--- /dev/null
+From 3fc89adb9fa4beff31374a4bf50b3d099d88ae83 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Mon, 19 Oct 2015 18:23:57 +0800
+Subject: crypto: api - Only abort operations on fatal signal
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 3fc89adb9fa4beff31374a4bf50b3d099d88ae83 upstream.
+
+Currently a number of Crypto API operations may fail when a signal
+occurs. This causes nasty problems as the caller of those operations
+are often not in a good position to restart the operation.
+
+In fact there is currently no need for those operations to be
+interrupted by user signals at all. All we need is for them to
+be killable.
+
+This patch replaces the relevant calls of signal_pending with
+fatal_signal_pending, and wait_for_completion_interruptible with
+wait_for_completion_killable, respectively.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/ablkcipher.c | 2 +-
+ crypto/algapi.c | 2 +-
+ crypto/api.c | 6 +++---
+ crypto/crypto_user.c | 2 +-
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/crypto/ablkcipher.c
++++ b/crypto/ablkcipher.c
+@@ -700,7 +700,7 @@ struct crypto_ablkcipher *crypto_alloc_a
+ err:
+ if (err != -EAGAIN)
+ break;
+- if (signal_pending(current)) {
++ if (fatal_signal_pending(current)) {
+ err = -EINTR;
+ break;
+ }
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -325,7 +325,7 @@ static void crypto_wait_for_test(struct
+ crypto_alg_tested(larval->alg.cra_driver_name, 0);
+ }
+
+- err = wait_for_completion_interruptible(&larval->completion);
++ err = wait_for_completion_killable(&larval->completion);
+ WARN_ON(err);
+
+ out:
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -172,7 +172,7 @@ static struct crypto_alg *crypto_larval_
+ struct crypto_larval *larval = (void *)alg;
+ long timeout;
+
+- timeout = wait_for_completion_interruptible_timeout(
++ timeout = wait_for_completion_killable_timeout(
+ &larval->completion, 60 * HZ);
+
+ alg = larval->adult;
+@@ -435,7 +435,7 @@ struct crypto_tfm *crypto_alloc_base(con
+ err:
+ if (err != -EAGAIN)
+ break;
+- if (signal_pending(current)) {
++ if (fatal_signal_pending(current)) {
+ err = -EINTR;
+ break;
+ }
+@@ -552,7 +552,7 @@ void *crypto_alloc_tfm(const char *alg_n
+ err:
+ if (err != -EAGAIN)
+ break;
+- if (signal_pending(current)) {
++ if (fatal_signal_pending(current)) {
+ err = -EINTR;
+ break;
+ }
+--- a/crypto/crypto_user.c
++++ b/crypto/crypto_user.c
+@@ -361,7 +361,7 @@ static struct crypto_alg *crypto_user_ae
+ err = PTR_ERR(alg);
+ if (err != -EAGAIN)
+ break;
+- if (signal_pending(current)) {
++ if (fatal_signal_pending(current)) {
+ err = -EINTR;
+ break;
+ }
--- /dev/null
+From 0ca81a2840f77855bbad1b9f172c545c4dc9e6a4 Mon Sep 17 00:00:00 2001
+From: Doron Tsur <doront@mellanox.com>
+Date: Sun, 11 Oct 2015 15:58:17 +0300
+Subject: IB/cm: Fix rb-tree duplicate free and use-after-free
+
+From: Doron Tsur <doront@mellanox.com>
+
+commit 0ca81a2840f77855bbad1b9f172c545c4dc9e6a4 upstream.
+
+ib_send_cm_sidr_rep could sometimes erase the node from the sidr
+(depending on errors in the process). Since ib_send_cm_sidr_rep is
+called both from cm_sidr_req_handler and cm_destroy_id, cm_id_priv
+could be either erased from the rb_tree twice or not erased at all.
+Fixing that by making sure it's erased only once before freeing
+cm_id_priv.
+
+Fixes: a977049dacde ('[PATCH] IB: Add the kernel CM implementation')
+Signed-off-by: Doron Tsur <doront@mellanox.com>
+Signed-off-by: Matan Barak <matanb@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/cm.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -857,6 +857,11 @@ retest:
+ case IB_CM_SIDR_REQ_RCVD:
+ spin_unlock_irq(&cm_id_priv->lock);
+ cm_reject_sidr_req(cm_id_priv, IB_SIDR_REJECT);
++ spin_lock_irq(&cm.lock);
++ if (!RB_EMPTY_NODE(&cm_id_priv->sidr_id_node))
++ rb_erase(&cm_id_priv->sidr_id_node,
++ &cm.remote_sidr_table);
++ spin_unlock_irq(&cm.lock);
+ break;
+ case IB_CM_REQ_SENT:
+ ib_cancel_mad(cm_id_priv->av.port->mad_agent, cm_id_priv->msg);
+@@ -3093,7 +3098,10 @@ int ib_send_cm_sidr_rep(struct ib_cm_id
+ spin_unlock_irqrestore(&cm_id_priv->lock, flags);
+
+ spin_lock_irqsave(&cm.lock, flags);
+- rb_erase(&cm_id_priv->sidr_id_node, &cm.remote_sidr_table);
++ if (!RB_EMPTY_NODE(&cm_id_priv->sidr_id_node)) {
++ rb_erase(&cm_id_priv->sidr_id_node, &cm.remote_sidr_table);
++ RB_CLEAR_NODE(&cm_id_priv->sidr_id_node);
++ }
+ spin_unlock_irqrestore(&cm.lock, flags);
+ return 0;
+
--- /dev/null
+From 203d27b0226a05202438ddb39ef0ef1acb14a759 Mon Sep 17 00:00:00 2001
+From: Jes Sorensen <Jes.Sorensen@redhat.com>
+Date: Tue, 20 Oct 2015 12:09:12 -0400
+Subject: md/raid1: submit_bio_wait() returns 0 on success
+
+From: Jes Sorensen <Jes.Sorensen@redhat.com>
+
+commit 203d27b0226a05202438ddb39ef0ef1acb14a759 upstream.
+
+This was introduced with 9e882242c6193ae6f416f2d8d8db0d9126bd996b
+which changed the return value of submit_bio_wait() to return != 0 on
+error, but didn't update the caller accordingly.
+
+Fixes: 9e882242c6 ("block: Add submit_bio_wait(), remove from md")
+Reported-by: Bill Kuzeja <William.Kuzeja@stratus.com>
+Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -2147,7 +2147,7 @@ static int narrow_write_error(struct r1b
+ md_trim_bio(wbio, sector - r1_bio->sector, sectors);
+ wbio->bi_sector += rdev->data_offset;
+ wbio->bi_bdev = rdev->bdev;
+- if (submit_bio_wait(WRITE, wbio) == 0)
++ if (submit_bio_wait(WRITE, wbio) < 0)
+ /* failure! */
+ ok = rdev_set_badblocks(rdev, sector,
+ sectors, 0)
--- /dev/null
+From 681ab4696062f5aa939c9e04d058732306a97176 Mon Sep 17 00:00:00 2001
+From: Jes Sorensen <Jes.Sorensen@redhat.com>
+Date: Tue, 20 Oct 2015 12:09:13 -0400
+Subject: md/raid10: submit_bio_wait() returns 0 on success
+
+From: Jes Sorensen <Jes.Sorensen@redhat.com>
+
+commit 681ab4696062f5aa939c9e04d058732306a97176 upstream.
+
+This was introduced with 9e882242c6193ae6f416f2d8d8db0d9126bd996b
+which changed the return value of submit_bio_wait() to return != 0 on
+error, but didn't update the caller accordingly.
+
+Fixes: 9e882242c6 ("block: Add submit_bio_wait(), remove from md")
+Reported-by: Bill Kuzeja <William.Kuzeja@stratus.com>
+Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid10.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -2597,7 +2597,7 @@ static int narrow_write_error(struct r10
+ choose_data_offset(r10_bio, rdev) +
+ (sector - r10_bio->sector));
+ wbio->bi_bdev = rdev->bdev;
+- if (submit_bio_wait(WRITE, wbio) == 0)
++ if (submit_bio_wait(WRITE, wbio) < 0)
+ /* Failure! */
+ ok = rdev_set_badblocks(rdev, sector,
+ sectors, 0)
--- /dev/null
+From 2280521719e81919283b82902ac24058f87dfc1b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?D=C4=81vis=20Mos=C4=81ns?= <davispuh@gmail.com>
+Date: Fri, 21 Aug 2015 07:29:22 +0300
+Subject: mvsas: Fix NULL pointer dereference in mvs_slot_task_free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?D=C4=81vis=20Mos=C4=81ns?= <davispuh@gmail.com>
+
+commit 2280521719e81919283b82902ac24058f87dfc1b upstream.
+
+When pci_pool_alloc fails in mvs_task_prep then task->lldd_task stays
+NULL but it's later used in mvs_abort_task as slot which is passed
+to mvs_slot_task_free causing NULL pointer dereference.
+
+Just return from mvs_slot_task_free when passed with NULL slot.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=101891
+Signed-off-by: Dāvis Mosāns <davispuh@gmail.com>
+Reviewed-by: Tomas Henzl <thenzl@redhat.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: James Bottomley <JBottomley@Odin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/mvsas/mv_sas.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/mvsas/mv_sas.c
++++ b/drivers/scsi/mvsas/mv_sas.c
+@@ -987,6 +987,8 @@ static void mvs_slot_free(struct mvs_inf
+ static void mvs_slot_task_free(struct mvs_info *mvi, struct sas_task *task,
+ struct mvs_slot_info *slot, u32 slot_idx)
+ {
++ if (!slot)
++ return;
+ if (!slot->task)
+ return;
+ if (!sas_protocol_ata(task->task_proto))
xhci-handle-no-ping-response-error-properly.patch
xen-blkfront-check-for-null-drvdata-in-blkback_changed-xenbusstateclosing.patch
module-fix-locking-in-symbol_put_addr.patch
+crypto-api-only-abort-operations-on-fatal-signal.patch
+md-raid1-submit_bio_wait-returns-0-on-success.patch
+md-raid10-submit_bio_wait-returns-0-on-success.patch
+mvsas-fix-null-pointer-dereference-in-mvs_slot_task_free.patch
+ib-cm-fix-rb-tree-duplicate-free-and-use-after-free.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
