The third parameter of kvm_iommu_put_pages is wrong,
It should be 'gfn - slot->base_gfn'.

By making gfn very large, malicious guest or userspace can cause kvm to
go to this error path, and subsequently to pass a huge value as size.
Alternatively if gfn is small, then pages would be pinned but never
unpinned, causing host memory leak and local DOS.

Passing a reasonable but large value could be the most dangerous case,
because it would unpin a page that should have stayed pinned, and thus
allow the device to DMA into arbitrary memory.  However, this cannot
happen because of the condition that can trigger the error:

- out of memory (where you can't allocate even a single page)
  should not be possible for the attacker to trigger

- when exceeding the iommu's address space, guest pages after gfn
  will also exceed the iommu's address space, and inside
  kvm_iommu_put_pages() the iommu_iova_to_phys() will fail.  The
  page thus would not be unpinned at all.
Reported-by: NJack Morgenstein <jackm@mellanox.com>
Cc: stable@vger.kernel.org
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Pull x86 platform driver updates from Matthew Garrett:
 "A moderate number of changes, but nothing awfully significant.

  A lot of const cleanups, some reworking and additions to the rfkill
  quirks in the asus driver, a new driver for generating falling laptop
  events on Toshibas and some misc fixes.

  Maybe vendors have stopped inventing things"

* 'for_linus' of git://cavan.codon.org.uk/platform-drivers-x86: (41 commits)
  platform/x86: Enable build support for toshiba_haps
  Documentation: Add file about toshiba_haps module
  platform/x86: Toshiba HDD Active Protection Sensor
  asus-nb-wmi: Add wapf4 quirk for the U32U
  alienware-wmi: make hdmi_mux enabled on case-by-case basis
  ideapad-laptop: Constify DMI table and other r/o variables
  asus-nb-wmi.c: Rename x401u quirk to wapf4
  compal-laptop: correct invalid hwmon name
  toshiba_acpi: Add Qosmio X75-A to the alt keymap dmi list
  toshiba_acpi: Add extra check to backlight code
  Fix log message about future removal of interface
  ideapad-laptop: Disable touchpad interface on Yoga models
  asus-nb-wmi: Add wapf4 quirk for the X550CC
  intel_ips: Make ips_mcp_limits variables static
  thinkpad_acpi: Mark volume_alsa_control_{vol,mute} as __initdata
  fujitsu-laptop: Mark fujitsu_dmi_table[] DMI table as __initconst
  hp-wmi: Add missing __init annotations to initialization code
  hp_accel: Constify ACPI and DMI tables
  fujitsu-tablet: Mark DMI callbacks as __init code
  dell-laptop: Mark dell_quirks[] DMI table as __initconst
  ...

Pull idle update from Len Brown:
 "Two Intel-platform-specific updates to intel_idle, and a cosmetic
  tweak to the turbostat utility"

* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux:
  tools/power turbostat: tweak whitespace in output format
  intel_idle: Broadwell support
  intel_idle: Disable Baytrail Core and Module C6 auto-demotion

Pull module fix from Rusty Russell:
 "Nasty potential bug if someone uses a known module param with an
  invalid value (we don't fail unknown module params any more, just
  warn)"

* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux:
  module: Clean up ro/nx after early module load failures

Pull virtio-rng update from Amit Shah:
 "Add derating factor for use by hwrng core

  Sending directly to you with the commit log changes Ted Ts'o pointed
  out.  Not sure if Rusty's back after his travel, but this already has
  his s-o-b"

* 'rng-queue' of git://git.kernel.org/pub/scm/linux/kernel/git/amit/virtio:
  virtio: rng: add derating factor for use by hwrng core

Pull btrfs updates from Chris Mason:
 "These are all fixes I'd like to get out to a broader audience.

  The biggest of the bunch is Mark's quota fix, which is also in the
  SUSE kernel, and makes our subvolume quotas dramatically more
  accurate.

  I've been running xfstests with these against your current git
  overnight, but I'm queueing up longer tests as well"

* 'for-linus2' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
  btrfs: disable strict file flushes for renames and truncates
  Btrfs: fix csum tree corruption, duplicate and outdated checksums
  Btrfs: Fix memory corruption by ulist_add_merge() on 32bit arch
  Btrfs: fix compressed write corruption on enospc
  btrfs: correctly handle return from ulist_add
  btrfs: qgroup: account shared subtrees during snapshot delete
  Btrfs: read lock extent buffer while walking backrefs
  Btrfs: __btrfs_mod_ref should always use no_quota
  btrfs: adjust statfs calculations according to raid profiles

Pull file locking bugfixes from Jeff Layton:
 "Most of these patches are to fix a long-standing regression that crept
  in when the BKL was removed from the file-locking code.  The code was
  converted to use a conventional spinlock, but some fl_release_private
  ops can block and you can end up sleeping inside the lock.

  There's also a patch to make /proc/locks show delegations as 'DELEG'"

* tag 'locks-v3.17-2' of git://git.samba.org/jlayton/linux:
  locks: update Locking documentation to clarify fl_release_private behavior
  locks: move locks_free_lock calls in do_fcntl_add_lease outside spinlock
  locks: defer freeing locks in locks_delete_lock until after i_lock has been dropped
  locks: don't reuse file_lock in __posix_lock_file
  locks: don't call locks_release_private from locks_copy_lock
  locks: show delegations as "DELEG" in /proc/locks

Pull aio updates from Ben LaHaise.

* git://git.kvack.org/~bcrl/aio-next:
  aio: use iovec array rather than the single one
  aio: fix some comments
  aio: use the macro rather than the inline magic number
  aio: remove the needless registration of ring file's private_data
  aio: remove no longer needed preempt_disable()
  aio: kill the misleading rcu read locks in ioctx_add_table() and kill_ioctx()
  aio: change exit_aio() to load mm->ioctx_table once and avoid rcu_read_lock()

Makefile and Kconfig build support patch for the newly introduced
kernel module toshiba_haps.
Signed-off-by: NAzael Avalos <coproscefalo@gmail.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

This patch provides information about the Toshiba HDD
Active Protection Sensor driver module toshiba_haps.
Signed-off-by: NAzael Avalos <coproscefalo@gmail.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

This driver adds support for the built-in accelereometer found
on recent Toshiba laptops with HID TOS620A.

This driver receives ACPI notify events 0x80 when the sensor
detects a sudden move or a harsh vibration, as well as an
ACPI notify event 0x81 whenever the movement or vibration has
been stabilized.

Also provides sysfs entries to get/set the desired protection
level and reseting the HDD protection interface.
Signed-off-by: NAzael Avalos <coproscefalo@gmail.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

As reported here: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1173681
the U32U needs wapf=4 too.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

Not all HW supporting WMAX method will support the HDMI mux feature.
Explicitly quirk the HW that does support it.
Signed-off-by: NMario Limonciello <mario_limonciello@dell.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

Constify the rfkill_blacklist[] DMI table, the ideapad_rfk_data[] table
and the ideapad_attribute_group attribute group. There's no need to have
them writeable during runtime.
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Cc: Ike Panhc <ike.pan@canonical.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

The actual x401u does not use the so named x401u quirk but the x55u quirk.
All that the x401u quirk does it setting wapf to 4, so rename it to wapf4 to
stop the confusion.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

Change the name of the hwmon interface from "compal-laptop" to "compal".
A dash is an invalid character for a hwmon name and caused the call to
hwmon_device_register_with_groups() to fail.
Signed-off-by: NRoald Frederickx <roald.frederickx@gmail.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

The Toshiba Qosmio X75-A series models also come with
the new keymap layout.

This patch adds this model to the alt_keymap_dmi list,
along with an extra key found on these models.
Signed-off-by: NAzael Avalos <coproscefalo@gmail.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

Some Toshiba models (most notably Qosmios) come with an
incomplete backlight method where the AML code doesn't
check for write or read commands and always returns
HCI_SUCCESS and the actual brightness (and in some
cases the max brightness), thus allowing the backlight
interface to be registered without write support.

This patch changes the set_lcd_brightness function,
checking the returned values for values greater than
zero to avoid registering a broken backlight interface.
Signed-off-by: NAzael Avalos <coproscefalo@gmail.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

If this is going away, it won't be in 2012.
Signed-off-by: NMartin Kepplinger <martink@posteo.de>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

Yoga models don't offer touchpad ctrl through the ideapad interface, causing
ideapad_sync_touchpad_state to send wrong touchpad enable/disable events.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

As reported here: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1173681
the X550CC needs wapf=4 too.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

These variables don't need to be visible outside of this compilation
unit, make them static.
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

Mark volume_alsa_control_vol and volume_alsa_control_mute as __initdata,
as snd_ctl_new1() will copy the relevant parts, so there is no need to
keep the master copies around after initialization.
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Cc: Henrique de Moraes Holschuh <ibm-acpi@hmh.eng.br>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

The DMI table is only ever used during initialization. Mark it as
__initconst so its memory can be released afterwards -- roughly 1.5 kB.
In turn, the callback functions can be marked with __init, too.
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Cc: Jonathan Woithe <jwoithe@just42.net>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

These functions are only called from other initialization routines, so
can be marked __init, too.
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

Constify the lis3lv02d_device_ids[] ACPI and the lis3lv02d_dmi_ids[] DMI
tables. There's no need to have them writeable during runtime.
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Cc: Eric Piel <eric.piel@tremplin-utc.net>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

The DMI table is already marked as __initconst, so can be the callback
functions as they're only used in that context.
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Cc: Robert Gerlach <khnz@gmx.de>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

The dell_quirks[] DMI table is only ever used during initialization.
Mark it as __initconst so its memory can be released afterwards --
roughly 5.7 kB. In turn, the callback function can be marked with
__init, too.

Also the touchpad_led_init() function can be marked __init as it's only
referenced from dell_init() -- an __init function.
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

Constify the asus_quirks[] DMI table. There's no need to have it
writeable during runtime.
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Cc: Corentin Chary <corentin.chary@gmail.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

Quite a lot of code and data of acer-wmi.c is only ever used during
initialization. Mark those accordingly -- and constify, where
appropriate -- so the memory can be released afterwards.

All in all those changes move ~10 kB of code and data to the .init
sections, marking them for release after initialization has finished.
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Cc: "Lee, Chun-Yi" <jlee@suse.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

Constify the asus_quirks[] DMI table. There's no need to have it
writeable during runtime.
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Cc: Corentin Chary <corentin.chary@gmail.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

The DMI table is only ever used during initialization. Mark it as
__initconst so its memory can be released appropriately. In turn, the
callback function can be marked with __init, too.
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

Encapsulate acer_suspend() and acer_resume with #ifdef CONFIG_PM_SLEEP
to get rid of the following warnings:

  ../acer-wmi.c:2046:12: warning: ‘acer_suspend’ defined but not used [-Wunused-function]
  ../acer-wmi.c:2068:12: warning: ‘acer_resume’ defined but not used [-Wunused-function]
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Cc: "Lee, Chun-Yi" <jlee@suse.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

sparse_keymap_setup() will make a copy of the keymap, so we can release
the master copy after initialization.
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Cc: "Lee, Chun-Yi" <jlee@suse.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

The repo on kernel.org is no longer available but has a replacement at
cavan.codon.org.uk.
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

This patch removes the null test on block. block is initialized at the
beginning of the function to &wblock->gblock. Since wblock is
dereferenced prior to the null test, wblock must be a valid pointer,
and &wblock->gblock cannot be null.

The following Coccinelle script is used for detecting the change:

@r@
expression e,f;
identifier g,y;
statement S1,S2;
@@

*e = &f->g
<+...
 f->y
 ...+>
*if (e != NULL || ...)
 S1 else S2
Signed-off-by: NHimangi Saraogi <himangi774@gmail.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=80231Reported-by: NDavid Binderman <dcb314@hotmail.com>
Signed-off-by: NAndrey Utkin <andrey.krieger.utkin@gmail.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

As reported here: https://bugs.launchpad.net/bugs/1277959
the X550CL needs wapf=4 too.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>

BIOS won't light on the wifi-led after S3, so asus-wmi driver needs to
control the wifi and wifi-led status.
But, it'll lead to bt status error if asus-wmi driver controls bt as well.
So, for X200CA, asus-wmi driver controls wifi status only and have to set
wapf to 1.
Signed-off-by: NAceLan Kao <acelan.kao@canonical.com>
Signed-off-by: NMatthew Garrett <matthew.garrett@nebula.com>