3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 18 Dec 2013 17:54:20 +0000 (09:54 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 18 Dec 2013 17:54:20 +0000 (09:54 -0800)
added patches:
arm-7912-1-check-stack-pointer-in-get_wchan.patch
arm-7913-1-fix-framepointer-check-in-unwind_frame.patch
arm-omap3-hwmod-data-don-t-prevent-reset-of-usb-host-module.patch
arm-pxa-prevent-pxa270-occasional-reboot-freezes.patch
arm-pxa-tosa-fix-keys-mapping.patch
kvm-improve-create-vcpu-parameter-cve-2013-4587.patch
kvm-x86-convert-vapic-synchronization-to-_cached-functions-cve-2013-6368.patch
kvm-x86-fix-guest-initiated-crash-with-x2apic-cve-2013-6376.patch
kvm-x86-fix-potential-divide-by-0-in-lapic-cve-2013-6367.patch

queue-3.10/.kvm-x86-convert-vapic-synchronization-to-_cached-functions-cve-2013-6368.patch.swp [new file with mode: 0644]
queue-3.10/arm-7912-1-check-stack-pointer-in-get_wchan.patch [new file with mode: 0644]
queue-3.10/arm-7913-1-fix-framepointer-check-in-unwind_frame.patch [new file with mode: 0644]
queue-3.10/arm-omap3-hwmod-data-don-t-prevent-reset-of-usb-host-module.patch [new file with mode: 0644]
queue-3.10/arm-pxa-prevent-pxa270-occasional-reboot-freezes.patch [new file with mode: 0644]
queue-3.10/arm-pxa-tosa-fix-keys-mapping.patch [new file with mode: 0644]
queue-3.10/kvm-improve-create-vcpu-parameter-cve-2013-4587.patch [new file with mode: 0644]
queue-3.10/kvm-x86-convert-vapic-synchronization-to-_cached-functions-cve-2013-6368.patch [new file with mode: 0644]
queue-3.10/kvm-x86-fix-guest-initiated-crash-with-x2apic-cve-2013-6376.patch [new file with mode: 0644]
queue-3.10/kvm-x86-fix-potential-divide-by-0-in-lapic-cve-2013-6367.patch [new file with mode: 0644]
queue-3.10/series

diff --git a/queue-3.10/.kvm-x86-convert-vapic-synchronization-to-_cached-functions-cve-2013-6368.patch.swp b/queue-3.10/.kvm-x86-convert-vapic-synchronization-to-_cached-functions-cve-2013-6368.patch.swp
new file mode 100644 (file)
index 0000000..2e6f87d
Binary files /dev/null and b/queue-3.10/.kvm-x86-convert-vapic-synchronization-to-_cached-functions-cve-2013-6368.patch.swp differ
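Review bot: `queue-3.10/.kvm-x86-convert-vapic-synchronization-to-_cached-functions-cve-2013-6368.patch.swp` is an editor swap file committed next to the real patch; it is not listed in `queue-3.10/series` and should be removed from this commit. A swap file holds the editor's buffer state, which may differ from the saved patch, so leaving it in the queue creates ambiguity about which copy is authoritative. Adding `*.swp` to the repository's ignore list would keep this from recurring.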
diff --git a/queue-3.10/arm-7912-1-check-stack-pointer-in-get_wchan.patch b/queue-3.10/arm-7912-1-check-stack-pointer-in-get_wchan.patch
new file mode 100644 (file)
index 0000000..79aa19c
--- /dev/null
@@ -0,0 +1,56 @@
+From 1b15ec7a7427d4188ba91b9bbac696250a059d22 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+Date: Thu, 5 Dec 2013 14:21:36 +0100
+Subject: ARM: 7912/1: check stack pointer in get_wchan
+
+From: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+
+commit 1b15ec7a7427d4188ba91b9bbac696250a059d22 upstream.
+
+get_wchan() is lockless. Task may wakeup at any time and change its own stack,
+thus each next stack frame may be overwritten and filled with random stuff.
+
+/proc/$pid/stack interface had been disabled for non-current tasks, see [1]
+But 'wchan' still allows to trigger stack frame unwinding on volatile stack.
+
+This patch fixes oops in unwind_frame() by adding stack pointer validation on
+each step (as x86 code do), unwind_frame() already checks frame pointer.
+
+Also I've found another report of this oops on stackoverflow (irony).
+
+Link: http://www.spinics.net/lists/arm-kernel/msg110589.html [1]
+Link: http://stackoverflow.com/questions/18479894/unwind-frame-cause-a-kernel-paging-error
+
+Signed-off-by: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kernel/process.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/kernel/process.c
++++ b/arch/arm/kernel/process.c
+@@ -408,6 +408,7 @@ EXPORT_SYMBOL(dump_fpu);
+ unsigned long get_wchan(struct task_struct *p)
+ {
+       struct stackframe frame;
++      unsigned long stack_page;
+       int count = 0;
+       if (!p || p == current || p->state == TASK_RUNNING)
+               return 0;
+@@ -416,9 +417,11 @@ unsigned long get_wchan(struct task_stru
+       frame.sp = thread_saved_sp(p);
+       frame.lr = 0;                   /* recovered from the stack */
+       frame.pc = thread_saved_pc(p);
++      stack_page = (unsigned long)task_stack_page(p);
+       do {
+-              int ret = unwind_frame(&frame);
+-              if (ret < 0)
++              if (frame.sp < stack_page ||
++                  frame.sp >= stack_page + THREAD_SIZE ||
++                  unwind_frame(&frame) < 0)
+                       return 0;
+               if (!in_sched_functions(frame.pc))
+                       return frame.pc;
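Review bot: The new range test `if (frame.sp < stack_page || frame.sp >= stack_page + THREAD_SIZE || unwind_frame(&frame) < 0)` carries no comment explaining why it exists, and the reason (a lockless walk of a stack that `p` may be rewriting at the same time) lives only in the commit message. A comment above the `do {`, such as `/* p is not locked and may be running: keep every read inside its own stack page */`, would record that the check bounds the unwinder's memory accesses rather than making the result reliable; the values read can still be stale. get_wchan's loop continues past the end of the hunk.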
diff --git a/queue-3.10/arm-7913-1-fix-framepointer-check-in-unwind_frame.patch b/queue-3.10/arm-7913-1-fix-framepointer-check-in-unwind_frame.patch
new file mode 100644 (file)
index 0000000..29b276b
--- /dev/null
@@ -0,0 +1,31 @@
+From 3abb6671a9c04479c4bd026798a05f857393b7e2 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+Date: Thu, 5 Dec 2013 14:23:48 +0100
+Subject: ARM: 7913/1: fix framepointer check in unwind_frame
+
+From: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+
+commit 3abb6671a9c04479c4bd026798a05f857393b7e2 upstream.
+
+This patch fixes corner case when (fp + 4) overflows unsigned long,
+for example: fp = 0xFFFFFFFF -> fp + 4 == 3.
+
+Signed-off-by: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kernel/stacktrace.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/stacktrace.c
++++ b/arch/arm/kernel/stacktrace.c
+@@ -31,7 +31,7 @@ int notrace unwind_frame(struct stackfra
+       high = ALIGN(low, THREAD_SIZE);
+       /* check current frame pointer is within bounds */
+-      if (fp < (low + 12) || fp + 4 >= high)
++      if (fp < low + 12 || fp > high - 4)
+               return -EINVAL;
+       /* restore the registers from the stack frame */
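Review bot: `fp > high - 4` relocates the wrap hazard from `fp + 4` to `high - 4`: the two tests agree only when `high >= 4`, and `high = ALIGN(low, THREAD_SIZE)` on the context line above can itself wrap to a small value if `low` lies within THREAD_SIZE of the top of the address space, in which case the old test rejected every fp and the new one accepts most. Whether such a `low` can ever reach unwind_frame is not visible here; if it cannot, a one-line comment such as `/* high cannot be below 4 for a valid kernel sp, so high - 4 does not wrap */` would make the assumption explicit for the next reader. unwind_frame's body starts and ends outside the hunk.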
diff --git a/queue-3.10/arm-omap3-hwmod-data-don-t-prevent-reset-of-usb-host-module.patch b/queue-3.10/arm-omap3-hwmod-data-don-t-prevent-reset-of-usb-host-module.patch
new file mode 100644 (file)
index 0000000..f118952
--- /dev/null
@@ -0,0 +1,55 @@
+From 7f4d3641e2548d1ac5dee837ff434df668a2810c Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Sun, 8 Dec 2013 18:39:02 -0700
+Subject: ARM: OMAP3: hwmod data: Don't prevent RESET of USB Host module
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit 7f4d3641e2548d1ac5dee837ff434df668a2810c upstream.
+
+Unlike what the comment states, errata i660 does not state that we
+can't RESET the USB host module. Instead it states that RESET is the
+only way to recover from a deadlock situation.
+
+RESET ensures that the module is in a known good state irrespective
+of what bootloader does with the module, so it must be done at boot.
+
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Tested-by: Tomi Valkeinen <tomi.valkeinen@ti.com> # Panda, BeagleXM
+Fixes: de231388cb80 ("ARM: OMAP: USB: EHCI and OHCI hwmod structures for OMAP3")
+Signed-off-by: Paul Walmsley <paul@pwsan.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-omap2/omap_hwmod_3xxx_data.c |   13 +++----------
+ 1 file changed, 3 insertions(+), 10 deletions(-)
+
+--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
++++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+@@ -1930,7 +1930,8 @@ static struct omap_hwmod_class_sysconfig
+       .syss_offs      = 0x0014,
+       .sysc_flags     = (SYSC_HAS_MIDLEMODE | SYSC_HAS_CLOCKACTIVITY |
+                          SYSC_HAS_SIDLEMODE | SYSC_HAS_ENAWAKEUP |
+-                         SYSC_HAS_SOFTRESET | SYSC_HAS_AUTOIDLE),
++                         SYSC_HAS_SOFTRESET | SYSC_HAS_AUTOIDLE |
++                         SYSS_HAS_RESET_STATUS),
+       .idlemodes      = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART |
+                          MSTANDBY_FORCE | MSTANDBY_NO | MSTANDBY_SMART),
+       .sysc_fields    = &omap_hwmod_sysc_type1,
+@@ -2008,15 +2009,7 @@ static struct omap_hwmod omap3xxx_usb_ho
+        * hence HWMOD_SWSUP_MSTANDBY
+        */
+-      /*
+-       * During system boot; If the hwmod framework resets the module
+-       * the module will have smart idle settings; which can lead to deadlock
+-       * (above Errata Id:i660); so, dont reset the module during boot;
+-       * Use HWMOD_INIT_NO_RESET.
+-       */
+-
+-      .flags          = HWMOD_SWSUP_SIDLE | HWMOD_SWSUP_MSTANDBY |
+-                        HWMOD_INIT_NO_RESET,
++      .flags          = HWMOD_SWSUP_SIDLE | HWMOD_SWSUP_MSTANDBY,
+ };
+ /*
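Review bot: Deleting the block comment removes the only in-code reference to errata i660 from this hwmod, so a later reader sees `HWMOD_INIT_NO_RESET` missing on a module whose remaining comment (context line `hence HWMOD_SWSUP_MSTANDBY`) still discusses idle behaviour, with no hint that the omission is deliberate. A one-line replacement above `.flags`, such as `/* errata i660: a boot-time reset is the recovery path, so do not suppress it */`, keeps the reference while stating the corrected reading given in the commit message. The `SYSS_HAS_RESET_STATUS` addition in the first hunk presumably lets the hwmod core observe the reset completing once the module is actually reset, so the two hunks belong together; confirm against the hwmod core.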
diff --git a/queue-3.10/arm-pxa-prevent-pxa270-occasional-reboot-freezes.patch b/queue-3.10/arm-pxa-prevent-pxa270-occasional-reboot-freezes.patch
new file mode 100644 (file)
index 0000000..dfc0bfb
--- /dev/null
@@ -0,0 +1,58 @@
+From ff88b4724fde18056a4c539f7327389aec0f4c2d Mon Sep 17 00:00:00 2001
+From: Sergei Ianovich <ynvich@gmail.com>
+Date: Tue, 10 Dec 2013 08:39:15 +0400
+Subject: ARM: pxa: prevent PXA270 occasional reboot freezes
+
+From: Sergei Ianovich <ynvich@gmail.com>
+
+commit ff88b4724fde18056a4c539f7327389aec0f4c2d upstream.
+
+Erratum 71 of PXA270M Processor Family Specification Update
+(April 19, 2010) explains that watchdog reset time is just
+8us insead of 10ms in EMTS.
+
+If SDRAM is not reset, it causes memory bus congestion and
+the device hangs. We put SDRAM in selfresh mode before watchdog
+reset, removing potential freezes.
+
+Without this patch PXA270-based ICP DAS LP-8x4x hangs after up to 40
+reboots. With this patch it has successfully rebooted 500 times.
+
+Signed-off-by: Sergei Ianovich <ynvich@gmail.com>
+Tested-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Haojian Zhuang <haojian.zhuang@gmail.com>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-pxa/reset.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/mach-pxa/reset.c
++++ b/arch/arm/mach-pxa/reset.c
+@@ -13,6 +13,7 @@
+ #include <mach/regs-ost.h>
+ #include <mach/reset.h>
++#include <mach/smemc.h>
+ unsigned int reset_status;
+ EXPORT_SYMBOL(reset_status);
+@@ -81,6 +82,12 @@ static void do_hw_reset(void)
+       writel_relaxed(OSSR_M3, OSSR);
+       /* ... in 100 ms */
+       writel_relaxed(readl_relaxed(OSCR) + 368640, OSMR3);
++      /*
++       * SDRAM hangs on watchdog reset on Marvell PXA270 (erratum 71)
++       * we put SDRAM into self-refresh to prevent that
++       */
++      while (1)
++              writel_relaxed(MDREFR_SLFRSH, MDREFR);
+ }
+ void pxa_restart(char mode, const char *cmd)
+@@ -104,4 +111,3 @@ void pxa_restart(char mode, const char *
+               break;
+       }
+ }
+-
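Review bot: The `while (1) writel_relaxed(MDREFR_SLFRSH, MDREFR);` loop makes do_hw_reset never return, which the comment above it does not say; it relies on the OSMR3 match armed two lines earlier (`/* ... in 100 ms */`) to fire. The loop also stores `MDREFR_SLFRSH` alone rather than `readl_relaxed(MDREFR) | MDREFR_SLFRSH`, so every other MDREFR field is overwritten; that is defensible if the controller is about to be reset anyway, but it should be stated. Extending the comment with `* Never returns: spin until the watchdog armed above fires (100 ms).` and `* Other MDREFR bits are intentionally dropped; the chip is about to reset.` would settle both, assuming the clobber is intended. pxa_restart's callers are outside the hunk, so whether any path expected do_hw_reset to return is not visible here.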
diff --git a/queue-3.10/arm-pxa-tosa-fix-keys-mapping.patch b/queue-3.10/arm-pxa-tosa-fix-keys-mapping.patch
new file mode 100644 (file)
index 0000000..ce09274
--- /dev/null
@@ -0,0 +1,134 @@
+From 506cac15ac86f204b83e3cfccde73eeb4e7c5f34 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Date: Sat, 16 Nov 2013 16:47:50 +0400
+Subject: ARM: pxa: tosa: fix keys mapping
+
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+
+commit 506cac15ac86f204b83e3cfccde73eeb4e7c5f34 upstream.
+
+When converting from tosa-keyboard driver to matrix keyboard, tosa keys
+received extra 1 column shift. Replace that with correct values to make
+keyboard work again.
+
+Fixes: f69a6548c9d5 ('[ARM] pxa/tosa: make use of the matrix keypad driver')
+Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Signed-off-by: Haojian Zhuang <haojian.zhuang@gmail.com>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-pxa/tosa.c |  102 +++++++++++++++++++++++------------------------
+ 1 file changed, 51 insertions(+), 51 deletions(-)
+
+--- a/arch/arm/mach-pxa/tosa.c
++++ b/arch/arm/mach-pxa/tosa.c
+@@ -424,57 +424,57 @@ static struct platform_device tosa_power
+  * Tosa Keyboard
+  */
+ static const uint32_t tosakbd_keymap[] = {
+-      KEY(0, 2, KEY_W),
+-      KEY(0, 6, KEY_K),
+-      KEY(0, 7, KEY_BACKSPACE),
+-      KEY(0, 8, KEY_P),
+-      KEY(1, 1, KEY_Q),
+-      KEY(1, 2, KEY_E),
+-      KEY(1, 3, KEY_T),
+-      KEY(1, 4, KEY_Y),
+-      KEY(1, 6, KEY_O),
+-      KEY(1, 7, KEY_I),
+-      KEY(1, 8, KEY_COMMA),
+-      KEY(2, 1, KEY_A),
+-      KEY(2, 2, KEY_D),
+-      KEY(2, 3, KEY_G),
+-      KEY(2, 4, KEY_U),
+-      KEY(2, 6, KEY_L),
+-      KEY(2, 7, KEY_ENTER),
+-      KEY(2, 8, KEY_DOT),
+-      KEY(3, 1, KEY_Z),
+-      KEY(3, 2, KEY_C),
+-      KEY(3, 3, KEY_V),
+-      KEY(3, 4, KEY_J),
+-      KEY(3, 5, TOSA_KEY_ADDRESSBOOK),
+-      KEY(3, 6, TOSA_KEY_CANCEL),
+-      KEY(3, 7, TOSA_KEY_CENTER),
+-      KEY(3, 8, TOSA_KEY_OK),
+-      KEY(3, 9, KEY_LEFTSHIFT),
+-      KEY(4, 1, KEY_S),
+-      KEY(4, 2, KEY_R),
+-      KEY(4, 3, KEY_B),
+-      KEY(4, 4, KEY_N),
+-      KEY(4, 5, TOSA_KEY_CALENDAR),
+-      KEY(4, 6, TOSA_KEY_HOMEPAGE),
+-      KEY(4, 7, KEY_LEFTCTRL),
+-      KEY(4, 8, TOSA_KEY_LIGHT),
+-      KEY(4, 10, KEY_RIGHTSHIFT),
+-      KEY(5, 1, KEY_TAB),
+-      KEY(5, 2, KEY_SLASH),
+-      KEY(5, 3, KEY_H),
+-      KEY(5, 4, KEY_M),
+-      KEY(5, 5, TOSA_KEY_MENU),
+-      KEY(5, 7, KEY_UP),
+-      KEY(5, 11, TOSA_KEY_FN),
+-      KEY(6, 1, KEY_X),
+-      KEY(6, 2, KEY_F),
+-      KEY(6, 3, KEY_SPACE),
+-      KEY(6, 4, KEY_APOSTROPHE),
+-      KEY(6, 5, TOSA_KEY_MAIL),
+-      KEY(6, 6, KEY_LEFT),
+-      KEY(6, 7, KEY_DOWN),
+-      KEY(6, 8, KEY_RIGHT),
++      KEY(0, 1, KEY_W),
++      KEY(0, 5, KEY_K),
++      KEY(0, 6, KEY_BACKSPACE),
++      KEY(0, 7, KEY_P),
++      KEY(1, 0, KEY_Q),
++      KEY(1, 1, KEY_E),
++      KEY(1, 2, KEY_T),
++      KEY(1, 3, KEY_Y),
++      KEY(1, 5, KEY_O),
++      KEY(1, 6, KEY_I),
++      KEY(1, 7, KEY_COMMA),
++      KEY(2, 0, KEY_A),
++      KEY(2, 1, KEY_D),
++      KEY(2, 2, KEY_G),
++      KEY(2, 3, KEY_U),
++      KEY(2, 5, KEY_L),
++      KEY(2, 6, KEY_ENTER),
++      KEY(2, 7, KEY_DOT),
++      KEY(3, 0, KEY_Z),
++      KEY(3, 1, KEY_C),
++      KEY(3, 2, KEY_V),
++      KEY(3, 3, KEY_J),
++      KEY(3, 4, TOSA_KEY_ADDRESSBOOK),
++      KEY(3, 5, TOSA_KEY_CANCEL),
++      KEY(3, 6, TOSA_KEY_CENTER),
++      KEY(3, 7, TOSA_KEY_OK),
++      KEY(3, 8, KEY_LEFTSHIFT),
++      KEY(4, 0, KEY_S),
++      KEY(4, 1, KEY_R),
++      KEY(4, 2, KEY_B),
++      KEY(4, 3, KEY_N),
++      KEY(4, 4, TOSA_KEY_CALENDAR),
++      KEY(4, 5, TOSA_KEY_HOMEPAGE),
++      KEY(4, 6, KEY_LEFTCTRL),
++      KEY(4, 7, TOSA_KEY_LIGHT),
++      KEY(4, 9, KEY_RIGHTSHIFT),
++      KEY(5, 0, KEY_TAB),
++      KEY(5, 1, KEY_SLASH),
++      KEY(5, 2, KEY_H),
++      KEY(5, 3, KEY_M),
++      KEY(5, 4, TOSA_KEY_MENU),
++      KEY(5, 6, KEY_UP),
++      KEY(5, 10, TOSA_KEY_FN),
++      KEY(6, 0, KEY_X),
++      KEY(6, 1, KEY_F),
++      KEY(6, 2, KEY_SPACE),
++      KEY(6, 3, KEY_APOSTROPHE),
++      KEY(6, 4, TOSA_KEY_MAIL),
++      KEY(6, 5, KEY_LEFT),
++      KEY(6, 6, KEY_DOWN),
++      KEY(6, 7, KEY_RIGHT),
+ };
+ static struct matrix_keymap_data tosakbd_keymap_data = {
diff --git a/queue-3.10/kvm-improve-create-vcpu-parameter-cve-2013-4587.patch b/queue-3.10/kvm-improve-create-vcpu-parameter-cve-2013-4587.patch
new file mode 100644 (file)
index 0000000..41cfc83
--- /dev/null
@@ -0,0 +1,37 @@
+From 338c7dbadd2671189cec7faf64c84d01071b3f96 Mon Sep 17 00:00:00 2001
+From: Andy Honig <ahonig@google.com>
+Date: Mon, 18 Nov 2013 16:09:22 -0800
+Subject: KVM: Improve create VCPU parameter (CVE-2013-4587)
+
+From: Andy Honig <ahonig@google.com>
+
+commit 338c7dbadd2671189cec7faf64c84d01071b3f96 upstream.
+
+In multiple functions the vcpu_id is used as an offset into a bitfield.  Ag
+malicious user could specify a vcpu_id greater than 255 in order to set or
+clear bits in kernel memory.  This could be used to elevate priveges in the
+kernel.  This patch verifies that the vcpu_id provided is less than 255.
+The api documentation already specifies that the vcpu_id must be less than
+max_vcpus, but this is currently not checked.
+
+Reported-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/kvm_main.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1904,6 +1904,9 @@ static int kvm_vm_ioctl_create_vcpu(stru
+       int r;
+       struct kvm_vcpu *vcpu, *v;
++      if (id >= KVM_MAX_VCPUS)
++              return -EINVAL;
++
+       vcpu = kvm_arch_vcpu_create(kvm, id);
+       if (IS_ERR(vcpu))
+               return PTR_ERR(vcpu);
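Review bot: `if (id >= KVM_MAX_VCPUS) return -EINVAL;` is a complete bound only if `id` is unsigned; the parameter list of kvm_vm_ioctl_create_vcpu is cut off in the hunk header, so confirm it is `u32` (a signed `int` would let negative values past a `>=` test). The commit message says the id is checked to be "less than 255" while the code compares against `KVM_MAX_VCPUS`; naming the constant in the message keeps the two from drifting. A comment on the check, `/* id indexes per-VM bitmaps (CVE-2013-4587): bound it before any arch code sees it */`, would tell future readers why it must stay ahead of kvm_arch_vcpu_create().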
diff --git a/queue-3.10/kvm-x86-convert-vapic-synchronization-to-_cached-functions-cve-2013-6368.patch b/queue-3.10/kvm-x86-convert-vapic-synchronization-to-_cached-functions-cve-2013-6368.patch
new file mode 100644 (file)
index 0000000..bf252be
--- /dev/null
@@ -0,0 +1,187 @@
+From fda4e2e85589191b123d31cdc21fd33ee70f50fd Mon Sep 17 00:00:00 2001
+From: Andy Honig <ahonig@google.com>
+Date: Wed, 20 Nov 2013 10:23:22 -0800
+Subject: KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368)
+
+From: Andy Honig <ahonig@google.com>
+
+commit fda4e2e85589191b123d31cdc21fd33ee70f50fd upstream.
+
+In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the
+potential to corrupt kernel memory if userspace provides an address that
+is at the end of a page.  This patches concerts those functions to use
+kvm_write_guest_cached and kvm_read_guest_cached.  It also checks the
+vapic_address specified by userspace during ioctl processing and returns
+an error to userspace if the address is not a valid GPA.
+
+This is generally not guest triggerable, because the required write is
+done by firmware that runs before the guest.  Also, it only affects AMD
+processors and oldish Intel that do not have the FlexPriority feature
+(unless you disable FlexPriority, of course; then newer processors are
+also affected).
+
+Fixes: b93463aa59d6 ('KVM: Accelerated apic support')
+
+Reported-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/lapic.c |   27 +++++++++++++++------------
+ arch/x86/kvm/lapic.h |    4 ++--
+ arch/x86/kvm/x86.c   |   40 +---------------------------------------
+ 3 files changed, 18 insertions(+), 53 deletions(-)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -1706,7 +1706,6 @@ static void apic_sync_pv_eoi_from_guest(
+ void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu)
+ {
+       u32 data;
+-      void *vapic;
+       if (test_bit(KVM_APIC_PV_EOI_PENDING, &vcpu->arch.apic_attention))
+               apic_sync_pv_eoi_from_guest(vcpu, vcpu->arch.apic);
+@@ -1714,9 +1713,8 @@ void kvm_lapic_sync_from_vapic(struct kv
+       if (!test_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention))
+               return;
+-      vapic = kmap_atomic(vcpu->arch.apic->vapic_page);
+-      data = *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr));
+-      kunmap_atomic(vapic);
++      kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data,
++                              sizeof(u32));
+       apic_set_tpr(vcpu->arch.apic, data & 0xff);
+ }
+@@ -1752,7 +1750,6 @@ void kvm_lapic_sync_to_vapic(struct kvm_
+       u32 data, tpr;
+       int max_irr, max_isr;
+       struct kvm_lapic *apic = vcpu->arch.apic;
+-      void *vapic;
+       apic_sync_pv_eoi_to_guest(vcpu, apic);
+@@ -1768,18 +1765,24 @@ void kvm_lapic_sync_to_vapic(struct kvm_
+               max_isr = 0;
+       data = (tpr & 0xff) | ((max_isr & 0xf0) << 8) | (max_irr << 24);
+-      vapic = kmap_atomic(vcpu->arch.apic->vapic_page);
+-      *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr)) = data;
+-      kunmap_atomic(vapic);
++      kvm_write_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data,
++                              sizeof(u32));
+ }
+-void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr)
++int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr)
+ {
+-      vcpu->arch.apic->vapic_addr = vapic_addr;
+-      if (vapic_addr)
++      if (vapic_addr) {
++              if (kvm_gfn_to_hva_cache_init(vcpu->kvm,
++                                      &vcpu->arch.apic->vapic_cache,
++                                      vapic_addr, sizeof(u32)))
++                      return -EINVAL;
+               __set_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention);
+-      else
++      } else {
+               __clear_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention);
++      }
++
++      vcpu->arch.apic->vapic_addr = vapic_addr;
++      return 0;
+ }
+ int kvm_x2apic_msr_write(struct kvm_vcpu *vcpu, u32 msr, u64 data)
+--- a/arch/x86/kvm/lapic.h
++++ b/arch/x86/kvm/lapic.h
+@@ -34,7 +34,7 @@ struct kvm_lapic {
+        */
+       void *regs;
+       gpa_t vapic_addr;
+-      struct page *vapic_page;
++      struct gfn_to_hva_cache vapic_cache;
+       unsigned long pending_events;
+       unsigned int sipi_vector;
+ };
+@@ -76,7 +76,7 @@ void kvm_set_lapic_tscdeadline_msr(struc
+ void kvm_apic_write_nodecode(struct kvm_vcpu *vcpu, u32 offset);
+ void kvm_apic_set_eoi_accelerated(struct kvm_vcpu *vcpu, int vector);
+-void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr);
++int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr);
+ void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu);
+ void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu);
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3138,8 +3138,7 @@ long kvm_arch_vcpu_ioctl(struct file *fi
+               r = -EFAULT;
+               if (copy_from_user(&va, argp, sizeof va))
+                       goto out;
+-              r = 0;
+-              kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr);
++              r = kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr);
+               break;
+       }
+       case KVM_X86_SETUP_MCE: {
+@@ -5539,36 +5538,6 @@ static void post_kvm_run_save(struct kvm
+                       !kvm_event_needs_reinjection(vcpu);
+ }
+-static int vapic_enter(struct kvm_vcpu *vcpu)
+-{
+-      struct kvm_lapic *apic = vcpu->arch.apic;
+-      struct page *page;
+-
+-      if (!apic || !apic->vapic_addr)
+-              return 0;
+-
+-      page = gfn_to_page(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT);
+-      if (is_error_page(page))
+-              return -EFAULT;
+-
+-      vcpu->arch.apic->vapic_page = page;
+-      return 0;
+-}
+-
+-static void vapic_exit(struct kvm_vcpu *vcpu)
+-{
+-      struct kvm_lapic *apic = vcpu->arch.apic;
+-      int idx;
+-
+-      if (!apic || !apic->vapic_addr)
+-              return;
+-
+-      idx = srcu_read_lock(&vcpu->kvm->srcu);
+-      kvm_release_page_dirty(apic->vapic_page);
+-      mark_page_dirty(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT);
+-      srcu_read_unlock(&vcpu->kvm->srcu, idx);
+-}
+-
+ static void update_cr8_intercept(struct kvm_vcpu *vcpu)
+ {
+       int max_irr, tpr;
+@@ -5889,11 +5858,6 @@ static int __vcpu_run(struct kvm_vcpu *v
+       struct kvm *kvm = vcpu->kvm;
+       vcpu->srcu_idx = srcu_read_lock(&kvm->srcu);
+-      r = vapic_enter(vcpu);
+-      if (r) {
+-              srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx);
+-              return r;
+-      }
+       r = 1;
+       while (r > 0) {
+@@ -5951,8 +5915,6 @@ static int __vcpu_run(struct kvm_vcpu *v
+       srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx);
+-      vapic_exit(vcpu);
+-
+       return r;
+ }
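Review bot: The return value of `kvm_read_guest_cached()` in kvm_lapic_sync_from_vapic is dropped, so when the cached read fails `data` (declared `u32 data;` with no initializer) stays uninitialized and `apic_set_tpr(vcpu->arch.apic, data & 0xff)` programs the TPR from stack garbage; the removed kmap_atomic path could not fail, so this hazard is new to the conversion. Bailing out instead, `if (kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data, sizeof(u32))) return;`, keeps the previous TPR. The write in kvm_lapic_sync_to_vapic ignores its return as well; a failed write only loses one sync, but a one-line comment saying that is intentional would help. kvm_lapic_set_vapic_addr correctly leaves `vapic_addr` and the attention bit untouched when the cache init fails, and the x86.c hunk now propagates that `-EINVAL` to userspace, which is worth a note next to the return.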
diff --git a/queue-3.10/kvm-x86-fix-guest-initiated-crash-with-x2apic-cve-2013-6376.patch b/queue-3.10/kvm-x86-fix-guest-initiated-crash-with-x2apic-cve-2013-6376.patch
new file mode 100644 (file)
index 0000000..57408bf
--- /dev/null
@@ -0,0 +1,53 @@
+From 17d68b763f09a9ce824ae23eb62c9efc57b69271 Mon Sep 17 00:00:00 2001
+From: Gleb Natapov <gleb@redhat.com>
+Date: Thu, 12 Dec 2013 21:20:08 +0100
+Subject: KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376)
+
+From: Gleb Natapov <gleb@redhat.com>
+
+commit 17d68b763f09a9ce824ae23eb62c9efc57b69271 upstream.
+
+A guest can cause a BUG_ON() leading to a host kernel crash.
+When the guest writes to the ICR to request an IPI, while in x2apic
+mode the following things happen, the destination is read from
+ICR2, which is a register that the guest can control.
+
+kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the
+cluster id.  A BUG_ON is triggered, which is a protection against
+accessing map->logical_map with an out-of-bounds access and manages
+to avoid that anything really unsafe occurs.
+
+The logic in the code is correct from real HW point of view. The problem
+is that KVM supports only one cluster with ID 0 in clustered mode, but
+the code that has the bug does not take this into account.
+
+Reported-by: Lars Bull <larsbull@google.com>
+Signed-off-by: Gleb Natapov <gleb@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/lapic.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -153,6 +153,8 @@ static inline int kvm_apic_id(struct kvm
+       return (kvm_apic_get_reg(apic, APIC_ID) >> 24) & 0xff;
+ }
++#define KVM_X2APIC_CID_BITS 0
++
+ static void recalculate_apic_map(struct kvm *kvm)
+ {
+       struct kvm_apic_map *new, *old = NULL;
+@@ -190,7 +192,8 @@ static void recalculate_apic_map(struct
+               if (apic_x2apic_mode(apic)) {
+                       new->ldr_bits = 32;
+                       new->cid_shift = 16;
+-                      new->cid_mask = new->lid_mask = 0xffff;
++                      new->cid_mask = (1 << KVM_X2APIC_CID_BITS) - 1;
++                      new->lid_mask = 0xffff;
+               } else if (kvm_apic_sw_enabled(apic) &&
+                               !new->cid_mask /* flat mode */ &&
+                               kvm_apic_get_reg(apic, APIC_DFR) == APIC_DFR_CLUSTER) {
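Review bot: `#define KVM_X2APIC_CID_BITS 0` arrives without a comment, and a zero-bit field reads like a typo unless one knows KVM models only cluster 0 in x2APIC mode, which is stated in the commit message but not the code; add `/* KVM supports a single x2APIC cluster (id 0), so no cluster-id bits are decoded */` above it. With `cid_mask` now 0 for x2APIC, the `else if (... !new->cid_mask /* flat mode */ ...)` test on the following context line can no longer tell "still the flat default" from "already configured by an x2APIC vCPU"; if this runs once per vCPU (the loop header is outside the hunk), a VM mixing an x2APIC vCPU with an xAPIC cluster-mode vCPU could have the later branch overwrite the x2APIC settings. Presumably rare, but it deserves a comment or an explicit mode flag rather than overloading `cid_mask`.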
diff --git a/queue-3.10/kvm-x86-fix-potential-divide-by-0-in-lapic-cve-2013-6367.patch b/queue-3.10/kvm-x86-fix-potential-divide-by-0-in-lapic-cve-2013-6367.patch
new file mode 100644 (file)
index 0000000..b882f21
--- /dev/null
@@ -0,0 +1,44 @@
+From b963a22e6d1a266a67e9eecc88134713fd54775c Mon Sep 17 00:00:00 2001
+From: Andy Honig <ahonig@google.com>
+Date: Tue, 19 Nov 2013 14:12:18 -0800
+Subject: KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
+
+From: Andy Honig <ahonig@google.com>
+
+commit b963a22e6d1a266a67e9eecc88134713fd54775c upstream.
+
+Under guest controllable circumstances apic_get_tmcct will execute a
+divide by zero and cause a crash.  If the guest cpuid support
+tsc deadline timers and performs the following sequence of requests
+the host will crash.
+- Set the mode to periodic
+- Set the TMICT to 0
+- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
+- Set the TMICT to non-zero.
+Then the lapic_timer.period will be 0, but the TMICT will not be.  If the
+guest then reads from the TMCCT then the host will perform a divide by 0.
+
+This patch ensures that if the lapic_timer.period is 0, then the division
+does not occur.
+
+Reported-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Andrew Honig <ahonig@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/lapic.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -855,7 +855,8 @@ static u32 apic_get_tmcct(struct kvm_lap
+       ASSERT(apic != NULL);
+       /* if initial count is 0, current count should also be 0 */
+-      if (kvm_apic_get_reg(apic, APIC_TMICT) == 0)
++      if (kvm_apic_get_reg(apic, APIC_TMICT) == 0 ||
++              apic->lapic_timer.period == 0)
+               return 0;
+       remaining = hrtimer_get_remaining(&apic->lapic_timer.timer);
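Review bot: The comment `/* if initial count is 0, current count should also be 0 */` now covers only half of the condition; the new `apic->lapic_timer.period == 0` leg exists to avoid the divide by zero described in the commit message and should be named, e.g. `/* TMICT == 0, or an unarmed timer (period 0): report 0 rather than divide by the period */`. The continuation line appears indented by a plain extra tab rather than aligned under `kvm_apic_get_reg(`, which is not the usual kernel alignment for a wrapped condition. apic_get_tmcct's body continues outside the hunk, where the division this guards presumably lives.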
index 94539ae28bd91846a0ae43ce24dbc12f64900b45..5bd4feadf9e03aa8303e77f50e28e83ffe975f98 100644 (file)
@@ -5,3 +5,12 @@ alsa-memalloc.h-fix-wrong-truncation-of-dma_addr_t.patch
 alsa-hda-add-static-dac-pin-mapping-for-ad1986a-codec.patch
 alsa-hda-mute-all-aamix-inputs-as-default.patch
 alsa-hda-hdmi-fix-iec958-ctl-indexes-for-some-simple-hdmi-devices.patch
+arm-pxa-tosa-fix-keys-mapping.patch
+arm-pxa-prevent-pxa270-occasional-reboot-freezes.patch
+arm-omap3-hwmod-data-don-t-prevent-reset-of-usb-host-module.patch
+arm-7912-1-check-stack-pointer-in-get_wchan.patch
+arm-7913-1-fix-framepointer-check-in-unwind_frame.patch
+kvm-improve-create-vcpu-parameter-cve-2013-4587.patch
+kvm-x86-fix-potential-divide-by-0-in-lapic-cve-2013-6367.patch
+kvm-x86-convert-vapic-synchronization-to-_cached-functions-cve-2013-6368.patch
+kvm-x86-fix-guest-initiated-crash-with-x2apic-cve-2013-6376.patch