3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 23 Jun 2015 03:21:59 +0000 (20:21 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 23 Jun 2015 03:21:59 +0000 (20:21 -0700)
added patches:
crypto-caam-fix-rng-buffer-cache-alignment.patch
drm-mgag200-reject-non-character-cell-aligned-mode-widths.patch
iser-target-fix-possible-use-after-free.patch
tracing-have-filter-check-for-balanced-ops.patch

queue-3.14/crypto-caam-fix-rng-buffer-cache-alignment.patch [new file with mode: 0644]
queue-3.14/drm-mgag200-reject-non-character-cell-aligned-mode-widths.patch [new file with mode: 0644]
queue-3.14/iser-target-fix-possible-use-after-free.patch [new file with mode: 0644]
queue-3.14/tracing-have-filter-check-for-balanced-ops.patch [new file with mode: 0644]

diff --git a/queue-3.14/crypto-caam-fix-rng-buffer-cache-alignment.patch b/queue-3.14/crypto-caam-fix-rng-buffer-cache-alignment.patch
new file mode 100644 (file)
index 0000000..891329d
--- /dev/null
@@ -0,0 +1,42 @@
+From 412c98c1bef65fe7589f1300e93735d96130307c Mon Sep 17 00:00:00 2001
+From: Steve Cornelius <steve.cornelius@freescale.com>
+Date: Mon, 15 Jun 2015 16:52:59 -0700
+Subject: crypto: caam - fix RNG buffer cache alignment
+
+From: Steve Cornelius <steve.cornelius@freescale.com>
+
+commit 412c98c1bef65fe7589f1300e93735d96130307c upstream.
+
+The hwrng output buffers (2) are cast inside of a a struct (caam_rng_ctx)
+allocated in one DMA-tagged region. While the kernel's heap allocator
+should place the overall struct on a cacheline aligned boundary, the 2
+buffers contained within may not necessarily align. Consenquently, the ends
+of unaligned buffers may not fully flush, and if so, stale data will be left
+behind, resulting in small repeating patterns.
+
+This fix aligns the buffers inside the struct.
+
+Note that not all of the data inside caam_rng_ctx necessarily needs to be
+DMA-tagged, only the buffers themselves require this. However, a fix would
+incur the expense of error-handling bloat in the case of allocation failure.
+
+Signed-off-by: Steve Cornelius <steve.cornelius@freescale.com>
+Signed-off-by: Victoria Milhoan <vicki.milhoan@freescale.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/caamrng.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/caam/caamrng.c
++++ b/drivers/crypto/caam/caamrng.c
+@@ -56,7 +56,7 @@
+ /* Buffer, its dma address and lock */
+ struct buf_data {
+-      u8 buf[RN_BUF_SIZE];
++      u8 buf[RN_BUF_SIZE] ____cacheline_aligned;
+       dma_addr_t addr;
+       struct completion filled;
+       u32 hw_desc[DESC_JOB_O_LEN];
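Review bot: `____cacheline_aligned` on `buf` fixes where the buffer starts, but nothing visible in this hunk guarantees where it ends: `addr`, `filled` and `hw_desc` follow it in struct buf_data and would share the buffer's last cache line unless RN_BUF_SIZE is a multiple of the line size. RN_BUF_SIZE is defined outside the hunk, so that should be confirmed, and a `BUILD_BUG_ON(RN_BUF_SIZE % L1_CACHE_BYTES);` in the driver's init path would pin the assumption. Because the symptom is repeating patterns in RNG output, the comment above the struct should also record the reason, e.g. `/* buf is written by the device via DMA; keep it on its own cache lines */`. The struct definition continues past the end of the hunk.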
diff --git a/queue-3.14/drm-mgag200-reject-non-character-cell-aligned-mode-widths.patch b/queue-3.14/drm-mgag200-reject-non-character-cell-aligned-mode-widths.patch
new file mode 100644 (file)
index 0000000..e8bbf17
--- /dev/null
@@ -0,0 +1,33 @@
+From 25161084b1c1b0c29948f6f77266a35f302196b7 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 15 Jun 2015 16:16:15 -0400
+Subject: drm/mgag200: Reject non-character-cell-aligned mode widths
+
+From: Adam Jackson <ajax@redhat.com>
+
+commit 25161084b1c1b0c29948f6f77266a35f302196b7 upstream.
+
+Turns out 1366x768 does not in fact work on this hardware.
+
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/mgag200/mgag200_mode.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/mgag200/mgag200_mode.c
++++ b/drivers/gpu/drm/mgag200/mgag200_mode.c
+@@ -1529,6 +1529,11 @@ static int mga_vga_mode_valid(struct drm
+               return MODE_BANDWIDTH;
+       }
++      if ((mode->hdisplay % 8) != 0 || (mode->hsync_start % 8) != 0 ||
++          (mode->hsync_end % 8) != 0 || (mode->htotal % 8) != 0) {
++              return MODE_H_ILLEGAL;
++      }
++
+       if (mode->crtc_hdisplay > 2048 || mode->crtc_hsync_start > 4096 ||
+           mode->crtc_hsync_end > 4096 || mode->crtc_htotal > 4096 ||
+           mode->crtc_vdisplay > 2048 || mode->crtc_vsync_start > 4096 ||
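Review bot: The new check in mga_vga_mode_valid carries no comment and uses a bare `8`, so the hardware constraint is recorded only in the commit subject. A line such as `/* horizontal timings must be a multiple of the 8-pixel character cell */` above the `if` would keep the reason with the code. The check reads `mode->hdisplay`, `hsync_start`, `hsync_end` and `htotal`, while the range check directly below reads the `crtc_*` copies; if the two sets can differ at this point the new check should probably use the same fields, which cannot be settled from this hunk. The function starts and ends outside the hunk.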
diff --git a/queue-3.14/iser-target-fix-possible-use-after-free.patch b/queue-3.14/iser-target-fix-possible-use-after-free.patch
new file mode 100644 (file)
index 0000000..5b99166
--- /dev/null
@@ -0,0 +1,49 @@
+From 524630d5824c7a75aab568c6bd1423fd748cd3bb Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagig@mellanox.com>
+Date: Thu, 4 Jun 2015 19:49:21 +0300
+Subject: iser-target: Fix possible use-after-free
+
+From: Sagi Grimberg <sagig@mellanox.com>
+
+commit 524630d5824c7a75aab568c6bd1423fd748cd3bb upstream.
+
+iser connection termination process happens in 2 stages:
+- isert_wait_conn:
+  - resumes rdma disconnect
+  - wait for session commands
+  - wait for flush completions (post a marked wr to signal we are done)
+  - wait for logout completion
+  - queue work for connection cleanup (depends on disconnected/timewait
+    events)
+- isert_free_conn
+  - last reference put on the connection
+
+In case we are terminating during IOs, we might be posting send/recv
+requests after we posted the last work request which might lead
+to a use-after-free condition in isert_handle_wc.
+After we posted the last wr in isert_wait_conn we are guaranteed that
+no successful completions will follow (meaning no new work request posts
+may happen) but other flush errors might still come. So before we
+put the last reference on the connection, we repeat the process of
+posting a marked work request (isert_wait4flush) in order to make sure all
+pending completions were flushed.
+
+Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
+Signed-off-by: Jenny Falkovich <jennyf@mellanox.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -2952,6 +2952,7 @@ static void isert_free_conn(struct iscsi
+ {
+       struct isert_conn *isert_conn = conn->context;
++      isert_wait4flush(isert_conn);
+       isert_put_conn(isert_conn);
+ }
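Review bot: The added `isert_wait4flush(isert_conn);` makes isert_free_conn block until a marked work request completes, and the hunk shows no guard for a connection whose queue pair is not in a state where that completion will ever arrive. isert_wait4flush is defined outside the hunk, so it should be confirmed that it returns promptly when the post fails; otherwise the use-after-free is exchanged for a hang during teardown. The reason for this second flush exists only in the commit message, so a comment such as `/* flush errors can still arrive after isert_wait_conn(); drain them before the final put */` belongs above the call.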
diff --git a/queue-3.14/tracing-have-filter-check-for-balanced-ops.patch b/queue-3.14/tracing-have-filter-check-for-balanced-ops.patch
new file mode 100644 (file)
index 0000000..e37023e
--- /dev/null
@@ -0,0 +1,108 @@
+From 2cf30dc180cea808077f003c5116388183e54f9e Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Mon, 15 Jun 2015 17:50:25 -0400
+Subject: tracing: Have filter check for balanced ops
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 2cf30dc180cea808077f003c5116388183e54f9e upstream.
+
+When the following filter is used it causes a warning to trigger:
+
+ # cd /sys/kernel/debug/tracing
+ # echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter
+-bash: echo: write error: Invalid argument
+ # cat events/ext4/ext4_truncate_exit/filter
+((dev==1)blocks==2)
+^
+parse_error: No error
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 2 PID: 1223 at kernel/trace/trace_events_filter.c:1640 replace_preds+0x3c5/0x990()
+ Modules linked in: bnep lockd grace bluetooth  ...
+ CPU: 3 PID: 1223 Comm: bash Tainted: G        W       4.1.0-rc3-test+ #450
+ Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
+  0000000000000668 ffff8800c106bc98 ffffffff816ed4f9 ffff88011ead0cf0
+  0000000000000000 ffff8800c106bcd8 ffffffff8107fb07 ffffffff8136b46c
+  ffff8800c7d81d48 ffff8800d4c2bc00 ffff8800d4d4f920 00000000ffffffea
+ Call Trace:
+  [<ffffffff816ed4f9>] dump_stack+0x4c/0x6e
+  [<ffffffff8107fb07>] warn_slowpath_common+0x97/0xe0
+  [<ffffffff8136b46c>] ? _kstrtoull+0x2c/0x80
+  [<ffffffff8107fb6a>] warn_slowpath_null+0x1a/0x20
+  [<ffffffff81159065>] replace_preds+0x3c5/0x990
+  [<ffffffff811596b2>] create_filter+0x82/0xb0
+  [<ffffffff81159944>] apply_event_filter+0xd4/0x180
+  [<ffffffff81152bbf>] event_filter_write+0x8f/0x120
+  [<ffffffff811db2a8>] __vfs_write+0x28/0xe0
+  [<ffffffff811dda43>] ? __sb_start_write+0x53/0xf0
+  [<ffffffff812e51e0>] ? security_file_permission+0x30/0xc0
+  [<ffffffff811dc408>] vfs_write+0xb8/0x1b0
+  [<ffffffff811dc72f>] SyS_write+0x4f/0xb0
+  [<ffffffff816f5217>] system_call_fastpath+0x12/0x6a
+ ---[ end trace e11028bd95818dcd ]---
+
+Worse yet, reading the error message (the filter again) it says that
+there was no error, when there clearly was. The issue is that the
+code that checks the input does not check for balanced ops. That is,
+having an op between a closed parenthesis and the next token.
+
+This would only cause a warning, and fail out before doing any real
+harm, but it should still not caues a warning, and the error reported
+should work:
+
+ # cd /sys/kernel/debug/tracing
+ # echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter
+-bash: echo: write error: Invalid argument
+ # cat events/ext4/ext4_truncate_exit/filter
+((dev==1)blocks==2)
+^
+parse_error: Meaningless filter expression
+
+And give no kernel warning.
+
+Link: http://lkml.kernel.org/r/20150615175025.7e809215@gandalf.local.home
+
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Reported-by: Vince Weaver <vincent.weaver@maine.edu>
+Tested-by: Vince Weaver <vincent.weaver@maine.edu>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_filter.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -1399,19 +1399,26 @@ static int check_preds(struct filter_par
+ {
+       int n_normal_preds = 0, n_logical_preds = 0;
+       struct postfix_elt *elt;
++      int cnt = 0;
+       list_for_each_entry(elt, &ps->postfix, list) {
+-              if (elt->op == OP_NONE)
++              if (elt->op == OP_NONE) {
++                      cnt++;
+                       continue;
++              }
+               if (elt->op == OP_AND || elt->op == OP_OR) {
+                       n_logical_preds++;
++                      cnt--;
+                       continue;
+               }
++              if (elt->op != OP_NOT)
++                      cnt--;
+               n_normal_preds++;
++              WARN_ON_ONCE(cnt < 0);
+       }
+-      if (!n_normal_preds || n_logical_preds >= n_normal_preds) {
++      if (cnt != 1 || !n_normal_preds || n_logical_preds >= n_normal_preds) {
+               parse_error(ps, FILT_ERR_INVALID_FILTER, 0);
+               return -EINVAL;
+       }
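Review bot: `WARN_ON_ONCE(cnt < 0)` in the loop of check_preds looks reachable from the filter string itself, since an operator that arrives with too few operands before it drives `cnt` negative, and that would reintroduce the input-triggered kernel warning this patch sets out to remove. Whether an earlier parse stage rejects such input is not visible in the hunk, but the check does not need to warn at all: `if (cnt < 0)` followed by `break;` lets the `cnt != 1` test after the loop return -EINVAL with FILT_ERR_INVALID_FILTER. As written the check is also skipped for OP_AND/OP_OR, because that branch decrements `cnt` and then hits `continue`. The function continues outside the hunk.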