--- /dev/null
+From afd62fa26343be6445479e75de9f07092a061459 Mon Sep 17 00:00:00 2001
+From: LEROY Christophe <christophe.leroy@c-s.fr>
+Date: Wed, 13 Sep 2017 12:44:51 +0200
+Subject: crypto: talitos - fix sha224
+
+From: LEROY Christophe <christophe.leroy@c-s.fr>
+
+commit afd62fa26343be6445479e75de9f07092a061459 upstream.
+
+Kernel crypto tests report the following error at startup
+
+[ 2.752626] alg: hash: Test 4 failed for sha224-talitos
+[ 2.757907] 00000000: 30 e2 86 e2 e7 8a dd 0d d7 eb 9f d5 83 fe f1 b0
+00000010: 2d 5a 6c a5 f9 55 ea fd 0e 72 05 22
+
+This patch fixes it
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/talitos.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -1581,9 +1581,9 @@ static int common_nonsnoop_hash(struct t
+ req_ctx->swinit = 0;
+ } else {
+ desc->ptr[1] = zero_entry;
+- /* Indicate next op is not the first. */
+- req_ctx->first = 0;
+ }
++ /* Indicate next op is not the first. */
++ req_ctx->first = 0;
+
+ /* HMAC key */
+ if (ctx->keylen)
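Review bot: The relocated comment above `req_ctx->first = 0;` still says only that the next op is not the first, and does not record why the flag must now be cleared on both branches. Before this change the branch ending in `req_ctx->swinit = 0;` left `first` set, which is presumably what the failing sha224 self-test hit; the description gives no cause, so this is inferred. I would expand the comment to something like `/* Clear first on both paths: a software-initialised context (swinit) must not be treated as a first op again. */`. common_nonsnoop_hash starts and ends outside the hunk, so how `first` is consumed later is not visible here.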
--- /dev/null
+From paulus@ozlabs.org Mon Oct 2 11:14:29 2017
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Tue, 12 Sep 2017 16:00:24 +1000
+Subject: KVM: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce()
+To: stable@vger.kernel.org
+Message-ID: <20170912060024.f4zdddwnqbyiv6zn@oak.ozlabs.ibm.com>
+Content-Disposition: inline
+
+From: Paul Mackerras <paulus@ozlabs.org>
+
+commit 47c5310a8dbe7c2cb9f0083daa43ceed76c257fa upstream, with part
+of commit edd03602d97236e8fea13cd76886c576186aa307 folded in.
+
+Nixiaoming pointed out that there is a memory leak in
+kvm_vm_ioctl_create_spapr_tce() if the call to anon_inode_getfd()
+fails; the memory allocated for the kvmppc_spapr_tce_table struct
+is not freed, and nor are the pages allocated for the iommu
+tables.
+
+David Hildenbrand pointed out that there is a race in that the
+function checks early on that there is not already an entry in the
+stt->iommu_tables list with the same LIOBN, but an entry with the
+same LIOBN could get added between then and when the new entry is
+added to the list.
+
+This fixes both problems. To simplify things, we now call
+anon_inode_getfd() before placing the new entry in the list. The
+check for an existing entry is done while holding the kvm->lock
+mutex, immediately before adding the new entry to the list.
+
+[paulus@ozlabs.org - folded in that part of edd03602d972 ("KVM:
+ PPC: Book3S HV: Protect updates to spapr_tce_tables list", 2017-08-28)
+ which restructured the code that 47c5310a8dbe modified, to avoid
+ a build failure caused by the absence of put_unused_fd().
+ Also removed the locked memory accounting, since it doesn't exist
+ in this version, and adjusted the commit message.]
+
+Fixes: 54738c097163 ("KVM: PPC: Accelerate H_PUT_TCE by implementing it in real mode")
+Reported-by: Nixiaoming <nixiaoming@huawei.com>
+Reported-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_64_vio.c | 46 ++++++++++++++++++++++-----------------
+ 1 file changed, 27 insertions(+), 19 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_64_vio.c
++++ b/arch/powerpc/kvm/book3s_64_vio.c
+@@ -101,22 +101,17 @@ long kvm_vm_ioctl_create_spapr_tce(struc
+ struct kvm_create_spapr_tce *args)
+ {
+ struct kvmppc_spapr_tce_table *stt = NULL;
++ struct kvmppc_spapr_tce_table *siter;
+ long npages;
+ int ret = -ENOMEM;
+ int i;
+
+- /* Check this LIOBN hasn't been previously allocated */
+- list_for_each_entry(stt, &kvm->arch.spapr_tce_tables, list) {
+- if (stt->liobn == args->liobn)
+- return -EBUSY;
+- }
+-
+ npages = kvmppc_stt_npages(args->window_size);
+
+ stt = kzalloc(sizeof(*stt) + npages * sizeof(struct page *),
+ GFP_KERNEL);
+ if (!stt)
+- goto fail;
++ return ret;
+
+ stt->liobn = args->liobn;
+ stt->window_size = args->window_size;
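Review bot: The `= NULL` initialiser on `stt` is dead after this change. The LIOBN scan that reused `stt` as a cursor now uses `siter`, `stt` is assigned from kzalloc() before any other use, and the allocation failure returns directly. Dropping it (`struct kvmppc_spapr_tce_table *stt;`) would let the compiler flag a later edit that adds a `goto fail` ahead of the allocation. That matters because the fail path in the second hunk dereferences `stt->pages[i]` without the old `if (stt)` guard. The function continues outside this hunk.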
+@@ -128,23 +123,36 @@ long kvm_vm_ioctl_create_spapr_tce(struc
+ goto fail;
+ }
+
+- kvm_get_kvm(kvm);
+-
+ mutex_lock(&kvm->lock);
+- list_add(&stt->list, &kvm->arch.spapr_tce_tables);
++
++ /* Check this LIOBN hasn't been previously allocated */
++ ret = 0;
++ list_for_each_entry(siter, &kvm->arch.spapr_tce_tables, list) {
++ if (siter->liobn == args->liobn) {
++ ret = -EBUSY;
++ break;
++ }
++ }
++
++ if (!ret)
++ ret = anon_inode_getfd("kvm-spapr-tce", &kvm_spapr_tce_fops,
++ stt, O_RDWR | O_CLOEXEC);
++
++ if (ret >= 0) {
++ list_add(&stt->list, &kvm->arch.spapr_tce_tables);
++ kvm_get_kvm(kvm);
++ }
+
+ mutex_unlock(&kvm->lock);
+
+- return anon_inode_getfd("kvm-spapr-tce", &kvm_spapr_tce_fops,
+- stt, O_RDWR | O_CLOEXEC);
++ if (ret >= 0)
++ return ret;
+
+-fail:
+- if (stt) {
+- for (i = 0; i < npages; i++)
+- if (stt->pages[i])
+- __free_page(stt->pages[i]);
++ fail:
++ for (i = 0; i < npages; i++)
++ if (stt->pages[i])
++ __free_page(stt->pages[i]);
+
+- kfree(stt);
+- }
++ kfree(stt);
+ return ret;
+ }
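Review bot: anon_inode_getfd() makes the new fd visible to userspace before `list_add()` and `kvm_get_kvm(kvm)` run, so another thread can close it while this function is still between the two. That is only safe if the release handler behind kvm_spapr_tce_fops takes kvm->lock before it unlinks the table and drops the kvm reference. That handler is outside the hunk, so this should be confirmed and stated next to the call, e.g. `/* fd is live from here; release serialises on kvm->lock, so the list_add/kvm_get_kvm below cannot race with it */`. If release does not take the lock, the reference should be taken before the fd is created and dropped again on the failure path.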
--- /dev/null
+From c88f0e6b06f4092995688211a631bb436125d77b Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 27 Aug 2017 20:25:26 +0800
+Subject: scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit c88f0e6b06f4092995688211a631bb436125d77b upstream.
+
+ChunYu found a kernel crash by syzkaller:
+
+[ 651.617875] kasan: CONFIG_KASAN_INLINE enabled
+[ 651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
+[ 651.618731] general protection fault: 0000 [#1] SMP KASAN
+[ 651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
+[ 651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+[ 651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
+[ 651.622762] RIP: 0010:skb_release_data+0x26c/0x590
+[...]
+[ 651.627260] Call Trace:
+[ 651.629156] skb_release_all+0x4f/0x60
+[ 651.629450] consume_skb+0x1a5/0x600
+[ 651.630705] netlink_unicast+0x505/0x720
+[ 651.632345] netlink_sendmsg+0xab2/0xe70
+[ 651.633704] sock_sendmsg+0xcf/0x110
+[ 651.633942] ___sys_sendmsg+0x833/0x980
+[ 651.637117] __sys_sendmsg+0xf3/0x240
+[ 651.638820] SyS_sendmsg+0x32/0x50
+[ 651.639048] entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+It's caused by skb_shared_info at the end of sk_buff was overwritten by
+ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
+
+During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
+ev = nlmsg_data(nlh) will actually get skb_shinfo(SKB) instead and set a
+new value to skb_shinfo(SKB)->nr_frags by ev->type.
+
+This patch is to fix it by checking nlh->nlmsg_len properly there to
+avoid over accessing sk_buff.
+
+Reported-by: ChunYu Wang <chunwang@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Chris Leech <cleech@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_transport_iscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -3693,7 +3693,7 @@ iscsi_if_rx(struct sk_buff *skb)
+ uint32_t group;
+
+ nlh = nlmsg_hdr(skb);
+- if (nlh->nlmsg_len < sizeof(*nlh) ||
++ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
+ skb->len < nlh->nlmsg_len) {
+ break;
+ }
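Review bot: The new bound covers only the fixed-size event structure that `ev` points to. Any handler that reads payload following `*ev` still needs its own check against `nlh->nlmsg_len`, and those handlers are outside this hunk. The guard would also match the accessor it protects if written as `if (nlh->nlmsg_len < NLMSG_HDRLEN + sizeof(*ev) ||`, since `nlmsg_data()` is offset by the aligned header length rather than `sizeof(*nlh)`. A one-line comment such as `/* ev = nlmsg_data(nlh) is read below: require a full event after the header */` would keep the reason beside the check. The loop in iscsi_if_rx begins and ends outside the hunk.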
cifs-release-cifs-root_cred-after-exit_cifs.patch
cifs-release-auth_key.response-for-reconnect.patch
mac80211-flush-hw_roc_start-work-before-cancelling-the-roc.patch
+kvm-ppc-book3s-fix-race-and-leak-in-kvm_vm_ioctl_create_spapr_tce.patch
+tracing-fix-trace_pipe-behavior-for-instance-traces.patch
+tracing-erase-irqsoff-trace-with-empty-write.patch
+scsi-scsi_transport_iscsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
+crypto-talitos-fix-sha224.patch
--- /dev/null
+From 8dd33bcb7050dd6f8c1432732f930932c9d3a33e Mon Sep 17 00:00:00 2001
+From: Bo Yan <byan@nvidia.com>
+Date: Mon, 18 Sep 2017 10:03:35 -0700
+Subject: tracing: Erase irqsoff trace with empty write
+
+From: Bo Yan <byan@nvidia.com>
+
+commit 8dd33bcb7050dd6f8c1432732f930932c9d3a33e upstream.
+
+One convenient way to erase trace is "echo > trace". However, this
+is currently broken if the current tracer is the irqsoff tracer. This
+is because the irqsoff tracer uses max_buffer as the default trace
+buffer.
+
+Set the max_buffer as the one to be cleared when it's the trace
+buffer currently in use.
+
+Link: http://lkml.kernel.org/r/1505754215-29411-1-git-send-email-byan@nvidia.com
+
+Cc: <mingo@redhat.com>
+Fixes: 4acd4d00f ("tracing: give easy way to clear trace buffer")
+Signed-off-by: Bo Yan <byan@nvidia.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -3168,11 +3168,17 @@ static int tracing_open(struct inode *in
+ /* If this file was open for write, then erase contents */
+ if ((file->f_mode & FMODE_WRITE) && (file->f_flags & O_TRUNC)) {
+ int cpu = tracing_get_cpu(inode);
++ struct trace_buffer *trace_buf = &tr->trace_buffer;
++
++#ifdef CONFIG_TRACER_MAX_TRACE
++ if (tr->current_trace->print_max)
++ trace_buf = &tr->max_buffer;
++#endif
+
+ if (cpu == RING_BUFFER_ALL_CPUS)
+- tracing_reset_online_cpus(&tr->trace_buffer);
++ tracing_reset_online_cpus(trace_buf);
+ else
+- tracing_reset(&tr->trace_buffer, cpu);
++ tracing_reset(trace_buf, cpu);
+ }
+
+ if (file->f_mode & FMODE_READ) {
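Review bot: The `#ifdef CONFIG_TRACER_MAX_TRACE` block selects the buffer to erase without a comment; the reason (per the description, the irqsoff tracer uses `max_buffer` as its trace buffer) lives only in the commit message. I would add `/* print_max tracers expose max_buffer through this file, so erase that one */` above the `if`. `tr->current_trace` is also dereferenced here with no lock visible in the hunk. If the tracer can be switched concurrently the wrong buffer may be reset, so this is worth confirming against the locking in the part of tracing_open() outside this hunk.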
--- /dev/null
+From 75df6e688ccd517e339a7c422ef7ad73045b18a2 Mon Sep 17 00:00:00 2001
+From: Tahsin Erdogan <tahsin@google.com>
+Date: Sun, 17 Sep 2017 03:23:48 -0700
+Subject: tracing: Fix trace_pipe behavior for instance traces
+
+From: Tahsin Erdogan <tahsin@google.com>
+
+commit 75df6e688ccd517e339a7c422ef7ad73045b18a2 upstream.
+
+When reading data from trace_pipe, tracing_wait_pipe() performs a
+check to see if tracing has been turned off after some data was read.
+Currently, this check always looks at global trace state, but it
+should be checking the trace instance where trace_pipe is located at.
+
+Because of this bug, cat instances/i1/trace_pipe in the following
+script will immediately exit instead of waiting for data:
+
+cd /sys/kernel/debug/tracing
+echo 0 > tracing_on
+mkdir -p instances/i1
+echo 1 > instances/i1/tracing_on
+echo 1 > instances/i1/events/sched/sched_process_exec/enable
+cat instances/i1/trace_pipe
+
+Link: http://lkml.kernel.org/r/20170917102348.1615-1-tahsin@google.com
+
+Fixes: 10246fa35d4f ("tracing: give easy way to clear trace buffer")
+Signed-off-by: Tahsin Erdogan <tahsin@google.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -4430,7 +4430,7 @@ static int tracing_wait_pipe(struct file
+ *
+ * iter->pos will be 0 if we haven't read anything.
+ */
+- if (!tracing_is_on() && iter->pos)
++ if (!tracer_tracing_is_on(iter->tr) && iter->pos)
+ break;
+
+ mutex_unlock(&iter->mutex);