3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 11 Sep 2015 06:21:32 +0000 (23:21 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 11 Sep 2015 06:21:32 +0000 (23:21 -0700)
added patches:
crypto-caam-fix-memory-corruption-in-ahash_final_ctx.patch
libfc-fix-fc_exch_recv_req-error-path.patch
libfc-fix-fc_fcp_cleanup_each_cmd.patch
regmap-regcache-rbtree-clean-new-present-bits-on-present-bitmap-resize.patch

queue-3.14/crypto-caam-fix-memory-corruption-in-ahash_final_ctx.patch [new file with mode: 0644]
queue-3.14/libfc-fix-fc_exch_recv_req-error-path.patch [new file with mode: 0644]
queue-3.14/libfc-fix-fc_fcp_cleanup_each_cmd.patch [new file with mode: 0644]
queue-3.14/regmap-regcache-rbtree-clean-new-present-bits-on-present-bitmap-resize.patch [new file with mode: 0644]
queue-3.14/series

diff --git a/queue-3.14/crypto-caam-fix-memory-corruption-in-ahash_final_ctx.patch b/queue-3.14/crypto-caam-fix-memory-corruption-in-ahash_final_ctx.patch
new file mode 100644 (file)
index 0000000..06feb71
--- /dev/null
@@ -0,0 +1,50 @@
+From b310c178e6d897f82abb9da3af1cd7c02b09f592 Mon Sep 17 00:00:00 2001
+From: Horia Geant? <horia.geanta@freescale.com>
+Date: Tue, 11 Aug 2015 20:19:20 +0300
+Subject: crypto: caam - fix memory corruption in ahash_final_ctx
+
+From: Horia Geant? <horia.geanta@freescale.com>
+
+commit b310c178e6d897f82abb9da3af1cd7c02b09f592 upstream.
+
+When doing pointer operation for accessing the HW S/G table,
+a value representing number of entries (and not number of bytes)
+must be used.
+
+Fixes: 045e36780f115 ("crypto: caam - ahash hmac support")
+Signed-off-by: Horia Geant? <horia.geanta@freescale.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/caamhash.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/crypto/caam/caamhash.c
++++ b/drivers/crypto/caam/caamhash.c
+@@ -900,13 +900,14 @@ static int ahash_final_ctx(struct ahash_
+                         state->buflen_1;
+       u32 *sh_desc = ctx->sh_desc_fin, *desc;
+       dma_addr_t ptr = ctx->sh_desc_fin_dma;
+-      int sec4_sg_bytes;
++      int sec4_sg_bytes, sec4_sg_src_index;
+       int digestsize = crypto_ahash_digestsize(ahash);
+       struct ahash_edesc *edesc;
+       int ret = 0;
+       int sh_len;
+-      sec4_sg_bytes = (1 + (buflen ? 1 : 0)) * sizeof(struct sec4_sg_entry);
++      sec4_sg_src_index = 1 + (buflen ? 1 : 0);
++      sec4_sg_bytes = sec4_sg_src_index * sizeof(struct sec4_sg_entry);
+       /* allocate space for base edesc and hw desc commands, link tables */
+       edesc = kmalloc(sizeof(struct ahash_edesc) + DESC_JOB_IO_LEN +
+@@ -933,7 +934,7 @@ static int ahash_final_ctx(struct ahash_
+       state->buf_dma = try_buf_map_to_sec4_sg(jrdev, edesc->sec4_sg + 1,
+                                               buf, state->buf_dma, buflen,
+                                               last_buflen);
+-      (edesc->sec4_sg + sec4_sg_bytes - 1)->len |= SEC4_SG_LEN_FIN;
++      (edesc->sec4_sg + sec4_sg_src_index - 1)->len |= SEC4_SG_LEN_FIN;
+       append_seq_in_ptr(desc, edesc->sec4_sg_dma, ctx->ctx_len + buflen,
+                         LDST_SGF);
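Review bot: `sec4_sg_src_index` in ahash_final_ctx holds the number of S/G entries (1 or 2) rather than an index, and nothing at the `SEC4_SG_LEN_FIN` line says why the byte count must not be used there. The out-of-bounds write being fixed came from adding a byte count to a `struct sec4_sg_entry *`, which the compiler already scales by the entry size. A short comment next to the assignment would keep the two units apart for the next reader: `/* entry count, not bytes: pointer arithmetic on sec4_sg is scaled by sizeof(struct sec4_sg_entry) */`. Other places in caamhash.c that mark the final S/G entry are outside this hunk and may deserve the same check. The body of ahash_final_ctx starts and ends outside the hunk.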
diff --git a/queue-3.14/libfc-fix-fc_exch_recv_req-error-path.patch b/queue-3.14/libfc-fix-fc_exch_recv_req-error-path.patch
new file mode 100644 (file)
index 0000000..75dbb82
--- /dev/null
@@ -0,0 +1,63 @@
+From f6979adeaab578f8ca14fdd32b06ddee0d9d3314 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+Date: Fri, 5 Jun 2015 14:20:46 -0700
+Subject: libfc: Fix fc_exch_recv_req() error path
+
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+
+commit f6979adeaab578f8ca14fdd32b06ddee0d9d3314 upstream.
+
+Due to patch "libfc: Do not invoke the response handler after
+fc_exch_done()" (commit ID 7030fd62) the lport_recv() call
+in fc_exch_recv_req() is passed a dangling pointer. Avoid this
+by moving the fc_frame_free() call from fc_invoke_resp() to its
+callers. This patch fixes the following crash:
+
+general protection fault: 0000 [#3] PREEMPT SMP
+RIP: fc_lport_recv_req+0x72/0x280 [libfc]
+Call Trace:
+ fc_exch_recv+0x642/0xde0 [libfc]
+ fcoe_percpu_receive_thread+0x46a/0x5ed [fcoe]
+ kthread+0x10a/0x120
+ ret_from_fork+0x42/0x70
+
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Signed-off-by: Vasu Dev <vasu.dev@intel.com>
+Signed-off-by: James Bottomley <JBottomley@Odin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/libfc/fc_exch.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/libfc/fc_exch.c
++++ b/drivers/scsi/libfc/fc_exch.c
+@@ -733,8 +733,6 @@ static bool fc_invoke_resp(struct fc_exc
+       if (resp) {
+               resp(sp, fp, arg);
+               res = true;
+-      } else if (!IS_ERR(fp)) {
+-              fc_frame_free(fp);
+       }
+       spin_lock_bh(&ep->ex_lock);
+@@ -1596,7 +1594,8 @@ static void fc_exch_recv_seq_resp(struct
+        * If new exch resp handler is valid then call that
+        * first.
+        */
+-      fc_invoke_resp(ep, sp, fp);
++      if (!fc_invoke_resp(ep, sp, fp))
++              fc_frame_free(fp);
+       fc_exch_release(ep);
+       return;
+@@ -1695,7 +1694,8 @@ static void fc_exch_abts_resp(struct fc_
+       fc_exch_hold(ep);
+       if (!rc)
+               fc_exch_delete(ep);
+-      fc_invoke_resp(ep, sp, fp);
++      if (!fc_invoke_resp(ep, sp, fp))
++              fc_frame_free(fp);
+       if (has_rec)
+               fc_exch_timer_set(ep, ep->r_a_tov);
+       fc_exch_release(ep);
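Review bot: The frame-ownership contract of fc_invoke_resp() changes here but is not documented: a `false` return now means the caller still owns `fp` and must free it or hand it on, and both fc_exch_recv_seq_resp() and fc_exch_abts_resp() depend on that. The removed branch also guarded the free with `!IS_ERR(fp)`, while the two new call sites call `fc_frame_free(fp)` unconditionally; that is safe only if `fp` is always a real frame at these sites, which the hunks suggest but do not show. A kernel-doc line on fc_invoke_resp() such as `Returns true if a response handler consumed @fp; otherwise the caller retains ownership of @fp` would make it harder for a future caller to leak the frame or touch it after a handler has released it. All three functions extend beyond the hunks.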
diff --git a/queue-3.14/libfc-fix-fc_fcp_cleanup_each_cmd.patch b/queue-3.14/libfc-fix-fc_fcp_cleanup_each_cmd.patch
new file mode 100644 (file)
index 0000000..4671577
--- /dev/null
@@ -0,0 +1,76 @@
+From 8f2777f53e3d5ad8ef2a176a4463a5c8e1a16431 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+Date: Fri, 5 Jun 2015 14:20:51 -0700
+Subject: libfc: Fix fc_fcp_cleanup_each_cmd()
+
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+
+commit 8f2777f53e3d5ad8ef2a176a4463a5c8e1a16431 upstream.
+
+Since fc_fcp_cleanup_cmd() can sleep this function must not
+be called while holding a spinlock. This patch avoids that
+fc_fcp_cleanup_each_cmd() triggers the following bug:
+
+BUG: scheduling while atomic: sg_reset/1512/0x00000202
+1 lock held by sg_reset/1512:
+ #0:  (&(&fsp->scsi_pkt_lock)->rlock){+.-...}, at: [<ffffffffc0225cd5>] fc_fcp_cleanup_each_cmd.isra.21+0xa5/0x150 [libfc]
+Preemption disabled at:[<ffffffffc0225cd5>] fc_fcp_cleanup_each_cmd.isra.21+0xa5/0x150 [libfc]
+Call Trace:
+ [<ffffffff816c612c>] dump_stack+0x4f/0x7b
+ [<ffffffff810828bc>] __schedule_bug+0x6c/0xd0
+ [<ffffffff816c87aa>] __schedule+0x71a/0xa10
+ [<ffffffff816c8ad2>] schedule+0x32/0x80
+ [<ffffffffc0217eac>] fc_seq_set_resp+0xac/0x100 [libfc]
+ [<ffffffffc0218b11>] fc_exch_done+0x41/0x60 [libfc]
+ [<ffffffffc0225cff>] fc_fcp_cleanup_each_cmd.isra.21+0xcf/0x150 [libfc]
+ [<ffffffffc0225f43>] fc_eh_device_reset+0x1c3/0x270 [libfc]
+ [<ffffffff814a2cc9>] scsi_try_bus_device_reset+0x29/0x60
+ [<ffffffff814a3908>] scsi_ioctl_reset+0x258/0x2d0
+ [<ffffffff814a2650>] scsi_ioctl+0x150/0x440
+ [<ffffffff814b3a9d>] sd_ioctl+0xad/0x120
+ [<ffffffff8132f266>] blkdev_ioctl+0x1b6/0x810
+ [<ffffffff811da608>] block_ioctl+0x38/0x40
+ [<ffffffff811b4e08>] do_vfs_ioctl+0x2f8/0x530
+ [<ffffffff811b50c1>] SyS_ioctl+0x81/0xa0
+ [<ffffffff816cf8b2>] system_call_fastpath+0x16/0x7a
+
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Signed-off-by: Vasu Dev <vasu.dev@intel.com>
+Signed-off-by: James Bottomley <JBottomley@Odin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/libfc/fc_fcp.c |   19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/libfc/fc_fcp.c
++++ b/drivers/scsi/libfc/fc_fcp.c
+@@ -1039,11 +1039,26 @@ restart:
+               fc_fcp_pkt_hold(fsp);
+               spin_unlock_irqrestore(&si->scsi_queue_lock, flags);
+-              if (!fc_fcp_lock_pkt(fsp)) {
++              spin_lock_bh(&fsp->scsi_pkt_lock);
++              if (!(fsp->state & FC_SRB_COMPL)) {
++                      fsp->state |= FC_SRB_COMPL;
++                      /*
++                       * TODO: dropping scsi_pkt_lock and then reacquiring
++                       * again around fc_fcp_cleanup_cmd() is required,
++                       * since fc_fcp_cleanup_cmd() calls into
++                       * fc_seq_set_resp() and that func preempts cpu using
++                       * schedule. May be schedule and related code should be
++                       * removed instead of unlocking here to avoid scheduling
++                       * while atomic bug.
++                       */
++                      spin_unlock_bh(&fsp->scsi_pkt_lock);
++
+                       fc_fcp_cleanup_cmd(fsp, error);
++
++                      spin_lock_bh(&fsp->scsi_pkt_lock);
+                       fc_io_compl(fsp);
+-                      fc_fcp_unlock_pkt(fsp);
+               }
++              spin_unlock_bh(&fsp->scsi_pkt_lock);
+               fc_fcp_pkt_release(fsp);
+               spin_lock_irqsave(&si->scsi_queue_lock, flags);
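Review bot: The TODO comment explains why `scsi_pkt_lock` is dropped around fc_fcp_cleanup_cmd() but not what protects `fsp` while it is unlocked. The code sets `FC_SRB_COMPL` before `spin_unlock_bh()`, and presumably that flag is what makes other paths that take the packet lock back off; the replaced fc_fcp_lock_pkt() is not visible here, so this should be confirmed. I would state the ordering in the comment, e.g. `/* FC_SRB_COMPL is set first so concurrent lockers treat the packet as completed while the lock is dropped */`, because swapping those two statements would open a window in which another context works on a packet that is being cleaned up. The loop this code belongs to starts at `restart:` outside the hunk.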
diff --git a/queue-3.14/regmap-regcache-rbtree-clean-new-present-bits-on-present-bitmap-resize.patch b/queue-3.14/regmap-regcache-rbtree-clean-new-present-bits-on-present-bitmap-resize.patch
new file mode 100644 (file)
index 0000000..15aea88
--- /dev/null
@@ -0,0 +1,55 @@
+From 8ef9724bf9718af81cfc5132253372f79c71b7e2 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sun, 26 Jul 2015 21:34:50 -0700
+Subject: regmap: regcache-rbtree: Clean new present bits on present bitmap resize
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 8ef9724bf9718af81cfc5132253372f79c71b7e2 upstream.
+
+When inserting a new register into a block, the present bit map size is
+increased using krealloc. krealloc does not clear the additionally
+allocated memory, leaving it filled with random values. Result is that
+some registers are considered cached even though this is not the case.
+
+Fix the problem by clearing the additionally allocated memory. Also, if
+the bitmap size does not increase, do not reallocate the bitmap at all
+to reduce overhead.
+
+Fixes: 3f4ff561bc88 ("regmap: rbtree: Make cache_present bitmap per node")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/regmap/regcache-rbtree.c |   19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/base/regmap/regcache-rbtree.c
++++ b/drivers/base/regmap/regcache-rbtree.c
+@@ -302,11 +302,20 @@ static int regcache_rbtree_insert_to_blo
+       if (!blk)
+               return -ENOMEM;
+-      present = krealloc(rbnode->cache_present,
+-                  BITS_TO_LONGS(blklen) * sizeof(*present), GFP_KERNEL);
+-      if (!present) {
+-              kfree(blk);
+-              return -ENOMEM;
++      if (BITS_TO_LONGS(blklen) > BITS_TO_LONGS(rbnode->blklen)) {
++              present = krealloc(rbnode->cache_present,
++                                 BITS_TO_LONGS(blklen) * sizeof(*present),
++                                 GFP_KERNEL);
++              if (!present) {
++                      kfree(blk);
++                      return -ENOMEM;
++              }
++
++              memset(present + BITS_TO_LONGS(rbnode->blklen), 0,
++                     (BITS_TO_LONGS(blklen) - BITS_TO_LONGS(rbnode->blklen))
++                     * sizeof(*present));
++      } else {
++              present = rbnode->cache_present;
+       }
+       /* insert the register value in the correct place in the rbnode block */
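Review bot: The `kfree(blk)` kept in the new `if (!present)` branch looks unsafe if `blk` was obtained by reallocating `rbnode->block`; the allocation is above the hunk, so this is inferred from the `if (!blk)` check. In that case the old block may already have been released by the realloc while `rbnode->block` still holds the old pointer, and freeing `blk` on this error path leaves the node pointing at freed memory. Storing the new pointer as soon as it is known to be valid, `rbnode->block = blk;` right after the `if (!blk)` check, and dropping `kfree(blk);` from the failure branch would avoid that, subject to checking the assignments that follow the hunk. Separately, `BITS_TO_LONGS(blklen)` and `BITS_TO_LONGS(rbnode->blklen)` are each spelled out several times, and two locals would make the memset bounds easier to audit.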
index 72614edbf1d01a033b7afab7f9fa79678f27b11c..265f273387940b14b96df75c78eeeb9208faebd5 100644 (file)
@@ -9,3 +9,7 @@ localmodconfig-use-kbuild-files-too.patch
 edac-ppc4xx-access-mci-csrows-array-elements-properly.patch
 drm-radeon-add-new-oland-pci-id.patch
 drm-vmwgfx-fix-execbuf-locking-issues.patch
+libfc-fix-fc_exch_recv_req-error-path.patch
+libfc-fix-fc_fcp_cleanup_each_cmd.patch
+regmap-regcache-rbtree-clean-new-present-bits-on-present-bitmap-resize.patch
+crypto-caam-fix-memory-corruption-in-ahash_final_ctx.patch