From: Greg Kroah-Hartman Date: Mon, 10 Nov 2014 02:32:55 +0000 (+0900) Subject: 3.10-stable patches X-Git-Tag: v3.10.60~59 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0a7ae49b8fe66131b6419dd1a98ca953d09a06bf;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: arc-allow-headless-models-to-boot.patch arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch kvm-x86-fix-wrong-masking-on-relative-jump-call.patch kvm-x86-improve-thread-safety-in-pit.patch kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch --- diff --git a/queue-3.10/arc-allow-headless-models-to-boot.patch b/queue-3.10/arc-allow-headless-models-to-boot.patch new file mode 100644 index 00000000000..2fd33e5b1e0 --- /dev/null +++ b/queue-3.10/arc-allow-headless-models-to-boot.patch 
@@ -0,0 +1,35 @@ +From 5c05483e2db91890faa9a7be0a831701a3f442d6 Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Fri, 20 Jun 2014 16:24:49 +0530 +Subject: ARC: [nsimosci] Allow "headless" models to boot + +From: Vineet Gupta + +commit 5c05483e2db91890faa9a7be0a831701a3f442d6 upstream. + +There are certain test configuration of virtual platform which don't +have any real console device (uart/pgu). So add tty0 as a fallback console +device to allow system to boot and be accessible via telnet + +Otherwise with ttyS0 as only console, but 8250 disabled in kernel build, +init chokes. + +Reported-by: Anton Kolesov +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/boot/dts/nsimosci.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arc/boot/dts/nsimosci.dts ++++ b/arch/arc/boot/dts/nsimosci.dts +@@ -20,7 +20,7 @@ + /* this is for console on PGU */ + /* bootargs = "console=tty0 consoleblank=0"; */ + /* this is for console on serial */ +- bootargs = "earlycon=uart8250,mmio32,0xc0000000,115200n8 console=ttyS0,115200n8 consoleblank=0 debug"; ++ bootargs = "earlycon=uart8250,mmio32,0xc0000000,115200n8 console=tty0 console=ttyS0,115200n8 consoleblank=0 debug"; + }; + + aliases { diff --git a/queue-3.10/arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch b/queue-3.10/arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch new file mode 100644 index 00000000000..2cda87bf93e --- /dev/null +++ b/queue-3.10/arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch 
@@ -0,0 +1,73 @@ +From ebc0c74e76cec9c4dd860eb0ca1c0b39dc63c482 Mon Sep 17 00:00:00 2001 +From: Anton Kolesov +Date: Thu, 25 Sep 2014 13:23:24 +0400 +Subject: ARC: Update order of registers in KGDB to match GDB 7.5 + +From: Anton Kolesov + +commit ebc0c74e76cec9c4dd860eb0ca1c0b39dc63c482 upstream. + +Order of registers has changed in GDB moving from 6.8 to 7.5. This patch +updates KGDB to work properly with GDB 7.5, though makes it incompatible +with 6.8. + +Signed-off-by: Anton Kolesov +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/kgdb.h | 32 ++++++++++++++++++-------------- + 1 file changed, 18 insertions(+), 14 deletions(-) + +--- a/arch/arc/include/asm/kgdb.h ++++ b/arch/arc/include/asm/kgdb.h +@@ -19,7 +19,7 @@ + * register API yet */ + #undef DBG_MAX_REG_NUM + +-#define GDB_MAX_REGS 39 ++#define GDB_MAX_REGS 87 + + #define BREAK_INSTR_SIZE 2 + #define CACHE_FLUSH_IS_SAFE 1 +@@ -33,23 +33,27 @@ static inline void arch_kgdb_breakpoint( + + extern void kgdb_trap(struct pt_regs *regs, int param); + +-enum arc700_linux_regnums { ++/* This is the numbering of registers according to the GDB. See GDB's ++ * arc-tdep.h for details. ++ * ++ * Registers are ordered for GDB 7.5. It is incompatible with GDB 6.8. */ ++enum arc_linux_regnums { + _R0 = 0, + _R1, _R2, _R3, _R4, _R5, _R6, _R7, _R8, _R9, _R10, _R11, _R12, _R13, + _R14, _R15, _R16, _R17, _R18, _R19, _R20, _R21, _R22, _R23, _R24, + _R25, _R26, +- _BTA = 27, +- _LP_START = 28, +- _LP_END = 29, +- _LP_COUNT = 30, +- _STATUS32 = 31, +- _BLINK = 32, +- _FP = 33, +- __SP = 34, +- _EFA = 35, +- _RET = 36, +- _ORIG_R8 = 37, +- _STOP_PC = 38 ++ _FP = 27, ++ __SP = 28, ++ _R30 = 30, ++ _BLINK = 31, ++ _LP_COUNT = 60, ++ _STOP_PC = 64, ++ _RET = 64, ++ _LP_START = 65, ++ _LP_END = 66, ++ _STATUS32 = 67, ++ _ECR = 76, ++ _BTA = 82, + }; + + #else 
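Review bot: In the new `enum arc_linux_regnums`, `_STOP_PC` and `_RET` both take the value 64, but nothing says the aliasing is intended; in the enum this replaces they were distinct (38 and 36), so a reader may take it for a slip. A comment next to the pair such as `/* _RET aliases _STOP_PC: same GDB 7.5 register slot */` would settle it, assuming that is the reason, which the hunk does not state. The gaps in the numbering (28 to 30, 31 to 60, 67 to 76, 76 to 82) are presumably slots the kernel does not expose; saying so in the header comment alongside `GDB_MAX_REGS 87` would help whoever next bumps that constant.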
diff --git a/queue-3.10/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch b/queue-3.10/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch new file mode 100644 index 00000000000..a9a00db9e8e --- /dev/null +++ b/queue-3.10/kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch 
@@ -0,0 +1,78 @@ +From 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f Mon Sep 17 00:00:00 2001 +From: Quentin Casasnovas +Date: Fri, 17 Oct 2014 22:55:59 +0200 +Subject: kvm: fix excessive pages un-pinning in kvm_iommu_map error path. + +From: Quentin Casasnovas + +commit 3d32e4dbe71374a6780eaf51d719d76f9a9bf22f upstream. + +The third parameter of kvm_unpin_pages() when called from +kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin +and not the page size. + +This error was facilitated with an inconsistent API: kvm_pin_pages() takes +a size, but kvn_unpin_pages() takes a number of pages, so fix the problem +by matching the two. + +This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter +of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of +un-pinning for pages intended to be un-pinned (i.e. memory leak) but +unfortunately potentially aggravated the number of pages we un-pin that +should have stayed pinned. As far as I understand though, the same +practical mitigations apply. + +This issue was found during review of Red Hat 6.6 patches to prepare +Ksplice rebootless updates. + +Thanks to Vegard for his time on a late Friday evening to help me in +understanding this code. + +Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... 
(CVE-2014-3601)") +Signed-off-by: Quentin Casasnovas +Signed-off-by: Vegard Nossum +Signed-off-by: Jamie Iles +Reviewed-by: Sasha Levin +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/iommu.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/virt/kvm/iommu.c ++++ b/virt/kvm/iommu.c +@@ -43,13 +43,13 @@ static void kvm_iommu_put_pages(struct k + gfn_t base_gfn, unsigned long npages); + + static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn, +- unsigned long size) ++ unsigned long npages) + { + gfn_t end_gfn; + pfn_t pfn; + + pfn = gfn_to_pfn_memslot(slot, gfn); +- end_gfn = gfn + (size >> PAGE_SHIFT); ++ end_gfn = gfn + npages; + gfn += 1; + + if (is_error_noslot_pfn(pfn)) +@@ -119,7 +119,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, + * Pin all pages we are about to map in memory. This is + * important because we unmap and unpin in 4kb steps later. + */ +- pfn = kvm_pin_pages(slot, gfn, page_size); ++ pfn = kvm_pin_pages(slot, gfn, page_size >> PAGE_SHIFT); + if (is_error_noslot_pfn(pfn)) { + gfn += 1; + continue; +@@ -131,7 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, + if (r) { + printk(KERN_ERR "kvm_iommu_map_address:" + "iommu failed to map pfn=%llx\n", pfn); +- kvm_unpin_pages(kvm, pfn, page_size); ++ kvm_unpin_pages(kvm, pfn, page_size >> PAGE_SHIFT); + goto unmap_pages; + } + diff --git a/queue-3.10/kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch b/queue-3.10/kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch new file mode 100644 index 00000000000..a1c184fe7b1 --- /dev/null +++ b/queue-3.10/kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch 
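Review bot: The expression `page_size >> PAGE_SHIFT` is now computed twice in `kvm_iommu_map_pages`, once for `kvm_pin_pages` and once for `kvm_unpin_pages` in the error path. A single local such as `unsigned long npages = page_size >> PAGE_SHIFT;` declared once and passed to both calls would keep the pin and unpin counts from drifting apart again, which is exactly the mismatch this patch and the earlier CVE-2014-3601 fix address. The body of `kvm_iommu_map_pages` starts and ends outside the hunk.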
@@ -0,0 +1,140 @@ +From 854e8bb1aa06c578c2c9145fa6bfe3680ef63b23 Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Tue, 16 Sep 2014 03:24:05 +0300 +Subject: KVM: x86: Check non-canonical addresses upon WRMSR + +From: Nadav Amit + +commit 854e8bb1aa06c578c2c9145fa6bfe3680ef63b23 upstream. + +Upon WRMSR, the CPU should inject #GP if a non-canonical value (address) is +written to certain MSRs. The behavior is "almost" identical for AMD and Intel +(ignoring MSRs that are not implemented in either architecture since they would +anyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if +non-canonical address is written on Intel but not on AMD (which ignores the top +32-bits). + +Accordingly, this patch injects a #GP on the MSRs which behave identically on +Intel and AMD. To eliminate the differences between the architecutres, the +value which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to +canonical value before writing instead of injecting a #GP. + +Some references from Intel and AMD manuals: + +According to Intel SDM description of WRMSR instruction #GP is expected on +WRMSR "If the source register contains a non-canonical address and ECX +specifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE, +IA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP." + +According to AMD manual instruction manual: +LSTAR/CSTAR (SYSCALL): "The WRMSR instruction loads the target RIP into the +LSTAR and CSTAR registers. If an RIP written by WRMSR is not in canonical +form, a general-protection exception (#GP) occurs." +IA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): "The address written to the +base field must be in canonical form or a #GP fault will occur." +IA32_KERNEL_GS_BASE (SWAPGS): "The address stored in the KernelGSbase MSR must +be in canonical form." + +This patch fixes CVE-2014-3610. 
+ +Signed-off-by: Nadav Amit +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/kvm_host.h | 14 ++++++++++++++ + arch/x86/kvm/svm.c | 2 +- + arch/x86/kvm/vmx.c | 2 +- + arch/x86/kvm/x86.c | 27 ++++++++++++++++++++++++++- + 4 files changed, 42 insertions(+), 3 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -953,6 +953,20 @@ static inline void kvm_inject_gp(struct + kvm_queue_exception_e(vcpu, GP_VECTOR, error_code); + } + ++static inline u64 get_canonical(u64 la) ++{ ++ return ((int64_t)la << 16) >> 16; ++} ++ ++static inline bool is_noncanonical_address(u64 la) ++{ ++#ifdef CONFIG_X86_64 ++ return get_canonical(la) != la; ++#else ++ return false; ++#endif ++} ++ + #define TSS_IOPB_BASE_OFFSET 0x66 + #define TSS_BASE_SIZE 0x68 + #define TSS_IOPB_SIZE (65536 / 8) +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3196,7 +3196,7 @@ static int wrmsr_interception(struct vcp + msr.host_initiated = false; + + svm->next_rip = kvm_rip_read(&svm->vcpu) + 2; +- if (svm_set_msr(&svm->vcpu, &msr)) { ++ if (kvm_set_msr(&svm->vcpu, &msr)) { + trace_kvm_msr_write_ex(ecx, data); + kvm_inject_gp(&svm->vcpu, 0); + } else { +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -5065,7 +5065,7 @@ static int handle_wrmsr(struct kvm_vcpu + msr.data = data; + msr.index = ecx; + msr.host_initiated = false; +- if (vmx_set_msr(vcpu, &msr) != 0) { ++ if (kvm_set_msr(vcpu, &msr) != 0) { + trace_kvm_msr_write_ex(ecx, data); + kvm_inject_gp(vcpu, 0); + return 1; +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -925,7 +925,6 @@ void kvm_enable_efer_bits(u64 mask) + } + EXPORT_SYMBOL_GPL(kvm_enable_efer_bits); + +- + /* + * Writes msr value into into the appropriate "register". + * Returns 0 on success, non-0 otherwise. 
+@@ -933,8 +932,34 @@ EXPORT_SYMBOL_GPL(kvm_enable_efer_bits); + */ + int kvm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr) + { ++ switch (msr->index) { ++ case MSR_FS_BASE: ++ case MSR_GS_BASE: ++ case MSR_KERNEL_GS_BASE: ++ case MSR_CSTAR: ++ case MSR_LSTAR: ++ if (is_noncanonical_address(msr->data)) ++ return 1; ++ break; ++ case MSR_IA32_SYSENTER_EIP: ++ case MSR_IA32_SYSENTER_ESP: ++ /* ++ * IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if ++ * non-canonical address is written on Intel but not on ++ * AMD (which ignores the top 32-bits, because it does ++ * not implement 64-bit SYSENTER). ++ * ++ * 64-bit code should hence be able to write a non-canonical ++ * value on AMD. Making the address canonical ensures that ++ * vmentry does not fail on Intel after writing a non-canonical ++ * value, and that something deterministic happens if the guest ++ * invokes 64-bit SYSENTER. ++ */ ++ msr->data = get_canonical(msr->data); ++ } + return kvm_x86_ops->set_msr(vcpu, msr); + } ++EXPORT_SYMBOL_GPL(kvm_set_msr); + + /* + * Adapt set_msr() to msr_io()'s calling convention diff --git a/queue-3.10/kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch b/queue-3.10/kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch new file mode 100644 index 00000000000..d97d1ff3bd6 --- /dev/null +++ b/queue-3.10/kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch 
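Review bot: `get_canonical` computes `((int64_t)la << 16) >> 16`, which left-shifts a signed value; whenever bit 47 of `la` is set the operand is negative after the cast, and a left shift of a negative signed value is undefined in ISO C (the kernel builds on GCC's two's-complement semantics, so this is a portability and style point rather than a live bug). Doing the left shift on the unsigned value and casting afterwards, `return (u64)((int64_t)(la << 16) >> 16);`, keeps the same result under that assumption and leaves only implementation-defined conversions. The literal 16 also encodes a 48-bit linear-address width twice; a named constant would make that visible to whoever later has to widen it. The new `switch` in `kvm_set_msr` ends on the SYSENTER arm with neither `break` nor `default:`, which is harmless today but worth a `break;` so a later case cannot fall into the canonicalisation.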
@@ -0,0 +1,53 @@ +From 2bc19dc3754fc066c43799659f0d848631c44cfe Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Thu, 18 Sep 2014 16:21:16 +0300 +Subject: kvm: x86: don't kill guest on unknown exit reason + +From: "Michael S. Tsirkin" + +commit 2bc19dc3754fc066c43799659f0d848631c44cfe upstream. + +KVM_EXIT_UNKNOWN is a kvm bug, we don't really know whether it was +triggered by a priveledged application. Let's not kill the guest: WARN +and inject #UD instead. + +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 6 +++--- + arch/x86/kvm/vmx.c | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3478,9 +3478,9 @@ static int handle_exit(struct kvm_vcpu * + + if (exit_code >= ARRAY_SIZE(svm_exit_handlers) + || !svm_exit_handlers[exit_code]) { +- kvm_run->exit_reason = KVM_EXIT_UNKNOWN; +- kvm_run->hw.hardware_exit_reason = exit_code; +- return 0; ++ WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_code); ++ kvm_queue_exception(vcpu, UD_VECTOR); ++ return 1; + } + + return svm_exit_handlers[exit_code](svm); +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -6654,10 +6654,10 @@ static int vmx_handle_exit(struct kvm_vc + && kvm_vmx_exit_handlers[exit_reason]) + return kvm_vmx_exit_handlers[exit_reason](vcpu); + else { +- vcpu->run->exit_reason = KVM_EXIT_UNKNOWN; +- vcpu->run->hw.hardware_exit_reason = exit_reason; ++ WARN_ONCE(1, "vmx: unexpected exit reason 0x%x\n", exit_reason); ++ kvm_queue_exception(vcpu, UD_VECTOR); ++ return 1; + } +- return 0; + } + + static void update_cr8_intercept(struct kvm_vcpu *vcpu, int tpr, int irr) diff --git a/queue-3.10/kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch b/queue-3.10/kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch new file mode 100644 index 00000000000..53c0436332b --- /dev/null 
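Review bot: The `WARN_ONCE` added to `handle_exit` in svm.c carries the prefix `vmx:` although it is the SVM path; `WARN_ONCE(1, "svm: unexpected exit reason 0x%x\n", exit_code);` keeps the two backends distinguishable in logs. Both hunks stop filling `hw.hardware_exit_reason`, so this warning is now the only place the offending exit code is recorded, which makes the correct prefix matter more. The bodies of `handle_exit` and `vmx_handle_exit` start outside their hunks.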
+++ b/queue-3.10/kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch 
@@ -0,0 +1,234 @@ +From 234f3ce485d54017f15cf5e0699cff4100121601 Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Thu, 18 Sep 2014 22:39:38 +0300 +Subject: KVM: x86: Emulator fixes for eip canonical checks on near branches + +From: Nadav Amit + +commit 234f3ce485d54017f15cf5e0699cff4100121601 upstream. + +Before changing rip (during jmp, call, ret, etc.) the target should be asserted +to be canonical one, as real CPUs do. During sysret, both target rsp and rip +should be canonical. If any of these values is noncanonical, a #GP exception +should occur. The exception to this rule are syscall and sysenter instructions +in which the assigned rip is checked during the assignment to the relevant +MSRs. + +This patch fixes the emulator to behave as real CPUs do for near branches. +Far branches are handled by the next patch. + +This fixes CVE-2014-3647. + +Signed-off-by: Nadav Amit +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 78 +++++++++++++++++++++++++++++++++---------------- + 1 file changed, 54 insertions(+), 24 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -736,7 +736,8 @@ static int emulate_nm(struct x86_emulate + return emulate_exception(ctxt, NM_VECTOR, 0, false); + } + +-static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst) ++static inline int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst, ++ int cs_l) + { + switch (ctxt->op_bytes) { + case 2: +@@ -746,16 +747,25 @@ static inline void assign_eip_near(struc + ctxt->_eip = (u32)dst; + break; + case 8: ++ if ((cs_l && is_noncanonical_address(dst)) || ++ (!cs_l && (dst & ~(u32)-1))) ++ return emulate_gp(ctxt, 0); + ctxt->_eip = dst; + break; + default: + WARN(1, "unsupported eip assignment size\n"); + } ++ return X86EMUL_CONTINUE; ++} ++ ++static inline int assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst) ++{ ++ return assign_eip_far(ctxt, dst, ctxt->mode == X86EMUL_MODE_PROT64); + } + 
+-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) ++static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) + { +- assign_eip_near(ctxt, ctxt->_eip + rel); ++ return assign_eip_near(ctxt, ctxt->_eip + rel); + } + + static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg) +@@ -2178,13 +2188,15 @@ static int em_grp45(struct x86_emulate_c + case 2: /* call near abs */ { + long int old_eip; + old_eip = ctxt->_eip; +- ctxt->_eip = ctxt->src.val; ++ rc = assign_eip_near(ctxt, ctxt->src.val); ++ if (rc != X86EMUL_CONTINUE) ++ break; + ctxt->src.val = old_eip; + rc = em_push(ctxt); + break; + } + case 4: /* jmp abs */ +- ctxt->_eip = ctxt->src.val; ++ rc = assign_eip_near(ctxt, ctxt->src.val); + break; + case 5: /* jmp far */ + rc = em_jmp_far(ctxt); +@@ -2216,10 +2228,14 @@ static int em_cmpxchg8b(struct x86_emula + + static int em_ret(struct x86_emulate_ctxt *ctxt) + { +- ctxt->dst.type = OP_REG; +- ctxt->dst.addr.reg = &ctxt->_eip; +- ctxt->dst.bytes = ctxt->op_bytes; +- return em_pop(ctxt); ++ int rc; ++ unsigned long eip; ++ ++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes); ++ if (rc != X86EMUL_CONTINUE) ++ return rc; ++ ++ return assign_eip_near(ctxt, eip); + } + + static int em_ret_far(struct x86_emulate_ctxt *ctxt) +@@ -2486,7 +2502,7 @@ static int em_sysexit(struct x86_emulate + { + const struct x86_emulate_ops *ops = ctxt->ops; + struct desc_struct cs, ss; +- u64 msr_data; ++ u64 msr_data, rcx, rdx; + int usermode; + u16 cs_sel = 0, ss_sel = 0; + +@@ -2502,6 +2518,9 @@ static int em_sysexit(struct x86_emulate + else + usermode = X86EMUL_MODE_PROT32; + ++ rcx = reg_read(ctxt, VCPU_REGS_RCX); ++ rdx = reg_read(ctxt, VCPU_REGS_RDX); ++ + cs.dpl = 3; + ss.dpl = 3; + ops->get_msr(ctxt, MSR_IA32_SYSENTER_CS, &msr_data); +@@ -2519,6 +2538,9 @@ static int em_sysexit(struct x86_emulate + ss_sel = cs_sel + 8; + cs.d = 0; + cs.l = 1; ++ if (is_noncanonical_address(rcx) || ++ is_noncanonical_address(rdx)) ++ return 
emulate_gp(ctxt, 0); + break; + } + cs_sel |= SELECTOR_RPL_MASK; +@@ -2527,8 +2549,8 @@ static int em_sysexit(struct x86_emulate + ops->set_segment(ctxt, cs_sel, &cs, 0, VCPU_SREG_CS); + ops->set_segment(ctxt, ss_sel, &ss, 0, VCPU_SREG_SS); + +- ctxt->_eip = reg_read(ctxt, VCPU_REGS_RDX); +- *reg_write(ctxt, VCPU_REGS_RSP) = reg_read(ctxt, VCPU_REGS_RCX); ++ ctxt->_eip = rdx; ++ *reg_write(ctxt, VCPU_REGS_RSP) = rcx; + + return X86EMUL_CONTINUE; + } +@@ -3067,10 +3089,13 @@ static int em_aad(struct x86_emulate_ctx + + static int em_call(struct x86_emulate_ctxt *ctxt) + { ++ int rc; + long rel = ctxt->src.val; + + ctxt->src.val = (unsigned long)ctxt->_eip; +- jmp_rel(ctxt, rel); ++ rc = jmp_rel(ctxt, rel); ++ if (rc != X86EMUL_CONTINUE) ++ return rc; + return em_push(ctxt); + } + +@@ -3102,11 +3127,12 @@ static int em_call_far(struct x86_emulat + static int em_ret_near_imm(struct x86_emulate_ctxt *ctxt) + { + int rc; ++ unsigned long eip; + +- ctxt->dst.type = OP_REG; +- ctxt->dst.addr.reg = &ctxt->_eip; +- ctxt->dst.bytes = ctxt->op_bytes; +- rc = emulate_pop(ctxt, &ctxt->dst.val, ctxt->op_bytes); ++ rc = emulate_pop(ctxt, &eip, ctxt->op_bytes); ++ if (rc != X86EMUL_CONTINUE) ++ return rc; ++ rc = assign_eip_near(ctxt, eip); + if (rc != X86EMUL_CONTINUE) + return rc; + rsp_increment(ctxt, ctxt->src.val); +@@ -3396,20 +3422,24 @@ static int em_lmsw(struct x86_emulate_ct + + static int em_loop(struct x86_emulate_ctxt *ctxt) + { ++ int rc = X86EMUL_CONTINUE; ++ + register_address_increment(ctxt, reg_rmw(ctxt, VCPU_REGS_RCX), -1); + if ((address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) != 0) && + (ctxt->b == 0xe2 || test_cc(ctxt->b ^ 0x5, ctxt->eflags))) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + +- return X86EMUL_CONTINUE; ++ return rc; + } + + static int em_jcxz(struct x86_emulate_ctxt *ctxt) + { ++ int rc = X86EMUL_CONTINUE; ++ + if (address_mask(ctxt, reg_read(ctxt, VCPU_REGS_RCX)) == 0) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = 
jmp_rel(ctxt, ctxt->src.val); + +- return X86EMUL_CONTINUE; ++ return rc; + } + + static int em_in(struct x86_emulate_ctxt *ctxt) +@@ -4738,7 +4768,7 @@ special_insn: + break; + case 0x70 ... 0x7f: /* jcc (short) */ + if (test_cc(ctxt->b, ctxt->eflags)) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + break; + case 0x8d: /* lea r16/r32, m */ + ctxt->dst.val = ctxt->src.addr.mem.ea; +@@ -4767,7 +4797,7 @@ special_insn: + break; + case 0xe9: /* jmp rel */ + case 0xeb: /* jmp rel short */ +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + ctxt->dst.type = OP_NONE; /* Disable writeback. */ + break; + case 0xf4: /* hlt */ +@@ -4879,7 +4909,7 @@ twobyte_insn: + break; + case 0x80 ... 0x8f: /* jnz rel, etc*/ + if (test_cc(ctxt->b, ctxt->eflags)) +- jmp_rel(ctxt, ctxt->src.val); ++ rc = jmp_rel(ctxt, ctxt->src.val); + break; + case 0x90 ... 0x9f: /* setcc r/m8 */ + ctxt->dst.val = test_cc(ctxt->b, ctxt->eflags); diff --git a/queue-3.10/kvm-x86-fix-wrong-masking-on-relative-jump-call.patch b/queue-3.10/kvm-x86-fix-wrong-masking-on-relative-jump-call.patch new file mode 100644 index 00000000000..5647e1b0069 --- /dev/null +++ b/queue-3.10/kvm-x86-fix-wrong-masking-on-relative-jump-call.patch 
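Review bot: In `assign_eip_far`, `~(u32)-1` is evaluated in 32-bit unsigned arithmetic and is therefore 0, so `(!cs_l && (dst & ~(u32)-1))` can never be true and an 8-byte target in a non-long code segment is never rejected. If the intent is to fault on targets that do not fit in 32 bits, compare against the truncated value instead, `(!cs_l && dst != (u32)dst)`, which is also well-defined when `ulong` is 32 bits wide. The `cs_l` path is unaffected, and `assign_eip_near` passes `ctxt->mode == X86EMUL_MODE_PROT64`, so the near-branch callers this commit wires up still get their canonical check.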
@@ -0,0 +1,65 @@ +From 05c83ec9b73c8124555b706f6af777b10adf0862 Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Thu, 18 Sep 2014 22:39:37 +0300 +Subject: KVM: x86: Fix wrong masking on relative jump/call + +From: Nadav Amit + +commit 05c83ec9b73c8124555b706f6af777b10adf0862 upstream. + +Relative jumps and calls do the masking according to the operand size, and not +according to the address size as the KVM emulator does today. + +This patch fixes KVM behavior. + +Signed-off-by: Nadav Amit +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -663,11 +663,6 @@ static void rsp_increment(struct x86_emu + masked_increment(reg_rmw(ctxt, VCPU_REGS_RSP), stack_mask(ctxt), inc); + } + +-static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) +-{ +- register_address_increment(ctxt, &ctxt->_eip, rel); +-} +- + static u32 desc_limit_scaled(struct desc_struct *desc) + { + u32 limit = get_desc_limit(desc); +@@ -741,6 +736,28 @@ static int emulate_nm(struct x86_emulate + return emulate_exception(ctxt, NM_VECTOR, 0, false); + } + ++static inline void assign_eip_near(struct x86_emulate_ctxt *ctxt, ulong dst) ++{ ++ switch (ctxt->op_bytes) { ++ case 2: ++ ctxt->_eip = (u16)dst; ++ break; ++ case 4: ++ ctxt->_eip = (u32)dst; ++ break; ++ case 8: ++ ctxt->_eip = dst; ++ break; ++ default: ++ WARN(1, "unsupported eip assignment size\n"); ++ } ++} ++ ++static inline void jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) ++{ ++ assign_eip_near(ctxt, ctxt->_eip + rel); ++} ++ + static u16 get_segment_selector(struct x86_emulate_ctxt *ctxt, unsigned seg) + { + u16 selector; diff --git a/queue-3.10/kvm-x86-improve-thread-safety-in-pit.patch b/queue-3.10/kvm-x86-improve-thread-safety-in-pit.patch new file mode 100644 index 00000000000..f6f17ad09e1 --- /dev/null 
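Review bot: The new `assign_eip_near` has no comment stating the rule its cases implement; the commit message says near branches truncate by operand size rather than address size, which is the whole reason `ctxt->op_bytes` selects the case, and a header such as `/* Near branches truncate the target to the operand size (16/32/64 bits), not the address size. */` would stop a future reader from "fixing" it back. The `default:` arm only WARNs and leaves `ctxt->_eip` untouched, so the caller silently continues at the old eip; since the follow-up patch in this series turns the function into one returning `int`, that is the natural place to report the case to callers as well.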
+++ b/queue-3.10/kvm-x86-improve-thread-safety-in-pit.patch @@ -0,0 +1,37 @@ +From 2febc839133280d5a5e8e1179c94ea674489dae2 Mon Sep 17 00:00:00 2001 +From: Andy Honig +Date: Wed, 27 Aug 2014 14:42:54 -0700 +Subject: KVM: x86: Improve thread safety in pit + +From: Andy Honig + +commit 2febc839133280d5a5e8e1179c94ea674489dae2 upstream. + +There's a race condition in the PIT emulation code in KVM. In +__kvm_migrate_pit_timer the pit_timer object is accessed without +synchronization. If the race condition occurs at the wrong time this +can crash the host kernel. + +This fixes CVE-2014-3611. + +Signed-off-by: Andrew Honig +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/i8254.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kvm/i8254.c ++++ b/arch/x86/kvm/i8254.c +@@ -262,8 +262,10 @@ void __kvm_migrate_pit_timer(struct kvm_ + return; + + timer = &pit->pit_state.timer; ++ mutex_lock(&pit->pit_state.lock); + if (hrtimer_cancel(timer)) + hrtimer_start_expires(timer, HRTIMER_MODE_ABS); ++ mutex_unlock(&pit->pit_state.lock); + } + + static void destroy_pit_timer(struct kvm_pit *pit) diff --git a/queue-3.10/kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch b/queue-3.10/kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch new file mode 100644 index 00000000000..d691d45627c --- /dev/null +++ b/queue-3.10/kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch 
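Review bot: The new `mutex_lock`/`mutex_unlock` pair in `__kvm_migrate_pit_timer` covers only the cancel-and-restart, while `timer = &pit->pit_state.timer` and the early `return` above it stay outside the lock; that is fine for an address-of, but a one-line comment naming what `pit_state.lock` guards here, e.g. `/* pit_state.lock: serialize the restart against concurrent PIT reprogramming */`, would make the rule explicit. A mutex may sleep, so this relies on the function only being reached from process context, which is presumably true for the timer-migration request path but should be confirmed against the callers, none of which are in the hunk. The function's start is outside the hunk.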
@@ -0,0 +1,86 @@ +From 8b3c3104c3f4f706e99365c3e0d2aa61b95f969f Mon Sep 17 00:00:00 2001 +From: Andy Honig +Date: Wed, 27 Aug 2014 11:16:44 -0700 +Subject: KVM: x86: Prevent host from panicking on shared MSR writes. + +From: Andy Honig + +commit 8b3c3104c3f4f706e99365c3e0d2aa61b95f969f upstream. + +The previous patch blocked invalid writes directly when the MSR +is written. As a precaution, prevent future similar mistakes by +gracefulling handle GPs caused by writes to shared MSRs. + +Signed-off-by: Andrew Honig +[Remove parts obsoleted by Nadav's patch. - Paolo] +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/kvm_host.h | 2 +- + arch/x86/kvm/vmx.c | 7 +++++-- + arch/x86/kvm/x86.c | 11 ++++++++--- + 3 files changed, 14 insertions(+), 6 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1011,7 +1011,7 @@ int kvm_cpu_get_interrupt(struct kvm_vcp + void kvm_vcpu_reset(struct kvm_vcpu *vcpu); + + void kvm_define_shared_msr(unsigned index, u32 msr); +-void kvm_set_shared_msr(unsigned index, u64 val, u64 mask); ++int kvm_set_shared_msr(unsigned index, u64 val, u64 mask); + + bool kvm_is_linear_rip(struct kvm_vcpu *vcpu, unsigned long linear_rip); + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -2493,12 +2493,15 @@ static int vmx_set_msr(struct kvm_vcpu * + break; + msr = find_msr_entry(vmx, msr_index); + if (msr) { ++ u64 old_msr_data = msr->data; + msr->data = data; + if (msr - vmx->guest_msrs < vmx->save_nmsrs) { + preempt_disable(); +- kvm_set_shared_msr(msr->index, msr->data, +- msr->mask); ++ ret = kvm_set_shared_msr(msr->index, msr->data, ++ msr->mask); + preempt_enable(); ++ if (ret) ++ msr->data = old_msr_data; + } + break; + } +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -225,20 +225,25 @@ static void kvm_shared_msr_cpu_online(vo + shared_msr_update(i, shared_msrs_global.msrs[i]); + } + +-void kvm_set_shared_msr(unsigned slot, u64 value, u64 mask) 
++int kvm_set_shared_msr(unsigned slot, u64 value, u64 mask) + { + unsigned int cpu = smp_processor_id(); + struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu); ++ int err; + + if (((value ^ smsr->values[slot].curr) & mask) == 0) +- return; ++ return 0; + smsr->values[slot].curr = value; +- wrmsrl(shared_msrs_global.msrs[slot], value); ++ err = wrmsrl_safe(shared_msrs_global.msrs[slot], value); ++ if (err) ++ return 1; ++ + if (!smsr->registered) { + smsr->urn.on_user_return = kvm_on_user_return; + user_return_notifier_register(&smsr->urn); + smsr->registered = true; + } ++ return 0; + } + EXPORT_SYMBOL_GPL(kvm_set_shared_msr); + diff --git a/queue-3.10/media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch b/queue-3.10/media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch new file mode 100644 index 00000000000..8c1c0a08ec9 --- /dev/null +++ b/queue-3.10/media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch 
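Review bot: `kvm_set_shared_msr` now records `smsr->values[slot].curr = value;` before `wrmsrl_safe` runs, so after a rejected write the cache claims the hardware holds a value it never accepted; a later attempt to write that same value is then short-circuited by the `((value ^ smsr->values[slot].curr) & mask) == 0` test and reported as success. Move the assignment below the error check, i.e. after `if (err) return 1;`, so `curr` only ever reflects a write that took effect; `kvm_on_user_return` (outside the hunk) presumably compares against `curr` too and benefits from the same ordering. The `vmx_set_msr` hunk restores `msr->data = old_msr_data` on failure, which is consistent with that ordering.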
@@ -0,0 +1,42 @@ +From 8c5bcded11cb607b1bb5920de3b9c882136d27db Mon Sep 17 00:00:00 2001 +From: Ulrich Eckhardt +Date: Fri, 10 Oct 2014 14:19:12 -0300 +Subject: media: ds3000: fix LNB supply voltage on Tevii S480 on initialization + +From: Ulrich Eckhardt + +commit 8c5bcded11cb607b1bb5920de3b9c882136d27db upstream. + +The Tevii S480 outputs 18V on startup for the LNB supply voltage and does not +automatically power down. This blocks other receivers connected +to a satellite channel router (EN50494), since the receivers can not send the +required DiSEqC sequences when the Tevii card is connected to a the same SCR. + +This patch switches off the LNB supply voltage on initialization of the frontend. + +[mchehab@osg.samsung.com: add a comment about why we're explicitly + turning off voltage at device init] +Signed-off-by: Ulrich Eckhardt +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/dvb-frontends/ds3000.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/media/dvb-frontends/ds3000.c ++++ b/drivers/media/dvb-frontends/ds3000.c +@@ -864,6 +864,13 @@ struct dvb_frontend *ds3000_attach(const + memcpy(&state->frontend.ops, &ds3000_ops, + sizeof(struct dvb_frontend_ops)); + state->frontend.demodulator_priv = state; ++ ++ /* ++ * Some devices like T480 starts with voltage on. Be sure ++ * to turn voltage off during init, as this can otherwise ++ * interfere with Unicable SCR systems. ++ */ ++ ds3000_set_voltage(&state->frontend, SEC_VOLTAGE_OFF); + return &state->frontend; + + error3: diff --git a/queue-3.10/media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch b/queue-3.10/media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch new file mode 100644 index 00000000000..62c13592844 --- /dev/null +++ b/queue-3.10/media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch 
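Review bot: The comment added to `ds3000_attach` names the device as `T480`, while the subject and description say Tevii S480; `* Some devices like the Tevii S480 start with voltage on. Be sure` would keep the comment and the changelog in agreement. The return value of `ds3000_set_voltage` is discarded; if it can report an I2C failure (its definition is not in the hunk), attach presumably should still succeed, but a `dev_warn`-style message would make an LNB that stayed powered diagnosable. The function body starts and ends outside the hunk.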
@@ -0,0 +1,102 @@
+From 627530c32a43283474e9dd3e954519410ffa033a Mon Sep 17 00:00:00 2001
+From: Frank Schaefer
+Date: Sat, 9 Aug 2014 06:37:20 -0300
+Subject: media: em28xx-v4l: give back all active video buffers to the vb2 core properly on streaming stop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frank Schaefer
+
+commit 627530c32a43283474e9dd3e954519410ffa033a upstream.
+
+When a new video frame is started, the driver takes the next video buffer from
+the list of active buffers and moves it to dev->usb_ctl.vid_buf / dev->usb_ctl.vbi_buf
+for further processing.
+
+On streaming stop we currently only give back the pending buffers from the list
+but not the ones which are currently processed.
+
+This causes the following warning from the vb2 core since kernel 3.15:
+
+...
+ ------------[ cut here ]------------
+ WARNING: CPU: 1 PID: 2284 at drivers/media/v4l2-core/videobuf2-core.c:2115 __vb2_queue_cancel+0xed/0x150 [videobuf2_core]()
+ [...]
+ Call Trace:
+ [] dump_stack+0x48/0x69
+ [] warn_slowpath_common+0x79/0x90
+ [] ? __vb2_queue_cancel+0xed/0x150 [videobuf2_core]
+ [] ? __vb2_queue_cancel+0xed/0x150 [videobuf2_core]
+ [] warn_slowpath_null+0x1d/0x20
+ [] __vb2_queue_cancel+0xed/0x150 [videobuf2_core]
+ [] vb2_internal_streamoff+0x35/0x90 [videobuf2_core]
+ [] vb2_streamoff+0x35/0x60 [videobuf2_core]
+ [] vb2_ioctl_streamoff+0x37/0x40 [videobuf2_core]
+ [] v4l_streamoff+0x15/0x20 [videodev]
+ [] __video_do_ioctl+0x23d/0x2d0 [videodev]
+ [] ? video_ioctl2+0x20/0x20 [videodev]
+ [] video_usercopy+0x203/0x5a0 [videodev]
+ [] ? video_ioctl2+0x20/0x20 [videodev]
+ [] ? fsnotify+0x1e7/0x2b0
+ [] video_ioctl2+0x12/0x20 [videodev]
+ [] ? video_ioctl2+0x20/0x20 [videodev]
+ [] v4l2_ioctl+0xee/0x130 [videodev]
+ [] ? v4l2_open+0xf0/0xf0 [videodev]
+ [] do_vfs_ioctl+0x2e2/0x4d0
+ [] ? vfs_write+0x13c/0x1c0
+ [] ? vfs_writev+0x2f/0x50
+ [] SyS_ioctl+0x58/0x80
+ [] sysenter_do_call+0x12/0x12
+ ---[ end trace 5545f934409f13f4 ]---
+...
+
+Many thanks to Hans Verkuil, whose recently added check in the vb2 core unveiled
+this long standing issue and who has investigated it further.
+
+Signed-off-by: Frank Schäfer
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/em28xx/em28xx-video.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/em28xx/em28xx-video.c
++++ b/drivers/media/usb/em28xx/em28xx-video.c
+@@ -696,13 +696,16 @@ static int em28xx_stop_streaming(struct
+ }
+ 
+ spin_lock_irqsave(&dev->slock, flags);
++ if (dev->usb_ctl.vid_buf != NULL) {
++ vb2_buffer_done(&dev->usb_ctl.vid_buf->vb, VB2_BUF_STATE_ERROR);
++ dev->usb_ctl.vid_buf = NULL;
++ }
+ while (!list_empty(&vidq->active)) {
+ struct em28xx_buffer *buf;
+ buf = list_entry(vidq->active.next, struct em28xx_buffer, list);
+ list_del(&buf->list);
+ vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR);
+ }
+- dev->usb_ctl.vid_buf = NULL;
+ spin_unlock_irqrestore(&dev->slock, flags);
+ 
+ return 0;
+@@ -724,13 +727,16 @@ int em28xx_stop_vbi_streaming(struct vb2
+ }
+ 
+ spin_lock_irqsave(&dev->slock, flags);
++ if (dev->usb_ctl.vbi_buf != NULL) {
++ vb2_buffer_done(&dev->usb_ctl.vbi_buf->vb, VB2_BUF_STATE_ERROR);
++ dev->usb_ctl.vbi_buf = NULL;
++ }
+ while (!list_empty(&vbiq->active)) {
+ struct em28xx_buffer *buf;
+ buf = list_entry(vbiq->active.next, struct em28xx_buffer, list);
+ list_del(&buf->list);
+ vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR);
+ }
+- dev->usb_ctl.vbi_buf = NULL;
+ spin_unlock_irqrestore(&dev->slock, flags);
+ 
+ return 0;
diff --git a/queue-3.10/media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch b/queue-3.10/media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch
new file mode 100644
index 00000000000..5e2c21f4789
--- /dev/null
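Review bot: The new `if (dev->usb_ctl.vid_buf != NULL)` block in em28xx_stop_streaming carries no comment saying why this buffer needs separate treatment, and the reason is the whole point of the fix: the buffer currently being filled has already been unlinked from `vidq->active`, so the list walk below cannot reach it. A one-line `/* The buffer being filled by the USB handler is no longer on the active list; return it explicitly. */` above the check would save the next reader a trip to the commit message. The same four lines are duplicated for `vbi_buf` in the em28xx_stop_vbi_streaming hunk; a small static helper taking the buffer pointer by reference would keep the two paths from drifting apart. Both functions start outside their hunks.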
+++ b/queue-3.10/media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch
@@ -0,0 +1,32 @@
+From 91ba0e59babdb3c7aca836a65f1095b3eaff7b06 Mon Sep 17 00:00:00 2001
+From: Axel Lin
+Date: Fri, 8 Aug 2014 10:32:56 -0300
+Subject: media: tda7432: Fix setting TDA7432_MUTE bit for TDA7432_RF register
+
+From: Axel Lin
+
+commit 91ba0e59babdb3c7aca836a65f1095b3eaff7b06 upstream.
+
+Fix a copy-paste bug when converting to the control framework.
+
+Fixes: commit 5d478e0de871 ("[media] tda7432: convert to the control framework")
+
+Signed-off-by: Axel Lin
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/i2c/tda7432.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/tda7432.c
++++ b/drivers/media/i2c/tda7432.c
+@@ -293,7 +293,7 @@ static int tda7432_s_ctrl(struct v4l2_ct
+ if (t->mute->val) {
+ lf |= TDA7432_MUTE;
+ lr |= TDA7432_MUTE;
+- lf |= TDA7432_MUTE;
++ rf |= TDA7432_MUTE;
+ rr |= TDA7432_MUTE;
+ }
+ /* Mute & update balance*/
diff --git a/queue-3.10/media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch b/queue-3.10/media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch
new file mode 100644
index 00000000000..2d41f26a544
--- /dev/null
+++ b/queue-3.10/media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch
@@ -0,0 +1,67 @@
+From 3bacc10cd4a85bc70bc0b6c001d3bf995c7fe04c Mon Sep 17 00:00:00 2001
+From: Maciej Matraszek
+Date: Mon, 15 Sep 2014 05:14:48 -0300
+Subject: media: v4l2-common: fix overflow in v4l_bound_align_image()
+
+From: Maciej Matraszek
+
+commit 3bacc10cd4a85bc70bc0b6c001d3bf995c7fe04c upstream.
+
+Fix clamp_align() used in v4l_bound_align_image() to prevent overflow
+when passed large value like UINT32_MAX.
+
+ In the current implementation:
+ clamp_align(UINT32_MAX, 8, 8192, 3)
+
+returns 8, because in line:
+
+ x = (x + (1 << (align - 1))) & mask;
+
+x overflows to (-1 + 4) & 0x7 = 3, while expected value is 8192.
+
+v4l_bound_align_image() is heavily used in VIDIOC_S_FMT and
+VIDIOC_SUBDEV_S_FMT ioctls handlers, and documentation of the latter
+explicitly states that:
+
+"The modified format should be as close as possible to the original
+request."
+ -- http://linuxtv.org/downloads/v4l-dvb-apis/vidioc-subdev-g-fmt.html
+
+Thus one would expect, that passing UINT32_MAX as format width and
+height will result in setting maximum possible resolution for the
+device. Particularly, when the driver doesn't support
+VIDIOC_ENUM_FRAMESIZES ioctl, which is common in the codebase.
+
+Fixes changeset: b0d3159be9a3
+
+Signed-off-by: Maciej Matraszek
+Acked-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/v4l2-core/v4l2-common.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-common.c
++++ b/drivers/media/v4l2-core/v4l2-common.c
+@@ -485,16 +485,13 @@ static unsigned int clamp_align(unsigned
+ /* Bits that must be zero to be aligned */
+ unsigned int mask = ~((1 << align) - 1);
+ 
++ /* Clamp to aligned min and max */
++ x = clamp(x, (min + ~mask) & mask, max & mask);
++
+ /* Round to nearest aligned value */
+ if (align)
+ x = (x + (1 << (align - 1))) & mask;
+ 
+- /* Clamp to aligned value of min and max */
+- if (x < min)
+- x = (min + ~mask) & mask;
+- else if (x > max)
+- x = max & mask;
+-
+ return x;
+ }
+ 
diff --git a/queue-3.10/series b/queue-3.10/series
index 365013a729e..f156db46f71 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
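Review bot: The new comment `/* Clamp to aligned min and max */` says what the line does but not why the clamp now runs before the rounding, which is the entire reason for the reorder; `/* Clamp first: rounding an unclamped value near UINT_MAX would wrap (see the UINT32_MAX case in the commit message). */` would preserve that. It is also worth stating the post-condition the reorder relies on: once x lies between two aligned bounds, adding `1 << (align - 1)` and masking cannot push it past `max & mask`, so no second clamp is needed. If `(min + ~mask) & mask` can exceed `max & mask` for some caller (a window narrower than one alignment step), `clamp()` presumably resolves in favour of one bound; a comment on which one, or a check, would remove the ambiguity. `clamp_align`'s signature is outside the hunk.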
@@ -44,3 +44,16 @@ input-i8042-quirks-for-fujitsu-lifebook-a544-and-lifebook-ah544.patch
 drm-ast-fix-hw-cursor-image.patch
 drm-tilcdc-fix-the-error-path-in-tilcdc_load.patch
 drm-nouveau-bios-memset-dcb-struct-to-zero-before-parsing.patch
+media-v4l2-common-fix-overflow-in-v4l_bound_align_image.patch
+media-em28xx-v4l-give-back-all-active-video-buffers-to-the-vb2-core-properly-on-streaming-stop.patch
+media-ds3000-fix-lnb-supply-voltage-on-tevii-s480-on-initialization.patch
+media-tda7432-fix-setting-tda7432_mute-bit-for-tda7432_rf-register.patch
+kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-error-path.patch
+kvm-x86-prevent-host-from-panicking-on-shared-msr-writes.patch
+kvm-x86-improve-thread-safety-in-pit.patch
+kvm-x86-check-non-canonical-addresses-upon-wrmsr.patch
+kvm-x86-don-t-kill-guest-on-unknown-exit-reason.patch
+kvm-x86-fix-wrong-masking-on-relative-jump-call.patch
+kvm-x86-emulator-fixes-for-eip-canonical-checks-on-near-branches.patch
+arc-allow-headless-models-to-boot.patch
+arc-update-order-of-registers-in-kgdb-to-match-gdb-7.5.patch