Re: [PATCH 3.4-stable][CVE] Fix a few incorrectly checked [io_]remap_pfn_range() calls


 



On Fri, Nov 22, 2013 at 11:33:17AM +0000, Luis Henriques wrote:
> On Fri, Nov 22, 2013 at 01:26:38PM +0800, Li Zefan wrote:
> > Hi Greg,
> > 
> > Please queue this for 3.4 stable kernel.
> > 
> > It fixes a CVE bug (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6763&cid=4),
> > and kernels >= 3.0 are affected. The fix has been backported to 3.8,
> > 3.10 and 3.11.
> > 
> > I found you backported 4 patches in order to apply the fix to 3.10. As
> > they're only needed to resolve conflicts, and there are 2 more
> > conflicts in 3.4-stable, I just adjusted the context.
> > 
> > The au1100fb.c and au1200fb.c parts were not build-tested, because
> > they depend on CONFIG_MIPS_ALCHEMY.
> > 
> > =======================
> > 
> > From: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> > Date: Fri, 22 Nov 2013 12:32:21 +0800
> > Subject: [PATCH] Fix a few incorrectly checked [io_]remap_pfn_range() calls
> > 
> > commit 7314e613d5ff9f0934f7a0f74ed7973b903315d1 upstream.
> > 
> > Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that
> > really should use the vm_iomap_memory() helper.  This trivially converts
> > two of them to the helper, and comments about why the third one really
> > needs to continue to use remap_pfn_range(), and adds the missing size
> > check.
> > 
> > Reported-by: Nico Golde <nico@xxxxxxxxx>
> > Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> > [lizf: backported to 3.4:
> >  - adjust context
> >  - no uio_physical_vm_ops]
> > Signed-off-by: Li Zefan <lizefan@xxxxxxxxxx>
> > ---
> >  drivers/uio/uio.c        | 16 +++++++++++++++-
> >  drivers/video/au1100fb.c | 26 +-------------------------
> >  drivers/video/au1200fb.c | 23 +----------------------
> >  3 files changed, 17 insertions(+), 48 deletions(-)
> > 
> > diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
> > index a783d53..7150752 100644
> > --- a/drivers/uio/uio.c
> > +++ b/drivers/uio/uio.c
> > @@ -650,16 +650,30 @@ static int uio_mmap_physical(struct vm_area_struct *vma)
> >  {
> >  	struct uio_device *idev = vma->vm_private_data;
> >  	int mi = uio_find_mem_index(vma);
> > +	struct uio_mem *mem;
> >  	if (mi < 0)
> >  		return -EINVAL;
> > +	mem = idev->info->mem + mi;
> > +
> > +	if (vma->vm_end - vma->vm_start > mem->size)
> > +		return -EINVAL;
> >  
> >  	vma->vm_flags |= VM_IO | VM_RESERVED;
> >  
> >  	vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
> >  
> > +	/*
> > +	 * We cannot use the vm_iomap_memory() helper here,
> > +	 * because vma->vm_pgoff is the map index we looked
> > +	 * up above in uio_find_mem_index(), rather than an
> > +	 * actual page offset into the mmap.
> > +	 *
> > +	 * So we just do the physical mmap without a page
> > +	 * offset.
> > +	 */
> >  	return remap_pfn_range(vma,
> >  			       vma->vm_start,
> > -			       idev->info->mem[mi].addr >> PAGE_SHIFT,
> > +			       mem->addr >> PAGE_SHIFT,
> >  			       vma->vm_end - vma->vm_start,
> >  			       vma->vm_page_prot);
> >  }
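Review bot: The new size check in uio_mmap_physical() bounds the length of the mapping but not the alignment of its start: `mem->addr >> PAGE_SHIFT` silently drops the low bits, so if a driver registers a region whose `addr` is not page-aligned, the mapping begins at the page boundary below it and exposes whatever precedes the region in that page. Nothing visible in this hunk guarantees alignment, so I would reject that case right after `mem` is assigned, e.g. `if (mem->addr & ~PAGE_MASK) return -ENODEV;`. Relatedly, `mem->size` is compared against a VMA length that is always a multiple of the page size, so a region whose size is not page-granular cannot be mapped in full (and one smaller than a page not at all); a comment stating that `size` is expected to be a page multiple would make that contract explicit.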
> > diff --git a/drivers/video/au1100fb.c b/drivers/video/au1100fb.c
> > index ffbce45..612c1c7 100644
> > --- a/drivers/video/au1100fb.c
> > +++ b/drivers/video/au1100fb.c
> > @@ -375,39 +375,15 @@ void au1100fb_fb_rotate(struct fb_info *fbi, int angle)
> >  int au1100fb_fb_mmap(struct fb_info *fbi, struct vm_area_struct *vma)
> >  {
> >  	struct au1100fb_device *fbdev;
> > -	unsigned int len;
> > -	unsigned long start=0, off;
> >  
> >  	fbdev = to_au1100fb_device(fbi);
> >  
> > -	if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT)) {
> > -		return -EINVAL;
> > -	}
> > -
> > -	start = fbdev->fb_phys & PAGE_MASK;
> > -	len = PAGE_ALIGN((start & ~PAGE_MASK) + fbdev->fb_len);
> > -
> > -	off = vma->vm_pgoff << PAGE_SHIFT;
> > -
> > -	if ((vma->vm_end - vma->vm_start + off) > len) {
> > -		return -EINVAL;
> > -	}
> > -
> > -	off += start;
> > -	vma->vm_pgoff = off >> PAGE_SHIFT;
> > -
> >  	vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
> >  	pgprot_val(vma->vm_page_prot) |= (6 << 9); //CCA=6
> >  
> >  	vma->vm_flags |= VM_IO;
> >  
> > -	if (io_remap_pfn_range(vma, vma->vm_start, off >> PAGE_SHIFT,
> > -				vma->vm_end - vma->vm_start,
> > -				vma->vm_page_prot)) {
> > -		return -EAGAIN;
> > -	}
> > -
> > -	return 0;
> > +	return vm_iomap_memory(vma, fbdev->fb_phys, fbdev->fb_len);
> >  }
> >  
> >  static struct fb_ops au1100fb_ops =
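Review bot: With the open-coded offset and length checks removed from au1100fb_fb_mmap(), all validation of `vma->vm_pgoff` and the mapping length now rests on vm_iomap_memory(), and nothing in the function says so. A short comment above the call, e.g. `/* vm_iomap_memory() validates vm_pgoff and the length against fb_len */`, would keep a later edit from reintroducing a direct io_remap_pfn_range() call without those checks; the same applies to au1200fb_fb_mmap() in the next hunk. A mapping failure was previously reported as -EAGAIN and is now whatever the helper returns, which is presumably intended but is a visible change for callers.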
> > diff --git a/drivers/video/au1200fb.c b/drivers/video/au1200fb.c
> > index 7ca79f0..117be3d 100644
> > --- a/drivers/video/au1200fb.c
> > +++ b/drivers/video/au1200fb.c
> > @@ -1233,36 +1233,15 @@ static int au1200fb_fb_blank(int blank_mode, struct fb_info *fbi)
> >   * method mainly to allow the use of the TLB streaming flag (CCA=6)
> >   */
> >  static int au1200fb_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
> > -
> >  {
> > -	unsigned int len;
> > -	unsigned long start=0, off;
> >  	struct au1200fb_device *fbdev = info->par;
> >  
> > -	if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT)) {
> > -		return -EINVAL;
> > -	}
> > -
> > -	start = fbdev->fb_phys & PAGE_MASK;
> > -	len = PAGE_ALIGN((start & ~PAGE_MASK) + fbdev->fb_len);
> > -
> > -	off = vma->vm_pgoff << PAGE_SHIFT;
> > -
> > -	if ((vma->vm_end - vma->vm_start + off) > len) {
> > -		return -EINVAL;
> > -	}
> > -
> > -	off += start;
> > -	vma->vm_pgoff = off >> PAGE_SHIFT;
> > -
> >  	vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
> >  	pgprot_val(vma->vm_page_prot) |= _CACHE_MASK; /* CCA=7 */
> >  
> >  	vma->vm_flags |= VM_IO;
> >  
> > -	return io_remap_pfn_range(vma, vma->vm_start, off >> PAGE_SHIFT,
> > -				  vma->vm_end - vma->vm_start,
> > -				  vma->vm_page_prot);
> > +	return vm_iomap_memory(vma, fbdev->fb_phys, fbdev->fb_len);
> >  
> >  	return 0;
> >  }
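Review bot: The trailing `return 0;` after `return vm_iomap_memory(vma, fbdev->fb_phys, fbdev->fb_len);` in au1200fb_fb_mmap() is now unreachable and should be dropped together with the blank line before it. It is harmless at runtime, but it suggests to a reader that there is a success path that ignores the helper's return value. The message states that this file was not build-tested, so a compile on a CONFIG_MIPS_ALCHEMY configuration would be worth doing.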
> > -- 
> > 1.8.0.2
> 
> Thank you for this backport, I'm using it for the 3.5 kernel as well.

Btw, it looks like, with trivial changes, this could also be applied
to kernels as old as 2.6.32 (after cherry-picking b4cbb19 "vm: add
vm_iomap_memory() helper function").

Cheers,
--
Luis



