1. 15 Dec, 2013 1 commit
  2. 14 Dec, 2013 3 commits
  3. 13 Dec, 2013 25 commits
  4. 12 Dec, 2013 11 commits
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 54fb723c
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "Four security fixes for KVM on x86.  Thanks to Andrew Honig and Lars
        Bull from Google for reporting them"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376)
        KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368)
        KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
        KVM: Improve create VCPU parameter (CVE-2013-4587)
    • Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · ea1e61cb
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "Another week, another batch of fixes.
      
        Again, OMAP regressions due to move to DT is the bulk of the changes
        here, but this should be the last of it for 3.13.  There are also a
        handful of OMAP hwmod changes (power management, reset handling) for
        USB on OMAP3 that fixes some longish-standing bugs around USB resets.
      
        There are a couple of other changes that also add up line count a bit:
        One is a long-standing bug with the keyboard layout on one of the PXA
        platforms.  The other is a fix for highbank that moves their
        power-off/reset button handling to be done in-kernel since relying on
        userspace to handle it was fragile and awkward"
      
      * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        ARM: sun6i: dt: Fix interrupt trigger types
        ARM: sun7i: dt: Fix interrupt trigger types
        MAINTAINERS: merge IMX6 entry into IMX
        ARM: tegra: add missing break to fuse initialization code
        ARM: pxa: prevent PXA270 occasional reboot freezes
        ARM: pxa: tosa: fix keys mapping
        ARM: OMAP2+: omap_device: add fail hook for runtime_pm when bad data is detected
        ARM: OMAP2+: hwmod: Fix usage of invalid iclk / oclk when clock node is not present
        ARM: OMAP3: hwmod data: Don't prevent RESET of USB Host module
        ARM: OMAP2+: hwmod: Fix SOFTRESET logic
        ARM: OMAP4+: hwmod data: Don't prevent RESET of USB Host module
        ARM: dts: Fix booting for secure omaps
        ARM: OMAP2+: Fix the machine entry for am3517
        ARM: dts: Fix missing entries for am3517
        ARM: OMAP2+: Fix overwriting hwmod data with data from device tree
        ARM: davinci: Fix McASP mem resource names
        ARM: highbank: handle soft poweroff and reset key events
        ARM: davinci: fix number of resources passed to davinci_gpio_register()
        gpio: davinci: fix check for unbanked gpio
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · e09f67f1
      Linus Torvalds authored
      Pull btrfs fixes from Chris Mason:
       "This is a small collection of fixes.  It was rebased this morning, but
        I was just fixing signed-off-by tags with the wrong email"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        Btrfs: fix access_ok() check in btrfs_ioctl_send()
        Btrfs: make sure we cleanup all reloc roots if error happens
        Btrfs: skip building backref tree for uuid and quota tree when doing balance relocation
        Btrfs: fix an oops when doing balance relocation
        Btrfs: don't miss skinny extent items on delayed ref head contention
        btrfs: call mnt_drop_write after interrupted subvol deletion
        Btrfs: don't clear the default compression type
    • Merge branch 'for-3.13' of git://linux-nfs.org/~bfields/linux · c9111b4d
      Linus Torvalds authored
      Pull nfsd reply cache bugfix from Bruce Fields:
       "One bugfix for nfsd crashes"
      
      * 'for-3.13' of git://linux-nfs.org/~bfields/linux:
        nfsd: when reusing an existing repcache entry, unhash it first
    • mtd: nand: pxa3xx: Use info->use_dma to release DMA resources · 15b540c7
      Ezequiel Garcia authored
      In commit:
      
        commit 62e8b851
        Author: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
        Date:   Fri Oct 4 15:30:38 2013 -0300
      
        mtd: nand: pxa3xx: Allocate data buffer on detected flash size
      
      the way the buffer is allocated was changed: the first READ_ID is issued
      with a small kmalloc'ed buffer. Only once the flash page size is detected
      the DMA buffers are allocated, and info->use_dma is set.
      
      Currently, if the device detection fails, the driver checks the 'use_dma'
      module parameter and tries to release unallocated DMA resources.
      
      Fix this by checking the proper indicator of the DMA allocation, which
      is 'info->use_dma'.
      Signed-off-by: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
      Signed-off-by: Brian Norris <computersforpeace@gmail.com>
    • Partially revert "mtd: nand: pxa3xx: Introduce 'marvell,armada370-nand' compatible string" · 9c59ac61
      Ezequiel Garcia authored
      This partially reverts c0f3b864.
      
      The "armada370-nand" compatible support is not complete, and it was a mistake
      to add it. Revert it and postpone the support until the infrastructure is
      in place.
      
      Cc: <stable@vger.kernel.org> # 3.12
      Signed-off-by: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
      Acked-by: Jason Cooper <jason@lakedaemon.net>
      Signed-off-by: Brian Norris <computersforpeace@gmail.com>
    • i2c: imx: Check the return value from clk_prepare_enable() · e5bf216a
      Fabio Estevam authored
      clk_prepare_enable() may fail, so let's check its return value and propagate it
      in the case of error.
      Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
      Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
    • KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376) · 17d68b76
      Gleb Natapov authored
      A guest can cause a BUG_ON() leading to a host kernel crash.
      When the guest writes to the ICR to request an IPI, while in x2apic
      mode the following things happen, the destination is read from
      ICR2, which is a register that the guest can control.
      
      kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the
      cluster id.  A BUG_ON is triggered, which is a protection against
      accessing map->logical_map with an out-of-bounds access and manages
      to avoid that anything really unsafe occurs.
      
      The logic in the code is correct from real HW point of view. The problem
      is that KVM supports only one cluster with ID 0 in clustered mode, but
      the code that has the bug does not take this into account.
      Reported-by: Lars Bull <larsbull@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Gleb Natapov <gleb@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) · fda4e2e8
      Andy Honig authored
      In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the
      potential to corrupt kernel memory if userspace provides an address that
      is at the end of a page.  This patch converts those functions to use
      kvm_write_guest_cached and kvm_read_guest_cached.  It also checks the
      vapic_address specified by userspace during ioctl processing and returns
      an error to userspace if the address is not a valid GPA.
      
      This is generally not guest triggerable, because the required write is
      done by firmware that runs before the guest.  Also, it only affects AMD
      processors and oldish Intel that do not have the FlexPriority feature
      (unless you disable FlexPriority, of course; then newer processors are
      also affected).
      
      Fixes: b93463aa ('KVM: Accelerated apic support')
      Reported-by: Andrew Honig <ahonig@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Andrew Honig <ahonig@google.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) · b963a22e
      Andy Honig authored
      Under guest controllable circumstances apic_get_tmcct will execute a
      divide by zero and cause a crash.  If the guest cpuid supports
      tsc deadline timers and performs the following sequence of requests
      the host will crash.
      - Set the mode to periodic
      - Set the TMICT to 0
      - Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline)
      - Set the TMICT to non-zero.
      Then the lapic_timer.period will be 0, but the TMICT will not be.  If the
      guest then reads from the TMCCT then the host will perform a divide by 0.
      
      This patch ensures that if the lapic_timer.period is 0, then the division
      does not occur.
      Reported-by: Andrew Honig <ahonig@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Andrew Honig <ahonig@google.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • KVM: Improve create VCPU parameter (CVE-2013-4587) · 338c7dba
      Andy Honig authored
      In multiple functions the vcpu_id is used as an offset into a bitfield.  A
      malicious user could specify a vcpu_id greater than 255 in order to set or
      clear bits in kernel memory.  This could be used to elevate privileges in the
      kernel.  This patch verifies that the vcpu_id provided is less than 255.
      The api documentation already specifies that the vcpu_id must be less than
      max_vcpus, but this is currently not checked.
      Reported-by: Andrew Honig <ahonig@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Andrew Honig <ahonig@google.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>