Jiri Slaby reported the following:

	(It's an effective revert of "mm: vmscan: scale number of pages
	reclaimed by reclaim/compaction based on failures".) Given kswapd
	had hours of runtime in ps/top output yesterday in the morning
	and after the revert it's now 2 minutes in sum for the last 24h,
	I would say, it's gone.

The intention of the patch in question was to compensate for the loss of
lumpy reclaim.  Part of the reason lumpy reclaim worked is because it
aggressively reclaimed pages and this patch was meant to be a sane
compromise.

When compaction fails, it gets deferred and both compaction and
reclaim/compaction is deferred avoid excessive reclaim.  However, since
commit c6543459 ("mm: remove __GFP_NO_KSWAPD"), kswapd is woken up
each time and continues reclaiming which was not taken into account when
the patch was developed.

Attempts to address the problem ended up just changing the shape of the
problem instead of fixing it.  The release window gets closer and while
a THP allocation failing is not a major problem, kswapd chewing up a lot
of CPU is.

This patch reverts commit 83fde0f2 ("mm: vmscan: scale number of
pages reclaimed by reclaim/compaction based on failures") and will be
revisited in the future.
Signed-off-by: Mel Gorman <mgorman@suse.de>
Cc: Zdenek Kabelac <zkabelac@redhat.com>
Tested-by: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
Cc: Jiri Slaby <jirislaby@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Johannes Hirte <johannes.hirte@fem.tu-ilmenau.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Fix rapidio kernel-doc warnings:

  Warning(drivers/rapidio/rio.c:415): No description found for parameter 'local'
  Warning(drivers/rapidio/rio.c:415): Excess function parameter 'lstart' description in 'rio_map_inb_region'
  Warning(include/linux/rio.h:290): No description found for parameter 'switches'
  Warning(include/linux/rio.h:290): No description found for parameter 'destid_table'
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Matt Porter <mporter@kernel.crashing.org>
Acked-by: Alexandre Bounine <alexandre.bounine@idt.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

There's a name leak introduced by commit 91a27b2a ("vfs: define
struct filename and have getname() return it").  Add the missing
putname.

[akpm@linux-foundation.org: cleanup]
Signed-off-by: Xiaotian Feng <dannyfeng@tencent.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

When MEMCG is configured on (even when it's disabled by boot option),
when adding or removing a page to/from its lru list, the zone pointer
used for stats updates is nowadays taken from the struct lruvec.  (On
many configurations, calculating zone from page is slower.)

But we have no code to update all the lruvecs (per zone, per memcg) when
a memory node is hotadded.  Here's an extract from the oops which
results when running numactl to bind a program to a newly onlined node:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000f60
  IP:  __mod_zone_page_state+0x9/0x60
  Pid: 1219, comm: numactl Not tainted 3.6.0-rc5+ #180 Bochs Bochs
  Process numactl (pid: 1219, threadinfo ffff880039abc000, task ffff8800383c4ce0)
  Call Trace:
    __pagevec_lru_add_fn+0xdf/0x140
    pagevec_lru_move_fn+0xb1/0x100
    __pagevec_lru_add+0x1c/0x30
    lru_add_drain_cpu+0xa3/0x130
    lru_add_drain+0x2f/0x40
   ...

The natural solution might be to use a memcg callback whenever memory is
hotadded; but that solution has not been scoped out, and it happens that
we do have an easy location at which to update lruvec->zone.  The lruvec
pointer is discovered either by mem_cgroup_zone_lruvec() or by
mem_cgroup_page_lruvec(), and both of those do know the right zone.

So check and set lruvec->zone in those; and remove the inadequate
attempt to set lruvec->zone from lruvec_init(), which is called before
NODE_DATA(node) has been allocated in such cases.

Ah, there was one exceptionr.  For no particularly good reason,
mem_cgroup_force_empty_list() has its own code for deciding lruvec.
Change it to use the standard mem_cgroup_zone_lruvec() and
mem_cgroup_get_lru_size() too.  In fact it was already safe against such
an oops (the lru lists in danger could only be empty), but we're better
proofed against future changes this way.

I've marked this for stable (3.6) since we introduced the problem in 3.5
(now closed to stable); but I have no idea if this is the only fix
needed to get memory hotadd working with memcg in 3.6, and received no
answer when I enquired twice before.
Reported-by: Tang Chen <tangchen@cn.fujitsu.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Wen Congyang <wency@cn.fujitsu.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Using a cross-compiler to fix another issue, the following build error
occurred for mips defconfig:

  arch/mips/fw/arc/misc.c: In function 'ArcHalt':
  arch/mips/fw/arc/misc.c:25:2: error: implicit declaration of function 'local_irq_disable'

Fix it up by including irqflags.h.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

oom_badness() takes a totalpages argument which says how many pages are
available and it uses it as a base for the score calculation.  The value
is calculated by mem_cgroup_get_limit which considers both limit and
total_swap_pages (resp.  memsw portion of it).

This is usually correct but since fe35004f ("mm: avoid swapping out
with swappiness==0") we do not swap when swappiness is 0 which means
that we cannot really use up all the totalpages pages.  This in turn
confuses oom score calculation if the memcg limit is much smaller than
the available swap because the used memory (capped by the limit) is
negligible comparing to totalpages so the resulting score is too small
if adj!=0 (typically task with CAP_SYS_ADMIN or non zero oom_score_adj).
A wrong process might be selected as result.

The problem can be worked around by checking mem_cgroup_swappiness==0
and not considering swap at all in such a case.
Signed-off-by: Michal Hocko <mhocko@suse.cz>
Acked-by: David Rientjes <rientjes@google.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

do_wp_page() sets mmun_called if mmun_start and mmun_end were
initialized and, if so, may call mmu_notifier_invalidate_range_end()
with these values.  This doesn't prevent gcc from emitting a build
warning though:

  mm/memory.c: In function `do_wp_page':
  mm/memory.c:2530: warning: `mmun_start' may be used uninitialized in this function
  mm/memory.c:2531: warning: `mmun_end' may be used uninitialized in this function

It's much easier to initialize the variables to impossible values and do
a simple comparison to determine if they were initialized to remove the
bool entirely.
Signed-off-by: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Iterating over the vma->anon_vma_chain without anon_vma_lock may cause
NULL ptr deref in anon_vma_interval_tree_verify(), because the node in the
chain might have been removed.

  BUG: unable to handle kernel paging request at fffffffffffffff0
  IP: [<ffffffff8122c29c>] anon_vma_interval_tree_verify+0xc/0xa0
  PGD 4e28067 PUD 4e29067 PMD 0
  Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
  CPU 0
  Pid: 9050, comm: trinity-child64 Tainted: G        W    3.7.0-rc2-next-20121025-sasha-00001-g673f98e-dirty #77
  RIP: 0010: anon_vma_interval_tree_verify+0xc/0xa0
  Process trinity-child64 (pid: 9050, threadinfo ffff880045f80000, task ffff880048eb0000)
  Call Trace:
    validate_mm+0x58/0x1e0
    vma_adjust+0x635/0x6b0
    __split_vma.isra.22+0x161/0x220
    split_vma+0x24/0x30
    sys_madvise+0x5da/0x7b0
    tracesys+0xe1/0xe6
  RIP  anon_vma_interval_tree_verify+0xc/0xa0
  CR2: fffffffffffffff0

Figured out by Bob Liu.
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Bob Liu <lliubbo@gmail.com>
Signed-off-by: Michel Lespinasse <walken@google.com>
Reviewed-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Pull unicore32 update from Guan Xuetao.

* tag 'for-linus' of git://github.com/gxt/linux:
  arch/unicore32: remove CONFIG_EXPERIMENTAL
  unicore32: switch to generic sys_execve()
  unicore32: switch to generic kernel_thread()/kernel_execve()
  unicore32: Use Kbuild infrastructure for kvm_para.h
  UAPI: (Scripted) Disintegrate arch/unicore32/include/asm
  UniCore32-bugfix: Remove definitions in asm/bug.h to solve difference between native and cross compiler
  UniCore32-bugfix: fix mismatch return value of __xchg_bad_pointer
  UniCore32 bugfix: add missed CONFIG_ZONE_DMA
  unicore32/mm/fault.c: Port OOM changes to do_pf

Pull UBIFS fixes from Artem Bityutskiy:
 "Two patches which fix a problem reported by several people in the
  past, but only fixed now because no one gave enough material for
  debugging.

  Anyway, these fix the problem that sometimes after a power cut the
  file-system is not mountable with the following symptom:

	grab_empty_leb: could not find an empty LEB

  The fixes make the file-system mountable again."

* tag 'upstream-3.7-rc6' of git://git.infradead.org/linux-ubifs:
  UBIFS: fix mounting problems after power cuts
  UBIFS: introduce categorized lprops counter

Pull pstore fix from Anton Vorontsov:
 "A small fixup for the persistent storage subsystem.  The bug can
  prevent kernel booting on a APEI-enabled machines w/ PSTORE_CONSOLE=y
  (this is N by default, though)."

* tag 'for-v3.7-fixes' of git://git.infradead.org/users/cbou/linux-pstore:
  pstore: Fix NULL pointer dereference in console writes

Pill i2c fixes from Jean Delvare.

Well, "fixes"..  The biggest patch here is actually Jan marking Wolfram
Sang as the main i2c subsystem maintainer, with Jan staying on as the PC
controller maintainer.

* 'i2c-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging:
  i2c-mux-pinctrl: Fix probe error path
  MAINTAINERS: i2c: 7 years, this is it

Pull regulator fixes from Mark Brown:
 "A few fixes for teardown issues that will be rarely seen, plus a fix
  for a silly bug in regulator_is_supported_voltage() which shows how
  often the answer to the question should be false.

  The supported voltage commit is very new as I just edited to add a Cc
  to stable, the code itself has been in -next."

* tag 'regulator-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
  regulator: fix voltage check in regulator_is_supported_voltage()
  regulator: core: Avoid deadlock when regulator_register fails
  Regulator: core: Unregister when gpio request fails.

Pull sound fixes from Takashi Iwai:
 "The only large LOC is seen in WM5102 driver, just writing a bunch of
  register updates, but the actual code change is small.  Other than
  that, all small fixes suitable for rc6."

* tag 'sound-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: usb-audio: Fix mutex deadlock at disconnection
  ALSA: fm801: precedence bug in snd_fm801_tea575x_get_pins()
  ALSA: es1968: precedence bug in snd_es1968_tea575x_get_pins()
  ALSA: hda - Add a missing quirk entry for iMac 9,1
  ASoC: core: Double control update err for snd_soc_put_volsw_sx
  ASoC: dapm: Use card_list during DAPM shutdown
  ASoC: cs42l52: fix the return value of cs42l52_set_fmt()
  ASoC: bells: Correct type in sub speaker DAI name for WM5102
  ASoC: wm8978: pll incorrectly configured when codec is master
  ASoC: mxs-saif: Fix channel swap for 24-bit format
  ASoC: bells: Select WM1250-EV1 Springbank audio I/O module
  ASoC: bells: Add missing select of WM0010
  ASoC: mxs-saif: Add MODULE_ALIAS
  ASoC: wm5102: Write register value corrections after SYSCLK is enabled

Passing a NULL id causes a NULL pointer deference in writers such as
erst_writer and efi_pstore_write because they expect to update this id.
Pass a dummy id instead.

This avoids a cascade of oopses caused when the initial
pstore_console_write passes a null which in turn causes writes to the
console causing further oopses in subsequent pstore_console_write calls.
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Anton Vorontsov <anton.vorontsov@linaro.org>

Merge remote-tracking branches 'regulator/fix/gpio', 'regulator/fix/put' and 'regulator/fix/supp-volt' into tmp

regulator_is_supported_voltage() should return true only if the voltage
of fixed/constant regulator is between min_uV and max_uV.
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Cc: stable@vger.kernel.org

Pull power tools fixes from Len Brown:
 "A pair of power tools patches -- a 3.7 regression fix plus a bug fix."

* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux:
  tools/power turbostat: graceful fail on garbage input
  tools/power turbostat: Repair Segmentation fault when using -i option

Pull MIPS update from Ralf Baechle:
 "To avoid unnecessary risk and work the preemption fixes are combined
  with some preparatory work that isn't strictly required.  So it's
  really just 3 fixes:

   - Get is_compat_task() to do the right thing while simplifying it.
     The unnecessary complexity hid a rarely striking bug which could be
     triggered by ext3/ext4 under certain circumstances.
   - Resolve a preemption issue in the irqflags.h functions for kernels
     built to support pre-MIPS32 / pre-MIPS64 Release 2 processors.
   - Fix the interrupt number of the MIPS Malta's CBUS UART."

* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
  MIPS: Malta: Fix interupt number of CBUS UART.
  MIPS: Make irqflags.h functions preempt-safe for non-mipsr2 cpus
  MIPS: Remove irqflags.h dependency from bitops.h
  MIPS: bitops.h: Change use of 'unsigned short' to 'int'
  MIPS: compat: Delete now unused TIF_32BIT.
  MIPS: compat: Implement is_compat_task() by testing for 32-bit address space.
  MIPS: compat: Fix use of TIF_32BIT_ADDR vs _TIF_32BIT_ADDR

Pull cgroup fixes from Tejun Heo:
 "This contains two fix patches for device_cgroup.  One fixes a
  regression introduced earlier in 3.7 cycle where device_cgroup could
  try to dereference the NULL parent of the root cgroup.  The other one
  is RCU usage fix."

* 'for-3.7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
  device_cgroup: fix RCU usage
  device_cgroup: fix unchecked cgroup parent usage

The recent change for USB-audio disconnection race fixes introduced a
mutex deadlock again.  There is a circular dependency between
chip->shutdown_rwsem and pcm->open_mutex, depicted like below, when a
device is opened during the disconnection operation:

A. snd_usb_audio_disconnect() ->
     card.c::register_mutex ->
       chip->shutdown_rwsem (write) ->
         snd_card_disconnect() ->
           pcm.c::register_mutex ->
             pcm->open_mutex

B. snd_pcm_open() ->
     pcm->open_mutex ->
       snd_usb_pcm_open() ->
         chip->shutdown_rwsem (read)

Since the chip->shutdown_rwsem protection in the case A is required
only for turning on the chip->shutdown flag and it doesn't have to be
taken for the whole operation, we can reduce its window in
snd_usb_audio_disconnect().
Reported-by: Jiri Slaby <jslaby@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

When regulator_register fails and exits through the scrub path the
regulator_put function was called whilst holding the
regulator_list_mutex, causing deadlock.

This patch adds a private version of the regulator_put function which
can be safely called whilst holding the mutex, replacing the
aforementioned call.
Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>

There is a precedence bug because | has higher precedence than ?:.  This
code was cut and pasted and I fixed a similar bug a few days ago.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

When allocating the memory for i2c busses, the code checked the wrong
variable and thus never detected if there was a memory error.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Cc: stable@vger.kernel.org
Signed-off-by: Jean Delvare <khali@linux-fr.org>

I have been maintaining the i2c subsystem for 7 years now, it's about
time to let someone else take over. Just before I leave, I would like
to thank several individuals who made this possible at all:

* Greg Kroah-Hartman, for his faith in my potential subsystem
  maintainer skills. Greg, I hope I met your expectations.
* Late David Brownell, for helping me convert the i2c subsystem to the
  standard device driver model. Rest in peace David, we're missing you.
* Ben Dooks, for stepping in when I asked for someone to take care of
  the huge flow of new i2c adapter drivers for embedded systems.
* Wolfram Sang, for joining the crew when it became clear that there
  was more review work than Ben and myself could deal with.

I hope I did not forget anyone, please forgive me if I did.

Another big thank is due to Wolfram again, who quickly proposed to
take over as the main i2c subsystem maintainer. This will allow for a
smooth and fast transition.

Note that I will keep maintaining all I2C/SMBus controller drivers for
PC systems as well as a few others. I am hereby updating MAINTAINERS
accordingly. I'll also keep maintaining user-space i2c-tools.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Ben Dooks <ben-linux@fluff.org>
Acked-by: Wolfram Sang <w.sang@pengutronix.de>

The CBUS UART's interrupt number was wrong conflicting with the interrupt
being tied to the Intel PIIX4.  Since the PIIX4's interrupt is registered
before the CBUS UART which is not being used on most systems this would
not be noticed.

Attempts to open the ttyS2 CBUS UART would result in:

genirq: Flags mismatch irq 18. 00000000 (serial) vs. 00010000 (XT-PIC cascade)
serial_link_irq_chain: request failed: -16 for irq: 18

Qemu was written to match the kernel so will need to be fixed also.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

I don't think this works as intended.  '|' higher precedence than ?: so
the bitwize OR "0 | (val & STR_MOST)" is a no-op.

I have re-written it to be more clear.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

ASoC: Fixes for v3.7

A few small fixes plus a large but simple change for WM5102 which writes
out a bunch of register updates to the device when we enable the clock
as recommended following chip evaluation.

Merge branches 'fix/arizona', 'fix/core', 'fix/cs42l52', 'fix/mxs', 'fix/samsung' and 'fix/wm8978' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into tmp

Pull KVM fix from Marcelo Tosatti:
 "A correction for user triggerable oops"

* git://git.kernel.org/pub/scm/virt/kvm/kvm:
  KVM: x86: invalid opcode oops on SET_SREGS with OSXSAVE bit set (CVE-2012-4461)

Pull ux500 clk fixes from Mike Turquette:
 "Missing clkdev entries are causing regressions on the U8500 platform.
  This pull request contains those missing clkdev entries which are
  needed to boot that platform."

* tag 'clk-fixes-for-linus' of git://git.linaro.org/people/mturquette/linux:
  clk: ux500: Register slimbus clock lookups for u8500
  clk: ux500: Update rtc clock lookup for u8500
  clk: ux500: Register msp clock lookups for u8500
  clk: ux500: Register ssp clock lookups for u8500
  clk: ux500: Register i2c clock lookups for u8500

Pull menuconfig portability fix from Michal Marek:
 "Here is a fix for v3.7 that makes menuconfig compile again on systems
  whose C library is lacking CIRCLEQ_* macros.  I thought I sent it
  earlier, but apparently I did not."

* 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild:
  menuconfig: Replace CIRCLEQ by list_head-style lists.

Pull LED fix from Bryan Wu.

* 'fixes-for-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/linux-leds:
  ledtrig-cpu: kill useless mutex to fix sleep in atomic context

Pull futex fix from Thomas Gleixner:
 "Single fix for a long standing futex race when taking over a futex
  whose owner died.  You can end up with two owners, which violates
  quite some rules."

* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  futex: Handle futex_pi OWNER_DIED take over correctly

On hosts without the XSAVE support unprivileged local user can trigger
oops similar to the one below by setting X86_CR4_OSXSAVE bit in guest
cr4 register using KVM_SET_SREGS ioctl and later issuing KVM_RUN
ioctl.

invalid opcode: 0000 [#2] SMP
Modules linked in: tun ip6table_filter ip6_tables ebtable_nat ebtables
...
Pid: 24935, comm: zoog_kvm_monito Tainted: G      D      3.2.0-3-686-pae
EIP: 0060:[<f8b9550c>] EFLAGS: 00210246 CPU: 0
EIP is at kvm_arch_vcpu_ioctl_run+0x92a/0xd13 [kvm]
EAX: 00000001 EBX: 000f387e ECX: 00000000 EDX: 00000000
ESI: 00000000 EDI: 00000000 EBP: ef5a0060 ESP: d7c63e70
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process zoog_kvm_monito (pid: 24935, ti=d7c62000 task=ed84a0c0
task.ti=d7c62000)
Stack:
 00000001 f70a1200 f8b940a9 ef5a0060 00000000 00200202 f8769009 00000000
 ef5a0060 000f387e eda5c020 8722f9c8 00015bae 00000000 ed84a0c0 ed84a0c0
 c12bf02d 0000ae80 ef7f8740 fffffffb f359b740 ef5a0060 f8b85dc1 0000ae80
Call Trace:
 [<f8b940a9>] ? kvm_arch_vcpu_ioctl_set_sregs+0x2fe/0x308 [kvm]
...
 [<c12bfb44>] ? syscall_call+0x7/0xb
Code: 89 e8 e8 14 ee ff ff ba 00 00 04 00 89 e8 e8 98 48 ff ff 85 c0 74
1e 83 7d 48 00 75 18 8b 85 08 07 00 00 31 c9 8b 95 0c 07 00 00 <0f> 01
d1 c7 45 48 01 00 00 00 c7 45 1c 01 00 00 00 0f ae f0 89
EIP: [<f8b9550c>] kvm_arch_vcpu_ioctl_run+0x92a/0xd13 [kvm] SS:ESP
0068:d7c63e70

QEMU first retrieves the supported features via KVM_GET_SUPPORTED_CPUID
and then sets them later. So guest's X86_FEATURE_XSAVE should be masked
out on hosts without X86_FEATURE_XSAVE, making kvm_set_cr4 with
X86_CR4_OSXSAVE fail. Userspaces that allow specifying guest cpuid with
X86_FEATURE_XSAVE even on hosts that do not support it, might be
susceptible to this attack from inside the guest as well.

Allow setting X86_CR4_OSXSAVE bit only if host has XSAVE support.
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

At the same time the prcc bit for the kclk is corrected to
bit 8 instead of 3.
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Acked-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Mike Turquette <mturquette@linaro.org>

Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Acked-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Mike Turquette <mturquette@linaro.org>

Cc: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Acked-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Mike Turquette <mturquette@linaro.org>

Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Acked-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Mike Turquette <mturquette@linaro.org>

Cc: Ben Dooks <ben-linux@fluff.org>
Cc: Wolfram Sang <w.sang@pengutronix.de>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Acked-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Mike Turquette <mturquette@linaro.org>