3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 9 Nov 2013 05:51:35 +0000 (21:51 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 9 Nov 2013 05:51:35 +0000 (21:51 -0800)
added patches:
aacraid-missing-capable-check-in-compat-ioctl.patch
alsa-fix-oops-in-snd_pcm_info-caused-by-asoc-dpcm.patch
alsa-hda-add-a-fixup-for-asus-n76vz.patch
alsa-hda-add-missing-initial-vmaster-hook-at-build_controls-callback.patch
alsa-hda-fix-unbalanced-runtime-pm-refcount-after-s3-s4.patch
arc-incorrect-mm-reference-used-in-vmalloc-fault-handler.patch
asoc-dapm-fix-source-list-debugfs-outputs.patch
asoc-wm_hubs-add-missing-break-in-hp_supply_event.patch
au1100fb-vm_io-is-set-by-io_remap_pfn_range.patch
au1200fb-io_remap_pfn_range-sets-vm_io.patch
clk-fixup-argument-order-when-setting-vco-parameters.patch
fix-a-few-incorrectly-checked-remap_pfn_range-calls.patch
lib-scatterlist.c-don-t-flush_kernel_dcache_page-on-slab-page.patch
mm-make-generic_access_phys-available-for-modules.patch
scripts-kallsyms-filter-symbols-not-in-kernel-address-space.patch
staging-bcm-info-leak-in-ioctl.patch
staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch
staging-sb105x-info-leak-in-mp_get_count.patch
staging-wlags49_h2-buffer-overflow-setting-station-name.patch
uio-provide-vm-access-to-uio_mem_phys-maps.patch
uml-check-length-in-exitcode_proc_write.patch
xtensa-don-t-use-alternate-signal-stack-on-threads.patch

23 files changed:
queue-3.10/aacraid-missing-capable-check-in-compat-ioctl.patch [new file with mode: 0644]
queue-3.10/alsa-fix-oops-in-snd_pcm_info-caused-by-asoc-dpcm.patch [new file with mode: 0644]
queue-3.10/alsa-hda-add-a-fixup-for-asus-n76vz.patch [new file with mode: 0644]
queue-3.10/alsa-hda-add-missing-initial-vmaster-hook-at-build_controls-callback.patch [new file with mode: 0644]
queue-3.10/alsa-hda-fix-unbalanced-runtime-pm-refcount-after-s3-s4.patch [new file with mode: 0644]
queue-3.10/arc-incorrect-mm-reference-used-in-vmalloc-fault-handler.patch [new file with mode: 0644]
queue-3.10/asoc-dapm-fix-source-list-debugfs-outputs.patch [new file with mode: 0644]
queue-3.10/asoc-wm_hubs-add-missing-break-in-hp_supply_event.patch [new file with mode: 0644]
queue-3.10/au1100fb-vm_io-is-set-by-io_remap_pfn_range.patch [new file with mode: 0644]
queue-3.10/au1200fb-io_remap_pfn_range-sets-vm_io.patch [new file with mode: 0644]
queue-3.10/clk-fixup-argument-order-when-setting-vco-parameters.patch [new file with mode: 0644]
queue-3.10/fix-a-few-incorrectly-checked-remap_pfn_range-calls.patch [new file with mode: 0644]
queue-3.10/lib-scatterlist.c-don-t-flush_kernel_dcache_page-on-slab-page.patch [new file with mode: 0644]
queue-3.10/mm-make-generic_access_phys-available-for-modules.patch [new file with mode: 0644]
queue-3.10/scripts-kallsyms-filter-symbols-not-in-kernel-address-space.patch [new file with mode: 0644]
queue-3.10/series
queue-3.10/staging-bcm-info-leak-in-ioctl.patch [new file with mode: 0644]
queue-3.10/staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch [new file with mode: 0644]
queue-3.10/staging-sb105x-info-leak-in-mp_get_count.patch [new file with mode: 0644]
queue-3.10/staging-wlags49_h2-buffer-overflow-setting-station-name.patch [new file with mode: 0644]
queue-3.10/uio-provide-vm-access-to-uio_mem_phys-maps.patch [new file with mode: 0644]
queue-3.10/uml-check-length-in-exitcode_proc_write.patch [new file with mode: 0644]
queue-3.10/xtensa-don-t-use-alternate-signal-stack-on-threads.patch [new file with mode: 0644]

diff --git a/queue-3.10/aacraid-missing-capable-check-in-compat-ioctl.patch b/queue-3.10/aacraid-missing-capable-check-in-compat-ioctl.patch
new file mode 100644 (file)
index 0000000..27f1d37
--- /dev/null
@@ -0,0 +1,32 @@
+From f856567b930dfcdbc3323261bf77240ccdde01f5 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 29 Oct 2013 22:11:06 +0300
+Subject: aacraid: missing capable() check in compat ioctl
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit f856567b930dfcdbc3323261bf77240ccdde01f5 upstream.
+
+In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we
+added a check on CAP_SYS_RAWIO to the ioctl.  The compat ioctls need the
+check as well.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/aacraid/linit.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/aacraid/linit.c
++++ b/drivers/scsi/aacraid/linit.c
+@@ -771,6 +771,8 @@ static long aac_compat_do_ioctl(struct a
+ static int aac_compat_ioctl(struct scsi_device *sdev, int cmd, void __user *arg)
+ {
+       struct aac_dev *dev = (struct aac_dev *)sdev->host->hostdata;
++      if (!capable(CAP_SYS_RAWIO))
++              return -EPERM;
+       return aac_compat_do_ioctl(dev, cmd, (unsigned long)arg);
+ }
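Review bot: The capability check is placed in the `aac_compat_ioctl` wrapper rather than in `aac_compat_do_ioctl`, so it protects only this one entry point. Any other caller of the helper has to repeat the check, and the hunk does not show whether they do. Moving `if (!capable(CAP_SYS_RAWIO)) return -EPERM;` to the top of `aac_compat_do_ioctl` would cover every compat path in one place. If the wrappers stay the enforcement point, a comment on the helper such as `/* callers must check CAP_SYS_RAWIO */` records that contract. The body of `aac_compat_do_ioctl` is outside the hunk, so this should be confirmed against the full file.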
diff --git a/queue-3.10/alsa-fix-oops-in-snd_pcm_info-caused-by-asoc-dpcm.patch b/queue-3.10/alsa-fix-oops-in-snd_pcm_info-caused-by-asoc-dpcm.patch
new file mode 100644 (file)
index 0000000..c820361
--- /dev/null
@@ -0,0 +1,71 @@
+From a4461f41b94cb52e0141af717dcf4ef6558c8e2e Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@arm.linux.org.uk>
+Date: Thu, 31 Oct 2013 15:01:37 +0000
+Subject: ALSA: fix oops in snd_pcm_info() caused by ASoC DPCM
+
+From: Russell King <rmk+kernel@arm.linux.org.uk>
+
+commit a4461f41b94cb52e0141af717dcf4ef6558c8e2e upstream.
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000008
+pgd = d5300000
+[00000008] *pgd=0d265831, *pte=00000000, *ppte=00000000
+Internal error: Oops: 17 [#1] PREEMPT ARM
+CPU: 0 PID: 2295 Comm: vlc Not tainted 3.11.0+ #755
+task: dee74800 ti: e213c000 task.ti: e213c000
+PC is at snd_pcm_info+0xc8/0xd8
+LR is at 0x30232065
+pc : [<c031b52c>]    lr : [<30232065>]    psr: a0070013
+sp : e213dea8  ip : d81cb0d0  fp : c05f7678
+r10: c05f7770  r9 : fffffdfd  r8 : 00000000
+r7 : d8a968a8  r6 : d8a96800  r5 : d8a96200  r4 : d81cb000
+r3 : 00000000  r2 : d81cb000  r1 : 00000001  r0 : d8a96200
+Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
+Control: 10c5387d  Table: 15300019  DAC: 00000015
+Process vlc (pid: 2295, stack limit = 0xe213c248)
+[<c031b52c>] (snd_pcm_info) from [<c031b570>] (snd_pcm_info_user+0x34/0x9c)
+[<c031b570>] (snd_pcm_info_user) from [<c03164a4>] (snd_pcm_control_ioctl+0x274/0x280)
+[<c03164a4>] (snd_pcm_control_ioctl) from [<c0311458>] (snd_ctl_ioctl+0xc0/0x55c)
+[<c0311458>] (snd_ctl_ioctl) from [<c00eca84>] (do_vfs_ioctl+0x80/0x31c)
+[<c00eca84>] (do_vfs_ioctl) from [<c00ecd5c>] (SyS_ioctl+0x3c/0x60)
+[<c00ecd5c>] (SyS_ioctl) from [<c000e500>] (ret_fast_syscall+0x0/0x48)
+Code: e1a00005 e59530dc e3a01001 e1a02004 (e5933008)
+---[ end trace cb3d9bdb8dfefb3c ]---
+
+This is provoked when the ASoC front end is open along with its backend,
+(which causes the backend to have a runtime assigned to it) and then the
+SNDRV_CTL_IOCTL_PCM_INFO is requested for the (visible) backend device.
+
+Resolve this by ensuring that ASoC internal backend devices are not
+visible to userspace, just as the commentry for snd_pcm_new_internal()
+says it should be.
+
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Acked-by: Mark Brown <broonie@linaro.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -49,6 +49,8 @@ static struct snd_pcm *snd_pcm_get(struc
+       struct snd_pcm *pcm;
+       list_for_each_entry(pcm, &snd_pcm_devices, list) {
++              if (pcm->internal)
++                      continue;
+               if (pcm->card == card && pcm->device == device)
+                       return pcm;
+       }
+@@ -60,6 +62,8 @@ static int snd_pcm_next(struct snd_card
+       struct snd_pcm *pcm;
+       list_for_each_entry(pcm, &snd_pcm_devices, list) {
++              if (pcm->internal)
++                      continue;
+               if (pcm->card == card && pcm->device > device)
+                       return pcm->device;
+               else if (pcm->card->number > card->number)
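Review bot: The two `if (pcm->internal) continue;` filters in `snd_pcm_get` and `snd_pcm_next` carry no comment, so the reason these lookups skip entries lives only in the commit message. A line above each, e.g. `/* internal (ASoC back-end) PCMs must not be reachable from userspace ioctls */`, would keep a later refactor from dropping the filter. The fix hides the device from lookup rather than guarding the dereference reported at `snd_pcm_info+0xc8`. That function is not in the hunk, so whether it can still hit the same NULL pointer for a non-internal device should be checked separately. Both loops sit in functions whose bodies extend outside the hunk.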
diff --git a/queue-3.10/alsa-hda-add-a-fixup-for-asus-n76vz.patch b/queue-3.10/alsa-hda-add-a-fixup-for-asus-n76vz.patch
new file mode 100644 (file)
index 0000000..e384548
--- /dev/null
@@ -0,0 +1,30 @@
+From 6fc16e58adf50c0f1e4478538983fb5ff6f453d4 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 30 Oct 2013 12:29:40 +0100
+Subject: ALSA: hda - Add a fixup for ASUS N76VZ
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 6fc16e58adf50c0f1e4478538983fb5ff6f453d4 upstream.
+
+ASUS N76VZ needs the same fixup as N56VZ for supporting the boost
+speaker.
+
+Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=846529
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4253,6 +4253,7 @@ static const struct snd_pci_quirk alc662
+       SND_PCI_QUIRK(0x1028, 0x05db, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
+       SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
+       SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_ASUS_MODE4),
++      SND_PCI_QUIRK(0x1043, 0x1bf3, "ASUS N76VZ", ALC662_FIXUP_ASUS_MODE4),
+       SND_PCI_QUIRK(0x1043, 0x8469, "ASUS mobo", ALC662_FIXUP_NO_JACK_DETECT),
+       SND_PCI_QUIRK(0x105b, 0x0cd6, "Foxconn", ALC662_FIXUP_ASUS_MODE2),
+       SND_PCI_QUIRK(0x144d, 0xc051, "Samsung R720", ALC662_FIXUP_IDEAPAD),
diff --git a/queue-3.10/alsa-hda-add-missing-initial-vmaster-hook-at-build_controls-callback.patch b/queue-3.10/alsa-hda-add-missing-initial-vmaster-hook-at-build_controls-callback.patch
new file mode 100644 (file)
index 0000000..a2ba1fe
--- /dev/null
@@ -0,0 +1,41 @@
+From b63eae0a6c84839275a4638a7baa391be965cd0e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 25 Oct 2013 23:43:10 +0200
+Subject: ALSA: hda - Add missing initial vmaster hook at build_controls callback
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit b63eae0a6c84839275a4638a7baa391be965cd0e upstream.
+
+The generic parser has a support of vmaster hook, but this is
+initialized only in the init callback with the check of the presence
+of the corresponding kctl.  However, since kctl is NULL at the very
+first init callback that is called before build_controls callback, the
+vmaster hook sync is skipped there.  Eventually this leads to the
+uninitialized state depending on the hook implementation.
+
+This patch adds a simple workaround, just calling the sync function
+explicitly at build_controls callback.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_generic.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -4383,9 +4383,11 @@ int snd_hda_gen_build_controls(struct hd
+                                           true, &spec->vmaster_mute.sw_kctl);
+               if (err < 0)
+                       return err;
+-              if (spec->vmaster_mute.hook)
++              if (spec->vmaster_mute.hook) {
+                       snd_hda_add_vmaster_hook(codec, &spec->vmaster_mute,
+                                                spec->vmaster_mute_enum);
++                      snd_hda_sync_vmaster_hook(&spec->vmaster_mute);
++              }
+       }
+       free_kctls(spec); /* no longer needed */
diff --git a/queue-3.10/alsa-hda-fix-unbalanced-runtime-pm-refcount-after-s3-s4.patch b/queue-3.10/alsa-hda-fix-unbalanced-runtime-pm-refcount-after-s3-s4.patch
new file mode 100644 (file)
index 0000000..c174d1c
--- /dev/null
@@ -0,0 +1,37 @@
+From e6bbe666673ab044a3d39ddb74e4d9a401cf1d6f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 24 Oct 2013 01:20:24 +0200
+Subject: ALSA: hda - Fix unbalanced runtime PM refcount after S3/S4
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit e6bbe666673ab044a3d39ddb74e4d9a401cf1d6f upstream.
+
+When a machine goes to S3/S4 after power-save is enabled, the runtime
+PM refcount might be incorrectly decreased because the power-down
+triggered soon after resume assumes that the controller was already
+powered up, and issues the pm_notify down.
+
+This patch fixes the incorrect pm_notify call simply by checking the
+current value properly.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_codec.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -4789,8 +4789,8 @@ static void hda_power_work(struct work_s
+       spin_unlock(&codec->power_lock);
+       state = hda_call_codec_suspend(codec, true);
+-      codec->pm_down_notified = 0;
+-      if (!bus->power_keep_link_on && (state & AC_PWRST_CLK_STOP_OK)) {
++      if (!codec->pm_down_notified &&
++          !bus->power_keep_link_on && (state & AC_PWRST_CLK_STOP_OK)) {
+               codec->pm_down_notified = 1;
+               hda_call_pm_notify(bus, false);
+       }
diff --git a/queue-3.10/arc-incorrect-mm-reference-used-in-vmalloc-fault-handler.patch b/queue-3.10/arc-incorrect-mm-reference-used-in-vmalloc-fault-handler.patch
new file mode 100644 (file)
index 0000000..1cf5042
--- /dev/null
@@ -0,0 +1,65 @@
+From 9c41f4eeb9d51f3ece20428d35a3ea32cf3b5622 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <Vineet.Gupta1@synopsys.com>
+Date: Sat, 2 Nov 2013 17:47:49 +0530
+Subject: ARC: Incorrect mm reference used in vmalloc fault handler
+
+From: Vineet Gupta <Vineet.Gupta1@synopsys.com>
+
+commit 9c41f4eeb9d51f3ece20428d35a3ea32cf3b5622 upstream.
+
+A vmalloc fault needs to sync up PGD/PTE entry from init_mm to current
+task's "active_mm".  ARC vmalloc fault handler however was using mm.
+
+A vmalloc fault for non user task context (actually pre-userland, from
+init thread's open for /dev/console) caused the handler to deref NULL mm
+(for mm->pgd)
+
+The reasons it worked so far is amazing:
+
+1. By default (!SMP), vmalloc fault handler uses a cached value of PGD.
+   In SMP that MMU register is repurposed hence need for mm pointer deref.
+
+2. In pre-3.12 SMP kernel, the problem triggering vmalloc didn't exist in
+   pre-userland code path - it was introduced with commit 20bafb3d23d108bc
+   "n_tty: Move buffers into n_tty_data"
+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Cc: Gilad Ben-Yossef <gilad@benyossef.com>
+Cc: Noam Camus <noamc@ezchip.com>
+Cc: Peter Hurley <peter@hurleysoftware.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/mm/fault.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arc/mm/fault.c
++++ b/arch/arc/mm/fault.c
+@@ -16,7 +16,7 @@
+ #include <linux/kdebug.h>
+ #include <asm/pgalloc.h>
+-static int handle_vmalloc_fault(struct mm_struct *mm, unsigned long address)
++static int handle_vmalloc_fault(unsigned long address)
+ {
+       /*
+        * Synchronize this task's top level page-table
+@@ -26,7 +26,7 @@ static int handle_vmalloc_fault(struct m
+       pud_t *pud, *pud_k;
+       pmd_t *pmd, *pmd_k;
+-      pgd = pgd_offset_fast(mm, address);
++      pgd = pgd_offset_fast(current->active_mm, address);
+       pgd_k = pgd_offset_k(address);
+       if (!pgd_present(*pgd_k))
+@@ -72,7 +72,7 @@ void do_page_fault(struct pt_regs *regs,
+        * nothing more.
+        */
+       if (address >= VMALLOC_START && address <= VMALLOC_END) {
+-              ret = handle_vmalloc_fault(mm, address);
++              ret = handle_vmalloc_fault(address);
+               if (unlikely(ret))
+                       goto bad_area_nosemaphore;
+               else
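Review bot: `pgd_offset_fast(current->active_mm, address)` has no comment explaining why `active_mm` is used instead of `mm`, and the commit message shows the choice matters: in a non-user task context the old `mm` argument was NULL and the handler dereferenced it. Suggest adding `/* active_mm, not mm: current->mm is NULL for kernel threads */` above that line. The existing block comment at the top of `handle_vmalloc_fault` speaks of "this task's top level page-table" and would read better if it named `active_mm` as well. The function body continues outside the hunk.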
diff --git a/queue-3.10/asoc-dapm-fix-source-list-debugfs-outputs.patch b/queue-3.10/asoc-dapm-fix-source-list-debugfs-outputs.patch
new file mode 100644 (file)
index 0000000..92919b4
--- /dev/null
@@ -0,0 +1,32 @@
+From ff18620c2157671a8ee21ebb8e6a3520ea209b1f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 28 Oct 2013 14:21:49 +0100
+Subject: ASoC: dapm: Fix source list debugfs outputs
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit ff18620c2157671a8ee21ebb8e6a3520ea209b1f upstream.
+
+... due to a copy & paste error.
+
+Spotted by coverity CID 710923.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Mark Brown <broonie@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/soc-dapm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -1797,7 +1797,7 @@ static ssize_t dapm_widget_power_read_fi
+                               w->active ? "active" : "inactive");
+       list_for_each_entry(p, &w->sources, list_sink) {
+-              if (p->connected && !p->connected(w, p->sink))
++              if (p->connected && !p->connected(w, p->source))
+                       continue;
+               if (p->connect)
diff --git a/queue-3.10/asoc-wm_hubs-add-missing-break-in-hp_supply_event.patch b/queue-3.10/asoc-wm_hubs-add-missing-break-in-hp_supply_event.patch
new file mode 100644 (file)
index 0000000..7e319bd
--- /dev/null
@@ -0,0 +1,29 @@
+From 268ff14525edba31da29a12a9dd693cdd6a7872e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 30 Oct 2013 08:35:02 +0100
+Subject: ASoC: wm_hubs: Add missing break in hp_supply_event()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 268ff14525edba31da29a12a9dd693cdd6a7872e upstream.
+
+Spotted by coverity CID 115170.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Mark Brown <broonie@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/wm_hubs.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/codecs/wm_hubs.c
++++ b/sound/soc/codecs/wm_hubs.c
+@@ -530,6 +530,7 @@ static int hp_supply_event(struct snd_so
+                               hubs->hp_startup_mode);
+                       break;
+               }
++              break;
+       case SND_SOC_DAPM_PRE_PMD:
+               snd_soc_update_bits(codec, WM8993_CHARGE_PUMP_1,
diff --git a/queue-3.10/au1100fb-vm_io-is-set-by-io_remap_pfn_range.patch b/queue-3.10/au1100fb-vm_io-is-set-by-io_remap_pfn_range.patch
new file mode 100644 (file)
index 0000000..16cbe87
--- /dev/null
@@ -0,0 +1,27 @@
+From c607f450f6e49f5794f27617bedc638b51044d2e Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 11 May 2013 12:38:38 -0400
+Subject: au1100fb: VM_IO is set by io_remap_pfn_range()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit c607f450f6e49f5794f27617bedc638b51044d2e upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/au1100fb.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/video/au1100fb.c
++++ b/drivers/video/au1100fb.c
+@@ -385,8 +385,6 @@ int au1100fb_fb_mmap(struct fb_info *fbi
+       vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
+       pgprot_val(vma->vm_page_prot) |= (6 << 9); //CCA=6
+-      vma->vm_flags |= VM_IO;
+-
+       if (io_remap_pfn_range(vma, vma->vm_start, off >> PAGE_SHIFT,
+                               vma->vm_end - vma->vm_start,
+                               vma->vm_page_prot)) {
diff --git a/queue-3.10/au1200fb-io_remap_pfn_range-sets-vm_io.patch b/queue-3.10/au1200fb-io_remap_pfn_range-sets-vm_io.patch
new file mode 100644 (file)
index 0000000..8067b7a
--- /dev/null
@@ -0,0 +1,34 @@
+From 1fca06fafb235a88c4fa91294aa1726c0e22855b Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 11 May 2013 12:37:38 -0400
+Subject: au1200fb: io_remap_pfn_range() sets VM_IO
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 1fca06fafb235a88c4fa91294aa1726c0e22855b upstream.
+
+... and single return is quite sufficient to get out of function, TYVM
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/au1200fb.c |    4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/video/au1200fb.c
++++ b/drivers/video/au1200fb.c
+@@ -1258,13 +1258,9 @@ static int au1200fb_fb_mmap(struct fb_in
+       vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
+       pgprot_val(vma->vm_page_prot) |= _CACHE_MASK; /* CCA=7 */
+-      vma->vm_flags |= VM_IO;
+-
+       return io_remap_pfn_range(vma, vma->vm_start, off >> PAGE_SHIFT,
+                                 vma->vm_end - vma->vm_start,
+                                 vma->vm_page_prot);
+-
+-      return 0;
+ }
+ static void set_global(u_int cmd, struct au1200_lcd_global_regs_t *pdata)
diff --git a/queue-3.10/clk-fixup-argument-order-when-setting-vco-parameters.patch b/queue-3.10/clk-fixup-argument-order-when-setting-vco-parameters.patch
new file mode 100644 (file)
index 0000000..47e5a27
--- /dev/null
@@ -0,0 +1,36 @@
+From 2f9f64bc5aa31836810cd25301aa4772ad73ebab Mon Sep 17 00:00:00 2001
+From: Jonathan Austin <jonathan.austin@arm.com>
+Date: Tue, 23 Jul 2013 16:42:18 +0100
+Subject: clk: fixup argument order when setting VCO parameters
+
+From: Jonathan Austin <jonathan.austin@arm.com>
+
+commit 2f9f64bc5aa31836810cd25301aa4772ad73ebab upstream.
+
+The order of arguments in the call to vco_set() for the ICST clocks appears to
+have been switched in error, which results in the VCO not being initialised
+correctly. This in turn stops the integrated LCD on things like Integrator/CP
+from working correctly.
+
+This patch fixes the order and restores the expected functionality.
+
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Jonathan Austin <jonathan.austin@arm.com>
+Signed-off-by: Mike Turquette <mturquette@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/versatile/clk-icst.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/versatile/clk-icst.c
++++ b/drivers/clk/versatile/clk-icst.c
+@@ -107,7 +107,7 @@ static int icst_set_rate(struct clk_hw *
+       vco = icst_hz_to_vco(icst->params, rate);
+       icst->rate = icst_hz(icst->params, vco);
+-      vco_set(icst->vcoreg, icst->lockreg, vco);
++      vco_set(icst->lockreg, icst->vcoreg, vco);
+       return 0;
+ }
diff --git a/queue-3.10/fix-a-few-incorrectly-checked-remap_pfn_range-calls.patch b/queue-3.10/fix-a-few-incorrectly-checked-remap_pfn_range-calls.patch
new file mode 100644 (file)
index 0000000..6a8e764
--- /dev/null
@@ -0,0 +1,138 @@
+From 7314e613d5ff9f0934f7a0f74ed7973b903315d1 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 29 Oct 2013 10:21:34 -0700
+Subject: Fix a few incorrectly checked [io_]remap_pfn_range() calls
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 7314e613d5ff9f0934f7a0f74ed7973b903315d1 upstream.
+
+Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that
+really should use the vm_iomap_memory() helper.  This trivially converts
+two of them to the helper, and comments about why the third one really
+needs to continue to use remap_pfn_range(), and adds the missing size
+check.
+
+Reported-by: Nico Golde <nico@ngolde.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org.
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/uio/uio.c        |   17 +++++++++++++++--
+ drivers/video/au1100fb.c |   26 +-------------------------
+ drivers/video/au1200fb.c |   23 +----------------------
+ 3 files changed, 17 insertions(+), 49 deletions(-)
+
+--- a/drivers/uio/uio.c
++++ b/drivers/uio/uio.c
+@@ -654,16 +654,29 @@ static int uio_mmap_physical(struct vm_a
+ {
+       struct uio_device *idev = vma->vm_private_data;
+       int mi = uio_find_mem_index(vma);
++      struct uio_mem *mem;
+       if (mi < 0)
+               return -EINVAL;
++      mem = idev->info->mem + mi;
+-      vma->vm_ops = &uio_physical_vm_ops;
++      if (vma->vm_end - vma->vm_start > mem->size)
++              return -EINVAL;
++      vma->vm_ops = &uio_physical_vm_ops;
+       vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
++      /*
++       * We cannot use the vm_iomap_memory() helper here,
++       * because vma->vm_pgoff is the map index we looked
++       * up above in uio_find_mem_index(), rather than an
++       * actual page offset into the mmap.
++       *
++       * So we just do the physical mmap without a page
++       * offset.
++       */
+       return remap_pfn_range(vma,
+                              vma->vm_start,
+-                             idev->info->mem[mi].addr >> PAGE_SHIFT,
++                             mem->addr >> PAGE_SHIFT,
+                              vma->vm_end - vma->vm_start,
+                              vma->vm_page_prot);
+ }
+--- a/drivers/video/au1100fb.c
++++ b/drivers/video/au1100fb.c
+@@ -361,37 +361,13 @@ void au1100fb_fb_rotate(struct fb_info *
+ int au1100fb_fb_mmap(struct fb_info *fbi, struct vm_area_struct *vma)
+ {
+       struct au1100fb_device *fbdev;
+-      unsigned int len;
+-      unsigned long start=0, off;
+       fbdev = to_au1100fb_device(fbi);
+-      if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT)) {
+-              return -EINVAL;
+-      }
+-
+-      start = fbdev->fb_phys & PAGE_MASK;
+-      len = PAGE_ALIGN((start & ~PAGE_MASK) + fbdev->fb_len);
+-
+-      off = vma->vm_pgoff << PAGE_SHIFT;
+-
+-      if ((vma->vm_end - vma->vm_start + off) > len) {
+-              return -EINVAL;
+-      }
+-
+-      off += start;
+-      vma->vm_pgoff = off >> PAGE_SHIFT;
+-
+       vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
+       pgprot_val(vma->vm_page_prot) |= (6 << 9); //CCA=6
+-      if (io_remap_pfn_range(vma, vma->vm_start, off >> PAGE_SHIFT,
+-                              vma->vm_end - vma->vm_start,
+-                              vma->vm_page_prot)) {
+-              return -EAGAIN;
+-      }
+-
+-      return 0;
++      return vm_iomap_memory(vma, fbdev->fb_phys, fbdev->fb_len);
+ }
+ static struct fb_ops au1100fb_ops =
+--- a/drivers/video/au1200fb.c
++++ b/drivers/video/au1200fb.c
+@@ -1233,34 +1233,13 @@ static int au1200fb_fb_blank(int blank_m
+  * method mainly to allow the use of the TLB streaming flag (CCA=6)
+  */
+ static int au1200fb_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
+-
+ {
+-      unsigned int len;
+-      unsigned long start=0, off;
+       struct au1200fb_device *fbdev = info->par;
+-      if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT)) {
+-              return -EINVAL;
+-      }
+-
+-      start = fbdev->fb_phys & PAGE_MASK;
+-      len = PAGE_ALIGN((start & ~PAGE_MASK) + fbdev->fb_len);
+-
+-      off = vma->vm_pgoff << PAGE_SHIFT;
+-
+-      if ((vma->vm_end - vma->vm_start + off) > len) {
+-              return -EINVAL;
+-      }
+-
+-      off += start;
+-      vma->vm_pgoff = off >> PAGE_SHIFT;
+-
+       vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
+       pgprot_val(vma->vm_page_prot) |= _CACHE_MASK; /* CCA=7 */
+-      return io_remap_pfn_range(vma, vma->vm_start, off >> PAGE_SHIFT,
+-                                vma->vm_end - vma->vm_start,
+-                                vma->vm_page_prot);
++      return vm_iomap_memory(vma, fbdev->fb_phys, fbdev->fb_len);
+ }
+ static void set_global(u_int cmd, struct au1200_lcd_global_regs_t *pdata)
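Review bot: In `uio_mmap_physical` the new check compares the VMA length with `mem->size`, but the mapping then starts at `mem->addr >> PAGE_SHIFT`, which discards any sub-page offset in `mem->addr`. If a driver registers a region that does not begin on a page boundary, the mapping would start at the beginning of that page and expose the bytes ahead of the region to userspace, which the length check does not catch. Rejecting that case before the remap, `if (mem->addr & ~PAGE_MASK) return -ENODEV;`, closes it. Whether any UIO driver actually registers an unaligned region is not visible here. The au1100fb and au1200fb conversions hand the offset and length validation to `vm_iomap_memory()` and look fine as shown.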
diff --git a/queue-3.10/lib-scatterlist.c-don-t-flush_kernel_dcache_page-on-slab-page.patch b/queue-3.10/lib-scatterlist.c-don-t-flush_kernel_dcache_page-on-slab-page.patch
new file mode 100644 (file)
index 0000000..d516517
--- /dev/null
@@ -0,0 +1,62 @@
+From 3d77b50c5874b7e923be946ba793644f82336b75 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@canonical.com>
+Date: Thu, 31 Oct 2013 16:34:17 -0700
+Subject: lib/scatterlist.c: don't flush_kernel_dcache_page on slab page
+
+From: Ming Lei <ming.lei@canonical.com>
+
+commit 3d77b50c5874b7e923be946ba793644f82336b75 upstream.
+
+Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper
+functions") introduces two sg buffer copy helpers, and calls
+flush_kernel_dcache_page() on pages in SG list after these pages are
+written to.
+
+Unfortunately, the commit may introduce a potential bug:
+
+ - Before sending some SCSI commands, kmalloc() buffer may be passed to
+   block layper, so flush_kernel_dcache_page() can see a slab page
+   finally
+
+ - According to cachetlb.txt, flush_kernel_dcache_page() is only called
+   on "a user page", which surely can't be a slab page.
+
+ - ARCH's implementation of flush_kernel_dcache_page() may use page
+   mapping information to do optimization so page_mapping() will see the
+   slab page, then VM_BUG_ON() is triggered.
+
+Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled,
+and this patch fixes the bug by adding test of '!PageSlab(miter->page)'
+before calling flush_kernel_dcache_page().
+
+Signed-off-by: Ming Lei <ming.lei@canonical.com>
+Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Tested-by: Simon Baatz <gmbnomis@gmail.com>
+Cc: Russell King - ARM Linux <linux@arm.linux.org.uk>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: "James E.J. Bottomley" <JBottomley@parallels.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/scatterlist.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/lib/scatterlist.c
++++ b/lib/scatterlist.c
+@@ -529,7 +529,8 @@ void sg_miter_stop(struct sg_mapping_ite
+               miter->__offset += miter->consumed;
+               miter->__remaining -= miter->consumed;
+-              if (miter->__flags & SG_MITER_TO_SG)
++              if ((miter->__flags & SG_MITER_TO_SG) &&
++                  !PageSlab(miter->page))
+                       flush_kernel_dcache_page(miter->page);
+               if (miter->__flags & SG_MITER_ATOMIC) {
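Review bot: The added `!PageSlab(miter->page)` test in `sg_miter_stop` is unexplained in the code, and the reason is not obvious from the condition alone. A comment above it, such as `/* kmalloc'ed buffers can end up in an sg list; flush_kernel_dcache_page() is only meant for user pages */`, would carry the commit message's reasoning into the source. Without it the extra test looks removable. The function body extends beyond the hunk.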
diff --git a/queue-3.10/mm-make-generic_access_phys-available-for-modules.patch b/queue-3.10/mm-make-generic_access_phys-available-for-modules.patch
new file mode 100644 (file)
index 0000000..b9346a0
--- /dev/null
@@ -0,0 +1,28 @@
+From 5a73633ef01cd8772defa6a3c34a588376a1df4c Mon Sep 17 00:00:00 2001
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Date: Wed, 7 Aug 2013 13:02:52 +0200
+Subject: mm: make generic_access_phys available for modules
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+commit 5a73633ef01cd8772defa6a3c34a588376a1df4c upstream.
+
+In the next commit this function will be used in the uio subsystem
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memory.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -4074,6 +4074,7 @@ int generic_access_phys(struct vm_area_s
+       return len;
+ }
++EXPORT_SYMBOL_GPL(generic_access_phys);
+ #endif
+ /*
diff --git a/queue-3.10/scripts-kallsyms-filter-symbols-not-in-kernel-address-space.patch b/queue-3.10/scripts-kallsyms-filter-symbols-not-in-kernel-address-space.patch
new file mode 100644 (file)
index 0000000..f15f06b
--- /dev/null
@@ -0,0 +1,84 @@
+From f6537f2f0eba4eba3354e48dbe3047db6d8b6254 Mon Sep 17 00:00:00 2001
+From: Ming Lei <tom.leiming@gmail.com>
+Date: Sat, 2 Nov 2013 09:11:33 +1030
+Subject: scripts/kallsyms: filter symbols not in kernel address space
+
+From: Ming Lei <tom.leiming@gmail.com>
+
+commit f6537f2f0eba4eba3354e48dbe3047db6d8b6254 upstream.
+
+This patch uses CONFIG_PAGE_OFFSET to filter symbols which
+are not in kernel address space because these symbols are
+generally for generating code purpose and can't be run at
+kernel mode, so we needn't keep them in /proc/kallsyms.
+
+For example, on ARM there are some symbols which may be
+linked in relocatable code section, then perf can't parse
+symbols any more from /proc/kallsyms, this patch fixes the
+problem (introduced b9b32bf70f2fb710b07c94e13afbc729afe221da)
+
+Cc: Russell King <linux@arm.linux.org.uk>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: Michal Marek <mmarek@suse.cz>
+Signed-off-by: Ming Lei <tom.leiming@gmail.com>
+Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/kallsyms.c      |   12 +++++++++++-
+ scripts/link-vmlinux.sh |    2 ++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/scripts/kallsyms.c
++++ b/scripts/kallsyms.c
+@@ -55,6 +55,7 @@ static struct sym_entry *table;
+ static unsigned int table_size, table_cnt;
+ static int all_symbols = 0;
+ static char symbol_prefix_char = '\0';
++static unsigned long long kernel_start_addr = 0;
+ int token_profit[0x10000];
+@@ -65,7 +66,10 @@ unsigned char best_table_len[256];
+ static void usage(void)
+ {
+-      fprintf(stderr, "Usage: kallsyms [--all-symbols] [--symbol-prefix=<prefix char>] < in.map > out.S\n");
++      fprintf(stderr, "Usage: kallsyms [--all-symbols] "
++                      "[--symbol-prefix=<prefix char>] "
++                      "[--page-offset=<CONFIG_PAGE_OFFSET>] "
++                      "< in.map > out.S\n");
+       exit(1);
+ }
+@@ -194,6 +198,9 @@ static int symbol_valid(struct sym_entry
+       int i;
+       int offset = 1;
++      if (s->addr < kernel_start_addr)
++              return 0;
++
+       /* skip prefix char */
+       if (symbol_prefix_char && *(s->sym + 1) == symbol_prefix_char)
+               offset++;
+@@ -646,6 +653,9 @@ int main(int argc, char **argv)
+                               if ((*p == '"' && *(p+2) == '"') || (*p == '\'' && *(p+2) == '\''))
+                                       p++;
+                               symbol_prefix_char = *p;
++                      } else if (strncmp(argv[i], "--page-offset=", 14) == 0) {
++                              const char *p = &argv[i][14];
++                              kernel_start_addr = strtoull(p, NULL, 16);
+                       } else
+                               usage();
+               }
+--- a/scripts/link-vmlinux.sh
++++ b/scripts/link-vmlinux.sh
+@@ -82,6 +82,8 @@ kallsyms()
+               kallsymopt="${kallsymopt} --all-symbols"
+       fi
++      kallsymopt="${kallsymopt} --page-offset=$CONFIG_PAGE_OFFSET"
++
+       local aflags="${KBUILD_AFLAGS} ${KBUILD_AFLAGS_KERNEL}               \
+                     ${NOSTDINC_FLAGS} ${LINUXINCLUDE} ${KBUILD_CPPFLAGS}"
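Review bot: The `--page-offset=` value is parsed in main() with `strtoull(p, NULL, 16)`, so an empty or malformed value silently becomes 0, and the new `s->addr < kernel_start_addr` test in symbol_valid() then filters nothing, with no diagnostic. link-vmlinux.sh appends `--page-offset=$CONFIG_PAGE_OFFSET` unconditionally, so a configuration that leaves CONFIG_PAGE_OFFSET undefined takes exactly that path. This may be intended, but nothing in the code says so. I would either wrap the shell line in `if [ -n "${CONFIG_PAGE_OFFSET}" ]; then … fi`, or document the fallback next to the parse with `/* empty or unparsable offset yields 0: no symbols are filtered */`. main() and symbol_valid() both continue outside the hunks shown.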
index 8faa2edee316ab04e24dbd5e0884ead8b88068ac..d9a89241889461a9f616e108c76d0b88dfb94603 100644 (file)
@@ -32,3 +32,25 @@ target-pscsi-fix-return-value-check.patch
 vhost-scsi-fix-incorrect-usage-of-get_user_pages_fast-write-parameter.patch
 clockevents-sanitize-ticks-to-nsec-conversion.patch
 parisc-do-not-crash-64bit-smp-kernels-on-machines-with-4gb-ram.patch
+scripts-kallsyms-filter-symbols-not-in-kernel-address-space.patch
+arc-incorrect-mm-reference-used-in-vmalloc-fault-handler.patch
+alsa-hda-add-missing-initial-vmaster-hook-at-build_controls-callback.patch
+alsa-hda-fix-unbalanced-runtime-pm-refcount-after-s3-s4.patch
+alsa-hda-add-a-fixup-for-asus-n76vz.patch
+alsa-fix-oops-in-snd_pcm_info-caused-by-asoc-dpcm.patch
+asoc-wm_hubs-add-missing-break-in-hp_supply_event.patch
+asoc-dapm-fix-source-list-debugfs-outputs.patch
+staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch
+staging-bcm-info-leak-in-ioctl.patch
+staging-sb105x-info-leak-in-mp_get_count.patch
+staging-wlags49_h2-buffer-overflow-setting-station-name.patch
+uml-check-length-in-exitcode_proc_write.patch
+xtensa-don-t-use-alternate-signal-stack-on-threads.patch
+mm-make-generic_access_phys-available-for-modules.patch
+uio-provide-vm-access-to-uio_mem_phys-maps.patch
+au1100fb-vm_io-is-set-by-io_remap_pfn_range.patch
+au1200fb-io_remap_pfn_range-sets-vm_io.patch
+fix-a-few-incorrectly-checked-remap_pfn_range-calls.patch
+lib-scatterlist.c-don-t-flush_kernel_dcache_page-on-slab-page.patch
+aacraid-missing-capable-check-in-compat-ioctl.patch
+clk-fixup-argument-order-when-setting-vco-parameters.patch
diff --git a/queue-3.10/staging-bcm-info-leak-in-ioctl.patch b/queue-3.10/staging-bcm-info-leak-in-ioctl.patch
new file mode 100644 (file)
index 0000000..d93b346
--- /dev/null
@@ -0,0 +1,32 @@
+From 8d1e72250c847fa96498ec029891de4dc638a5ba Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 29 Oct 2013 23:01:11 +0300
+Subject: Staging: bcm: info leak in ioctl
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 8d1e72250c847fa96498ec029891de4dc638a5ba upstream.
+
+The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel
+information to user space.
+
+Reported-by: Nico Golde <nico@ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/bcm/Bcmchar.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/bcm/Bcmchar.c
++++ b/drivers/staging/bcm/Bcmchar.c
+@@ -1960,6 +1960,7 @@ cntrlEnd:
+               BCM_DEBUG_PRINT(Adapter, DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL, "Called IOCTL_BCM_GET_DEVICE_DRIVER_INFO\n");
++              memset(&DevInfo, 0, sizeof(DevInfo));
+               DevInfo.MaxRDMBufferSize = BUFFER_4K;
+               DevInfo.u32DSDStartOffset = EEPROM_CALPARAM_START;
+               DevInfo.u32RxAlignmentCorrection = 0;
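Review bot: The added `memset(&DevInfo, 0, sizeof(DevInfo));` has no comment explaining why a struct whose named fields are assigned immediately below must be cleared first. A one-line comment would keep a later cleanup from removing it as redundant: `/* clear u32Reserved[] and any padding: DevInfo is copied to user space */`. The copy to user space itself is outside this hunk, so that wording is taken from the patch description rather than from visible code.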
diff --git a/queue-3.10/staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch b/queue-3.10/staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch
new file mode 100644 (file)
index 0000000..72a98e9
--- /dev/null
@@ -0,0 +1,33 @@
+From c2c65cd2e14ada6de44cb527e7f1990bede24e15 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 29 Oct 2013 22:07:47 +0300
+Subject: staging: ozwpan: prevent overflow in oz_cdev_write()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit c2c65cd2e14ada6de44cb527e7f1990bede24e15 upstream.
+
+We need to check "count" so we don't overflow the ei->data buffer.
+
+Reported-by: Nico Golde <nico@ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/ozwpan/ozcdev.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/staging/ozwpan/ozcdev.c
++++ b/drivers/staging/ozwpan/ozcdev.c
+@@ -153,6 +153,9 @@ static ssize_t oz_cdev_write(struct file
+       struct oz_app_hdr *app_hdr;
+       struct oz_serial_ctx *ctx;
++      if (count > sizeof(ei->data) - sizeof(*elt) - sizeof(*app_hdr))
++              return -EINVAL;
++
+       spin_lock_bh(&g_cdev.lock);
+       pd = g_cdev.active_pd;
+       if (pd)
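Review bot: The bound `sizeof(ei->data) - sizeof(*elt) - sizeof(*app_hdr)` is computed in unsigned arithmetic, so if the two headers ever outgrow `ei->data` it wraps to a very large value and the check accepts every `count`. All three sizes are compile-time constants, so the assumption can be pinned next to the check with `BUILD_BUG_ON(sizeof(ei->data) < sizeof(*elt) + sizeof(*app_hdr));`. A short comment such as `/* payload must fit in ei->data after the element and app headers */` would also say where the limit comes from. The declarations of `ei` and `elt`, and the copy that consumes `count`, are outside this hunk.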
diff --git a/queue-3.10/staging-sb105x-info-leak-in-mp_get_count.patch b/queue-3.10/staging-sb105x-info-leak-in-mp_get_count.patch
new file mode 100644 (file)
index 0000000..e87d568
--- /dev/null
@@ -0,0 +1,33 @@
+From a8b33654b1e3b0c74d4a1fed041c9aae50b3c427 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 29 Oct 2013 23:01:43 +0300
+Subject: Staging: sb105x: info leak in mp_get_count()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit a8b33654b1e3b0c74d4a1fed041c9aae50b3c427 upstream.
+
+The icount.reserved[] array isn't initialized so it leaks stack
+information to userspace.
+
+Reported-by: Nico Golde <nico@ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/sb105x/sb_pci_mp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/sb105x/sb_pci_mp.c
++++ b/drivers/staging/sb105x/sb_pci_mp.c
+@@ -1063,7 +1063,7 @@ static int mp_wait_modem_status(struct s
+ static int mp_get_count(struct sb_uart_state *state, struct serial_icounter_struct *icnt)
+ {
+-      struct serial_icounter_struct icount;
++      struct serial_icounter_struct icount = {};
+       struct sb_uart_icount cnow;
+       struct sb_uart_port *port = state->port;
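Review bot: `struct serial_icounter_struct icount = {};` zeroes the members, including reserved[], but C does not guarantee that padding bytes of an initialised automatic struct are cleared, and the empty initializer is a GNU extension. For a struct that is handed to user space, `memset(&icount, 0, sizeof(icount));` after the declarations covers every byte, and it matches the bcm fix queued in this same series. Whether this struct has padding on any supported ABI cannot be told from the hunk, and the copy out to `icnt` is outside it.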
diff --git a/queue-3.10/staging-wlags49_h2-buffer-overflow-setting-station-name.patch b/queue-3.10/staging-wlags49_h2-buffer-overflow-setting-station-name.patch
new file mode 100644 (file)
index 0000000..a6945f3
--- /dev/null
@@ -0,0 +1,64 @@
+From b5e2f339865fb443107e5b10603e53bbc92dc054 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 29 Oct 2013 23:00:15 +0300
+Subject: staging: wlags49_h2: buffer overflow setting station name
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream.
+
+We need to check the length parameter before doing the memcpy().  I've
+actually changed it to strlcpy() as well so that it's NUL terminated.
+
+You need CAP_NET_ADMIN to trigger these so it's not the end of the
+world.
+
+Reported-by: Nico Golde <nico@ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/wlags49_h2/wl_priv.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/wlags49_h2/wl_priv.c
++++ b/drivers/staging/wlags49_h2/wl_priv.c
+@@ -570,6 +570,7 @@ int wvlan_uil_put_info(struct uilreq *ur
+       ltv_t                   *pLtv;
+       bool_t                  ltvAllocated = FALSE;
+       ENCSTRCT                sEncryption;
++      size_t                  len;
+ #ifdef USE_WDS
+       hcf_16                  hcfPort  = HCF_PORT_0;
+@@ -686,7 +687,8 @@ int wvlan_uil_put_info(struct uilreq *ur
+                                       break;
+                               case CFG_CNF_OWN_NAME:
+                                       memset(lp->StationName, 0, sizeof(lp->StationName));
+-                                      memcpy((void *)lp->StationName, (void *)&pLtv->u.u8[2], (size_t)pLtv->u.u16[0]);
++                                      len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName));
++                                      strlcpy(lp->StationName, &pLtv->u.u8[2], len);
+                                       pLtv->u.u16[0] = CNV_INT_TO_LITTLE(pLtv->u.u16[0]);
+                                       break;
+                               case CFG_CNF_LOAD_BALANCING:
+@@ -1783,6 +1785,7 @@ int wvlan_set_station_nickname(struct ne
+ {
+       struct wl_private *lp = wl_priv(dev);
+       unsigned long flags;
++      size_t len;
+       int         ret = 0;
+       /*------------------------------------------------------------------------*/
+@@ -1793,8 +1796,8 @@ int wvlan_set_station_nickname(struct ne
+       wl_lock(lp, &flags);
+       memset(lp->StationName, 0, sizeof(lp->StationName));
+-
+-      memcpy(lp->StationName, extra, wrqu->data.length);
++      len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName));
++      strlcpy(lp->StationName, extra, len);
+       /* Commit the adapter parameters */
+       wl_apply(lp);
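Review bot: `strlcpy(lp->StationName, extra, len)` in wvlan_set_station_nickname() bounds the write but not the read: strlcpy() runs strlen() over the source, so a source with no NUL inside `wrqu->data.length` bytes is read past its end. It also copies at most `len - 1` bytes, so a name supplied without a trailing NUL loses its last character. StationName is already cleared by the memset() just above, so a bounded memcpy keeps the terminator and avoids both effects: `len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName) - 1);` followed by `memcpy(lp->StationName, extra, len);`. The CFG_CNF_OWN_NAME case in wvlan_uil_put_info() has the same pattern with `pLtv->u.u16[0]`. Both functions extend beyond the hunks shown, so whether the sources are terminated elsewhere is not visible.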
diff --git a/queue-3.10/uio-provide-vm-access-to-uio_mem_phys-maps.patch b/queue-3.10/uio-provide-vm-access-to-uio_mem_phys-maps.patch
new file mode 100644 (file)
index 0000000..3b14281
--- /dev/null
@@ -0,0 +1,76 @@
+From 7294151d0592e0ff48c61fca9fd7c93d613134da Mon Sep 17 00:00:00 2001
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Date: Wed, 7 Aug 2013 13:02:53 +0200
+Subject: uio: provide vm access to UIO_MEM_PHYS maps
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+commit 7294151d0592e0ff48c61fca9fd7c93d613134da upstream.
+
+This makes it possible to let gdb access mappings of the process that is
+being debugged.
+
+uio_mmap_logical was moved and uio_vm_ops renamed to group related code
+and differentiate to new stuff.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/uio/uio.c |   26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+--- a/drivers/uio/uio.c
++++ b/drivers/uio/uio.c
+@@ -630,12 +630,26 @@ static int uio_vma_fault(struct vm_area_
+       return 0;
+ }
+-static const struct vm_operations_struct uio_vm_ops = {
++static const struct vm_operations_struct uio_logical_vm_ops = {
+       .open = uio_vma_open,
+       .close = uio_vma_close,
+       .fault = uio_vma_fault,
+ };
++static int uio_mmap_logical(struct vm_area_struct *vma)
++{
++      vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;
++      vma->vm_ops = &uio_logical_vm_ops;
++      uio_vma_open(vma);
++      return 0;
++}
++
++static const struct vm_operations_struct uio_physical_vm_ops = {
++#ifdef CONFIG_HAVE_IOREMAP_PROT
++      .access = generic_access_phys,
++#endif
++};
++
+ static int uio_mmap_physical(struct vm_area_struct *vma)
+ {
+       struct uio_device *idev = vma->vm_private_data;
+@@ -643,6 +657,8 @@ static int uio_mmap_physical(struct vm_a
+       if (mi < 0)
+               return -EINVAL;
++      vma->vm_ops = &uio_physical_vm_ops;
++
+       vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
+       return remap_pfn_range(vma,
+@@ -652,14 +668,6 @@ static int uio_mmap_physical(struct vm_a
+                              vma->vm_page_prot);
+ }
+-static int uio_mmap_logical(struct vm_area_struct *vma)
+-{
+-      vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;
+-      vma->vm_ops = &uio_vm_ops;
+-      uio_vma_open(vma);
+-      return 0;
+-}
+-
+ static int uio_mmap(struct file *filep, struct vm_area_struct *vma)
+ {
+       struct uio_listener *listener = filep->private_data;
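Review bot: `uio_physical_vm_ops` is added without a comment, although its single member changes who can reach the mapping. Per the patch description, `.access = generic_access_phys` is what lets a debugger read and write a UIO_MEM_PHYS mapping of the traced process. I would put a comment above the struct, e.g. `/* .access lets ptrace-style accessors reach the device mapping; reads may have side effects on the hardware */`; the second half is an assumption about the mapped device and should be confirmed. The comment should also state that the struct is intentionally empty when CONFIG_HAVE_IOREMAP_PROT is not set.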
diff --git a/queue-3.10/uml-check-length-in-exitcode_proc_write.patch b/queue-3.10/uml-check-length-in-exitcode_proc_write.patch
new file mode 100644 (file)
index 0000000..4c39edb
--- /dev/null
@@ -0,0 +1,37 @@
+From 201f99f170df14ba52ea4c52847779042b7a623b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 29 Oct 2013 22:06:04 +0300
+Subject: uml: check length in exitcode_proc_write()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 201f99f170df14ba52ea4c52847779042b7a623b upstream.
+
+We don't cap the size of buffer from the user so we could write past the
+end of the array here.  Only root can write to this file.
+
+Reported-by: Nico Golde <nico@ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/um/kernel/exitcode.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/um/kernel/exitcode.c
++++ b/arch/um/kernel/exitcode.c
+@@ -40,9 +40,11 @@ static ssize_t exitcode_proc_write(struc
+               const char __user *buffer, size_t count, loff_t *pos)
+ {
+       char *end, buf[sizeof("nnnnn\0")];
++      size_t size;
+       int tmp;
+-      if (copy_from_user(buf, buffer, count))
++      size = min(count, sizeof(buf));
++      if (copy_from_user(buf, buffer, size))
+               return -EFAULT;
+       tmp = simple_strtol(buf, &end, 0);
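Review bot: Capping the copy at `sizeof(buf)` stops the overflow, but `buf` still reaches `simple_strtol(buf, &end, 0)` without a guaranteed terminator. A write of `sizeof(buf)` or more bytes fills the whole array, and a shorter write leaves the remaining bytes as uninitialised stack. Reserve the last byte and terminate explicitly: `size = min(count, sizeof(buf) - 1);` and, after the copy_from_user() check, `buf[size] = '\0';`. The rest of exitcode_proc_write(), including what it returns for `count`, is outside this hunk.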
diff --git a/queue-3.10/xtensa-don-t-use-alternate-signal-stack-on-threads.patch b/queue-3.10/xtensa-don-t-use-alternate-signal-stack-on-threads.patch
new file mode 100644 (file)
index 0000000..a1a743a
--- /dev/null
@@ -0,0 +1,38 @@
+From cba9a90053e3b7973eff4f1946f33032e98eeed5 Mon Sep 17 00:00:00 2001
+From: Baruch Siach <baruch@tkos.co.il>
+Date: Tue, 15 Oct 2013 02:22:43 +0400
+Subject: xtensa: don't use alternate signal stack on threads
+
+From: Baruch Siach <baruch@tkos.co.il>
+
+commit cba9a90053e3b7973eff4f1946f33032e98eeed5 upstream.
+
+According to create_thread(3): "The new thread does not inherit the creating
+thread's alternate signal stack". Since commit f9a3879a (Fix sigaltstack
+corruption among cloned threads), current->sas_ss_size is set to 0 for cloned
+processes sharing VM with their parent. Don't use the (nonexistent) alternate
+signal stack in this case. This has been broken since commit 29c4dfd9 ([XTENSA]
+Remove non-rt signal handling).
+
+Fixes the SA_ONSTACK part of the nptl/tst-cancel20 test from uClibc.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Chris Zankel <chris@zankel.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/xtensa/kernel/signal.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/xtensa/kernel/signal.c
++++ b/arch/xtensa/kernel/signal.c
+@@ -341,7 +341,7 @@ static int setup_frame(int sig, struct k
+       sp = regs->areg[1];
+-      if ((ka->sa.sa_flags & SA_ONSTACK) != 0 && ! on_sig_stack(sp)) {
++      if ((ka->sa.sa_flags & SA_ONSTACK) != 0 && sas_ss_flags(sp) == 0) {
+               sp = current->sas_ss_sp + current->sas_ss_size;
+       }