--- /dev/null
+From 74d5d229b1bf60f93bff244b2dfc0eb21ec32a07 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Wed, 21 Nov 2018 14:05:45 -0500
+Subject: btrfs: wait on ordered extents on abort cleanup
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit 74d5d229b1bf60f93bff244b2dfc0eb21ec32a07 upstream.
+
+If we flip read-only before we initiate writeback on all dirty pages for
+ordered extents we've created then we'll have ordered extents left over
+on umount, which results in all sorts of bad things happening. Fix this
+by making sure we wait on ordered extents if we have to do the aborted
+transaction cleanup stuff.
+
+generic/475 can produce this warning:
+
+ [ 8531.177332] WARNING: CPU: 2 PID: 11997 at fs/btrfs/disk-io.c:3856 btrfs_free_fs_root+0x95/0xa0 [btrfs]
+ [ 8531.183282] CPU: 2 PID: 11997 Comm: umount Tainted: G W 5.0.0-rc1-default+ #394
+ [ 8531.185164] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),BIOS rel-1.11.2-0-gf9626cc-prebuilt.qemu-project.org 04/01/2014
+ [ 8531.187851] RIP: 0010:btrfs_free_fs_root+0x95/0xa0 [btrfs]
+ [ 8531.193082] RSP: 0018:ffffb1ab86163d98 EFLAGS: 00010286
+ [ 8531.194198] RAX: ffff9f3449494d18 RBX: ffff9f34a2695000 RCX:0000000000000000
+ [ 8531.195629] RDX: 0000000000000002 RSI: 0000000000000001 RDI:0000000000000000
+ [ 8531.197315] RBP: ffff9f344e930000 R08: 0000000000000001 R09:0000000000000000
+ [ 8531.199095] R10: 0000000000000000 R11: ffff9f34494d4ff8 R12:ffffb1ab86163dc0
+ [ 8531.200870] R13: ffff9f344e9300b0 R14: ffffb1ab86163db8 R15:0000000000000000
+ [ 8531.202707] FS: 00007fc68e949fc0(0000) GS:ffff9f34bd800000(0000)knlGS:0000000000000000
+ [ 8531.204851] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 8531.205942] CR2: 00007ffde8114dd8 CR3: 000000002dfbd000 CR4:00000000000006e0
+ [ 8531.207516] Call Trace:
+ [ 8531.208175] btrfs_free_fs_roots+0xdb/0x170 [btrfs]
+ [ 8531.210209] ? wait_for_completion+0x5b/0x190
+ [ 8531.211303] close_ctree+0x157/0x350 [btrfs]
+ [ 8531.212412] generic_shutdown_super+0x64/0x100
+ [ 8531.213485] kill_anon_super+0x14/0x30
+ [ 8531.214430] btrfs_kill_super+0x12/0xa0 [btrfs]
+ [ 8531.215539] deactivate_locked_super+0x29/0x60
+ [ 8531.216633] cleanup_mnt+0x3b/0x70
+ [ 8531.217497] task_work_run+0x98/0xc0
+ [ 8531.218397] exit_to_usermode_loop+0x83/0x90
+ [ 8531.219324] do_syscall_64+0x15b/0x180
+ [ 8531.220192] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [ 8531.221286] RIP: 0033:0x7fc68e5e4d07
+ [ 8531.225621] RSP: 002b:00007ffde8116608 EFLAGS: 00000246 ORIG_RAX:00000000000000a6
+ [ 8531.227512] RAX: 0000000000000000 RBX: 00005580c2175970 RCX:00007fc68e5e4d07
+ [ 8531.229098] RDX: 0000000000000001 RSI: 0000000000000000 RDI:00005580c2175b80
+ [ 8531.230730] RBP: 0000000000000000 R08: 00005580c2175ba0 R09:00007ffde8114e80
+ [ 8531.232269] R10: 0000000000000000 R11: 0000000000000246 R12:00005580c2175b80
+ [ 8531.233839] R13: 00007fc68eac61c4 R14: 00005580c2175a68 R15:0000000000000000
+
+Leaving a tree in the rb-tree:
+
+3853 void btrfs_free_fs_root(struct btrfs_root *root)
+3854 {
+3855 iput(root->ino_cache_inode);
+3856 WARN_ON(!RB_EMPTY_ROOT(&root->inode_tree));
+
+CC: stable@vger.kernel.org
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+[ add stacktrace ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/disk-io.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -4155,6 +4155,14 @@ static void btrfs_destroy_all_ordered_ex
+ spin_lock(&fs_info->ordered_root_lock);
+ }
+ spin_unlock(&fs_info->ordered_root_lock);
++
++ /*
++ * We need this here because if we've been flipped read-only we won't
++ * get sync() from the umount, so we need to make sure any ordered
++ * extents that haven't had their dirty pages IO start writeout yet
++ * actually get run and error out properly.
++ */
++ btrfs_wait_ordered_roots(fs_info, U64_MAX, 0, (u64)-1);
+ }
+
+ static int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans,
--- /dev/null
+From 8f9c469348487844328e162db57112f7d347c49f Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sun, 16 Dec 2018 23:23:22 -0800
+Subject: crypto: authenc - fix parsing key with misaligned rta_len
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 8f9c469348487844328e162db57112f7d347c49f upstream.
+
+Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte
+'enckeylen', followed by an authentication key and an encryption key.
+crypto_authenc_extractkeys() parses the key to find the inner keys.
+
+However, it fails to consider the case where the rtattr's payload is
+longer than 4 bytes but not 4-byte aligned, and where the key ends
+before the next 4-byte aligned boundary. In this case, 'keylen -=
+RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This
+causes a buffer overread and crash during crypto_ahash_setkey().
+
+Fix it by restricting the rtattr payload to the expected size.
+
+Reproducer using AF_ALG:
+
+ #include <linux/if_alg.h>
+ #include <linux/rtnetlink.h>
+ #include <sys/socket.h>
+
+ int main()
+ {
+ int fd;
+ struct sockaddr_alg addr = {
+ .salg_type = "aead",
+ .salg_name = "authenc(hmac(sha256),cbc(aes))",
+ };
+ struct {
+ struct rtattr attr;
+ __be32 enckeylen;
+ char keys[1];
+ } __attribute__((packed)) key = {
+ .attr.rta_len = sizeof(key),
+ .attr.rta_type = 1 /* CRYPTO_AUTHENC_KEYA_PARAM */,
+ };
+
+ fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+ bind(fd, (void *)&addr, sizeof(addr));
+ setsockopt(fd, SOL_ALG, ALG_SET_KEY, &key, sizeof(key));
+ }
+
+It caused:
+
+ BUG: unable to handle kernel paging request at ffff88007ffdc000
+ PGD 2e01067 P4D 2e01067 PUD 2e04067 PMD 2e05067 PTE 0
+ Oops: 0000 [#1] SMP
+ CPU: 0 PID: 883 Comm: authenc Not tainted 4.20.0-rc1-00108-g00c9fe37a7f27 #13
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014
+ RIP: 0010:sha256_ni_transform+0xb3/0x330 arch/x86/crypto/sha256_ni_asm.S:155
+ [...]
+ Call Trace:
+ sha256_ni_finup+0x10/0x20 arch/x86/crypto/sha256_ssse3_glue.c:321
+ crypto_shash_finup+0x1a/0x30 crypto/shash.c:178
+ shash_digest_unaligned+0x45/0x60 crypto/shash.c:186
+ crypto_shash_digest+0x24/0x40 crypto/shash.c:202
+ hmac_setkey+0x135/0x1e0 crypto/hmac.c:66
+ crypto_shash_setkey+0x2b/0xb0 crypto/shash.c:66
+ shash_async_setkey+0x10/0x20 crypto/shash.c:223
+ crypto_ahash_setkey+0x2d/0xa0 crypto/ahash.c:202
+ crypto_authenc_setkey+0x68/0x100 crypto/authenc.c:96
+ crypto_aead_setkey+0x2a/0xc0 crypto/aead.c:62
+ aead_setkey+0xc/0x10 crypto/algif_aead.c:526
+ alg_setkey crypto/af_alg.c:223 [inline]
+ alg_setsockopt+0xfe/0x130 crypto/af_alg.c:256
+ __sys_setsockopt+0x6d/0xd0 net/socket.c:1902
+ __do_sys_setsockopt net/socket.c:1913 [inline]
+ __se_sys_setsockopt net/socket.c:1910 [inline]
+ __x64_sys_setsockopt+0x1f/0x30 net/socket.c:1910
+ do_syscall_64+0x4a/0x180 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: e236d4a89a2f ("[CRYPTO] authenc: Move enckeylen into key itself")
+Cc: <stable@vger.kernel.org> # v2.6.25+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/authenc.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/crypto/authenc.c
++++ b/crypto/authenc.c
+@@ -58,14 +58,22 @@ int crypto_authenc_extractkeys(struct cr
+ return -EINVAL;
+ if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
+ return -EINVAL;
+- if (RTA_PAYLOAD(rta) < sizeof(*param))
++
++ /*
++ * RTA_OK() didn't align the rtattr's payload when validating that it
++ * fits in the buffer. Yet, the keys should start on the next 4-byte
++ * aligned boundary. To avoid confusion, require that the rtattr
++ * payload be exactly the param struct, which has a 4-byte aligned size.
++ */
++ if (RTA_PAYLOAD(rta) != sizeof(*param))
+ return -EINVAL;
++ BUILD_BUG_ON(sizeof(*param) % RTA_ALIGNTO);
+
+ param = RTA_DATA(rta);
+ keys->enckeylen = be32_to_cpu(param->enckeylen);
+
+- key += RTA_ALIGN(rta->rta_len);
+- keylen -= RTA_ALIGN(rta->rta_len);
++ key += rta->rta_len;
++ keylen -= rta->rta_len;
+
+ if (keylen < keys->enckeylen)
+ return -EINVAL;
--- /dev/null
+From a7773363624b034ab198c738661253d20a8055c2 Mon Sep 17 00:00:00 2001
+From: Harsh Jain <harsh@chelsio.com>
+Date: Thu, 3 Jan 2019 14:21:05 +0530
+Subject: crypto: authencesn - Avoid twice completion call in decrypt path
+
+From: Harsh Jain <harsh@chelsio.com>
+
+commit a7773363624b034ab198c738661253d20a8055c2 upstream.
+
+Authencesn template in decrypt path unconditionally calls aead_request_complete
+after ahash_verify which leads to following kernel panic in after decryption.
+
+[ 338.539800] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
+[ 338.548372] PGD 0 P4D 0
+[ 338.551157] Oops: 0000 [#1] SMP PTI
+[ 338.554919] CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Tainted: G W I 4.19.7+ #13
+[ 338.564431] Hardware name: Supermicro X8ST3/X8ST3, BIOS 2.0 07/29/10
+[ 338.572212] RIP: 0010:esp_input_done2+0x350/0x410 [esp4]
+[ 338.578030] Code: ff 0f b6 68 10 48 8b 83 c8 00 00 00 e9 8e fe ff ff 8b 04 25 04 00 00 00 83 e8 01 48 98 48 8b 3c c5 10 00 00 00 e9 f7 fd ff ff <8b> 04 25 04 00 00 00 83 e8 01 48 98 4c 8b 24 c5 10 00 00 00 e9 3b
+[ 338.598547] RSP: 0018:ffff911c97803c00 EFLAGS: 00010246
+[ 338.604268] RAX: 0000000000000002 RBX: ffff911c4469ee00 RCX: 0000000000000000
+[ 338.612090] RDX: 0000000000000000 RSI: 0000000000000130 RDI: ffff911b87c20400
+[ 338.619874] RBP: 0000000000000000 R08: ffff911b87c20498 R09: 000000000000000a
+[ 338.627610] R10: 0000000000000001 R11: 0000000000000004 R12: 0000000000000000
+[ 338.635402] R13: ffff911c89590000 R14: ffff911c91730000 R15: 0000000000000000
+[ 338.643234] FS: 0000000000000000(0000) GS:ffff911c97800000(0000) knlGS:0000000000000000
+[ 338.652047] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 338.658299] CR2: 0000000000000004 CR3: 00000001ec20a000 CR4: 00000000000006f0
+[ 338.666382] Call Trace:
+[ 338.669051] <IRQ>
+[ 338.671254] esp_input_done+0x12/0x20 [esp4]
+[ 338.675922] chcr_handle_resp+0x3b5/0x790 [chcr]
+[ 338.680949] cpl_fw6_pld_handler+0x37/0x60 [chcr]
+[ 338.686080] chcr_uld_rx_handler+0x22/0x50 [chcr]
+[ 338.691233] uldrx_handler+0x8c/0xc0 [cxgb4]
+[ 338.695923] process_responses+0x2f0/0x5d0 [cxgb4]
+[ 338.701177] ? bitmap_find_next_zero_area_off+0x3a/0x90
+[ 338.706882] ? matrix_alloc_area.constprop.7+0x60/0x90
+[ 338.712517] ? apic_update_irq_cfg+0x82/0xf0
+[ 338.717177] napi_rx_handler+0x14/0xe0 [cxgb4]
+[ 338.722015] net_rx_action+0x2aa/0x3e0
+[ 338.726136] __do_softirq+0xcb/0x280
+[ 338.730054] irq_exit+0xde/0xf0
+[ 338.733504] do_IRQ+0x54/0xd0
+[ 338.736745] common_interrupt+0xf/0xf
+
+Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD...")
+Signed-off-by: Harsh Jain <harsh@chelsio.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/authencesn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/authencesn.c
++++ b/crypto/authencesn.c
+@@ -279,7 +279,7 @@ static void authenc_esn_verify_ahash_don
+ struct aead_request *req = areq->data;
+
+ err = err ?: crypto_authenc_esn_decrypt_tail(req, 0);
+- aead_request_complete(req, err);
++ authenc_esn_request_complete(req, err);
+ }
+
+ static int crypto_authenc_esn_decrypt(struct aead_request *req)
--- /dev/null
+From ab57b33525c3221afaebd391458fa0cbcd56903d Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sun, 16 Dec 2018 23:23:23 -0800
+Subject: crypto: bcm - convert to use crypto_authenc_extractkeys()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit ab57b33525c3221afaebd391458fa0cbcd56903d upstream.
+
+Convert the bcm crypto driver to use crypto_authenc_extractkeys() so
+that it picks up the fix for broken validation of rtattr::rta_len.
+
+This also fixes the DES weak key check to actually be done on the right
+key. (It was checking the authentication key, not the encryption key...)
+
+Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver")
+Cc: <stable@vger.kernel.org> # v4.11+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/Kconfig | 1 +
+ drivers/crypto/bcm/cipher.c | 44 +++++++++++++-------------------------------
+ 2 files changed, 14 insertions(+), 31 deletions(-)
+
+--- a/drivers/crypto/Kconfig
++++ b/drivers/crypto/Kconfig
+@@ -681,6 +681,7 @@ config CRYPTO_DEV_BCM_SPU
+ depends on ARCH_BCM_IPROC
+ depends on MAILBOX
+ default m
++ select CRYPTO_AUTHENC
+ select CRYPTO_DES
+ select CRYPTO_MD5
+ select CRYPTO_SHA1
+--- a/drivers/crypto/bcm/cipher.c
++++ b/drivers/crypto/bcm/cipher.c
+@@ -2845,44 +2845,28 @@ static int aead_authenc_setkey(struct cr
+ struct spu_hw *spu = &iproc_priv.spu;
+ struct iproc_ctx_s *ctx = crypto_aead_ctx(cipher);
+ struct crypto_tfm *tfm = crypto_aead_tfm(cipher);
+- struct rtattr *rta = (void *)key;
+- struct crypto_authenc_key_param *param;
+- const u8 *origkey = key;
+- const unsigned int origkeylen = keylen;
+-
+- int ret = 0;
++ struct crypto_authenc_keys keys;
++ int ret;
+
+ flow_log("%s() aead:%p key:%p keylen:%u\n", __func__, cipher, key,
+ keylen);
+ flow_dump(" key: ", key, keylen);
+
+- if (!RTA_OK(rta, keylen))
+- goto badkey;
+- if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
++ ret = crypto_authenc_extractkeys(&keys, key, keylen);
++ if (ret)
+ goto badkey;
+- if (RTA_PAYLOAD(rta) < sizeof(*param))
+- goto badkey;
+-
+- param = RTA_DATA(rta);
+- ctx->enckeylen = be32_to_cpu(param->enckeylen);
+
+- key += RTA_ALIGN(rta->rta_len);
+- keylen -= RTA_ALIGN(rta->rta_len);
+-
+- if (keylen < ctx->enckeylen)
+- goto badkey;
+- if (ctx->enckeylen > MAX_KEY_SIZE)
++ if (keys.enckeylen > MAX_KEY_SIZE ||
++ keys.authkeylen > MAX_KEY_SIZE)
+ goto badkey;
+
+- ctx->authkeylen = keylen - ctx->enckeylen;
+-
+- if (ctx->authkeylen > MAX_KEY_SIZE)
+- goto badkey;
++ ctx->enckeylen = keys.enckeylen;
++ ctx->authkeylen = keys.authkeylen;
+
+- memcpy(ctx->enckey, key + ctx->authkeylen, ctx->enckeylen);
++ memcpy(ctx->enckey, keys.enckey, keys.enckeylen);
+ /* May end up padding auth key. So make sure it's zeroed. */
+ memset(ctx->authkey, 0, sizeof(ctx->authkey));
+- memcpy(ctx->authkey, key, ctx->authkeylen);
++ memcpy(ctx->authkey, keys.authkey, keys.authkeylen);
+
+ switch (ctx->alg->cipher_info.alg) {
+ case CIPHER_ALG_DES:
+@@ -2890,7 +2874,7 @@ static int aead_authenc_setkey(struct cr
+ u32 tmp[DES_EXPKEY_WORDS];
+ u32 flags = CRYPTO_TFM_RES_WEAK_KEY;
+
+- if (des_ekey(tmp, key) == 0) {
++ if (des_ekey(tmp, keys.enckey) == 0) {
+ if (crypto_aead_get_flags(cipher) &
+ CRYPTO_TFM_REQ_WEAK_KEY) {
+ crypto_aead_set_flags(cipher, flags);
+@@ -2905,7 +2889,7 @@ static int aead_authenc_setkey(struct cr
+ break;
+ case CIPHER_ALG_3DES:
+ if (ctx->enckeylen == (DES_KEY_SIZE * 3)) {
+- const u32 *K = (const u32 *)key;
++ const u32 *K = (const u32 *)keys.enckey;
+ u32 flags = CRYPTO_TFM_RES_BAD_KEY_SCHED;
+
+ if (!((K[0] ^ K[2]) | (K[1] ^ K[3])) ||
+@@ -2956,9 +2940,7 @@ static int aead_authenc_setkey(struct cr
+ ctx->fallback_cipher->base.crt_flags &= ~CRYPTO_TFM_REQ_MASK;
+ ctx->fallback_cipher->base.crt_flags |=
+ tfm->crt_flags & CRYPTO_TFM_REQ_MASK;
+- ret =
+- crypto_aead_setkey(ctx->fallback_cipher, origkey,
+- origkeylen);
++ ret = crypto_aead_setkey(ctx->fallback_cipher, key, keylen);
+ if (ret) {
+ flow_log(" fallback setkey() returned:%d\n", ret);
+ tfm->crt_flags &= ~CRYPTO_TFM_RES_MASK;
--- /dev/null
+From 04e6d25c5bb244c1a37eb9fe0b604cc11a04e8c5 Mon Sep 17 00:00:00 2001
+From: Aymen Sghaier <aymen.sghaier@nxp.com>
+Date: Wed, 19 Dec 2018 16:36:44 +0200
+Subject: crypto: caam - fix zero-length buffer DMA mapping
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Aymen Sghaier <aymen.sghaier@nxp.com>
+
+commit 04e6d25c5bb244c1a37eb9fe0b604cc11a04e8c5 upstream.
+
+Recent changes - probably DMA API related (generic and/or arm64-specific) -
+exposed a case where driver maps a zero-length buffer:
+ahash_init()->ahash_update()->ahash_final() with a zero-length string to
+hash
+
+kernel BUG at kernel/dma/swiotlb.c:475!
+Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+Modules linked in:
+CPU: 2 PID: 1823 Comm: cryptomgr_test Not tainted 4.20.0-rc1-00108-g00c9fe37a7f2 #1
+Hardware name: LS1046A RDB Board (DT)
+pstate: 80000005 (Nzcv daif -PAN -UAO)
+pc : swiotlb_tbl_map_single+0x170/0x2b8
+lr : swiotlb_map_page+0x134/0x1f8
+sp : ffff00000f79b8f0
+x29: ffff00000f79b8f0 x28: 0000000000000000
+x27: ffff0000093d0000 x26: 0000000000000000
+x25: 00000000001f3ffe x24: 0000000000200000
+x23: 0000000000000000 x22: 00000009f2c538c0
+x21: ffff800970aeb410 x20: 0000000000000001
+x19: ffff800970aeb410 x18: 0000000000000007
+x17: 000000000000000e x16: 0000000000000001
+x15: 0000000000000019 x14: c32cb8218a167fe8
+x13: ffffffff00000000 x12: ffff80097fdae348
+x11: 0000800976bca000 x10: 0000000000000010
+x9 : 0000000000000000 x8 : ffff0000091fd6c8
+x7 : 0000000000000000 x6 : 00000009f2c538bf
+x5 : 0000000000000000 x4 : 0000000000000001
+x3 : 0000000000000000 x2 : 00000009f2c538c0
+x1 : 00000000f9fff000 x0 : 0000000000000000
+Process cryptomgr_test (pid: 1823, stack limit = 0x(____ptrval____))
+Call trace:
+ swiotlb_tbl_map_single+0x170/0x2b8
+ swiotlb_map_page+0x134/0x1f8
+ ahash_final_no_ctx+0xc4/0x6cc
+ ahash_final+0x10/0x18
+ crypto_ahash_op+0x30/0x84
+ crypto_ahash_final+0x14/0x1c
+ __test_hash+0x574/0xe0c
+ test_hash+0x28/0x80
+ __alg_test_hash+0x84/0xd0
+ alg_test_hash+0x78/0x144
+ alg_test.part.30+0x12c/0x2b4
+ alg_test+0x3c/0x68
+ cryptomgr_test+0x44/0x4c
+ kthread+0xfc/0x128
+ ret_from_fork+0x10/0x18
+Code: d34bfc18 2a1a03f7 1a9f8694 35fff89a (d4210000)
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Aymen Sghaier <aymen.sghaier@nxp.com>
+Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/caamhash.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/crypto/caam/caamhash.c
++++ b/drivers/crypto/caam/caamhash.c
+@@ -1131,13 +1131,16 @@ static int ahash_final_no_ctx(struct aha
+
+ desc = edesc->hw_desc;
+
+- state->buf_dma = dma_map_single(jrdev, buf, buflen, DMA_TO_DEVICE);
+- if (dma_mapping_error(jrdev, state->buf_dma)) {
+- dev_err(jrdev, "unable to map src\n");
+- goto unmap;
+- }
++ if (buflen) {
++ state->buf_dma = dma_map_single(jrdev, buf, buflen,
++ DMA_TO_DEVICE);
++ if (dma_mapping_error(jrdev, state->buf_dma)) {
++ dev_err(jrdev, "unable to map src\n");
++ goto unmap;
++ }
+
+- append_seq_in_ptr(desc, state->buf_dma, buflen, 0);
++ append_seq_in_ptr(desc, state->buf_dma, buflen, 0);
++ }
+
+ edesc->dst_dma = map_seq_out_ptr_result(desc, jrdev, req->result,
+ digestsize);
--- /dev/null
+From dc95b5350a8f07d73d6bde3a79ef87289698451d Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sun, 16 Dec 2018 23:23:24 -0800
+Subject: crypto: ccree - convert to use crypto_authenc_extractkeys()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit dc95b5350a8f07d73d6bde3a79ef87289698451d upstream.
+
+Convert the ccree crypto driver to use crypto_authenc_extractkeys() so
+that it picks up the fix for broken validation of rtattr::rta_len.
+
+Fixes: ff27e85a85bb ("crypto: ccree - add AEAD support")
+Cc: <stable@vger.kernel.org> # v4.17+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccree/cc_aead.c | 40 +++++++++++++++++++---------------------
+ 1 file changed, 19 insertions(+), 21 deletions(-)
+
+--- a/drivers/crypto/ccree/cc_aead.c
++++ b/drivers/crypto/ccree/cc_aead.c
+@@ -540,13 +540,12 @@ static int cc_aead_setkey(struct crypto_
+ unsigned int keylen)
+ {
+ struct cc_aead_ctx *ctx = crypto_aead_ctx(tfm);
+- struct rtattr *rta = (struct rtattr *)key;
+ struct cc_crypto_req cc_req = {};
+- struct crypto_authenc_key_param *param;
+ struct cc_hw_desc desc[MAX_AEAD_SETKEY_SEQ];
+- int rc = -EINVAL;
+ unsigned int seq_len = 0;
+ struct device *dev = drvdata_to_dev(ctx->drvdata);
++ const u8 *enckey, *authkey;
++ int rc;
+
+ dev_dbg(dev, "Setting key in context @%p for %s. key=%p keylen=%u\n",
+ ctx, crypto_tfm_alg_name(crypto_aead_tfm(tfm)), key, keylen);
+@@ -554,35 +553,33 @@ static int cc_aead_setkey(struct crypto_
+ /* STAT_PHASE_0: Init and sanity checks */
+
+ if (ctx->auth_mode != DRV_HASH_NULL) { /* authenc() alg. */
+- if (!RTA_OK(rta, keylen))
+- goto badkey;
+- if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
+- goto badkey;
+- if (RTA_PAYLOAD(rta) < sizeof(*param))
+- goto badkey;
+- param = RTA_DATA(rta);
+- ctx->enc_keylen = be32_to_cpu(param->enckeylen);
+- key += RTA_ALIGN(rta->rta_len);
+- keylen -= RTA_ALIGN(rta->rta_len);
+- if (keylen < ctx->enc_keylen)
++ struct crypto_authenc_keys keys;
++
++ rc = crypto_authenc_extractkeys(&keys, key, keylen);
++ if (rc)
+ goto badkey;
+- ctx->auth_keylen = keylen - ctx->enc_keylen;
++ enckey = keys.enckey;
++ authkey = keys.authkey;
++ ctx->enc_keylen = keys.enckeylen;
++ ctx->auth_keylen = keys.authkeylen;
+
+ if (ctx->cipher_mode == DRV_CIPHER_CTR) {
+ /* the nonce is stored in bytes at end of key */
++ rc = -EINVAL;
+ if (ctx->enc_keylen <
+ (AES_MIN_KEY_SIZE + CTR_RFC3686_NONCE_SIZE))
+ goto badkey;
+ /* Copy nonce from last 4 bytes in CTR key to
+ * first 4 bytes in CTR IV
+ */
+- memcpy(ctx->ctr_nonce, key + ctx->auth_keylen +
+- ctx->enc_keylen - CTR_RFC3686_NONCE_SIZE,
+- CTR_RFC3686_NONCE_SIZE);
++ memcpy(ctx->ctr_nonce, enckey + ctx->enc_keylen -
++ CTR_RFC3686_NONCE_SIZE, CTR_RFC3686_NONCE_SIZE);
+ /* Set CTR key size */
+ ctx->enc_keylen -= CTR_RFC3686_NONCE_SIZE;
+ }
+ } else { /* non-authenc - has just one key */
++ enckey = key;
++ authkey = NULL;
+ ctx->enc_keylen = keylen;
+ ctx->auth_keylen = 0;
+ }
+@@ -594,13 +591,14 @@ static int cc_aead_setkey(struct crypto_
+ /* STAT_PHASE_1: Copy key to ctx */
+
+ /* Get key material */
+- memcpy(ctx->enckey, key + ctx->auth_keylen, ctx->enc_keylen);
++ memcpy(ctx->enckey, enckey, ctx->enc_keylen);
+ if (ctx->enc_keylen == 24)
+ memset(ctx->enckey + 24, 0, CC_AES_KEY_SIZE_MAX - 24);
+ if (ctx->auth_mode == DRV_HASH_XCBC_MAC) {
+- memcpy(ctx->auth_state.xcbc.xcbc_keys, key, ctx->auth_keylen);
++ memcpy(ctx->auth_state.xcbc.xcbc_keys, authkey,
++ ctx->auth_keylen);
+ } else if (ctx->auth_mode != DRV_HASH_NULL) { /* HMAC */
+- rc = cc_get_plain_hmac_key(tfm, key, ctx->auth_keylen);
++ rc = cc_get_plain_hmac_key(tfm, authkey, ctx->auth_keylen);
+ if (rc)
+ goto badkey;
+ }
--- /dev/null
+From d45a90cb5d061fa7d411b974b950fe0b8bc5f265 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 8 Jan 2019 22:12:41 -0800
+Subject: crypto: sm3 - fix undefined shift by >= width of value
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit d45a90cb5d061fa7d411b974b950fe0b8bc5f265 upstream.
+
+sm3_compress() calls rol32() with shift >= 32, which causes undefined
+behavior. This is easily detected by enabling CONFIG_UBSAN.
+
+Explicitly AND with 31 to make the behavior well defined.
+
+Fixes: 4f0fc1600edb ("crypto: sm3 - add OSCCA SM3 secure hash")
+Cc: <stable@vger.kernel.org> # v4.15+
+Cc: Gilad Ben-Yossef <gilad@benyossef.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/sm3_generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/sm3_generic.c
++++ b/crypto/sm3_generic.c
+@@ -100,7 +100,7 @@ static void sm3_compress(u32 *w, u32 *wt
+
+ for (i = 0; i <= 63; i++) {
+
+- ss1 = rol32((rol32(a, 12) + e + rol32(t(i), i)), 7);
++ ss1 = rol32((rol32(a, 12) + e + rol32(t(i), i & 31)), 7);
+
+ ss2 = ss1 ^ rol32(a, 12);
+
--- /dev/null
+From 1bea445b0a022ee126ca328b3705cd4df18ebc14 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Tue, 8 Jan 2019 06:56:48 +0000
+Subject: crypto: talitos - fix ablkcipher for CONFIG_VMAP_STACK
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+commit 1bea445b0a022ee126ca328b3705cd4df18ebc14 upstream.
+
+[ 2.364486] WARNING: CPU: 0 PID: 60 at ./arch/powerpc/include/asm/io.h:837 dma_nommu_map_page+0x44/0xd4
+[ 2.373579] CPU: 0 PID: 60 Comm: cryptomgr_test Tainted: G W 4.20.0-rc5-00560-g6bfb52e23a00-dirty #531
+[ 2.384740] NIP: c000c540 LR: c000c584 CTR: 00000000
+[ 2.389743] REGS: c95abab0 TRAP: 0700 Tainted: G W (4.20.0-rc5-00560-g6bfb52e23a00-dirty)
+[ 2.400042] MSR: 00029032 <EE,ME,IR,DR,RI> CR: 24042204 XER: 00000000
+[ 2.406669]
+[ 2.406669] GPR00: c02f2244 c95abb60 c6262990 c95abd80 0000256a 00000001 00000001 00000001
+[ 2.406669] GPR08: 00000000 00002000 00000010 00000010 24042202 00000000 00000100 c95abd88
+[ 2.406669] GPR16: 00000000 c05569d4 00000001 00000010 c95abc88 c0615664 00000004 00000000
+[ 2.406669] GPR24: 00000010 c95abc88 c95abc88 00000000 c61ae210 c7ff6d40 c61ae210 00003d68
+[ 2.441559] NIP [c000c540] dma_nommu_map_page+0x44/0xd4
+[ 2.446720] LR [c000c584] dma_nommu_map_page+0x88/0xd4
+[ 2.451762] Call Trace:
+[ 2.454195] [c95abb60] [82000808] 0x82000808 (unreliable)
+[ 2.459572] [c95abb80] [c02f2244] talitos_edesc_alloc+0xbc/0x3c8
+[ 2.465493] [c95abbb0] [c02f2600] ablkcipher_edesc_alloc+0x4c/0x5c
+[ 2.471606] [c95abbd0] [c02f4ed0] ablkcipher_encrypt+0x20/0x64
+[ 2.477389] [c95abbe0] [c02023b0] __test_skcipher+0x4bc/0xa08
+[ 2.483049] [c95abe00] [c0204b60] test_skcipher+0x2c/0xcc
+[ 2.488385] [c95abe20] [c0204c48] alg_test_skcipher+0x48/0xbc
+[ 2.494064] [c95abe40] [c0205cec] alg_test+0x164/0x2e8
+[ 2.499142] [c95abf00] [c0200dec] cryptomgr_test+0x48/0x50
+[ 2.504558] [c95abf10] [c0039ff4] kthread+0xe4/0x110
+[ 2.509471] [c95abf40] [c000e1d0] ret_from_kernel_thread+0x14/0x1c
+[ 2.515532] Instruction dump:
+[ 2.518468] 7c7e1b78 7c9d2378 7cbf2b78 41820054 3d20c076 8089c200 3d20c076 7c84e850
+[ 2.526127] 8129c204 7c842e70 7f844840 419c0008 <0fe00000> 2f9e0000 54847022 7c84fa14
+[ 2.533960] ---[ end trace bf78d94af73fe3b8 ]---
+[ 2.539123] talitos ff020000.crypto: master data transfer error
+[ 2.544775] talitos ff020000.crypto: TEA error: ISR 0x20000000_00000040
+[ 2.551625] alg: skcipher: encryption failed on test 1 for ecb-aes-talitos: ret=22
+
+IV cannot be on stack when CONFIG_VMAP_STACK is selected because the stack
+cannot be DMA mapped anymore.
+
+This patch copies the IV into the extended descriptor.
+
+Fixes: 4de9d0b547b9 ("crypto: talitos - Add ablkcipher algorithms")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/talitos.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -1416,12 +1416,15 @@ static struct talitos_edesc *talitos_ede
+ /* if its a ahash, add space for a second desc next to the first one */
+ if (is_sec1 && !dst)
+ alloc_len += sizeof(struct talitos_desc);
++ alloc_len += ivsize;
+
+ edesc = kmalloc(alloc_len, GFP_DMA | flags);
+ if (!edesc)
+ return ERR_PTR(-ENOMEM);
+- if (ivsize)
++ if (ivsize) {
++ iv = memcpy(((u8 *)edesc) + alloc_len - ivsize, iv, ivsize);
+ iv_dma = dma_map_single(dev, iv, ivsize, DMA_TO_DEVICE);
++ }
+ memset(&edesc->desc, 0, sizeof(edesc->desc));
+
+ edesc->src_nents = src_nents;
--- /dev/null
+From c56c2e173773097a248fd3bace91ac8f6fc5386d Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Tue, 8 Jan 2019 06:56:46 +0000
+Subject: crypto: talitos - reorder code in talitos_edesc_alloc()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+commit c56c2e173773097a248fd3bace91ac8f6fc5386d upstream.
+
+This patch moves the mapping of IV after the kmalloc(). This
+avoids having to unmap in case kmalloc() fails.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/talitos.c | 25 +++++++------------------
+ 1 file changed, 7 insertions(+), 18 deletions(-)
+
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -1361,23 +1361,18 @@ static struct talitos_edesc *talitos_ede
+ struct talitos_private *priv = dev_get_drvdata(dev);
+ bool is_sec1 = has_ftr_sec1(priv);
+ int max_len = is_sec1 ? TALITOS1_MAX_DATA_LEN : TALITOS2_MAX_DATA_LEN;
+- void *err;
+
+ if (cryptlen + authsize > max_len) {
+ dev_err(dev, "length exceeds h/w max limit\n");
+ return ERR_PTR(-EINVAL);
+ }
+
+- if (ivsize)
+- iv_dma = dma_map_single(dev, iv, ivsize, DMA_TO_DEVICE);
+-
+ if (!dst || dst == src) {
+ src_len = assoclen + cryptlen + authsize;
+ src_nents = sg_nents_for_len(src, src_len);
+ if (src_nents < 0) {
+ dev_err(dev, "Invalid number of src SG.\n");
+- err = ERR_PTR(-EINVAL);
+- goto error_sg;
++ return ERR_PTR(-EINVAL);
+ }
+ src_nents = (src_nents == 1) ? 0 : src_nents;
+ dst_nents = dst ? src_nents : 0;
+@@ -1387,16 +1382,14 @@ static struct talitos_edesc *talitos_ede
+ src_nents = sg_nents_for_len(src, src_len);
+ if (src_nents < 0) {
+ dev_err(dev, "Invalid number of src SG.\n");
+- err = ERR_PTR(-EINVAL);
+- goto error_sg;
++ return ERR_PTR(-EINVAL);
+ }
+ src_nents = (src_nents == 1) ? 0 : src_nents;
+ dst_len = assoclen + cryptlen + (encrypt ? authsize : 0);
+ dst_nents = sg_nents_for_len(dst, dst_len);
+ if (dst_nents < 0) {
+ dev_err(dev, "Invalid number of dst SG.\n");
+- err = ERR_PTR(-EINVAL);
+- goto error_sg;
++ return ERR_PTR(-EINVAL);
+ }
+ dst_nents = (dst_nents == 1) ? 0 : dst_nents;
+ }
+@@ -1425,10 +1418,10 @@ static struct talitos_edesc *talitos_ede
+ alloc_len += sizeof(struct talitos_desc);
+
+ edesc = kmalloc(alloc_len, GFP_DMA | flags);
+- if (!edesc) {
+- err = ERR_PTR(-ENOMEM);
+- goto error_sg;
+- }
++ if (!edesc)
++ return ERR_PTR(-ENOMEM);
++ if (ivsize)
++ iv_dma = dma_map_single(dev, iv, ivsize, DMA_TO_DEVICE);
+ memset(&edesc->desc, 0, sizeof(edesc->desc));
+
+ edesc->src_nents = src_nents;
+@@ -1445,10 +1438,6 @@ static struct talitos_edesc *talitos_ede
+ DMA_BIDIRECTIONAL);
+ }
+ return edesc;
+-error_sg:
+- if (iv_dma)
+- dma_unmap_single(dev, iv_dma, ivsize, DMA_TO_DEVICE);
+- return err;
+ }
+
+ static struct talitos_edesc *aead_edesc_alloc(struct aead_request *areq, u8 *iv,
--- /dev/null
+From 77b7aad195099e7c6da11e94b7fa6ef5e6fb0025 Mon Sep 17 00:00:00 2001
+From: David Sterba <dsterba@suse.com>
+Date: Wed, 9 Jan 2019 15:02:23 +0100
+Subject: Revert "btrfs: balance dirty metadata pages in btrfs_finish_ordered_io"
+
+From: David Sterba <dsterba@suse.com>
+
+commit 77b7aad195099e7c6da11e94b7fa6ef5e6fb0025 upstream.
+
+This reverts commit e73e81b6d0114d4a303205a952ab2e87c44bd279.
+
+This patch causes a few problems:
+
+- adds latency to btrfs_finish_ordered_io
+- as btrfs_finish_ordered_io is used for free space cache, generating
+ more work from btrfs_btree_balance_dirty_nodelay could end up in the
+ same workque, effectively deadlocking
+
+12260 kworker/u96:16+btrfs-freespace-write D
+[<0>] balance_dirty_pages+0x6e6/0x7ad
+[<0>] balance_dirty_pages_ratelimited+0x6bb/0xa90
+[<0>] btrfs_finish_ordered_io+0x3da/0x770
+[<0>] normal_work_helper+0x1c5/0x5a0
+[<0>] process_one_work+0x1ee/0x5a0
+[<0>] worker_thread+0x46/0x3d0
+[<0>] kthread+0xf5/0x130
+[<0>] ret_from_fork+0x24/0x30
+[<0>] 0xffffffffffffffff
+
+Transaction commit will wait on the freespace cache:
+
+838 btrfs-transacti D
+[<0>] btrfs_start_ordered_extent+0x154/0x1e0
+[<0>] btrfs_wait_ordered_range+0xbd/0x110
+[<0>] __btrfs_wait_cache_io+0x49/0x1a0
+[<0>] btrfs_write_dirty_block_groups+0x10b/0x3b0
+[<0>] commit_cowonly_roots+0x215/0x2b0
+[<0>] btrfs_commit_transaction+0x37e/0x910
+[<0>] transaction_kthread+0x14d/0x180
+[<0>] kthread+0xf5/0x130
+[<0>] ret_from_fork+0x24/0x30
+[<0>] 0xffffffffffffffff
+
+And then writepages ends up waiting on transaction commit:
+
+9520 kworker/u96:13+flush-btrfs-1 D
+[<0>] wait_current_trans+0xac/0xe0
+[<0>] start_transaction+0x21b/0x4b0
+[<0>] cow_file_range_inline+0x10b/0x6b0
+[<0>] cow_file_range.isra.69+0x329/0x4a0
+[<0>] run_delalloc_range+0x105/0x3c0
+[<0>] writepage_delalloc+0x119/0x180
+[<0>] __extent_writepage+0x10c/0x390
+[<0>] extent_write_cache_pages+0x26f/0x3d0
+[<0>] extent_writepages+0x4f/0x80
+[<0>] do_writepages+0x17/0x60
+[<0>] __writeback_single_inode+0x59/0x690
+[<0>] writeback_sb_inodes+0x291/0x4e0
+[<0>] __writeback_inodes_wb+0x87/0xb0
+[<0>] wb_writeback+0x3bb/0x500
+[<0>] wb_workfn+0x40d/0x610
+[<0>] process_one_work+0x1ee/0x5a0
+[<0>] worker_thread+0x1e0/0x3d0
+[<0>] kthread+0xf5/0x130
+[<0>] ret_from_fork+0x24/0x30
+[<0>] 0xffffffffffffffff
+
+Eventually, we have every process in the system waiting on
+balance_dirty_pages(), and nobody is able to make progress on page
+writeback.
+
+The original patch tried to fix an OOM condition, that happened on 4.4 but no
+success reproducing that on later kernels (4.19 and 4.20). This is more likely
+a problem in OOM itself.
+
+Link: https://lore.kernel.org/linux-btrfs/20180528054821.9092-1-ethanlien@synology.com/
+Reported-by: Chris Mason <clm@fb.com>
+CC: stable@vger.kernel.org # 4.18+
+CC: ethanlien <ethanlien@synology.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/inode.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -3151,9 +3151,6 @@ out:
+ /* once for the tree */
+ btrfs_put_ordered_extent(ordered_extent);
+
+- /* Try to release some metadata so we don't get an OOM but don't wait */
+- btrfs_btree_balance_dirty_nodelay(fs_info);
+-
+ return ret;
+ }
+
--- /dev/null
+From 3f7e62bba0003f9c68f599f5997c4647ef5b4f4e Mon Sep 17 00:00:00 2001
+From: Stanley Chu <stanley.chu@mediatek.com>
+Date: Thu, 3 Jan 2019 22:08:05 +0800
+Subject: scsi: core: Synchronize request queue PM status only on successful resume
+
+From: Stanley Chu <stanley.chu@mediatek.com>
+
+commit 3f7e62bba0003f9c68f599f5997c4647ef5b4f4e upstream.
+
+The commit 356fd2663cff ("scsi: Set request queue runtime PM status back to
+active on resume") fixed up the inconsistent RPM status between request
+queue and device. However changing request queue RPM status shall be done
+only on successful resume, otherwise status may be still inconsistent as
+below,
+
+Request queue: RPM_ACTIVE
+Device: RPM_SUSPENDED
+
+This ends up soft lockup because requests can be submitted to underlying
+devices but those devices and their required resource are not resumed.
+
+For example,
+
+After above inconsistent status happens, IO request can be submitted to UFS
+device driver but required resource (like clock) is not resumed yet thus
+lead to warning as below call stack,
+
+WARN_ON(hba->clk_gating.state != CLKS_ON);
+ufshcd_queuecommand
+scsi_dispatch_cmd
+scsi_request_fn
+__blk_run_queue
+cfq_insert_request
+__elv_add_request
+blk_flush_plug_list
+blk_finish_plug
+jbd2_journal_commit_transaction
+kjournald2
+
+We may see all behind IO requests hang because of no response from storage
+host or device and then soft lockup happens in system. In the end, system
+may crash in many ways.
+
+Fixes: 356fd2663cff (scsi: Set request queue runtime PM status back to active on resume)
+Cc: stable@vger.kernel.org
+Signed-off-by: Stanley Chu <stanley.chu@mediatek.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_pm.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+--- a/drivers/scsi/scsi_pm.c
++++ b/drivers/scsi/scsi_pm.c
+@@ -79,8 +79,22 @@ static int scsi_dev_type_resume(struct d
+
+ if (err == 0) {
+ pm_runtime_disable(dev);
+- pm_runtime_set_active(dev);
++ err = pm_runtime_set_active(dev);
+ pm_runtime_enable(dev);
++
++ /*
++ * Forcibly set runtime PM status of request queue to "active"
++ * to make sure we can again get requests from the queue
++ * (see also blk_pm_peek_request()).
++ *
++ * The resume hook will correct runtime PM status of the disk.
++ */
++ if (!err && scsi_is_sdev_device(dev)) {
++ struct scsi_device *sdev = to_scsi_device(dev);
++
++ if (sdev->request_queue->dev)
++ blk_set_runtime_active(sdev->request_queue);
++ }
+ }
+
+ return err;
+@@ -139,16 +153,6 @@ static int scsi_bus_resume_common(struct
+ else
+ fn = NULL;
+
+- /*
+- * Forcibly set runtime PM status of request queue to "active" to
+- * make sure we can again get requests from the queue (see also
+- * blk_pm_peek_request()).
+- *
+- * The resume hook will correct runtime PM status of the disk.
+- */
+- if (scsi_is_sdev_device(dev) && pm_runtime_suspended(dev))
+- blk_set_runtime_active(to_scsi_device(dev)->request_queue);
+-
+ if (fn) {
+ async_schedule_domain(fn, dev, &scsi_sd_pm_domain);
+
--- /dev/null
+From 44759979a49bfd2d20d789add7fa81a21eb1a4ab Mon Sep 17 00:00:00 2001
+From: Ivan Mironov <mironov.ivan@gmail.com>
+Date: Sun, 23 Dec 2018 12:41:58 +0500
+Subject: scsi: sd: Fix cache_type_store()
+
+From: Ivan Mironov <mironov.ivan@gmail.com>
+
+commit 44759979a49bfd2d20d789add7fa81a21eb1a4ab upstream.
+
+Changing of caching mode via /sys/devices/.../scsi_disk/.../cache_type may
+fail if device responds to MODE SENSE command with DPOFUA flag set, and
+then checks this flag to be not set on MODE SELECT command.
+
+In this scenario, when trying to change cache_type, write always fails:
+
+ # echo "none" >cache_type
+ bash: echo: write error: Invalid argument
+
+And following appears in dmesg:
+
+ [13007.865745] sd 1:0:1:0: [sda] Sense Key : Illegal Request [current]
+ [13007.865753] sd 1:0:1:0: [sda] Add. Sense: Invalid field in parameter list
+
+From SBC-4 r15, 6.5.1 "Mode pages overview", description of DEVICE-SPECIFIC
+PARAMETER field in the mode parameter header:
+ ...
+ The write protect (WP) bit for mode data sent with a MODE SELECT
+ command shall be ignored by the device server.
+ ...
+ The DPOFUA bit is reserved for mode data sent with a MODE SELECT
+ command.
+ ...
+
+The remaining bits in the DEVICE-SPECIFIC PARAMETER byte are also reserved
+and shall be set to zero.
+
+[mkp: shuffled commentary to commit description]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Mironov <mironov.ivan@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -205,6 +205,12 @@ cache_type_store(struct device *dev, str
+ sp = buffer_data[0] & 0x80 ? 1 : 0;
+ buffer_data[0] &= ~0x80;
+
++ /*
++ * Ensure WP, DPOFUA, and RESERVED fields are cleared in
++ * received mode parameter buffer before doing MODE SELECT.
++ */
++ data.device_specific = 0;
++
+ if (scsi_mode_select(sdp, 1, sp, 8, buffer_data, len, SD_TIMEOUT,
+ SD_MAX_RETRIES, &data, &sshdr)) {
+ if (scsi_sense_valid(&sshdr))
bonding-update-nest-level-on-unlink.patch
ip-on-queued-skb-use-skb_header_pointer-instead-of-pskb_may_pull.patch
r8169-load-realtek-phy-driver-module-before-r8169.patch
+crypto-sm3-fix-undefined-shift-by-width-of-value.patch
+crypto-caam-fix-zero-length-buffer-dma-mapping.patch
+crypto-authencesn-avoid-twice-completion-call-in-decrypt-path.patch
+crypto-ccree-convert-to-use-crypto_authenc_extractkeys.patch
+crypto-bcm-convert-to-use-crypto_authenc_extractkeys.patch
+crypto-authenc-fix-parsing-key-with-misaligned-rta_len.patch
+crypto-talitos-reorder-code-in-talitos_edesc_alloc.patch
+crypto-talitos-fix-ablkcipher-for-config_vmap_stack.patch
+xen-fix-x86-sched_clock-interface-for-xen.patch
+revert-btrfs-balance-dirty-metadata-pages-in-btrfs_finish_ordered_io.patch
+btrfs-wait-on-ordered-extents-on-abort-cleanup.patch
+yama-check-for-pid-death-before-checking-ancestry.patch
+scsi-core-synchronize-request-queue-pm-status-only-on-successful-resume.patch
+scsi-sd-fix-cache_type_store.patch
--- /dev/null
+From 867cefb4cb1012f42cada1c7d1f35ac8dd276071 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Mon, 14 Jan 2019 13:44:13 +0100
+Subject: xen: Fix x86 sched_clock() interface for xen
+
+From: Juergen Gross <jgross@suse.com>
+
+commit 867cefb4cb1012f42cada1c7d1f35ac8dd276071 upstream.
+
+Commit f94c8d11699759 ("sched/clock, x86/tsc: Rework the x86 'unstable'
+sched_clock() interface") broke Xen guest time handling across
+migration:
+
+[ 187.249951] Freezing user space processes ... (elapsed 0.001 seconds) done.
+[ 187.251137] OOM killer disabled.
+[ 187.251137] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.
+[ 187.252299] suspending xenstore...
+[ 187.266987] xen:grant_table: Grant tables using version 1 layout
+[18446743811.706476] OOM killer enabled.
+[18446743811.706478] Restarting tasks ... done.
+[18446743811.720505] Setting capacity to 16777216
+
+Fix that by setting xen_sched_clock_offset at resume time to ensure a
+monotonic clock value.
+
+[boris: replaced pr_info() with pr_info_once() in xen_callback_vector()
+ to avoid printing with incorrect timestamp during resume (as we
+ haven't re-adjusted the clock yet)]
+
+Fixes: f94c8d11699759 ("sched/clock, x86/tsc: Rework the x86 'unstable' sched_clock() interface")
+Cc: <stable@vger.kernel.org> # 4.11
+Reported-by: Hans van Kranenburg <hans.van.kranenburg@mendix.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Hans van Kranenburg <hans.van.kranenburg@mendix.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/xen/time.c | 12 +++++++++---
+ drivers/xen/events/events_base.c | 2 +-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/xen/time.c
++++ b/arch/x86/xen/time.c
+@@ -361,8 +361,6 @@ void xen_timer_resume(void)
+ {
+ int cpu;
+
+- pvclock_resume();
+-
+ if (xen_clockevent != &xen_vcpuop_clockevent)
+ return;
+
+@@ -379,12 +377,15 @@ static const struct pv_time_ops xen_time
+ };
+
+ static struct pvclock_vsyscall_time_info *xen_clock __read_mostly;
++static u64 xen_clock_value_saved;
+
+ void xen_save_time_memory_area(void)
+ {
+ struct vcpu_register_time_memory_area t;
+ int ret;
+
++ xen_clock_value_saved = xen_clocksource_read() - xen_sched_clock_offset;
++
+ if (!xen_clock)
+ return;
+
+@@ -404,7 +405,7 @@ void xen_restore_time_memory_area(void)
+ int ret;
+
+ if (!xen_clock)
+- return;
++ goto out;
+
+ t.addr.v = &xen_clock->pvti;
+
+@@ -421,6 +422,11 @@ void xen_restore_time_memory_area(void)
+ if (ret != 0)
+ pr_notice("Cannot restore secondary vcpu_time_info (err %d)",
+ ret);
++
++out:
++ /* Need pvclock_resume() before using xen_clocksource_read(). */
++ pvclock_resume();
++ xen_sched_clock_offset = xen_clocksource_read() - xen_clock_value_saved;
+ }
+
+ static void xen_setup_vsyscall_time_info(void)
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -1650,7 +1650,7 @@ void xen_callback_vector(void)
+ xen_have_vector_callback = 0;
+ return;
+ }
+- pr_info("Xen HVM callback vector for event delivery is enabled\n");
++ pr_info_once("Xen HVM callback vector for event delivery is enabled\n");
+ alloc_intr_gate(HYPERVISOR_CALLBACK_VECTOR,
+ xen_hvm_callback_vector);
+ }
--- /dev/null
+From 9474f4e7cd71a633fa1ef93b7daefd44bbdfd482 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 16 Jan 2019 10:31:09 -0800
+Subject: Yama: Check for pid death before checking ancestry
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 9474f4e7cd71a633fa1ef93b7daefd44bbdfd482 upstream.
+
+It's possible that a pid has died before we take the rcu lock, in which
+case we can't walk the ancestry list as it may be detached. Instead, check
+for death first before doing the walk.
+
+Reported-by: syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com
+Fixes: 2d514487faf1 ("security: Yama LSM")
+Cc: stable@vger.kernel.org
+Suggested-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/yama/yama_lsm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/security/yama/yama_lsm.c
++++ b/security/yama/yama_lsm.c
+@@ -368,7 +368,9 @@ static int yama_ptrace_access_check(stru
+ break;
+ case YAMA_SCOPE_RELATIONAL:
+ rcu_read_lock();
+- if (!task_is_descendant(current, child) &&
++ if (!pid_alive(child))
++ rc = -EPERM;
++ if (!rc && !task_is_descendant(current, child) &&
+ !ptracer_exception_found(current, child) &&
+ !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
+ rc = -EPERM;
projects / thirdparty / kernel / stable-queue.git / commitdiff
