From: Greg Kroah-Hartman Date: Tue, 3 Oct 2017 11:35:01 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.73~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=31a0e5ee1484a5efe1d93ce459f56c6ecd30fd36;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: swiotlb-xen-implement-xen_swiotlb_dma_mmap-callback.patch video-fbdev-aty-do-not-leak-uninitialized-padding-in-clk-to-userspace.patch
---
diff --git a/queue-3.18/series b/queue-3.18/series
index 2cdd08cc92d..ba5db8ef1ff 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -20,3 +20,5 @@ kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
 pci-fix-race-condition-with-driver_override.patch
 btrfs-prevent-to-set-invalid-default-subvolid.patch
 x86-fpu-don-t-let-userspace-set-bogus-xcomp_bv.patch
+video-fbdev-aty-do-not-leak-uninitialized-padding-in-clk-to-userspace.patch
+swiotlb-xen-implement-xen_swiotlb_dma_mmap-callback.patch
diff --git a/queue-3.18/swiotlb-xen-implement-xen_swiotlb_dma_mmap-callback.patch b/queue-3.18/swiotlb-xen-implement-xen_swiotlb_dma_mmap-callback.patch
new file mode 100644
index 00000000000..e2f5b47d39c
--- /dev/null
+++ b/queue-3.18/swiotlb-xen-implement-xen_swiotlb_dma_mmap-callback.patch
@@ -0,0 +1,70 @@
+From 7e91c7df29b5e196de3dc6f086c8937973bd0b88 Mon Sep 17 00:00:00 2001
+From: Stefano Stabellini
+Date: Tue, 7 Feb 2017 19:58:02 +0200
+Subject: swiotlb-xen: implement xen_swiotlb_dma_mmap callback
+
+From: Stefano Stabellini
+
+commit 7e91c7df29b5e196de3dc6f086c8937973bd0b88 upstream.
+
+This function creates userspace mapping for the DMA-coherent memory.
+
+Signed-off-by: Stefano Stabellini
+Signed-off-by: Oleksandr Dmytryshyn
+Signed-off-by: Andrii Anisov
+Signed-off-by: Konrad Rzeszutek Wilk
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/xen/mm.c | 1 +
+ drivers/xen/swiotlb-xen.c | 19 +++++++++++++++++++
+ include/xen/swiotlb-xen.h | 5 +++++
+ 3 files changed, 25 insertions(+)
+
+--- a/arch/arm/xen/mm.c
++++ b/arch/arm/xen/mm.c
+@@ -59,6 +59,7 @@ static struct dma_map_ops xen_swiotlb_dm
+ .unmap_page = xen_swiotlb_unmap_page,
+ .dma_supported = xen_swiotlb_dma_supported,
+ .set_dma_mask = xen_swiotlb_set_dma_mask,
++ .mmap = xen_swiotlb_dma_mmap,
+ };
+
+ int __init xen_mm_init(void)
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -684,3 +684,22 @@ xen_swiotlb_set_dma_mask(struct device *
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(xen_swiotlb_set_dma_mask);
++
++/*
++ * Create userspace mapping for the DMA-coherent memory.
++ * This function should be called with the pages from the current domain only,
++ * passing pages mapped from other domains would lead to memory corruption.
++ */
++int
++xen_swiotlb_dma_mmap(struct device *dev, struct vm_area_struct *vma,
++ void *cpu_addr, dma_addr_t dma_addr, size_t size,
++ unsigned long attrs)
++{
++#if defined(CONFIG_ARM) || defined(CONFIG_ARM64)
++ if (__generic_dma_ops(dev)->mmap)
++ return __generic_dma_ops(dev)->mmap(dev, vma, cpu_addr,
++ dma_addr, size, attrs);
++#endif
++ return dma_common_mmap(dev, vma, cpu_addr, dma_addr, size);
++}
++EXPORT_SYMBOL_GPL(xen_swiotlb_dma_mmap);
+--- a/include/xen/swiotlb-xen.h
++++ b/include/xen/swiotlb-xen.h
+@@ -58,4 +58,9 @@ xen_swiotlb_dma_supported(struct device
+
+ extern int
+ xen_swiotlb_set_dma_mask(struct device *dev, u64 dma_mask);
++
++extern int
++xen_swiotlb_dma_mmap(struct device *dev, struct vm_area_struct *vma,
++ void *cpu_addr, dma_addr_t dma_addr, size_t size,
++ unsigned long attrs);
+ #endif /* __LINUX_SWIOTLB_XEN_H */
diff --git a/queue-3.18/video-fbdev-aty-do-not-leak-uninitialized-padding-in-clk-to-userspace.patch b/queue-3.18/video-fbdev-aty-do-not-leak-uninitialized-padding-in-clk-to-userspace.patch
new file mode 100644
index 00000000000..77ea65d8c02
--- /dev/null
+++ b/queue-3.18/video-fbdev-aty-do-not-leak-uninitialized-padding-in-clk-to-userspace.patch
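Review bot: In queue-3.18/swiotlb-xen-implement-xen_swiotlb_dma_mmap-callback.patch, the comment above the new xen_swiotlb_dma_mmap() states a precondition (pages from the current domain only, otherwise memory corruption), but nothing in the function body checks it, so the guarantee rests entirely on callers that this patch does not show. I would extend the comment to say who upholds it, for example `* Callers must ensure cpu_addr/dma_addr refer to local-domain memory; this function does not verify it.` Separately, the prototype takes `unsigned long attrs`; if the 3.18 `dma_map_ops.mmap` hook still takes `struct dma_attrs *attrs` (it appears to predate the switch to an integer attrs argument, so confirm against the target tree), the `.mmap = xen_swiotlb_dma_mmap` assignment and the pass-through to `__generic_dma_ops(dev)->mmap` would be type-mismatched on this branch.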
@@ -0,0 +1,34 @@
+From 8e75f7a7a00461ef6d91797a60b606367f6e344d Mon Sep 17 00:00:00 2001
+From: Vladis Dronov
+Date: Mon, 4 Sep 2017 16:00:50 +0200
+Subject: video: fbdev: aty: do not leak uninitialized padding in clk to userspace
+
+From: Vladis Dronov
+
+commit 8e75f7a7a00461ef6d91797a60b606367f6e344d upstream.
+
+'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
+field unitialized, leaking data from the stack. Fix this ensuring all of
+'clk' is initialized to zero.
+
+References: https://github.com/torvalds/linux/pull/441
+Reported-by: sohu0106
+Signed-off-by: Vladis Dronov
+Signed-off-by: Bartlomiej Zolnierkiewicz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/fbdev/aty/atyfb_base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/aty/atyfb_base.c
++++ b/drivers/video/fbdev/aty/atyfb_base.c
+@@ -1852,7 +1852,7 @@ static int atyfb_ioctl(struct fb_info *i
+ #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
+ case ATYIO_CLKR:
+ if (M64_HAS(INTEGRATED)) {
+- struct atyclk clk;
++ struct atyclk clk = { 0 };
+ union aty_pll *pll = &par->pll;
+ u32 dsp_config = pll->ct.dsp_config;
+ u32 dsp_on_off = pll->ct.dsp_on_off;
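Review bot: The new initializer `struct atyclk clk = { 0 };` in the ATYIO_CLKR case is meant to clear the padding after `vclk_post_div`, but the C standard does not require an aggregate initializer to write padding bytes, so whether the leak is actually closed depends on how the compiler lowers it. For a struct that the commit message says is copied to userspace, an explicit clear is the safer form: keep `struct atyclk clk;` and add `memset(&clk, 0, sizeof(clk));` before the fields are filled in. The case body, including the copy to userspace, continues outside the hunk.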