--- /dev/null
+From bb06c388fa20ae24cfe80c52488de718a7e3a53f Mon Sep 17 00:00:00 2001
+From: zhengbin <zhengbin13@huawei.com>
+Date: Wed, 13 Mar 2019 16:01:37 +0800
+Subject: 9p/net: fix memory leak in p9_client_create
+
+From: zhengbin <zhengbin13@huawei.com>
+
+commit bb06c388fa20ae24cfe80c52488de718a7e3a53f upstream.
+
+If msize is less than 4096, we should close and put trans, destroy
+tagpool, not just free client. This patch fixes that.
+
+Link: http://lkml.kernel.org/m/1552464097-142659-1-git-send-email-zhengbin13@huawei.com
+Cc: stable@vger.kernel.org
+Fixes: 574d356b7a02 ("9p/net: put a lower bound on msize")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: zhengbin <zhengbin13@huawei.com>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/9p/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -1073,7 +1073,7 @@ struct p9_client *p9_client_create(const
+ p9_debug(P9_DEBUG_ERROR,
+ "Please specify a msize of at least 4k\n");
+ err = -EINVAL;
+- goto free_client;
++ goto close_trans;
+ }
+
+ err = p9_client_version(clnt);
--- /dev/null
+From 5e3cc1ee1405a7eb3487ed24f786dec01b4cbe1f Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Thu, 24 Jan 2019 14:35:13 +0800
+Subject: 9p: use inode->i_lock to protect i_size_write() under 32-bit
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit 5e3cc1ee1405a7eb3487ed24f786dec01b4cbe1f upstream.
+
+Use inode->i_lock to protect i_size_write(), else i_size_read() in
+generic_fillattr() may loop infinitely in read_seqcount_begin() when
+multiple processes invoke v9fs_vfs_getattr() or v9fs_vfs_getattr_dotl()
+simultaneously under 32-bit SMP environment, and a soft lockup will be
+triggered as show below:
+
+ watchdog: BUG: soft lockup - CPU#5 stuck for 22s! [stat:2217]
+ Modules linked in:
+ CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-00005-g7f702faf5a9e #4
+ Hardware name: Generic DT based system
+ PC is at generic_fillattr+0x104/0x108
+ LR is at 0xec497f00
+ pc : [<802b8898>] lr : [<ec497f00>] psr: 200c0013
+ sp : ec497e20 ip : ed608030 fp : ec497e3c
+ r10: 00000000 r9 : ec497f00 r8 : ed608030
+ r7 : ec497ebc r6 : ec497f00 r5 : ee5c1550 r4 : ee005780
+ r3 : 0000052d r2 : 00000000 r1 : ec497f00 r0 : ed608030
+ Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+ Control: 10c5387d Table: ac48006a DAC: 00000051
+ CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-00005-g7f702faf5a9e #4
+ Hardware name: Generic DT based system
+ Backtrace:
+ [<8010d974>] (dump_backtrace) from [<8010dc88>] (show_stack+0x20/0x24)
+ [<8010dc68>] (show_stack) from [<80a1d194>] (dump_stack+0xb0/0xdc)
+ [<80a1d0e4>] (dump_stack) from [<80109f34>] (show_regs+0x1c/0x20)
+ [<80109f18>] (show_regs) from [<801d0a80>] (watchdog_timer_fn+0x280/0x2f8)
+ [<801d0800>] (watchdog_timer_fn) from [<80198658>] (__hrtimer_run_queues+0x18c/0x380)
+ [<801984cc>] (__hrtimer_run_queues) from [<80198e60>] (hrtimer_run_queues+0xb8/0xf0)
+ [<80198da8>] (hrtimer_run_queues) from [<801973e8>] (run_local_timers+0x28/0x64)
+ [<801973c0>] (run_local_timers) from [<80197460>] (update_process_times+0x3c/0x6c)
+ [<80197424>] (update_process_times) from [<801ab2b8>] (tick_nohz_handler+0xe0/0x1bc)
+ [<801ab1d8>] (tick_nohz_handler) from [<80843050>] (arch_timer_handler_virt+0x38/0x48)
+ [<80843018>] (arch_timer_handler_virt) from [<80180a64>] (handle_percpu_devid_irq+0x8c/0x240)
+ [<801809d8>] (handle_percpu_devid_irq) from [<8017ac20>] (generic_handle_irq+0x34/0x44)
+ [<8017abec>] (generic_handle_irq) from [<8017b344>] (__handle_domain_irq+0x6c/0xc4)
+ [<8017b2d8>] (__handle_domain_irq) from [<801022e0>] (gic_handle_irq+0x4c/0x88)
+ [<80102294>] (gic_handle_irq) from [<80101a30>] (__irq_svc+0x70/0x98)
+ [<802b8794>] (generic_fillattr) from [<8056b284>] (v9fs_vfs_getattr_dotl+0x74/0xa4)
+ [<8056b210>] (v9fs_vfs_getattr_dotl) from [<802b8904>] (vfs_getattr_nosec+0x68/0x7c)
+ [<802b889c>] (vfs_getattr_nosec) from [<802b895c>] (vfs_getattr+0x44/0x48)
+ [<802b8918>] (vfs_getattr) from [<802b8a74>] (vfs_statx+0x9c/0xec)
+ [<802b89d8>] (vfs_statx) from [<802b9428>] (sys_lstat64+0x48/0x78)
+ [<802b93e0>] (sys_lstat64) from [<80101000>] (ret_fast_syscall+0x0/0x28)
+
+[dominique.martinet@cea.fr: updated comment to not refer to a function
+in another subsystem]
+Link: http://lkml.kernel.org/r/20190124063514.8571-2-houtao1@huawei.com
+Cc: stable@vger.kernel.org
+Fixes: 7549ae3e81cc ("9p: Use the i_size_[read, write]() macros instead of using inode->i_size directly.")
+Reported-by: Xing Gaopeng <xingaopeng@huawei.com>
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/9p/v9fs_vfs.h | 23 +++++++++++++++++++++--
+ fs/9p/vfs_file.c | 6 +++++-
+ fs/9p/vfs_inode.c | 23 +++++++++++------------
+ fs/9p/vfs_inode_dotl.c | 27 ++++++++++++++-------------
+ fs/9p/vfs_super.c | 4 ++--
+ 5 files changed, 53 insertions(+), 30 deletions(-)
+
+--- a/fs/9p/v9fs_vfs.h
++++ b/fs/9p/v9fs_vfs.h
+@@ -40,6 +40,9 @@
+ */
+ #define P9_LOCK_TIMEOUT (30*HZ)
+
++/* flags for v9fs_stat2inode() & v9fs_stat2inode_dotl() */
++#define V9FS_STAT2INODE_KEEP_ISIZE 1
++
+ extern struct file_system_type v9fs_fs_type;
+ extern const struct address_space_operations v9fs_addr_operations;
+ extern const struct file_operations v9fs_file_operations;
+@@ -61,8 +64,10 @@ int v9fs_init_inode(struct v9fs_session_
+ struct inode *inode, umode_t mode, dev_t);
+ void v9fs_evict_inode(struct inode *inode);
+ ino_t v9fs_qid2ino(struct p9_qid *qid);
+-void v9fs_stat2inode(struct p9_wstat *, struct inode *, struct super_block *);
+-void v9fs_stat2inode_dotl(struct p9_stat_dotl *, struct inode *);
++void v9fs_stat2inode(struct p9_wstat *stat, struct inode *inode,
++ struct super_block *sb, unsigned int flags);
++void v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode,
++ unsigned int flags);
+ int v9fs_dir_release(struct inode *inode, struct file *filp);
+ int v9fs_file_open(struct inode *inode, struct file *file);
+ void v9fs_inode2stat(struct inode *inode, struct p9_wstat *stat);
+@@ -83,4 +88,18 @@ static inline void v9fs_invalidate_inode
+ }
+
+ int v9fs_open_to_dotl_flags(int flags);
++
++static inline void v9fs_i_size_write(struct inode *inode, loff_t i_size)
++{
++ /*
++ * 32-bit need the lock, concurrent updates could break the
++ * sequences and make i_size_read() loop forever.
++ * 64-bit updates are atomic and can skip the locking.
++ */
++ if (sizeof(i_size) > sizeof(long))
++ spin_lock(&inode->i_lock);
++ i_size_write(inode, i_size);
++ if (sizeof(i_size) > sizeof(long))
++ spin_unlock(&inode->i_lock);
++}
+ #endif
+--- a/fs/9p/vfs_file.c
++++ b/fs/9p/vfs_file.c
+@@ -442,7 +442,11 @@ v9fs_file_write_iter(struct kiocb *iocb,
+ i_size = i_size_read(inode);
+ if (iocb->ki_pos > i_size) {
+ inode_add_bytes(inode, iocb->ki_pos - i_size);
+- i_size_write(inode, iocb->ki_pos);
++ /*
++ * Need to serialize against i_size_write() in
++ * v9fs_stat2inode()
++ */
++ v9fs_i_size_write(inode, iocb->ki_pos);
+ }
+ return retval;
+ }
+--- a/fs/9p/vfs_inode.c
++++ b/fs/9p/vfs_inode.c
+@@ -538,7 +538,7 @@ static struct inode *v9fs_qid_iget(struc
+ if (retval)
+ goto error;
+
+- v9fs_stat2inode(st, inode, sb);
++ v9fs_stat2inode(st, inode, sb, 0);
+ v9fs_cache_inode_get_cookie(inode);
+ unlock_new_inode(inode);
+ return inode;
+@@ -1092,7 +1092,7 @@ v9fs_vfs_getattr(const struct path *path
+ if (IS_ERR(st))
+ return PTR_ERR(st);
+
+- v9fs_stat2inode(st, d_inode(dentry), dentry->d_sb);
++ v9fs_stat2inode(st, d_inode(dentry), dentry->d_sb, 0);
+ generic_fillattr(d_inode(dentry), stat);
+
+ p9stat_free(st);
+@@ -1170,12 +1170,13 @@ static int v9fs_vfs_setattr(struct dentr
+ * @stat: Plan 9 metadata (mistat) structure
+ * @inode: inode to populate
+ * @sb: superblock of filesystem
++ * @flags: control flags (e.g. V9FS_STAT2INODE_KEEP_ISIZE)
+ *
+ */
+
+ void
+ v9fs_stat2inode(struct p9_wstat *stat, struct inode *inode,
+- struct super_block *sb)
++ struct super_block *sb, unsigned int flags)
+ {
+ umode_t mode;
+ char ext[32];
+@@ -1216,10 +1217,11 @@ v9fs_stat2inode(struct p9_wstat *stat, s
+ mode = p9mode2perm(v9ses, stat);
+ mode |= inode->i_mode & ~S_IALLUGO;
+ inode->i_mode = mode;
+- i_size_write(inode, stat->length);
+
++ if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE))
++ v9fs_i_size_write(inode, stat->length);
+ /* not real number of blocks, but 512 byte ones ... */
+- inode->i_blocks = (i_size_read(inode) + 512 - 1) >> 9;
++ inode->i_blocks = (stat->length + 512 - 1) >> 9;
+ v9inode->cache_validity &= ~V9FS_INO_INVALID_ATTR;
+ }
+
+@@ -1416,9 +1418,9 @@ int v9fs_refresh_inode(struct p9_fid *fi
+ {
+ int umode;
+ dev_t rdev;
+- loff_t i_size;
+ struct p9_wstat *st;
+ struct v9fs_session_info *v9ses;
++ unsigned int flags;
+
+ v9ses = v9fs_inode2v9ses(inode);
+ st = p9_client_stat(fid);
+@@ -1431,16 +1433,13 @@ int v9fs_refresh_inode(struct p9_fid *fi
+ if ((inode->i_mode & S_IFMT) != (umode & S_IFMT))
+ goto out;
+
+- spin_lock(&inode->i_lock);
+ /*
+ * We don't want to refresh inode->i_size,
+ * because we may have cached data
+ */
+- i_size = inode->i_size;
+- v9fs_stat2inode(st, inode, inode->i_sb);
+- if (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE)
+- inode->i_size = i_size;
+- spin_unlock(&inode->i_lock);
++ flags = (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE) ?
++ V9FS_STAT2INODE_KEEP_ISIZE : 0;
++ v9fs_stat2inode(st, inode, inode->i_sb, flags);
+ out:
+ p9stat_free(st);
+ kfree(st);
+--- a/fs/9p/vfs_inode_dotl.c
++++ b/fs/9p/vfs_inode_dotl.c
+@@ -143,7 +143,7 @@ static struct inode *v9fs_qid_iget_dotl(
+ if (retval)
+ goto error;
+
+- v9fs_stat2inode_dotl(st, inode);
++ v9fs_stat2inode_dotl(st, inode, 0);
+ v9fs_cache_inode_get_cookie(inode);
+ retval = v9fs_get_acl(inode, fid);
+ if (retval)
+@@ -496,7 +496,7 @@ v9fs_vfs_getattr_dotl(const struct path
+ if (IS_ERR(st))
+ return PTR_ERR(st);
+
+- v9fs_stat2inode_dotl(st, d_inode(dentry));
++ v9fs_stat2inode_dotl(st, d_inode(dentry), 0);
+ generic_fillattr(d_inode(dentry), stat);
+ /* Change block size to what the server returned */
+ stat->blksize = st->st_blksize;
+@@ -607,11 +607,13 @@ int v9fs_vfs_setattr_dotl(struct dentry
+ * v9fs_stat2inode_dotl - populate an inode structure with stat info
+ * @stat: stat structure
+ * @inode: inode to populate
++ * @flags: ctrl flags (e.g. V9FS_STAT2INODE_KEEP_ISIZE)
+ *
+ */
+
+ void
+-v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode)
++v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode,
++ unsigned int flags)
+ {
+ umode_t mode;
+ struct v9fs_inode *v9inode = V9FS_I(inode);
+@@ -631,7 +633,8 @@ v9fs_stat2inode_dotl(struct p9_stat_dotl
+ mode |= inode->i_mode & ~S_IALLUGO;
+ inode->i_mode = mode;
+
+- i_size_write(inode, stat->st_size);
++ if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE))
++ v9fs_i_size_write(inode, stat->st_size);
+ inode->i_blocks = stat->st_blocks;
+ } else {
+ if (stat->st_result_mask & P9_STATS_ATIME) {
+@@ -661,8 +664,9 @@ v9fs_stat2inode_dotl(struct p9_stat_dotl
+ }
+ if (stat->st_result_mask & P9_STATS_RDEV)
+ inode->i_rdev = new_decode_dev(stat->st_rdev);
+- if (stat->st_result_mask & P9_STATS_SIZE)
+- i_size_write(inode, stat->st_size);
++ if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE) &&
++ stat->st_result_mask & P9_STATS_SIZE)
++ v9fs_i_size_write(inode, stat->st_size);
+ if (stat->st_result_mask & P9_STATS_BLOCKS)
+ inode->i_blocks = stat->st_blocks;
+ }
+@@ -928,9 +932,9 @@ v9fs_vfs_get_link_dotl(struct dentry *de
+
+ int v9fs_refresh_inode_dotl(struct p9_fid *fid, struct inode *inode)
+ {
+- loff_t i_size;
+ struct p9_stat_dotl *st;
+ struct v9fs_session_info *v9ses;
++ unsigned int flags;
+
+ v9ses = v9fs_inode2v9ses(inode);
+ st = p9_client_getattr_dotl(fid, P9_STATS_ALL);
+@@ -942,16 +946,13 @@ int v9fs_refresh_inode_dotl(struct p9_fi
+ if ((inode->i_mode & S_IFMT) != (st->st_mode & S_IFMT))
+ goto out;
+
+- spin_lock(&inode->i_lock);
+ /*
+ * We don't want to refresh inode->i_size,
+ * because we may have cached data
+ */
+- i_size = inode->i_size;
+- v9fs_stat2inode_dotl(st, inode);
+- if (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE)
+- inode->i_size = i_size;
+- spin_unlock(&inode->i_lock);
++ flags = (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE) ?
++ V9FS_STAT2INODE_KEEP_ISIZE : 0;
++ v9fs_stat2inode_dotl(st, inode, flags);
+ out:
+ kfree(st);
+ return 0;
+--- a/fs/9p/vfs_super.c
++++ b/fs/9p/vfs_super.c
+@@ -172,7 +172,7 @@ static struct dentry *v9fs_mount(struct
+ goto release_sb;
+ }
+ d_inode(root)->i_ino = v9fs_qid2ino(&st->qid);
+- v9fs_stat2inode_dotl(st, d_inode(root));
++ v9fs_stat2inode_dotl(st, d_inode(root), 0);
+ kfree(st);
+ } else {
+ struct p9_wstat *st = NULL;
+@@ -183,7 +183,7 @@ static struct dentry *v9fs_mount(struct
+ }
+
+ d_inode(root)->i_ino = v9fs_qid2ino(&st->qid);
+- v9fs_stat2inode(st, d_inode(root), sb);
++ v9fs_stat2inode(st, d_inode(root), sb, 0);
+
+ p9stat_free(st);
+ kfree(st);
--- /dev/null
+From 05bd7fcdd06b19a10f069af1bea3ad9abac038d7 Mon Sep 17 00:00:00 2001
+From: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Date: Tue, 19 Feb 2019 16:29:28 +0000
+Subject: ASoC: codecs: pcm186x: Fix energysense SLEEP bit
+
+From: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+
+commit 05bd7fcdd06b19a10f069af1bea3ad9abac038d7 upstream.
+
+The ADCs are sleeping when the SLEEP bit is set and running when it's
+cleared, so the bit should be inverted.
+Tested on pcm1863.
+
+Signed-off-by: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Acked-by: Andrew F. Davis <afd@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/pcm186x.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/codecs/pcm186x.c
++++ b/sound/soc/codecs/pcm186x.c
+@@ -158,7 +158,7 @@ static const struct snd_soc_dapm_widget
+ * Put the codec into SLEEP mode when not in use, allowing the
+ * Energysense mechanism to operate.
+ */
+- SND_SOC_DAPM_ADC("ADC", "HiFi Capture", PCM186X_POWER_CTRL, 1, 0),
++ SND_SOC_DAPM_ADC("ADC", "HiFi Capture", PCM186X_POWER_CTRL, 1, 1),
+ };
+
+ static const struct snd_soc_dapm_widget pcm1865_dapm_widgets[] = {
+@@ -184,8 +184,8 @@ static const struct snd_soc_dapm_widget
+ * Put the codec into SLEEP mode when not in use, allowing the
+ * Energysense mechanism to operate.
+ */
+- SND_SOC_DAPM_ADC("ADC1", "HiFi Capture 1", PCM186X_POWER_CTRL, 1, 0),
+- SND_SOC_DAPM_ADC("ADC2", "HiFi Capture 2", PCM186X_POWER_CTRL, 1, 0),
++ SND_SOC_DAPM_ADC("ADC1", "HiFi Capture 1", PCM186X_POWER_CTRL, 1, 1),
++ SND_SOC_DAPM_ADC("ADC2", "HiFi Capture 2", PCM186X_POWER_CTRL, 1, 1),
+ };
+
+ static const struct snd_soc_dapm_route pcm1863_dapm_routes[] = {
--- /dev/null
+From fcf4daabf08079e6d09958a2992e7446ef8d0438 Mon Sep 17 00:00:00 2001
+From: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Date: Tue, 19 Feb 2019 16:29:12 +0000
+Subject: ASoC: codecs: pcm186x: fix wrong usage of DECLARE_TLV_DB_SCALE()
+
+From: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+
+commit fcf4daabf08079e6d09958a2992e7446ef8d0438 upstream.
+
+According to DS, the gain is between -12 dB and 40 dB, with a 0.5 dB step.
+Tested on pcm1863.
+
+Signed-off-by: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Acked-by: Andrew F. Davis <afd@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/pcm186x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/pcm186x.c
++++ b/sound/soc/codecs/pcm186x.c
+@@ -42,7 +42,7 @@ struct pcm186x_priv {
+ bool is_master_mode;
+ };
+
+-static const DECLARE_TLV_DB_SCALE(pcm186x_pga_tlv, -1200, 4000, 50);
++static const DECLARE_TLV_DB_SCALE(pcm186x_pga_tlv, -1200, 50, 0);
+
+ static const struct snd_kcontrol_new pcm1863_snd_controls[] = {
+ SOC_DOUBLE_R_S_TLV("ADC Capture Volume", PCM186X_PGA_VAL_CH1_L,
--- /dev/null
+From cc29ea007347f39f4c5a4d27b0b555955a0277f9 Mon Sep 17 00:00:00 2001
+From: "S.j. Wang" <shengjiu.wang@nxp.com>
+Date: Mon, 18 Feb 2019 08:29:11 +0000
+Subject: ASoC: fsl_esai: fix register setting issue in RIGHT_J mode
+
+From: S.j. Wang <shengjiu.wang@nxp.com>
+
+commit cc29ea007347f39f4c5a4d27b0b555955a0277f9 upstream.
+
+The ESAI_xCR_xWA is xCR's bit, not the xCCR's bit, driver set it to
+wrong register, correct it.
+
+Fixes 43d24e76b698 ("ASoC: fsl_esai: Add ESAI CPU DAI driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Ackedy-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/fsl/fsl_esai.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/fsl/fsl_esai.c
++++ b/sound/soc/fsl/fsl_esai.c
+@@ -398,7 +398,8 @@ static int fsl_esai_set_dai_fmt(struct s
+ break;
+ case SND_SOC_DAIFMT_RIGHT_J:
+ /* Data on rising edge of bclk, frame high, right aligned */
+- xccr |= ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP | ESAI_xCR_xWA;
++ xccr |= ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP;
++ xcr |= ESAI_xCR_xWA;
+ break;
+ case SND_SOC_DAIFMT_DSP_A:
+ /* Data on rising edge of bclk, frame high, 1clk before data */
+@@ -455,12 +456,12 @@ static int fsl_esai_set_dai_fmt(struct s
+ return -EINVAL;
+ }
+
+- mask = ESAI_xCR_xFSL | ESAI_xCR_xFSR;
++ mask = ESAI_xCR_xFSL | ESAI_xCR_xFSR | ESAI_xCR_xWA;
+ regmap_update_bits(esai_priv->regmap, REG_ESAI_TCR, mask, xcr);
+ regmap_update_bits(esai_priv->regmap, REG_ESAI_RCR, mask, xcr);
+
+ mask = ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP | ESAI_xCCR_xFSP |
+- ESAI_xCCR_xFSD | ESAI_xCCR_xCKD | ESAI_xCR_xWA;
++ ESAI_xCCR_xFSD | ESAI_xCCR_xCKD;
+ regmap_update_bits(esai_priv->regmap, REG_ESAI_TCCR, mask, xccr);
+ regmap_update_bits(esai_priv->regmap, REG_ESAI_RCCR, mask, xccr);
+
--- /dev/null
+From 77568e535af7c4f97eaef1e555bf0af83772456c Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 31 Jan 2019 23:51:41 -0800
+Subject: crypto: ahash - fix another early termination in hash walk
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 77568e535af7c4f97eaef1e555bf0af83772456c upstream.
+
+Hash algorithms with an alignmask set, e.g. "xcbc(aes-aesni)" and
+"michael_mic", fail the improved hash tests because they sometimes
+produce the wrong digest. The bug is that in the case where a
+scatterlist element crosses pages, not all the data is actually hashed
+because the scatterlist walk terminates too early. This happens because
+the 'nbytes' variable in crypto_hash_walk_done() is assigned the number
+of bytes remaining in the page, then later interpreted as the number of
+bytes remaining in the scatterlist element. Fix it.
+
+Fixes: 900a081f6912 ("crypto: ahash - Fix early termination in hash walk")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/ahash.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/crypto/ahash.c
++++ b/crypto/ahash.c
+@@ -86,17 +86,17 @@ static int hash_walk_new_entry(struct cr
+ int crypto_hash_walk_done(struct crypto_hash_walk *walk, int err)
+ {
+ unsigned int alignmask = walk->alignmask;
+- unsigned int nbytes = walk->entrylen;
+
+ walk->data -= walk->offset;
+
+- if (nbytes && walk->offset & alignmask && !err) {
+- walk->offset = ALIGN(walk->offset, alignmask + 1);
+- nbytes = min(nbytes,
+- ((unsigned int)(PAGE_SIZE)) - walk->offset);
+- walk->entrylen -= nbytes;
++ if (walk->entrylen && (walk->offset & alignmask) && !err) {
++ unsigned int nbytes;
+
++ walk->offset = ALIGN(walk->offset, alignmask + 1);
++ nbytes = min(walk->entrylen,
++ (unsigned int)(PAGE_SIZE - walk->offset));
+ if (nbytes) {
++ walk->entrylen -= nbytes;
+ walk->data += walk->offset;
+ return nbytes;
+ }
+@@ -116,7 +116,7 @@ int crypto_hash_walk_done(struct crypto_
+ if (err)
+ return err;
+
+- if (nbytes) {
++ if (walk->entrylen) {
+ walk->offset = 0;
+ walk->pg++;
+ return hash_walk_next(walk);
--- /dev/null
+From c19650d6ea99bcd903d3e55dd61860026c701339 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?= <horia.geanta@nxp.com>
+Date: Sat, 26 Jan 2019 20:02:15 +0200
+Subject: crypto: caam - fix DMA mapping of stack memory
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă <horia.geanta@nxp.com>
+
+commit c19650d6ea99bcd903d3e55dd61860026c701339 upstream.
+
+Roland reports the following issue and provides a root cause analysis:
+
+"On a v4.19 i.MX6 system with IMA and CONFIG_DMA_API_DEBUG enabled, a
+warning is generated when accessing files on a filesystem for which IMA
+measurement is enabled:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 1 at kernel/dma/debug.c:1181 check_for_stack.part.9+0xd0/0x120
+ caam_jr 2101000.jr0: DMA-API: device driver maps memory from stack [addr=b668049e]
+ Modules linked in:
+ CPU: 0 PID: 1 Comm: switch_root Not tainted 4.19.0-20181214-1 #2
+ Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+ Backtrace:
+ [<c010efb8>] (dump_backtrace) from [<c010f2d0>] (show_stack+0x20/0x24)
+ [<c010f2b0>] (show_stack) from [<c08b04f4>] (dump_stack+0xa0/0xcc)
+ [<c08b0454>] (dump_stack) from [<c012b610>] (__warn+0xf0/0x108)
+ [<c012b520>] (__warn) from [<c012b680>] (warn_slowpath_fmt+0x58/0x74)
+ [<c012b62c>] (warn_slowpath_fmt) from [<c0199acc>] (check_for_stack.part.9+0xd0/0x120)
+ [<c01999fc>] (check_for_stack.part.9) from [<c019a040>] (debug_dma_map_page+0x144/0x174)
+ [<c0199efc>] (debug_dma_map_page) from [<c065f7f4>] (ahash_final_ctx+0x5b4/0xcf0)
+ [<c065f240>] (ahash_final_ctx) from [<c065b3c4>] (ahash_final+0x1c/0x20)
+ [<c065b3a8>] (ahash_final) from [<c03fe278>] (crypto_ahash_op+0x38/0x80)
+ [<c03fe240>] (crypto_ahash_op) from [<c03fe2e0>] (crypto_ahash_final+0x20/0x24)
+ [<c03fe2c0>] (crypto_ahash_final) from [<c03f19a8>] (ima_calc_file_hash+0x29c/0xa40)
+ [<c03f170c>] (ima_calc_file_hash) from [<c03f2b24>] (ima_collect_measurement+0x1dc/0x240)
+ [<c03f2948>] (ima_collect_measurement) from [<c03f0a60>] (process_measurement+0x4c4/0x6b8)
+ [<c03f059c>] (process_measurement) from [<c03f0cdc>] (ima_file_check+0x88/0xa4)
+ [<c03f0c54>] (ima_file_check) from [<c02d8adc>] (path_openat+0x5d8/0x1364)
+ [<c02d8504>] (path_openat) from [<c02dad24>] (do_filp_open+0x84/0xf0)
+ [<c02daca0>] (do_filp_open) from [<c02cf50c>] (do_open_execat+0x84/0x1b0)
+ [<c02cf488>] (do_open_execat) from [<c02d1058>] (__do_execve_file+0x43c/0x890)
+ [<c02d0c1c>] (__do_execve_file) from [<c02d1770>] (sys_execve+0x44/0x4c)
+ [<c02d172c>] (sys_execve) from [<c0101000>] (ret_fast_syscall+0x0/0x28)
+ ---[ end trace 3455789a10e3aefd ]---
+
+The cause is that the struct ahash_request *req is created as a
+stack-local variable up in the stack (presumably somewhere in the IMA
+implementation), then passed down into the CAAM driver, which tries to
+dma_single_map the req->result (indirectly via map_seq_out_ptr_result)
+in order to make that buffer available for the CAAM to store the result
+of the following hash operation.
+
+The calling code doesn't know how req will be used by the CAAM driver,
+and there could be other such occurrences where stack memory is passed
+down to the CAAM driver. Therefore we should rather fix this issue in
+the CAAM driver where the requirements are known."
+
+Fix this problem by:
+-instructing the crypto engine to write the final hash in state->caam_ctx
+-subsequently memcpy-ing the final hash into req->result
+
+Cc: <stable@vger.kernel.org> # v4.19+
+Reported-by: Roland Hieber <rhi@pengutronix.de>
+Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
+Tested-by: Roland Hieber <rhi@pengutronix.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/caamhash.c | 85 ++++++++++-------------------------------
+ 1 file changed, 21 insertions(+), 64 deletions(-)
+
+--- a/drivers/crypto/caam/caamhash.c
++++ b/drivers/crypto/caam/caamhash.c
+@@ -185,18 +185,6 @@ static inline int map_seq_out_ptr_ctx(u3
+ return 0;
+ }
+
+-/* Map req->result, and append seq_out_ptr command that points to it */
+-static inline dma_addr_t map_seq_out_ptr_result(u32 *desc, struct device *jrdev,
+- u8 *result, int digestsize)
+-{
+- dma_addr_t dst_dma;
+-
+- dst_dma = dma_map_single(jrdev, result, digestsize, DMA_FROM_DEVICE);
+- append_seq_out_ptr(desc, dst_dma, digestsize, 0);
+-
+- return dst_dma;
+-}
+-
+ /* Map current buffer in state (if length > 0) and put it in link table */
+ static inline int buf_map_to_sec4_sg(struct device *jrdev,
+ struct sec4_sg_entry *sec4_sg,
+@@ -488,7 +476,6 @@ static int ahash_setkey(struct crypto_ah
+
+ /*
+ * ahash_edesc - s/w-extended ahash descriptor
+- * @dst_dma: physical mapped address of req->result
+ * @sec4_sg_dma: physical mapped address of h/w link table
+ * @src_nents: number of segments in input scatterlist
+ * @sec4_sg_bytes: length of dma mapped sec4_sg space
+@@ -496,7 +483,6 @@ static int ahash_setkey(struct crypto_ah
+ * @sec4_sg: h/w link table
+ */
+ struct ahash_edesc {
+- dma_addr_t dst_dma;
+ dma_addr_t sec4_sg_dma;
+ int src_nents;
+ int sec4_sg_bytes;
+@@ -512,8 +498,6 @@ static inline void ahash_unmap(struct de
+
+ if (edesc->src_nents)
+ dma_unmap_sg(dev, req->src, edesc->src_nents, DMA_TO_DEVICE);
+- if (edesc->dst_dma)
+- dma_unmap_single(dev, edesc->dst_dma, dst_len, DMA_FROM_DEVICE);
+
+ if (edesc->sec4_sg_bytes)
+ dma_unmap_single(dev, edesc->sec4_sg_dma,
+@@ -546,9 +530,9 @@ static void ahash_done(struct device *jr
+ struct ahash_edesc *edesc;
+ struct crypto_ahash *ahash = crypto_ahash_reqtfm(req);
+ int digestsize = crypto_ahash_digestsize(ahash);
++ struct caam_hash_state *state = ahash_request_ctx(req);
+ #ifdef DEBUG
+ struct caam_hash_ctx *ctx = crypto_ahash_ctx(ahash);
+- struct caam_hash_state *state = ahash_request_ctx(req);
+
+ dev_err(jrdev, "%s %d: err 0x%x\n", __func__, __LINE__, err);
+ #endif
+@@ -557,17 +541,14 @@ static void ahash_done(struct device *jr
+ if (err)
+ caam_jr_strstatus(jrdev, err);
+
+- ahash_unmap(jrdev, edesc, req, digestsize);
++ ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_FROM_DEVICE);
++ memcpy(req->result, state->caam_ctx, digestsize);
+ kfree(edesc);
+
+ #ifdef DEBUG
+ print_hex_dump(KERN_ERR, "ctx@"__stringify(__LINE__)": ",
+ DUMP_PREFIX_ADDRESS, 16, 4, state->caam_ctx,
+ ctx->ctx_len, 1);
+- if (req->result)
+- print_hex_dump(KERN_ERR, "result@"__stringify(__LINE__)": ",
+- DUMP_PREFIX_ADDRESS, 16, 4, req->result,
+- digestsize, 1);
+ #endif
+
+ req->base.complete(&req->base, err);
+@@ -615,9 +596,9 @@ static void ahash_done_ctx_src(struct de
+ struct ahash_edesc *edesc;
+ struct crypto_ahash *ahash = crypto_ahash_reqtfm(req);
+ int digestsize = crypto_ahash_digestsize(ahash);
++ struct caam_hash_state *state = ahash_request_ctx(req);
+ #ifdef DEBUG
+ struct caam_hash_ctx *ctx = crypto_ahash_ctx(ahash);
+- struct caam_hash_state *state = ahash_request_ctx(req);
+
+ dev_err(jrdev, "%s %d: err 0x%x\n", __func__, __LINE__, err);
+ #endif
+@@ -626,17 +607,14 @@ static void ahash_done_ctx_src(struct de
+ if (err)
+ caam_jr_strstatus(jrdev, err);
+
+- ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_TO_DEVICE);
++ ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_BIDIRECTIONAL);
++ memcpy(req->result, state->caam_ctx, digestsize);
+ kfree(edesc);
+
+ #ifdef DEBUG
+ print_hex_dump(KERN_ERR, "ctx@"__stringify(__LINE__)": ",
+ DUMP_PREFIX_ADDRESS, 16, 4, state->caam_ctx,
+ ctx->ctx_len, 1);
+- if (req->result)
+- print_hex_dump(KERN_ERR, "result@"__stringify(__LINE__)": ",
+- DUMP_PREFIX_ADDRESS, 16, 4, req->result,
+- digestsize, 1);
+ #endif
+
+ req->base.complete(&req->base, err);
+@@ -897,7 +875,7 @@ static int ahash_final_ctx(struct ahash_
+ edesc->sec4_sg_bytes = sec4_sg_bytes;
+
+ ret = ctx_map_to_sec4_sg(jrdev, state, ctx->ctx_len,
+- edesc->sec4_sg, DMA_TO_DEVICE);
++ edesc->sec4_sg, DMA_BIDIRECTIONAL);
+ if (ret)
+ goto unmap_ctx;
+
+@@ -917,14 +895,7 @@ static int ahash_final_ctx(struct ahash_
+
+ append_seq_in_ptr(desc, edesc->sec4_sg_dma, ctx->ctx_len + buflen,
+ LDST_SGF);
+-
+- edesc->dst_dma = map_seq_out_ptr_result(desc, jrdev, req->result,
+- digestsize);
+- if (dma_mapping_error(jrdev, edesc->dst_dma)) {
+- dev_err(jrdev, "unable to map dst\n");
+- ret = -ENOMEM;
+- goto unmap_ctx;
+- }
++ append_seq_out_ptr(desc, state->ctx_dma, digestsize, 0);
+
+ #ifdef DEBUG
+ print_hex_dump(KERN_ERR, "jobdesc@"__stringify(__LINE__)": ",
+@@ -937,7 +908,7 @@ static int ahash_final_ctx(struct ahash_
+
+ return -EINPROGRESS;
+ unmap_ctx:
+- ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_FROM_DEVICE);
++ ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_BIDIRECTIONAL);
+ kfree(edesc);
+ return ret;
+ }
+@@ -991,7 +962,7 @@ static int ahash_finup_ctx(struct ahash_
+ edesc->src_nents = src_nents;
+
+ ret = ctx_map_to_sec4_sg(jrdev, state, ctx->ctx_len,
+- edesc->sec4_sg, DMA_TO_DEVICE);
++ edesc->sec4_sg, DMA_BIDIRECTIONAL);
+ if (ret)
+ goto unmap_ctx;
+
+@@ -1005,13 +976,7 @@ static int ahash_finup_ctx(struct ahash_
+ if (ret)
+ goto unmap_ctx;
+
+- edesc->dst_dma = map_seq_out_ptr_result(desc, jrdev, req->result,
+- digestsize);
+- if (dma_mapping_error(jrdev, edesc->dst_dma)) {
+- dev_err(jrdev, "unable to map dst\n");
+- ret = -ENOMEM;
+- goto unmap_ctx;
+- }
++ append_seq_out_ptr(desc, state->ctx_dma, digestsize, 0);
+
+ #ifdef DEBUG
+ print_hex_dump(KERN_ERR, "jobdesc@"__stringify(__LINE__)": ",
+@@ -1024,7 +989,7 @@ static int ahash_finup_ctx(struct ahash_
+
+ return -EINPROGRESS;
+ unmap_ctx:
+- ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_FROM_DEVICE);
++ ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_BIDIRECTIONAL);
+ kfree(edesc);
+ return ret;
+ }
+@@ -1083,10 +1048,8 @@ static int ahash_digest(struct ahash_req
+
+ desc = edesc->hw_desc;
+
+- edesc->dst_dma = map_seq_out_ptr_result(desc, jrdev, req->result,
+- digestsize);
+- if (dma_mapping_error(jrdev, edesc->dst_dma)) {
+- dev_err(jrdev, "unable to map dst\n");
++ ret = map_seq_out_ptr_ctx(desc, jrdev, state, digestsize);
++ if (ret) {
+ ahash_unmap(jrdev, edesc, req, digestsize);
+ kfree(edesc);
+ return -ENOMEM;
+@@ -1101,7 +1064,7 @@ static int ahash_digest(struct ahash_req
+ if (!ret) {
+ ret = -EINPROGRESS;
+ } else {
+- ahash_unmap(jrdev, edesc, req, digestsize);
++ ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_FROM_DEVICE);
+ kfree(edesc);
+ }
+
+@@ -1143,12 +1106,9 @@ static int ahash_final_no_ctx(struct aha
+ append_seq_in_ptr(desc, state->buf_dma, buflen, 0);
+ }
+
+- edesc->dst_dma = map_seq_out_ptr_result(desc, jrdev, req->result,
+- digestsize);
+- if (dma_mapping_error(jrdev, edesc->dst_dma)) {
+- dev_err(jrdev, "unable to map dst\n");
++ ret = map_seq_out_ptr_ctx(desc, jrdev, state, digestsize);
++ if (ret)
+ goto unmap;
+- }
+
+ #ifdef DEBUG
+ print_hex_dump(KERN_ERR, "jobdesc@"__stringify(__LINE__)": ",
+@@ -1159,7 +1119,7 @@ static int ahash_final_no_ctx(struct aha
+ if (!ret) {
+ ret = -EINPROGRESS;
+ } else {
+- ahash_unmap(jrdev, edesc, req, digestsize);
++ ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_FROM_DEVICE);
+ kfree(edesc);
+ }
+
+@@ -1358,12 +1318,9 @@ static int ahash_finup_no_ctx(struct aha
+ goto unmap;
+ }
+
+- edesc->dst_dma = map_seq_out_ptr_result(desc, jrdev, req->result,
+- digestsize);
+- if (dma_mapping_error(jrdev, edesc->dst_dma)) {
+- dev_err(jrdev, "unable to map dst\n");
++ ret = map_seq_out_ptr_ctx(desc, jrdev, state, digestsize);
++ if (ret)
+ goto unmap;
+- }
+
+ #ifdef DEBUG
+ print_hex_dump(KERN_ERR, "jobdesc@"__stringify(__LINE__)": ",
+@@ -1374,7 +1331,7 @@ static int ahash_finup_no_ctx(struct aha
+ if (!ret) {
+ ret = -EINPROGRESS;
+ } else {
+- ahash_unmap(jrdev, edesc, req, digestsize);
++ ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_FROM_DEVICE);
+ kfree(edesc);
+ }
+
--- /dev/null
+From 65055e2108847af5e577cc7ce6bde45ea136d29a Mon Sep 17 00:00:00 2001
+From: Franck LENORMAND <franck.lenormand@nxp.com>
+Date: Tue, 19 Feb 2019 16:56:55 +0200
+Subject: crypto: caam - fix hash context DMA unmap size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Franck LENORMAND <franck.lenormand@nxp.com>
+
+commit 65055e2108847af5e577cc7ce6bde45ea136d29a upstream.
+
+When driver started using state->caam_ctxt for storing both running hash
+and final hash, it was not updated to handle different DMA unmap
+lengths.
+
+Cc: <stable@vger.kernel.org> # v4.19+
+Fixes: c19650d6ea99 ("crypto: caam - fix DMA mapping of stack memory")
+Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
+Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/caamhash.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/crypto/caam/caamhash.c
++++ b/drivers/crypto/caam/caamhash.c
+@@ -118,6 +118,7 @@ struct caam_hash_ctx {
+ struct caam_hash_state {
+ dma_addr_t buf_dma;
+ dma_addr_t ctx_dma;
++ int ctx_dma_len;
+ u8 buf_0[CAAM_MAX_HASH_BLOCK_SIZE] ____cacheline_aligned;
+ int buflen_0;
+ u8 buf_1[CAAM_MAX_HASH_BLOCK_SIZE] ____cacheline_aligned;
+@@ -170,6 +171,7 @@ static inline int map_seq_out_ptr_ctx(u3
+ struct caam_hash_state *state,
+ int ctx_len)
+ {
++ state->ctx_dma_len = ctx_len;
+ state->ctx_dma = dma_map_single(jrdev, state->caam_ctx,
+ ctx_len, DMA_FROM_DEVICE);
+ if (dma_mapping_error(jrdev, state->ctx_dma)) {
+@@ -223,6 +225,7 @@ static inline int ctx_map_to_sec4_sg(str
+ struct caam_hash_state *state, int ctx_len,
+ struct sec4_sg_entry *sec4_sg, u32 flag)
+ {
++ state->ctx_dma_len = ctx_len;
+ state->ctx_dma = dma_map_single(jrdev, state->caam_ctx, ctx_len, flag);
+ if (dma_mapping_error(jrdev, state->ctx_dma)) {
+ dev_err(jrdev, "unable to map ctx\n");
+@@ -527,12 +530,10 @@ static inline void ahash_unmap_ctx(struc
+ struct ahash_edesc *edesc,
+ struct ahash_request *req, int dst_len, u32 flag)
+ {
+- struct crypto_ahash *ahash = crypto_ahash_reqtfm(req);
+- struct caam_hash_ctx *ctx = crypto_ahash_ctx(ahash);
+ struct caam_hash_state *state = ahash_request_ctx(req);
+
+ if (state->ctx_dma) {
+- dma_unmap_single(dev, state->ctx_dma, ctx->ctx_len, flag);
++ dma_unmap_single(dev, state->ctx_dma, state->ctx_dma_len, flag);
+ state->ctx_dma = 0;
+ }
+ ahash_unmap(dev, edesc, req, dst_len);
+@@ -1505,6 +1506,7 @@ static int ahash_init(struct ahash_reque
+ state->final = ahash_final_no_ctx;
+
+ state->ctx_dma = 0;
++ state->ctx_dma_len = 0;
+ state->current_buf = 0;
+ state->buf_dma = 0;
+ state->buflen_0 = 0;
--- /dev/null
+From 42e95d1f10dcf8b18b1d7f52f7068985b3dc5b79 Mon Sep 17 00:00:00 2001
+From: Pankaj Gupta <pankaj.gupta@nxp.com>
+Date: Fri, 1 Feb 2019 07:18:20 +0000
+Subject: crypto: caam - fixed handling of sg list
+
+From: Pankaj Gupta <pankaj.gupta@nxp.com>
+
+commit 42e95d1f10dcf8b18b1d7f52f7068985b3dc5b79 upstream.
+
+when the source sg contains more than 1 fragment and
+destination sg contains 1 fragment, the caam driver
+mishandle the buffers to be sent to caam.
+
+Fixes: f2147b88b2b1 ("crypto: caam - Convert GCM to new AEAD interface")
+Cc: <stable@vger.kernel.org> # 4.2+
+Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
+Signed-off-by: Arun Pathak <arun.pathak@nxp.com>
+Reviewed-by: Horia Geanta <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/caamalg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/crypto/caam/caamalg.c
++++ b/drivers/crypto/caam/caamalg.c
+@@ -1005,6 +1005,7 @@ static void init_aead_job(struct aead_re
+ if (unlikely(req->src != req->dst)) {
+ if (edesc->dst_nents == 1) {
+ dst_dma = sg_dma_address(req->dst);
++ out_options = 0;
+ } else {
+ dst_dma = edesc->sec4_sg_dma +
+ sec4_sg_index *
--- /dev/null
+From 2b5ac17463dcb2411fed506edcf259a89bb538ba Mon Sep 17 00:00:00 2001
+From: Gilad Ben-Yossef <gilad@benyossef.com>
+Date: Tue, 15 Jan 2019 15:43:17 +0200
+Subject: crypto: ccree - don't copy zero size ciphertext
+
+From: Gilad Ben-Yossef <gilad@benyossef.com>
+
+commit 2b5ac17463dcb2411fed506edcf259a89bb538ba upstream.
+
+For decryption in CBC mode we need to save the last ciphertext block
+for use as the next IV. However, we were trying to do this also with
+zero sized ciphertext resulting in a panic.
+
+Fix this by only doing the copy if the ciphertext length is at least
+of IV size.
+
+Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccree/cc_cipher.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/crypto/ccree/cc_cipher.c
++++ b/drivers/crypto/ccree/cc_cipher.c
+@@ -783,7 +783,8 @@ static int cc_cipher_decrypt(struct skci
+
+ memset(req_ctx, 0, sizeof(*req_ctx));
+
+- if (ctx_p->cipher_mode == DRV_CIPHER_CBC) {
++ if ((ctx_p->cipher_mode == DRV_CIPHER_CBC) &&
++ (req->cryptlen >= ivsize)) {
+
+ /* Allocate and save the last IV sized bytes of the source,
+ * which will be lost in case of in-place decryption.
--- /dev/null
+From a49411959ea6d4915a9fd2a7eb5ba220e6284e9a Mon Sep 17 00:00:00 2001
+From: Hadar Gat <hadar.gat@arm.com>
+Date: Tue, 15 Jan 2019 15:43:13 +0200
+Subject: crypto: ccree - fix free of unallocated mlli buffer
+
+From: Hadar Gat <hadar.gat@arm.com>
+
+commit a49411959ea6d4915a9fd2a7eb5ba220e6284e9a upstream.
+
+In cc_unmap_aead_request(), call dma_pool_free() for mlli buffer only
+if an item is allocated from the pool and not always if there is a
+pool allocated.
+This fixes a kernel panic when trying to free a non-allocated item.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hadar Gat <hadar.gat@arm.com>
+Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccree/cc_buffer_mgr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/ccree/cc_buffer_mgr.c
++++ b/drivers/crypto/ccree/cc_buffer_mgr.c
+@@ -614,10 +614,10 @@ void cc_unmap_aead_request(struct device
+ hw_iv_size, DMA_BIDIRECTIONAL);
+ }
+
+- /*In case a pool was set, a table was
+- *allocated and should be released
+- */
+- if (areq_ctx->mlli_params.curr_pool) {
++ /* Release pool */
++ if ((areq_ctx->assoc_buff_type == CC_DMA_BUF_MLLI ||
++ areq_ctx->data_buff_type == CC_DMA_BUF_MLLI) &&
++ (areq_ctx->mlli_params.mlli_virt_addr)) {
+ dev_dbg(dev, "free MLLI buffer: dma=%pad virt=%pK\n",
+ &areq_ctx->mlli_params.mlli_dma_addr,
+ areq_ctx->mlli_params.mlli_virt_addr);
--- /dev/null
+From b5be853181a8d4a6e20f2073ccd273d6280cad88 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 11 Feb 2019 12:31:31 -0600
+Subject: crypto: ccree - fix missing break in switch statement
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit b5be853181a8d4a6e20f2073ccd273d6280cad88 upstream.
+
+Add missing break statement in order to prevent the code from falling
+through to case S_DIN_to_DES.
+
+This bug was found thanks to the ongoing efforts to enable
+-Wimplicit-fallthrough.
+
+Fixes: 63ee04c8b491 ("crypto: ccree - add skcipher support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccree/cc_cipher.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/crypto/ccree/cc_cipher.c
++++ b/drivers/crypto/ccree/cc_cipher.c
+@@ -79,6 +79,7 @@ static int validate_keys_sizes(struct cc
+ default:
+ break;
+ }
++ break;
+ case S_DIN_to_DES:
+ if (size == DES3_EDE_KEY_SIZE || size == DES_KEY_SIZE)
+ return 0;
--- /dev/null
+From c139c72e2beb3e3db5148910b3962b7322e24374 Mon Sep 17 00:00:00 2001
+From: Gilad Ben-Yossef <gilad@benyossef.com>
+Date: Tue, 15 Jan 2019 15:43:15 +0200
+Subject: crypto: ccree - unmap buffer before copying IV
+
+From: Gilad Ben-Yossef <gilad@benyossef.com>
+
+commit c139c72e2beb3e3db5148910b3962b7322e24374 upstream.
+
+We were copying the last ciphertext block into the IV field
+for CBC before removing the DMA mapping of the output buffer
+with the result of the buffer sometime being out-of-sync cache
+wise and were getting intermittent cases of bad output IV.
+
+Fix it by moving the DMA buffer unmapping before the copy.
+
+Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
+Fixes: 00904aa0cd59 ("crypto: ccree - fix iv handling")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccree/cc_cipher.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/crypto/ccree/cc_cipher.c
++++ b/drivers/crypto/ccree/cc_cipher.c
+@@ -635,6 +635,8 @@ static void cc_cipher_complete(struct de
+ unsigned int ivsize = crypto_skcipher_ivsize(sk_tfm);
+ unsigned int len;
+
++ cc_unmap_cipher_request(dev, req_ctx, ivsize, src, dst);
++
+ switch (ctx_p->cipher_mode) {
+ case DRV_CIPHER_CBC:
+ /*
+@@ -664,7 +666,6 @@ static void cc_cipher_complete(struct de
+ break;
+ }
+
+- cc_unmap_cipher_request(dev, req_ctx, ivsize, src, dst);
+ kzfree(req_ctx->iv);
+
+ skcipher_request_complete(req, err);
--- /dev/null
+From 394a9e044702e6a8958a5e89d2a291605a587a2a Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 3 Jan 2019 20:16:10 -0800
+Subject: crypto: cfb - add missing 'chunksize' property
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 394a9e044702e6a8958a5e89d2a291605a587a2a upstream.
+
+Like some other block cipher mode implementations, the CFB
+implementation assumes that while walking through the scatterlist, a
+partial block does not occur until the end. But the walk is incorrectly
+being done with a blocksize of 1, as 'cra_blocksize' is set to 1 (since
+CFB is a stream cipher) but no 'chunksize' is set. This bug causes
+incorrect encryption/decryption for some scatterlist layouts.
+
+Fix it by setting the 'chunksize'. Also extend the CFB test vectors to
+cover this bug as well as cases where the message length is not a
+multiple of the block size.
+
+Fixes: a7d85e06ed80 ("crypto: cfb - add support for Cipher FeedBack mode")
+Cc: <stable@vger.kernel.org> # v4.17+
+Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/cfb.c | 6 ++++++
+ crypto/testmgr.h | 25 +++++++++++++++++++++++++
+ 2 files changed, 31 insertions(+)
+
+--- a/crypto/cfb.c
++++ b/crypto/cfb.c
+@@ -298,6 +298,12 @@ static int crypto_cfb_create(struct cryp
+ inst->alg.base.cra_blocksize = 1;
+ inst->alg.base.cra_alignmask = alg->cra_alignmask;
+
++ /*
++ * To simplify the implementation, configure the skcipher walk to only
++ * give a partial block at the very end, never earlier.
++ */
++ inst->alg.chunksize = alg->cra_blocksize;
++
+ inst->alg.ivsize = alg->cra_blocksize;
+ inst->alg.min_keysize = alg->cra_cipher.cia_min_keysize;
+ inst->alg.max_keysize = alg->cra_cipher.cia_max_keysize;
+--- a/crypto/testmgr.h
++++ b/crypto/testmgr.h
+@@ -11416,6 +11416,31 @@ static const struct cipher_testvec aes_c
+ "\x75\xa3\x85\x74\x1a\xb9\xce\xf8"
+ "\x20\x31\x62\x3d\x55\xb1\xe4\x71",
+ .len = 64,
++ .also_non_np = 1,
++ .np = 2,
++ .tap = { 31, 33 },
++ }, { /* > 16 bytes, not a multiple of 16 bytes */
++ .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
++ "\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
++ .klen = 16,
++ .iv = "\x00\x01\x02\x03\x04\x05\x06\x07"
++ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
++ .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
++ "\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
++ "\xae",
++ .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad\x20"
++ "\x33\x34\x49\xf8\xe8\x3c\xfb\x4a"
++ "\xc8",
++ .len = 17,
++ }, { /* < 16 bytes */
++ .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
++ "\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
++ .klen = 16,
++ .iv = "\x00\x01\x02\x03\x04\x05\x06\x07"
++ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
++ .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f",
++ .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad",
++ .len = 7,
+ },
+ };
+
--- /dev/null
+From 6c2e322b3621dc8be72e5c86d4fdb587434ba625 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 3 Jan 2019 20:16:11 -0800
+Subject: crypto: cfb - remove bogus memcpy() with src == dest
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 6c2e322b3621dc8be72e5c86d4fdb587434ba625 upstream.
+
+The memcpy() in crypto_cfb_decrypt_inplace() uses walk->iv as both the
+source and destination, which has undefined behavior. It is unneeded
+because walk->iv is already used to hold the previous ciphertext block;
+thus, walk->iv is already updated to its final value. So, remove it.
+
+Also, note that in-place decryption is the only case where the previous
+ciphertext block is not directly available. Therefore, as a related
+cleanup I also updated crypto_cfb_encrypt_segment() to directly use the
+previous ciphertext block rather than save it into walk->iv. This makes
+it consistent with in-place encryption and out-of-place decryption; now
+only in-place decryption is different, because it has to be.
+
+Fixes: a7d85e06ed80 ("crypto: cfb - add support for Cipher FeedBack mode")
+Cc: <stable@vger.kernel.org> # v4.17+
+Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/cfb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/crypto/cfb.c
++++ b/crypto/cfb.c
+@@ -77,12 +77,14 @@ static int crypto_cfb_encrypt_segment(st
+ do {
+ crypto_cfb_encrypt_one(tfm, iv, dst);
+ crypto_xor(dst, src, bsize);
+- memcpy(iv, dst, bsize);
++ iv = dst;
+
+ src += bsize;
+ dst += bsize;
+ } while ((nbytes -= bsize) >= bsize);
+
++ memcpy(walk->iv, iv, bsize);
++
+ return nbytes;
+ }
+
+@@ -162,7 +164,7 @@ static int crypto_cfb_decrypt_inplace(st
+ const unsigned int bsize = crypto_cfb_bsize(tfm);
+ unsigned int nbytes = walk->nbytes;
+ u8 *src = walk->src.virt.addr;
+- u8 *iv = walk->iv;
++ u8 * const iv = walk->iv;
+ u8 tmp[MAX_CIPHER_BLOCKSIZE];
+
+ do {
+@@ -172,8 +174,6 @@ static int crypto_cfb_decrypt_inplace(st
+ src += bsize;
+ } while ((nbytes -= bsize) >= bsize);
+
+- memcpy(walk->iv, iv, bsize);
+-
+ return nbytes;
+ }
+
--- /dev/null
+From 4359669a087633132203c52d67dd8c31e09e7b2e Mon Sep 17 00:00:00 2001
+From: Zhang Zhijie <zhangzj@rock-chips.com>
+Date: Wed, 13 Feb 2019 16:24:38 +0800
+Subject: crypto: rockchip - fix scatterlist nents error
+
+From: Zhang Zhijie <zhangzj@rock-chips.com>
+
+commit 4359669a087633132203c52d67dd8c31e09e7b2e upstream.
+
+In some cases, the nents of src scatterlist is different from
+dst scatterlist. So two variables are used to handle the nents
+of src&dst scatterlist.
+
+Reported-by: Eric Biggers <ebiggers@google.com>
+Fixes: 433cd2c617bf ("crypto: rockchip - add crypto driver for rk3288")
+Cc: <stable@vger.kernel.org> # v4.5+
+Signed-off-by: Zhang Zhijie <zhangzj@rock-chips.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/rockchip/rk3288_crypto.c | 2 +-
+ drivers/crypto/rockchip/rk3288_crypto.h | 3 ++-
+ drivers/crypto/rockchip/rk3288_crypto_ablkcipher.c | 5 +++--
+ drivers/crypto/rockchip/rk3288_crypto_ahash.c | 2 +-
+ 4 files changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/crypto/rockchip/rk3288_crypto.c
++++ b/drivers/crypto/rockchip/rk3288_crypto.c
+@@ -119,7 +119,7 @@ static int rk_load_data(struct rk_crypto
+ count = (dev->left_bytes > PAGE_SIZE) ?
+ PAGE_SIZE : dev->left_bytes;
+
+- if (!sg_pcopy_to_buffer(dev->first, dev->nents,
++ if (!sg_pcopy_to_buffer(dev->first, dev->src_nents,
+ dev->addr_vir, count,
+ dev->total - dev->left_bytes)) {
+ dev_err(dev->dev, "[%s:%d] pcopy err\n",
+--- a/drivers/crypto/rockchip/rk3288_crypto.h
++++ b/drivers/crypto/rockchip/rk3288_crypto.h
+@@ -207,7 +207,8 @@ struct rk_crypto_info {
+ void *addr_vir;
+ int aligned;
+ int align_size;
+- size_t nents;
++ size_t src_nents;
++ size_t dst_nents;
+ unsigned int total;
+ unsigned int count;
+ dma_addr_t addr_in;
+--- a/drivers/crypto/rockchip/rk3288_crypto_ablkcipher.c
++++ b/drivers/crypto/rockchip/rk3288_crypto_ablkcipher.c
+@@ -260,8 +260,9 @@ static int rk_ablk_start(struct rk_crypt
+ dev->total = req->nbytes;
+ dev->sg_src = req->src;
+ dev->first = req->src;
+- dev->nents = sg_nents(req->src);
++ dev->src_nents = sg_nents(req->src);
+ dev->sg_dst = req->dst;
++ dev->dst_nents = sg_nents(req->dst);
+ dev->aligned = 1;
+
+ spin_lock_irqsave(&dev->lock, flags);
+@@ -297,7 +298,7 @@ static int rk_ablk_rx(struct rk_crypto_i
+
+ dev->unload_data(dev);
+ if (!dev->aligned) {
+- if (!sg_pcopy_from_buffer(req->dst, dev->nents,
++ if (!sg_pcopy_from_buffer(req->dst, dev->dst_nents,
+ dev->addr_vir, dev->count,
+ dev->total - dev->left_bytes -
+ dev->count)) {
+--- a/drivers/crypto/rockchip/rk3288_crypto_ahash.c
++++ b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
+@@ -206,7 +206,7 @@ static int rk_ahash_start(struct rk_cryp
+ dev->sg_dst = NULL;
+ dev->sg_src = req->src;
+ dev->first = req->src;
+- dev->nents = sg_nents(req->src);
++ dev->src_nents = sg_nents(req->src);
+ rctx = ahash_request_ctx(req);
+ rctx->mode = 0;
+
--- /dev/null
+From c1c214adcb56d36433480c8fedf772498e7e539c Mon Sep 17 00:00:00 2001
+From: Zhang Zhijie <zhangzj@rock-chips.com>
+Date: Wed, 13 Feb 2019 16:24:39 +0800
+Subject: crypto: rockchip - update new iv to device in multiple operations
+
+From: Zhang Zhijie <zhangzj@rock-chips.com>
+
+commit c1c214adcb56d36433480c8fedf772498e7e539c upstream.
+
+For chain mode in cipher(eg. AES-CBC/DES-CBC), the iv is continuously
+updated in the operation. The new iv value should be written to device
+register by software.
+
+Reported-by: Eric Biggers <ebiggers@google.com>
+Fixes: 433cd2c617bf ("crypto: rockchip - add crypto driver for rk3288")
+Cc: <stable@vger.kernel.org> # v4.5+
+Signed-off-by: Zhang Zhijie <zhangzj@rock-chips.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/rockchip/rk3288_crypto.h | 1
+ drivers/crypto/rockchip/rk3288_crypto_ablkcipher.c | 34 +++++++++++++++++++++
+ 2 files changed, 35 insertions(+)
+
+--- a/drivers/crypto/rockchip/rk3288_crypto.h
++++ b/drivers/crypto/rockchip/rk3288_crypto.h
+@@ -245,6 +245,7 @@ struct rk_cipher_ctx {
+ struct rk_crypto_info *dev;
+ unsigned int keylen;
+ u32 mode;
++ u8 iv[AES_BLOCK_SIZE];
+ };
+
+ enum alg_type {
+--- a/drivers/crypto/rockchip/rk3288_crypto_ablkcipher.c
++++ b/drivers/crypto/rockchip/rk3288_crypto_ablkcipher.c
+@@ -242,6 +242,17 @@ static void crypto_dma_start(struct rk_c
+ static int rk_set_data_start(struct rk_crypto_info *dev)
+ {
+ int err;
++ struct ablkcipher_request *req =
++ ablkcipher_request_cast(dev->async_req);
++ struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(req);
++ struct rk_cipher_ctx *ctx = crypto_ablkcipher_ctx(tfm);
++ u32 ivsize = crypto_ablkcipher_ivsize(tfm);
++ u8 *src_last_blk = page_address(sg_page(dev->sg_src)) +
++ dev->sg_src->offset + dev->sg_src->length - ivsize;
++
++ /* store the iv that need to be updated in chain mode */
++ if (ctx->mode & RK_CRYPTO_DEC)
++ memcpy(ctx->iv, src_last_blk, ivsize);
+
+ err = dev->load_data(dev, dev->sg_src, dev->sg_dst);
+ if (!err)
+@@ -286,6 +297,28 @@ static void rk_iv_copyback(struct rk_cry
+ memcpy_fromio(req->info, dev->reg + RK_CRYPTO_AES_IV_0, ivsize);
+ }
+
++static void rk_update_iv(struct rk_crypto_info *dev)
++{
++ struct ablkcipher_request *req =
++ ablkcipher_request_cast(dev->async_req);
++ struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(req);
++ struct rk_cipher_ctx *ctx = crypto_ablkcipher_ctx(tfm);
++ u32 ivsize = crypto_ablkcipher_ivsize(tfm);
++ u8 *new_iv = NULL;
++
++ if (ctx->mode & RK_CRYPTO_DEC) {
++ new_iv = ctx->iv;
++ } else {
++ new_iv = page_address(sg_page(dev->sg_dst)) +
++ dev->sg_dst->offset + dev->sg_dst->length - ivsize;
++ }
++
++ if (ivsize == DES_BLOCK_SIZE)
++ memcpy_toio(dev->reg + RK_CRYPTO_TDES_IV_0, new_iv, ivsize);
++ else if (ivsize == AES_BLOCK_SIZE)
++ memcpy_toio(dev->reg + RK_CRYPTO_AES_IV_0, new_iv, ivsize);
++}
++
+ /* return:
+ * true some err was occurred
+ * fault no err, continue
+@@ -307,6 +340,7 @@ static int rk_ablk_rx(struct rk_crypto_i
+ }
+ }
+ if (dev->left_bytes) {
++ rk_update_iv(dev);
+ if (dev->aligned) {
+ if (sg_is_last(dev->sg_src)) {
+ dev_err(dev->dev, "[%s:%d] Lack of data\n",
--- /dev/null
+From 2ea8bab4dd2a9014e723b28091831fa850b82d83 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Sat, 9 Feb 2019 00:39:27 +0100
+Subject: iio: adc: exynos-adc: Fix NULL pointer exception on unbind
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit 2ea8bab4dd2a9014e723b28091831fa850b82d83 upstream.
+
+Fix NULL pointer exception on device unbind when device tree does not
+contain "has-touchscreen" property. In such case the input device is
+not registered so it should not be unregistered.
+
+ $ echo "12d10000.adc" > /sys/bus/platform/drivers/exynos-adc/unbind
+
+ Unable to handle kernel NULL pointer dereference at virtual address 00000474
+ ...
+ (input_unregister_device) from [<c0772060>] (exynos_adc_remove+0x20/0x80)
+ (exynos_adc_remove) from [<c0587d5c>] (platform_drv_remove+0x20/0x40)
+ (platform_drv_remove) from [<c05860f0>] (device_release_driver_internal+0xdc/0x1ac)
+ (device_release_driver_internal) from [<c0583ecc>] (unbind_store+0x60/0xd4)
+ (unbind_store) from [<c031b89c>] (kernfs_fop_write+0x100/0x1e0)
+ (kernfs_fop_write) from [<c029709c>] (__vfs_write+0x2c/0x17c)
+ (__vfs_write) from [<c0297374>] (vfs_write+0xa4/0x184)
+ (vfs_write) from [<c0297594>] (ksys_write+0x4c/0xac)
+ (ksys_write) from [<c0101000>] (ret_fast_syscall+0x0/0x28)
+
+Fixes: 2bb8ad9b44c5 ("iio: exynos-adc: add experimental touchscreen support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/exynos_adc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/exynos_adc.c
++++ b/drivers/iio/adc/exynos_adc.c
+@@ -915,7 +915,7 @@ static int exynos_adc_remove(struct plat
+ struct iio_dev *indio_dev = platform_get_drvdata(pdev);
+ struct exynos_adc *info = iio_priv(indio_dev);
+
+- if (IS_REACHABLE(CONFIG_INPUT)) {
++ if (IS_REACHABLE(CONFIG_INPUT) && info->input) {
+ free_irq(info->tsirq, info);
+ input_unregister_device(info->input);
+ }
--- /dev/null
+From b5958faa34e2f99f3475ad89c52d98dfea079d33 Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Mon, 25 Feb 2019 11:09:28 +0200
+Subject: mei: bus: move hw module get/put to probe/release
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit b5958faa34e2f99f3475ad89c52d98dfea079d33 upstream.
+
+Fix unbalanced module reference counting during internal reset, which
+prevents the drivers unloading.
+Tracking mei_me/txe modules on mei client bus via
+mei_cldev_enable/disable is error prone due to possible internal
+reset flow, where clients are disconnected underneath.
+Moving reference counting to probe and release of mei bus client
+driver solves this issue in simplest way, as each client provides only
+a single connection to a client bus driver.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/bus.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+--- a/drivers/misc/mei/bus.c
++++ b/drivers/misc/mei/bus.c
+@@ -541,17 +541,9 @@ int mei_cldev_enable(struct mei_cl_devic
+ goto out;
+ }
+
+- if (!mei_cl_bus_module_get(cldev)) {
+- dev_err(&cldev->dev, "get hw module failed");
+- ret = -ENODEV;
+- goto out;
+- }
+-
+ ret = mei_cl_connect(cl, cldev->me_cl, NULL);
+- if (ret < 0) {
++ if (ret < 0)
+ dev_err(&cldev->dev, "cannot connect\n");
+- mei_cl_bus_module_put(cldev);
+- }
+
+ out:
+ mutex_unlock(&bus->device_lock);
+@@ -614,7 +606,6 @@ int mei_cldev_disable(struct mei_cl_devi
+ if (err < 0)
+ dev_err(bus->dev, "Could not disconnect from the ME client\n");
+
+- mei_cl_bus_module_put(cldev);
+ out:
+ /* Flush queues and remove any pending read */
+ mei_cl_flush_queues(cl, NULL);
+@@ -725,9 +716,16 @@ static int mei_cl_device_probe(struct de
+ if (!id)
+ return -ENODEV;
+
++ if (!mei_cl_bus_module_get(cldev)) {
++ dev_err(&cldev->dev, "get hw module failed");
++ return -ENODEV;
++ }
++
+ ret = cldrv->probe(cldev, id);
+- if (ret)
++ if (ret) {
++ mei_cl_bus_module_put(cldev);
+ return ret;
++ }
+
+ __module_get(THIS_MODULE);
+ return 0;
+@@ -755,6 +753,7 @@ static int mei_cl_device_remove(struct d
+
+ mei_cldev_unregister_callbacks(cldev);
+
++ mei_cl_bus_module_put(cldev);
+ module_put(THIS_MODULE);
+ dev->driver = NULL;
+ return ret;
--- /dev/null
+From 37fd0b623023484ef6df79ed46f21f06ecc611ff Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Wed, 20 Feb 2019 16:55:37 +0200
+Subject: mei: hbm: clean the feature flags on link reset
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit 37fd0b623023484ef6df79ed46f21f06ecc611ff upstream.
+
+The list of supported functions can be altered upon link reset,
+clean the flags to allow correct selections of supported
+features.
+
+Cc: <stable@vger.kernel.org> v4.19+
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/hbm.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/misc/mei/hbm.c
++++ b/drivers/misc/mei/hbm.c
+@@ -986,29 +986,36 @@ static void mei_hbm_config_features(stru
+ dev->version.minor_version >= HBM_MINOR_VERSION_PGI)
+ dev->hbm_f_pg_supported = 1;
+
++ dev->hbm_f_dc_supported = 0;
+ if (dev->version.major_version >= HBM_MAJOR_VERSION_DC)
+ dev->hbm_f_dc_supported = 1;
+
++ dev->hbm_f_ie_supported = 0;
+ if (dev->version.major_version >= HBM_MAJOR_VERSION_IE)
+ dev->hbm_f_ie_supported = 1;
+
+ /* disconnect on connect timeout instead of link reset */
++ dev->hbm_f_dot_supported = 0;
+ if (dev->version.major_version >= HBM_MAJOR_VERSION_DOT)
+ dev->hbm_f_dot_supported = 1;
+
+ /* Notification Event Support */
++ dev->hbm_f_ev_supported = 0;
+ if (dev->version.major_version >= HBM_MAJOR_VERSION_EV)
+ dev->hbm_f_ev_supported = 1;
+
+ /* Fixed Address Client Support */
++ dev->hbm_f_fa_supported = 0;
+ if (dev->version.major_version >= HBM_MAJOR_VERSION_FA)
+ dev->hbm_f_fa_supported = 1;
+
+ /* OS ver message Support */
++ dev->hbm_f_os_supported = 0;
+ if (dev->version.major_version >= HBM_MAJOR_VERSION_OS)
+ dev->hbm_f_os_supported = 1;
+
+ /* DMA Ring Support */
++ dev->hbm_f_dr_supported = 0;
+ if (dev->version.major_version > HBM_MAJOR_VERSION_DR ||
+ (dev->version.major_version == HBM_MAJOR_VERSION_DR &&
+ dev->version.minor_version >= HBM_MINOR_VERSION_DR))
media-videobuf2-v4l2-drop-warn_on-in-vb2_warn_zero_bytesused.patch
+9p-use-inode-i_lock-to-protect-i_size_write-under-32-bit.patch
+9p-net-fix-memory-leak-in-p9_client_create.patch
+asoc-fsl_esai-fix-register-setting-issue-in-right_j-mode.patch
+asoc-codecs-pcm186x-fix-wrong-usage-of-declare_tlv_db_scale.patch
+asoc-codecs-pcm186x-fix-energysense-sleep-bit.patch
+iio-adc-exynos-adc-fix-null-pointer-exception-on-unbind.patch
+mei-hbm-clean-the-feature-flags-on-link-reset.patch
+mei-bus-move-hw-module-get-put-to-probe-release.patch
+stm-class-fix-an-endless-loop-in-channel-allocation.patch
+crypto-caam-fix-hash-context-dma-unmap-size.patch
+crypto-ccree-fix-missing-break-in-switch-statement.patch
+crypto-caam-fixed-handling-of-sg-list.patch
+crypto-caam-fix-dma-mapping-of-stack-memory.patch
+crypto-ccree-fix-free-of-unallocated-mlli-buffer.patch
+crypto-ccree-unmap-buffer-before-copying-iv.patch
+crypto-ccree-don-t-copy-zero-size-ciphertext.patch
+crypto-cfb-add-missing-chunksize-property.patch
+crypto-cfb-remove-bogus-memcpy-with-src-dest.patch
+crypto-ahash-fix-another-early-termination-in-hash-walk.patch
+crypto-rockchip-fix-scatterlist-nents-error.patch
+crypto-rockchip-update-new-iv-to-device-in-multiple-operations.patch
--- /dev/null
+From a1d75dad3a2c689e70a1c4e0214cca9de741d0aa Mon Sep 17 00:00:00 2001
+From: Zhi Jin <zhi.jin@intel.com>
+Date: Thu, 6 Sep 2018 15:22:10 +0800
+Subject: stm class: Fix an endless loop in channel allocation
+
+From: Zhi Jin <zhi.jin@intel.com>
+
+commit a1d75dad3a2c689e70a1c4e0214cca9de741d0aa upstream.
+
+There is a bug in the channel allocation logic that leads to an endless
+loop when looking for a contiguous range of channels in a range with a
+mixture of free and occupied channels. For example, opening three
+consequtive channels, closing the first two and requesting 4 channels in
+a row will trigger this soft lockup. The bug is that the search loop
+forgets to skip over the range once it detects that one channel in that
+range is occupied.
+
+Restore the original intent to the logic by fixing the omission.
+
+Signed-off-by: Zhi Jin <zhi.jin@intel.com>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices")
+CC: stable@vger.kernel.org # v4.4+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/stm/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -244,6 +244,9 @@ static int find_free_channels(unsigned l
+ ;
+ if (i == width)
+ return pos;
++
++ /* step over [pos..pos+i) to continue search */
++ pos += i;
+ }
+
+ return -1;
projects / thirdparty / kernel / stable-queue.git / commitdiff
