From: Greg Kroah-Hartman Date: Tue, 26 Mar 2013 17:37:30 +0000 (-0700) Subject: 3.0-stable patches X-Git-Tag: v3.0.71~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ce424d4570dc26e1d2cb92c2c4cc0ae1554db313;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: drm-i915-bounds-check-execbuffer-relocation-count.patch kms-fix-edid-detailed-timing-vsync-parsing.patch mm-hugetlb-fix-total-hugetlbfs-pages-count-when-using-memory-overcommit-accouting.patch mwifiex-fix-potential-out-of-boundary-access-to-ibss-rate-table.patch tracing-fix-free-of-probe-entry-by-calling-call_rcu_sched.patch tracing-fix-race-in-snapshot-swapping.patch
---
diff --git a/queue-3.0/drm-i915-bounds-check-execbuffer-relocation-count.patch b/queue-3.0/drm-i915-bounds-check-execbuffer-relocation-count.patch
new file mode 100644
index 00000000000..48e87798925
--- /dev/null
+++ b/queue-3.0/drm-i915-bounds-check-execbuffer-relocation-count.patch
@@ -0,0 +1,53 @@
+From 3118a4f652c7b12c752f3222af0447008f9b2368 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Mon, 11 Mar 2013 17:31:45 -0700
+Subject: drm/i915: bounds check execbuffer relocation count
+
+From: Kees Cook
+
+commit 3118a4f652c7b12c752f3222af0447008f9b2368 upstream.
+
+It is possible to wrap the counter used to allocate the buffer for
+relocation copies. This could lead to heap writing overflows.
+
+CVE-2013-0913
+
+v3: collapse test, improve comment
+v2: move check into validate_exec_list
+
+Signed-off-by: Kees Cook
+Reported-by: Pinkie Pie
+Reviewed-by: Chris Wilson
+Signed-off-by: Daniel Vetter
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -888,15 +888,20 @@ validate_exec_list(struct drm_i915_gem_e
+ int count)
+ {
+ int i;
++ int relocs_total = 0;
++ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
+
+ for (i = 0; i < count; i++) {
+ char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
+ int length; /* limited by fault_in_pages_readable() */
+
+- /* First check for malicious input causing overflow */
+- if (exec[i].relocation_count >
+- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
++ /* First check for malicious input causing overflow in
++ * the worst case where we need to allocate the entire
++ * relocation tree as a single array.
++ */
++ if (exec[i].relocation_count > relocs_max - relocs_total)
+ return -EINVAL;
++ relocs_total += exec[i].relocation_count;
+
+ length = exec[i].relocation_count *
+ sizeof(struct drm_i915_gem_relocation_entry);
diff --git a/queue-3.0/kms-fix-edid-detailed-timing-vsync-parsing.patch b/queue-3.0/kms-fix-edid-detailed-timing-vsync-parsing.patch
new file mode 100644
index 00000000000..0d0102ce4e7
--- /dev/null
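Review bot: The guard `if (exec[i].relocation_count > relocs_max - relocs_total)` is only sound while `relocs_total` never exceeds `relocs_max`: if it ever did, the signed difference would go negative and, compared against the unsigned `relocation_count` (a `__u32` in the UAPI struct, as far as I can tell), would convert to a huge value and wave every later entry through. The loop does preserve that invariant, because the entry is rejected before the `relocs_total += exec[i].relocation_count;` accumulation on the next line, but the added comment does not say so and a future reorder would silently break it. I would extend the comment with `* relocs_total never exceeds relocs_max, so the subtraction below cannot go negative (which would defeat the unsigned comparison).`. validate_exec_list() starts before and continues past this hunk.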
+++ b/queue-3.0/kms-fix-edid-detailed-timing-vsync-parsing.patch
@@ -0,0 +1,40 @@
+From 16dad1d743d31a104a849c8944e6b9eb479f6cd7 Mon Sep 17 00:00:00 2001
+From: Torsten Duwe
+Date: Sat, 23 Mar 2013 15:38:22 +0100
+Subject: KMS: fix EDID detailed timing vsync parsing
+
+From: Torsten Duwe
+
+commit 16dad1d743d31a104a849c8944e6b9eb479f6cd7 upstream.
+
+EDID spreads some values across multiple bytes; bit-fiddling is needed
+to retrieve these. The current code to parse "detailed timings" has a
+cut&paste error that results in a vsync offset of at most 15 lines
+instead of 63.
+
+See
+
+ http://en.wikipedia.org/wiki/EDID
+
+and in the "EDID Detailed Timing Descriptor" see bytes 10+11 show why
+that needs to be a left shift.
+
+Signed-off-by: Torsten Duwe
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/drm_edid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -841,7 +841,7 @@ static struct drm_display_mode *drm_mode
+ unsigned vblank = (pt->vactive_vblank_hi & 0xf) << 8 | pt->vblank_lo;
+ unsigned hsync_offset = (pt->hsync_vsync_offset_pulse_width_hi & 0xc0) << 2 | pt->hsync_offset_lo;
+ unsigned hsync_pulse_width = (pt->hsync_vsync_offset_pulse_width_hi & 0x30) << 4 | pt->hsync_pulse_width_lo;
+- unsigned vsync_offset = (pt->hsync_vsync_offset_pulse_width_hi & 0xc) >> 2 | pt->vsync_offset_pulse_width_lo >> 4;
++ unsigned vsync_offset = (pt->hsync_vsync_offset_pulse_width_hi & 0xc) << 2 | pt->vsync_offset_pulse_width_lo >> 4;
+ unsigned vsync_pulse_width = (pt->hsync_vsync_offset_pulse_width_hi & 0x3) << 4 | (pt->vsync_offset_pulse_width_lo & 0xf);
+
+ /* ignore tiny modes */
diff --git a/queue-3.0/mm-hugetlb-fix-total-hugetlbfs-pages-count-when-using-memory-overcommit-accouting.patch b/queue-3.0/mm-hugetlb-fix-total-hugetlbfs-pages-count-when-using-memory-overcommit-accouting.patch
new file mode 100644
index 00000000000..683b81409a8
--- /dev/null
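Review bot: The corrected line `unsigned vsync_offset = (pt->hsync_vsync_offset_pulse_width_hi & 0xc) << 2 | pt->vsync_offset_pulse_width_lo >> 4;` mixes `<<`, `>>` and `|` with no parentheses around the low-nibble operand, whereas the `vsync_pulse_width` line right below parenthesizes its low half; since this is exactly the line where the copy-paste shift error slipped in, the two 6-bit halves would be easier to audit as `((pt->hsync_vsync_offset_pulse_width_hi & 0xc) << 2) | (pt->vsync_offset_pulse_width_lo >> 4)`. Precedence is correct as written (shifts bind tighter than `|`), so this is readability only. The enclosing function starts before the hunk and continues past it.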
+++ b/queue-3.0/mm-hugetlb-fix-total-hugetlbfs-pages-count-when-using-memory-overcommit-accouting.patch 
@@ -0,0 +1,65 @@
+From d00285884c0892bb1310df96bce6056e9ce9b9d9 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li
+Date: Fri, 22 Mar 2013 15:04:40 -0700
+Subject: mm/hugetlb: fix total hugetlbfs pages count when using memory overcommit accouting
+
+From: Wanpeng Li
+
+commit d00285884c0892bb1310df96bce6056e9ce9b9d9 upstream.
+
+hugetlb_total_pages is used for overcommit calculations but the current
+implementation considers only the default hugetlb page size (which is
+either the first defined hugepage size or the one specified by
+default_hugepagesz kernel boot parameter).
+
+If the system is configured for more than one hugepage size, which is
+possible since commit a137e1cc6d6e ("hugetlbfs: per mount huge page
+sizes") then the overcommit estimation done by __vm_enough_memory()
+(resp. shown by meminfo_proc_show) is not precise - there is an
+impression of more available/allowed memory. This can lead to an
+unexpected ENOMEM/EFAULT resp. SIGSEGV when memory is accounted.
+
+Testcase:
+ boot: hugepagesz=1G hugepages=1
+ the default overcommit ratio is 50
+ before patch:
+
+ egrep 'CommitLimit' /proc/meminfo
+ CommitLimit: 55434168 kB
+
+ after patch:
+
+ egrep 'CommitLimit' /proc/meminfo
+ CommitLimit: 54909880 kB
+
+[akpm@linux-foundation.org: coding-style tweak]
+Signed-off-by: Wanpeng Li
+Acked-by: Michal Hocko
+Cc: "Aneesh Kumar K.V"
+Cc: Hillf Danton
+Cc: KAMEZAWA Hiroyuki
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/hugetlb.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -2006,8 +2006,12 @@ int hugetlb_report_node_meminfo(int nid,
+ /* Return the number pages of memory we physically have, in PAGE_SIZE units. */
+ unsigned long hugetlb_total_pages(void)
+ {
+- struct hstate *h = &default_hstate;
+- return h->nr_huge_pages * pages_per_huge_page(h);
++ struct hstate *h;
++ unsigned long nr_total_pages = 0;
++
++ for_each_hstate(h)
++ nr_total_pages += h->nr_huge_pages * pages_per_huge_page(h);
++ return nr_total_pages;
+ }
+
+ static int hugetlb_acct_memory(struct hstate *h, long delta)
diff --git a/queue-3.0/mwifiex-fix-potential-out-of-boundary-access-to-ibss-rate-table.patch b/queue-3.0/mwifiex-fix-potential-out-of-boundary-access-to-ibss-rate-table.patch
new file mode 100644
index 00000000000..f0669662c38
--- /dev/null
+++ b/queue-3.0/mwifiex-fix-potential-out-of-boundary-access-to-ibss-rate-table.patch
@@ -0,0 +1,40 @@
+From 5f0fabf84d7b52f979dcbafa3d3c530c60d9a92c Mon Sep 17 00:00:00 2001
+From: Bing Zhao
+Date: Thu, 7 Mar 2013 20:00:16 -0800
+Subject: mwifiex: fix potential out-of-boundary access to ibss rate table
+
+From: Bing Zhao
+
+commit 5f0fabf84d7b52f979dcbafa3d3c530c60d9a92c upstream.
+
+smatch found this error:
+
+CHECK drivers/net/wireless/mwifiex/join.c
+ drivers/net/wireless/mwifiex/join.c:1121
+ mwifiex_cmd_802_11_ad_hoc_join()
+ error: testing array offset 'i' after use.
+
+Signed-off-by: Bing Zhao
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/mwifiex/join.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/join.c
++++ b/drivers/net/wireless/mwifiex/join.c
+@@ -1102,10 +1102,9 @@ mwifiex_cmd_802_11_ad_hoc_join(struct mw
+ adhoc_join->bss_descriptor.bssid,
+ adhoc_join->bss_descriptor.ssid);
+
+- for (i = 0; bss_desc->supported_rates[i] &&
+- i < MWIFIEX_SUPPORTED_RATES;
+- i++)
+- ;
++ for (i = 0; i < MWIFIEX_SUPPORTED_RATES &&
++ bss_desc->supported_rates[i]; i++)
++ ;
+ rates_size = i;
+
+ /* Copy Data Rates from the Rates recorded in scan response */
diff --git a/queue-3.0/series b/queue-3.0/series
index 600255015f4..8c0e89c9a5a 100644
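Review bot: The reordered condition `i < MWIFIEX_SUPPORTED_RATES && bss_desc->supported_rates[i]` in the mwifiex hunk is correct only because `&&` evaluates the bound before the index, and nothing in the code says so, so a later tidy-up can swap the operands straight back into the out-of-bounds form the commit removes. A one-line comment above the loop would pin it: `/* Test the bound before indexing: supported_rates[] has MWIFIEX_SUPPORTED_RATES entries. */`. Whether the table is also zero-terminated is not visible here, so I would not claim more than the array size. mwifiex_cmd_802_11_ad_hoc_join() starts and ends outside the hunk.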
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -22,3 +22,9 @@ alsa-hda-fix-typo-in-checking-iec958-emphasis-bit.patch
 alsa-snd-usb-mixer-propagate-errors-up-the-call-chain.patch
 alsa-snd-usb-mixer-ignore-einval-in-snd_usb_mixer_controls.patch
 drm-i915-restrict-kernel-address-leak-in-debugfs.patch
+tracing-fix-race-in-snapshot-swapping.patch
+tracing-fix-free-of-probe-entry-by-calling-call_rcu_sched.patch
+mwifiex-fix-potential-out-of-boundary-access-to-ibss-rate-table.patch
+drm-i915-bounds-check-execbuffer-relocation-count.patch
+kms-fix-edid-detailed-timing-vsync-parsing.patch
+mm-hugetlb-fix-total-hugetlbfs-pages-count-when-using-memory-overcommit-accouting.patch
diff --git a/queue-3.0/tracing-fix-free-of-probe-entry-by-calling-call_rcu_sched.patch b/queue-3.0/tracing-fix-free-of-probe-entry-by-calling-call_rcu_sched.patch
new file mode 100644
index 00000000000..e2e3519ded4
--- /dev/null
+++ b/queue-3.0/tracing-fix-free-of-probe-entry-by-calling-call_rcu_sched.patch
@@ -0,0 +1,41 @@
+From 740466bc89ad8bd5afcc8de220f715f62b21e365 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)"
+Date: Wed, 13 Mar 2013 11:15:19 -0400
+Subject: tracing: Fix free of probe entry by calling call_rcu_sched()
+
+From: "Steven Rostedt (Red Hat)"
+
+commit 740466bc89ad8bd5afcc8de220f715f62b21e365 upstream.
+
+Because function tracing is very invasive, and can even trace
+calls to rcu_read_lock(), RCU access in function tracing is done
+with preempt_disable_notrace(). This requires a synchronize_sched()
+for updates and not a synchronize_rcu().
+
+Function probes (traceon, traceoff, etc) must be freed after
+a synchronize_sched() after its entry has been removed from the
+hash. But call_rcu() is used. Fix this by using call_rcu_sched().
+
+Also fix the usage to use hlist_del_rcu() instead of hlist_del().
+
+Signed-off-by: Steven Rostedt
+Cc: Paul McKenney
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/ftrace.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -2709,8 +2709,8 @@ __unregister_ftrace_function_probe(char
+ continue;
+ }
+
+- hlist_del(&entry->node);
+- call_rcu(&entry->rcu, ftrace_free_entry_rcu);
++ hlist_del_rcu(&entry->node);
++ call_rcu_sched(&entry->rcu, ftrace_free_entry_rcu);
+ }
+ }
+ __disable_ftrace_function_probe();
diff --git a/queue-3.0/tracing-fix-race-in-snapshot-swapping.patch b/queue-3.0/tracing-fix-race-in-snapshot-swapping.patch
new file mode 100644
index 00000000000..e76e1381fe4
--- /dev/null
+++ b/queue-3.0/tracing-fix-race-in-snapshot-swapping.patch
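Review bot: The switch to `call_rcu_sched(&entry->rcu, ftrace_free_entry_rcu);` is correct only because of a constraint that lives in the commit message and nowhere in the code: readers of this hash run under `preempt_disable_notrace()` rather than `rcu_read_lock()`, so a plain `call_rcu()` grace period does not wait for them. That is exactly the kind of fact a later cleanup "normalizes" away, so it belongs at the call site; I would add above the `hlist_del_rcu` line: `/* Readers walk the hash under preempt_disable_notrace(), not rcu_read_lock(): only a sched-RCU grace period waits for them. */`. __unregister_ftrace_function_probe() starts and ends outside the hunk.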
@@ -0,0 +1,51 @@
+From 2721e72dd10f71a3ba90f59781becf02638aa0d9 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)"
+Date: Tue, 12 Mar 2013 11:32:32 -0400
+Subject: tracing: Fix race in snapshot swapping
+
+From: "Steven Rostedt (Red Hat)"
+
+commit 2721e72dd10f71a3ba90f59781becf02638aa0d9 upstream.
+
+Although the swap is wrapped with a spin_lock, the assignment
+of the temp buffer used to swap is not within that lock.
+It needs to be moved into that lock, otherwise two swaps
+happening on two different CPUs, can end up using the wrong
+temp buffer to assign in the swap.
+
+Luckily, all current callers of the swap function appear to have
+their own locks. But in case something is added that allows two
+different callers to call the swap, then there's a chance that
+this race can trigger and corrupt the buffers.
+
+New code is coming soon that will allow for this race to trigger.
+
+I've Cc'd stable, so this bug will not show up if someone backports
+one of the changes that can trigger this bug.
+
+Signed-off-by: Steven Rostedt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/trace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -649,7 +649,7 @@ __update_max_tr(struct trace_array *tr,
+ void
+ update_max_tr(struct trace_array *tr, struct task_struct *tsk, int cpu)
+ {
+- struct ring_buffer *buf = tr->buffer;
++ struct ring_buffer *buf;
+
+ if (trace_stop_count)
+ return;
+@@ -661,6 +661,7 @@ update_max_tr(struct trace_array *tr, st
+ }
+ arch_spin_lock(&ftrace_max_lock);
+
++ buf = tr->buffer;
+ tr->buffer = max_tr.buffer;
+ max_tr.buffer = buf;
+
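Review bot: `struct ring_buffer *buf;` is now left uninitialized at the top of update_max_tr() and only assigned after `arch_spin_lock(&ftrace_max_lock);`, but nothing in the code records that reading `tr->buffer` outside the lock was the race; a reader of the result sees an assignment that looks merely misplaced and may hoist it back. I would annotate the added line: `buf = tr->buffer; /* read under ftrace_max_lock: a concurrent swap would otherwise use a stale buffer */`. The first inner hunk ends at the early `return` and the second ends right after the swap, so the remainder of update_max_tr() is outside this hunk.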