--- /dev/null
+From 7c8a3679e3d8e9d92d58f282161760a0e247df97 Mon Sep 17 00:00:00 2001
+From: Tomoki Sekiyama <tomoki.sekiyama@hds.com>
+Date: Tue, 15 Oct 2013 16:42:19 -0600
+Subject: elevator: acquire q->sysfs_lock in elevator_change()
+
+From: Tomoki Sekiyama <tomoki.sekiyama@hds.com>
+
+commit 7c8a3679e3d8e9d92d58f282161760a0e247df97 upstream.
+
+Add locking of q->sysfs_lock into elevator_change() (an exported function)
+to ensure it is held to protect q->elevator from elevator_init(), even if
+elevator_change() is called from non-sysfs paths.
+sysfs path (elv_iosched_store) uses __elevator_change(), non-locking
+version, as the lock is already taken by elv_iosched_store().
+
+Signed-off-by: Tomoki Sekiyama <tomoki.sekiyama@hds.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Cc: Josh Boyer <jwboyer@fedoraproject.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/elevator.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/block/elevator.c
++++ b/block/elevator.c
+@@ -961,7 +961,7 @@ fail_register:
+ /*
+ * Switch this queue to the given IO scheduler.
+ */
+-int elevator_change(struct request_queue *q, const char *name)
++static int __elevator_change(struct request_queue *q, const char *name)
+ {
+ char elevator_name[ELV_NAME_MAX];
+ struct elevator_type *e;
+@@ -983,6 +983,18 @@ int elevator_change(struct request_queue
+
+ return elevator_switch(q, e);
+ }
++
++int elevator_change(struct request_queue *q, const char *name)
++{
++ int ret;
++
++ /* Protect q->elevator from elevator_init() */
++ mutex_lock(&q->sysfs_lock);
++ ret = __elevator_change(q, name);
++ mutex_unlock(&q->sysfs_lock);
++
++ return ret;
++}
+ EXPORT_SYMBOL(elevator_change);
+
+ ssize_t elv_iosched_store(struct request_queue *q, const char *name,
+@@ -993,7 +1005,7 @@ ssize_t elv_iosched_store(struct request
+ if (!q->elevator)
+ return count;
+
+- ret = elevator_change(q, name);
++ ret = __elevator_change(q, name);
+ if (!ret)
+ return count;
+
--- /dev/null
+From f9423606ade08653dd8a43334f0a7fb45504c5cc Mon Sep 17 00:00:00 2001
+From: Julian Stecklina <jsteckli@os.inf.tu-dresden.de>
+Date: Wed, 9 Oct 2013 10:03:52 +0200
+Subject: iommu/vt-d: Fixed interaction of VFIO_IOMMU_MAP_DMA with IOMMU address limits
+
+From: Julian Stecklina <jsteckli@os.inf.tu-dresden.de>
+
+commit f9423606ade08653dd8a43334f0a7fb45504c5cc upstream.
+
+The BUG_ON in drivers/iommu/intel-iommu.c:785 can be triggered from userspace via
+VFIO by calling the VFIO_IOMMU_MAP_DMA ioctl on a vfio device with any address
+beyond the addressing capabilities of the IOMMU. The problem is that the ioctl code
+calls iommu_iova_to_phys before it calls iommu_map. iommu_map handles the case that
+it gets addresses beyond the addressing capabilities of its IOMMU.
+intel_iommu_iova_to_phys does not.
+
+This patch fixes iommu_iova_to_phys to return NULL for addresses beyond what the
+IOMMU can handle. This in turn causes the ioctl call to fail in iommu_map and
+(correctly) return EFAULT to the user with a helpful warning message in the kernel
+log.
+
+Signed-off-by: Julian Stecklina <jsteckli@os.inf.tu-dresden.de>
+Acked-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Joerg Roedel <joro@8bytes.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/intel-iommu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -778,7 +778,11 @@ static struct dma_pte *pfn_to_dma_pte(st
+ int offset;
+
+ BUG_ON(!domain->pgd);
+- BUG_ON(addr_width < BITS_PER_LONG && pfn >> addr_width);
++
++ if (addr_width < BITS_PER_LONG && pfn >> addr_width)
++ /* Address beyond IOMMU's addressing capabilities. */
++ return NULL;
++
+ parent = domain->pgd;
+
+ while (level > 0) {
hid-picolcd_core-validate-output-report-details.patch
mmc-block-fix-a-bug-of-error-handling-in-mmc-driver.patch
nfsd-use-init_net-for-portmapper.patch
+video-kyro-fix-incorrect-sizes-when-copying-to-userspace.patch
+iommu-vt-d-fixed-interaction-of-vfio_iommu_map_dma-with-iommu-address-limits.patch
+elevator-acquire-q-sysfs_lock-in-elevator_change.patch
--- /dev/null
+From 2ab68ec927310dc488f3403bb48f9e4ad00a9491 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Tue, 19 Nov 2013 14:25:36 -0500
+Subject: video: kyro: fix incorrect sizes when copying to userspace
+
+From: Sasha Levin <sasha.levin@oracle.com>
+
+commit 2ab68ec927310dc488f3403bb48f9e4ad00a9491 upstream.
+
+kyro would copy u32s and specify sizeof(unsigned long) as the size to copy.
+
+This would copy more data than intended and cause memory corruption and might
+leak kernel memory.
+
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/kyro/fbdev.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/video/kyro/fbdev.c
++++ b/drivers/video/kyro/fbdev.c
+@@ -625,15 +625,15 @@ static int kyrofb_ioctl(struct fb_info *
+ }
+ break;
+ case KYRO_IOCTL_UVSTRIDE:
+- if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(unsigned long)))
++ if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(deviceInfo.ulOverlayUVStride)))
+ return -EFAULT;
+ break;
+ case KYRO_IOCTL_STRIDE:
+- if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(unsigned long)))
++ if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(deviceInfo.ulOverlayStride)))
+ return -EFAULT;
+ break;
+ case KYRO_IOCTL_OVERLAY_OFFSET:
+- if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(unsigned long)))
++ if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(deviceInfo.ulOverlayOffset)))
+ return -EFAULT;
+ break;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
