From: Greg Kroah-Hartman Date: Sat, 4 Feb 2017 09:16:19 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v3.18.48~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d2dc3143aadea7f734bae40721ecddec68038956;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: crypto-api-clear-crypto_alg_dead-bit-before-registering-an-alg.patch crypto-arm64-aes-blk-honour-iv_out-requirement-in-cbc-and-ctr-modes.patch drm-nouveau-disp-gt215-fix-hda-eld-handling-thus-hdmi-audio-on-gt215.patch drm-nouveau-nv1a-nv1f-disp-fix-memory-clock-rate-retrieval.patch ext4-validate-s_first_meta_bg-at-mount-time.patch pci-aspm-handle-pci-to-pcie-bridges-as-roots-of-pcie-hierarchies.patch
---
diff --git a/queue-4.4/crypto-api-clear-crypto_alg_dead-bit-before-registering-an-alg.patch b/queue-4.4/crypto-api-clear-crypto_alg_dead-bit-before-registering-an-alg.patch
new file mode 100644
index 00000000000..6a809ba4767
--- /dev/null
+++ b/queue-4.4/crypto-api-clear-crypto_alg_dead-bit-before-registering-an-alg.patch
@@ -0,0 +1,31 @@
+From d6040764adcb5cb6de1489422411d701c158bb69 Mon Sep 17 00:00:00 2001
+From: Salvatore Benedetto
+Date: Fri, 13 Jan 2017 11:54:08 +0000
+Subject: crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg
+
+From: Salvatore Benedetto
+
+commit d6040764adcb5cb6de1489422411d701c158bb69 upstream.
+
+Make sure CRYPTO_ALG_DEAD bit is cleared before proceeding with
+the algorithm registration. This fixes qat-dh registration when
+driver is restarted
+
+Signed-off-by: Salvatore Benedetto
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/algapi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -357,6 +357,7 @@ int crypto_register_alg(struct crypto_al
+ struct crypto_larval *larval;
+ int err;
+
++ alg->cra_flags &= ~CRYPTO_ALG_DEAD;
+ err = crypto_check_alg(alg);
+ if (err)
+ return err;
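Review bot: The added `alg->cra_flags &= ~CRYPTO_ALG_DEAD;` in crypto_register_alg() has no comment, so the code alone does not say why a caller-supplied algorithm would arrive already marked dead or why reviving it is safe. The flag is also cleared before `crypto_check_alg(alg)` has validated the struct, and no lock is visible in the hunk at that point; the function body continues outside the hunk, so confirm nothing can still observe this struct from an earlier registration. I would add a comment above the line such as `/* alg may be re-registered after an unregister (e.g. driver restart); drop the stale DEAD mark */`.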
diff --git a/queue-4.4/crypto-arm64-aes-blk-honour-iv_out-requirement-in-cbc-and-ctr-modes.patch b/queue-4.4/crypto-arm64-aes-blk-honour-iv_out-requirement-in-cbc-and-ctr-modes.patch
new file mode 100644
index 00000000000..157b9d7b525
--- /dev/null
+++ b/queue-4.4/crypto-arm64-aes-blk-honour-iv_out-requirement-in-cbc-and-ctr-modes.patch
@@ -0,0 +1,202 @@
+From 11e3b725cfc282efe9d4a354153e99d86a16af08 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Tue, 17 Jan 2017 13:46:29 +0000
+Subject: crypto: arm64/aes-blk - honour iv_out requirement in CBC and CTR modes
+
+From: Ard Biesheuvel
+
+commit 11e3b725cfc282efe9d4a354153e99d86a16af08 upstream.
+
+Update the ARMv8 Crypto Extensions and the plain NEON AES implementations
+in CBC and CTR modes to return the next IV back to the skcipher API client.
+This is necessary for chaining to work correctly.
+
+Note that for CTR, this is only done if the request is a round multiple of
+the block size, since otherwise, chaining is impossible anyway.
+
+Signed-off-by: Ard Biesheuvel
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/crypto/aes-modes.S | 88 ++++++++++++++++++++----------------------
+ 1 file changed, 42 insertions(+), 46 deletions(-)
+
+--- a/arch/arm64/crypto/aes-modes.S
++++ b/arch/arm64/crypto/aes-modes.S
+@@ -193,15 +193,16 @@ AES_ENTRY(aes_cbc_encrypt)
+ cbz w6, .Lcbcencloop
+
+ ld1 {v0.16b}, [x5] /* get iv */
+- enc_prepare w3, x2, x5
++ enc_prepare w3, x2, x6
+
+.Lcbcencloop:
+ ld1 {v1.16b}, [x1], #16 /* get next pt block */
+ eor v0.16b, v0.16b, v1.16b /* ..and xor with iv */
+- encrypt_block v0, w3, x2, x5, w6
++ encrypt_block v0, w3, x2, x6, w7
+ st1 {v0.16b}, [x0], #16
+ subs w4, w4, #1
+ bne .Lcbcencloop
++ st1 {v0.16b}, [x5] /* return iv */
+ ret
+AES_ENDPROC(aes_cbc_encrypt)
+
+@@ -211,7 +212,7 @@ AES_ENTRY(aes_cbc_decrypt)
+ cbz w6, .LcbcdecloopNx
+
+ ld1 {v7.16b}, [x5] /* get iv */
+- dec_prepare w3, x2, x5
++ dec_prepare w3, x2, x6
+
+.LcbcdecloopNx:
+ #if INTERLEAVE >= 2
+@@ -248,7 +249,7 @@ AES_ENTRY(aes_cbc_decrypt)
+ .Lcbcdecloop:
+ ld1 {v1.16b}, [x1], #16 /* get next ct block */
+ mov v0.16b, v1.16b /* ...and copy to v0 */
+- decrypt_block v0, w3, x2, x5, w6
++ decrypt_block v0, w3, x2, x6, w7
+ eor v0.16b, v0.16b, v7.16b /* xor with iv => pt */
+ mov v7.16b, v1.16b /* ct is next iv */
+ st1 {v0.16b}, [x0], #16
+@@ -256,6 +257,7 @@ AES_ENTRY(aes_cbc_decrypt)
+ bne .Lcbcdecloop
+ .Lcbcdecout:
+ FRAME_POP
++ st1 {v7.16b}, [x5] /* return iv */
+ ret
+ AES_ENDPROC(aes_cbc_decrypt)
+
+@@ -267,24 +269,15 @@ AES_ENDPROC(aes_cbc_decrypt)
+
+ AES_ENTRY(aes_ctr_encrypt)
+ FRAME_PUSH
+- cbnz w6, .Lctrfirst /* 1st time around? */
+- umov x5, v4.d[1] /* keep swabbed ctr in reg */
+- rev x5, x5
+-#if INTERLEAVE >= 2
+- cmn w5, w4 /* 32 bit overflow? */
+- bcs .Lctrinc
+- add x5, x5, #1 /* increment BE ctr */
+- b .LctrincNx
+-#else
+- b .Lctrinc
+-#endif
+-.Lctrfirst:
++ cbz w6, .Lctrnotfirst /* 1st time around? */
+ enc_prepare w3, x2, x6
+ ld1 {v4.16b}, [x5]
+- umov x5, v4.d[1] /* keep swabbed ctr in reg */
+- rev x5, x5
++
++.Lctrnotfirst:
++ umov x8, v4.d[1] /* keep swabbed ctr in reg */
++ rev x8, x8
+ #if INTERLEAVE >= 2
+- cmn w5, w4 /* 32 bit overflow? */
++ cmn w8, w4 /* 32 bit overflow? */
+ bcs .Lctrloop
+ .LctrloopNx:
+ subs w4, w4, #INTERLEAVE
+@@ -292,11 +285,11 @@ AES_ENTRY(aes_ctr_encrypt)
+ #if INTERLEAVE == 2
+ mov v0.8b, v4.8b
+ mov v1.8b, v4.8b
+- rev x7, x5
+- add x5, x5, #1
++ rev x7, x8
++ add x8, x8, #1
+ ins v0.d[1], x7
+- rev x7, x5
+- add x5, x5, #1
++ rev x7, x8
++ add x8, x8, #1
+ ins v1.d[1], x7
+ ld1 {v2.16b-v3.16b}, [x1], #32 /* get 2 input blocks */
+ do_encrypt_block2x
+@@ -305,7 +298,7 @@ AES_ENTRY(aes_ctr_encrypt)
+ st1 {v0.16b-v1.16b}, [x0], #32
+ #else
+ ldr q8, =0x30000000200000001 /* addends 1,2,3[,0] */
+- dup v7.4s, w5
++ dup v7.4s, w8
+ mov v0.16b, v4.16b
+ add v7.4s, v7.4s, v8.4s
+ mov v1.16b, v4.16b
+@@ -323,18 +316,12 @@ AES_ENTRY(aes_ctr_encrypt)
+ eor v2.16b, v7.16b, v2.16b
+ eor v3.16b, v5.16b, v3.16b
+ st1 {v0.16b-v3.16b}, [x0], #64
+- add x5, x5, #INTERLEAVE
++ add x8, x8, #INTERLEAVE
+ #endif
+- cbz w4, .LctroutNx
+-.LctrincNx:
+- rev x7, x5
++ rev x7, x8
+ ins v4.d[1], x7
++ cbz w4, .Lctrout
+ b .LctrloopNx
+-.LctroutNx:
+- sub x5, x5, #1
+- rev x7, x5
+- ins v4.d[1], x7
+- b .Lctrout
+ .Lctr1x:
+ adds w4, w4, #INTERLEAVE
+ beq .Lctrout
+@@ -342,30 +329,39 @@ AES_ENTRY(aes_ctr_encrypt)
+ .Lctrloop:
+ mov v0.16b, v4.16b
+ encrypt_block v0, w3, x2, x6, w7
++
++ adds x8, x8, #1 /* increment BE ctr */
++ rev x7, x8
++ ins v4.d[1], x7
++ bcs .Lctrcarry /* overflow? */
++
++.Lctrcarrydone:
+ subs w4, w4, #1
+ bmi .Lctrhalfblock /* blocks < 0 means 1/2 block */
+ ld1 {v3.16b}, [x1], #16
+ eor v3.16b, v0.16b, v3.16b
+ st1 {v3.16b}, [x0], #16
+- beq .Lctrout
+-.Lctrinc:
+- adds x5, x5, #1 /* increment BE ctr */
+- rev x7, x5
+- ins v4.d[1], x7
+- bcc .Lctrloop /* no overflow? */
+- umov x7, v4.d[0] /* load upper word of ctr */
+- rev x7, x7 /* ... to handle the carry */
+- add x7, x7, #1
+- rev x7, x7
+- ins v4.d[0], x7
+- b .Lctrloop
++ bne .Lctrloop
++
++.Lctrout:
++ st1 {v4.16b}, [x5] /* return next CTR value */
++ FRAME_POP
++ ret
++
+ .Lctrhalfblock:
+ ld1 {v3.8b}, [x1]
+ eor v3.8b, v0.8b, v3.8b
+ st1 {v3.8b}, [x0]
+-.Lctrout:
+ FRAME_POP
+ ret
++
++.Lctrcarry:
++ umov x7, v4.d[0] /* load upper word of ctr */
++ rev x7, x7 /* ... to handle the carry */
++ add x7, x7, #1
++ rev x7, x7
++ ins v4.d[0], x7
++ b .Lctrcarrydone
+ AES_ENDPROC(aes_ctr_encrypt)
+ .ltorg
+
diff --git a/queue-4.4/drm-nouveau-disp-gt215-fix-hda-eld-handling-thus-hdmi-audio-on-gt215.patch b/queue-4.4/drm-nouveau-disp-gt215-fix-hda-eld-handling-thus-hdmi-audio-on-gt215.patch
new file mode 100644
index 00000000000..e0cfaf60e08
--- /dev/null
+++ b/queue-4.4/drm-nouveau-disp-gt215-fix-hda-eld-handling-thus-hdmi-audio-on-gt215.patch
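Review bot: In aes_ctr_encrypt (aes-modes.S patch) the `.Lctrhalfblock` exit returns without the `st1 {v4.16b}, [x5]` that `.Lctrout` performs, and nothing in the code says this is deliberate. The commit message explains that the counter is only returned when the request is a multiple of the block size; a caller that chained after a partial block would continue from the old counter and reuse keystream, so the contract deserves a comment at the label, e.g. `/* partial final block: counter is not written back, the request must not be chained */`. It would also help to state near each AES_ENTRY that x5 must now stay the IV pointer for the whole function, which is why the scratch registers moved to x6/w7 and the swabbed counter to x8. Parts of these functions lie outside the hunks shown.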
@@ -0,0 +1,33 @@
+From d347583a39e2df609a9e40c835f72d3614665b53 Mon Sep 17 00:00:00 2001
+From: Alastair Bridgewater
+Date: Wed, 11 Jan 2017 15:47:18 -0500
+Subject: drm/nouveau/disp/gt215: Fix HDA ELD handling (thus, HDMI audio) on gt215
+
+From: Alastair Bridgewater
+
+commit d347583a39e2df609a9e40c835f72d3614665b53 upstream.
+
+Store the ELD correctly, not just enough copies of the first byte
+to pad out the given ELD size.
+
+Signed-off-by: Alastair Bridgewater
+Fixes: 120b0c39c756 ("drm/nv50-/disp: audit and version SOR_HDA_ELD method")
+Reviewed-by: Ilia Mirkin
+Signed-off-by: Ben Skeggs
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/nouveau/nvkm/engine/disp/hdagt215.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/hdagt215.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/hdagt215.c
+@@ -59,7 +59,7 @@ gt215_hda_eld(NV50_DISP_MTHD_V1)
+ );
+ }
+ for (i = 0; i < size; i++)
+- nvkm_wr32(device, 0x61c440 + soff, (i << 8) | args->v0.data[0]);
++ nvkm_wr32(device, 0x61c440 + soff, (i << 8) | args->v0.data[i]);
+ for (; i < 0x60; i++)
+ nvkm_wr32(device, 0x61c440 + soff, (i << 8));
+ nvkm_mask(device, 0x61c448 + soff, 0x80000003, 0x80000003);
diff --git a/queue-4.4/drm-nouveau-nv1a-nv1f-disp-fix-memory-clock-rate-retrieval.patch b/queue-4.4/drm-nouveau-nv1a-nv1f-disp-fix-memory-clock-rate-retrieval.patch
new file mode 100644
index 00000000000..ec06f5e79ca
--- /dev/null
+++ b/queue-4.4/drm-nouveau-nv1a-nv1f-disp-fix-memory-clock-rate-retrieval.patch
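Review bot: With the first loop in gt215_hda_eld() now reading `args->v0.data[i]` for every `i < size`, the bound on `size` becomes a memory-safety requirement, and that bound is not visible in this hunk. Before the change only `data[0]` was read, so an oversized `size` could not read past the supplied ELD payload. The start of the function lies outside the hunk; confirm that `size` is checked there against both the payload length actually received and the 0x60 limit used by the padding loop. If it is, a short comment above the loop such as `/* size <= 0x60 and <= payload length, checked above */` would make the dependency explicit.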
@@ -0,0 +1,42 @@
+From 24bf7ae359b8cca165bb30742d2b1c03a1eb23af Mon Sep 17 00:00:00 2001
+From: Ilia Mirkin
+Date: Thu, 19 Jan 2017 22:56:30 -0500
+Subject: drm/nouveau/nv1a,nv1f/disp: fix memory clock rate retrieval
+
+From: Ilia Mirkin
+
+commit 24bf7ae359b8cca165bb30742d2b1c03a1eb23af upstream.
+
+Based on the xf86-video-nv code, NFORCE (NV1A) and NFORCE2 (NV1F) have a
+different way of retrieving clocks. See the
+nv_hw.c:nForceUpdateArbitrationSettings function in the original code
+for how these clocks were accessed.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=54587
+Signed-off-by: Ilia Mirkin
+Signed-off-by: Ben Skeggs
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/nouveau/dispnv04/hw.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/nouveau/dispnv04/hw.c
++++ b/drivers/gpu/drm/nouveau/dispnv04/hw.c
+@@ -222,6 +222,7 @@ nouveau_hw_get_clock(struct drm_device *
+ uint32_t mpllP;
+
+ pci_read_config_dword(pci_get_bus_and_slot(0, 3), 0x6c, &mpllP);
++ mpllP = (mpllP >> 8) & 0xf;
+ if (!mpllP)
+ mpllP = 4;
+
+@@ -232,7 +233,7 @@ nouveau_hw_get_clock(struct drm_device *
+ uint32_t clock;
+
+ pci_read_config_dword(pci_get_bus_and_slot(0, 5), 0x4c, &clock);
+- return clock;
++ return clock / 1000;
+ }
+
+ ret = nouveau_hw_get_pllvals(dev, plltype, &pllvals);
diff --git a/queue-4.4/ext4-validate-s_first_meta_bg-at-mount-time.patch b/queue-4.4/ext4-validate-s_first_meta_bg-at-mount-time.patch
new file mode 100644
index 00000000000..495f1255c9f
--- /dev/null
+++ b/queue-4.4/ext4-validate-s_first_meta_bg-at-mount-time.patch
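Review bot: The two new expressions in nouveau_hw_get_clock(), `mpllP = (mpllP >> 8) & 0xf;` and `return clock / 1000;`, use unexplained constants. Neither the register field selected by bits 11:8 of config offset 0x6c nor the unit conversion behind the division is stated in the code; the commit message only points at the xf86-video-nv source. A one-line comment on each, naming the field and the units before and after the division, would let a later reader verify them without that external reference. The function starts and ends outside both hunks.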
@@ -0,0 +1,68 @@
+From 3a4b77cd47bb837b8557595ec7425f281f2ca1fe Mon Sep 17 00:00:00 2001
+From: Eryu Guan
+Date: Thu, 1 Dec 2016 15:08:37 -0500
+Subject: ext4: validate s_first_meta_bg at mount time
+
+From: Eryu Guan
+
+commit 3a4b77cd47bb837b8557595ec7425f281f2ca1fe upstream.
+
+Ralf Spenneberg reported that he hit a kernel crash when mounting a
+modified ext4 image. And it turns out that kernel crashed when
+calculating fs overhead (ext4_calculate_overhead()), this is because
+the image has very large s_first_meta_bg (debug code shows it's
+842150400), and ext4 overruns the memory in count_overhead() when
+setting bitmap buffer, which is PAGE_SIZE.
+
+ext4_calculate_overhead():
+ buf = get_zeroed_page(GFP_NOFS); <=== PAGE_SIZE buffer
+ blks = count_overhead(sb, i, buf);
+
+count_overhead():
+ for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) { <=== j = 842150400
+ ext4_set_bit(EXT4_B2C(sbi, s++), buf); <=== buffer overrun
+ count++;
+ }
+
+This can be reproduced easily for me by this script:
+
+ #!/bin/bash
+ rm -f fs.img
+ mkdir -p /mnt/ext4
+ fallocate -l 16M fs.img
+ mke2fs -t ext4 -O bigalloc,meta_bg,^resize_inode -F fs.img
+ debugfs -w -R "ssv first_meta_bg 842150400" fs.img
+ mount -o loop fs.img /mnt/ext4
+
+Fix it by validating s_first_meta_bg first at mount time, and
+refusing to mount if its value exceeds the largest possible meta_bg
+number.
+
+Reported-by: Ralf Spenneberg
+Signed-off-by: Eryu Guan
+Signed-off-by: Theodore Ts'o
+Reviewed-by: Andreas Dilger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/super.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3663,6 +3663,15 @@ static int ext4_fill_super(struct super_
+ (EXT4_MAX_BLOCK_FILE_PHYS / EXT4_BLOCKS_PER_GROUP(sb)));
+ db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) /
+ EXT4_DESC_PER_BLOCK(sb);
++ if (ext4_has_feature_meta_bg(sb)) {
++ if (le32_to_cpu(es->s_first_meta_bg) >= db_count) {
++ ext4_msg(sb, KERN_WARNING,
++ "first meta block group too large: %u "
++ "(group descriptor block count %u)",
++ le32_to_cpu(es->s_first_meta_bg), db_count);
++ goto failed_mount;
++ }
++ }
+ sbi->s_group_desc = ext4_kvmalloc(db_count *
+ sizeof(struct buffer_head *),
+ GFP_KERNEL);
diff --git a/queue-4.4/pci-aspm-handle-pci-to-pcie-bridges-as-roots-of-pcie-hierarchies.patch b/queue-4.4/pci-aspm-handle-pci-to-pcie-bridges-as-roots-of-pcie-hierarchies.patch
new file mode 100644
index 00000000000..98c5537b41c
--- /dev/null
+++ b/queue-4.4/pci-aspm-handle-pci-to-pcie-bridges-as-roots-of-pcie-hierarchies.patch
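Review bot: The new check in ext4_fill_super() rejects `s_first_meta_bg >= db_count`, while the commit message says the mount is refused when the value "exceeds" the largest possible meta_bg number, so the boundary case `s_first_meta_bg == db_count` is handled differently from what the description implies. If equality is a state a valid filesystem can reach, this hardening check would refuse to mount good images; please confirm, and if so use `if (le32_to_cpu(es->s_first_meta_bg) > db_count) {`. Since the field comes straight from the on-disk superblock, a short comment above the block saying that it protects the PAGE_SIZE bitmap used by count_overhead() would also record why it exists. The function continues outside the hunk.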
@@ -0,0 +1,79 @@
+From 030305d69fc6963c16003f50d7e8d74b02d0a143 Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas
+Date: Fri, 27 Jan 2017 15:00:45 -0600
+Subject: PCI/ASPM: Handle PCI-to-PCIe bridges as roots of PCIe hierarchies
+
+From: Bjorn Helgaas
+
+commit 030305d69fc6963c16003f50d7e8d74b02d0a143 upstream.
+
+In a struct pcie_link_state, link->root points to the pcie_link_state of
+the root of the PCIe hierarchy. For the topmost link, this points to
+itself (link->root = link). For others, we copy the pointer from the
+parent (link->root = link->parent->root).
+
+Previously we recognized that Root Ports originated PCIe hierarchies, but
+we treated PCI/PCI-X to PCIe Bridges as being in the middle of the
+hierarchy, and when we tried to copy the pointer from link->parent->root,
+there was no parent, and we dereferenced a NULL pointer:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000090
+ IP: [] pcie_aspm_init_link_state+0x170/0x820
+
+Recognize that PCI/PCI-X to PCIe Bridges originate PCIe hierarchies just
+like Root Ports do, so link->root for these devices should also point to
+itself.
+
+Fixes: 51ebfc92b72b ("PCI: Enumerate switches below PCI-to-PCIe bridges")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=193411
+Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1022181
+Tested-by: lists@ssl-mail.com
+Tested-by: Jayachandran C.
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/pcie/aspm.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/drivers/pci/pcie/aspm.c
++++ b/drivers/pci/pcie/aspm.c
+@@ -518,25 +518,32 @@ static struct pcie_link_state *alloc_pci
+ link = kzalloc(sizeof(*link), GFP_KERNEL);
+ if (!link)
+ return NULL;
++
+ INIT_LIST_HEAD(&link->sibling);
+ INIT_LIST_HEAD(&link->children);
+ INIT_LIST_HEAD(&link->link);
+ link->pdev = pdev;
+- if (pci_pcie_type(pdev) != PCI_EXP_TYPE_ROOT_PORT) {
++
++ /*
++ * Root Ports and PCI/PCI-X to PCIe Bridges are roots of PCIe
++ * hierarchies.
++ */
++ if (pci_pcie_type(pdev) == PCI_EXP_TYPE_ROOT_PORT ||
++ pci_pcie_type(pdev) == PCI_EXP_TYPE_PCIE_BRIDGE) {
++ link->root = link;
++ } else {
+ struct pcie_link_state *parent;
++
+ parent = pdev->bus->parent->self->link_state;
+ if (!parent) {
+ kfree(link);
+ return NULL;
+ }
++
+ link->parent = parent;
++ link->root = link->parent->root;
+ list_add(&link->link, &parent->children);
+ }
+- /* Setup a pointer to the root port link */
+- if (!link->parent)
+- link->root = link;
+- else
+- link->root = link->parent->root;
+
+ list_add(&link->sibling, &link_list);
+ pdev->link_state = link;
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644
index 00000000000..e038dc002f6
--- /dev/null
+++ b/queue-4.4/series
@@ -0,0 +1,6 @@
+pci-aspm-handle-pci-to-pcie-bridges-as-roots-of-pcie-hierarchies.patch
+ext4-validate-s_first_meta_bg-at-mount-time.patch
+drm-nouveau-disp-gt215-fix-hda-eld-handling-thus-hdmi-audio-on-gt215.patch
+drm-nouveau-nv1a-nv1f-disp-fix-memory-clock-rate-retrieval.patch
+crypto-api-clear-crypto_alg_dead-bit-before-registering-an-alg.patch
+crypto-arm64-aes-blk-honour-iv_out-requirement-in-cbc-and-ctr-modes.patch
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644
index 00000000000..a571b54bd51
--- /dev/null
+++ b/queue-4.9/series
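Review bot: The `else` branch in alloc_pcie_link_state() (aspm.c patch) still evaluates `pdev->bus->parent->self->link_state` without checking any pointer in the chain, so the fix only covers the two port types named in the new condition. Any other device that reaches this function with no upstream bridge, that is with `pdev->bus->parent` or its `self` being NULL, would hit the same NULL dereference the commit message describes. I would guard the chain before use, e.g. `if (!pdev->bus->parent || !pdev->bus->parent->self) { kfree(link); return NULL; }`, or treat that case as a hierarchy root as well if that is the intended topology. The function starts and ends outside the hunk.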
@@ -0,0 +1,13 @@
+pci-aspm-handle-pci-to-pcie-bridges-as-roots-of-pcie-hierarchies.patch
+ext4-validate-s_first_meta_bg-at-mount-time.patch
+x86-efi-always-map-the-first-physical-page-into-the-efi-pagetables.patch
+efi-fdt-avoid-fdt-manipulation-after-exitbootservices.patch
+xtensa-fix-nommu-build-on-cores-with-mmu.patch
+hid-cp2112-fix-sleep-while-atomic.patch
+hid-cp2112-fix-gpio-callback-error-handling.patch
+pinctrl-baytrail-add-missing-spinlock-usage-in-byt_gpio_irq_handler.patch
+drm-amdgpu-si-fix-crash-on-headless-asics.patch
+drm-nouveau-disp-gt215-fix-hda-eld-handling-thus-hdmi-audio-on-gt215.patch
+drm-nouveau-nv1a-nv1f-disp-fix-memory-clock-rate-retrieval.patch
+crypto-api-clear-crypto_alg_dead-bit-before-registering-an-alg.patch
+crypto-arm64-aes-blk-honour-iv_out-requirement-in-cbc-and-ctr-modes.patch