--- /dev/null
+From 3159f372354e8e1f5dee714663d705dd2c7e0759 Mon Sep 17 00:00:00 2001
+From: Sergey Dyasly <dserrg@gmail.com>
+Date: Tue, 24 Sep 2013 16:38:00 +0100
+Subject: ARM: 7840/1: LPAE: don't reject mapping /dev/mem above 4GB
+
+From: Sergey Dyasly <dserrg@gmail.com>
+
+commit 3159f372354e8e1f5dee714663d705dd2c7e0759 upstream.
+
+With LPAE enabled, physical address space is larger than 4GB. Allow mapping any
+part of it via /dev/mem by using PHYS_MASK to determine valid range.
+
+PHYS_MASK covers 40 bits with LPAE enabled and 32 bits otherwise.
+
+Reported-by: Vassili Karpov <av1474@comtv.ru>
+Signed-off-by: Sergey Dyasly <dserrg@gmail.com>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Cc: hujianyang <hujianyang@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mm/mmap.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/mm/mmap.c
++++ b/arch/arm/mm/mmap.c
+@@ -204,13 +204,11 @@ int valid_phys_addr_range(phys_addr_t ad
+ }
+
+ /*
+- * We don't use supersection mappings for mmap() on /dev/mem, which
+- * means that we can't map the memory area above the 4G barrier into
+- * userspace.
++ * Do not allow /dev/mem mappings beyond the supported physical range.
+ */
+ int valid_mmap_phys_addr_range(unsigned long pfn, size_t size)
+ {
+- return !(pfn + (size >> PAGE_SHIFT) > 0x00100000);
++ return (pfn + (size >> PAGE_SHIFT)) <= (1 + (PHYS_MASK >> PAGE_SHIFT));
+ }
+
+ #ifdef CONFIG_STRICT_DEVMEM
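Review bot: The new bound on the last line of valid_mmap_phys_addr_range() is computed as `pfn + (size >> PAGE_SHIFT)` in unsigned long, which can wrap on 32-bit if the caller hands in a pfn near ULONG_MAX, so an out-of-range request could pass the check. Rejecting the pfn first, `if (pfn > (PHYS_MASK >> PAGE_SHIFT)) return 0;`, removes the wrap because the remaining sum is then bounded by the 40-bit physical range plus a 32-bit size. Whether such a pfn can reach here presumably depends on how the /dev/mem mmap handler derives it from the file offset, which is not visible in this hunk; the STRICT_DEVMEM code that follows is a separate gate and should not be relied on for this.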
--- /dev/null
+From 2145e15e0557a01b9195d1c7199a1b92cb9be81f Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattd@bugfuzz.com>
+Date: Mon, 28 Apr 2014 19:05:21 +1200
+Subject: floppy: don't write kernel-only members to FDRAWCMD ioctl output
+
+From: Matthew Daley <mattd@bugfuzz.com>
+
+commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f upstream.
+
+Do not leak kernel-only floppy_raw_cmd structure members to userspace.
+This includes the linked-list pointer and the pointer to the allocated
+DMA space.
+
+Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/floppy.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void
+ int ret;
+
+ while (ptr) {
+- ret = copy_to_user(param, ptr, sizeof(*ptr));
++ struct floppy_raw_cmd cmd = *ptr;
++ cmd.next = NULL;
++ cmd.kernel_data = NULL;
++ ret = copy_to_user(param, &cmd, sizeof(cmd));
+ if (ret)
+ return -EFAULT;
+ param += sizeof(struct floppy_raw_cmd);
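Review bot: The local `struct floppy_raw_cmd cmd` introduced here shadows the function's `int cmd` parameter visible in the hunk header, so `sizeof(cmd)` on the copy_to_user line now means something different from what a reader of the signature expects and -Wshadow will flag it; renaming it, e.g. `struct floppy_raw_cmd ucmd = *ptr;` with the two clears and the copy adjusted, avoids the confusion. A second, hedged concern: struct assignment is not guaranteed to copy padding bytes, so padding inside the stack copy may hold whatever was on the stack when it is handed to copy_to_user; a `memset(&ucmd, 0, sizeof(ucmd));` before the assignment would make the scrub explicit. The enclosing loop and raw_cmd_copyout() itself begin and end outside this hunk.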
--- /dev/null
+From ef87dbe7614341c2e7bfe8d32fcb7028cc97442c Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattd@bugfuzz.com>
+Date: Mon, 28 Apr 2014 19:05:20 +1200
+Subject: floppy: ignore kernel-only members in FDRAWCMD ioctl input
+
+From: Matthew Daley <mattd@bugfuzz.com>
+
+commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream.
+
+Always clear out these floppy_raw_cmd struct members after copying the
+entire structure from userspace so that the in-kernel version is always
+valid and never left in an indeterminate state.
+
+Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/floppy.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3107,10 +3107,11 @@ loop:
+ return -ENOMEM;
+ *rcmd = ptr;
+ ret = copy_from_user(ptr, param, sizeof(*ptr));
+- if (ret)
+- return -EFAULT;
+ ptr->next = NULL;
+ ptr->buffer_length = 0;
++ ptr->kernel_data = NULL;
++ if (ret)
++ return -EFAULT;
+ param += sizeof(struct floppy_raw_cmd);
+ if (ptr->cmd_count > 33)
+ /* the command may now also take up the space
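Review bot: Clearing `next`, `buffer_length` and `kernel_data` before the `if (ret) return -EFAULT;` check is deliberate, but nothing in the code says why, and a later cleanup could easily move the error return back above the clears; a comment such as `/* Clear kernel-only fields before the error check: *rcmd is already linked in, so the caller's cleanup must never see user-supplied next/kernel_data pointers */` above `ptr->next = NULL;` would lock the order in. That the caller frees the chain through *rcmd on failure is inferred from `*rcmd = ptr` being assigned before the copy; the caller, and the start and end of this function, are outside the hunk.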
+@@ -3126,7 +3127,6 @@ loop:
+ for (i = 0; i < 16; i++)
+ ptr->reply[i] = 0;
+ ptr->resultcode = 0;
+- ptr->kernel_data = NULL;
+
+ if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
+ if (ptr->length <= 0)
--- /dev/null
+From 03e7848a64ed535a30f5d7fc6dede2d5a6a2534b Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Sun, 30 Mar 2014 15:50:03 -0700
+Subject: iser-target: Add missing se_cmd put for WRITE_PENDING in tx_comp_err
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 03e7848a64ed535a30f5d7fc6dede2d5a6a2534b upstream.
+
+This patch fixes a bug where outstanding RDMA_READs with WRITE_PENDING
+status require an extra target_put_sess_cmd() in isert_put_cmd() code
+when called from isert_cq_tx_comp_err() + isert_cq_drain_comp_llist()
+context during session shutdown.
+
+The extra kref PUT is required so that transport_generic_free_cmd()
+invokes the last target_put_sess_cmd() -> target_release_cmd_kref(),
+which will complete(&se_cmd->cmd_wait_comp) the outstanding se_cmd
+descriptor with WRITE_PENDING status, and awake the completion in
+target_wait_for_sess_cmds() to invoke TFO->release_cmd().
+
+The bug was manifesting itself in target_wait_for_sess_cmds() where
+a se_cmd descriptor with WRITE_PENDING status would end up sleeping
+indefinitely.
+
+Acked-by: Sagi Grimberg <sagig@mellanox.com>
+Cc: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -1201,7 +1201,7 @@ isert_unmap_cmd(struct isert_cmd *isert_
+ }
+
+ static void
+-isert_put_cmd(struct isert_cmd *isert_cmd)
++isert_put_cmd(struct isert_cmd *isert_cmd, bool comp_err)
+ {
+ struct iscsi_cmd *cmd = &isert_cmd->iscsi_cmd;
+ struct isert_conn *isert_conn = isert_cmd->conn;
+@@ -1216,8 +1216,21 @@ isert_put_cmd(struct isert_cmd *isert_cm
+ list_del_init(&cmd->i_conn_node);
+ spin_unlock_bh(&conn->cmd_lock);
+
+- if (cmd->data_direction == DMA_TO_DEVICE)
++ if (cmd->data_direction == DMA_TO_DEVICE) {
+ iscsit_stop_dataout_timer(cmd);
++ /*
++ * Check for special case during comp_err where
++ * WRITE_PENDING has been handed off from core,
++ * but requires an extra target_put_sess_cmd()
++ * before transport_generic_free_cmd() below.
++ */
++ if (comp_err &&
++ cmd->se_cmd.t_state == TRANSPORT_WRITE_PENDING) {
++ struct se_cmd *se_cmd = &cmd->se_cmd;
++
++ target_put_sess_cmd(se_cmd->se_sess, se_cmd);
++ }
++ }
+
+ isert_unmap_cmd(isert_cmd, isert_conn);
+ transport_generic_free_cmd(&cmd->se_cmd, 0);
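Review bot: The extra `target_put_sess_cmd()` is gated on `cmd->se_cmd.t_state == TRANSPORT_WRITE_PENDING`, read here without `t_state_lock`; unless the comp_err path is guaranteed to run only after the core can no longer change t_state for this command, a concurrent transition could skip the put and leave target_wait_for_sess_cmds() hanging, which is the bug being fixed. Taking the lock around the state read, or stating the ordering guarantee in the new comment, would settle this; that guarantee is not visible in the hunk. The new `comp_err` parameter also deserves a one-line note at the isert_put_cmd() definition, e.g. `/* comp_err: called from the TX completion-error path during session shutdown */`. isert_put_cmd() continues past the end of this hunk.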
+@@ -1271,7 +1284,7 @@ isert_unmap_tx_desc(struct iser_tx_desc
+
+ static void
+ isert_completion_put(struct iser_tx_desc *tx_desc, struct isert_cmd *isert_cmd,
+- struct ib_device *ib_dev)
++ struct ib_device *ib_dev, bool comp_err)
+ {
+ if (isert_cmd->sense_buf_dma != 0) {
+ pr_debug("Calling ib_dma_unmap_single for isert_cmd->sense_buf_dma\n");
+@@ -1281,7 +1294,7 @@ isert_completion_put(struct iser_tx_desc
+ }
+
+ isert_unmap_tx_desc(tx_desc, ib_dev);
+- isert_put_cmd(isert_cmd);
++ isert_put_cmd(isert_cmd, comp_err);
+ }
+
+ static void
+@@ -1336,14 +1349,14 @@ isert_do_control_comp(struct work_struct
+ iscsit_tmr_post_handler(cmd, cmd->conn);
+
+ cmd->i_state = ISTATE_SENT_STATUS;
+- isert_completion_put(&isert_cmd->tx_desc, isert_cmd, ib_dev);
++ isert_completion_put(&isert_cmd->tx_desc, isert_cmd, ib_dev, false);
+ break;
+ case ISTATE_SEND_REJECT:
+ pr_debug("Got isert_do_control_comp ISTATE_SEND_REJECT: >>>\n");
+ atomic_dec(&isert_conn->post_send_buf_count);
+
+ cmd->i_state = ISTATE_SENT_STATUS;
+- isert_completion_put(&isert_cmd->tx_desc, isert_cmd, ib_dev);
++ isert_completion_put(&isert_cmd->tx_desc, isert_cmd, ib_dev, false);
+ break;
+ case ISTATE_SEND_LOGOUTRSP:
+ pr_debug("Calling iscsit_logout_post_handler >>>>>>>>>>>>>>\n");
+@@ -1382,7 +1395,7 @@ isert_response_completion(struct iser_tx
+ atomic_sub(wr->send_wr_num + 1, &isert_conn->post_send_buf_count);
+
+ cmd->i_state = ISTATE_SENT_STATUS;
+- isert_completion_put(tx_desc, isert_cmd, ib_dev);
++ isert_completion_put(tx_desc, isert_cmd, ib_dev, false);
+ }
+
+ static void
+@@ -1436,7 +1449,7 @@ isert_cq_tx_comp_err(struct iser_tx_desc
+ if (!isert_cmd)
+ isert_unmap_tx_desc(tx_desc, ib_dev);
+ else
+- isert_completion_put(tx_desc, isert_cmd, ib_dev);
++ isert_completion_put(tx_desc, isert_cmd, ib_dev, true);
+ }
+
+ static void
--- /dev/null
+From 5678de3f15010b9022ee45673f33bcfc71d47b60 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 28 Mar 2014 20:41:50 +0100
+Subject: KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155)
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 5678de3f15010b9022ee45673f33bcfc71d47b60 upstream.
+
+QE reported that they got the BUG_ON in ioapic_service to trigger.
+I cannot reproduce it, but there are two reasons why this could happen.
+
+The less likely but also easiest one, is when kvm_irq_delivery_to_apic
+does not deliver to any APIC and returns -1.
+
+Because irqe.shorthand == 0, the kvm_for_each_vcpu loop in that
+function is never reached. However, you can target the similar loop in
+kvm_irq_delivery_to_apic_fast; just program a zero logical destination
+address into the IOAPIC, or an out-of-range physical destination address.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/ioapic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/virt/kvm/ioapic.c
++++ b/virt/kvm/ioapic.c
+@@ -306,7 +306,7 @@ static int ioapic_deliver(struct kvm_ioa
+ BUG_ON(ioapic->rtc_status.pending_eoi != 0);
+ ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe,
+ ioapic->rtc_status.dest_map);
+- ioapic->rtc_status.pending_eoi = ret;
++ ioapic->rtc_status.pending_eoi = (ret < 0 ? 0 : ret);
+ } else
+ ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, NULL);
+
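Review bot: The clamp `(ret < 0 ? 0 : ret)` silently turns every negative return into 0 with no explanation in the code; a comment such as `/* kvm_irq_delivery_to_apic() returns -1 when no APIC accepted the interrupt, so no EOI is pending */` on the assignment would record why, matching the first cause in the description. The description says there are two reasons the BUG_ON at the top of the hunk can fire but only describes the first, so it is unclear from this patch alone whether the second cause is handled; if it is not, that BUG_ON remains reachable from guest-programmed IOAPIC state. ioapic_deliver() starts and ends outside this hunk.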
--- /dev/null
+From c14af233fbe279d0e561ecf84f1208b1bae087ef Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Sat, 22 Mar 2014 17:21:44 +0800
+Subject: MIPS: Hibernate: Flush TLB entries in swsusp_arch_resume()
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit c14af233fbe279d0e561ecf84f1208b1bae087ef upstream.
+
+The original MIPS hibernate code flushes cache and TLB entries in
+swsusp_arch_resume(). But they are removed in Commit 44eeab67416711
+(MIPS: Hibernation: Remove SMP TLB and cacheflushing code.). A cross-
+CPU flush is surely unnecessary because all but the local CPU have
+already been disabled. But a local flush (at least the TLB flush) is
+needed. When we do hibernation on Loongson-3 with an E1000E NIC, it is
+very easy to produce a kernel panic (kernel page fault, or unaligned
+access). The root cause is that the E1000E driver uses vzalloc_node() to allocate
+pages, the stale TLB entries of the booting kernel will be misused by
+the resumed target kernel.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Cc: John Crispin <john@phrozen.org>
+Cc: Steven J. Hill <Steven.Hill@imgtec.com>
+Cc: Aurelien Jarno <aurelien@aurel32.net>
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Patchwork: https://patchwork.linux-mips.org/patch/6643/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/power/hibernate.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/power/hibernate.S
++++ b/arch/mips/power/hibernate.S
+@@ -43,6 +43,7 @@ LEAF(swsusp_arch_resume)
+ bne t1, t3, 1b
+ PTR_L t0, PBE_NEXT(t0)
+ bnez t0, 0b
++ jal local_flush_tlb_all /* Avoid TLB mismatch after kernel resume */
+ PTR_LA t0, saved_regs
+ PTR_L ra, PT_R31(t0)
+ PTR_L sp, PT_R29(t0)
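Review bot: The inserted `jal local_flush_tlb_all` has a branch delay slot and the hunk shows no `nop` after it, so correctness depends on the assembler being in the default `.set reorder` mode for this file; if the surrounding code (its directives are outside this hunk) is `.set noreorder`, `PTR_LA t0, saved_regs` would execute before the call and t0 would be clobbered by the callee before `PTR_L ra, PT_R31(t0)` uses it. The existing `bne`/`bnez` lines above carry no explicit delay-slot instructions either, which suggests reorder mode, but an explicit `nop` or a short comment stating the reliance on `.set reorder` would make this robust. `ra` being clobbered by the jal is fine here because it is reloaded from saved_regs two lines later. The description also notes the original code flushed caches as well; only the TLB flush is restored here.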
--- /dev/null
+From 15505679362270d02c449626385cb74af8905514 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Fri, 14 Mar 2014 13:06:07 +0000
+Subject: MIPS: KVM: Pass reserved instruction exceptions to guest
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 15505679362270d02c449626385cb74af8905514 upstream.
+
+Previously a reserved instruction exception while in guest code would
+cause a KVM internal error if kvm_mips_handle_ri() didn't recognise the
+instruction (including a RDHWR from an unrecognised hardware register).
+
+However the guest OS should really have the opportunity to catch the
+exception so that it can take the appropriate actions such as sending a
+SIGILL to the guest user process or emulating the instruction itself.
+
+Therefore in these cases emulate a guest RI exception and only return
+EMULATE_FAIL if that fails, being careful to revert the PC first in case
+the exception occurred in a branch delay slot in which case the PC will
+already point to the branch target.
+
+Also turn the printk messages relating to these cases into kvm_debug
+messages so that they aren't usually visible.
+
+This allows crashme to run in the guest without killing the entire VM.
+
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Gleb Natapov <gleb@kernel.org>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Sanjay Lal <sanjayl@kymasys.com>
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kvm/kvm_mips_emul.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/kvm/kvm_mips_emul.c
++++ b/arch/mips/kvm/kvm_mips_emul.c
+@@ -1571,17 +1571,17 @@ kvm_mips_handle_ri(unsigned long cause,
+ arch->gprs[rt] = kvm_read_c0_guest_userlocal(cop0);
+ #else
+ /* UserLocal not implemented */
+- er = kvm_mips_emulate_ri_exc(cause, opc, run, vcpu);
++ er = EMULATE_FAIL;
+ #endif
+ break;
+
+ default:
+- printk("RDHWR not supported\n");
++ kvm_debug("RDHWR %#x not supported @ %p\n", rd, opc);
+ er = EMULATE_FAIL;
+ break;
+ }
+ } else {
+- printk("Emulate RI not supported @ %p: %#x\n", opc, inst);
++ kvm_debug("Emulate RI not supported @ %p: %#x\n", opc, inst);
+ er = EMULATE_FAIL;
+ }
+
+@@ -1590,6 +1590,7 @@ kvm_mips_handle_ri(unsigned long cause,
+ */
+ if (er == EMULATE_FAIL) {
+ vcpu->arch.pc = curr_pc;
++ er = kvm_mips_emulate_ri_exc(cause, opc, run, vcpu);
+ }
+ return er;
+ }
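Review bot: The comment whose tail is visible at the top of this hunk (the `*/` before `if (er == EMULATE_FAIL)`) presumably still describes rolling back `vcpu->arch.pc` as the only action on failure, but the block now also injects a guest RI exception and overwrites `er` with its result, so only a failure of kvm_mips_emulate_ri_exc() still propagates as EMULATE_FAIL; the comment should say so, e.g. `/* Roll back the PC (it already points at the branch target if the fault was in a delay slot) and deliver an RI exception to the guest; EMULATE_FAIL is returned only if that injection itself fails. */`. The UserLocal-not-implemented case in the first hunk changed from calling kvm_mips_emulate_ri_exc() directly to falling through here, which is equivalent only if nothing between the two hunks acts on EMULATE_FAIL; that stretch is not visible. kvm_mips_handle_ri() starts outside the hunks.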
--- /dev/null
+From af61e27c3f77c7623b5335590ae24b6a5c323e22 Mon Sep 17 00:00:00 2001
+From: Tyler Stachecki <tstache1@binghamton.edu>
+Date: Fri, 25 Apr 2014 16:41:04 -0400
+Subject: [SCSI] mpt2sas: Don't disable device twice at suspend.
+
+From: Tyler Stachecki <tstache1@binghamton.edu>
+
+commit af61e27c3f77c7623b5335590ae24b6a5c323e22 upstream.
+
+On suspend, _scsih_suspend calls mpt2sas_base_free_resources, which
+in turn calls pci_disable_device if the device is enabled prior to
+suspending. However, _scsih_suspend also calls pci_disable_device
+itself.
+
+Thus, in the event that the device is enabled prior to suspending,
+pci_disable_device will be called twice. This patch removes the
+duplicate call to pci_disable_device in _scsih_suspend as it is both
+unnecessary and results in a kernel oops.
+
+Signed-off-by: Tyler Stachecki <tstache1@binghamton.edu>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/mpt2sas/mpt2sas_scsih.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
++++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
+@@ -8174,7 +8174,6 @@ _scsih_suspend(struct pci_dev *pdev, pm_
+
+ mpt2sas_base_free_resources(ioc);
+ pci_save_state(pdev);
+- pci_disable_device(pdev);
+ pci_set_power_state(pdev, device_state);
+ return 0;
+ }
--- /dev/null
+From 422b9b9684db3c511e65c91842275c43f5910ae9 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Thu, 6 Mar 2014 16:10:11 +1100
+Subject: powerpc/compat: 32-bit little endian machine name is ppcle, not ppc
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 422b9b9684db3c511e65c91842275c43f5910ae9 upstream.
+
+I noticed this when testing setarch. No, we don't magically
+support a big endian userspace on a little endian kernel.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/compat.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/powerpc/include/asm/compat.h
++++ b/arch/powerpc/include/asm/compat.h
+@@ -8,7 +8,11 @@
+ #include <linux/sched.h>
+
+ #define COMPAT_USER_HZ 100
++#ifdef __BIG_ENDIAN__
+ #define COMPAT_UTS_MACHINE "ppc\0\0"
++#else
++#define COMPAT_UTS_MACHINE "ppcle\0\0"
++#endif
+
+ typedef u32 compat_size_t;
+ typedef s32 compat_ssize_t;
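Review bot: The new `#ifdef __BIG_ENDIAN__` encodes a policy — 32-bit compat userspace reports the kernel's own endianness — that only the commit message states; a one-line comment above the conditional, `/* Compat (32-bit) userspace shares the kernel's endianness: no BE userspace on an LE kernel. */`, keeps that decision visible in the header. The two trailing `\0` bytes mirror the existing literal's padding, so a consumer that copies `sizeof(COMPAT_UTS_MACHINE)` bytes keeps working with the longer string; that consumer is outside this hunk.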
drivers-tty-hvc-don-t-free-hvc_console_setup-after-init.patch
tty-serial-8250_core.c-bug-fix-for-exar-chips.patch
n_tty-fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
+floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
+floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
+iser-target-add-missing-se_cmd-put-for-write_pending-in-tx_comp_err.patch
+arm-7840-1-lpae-don-t-reject-mapping-dev-mem-above-4gb.patch
+kvm-ioapic-fix-assignment-of-ioapic-rtc_status.pending_eoi-cve-2014-0155.patch
+mips-kvm-pass-reserved-instruction-exceptions-to-guest.patch
+mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
+virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch
+virtio-scsi-skip-setting-affinity-on-uninitialized-vq.patch
+mpt2sas-don-t-disable-device-twice-at-suspend.patch
+powerpc-compat-32-bit-little-endian-machine-name-is-ppcle-not-ppc.patch
--- /dev/null
+From 0c8482ac92db5ac15792caf23b7f7df9e4f48ae1 Mon Sep 17 00:00:00 2001
+From: Fam Zheng <famz@redhat.com>
+Date: Mon, 14 Apr 2014 10:16:09 +0800
+Subject: [SCSI] virtio-scsi: Skip setting affinity on uninitialized vq
+
+From: Fam Zheng <famz@redhat.com>
+
+commit 0c8482ac92db5ac15792caf23b7f7df9e4f48ae1 upstream.
+
+virtscsi_init calls virtscsi_remove_vqs on err, even before initializing
+the vqs. The latter calls virtscsi_set_affinity, so let's check the
+pointer there before setting affinity on it.
+
+This fixes a panic when setting device's num_queues=2 on RHEL 6.5:
+
+qemu-system-x86_64 ... \
+-device virtio-scsi-pci,id=scsi0,addr=0x13,...,num_queues=2 \
+-drive file=/stor/vm/dummy.raw,id=drive-scsi-disk,... \
+-device scsi-hd,drive=drive-scsi-disk,...
+
+[ 0.354734] scsi0 : Virtio SCSI HBA
+[ 0.379504] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
+[ 0.380141] IP: [<ffffffff814741ef>] __virtscsi_set_affinity+0x4f/0x120
+[ 0.380141] PGD 0
+[ 0.380141] Oops: 0000 [#1] SMP
+[ 0.380141] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.14.0+ #5
+[ 0.380141] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2007
+[ 0.380141] task: ffff88003c9f0000 ti: ffff88003c9f8000 task.ti: ffff88003c9f8000
+[ 0.380141] RIP: 0010:[<ffffffff814741ef>] [<ffffffff814741ef>] __virtscsi_set_affinity+0x4f/0x120
+[ 0.380141] RSP: 0000:ffff88003c9f9c08 EFLAGS: 00010256
+[ 0.380141] RAX: 0000000000000000 RBX: ffff88003c3a9d40 RCX: 0000000000001070
+[ 0.380141] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000
+[ 0.380141] RBP: ffff88003c9f9c28 R08: 00000000000136c0 R09: ffff88003c801c00
+[ 0.380141] R10: ffffffff81475229 R11: 0000000000000008 R12: 0000000000000000
+[ 0.380141] R13: ffffffff81cc7ca8 R14: ffff88003cac3d40 R15: ffff88003cac37a0
+[ 0.380141] FS: 0000000000000000(0000) GS:ffff88003e400000(0000) knlGS:0000000000000000
+[ 0.380141] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 0.380141] CR2: 0000000000000020 CR3: 0000000001c0e000 CR4: 00000000000006f0
+[ 0.380141] Stack:
+[ 0.380141] ffff88003c3a9d40 0000000000000000 ffff88003cac3d80 ffff88003cac3d40
+[ 0.380141] ffff88003c9f9c48 ffffffff814742e8 ffff88003c26d000 ffff88003c26d000
+[ 0.380141] ffff88003c9f9c68 ffffffff81474321 ffff88003c26d000 ffff88003c3a9d40
+[ 0.380141] Call Trace:
+[ 0.380141] [<ffffffff814742e8>] virtscsi_set_affinity+0x28/0x40
+[ 0.380141] [<ffffffff81474321>] virtscsi_remove_vqs+0x21/0x50
+[ 0.380141] [<ffffffff81475231>] virtscsi_init+0x91/0x240
+[ 0.380141] [<ffffffff81365290>] ? vp_get+0x50/0x70
+[ 0.380141] [<ffffffff81475544>] virtscsi_probe+0xf4/0x280
+[ 0.380141] [<ffffffff81363ea5>] virtio_dev_probe+0xe5/0x140
+[ 0.380141] [<ffffffff8144c669>] driver_probe_device+0x89/0x230
+[ 0.380141] [<ffffffff8144c8ab>] __driver_attach+0x9b/0xa0
+[ 0.380141] [<ffffffff8144c810>] ? driver_probe_device+0x230/0x230
+[ 0.380141] [<ffffffff8144c810>] ? driver_probe_device+0x230/0x230
+[ 0.380141] [<ffffffff8144ac1c>] bus_for_each_dev+0x8c/0xb0
+[ 0.380141] [<ffffffff8144c499>] driver_attach+0x19/0x20
+[ 0.380141] [<ffffffff8144bf28>] bus_add_driver+0x198/0x220
+[ 0.380141] [<ffffffff8144ce9f>] driver_register+0x5f/0xf0
+[ 0.380141] [<ffffffff81d27c91>] ? spi_transport_init+0x79/0x79
+[ 0.380141] [<ffffffff8136403b>] register_virtio_driver+0x1b/0x30
+[ 0.380141] [<ffffffff81d27d19>] init+0x88/0xd6
+[ 0.380141] [<ffffffff81d27c18>] ? scsi_init_procfs+0x5b/0x5b
+[ 0.380141] [<ffffffff81ce88a7>] do_one_initcall+0x7f/0x10a
+[ 0.380141] [<ffffffff81ce8aa7>] kernel_init_freeable+0x14a/0x1de
+[ 0.380141] [<ffffffff81ce8b3b>] ? kernel_init_freeable+0x1de/0x1de
+[ 0.380141] [<ffffffff817dec20>] ? rest_init+0x80/0x80
+[ 0.380141] [<ffffffff817dec29>] kernel_init+0x9/0xf0
+[ 0.380141] [<ffffffff817e68fc>] ret_from_fork+0x7c/0xb0
+[ 0.380141] [<ffffffff817dec20>] ? rest_init+0x80/0x80
+[ 0.380141] RIP [<ffffffff814741ef>] __virtscsi_set_affinity+0x4f/0x120
+[ 0.380141] RSP <ffff88003c9f9c08>
+[ 0.380141] CR2: 0000000000000020
+[ 0.380141] ---[ end trace 8074b70c3d5e1d73 ]---
+[ 0.475018] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
+[ 0.475018]
+[ 0.475068] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff)
+[ 0.475068] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
+
+[jejb: checkpatch fixes]
+Signed-off-by: Fam Zheng <famz@redhat.com>
+Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/virtio_scsi.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/virtio_scsi.c
++++ b/drivers/scsi/virtio_scsi.c
+@@ -751,8 +751,12 @@ static void __virtscsi_set_affinity(stru
+
+ vscsi->affinity_hint_set = true;
+ } else {
+- for (i = 0; i < vscsi->num_queues; i++)
++ for (i = 0; i < vscsi->num_queues; i++) {
++ if (!vscsi->req_vqs[i].vq)
++ continue;
++
+ virtqueue_set_affinity(vscsi->req_vqs[i].vq, -1);
++ }
+
+ vscsi->affinity_hint_set = false;
+ }
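Review bot: The NULL guard is added only to the branch that clears affinity, yet the `if` half of __virtscsi_set_affinity() just above the hunk presumably iterates the same `vscsi->req_vqs[]` array; if that branch can also be reached before the virtqueues exist it needs the same `if (!vscsi->req_vqs[i].vq) continue;`, otherwise a short comment on why only the else branch needs it would help. The guard also deserves a why-comment, since it covers virtscsi_init() unwinding through virtscsi_remove_vqs() on error before the vqs are set up: `/* virtscsi_init() unwinds through here on error before the vqs exist */`. The function begins outside this hunk.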
--- /dev/null
+From 1f74ef0f2d7d692fcd615621e0e734c3e7771413 Mon Sep 17 00:00:00 2001
+From: Rusty Russell <rusty@rustcorp.com.au>
+Date: Thu, 13 Mar 2014 11:23:38 +1030
+Subject: virtio_balloon: don't softlockup on huge balloon changes.
+
+From: Rusty Russell <rusty@rustcorp.com.au>
+
+commit 1f74ef0f2d7d692fcd615621e0e734c3e7771413 upstream.
+
+When adding or removing 100G from a balloon:
+
+ BUG: soft lockup - CPU#0 stuck for 22s! [vballoon:367]
+
+We have a wait_event_interruptible(), but the condition is always true
+(more ballooning to do) so we don't ever sleep. We also have a
+wait_event() for the host to ack, but that is also always true as QEMU
+is synchronous for balloon operations.
+
+Reported-by: Gopesh Kumar Chaudhary <gopchaud@in.ibm.com>
+Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio_balloon.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -311,6 +311,12 @@ static int balloon(void *_vballoon)
+ else if (diff < 0)
+ leak_balloon(vb, -diff);
+ update_balloon_size(vb);
++
++ /*
++ * For large balloon changes, we could spend a lot of time
++ * and always have work to do. Be nice if preempt disabled.
++ */
++ cond_resched();
+ }
+ return 0;
+ }
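Review bot: The comment on the new `cond_resched()` says `Be nice if preempt disabled`, which reads as if the call is meant for code running with preemption disabled; cond_resched() is a sleeping point and is not to be called in that state, and what is meant is a kernel built without CONFIG_PREEMPT, where this loop would otherwise never yield. Suggest `/* Large balloon changes keep this loop busy with work always pending; yield so non-preemptible kernels do not soft-lock. */`. The enclosing loop and balloon() itself start outside this hunk.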