From eeff790cb071a0dab39ff3a507615a2338893448 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 6 May 2014 15:36:23 -0700 Subject: [PATCH] 3.10-stable patches added patches: arm-7840-1-lpae-don-t-reject-mapping-dev-mem-above-4gb.patch floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch iser-target-add-missing-se_cmd-put-for-write_pending-in-tx_comp_err.patch kvm-ioapic-fix-assignment-of-ioapic-rtc_status.pending_eoi-cve-2014-0155.patch mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch mips-kvm-pass-reserved-instruction-exceptions-to-guest.patch mpt2sas-don-t-disable-device-twice-at-suspend.patch powerpc-compat-32-bit-little-endian-machine-name-is-ppcle-not-ppc.patch virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch virtio-scsi-skip-setting-affinity-on-uninitialized-vq.patch --- ...n-t-reject-mapping-dev-mem-above-4gb.patch | 43 +++++++ ...nly-members-to-fdrawcmd-ioctl-output.patch | 35 +++++ ...only-members-in-fdrawcmd-ioctl-input.patch | 45 +++++++ ...put-for-write_pending-in-tx_comp_err.patch | 120 ++++++++++++++++++ ...rtc_status.pending_eoi-cve-2014-0155.patch | 38 ++++++ ...sh-tlb-entries-in-swsusp_arch_resume.patch | 45 +++++++ ...rved-instruction-exceptions-to-guest.patch | 72 +++++++++++ ...on-t-disable-device-twice-at-suspend.patch | 37 ++++++ ...endian-machine-name-is-ppcle-not-ppc.patch | 34 +++++ queue-3.10/series | 11 ++ ...setting-affinity-on-uninitialized-vq.patch | 103 +++++++++++++++ ...t-softlockup-on-huge-balloon-changes.patch | 41 ++++++ 12 files changed, 624 insertions(+) create mode 100644 queue-3.10/arm-7840-1-lpae-don-t-reject-mapping-dev-mem-above-4gb.patch create mode 100644 queue-3.10/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch create mode 100644 queue-3.10/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch create mode 100644 queue-3.10/iser-target-add-missing-se_cmd-put-for-write_pending-in-tx_comp_err.patch create mode 100644 
queue-3.10/kvm-ioapic-fix-assignment-of-ioapic-rtc_status.pending_eoi-cve-2014-0155.patch
 create mode 100644 queue-3.10/mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
 create mode 100644 queue-3.10/mips-kvm-pass-reserved-instruction-exceptions-to-guest.patch
 create mode 100644 queue-3.10/mpt2sas-don-t-disable-device-twice-at-suspend.patch
 create mode 100644 queue-3.10/powerpc-compat-32-bit-little-endian-machine-name-is-ppcle-not-ppc.patch
 create mode 100644 queue-3.10/virtio-scsi-skip-setting-affinity-on-uninitialized-vq.patch
 create mode 100644 queue-3.10/virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch
diff --git a/queue-3.10/arm-7840-1-lpae-don-t-reject-mapping-dev-mem-above-4gb.patch b/queue-3.10/arm-7840-1-lpae-don-t-reject-mapping-dev-mem-above-4gb.patch
new file mode 100644
index 00000000000..ead0d7a7e67
--- /dev/null
+++ b/queue-3.10/arm-7840-1-lpae-don-t-reject-mapping-dev-mem-above-4gb.patch
@@ -0,0 +1,43 @@
+From 3159f372354e8e1f5dee714663d705dd2c7e0759 Mon Sep 17 00:00:00 2001
+From: Sergey Dyasly
+Date: Tue, 24 Sep 2013 16:38:00 +0100
+Subject: ARM: 7840/1: LPAE: don't reject mapping /dev/mem above 4GB
+
+From: Sergey Dyasly
+
+commit 3159f372354e8e1f5dee714663d705dd2c7e0759 upstream.
+
+With LPAE enabled, physical address space is larger than 4GB. Allow mapping any
+part of it via /dev/mem by using PHYS_MASK to determine valid range.
+
+PHYS_MASK covers 40 bits with LPAE enabled and 32 bits otherwise.
+
+Reported-by: Vassili Karpov
+Signed-off-by: Sergey Dyasly
+Acked-by: Catalin Marinas
+Signed-off-by: Russell King
+Cc: hujianyang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mm/mmap.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/mm/mmap.c
++++ b/arch/arm/mm/mmap.c
+@@ -204,13 +204,11 @@ int valid_phys_addr_range(phys_addr_t ad
+ }
+
+ /*
+- * We don't use supersection mappings for mmap() on /dev/mem, which
+- * means that we can't map the memory area above the 4G barrier into
+- * userspace.
++ * Do not allow /dev/mem mappings beyond the supported physical range.
+ */
+ int valid_mmap_phys_addr_range(unsigned long pfn, size_t size)
+ {
+- return !(pfn + (size >> PAGE_SHIFT) > 0x00100000);
++ return (pfn + (size >> PAGE_SHIFT)) <= (1 + (PHYS_MASK >> PAGE_SHIFT));
+ }
+
+ #ifdef CONFIG_STRICT_DEVMEM
diff --git a/queue-3.10/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch b/queue-3.10/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
new file mode 100644
index 00000000000..ed496042718
--- /dev/null
+++ b/queue-3.10/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
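Review bot: The new bound in `valid_mmap_phys_addr_range()` is computed as `pfn + (size >> PAGE_SHIFT)` in `unsigned long`, so on a 32-bit kernel a large `pfn` makes the sum wrap and compare as small, which would pass the `<=` test. The removed check had the same shape, and the mmap core may already reject a wrapping offset before this function is reached, but nothing in the hunk shows that. A wrap-safe form needs no such assumption: `unsigned long limit = 1 + (PHYS_MASK >> PAGE_SHIFT), npages = size >> PAGE_SHIFT;` followed by `return npages <= limit && pfn <= limit - npages;`.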
@@ -0,0 +1,35 @@
+From 2145e15e0557a01b9195d1c7199a1b92cb9be81f Mon Sep 17 00:00:00 2001
+From: Matthew Daley
+Date: Mon, 28 Apr 2014 19:05:21 +1200
+Subject: floppy: don't write kernel-only members to FDRAWCMD ioctl output
+
+From: Matthew Daley
+
+commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f upstream.
+
+Do not leak kernel-only floppy_raw_cmd structure members to userspace.
+This includes the linked-list pointer and the pointer to the allocated
+DMA space.
+
+Signed-off-by: Matthew Daley
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/floppy.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void
+ int ret;
+
+ while (ptr) {
+- ret = copy_to_user(param, ptr, sizeof(*ptr));
++ struct floppy_raw_cmd cmd = *ptr;
++ cmd.next = NULL;
++ cmd.kernel_data = NULL;
++ ret = copy_to_user(param, &cmd, sizeof(cmd));
+ if (ret)
+ return -EFAULT;
+ param += sizeof(struct floppy_raw_cmd);
diff --git a/queue-3.10/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch b/queue-3.10/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
new file mode 100644
index 00000000000..9ade1d5253b
--- /dev/null
+++ b/queue-3.10/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
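Review bot: The new local `struct floppy_raw_cmd cmd` shadows the function's own `int cmd` parameter, which the inner hunk header shows in `raw_cmd_copyout(int cmd, void`. It compiles, but any later use of `cmd` inside the loop would silently refer to the struct copy, and `-Wshadow` builds will warn; a distinct name such as `struct floppy_raw_cmd out = *ptr;` avoids that. A one-line comment, `/* copy out a scrubbed copy: next and kernel_data hold kernel addresses */`, would also keep a later cleanup from reverting to copying `*ptr` directly. The rest of the loop body lies outside the hunk.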
@@ -0,0 +1,45 @@
+From ef87dbe7614341c2e7bfe8d32fcb7028cc97442c Mon Sep 17 00:00:00 2001
+From: Matthew Daley
+Date: Mon, 28 Apr 2014 19:05:20 +1200
+Subject: floppy: ignore kernel-only members in FDRAWCMD ioctl input
+
+From: Matthew Daley
+
+commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream.
+
+Always clear out these floppy_raw_cmd struct members after copying the
+entire structure from userspace so that the in-kernel version is always
+valid and never left in an interdeterminate state.
+
+Signed-off-by: Matthew Daley
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/floppy.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3107,10 +3107,11 @@ loop:
+ return -ENOMEM;
+ *rcmd = ptr;
+ ret = copy_from_user(ptr, param, sizeof(*ptr));
+- if (ret)
+- return -EFAULT;
+ ptr->next = NULL;
+ ptr->buffer_length = 0;
++ ptr->kernel_data = NULL;
++ if (ret)
++ return -EFAULT;
+ param += sizeof(struct floppy_raw_cmd);
+ if (ptr->cmd_count > 33)
+ /* the command may now also take up the space
+@@ -3126,7 +3127,6 @@ loop:
+ for (i = 0; i < 16; i++)
+ ptr->reply[i] = 0;
+ ptr->resultcode = 0;
+- ptr->kernel_data = NULL;
+
+ if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
+ if (ptr->length <= 0)
diff --git a/queue-3.10/iser-target-add-missing-se_cmd-put-for-write_pending-in-tx_comp_err.patch b/queue-3.10/iser-target-add-missing-se_cmd-put-for-write_pending-in-tx_comp_err.patch
new file mode 100644
index 00000000000..f06bc5f6a59
--- /dev/null
+++ b/queue-3.10/iser-target-add-missing-se_cmd-put-for-write_pending-in-tx_comp_err.patch
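Review bot: The order of the moved lines is the whole fix, yet nothing in the code says so: `*rcmd = ptr` has already handed the allocation to the caller when `copy_from_user()` runs, so `next`, `buffer_length` and `kernel_data` have to be reset before the `-EFAULT` return, presumably because the caller's cleanup walks and frees through those fields. I would add a comment above the three assignments, for example `/* reset kernel-only fields before any return; *rcmd is already visible to the caller's free path */`. The allocation of `ptr` is outside the hunk; if it does not zero the memory, a failed copy may also leave the remaining members holding stale allocator contents, and it is worth confirming that none of them is read on the error path.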
@@ -0,0 +1,120 @@
+From 03e7848a64ed535a30f5d7fc6dede2d5a6a2534b Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Sun, 30 Mar 2014 15:50:03 -0700
+Subject: iser-target: Add missing se_cmd put for WRITE_PENDING in tx_comp_err
+
+From: Nicholas Bellinger
+
+commit 03e7848a64ed535a30f5d7fc6dede2d5a6a2534b upstream.
+
+This patch fixes a bug where outstanding RDMA_READs with WRITE_PENDING
+status require an extra target_put_sess_cmd() in isert_put_cmd() code
+when called from isert_cq_tx_comp_err() + isert_cq_drain_comp_llist()
+context during session shutdown.
+
+The extra kref PUT is required so that transport_generic_free_cmd()
+invokes the last target_put_sess_cmd() -> target_release_cmd_kref(),
+which will complete(&se_cmd->cmd_wait_comp) the outstanding se_cmd
+descriptor with WRITE_PENDING status, and awake the completion in
+target_wait_for_sess_cmds() to invoke TFO->release_cmd().
+
+The bug was manifesting itself in target_wait_for_sess_cmds() where
+a se_cmd descriptor with WRITE_PENDING status would end up sleeping
+indefinately.
+
+Acked-by: Sagi Grimberg
+Cc: Or Gerlitz
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -1201,7 +1201,7 @@ isert_unmap_cmd(struct isert_cmd *isert_
+ }
+
+ static void
+-isert_put_cmd(struct isert_cmd *isert_cmd)
++isert_put_cmd(struct isert_cmd *isert_cmd, bool comp_err)
+ {
+ struct iscsi_cmd *cmd = &isert_cmd->iscsi_cmd;
+ struct isert_conn *isert_conn = isert_cmd->conn;
+@@ -1216,8 +1216,21 @@ isert_put_cmd(struct isert_cmd *isert_cm
+ list_del_init(&cmd->i_conn_node);
+ spin_unlock_bh(&conn->cmd_lock);
+
+- if (cmd->data_direction == DMA_TO_DEVICE)
++ if (cmd->data_direction == DMA_TO_DEVICE) {
+ iscsit_stop_dataout_timer(cmd);
++ /*
++ * Check for special case during comp_err where
++ * WRITE_PENDING has been handed off from core,
++ * but requires an extra target_put_sess_cmd()
++ * before transport_generic_free_cmd() below.
++ */
++ if (comp_err &&
++ cmd->se_cmd.t_state == TRANSPORT_WRITE_PENDING) {
++ struct se_cmd *se_cmd = &cmd->se_cmd;
++
++ target_put_sess_cmd(se_cmd->se_sess, se_cmd);
++ }
++ }
+
+ isert_unmap_cmd(isert_cmd, isert_conn);
+ transport_generic_free_cmd(&cmd->se_cmd, 0);
+@@ -1271,7 +1284,7 @@ isert_unmap_tx_desc(struct iser_tx_desc
+
+ static void
+ isert_completion_put(struct iser_tx_desc *tx_desc, struct isert_cmd *isert_cmd,
+- struct ib_device *ib_dev)
++ struct ib_device *ib_dev, bool comp_err)
+ {
+ if (isert_cmd->sense_buf_dma != 0) {
+ pr_debug("Calling ib_dma_unmap_single for isert_cmd->sense_buf_dma\n");
+@@ -1281,7 +1294,7 @@ isert_completion_put(struct iser_tx_desc
+ }
+
+ isert_unmap_tx_desc(tx_desc, ib_dev);
+- isert_put_cmd(isert_cmd);
++ isert_put_cmd(isert_cmd, comp_err);
+ }
+
+ static void
+@@ -1336,14 +1349,14 @@ isert_do_control_comp(struct work_struct
+ iscsit_tmr_post_handler(cmd, cmd->conn);
+
+ cmd->i_state = ISTATE_SENT_STATUS;
+- isert_completion_put(&isert_cmd->tx_desc, isert_cmd, ib_dev);
++ isert_completion_put(&isert_cmd->tx_desc, isert_cmd, ib_dev, false);
+ break;
+ case ISTATE_SEND_REJECT:
+ pr_debug("Got isert_do_control_comp ISTATE_SEND_REJECT: >>>\n");
+ atomic_dec(&isert_conn->post_send_buf_count);
+
+ cmd->i_state = ISTATE_SENT_STATUS;
+- isert_completion_put(&isert_cmd->tx_desc, isert_cmd, ib_dev);
++ isert_completion_put(&isert_cmd->tx_desc, isert_cmd, ib_dev, false);
+ break;
+ case ISTATE_SEND_LOGOUTRSP:
+ pr_debug("Calling iscsit_logout_post_handler >>>>>>>>>>>>>>\n");
+@@ -1382,7 +1395,7 @@ isert_response_completion(struct iser_tx
+ atomic_sub(wr->send_wr_num + 1, &isert_conn->post_send_buf_count);
+
+ cmd->i_state = ISTATE_SENT_STATUS;
+- isert_completion_put(tx_desc, isert_cmd, ib_dev);
++ isert_completion_put(tx_desc, isert_cmd, ib_dev, false);
+ }
+
+ static void
+@@ -1436,7 +1449,7 @@ isert_cq_tx_comp_err(struct iser_tx_desc
+ if (!isert_cmd)
+ isert_unmap_tx_desc(tx_desc, ib_dev);
+ else
+- isert_completion_put(tx_desc, isert_cmd, ib_dev);
++ isert_completion_put(tx_desc, isert_cmd, ib_dev, true);
+ }
+
+ static void
diff --git a/queue-3.10/kvm-ioapic-fix-assignment-of-ioapic-rtc_status.pending_eoi-cve-2014-0155.patch b/queue-3.10/kvm-ioapic-fix-assignment-of-ioapic-rtc_status.pending_eoi-cve-2014-0155.patch
new file mode 100644
index 00000000000..280d40415ae
--- /dev/null
+++ b/queue-3.10/kvm-ioapic-fix-assignment-of-ioapic-rtc_status.pending_eoi-cve-2014-0155.patch
@@ -0,0 +1,38 @@
+From 5678de3f15010b9022ee45673f33bcfc71d47b60 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Fri, 28 Mar 2014 20:41:50 +0100
+Subject: KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155)
+
+From: Paolo Bonzini
+
+commit 5678de3f15010b9022ee45673f33bcfc71d47b60 upstream.
+
+QE reported that they got the BUG_ON in ioapic_service to trigger.
+I cannot reproduce it, but there are two reasons why this could happen.
+
+The less likely but also easiest one, is when kvm_irq_delivery_to_apic
+does not deliver to any APIC and returns -1.
+
+Because irqe.shorthand == 0, the kvm_for_each_vcpu loop in that
+function is never reached. However, you can target the similar loop in
+kvm_irq_delivery_to_apic_fast; just program a zero logical destination
+address into the IOAPIC, or an out-of-range physical destination address.
+
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/ioapic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/virt/kvm/ioapic.c
++++ b/virt/kvm/ioapic.c
+@@ -306,7 +306,7 @@ static int ioapic_deliver(struct kvm_ioa
+ BUG_ON(ioapic->rtc_status.pending_eoi != 0);
+ ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe,
+ ioapic->rtc_status.dest_map);
+- ioapic->rtc_status.pending_eoi = ret;
++ ioapic->rtc_status.pending_eoi = (ret < 0 ? 0 : ret);
+ } else
+ ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, NULL);
+
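Review bot: The extra `target_put_sess_cmd()` in `isert_put_cmd()` is gated on `cmd->se_cmd.t_state == TRANSPORT_WRITE_PENDING`, and that field is read after `conn->cmd_lock` has been dropped, with no other lock visible in the hunk. If the state can still change at that point, the put is either skipped, so the wait the description mentions never completes, or issued against a reference that is no longer held, which underflows the refcount. The block comment should state why the state is stable during completion-error teardown; that needs someone who knows the shutdown ordering. Separately, the bare `true`/`false` at the four `isert_completion_put()` call sites says nothing at the point of use, so `comp_err` deserves a line in a comment on both functions, which extend beyond the hunks shown.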
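Review bot: The context line `BUG_ON(ioapic->rtc_status.pending_eoi != 0);` directly above the changed assignment still depends on state the guest can influence through how it programs the IOAPIC, and a `BUG_ON` there takes down the host rather than the one VM. The description says there are two ways this can trigger, and this change clamps only the negative return from `kvm_irq_delivery_to_apic()`. Until the second cause is handled, a recoverable form such as `if (WARN_ON_ONCE(ioapic->rtc_status.pending_eoi != 0)) ioapic->rtc_status.pending_eoi = 0;` would confine the damage to the guest. Whether resetting to zero is the right recovery has to be checked against the EOI accounting, which is outside the hunk.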
diff --git a/queue-3.10/mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch b/queue-3.10/mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
new file mode 100644
index 00000000000..f5e42802380
--- /dev/null
+++ b/queue-3.10/mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
@@ -0,0 +1,45 @@
+From c14af233fbe279d0e561ecf84f1208b1bae087ef Mon Sep 17 00:00:00 2001
+From: Huacai Chen
+Date: Sat, 22 Mar 2014 17:21:44 +0800
+Subject: MIPS: Hibernate: Flush TLB entries in swsusp_arch_resume()
+
+From: Huacai Chen
+
+commit c14af233fbe279d0e561ecf84f1208b1bae087ef upstream.
+
+The original MIPS hibernate code flushes cache and TLB entries in
+swsusp_arch_resume(). But they are removed in Commit 44eeab67416711
+(MIPS: Hibernation: Remove SMP TLB and cacheflushing code.). A cross-
+CPU flush is surely unnecessary because all but the local CPU have
+already been disabled. But a local flush (at least the TLB flush) is
+needed. When we do hibernation on Loongson-3 with an E1000E NIC, it is
+very easy to produce a kernel panic (kernel page fault, or unaligned
+access). The root cause is E1000E driver use vzalloc_node() to allocate
+pages, the stale TLB entries of the booting kernel will be misused by
+the resumed target kernel.
+
+Signed-off-by: Huacai Chen
+Cc: John Crispin
+Cc: Steven J. Hill
+Cc: Aurelien Jarno
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang
+Cc: Zhangjin Wu
+Patchwork: https://patchwork.linux-mips.org/patch/6643/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/power/hibernate.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/power/hibernate.S
++++ b/arch/mips/power/hibernate.S
+@@ -43,6 +43,7 @@ LEAF(swsusp_arch_resume)
+ bne t1, t3, 1b
+ PTR_L t0, PBE_NEXT(t0)
+ bnez t0, 0b
++ jal local_flush_tlb_all /* Avoid TLB mismatch after kernel resume */
+ PTR_LA t0, saved_regs
+ PTR_L ra, PT_R31(t0)
+ PTR_L sp, PT_R29(t0)
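Review bot: The flush is inserted after the page-restore loop has finished (`bnez t0, 0b`), so the copy loop itself still runs on whatever TLB entries the boot kernel left behind. The description attributes the panics to stale boot-kernel entries being used by the resumed kernel; if the loop can touch mapped addresses, the same stale entries are live during the copy and the `jal local_flush_tlb_all` would belong before the loop. It is worth confirming that every address the loop dereferences is unmapped. The inline comment could also say that the call clobbers `ra` and temporaries, which is harmless only because they are reloaded from `saved_regs` immediately afterwards.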
diff --git a/queue-3.10/mips-kvm-pass-reserved-instruction-exceptions-to-guest.patch b/queue-3.10/mips-kvm-pass-reserved-instruction-exceptions-to-guest.patch
new file mode 100644
index 00000000000..f4b2c7602bc
--- /dev/null
+++ b/queue-3.10/mips-kvm-pass-reserved-instruction-exceptions-to-guest.patch
@@ -0,0 +1,72 @@
+From 15505679362270d02c449626385cb74af8905514 Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Fri, 14 Mar 2014 13:06:07 +0000
+Subject: MIPS: KVM: Pass reserved instruction exceptions to guest
+
+From: James Hogan
+
+commit 15505679362270d02c449626385cb74af8905514 upstream.
+
+Previously a reserved instruction exception while in guest code would
+cause a KVM internal error if kvm_mips_handle_ri() didn't recognise the
+instruction (including a RDHWR from an unrecognised hardware register).
+
+However the guest OS should really have the opportunity to catch the
+exception so that it can take the appropriate actions such as sending a
+SIGILL to the guest user process or emulating the instruction itself.
+
+Therefore in these cases emulate a guest RI exception and only return
+EMULATE_FAIL if that fails, being careful to revert the PC first in case
+the exception occurred in a branch delay slot in which case the PC will
+already point to the branch target.
+
+Also turn the printk messages relating to these cases into kvm_debug
+messages so that they aren't usually visible.
+
+This allows crashme to run in the guest without killing the entire VM.
+
+Signed-off-by: James Hogan
+Cc: Ralf Baechle
+Cc: Gleb Natapov
+Cc: Paolo Bonzini
+Cc: Sanjay Lal
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kvm/kvm_mips_emul.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/kvm/kvm_mips_emul.c
++++ b/arch/mips/kvm/kvm_mips_emul.c
+@@ -1571,17 +1571,17 @@ kvm_mips_handle_ri(unsigned long cause,
+ arch->gprs[rt] = kvm_read_c0_guest_userlocal(cop0);
+ #else
+ /* UserLocal not implemented */
+- er = kvm_mips_emulate_ri_exc(cause, opc, run, vcpu);
++ er = EMULATE_FAIL;
+ #endif
+ break;
+
+ default:
+- printk("RDHWR not supported\n");
++ kvm_debug("RDHWR %#x not supported @ %p\n", rd, opc);
+ er = EMULATE_FAIL;
+ break;
+ }
+ } else {
+- printk("Emulate RI not supported @ %p: %#x\n", opc, inst);
++ kvm_debug("Emulate RI not supported @ %p: %#x\n", opc, inst);
+ er = EMULATE_FAIL;
+ }
+
+@@ -1590,6 +1590,7 @@ kvm_mips_handle_ri(unsigned long cause,
+ */
+ if (er == EMULATE_FAIL) {
+ vcpu->arch.pc = curr_pc;
++ er = kvm_mips_emulate_ri_exc(cause, opc, run, vcpu);
+ }
+ return er;
+ }
diff --git a/queue-3.10/mpt2sas-don-t-disable-device-twice-at-suspend.patch b/queue-3.10/mpt2sas-don-t-disable-device-twice-at-suspend.patch
new file mode 100644
index 00000000000..a3c1a416a6e
--- /dev/null
+++ b/queue-3.10/mpt2sas-don-t-disable-device-twice-at-suspend.patch
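Review bot: In the last inner hunk the `if (er == EMULATE_FAIL)` branch now does two things, restoring `vcpu->arch.pc` and then injecting the guest exception, but the comment that closes just above it (it starts outside the hunk) presumably still describes only the rollback. The order matters: per the description the PC has to be reverted before `kvm_mips_emulate_ri_exc()` runs, so that a fault in a branch delay slot is reported at the right address. I would extend that comment with something like `* Roll back the PC first, then deliver RI to the guest; only a failed delivery is returned as EMULATE_FAIL.` The two `kvm_debug()` messages can be triggered at will by the guest, which is acceptable only while debug output stays off by default.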
@@ -0,0 +1,37 @@
+From af61e27c3f77c7623b5335590ae24b6a5c323e22 Mon Sep 17 00:00:00 2001
+From: Tyler Stachecki
+Date: Fri, 25 Apr 2014 16:41:04 -0400
+Subject: [SCSI] mpt2sas: Don't disable device twice at suspend.
+
+From: Tyler Stachecki
+
+commit af61e27c3f77c7623b5335590ae24b6a5c323e22 upstream.
+
+On suspend, _scsih_suspend calls mpt2sas_base_free_resources, which
+in turn calls pci_disable_device if the device is enabled prior to
+suspending. However, _scsih_suspend also calls pci_disable_device
+itself.
+
+Thus, in the event that the device is enabled prior to suspending,
+pci_disable_device will be called twice. This patch removes the
+duplicate call to pci_disable_device in _scsi_suspend as it is both
+unnecessary and results in a kernel oops.
+
+Signed-off-by: Tyler Stachecki
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/mpt2sas/mpt2sas_scsih.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
++++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
+@@ -8174,7 +8174,6 @@ _scsih_suspend(struct pci_dev *pdev, pm_
+
+ mpt2sas_base_free_resources(ioc);
+ pci_save_state(pdev);
+- pci_disable_device(pdev);
+ pci_set_power_state(pdev, device_state);
+ return 0;
+ }
diff --git a/queue-3.10/powerpc-compat-32-bit-little-endian-machine-name-is-ppcle-not-ppc.patch b/queue-3.10/powerpc-compat-32-bit-little-endian-machine-name-is-ppcle-not-ppc.patch
new file mode 100644
index 00000000000..82886438f3f
--- /dev/null
+++ b/queue-3.10/powerpc-compat-32-bit-little-endian-machine-name-is-ppcle-not-ppc.patch
@@ -0,0 +1,34 @@
+From 422b9b9684db3c511e65c91842275c43f5910ae9 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard
+Date: Thu, 6 Mar 2014 16:10:11 +1100
+Subject: powerpc/compat: 32-bit little endian machine name is ppcle, not ppc
+
+From: Anton Blanchard
+
+commit 422b9b9684db3c511e65c91842275c43f5910ae9 upstream.
+
+I noticed this when testing setarch. No, we don't magically
+support a big endian userspace on a little endian kernel.
+
+Signed-off-by: Anton Blanchard
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/include/asm/compat.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/powerpc/include/asm/compat.h
++++ b/arch/powerpc/include/asm/compat.h
+@@ -8,7 +8,11 @@
+ #include
+
+ #define COMPAT_USER_HZ 100
++#ifdef __BIG_ENDIAN__
+ #define COMPAT_UTS_MACHINE "ppc\0\0"
++#else
++#define COMPAT_UTS_MACHINE "ppcle\0\0"
++#endif
+
+ typedef u32 compat_size_t;
+ typedef s32 compat_ssize_t;
diff --git a/queue-3.10/series b/queue-3.10/series
index 3c2d4bf580a..7fbb712d236 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
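Review bot: The trailing `\0\0` in both `COMPAT_UTS_MACHINE` literals looks load-bearing but is undocumented. Presumably the padding makes `sizeof` long enough to overwrite the whole native machine name when the compat string is copied over it, and the new little-endian literal needs the same property. A short comment above the `#ifdef`, such as `/* NUL-padded so the copy fully overwrites the longer native name */`, would stop a later edit from trimming the literal. The lengths should be confirmed against the native names, which are outside the hunk.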
@@ -1,3 +1,14 @@
 drivers-tty-hvc-don-t-free-hvc_console_setup-after-init.patch
 tty-serial-8250_core.c-bug-fix-for-exar-chips.patch
 n_tty-fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
+floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
+floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
+iser-target-add-missing-se_cmd-put-for-write_pending-in-tx_comp_err.patch
+arm-7840-1-lpae-don-t-reject-mapping-dev-mem-above-4gb.patch
+kvm-ioapic-fix-assignment-of-ioapic-rtc_status.pending_eoi-cve-2014-0155.patch
+mips-kvm-pass-reserved-instruction-exceptions-to-guest.patch
+mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
+virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch
+virtio-scsi-skip-setting-affinity-on-uninitialized-vq.patch
+mpt2sas-don-t-disable-device-twice-at-suspend.patch
+powerpc-compat-32-bit-little-endian-machine-name-is-ppcle-not-ppc.patch
diff --git a/queue-3.10/virtio-scsi-skip-setting-affinity-on-uninitialized-vq.patch b/queue-3.10/virtio-scsi-skip-setting-affinity-on-uninitialized-vq.patch
new file mode 100644
index 00000000000..ee7dd1e6f9c
--- /dev/null
+++ b/queue-3.10/virtio-scsi-skip-setting-affinity-on-uninitialized-vq.patch
@@ -0,0 +1,103 @@
+From 0c8482ac92db5ac15792caf23b7f7df9e4f48ae1 Mon Sep 17 00:00:00 2001
+From: Fam Zheng
+Date: Mon, 14 Apr 2014 10:16:09 +0800
+Subject: [SCSI] virtio-scsi: Skip setting affinity on uninitialized vq
+
+From: Fam Zheng
+
+commit 0c8482ac92db5ac15792caf23b7f7df9e4f48ae1 upstream.
+
+virtscsi_init calls virtscsi_remove_vqs on err, even before initializing
+the vqs. The latter calls virtscsi_set_affinity, so let's check the
+pointer there before setting affinity on it.
+
+This fixes a panic when setting device's num_queues=2 on RHEL 6.5:
+
+qemu-system-x86_64 ... \
+-device virtio-scsi-pci,id=scsi0,addr=0x13,...,num_queues=2 \
+-drive file=/stor/vm/dummy.raw,id=drive-scsi-disk,... \
+-device scsi-hd,drive=drive-scsi-disk,...
+
+[ 0.354734] scsi0 : Virtio SCSI HBA
+[ 0.379504] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
+[ 0.380141] IP: [] __virtscsi_set_affinity+0x4f/0x120
+[ 0.380141] PGD 0
+[ 0.380141] Oops: 0000 [#1] SMP
+[ 0.380141] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.14.0+ #5
+[ 0.380141] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2007
+[ 0.380141] task: ffff88003c9f0000 ti: ffff88003c9f8000 task.ti: ffff88003c9f8000
+[ 0.380141] RIP: 0010:[] [] __virtscsi_set_affinity+0x4f/0x120
+[ 0.380141] RSP: 0000:ffff88003c9f9c08 EFLAGS: 00010256
+[ 0.380141] RAX: 0000000000000000 RBX: ffff88003c3a9d40 RCX: 0000000000001070
+[ 0.380141] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000
+[ 0.380141] RBP: ffff88003c9f9c28 R08: 00000000000136c0 R09: ffff88003c801c00
+[ 0.380141] R10: ffffffff81475229 R11: 0000000000000008 R12: 0000000000000000
+[ 0.380141] R13: ffffffff81cc7ca8 R14: ffff88003cac3d40 R15: ffff88003cac37a0
+[ 0.380141] FS: 0000000000000000(0000) GS:ffff88003e400000(0000) knlGS:0000000000000000
+[ 0.380141] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 0.380141] CR2: 0000000000000020 CR3: 0000000001c0e000 CR4: 00000000000006f0
+[ 0.380141] Stack:
+[ 0.380141] ffff88003c3a9d40 0000000000000000 ffff88003cac3d80 ffff88003cac3d40
+[ 0.380141] ffff88003c9f9c48 ffffffff814742e8 ffff88003c26d000 ffff88003c26d000
+[ 0.380141] ffff88003c9f9c68 ffffffff81474321 ffff88003c26d000 ffff88003c3a9d40
+[ 0.380141] Call Trace:
+[ 0.380141] [] virtscsi_set_affinity+0x28/0x40
+[ 0.380141] [] virtscsi_remove_vqs+0x21/0x50
+[ 0.380141] [] virtscsi_init+0x91/0x240
+[ 0.380141] [] ? vp_get+0x50/0x70
+[ 0.380141] [] virtscsi_probe+0xf4/0x280
+[ 0.380141] [] virtio_dev_probe+0xe5/0x140
+[ 0.380141] [] driver_probe_device+0x89/0x230
+[ 0.380141] [] __driver_attach+0x9b/0xa0
+[ 0.380141] [] ? driver_probe_device+0x230/0x230
+[ 0.380141] [] ? driver_probe_device+0x230/0x230
+[ 0.380141] [] bus_for_each_dev+0x8c/0xb0
+[ 0.380141] [] driver_attach+0x19/0x20
+[ 0.380141] [] bus_add_driver+0x198/0x220
+[ 0.380141] [] driver_register+0x5f/0xf0
+[ 0.380141] [] ? spi_transport_init+0x79/0x79
+[ 0.380141] [] register_virtio_driver+0x1b/0x30
+[ 0.380141] [] init+0x88/0xd6
+[ 0.380141] [] ? scsi_init_procfs+0x5b/0x5b
+[ 0.380141] [] do_one_initcall+0x7f/0x10a
+[ 0.380141] [] kernel_init_freeable+0x14a/0x1de
+[ 0.380141] [] ? kernel_init_freeable+0x1de/0x1de
+[ 0.380141] [] ? rest_init+0x80/0x80
+[ 0.380141] [] kernel_init+0x9/0xf0
+[ 0.380141] [] ret_from_fork+0x7c/0xb0
+[ 0.380141] [] ? rest_init+0x80/0x80
+[ 0.380141] RIP [] __virtscsi_set_affinity+0x4f/0x120
+[ 0.380141] RSP
+[ 0.380141] CR2: 0000000000000020
+[ 0.380141] ---[ end trace 8074b70c3d5e1d73 ]---
+[ 0.475018] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
+[ 0.475018]
+[ 0.475068] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff)
+[ 0.475068] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
+
+[jejb: checkpatch fixes]
+Signed-off-by: Fam Zheng
+Acked-by: Paolo Bonzini
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/virtio_scsi.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/virtio_scsi.c
++++ b/drivers/scsi/virtio_scsi.c
+@@ -751,8 +751,12 @@ static void __virtscsi_set_affinity(stru
+
+ vscsi->affinity_hint_set = true;
+ } else {
+- for (i = 0; i < vscsi->num_queues; i++)
++ for (i = 0; i < vscsi->num_queues; i++) {
++ if (!vscsi->req_vqs[i].vq)
++ continue;
++
+ virtqueue_set_affinity(vscsi->req_vqs[i].vq, -1);
++ }
+
+ vscsi->affinity_hint_set = false;
+ }
diff --git a/queue-3.10/virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch b/queue-3.10/virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch
new file mode 100644
index 00000000000..18731167177
--- /dev/null
+++ b/queue-3.10/virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch
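Review bot: The NULL guard is added only to the loop in the `else` branch of `__virtscsi_set_affinity()`; the branch that ends at `vscsi->affinity_hint_set = true;` begins outside the hunk, and if it also walks `vscsi->req_vqs[i].vq` it has the same exposure whenever it can run before the queues exist. The trace in the description shows the failing call arriving from `virtscsi_remove_vqs()` on the `virtscsi_init()` error path, which presumably always takes the clearing branch, but that is an assumption about the callers. A comment on the new check, for example `/* vqs may not be set up yet when called from the init error path */`, would record why a NULL `vq` is legal here.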
@@ -0,0 +1,41 @@
+From 1f74ef0f2d7d692fcd615621e0e734c3e7771413 Mon Sep 17 00:00:00 2001
+From: Rusty Russell
+Date: Thu, 13 Mar 2014 11:23:38 +1030
+Subject: virtio_balloon: don't softlockup on huge balloon changes.
+
+From: Rusty Russell
+
+commit 1f74ef0f2d7d692fcd615621e0e734c3e7771413 upstream.
+
+When adding or removing 100G from a balloon:
+
+ BUG: soft lockup - CPU#0 stuck for 22s! [vballoon:367]
+
+We have a wait_event_interruptible(), but the condition is always true
+(more ballooning to do) so we don't ever sleep. We also have a
+wait_event() for the host to ack, but that is also always true as QEMU
+is synchronous for balloon operations.
+
+Reported-by: Gopesh Kumar Chaudhary
+Signed-off-by: Rusty Russell
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/virtio/virtio_balloon.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -311,6 +311,12 @@ static int balloon(void *_vballoon)
+ else if (diff < 0)
+ leak_balloon(vb, -diff);
+ update_balloon_size(vb);
++
++ /*
++ * For large balloon changes, we could spend a lot of time
++ * and always have work to do. Be nice if preempt disabled.
++ */
++ cond_resched();
+ }
+ return 0;
+ }
--
2.47.3
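Review bot: The wording `Be nice if preempt disabled` in the new comment is misleading: `cond_resched()` is what lets other tasks run on a kernel built without preemption, whereas calling it inside a section where preemption has been disabled would itself be a bug. I would reword the last comment line to `* and always have work to do. Yield explicitly on non-preemptible kernels.` The head of the loop and its wait conditions are outside the hunk.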