34:23 -0700
+Subject: MIPS: tlbex: Properly fix HUGE TLB Refill exception handler
+
+From: David Daney
+
+commit 9e0f162a36914937a937358fcb45e0609ef2bfc4 upstream.
+
+In commit 8393c524a25609 (MIPS: tlbex: Fix a missing statement for
+HUGETLB), the TLB Refill handler was fixed so that non-OCTEON targets
+would work properly with huge pages. The change was incorrect in that
+it broke the OCTEON case.
+
+The problem is shown here:
+
+ xxx0: df7a0000 ld k0,0(k1)
+ .
+ .
+ .
+ xxxc0: df610000 ld at,0(k1)
+ xxxc4: 335a0ff0 andi k0,k0,0xff0
+ xxxc8: e825ffcd bbit1 at,0x5,0x0
+ xxxcc: 003ad82d daddu k1,at,k0
+ .
+ .
+ .
+
+In the non-octeon case there is a destructive test for the huge PTE
+bit, and then at 0, $k0 is reloaded (that is what the 8393c524a25609
+patch added).
+
+In the octeon case, we modify k1 in the branch delay slot, but we
+never need k0 again, so the new load is not needed, but since k1 is
+modified, if we do the load, we load from a garbage location and then
+get a nested TLB Refill, which is seen in userspace as either SIGBUS
+or SIGSEGV (depending on the garbage).
+
+The real fix is to only do this reloading if it is needed, and never
+where it is harmful.
+
+Signed-off-by: David Daney
+Cc: Huacai Chen
+Cc: Fuxin Zhang
+Cc: Zhangjin Wu
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/8151/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/mm/tlbex.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/mm/tlbex.c
++++ b/arch/mips/mm/tlbex.c
+@@ -1057,6 +1057,7 @@ static void build_update_entries(u32 **p
+ struct mips_huge_tlb_info {
+ int huge_pte;
+ int restore_scratch;
++ bool need_reload_pte;
+ };
+
+ static struct mips_huge_tlb_info
+@@ -1071,6 +1072,7 @@ build_fast_tlb_refill_handler (u32 **p,
+
+ rv.huge_pte = scratch;
+ rv.restore_scratch = 0;
++ rv.need_reload_pte = false;
+
+ if (check_for_high_segbits) {
+ UASM_i_MFC0(p, tmp, C0_BADVADDR);
+@@ -1259,6 +1261,7 @@ static void build_r4000_tlb_refill_handl
+ } else {
+ htlb_info.huge_pte = K0;
+ htlb_info.restore_scratch = 0;
++ htlb_info.need_reload_pte = true;
+ vmalloc_mode = refill_noscratch;
+ /*
+ * create the plain linear handler
+@@ -1295,7 +1298,8 @@ static void build_r4000_tlb_refill_handl
+ }
+ #ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT
+ uasm_l_tlb_huge_update(&l, p);
+- UASM_i_LW(&p, K0, 0, K1);
++ if (htlb_info.need_reload_pte)
++ UASM_i_LW(&p, htlb_info.huge_pte, 0, K1);
+ build_huge_update_entries(&p, htlb_info.huge_pte, K1);
+ build_huge_tlb_write_entry(&p, &l, &r, K0, tlb_random,
+ htlb_info.restore_scratch);
diff --git a/queue-3.14/qla_target-don-t-delete-changed-nacls.patch b/queue-3.14/qla_target-don-t-delete-changed-nacls.patch
new file mode 100644
index 00000000000..a6cba4849aa
--- /dev/null
+++ b/queue-3.14/qla_target-don-t-delete-changed-nacls.patch
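Review bot: The new `need_reload_pte` field carries the whole correctness argument of this fix (reloading the PTE is required on the non-scratch path but reads garbage after K1 was modified on the scratch-register path) yet the struct definition in the first hunk says nothing about it, so the next reader sees only a bare `bool` and a conditional `UASM_i_LW` at `uasm_l_tlb_huge_update`. A field comment such as `bool need_reload_pte; /* the huge-PTE test clobbered huge_pte; reload it from 0(K1) before the update. Must stay false for the scratch-register handler, where K1 no longer points at the PTE */` would record that invariant where the flag is declared. The reload target also changed from the literal K0 to `htlb_info.huge_pte`; on the visible else-path they are the same register, but a comment noting that equivalence would help if a third handler variant is added. build_fast_tlb_refill_handler and build_r4000_tlb_refill_handler both begin and end outside the hunks.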
@@ -0,0 +1,42 @@
+From f4c24db1b7ad0ce84409e15744d26c6f86a96840 Mon Sep 17 00:00:00 2001
+From: Joern Engel
+Date: Fri, 3 Oct 2014 14:35:56 -0700
+Subject: qla_target: don't delete changed nacls
+
+From: Joern Engel
+
+commit f4c24db1b7ad0ce84409e15744d26c6f86a96840 upstream.
+
+The code is currently riddled with "drop the hardware_lock to avoid a
+deadlock" bugs that expose races. One of those races seems to expose a
+valid warning in tcm_qla2xxx_clear_nacl_from_fcport_map. Add some
+bandaid to it.
+
+Signed-off-by: Joern Engel
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/tcm_qla2xxx.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+@@ -707,7 +707,16 @@ static void tcm_qla2xxx_clear_nacl_from_
+ pr_debug("fc_rport domain: port_id 0x%06x\n", nacl->nport_id);
+
+ node = btree_remove32(&lport->lport_fcport_map, nacl->nport_id);
+- WARN_ON(node && (node != se_nacl));
++ if (WARN_ON(node && (node != se_nacl))) {
++ /*
++ * The nacl no longer matches what we think it should be.
++ * Most likely a new dynamic acl has been added while
++ * someone dropped the hardware lock. It clearly is a
++ * bug elsewhere, but this bit can't make things worse.
++ */
++ btree_insert32(&lport->lport_fcport_map, nacl->nport_id,
++ node, GFP_ATOMIC);
++ }
+
+ pr_debug("Removed from fcport_map: %p for WWNN: 0x%016LX, port_id: 0x%06x\n",
+ se_nacl, nacl->nport_wwnn, nacl->nport_id);
diff --git a/queue-3.14/series b/queue-3.14/series
index dbafa601e04..d70b9dffe56 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
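Review bot: The re-insert `btree_insert32(&lport->lport_fcport_map, nacl->nport_id, node, GFP_ATOMIC);` ignores its return value, and an atomic allocation failure is a realistic outcome there, in which case the foreign `node` is silently dropped from the map — exactly the outcome the comment above it promises cannot happen ("this bit can't make things worse"). Checking the result and reporting it, `if (btree_insert32(&lport->lport_fcport_map, nacl->nport_id, node, GFP_ATOMIC))` followed by a `pr_warn()` naming the port_id, would at least make the lost mapping visible in the log. The unconditional `pr_debug("Removed from fcport_map: ...")` that follows is also misleading on the mismatch path, since the entry was put back; it belongs on the non-mismatch path or should say the entry was restored. tcm_qla2xxx_clear_nacl_from_fcport_map begins and ends outside the hunk, so the locking context of the remove/insert pair cannot be confirmed here.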
@@ -68,3 +68,28 @@ drm-vmwgfx-fix-drm.h-include.patch
 drm-tilcdc-fix-the-error-path-in-tilcdc_load.patch
 drm-i915-don-t-warn-if-backlight-unexpectedly-enabled.patch
 drm-nouveau-bios-memset-dcb-struct-to-zero-before-parsing.patch
+media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch
+media-usb-uvc-add-a-quirk-for-dell-xps-m1330-webcam.patch
+media-em28xx-check-if-a-device-has-audio-earlier.patch
+media-m88ts2022-fix-32bit-overflow-on-filter-calc.patch
+media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch
+media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch
+media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch
+kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch
+kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch
+kvm-x86-improve-thread-safety-in-pit.patch
+kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch
+kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch
+kvm-x86-fix-wrong-masking-on-relative-jump-call.patch
+kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch
+kvm-vmx-handle-invvpid-vm-exit-gracefully.patch
+arc-allow-headless-models-to-boot.patch
+arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch
+arc-general-fixes.patch
+arc-fix-mmuv2-warning.patch
+arc-disable-caches-in-early-boot-if-so-configured.patch
+qla_target-don-t-delete-changed-nacls.patch
+target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch
+target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch
+mips-ftrace-fix-a-micromips-build-problem.patch
+mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch
diff --git a/queue-3.14/target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch b/queue-3.14/target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch
new file mode 100644
index 00000000000..b32cd5155da
--- /dev/null
+++ b/queue-3.14/target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch 
@@ -0,0 +1,93 @@
+From e24805637d2d270d7975502e9024d473de86afdb Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Sat, 4 Oct 2014 04:23:15 +0000
+Subject: target: Fix APTPL metadata handling for dynamic MappedLUNs
+
+From: Nicholas Bellinger
+
+commit e24805637d2d270d7975502e9024d473de86afdb upstream.
+
+This patch fixes a bug in handling of SPC-3 PR Activate Persistence
+across Target Power Loss (APTPL) logic where re-creation of state for
+MappedLUNs from dynamically generated NodeACLs did not occur during
+I_T Nexus establishment.
+
+It adds the missing core_scsi3_check_aptpl_registration() call during
+core_tpg_check_initiator_node_acl() -> core_tpg_add_node_to_devs() in
+order to replay any pre-loaded APTPL metadata state associated with
+the newly connected SCSI Initiator Port.
+
+Cc: Mike Christie
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_device.c | 3 ++-
+ drivers/target/target_core_pr.c | 6 +++---
+ drivers/target/target_core_pr.h | 2 +-
+ drivers/target/target_core_tpg.c | 8 ++++++++
+ 4 files changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -1409,7 +1409,8 @@ int core_dev_add_initiator_node_lun_acl(
+ * Check to see if there are any existing persistent reservation APTPL
+ * pre-registrations that need to be enabled for this LUN ACL..
+ */
+- core_scsi3_check_aptpl_registration(lun->lun_se_dev, tpg, lun, lacl);
++ core_scsi3_check_aptpl_registration(lun->lun_se_dev, tpg, lun, nacl,
++ lacl->mapped_lun);
+ return 0;
+ }
+
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -944,10 +944,10 @@ int core_scsi3_check_aptpl_registration(
+ struct se_device *dev,
+ struct se_portal_group *tpg,
+ struct se_lun *lun,
+- struct se_lun_acl *lun_acl)
++ struct se_node_acl *nacl,
++ u32 mapped_lun)
+ {
+- struct se_node_acl *nacl = lun_acl->se_lun_nacl;
+- struct se_dev_entry *deve = nacl->device_list[lun_acl->mapped_lun];
++ struct se_dev_entry *deve = nacl->device_list[mapped_lun];
+
+ if (dev->dev_reservation_flags & DRF_SPC2_RESERVATIONS)
+ return 0;
+--- a/drivers/target/target_core_pr.h
++++ b/drivers/target/target_core_pr.h
+@@ -60,7 +60,7 @@ extern int core_scsi3_alloc_aptpl_regist
+ unsigned char *, u16, u32, int, int, u8);
+ extern int core_scsi3_check_aptpl_registration(struct se_device *,
+ struct se_portal_group *, struct se_lun *,
+- struct se_lun_acl *);
++ struct se_node_acl *, u32);
+ extern void core_scsi3_free_pr_reg_from_nacl(struct se_device *,
+ struct se_node_acl *);
+ extern void core_scsi3_free_all_registrations(struct se_device *);
+--- a/drivers/target/target_core_tpg.c
++++ b/drivers/target/target_core_tpg.c
+@@ -40,6 +40,7 @@
+ #include
+
+ #include "target_core_internal.h"
++#include "target_core_pr.h"
+
+ extern struct se_device *g_lun0_dev;
+
+@@ -166,6 +167,13 @@ void core_tpg_add_node_to_devs(
+
+ core_enable_device_list_for_node(lun, NULL, lun->unpacked_lun,
+ lun_access, acl, tpg);
++ /*
++ * Check to see if there are any existing persistent reservation
++ * APTPL pre-registrations that need to be enabled for this dynamic
++ * LUN ACL now..
++ */
++ core_scsi3_check_aptpl_registration(dev, tpg, lun, acl,
++ lun->unpacked_lun);
+ spin_lock(&tpg->tpg_lun_lock);
+ }
+ spin_unlock(&tpg->tpg_lun_lock);
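Review bot: In the target_core_tpg.c hunk the new call `core_scsi3_check_aptpl_registration(dev, tpg, lun, acl, lun->unpacked_lun);` discards the function's int return (the existing call in core_dev_add_initiator_node_lun_acl does the same), so a failure to replay an APTPL registration for a dynamic MappedLUN leaves the initiator connected with its persistent-reservation state silently absent — the same class of lost state this patch sets out to fix; at minimum a `pr_err()`-style message on a non-zero return would make it observable. The re-typed function in target_core_pr.c now indexes `nacl->device_list[mapped_lun]` directly with whatever the caller passes, and the tpg path hands it `lun->unpacked_lun` from the tpg LUN loop rather than a mapped_lun validated at LUN-ACL creation; presumably both index the same fixed-size table, but the prototype in target_core_pr.h should carry a comment stating that `mapped_lun` is used as an unchecked array index. core_tpg_add_node_to_devs begins outside the hunk, so the locking around the new call (it sits between `core_enable_device_list_for_node` and the re-taken `tpg_lun_lock`) cannot be fully confirmed here.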
diff --git a/queue-3.14/target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch b/queue-3.14/target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch
new file mode 100644
index 00000000000..ab4724b9f44
--- /dev/null
+++ b/queue-3.14/target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch
@@ -0,0 +1,45 @@
+From 082f58ac4a48d3f5cb4597232cb2ac6823a96f43 Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Thu, 25 Sep 2014 06:22:28 -0400
+Subject: target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE
+
+From: Quinn Tran
+
+commit 082f58ac4a48d3f5cb4597232cb2ac6823a96f43 upstream.
+
+During temporary resource starvation at lower transport layer, command
+is placed on queue full retry path, which expose this problem. The TCM
+queue full handling of SCF_TRANSPORT_TASK_SENSE currently sends the same
+cmd twice to lower layer. The 1st time led to cmd normal free path.
+The 2nd time cause Null pointer access.
+
+This regression bug was originally introduced v3.1-rc code in the
+following commit:
+
+commit e057f53308a5f071556ee80586b99ee755bf07f5
+Author: Christoph Hellwig
+Date: Mon Oct 17 13:56:41 2011 -0400
+
+ target: remove the transport_qf_callback se_cmd callback
+
+Signed-off-by: Quinn Tran
+Signed-off-by: Saurav Kashyap
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_transport.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1855,8 +1855,7 @@ static void transport_complete_qf(struct
+ if (cmd->se_cmd_flags & SCF_TRANSPORT_TASK_SENSE) {
+ trace_target_cmd_complete(cmd);
+ ret = cmd->se_tfo->queue_status(cmd);
+- if (ret)
+- goto out;
++ goto out;
+ }
+
+ switch (cmd->data_direction) {
-- 
2.47.3
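Review bot: The unconditional `goto out;` in the SCF_TRANSPORT_TASK_SENSE branch is correct but unexplained in the code: nothing in the hunk says why the data-direction switch must be skipped, so a later reader could plausibly restore the `if (ret)` and re-create the double completion the commit message describes. A comment on the new line, `/* status has been queued (or re-queued on failure); falling into the data_direction path would hand the cmd to the fabric a second time */`, would record the invariant next to the jump. transport_complete_qf starts before the hunk and the `out:` label that consumes `ret` is after it, so whether a zero `ret` is handled correctly there cannot be verified from this hunk.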