From: Greg Kroah-Hartman Date: Wed, 18 Dec 2013 17:54:24 +0000 (-0800) Subject: 3.12-stable patches X-Git-Tag: v3.4.75~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6d747d279333e9b867ab79fc5160f3075dfaac78;p=thirdparty%2Fkernel%2Fstable-queue.git 3.12-stable patches added patches: arm-7912-1-check-stack-pointer-in-get_wchan.patch arm-7913-1-fix-framepointer-check-in-unwind_frame.patch arm-7917-1-cacheflush-correctly-limit-range-of-memory-region-being-flushed.patch arm-highbank-handle-soft-poweroff-and-reset-key-events.patch arm-omap3-hwmod-data-don-t-prevent-reset-of-usb-host-module.patch arm-pxa-prevent-pxa270-occasional-reboot-freezes.patch arm-pxa-tosa-fix-keys-mapping.patch arm-sun6i-dt-fix-interrupt-trigger-types.patch kvm-improve-create-vcpu-parameter-cve-2013-4587.patch kvm-x86-convert-vapic-synchronization-to-_cached-functions-cve-2013-6368.patch kvm-x86-fix-guest-initiated-crash-with-x2apic-cve-2013-6376.patch kvm-x86-fix-potential-divide-by-0-in-lapic-cve-2013-6367.patch
---
diff --git a/queue-3.12/arm-7912-1-check-stack-pointer-in-get_wchan.patch b/queue-3.12/arm-7912-1-check-stack-pointer-in-get_wchan.patch
new file mode 100644
index 00000000000..a469f485fa9
--- /dev/null
+++ b/queue-3.12/arm-7912-1-check-stack-pointer-in-get_wchan.patch
@@ -0,0 +1,56 @@
+From 1b15ec7a7427d4188ba91b9bbac696250a059d22 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov
+Date: Thu, 5 Dec 2013 14:21:36 +0100
+Subject: ARM: 7912/1: check stack pointer in get_wchan
+
+From: Konstantin Khlebnikov
+
+commit 1b15ec7a7427d4188ba91b9bbac696250a059d22 upstream.
+
+get_wchan() is lockless. Task may wakeup at any time and change its own stack,
+thus each next stack frame may be overwritten and filled with random stuff.
+
+/proc/$pid/stack interface had been disabled for non-current tasks, see [1]
+But 'wchan' still allows to trigger stack frame unwinding on volatile stack.
+
+This patch fixes oops in unwind_frame() by adding stack pointer validation on
+each step (as x86 code do), unwind_frame() already checks frame pointer.
+
+Also I've found another report of this oops on stackoverflow (irony).
+
+Link: http://www.spinics.net/lists/arm-kernel/msg110589.html [1]
+Link: http://stackoverflow.com/questions/18479894/unwind-frame-cause-a-kernel-paging-error
+
+Signed-off-by: Konstantin Khlebnikov
+Acked-by: Will Deacon
+Signed-off-by: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/kernel/process.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/kernel/process.c
++++ b/arch/arm/kernel/process.c
+@@ -404,6 +404,7 @@ EXPORT_SYMBOL(dump_fpu);
+ unsigned long get_wchan(struct task_struct *p)
+ {
+ struct stackframe frame;
++ unsigned long stack_page;
+ int count = 0;
+ if (!p || p == current || p->state == TASK_RUNNING)
+ return 0;
+@@ -412,9 +413,11 @@ unsigned long get_wchan(struct task_stru
+ frame.sp = thread_saved_sp(p);
+ frame.lr = 0; /* recovered from the stack */
+ frame.pc = thread_saved_pc(p);
++ stack_page = (unsigned long)task_stack_page(p);
+ do {
+- int ret = unwind_frame(&frame);
+- if (ret < 0)
++ if (frame.sp < stack_page ||
++ frame.sp >= stack_page + THREAD_SIZE ||
++ unwind_frame(&frame) < 0)
+ return 0;
+ if (!in_sched_functions(frame.pc))
+ return frame.pc;
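Review bot: The new bounds test on frame.sp inside the `do {` loop of get_wchan has no comment explaining why it is needed; the reason (the task is not locked and may wake and rewrite its own stack while we walk it) lives only in the commit message. A comment such as `/* p is not locked and may be rewriting its stack; re-validate sp before every unwind step */` above the `do {` keeps that rationale next to the check. get_wchan's loop continues past the end of this hunk, so the `count` bound and the loop exit are not visible here.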
diff --git a/queue-3.12/arm-7913-1-fix-framepointer-check-in-unwind_frame.patch b/queue-3.12/arm-7913-1-fix-framepointer-check-in-unwind_frame.patch
new file mode 100644
index 00000000000..29b276b3abc
--- /dev/null
+++ b/queue-3.12/arm-7913-1-fix-framepointer-check-in-unwind_frame.patch
@@ -0,0 +1,31 @@
+From 3abb6671a9c04479c4bd026798a05f857393b7e2 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov
+Date: Thu, 5 Dec 2013 14:23:48 +0100
+Subject: ARM: 7913/1: fix framepointer check in unwind_frame
+
+From: Konstantin Khlebnikov
+
+commit 3abb6671a9c04479c4bd026798a05f857393b7e2 upstream.
+
+This patch fixes corner case when (fp + 4) overflows unsigned long,
+for example: fp = 0xFFFFFFFF -> fp + 4 == 3.
+
+Signed-off-by: Konstantin Khlebnikov
+Signed-off-by: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/kernel/stacktrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/stacktrace.c
++++ b/arch/arm/kernel/stacktrace.c
+@@ -31,7 +31,7 @@ int notrace unwind_frame(struct stackfra
+ high = ALIGN(low, THREAD_SIZE);
+
+ /* check current frame pointer is within bounds */
+- if (fp < (low + 12) || fp + 4 >= high)
++ if (fp < low + 12 || fp > high - 4)
+ return -EINVAL;
+
+ /* restore the registers from the stack frame */
diff --git a/queue-3.12/arm-7917-1-cacheflush-correctly-limit-range-of-memory-region-being-flushed.patch b/queue-3.12/arm-7917-1-cacheflush-correctly-limit-range-of-memory-region-being-flushed.patch
new file mode 100644
index 00000000000..e30fa20403b
--- /dev/null
+++ b/queue-3.12/arm-7917-1-cacheflush-correctly-limit-range-of-memory-region-being-flushed.patch
@@ -0,0 +1,38 @@
+From b31459adeab018b297541e288ac88873011da82a Mon Sep 17 00:00:00 2001
+From: Jon Medhurst
+Date: Mon, 9 Dec 2013 13:45:46 +0100
+Subject: ARM: 7917/1: cacheflush: correctly limit range of memory region being flushed
+
+From: Jon Medhurst
+
+commit b31459adeab018b297541e288ac88873011da82a upstream.
+
+The __do_cache_op function operates with a 'chunk' size of one page
+but fails to limit the size of the final chunk so as to not exceed
+the specified memory region. Fix this.
+
+Reported-by: Christian Gmeiner
+Tested-by: Christian Gmeiner
+Acked-by: Will Deacon
+Signed-off-by: Jon Medhurst
+Signed-off-by: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/kernel/traps.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/traps.c
++++ b/arch/arm/kernel/traps.c
+@@ -503,9 +503,10 @@ static inline int
+ __do_cache_op(unsigned long start, unsigned long end)
+ {
+ int ret;
+- unsigned long chunk = PAGE_SIZE;
+
+ do {
++ unsigned long chunk = min(PAGE_SIZE, end - start);
++
+ if (signal_pending(current)) {
+ struct thread_info *ti = current_thread_info();
+
diff --git a/queue-3.12/arm-highbank-handle-soft-poweroff-and-reset-key-events.patch b/queue-3.12/arm-highbank-handle-soft-poweroff-and-reset-key-events.patch
new file mode 100644
index 00000000000..0b9f3a67fde
--- /dev/null
+++ b/queue-3.12/arm-highbank-handle-soft-poweroff-and-reset-key-events.patch
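Review bot: `min(PAGE_SIZE, end - start)` in __do_cache_op assumes `start <= end` on entry; since the body is a `do { } while`, the subtraction executes before any loop condition is evaluated, and an inverted range would wrap `end - start` so that chunk silently becomes PAGE_SIZE and the final flush overshoots. I believe the caller (do_cache_op, not in this hunk) already rejects `end < start`, but that is not visible here and is worth confirming, or guarding locally with `if (end < start) return -EINVAL;` ahead of the loop. The function continues past the end of the hunk, so the `while` condition and the `start += chunk` step are not shown.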
@@ -0,0 +1,78 @@
+From 3843114856728075d0a80e7151197c19fb3a9e08 Mon Sep 17 00:00:00 2001
+From: Rob Herring
+Date: Wed, 4 Dec 2013 11:05:17 -0600
+Subject: ARM: highbank: handle soft poweroff and reset key events
+
+From: Rob Herring
+
+commit 3843114856728075d0a80e7151197c19fb3a9e08 upstream.
+
+Graceful reboot and poweroff via IPMI commands to the management
+processor don't work. Power and reset keys are events from the
+management processor which are generated via IPC messages. Passing
+the keys to userspace does not work as neither acpid nor a desktop
+environment are present.
+
+This adds a notifier handler for the IPC messages so the kernel can
+handle the key events directly and IPMI graceful shutdown will work.
+
+Signed-off-by: Rob Herring
+Signed-off-by: Olof Johansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mach-highbank/highbank.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/arch/arm/mach-highbank/highbank.c
++++ b/arch/arm/mach-highbank/highbank.c
+@@ -17,12 +17,15 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+
+@@ -153,6 +156,24 @@ static struct notifier_block highbank_pl
+ .notifier_call = highbank_platform_notifier,
+ };
+
++static int hb_keys_notifier(struct notifier_block *nb, unsigned long event, void *data)
++{
++ u32 key = *(u32 *)data;
++
++ if (event != 0x1000)
++ return 0;
++
++ if (key == KEY_POWER)
++ orderly_poweroff(false);
++ else if (key == 0xffff)
++ ctrl_alt_del();
++
++ return 0;
++}
++static struct notifier_block hb_keys_nb = {
++ .notifier_call = hb_keys_notifier,
++};
++
+ static void __init highbank_init(void)
+ {
+ pm_power_off = highbank_power_off;
+@@ -161,6 +182,8 @@ static void __init highbank_init(void)
+ bus_register_notifier(&platform_bus_type, &highbank_platform_nb);
+ bus_register_notifier(&amba_bustype, &highbank_amba_nb);
+
++ pl320_ipc_register_notifier(&hb_keys_nb);
++
+ of_platform_populate(NULL, of_default_bus_match_table, NULL, NULL);
+ }
+
diff --git a/queue-3.12/arm-omap3-hwmod-data-don-t-prevent-reset-of-usb-host-module.patch b/queue-3.12/arm-omap3-hwmod-data-don-t-prevent-reset-of-usb-host-module.patch
new file mode 100644
index 00000000000..a61e9d1476a
--- /dev/null
+++ b/queue-3.12/arm-omap3-hwmod-data-don-t-prevent-reset-of-usb-host-module.patch
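Review bot: hb_keys_notifier tests two unexplained literals, `0x1000` for the IPC event type and `0xffff` for the reset key, on a path that ends in `orderly_poweroff()` or `ctrl_alt_del()`; give them names and a one-line source, e.g. `#define HB_IPC_KEY_EVENT 0x1000 /* <state what the management processor sends here> */` and `#define HB_KEY_RESET 0xffff` (names are a proposal), so the trust placed in the management-processor message is documented where it is acted on. `u32 key = *(u32 *)data;` also assumes every pl320 notifier payload is at least a u32 before the event type is checked; reordering so the `event != 0x1000` test precedes the dereference, or a comment stating that contract, would make the assumption explicit. The nested hunk into highbank_init ends before the function's closing brace.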
@@ -0,0 +1,55 @@
+From 7f4d3641e2548d1ac5dee837ff434df668a2810c Mon Sep 17 00:00:00 2001
+From: Roger Quadros
+Date: Sun, 8 Dec 2013 18:39:02 -0700
+Subject: ARM: OMAP3: hwmod data: Don't prevent RESET of USB Host module
+
+From: Roger Quadros
+
+commit 7f4d3641e2548d1ac5dee837ff434df668a2810c upstream.
+
+Unlike what the comment states, errata i660 does not state that we
+can't RESET the USB host module. Instead it states that RESET is the
+only way to recover from a deadlock situation.
+
+RESET ensures that the module is in a known good state irrespective
+of what bootloader does with the module, so it must be done at boot.
+
+Signed-off-by: Roger Quadros
+Tested-by: Tomi Valkeinen # Panda, BeagleXM
+Fixes: de231388cb80 ("ARM: OMAP: USB: EHCI and OHCI hwmod structures for OMAP3")
+Signed-off-by: Paul Walmsley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 13 +++----------
+ 1 file changed, 3 insertions(+), 10 deletions(-)
+
+--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
++++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+@@ -1943,7 +1943,8 @@ static struct omap_hwmod_class_sysconfig
+ .syss_offs = 0x0014,
+ .sysc_flags = (SYSC_HAS_MIDLEMODE | SYSC_HAS_CLOCKACTIVITY |
+ SYSC_HAS_SIDLEMODE | SYSC_HAS_ENAWAKEUP |
+- SYSC_HAS_SOFTRESET | SYSC_HAS_AUTOIDLE),
++ SYSC_HAS_SOFTRESET | SYSC_HAS_AUTOIDLE |
++ SYSS_HAS_RESET_STATUS),
+ .idlemodes = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART |
+ MSTANDBY_FORCE | MSTANDBY_NO | MSTANDBY_SMART),
+ .sysc_fields = &omap_hwmod_sysc_type1,
+@@ -2021,15 +2022,7 @@ static struct omap_hwmod omap3xxx_usb_ho
+ * hence HWMOD_SWSUP_MSTANDBY
+ */
+
+- /*
+- * During system boot; If the hwmod framework resets the module
+- * the module will have smart idle settings; which can lead to deadlock
+- * (above Errata Id:i660); so, dont reset the module during boot;
+- * Use HWMOD_INIT_NO_RESET.
+- */
+-
+- .flags = HWMOD_SWSUP_SIDLE | HWMOD_SWSUP_MSTANDBY |
+- HWMOD_INIT_NO_RESET,
++ .flags = HWMOD_SWSUP_SIDLE | HWMOD_SWSUP_MSTANDBY,
+ };
+
+ /*
diff --git a/queue-3.12/arm-pxa-prevent-pxa270-occasional-reboot-freezes.patch b/queue-3.12/arm-pxa-prevent-pxa270-occasional-reboot-freezes.patch
new file mode 100644
index 00000000000..23096b9c2aa
--- /dev/null
+++ b/queue-3.12/arm-pxa-prevent-pxa270-occasional-reboot-freezes.patch
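Review bot: Dropping the HWMOD_INIT_NO_RESET comment block removes the only in-code reference to errata i660 at the `.flags` line of omap3xxx_usb_host_hs_hwmod, while the surviving comment above it (`hence HWMOD_SWSUP_MSTANDBY`, which begins outside the hunk) still depends on that context. Keep a one-line rationale, e.g. `/* errata i660: RESET is the recovery path for the deadlock, so the module must be reset at init; do not re-add HWMOD_INIT_NO_RESET */`, so a later reader does not reintroduce the flag. The added SYSS_HAS_RESET_STATUS bit in the sysconfig is what lets the framework wait for that reset to complete, which the comment could also mention.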
@@ -0,0 +1,58 @@
+From ff88b4724fde18056a4c539f7327389aec0f4c2d Mon Sep 17 00:00:00 2001
+From: Sergei Ianovich
+Date: Tue, 10 Dec 2013 08:39:15 +0400
+Subject: ARM: pxa: prevent PXA270 occasional reboot freezes
+
+From: Sergei Ianovich
+
+commit ff88b4724fde18056a4c539f7327389aec0f4c2d upstream.
+
+Erratum 71 of PXA270M Processor Family Specification Update
+(April 19, 2010) explains that watchdog reset time is just
+8us insead of 10ms in EMTS.
+
+If SDRAM is not reset, it causes memory bus congestion and
+the device hangs. We put SDRAM in selfresh mode before watchdog
+reset, removing potential freezes.
+
+Without this patch PXA270-based ICP DAS LP-8x4x hangs after up to 40
+reboots. With this patch it has successfully rebooted 500 times.
+
+Signed-off-by: Sergei Ianovich
+Tested-by: Marek Vasut
+Signed-off-by: Haojian Zhuang
+Signed-off-by: Olof Johansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mach-pxa/reset.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/mach-pxa/reset.c
++++ b/arch/arm/mach-pxa/reset.c
+@@ -13,6 +13,7 @@
+
+ #include
+ #include
++#include
+
+ unsigned int reset_status;
+ EXPORT_SYMBOL(reset_status);
+@@ -81,6 +82,12 @@ static void do_hw_reset(void)
+ writel_relaxed(OSSR_M3, OSSR);
+ /* ... in 100 ms */
+ writel_relaxed(readl_relaxed(OSCR) + 368640, OSMR3);
++ /*
++ * SDRAM hangs on watchdog reset on Marvell PXA270 (erratum 71)
++ * we put SDRAM into self-refresh to prevent that
++ */
++ while (1)
++ writel_relaxed(MDREFR_SLFRSH, MDREFR);
+ }
+
+ void pxa_restart(enum reboot_mode mode, const char *cmd)
+@@ -104,4 +111,3 @@ void pxa_restart(enum reboot_mode mode,
+ break;
+ }
+ }
+-
diff --git a/queue-3.12/arm-pxa-tosa-fix-keys-mapping.patch b/queue-3.12/arm-pxa-tosa-fix-keys-mapping.patch
new file mode 100644
index 00000000000..2d242a07d04
--- /dev/null
+++ b/queue-3.12/arm-pxa-tosa-fix-keys-mapping.patch
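Review bot: The `while (1)` added to do_hw_reset turns the function into one that never returns and depends on the OSMR3 match armed two lines earlier to actually reset the SoC; the new comment explains the self-refresh write but not this change of contract. Extend it with ` * never returns: spin here until the watchdog match armed above fires`, and say why the MDREFR write is repeated in the loop rather than issued once (if that repetition is deliberate). pxa_restart, the caller visible in the following nested hunk, is cut off by the hunk boundary, so whether any of its callers expect control back cannot be judged here.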
@@ -0,0 +1,134 @@ +From 506cac15ac86f204b83e3cfccde73eeb4e7c5f34 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov +Date: Sat, 16 Nov 2013 16:47:50 +0400 +Subject: ARM: pxa: tosa: fix keys mapping + +From: Dmitry Eremin-Solenikov + +commit 506cac15ac86f204b83e3cfccde73eeb4e7c5f34 upstream. + +When converting from tosa-keyboard driver to matrix keyboard, tosa keys +received extra 1 column shift. Replace that with correct values to make +keyboard work again. + +Fixes: f69a6548c9d5 ('[ARM] pxa/tosa: make use of the matrix keypad driver') +Signed-off-by: Dmitry Eremin-Solenikov +Signed-off-by: Haojian Zhuang +Signed-off-by: Olof Johansson +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-pxa/tosa.c | 102 +++++++++++++++++++++++------------------------ + 1 file changed, 51 insertions(+), 51 deletions(-) + +--- a/arch/arm/mach-pxa/tosa.c ++++ b/arch/arm/mach-pxa/tosa.c +@@ -425,57 +425,57 @@ static struct platform_device tosa_power + * Tosa Keyboard + */ + static const uint32_t tosakbd_keymap[] = { +- KEY(0, 2, KEY_W), +- KEY(0, 6, KEY_K), +- KEY(0, 7, KEY_BACKSPACE), +- KEY(0, 8, KEY_P), +- KEY(1, 1, KEY_Q), +- KEY(1, 2, KEY_E), +- KEY(1, 3, KEY_T), +- KEY(1, 4, KEY_Y), +- KEY(1, 6, KEY_O), +- KEY(1, 7, KEY_I), +- KEY(1, 8, KEY_COMMA), +- KEY(2, 1, KEY_A), +- KEY(2, 2, KEY_D), +- KEY(2, 3, KEY_G), +- KEY(2, 4, KEY_U), +- KEY(2, 6, KEY_L), +- KEY(2, 7, KEY_ENTER), +- KEY(2, 8, KEY_DOT), +- KEY(3, 1, KEY_Z), +- KEY(3, 2, KEY_C), +- KEY(3, 3, KEY_V), +- KEY(3, 4, KEY_J), +- KEY(3, 5, TOSA_KEY_ADDRESSBOOK), +- KEY(3, 6, TOSA_KEY_CANCEL), +- KEY(3, 7, TOSA_KEY_CENTER), +- KEY(3, 8, TOSA_KEY_OK), +- KEY(3, 9, KEY_LEFTSHIFT), +- KEY(4, 1, KEY_S), +- KEY(4, 2, KEY_R), +- KEY(4, 3, KEY_B), +- KEY(4, 4, KEY_N), +- KEY(4, 5, TOSA_KEY_CALENDAR), +- KEY(4, 6, TOSA_KEY_HOMEPAGE), +- KEY(4, 7, KEY_LEFTCTRL), +- KEY(4, 8, TOSA_KEY_LIGHT), +- KEY(4, 10, KEY_RIGHTSHIFT), +- KEY(5, 1, KEY_TAB), +- KEY(5, 2, KEY_SLASH), +- KEY(5, 3, KEY_H), +- KEY(5, 4, KEY_M), +- KEY(5, 5, 
TOSA_KEY_MENU), +- KEY(5, 7, KEY_UP), +- KEY(5, 11, TOSA_KEY_FN), +- KEY(6, 1, KEY_X), +- KEY(6, 2, KEY_F), +- KEY(6, 3, KEY_SPACE), +- KEY(6, 4, KEY_APOSTROPHE), +- KEY(6, 5, TOSA_KEY_MAIL), +- KEY(6, 6, KEY_LEFT), +- KEY(6, 7, KEY_DOWN), +- KEY(6, 8, KEY_RIGHT), ++ KEY(0, 1, KEY_W), ++ KEY(0, 5, KEY_K), ++ KEY(0, 6, KEY_BACKSPACE), ++ KEY(0, 7, KEY_P), ++ KEY(1, 0, KEY_Q), ++ KEY(1, 1, KEY_E), ++ KEY(1, 2, KEY_T), ++ KEY(1, 3, KEY_Y), ++ KEY(1, 5, KEY_O), ++ KEY(1, 6, KEY_I), ++ KEY(1, 7, KEY_COMMA), ++ KEY(2, 0, KEY_A), ++ KEY(2, 1, KEY_D), ++ KEY(2, 2, KEY_G), ++ KEY(2, 3, KEY_U), ++ KEY(2, 5, KEY_L), ++ KEY(2, 6, KEY_ENTER), ++ KEY(2, 7, KEY_DOT), ++ KEY(3, 0, KEY_Z), ++ KEY(3, 1, KEY_C), ++ KEY(3, 2, KEY_V), ++ KEY(3, 3, KEY_J), ++ KEY(3, 4, TOSA_KEY_ADDRESSBOOK), ++ KEY(3, 5, TOSA_KEY_CANCEL), ++ KEY(3, 6, TOSA_KEY_CENTER), ++ KEY(3, 7, TOSA_KEY_OK), ++ KEY(3, 8, KEY_LEFTSHIFT), ++ KEY(4, 0, KEY_S), ++ KEY(4, 1, KEY_R), ++ KEY(4, 2, KEY_B), ++ KEY(4, 3, KEY_N), ++ KEY(4, 4, TOSA_KEY_CALENDAR), ++ KEY(4, 5, TOSA_KEY_HOMEPAGE), ++ KEY(4, 6, KEY_LEFTCTRL), ++ KEY(4, 7, TOSA_KEY_LIGHT), ++ KEY(4, 9, KEY_RIGHTSHIFT), ++ KEY(5, 0, KEY_TAB), ++ KEY(5, 1, KEY_SLASH), ++ KEY(5, 2, KEY_H), ++ KEY(5, 3, KEY_M), ++ KEY(5, 4, TOSA_KEY_MENU), ++ KEY(5, 6, KEY_UP), ++ KEY(5, 10, TOSA_KEY_FN), ++ KEY(6, 0, KEY_X), ++ KEY(6, 1, KEY_F), ++ KEY(6, 2, KEY_SPACE), ++ KEY(6, 3, KEY_APOSTROPHE), ++ KEY(6, 4, TOSA_KEY_MAIL), ++ KEY(6, 5, KEY_LEFT), ++ KEY(6, 6, KEY_DOWN), ++ KEY(6, 7, KEY_RIGHT), + }; + + static struct matrix_keymap_data tosakbd_keymap_data = { diff --git a/queue-3.12/arm-sun6i-dt-fix-interrupt-trigger-types.patch b/queue-3.12/arm-sun6i-dt-fix-interrupt-trigger-types.patch new file mode 100644 index 00000000000..ab165bd572f --- /dev/null +++ b/queue-3.12/arm-sun6i-dt-fix-interrupt-trigger-types.patch 
@@ -0,0 +1,109 @@ +From 6f97dc8d4663abed96fa30e3ea4a1d4cfd1c4276 Mon Sep 17 00:00:00 2001 +From: Maxime Ripard +Date: Tue, 10 Dec 2013 19:37:22 +0100 +Subject: ARM: sun6i: dt: Fix interrupt trigger types + +From: Maxime Ripard + +commit 6f97dc8d4663abed96fa30e3ea4a1d4cfd1c4276 upstream. + +The Allwinner A31 uses the ARM GIC as its internal interrupts controller. The +GIC can work on several interrupt triggers, and the A31 was actually setting it +up to use a rising edge as a trigger, while it was actually a level high +trigger, leading to some interrupts that would be completely ignored if the +edge was missed. + +Signed-off-by: Maxime Ripard +Acked-by: Hans de Goede +Signed-off-by: Olof Johansson +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/sun6i-a31.dtsi | 27 +++++++++++++++------------ + 1 file changed, 15 insertions(+), 12 deletions(-) + +--- a/arch/arm/boot/dts/sun6i-a31.dtsi ++++ b/arch/arm/boot/dts/sun6i-a31.dtsi +@@ -193,7 +193,10 @@ + pio: pinctrl@01c20800 { + compatible = "allwinner,sun6i-a31-pinctrl"; + reg = <0x01c20800 0x400>; +- interrupts = <0 11 1>, <0 15 1>, <0 16 1>, <0 17 1>; ++ interrupts = <0 11 4>, ++ <0 15 4>, ++ <0 16 4>, ++ <0 17 4>; + clocks = <&apb1_gates 5>; + gpio-controller; + interrupt-controller; +@@ -212,11 +215,11 @@ + timer@01c20c00 { + compatible = "allwinner,sun4i-timer"; + reg = <0x01c20c00 0xa0>; +- interrupts = <0 18 1>, +- <0 19 1>, +- <0 20 1>, +- <0 21 1>, +- <0 22 1>; ++ interrupts = <0 18 4>, ++ <0 19 4>, ++ <0 20 4>, ++ <0 21 4>, ++ <0 22 4>; + clocks = <&osc24M>; + }; + +@@ -228,7 +231,7 @@ + uart0: serial@01c28000 { + compatible = "snps,dw-apb-uart"; + reg = <0x01c28000 0x400>; +- interrupts = <0 0 1>; ++ interrupts = <0 0 4>; + reg-shift = <2>; + reg-io-width = <4>; + clocks = <&apb2_gates 16>; +@@ -238,7 +241,7 @@ + uart1: serial@01c28400 { + compatible = "snps,dw-apb-uart"; + reg = <0x01c28400 0x400>; +- interrupts = <0 1 1>; ++ interrupts = <0 1 4>; + reg-shift = <2>; + reg-io-width = <4>; + 
clocks = <&apb2_gates 17>; +@@ -248,7 +251,7 @@ + uart2: serial@01c28800 { + compatible = "snps,dw-apb-uart"; + reg = <0x01c28800 0x400>; +- interrupts = <0 2 1>; ++ interrupts = <0 2 4>; + reg-shift = <2>; + reg-io-width = <4>; + clocks = <&apb2_gates 18>; +@@ -258,7 +261,7 @@ + uart3: serial@01c28c00 { + compatible = "snps,dw-apb-uart"; + reg = <0x01c28c00 0x400>; +- interrupts = <0 3 1>; ++ interrupts = <0 3 4>; + reg-shift = <2>; + reg-io-width = <4>; + clocks = <&apb2_gates 19>; +@@ -268,7 +271,7 @@ + uart4: serial@01c29000 { + compatible = "snps,dw-apb-uart"; + reg = <0x01c29000 0x400>; +- interrupts = <0 4 1>; ++ interrupts = <0 4 4>; + reg-shift = <2>; + reg-io-width = <4>; + clocks = <&apb2_gates 20>; +@@ -278,7 +281,7 @@ + uart5: serial@01c29400 { + compatible = "snps,dw-apb-uart"; + reg = <0x01c29400 0x400>; +- interrupts = <0 5 1>; ++ interrupts = <0 5 4>; + reg-shift = <2>; + reg-io-width = <4>; + clocks = <&apb2_gates 21>; diff --git a/queue-3.12/kvm-improve-create-vcpu-parameter-cve-2013-4587.patch b/queue-3.12/kvm-improve-create-vcpu-parameter-cve-2013-4587.patch new file mode 100644 index 00000000000..1f52b330fcb --- /dev/null +++ b/queue-3.12/kvm-improve-create-vcpu-parameter-cve-2013-4587.patch 
@@ -0,0 +1,37 @@
+From 338c7dbadd2671189cec7faf64c84d01071b3f96 Mon Sep 17 00:00:00 2001
+From: Andy Honig
+Date: Mon, 18 Nov 2013 16:09:22 -0800
+Subject: KVM: Improve create VCPU parameter (CVE-2013-4587)
+
+From: Andy Honig
+
+commit 338c7dbadd2671189cec7faf64c84d01071b3f96 upstream.
+
+In multiple functions the vcpu_id is used as an offset into a bitfield. Ag
+malicious user could specify a vcpu_id greater than 255 in order to set or
+clear bits in kernel memory. This could be used to elevate priveges in the
+kernel. This patch verifies that the vcpu_id provided is less than 255.
+The api documentation already specifies that the vcpu_id must be less than
+max_vcpus, but this is currently not checked.
+
+Reported-by: Andrew Honig
+Signed-off-by: Andrew Honig
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/kvm_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1893,6 +1893,9 @@ static int kvm_vm_ioctl_create_vcpu(stru
+ int r;
+ struct kvm_vcpu *vcpu, *v;
+
++ if (id >= KVM_MAX_VCPUS)
++ return -EINVAL;
++
+ vcpu = kvm_arch_vcpu_create(kvm, id);
+ if (IS_ERR(vcpu))
+ return PTR_ERR(vcpu);
diff --git a/queue-3.12/kvm-x86-convert-vapic-synchronization-to-_cached-functions-cve-2013-6368.patch b/queue-3.12/kvm-x86-convert-vapic-synchronization-to-_cached-functions-cve-2013-6368.patch
new file mode 100644
index 00000000000..5750823d9ef
--- /dev/null
+++ b/queue-3.12/kvm-x86-convert-vapic-synchronization-to-_cached-functions-cve-2013-6368.patch
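Review bot: The new `if (id >= KVM_MAX_VCPUS)` guard in kvm_vm_ioctl_create_vcpu is only complete if `id` is unsigned; the parameter list is truncated at the nested hunk header, so confirm its declared type, because a signed `id` would let negative values past a `>=` comparison and reach the bitmap indexing the commit message describes. A short comment above the check, `/* id indexes per-VCPU bitmaps; reject out-of-range values before arch code uses them */`, would record why it must precede kvm_arch_vcpu_create. The function continues past the end of the hunk.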
@@ -0,0 +1,187 @@ +From fda4e2e85589191b123d31cdc21fd33ee70f50fd Mon Sep 17 00:00:00 2001 +From: Andy Honig +Date: Wed, 20 Nov 2013 10:23:22 -0800 +Subject: KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) + +From: Andy Honig + +commit fda4e2e85589191b123d31cdc21fd33ee70f50fd upstream. + +In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the +potential to corrupt kernel memory if userspace provides an address that +is at the end of a page. This patches concerts those functions to use +kvm_write_guest_cached and kvm_read_guest_cached. It also checks the +vapic_address specified by userspace during ioctl processing and returns +an error to userspace if the address is not a valid GPA. + +This is generally not guest triggerable, because the required write is +done by firmware that runs before the guest. Also, it only affects AMD +processors and oldish Intel that do not have the FlexPriority feature +(unless you disable FlexPriority, of course; then newer processors are +also affected). 
+ +Fixes: b93463aa59d6 ('KVM: Accelerated apic support') + +Reported-by: Andrew Honig +Signed-off-by: Andrew Honig +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/lapic.c | 27 +++++++++++++++------------ + arch/x86/kvm/lapic.h | 4 ++-- + arch/x86/kvm/x86.c | 40 +--------------------------------------- + 3 files changed, 18 insertions(+), 53 deletions(-) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1692,7 +1692,6 @@ static void apic_sync_pv_eoi_from_guest( + void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu) + { + u32 data; +- void *vapic; + + if (test_bit(KVM_APIC_PV_EOI_PENDING, &vcpu->arch.apic_attention)) + apic_sync_pv_eoi_from_guest(vcpu, vcpu->arch.apic); +@@ -1700,9 +1699,8 @@ void kvm_lapic_sync_from_vapic(struct kv + if (!test_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention)) + return; + +- vapic = kmap_atomic(vcpu->arch.apic->vapic_page); +- data = *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr)); +- kunmap_atomic(vapic); ++ kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data, ++ sizeof(u32)); + + apic_set_tpr(vcpu->arch.apic, data & 0xff); + } +@@ -1738,7 +1736,6 @@ void kvm_lapic_sync_to_vapic(struct kvm_ + u32 data, tpr; + int max_irr, max_isr; + struct kvm_lapic *apic = vcpu->arch.apic; +- void *vapic; + + apic_sync_pv_eoi_to_guest(vcpu, apic); + +@@ -1754,18 +1751,24 @@ void kvm_lapic_sync_to_vapic(struct kvm_ + max_isr = 0; + data = (tpr & 0xff) | ((max_isr & 0xf0) << 8) | (max_irr << 24); + +- vapic = kmap_atomic(vcpu->arch.apic->vapic_page); +- *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr)) = data; +- kunmap_atomic(vapic); ++ kvm_write_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data, ++ sizeof(u32)); + } + +-void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr) ++int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr) + { +- vcpu->arch.apic->vapic_addr = vapic_addr; +- if (vapic_addr) ++ if 
(vapic_addr) { ++ if (kvm_gfn_to_hva_cache_init(vcpu->kvm, ++ &vcpu->arch.apic->vapic_cache, ++ vapic_addr, sizeof(u32))) ++ return -EINVAL; + __set_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention); +- else ++ } else { + __clear_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention); ++ } ++ ++ vcpu->arch.apic->vapic_addr = vapic_addr; ++ return 0; + } + + int kvm_x2apic_msr_write(struct kvm_vcpu *vcpu, u32 msr, u64 data) +--- a/arch/x86/kvm/lapic.h ++++ b/arch/x86/kvm/lapic.h +@@ -34,7 +34,7 @@ struct kvm_lapic { + */ + void *regs; + gpa_t vapic_addr; +- struct page *vapic_page; ++ struct gfn_to_hva_cache vapic_cache; + unsigned long pending_events; + unsigned int sipi_vector; + }; +@@ -76,7 +76,7 @@ void kvm_set_lapic_tscdeadline_msr(struc + void kvm_apic_write_nodecode(struct kvm_vcpu *vcpu, u32 offset); + void kvm_apic_set_eoi_accelerated(struct kvm_vcpu *vcpu, int vector); + +-void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr); ++int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr); + void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu); + void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu); + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3192,8 +3192,7 @@ long kvm_arch_vcpu_ioctl(struct file *fi + r = -EFAULT; + if (copy_from_user(&va, argp, sizeof va)) + goto out; +- r = 0; +- kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr); ++ r = kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr); + break; + } + case KVM_X86_SETUP_MCE: { +@@ -5718,36 +5717,6 @@ static void post_kvm_run_save(struct kvm + !kvm_event_needs_reinjection(vcpu); + } + +-static int vapic_enter(struct kvm_vcpu *vcpu) +-{ +- struct kvm_lapic *apic = vcpu->arch.apic; +- struct page *page; +- +- if (!apic || !apic->vapic_addr) +- return 0; +- +- page = gfn_to_page(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT); +- if (is_error_page(page)) +- return -EFAULT; +- +- vcpu->arch.apic->vapic_page = page; +- return 0; +-} +- +-static void vapic_exit(struct kvm_vcpu 
*vcpu) +-{ +- struct kvm_lapic *apic = vcpu->arch.apic; +- int idx; +- +- if (!apic || !apic->vapic_addr) +- return; +- +- idx = srcu_read_lock(&vcpu->kvm->srcu); +- kvm_release_page_dirty(apic->vapic_page); +- mark_page_dirty(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT); +- srcu_read_unlock(&vcpu->kvm->srcu, idx); +-} +- + static void update_cr8_intercept(struct kvm_vcpu *vcpu) + { + int max_irr, tpr; +@@ -6047,11 +6016,6 @@ static int __vcpu_run(struct kvm_vcpu *v + struct kvm *kvm = vcpu->kvm; + + vcpu->srcu_idx = srcu_read_lock(&kvm->srcu); +- r = vapic_enter(vcpu); +- if (r) { +- srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx); +- return r; +- } + + r = 1; + while (r > 0) { +@@ -6110,8 +6074,6 @@ static int __vcpu_run(struct kvm_vcpu *v + + srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx); + +- vapic_exit(vcpu); +- + return r; + } + diff --git a/queue-3.12/kvm-x86-fix-guest-initiated-crash-with-x2apic-cve-2013-6376.patch b/queue-3.12/kvm-x86-fix-guest-initiated-crash-with-x2apic-cve-2013-6376.patch new file mode 100644 index 00000000000..9c039cd3805 --- /dev/null +++ b/queue-3.12/kvm-x86-fix-guest-initiated-crash-with-x2apic-cve-2013-6376.patch 
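Review bot: In kvm_lapic_sync_from_vapic the result of `kvm_read_guest_cached()` is discarded, and `data` is declared without an initializer, so when the cached read fails the following `apic_set_tpr(vcpu->arch.apic, data & 0xff)` consumes an indeterminate value; the removed kmap path had no failure mode, so this is new. Bail out instead: `if (kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data, sizeof(u32))) return;`. kvm_lapic_sync_to_vapic likewise drops the `kvm_write_guest_cached()` result; a failed write is less harmful, but a comment stating that the write is best-effort would make that deliberate.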
@@ -0,0 +1,53 @@
+From 17d68b763f09a9ce824ae23eb62c9efc57b69271 Mon Sep 17 00:00:00 2001
+From: Gleb Natapov
+Date: Thu, 12 Dec 2013 21:20:08 +0100
+Subject: KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376)
+
+From: Gleb Natapov
+
+commit 17d68b763f09a9ce824ae23eb62c9efc57b69271 upstream.
+
+A guest can cause a BUG_ON() leading to a host kernel crash.
+When the guest writes to the ICR to request an IPI, while in x2apic
+mode the following things happen, the destination is read from
+ICR2, which is a register that the guest can control.
+
+kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the
+cluster id. A BUG_ON is triggered, which is a protection against
+accessing map->logical_map with an out-of-bounds access and manages
+to avoid that anything really unsafe occurs.
+
+The logic in the code is correct from real HW point of view. The problem
+is that KVM supports only one cluster with ID 0 in clustered mode, but
+the code that has the bug does not take this into account.
+
+Reported-by: Lars Bull
+Signed-off-by: Gleb Natapov
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/lapic.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -143,6 +143,8 @@ static inline int kvm_apic_id(struct kvm
+ return (kvm_apic_get_reg(apic, APIC_ID) >> 24) & 0xff;
+ }
+
++#define KVM_X2APIC_CID_BITS 0
++
+ static void recalculate_apic_map(struct kvm *kvm)
+ {
+ struct kvm_apic_map *new, *old = NULL;
+@@ -180,7 +182,8 @@ static void recalculate_apic_map(struct
+ if (apic_x2apic_mode(apic)) {
+ new->ldr_bits = 32;
+ new->cid_shift = 16;
+- new->cid_mask = new->lid_mask = 0xffff;
++ new->cid_mask = (1 << KVM_X2APIC_CID_BITS) - 1;
++ new->lid_mask = 0xffff;
+ } else if (kvm_apic_sw_enabled(apic) &&
+ !new->cid_mask /* flat mode */ &&
+ kvm_apic_get_reg(apic, APIC_DFR) == APIC_DFR_CLUSTER) {
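Review bot: `#define KVM_X2APIC_CID_BITS 0` carries no explanation, so `new->cid_mask = (1 << KVM_X2APIC_CID_BITS) - 1` reads as a contradiction (a zero-width cluster id) to anyone who has not read the commit message. Add `/* KVM supports a single x2APIC cluster (id 0); a zero-width cid keeps every guest-supplied destination inside map->logical_map */` above the define, and consider moving it alongside the file's other constants rather than between kvm_apic_id and recalculate_apic_map. recalculate_apic_map continues past the end of the hunk.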
diff --git a/queue-3.12/kvm-x86-fix-potential-divide-by-0-in-lapic-cve-2013-6367.patch b/queue-3.12/kvm-x86-fix-potential-divide-by-0-in-lapic-cve-2013-6367.patch
new file mode 100644
index 00000000000..a95170c4c03
--- /dev/null
+++ b/queue-3.12/kvm-x86-fix-potential-divide-by-0-in-lapic-cve-2013-6367.patch
@@ -0,0 +1,44 @@
+From b963a22e6d1a266a67e9eecc88134713fd54775c Mon Sep 17 00:00:00 2001
+From: Andy Honig
+Date: Tue, 19 Nov 2013 14:12:18 -0800
+Subject: KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
+
+From: Andy Honig
+
+commit b963a22e6d1a266a67e9eecc88134713fd54775c upstream.
+
+Under guest controllable circumstances apic_get_tmcct will execute a
+divide by zero and cause a crash. If the guest cpuid support
+tsc deadline timers and performs the following sequence of requests
+the host will crash.
+- Set the mode to periodic
+- Set the TMICT to 0
+- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
+- Set the TMICT to non-zero.
+Then the lapic_timer.period will be 0, but the TMICT will not be. If the
+guest then reads from the TMCCT then the host will perform a divide by 0.
+
+This patch ensures that if the lapic_timer.period is 0, then the division
+does not occur.
+
+Reported-by: Andrew Honig
+Signed-off-by: Andrew Honig
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/lapic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -841,7 +841,8 @@ static u32 apic_get_tmcct(struct kvm_lap
+ ASSERT(apic != NULL);
+
+ /* if initial count is 0, current count should also be 0 */
+- if (kvm_apic_get_reg(apic, APIC_TMICT) == 0)
++ if (kvm_apic_get_reg(apic, APIC_TMICT) == 0 ||
++ apic->lapic_timer.period == 0)
+ return 0;
+
+ remaining = hrtimer_get_remaining(&apic->lapic_timer.timer);
diff --git a/queue-3.12/series b/queue-3.12/series
index c80858bff97..3d9ce6f890c 100644
--- a/queue-3.12/series
+++ b/queue-3.12/series
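Review bot: The comment above the widened test in apic_get_tmcct still reads `/* if initial count is 0, current count should also be 0 */`, but the condition now also returns 0 when `apic->lapic_timer.period == 0`, which is the guest-reachable divisor the commit message describes. Update it to `/* if initial count is 0, or no period was programmed (e.g. mode bits 11), current count is 0 and the division below must be skipped */` so the reason for the second clause lives where it is checked. apic_get_tmcct continues past the end of the hunk, where the division itself is performed.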
@@ -5,3 +5,15 @@ alsa-memalloc.h-fix-wrong-truncation-of-dma_addr_t.patch
 alsa-hda-add-static-dac-pin-mapping-for-ad1986a-codec.patch
 alsa-hda-mute-all-aamix-inputs-as-default.patch
 alsa-hda-hdmi-fix-iec958-ctl-indexes-for-some-simple-hdmi-devices.patch
+arm-pxa-tosa-fix-keys-mapping.patch
+arm-highbank-handle-soft-poweroff-and-reset-key-events.patch
+arm-sun6i-dt-fix-interrupt-trigger-types.patch
+arm-pxa-prevent-pxa270-occasional-reboot-freezes.patch
+arm-omap3-hwmod-data-don-t-prevent-reset-of-usb-host-module.patch
+arm-7912-1-check-stack-pointer-in-get_wchan.patch
+arm-7913-1-fix-framepointer-check-in-unwind_frame.patch
+arm-7917-1-cacheflush-correctly-limit-range-of-memory-region-being-flushed.patch
+kvm-improve-create-vcpu-parameter-cve-2013-4587.patch
+kvm-x86-fix-potential-divide-by-0-in-lapic-cve-2013-6367.patch
+kvm-x86-convert-vapic-synchronization-to-_cached-functions-cve-2013-6368.patch
+kvm-x86-fix-guest-initiated-crash-with-x2apic-cve-2013-6376.patch