On Fri, Nov 22, 2013 at 01:26:38PM +0800, Li Zefan wrote: > Hi Greg, > > Please queue this for 3.4 stable kernel. > > It fixes a CVE bug (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6763&cid=4), > and kernels >= 3.0 are affected. The fix has been backported to 3.8, > 3.10 and 3.11. > > I found you backported 4 patches in order to apply the fix to 3.10. As > they're not necessary but to resolve conflicts, and there're 2 more > conflicts in 3.4-stable, I just adjusted the context. > > The au1100fb.c and au1200fb.c parts were not build-tested, because > they depend on CONFIG_MIPS_ALCHEMY. > > ======================= > > From: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> > Date: Fri, 22 Nov 2013 12:32:21 +0800 > Subject: [PATCH] Fix a few incorrectly checked [io_]remap_pfn_range() calls > > commit 7314e613d5ff9f0934f7a0f74ed7973b903315d1 upstream. > > Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that > really should use the vm_iomap_memory() helper. This trivially converts > two of them to the helper, and comments about why the third one really > needs to continue to use remap_pfn_range(), and adds the missing size > check. > > Reported-by: Nico Golde <nico@xxxxxxxxx> > Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx. > [lizf: backported to 3.4: > - adjust context > - no uio_physical_vm_ops] > Signed-off-by: Li Zefan <lizefan@xxxxxxxxxx> > --- > drivers/uio/uio.c | 16 +++++++++++++++- > drivers/video/au1100fb.c | 26 +------------------------- > drivers/video/au1200fb.c | 23 +---------------------- > 3 files changed, 17 insertions(+), 48 deletions(-) > > diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c > index a783d53..7150752 100644 > --- a/drivers/uio/uio.c > +++ b/drivers/uio/uio.c > @@ -650,16 +650,30 @@ static int uio_mmap_physical(struct vm_area_struct *vma) > { > struct uio_device *idev = vma->vm_private_data; > int mi = uio_find_mem_index(vma); > + struct uio_mem *mem; > if (mi < 0) > return -EINVAL; > + mem = idev->info->mem + mi; > + > + if (vma->vm_end - vma->vm_start > mem->size) > + return -EINVAL; > > vma->vm_flags |= VM_IO | VM_RESERVED; > > vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); > > + /* > + * We cannot use the vm_iomap_memory() helper here, > + * because vma->vm_pgoff is the map index we looked > + * up above in uio_find_mem_index(), rather than an > + * actual page offset into the mmap. > + * > + * So we just do the physical mmap without a page > + * offset. > + */ > return remap_pfn_range(vma, > vma->vm_start, > - idev->info->mem[mi].addr >> PAGE_SHIFT, > + mem->addr >> PAGE_SHIFT, > vma->vm_end - vma->vm_start, > vma->vm_page_prot); > } > diff --git a/drivers/video/au1100fb.c b/drivers/video/au1100fb.c > index ffbce45..612c1c7 100644 > --- a/drivers/video/au1100fb.c > +++ b/drivers/video/au1100fb.c > @@ -375,39 +375,15 @@ void au1100fb_fb_rotate(struct fb_info *fbi, int angle) > int au1100fb_fb_mmap(struct fb_info *fbi, struct vm_area_struct *vma) > { > struct au1100fb_device *fbdev; > - unsigned int len; > - unsigned long start=0, off; > > fbdev = to_au1100fb_device(fbi); > > - if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT)) { > - return -EINVAL; > - } > - > - start = fbdev->fb_phys & PAGE_MASK; > - len = PAGE_ALIGN((start & ~PAGE_MASK) + fbdev->fb_len); > - > - off = vma->vm_pgoff << PAGE_SHIFT; > - > - if ((vma->vm_end - vma->vm_start + off) > len) { > - return -EINVAL; > - } > - > - off += start; > - vma->vm_pgoff = off >> PAGE_SHIFT; > - > vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); > pgprot_val(vma->vm_page_prot) |= (6 << 9); //CCA=6 > > vma->vm_flags |= VM_IO; > > - if (io_remap_pfn_range(vma, vma->vm_start, off >> PAGE_SHIFT, > - vma->vm_end - vma->vm_start, > - vma->vm_page_prot)) { > - return -EAGAIN; > - } > - > - return 0; > + return vm_iomap_memory(vma, fbdev->fb_phys, fbdev->fb_len); > } > > static struct fb_ops au1100fb_ops = > diff --git a/drivers/video/au1200fb.c b/drivers/video/au1200fb.c > index 7ca79f0..117be3d 100644 > --- a/drivers/video/au1200fb.c > +++ b/drivers/video/au1200fb.c > @@ -1233,36 +1233,15 @@ static int au1200fb_fb_blank(int blank_mode, struct fb_info *fbi) > * method mainly to allow the use of the TLB streaming flag (CCA=6) > */ > static int au1200fb_fb_mmap(struct fb_info *info, struct vm_area_struct *vma) > - > { > - unsigned int len; > - unsigned long start=0, off; > struct au1200fb_device *fbdev = info->par; > > - if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT)) { > - return -EINVAL; > - } > - > - start = fbdev->fb_phys & PAGE_MASK; > - len = PAGE_ALIGN((start & ~PAGE_MASK) + fbdev->fb_len); > - > - off = vma->vm_pgoff << PAGE_SHIFT; > - > - if ((vma->vm_end - vma->vm_start + off) > len) { > - return -EINVAL; > - } > - > - off += start; > - vma->vm_pgoff = off >> PAGE_SHIFT; > - > vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); > pgprot_val(vma->vm_page_prot) |= _CACHE_MASK; /* CCA=7 */ > > vma->vm_flags |= VM_IO; > > - return io_remap_pfn_range(vma, vma->vm_start, off >> PAGE_SHIFT, > - vma->vm_end - vma->vm_start, > - vma->vm_page_prot); > + return vm_iomap_memory(vma, fbdev->fb_phys, fbdev->fb_len); > > return 0; > } > -- > 1.8.0.2 > -- > To unsubscribe from this list: send the line "unsubscribe stable" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html Thank you for this backport, I'm using for the 3.5 kernel as well. Cheers, -- Luis -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html