From a2238663487f882df3ea5e02ce7957cb48f6a9eb Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 6 Mar 2018 19:54:04 -0800 Subject: [PATCH] 4.14-stable patches added patches: arm-dts-rockchip-remove-1.8-ghz-operation-point-from-phycore-som.patch arm-kvm-fix-building-with-gcc-8.patch arm-mvebu-fix-broken-pl310_errata_753970-selects.patch arm-orion-fix-orion_ge00_switch_board_info-initialization.patch blk-mq-don-t-call-io-sched-s-.requeue_request-when-requeueing-rq-to-dispatch.patch edac-sb_edac-fix-out-of-bound-writes-during-dimm-configuration-on-knl.patch kvm-mmu-fix-overlap-between-public-and-private-memslots.patch kvm-s390-consider-epoch-index-on-hotplugged-cpus.patch kvm-s390-consider-epoch-index-on-tod-clock-syncs.patch kvm-s390-provide-only-a-single-function-for-setting-the-tod-fix-sck.patch kvm-s390-take-care-of-clock-comparator-sign-control.patch kvm-vmx-optimize-vmx_vcpu_run-and-svm_vcpu_run-by-marking-the-rdmsr-path-as-unlikely.patch kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch kvm-x86-move-lapic-initialization-after-vmcs-creation.patch kvm-x86-remove-indirect-msr-op-calls-from-spec_ctrl.patch media-m88ds3103-don-t-call-a-non-initalized-function.patch nospec-allow-index-argument-to-have-const-qualified-type.patch x86-mm-fix-pmd-pud-_-set-clear-_flags.patch --- ...ghz-operation-point-from-phycore-som.patch | 54 ++++++ .../arm-kvm-fix-building-with-gcc-8.patch | 79 +++++++++ ...x-broken-pl310_errata_753970-selects.patch | 49 ++++++ ...e00_switch_board_info-initialization.patch | 82 +++++++++ ...quest-when-requeueing-rq-to-dispatch.patch | 54 ++++++ ...tes-during-dimm-configuration-on-knl.patch | 56 ++++++ ...-between-public-and-private-memslots.patch | 113 ++++++++++++ ...sider-epoch-index-on-hotplugged-cpus.patch | 35 ++++ ...sider-epoch-index-on-tod-clock-syncs.patch | 85 +++++++++ ...function-for-setting-the-tod-fix-sck.patch | 162 ++++++++++++++++++ ...are-of-clock-comparator-sign-control.patch | 72 ++++++++ ...y-marking-the-rdmsr-path-as-unlikely.patch | 60 +++++++ 
...ram-accessing-even-if-vm-is-shutdown.patch | 57 ++++++ ...c-initialization-after-vmcs-creation.patch | 58 +++++++ ...indirect-msr-op-calls-from-spec_ctrl.patch | 101 +++++++++++ ...don-t-call-a-non-initalized-function.patch | 123 +++++++++++++ ...rgument-to-have-const-qualified-type.patch | 65 +++++++ queue-4.14/series | 18 ++ ...86-mm-fix-pmd-pud-_-set-clear-_flags.patch | 99 +++++++++++ 19 files changed, 1422 insertions(+) create mode 100644 queue-4.14/arm-dts-rockchip-remove-1.8-ghz-operation-point-from-phycore-som.patch create mode 100644 queue-4.14/arm-kvm-fix-building-with-gcc-8.patch create mode 100644 queue-4.14/arm-mvebu-fix-broken-pl310_errata_753970-selects.patch create mode 100644 queue-4.14/arm-orion-fix-orion_ge00_switch_board_info-initialization.patch create mode 100644 queue-4.14/blk-mq-don-t-call-io-sched-s-.requeue_request-when-requeueing-rq-to-dispatch.patch create mode 100644 queue-4.14/edac-sb_edac-fix-out-of-bound-writes-during-dimm-configuration-on-knl.patch create mode 100644 queue-4.14/kvm-mmu-fix-overlap-between-public-and-private-memslots.patch create mode 100644 queue-4.14/kvm-s390-consider-epoch-index-on-hotplugged-cpus.patch create mode 100644 queue-4.14/kvm-s390-consider-epoch-index-on-tod-clock-syncs.patch create mode 100644 queue-4.14/kvm-s390-provide-only-a-single-function-for-setting-the-tod-fix-sck.patch create mode 100644 queue-4.14/kvm-s390-take-care-of-clock-comparator-sign-control.patch create mode 100644 queue-4.14/kvm-vmx-optimize-vmx_vcpu_run-and-svm_vcpu_run-by-marking-the-rdmsr-path-as-unlikely.patch create mode 100644 queue-4.14/kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch create mode 100644 queue-4.14/kvm-x86-move-lapic-initialization-after-vmcs-creation.patch create mode 100644 queue-4.14/kvm-x86-remove-indirect-msr-op-calls-from-spec_ctrl.patch create mode 100644 queue-4.14/media-m88ds3103-don-t-call-a-non-initalized-function.patch create mode 100644 
queue-4.14/nospec-allow-index-argument-to-have-const-qualified-type.patch create mode 100644 queue-4.14/x86-mm-fix-pmd-pud-_-set-clear-_flags.patch diff --git a/queue-4.14/arm-dts-rockchip-remove-1.8-ghz-operation-point-from-phycore-som.patch b/queue-4.14/arm-dts-rockchip-remove-1.8-ghz-operation-point-from-phycore-som.patch new file mode 100644 index 00000000000..41a38f00932 --- /dev/null +++ b/queue-4.14/arm-dts-rockchip-remove-1.8-ghz-operation-point-from-phycore-som.patch @@ -0,0 +1,54 @@ +From 5ce0bad4ccd04c8a989e94d3c89e4e796ac22e48 Mon Sep 17 00:00:00 2001 +From: Daniel Schultz +Date: Tue, 13 Feb 2018 10:44:32 +0100 +Subject: ARM: dts: rockchip: Remove 1.8 GHz operation point from phycore som + +From: Daniel Schultz + +commit 5ce0bad4ccd04c8a989e94d3c89e4e796ac22e48 upstream. + +Rockchip recommends to run the CPU cores only with operations points of +1.6 GHz or lower. + +Removed the cpu0 node with too high operation points and use the default +values instead. + +Fixes: 903d31e34628 ("ARM: dts: rockchip: Add support for phyCORE-RK3288 SoM") +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Schultz +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/rk3288-phycore-som.dtsi | 20 -------------------- + 1 file changed, 20 deletions(-) + +--- a/arch/arm/boot/dts/rk3288-phycore-som.dtsi ++++ b/arch/arm/boot/dts/rk3288-phycore-som.dtsi +@@ -110,26 +110,6 @@ + }; + }; + +-&cpu0 { +- cpu0-supply = <&vdd_cpu>; +- operating-points = < +- /* KHz uV */ +- 1800000 1400000 +- 1608000 1350000 +- 1512000 1300000 +- 1416000 1200000 +- 1200000 1100000 +- 1008000 1050000 +- 816000 1000000 +- 696000 950000 +- 600000 900000 +- 408000 900000 +- 312000 900000 +- 216000 900000 +- 126000 900000 +- >; +-}; +- + &emmc { + status = "okay"; + bus-width = <8>; diff --git a/queue-4.14/arm-kvm-fix-building-with-gcc-8.patch b/queue-4.14/arm-kvm-fix-building-with-gcc-8.patch new file mode 100644 index 00000000000..5b55442aa32 --- /dev/null 
+++ b/queue-4.14/arm-kvm-fix-building-with-gcc-8.patch 
@@ -0,0 +1,79 @@ +From 67870eb1204223598ea6d8a4467b482e9f5875b5 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 2 Feb 2018 16:07:34 +0100 +Subject: ARM: kvm: fix building with gcc-8 + +From: Arnd Bergmann + +commit 67870eb1204223598ea6d8a4467b482e9f5875b5 upstream. + +In banked-sr.c, we use a top-level '__asm__(".arch_extension virt")' +statement to allow compilation of a multi-CPU kernel for ARMv6 +and older ARMv7-A that don't normally support access to the banked +registers. + +This is considered to be a programming error by the gcc developers +and will no longer work in gcc-8, where we now get a build error: + +/tmp/cc4Qy7GR.s:34: Error: Banked registers are not available with this architecture. -- `mrs r3,SP_usr' +/tmp/cc4Qy7GR.s:41: Error: Banked registers are not available with this architecture. -- `mrs r3,ELR_hyp' +/tmp/cc4Qy7GR.s:55: Error: Banked registers are not available with this architecture. -- `mrs r3,SP_svc' +/tmp/cc4Qy7GR.s:62: Error: Banked registers are not available with this architecture. -- `mrs r3,LR_svc' +/tmp/cc4Qy7GR.s:69: Error: Banked registers are not available with this architecture. -- `mrs r3,SPSR_svc' +/tmp/cc4Qy7GR.s:76: Error: Banked registers are not available with this architecture. -- `mrs r3,SP_abt' + +Passign the '-march-armv7ve' flag to gcc works, and is ok here, because +we know the functions won't ever be called on pre-ARMv7VE machines. +Unfortunately, older compiler versions (4.8 and earlier) do not understand +that flag, so we still need to keep the asm around. + +Backporting to stable kernels (4.6+) is needed to allow those to be built +with future compilers as well. 
+ +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84129 +Fixes: 33280b4cd1dc ("ARM: KVM: Add banked registers save/restore") +Cc: stable@vger.kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Christoffer Dall +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kvm/hyp/Makefile | 5 +++++ + arch/arm/kvm/hyp/banked-sr.c | 4 ++++ + 2 files changed, 9 insertions(+) + +--- a/arch/arm/kvm/hyp/Makefile ++++ b/arch/arm/kvm/hyp/Makefile +@@ -7,6 +7,8 @@ ccflags-y += -fno-stack-protector -DDISA + + KVM=../../../../virt/kvm + ++CFLAGS_ARMV7VE :=$(call cc-option, -march=armv7ve) ++ + obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/vgic-v2-sr.o + obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/vgic-v3-sr.o + obj-$(CONFIG_KVM_ARM_HOST) += $(KVM)/arm/hyp/timer-sr.o +@@ -15,7 +17,10 @@ obj-$(CONFIG_KVM_ARM_HOST) += tlb.o + obj-$(CONFIG_KVM_ARM_HOST) += cp15-sr.o + obj-$(CONFIG_KVM_ARM_HOST) += vfp.o + obj-$(CONFIG_KVM_ARM_HOST) += banked-sr.o ++CFLAGS_banked-sr.o += $(CFLAGS_ARMV7VE) ++ + obj-$(CONFIG_KVM_ARM_HOST) += entry.o + obj-$(CONFIG_KVM_ARM_HOST) += hyp-entry.o + obj-$(CONFIG_KVM_ARM_HOST) += switch.o ++CFLAGS_switch.o += $(CFLAGS_ARMV7VE) + obj-$(CONFIG_KVM_ARM_HOST) += s2-setup.o +--- a/arch/arm/kvm/hyp/banked-sr.c ++++ b/arch/arm/kvm/hyp/banked-sr.c +@@ -20,6 +20,10 @@ + + #include + ++/* ++ * gcc before 4.9 doesn't understand -march=armv7ve, so we have to ++ * trick the assembler. ++ */ + __asm__(".arch_extension virt"); + + void __hyp_text __banked_save_state(struct kvm_cpu_context *ctxt) diff --git a/queue-4.14/arm-mvebu-fix-broken-pl310_errata_753970-selects.patch b/queue-4.14/arm-mvebu-fix-broken-pl310_errata_753970-selects.patch new file mode 100644 index 00000000000..a80aad3a18c --- /dev/null +++ b/queue-4.14/arm-mvebu-fix-broken-pl310_errata_753970-selects.patch 
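Review bot: The Makefile hunk applies CFLAGS_ARMV7VE to switch.o as well as banked-sr.o, but the commit message and the new comment in banked-sr.c only explain the banked-sr.c case, so a later reader cannot tell why switch.o needs the flag. A one-line Makefile comment above `CFLAGS_switch.o += $(CFLAGS_ARMV7VE)` naming what in switch.c requires ARMv7VE would close that gap. The new comment in banked-sr.c could also state that the `.arch_extension virt` asm is only kept for compilers that reject the flag, which is what the message says but the code does not.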
@@ -0,0 +1,49 @@ +From 8aa36a8dcde3183d84db7b0d622ffddcebb61077 Mon Sep 17 00:00:00 2001 +From: Ulf Magnusson +Date: Mon, 5 Feb 2018 02:21:13 +0100 +Subject: ARM: mvebu: Fix broken PL310_ERRATA_753970 selects + +From: Ulf Magnusson + +commit 8aa36a8dcde3183d84db7b0d622ffddcebb61077 upstream. + +The MACH_ARMADA_375 and MACH_ARMADA_38X boards select ARM_ERRATA_753970, +but it was renamed to PL310_ERRATA_753970 by commit fa0ce4035d48 ("ARM: +7162/1: errata: tidy up Kconfig options for PL310 errata workarounds"). + +Fix the selects to use the new name. + +Discovered with the +https://github.com/ulfalizer/Kconfiglib/blob/master/examples/list_undefined.py +script. +Fixes: fa0ce4035d48 ("ARM: 7162/1: errata: tidy up Kconfig options for +PL310 errata workarounds" +cc: stable@vger.kernel.org +Signed-off-by: Ulf Magnusson +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-mvebu/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/mach-mvebu/Kconfig ++++ b/arch/arm/mach-mvebu/Kconfig +@@ -42,7 +42,7 @@ config MACH_ARMADA_375 + depends on ARCH_MULTI_V7 + select ARMADA_370_XP_IRQ + select ARM_ERRATA_720789 +- select ARM_ERRATA_753970 ++ select PL310_ERRATA_753970 + select ARM_GIC + select ARMADA_375_CLK + select HAVE_ARM_SCU +@@ -58,7 +58,7 @@ config MACH_ARMADA_38X + bool "Marvell Armada 380/385 boards" + depends on ARCH_MULTI_V7 + select ARM_ERRATA_720789 +- select ARM_ERRATA_753970 ++ select PL310_ERRATA_753970 + select ARM_GIC + select ARM_GLOBAL_TIMER + select CLKSRC_ARM_GLOBAL_TIMER_SCHED_CLOCK diff --git a/queue-4.14/arm-orion-fix-orion_ge00_switch_board_info-initialization.patch b/queue-4.14/arm-orion-fix-orion_ge00_switch_board_info-initialization.patch new file mode 100644 index 00000000000..86edb172fde --- /dev/null +++ b/queue-4.14/arm-orion-fix-orion_ge00_switch_board_info-initialization.patch 
@@ -0,0 +1,82 @@ +From 8337d083507b9827dfb36d545538b7789df834fd Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 21 Feb 2018 13:18:49 +0100 +Subject: ARM: orion: fix orion_ge00_switch_board_info initialization + +From: Arnd Bergmann + +commit 8337d083507b9827dfb36d545538b7789df834fd upstream. + +A section type mismatch warning shows up when building with LTO, +since orion_ge00_mvmdio_bus_name was put in __initconst but not marked +const itself: + +include/linux/of.h: In function 'spear_setup_of_timer': +arch/arm/mach-spear/time.c:207:34: error: 'timer_of_match' causes a section type conflict with 'orion_ge00_mvmdio_bus_name' + static const struct of_device_id timer_of_match[] __initconst = { + ^ +arch/arm/plat-orion/common.c:475:32: note: 'orion_ge00_mvmdio_bus_name' was declared here + static __initconst const char *orion_ge00_mvmdio_bus_name = "orion-mii"; + ^ + +As pointed out by Andrew Lunn, it should in fact be 'const' but not +'__initconst' because the string is never copied but may be accessed +after the init sections are freed. To fix that, I get rid of the +extra symbol and rewrite the initialization in a simpler way that +assigns both the bus_id and modalias statically. + +I spotted another theoretical bug in the same place, where d->netdev[i] +may be an out of bounds access, this can be fixed by moving the device +assignment into the loop. 
+ +Cc: stable@vger.kernel.org +Reviewed-by: Andrew Lunn +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/plat-orion/common.c | 23 +++++++++++------------ + 1 file changed, 11 insertions(+), 12 deletions(-) + +--- a/arch/arm/plat-orion/common.c ++++ b/arch/arm/plat-orion/common.c +@@ -472,28 +472,27 @@ void __init orion_ge11_init(struct mv643 + /***************************************************************************** + * Ethernet switch + ****************************************************************************/ +-static __initconst const char *orion_ge00_mvmdio_bus_name = "orion-mii"; +-static __initdata struct mdio_board_info +- orion_ge00_switch_board_info; ++static __initdata struct mdio_board_info orion_ge00_switch_board_info = { ++ .bus_id = "orion-mii", ++ .modalias = "mv88e6085", ++}; + + void __init orion_ge00_switch_init(struct dsa_chip_data *d) + { +- struct mdio_board_info *bd; + unsigned int i; + + if (!IS_BUILTIN(CONFIG_PHYLIB)) + return; + +- for (i = 0; i < ARRAY_SIZE(d->port_names); i++) +- if (!strcmp(d->port_names[i], "cpu")) ++ for (i = 0; i < ARRAY_SIZE(d->port_names); i++) { ++ if (!strcmp(d->port_names[i], "cpu")) { ++ d->netdev[i] = &orion_ge00.dev; + break; ++ } ++ } + +- bd = &orion_ge00_switch_board_info; +- bd->bus_id = orion_ge00_mvmdio_bus_name; +- bd->mdio_addr = d->sw_addr; +- d->netdev[i] = &orion_ge00.dev; +- strcpy(bd->modalias, "mv88e6085"); +- bd->platform_data = d; ++ orion_ge00_switch_board_info.mdio_addr = d->sw_addr; ++ orion_ge00_switch_board_info.platform_data = d; + + mdiobus_register_board_info(&orion_ge00_switch_board_info, 1); + } diff --git a/queue-4.14/blk-mq-don-t-call-io-sched-s-.requeue_request-when-requeueing-rq-to-dispatch.patch b/queue-4.14/blk-mq-don-t-call-io-sched-s-.requeue_request-when-requeueing-rq-to-dispatch.patch new file mode 100644 index 00000000000..7e5b9396921 --- /dev/null 
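Review bot: When no entry of d->port_names equals "cpu", the rewritten loop leaves every d->netdev[] slot unset yet still registers the board info; this replaces the old out-of-bounds write with a silent path that deserves at least a warning. Something like `if (i == ARRAY_SIZE(d->port_names)) pr_warn("%s: no cpu port in dsa_chip_data\n", __func__);` before the mdio_addr assignment would make a misconfigured board table visible. The initializer would also benefit from a one-line comment stating that orion_ge00_switch_board_info may stay __initdata because mdiobus_register_board_info copies it — presumably true, but not visible in this hunk.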
+++ b/queue-4.14/blk-mq-don-t-call-io-sched-s-.requeue_request-when-requeueing-rq-to-dispatch.patch @@ -0,0 +1,54 @@ +From 105976f517791aed3b11f8f53b308a2069d42055 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Fri, 23 Feb 2018 23:36:56 +0800 +Subject: blk-mq: don't call io sched's .requeue_request when requeueing rq to ->dispatch + +From: Ming Lei + +commit 105976f517791aed3b11f8f53b308a2069d42055 upstream. + +__blk_mq_requeue_request() covers two cases: + +- one is that the requeued request is added to hctx->dispatch, such as +blk_mq_dispatch_rq_list() + +- another case is that the request is requeued to io scheduler, such as +blk_mq_requeue_request(). + +We should call io sched's .requeue_request callback only for the 2nd +case. + +Cc: Paolo Valente +Cc: Omar Sandoval +Fixes: bd166ef183c2 ("blk-mq-sched: add framework for MQ capable IO schedulers") +Cc: stable@vger.kernel.org +Reviewed-by: Bart Van Assche +Acked-by: Paolo Valente +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-mq.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -638,7 +638,6 @@ static void __blk_mq_requeue_request(str + + trace_block_rq_requeue(q, rq); + wbt_requeue(q->rq_wb, &rq->issue_stat); +- blk_mq_sched_requeue_request(rq); + + if (test_and_clear_bit(REQ_ATOM_STARTED, &rq->atomic_flags)) { + if (q->dma_drain_size && blk_rq_bytes(rq)) +@@ -650,6 +649,9 @@ void blk_mq_requeue_request(struct reque + { + __blk_mq_requeue_request(rq); + ++ /* this request will be re-inserted to io scheduler queue */ ++ blk_mq_sched_requeue_request(rq); ++ + BUG_ON(blk_queued_rq(rq)); + blk_mq_add_to_requeue_list(rq, true, kick_requeue_list); + } diff --git a/queue-4.14/edac-sb_edac-fix-out-of-bound-writes-during-dimm-configuration-on-knl.patch b/queue-4.14/edac-sb_edac-fix-out-of-bound-writes-during-dimm-configuration-on-knl.patch new file mode 100644 index 00000000000..e00cd25711f 
--- /dev/null
+++ b/queue-4.14/edac-sb_edac-fix-out-of-bound-writes-during-dimm-configuration-on-knl.patch
@@ -0,0 +1,56 @@ +From bf8486709ac7fad99e4040dea73fe466c57a4ae1 Mon Sep 17 00:00:00 2001 +From: Anna Karbownik +Date: Thu, 22 Feb 2018 16:18:13 +0100 +Subject: EDAC, sb_edac: Fix out of bound writes during DIMM configuration on KNL + +From: Anna Karbownik + +commit bf8486709ac7fad99e4040dea73fe466c57a4ae1 upstream. + +Commit + + 3286d3eb906c ("EDAC, sb_edac: Drop NUM_CHANNELS from 8 back to 4") + +decreased NUM_CHANNELS from 8 to 4, but this is not enough for Knights +Landing which supports up to 6 channels. + +This caused out-of-bounds writes to pvt->mirror_mode and pvt->tolm +variables which don't pay critical role on KNL code path, so the memory +corruption wasn't causing any visible driver failures. + +The easiest way of fixing it is to change NUM_CHANNELS to 6. Do that. + +An alternative solution would be to restructure the KNL part of the +driver to 2MC/3channel representation. + +Reported-by: Dan Carpenter +Signed-off-by: Anna Karbownik +Cc: Mauro Carvalho Chehab +Cc: Tony Luck +Cc: jim.m.snow@intel.com +Cc: krzysztof.paliswiat@intel.com +Cc: lukasz.odzioba@intel.com +Cc: qiuxu.zhuo@intel.com +Cc: linux-edac +Cc: +Fixes: 3286d3eb906c ("EDAC, sb_edac: Drop NUM_CHANNELS from 8 back to 4") +Link: http://lkml.kernel.org/r/1519312693-4789-1-git-send-email-anna.karbownik@intel.com +[ Massage commit message. ] +Signed-off-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/sb_edac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/edac/sb_edac.c ++++ b/drivers/edac/sb_edac.c +@@ -279,7 +279,7 @@ static const u32 correrrthrsld[] = { + * sbridge structs + */ + +-#define NUM_CHANNELS 4 /* Max channels per MC */ ++#define NUM_CHANNELS 6 /* Max channels per MC */ + #define MAX_DIMMS 3 /* Max DIMMS per channel */ + #define KNL_MAX_CHAS 38 /* KNL max num. of Cache Home Agents */ + #define KNL_MAX_CHANNELS 6 /* KNL max num. of PCI channels */ 
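Review bot: NUM_CHANNELS is bumped to 6 as a bare literal while KNL_MAX_CHANNELS, a few lines below in the same hunk, independently encodes the same limit, so the two can drift apart again and the result would be the same silent out-of-bounds write on pvt->mirror_mode and pvt->tolm that the commit describes. A compile-time check pins the invariant: `BUILD_BUG_ON(NUM_CHANNELS < KNL_MAX_CHANNELS);` in the KNL setup path, or a comment on NUM_CHANNELS stating it must cover KNL_MAX_CHANNELS. The array declarations sized by NUM_CHANNELS are outside the hunk.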
diff --git a/queue-4.14/kvm-mmu-fix-overlap-between-public-and-private-memslots.patch b/queue-4.14/kvm-mmu-fix-overlap-between-public-and-private-memslots.patch
new file mode 100644
index 00000000000..7f193d6342e
--- /dev/null
+++ b/queue-4.14/kvm-mmu-fix-overlap-between-public-and-private-memslots.patch
@@ -0,0 +1,113 @@ +From b28676bb8ae4569cced423dc2a88f7cb319d5379 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Tue, 13 Feb 2018 15:36:00 +0100 +Subject: KVM: mmu: Fix overlap between public and private memslots +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wanpeng Li + +commit b28676bb8ae4569cced423dc2a88f7cb319d5379 upstream. + +Reported by syzkaller: + + pte_list_remove: ffff9714eb1f8078 0->BUG + ------------[ cut here ]------------ + kernel BUG at arch/x86/kvm/mmu.c:1157! + invalid opcode: 0000 [#1] SMP + RIP: 0010:pte_list_remove+0x11b/0x120 [kvm] + Call Trace: + drop_spte+0x83/0xb0 [kvm] + mmu_page_zap_pte+0xcc/0xe0 [kvm] + kvm_mmu_prepare_zap_page+0x81/0x4a0 [kvm] + kvm_mmu_invalidate_zap_all_pages+0x159/0x220 [kvm] + kvm_arch_flush_shadow_all+0xe/0x10 [kvm] + kvm_mmu_notifier_release+0x6c/0xa0 [kvm] + ? kvm_mmu_notifier_release+0x5/0xa0 [kvm] + __mmu_notifier_release+0x79/0x110 + ? __mmu_notifier_release+0x5/0x110 + exit_mmap+0x15a/0x170 + ? do_exit+0x281/0xcb0 + mmput+0x66/0x160 + do_exit+0x2c9/0xcb0 + ? __context_tracking_exit.part.5+0x4a/0x150 + do_group_exit+0x50/0xd0 + SyS_exit_group+0x14/0x20 + do_syscall_64+0x73/0x1f0 + entry_SYSCALL64_slow_path+0x25/0x25 + +The reason is that when creates new memslot, there is no guarantee for new +memslot not overlap with private memslots. 
This can be triggered by the +following program: + + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + long r[16]; + + int main() + { + void *p = valloc(0x4000); + + r[2] = open("/dev/kvm", 0); + r[3] = ioctl(r[2], KVM_CREATE_VM, 0x0ul); + + uint64_t addr = 0xf000; + ioctl(r[3], KVM_SET_IDENTITY_MAP_ADDR, &addr); + r[6] = ioctl(r[3], KVM_CREATE_VCPU, 0x0ul); + ioctl(r[3], KVM_SET_TSS_ADDR, 0x0ul); + ioctl(r[6], KVM_RUN, 0); + ioctl(r[6], KVM_RUN, 0); + + struct kvm_userspace_memory_region mr = { + .slot = 0, + .flags = KVM_MEM_LOG_DIRTY_PAGES, + .guest_phys_addr = 0xf000, + .memory_size = 0x4000, + .userspace_addr = (uintptr_t) p + }; + ioctl(r[3], KVM_SET_USER_MEMORY_REGION, &mr); + return 0; + } + +This patch fixes the bug by not adding a new memslot even if it +overlaps with private memslots. + +Reported-by: Dmitry Vyukov +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Dmitry Vyukov +Cc: Eric Biggers +Cc: stable@vger.kernel.org +Signed-off-by: Wanpeng Li +--- + virt/kvm/kvm_main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) +Signed-off-by: Greg Kroah-Hartman + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -975,8 +975,7 @@ int __kvm_set_memory_region(struct kvm * + /* Check for overlaps */ + r = -EEXIST; + kvm_for_each_memslot(slot, __kvm_memslots(kvm, as_id)) { +- if ((slot->id >= KVM_USER_MEM_SLOTS) || +- (slot->id == id)) ++ if (slot->id == id) + continue; + if (!((base_gfn + npages <= slot->base_gfn) || + (base_gfn >= slot->base_gfn + slot->npages))) diff --git a/queue-4.14/kvm-s390-consider-epoch-index-on-hotplugged-cpus.patch b/queue-4.14/kvm-s390-consider-epoch-index-on-hotplugged-cpus.patch new file mode 100644 index 00000000000..6c5f6bf460b --- /dev/null +++ b/queue-4.14/kvm-s390-consider-epoch-index-on-hotplugged-cpus.patch 
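Review bot: The overlap loop now rejects collisions with private slots too, but the surrounding `/* Check for overlaps */` comment gives no hint that this is deliberate, and the removed `slot->id >= KVM_USER_MEM_SLOTS` exemption looked intentional enough that someone may restore it. Suggest expanding the comment to `/* Check for overlaps, including private (id >= KVM_USER_MEM_SLOTS) slots: a user slot covering the same gfn range as a private one breaks the rmap (see the pte_list_remove BUG in the commit log) */`. __kvm_set_memory_region starts and continues outside the hunk.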
@@ -0,0 +1,35 @@ +From d16b52cb9cdb6f06dea8ab2f0a428e7d7f0b0a81 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Wed, 7 Feb 2018 12:46:44 +0100 +Subject: KVM: s390: consider epoch index on hotplugged CPUs + +From: David Hildenbrand + +commit d16b52cb9cdb6f06dea8ab2f0a428e7d7f0b0a81 upstream. + +We must copy both, the epoch and the epoch_idx. + +Signed-off-by: David Hildenbrand +Message-Id: <20180207114647.6220-4-david@redhat.com> +Fixes: 8fa1696ea781 ("KVM: s390: Multiple Epoch Facility support") +Reviewed-by: Cornelia Huck +Reviewed-by: Christian Borntraeger +Fixes: 8fa1696ea781 ("KVM: s390: Multiple Epoch Facility support") +Cc: stable@vger.kernel.org +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/kvm-s390.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -2357,6 +2357,7 @@ void kvm_arch_vcpu_postcreate(struct kvm + mutex_lock(&vcpu->kvm->lock); + preempt_disable(); + vcpu->arch.sie_block->epoch = vcpu->kvm->arch.epoch; ++ vcpu->arch.sie_block->epdx = vcpu->kvm->arch.epdx; + preempt_enable(); + mutex_unlock(&vcpu->kvm->lock); + if (!kvm_is_ucontrol(vcpu->kvm)) { diff --git a/queue-4.14/kvm-s390-consider-epoch-index-on-tod-clock-syncs.patch b/queue-4.14/kvm-s390-consider-epoch-index-on-tod-clock-syncs.patch new file mode 100644 index 00000000000..25b452bc11f --- /dev/null +++ b/queue-4.14/kvm-s390-consider-epoch-index-on-tod-clock-syncs.patch 
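Review bot: The new line copies kvm->arch.epdx into the sie_block unconditionally, whereas kvm_clock_sync_scb in the companion patch of this series (kvm-s390-consider-epoch-index-on-tod-clock-syncs.patch) only touches epdx when `scb->ecd & ECD_MEF` is set. This is presumably harmless because epdx should be unused without the Multiple-epoch facility, but that is worth confirming and worth a short comment such as `/* epdx is only consumed when ECD_MEF is set; copy it unconditionally to stay in sync with the VM */`. kvm_arch_vcpu_postcreate starts outside the hunk.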
@@ -0,0 +1,85 @@ +From 1575767ef3cf5326701d2ae3075b7732cbc855e4 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Wed, 7 Feb 2018 12:46:45 +0100 +Subject: KVM: s390: consider epoch index on TOD clock syncs + +From: David Hildenbrand + +commit 1575767ef3cf5326701d2ae3075b7732cbc855e4 upstream. + +For now, we don't take care of over/underflows. Especially underflows +are critical: + +Assume the epoch is currently 0 and we get a sync request for delta=1, +meaning the TOD is moved forward by 1 and we have to fix it up by +subtracting 1 from the epoch. Right now, this will leave the epoch +index untouched, resulting in epoch=-1, epoch_idx=0, which is wrong. + +We have to take care of over and underflows, also for the VSIE case. So +let's factor out calculation into a separate function. + +Signed-off-by: David Hildenbrand +Message-Id: <20180207114647.6220-5-david@redhat.com> +Reviewed-by: Christian Borntraeger +Fixes: 8fa1696ea781 ("KVM: s390: Multiple Epoch Facility support") +Cc: stable@vger.kernel.org +Signed-off-by: Christian Borntraeger +[use u8 for idx] +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/kvm-s390.c | 32 +++++++++++++++++++++++++++++--- + 1 file changed, 29 insertions(+), 3 deletions(-) + +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -169,6 +169,28 @@ int kvm_arch_hardware_enable(void) + static void kvm_gmap_notifier(struct gmap *gmap, unsigned long start, + unsigned long end); + ++static void kvm_clock_sync_scb(struct kvm_s390_sie_block *scb, u64 delta) ++{ ++ u8 delta_idx = 0; ++ ++ /* ++ * The TOD jumps by delta, we have to compensate this by adding ++ * -delta to the epoch. ++ */ ++ delta = -delta; ++ ++ /* sign-extension - we're adding to signed values below */ ++ if ((s64)delta < 0) ++ delta_idx = -1; ++ ++ scb->epoch += delta; ++ if (scb->ecd & ECD_MEF) { ++ scb->epdx += delta_idx; ++ if (scb->epoch < delta) ++ scb->epdx += 1; ++ } ++} ++ + /* + * This callback is executed during stop_machine(). 
All CPUs are therefore + * temporarily stopped. In order not to change guest behavior, we have to +@@ -184,13 +206,17 @@ static int kvm_clock_sync(struct notifie + unsigned long long *delta = v; + + list_for_each_entry(kvm, &vm_list, vm_list) { +- kvm->arch.epoch -= *delta; + kvm_for_each_vcpu(i, vcpu, kvm) { +- vcpu->arch.sie_block->epoch -= *delta; ++ kvm_clock_sync_scb(vcpu->arch.sie_block, *delta); ++ if (i == 0) { ++ kvm->arch.epoch = vcpu->arch.sie_block->epoch; ++ kvm->arch.epdx = vcpu->arch.sie_block->epdx; ++ } + if (vcpu->arch.cputm_enabled) + vcpu->arch.cputm_start += *delta; + if (vcpu->arch.vsie_block) +- vcpu->arch.vsie_block->epoch -= *delta; ++ kvm_clock_sync_scb(vcpu->arch.vsie_block, ++ *delta); + } + } + return NOTIFY_OK; diff --git a/queue-4.14/kvm-s390-provide-only-a-single-function-for-setting-the-tod-fix-sck.patch b/queue-4.14/kvm-s390-provide-only-a-single-function-for-setting-the-tod-fix-sck.patch new file mode 100644 index 00000000000..2bb732101ac --- /dev/null +++ b/queue-4.14/kvm-s390-provide-only-a-single-function-for-setting-the-tod-fix-sck.patch 
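Review bot: kvm->arch.epoch and kvm->arch.epdx are now refreshed only from vCPU 0 inside kvm_for_each_vcpu, so a VM on vm_list that has no vCPUs yet no longer gets its epoch adjusted at all, whereas the removed `kvm->arch.epoch -= *delta;` applied unconditionally; a vCPU created afterwards would then inherit the stale value through the `epoch = vcpu->kvm->arch.epoch` copy in kvm_arch_vcpu_postcreate. Applying the same add-with-carry arithmetic to the VM-level epoch/epdx pair directly, rather than deriving it from vCPU 0, would close that window; kvm_clock_sync_scb cannot be reused as-is since struct kvm_arch is not a sie_block. kvm_clock_sync starts before the hunk and its locking is not visible here, so the exact placement should be checked against the full function.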
@@ -0,0 +1,162 @@ +From 0e7def5fb0dc53ddbb9f62a497d15f1e11ccdc36 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Wed, 7 Feb 2018 12:46:43 +0100 +Subject: KVM: s390: provide only a single function for setting the tod (fix SCK) + +From: David Hildenbrand + +commit 0e7def5fb0dc53ddbb9f62a497d15f1e11ccdc36 upstream. + +Right now, SET CLOCK called in the guest does not properly take care of +the epoch index, as the call goes via the old kvm_s390_set_tod_clock() +interface. So the epoch index is neither reset to 0, if required, nor +properly set to e.g. 0xff on negative values. + +Fix this by providing a single kvm_s390_set_tod_clock() function. Move +Multiple-epoch facility handling into it. + +Signed-off-by: David Hildenbrand +Message-Id: <20180207114647.6220-3-david@redhat.com> +Reviewed-by: Christian Borntraeger +Fixes: 8fa1696ea781 ("KVM: s390: Multiple Epoch Facility support") +Cc: stable@vger.kernel.org +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/kvm-s390.c | 46 +++++++++++++++------------------------------- + arch/s390/kvm/kvm-s390.h | 5 ++--- + arch/s390/kvm/priv.c | 9 +++++---- + 3 files changed, 22 insertions(+), 38 deletions(-) + +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -888,12 +888,9 @@ static int kvm_s390_set_tod_ext(struct k + if (copy_from_user(>od, (void __user *)attr->addr, sizeof(gtod))) + return -EFAULT; + +- if (test_kvm_facility(kvm, 139)) +- kvm_s390_set_tod_clock_ext(kvm, >od); +- else if (gtod.epoch_idx == 0) +- kvm_s390_set_tod_clock(kvm, gtod.tod); +- else ++ if (!test_kvm_facility(kvm, 139) && gtod.epoch_idx) + return -EINVAL; ++ kvm_s390_set_tod_clock(kvm, >od); + + VM_EVENT(kvm, 3, "SET: TOD extension: 0x%x, TOD base: 0x%llx", + gtod.epoch_idx, gtod.tod); +@@ -918,13 +915,14 @@ static int kvm_s390_set_tod_high(struct + + static int kvm_s390_set_tod_low(struct kvm *kvm, struct kvm_device_attr *attr) + { +- u64 gtod; ++ struct kvm_s390_vm_tod_clock gtod = { 
0 }; + +- if (copy_from_user(>od, (void __user *)attr->addr, sizeof(gtod))) ++ if (copy_from_user(>od.tod, (void __user *)attr->addr, ++ sizeof(gtod.tod))) + return -EFAULT; + +- kvm_s390_set_tod_clock(kvm, gtod); +- VM_EVENT(kvm, 3, "SET: TOD base: 0x%llx", gtod); ++ kvm_s390_set_tod_clock(kvm, >od); ++ VM_EVENT(kvm, 3, "SET: TOD base: 0x%llx", gtod.tod); + return 0; + } + +@@ -2945,8 +2943,8 @@ retry: + return 0; + } + +-void kvm_s390_set_tod_clock_ext(struct kvm *kvm, +- const struct kvm_s390_vm_tod_clock *gtod) ++void kvm_s390_set_tod_clock(struct kvm *kvm, ++ const struct kvm_s390_vm_tod_clock *gtod) + { + struct kvm_vcpu *vcpu; + struct kvm_s390_tod_clock_ext htod; +@@ -2958,10 +2956,12 @@ void kvm_s390_set_tod_clock_ext(struct k + get_tod_clock_ext((char *)&htod); + + kvm->arch.epoch = gtod->tod - htod.tod; +- kvm->arch.epdx = gtod->epoch_idx - htod.epoch_idx; +- +- if (kvm->arch.epoch > gtod->tod) +- kvm->arch.epdx -= 1; ++ kvm->arch.epdx = 0; ++ if (test_kvm_facility(kvm, 139)) { ++ kvm->arch.epdx = gtod->epoch_idx - htod.epoch_idx; ++ if (kvm->arch.epoch > gtod->tod) ++ kvm->arch.epdx -= 1; ++ } + + kvm_s390_vcpu_block_all(kvm); + kvm_for_each_vcpu(i, vcpu, kvm) { +@@ -2972,22 +2972,6 @@ void kvm_s390_set_tod_clock_ext(struct k + kvm_s390_vcpu_unblock_all(kvm); + preempt_enable(); + mutex_unlock(&kvm->lock); +-} +- +-void kvm_s390_set_tod_clock(struct kvm *kvm, u64 tod) +-{ +- struct kvm_vcpu *vcpu; +- int i; +- +- mutex_lock(&kvm->lock); +- preempt_disable(); +- kvm->arch.epoch = tod - get_tod_clock(); +- kvm_s390_vcpu_block_all(kvm); +- kvm_for_each_vcpu(i, vcpu, kvm) +- vcpu->arch.sie_block->epoch = kvm->arch.epoch; +- kvm_s390_vcpu_unblock_all(kvm); +- preempt_enable(); +- mutex_unlock(&kvm->lock); + } + + /** +--- a/arch/s390/kvm/kvm-s390.h ++++ b/arch/s390/kvm/kvm-s390.h +@@ -272,9 +272,8 @@ int kvm_s390_handle_sigp_pei(struct kvm_ + int handle_sthyi(struct kvm_vcpu *vcpu); + + /* implemented in kvm-s390.c */ +-void kvm_s390_set_tod_clock_ext(struct 
kvm *kvm, +- const struct kvm_s390_vm_tod_clock *gtod); +-void kvm_s390_set_tod_clock(struct kvm *kvm, u64 tod); ++void kvm_s390_set_tod_clock(struct kvm *kvm, ++ const struct kvm_s390_vm_tod_clock *gtod); + long kvm_arch_fault_in_page(struct kvm_vcpu *vcpu, gpa_t gpa, int writable); + int kvm_s390_store_status_unloaded(struct kvm_vcpu *vcpu, unsigned long addr); + int kvm_s390_vcpu_store_status(struct kvm_vcpu *vcpu, unsigned long addr); +--- a/arch/s390/kvm/priv.c ++++ b/arch/s390/kvm/priv.c +@@ -84,9 +84,10 @@ int kvm_s390_handle_e3(struct kvm_vcpu * + /* Handle SCK (SET CLOCK) interception */ + static int handle_set_clock(struct kvm_vcpu *vcpu) + { ++ struct kvm_s390_vm_tod_clock gtod = { 0 }; + int rc; + u8 ar; +- u64 op2, val; ++ u64 op2; + + if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE) + return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP); +@@ -94,12 +95,12 @@ static int handle_set_clock(struct kvm_v + op2 = kvm_s390_get_base_disp_s(vcpu, &ar); + if (op2 & 7) /* Operand must be on a doubleword boundary */ + return kvm_s390_inject_program_int(vcpu, PGM_SPECIFICATION); +- rc = read_guest(vcpu, op2, ar, &val, sizeof(val)); ++ rc = read_guest(vcpu, op2, ar, >od.tod, sizeof(gtod.tod)); + if (rc) + return kvm_s390_inject_prog_cond(vcpu, rc); + +- VCPU_EVENT(vcpu, 3, "SCK: setting guest TOD to 0x%llx", val); +- kvm_s390_set_tod_clock(vcpu->kvm, val); ++ VCPU_EVENT(vcpu, 3, "SCK: setting guest TOD to 0x%llx", gtod.tod); ++ kvm_s390_set_tod_clock(vcpu->kvm, >od); + + kvm_s390_set_psw_cc(vcpu, 0); + return 0; diff --git a/queue-4.14/kvm-s390-take-care-of-clock-comparator-sign-control.patch b/queue-4.14/kvm-s390-take-care-of-clock-comparator-sign-control.patch new file mode 100644 index 00000000000..2c72c258d81 --- /dev/null +++ b/queue-4.14/kvm-s390-take-care-of-clock-comparator-sign-control.patch 
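Review bot: kvm_s390_set_tod_clock is now the single entry point for SCK, the TOD_LOW attribute and the TOD_EXT attribute, but nothing at its definition states the contract that gtod->epoch_idx is ignored when facility 139 is absent (the EXT caller rejects a non-zero index with -EINVAL; the other two callers pass a zeroed struct). A kerneldoc block above the definition — purpose, that kvm->lock is held for the duration, that epdx is reset to 0 without facility 139, and that callers must not pass a non-zero epoch_idx without the facility — would make this explicit. The mutex_lock at the start of the function is outside the visible lines, so the locking claim should be checked against the full function.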
@@ -0,0 +1,72 @@ +From 5fe01793dd953ab947fababe8abaf5ed5258c8df Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Wed, 7 Feb 2018 12:46:42 +0100 +Subject: KVM: s390: take care of clock-comparator sign control + +From: David Hildenbrand + +commit 5fe01793dd953ab947fababe8abaf5ed5258c8df upstream. + +Missed when enabling the Multiple-epoch facility. If the facility is +installed and the control is set, a sign based comaprison has to be +performed. + +Right now we would inject wrong interrupts and ignore interrupt +conditions. Also the sleep time is calculated in a wrong way. + +Signed-off-by: David Hildenbrand +Message-Id: <20180207114647.6220-2-david@redhat.com> +Fixes: 8fa1696ea781 ("KVM: s390: Multiple Epoch Facility support") +Cc: stable@vger.kernel.org +Reviewed-by: Christian Borntraeger +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/interrupt.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -173,8 +173,15 @@ static int ckc_interrupts_enabled(struct + + static int ckc_irq_pending(struct kvm_vcpu *vcpu) + { +- if (vcpu->arch.sie_block->ckc >= kvm_s390_get_tod_clock_fast(vcpu->kvm)) ++ const u64 now = kvm_s390_get_tod_clock_fast(vcpu->kvm); ++ const u64 ckc = vcpu->arch.sie_block->ckc; ++ ++ if (vcpu->arch.sie_block->gcr[0] & 0x0020000000000000ul) { ++ if ((s64)ckc >= (s64)now) ++ return 0; ++ } else if (ckc >= now) { + return 0; ++ } + return ckc_interrupts_enabled(vcpu); + } + +@@ -1004,13 +1011,19 @@ int kvm_cpu_has_pending_timer(struct kvm + + static u64 __calculate_sltime(struct kvm_vcpu *vcpu) + { +- u64 now, cputm, sltime = 0; ++ const u64 now = kvm_s390_get_tod_clock_fast(vcpu->kvm); ++ const u64 ckc = vcpu->arch.sie_block->ckc; ++ u64 cputm, sltime = 0; + + if (ckc_interrupts_enabled(vcpu)) { +- now = kvm_s390_get_tod_clock_fast(vcpu->kvm); +- sltime = tod_to_ns(vcpu->arch.sie_block->ckc - now); 
+- /* already expired or overflow? */
+- if (!sltime || vcpu->arch.sie_block->ckc <= now)
++ if (vcpu->arch.sie_block->gcr[0] & 0x0020000000000000ul) {
++ if ((s64)now < (s64)ckc)
++ sltime = tod_to_ns((s64)ckc - (s64)now);
++ } else if (now < ckc) {
++ sltime = tod_to_ns(ckc - now);
++ }
++ /* already expired */
++ if (!sltime)
+ return 0;
+ if (cpu_timer_interrupts_enabled(vcpu)) {
+ cputm = kvm_s390_get_cpu_timer(vcpu);
diff --git a/queue-4.14/kvm-vmx-optimize-vmx_vcpu_run-and-svm_vcpu_run-by-marking-the-rdmsr-path-as-unlikely.patch b/queue-4.14/kvm-vmx-optimize-vmx_vcpu_run-and-svm_vcpu_run-by-marking-the-rdmsr-path-as-unlikely.patch
new file mode 100644
index 00000000000..934b334e62d
--- /dev/null
+++ b/queue-4.14/kvm-vmx-optimize-vmx_vcpu_run-and-svm_vcpu_run-by-marking-the-rdmsr-path-as-unlikely.patch
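Review bot: The control-register test `vcpu->arch.sie_block->gcr[0] & 0x0020000000000000ul` is open-coded twice, in ckc_irq_pending() and again in __calculate_sltime(), and nothing in the code names the bit; only the commit message says it is the clock-comparator sign control that comes with the Multiple-epoch facility. A one-line helper gives both sites a single definition and a place to document that dependency, so the signed/unsigned split cannot drift if a third user is added. With it, each site's condition becomes `if (ckc_sign_control(vcpu)) {` and the rest of both functions is unchanged. __calculate_sltime() continues past the end of the hunk, so the cputm handling after the `if (!sltime)` check was not reviewed.
```c
/* CR0 clock-comparator sign control: when set, ckc and the TOD compare as signed. */
static inline bool ckc_sign_control(struct kvm_vcpu *vcpu)
{
	return vcpu->arch.sie_block->gcr[0] & 0x0020000000000000ul;
}

static int ckc_irq_pending(struct kvm_vcpu *vcpu)
{
	/* … unchanged: now and ckc reads … */
	if (ckc_sign_control(vcpu)) {
	/* … unchanged: signed then unsigned compare, return … */
```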
@@ -0,0 +1,60 @@ +From 946fbbc13dce68902f64515b610eeb2a6c3d7a64 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Thu, 22 Feb 2018 16:43:18 +0100 +Subject: KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR path as unlikely() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paolo Bonzini + +commit 946fbbc13dce68902f64515b610eeb2a6c3d7a64 upstream. + +vmx_vcpu_run() and svm_vcpu_run() are large functions, and giving +branch hints to the compiler can actually make a substantial cycle +difference by keeping the fast path contiguous in memory. + +With this optimization, the retpoline-guest/retpoline-host case is +about 50 cycles faster. + +Signed-off-by: Paolo Bonzini +Reviewed-by: Jim Mattson +Cc: David Woodhouse +Cc: KarimAllah Ahmed +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Radim Krčmář +Cc: Thomas Gleixner +Cc: kvm@vger.kernel.org +Cc: stable@vger.kernel.org +Link: http://lkml.kernel.org/r/20180222154318.20361-3-pbonzini@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 2 +- + arch/x86/kvm/vmx.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -5125,7 +5125,7 @@ static void svm_vcpu_run(struct kvm_vcpu + * If the L02 MSR bitmap does not intercept the MSR, then we need to + * save it. + */ +- if (!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL)) ++ if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL))) + svm->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL); + + if (svm->spec_ctrl) +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -9567,7 +9567,7 @@ static void __noclone vmx_vcpu_run(struc + * If the L02 MSR bitmap does not intercept the MSR, then we need to + * save it. 
+ */
+- if (!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL))
++ if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL)))
+ vmx->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);
+
+ if (vmx->spec_ctrl)
diff --git a/queue-4.14/kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch b/queue-4.14/kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch
new file mode 100644
index 00000000000..cf19fbc9234
--- /dev/null
+++ b/queue-4.14/kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch
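Review bot: The `unlikely()` wrapped around `!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL)` in both svm_vcpu_run() and vmx_vcpu_run() encodes a workload assumption that the surrounding comment does not state. The read is skipped only while the MSR is still intercepted, so for a guest that has been given direct access (the "L02 MSR bitmap does not intercept" case the comment describes) this branch is presumably taken on every exit, and the hint moves that guest's path off the hot line; the commit message measures only the retpoline case. That may be the intended trade-off, but the comment should say so, e.g. `/* unlikely(): guests that never write SPEC_CTRL keep it intercepted, so the save is off the common path */` above the check. Both vcpu_run functions begin and end outside the hunks.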
@@ -0,0 +1,57 @@ +From 95e057e25892eaa48cad1e2d637b80d0f1a4fac5 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Thu, 8 Feb 2018 15:32:45 +0800 +Subject: KVM: X86: Fix SMRAM accessing even if VM is shutdown +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wanpeng Li + +commit 95e057e25892eaa48cad1e2d637b80d0f1a4fac5 upstream. + +Reported by syzkaller: + + WARNING: CPU: 6 PID: 2434 at arch/x86/kvm/vmx.c:6660 handle_ept_misconfig+0x54/0x1e0 [kvm_intel] + CPU: 6 PID: 2434 Comm: repro_test Not tainted 4.15.0+ #4 + RIP: 0010:handle_ept_misconfig+0x54/0x1e0 [kvm_intel] + Call Trace: + vmx_handle_exit+0xbd/0xe20 [kvm_intel] + kvm_arch_vcpu_ioctl_run+0xdaf/0x1d50 [kvm] + kvm_vcpu_ioctl+0x3e9/0x720 [kvm] + do_vfs_ioctl+0xa4/0x6a0 + SyS_ioctl+0x79/0x90 + entry_SYSCALL_64_fastpath+0x25/0x9c + +The testcase creates a first thread to issue KVM_SMI ioctl, and then creates +a second thread to mmap and operate on the same vCPU. This triggers a race +condition when running the testcase with multiple threads. Sometimes one thread +exits with a triple fault while another thread mmaps and operates on the same +vCPU. Because CS=0x3000/IP=0x8000 is not mapped, accessing the SMI handler +results in an EPT misconfig. This patch fixes it by returning RET_PF_EMULATE +in kvm_handle_bad_page(), which will go on to cause an emulation failure and an +exit with KVM_EXIT_INTERNAL_ERROR. 
+
+Reported-by: syzbot+c1d9517cab094dae65e446c0c5b4de6c40f4dc58@syzkaller.appspotmail.com
+Cc: Paolo Bonzini
+Cc: Radim Krčmář
+Cc: stable@vger.kernel.org
+Signed-off-by: Wanpeng Li
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/mmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -3004,7 +3004,7 @@ static int kvm_handle_bad_page(struct kv
+ return 0;
+ }
+
+- return -EFAULT;
++ return RET_PF_EMULATE;
+ }
+
+ static void transparent_hugepage_adjust(struct kvm_vcpu *vcpu,
diff --git a/queue-4.14/kvm-x86-move-lapic-initialization-after-vmcs-creation.patch b/queue-4.14/kvm-x86-move-lapic-initialization-after-vmcs-creation.patch
new file mode 100644
index 00000000000..3e500d77259
--- /dev/null
+++ b/queue-4.14/kvm-x86-move-lapic-initialization-after-vmcs-creation.patch
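Review bot: The new `return RET_PF_EMULATE;` in kvm_handle_bad_page() carries no comment on why a bad page now requests emulation instead of failing with -EFAULT; the reasoning (an unmapped SMI handler after a triple fault must end in an emulation failure and KVM_EXIT_INTERNAL_ERROR rather than the WARN in handle_ept_misconfig()) lives only in the commit message. Suggest `/* emulate rather than -EFAULT: an unmapped page (e.g. SMRAM after shutdown) must end in KVM_EXIT_INTERNAL_ERROR, not a WARN */` on that line. The backport also depends on RET_PF_EMULATE and the RET_PF_* return convention already being in the 4.14 mmu.c, which the hunk cannot show and should be confirmed. kvm_handle_bad_page() starts outside the hunk, so the earlier `return 0;` path was not reviewed.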
@@ -0,0 +1,58 @@ +From 0b2e9904c15963e715d33e5f3f1387f17d19333a Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Fri, 23 Feb 2018 23:29:32 +0100 +Subject: KVM: x86: move LAPIC initialization after VMCS creation + +From: Paolo Bonzini + +commit 0b2e9904c15963e715d33e5f3f1387f17d19333a upstream. + +The initial reset of the local APIC is performed before the VMCS has been +created, but it tries to do a vmwrite: + + vmwrite error: reg 810 value 4a00 (err 18944) + CPU: 54 PID: 38652 Comm: qemu-kvm Tainted: G W I 4.16.0-0.rc2.git0.1.fc28.x86_64 #1 + Hardware name: Intel Corporation S2600CW/S2600CW, BIOS SE5C610.86B.01.01.0003.090520141303 09/05/2014 + Call Trace: + vmx_set_rvi [kvm_intel] + vmx_hwapic_irr_update [kvm_intel] + kvm_lapic_reset [kvm] + kvm_create_lapic [kvm] + kvm_arch_vcpu_init [kvm] + kvm_vcpu_init [kvm] + vmx_create_vcpu [kvm_intel] + kvm_vm_ioctl [kvm] + +Move it later, after the VMCS has been created. + +Fixes: 4191db26b714 ("KVM: x86: Update APICv on APIC reset") +Cc: stable@vger.kernel.org +Cc: Liran Alon +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/lapic.c | 1 - + arch/x86/kvm/x86.c | 1 + + 2 files changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -2107,7 +2107,6 @@ int kvm_create_lapic(struct kvm_vcpu *vc + */ + vcpu->arch.apic_base = MSR_IA32_APICBASE_ENABLE; + static_key_slow_inc(&apic_sw_disabled.key); /* sw disabled at reset */ +- kvm_lapic_reset(vcpu, false); + kvm_iodevice_init(&apic->dev, &apic_mmio_ops); + + return 0; +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -7779,6 +7779,7 @@ int kvm_arch_vcpu_setup(struct kvm_vcpu + if (r) + return r; + kvm_vcpu_reset(vcpu, false); ++ kvm_lapic_reset(vcpu, false); + kvm_mmu_setup(vcpu); + vcpu_put(vcpu); + return r; 
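Review bot: `kvm_lapic_reset(vcpu, false)` is now called unconditionally from kvm_arch_vcpu_setup(), whereas before it ran inside kvm_create_lapic(), i.e. only when an in-kernel LAPIC exists. The new call site therefore relies on kvm_lapic_reset() tolerating vcpu->arch.apic == NULL for VMs whose APIC lives in userspace; upstream's kvm_lapic_reset() does begin with such a guard as far as I recall, but that is not visible here and should be confirmed for the 4.14 tree. A one-line comment at the call would capture the ordering requirement the commit message describes: `/* after kvm_vcpu_reset(): the APIC reset does a vmwrite, so the VMCS must exist */`. Both kvm_create_lapic() and kvm_arch_vcpu_setup() start outside the hunks.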
diff --git a/queue-4.14/kvm-x86-remove-indirect-msr-op-calls-from-spec_ctrl.patch b/queue-4.14/kvm-x86-remove-indirect-msr-op-calls-from-spec_ctrl.patch
new file mode 100644
index 00000000000..0ae6d811a42
--- /dev/null
+++ b/queue-4.14/kvm-x86-remove-indirect-msr-op-calls-from-spec_ctrl.patch
@@ -0,0 +1,101 @@ +From ecb586bd29c99fb4de599dec388658e74388daad Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Thu, 22 Feb 2018 16:43:17 +0100 +Subject: KVM/x86: Remove indirect MSR op calls from SPEC_CTRL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paolo Bonzini + +commit ecb586bd29c99fb4de599dec388658e74388daad upstream. + +Having a paravirt indirect call in the IBRS restore path is not a +good idea, since we are trying to protect from speculative execution +of bogus indirect branch targets. It is also slower, so use +native_wrmsrl() on the vmentry path too. + +Signed-off-by: Paolo Bonzini +Reviewed-by: Jim Mattson +Cc: David Woodhouse +Cc: KarimAllah Ahmed +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Radim Krčmář +Cc: Thomas Gleixner +Cc: kvm@vger.kernel.org +Cc: stable@vger.kernel.org +Fixes: d28b387fb74da95d69d2615732f50cceb38e9a4d +Link: http://lkml.kernel.org/r/20180222154318.20361-2-pbonzini@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 7 ++++--- + arch/x86/kvm/vmx.c | 7 ++++--- + 2 files changed, 8 insertions(+), 6 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -45,6 +45,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -5015,7 +5016,7 @@ static void svm_vcpu_run(struct kvm_vcpu + * being speculatively taken. + */ + if (svm->spec_ctrl) +- wrmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl); ++ native_wrmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl); + + asm volatile ( + "push %%" _ASM_BP "; \n\t" +@@ -5125,10 +5126,10 @@ static void svm_vcpu_run(struct kvm_vcpu + * save it. 
+ */
+ if (!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL))
+- rdmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl);
++ svm->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);
+
+ if (svm->spec_ctrl)
+- wrmsrl(MSR_IA32_SPEC_CTRL, 0);
++ native_wrmsrl(MSR_IA32_SPEC_CTRL, 0);
+
+ /* Eliminate branch target predictions from guest mode */
+ vmexit_fill_RSB();
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -51,6 +51,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include "trace.h"
+@@ -9431,7 +9432,7 @@ static void __noclone vmx_vcpu_run(struc
+ * being speculatively taken.
+ */
+ if (vmx->spec_ctrl)
+- wrmsrl(MSR_IA32_SPEC_CTRL, vmx->spec_ctrl);
++ native_wrmsrl(MSR_IA32_SPEC_CTRL, vmx->spec_ctrl);
+
+ vmx->__launched = vmx->loaded_vmcs->launched;
+ asm(
+@@ -9567,10 +9568,10 @@ static void __noclone vmx_vcpu_run(struc
+ * save it.
+ */
+ if (!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL))
+- rdmsrl(MSR_IA32_SPEC_CTRL, vmx->spec_ctrl);
++ vmx->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);
+
+ if (vmx->spec_ctrl)
+- wrmsrl(MSR_IA32_SPEC_CTRL, 0);
++ native_wrmsrl(MSR_IA32_SPEC_CTRL, 0);
+
+ /* Eliminate branch target predictions from guest mode */
+ vmexit_fill_RSB();
diff --git a/queue-4.14/media-m88ds3103-don-t-call-a-non-initalized-function.patch b/queue-4.14/media-m88ds3103-don-t-call-a-non-initalized-function.patch
new file mode 100644
index 00000000000..47de3dd09bb
--- /dev/null
+++ b/queue-4.14/media-m88ds3103-don-t-call-a-non-initalized-function.patch
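Review bot: The new `native_read_msr()` / `native_wrmsrl()` calls carry no comment saying why the paravirt-aware `rdmsrl()`/`wrmsrl()` were deliberately avoided, and "no indirect call while restoring IBRS" is exactly the reasoning a later cleanup will undo; the existing comment explains only why the value is saved. The same applies to the matching svm.c hunk, so one line at each of the four sites, e.g. `/* native_*: no paravirt indirect call while SPEC_CTRL is being restored */`, keeps the intent next to the code. The added `#include` line has lost its header name in this rendering, so which header is meant to provide native_wrmsrl() cannot be checked here. svm_vcpu_run() and vmx_vcpu_run() begin and end outside the hunks.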
@@ -0,0 +1,123 @@ +From b9c97c67fd19262c002d94ced2bfb513083e161e Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Sat, 10 Feb 2018 06:14:10 -0500 +Subject: media: m88ds3103: don't call a non-initalized function + +From: Mauro Carvalho Chehab + +commit b9c97c67fd19262c002d94ced2bfb513083e161e upstream. + +If m88d3103 chip ID is not recognized, the device is not initialized. + +However, it returns from probe without any error, causing this OOPS: + +[ 7.689289] Unable to handle kernel NULL pointer dereference at virtual address 00000000 +[ 7.689297] pgd = 7b0bd7a7 +[ 7.689302] [00000000] *pgd=00000000 +[ 7.689318] Internal error: Oops: 80000005 [#1] SMP ARM +[ 7.689322] Modules linked in: dvb_usb_dvbsky(+) m88ds3103 dvb_usb_v2 dvb_core videobuf2_vmalloc videobuf2_memops videobuf2_core crc32_arm_ce videodev media +[ 7.689358] CPU: 3 PID: 197 Comm: systemd-udevd Not tainted 4.15.0-mcc+ #23 +[ 7.689361] Hardware name: BCM2835 +[ 7.689367] PC is at 0x0 +[ 7.689382] LR is at m88ds3103_attach+0x194/0x1d0 [m88ds3103] +[ 7.689386] pc : [<00000000>] lr : [] psr: 60000013 +[ 7.689391] sp : ed8e5c20 ip : ed8c1e00 fp : ed8945c0 +[ 7.689395] r10: ed894000 r9 : ed894378 r8 : eda736c0 +[ 7.689400] r7 : ed894070 r6 : ed8e5c44 r5 : bf0bb040 r4 : eda77600 +[ 7.689405] r3 : 00000000 r2 : 00000000 r1 : 00000000 r0 : eda77600 +[ 7.689412] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +[ 7.689417] Control: 10c5383d Table: 2d8e806a DAC: 00000051 +[ 7.689423] Process systemd-udevd (pid: 197, stack limit = 0xe9dbfb63) +[ 7.689428] Stack: (0xed8e5c20 to 0xed8e6000) +[ 7.689439] 5c20: ed853a80 eda73640 ed894000 ed8942c0 ed853a80 bf0b9e98 ed894070 bf0b9f10 +[ 7.689449] 5c40: 00000000 00000000 bf08c17c c08dfc50 00000000 00000000 00000000 00000000 +[ 7.689459] 5c60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 7.689468] 5c80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 7.689479] 5ca0: 00000000 00000000 ed8945c0 
ed8942c0 ed894000 ed894830 bf0b9e98 00000000 +[ 7.689490] 5cc0: ed894378 bf0a3cb4 bf0bc3b0 0000533b ed920540 00000000 00000034 bf0a6434 +[ 7.689500] 5ce0: ee952070 ed826600 bf0a7038 bf0a2dd8 00000001 bf0a6768 bf0a2f90 ed8943c0 +[ 7.689511] 5d00: 00000000 c08eca68 ed826620 ed826620 00000000 ee952070 bf0bc034 ee952000 +[ 7.689521] 5d20: ed826600 bf0bb080 ffffffed c0aa9e9c c0aa9dac ed826620 c16edf6c c168c2c8 +[ 7.689531] 5d40: c16edf70 00000000 bf0bc034 0000000d 00000000 c08e268c bf0bb080 ed826600 +[ 7.689541] 5d60: bf0bc034 ed826654 ed826620 bf0bc034 c164c8bc 00000000 00000001 00000000 +[ 7.689553] 5d80: 00000028 c08e2948 00000000 bf0bc034 c08e2848 c08e0778 ee9f0a58 ed88bab4 +[ 7.689563] 5da0: bf0bc034 ed90ba80 c168c1f0 c08e1934 bf0bb3bc c17045ac bf0bc034 c164c8bc +[ 7.689574] 5dc0: bf0bc034 bf0bb3bc ed91f564 c08e34ec bf0bc000 c164c8bc bf0bc034 c0aa8dc4 +[ 7.689584] 5de0: ffffe000 00000000 bf0bf000 ed91f600 ed91f564 c03021e4 00000001 00000000 +[ 7.689595] 5e00: c166e040 8040003f ed853a80 bf0bc448 00000000 c1678174 ed853a80 f0f22000 +[ 7.689605] 5e20: f0f21fff 8040003f 014000c0 ed91e700 ed91e700 c16d8e68 00000001 ed91e6c0 +[ 7.689615] 5e40: bf0bc400 00000001 bf0bc400 ed91f564 00000001 00000000 00000028 c03c9a24 +[ 7.689625] 5e60: 00000001 c03c8c94 ed8e5f50 ed8e5f50 00000001 bf0bc400 ed91f540 c03c8cb0 +[ 7.689637] 5e80: bf0bc40c 00007fff bf0bc400 c03c60b0 00000000 bf0bc448 00000028 c0e09684 +[ 7.689647] 5ea0: 00000002 bf0bc530 c1234bf8 bf0bc5dc bf0bc514 c10ebbe8 ffffe000 bf000000 +[ 7.689657] 5ec0: 00011538 00000000 ed8e5f48 00000000 00000000 00000000 00000000 00000000 +[ 7.689666] 5ee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 7.689676] 5f00: 00000000 00000000 7fffffff 00000000 00000013 b6e55a18 0000017b c0309104 +[ 7.689686] 5f20: ed8e4000 00000000 00510af0 c03c9430 7fffffff 00000000 00000003 00000000 +[ 7.689697] 5f40: 00000000 f0f0f000 00011538 00000000 f0f107b0 f0f0f000 00011538 f0f1fdb8 +[ 7.689707] 5f60: f0f1fbe8 f0f1b974 
00004000 000041e0 bf0bc3d0 00000001 00000000 000024c4 +[ 7.689717] 5f80: 0000002d 0000002e 00000019 00000000 00000010 00000000 16894000 00000000 +[ 7.689727] 5fa0: 00000000 c0308f20 16894000 00000000 00000013 b6e55a18 00000000 b6e5652c +[ 7.689737] 5fc0: 16894000 00000000 00000000 0000017b 00020000 00508110 00000000 00510af0 +[ 7.689748] 5fe0: bef68948 bef68938 b6e4d3d0 b6d32590 60000010 00000013 00000000 00000000 +[ 7.689790] [] (m88ds3103_attach [m88ds3103]) from [] (dvbsky_s960c_attach+0x78/0x280 [dvb_usb_dvbsky]) +[ 7.689821] [] (dvbsky_s960c_attach [dvb_usb_dvbsky]) from [] (dvb_usbv2_probe+0xa3c/0x1024 [dvb_usb_v2]) +[ 7.689849] [] (dvb_usbv2_probe [dvb_usb_v2]) from [] (usb_probe_interface+0xf0/0x2a8) +[ 7.689869] [] (usb_probe_interface) from [] (driver_probe_device+0x2f8/0x4b4) +[ 7.689881] [] (driver_probe_device) from [] (__driver_attach+0x100/0x11c) +[ 7.689895] [] (__driver_attach) from [] (bus_for_each_dev+0x4c/0x9c) +[ 7.689909] [] (bus_for_each_dev) from [] (bus_add_driver+0x1c0/0x264) +[ 7.689919] [] (bus_add_driver) from [] (driver_register+0x78/0xf4) +[ 7.689931] [] (driver_register) from [] (usb_register_driver+0x70/0x134) +[ 7.689946] [] (usb_register_driver) from [] (do_one_initcall+0x44/0x168) +[ 7.689963] [] (do_one_initcall) from [] (do_init_module+0x64/0x1f4) +[ 7.689979] [] (do_init_module) from [] (load_module+0x20a0/0x25c8) +[ 7.689993] [] (load_module) from [] (SyS_finit_module+0xb4/0xec) +[ 7.690007] [] (SyS_finit_module) from [] (ret_fast_syscall+0x0/0x54) +[ 7.690018] Code: bad PC value + +This may happen on normal circumstances, if, for some reason, the demod +hangs and start returning an invalid chip ID: + +[ 10.394395] m88ds3103 3-0068: Unknown device. Chip_id=00 + +So, change the logic to cause probe to fail with -ENODEV, preventing +the OOPS. + +Detected while testing DVB MMAP patches on Raspberry Pi 3 with +DVBSky S960CI. 
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/dvb-frontends/m88ds3103.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/dvb-frontends/m88ds3103.c
++++ b/drivers/media/dvb-frontends/m88ds3103.c
+@@ -1262,11 +1262,12 @@ static int m88ds3103_select(struct i2c_m
+ * New users must use I2C client binding directly!
+ */
+ struct dvb_frontend *m88ds3103_attach(const struct m88ds3103_config *cfg,
+- struct i2c_adapter *i2c, struct i2c_adapter **tuner_i2c_adapter)
++ struct i2c_adapter *i2c,
++ struct i2c_adapter **tuner_i2c_adapter)
+ {
+ struct i2c_client *client;
+ struct i2c_board_info board_info;
+- struct m88ds3103_platform_data pdata;
++ struct m88ds3103_platform_data pdata = {};
+
+ pdata.clk = cfg->clock;
+ pdata.i2c_wr_max = cfg->i2c_wr_max;
+@@ -1409,6 +1410,8 @@ static int m88ds3103_probe(struct i2c_cl
+ case M88DS3103_CHIP_ID:
+ break;
+ default:
++ ret = -ENODEV;
++ dev_err(&client->dev, "Unknown device. Chip_id=%02x\n", dev->chip_id);
+ goto err_kfree;
+ }
+
diff --git a/queue-4.14/nospec-allow-index-argument-to-have-const-qualified-type.patch b/queue-4.14/nospec-allow-index-argument-to-have-const-qualified-type.patch
new file mode 100644
index 00000000000..ac69d9b3f88
--- /dev/null
+++ b/queue-4.14/nospec-allow-index-argument-to-have-const-qualified-type.patch
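Review bot: The new error path in m88ds3103_probe() sets `ret = -ENODEV;` before `goto err_kfree;`, which only fails the probe if the `err_kfree:` label returns `ret` without overwriting it; that label and the declaration of ret are outside the hunk and should be checked in the 4.14 file. The `dev_err()` prints `dev->chip_id` with `%02x`, which assumes chip_id is at most a byte; the hunk cannot show its type. The `pdata = {};` change in m88ds3103_attach() appears unrelated to the crash in the message (a jump to PC 0 from m88ds3103_attach once probe "succeeds" on an unknown chip) and would be clearer with its own comment, e.g. `/* zero pdata so fields not assigned below are defined */`. Both m88ds3103_attach() and m88ds3103_probe() continue past their hunks.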
@@ -0,0 +1,65 @@ +From b98c6a160a057d5686a8c54c79cc6c8c94a7d0c8 Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Fri, 16 Feb 2018 13:20:48 -0800 +Subject: nospec: Allow index argument to have const-qualified type + +From: Rasmus Villemoes + +commit b98c6a160a057d5686a8c54c79cc6c8c94a7d0c8 upstream. + +The last expression in a statement expression need not be a bare +variable, quoting gcc docs + + The last thing in the compound statement should be an expression + followed by a semicolon; the value of this subexpression serves as the + value of the entire construct. + +and we already use that in e.g. the min/max macros which end with a +ternary expression. + +This way, we can allow index to have const-qualified type, which will in +some cases avoid the need for introducing a local copy of index of +non-const qualified type. That, in turn, can prevent readers not +familiar with the internals of array_index_nospec from wondering about +the seemingly redundant extra variable, and I think that's worthwhile +considering how confusing the whole _nospec business is. + +The expression _i&_mask has type unsigned long (since that is the type +of _mask, and the BUILD_BUG_ONs guarantee that _i will get promoted to +that), so in order not to change the type of the whole expression, add +a cast back to typeof(_i). 
+
+Signed-off-by: Rasmus Villemoes
+Signed-off-by: Dan Williams
+Acked-by: Linus Torvalds
+Cc: Andy Lutomirski
+Cc: Arjan van de Ven
+Cc: Borislav Petkov
+Cc: Dave Hansen
+Cc: David Woodhouse
+Cc: Greg Kroah-Hartman
+Cc: Josh Poimboeuf
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: Will Deacon
+Cc: linux-arch@vger.kernel.org
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/151881604837.17395.10812767547837568328.stgit@dwillia2-desk3.amr.corp.intel.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/nospec.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/include/linux/nospec.h
++++ b/include/linux/nospec.h
+@@ -72,7 +72,6 @@ static inline unsigned long array_index_
+ BUILD_BUG_ON(sizeof(_i) > sizeof(long)); \
+ BUILD_BUG_ON(sizeof(_s) > sizeof(long)); \
+ \
+- _i &= _mask; \
+- _i; \
++ (typeof(_i)) (_i & _mask); \
+ })
+ #endif /* _LINUX_NOSPEC_H */
diff --git a/queue-4.14/series b/queue-4.14/series
index bd26aa24470..692553c7581 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
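Review bot: The new final expression `(typeof(_i)) (_i & _mask); \` relies on `_i & _mask` taking _mask's type (unsigned long) and on the cast narrowing it back, which the commit message explains but the macro itself does not; a reader of array_index_nospec() now meets a cast with no stated reason. Suggest a comment on the preceding `\` line: `/* _i & _mask is unsigned long (_mask's type); cast back so the result keeps index's type, and a const index needs no local copy */`. Note that typeof() on a const-qualified _i yields a const-qualified cast type, which is harmless for an rvalue but is worth a word in that comment. The rest of the macro, including the definitions of _i and _mask, lies outside the hunk.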
@@ -80,3 +80,21 @@ s390-qeth-fix-double-free-on-ip-add-remove-race.patch
 revert-s390-qeth-fix-using-of-ref-counter-for-rxip-addresses.patch
 s390-qeth-fix-ip-address-lookup-for-l3-devices.patch
 s390-qeth-fix-ipa-command-submission-race.patch
+blk-mq-don-t-call-io-sched-s-.requeue_request-when-requeueing-rq-to-dispatch.patch
+media-m88ds3103-don-t-call-a-non-initalized-function.patch
+edac-sb_edac-fix-out-of-bound-writes-during-dimm-configuration-on-knl.patch
+kvm-s390-take-care-of-clock-comparator-sign-control.patch
+kvm-s390-provide-only-a-single-function-for-setting-the-tod-fix-sck.patch
+kvm-s390-consider-epoch-index-on-hotplugged-cpus.patch
+kvm-s390-consider-epoch-index-on-tod-clock-syncs.patch
+nospec-allow-index-argument-to-have-const-qualified-type.patch
+x86-mm-fix-pmd-pud-_-set-clear-_flags.patch
+arm-orion-fix-orion_ge00_switch_board_info-initialization.patch
+arm-dts-rockchip-remove-1.8-ghz-operation-point-from-phycore-som.patch
+arm-mvebu-fix-broken-pl310_errata_753970-selects.patch
+arm-kvm-fix-building-with-gcc-8.patch
+kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch
+kvm-mmu-fix-overlap-between-public-and-private-memslots.patch
+kvm-x86-remove-indirect-msr-op-calls-from-spec_ctrl.patch
+kvm-x86-move-lapic-initialization-after-vmcs-creation.patch
+kvm-vmx-optimize-vmx_vcpu_run-and-svm_vcpu_run-by-marking-the-rdmsr-path-as-unlikely.patch
diff --git a/queue-4.14/x86-mm-fix-pmd-pud-_-set-clear-_flags.patch b/queue-4.14/x86-mm-fix-pmd-pud-_-set-clear-_flags.patch
new file mode 100644
index 00000000000..82b25fe20a7
--- /dev/null
+++ b/queue-4.14/x86-mm-fix-pmd-pud-_-set-clear-_flags.patch
@@ -0,0 +1,99 @@ +From 842cef9113c2120f74f645111ded1e020193d84c Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Mon, 19 Feb 2018 07:48:11 -0700 +Subject: x86/mm: Fix {pmd,pud}_{set,clear}_flags() + +From: Jan Beulich + +commit 842cef9113c2120f74f645111ded1e020193d84c upstream. + +Just like pte_{set,clear}_flags() their PMD and PUD counterparts should +not do any address translation. This was outright wrong under Xen +(causing a dead boot with no useful output on "suitable" systems), and +produced needlessly more complicated code (even if just slightly) when +paravirt was enabled. + +Signed-off-by: Jan Beulich +Reviewed-by: Juergen Gross +Acked-by: Thomas Gleixner +Cc: Andy Lutomirski +Cc: Boris Ostrovsky +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: stable@vger.kernel.org +Link: http://lkml.kernel.org/r/5A8AF1BB02000078001A91C3@prv-mh.provo.novell.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/pgtable.h | 8 ++++---- + arch/x86/include/asm/pgtable_types.h | 10 ++++++++++ + 2 files changed, 14 insertions(+), 4 deletions(-) + +--- a/arch/x86/include/asm/pgtable.h ++++ b/arch/x86/include/asm/pgtable.h +@@ -350,14 +350,14 @@ static inline pmd_t pmd_set_flags(pmd_t + { + pmdval_t v = native_pmd_val(pmd); + +- return __pmd(v | set); ++ return native_make_pmd(v | set); + } + + static inline pmd_t pmd_clear_flags(pmd_t pmd, pmdval_t clear) + { + pmdval_t v = native_pmd_val(pmd); + +- return __pmd(v & ~clear); ++ return native_make_pmd(v & ~clear); + } + + static inline pmd_t pmd_mkold(pmd_t pmd) +@@ -409,14 +409,14 @@ static inline pud_t pud_set_flags(pud_t + { + pudval_t v = native_pud_val(pud); + +- return __pud(v | set); ++ return native_make_pud(v | set); + } + + static inline pud_t pud_clear_flags(pud_t pud, pudval_t clear) + { + pudval_t v = native_pud_val(pud); + +- return __pud(v & ~clear); ++ return native_make_pud(v 
& ~clear);
+ }
+
+ static inline pud_t pud_mkold(pud_t pud)
+--- a/arch/x86/include/asm/pgtable_types.h
++++ b/arch/x86/include/asm/pgtable_types.h
+@@ -323,6 +323,11 @@ static inline pudval_t native_pud_val(pu
+ #else
+ #include
+
++static inline pud_t native_make_pud(pudval_t val)
++{
++ return (pud_t) { .p4d.pgd = native_make_pgd(val) };
++}
++
+ static inline pudval_t native_pud_val(pud_t pud)
+ {
+ return native_pgd_val(pud.p4d.pgd);
+@@ -344,6 +349,11 @@ static inline pmdval_t native_pmd_val(pm
+ #else
+ #include
+
++static inline pmd_t native_make_pmd(pmdval_t val)
++{
++ return (pmd_t) { .pud.p4d.pgd = native_make_pgd(val) };
++}
++
+ static inline pmdval_t native_pmd_val(pmd_t pmd)
+ {
+ return native_pgd_val(pmd.pud.p4d.pgd);
-- 2.47.3
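Review bot: The new native_make_pud() and native_make_pmd() are added only in the `#else` (folded page-table level) branches of pgtable_types.h, so the pgtable.h callers pmd_set_flags(), pmd_clear_flags(), pud_set_flags() and pud_clear_flags() build on non-folded configurations only if the `#if` branches already provide the same helpers in 4.14; the hunk does not show that and it should be confirmed before the backport is queued. The compound literals `(pud_t) { .p4d.pgd = native_make_pgd(val) }` and `(pmd_t) { .pud.p4d.pgd = native_make_pgd(val) }` hard-code the nested struct layout pulled in by the `#include` lines (whose names are lost in this rendering, presumably the asm-generic nopud/nopmd headers); a comment such as `/* folded levels: pud_t wraps p4d_t wraps pgd_t, so build it from the pgd value */` would explain the designator chain. The four flag helpers in pgtable.h are complete within their hunks apart from the signature line carried in each hunk header.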