--- /dev/null
+From 1b15ec7a7427d4188ba91b9bbac696250a059d22 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+Date: Thu, 5 Dec 2013 14:21:36 +0100
+Subject: ARM: 7912/1: check stack pointer in get_wchan
+
+From: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+
+commit 1b15ec7a7427d4188ba91b9bbac696250a059d22 upstream.
+
+get_wchan() is lockless. Task may wakeup at any time and change its own stack,
+thus each next stack frame may be overwritten and filled with random stuff.
+
+/proc/$pid/stack interface had been disabled for non-current tasks, see [1]
+But 'wchan' still allows to trigger stack frame unwinding on volatile stack.
+
+This patch fixes oops in unwind_frame() by adding stack pointer validation on
+each step (as x86 code do), unwind_frame() already checks frame pointer.
+
+Also I've found another report of this oops on stackoverflow (irony).
+
+Link: http://www.spinics.net/lists/arm-kernel/msg110589.html [1]
+Link: http://stackoverflow.com/questions/18479894/unwind-frame-cause-a-kernel-paging-error
+
+Signed-off-by: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kernel/process.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/kernel/process.c
++++ b/arch/arm/kernel/process.c
+@@ -404,6 +404,7 @@ EXPORT_SYMBOL(dump_fpu);
+ unsigned long get_wchan(struct task_struct *p)
+ {
+ struct stackframe frame;
++ unsigned long stack_page;
+ int count = 0;
+ if (!p || p == current || p->state == TASK_RUNNING)
+ return 0;
+@@ -412,9 +413,11 @@ unsigned long get_wchan(struct task_stru
+ frame.sp = thread_saved_sp(p);
+ frame.lr = 0; /* recovered from the stack */
+ frame.pc = thread_saved_pc(p);
++ stack_page = (unsigned long)task_stack_page(p);
+ do {
+- int ret = unwind_frame(&frame);
+- if (ret < 0)
++ if (frame.sp < stack_page ||
++ frame.sp >= stack_page + THREAD_SIZE ||
++ unwind_frame(&frame) < 0)
+ return 0;
+ if (!in_sched_functions(frame.pc))
+ return frame.pc;
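Review bot: The new bounds test inside the `do` loop has no comment saying why it is repeated on every iteration, and that reason is the substance of the fix: the walk is lockless, so the target task can wake up and rewrite its stack between steps. I would add above the `if`: `/* p may run and rewrite its stack under us: re-check sp against its stack page before every unwind step */`. The check only keeps the unwinder's reads inside the task's stack; after a race the `frame.pc` that is returned can still be stale or arbitrary, so the result is advisory. The loop and the rest of get_wchan() continue past the end of this hunk.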
--- /dev/null
+From 3abb6671a9c04479c4bd026798a05f857393b7e2 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+Date: Thu, 5 Dec 2013 14:23:48 +0100
+Subject: ARM: 7913/1: fix framepointer check in unwind_frame
+
+From: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+
+commit 3abb6671a9c04479c4bd026798a05f857393b7e2 upstream.
+
+This patch fixes corner case when (fp + 4) overflows unsigned long,
+for example: fp = 0xFFFFFFFF -> fp + 4 == 3.
+
+Signed-off-by: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kernel/stacktrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/stacktrace.c
++++ b/arch/arm/kernel/stacktrace.c
+@@ -31,7 +31,7 @@ int notrace unwind_frame(struct stackfra
+ high = ALIGN(low, THREAD_SIZE);
+
+ /* check current frame pointer is within bounds */
+- if (fp < (low + 12) || fp + 4 >= high)
++ if (fp < low + 12 || fp > high - 4)
+ return -EINVAL;
+
+ /* restore the registers from the stack frame */
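Review bot: The rewritten upper bound `fp > high - 4` also moves the boundary, which the comment above the test does not mention: `fp == high - 4` was rejected by the old form and is accepted now. The lower side `low + 12` is still an unguarded addition, and `ALIGN(low, THREAD_SIZE)` can itself wrap when `low` is near the top of the address space, so the test is sound only if the caller has already confined the stack pointer to a real stack. `low` is assigned outside this hunk, presumably from the frame's sp. I would extend the comment to `/* written without fp + 4 so the test cannot wrap; assumes low is an already validated stack address */`.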
--- /dev/null
+From b31459adeab018b297541e288ac88873011da82a Mon Sep 17 00:00:00 2001
+From: Jon Medhurst <tixy@linaro.org>
+Date: Mon, 9 Dec 2013 13:45:46 +0100
+Subject: ARM: 7917/1: cacheflush: correctly limit range of memory region being flushed
+
+From: Jon Medhurst <tixy@linaro.org>
+
+commit b31459adeab018b297541e288ac88873011da82a upstream.
+
+The __do_cache_op function operates with a 'chunk' size of one page
+but fails to limit the size of the final chunk so as to not exceed
+the specified memory region. Fix this.
+
+Reported-by: Christian Gmeiner <christian.gmeiner@gmail.com>
+Tested-by: Christian Gmeiner <christian.gmeiner@gmail.com>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Jon Medhurst <tixy@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kernel/traps.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/traps.c
++++ b/arch/arm/kernel/traps.c
+@@ -503,9 +503,10 @@ static inline int
+ __do_cache_op(unsigned long start, unsigned long end)
+ {
+ int ret;
+- unsigned long chunk = PAGE_SIZE;
+
+ do {
++ unsigned long chunk = min(PAGE_SIZE, end - start);
++
+ if (signal_pending(current)) {
+ struct thread_info *ti = current_thread_info();
+
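Review bot: `min(PAGE_SIZE, end - start)` is evaluated in unsigned arithmetic, so the new clamp is correct only when `end >= start`; if `end < start` the subtraction wraps and every chunk is a full page again. No such check is visible in this hunk, so it is presumably enforced before __do_cache_op() is called, which is worth confirming because the range appears to originate from the user-facing cacheflush path. A comment at the declaration would record the assumption: `/* caller guarantees start <= end, so end - start cannot wrap */`. The loop body and the end of the function are outside the hunk.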
--- /dev/null
+From 3843114856728075d0a80e7151197c19fb3a9e08 Mon Sep 17 00:00:00 2001
+From: Rob Herring <rob.herring@calxeda.com>
+Date: Wed, 4 Dec 2013 11:05:17 -0600
+Subject: ARM: highbank: handle soft poweroff and reset key events
+
+From: Rob Herring <rob.herring@calxeda.com>
+
+commit 3843114856728075d0a80e7151197c19fb3a9e08 upstream.
+
+Graceful reboot and poweroff via IPMI commands to the management
+processor don't work. Power and reset keys are events from the
+management processor which are generated via IPC messages. Passing
+the keys to userspace does not work as neither acpid nor a desktop
+environment are present.
+
+This adds a notifier handler for the IPC messages so the kernel can
+handle the key events directly and IPMI graceful shutdown will work.
+
+Signed-off-by: Rob Herring <rob.herring@calxeda.com>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-highbank/highbank.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/arch/arm/mach-highbank/highbank.c
++++ b/arch/arm/mach-highbank/highbank.c
+@@ -17,12 +17,15 @@
+ #include <linux/clkdev.h>
+ #include <linux/clocksource.h>
+ #include <linux/dma-mapping.h>
++#include <linux/input.h>
+ #include <linux/io.h>
+ #include <linux/irqchip.h>
++#include <linux/mailbox.h>
+ #include <linux/of.h>
+ #include <linux/of_irq.h>
+ #include <linux/of_platform.h>
+ #include <linux/of_address.h>
++#include <linux/reboot.h>
+ #include <linux/amba/bus.h>
+ #include <linux/clk-provider.h>
+
+@@ -153,6 +156,24 @@ static struct notifier_block highbank_pl
+ .notifier_call = highbank_platform_notifier,
+ };
+
++static int hb_keys_notifier(struct notifier_block *nb, unsigned long event, void *data)
++{
++ u32 key = *(u32 *)data;
++
++ if (event != 0x1000)
++ return 0;
++
++ if (key == KEY_POWER)
++ orderly_poweroff(false);
++ else if (key == 0xffff)
++ ctrl_alt_del();
++
++ return 0;
++}
++static struct notifier_block hb_keys_nb = {
++ .notifier_call = hb_keys_notifier,
++};
++
+ static void __init highbank_init(void)
+ {
+ pm_power_off = highbank_power_off;
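Review bot: hb_keys_notifier() dereferences `data` in the initialiser `u32 key = *(u32 *)data;` before checking that `event` is the one it handles, so any other IPC notification delivered with a NULL or shorter payload would fault in the kernel. Moving the load below the filter keeps the handler safe for events it ignores: `if (event != 0x1000) return 0;` followed by `key = *(u32 *)data;`. The constants `0x1000` and `0xffff` would read better as named macros, and the handler should return `NOTIFY_DONE` or `NOTIFY_OK` rather than a bare `0`. Whether other events can carry a NULL payload depends on the pl320 mailbox driver, which is not shown here.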
+@@ -161,6 +182,8 @@ static void __init highbank_init(void)
+ bus_register_notifier(&platform_bus_type, &highbank_platform_nb);
+ bus_register_notifier(&amba_bustype, &highbank_amba_nb);
+
++ pl320_ipc_register_notifier(&hb_keys_nb);
++
+ of_platform_populate(NULL, of_default_bus_match_table, NULL, NULL);
+ }
+
--- /dev/null
+From 7f4d3641e2548d1ac5dee837ff434df668a2810c Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Sun, 8 Dec 2013 18:39:02 -0700
+Subject: ARM: OMAP3: hwmod data: Don't prevent RESET of USB Host module
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit 7f4d3641e2548d1ac5dee837ff434df668a2810c upstream.
+
+Unlike what the comment states, errata i660 does not state that we
+can't RESET the USB host module. Instead it states that RESET is the
+only way to recover from a deadlock situation.
+
+RESET ensures that the module is in a known good state irrespective
+of what bootloader does with the module, so it must be done at boot.
+
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Tested-by: Tomi Valkeinen <tomi.valkeinen@ti.com> # Panda, BeagleXM
+Fixes: de231388cb80 ("ARM: OMAP: USB: EHCI and OHCI hwmod structures for OMAP3")
+Signed-off-by: Paul Walmsley <paul@pwsan.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 13 +++----------
+ 1 file changed, 3 insertions(+), 10 deletions(-)
+
+--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
++++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+@@ -1943,7 +1943,8 @@ static struct omap_hwmod_class_sysconfig
+ .syss_offs = 0x0014,
+ .sysc_flags = (SYSC_HAS_MIDLEMODE | SYSC_HAS_CLOCKACTIVITY |
+ SYSC_HAS_SIDLEMODE | SYSC_HAS_ENAWAKEUP |
+- SYSC_HAS_SOFTRESET | SYSC_HAS_AUTOIDLE),
++ SYSC_HAS_SOFTRESET | SYSC_HAS_AUTOIDLE |
++ SYSS_HAS_RESET_STATUS),
+ .idlemodes = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART |
+ MSTANDBY_FORCE | MSTANDBY_NO | MSTANDBY_SMART),
+ .sysc_fields = &omap_hwmod_sysc_type1,
+@@ -2021,15 +2022,7 @@ static struct omap_hwmod omap3xxx_usb_ho
+ * hence HWMOD_SWSUP_MSTANDBY
+ */
+
+- /*
+- * During system boot; If the hwmod framework resets the module
+- * the module will have smart idle settings; which can lead to deadlock
+- * (above Errata Id:i660); so, dont reset the module during boot;
+- * Use HWMOD_INIT_NO_RESET.
+- */
+-
+- .flags = HWMOD_SWSUP_SIDLE | HWMOD_SWSUP_MSTANDBY |
+- HWMOD_INIT_NO_RESET,
++ .flags = HWMOD_SWSUP_SIDLE | HWMOD_SWSUP_MSTANDBY,
+ };
+
+ /*
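Review bot: The deleted comment was the only in-code statement of how errata i660 relates to resetting this module, and nothing replaces it, so the reason the module is now reset at boot lives only in the commit message. A short replacement above `.flags` would keep `HWMOD_INIT_NO_RESET` from being reintroduced later: `/* Reset at boot is required: reset is the only recovery from the i660 deadlock and clears whatever state the bootloader left */`. The struct initialiser begins outside this hunk.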
--- /dev/null
+From ff88b4724fde18056a4c539f7327389aec0f4c2d Mon Sep 17 00:00:00 2001
+From: Sergei Ianovich <ynvich@gmail.com>
+Date: Tue, 10 Dec 2013 08:39:15 +0400
+Subject: ARM: pxa: prevent PXA270 occasional reboot freezes
+
+From: Sergei Ianovich <ynvich@gmail.com>
+
+commit ff88b4724fde18056a4c539f7327389aec0f4c2d upstream.
+
+Erratum 71 of PXA270M Processor Family Specification Update
+(April 19, 2010) explains that watchdog reset time is just
+8us insead of 10ms in EMTS.
+
+If SDRAM is not reset, it causes memory bus congestion and
+the device hangs. We put SDRAM in selfresh mode before watchdog
+reset, removing potential freezes.
+
+Without this patch PXA270-based ICP DAS LP-8x4x hangs after up to 40
+reboots. With this patch it has successfully rebooted 500 times.
+
+Signed-off-by: Sergei Ianovich <ynvich@gmail.com>
+Tested-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Haojian Zhuang <haojian.zhuang@gmail.com>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-pxa/reset.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/mach-pxa/reset.c
++++ b/arch/arm/mach-pxa/reset.c
+@@ -13,6 +13,7 @@
+
+ #include <mach/regs-ost.h>
+ #include <mach/reset.h>
++#include <mach/smemc.h>
+
+ unsigned int reset_status;
+ EXPORT_SYMBOL(reset_status);
+@@ -81,6 +82,12 @@ static void do_hw_reset(void)
+ writel_relaxed(OSSR_M3, OSSR);
+ /* ... in 100 ms */
+ writel_relaxed(readl_relaxed(OSCR) + 368640, OSMR3);
++ /*
++ * SDRAM hangs on watchdog reset on Marvell PXA270 (erratum 71)
++ * we put SDRAM into self-refresh to prevent that
++ */
++ while (1)
++ writel_relaxed(MDREFR_SLFRSH, MDREFR);
+ }
+
+ void pxa_restart(enum reboot_mode mode, const char *cmd)
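Review bot: The added `while (1)` loop means do_hw_reset() never returns, and each pass stores `MDREFR_SLFRSH` alone into MDREFR, overwriting every other field of that register; the comment states neither fact. In the lines shown the store is also not limited to PXA270, although the erratum cited is PXA270-specific, so any other SoC reaching this function would get the same treatment (the callers are outside the hunk). I would expand the comment to `/* Does not return: keep forcing self-refresh until the watchdog fires. All other MDREFR bits are overwritten on purpose. */`, or make the store a read-modify-write if clobbering the register is not intended.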
+@@ -104,4 +111,3 @@ void pxa_restart(enum reboot_mode mode,
+ break;
+ }
+ }
+-
--- /dev/null
+From 506cac15ac86f204b83e3cfccde73eeb4e7c5f34 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Date: Sat, 16 Nov 2013 16:47:50 +0400
+Subject: ARM: pxa: tosa: fix keys mapping
+
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+
+commit 506cac15ac86f204b83e3cfccde73eeb4e7c5f34 upstream.
+
+When converting from tosa-keyboard driver to matrix keyboard, tosa keys
+received extra 1 column shift. Replace that with correct values to make
+keyboard work again.
+
+Fixes: f69a6548c9d5 ('[ARM] pxa/tosa: make use of the matrix keypad driver')
+Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Signed-off-by: Haojian Zhuang <haojian.zhuang@gmail.com>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-pxa/tosa.c | 102 +++++++++++++++++++++++------------------------
+ 1 file changed, 51 insertions(+), 51 deletions(-)
+
+--- a/arch/arm/mach-pxa/tosa.c
++++ b/arch/arm/mach-pxa/tosa.c
+@@ -425,57 +425,57 @@ static struct platform_device tosa_power
+ * Tosa Keyboard
+ */
+ static const uint32_t tosakbd_keymap[] = {
+- KEY(0, 2, KEY_W),
+- KEY(0, 6, KEY_K),
+- KEY(0, 7, KEY_BACKSPACE),
+- KEY(0, 8, KEY_P),
+- KEY(1, 1, KEY_Q),
+- KEY(1, 2, KEY_E),
+- KEY(1, 3, KEY_T),
+- KEY(1, 4, KEY_Y),
+- KEY(1, 6, KEY_O),
+- KEY(1, 7, KEY_I),
+- KEY(1, 8, KEY_COMMA),
+- KEY(2, 1, KEY_A),
+- KEY(2, 2, KEY_D),
+- KEY(2, 3, KEY_G),
+- KEY(2, 4, KEY_U),
+- KEY(2, 6, KEY_L),
+- KEY(2, 7, KEY_ENTER),
+- KEY(2, 8, KEY_DOT),
+- KEY(3, 1, KEY_Z),
+- KEY(3, 2, KEY_C),
+- KEY(3, 3, KEY_V),
+- KEY(3, 4, KEY_J),
+- KEY(3, 5, TOSA_KEY_ADDRESSBOOK),
+- KEY(3, 6, TOSA_KEY_CANCEL),
+- KEY(3, 7, TOSA_KEY_CENTER),
+- KEY(3, 8, TOSA_KEY_OK),
+- KEY(3, 9, KEY_LEFTSHIFT),
+- KEY(4, 1, KEY_S),
+- KEY(4, 2, KEY_R),
+- KEY(4, 3, KEY_B),
+- KEY(4, 4, KEY_N),
+- KEY(4, 5, TOSA_KEY_CALENDAR),
+- KEY(4, 6, TOSA_KEY_HOMEPAGE),
+- KEY(4, 7, KEY_LEFTCTRL),
+- KEY(4, 8, TOSA_KEY_LIGHT),
+- KEY(4, 10, KEY_RIGHTSHIFT),
+- KEY(5, 1, KEY_TAB),
+- KEY(5, 2, KEY_SLASH),
+- KEY(5, 3, KEY_H),
+- KEY(5, 4, KEY_M),
+- KEY(5, 5, TOSA_KEY_MENU),
+- KEY(5, 7, KEY_UP),
+- KEY(5, 11, TOSA_KEY_FN),
+- KEY(6, 1, KEY_X),
+- KEY(6, 2, KEY_F),
+- KEY(6, 3, KEY_SPACE),
+- KEY(6, 4, KEY_APOSTROPHE),
+- KEY(6, 5, TOSA_KEY_MAIL),
+- KEY(6, 6, KEY_LEFT),
+- KEY(6, 7, KEY_DOWN),
+- KEY(6, 8, KEY_RIGHT),
++ KEY(0, 1, KEY_W),
++ KEY(0, 5, KEY_K),
++ KEY(0, 6, KEY_BACKSPACE),
++ KEY(0, 7, KEY_P),
++ KEY(1, 0, KEY_Q),
++ KEY(1, 1, KEY_E),
++ KEY(1, 2, KEY_T),
++ KEY(1, 3, KEY_Y),
++ KEY(1, 5, KEY_O),
++ KEY(1, 6, KEY_I),
++ KEY(1, 7, KEY_COMMA),
++ KEY(2, 0, KEY_A),
++ KEY(2, 1, KEY_D),
++ KEY(2, 2, KEY_G),
++ KEY(2, 3, KEY_U),
++ KEY(2, 5, KEY_L),
++ KEY(2, 6, KEY_ENTER),
++ KEY(2, 7, KEY_DOT),
++ KEY(3, 0, KEY_Z),
++ KEY(3, 1, KEY_C),
++ KEY(3, 2, KEY_V),
++ KEY(3, 3, KEY_J),
++ KEY(3, 4, TOSA_KEY_ADDRESSBOOK),
++ KEY(3, 5, TOSA_KEY_CANCEL),
++ KEY(3, 6, TOSA_KEY_CENTER),
++ KEY(3, 7, TOSA_KEY_OK),
++ KEY(3, 8, KEY_LEFTSHIFT),
++ KEY(4, 0, KEY_S),
++ KEY(4, 1, KEY_R),
++ KEY(4, 2, KEY_B),
++ KEY(4, 3, KEY_N),
++ KEY(4, 4, TOSA_KEY_CALENDAR),
++ KEY(4, 5, TOSA_KEY_HOMEPAGE),
++ KEY(4, 6, KEY_LEFTCTRL),
++ KEY(4, 7, TOSA_KEY_LIGHT),
++ KEY(4, 9, KEY_RIGHTSHIFT),
++ KEY(5, 0, KEY_TAB),
++ KEY(5, 1, KEY_SLASH),
++ KEY(5, 2, KEY_H),
++ KEY(5, 3, KEY_M),
++ KEY(5, 4, TOSA_KEY_MENU),
++ KEY(5, 6, KEY_UP),
++ KEY(5, 10, TOSA_KEY_FN),
++ KEY(6, 0, KEY_X),
++ KEY(6, 1, KEY_F),
++ KEY(6, 2, KEY_SPACE),
++ KEY(6, 3, KEY_APOSTROPHE),
++ KEY(6, 4, TOSA_KEY_MAIL),
++ KEY(6, 5, KEY_LEFT),
++ KEY(6, 6, KEY_DOWN),
++ KEY(6, 7, KEY_RIGHT),
+ };
+
+ static struct matrix_keymap_data tosakbd_keymap_data = {
--- /dev/null
+From 6f97dc8d4663abed96fa30e3ea4a1d4cfd1c4276 Mon Sep 17 00:00:00 2001
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+Date: Tue, 10 Dec 2013 19:37:22 +0100
+Subject: ARM: sun6i: dt: Fix interrupt trigger types
+
+From: Maxime Ripard <maxime.ripard@free-electrons.com>
+
+commit 6f97dc8d4663abed96fa30e3ea4a1d4cfd1c4276 upstream.
+
+The Allwinner A31 uses the ARM GIC as its internal interrupts controller. The
+GIC can work on several interrupt triggers, and the A31 was actually setting it
+up to use a rising edge as a trigger, while it was actually a level high
+trigger, leading to some interrupts that would be completely ignored if the
+edge was missed.
+
+Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Acked-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/sun6i-a31.dtsi | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+--- a/arch/arm/boot/dts/sun6i-a31.dtsi
++++ b/arch/arm/boot/dts/sun6i-a31.dtsi
+@@ -193,7 +193,10 @@
+ pio: pinctrl@01c20800 {
+ compatible = "allwinner,sun6i-a31-pinctrl";
+ reg = <0x01c20800 0x400>;
+- interrupts = <0 11 1>, <0 15 1>, <0 16 1>, <0 17 1>;
++ interrupts = <0 11 4>,
++ <0 15 4>,
++ <0 16 4>,
++ <0 17 4>;
+ clocks = <&apb1_gates 5>;
+ gpio-controller;
+ interrupt-controller;
+@@ -212,11 +215,11 @@
+ timer@01c20c00 {
+ compatible = "allwinner,sun4i-timer";
+ reg = <0x01c20c00 0xa0>;
+- interrupts = <0 18 1>,
+- <0 19 1>,
+- <0 20 1>,
+- <0 21 1>,
+- <0 22 1>;
++ interrupts = <0 18 4>,
++ <0 19 4>,
++ <0 20 4>,
++ <0 21 4>,
++ <0 22 4>;
+ clocks = <&osc24M>;
+ };
+
+@@ -228,7 +231,7 @@
+ uart0: serial@01c28000 {
+ compatible = "snps,dw-apb-uart";
+ reg = <0x01c28000 0x400>;
+- interrupts = <0 0 1>;
++ interrupts = <0 0 4>;
+ reg-shift = <2>;
+ reg-io-width = <4>;
+ clocks = <&apb2_gates 16>;
+@@ -238,7 +241,7 @@
+ uart1: serial@01c28400 {
+ compatible = "snps,dw-apb-uart";
+ reg = <0x01c28400 0x400>;
+- interrupts = <0 1 1>;
++ interrupts = <0 1 4>;
+ reg-shift = <2>;
+ reg-io-width = <4>;
+ clocks = <&apb2_gates 17>;
+@@ -248,7 +251,7 @@
+ uart2: serial@01c28800 {
+ compatible = "snps,dw-apb-uart";
+ reg = <0x01c28800 0x400>;
+- interrupts = <0 2 1>;
++ interrupts = <0 2 4>;
+ reg-shift = <2>;
+ reg-io-width = <4>;
+ clocks = <&apb2_gates 18>;
+@@ -258,7 +261,7 @@
+ uart3: serial@01c28c00 {
+ compatible = "snps,dw-apb-uart";
+ reg = <0x01c28c00 0x400>;
+- interrupts = <0 3 1>;
++ interrupts = <0 3 4>;
+ reg-shift = <2>;
+ reg-io-width = <4>;
+ clocks = <&apb2_gates 19>;
+@@ -268,7 +271,7 @@
+ uart4: serial@01c29000 {
+ compatible = "snps,dw-apb-uart";
+ reg = <0x01c29000 0x400>;
+- interrupts = <0 4 1>;
++ interrupts = <0 4 4>;
+ reg-shift = <2>;
+ reg-io-width = <4>;
+ clocks = <&apb2_gates 20>;
+@@ -278,7 +281,7 @@
+ uart5: serial@01c29400 {
+ compatible = "snps,dw-apb-uart";
+ reg = <0x01c29400 0x400>;
+- interrupts = <0 5 1>;
++ interrupts = <0 5 4>;
+ reg-shift = <2>;
+ reg-io-width = <4>;
+ clocks = <&apb2_gates 21>;
--- /dev/null
+From 338c7dbadd2671189cec7faf64c84d01071b3f96 Mon Sep 17 00:00:00 2001
+From: Andy Honig <ahonig@google.com>
+Date: Mon, 18 Nov 2013 16:09:22 -0800
+Subject: KVM: Improve create VCPU parameter (CVE-2013-4587)
+
+From: Andy Honig <ahonig@google.com>
+
+commit 338c7dbadd2671189cec7faf64c84d01071b3f96 upstream.
+
+In multiple functions the vcpu_id is used as an offset into a bitfield. Ag
+malicious user could specify a vcpu_id greater than 255 in order to set or
+clear bits in kernel memory. This could be used to elevate priveges in the
+kernel. This patch verifies that the vcpu_id provided is less than 255.
+The api documentation already specifies that the vcpu_id must be less than
+max_vcpus, but this is currently not checked.
+
+Reported-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/kvm_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1893,6 +1893,9 @@ static int kvm_vm_ioctl_create_vcpu(stru
+ int r;
+ struct kvm_vcpu *vcpu, *v;
+
++ if (id >= KVM_MAX_VCPUS)
++ return -EINVAL;
++
+ vcpu = kvm_arch_vcpu_create(kvm, id);
+ if (IS_ERR(vcpu))
+ return PTR_ERR(vcpu);
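Review bot: The new `id >= KVM_MAX_VCPUS` test is a complete bound on the userspace-supplied value only if `id` is unsigned; the parameter declaration is cut off in the hunk header, so confirm it is not a plain `int`, for which a negative id would pass. The commit text speaks of 255 while the code compares against `KVM_MAX_VCPUS`, so a comment tying the check to what it protects would help: `/* id comes from userspace and is later used as a bit offset; reject anything outside [0, KVM_MAX_VCPUS) */`. The function continues after the hunk.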
--- /dev/null
+From fda4e2e85589191b123d31cdc21fd33ee70f50fd Mon Sep 17 00:00:00 2001
+From: Andy Honig <ahonig@google.com>
+Date: Wed, 20 Nov 2013 10:23:22 -0800
+Subject: KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368)
+
+From: Andy Honig <ahonig@google.com>
+
+commit fda4e2e85589191b123d31cdc21fd33ee70f50fd upstream.
+
+In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the
+potential to corrupt kernel memory if userspace provides an address that
+is at the end of a page. This patches concerts those functions to use
+kvm_write_guest_cached and kvm_read_guest_cached. It also checks the
+vapic_address specified by userspace during ioctl processing and returns
+an error to userspace if the address is not a valid GPA.
+
+This is generally not guest triggerable, because the required write is
+done by firmware that runs before the guest. Also, it only affects AMD
+processors and oldish Intel that do not have the FlexPriority feature
+(unless you disable FlexPriority, of course; then newer processors are
+also affected).
+
+Fixes: b93463aa59d6 ('KVM: Accelerated apic support')
+
+Reported-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/lapic.c | 27 +++++++++++++++------------
+ arch/x86/kvm/lapic.h | 4 ++--
+ arch/x86/kvm/x86.c | 40 +---------------------------------------
+ 3 files changed, 18 insertions(+), 53 deletions(-)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -1692,7 +1692,6 @@ static void apic_sync_pv_eoi_from_guest(
+ void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu)
+ {
+ u32 data;
+- void *vapic;
+
+ if (test_bit(KVM_APIC_PV_EOI_PENDING, &vcpu->arch.apic_attention))
+ apic_sync_pv_eoi_from_guest(vcpu, vcpu->arch.apic);
+@@ -1700,9 +1699,8 @@ void kvm_lapic_sync_from_vapic(struct kv
+ if (!test_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention))
+ return;
+
+- vapic = kmap_atomic(vcpu->arch.apic->vapic_page);
+- data = *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr));
+- kunmap_atomic(vapic);
++ kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data,
++ sizeof(u32));
+
+ apic_set_tpr(vcpu->arch.apic, data & 0xff);
+ }
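Review bot: The result of `kvm_read_guest_cached()` is discarded in kvm_lapic_sync_from_vapic(), so when the read fails `data` is still the uninitialised local declared at the top of the function, and `apic_set_tpr(vcpu->arch.apic, data & 0xff)` loads the TPR from stack contents. Return early on failure instead: `if (kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data, sizeof(u32))) return;`. The matching `kvm_write_guest_cached()` call in the kvm_lapic_sync_to_vapic() hunk below ignores its result as well, which is less harmful but hides a failed update. The function begins in the preceding hunk.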
+@@ -1738,7 +1736,6 @@ void kvm_lapic_sync_to_vapic(struct kvm_
+ u32 data, tpr;
+ int max_irr, max_isr;
+ struct kvm_lapic *apic = vcpu->arch.apic;
+- void *vapic;
+
+ apic_sync_pv_eoi_to_guest(vcpu, apic);
+
+@@ -1754,18 +1751,24 @@ void kvm_lapic_sync_to_vapic(struct kvm_
+ max_isr = 0;
+ data = (tpr & 0xff) | ((max_isr & 0xf0) << 8) | (max_irr << 24);
+
+- vapic = kmap_atomic(vcpu->arch.apic->vapic_page);
+- *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr)) = data;
+- kunmap_atomic(vapic);
++ kvm_write_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data,
++ sizeof(u32));
+ }
+
+-void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr)
++int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr)
+ {
+- vcpu->arch.apic->vapic_addr = vapic_addr;
+- if (vapic_addr)
++ if (vapic_addr) {
++ if (kvm_gfn_to_hva_cache_init(vcpu->kvm,
++ &vcpu->arch.apic->vapic_cache,
++ vapic_addr, sizeof(u32)))
++ return -EINVAL;
+ __set_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention);
+- else
++ } else {
+ __clear_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention);
++ }
++
++ vcpu->arch.apic->vapic_addr = vapic_addr;
++ return 0;
+ }
+
+ int kvm_x2apic_msr_write(struct kvm_vcpu *vcpu, u32 msr, u64 data)
+--- a/arch/x86/kvm/lapic.h
++++ b/arch/x86/kvm/lapic.h
+@@ -34,7 +34,7 @@ struct kvm_lapic {
+ */
+ void *regs;
+ gpa_t vapic_addr;
+- struct page *vapic_page;
++ struct gfn_to_hva_cache vapic_cache;
+ unsigned long pending_events;
+ unsigned int sipi_vector;
+ };
+@@ -76,7 +76,7 @@ void kvm_set_lapic_tscdeadline_msr(struc
+ void kvm_apic_write_nodecode(struct kvm_vcpu *vcpu, u32 offset);
+ void kvm_apic_set_eoi_accelerated(struct kvm_vcpu *vcpu, int vector);
+
+-void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr);
++int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr);
+ void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu);
+ void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu);
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3192,8 +3192,7 @@ long kvm_arch_vcpu_ioctl(struct file *fi
+ r = -EFAULT;
+ if (copy_from_user(&va, argp, sizeof va))
+ goto out;
+- r = 0;
+- kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr);
++ r = kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr);
+ break;
+ }
+ case KVM_X86_SETUP_MCE: {
+@@ -5718,36 +5717,6 @@ static void post_kvm_run_save(struct kvm
+ !kvm_event_needs_reinjection(vcpu);
+ }
+
+-static int vapic_enter(struct kvm_vcpu *vcpu)
+-{
+- struct kvm_lapic *apic = vcpu->arch.apic;
+- struct page *page;
+-
+- if (!apic || !apic->vapic_addr)
+- return 0;
+-
+- page = gfn_to_page(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT);
+- if (is_error_page(page))
+- return -EFAULT;
+-
+- vcpu->arch.apic->vapic_page = page;
+- return 0;
+-}
+-
+-static void vapic_exit(struct kvm_vcpu *vcpu)
+-{
+- struct kvm_lapic *apic = vcpu->arch.apic;
+- int idx;
+-
+- if (!apic || !apic->vapic_addr)
+- return;
+-
+- idx = srcu_read_lock(&vcpu->kvm->srcu);
+- kvm_release_page_dirty(apic->vapic_page);
+- mark_page_dirty(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT);
+- srcu_read_unlock(&vcpu->kvm->srcu, idx);
+-}
+-
+ static void update_cr8_intercept(struct kvm_vcpu *vcpu)
+ {
+ int max_irr, tpr;
+@@ -6047,11 +6016,6 @@ static int __vcpu_run(struct kvm_vcpu *v
+ struct kvm *kvm = vcpu->kvm;
+
+ vcpu->srcu_idx = srcu_read_lock(&kvm->srcu);
+- r = vapic_enter(vcpu);
+- if (r) {
+- srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx);
+- return r;
+- }
+
+ r = 1;
+ while (r > 0) {
+@@ -6110,8 +6074,6 @@ static int __vcpu_run(struct kvm_vcpu *v
+
+ srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx);
+
+- vapic_exit(vcpu);
+-
+ return r;
+ }
+
--- /dev/null
+From 17d68b763f09a9ce824ae23eb62c9efc57b69271 Mon Sep 17 00:00:00 2001
+From: Gleb Natapov <gleb@redhat.com>
+Date: Thu, 12 Dec 2013 21:20:08 +0100
+Subject: KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376)
+
+From: Gleb Natapov <gleb@redhat.com>
+
+commit 17d68b763f09a9ce824ae23eb62c9efc57b69271 upstream.
+
+A guest can cause a BUG_ON() leading to a host kernel crash.
+When the guest writes to the ICR to request an IPI, while in x2apic
+mode the following things happen, the destination is read from
+ICR2, which is a register that the guest can control.
+
+kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the
+cluster id. A BUG_ON is triggered, which is a protection against
+accessing map->logical_map with an out-of-bounds access and manages
+to avoid that anything really unsafe occurs.
+
+The logic in the code is correct from real HW point of view. The problem
+is that KVM supports only one cluster with ID 0 in clustered mode, but
+the code that has the bug does not take this into account.
+
+Reported-by: Lars Bull <larsbull@google.com>
+Signed-off-by: Gleb Natapov <gleb@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/lapic.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -143,6 +143,8 @@ static inline int kvm_apic_id(struct kvm
+ return (kvm_apic_get_reg(apic, APIC_ID) >> 24) & 0xff;
+ }
+
++#define KVM_X2APIC_CID_BITS 0
++
+ static void recalculate_apic_map(struct kvm *kvm)
+ {
+ struct kvm_apic_map *new, *old = NULL;
+@@ -180,7 +182,8 @@ static void recalculate_apic_map(struct
+ if (apic_x2apic_mode(apic)) {
+ new->ldr_bits = 32;
+ new->cid_shift = 16;
+- new->cid_mask = new->lid_mask = 0xffff;
++ new->cid_mask = (1 << KVM_X2APIC_CID_BITS) - 1;
++ new->lid_mask = 0xffff;
+ } else if (kvm_apic_sw_enabled(apic) &&
+ !new->cid_mask /* flat mode */ &&
+ kvm_apic_get_reg(apic, APIC_DFR) == APIC_DFR_CLUSTER) {
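Review bot: `KVM_X2APIC_CID_BITS` is defined as 0 without a comment, so `(1 << KVM_X2APIC_CID_BITS) - 1` silently produces a zero `cid_mask` and the reason is recorded only in the commit message. Document the constraint at the definition: `/* KVM emulates a single x2APIC cluster (ID 0), so no cluster-id bits are taken from the destination */`. The `BUG_ON()` described in the commit message sits in kvm_irq_delivery_to_apic_fast(), outside this diff; because a guest could reach it, replacing it with a bounds check that drops the request would be a sturdier backstop than relying on the mask alone. recalculate_apic_map() continues beyond the hunk.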
--- /dev/null
+From b963a22e6d1a266a67e9eecc88134713fd54775c Mon Sep 17 00:00:00 2001
+From: Andy Honig <ahonig@google.com>
+Date: Tue, 19 Nov 2013 14:12:18 -0800
+Subject: KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
+
+From: Andy Honig <ahonig@google.com>
+
+commit b963a22e6d1a266a67e9eecc88134713fd54775c upstream.
+
+Under guest controllable circumstances apic_get_tmcct will execute a
+divide by zero and cause a crash. If the guest cpuid support
+tsc deadline timers and performs the following sequence of requests
+the host will crash.
+- Set the mode to periodic
+- Set the TMICT to 0
+- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
+- Set the TMICT to non-zero.
+Then the lapic_timer.period will be 0, but the TMICT will not be. If the
+guest then reads from the TMCCT then the host will perform a divide by 0.
+
+This patch ensures that if the lapic_timer.period is 0, then the division
+does not occur.
+
+Reported-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/lapic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -841,7 +841,8 @@ static u32 apic_get_tmcct(struct kvm_lap
+ ASSERT(apic != NULL);
+
+ /* if initial count is 0, current count should also be 0 */
+- if (kvm_apic_get_reg(apic, APIC_TMICT) == 0)
++ if (kvm_apic_get_reg(apic, APIC_TMICT) == 0 ||
++ apic->lapic_timer.period == 0)
+ return 0;
+
+ remaining = hrtimer_get_remaining(&apic->lapic_timer.timer);
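Review bot: The comment above the test still describes only the `APIC_TMICT == 0` case, while the added `apic->lapic_timer.period == 0` clause is the one that guards the guest-triggerable divide by zero. Update it to something like `/* initial count 0 means current count 0; period can be 0 with a non-zero TMICT and is used as a divisor below */`. The division itself is outside the hunk; if `period` is read again there rather than from a local copy, check that nothing can zero it between this test and the division.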
alsa-hda-add-static-dac-pin-mapping-for-ad1986a-codec.patch
alsa-hda-mute-all-aamix-inputs-as-default.patch
alsa-hda-hdmi-fix-iec958-ctl-indexes-for-some-simple-hdmi-devices.patch
+arm-pxa-tosa-fix-keys-mapping.patch
+arm-highbank-handle-soft-poweroff-and-reset-key-events.patch
+arm-sun6i-dt-fix-interrupt-trigger-types.patch
+arm-pxa-prevent-pxa270-occasional-reboot-freezes.patch
+arm-omap3-hwmod-data-don-t-prevent-reset-of-usb-host-module.patch
+arm-7912-1-check-stack-pointer-in-get_wchan.patch
+arm-7913-1-fix-framepointer-check-in-unwind_frame.patch
+arm-7917-1-cacheflush-correctly-limit-range-of-memory-region-being-flushed.patch
+kvm-improve-create-vcpu-parameter-cve-2013-4587.patch
+kvm-x86-fix-potential-divide-by-0-in-lapic-cve-2013-6367.patch
+kvm-x86-convert-vapic-synchronization-to-_cached-functions-cve-2013-6368.patch
+kvm-x86-fix-guest-initiated-crash-with-x2apic-cve-2013-6376.patch