3.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 3 Jun 2014 00:17:00 +0000 (17:17 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 3 Jun 2014 00:17:00 +0000 (17:17 -0700)
added patches:
mm-make-fixup_user_fault-check-the-vma-access-rights-too.patch
pata_at91-fix-ata_host_activate-failure-handling.patch

queue-3.4/mm-make-fixup_user_fault-check-the-vma-access-rights-too.patch [new file with mode: 0644]
queue-3.4/pata_at91-fix-ata_host_activate-failure-handling.patch [new file with mode: 0644]
queue-3.4/series

diff --git a/queue-3.4/mm-make-fixup_user_fault-check-the-vma-access-rights-too.patch b/queue-3.4/mm-make-fixup_user_fault-check-the-vma-access-rights-too.patch
new file mode 100644 (file)
index 0000000..cb47e75
--- /dev/null
@@ -0,0 +1,55 @@
+From 1b17844b29ae042576bea588164f2f1e9590a8bc Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Tue, 22 Apr 2014 13:49:40 -0700
+Subject: mm: make fixup_user_fault() check the vma access rights too
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 1b17844b29ae042576bea588164f2f1e9590a8bc upstream.
+
+fixup_user_fault() is used by the futex code when the direct user access
+fails, and the futex code wants it to either map in the page in a usable
+form or return an error.  It relied on handle_mm_fault() to map the
+page, and correctly checked the error return from that, but while that
+does map the page, it doesn't actually guarantee that the page will be
+mapped with sufficient permissions to be then accessed.
+
+So do the appropriate tests of the vma access rights by hand.
+
+[ Side note: arguably handle_mm_fault() could just do that itself, but
+  we have traditionally done it in the caller, because some callers -
+  notably get_user_pages() - have been able to access pages even when
+  they are mapped with PROT_NONE.  Maybe we should re-visit that design
+  decision, but in the meantime this is the minimal patch. ]
+
+Found by Dave Jones running his trinity tool.
+
+Reported-by: Dave Jones <davej@redhat.com>
+Acked-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memory.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -1872,12 +1872,17 @@ int fixup_user_fault(struct task_struct
+                    unsigned long address, unsigned int fault_flags)
+ {
+       struct vm_area_struct *vma;
++      vm_flags_t vm_flags;
+       int ret;
+       vma = find_extend_vma(mm, address);
+       if (!vma || address < vma->vm_start)
+               return -EFAULT;
++      vm_flags = (fault_flags & FAULT_FLAG_WRITE) ? VM_WRITE : VM_READ;
++      if (!(vm_flags & vma->vm_flags))
++              return -EFAULT;
++
+       ret = handle_mm_fault(mm, vma, address, fault_flags);
+       if (ret & VM_FAULT_ERROR) {
+               if (ret & VM_FAULT_OOM)
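Review bot: The new access-rights test in fixup_user_fault() (`vm_flags = (fault_flags & FAULT_FLAG_WRITE) ? VM_WRITE : VM_READ;` followed by `if (!(vm_flags & vma->vm_flags)) return -EFAULT;`) has no comment in the code, so the reason it sits ahead of an already error-checked handle_mm_fault() call lives only in the changelog. I would add one line above it, for example `/* handle_mm_fault() maps the page but does not check the vma access rights, so test them here */`. It is also worth stating in that comment that any fault without FAULT_FLAG_WRITE is treated as a read, since only VM_READ or VM_WRITE is ever tested. The function's signature starts before the hunk and the VM_FAULT_ERROR handling continues past its last line, so the remaining return paths are not visible here.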
diff --git a/queue-3.4/pata_at91-fix-ata_host_activate-failure-handling.patch b/queue-3.4/pata_at91-fix-ata_host_activate-failure-handling.patch
new file mode 100644 (file)
index 0000000..5d16ed8
--- /dev/null
@@ -0,0 +1,51 @@
+From 27aa64b9d1bd0d23fd692c91763a48309b694311 Mon Sep 17 00:00:00 2001
+From: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Date: Mon, 31 Mar 2014 19:51:14 +0200
+Subject: pata_at91: fix ata_host_activate() failure handling
+
+From: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+
+commit 27aa64b9d1bd0d23fd692c91763a48309b694311 upstream.
+
+Add missing clk_put() call to ata_host_activate() failure path.
+
+Sergei says,
+
+  "Hm, I have once fixed that (see that *if* (!ret)) but looks like a
+   later commit 477c87e90853d136b188c50c0e4a93d01cad872e (ARM:
+   at91/pata: use gpio_is_valid to check the gpio) broke it again. :-(
+   Would be good if the changelog did mention that..."
+
+Cc: Andrew Victor <linux@maxim.org.za>
+Cc: Nicolas Ferre <nicolas.ferre@atmel.com>
+Cc: Jean-Christophe Plagniol-Villard <plagnioj@jcrosoft.com>
+Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/pata_at91.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/ata/pata_at91.c
++++ b/drivers/ata/pata_at91.c
+@@ -408,12 +408,13 @@ static int __devinit pata_at91_probe(str
+       host->private_data = info;
+-      return ata_host_activate(host, gpio_is_valid(irq) ? gpio_to_irq(irq) : 0,
+-                      gpio_is_valid(irq) ? ata_sff_interrupt : NULL,
+-                      irq_flags, &pata_at91_sht);
++      ret = ata_host_activate(host, gpio_is_valid(irq) ? gpio_to_irq(irq) : 0,
++                              gpio_is_valid(irq) ? ata_sff_interrupt : NULL,
++                              irq_flags, &pata_at91_sht);
++      if (ret)
++              goto err_put;
+-      if (!ret)
+-              return 0;
++      return 0;
+ err_put:
+       clk_put(info->mck);
index 8a9d0f257051fb70049a40da95b35c08fae1c7e7..4e9171191caaaec173442bf992ac5d2f000689e8 100644 (file)
@@ -34,3 +34,5 @@ net-gro-reset-skb-truesize-in-napi_reuse_skb.patch
 futex-add-another-early-deadlock-detection-check.patch
 futex-prevent-attaching-to-kernel-threads.patch
 ftrace-module-hardcode-ftrace_module_init-call-into-load_module.patch
+pata_at91-fix-ata_host_activate-failure-handling.patch
+mm-make-fixup_user_fault-check-the-vma-access-rights-too.patch