From: Greg Kroah-Hartman Date: Fri, 11 Sep 2015 06:20:52 +0000 (-0700) Subject: 3.10-stable patches X-Git-Tag: v3.10.88~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=41a78255b2b710c81290b19237d03e8e7998a6fe;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: crypto-caam-fix-memory-corruption-in-ahash_final_ctx.patch libfc-fix-fc_fcp_cleanup_each_cmd.patch --- diff --git a/queue-3.10/crypto-caam-fix-memory-corruption-in-ahash_final_ctx.patch b/queue-3.10/crypto-caam-fix-memory-corruption-in-ahash_final_ctx.patch new file mode 100644 index 00000000000..4ca419c2640 --- /dev/null +++ b/queue-3.10/crypto-caam-fix-memory-corruption-in-ahash_final_ctx.patch @@ -0,0 +1,50 @@ +From b310c178e6d897f82abb9da3af1cd7c02b09f592 Mon Sep 17 00:00:00 2001 +From: Horia Geant? +Date: Tue, 11 Aug 2015 20:19:20 +0300 +Subject: crypto: caam - fix memory corruption in ahash_final_ctx + +From: Horia Geant? + +commit b310c178e6d897f82abb9da3af1cd7c02b09f592 upstream. + +When doing pointer operation for accessing the HW S/G table, +a value representing number of entries (and not number of bytes) +must be used. + +Fixes: 045e36780f115 ("crypto: caam - ahash hmac support") +Signed-off-by: Horia Geant? +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/caamhash.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/crypto/caam/caamhash.c ++++ b/drivers/crypto/caam/caamhash.c +@@ -895,13 +895,14 @@ static int ahash_final_ctx(struct ahash_ + state->buflen_1; + u32 *sh_desc = ctx->sh_desc_fin, *desc; + dma_addr_t ptr = ctx->sh_desc_fin_dma; +- int sec4_sg_bytes; ++ int sec4_sg_bytes, sec4_sg_src_index; + int digestsize = crypto_ahash_digestsize(ahash); + struct ahash_edesc *edesc; + int ret = 0; + int sh_len; + +- sec4_sg_bytes = (1 + (buflen ? 1 : 0)) * sizeof(struct sec4_sg_entry); ++ sec4_sg_src_index = 1 + (buflen ? 1 : 0); ++ sec4_sg_bytes = sec4_sg_src_index * sizeof(struct sec4_sg_entry); + + /* allocate space for base edesc and hw desc commands, link tables */ + edesc = kmalloc(sizeof(struct ahash_edesc) + DESC_JOB_IO_LEN + +@@ -928,7 +929,7 @@ static int ahash_final_ctx(struct ahash_ + state->buf_dma = try_buf_map_to_sec4_sg(jrdev, edesc->sec4_sg + 1, + buf, state->buf_dma, buflen, + last_buflen); +- (edesc->sec4_sg + sec4_sg_bytes - 1)->len |= SEC4_SG_LEN_FIN; ++ (edesc->sec4_sg + sec4_sg_src_index - 1)->len |= SEC4_SG_LEN_FIN; + + append_seq_in_ptr(desc, edesc->sec4_sg_dma, ctx->ctx_len + buflen, + LDST_SGF); diff --git a/queue-3.10/libfc-fix-fc_fcp_cleanup_each_cmd.patch b/queue-3.10/libfc-fix-fc_fcp_cleanup_each_cmd.patch new file mode 100644 index 00000000000..46715771bbd --- /dev/null +++ b/queue-3.10/libfc-fix-fc_fcp_cleanup_each_cmd.patch @@ -0,0 +1,76 @@ +From 8f2777f53e3d5ad8ef2a176a4463a5c8e1a16431 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Fri, 5 Jun 2015 14:20:51 -0700 +Subject: libfc: Fix fc_fcp_cleanup_each_cmd() + +From: Bart Van Assche + +commit 8f2777f53e3d5ad8ef2a176a4463a5c8e1a16431 upstream. + +Since fc_fcp_cleanup_cmd() can sleep this function must not +be called while holding a spinlock. This patch avoids that +fc_fcp_cleanup_each_cmd() triggers the following bug: + +BUG: scheduling while atomic: sg_reset/1512/0x00000202 +1 lock held by sg_reset/1512: + #0: (&(&fsp->scsi_pkt_lock)->rlock){+.-...}, at: [] fc_fcp_cleanup_each_cmd.isra.21+0xa5/0x150 [libfc] +Preemption disabled at:[] fc_fcp_cleanup_each_cmd.isra.21+0xa5/0x150 [libfc] +Call Trace: + [] dump_stack+0x4f/0x7b + [] __schedule_bug+0x6c/0xd0 + [] __schedule+0x71a/0xa10 + [] schedule+0x32/0x80 + [] fc_seq_set_resp+0xac/0x100 [libfc] + [] fc_exch_done+0x41/0x60 [libfc] + [] fc_fcp_cleanup_each_cmd.isra.21+0xcf/0x150 [libfc] + [] fc_eh_device_reset+0x1c3/0x270 [libfc] + [] scsi_try_bus_device_reset+0x29/0x60 + [] scsi_ioctl_reset+0x258/0x2d0 + [] scsi_ioctl+0x150/0x440 + [] sd_ioctl+0xad/0x120 + [] blkdev_ioctl+0x1b6/0x810 + [] block_ioctl+0x38/0x40 + [] do_vfs_ioctl+0x2f8/0x530 + [] SyS_ioctl+0x81/0xa0 + [] system_call_fastpath+0x16/0x7a + +Signed-off-by: Bart Van Assche +Signed-off-by: Vasu Dev +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/libfc/fc_fcp.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/libfc/fc_fcp.c ++++ b/drivers/scsi/libfc/fc_fcp.c +@@ -1039,11 +1039,26 @@ restart: + fc_fcp_pkt_hold(fsp); + spin_unlock_irqrestore(&si->scsi_queue_lock, flags); + +- if (!fc_fcp_lock_pkt(fsp)) { ++ spin_lock_bh(&fsp->scsi_pkt_lock); ++ if (!(fsp->state & FC_SRB_COMPL)) { ++ fsp->state |= FC_SRB_COMPL; ++ /* ++ * TODO: dropping scsi_pkt_lock and then reacquiring ++ * again around fc_fcp_cleanup_cmd() is required, ++ * since fc_fcp_cleanup_cmd() calls into ++ * fc_seq_set_resp() and that func preempts cpu using ++ * schedule. May be schedule and related code should be ++ * removed instead of unlocking here to avoid scheduling ++ * while atomic bug. ++ */ ++ spin_unlock_bh(&fsp->scsi_pkt_lock); ++ + fc_fcp_cleanup_cmd(fsp, error); ++ ++ spin_lock_bh(&fsp->scsi_pkt_lock); + fc_io_compl(fsp); +- fc_fcp_unlock_pkt(fsp); + } ++ spin_unlock_bh(&fsp->scsi_pkt_lock); + + fc_fcp_pkt_release(fsp); + spin_lock_irqsave(&si->scsi_queue_lock, flags); diff --git a/queue-3.10/series b/queue-3.10/series index 8bcfebb5818..5ae30c521b8 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -6,3 +6,5 @@ dm-thin-metadata-delete-btrees-when-releasing-metadata-snapshot.patch localmodconfig-use-kbuild-files-too.patch edac-ppc4xx-access-mci-csrows-array-elements-properly.patch drm-radeon-add-new-oland-pci-id.patch +libfc-fix-fc_fcp_cleanup_each_cmd.patch +crypto-caam-fix-memory-corruption-in-ahash_final_ctx.patch