3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 2 May 2015 18:18:43 +0000 (20:18 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 2 May 2015 18:18:43 +0000 (20:18 +0200)
added patches:
c6x-time-ensure-consistency-in-__init.patch
crypto-omap-aes-fix-support-for-unequal-lengths.patch
e1000-add-dummy-allocator-to-fix-race-condition-between-mtu-change-and-netpoll.patch
lib-memzero_explicit-use-barrier-instead-of-optimizer_hide_var.patch
memstick-mspro_block-add-missing-curly-braces.patch
wl18xx-show-rx_frames_per_rates-as-an-array-as-it-really-is.patch

queue-3.14/c6x-time-ensure-consistency-in-__init.patch [new file with mode: 0644]
queue-3.14/crypto-omap-aes-fix-support-for-unequal-lengths.patch [new file with mode: 0644]
queue-3.14/e1000-add-dummy-allocator-to-fix-race-condition-between-mtu-change-and-netpoll.patch [new file with mode: 0644]
queue-3.14/lib-memzero_explicit-use-barrier-instead-of-optimizer_hide_var.patch [new file with mode: 0644]
queue-3.14/memstick-mspro_block-add-missing-curly-braces.patch [new file with mode: 0644]
queue-3.14/series
queue-3.14/wl18xx-show-rx_frames_per_rates-as-an-array-as-it-really-is.patch [new file with mode: 0644]

diff --git a/queue-3.14/c6x-time-ensure-consistency-in-__init.patch b/queue-3.14/c6x-time-ensure-consistency-in-__init.patch
new file mode 100644 (file)
index 0000000..743db42
--- /dev/null
@@ -0,0 +1,42 @@
+From f4831605f2dacd12730fe73961c77253cc2ea425 Mon Sep 17 00:00:00 2001
+From: Nishanth Menon <nm@ti.com>
+Date: Sat, 7 Mar 2015 03:39:05 -0600
+Subject: C6x: time: Ensure consistency in __init
+
+From: Nishanth Menon <nm@ti.com>
+
+commit f4831605f2dacd12730fe73961c77253cc2ea425 upstream.
+
+time_init invokes timer64_init (which is __init annotation)
+since all of these are invoked at init time, lets maintain
+consistency by ensuring time_init is marked appropriately
+as well.
+
+This fixes the following warning with CONFIG_DEBUG_SECTION_MISMATCH=y
+
+WARNING: vmlinux.o(.text+0x3bfc): Section mismatch in reference from the function time_init() to the function .init.text:timer64_init()
+The function time_init() references
+the function __init timer64_init().
+This is often because time_init lacks a __init
+annotation or the annotation of timer64_init is wrong.
+
+Fixes: 546a39546c64 ("C6X: time management")
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Mark Salter <msalter@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/c6x/kernel/time.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/c6x/kernel/time.c
++++ b/arch/c6x/kernel/time.c
+@@ -49,7 +49,7 @@ u64 sched_clock(void)
+       return (tsc * sched_clock_multiplier) >> SCHED_CLOCK_SHIFT;
+ }
+-void time_init(void)
++void __init time_init(void)
+ {
+       u64 tmp = (u64)NSEC_PER_SEC << SCHED_CLOCK_SHIFT;
diff --git a/queue-3.14/crypto-omap-aes-fix-support-for-unequal-lengths.patch b/queue-3.14/crypto-omap-aes-fix-support-for-unequal-lengths.patch
new file mode 100644 (file)
index 0000000..c26c33a
--- /dev/null
@@ -0,0 +1,66 @@
+From 6d7e7e02a044025237b6f62a20521170b794537f Mon Sep 17 00:00:00 2001
+From: "Vutla, Lokesh" <lokeshvutla@ti.com>
+Date: Tue, 31 Mar 2015 09:52:25 +0530
+Subject: crypto: omap-aes - Fix support for unequal lengths
+
+From: "Vutla, Lokesh" <lokeshvutla@ti.com>
+
+commit 6d7e7e02a044025237b6f62a20521170b794537f upstream.
+
+For cases where total length of an input SGs is not same as
+length of the input data for encryption, omap-aes driver
+crashes. This happens in the case when IPsec is trying to use
+omap-aes driver.
+
+To avoid this, we copy all the pages from the input SG list
+into a contiguous buffer and prepare a single element SG list
+for this buffer with length as the total bytes to crypt, which is
+similar thing that is done in case of unaligned lengths.
+
+Fixes: 6242332ff2f3 ("crypto: omap-aes - Add support for cases of unaligned lengths")
+Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/omap-aes.c |   14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/crypto/omap-aes.c
++++ b/drivers/crypto/omap-aes.c
+@@ -554,15 +554,23 @@ static int omap_aes_crypt_dma_stop(struc
+       return err;
+ }
+-static int omap_aes_check_aligned(struct scatterlist *sg)
++static int omap_aes_check_aligned(struct scatterlist *sg, int total)
+ {
++      int len = 0;
++
+       while (sg) {
+               if (!IS_ALIGNED(sg->offset, 4))
+                       return -1;
+               if (!IS_ALIGNED(sg->length, AES_BLOCK_SIZE))
+                       return -1;
++
++              len += sg->length;
+               sg = sg_next(sg);
+       }
++
++      if (len != total)
++              return -1;
++
+       return 0;
+ }
+@@ -633,8 +641,8 @@ static int omap_aes_handle_queue(struct
+       dd->in_sg = req->src;
+       dd->out_sg = req->dst;
+-      if (omap_aes_check_aligned(dd->in_sg) ||
+-          omap_aes_check_aligned(dd->out_sg)) {
++      if (omap_aes_check_aligned(dd->in_sg, dd->total) ||
++          omap_aes_check_aligned(dd->out_sg, dd->total)) {
+               if (omap_aes_copy_sgs(dd))
+                       pr_err("Failed to copy SGs for unaligned cases\n");
+               dd->sgs_copied = 1;
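Review bot: In omap_aes_check_aligned, `len` is a signed `int` that accumulates `sg->length` and is then compared with an `int total`, although scatterlist lengths are unsigned; a long list can overflow the signed sum, and `dd->total` is narrowed at both call sites if that field is wider than int (its declaration is outside the hunk). Unsigned types keep the comparison well defined: `unsigned int len = 0;` with `unsigned int total` in the signature, or `size_t` if that is what `dd->total` uses. Separately, the branch in omap_aes_handle_queue that this change now sends more requests through still only logs when `omap_aes_copy_sgs(dd)` fails and then sets `dd->sgs_copied = 1`. The rest of that function is outside the hunk, but the request appears to continue with bounce buffers that were never set up, so propagating the error there is worth considering.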
diff --git a/queue-3.14/e1000-add-dummy-allocator-to-fix-race-condition-between-mtu-change-and-netpoll.patch b/queue-3.14/e1000-add-dummy-allocator-to-fix-race-condition-between-mtu-change-and-netpoll.patch
new file mode 100644 (file)
index 0000000..fb41249
--- /dev/null
@@ -0,0 +1,93 @@
+From 08e8331654d1d7b2c58045e549005bc356aa7810 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Thu, 26 Feb 2015 05:35:41 +0000
+Subject: e1000: add dummy allocator to fix race condition between mtu change and netpoll
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+commit 08e8331654d1d7b2c58045e549005bc356aa7810 upstream.
+
+There is a race condition between e1000_change_mtu's cleanups and
+netpoll, when we change the MTU across jumbo size:
+
+Changing MTU frees all the rx buffers:
+    e1000_change_mtu -> e1000_down -> e1000_clean_all_rx_rings ->
+        e1000_clean_rx_ring
+
+Then, close to the end of e1000_change_mtu:
+    pr_info -> ... -> netpoll_poll_dev -> e1000_clean ->
+        e1000_clean_rx_irq -> e1000_alloc_rx_buffers -> e1000_alloc_frag
+
+And when we come back to do the rest of the MTU change:
+    e1000_up -> e1000_configure -> e1000_configure_rx ->
+        e1000_alloc_jumbo_rx_buffers
+
+alloc_jumbo finds the buffers already != NULL, since data (shared with
+page in e1000_rx_buffer->rxbuf) has been re-alloc'd, but it's garbage,
+or at least not what is expected when in jumbo state.
+
+This results in an unusable adapter (packets don't get through), and a
+NULL pointer dereference on the next call to e1000_clean_rx_ring
+(other mtu change, link down, shutdown):
+
+BUG: unable to handle kernel NULL pointer dereference at           (null)
+IP: [<ffffffff81194d6e>] put_compound_page+0x7e/0x330
+
+    [...]
+
+Call Trace:
+ [<ffffffff81195445>] put_page+0x55/0x60
+ [<ffffffff815d9f44>] e1000_clean_rx_ring+0x134/0x200
+ [<ffffffff815da055>] e1000_clean_all_rx_rings+0x45/0x60
+ [<ffffffff815df5e0>] e1000_down+0x1c0/0x1d0
+ [<ffffffff811e2260>] ? deactivate_slab+0x7f0/0x840
+ [<ffffffff815e21bc>] e1000_change_mtu+0xdc/0x170
+ [<ffffffff81647050>] dev_set_mtu+0xa0/0x140
+ [<ffffffff81664218>] do_setlink+0x218/0xac0
+ [<ffffffff814459e9>] ? nla_parse+0xb9/0x120
+ [<ffffffff816652d0>] rtnl_newlink+0x6d0/0x890
+ [<ffffffff8104f000>] ? kvm_clock_read+0x20/0x40
+ [<ffffffff810a2068>] ? sched_clock_cpu+0xa8/0x100
+ [<ffffffff81663802>] rtnetlink_rcv_msg+0x92/0x260
+
+By setting the allocator to a dummy version, netpoll can't mess up our
+rx buffers.  The allocator is set back to a sane value in
+e1000_configure_rx.
+
+Fixes: edbbb3ca1077 ("e1000: implement jumbo receive with partial descriptors")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/e1000/e1000_main.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
+@@ -144,6 +144,11 @@ static bool e1000_clean_rx_irq(struct e1
+ static bool e1000_clean_jumbo_rx_irq(struct e1000_adapter *adapter,
+                                    struct e1000_rx_ring *rx_ring,
+                                    int *work_done, int work_to_do);
++static void e1000_alloc_dummy_rx_buffers(struct e1000_adapter *adapter,
++                                       struct e1000_rx_ring *rx_ring,
++                                       int cleaned_count)
++{
++}
+ static void e1000_alloc_rx_buffers(struct e1000_adapter *adapter,
+                                  struct e1000_rx_ring *rx_ring,
+                                  int cleaned_count);
+@@ -3531,8 +3536,11 @@ static int e1000_change_mtu(struct net_d
+               msleep(1);
+       /* e1000_down has a dependency on max_frame_size */
+       hw->max_frame_size = max_frame;
+-      if (netif_running(netdev))
++      if (netif_running(netdev)) {
++              /* prevent buffers from being reallocated */
++              adapter->alloc_rx_buf = e1000_alloc_dummy_rx_buffers;
+               e1000_down(adapter);
++      }
+       /* NOTE: netdev_alloc_skb reserves 16 bytes, and typically NET_IP_ALIGN
+        * means we reserve 2 more, this pushes us to allocate from the next
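Review bot: `e1000_alloc_dummy_rx_buffers` is defined with an empty body in the middle of the forward declarations and has no comment, so a reader cannot tell that doing nothing is the whole point. A comment above it would record the intent, for example `/* Intentionally empty: installed while the rx rings are torn down so a netpoll-driven clean cannot refill them; e1000_configure_rx restores the real allocator. */`. The restore in e1000_configure_rx is not visible here and e1000_change_mtu continues past the hunk. It is therefore worth confirming that every path leaving e1000_change_mtu after `e1000_down(adapter)` reaches e1000_configure_rx; otherwise the adapter stays on the dummy allocator.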
diff --git a/queue-3.14/lib-memzero_explicit-use-barrier-instead-of-optimizer_hide_var.patch b/queue-3.14/lib-memzero_explicit-use-barrier-instead-of-optimizer_hide_var.patch
new file mode 100644 (file)
index 0000000..8e700fd
--- /dev/null
@@ -0,0 +1,111 @@
+From 0b053c9518292705736329a8fe20ef4686ffc8e9 Mon Sep 17 00:00:00 2001
+From: mancha security <mancha1@zoho.com>
+Date: Wed, 18 Mar 2015 18:47:25 +0100
+Subject: lib: memzero_explicit: use barrier instead of OPTIMIZER_HIDE_VAR
+
+From: mancha security <mancha1@zoho.com>
+
+commit 0b053c9518292705736329a8fe20ef4686ffc8e9 upstream.
+
+OPTIMIZER_HIDE_VAR(), as defined when using gcc, is insufficient to
+ensure protection from dead store optimization.
+
+For the random driver and crypto drivers, calls are emitted ...
+
+  $ gdb vmlinux
+  (gdb) disassemble memzero_explicit
+  Dump of assembler code for function memzero_explicit:
+    0xffffffff813a18b0 <+0>:   push   %rbp
+    0xffffffff813a18b1 <+1>:   mov    %rsi,%rdx
+    0xffffffff813a18b4 <+4>:   xor    %esi,%esi
+    0xffffffff813a18b6 <+6>:   mov    %rsp,%rbp
+    0xffffffff813a18b9 <+9>:   callq  0xffffffff813a7120 <memset>
+    0xffffffff813a18be <+14>:  pop    %rbp
+    0xffffffff813a18bf <+15>:  retq
+  End of assembler dump.
+
+  (gdb) disassemble extract_entropy
+  [...]
+    0xffffffff814a5009 <+313>: mov    %r12,%rdi
+    0xffffffff814a500c <+316>: mov    $0xa,%esi
+    0xffffffff814a5011 <+321>: callq  0xffffffff813a18b0 <memzero_explicit>
+    0xffffffff814a5016 <+326>: mov    -0x48(%rbp),%rax
+  [...]
+
+... but in case in future we might use facilities such as LTO, then
+OPTIMIZER_HIDE_VAR() is not sufficient to protect gcc from a possible
+eviction of the memset(). We have to use a compiler barrier instead.
+
+Minimal test example when we assume memzero_explicit() would *not* be
+a call, but would have been *inlined* instead:
+
+  static inline void memzero_explicit(void *s, size_t count)
+  {
+    memset(s, 0, count);
+    <foo>
+  }
+
+  int main(void)
+  {
+    char buff[20];
+
+    snprintf(buff, sizeof(buff) - 1, "test");
+    printf("%s", buff);
+
+    memzero_explicit(buff, sizeof(buff));
+    return 0;
+  }
+
+With <foo> := OPTIMIZER_HIDE_VAR():
+
+  (gdb) disassemble main
+  Dump of assembler code for function main:
+  [...]
+   0x0000000000400464 <+36>:   callq  0x400410 <printf@plt>
+   0x0000000000400469 <+41>:   xor    %eax,%eax
+   0x000000000040046b <+43>:   add    $0x28,%rsp
+   0x000000000040046f <+47>:   retq
+  End of assembler dump.
+
+With <foo> := barrier():
+
+  (gdb) disassemble main
+  Dump of assembler code for function main:
+  [...]
+   0x0000000000400464 <+36>:   callq  0x400410 <printf@plt>
+   0x0000000000400469 <+41>:   movq   $0x0,(%rsp)
+   0x0000000000400471 <+49>:   movq   $0x0,0x8(%rsp)
+   0x000000000040047a <+58>:   movl   $0x0,0x10(%rsp)
+   0x0000000000400482 <+66>:   xor    %eax,%eax
+   0x0000000000400484 <+68>:   add    $0x28,%rsp
+   0x0000000000400488 <+72>:   retq
+  End of assembler dump.
+
+As can be seen, movq, movq, movl are being emitted inlined
+via memset().
+
+Reference: http://thread.gmane.org/gmane.linux.kernel.cryptoapi/13764/
+Fixes: d4c5efdb9777 ("random: add and use memzero_explicit() for clearing data")
+Cc: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: mancha security <mancha1@zoho.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Acked-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/string.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/string.c
++++ b/lib/string.c
+@@ -598,7 +598,7 @@ EXPORT_SYMBOL(memset);
+ void memzero_explicit(void *s, size_t count)
+ {
+       memset(s, 0, count);
+-      OPTIMIZER_HIDE_VAR(s);
++      barrier();
+ }
+ EXPORT_SYMBOL(memzero_explicit);
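Review bot: `barrier()` in memzero_explicit is a bare memory clobber that never names `s`, so whether the preceding memset survives still depends on the compiler not proving the buffer dead, and the commit message demonstrates the result for gcc only. Passing the pointer to the asm as an input ties the stores to the barrier more directly, e.g. `__asm__ __volatile__("" : : "r"(s) : "memory");`. Upstream provides this as `barrier_data(s)`; whether this tree has it is not visible here. A one-line comment above the barrier, such as `/* keep the compiler from eliding the memset as a dead store */`, would also record why the call is there, since this function is what callers rely on to scrub key material.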
diff --git a/queue-3.14/memstick-mspro_block-add-missing-curly-braces.patch b/queue-3.14/memstick-mspro_block-add-missing-curly-braces.patch
new file mode 100644 (file)
index 0000000..65f1066
--- /dev/null
@@ -0,0 +1,43 @@
+From 13f6b191aaa11c7fd718d35a0c565f3c16bc1d99 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 16 Apr 2015 12:48:35 -0700
+Subject: memstick: mspro_block: add missing curly braces
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 13f6b191aaa11c7fd718d35a0c565f3c16bc1d99 upstream.
+
+Using the indenting we can see the curly braces were obviously intended.
+This is a static checker fix, but my guess is that we don't read enough
+bytes, because we don't calculate "t_len" correctly.
+
+Fixes: f1d82698029b ('memstick: use fully asynchronous request processing')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Alex Dubov <oakad@yahoo.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/memstick/core/mspro_block.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/memstick/core/mspro_block.c
++++ b/drivers/memstick/core/mspro_block.c
+@@ -758,7 +758,7 @@ static int mspro_block_complete_req(stru
+               if (error || (card->current_mrq.tpc == MSPRO_CMD_STOP)) {
+                       if (msb->data_dir == READ) {
+-                              for (cnt = 0; cnt < msb->current_seg; cnt++)
++                              for (cnt = 0; cnt < msb->current_seg; cnt++) {
+                                       t_len += msb->req_sg[cnt].length
+                                                / msb->page_size;
+@@ -766,6 +766,7 @@ static int mspro_block_complete_req(stru
+                                               t_len += msb->current_page - 1;
+                                       t_len *= msb->page_size;
++                              }
+                       }
+               } else
+                       t_len = blk_rq_bytes(msb->block_req);
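Review bot: With the new braces, `t_len *= msb->page_size;` runs on every pass of the `for` loop in mspro_block_complete_req, so from the second segment on a value already scaled to bytes has a page count added to it and is multiplied by the page size again. Before the change only the `t_len += msb->req_sg[cnt].length / msb->page_size` statement was the loop body, and the `current_page` adjustment and the multiplication ran once after it, which is arithmetically consistent even though the indentation suggested otherwise. If the once-only form is intended, close the loop right after the sum (`}` directly after the `/ msb->page_size;` line) and re-indent the statements that follow. The lines between the two inner hunks are not visible and the function continues outside them, so this needs checking against the full body. t_len looks like a byte count (the else branch assigns `blk_rq_bytes(msb->block_req)`), so an inflated value on the error/stop path is worth ruling out.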
index 359dc6e14513be672eadf184fc0154bd333e4157..f3252968a9f352ee42934c4f01620f2437d27a99 100644 (file)
@@ -82,3 +82,9 @@ drm-radeon-fix-doublescan-modes-v2.patch
 drm-i915-cope-with-large-i2c-transfers.patch
 rcu-pathwalk-breakage-when-running-into-a-symlink-overmounting-something.patch
 ksoftirqd-enable-irqs-and-call-cond_resched-before-poking-rcu.patch
+e1000-add-dummy-allocator-to-fix-race-condition-between-mtu-change-and-netpoll.patch
+lib-memzero_explicit-use-barrier-instead-of-optimizer_hide_var.patch
+wl18xx-show-rx_frames_per_rates-as-an-array-as-it-really-is.patch
+crypto-omap-aes-fix-support-for-unequal-lengths.patch
+c6x-time-ensure-consistency-in-__init.patch
+memstick-mspro_block-add-missing-curly-braces.patch
diff --git a/queue-3.14/wl18xx-show-rx_frames_per_rates-as-an-array-as-it-really-is.patch b/queue-3.14/wl18xx-show-rx_frames_per_rates-as-an-array-as-it-really-is.patch
new file mode 100644 (file)
index 0000000..274606b
--- /dev/null
@@ -0,0 +1,52 @@
+From a3fa71c40f1853d0c27e8f5bc01a722a705d9682 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+Date: Fri, 13 Mar 2015 15:17:14 +0800
+Subject: wl18xx: show rx_frames_per_rates as an array as it really is
+
+From: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+
+commit a3fa71c40f1853d0c27e8f5bc01a722a705d9682 upstream.
+
+In struct wl18xx_acx_rx_rate_stat, rx_frames_per_rates field is an
+array, not a number.  This means WL18XX_DEBUGFS_FWSTATS_FILE can't be
+used to display this field in debugfs (it would display a pointer, not
+the actual data).  Use WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY instead.
+
+This bug has been found by adding a __printf attribute to
+wl1271_format_buffer.  gcc complained about "format '%u' expects
+argument of type 'unsigned int', but argument 5 has type 'u32 *'".
+
+Fixes: c5d94169e818 ("wl18xx: use new fw stats structures")
+Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ti/wl18xx/debugfs.c |    2 +-
+ drivers/net/wireless/ti/wlcore/debugfs.h |    4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ti/wl18xx/debugfs.c
++++ b/drivers/net/wireless/ti/wl18xx/debugfs.c
+@@ -136,7 +136,7 @@ WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, p
+ WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, accum_arp_pend_requests, "%u");
+ WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, max_arp_queue_dep, "%u");
+-WL18XX_DEBUGFS_FWSTATS_FILE(rx_rate, rx_frames_per_rates, "%u");
++WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY(rx_rate, rx_frames_per_rates, 50);
+ WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY(aggr_size, tx_agg_vs_rate,
+                                 AGGR_STATS_TX_AGG*AGGR_STATS_TX_RATE);
+--- a/drivers/net/wireless/ti/wlcore/debugfs.h
++++ b/drivers/net/wireless/ti/wlcore/debugfs.h
+@@ -26,8 +26,8 @@
+ #include "wlcore.h"
+-int wl1271_format_buffer(char __user *userbuf, size_t count,
+-                       loff_t *ppos, char *fmt, ...);
++__printf(4, 5) int wl1271_format_buffer(char __user *userbuf, size_t count,
++                                      loff_t *ppos, char *fmt, ...);
+ int wl1271_debugfs_init(struct wl1271 *wl);
+ void wl1271_debugfs_exit(struct wl1271 *wl);
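Review bot: The element count in `WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY(rx_rate, rx_frames_per_rates, 50);` is a bare literal, while the neighbouring `tx_agg_vs_rate` entry uses named constants. If the array in struct wl18xx_acx_rx_rate_stat (declared outside this hunk) is ever resized, the debugfs reader would walk past the end of the field or stop short of it. A named constant shared by the struct declaration and this line removes that coupling, e.g. `WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY(rx_rate, rx_frames_per_rates, RX_RATE_STAT_LEN_PLACEHOLDER);`, where the constant name is a placeholder. In debugfs.h, now that wl1271_format_buffer is `__printf(4, 5)`-checked, the parameter could also become `const char *fmt`, provided the definition is changed to match.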