--- /dev/null
+From 3aaf33bebda8d4ffcc0fc8ef39e6c1ac68823b11 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Mon, 27 Nov 2017 11:22:42 +0000
+Subject: ARM: avoid faulting on qemu
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+commit 3aaf33bebda8d4ffcc0fc8ef39e6c1ac68823b11 upstream.
+
+When qemu starts a kernel in a bare environment, the default SCR has
+the AW and FW bits clear, which means that the kernel can't modify
+the PSR A or PSR F bits, and means that FIQs and imprecise aborts are
+always masked.
+
+When running uboot under qemu, the AW and FW SCR bits are set, and the
+kernel functions normally - and this is how real hardware behaves.
+
+Fix this for qemu by ignoring the FIQ bit.
+
+Fixes: 8bafae202c82 ("ARM: BUG if jumping to usermode address in kernel mode")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Cc: Alex Shi <alex.shi@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kernel/entry-header.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/kernel/entry-header.S
++++ b/arch/arm/kernel/entry-header.S
+@@ -299,7 +299,7 @@
+ mov r2, sp
+ ldr r1, [r2, #\offset + S_PSR] @ get calling cpsr
+ ldr lr, [r2, #\offset + S_PC]! @ get pc
+- tst r1, #0xcf
++ tst r1, #PSR_I_BIT | 0x0f
+ bne 1f
+ msr spsr_cxsf, r1 @ save in spsr_svc
+ #if defined(CONFIG_CPU_V6) || defined(CONFIG_CPU_32v6K)
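Review bot: The new mask `#PSR_I_BIT | 0x0f` on the `tst r1` line leaves the bare literal `0x0f` unexplained, and nothing at the check says why the F bit is deliberately exempt; the same line appears again in the second hunk of this file. Going by the commit message, the F bit is skipped because a bare qemu boot leaves FIQs permanently masked, so a set F bit is not evidence of a corrupted frame there. I would add a comment on both `tst` lines, for example `@ IRQs masked or low mode bits set (not USR)? F ignored, see qemu SCR.FW`, after confirming that `0x0f` is meant as the low four mode bits. This check guards the return to user mode against a kernel-mode PSR, so a reader should be able to see at the site which bits are still enforced. The surrounding macro starts and ends outside both hunks.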
+@@ -331,7 +331,7 @@
+ ldr r1, [sp, #\offset + S_PSR] @ get calling cpsr
+ ldr lr, [sp, #\offset + S_PC] @ get pc
+ add sp, sp, #\offset + S_SP
+- tst r1, #0xcf
++ tst r1, #PSR_I_BIT | 0x0f
+ bne 1f
+ msr spsr_cxsf, r1 @ save in spsr_svc
+
--- /dev/null
+From 8bafae202c82dc257f649ea3c275a0f35ee15113 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Fri, 24 Nov 2017 23:49:34 +0000
+Subject: ARM: BUG if jumping to usermode address in kernel mode
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+commit 8bafae202c82dc257f649ea3c275a0f35ee15113 upstream.
+
+Detect if we are returning to usermode via the normal kernel exit paths
+but the saved PSR value indicates that we are in kernel mode. This
+could occur due to corrupted stack state, which has been observed with
+"ftracetest".
+
+This ensures that we catch the problem case before we get to user code.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Cc: Alex Shi <alex.shi@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/include/asm/assembler.h | 18 ++++++++++++++++++
+ arch/arm/kernel/entry-header.S | 6 ++++++
+ 2 files changed, 24 insertions(+)
+
+--- a/arch/arm/include/asm/assembler.h
++++ b/arch/arm/include/asm/assembler.h
+@@ -516,4 +516,22 @@ THUMB( orr \reg , \reg , #PSR_T_BIT )
+ #endif
+ .endm
+
++ .macro bug, msg, line
++#ifdef CONFIG_THUMB2_KERNEL
++1: .inst 0xde02
++#else
++1: .inst 0xe7f001f2
++#endif
++#ifdef CONFIG_DEBUG_BUGVERBOSE
++ .pushsection .rodata.str, "aMS", %progbits, 1
++2: .asciz "\msg"
++ .popsection
++ .pushsection __bug_table, "aw"
++ .align 2
++ .word 1b, 2b
++ .hword \line
++ .popsection
++#endif
++ .endm
++
+ #endif /* __ASM_ASSEMBLER_H__ */
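Review bot: The two `.inst` encodings in the new `bug` macro, `0xde02` and `0xe7f001f2`, are bare literals with no comment tying them to the undefined-instruction values the BUG trap handler recognises. If they drift from the C-side definition, the `1:` target added in entry-header.S would presumably raise an ordinary undefined-instruction exception instead of a BUG report, which weakens the check this commit adds. I would add a header comment on the macro stating that the encodings must match the C BUG() instruction (presumably `BUG_INSTR_VALUE` in asm/bug.h, to be confirmed), that `msg` and `line` are used only under CONFIG_DEBUG_BUGVERBOSE, and that the macro defines the local labels `1` and `2`.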
+--- a/arch/arm/kernel/entry-header.S
++++ b/arch/arm/kernel/entry-header.S
+@@ -299,6 +299,8 @@
+ mov r2, sp
+ ldr r1, [r2, #\offset + S_PSR] @ get calling cpsr
+ ldr lr, [r2, #\offset + S_PC]! @ get pc
++ tst r1, #0xcf
++ bne 1f
+ msr spsr_cxsf, r1 @ save in spsr_svc
+ #if defined(CONFIG_CPU_V6) || defined(CONFIG_CPU_32v6K)
+ @ We must avoid clrex due to Cortex-A15 erratum #830321
+@@ -313,6 +315,7 @@
+ @ after ldm {}^
+ add sp, sp, #\offset + PT_REGS_SIZE
+ movs pc, lr @ return & move spsr_svc into cpsr
++1: bug "Returning to usermode but unexpected PSR bits set?", \@
+ #elif defined(CONFIG_CPU_V7M)
+ @ V7M restore.
+ @ Note that we don't need to do clrex here as clearing the local
+@@ -328,6 +331,8 @@
+ ldr r1, [sp, #\offset + S_PSR] @ get calling cpsr
+ ldr lr, [sp, #\offset + S_PC] @ get pc
+ add sp, sp, #\offset + S_SP
++ tst r1, #0xcf
++ bne 1f
+ msr spsr_cxsf, r1 @ save in spsr_svc
+
+ @ We must avoid clrex due to Cortex-A15 erratum #830321
+@@ -340,6 +345,7 @@
+ .endif
+ add sp, sp, #PT_REGS_SIZE - S_SP
+ movs pc, lr @ return & move spsr_svc into cpsr
++1: bug "Returning to usermode but unexpected PSR bits set?", \@
+ #endif /* !CONFIG_THUMB2_KERNEL */
+ .endm
+
--- /dev/null
+From 6cda075aff67a1b9b5ba1b2818091dc939643b6c Mon Sep 17 00:00:00 2001
+From: LEROY Christophe <christophe.leroy@c-s.fr>
+Date: Fri, 6 Oct 2017 15:04:39 +0200
+Subject: crypto: talitos - fix AEAD for sha224 on non sha224 capable chips
+
+From: LEROY Christophe <christophe.leroy@c-s.fr>
+
+commit 6cda075aff67a1b9b5ba1b2818091dc939643b6c upstream.
+
+sha224 AEAD test fails with:
+
+[ 2.803125] talitos ff020000.crypto: DEUISR 0x00000000_00000000
+[ 2.808743] talitos ff020000.crypto: MDEUISR 0x80100000_00000000
+[ 2.814678] talitos ff020000.crypto: DESCBUF 0x20731f21_00000018
+[ 2.820616] talitos ff020000.crypto: DESCBUF 0x0628d64c_00000010
+[ 2.826554] talitos ff020000.crypto: DESCBUF 0x0631005c_00000018
+[ 2.832492] talitos ff020000.crypto: DESCBUF 0x0628d664_00000008
+[ 2.838430] talitos ff020000.crypto: DESCBUF 0x061b13a0_00000080
+[ 2.844369] talitos ff020000.crypto: DESCBUF 0x0631006c_00000080
+[ 2.850307] talitos ff020000.crypto: DESCBUF 0x0631006c_00000018
+[ 2.856245] talitos ff020000.crypto: DESCBUF 0x063100ec_00000000
+[ 2.884972] talitos ff020000.crypto: failed to reset channel 0
+[ 2.890503] talitos ff020000.crypto: done overflow, internal time out, or rngu error: ISR 0x20000000_00020000
+[ 2.900652] alg: aead: encryption failed on test 1 for authenc-hmac-sha224-cbc-3des-talitos: ret=22
+
+This is due to SHA224 not being supported by the HW. Allthough for
+hash we are able to init the hash context by SW, it is not
+possible for AEAD. Therefore SHA224 AEAD has to be deactivated.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/talitos.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -3068,6 +3068,11 @@ static struct talitos_crypto_alg *talito
+ t_alg->algt.alg.aead.setkey = aead_setkey;
+ t_alg->algt.alg.aead.encrypt = aead_encrypt;
+ t_alg->algt.alg.aead.decrypt = aead_decrypt;
++ if (!(priv->features & TALITOS_FTR_SHA224_HWINIT) &&
++ !strncmp(alg->cra_name, "authenc(hmac(sha224)", 20)) {
++ kfree(t_alg);
++ return ERR_PTR(-ENOTSUPP);
++ }
+ break;
+ case CRYPTO_ALG_TYPE_AHASH:
+ alg = &t_alg->algt.alg.hash.halg.base;
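Review bot: The prefix test `!strncmp(alg->cra_name, "authenc(hmac(sha224)", 20)` hard-codes the length of the literal, so editing the string without the count silently changes what is matched and could let a sha224 AEAD register on hardware without TALITOS_FTR_SHA224_HWINIT. `strstarts(alg->cra_name, "authenc(hmac(sha224)")` expresses the same test without the magic number. A one-line comment such as `/* HW cannot init a SHA224 context and AEAD has no SW fallback */` above the check would also record why the algorithm is dropped. `alg` is assigned, and the function ends, outside this hunk.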
--- /dev/null
+From ec8c7d14acc0a477429d3a6fade5dab72c996c82 Mon Sep 17 00:00:00 2001
+From: LEROY Christophe <christophe.leroy@c-s.fr>
+Date: Fri, 6 Oct 2017 15:04:33 +0200
+Subject: crypto: talitos - fix AEAD test failures
+
+From: LEROY Christophe <christophe.leroy@c-s.fr>
+
+commit ec8c7d14acc0a477429d3a6fade5dab72c996c82 upstream.
+
+AEAD tests fail when destination SG list has more than 1 element.
+
+[ 2.058752] alg: aead: Test 1 failed on encryption for authenc-hmac-sha1-cbc-aes-talitos
+[ 2.066965] 00000000: 53 69 6e 67 6c 65 20 62 6c 6f 63 6b 20 6d 73 67
+00000010: c0 43 ff 74 c0 43 ff e0 de 83 d1 20 de 84 8e 54
+00000020: de 83 d7 c4
+[ 2.082138] alg: aead: Test 1 failed on encryption for authenc-hmac-sha1-cbc-aes-talitos
+[ 2.090435] 00000000: 53 69 6e 67 6c 65 20 62 6c 6f 63 6b 20 6d 73 67
+00000010: de 84 ea 58 c0 93 1a 24 de 84 e8 59 de 84 f1 20
+00000020: 00 00 00 00
+[ 2.105721] alg: aead: Test 1 failed on encryption for authenc-hmac-sha1-cbc-3des-talitos
+[ 2.114259] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
+00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
+00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
+00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
+00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
+00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
+00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
+00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
+00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
+00000090: c0 99 74 3c
+[ 2.166410] alg: aead: Test 1 failed on encryption for authenc-hmac-sha1-cbc-3des-talitos
+[ 2.174794] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
+00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
+00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
+00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
+00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
+00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
+00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
+00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
+00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
+00000090: c0 99 74 3c
+[ 2.226486] alg: No test for authenc(hmac(sha224),cbc(aes)) (authenc-hmac-sha224-cbc-aes-talitos)
+[ 2.236459] alg: No test for authenc(hmac(sha224),cbc(aes)) (authenc-hmac-sha224-cbc-aes-talitos)
+[ 2.247196] alg: aead: Test 1 failed on encryption for authenc-hmac-sha224-cbc-3des-talitos
+[ 2.255555] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
+00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
+00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
+00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
+00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
+00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
+00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
+00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
+00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
+00000090: c0 99 74 3c c0 96 e5 b8
+[ 2.309004] alg: aead: Test 1 failed on encryption for authenc-hmac-sha224-cbc-3des-talitos
+[ 2.317562] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
+00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
+00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
+00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
+00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
+00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
+00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
+00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
+00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
+00000090: c0 99 74 3c c0 96 e5 b8
+[ 2.370710] alg: aead: Test 1 failed on encryption for authenc-hmac-sha256-cbc-aes-talitos
+[ 2.379177] 00000000: 53 69 6e 67 6c 65 20 62 6c 6f 63 6b 20 6d 73 67
+00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
+00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
+[ 2.397863] alg: aead: Test 1 failed on encryption for authenc-hmac-sha256-cbc-aes-talitos
+[ 2.406134] 00000000: 53 69 6e 67 6c 65 20 62 6c 6f 63 6b 20 6d 73 67
+00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
+00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
+[ 2.424789] alg: aead: Test 1 failed on encryption for authenc-hmac-sha256-cbc-3des-talitos
+[ 2.433491] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
+00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
+00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
+00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
+00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
+00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
+00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
+00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
+00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
+00000090: c0 99 74 3c c0 96 e5 b8 c0 96 e9 20 c0 00 3d dc
+[ 2.488832] alg: aead: Test 1 failed on encryption for authenc-hmac-sha256-cbc-3des-talitos
+[ 2.497387] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
+00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
+00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
+00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
+00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
+00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
+00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
+00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
+00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
+00000090: c0 99 74 3c c0 96 e5 b8 c0 96 e9 20 c0 00 3d dc
+
+This patch fixes that.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/talitos.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -1232,12 +1232,11 @@ static int ipsec_esp(struct talitos_edes
+ sg_link_tbl_len += authsize;
+ }
+
+- sg_count = talitos_sg_map(dev, areq->src, cryptlen, edesc,
+- &desc->ptr[4], sg_count, areq->assoclen,
+- tbl_off);
++ ret = talitos_sg_map(dev, areq->src, cryptlen, edesc, &desc->ptr[4],
++ sg_count, areq->assoclen, tbl_off);
+
+- if (sg_count > 1) {
+- tbl_off += sg_count;
++ if (ret > 1) {
++ tbl_off += ret;
+ sync_needed = true;
+ }
+
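Review bot: Nothing in the code says why the return value of `talitos_sg_map()` now goes into `ret` rather than `sg_count`, and the commit message stops at "This patch fixes that". A short comment above the call, e.g. `/* keep sg_count intact: it is apparently needed again when the dst list is mapped */`, would stop a later cleanup from folding the two variables back together. Whether `talitos_sg_map()` can return a negative value is not visible here; if it can, `if (ret > 1)` silently treats a failure like the single-entry case and deserves an explicit check. ipsec_esp() begins and ends outside the hunk.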
--- /dev/null
+From 70d355ccea899dad47dc22d3a4406998f55143fd Mon Sep 17 00:00:00 2001
+From: LEROY Christophe <christophe.leroy@c-s.fr>
+Date: Fri, 6 Oct 2017 15:04:43 +0200
+Subject: crypto: talitos - fix ctr-aes-talitos
+
+From: LEROY Christophe <christophe.leroy@c-s.fr>
+
+commit 70d355ccea899dad47dc22d3a4406998f55143fd upstream.
+
+ctr-aes-talitos test fails as follows on SEC2
+
+[ 0.837427] alg: skcipher: Test 1 failed (invalid result) on encryption for ctr-aes-talitos
+[ 0.845763] 00000000: 16 36 d5 ee 34 f8 06 25 d7 7f 8e 56 ca 88 43 45
+[ 0.852345] 00000010: f9 3f f7 17 2a b2 12 23 30 43 09 15 82 dd e1 97
+[ 0.858940] 00000020: a7 f7 32 b5 eb 25 06 13 9a ec f5 29 25 f8 4d 66
+[ 0.865366] 00000030: b0 03 5b 8e aa 9a 42 b6 19 33 8a e2 9d 65 96 95
+
+This patch fixes the descriptor type which is special for CTR AES
+
+Fixes: 5e75ae1b3cef6 ("crypto: talitos - add new crypto modes")
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/talitos.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -2635,7 +2635,7 @@ static struct talitos_alg_template drive
+ .ivsize = AES_BLOCK_SIZE,
+ }
+ },
+- .desc_hdr_template = DESC_HDR_TYPE_COMMON_NONSNOOP_NO_AFEU |
++ .desc_hdr_template = DESC_HDR_TYPE_AESU_CTR_NONSNOOP |
+ DESC_HDR_SEL0_AESU |
+ DESC_HDR_MODE0_AESU_CTR,
+ },
--- /dev/null
+From e04a61bebc5da1535b6f194b464295b8d558e2fc Mon Sep 17 00:00:00 2001
+From: LEROY Christophe <christophe.leroy@c-s.fr>
+Date: Fri, 6 Oct 2017 15:04:35 +0200
+Subject: crypto: talitos - fix memory corruption on SEC2
+
+From: LEROY Christophe <christophe.leroy@c-s.fr>
+
+commit e04a61bebc5da1535b6f194b464295b8d558e2fc upstream.
+
+On SEC2, when using the old descriptors type (hmac snoop no afeu)
+for doing IPsec, the CICV out pointeur points out of the allocated
+memory.
+
+[ 2.502554] =============================================================================
+[ 2.510740] BUG dma-kmalloc-256 (Not tainted): Redzone overwritten
+[ 2.516907] -----------------------------------------------------------------------------
+[ 2.516907]
+[ 2.526535] Disabling lock debugging due to kernel taint
+[ 2.531845] INFO: 0xde858108-0xde85810b. First byte 0xf8 instead of 0xcc
+[ 2.538549] INFO: Allocated in 0x806181a9 age=0 cpu=0 pid=58
+[ 2.544229] __kmalloc+0x374/0x564
+[ 2.547649] talitos_edesc_alloc+0x17c/0x48c
+[ 2.551929] aead_edesc_alloc+0x80/0x154
+[ 2.555863] aead_encrypt+0x30/0xe0
+[ 2.559368] __test_aead+0x5a0/0x1f3c
+[ 2.563042] test_aead+0x2c/0x110
+[ 2.566371] alg_test_aead+0x5c/0xf4
+[ 2.569958] alg_test+0x1dc/0x5a0
+[ 2.573305] cryptomgr_test+0x50/0x70
+[ 2.576984] kthread+0xd8/0x134
+[ 2.580155] ret_from_kernel_thread+0x5c/0x64
+[ 2.584534] INFO: Freed in ipsec_esp_encrypt_done+0x130/0x240 age=6 cpu=0 pid=0
+[ 2.591839] ipsec_esp_encrypt_done+0x130/0x240
+[ 2.596395] flush_channel+0x1dc/0x488
+[ 2.600161] talitos2_done_4ch+0x30/0x200
+[ 2.604185] tasklet_action+0xa0/0x13c
+[ 2.607948] __do_softirq+0x148/0x6cc
+[ 2.611623] irq_exit+0xc0/0x124
+[ 2.614869] call_do_irq+0x24/0x3c
+[ 2.618292] do_IRQ+0x78/0x108
+[ 2.621369] ret_from_except+0x0/0x14
+[ 2.625055] finish_task_switch+0x58/0x350
+[ 2.629165] schedule+0x80/0x134
+[ 2.632409] schedule_preempt_disabled+0x38/0xc8
+[ 2.637042] cpu_startup_entry+0xe4/0x190
+[ 2.641074] start_kernel+0x3f4/0x408
+[ 2.644741] 0x3438
+[ 2.646857] INFO: Slab 0xdffbdb00 objects=9 used=1 fp=0xde8581c0 flags=0x0080
+[ 2.653978] INFO: Object 0xde858008 @offset=8 fp=0xca4395df
+[ 2.653978]
+[ 2.661032] Redzone de858000: cc cc cc cc cc cc cc cc ........
+[ 2.669029] Object de858008: 00 00 00 02 00 00 00 02 00 6b 6b 6b 1e 83 ea 28 .........kkk...(
+[ 2.677628] Object de858018: 00 00 00 70 1e 85 80 64 ff 73 1d 21 6b 6b 6b 6b ...p...d.s.!kkkk
+[ 2.686228] Object de858028: 00 20 00 00 1e 84 17 24 00 10 00 00 1e 85 70 00 . .....$......p.
+[ 2.694829] Object de858038: 00 18 00 00 1e 84 17 44 00 08 00 00 1e 83 ea 28 .......D.......(
+[ 2.703430] Object de858048: 00 80 00 00 1e 84 f0 00 00 80 00 00 1e 85 70 10 ..............p.
+[ 2.712030] Object de858058: 00 20 6b 00 1e 85 80 f4 6b 6b 6b 6b 00 80 02 00 . k.....kkkk....
+[ 2.720629] Object de858068: 1e 84 f0 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b ....kkkkkkkkkkkk
+[ 2.729230] Object de858078: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+[ 2.737830] Object de858088: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+[ 2.746429] Object de858098: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+[ 2.755029] Object de8580a8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+[ 2.763628] Object de8580b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+[ 2.772229] Object de8580c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+[ 2.780829] Object de8580d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+[ 2.789430] Object de8580e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 73 b0 ea 9f kkkkkkkkkkkks...
+[ 2.798030] Object de8580f8: e8 18 80 d6 56 38 44 c0 db e3 4f 71 f7 ce d1 d3 ....V8D...Oq....
+[ 2.806629] Redzone de858108: f8 bd 3e 4f ..>O
+[ 2.814279] Padding de8581b0: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
+[ 2.822283] CPU: 0 PID: 0 Comm: swapper Tainted: G B 4.9.50-g995be12679 #179
+[ 2.831819] Call Trace:
+[ 2.834301] [dffefd20] [c01aa9a8] check_bytes_and_report+0x100/0x194 (unreliable)
+[ 2.841801] [dffefd50] [c01aac3c] check_object+0x200/0x530
+[ 2.847306] [dffefd80] [c01ae584] free_debug_processing+0x290/0x690
+[ 2.853585] [dffefde0] [c01aec8c] __slab_free+0x308/0x628
+[ 2.859000] [dffefe80] [c05057f4] ipsec_esp_encrypt_done+0x130/0x240
+[ 2.865378] [dffefeb0] [c05002c4] flush_channel+0x1dc/0x488
+[ 2.870968] [dffeff10] [c05007a8] talitos2_done_4ch+0x30/0x200
+[ 2.876814] [dffeff30] [c002fe38] tasklet_action+0xa0/0x13c
+[ 2.882399] [dffeff60] [c002f118] __do_softirq+0x148/0x6cc
+[ 2.887896] [dffeffd0] [c002f954] irq_exit+0xc0/0x124
+[ 2.892968] [dffefff0] [c0013adc] call_do_irq+0x24/0x3c
+[ 2.898213] [c0d4be00] [c000757c] do_IRQ+0x78/0x108
+[ 2.903113] [c0d4be30] [c0015c08] ret_from_except+0x0/0x14
+[ 2.908634] --- interrupt: 501 at finish_task_switch+0x70/0x350
+[ 2.908634] LR = finish_task_switch+0x58/0x350
+[ 2.919327] [c0d4bf20] [c085e1d4] schedule+0x80/0x134
+[ 2.924398] [c0d4bf50] [c085e2c0] schedule_preempt_disabled+0x38/0xc8
+[ 2.930853] [c0d4bf60] [c007f064] cpu_startup_entry+0xe4/0x190
+[ 2.936707] [c0d4bfb0] [c096c434] start_kernel+0x3f4/0x408
+[ 2.942198] [c0d4bff0] [00003438] 0x3438
+[ 2.946137] FIX dma-kmalloc-256: Restoring 0xde858108-0xde85810b=0xcc
+[ 2.946137]
+[ 2.954158] FIX dma-kmalloc-256: Object at 0xde858008 not freed
+
+This patch reworks the handling of the CICV out in order
+to properly handle all cases.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/talitos.c | 42 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 28 insertions(+), 14 deletions(-)
+
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -1247,14 +1247,15 @@ static int ipsec_esp(struct talitos_edes
+ dma_map_sg(dev, areq->dst, sg_count, DMA_FROM_DEVICE);
+ }
+
+- sg_count = talitos_sg_map(dev, areq->dst, cryptlen, edesc,
+- &desc->ptr[5], sg_count, areq->assoclen,
+- tbl_off);
++ ret = talitos_sg_map(dev, areq->dst, cryptlen, edesc, &desc->ptr[5],
++ sg_count, areq->assoclen, tbl_off);
+
+ if (desc->hdr & DESC_HDR_TYPE_IPSEC_ESP)
+ to_talitos_ptr_ext_or(&desc->ptr[5], authsize, is_sec1);
+
+- if (sg_count > 1) {
++ /* ICV data */
++ if (ret > 1) {
++ tbl_off += ret;
+ edesc->icv_ool = true;
+ sync_needed = true;
+
+@@ -1264,9 +1265,7 @@ static int ipsec_esp(struct talitos_edes
+ sizeof(struct talitos_ptr) + authsize;
+
+ /* Add an entry to the link table for ICV data */
+- tbl_ptr += sg_count - 1;
+- to_talitos_ptr_ext_set(tbl_ptr, 0, is_sec1);
+- tbl_ptr++;
++ to_talitos_ptr_ext_set(tbl_ptr - 1, 0, is_sec1);
+ to_talitos_ptr_ext_set(tbl_ptr, DESC_PTR_LNKTBL_RETURN,
+ is_sec1);
+ to_talitos_ptr_len(tbl_ptr, authsize, is_sec1);
+@@ -1274,18 +1273,33 @@ static int ipsec_esp(struct talitos_edes
+ /* icv data follows link tables */
+ to_talitos_ptr(tbl_ptr, edesc->dma_link_tbl + offset,
+ is_sec1);
++ } else {
++ dma_addr_t addr = edesc->dma_link_tbl;
++
++ if (is_sec1)
++ addr += areq->assoclen + cryptlen;
++ else
++ addr += sizeof(struct talitos_ptr) * tbl_off;
++
++ to_talitos_ptr(&desc->ptr[6], addr, is_sec1);
++ to_talitos_ptr_len(&desc->ptr[6], authsize, is_sec1);
++ }
++ } else if (!(desc->hdr & DESC_HDR_TYPE_IPSEC_ESP)) {
++ ret = talitos_sg_map(dev, areq->dst, authsize, edesc,
++ &desc->ptr[6], sg_count, areq->assoclen +
++ cryptlen,
++ tbl_off);
++ if (ret > 1) {
++ tbl_off += ret;
++ edesc->icv_ool = true;
++ sync_needed = true;
++ } else {
++ edesc->icv_ool = false;
+ }
+ } else {
+ edesc->icv_ool = false;
+ }
+
+- /* ICV data */
+- if (!(desc->hdr & DESC_HDR_TYPE_IPSEC_ESP)) {
+- to_talitos_ptr_len(&desc->ptr[6], authsize, is_sec1);
+- to_talitos_ptr(&desc->ptr[6], edesc->dma_link_tbl +
+- areq->assoclen + cryptlen, is_sec1);
+- }
+-
+ /* iv out */
+ if (desc->hdr & DESC_HDR_TYPE_IPSEC_ESP)
+ map_single_talitos_ptr(dev, &desc->ptr[6], ivsize, ctx->iv,
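Review bot: In the new `else` branch the ICV destination for non-SEC1 parts is computed as `edesc->dma_link_tbl + sizeof(struct talitos_ptr) * tbl_off`, but nothing in the hunk shows that the buffer behind `dma_link_tbl` has `authsize` bytes available at that offset. The bug being fixed is a device write past a kmalloc object, so the assumption should be stated next to the arithmetic, with a comment naming the sizing in talitos_edesc_alloc() that reserves the space, and ideally a debug-time check of `addr + authsize` against the mapped length if the descriptor records one. The same applies to `to_talitos_ptr_ext_set(tbl_ptr - 1, 0, is_sec1)` in the second hunk, which is only in bounds if `tbl_ptr` is derived from `tbl_off` after the added `tbl_off += ret`; its declaration is outside the hunks. ipsec_esp() starts and ends outside all three hunks.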
--- /dev/null
+From f384cdc4faf350fdb6ad93c5f26952b9ba7c7566 Mon Sep 17 00:00:00 2001
+From: LEROY Christophe <christophe.leroy@c-s.fr>
+Date: Fri, 6 Oct 2017 15:04:37 +0200
+Subject: crypto: talitos - fix setkey to check key weakness
+
+From: LEROY Christophe <christophe.leroy@c-s.fr>
+
+commit f384cdc4faf350fdb6ad93c5f26952b9ba7c7566 upstream.
+
+Crypto manager test report the following failures:
+[ 3.061081] alg: skcipher: setkey failed on test 5 for ecb-des-talitos: flags=100
+[ 3.069342] alg: skcipher-ddst: setkey failed on test 5 for ecb-des-talitos: flags=100
+[ 3.077754] alg: skcipher-ddst: setkey failed on test 5 for ecb-des-talitos: flags=100
+
+This is due to setkey being expected to detect weak keys.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/talitos.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -1507,12 +1507,20 @@ static int ablkcipher_setkey(struct cryp
+ const u8 *key, unsigned int keylen)
+ {
+ struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher);
++ u32 tmp[DES_EXPKEY_WORDS];
+
+ if (keylen > TALITOS_MAX_KEY_SIZE) {
+ crypto_ablkcipher_set_flags(cipher, CRYPTO_TFM_RES_BAD_KEY_LEN);
+ return -EINVAL;
+ }
+
++ if (unlikely(crypto_ablkcipher_get_flags(cipher) &
++ CRYPTO_TFM_REQ_WEAK_KEY) &&
++ !des_ekey(tmp, key)) {
++ crypto_ablkcipher_set_flags(cipher, CRYPTO_TFM_RES_WEAK_KEY);
++ return -EINVAL;
++ }
++
+ memcpy(&ctx->key, key, keylen);
+ ctx->keylen = keylen;
+
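Review bot: The added weak-key test calls `des_ekey(tmp, key)` whenever CRYPTO_TFM_REQ_WEAK_KEY is set, without checking that the key is a DES key; the only length check above it is an upper bound, so a key shorter than a DES key would presumably be read past its end, and a non-DES key could be rejected on the strength of its first eight bytes. Whether ablkcipher_setkey() is shared with non-DES templates is not visible in this hunk, so this needs confirming against the algorithm table. I would gate the call by putting `keylen == DES_KEY_SIZE &&` first in the condition. The expanded key schedule is also left in `tmp` on the stack on both paths, and clearing it with `memzero_explicit(tmp, sizeof(tmp));` once the result is known would avoid that. The function continues past the end of the hunk.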
--- /dev/null
+From fbb22137c4d9bab536958b152d096fb3f98020ea Mon Sep 17 00:00:00 2001
+From: LEROY Christophe <christophe.leroy@c-s.fr>
+Date: Fri, 6 Oct 2017 15:04:41 +0200
+Subject: crypto: talitos - fix use of sg_link_tbl_len
+
+From: LEROY Christophe <christophe.leroy@c-s.fr>
+
+commit fbb22137c4d9bab536958b152d096fb3f98020ea upstream.
+
+sg_link_tbl_len shall be used instead of cryptlen, otherwise
+SECs which perform HW CICV verification will fail.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/talitos.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -1232,8 +1232,8 @@ static int ipsec_esp(struct talitos_edes
+ sg_link_tbl_len += authsize;
+ }
+
+- ret = talitos_sg_map(dev, areq->src, cryptlen, edesc, &desc->ptr[4],
+- sg_count, areq->assoclen, tbl_off);
++ ret = talitos_sg_map(dev, areq->src, sg_link_tbl_len, edesc,
++ &desc->ptr[4], sg_count, areq->assoclen, tbl_off);
+
+ if (ret > 1) {
+ tbl_off += ret;
--- /dev/null
+From c0c379e2931b05facef538e53bf3b21f283d9a0b Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Thu, 13 Apr 2017 14:56:23 -0700
+Subject: mm: drop unused pmdp_huge_get_and_clear_notify()
+
+From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+commit c0c379e2931b05facef538e53bf3b21f283d9a0b upstream.
+
+Dave noticed that after fixing MADV_DONTNEED vs numa balancing race the
+last pmdp_huge_get_and_clear_notify() user is gone.
+
+Let's drop the helper.
+
+Link: http://lkml.kernel.org/r/20170306112047.24809-1-kirill.shutemov@linux.intel.com
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[jwang: adjust context for 4.9]
+Signed-off-by: Jack Wang <jinpu.wang@profitbricks.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mmu_notifier.h | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+--- a/include/linux/mmu_notifier.h
++++ b/include/linux/mmu_notifier.h
+@@ -381,18 +381,6 @@ static inline void mmu_notifier_mm_destr
+ ___pmd; \
+ })
+
+-#define pmdp_huge_get_and_clear_notify(__mm, __haddr, __pmd) \
+-({ \
+- unsigned long ___haddr = __haddr & HPAGE_PMD_MASK; \
+- pmd_t ___pmd; \
+- \
+- ___pmd = pmdp_huge_get_and_clear(__mm, __haddr, __pmd); \
+- mmu_notifier_invalidate_range(__mm, ___haddr, \
+- ___haddr + HPAGE_PMD_SIZE); \
+- \
+- ___pmd; \
+-})
+-
+ /*
+ * set_pte_at_notify() sets the pte _after_ running the notifier.
+ * This is safe to start by updating the secondary MMUs, because the primary MMU
+@@ -480,7 +468,6 @@ static inline void mmu_notifier_mm_destr
+ #define pmdp_clear_young_notify pmdp_test_and_clear_young
+ #define ptep_clear_flush_notify ptep_clear_flush
+ #define pmdp_huge_clear_flush_notify pmdp_huge_clear_flush
+-#define pmdp_huge_get_and_clear_notify pmdp_huge_get_and_clear
+ #define set_pte_at_notify set_pte_at
+
+ #endif /* CONFIG_MMU_NOTIFIER */
bus-arm-ccn-check-memory-allocation-failure.patch
bus-arm-ccn-fix-use-of-smp_processor_id-in-preemptible-context.patch
bus-arm-ccn-fix-module-unloading-error-removing-state-147-which-has-instances-left.patch
+crypto-talitos-fix-aead-test-failures.patch
+crypto-talitos-fix-memory-corruption-on-sec2.patch
+crypto-talitos-fix-setkey-to-check-key-weakness.patch
+crypto-talitos-fix-aead-for-sha224-on-non-sha224-capable-chips.patch
+crypto-talitos-fix-use-of-sg_link_tbl_len.patch
+crypto-talitos-fix-ctr-aes-talitos.patch
+usb-f_fs-force-reserved1-1-in-os_desc_ext_compat.patch
+arm-bug-if-jumping-to-usermode-address-in-kernel-mode.patch
+arm-avoid-faulting-on-qemu.patch
+thp-reduce-indentation-level-in-change_huge_pmd.patch
+thp-fix-madv_dontneed-vs.-numa-balancing-race.patch
+mm-drop-unused-pmdp_huge_get_and_clear_notify.patch
--- /dev/null
+From ced108037c2aa542b3ed8b7afd1576064ad1362a Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Thu, 13 Apr 2017 14:56:20 -0700
+Subject: thp: fix MADV_DONTNEED vs. numa balancing race
+
+From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+commit ced108037c2aa542b3ed8b7afd1576064ad1362a upstream.
+
+In case prot_numa, we are under down_read(mmap_sem). It's critical to
+not clear pmd intermittently to avoid race with MADV_DONTNEED which is
+also under down_read(mmap_sem):
+
+ CPU0: CPU1:
+ change_huge_pmd(prot_numa=1)
+ pmdp_huge_get_and_clear_notify()
+madvise_dontneed()
+ zap_pmd_range()
+ pmd_trans_huge(*pmd) == 0 (without ptl)
+ // skip the pmd
+ set_pmd_at();
+ // pmd is re-established
+
+The race makes MADV_DONTNEED miss the huge pmd and don't clear it
+which may break userspace.
+
+Found by code analysis, never saw triggered.
+
+Link: http://lkml.kernel.org/r/20170302151034.27829-3-kirill.shutemov@linux.intel.com
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[jwang: adjust context for 4.9 ]
+Signed-off-by: Jack Wang <jinpu.wang@profitbricks.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/huge_memory.c | 34 +++++++++++++++++++++++++++++++++-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -1531,7 +1531,39 @@ int change_huge_pmd(struct vm_area_struc
+ if (prot_numa && pmd_protnone(*pmd))
+ goto unlock;
+
+- entry = pmdp_huge_get_and_clear_notify(mm, addr, pmd);
++ /*
++ * In case prot_numa, we are under down_read(mmap_sem). It's critical
++ * to not clear pmd intermittently to avoid race with MADV_DONTNEED
++ * which is also under down_read(mmap_sem):
++ *
++ * CPU0: CPU1:
++ * change_huge_pmd(prot_numa=1)
++ * pmdp_huge_get_and_clear_notify()
++ * madvise_dontneed()
++ * zap_pmd_range()
++ * pmd_trans_huge(*pmd) == 0 (without ptl)
++ * // skip the pmd
++ * set_pmd_at();
++ * // pmd is re-established
++ *
++ * The race makes MADV_DONTNEED miss the huge pmd and don't clear it
++ * which may break userspace.
++ *
++ * pmdp_invalidate() is required to make sure we don't miss
++ * dirty/young flags set by hardware.
++ */
++ entry = *pmd;
++ pmdp_invalidate(vma, addr, pmd);
++
++ /*
++ * Recover dirty/young flags. It relies on pmdp_invalidate to not
++ * corrupt them.
++ */
++ if (pmd_dirty(*pmd))
++ entry = pmd_mkdirty(entry);
++ if (pmd_young(*pmd))
++ entry = pmd_mkyoung(entry);
++
+ entry = pmd_modify(entry, newprot);
+ if (preserve_write)
+ entry = pmd_mkwrite(entry);
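Review bot: The replaced helper did more than clear the pmd: the `pmdp_huge_get_and_clear_notify()` definition removed elsewhere on this page also called `mmu_notifier_invalidate_range()` for the huge-page range, and the new `entry = *pmd; pmdp_invalidate(vma, addr, pmd);` sequence shows no equivalent. If callers of change_huge_pmd() do not already bracket the update with notifier range start/end calls, secondary MMUs could keep a stale translation with the old protection; that should be confirmed and recorded in the comment. The comment's race diagram also still names `pmdp_huge_get_and_clear_notify()`, which this code no longer calls, so I would reword it to say the diagram shows the behaviour being avoided. The function begins and ends outside the hunk.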
--- /dev/null
+From 0a85e51d37645e9ce57e5e1a30859e07810ed07c Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Thu, 13 Apr 2017 14:56:17 -0700
+Subject: thp: reduce indentation level in change_huge_pmd()
+
+From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+commit 0a85e51d37645e9ce57e5e1a30859e07810ed07c upstream.
+
+Patch series "thp: fix few MADV_DONTNEED races"
+
+For MADV_DONTNEED to work properly with huge pages, it's critical to not
+clear pmd intermittently unless you hold down_write(mmap_sem).
+
+Otherwise MADV_DONTNEED can miss the THP which can lead to userspace
+breakage.
+
+See example of such race in commit message of patch 2/4.
+
+All these races are found by code inspection. I haven't seen them
+triggered. I don't think it's worth to apply them to stable@.
+
+This patch (of 4):
+
+Restructure code in preparation for a fix.
+
+Link: http://lkml.kernel.org/r/20170302151034.27829-2-kirill.shutemov@linux.intel.com
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[jwang: adjust context for 4.9]
+Signed-off-by: Jack Wang <jinpu.wang@profitbricks.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/huge_memory.c | 56 +++++++++++++++++++++++++++----------------------------
+ 1 file changed, 28 insertions(+), 28 deletions(-)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -1509,37 +1509,37 @@ int change_huge_pmd(struct vm_area_struc
+ {
+ struct mm_struct *mm = vma->vm_mm;
+ spinlock_t *ptl;
+- int ret = 0;
++ pmd_t entry;
++ bool preserve_write;
++ int ret;
+
+ ptl = __pmd_trans_huge_lock(pmd, vma);
+- if (ptl) {
+- pmd_t entry;
+- bool preserve_write = prot_numa && pmd_write(*pmd);
+- ret = 1;
+-
+- /*
+- * Avoid trapping faults against the zero page. The read-only
+- * data is likely to be read-cached on the local CPU and
+- * local/remote hits to the zero page are not interesting.
+- */
+- if (prot_numa && is_huge_zero_pmd(*pmd)) {
+- spin_unlock(ptl);
+- return ret;
+- }
+-
+- if (!prot_numa || !pmd_protnone(*pmd)) {
+- entry = pmdp_huge_get_and_clear_notify(mm, addr, pmd);
+- entry = pmd_modify(entry, newprot);
+- if (preserve_write)
+- entry = pmd_mkwrite(entry);
+- ret = HPAGE_PMD_NR;
+- set_pmd_at(mm, addr, pmd, entry);
+- BUG_ON(vma_is_anonymous(vma) && !preserve_write &&
+- pmd_write(entry));
+- }
+- spin_unlock(ptl);
+- }
++ if (!ptl)
++ return 0;
+
++ preserve_write = prot_numa && pmd_write(*pmd);
++ ret = 1;
++
++ /*
++ * Avoid trapping faults against the zero page. The read-only
++ * data is likely to be read-cached on the local CPU and
++ * local/remote hits to the zero page are not interesting.
++ */
++ if (prot_numa && is_huge_zero_pmd(*pmd))
++ goto unlock;
++
++ if (prot_numa && pmd_protnone(*pmd))
++ goto unlock;
++
++ entry = pmdp_huge_get_and_clear_notify(mm, addr, pmd);
++ entry = pmd_modify(entry, newprot);
++ if (preserve_write)
++ entry = pmd_mkwrite(entry);
++ ret = HPAGE_PMD_NR;
++ set_pmd_at(mm, addr, pmd, entry);
++ BUG_ON(vma_is_anonymous(vma) && !preserve_write && pmd_write(entry));
++unlock:
++ spin_unlock(ptl);
+ return ret;
+ }
+
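Review bot: The second early exit, `if (prot_numa && pmd_protnone(*pmd)) goto unlock;`, has no comment, while the zero-page exit directly above it explains itself. Once flattened the two guards read as a pair, and the reason for the second is no longer visible from the nesting. A one-line comment such as `/* prot_numa: pmd is already protnone, leave it untouched */` would help. Also, `ret` is no longer initialised at its declaration, so any exit path added before `ret = 1` has to set it explicitly.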
--- /dev/null
+From a3acc696085e112733d191a77b106e67a4fa110b Mon Sep 17 00:00:00 2001
+From: John Keeping <john@metanate.com>
+Date: Mon, 27 Nov 2017 18:15:40 +0000
+Subject: usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT
+
+From: John Keeping <john@metanate.com>
+
+commit a3acc696085e112733d191a77b106e67a4fa110b upstream.
+
+The specification says that the Reserved1 field in OS_DESC_EXT_COMPAT
+must have the value "1", but when this feature was first implemented we
+rejected any non-zero values.
+
+This was adjusted to accept all non-zero values (while now rejecting
+zero) in commit 53642399aa71 ("usb: gadget: f_fs: Fix wrong check on
+reserved1 of OS_DESC_EXT_COMPAT"), but that breaks any userspace
+programs that worked previously by returning EINVAL when Reserved1 == 0
+which was previously the only value that succeeded!
+
+If we just set the field to "1" ourselves, both old and new userspace
+programs continue to work correctly and, as a bonus, old programs are
+now compliant with the specification without having to fix anything
+themselves.
+
+Fixes: 53642399aa71 ("usb: gadget: f_fs: Fix wrong check on reserved1 of OS_DESC_EXT_COMPAT")
+Signed-off-by: John Keeping <john@metanate.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_fs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -2262,9 +2262,18 @@ static int __ffs_data_do_os_desc(enum ff
+ int i;
+
+ if (len < sizeof(*d) ||
+- d->bFirstInterfaceNumber >= ffs->interfaces_count ||
+- d->Reserved1)
++ d->bFirstInterfaceNumber >= ffs->interfaces_count)
+ return -EINVAL;
++ if (d->Reserved1 != 1) {
++ /*
++ * According to the spec, Reserved1 must be set to 1
++ * but older kernels incorrectly rejected non-zero
++ * values. We fix it here to avoid returning EINVAL
++ * in response to values we used to accept.
++ */
++ pr_debug("usb_ext_compat_desc::Reserved1 forced to 1\n");
++ d->Reserved1 = 1;
++ }
+ for (i = 0; i < ARRAY_SIZE(d->Reserved2); ++i)
+ if (d->Reserved2[i])
+ return -EINVAL;
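Review bot: The added branch `if (d->Reserved1 != 1)` writes through `d` into the descriptor supplied by the caller, inside what is otherwise a pure validation pass. The only trace is a `pr_debug`, which is normally disabled, so an out-of-spec descriptor is normalised silently. The comment mentions only the historical zero and non-zero cases; it should say that every value is rewritten, e.g. `* Any value other than 1, including 0, is overwritten rather than rejected.`. The function continues outside this hunk, so it is worth confirming that nothing later relies on the buffer still holding the bytes userspace wrote.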