From 8615b2bc751ec06d4fb0ff56427e6e0e6ce71cee Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 16 Sep 2015 22:18:44 -0700
Subject: [PATCH] 3.14-stable patches

added patches:
crypto-ghash-clmulni-specify-context-size-for-ghash-async-algorithm.patch
hid-usbhid-fix-the-check-for-hid_reset_pending-in-hid_io_error.patch
kvm-mmu-fix-validation-of-mmio-page-fault.patch
serial-8250-don-t-bind-to-smsc-ircc-ir-port.patch
---
 ...ntext-size-for-ghash-async-algorithm.patch | 32 +++++
 ...or-hid_reset_pending-in-hid_io_error.patch | 40 ++++++
 ...mu-fix-validation-of-mmio-page-fault.patch | 125 ++++++++++++++++++
 ...8250-don-t-bind-to-smsc-ircc-ir-port.patch | 34 +++++
 queue-3.14/series | 4 +
 5 files changed, 235 insertions(+)
 create mode 100644 queue-3.14/crypto-ghash-clmulni-specify-context-size-for-ghash-async-algorithm.patch
 create mode 100644 queue-3.14/hid-usbhid-fix-the-check-for-hid_reset_pending-in-hid_io_error.patch
 create mode 100644 queue-3.14/kvm-mmu-fix-validation-of-mmio-page-fault.patch
 create mode 100644 queue-3.14/serial-8250-don-t-bind-to-smsc-ircc-ir-port.patch
diff --git a/queue-3.14/crypto-ghash-clmulni-specify-context-size-for-ghash-async-algorithm.patch b/queue-3.14/crypto-ghash-clmulni-specify-context-size-for-ghash-async-algorithm.patch
new file mode 100644
index 00000000000..a9af931e1fc
--- /dev/null
+++ b/queue-3.14/crypto-ghash-clmulni-specify-context-size-for-ghash-async-algorithm.patch
@@ -0,0 +1,32 @@
+From 71c6da846be478a61556717ef1ee1cea91f5d6a8 Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin
+Date: Thu, 3 Sep 2015 14:32:01 +0300
+Subject: crypto: ghash-clmulni: specify context size for ghash async algorithm
+
+From: Andrey Ryabinin
+
+commit 71c6da846be478a61556717ef1ee1cea91f5d6a8 upstream.
+
+Currently context size (cra_ctxsize) doesn't specified for
+ghash_async_alg. Which means it's zero. Thus crypto_create_tfm()
+doesn't allocate needed space for ghash_async_ctx, so any
+read/write to ctx (e.g. in ghash_async_init_tfm()) is not valid.
+
+Signed-off-by: Andrey Ryabinin
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/crypto/ghash-clmulni-intel_glue.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/crypto/ghash-clmulni-intel_glue.c
++++ b/arch/x86/crypto/ghash-clmulni-intel_glue.c
+@@ -291,6 +291,7 @@ static struct ahash_alg ghash_async_alg
+ .cra_name = "ghash",
+ .cra_driver_name = "ghash-clmulni",
+ .cra_priority = 400,
++ .cra_ctxsize = sizeof(struct ghash_async_ctx),
+ .cra_flags = CRYPTO_ALG_TYPE_AHASH | CRYPTO_ALG_ASYNC,
+ .cra_blocksize = GHASH_BLOCK_SIZE,
+ .cra_type = &crypto_ahash_type,
diff --git a/queue-3.14/hid-usbhid-fix-the-check-for-hid_reset_pending-in-hid_io_error.patch b/queue-3.14/hid-usbhid-fix-the-check-for-hid_reset_pending-in-hid_io_error.patch
new file mode 100644
index 00000000000..ef8622a7a05
--- /dev/null
+++ b/queue-3.14/hid-usbhid-fix-the-check-for-hid_reset_pending-in-hid_io_error.patch
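Review bot: The added `.cra_ctxsize = sizeof(struct ghash_async_ctx),` initializer in ghash_async_alg has no comment tying it to the code that uses the context, although the description says a zero size makes every read or write of ctx land outside what crypto_create_tfm() allocated. I would put a one-line comment above the field, `/* ghash_async_init_tfm() writes to the tfm ctx; size must cover struct ghash_async_ctx */`, so the coupling is visible at the definition. The initializer starts and ends outside the hunk, so the rest of the structure cannot be checked here. Other algorithm definitions whose init_tfm callbacks use a private context struct are worth auditing for the same omission, since a missing size fails silently.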
@@ -0,0 +1,40 @@
+From 3af4e5a95184d6d3c1c6a065f163faa174a96a1d Mon Sep 17 00:00:00 2001
+From: Don Zickus
+Date: Mon, 10 Aug 2015 12:06:53 -0400
+Subject: HID: usbhid: Fix the check for HID_RESET_PENDING in hid_io_error
+
+From: Don Zickus
+
+commit 3af4e5a95184d6d3c1c6a065f163faa174a96a1d upstream.
+
+It was reported that after 10-20 reboots, a usb keyboard plugged
+into a docking station would not work unless it was replugged in.
+
+Using usbmon, it turns out the interrupt URBs were streaming with
+callback errors of -71 for some reason. The hid-core.c::hid_io_error was
+supposed to retry and then reset, but the reset wasn't really happening.
+
+The check for HID_NO_BANDWIDTH was inverted. Fix was simple.
+
+Tested by reporter and locally by me by unplugging a keyboard halfway until I
+could recreate a stream of errors but no disconnect.
+
+Signed-off-by: Don Zickus
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/usbhid/hid-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/usbhid/hid-core.c
++++ b/drivers/hid/usbhid/hid-core.c
+@@ -180,7 +180,7 @@ static void hid_io_error(struct hid_devi
+ if (time_after(jiffies, usbhid->stop_retry)) {
+
+ /* Retries failed, so do a port reset unless we lack bandwidth*/
+- if (test_bit(HID_NO_BANDWIDTH, &usbhid->iofl)
++ if (!test_bit(HID_NO_BANDWIDTH, &usbhid->iofl)
+ && !test_and_set_bit(HID_RESET_PENDING, &usbhid->iofl)) {
+
+ schedule_work(&usbhid->reset_work);
diff --git a/queue-3.14/kvm-mmu-fix-validation-of-mmio-page-fault.patch b/queue-3.14/kvm-mmu-fix-validation-of-mmio-page-fault.patch
new file mode 100644
index 00000000000..62c923c8ad4
--- /dev/null
+++ b/queue-3.14/kvm-mmu-fix-validation-of-mmio-page-fault.patch
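Review bot: The comment left above the corrected condition in hid_io_error(), `/* Retries failed, so do a port reset unless we lack bandwidth*/`, names only one of the two tests and was already in place while the HID_NO_BANDWIDTH test was inverted, so it gives a reader little to check the code against. I would spell out both conditions, e.g. `/* Retries failed: reset the port only if HID_NO_BANDWIDTH is clear and no reset is already pending */`. The subject line names HID_RESET_PENDING although the changed test is HID_NO_BANDWIDTH, which makes the fix harder to find by flag name. What happens once the retry window has expired with HID_NO_BANDWIDTH set is decided outside the hunk, so it cannot be confirmed here that the device does not stay in a permanent error stream in that case.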
@@ -0,0 +1,125 @@
+From 6f691251c0350ac52a007c54bf3ef62e9d8cdc5e Mon Sep 17 00:00:00 2001
+From: Xiao Guangrong
+Date: Wed, 5 Aug 2015 12:04:19 +0800
+Subject: KVM: MMU: fix validation of mmio page fault
+
+From: Xiao Guangrong
+
+commit 6f691251c0350ac52a007c54bf3ef62e9d8cdc5e upstream.
+
+We got the bug that qemu complained with "KVM: unknown exit, hardware
+reason 31" and KVM shown these info:
+[84245.284948] EPT: Misconfiguration.
+[84245.285056] EPT: GPA: 0xfeda848
+[84245.285154] ept_misconfig_inspect_spte: spte 0x5eaef50107 level 4
+[84245.285344] ept_misconfig_inspect_spte: spte 0x5f5fadc107 level 3
+[84245.285532] ept_misconfig_inspect_spte: spte 0x5141d18107 level 2
+[84245.285723] ept_misconfig_inspect_spte: spte 0x52e40dad77 level 1
+
+This is because we got a mmio #PF and the handler see the mmio spte becomes
+normal (points to the ram page)
+
+However, this is valid after introducing fast mmio spte invalidation which
+increases the generation-number instead of zapping mmio sptes, a example
+is as follows:
+1. QEMU drops mmio region by adding a new memslot
+2. invalidate all mmio sptes
+3.
+
+ VCPU 0 VCPU 1
+ access the invalid mmio spte
+ access the region originally was MMIO before
+ set the spte to the normal ram map
+
+ mmio #PF
+ check the spte and see it becomes normal ram mapping !!!
+
+This patch fixes the bug just by dropping the check in mmio handler, it's
+good for backport. Full check will be introduced in later patches
+
+Reported-by: Pavel Shirshov
+Tested-by: Pavel Shirshov
+Signed-off-by: Xiao Guangrong
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/mmu.c | 45 ---------------------------------------------
+ 1 file changed, 45 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -381,12 +381,6 @@ static u64 __get_spte_lockless(u64 *spte
+ {
+ return ACCESS_ONCE(*sptep);
+ }
+-
+-static bool __check_direct_spte_mmio_pf(u64 spte)
+-{
+- /* It is valid if the spte is zapped. */
+- return spte == 0ull;
+-}
+ #else
+ union split_spte {
+ struct {
+@@ -502,23 +496,6 @@ retry:
+
+ return spte.spte;
+ }
+-
+-static bool __check_direct_spte_mmio_pf(u64 spte)
+-{
+- union split_spte sspte = (union split_spte)spte;
+- u32 high_mmio_mask = shadow_mmio_mask >> 32;
+-
+- /* It is valid if the spte is zapped. */
+- if (spte == 0ull)
+- return true;
+-
+- /* It is valid if the spte is being zapped. */
+- if (sspte.spte_low == 0ull &&
+- (sspte.spte_high & high_mmio_mask) == high_mmio_mask)
+- return true;
+-
+- return false;
+-}
+ #endif
+
+ static bool spte_is_locklessly_modifiable(u64 spte)
+@@ -3215,21 +3192,6 @@ static bool quickly_check_mmio_pf(struct
+ return vcpu_match_mmio_gva(vcpu, addr);
+ }
+
+-
+-/*
+- * On direct hosts, the last spte is only allows two states
+- * for mmio page fault:
+- * - It is the mmio spte
+- * - It is zapped or it is being zapped.
+- *
+- * This function completely checks the spte when the last spte
+- * is not the mmio spte.
+- */
+-static bool check_direct_spte_mmio_pf(u64 spte)
+-{
+- return __check_direct_spte_mmio_pf(spte);
+-}
+-
+ static u64 walk_shadow_page_get_mmio_spte(struct kvm_vcpu *vcpu, u64 addr)
+ {
+ struct kvm_shadow_walk_iterator iterator;
+@@ -3272,13 +3234,6 @@ int handle_mmio_page_fault_common(struct
+ }
+
+ /*
+- * It's ok if the gva is remapped by other cpus on shadow guest,
+- * it's a BUG if the gfn is not a mmio page.
+- */
+- if (direct && !check_direct_spte_mmio_pf(spte))
+- return RET_MMIO_PF_BUG;
+-
+- /*
+ * If the page table is zapped by other cpus, let CPU fault again on
+ * the address.
+ */
diff --git a/queue-3.14/serial-8250-don-t-bind-to-smsc-ircc-ir-port.patch b/queue-3.14/serial-8250-don-t-bind-to-smsc-ircc-ir-port.patch
new file mode 100644
index 00000000000..a6dcf40b510
--- /dev/null
+++ b/queue-3.14/serial-8250-don-t-bind-to-smsc-ircc-ir-port.patch
@@ -0,0 +1,34 @@
+From ffa34de03bcfbfa88d8352942bc238bb48e94e2d Mon Sep 17 00:00:00 2001
+From: "Maciej S. Szmigiero"
+Date: Sun, 2 Aug 2015 23:11:52 +0200
+Subject: serial: 8250: don't bind to SMSC IrCC IR port
+
+From: "Maciej S. Szmigiero"
+
+commit ffa34de03bcfbfa88d8352942bc238bb48e94e2d upstream.
+
+SMSC IrCC SIR/FIR port should not be bound to by
+(legacy) serial driver so its own driver (smsc-ircc2)
+can bind to it.
+
+Signed-off-by: Maciej Szmigiero
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/8250/8250_pnp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_pnp.c
++++ b/drivers/tty/serial/8250/8250_pnp.c
+@@ -364,6 +364,11 @@ static const struct pnp_device_id pnp_de
+ /* Winbond CIR port, should not be probed. We should keep track
+ of it to prevent the legacy serial driver from probing it */
+ { "WEC1022", CIR_PORT },
++ /*
++ * SMSC IrCC SIR/FIR port, should not be probed by serial driver
++ * as well so its own driver can bind to it.
++ */
++ { "SMCF010", CIR_PORT },
+ { "", 0 }
+ };
+
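Review bot: With the `direct && !check_direct_spte_mmio_pf(spte)` test removed from handle_mmio_page_fault_common(), the only comment left at that point ("If the page table is zapped by other cpus, let CPU fault again on the address") no longer describes the state the description says is now legitimate, an spte that was re-established as a normal RAM mapping after a generation-number invalidation. I would extend it, e.g. `* If the page table is zapped, or the spte was replaced by a RAM mapping after the memslot changed, let the CPU fault again.` The description defers the full check to later patches, so the backport should name the follow-up that restores validation; until then a genuinely inconsistent spte on a direct host presumably takes the same path as the benign race, which cannot be confirmed because the code after the comment is outside the hunk. Whether RET_MMIO_PF_BUG still has any producer after the removal is also not visible here.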
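Review bot: The new `{ "SMCF010", CIR_PORT },` entry in the PNP id table reuses the CIR_PORT marker for an SIR/FIR infrared port, so the flag name no longer matches everything it marks. The added comment states the intent, but the skip depends on how the probe path treats CIR_PORT, which is outside the hunk. If the flag only means "leave this device to its own driver", a short note at its definition such as `/* also used for other IR ports that have a dedicated driver */` would keep the table readable. The table itself starts outside the hunk.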
diff --git a/queue-3.14/series b/queue-3.14/series
index 6a04b15cd8a..c4ad779534d 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -13,3 +13,7 @@ usb-symbolserial-use-usb_get_serial_port_data.patch
 usb-ftdi_sio-added-custom-pid-for-customware-products.patch
 usb-dwc3-ep0-fix-mem-corruption-on-out-transfers-of-more-than-512-bytes.patch
 usb-host-ehci-sys-delete-useless-bus_to_hcd-conversion.patch
+serial-8250-don-t-bind-to-smsc-ircc-ir-port.patch
+crypto-ghash-clmulni-specify-context-size-for-ghash-async-algorithm.patch
+hid-usbhid-fix-the-check-for-hid_reset_pending-in-hid_io_error.patch
+kvm-mmu-fix-validation-of-mmio-page-fault.patch
--
2.47.2