From: Greg Kroah-Hartman
Date: Fri, 23 Oct 2015 14:19:11 +0000 (-0700)
Subject: 3.14-stable patches
X-Git-Tag: v3.14.56~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=28266983632ce2886945b1deba6d14f78cb49771;p=thirdparty%2Fkernel%2Fstable-queue.git

3.14-stable patches

added patches:
arm64-errata-use-kbuild_cflags_module-for-erratum-843419.patch
btrfs-fix-use-after-free-iterating-extrefs.patch
crypto-ahash-ensure-statesize-is-non-zero.patch
crypto-sparc-initialize-blkcipher.ivsize.patch
---

diff --git a/queue-3.14/arm64-errata-use-kbuild_cflags_module-for-erratum-843419.patch b/queue-3.14/arm64-errata-use-kbuild_cflags_module-for-erratum-843419.patch
new file mode 100644
index 00000000000..63b6fdf9a76
--- /dev/null
+++ b/queue-3.14/arm64-errata-use-kbuild_cflags_module-for-erratum-843419.patch
@@ -0,0 +1,39 @@
+From b6dd8e0719c0d2d01429639a11b7bc2677de240c Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Thu, 8 Oct 2015 11:11:17 +0100
+Subject: arm64: errata: use KBUILD_CFLAGS_MODULE for erratum #843419
+
+From: Will Deacon
+
+commit b6dd8e0719c0d2d01429639a11b7bc2677de240c upstream.
+
+Commit df057cc7b4fa ("arm64: errata: add module build workaround for
+erratum #843419") sets CFLAGS_MODULE to ensure that the large memory
+model is used by the compiler when building kernel modules.
+
+However, CFLAGS_MODULE is an environment variable and intended to be
+overridden on the command line, which appears to be the case with the
+Ubuntu kernel packaging system, so use KBUILD_CFLAGS_MODULE instead.
+
+Cc: Ard Biesheuvel
+Fixes: df057cc7b4fa ("arm64: errata: add module build workaround for erratum #843419")
+Reported-by: Dann Frazier
+Tested-by: Dann Frazier
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -35,7 +35,7 @@ comma = ,
+ CHECKFLAGS += -D__aarch64__
+
+ ifeq ($(CONFIG_ARM64_ERRATUM_843419), y)
+-CFLAGS_MODULE += -mcmodel=large
++KBUILD_CFLAGS_MODULE += -mcmodel=large
+ endif
+
+ # Default value
diff --git a/queue-3.14/btrfs-fix-use-after-free-iterating-extrefs.patch b/queue-3.14/btrfs-fix-use-after-free-iterating-extrefs.patch
new file mode 100644
index 00000000000..52b839b7ae1
--- /dev/null
+++ b/queue-3.14/btrfs-fix-use-after-free-iterating-extrefs.patch
@@ -0,0 +1,61 @@
+From dc6c5fb3b514221f2e9d21ee626a9d95d3418dff Mon Sep 17 00:00:00 2001
+From: Chris Mason
+Date: Tue, 13 Oct 2015 14:06:48 -0400
+Subject: btrfs: fix use after free iterating extrefs
+
+From: Chris Mason
+
+commit dc6c5fb3b514221f2e9d21ee626a9d95d3418dff upstream.
+
+The code for btrfs inode-resolve has never worked properly for
+files with enough hard links to trigger extrefs. It was trying to
+get the leaf out of a path after freeing the path:
+
+ btrfs_release_path(path);
+ leaf = path->nodes[0];
+ item_size = btrfs_item_size_nr(leaf, slot);
+
+The fix here is to use the extent buffer we cloned just a little higher
+up to avoid deadlocks caused by using the leaf in the path.
+
+Signed-off-by: Chris Mason
+cc: Mark Fasheh
+Reviewed-by: Filipe Manana
+Reviewed-by: Mark Fasheh
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/backref.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -1692,7 +1692,6 @@ static int iterate_inode_extrefs(u64 inu
+ int found = 0;
+ struct extent_buffer *eb;
+ struct btrfs_inode_extref *extref;
+- struct extent_buffer *leaf;
+ u32 item_size;
+ u32 cur_offset;
+ unsigned long ptr;
+@@ -1720,9 +1719,8 @@ static int iterate_inode_extrefs(u64 inu
+ btrfs_set_lock_blocking_rw(eb, BTRFS_READ_LOCK);
+ btrfs_release_path(path);
+
+- leaf = path->nodes[0];
+- item_size = btrfs_item_size_nr(leaf, slot);
+- ptr = btrfs_item_ptr_offset(leaf, slot);
++ item_size = btrfs_item_size_nr(eb, slot);
++ ptr = btrfs_item_ptr_offset(eb, slot);
+ cur_offset = 0;
+
+ while (cur_offset < item_size) {
+@@ -1736,7 +1734,7 @@ static int iterate_inode_extrefs(u64 inu
+ if (ret)
+ break;
+
+- cur_offset += btrfs_inode_extref_name_len(leaf, extref);
++ cur_offset += btrfs_inode_extref_name_len(eb, extref);
+ cur_offset += sizeof(*extref);
+ }
+ btrfs_tree_read_unlock_blocking(eb);
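Review bot: In the fs/btrfs/backref.c hunks of the btrfs patch, nothing in the new code records why the item must be read through `eb` rather than `path->nodes[0]` once `btrfs_release_path(path)` has run, so the same use-after-free is easy to reintroduce in a later edit. A comment directly after the release call would pin the rule, for example `/* path is released: read the item only through eb, which stays read-locked until the unlock below */`. The lock and unlock calls on `eb` are visible in the second and third hunks; how `eb` is obtained lies outside them, so the comment should be checked against that part of iterate_inode_extrefs().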
diff --git a/queue-3.14/crypto-ahash-ensure-statesize-is-non-zero.patch b/queue-3.14/crypto-ahash-ensure-statesize-is-non-zero.patch
new file mode 100644
index 00000000000..583bc195567
--- /dev/null
+++ b/queue-3.14/crypto-ahash-ensure-statesize-is-non-zero.patch
@@ -0,0 +1,37 @@
+From 8996eafdcbad149ac0f772fb1649fbb75c482a6a Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Fri, 9 Oct 2015 20:43:33 +0100
+Subject: crypto: ahash - ensure statesize is non-zero
+
+From: Russell King
+
+commit 8996eafdcbad149ac0f772fb1649fbb75c482a6a upstream.
+
+Unlike shash algorithms, ahash drivers must implement export
+and import as their descriptors may contain hardware state and
+cannot be exported as is. Unfortunately some ahash drivers did
+not provide them and end up causing crashes with algif_hash.
+
+This patch adds a check to prevent these drivers from registering
+ahash algorithms until they are fixed.
+
+Signed-off-by: Russell King
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/ahash.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/crypto/ahash.c
++++ b/crypto/ahash.c
+@@ -465,7 +465,8 @@ static int ahash_prepare_alg(struct ahas
+ struct crypto_alg *base = &alg->halg.base;
+
+ if (alg->halg.digestsize > PAGE_SIZE / 8 ||
+- alg->halg.statesize > PAGE_SIZE / 8)
++ alg->halg.statesize > PAGE_SIZE / 8 ||
++ alg->halg.statesize == 0)
+ return -EINVAL;
+
+ base->cra_type = &crypto_ahash_type;
diff --git a/queue-3.14/crypto-sparc-initialize-blkcipher.ivsize.patch b/queue-3.14/crypto-sparc-initialize-blkcipher.ivsize.patch
new file mode 100644
index 00000000000..da4afaa8137
--- /dev/null
+++ b/queue-3.14/crypto-sparc-initialize-blkcipher.ivsize.patch
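Review bot: In the crypto/ahash.c hunk of the ahash patch, the added `alg->halg.statesize == 0` test is only a proxy for what the commit message requires, namely that the driver implements export and import; a driver that sets a non-zero statesize but leaves the callbacks unset would still register. Whether the callbacks are validated elsewhere is not visible in this hunk; if they are not, the condition could test them as well, `alg->halg.statesize == 0 || !alg->export || !alg->import)`. At minimum a comment such as `/* statesize == 0: driver lacks export/import, which algif_hash relies on */` would tell a driver author why registration returns -EINVAL. ahash_prepare_alg() continues past the end of the hunk.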
@@ -0,0 +1,68 @@
+From a66d7f724a96d6fd279bfbd2ee488def6b081bea Mon Sep 17 00:00:00 2001
+From: Dave Kleikamp
+Date: Mon, 5 Oct 2015 10:08:51 -0500
+Subject: crypto: sparc - initialize blkcipher.ivsize
+
+From: Dave Kleikamp
+
+commit a66d7f724a96d6fd279bfbd2ee488def6b081bea upstream.
+
+Some of the crypto algorithms write to the initialization vector,
+but no space has been allocated for it. This clobbers adjacent memory.
+
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/sparc/crypto/aes_glue.c | 2 ++
+ arch/sparc/crypto/camellia_glue.c | 1 +
+ arch/sparc/crypto/des_glue.c | 2 ++
+ 3 files changed, 5 insertions(+)
+
+--- a/arch/sparc/crypto/aes_glue.c
++++ b/arch/sparc/crypto/aes_glue.c
+@@ -433,6 +433,7 @@ static struct crypto_alg algs[] = { {
+ .blkcipher = {
+ .min_keysize = AES_MIN_KEY_SIZE,
+ .max_keysize = AES_MAX_KEY_SIZE,
++ .ivsize = AES_BLOCK_SIZE,
+ .setkey = aes_set_key,
+ .encrypt = cbc_encrypt,
+ .decrypt = cbc_decrypt,
+@@ -452,6 +453,7 @@ static struct crypto_alg algs[] = { {
+ .blkcipher = {
+ .min_keysize = AES_MIN_KEY_SIZE,
+ .max_keysize = AES_MAX_KEY_SIZE,
++ .ivsize = AES_BLOCK_SIZE,
+ .setkey = aes_set_key,
+ .encrypt = ctr_crypt,
+ .decrypt = ctr_crypt,
+--- a/arch/sparc/crypto/camellia_glue.c
++++ b/arch/sparc/crypto/camellia_glue.c
+@@ -274,6 +274,7 @@ static struct crypto_alg algs[] = { {
+ .blkcipher = {
+ .min_keysize = CAMELLIA_MIN_KEY_SIZE,
+ .max_keysize = CAMELLIA_MAX_KEY_SIZE,
++ .ivsize = CAMELLIA_BLOCK_SIZE,
+ .setkey = camellia_set_key,
+ .encrypt = cbc_encrypt,
+ .decrypt = cbc_decrypt,
+--- a/arch/sparc/crypto/des_glue.c
++++ b/arch/sparc/crypto/des_glue.c
+@@ -429,6 +429,7 @@ static struct crypto_alg algs[] = { {
+ .blkcipher = {
+ .min_keysize = DES_KEY_SIZE,
+ .max_keysize = DES_KEY_SIZE,
++ .ivsize = DES_BLOCK_SIZE,
+ .setkey = des_set_key,
+ .encrypt = cbc_encrypt,
+ .decrypt = cbc_decrypt,
+@@ -485,6 +486,7 @@ static struct crypto_alg algs[] = { {
+ .blkcipher = {
+ .min_keysize = DES3_EDE_KEY_SIZE,
+ .max_keysize = DES3_EDE_KEY_SIZE,
++ .ivsize = DES3_EDE_BLOCK_SIZE,
+ .setkey = des3_ede_set_key,
+ .encrypt = cbc3_encrypt,
+ .decrypt = cbc3_decrypt,
diff --git a/queue-3.14/series b/queue-3.14/series
index 45cc72e6dd6..2da2216230b 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -9,3 +9,7 @@ ppp-don-t-override-sk-sk_state-in-pppoe_flush_dev.patch
 ethtool-use-kcalloc-instead-of-kmalloc-for-ethtool_get_strings.patch
 asix-don-t-reset-phy-on-if_up-for-asix-88772.patch
 asix-do-full-reset-during-ax88772_bind.patch
+crypto-sparc-initialize-blkcipher.ivsize.patch
+crypto-ahash-ensure-statesize-is-non-zero.patch
+btrfs-fix-use-after-free-iterating-extrefs.patch
+arm64-errata-use-kbuild_cflags_module-for-erratum-843419.patch
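Review bot: In the arch/sparc/crypto glue hunks of the sparc patch (aes_glue.c, camellia_glue.c, des_glue.c), each `.ivsize` is added by hand to one `algs[]` entry and nothing visible ties it to the handlers, so a later entry that wires up `cbc_encrypt` or `ctr_crypt` without `.ivsize` would bring back the adjacent-memory clobber the commit message describes. A one-line comment on each entry would make the dependency explicit, for example `/* required: the CBC/CTR handlers write to the IV */`. Only the five patched entries are visible here, so the full `algs[]` tables should be checked to confirm that every IV-using mode in the three files now sets `.ivsize`.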