3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 6 May 2014 22:36:31 +0000 (15:36 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 6 May 2014 22:36:31 +0000 (15:36 -0700)
added patches:
arm-kvm-fix-possible-misalignment-of-pgds-and-bounce-page.patch
floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
kvm-arm-vgic-fix-sgi-dispatch-problem.patch
kvm-async_pf-mm-mm_users-can-not-pin-apf-mm.patch
kvm-ioapic-fix-assignment-of-ioapic-rtc_status.pending_eoi-cve-2014-0155.patch
kvm-ppc-book3s-hv-fix-kvm-hang-with-config_kvm_xics-n.patch
mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
mips-kvm-pass-reserved-instruction-exceptions-to-guest.patch
mpt2sas-don-t-disable-device-twice-at-suspend.patch
powerpc-compat-32-bit-little-endian-machine-name-is-ppcle-not-ppc.patch
tools-virtio-add-a-missing.patch
virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch
virtio-scsi-skip-setting-affinity-on-uninitialized-vq.patch

15 files changed:
queue-3.14/arm-kvm-fix-possible-misalignment-of-pgds-and-bounce-page.patch [new file with mode: 0644]
queue-3.14/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch [new file with mode: 0644]
queue-3.14/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch [new file with mode: 0644]
queue-3.14/kvm-arm-vgic-fix-sgi-dispatch-problem.patch [new file with mode: 0644]
queue-3.14/kvm-async_pf-mm-mm_users-can-not-pin-apf-mm.patch [new file with mode: 0644]
queue-3.14/kvm-ioapic-fix-assignment-of-ioapic-rtc_status.pending_eoi-cve-2014-0155.patch [new file with mode: 0644]
queue-3.14/kvm-ppc-book3s-hv-fix-kvm-hang-with-config_kvm_xics-n.patch [new file with mode: 0644]
queue-3.14/mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch [new file with mode: 0644]
queue-3.14/mips-kvm-pass-reserved-instruction-exceptions-to-guest.patch [new file with mode: 0644]
queue-3.14/mpt2sas-don-t-disable-device-twice-at-suspend.patch [new file with mode: 0644]
queue-3.14/powerpc-compat-32-bit-little-endian-machine-name-is-ppcle-not-ppc.patch [new file with mode: 0644]
queue-3.14/series
queue-3.14/tools-virtio-add-a-missing.patch [new file with mode: 0644]
queue-3.14/virtio-scsi-skip-setting-affinity-on-uninitialized-vq.patch [new file with mode: 0644]
queue-3.14/virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch [new file with mode: 0644]

diff --git a/queue-3.14/arm-kvm-fix-possible-misalignment-of-pgds-and-bounce-page.patch b/queue-3.14/arm-kvm-fix-possible-misalignment-of-pgds-and-bounce-page.patch
new file mode 100644 (file)
index 0000000..39f85b1
--- /dev/null
@@ -0,0 +1,87 @@
+From 5d4e08c45a6cf8f1ab3c7fa375007635ac569165 Mon Sep 17 00:00:00 2001
+From: Mark Salter <msalter@redhat.com>
+Date: Fri, 28 Mar 2014 14:25:19 +0000
+Subject: arm: KVM: fix possible misalignment of PGDs and bounce page
+
+From: Mark Salter <msalter@redhat.com>
+
+commit 5d4e08c45a6cf8f1ab3c7fa375007635ac569165 upstream.
+
+The kvm/mmu code shared by arm and arm64 uses kalloc() to allocate
+a bounce page (if hypervisor init code crosses page boundary) and
+hypervisor PGDs. The problem is that kalloc() does not guarantee
+the proper alignment. In the case of the bounce page, the page sized
+buffer allocated may also cross a page boundary negating the purpose
+and leading to a hang during kvm initialization. Likewise the PGDs
+allocated may not meet the minimum alignment requirements of the
+underlying MMU. This patch uses __get_free_page() to guarantee the
+worst case alignment needs of the bounce page and PGDs on both arm
+and arm64.
+
+Signed-off-by: Mark Salter <msalter@redhat.com>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kvm/mmu.c |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -42,6 +42,8 @@ static unsigned long hyp_idmap_start;
+ static unsigned long hyp_idmap_end;
+ static phys_addr_t hyp_idmap_vector;
++#define pgd_order get_order(PTRS_PER_PGD * sizeof(pgd_t))
++
+ #define kvm_pmd_huge(_x)      (pmd_huge(_x) || pmd_trans_huge(_x))
+ static void kvm_tlb_flush_vmid_ipa(struct kvm *kvm, phys_addr_t ipa)
+@@ -199,14 +201,14 @@ void free_boot_hyp_pgd(void)
+       if (boot_hyp_pgd) {
+               unmap_range(NULL, boot_hyp_pgd, hyp_idmap_start, PAGE_SIZE);
+               unmap_range(NULL, boot_hyp_pgd, TRAMPOLINE_VA, PAGE_SIZE);
+-              kfree(boot_hyp_pgd);
++              free_pages((unsigned long)boot_hyp_pgd, pgd_order);
+               boot_hyp_pgd = NULL;
+       }
+       if (hyp_pgd)
+               unmap_range(NULL, hyp_pgd, TRAMPOLINE_VA, PAGE_SIZE);
+-      kfree(init_bounce_page);
++      free_page((unsigned long)init_bounce_page);
+       init_bounce_page = NULL;
+       mutex_unlock(&kvm_hyp_pgd_mutex);
+@@ -236,7 +238,7 @@ void free_hyp_pgds(void)
+               for (addr = VMALLOC_START; is_vmalloc_addr((void*)addr); addr += PGDIR_SIZE)
+                       unmap_range(NULL, hyp_pgd, KERN_TO_HYP(addr), PGDIR_SIZE);
+-              kfree(hyp_pgd);
++              free_pages((unsigned long)hyp_pgd, pgd_order);
+               hyp_pgd = NULL;
+       }
+@@ -930,7 +932,7 @@ int kvm_mmu_init(void)
+               size_t len = __hyp_idmap_text_end - __hyp_idmap_text_start;
+               phys_addr_t phys_base;
+-              init_bounce_page = kmalloc(PAGE_SIZE, GFP_KERNEL);
++              init_bounce_page = (void *)__get_free_page(GFP_KERNEL);
+               if (!init_bounce_page) {
+                       kvm_err("Couldn't allocate HYP init bounce page\n");
+                       err = -ENOMEM;
+@@ -956,8 +958,9 @@ int kvm_mmu_init(void)
+                        (unsigned long)phys_base);
+       }
+-      hyp_pgd = kzalloc(PTRS_PER_PGD * sizeof(pgd_t), GFP_KERNEL);
+-      boot_hyp_pgd = kzalloc(PTRS_PER_PGD * sizeof(pgd_t), GFP_KERNEL);
++      hyp_pgd = (pgd_t *)__get_free_pages(GFP_KERNEL | __GFP_ZERO, pgd_order);
++      boot_hyp_pgd = (pgd_t *)__get_free_pages(GFP_KERNEL | __GFP_ZERO, pgd_order);
++
+       if (!hyp_pgd || !boot_hyp_pgd) {
+               kvm_err("Hyp mode PGD not allocated\n");
+               err = -ENOMEM;
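Review bot: The unconditional `free_page((unsigned long)init_bounce_page);` in free_boot_hyp_pgd() replaces a `kfree()` that was NULL-safe, and nothing in the new code says why the call is still safe when no bounce page was allocated (the commit message says one is only allocated when the init code crosses a page boundary). free_pages() ignores a zero address, so behaviour is unchanged, but a short comment such as `/* free_page(0) is a no-op, like kfree(NULL) */` would keep a later reader from adding or dropping a guard by mistake. The same reliance presumably applies when only one of `hyp_pgd` / `boot_hyp_pgd` is allocated in kvm_mmu_init(), whose cleanup path lies outside these hunks.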
diff --git a/queue-3.14/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch b/queue-3.14/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
new file mode 100644 (file)
index 0000000..ed49604
--- /dev/null
@@ -0,0 +1,35 @@
+From 2145e15e0557a01b9195d1c7199a1b92cb9be81f Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattd@bugfuzz.com>
+Date: Mon, 28 Apr 2014 19:05:21 +1200
+Subject: floppy: don't write kernel-only members to FDRAWCMD ioctl output
+
+From: Matthew Daley <mattd@bugfuzz.com>
+
+commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f upstream.
+
+Do not leak kernel-only floppy_raw_cmd structure members to userspace.
+This includes the linked-list pointer and the pointer to the allocated
+DMA space.
+
+Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/floppy.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void
+       int ret;
+       while (ptr) {
+-              ret = copy_to_user(param, ptr, sizeof(*ptr));
++              struct floppy_raw_cmd cmd = *ptr;
++              cmd.next = NULL;
++              cmd.kernel_data = NULL;
++              ret = copy_to_user(param, &cmd, sizeof(cmd));
+               if (ret)
+                       return -EFAULT;
+               param += sizeof(struct floppy_raw_cmd);
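Review bot: The new local `struct floppy_raw_cmd cmd` shadows the `int cmd` parameter shown in the hunk header for raw_cmd_copyout(), which makes the loop body easy to misread and trips `-Wshadow`; a distinct name such as `struct floppy_raw_cmd out = *ptr;` avoids that. Separately, the buffer handed to copy_to_user() is now a stack object filled by struct assignment, and C does not guarantee that assignment copies padding bytes, so if `struct floppy_raw_cmd` has padding (its layout is not visible here) those bytes could carry stale stack contents to userspace. Filling the copy with `memcpy(&out, ptr, sizeof(out));` before clearing `next` and `kernel_data` would make every output byte come from the source object. The rest of raw_cmd_copyout() lies outside the hunk.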
diff --git a/queue-3.14/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch b/queue-3.14/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
new file mode 100644 (file)
index 0000000..9ade1d5
--- /dev/null
@@ -0,0 +1,45 @@
+From ef87dbe7614341c2e7bfe8d32fcb7028cc97442c Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattd@bugfuzz.com>
+Date: Mon, 28 Apr 2014 19:05:20 +1200
+Subject: floppy: ignore kernel-only members in FDRAWCMD ioctl input
+
+From: Matthew Daley <mattd@bugfuzz.com>
+
+commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream.
+
+Always clear out these floppy_raw_cmd struct members after copying the
+entire structure from userspace so that the in-kernel version is always
+valid and never left in an interdeterminate state.
+
+Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/floppy.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3107,10 +3107,11 @@ loop:
+               return -ENOMEM;
+       *rcmd = ptr;
+       ret = copy_from_user(ptr, param, sizeof(*ptr));
+-      if (ret)
+-              return -EFAULT;
+       ptr->next = NULL;
+       ptr->buffer_length = 0;
++      ptr->kernel_data = NULL;
++      if (ret)
++              return -EFAULT;
+       param += sizeof(struct floppy_raw_cmd);
+       if (ptr->cmd_count > 33)
+                       /* the command may now also take up the space
+@@ -3126,7 +3127,6 @@ loop:
+       for (i = 0; i < 16; i++)
+               ptr->reply[i] = 0;
+       ptr->resultcode = 0;
+-      ptr->kernel_data = NULL;
+       if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
+               if (ptr->length <= 0)
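Review bot: Nothing at the moved assignments explains why `ptr->next`, `ptr->buffer_length` and `ptr->kernel_data` are now cleared before the `if (ret) return -EFAULT;` check, and that ordering is the whole fix. `*rcmd = ptr` is already set at that point, so presumably the caller's cleanup walks the list on the error return and would otherwise follow userspace-supplied pointers left by a partial copy; that cleanup is outside the hunk. A comment such as `/* clear kernel-only members before any error return: *rcmd already points here and cleanup follows next/kernel_data */` would stop a later tidy-up from moving the error check back up.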
diff --git a/queue-3.14/kvm-arm-vgic-fix-sgi-dispatch-problem.patch b/queue-3.14/kvm-arm-vgic-fix-sgi-dispatch-problem.patch
new file mode 100644 (file)
index 0000000..fa9d92a
--- /dev/null
@@ -0,0 +1,32 @@
+From 91021a6c8ffdc55804dab5acdfc7de4f278b9ac3 Mon Sep 17 00:00:00 2001
+From: Haibin Wang <wanghaibin.wang@huawei.com>
+Date: Thu, 10 Apr 2014 13:14:32 +0100
+Subject: KVM: ARM: vgic: Fix sgi dispatch problem
+
+From: Haibin Wang <wanghaibin.wang@huawei.com>
+
+commit 91021a6c8ffdc55804dab5acdfc7de4f278b9ac3 upstream.
+
+When dispatch SGI(mode == 0), that is the vcpu of VM should send
+sgi to the cpu which the target_cpus list.
+So, there must add the "break" to branch of case 0.
+
+Signed-off-by: Haibin Wang <wanghaibin.wang@huawei.com>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/vgic.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/virt/kvm/arm/vgic.c
++++ b/virt/kvm/arm/vgic.c
+@@ -916,6 +916,7 @@ static void vgic_dispatch_sgi(struct kvm
+       case 0:
+               if (!target_cpus)
+                       return;
++              break;
+       case 1:
+               target_cpus = ((1 << nrcpus) - 1) & ~(1 << vcpu_id) & 0xff;
diff --git a/queue-3.14/kvm-async_pf-mm-mm_users-can-not-pin-apf-mm.patch b/queue-3.14/kvm-async_pf-mm-mm_users-can-not-pin-apf-mm.patch
new file mode 100644 (file)
index 0000000..9227b1f
--- /dev/null
@@ -0,0 +1,65 @@
+From 41c22f626254b9dc0376928cae009e73d1b6a49a Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Mon, 21 Apr 2014 15:26:01 +0200
+Subject: KVM: async_pf: mm->mm_users can not pin apf->mm
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit 41c22f626254b9dc0376928cae009e73d1b6a49a upstream.
+
+get_user_pages(mm) is simply wrong if mm->mm_users == 0 and exit_mmap/etc
+was already called (or is in progress), mm->mm_count can only pin mm->pgd
+and mm_struct itself.
+
+Change kvm_setup_async_pf/async_pf_execute to inc/dec mm->mm_users.
+
+kvm_create_vm/kvm_destroy_vm play with ->mm_count too but this case looks
+fine at first glance, it seems that this ->mm is only used to verify that
+current->mm == kvm->mm.
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/async_pf.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/virt/kvm/async_pf.c
++++ b/virt/kvm/async_pf.c
+@@ -85,7 +85,7 @@ static void async_pf_execute(struct work
+       if (waitqueue_active(&vcpu->wq))
+               wake_up_interruptible(&vcpu->wq);
+-      mmdrop(mm);
++      mmput(mm);
+       kvm_put_kvm(vcpu->kvm);
+ }
+@@ -98,7 +98,7 @@ void kvm_clear_async_pf_completion_queue
+                                  typeof(*work), queue);
+               list_del(&work->queue);
+               if (cancel_work_sync(&work->work)) {
+-                      mmdrop(work->mm);
++                      mmput(work->mm);
+                       kvm_put_kvm(vcpu->kvm); /* == work->vcpu->kvm */
+                       kmem_cache_free(async_pf_cache, work);
+               }
+@@ -162,7 +162,7 @@ int kvm_setup_async_pf(struct kvm_vcpu *
+       work->addr = gfn_to_hva(vcpu->kvm, gfn);
+       work->arch = *arch;
+       work->mm = current->mm;
+-      atomic_inc(&work->mm->mm_count);
++      atomic_inc(&work->mm->mm_users);
+       kvm_get_kvm(work->vcpu->kvm);
+       /* this can't really happen otherwise gfn_to_pfn_async
+@@ -180,7 +180,7 @@ int kvm_setup_async_pf(struct kvm_vcpu *
+       return 1;
+ retry_sync:
+       kvm_put_kvm(work->vcpu->kvm);
+-      mmdrop(work->mm);
++      mmput(work->mm);
+       kmem_cache_free(async_pf_cache, work);
+       return 0;
+ }
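Review bot: The bare `atomic_inc(&work->mm->mm_users);` in kvm_setup_async_pf() gives no hint of why it takes an mm_users reference rather than mm_count, and the three `mmput()` calls depend on that choice. A comment like `/* pin the address space, not just mm_struct: the worker calls get_user_pages() on work->mm */` would record the invariant from the commit message next to the code. It is also worth a note at `mmput(mm)` in async_pf_execute() that the final put can now tear down the whole address space from the worker and that mmput() may sleep; whether all three call sites allow that is not visible in these hunks.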
diff --git a/queue-3.14/kvm-ioapic-fix-assignment-of-ioapic-rtc_status.pending_eoi-cve-2014-0155.patch b/queue-3.14/kvm-ioapic-fix-assignment-of-ioapic-rtc_status.pending_eoi-cve-2014-0155.patch
new file mode 100644 (file)
index 0000000..280d404
--- /dev/null
@@ -0,0 +1,38 @@
+From 5678de3f15010b9022ee45673f33bcfc71d47b60 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 28 Mar 2014 20:41:50 +0100
+Subject: KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155)
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 5678de3f15010b9022ee45673f33bcfc71d47b60 upstream.
+
+QE reported that they got the BUG_ON in ioapic_service to trigger.
+I cannot reproduce it, but there are two reasons why this could happen.
+
+The less likely but also easiest one, is when kvm_irq_delivery_to_apic
+does not deliver to any APIC and returns -1.
+
+Because irqe.shorthand == 0, the kvm_for_each_vcpu loop in that
+function is never reached.  However, you can target the similar loop in
+kvm_irq_delivery_to_apic_fast; just program a zero logical destination
+address into the IOAPIC, or an out-of-range physical destination address.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/ioapic.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/virt/kvm/ioapic.c
++++ b/virt/kvm/ioapic.c
+@@ -306,7 +306,7 @@ static int ioapic_deliver(struct kvm_ioa
+               BUG_ON(ioapic->rtc_status.pending_eoi != 0);
+               ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe,
+                               ioapic->rtc_status.dest_map);
+-              ioapic->rtc_status.pending_eoi = ret;
++              ioapic->rtc_status.pending_eoi = (ret < 0 ? 0 : ret);
+       } else
+               ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, NULL);
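Review bot: The clamp on `pending_eoi` covers only the negative return, while the context line `BUG_ON(ioapic->rtc_status.pending_eoi != 0);` just above still turns any leftover count into a host panic, and the commit message says there are two ways to reach it but describes only one. Since the message also states that the condition follows from how the guest programs the IOAPIC destination, a host-fatal assertion on this state deserves a second look; `WARN_ON_ONCE(...)` followed by resetting the count would limit the impact, if the maintainers agree the state is recoverable. At minimum a comment on the new line, e.g. `/* -1 means no APIC took the interrupt; never store a negative count */`, would document the fix. ioapic_deliver() starts and ends outside the hunk.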
diff --git a/queue-3.14/kvm-ppc-book3s-hv-fix-kvm-hang-with-config_kvm_xics-n.patch b/queue-3.14/kvm-ppc-book3s-hv-fix-kvm-hang-with-config_kvm_xics-n.patch
new file mode 100644 (file)
index 0000000..91e7ff1
--- /dev/null
@@ -0,0 +1,47 @@
+From 7505258c5fcb0a1cc3c76a47b4cf9506d21d10e6 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Tue, 25 Mar 2014 10:47:01 +1100
+Subject: KVM: PPC: Book3S HV: Fix KVM hang with CONFIG_KVM_XICS=n
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 7505258c5fcb0a1cc3c76a47b4cf9506d21d10e6 upstream.
+
+I noticed KVM is broken when KVM in-kernel XICS emulation
+(CONFIG_KVM_XICS) is disabled.
+
+The problem was introduced in 48eaef05 (KVM: PPC: Book3S HV: use
+xics_wake_cpu only when defined). It used CONFIG_KVM_XICS to wrap
+xics_wake_cpu, where CONFIG_PPC_ICP_NATIVE should have been
+used.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Paul Mackerras <paulus@samba.org>
+Acked-by: Scott Wood <scottwood@freescale.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_hv.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -86,7 +86,7 @@ static void kvmppc_fast_vcpu_kick_hv(str
+       /* CPU points to the first thread of the core */
+       if (cpu != me && cpu >= 0 && cpu < nr_cpu_ids) {
+-#ifdef CONFIG_KVM_XICS
++#ifdef CONFIG_PPC_ICP_NATIVE
+               int real_cpu = cpu + vcpu->arch.ptid;
+               if (paca[real_cpu].kvm_hstate.xics_phys)
+                       xics_wake_cpu(real_cpu);
+@@ -1360,9 +1360,7 @@ static void kvmppc_start_thread(struct k
+       smp_wmb();
+ #if defined(CONFIG_PPC_ICP_NATIVE) && defined(CONFIG_SMP)
+       if (cpu != smp_processor_id()) {
+-#ifdef CONFIG_KVM_XICS
+               xics_wake_cpu(cpu);
+-#endif
+               if (vcpu->arch.ptid)
+                       ++vc->n_woken;
+       }
diff --git a/queue-3.14/mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch b/queue-3.14/mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
new file mode 100644 (file)
index 0000000..f5e4280
--- /dev/null
@@ -0,0 +1,45 @@
+From c14af233fbe279d0e561ecf84f1208b1bae087ef Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Sat, 22 Mar 2014 17:21:44 +0800
+Subject: MIPS: Hibernate: Flush TLB entries in swsusp_arch_resume()
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit c14af233fbe279d0e561ecf84f1208b1bae087ef upstream.
+
+The original MIPS hibernate code flushes cache and TLB entries in
+swsusp_arch_resume(). But they are removed in Commit 44eeab67416711
+(MIPS: Hibernation: Remove SMP TLB and cacheflushing code.). A cross-
+CPU flush is surely unnecessary because all but the local CPU have
+already been disabled. But a local flush (at least the TLB flush) is
+needed. When we do hibernation on Loongson-3 with an E1000E NIC, it is
+very easy to produce a kernel panic (kernel page fault, or unaligned
+access). The root cause is E1000E driver use vzalloc_node() to allocate
+pages, the stale TLB entries of the booting kernel will be misused by
+the resumed target kernel.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Cc: John Crispin <john@phrozen.org>
+Cc: Steven J. Hill <Steven.Hill@imgtec.com>
+Cc: Aurelien Jarno <aurelien@aurel32.net>
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Patchwork: https://patchwork.linux-mips.org/patch/6643/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/power/hibernate.S |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/power/hibernate.S
++++ b/arch/mips/power/hibernate.S
+@@ -43,6 +43,7 @@ LEAF(swsusp_arch_resume)
+       bne t1, t3, 1b
+       PTR_L t0, PBE_NEXT(t0)
+       bnez t0, 0b
++      jal local_flush_tlb_all /* Avoid TLB mismatch after kernel resume */
+       PTR_LA t0, saved_regs
+       PTR_L ra, PT_R31(t0)
+       PTR_L sp, PT_R29(t0)
diff --git a/queue-3.14/mips-kvm-pass-reserved-instruction-exceptions-to-guest.patch b/queue-3.14/mips-kvm-pass-reserved-instruction-exceptions-to-guest.patch
new file mode 100644 (file)
index 0000000..f4b2c76
--- /dev/null
@@ -0,0 +1,72 @@
+From 15505679362270d02c449626385cb74af8905514 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Fri, 14 Mar 2014 13:06:07 +0000
+Subject: MIPS: KVM: Pass reserved instruction exceptions to guest
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 15505679362270d02c449626385cb74af8905514 upstream.
+
+Previously a reserved instruction exception while in guest code would
+cause a KVM internal error if kvm_mips_handle_ri() didn't recognise the
+instruction (including a RDHWR from an unrecognised hardware register).
+
+However the guest OS should really have the opportunity to catch the
+exception so that it can take the appropriate actions such as sending a
+SIGILL to the guest user process or emulating the instruction itself.
+
+Therefore in these cases emulate a guest RI exception and only return
+EMULATE_FAIL if that fails, being careful to revert the PC first in case
+the exception occurred in a branch delay slot in which case the PC will
+already point to the branch target.
+
+Also turn the printk messages relating to these cases into kvm_debug
+messages so that they aren't usually visible.
+
+This allows crashme to run in the guest without killing the entire VM.
+
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Gleb Natapov <gleb@kernel.org>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Sanjay Lal <sanjayl@kymasys.com>
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kvm/kvm_mips_emul.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/kvm/kvm_mips_emul.c
++++ b/arch/mips/kvm/kvm_mips_emul.c
+@@ -1571,17 +1571,17 @@ kvm_mips_handle_ri(unsigned long cause,
+                       arch->gprs[rt] = kvm_read_c0_guest_userlocal(cop0);
+ #else
+                       /* UserLocal not implemented */
+-                      er = kvm_mips_emulate_ri_exc(cause, opc, run, vcpu);
++                      er = EMULATE_FAIL;
+ #endif
+                       break;
+               default:
+-                      printk("RDHWR not supported\n");
++                      kvm_debug("RDHWR %#x not supported @ %p\n", rd, opc);
+                       er = EMULATE_FAIL;
+                       break;
+               }
+       } else {
+-              printk("Emulate RI not supported @ %p: %#x\n", opc, inst);
++              kvm_debug("Emulate RI not supported @ %p: %#x\n", opc, inst);
+               er = EMULATE_FAIL;
+       }
+@@ -1590,6 +1590,7 @@ kvm_mips_handle_ri(unsigned long cause,
+        */
+       if (er == EMULATE_FAIL) {
+               vcpu->arch.pc = curr_pc;
++              er = kvm_mips_emulate_ri_exc(cause, opc, run, vcpu);
+       }
+       return er;
+ }
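Review bot: The block under `if (er == EMULATE_FAIL)` now does two things, reverting the PC and injecting a guest RI exception, but the comment that precedes it (only its closing `*/` is visible in the hunk) was written before this change and may now describe the rollback alone. The order matters, because per the commit message the PC must be reverted before the exception is emulated in the branch-delay-slot case. A line such as `/* revert PC first, then hand the RI to the guest; EMULATE_FAIL only if that fails too */` would pin that down. Moving the messages to `kvm_debug` fits the same change, since the guest can now trigger these paths repeatedly without stopping the VM.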
diff --git a/queue-3.14/mpt2sas-don-t-disable-device-twice-at-suspend.patch b/queue-3.14/mpt2sas-don-t-disable-device-twice-at-suspend.patch
new file mode 100644 (file)
index 0000000..df89bd1
--- /dev/null
@@ -0,0 +1,37 @@
+From af61e27c3f77c7623b5335590ae24b6a5c323e22 Mon Sep 17 00:00:00 2001
+From: Tyler Stachecki <tstache1@binghamton.edu>
+Date: Fri, 25 Apr 2014 16:41:04 -0400
+Subject: [SCSI] mpt2sas: Don't disable device twice at suspend.
+
+From: Tyler Stachecki <tstache1@binghamton.edu>
+
+commit af61e27c3f77c7623b5335590ae24b6a5c323e22 upstream.
+
+On suspend, _scsih_suspend calls mpt2sas_base_free_resources, which
+in turn calls pci_disable_device if the device is enabled prior to
+suspending. However, _scsih_suspend also calls pci_disable_device
+itself.
+
+Thus, in the event that the device is enabled prior to suspending,
+pci_disable_device will be called twice. This patch removes the
+duplicate call to pci_disable_device in _scsi_suspend as it is both
+unnecessary and results in a kernel oops.
+
+Signed-off-by: Tyler Stachecki <tstache1@binghamton.edu>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/mpt2sas/mpt2sas_scsih.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
++++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
+@@ -8293,7 +8293,6 @@ _scsih_suspend(struct pci_dev *pdev, pm_
+       mpt2sas_base_free_resources(ioc);
+       pci_save_state(pdev);
+-      pci_disable_device(pdev);
+       pci_set_power_state(pdev, device_state);
+       return 0;
+ }
diff --git a/queue-3.14/powerpc-compat-32-bit-little-endian-machine-name-is-ppcle-not-ppc.patch b/queue-3.14/powerpc-compat-32-bit-little-endian-machine-name-is-ppcle-not-ppc.patch
new file mode 100644 (file)
index 0000000..8288643
--- /dev/null
@@ -0,0 +1,34 @@
+From 422b9b9684db3c511e65c91842275c43f5910ae9 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Thu, 6 Mar 2014 16:10:11 +1100
+Subject: powerpc/compat: 32-bit little endian machine name is ppcle, not ppc
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 422b9b9684db3c511e65c91842275c43f5910ae9 upstream.
+
+I noticed this when testing setarch. No, we don't magically
+support a big endian userspace on a little endian kernel.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/compat.h |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/powerpc/include/asm/compat.h
++++ b/arch/powerpc/include/asm/compat.h
+@@ -8,7 +8,11 @@
+ #include <linux/sched.h>
+ #define COMPAT_USER_HZ                100
++#ifdef __BIG_ENDIAN__
+ #define COMPAT_UTS_MACHINE    "ppc\0\0"
++#else
++#define COMPAT_UTS_MACHINE    "ppcle\0\0"
++#endif
+ typedef u32           compat_size_t;
+ typedef s32           compat_ssize_t;
index 861cca0dc54909242c2891b360221a1b7044fa1c..91dd887f19a589e4b12143d48a0408df853293a5 100644 (file)
@@ -2,3 +2,17 @@ drivers-tty-hvc-don-t-free-hvc_console_setup-after-init.patch
 tty-serial-8250_core.c-bug-fix-for-exar-chips.patch
 tty-fix-lockless-tty-buffer-race.patch
 n_tty-fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
+floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
+floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
+kvm-arm-vgic-fix-sgi-dispatch-problem.patch
+arm-kvm-fix-possible-misalignment-of-pgds-and-bounce-page.patch
+kvm-async_pf-mm-mm_users-can-not-pin-apf-mm.patch
+kvm-ioapic-fix-assignment-of-ioapic-rtc_status.pending_eoi-cve-2014-0155.patch
+mips-kvm-pass-reserved-instruction-exceptions-to-guest.patch
+kvm-ppc-book3s-hv-fix-kvm-hang-with-config_kvm_xics-n.patch
+mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
+virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch
+tools-virtio-add-a-missing.patch
+virtio-scsi-skip-setting-affinity-on-uninitialized-vq.patch
+mpt2sas-don-t-disable-device-twice-at-suspend.patch
+powerpc-compat-32-bit-little-endian-machine-name-is-ppcle-not-ppc.patch
diff --git a/queue-3.14/tools-virtio-add-a-missing.patch b/queue-3.14/tools-virtio-add-a-missing.patch
new file mode 100644 (file)
index 0000000..13581e7
--- /dev/null
@@ -0,0 +1,44 @@
+From be40d5ccab34d579512d932fc1c6cfaffe9d1551 Mon Sep 17 00:00:00 2001
+From: Joel Stanley <joel@jms.id.au>
+Date: Thu, 13 Feb 2014 15:08:53 +1030
+Subject: tools/virtio: add a missing )
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Joel Stanley <joel@jms.id.au>
+
+commit be40d5ccab34d579512d932fc1c6cfaffe9d1551 upstream.
+
+Fixes the following build failure:
+
+ cc -g -O2 -Wall -I. -I ../../usr/include/ -Wno-pointer-sign
+   -fno-strict-overflow -fno-strict-aliasing -fno-common -MMD
+   -U_FORTIFY_SOURCE   -c -o virtio_test.o virtio_test.c
+ virtio_test.c: In function ‘run_test’:
+ virtio_test.c:176:7: error: expected ‘)’ before ‘r’
+         r = -1;
+         ^
+
+Fixes: 53c18c9906441 (virtio_test: verify if virtqueue_kick() succeeded)
+Cc: Heinz Graalfs <graalfs@linux.vnet.ibm.com>
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/virtio/virtio_test.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/virtio/virtio_test.c
++++ b/tools/virtio/virtio_test.c
+@@ -172,7 +172,7 @@ static void run_test(struct vdev_info *d
+                                                        GFP_ATOMIC);
+                               if (likely(r == 0)) {
+                                       ++started;
+-                                      if (unlikely(!virtqueue_kick(vq->vq))
++                                      if (unlikely(!virtqueue_kick(vq->vq)))
+                                               r = -1;
+                               }
+                       } else
diff --git a/queue-3.14/virtio-scsi-skip-setting-affinity-on-uninitialized-vq.patch b/queue-3.14/virtio-scsi-skip-setting-affinity-on-uninitialized-vq.patch
new file mode 100644 (file)
index 0000000..80df687
--- /dev/null
@@ -0,0 +1,103 @@
+From 0c8482ac92db5ac15792caf23b7f7df9e4f48ae1 Mon Sep 17 00:00:00 2001
+From: Fam Zheng <famz@redhat.com>
+Date: Mon, 14 Apr 2014 10:16:09 +0800
+Subject: [SCSI] virtio-scsi: Skip setting affinity on uninitialized vq
+
+From: Fam Zheng <famz@redhat.com>
+
+commit 0c8482ac92db5ac15792caf23b7f7df9e4f48ae1 upstream.
+
+virtscsi_init calls virtscsi_remove_vqs on err, even before initializing
+the vqs. The latter calls virtscsi_set_affinity, so let's check the
+pointer there before setting affinity on it.
+
+This fixes a panic when setting device's num_queues=2 on RHEL 6.5:
+
+qemu-system-x86_64 ... \
+-device virtio-scsi-pci,id=scsi0,addr=0x13,...,num_queues=2 \
+-drive file=/stor/vm/dummy.raw,id=drive-scsi-disk,... \
+-device scsi-hd,drive=drive-scsi-disk,...
+
+[    0.354734] scsi0 : Virtio SCSI HBA
+[    0.379504] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
+[    0.380141] IP: [<ffffffff814741ef>] __virtscsi_set_affinity+0x4f/0x120
+[    0.380141] PGD 0
+[    0.380141] Oops: 0000 [#1] SMP
+[    0.380141] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.14.0+ #5
+[    0.380141] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2007
+[    0.380141] task: ffff88003c9f0000 ti: ffff88003c9f8000 task.ti: ffff88003c9f8000
+[    0.380141] RIP: 0010:[<ffffffff814741ef>]  [<ffffffff814741ef>] __virtscsi_set_affinity+0x4f/0x120
+[    0.380141] RSP: 0000:ffff88003c9f9c08  EFLAGS: 00010256
+[    0.380141] RAX: 0000000000000000 RBX: ffff88003c3a9d40 RCX: 0000000000001070
+[    0.380141] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000
+[    0.380141] RBP: ffff88003c9f9c28 R08: 00000000000136c0 R09: ffff88003c801c00
+[    0.380141] R10: ffffffff81475229 R11: 0000000000000008 R12: 0000000000000000
+[    0.380141] R13: ffffffff81cc7ca8 R14: ffff88003cac3d40 R15: ffff88003cac37a0
+[    0.380141] FS:  0000000000000000(0000) GS:ffff88003e400000(0000) knlGS:0000000000000000
+[    0.380141] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[    0.380141] CR2: 0000000000000020 CR3: 0000000001c0e000 CR4: 00000000000006f0
+[    0.380141] Stack:
+[    0.380141]  ffff88003c3a9d40 0000000000000000 ffff88003cac3d80 ffff88003cac3d40
+[    0.380141]  ffff88003c9f9c48 ffffffff814742e8 ffff88003c26d000 ffff88003c26d000
+[    0.380141]  ffff88003c9f9c68 ffffffff81474321 ffff88003c26d000 ffff88003c3a9d40
+[    0.380141] Call Trace:
+[    0.380141]  [<ffffffff814742e8>] virtscsi_set_affinity+0x28/0x40
+[    0.380141]  [<ffffffff81474321>] virtscsi_remove_vqs+0x21/0x50
+[    0.380141]  [<ffffffff81475231>] virtscsi_init+0x91/0x240
+[    0.380141]  [<ffffffff81365290>] ? vp_get+0x50/0x70
+[    0.380141]  [<ffffffff81475544>] virtscsi_probe+0xf4/0x280
+[    0.380141]  [<ffffffff81363ea5>] virtio_dev_probe+0xe5/0x140
+[    0.380141]  [<ffffffff8144c669>] driver_probe_device+0x89/0x230
+[    0.380141]  [<ffffffff8144c8ab>] __driver_attach+0x9b/0xa0
+[    0.380141]  [<ffffffff8144c810>] ? driver_probe_device+0x230/0x230
+[    0.380141]  [<ffffffff8144c810>] ? driver_probe_device+0x230/0x230
+[    0.380141]  [<ffffffff8144ac1c>] bus_for_each_dev+0x8c/0xb0
+[    0.380141]  [<ffffffff8144c499>] driver_attach+0x19/0x20
+[    0.380141]  [<ffffffff8144bf28>] bus_add_driver+0x198/0x220
+[    0.380141]  [<ffffffff8144ce9f>] driver_register+0x5f/0xf0
+[    0.380141]  [<ffffffff81d27c91>] ? spi_transport_init+0x79/0x79
+[    0.380141]  [<ffffffff8136403b>] register_virtio_driver+0x1b/0x30
+[    0.380141]  [<ffffffff81d27d19>] init+0x88/0xd6
+[    0.380141]  [<ffffffff81d27c18>] ? scsi_init_procfs+0x5b/0x5b
+[    0.380141]  [<ffffffff81ce88a7>] do_one_initcall+0x7f/0x10a
+[    0.380141]  [<ffffffff81ce8aa7>] kernel_init_freeable+0x14a/0x1de
+[    0.380141]  [<ffffffff81ce8b3b>] ? kernel_init_freeable+0x1de/0x1de
+[    0.380141]  [<ffffffff817dec20>] ? rest_init+0x80/0x80
+[    0.380141]  [<ffffffff817dec29>] kernel_init+0x9/0xf0
+[    0.380141]  [<ffffffff817e68fc>] ret_from_fork+0x7c/0xb0
+[    0.380141]  [<ffffffff817dec20>] ? rest_init+0x80/0x80
+[    0.380141] RIP  [<ffffffff814741ef>] __virtscsi_set_affinity+0x4f/0x120
+[    0.380141]  RSP <ffff88003c9f9c08>
+[    0.380141] CR2: 0000000000000020
+[    0.380141] ---[ end trace 8074b70c3d5e1d73 ]---
+[    0.475018] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
+[    0.475018]
+[    0.475068] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff)
+[    0.475068] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
+
+[jejb: checkpatch fixes]
+Signed-off-by: Fam Zheng <famz@redhat.com>
+Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/virtio_scsi.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/virtio_scsi.c
++++ b/drivers/scsi/virtio_scsi.c
+@@ -750,8 +750,12 @@ static void __virtscsi_set_affinity(stru
+               vscsi->affinity_hint_set = true;
+       } else {
+-              for (i = 0; i < vscsi->num_queues; i++)
++              for (i = 0; i < vscsi->num_queues; i++) {
++                      if (!vscsi->req_vqs[i].vq)
++                              continue;
++
+                       virtqueue_set_affinity(vscsi->req_vqs[i].vq, -1);
++              }
+               vscsi->affinity_hint_set = false;
+       }
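Review bot: The NULL check added in the `else` branch of `__virtscsi_set_affinity` carries no comment saying why a request vq can be unset there, so a later cleanup could remove it as dead code. The commit message gives the reason (virtscsi_init calls virtscsi_remove_vqs on its error path before the vqs are initialized, which is the NULL dereference in the quoted oops). I would carry that into the code as `/* vqs may be unset if virtscsi_init failed before setting them up */` above `if (!vscsi->req_vqs[i].vq)`. The branch that sets the hint begins above the hunk and is not visible, so it is worth confirming that it can never run with uninitialized vqs, as it dereferences the same array. The function starts and ends outside the hunk.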
diff --git a/queue-3.14/virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch b/queue-3.14/virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch
new file mode 100644 (file)
index 0000000..f70b958
--- /dev/null
@@ -0,0 +1,41 @@
+From 1f74ef0f2d7d692fcd615621e0e734c3e7771413 Mon Sep 17 00:00:00 2001
+From: Rusty Russell <rusty@rustcorp.com.au>
+Date: Thu, 13 Mar 2014 11:23:38 +1030
+Subject: virtio_balloon: don't softlockup on huge balloon changes.
+
+From: Rusty Russell <rusty@rustcorp.com.au>
+
+commit 1f74ef0f2d7d692fcd615621e0e734c3e7771413 upstream.
+
+When adding or removing 100G from a balloon:
+
+    BUG: soft lockup - CPU#0 stuck for 22s! [vballoon:367]
+
+We have a wait_event_interruptible(), but the condition is always true
+(more ballooning to do) so we don't ever sleep.  We also have a
+wait_event() for the host to ack, but that is also always true as QEMU
+is synchronous for balloon operations.
+
+Reported-by: Gopesh Kumar Chaudhary <gopchaud@in.ibm.com>
+Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio_balloon.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -310,6 +310,12 @@ static int balloon(void *_vballoon)
+               else if (diff < 0)
+                       leak_balloon(vb, -diff);
+               update_balloon_size(vb);
++
++              /*
++               * For large balloon changes, we could spend a lot of time
++               * and always have work to do.  Be nice if preempt disabled.
++               */
++              cond_resched();
+       }
+       return 0;
+ }
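Review bot: The last sentence of the added comment, "Be nice if preempt disabled", reads as if `cond_resched()` were meant for a region under `preempt_disable()`, where it cannot reschedule; presumably it means kernels built without preemption. I would reword the line to `* and always have work to do.  Yield so a non-preemptible kernel can run other tasks.` The comment could also say that the size of the change comes from the host side, since that is why the loop can run for tens of seconds in the guest (the soft lockup in the commit message). `balloon()` starts above the hunk, so the two wait conditions the message describes are not visible here.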