From: Greg Kroah-Hartman Date: Wed, 18 Dec 2013 17:54:28 +0000 (-0800) Subject: 3.4-stable patches X-Git-Tag: v3.4.75~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=67f064c936bc6c62d6f4a1347d747f0763e0d0a2;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: arm-7912-1-check-stack-pointer-in-get_wchan.patch arm-7913-1-fix-framepointer-check-in-unwind_frame.patch arm-omap3-hwmod-data-don-t-prevent-reset-of-usb-host-module.patch arm-pxa-tosa-fix-keys-mapping.patch kvm-improve-create-vcpu-parameter-cve-2013-4587.patch
---
diff --git a/queue-3.4/arm-7912-1-check-stack-pointer-in-get_wchan.patch b/queue-3.4/arm-7912-1-check-stack-pointer-in-get_wchan.patch
new file mode 100644
index 00000000000..85204afbab6
--- /dev/null
+++ b/queue-3.4/arm-7912-1-check-stack-pointer-in-get_wchan.patch
@@ -0,0 +1,56 @@
+From 1b15ec7a7427d4188ba91b9bbac696250a059d22 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov
+Date: Thu, 5 Dec 2013 14:21:36 +0100
+Subject: ARM: 7912/1: check stack pointer in get_wchan
+
+From: Konstantin Khlebnikov
+
+commit 1b15ec7a7427d4188ba91b9bbac696250a059d22 upstream.
+
+get_wchan() is lockless. Task may wakeup at any time and change its own stack,
+thus each next stack frame may be overwritten and filled with random stuff.
+
+/proc/$pid/stack interface had been disabled for non-current tasks, see [1]
+But 'wchan' still allows to trigger stack frame unwinding on volatile stack.
+
+This patch fixes oops in unwind_frame() by adding stack pointer validation on
+each step (as x86 code do), unwind_frame() already checks frame pointer.
+
+Also I've found another report of this oops on stackoverflow (irony).
+
+Link: http://www.spinics.net/lists/arm-kernel/msg110589.html [1]
+Link: http://stackoverflow.com/questions/18479894/unwind-frame-cause-a-kernel-paging-error
+
+Signed-off-by: Konstantin Khlebnikov
+Acked-by: Will Deacon
+Signed-off-by: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/kernel/process.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/kernel/process.c
++++ b/arch/arm/kernel/process.c
+@@ -503,6 +503,7 @@ EXPORT_SYMBOL(kernel_thread);
+ unsigned long get_wchan(struct task_struct *p)
+ {
+ struct stackframe frame;
++ unsigned long stack_page;
+ int count = 0;
+ if (!p || p == current || p->state == TASK_RUNNING)
+ return 0;
+@@ -511,9 +512,11 @@ unsigned long get_wchan(struct task_stru
+ frame.sp = thread_saved_sp(p);
+ frame.lr = 0; /* recovered from the stack */
+ frame.pc = thread_saved_pc(p);
++ stack_page = (unsigned long)task_stack_page(p);
+ do {
+- int ret = unwind_frame(&frame);
+- if (ret < 0)
++ if (frame.sp < stack_page ||
++ frame.sp >= stack_page + THREAD_SIZE ||
++ unwind_frame(&frame) < 0)
+ return 0;
+ if (!in_sched_functions(frame.pc))
+ return frame.pc;
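Review bot: The new sp bounds check inside the `do` loop carries no comment saying why it is repeated before every unwind step; the rationale in the commit message (the task is unlocked and may be running, so each frame read can see a stack that is being rewritten) belongs next to the code, e.g. `/* p is unlocked and may be running: validate sp before each unwind step */`. The check only keeps the reads that unwind_frame() performs inside the task's stack page; the frame contents themselves remain racy (the `p->state == TASK_RUNNING` test in the first hunk is a snapshot), so the result may be a stale pc rather than a fault, which appears to be the intended outcome. get_wchan's loop condition and the `count` limit lie outside the hunk.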
diff --git a/queue-3.4/arm-7913-1-fix-framepointer-check-in-unwind_frame.patch b/queue-3.4/arm-7913-1-fix-framepointer-check-in-unwind_frame.patch
new file mode 100644
index 00000000000..29b276b3abc
--- /dev/null
+++ b/queue-3.4/arm-7913-1-fix-framepointer-check-in-unwind_frame.patch
@@ -0,0 +1,31 @@
+From 3abb6671a9c04479c4bd026798a05f857393b7e2 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov
+Date: Thu, 5 Dec 2013 14:23:48 +0100
+Subject: ARM: 7913/1: fix framepointer check in unwind_frame
+
+From: Konstantin Khlebnikov
+
+commit 3abb6671a9c04479c4bd026798a05f857393b7e2 upstream.
+
+This patch fixes corner case when (fp + 4) overflows unsigned long,
+for example: fp = 0xFFFFFFFF -> fp + 4 == 3.
+
+Signed-off-by: Konstantin Khlebnikov
+Signed-off-by: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/kernel/stacktrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/stacktrace.c
++++ b/arch/arm/kernel/stacktrace.c
+@@ -31,7 +31,7 @@ int notrace unwind_frame(struct stackfra
+ high = ALIGN(low, THREAD_SIZE);
+
+ /* check current frame pointer is within bounds */
+- if (fp < (low + 12) || fp + 4 >= high)
++ if (fp < low + 12 || fp > high - 4)
+ return -EINVAL;
+
+ /* restore the registers from the stack frame */
diff --git a/queue-3.4/arm-omap3-hwmod-data-don-t-prevent-reset-of-usb-host-module.patch b/queue-3.4/arm-omap3-hwmod-data-don-t-prevent-reset-of-usb-host-module.patch
new file mode 100644
index 00000000000..e324923db80
--- /dev/null
+++ b/queue-3.4/arm-omap3-hwmod-data-don-t-prevent-reset-of-usb-host-module.patch
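Review bot: The rewritten upper bound is not an exact translation of the old one: `fp + 4 >= high` rejected fp == high - 4, whereas `fp > high - 4` accepts it, so the hunk both removes the overflow and widens the accepted range by one word. That looks deliberate (the word at high - 4 is still inside the stack), but the commit message only mentions the overflow case, so the existing comment should say so, e.g. `/* check current frame pointer is within bounds; fp itself may be the last word below high */`. Whether the register reads that follow stay within [low, high) for fp == high - 4 depends on the restore code, which is outside the hunk, as are the start and the remainder of unwind_frame.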
@@ -0,0 +1,55 @@
+From 7f4d3641e2548d1ac5dee837ff434df668a2810c Mon Sep 17 00:00:00 2001
+From: Roger Quadros
+Date: Sun, 8 Dec 2013 18:39:02 -0700
+Subject: ARM: OMAP3: hwmod data: Don't prevent RESET of USB Host module
+
+From: Roger Quadros
+
+commit 7f4d3641e2548d1ac5dee837ff434df668a2810c upstream.
+
+Unlike what the comment states, errata i660 does not state that we
+can't RESET the USB host module. Instead it states that RESET is the
+only way to recover from a deadlock situation.
+
+RESET ensures that the module is in a known good state irrespective
+of what bootloader does with the module, so it must be done at boot.
+
+Signed-off-by: Roger Quadros
+Tested-by: Tomi Valkeinen # Panda, BeagleXM
+Fixes: de231388cb80 ("ARM: OMAP: USB: EHCI and OHCI hwmod structures for OMAP3")
+Signed-off-by: Paul Walmsley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 13 +++----------
+ 1 file changed, 3 insertions(+), 10 deletions(-)
+
+--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
++++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+@@ -3347,7 +3347,8 @@ static struct omap_hwmod_class_sysconfig
+ .syss_offs = 0x0014,
+ .sysc_flags = (SYSC_HAS_MIDLEMODE | SYSC_HAS_CLOCKACTIVITY |
+ SYSC_HAS_SIDLEMODE | SYSC_HAS_ENAWAKEUP |
+- SYSC_HAS_SOFTRESET | SYSC_HAS_AUTOIDLE),
++ SYSC_HAS_SOFTRESET | SYSC_HAS_AUTOIDLE |
++ SYSS_HAS_RESET_STATUS),
+ .idlemodes = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART |
+ MSTANDBY_FORCE | MSTANDBY_NO | MSTANDBY_SMART),
+ .sysc_fields = &omap_hwmod_sysc_type1,
+@@ -3465,15 +3466,7 @@ static struct omap_hwmod omap3xxx_usb_ho
+ * hence HWMOD_SWSUP_MSTANDBY
+ */
+
+- /*
+- * During system boot; If the hwmod framework resets the module
+- * the module will have smart idle settings; which can lead to deadlock
+- * (above Errata Id:i660); so, dont reset the module during boot;
+- * Use HWMOD_INIT_NO_RESET.
+- */
+-
+- .flags = HWMOD_SWSUP_SIDLE | HWMOD_SWSUP_MSTANDBY |
+- HWMOD_INIT_NO_RESET,
++ .flags = HWMOD_SWSUP_SIDLE | HWMOD_SWSUP_MSTANDBY,
+ };
+
+ /*
diff --git a/queue-3.4/arm-pxa-tosa-fix-keys-mapping.patch b/queue-3.4/arm-pxa-tosa-fix-keys-mapping.patch
new file mode 100644
index 00000000000..ce09274bee2
--- /dev/null
+++ b/queue-3.4/arm-pxa-tosa-fix-keys-mapping.patch
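Review bot: Dropping the HWMOD_INIT_NO_RESET comment leaves the new `.flags` initializer with no record of why the module is now reset at boot, right after the errata discussion that ends with `hence HWMOD_SWSUP_MSTANDBY`; a one-line comment such as `/* errata i660: RESET is the recovery path, so let hwmod reset the module at boot */` keeps the commit message's rationale in the source. The SYSS_HAS_RESET_STATUS flag added in the first hunk presumably lets the framework poll reset completion through `.syss_offs`; that the reset actually completes on the affected boards rather than timing out cannot be verified from the data change alone, so it is worth confirming against the Tested-by coverage. Both struct definitions begin outside their hunks.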
@@ -0,0 +1,134 @@
+From 506cac15ac86f204b83e3cfccde73eeb4e7c5f34 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov
+Date: Sat, 16 Nov 2013 16:47:50 +0400
+Subject: ARM: pxa: tosa: fix keys mapping
+
+From: Dmitry Eremin-Solenikov
+
+commit 506cac15ac86f204b83e3cfccde73eeb4e7c5f34 upstream.
+
+When converting from tosa-keyboard driver to matrix keyboard, tosa keys
+received extra 1 column shift. Replace that with correct values to make
+keyboard work again.
+
+Fixes: f69a6548c9d5 ('[ARM] pxa/tosa: make use of the matrix keypad driver')
+Signed-off-by: Dmitry Eremin-Solenikov
+Signed-off-by: Haojian Zhuang
+Signed-off-by: Olof Johansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mach-pxa/tosa.c | 102 +++++++++++++++++++++++------------------------
+ 1 file changed, 51 insertions(+), 51 deletions(-)
+
+--- a/arch/arm/mach-pxa/tosa.c
++++ b/arch/arm/mach-pxa/tosa.c
+@@ -424,57 +424,57 @@ static struct platform_device tosa_power
+ * Tosa Keyboard
+ */
+ static const uint32_t tosakbd_keymap[] = {
+- KEY(0, 2, KEY_W),
+- KEY(0, 6, KEY_K),
+- KEY(0, 7, KEY_BACKSPACE),
+- KEY(0, 8, KEY_P),
+- KEY(1, 1, KEY_Q),
+- KEY(1, 2, KEY_E),
+- KEY(1, 3, KEY_T),
+- KEY(1, 4, KEY_Y),
+- KEY(1, 6, KEY_O),
+- KEY(1, 7, KEY_I),
+- KEY(1, 8, KEY_COMMA),
+- KEY(2, 1, KEY_A),
+- KEY(2, 2, KEY_D),
+- KEY(2, 3, KEY_G),
+- KEY(2, 4, KEY_U),
+- KEY(2, 6, KEY_L),
+- KEY(2, 7, KEY_ENTER),
+- KEY(2, 8, KEY_DOT),
+- KEY(3, 1, KEY_Z),
+- KEY(3, 2, KEY_C),
+- KEY(3, 3, KEY_V),
+- KEY(3, 4, KEY_J),
+- KEY(3, 5, TOSA_KEY_ADDRESSBOOK),
+- KEY(3, 6, TOSA_KEY_CANCEL),
+- KEY(3, 7, TOSA_KEY_CENTER),
+- KEY(3, 8, TOSA_KEY_OK),
+- KEY(3, 9, KEY_LEFTSHIFT),
+- KEY(4, 1, KEY_S),
+- KEY(4, 2, KEY_R),
+- KEY(4, 3, KEY_B),
+- KEY(4, 4, KEY_N),
+- KEY(4, 5, TOSA_KEY_CALENDAR),
+- KEY(4, 6, TOSA_KEY_HOMEPAGE),
+- KEY(4, 7, KEY_LEFTCTRL),
+- KEY(4, 8, TOSA_KEY_LIGHT),
+- KEY(4, 10, KEY_RIGHTSHIFT),
+- KEY(5, 1, KEY_TAB),
+- KEY(5, 2, KEY_SLASH),
+- KEY(5, 3, KEY_H),
+- KEY(5, 4, KEY_M),
+- KEY(5, 5, 
TOSA_KEY_MENU),
+- KEY(5, 7, KEY_UP),
+- KEY(5, 11, TOSA_KEY_FN),
+- KEY(6, 1, KEY_X),
+- KEY(6, 2, KEY_F),
+- KEY(6, 3, KEY_SPACE),
+- KEY(6, 4, KEY_APOSTROPHE),
+- KEY(6, 5, TOSA_KEY_MAIL),
+- KEY(6, 6, KEY_LEFT),
+- KEY(6, 7, KEY_DOWN),
+- KEY(6, 8, KEY_RIGHT),
++ KEY(0, 1, KEY_W),
++ KEY(0, 5, KEY_K),
++ KEY(0, 6, KEY_BACKSPACE),
++ KEY(0, 7, KEY_P),
++ KEY(1, 0, KEY_Q),
++ KEY(1, 1, KEY_E),
++ KEY(1, 2, KEY_T),
++ KEY(1, 3, KEY_Y),
++ KEY(1, 5, KEY_O),
++ KEY(1, 6, KEY_I),
++ KEY(1, 7, KEY_COMMA),
++ KEY(2, 0, KEY_A),
++ KEY(2, 1, KEY_D),
++ KEY(2, 2, KEY_G),
++ KEY(2, 3, KEY_U),
++ KEY(2, 5, KEY_L),
++ KEY(2, 6, KEY_ENTER),
++ KEY(2, 7, KEY_DOT),
++ KEY(3, 0, KEY_Z),
++ KEY(3, 1, KEY_C),
++ KEY(3, 2, KEY_V),
++ KEY(3, 3, KEY_J),
++ KEY(3, 4, TOSA_KEY_ADDRESSBOOK),
++ KEY(3, 5, TOSA_KEY_CANCEL),
++ KEY(3, 6, TOSA_KEY_CENTER),
++ KEY(3, 7, TOSA_KEY_OK),
++ KEY(3, 8, KEY_LEFTSHIFT),
++ KEY(4, 0, KEY_S),
++ KEY(4, 1, KEY_R),
++ KEY(4, 2, KEY_B),
++ KEY(4, 3, KEY_N),
++ KEY(4, 4, TOSA_KEY_CALENDAR),
++ KEY(4, 5, TOSA_KEY_HOMEPAGE),
++ KEY(4, 6, KEY_LEFTCTRL),
++ KEY(4, 7, TOSA_KEY_LIGHT),
++ KEY(4, 9, KEY_RIGHTSHIFT),
++ KEY(5, 0, KEY_TAB),
++ KEY(5, 1, KEY_SLASH),
++ KEY(5, 2, KEY_H),
++ KEY(5, 3, KEY_M),
++ KEY(5, 4, TOSA_KEY_MENU),
++ KEY(5, 6, KEY_UP),
++ KEY(5, 10, TOSA_KEY_FN),
++ KEY(6, 0, KEY_X),
++ KEY(6, 1, KEY_F),
++ KEY(6, 2, KEY_SPACE),
++ KEY(6, 3, KEY_APOSTROPHE),
++ KEY(6, 4, TOSA_KEY_MAIL),
++ KEY(6, 5, KEY_LEFT),
++ KEY(6, 6, KEY_DOWN),
++ KEY(6, 7, KEY_RIGHT),
+ };
+
+ static struct matrix_keymap_data tosakbd_keymap_data = {
diff --git a/queue-3.4/kvm-improve-create-vcpu-parameter-cve-2013-4587.patch b/queue-3.4/kvm-improve-create-vcpu-parameter-cve-2013-4587.patch
new file mode 100644
index 00000000000..624a75526ce
--- /dev/null
+++ b/queue-3.4/kvm-improve-create-vcpu-parameter-cve-2013-4587.patch
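Review bot: The keymap table still has no comment stating that `KEY(row, col, code)` takes 0-based matrix indices, which is exactly the off-by-one this hunk corrects; a line such as `/* KEY(row, col, keycode): row and column are 0-based matrix indices */` above `tosakbd_keymap[]` would make the next edit less error-prone. The individual row/column pairs cannot be checked against the hardware from the diff, but the new side is consistent with the commit message: every column value is the old one minus one and the rows are unchanged. `tosakbd_keymap_data` begins on the hunk's last line and continues outside it.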
@@ -0,0 +1,37 @@
+From 338c7dbadd2671189cec7faf64c84d01071b3f96 Mon Sep 17 00:00:00 2001
+From: Andy Honig
+Date: Mon, 18 Nov 2013 16:09:22 -0800
+Subject: KVM: Improve create VCPU parameter (CVE-2013-4587)
+
+From: Andy Honig
+
+commit 338c7dbadd2671189cec7faf64c84d01071b3f96 upstream.
+
+In multiple functions the vcpu_id is used as an offset into a bitfield. Ag
+malicious user could specify a vcpu_id greater than 255 in order to set or
+clear bits in kernel memory. This could be used to elevate priveges in the
+kernel. This patch verifies that the vcpu_id provided is less than 255.
+The api documentation already specifies that the vcpu_id must be less than
+max_vcpus, but this is currently not checked.
+
+Reported-by: Andrew Honig
+Signed-off-by: Andrew Honig
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/kvm_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1668,6 +1668,9 @@ static int kvm_vm_ioctl_create_vcpu(stru
+ int r;
+ struct kvm_vcpu *vcpu, *v;
+
++ if (id >= KVM_MAX_VCPUS)
++ return -EINVAL;
++
+ vcpu = kvm_arch_vcpu_create(kvm, id);
+ if (IS_ERR(vcpu))
+ return PTR_ERR(vcpu);
diff --git a/queue-3.4/series b/queue-3.4/series
index 73497a3a499..af1ea55c25c 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -1,2 +1,7 @@
 mips-dma-for-bmips5000-cores-flush-region-just-like-non-coherent-r10000.patch
 alsa-memalloc.h-fix-wrong-truncation-of-dma_addr_t.patch
+arm-pxa-tosa-fix-keys-mapping.patch
+arm-omap3-hwmod-data-don-t-prevent-reset-of-usb-host-module.patch
+arm-7912-1-check-stack-pointer-in-get_wchan.patch
+arm-7913-1-fix-framepointer-check-in-unwind_frame.patch
+kvm-improve-create-vcpu-parameter-cve-2013-4587.patch
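Review bot: The new `if (id >= KVM_MAX_VCPUS)` guard has no comment tying it to the reason it exists, and the bound it enforces is the compile-time KVM_MAX_VCPUS rather than the literal 255 or the runtime max_vcpus that the commit message and API documentation mention; a comment such as `/* id indexes fixed-size per-vcpu bitmaps; bound by the compile-time KVM_MAX_VCPUS */` would stop a later change from relaxing it to a runtime limit that the bitmaps do not follow. The single comparison is complete only if `id` is unsigned; the signature is cut off at `stru` in the hunk header, so confirm the parameter type there (if it is u32, as I believe upstream declares it, a negative value cannot get past the check). Both the start of kvm_vm_ioctl_create_vcpu and the rest of its body lie outside the hunk.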