Commits on May 2, 2009
  1. Linux 2.6.28.10

    gregkh committed May 2, 2009
  2. unreached code in selinux_ip_postroute_iptables_compat() (CVE-2009-1184)

    Not upstream in 2.6.30, as the function was removed there, making this a
    non-issue.
    
    Node and port send checks can be skipped in the compat_net=1 case. This bug
    was introduced in commit effad8d.
    
    Signed-off-by: Eugene Teo <eugeneteo@kernel.sg>
    Reported-by: Dan Carpenter <error27@gmail.com>
    Acked-by: James Morris <jmorris@namei.org>
    Acked-by: Paul Moore <paul.moore@hp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Eugene Teo committed with gregkh Apr 13, 2009
  3. thinkpad-acpi: fix LED blinking through timer trigger

    commit 75bd3bf upstream.
    
    The set_blink hook code in the LED subdriver would never manage to get
    a LED to blink, and instead it would just turn it on.  The consequence
    of this is that the "timer" trigger would not cause the LED to blink
    if given default parameters.
    
    This problem exists since 2.6.26-rc1.
    
    To fix it, switch the deferred LED work handling to use the
    thinkpad-acpi-specific LED status (off/on/blink) directly.
    
    This also makes the code easier to read, and to extend later.
    
    Signed-off-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
    Cc: stable@kernel.org
    Signed-off-by: Len Brown <len.brown@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    hmh committed with gregkh Apr 14, 2009
  4. b44: Use kernel DMA addresses for the kernel DMA API

    commit 37efa23 upstream.
    
    We must not use the device DMA addresses for the kernel DMA API, because
    device DMA addresses have an additional offset added for the SSB translation.
    
    Use the original dma_addr_t for the sync operation.
    
    Cc: stable@kernel.org
    Signed-off-by: Michael Buesch <mb@bu3sch.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Michael Buesch committed with gregkh Apr 6, 2009
  5. exit_notify: kill the wrong capable(CAP_KILL) check (CVE-2009-1337)

    CVE-2009-1337
    
    commit 432870d upstream.
    
    The CAP_KILL check in exit_notify() looks just wrong, kill it.
    
    Whatever logic we have to reset ->exit_signal, the malicious user
    can bypass it if it execs the setuid application before exiting.
    
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Acked-by: Serge Hallyn <serue@us.ibm.com>
    Acked-by: Roland McGrath <roland@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    utrace committed with gregkh Apr 6, 2009
  6. PCI: fix incorrect mask of PM No_Soft_Reset bit

    commit 998dd7c upstream.
    
    Reviewed-by: Matthew Wilcox <matthew@wil.cx>
    Signed-off-by: Yu Zhao <yu.zhao@intel.com>
    Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Yu Zhao committed with gregkh Feb 25, 2009
  7. crypto: ixp4xx - Fix handling of chained sg buffers

    commit 0d44dc5 upstream.
    
     - keep dma functions away from chained scatterlists.
       Use the existing scatterlist iteration inside the driver
       to call dma_map_single() for each chunk and avoid dma_map_sg().
    
    Signed-off-by: Christian Hohnstaedt <chohnstaedt@innominate.com>
    Tested-By: Karl Hiramoto <karl@hiramoto.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Christian Hohnstaedt committed with gregkh Mar 27, 2009
  8. fix ptrace slowness

    commit 53da1d9 upstream.
    
    This patch fixes bug #12208:
    
      Bug-Entry       : http://bugzilla.kernel.org/show_bug.cgi?id=12208
      Subject         : uml is very slow on 2.6.28 host
    
    This turned out to be not a scheduler regression, but an already
    existing problem in ptrace being triggered by subtle scheduler
    changes.
    
    The problem is this:
    
     - task A is ptracing task B
     - task B stops on a trace event
     - task A is woken up and preempts task B
     - task A calls ptrace on task B, which does ptrace_check_attach()
     - this calls wait_task_inactive(), which sees that task B is still on the runq
     - task A goes to sleep for a jiffy
     - ...
    
    Since UML does lots of the above sequences, those jiffies quickly add
    up to make it slow as hell.
    
    This patch solves this by not rescheduling in read_unlock() after
    ptrace_stop() has woken up the tracer.
    
    Thanks to Oleg Nesterov and Ingo Molnar for the feedback.
    
    Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
    CC: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Miklos Szeredi committed with gregkh Mar 23, 2009
  9. fs core fixes

    Please add the following 4 commits to 2.6.27-stable and 2.6.28-stable.
    However, there has been a lot of change here between 2.6.28 and 2.6.29:
    in particular, fs/exec.c's unsafe_exec() grew into the more complicated
    check_unsafe_exec().  So applying the original patches gives too many
    rejects: at the bottom is the diffstat and the combined patch required.
    
    1
    Commit: 53e9309
    Author: Hugh Dickins <hugh@veritas.com>
    Date: Sat, 28 Mar 2009 23:16:03 +0000 (+0000)
    Subject: compat_do_execve should unshare_files
    
    2
    Commit: e426b64
    Author: Hugh Dickins <hugh@veritas.com>
    Date: Sat, 28 Mar 2009 23:20:19 +0000 (+0000)
    Subject: fix setuid sometimes doesn't
    
    3
    Commit: 7c2c7d9
    Author: Hugh Dickins <hugh@veritas.com>
    Date: Sat, 28 Mar 2009 23:21:27 +0000 (+0000)
    Subject: fix setuid sometimes wouldn't
    
    4
    Commit: f1191b5
    Author: Al Viro <viro@zeniv.linux.org.uk>
    Date: Mon, 30 Mar 2009 11:35:18 +0000 (-0400)
    Subject: check_unsafe_exec() doesn't care about signal handlers sharing
    
    Signed-off-by: Hugh Dickins <hugh@veritas.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Hugh Dickins committed with gregkh Apr 25, 2009
  10. powerpc: Sanitize stack pointer in signal handling code

    This has been backported to 2.6.28.x from commit efbda86 in Linus' tree
    
    On powerpc64 machines running 32-bit userspace, we can get garbage bits in the
    stack pointer passed into the kernel.  Most places handle this correctly, but
    the signal handling code uses the passed value directly for allocating signal
    stack frames.
    
    This fixes the issue by introducing a get_clean_sp function that returns a
    sanitized stack pointer.  For 32-bit tasks on a 64-bit kernel, the stack
    pointer is masked correctly.  In all other cases, the stack pointer is simply
    returned.
    
    Additionally, we pass an 'is_32' parameter to get_sigframe now in order to
    get the properly sanitized stack.  The callers are known to be 32 or 64-bit
    statically.
    
    Signed-off-by: Josh Boyer <jwboyer@linux.vnet.ibm.com>
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Josh Boyer committed with gregkh Apr 28, 2009
  11. block: include empty disks in /proc/diskstats

    commit 71982a4 upstream.
    
    /proc/diskstats used to show stats for all disks whether they're
    zero-sized or not and their non-zero partitions.  Commit
    074a7ac accidentally changed the
    behavior such that it doesn't print out zero sized disks.  This patch
    implements DISK_PITER_INCL_EMPTY_PART0 flag to partition iterator and
    uses it in diskstats_show() such that empty part0 is shown in
    /proc/diskstats.
    
    Reported and bisected by Daniel Collins.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Reported-by: Daniel Collins <solemnwarning@solemnwarning.no-ip.org>
    Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    htejun committed with gregkh Apr 17, 2009
  12. md: fix deadlock when stopping arrays

    [backport of 5fd3a17]
    
    Resolve a deadlock when stopping redundant arrays, i.e. ones that
    require a call to sysfs_remove_group when shutdown.  The deadlock is
    summarized below:
    
    Thread1                Thread2
    -------                -------
    read sysfs attribute   stop array
                           take mddev lock
                           sysfs_remove_group
    sysfs_get_active
    wait for mddev lock
                           wait for active
    
    Sysrq-w:
      --------
    mdmon         S 00000017  2212  4163      1
      f1982ea8 00000046 2dcf6b85 00000017 c0b23100 f2f83ed0 c0b23100 f2f8413c
      c0b23100 c0b23100 c0b1fb98 f2f8413c 00000000 f2f8413c c0b23100 f2291ecc
      00000002 c0b23100 00000000 00000017 f2f83ed0 f1982eac 00000046 c044d9dd
    Call Trace:
      [<c044d9dd>] ? debug_mutex_add_waiter+0x1d/0x58
      [<c06ef451>] __mutex_lock_common+0x1d9/0x338
      [<c06ef451>] ? __mutex_lock_common+0x1d9/0x338
      [<c06ef5e3>] mutex_lock_interruptible_nested+0x33/0x3a
      [<c0634553>] ? mddev_lock+0x14/0x16
      [<c0634553>] mddev_lock+0x14/0x16
      [<c0634eda>] md_attr_show+0x2a/0x49
      [<c04e9997>] sysfs_read_file+0x93/0xf9
    mdadm         D 00000017  2812  4177      1
      f0401d78 00000046 430456f8 00000017 f0401d58 f0401d20 c0b23100 f2da2c4c
      c0b23100 c0b23100 c0b1fb98 f2da2c4c 0a10fc36 00000000 c0b23100 f0401d70
      00000003 c0b23100 00000000 00000017 f2da29e0 00000001 00000002 00000000
    Call Trace:
      [<c06eed1b>] schedule_timeout+0x1b/0x95
      [<c06eed1b>] ? schedule_timeout+0x1b/0x95
      [<c06eeb97>] ? wait_for_common+0x34/0xdc
      [<c044fa8a>] ? trace_hardirqs_on_caller+0x18/0x145
      [<c044fbc2>] ? trace_hardirqs_on+0xb/0xd
      [<c06eec03>] wait_for_common+0xa0/0xdc
      [<c0428c7c>] ? default_wake_function+0x0/0x12
      [<c06eeccc>] wait_for_completion+0x17/0x19
      [<c04ea620>] sysfs_addrm_finish+0x19f/0x1d1
      [<c04e920e>] sysfs_hash_and_remove+0x42/0x55
      [<c04eb4db>] sysfs_remove_group+0x57/0x86
      [<c0638086>] do_md_stop+0x13a/0x499
    
    This has been there for a while, but is easier to trigger now that mdmon
    is closely watching sysfs.
    
    Cc: Neil Brown <neilb@suse.de>
    Reported-by: Jacek Danecki <jacek.danecki@intel.com>
    Signed-off-by: Dan Williams <dan.j.williams@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    djbw committed with gregkh Mar 27, 2009
  13. ath9k: AR9280 PCI devices must serialize IO as well

    This is a port of:
    commit SHA1 5ec905a
    for 2.6.28
    
    Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
    Luis R. Rodriguez committed with gregkh Mar 23, 2009
  14. ath9k: implement IO serialization

    This is a port of:
    commit SHA1 6158425
    for 2.6.28.
    
    All 802.11n PCI devices (Cardbus, PCI, mini-PCI) require
    serialization of IO when on non-uniprocessor systems. PCI
    express devices do not require this.
    
    This should fix our last remaining open ath9k kernel.org
    bugzilla bug report:
    
    http://bugzilla.kernel.org/show_bug.cgi?id=12110
    
    Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Luis R. Rodriguez committed with gregkh Mar 23, 2009
  15. KVM: VMX: Flush volatile msrs before emulating rdmsr

    (cherry picked from 516a1a7)
    
    Some msrs (notably MSR_KERNEL_GS_BASE) are held in the processor registers
    and need to be flushed to the vcpu structure before they can be read.
    
    This fixes cygwin longjmp() failure on Windows x64.
    
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Avi Kivity committed with gregkh Mar 23, 2009
  16. KVM: x86: fix LAPIC pending count calculation

    (cherry picked from b682b81)
    
    Simplify LAPIC TMCCT calculation by using hrtimer provided
    function to query remaining time until expiration.
    
    Fixes host hang with nested ESX.
    
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: Alexander Graf <agraf@suse.de>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Marcelo Tosatti committed with gregkh Mar 23, 2009
  17. KVM: x86: disable kvmclock on non constant TSC hosts

    (cherry picked from abe6655)
    
    This is better.
    
    Currently, this code path is posing us big troubles,
    and we won't have a decent patch in time. So, temporarily
    disable it.
    
    Signed-off-by: Glauber Costa <glommer@redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Marcelo Tosatti committed with gregkh Mar 23, 2009
  18. KVM: PIT: fix i8254 pending count read

    (cherry picked from d2a8284)
    
    count_load_time assignment is bogus: it's supposed to contain what it
    means, not the expiration time.
    
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Marcelo Tosatti committed with gregkh Mar 23, 2009
  19. KVM: mmu_notifiers release method

    (cherry picked from 85db06e)
    
    The destructor for huge pages uses the backing inode for adjusting
    hugetlbfs accounting.
    
    Hugepage mappings are destroyed by exit_mmap, after
    mmu_notifier_release, so there are no notifications through
    unmap_hugepage_range at this point.
    
    The hugetlbfs inode can be freed with pages backed by it referenced
    by the shadow. When the shadow releases its reference, the huge page
    destructor will access a now freed inode.
    
    Implement the release operation for kvm mmu notifiers to release page
    refs before the hugetlbfs inode is gone.
    
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Marcelo Tosatti committed with gregkh Mar 23, 2009
  20. KVM: MMU: handle large host sptes on invlpg/resync

    (cherry picked from 8791723)
    
    The invlpg and sync walkers lack knowledge of large host sptes,
    descending to a non-existent pagetable level.
    
    Stop at directory level in such case.
    
    Fixes SMP Windows XP with hugepages.
    
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Marcelo Tosatti committed with gregkh Mar 23, 2009
  21. KVM: MMU: check for present pdptr shadow page in walk_shadow

    (cherry picked from eb64f1e)
    
    walk_shadow assumes the caller verified validity of the pdptr pointer in
    question, which is not the case for the invlpg handler.
    
    Fixes oops during Solaris 10 install.
    
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Marcelo Tosatti committed with gregkh Mar 23, 2009
  22. KVM: Advertise the bug in memory region destruction as fixed

    (cherry picked from 1a811b6)
    
    Userspace might need to act differently.
    
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Avi Kivity committed with gregkh Mar 23, 2009
  23. KVM: set owner of cpu and vm file operations

    (cherry picked from 3d3aab1)
    
    There is a race between a "close of the file descriptors" and module
    unload in the kvm module.
    
    You can easily trigger this problem by applying this debug patch:
    >--- kvm.orig/virt/kvm/kvm_main.c
    >+++ kvm/virt/kvm/kvm_main.c
    >@@ -648,10 +648,14 @@ void kvm_free_physmem(struct kvm *kvm)
    >                kvm_free_physmem_slot(&kvm->memslots[i], NULL);
    > }
    >
    >+#include <linux/delay.h>
    > static void kvm_destroy_vm(struct kvm *kvm)
    > {
    >        struct mm_struct *mm = kvm->mm;
    >
    >+       printk("off1\n");
    >+       msleep(5000);
    >+       printk("off2\n");
    >        spin_lock(&kvm_lock);
    >        list_del(&kvm->vm_list);
    >        spin_unlock(&kvm_lock);
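    Review bot: this hunk is a reproducer rather than part of the fix: the msleep(5000) inserted before list_del(&kvm->vm_list) only widens the window in which rmmod can unload the text that kvm_destroy_vm() is executing, and the message itself says the race exists without the sleep. Keep it out of the applied change; the fix is setting fops->owner so the VFS holds the module reference until the release of the last open file has run.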
    
    and killing the userspace, followed by an rmmod.
    
    The problem is that kvm_destroy_vm can run while the module count
    is 0. That means, you can remove the module while kvm_destroy_vm
    is running. But kvm_destroy_vm is part of the module text. This
    causes a kernel oops. The race exists without the msleep but is much
    harder to trigger.
    
    This patch requires the fix for anon_inodes (anon_inodes: use fops->owner
    for module refcount).
    With this patch, we can set the owner of all anonymous KVM inodes file
    operations. The VFS will then control the KVM module refcount as long as there
    is an open file. kvm_destroy_vm will be called by the release function of the
    last closed file - before the VFS drops the module refcount.
    
    Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    borntraeger committed with gregkh Mar 23, 2009
  24. KVM: x86 emulator: Fix handling of VMMCALL instruction

    (cherry picked from fbce554)
    
    The VMMCALL instruction doesn't get recognised and isn't processed
    by the emulator.
    
    This is seen on an Intel host that tries to execute the VMMCALL
    instruction after a guest live migrates from an AMD host.
    
    Signed-off-by: Amit Shah <amit.shah@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Amit Shah committed with gregkh Mar 23, 2009
  25. KVM: Really remove a slot when a user ask us so

    (cherry picked from 6f89724)
    
    Right now, KVM does not remove a slot when we do a
    register ioctl for size 0 (would be the expected behaviour).
    
    Instead, we only mark it as empty, but keep all bitmaps
    and allocated data structures present. It completely
    nullifies our chances of reusing that same slot again
    for mapping a different piece of memory.
    
    In this patch, we destroy rmaps, and vfree() the
    pointers that used to hold the dirty bitmap, rmap
    and lpage_info structures.
    
    Signed-off-by: Glauber Costa <glommer@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Glauber Costa committed with gregkh Mar 23, 2009
  26. KVM: Prevent trace call into unloaded module text

    (cherry picked from b820918)
    
    Add marker_synchronize_unregister() before module unloading.
    This prevents possible trace calls into unloaded module text.
    
    Signed-off-by: Wu Fengguang <wfg@linux.intel.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    fengguang committed with gregkh Mar 23, 2009
  27. KVM: Fix cpuid iteration on multiple leaves per eac

    (cherry picked from 0fdf8e5)
    
    The code to traverse the cpuid data array list for counting type of leaves is
    currently broken.
    
    This patch fixes two things in it.
    
     1. Set the 1st counting entry's flag KVM_CPUID_FLAG_STATE_READ_NEXT. Without
        it the code will never find a valid entry.
    
     2. Also the stop condition in the for loop while looking for the next unflagged
        entry is broken. It needs to stop when it finds one matching entry;
        and in the case of count of 1, it will be the same entry found in this
        iteration.
    
    Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Nitin A Kamble committed with gregkh Mar 23, 2009
  28. KVM: Fix cpuid leaf 0xb loop termination

    (cherry picked from 0853d2c)
    
    For cpuid leaf 0xb the bits 8-15 in ECX register define the end of counting
    leaf. The previous code was using bits 0-7 for this purpose, which is
    a bug.
    
    Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Nitin A Kamble committed with gregkh Mar 23, 2009
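The two cpuid fixes above (items 27 and 28) are easier to see with the loop written out. The following is an added example, not KVM's code or the patch itself: it walks a constructed CPUID leaf 0xb dump (the register values are made up for the illustration, not captured from hardware) the way the commit message describes, "read more entries until level_type is zero", and lets the caller choose which ECX mask picks out the level type. It assumes the layout the message relies on: in leaf 0xb, ECX bits 7:0 echo the sub-leaf index that was requested and bits 15:8 carry the level type, with 0 meaning no further levels. The function name count_leaf_0xb_entries and the struct cpuid_entry are illustrative names, not KVM identifiers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative layout, not KVM's struct kvm_cpuid_entry2. */
struct cpuid_entry {
    uint32_t function;   /* EAX input; 0xb for the extended topology leaf */
    uint32_t index;      /* ECX input, the sub-leaf number */
    uint32_t eax, ebx, ecx, edx;
};

/*
 * Constructed sample dump of leaf 0xb (not from real hardware).
 * ECX bits 7:0  = sub-leaf index echoed back
 * ECX bits 15:8 = level type: 1 = SMT, 2 = core, 0 = no more levels
 */
static const struct cpuid_entry sample_leaf_0xb[] = {
    { 0xb, 0, 0x00000001, 0x00000002, 0x00000100, 0 }, /* SMT level      */
    { 0xb, 1, 0x00000004, 0x00000008, 0x00000201, 0 }, /* core level     */
    { 0xb, 2, 0x00000000, 0x00000000, 0x00000002, 0 }, /* type 0: stop   */
    { 0xb, 3, 0x00000000, 0x00000000, 0x00000003, 0 }, /* must not count */
};

#define LEVEL_MASK_BUGGY 0x000000ffu   /* bits 7:0, the sub-leaf echo     */
#define LEVEL_MASK_FIXED 0x0000ff00u   /* bits 15:8, the real level type  */

/*
 * Return how many sub-leaves a walker copies out before it stops.
 * Sub-leaf 0 is always emitted; each further entry is taken only if the
 * previous one reported a non-zero level type under `level_mask`.
 */
static size_t count_leaf_0xb_entries(const struct cpuid_entry *ent, size_t n,
                                     uint32_t level_mask)
{
    size_t i;

    for (i = 1; i < n; ++i) {
        uint32_t level_type = ent[i - 1].ecx & level_mask;
        if (!level_type)
            break;
    }
    return i;
}

/* Masking with bits 7:0 sees sub-leaf 0's echoed index (0) and stops at once. */
static size_t leaf_0xb_count_buggy(void)
{
    return count_leaf_0xb_entries(sample_leaf_0xb,
                                  sizeof(sample_leaf_0xb) / sizeof(sample_leaf_0xb[0]),
                                  LEVEL_MASK_BUGGY);
}

/* Masking with bits 15:8 walks SMT, core, and the terminating type-0 entry. */
static size_t leaf_0xb_count_fixed(void)
{
    return count_leaf_0xb_entries(sample_leaf_0xb,
                                  sizeof(sample_leaf_0xb) / sizeof(sample_leaf_0xb[0]),
                                  LEVEL_MASK_FIXED);
}

int main(void)
{
    printf("leaf 0xb entries, mask 0x%02x: %zu\n", LEVEL_MASK_BUGGY, leaf_0xb_count_buggy());
    printf("leaf 0xb entries, mask 0x%04x: %zu\n", LEVEL_MASK_FIXED, leaf_0xb_count_fixed());
    return 0;
}
```

With the old mask the walk ends after a single sub-leaf because sub-leaf 0 echoes index 0 in the low byte, so a guest would never see the core level; with the corrected mask the walk stops only when the level type itself reads zero.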
  29. KVM: MMU: Fix aliased gfns treated as unaliased

    (cherry picked from 2843099)
    
    Some areas of kvm x86 mmu are using gfn offset inside a slot without
    unaliasing the gfn first.  This patch makes sure that the gfn will be
    unaliased and adds gfn_to_memslot_unaliased() to save the calculating
    of the gfn unaliasing in case we have it unaliased already.
    
    Signed-off-by: Izik Eidus <ieidus@redhat.com>
    Acked-by: Marcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Izik Eidus committed with gregkh Mar 23, 2009
  30. KVM: SVM: Set the 'busy' flag of the TR selector

    (cherry picked from c0d0982)
    
    The busy flag of the TR selector is not set by the hardware. This breaks
    migration from amd hosts to intel hosts.
    
    Signed-off-by: Amit Shah <amit.shah@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Amit Shah committed with gregkh Mar 23, 2009
  31. KVM: SVM: Set the 'g' bit of the cs selector for cross-vendor migration

    (cherry picked from 25022ac)
    
    The hardware does not set the 'g' bit of the cs selector and this breaks
    migration from amd hosts to intel hosts. Set this bit if the segment
    limit is beyond 1 MB.
    
    Signed-off-by: Amit Shah <amit.shah@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Amit Shah committed with gregkh Mar 23, 2009
  32. KVM: VMX: Move private memory slot position

    (cherry picked from 6fe6397)
    
    PCI device assignment would map guest MMIO spaces as separate slots, so it is
    possible that the device has more than 2 MMIO spaces and overwrites the current
    private memslot.
    
    The patch moves the private memory slot to the top of the userspace visible memory slots.
    
    Signed-off-by: Sheng Yang <sheng@linux.intel.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Sheng Yang committed with gregkh Mar 23, 2009
  33. KVM: MMU: Extend kvm_mmu_page->slot_bitmap size

    (cherry picked from 291f26b)
    
    Otherwise set_bit() for the private memory slot (above KVM_MEMORY_SLOTS) would
    corrupt memory on a 32-bit host.
    
    Signed-off-by: Sheng Yang <sheng@linux.intel.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Sheng Yang committed with gregkh Mar 23, 2009
  34. KVM: call kvm_arch_vcpu_reset() instead of the kvm_x86_ops callback

    (cherry picked from 5f17928)
    
    Call kvm_arch_vcpu_reset() instead of directly using arch callback.
    The function does additional things.
    
    Signed-off-by: Gleb Natapov <gleb@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Gleb Natapov committed with gregkh Mar 23, 2009
  35. KVM: x86: Reset pending/inject NMI state on CPU reset

    (cherry picked from 448fa4a)
    
    CPU reset invalidates pending or already injected NMIs, therefore reset
    the related state variables.
    
    Based on original patch by Gleb Natapov.
    
    Signed-off-by: Gleb Natapov <gleb@redhat.com>
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    jan-kiszka committed with gregkh Mar 23, 2009