--- /dev/null
+From f856567b930dfcdbc3323261bf77240ccdde01f5 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 29 Oct 2013 22:11:06 +0300
+Subject: aacraid: missing capable() check in compat ioctl
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit f856567b930dfcdbc3323261bf77240ccdde01f5 upstream.
+
+In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we
+added a check on CAP_SYS_RAWIO to the ioctl. The compat ioctls need the
+check as well.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/aacraid/linit.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/aacraid/linit.c
++++ b/drivers/scsi/aacraid/linit.c
+@@ -777,6 +777,8 @@ static long aac_compat_do_ioctl(struct a
+ static int aac_compat_ioctl(struct scsi_device *sdev, int cmd, void __user *arg)
+ {
+ struct aac_dev *dev = (struct aac_dev *)sdev->host->hostdata;
++ if (!capable(CAP_SYS_RAWIO))
++ return -EPERM;
+ return aac_compat_do_ioctl(dev, cmd, (unsigned long)arg);
+ }
+
--- /dev/null
+From a4461f41b94cb52e0141af717dcf4ef6558c8e2e Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@arm.linux.org.uk>
+Date: Thu, 31 Oct 2013 15:01:37 +0000
+Subject: ALSA: fix oops in snd_pcm_info() caused by ASoC DPCM
+
+From: Russell King <rmk+kernel@arm.linux.org.uk>
+
+commit a4461f41b94cb52e0141af717dcf4ef6558c8e2e upstream.
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000008
+pgd = d5300000
+[00000008] *pgd=0d265831, *pte=00000000, *ppte=00000000
+Internal error: Oops: 17 [#1] PREEMPT ARM
+CPU: 0 PID: 2295 Comm: vlc Not tainted 3.11.0+ #755
+task: dee74800 ti: e213c000 task.ti: e213c000
+PC is at snd_pcm_info+0xc8/0xd8
+LR is at 0x30232065
+pc : [<c031b52c>] lr : [<30232065>] psr: a0070013
+sp : e213dea8 ip : d81cb0d0 fp : c05f7678
+r10: c05f7770 r9 : fffffdfd r8 : 00000000
+r7 : d8a968a8 r6 : d8a96800 r5 : d8a96200 r4 : d81cb000
+r3 : 00000000 r2 : d81cb000 r1 : 00000001 r0 : d8a96200
+Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
+Control: 10c5387d Table: 15300019 DAC: 00000015
+Process vlc (pid: 2295, stack limit = 0xe213c248)
+[<c031b52c>] (snd_pcm_info) from [<c031b570>] (snd_pcm_info_user+0x34/0x9c)
+[<c031b570>] (snd_pcm_info_user) from [<c03164a4>] (snd_pcm_control_ioctl+0x274/0x280)
+[<c03164a4>] (snd_pcm_control_ioctl) from [<c0311458>] (snd_ctl_ioctl+0xc0/0x55c)
+[<c0311458>] (snd_ctl_ioctl) from [<c00eca84>] (do_vfs_ioctl+0x80/0x31c)
+[<c00eca84>] (do_vfs_ioctl) from [<c00ecd5c>] (SyS_ioctl+0x3c/0x60)
+[<c00ecd5c>] (SyS_ioctl) from [<c000e500>] (ret_fast_syscall+0x0/0x48)
+Code: e1a00005 e59530dc e3a01001 e1a02004 (e5933008)
+---[ end trace cb3d9bdb8dfefb3c ]---
+
+This is provoked when the ASoC front end is open along with its backend,
+(which causes the backend to have a runtime assigned to it) and then the
+SNDRV_CTL_IOCTL_PCM_INFO is requested for the (visible) backend device.
+
+Resolve this by ensuring that ASoC internal backend devices are not
+visible to userspace, just as the commentry for snd_pcm_new_internal()
+says it should be.
+
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Acked-by: Mark Brown <broonie@linaro.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -49,6 +49,8 @@ static struct snd_pcm *snd_pcm_get(struc
+ struct snd_pcm *pcm;
+
+ list_for_each_entry(pcm, &snd_pcm_devices, list) {
++ if (pcm->internal)
++ continue;
+ if (pcm->card == card && pcm->device == device)
+ return pcm;
+ }
+@@ -60,6 +62,8 @@ static int snd_pcm_next(struct snd_card
+ struct snd_pcm *pcm;
+
+ list_for_each_entry(pcm, &snd_pcm_devices, list) {
++ if (pcm->internal)
++ continue;
+ if (pcm->card == card && pcm->device > device)
+ return pcm->device;
+ else if (pcm->card->number > card->number)
--- /dev/null
+From 6fc16e58adf50c0f1e4478538983fb5ff6f453d4 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 30 Oct 2013 12:29:40 +0100
+Subject: ALSA: hda - Add a fixup for ASUS N76VZ
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 6fc16e58adf50c0f1e4478538983fb5ff6f453d4 upstream.
+
+ASUS N76VZ needs the same fixup as N56VZ for supporting the boost
+speaker.
+
+Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=846529
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6833,6 +6833,7 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x1025, 0x038b, "Acer Aspire 8943G", ALC662_FIXUP_ASPIRE),
+ SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
+ SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_ASUS_MODE4),
++ SND_PCI_QUIRK(0x1043, 0x1bf3, "ASUS N76VZ", ALC662_FIXUP_ASUS_MODE4),
+ SND_PCI_QUIRK(0x1043, 0x8469, "ASUS mobo", ALC662_FIXUP_NO_JACK_DETECT),
+ SND_PCI_QUIRK(0x105b, 0x0cd6, "Foxconn", ALC662_FIXUP_ASUS_MODE2),
+ SND_PCI_QUIRK(0x144d, 0xc051, "Samsung R720", ALC662_FIXUP_IDEAPAD),
--- /dev/null
+From ff18620c2157671a8ee21ebb8e6a3520ea209b1f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 28 Oct 2013 14:21:49 +0100
+Subject: ASoC: dapm: Fix source list debugfs outputs
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit ff18620c2157671a8ee21ebb8e6a3520ea209b1f upstream.
+
+... due to a copy & paste error.
+
+Spotted by coverity CID 710923.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Mark Brown <broonie@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/soc-dapm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -1590,7 +1590,7 @@ static ssize_t dapm_widget_power_read_fi
+ w->active ? "active" : "inactive");
+
+ list_for_each_entry(p, &w->sources, list_sink) {
+- if (p->connected && !p->connected(w, p->sink))
++ if (p->connected && !p->connected(w, p->source))
+ continue;
+
+ if (p->connect)
--- /dev/null
+From 268ff14525edba31da29a12a9dd693cdd6a7872e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 30 Oct 2013 08:35:02 +0100
+Subject: ASoC: wm_hubs: Add missing break in hp_supply_event()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 268ff14525edba31da29a12a9dd693cdd6a7872e upstream.
+
+Spotted by coverity CID 115170.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Mark Brown <broonie@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/wm_hubs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/codecs/wm_hubs.c
++++ b/sound/soc/codecs/wm_hubs.c
+@@ -413,6 +413,7 @@ static int hp_supply_event(struct snd_so
+ hubs->hp_startup_mode);
+ break;
+ }
++ break;
+
+ case SND_SOC_DAPM_PRE_PMD:
+ snd_soc_update_bits(codec, WM8993_CHARGE_PUMP_1,
--- /dev/null
+From 3d77b50c5874b7e923be946ba793644f82336b75 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@canonical.com>
+Date: Thu, 31 Oct 2013 16:34:17 -0700
+Subject: lib/scatterlist.c: don't flush_kernel_dcache_page on slab page
+
+From: Ming Lei <ming.lei@canonical.com>
+
+commit 3d77b50c5874b7e923be946ba793644f82336b75 upstream.
+
+Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper
+functions") introduces two sg buffer copy helpers, and calls
+flush_kernel_dcache_page() on pages in SG list after these pages are
+written to.
+
+Unfortunately, the commit may introduce a potential bug:
+
+ - Before sending some SCSI commands, kmalloc() buffer may be passed to
+ block layper, so flush_kernel_dcache_page() can see a slab page
+ finally
+
+ - According to cachetlb.txt, flush_kernel_dcache_page() is only called
+ on "a user page", which surely can't be a slab page.
+
+ - ARCH's implementation of flush_kernel_dcache_page() may use page
+ mapping information to do optimization so page_mapping() will see the
+ slab page, then VM_BUG_ON() is triggered.
+
+Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled,
+and this patch fixes the bug by adding test of '!PageSlab(miter->page)'
+before calling flush_kernel_dcache_page().
+
+Signed-off-by: Ming Lei <ming.lei@canonical.com>
+Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Tested-by: Simon Baatz <gmbnomis@gmail.com>
+Cc: Russell King - ARM Linux <linux@arm.linux.org.uk>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: "James E.J. Bottomley" <JBottomley@parallels.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/scatterlist.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/lib/scatterlist.c
++++ b/lib/scatterlist.c
+@@ -419,7 +419,8 @@ void sg_miter_stop(struct sg_mapping_ite
+ if (miter->addr) {
+ miter->__offset += miter->consumed;
+
+- if (miter->__flags & SG_MITER_TO_SG)
++ if ((miter->__flags & SG_MITER_TO_SG) &&
++ !PageSlab(miter->page))
+ flush_kernel_dcache_page(miter->page);
+
+ if (miter->__flags & SG_MITER_ATOMIC) {
md-fix-skipping-recovery-for-read-only-arrays.patch
clockevents-sanitize-ticks-to-nsec-conversion.patch
parisc-do-not-crash-64bit-smp-kernels-on-machines-with-4gb-ram.patch
+alsa-hda-add-a-fixup-for-asus-n76vz.patch
+alsa-fix-oops-in-snd_pcm_info-caused-by-asoc-dpcm.patch
+asoc-wm_hubs-add-missing-break-in-hp_supply_event.patch
+asoc-dapm-fix-source-list-debugfs-outputs.patch
+staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch
+staging-bcm-info-leak-in-ioctl.patch
+uml-check-length-in-exitcode_proc_write.patch
+xtensa-don-t-use-alternate-signal-stack-on-threads.patch
+lib-scatterlist.c-don-t-flush_kernel_dcache_page-on-slab-page.patch
+aacraid-missing-capable-check-in-compat-ioctl.patch
--- /dev/null
+From 8d1e72250c847fa96498ec029891de4dc638a5ba Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 29 Oct 2013 23:01:11 +0300
+Subject: Staging: bcm: info leak in ioctl
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 8d1e72250c847fa96498ec029891de4dc638a5ba upstream.
+
+The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel
+information to user space.
+
+Reported-by: Nico Golde <nico@ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/bcm/Bcmchar.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/bcm/Bcmchar.c
++++ b/drivers/staging/bcm/Bcmchar.c
+@@ -1957,6 +1957,7 @@ cntrlEnd:
+
+ BCM_DEBUG_PRINT(Adapter, DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL, "Called IOCTL_BCM_GET_DEVICE_DRIVER_INFO\n");
+
++ memset(&DevInfo, 0, sizeof(DevInfo));
+ DevInfo.MaxRDMBufferSize = BUFFER_4K;
+ DevInfo.u32DSDStartOffset = EEPROM_CALPARAM_START;
+ DevInfo.u32RxAlignmentCorrection = 0;
--- /dev/null
+From c2c65cd2e14ada6de44cb527e7f1990bede24e15 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 29 Oct 2013 22:07:47 +0300
+Subject: staging: ozwpan: prevent overflow in oz_cdev_write()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit c2c65cd2e14ada6de44cb527e7f1990bede24e15 upstream.
+
+We need to check "count" so we don't overflow the ei->data buffer.
+
+Reported-by: Nico Golde <nico@ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/ozwpan/ozcdev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/staging/ozwpan/ozcdev.c
++++ b/drivers/staging/ozwpan/ozcdev.c
+@@ -153,6 +153,9 @@ ssize_t oz_cdev_write(struct file *filp,
+ struct oz_app_hdr *app_hdr;
+ struct oz_serial_ctx *ctx;
+
++ if (count > sizeof(ei->data) - sizeof(*elt) - sizeof(*app_hdr))
++ return -EINVAL;
++
+ spin_lock_bh(&g_cdev.lock);
+ pd = g_cdev.active_pd;
+ if (pd)
--- /dev/null
+From 201f99f170df14ba52ea4c52847779042b7a623b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 29 Oct 2013 22:06:04 +0300
+Subject: uml: check length in exitcode_proc_write()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 201f99f170df14ba52ea4c52847779042b7a623b upstream.
+
+We don't cap the size of buffer from the user so we could write past the
+end of the array here. Only root can write to this file.
+
+Reported-by: Nico Golde <nico@ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/um/kernel/exitcode.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/um/kernel/exitcode.c
++++ b/arch/um/kernel/exitcode.c
+@@ -40,9 +40,11 @@ static ssize_t exitcode_proc_write(struc
+ const char __user *buffer, size_t count, loff_t *pos)
+ {
+ char *end, buf[sizeof("nnnnn\0")];
++ size_t size;
+ int tmp;
+
+- if (copy_from_user(buf, buffer, count))
++ size = min(count, sizeof(buf));
++ if (copy_from_user(buf, buffer, size))
+ return -EFAULT;
+
+ tmp = simple_strtol(buf, &end, 0);
--- /dev/null
+From cba9a90053e3b7973eff4f1946f33032e98eeed5 Mon Sep 17 00:00:00 2001
+From: Baruch Siach <baruch@tkos.co.il>
+Date: Tue, 15 Oct 2013 02:22:43 +0400
+Subject: xtensa: don't use alternate signal stack on threads
+
+From: Baruch Siach <baruch@tkos.co.il>
+
+commit cba9a90053e3b7973eff4f1946f33032e98eeed5 upstream.
+
+According to create_thread(3): "The new thread does not inherit the creating
+thread's alternate signal stack". Since commit f9a3879a (Fix sigaltstack
+corruption among cloned threads), current->sas_ss_size is set to 0 for cloned
+processes sharing VM with their parent. Don't use the (nonexistent) alternate
+signal stack in this case. This has been broken since commit 29c4dfd9 ([XTENSA]
+Remove non-rt signal handling).
+
+Fixes the SA_ONSTACK part of the nptl/tst-cancel20 test from uClibc.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Chris Zankel <chris@zankel.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/xtensa/kernel/signal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/xtensa/kernel/signal.c
++++ b/arch/xtensa/kernel/signal.c
+@@ -343,7 +343,7 @@ static int setup_frame(int sig, struct k
+
+ sp = regs->areg[1];
+
+- if ((ka->sa.sa_flags & SA_ONSTACK) != 0 && ! on_sig_stack(sp)) {
++ if ((ka->sa.sa_flags & SA_ONSTACK) != 0 && sas_ss_flags(sp) == 0) {
+ sp = current->sas_ss_sp + current->sas_ss_size;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
