--- /dev/null
+From 9c603e53d380459fb62fec7cd085acb0b74ac18f Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat, 8 Sep 2012 12:57:30 -0700
+Subject: mtdchar: fix offset overflow detection
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 9c603e53d380459fb62fec7cd085acb0b74ac18f upstream.
+
+Sasha Levin has been running trinity in a KVM tools guest, and was able
+to trigger the BUG_ON() at arch/x86/mm/pat.c:279 (verifying the range of
+the memory type). The call trace showed that it was mtdchar_mmap() that
+created an invalid remap_pfn_range().
+
+The problem is that mtdchar_mmap() does various really odd and subtle
+things with the vma page offset etc, and uses the wrong types (and the
+wrong overflow) detection for it.
+
+For example, the page offset may well be 32-bit on a 32-bit
+architecture, but after shifting it up by PAGE_SHIFT, we need to use a
+potentially 64-bit resource_size_t to correctly hold the full value.
+
+Also, we need to check that the vma length plus offset doesn't overflow
+before we check that it is smaller than the length of the mtdmap region.
+
+This fixes things up and tries to make the code a bit easier to read.
+
+Reported-and-tested-by: Sasha Levin <levinsasha928@gmail.com>
+Acked-by: Suresh Siddha <suresh.b.siddha@intel.com>
+Acked-by: Artem Bityutskiy <dedekind1@gmail.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Cc: linux-mtd@lists.infradead.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Cc: Brad Spengler <spender@grsecurity.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/mtdchar.c | 48 ++++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 42 insertions(+), 6 deletions(-)
+
+--- a/drivers/mtd/mtdchar.c
++++ b/drivers/mtd/mtdchar.c
+@@ -1064,6 +1064,33 @@ static unsigned long mtd_get_unmapped_ar
+ }
+ #endif
+
++static inline unsigned long get_vm_size(struct vm_area_struct *vma)
++{
++ return vma->vm_end - vma->vm_start;
++}
++
++static inline resource_size_t get_vm_offset(struct vm_area_struct *vma)
++{
++ return (resource_size_t) vma->vm_pgoff << PAGE_SHIFT;
++}
++
++/*
++ * Set a new vm offset.
++ *
++ * Verify that the incoming offset really works as a page offset,
++ * and that the offset and size fit in a resource_size_t.
++ */
++static inline int set_vm_offset(struct vm_area_struct *vma, resource_size_t off)
++{
++ pgoff_t pgoff = off >> PAGE_SHIFT;
++ if (off != (resource_size_t) pgoff << PAGE_SHIFT)
++ return -EINVAL;
++ if (off + get_vm_size(vma) - 1 < off)
++ return -EINVAL;
++ vma->vm_pgoff = pgoff;
++ return 0;
++}
++
+ /*
+ * set up a mapping for shared memory segments
+ */
+@@ -1073,20 +1100,29 @@ static int mtd_mmap(struct file *file, s
+ struct mtd_file_info *mfi = file->private_data;
+ struct mtd_info *mtd = mfi->mtd;
+ struct map_info *map = mtd->priv;
+- unsigned long start;
+- unsigned long off;
+- u32 len;
++ resource_size_t start, off;
++ unsigned long len, vma_len;
+
+ if (mtd->type == MTD_RAM || mtd->type == MTD_ROM) {
+- off = vma->vm_pgoff << PAGE_SHIFT;
++ off = get_vm_offset(vma);
+ start = map->phys;
+ len = PAGE_ALIGN((start & ~PAGE_MASK) + map->size);
+ start &= PAGE_MASK;
+- if ((vma->vm_end - vma->vm_start + off) > len)
++ vma_len = get_vm_size(vma);
++
++ /* Overflow in off+len? */
++ if (vma_len + off < off)
++ return -EINVAL;
++ /* Does it fit in the mapping? */
++ if (vma_len + off > len)
+ return -EINVAL;
+
+ off += start;
+- vma->vm_pgoff = off >> PAGE_SHIFT;
++ /* Did that overflow? */
++ if (off < start)
++ return -EINVAL;
++ if (set_vm_offset(vma, off) < 0)
++ return -EINVAL;
+ vma->vm_flags |= VM_IO | VM_RESERVED;
+
+ #ifdef pgprot_noncached
--- /dev/null
+From romieu@fr.zoreil.com Sun Apr 14 18:34:05 2013
+From: Francois Romieu <romieu@fr.zoreil.com>
+Date: Sat, 13 Apr 2013 12:26:55 +0200
+Subject: r8169: fix auto speed down issue
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: stable@vger.kernel.org, Hayes Wang <hayeswang@realtek.com>, "David S. Miller" <davem@davemloft.net>
+Message-ID: <20130413102655.GB19939@electric-eye.fr.zoreil.com>
+Content-Disposition: inline
+
+From: Hayes Wang <hayeswang@realtek.com>
+
+commit e2409d83434d77874b461b78af6a19cd6e6a1280 upstream.
+
+It would cause no link after suspending or shutdowning when the
+nic changes the speed to 10M and connects to a link partner which
+forces the speed to 100M.
+
+Check the link partner ability to determine which speed to set.
+
+The link speed down code path is not factored in this kernel version.
+
+Signed-off-by: Hayes Wang <hayeswang@realtek.com>
+Acked-by: Francois Romieu <romieu@fr.zoreil.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/r8169.c | 30 ++++++++++++++++++++++++++----
+ 1 file changed, 26 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -3105,11 +3105,34 @@ static void r810x_phy_power_up(struct rt
+ rtl_writephy(tp, MII_BMCR, BMCR_ANENABLE);
+ }
+
++static void rtl_speed_down(struct rtl8169_private *tp)
++{
++ u32 adv;
++ int lpa;
++
++ rtl_writephy(tp, 0x1f, 0x0000);
++ lpa = rtl_readphy(tp, MII_LPA);
++
++ if (lpa & (LPA_10HALF | LPA_10FULL))
++ adv = ADVERTISED_10baseT_Half | ADVERTISED_10baseT_Full;
++ else if (lpa & (LPA_100HALF | LPA_100FULL))
++ adv = ADVERTISED_10baseT_Half | ADVERTISED_10baseT_Full |
++ ADVERTISED_100baseT_Half | ADVERTISED_100baseT_Full;
++ else
++ adv = ADVERTISED_10baseT_Half | ADVERTISED_10baseT_Full |
++ ADVERTISED_100baseT_Half | ADVERTISED_100baseT_Full |
++ (tp->mii.supports_gmii ?
++ ADVERTISED_1000baseT_Half |
++ ADVERTISED_1000baseT_Full : 0);
++
++ rtl8169_set_speed(tp->dev, AUTONEG_ENABLE, SPEED_1000, DUPLEX_FULL,
++ adv);
++}
++
+ static void r810x_pll_power_down(struct rtl8169_private *tp)
+ {
+ if (__rtl8169_get_wol(tp) & WAKE_ANY) {
+- rtl_writephy(tp, 0x1f, 0x0000);
+- rtl_writephy(tp, MII_BMCR, 0x0000);
++ rtl_speed_down(tp);
+ return;
+ }
+
+@@ -3201,8 +3224,7 @@ static void r8168_pll_power_down(struct
+ rtl_ephy_write(ioaddr, 0x19, 0xff64);
+
+ if (__rtl8169_get_wol(tp) & WAKE_ANY) {
+- rtl_writephy(tp, 0x1f, 0x0000);
+- rtl_writephy(tp, MII_BMCR, 0x0000);
++ rtl_speed_down(tp);
+
+ if (tp->mac_version == RTL_GIGA_MAC_VER_32 ||
+ tp->mac_version == RTL_GIGA_MAC_VER_33)
projects / thirdparty / kernel / stable-queue.git / commitdiff
