From f849d109144e86ab87b27f12f8794029f3086534 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 6 Dec 2013 10:46:47 -0800
Subject: [PATCH] 3.4-stable patches
added patches:
elevator-acquire-q-sysfs_lock-in-elevator_change.patch
iommu-vt-d-fixed-interaction-of-vfio_iommu_map_dma-with-iommu-address-limits.patch
video-kyro-fix-incorrect-sizes-when-copying-to-userspace.patch
---
 ...uire-q-sysfs_lock-in-elevator_change.patch | 63 +++++++++++++++++++
 ...mu_map_dma-with-iommu-address-limits.patch | 45 +++++++++++++
 queue-3.4/series | 3 +
 ...rect-sizes-when-copying-to-userspace.patch | 43 +++++++++++++
 4 files changed, 154 insertions(+)
 create mode 100644 queue-3.4/elevator-acquire-q-sysfs_lock-in-elevator_change.patch
 create mode 100644 queue-3.4/iommu-vt-d-fixed-interaction-of-vfio_iommu_map_dma-with-iommu-address-limits.patch
 create mode 100644 queue-3.4/video-kyro-fix-incorrect-sizes-when-copying-to-userspace.patch
diff --git a/queue-3.4/elevator-acquire-q-sysfs_lock-in-elevator_change.patch b/queue-3.4/elevator-acquire-q-sysfs_lock-in-elevator_change.patch
new file mode 100644
index 00000000000..69047709054
--- /dev/null
+++ b/queue-3.4/elevator-acquire-q-sysfs_lock-in-elevator_change.patch
@@ -0,0 +1,63 @@
+From 7c8a3679e3d8e9d92d58f282161760a0e247df97 Mon Sep 17 00:00:00 2001
+From: Tomoki Sekiyama
+Date: Tue, 15 Oct 2013 16:42:19 -0600
+Subject: elevator: acquire q->sysfs_lock in elevator_change()
+
+From: Tomoki Sekiyama
+
+commit 7c8a3679e3d8e9d92d58f282161760a0e247df97 upstream.
+
+Add locking of q->sysfs_lock into elevator_change() (an exported function)
+to ensure it is held to protect q->elevator from elevator_init(), even if
+elevator_change() is called from non-sysfs paths.
+sysfs path (elv_iosched_store) uses __elevator_change(), non-locking
+version, as the lock is already taken by elv_iosched_store().
+
+Signed-off-by: Tomoki Sekiyama
+Signed-off-by: Jens Axboe
+Cc: Josh Boyer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/elevator.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/block/elevator.c
++++ b/block/elevator.c
+@@ -961,7 +961,7 @@ fail_register:
+ /*
+ * Switch this queue to the given IO scheduler.
+ */
+-int elevator_change(struct request_queue *q, const char *name)
++static int __elevator_change(struct request_queue *q, const char *name)
+ {
+ char elevator_name[ELV_NAME_MAX];
+ struct elevator_type *e;
+@@ -983,6 +983,18 @@ int elevator_change(struct request_queue
+
+ return elevator_switch(q, e);
+ }
++
++int elevator_change(struct request_queue *q, const char *name)
++{
++ int ret;
++
++ /* Protect q->elevator from elevator_init() */
++ mutex_lock(&q->sysfs_lock);
++ ret = __elevator_change(q, name);
++ mutex_unlock(&q->sysfs_lock);
++
++ return ret;
++}
+ EXPORT_SYMBOL(elevator_change);
+
+ ssize_t elv_iosched_store(struct request_queue *q, const char *name,
+@@ -993,7 +1005,7 @@ ssize_t elv_iosched_store(struct request
+ if (!q->elevator)
+ return count;
+
+- ret = elevator_change(q, name);
++ ret = __elevator_change(q, name);
+ if (!ret)
+ return count;
+
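Review bot: The locking contract created by this split is not written down at either function: the block comment `Switch this queue to the given IO scheduler.` now sits on the static `__elevator_change()`, and the exported `elevator_change()` carries only the inline `/* Protect q->elevator from elevator_init() */`. Because `q->sysfs_lock` is taken with `mutex_lock()`, a caller of `elevator_change()` that already holds it would deadlock against itself, so I would add `/* Takes q->sysfs_lock; must not be called with it held. */` above `elevator_change()` and `/* Caller must hold q->sysfs_lock. */` above `__elevator_change()`. A `lockdep_assert_held(&q->sysfs_lock);` at the top of `__elevator_change()` would enforce the second half, but part of that body lies outside the visible hunks and, this being a stable backport, any such addition belongs upstream first.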
diff --git a/queue-3.4/iommu-vt-d-fixed-interaction-of-vfio_iommu_map_dma-with-iommu-address-limits.patch b/queue-3.4/iommu-vt-d-fixed-interaction-of-vfio_iommu_map_dma-with-iommu-address-limits.patch
new file mode 100644
index 00000000000..6dcc642680a
--- /dev/null
+++ b/queue-3.4/iommu-vt-d-fixed-interaction-of-vfio_iommu_map_dma-with-iommu-address-limits.patch
@@ -0,0 +1,45 @@
+From f9423606ade08653dd8a43334f0a7fb45504c5cc Mon Sep 17 00:00:00 2001
+From: Julian Stecklina
+Date: Wed, 9 Oct 2013 10:03:52 +0200
+Subject: iommu/vt-d: Fixed interaction of VFIO_IOMMU_MAP_DMA with IOMMU address limits
+
+From: Julian Stecklina
+
+commit f9423606ade08653dd8a43334f0a7fb45504c5cc upstream.
+
+The BUG_ON in drivers/iommu/intel-iommu.c:785 can be triggered from userspace via
+VFIO by calling the VFIO_IOMMU_MAP_DMA ioctl on a vfio device with any address
+beyond the addressing capabilities of the IOMMU. The problem is that the ioctl code
+calls iommu_iova_to_phys before it calls iommu_map. iommu_map handles the case that
+it gets addresses beyond the addressing capabilities of its IOMMU.
+intel_iommu_iova_to_phys does not.
+
+This patch fixes iommu_iova_to_phys to return NULL for addresses beyond what the
+IOMMU can handle. This in turn causes the ioctl call to fail in iommu_map and
+(correctly) return EFAULT to the user with a helpful warning message in the kernel
+log.
+
+Signed-off-by: Julian Stecklina
+Acked-by: Alex Williamson
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iommu/intel-iommu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -778,7 +778,11 @@ static struct dma_pte *pfn_to_dma_pte(st
+ int offset;
+
+ BUG_ON(!domain->pgd);
+- BUG_ON(addr_width < BITS_PER_LONG && pfn >> addr_width);
++
++ if (addr_width < BITS_PER_LONG && pfn >> addr_width)
++ /* Address beyond IOMMU's addressing capabilities. */
++ return NULL;
++
+ parent = domain->pgd;
+
+ while (level > 0) {
diff --git a/queue-3.4/series b/queue-3.4/series
index 582173786c4..de8a20a81f3 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
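Review bot: In the intel-iommu.c change, `pfn_to_dma_pte()` gains a NULL return for a pfn above `addr_width`, in addition to any failure returns in the part of the function outside the hunk, and nothing at the function documents it. Per the description this case is reachable from userspace through VFIO_IOMMU_MAP_DMA, so every caller must treat NULL as an ordinary outcome; the callers are not visible here and each should be confirmed to check the result before dereferencing it. I would also brace the new branch, since its body is a comment plus a statement (`if (addr_width < BITS_PER_LONG && pfn >> addr_width) {` … `return NULL;` `}`), or move the comment above the `if`. The neighbouring `BUG_ON(!domain->pgd)` is kept, and whether an ioctl path can influence that condition cannot be judged from the lines shown.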
@@ -25,3 +25,6 @@ pktgen-xfrm-update-ipv4-header-total-len-and-checksum-after-tranformation.patch
 hid-picolcd_core-validate-output-report-details.patch
 mmc-block-fix-a-bug-of-error-handling-in-mmc-driver.patch
 nfsd-use-init_net-for-portmapper.patch
+video-kyro-fix-incorrect-sizes-when-copying-to-userspace.patch
+iommu-vt-d-fixed-interaction-of-vfio_iommu_map_dma-with-iommu-address-limits.patch
+elevator-acquire-q-sysfs_lock-in-elevator_change.patch
diff --git a/queue-3.4/video-kyro-fix-incorrect-sizes-when-copying-to-userspace.patch b/queue-3.4/video-kyro-fix-incorrect-sizes-when-copying-to-userspace.patch
new file mode 100644
index 00000000000..570a0b572e8
--- /dev/null
+++ b/queue-3.4/video-kyro-fix-incorrect-sizes-when-copying-to-userspace.patch
@@ -0,0 +1,43 @@
+From 2ab68ec927310dc488f3403bb48f9e4ad00a9491 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Nov 2013 14:25:36 -0500
+Subject: video: kyro: fix incorrect sizes when copying to userspace
+
+From: Sasha Levin
+
+commit 2ab68ec927310dc488f3403bb48f9e4ad00a9491 upstream.
+
+kyro would copy u32s and specify sizeof(unsigned long) as the size to copy.
+
+This would copy more data than intended and cause memory corruption and might
+leak kernel memory.
+
+Signed-off-by: Sasha Levin
+Signed-off-by: Tomi Valkeinen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/kyro/fbdev.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/video/kyro/fbdev.c
++++ b/drivers/video/kyro/fbdev.c
+@@ -625,15 +625,15 @@ static int kyrofb_ioctl(struct fb_info *
+ }
+ break;
+ case KYRO_IOCTL_UVSTRIDE:
+- if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(unsigned long)))
++ if (copy_to_user(argp, &deviceInfo.ulOverlayUVStride, sizeof(deviceInfo.ulOverlayUVStride)))
+ return -EFAULT;
+ break;
+ case KYRO_IOCTL_STRIDE:
+- if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(unsigned long)))
++ if (copy_to_user(argp, &deviceInfo.ulOverlayStride, sizeof(deviceInfo.ulOverlayStride)))
+ return -EFAULT;
+ break;
+ case KYRO_IOCTL_OVERLAY_OFFSET:
+- if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(unsigned long)))
++ if (copy_to_user(argp, &deviceInfo.ulOverlayOffset, sizeof(deviceInfo.ulOverlayOffset)))
+ return -EFAULT;
+ break;
+ }
-- 2.47.3
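Review bot: With the length now `sizeof(deviceInfo.ulOverlayUVStride)` (a u32 according to the description), a 64-bit userspace caller that passes a pointer to `unsigned long` has only four bytes written and the rest of its buffer left untouched, and the `case` labels in `kyrofb_ioctl()` give no hint of the width. The ioctl number definitions are not in the hunk, so whether they encode a size is not visible here. A comment at the first case, e.g. `/* copies a u32; userspace must pass a 32-bit buffer */`, would record the ABI, and the same applies to KYRO_IOCTL_STRIDE and KYRO_IOCTL_OVERLAY_OFFSET. The function body starts and ends outside the hunk.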