From: Greg Kroah-Hartman Date: Mon, 4 Sep 2017 09:43:48 +0000 (+0200) Subject: 4.12-stable patches X-Git-Tag: v3.18.70~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b7982ff2aecbf3a4310fc5ef1528ed612b0d16ed;p=thirdparty%2Fkernel%2Fstable-queue.git 4.12-stable patches added patches: crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch
---
diff --git a/queue-4.12/crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch b/queue-4.12/crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch
new file mode 100644
index 00000000000..a1bf4db3a0b
--- /dev/null
+++ b/queue-4.12/crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch
@@ -0,0 +1,43 @@
+From 445a582738de6802669aeed9c33ca406c23c3b1f Mon Sep 17 00:00:00 2001
+From: Stephan Mueller
+Date: Wed, 16 Aug 2017 11:56:24 +0200
+Subject: crypto: algif_skcipher - only call put_page on referenced and used pages
+
+From: Stephan Mueller
+
+commit 445a582738de6802669aeed9c33ca406c23c3b1f upstream.
+
+For asynchronous operation, SGs are allocated without a page mapped to
+them or with a page that is not used (ref-counted). If the SGL is freed,
+the code must only call put_page for an SG if there was a page assigned
+and ref-counted in the first place.
+
+This fixes a kernel crash when using io_submit with more than one iocb
+using the sendmsg and sendpage (vmsplice/splice) interface.
+
+Signed-off-by: Stephan Mueller
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/algif_skcipher.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -87,8 +87,13 @@ static void skcipher_free_async_sgls(str
+ }
+ sgl = sreq->tsg;
+ n = sg_nents(sgl);
+- for_each_sg(sgl, sg, n, i)
+- put_page(sg_page(sg));
++ for_each_sg(sgl, sg, n, i) {
++ struct page *page = sg_page(sg);
++
++ /* some SGs may not have a page mapped */
++ if (page && page_ref_count(page))
++ put_page(page);
++ }
+
+ kfree(sreq->tsg);
+ }
diff --git a/queue-4.12/i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch b/queue-4.12/i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch
new file mode 100644
index 00000000000..30542da1297
--- /dev/null
+++ b/queue-4.12/i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch
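Review bot: The new guard `if (page && page_ref_count(page))` in skcipher_free_async_sgls() treats a non-zero refcount as evidence that this SG entry holds a reference, which a refcount alone does not establish: a page still referenced by another owner, but never pinned by this request, would also pass and lose a reference it did not get from here. Where the SGL is populated is outside the hunk, so whether that case can occur is not visible, but the assumption should at least be recorded next to the test, e.g. `/* only entries filled by this request hold a page ref; unused entries have no page or a zero count */`. A sturdier form would release only the entries the request actually filled, tracked in the request itself, instead of inferring ownership at free time. The function body starts above the hunk.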
@@ -0,0 +1,54 @@
+From b6c159a9cb69c2cf0bf59d4e12c3a2da77e4d994 Mon Sep 17 00:00:00 2001
+From: Stephen Douthit
+Date: Mon, 7 Aug 2017 17:10:59 -0400
+Subject: i2c: ismt: Don't duplicate the receive length for block reads
+
+From: Stephen Douthit
+
+commit b6c159a9cb69c2cf0bf59d4e12c3a2da77e4d994 upstream.
+
+According to Table 15-14 of the C2000 EDS (Intel doc #510524) the
+rx data pointed to by the descriptor dptr contains the byte count.
+
+desc->rxbytes reports all bytes read on the wire, including the
+"byte count" byte. So if a device sends 4 bytes in response to a
+block read, on the wire and in the DMA buffer we see:
+
+count data1 data2 data3 data4
+ 0x04 0xde 0xad 0xbe 0xef
+
+That's what we want to return in data->block to the next level.
+
+Instead we were actually prefixing that with desc->rxbytes:
+
+bad
+count count data1 data2 data3 data4
+ 0x05 0x04 0xde 0xad 0xbe 0xef
+
+This was discovered while developing a BMC solution relying on the
+ipmi_ssif.c driver which was trying to interpret the bogus length
+field as part of the IPMI response.
+
+Signed-off-by: Stephen Douthit
+Tested-by: Dan Priamo
+Acked-by: Neil Horman
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-ismt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-ismt.c
++++ b/drivers/i2c/busses/i2c-ismt.c
+@@ -341,8 +341,8 @@ static int ismt_process_desc(const struc
+ break;
+ case I2C_SMBUS_BLOCK_DATA:
+ case I2C_SMBUS_I2C_BLOCK_DATA:
+- memcpy(&data->block[1], dma_buffer, desc->rxbytes);
+- data->block[0] = desc->rxbytes;
++ memcpy(data->block, dma_buffer, desc->rxbytes);
++ data->block[0] = desc->rxbytes - 1;
+ break;
+ }
+ return 0;
diff --git a/queue-4.12/i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch b/queue-4.12/i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch
new file mode 100644
index 00000000000..c5d01ff8d66
--- /dev/null
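Review bot: The length given to `memcpy(data->block, dma_buffer, desc->rxbytes)` in the I2C_SMBUS_BLOCK_DATA / I2C_SMBUS_I2C_BLOCK_DATA case comes straight from the descriptor and is never compared with the size of `data->block`, and `desc->rxbytes - 1` yields a bogus count if rxbytes is 0. Whether the controller already caps rxbytes is not visible in this hunk, so an explicit guard before the copy would be prudent, e.g. `if (desc->rxbytes < 1 || desc->rxbytes > I2C_SMBUS_BLOCK_MAX + 1) return -EMSGSIZE;`. The same unbounded copy remains in i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch, where the added check compares rxbytes with the device-supplied count byte but not with the destination size. ismt_process_desc() begins and ends outside the hunk.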
+++ b/queue-4.12/i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch
@@ -0,0 +1,40 @@
+From ba201c4f5ebe13d7819081756378777d8153f23e Mon Sep 17 00:00:00 2001
+From: Stephen Douthit
+Date: Mon, 7 Aug 2017 17:11:00 -0400
+Subject: i2c: ismt: Return EMSGSIZE for block reads with bogus length
+
+From: Stephen Douthit
+
+commit ba201c4f5ebe13d7819081756378777d8153f23e upstream.
+
+Compare the number of bytes actually seen on the wire to the byte
+count field returned by the slave device.
+
+Previously we just overwrote the byte count returned by the slave
+with the real byte count and let the caller figure out if the
+message was sane.
+
+Signed-off-by: Stephen Douthit
+Tested-by: Dan Priamo
+Acked-by: Neil Horman
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-ismt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-ismt.c
++++ b/drivers/i2c/busses/i2c-ismt.c
+@@ -341,8 +341,10 @@ static int ismt_process_desc(const struc
+ break;
+ case I2C_SMBUS_BLOCK_DATA:
+ case I2C_SMBUS_I2C_BLOCK_DATA:
++ if (desc->rxbytes != dma_buffer[0] + 1)
++ return -EMSGSIZE;
++
+ memcpy(data->block, dma_buffer, desc->rxbytes);
+- data->block[0] = desc->rxbytes - 1;
+ break;
+ }
+ return 0;
diff --git a/queue-4.12/series b/queue-4.12/series
index b62b68a2ee3..b81065223f8 100644
--- a/queue-4.12/series
+++ b/queue-4.12/series
@@ -4,3 +4,6 @@ irqchip-mips-gic-sync-after-enabling-gic-region.patch
 input-synaptics-fix-device-info-appearing-different-on-reconnect.patch
 input-xpad-fix-powera-init-quirk-for-some-gamepad-models.patch
 crypto-chacha20-fix-handling-of-chunked-input.patch
+i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch
+i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch
+crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch
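Review bot: The added test `desc->rxbytes != dma_buffer[0] + 1` sits under both case labels, I2C_SMBUS_BLOCK_DATA and I2C_SMBUS_I2C_BLOCK_DATA, so it assumes the first byte in the DMA buffer is a count for either transfer type. The commit message establishes that for the SMBus block read; for the I2C block variant it is not shown here and is worth confirming, since a mismatch would turn valid reads into -EMSGSIZE. A one-line comment would also make the arithmetic self-explanatory: `/* rxbytes includes the count byte itself, hence + 1 */`. ismt_process_desc() begins and ends outside the hunk.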