From: Greg Kroah-Hartman Date: Fri, 11 Sep 2015 06:21:32 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.10.88~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e6ca47037115a783d2bf6fae9a024f0ce7177a85;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: crypto-caam-fix-memory-corruption-in-ahash_final_ctx.patch libfc-fix-fc_exch_recv_req-error-path.patch libfc-fix-fc_fcp_cleanup_each_cmd.patch regmap-regcache-rbtree-clean-new-present-bits-on-present-bitmap-resize.patch
---
diff --git a/queue-3.14/crypto-caam-fix-memory-corruption-in-ahash_final_ctx.patch b/queue-3.14/crypto-caam-fix-memory-corruption-in-ahash_final_ctx.patch
new file mode 100644
index 00000000000..06feb719a51
--- /dev/null
+++ b/queue-3.14/crypto-caam-fix-memory-corruption-in-ahash_final_ctx.patch
@@ -0,0 +1,50 @@
+From b310c178e6d897f82abb9da3af1cd7c02b09f592 Mon Sep 17 00:00:00 2001
+From: Horia Geant?
+Date: Tue, 11 Aug 2015 20:19:20 +0300
+Subject: crypto: caam - fix memory corruption in ahash_final_ctx
+
+From: Horia Geant?
+
+commit b310c178e6d897f82abb9da3af1cd7c02b09f592 upstream.
+
+When doing pointer operation for accessing the HW S/G table,
+a value representing number of entries (and not number of bytes)
+must be used.
+
+Fixes: 045e36780f115 ("crypto: caam - ahash hmac support")
+Signed-off-by: Horia Geant?
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/caam/caamhash.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/crypto/caam/caamhash.c
++++ b/drivers/crypto/caam/caamhash.c
+@@ -900,13 +900,14 @@ static int ahash_final_ctx(struct ahash_
+ state->buflen_1;
+ u32 *sh_desc = ctx->sh_desc_fin, *desc;
+ dma_addr_t ptr = ctx->sh_desc_fin_dma;
+- int sec4_sg_bytes;
++ int sec4_sg_bytes, sec4_sg_src_index;
+ int digestsize = crypto_ahash_digestsize(ahash);
+ struct ahash_edesc *edesc;
+ int ret = 0;
+ int sh_len;
+
+- sec4_sg_bytes = (1 + (buflen ? 1 : 0)) * sizeof(struct sec4_sg_entry);
++ sec4_sg_src_index = 1 + (buflen ? 1 : 0);
++ sec4_sg_bytes = sec4_sg_src_index * sizeof(struct sec4_sg_entry);
+
+ /* allocate space for base edesc and hw desc commands, link tables */
+ edesc = kmalloc(sizeof(struct ahash_edesc) + DESC_JOB_IO_LEN +
+@@ -933,7 +934,7 @@ static int ahash_final_ctx(struct ahash_
+ state->buf_dma = try_buf_map_to_sec4_sg(jrdev, edesc->sec4_sg + 1,
+ buf, state->buf_dma, buflen,
+ last_buflen);
+- (edesc->sec4_sg + sec4_sg_bytes - 1)->len |= SEC4_SG_LEN_FIN;
++ (edesc->sec4_sg + sec4_sg_src_index - 1)->len |= SEC4_SG_LEN_FIN;
+
+ append_seq_in_ptr(desc, edesc->sec4_sg_dma, ctx->ctx_len + buflen,
+ LDST_SGF);
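Review bot: In the queued caamhash.c change, `sec4_sg_src_index` in ahash_final_ctx() holds the number of S/G entries (`1 + (buflen ? 1 : 0)`), not an index, and nothing near `(edesc->sec4_sg + sec4_sg_src_index - 1)->len |= SEC4_SG_LEN_FIN;` records why an entry count rather than a byte count has to be used there. The removed line added a byte count to a `struct sec4_sg_entry` pointer, so the FIN flag was written at an offset scaled by the entry size a second time, presumably past the end of the link table. I would add a comment at the assignment such as `/* entry count, not bytes: arithmetic on edesc->sec4_sg already scales by the entry size */`. Only ahash_final_ctx() is visible here and its body starts and ends outside both hunks, so it would be worth checking whether other code in the 3.14 file adds `sec4_sg_bytes` to a `sec4_sg` pointer in the same way.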
diff --git a/queue-3.14/libfc-fix-fc_exch_recv_req-error-path.patch b/queue-3.14/libfc-fix-fc_exch_recv_req-error-path.patch
new file mode 100644
index 00000000000..75dbb825fdb
--- /dev/null
+++ b/queue-3.14/libfc-fix-fc_exch_recv_req-error-path.patch
@@ -0,0 +1,63 @@
+From f6979adeaab578f8ca14fdd32b06ddee0d9d3314 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Fri, 5 Jun 2015 14:20:46 -0700
+Subject: libfc: Fix fc_exch_recv_req() error path
+
+From: Bart Van Assche
+
+commit f6979adeaab578f8ca14fdd32b06ddee0d9d3314 upstream.
+
+Due to patch "libfc: Do not invoke the response handler after
+fc_exch_done()" (commit ID 7030fd62) the lport_recv() call
+in fc_exch_recv_req() is passed a dangling pointer. Avoid this
+by moving the fc_frame_free() call from fc_invoke_resp() to its
+callers. This patch fixes the following crash:
+
+general protection fault: 0000 [#3] PREEMPT SMP
+RIP: fc_lport_recv_req+0x72/0x280 [libfc]
+Call Trace:
+ fc_exch_recv+0x642/0xde0 [libfc]
+ fcoe_percpu_receive_thread+0x46a/0x5ed [fcoe]
+ kthread+0x10a/0x120
+ ret_from_fork+0x42/0x70
+
+Signed-off-by: Bart Van Assche
+Signed-off-by: Vasu Dev
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/libfc/fc_exch.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/libfc/fc_exch.c
++++ b/drivers/scsi/libfc/fc_exch.c
+@@ -733,8 +733,6 @@ static bool fc_invoke_resp(struct fc_exc
+ if (resp) {
+ resp(sp, fp, arg);
+ res = true;
+- } else if (!IS_ERR(fp)) {
+- fc_frame_free(fp);
+ }
+
+ spin_lock_bh(&ep->ex_lock);
+@@ -1596,7 +1594,8 @@ static void fc_exch_recv_seq_resp(struct
+ * If new exch resp handler is valid then call that
+ * first.
+ */
+- fc_invoke_resp(ep, sp, fp);
++ if (!fc_invoke_resp(ep, sp, fp))
++ fc_frame_free(fp);
+
+ fc_exch_release(ep);
+ return;
+@@ -1695,7 +1694,8 @@ static void fc_exch_abts_resp(struct fc_
+ fc_exch_hold(ep);
+ if (!rc)
+ fc_exch_delete(ep);
+- fc_invoke_resp(ep, sp, fp);
++ if (!fc_invoke_resp(ep, sp, fp))
++ fc_frame_free(fp);
+ if (has_rec)
+ fc_exch_timer_set(ep, ep->r_a_tov);
+ fc_exch_release(ep);
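Review bot: The `!IS_ERR(fp)` guard that used to protect fc_frame_free() inside fc_invoke_resp() is not carried over to the two new call sites, `if (!fc_invoke_resp(ep, sp, fp)) fc_frame_free(fp);` in fc_exch_recv_seq_resp() and fc_exch_abts_resp(). Both presumably only ever hold a real received frame, but that is not visible in these hunks, and any caller that hands fc_invoke_resp() an ERR_PTR value now has to know that it must not free it. Since frame ownership is exactly what produced the dangling pointer described in the commit message, I would state the new rule in the function's header comment, e.g. `/* Returns true if the response handler was called and is then responsible for fp; on false the caller still owns fp and frees it unless it is an ERR_PTR. */`. All three functions begin and end outside the hunks shown.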
diff --git a/queue-3.14/libfc-fix-fc_fcp_cleanup_each_cmd.patch b/queue-3.14/libfc-fix-fc_fcp_cleanup_each_cmd.patch
new file mode 100644
index 00000000000..46715771bbd
--- /dev/null
+++ b/queue-3.14/libfc-fix-fc_fcp_cleanup_each_cmd.patch
@@ -0,0 +1,76 @@
+From 8f2777f53e3d5ad8ef2a176a4463a5c8e1a16431 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Fri, 5 Jun 2015 14:20:51 -0700
+Subject: libfc: Fix fc_fcp_cleanup_each_cmd()
+
+From: Bart Van Assche
+
+commit 8f2777f53e3d5ad8ef2a176a4463a5c8e1a16431 upstream.
+
+Since fc_fcp_cleanup_cmd() can sleep this function must not
+be called while holding a spinlock. This patch avoids that
+fc_fcp_cleanup_each_cmd() triggers the following bug:
+
+BUG: scheduling while atomic: sg_reset/1512/0x00000202
+1 lock held by sg_reset/1512:
+ #0: (&(&fsp->scsi_pkt_lock)->rlock){+.-...}, at: [] fc_fcp_cleanup_each_cmd.isra.21+0xa5/0x150 [libfc]
+Preemption disabled at:[] fc_fcp_cleanup_each_cmd.isra.21+0xa5/0x150 [libfc]
+Call Trace:
+ [] dump_stack+0x4f/0x7b
+ [] __schedule_bug+0x6c/0xd0
+ [] __schedule+0x71a/0xa10
+ [] schedule+0x32/0x80
+ [] fc_seq_set_resp+0xac/0x100 [libfc]
+ [] fc_exch_done+0x41/0x60 [libfc]
+ [] fc_fcp_cleanup_each_cmd.isra.21+0xcf/0x150 [libfc]
+ [] fc_eh_device_reset+0x1c3/0x270 [libfc]
+ [] scsi_try_bus_device_reset+0x29/0x60
+ [] scsi_ioctl_reset+0x258/0x2d0
+ [] scsi_ioctl+0x150/0x440
+ [] sd_ioctl+0xad/0x120
+ [] blkdev_ioctl+0x1b6/0x810
+ [] block_ioctl+0x38/0x40
+ [] do_vfs_ioctl+0x2f8/0x530
+ [] SyS_ioctl+0x81/0xa0
+ [] system_call_fastpath+0x16/0x7a
+
+Signed-off-by: Bart Van Assche
+Signed-off-by: Vasu Dev
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/libfc/fc_fcp.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/libfc/fc_fcp.c
++++ b/drivers/scsi/libfc/fc_fcp.c
+@@ -1039,11 +1039,26 @@ restart:
+ fc_fcp_pkt_hold(fsp);
+ spin_unlock_irqrestore(&si->scsi_queue_lock, flags);
+
+- if (!fc_fcp_lock_pkt(fsp)) {
++ spin_lock_bh(&fsp->scsi_pkt_lock);
++ if (!(fsp->state & FC_SRB_COMPL)) {
++ fsp->state |= FC_SRB_COMPL;
++ /*
++ * TODO: dropping scsi_pkt_lock and then reacquiring
++ * again around fc_fcp_cleanup_cmd() is required,
++ * since fc_fcp_cleanup_cmd() calls into
++ * fc_seq_set_resp() and that func preempts cpu using
++ * schedule. May be schedule and related code should be
++ * removed instead of unlocking here to avoid scheduling
++ * while atomic bug.
++ */
++ spin_unlock_bh(&fsp->scsi_pkt_lock);
++
+ fc_fcp_cleanup_cmd(fsp, error);
++
++ spin_lock_bh(&fsp->scsi_pkt_lock);
+ fc_io_compl(fsp);
+- fc_fcp_unlock_pkt(fsp);
+ }
++ spin_unlock_bh(&fsp->scsi_pkt_lock);
+
+ fc_fcp_pkt_release(fsp);
+ spin_lock_irqsave(&si->scsi_queue_lock, flags);
diff --git a/queue-3.14/regmap-regcache-rbtree-clean-new-present-bits-on-present-bitmap-resize.patch b/queue-3.14/regmap-regcache-rbtree-clean-new-present-bits-on-present-bitmap-resize.patch
new file mode 100644
index 00000000000..15aea88166d
--- /dev/null
+++ b/queue-3.14/regmap-regcache-rbtree-clean-new-present-bits-on-present-bitmap-resize.patch
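Review bot: In the queued fc_fcp.c change, the block comment added before `spin_unlock_bh(&fsp->scsi_pkt_lock);` is tagged TODO and explains why the lock is dropped, but it does not say what keeps fsp consistent while fc_fcp_cleanup_cmd() runs unlocked. From the visible lines the protection appears to be the reference taken by `fc_fcp_pkt_hold(fsp)` together with `fsp->state |= FC_SRB_COMPL;` being set before the unlock, which only works if every other path tests FC_SRB_COMPL under scsi_pkt_lock before touching the packet; that is not shown here and should be confirmed against the 3.14 tree. I would add a sentence to the comment such as `FC_SRB_COMPL is already set and a reference is held, so concurrent paths are expected to back off while the lock is dropped.` The enclosing function starts before the `restart:` label and continues past the end of this hunk.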
@@ -0,0 +1,55 @@
+From 8ef9724bf9718af81cfc5132253372f79c71b7e2 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck
+Date: Sun, 26 Jul 2015 21:34:50 -0700
+Subject: regmap: regcache-rbtree: Clean new present bits on present bitmap resize
+
+From: Guenter Roeck
+
+commit 8ef9724bf9718af81cfc5132253372f79c71b7e2 upstream.
+
+When inserting a new register into a block, the present bit map size is
+increased using krealloc. krealloc does not clear the additionally
+allocated memory, leaving it filled with random values. Result is that
+some registers are considered cached even though this is not the case.
+
+Fix the problem by clearing the additionally allocated memory. Also, if
+the bitmap size does not increase, do not reallocate the bitmap at all
+to reduce overhead.
+
+Fixes: 3f4ff561bc88 ("regmap: rbtree: Make cache_present bitmap per node")
+Signed-off-by: Guenter Roeck
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/regmap/regcache-rbtree.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/base/regmap/regcache-rbtree.c
++++ b/drivers/base/regmap/regcache-rbtree.c
+@@ -302,11 +302,20 @@ static int regcache_rbtree_insert_to_blo
+ if (!blk)
+ return -ENOMEM;
+
+- present = krealloc(rbnode->cache_present,
+- BITS_TO_LONGS(blklen) * sizeof(*present), GFP_KERNEL);
+- if (!present) {
+- kfree(blk);
+- return -ENOMEM;
++ if (BITS_TO_LONGS(blklen) > BITS_TO_LONGS(rbnode->blklen)) {
++ present = krealloc(rbnode->cache_present,
++ BITS_TO_LONGS(blklen) * sizeof(*present),
++ GFP_KERNEL);
++ if (!present) {
++ kfree(blk);
++ return -ENOMEM;
++ }
++
++ memset(present + BITS_TO_LONGS(rbnode->blklen), 0,
++ (BITS_TO_LONGS(blklen) - BITS_TO_LONGS(rbnode->blklen))
++ * sizeof(*present));
++ } else {
++ present = rbnode->cache_present;
+ }
+
+ /* insert the register value in the correct place in the rbnode block */
diff --git a/queue-3.14/series b/queue-3.14/series
index 72614edbf1d..265f2733879 100644
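Review bot: In the queued regcache-rbtree.c change, the error path `kfree(blk); return -ENOMEM;` kept inside the new `if (BITS_TO_LONGS(blklen) > BITS_TO_LONGS(rbnode->blklen))` branch looks unsafe if blk comes from a krealloc() of rbnode->block, which the `if (!blk)` check at the top of the hunk suggests but the hunk does not show. In that case the old block has already been released or is the same pointer as blk, so freeing blk would leave rbnode->block dangling, and a later access or free through the node would be a use-after-free or double free. Storing the pointer as soon as the first allocation succeeds, `rbnode->block = blk;`, and reducing this failure path to `return -ENOMEM;` would avoid that. The function starts and ends outside the hunk, so the allocation of blk should be checked in the 3.14 source before queuing.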
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -9,3 +9,7 @@ localmodconfig-use-kbuild-files-too.patch
 edac-ppc4xx-access-mci-csrows-array-elements-properly.patch
 drm-radeon-add-new-oland-pci-id.patch
 drm-vmwgfx-fix-execbuf-locking-issues.patch
+libfc-fix-fc_exch_recv_req-error-path.patch
+libfc-fix-fc_fcp_cleanup_each_cmd.patch
+regmap-regcache-rbtree-clean-new-present-bits-on-present-bitmap-resize.patch
+crypto-caam-fix-memory-corruption-in-ahash_final_ctx.patch