--- /dev/null
+From 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Sun, 8 Sep 2013 14:33:50 +1000
+Subject: crypto: api - Fix race condition in larval lookup
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa upstream.
+
+crypto_larval_lookup should only return a larval if it created one.
+Any larval created by another entity must be processed through
+crypto_larval_wait before being returned.
+
+Otherwise this will lead to a larval being killed twice, which
+will most likely lead to a crash.
+
+Reported-by: Kees Cook <keescook@chromium.org>
+Tested-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/api.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -40,6 +40,8 @@ static inline struct crypto_alg *crypto_
+ return alg;
+ }
+
++static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg);
++
+ struct crypto_alg *crypto_mod_get(struct crypto_alg *alg)
+ {
+ return try_module_get(alg->cra_module) ? crypto_alg_get(alg) : NULL;
+@@ -150,8 +152,11 @@ static struct crypto_alg *crypto_larval_
+ }
+ up_write(&crypto_alg_sem);
+
+- if (alg != &larval->alg)
++ if (alg != &larval->alg) {
+ kfree(larval);
++ if (crypto_is_larval(alg))
++ alg = crypto_larval_wait(alg);
++ }
+
+ return alg;
+ }
--- /dev/null
+From 230aef7a6a23b6166bd4003bfff5af23c9bd381f Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Wed, 7 Aug 2013 02:01:19 +1000
+Subject: powerpc: Handle unaligned ldbrx/stdbrx
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 230aef7a6a23b6166bd4003bfff5af23c9bd381f upstream.
+
+Normally when we haven't implemented an alignment handler for
+a load or store instruction the process will be terminated.
+
+The alignment handler uses the DSISR (or a pseudo one) to locate
+the right handler. Unfortunately ldbrx and stdbrx overlap lfs and
+stfs so we incorrectly think ldbrx is an lfs and stdbrx is an
+stfs.
+
+This bug is particularly nasty - instead of terminating the
+process we apply an incorrect fixup and continue on.
+
+With more and more overlapping instructions we should stop
+creating a pseudo DSISR and index using the instruction directly,
+but for now add a special case to catch ldbrx/stdbrx.
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/align.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/powerpc/kernel/align.c
++++ b/arch/powerpc/kernel/align.c
+@@ -764,6 +764,16 @@ int fix_alignment(struct pt_regs *regs)
+ nb = aligninfo[instr].len;
+ flags = aligninfo[instr].flags;
+
++ /* ldbrx/stdbrx overlap lfs/stfs in the DSISR unfortunately */
++ if (IS_XFORM(instruction) && ((instruction >> 1) & 0x3ff) == 532) {
++ nb = 8;
++ flags = LD+SW;
++ } else if (IS_XFORM(instruction) &&
++ ((instruction >> 1) & 0x3ff) == 660) {
++ nb = 8;
++ flags = ST+SW;
++ }
++
+ /* Byteswap little endian loads and stores */
+ swiz = 0;
+ if (regs->msr & MSR_LE) {
--- /dev/null
+From 984f1733fcee3fbc78d47e26c5096921c5d9946a Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 6 Sep 2013 11:49:51 -0400
+Subject: SCSI: sd: Fix potential out-of-bounds access
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 984f1733fcee3fbc78d47e26c5096921c5d9946a upstream.
+
+This patch fixes an out-of-bounds error in sd_read_cache_type(), found
+by Google's AddressSanitizer tool. When the loop ends, we know that
+"offset" lies beyond the end of the data in the buffer, so no Caching
+mode page was found. In theory it may be present, but the buffer size
+is limited to 512 bytes.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sd.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2135,14 +2135,9 @@ sd_read_cache_type(struct scsi_disk *sdk
+ }
+ }
+
+- if (modepage == 0x3F) {
+- sd_printk(KERN_ERR, sdkp, "No Caching mode page "
+- "present\n");
+- goto defaults;
+- } else if ((buffer[offset] & 0x3f) != modepage) {
+- sd_printk(KERN_ERR, sdkp, "Got wrong page\n");
+- goto defaults;
+- }
++ sd_printk(KERN_ERR, sdkp, "No Caching mode page found\n");
++ goto defaults;
++
+ Page_found:
+ if (modepage == 8) {
+ sdkp->WCE = ((buffer[offset + 2] & 0x04) != 0);
+scsi-sd-fix-potential-out-of-bounds-access.patch
+crypto-api-fix-race-condition-in-larval-lookup.patch
+powerpc-handle-unaligned-ldbrx-stdbrx.patch
+xen-gnt-prevent-adding-duplicate-gnt-callbacks.patch
--- /dev/null
+From 5f338d9001094a56cf87bd8a280b4e7ff953bb59 Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Wed, 31 Jul 2013 17:00:42 +0200
+Subject: xen-gnt: prevent adding duplicate gnt callbacks
+
+From: Roger Pau Monne <roger.pau@citrix.com>
+
+commit 5f338d9001094a56cf87bd8a280b4e7ff953bb59 upstream.
+
+With the current implementation, the callback in the tail of the list
+can be added twice, because the check done in
+gnttab_request_free_callback is bogus, callback->next can be NULL if
+it is the last callback in the list. If we add the same callback twice
+we end up with an infinite loop, were callback == callback->next.
+
+Replace this check with a proper one that iterates over the list to
+see if the callback has already been added.
+
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Cc: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Acked-by: Matt Wilson <msw@amazon.com>
+Reviewed-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/grant-table.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/grant-table.c
++++ b/drivers/xen/grant-table.c
+@@ -355,9 +355,18 @@ void gnttab_request_free_callback(struct
+ void (*fn)(void *), void *arg, u16 count)
+ {
+ unsigned long flags;
++ struct gnttab_free_callback *cb;
++
+ spin_lock_irqsave(&gnttab_list_lock, flags);
+- if (callback->next)
+- goto out;
++
++ /* Check if the callback is already on the list */
++ cb = gnttab_free_callback_list;
++ while (cb) {
++ if (cb == callback)
++ goto out;
++ cb = cb->next;
++ }
++
+ callback->fn = fn;
+ callback->arg = arg;
+ callback->count = count;
projects / thirdparty / kernel / stable-queue.git / commitdiff
