--- /dev/null
+From 3118a4f652c7b12c752f3222af0447008f9b2368 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 11 Mar 2013 17:31:45 -0700
+Subject: drm/i915: bounds check execbuffer relocation count
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 3118a4f652c7b12c752f3222af0447008f9b2368 upstream.
+
+It is possible to wrap the counter used to allocate the buffer for
+relocation copies. This could lead to heap writing overflows.
+
+CVE-2013-0913
+
+v3: collapse test, improve comment
+v2: move check into validate_exec_list
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reported-by: Pinkie Pie
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -888,15 +888,20 @@ validate_exec_list(struct drm_i915_gem_e
+ int count)
+ {
+ int i;
++ int relocs_total = 0;
++ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
+
+ for (i = 0; i < count; i++) {
+ char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
+ int length; /* limited by fault_in_pages_readable() */
+
+- /* First check for malicious input causing overflow */
+- if (exec[i].relocation_count >
+- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
++ /* First check for malicious input causing overflow in
++ * the worst case where we need to allocate the entire
++ * relocation tree as a single array.
++ */
++ if (exec[i].relocation_count > relocs_max - relocs_total)
+ return -EINVAL;
++ relocs_total += exec[i].relocation_count;
+
+ length = exec[i].relocation_count *
+ sizeof(struct drm_i915_gem_relocation_entry);
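Review bot: The new guard `exec[i].relocation_count > relocs_max - relocs_total` compares what appears to be an unsigned field against a signed `int` expression, so the right-hand side is implicitly converted before the comparison. The check is sound here because `relocs_total` is only increased after the guard passes and so never exceeds `relocs_max`, but nothing in the code states that invariant. Declaring both as unsigned, `unsigned int relocs_total = 0;` and `unsigned int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);`, keeps the same limit and removes the mixed-sign comparison. The type of `relocation_count` is not visible in this hunk and should be confirmed against the ioctl structure; validate_exec_list() continues past the end of the hunk.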
--- /dev/null
+From 16dad1d743d31a104a849c8944e6b9eb479f6cd7 Mon Sep 17 00:00:00 2001
+From: Torsten Duwe <torsten@lst.de>
+Date: Sat, 23 Mar 2013 15:38:22 +0100
+Subject: KMS: fix EDID detailed timing vsync parsing
+
+From: Torsten Duwe <torsten@lst.de>
+
+commit 16dad1d743d31a104a849c8944e6b9eb479f6cd7 upstream.
+
+EDID spreads some values across multiple bytes; bit-fiddling is needed
+to retrieve these. The current code to parse "detailed timings" has a
+cut&paste error that results in a vsync offset of at most 15 lines
+instead of 63.
+
+See
+
+ http://en.wikipedia.org/wiki/EDID
+
+and in the "EDID Detailed Timing Descriptor" see bytes 10+11 show why
+that needs to be a left shift.
+
+Signed-off-by: Torsten Duwe <duwe@lst.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_edid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -841,7 +841,7 @@ static struct drm_display_mode *drm_mode
+ unsigned vblank = (pt->vactive_vblank_hi & 0xf) << 8 | pt->vblank_lo;
+ unsigned hsync_offset = (pt->hsync_vsync_offset_pulse_width_hi & 0xc0) << 2 | pt->hsync_offset_lo;
+ unsigned hsync_pulse_width = (pt->hsync_vsync_offset_pulse_width_hi & 0x30) << 4 | pt->hsync_pulse_width_lo;
+- unsigned vsync_offset = (pt->hsync_vsync_offset_pulse_width_hi & 0xc) >> 2 | pt->vsync_offset_pulse_width_lo >> 4;
++ unsigned vsync_offset = (pt->hsync_vsync_offset_pulse_width_hi & 0xc) << 2 | pt->vsync_offset_pulse_width_lo >> 4;
+ unsigned vsync_pulse_width = (pt->hsync_vsync_offset_pulse_width_hi & 0x3) << 4 | (pt->vsync_offset_pulse_width_lo & 0xf);
+
+ /* ignore tiny modes */
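Review bot: The corrected `vsync_offset` line still expresses the EDID bit layout only through the mask `0xc` and two shift counts, which is what let the wrong shift direction hide among its look-alike neighbours. A one-line comment above it, e.g. `/* vsync offset is 6 bits: hi-byte bits 3:2 -> bits 5:4, lo-byte bits 7:4 -> bits 3:0 */`, would make a future copy-and-paste slip visible in review. Parenthesising both operands of `|` would also make the intended precedence explicit. The enclosing function starts and ends outside the hunk.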
--- /dev/null
+From d00285884c0892bb1310df96bce6056e9ce9b9d9 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li <liwanp@linux.vnet.ibm.com>
+Date: Fri, 22 Mar 2013 15:04:40 -0700
+Subject: mm/hugetlb: fix total hugetlbfs pages count when using memory overcommit accouting
+
+From: Wanpeng Li <liwanp@linux.vnet.ibm.com>
+
+commit d00285884c0892bb1310df96bce6056e9ce9b9d9 upstream.
+
+hugetlb_total_pages is used for overcommit calculations but the current
+implementation considers only the default hugetlb page size (which is
+either the first defined hugepage size or the one specified by
+default_hugepagesz kernel boot parameter).
+
+If the system is configured for more than one hugepage size, which is
+possible since commit a137e1cc6d6e ("hugetlbfs: per mount huge page
+sizes") then the overcommit estimation done by __vm_enough_memory()
+(resp. shown by meminfo_proc_show) is not precise - there is an
+impression of more available/allowed memory. This can lead to an
+unexpected ENOMEM/EFAULT resp. SIGSEGV when memory is accounted.
+
+Testcase:
+ boot: hugepagesz=1G hugepages=1
+ the default overcommit ratio is 50
+ before patch:
+
+ egrep 'CommitLimit' /proc/meminfo
+ CommitLimit: 55434168 kB
+
+ after patch:
+
+ egrep 'CommitLimit' /proc/meminfo
+ CommitLimit: 54909880 kB
+
+[akpm@linux-foundation.org: coding-style tweak]
+Signed-off-by: Wanpeng Li <liwanp@linux.vnet.ibm.com>
+Acked-by: Michal Hocko <mhocko@suse.cz>
+Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
+Cc: Hillf Danton <dhillf@gmail.com>
+Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/hugetlb.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -2006,8 +2006,12 @@ int hugetlb_report_node_meminfo(int nid,
+ /* Return the number pages of memory we physically have, in PAGE_SIZE units. */
+ unsigned long hugetlb_total_pages(void)
+ {
+- struct hstate *h = &default_hstate;
+- return h->nr_huge_pages * pages_per_huge_page(h);
++ struct hstate *h;
++ unsigned long nr_total_pages = 0;
++
++ for_each_hstate(h)
++ nr_total_pages += h->nr_huge_pages * pages_per_huge_page(h);
++ return nr_total_pages;
+ }
+
+ static int hugetlb_acct_memory(struct hstate *h, long delta)
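Review bot: The header comment above `hugetlb_total_pages()` is left as "Return the number pages of memory we physically have", which neither reads correctly nor says that the result is now summed over every hstate instead of `default_hstate`. Something like `/* Return the number of pages held in huge pages of all sizes, in PAGE_SIZE units. */` would match the new behaviour. The loop also reads `h->nr_huge_pages` with no lock taken in the visible lines. If that is deliberate because the value only feeds an overcommit estimate, a short comment saying so would spare the next reader the question.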
--- /dev/null
+From 5f0fabf84d7b52f979dcbafa3d3c530c60d9a92c Mon Sep 17 00:00:00 2001
+From: Bing Zhao <bzhao@marvell.com>
+Date: Thu, 7 Mar 2013 20:00:16 -0800
+Subject: mwifiex: fix potential out-of-boundary access to ibss rate table
+
+From: Bing Zhao <bzhao@marvell.com>
+
+commit 5f0fabf84d7b52f979dcbafa3d3c530c60d9a92c upstream.
+
+smatch found this error:
+
+CHECK drivers/net/wireless/mwifiex/join.c
+ drivers/net/wireless/mwifiex/join.c:1121
+ mwifiex_cmd_802_11_ad_hoc_join()
+ error: testing array offset 'i' after use.
+
+Signed-off-by: Bing Zhao <bzhao@marvell.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/join.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/join.c
++++ b/drivers/net/wireless/mwifiex/join.c
+@@ -1102,10 +1102,9 @@ mwifiex_cmd_802_11_ad_hoc_join(struct mw
+ adhoc_join->bss_descriptor.bssid,
+ adhoc_join->bss_descriptor.ssid);
+
+- for (i = 0; bss_desc->supported_rates[i] &&
+- i < MWIFIEX_SUPPORTED_RATES;
+- i++)
+- ;
++ for (i = 0; i < MWIFIEX_SUPPORTED_RATES &&
++ bss_desc->supported_rates[i]; i++)
++ ;
+ rates_size = i;
+
+ /* Copy Data Rates from the Rates recorded in scan response */
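Review bot: The reordered `for` condition is correct only because `&&` short-circuits, and nothing in the code says that the index test must come first, which is the ordering the original code got wrong. A comment on the loop such as `/* test i before indexing: supported_rates[] may not be zero-terminated */` would keep a later cleanup from swapping the operands back and reintroducing the one-element over-read. The declared size of `supported_rates` is not visible in this hunk, so the assumption that it holds MWIFIEX_SUPPORTED_RATES entries should be confirmed against the struct definition. The enclosing function extends beyond the hunk on both sides.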
alsa-snd-usb-mixer-propagate-errors-up-the-call-chain.patch
alsa-snd-usb-mixer-ignore-einval-in-snd_usb_mixer_controls.patch
drm-i915-restrict-kernel-address-leak-in-debugfs.patch
+tracing-fix-race-in-snapshot-swapping.patch
+tracing-fix-free-of-probe-entry-by-calling-call_rcu_sched.patch
+mwifiex-fix-potential-out-of-boundary-access-to-ibss-rate-table.patch
+drm-i915-bounds-check-execbuffer-relocation-count.patch
+kms-fix-edid-detailed-timing-vsync-parsing.patch
+mm-hugetlb-fix-total-hugetlbfs-pages-count-when-using-memory-overcommit-accouting.patch
--- /dev/null
+From 740466bc89ad8bd5afcc8de220f715f62b21e365 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+Date: Wed, 13 Mar 2013 11:15:19 -0400
+Subject: tracing: Fix free of probe entry by calling call_rcu_sched()
+
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+
+commit 740466bc89ad8bd5afcc8de220f715f62b21e365 upstream.
+
+Because function tracing is very invasive, and can even trace
+calls to rcu_read_lock(), RCU access in function tracing is done
+with preempt_disable_notrace(). This requires a synchronize_sched()
+for updates and not a synchronize_rcu().
+
+Function probes (traceon, traceoff, etc) must be freed after
+a synchronize_sched() after its entry has been removed from the
+hash. But call_rcu() is used. Fix this by using call_rcu_sched().
+
+Also fix the usage to use hlist_del_rcu() instead of hlist_del().
+
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Cc: Paul McKenney <paulmck@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -2709,8 +2709,8 @@ __unregister_ftrace_function_probe(char
+ continue;
+ }
+
+- hlist_del(&entry->node);
+- call_rcu(&entry->rcu, ftrace_free_entry_rcu);
++ hlist_del_rcu(&entry->node);
++ call_rcu_sched(&entry->rcu, ftrace_free_entry_rcu);
+ }
+ }
+ __disable_ftrace_function_probe();
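Review bot: The switch to `hlist_del_rcu()` and `call_rcu_sched()` depends on a rule that is stated only in the commit message: readers of the probe hash run under `preempt_disable_notrace()`, so the entry must not be freed until a sched grace period has passed. Without a comment at the call site the pair could be changed back to `call_rcu()` in a later cleanup, which would presumably let a reader touch an entry after it is freed. Suggest adding `/* readers use preempt_disable_notrace(); free only after a sched grace period */` above the `call_rcu_sched()` line. The enclosing function starts and ends outside the hunk.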
--- /dev/null
+From 2721e72dd10f71a3ba90f59781becf02638aa0d9 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+Date: Tue, 12 Mar 2013 11:32:32 -0400
+Subject: tracing: Fix race in snapshot swapping
+
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+
+commit 2721e72dd10f71a3ba90f59781becf02638aa0d9 upstream.
+
+Although the swap is wrapped with a spin_lock, the assignment
+of the temp buffer used to swap is not within that lock.
+It needs to be moved into that lock, otherwise two swaps
+happening on two different CPUs, can end up using the wrong
+temp buffer to assign in the swap.
+
+Luckily, all current callers of the swap function appear to have
+their own locks. But in case something is added that allows two
+different callers to call the swap, then there's a chance that
+this race can trigger and corrupt the buffers.
+
+New code is coming soon that will allow for this race to trigger.
+
+I've Cc'd stable, so this bug will not show up if someone backports
+one of the changes that can trigger this bug.
+
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -649,7 +649,7 @@ __update_max_tr(struct trace_array *tr,
+ void
+ update_max_tr(struct trace_array *tr, struct task_struct *tsk, int cpu)
+ {
+- struct ring_buffer *buf = tr->buffer;
++ struct ring_buffer *buf;
+
+ if (trace_stop_count)
+ return;
+@@ -661,6 +661,7 @@ update_max_tr(struct trace_array *tr, st
+ }
+ arch_spin_lock(&ftrace_max_lock);
+
++ buf = tr->buffer;
+ tr->buffer = max_tr.buffer;
+ max_tr.buffer = buf;
+
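Review bot: `buf` is now assigned only after `arch_spin_lock(&ftrace_max_lock)`, but the code gives no reason why the read of `tr->buffer` has to stay inside the lock. The commit message says current callers happen to serialise themselves, so a later refactor could hoist the assignment back to the declaration without any test noticing. A comment above `buf = tr->buffer;`, e.g. `/* read tr->buffer under ftrace_max_lock; an earlier read races with a concurrent swap */`, would record the constraint where it matters. The rest of update_max_tr(), including the unlock, lies outside this hunk.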