From 7219111a91ff947be5fa4323c6ef7513e789fd7d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 5 Oct 2013 17:05:04 -0700
Subject: [PATCH] 3.4-stable patches

added patches:
	cciss-fix-info-leak-in-cciss_ioctl32_passthru.patch
	cpqarray-fix-info-leak-in-ida_locked_ioctl.patch
	gianfar-change-default-hw-tx-queue-scheduling-mode.patch
---
 ...-info-leak-in-cciss_ioctl32_passthru.patch | 35 +++++++
 ...ay-fix-info-leak-in-ida_locked_ioctl.patch | 34 +++++++
 ...-default-hw-tx-queue-scheduling-mode.patch | 95 +++++++++++++++++++
 queue-3.4/series                              |  3 +
 4 files changed, 167 insertions(+)
 create mode 100644 queue-3.4/cciss-fix-info-leak-in-cciss_ioctl32_passthru.patch
 create mode 100644 queue-3.4/cpqarray-fix-info-leak-in-ida_locked_ioctl.patch
 create mode 100644 queue-3.4/gianfar-change-default-hw-tx-queue-scheduling-mode.patch
 create mode 100644 queue-3.4/series

diff --git a/queue-3.4/cciss-fix-info-leak-in-cciss_ioctl32_passthru.patch b/queue-3.4/cciss-fix-info-leak-in-cciss_ioctl32_passthru.patch
new file mode 100644
index 00000000000..1e8fbf8137f
--- /dev/null
+++ b/queue-3.4/cciss-fix-info-leak-in-cciss_ioctl32_passthru.patch
@@ -0,0 +1,35 @@
+From 58f09e00ae095e46ef9edfcf3a5fd9ccdfad065e Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 24 Sep 2013 15:27:45 -0700
+Subject: cciss: fix info leak in cciss_ioctl32_passthru()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 58f09e00ae095e46ef9edfcf3a5fd9ccdfad065e upstream.
+
+The arg64 struct has a hole after ->buf_size which isn't cleared.  Or if
+any of the calls to copy_from_user() fail then that would cause an
+information leak as well.
+
+This was assigned CVE-2013-2147.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Mike Miller <mike.miller@hp.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/cciss.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/block/cciss.c
++++ b/drivers/block/cciss.c
+@@ -1186,6 +1186,7 @@ static int cciss_ioctl32_passthru(struct
+ 	int err;
+ 	u32 cp;
+ 
++	memset(&arg64, 0, sizeof(arg64));
+ 	err = 0;
+ 	err |=
+ 	    copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
diff --git a/queue-3.4/cpqarray-fix-info-leak-in-ida_locked_ioctl.patch b/queue-3.4/cpqarray-fix-info-leak-in-ida_locked_ioctl.patch
new file mode 100644
index 00000000000..132677f5c51
--- /dev/null
+++ b/queue-3.4/cpqarray-fix-info-leak-in-ida_locked_ioctl.patch
@@ -0,0 +1,34 @@
+From 627aad1c01da6f881e7f98d71fd928ca0c316b1a Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 24 Sep 2013 15:27:44 -0700
+Subject: cpqarray: fix info leak in ida_locked_ioctl()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 627aad1c01da6f881e7f98d71fd928ca0c316b1a upstream.
+
+The pciinfo struct has a two byte hole after ->dev_fn so stack
+information could be leaked to the user.
+
+This was assigned CVE-2013-2147.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Mike Miller <mike.miller@hp.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/cpqarray.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/block/cpqarray.c
++++ b/drivers/block/cpqarray.c
+@@ -1195,6 +1195,7 @@ out_passthru:
+ 		ida_pci_info_struct pciinfo;
+ 
+ 		if (!arg) return -EINVAL;
++		memset(&pciinfo, 0, sizeof(pciinfo));
+ 		pciinfo.bus = host->pci_dev->bus->number;
+ 		pciinfo.dev_fn = host->pci_dev->devfn;
+ 		pciinfo.board_id = host->board_id;
diff --git a/queue-3.4/gianfar-change-default-hw-tx-queue-scheduling-mode.patch b/queue-3.4/gianfar-change-default-hw-tx-queue-scheduling-mode.patch
new file mode 100644
index 00000000000..73d5363e56e
--- /dev/null
+++ b/queue-3.4/gianfar-change-default-hw-tx-queue-scheduling-mode.patch
@@ -0,0 +1,95 @@
+From b98b8babd6e3370fadb7c6eaacb00eb2f6344a6c Mon Sep 17 00:00:00 2001
+From: Claudiu Manoil <claudiu.manoil@freescale.com>
+Date: Sun, 23 Sep 2012 22:39:08 +0000
+Subject: gianfar: Change default HW Tx queue scheduling mode
+
+From: Claudiu Manoil <claudiu.manoil@freescale.com>
+
+commit b98b8babd6e3370fadb7c6eaacb00eb2f6344a6c upstream.
+
+This is primarily to address transmission timeout occurrences, when
+multiple H/W Tx queues are being used concurrently. Because in
+the priority scheduling mode the controller does not service the
+Tx queues equally (but in ascending index order), Tx timeouts are
+being triggered rightaway for a basic test with multiple simultaneous
+connections like:
+iperf -c <server_ip> -n 100M -P 8
+
+resulting in kernel trace:
+NETDEV WATCHDOG: eth1 (fsl-gianfar): transmit queue <X> timed out
+------------[ cut here ]------------
+WARNING: at net/sched/sch_generic.c:255
+...
+and controller reset during intense traffic, and possibly further
+complications.
+
+This patch changes the default H/W Tx scheduling setting (TXSCHED)
+for multi-queue devices, from priority scheduling mode to a weighted
+round robin mode with equal weights for all H/W Tx queues, and
+addresses the issue above.
+
+Signed-off-by: Claudiu Manoil <claudiu.manoil@freescale.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/freescale/gianfar.c |   11 ++++++++++-
+ drivers/net/ethernet/freescale/gianfar.h |   11 ++++++++++-
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/gianfar.c
++++ b/drivers/net/ethernet/freescale/gianfar.c
+@@ -394,7 +394,13 @@ static void gfar_init_mac(struct net_dev
+ 	if (ndev->features & NETIF_F_IP_CSUM)
+ 		tctrl |= TCTRL_INIT_CSUM;
+ 
+-	tctrl |= TCTRL_TXSCHED_PRIO;
++	if (priv->prio_sched_en)
++		tctrl |= TCTRL_TXSCHED_PRIO;
++	else {
++		tctrl |= TCTRL_TXSCHED_WRRS;
++		gfar_write(&regs->tr03wt, DEFAULT_WRRS_WEIGHT);
++		gfar_write(&regs->tr47wt, DEFAULT_WRRS_WEIGHT);
++	}
+ 
+ 	gfar_write(&regs->tctrl, tctrl);
+ 
+@@ -1153,6 +1159,9 @@ static int gfar_probe(struct platform_de
+ 	priv->rx_filer_enable = 1;
+ 	/* Enable most messages by default */
+ 	priv->msg_enable = (NETIF_MSG_IFUP << 1 ) - 1;
++	/* use pritority h/w tx queue scheduling for single queue devices */
++	if (priv->num_tx_queues == 1)
++		priv->prio_sched_en = 1;
+ 
+ 	/* Carrier starts down, phylib will bring it up */
+ 	netif_carrier_off(dev);
+--- a/drivers/net/ethernet/freescale/gianfar.h
++++ b/drivers/net/ethernet/freescale/gianfar.h
+@@ -301,8 +301,16 @@ extern const char gfar_driver_version[];
+ #define TCTRL_TFCPAUSE		0x00000008
+ #define TCTRL_TXSCHED_MASK	0x00000006
+ #define TCTRL_TXSCHED_INIT	0x00000000
++/* priority scheduling */
+ #define TCTRL_TXSCHED_PRIO	0x00000002
++/* weighted round-robin scheduling (WRRS) */
+ #define TCTRL_TXSCHED_WRRS	0x00000004
++/* default WRRS weight and policy setting,
++ * tailored to the tr03wt and tr47wt registers:
++ * equal weight for all Tx Qs, measured in 64byte units
++ */
++#define DEFAULT_WRRS_WEIGHT	0x18181818
++
+ #define TCTRL_INIT_CSUM		(TCTRL_TUCSEN | TCTRL_IPCSEN)
+ 
+ #define IEVENT_INIT_CLEAR	0xffffffff
+@@ -1098,7 +1106,8 @@ struct gfar_private {
+ 		extended_hash:1,
+ 		bd_stash_en:1,
+ 		rx_filer_enable:1,
+-		wol_en:1; /* Wake-on-LAN enabled */
++		wol_en:1, /* Wake-on-LAN enabled */
++		prio_sched_en:1; /* Enable priorty based Tx scheduling in Hw */
+ 	unsigned short padding;
+ 
+ 	/* PHY stuff */
diff --git a/queue-3.4/series b/queue-3.4/series
new file mode 100644
index 00000000000..0e3a303de5b
--- /dev/null
+++ b/queue-3.4/series
@@ -0,0 +1,3 @@
+cpqarray-fix-info-leak-in-ida_locked_ioctl.patch
+cciss-fix-info-leak-in-cciss_ioctl32_passthru.patch
+gianfar-change-default-hw-tx-queue-scheduling-mode.patch
-- 
2.47.3