4.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Sep 2017 09:43:48 +0000 (11:43 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Sep 2017 09:43:48 +0000 (11:43 +0200)
added patches:
crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch
i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch
i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch

queue-4.12/crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch [new file with mode: 0644]
queue-4.12/i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch [new file with mode: 0644]
queue-4.12/i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch [new file with mode: 0644]
queue-4.12/series

diff --git a/queue-4.12/crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch b/queue-4.12/crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch
new file mode 100644 (file)
index 0000000..a1bf4db
--- /dev/null
@@ -0,0 +1,43 @@
+From 445a582738de6802669aeed9c33ca406c23c3b1f Mon Sep 17 00:00:00 2001
+From: Stephan Mueller <smueller@chronox.de>
+Date: Wed, 16 Aug 2017 11:56:24 +0200
+Subject: crypto: algif_skcipher - only call put_page on referenced and used pages
+
+From: Stephan Mueller <smueller@chronox.de>
+
+commit 445a582738de6802669aeed9c33ca406c23c3b1f upstream.
+
+For asynchronous operation, SGs are allocated without a page mapped to
+them or with a page that is not used (ref-counted). If the SGL is freed,
+the code must only call put_page for an SG if there was a page assigned
+and ref-counted in the first place.
+
+This fixes a kernel crash when using io_submit with more than one iocb
+using the sendmsg and sendpage (vmsplice/splice) interface.
+
+Signed-off-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/algif_skcipher.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -87,8 +87,13 @@ static void skcipher_free_async_sgls(str
+       }
+       sgl = sreq->tsg;
+       n = sg_nents(sgl);
+-      for_each_sg(sgl, sg, n, i)
+-              put_page(sg_page(sg));
++      for_each_sg(sgl, sg, n, i) {
++              struct page *page = sg_page(sg);
++
++              /* some SGs may not have a page mapped */
++              if (page && page_ref_count(page))
++                      put_page(page);
++      }
+       kfree(sreq->tsg);
+ }
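Review bot: The new guard `if (page && page_ref_count(page))` in the for_each_sg loop treats a non-zero refcount as proof that this SG holds a reference, but page_ref_count() only says that somebody holds one. If an entry in sreq->tsg points at a page this request never pinned, put_page() would still drop another owner's reference, and the count is read without synchronisation against other users, so this looks like a stop-gap rather than real ownership tracking. At minimum I would state the assumption in the comment, e.g. `/* heuristic: assumes a page still referenced here was pinned by this request */`; recording which SG entries were pinned would be the more durable fix. How tsg is populated is outside the hunk, so whether the unowned-page case is reachable needs confirming there; skcipher_free_async_sgls() also begins above the hunk.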
diff --git a/queue-4.12/i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch b/queue-4.12/i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch
new file mode 100644 (file)
index 0000000..30542da
--- /dev/null
@@ -0,0 +1,54 @@
+From b6c159a9cb69c2cf0bf59d4e12c3a2da77e4d994 Mon Sep 17 00:00:00 2001
+From: Stephen Douthit <stephend@adiengineering.com>
+Date: Mon, 7 Aug 2017 17:10:59 -0400
+Subject: i2c: ismt: Don't duplicate the receive length for block reads
+
+From: Stephen Douthit <stephend@adiengineering.com>
+
+commit b6c159a9cb69c2cf0bf59d4e12c3a2da77e4d994 upstream.
+
+According to Table 15-14 of the C2000 EDS (Intel doc #510524) the
+rx data pointed to by the descriptor dptr contains the byte count.
+
+desc->rxbytes reports all bytes read on the wire, including the
+"byte count" byte.  So if a device sends 4 bytes in response to a
+block read, on the wire and in the DMA buffer we see:
+
+count data1 data2 data3 data4
+ 0x04  0xde  0xad  0xbe  0xef
+
+That's what we want to return in data->block to the next level.
+
+Instead we were actually prefixing that with desc->rxbytes:
+
+bad
+count count data1 data2 data3 data4
+ 0x05  0x04  0xde  0xad  0xbe  0xef
+
+This was discovered while developing a BMC solution relying on the
+ipmi_ssif.c driver which was trying to interpret the bogus length
+field as part of the IPMI response.
+
+Signed-off-by: Stephen Douthit <stephend@adiengineering.com>
+Tested-by: Dan Priamo <danp@adiengineering.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-ismt.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-ismt.c
++++ b/drivers/i2c/busses/i2c-ismt.c
+@@ -341,8 +341,8 @@ static int ismt_process_desc(const struc
+                       break;
+               case I2C_SMBUS_BLOCK_DATA:
+               case I2C_SMBUS_I2C_BLOCK_DATA:
+-                      memcpy(&data->block[1], dma_buffer, desc->rxbytes);
+-                      data->block[0] = desc->rxbytes;
++                      memcpy(data->block, dma_buffer, desc->rxbytes);
++                      data->block[0] = desc->rxbytes - 1;
+                       break;
+               }
+               return 0;
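Review bot: Nothing in the new `memcpy(data->block, dma_buffer, desc->rxbytes)` bounds desc->rxbytes, which is read back from the hardware descriptor, by the size of data->block, and `data->block[0] = desc->rxbytes - 1` wraps to 0xff when rxbytes is 0. I would reject out-of-range lengths before copying, e.g. `if (desc->rxbytes < 1 || desc->rxbytes > I2C_SMBUS_BLOCK_MAX + 1) return -EMSGSIZE;`. The same unbounded memcpy remains in the follow-up patch's hunk at `@@ -341,8 +341,10 @@`, whose added check compares rxbytes only with the device-supplied count byte and so does not cap it. Whether the controller already limits the receive length is decided where the descriptor is set up, outside this hunk, so that needs confirming; ismt_process_desc() begins and continues outside the hunk.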
diff --git a/queue-4.12/i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch b/queue-4.12/i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch
new file mode 100644 (file)
index 0000000..c5d01ff
--- /dev/null
@@ -0,0 +1,40 @@
+From ba201c4f5ebe13d7819081756378777d8153f23e Mon Sep 17 00:00:00 2001
+From: Stephen Douthit <stephend@adiengineering.com>
+Date: Mon, 7 Aug 2017 17:11:00 -0400
+Subject: i2c: ismt: Return EMSGSIZE for block reads with bogus length
+
+From: Stephen Douthit <stephend@adiengineering.com>
+
+commit ba201c4f5ebe13d7819081756378777d8153f23e upstream.
+
+Compare the number of bytes actually seen on the wire to the byte
+count field returned by the slave device.
+
+Previously we just overwrote the byte count returned by the slave
+with the real byte count and let the caller figure out if the
+message was sane.
+
+Signed-off-by: Stephen Douthit <stephend@adiengineering.com>
+Tested-by: Dan Priamo <danp@adiengineering.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-ismt.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-ismt.c
++++ b/drivers/i2c/busses/i2c-ismt.c
+@@ -341,8 +341,10 @@ static int ismt_process_desc(const struc
+                       break;
+               case I2C_SMBUS_BLOCK_DATA:
+               case I2C_SMBUS_I2C_BLOCK_DATA:
++                      if (desc->rxbytes != dma_buffer[0] + 1)
++                              return -EMSGSIZE;
++
+                       memcpy(data->block, dma_buffer, desc->rxbytes);
+-                      data->block[0] = desc->rxbytes - 1;
+                       break;
+               }
+               return 0;
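Review bot: The added check `if (desc->rxbytes != dma_buffer[0] + 1)` sits under both `case I2C_SMBUS_BLOCK_DATA:` and `case I2C_SMBUS_I2C_BLOCK_DATA:`, but only an SMBus block read is defined to start with a device-supplied count byte. For an I2C block read the first byte in dma_buffer would normally be payload, so this path would, as far as I can tell, compare rxbytes against a data byte and return -EMSGSIZE for valid transfers, or copy payload over data->block[0] when the values happen to match. I would split the two cases so the count check applies only to I2C_SMBUS_BLOCK_DATA and the I2C case keeps `memcpy(&data->block[1], dma_buffer, desc->rxbytes); data->block[0] = desc->rxbytes;`. How the descriptor is programmed for each transfer type is outside the hunk, so this should be confirmed against the setup code.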
index b62b68a2ee3ef1ffe956075073d94ff2246bf81e..b81065223f8395bd059feacc743f49e0808e5484 100644 (file)
@@ -4,3 +4,6 @@ irqchip-mips-gic-sync-after-enabling-gic-region.patch
 input-synaptics-fix-device-info-appearing-different-on-reconnect.patch
 input-xpad-fix-powera-init-quirk-for-some-gamepad-models.patch
 crypto-chacha20-fix-handling-of-chunked-input.patch
+i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch
+i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch
+crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch