From 9eb9b15ed81f489341453cac5ffc2e7c074bf1f8 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 10 Nov 2014 11:37:49 +0900 Subject: [PATCH] 3.17-stable patches added patches: arc-allow-headless-models-to-boot.patch arc-unbork-fpu-save-restore.patch arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch iser-target-disable-tx-completion-interrupt-coalescing.patch kvm-emulate-avoid-accessing-null-ctxt-memopp.patch kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch kvm-vmx-handle-invvpid-vm-exit-gracefully.patch kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch kvm-x86-decoding-guest-instructions-which-cross-page-boundary-may-fail.patch kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch kvm-x86-emulator-does-not-decode-clflush-well.patch kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch kvm-x86-fix-wrong-masking-on-relative-jump-call.patch kvm-x86-handle-errors-when-rip-is-set-during-far-jumps.patch kvm-x86-improve-thread-safety-in-pit.patch kvm-x86-prefetch-and-hint_nop-should-have-srcmem-flag.patch kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch media-em28xx-check-if-a-device-has-audio-earlier.patch media-em28xx-v4l-fix-video-buffer-field-order-reporting-in-progressive-mode.patch media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch media-imon-fix-other-rc-type-protocol-support.patch media-m88ts2022-fix-32bit-overflow-on-filter-calc.patch media-rc-core-fix-protocol_change-regression-in-ir_raw_event_register.patch media-siano-add-support-for-pctv-77e.patch media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch media-usb-uvc-add-a-quirk-for-dell-xps-m1330-webcam.patch media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch media-vmalloc_sg-off-by-one-in-error-handling.patch mips-cp1emu-fix-isa-restrictions-for-cop1x_op-instructions.patch mips-ftrace-fix-a-micromips-build-problem.patch 
mips-loongson2_cpufreq-fix-cpu-clock-rate-setting-mismerge.patch mips-ptrace.h-add-a-missing-include.patch mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch qla_target-don-t-delete-changed-nacls.patch target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch --- .../arc-allow-headless-models-to-boot.patch | 35 +++ queue-3.17/arc-unbork-fpu-save-restore.patch | 53 ++++ ...f-registers-in-kgdb-to-match-gdb-7.5.patch | 73 +++++ ...e-tx-completion-interrupt-coalescing.patch | 47 ++++ ...ate-avoid-accessing-null-ctxt-memopp.patch | 38 +++ ...-pinning-in-kvm_iommu_map-error-path.patch | 78 ++++++ ...mx-handle-invvpid-vm-exit-gracefully.patch | 77 ++++++ ...k-non-canonical-addresses-upon-wrmsr.patch | 140 ++++++++++ ...s-which-cross-page-boundary-may-fail.patch | 38 +++ ...-t-kill-guest-on-unknown-exit-reason.patch | 53 ++++ ...mulator-does-not-decode-clflush-well.patch | 78 ++++++ ...ip-canonical-checks-on-near-branches.patch | 234 ++++++++++++++++ ...-wrong-masking-on-relative-jump-call.patch | 65 +++++ ...ors-when-rip-is-set-during-far-jumps.patch | 250 ++++++++++++++++++ ...kvm-x86-improve-thread-safety-in-pit.patch | 37 +++ ...and-hint_nop-should-have-srcmem-flag.patch | 52 ++++ ...-from-panicking-on-shared-msr-writes.patch | 86 ++++++ ...tage-on-tevii-s480-on-initialization.patch | 42 +++ ...-check-if-a-device-has-audio-earlier.patch | 99 +++++++ ...-order-reporting-in-progressive-mode.patch | 36 +++ ...-vb2-core-properly-on-streaming-stop.patch | 102 +++++++ ...n-fix-other-rc-type-protocol-support.patch | 35 +++ ...22-fix-32bit-overflow-on-filter-calc.patch | 38 +++ ...-regression-in-ir_raw_event_register.patch | 56 ++++ ...media-siano-add-support-for-pctv-77e.patch | 57 ++++ ...432_mute-bit-for-tda7432_rf-register.patch | 32 +++ ...dd-a-quirk-for-dell-xps-m1330-webcam.patch | 42 +++ ...ix-overflow-in-v4l_bound_align_image.patch | 67 +++++ 
...lloc_sg-off-by-one-in-error-handling.patch | 40 +++ ...strictions-for-cop1x_op-instructions.patch | 50 ++++ ...ftrace-fix-a-micromips-build-problem.patch | 52 ++++ ...-fix-cpu-clock-rate-setting-mismerge.patch | 49 ++++ .../mips-ptrace.h-add-a-missing-include.patch | 51 ++++ ...ix-huge-tlb-refill-exception-handler.patch | 90 +++++++ ...la_target-don-t-delete-changed-nacls.patch | 42 +++ queue-3.17/series | 37 +++ ...data-handling-for-dynamic-mappedluns.patch | 93 +++++++ ...pointer-for-scf_transport_task_sense.patch | 45 ++++ 38 files changed, 2589 insertions(+) create mode 100644 queue-3.17/arc-allow-headless-models-to-boot.patch create mode 100644 queue-3.17/arc-unbork-fpu-save-restore.patch create mode 100644 queue-3.17/arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch create mode 100644 queue-3.17/iser-target-disable-tx-completion-interrupt-coalescing.patch create mode 100644 queue-3.17/kvm-emulate-avoid-accessing-null-ctxt-memopp.patch create mode 100644 queue-3.17/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch create mode 100644 queue-3.17/kvm-vmx-handle-invvpid-vm-exit-gracefully.patch create mode 100644 queue-3.17/kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch create mode 100644 queue-3.17/kvm-x86-decoding-guest-instructions-which-cross-page-boundary-may-fail.patch create mode 100644 queue-3.17/kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch create mode 100644 queue-3.17/kvm-x86-emulator-does-not-decode-clflush-well.patch create mode 100644 queue-3.17/kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch create mode 100644 queue-3.17/kvm-x86-fix-wrong-masking-on-relative-jump-call.patch create mode 100644 queue-3.17/kvm-x86-handle-errors-when-rip-is-set-during-far-jumps.patch create mode 100644 queue-3.17/kvm-x86-improve-thread-safety-in-pit.patch create mode 100644 queue-3.17/kvm-x86-prefetch-and-hint_nop-should-have-srcmem-flag.patch create mode 100644 
queue-3.17/kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch create mode 100644 queue-3.17/media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch create mode 100644 queue-3.17/media-em28xx-check-if-a-device-has-audio-earlier.patch create mode 100644 queue-3.17/media-em28xx-v4l-fix-video-buffer-field-order-reporting-in-progressive-mode.patch create mode 100644 queue-3.17/media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch create mode 100644 queue-3.17/media-imon-fix-other-rc-type-protocol-support.patch create mode 100644 queue-3.17/media-m88ts2022-fix-32bit-overflow-on-filter-calc.patch create mode 100644 queue-3.17/media-rc-core-fix-protocol_change-regression-in-ir_raw_event_register.patch create mode 100644 queue-3.17/media-siano-add-support-for-pctv-77e.patch create mode 100644 queue-3.17/media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch create mode 100644 queue-3.17/media-usb-uvc-add-a-quirk-for-dell-xps-m1330-webcam.patch create mode 100644 queue-3.17/media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch create mode 100644 queue-3.17/media-vmalloc_sg-off-by-one-in-error-handling.patch create mode 100644 queue-3.17/mips-cp1emu-fix-isa-restrictions-for-cop1x_op-instructions.patch create mode 100644 queue-3.17/mips-ftrace-fix-a-micromips-build-problem.patch create mode 100644 queue-3.17/mips-loongson2_cpufreq-fix-cpu-clock-rate-setting-mismerge.patch create mode 100644 queue-3.17/mips-ptrace.h-add-a-missing-include.patch create mode 100644 queue-3.17/mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch create mode 100644 queue-3.17/qla_target-don-t-delete-changed-nacls.patch create mode 100644 queue-3.17/target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch create mode 100644 queue-3.17/target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch 
diff --git a/queue-3.17/arc-allow-headless-models-to-boot.patch b/queue-3.17/arc-allow-headless-models-to-boot.patch new file mode 100644 index 00000000000..2fd33e5b1e0 --- /dev/null +++ b/queue-3.17/arc-allow-headless-models-to-boot.patch @@ -0,0 +1,35 @@ +From 5c05483e2db91890faa9a7be0a831701a3f442d6 Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Fri, 20 Jun 2014 16:24:49 +0530 +Subject: ARC: [nsimosci] Allow "headless" models to boot + +From: Vineet Gupta + +commit 5c05483e2db91890faa9a7be0a831701a3f442d6 upstream. + +There are certain test configuration of virtual platform which don't +have any real console device (uart/pgu). So add tty0 as a fallback console +device to allow system to boot and be accessible via telnet + +Otherwise with ttyS0 as only console, but 8250 disabled in kernel build, +init chokes. + +Reported-by: Anton Kolesov +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/boot/dts/nsimosci.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arc/boot/dts/nsimosci.dts ++++ b/arch/arc/boot/dts/nsimosci.dts +@@ -20,7 +20,7 @@ + /* this is for console on PGU */ + /* bootargs = "console=tty0 consoleblank=0"; */ + /* this is for console on serial */ +- bootargs = "earlycon=uart8250,mmio32,0xc0000000,115200n8 console=ttyS0,115200n8 consoleblank=0 debug"; ++ bootargs = "earlycon=uart8250,mmio32,0xc0000000,115200n8 console=tty0 console=ttyS0,115200n8 consoleblank=0 debug"; + }; + + aliases { diff --git a/queue-3.17/arc-unbork-fpu-save-restore.patch b/queue-3.17/arc-unbork-fpu-save-restore.patch new file mode 100644 index 00000000000..1dfca3c13fa --- /dev/null +++ b/queue-3.17/arc-unbork-fpu-save-restore.patch 
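Review bot: The context comment `/* this is for console on serial */` directly above the changed `bootargs` line is now wrong, since the line registers both `console=tty0` and `console=ttyS0`; together with the commented-out PGU variant two lines higher, a reader now sees three console configurations and one stale description. Suggest `/* console on tty0 (fallback for headless models) and on serial */`. The rest of the nsimosci.dts chosen node is outside this hunk.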
@@ -0,0 +1,53 @@ +From 52e9bae93802bd29c33be11e9e758ad7daac805f Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Sat, 27 Sep 2014 12:53:41 +0530 +Subject: ARC: unbork FPU save/restore + +From: Vineet Gupta + +commit 52e9bae93802bd29c33be11e9e758ad7daac805f upstream. + +Fixes: 2ab402dfd65d15a4b2 "ARC: make start_thread() out-of-line" +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/arcregs.h | 8 -------- + arch/arc/include/asm/processor.h | 9 +++++++++ + 2 files changed, 9 insertions(+), 8 deletions(-) + +--- a/arch/arc/include/asm/arcregs.h ++++ b/arch/arc/include/asm/arcregs.h +@@ -191,14 +191,6 @@ + #define PAGES_TO_KB(n_pages) ((n_pages) << (PAGE_SHIFT - 10)) + #define PAGES_TO_MB(n_pages) (PAGES_TO_KB(n_pages) >> 10) + +-#ifdef CONFIG_ARC_FPU_SAVE_RESTORE +-/* These DPFP regs need to be saved/restored across ctx-sw */ +-struct arc_fpu { +- struct { +- unsigned int l, h; +- } aux_dpfp[2]; +-}; +-#endif + + /* + *************************************************************** +--- a/arch/arc/include/asm/processor.h ++++ b/arch/arc/include/asm/processor.h +@@ -20,6 +20,15 @@ + + #include + ++#ifdef CONFIG_ARC_FPU_SAVE_RESTORE ++/* These DPFP regs need to be saved/restored across ctx-sw */ ++struct arc_fpu { ++ struct { ++ unsigned int l, h; ++ } aux_dpfp[2]; ++}; ++#endif ++ + /* Arch specific stuff which needs to be saved per task. + * However these items are not so important so as to earn a place in + * struct thread_info diff --git a/queue-3.17/arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch b/queue-3.17/arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch new file mode 100644 index 00000000000..f7756877b71 --- /dev/null +++ b/queue-3.17/arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch 
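Review bot: The patch description is a bare `Fixes:` line, so the reason `struct arc_fpu` has to move from arcregs.h into processor.h is not recorded; presumably the per-task struct that follows the insertion point (the `struct thread_info` comment is cut off here) embeds it and arcregs.h is no longer included ahead of it after the `start_thread()` change, but that should be stated so a later backport can judge whether it still applies. A short comment at the new definition would also anchor it: `/* defined here (not arcregs.h) because the per-task struct below embeds it */`. The remainder of processor.h, including the consumer, lies outside this hunk, so the embedding is inferred, not visible.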
@@ -0,0 +1,73 @@ +From ebc0c74e76cec9c4dd860eb0ca1c0b39dc63c482 Mon Sep 17 00:00:00 2001 +From: Anton Kolesov +Date: Thu, 25 Sep 2014 13:23:24 +0400 +Subject: ARC: Update order of registers in KGDB to match GDB 7.5 + +From: Anton Kolesov + +commit ebc0c74e76cec9c4dd860eb0ca1c0b39dc63c482 upstream. + +Order of registers has changed in GDB moving from 6.8 to 7.5. This patch +updates KGDB to work properly with GDB 7.5, though makes it incompatible +with 6.8. + +Signed-off-by: Anton Kolesov +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/kgdb.h | 32 ++++++++++++++++++-------------- + 1 file changed, 18 insertions(+), 14 deletions(-) + +--- a/arch/arc/include/asm/kgdb.h ++++ b/arch/arc/include/asm/kgdb.h +@@ -19,7 +19,7 @@ + * register API yet */ + #undef DBG_MAX_REG_NUM + +-#define GDB_MAX_REGS 39 ++#define GDB_MAX_REGS 87 + + #define BREAK_INSTR_SIZE 2 + #define CACHE_FLUSH_IS_SAFE 1 +@@ -33,23 +33,27 @@ static inline void arch_kgdb_breakpoint( + + extern void kgdb_trap(struct pt_regs *regs); + +-enum arc700_linux_regnums { ++/* This is the numbering of registers according to the GDB. See GDB's ++ * arc-tdep.h for details. ++ * ++ * Registers are ordered for GDB 7.5. It is incompatible with GDB 6.8. */ ++enum arc_linux_regnums { + _R0 = 0, + _R1, _R2, _R3, _R4, _R5, _R6, _R7, _R8, _R9, _R10, _R11, _R12, _R13, + _R14, _R15, _R16, _R17, _R18, _R19, _R20, _R21, _R22, _R23, _R24, + _R25, _R26, +- _BTA = 27, +- _LP_START = 28, +- _LP_END = 29, +- _LP_COUNT = 30, +- _STATUS32 = 31, +- _BLINK = 32, +- _FP = 33, +- __SP = 34, +- _EFA = 35, +- _RET = 36, +- _ORIG_R8 = 37, +- _STOP_PC = 38 ++ _FP = 27, ++ __SP = 28, ++ _R30 = 30, ++ _BLINK = 31, ++ _LP_COUNT = 60, ++ _STOP_PC = 64, ++ _RET = 64, ++ _LP_START = 65, ++ _LP_END = 66, ++ _STATUS32 = 67, ++ _ECR = 76, ++ _BTA = 82, + }; + + #else 
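Review bot: `_STOP_PC` and `_RET` are both assigned 64 in the new `enum arc_linux_regnums`, where the old layout gave them distinct slots (38 and 36); if that is deliberate because GDB 7.5 exposes a single pc register, it needs a comment, since the kgdb code that fills the register buffer from pt_regs (outside this hunk) will write the same slot from two sources. Suggest `_STOP_PC = 64, /* shares slot 64 with _RET: GDB 7.5 has a single pc */`. `GDB_MAX_REGS` also jumps from 39 to 87 while the enum names only eight slots above 31, so the unnamed slots must be explicitly zero-filled by the buffer code rather than left holding stale data from an earlier stop; that code is not visible here, so confirm.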
diff --git a/queue-3.17/iser-target-disable-tx-completion-interrupt-coalescing.patch b/queue-3.17/iser-target-disable-tx-completion-interrupt-coalescing.patch new file mode 100644 index 00000000000..9bd8c6dc3df --- /dev/null +++ b/queue-3.17/iser-target-disable-tx-completion-interrupt-coalescing.patch 
@@ -0,0 +1,47 @@ +From 0d0f660d882c1c02748ced13966a2413aa5d6cc2 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Sun, 5 Oct 2014 02:13:03 -0700 +Subject: iser-target: Disable TX completion interrupt coalescing + +From: Nicholas Bellinger + +commit 0d0f660d882c1c02748ced13966a2413aa5d6cc2 upstream. + +This patch explicitly disables TX completion interrupt coalescing logic +in isert_put_response() and isert_put_datain() that was originally added +as an efficiency optimization in commit 95b60f07. + +It has been reported that this change can trigger ABORT_TASK timeouts +under certain small block workloads, where disabling coalescing was +required for stability. According to Sagi, this doesn't impact +overall performance, so go ahead and disable it for now. + +Reported-by: Moussa Ba +Reported-by: Sagi Grimberg +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/isert/ib_isert.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -2185,7 +2185,7 @@ isert_put_response(struct iscsi_conn *co + isert_cmd->tx_desc.num_sge = 2; + } + +- isert_init_send_wr(isert_conn, isert_cmd, send_wr, true); ++ isert_init_send_wr(isert_conn, isert_cmd, send_wr, false); + + pr_debug("Posting SCSI Response IB_WR_SEND >>>>>>>>>>>>>>>>>>>>>>\n"); + +@@ -2884,7 +2884,7 @@ isert_put_datain(struct iscsi_conn *conn + &isert_cmd->tx_desc.iscsi_header); + isert_init_tx_hdrs(isert_conn, &isert_cmd->tx_desc); + isert_init_send_wr(isert_conn, isert_cmd, +- &isert_cmd->tx_desc.send_wr, true); ++ &isert_cmd->tx_desc.send_wr, false); + isert_cmd->rdma_wr.s_send_wr.next = &isert_cmd->tx_desc.send_wr; + wr->send_wr_num += 1; + } diff --git a/queue-3.17/kvm-emulate-avoid-accessing-null-ctxt-memopp.patch b/queue-3.17/kvm-emulate-avoid-accessing-null-ctxt-memopp.patch new file mode 100644 index 00000000000..843dd3f2614 --- /dev/null 
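Review bot: Both call sites now pass a bare `false` as the last argument of `isert_init_send_wr()`, and nothing in the code says what was switched off; the reason (ABORT_TASK timeouts under small-block workloads) survives only in the commit message. A one-line comment at each call, `/* no TX completion coalescing: it caused ABORT_TASK timeouts */`, would stop the optimization from being quietly re-enabled by someone reading only the code. The coalescing logic inside isert_init_send_wr() is outside this hunk, so whether its `true` path is now dead code cannot be seen here.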
+++ b/queue-3.17/kvm-emulate-avoid-accessing-null-ctxt-memopp.patch
@@ -0,0 +1,38 @@
+From a430c9166312e1aa3d80bce32374233bdbfeba32 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Thu, 23 Oct 2014 14:54:14 +0200
+Subject: KVM: emulate: avoid accessing NULL ctxt->memopp
+
+From: Paolo Bonzini
+
+commit a430c9166312e1aa3d80bce32374233bdbfeba32 upstream.
+
+A failure to decode the instruction can cause a NULL pointer access.
+This is fixed simply by moving the "done" label as close as possible
+to the return.
+
+This fixes CVE-2014-8481.
+
+Reported-by: Andy Lutomirski
+Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/emulate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -4481,10 +4481,10 @@ done_prefixes:
+ /* Decode and fetch the destination operand: register or memory. */
+ rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
+
+-done:
+ if (ctxt->rip_relative)
+ ctxt->memopp->addr.mem.ea += ctxt->_eip;
+
++done:
+ return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
+ }
+
diff --git a/queue-3.17/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch b/queue-3.17/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch
new file mode 100644
index 00000000000..a9a00db9e8e
--- /dev/null
+++ b/queue-3.17/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch
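Review bot: Moving `done:` below the rip-relative fix-up keeps the failure path away from `ctxt->memopp`, but the success path still dereferences it unconditionally whenever `ctxt->rip_relative` is set, so the fix relies on every ModRM instruction that sets rip_relative also decoding a memory operand that assigns `memopp`. An opcode-table entry carrying ModRM without a SrcMem/DstMem operand (the clflush patch later in this same series describes exactly such a case) would still reach a NULL pointer here. A defensive guard costs nothing: `if (ctxt->rip_relative && likely(ctxt->memopp))`. x86_decode_insn() begins outside this hunk.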
@@ -0,0 +1,78 @@ +From 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f Mon Sep 17 00:00:00 2001 +From: Quentin Casasnovas +Date: Fri, 17 Oct 2014 22:55:59 +0200 +Subject: kvm: fix excessive pages un-pinning in kvm_iommu_map error path. + +From: Quentin Casasnovas + +commit 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f upstream. + +The third parameter of kvm_unpin_pages() when called from +kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin +and not the page size. + +This error was facilitated with an inconsistent API: kvm_pin_pages() takes +a size, but kvn_unpin_pages() takes a number of pages, so fix the problem +by matching the two. + +This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter +of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of +un-pinning for pages intended to be un-pinned (i.e. memory leak) but +unfortunately potentially aggravated the number of pages we un-pin that +should have stayed pinned. As far as I understand though, the same +practical mitigations apply. + +This issue was found during review of Red Hat 6.6 patches to prepare +Ksplice rebootless updates. + +Thanks to Vegard for his time on a late Friday evening to help me in +understanding this code. + +Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... 
(CVE-2014-3601)") +Signed-off-by: Quentin Casasnovas +Signed-off-by: Vegard Nossum +Signed-off-by: Jamie Iles +Reviewed-by: Sasha Levin +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/iommu.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/virt/kvm/iommu.c ++++ b/virt/kvm/iommu.c +@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct k + gfn_t base_gfn, unsigned long npages); + + static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn, +- unsigned long size) ++ unsigned long npages) + { + gfn_t end_gfn; + pfn_t pfn; + + pfn = gfn_to_pfn_memslot(slot, gfn); +- end_gfn = gfn + (size >> PAGE_SHIFT); ++ end_gfn = gfn + npages; + gfn += 1; + + if (is_error_noslot_pfn(pfn)) +@@ -119,7 +119,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, + * Pin all pages we are about to map in memory. This is + * important because we unmap and unpin in 4kb steps later. + */ +- pfn = kvm_pin_pages(slot, gfn, page_size); ++ pfn = kvm_pin_pages(slot, gfn, page_size >> PAGE_SHIFT); + if (is_error_noslot_pfn(pfn)) { + gfn += 1; + continue; +@@ -131,7 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, + if (r) { + printk(KERN_ERR "kvm_iommu_map_address:" + "iommu failed to map pfn=%llx\n", pfn); +- kvm_unpin_pages(kvm, pfn, page_size); ++ kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT); + goto unmap_pages; + } + diff --git a/queue-3.17/kvm-vmx-handle-invvpid-vm-exit-gracefully.patch b/queue-3.17/kvm-vmx-handle-invvpid-vm-exit-gracefully.patch new file mode 100644 index 00000000000..9acc06a2ab9 --- /dev/null +++ b/queue-3.17/kvm-vmx-handle-invvpid-vm-exit-gracefully.patch 
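Review bot: `kvm_pin_pages()` now takes a page count, but nothing at its prototype says so, and both callers convert `page_size >> PAGE_SHIFT` inline in the loop body, which is the same unit mix-up this patch is fixing. Compute it once in kvm_iommu_map_pages and name the unit: `unsigned long npages = page_size >> PAGE_SHIFT; /* kvm_pin/unpin_pages count pages, not bytes */`. The error path hands `kvm_unpin_pages()` the first pfn and the same count, which is only correct if the pinned range is physically contiguous; kvm_pin_pages' body, where `end_gfn` is used, is cut off in this hunk, so confirm that it enforces contiguity.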
@@ -0,0 +1,77 @@ +From a642fc305053cc1c6e47e4f4df327895747ab485 Mon Sep 17 00:00:00 2001 +From: Petr Matousek +Date: Tue, 23 Sep 2014 20:22:30 +0200 +Subject: kvm: vmx: handle invvpid vm exit gracefully + +From: Petr Matousek + +commit a642fc305053cc1c6e47e4f4df327895747ab485 upstream. + +On systems with invvpid instruction support (corresponding bit in +IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invvpid +causes vm exit, which is currently not handled and results in +propagation of unknown exit to userspace. + +Fix this by installing an invvpid vm exit handler. + +This is CVE-2014-3646. + +Signed-off-by: Petr Matousek +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/uapi/asm/vmx.h | 2 ++ + arch/x86/kvm/vmx.c | 9 ++++++++- + 2 files changed, 10 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/uapi/asm/vmx.h ++++ b/arch/x86/include/uapi/asm/vmx.h +@@ -67,6 +67,7 @@ + #define EXIT_REASON_EPT_MISCONFIG 49 + #define EXIT_REASON_INVEPT 50 + #define EXIT_REASON_PREEMPTION_TIMER 52 ++#define EXIT_REASON_INVVPID 53 + #define EXIT_REASON_WBINVD 54 + #define EXIT_REASON_XSETBV 55 + #define EXIT_REASON_APIC_WRITE 56 +@@ -114,6 +115,7 @@ + { EXIT_REASON_EOI_INDUCED, "EOI_INDUCED" }, \ + { EXIT_REASON_INVALID_STATE, "INVALID_STATE" }, \ + { EXIT_REASON_INVD, "INVD" }, \ ++ { EXIT_REASON_INVVPID, "INVVPID" }, \ + { EXIT_REASON_INVPCID, "INVPCID" } + + #endif /* _UAPIVMX_H */ +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -6639,6 +6639,12 @@ static int handle_invept(struct kvm_vcpu + return 1; + } + ++static int handle_invvpid(struct kvm_vcpu *vcpu) ++{ ++ kvm_queue_exception(vcpu, UD_VECTOR); ++ return 1; ++} ++ + /* + * The exit handlers return 1 if the exit was handled fully and guest execution + * may resume. 
Otherwise they set the kvm_run parameter to indicate what needs +@@ -6684,6 +6690,7 @@ static int (*const kvm_vmx_exit_handlers + [EXIT_REASON_MWAIT_INSTRUCTION] = handle_mwait, + [EXIT_REASON_MONITOR_INSTRUCTION] = handle_monitor, + [EXIT_REASON_INVEPT] = handle_invept, ++ [EXIT_REASON_INVVPID] = handle_invvpid, + }; + + static const int kvm_vmx_max_exit_handlers = +@@ -6917,7 +6924,7 @@ static bool nested_vmx_exit_handled(stru + case EXIT_REASON_VMPTRST: case EXIT_REASON_VMREAD: + case EXIT_REASON_VMRESUME: case EXIT_REASON_VMWRITE: + case EXIT_REASON_VMOFF: case EXIT_REASON_VMON: +- case EXIT_REASON_INVEPT: ++ case EXIT_REASON_INVEPT: case EXIT_REASON_INVVPID: + /* + * VMX instructions trap unconditionally. This allows L1 to + * emulate them for its L2 guest, i.e., allows 3-level nesting! diff --git a/queue-3.17/kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch b/queue-3.17/kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch new file mode 100644 index 00000000000..e14d3feed1c --- /dev/null +++ b/queue-3.17/kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch 
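Review bot: `handle_invvpid()` injects #UD unconditionally and carries no comment saying why that is correct; it is only right as long as KVM does not advertise VPID support in the nested VMX capability MSRs, which this hunk does not show. Add `/* VPID is not exposed to the guest (no nested VPID), so INVVPID is #UD; revisit when nested VPID is advertised */` so the handler is not mistaken for an implementation. The `nested_vmx_exit_handled` change forwards the exit to L1 like the other VMX instructions, which is consistent with the surrounding cases.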
@@ -0,0 +1,140 @@ +From 854e8bb1aa06c578c2c9145fa6bfe3680ef63b23 Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Tue, 16 Sep 2014 03:24:05 +0300 +Subject: KVM: x86: Check non-canonical addresses upon WRMSR + +From: Nadav Amit + +commit 854e8bb1aa06c578c2c9145fa6bfe3680ef63b23 upstream. + +Upon WRMSR, the CPU should inject #GP if a non-canonical value (address) is +written to certain MSRs. The behavior is "almost" identical for AMD and Intel +(ignoring MSRs that are not implemented in either architecture since they would +anyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if +non-canonical address is written on Intel but not on AMD (which ignores the top +32-bits). + +Accordingly, this patch injects a #GP on the MSRs which behave identically on +Intel and AMD. To eliminate the differences between the architecutres, the +value which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to +canonical value before writing instead of injecting a #GP. + +Some references from Intel and AMD manuals: + +According to Intel SDM description of WRMSR instruction #GP is expected on +WRMSR "If the source register contains a non-canonical address and ECX +specifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE, +IA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP." + +According to AMD manual instruction manual: +LSTAR/CSTAR (SYSCALL): "The WRMSR instruction loads the target RIP into the +LSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical +form, a general-protection exception (#GP) occurs." +IA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): "The address written to the +base field must be in canonical form or a #GP fault will occur." +IA32_KERNEL_GS_BASE (SWAPGS): "The address stored in the KernelGSbase MSR must +be in canonical form." + +This patch fixes CVE-2014-3610. 
+ +Signed-off-by: Nadav Amit +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/kvm_host.h | 14 ++++++++++++++ + arch/x86/kvm/svm.c | 2 +- + arch/x86/kvm/vmx.c | 2 +- + arch/x86/kvm/x86.c | 27 ++++++++++++++++++++++++++- + 4 files changed, 42 insertions(+), 3 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -991,6 +991,20 @@ static inline void kvm_inject_gp(struct + kvm_queue_exception_e(vcpu, GP_VECTOR, error_code); + } + ++static inline u64 get_canonical(u64 la) ++{ ++ return ((int64_t)la << 16) >> 16; ++} ++ ++static inline bool is_noncanonical_address(u64 la) ++{ ++#ifdef CONFIG_X86_64 ++ return get_canonical(la) != la; ++#else ++ return false; ++#endif ++} ++ + #define TSS_IOPB_BASE_OFFSET 0x66 + #define TSS_BASE_SIZE 0x68 + #define TSS_IOPB_SIZE (65536 / 8) +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3234,7 +3234,7 @@ static int wrmsr_interception(struct vcp + msr.host_initiated = false; + + svm->next_rip = kvm_rip_read(&svm->vcpu) + 2; +- if (svm_set_msr(&svm->vcpu, &msr)) { ++ if (kvm_set_msr(&svm->vcpu, &msr)) { + trace_kvm_msr_write_ex(ecx, data); + kvm_inject_gp(&svm->vcpu, 0); + } else { +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -5266,7 +5266,7 @@ static int handle_wrmsr(struct kvm_vcpu + msr.data = data; + msr.index = ecx; + msr.host_initiated = false; +- if (vmx_set_msr(vcpu, &msr) != 0) { ++ if (kvm_set_msr(vcpu, &msr) != 0) { + trace_kvm_msr_write_ex(ecx, data); + kvm_inject_gp(vcpu, 0); + return 1; +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -989,7 +989,6 @@ void kvm_enable_efer_bits(u64 mask) + } + EXPORT_SYMBOL_GPL(kvm_enable_efer_bits); + +- + /* + * Writes msr value into into the appropriate "register". + * Returns 0 on success, non-0 otherwise. 
+@@ -997,8 +996,34 @@ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits); + */ + int kvm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr) + { ++ switch (msr->index) { ++ case MSR_FS_BASE: ++ case MSR_GS_BASE: ++ case MSR_KERNEL_GS_BASE: ++ case MSR_CSTAR: ++ case MSR_LSTAR: ++ if (is_noncanonical_address(msr->data)) ++ return 1; ++ break; ++ case MSR_IA32_SYSENTER_EIP: ++ case MSR_IA32_SYSENTER_ESP: ++ /* ++ * IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if ++ * non-canonical address is written on Intel but not on ++ * AMD (which ignores the top 32-bits, because it does ++ * not implement 64-bit SYSENTER). ++ * ++ * 64-bit code should hence be able to write a non-canonical ++ * value on AMD. Making the address canonical ensures that ++ * vmentry does not fail on Intel after writing a non-canonical ++ * value, and that something deterministic happens if the guest ++ * invokes 64-bit SYSENTER. ++ */ ++ msr->data = get_canonical(msr->data); ++ } + return kvm_x86_ops->set_msr(vcpu, msr); + } ++EXPORT_SYMBOL_GPL(kvm_set_msr); + + /* + * Adapt set_msr() to msr_io()'s calling convention diff --git a/queue-3.17/kvm-x86-decoding-guest-instructions-which-cross-page-boundary-may-fail.patch b/queue-3.17/kvm-x86-decoding-guest-instructions-which-cross-page-boundary-may-fail.patch new file mode 100644 index 00000000000..5a516a17f94 --- /dev/null +++ b/queue-3.17/kvm-x86-decoding-guest-instructions-which-cross-page-boundary-may-fail.patch 
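Review bot: `get_canonical()` left-shifts a value already cast to `int64_t`, so for any address with bit 63 set (the kernel-half values this is meant to normalize) the shift overflows a signed type, which is undefined behaviour in C; the kernel's `-fno-strict-overflow` makes GCC wrap it today, but the intent is clearer and portable as `return (u64)((s64)(la << 16) >> 16);`, shifting unsigned first and sign-extending with the arithmetic right shift. The literal 16 silently encodes 48-bit linear addresses; a named width would make that assumption visible. In `kvm_set_msr()` the SYSENTER case falls off the end of the switch without a `break;` and there is no `default:`; both are harmless but worth adding for readability. The emulator's path into kvm_set_msr() is outside this hunk.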
@@ -0,0 +1,38 @@
+From 08da44aedba0f493e10695fa334348a7a4f72eb3 Mon Sep 17 00:00:00 2001
+From: Nadav Amit
+Date: Fri, 3 Oct 2014 01:10:04 +0300
+Subject: KVM: x86: Decoding guest instructions which cross page boundary may fail
+
+From: Nadav Amit
+
+commit 08da44aedba0f493e10695fa334348a7a4f72eb3 upstream.
+
+Once an instruction crosses a page boundary, the size read from the second page
+disregards the common case that part of the operand resides on the first page.
+As a result, fetch of long insturctions may fail, and thereby cause the
+decoding to fail as well.
+
+Fixes: 5cfc7e0f5e5e1adf998df94f8e36edaf5d30d38e
+Signed-off-by: Nadav Amit
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/emulate.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -773,8 +773,10 @@ static int __do_insn_fetch_bytes(struct
+ static __always_inline int do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt,
+ unsigned size)
+ {
+- if (unlikely(ctxt->fetch.end - ctxt->fetch.ptr < size))
+- return __do_insn_fetch_bytes(ctxt, size);
++ unsigned done_size = ctxt->fetch.end - ctxt->fetch.ptr;
++
++ if (unlikely(done_size < size))
++ return __do_insn_fetch_bytes(ctxt, size - done_size);
+ else
+ return X86EMUL_CONTINUE;
+ }
diff --git a/queue-3.17/kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch b/queue-3.17/kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch
new file mode 100644
index 00000000000..09da325c685
--- /dev/null
+++ b/queue-3.17/kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch
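Review bot: The new `done_size` narrows a pointer difference to `unsigned`, and the subtraction `size - done_size` is only safe because it sits behind `done_size < size`; the correctness of the whole change additionally depends on `__do_insn_fetch_bytes()` appending to the existing buffer rather than restarting it, and that function's body is outside this hunk (only its signature appears as context). A one-line comment would tell the next reader why only the remainder is requested: `/* bytes between fetch.ptr and fetch.end are already fetched; ask only for the tail */`. If `fetch.end` could ever lie below `fetch.ptr`, the narrowing would yield a huge done_size and silently skip the fetch; presumably an invariant, but a `WARN_ON_ONCE` would document it.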
@@ -0,0 +1,53 @@
+From 2bc19dc3754fc066c43799659f0d848631c44cfe Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin"
+Date: Thu, 18 Sep 2014 16:21:16 +0300
+Subject: kvm: x86: don't kill guest on unknown exit reason
+
+From: "Michael S. Tsirkin"
+
+commit 2bc19dc3754fc066c43799659f0d848631c44cfe upstream.
+
+KVM_EXIT_UNKNOWN is a kvm bug, we don't really know whether it was
+triggered by a priveledged application. Let's not kill the guest: WARN
+and inject #UD instead.
+
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/svm.c | 6 +++---
+ arch/x86/kvm/vmx.c | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3534,9 +3534,9 @@ static int handle_exit(struct kvm_vcpu *
+
+ if (exit_code >= ARRAY_SIZE(svm_exit_handlers)
+ || !svm_exit_handlers[exit_code]) {
+- kvm_run->exit_reason = KVM_EXIT_UNKNOWN;
+- kvm_run->hw.hardware_exit_reason = exit_code;
+- return 0;
++ WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_code);
++ kvm_queue_exception(vcpu, UD_VECTOR);
++ return 1;
+ }
+
+ return svm_exit_handlers[exit_code](svm);
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7058,10 +7058,10 @@ static int vmx_handle_exit(struct kvm_vc
+ && kvm_vmx_exit_handlers[exit_reason])
+ return kvm_vmx_exit_handlers[exit_reason](vcpu);
+ else {
+- vcpu->run->exit_reason = KVM_EXIT_UNKNOWN;
+- vcpu->run->hw.hardware_exit_reason = exit_reason;
++ WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_reason);
++ kvm_queue_exception(vcpu, UD_VECTOR);
++ return 1;
+ }
+- return 0;
+ }
+
+ static void update_cr8_intercept(struct kvm_vcpu *vcpu, int tpr, int irr)
diff --git a/queue-3.17/kvm-x86-emulator-does-not-decode-clflush-well.patch b/queue-3.17/kvm-x86-emulator-does-not-decode-clflush-well.patch
new file mode 100644
index 00000000000..cee1000f88b
--- /dev/null
+++ b/queue-3.17/kvm-x86-emulator-does-not-decode-clflush-well.patch
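Review bot: The `WARN_ONCE()` added to svm.c's `handle_exit()` prints `"vmx: unexpected exit reason 0x%x\n"`, copied from the vmx.c hunk; on an AMD host the message points at the wrong backend, so it should read `WARN_ONCE(1, "svm: unexpected exit reason 0x%x\n", exit_code);`. Because it is `WARN_ONCE`, only the first unexpected exit reason per boot is ever logged; a guest that goes on probing other unhandled exits is invisible to the host apart from the #UD it receives, so a rate-limited warning that includes the exit code each time would serve operators better than a one-shot. Both `handle_exit()` and `vmx_handle_exit()` begin outside this hunk.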
@@ -0,0 +1,78 @@
+From 13e457e0eebf0a0c82c38ceb890d93eb826d62a6 Mon Sep 17 00:00:00 2001
+From: Nadav Amit
+Date: Mon, 13 Oct 2014 13:04:13 +0300
+Subject: KVM: x86: Emulator does not decode clflush well
+
+From: Nadav Amit
+
+commit 13e457e0eebf0a0c82c38ceb890d93eb826d62a6 upstream.
+
+Currently, all group15 instructions are decoded as clflush (e.g., mfence,
+xsave). In addition, the clflush instruction requires no prefix (66/f2/f3)
+would exist. If prefix exists it may encode a different instruction (e.g.,
+clflushopt).
+
+Creating a group for clflush, and different group for each prefix.
+
+This has been the case forever, but the next patch needs the cflush group
+in order to fix a bug introduced in 3.17.
+
+Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5
+Signed-off-by: Nadav Amit
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/emulate.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -3376,6 +3376,12 @@ static int em_bswap(struct x86_emulate_c
+ return X86EMUL_CONTINUE;
+ }
+
++static int em_clflush(struct x86_emulate_ctxt *ctxt)
++{
++ /* emulating clflush regardless of cpuid */
++ return X86EMUL_CONTINUE;
++}
++
+ static bool valid_cr(int nr)
+ {
+ switch (nr) {
+@@ -3708,6 +3714,16 @@ static const struct opcode group11[] = {
+ X7(D(Undefined)),
+ };
+
++static const struct gprefix pfx_0f_ae_7 = {
++ I(0, em_clflush), N, N, N,
++};
++
++static const struct group_dual group15 = { {
++ N, N, N, N, N, N, N, GP(0, &pfx_0f_ae_7),
++}, {
++ N, N, N, N, N, N, N, N,
++} };
++
+ static const struct gprefix pfx_0f_6f_0f_7f = {
+ I(Mmx, em_mov), I(Sse | Aligned, em_mov), N, I(Sse | Unaligned, em_mov),
+ };
+@@ -3967,7 +3983,7 @@ static const struct opcode twobyte_table
+ F(DstMem | SrcReg | ModRM | BitOp | Lock | PageTable, em_bts),
+ F(DstMem | SrcReg | Src2ImmByte | ModRM, em_shrd),
+ F(DstMem | SrcReg | Src2CL | ModRM, em_shrd),
+-
D(ModRM), F(DstReg | SrcMem | ModRM, em_imul),
++ GD(0, &group15), F(DstReg | SrcMem | ModRM, em_imul),
+ /* 0xB0 - 0xB7 */
+ I2bv(DstMem | SrcReg | ModRM | Lock | PageTable, em_cmpxchg),
+ I(DstReg | SrcMemFAddr | ModRM | Src2SS, em_lseg),
+@@ -4894,8 +4910,6 @@ twobyte_insn:
+ case 0x90 ... 0x9f: /* setcc r/m8 */
+ ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
+ break;
+- case 0xae: /* clflush */
+- break;
+ case 0xb6 ... 0xb7: /* movzx */
+ ctxt->dst.bytes = ctxt->op_bytes;
+ ctxt->dst.val = (ctxt->src.bytes == 1) ? (u8) ctxt->src.val
diff --git a/queue-3.17/kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch b/queue-3.17/kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch
new file mode 100644
index 00000000000..478d0a227ef
--- /dev/null
+++ b/queue-3.17/kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch
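Review bot: The register-operand half of the new `group15` table is entirely `N`, so encodings that the removed `case 0xae: /* clflush */` path accepted as no-ops now raise #UD when the ModRM byte selects a register (the commit message names mfence as one of them); a comment on that row, `/* reg forms (lfence/mfence/sfence, ...) are not emulated: #UD */`, would record that the change is intentional. The `em_clflush` comment `/* emulating clflush regardless of cpuid */` would also benefit from stating why returning without doing anything is acceptable, presumably because a cache-line flush has no architecturally visible effect the emulator must reproduce — confirm before writing that.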
@@ -0,0 +1,234 @@
+From 234f3ce485d54017f15cf5e0699cff4100121601 Mon Sep 17 00:00:00 2001
+From: Nadav Amit
+Date: Thu, 18 Sep 2014 22:39:38 +0300
+Subject: KVM: x86: Emulator fixes for eip canonical checks on near branches
+
+From: Nadav Amit
+
+commit 234f3ce485d54017f15cf5e0699cff4100121601 upstream.
+
+Before changing rip (during jmp, call, ret, etc.) the target should be asserted
+to be canonical one, as real CPUs do. During sysret, both target rsp and rip
+should be canonical. If any of these values is noncanonical, a #GP exception
+should occur. The exception to this rule are syscall and sysenter instructions
+in which the assigned rip is checked during the assignment to the relevant
+MSRs.
+
+This patch fixes the emulator to behave as real CPUs do for near branches.
+Far branches are handled by the next patch.
+
+This fixes CVE-2014-3647.
+
+Signed-off-by: Nadav Amit
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/emulate.c | 78 +++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 54 insertions(+), 24 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -563,7 +563,8 @@ static int emulate_nm(struct x86_emulate
+ return emulate_exception(ctxt, NM_VECTOR, 0, false);
+ }
+
+-static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
++static inline int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
++ int cs_l)
+ {
+ switch (ctxt->op_bytes) {
+ case 2:
+@@ -573,16 +574,25 @@ static inline void assign_eip_near(struc
+ ctxt->_eip = (u32)dst;
+ break;
+ case 8:
++ if ((cs_l && is_noncanonical_address(dst)) ||
++ (!cs_l && (dst & ~(u32)-1)))
++ return emulate_gp(ctxt, 0);
+ ctxt->_eip = dst;
+ break;
+ default:
+ WARN(1, "unsupported eip assignment size\n");
+ }
++ return X86EMUL_CONTINUE;
++}
++
++static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
++{
++ return assign_eip_far(ctxt, dst, ctxt->mode == X86EMUL_MODE_PROT64);
+ }
+
+-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
++static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
+ {
+- assign_eip_near(ctxt, ctxt->_eip + rel);
++ return assign_eip_near(ctxt, ctxt->_eip + rel);
+ }
+
+ static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
+@@ -2014,13 +2024,15 @@ static int em_grp45(struct x86_emulate_c
+ case 2: /* call near abs */ {
+ long int old_eip;
+ old_eip = ctxt->_eip;
+- ctxt->_eip = ctxt->src.val;
++ rc = assign_eip_near(ctxt, ctxt->src.val);
++ if (rc != X86EMUL_CONTINUE)
++ break;
+ ctxt->src.val = old_eip;
+ rc = em_push(ctxt);
+ break;
+ }
+ case 4: /* jmp abs */
+- ctxt->_eip = ctxt->src.val;
++ rc = assign_eip_near(ctxt, ctxt->src.val);
+ break;
+ case 5: /* jmp far */
+ rc = em_jmp_far(ctxt);
+@@ -2055,10 +2067,14 @@ static int em_cmpxchg8b(struct x86_emula
+
+ static int em_ret(struct x86_emulate_ctxt *ctxt)
+ {
+- ctxt->dst.type = OP_REG;
+- ctxt->dst.addr.reg = &ctxt->_eip;
+- ctxt->dst.bytes = ctxt->op_bytes;
+- return em_pop(ctxt);
++ int rc;
++ unsigned long eip;
++
++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
++ if (rc != X86EMUL_CONTINUE)
++ return rc;
++
++ return assign_eip_near(ctxt, eip);
+ }
+
+ static int em_ret_far(struct x86_emulate_ctxt *ctxt)
+@@ -2339,7 +2355,7 @@ static int em_sysexit(struct x86_emulate
+ {
+ const struct x86_emulate_ops *ops = ctxt->ops;
+ struct desc_struct cs, ss;
+- u64 msr_data;
++ u64 msr_data, rcx, rdx;
+ int usermode;
+ u16 cs_sel = 0, ss_sel = 0;
+
+@@ -2355,6 +2371,9 @@ static int em_sysexit(struct x86_emulate
+ else
+ usermode = X86EMUL_MODE_PROT32;
+
++ rcx = reg_read(ctxt, VCPU_REGS_RCX);
++ rdx = reg_read(ctxt, VCPU_REGS_RDX);
++
+ cs.dpl = 3;
+ ss.dpl = 3;
+ ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data);
+@@ -2372,6 +2391,9 @@ static int em_sysexit(struct x86_emulate
+ ss_sel = cs_sel + 8;
+ cs.d = 0;
+ cs.l = 1;
++ if (is_noncanonical_address(rcx) ||
++ is_noncanonical_address(rdx))
++ return
emulate_gp(ctxt, 0);
+ break;
+ }
+ cs_sel |= SELECTOR_RPL_MASK;
+@@ -2380,8 +2402,8 @@ static int em_sysexit(struct x86_emulate
+ ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS);
+ ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS);
+
+- ctxt->_eip = reg_read(ctxt, VCPU_REGS_RDX);
+- *reg_write(ctxt, VCPU_REGS_RSP) = reg_read(ctxt, VCPU_REGS_RCX);
++ ctxt->_eip = rdx;
++ *reg_write(ctxt, VCPU_REGS_RSP) = rcx;
+
+ return X86EMUL_CONTINUE;
+ }
+@@ -2922,10 +2944,13 @@ static int em_aad(struct x86_emulate_ctx
+
+ static int em_call(struct x86_emulate_ctxt *ctxt)
+ {
++ int rc;
+ long rel = ctxt->src.val;
+
+ ctxt->src.val = (unsigned long)ctxt->_eip;
+- jmp_rel(ctxt, rel);
++ rc = jmp_rel(ctxt, rel);
++ if (rc != X86EMUL_CONTINUE)
++ return rc;
+ return em_push(ctxt);
+ }
+
+@@ -2957,11 +2982,12 @@ static int em_call_far(struct x86_emulat
+ static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
+ {
+ int rc;
++ unsigned long eip;
+
+- ctxt->dst.type = OP_REG;
+- ctxt->dst.addr.reg = &ctxt->_eip;
+- ctxt->dst.bytes = ctxt->op_bytes;
+- rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes);
++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
++ if (rc != X86EMUL_CONTINUE)
++ return rc;
++ rc = assign_eip_near(ctxt, eip);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+ rsp_increment(ctxt, ctxt->src.val);
+@@ -3292,20 +3318,24 @@ static int em_lmsw(struct x86_emulate_ct
+
+ static int em_loop(struct x86_emulate_ctxt *ctxt)
+ {
++ int rc = X86EMUL_CONTINUE;
++
+ register_address_increment(ctxt, reg_rmw(ctxt, VCPU_REGS_RCX), -1);
+ if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) &&
+ (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags)))
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+
+- return X86EMUL_CONTINUE;
++ return rc;
+ }
+
+ static int em_jcxz(struct x86_emulate_ctxt *ctxt)
+ {
++ int rc = X86EMUL_CONTINUE;
++
+ if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0)
+- jmp_rel(ctxt, ctxt->src.val);
++ rc =
jmp_rel(ctxt, ctxt->src.val);
+
+- return X86EMUL_CONTINUE;
++ return rc;
+ }
+
+ static int em_in(struct x86_emulate_ctxt *ctxt)
+@@ -4770,7 +4800,7 @@ special_insn:
+ break;
+ case 0x70 ... 0x7f: /* jcc (short) */
+ if (test_cc(ctxt->b, ctxt->eflags))
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+ break;
+ case 0x8d: /* lea r16/r32, m */
+ ctxt->dst.val = ctxt->src.addr.mem.ea;
+@@ -4800,7 +4830,7 @@ special_insn:
+ break;
+ case 0xe9: /* jmp rel */
+ case 0xeb: /* jmp rel short */
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+ ctxt->dst.type = OP_NONE; /* Disable writeback. */
+ break;
+ case 0xf4: /* hlt */
+@@ -4923,7 +4953,7 @@ twobyte_insn:
+ break;
+ case 0x80 ... 0x8f: /* jnz rel, etc*/
+ if (test_cc(ctxt->b, ctxt->eflags))
+- jmp_rel(ctxt, ctxt->src.val);
++ rc = jmp_rel(ctxt, ctxt->src.val);
+ break;
+ case 0x90 ... 0x9f: /* setcc r/m8 */
+ ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags);
diff --git a/queue-3.17/kvm-x86-fix-wrong-masking-on-relative-jump-call.patch b/queue-3.17/kvm-x86-fix-wrong-masking-on-relative-jump-call.patch
new file mode 100644
index 00000000000..257d39c85c8
--- /dev/null
+++ b/queue-3.17/kvm-x86-fix-wrong-masking-on-relative-jump-call.patch
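Review bot: In `assign_eip_far` the compat-mode target test `(!cs_l && (dst & ~(u32)-1))` is hard to read at a glance and carries no explanation; a comment on each half of the condition, `/* 64-bit code segment: target must be canonical */` and `/* 32-bit code segment: target must fit in 32 bits */`, would make the #GP condition self-evident. The `default:` arm still WARNs and then falls out of the switch into `return X86EMUL_CONTINUE` with `_eip` untouched, so an unexpected `op_bytes` now reports success to every caller that was converted to check the return value; if that is intended, a comment saying so belongs there, otherwise it should return an error as the canonical check does.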
@@ -0,0 +1,65 @@
+From 05c83ec9b73c8124555b706f6af777b10adf0862 Mon Sep 17 00:00:00 2001
+From: Nadav Amit
+Date: Thu, 18 Sep 2014 22:39:37 +0300
+Subject: KVM: x86: Fix wrong masking on relative jump/call
+
+From: Nadav Amit
+
+commit 05c83ec9b73c8124555b706f6af777b10adf0862 upstream.
+
+Relative jumps and calls do the masking according to the operand size, and not
+according to the address size as the KVM emulator does today.
+
+This patch fixes KVM behavior.
+
+Signed-off-by: Nadav Amit
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/emulate.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -504,11 +504,6 @@ static void rsp_increment(struct x86_emu
+ masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc);
+ }
+
+-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
+-{
+- register_address_increment(ctxt, &ctxt->_eip, rel);
+-}
+-
+ static u32 desc_limit_scaled(struct desc_struct *desc)
+ {
+ u32 limit = get_desc_limit(desc);
+@@ -568,6 +563,28 @@ static int emulate_nm(struct x86_emulate
+ return emulate_exception(ctxt, NM_VECTOR, 0, false);
+ }
+
++static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst)
++{
++ switch (ctxt->op_bytes) {
++ case 2:
++ ctxt->_eip = (u16)dst;
++ break;
++ case 4:
++ ctxt->_eip = (u32)dst;
++ break;
++ case 8:
++ ctxt->_eip = dst;
++ break;
++ default:
++ WARN(1, "unsupported eip assignment size\n");
++ }
++}
++
++static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
++{
++ assign_eip_near(ctxt, ctxt->_eip + rel);
++}
++
+ static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg)
+ {
+ u16 selector;
diff --git a/queue-3.17/kvm-x86-handle-errors-when-rip-is-set-during-far-jumps.patch b/queue-3.17/kvm-x86-handle-errors-when-rip-is-set-during-far-jumps.patch
new file mode 100644
index 00000000000..eb5c6f0b915
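Review bot: The `default:` arm of the new `assign_eip_near` only WARNs; control then leaves the switch with `ctxt->_eip` unchanged, so a relative jump with an unexpected `op_bytes` is silently treated as not taken while emulation continues, and the `void` return gives `jmp_rel` and its callers no way to notice. If that is deliberate, say so on the arm, `/* unknown operand size: leave _eip as is, emulation continues */`; otherwise the helper should return a status the callers can check. The two helpers are shown in full here, but every call site of jmp_rel is outside this hunk.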
--- /dev/null
+++ b/queue-3.17/kvm-x86-handle-errors-when-rip-is-set-during-far-jumps.patch
@@ -0,0 +1,250 @@
+From d1442d85cc30ea75f7d399474ca738e0bc96f715 Mon Sep 17 00:00:00 2001
+From: Nadav Amit
+Date: Thu, 18 Sep 2014 22:39:39 +0300
+Subject: KVM: x86: Handle errors when RIP is set during far jumps
+
+From: Nadav Amit
+
+commit d1442d85cc30ea75f7d399474ca738e0bc96f715 upstream.
+
+Far jmp/call/ret may fault while loading a new RIP. Currently KVM does not
+handle this case, and may result in failed vm-entry once the assignment is
+done. The tricky part of doing so is that loading the new CS affects the
+VMCS/VMCB state, so if we fail during loading the new RIP, we are left in
+unconsistent state. Therefore, this patch saves on 64-bit the old CS
+descriptor and restores it if loading RIP failed.
+
+This fixes CVE-2014-3647.
+
+Signed-off-by: Nadav Amit
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/emulate.c | 118 ++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 88 insertions(+), 30 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -1467,7 +1467,9 @@ static int write_segment_descriptor(stru
+
+ /* Does not support long mode */
+ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
+- u16 selector, int seg, u8 cpl, bool in_task_switch)
++ u16 selector, int seg, u8 cpl,
++ bool in_task_switch,
++ struct desc_struct *desc)
+ {
+ struct desc_struct seg_desc, old_desc;
+ u8 dpl, rpl;
+@@ -1599,6 +1601,8 @@ static int __load_segment_descriptor(str
+ }
+ load:
+ ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg);
++ if (desc)
++ *desc = seg_desc;
+ return X86EMUL_CONTINUE;
+ exception:
+ emulate_exception(ctxt, err_vec, err_code, true);
+@@ -1609,7 +1613,7 @@ static int load_segment_descriptor(struc
+ u16 selector, int seg)
+ {
+ u8 cpl = ctxt->ops->cpl(ctxt);
+- return __load_segment_descriptor(ctxt, selector, seg, cpl, false);
++ return __load_segment_descriptor(ctxt, selector, seg, cpl, false, NULL);
+ }
+
+ static void
write_register_operand(struct operand *op)
+@@ -2003,17 +2007,31 @@ static int em_iret(struct x86_emulate_ct
+ static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
+ {
+ int rc;
+- unsigned short sel;
++ unsigned short sel, old_sel;
++ struct desc_struct old_desc, new_desc;
++ const struct x86_emulate_ops *ops = ctxt->ops;
++ u8 cpl = ctxt->ops->cpl(ctxt);
++
++ /* Assignment of RIP may only fail in 64-bit mode */
++ if (ctxt->mode == X86EMUL_MODE_PROT64)
++ ops->get_segment(ctxt, &old_sel, &old_desc, NULL,
++ VCPU_SREG_CS);
+
+ memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
+
+- rc = load_segment_descriptor(ctxt, sel, VCPU_SREG_CS);
++ rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl, false,
++ &new_desc);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+- ctxt->_eip = 0;
+- memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
+- return X86EMUL_CONTINUE;
++ rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l);
++ if (rc != X86EMUL_CONTINUE) {
++ WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64);
++ /* assigning eip failed; restore the old cs */
++ ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
++ return rc;
++ }
++ return rc;
+ }
+
+ static int em_grp45(struct x86_emulate_ctxt *ctxt)
+@@ -2080,21 +2098,34 @@ static int em_ret(struct x86_emulate_ctx
+ static int em_ret_far(struct x86_emulate_ctxt *ctxt)
+ {
+ int rc;
+- unsigned long cs;
++ unsigned long eip, cs;
++ u16 old_cs;
+ int cpl = ctxt->ops->cpl(ctxt);
++ struct desc_struct old_desc, new_desc;
++ const struct x86_emulate_ops *ops = ctxt->ops;
++
++ if (ctxt->mode == X86EMUL_MODE_PROT64)
++ ops->get_segment(ctxt, &old_cs, &old_desc, NULL,
++ VCPU_SREG_CS);
+
+- rc = emulate_pop(ctxt, &ctxt->_eip, ctxt->op_bytes);
++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+- if (ctxt->op_bytes == 4)
+- ctxt->_eip = (u32)ctxt->_eip;
+ rc = emulate_pop(ctxt, &cs, ctxt->op_bytes);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+ /* Outer-privilege level return
is not implemented */
+ if (ctxt->mode >= X86EMUL_MODE_PROT16 && (cs & 3) > cpl)
+ return X86EMUL_UNHANDLEABLE;
+- rc = load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS);
++ rc = __load_segment_descriptor(ctxt, (u16)cs, VCPU_SREG_CS, 0, false,
++ &new_desc);
++ if (rc != X86EMUL_CONTINUE)
++ return rc;
++ rc = assign_eip_far(ctxt, eip, new_desc.l);
++ if (rc != X86EMUL_CONTINUE) {
++ WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64);
++ ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
++ }
+ return rc;
+ }
+
+@@ -2521,19 +2552,24 @@ static int load_state_from_tss16(struct
+ * Now load segment descriptors. If fault happens at this stage
+ * it is handled in a context of new task
+ */
+- ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->ldt, VCPU_SREG_LDTR, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+
+@@ -2658,25 +2694,32 @@ static int load_state_from_tss32(struct
+ * Now load segment descriptors.
If fault happenes at this stage
+ * it is handled in a context of new task
+ */
+- ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->ldt_selector, VCPU_SREG_LDTR,
++ cpl, true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->es, VCPU_SREG_ES, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->cs, VCPU_SREG_CS, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->ss, VCPU_SREG_SS, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->ds, VCPU_SREG_DS, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->fs, VCPU_SREG_FS, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+- ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl, true);
++ ret = __load_segment_descriptor(ctxt, tss->gs, VCPU_SREG_GS, cpl,
++ true, NULL);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+
+@@ -2959,24 +3002,39 @@ static int em_call_far(struct x86_emulat
+ u16 sel, old_cs;
+ ulong old_eip;
+ int rc;
++ struct desc_struct old_desc, new_desc;
++ const struct x86_emulate_ops *ops = ctxt->ops;
++ int cpl = ctxt->ops->cpl(ctxt);
+
+- old_cs = get_segment_selector(ctxt, VCPU_SREG_CS);
+ old_eip = ctxt->_eip;
++ ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS);
+
+ memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
+- if
(load_segment_descriptor(ctxt, sel, VCPU_SREG_CS))
++ rc = __load_segment_descriptor(ctxt, sel, VCPU_SREG_CS, cpl, false,
++ &new_desc);
++ if (rc != X86EMUL_CONTINUE)
+ return X86EMUL_CONTINUE;
+
+- ctxt->_eip = 0;
+- memcpy(&ctxt->_eip, ctxt->src.valptr, ctxt->op_bytes);
++ rc = assign_eip_far(ctxt, ctxt->src.val, new_desc.l);
++ if (rc != X86EMUL_CONTINUE)
++ goto fail;
+
+ ctxt->src.val = old_cs;
+ rc = em_push(ctxt);
+ if (rc != X86EMUL_CONTINUE)
+- return rc;
++ goto fail;
+
+ ctxt->src.val = old_eip;
+- return em_push(ctxt);
++ rc = em_push(ctxt);
++ /* If we failed, we tainted the memory, but the very least we should
++ restore cs */
++ if (rc != X86EMUL_CONTINUE)
++ goto fail;
++ return rc;
++fail:
++ ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
++ return rc;
++
+ }
+
+ static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt)
diff --git a/queue-3.17/kvm-x86-improve-thread-safety-in-pit.patch b/queue-3.17/kvm-x86-improve-thread-safety-in-pit.patch
new file mode 100644
index 00000000000..f6f17ad09e1
--- /dev/null
+++ b/queue-3.17/kvm-x86-improve-thread-safety-in-pit.patch
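Review bot: `WARN_ON(!ctxt->mode != X86EMUL_MODE_PROT64);` in em_jmp_far, and again in em_ret_far, applies `!` to `ctxt->mode` before the comparison, so it compares 0 or 1 with the mode constant rather than checking what the comment above it states (that a failed RIP assignment can only happen in 64-bit mode); it should read `WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);`. The check matters because `old_sel`/`old_desc` in em_jmp_far and `old_cs`/`old_desc` in em_ret_far are only filled in by `ops->get_segment` under `if (ctxt->mode == X86EMUL_MODE_PROT64)`, yet both failure paths hand them to `ops->set_segment` unconditionally, so the WARN_ON is the only thing documenting that `assign_eip_far` cannot fail outside 64-bit mode. em_call_far fetches the old CS unconditionally and avoids that dependency, but it keeps the pre-existing `return X86EMUL_CONTINUE;` on a failed `__load_segment_descriptor`, which discards that error; a comment there saying why the load failure is reported as success would help the next reader.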
@@ -0,0 +1,37 @@
+From 2febc839133280d5a5e8e1179c94ea674489dae2 Mon Sep 17 00:00:00 2001
+From: Andy Honig
+Date: Wed, 27 Aug 2014 14:42:54 -0700
+Subject: KVM: x86: Improve thread safety in pit
+
+From: Andy Honig
+
+commit 2febc839133280d5a5e8e1179c94ea674489dae2 upstream.
+
+There's a race condition in the PIT emulation code in KVM. In
+__kvm_migrate_pit_timer the pit_timer object is accessed without
+synchronization. If the race condition occurs at the wrong time this
+can crash the host kernel.
+
+This fixes CVE-2014-3611.
+
+Signed-off-by: Andrew Honig
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/i8254.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/i8254.c
++++ b/arch/x86/kvm/i8254.c
+@@ -262,8 +262,10 @@ void __kvm_migrate_pit_timer(struct kvm_
+ return;
+
+ timer = &pit->pit_state.timer;
++ mutex_lock(&pit->pit_state.lock);
+ if (hrtimer_cancel(timer))
+ hrtimer_start_expires(timer, HRTIMER_MODE_ABS);
++ mutex_unlock(&pit->pit_state.lock);
+ }
+
+ static void destroy_pit_timer(struct kvm_pit *pit)
diff --git a/queue-3.17/kvm-x86-prefetch-and-hint_nop-should-have-srcmem-flag.patch b/queue-3.17/kvm-x86-prefetch-and-hint_nop-should-have-srcmem-flag.patch
new file mode 100644
index 00000000000..5edd77b667e
--- /dev/null
+++ b/queue-3.17/kvm-x86-prefetch-and-hint_nop-should-have-srcmem-flag.patch
@@ -0,0 +1,52 @@
+From 3f6f1480d86bf9fc16c160d803ab1d006e3058d5 Mon Sep 17 00:00:00 2001
+From: Nadav Amit
+Date: Mon, 13 Oct 2014 13:04:14 +0300
+Subject: KVM: x86: PREFETCH and HINT_NOP should have SrcMem flag
+
+From: Nadav Amit
+
+commit 3f6f1480d86bf9fc16c160d803ab1d006e3058d5 upstream.
+
+The decode phase of the x86 emulator assumes that every instruction with the
+ModRM flag, and which can be used with RIP-relative addressing, has either
+SrcMem or DstMem. This is not the case for several instructions - prefetch,
+hint-nop and clflush.
+
+Adding SrcMem|NoAccess for prefetch and hint-nop and SrcMem for clflush.
+
+This fixes CVE-2014-8480.
+
+Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5
+Signed-off-by: Nadav Amit
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/emulate.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -3715,7 +3715,7 @@ static const struct opcode group11[] = {
+ };
+
+ static const struct gprefix pfx_0f_ae_7 = {
+- I(0, em_clflush), N, N, N,
++ I(SrcMem | ByteOp, em_clflush), N, N, N,
+ };
+
+ static const struct group_dual group15 = { {
+@@ -3928,10 +3928,11 @@ static const struct opcode twobyte_table
+ N, I(ImplicitOps | EmulateOnUD, em_syscall),
+ II(ImplicitOps | Priv, em_clts, clts), N,
+ DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
+- N, D(ImplicitOps | ModRM), N, N,
++ N, D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N,
+ /* 0x10 - 0x1F */
+ N, N, N, N, N, N, N, N,
+- D(ImplicitOps | ModRM), N, N, N, N, N, N, D(ImplicitOps | ModRM),
++ D(ImplicitOps | ModRM | SrcMem | NoAccess),
++ N, N, N, N, N, N, D(ImplicitOps | ModRM | SrcMem | NoAccess),
+ /* 0x20 - 0x2F */
+ DIP(ModRM | DstMem | Priv | Op3264 | NoMod, cr_read, check_cr_read),
+ DIP(ModRM | DstMem | Priv | Op3264 | NoMod, dr_read, check_dr_read),
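Review bot: The clflush entry becomes `I(SrcMem | ByteOp, em_clflush)` without `NoAccess`, while the prefetch and hint-nop entries get `SrcMem | NoAccess`; as far as the table shows, the decoder will perform a one-byte read of the clflush operand that it does not perform for prefetch. If the asymmetry is intended — architecturally CLFLUSH does take #PF/#GP on an inaccessible operand where PREFETCH never faults, so a read access is a reasonable approximation — a short comment on `pfx_0f_ae_7`, `/* SrcMem without NoAccess: clflush must fault on an inaccessible operand */`, would stop a later reader from "fixing" it to match the other two.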
diff --git a/queue-3.17/kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch b/queue-3.17/kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch
new file mode 100644
index 00000000000..d099bd5752e
--- /dev/null
+++ b/queue-3.17/kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch
@@ -0,0 +1,86 @@
+From 8b3c3104c3f4f706e99365c3e0d2aa61b95f969f Mon Sep 17 00:00:00 2001
+From: Andy Honig
+Date: Wed, 27 Aug 2014 11:16:44 -0700
+Subject: KVM: x86: Prevent host from panicking on shared MSR writes.
+
+From: Andy Honig
+
+commit 8b3c3104c3f4f706e99365c3e0d2aa61b95f969f upstream.
+
+The previous patch blocked invalid writes directly when the MSR
+is written. As a precaution, prevent future similar mistakes by
+gracefulling handle GPs caused by writes to shared MSRs.
+
+Signed-off-by: Andrew Honig
+[Remove parts obsoleted by Nadav's patch. - Paolo]
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/kvm_host.h | 2 +-
+ arch/x86/kvm/vmx.c | 7 +++++--
+ arch/x86/kvm/x86.c | 11 ++++++++---
+ 3 files changed, 14 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1049,7 +1049,7 @@ int kvm_cpu_get_interrupt(struct kvm_vcp
+ void kvm_vcpu_reset(struct kvm_vcpu *vcpu);
+
+ void kvm_define_shared_msr(unsigned index, u32 msr);
+-void kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
++int kvm_set_shared_msr(unsigned index, u64 val, u64 mask);
+
+ bool kvm_is_linear_rip(struct kvm_vcpu *vcpu, unsigned long linear_rip);
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2632,12 +2632,15 @@ static int vmx_set_msr(struct kvm_vcpu *
+ default:
+ msr = find_msr_entry(vmx, msr_index);
+ if (msr) {
++ u64 old_msr_data = msr->data;
+ msr->data = data;
+ if (msr - vmx->guest_msrs < vmx->save_nmsrs) {
+ preempt_disable();
+- kvm_set_shared_msr(msr->index, msr->data,
+- msr->mask);
++ ret = kvm_set_shared_msr(msr->index, msr->data,
++ msr->mask);
+ preempt_enable();
++ if (ret)
++ msr->data = old_msr_data;
+ }
+ break;
+ }
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -229,20 +229,25 @@ static void kvm_shared_msr_cpu_online(vo
+ shared_msr_update(i, shared_msrs_global.msrs[i]);
+ }
+
+-void kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
++int kvm_set_shared_msr(unsigned slot, u64 value, u64 mask)
+ {
+ unsigned int cpu = smp_processor_id();
+ struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu);
++ int err;
+
+ if (((value ^ smsr->values[slot].curr) & mask) == 0)
+- return;
++ return 0;
+ smsr->values[slot].curr = value;
+- wrmsrl(shared_msrs_global.msrs[slot], value);
++ err = wrmsrl_safe(shared_msrs_global.msrs[slot], value);
++ if (err)
++ return 1;
++
+ if (!smsr->registered) {
+ smsr->urn.on_user_return = kvm_on_user_return;
+ user_return_notifier_register(&smsr->urn);
+ smsr->registered = true;
+ }
++ return 0;
+ }
+ EXPORT_SYMBOL_GPL(kvm_set_shared_msr);
+
diff --git a/queue-3.17/media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch b/queue-3.17/media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch
new file mode 100644
index 00000000000..8c1c0a08ec9
--- /dev/null
+++ b/queue-3.17/media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch
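Review bot: `smsr->values[slot].curr = value;` is still stored before `wrmsrl_safe` runs, so when the write faults and the function returns 1 the per-cpu cache claims the MSR holds `value` while the hardware register was not changed; a later request for the same value then takes the early `return 0` on the mask comparison and is never retried. Move the cache update behind the error check: `err = wrmsrl_safe(shared_msrs_global.msrs[slot], value); if (err) return 1; smsr->values[slot].curr = value;`. The vmx.c hunk already rolls `msr->data` back on error, so this keeps the two caches consistent with each other and with the hardware.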
@@ -0,0 +1,42 @@
+From 8c5bcded11cb607b1bb5920de3b9c882136d27db Mon Sep 17 00:00:00 2001
+From: Ulrich Eckhardt
+Date: Fri, 10 Oct 2014 14:19:12 -0300
+Subject: media: ds3000: fix LNB supply voltage on Tevii S480 on initialization
+
+From: Ulrich Eckhardt
+
+commit 8c5bcded11cb607b1bb5920de3b9c882136d27db upstream.
+
+The Tevii S480 outputs 18V on startup for the LNB supply voltage and does not
+automatically power down. This blocks other receivers connected
+to a satellite channel router (EN50494), since the receivers can not send the
+required DiSEqC sequences when the Tevii card is connected to a the same SCR.
+
+This patch switches off the LNB supply voltage on initialization of the frontend.
+
+[mchehab@osg.samsung.com: add a comment about why we're explicitly
+ turning off voltage at device init]
+Signed-off-by: Ulrich Eckhardt
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/dvb-frontends/ds3000.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/media/dvb-frontends/ds3000.c
++++ b/drivers/media/dvb-frontends/ds3000.c
+@@ -864,6 +864,13 @@ struct dvb_frontend *ds3000_attach(const
+ memcpy(&state->frontend.ops, &ds3000_ops,
+ sizeof(struct dvb_frontend_ops));
+ state->frontend.demodulator_priv = state;
++
++ /*
++ * Some devices like T480 starts with voltage on. Be sure
++ * to turn voltage off during init, as this can otherwise
++ * interfere with Unicable SCR systems.
++ */
++ ds3000_set_voltage(&state->frontend, SEC_VOLTAGE_OFF);
+ return &state->frontend;
+
+ error3:
diff --git a/queue-3.17/media-em28xx-check-if-a-device-has-audio-earlier.patch b/queue-3.17/media-em28xx-check-if-a-device-has-audio-earlier.patch
new file mode 100644
index 00000000000..63fcabb972c
--- /dev/null
+++ b/queue-3.17/media-em28xx-check-if-a-device-has-audio-earlier.patch
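Review bot: The result of `ds3000_set_voltage(&state->frontend, SEC_VOLTAGE_OFF);` is dropped, so if the call fails (it presumably reaches the device over I2C, which is not visible here) attach still succeeds with the LNB supply in the very state the commit exists to avoid. If ds3000_set_voltage reports failure through its return value, either check it and at least log, `if (ds3000_set_voltage(&state->frontend, SEC_VOLTAGE_OFF)) printk(KERN_WARNING "ds3000: failed to switch off LNB voltage\n");`, or extend the comment to say that a failure here is deliberately ignored so attach does not fail on it.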
@@ -0,0 +1,99 @@ +From fb91bde9d3664dd879655f3a1013c0b5728e7a09 Mon Sep 17 00:00:00 2001 +From: Frank Schaefer +Date: Fri, 27 Dec 2013 00:16:13 -0300 +Subject: media: em28xx: check if a device has audio earlier" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Frank Schaefer + +commit fb91bde9d3664dd879655f3a1013c0b5728e7a09 upstream. + +GIT_AUTHOR_DATE=1409603039 +This reverts + +commit b99f0aadd33fad269c8e62b5bec8b5c012a44a56 +Author: Mauro Carvalho Chehab + + [media] em28xx: check if a device has audio earlier + + Better to split chipset detection from the audio setup. So, move the + detection code to em28xx_init_dev(). + +It broke analog audio of the Hauppauge winTV HVR 900 and very likely many other +em28xx devices. + +Background: +The local variable has_audio in em28xx_usb_probe() describes if the currently +probed _usb_interface_ has an audio endpoint, while dev->audio_mode.has_audio +means that the _device_ as a whole provides analog audio. +Hence it is wrong to set dev->audio_mode.has_audio = has_audio in em28xx_usb_probe(). +As result, audio support is no longer detected and configured on devices which +have the audio endpoint on a separate interface, because em28xx_audio_setup() +bails out immediately at the beginning. + +Revert the faulty commit to restore the old audio detection procedure, which checks +the chip configuration register to determine if the device has analog audio. 
+ +Cc: # 3.14 to 3.16 +Reported-by: Oravecz Csaba +Tested-by: Oravecz Csaba +Signed-off-by: Frank Schäfer +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/em28xx/em28xx-cards.c | 11 ----------- + drivers/media/usb/em28xx/em28xx-core.c | 12 +++++++++++- + 2 files changed, 11 insertions(+), 12 deletions(-) + +--- a/drivers/media/usb/em28xx/em28xx-cards.c ++++ b/drivers/media/usb/em28xx/em28xx-cards.c +@@ -3098,16 +3098,6 @@ static int em28xx_init_dev(struct em28xx + } + } + +- if (dev->chip_id == CHIP_ID_EM2870 || +- dev->chip_id == CHIP_ID_EM2874 || +- dev->chip_id == CHIP_ID_EM28174 || +- dev->chip_id == CHIP_ID_EM28178) { +- /* Digital only device - don't load any alsa module */ +- dev->audio_mode.has_audio = false; +- dev->has_audio_class = false; +- dev->has_alsa_audio = false; +- } +- + if (chip_name != default_chip_name) + printk(KERN_INFO DRIVER_NAME + ": chip ID is %s\n", chip_name); +@@ -3377,7 +3367,6 @@ static int em28xx_usb_probe(struct usb_i + dev->alt = -1; + dev->is_audio_only = has_audio && !(has_video || has_dvb); + dev->has_alsa_audio = has_audio; +- dev->audio_mode.has_audio = has_audio; + dev->has_video = has_video; + dev->ifnum = ifnum; + +--- a/drivers/media/usb/em28xx/em28xx-core.c ++++ b/drivers/media/usb/em28xx/em28xx-core.c +@@ -506,8 +506,18 @@ int em28xx_audio_setup(struct em28xx *de + int vid1, vid2, feat, cfg; + u32 vid; + +- if (!dev->audio_mode.has_audio) ++ if (dev->chip_id == CHIP_ID_EM2870 || ++ dev->chip_id == CHIP_ID_EM2874 || ++ dev->chip_id == CHIP_ID_EM28174 || ++ dev->chip_id == CHIP_ID_EM28178) { ++ /* Digital only device - don't load any alsa module */ ++ dev->audio_mode.has_audio = false; ++ dev->has_audio_class = false; ++ dev->has_alsa_audio = false; + return 0; ++ } ++ ++ dev->audio_mode.has_audio = true; + + /* See how this device is configured */ + cfg = em28xx_read_reg(dev, EM28XX_R00_CHIPCFG); 
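Review bot: In the em28xx-core.c hunk `dev->audio_mode.has_audio = true;` is set unconditionally before `em28xx_read_reg(dev, EM28XX_R00_CHIPCFG)` is consulted, so a failed register read leaves the device already marked as having analog audio; the rest of em28xx_audio_setup() is outside the hunk, so whether a failure later clears the flag cannot be confirmed here. Consider moving the assignment after the read succeeds, or adding `/* provisional until EM28XX_R00_CHIPCFG has been read */` so the ordering is explicit. Separately, the backport's `Subject:` line ends in a stray `"`, which looks like a leftover from a `Revert "..."` subject form.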
diff --git a/queue-3.17/media-em28xx-v4l-fix-video-buffer-field-order-reporting-in-progressive-mode.patch b/queue-3.17/media-em28xx-v4l-fix-video-buffer-field-order-reporting-in-progressive-mode.patch new file mode 100644 index 00000000000..0706f8d56ec --- /dev/null +++ b/queue-3.17/media-em28xx-v4l-fix-video-buffer-field-order-reporting-in-progressive-mode.patch @@ -0,0 +1,36 @@ +From 662c97cf8f9e9d67d45d0a9f0c1565a1ede364c2 Mon Sep 17 00:00:00 2001 +From: Frank Schaefer +Date: Sat, 9 Aug 2014 06:37:21 -0300 +Subject: media: em28xx-v4l: fix video buffer field order reporting in progressive mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Frank Schaefer + +commit 662c97cf8f9e9d67d45d0a9f0c1565a1ede364c2 upstream. + +The correct field order in progressive mode is V4L2_FIELD_NONE, not V4L2_FIELD_INTERLACED. + +Signed-off-by: Frank Schäfer +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/em28xx/em28xx-video.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/media/usb/em28xx/em28xx-video.c ++++ b/drivers/media/usb/em28xx/em28xx-video.c +@@ -435,7 +435,10 @@ static inline void finish_buffer(struct + em28xx_isocdbg("[%p/%d] wakeup\n", buf, buf->top_field); + + buf->vb.v4l2_buf.sequence = dev->v4l2->field_count++; +- buf->vb.v4l2_buf.field = V4L2_FIELD_INTERLACED; ++ if (dev->v4l2->progressive) ++ buf->vb.v4l2_buf.field = V4L2_FIELD_NONE; ++ else ++ buf->vb.v4l2_buf.field = V4L2_FIELD_INTERLACED; + v4l2_get_timestamp(&buf->vb.v4l2_buf.timestamp); + + vb2_buffer_done(&buf->vb, VB2_BUF_STATE_DONE); diff --git a/queue-3.17/media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch b/queue-3.17/media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch new file mode 100644 index 00000000000..e53ee723bed --- /dev/null 
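Review bot: The new if/else in finish_buffer() assigns the same field from two branches, which reads more directly as a single conditional assignment: `buf->vb.v4l2_buf.field = dev->v4l2->progressive ? V4L2_FIELD_NONE : V4L2_FIELD_INTERLACED;`. A short comment that this must agree with the field value reported by the format-setting path would also help, since that path is outside the hunk and cannot be checked from here. finish_buffer() starts outside the hunk.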
+++ b/queue-3.17/media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch 
@@ -0,0 +1,102 @@ +From 627530c32a43283474e9dd3e954519410ffa033a Mon Sep 17 00:00:00 2001 +From: Frank Schaefer +Date: Sat, 9 Aug 2014 06:37:20 -0300 +Subject: media: em28xx-v4l: give back all active video buffers to the vb2 core properly on streaming stop +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Frank Schaefer + +commit 627530c32a43283474e9dd3e954519410ffa033a upstream. + +When a new video frame is started, the driver takes the next video buffer from +the list of active buffers and moves it to dev->usb_ctl.vid_buf / dev->usb_ctl.vbi_buf +for further processing. + +On streaming stop we currently only give back the pending buffers from the list +but not the ones which are currently processed. + +This causes the following warning from the vb2 core since kernel 3.15: + +... + ------------[ cut here ]------------ + WARNING: CPU: 1 PID: 2284 at drivers/media/v4l2-core/videobuf2-core.c:2115 __vb2_queue_cancel+0xed/0x150 [videobuf2_core]() + [...] + Call Trace: + [] dump_stack+0x48/0x69 + [] warn_slowpath_common+0x79/0x90 + [] ? __vb2_queue_cancel+0xed/0x150 [videobuf2_core] + [] ? __vb2_queue_cancel+0xed/0x150 [videobuf2_core] + [] warn_slowpath_null+0x1d/0x20 + [] __vb2_queue_cancel+0xed/0x150 [videobuf2_core] + [] vb2_internal_streamoff+0x35/0x90 [videobuf2_core] + [] vb2_streamoff+0x35/0x60 [videobuf2_core] + [] vb2_ioctl_streamoff+0x37/0x40 [videobuf2_core] + [] v4l_streamoff+0x15/0x20 [videodev] + [] __video_do_ioctl+0x23d/0x2d0 [videodev] + [] ? video_ioctl2+0x20/0x20 [videodev] + [] video_usercopy+0x203/0x5a0 [videodev] + [] ? video_ioctl2+0x20/0x20 [videodev] + [] ? fsnotify+0x1e7/0x2b0 + [] video_ioctl2+0x12/0x20 [videodev] + [] ? video_ioctl2+0x20/0x20 [videodev] + [] v4l2_ioctl+0xee/0x130 [videodev] + [] ? v4l2_open+0xf0/0xf0 [videodev] + [] do_vfs_ioctl+0x2e2/0x4d0 + [] ? vfs_write+0x13c/0x1c0 + [] ? 
vfs_writev+0x2f/0x50 + [] SyS_ioctl+0x58/0x80 + [] sysenter_do_call+0x12/0x12 + ---[ end trace 5545f934409f13f4 ]--- +... + +Many thanks to Hans Verkuil, whose recently added check in the vb2 core unveiled +this long standing issue and who has investigated it further. + +Signed-off-by: Frank Schäfer +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/em28xx/em28xx-video.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/media/usb/em28xx/em28xx-video.c ++++ b/drivers/media/usb/em28xx/em28xx-video.c +@@ -994,13 +994,16 @@ static void em28xx_stop_streaming(struct + } + + spin_lock_irqsave(&dev->slock, flags); ++ if (dev->usb_ctl.vid_buf != NULL) { ++ vb2_buffer_done(&dev->usb_ctl.vid_buf->vb, VB2_BUF_STATE_ERROR); ++ dev->usb_ctl.vid_buf = NULL; ++ } + while (!list_empty(&vidq->active)) { + struct em28xx_buffer *buf; + buf = list_entry(vidq->active.next, struct em28xx_buffer, list); + list_del(&buf->list); + vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR); + } +- dev->usb_ctl.vid_buf = NULL; + spin_unlock_irqrestore(&dev->slock, flags); + } + +@@ -1021,13 +1024,16 @@ void em28xx_stop_vbi_streaming(struct vb + } + + spin_lock_irqsave(&dev->slock, flags); ++ if (dev->usb_ctl.vbi_buf != NULL) { ++ vb2_buffer_done(&dev->usb_ctl.vbi_buf->vb, VB2_BUF_STATE_ERROR); ++ dev->usb_ctl.vbi_buf = NULL; ++ } + while (!list_empty(&vbiq->active)) { + struct em28xx_buffer *buf; + buf = list_entry(vbiq->active.next, struct em28xx_buffer, list); + list_del(&buf->list); + vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR); + } +- dev->usb_ctl.vbi_buf = NULL; + spin_unlock_irqrestore(&dev->slock, flags); + } + diff --git a/queue-3.17/media-imon-fix-other-rc-type-protocol-support.patch b/queue-3.17/media-imon-fix-other-rc-type-protocol-support.patch new file mode 100644 index 00000000000..754d4135b22 --- /dev/null +++ b/queue-3.17/media-imon-fix-other-rc-type-protocol-support.patch 
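Review bot: Both hunks in this patch add the same four-line "give back the in-flight buffer" block under `dev->slock`, once for `dev->usb_ctl.vid_buf` and once for `dev->usb_ctl.vbi_buf`; a small helper would keep the two stop paths from drifting apart and make the locking requirement explicit in one place. The helper below assumes both fields are `struct em28xx_buffer *`, which the `->vb` access suggests but the struct definition is outside the hunk. Both em28xx_stop_streaming() and em28xx_stop_vbi_streaming() start outside the hunk.
```c
/* Return the buffer currently being filled (if any) to vb2. Caller holds dev->slock. */
static void em28xx_return_in_flight_buffer(struct em28xx_buffer **bufp)
{
	if (*bufp != NULL) {
		vb2_buffer_done(&(*bufp)->vb, VB2_BUF_STATE_ERROR);
		*bufp = NULL;
	}
}

/* … unchanged: em28xx_stop_streaming() up to spin_lock_irqsave(&dev->slock, flags) … */
	em28xx_return_in_flight_buffer(&dev->usb_ctl.vid_buf);
/* … unchanged: drain of vidq->active, spin_unlock_irqrestore … */

/* … unchanged: em28xx_stop_vbi_streaming() up to spin_lock_irqsave(&dev->slock, flags) … */
	em28xx_return_in_flight_buffer(&dev->usb_ctl.vbi_buf);
/* … unchanged: drain of vbiq->active, spin_unlock_irqrestore … */
```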
@@ -0,0 +1,35 @@ +From d358aefdc0cc92b16ced449f998dbad639db6809 Mon Sep 17 00:00:00 2001 +From: Ulrich Eckhardt +Date: Fri, 10 Oct 2014 13:27:32 -0300 +Subject: media: imon: fix other RC type protocol support + +From: Ulrich Eckhardt + +commit d358aefdc0cc92b16ced449f998dbad639db6809 upstream. + +With kernel 3.17 the imon remote control for device 15c2:0034 does not +work anymore, which uses the OTHER protocol. Only the front panel +buttons which uses the RC6 protocol are working. + +Adds the missing comparison for the RC_BIT_OTHER. + +Signed-off-by: Ulrich Eckhardt +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/rc/imon.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/rc/imon.c ++++ b/drivers/media/rc/imon.c +@@ -1579,7 +1579,8 @@ static void imon_incoming_packet(struct + if (press_type == 0) + rc_keyup(ictx->rdev); + else { +- if (ictx->rc_type == RC_BIT_RC6_MCE) ++ if (ictx->rc_type == RC_BIT_RC6_MCE || ++ ictx->rc_type == RC_BIT_OTHER) + rc_keydown(ictx->rdev, + ictx->rc_type == RC_BIT_RC6_MCE ? RC_TYPE_RC6_MCE : RC_TYPE_OTHER, + ictx->rc_scancode, ictx->rc_toggle); diff --git a/queue-3.17/media-m88ts2022-fix-32bit-overflow-on-filter-calc.patch b/queue-3.17/media-m88ts2022-fix-32bit-overflow-on-filter-calc.patch new file mode 100644 index 00000000000..933282830c4 --- /dev/null +++ b/queue-3.17/media-m88ts2022-fix-32bit-overflow-on-filter-calc.patch 
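Review bot: The extended condition compares `ictx->rc_type` for equality against single protocol bits (`RC_BIT_RC6_MCE`, `RC_BIT_OTHER`), so a keypress is still silently dropped if rc_type ever holds more than one bit or any third protocol; how rc_type is assigned is outside the hunk, so this may be correct by construction. If it is, a one-line comment stating that rc_type holds exactly one protocol bit at this point would save the next reader the same question; if not, testing with a mask, `if (ictx->rc_type & (RC_BIT_RC6_MCE | RC_BIT_OTHER))`, is the more robust shape. imon_incoming_packet() starts outside the hunk.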
@@ -0,0 +1,38 @@ +From f538e085138e519e25ae0828bd6c6e7492ce8ca4 Mon Sep 17 00:00:00 2001 +From: Antti Palosaari +Date: Thu, 21 Aug 2014 14:02:27 -0300 +Subject: media: m88ts2022: fix 32bit overflow on filter calc + +From: Antti Palosaari + +commit f538e085138e519e25ae0828bd6c6e7492ce8ca4 upstream. + +Maximum satellite symbol rate used is 45000000Sps which overflows +when multiplied by 135. As final calculation result is fraction, +we could use mult_frac macro in order to keep calculation inside +32 bit number limits and prevent overflow. + +Original bug and fix was provided by Nibble Max. I decided to +implement it differently as it is now. + +Reported-by: Nibble Max +Tested-by: Nibble Max +Signed-off-by: Antti Palosaari +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/tuners/m88ts2022.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/tuners/m88ts2022.c ++++ b/drivers/media/tuners/m88ts2022.c +@@ -314,7 +314,7 @@ static int m88ts2022_set_params(struct d + div_min = gdiv28 * 78 / 100; + div_max = clamp_val(div_max, 0U, 63U); + +- f_3db_hz = c->symbol_rate * 135UL / 200UL; ++ f_3db_hz = mult_frac(c->symbol_rate, 135, 200); + f_3db_hz += 2000000U + (frequency_offset_khz * 1000U); + f_3db_hz = clamp(f_3db_hz, 7000000U, 40000000U); + diff --git a/queue-3.17/media-rc-core-fix-protocol_change-regression-in-ir_raw_event_register.patch b/queue-3.17/media-rc-core-fix-protocol_change-regression-in-ir_raw_event_register.patch new file mode 100644 index 00000000000..b0aeceb6acd --- /dev/null +++ b/queue-3.17/media-rc-core-fix-protocol_change-regression-in-ir_raw_event_register.patch 
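Review bot: The switch to `mult_frac(c->symbol_rate, 135, 200)` has no comment, and the reason it replaces the `* 135UL / 200UL` form (45 MSps × 135 exceeds 32 bits, and `unsigned long` is only 32 bits on 32-bit targets) lives solely in the commit message. Suggest `/* mult_frac() keeps symbol_rate * 135 within 32 bits; it overflows at 45 MSps */` above the line so nobody "simplifies" it back. m88ts2022_set_params() starts and ends outside the hunk.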
@@ -0,0 +1,56 @@ +From 14edb593338e3811e818aba286237c365f8881a1 Mon Sep 17 00:00:00 2001 +From: Tomas Melin +Date: Tue, 28 Oct 2014 15:43:14 -0300 +Subject: media: rc-core: fix protocol_change regression in ir_raw_event_register +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tomas Melin + +commit 14edb593338e3811e818aba286237c365f8881a1 upstream. + +IR receiver using nuvoton-cir and lirc required additional configuration +steps after upgrade from kernel 3.16 to 3.17-rcX. Bisected regression to +commit da6e162d6a4607362f8478c715c797d84d449f8b ("[media] rc-core: +simplify sysfs code"). + +The regression comes from adding function change_protocol in ir-raw.c. +It changes behaviour so that only the protocol enabled by driver's +map_name will be active after registration. This breaks user space +behaviour, lirc does not get key press signals anymore. + +Enable lirc protocol by default for ir raw decoders to restore original +behaviour. + +Signed-off-by: Tomas Melin +Acked-by: David Härdeman +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/rc/rc-ir-raw.c | 1 - + drivers/media/rc/rc-main.c | 2 ++ + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/rc/rc-ir-raw.c ++++ b/drivers/media/rc/rc-ir-raw.c +@@ -262,7 +262,6 @@ int ir_raw_event_register(struct rc_dev + return -ENOMEM; + + dev->raw->dev = dev; +- dev->enabled_protocols = ~0; + dev->change_protocol = change_protocol; + rc = kfifo_alloc(&dev->raw->kfifo, + sizeof(struct ir_raw_event) * MAX_IR_EVENT_SIZE, +--- a/drivers/media/rc/rc-main.c ++++ b/drivers/media/rc/rc-main.c +@@ -1421,6 +1421,8 @@ int rc_register_device(struct rc_dev *de + + if (dev->change_protocol) { + u64 rc_type = (1 << rc_map->rc_type); ++ if (dev->driver_type == RC_DRIVER_IR_RAW) ++ rc_type |= RC_BIT_LIRC; + rc = dev->change_protocol(dev, &rc_type); + if (rc < 0) + goto out_raw; 
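Review bot: The rc-main.c hunk enables `RC_BIT_LIRC` for every `RC_DRIVER_IR_RAW` device without a comment, so the reason (restoring the pre-3.17 default that lirc userspace relies on) exists only in the commit message. Suggest `/* raw IR drivers have always exposed lirc by default; keep it so userspace lirc keeps receiving events */` above the new `if`. Since the rc-ir-raw.c hunk drops the old `~0` default, the protocol set at registration is now exactly the map's protocol plus lirc, which is worth stating in that comment as well. rc_register_device() starts and ends outside the hunk.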
diff --git a/queue-3.17/media-siano-add-support-for-pctv-77e.patch b/queue-3.17/media-siano-add-support-for-pctv-77e.patch
new file mode 100644
index 00000000000..4998e32c825
--- /dev/null
+++ b/queue-3.17/media-siano-add-support-for-pctv-77e.patch
@@ -0,0 +1,57 @@ +From 29bbb7bd0a65e01a0423e1df764676119b71ecb3 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Mon, 11 Aug 2014 18:09:32 -0300 +Subject: media: siano: add support for PCTV 77e + +From: Mauro Carvalho Chehab + +commit 29bbb7bd0a65e01a0423e1df764676119b71ecb3 upstream. + +Add support for PCTV microStick (77e) device that uses a sms1140 +chipset. + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/common/siano/sms-cards.c | 6 ++++++ + drivers/media/common/siano/sms-cards.h | 1 + + drivers/media/usb/siano/smsusb.c | 2 ++ + 3 files changed, 9 insertions(+) + +--- a/drivers/media/common/siano/sms-cards.c ++++ b/drivers/media/common/siano/sms-cards.c +@@ -157,6 +157,12 @@ static struct sms_board sms_boards[] = { + .type = SMS_DENVER_2160, + .default_mode = DEVICE_MODE_DAB_TDMB, + }, ++ [SMS1XXX_BOARD_PCTV_77E] = { ++ .name = "Hauppauge microStick 77e", ++ .type = SMS_NOVA_B0, ++ .fw[DEVICE_MODE_DVBT_BDA] = SMS_FW_DVB_NOVA_12MHZ_B0, ++ .default_mode = DEVICE_MODE_DVBT_BDA, ++ }, + }; + + struct sms_board *sms_get_board(unsigned id) +--- a/drivers/media/common/siano/sms-cards.h ++++ b/drivers/media/common/siano/sms-cards.h +@@ -45,6 +45,7 @@ + #define SMS1XXX_BOARD_SIANO_RIO 18 + #define SMS1XXX_BOARD_SIANO_DENVER_1530 19 + #define SMS1XXX_BOARD_SIANO_DENVER_2160 20 ++#define SMS1XXX_BOARD_PCTV_77E 21 + + struct sms_board_gpio_cfg { + int lna_vhf_exist; +--- a/drivers/media/usb/siano/smsusb.c ++++ b/drivers/media/usb/siano/smsusb.c +@@ -655,6 +655,8 @@ static const struct usb_device_id smsusb + .driver_info = SMS1XXX_BOARD_ONDA_MDTV_DATA_CARD }, + { USB_DEVICE(0x3275, 0x0080), + .driver_info = SMS1XXX_BOARD_SIANO_RIO }, ++ { USB_DEVICE(0x2013, 0x0257), ++ .driver_info = SMS1XXX_BOARD_PCTV_77E }, + { } /* Terminating entry */ + }; + 
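Review bot: The new sms_boards[] entry is named "Hauppauge microStick 77e" with `.type = SMS_NOVA_B0`, while the identifier `SMS1XXX_BOARD_PCTV_77E` and the commit message speak of a PCTV device with an sms1140 chipset; if NOVA_B0 is the correct firmware family for that chip, a one-line comment on the entry saying so would stop the next reader from treating it as a mismatch. The sms-cards.h and smsusb.c hunks are consistent with the new index 21 and the USB ID 0x2013:0x0257. The enclosing tables continue outside the hunk.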
diff --git a/queue-3.17/media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch b/queue-3.17/media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch new file mode 100644 index 00000000000..5e2c21f4789 --- /dev/null +++ b/queue-3.17/media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch @@ -0,0 +1,32 @@ +From 91ba0e59babdb3c7aca836a65f1095b3eaff7b06 Mon Sep 17 00:00:00 2001 +From: Axel Lin +Date: Fri, 8 Aug 2014 10:32:56 -0300 +Subject: media: tda7432: Fix setting TDA7432_MUTE bit for TDA7432_RF register + +From: Axel Lin + +commit 91ba0e59babdb3c7aca836a65f1095b3eaff7b06 upstream. + +Fix a copy-paste bug when converting to the control framework. + +Fixes: commit 5d478e0de871 ("[media] tda7432: convert to the control framework") + +Signed-off-by: Axel Lin +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/i2c/tda7432.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/i2c/tda7432.c ++++ b/drivers/media/i2c/tda7432.c +@@ -293,7 +293,7 @@ static int tda7432_s_ctrl(struct v4l2_ct + if (t->mute->val) { + lf |= TDA7432_MUTE; + lr |= TDA7432_MUTE; +- lf |= TDA7432_MUTE; ++ rf |= TDA7432_MUTE; + rr |= TDA7432_MUTE; + } + /* Mute & update balance*/ diff --git a/queue-3.17/media-usb-uvc-add-a-quirk-for-dell-xps-m1330-webcam.patch b/queue-3.17/media-usb-uvc-add-a-quirk-for-dell-xps-m1330-webcam.patch new file mode 100644 index 00000000000..d0587369bba --- /dev/null +++ b/queue-3.17/media-usb-uvc-add-a-quirk-for-dell-xps-m1330-webcam.patch 
@@ -0,0 +1,42 @@ +From 62ea864f84fed6e04dd033d500d4c9183a83d590 Mon Sep 17 00:00:00 2001 +From: Paul Fertser +Date: Sun, 8 Jun 2014 12:16:48 -0300 +Subject: media: usb: uvc: add a quirk for Dell XPS M1330 webcam + +From: Paul Fertser + +commit 62ea864f84fed6e04dd033d500d4c9183a83d590 upstream. + +As reported on [1], this device needs this quirk to be able to +reliably initialise the webcam. + +[1] http://ubuntuforums.org/showthread.php?t=2145996 + +Cc: stable@vger.kernel.org +Signed-off-by: Paul Fertser +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/uvc/uvc_driver.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -2229,6 +2229,15 @@ static struct usb_device_id uvc_ids[] = + .bInterfaceSubClass = 1, + .bInterfaceProtocol = 0, + .driver_info = UVC_QUIRK_PROBE_DEF }, ++ /* Dell XPS M1330 (OmniVision OV7670 webcam) */ ++ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE ++ | USB_DEVICE_ID_MATCH_INT_INFO, ++ .idVendor = 0x05a9, ++ .idProduct = 0x7670, ++ .bInterfaceClass = USB_CLASS_VIDEO, ++ .bInterfaceSubClass = 1, ++ .bInterfaceProtocol = 0, ++ .driver_info = UVC_QUIRK_PROBE_DEF }, + /* Apple Built-In iSight */ + { .match_flags = USB_DEVICE_ID_MATCH_DEVICE + | USB_DEVICE_ID_MATCH_INT_INFO, diff --git a/queue-3.17/media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch b/queue-3.17/media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch new file mode 100644 index 00000000000..df0c03a5fe1 --- /dev/null +++ b/queue-3.17/media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch 
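Review bot: The new uvc_ids[] entry matches on `.idVendor = 0x05a9, .idProduct = 0x7670`, which by the comment is the OmniVision sensor's own ID rather than a Dell-specific one, so `UVC_QUIRK_PROBE_DEF` will apply to any camera reporting that ID, not only the XPS M1330. That is likely intended, but the comment should say so, e.g. `/* Dell XPS M1330 (OmniVision OV7670 webcam); matches the OV7670 USB ID, so other OV7670 based cameras get the quirk too */`. uvc_ids[] continues outside the hunk.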
@@ -0,0 +1,67 @@ +From 3bacc10cd4a85bc70bc0b6c001d3bf995c7fe04c Mon Sep 17 00:00:00 2001 +From: Maciej Matraszek +Date: Mon, 15 Sep 2014 05:14:48 -0300 +Subject: media: v4l2-common: fix overflow in v4l_bound_align_image() + +From: Maciej Matraszek + +commit 3bacc10cd4a85bc70bc0b6c001d3bf995c7fe04c upstream. + +Fix clamp_align() used in v4l_bound_align_image() to prevent overflow +when passed large value like UINT32_MAX. + + In the current implementation: + clamp_align(UINT32_MAX, 8, 8192, 3) + +returns 8, because in line: + + x = (x + (1 << (align - 1))) & mask; + +x overflows to (-1 + 4) & 0x7 = 3, while expected value is 8192. + +v4l_bound_align_image() is heavily used in VIDIOC_S_FMT and +VIDIOC_SUBDEV_S_FMT ioctls handlers, and documentation of the latter +explicitly states that: + +"The modified format should be as close as possible to the original +request." + -- http://linuxtv.org/downloads/v4l-dvb-apis/vidioc-subdev-g-fmt.html + +Thus one would expect, that passing UINT32_MAX as format width and +height will result in setting maximum possible resolution for the +device. Particularly, when the driver doesn't support +VIDIOC_ENUM_FRAMESIZES ioctl, which is common in the codebase. 
+ +Fixes changeset: b0d3159be9a3 + +Signed-off-by: Maciej Matraszek +Acked-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/v4l2-common.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-common.c ++++ b/drivers/media/v4l2-core/v4l2-common.c +@@ -435,16 +435,13 @@ static unsigned int clamp_align(unsigned + /* Bits that must be zero to be aligned */ + unsigned int mask = ~((1 << align) - 1); + ++ /* Clamp to aligned min and max */ ++ x = clamp(x, (min + ~mask) & mask, max & mask); ++ + /* Round to nearest aligned value */ + if (align) + x = (x + (1 << (align - 1))) & mask; + +- /* Clamp to aligned value of min and max */ +- if (x < min) +- x = (min + ~mask) & mask; +- else if (x > max) +- x = max & mask; +- + return x; + } + diff --git a/queue-3.17/media-vmalloc_sg-off-by-one-in-error-handling.patch b/queue-3.17/media-vmalloc_sg-off-by-one-in-error-handling.patch new file mode 100644 index 00000000000..99e47033430 --- /dev/null +++ b/queue-3.17/media-vmalloc_sg-off-by-one-in-error-handling.patch 
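Review bot: The new `x = clamp(x, (min + ~mask) & mask, max & mask);` line carries two unstated preconditions: `min + ~mask` can itself wrap when `min` is within `(1 << align) - 1` of UINT_MAX, and when [min, max] contains no aligned value the lower bound exceeds the upper one and clamp() yields `max & mask`, which is then below `min`. Callers may never hit either, but a comment on clamp_align() stating them (or a `WARN_ON_ONCE` on lower > upper) would document the contract the overflow fix relies on. The rounding that follows cannot leave the clamped range because both bounds are aligned, so the reordering itself looks correct. clamp_align() starts outside the hunk.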
@@ -0,0 +1,40 @@ +From 23d3090f8b44ab42162e99e8584445bc25b8922f Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 5 Aug 2014 05:11:13 -0300 +Subject: media: vmalloc_sg: off by one in error handling + +From: Dan Carpenter + +commit 23d3090f8b44ab42162e99e8584445bc25b8922f upstream. + +The "i--" needs to happen at the start of the loop or it will try to +release something bogus (probably it will crash) and it won't release +the first ->vaddr_page[]. + +Fixes: 7b4eeed174b7 ('[media] vmalloc_sg: make sure all pages in vmalloc area are really DMA-ready') + +Signed-off-by: Dan Carpenter +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/videobuf-dma-sg.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/media/v4l2-core/videobuf-dma-sg.c ++++ b/drivers/media/v4l2-core/videobuf-dma-sg.c +@@ -253,9 +253,11 @@ int videobuf_dma_init_kernel(struct vide + return 0; + out_free_pages: + while (i > 0) { +- void *addr = page_address(dma->vaddr_pages[i]); +- dma_free_coherent(dma->dev, PAGE_SIZE, addr, dma->dma_addr[i]); ++ void *addr; ++ + i--; ++ addr = page_address(dma->vaddr_pages[i]); ++ dma_free_coherent(dma->dev, PAGE_SIZE, addr, dma->dma_addr[i]); + } + kfree(dma->dma_addr); + dma->dma_addr = NULL; diff --git a/queue-3.17/mips-cp1emu-fix-isa-restrictions-for-cop1x_op-instructions.patch b/queue-3.17/mips-cp1emu-fix-isa-restrictions-for-cop1x_op-instructions.patch new file mode 100644 index 00000000000..ba7adeb340a --- /dev/null +++ b/queue-3.17/mips-cp1emu-fix-isa-restrictions-for-cop1x_op-instructions.patch 
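Review bot: The loop under `out_free_pages:` now declares `addr` uninitialised and performs `i--` as a separate first statement; `while (i-- > 0) { void *addr = page_address(dma->vaddr_pages[i]); dma_free_coherent(dma->dev, PAGE_SIZE, addr, dma->dma_addr[i]); }` expresses the same "release indices i-1 down to 0" in three lines with `addr` initialised at its declaration, provided `i` is not read after the loop (the code after `kfree(dma->dma_addr)` is outside the hunk). Whether the pages behind `vaddr_pages[]` need any further release is also outside the hunk. videobuf_dma_init_kernel() starts outside the hunk.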
@@ -0,0 +1,50 @@ +From a5466d7bba9af83a82cc7c081b2a7d557cde3204 Mon Sep 17 00:00:00 2001 +From: Markos Chandras +Date: Tue, 21 Oct 2014 10:21:54 +0100 +Subject: MIPS: cp1emu: Fix ISA restrictions for cop1x_op instructions + +From: Markos Chandras + +commit a5466d7bba9af83a82cc7c081b2a7d557cde3204 upstream. + +Commit 08a07904e1828 ("MIPS: math-emu: Remove most ifdefery") removed +the #ifdef ISA conditions and switched to runtime detection. However, +according to the instruction set manual, the cop1x_op instructions are +available in >=MIPS32r2 as well. This fixes a problem on MIPS32r2 +with the ntpd package which failed to execute with a SIGILL exit code due +to the fact that a madd.d instruction was not being emulated. + +Signed-off-by: Markos Chandras +Fixes: 08a07904e1828 ("MIPS: math-emu: Remove most ifdefery") +Cc: linux-mips@linux-mips.org +Reviewed-by: Paul Burton +Reviewed-by: James Hogan +Cc: Markos Chandras +Patchwork: https://patchwork.linux-mips.org/patch/8173/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/math-emu/cp1emu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/mips/math-emu/cp1emu.c ++++ b/arch/mips/math-emu/cp1emu.c +@@ -1023,7 +1023,7 @@ emul: + goto emul; + + case cop1x_op: +- if (cpu_has_mips_4_5 || cpu_has_mips64) ++ if (cpu_has_mips_4_5 || cpu_has_mips64 || cpu_has_mips32r2) + /* its one of ours */ + goto emul; + +@@ -1068,7 +1068,7 @@ emul: + break; + + case cop1x_op: +- if (!cpu_has_mips_4_5 && !cpu_has_mips64) ++ if (!cpu_has_mips_4_5 && !cpu_has_mips64 && !cpu_has_mips32r2) + return SIGILL; + + sig = fpux_emu(xcp, ctx, ir, fault_addr); diff --git a/queue-3.17/mips-ftrace-fix-a-micromips-build-problem.patch b/queue-3.17/mips-ftrace-fix-a-micromips-build-problem.patch new file mode 100644 index 00000000000..9aae5d4f9db --- /dev/null +++ b/queue-3.17/mips-ftrace-fix-a-micromips-build-problem.patch 
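Review bot: The same ISA test `cpu_has_mips_4_5 || cpu_has_mips64 || cpu_has_mips32r2` now appears twice in cp1emu.c, once positive and once negated, and this commit exists precisely because one such site fell out of step with the architecture manual. A single definition alongside the other cpu_has_* helpers, e.g. `#define cpu_has_cop1x (cpu_has_mips_4_5 || cpu_has_mips64 || cpu_has_mips32r2)`, used at both `case cop1x_op:` sites, would keep them together. Both switch statements start and end outside the hunk.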
@@ -0,0 +1,52 @@ +From aedd153f5bb5b1f1d6d9142014f521ae2ec294cc Mon Sep 17 00:00:00 2001 +From: Markos Chandras +Date: Mon, 20 Oct 2014 09:39:31 +0100 +Subject: MIPS: ftrace: Fix a microMIPS build problem + +From: Markos Chandras + +commit aedd153f5bb5b1f1d6d9142014f521ae2ec294cc upstream. + +Code before the .fixup section needs to have the .insn directive. +This has no side effects on MIPS32/64 but it affects the way microMIPS +loads the address for the return label. + +Fixes the following build problem: +mips-linux-gnu-ld: arch/mips/built-in.o: .fixup+0x4a0: Unsupported jump between +ISA modes; consider recompiling with interlinking enabled. +mips-linux-gnu-ld: final link failed: Bad value +Makefile:819: recipe for target 'vmlinux' failed + +The fix is similar to 1658f914ff91c3bf ("MIPS: microMIPS: +Disable LL/SC and fix linker bug.") + +Signed-off-by: Markos Chandras +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/8117/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/ftrace.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/mips/include/asm/ftrace.h ++++ b/arch/mips/include/asm/ftrace.h +@@ -24,7 +24,7 @@ do { \ + asm volatile ( \ + "1: " load " %[tmp_dst], 0(%[tmp_src])\n" \ + " li %[tmp_err], 0\n" \ +- "2:\n" \ ++ "2: .insn\n" \ + \ + ".section .fixup, \"ax\"\n" \ + "3: li %[tmp_err], 1\n" \ +@@ -46,7 +46,7 @@ do { \ + asm volatile ( \ + "1: " store " %[tmp_src], 0(%[tmp_dst])\n"\ + " li %[tmp_err], 0\n" \ +- "2:\n" \ ++ "2: .insn\n" \ + \ + ".section .fixup, \"ax\"\n" \ + "3: li %[tmp_err], 1\n" \ diff --git a/queue-3.17/mips-loongson2_cpufreq-fix-cpu-clock-rate-setting-mismerge.patch b/queue-3.17/mips-loongson2_cpufreq-fix-cpu-clock-rate-setting-mismerge.patch new file mode 100644 index 00000000000..a837a7ab1a0 --- /dev/null +++ b/queue-3.17/mips-loongson2_cpufreq-fix-cpu-clock-rate-setting-mismerge.patch 
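Review bot: Both hunks change the label to `"2: .insn\n"` without a comment, and the reason — the label precedes the .fixup section and microMIPS needs `.insn` to treat it as an instruction address when the fixup returns to it — exists only in the commit message. Suggest `/* .insn: mark label 2 as code so microMIPS keeps the ISA bit when .fixup returns to it */` above each asm block, so the directive is not later dropped as noise. The two load/store macros start and end outside the hunk.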
@@ -0,0 +1,49 @@ +From aa08ed55442ac6f9810c055e1474be34e785e556 Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sun, 21 Sep 2014 15:38:43 +0300 +Subject: MIPS: loongson2_cpufreq: Fix CPU clock rate setting mismerge + +From: Aaro Koskinen + +commit aa08ed55442ac6f9810c055e1474be34e785e556 upstream. + +During 3.16 merge window, parts of the commit 8e8acb32960f +(MIPS/loongson2_cpufreq: Fix CPU clock rate setting) seem to have +been deleted probably due to a mismerge, and as a result cpufreq +is broken again on Loongson2 boards in 3.16 and newer kernels. +Fix by repeating the fix. + +Signed-off-by: Aaro Koskinen +Cc: Rafael J. Wysocki +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/7835/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/loongson/lemote-2f/clock.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/mips/loongson/lemote-2f/clock.c ++++ b/arch/mips/loongson/lemote-2f/clock.c +@@ -91,6 +91,7 @@ EXPORT_SYMBOL(clk_put); + + int clk_set_rate(struct clk *clk, unsigned long rate) + { ++ unsigned int rate_khz = rate / 1000; + struct cpufreq_frequency_table *pos; + int ret = 0; + int regval; +@@ -107,9 +108,9 @@ int clk_set_rate(struct clk *clk, unsign + propagate_rate(clk); + + cpufreq_for_each_valid_entry(pos, loongson2_clockmod_table) +- if (rate == pos->frequency) ++ if (rate_khz == pos->frequency) + break; +- if (rate != pos->frequency) ++ if (rate_khz != pos->frequency) + return -ENOTSUPP; + + clk->rate = rate; diff --git a/queue-3.17/mips-ptrace.h-add-a-missing-include.patch b/queue-3.17/mips-ptrace.h-add-a-missing-include.patch new file mode 100644 index 00000000000..bfa3738805f --- /dev/null +++ b/queue-3.17/mips-ptrace.h-add-a-missing-include.patch 
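Review bot: `unsigned int rate_khz = rate / 1000;` truncates silently, so a `rate` that is not a whole number of kHz (a constructed example: 797999 Hz) can match a table entry and then be stored unchanged by the later `clk->rate = rate;`, leaving clk->rate inconsistent with the frequency actually selected. Either reject such values up front, `if (rate % 1000) return -EINVAL;`, or store the normalised value, `clk->rate = rate_khz * 1000;`. Whether callers can ever pass a non-kHz rate is outside the hunk, as is the rest of clk_set_rate().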
@@ -0,0 +1,51 @@ +From cdb685ad44996e9a113a10002cb42d40ff29db99 Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Tue, 14 Oct 2014 00:42:08 +0300 +Subject: MIPS: ptrace.h: Add a missing include + +From: Aaro Koskinen + +commit cdb685ad44996e9a113a10002cb42d40ff29db99 upstream. + +Commit a79ebea62010 (MIPS: ptrace: Fix user pt_regs definition, +use in ptrace_{get, set}regs()) converted struct pt_regs to use __u64. +Some userspace applications (e.g. GDB) include this file directly, +and fail to see this type. Fix by including . + +The patch fixes the following build failure with GDB 7.8 when using +GLIBC headers created against Linux 3.17: + +In file included from /home/aaro/los/work/shared/gdb-7.8/gdb/mips-linux-nat.c:37:0: +/home/aaro/los/work/mips/rootfs/mips-linux-gnu/usr/include/asm/ptrace.h:32:2: error: unknown type name '__u64' + __u64 regs[32]; + ^ +/home/aaro/los/work/mips/rootfs/mips-linux-gnu/usr/include/asm/ptrace.h:35:2: error: unknown type name '__u64' + __u64 lo; + ^ +/home/aaro/los/work/mips/rootfs/mips-linux-gnu/usr/include/asm/ptrace.h:36:2: error: unknown type name '__u64' + __u64 hi; + ^ + +Fixes: a79ebea62010 ("MIPS: ptrace: Fix user pt_regs definition, use in ptrace_{get, set}regs()") +Signed-off-by: Aaro Koskinen +Cc: Alex Smith +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/8067/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/uapi/asm/ptrace.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/mips/include/uapi/asm/ptrace.h ++++ b/arch/mips/include/uapi/asm/ptrace.h +@@ -9,6 +9,8 @@ + #ifndef _UAPI_ASM_PTRACE_H + #define _UAPI_ASM_PTRACE_H + ++#include ++ + /* 0 - 31 are integer registers, 32 - 63 are fp registers. */ + #define FPR_BASE 32 + #define PC 64 
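Review bot: The header named on the new `#include` line is missing from this rendering (the description's "Fix by including ." lost it too), so a reader of the page cannot tell what is pulled into the uapi ptrace.h; from the `__u64` errors quoted it is presumably `<linux/types.h>`, which is the uapi-safe provider of that type, but that should be confirmed against the upstream commit. Because this is a uapi header consumed directly by userspace (GDB, per the description), only a uapi-exported include is acceptable here.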
diff --git a/queue-3.17/mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch b/queue-3.17/mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch
new file mode 100644
index 00000000000..902a4f908aa
--- /dev/null
+++ b/queue-3.17/mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch
@@ -0,0 +1,90 @@
+From 9e0f162a36914937a937358fcb45e0609ef2bfc4 Mon Sep 17 00:00:00 2001
+From: David Daney
+Date: Mon, 20 Oct 2014 15:34:23 -0700
+Subject: MIPS: tlbex: Properly fix HUGE TLB Refill exception handler
+
+From: David Daney
+
+commit 9e0f162a36914937a937358fcb45e0609ef2bfc4 upstream.
+
+In commit 8393c524a25609 (MIPS: tlbex: Fix a missing statement for
+HUGETLB), the TLB Refill handler was fixed so that non-OCTEON targets
+would work properly with huge pages. The change was incorrect in that
+it broke the OCTEON case.
+
+The problem is shown here:
+
+ xxx0: df7a0000 ld k0,0(k1)
+ .
+ .
+ .
+ xxxc0: df610000 ld at,0(k1)
+ xxxc4: 335a0ff0 andi k0,k0,0xff0
+ xxxc8: e825ffcd bbit1 at,0x5,0x0
+ xxxcc: 003ad82d daddu k1,at,k0
+ .
+ .
+ .
+
+In the non-octeon case there is a destructive test for the huge PTE
+bit, and then at 0, $k0 is reloaded (that is what the 8393c524a25609
+patch added).
+
+In the octeon case, we modify k1 in the branch delay slot, but we
+never need k0 again, so the new load is not needed, but since k1 is
+modified, if we do the load, we load from a garbage location and then
+get a nested TLB Refill, which is seen in userspace as either SIGBUS
+or SIGSEGV (depending on the garbage).
+
+The real fix is to only do this reloading if it is needed, and never
+where it is harmful.
+
+Signed-off-by: David Daney
+Cc: Huacai Chen
+Cc: Fuxin Zhang
+Cc: Zhangjin Wu
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/8151/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/mm/tlbex.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/mm/tlbex.c
++++ b/arch/mips/mm/tlbex.c
+@@ -1062,6 +1062,7 @@ static void build_update_entries(u32 **p
+ struct mips_huge_tlb_info {
+ int huge_pte;
+ int restore_scratch;
++ bool need_reload_pte;
+ };
+
+ static struct mips_huge_tlb_info
+@@ -1076,6 +1077,7 @@ build_fast_tlb_refill_handler (u32 **p,
+
+ rv.huge_pte = scratch;
+ rv.restore_scratch = 0;
++ rv.need_reload_pte = false;
+
+ if (check_for_high_segbits) {
+ UASM_i_MFC0(p, tmp, C0_BADVADDR);
+@@ -1264,6 +1266,7 @@ static void build_r4000_tlb_refill_handl
+ } else {
+ htlb_info.huge_pte = K0;
+ htlb_info.restore_scratch = 0;
++ htlb_info.need_reload_pte = true;
+ vmalloc_mode = refill_noscratch;
+ /*
+ * create the plain linear handler
+@@ -1300,7 +1303,8 @@ static void build_r4000_tlb_refill_handl
+ }
+#ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT
+ uasm_l_tlb_huge_update(&l, p);
+- UASM_i_LW(&p, K0, 0, K1);
++ if (htlb_info.need_reload_pte)
++ UASM_i_LW(&p, htlb_info.huge_pte, 0, K1);
+ build_huge_update_entries(&p, htlb_info.huge_pte, K1);
+ build_huge_tlb_write_entry(&p, &l, &r, K0, tlb_random,
+ htlb_info.restore_scratch);
diff --git a/queue-3.17/qla_target-don-t-delete-changed-nacls.patch b/queue-3.17/qla_target-don-t-delete-changed-nacls.patch
new file mode 100644
index 00000000000..3aea0d0f373
--- /dev/null
+++ b/queue-3.17/qla_target-don-t-delete-changed-nacls.patch
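Review bot: The new `need_reload_pte` field in `struct mips_huge_tlb_info` carries the whole reason for this fix but is declared without a comment, so a reader of tlbex.c sees a flag that is `false` on the scratch-register path and `true` on the K0 path without the explanation that only the commit message gives (on the scratch path k1 has already been modified in the branch delay slot, so a reload from 0(K1) reads a garbage address and triggers a nested refill). I would document it at the declaration: `bool need_reload_pte; /* reload the PTE from 0(K1) at tlb_huge_update; only valid on the K0/no-scratch path, where K1 is still the PTE pointer */`. The un-braced `if (htlb_info.need_reload_pte)` is fine provided `UASM_i_LW` expands to a single statement, which this hunk does not show. `build_r4000_tlb_refill_handler` begins and ends outside the hunk, so the other assignments to `htlb_info` are assumed, not verified, here.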
@@ -0,0 +1,42 @@
+From f4c24db1b7ad0ce84409e15744d26c6f86a96840 Mon Sep 17 00:00:00 2001
+From: Joern Engel
+Date: Fri, 3 Oct 2014 14:35:56 -0700
+Subject: qla_target: don't delete changed nacls
+
+From: Joern Engel
+
+commit f4c24db1b7ad0ce84409e15744d26c6f86a96840 upstream.
+
+The code is currently riddled with "drop the hardware_lock to avoid a
+deadlock" bugs that expose races. One of those races seems to expose a
+valid warning in tcm_qla2xxx_clear_nacl_from_fcport_map. Add some
+bandaid to it.
+
+Signed-off-by: Joern Engel
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/tcm_qla2xxx.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+@@ -757,7 +757,16 @@ static void tcm_qla2xxx_clear_nacl_from_
+ pr_debug("fc_rport domain: port_id 0x%06x\n", nacl->nport_id);
+
+ node = btree_remove32(&lport->lport_fcport_map, nacl->nport_id);
+- WARN_ON(node && (node != se_nacl));
++ if (WARN_ON(node && (node != se_nacl))) {
++ /*
++ * The nacl no longer matches what we think it should be.
++ * Most likely a new dynamic acl has been added while
++ * someone dropped the hardware lock. It clearly is a
++ * bug elsewhere, but this bit can't make things worse.
++ */
++ btree_insert32(&lport->lport_fcport_map, nacl->nport_id,
++ node, GFP_ATOMIC);
++ }
+
+ pr_debug("Removed from fcport_map: %p for WWNN: 0x%016LX, port_id: 0x%06x\n",
+ se_nacl, nacl->nport_wwnn, nacl->nport_id);
diff --git a/queue-3.17/series b/queue-3.17/series
index 626d95cc3ca..8a3d13a04a6 100644
--- a/queue-3.17/series
+++ b/queue-3.17/series
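Review bot: The restoring `btree_insert32(&lport->lport_fcport_map, nacl->nport_id, node, GFP_ATOMIC)` discards its return value, and an atomic insert can fail to allocate a node, in which case the foreign nacl is dropped from the map after all and the only trace is the WARN that preceded it — the very outcome the bandaid is meant to avoid. I would at least check it: `if (btree_insert32(&lport->lport_fcport_map, nacl->nport_id, node, GFP_ATOMIC)) pr_err("failed to restore fcport_map entry for port_id 0x%06x\n", nacl->nport_id);`. After the restore the function still falls through to `pr_debug("Removed from fcport_map: ...")` and whatever teardown follows, so the log now claims a removal that was just undone; moving that message under the matched case, or returning once the mismatch is detected, would make the path honest. `tcm_qla2xxx_clear_nacl_from_fcport_map` continues beyond the hunk, so what follows the second pr_debug is assumed here.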
@@ -109,3 +109,40 @@ drm-vmwgfx-fix-drm.h-include.patch
 drm-tilcdc-fix-the-error-path-in-tilcdc_load.patch
 drm-nouveau-bios-memset-dcb-struct-to-zero-before-parsing.patch
 drm-gt214-kms-fix-hda-eld-regression.patch
+media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch
+media-usb-uvc-add-a-quirk-for-dell-xps-m1330-webcam.patch
+media-em28xx-check-if-a-device-has-audio-earlier.patch
+media-siano-add-support-for-pctv-77e.patch
+media-m88ts2022-fix-32bit-overflow-on-filter-calc.patch
+media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch
+media-em28xx-v4l-fix-video-buffer-field-order-reporting-in-progressive-mode.patch
+media-imon-fix-other-rc-type-protocol-support.patch
+media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch
+media-rc-core-fix-protocol_change-regression-in-ir_raw_event_register.patch
+media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch
+media-vmalloc_sg-off-by-one-in-error-handling.patch
+kvm-emulate-avoid-accessing-null-ctxt-memopp.patch
+kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch
+kvm-x86-decoding-guest-instructions-which-cross-page-boundary-may-fail.patch
+kvm-x86-emulator-does-not-decode-clflush-well.patch
+kvm-x86-prefetch-and-hint_nop-should-have-srcmem-flag.patch
+kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch
+kvm-x86-improve-thread-safety-in-pit.patch
+kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch
+kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch
+kvm-x86-fix-wrong-masking-on-relative-jump-call.patch
+kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch
+kvm-x86-handle-errors-when-rip-is-set-during-far-jumps.patch
+kvm-vmx-handle-invvpid-vm-exit-gracefully.patch
+arc-allow-headless-models-to-boot.patch
+arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch
+arc-unbork-fpu-save-restore.patch
+qla_target-don-t-delete-changed-nacls.patch
+iser-target-disable-tx-completion-interrupt-coalescing.patch
+target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch
+target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch
+mips-ptrace.h-add-a-missing-include.patch
+mips-loongson2_cpufreq-fix-cpu-clock-rate-setting-mismerge.patch
+mips-cp1emu-fix-isa-restrictions-for-cop1x_op-instructions.patch
+mips-ftrace-fix-a-micromips-build-problem.patch
+mips-tlbex-properly-fix-huge-tlb-refill-exception-handler.patch
diff --git a/queue-3.17/target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch b/queue-3.17/target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch
new file mode 100644
index 00000000000..b32cd5155da
--- /dev/null
+++ b/queue-3.17/target-fix-aptpl-metadata-handling-for-dynamic-mappedluns.patch
@@ -0,0 +1,93 @@
+From e24805637d2d270d7975502e9024d473de86afdb Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Sat, 4 Oct 2014 04:23:15 +0000
+Subject: target: Fix APTPL metadata handling for dynamic MappedLUNs
+
+From: Nicholas Bellinger
+
+commit e24805637d2d270d7975502e9024d473de86afdb upstream.
+
+This patch fixes a bug in handling of SPC-3 PR Activate Persistence
+across Target Power Loss (APTPL) logic where re-creation of state for
+MappedLUNs from dynamically generated NodeACLs did not occur during
+I_T Nexus establishment.
+
+It adds the missing core_scsi3_check_aptpl_registration() call during
+core_tpg_check_initiator_node_acl() -> core_tpg_add_node_to_devs() in
+order to replay any pre-loaded APTPL metadata state associated with
+the newly connected SCSI Initiator Port.
+
+Cc: Mike Christie
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_device.c | 3 ++-
+ drivers/target/target_core_pr.c | 6 +++---
+ drivers/target/target_core_pr.h | 2 +-
+ drivers/target/target_core_tpg.c | 8 ++++++++
+ 4 files changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -1409,7 +1409,8 @@ int core_dev_add_initiator_node_lun_acl(
+ * Check to see if there are any existing persistent reservation APTPL
+ * pre-registrations that need to be enabled for this LUN ACL..
+ */
+- core_scsi3_check_aptpl_registration(lun->lun_se_dev, tpg, lun, lacl);
++ core_scsi3_check_aptpl_registration(lun->lun_se_dev, tpg, lun, nacl,
++ lacl->mapped_lun);
+ return 0;
+ }
+
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -944,10 +944,10 @@ int core_scsi3_check_aptpl_registration(
+ struct se_device *dev,
+ struct se_portal_group *tpg,
+ struct se_lun *lun,
+- struct se_lun_acl *lun_acl)
++ struct se_node_acl *nacl,
++ u32 mapped_lun)
+ {
+- struct se_node_acl *nacl = lun_acl->se_lun_nacl;
+- struct se_dev_entry *deve = nacl->device_list[lun_acl->mapped_lun];
++ struct se_dev_entry *deve = nacl->device_list[mapped_lun];
+
+ if (dev->dev_reservation_flags & DRF_SPC2_RESERVATIONS)
+ return 0;
+--- a/drivers/target/target_core_pr.h
++++ b/drivers/target/target_core_pr.h
+@@ -60,7 +60,7 @@ extern int core_scsi3_alloc_aptpl_regist
+ unsigned char *, u16, u32, int, int, u8);
+ extern int core_scsi3_check_aptpl_registration(struct se_device *,
+ struct se_portal_group *, struct se_lun *,
+- struct se_lun_acl *);
++ struct se_node_acl *, u32);
+ extern void core_scsi3_free_pr_reg_from_nacl(struct se_device *,
+ struct se_node_acl *);
+ extern void core_scsi3_free_all_registrations(struct se_device *);
+--- a/drivers/target/target_core_tpg.c
++++ b/drivers/target/target_core_tpg.c
+@@ -40,6 +40,7 @@
+ #include
+
+ #include "target_core_internal.h"
++#include "target_core_pr.h"
+
+ extern struct se_device *g_lun0_dev;
+
+@@ -166,6 +167,13 @@ void core_tpg_add_node_to_devs(
+
+ core_enable_device_list_for_node(lun, NULL, lun->unpacked_lun,
+ lun_access, acl, tpg);
++ /*
++ * Check to see if there are any existing persistent reservation
++ * APTPL pre-registrations that need to be enabled for this dynamic
++ * LUN ACL now..
++ */
++ core_scsi3_check_aptpl_registration(dev, tpg, lun, acl,
++ lun->unpacked_lun);
+ spin_lock(&tpg->tpg_lun_lock);
+ }
+ spin_unlock(&tpg->tpg_lun_lock);
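Review bot: `core_scsi3_check_aptpl_registration()` now indexes `nacl->device_list[mapped_lun]` with a value supplied by the caller instead of one read from an already-created `se_lun_acl`; the two visible callers pass `lacl->mapped_lun` and `lun->unpacked_lun`, which come from existing objects, but nothing at the new parameter states or checks that bound, so the widened interface should carry either a bounds check against the size of `device_list` or at least a comment such as `/* mapped_lun must be a valid index into nacl->device_list; callers pass an existing MappedLUN */`. The function returns `int` and the new tpg.c caller discards it exactly as the device.c caller already did, so if a non-zero result signals a failed APTPL replay it is invisible on the dynamic-ACL path too; a `pr_err` on failure would make a lost reservation registration diagnosable. The new call in `core_tpg_add_node_to_devs()` sits in the window where `tpg_lun_lock` has been dropped (the `spin_lock(&tpg->tpg_lun_lock)` re-acquire follows it), the same window `core_enable_device_list_for_node()` already runs in, which looks intentional. `core_tpg_add_node_to_devs` and `core_scsi3_check_aptpl_registration` both begin or end outside the hunk.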
diff --git a/queue-3.17/target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch b/queue-3.17/target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch
new file mode 100644
index 00000000000..0b0b216f36a
--- /dev/null
+++ b/queue-3.17/target-fix-queue-full-status-null-pointer-for-scf_transport_task_sense.patch
@@ -0,0 +1,45 @@
+From 082f58ac4a48d3f5cb4597232cb2ac6823a96f43 Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Thu, 25 Sep 2014 06:22:28 -0400
+Subject: target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE
+
+From: Quinn Tran
+
+commit 082f58ac4a48d3f5cb4597232cb2ac6823a96f43 upstream.
+
+During temporary resource starvation at lower transport layer, command
+is placed on queue full retry path, which expose this problem. The TCM
+queue full handling of SCF_TRANSPORT_TASK_SENSE currently sends the same
+cmd twice to lower layer. The 1st time led to cmd normal free path.
+The 2nd time cause Null pointer access.
+
+This regression bug was originally introduced v3.1-rc code in the
+following commit:
+
+commit e057f53308a5f071556ee80586b99ee755bf07f5
+Author: Christoph Hellwig
+Date: Mon Oct 17 13:56:41 2011 -0400
+
+ target: remove the transport_qf_callback se_cmd callback
+
+Signed-off-by: Quinn Tran
+Signed-off-by: Saurav Kashyap
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/target_core_transport.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -1877,8 +1877,7 @@ static void transport_complete_qf(struct
+ if (cmd->se_cmd_flags & SCF_TRANSPORT_TASK_SENSE) {
+ trace_target_cmd_complete(cmd);
+ ret = cmd->se_tfo->queue_status(cmd);
+- if (ret)
+- goto out;
++ goto out;
+ }
+
+ switch (cmd->data_direction) {
-- 
2.47.3
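Review bot: The unconditional `goto out;` after `queue_status()` is the fix, but nothing in the code says why the data-direction switch must be skipped, and the replaced `if (ret) goto out;` looked deliberate enough that a later cleanup could put it back and reintroduce the double submission. I would add a comment above the goto: `/* Status (with sense) has been handed to the fabric; do not fall through to the data-direction switch or the same cmd is queued a second time, after the first completion has already freed it. */`. `ret` is still carried to the `out:` label, which lies outside the hunk, so the assumption that `out:` distinguishes the queue-full retry case from normal completion on that value is taken from the original `if (ret) goto out;` rather than from visible lines. `transport_complete_qf` begins and ends outside the hunk.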