4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Sep 2017 09:44:05 +0000 (11:44 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Sep 2017 09:44:05 +0000 (11:44 +0200)
added patches:
crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch
i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch
i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch
irqchip-mips-gic-sync-after-enabling-gic-region.patch

queue-4.4/crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch [new file with mode: 0644]
queue-4.4/i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch [new file with mode: 0644]
queue-4.4/i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch [new file with mode: 0644]
queue-4.4/irqchip-mips-gic-sync-after-enabling-gic-region.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch b/queue-4.4/crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch
new file mode 100644 (file)
index 0000000..4dc5e1c
--- /dev/null
@@ -0,0 +1,43 @@
+From 445a582738de6802669aeed9c33ca406c23c3b1f Mon Sep 17 00:00:00 2001
+From: Stephan Mueller <smueller@chronox.de>
+Date: Wed, 16 Aug 2017 11:56:24 +0200
+Subject: crypto: algif_skcipher - only call put_page on referenced and used pages
+
+From: Stephan Mueller <smueller@chronox.de>
+
+commit 445a582738de6802669aeed9c33ca406c23c3b1f upstream.
+
+For asynchronous operation, SGs are allocated without a page mapped to
+them or with a page that is not used (ref-counted). If the SGL is freed,
+the code must only call put_page for an SG if there was a page assigned
+and ref-counted in the first place.
+
+This fixes a kernel crash when using io_submit with more than one iocb
+using the sendmsg and sendpage (vmsplice/splice) interface.
+
+Signed-off-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/algif_skcipher.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -86,8 +86,13 @@ static void skcipher_free_async_sgls(str
+       }
+       sgl = sreq->tsg;
+       n = sg_nents(sgl);
+-      for_each_sg(sgl, sg, n, i)
+-              put_page(sg_page(sg));
++      for_each_sg(sgl, sg, n, i) {
++              struct page *page = sg_page(sg);
++
++              /* some SGs may not have a page mapped */
++              if (page && page_ref_count(page))
++                      put_page(page);
++      }
+       kfree(sreq->tsg);
+ }
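Review bot: In the new loop of skcipher_free_async_sgls(), `page_ref_count(page)` stands in for "this SG entry took a reference", but a non-zero count only shows that somebody holds the page. If an entry can point at a page it never pinned while another holder keeps it alive, `put_page(page)` would still drop a reference the entry does not own and risk a later use-after-free; the hunk does not show how the entries are populated, so this needs confirming against the setup path. At minimum the comment should state the assumption, e.g. `/* skip entries with no page, or with a page we never took a reference on */`. For this 4.4 queue it is also worth checking that `page_ref_count()` exists in a tree that old, since otherwise the backport has to read the count the way that tree does. The function starts outside the hunk.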
diff --git a/queue-4.4/i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch b/queue-4.4/i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch
new file mode 100644 (file)
index 0000000..61710db
--- /dev/null
@@ -0,0 +1,54 @@
+From b6c159a9cb69c2cf0bf59d4e12c3a2da77e4d994 Mon Sep 17 00:00:00 2001
+From: Stephen Douthit <stephend@adiengineering.com>
+Date: Mon, 7 Aug 2017 17:10:59 -0400
+Subject: i2c: ismt: Don't duplicate the receive length for block reads
+
+From: Stephen Douthit <stephend@adiengineering.com>
+
+commit b6c159a9cb69c2cf0bf59d4e12c3a2da77e4d994 upstream.
+
+According to Table 15-14 of the C2000 EDS (Intel doc #510524) the
+rx data pointed to by the descriptor dptr contains the byte count.
+
+desc->rxbytes reports all bytes read on the wire, including the
+"byte count" byte.  So if a device sends 4 bytes in response to a
+block read, on the wire and in the DMA buffer we see:
+
+count data1 data2 data3 data4
+ 0x04  0xde  0xad  0xbe  0xef
+
+That's what we want to return in data->block to the next level.
+
+Instead we were actually prefixing that with desc->rxbytes:
+
+bad
+count count data1 data2 data3 data4
+ 0x05  0x04  0xde  0xad  0xbe  0xef
+
+This was discovered while developing a BMC solution relying on the
+ipmi_ssif.c driver which was trying to interpret the bogus length
+field as part of the IPMI response.
+
+Signed-off-by: Stephen Douthit <stephend@adiengineering.com>
+Tested-by: Dan Priamo <danp@adiengineering.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-ismt.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-ismt.c
++++ b/drivers/i2c/busses/i2c-ismt.c
+@@ -339,8 +339,8 @@ static int ismt_process_desc(const struc
+                       break;
+               case I2C_SMBUS_BLOCK_DATA:
+               case I2C_SMBUS_I2C_BLOCK_DATA:
+-                      memcpy(&data->block[1], dma_buffer, desc->rxbytes);
+-                      data->block[0] = desc->rxbytes;
++                      memcpy(data->block, dma_buffer, desc->rxbytes);
++                      data->block[0] = desc->rxbytes - 1;
+                       break;
+               }
+               return 0;
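Review bot: The rewritten `memcpy(data->block, dma_buffer, desc->rxbytes)` copies a hardware-reported length into the fixed-size `data->block` with no upper bound visible in the hunk, and `desc->rxbytes - 1` stores 0xff in `data->block[0]` if rxbytes is ever 0. Unless the controller is guaranteed never to report more than the programmed read length, a guard before the copy would close both cases: `if (desc->rxbytes < 1 || desc->rxbytes > I2C_SMBUS_BLOCK_MAX + 1) return -EMSGSIZE;`. The same copy is kept by i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch, whose new check only ties rxbytes to the device-supplied count byte, so it rejects the zero case but still has no bound against the buffer size. ismt_process_desc() starts and ends outside the hunk.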
diff --git a/queue-4.4/i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch b/queue-4.4/i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch
new file mode 100644 (file)
index 0000000..84c0a2f
--- /dev/null
@@ -0,0 +1,40 @@
+From ba201c4f5ebe13d7819081756378777d8153f23e Mon Sep 17 00:00:00 2001
+From: Stephen Douthit <stephend@adiengineering.com>
+Date: Mon, 7 Aug 2017 17:11:00 -0400
+Subject: i2c: ismt: Return EMSGSIZE for block reads with bogus length
+
+From: Stephen Douthit <stephend@adiengineering.com>
+
+commit ba201c4f5ebe13d7819081756378777d8153f23e upstream.
+
+Compare the number of bytes actually seen on the wire to the byte
+count field returned by the slave device.
+
+Previously we just overwrote the byte count returned by the slave
+with the real byte count and let the caller figure out if the
+message was sane.
+
+Signed-off-by: Stephen Douthit <stephend@adiengineering.com>
+Tested-by: Dan Priamo <danp@adiengineering.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-ismt.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-ismt.c
++++ b/drivers/i2c/busses/i2c-ismt.c
+@@ -339,8 +339,10 @@ static int ismt_process_desc(const struc
+                       break;
+               case I2C_SMBUS_BLOCK_DATA:
+               case I2C_SMBUS_I2C_BLOCK_DATA:
++                      if (desc->rxbytes != dma_buffer[0] + 1)
++                              return -EMSGSIZE;
++
+                       memcpy(data->block, dma_buffer, desc->rxbytes);
+-                      data->block[0] = desc->rxbytes - 1;
+                       break;
+               }
+               return 0;
diff --git a/queue-4.4/irqchip-mips-gic-sync-after-enabling-gic-region.patch b/queue-4.4/irqchip-mips-gic-sync-after-enabling-gic-region.patch
new file mode 100644 (file)
index 0000000..66b044f
--- /dev/null
@@ -0,0 +1,54 @@
+From 2c0e8382386f618c85d20cb05e7cf7df8cdd382c Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Sat, 12 Aug 2017 21:36:09 -0700
+Subject: irqchip: mips-gic: SYNC after enabling GIC region
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 2c0e8382386f618c85d20cb05e7cf7df8cdd382c upstream.
+
+A SYNC is required between enabling the GIC region and actually trying
+to use it, even if the first access is a read, otherwise its possible
+depending on the timing (and in my case depending on the precise
+alignment of certain kernel code) to hit CM bus errors on that first
+access.
+
+Add the SYNC straight after setting the GIC base.
+
+[paul.burton@imgtec.com:
+  Changes later in this series increase our likelihood of hitting this
+  by reducing the amount of code that runs between enabling the GIC &
+  accessing it.]
+
+Fixes: a7057270c280 ("irqchip: mips-gic: Add device-tree support")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Signed-off-by: Paul Burton <paul.burton@imgtec.com>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-kernel@vger.kernel.org
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/17019/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-mips-gic.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-mips-gic.c
++++ b/drivers/irqchip/irq-mips-gic.c
+@@ -915,8 +915,11 @@ static int __init gic_of_init(struct dev
+               gic_len = resource_size(&res);
+       }
+-      if (mips_cm_present())
++      if (mips_cm_present()) {
+               write_gcr_gic_base(gic_base | CM_GCR_GIC_BASE_GICEN_MSK);
++              /* Ensure GIC region is enabled before trying to access it */
++              __sync();
++      }
+       gic_present = true;
+       __gic_init(gic_base, gic_len, cpu_vec, 0, node);
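Review bot: The comment added above `__sync()` in gic_of_init() says what the barrier orders but not what goes wrong without it. The commit message's reason (CM bus errors on the first GIC access, even when it is a read) is worth keeping next to the code so the barrier is not later removed as redundant. Something like `/* SYNC so the GIC base write has taken effect before the first access; otherwise that access can hit a CM bus error */` would do. gic_of_init() starts and ends outside the hunk.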
index bd2f86fb2132ca719f4a0028b2e018eb13d75e51..0cb55669aa992e3d5950c373dc666a40b4909a18 100644 (file)
@@ -1 +1,4 @@
 irqchip-mips-gic-sync-after-enabling-gic-region.patch
+i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch
+i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch
+crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch