--- /dev/null
+From a1cae34e23b1293eccbcc8ee9b39298039c3952a Mon Sep 17 00:00:00 2001
+From: Harald Freudenberger <freude@linux.vnet.ibm.com>
+Date: Thu, 21 May 2015 10:01:11 +0200
+Subject: crypto: s390/ghash - Fix incorrect ghash icv buffer handling.
+
+From: Harald Freudenberger <freude@linux.vnet.ibm.com>
+
+commit a1cae34e23b1293eccbcc8ee9b39298039c3952a upstream.
+
+Multitheaded tests showed that the icv buffer in the current ghash
+implementation is not handled correctly. A move of this working ghash
+buffer value to the descriptor context fixed this. Code is tested and
+verified with an multithreaded application via af_alg interface.
+
+Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
+Signed-off-by: Gerald Schaefer <geraldsc@linux.vnet.ibm.com>
+Reported-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/crypto/ghash_s390.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+--- a/arch/s390/crypto/ghash_s390.c
++++ b/arch/s390/crypto/ghash_s390.c
+@@ -16,11 +16,12 @@
+ #define GHASH_DIGEST_SIZE 16
+
+ struct ghash_ctx {
+- u8 icv[16];
+- u8 key[16];
++ u8 key[GHASH_BLOCK_SIZE];
+ };
+
+ struct ghash_desc_ctx {
++ u8 icv[GHASH_BLOCK_SIZE];
++ u8 key[GHASH_BLOCK_SIZE];
+ u8 buffer[GHASH_BLOCK_SIZE];
+ u32 bytes;
+ };
+@@ -28,8 +29,10 @@ struct ghash_desc_ctx {
+ static int ghash_init(struct shash_desc *desc)
+ {
+ struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
++ struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm);
+
+ memset(dctx, 0, sizeof(*dctx));
++ memcpy(dctx->key, ctx->key, GHASH_BLOCK_SIZE);
+
+ return 0;
+ }
+@@ -45,7 +48,6 @@ static int ghash_setkey(struct crypto_sh
+ }
+
+ memcpy(ctx->key, key, GHASH_BLOCK_SIZE);
+- memset(ctx->icv, 0, GHASH_BLOCK_SIZE);
+
+ return 0;
+ }
+@@ -54,7 +56,6 @@ static int ghash_update(struct shash_des
+ const u8 *src, unsigned int srclen)
+ {
+ struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
+- struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm);
+ unsigned int n;
+ u8 *buf = dctx->buffer;
+ int ret;
+@@ -70,7 +71,7 @@ static int ghash_update(struct shash_des
+ src += n;
+
+ if (!dctx->bytes) {
+- ret = crypt_s390_kimd(KIMD_GHASH, ctx, buf,
++ ret = crypt_s390_kimd(KIMD_GHASH, dctx, buf,
+ GHASH_BLOCK_SIZE);
+ if (ret != GHASH_BLOCK_SIZE)
+ return -EIO;
+@@ -79,7 +80,7 @@ static int ghash_update(struct shash_des
+
+ n = srclen & ~(GHASH_BLOCK_SIZE - 1);
+ if (n) {
+- ret = crypt_s390_kimd(KIMD_GHASH, ctx, src, n);
++ ret = crypt_s390_kimd(KIMD_GHASH, dctx, src, n);
+ if (ret != n)
+ return -EIO;
+ src += n;
+@@ -94,7 +95,7 @@ static int ghash_update(struct shash_des
+ return 0;
+ }
+
+-static int ghash_flush(struct ghash_ctx *ctx, struct ghash_desc_ctx *dctx)
++static int ghash_flush(struct ghash_desc_ctx *dctx)
+ {
+ u8 *buf = dctx->buffer;
+ int ret;
+@@ -104,24 +105,24 @@ static int ghash_flush(struct ghash_ctx
+
+ memset(pos, 0, dctx->bytes);
+
+- ret = crypt_s390_kimd(KIMD_GHASH, ctx, buf, GHASH_BLOCK_SIZE);
++ ret = crypt_s390_kimd(KIMD_GHASH, dctx, buf, GHASH_BLOCK_SIZE);
+ if (ret != GHASH_BLOCK_SIZE)
+ return -EIO;
++
++ dctx->bytes = 0;
+ }
+
+- dctx->bytes = 0;
+ return 0;
+ }
+
+ static int ghash_final(struct shash_desc *desc, u8 *dst)
+ {
+ struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
+- struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm);
+ int ret;
+
+- ret = ghash_flush(ctx, dctx);
++ ret = ghash_flush(dctx);
+ if (!ret)
+- memcpy(dst, ctx->icv, GHASH_BLOCK_SIZE);
++ memcpy(dst, dctx->icv, GHASH_BLOCK_SIZE);
+ return ret;
+ }
+
--- /dev/null
+From f230e8ffc03f17bd9d6b90ea890b8252a8cc1821 Mon Sep 17 00:00:00 2001
+From: Michael Brunner <mibru@gmx.de>
+Date: Mon, 11 May 2015 12:46:49 +0200
+Subject: gpio: gpio-kempld: Fix get_direction return value
+
+From: Michael Brunner <mibru@gmx.de>
+
+commit f230e8ffc03f17bd9d6b90ea890b8252a8cc1821 upstream.
+
+This patch fixes an inverted return value of the gpio get_direction
+function.
+
+The wrong value causes the direction sysfs entry and GPIO debugfs file
+to indicate incorrect GPIO direction settings. In some cases it also
+prevents setting GPIO output values.
+
+The problem is also present in all other stable kernel versions since
+linux-3.12.
+
+Reported-by: Jochen Henneberg <jh@henneberg-systemdesign.com>
+Signed-off-by: Michael Brunner <michael.brunner@kontron.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpio-kempld.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-kempld.c
++++ b/drivers/gpio/gpio-kempld.c
+@@ -117,7 +117,7 @@ static int kempld_gpio_get_direction(str
+ = container_of(chip, struct kempld_gpio_data, chip);
+ struct kempld_device_data *pld = gpio->pld;
+
+- return kempld_gpio_get_bit(pld, KEMPLD_GPIO_DIR_NUM(offset), offset);
++ return !kempld_gpio_get_bit(pld, KEMPLD_GPIO_DIR_NUM(offset), offset);
+ }
+
+ static int kempld_gpio_pincount(struct kempld_device_data *pld)
--- /dev/null
+From 47b4e1fc4972cc43a19121bc2608a60aef3bf216 Mon Sep 17 00:00:00 2001
+From: Janusz Dziedzic <janusz.dziedzic@tieto.com>
+Date: Mon, 11 May 2015 11:31:15 +0200
+Subject: mac80211: move WEP tailroom size check
+
+From: Janusz Dziedzic <janusz.dziedzic@tieto.com>
+
+commit 47b4e1fc4972cc43a19121bc2608a60aef3bf216 upstream.
+
+Remove checking tailroom when adding IV as it uses only
+headroom, and move the check to the ICV generation that
+actually needs the tailroom.
+
+In other case I hit such warning and datapath don't work,
+when testing:
+- IBSS + WEP
+- ath9k with hw crypt enabled
+- IPv6 data (ping6)
+
+WARNING: CPU: 3 PID: 13301 at net/mac80211/wep.c:102 ieee80211_wep_add_iv+0x129/0x190 [mac80211]()
+[...]
+Call Trace:
+[<ffffffff817bf491>] dump_stack+0x45/0x57
+[<ffffffff8107746a>] warn_slowpath_common+0x8a/0xc0
+[<ffffffff8107755a>] warn_slowpath_null+0x1a/0x20
+[<ffffffffc09ae109>] ieee80211_wep_add_iv+0x129/0x190 [mac80211]
+[<ffffffffc09ae7ab>] ieee80211_crypto_wep_encrypt+0x6b/0xd0 [mac80211]
+[<ffffffffc09d3fb1>] invoke_tx_handlers+0xc51/0xf30 [mac80211]
+[...]
+
+Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/wep.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/wep.c
++++ b/net/mac80211/wep.c
+@@ -98,8 +98,7 @@ static u8 *ieee80211_wep_add_iv(struct i
+
+ hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PROTECTED);
+
+- if (WARN_ON(skb_tailroom(skb) < IEEE80211_WEP_ICV_LEN ||
+- skb_headroom(skb) < IEEE80211_WEP_IV_LEN))
++ if (WARN_ON(skb_headroom(skb) < IEEE80211_WEP_IV_LEN))
+ return NULL;
+
+ hdrlen = ieee80211_hdrlen(hdr->frame_control);
+@@ -169,6 +168,9 @@ int ieee80211_wep_encrypt(struct ieee802
+ size_t len;
+ u8 rc4key[3 + WLAN_KEY_LEN_WEP104];
+
++ if (WARN_ON(skb_tailroom(skb) < IEEE80211_WEP_ICV_LEN))
++ return -1;
++
+ iv = ieee80211_wep_add_iv(local, skb, keylen, keyidx);
+ if (!iv)
+ return -1;
projects / thirdparty / kernel / stable-queue.git / commitdiff
