3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 28 Feb 2015 23:05:52 +0000 (15:05 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 28 Feb 2015 23:05:52 +0000 (15:05 -0800)
added patches:
added-little-endian-support-to-vtpm-module.patch
cfq-iosched-fix-incorrect-filing-of-rt-async-cfqq.patch
cfq-iosched-handle-failure-of-cfq-group-allocation.patch
iscsi-target-drop-problematic-active_ts_list-usage.patch
nfsv4.1-fix-a-kfree-of-uninitialised-pointers-in-decode_cb_sequence_args.patch
tpm-fix-null-return-in-tpm_ibmvtpm_get_desired_dma.patch
tpm-tpm_i2c_stm_st33-fix-potential-bug-in-tpm_stm_i2c_send.patch

queue-3.10/added-little-endian-support-to-vtpm-module.patch [new file with mode: 0644]
queue-3.10/cfq-iosched-fix-incorrect-filing-of-rt-async-cfqq.patch [new file with mode: 0644]
queue-3.10/cfq-iosched-handle-failure-of-cfq-group-allocation.patch [new file with mode: 0644]
queue-3.10/iscsi-target-drop-problematic-active_ts_list-usage.patch [new file with mode: 0644]
queue-3.10/nfsv4.1-fix-a-kfree-of-uninitialised-pointers-in-decode_cb_sequence_args.patch [new file with mode: 0644]
queue-3.10/series
queue-3.10/tpm-fix-null-return-in-tpm_ibmvtpm_get_desired_dma.patch [new file with mode: 0644]
queue-3.10/tpm-tpm_i2c_stm_st33-fix-potential-bug-in-tpm_stm_i2c_send.patch [new file with mode: 0644]

diff --git a/queue-3.10/added-little-endian-support-to-vtpm-module.patch b/queue-3.10/added-little-endian-support-to-vtpm-module.patch
new file mode 100644 (file)
index 0000000..93ff6f6
--- /dev/null
@@ -0,0 +1,100 @@
+From eb71f8a5e33fa1066fb92f0111ab366a341e1f6c Mon Sep 17 00:00:00 2001
+From: honclo <honclo@imap.linux.ibm.com>
+Date: Thu, 12 Feb 2015 21:02:24 -0500
+Subject: Added Little Endian support to vtpm module
+
+From: honclo <honclo@imap.linux.ibm.com>
+
+commit eb71f8a5e33fa1066fb92f0111ab366a341e1f6c upstream.
+
+The tpm_ibmvtpm module is affected by an unaligned access problem.
+ibmvtpm_crq_get_version failed with rc=-4 during boot when vTPM is
+enabled in Power partition, which supports both little endian and
+big endian modes.
+
+We added little endian support to fix this problem:
+1) added cpu_to_be64 calls to ensure BE data is sent from an LE OS.
+2) added be16_to_cpu and be32_to_cpu calls to make sure data received
+   is in LE format on a LE OS.
+
+Signed-off-by: Hon Ching(Vicky) Lo <honclo@linux.vnet.ibm.com>
+Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
+[phuewe: manually applied the patch :( ]
+Reviewed-by: Ashley Lai <ashley@ahsleylai.com>
+Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm_ibmvtpm.c |   20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/drivers/char/tpm/tpm_ibmvtpm.c
++++ b/drivers/char/tpm/tpm_ibmvtpm.c
+@@ -148,7 +148,8 @@ static int tpm_ibmvtpm_send(struct tpm_c
+       crq.len = (u16)count;
+       crq.data = ibmvtpm->rtce_dma_handle;
+-      rc = ibmvtpm_send_crq(ibmvtpm->vdev, word[0], word[1]);
++      rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(word[0]),
++                            cpu_to_be64(word[1]));
+       if (rc != H_SUCCESS) {
+               dev_err(ibmvtpm->dev, "tpm_ibmvtpm_send failed rc=%d\n", rc);
+               rc = 0;
+@@ -186,7 +187,8 @@ static int ibmvtpm_crq_get_rtce_size(str
+       crq.valid = (u8)IBMVTPM_VALID_CMD;
+       crq.msg = (u8)VTPM_GET_RTCE_BUFFER_SIZE;
+-      rc = ibmvtpm_send_crq(ibmvtpm->vdev, buf[0], buf[1]);
++      rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(buf[0]),
++                            cpu_to_be64(buf[1]));
+       if (rc != H_SUCCESS)
+               dev_err(ibmvtpm->dev,
+                       "ibmvtpm_crq_get_rtce_size failed rc=%d\n", rc);
+@@ -212,7 +214,8 @@ static int ibmvtpm_crq_get_version(struc
+       crq.valid = (u8)IBMVTPM_VALID_CMD;
+       crq.msg = (u8)VTPM_GET_VERSION;
+-      rc = ibmvtpm_send_crq(ibmvtpm->vdev, buf[0], buf[1]);
++      rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(buf[0]),
++                            cpu_to_be64(buf[1]));
+       if (rc != H_SUCCESS)
+               dev_err(ibmvtpm->dev,
+                       "ibmvtpm_crq_get_version failed rc=%d\n", rc);
+@@ -335,7 +338,8 @@ static int tpm_ibmvtpm_suspend(struct de
+       crq.valid = (u8)IBMVTPM_VALID_CMD;
+       crq.msg = (u8)VTPM_PREPARE_TO_SUSPEND;
+-      rc = ibmvtpm_send_crq(ibmvtpm->vdev, buf[0], buf[1]);
++      rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(buf[0]),
++                            cpu_to_be64(buf[1]));
+       if (rc != H_SUCCESS)
+               dev_err(ibmvtpm->dev,
+                       "tpm_ibmvtpm_suspend failed rc=%d\n", rc);
+@@ -519,11 +523,11 @@ static void ibmvtpm_crq_process(struct i
+       case IBMVTPM_VALID_CMD:
+               switch (crq->msg) {
+               case VTPM_GET_RTCE_BUFFER_SIZE_RES:
+-                      if (crq->len <= 0) {
++                      if (be16_to_cpu(crq->len) <= 0) {
+                               dev_err(ibmvtpm->dev, "Invalid rtce size\n");
+                               return;
+                       }
+-                      ibmvtpm->rtce_size = crq->len;
++                      ibmvtpm->rtce_size = be16_to_cpu(crq->len);
+                       ibmvtpm->rtce_buf = kmalloc(ibmvtpm->rtce_size,
+                                                   GFP_KERNEL);
+                       if (!ibmvtpm->rtce_buf) {
+@@ -544,11 +548,11 @@ static void ibmvtpm_crq_process(struct i
+                       return;
+               case VTPM_GET_VERSION_RES:
+-                      ibmvtpm->vtpm_version = crq->data;
++                      ibmvtpm->vtpm_version = be32_to_cpu(crq->data);
+                       return;
+               case VTPM_TPM_COMMAND_RES:
+                       /* len of the data in rtce buffer */
+-                      ibmvtpm->res_len = crq->len;
++                      ibmvtpm->res_len = be16_to_cpu(crq->len);
+                       wake_up_interruptible(&ibmvtpm->wq);
+                       return;
+               default:
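Review bot: In the tpm_ibmvtpm_send hunk, `crq.len = (u16)count;` and `crq.data = ibmvtpm->rtce_dma_handle;` are still stored in CPU byte order before the two 64-bit words go through `cpu_to_be64()`. Swapping the whole word keeps the struct's bytes in memory order but does not convert the multi-byte fields inside it, so on a little-endian kernel the length and DMA handle would presumably reach the hypervisor byte-reversed (the crq struct layout is outside the hunk, so confirm). Converting at assignment, `crq.len = cpu_to_be16(count);` and `crq.data = cpu_to_be32(ibmvtpm->rtce_dma_handle);`, would mirror the `be16_to_cpu`/`be32_to_cpu` reads added in ibmvtpm_crq_process. Separately, `be16_to_cpu(crq->len) <= 0` can only catch zero if the field is unsigned, as the `(u16)` cast suggests, and that hypervisor-supplied length becomes the `kmalloc` size and `res_len` with no upper bound visible in these hunks.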
diff --git a/queue-3.10/cfq-iosched-fix-incorrect-filing-of-rt-async-cfqq.patch b/queue-3.10/cfq-iosched-fix-incorrect-filing-of-rt-async-cfqq.patch
new file mode 100644 (file)
index 0000000..256f830
--- /dev/null
@@ -0,0 +1,116 @@
+From c6ce194325cef342313e3d27620411ce90a89c50 Mon Sep 17 00:00:00 2001
+From: Jeff Moyer <jmoyer@redhat.com>
+Date: Mon, 12 Jan 2015 15:21:01 -0500
+Subject: cfq-iosched: fix incorrect filing of rt async cfqq
+
+From: Jeff Moyer <jmoyer@redhat.com>
+
+commit c6ce194325cef342313e3d27620411ce90a89c50 upstream.
+
+Hi,
+
+If you can manage to submit an async write as the first async I/O from
+the context of a process with realtime scheduling priority, then a
+cfq_queue is allocated, but filed into the wrong async_cfqq bucket.  It
+ends up in the best effort array, but actually has realtime I/O
+scheduling priority set in cfqq->ioprio.
+
+The reason is that cfq_get_queue assumes the default scheduling class and
+priority when there is no information present (i.e. when the async cfqq
+is created):
+
+static struct cfq_queue *
+cfq_get_queue(struct cfq_data *cfqd, bool is_sync, struct cfq_io_cq *cic,
+             struct bio *bio, gfp_t gfp_mask)
+{
+       const int ioprio_class = IOPRIO_PRIO_CLASS(cic->ioprio);
+       const int ioprio = IOPRIO_PRIO_DATA(cic->ioprio);
+
+cic->ioprio starts out as 0, which is "invalid".  So, class of 0
+(IOPRIO_CLASS_NONE) is passed to cfq_async_queue_prio like so:
+
+               async_cfqq = cfq_async_queue_prio(cfqd, ioprio_class, ioprio);
+
+static struct cfq_queue **
+cfq_async_queue_prio(struct cfq_data *cfqd, int ioprio_class, int ioprio)
+{
+        switch (ioprio_class) {
+        case IOPRIO_CLASS_RT:
+                return &cfqd->async_cfqq[0][ioprio];
+        case IOPRIO_CLASS_NONE:
+                ioprio = IOPRIO_NORM;
+                /* fall through */
+        case IOPRIO_CLASS_BE:
+                return &cfqd->async_cfqq[1][ioprio];
+        case IOPRIO_CLASS_IDLE:
+                return &cfqd->async_idle_cfqq;
+        default:
+                BUG();
+        }
+}
+
+Here, instead of returning a class mapped from the process' scheduling
+priority, we get back the bucket associated with IOPRIO_CLASS_BE.
+
+Now, there is no queue allocated there yet, so we create it:
+
+               cfqq = cfq_find_alloc_queue(cfqd, is_sync, cic, bio, gfp_mask);
+
+That function ends up doing this:
+
+                       cfq_init_cfqq(cfqd, cfqq, current->pid, is_sync);
+                       cfq_init_prio_data(cfqq, cic);
+
+cfq_init_cfqq marks the priority as having changed.  Then, cfq_init_prio
+data does this:
+
+       ioprio_class = IOPRIO_PRIO_CLASS(cic->ioprio);
+       switch (ioprio_class) {
+       default:
+               printk(KERN_ERR "cfq: bad prio %x\n", ioprio_class);
+       case IOPRIO_CLASS_NONE:
+               /*
+                * no prio set, inherit CPU scheduling settings
+                */
+               cfqq->ioprio = task_nice_ioprio(tsk);
+               cfqq->ioprio_class = task_nice_ioclass(tsk);
+               break;
+
+So we basically have two code paths that treat IOPRIO_CLASS_NONE
+differently, which results in an RT async cfqq filed into a best effort
+bucket.
+
+Attached is a patch which fixes the problem.  I'm not sure how to make
+it cleaner.  Suggestions would be welcome.
+
+Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
+Tested-by: Hidehiro Kawai <hidehiro.kawai.ez@hitachi.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/cfq-iosched.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/block/cfq-iosched.c
++++ b/block/cfq-iosched.c
+@@ -3646,12 +3646,17 @@ static struct cfq_queue *
+ cfq_get_queue(struct cfq_data *cfqd, bool is_sync, struct cfq_io_cq *cic,
+             struct bio *bio, gfp_t gfp_mask)
+ {
+-      const int ioprio_class = IOPRIO_PRIO_CLASS(cic->ioprio);
+-      const int ioprio = IOPRIO_PRIO_DATA(cic->ioprio);
++      int ioprio_class = IOPRIO_PRIO_CLASS(cic->ioprio);
++      int ioprio = IOPRIO_PRIO_DATA(cic->ioprio);
+       struct cfq_queue **async_cfqq = NULL;
+       struct cfq_queue *cfqq = NULL;
+       if (!is_sync) {
++              if (!ioprio_valid(cic->ioprio)) {
++                      struct task_struct *tsk = current;
++                      ioprio = task_nice_ioprio(tsk);
++                      ioprio_class = task_nice_ioclass(tsk);
++              }
+               async_cfqq = cfq_async_queue_prio(cfqd, ioprio_class, ioprio);
+               cfqq = *async_cfqq;
+       }
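Review bot: The fallback added under `if (!is_sync)` in cfq_get_queue duplicates the IOPRIO_CLASS_NONE branch of cfq_init_prio_data quoted in the commit message, and nothing in the code ties the two together. A comment above the `ioprio_valid()` test, such as `/* no ioprio set: inherit from CPU scheduling, must match cfq_init_prio_data() */`, would keep a later change to one path from silently filing queues into the wrong async bucket again. Kernel style also wants a blank line between the `struct task_struct *tsk = current;` declaration and the assignments that follow it. The function body continues past the end of the hunk.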
diff --git a/queue-3.10/cfq-iosched-handle-failure-of-cfq-group-allocation.patch b/queue-3.10/cfq-iosched-handle-failure-of-cfq-group-allocation.patch
new file mode 100644 (file)
index 0000000..0568457
--- /dev/null
@@ -0,0 +1,54 @@
+From 69abaffec7d47a083739b79e3066cb3730eba72e Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Mon, 9 Feb 2015 16:42:49 +0300
+Subject: cfq-iosched: handle failure of cfq group allocation
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+commit 69abaffec7d47a083739b79e3066cb3730eba72e upstream.
+
+Cfq_lookup_create_cfqg() allocates struct blkcg_gq using GFP_ATOMIC.
+In cfq_find_alloc_queue() possible allocation failure is not handled.
+As a result kernel oopses on NULL pointer dereference when
+cfq_link_cfqq_cfqg() calls cfqg_get() for NULL pointer.
+
+Bug was introduced in v3.5 in commit cd1604fab4f9 ("blkcg: factor
+out blkio_group creation"). Prior to that commit cfq group lookup
+had returned pointer to root group as fallback.
+
+This patch handles this error using existing fallback oom_cfqq.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Tejun Heo <tj@kernel.org>
+Acked-by: Vivek Goyal <vgoyal@redhat.com>
+Fixes: cd1604fab4f9 ("blkcg: factor out blkio_group creation")
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/cfq-iosched.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/block/cfq-iosched.c
++++ b/block/cfq-iosched.c
+@@ -3575,6 +3575,11 @@ retry:
+       blkcg = bio_blkcg(bio);
+       cfqg = cfq_lookup_create_cfqg(cfqd, blkcg);
++      if (!cfqg) {
++              cfqq = &cfqd->oom_cfqq;
++              goto out;
++      }
++
+       cfqq = cic_to_cfqq(cic, is_sync);
+       /*
+@@ -3611,7 +3616,7 @@ retry:
+               } else
+                       cfqq = &cfqd->oom_cfqq;
+       }
+-
++out:
+       if (new_cfqq)
+               kmem_cache_free(cfq_pool, new_cfqq);
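Review bot: The new `if (!cfqg)` branch carries no comment on why a NULL group is possible, and the reason exists only in the commit message. Something like `/* cfq_lookup_create_cfqg() allocates with GFP_ATOMIC and may fail; fall back to oom_cfqq */` above the test would make the fallback self-explanatory. The `goto out` also skips everything between the lookup and the label, so it is correct only if the code after `out:` releases whatever was taken after `retry:`. Both ends of that function are outside the hunks, so this should be checked against the 3.10 tree when applying the backport.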
diff --git a/queue-3.10/iscsi-target-drop-problematic-active_ts_list-usage.patch b/queue-3.10/iscsi-target-drop-problematic-active_ts_list-usage.patch
new file mode 100644 (file)
index 0000000..0e76ff0
--- /dev/null
@@ -0,0 +1,133 @@
+From 3fd7b60f2c7418239d586e359e0c6d8503e10646 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Thu, 22 Jan 2015 00:56:53 -0800
+Subject: iscsi-target: Drop problematic active_ts_list usage
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit 3fd7b60f2c7418239d586e359e0c6d8503e10646 upstream.
+
+This patch drops legacy active_ts_list usage within iscsi_target_tq.c
+code.  It was originally used to track the active thread sets during
+iscsi-target shutdown, and is no longer used by modern upstream code.
+
+Two people have reported list corruption using traditional iscsi-target
+and iser-target with the following backtrace, that appears to be related
+to iscsi_thread_set->ts_list being used across both active_ts_list and
+inactive_ts_list.
+
+[   60.782534] ------------[ cut here ]------------
+[   60.782543] WARNING: CPU: 0 PID: 9430 at lib/list_debug.c:53 __list_del_entry+0x63/0xd0()
+[   60.782545] list_del corruption, ffff88045b00d180->next is LIST_POISON1 (dead000000100100)
+[   60.782546] Modules linked in: ib_srpt tcm_qla2xxx qla2xxx tcm_loop tcm_fc libfc scsi_transport_fc scsi_tgt ib_isert rdma_cm iw_cm ib_addr iscsi_target_mod target_core_pscsi target_core_file target_core_iblock target_core_mod configfs ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 ipt_REJECT xt_CHECKSUM iptable_mangle iptable_filter ip_tables bridge stp llc autofs4 sunrpc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 ib_ipoib ib_cm ib_uverbs ib_umad mlx4_en mlx4_ib ib_sa ib_mad ib_core mlx4_core dm_mirror dm_region_hash dm_log dm_mod vhost_net macvtap macvlan vhost tun kvm_intel kvm uinput iTCO_wdt iTCO_vendor_support microcode serio_raw pcspkr sb_edac edac_core sg i2c_i801 lpc_ich mfd_core mtip32xx igb i2c_algo_bit i2c_core ptp pps_core ioatdma dca wmi ext3(F) jbd(F) mbcache(F) sd_mod(F) crc_t10dif(F) crct10dif_common(F) ahci(F) libahci(F) isci(F) libsas(F) scsi_transport_sas(F) [last unloaded: speedstep_lib]
+[   60.782597] CPU: 0 PID: 9430 Comm: iscsi_ttx Tainted: GF 3.12.19+ #2
+[   60.782598] Hardware name: Supermicro X9DRX+-F/X9DRX+-F, BIOS 3.00 07/09/2013
+[   60.782599]  0000000000000035 ffff88044de31d08 ffffffff81553ae7 0000000000000035
+[   60.782602]  ffff88044de31d58 ffff88044de31d48 ffffffff8104d1cc 0000000000000002
+[   60.782605]  ffff88045b00d180 ffff88045b00d0c0 ffff88045b00d0c0 ffff88044de31e58
+[   60.782607] Call Trace:
+[   60.782611]  [<ffffffff81553ae7>] dump_stack+0x49/0x62
+[   60.782615]  [<ffffffff8104d1cc>] warn_slowpath_common+0x8c/0xc0
+[   60.782618]  [<ffffffff8104d2b6>] warn_slowpath_fmt+0x46/0x50
+[   60.782620]  [<ffffffff81280933>] __list_del_entry+0x63/0xd0
+[   60.782622]  [<ffffffff812809b1>] list_del+0x11/0x40
+[   60.782630]  [<ffffffffa06e7cf9>] iscsi_del_ts_from_active_list+0x29/0x50 [iscsi_target_mod]
+[   60.782635]  [<ffffffffa06e87b1>] iscsi_tx_thread_pre_handler+0xa1/0x180 [iscsi_target_mod]
+[   60.782642]  [<ffffffffa06fb9ae>] iscsi_target_tx_thread+0x4e/0x220 [iscsi_target_mod]
+[   60.782647]  [<ffffffffa06fb960>] ? iscsit_handle_snack+0x190/0x190 [iscsi_target_mod]
+[   60.782652]  [<ffffffffa06fb960>] ? iscsit_handle_snack+0x190/0x190 [iscsi_target_mod]
+[   60.782655]  [<ffffffff8106f99e>] kthread+0xce/0xe0
+[   60.782657]  [<ffffffff8106f8d0>] ? kthread_freezable_should_stop+0x70/0x70
+[   60.782660]  [<ffffffff8156026c>] ret_from_fork+0x7c/0xb0
+[   60.782662]  [<ffffffff8106f8d0>] ? kthread_freezable_should_stop+0x70/0x70
+[   60.782663] ---[ end trace 9662f4a661d33965 ]---
+
+Since this code is no longer used, go ahead and drop the problematic usage
+all-together.
+
+Reported-by: Gavin Guo <gavin.guo@canonical.com>
+Reported-by: Moussa Ba <moussaba@micron.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_tq.c |   28 +++++-----------------------
+ 1 file changed, 5 insertions(+), 23 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_tq.c
++++ b/drivers/target/iscsi/iscsi_target_tq.c
+@@ -26,36 +26,22 @@
+ #include "iscsi_target_tq.h"
+ #include "iscsi_target.h"
+-static LIST_HEAD(active_ts_list);
+ static LIST_HEAD(inactive_ts_list);
+-static DEFINE_SPINLOCK(active_ts_lock);
+ static DEFINE_SPINLOCK(inactive_ts_lock);
+ static DEFINE_SPINLOCK(ts_bitmap_lock);
+-static void iscsi_add_ts_to_active_list(struct iscsi_thread_set *ts)
+-{
+-      spin_lock(&active_ts_lock);
+-      list_add_tail(&ts->ts_list, &active_ts_list);
+-      iscsit_global->active_ts++;
+-      spin_unlock(&active_ts_lock);
+-}
+-
+ static void iscsi_add_ts_to_inactive_list(struct iscsi_thread_set *ts)
+ {
++      if (!list_empty(&ts->ts_list)) {
++              WARN_ON(1);
++              return;
++      }
+       spin_lock(&inactive_ts_lock);
+       list_add_tail(&ts->ts_list, &inactive_ts_list);
+       iscsit_global->inactive_ts++;
+       spin_unlock(&inactive_ts_lock);
+ }
+-static void iscsi_del_ts_from_active_list(struct iscsi_thread_set *ts)
+-{
+-      spin_lock(&active_ts_lock);
+-      list_del(&ts->ts_list);
+-      iscsit_global->active_ts--;
+-      spin_unlock(&active_ts_lock);
+-}
+-
+ static struct iscsi_thread_set *iscsi_get_ts_from_inactive_list(void)
+ {
+       struct iscsi_thread_set *ts;
+@@ -68,7 +54,7 @@ static struct iscsi_thread_set *iscsi_ge
+       ts = list_first_entry(&inactive_ts_list, struct iscsi_thread_set, ts_list);
+-      list_del(&ts->ts_list);
++      list_del_init(&ts->ts_list);
+       iscsit_global->inactive_ts--;
+       spin_unlock(&inactive_ts_lock);
+@@ -219,8 +205,6 @@ static void iscsi_deallocate_extra_threa
+ void iscsi_activate_thread_set(struct iscsi_conn *conn, struct iscsi_thread_set *ts)
+ {
+-      iscsi_add_ts_to_active_list(ts);
+-
+       spin_lock_bh(&ts->ts_state_lock);
+       conn->thread_set = ts;
+       ts->conn = conn;
+@@ -423,7 +407,6 @@ struct iscsi_conn *iscsi_rx_thread_pre_h
+       if (ts->delay_inactive && (--ts->thread_count == 0)) {
+               spin_unlock_bh(&ts->ts_state_lock);
+-              iscsi_del_ts_from_active_list(ts);
+               if (!iscsit_global->in_shutdown)
+                       iscsi_deallocate_extra_thread_sets();
+@@ -476,7 +459,6 @@ struct iscsi_conn *iscsi_tx_thread_pre_h
+       if (ts->delay_inactive && (--ts->thread_count == 0)) {
+               spin_unlock_bh(&ts->ts_state_lock);
+-              iscsi_del_ts_from_active_list(ts);
+               if (!iscsit_global->in_shutdown)
+                       iscsi_deallocate_extra_thread_sets();
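Review bot: The `list_empty(&ts->ts_list)` guard added to iscsi_add_ts_to_inactive_list runs before `inactive_ts_lock` is taken, so it is an unsynchronised read of a list node that other paths modify under that lock. It also depends on every removal using `list_del_init()` and on `ts_list` being initialised when the thread set is allocated; the hunk converts the one `list_del()` it shows, and the allocation site is outside it. When the guard fires the thread set ends up on no list at all, so the early return is worth a short comment. `if (WARN_ON(!list_empty(&ts->ts_list))) return;` is the usual single-statement form, ideally evaluated after `spin_lock(&inactive_ts_lock)` with an unlock on the early exit.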
diff --git a/queue-3.10/nfsv4.1-fix-a-kfree-of-uninitialised-pointers-in-decode_cb_sequence_args.patch b/queue-3.10/nfsv4.1-fix-a-kfree-of-uninitialised-pointers-in-decode_cb_sequence_args.patch
new file mode 100644 (file)
index 0000000..bb0206d
--- /dev/null
@@ -0,0 +1,36 @@
+From d8ba1f971497c19cf80da1ea5391a46a5f9fbd41 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Wed, 11 Feb 2015 17:27:55 -0500
+Subject: NFSv4.1: Fix a kfree() of uninitialised pointers in decode_cb_sequence_args
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit d8ba1f971497c19cf80da1ea5391a46a5f9fbd41 upstream.
+
+If the call to decode_rc_list() fails due to a memory allocation error,
+then we need to truncate the array size to ensure that we only call
+kfree() on those pointer that were allocated.
+
+Reported-by: David Ramos <daramos@stanford.edu>
+Fixes: 4aece6a19cf7f ("nfs41: cb_sequence xdr implementation")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/callback_xdr.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/callback_xdr.c
++++ b/fs/nfs/callback_xdr.c
+@@ -464,8 +464,10 @@ static __be32 decode_cb_sequence_args(st
+               for (i = 0; i < args->csa_nrclists; i++) {
+                       status = decode_rc_list(xdr, &args->csa_rclists[i]);
+-                      if (status)
++                      if (status) {
++                              args->csa_nrclists = i;
+                               goto out_free;
++                      }
+               }
+       }
+       status = 0;
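Review bot: Truncating `args->csa_nrclists` to `i` assumes decode_rc_list() leaves nothing allocated in `csa_rclists[i]` when it fails; decode_rc_list and the `out_free` path are both outside the hunk, so that should be confirmed. The count is presumably decoded from the callback request, which would make this error path reachable by the peer rather than only under local memory pressure. A comment on the new assignment, e.g. `/* entries from i onward were never set up; keep out_free away from them */`, would record why the count is rewritten. Zero-initialising the array at allocation would make the free loop safe regardless of where decoding stops, if the allocation site allows it.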
index ff737528f136653157c4db76763db3ab01998ab8..e42b73133f9de9c0a0ff24d6c9252c3351cd1ffd 100644 (file)
@@ -21,3 +21,10 @@ mips-kvm-deliver-guest-interrupts-after-local_irq_disable.patch
 tracing-fix-unmapping-loop-in-tracing_mark_write.patch
 arm-8284-1-sa1100-clear-rcsr_smr-on-resume.patch
 tpm_tis-verify-interrupt-during-init.patch
+tpm-fix-null-return-in-tpm_ibmvtpm_get_desired_dma.patch
+tpm-tpm_i2c_stm_st33-fix-potential-bug-in-tpm_stm_i2c_send.patch
+added-little-endian-support-to-vtpm-module.patch
+nfsv4.1-fix-a-kfree-of-uninitialised-pointers-in-decode_cb_sequence_args.patch
+iscsi-target-drop-problematic-active_ts_list-usage.patch
+cfq-iosched-handle-failure-of-cfq-group-allocation.patch
+cfq-iosched-fix-incorrect-filing-of-rt-async-cfqq.patch
diff --git a/queue-3.10/tpm-fix-null-return-in-tpm_ibmvtpm_get_desired_dma.patch b/queue-3.10/tpm-fix-null-return-in-tpm_ibmvtpm_get_desired_dma.patch
new file mode 100644 (file)
index 0000000..3734fd8
--- /dev/null
@@ -0,0 +1,49 @@
+From 84eb186bc37c0900b53077ca21cf6dd15823a232 Mon Sep 17 00:00:00 2001
+From: "Hon Ching (Vicky) Lo" <honclo@linux.vnet.ibm.com>
+Date: Sun, 30 Nov 2014 15:01:28 +0100
+Subject: tpm: Fix NULL return in tpm_ibmvtpm_get_desired_dma
+
+From: "Hon Ching (Vicky) Lo" <honclo@linux.vnet.ibm.com>
+
+commit 84eb186bc37c0900b53077ca21cf6dd15823a232 upstream.
+
+There was an oops in tpm_ibmvtpm_get_desired_dma, which caused
+kernel panic during boot when vTPM is enabled in Power partition
+configured in AMS mode.
+
+vio_bus_probe calls vio_cmo_bus_probe which calls
+tpm_ibmvtpm_get_desired_dma to get the size needed for DMA allocation.
+The problem is, vio_cmo_bus_probe is called before calling probe, which
+for vtpm is tpm_ibmvtpm_probe and it's this function that initializes
+and sets up vtpm's CRQ and gets required data values.  Therefore,
+since this has not yet been done, NULL is returned in attempt to get
+the size for DMA allocation.
+
+We added a NULL check.  In addition, a default buffer size will
+be set when NULL is returned.
+
+Signed-off-by: Hon Ching (Vicky) Lo <honclo@linux.vnet.ibm.com>
+Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm_ibmvtpm.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/char/tpm/tpm_ibmvtpm.c
++++ b/drivers/char/tpm/tpm_ibmvtpm.c
+@@ -307,6 +307,14 @@ static int tpm_ibmvtpm_remove(struct vio
+ static unsigned long tpm_ibmvtpm_get_desired_dma(struct vio_dev *vdev)
+ {
+       struct ibmvtpm_dev *ibmvtpm = ibmvtpm_get_data(&vdev->dev);
++
++      /* ibmvtpm initializes at probe time, so the data we are
++      * asking for may not be set yet. Estimate that 4K required
++      * for TCE-mapped buffer in addition to CRQ.
++      */
++      if (!ibmvtpm)
++              return CRQ_RES_BUF_SIZE + PAGE_SIZE;
++
+       return CRQ_RES_BUF_SIZE + ibmvtpm->rtce_size;
+ }
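Review bot: The new comment in tpm_ibmvtpm_get_desired_dma says "4K" but the code returns `CRQ_RES_BUF_SIZE + PAGE_SIZE`, and the page size need not be 4K on every Power configuration. Wording it as `/* ibmvtpm is set up at probe time; until then estimate one page for the TCE-mapped buffer plus the CRQ */` keeps comment and code in agreement, and the continuation lines should align their `*` under the opening one. The non-NULL path still returns `ibmvtpm->rtce_size` unchanged, which may be zero if the size response has not arrived yet; that cannot be confirmed from the hunk.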
diff --git a/queue-3.10/tpm-tpm_i2c_stm_st33-fix-potential-bug-in-tpm_stm_i2c_send.patch b/queue-3.10/tpm-tpm_i2c_stm_st33-fix-potential-bug-in-tpm_stm_i2c_send.patch
new file mode 100644 (file)
index 0000000..6e9ccf1
--- /dev/null
@@ -0,0 +1,37 @@
+From 1ba3b0b6f218072afe8372d12f1b6bf26a26008e Mon Sep 17 00:00:00 2001
+From: Christophe Ricard <christophe.ricard@gmail.com>
+Date: Mon, 1 Dec 2014 19:32:46 +0100
+Subject: tpm/tpm_i2c_stm_st33: Fix potential bug in tpm_stm_i2c_send
+
+From: Christophe Ricard <christophe.ricard@gmail.com>
+
+commit 1ba3b0b6f218072afe8372d12f1b6bf26a26008e upstream.
+
+When sending data in tpm_stm_i2c_send, each loop iteration send buf.
+Send buf + i instead as the goal of this for loop is to send a number
+of byte from buf that fit in burstcnt. Once those byte are sent, we are
+supposed to send the next ones.
+
+The driver was working because the burstcount value returns always the maximum size for a TPM
+command or response. (0x800 for a command and 0x400 for a response).
+
+Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
+Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/tpm/tpm_i2c_stm_st33.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm_i2c_stm_st33.c
++++ b/drivers/char/tpm/tpm_i2c_stm_st33.c
+@@ -488,7 +488,7 @@ static int tpm_stm_i2c_send(struct tpm_c
+               if (burstcnt < 0)
+                       return burstcnt;
+               size = min_t(int, len - i - 1, burstcnt);
+-              ret = I2C_WRITE_DATA(client, TPM_DATA_FIFO, buf, size);
++              ret = I2C_WRITE_DATA(client, TPM_DATA_FIFO, buf + i, size);
+               if (ret < 0)
+                       goto out_err;
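Review bot: In tpm_stm_i2c_send the burst-count failure path `if (burstcnt < 0) return burstcnt;` returns directly, while the write failure two lines below goes through `out_err`. If `out_err` releases state acquired earlier in the function (its body and the loop header are outside the hunk), the early return skips that cleanup; `if (burstcnt < 0) { ret = burstcnt; goto out_err; }` would make the two paths consistent, assuming `out_err` returns `ret`. With `buf + i` the loop now really issues several writes, a path the commit message says was never exercised, so it is worth confirming outside the hunk that `i` advances by `size` on each pass.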