--- /dev/null
+From b67d0dd7d0dc9e456825447bbeb935d8ef43ea7c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=EC=B6=94=EC=A7=80=ED=98=B8?= <jiho.chu@samsung.com>
+Date: Thu, 8 Dec 2016 12:01:13 +0000
+Subject: can: peak: fix bad memory access and free sequence
+
+From: 추지호 <jiho.chu@samsung.com>
+
+commit b67d0dd7d0dc9e456825447bbeb935d8ef43ea7c upstream.
+
+Fix for bad memory access while disconnecting. netdev is freed before
+private data free, and dev is accessed after freeing netdev.
+
+This makes a slub problem, and it raise kernel oops with slub debugger
+config.
+
+Signed-off-by: Jiho Chu <jiho.chu@samsung.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_core.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -872,23 +872,25 @@ lbl_free_candev:
+ static void peak_usb_disconnect(struct usb_interface *intf)
+ {
+ struct peak_usb_device *dev;
++ struct peak_usb_device *dev_prev_siblings;
+
+ /* unregister as many netdev devices as siblings */
+- for (dev = usb_get_intfdata(intf); dev; dev = dev->prev_siblings) {
++ for (dev = usb_get_intfdata(intf); dev; dev = dev_prev_siblings) {
+ struct net_device *netdev = dev->netdev;
+ char name[IFNAMSIZ];
+
++ dev_prev_siblings = dev->prev_siblings;
+ dev->state &= ~PCAN_USB_STATE_CONNECTED;
+ strncpy(name, netdev->name, IFNAMSIZ);
+
+ unregister_netdev(netdev);
+- free_candev(netdev);
+
+ kfree(dev->cmd_buf);
+ dev->next_siblings = NULL;
+ if (dev->adapter->dev_free)
+ dev->adapter->dev_free(dev);
+
++ free_candev(netdev);
+ dev_info(&intf->dev, "%s removed\n", name);
+ }
+
--- /dev/null
+From 332b05ca7a438f857c61a3c21a88489a21532364 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Mon, 5 Dec 2016 11:44:23 +0100
+Subject: can: raw: raw_setsockopt: limit number of can_filter that can be set
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 332b05ca7a438f857c61a3c21a88489a21532364 upstream.
+
+This patch adds a check to limit the number of can_filters that can be
+set via setsockopt on CAN_RAW sockets. Otherwise allocations > MAX_ORDER
+are not prevented resulting in a warning.
+
+Reference: https://lkml.org/lkml/2016/12/2/230
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/uapi/linux/can.h | 1 +
+ net/can/raw.c | 3 +++
+ 2 files changed, 4 insertions(+)
+
+--- a/include/uapi/linux/can.h
++++ b/include/uapi/linux/can.h
+@@ -196,5 +196,6 @@ struct can_filter {
+ };
+
+ #define CAN_INV_FILTER 0x20000000U /* to be set in can_filter.can_id */
++#define CAN_RAW_FILTER_MAX 512 /* maximum number of can_filter set via setsockopt() */
+
+ #endif /* !_UAPI_CAN_H */
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -499,6 +499,9 @@ static int raw_setsockopt(struct socket
+ if (optlen % sizeof(struct can_filter) != 0)
+ return -EINVAL;
+
++ if (optlen > CAN_RAW_FILTER_MAX * sizeof(struct can_filter))
++ return -EINVAL;
++
+ count = optlen / sizeof(struct can_filter);
+
+ if (count > 1) {
--- /dev/null
+From 39eaf759466f4e3fbeaa39075512f4f345dffdc8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?= <horia.geanta@nxp.com>
+Date: Mon, 5 Dec 2016 11:06:58 +0200
+Subject: crypto: caam - fix pointer size for AArch64 boot loader, AArch32 kernel
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă <horia.geanta@nxp.com>
+
+commit 39eaf759466f4e3fbeaa39075512f4f345dffdc8 upstream.
+
+Start with a clean slate before dealing with bit 16 (pointer size)
+of Master Configuration Register.
+This fixes the case of AArch64 boot loader + AArch32 kernel, when
+the boot loader might set MCFGR[PS] and kernel would fail to clear it.
+
+Reported-by: Alison Wang <alison.wang@nxp.com>
+Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
+Reviewed-By: Alison Wang <Alison.wang@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/ctrl.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/caam/ctrl.c
++++ b/drivers/crypto/caam/ctrl.c
+@@ -557,8 +557,9 @@ static int caam_probe(struct platform_de
+ * Enable DECO watchdogs and, if this is a PHYS_ADDR_T_64BIT kernel,
+ * long pointers in master configuration register
+ */
+- clrsetbits_32(&ctrl->mcr, MCFGR_AWCACHE_MASK, MCFGR_AWCACHE_CACH |
+- MCFGR_AWCACHE_BUFF | MCFGR_WDENABLE | MCFGR_LARGE_BURST |
++ clrsetbits_32(&ctrl->mcr, MCFGR_AWCACHE_MASK | MCFGR_LONG_PTR,
++ MCFGR_AWCACHE_CACH | MCFGR_AWCACHE_BUFF |
++ MCFGR_WDENABLE | MCFGR_LARGE_BURST |
+ (sizeof(dma_addr_t) == sizeof(u64) ? MCFGR_LONG_PTR : 0));
+
+ /*
--- /dev/null
+From 68c7f8c1c4e9b06e6b153fa3e9e0cda2ef5aaed8 Mon Sep 17 00:00:00 2001
+From: Romain Perier <romain.perier@free-electrons.com>
+Date: Mon, 5 Dec 2016 09:56:38 +0100
+Subject: crypto: marvell - Don't copy hash operation twice into the SRAM
+
+From: Romain Perier <romain.perier@free-electrons.com>
+
+commit 68c7f8c1c4e9b06e6b153fa3e9e0cda2ef5aaed8 upstream.
+
+No need to copy the template of an hash operation twice into the SRAM
+from the step function.
+
+Fixes: commit 85030c5168f1 ("crypto: marvell - Add support for chai...")
+Signed-off-by: Romain Perier <romain.perier@free-electrons.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/marvell/hash.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/crypto/marvell/hash.c
++++ b/drivers/crypto/marvell/hash.c
+@@ -172,9 +172,6 @@ static void mv_cesa_ahash_std_step(struc
+ for (i = 0; i < digsize / 4; i++)
+ writel_relaxed(creq->state[i], engine->regs + CESA_IVDIG(i));
+
+- mv_cesa_adjust_op(engine, &creq->op_tmpl);
+- memcpy_toio(engine->sram, &creq->op_tmpl, sizeof(creq->op_tmpl));
+-
+ if (creq->cache_ptr)
+ memcpy_toio(engine->sram + CESA_SA_DATA_SRAM_OFFSET,
+ creq->cache, creq->cache_ptr);
--- /dev/null
+From 9e5f7a149e00d211177f6de8be427ebc72a1c363 Mon Sep 17 00:00:00 2001
+From: Romain Perier <romain.perier@free-electrons.com>
+Date: Mon, 5 Dec 2016 09:56:39 +0100
+Subject: crypto: marvell - Don't corrupt state of an STD req for re-stepped ahash
+
+From: Romain Perier <romain.perier@free-electrons.com>
+
+commit 9e5f7a149e00d211177f6de8be427ebc72a1c363 upstream.
+
+mv_cesa_hash_std_step() copies the creq->state into the SRAM at each
+step, but this is only required on the first one. By doing that, we
+overwrite the engine state, and get erroneous results when the crypto
+request is split in several chunks to fit in the internal SRAM.
+
+This commit changes the function to copy the state only on the first
+step.
+
+Fixes: commit 2786cee8e50b ("crypto: marvell - Move SRAM I/O op...")
+Signed-off-by: Romain Perier <romain.perier@free-electrons.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/marvell/hash.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/crypto/marvell/hash.c
++++ b/drivers/crypto/marvell/hash.c
+@@ -168,9 +168,11 @@ static void mv_cesa_ahash_std_step(struc
+ mv_cesa_adjust_op(engine, &creq->op_tmpl);
+ memcpy_toio(engine->sram, &creq->op_tmpl, sizeof(creq->op_tmpl));
+
+- digsize = crypto_ahash_digestsize(crypto_ahash_reqtfm(req));
+- for (i = 0; i < digsize / 4; i++)
+- writel_relaxed(creq->state[i], engine->regs + CESA_IVDIG(i));
++ if (!sreq->offset) {
++ digsize = crypto_ahash_digestsize(crypto_ahash_reqtfm(req));
++ for (i = 0; i < digsize / 4; i++)
++ writel_relaxed(creq->state[i], engine->regs + CESA_IVDIG(i));
++ }
+
+ if (creq->cache_ptr)
+ memcpy_toio(engine->sram + CESA_SA_DATA_SRAM_OFFSET,
--- /dev/null
+From 48a992727d82cb7db076fa15d372178743b1f4cd Mon Sep 17 00:00:00 2001
+From: tim <tim.c.chen@linux.intel.com>
+Date: Mon, 5 Dec 2016 11:46:31 -0800
+Subject: crypto: mcryptd - Check mcryptd algorithm compatibility
+
+From: tim <tim.c.chen@linux.intel.com>
+
+commit 48a992727d82cb7db076fa15d372178743b1f4cd upstream.
+
+Algorithms not compatible with mcryptd could be spawned by mcryptd
+with a direct crypto_alloc_tfm invocation using a "mcryptd(alg)" name
+construct. This causes mcryptd to crash the kernel if an arbitrary
+"alg" is incompatible and not intended to be used with mcryptd. It is
+an issue if AF_ALG tries to spawn mcryptd(alg) to expose it externally.
+But such algorithms must be used internally and not be exposed.
+
+We added a check to enforce that only internal algorithms are allowed
+with mcryptd at the time mcryptd is spawning an algorithm.
+
+Link: http://marc.info/?l=linux-crypto-vger&m=148063683310477&w=2
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/mcryptd.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/crypto/mcryptd.c
++++ b/crypto/mcryptd.c
+@@ -254,18 +254,22 @@ out_free_inst:
+ goto out;
+ }
+
+-static inline void mcryptd_check_internal(struct rtattr **tb, u32 *type,
++static inline bool mcryptd_check_internal(struct rtattr **tb, u32 *type,
+ u32 *mask)
+ {
+ struct crypto_attr_type *algt;
+
+ algt = crypto_get_attr_type(tb);
+ if (IS_ERR(algt))
+- return;
+- if ((algt->type & CRYPTO_ALG_INTERNAL))
+- *type |= CRYPTO_ALG_INTERNAL;
+- if ((algt->mask & CRYPTO_ALG_INTERNAL))
+- *mask |= CRYPTO_ALG_INTERNAL;
++ return false;
++
++ *type |= algt->type & CRYPTO_ALG_INTERNAL;
++ *mask |= algt->mask & CRYPTO_ALG_INTERNAL;
++
++ if (*type & *mask & CRYPTO_ALG_INTERNAL)
++ return true;
++ else
++ return false;
+ }
+
+ static int mcryptd_hash_init_tfm(struct crypto_tfm *tfm)
+@@ -492,7 +496,8 @@ static int mcryptd_create_hash(struct cr
+ u32 mask = 0;
+ int err;
+
+- mcryptd_check_internal(tb, &type, &mask);
++ if (!mcryptd_check_internal(tb, &type, &mask))
++ return -EINVAL;
+
+ halg = ahash_attr_alg(tb[1], type, mask);
+ if (IS_ERR(halg))
--- /dev/null
+From 9713adc2a1a5488f4889c657a0c0ce0c16056d3c Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Mon, 21 Nov 2016 14:25:49 +0100
+Subject: Revert "ACPI: Execute _PTS before system reboot"
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 9713adc2a1a5488f4889c657a0c0ce0c16056d3c upstream.
+
+Revert commit 2c85025c75df (ACPI: Execute _PTS before system reboot)
+as it is reported to cause poweroff and reboot to hang on Dell
+Latitude E7250.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=187061
+Reported-by: Gianpaolo <gianpaoloc@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/sleep.c | 29 ++++++-----------------------
+ 1 file changed, 6 insertions(+), 23 deletions(-)
+
+--- a/drivers/acpi/sleep.c
++++ b/drivers/acpi/sleep.c
+@@ -47,32 +47,15 @@ static void acpi_sleep_tts_switch(u32 ac
+ }
+ }
+
+-static void acpi_sleep_pts_switch(u32 acpi_state)
+-{
+- acpi_status status;
+-
+- status = acpi_execute_simple_method(NULL, "\\_PTS", acpi_state);
+- if (ACPI_FAILURE(status) && status != AE_NOT_FOUND) {
+- /*
+- * OS can't evaluate the _PTS object correctly. Some warning
+- * message will be printed. But it won't break anything.
+- */
+- printk(KERN_NOTICE "Failure in evaluating _PTS object\n");
+- }
+-}
+-
+-static int sleep_notify_reboot(struct notifier_block *this,
++static int tts_notify_reboot(struct notifier_block *this,
+ unsigned long code, void *x)
+ {
+ acpi_sleep_tts_switch(ACPI_STATE_S5);
+-
+- acpi_sleep_pts_switch(ACPI_STATE_S5);
+-
+ return NOTIFY_DONE;
+ }
+
+-static struct notifier_block sleep_notifier = {
+- .notifier_call = sleep_notify_reboot,
++static struct notifier_block tts_notifier = {
++ .notifier_call = tts_notify_reboot,
+ .next = NULL,
+ .priority = 0,
+ };
+@@ -916,9 +899,9 @@ int __init acpi_sleep_init(void)
+ pr_info(PREFIX "(supports%s)\n", supported);
+
+ /*
+- * Register the sleep_notifier to reboot notifier list so that the _TTS
+- * and _PTS object can also be evaluated when the system enters S5.
++ * Register the tts_notifier to reboot notifier list so that the _TTS
++ * object can also be evaluated when the system enters S5.
+ */
+- register_reboot_notifier(&sleep_notifier);
++ register_reboot_notifier(&tts_notifier);
+ return 0;
+ }
acpi-nfit-libnvdimm-fix-harden-ars_status-output-length-handling.patch
acpi-nfit-validate-ars_status-output-buffer-size.patch
acpi-nfit-fix-bus-vs-dimm-confusion-in-xlat_status.patch
+crypto-marvell-don-t-copy-hash-operation-twice-into-the-sram.patch
+crypto-caam-fix-pointer-size-for-aarch64-boot-loader-aarch32-kernel.patch
+crypto-mcryptd-check-mcryptd-algorithm-compatibility.patch
+crypto-marvell-don-t-corrupt-state-of-an-std-req-for-re-stepped-ahash.patch
+can-raw-raw_setsockopt-limit-number-of-can_filter-that-can-be-set.patch
+can-peak-fix-bad-memory-access-and-free-sequence.patch
+revert-acpi-execute-_pts-before-system-reboot.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
