From: Greg Kroah-Hartman Date: Tue, 3 Jun 2014 00:17:00 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.14.6~88 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2e62b6e31c84ccfd766ff6e5eba60786efc62213;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: mm-make-fixup_user_fault-check-the-vma-access-rights-too.patch pata_at91-fix-ata_host_activate-failure-handling.patch --- diff --git a/queue-3.4/mm-make-fixup_user_fault-check-the-vma-access-rights-too.patch b/queue-3.4/mm-make-fixup_user_fault-check-the-vma-access-rights-too.patch new file mode 100644 index 00000000000..cb47e755e5a --- /dev/null +++ b/queue-3.4/mm-make-fixup_user_fault-check-the-vma-access-rights-too.patch 
@@ -0,0 +1,55 @@ +From 1b17844b29ae042576bea588164f2f1e9590a8bc Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Tue, 22 Apr 2014 13:49:40 -0700 +Subject: mm: make fixup_user_fault() check the vma access rights too + +From: Linus Torvalds + +commit 1b17844b29ae042576bea588164f2f1e9590a8bc upstream. + +fixup_user_fault() is used by the futex code when the direct user access +fails, and the futex code wants it to either map in the page in a usable +form or return an error. It relied on handle_mm_fault() to map the +page, and correctly checked the error return from that, but while that +does map the page, it doesn't actually guarantee that the page will be +mapped with sufficient permissions to be then accessed. + +So do the appropriate tests of the vma access rights by hand. + +[ Side note: arguably handle_mm_fault() could just do that itself, but + we have traditionally done it in the caller, because some callers - + notably get_user_pages() - have been able to access pages even when + they are mapped with PROT_NONE. Maybe we should re-visit that design + decision, but in the meantime this is the minimal patch. ] + +Found by Dave Jones running his trinity tool. + +Reported-by: Dave Jones +Acked-by: Hugh Dickins +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memory.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1872,12 +1872,17 @@ int fixup_user_fault(struct task_struct + unsigned long address, unsigned int fault_flags) + { + struct vm_area_struct *vma; ++ vm_flags_t vm_flags; + int ret; + + vma = find_extend_vma(mm, address); + if (!vma || address < vma->vm_start) + return -EFAULT; + ++ vm_flags = (fault_flags & FAULT_FLAG_WRITE) ? VM_WRITE : VM_READ; ++ if (!(vm_flags & vma->vm_flags)) ++ return -EFAULT; ++ + ret = handle_mm_fault(mm, vma, address, fault_flags); + if (ret & VM_FAULT_ERROR) { + if (ret & VM_FAULT_OOM) 
diff --git a/queue-3.4/pata_at91-fix-ata_host_activate-failure-handling.patch b/queue-3.4/pata_at91-fix-ata_host_activate-failure-handling.patch new file mode 100644 index 00000000000..5d16ed84973 --- /dev/null +++ b/queue-3.4/pata_at91-fix-ata_host_activate-failure-handling.patch @@ -0,0 +1,51 @@ +From 27aa64b9d1bd0d23fd692c91763a48309b694311 Mon Sep 17 00:00:00 2001 +From: Bartlomiej Zolnierkiewicz +Date: Mon, 31 Mar 2014 19:51:14 +0200 +Subject: pata_at91: fix ata_host_activate() failure handling + +From: Bartlomiej Zolnierkiewicz + +commit 27aa64b9d1bd0d23fd692c91763a48309b694311 upstream. + +Add missing clk_put() call to ata_host_activate() failure path. + +Sergei says, + + "Hm, I have once fixed that (see that *if* (!ret)) but looks like a + later commit 477c87e90853d136b188c50c0e4a93d01cad872e (ARM: + at91/pata: use gpio_is_valid to check the gpio) broke it again. :-( + Would be good if the changelog did mention that..." + +Cc: Andrew Victor +Cc: Nicolas Ferre +Cc: Jean-Christophe Plagniol-Villard +Cc: Sergei Shtylyov +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/pata_at91.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/ata/pata_at91.c ++++ b/drivers/ata/pata_at91.c +@@ -408,12 +408,13 @@ static int __devinit pata_at91_probe(str + + host->private_data = info; + +- return ata_host_activate(host, gpio_is_valid(irq) ? gpio_to_irq(irq) : 0, +- gpio_is_valid(irq) ? ata_sff_interrupt : NULL, +- irq_flags, &pata_at91_sht); ++ ret = ata_host_activate(host, gpio_is_valid(irq) ? gpio_to_irq(irq) : 0, ++ gpio_is_valid(irq) ? ata_sff_interrupt : NULL, ++ irq_flags, &pata_at91_sht); ++ if (ret) ++ goto err_put; + +- if (!ret) +- return 0; ++ return 0; + + err_put: + clk_put(info->mck); diff --git a/queue-3.4/series b/queue-3.4/series index 8a9d0f25705..4e9171191ca 100644 --- a/queue-3.4/series +++ b/queue-3.4/series 
@@ -34,3 +34,5 @@ net-gro-reset-skb-truesize-in-napi_reuse_skb.patch futex-add-another-early-deadlock-detection-check.patch futex-prevent-attaching-to-kernel-threads.patch ftrace-module-hardcode-ftrace_module_init-call-into-load_module.patch +pata_at91-fix-ata_host_activate-failure-handling.patch +mm-make-fixup_user_fault-check-the-vma-access-rights-too.patch
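Review bot: In the mm/memory.c hunk for fixup_user_fault(), the new local `vm_flags` is tested against `vma->vm_flags` in `if (!(vm_flags & vma->vm_flags))`, and the two near-identical names make the permission test easy to misread. A name that says what the local holds, the access right this fault requires, would be clearer. The check also carries no comment. The reason it lives in this caller rather than in handle_mm_fault() is recorded only in the changelog side note, so a short comment above the test would help. It should say that handle_mm_fault() maps the page without guaranteeing it is mapped with sufficient permissions, so that a later cleanup does not drop the test as redundant.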
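Review bot: In the pata_at91_probe() hunk, the changelog line "Add missing clk_put() call to ata_host_activate() failure path" does not match what the removed lines show. The old code returned the result of ata_host_activate() unconditionally, so the following `if (!ret)` test and the fall-through to `err_put:` with `clk_put(info->mck)` were dead code for this call, not missing. Suggest saying so in the changelog. It should also name commit 477c87e90853d136b188c50c0e4a93d01cad872e as the change that reintroduced the problem in the description itself, as the quoted remark from Sergei asks, instead of leaving that reference only inside the quote.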