start 2.6.27.32 review cycle
authorGreg Kroah-Hartman <gregkh@suse.de>
Fri, 4 Sep 2009 23:45:06 +0000 (16:45 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Fri, 4 Sep 2009 23:45:06 +0000 (16:45 -0700)
50 files changed:
review-2.6.27/alsa-hda-add-missing-vmaster-initialization-for-alc269.patch [moved from queue-2.6.27/alsa-hda-add-missing-vmaster-initialization-for-alc269.patch with 100% similarity]
review-2.6.27/alsa-hda-fix-macbookpro-3-1-4-1-quirk-with-alc889a.patch [moved from queue-2.6.27/alsa-hda-fix-macbookpro-3-1-4-1-quirk-with-alc889a.patch with 100% similarity]
review-2.6.27/appletalk-fix-atalk_getname-leak.patch [moved from queue-2.6.27/appletalk-fix-atalk_getname-leak.patch with 100% similarity]
review-2.6.27/can-fix-raw_getname-leak.patch [moved from queue-2.6.27/can-fix-raw_getname-leak.patch with 100% similarity]
review-2.6.27/clone-fix-race-between-copy_process-and-de_thread.patch [moved from queue-2.6.27/clone-fix-race-between-copy_process-and-de_thread.patch with 100% similarity]
review-2.6.27/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-user-space.patch [moved from queue-2.6.27/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-user-space.patch with 100% similarity]
review-2.6.27/econet-fix-econet_getname-leak.patch [moved from queue-2.6.27/econet-fix-econet_getname-leak.patch with 100% similarity]
review-2.6.27/ehea-fix-napi-list-corruption-on-ifconfig-down.patch [moved from queue-2.6.27/ehea-fix-napi-list-corruption-on-ifconfig-down.patch with 100% similarity]
review-2.6.27/irda-fix-irda_getname-leak.patch [moved from queue-2.6.27/irda-fix-irda_getname-leak.patch with 100% similarity]
review-2.6.27/kthreads-fix-kthread_create-vs-kthread_stop-race.patch [moved from queue-2.6.27/kthreads-fix-kthread_create-vs-kthread_stop-race.patch with 100% similarity]
review-2.6.27/kvm-add-mc5_misc-msr-read-support.patch [moved from queue-2.6.27/kvm-add-mc5_misc-msr-read-support.patch with 100% similarity]
review-2.6.27/kvm-allocate-guest-memory-as-map_private-not-map_shared.patch [moved from queue-2.6.27/kvm-allocate-guest-memory-as-map_private-not-map_shared.patch with 100% similarity]
review-2.6.27/kvm-don-t-call-get_user_pages.patch [moved from queue-2.6.27/kvm-don-t-call-get_user_pages.patch with 100% similarity]
review-2.6.27/kvm-don-t-destroy-vcpu-in-case-vcpu_setup-fails.patch [moved from queue-2.6.27/kvm-don-t-destroy-vcpu-in-case-vcpu_setup-fails.patch with 100% similarity]
review-2.6.27/kvm-fix-dirty-bit-tracking-for-slots-with-large-pages.patch [moved from queue-2.6.27/kvm-fix-dirty-bit-tracking-for-slots-with-large-pages.patch with 100% similarity]
review-2.6.27/kvm-fix-pdptr-reloading-on-cr4-writes.patch [moved from queue-2.6.27/kvm-fix-pdptr-reloading-on-cr4-writes.patch with 100% similarity]
review-2.6.27/kvm-load-real-mode-segments-correctly.patch [moved from queue-2.6.27/kvm-load-real-mode-segments-correctly.patch with 100% similarity]
review-2.6.27/kvm-make-efer-reads-safe-when-efer-does-not-exist.patch [moved from queue-2.6.27/kvm-make-efer-reads-safe-when-efer-does-not-exist.patch with 100% similarity]
review-2.6.27/kvm-make-paravirt-tlb-flush-also-reload-the-pae-pdptrs.patch [moved from queue-2.6.27/kvm-make-paravirt-tlb-flush-also-reload-the-pae-pdptrs.patch with 100% similarity]
review-2.6.27/kvm-mmu-add-locking-around-kvm_mmu_slot_remove_write_access.patch [moved from queue-2.6.27/kvm-mmu-add-locking-around-kvm_mmu_slot_remove_write_access.patch with 100% similarity]
review-2.6.27/kvm-mmu-do-not-free-active-mmu-pages-in-free_mmu_pages.patch [moved from queue-2.6.27/kvm-mmu-do-not-free-active-mmu-pages-in-free_mmu_pages.patch with 100% similarity]
review-2.6.27/kvm-mmu-fix-setting-the-accessed-bit-on-non-speculative-sptes.patch [moved from queue-2.6.27/kvm-mmu-fix-setting-the-accessed-bit-on-non-speculative-sptes.patch with 100% similarity]
review-2.6.27/kvm-mmu-flush-tlbs-after-clearing-write-permission-when-accessing-dirty-log.patch [moved from queue-2.6.27/kvm-mmu-flush-tlbs-after-clearing-write-permission-when-accessing-dirty-log.patch with 100% similarity]
review-2.6.27/kvm-mmu-increase-per-vcpu-rmap-cache-alloc-size.patch [moved from queue-2.6.27/kvm-mmu-increase-per-vcpu-rmap-cache-alloc-size.patch with 100% similarity]
review-2.6.27/kvm-mmu-protect-kvm_mmu_change_mmu_pages-with-mmu_lock.patch [moved from queue-2.6.27/kvm-mmu-protect-kvm_mmu_change_mmu_pages-with-mmu_lock.patch with 100% similarity]
review-2.6.27/kvm-reduce-kvm-stack-usage-in-kvm_arch_vm_ioctl.patch [moved from queue-2.6.27/kvm-reduce-kvm-stack-usage-in-kvm_arch_vm_ioctl.patch with 100% similarity]
review-2.6.27/kvm-reduce-stack-usage-in-kvm_arch_vcpu_ioctl.patch [moved from queue-2.6.27/kvm-reduce-stack-usage-in-kvm_arch_vcpu_ioctl.patch with 100% similarity]
review-2.6.27/kvm-reduce-stack-usage-in-kvm_pv_mmu_op.patch [moved from queue-2.6.27/kvm-reduce-stack-usage-in-kvm_pv_mmu_op.patch with 100% similarity]
review-2.6.27/kvm-reduce-stack-usage-in-kvm_vcpu_ioctl.patch [moved from queue-2.6.27/kvm-reduce-stack-usage-in-kvm_vcpu_ioctl.patch with 100% similarity]
review-2.6.27/kvm-set-debug-registers-after-schedulable-section.patch [moved from queue-2.6.27/kvm-set-debug-registers-after-schedulable-section.patch with 100% similarity]
review-2.6.27/kvm-svm-remove-port-80-passthrough.patch [moved from queue-2.6.27/kvm-svm-remove-port-80-passthrough.patch with 100% similarity]
review-2.6.27/kvm-vmx-change-cs-reset-state-to-be-a-data-segment.patch [moved from queue-2.6.27/kvm-vmx-change-cs-reset-state-to-be-a-data-segment.patch with 100% similarity]
review-2.6.27/kvm-vmx-change-segment-dpl-at-reset-to-3.patch [moved from queue-2.6.27/kvm-vmx-change-segment-dpl-at-reset-to-3.patch with 100% similarity]
review-2.6.27/kvm-vmx-don-t-allow-uninhibited-access-to-efer-on-i386.patch [moved from queue-2.6.27/kvm-vmx-don-t-allow-uninhibited-access-to-efer-on-i386.patch with 100% similarity]
review-2.6.27/kvm-vmx-handle-vmx-instruction-vmexits.patch [moved from queue-2.6.27/kvm-vmx-handle-vmx-instruction-vmexits.patch with 100% similarity]
review-2.6.27/kvm-vmx-set-igmt-bit-in-ept-entry.patch [moved from queue-2.6.27/kvm-vmx-set-igmt-bit-in-ept-entry.patch with 100% similarity]
review-2.6.27/kvm-x86-check-for-cr3-validity-in-mmu_alloc_roots.patch [moved from queue-2.6.27/kvm-x86-check-for-cr3-validity-in-mmu_alloc_roots.patch with 100% similarity]
review-2.6.27/mbox [new file with mode: 0644]
review-2.6.27/net-llc-zero-sockaddr_llc-struct.patch [moved from queue-2.6.27/net-llc-zero-sockaddr_llc-struct.patch with 100% similarity]
review-2.6.27/netrom-fix-nr_getname-leak.patch [moved from queue-2.6.27/netrom-fix-nr_getname-leak.patch with 100% similarity]
review-2.6.27/ocfs2-initialize-the-cluster-we-re-writing-to-in-a-non-sparse-extend.patch [moved from queue-2.6.27/ocfs2-initialize-the-cluster-we-re-writing-to-in-a-non-sparse-extend.patch with 100% similarity]
review-2.6.27/parport-quickfix-the-proc-registration-bug.patch [moved from queue-2.6.27/parport-quickfix-the-proc-registration-bug.patch with 100% similarity]
review-2.6.27/remove-low_latency-flag-setting-from-nozomi-and-mxser-drivers.patch [moved from queue-2.6.27/remove-low_latency-flag-setting-from-nozomi-and-mxser-drivers.patch with 100% similarity]
review-2.6.27/rose-fix-rose_getname-leak.patch [moved from queue-2.6.27/rose-fix-rose_getname-leak.patch with 100% similarity]
review-2.6.27/scsi-sr-report-more-accurate-drive-status-after-closing-the-tray.patch [moved from queue-2.6.27/scsi-sr-report-more-accurate-drive-status-after-closing-the-tray.patch with 100% similarity]
review-2.6.27/series [moved from queue-2.6.27/series with 100% similarity]
review-2.6.27/sound-pcm_lib-fix-unsorted-list-constraint-handling.patch [moved from queue-2.6.27/sound-pcm_lib-fix-unsorted-list-constraint-handling.patch with 100% similarity]
review-2.6.27/sunrpc-fix-rpc_task_force_reencode.patch [moved from queue-2.6.27/sunrpc-fix-rpc_task_force_reencode.patch with 100% similarity]
review-2.6.27/sunrpc-fix-tcp-reconnection.patch [moved from queue-2.6.27/sunrpc-fix-tcp-reconnection.patch with 100% similarity]
review-2.6.27/usb-removal-of-tty-low_latency-hack-dating-back-to-the-old-serial-code.patch [moved from queue-2.6.27/usb-removal-of-tty-low_latency-hack-dating-back-to-the-old-serial-code.patch with 100% similarity]

diff --git a/review-2.6.27/mbox b/review-2.6.27/mbox
new file mode 100644 (file)
index 0000000..38e6f2d
--- /dev/null
@@ -0,0 +1,4000 @@
+From gregkh@mini.kroah.org Fri Sep  4 13:08:50 2009
+Message-Id: <20090904200850.052613921@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:13 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Takashi Iwai <tiwai@suse.de>
+Subject: [patch 01/48] ALSA: hda - Fix MacBookPro 3,1/4,1 quirk with ALC889A
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=alsa-hda-fix-macbookpro-3-1-4-1-quirk-with-alc889a.patch
+Content-Length: 3970
+Lines: 98
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit a3f730af7e33cea10ea66f05b2565fde1f9512df upstream.
+
+This patch fixes the wrong headphone output routing for MacBookPro 3,1/4,1
+quirk with ALC889A codec, which caused the silent headphone output.
+Also, this gives the individual Headphone and Speaker volume controls.
+
+Reference: kernel bug#14078
+       http://bugzilla.kernel.org/show_bug.cgi?id=14078
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/pci/hda/patch_realtek.c |   34 ++++++++++++++++++++--------------
+ 1 file changed, 20 insertions(+), 14 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5580,9 +5580,9 @@ static struct hda_verb alc885_mbp_ch2_in
+ };
+ /*
+- * 6ch mode
++ * 4ch mode
+  */
+-static struct hda_verb alc885_mbp_ch6_init[] = {
++static struct hda_verb alc885_mbp_ch4_init[] = {
+       { 0x1a, AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT },
+       { 0x1a, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE},
+       { 0x1a, AC_VERB_SET_CONNECT_SEL, 0x01 },
+@@ -5591,9 +5591,9 @@ static struct hda_verb alc885_mbp_ch6_in
+       { } /* end */
+ };
+-static struct hda_channel_mode alc885_mbp_6ch_modes[2] = {
++static struct hda_channel_mode alc885_mbp_4ch_modes[2] = {
+       { 2, alc885_mbp_ch2_init },
+-      { 6, alc885_mbp_ch6_init },
++      { 4, alc885_mbp_ch4_init },
+ };
+@@ -5628,10 +5628,11 @@ static struct snd_kcontrol_new alc882_ba
+ };
+ static struct snd_kcontrol_new alc885_mbp3_mixer[] = {
+-      HDA_CODEC_VOLUME("Front Playback Volume", 0x0c, 0x00, HDA_OUTPUT),
+-      HDA_BIND_MUTE   ("Front Playback Switch", 0x0c, 0x02, HDA_INPUT),
+-      HDA_CODEC_MUTE  ("Speaker Playback Switch", 0x14, 0x00, HDA_OUTPUT),
+-      HDA_CODEC_VOLUME("Line-Out Playback Volume", 0x0d, 0x00, HDA_OUTPUT),
++      HDA_CODEC_VOLUME("Speaker Playback Volume", 0x0c, 0x00, HDA_OUTPUT),
++      HDA_BIND_MUTE   ("Speaker Playback Switch", 0x0c, 0x02, HDA_INPUT),
++      HDA_CODEC_VOLUME("Headphone Playback Volume", 0x0e, 0x00, HDA_OUTPUT),
++      HDA_BIND_MUTE   ("Headphone Playback Switch", 0x0e, 0x02, HDA_INPUT),
++      HDA_CODEC_VOLUME("Surround Playback Volume", 0x0d, 0x00, HDA_OUTPUT),
+       HDA_CODEC_VOLUME("Line Playback Volume", 0x0b, 0x02, HDA_INPUT),
+       HDA_CODEC_MUTE  ("Line Playback Switch", 0x0b, 0x02, HDA_INPUT),
+       HDA_CODEC_VOLUME("Mic Playback Volume", 0x0b, 0x00, HDA_INPUT),
+@@ -5879,14 +5880,18 @@ static struct hda_verb alc885_mbp3_init_
+       {0x0d, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_ZERO},
+       {0x0d, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_MUTE(0)},
+       {0x0d, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_MUTE(1)},
++      /* HP mixer */
++      {0x0e, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_ZERO},
++      {0x0e, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_MUTE(0)},
++      {0x0e, AC_VERB_SET_AMP_GAIN_MUTE, AMP_IN_MUTE(1)},
+       /* Front Pin: output 0 (0x0c) */
+       {0x14, AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT},
+       {0x14, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE},
+       {0x14, AC_VERB_SET_CONNECT_SEL, 0x00},
+-      /* HP Pin: output 0 (0x0d) */
++      /* HP Pin: output 0 (0x0e) */
+       {0x15, AC_VERB_SET_PIN_WIDGET_CONTROL, 0xc4},
+-      {0x15, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE},
+-      {0x15, AC_VERB_SET_CONNECT_SEL, 0x00},
++      {0x15, AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE},
++      {0x15, AC_VERB_SET_CONNECT_SEL, 0x02},
+       {0x15, AC_VERB_SET_UNSOLICITED_ENABLE, ALC880_HP_EVENT | AC_USRSP_EN},
+       /* Mic (rear) pin: input vref at 80% */
+       {0x18, AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_VREF80},
+@@ -6326,10 +6331,11 @@ static struct alc_config_preset alc882_p
+               .mixers = { alc885_mbp3_mixer, alc882_chmode_mixer },
+               .init_verbs = { alc885_mbp3_init_verbs,
+                               alc880_gpio1_init_verbs },
+-              .num_dacs = ARRAY_SIZE(alc882_dac_nids),
++              .num_dacs = 2,
+               .dac_nids = alc882_dac_nids,
+-              .channel_mode = alc885_mbp_6ch_modes,
+-              .num_channel_mode = ARRAY_SIZE(alc885_mbp_6ch_modes),
++              .hp_nid = 0x04,
++              .channel_mode = alc885_mbp_4ch_modes,
++              .num_channel_mode = ARRAY_SIZE(alc885_mbp_4ch_modes),
+               .input_mux = &alc882_capture_source,
+               .dig_out_nid = ALC882_DIGOUT_NID,
+               .dig_in_nid = ALC882_DIGIN_NID,
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:50 2009
+Message-Id: <20090904200850.199599575@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:14 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Oleg Nesterov <oleg@redhat.com>,
+ Roland McGrath <roland@redhat.com>,
+ KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Subject: [patch 02/48] clone(): fix race between copy_process() and de_thread()
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=clone-fix-race-between-copy_process-and-de_thread.patch
+Content-Length: 3721
+Lines: 142
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit 4ab6c08336535f8c8e42cf45d7adeda882eff06e upstream.
+
+Spotted by Hiroshi Shimamoto who also provided the test-case below.
+
+copy_process() uses signal->count as a reference counter, but it is not.
+This test case
+
+       #include <sys/types.h>
+       #include <sys/wait.h>
+       #include <unistd.h>
+       #include <stdio.h>
+       #include <errno.h>
+       #include <pthread.h>
+
+       void *null_thread(void *p)
+       {
+               for (;;)
+                       sleep(1);
+
+               return NULL;
+       }
+
+       void *exec_thread(void *p)
+       {
+               execl("/bin/true", "/bin/true", NULL);
+
+               return null_thread(p);
+       }
+
+       int main(int argc, char **argv)
+       {
+               for (;;) {
+                       pid_t pid;
+                       int ret, status;
+
+                       pid = fork();
+                       if (pid < 0)
+                               break;
+
+                       if (!pid) {
+                               pthread_t tid;
+
+                               pthread_create(&tid, NULL, exec_thread, NULL);
+                               for (;;)
+                                       pthread_create(&tid, NULL, null_thread, NULL);
+                       }
+
+                       do {
+                               ret = waitpid(pid, &status, 0);
+                       } while (ret == -1 && errno == EINTR);
+               }
+
+               return 0;
+       }
+
+quickly creates an unkillable task.
+
+If copy_process(CLONE_THREAD) races with de_thread()
+copy_signal()->atomic(signal->count) breaks the signal->notify_count
+logic, and the execing thread can hang forever in kernel space.
+
+Change copy_process() to increment count/live only when we know for sure
+we can't fail.  In this case the forked thread will take care of its
+reference to signal correctly.
+
+If copy_process() fails, check CLONE_THREAD flag.  If it it set - do
+nothing, the counters were not changed and current belongs to the same
+thread group.  If it is not set, ->signal must be released in any case
+(and ->count must be == 1), the forked child is the only thread in the
+thread group.
+
+We need more cleanups here, in particular signal->count should not be used
+by de_thread/__exit_signal at all.  This patch only fixes the bug.
+
+Reported-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
+Tested-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Roland McGrath <roland@redhat.com>
+Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/fork.c |   21 ++++++---------------
+ 1 file changed, 6 insertions(+), 15 deletions(-)
+
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -767,11 +767,9 @@ static int copy_signal(unsigned long clo
+       struct signal_struct *sig;
+       int ret;
+-      if (clone_flags & CLONE_THREAD) {
+-              atomic_inc(&current->signal->count);
+-              atomic_inc(&current->signal->live);
++      if (clone_flags & CLONE_THREAD)
+               return 0;
+-      }
++
+       sig = kmem_cache_alloc(signal_cachep, GFP_KERNEL);
+       tsk->signal = sig;
+       if (!sig)
+@@ -844,16 +842,6 @@ void __cleanup_signal(struct signal_stru
+       kmem_cache_free(signal_cachep, sig);
+ }
+-static void cleanup_signal(struct task_struct *tsk)
+-{
+-      struct signal_struct *sig = tsk->signal;
+-
+-      atomic_dec(&sig->live);
+-
+-      if (atomic_dec_and_test(&sig->count))
+-              __cleanup_signal(sig);
+-}
+-
+ static void copy_flags(unsigned long clone_flags, struct task_struct *p)
+ {
+       unsigned long new_flags = p->flags;
+@@ -1201,6 +1189,8 @@ static struct task_struct *copy_process(
+       }
+       if (clone_flags & CLONE_THREAD) {
++              atomic_inc(&current->signal->count);
++              atomic_inc(&current->signal->live);
+               p->group_leader = current->group_leader;
+               list_add_tail_rcu(&p->thread_group, &p->group_leader->thread_group);
+@@ -1261,7 +1251,8 @@ bad_fork_cleanup_mm:
+       if (p->mm)
+               mmput(p->mm);
+ bad_fork_cleanup_signal:
+-      cleanup_signal(p);
++      if (!(clone_flags & CLONE_THREAD))
++              __cleanup_signal(p->signal);
+ bad_fork_cleanup_sighand:
+       __cleanup_sighand(p->sighand);
+ bad_fork_cleanup_fs:
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:50 2009
+Message-Id: <20090904200850.355960571@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:15 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Hannes Hering <hering2@de.ibm.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 03/48] ehea: Fix napi list corruption on ifconfig down
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=ehea-fix-napi-list-corruption-on-ifconfig-down.patch
+Content-Length: 698
+Lines: 28
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Hannes Hering <hering2@de.ibm.com>
+
+commit 357eb46d8f275b4e8484541234ea3ba06065e258 upstream.
+
+This patch fixes the napi list handling when an ehea interface is shut
+down to avoid corruption of the napi list.
+
+Signed-off-by: Hannes Hering <hering2@de.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/ehea/ehea_main.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ehea/ehea_main.c
++++ b/drivers/net/ehea/ehea_main.c
+@@ -1530,6 +1530,9 @@ static int ehea_clean_portres(struct ehe
+ {
+       int ret, i;
++      if (pr->qp)
++              netif_napi_del(&pr->napi);
++
+       ret = ehea_destroy_qp(pr->qp);
+       if (!ret) {
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:50 2009
+Message-Id: <20090904200850.531838310@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:16 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Clemens Ladisch <clemens@ladisch.de>,
+ Takashi Iwai <tiwai@suse.de>
+Subject: [patch 04/48] sound: pcm_lib: fix unsorted list constraint handling
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=sound-pcm_lib-fix-unsorted-list-constraint-handling.patch
+Content-Length: 2445
+Lines: 82
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Clemens Ladisch <clemens@ladisch.de>
+
+commit b1ddaf681e362ed453182ddee1699d7487069a16 upstream.
+
+snd_interval_list() expected a sorted list but did not document this, so
+there are drivers that give it an unsorted list.  To fix this, change
+the algorithm to work with any list.
+
+This fixes the "Slave PCM not usable" error with USB devices that have
+multiple alternate settings with sample rates in decreasing order, such
+as the Philips Askey VC010 WebCam.
+
+http://bugzilla.kernel.org/show_bug.cgi?id=14028
+
+Reported-and-tested-by: Andrzej <adkadk@gmail.com>
+Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/core/pcm_lib.c |   39 ++++++++-------------------------------
+ 1 file changed, 8 insertions(+), 31 deletions(-)
+
+--- a/sound/core/pcm_lib.c
++++ b/sound/core/pcm_lib.c
+@@ -779,47 +779,24 @@ static int snd_interval_ratden(struct sn
+ int snd_interval_list(struct snd_interval *i, unsigned int count, unsigned int *list, unsigned int mask)
+ {
+         unsigned int k;
+-      int changed = 0;
++      struct snd_interval list_range;
+       if (!count) {
+               i->empty = 1;
+               return -EINVAL;
+       }
++      snd_interval_any(&list_range);
++      list_range.min = UINT_MAX;
++      list_range.max = 0;
+         for (k = 0; k < count; k++) {
+               if (mask && !(mask & (1 << k)))
+                       continue;
+-                if (i->min == list[k] && !i->openmin)
+-                        goto _l1;
+-                if (i->min < list[k]) {
+-                        i->min = list[k];
+-                      i->openmin = 0;
+-                      changed = 1;
+-                        goto _l1;
+-                }
+-        }
+-        i->empty = 1;
+-        return -EINVAL;
+- _l1:
+-        for (k = count; k-- > 0;) {
+-              if (mask && !(mask & (1 << k)))
++              if (!snd_interval_test(i, list[k]))
+                       continue;
+-                if (i->max == list[k] && !i->openmax)
+-                        goto _l2;
+-                if (i->max > list[k]) {
+-                        i->max = list[k];
+-                      i->openmax = 0;
+-                      changed = 1;
+-                        goto _l2;
+-                }
++              list_range.min = min(list_range.min, list[k]);
++              list_range.max = max(list_range.max, list[k]);
+         }
+-        i->empty = 1;
+-        return -EINVAL;
+- _l2:
+-      if (snd_interval_checkempty(i)) {
+-              i->empty = 1;
+-              return -EINVAL;
+-      }
+-        return changed;
++      return snd_interval_refine(i, &list_range);
+ }
+ EXPORT_SYMBOL(snd_interval_list);
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:50 2009
+Message-Id: <20090904200850.690791337@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:17 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Trond Myklebust <Trond.Myklebust@netapp.com>
+Subject: [patch 05/48] SUNRPC: Fix rpc_task_force_reencode
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=sunrpc-fix-rpc_task_force_reencode.patch
+Content-Length: 879
+Lines: 30
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit 2574cc9f4ffc6c681c9177111357efe5b76f0e36 upstream.
+
+This patch fixes the bug that was reported in
+  http://bugzilla.kernel.org/show_bug.cgi?id=14053
+
+If we're in the case where we need to force a reencode and then resend of
+the RPC request, due to xprt_transmit failing with a networking error, then
+we _must_ retransmit the entire request.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sunrpc/clnt.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -860,6 +860,7 @@ static inline void
+ rpc_task_force_reencode(struct rpc_task *task)
+ {
+       task->tk_rqstp->rq_snd_buf.len = 0;
++      task->tk_rqstp->rq_bytes_sent = 0;
+ }
+ static inline void
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:50 2009
+Message-Id: <20090904200850.849943398@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:18 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ avi@redhat.com,
+ Avi Kivity <avi@qumranet.com>
+Subject: [patch 06/48] KVM: VMX: Change cs reset state to be a data segment
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-vmx-change-cs-reset-state-to-be-a-data-segment.patch
+Content-Length: 988
+Lines: 33
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Avi Kivity <avi@qumranet.com>
+
+(cherry picked from commit 5706be0dafd6f42852f85fbae292301dcad4ccec)
+
+Real mode cs is a data segment, not a code segment.
+
+Signed-off-by: Avi Kivity <avi@qumranet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/vmx.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2036,6 +2036,7 @@ static int vmx_vcpu_reset(struct kvm_vcp
+       fx_init(&vmx->vcpu);
++      seg_setup(VCPU_SREG_CS);
+       /*
+        * GUEST_CS_BASE should really be 0xffff0000, but VT vm86 mode
+        * insists on having GUEST_CS_BASE == GUEST_CS_SELECTOR << 4.  Sigh.
+@@ -2047,8 +2048,6 @@ static int vmx_vcpu_reset(struct kvm_vcp
+               vmcs_write16(GUEST_CS_SELECTOR, vmx->vcpu.arch.sipi_vector << 8);
+               vmcs_writel(GUEST_CS_BASE, vmx->vcpu.arch.sipi_vector << 12);
+       }
+-      vmcs_write32(GUEST_CS_LIMIT, 0xffff);
+-      vmcs_write32(GUEST_CS_AR_BYTES, 0x9b);
+       seg_setup(VCPU_SREG_DS);
+       seg_setup(VCPU_SREG_ES);
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:51 2009
+Message-Id: <20090904200851.000111021@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:19 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ avi@redhat.com,
+ Avi Kivity <avi@qumranet.com>
+Subject: [patch 07/48] KVM: VMX: Change segment dpl at reset to 3
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-vmx-change-segment-dpl-at-reset-to-3.patch
+Content-Length: 670
+Lines: 25
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Avi Kivity <avi@qumranet.com>
+
+(cherry picked from commit a16b20da879430fdf245ed45461ed40ffef8db3c)
+
+This is more emulation friendly, if not 100% correct.
+
+Signed-off-by: Avi Kivity <avi@qumranet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/vmx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1789,7 +1789,7 @@ static void seg_setup(int seg)
+       vmcs_write16(sf->selector, 0);
+       vmcs_writel(sf->base, 0);
+       vmcs_write32(sf->limit, 0xffff);
+-      vmcs_write32(sf->ar_bytes, 0x93);
++      vmcs_write32(sf->ar_bytes, 0xf3);
+ }
+ static int alloc_apic_access_page(struct kvm *kvm)
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:51 2009
+Message-Id: <20090904200851.157785189@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:20 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ avi@redhat.com,
+ Avi Kivity <avi@qumranet.com>
+Subject: [patch 08/48] KVM: Load real mode segments correctly
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-load-real-mode-segments-correctly.patch
+Content-Length: 1236
+Lines: 51
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Avi Kivity <avi@qumranet.com>
+
+(cherry picked from commit f4bbd9aaaae23007e4d79536d35a30cbbb11d407)
+
+Real mode segments to not reference the GDT or LDT; they simply compute
+base = selector * 16.
+
+Signed-off-by: Avi Kivity <avi@qumranet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/x86.c |   22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3294,11 +3294,33 @@ static int load_segment_descriptor_to_kv
+       return 0;
+ }
++int kvm_load_realmode_segment(struct kvm_vcpu *vcpu, u16 selector, int seg)
++{
++      struct kvm_segment segvar = {
++              .base = selector << 4,
++              .limit = 0xffff,
++              .selector = selector,
++              .type = 3,
++              .present = 1,
++              .dpl = 3,
++              .db = 0,
++              .s = 1,
++              .l = 0,
++              .g = 0,
++              .avl = 0,
++              .unusable = 0,
++      };
++      kvm_x86_ops->set_segment(vcpu, &segvar, seg);
++      return 0;
++}
++
+ int kvm_load_segment_descriptor(struct kvm_vcpu *vcpu, u16 selector,
+                               int type_bits, int seg)
+ {
+       struct kvm_segment kvm_seg;
++      if (!(vcpu->arch.cr0 & X86_CR0_PE))
++              return kvm_load_realmode_segment(vcpu, selector, seg);
+       if (load_segment_descriptor_to_kvm_desct(vcpu, selector, &kvm_seg))
+               return 1;
+       kvm_seg.type |= type_bits;
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:51 2009
+Message-Id: <20090904200851.340681047@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:21 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ avi@redhat.com,
+ Avi Kivity <avi@qumranet.com>
+Subject: [patch 09/48] KVM: Allocate guest memory as MAP_PRIVATE, not MAP_SHARED
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-allocate-guest-memory-as-map_private-not-map_shared.patch
+Content-Length: 699
+Lines: 25
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Avi Kivity <avi@qumranet.com>
+
+(cherry picked from commit acee3c04e8208c17aad1baff99baa68d71640a19)
+
+There is no reason to share internal memory slots with fork()ed instances.
+
+Signed-off-by: Avi Kivity <avi@qumranet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/x86.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4003,7 +4003,7 @@ int kvm_arch_set_memory_region(struct kv
+                       userspace_addr = do_mmap(NULL, 0,
+                                                npages * PAGE_SIZE,
+                                                PROT_READ | PROT_WRITE,
+-                                               MAP_SHARED | MAP_ANONYMOUS,
++                                               MAP_PRIVATE | MAP_ANONYMOUS,
+                                                0);
+                       up_write(&current->mm->mmap_sem);
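Review bot: The switch to `MAP_PRIVATE | MAP_ANONYMOUS` in the do_mmap() call is an isolation decision that the code itself does not record; the reason exists only in the commit message. A comment above the call, e.g. `/* MAP_PRIVATE: a fork()ed child must not share the pages backing internal slots */`, would stop the flag from being changed back without that consequence being considered. The check of do_mmap()'s return value lies outside the hunk and could not be reviewed here.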
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:51 2009
+Message-Id: <20090904200851.493781097@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:22 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ avi@redhat.com,
+ Avi Kivity <avi@qumranet.com>
+Subject: [patch 10/48] KVM: Dont call get_user_pages(.force = 1)
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-don-t-call-get_user_pages.patch
+Content-Length: 790
+Lines: 27
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Avi Kivity <avi@qumranet.com>
+
+(cherry picked from commit d657c7335b97d746aa6123c56504b46c20e37df3)
+
+This is esoteric and only needed to break COW on MAP_SHARED mappings.  Since
+KVM no longer does these sorts of mappings, breaking COW on them is no longer
+necessary.
+
+Signed-off-by: Avi Kivity <avi@qumranet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ virt/kvm/kvm_main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -726,7 +726,7 @@ pfn_t gfn_to_pfn(struct kvm *kvm, gfn_t 
+               return page_to_pfn(bad_page);
+       }
+-      npages = get_user_pages(current, current->mm, addr, 1, 1, 1, page,
++      npages = get_user_pages(current, current->mm, addr, 1, 1, 0, page,
+                               NULL);
+       if (unlikely(npages != 1)) {
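Review bot: The bare `1, 1, 0` run in the get_user_pages() call does not show that the last of the three values is the force flag this change turns off. In this kernel's signature the arguments after `addr` are len, write and force. A comment on the call, e.g. `/* write = 1, force = 0: never override the VMA's protections */`, would make the intent reviewable and make an accidental return to `force = 1` stand out. The commit message bases the change on KVM no longer creating MAP_SHARED mappings itself; mappings supplied by userspace for ordinary memory slots are not covered by that statement, so the behaviour for those should be confirmed. gfn_to_pfn starts and ends outside the hunk.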
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:51 2009
+Message-Id: <20090904200851.629953579@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:23 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ avi@redhat.com,
+ Avi Kivity <avi@qumranet.com>
+Subject: [patch 11/48] KVM: MMU: Add locking around kvm_mmu_slot_remove_write_access()
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-mmu-add-locking-around-kvm_mmu_slot_remove_write_access.patch
+Content-Length: 829
+Lines: 33
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Avi Kivity <avi@qumranet.com>
+
+(cherry picked from commit 2245a28fe2e6fdb1bdabc4dcde1ea3a5c37e2a9e)
+
+It was generally safe due to slots_lock being held for write, but it wasn't
+very nice.
+
+Signed-off-by: Avi Kivity <avi@qumranet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/mmu.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2055,6 +2055,7 @@ void kvm_mmu_slot_remove_write_access(st
+ {
+       struct kvm_mmu_page *sp;
++      spin_lock(&kvm->mmu_lock);
+       list_for_each_entry(sp, &kvm->arch.active_mmu_pages, link) {
+               int i;
+               u64 *pt;
+@@ -2068,6 +2069,7 @@ void kvm_mmu_slot_remove_write_access(st
+                       if (pt[i] & PT_WRITABLE_MASK)
+                               pt[i] &= ~PT_WRITABLE_MASK;
+       }
++      spin_unlock(&kvm->mmu_lock);
+ }
+ void kvm_mmu_zap_all(struct kvm *kvm)
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:51 2009
+Message-Id: <20090904200851.795978998@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:24 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ avi@redhat.com,
+ Avi Kivity <avi@qumranet.com>
+Subject: [patch 12/48] KVM: MMU: Flush tlbs after clearing write permission when accessing dirty log
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-mmu-flush-tlbs-after-clearing-write-permission-when-accessing-dirty-log.patch
+Content-Length: 640
+Lines: 25
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Avi Kivity <avi@qumranet.com>
+
+(cherry picked from commit 171d595d3b3254b9a952af8d1f6965d2e85dcbaa)
+
+Otherwise, the cpu may allow writes to the tracked pages, and we lose
+some display bits or fail to migrate correctly.
+
+Signed-off-by: Avi Kivity <avi@qumranet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/mmu.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2069,6 +2069,7 @@ void kvm_mmu_slot_remove_write_access(st
+                       if (pt[i] & PT_WRITABLE_MASK)
+                               pt[i] &= ~PT_WRITABLE_MASK;
+       }
++      kvm_flush_remote_tlbs(kvm);
+       spin_unlock(&kvm->mmu_lock);
+ }
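Review bot: The added `kvm_flush_remote_tlbs(kvm)` has no comment linking it to the PT_WRITABLE_MASK clearing in the loop above, so the dependency dirty logging has on it is invisible at the call site. A line such as `/* vcpus may still hold writable TLB entries for the sptes just write-protected */` would document why the flush cannot be dropped as an optimisation. The function starts outside the hunk.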
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:52 2009
+Message-Id: <20090904200851.940224778@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:25 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ avi@redhat.com,
+ Avi Kivity <avi@qumranet.com>
+Subject: [patch 13/48] KVM: MMU: Fix setting the accessed bit on non-speculative sptes
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-mmu-fix-setting-the-accessed-bit-on-non-speculative-sptes.patch
+Content-Length: 890
+Lines: 30
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Avi Kivity <avi@qumranet.com>
+
+(cherry picked from commit 3201b5d9f0f7ef392886cd76dcd2c69186d9d5cd)
+
+The accessed bit was accidentally turned on in a random flag word, rather
+than, the spte itself, which was lucky, since it used the non-EPT compatible
+PT_ACCESSED_MASK.
+
+Fix by turning the bit on in the spte and changing it to use the portable
+accessed mask.
+
+Signed-off-by: Avi Kivity <avi@qumranet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/mmu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -1162,7 +1162,7 @@ static void mmu_set_spte(struct kvm_vcpu
+        */
+       spte = shadow_base_present_pte | shadow_dirty_mask;
+       if (!speculative)
+-              pte_access |= PT_ACCESSED_MASK;
++              spte |= shadow_accessed_mask;
+       if (!dirty)
+               pte_access &= ~ACC_WRITE_MASK;
+       if (pte_access & ACC_EXEC_MASK)
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:52 2009
+Message-Id: <20090904200852.199656362@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:26 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Avi Kivity <avi@redhat.com>,
+ Dave Hansen <dave@linux.vnet.ibm.com>,
+ Avi Kivity <avi@qumranet.com>
+Subject: [patch 14/48] KVM: Reduce kvm stack usage in kvm_arch_vm_ioctl()
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-reduce-kvm-stack-usage-in-kvm_arch_vm_ioctl.patch
+Content-Length: 4518
+Lines: 164
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Dave Hansen <dave@linux.vnet.ibm.com>
+
+(cherry picked from commit f0d662759a2465babdba1160749c446648c9d159)
+
+On my machine with gcc 3.4, kvm uses ~2k of stack in a few
+select functions.  This is mostly because gcc fails to
+notice that the different case: statements could have their
+stack usage combined.  It overflows very nicely if interrupts
+happen during one of these large uses.
+
+This patch uses two methods for reducing stack usage.
+1. dynamically allocate large objects instead of putting
+   on the stack.
+2. Use a union{} member for all of the case variables. This
+   tricks gcc into combining them all into a single stack
+   allocation. (There's also a comment on this)
+
+Signed-off-by: Dave Hansen <dave@linux.vnet.ibm.com>
+Signed-off-by: Avi Kivity <avi@qumranet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/x86.c |   72 +++++++++++++++++++++++++++++++++--------------------
+ 1 file changed, 45 insertions(+), 27 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1630,6 +1630,15 @@ long kvm_arch_vm_ioctl(struct file *filp
+       struct kvm *kvm = filp->private_data;
+       void __user *argp = (void __user *)arg;
+       int r = -EINVAL;
++      /*
++       * This union makes it completely explicit to gcc-3.x
++       * that these two variables' stack usage should be
++       * combined, not added together.
++       */
++      union {
++              struct kvm_pit_state ps;
++              struct kvm_memory_alias alias;
++      } u;
+       switch (ioctl) {
+       case KVM_SET_TSS_ADDR:
+@@ -1661,17 +1670,14 @@ long kvm_arch_vm_ioctl(struct file *filp
+       case KVM_GET_NR_MMU_PAGES:
+               r = kvm_vm_ioctl_get_nr_mmu_pages(kvm);
+               break;
+-      case KVM_SET_MEMORY_ALIAS: {
+-              struct kvm_memory_alias alias;
+-
++      case KVM_SET_MEMORY_ALIAS:
+               r = -EFAULT;
+-              if (copy_from_user(&alias, argp, sizeof alias))
++              if (copy_from_user(&u.alias, argp, sizeof(struct kvm_memory_alias)))
+                       goto out;
+-              r = kvm_vm_ioctl_set_memory_alias(kvm, &alias);
++              r = kvm_vm_ioctl_set_memory_alias(kvm, &u.alias);
+               if (r)
+                       goto out;
+               break;
+-      }
+       case KVM_CREATE_IRQCHIP:
+               r = -ENOMEM;
+               kvm->arch.vpic = kvm_create_pic(kvm);
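Review bot: The copy sizes in the rewritten cases are spelled three ways: `sizeof(struct kvm_memory_alias)` here, then `sizeof(struct kvm_pit_state)` in KVM_GET_PIT and `sizeof u.ps` in KVM_SET_PIT in the next hunk. The type-name form can drift from the destination object if a union member is ever changed. Tying every size to the object keeps copy_from_user() and copy_to_user() bounded by what is actually being filled: `if (copy_from_user(&u.alias, argp, sizeof u.alias))`, and likewise `sizeof u.ps` in both KVM_GET_PIT calls. kvm_arch_vm_ioctl starts and ends outside these hunks.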
+@@ -1713,65 +1719,77 @@ long kvm_arch_vm_ioctl(struct file *filp
+       }
+       case KVM_GET_IRQCHIP: {
+               /* 0: PIC master, 1: PIC slave, 2: IOAPIC */
+-              struct kvm_irqchip chip;
++              struct kvm_irqchip *chip = kmalloc(sizeof(*chip), GFP_KERNEL);
+-              r = -EFAULT;
+-              if (copy_from_user(&chip, argp, sizeof chip))
++              r = -ENOMEM;
++              if (!chip)
+                       goto out;
++              r = -EFAULT;
++              if (copy_from_user(chip, argp, sizeof *chip))
++                      goto get_irqchip_out;
+               r = -ENXIO;
+               if (!irqchip_in_kernel(kvm))
+-                      goto out;
+-              r = kvm_vm_ioctl_get_irqchip(kvm, &chip);
++                      goto get_irqchip_out;
++              r = kvm_vm_ioctl_get_irqchip(kvm, chip);
+               if (r)
+-                      goto out;
++                      goto get_irqchip_out;
+               r = -EFAULT;
+-              if (copy_to_user(argp, &chip, sizeof chip))
+-                      goto out;
++              if (copy_to_user(argp, chip, sizeof *chip))
++                      goto get_irqchip_out;
+               r = 0;
++      get_irqchip_out:
++              kfree(chip);
++              if (r)
++                      goto out;
+               break;
+       }
+       case KVM_SET_IRQCHIP: {
+               /* 0: PIC master, 1: PIC slave, 2: IOAPIC */
+-              struct kvm_irqchip chip;
++              struct kvm_irqchip *chip = kmalloc(sizeof(*chip), GFP_KERNEL);
+-              r = -EFAULT;
+-              if (copy_from_user(&chip, argp, sizeof chip))
++              r = -ENOMEM;
++              if (!chip)
+                       goto out;
++              r = -EFAULT;
++              if (copy_from_user(chip, argp, sizeof *chip))
++                      goto set_irqchip_out;
+               r = -ENXIO;
+               if (!irqchip_in_kernel(kvm))
+-                      goto out;
+-              r = kvm_vm_ioctl_set_irqchip(kvm, &chip);
++                      goto set_irqchip_out;
++              r = kvm_vm_ioctl_set_irqchip(kvm, chip);
+               if (r)
+-                      goto out;
++                      goto set_irqchip_out;
+               r = 0;
++      set_irqchip_out:
++              kfree(chip);
++              if (r)
++                      goto out;
+               break;
+       }
+       case KVM_GET_PIT: {
+-              struct kvm_pit_state ps;
+               r = -EFAULT;
+-              if (copy_from_user(&ps, argp, sizeof ps))
++              if (copy_from_user(&u.ps, argp, sizeof(struct kvm_pit_state)))
+                       goto out;
+               r = -ENXIO;
+               if (!kvm->arch.vpit)
+                       goto out;
+-              r = kvm_vm_ioctl_get_pit(kvm, &ps);
++              r = kvm_vm_ioctl_get_pit(kvm, &u.ps);
+               if (r)
+                       goto out;
+               r = -EFAULT;
+-              if (copy_to_user(argp, &ps, sizeof ps))
++              if (copy_to_user(argp, &u.ps, sizeof(struct kvm_pit_state)))
+                       goto out;
+               r = 0;
+               break;
+       }
+       case KVM_SET_PIT: {
+-              struct kvm_pit_state ps;
+               r = -EFAULT;
+-              if (copy_from_user(&ps, argp, sizeof ps))
++              if (copy_from_user(&u.ps, argp, sizeof u.ps))
+                       goto out;
+               r = -ENXIO;
+               if (!kvm->arch.vpit)
+                       goto out;
+-              r = kvm_vm_ioctl_set_pit(kvm, &ps);
++              r = kvm_vm_ioctl_set_pit(kvm, &u.ps);
+               if (r)
+                       goto out;
+               r = 0;
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:52 2009
+Message-Id: <20090904200852.437826917@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:27 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Avi Kivity <avi@redhat.com>,
+ Dave Hansen <dave@linux.vnet.ibm.com>,
+ Avi Kivity <avi@qumranet.com>
+Subject: [patch 15/48] KVM: Reduce stack usage in kvm_vcpu_ioctl()
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-reduce-stack-usage-in-kvm_vcpu_ioctl.patch
+Content-Length: 2817
+Lines: 109
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Dave Hansen <dave@linux.vnet.ibm.com>
+
+(cherry picked from commit fa3795a7308df099f0f2c9e5ca2c20a5ff65bdc4)
+
+Signed-off-by: Dave Hansen <dave@linux.vnet.ibm.com>
+Signed-off-by: Avi Kivity <avi@qumranet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ virt/kvm/kvm_main.c |   46 ++++++++++++++++++++++++++++------------------
+ 1 file changed, 28 insertions(+), 18 deletions(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1118,6 +1118,8 @@ static long kvm_vcpu_ioctl(struct file *
+       struct kvm_vcpu *vcpu = filp->private_data;
+       void __user *argp = (void __user *)arg;
+       int r;
++      struct kvm_fpu *fpu = NULL;
++      struct kvm_sregs *kvm_sregs = NULL;
+       if (vcpu->kvm->mm != current->mm)
+               return -EIO;
+@@ -1165,25 +1167,28 @@ out_free2:
+               break;
+       }
+       case KVM_GET_SREGS: {
+-              struct kvm_sregs kvm_sregs;
+-
+-              memset(&kvm_sregs, 0, sizeof kvm_sregs);
+-              r = kvm_arch_vcpu_ioctl_get_sregs(vcpu, &kvm_sregs);
++              kvm_sregs = kzalloc(sizeof(struct kvm_sregs), GFP_KERNEL);
++              r = -ENOMEM;
++              if (!kvm_sregs)
++                      goto out;
++              r = kvm_arch_vcpu_ioctl_get_sregs(vcpu, kvm_sregs);
+               if (r)
+                       goto out;
+               r = -EFAULT;
+-              if (copy_to_user(argp, &kvm_sregs, sizeof kvm_sregs))
++              if (copy_to_user(argp, kvm_sregs, sizeof(struct kvm_sregs)))
+                       goto out;
+               r = 0;
+               break;
+       }
+       case KVM_SET_SREGS: {
+-              struct kvm_sregs kvm_sregs;
+-
++              kvm_sregs = kmalloc(sizeof(struct kvm_sregs), GFP_KERNEL);
++              r = -ENOMEM;
++              if (!kvm_sregs)
++                      goto out;
+               r = -EFAULT;
+-              if (copy_from_user(&kvm_sregs, argp, sizeof kvm_sregs))
++              if (copy_from_user(kvm_sregs, argp, sizeof(struct kvm_sregs)))
+                       goto out;
+-              r = kvm_arch_vcpu_ioctl_set_sregs(vcpu, &kvm_sregs);
++              r = kvm_arch_vcpu_ioctl_set_sregs(vcpu, kvm_sregs);
+               if (r)
+                       goto out;
+               r = 0;
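Review bot: KVM_GET_SREGS here and KVM_GET_FPU in the next hunk depend on kzalloc() rather than kmalloc(), because the whole structure is then handed to copy_to_user(), but nothing in the code says so now that the explicit memset() is gone. The same holds for KVM_GET_LAPIC in the kvm_arch_vcpu_ioctl patch that follows. A comment above each allocation, e.g. `/* zeroed: the full struct is copied to userspace */`, would keep a later cleanup from switching to kmalloc() and exposing uninitialised heap contents. The sizes would also be safer written against the object, `sizeof(*kvm_sregs)` and `sizeof(*fpu)`, than against the type name. The function body extends beyond these hunks, so exits that bypass `out:` after an allocation cannot be ruled out from the visible lines.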
+@@ -1264,25 +1269,28 @@ out_free2:
+               break;
+       }
+       case KVM_GET_FPU: {
+-              struct kvm_fpu fpu;
+-
+-              memset(&fpu, 0, sizeof fpu);
+-              r = kvm_arch_vcpu_ioctl_get_fpu(vcpu, &fpu);
++              fpu = kzalloc(sizeof(struct kvm_fpu), GFP_KERNEL);
++              r = -ENOMEM;
++              if (!fpu)
++                      goto out;
++              r = kvm_arch_vcpu_ioctl_get_fpu(vcpu, fpu);
+               if (r)
+                       goto out;
+               r = -EFAULT;
+-              if (copy_to_user(argp, &fpu, sizeof fpu))
++              if (copy_to_user(argp, fpu, sizeof(struct kvm_fpu)))
+                       goto out;
+               r = 0;
+               break;
+       }
+       case KVM_SET_FPU: {
+-              struct kvm_fpu fpu;
+-
++              fpu = kmalloc(sizeof(struct kvm_fpu), GFP_KERNEL);
++              r = -ENOMEM;
++              if (!fpu)
++                      goto out;
+               r = -EFAULT;
+-              if (copy_from_user(&fpu, argp, sizeof fpu))
++              if (copy_from_user(fpu, argp, sizeof(struct kvm_fpu)))
+                       goto out;
+-              r = kvm_arch_vcpu_ioctl_set_fpu(vcpu, &fpu);
++              r = kvm_arch_vcpu_ioctl_set_fpu(vcpu, fpu);
+               if (r)
+                       goto out;
+               r = 0;
+@@ -1292,6 +1300,8 @@ out_free2:
+               r = kvm_arch_vcpu_ioctl(filp, ioctl, arg);
+       }
+ out:
++      kfree(fpu);
++      kfree(kvm_sregs);
+       return r;
+ }
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:52 2009
+Message-Id: <20090904200852.685554919@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:28 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Sheng Yang <sheng.yang@intel.com>,
+ Avi Kivity <avi@redhat.com>,
+ Dave Hansen <dave@linux.vnet.ibm.com>,
+ Avi Kivity <avi@qumranet.com>
+Subject: [patch 16/48] KVM: Reduce stack usage in kvm_arch_vcpu_ioctl()
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-reduce-stack-usage-in-kvm_arch_vcpu_ioctl.patch
+Content-Length: 1810
+Lines: 69
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Dave Hansen <dave@linux.vnet.ibm.com>
+
+(cherry picked from commit b772ff362ec6b821c8a5227a3355e263f917bfad)
+
+[sheng: fix KVM_GET_LAPIC using wrong size]
+
+Signed-off-by: Dave Hansen <dave@linux.vnet.ibm.com>
+Signed-off-by: Sheng Yang <sheng.yang@intel.com>
+Signed-off-by: Avi Kivity <avi@qumranet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/x86.c |   23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1303,28 +1303,33 @@ long kvm_arch_vcpu_ioctl(struct file *fi
+       struct kvm_vcpu *vcpu = filp->private_data;
+       void __user *argp = (void __user *)arg;
+       int r;
++      struct kvm_lapic_state *lapic = NULL;
+       switch (ioctl) {
+       case KVM_GET_LAPIC: {
+-              struct kvm_lapic_state lapic;
++              lapic = kzalloc(sizeof(struct kvm_lapic_state), GFP_KERNEL);
+-              memset(&lapic, 0, sizeof lapic);
+-              r = kvm_vcpu_ioctl_get_lapic(vcpu, &lapic);
++              r = -ENOMEM;
++              if (!lapic)
++                      goto out;
++              r = kvm_vcpu_ioctl_get_lapic(vcpu, lapic);
+               if (r)
+                       goto out;
+               r = -EFAULT;
+-              if (copy_to_user(argp, &lapic, sizeof lapic))
++              if (copy_to_user(argp, lapic, sizeof(struct kvm_lapic_state)))
+                       goto out;
+               r = 0;
+               break;
+       }
+       case KVM_SET_LAPIC: {
+-              struct kvm_lapic_state lapic;
+-
++              lapic = kmalloc(sizeof(struct kvm_lapic_state), GFP_KERNEL);
++              r = -ENOMEM;
++              if (!lapic)
++                      goto out;
+               r = -EFAULT;
+-              if (copy_from_user(&lapic, argp, sizeof lapic))
++              if (copy_from_user(lapic, argp, sizeof(struct kvm_lapic_state)))
+                       goto out;
+-              r = kvm_vcpu_ioctl_set_lapic(vcpu, &lapic);;
++              r = kvm_vcpu_ioctl_set_lapic(vcpu, lapic);
+               if (r)
+                       goto out;
+               r = 0;
+@@ -1422,6 +1427,8 @@ long kvm_arch_vcpu_ioctl(struct file *fi
+               r = -EINVAL;
+       }
+ out:
++      if (lapic)
++              kfree(lapic);
+       return r;
+ }
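Review bot: The `if (lapic)` guard in front of `kfree(lapic)` at the `out:` label is redundant, since kfree() accepts NULL and `lapic` is initialised to NULL at the top of the function. The companion change to kvm_vcpu_ioctl in this series frees its buffers unconditionally, so a plain `kfree(lapic);` would keep the two functions consistent. Cases between the two hunks are not visible, so any direct `return` after the allocation could not be checked.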
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:52 2009
+Message-Id: <20090904200852.821221381@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:29 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Avi Kivity <avi@redhat.com>,
+ Dave Hansen <dave@linux.vnet.ibm.com>,
+ Avi Kivity <avi@qumranet.com>
+Subject: [patch 17/48] KVM: Reduce stack usage in kvm_pv_mmu_op()
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-reduce-stack-usage-in-kvm_pv_mmu_op.patch
+Content-Length: 2848
+Lines: 99
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Dave Hansen <dave@linux.vnet.ibm.com>
+
+(cherry picked from commit 6ad18fba05228fb1d47cdbc0339fe8b3fca1ca26)
+
+We're in a hot path.  We can't use kmalloc() because
+it might impact performance.  So, we just stick the buffer that
+we need into the kvm_vcpu_arch structure.  This is used very
+often, so it is not really a waste.
+
+We also have to move the buffer structure's definition to the
+arch-specific x86 kvm header.
+
+Signed-off-by: Dave Hansen <dave@linux.vnet.ibm.com>
+Signed-off-by: Avi Kivity <avi@qumranet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/mmu.c         |   23 ++++++++---------------
+ include/asm-x86/kvm_host.h |   10 ++++++++++
+ 2 files changed, 18 insertions(+), 15 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -135,13 +135,6 @@ module_param(dbg, bool, 0644);
+ #define ACC_USER_MASK    PT_USER_MASK
+ #define ACC_ALL          (ACC_EXEC_MASK | ACC_WRITE_MASK | ACC_USER_MASK)
+-struct kvm_pv_mmu_op_buffer {
+-      void *ptr;
+-      unsigned len;
+-      unsigned processed;
+-      char buf[512] __aligned(sizeof(long));
+-};
+-
+ struct kvm_rmap_desc {
+       u64 *shadow_ptes[RMAP_EXT];
+       struct kvm_rmap_desc *more;
+@@ -2294,18 +2287,18 @@ int kvm_pv_mmu_op(struct kvm_vcpu *vcpu,
+                 gpa_t addr, unsigned long *ret)
+ {
+       int r;
+-      struct kvm_pv_mmu_op_buffer buffer;
++      struct kvm_pv_mmu_op_buffer *buffer = &vcpu->arch.mmu_op_buffer;
+-      buffer.ptr = buffer.buf;
+-      buffer.len = min_t(unsigned long, bytes, sizeof buffer.buf);
+-      buffer.processed = 0;
++      buffer->ptr = buffer->buf;
++      buffer->len = min_t(unsigned long, bytes, sizeof buffer->buf);
++      buffer->processed = 0;
+-      r = kvm_read_guest(vcpu->kvm, addr, buffer.buf, buffer.len);
++      r = kvm_read_guest(vcpu->kvm, addr, buffer->buf, buffer->len);
+       if (r)
+               goto out;
+-      while (buffer.len) {
+-              r = kvm_pv_mmu_op_one(vcpu, &buffer);
++      while (buffer->len) {
++              r = kvm_pv_mmu_op_one(vcpu, buffer);
+               if (r < 0)
+                       goto out;
+               if (r == 0)
+@@ -2314,7 +2307,7 @@ int kvm_pv_mmu_op(struct kvm_vcpu *vcpu,
+       r = 1;
+ out:
+-      *ret = buffer.processed;
++      *ret = buffer->processed;
+       return r;
+ }
+--- a/include/asm-x86/kvm_host.h
++++ b/include/asm-x86/kvm_host.h
+@@ -195,6 +195,13 @@ struct kvm_mmu_page {
+       };
+ };
++struct kvm_pv_mmu_op_buffer {
++      void *ptr;
++      unsigned len;
++      unsigned processed;
++      char buf[512] __aligned(sizeof(long));
++};
++
+ /*
+  * x86 supports 3 paging modes (4-level 64-bit, 3-level 64-bit, and 2-level
+  * 32-bit).  The kvm_mmu structure abstracts the details of the current mmu
+@@ -237,6 +244,9 @@ struct kvm_vcpu_arch {
+       bool tpr_access_reporting;
+       struct kvm_mmu mmu;
++      /* only needed in kvm_pv_mmu_op() path, but it's hot so
++       * put it here to avoid allocation */
++      struct kvm_pv_mmu_op_buffer mmu_op_buffer;
+       struct kvm_mmu_memory_cache mmu_pte_chain_cache;
+       struct kvm_mmu_memory_cache mmu_rmap_desc_cache;
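Review bot: The comment on the new `mmu_op_buffer` field explains why the buffer lives in kvm_vcpu_arch but not the constraint that makes this safe. With the scratch space no longer on the stack, kvm_pv_mmu_op must never run twice at once for the same vcpu, and guest-supplied bytes from the previous call stay in `buf` until overwritten. Presumably the function only runs in the owning vcpu's context, but that is not visible here and should be stated, e.g. `/* scratch for kvm_pv_mmu_op(); used only by the owning vcpu, contents valid only up to ->len */`. struct kvm_vcpu_arch starts and ends outside the hunk.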
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:53 2009
+Message-Id: <20090904200852.974946650@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:30 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Joerg Roedel <joerg.roedel@amd.com>,
+ Avi Kivity <avi@redhat.com>,
+ Avi Kivity <avi@qumranet.com>
+Subject: [patch 18/48] KVM: add MC5_MISC msr read support
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-add-mc5_misc-msr-read-support.patch
+Content-Length: 819
+Lines: 27
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Joerg Roedel <joerg.roedel@amd.com>
+
+(cherry picked from commit a89c1ad270ca7ad0eec2667bc754362ce7b142be)
+
+Currently KVM implements MC0-MC4_MISC read support. When booting Linux this
+results in KVM warnings in the kernel log when the guest tries to read
+MC5_MISC. Fix this warnings with this patch.
+
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Avi Kivity <avi@qumranet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/x86.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -752,6 +752,7 @@ int kvm_get_msr_common(struct kvm_vcpu *
+       case MSR_IA32_MC0_MISC+8:
+       case MSR_IA32_MC0_MISC+12:
+       case MSR_IA32_MC0_MISC+16:
++      case MSR_IA32_MC0_MISC+20:
+       case MSR_IA32_UCODE_REV:
+       case MSR_IA32_EBL_CR_POWERON:
+               data = 0;
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:53 2009
+Message-Id: <20090904200853.134480901@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:31 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Marcelo Tosatti <mtosatti@redhat.com>,
+ Avi Kivity <avi@redhat.com>,
+ Avi Kivity <avi@qumranet.com>
+Subject: [patch 19/48] KVM: set debug registers after "schedulable" section
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-set-debug-registers-after-schedulable-section.patch
+Content-Length: 1272
+Lines: 50
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Marcelo Tosatti <mtosatti@redhat.com>
+
+(cherry picked from commit 29415c37f043d1d54dcf356601d738ff6633b72b)
+
+The vcpu thread can be preempted after the guest_debug_pre() callback,
+resulting in invalid debug registers on the new vcpu.
+
+Move it inside the non-preemptable section.
+
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Avi Kivity <avi@qumranet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/x86.c |    9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2839,10 +2839,6 @@ static int __vcpu_run(struct kvm_vcpu *v
+       down_read(&vcpu->kvm->slots_lock);
+       vapic_enter(vcpu);
+-preempted:
+-      if (vcpu->guest_debug.enabled)
+-              kvm_x86_ops->guest_debug_pre(vcpu);
+-
+ again:
+       if (vcpu->requests)
+               if (test_and_clear_bit(KVM_REQ_MMU_RELOAD, &vcpu->requests))
+@@ -2896,6 +2892,9 @@ again:
+               goto out;
+       }
++      if (vcpu->guest_debug.enabled)
++              kvm_x86_ops->guest_debug_pre(vcpu);
++
+       vcpu->guest_mode = 1;
+       /*
+        * Make sure that guest_mode assignment won't happen after
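Review bot: Nothing at the new call site of `guest_debug_pre()` records that it has to run with preemption disabled, which is the reason for the move. The point where preemption is turned off lies outside the hunk, so the placement cannot be checked from these lines. A comment above the added `if`, e.g. `/* keep inside the non-preemptible section: being scheduled away after this leaves invalid debug registers */`, would protect the call from being hoisted again. __vcpu_run continues on both sides of the hunk.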
+@@ -2970,7 +2969,7 @@ out:
+       if (r > 0) {
+               kvm_resched(vcpu);
+               down_read(&vcpu->kvm->slots_lock);
+-              goto preempted;
++              goto again;
+       }
+       post_kvm_run_save(vcpu, kvm_run);
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:53 2009
+Message-Id: <20090904200853.292609785@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:32 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Marcelo Tosatti <mtosatti@redhat.com>,
+ avi@redhat.com
+Subject: [patch 20/48] KVM: MMU: increase per-vcpu rmap cache alloc size
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-mmu-increase-per-vcpu-rmap-cache-alloc-size.patch
+Content-Length: 959
+Lines: 33
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Marcelo Tosatti <mtosatti@redhat.com>
+
+(cherry picked from commit c41ef344de212bd918f7765af21b5008628c03e0)
+
+The page fault path can use two rmap_desc structures, if:
+
+- walk_addr's dirty pte update allocates one rmap_desc.
+- mmu_lock is dropped, sptes are zapped resulting in rmap_desc being
+  freed.
+- fetch->mmu_set_spte allocates another rmap_desc.
+
+Increase to 4 for safety.
+
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/mmu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -298,7 +298,7 @@ static int mmu_topup_memory_caches(struc
+       if (r)
+               goto out;
+       r = mmu_topup_memory_cache(&vcpu->arch.mmu_rmap_desc_cache,
+-                                 rmap_desc_cache, 1);
++                                 rmap_desc_cache, 4);
+       if (r)
+               goto out;
+       r = mmu_topup_memory_cache_page(&vcpu->arch.mmu_page_cache, 8);
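Review bot: The literal `4` passed to mmu_topup_memory_cache() for mmu_rmap_desc_cache has no explanation in the code; only the commit message says that the page fault path can consume two rmap_desc entries and that 4 is headroom. A comment at the call would keep a later reader from lowering it again, for example `/* fault path can use 2 rmap_descs (walk_addr, then mmu_set_spte); 4 leaves headroom */`. mmu_topup_memory_caches() starts and ends outside this hunk.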
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:53 2009
+Message-Id: <20090904200853.421933556@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:33 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ avi@redhat.com,
+ Sheng Yang <sheng@linux.intel.com>
+Subject: [patch 21/48] KVM: VMX: Set IGMT bit in EPT entry
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-vmx-set-igmt-bit-in-ept-entry.patch
+Content-Length: 1541
+Lines: 44
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Sheng Yang <sheng@linux.intel.com>
+
+(cherry picked from commit 928d4bf747e9c290b690ff515d8f81e8ee226d97)
+
+There is a potential issue: when the guest uses its own page tables without
+vmexits (EPT enabled), it uses the PAT/PCD/PWT bits to index the PAT MSR for its
+memory, which would be inconsistent with the host side and would cause a host
+MCE due to inconsistent cache attributes.
+
+The patch set IGMT bit in EPT entry to ignore guest PAT and use WB as default
+memory type to protect host (notice that all memory mapped by KVM should be WB).
+
+Signed-off-by: Sheng Yang <sheng@linux.intel.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/vmx.c |    3 ++-
+ arch/x86/kvm/vmx.h |    1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -3299,7 +3299,8 @@ static int __init vmx_init(void)
+               bypass_guest_pf = 0;
+               kvm_mmu_set_base_ptes(VMX_EPT_READABLE_MASK |
+                       VMX_EPT_WRITABLE_MASK |
+-                      VMX_EPT_DEFAULT_MT << VMX_EPT_MT_EPTE_SHIFT);
++                      VMX_EPT_DEFAULT_MT << VMX_EPT_MT_EPTE_SHIFT |
++                      VMX_EPT_IGMT_BIT);
+               kvm_mmu_set_mask_ptes(0ull, 0ull, 0ull, 0ull,
+                               VMX_EPT_EXECUTABLE_MASK);
+               kvm_enable_tdp();
+--- a/arch/x86/kvm/vmx.h
++++ b/arch/x86/kvm/vmx.h
+@@ -370,6 +370,7 @@ enum vmcs_field {
+ #define VMX_EPT_READABLE_MASK                 0x1ull
+ #define VMX_EPT_WRITABLE_MASK                 0x2ull
+ #define VMX_EPT_EXECUTABLE_MASK                       0x4ull
++#define VMX_EPT_IGMT_BIT                      (1ull << 6)
+ #define VMX_EPT_IDENTITY_PAGETABLE_ADDR               0xfffbc000ul
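Review bot: `VMX_EPT_IGMT_BIT` is defined in vmx.h without a comment, so the header does not say what bit 6 does or that host safety depends on it being set in every EPT entry KVM builds. A one-line comment above the define would record that, for example `/* ignore guest PAT: the EPT memory type decides caching */`. In the vmx.c hunk the base-pte expression mixes `<<` and `|` without parentheses; it evaluates as intended, but `(VMX_EPT_DEFAULT_MT << VMX_EPT_MT_EPTE_SHIFT)` would read more clearly.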
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:53 2009
+Message-Id: <20090904200853.572336618@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:34 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Glauber Costa <glommer@redhat.com>,
+ avi@redhat.com
+Subject: [patch 22/48] KVM: Dont destroy vcpu in case vcpu_setup fails
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-don-t-destroy-vcpu-in-case-vcpu_setup-fails.patch
+Content-Length: 1347
+Lines: 47
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Glauber Costa <glommer@redhat.com>
+
+(cherry picked from commit 7d8fece678c1abc2ca3e1ceda2277c3538a9161c)
+
+One of vcpu_setup responsibilities is to do mmu initialization.
+However, in case we fail in kvm_arch_vcpu_reset, before we get the
+chance to init mmu. OTOH, vcpu_destroy will attempt to destroy mmu,
+triggering a bug. Keeping track of whether or not mmu is initialized
+would unnecessarily complicate things. Rather, we just make return,
+making sure any needed uninitialization is done before we return, in
+case we fail.
+
+Signed-off-by: Glauber Costa <glommer@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ virt/kvm/kvm_main.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1074,12 +1074,11 @@ static int kvm_vm_ioctl_create_vcpu(stru
+       r = kvm_arch_vcpu_setup(vcpu);
+       if (r)
+-              goto vcpu_destroy;
++              return r;
+       mutex_lock(&kvm->lock);
+       if (kvm->vcpus[n]) {
+               r = -EEXIST;
+-              mutex_unlock(&kvm->lock);
+               goto vcpu_destroy;
+       }
+       kvm->vcpus[n] = vcpu;
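Review bot: The new `return r;` after a failed kvm_arch_vcpu_setup() skips kvm_arch_vcpu_destroy(), so the vcpu created before this hunk (the creation is not shown) is released only if each architecture's kvm_arch_vcpu_setup() frees it on its own failure path. The diffstat touches only virt/kvm/kvm_main.c, so that cannot be confirmed from this patch; if an implementation does not clean up, the vcpu leaks on every failed create ioctl. A comment at the return would record the contract, for example `/* kvm_arch_vcpu_setup() undoes its own work on failure */`.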
+@@ -1095,8 +1094,8 @@ static int kvm_vm_ioctl_create_vcpu(stru
+ unlink:
+       mutex_lock(&kvm->lock);
+       kvm->vcpus[n] = NULL;
+-      mutex_unlock(&kvm->lock);
+ vcpu_destroy:
++      mutex_unlock(&kvm->lock);
+       kvm_arch_vcpu_destroy(vcpu);
+       return r;
+ }
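Review bot: After this hunk the `vcpu_destroy:` label begins with `mutex_unlock(&kvm->lock)`, so every jump to it must hold kvm->lock, and the label name no longer says so. The two visible entries, the `-EEXIST` branch and the fall-through from `unlink:`, do hold it, but a later `goto vcpu_destroy` added on an unlocked path would unlock a mutex it does not own. Renaming the label to something like `unlock_vcpu_destroy:`, or adding `/* entered with kvm->lock held */` above it, would make the precondition visible.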
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:53 2009
+Message-Id: <20090904200853.702476063@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:35 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Avi Kivity <avi@redhat.com>
+Subject: [patch 23/48] KVM: VMX: Dont allow uninhibited access to EFER on i386
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-vmx-don-t-allow-uninhibited-access-to-efer-on-i386.patch
+Content-Length: 989
+Lines: 35
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Avi Kivity <avi@redhat.com>
+
+(cherry picked from commit 16175a796d061833aacfbd9672235f2d2725df65)
+
+vmx_set_msr() does not allow i386 guests to touch EFER, but they can still
+do so through the default: label in the switch.  If they set EFER_LME, they
+can oops the host.
+
+Fix by having EFER access through the normal channel (which will check for
+EFER_LME) even on i386.
+
+Reported-and-tested-by: Benjamin Gilbert <bgilbert@cs.cmu.edu>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/vmx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -898,11 +898,11 @@ static int vmx_set_msr(struct kvm_vcpu *
+       int ret = 0;
+       switch (msr_index) {
+-#ifdef CONFIG_X86_64
+       case MSR_EFER:
+               vmx_load_host_state(vmx);
+               ret = kvm_set_msr_common(vcpu, msr_index, data);
+               break;
++#ifdef CONFIG_X86_64
+       case MSR_FS_BASE:
+               vmcs_writel(GUEST_FS_BASE, data);
+               break;
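Review bot: Nothing in the code marks why `case MSR_EFER:` now sits above `#ifdef CONFIG_X86_64`, and a later cleanup that moves it back under the ifdef would send 32-bit hosts through the `default:` path again, which the commit message says lets a guest set EFER_LME and oops the host. A comment on the case would guard against that, for example `/* not 64-bit only: EFER writes must reach kvm_set_msr_common() so EFER_LME is checked */`. The rest of the switch, including `default:`, is outside this hunk.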
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:53 2009
+Message-Id: <20090904200853.830967661@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:36 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Avi Kivity <avi@redhat.com>
+Subject: [patch 24/48] KVM: SVM: Remove port 80 passthrough
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-svm-remove-port-80-passthrough.patch
+Content-Length: 966
+Lines: 30
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Avi Kivity <avi@redhat.com>
+
+(cherry picked from commit 99f85a28a78e96d28907fe036e1671a218fee597)
+
+KVM optimizes guest port 80 accesses by passing them through to the host.
+Some AMD machines die on port 80 writes, allowing the guest to hard-lock the
+host.
+
+Remove the port passthrough to avoid the problem.
+
+Reported-by: Piotr JaroszyÅ„ski <p.jaroszynski@gmail.com>
+Tested-by: Piotr JaroszyÅ„ski <p.jaroszynski@gmail.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/svm.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -429,7 +429,6 @@ static __init int svm_hardware_setup(voi
+       iopm_va = page_address(iopm_pages);
+       memset(iopm_va, 0xff, PAGE_SIZE * (1 << IOPM_ALLOC_ORDER));
+-      clear_bit(0x80, iopm_va); /* allow direct access to PC debug port */
+       iopm_base = page_to_pfn(iopm_pages) << PAGE_SHIFT;
+       if (boot_cpu_has(X86_FEATURE_NX))
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:54 2009
+Message-Id: <20090904200853.967007512@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:37 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Avi Kivity <avi@redhat.com>
+Subject: [patch 25/48] KVM: Make EFER reads safe when EFER does not exist
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-make-efer-reads-safe-when-efer-does-not-exist.patch
+Content-Length: 663
+Lines: 29
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Avi Kivity <avi@redhat.com>
+
+(cherry picked from commit e286e86e6d2042d67d09244aa0e05ffef75c9d54)
+
+Some processors don't have EFER; don't oops if userspace wants us to
+read EFER when we check NX.
+
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/x86.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -983,9 +983,9 @@ void kvm_arch_vcpu_put(struct kvm_vcpu *
+ static int is_efer_nx(void)
+ {
+-      u64 efer;
++      unsigned long long efer = 0;
+-      rdmsrl(MSR_EFER, efer);
++      rdmsrl_safe(MSR_EFER, &efer);
+       return efer & EFER_NX;
+ }
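Review bot: The return value of `rdmsrl_safe(MSR_EFER, &efer)` is discarded in is_efer_nx(), so the result on a processor without EFER depends entirely on the `efer = 0` initializer. Checking the call makes that explicit: `if (rdmsrl_safe(MSR_EFER, &efer)) return 0;`. If the current form stays, a short comment such as `/* efer stays 0 when the MSR does not exist */` would keep the initializer from being removed as redundant.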
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:54 2009
+Message-Id: <20090904200854.115208548@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:38 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Avi Kivity <avi@redhat.com>
+Subject: [patch 26/48] KVM: VMX: Handle vmx instruction vmexits
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-vmx-handle-vmx-instruction-vmexits.patch
+Content-Length: 1815
+Lines: 48
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Avi Kivity <avi@redhat.com>
+
+(cherry picked from commit e3c7cb6ad7191e92ba89d00a7ae5f5dd1ca0c214)
+
+IF a guest tries to use vmx instructions, inject a #UD to let it know the
+instruction is not implemented, rather than crashing.
+
+This prevents guest userspace from crashing the guest kernel.
+
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/vmx.c |   15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2582,6 +2582,12 @@ static int handle_vmcall(struct kvm_vcpu
+       return 1;
+ }
++static int handle_vmx_insn(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
++{
++      kvm_queue_exception(vcpu, UD_VECTOR);
++      return 1;
++}
++
+ static int handle_wbinvd(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+ {
+       skip_emulated_instruction(vcpu);
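Review bot: handle_vmx_insn() has no comment explaining that it queues #UD without calling skip_emulated_instruction(), unlike the neighbouring handle_wbinvd(). That is the expected behaviour for a fault, but it is easy to read as an omission. A comment above the function would help, for example `/* VMX instructions are not offered to guests: inject #UD, RIP stays on the faulting instruction */`. The nine table entries in the next hunk all route to this handler; what the dispatcher does for an exit reason with no table entry is outside the visible lines.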
+@@ -2714,6 +2720,15 @@ static int (*kvm_vmx_exit_handlers[])(st
+       [EXIT_REASON_PENDING_INTERRUPT]       = handle_interrupt_window,
+       [EXIT_REASON_HLT]                     = handle_halt,
+       [EXIT_REASON_VMCALL]                  = handle_vmcall,
++      [EXIT_REASON_VMCLEAR]                 = handle_vmx_insn,
++      [EXIT_REASON_VMLAUNCH]                = handle_vmx_insn,
++      [EXIT_REASON_VMPTRLD]                 = handle_vmx_insn,
++      [EXIT_REASON_VMPTRST]                 = handle_vmx_insn,
++      [EXIT_REASON_VMREAD]                  = handle_vmx_insn,
++      [EXIT_REASON_VMRESUME]                = handle_vmx_insn,
++      [EXIT_REASON_VMWRITE]                 = handle_vmx_insn,
++      [EXIT_REASON_VMOFF]                   = handle_vmx_insn,
++      [EXIT_REASON_VMON]                    = handle_vmx_insn,
+       [EXIT_REASON_TPR_BELOW_THRESHOLD]     = handle_tpr_below_threshold,
+       [EXIT_REASON_APIC_ACCESS]             = handle_apic_access,
+       [EXIT_REASON_WBINVD]                  = handle_wbinvd,
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:54 2009
+Message-Id: <20090904200854.271909531@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:39 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Avi Kivity <avi@redhat.com>
+Subject: [patch 27/48] KVM: Make paravirt tlb flush also reload the PAE PDPTRs
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-make-paravirt-tlb-flush-also-reload-the-pae-pdptrs.patch
+Content-Length: 809
+Lines: 28
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Avi Kivity <avi@redhat.com>
+
+(cherry picked from commit a8cd0244e9cebcf9b358d24c7e7410062f3665cb)
+
+The paravirt tlb flush may be used not only to flush TLBs, but also
+to reload the four page-directory-pointer-table entries, as it is used
+as a replacement for reloading CR3.  Change the code to do the entire
+CR3 reloading dance instead of simply flushing the TLB.
+
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/mmu.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2233,7 +2233,7 @@ static int kvm_pv_mmu_write(struct kvm_v
+ static int kvm_pv_mmu_flush_tlb(struct kvm_vcpu *vcpu)
+ {
+-      kvm_x86_ops->tlb_flush(vcpu);
++      kvm_set_cr3(vcpu, vcpu->arch.cr3);
+       return 1;
+ }
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:54 2009
+Message-Id: <20090904200854.433072752@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:40 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Avi Kivity <avi@redhat.com>
+Subject: [patch 28/48] KVM: Fix PDPTR reloading on CR4 writes
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-fix-pdptr-reloading-on-cr4-writes.patch
+Content-Length: 1618
+Lines: 45
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Avi Kivity <avi@redhat.com>
+
+(cherry picked from commit a2edf57f510cce6a389cc14e58c6ad0a4296d6f9)
+
+The processor is documented to reload the PDPTRs while in PAE mode if any
+of the CR4 bits PSE, PGE, or PAE change.  Linux relies on this
+behaviour when zapping the low mappings of PAE kernels during boot.
+
+The code already handled changes to CR4.PAE; augment it to also notice changes
+to PSE and PGE.
+
+This triggered while booting an F11 PAE kernel; the futex initialization code
+runs before any CR3 reloads and writes to a NULL pointer; the futex subsystem
+ended up uninitialized, killing PI futexes and pulseaudio which uses them.
+
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/x86.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -318,6 +318,9 @@ EXPORT_SYMBOL_GPL(kvm_lmsw);
+ void kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
+ {
++      unsigned long old_cr4 = vcpu->arch.cr4;
++      unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE;
++
+       if (cr4 & CR4_RESERVED_BITS) {
+               printk(KERN_DEBUG "set_cr4: #GP, reserved bits\n");
+               kvm_inject_gp(vcpu, 0);
+@@ -331,7 +334,8 @@ void kvm_set_cr4(struct kvm_vcpu *vcpu, 
+                       kvm_inject_gp(vcpu, 0);
+                       return;
+               }
+-      } else if (is_paging(vcpu) && !is_pae(vcpu) && (cr4 & X86_CR4_PAE)
++      } else if (is_paging(vcpu) && (cr4 & X86_CR4_PAE)
++                 && ((cr4 ^ old_cr4) & pdptr_bits)
+                  && !load_pdptrs(vcpu, vcpu->arch.cr3)) {
+               printk(KERN_DEBUG "set_cr4: #GP, pdptrs reserved bits\n");
+               kvm_inject_gp(vcpu, 0);
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:54 2009
+Message-Id: <20090904200854.584125547@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:41 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ avi@redhat.com,
+ Gleb Natapov <gleb@redhat.com>
+Subject: [patch 29/48] KVM: MMU: do not free active mmu pages in free_mmu_pages()
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-mmu-do-not-free-active-mmu-pages-in-free_mmu_pages.patch
+Content-Length: 1314
+Lines: 45
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Gleb Natapov <gleb@redhat.com>
+
+(cherry picked from commit f00be0cae4e6ad0a8c7be381c6d9be3586800b3e)
+
+free_mmu_pages() should only undo what alloc_mmu_pages() does.
+Free mmu pages from the generic VM destruction function, kvm_destroy_vm().
+
+Signed-off-by: Gleb Natapov <gleb@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/mmu.c  |    8 --------
+ virt/kvm/kvm_main.c |    2 ++
+ 2 files changed, 2 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -1976,14 +1976,6 @@ EXPORT_SYMBOL_GPL(kvm_disable_tdp);
+ static void free_mmu_pages(struct kvm_vcpu *vcpu)
+ {
+-      struct kvm_mmu_page *sp;
+-
+-      while (!list_empty(&vcpu->kvm->arch.active_mmu_pages)) {
+-              sp = container_of(vcpu->kvm->arch.active_mmu_pages.next,
+-                                struct kvm_mmu_page, link);
+-              kvm_mmu_zap_page(vcpu->kvm, sp);
+-              cond_resched();
+-      }
+       free_page((unsigned long)vcpu->arch.mmu.pae_root);
+ }
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -406,6 +406,8 @@ static void kvm_destroy_vm(struct kvm *k
+ #endif
+ #if defined(CONFIG_MMU_NOTIFIER) && defined(KVM_ARCH_WANT_MMU_NOTIFIER)
+       mmu_notifier_unregister(&kvm->mmu_notifier, kvm->mm);
++#else
++      kvm_arch_flush_shadow(kvm);
+ #endif
+       kvm_arch_destroy_vm(kvm);
+       mmdrop(mm);
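Review bot: The added `kvm_arch_flush_shadow(kvm)` runs only in the `#else` branch, so in a build with CONFIG_MMU_NOTIFIER and KVM_ARCH_WANT_MMU_NOTIFIER the shadow pages that free_mmu_pages() used to zap are released only if mmu_notifier_unregister() ends up flushing them. That path is not visible in this patch. A comment would record the assumption, for example `/* the notifier release path flushes shadow pages; do it by hand otherwise */`. kvm_destroy_vm() starts and ends outside the hunk.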
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:54 2009
+Message-Id: <20090904200854.746551563@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:42 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Izik Eidus <ieidus@redhat.com>,
+ avi@redhat.com
+Subject: [patch 30/48] KVM: Fix dirty bit tracking for slots with large pages
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-fix-dirty-bit-tracking-for-slots-with-large-pages.patch
+Content-Length: 791
+Lines: 30
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Izik Eidus <ieidus@redhat.com>
+
+(cherry picked from commit e244584fe3a5c20deddeca246548ac86dbc6e1d1)
+
+When slot is already allocated and being asked to be tracked we need
+to break the large pages.
+
+This code flush the mmu when someone ask a slot to start dirty bit
+tracking.
+
+Signed-off-by: Izik Eidus <ieidus@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ virt/kvm/kvm_main.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -550,6 +550,8 @@ int __kvm_set_memory_region(struct kvm *
+               if (!new.dirty_bitmap)
+                       goto out_free;
+               memset(new.dirty_bitmap, 0, dirty_bytes);
++              if (old.npages)
++                      kvm_arch_flush_shadow(kvm);
+       }
+ #endif /* not defined CONFIG_S390 */
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:55 2009
+Message-Id: <20090904200854.878903295@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:43 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Marcelo Tosatti <mtosatti@redhat.com>,
+ avi@redhat.com
+Subject: [patch 31/48] KVM: x86: check for cr3 validity in mmu_alloc_roots
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-x86-check-for-cr3-validity-in-mmu_alloc_roots.patch
+Content-Length: 2734
+Lines: 96
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Marcelo Tosatti <mtosatti@redhat.com>
+
+(cherry picked from commit 8986ecc0ef58c96eec48d8502c048f3ab67fd8e2)
+
+Verify the cr3 address stored in vcpu->arch.cr3 points to an existing
+memslot. If not, inject a triple fault.
+
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/mmu.c |   25 ++++++++++++++++++++++---
+ arch/x86/kvm/x86.c |    1 +
+ 2 files changed, 23 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -1350,7 +1350,19 @@ static void mmu_free_roots(struct kvm_vc
+       vcpu->arch.mmu.root_hpa = INVALID_PAGE;
+ }
+-static void mmu_alloc_roots(struct kvm_vcpu *vcpu)
++static int mmu_check_root(struct kvm_vcpu *vcpu, gfn_t root_gfn)
++{
++      int ret = 0;
++
++      if (!kvm_is_visible_gfn(vcpu->kvm, root_gfn)) {
++              set_bit(KVM_REQ_TRIPLE_FAULT, &vcpu->requests);
++              ret = 1;
++      }
++
++      return ret;
++}
++
++static int mmu_alloc_roots(struct kvm_vcpu *vcpu)
+ {
+       int i;
+       gfn_t root_gfn;
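Review bot: mmu_check_root() and the new `int` return of mmu_alloc_roots() use 1 for failure rather than a negative errno, and no comment explains the convention or the side effect of setting KVM_REQ_TRIPLE_FAULT. kvm_mmu_load() passes that value on through `r`, so its callers see a positive return whose meaning is stated nowhere in the visible code. A comment above the helper would cover it: `/* returns 1 and requests a triple fault if root_gfn fails kvm_is_visible_gfn() */`. The helper can also drop the `ret` local by returning 1 inside the `if` and 0 after it.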
+@@ -1365,13 +1377,15 @@ static void mmu_alloc_roots(struct kvm_v
+               ASSERT(!VALID_PAGE(root));
+               if (tdp_enabled)
+                       metaphysical = 1;
++              if (mmu_check_root(vcpu, root_gfn))
++                      return 1;
+               sp = kvm_mmu_get_page(vcpu, root_gfn, 0,
+                                     PT64_ROOT_LEVEL, metaphysical,
+                                     ACC_ALL, NULL);
+               root = __pa(sp->spt);
+               ++sp->root_count;
+               vcpu->arch.mmu.root_hpa = root;
+-              return;
++              return 0;
+       }
+       metaphysical = !is_paging(vcpu);
+       if (tdp_enabled)
+@@ -1388,6 +1402,8 @@ static void mmu_alloc_roots(struct kvm_v
+                       root_gfn = vcpu->arch.pdptrs[i] >> PAGE_SHIFT;
+               } else if (vcpu->arch.mmu.root_level == 0)
+                       root_gfn = 0;
++              if (mmu_check_root(vcpu, root_gfn))
++                      return 1;
+               sp = kvm_mmu_get_page(vcpu, root_gfn, i << 30,
+                                     PT32_ROOT_LEVEL, metaphysical,
+                                     ACC_ALL, NULL);
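Review bot: In the PAE loop, `return 1` from a failed mmu_check_root() on a later iteration leaves the pae_root[] entries written by earlier iterations in place, while vcpu->arch.mmu.root_hpa is never assigned on this path. Whether those earlier shadow pages are released afterwards depends on how mmu_free_roots() treats an unset root_hpa, and only the tail of that function is visible here. If it returns early, the pages may never be released; unwinding the entries already set before returning, or checking every root gfn before allocating any, would avoid that. The loop header and the rest of mmu_alloc_roots() are outside the hunk.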
+@@ -1396,6 +1412,7 @@ static void mmu_alloc_roots(struct kvm_v
+               vcpu->arch.mmu.pae_root[i] = root | PT_PRESENT_MASK;
+       }
+       vcpu->arch.mmu.root_hpa = __pa(vcpu->arch.mmu.pae_root);
++      return 0;
+ }
+ static gpa_t nonpaging_gva_to_gpa(struct kvm_vcpu *vcpu, gva_t vaddr)
+@@ -1639,8 +1656,10 @@ int kvm_mmu_load(struct kvm_vcpu *vcpu)
+               goto out;
+       spin_lock(&vcpu->kvm->mmu_lock);
+       kvm_mmu_free_some_pages(vcpu);
+-      mmu_alloc_roots(vcpu);
++      r = mmu_alloc_roots(vcpu);
+       spin_unlock(&vcpu->kvm->mmu_lock);
++      if (r)
++              goto out;
+       kvm_x86_ops->set_cr3(vcpu, vcpu->arch.mmu.root_hpa);
+       kvm_mmu_flush_tlb(vcpu);
+ out:
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4073,6 +4073,7 @@ int kvm_arch_set_memory_region(struct kv
+ void kvm_arch_flush_shadow(struct kvm *kvm)
+ {
+       kvm_mmu_zap_all(kvm);
++      kvm_reload_remote_mmus(kvm);
+ }
+ int kvm_arch_vcpu_runnable(struct kvm_vcpu *vcpu)
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:55 2009
+Message-Id: <20090904200855.017632732@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:44 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Marcelo Tosatti <mtosatti@redhat.com>,
+ avi@redhat.com
+Subject: [patch 32/48] KVM: MMU: protect kvm_mmu_change_mmu_pages with mmu_lock
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kvm-mmu-protect-kvm_mmu_change_mmu_pages-with-mmu_lock.patch
+Content-Length: 2209
+Lines: 78
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Marcelo Tosatti <mtosatti@redhat.com>
+
+(cherry picked from commit 7c8a83b75a38a807d37f5a4398eca2a42c8cf513)
+
+kvm_handle_hva, called by MMU notifiers, manipulates mmu data only with
+the protection of mmu_lock.
+
+Update kvm_mmu_change_mmu_pages callers to take mmu_lock, thus protecting
+against kvm_handle_hva.
+
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ arch/x86/kvm/mmu.c |    2 --
+ arch/x86/kvm/x86.c |    6 ++++++
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2059,7 +2059,6 @@ void kvm_mmu_slot_remove_write_access(st
+ {
+       struct kvm_mmu_page *sp;
+-      spin_lock(&kvm->mmu_lock);
+       list_for_each_entry(sp, &kvm->arch.active_mmu_pages, link) {
+               int i;
+               u64 *pt;
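Review bot: With the spin_lock()/spin_unlock() pair removed here and in the following hunk, kvm_mmu_slot_remove_write_access() walks active_mmu_pages and clears PT_WRITABLE_MASK with no lock of its own, and nothing at the definition says that the caller must hold kvm->mmu_lock. The callers changed in the x86.c hunks do take it, but a future caller has no way to learn the requirement from this function. Adding `assert_spin_locked(&kvm->mmu_lock);` at the top, or at least `/* caller must hold kvm->mmu_lock */`, would catch an unlocked call.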
+@@ -2074,7 +2073,6 @@ void kvm_mmu_slot_remove_write_access(st
+                               pt[i] &= ~PT_WRITABLE_MASK;
+       }
+       kvm_flush_remote_tlbs(kvm);
+-      spin_unlock(&kvm->mmu_lock);
+ }
+ void kvm_mmu_zap_all(struct kvm *kvm)
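Review bot: `kvm_flush_remote_tlbs(kvm)` stays at the end of kvm_mmu_slot_remove_write_access(), which after this patch runs with the caller's mmu_lock held, and both callers in x86.c (kvm_vm_ioctl_get_dirty_log() and kvm_arch_set_memory_region()) call `kvm_flush_remote_tlbs(kvm)` again right after dropping the lock. One of the two flushes looks redundant. The duplicate may be kept on purpose to stay close to upstream in a stable backport, but a comment naming the flush that is required would help; whether issuing it under the spinlock is acceptable cannot be judged from these lines.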
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1454,10 +1454,12 @@ static int kvm_vm_ioctl_set_nr_mmu_pages
+               return -EINVAL;
+       down_write(&kvm->slots_lock);
++      spin_lock(&kvm->mmu_lock);
+       kvm_mmu_change_mmu_pages(kvm, kvm_nr_mmu_pages);
+       kvm->arch.n_requested_mmu_pages = kvm_nr_mmu_pages;
++      spin_unlock(&kvm->mmu_lock);
+       up_write(&kvm->slots_lock);
+       return 0;
+ }
+@@ -1624,7 +1626,9 @@ int kvm_vm_ioctl_get_dirty_log(struct kv
+       /* If nothing is dirty, don't bother messing with page tables. */
+       if (is_dirty) {
++              spin_lock(&kvm->mmu_lock);
+               kvm_mmu_slot_remove_write_access(kvm, log->slot);
++              spin_unlock(&kvm->mmu_lock);
+               kvm_flush_remote_tlbs(kvm);
+               memslot = &kvm->memslots[log->slot];
+               n = ALIGN(memslot->npages, BITS_PER_LONG) / 8;
+@@ -4059,12 +4063,14 @@ int kvm_arch_set_memory_region(struct kv
+               }
+       }
++      spin_lock(&kvm->mmu_lock);
+       if (!kvm->arch.n_requested_mmu_pages) {
+               unsigned int nr_mmu_pages = kvm_mmu_calculate_mmu_pages(kvm);
+               kvm_mmu_change_mmu_pages(kvm, nr_mmu_pages);
+       }
+       kvm_mmu_slot_remove_write_access(kvm, mem->slot);
++      spin_unlock(&kvm->mmu_lock);
+       kvm_flush_remote_tlbs(kvm);
+       return 0;
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:55 2009
+Message-Id: <20090904200855.152815284@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:45 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Eric Dumazet <eric.dumazet@gmail.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 33/48] appletalk: fix atalk_getname() leak
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=appletalk-fix-atalk_getname-leak.patch
+Content-Length: 676
+Lines: 25
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 3d392475c873c10c10d6d96b94d092a34ebd4791 upstream.
+
+atalk_getname() can leak 8 bytes of kernel memory to user
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/appletalk/ddp.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1245,6 +1245,7 @@ static int atalk_getname(struct socket *
+                       return -ENOBUFS;
+       *uaddr_len = sizeof(struct sockaddr_at);
++      memset(&sat.sat_zero, 0, sizeof(sat.sat_zero));
+       if (peer) {
+               if (sk->sk_state != TCP_ESTABLISHED)
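Review bot: The added memset() clears only `sat.sat_zero`, so any compiler-inserted padding elsewhere in struct sockaddr_at would still carry uninitialised kernel bytes to user space; the structure layout is not visible in this hunk, so this needs checking against the definition. Clearing the whole object, as the raw_getname() patch in this series does for sockaddr_can, removes the question: `memset(&sat, 0, sizeof(sat));`. The rest of atalk_getname(), including the copy into uaddr, is outside the hunk.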
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:55 2009
+Message-Id: <20090904200855.314980155@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:46 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Eric Dumazet <eric.dumazet@gmail.com>,
+ Oliver Hartkopp <oliver@hartkopp.net>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 34/48] can: Fix raw_getname() leak
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=can-fix-raw_getname-leak.patch
+Content-Length: 768
+Lines: 29
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit e84b90ae5eb3c112d1f208964df1d8156a538289 upstream.
+
+raw_getname() can leak 10 bytes of kernel memory to user
+
+(two bytes hole between can_family and can_ifindex,
+8 bytes at the end of sockaddr_can structure)
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Acked-by: Oliver Hartkopp <oliver@hartkopp.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/can/raw.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -396,6 +396,7 @@ static int raw_getname(struct socket *so
+       if (peer)
+               return -EOPNOTSUPP;
++      memset(addr, 0, sizeof(*addr));
+       addr->can_family  = AF_CAN;
+       addr->can_ifindex = ro->ifindex;
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:55 2009
+Message-Id: <20090904200855.459975543@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:47 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk
+Subject: [patch 35/48] do_sigaltstack: avoid copying stack_t as a structure to user space
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-user-space.patch
+Content-Length: 1855
+Lines: 62
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 0083fc2c50e6c5127c2802ad323adf8143ab7856 upstream.
+
+Ulrich Drepper correctly points out that there is generally padding in
+the structure on 64-bit hosts, and that copying the structure from
+kernel to user space can leak information from the kernel stack in those
+padding bytes.
+
+Avoid the whole issue by just copying the three members one by one
+instead, which also means that the function also can avoid the need for
+a stack frame.  This also happens to match how we copy the new structure
+from user space, so it all even makes sense.
+
+[ The obvious solution of adding a memset() generates horrid code, gcc
+  does really stupid things. ]
+
+Reported-by: Ulrich Drepper <drepper@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/signal.c |   15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2353,11 +2353,9 @@ do_sigaltstack (const stack_t __user *us
+       stack_t oss;
+       int error;
+-      if (uoss) {
+-              oss.ss_sp = (void __user *) current->sas_ss_sp;
+-              oss.ss_size = current->sas_ss_size;
+-              oss.ss_flags = sas_ss_flags(sp);
+-      }
++      oss.ss_sp = (void __user *) current->sas_ss_sp;
++      oss.ss_size = current->sas_ss_size;
++      oss.ss_flags = sas_ss_flags(sp);
+       if (uss) {
+               void __user *ss_sp;
+@@ -2400,13 +2398,16 @@ do_sigaltstack (const stack_t __user *us
+               current->sas_ss_size = ss_size;
+       }
++      error = 0;
+       if (uoss) {
+               error = -EFAULT;
+-              if (copy_to_user(uoss, &oss, sizeof(oss)))
++              if (!access_ok(VERIFY_WRITE, uoss, sizeof(*uoss)))
+                       goto out;
++              error = __put_user(oss.ss_sp, &uoss->ss_sp) |
++                      __put_user(oss.ss_size, &uoss->ss_size) |
++                      __put_user(oss.ss_flags, &uoss->ss_flags);
+       }
+-      error = 0;
+ out:
+       return error;
+ }
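Review bot: The combined `error = __put_user(...) | __put_user(...) | __put_user(...)` yields a valid errno only because each call returns either 0 or the same -EFAULT, and nothing at the assignment says so. A one-line comment above it would keep a later edit from mixing in a helper with a different error value, for example `/* each __put_user() returns 0 or -EFAULT, so OR-ing the results is still a valid errno */`. do_sigaltstack begins above the hunk.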
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:55 2009
+Message-Id: <20090904200855.571467442@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:48 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Eric Dumazet <eric.dumazet@gmail.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 36/48] econet: Fix econet_getname() leak
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=econet-fix-econet_getname-leak.patch
+Content-Length: 619
+Lines: 25
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 80922bbb12a105f858a8f0abb879cb4302d0ecaa upstream.
+
+econet_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/econet/af_econet.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -520,6 +520,7 @@ static int econet_getname(struct socket 
+       if (peer)
+               return -EOPNOTSUPP;
++      memset(sec, 0, sizeof(*sec));
+       mutex_lock(&econet_mutex);
+       sk = sock->sk;
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:55 2009
+Message-Id: <20090904200855.729494368@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:49 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Eric Dumazet <eric.dumazet@gmail.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 37/48] irda: Fix irda_getname() leak
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=irda-fix-irda_getname-leak.patch
+Content-Length: 672
+Lines: 25
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 09384dfc76e526c3993c09c42e016372dc9dd22c upstream.
+
+irda_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/irda/af_irda.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -714,6 +714,7 @@ static int irda_getname(struct socket *s
+       struct sock *sk = sock->sk;
+       struct irda_sock *self = irda_sk(sk);
++      memset(&saddr, 0, sizeof(saddr));
+       if (peer) {
+               if (sk->sk_state != TCP_ESTABLISHED)
+                       return -ENOTCONN;
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:56 2009
+Message-Id: <20090904200855.890096059@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:50 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Robert Peterson <rpeterso@redhat.com>,
+ Oleg Nesterov <oleg@redhat.com>,
+ Rusty Russell <rusty@rustcorp.com.au>
+Subject: [patch 38/48] kthreads: fix kthread_create() vs kthread_stop() race
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=kthreads-fix-kthread_create-vs-kthread_stop-race.patch
+Content-Length: 1556
+Lines: 43
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Oleg Nesterov <oleg@redhat.com>
+
+The bug should be "accidently" fixed by recent changes in 2.6.31,
+all kernels <= 2.6.30 need the fix. The problem was never noticed before,
+it was found because it causes mysterious failures with GFS mount/umount.
+
+Credits to Robert Peterson. He blaimed kthread.c from the very beginning.
+But, despite my promise, I forgot to inspect the old implementation until
+he did a lot of testing and reminded me. This led to huge delay in fixing
+this bug.
+
+kthread_stop() does put_task_struct(k) before it clears kthread_stop_info.k.
+This means another kthread_create() can re-use this task_struct, but the
+new kthread can still see kthread_should_stop() == T and exit even without
+calling threadfn().
+
+Reported-by: Robert Peterson <rpeterso@redhat.com>
+Tested-by: Robert Peterson <rpeterso@redhat.com>
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Rusty Russell <rusty@rustcorp.com.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/kthread.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/kthread.c
++++ b/kernel/kthread.c
+@@ -213,12 +213,12 @@ int kthread_stop(struct task_struct *k)
+       /* Now set kthread_should_stop() to true, and wake it up. */
+       kthread_stop_info.k = k;
+       wake_up_process(k);
+-      put_task_struct(k);
+       /* Once it dies, reset stop ptr, gather result and we're done. */
+       wait_for_completion(&kthread_stop_info.done);
+       kthread_stop_info.k = NULL;
+       ret = kthread_stop_info.err;
++      put_task_struct(k);
+       mutex_unlock(&kthread_stop_lock);
+       return ret;
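Review bot: The moved `put_task_struct(k)` is now order-sensitive, but nothing in the code records why it must come after `kthread_stop_info.k = NULL`. The changelog gives the reason, and a comment on the call would keep it from being moved back, for example `/* drop the ref only after the stop pointer is cleared, or a reused task_struct can see a stale kthread_should_stop() */`. kthread_stop starts and ends outside the hunk.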
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:56 2009
+Message-Id: <20090904200856.062588101@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:51 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Jiri Slaby <jirislaby@gmail.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 39/48] NET: llc, zero sockaddr_llc struct
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=net-llc-zero-sockaddr_llc-struct.patch
+Content-Length: 690
+Lines: 26
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Jiri Slaby <jirislaby@gmail.com>
+
+commit 28e9fc592cb8c7a43e4d3147b38be6032a0e81bc upstream.
+
+sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc
+before copying to the above layer's structure.
+
+Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/llc/af_llc.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -915,6 +915,7 @@ static int llc_ui_getname(struct socket 
+       struct llc_sock *llc = llc_sk(sk);
+       int rc = 0;
++      memset(&sllc, 0, sizeof(sllc));
+       lock_sock(sk);
+       if (sock_flag(sk, SOCK_ZAPPED))
+               goto out;
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:56 2009
+Message-Id: <20090904200856.202001072@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:52 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Eric Dumazet <eric.dumazet@gmail.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 40/48] netrom: Fix nr_getname() leak
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=netrom-fix-nr_getname-leak.patch
+Content-Length: 796
+Lines: 25
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit f6b97b29513950bfbf621a83d85b6f86b39ec8db upstream.
+
+nr_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netrom/af_netrom.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -848,6 +848,7 @@ static int nr_getname(struct socket *soc
+               sax->fsa_ax25.sax25_family = AF_NETROM;
+               sax->fsa_ax25.sax25_ndigis = 1;
+               sax->fsa_ax25.sax25_call   = nr->user_addr;
++              memset(sax->fsa_digipeater, 0, sizeof(sax->fsa_digipeater));
+               sax->fsa_digipeater[0]     = nr->dest_addr;
+               *uaddr_len = sizeof(struct full_sockaddr_ax25);
+       } else {
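Review bot: The added memset clears only `fsa_digipeater`, so any padding inside `sax->fsa_ax25` keeps whatever the buffer held, and the `else` branch that follows the hunk gets no clearing from this change. Whether `struct sockaddr_ax25` contains padding is not visible here and should be checked against the header. If it does, clearing the address once before the branch, for example `memset(&sax->fsa_ax25, 0, sizeof(sax->fsa_ax25));`, would cover both paths. nr_getname starts and ends outside the hunk.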
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:56 2009
+Message-Id: <20090904200856.335297402@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:53 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Sunil Mushran <sunil.mushran@oracle.com>,
+ Joel Becker <joel.becker@oracle.com>
+Subject: [patch 41/48] ocfs2: Initialize the cluster were writing to in a non-sparse extend
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=ocfs2-initialize-the-cluster-we-re-writing-to-in-a-non-sparse-extend.patch
+Content-Length: 5295
+Lines: 183
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Sunil Mushran <sunil.mushran@oracle.com>
+
+commit e7432675f8ca868a4af365759a8d4c3779a3d922 upstream.
+
+In a non-sparse extend, we correctly allocate (and zero) the clusters between
+the old_i_size and pos, but we don't zero the portions of the cluster we're
+writing to outside of pos<->len.
+
+It handles clustersize > pagesize and blocksize < pagesize.
+
+[Cleaned up by Joel Becker.]
+
+Signed-off-by: Sunil Mushran <sunil.mushran@oracle.com>
+Signed-off-by: Joel Becker <joel.becker@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ocfs2/aops.c |   64 ++++++++++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 46 insertions(+), 18 deletions(-)
+
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -908,18 +908,17 @@ struct ocfs2_write_cluster_desc {
+        */
+       unsigned        c_new;
+       unsigned        c_unwritten;
++      unsigned        c_needs_zero;
+ };
+-static inline int ocfs2_should_zero_cluster(struct ocfs2_write_cluster_desc *d)
+-{
+-      return d->c_new || d->c_unwritten;
+-}
+-
+ struct ocfs2_write_ctxt {
+       /* Logical cluster position / len of write */
+       u32                             w_cpos;
+       u32                             w_clen;
++      /* First cluster allocated in a nonsparse extend */
++      u32                             w_first_new_cpos;
++
+       struct ocfs2_write_cluster_desc w_desc[OCFS2_MAX_CLUSTERS_PER_PAGE];
+       /*
+@@ -997,6 +996,7 @@ static int ocfs2_alloc_write_ctxt(struct
+               return -ENOMEM;
+       wc->w_cpos = pos >> osb->s_clustersize_bits;
++      wc->w_first_new_cpos = UINT_MAX;
+       cend = (pos + len - 1) >> osb->s_clustersize_bits;
+       wc->w_clen = cend - wc->w_cpos + 1;
+       get_bh(di_bh);
+@@ -1239,13 +1239,11 @@ static int ocfs2_write_cluster(struct ad
+                              struct ocfs2_write_ctxt *wc, u32 cpos,
+                              loff_t user_pos, unsigned user_len)
+ {
+-      int ret, i, new, should_zero = 0;
++      int ret, i, new;
+       u64 v_blkno, p_blkno;
+       struct inode *inode = mapping->host;
+       new = phys == 0 ? 1 : 0;
+-      if (new || unwritten)
+-              should_zero = 1;
+       if (new) {
+               u32 tmp_pos;
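Review bot: The local `should_zero` is removed here and the ocfs2_write_cluster_by_desc hunk passes `desc->c_needs_zero` as an extra argument, but no hunk in this patch adds a matching parameter to ocfs2_write_cluster(). The first parameter lines sit just above this hunk and are not shown, so this needs confirming against the 2.6.27 tree. If the signature is unchanged, the call no longer matches it and any remaining use of `should_zero` in the body is undeclared; the missing line would be something like `unsigned int should_zero,` in the parameter list. The same check applies to `wc` in the ocfs2_expand_nonsparse_inode hunk, which assigns `wc->w_first_new_cpos` without a visible declaration of `wc`.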
+@@ -1356,7 +1354,9 @@ static int ocfs2_write_cluster_by_desc(s
+                       local_len = osb->s_clustersize - cluster_off;
+               ret = ocfs2_write_cluster(mapping, desc->c_phys,
+-                                        desc->c_unwritten, data_ac, meta_ac,
++                                        desc->c_unwritten,
++                                        desc->c_needs_zero,
++                                        data_ac, meta_ac,
+                                         wc, desc->c_cpos, pos, local_len);
+               if (ret) {
+                       mlog_errno(ret);
+@@ -1406,14 +1406,14 @@ static void ocfs2_set_target_boundaries(
+                * newly allocated cluster.
+                */
+               desc = &wc->w_desc[0];
+-              if (ocfs2_should_zero_cluster(desc))
++              if (desc->c_needs_zero)
+                       ocfs2_figure_cluster_boundaries(osb,
+                                                       desc->c_cpos,
+                                                       &wc->w_target_from,
+                                                       NULL);
+               desc = &wc->w_desc[wc->w_clen - 1];
+-              if (ocfs2_should_zero_cluster(desc))
++              if (desc->c_needs_zero)
+                       ocfs2_figure_cluster_boundaries(osb,
+                                                       desc->c_cpos,
+                                                       NULL,
+@@ -1481,13 +1481,28 @@ static int ocfs2_populate_write_desc(str
+                       phys++;
+               }
++              /*
++               * If w_first_new_cpos is < UINT_MAX, we have a non-sparse
++               * file that got extended.  w_first_new_cpos tells us
++               * where the newly allocated clusters are so we can
++               * zero them.
++               */
++              if (desc->c_cpos >= wc->w_first_new_cpos) {
++                      BUG_ON(phys == 0);
++                      desc->c_needs_zero = 1;
++              }
++
+               desc->c_phys = phys;
+               if (phys == 0) {
+                       desc->c_new = 1;
++                      desc->c_needs_zero = 1;
+                       *clusters_to_alloc = *clusters_to_alloc + 1;
+               }
+-              if (ext_flags & OCFS2_EXT_UNWRITTEN)
++
++              if (ext_flags & OCFS2_EXT_UNWRITTEN) {
+                       desc->c_unwritten = 1;
++                      desc->c_needs_zero = 1;
++              }
+               num_clusters--;
+       }
+@@ -1644,10 +1659,13 @@ static int ocfs2_expand_nonsparse_inode(
+       if (newsize <= i_size_read(inode))
+               return 0;
+-      ret = ocfs2_extend_no_holes(inode, newsize, newsize - len);
++      ret = ocfs2_extend_no_holes(inode, newsize, pos);
+       if (ret)
+               mlog_errno(ret);
++      wc->w_first_new_cpos =
++              ocfs2_clusters_for_bytes(inode->i_sb, i_size_read(inode));
++
+       return ret;
+ }
+@@ -1656,7 +1674,7 @@ int ocfs2_write_begin_nolock(struct addr
+                            struct page **pagep, void **fsdata,
+                            struct buffer_head *di_bh, struct page *mmap_page)
+ {
+-      int ret, credits = OCFS2_INODE_UPDATE_CREDITS;
++      int ret, cluster_of_pages, credits = OCFS2_INODE_UPDATE_CREDITS;
+       unsigned int clusters_to_alloc, extents_to_split;
+       struct ocfs2_write_ctxt *wc;
+       struct inode *inode = mapping->host;
+@@ -1724,8 +1742,19 @@ int ocfs2_write_begin_nolock(struct addr
+       }
+-      ocfs2_set_target_boundaries(osb, wc, pos, len,
+-                                  clusters_to_alloc + extents_to_split);
++      /*
++       * We have to zero sparse allocated clusters, unwritten extent clusters,
++       * and non-sparse clusters we just extended.  For non-sparse writes,
++       * we know zeros will only be needed in the first and/or last cluster.
++       */
++      if (clusters_to_alloc || extents_to_split ||
++          wc->w_desc[0].c_needs_zero ||
++          wc->w_desc[wc->w_clen - 1].c_needs_zero)
++              cluster_of_pages = 1;
++      else
++              cluster_of_pages = 0;
++
++      ocfs2_set_target_boundaries(osb, wc, pos, len, cluster_of_pages);
+       handle = ocfs2_start_trans(osb, credits);
+       if (IS_ERR(handle)) {
+@@ -1753,8 +1782,7 @@ int ocfs2_write_begin_nolock(struct addr
+        * extent.
+        */
+       ret = ocfs2_grab_pages_for_write(mapping, wc, wc->w_cpos, pos,
+-                                       clusters_to_alloc + extents_to_split,
+-                                       mmap_page);
++                                       cluster_of_pages, mmap_page);
+       if (ret) {
+               mlog_errno(ret);
+               goto out_commit;
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:56 2009
+Message-Id: <20090904200856.494481884@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:54 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Eric Dumazet <eric.dumazet@gmail.com>,
+ "David S. Miller" <davem@davemloft.net>
+Subject: [patch 42/48] rose: Fix rose_getname() leak
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=rose-fix-rose_getname-leak.patch
+Content-Length: 656
+Lines: 25
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 17ac2e9c58b69a1e25460a568eae1b0dc0188c25 upstream.
+
+rose_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/rose/af_rose.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -957,6 +957,7 @@ static int rose_getname(struct socket *s
+       struct rose_sock *rose = rose_sk(sk);
+       int n;
++      memset(srose, 0, sizeof(*srose));
+       if (peer != 0) {
+               if (sk->sk_state != TCP_ESTABLISHED)
+                       return -ENOTCONN;
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:56 2009
+Message-Id: <20090904200856.656372719@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:55 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Takashi Iwai <tiwai@suse.de>
+Subject: [patch 43/48] ALSA: hda - Add missing vmaster initialization for ALC269
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=alsa-hda-add-missing-vmaster-initialization-for-alc269.patch
+Content-Length: 821
+Lines: 30
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 100d5eb36ba20dc0b99a17ea2b9800c567bfc3d1 upstream.
+
+Without the initialization of vmaster NID, the dB information got
+confused for ALC269 codec.
+
+Reference: Novell bnc#527361
+       https://bugzilla.novell.com/show_bug.cgi?id=527361
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/pci/hda/patch_realtek.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11640,6 +11640,8 @@ static int patch_alc269(struct hda_codec
+       spec->num_adc_nids = ARRAY_SIZE(alc269_adc_nids);
+       spec->capsrc_nids = alc269_capsrc_nids;
++      spec->vmaster_nid = 0x02;
++
+       codec->patch_ops = alc_patch_ops;
+       if (board_config == ALC269_AUTO)
+               spec->init_hook = alc269_auto_init;
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:56 2009
+Message-Id: <20090904200856.789824376@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:56 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Alan Cox <alan@linux.intel.com>,
+ Chuck Ebbert <cebbert@redhat.com>
+Subject: [patch 44/48] parport: quickfix the proc registration bug
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=parport-quickfix-the-proc-registration-bug.patch
+Content-Length: 2089
+Lines: 72
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Alan Cox <alan@etchedpixels.co.uk>
+
+commit 05ad709d04799125ed85dd816fdb558258102172 upstream
+
+parport: quickfix the proc registration bug
+
+Ideally we should have a directory of drivers and a link to the 'active'
+driver. For now just show the first device which is effectively the existing
+semantics without a warning.
+
+This is an update on the original buggy patch that I then forgot to
+resubmit. Confusingly it was proposed by Red Hat, written by Etched Pixels
+fixed and submitted by Intel ...
+
+Resolves-Bug: http://bugzilla.kernel.org/show_bug.cgi?id=9749
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+---
+ drivers/parport/share.c |   13 ++++++++++---
+ include/linux/parport.h |    4 ++++
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/parport/share.c
++++ b/drivers/parport/share.c
+@@ -614,7 +614,10 @@ parport_register_device(struct parport *
+        * pardevice fields. -arca
+        */
+       port->ops->init_state(tmp, tmp->state);
+-      parport_device_proc_register(tmp);
++      if (!test_and_set_bit(PARPORT_DEVPROC_REGISTERED, &port->devflags)) {
++              port->proc_device = tmp;
++              parport_device_proc_register(tmp);
++      }
+       return tmp;
+  out_free_all:
+@@ -646,10 +649,14 @@ void parport_unregister_device(struct pa
+       }
+ #endif
+-      parport_device_proc_unregister(dev);
+-
+       port = dev->port->physport;
++      if (port->proc_device == dev) {
++              port->proc_device = NULL;
++              clear_bit(PARPORT_DEVPROC_REGISTERED, &port->devflags);
++              parport_device_proc_unregister(dev);
++      }
++
+       if (port->cad == dev) {
+               printk(KERN_DEBUG "%s: %s forgot to release port\n",
+                      port->name, dev->name);
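Review bot: The registration hunk sets the flag and `proc_device` on `port`, while this hunk tests and clears them on `dev->port->physport`. If a device can be registered on a port whose `physport` is a different struct, the two sides never meet and the proc entry is never unregistered. Whether `port` is already the physical port at the registration site is not visible in either hunk; using the same object on both sides, e.g. `port->physport->devflags` and `port->physport->proc_device` in parport_register_device, would remove the doubt. Separately, `port->proc_device = tmp;` is stored after `test_and_set_bit()` with no lock visible, so a comment naming what orders it against parport_unregister_device would help. Both functions extend outside their hunks.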
+--- a/include/linux/parport.h
++++ b/include/linux/parport.h
+@@ -326,6 +326,10 @@ struct parport {
+       int spintime;
+       atomic_t ref_count;
++      unsigned long devflags;
++#define PARPORT_DEVPROC_REGISTERED    0
++      struct pardevice *proc_device;  /* Currently register proc device */
++
+       struct list_head full_list;
+       struct parport *slaves[3];
+ };
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:57 2009
+Message-Id: <20090904200856.961519803@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:57 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Oliver Neukum <oliver@neukum.org>,
+ Chuck Ebbert <cebbert@redhat.com>
+Subject: [patch 45/48] USB: removal of tty->low_latency hack dating back to the old serial code
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=usb-removal-of-tty-low_latency-hack-dating-back-to-the-old-serial-code.patch
+Content-Length: 12356
+Lines: 372
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Oliver Neukum <oliver@neukum.org>
+
+commit 2400a2bfbd0e912193fe3b077f492d4980141813 upstream
+
+
+[ cebbert@redhat.com: backport to 2.6.27 ]
+
+USB: removal of tty->low_latency hack dating back to the old serial code
+
+This removes tty->low_latency from all USB serial drivers that push
+data into the tty layer at hard interrupt context. It's no longer needed
+and actually harmful.
+
+Signed-off-by: Oliver Neukum <oliver@neukum.org>
+Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/serial/cyberjack.c        |    7 -------
+ drivers/usb/serial/cypress_m8.c       |    4 ----
+ drivers/usb/serial/empeg.c            |    6 ------
+ drivers/usb/serial/garmin_gps.c       |    8 --------
+ drivers/usb/serial/generic.c          |    6 ------
+ drivers/usb/serial/io_edgeport.c      |    8 --------
+ drivers/usb/serial/io_ti.c            |    8 --------
+ drivers/usb/serial/ipaq.c             |    6 ------
+ drivers/usb/serial/ipw.c              |    3 ---
+ drivers/usb/serial/iuu_phoenix.c      |    1 -
+ drivers/usb/serial/kobil_sct.c        |    6 ------
+ drivers/usb/serial/mos7720.c          |    7 -------
+ drivers/usb/serial/mos7840.c          |    6 ------
+ drivers/usb/serial/option.c           |    3 ---
+ drivers/usb/serial/sierra.c           |    3 ---
+ drivers/usb/serial/ti_usb_3410_5052.c |   17 +----------------
+ drivers/usb/serial/visor.c            |    8 --------
+ 17 files changed, 1 insertion(+), 106 deletions(-)
+
+--- a/drivers/usb/serial/cyberjack.c
++++ b/drivers/usb/serial/cyberjack.c
+@@ -174,13 +174,6 @@ static int  cyberjack_open(struct tty_st
+       dbg("%s - usb_clear_halt", __func__);
+       usb_clear_halt(port->serial->dev, port->write_urb->pipe);
+-      /* force low_latency on so that our tty_push actually forces
+-       * the data through, otherwise it is scheduled, and with high
+-       * data rates (like with OHCI) data can get lost.
+-       */
+-      if (tty)
+-              tty->low_latency = 1;
+-
+       priv = usb_get_serial_port_data(port);
+       spin_lock_irqsave(&priv->lock, flags);
+       priv->rdtodo = 0;
+--- a/drivers/usb/serial/cypress_m8.c
++++ b/drivers/usb/serial/cypress_m8.c
+@@ -655,10 +655,6 @@ static int cypress_open(struct tty_struc
+       priv->rx_flags = 0;
+       spin_unlock_irqrestore(&priv->lock, flags);
+-      /* setting to zero could cause data loss */
+-      if (tty)
+-              tty->low_latency = 1;
+-
+       /* raise both lines and set termios */
+       spin_lock_irqsave(&priv->lock, flags);
+       priv->line_control = CONTROL_DTR | CONTROL_RTS;
+--- a/drivers/usb/serial/empeg.c
++++ b/drivers/usb/serial/empeg.c
+@@ -478,12 +478,6 @@ static void empeg_set_termios(struct tty
+       termios->c_cflag
+               |= CS8;         /* character size 8 bits */
+-      /*
+-       * Force low_latency on; otherwise the pushes are scheduled;
+-       * this is bad as it opens up the possibility of dropping bytes
+-       * on the floor.  We don't want to drop bytes on the floor. :)
+-       */
+-      tty->low_latency = 1;
+       tty_encode_baud_rate(tty, 115200, 115200);
+ }
+--- a/drivers/usb/serial/garmin_gps.c
++++ b/drivers/usb/serial/garmin_gps.c
+@@ -972,14 +972,6 @@ static int garmin_open(struct tty_struct
+       dbg("%s - port %d", __func__, port->number);
+-      /*
+-       * Force low_latency on so that our tty_push actually forces the data
+-       * through, otherwise it is scheduled, and with high data rates (like
+-       * with OHCI) data can get lost.
+-       */
+-      if (tty)
+-              tty->low_latency = 1;
+-
+       spin_lock_irqsave(&garmin_data_p->lock, flags);
+       garmin_data_p->mode  = initial_mode;
+       garmin_data_p->count = 0;
+--- a/drivers/usb/serial/generic.c
++++ b/drivers/usb/serial/generic.c
+@@ -122,12 +122,6 @@ int usb_serial_generic_open(struct tty_s
+       dbg("%s - port %d", __func__, port->number);
+-      /* force low_latency on so that our tty_push actually forces the data
+-         through, otherwise it is scheduled, and with high data rates (like
+-         with OHCI) data can get lost. */
+-      if (tty)
+-              tty->low_latency = 1;
+-
+       /* clear the throttle flags */
+       spin_lock_irqsave(&port->lock, flags);
+       port->throttled = 0;
+--- a/drivers/usb/serial/io_edgeport.c
++++ b/drivers/usb/serial/io_edgeport.c
+@@ -193,8 +193,6 @@ static const struct divisor_table_entry 
+ /* local variables */
+ static int debug;
+-static int low_latency = 1;   /* tty low latency flag, on by default */
+-
+ static atomic_t CmdUrbs;      /* Number of outstanding Command Write Urbs */
+@@ -861,9 +859,6 @@ static int edge_open(struct tty_struct *
+       if (edge_port == NULL)
+               return -ENODEV;
+-      if (tty)
+-              tty->low_latency = low_latency;
+-
+       /* see if we've set up our endpoint info yet (can't set it up
+          in edge_startup as the structures were not set up at that time.) */
+       serial = port->serial;
+@@ -3281,6 +3276,3 @@ MODULE_FIRMWARE("edgeport/down2.fw");
+ module_param(debug, bool, S_IRUGO | S_IWUSR);
+ MODULE_PARM_DESC(debug, "Debug enabled or not");
+-
+-module_param(low_latency, bool, S_IRUGO | S_IWUSR);
+-MODULE_PARM_DESC(low_latency, "Low latency enabled or not");
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -76,7 +76,6 @@ struct edgeport_uart_buf_desc {
+ #define EDGE_READ_URB_STOPPING        1
+ #define EDGE_READ_URB_STOPPED 2
+-#define EDGE_LOW_LATENCY      1
+ #define EDGE_CLOSING_WAIT     4000    /* in .01 sec */
+ #define EDGE_OUT_BUF_SIZE     1024
+@@ -232,7 +231,6 @@ static unsigned short OperationalBuildNu
+ static int debug;
+-static int low_latency = EDGE_LOW_LATENCY;
+ static int closing_wait = EDGE_CLOSING_WAIT;
+ static int ignore_cpu_rev;
+ static int default_uart_mode;         /* RS232 */
+@@ -1838,9 +1836,6 @@ static int edge_open(struct tty_struct *
+       if (edge_port == NULL)
+               return -ENODEV;
+-      if (tty)
+-              tty->low_latency = low_latency;
+-
+       port_number = port->number - port->serial->minor;
+       switch (port_number) {
+       case 0:
+@@ -2995,9 +2990,6 @@ MODULE_FIRMWARE("edgeport/down3.bin");
+ module_param(debug, bool, S_IRUGO | S_IWUSR);
+ MODULE_PARM_DESC(debug, "Debug enabled or not");
+-module_param(low_latency, bool, S_IRUGO | S_IWUSR);
+-MODULE_PARM_DESC(low_latency, "Low latency enabled or not");
+-
+ module_param(closing_wait, int, S_IRUGO | S_IWUSR);
+ MODULE_PARM_DESC(closing_wait, "Maximum wait for data to drain, in .01 secs");
+--- a/drivers/usb/serial/ipaq.c
++++ b/drivers/usb/serial/ipaq.c
+@@ -635,13 +635,7 @@ static int ipaq_open(struct tty_struct *
+               priv->free_len += PACKET_SIZE;
+       }
+-      /*
+-       * Force low latency on. This will immediately push data to the line
+-       * discipline instead of queueing.
+-       */
+-
+       if (tty) {
+-              tty->low_latency = 1;
+               /* FIXME: These two are bogus */
+               tty->raw = 1;
+               tty->real_raw = 1;
+--- a/drivers/usb/serial/ipw.c
++++ b/drivers/usb/serial/ipw.c
+@@ -206,9 +206,6 @@ static int ipw_open(struct tty_struct *t
+       if (!buf_flow_init)
+               return -ENOMEM;
+-      if (tty)
+-              tty->low_latency = 1;
+-
+       /* --1: Tell the modem to initialize (we think) From sniffs this is
+        *      always the first thing that gets sent to the modem during
+        *      opening of the device */
+--- a/drivers/usb/serial/iuu_phoenix.c
++++ b/drivers/usb/serial/iuu_phoenix.c
+@@ -1046,7 +1046,6 @@ static int iuu_open(struct tty_struct *t
+               tty->termios->c_oflag = 0;
+               tty->termios->c_iflag = 0;
+               priv->termios_initialized = 1;
+-              tty->low_latency = 1;
+               priv->poll = 0;
+        }
+       spin_unlock_irqrestore(&priv->lock, flags);
+--- a/drivers/usb/serial/kobil_sct.c
++++ b/drivers/usb/serial/kobil_sct.c
+@@ -231,13 +231,7 @@ static int kobil_open(struct tty_struct 
+       /* someone sets the dev to 0 if the close method has been called */
+       port->interrupt_in_urb->dev = port->serial->dev;
+-
+-      /* force low_latency on so that our tty_push actually forces
+-       * the data through, otherwise it is scheduled, and with high
+-       * data rates (like with OHCI) data can get lost.
+-       */
+       if (tty) {
+-              tty->low_latency = 1;
+               /* Default to echo off and other sane device settings */
+               tty->termios->c_lflag = 0;
+--- a/drivers/usb/serial/mos7720.c
++++ b/drivers/usb/serial/mos7720.c
+@@ -442,13 +442,6 @@ static int mos7720_open(struct tty_struc
+       data = 0x0c;
+       send_mos_cmd(serial, MOS_WRITE, port_number, 0x01, &data);
+-      /* force low_latency on so that our tty_push actually forces *
+-       * the data through,otherwise it is scheduled, and with      *
+-       * high data rates (like with OHCI) data can get lost.       */
+-
+-      if (tty)
+-              tty->low_latency = 1;
+-
+       /* see if we've set up our endpoint info yet   *
+        * (can't set it up in mos7720_startup as the  *
+        * structures were not set up at that time.)   */
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -990,12 +990,6 @@ static int mos7840_open(struct tty_struc
+       status = mos7840_set_reg_sync(port, mos7840_port->ControlRegOffset,
+                                                                       Data);
+-      /* force low_latency on so that our tty_push actually forces *
+-       * the data through,otherwise it is scheduled, and with      *
+-       * high data rates (like with OHCI) data can get lost.       */
+-      if (tty)
+-              tty->low_latency = 1;
+-
+       /* Check to see if we've set up our endpoint info yet    *
+        * (can't set it up in mos7840_startup as the structures *
+        * were not set up at that time.)                        */
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -914,9 +914,6 @@ static int option_open(struct tty_struct
+                               usb_pipeout(urb->pipe), 0); */
+       }
+-      if (tty)
+-              tty->low_latency = 1;
+-
+       option_send_setup(tty, port);
+       return 0;
+--- a/drivers/usb/serial/sierra.c
++++ b/drivers/usb/serial/sierra.c
+@@ -576,9 +576,6 @@ static int sierra_open(struct tty_struct
+               }
+       }
+-      if (tty)
+-              tty->low_latency = 1;
+-
+       sierra_send_setup(tty, port);
+       /* start up the interrupt endpoint if we have one */
+--- a/drivers/usb/serial/ti_usb_3410_5052.c
++++ b/drivers/usb/serial/ti_usb_3410_5052.c
+@@ -101,11 +101,10 @@
+ #define TI_TRANSFER_TIMEOUT   2
+-#define TI_DEFAULT_LOW_LATENCY        0
+ #define TI_DEFAULT_CLOSING_WAIT       4000            /* in .01 secs */
+ /* supported setserial flags */
+-#define TI_SET_SERIAL_FLAGS   (ASYNC_LOW_LATENCY)
++#define TI_SET_SERIAL_FLAGS   0
+ /* read urb states */
+ #define TI_READ_URB_RUNNING   0
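Review bot: With `TI_SET_SERIAL_FLAGS` now defined as `0`, the mask `new_serial.flags & TI_SET_SERIAL_FLAGS` that ti_set_serial_info keeps (the -1480 hunk further down) always stores 0 in `tp_flags`, so any flags passed through that path are dropped without an error. That looks intended, since ASYNC_LOW_LATENCY was the only flag in the mask, but the bare `0` reads like a placeholder. A comment on the define would make the intent explicit, e.g. `/* no setserial flags are honoured now that ASYNC_LOW_LATENCY is gone */`.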
+@@ -212,7 +211,6 @@ static int ti_buf_get(struct circ_buf *c
+ /* module parameters */
+ static int debug;
+-static int low_latency = TI_DEFAULT_LOW_LATENCY;
+ static int closing_wait = TI_DEFAULT_CLOSING_WAIT;
+ static ushort vendor_3410[TI_EXTRA_VID_PID_COUNT];
+ static unsigned int vendor_3410_count;
+@@ -333,10 +331,6 @@ MODULE_FIRMWARE("ti_5052.fw");
+ module_param(debug, bool, S_IRUGO | S_IWUSR);
+ MODULE_PARM_DESC(debug, "Enable debugging, 0=no, 1=yes");
+-module_param(low_latency, bool, S_IRUGO | S_IWUSR);
+-MODULE_PARM_DESC(low_latency,
+-              "TTY low_latency flag, 0=off, 1=on, default is off");
+-
+ module_param(closing_wait, int, S_IRUGO | S_IWUSR);
+ MODULE_PARM_DESC(closing_wait,
+     "Maximum wait for data to drain in close, in .01 secs, default is 4000");
+@@ -480,7 +474,6 @@ static int ti_startup(struct usb_serial 
+               spin_lock_init(&tport->tp_lock);
+               tport->tp_uart_base_addr = (i == 0 ?
+                               TI_UART1_BASE_ADDR : TI_UART2_BASE_ADDR);
+-              tport->tp_flags = low_latency ? ASYNC_LOW_LATENCY : 0;
+               tport->tp_closing_wait = closing_wait;
+               init_waitqueue_head(&tport->tp_msr_wait);
+               init_waitqueue_head(&tport->tp_write_wait);
+@@ -560,10 +553,6 @@ static int ti_open(struct tty_struct *tt
+       if (mutex_lock_interruptible(&tdev->td_open_close_lock))
+               return -ERESTARTSYS;
+-      if (tty)
+-              tty->low_latency =
+-                              (tport->tp_flags & ASYNC_LOW_LATENCY) ? 1 : 0;
+-
+       port_number = port->number - port->serial->minor;
+       memset(&(tport->tp_icount), 0x00, sizeof(tport->tp_icount));
+@@ -1480,10 +1469,6 @@ static int ti_set_serial_info(struct ti_
+               return -EFAULT;
+       tport->tp_flags = new_serial.flags & TI_SET_SERIAL_FLAGS;
+-      /* FIXME */
+-      if (port->port.tty)
+-              port->port.tty->low_latency =
+-                      (tport->tp_flags & ASYNC_LOW_LATENCY) ? 1 : 0;
+       tport->tp_closing_wait = new_serial.closing_wait;
+       return 0;
+--- a/drivers/usb/serial/visor.c
++++ b/drivers/usb/serial/visor.c
+@@ -296,14 +296,6 @@ static int visor_open(struct tty_struct 
+       priv->throttled = 0;
+       spin_unlock_irqrestore(&priv->lock, flags);
+-      /*
+-       * Force low_latency on so that our tty_push actually forces the data
+-       * through, otherwise it is scheduled, and with high data rates (like
+-       * with OHCI) data can get lost.
+-       */
+-      if (tty)
+-              tty->low_latency = 1;
+-
+       /* Start reading from the device */
+       usb_fill_bulk_urb(port->read_urb, serial->dev,
+                          usb_rcvbulkpipe(serial->dev,
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:57 2009
+Message-Id: <20090904200857.121342149@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:58 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Chuck Ebbert <cebbert@redhat.com>,
+ Alan Cox <alan@linux.intel.com>
+Subject: [patch 46/48] Remove low_latency flag setting from nozomi and mxser drivers
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=remove-low_latency-flag-setting-from-nozomi-and-mxser-drivers.patch
+Content-Length: 1247
+Lines: 47
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Chuck Ebbert <cebbert@redhat.com>
+
+commit 4d8d4d251df8eaaa3dae71c8cfa7fbf4510d967d upstream
+
+[ cebbert@redhat.com: backport to 2.6.27 ]
+
+Remove low_latency flag setting from nozomi and mxser drivers
+
+The kernel oopses if this flag is set.
+
+[and neither driver should set it as they call tty_flip_buffer_push from IRQ
+ paths so have always been buggy]
+
+Signed-off-by: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+---
+ drivers/char/mxser.c  |    2 --
+ drivers/char/nozomi.c |    1 -
+ 2 files changed, 3 deletions(-)
+
+--- a/drivers/char/mxser.c
++++ b/drivers/char/mxser.c
+@@ -1099,8 +1099,6 @@ static int mxser_open(struct tty_struct 
+       if (retval)
+               return retval;
+-      /* unmark here for very high baud rate (ex. 921600 bps) used */
+-      tty->low_latency = 1;
+       return 0;
+ }
+--- a/drivers/char/nozomi.c
++++ b/drivers/char/nozomi.c
+@@ -1584,7 +1584,6 @@ static int ntty_open(struct tty_struct *
+       /* Enable interrupt downlink for channel */
+       if (port->tty_open_count == 1) {
+-              tty->low_latency = 1;
+               tty->driver_data = port;
+               port->tty = tty;
+               DBG1("open: %d", port->token_dl);
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:57 2009
+Message-Id: <20090904200857.279447289@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:07:59 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ James Bottomley <James.Bottomley@HansenPartnership.com>,
+ Chuck Ebbert <cebbert@redhat.com>
+Subject: [patch 47/48] SCSI: sr: report more accurate drive status after closing the tray.
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=scsi-sr-report-more-accurate-drive-status-after-closing-the-tray.patch
+Content-Length: 1580
+Lines: 43
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Peter Jones <pjones@redhat.com>
+
+commit 96bcc722c47d07b6fd05c9d0cb3ab8ea5574c5b1 upstream
+
+[SCSI] sr: report more accurate drive status after closing the tray.
+
+So, what's happening here is that the drive is reporting a sense of
+2/4/1 ("logical unit is becoming ready") from sr_test_unit_ready(), and
+then we ask for the media event notification before checking that result
+at all.  The check_media_event_descriptor() call isn't getting a check
+condition, but it's also reporting that the tray is closed and that
+there's no media.  In actuality it doesn't yet know if there's media or
+not, but there's no way to express that in the media event status field.
+
+My current thought is that if it told us the device isn't yet ready, we
+should return that immediately, since there's nothing that'll tell us
+any more data than that reliably:
+
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+
+---
+ drivers/scsi/sr_ioctl.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/scsi/sr_ioctl.c
++++ b/drivers/scsi/sr_ioctl.c
+@@ -309,6 +309,11 @@ int sr_drive_status(struct cdrom_device_
+       if (0 == sr_test_unit_ready(cd->device, &sshdr))
+               return CDS_DISC_OK;
++      /* SK/ASC/ASCQ of 2/4/1 means "unit is becoming ready" */
++      if (scsi_sense_valid(&sshdr) && sshdr.sense_key == NOT_READY
++                      && sshdr.asc == 0x04 && sshdr.ascq == 0x01)
++              return CDS_DRIVE_NOT_READY;
++
+       if (!cdrom_get_media_event(cdi, &med)) {
+               if (med.media_present)
+                       return CDS_DISC_OK;
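Review bot: The added test reads `sshdr` after a failed sr_test_unit_ready(), which is only safe if every failure path of that call writes the sense header. The declaration of `sshdr` is outside the hunk, so whether it is zero-initialised cannot be confirmed from here. If it is a bare `struct scsi_sense_hdr sshdr;`, clearing it before the call with `memset(&sshdr, 0, sizeof(sshdr));` keeps scsi_sense_valid() from evaluating stack garbage. The body of sr_drive_status starts and ends outside the hunk.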
+
+
+From gregkh@mini.kroah.org Fri Sep  4 13:08:57 2009
+Message-Id: <20090904200857.466721861@mini.kroah.org>
+User-Agent: quilt/0.48-1
+Date: Fri, 04 Sep 2009 13:08:00 -0700
+From: Greg KH <gregkh@suse.de>
+To: linux-kernel@vger.kernel.org,
+ stable@kernel.org
+Cc: stable-review@kernel.org,
+ torvalds@linux-foundation.org,
+ akpm@linux-foundation.org,
+ alan@lxorguk.ukuu.org.uk,
+ Steve Dickson <SteveD@redhat.com>,
+ Trond Myklebust <Trond.Myklebust@netapp.com>
+Subject: [patch 48/48] SUNRPC: Fix tcp reconnection
+References: <20090904200712.724048145@mini.kroah.org>
+Content-Disposition: inline; filename=sunrpc-fix-tcp-reconnection.patch
+Content-Length: 3885
+Lines: 129
+
+
+2.6.27-stable review patch.  If anyone has any objections, please let us know.
+
+------------------
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+This fixes a problem that was reported as Red Hat Bugzilla entry number
+485339, in which rpciod starts looping on the TCP connection code,
+rendering the NFS client unusable for 1/2 minute or so.
+
+It is basically a backport of commit
+f75e6745aa3084124ae1434fd7629853bdaf6798 (SUNRPC: Fix the problem of
+EADDRNOTAVAIL syslog floods on reconnect)
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ include/linux/sunrpc/xprt.h |    1 +
+ net/sunrpc/xprt.c           |    6 ++----
+ net/sunrpc/xprtsock.c       |   37 ++++++++++++++++++++++++++++++++++---
+ 3 files changed, 37 insertions(+), 7 deletions(-)
+
+--- a/include/linux/sunrpc/xprt.h
++++ b/include/linux/sunrpc/xprt.h
+@@ -260,6 +260,7 @@ void                       xprt_conditional_disconnect(struc
+ #define XPRT_BOUND            (4)
+ #define XPRT_BINDING          (5)
+ #define XPRT_CLOSING          (6)
++#define XPRT_CONNECTION_CLOSE (8)
+ static inline void xprt_set_connected(struct rpc_xprt *xprt)
+ {
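Review bot: `XPRT_CONNECTION_CLOSE` takes bit 8 while the preceding state bit, `XPRT_CLOSING`, is 6, and nothing in the hunk says why 7 is skipped. If the gap keeps the numbering in line with the upstream commit this backports, a short comment such as `/* bit 7 left unused to match upstream numbering */` (to be confirmed against upstream) would stop a later cleanup from reusing it. It would also help to note beside the define that the transport's close op consumes the bit to choose a full close over a shutdown, as the new xs_tcp_close() in xprtsock.c does.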
+--- a/net/sunrpc/xprt.c
++++ b/net/sunrpc/xprt.c
+@@ -645,10 +645,8 @@ xprt_init_autodisconnect(unsigned long d
+       if (test_and_set_bit(XPRT_LOCKED, &xprt->state))
+               goto out_abort;
+       spin_unlock(&xprt->transport_lock);
+-      if (xprt_connecting(xprt))
+-              xprt_release_write(xprt, NULL);
+-      else
+-              queue_work(rpciod_workqueue, &xprt->task_cleanup);
++      set_bit(XPRT_CONNECTION_CLOSE, &xprt->state);
++      queue_work(rpciod_workqueue, &xprt->task_cleanup);
+       return;
+ out_abort:
+       spin_unlock(&xprt->transport_lock);
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -748,6 +748,9 @@ out_release:
+  *
+  * This is used when all requests are complete; ie, no DRC state remains
+  * on the server we want to save.
++ *
++ * The caller _must_ be holding XPRT_LOCKED in order to avoid issues with
++ * xs_reset_transport() zeroing the socket from underneath a writer.
+  */
+ static void xs_close(struct rpc_xprt *xprt)
+ {
+@@ -781,6 +784,14 @@ clear_close_wait:
+       xprt_disconnect_done(xprt);
+ }
++static void xs_tcp_close(struct rpc_xprt *xprt)
++{
++      if (test_and_clear_bit(XPRT_CONNECTION_CLOSE, &xprt->state))
++              xs_close(xprt);
++      else
++              xs_tcp_shutdown(xprt);
++}
++
+ /**
+  * xs_destroy - prepare to shutdown a transport
+  * @xprt: doomed transport
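Review bot: `xs_tcp_close()` is added without any comment, although it inherits the locking rule that this same patch documents on `xs_close()`: the caller must hold XPRT_LOCKED. Because it becomes the `.close` op for TCP transports, that requirement now applies to every caller of the op and should be stated where the function is defined. A one-line header would do, e.g. `/* Caller must hold XPRT_LOCKED; does a full close if XPRT_CONNECTION_CLOSE was set, else a shutdown. */`. It is also worth noting there that `test_and_clear_bit()` consumes the flag, so each request for a full close is honoured once.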
+@@ -1676,11 +1687,21 @@ static void xs_tcp_connect_worker4(struc
+                               goto out_clear;
+                       case -ECONNREFUSED:
+                       case -ECONNRESET:
++                      case -ENETUNREACH:
+                               /* retry with existing socket, after a delay */
+-                              break;
++                              goto out_clear;
+                       default:
+                               /* get rid of existing socket, and retry */
+                               xs_tcp_shutdown(xprt);
++                              printk("%s: connect returned unhandled error %d\n",
++                                              __func__, status);
++                      case -EADDRNOTAVAIL:
++                              /* We're probably in TIME_WAIT. Get rid of existing socket,
++                               * and retry
++                               */
++                              set_bit(XPRT_CONNECTION_CLOSE, &xprt->state);
++                              xprt_force_disconnect(xprt);
++                              status = -EAGAIN;
+               }
+       }
+ out:
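Review bot: The new `default:` arm runs straight into `case -EADDRNOTAVAIL:` with no marker, so it is not obvious that an unhandled error calls `xs_tcp_shutdown()` and then also sets XPRT_CONNECTION_CLOSE and forces a disconnect. If that is intended, add `/* fall through */` after the printk. The printk also carries no log level and fires on every unhandled connect error, so a persistent failure can flood the log; `if (printk_ratelimit()) printk(KERN_WARNING "%s: connect returned unhandled error %d\n", __func__, status);` would bound it. Both points apply equally to the identical hunk in xs_tcp_connect_worker6. The switch statement begins outside the hunk.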
+@@ -1735,11 +1756,21 @@ static void xs_tcp_connect_worker6(struc
+                               goto out_clear;
+                       case -ECONNREFUSED:
+                       case -ECONNRESET:
++                      case -ENETUNREACH:
+                               /* retry with existing socket, after a delay */
+-                              break;
++                              goto out_clear;
+                       default:
+                               /* get rid of existing socket, and retry */
+                               xs_tcp_shutdown(xprt);
++                              printk("%s: connect returned unhandled error %d\n",
++                                              __func__, status);
++                      case -EADDRNOTAVAIL:
++                              /* We're probably in TIME_WAIT. Get rid of existing socket,
++                               * and retry
++                               */
++                              set_bit(XPRT_CONNECTION_CLOSE, &xprt->state);
++                              xprt_force_disconnect(xprt);
++                              status = -EAGAIN;
+               }
+       }
+ out:
+@@ -1871,7 +1902,7 @@ static struct rpc_xprt_ops xs_tcp_ops = 
+       .buf_free               = rpc_free,
+       .send_request           = xs_tcp_send_request,
+       .set_retrans_timeout    = xprt_set_retrans_timeout_def,
+-      .close                  = xs_tcp_shutdown,
++      .close                  = xs_tcp_close,
+       .destroy                = xs_destroy,
+       .print_stats            = xs_tcp_print_stats,
+ };
+
+
similarity index 100%
rename from queue-2.6.27/series
rename to review-2.6.27/series