From: Greg Kroah-Hartman Date: Tue, 6 May 2014 22:36:31 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.14.4~18 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2049e061c984bcdb66f4ebcddfaac69f7c6ace2e;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: arm-kvm-fix-possible-misalignment-of-pgds-and-bounce-page.patch floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch kvm-arm-vgic-fix-sgi-dispatch-problem.patch kvm-async_pf-mm-mm_users-can-not-pin-apf-mm.patch kvm-ioapic-fix-assignment-of-ioapic-rtc_status.pending_eoi-cve-2014-0155.patch kvm-ppc-book3s-hv-fix-kvm-hang-with-config_kvm_xics-n.patch mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch mips-kvm-pass-reserved-instruction-exceptions-to-guest.patch mpt2sas-don-t-disable-device-twice-at-suspend.patch powerpc-compat-32-bit-little-endian-machine-name-is-ppcle-not-ppc.patch tools-virtio-add-a-missing.patch virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch virtio-scsi-skip-setting-affinity-on-uninitialized-vq.patch
---
diff --git a/queue-3.14/arm-kvm-fix-possible-misalignment-of-pgds-and-bounce-page.patch b/queue-3.14/arm-kvm-fix-possible-misalignment-of-pgds-and-bounce-page.patch
new file mode 100644
index 00000000000..39f85b12659
--- /dev/null
+++ b/queue-3.14/arm-kvm-fix-possible-misalignment-of-pgds-and-bounce-page.patch
@@ -0,0 +1,87 @@
+From 5d4e08c45a6cf8f1ab3c7fa375007635ac569165 Mon Sep 17 00:00:00 2001
+From: Mark Salter
+Date: Fri, 28 Mar 2014 14:25:19 +0000
+Subject: arm: KVM: fix possible misalignment of PGDs and bounce page
+
+From: Mark Salter
+
+commit 5d4e08c45a6cf8f1ab3c7fa375007635ac569165 upstream.
+
+The kvm/mmu code shared by arm and arm64 uses kalloc() to allocate
+a bounce page (if hypervisor init code crosses page boundary) and
+hypervisor PGDs. The problem is that kalloc() does not guarantee
+the proper alignment. In the case of the bounce page, the page sized
+buffer allocated may also cross a page boundary negating the purpose
+and leading to a hang during kvm initialization. Likewise the PGDs
+allocated may not meet the minimum alignment requirements of the
+underlying MMU. This patch uses __get_free_page() to guarantee the
+worst case alignment needs of the bounce page and PGDs on both arm
+and arm64.
+
+Signed-off-by: Mark Salter
+Acked-by: Marc Zyngier
+Signed-off-by: Christoffer Dall
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/kvm/mmu.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -42,6 +42,8 @@ static unsigned long hyp_idmap_start;
+ static unsigned long hyp_idmap_end;
+ static phys_addr_t hyp_idmap_vector;
+ 
++#define pgd_order get_order(PTRS_PER_PGD * sizeof(pgd_t))
++
+ #define kvm_pmd_huge(_x) (pmd_huge(_x) || pmd_trans_huge(_x))
+ 
+ static void kvm_tlb_flush_vmid_ipa(struct kvm *kvm, phys_addr_t ipa)
+@@ -199,14 +201,14 @@ void free_boot_hyp_pgd(void)
+ if (boot_hyp_pgd) {
+ unmap_range(NULL, boot_hyp_pgd, hyp_idmap_start, PAGE_SIZE);
+ unmap_range(NULL, boot_hyp_pgd, TRAMPOLINE_VA, PAGE_SIZE);
+- kfree(boot_hyp_pgd);
++ free_pages((unsigned long)boot_hyp_pgd, pgd_order);
+ boot_hyp_pgd = NULL;
+ }
+ 
+ if (hyp_pgd)
+ unmap_range(NULL, hyp_pgd, TRAMPOLINE_VA, PAGE_SIZE);
+ 
+- kfree(init_bounce_page);
++ free_page((unsigned long)init_bounce_page);
+ init_bounce_page = NULL;
+ 
+ mutex_unlock(&kvm_hyp_pgd_mutex);
+@@ -236,7 +238,7 @@ void free_hyp_pgds(void)
+ for (addr = VMALLOC_START; is_vmalloc_addr((void*)addr); addr += PGDIR_SIZE)
+ unmap_range(NULL, hyp_pgd, KERN_TO_HYP(addr), PGDIR_SIZE);
+ 
+- kfree(hyp_pgd);
++ free_pages((unsigned long)hyp_pgd, pgd_order);
+ hyp_pgd = NULL;
+ }
+ 
+@@ -930,7 +932,7 @@ int kvm_mmu_init(void)
+ size_t len = __hyp_idmap_text_end - __hyp_idmap_text_start;
+ phys_addr_t phys_base;
+ 
+- init_bounce_page = kmalloc(PAGE_SIZE, GFP_KERNEL);
++ init_bounce_page = (void *)__get_free_page(GFP_KERNEL);
+ if (!init_bounce_page) {
+ kvm_err("Couldn't allocate HYP init bounce page\n");
+ err = -ENOMEM;
+@@ -956,8 +958,9 @@ int kvm_mmu_init(void)
+ (unsigned long)phys_base);
+ }
+ 
+- hyp_pgd = kzalloc(PTRS_PER_PGD * sizeof(pgd_t), GFP_KERNEL);
+- boot_hyp_pgd = kzalloc(PTRS_PER_PGD * sizeof(pgd_t), GFP_KERNEL);
++ hyp_pgd = (pgd_t *)__get_free_pages(GFP_KERNEL | __GFP_ZERO, pgd_order);
++ boot_hyp_pgd = (pgd_t *)__get_free_pages(GFP_KERNEL | __GFP_ZERO, pgd_order);
++
+ if (!hyp_pgd || !boot_hyp_pgd) {
+ kvm_err("Hyp mode PGD not allocated\n");
+ err = -ENOMEM;
diff --git a/queue-3.14/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch b/queue-3.14/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
new file mode 100644
index 00000000000..ed496042718
--- /dev/null
+++ b/queue-3.14/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
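Review bot: `pgd_order` is introduced as a lowercase object-like macro that expands to a `get_order()` call, so at its four use sites it reads like a variable while being re-evaluated each time; kernel style would spell it `PGD_ORDER` or at least document it, e.g. `/* PGDs must be naturally aligned for the HYP MMU; kmalloc gives no such guarantee, so allocate whole pages */` above the `#define`. The `free_page((unsigned long)init_bounce_page)` call in free_boot_hyp_pgd is unguarded while `boot_hyp_pgd` is freed under `if (boot_hyp_pgd)`; that is fine because `free_pages()` ignores address 0, but the asymmetry deserves a one-line comment so nobody "fixes" it later. The `err = -ENOMEM` paths in kvm_mmu_init continue outside the hunk, so whether a partially allocated PGD pair is released on failure cannot be confirmed from here.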
@@ -0,0 +1,35 @@
+From 2145e15e0557a01b9195d1c7199a1b92cb9be81f Mon Sep 17 00:00:00 2001
+From: Matthew Daley
+Date: Mon, 28 Apr 2014 19:05:21 +1200
+Subject: floppy: don't write kernel-only members to FDRAWCMD ioctl output
+
+From: Matthew Daley
+
+commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f upstream.
+
+Do not leak kernel-only floppy_raw_cmd structure members to userspace.
+This includes the linked-list pointer and the pointer to the allocated
+DMA space.
+
+Signed-off-by: Matthew Daley
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/floppy.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void
+ int ret;
+ 
+ while (ptr) {
+- ret = copy_to_user(param, ptr, sizeof(*ptr));
++ struct floppy_raw_cmd cmd = *ptr;
++ cmd.next = NULL;
++ cmd.kernel_data = NULL;
++ ret = copy_to_user(param, &cmd, sizeof(cmd));
+ if (ret)
+ return -EFAULT;
+ param += sizeof(struct floppy_raw_cmd);
diff --git a/queue-3.14/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch b/queue-3.14/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
new file mode 100644
index 00000000000..9ade1d5253b
--- /dev/null
+++ b/queue-3.14/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
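Review bot: The new local `struct floppy_raw_cmd cmd` shadows the function's `int cmd` parameter visible in the hunk header (`raw_cmd_copyout(int cmd, void ...`), which trips `-Wshadow` and makes the body easy to misread; rename it, e.g. `struct floppy_raw_cmd out = *ptr;` and `ret = copy_to_user(param, &out, sizeof(out));`. The sanitisation itself is the right shape: copying into a stack temporary and nulling `next` and `kernel_data` before `copy_to_user` keeps kernel addresses out of the user-visible buffer, and a comment saying so (`/* strip kernel-only members before exposing the struct to userspace */`) would make the intent survive future edits. The struct assignment also carries over any padding bytes of `*ptr`; whether those are clean depends on how `*ptr` was allocated and filled, which is outside this hunk. The enclosing loop continues past the hunk.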
@@ -0,0 +1,45 @@
+From ef87dbe7614341c2e7bfe8d32fcb7028cc97442c Mon Sep 17 00:00:00 2001
+From: Matthew Daley
+Date: Mon, 28 Apr 2014 19:05:20 +1200
+Subject: floppy: ignore kernel-only members in FDRAWCMD ioctl input
+
+From: Matthew Daley
+
+commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream.
+
+Always clear out these floppy_raw_cmd struct members after copying the
+entire structure from userspace so that the in-kernel version is always
+valid and never left in an interdeterminate state.
+
+Signed-off-by: Matthew Daley
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/floppy.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3107,10 +3107,11 @@ loop:
+ return -ENOMEM;
+ *rcmd = ptr;
+ ret = copy_from_user(ptr, param, sizeof(*ptr));
+- if (ret)
+- return -EFAULT;
+ ptr->next = NULL;
+ ptr->buffer_length = 0;
++ ptr->kernel_data = NULL;
++ if (ret)
++ return -EFAULT;
+ param += sizeof(struct floppy_raw_cmd);
+ if (ptr->cmd_count > 33)
+ /* the command may now also take up the space
+@@ -3126,7 +3127,6 @@ loop:
+ for (i = 0; i < 16; i++)
+ ptr->reply[i] = 0;
+ ptr->resultcode = 0;
+- ptr->kernel_data = NULL;
+ 
+ if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
+ if (ptr->length <= 0)
diff --git a/queue-3.14/kvm-arm-vgic-fix-sgi-dispatch-problem.patch b/queue-3.14/kvm-arm-vgic-fix-sgi-dispatch-problem.patch
new file mode 100644
index 00000000000..fa9d92a49ef
--- /dev/null
+++ b/queue-3.14/kvm-arm-vgic-fix-sgi-dispatch-problem.patch
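Review bot: Moving `if (ret) return -EFAULT;` below the field resets is deliberate but unexplained at the site: `*rcmd = ptr` has already linked the half-initialised command into the caller's list, so `next`, `buffer_length` and `kernel_data` must be neutralised before any early return, or the caller's cleanup could free or follow user-supplied values. Suggest a comment above the moved check, e.g. `/* ptr is already reachable via *rcmd: clear the kernel-only members first so cleanup never sees user-controlled pointers */`. It is also worth checking that these three assignments cover every pointer-like member of `struct floppy_raw_cmd`; the struct definition is outside the hunk, so that cannot be confirmed here. The enclosing function starts before the hunk (the `loop:` label).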
@@ -0,0 +1,32 @@
+From 91021a6c8ffdc55804dab5acdfc7de4f278b9ac3 Mon Sep 17 00:00:00 2001
+From: Haibin Wang
+Date: Thu, 10 Apr 2014 13:14:32 +0100
+Subject: KVM: ARM: vgic: Fix sgi dispatch problem
+
+From: Haibin Wang
+
+commit 91021a6c8ffdc55804dab5acdfc7de4f278b9ac3 upstream.
+
+When dispatch SGI(mode == 0), that is the vcpu of VM should send
+sgi to the cpu which the target_cpus list.
+So, there must add the "break" to branch of case 0.
+
+Signed-off-by: Haibin Wang
+Acked-by: Marc Zyngier
+Signed-off-by: Christoffer Dall
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/arm/vgic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/virt/kvm/arm/vgic.c
++++ b/virt/kvm/arm/vgic.c
+@@ -916,6 +916,7 @@ static void vgic_dispatch_sgi(struct kvm
+ case 0:
+ if (!target_cpus)
+ return;
++ break;
+ 
+ case 1:
+ target_cpus = ((1 << nrcpus) - 1) & ~(1 << vcpu_id) & 0xff;
diff --git a/queue-3.14/kvm-async_pf-mm-mm_users-can-not-pin-apf-mm.patch b/queue-3.14/kvm-async_pf-mm-mm_users-can-not-pin-apf-mm.patch
new file mode 100644
index 00000000000..9227b1ffa2d
--- /dev/null
+++ b/queue-3.14/kvm-async_pf-mm-mm_users-can-not-pin-apf-mm.patch
@@ -0,0 +1,65 @@
+From 41c22f626254b9dc0376928cae009e73d1b6a49a Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov
+Date: Mon, 21 Apr 2014 15:26:01 +0200
+Subject: KVM: async_pf: mm->mm_users can not pin apf->mm
+
+From: Oleg Nesterov
+
+commit 41c22f626254b9dc0376928cae009e73d1b6a49a upstream.
+
+get_user_pages(mm) is simply wrong if mm->mm_users == 0 and exit_mmap/etc
+was already called (or is in progress), mm->mm_count can only pin mm->pgd
+and mm_struct itself.
+
+Change kvm_setup_async_pf/async_pf_execute to inc/dec mm->mm_users.
+
+kvm_create_vm/kvm_destroy_vm play with ->mm_count too but this case looks
+fine at first glance, it seems that this ->mm is only used to verify that
+current->mm == kvm->mm.
+
+Signed-off-by: Oleg Nesterov
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/async_pf.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/virt/kvm/async_pf.c
++++ b/virt/kvm/async_pf.c
+@@ -85,7 +85,7 @@ static void async_pf_execute(struct work
+ if (waitqueue_active(&vcpu->wq))
+ wake_up_interruptible(&vcpu->wq);
+ 
+- mmdrop(mm);
++ mmput(mm);
+ kvm_put_kvm(vcpu->kvm);
+ }
+ 
+@@ -98,7 +98,7 @@ void kvm_clear_async_pf_completion_queue
+ typeof(*work), queue);
+ list_del(&work->queue);
+ if (cancel_work_sync(&work->work)) {
+- mmdrop(work->mm);
++ mmput(work->mm);
+ kvm_put_kvm(vcpu->kvm); /* == work->vcpu->kvm */
+ kmem_cache_free(async_pf_cache, work);
+ }
+@@ -162,7 +162,7 @@ int kvm_setup_async_pf(struct kvm_vcpu *
+ work->addr = gfn_to_hva(vcpu->kvm, gfn);
+ work->arch = *arch;
+ work->mm = current->mm;
+- atomic_inc(&work->mm->mm_count);
++ atomic_inc(&work->mm->mm_users);
+ kvm_get_kvm(work->vcpu->kvm);
+ 
+ /* this can't really happen otherwise gfn_to_pfn_async
+@@ -180,7 +180,7 @@ int kvm_setup_async_pf(struct kvm_vcpu *
+ return 1;
+ retry_sync:
+ kvm_put_kvm(work->vcpu->kvm);
+- mmdrop(work->mm);
++ mmput(work->mm);
+ kmem_cache_free(async_pf_cache, work);
+ return 0;
+ }
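Review bot: The plain `atomic_inc(&work->mm->mm_users)` in kvm_setup_async_pf is only correct because `work->mm` was assigned `current->mm` on the line above, whose `mm_users` cannot already be zero while the current task runs; that reasoning is not recorded, so add it there, e.g. `/* current->mm: mm_users is non-zero, a plain inc is safe */`. Because `mmput()` may perform the final teardown of the mm when it drops the last user, the three replaced drop sites must be in sleepable context; `kvm_clear_async_pf_completion_queue` already calls `cancel_work_sync()` so it clearly is, and the workqueue and vcpu contexts of the other two appear to be as well, though that is inferred rather than visible here. A note at the first `mmput(mm)` in async_pf_execute stating that it may sleep would make the contract explicit. All three enclosing functions extend beyond their hunks.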
diff --git a/queue-3.14/kvm-ioapic-fix-assignment-of-ioapic-rtc_status.pending_eoi-cve-2014-0155.patch b/queue-3.14/kvm-ioapic-fix-assignment-of-ioapic-rtc_status.pending_eoi-cve-2014-0155.patch
new file mode 100644
index 00000000000..280d40415ae
--- /dev/null
+++ b/queue-3.14/kvm-ioapic-fix-assignment-of-ioapic-rtc_status.pending_eoi-cve-2014-0155.patch
@@ -0,0 +1,38 @@
+From 5678de3f15010b9022ee45673f33bcfc71d47b60 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Fri, 28 Mar 2014 20:41:50 +0100
+Subject: KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155)
+
+From: Paolo Bonzini
+
+commit 5678de3f15010b9022ee45673f33bcfc71d47b60 upstream.
+
+QE reported that they got the BUG_ON in ioapic_service to trigger.
+I cannot reproduce it, but there are two reasons why this could happen.
+
+The less likely but also easiest one, is when kvm_irq_delivery_to_apic
+does not deliver to any APIC and returns -1.
+
+Because irqe.shorthand == 0, the kvm_for_each_vcpu loop in that
+function is never reached. However, you can target the similar loop in
+kvm_irq_delivery_to_apic_fast; just program a zero logical destination
+address into the IOAPIC, or an out-of-range physical destination address.
+
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/ioapic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/virt/kvm/ioapic.c
++++ b/virt/kvm/ioapic.c
+@@ -306,7 +306,7 @@ static int ioapic_deliver(struct kvm_ioa
+ BUG_ON(ioapic->rtc_status.pending_eoi != 0);
+ ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe,
+ ioapic->rtc_status.dest_map);
+- ioapic->rtc_status.pending_eoi = ret;
++ ioapic->rtc_status.pending_eoi = (ret < 0 ? 0 : ret);
+ } else
+ ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, NULL);
+ 
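Review bot: The clamp `(ret < 0 ? 0 : ret)` silently turns the "no APIC was targeted" return into "no EOI pending", which is the intended fix per the description, but the line itself gives no hint of why a negative value is expected; add `/* ret < 0: nothing was delivered, so no EOI will ever arrive */` above it. The `BUG_ON(ioapic->rtc_status.pending_eoi != 0)` two lines earlier is reachable through guest-programmable IOAPIC redirection state, so any stale or out-of-range count stored here is a guest-triggerable host crash rather than a mere logic error, which is worth stating in the same comment. The description mentions a second way the BUG_ON can fire that this hunk does not visibly address; it may be handled outside the hunk or in a separate change. `ioapic_deliver` continues outside the hunk.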
diff --git a/queue-3.14/kvm-ppc-book3s-hv-fix-kvm-hang-with-config_kvm_xics-n.patch b/queue-3.14/kvm-ppc-book3s-hv-fix-kvm-hang-with-config_kvm_xics-n.patch
new file mode 100644
index 00000000000..91e7ff169db
--- /dev/null
+++ b/queue-3.14/kvm-ppc-book3s-hv-fix-kvm-hang-with-config_kvm_xics-n.patch
@@ -0,0 +1,47 @@
+From 7505258c5fcb0a1cc3c76a47b4cf9506d21d10e6 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard
+Date: Tue, 25 Mar 2014 10:47:01 +1100
+Subject: KVM: PPC: Book3S HV: Fix KVM hang with CONFIG_KVM_XICS=n
+
+From: Anton Blanchard
+
+commit 7505258c5fcb0a1cc3c76a47b4cf9506d21d10e6 upstream.
+
+I noticed KVM is broken when KVM in-kernel XICS emulation
+(CONFIG_KVM_XICS) is disabled.
+
+The problem was introduced in 48eaef05 (KVM: PPC: Book3S HV: use
+xics_wake_cpu only when defined). It used CONFIG_KVM_XICS to wrap
+xics_wake_cpu, where CONFIG_PPC_ICP_NATIVE should have been
+used.
+
+Signed-off-by: Anton Blanchard
+Signed-off-by: Paul Mackerras
+Acked-by: Scott Wood
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kvm/book3s_hv.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -86,7 +86,7 @@ static void kvmppc_fast_vcpu_kick_hv(str
+ 
+ /* CPU points to the first thread of the core */
+ if (cpu != me && cpu >= 0 && cpu < nr_cpu_ids) {
+-#ifdef CONFIG_KVM_XICS
++#ifdef CONFIG_PPC_ICP_NATIVE
+ int real_cpu = cpu + vcpu->arch.ptid;
+ if (paca[real_cpu].kvm_hstate.xics_phys)
+ xics_wake_cpu(real_cpu);
+@@ -1360,9 +1360,7 @@ static void kvmppc_start_thread(struct k
+ smp_wmb();
+ #if defined(CONFIG_PPC_ICP_NATIVE) && defined(CONFIG_SMP)
+ if (cpu != smp_processor_id()) {
+-#ifdef CONFIG_KVM_XICS
+ xics_wake_cpu(cpu);
+-#endif
+ if (vcpu->arch.ptid)
+ ++vc->n_woken;
+ }
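Review bot: After this change the two `xics_wake_cpu()` call sites are guarded differently: kvmppc_fast_vcpu_kick_hv uses `#ifdef CONFIG_PPC_ICP_NATIVE` alone, while kvmppc_start_thread keeps `#if defined(CONFIG_PPC_ICP_NATIVE) && defined(CONFIG_SMP)`. If `xics_wake_cpu` or the `paca[real_cpu]` access is only available under `CONFIG_SMP`, the first site now needs the same compound guard; that cannot be confirmed from the hunk, so a `CONFIG_PPC_ICP_NATIVE=y` / `CONFIG_SMP=n` build should be checked, or both guards made identical. A short comment at the first `#ifdef`, e.g. `/* gates the native ICP wake helper, not the in-kernel XICS emulation */`, would keep the original mix-up from recurring. Both enclosing functions extend beyond their hunks.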
diff --git a/queue-3.14/mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch b/queue-3.14/mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
new file mode 100644
index 00000000000..f5e42802380
--- /dev/null
+++ b/queue-3.14/mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
@@ -0,0 +1,45 @@
+From c14af233fbe279d0e561ecf84f1208b1bae087ef Mon Sep 17 00:00:00 2001
+From: Huacai Chen
+Date: Sat, 22 Mar 2014 17:21:44 +0800
+Subject: MIPS: Hibernate: Flush TLB entries in swsusp_arch_resume()
+
+From: Huacai Chen
+
+commit c14af233fbe279d0e561ecf84f1208b1bae087ef upstream.
+
+The original MIPS hibernate code flushes cache and TLB entries in
+swsusp_arch_resume(). But they are removed in Commit 44eeab67416711
+(MIPS: Hibernation: Remove SMP TLB and cacheflushing code.). A cross-
+CPU flush is surely unnecessary because all but the local CPU have
+already been disabled. But a local flush (at least the TLB flush) is
+needed. When we do hibernation on Loongson-3 with an E1000E NIC, it is
+very easy to produce a kernel panic (kernel page fault, or unaligned
+access). The root cause is E1000E driver use vzalloc_node() to allocate
+pages, the stale TLB entries of the booting kernel will be misused by
+the resumed target kernel.
+
+Signed-off-by: Huacai Chen
+Cc: John Crispin
+Cc: Steven J. Hill
+Cc: Aurelien Jarno
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang
+Cc: Zhangjin Wu
+Patchwork: https://patchwork.linux-mips.org/patch/6643/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/power/hibernate.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/power/hibernate.S
++++ b/arch/mips/power/hibernate.S
+@@ -43,6 +43,7 @@ LEAF(swsusp_arch_resume)
+ bne t1, t3, 1b
+ PTR_L t0, PBE_NEXT(t0)
+ bnez t0, 0b
++ jal local_flush_tlb_all /* Avoid TLB mismatch after kernel resume */
+ PTR_LA t0, saved_regs
+ PTR_L ra, PT_R31(t0)
+ PTR_L sp, PT_R29(t0)
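Review bot: `jal local_flush_tlb_all` clobbers `ra` and every caller-saved register, and it is placed right after the page-restore loop's `bnez t0, 0b`; that is only safe because `t0`, `ra` and `sp` are all reloaded from `saved_regs` on the very next lines, yet the added comment says what is flushed, not why the placement works. Suggest extending it, e.g. `/* Avoid TLB mismatch after kernel resume; clobbers ra and t-regs, all reloaded from saved_regs below */`. It is also worth confirming that the assembler's `.set` state in this routine (reorder vs noreorder) is what is needed for the `jal` delay slot to be filled correctly; the `LEAF` prologue and any `.set` directives are outside the hunk.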
diff --git a/queue-3.14/mips-kvm-pass-reserved-instruction-exceptions-to-guest.patch b/queue-3.14/mips-kvm-pass-reserved-instruction-exceptions-to-guest.patch
new file mode 100644
index 00000000000..f4b2c7602bc
--- /dev/null
+++ b/queue-3.14/mips-kvm-pass-reserved-instruction-exceptions-to-guest.patch
@@ -0,0 +1,72 @@
+From 15505679362270d02c449626385cb74af8905514 Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Fri, 14 Mar 2014 13:06:07 +0000
+Subject: MIPS: KVM: Pass reserved instruction exceptions to guest
+
+From: James Hogan
+
+commit 15505679362270d02c449626385cb74af8905514 upstream.
+
+Previously a reserved instruction exception while in guest code would
+cause a KVM internal error if kvm_mips_handle_ri() didn't recognise the
+instruction (including a RDHWR from an unrecognised hardware register).
+
+However the guest OS should really have the opportunity to catch the
+exception so that it can take the appropriate actions such as sending a
+SIGILL to the guest user process or emulating the instruction itself.
+
+Therefore in these cases emulate a guest RI exception and only return
+EMULATE_FAIL if that fails, being careful to revert the PC first in case
+the exception occurred in a branch delay slot in which case the PC will
+already point to the branch target.
+
+Also turn the printk messages relating to these cases into kvm_debug
+messages so that they aren't usually visible.
+
+This allows crashme to run in the guest without killing the entire VM.
+
+Signed-off-by: James Hogan
+Cc: Ralf Baechle
+Cc: Gleb Natapov
+Cc: Paolo Bonzini
+Cc: Sanjay Lal
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kvm/kvm_mips_emul.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/kvm/kvm_mips_emul.c
++++ b/arch/mips/kvm/kvm_mips_emul.c
+@@ -1571,17 +1571,17 @@ kvm_mips_handle_ri(unsigned long cause,
+ arch->gprs[rt] = kvm_read_c0_guest_userlocal(cop0);
+ #else
+ /* UserLocal not implemented */
+- er = kvm_mips_emulate_ri_exc(cause, opc, run, vcpu);
++ er = EMULATE_FAIL;
+ #endif
+ break;
+ 
+ default:
+- printk("RDHWR not supported\n");
++ kvm_debug("RDHWR %#x not supported @ %p\n", rd, opc);
+ er = EMULATE_FAIL;
+ break;
+ }
+ } else {
+- printk("Emulate RI not supported @ %p: %#x\n", opc, inst);
++ kvm_debug("Emulate RI not supported @ %p: %#x\n", opc, inst);
+ er = EMULATE_FAIL;
+ }
+ 
+@@ -1590,6 +1590,7 @@ kvm_mips_handle_ri(unsigned long cause,
+ */
+ if (er == EMULATE_FAIL) {
+ vcpu->arch.pc = curr_pc;
++ er = kvm_mips_emulate_ri_exc(cause, opc, run, vcpu);
+ }
+ return er;
+ }
diff --git a/queue-3.14/mpt2sas-don-t-disable-device-twice-at-suspend.patch b/queue-3.14/mpt2sas-don-t-disable-device-twice-at-suspend.patch
new file mode 100644
index 00000000000..df89bd10a2a
--- /dev/null
+++ b/queue-3.14/mpt2sas-don-t-disable-device-twice-at-suspend.patch
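Review bot: The `#else` branch of the UserLocal case now sets `er = EMULATE_FAIL` and relies on the second hunk to turn that into a guest RI exception, but nothing at that line says so; suggest changing the existing comment to `/* UserLocal not implemented: fall through to the EMULATE_FAIL path below, which injects RI into the guest */`. The switch from `printk` to `kvm_debug` is also a hardening change worth a comment: a guest can execute reserved instructions at will, so an unconditional host `printk` on this path is a guest-controlled host log-flooding vector, and `kvm_debug` keeps it off the console by default. After the fallback `kvm_mips_emulate_ri_exc()` call `er` is returned directly, so a failure there is still reported as EMULATE_FAIL, matching the description. `kvm_mips_handle_ri` starts before the first hunk.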
@@ -0,0 +1,37 @@
+From af61e27c3f77c7623b5335590ae24b6a5c323e22 Mon Sep 17 00:00:00 2001
+From: Tyler Stachecki
+Date: Fri, 25 Apr 2014 16:41:04 -0400
+Subject: [SCSI] mpt2sas: Don't disable device twice at suspend.
+
+From: Tyler Stachecki
+
+commit af61e27c3f77c7623b5335590ae24b6a5c323e22 upstream.
+
+On suspend, _scsih_suspend calls mpt2sas_base_free_resources, which
+in turn calls pci_disable_device if the device is enabled prior to
+suspending. However, _scsih_suspend also calls pci_disable_device
+itself.
+
+Thus, in the event that the device is enabled prior to suspending,
+pci_disable_device will be called twice. This patch removes the
+duplicate call to pci_disable_device in _scsi_suspend as it is both
+unnecessary and results in a kernel oops.
+
+Signed-off-by: Tyler Stachecki
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/mpt2sas/mpt2sas_scsih.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
++++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
+@@ -8293,7 +8293,6 @@ _scsih_suspend(struct pci_dev *pdev, pm_
+ 
+ mpt2sas_base_free_resources(ioc);
+ pci_save_state(pdev);
+- pci_disable_device(pdev);
+ pci_set_power_state(pdev, device_state);
+ return 0;
+ }
diff --git a/queue-3.14/powerpc-compat-32-bit-little-endian-machine-name-is-ppcle-not-ppc.patch b/queue-3.14/powerpc-compat-32-bit-little-endian-machine-name-is-ppcle-not-ppc.patch
new file mode 100644
index 00000000000..82886438f3f
--- /dev/null
+++ b/queue-3.14/powerpc-compat-32-bit-little-endian-machine-name-is-ppcle-not-ppc.patch
@@ -0,0 +1,34 @@
+From 422b9b9684db3c511e65c91842275c43f5910ae9 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard
+Date: Thu, 6 Mar 2014 16:10:11 +1100
+Subject: powerpc/compat: 32-bit little endian machine name is ppcle, not ppc
+
+From: Anton Blanchard
+
+commit 422b9b9684db3c511e65c91842275c43f5910ae9 upstream.
+
+I noticed this when testing setarch. No, we don't magically
+support a big endian userspace on a little endian kernel.
+
+Signed-off-by: Anton Blanchard
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/include/asm/compat.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/powerpc/include/asm/compat.h
++++ b/arch/powerpc/include/asm/compat.h
+@@ -8,7 +8,11 @@
+ #include
+ 
+ #define COMPAT_USER_HZ 100
++#ifdef __BIG_ENDIAN__
+ #define COMPAT_UTS_MACHINE "ppc\0\0"
++#else
++#define COMPAT_UTS_MACHINE "ppcle\0\0"
++#endif
+ 
+ typedef u32 compat_size_t;
+ typedef s32 compat_ssize_t;
diff --git a/queue-3.14/series b/queue-3.14/series
index 861cca0dc54..91dd887f19a 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
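Review bot: The two literals differ in size (`"ppc\0\0"` is 6 bytes with its terminator, `"ppcle\0\0"` is 8), so any consumer that copies `sizeof(COMPAT_UTS_MACHINE)` bytes now writes a different amount; the explicit `\0\0` padding looks like it is there so the copy fully overwrites the longer native machine string, but that reasoning is not visible in this header. Suggest a comment above the `#ifdef`, e.g. `/* padded so sizeof() covers the native machine name it replaces in utsname */`, after confirming that is indeed the intent of the consumer. The `#ifdef __BIG_ENDIAN__` relies on the compiler-predefined endianness macro rather than a Kconfig symbol; if the surrounding file already uses that macro elsewhere this is consistent, otherwise note it.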
@@ -2,3 +2,17 @@ drivers-tty-hvc-don-t-free-hvc_console_setup-after-init.patch
 tty-serial-8250_core.c-bug-fix-for-exar-chips.patch
 tty-fix-lockless-tty-buffer-race.patch
 n_tty-fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
+floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
+floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
+kvm-arm-vgic-fix-sgi-dispatch-problem.patch
+arm-kvm-fix-possible-misalignment-of-pgds-and-bounce-page.patch
+kvm-async_pf-mm-mm_users-can-not-pin-apf-mm.patch
+kvm-ioapic-fix-assignment-of-ioapic-rtc_status.pending_eoi-cve-2014-0155.patch
+mips-kvm-pass-reserved-instruction-exceptions-to-guest.patch
+kvm-ppc-book3s-hv-fix-kvm-hang-with-config_kvm_xics-n.patch
+mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
+virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch
+tools-virtio-add-a-missing.patch
+virtio-scsi-skip-setting-affinity-on-uninitialized-vq.patch
+mpt2sas-don-t-disable-device-twice-at-suspend.patch
+powerpc-compat-32-bit-little-endian-machine-name-is-ppcle-not-ppc.patch
diff --git a/queue-3.14/tools-virtio-add-a-missing.patch b/queue-3.14/tools-virtio-add-a-missing.patch
new file mode 100644
index 00000000000..13581e7979c
--- /dev/null
+++ b/queue-3.14/tools-virtio-add-a-missing.patch
@@ -0,0 +1,44 @@
+From be40d5ccab34d579512d932fc1c6cfaffe9d1551 Mon Sep 17 00:00:00 2001
+From: Joel Stanley
+Date: Thu, 13 Feb 2014 15:08:53 +1030
+Subject: tools/virtio: add a missing )
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Joel Stanley
+
+commit be40d5ccab34d579512d932fc1c6cfaffe9d1551 upstream.
+
+Fixes the following build failure:
+
+ cc -g -O2 -Wall -I. -I ../../usr/include/ -Wno-pointer-sign
+ -fno-strict-overflow -fno-strict-aliasing -fno-common -MMD
+ -U_FORTIFY_SOURCE -c -o virtio_test.o virtio_test.c
+ virtio_test.c: In function ‘run_test’:
+ virtio_test.c:176:7: error: expected ‘)’ before ‘r’
+ r = -1;
+ ^
+
+Fixes: 53c18c9906441 (virtio_test: verify if virtqueue_kick() succeeded)
+Cc: Heinz Graalfs
+Signed-off-by: Joel Stanley
+Acked-by: Michael S. Tsirkin
+Signed-off-by: Rusty Russell
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/virtio/virtio_test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/virtio/virtio_test.c
++++ b/tools/virtio/virtio_test.c
+@@ -172,7 +172,7 @@ static void run_test(struct vdev_info *d
+ GFP_ATOMIC);
+ if (likely(r == 0)) {
+ ++started;
+- if (unlikely(!virtqueue_kick(vq->vq))
++ if (unlikely(!virtqueue_kick(vq->vq)))
+ r = -1;
+ }
+ } else
diff --git a/queue-3.14/virtio-scsi-skip-setting-affinity-on-uninitialized-vq.patch b/queue-3.14/virtio-scsi-skip-setting-affinity-on-uninitialized-vq.patch
new file mode 100644
index 00000000000..80df687cfd0
--- /dev/null
+++ b/queue-3.14/virtio-scsi-skip-setting-affinity-on-uninitialized-vq.patch
@@ -0,0 +1,103 @@
+From 0c8482ac92db5ac15792caf23b7f7df9e4f48ae1 Mon Sep 17 00:00:00 2001
+From: Fam Zheng
+Date: Mon, 14 Apr 2014 10:16:09 +0800
+Subject: [SCSI] virtio-scsi: Skip setting affinity on uninitialized vq
+
+From: Fam Zheng
+
+commit 0c8482ac92db5ac15792caf23b7f7df9e4f48ae1 upstream.
+
+virtscsi_init calls virtscsi_remove_vqs on err, even before initializing
+the vqs. The latter calls virtscsi_set_affinity, so let's check the
+pointer there before setting affinity on it.
+
+This fixes a panic when setting device's num_queues=2 on RHEL 6.5:
+
+qemu-system-x86_64 ... \
+-device virtio-scsi-pci,id=scsi0,addr=0x13,...,num_queues=2 \
+-drive file=/stor/vm/dummy.raw,id=drive-scsi-disk,... \
+-device scsi-hd,drive=drive-scsi-disk,...
+
+[ 0.354734] scsi0 : Virtio SCSI HBA
+[ 0.379504] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
+[ 0.380141] IP: [] __virtscsi_set_affinity+0x4f/0x120
+[ 0.380141] PGD 0
+[ 0.380141] Oops: 0000 [#1] SMP
+[ 0.380141] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.14.0+ #5
+[ 0.380141] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2007
+[ 0.380141] task: ffff88003c9f0000 ti: ffff88003c9f8000 task.ti: ffff88003c9f8000
+[ 0.380141] RIP: 0010:[] [] __virtscsi_set_affinity+0x4f/0x120
+[ 0.380141] RSP: 0000:ffff88003c9f9c08 EFLAGS: 00010256
+[ 0.380141] RAX: 0000000000000000 RBX: ffff88003c3a9d40 RCX: 0000000000001070
+[ 0.380141] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000
+[ 0.380141] RBP: ffff88003c9f9c28 R08: 00000000000136c0 R09: ffff88003c801c00
+[ 0.380141] R10: ffffffff81475229 R11: 0000000000000008 R12: 0000000000000000
+[ 0.380141] R13: ffffffff81cc7ca8 R14: ffff88003cac3d40 R15: ffff88003cac37a0
+[ 0.380141] FS: 0000000000000000(0000) GS:ffff88003e400000(0000) knlGS:0000000000000000
+[ 0.380141] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 0.380141] CR2: 0000000000000020 CR3: 0000000001c0e000 CR4: 00000000000006f0
+[ 0.380141] Stack:
+[ 0.380141] ffff88003c3a9d40 0000000000000000 ffff88003cac3d80 ffff88003cac3d40
+[ 0.380141] ffff88003c9f9c48 ffffffff814742e8 ffff88003c26d000 ffff88003c26d000
+[ 0.380141] ffff88003c9f9c68 ffffffff81474321 ffff88003c26d000 ffff88003c3a9d40
+[ 0.380141] Call Trace:
+[ 0.380141] [] virtscsi_set_affinity+0x28/0x40
+[ 0.380141] [] virtscsi_remove_vqs+0x21/0x50
+[ 0.380141] [] virtscsi_init+0x91/0x240
+[ 0.380141] [] ? vp_get+0x50/0x70
+[ 0.380141] [] virtscsi_probe+0xf4/0x280
+[ 0.380141] [] virtio_dev_probe+0xe5/0x140
+[ 0.380141] [] driver_probe_device+0x89/0x230
+[ 0.380141] [] __driver_attach+0x9b/0xa0
+[ 0.380141] [] ? driver_probe_device+0x230/0x230
+[ 0.380141] [] ? driver_probe_device+0x230/0x230
+[ 0.380141] [] bus_for_each_dev+0x8c/0xb0
+[ 0.380141] [] driver_attach+0x19/0x20
+[ 0.380141] [] bus_add_driver+0x198/0x220
+[ 0.380141] [] driver_register+0x5f/0xf0
+[ 0.380141] [] ? spi_transport_init+0x79/0x79
+[ 0.380141] [] register_virtio_driver+0x1b/0x30
+[ 0.380141] [] init+0x88/0xd6
+[ 0.380141] [] ? scsi_init_procfs+0x5b/0x5b
+[ 0.380141] [] do_one_initcall+0x7f/0x10a
+[ 0.380141] [] kernel_init_freeable+0x14a/0x1de
+[ 0.380141] [] ? kernel_init_freeable+0x1de/0x1de
+[ 0.380141] [] ? rest_init+0x80/0x80
+[ 0.380141] [] kernel_init+0x9/0xf0
+[ 0.380141] [] ret_from_fork+0x7c/0xb0
+[ 0.380141] [] ? rest_init+0x80/0x80
+[ 0.380141] RIP [] __virtscsi_set_affinity+0x4f/0x120
+[ 0.380141] RSP
+[ 0.380141] CR2: 0000000000000020
+[ 0.380141] ---[ end trace 8074b70c3d5e1d73 ]---
+[ 0.475018] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
+[ 0.475018]
+[ 0.475068] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff)
+[ 0.475068] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
+
+[jejb: checkpatch fixes]
+Signed-off-by: Fam Zheng
+Acked-by: Paolo Bonzini
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/virtio_scsi.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/virtio_scsi.c
++++ b/drivers/scsi/virtio_scsi.c
+@@ -750,8 +750,12 @@ static void __virtscsi_set_affinity(stru
+ 
+ vscsi->affinity_hint_set = true;
+ } else {
+- for (i = 0; i < vscsi->num_queues; i++)
++ for (i = 0; i < vscsi->num_queues; i++) {
++ if (!vscsi->req_vqs[i].vq)
++ continue;
++
+ virtqueue_set_affinity(vscsi->req_vqs[i].vq, -1);
++ }
+ 
+ vscsi->affinity_hint_set = false;
+ }
diff --git a/queue-3.14/virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch b/queue-3.14/virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch
new file mode 100644
index 00000000000..f70b958a77e
--- /dev/null
+++ b/queue-3.14/virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch
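Review bot: The NULL check guards only the affinity-clearing `else` branch; the `if` branch that sets affinity (ending at `vscsi->affinity_hint_set = true;`) is above the hunk and presumably walks the same `req_vqs[i].vq` pointers, so if it can be reached before the queues are created it needs the same `if (!vscsi->req_vqs[i].vq) continue;`. I cannot tell from the hunk whether the init error path named in the description (virtscsi_init calling virtscsi_remove_vqs before the vqs exist) can take that branch; the more robust fix is for the cleanup path not to call `virtscsi_set_affinity` on queues that were never created, keeping this check as defence in depth. A comment on the `continue`, e.g. `/* vq not yet created: remove_vqs can run from the init error path */`, would record why a NULL is expected here. `__virtscsi_set_affinity` starts before the hunk.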
@@ -0,0 +1,41 @@
+From 1f74ef0f2d7d692fcd615621e0e734c3e7771413 Mon Sep 17 00:00:00 2001
+From: Rusty Russell
+Date: Thu, 13 Mar 2014 11:23:38 +1030
+Subject: virtio_balloon: don't softlockup on huge balloon changes.
+
+From: Rusty Russell
+
+commit 1f74ef0f2d7d692fcd615621e0e734c3e7771413 upstream.
+
+When adding or removing 100G from a balloon:
+
+ BUG: soft lockup - CPU#0 stuck for 22s! [vballoon:367]
+
+We have a wait_event_interruptible(), but the condition is always true
+(more ballooning to do) so we don't ever sleep. We also have a
+wait_event() for the host to ack, but that is also always true as QEMU
+is synchronous for balloon operations.
+
+Reported-by: Gopesh Kumar Chaudhary
+Signed-off-by: Rusty Russell
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/virtio/virtio_balloon.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -310,6 +310,12 @@ static int balloon(void *_vballoon)
+ else if (diff < 0)
+ leak_balloon(vb, -diff);
+ update_balloon_size(vb);
++
++ /*
++ * For large balloon changes, we could spend a lot of time
++ * and always have work to do. Be nice if preempt disabled.
++ */
++ cond_resched();
+ }
+ return 0;
+ }