3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 24 Mar 2015 13:10:13 +0000 (14:10 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 24 Mar 2015 13:10:13 +0000 (14:10 +0100)
added patches:
crypto-aesni-fix-memory-usage-in-gcm-decryption.patch
crypto-arm-aes-update-neon-aes-module-to-latest-openssl-version.patch
ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch
ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch
libsas-fix-kernel-crash-in-smp_execute_task.patch
netfilter-nft_compat-fix-module-refcount-underflow.patch
netfilter-xt_socket-fix-a-stack-corruption-bug.patch
pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch
x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch
x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch
x86-vdso-fix-the-build-on-gcc5.patch
xen-events-avoid-null-pointer-dereference-in-dom0-on-large-machines.patch
xen-pciback-limit-guest-control-of-command-register.patch

14 files changed:
queue-3.14/crypto-aesni-fix-memory-usage-in-gcm-decryption.patch [new file with mode: 0644]
queue-3.14/crypto-arm-aes-update-neon-aes-module-to-latest-openssl-version.patch [new file with mode: 0644]
queue-3.14/ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch [new file with mode: 0644]
queue-3.14/ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch [new file with mode: 0644]
queue-3.14/libsas-fix-kernel-crash-in-smp_execute_task.patch [new file with mode: 0644]
queue-3.14/netfilter-nft_compat-fix-module-refcount-underflow.patch [new file with mode: 0644]
queue-3.14/netfilter-xt_socket-fix-a-stack-corruption-bug.patch [new file with mode: 0644]
queue-3.14/pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch [new file with mode: 0644]
queue-3.14/series
queue-3.14/x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch [new file with mode: 0644]
queue-3.14/x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch [new file with mode: 0644]
queue-3.14/x86-vdso-fix-the-build-on-gcc5.patch [new file with mode: 0644]
queue-3.14/xen-events-avoid-null-pointer-dereference-in-dom0-on-large-machines.patch [new file with mode: 0644]
queue-3.14/xen-pciback-limit-guest-control-of-command-register.patch [new file with mode: 0644]

diff --git a/queue-3.14/crypto-aesni-fix-memory-usage-in-gcm-decryption.patch b/queue-3.14/crypto-aesni-fix-memory-usage-in-gcm-decryption.patch
new file mode 100644 (file)
index 0000000..815e395
--- /dev/null
@@ -0,0 +1,65 @@
+From ccfe8c3f7e52ae83155cb038753f4c75b774ca8a Mon Sep 17 00:00:00 2001
+From: Stephan Mueller <smueller@chronox.de>
+Date: Thu, 12 Mar 2015 09:17:51 +0100
+Subject: crypto: aesni - fix memory usage in GCM decryption
+
+From: Stephan Mueller <smueller@chronox.de>
+
+commit ccfe8c3f7e52ae83155cb038753f4c75b774ca8a upstream.
+
+The kernel crypto API logic requires the caller to provide the
+length of (ciphertext || authentication tag) as cryptlen for the
+AEAD decryption operation. Thus, the cipher implementation must
+calculate the size of the plaintext output itself and cannot simply use
+cryptlen.
+
+The RFC4106 GCM decryption operation tries to overwrite cryptlen memory
+in req->dst. As the destination buffer for decryption only needs to hold
+the plaintext memory but cryptlen references the input buffer holding
+(ciphertext || authentication tag), the assumption of the destination
+buffer length in RFC4106 GCM operation leads to a too large size. This
+patch simply uses the already calculated plaintext size.
+
+In addition, this patch fixes the offset calculation of the AAD buffer
+pointer: as mentioned before, cryptlen already includes the size of the
+tag. Thus, the tag does not need to be added. With the addition, the AAD
+will be written beyond the already allocated buffer.
+
+Note, this fixes a kernel crash that can be triggered from user space
+via AF_ALG(aead) -- simply use the libkcapi test application
+from [1] and update it to use rfc4106-gcm-aes.
+
+Using [1], the changes were tested using CAVS vectors to demonstrate
+that the crypto operation still delivers the right results.
+
+[1] http://www.chronox.de/libkcapi.html
+
+CC: Tadeusz Struk <tadeusz.struk@intel.com>
+Signed-off-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/crypto/aesni-intel_glue.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/crypto/aesni-intel_glue.c
++++ b/arch/x86/crypto/aesni-intel_glue.c
+@@ -1109,7 +1109,7 @@ static int __driver_rfc4106_decrypt(stru
+               src = kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC);
+               if (!src)
+                       return -ENOMEM;
+-              assoc = (src + req->cryptlen + auth_tag_len);
++              assoc = (src + req->cryptlen);
+               scatterwalk_map_and_copy(src, req->src, 0, req->cryptlen, 0);
+               scatterwalk_map_and_copy(assoc, req->assoc, 0,
+                       req->assoclen, 0);
+@@ -1134,7 +1134,7 @@ static int __driver_rfc4106_decrypt(stru
+               scatterwalk_done(&src_sg_walk, 0, 0);
+               scatterwalk_done(&assoc_sg_walk, 0, 0);
+       } else {
+-              scatterwalk_map_and_copy(dst, req->dst, 0, req->cryptlen, 1);
++              scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1);
+               kfree(src);
+       }
+       return retval;
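Review bot: The buffer layout that makes `assoc = (src + req->cryptlen)` correct is recorded nowhere near the kmalloc at the top of the hunk, and the offset it replaces shows how easy it is to get wrong; a comment on the allocation such as `/* cryptlen covers ciphertext || tag, so the AAD copy starts right after it */` would keep a later edit from re-adding auth_tag_len. The dst copy now writes `tempCipherLen` bytes, a value defined outside the hunk and presumably cryptlen minus auth_tag_len; that is only safe if an earlier check, not visible here, rejects requests with cryptlen smaller than auth_tag_len. __driver_rfc4106_decrypt starts before the hunk and its closing brace lies after it.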
diff --git a/queue-3.14/crypto-arm-aes-update-neon-aes-module-to-latest-openssl-version.patch b/queue-3.14/crypto-arm-aes-update-neon-aes-module-to-latest-openssl-version.patch
new file mode 100644 (file)
index 0000000..d486bed
--- /dev/null
@@ -0,0 +1,124 @@
+From 001eabfd54c0cbf9d7d16264ddc8cc0bee67e3ed Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Thu, 26 Feb 2015 07:22:05 +0000
+Subject: crypto: arm/aes update NEON AES module to latest OpenSSL version
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+commit 001eabfd54c0cbf9d7d16264ddc8cc0bee67e3ed upstream.
+
+This updates the bit sliced AES module to the latest version in the
+upstream OpenSSL repository (e620e5ae37bc). This is needed to fix a
+bug in the XTS decryption path, where data chunked in a certain way
+could trigger the ciphertext stealing code, which is not supposed to
+be active in the kernel build (The kernel implementation of XTS only
+supports round multiples of the AES block size of 16 bytes, whereas
+the conformant OpenSSL implementation of XTS supports inputs of
+arbitrary size by applying ciphertext stealing). This is fixed in
+the upstream version by adding the missing #ifndef XTS_CHAIN_TWEAK
+around the offending instructions.
+
+The upstream code also contains the change applied by Russell to
+build the code unconditionally, i.e., even if __LINUX_ARM_ARCH__ < 7,
+but implemented slightly differently.
+
+Fixes: e4e7f10bfc40 ("ARM: add support for bit sliced AES using NEON instructions")
+Reported-by: Adrian Kotelba <adrian.kotelba@gmail.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Tested-by: Milan Broz <gmazyland@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/crypto/aesbs-core.S_shipped |   12 ++++++++----
+ arch/arm/crypto/bsaes-armv7.pl       |   12 ++++++++----
+ 2 files changed, 16 insertions(+), 8 deletions(-)
+
+--- a/arch/arm/crypto/aesbs-core.S_shipped
++++ b/arch/arm/crypto/aesbs-core.S_shipped
+@@ -58,14 +58,18 @@
+ # define VFP_ABI_FRAME        0
+ # define BSAES_ASM_EXTENDED_KEY
+ # define XTS_CHAIN_TWEAK
+-# define __ARM_ARCH__ 7
++# define __ARM_ARCH__ __LINUX_ARM_ARCH__
++# define __ARM_MAX_ARCH__ 7
+ #endif
+ #ifdef __thumb__
+ # define adrl adr
+ #endif
+-#if __ARM_ARCH__>=7
++#if __ARM_MAX_ARCH__>=7
++.arch armv7-a
++.fpu  neon
++
+ .text
+ .syntax       unified         @ ARMv7-capable assembler is expected to handle this
+ #ifdef __thumb2__
+@@ -74,8 +78,6 @@
+ .code   32
+ #endif
+-.fpu  neon
+-
+ .type _bsaes_decrypt8,%function
+ .align        4
+ _bsaes_decrypt8:
+@@ -2095,9 +2097,11 @@ bsaes_xts_decrypt:
+       vld1.8  {q8}, [r0]                      @ initial tweak
+       adr     r2, .Lxts_magic
++#ifndef       XTS_CHAIN_TWEAK
+       tst     r9, #0xf                        @ if not multiple of 16
+       it      ne                              @ Thumb2 thing, sanity check in ARM
+       subne   r9, #0x10                       @ subtract another 16 bytes
++#endif
+       subs    r9, #0x80
+       blo     .Lxts_dec_short
+--- a/arch/arm/crypto/bsaes-armv7.pl
++++ b/arch/arm/crypto/bsaes-armv7.pl
+@@ -701,14 +701,18 @@ $code.=<<___;
+ # define VFP_ABI_FRAME        0
+ # define BSAES_ASM_EXTENDED_KEY
+ # define XTS_CHAIN_TWEAK
+-# define __ARM_ARCH__ 7
++# define __ARM_ARCH__ __LINUX_ARM_ARCH__
++# define __ARM_MAX_ARCH__ 7
+ #endif
+ #ifdef __thumb__
+ # define adrl adr
+ #endif
+-#if __ARM_ARCH__>=7
++#if __ARM_MAX_ARCH__>=7
++.arch armv7-a
++.fpu  neon
++
+ .text
+ .syntax       unified         @ ARMv7-capable assembler is expected to handle this
+ #ifdef __thumb2__
+@@ -717,8 +721,6 @@ $code.=<<___;
+ .code   32
+ #endif
+-.fpu  neon
+-
+ .type _bsaes_decrypt8,%function
+ .align        4
+ _bsaes_decrypt8:
+@@ -2076,9 +2078,11 @@ bsaes_xts_decrypt:
+       vld1.8  {@XMM[8]}, [r0]                 @ initial tweak
+       adr     $magic, .Lxts_magic
++#ifndef       XTS_CHAIN_TWEAK
+       tst     $len, #0xf                      @ if not multiple of 16
+       it      ne                              @ Thumb2 thing, sanity check in ARM
+       subne   $len, #0x10                     @ subtract another 16 bytes
++#endif
+       subs    $len, #0x80
+       blo     .Lxts_dec_short
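Review bot: The new `#ifndef XTS_CHAIN_TWEAK` guard around the `tst`/`it`/`subne` block in bsaes_xts_decrypt carries no explanation of what it disables, in both aesbs-core.S_shipped and bsaes-armv7.pl; a comment such as `@ ciphertext stealing: skipped when XTS_CHAIN_TWEAK is defined (the kernel build)` would tie it to the commit message. The .S_shipped file appears to be the generated form of the .pl, so any later change to this block has to be applied to both or the shipped file regenerated. bsaes_xts_decrypt begins and ends outside the hunk.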
diff --git a/queue-3.14/ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch b/queue-3.14/ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch
new file mode 100644 (file)
index 0000000..c0673f7
--- /dev/null
@@ -0,0 +1,49 @@
+From 528c943f3bb919aef75ab2fff4f00176f09a4019 Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Sat, 21 Feb 2015 21:03:10 +0200
+Subject: ipvs: add missing ip_vs_pe_put in sync code
+
+From: Julian Anastasov <ja@ssi.bg>
+
+commit 528c943f3bb919aef75ab2fff4f00176f09a4019 upstream.
+
+ip_vs_conn_fill_param_sync() gets in param.pe a module
+reference for persistence engine from __ip_vs_pe_getbyname()
+but forgets to put it. Problem occurs in backup for
+sync protocol v1 (2.6.39).
+
+Also, pe_data usually comes in sync messages for
+connection templates and ip_vs_conn_new() copies
+the pointer only in this case. Make sure pe_data
+is not leaked if it comes unexpectedly for normal
+connections. Leak can happen only if bogus messages
+are sent to backup server.
+
+Fixes: fe5e7a1efb66 ("IPVS: Backup, Adding Version 1 receive capability")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipvs/ip_vs_sync.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/ipvs/ip_vs_sync.c
++++ b/net/netfilter/ipvs/ip_vs_sync.c
+@@ -891,6 +891,8 @@ static void ip_vs_proc_conn(struct net *
+                       IP_VS_DBG(2, "BACKUP, add new conn. failed\n");
+                       return;
+               }
++              if (!(flags & IP_VS_CONN_F_TEMPLATE))
++                      kfree(param->pe_data);
+       }
+       if (opt)
+@@ -1164,6 +1166,7 @@ static inline int ip_vs_proc_sync_conn(s
+                               (opt_flags & IPVS_OPT_F_SEQ_DATA ? &opt : NULL)
+                               );
+ #endif
++      ip_vs_pe_put(param.pe);
+       return 0;
+       /* Error exit */
+ out:
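Review bot: The new unconditional `ip_vs_pe_put(param.pe)` before `return 0` in ip_vs_proc_sync_conn is only correct if ip_vs_pe_put() tolerates a NULL pe, since param.pe is set only when the sync message carried persistence-engine data; the hunk cannot show that, so it is worth confirming for this tree. The `out:` error exit that follows is outside the hunk, and if any path reaches it after the pe lookup has succeeded it would need the same put. The `kfree(param->pe_data)` in ip_vs_proc_conn deserves a one-line reason, e.g. `/* ip_vs_conn_new() keeps pe_data only for templates; drop it otherwise */`, because the commit message is currently the only place that rationale lives.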
diff --git a/queue-3.14/ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch b/queue-3.14/ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch
new file mode 100644 (file)
index 0000000..7bbe31e
--- /dev/null
@@ -0,0 +1,127 @@
+From 579eb62ac35845686a7c4286c0a820b4eb1f96aa Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Thu, 18 Dec 2014 22:41:23 +0200
+Subject: ipvs: rerouting to local clients is not needed anymore
+
+From: Julian Anastasov <ja@ssi.bg>
+
+commit 579eb62ac35845686a7c4286c0a820b4eb1f96aa upstream.
+
+commit f5a41847acc5 ("ipvs: move ip_route_me_harder for ICMP")
+from 2.6.37 introduced ip_route_me_harder() call for responses to
+local clients, so that we can provide valid rt_src after SNAT.
+It was used by TCP to provide valid daddr for ip_send_reply().
+After commit 0a5ebb8000c5 ("ipv4: Pass explicit daddr arg to
+ip_send_reply()." from 3.0 this rerouting is not needed anymore
+and should be avoided, especially in LOCAL_IN.
+
+Fixes 3.12.33 crash in xfrm reported by Florian Wiessner:
+"3.12.33 - BUG xfrm_selector_match+0x25/0x2f6"
+
+Reported-by: Smart Weblications GmbH - Florian Wiessner <f.wiessner@smart-weblications.de>
+Tested-by: Smart Weblications GmbH - Florian Wiessner <f.wiessner@smart-weblications.de>
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipvs/ip_vs_core.c |   33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -658,16 +658,24 @@ static inline int ip_vs_gather_frags(str
+       return err;
+ }
+-static int ip_vs_route_me_harder(int af, struct sk_buff *skb)
++static int ip_vs_route_me_harder(int af, struct sk_buff *skb,
++                               unsigned int hooknum)
+ {
++      if (!sysctl_snat_reroute(skb))
++              return 0;
++      /* Reroute replies only to remote clients (FORWARD and LOCAL_OUT) */
++      if (NF_INET_LOCAL_IN == hooknum)
++              return 0;
+ #ifdef CONFIG_IP_VS_IPV6
+       if (af == AF_INET6) {
+-              if (sysctl_snat_reroute(skb) && ip6_route_me_harder(skb) != 0)
++              struct dst_entry *dst = skb_dst(skb);
++
++              if (dst->dev && !(dst->dev->flags & IFF_LOOPBACK) &&
++                  ip6_route_me_harder(skb) != 0)
+                       return 1;
+       } else
+ #endif
+-              if ((sysctl_snat_reroute(skb) ||
+-                   skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
++              if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
+                   ip_route_me_harder(skb, RTN_LOCAL) != 0)
+                       return 1;
+@@ -790,7 +798,8 @@ static int handle_response_icmp(int af,
+                               union nf_inet_addr *snet,
+                               __u8 protocol, struct ip_vs_conn *cp,
+                               struct ip_vs_protocol *pp,
+-                              unsigned int offset, unsigned int ihl)
++                              unsigned int offset, unsigned int ihl,
++                              unsigned int hooknum)
+ {
+       unsigned int verdict = NF_DROP;
+@@ -820,7 +829,7 @@ static int handle_response_icmp(int af,
+ #endif
+               ip_vs_nat_icmp(skb, pp, cp, 1);
+-      if (ip_vs_route_me_harder(af, skb))
++      if (ip_vs_route_me_harder(af, skb, hooknum))
+               goto out;
+       /* do the statistics and put it back */
+@@ -915,7 +924,7 @@ static int ip_vs_out_icmp(struct sk_buff
+       snet.ip = iph->saddr;
+       return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp,
+-                                  pp, ciph.len, ihl);
++                                  pp, ciph.len, ihl, hooknum);
+ }
+ #ifdef CONFIG_IP_VS_IPV6
+@@ -980,7 +989,8 @@ static int ip_vs_out_icmp_v6(struct sk_b
+       snet.in6 = ciph.saddr.in6;
+       writable = ciph.len;
+       return handle_response_icmp(AF_INET6, skb, &snet, ciph.protocol, cp,
+-                                  pp, writable, sizeof(struct ipv6hdr));
++                                  pp, writable, sizeof(struct ipv6hdr),
++                                  hooknum);
+ }
+ #endif
+@@ -1039,7 +1049,8 @@ static inline bool is_new_conn(const str
+  */
+ static unsigned int
+ handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
+-              struct ip_vs_conn *cp, struct ip_vs_iphdr *iph)
++              struct ip_vs_conn *cp, struct ip_vs_iphdr *iph,
++              unsigned int hooknum)
+ {
+       struct ip_vs_protocol *pp = pd->pp;
+@@ -1077,7 +1088,7 @@ handle_response(int af, struct sk_buff *
+        * if it came from this machine itself.  So re-compute
+        * the routing information.
+        */
+-      if (ip_vs_route_me_harder(af, skb))
++      if (ip_vs_route_me_harder(af, skb, hooknum))
+               goto drop;
+       IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT");
+@@ -1180,7 +1191,7 @@ ip_vs_out(unsigned int hooknum, struct s
+       cp = pp->conn_out_get(af, skb, &iph, 0);
+       if (likely(cp))
+-              return handle_response(af, skb, pd, cp, &iph);
++              return handle_response(af, skb, pd, cp, &iph, hooknum);
+       if (sysctl_nat_icmp_send(net) &&
+           (pp->protocol == IPPROTO_TCP ||
+            pp->protocol == IPPROTO_UDP ||
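Review bot: In the new IPv6 branch of ip_vs_route_me_harder, `dst->dev` is dereferenced directly after `dst = skb_dst(skb)` with no NULL check on dst, and the IPv4 branch likewise trusts skb_rtable(skb); if this relies on a dst always being attached in FORWARD and LOCAL_OUT (plausible, since LOCAL_IN now returns early), a comment stating that assumption would help, e.g. `/* FORWARD/LOCAL_OUT replies always carry a dst here */`. The `IFF_LOOPBACK` test in the IPv6 branch mirrors the `RTCF_LOCAL` test in the IPv4 branch but has no comment of its own; the existing `/* Reroute replies only to remote clients ... */` line could be extended to say that loopback and locally-routed replies are skipped for the same reason. The function's tail, including its `return 0` and closing brace, is outside the hunk.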
diff --git a/queue-3.14/libsas-fix-kernel-crash-in-smp_execute_task.patch b/queue-3.14/libsas-fix-kernel-crash-in-smp_execute_task.patch
new file mode 100644 (file)
index 0000000..1c6b4b5
--- /dev/null
@@ -0,0 +1,97 @@
+From 6302ce4d80aa82b3fdb5c5cd68e7268037091b47 Mon Sep 17 00:00:00 2001
+From: James Bottomley <JBottomley@Parallels.com>
+Date: Wed, 4 Mar 2015 16:18:33 -0800
+Subject: libsas: Fix Kernel Crash in smp_execute_task
+
+From: James Bottomley <JBottomley@Parallels.com>
+
+commit 6302ce4d80aa82b3fdb5c5cd68e7268037091b47 upstream.
+
+This crash was reported:
+
+[  366.947370] sd 3:0:1:0: [sdb] Spinning up disk....
+[  368.804046] BUG: unable to handle kernel NULL pointer dereference at           (null)
+[  368.804072] IP: [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
+[  368.804098] PGD 0
+[  368.804114] Oops: 0002 [#1] SMP
+[  368.804143] CPU 1
+[  368.804151] Modules linked in: sg netconsole s3g(PO) uinput joydev hid_multitouch usbhid hid snd_hda_codec_via cpufreq_userspace cpufreq_powersave cpufreq_stats uhci_hcd cpufreq_conservative snd_hda_intel snd_hda_codec snd_hwdep snd_pcm sdhci_pci snd_page_alloc sdhci snd_timer snd psmouse evdev serio_raw pcspkr soundcore xhci_hcd shpchp s3g_drm(O) mvsas mmc_core ahci libahci drm i2c_core acpi_cpufreq mperf video processor button thermal_sys dm_dmirror exfat_fs exfat_core dm_zcache dm_mod padlock_aes aes_generic padlock_sha iscsi_target_mod target_core_mod configfs sswipe libsas libata scsi_transport_sas picdev via_cputemp hwmon_vid fuse parport_pc ppdev lp parport autofs4 ext4 crc16 mbcache jbd2 sd_mod crc_t10dif usb_storage scsi_mod ehci_hcd usbcore usb_common
+[  368.804749]
+[  368.804764] Pid: 392, comm: kworker/u:3 Tainted: P        W  O 3.4.87-logicube-ng.22 #1 To be filled by O.E.M. To be filled by O.E.M./EPIA-M920
+[  368.804802] RIP: 0010:[<ffffffff81358457>]  [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
+[  368.804827] RSP: 0018:ffff880117001cc0  EFLAGS: 00010246
+[  368.804842] RAX: 0000000000000000 RBX: ffff8801185030d0 RCX: ffff88008edcb420
+[  368.804857] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff8801185030d4
+[  368.804873] RBP: ffff8801181531c0 R08: 0000000000000020 R09: 00000000fffffffe
+[  368.804885] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801185030d4
+[  368.804899] R13: 0000000000000002 R14: ffff880117001fd8 R15: ffff8801185030d8
+[  368.804916] FS:  0000000000000000(0000) GS:ffff88011fc80000(0000) knlGS:0000000000000000
+[  368.804931] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[  368.804946] CR2: 0000000000000000 CR3: 000000000160b000 CR4: 00000000000006e0
+[  368.804962] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[  368.804978] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[  368.804995] Process kworker/u:3 (pid: 392, threadinfo ffff880117000000, task ffff8801181531c0)
+[  368.805009] Stack:
+[  368.805017]  ffff8801185030d8 0000000000000000 ffffffff8161ddf0 ffffffff81056f7c
+[  368.805062]  000000000000b503 ffff8801185030d0 ffff880118503000 0000000000000000
+[  368.805100]  ffff8801185030d0 ffff8801188b8000 ffff88008edcb420 ffffffff813583ac
+[  368.805135] Call Trace:
+[  368.805153]  [<ffffffff81056f7c>] ? up+0xb/0x33
+[  368.805168]  [<ffffffff813583ac>] ? mutex_lock+0x16/0x25
+[  368.805194]  [<ffffffffa018c414>] ? smp_execute_task+0x4e/0x222 [libsas]
+[  368.805217]  [<ffffffffa018ce1c>] ? sas_find_bcast_dev+0x3c/0x15d [libsas]
+[  368.805240]  [<ffffffffa018ce4f>] ? sas_find_bcast_dev+0x6f/0x15d [libsas]
+[  368.805264]  [<ffffffffa018e989>] ? sas_ex_revalidate_domain+0x37/0x2ec [libsas]
+[  368.805280]  [<ffffffff81355a2a>] ? printk+0x43/0x48
+[  368.805296]  [<ffffffff81359a65>] ? _raw_spin_unlock_irqrestore+0xc/0xd
+[  368.805318]  [<ffffffffa018b767>] ? sas_revalidate_domain+0x85/0xb6 [libsas]
+[  368.805336]  [<ffffffff8104e5d9>] ? process_one_work+0x151/0x27c
+[  368.805351]  [<ffffffff8104f6cd>] ? worker_thread+0xbb/0x152
+[  368.805366]  [<ffffffff8104f612>] ? manage_workers.isra.29+0x163/0x163
+[  368.805382]  [<ffffffff81052c4e>] ? kthread+0x79/0x81
+[  368.805399]  [<ffffffff8135fea4>] ? kernel_thread_helper+0x4/0x10
+[  368.805416]  [<ffffffff81052bd5>] ? kthread_flush_work_fn+0x9/0x9
+[  368.805431]  [<ffffffff8135fea0>] ? gs_change+0x13/0x13
+[  368.805442] Code: 83 7d 30 63 7e 04 f3 90 eb ab 4c 8d 63 04 4c 8d 7b 08 4c 89 e7 e8 fa 15 00 00 48 8b 43 10 4c 89 3c 24 48 89 63 10 48 89 44 24 08 <48> 89 20 83 c8 ff 48 89 6c 24 10 87 03 ff c8 74 35 4d 89 ee 41
+[  368.805851] RIP  [<ffffffff81358457>] __mutex_lock_common.isra.7+0x9c/0x15b
+[  368.805877]  RSP <ffff880117001cc0>
+[  368.805886] CR2: 0000000000000000
+[  368.805899] ---[ end trace b720682065d8f4cc ]---
+
+It's directly caused by 89d3cf6 [SCSI] libsas: add mutex for SMP task
+execution, but shows a deeper cause: expander functions expect to be able to
+cast to and treat domain devices as expanders.  The correct fix is to only do
+expander discover when we know we've got an expander device to avoid wrongly
+casting a non-expander device.
+
+Reported-by: Praveen Murali <pmurali@logicube.com>
+Tested-by: Praveen Murali <pmurali@logicube.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/libsas/sas_discover.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/libsas/sas_discover.c
++++ b/drivers/scsi/libsas/sas_discover.c
+@@ -500,6 +500,7 @@ static void sas_revalidate_domain(struct
+       struct sas_discovery_event *ev = to_sas_discovery_event(work);
+       struct asd_sas_port *port = ev->port;
+       struct sas_ha_struct *ha = port->ha;
++      struct domain_device *ddev = port->port_dev;
+       /* prevent revalidation from finding sata links in recovery */
+       mutex_lock(&ha->disco_mutex);
+@@ -514,8 +515,9 @@ static void sas_revalidate_domain(struct
+       SAS_DPRINTK("REVALIDATING DOMAIN on port %d, pid:%d\n", port->id,
+                   task_pid_nr(current));
+-      if (port->port_dev)
+-              res = sas_ex_revalidate_domain(port->port_dev);
++      if (ddev && (ddev->dev_type == SAS_FANOUT_EXPANDER_DEVICE ||
++                   ddev->dev_type == SAS_EDGE_EXPANDER_DEVICE))
++              res = sas_ex_revalidate_domain(ddev);
+       SAS_DPRINTK("done REVALIDATING DOMAIN on port %d, pid:%d, res 0x%x\n",
+                   port->id, task_pid_nr(current), res);
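Review bot: `ddev = port->port_dev` is now read at declaration time, before `mutex_lock(&ha->disco_mutex)`, whereas the code it replaces read `port->port_dev` after the lock was taken; if disco_mutex is what protects port_dev against concurrent teardown (not visible here), the snapshot can be stale by the time dev_type is inspected. Declaring `struct domain_device *ddev;` at the top and assigning `ddev = port->port_dev;` right after the mutex_lock keeps the original ordering. When the port device is not an expander the call is now skipped and `res` keeps whatever value it was initialised with above the hunk, which the final SAS_DPRINTK then reports; that is presumably intended but worth a comment. sas_revalidate_domain starts before the hunk and continues after it.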
diff --git a/queue-3.14/netfilter-nft_compat-fix-module-refcount-underflow.patch b/queue-3.14/netfilter-nft_compat-fix-module-refcount-underflow.patch
new file mode 100644 (file)
index 0000000..8633aa0
--- /dev/null
@@ -0,0 +1,61 @@
+From 520aa7414bb590f39d0d1591b06018e60cbc7cf4 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 12 Feb 2015 22:15:31 +0100
+Subject: netfilter: nft_compat: fix module refcount underflow
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 520aa7414bb590f39d0d1591b06018e60cbc7cf4 upstream.
+
+Feb 12 18:20:42 nfdev kernel: ------------[ cut here ]------------
+Feb 12 18:20:42 nfdev kernel: WARNING: CPU: 4 PID: 4359 at kernel/module.c:963 module_put+0x9b/0xba()
+Feb 12 18:20:42 nfdev kernel: CPU: 4 PID: 4359 Comm: ebtables-compat Tainted: G        W      3.19.0-rc6+ #43
+[...]
+Feb 12 18:20:42 nfdev kernel: Call Trace:
+Feb 12 18:20:42 nfdev kernel: [<ffffffff815fd911>] dump_stack+0x4c/0x65
+Feb 12 18:20:42 nfdev kernel: [<ffffffff8103e6f7>] warn_slowpath_common+0x9c/0xb6
+Feb 12 18:20:42 nfdev kernel: [<ffffffff8109919f>] ? module_put+0x9b/0xba
+Feb 12 18:20:42 nfdev kernel: [<ffffffff8103e726>] warn_slowpath_null+0x15/0x17
+Feb 12 18:20:42 nfdev kernel: [<ffffffff8109919f>] module_put+0x9b/0xba
+Feb 12 18:20:42 nfdev kernel: [<ffffffff813ecf7c>] nft_match_destroy+0x45/0x4c
+Feb 12 18:20:42 nfdev kernel: [<ffffffff813e683f>] nf_tables_rule_destroy+0x28/0x70
+
+Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nft_compat.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nft_compat.c
++++ b/net/netfilter/nft_compat.c
+@@ -611,8 +611,12 @@ nft_match_select_ops(const struct nft_ct
+               struct xt_match *match = nft_match->ops.data;
+               if (strcmp(match->name, mt_name) == 0 &&
+-                  match->revision == rev && match->family == family)
++                  match->revision == rev && match->family == family) {
++                      if (!try_module_get(match->me))
++                              return ERR_PTR(-ENOENT);
++
+                       return &nft_match->ops;
++              }
+       }
+       match = xt_request_find_match(family, mt_name, rev);
+@@ -682,8 +686,12 @@ nft_target_select_ops(const struct nft_c
+               struct xt_target *target = nft_target->ops.data;
+               if (strcmp(target->name, tg_name) == 0 &&
+-                  target->revision == rev && target->family == family)
++                  target->revision == rev && target->family == family) {
++                      if (!try_module_get(target->me))
++                              return ERR_PTR(-ENOENT);
++
+                       return &nft_target->ops;
++              }
+       }
+       target = xt_request_find_target(family, tg_name, rev);
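Review bot: The reason for the new `try_module_get(match->me)` on the cached-ops path in nft_match_select_ops lives only in the commit message; a comment such as `/* nft_match_destroy() does a module_put() per rule, so every lookup must take a reference */` would tell the next reader why a hit in the list is not free, and the same applies to the target hunk in nft_target_select_ops. Returning `ERR_PTR(-ENOENT)` for a module that is going away is a choice that also deserves a short comment. Both enclosing loops start outside the hunk.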
diff --git a/queue-3.14/netfilter-xt_socket-fix-a-stack-corruption-bug.patch b/queue-3.14/netfilter-xt_socket-fix-a-stack-corruption-bug.patch
new file mode 100644 (file)
index 0000000..dc3e54f
--- /dev/null
@@ -0,0 +1,85 @@
+From 78296c97ca1fd3b104f12e1f1fbc06c46635990b Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 15 Feb 2015 19:03:45 -0800
+Subject: netfilter: xt_socket: fix a stack corruption bug
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 78296c97ca1fd3b104f12e1f1fbc06c46635990b upstream.
+
+As soon as extract_icmp6_fields() returns, its local storage (automatic
+variables) is deallocated and can be overwritten.
+
+Lets add an additional parameter to make sure storage is valid long
+enough.
+
+While we are at it, adds some const qualifiers.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Fixes: b64c9256a9b76 ("tproxy: added IPv6 support to the socket match")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/xt_socket.c |   21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/net/netfilter/xt_socket.c
++++ b/net/netfilter/xt_socket.c
+@@ -243,12 +243,13 @@ static int
+ extract_icmp6_fields(const struct sk_buff *skb,
+                    unsigned int outside_hdrlen,
+                    int *protocol,
+-                   struct in6_addr **raddr,
+-                   struct in6_addr **laddr,
++                   const struct in6_addr **raddr,
++                   const struct in6_addr **laddr,
+                    __be16 *rport,
+-                   __be16 *lport)
++                   __be16 *lport,
++                   struct ipv6hdr *ipv6_var)
+ {
+-      struct ipv6hdr *inside_iph, _inside_iph;
++      const struct ipv6hdr *inside_iph;
+       struct icmp6hdr *icmph, _icmph;
+       __be16 *ports, _ports[2];
+       u8 inside_nexthdr;
+@@ -263,12 +264,14 @@ extract_icmp6_fields(const struct sk_buf
+       if (icmph->icmp6_type & ICMPV6_INFOMSG_MASK)
+               return 1;
+-      inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph), sizeof(_inside_iph), &_inside_iph);
++      inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph),
++                                      sizeof(*ipv6_var), ipv6_var);
+       if (inside_iph == NULL)
+               return 1;
+       inside_nexthdr = inside_iph->nexthdr;
+-      inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) + sizeof(_inside_iph),
++      inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) +
++                                            sizeof(*ipv6_var),
+                                        &inside_nexthdr, &inside_fragoff);
+       if (inside_hdrlen < 0)
+               return 1; /* hjm: Packet has no/incomplete transport layer headers. */
+@@ -315,10 +318,10 @@ xt_socket_get_sock_v6(struct net *net, c
+ static bool
+ socket_mt6_v1_v2(const struct sk_buff *skb, struct xt_action_param *par)
+ {
+-      struct ipv6hdr *iph = ipv6_hdr(skb);
++      struct ipv6hdr ipv6_var, *iph = ipv6_hdr(skb);
+       struct udphdr _hdr, *hp = NULL;
+       struct sock *sk = skb->sk;
+-      struct in6_addr *daddr = NULL, *saddr = NULL;
++      const struct in6_addr *daddr = NULL, *saddr = NULL;
+       __be16 uninitialized_var(dport), uninitialized_var(sport);
+       int thoff = 0, uninitialized_var(tproto);
+       const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo;
+@@ -342,7 +345,7 @@ socket_mt6_v1_v2(const struct sk_buff *s
+       } else if (tproto == IPPROTO_ICMPV6) {
+               if (extract_icmp6_fields(skb, thoff, &tproto, &saddr, &daddr,
+-                                       &sport, &dport))
++                                       &sport, &dport, &ipv6_var))
+                       return false;
+       } else {
+               return false;
diff --git a/queue-3.14/pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch b/queue-3.14/pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch
new file mode 100644 (file)
index 0000000..336aae9
--- /dev/null
@@ -0,0 +1,45 @@
+From ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Mon, 9 Mar 2015 23:11:12 +0200
+Subject: pagemap: do not leak physical addresses to non-privileged userspace
+
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+
+commit ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce upstream.
+
+As pointed by recent post[1] on exploiting DRAM physical imperfection,
+/proc/PID/pagemap exposes sensitive information which can be used to do
+attacks.
+
+This disallows anybody without CAP_SYS_ADMIN to read the pagemap.
+
+[1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
+
+[ Eventually we might want to do anything more finegrained, but for now
+  this is the simple model.   - Linus ]
+
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Acked-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
+Acked-by: Andy Lutomirski <luto@amacapital.net>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mark Seaborn <mseaborn@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/task_mmu.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -1227,6 +1227,9 @@ out:
+ static int pagemap_open(struct inode *inode, struct file *file)
+ {
++      /* do not disclose physical addresses: attack vector */
++      if (!capable(CAP_SYS_ADMIN))
++              return -EPERM;
+       pr_warn_once("Bits 55-60 of /proc/PID/pagemap entries are about "
+                       "to stop being page-shift some time soon. See the "
+                       "linux/Documentation/vm/pagemap.txt for details.\n");
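Review bot: The capability check added at the top of pagemap_open() is evaluated once, at open() time, and nothing is recorded on the struct file, so the protection rests on the assumption that whoever later reads through the descriptor is the task that opened it; a descriptor opened by a CAP_SYS_ADMIN task and then inherited by or passed to a less-privileged one still returns physical addresses. That is the usual kernel convention for capability-gated procfs files, but the comment should say so, e.g. `/* do not disclose physical addresses: attack vector (checked at open() only; the fd is trusted afterwards) */`. A blanket -EPERM also denies unprivileged readers the rest of each pagemap entry, not only the PFN, which the bracketed note in the description concedes is a coarse first model; masking only the address field for unprivileged openers would be the finer-grained alternative. The remainder of pagemap_open() is outside the hunk.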
index 44779129724f981afee487221afd91f11cd3ffbc..f948ae530c4fe78c6b4ddb74d7263a0621fd9afa 100644 (file)
@@ -51,3 +51,16 @@ regulator-only-enable-disabled-regulators-on-resume.patch
 regulator-core-fix-enable-gpio-reference-counting.patch
 nilfs2-fix-deadlock-of-segment-constructor-during-recovery.patch
 drm-vmwgfx-reorder-device-takedown-somewhat.patch
+xen-events-avoid-null-pointer-dereference-in-dom0-on-large-machines.patch
+xen-pciback-limit-guest-control-of-command-register.patch
+libsas-fix-kernel-crash-in-smp_execute_task.patch
+pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch
+crypto-arm-aes-update-neon-aes-module-to-latest-openssl-version.patch
+crypto-aesni-fix-memory-usage-in-gcm-decryption.patch
+x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch
+x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch
+x86-vdso-fix-the-build-on-gcc5.patch
+ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch
+ipvs-rerouting-to-local-clients-is-not-needed-anymore.patch
+netfilter-nft_compat-fix-module-refcount-underflow.patch
+netfilter-xt_socket-fix-a-stack-corruption-bug.patch
diff --git a/queue-3.14/x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch b/queue-3.14/x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch
new file mode 100644 (file)
index 0000000..9e6d572
--- /dev/null
@@ -0,0 +1,87 @@
+From a7c80ebcac3068b1c3cb27d538d29558c30010c8 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Fri, 13 Mar 2015 09:53:09 +0100
+Subject: x86/fpu: Avoid math_state_restore() without used_math() in __restore_xstate_sig()
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit a7c80ebcac3068b1c3cb27d538d29558c30010c8 upstream.
+
+math_state_restore() assumes it is called with irqs disabled,
+but this is not true if the caller is __restore_xstate_sig().
+
+This means that if ia32_fxstate == T and __copy_from_user()
+fails, __restore_xstate_sig() returns with irqs disabled too.
+
+This triggers:
+
+  BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:41
+   dump_stack
+   ___might_sleep
+   ? _raw_spin_unlock_irqrestore
+   __might_sleep
+   down_read
+   ? _raw_spin_unlock_irqrestore
+   print_vma_addr
+   signal_fault
+   sys32_rt_sigreturn
+
+Change __restore_xstate_sig() to call set_used_math()
+unconditionally. This avoids enabling and disabling interrupts
+in math_state_restore(). If copy_from_user() fails, we can
+simply do fpu_finit() by hand.
+
+[ Note: this is only the first step. math_state_restore() should
+        not check used_math(), it should set this flag. While
+       init_fpu() should simply die. ]
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Pekka Riikonen <priikone@iki.fi>
+Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Suresh Siddha <sbsiddha@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20150307153844.GB25954@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/xsave.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/xsave.c
++++ b/arch/x86/kernel/xsave.c
+@@ -375,7 +375,7 @@ int __restore_xstate_sig(void __user *bu
+                * thread's fpu state, reconstruct fxstate from the fsave
+                * header. Sanitize the copied state etc.
+                */
+-              struct xsave_struct *xsave = &tsk->thread.fpu.state->xsave;
++              struct fpu *fpu = &tsk->thread.fpu;
+               struct user_i387_ia32_struct env;
+               int err = 0;
+@@ -389,14 +389,15 @@ int __restore_xstate_sig(void __user *bu
+                */
+               drop_fpu(tsk);
+-              if (__copy_from_user(xsave, buf_fx, state_size) ||
++              if (__copy_from_user(&fpu->state->xsave, buf_fx, state_size) ||
+                   __copy_from_user(&env, buf, sizeof(env))) {
++                      fpu_finit(fpu);
+                       err = -1;
+               } else {
+                       sanitize_restored_xstate(tsk, &env, xstate_bv, fx_only);
+-                      set_used_math();
+               }
++              set_used_math();
+               if (use_eager_fpu()) {
+                       preempt_disable();
+                       math_state_restore();
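Review bot: The new `fpu_finit(fpu);` on the __copy_from_user() failure path is what makes the now-unconditional `set_used_math();` safe — a partially copied xsave area would otherwise be flagged as live state and picked up on the next restore — but nothing in the code says so, and the ordering is easy to break in a later refactor. A one-line comment above the call, `/* copy failed: reset to init state before set_used_math() below marks it live */`, would pin the dependency next to the code. __restore_xstate_sig() begins and ends outside the hunk.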
diff --git a/queue-3.14/x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch b/queue-3.14/x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch
new file mode 100644 (file)
index 0000000..0b02631
--- /dev/null
@@ -0,0 +1,50 @@
+From f4c3686386393c120710dd34df2a74183ab805fd Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Fri, 13 Mar 2015 09:53:10 +0100
+Subject: x86/fpu: Drop_fpu() should not assume that tsk equals current
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit f4c3686386393c120710dd34df2a74183ab805fd upstream.
+
+drop_fpu() does clear_used_math() and usually this is correct
+because tsk == current.
+
+However switch_fpu_finish()->restore_fpu_checking() is called before
+__switch_to() updates the "current_task" variable. If it fails,
+we will wrongly clear the PF_USED_MATH flag of the previous task.
+
+So use clear_stopped_child_used_math() instead.
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Rik van Riel <riel@redhat.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Pekka Riikonen <priikone@iki.fi>
+Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Cc: Suresh Siddha <sbsiddha@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20150309171041.GB11388@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/fpu-internal.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/fpu-internal.h
++++ b/arch/x86/include/asm/fpu-internal.h
+@@ -368,7 +368,7 @@ static inline void drop_fpu(struct task_
+       preempt_disable();
+       tsk->thread.fpu_counter = 0;
+       __drop_fpu(tsk);
+-      clear_used_math();
++      clear_stopped_child_used_math(tsk);
+       preempt_enable();
+ }
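Review bot: The switch from `clear_used_math()` to `clear_stopped_child_used_math(tsk)` is correct only because of an ordering fact about __switch_to() that lives in the commit message rather than in the code, and the helper's name suggests it is meant for stopped children, which invites a future reader to "fix" it back. A comment on the line, `/* tsk need not be current (switch_fpu_finish() runs before current_task is updated): clear the flag on tsk explicitly */`, keeps the reason beside the call. The opening of drop_fpu() is outside the hunk.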
diff --git a/queue-3.14/x86-vdso-fix-the-build-on-gcc5.patch b/queue-3.14/x86-vdso-fix-the-build-on-gcc5.patch
new file mode 100644 (file)
index 0000000..0e06df8
--- /dev/null
@@ -0,0 +1,62 @@
+From e893286918d2cde3a94850d8f7101cd1039e0c62 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Thu, 5 Mar 2015 09:13:31 +0100
+Subject: x86/vdso: Fix the build on GCC5
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit e893286918d2cde3a94850d8f7101cd1039e0c62 upstream.
+
+On gcc5 the kernel does not link:
+
+  ld: .eh_frame_hdr table[4] FDE at 0000000000000648 overlaps table[5] FDE at 0000000000000670.
+
+Because prior GCC versions always emitted NOPs on ALIGN directives, but
+gcc5 started omitting them.
+
+.LSTARTFDEDLSI1 says:
+
+        /* HACK: The dwarf2 unwind routines will subtract 1 from the
+           return address to get an address in the middle of the
+           presumed call instruction.  Since we didn't get here via
+           a call, we need to include the nop before the real start
+           to make up for it.  */
+        .long .LSTART_sigreturn-1-.     /* PC-relative start address */
+
+But commit 69d0627a7f6e ("x86 vDSO: reorder vdso32 code") from 2.6.25
+replaced .org __kernel_vsyscall+32,0x90 by ALIGN right before
+__kernel_sigreturn.
+
+Of course, ALIGN need not generate any NOP in there. Esp. gcc5 collapses
+vclock_gettime.o and int80.o together with no generated NOPs as "ALIGN".
+
+So fix this by adding to that point at least a single NOP and make the
+function ALIGN possibly with more NOPs then.
+
+Kudos for reporting and diagnosing should go to Richard.
+
+Reported-by: Richard Biener <rguenther@suse.de>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Acked-by: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/1425543211-12542-1-git-send-email-jslaby@suse.cz
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/vdso/vdso32/sigreturn.S |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/vdso/vdso32/sigreturn.S
++++ b/arch/x86/vdso/vdso32/sigreturn.S
+@@ -17,6 +17,7 @@
+       .text
+       .globl __kernel_sigreturn
+       .type __kernel_sigreturn,@function
++      nop /* this guy is needed for .LSTARTFDEDLSI1 below (watch for HACK) */
+       ALIGN
+ __kernel_sigreturn:
+ .LSTART_sigreturn:
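Review bot: The comment on the added `nop` describes the symptom but not the invariant it restores: `.LSTARTFDEDLSI1` encodes `.LSTART_sigreturn-1`, so at least one byte of this section must precede `__kernel_sigreturn`, and ALIGN alone is not guaranteed to emit any padding. Rewording it as `nop /* .LSTARTFDEDLSI1 uses .LSTART_sigreturn-1: guarantee one byte precedes the label, ALIGN may emit none */` states the rule a later cleanup would otherwise break again. The HACK comment this depends on is outside the hunk.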
diff --git a/queue-3.14/xen-events-avoid-null-pointer-dereference-in-dom0-on-large-machines.patch b/queue-3.14/xen-events-avoid-null-pointer-dereference-in-dom0-on-large-machines.patch
new file mode 100644 (file)
index 0000000..cbc9fbe
--- /dev/null
@@ -0,0 +1,65 @@
+From 85e40b0539b24518c8bdf63e2605c8522377d00f Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Thu, 26 Feb 2015 06:52:05 +0100
+Subject: xen/events: avoid NULL pointer dereference in dom0 on large machines
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 85e40b0539b24518c8bdf63e2605c8522377d00f upstream.
+
+Using the pvops kernel a NULL pointer dereference was detected on a
+large machine (144 processors) when booting as dom0 in
+evtchn_fifo_unmask() during assignment of a pirq.
+
+The event channel in question was the first to need a new entry in
+event_array[] in events_fifo.c. Unfortunately xen_irq_info_pirq_setup()
+is called with evtchn being 0 for a new pirq and the real event channel
+number is assigned to the pirq only during __startup_pirq().
+
+It is mandatory to call xen_evtchn_port_setup() after assigning the
+event channel number to the pirq to make sure all memory needed for the
+event channel is allocated.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/events/events_base.c |   18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -547,20 +547,26 @@ static unsigned int __startup_pirq(unsig
+       pirq_query_unmask(irq);
+       rc = set_evtchn_to_irq(evtchn, irq);
+-      if (rc != 0) {
+-              pr_err("irq%d: Failed to set port to irq mapping (%d)\n",
+-                     irq, rc);
+-              xen_evtchn_close(evtchn);
+-              return 0;
+-      }
++      if (rc)
++              goto err;
++
+       bind_evtchn_to_cpu(evtchn, 0);
+       info->evtchn = evtchn;
++      rc = xen_evtchn_port_setup(info);
++      if (rc)
++              goto err;
++
+ out:
+       unmask_evtchn(evtchn);
+       eoi_pirq(irq_get_irq_data(irq));
+       return 0;
++
++err:
++      pr_err("irq%d: Failed to set port to irq mapping (%d)\n", irq, rc);
++      xen_evtchn_close(evtchn);
++      return 0;
+ }
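Review bot: The shared `err:` label now prints "Failed to set port to irq mapping" for a xen_evtchn_port_setup() failure as well as for set_evtchn_to_irq(), which points whoever reads the log at the wrong call; a generic message such as `pr_err("irq%d: Failed to set up event channel (%d)\n", irq, rc);` or a separate pr_err per failure site would keep the diagnosis accurate. On the second failure the evtchn-to-irq mapping and `info->evtchn = evtchn` are already established, and the error path only closes the channel; unless xen_evtchn_close() also undoes that mapping (not visible here), the stale mapping survives the failed startup. __startup_pirq() starts outside the hunk.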
+ static unsigned int startup_pirq(struct irq_data *data)
diff --git a/queue-3.14/xen-pciback-limit-guest-control-of-command-register.patch b/queue-3.14/xen-pciback-limit-guest-control-of-command-register.patch
new file mode 100644 (file)
index 0000000..89240bc
--- /dev/null
@@ -0,0 +1,154 @@
+From af6fc858a35b90e89ea7a7ee58e66628c55c776b Mon Sep 17 00:00:00 2001
+From: Jan Beulich <JBeulich@suse.com>
+Date: Wed, 11 Mar 2015 13:51:17 +0000
+Subject: xen-pciback: limit guest control of command register
+
+From: Jan Beulich <JBeulich@suse.com>
+
+commit af6fc858a35b90e89ea7a7ee58e66628c55c776b upstream.
+
+Otherwise the guest can abuse that control to cause e.g. PCIe
+Unsupported Request responses by disabling memory and/or I/O decoding
+and subsequently causing (CPU side) accesses to the respective address
+ranges, which (depending on system configuration) may be fatal to the
+host.
+
+Note that to alter any of the bits collected together as
+PCI_COMMAND_GUEST permissive mode is now required to be enabled
+globally or on the specific device.
+
+This is CVE-2015-2150 / XSA-120.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xen-pciback/conf_space.c        |    2 
+ drivers/xen/xen-pciback/conf_space.h        |    2 
+ drivers/xen/xen-pciback/conf_space_header.c |   59 ++++++++++++++++++++++------
+ 3 files changed, 50 insertions(+), 13 deletions(-)
+
+--- a/drivers/xen/xen-pciback/conf_space.c
++++ b/drivers/xen/xen-pciback/conf_space.c
+@@ -16,7 +16,7 @@
+ #include "conf_space.h"
+ #include "conf_space_quirks.h"
+-static bool permissive;
++bool permissive;
+ module_param(permissive, bool, 0644);
+ /* This is where xen_pcibk_read_config_byte, xen_pcibk_read_config_word,
+--- a/drivers/xen/xen-pciback/conf_space.h
++++ b/drivers/xen/xen-pciback/conf_space.h
+@@ -64,6 +64,8 @@ struct config_field_entry {
+       void *data;
+ };
++extern bool permissive;
++
+ #define OFFSET(cfg_entry) ((cfg_entry)->base_offset+(cfg_entry)->field->offset)
+ /* Add fields to a device - the add_fields macro expects to get a pointer to
+--- a/drivers/xen/xen-pciback/conf_space_header.c
++++ b/drivers/xen/xen-pciback/conf_space_header.c
+@@ -11,6 +11,10 @@
+ #include "pciback.h"
+ #include "conf_space.h"
++struct pci_cmd_info {
++      u16 val;
++};
++
+ struct pci_bar_info {
+       u32 val;
+       u32 len_val;
+@@ -20,22 +24,36 @@ struct pci_bar_info {
+ #define is_enable_cmd(value) ((value)&(PCI_COMMAND_MEMORY|PCI_COMMAND_IO))
+ #define is_master_cmd(value) ((value)&PCI_COMMAND_MASTER)
+-static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data)
++/* Bits guests are allowed to control in permissive mode. */
++#define PCI_COMMAND_GUEST (PCI_COMMAND_MASTER|PCI_COMMAND_SPECIAL| \
++                         PCI_COMMAND_INVALIDATE|PCI_COMMAND_VGA_PALETTE| \
++                         PCI_COMMAND_WAIT|PCI_COMMAND_FAST_BACK)
++
++static void *command_init(struct pci_dev *dev, int offset)
+ {
+-      int i;
+-      int ret;
++      struct pci_cmd_info *cmd = kmalloc(sizeof(*cmd), GFP_KERNEL);
++      int err;
+-      ret = xen_pcibk_read_config_word(dev, offset, value, data);
+-      if (!pci_is_enabled(dev))
+-              return ret;
+-
+-      for (i = 0; i < PCI_ROM_RESOURCE; i++) {
+-              if (dev->resource[i].flags & IORESOURCE_IO)
+-                      *value |= PCI_COMMAND_IO;
+-              if (dev->resource[i].flags & IORESOURCE_MEM)
+-                      *value |= PCI_COMMAND_MEMORY;
++      if (!cmd)
++              return ERR_PTR(-ENOMEM);
++
++      err = pci_read_config_word(dev, PCI_COMMAND, &cmd->val);
++      if (err) {
++              kfree(cmd);
++              return ERR_PTR(err);
+       }
++      return cmd;
++}
++
++static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data)
++{
++      int ret = pci_read_config_word(dev, offset, value);
++      const struct pci_cmd_info *cmd = data;
++
++      *value &= PCI_COMMAND_GUEST;
++      *value |= cmd->val & ~PCI_COMMAND_GUEST;
++
+       return ret;
+ }
+@@ -43,6 +61,8 @@ static int command_write(struct pci_dev
+ {
+       struct xen_pcibk_dev_data *dev_data;
+       int err;
++      u16 val;
++      struct pci_cmd_info *cmd = data;
+       dev_data = pci_get_drvdata(dev);
+       if (!pci_is_enabled(dev) && is_enable_cmd(value)) {
+@@ -83,6 +103,19 @@ static int command_write(struct pci_dev
+               }
+       }
++      cmd->val = value;
++
++      if (!permissive && (!dev_data || !dev_data->permissive))
++              return 0;
++
++      /* Only allow the guest to control certain bits. */
++      err = pci_read_config_word(dev, offset, &val);
++      if (err || val == value)
++              return err;
++
++      value &= PCI_COMMAND_GUEST;
++      value |= val & ~PCI_COMMAND_GUEST;
++
+       return pci_write_config_word(dev, offset, value);
+ }
+@@ -282,6 +315,8 @@ static const struct config_field header_
+       {
+        .offset    = PCI_COMMAND,
+        .size      = 2,
++       .init      = command_init,
++       .release   = bar_release,
+        .u.w.read  = command_read,
+        .u.w.write = command_write,
+       },
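Review bot: In command_read() the shadow merge at `*value &= PCI_COMMAND_GUEST; *value |= cmd->val & ~PCI_COMMAND_GUEST;` runs even when pci_read_config_word() has failed, so the caller receives a non-zero ret together with a value synthesised from whatever the failed read left in *value; wrapping those two lines in `if (!ret) { ... }` keeps the error contract clean. command_init() reads `PCI_COMMAND` directly while command_read() and command_write() use `offset`; the field is registered at `.offset = PCI_COMMAND` so they agree today, but using `offset` in all three is the consistent form. struct pci_cmd_info carries no comment on what `val` holds; `/* last PCI_COMMAND value written by the guest; bits outside PCI_COMMAND_GUEST are reported back from here, not from hardware */` would document the shadowing command_read() relies on. The non-permissive `return 0` silently discards the write; a rate-limited debug message there would give the host visibility of guests attempting to change the decode bits, which is exactly the behaviour this change exists to block.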