--- /dev/null
+From b310c178e6d897f82abb9da3af1cd7c02b09f592 Mon Sep 17 00:00:00 2001
+From: Horia Geant? <horia.geanta@freescale.com>
+Date: Tue, 11 Aug 2015 20:19:20 +0300
+Subject: crypto: caam - fix memory corruption in ahash_final_ctx
+
+From: Horia Geant? <horia.geanta@freescale.com>
+
+commit b310c178e6d897f82abb9da3af1cd7c02b09f592 upstream.
+
+When doing pointer operation for accessing the HW S/G table,
+a value representing number of entries (and not number of bytes)
+must be used.
+
+Fixes: 045e36780f115 ("crypto: caam - ahash hmac support")
+Signed-off-by: Horia Geant? <horia.geanta@freescale.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/caamhash.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/crypto/caam/caamhash.c
++++ b/drivers/crypto/caam/caamhash.c
+@@ -895,13 +895,14 @@ static int ahash_final_ctx(struct ahash_
+ state->buflen_1;
+ u32 *sh_desc = ctx->sh_desc_fin, *desc;
+ dma_addr_t ptr = ctx->sh_desc_fin_dma;
+- int sec4_sg_bytes;
++ int sec4_sg_bytes, sec4_sg_src_index;
+ int digestsize = crypto_ahash_digestsize(ahash);
+ struct ahash_edesc *edesc;
+ int ret = 0;
+ int sh_len;
+
+- sec4_sg_bytes = (1 + (buflen ? 1 : 0)) * sizeof(struct sec4_sg_entry);
++ sec4_sg_src_index = 1 + (buflen ? 1 : 0);
++ sec4_sg_bytes = sec4_sg_src_index * sizeof(struct sec4_sg_entry);
+
+ /* allocate space for base edesc and hw desc commands, link tables */
+ edesc = kmalloc(sizeof(struct ahash_edesc) + DESC_JOB_IO_LEN +
+@@ -928,7 +929,7 @@ static int ahash_final_ctx(struct ahash_
+ state->buf_dma = try_buf_map_to_sec4_sg(jrdev, edesc->sec4_sg + 1,
+ buf, state->buf_dma, buflen,
+ last_buflen);
+- (edesc->sec4_sg + sec4_sg_bytes - 1)->len |= SEC4_SG_LEN_FIN;
++ (edesc->sec4_sg + sec4_sg_src_index - 1)->len |= SEC4_SG_LEN_FIN;
+
+ append_seq_in_ptr(desc, edesc->sec4_sg_dma, ctx->ctx_len + buflen,
+ LDST_SGF);
--- /dev/null
+From 8f2777f53e3d5ad8ef2a176a4463a5c8e1a16431 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+Date: Fri, 5 Jun 2015 14:20:51 -0700
+Subject: libfc: Fix fc_fcp_cleanup_each_cmd()
+
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+
+commit 8f2777f53e3d5ad8ef2a176a4463a5c8e1a16431 upstream.
+
+Since fc_fcp_cleanup_cmd() can sleep this function must not
+be called while holding a spinlock. This patch avoids that
+fc_fcp_cleanup_each_cmd() triggers the following bug:
+
+BUG: scheduling while atomic: sg_reset/1512/0x00000202
+1 lock held by sg_reset/1512:
+ #0: (&(&fsp->scsi_pkt_lock)->rlock){+.-...}, at: [<ffffffffc0225cd5>] fc_fcp_cleanup_each_cmd.isra.21+0xa5/0x150 [libfc]
+Preemption disabled at:[<ffffffffc0225cd5>] fc_fcp_cleanup_each_cmd.isra.21+0xa5/0x150 [libfc]
+Call Trace:
+ [<ffffffff816c612c>] dump_stack+0x4f/0x7b
+ [<ffffffff810828bc>] __schedule_bug+0x6c/0xd0
+ [<ffffffff816c87aa>] __schedule+0x71a/0xa10
+ [<ffffffff816c8ad2>] schedule+0x32/0x80
+ [<ffffffffc0217eac>] fc_seq_set_resp+0xac/0x100 [libfc]
+ [<ffffffffc0218b11>] fc_exch_done+0x41/0x60 [libfc]
+ [<ffffffffc0225cff>] fc_fcp_cleanup_each_cmd.isra.21+0xcf/0x150 [libfc]
+ [<ffffffffc0225f43>] fc_eh_device_reset+0x1c3/0x270 [libfc]
+ [<ffffffff814a2cc9>] scsi_try_bus_device_reset+0x29/0x60
+ [<ffffffff814a3908>] scsi_ioctl_reset+0x258/0x2d0
+ [<ffffffff814a2650>] scsi_ioctl+0x150/0x440
+ [<ffffffff814b3a9d>] sd_ioctl+0xad/0x120
+ [<ffffffff8132f266>] blkdev_ioctl+0x1b6/0x810
+ [<ffffffff811da608>] block_ioctl+0x38/0x40
+ [<ffffffff811b4e08>] do_vfs_ioctl+0x2f8/0x530
+ [<ffffffff811b50c1>] SyS_ioctl+0x81/0xa0
+ [<ffffffff816cf8b2>] system_call_fastpath+0x16/0x7a
+
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Signed-off-by: Vasu Dev <vasu.dev@intel.com>
+Signed-off-by: James Bottomley <JBottomley@Odin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/libfc/fc_fcp.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/libfc/fc_fcp.c
++++ b/drivers/scsi/libfc/fc_fcp.c
+@@ -1039,11 +1039,26 @@ restart:
+ fc_fcp_pkt_hold(fsp);
+ spin_unlock_irqrestore(&si->scsi_queue_lock, flags);
+
+- if (!fc_fcp_lock_pkt(fsp)) {
++ spin_lock_bh(&fsp->scsi_pkt_lock);
++ if (!(fsp->state & FC_SRB_COMPL)) {
++ fsp->state |= FC_SRB_COMPL;
++ /*
++ * TODO: dropping scsi_pkt_lock and then reacquiring
++ * again around fc_fcp_cleanup_cmd() is required,
++ * since fc_fcp_cleanup_cmd() calls into
++ * fc_seq_set_resp() and that func preempts cpu using
++ * schedule. May be schedule and related code should be
++ * removed instead of unlocking here to avoid scheduling
++ * while atomic bug.
++ */
++ spin_unlock_bh(&fsp->scsi_pkt_lock);
++
+ fc_fcp_cleanup_cmd(fsp, error);
++
++ spin_lock_bh(&fsp->scsi_pkt_lock);
+ fc_io_compl(fsp);
+- fc_fcp_unlock_pkt(fsp);
+ }
++ spin_unlock_bh(&fsp->scsi_pkt_lock);
+
+ fc_fcp_pkt_release(fsp);
+ spin_lock_irqsave(&si->scsi_queue_lock, flags);
projects / thirdparty / kernel / stable-queue.git / commitdiff
