From: Greg Kroah-Hartman Date: Tue, 19 Mar 2019 18:31:31 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v3.18.137~87 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eedc26968aadafe6148c799f68fc66096133b3d8;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: 9p-net-fix-memory-leak-in-p9_client_create.patch 9p-use-inode-i_lock-to-protect-i_size_write-under-32-bit.patch asoc-codecs-pcm186x-fix-energysense-sleep-bit.patch asoc-codecs-pcm186x-fix-wrong-usage-of-declare_tlv_db_scale.patch asoc-fsl_esai-fix-register-setting-issue-in-right_j-mode.patch crypto-ahash-fix-another-early-termination-in-hash-walk.patch crypto-caam-fix-dma-mapping-of-stack-memory.patch crypto-caam-fix-hash-context-dma-unmap-size.patch crypto-caam-fixed-handling-of-sg-list.patch crypto-ccree-don-t-copy-zero-size-ciphertext.patch crypto-ccree-fix-free-of-unallocated-mlli-buffer.patch crypto-ccree-fix-missing-break-in-switch-statement.patch crypto-ccree-unmap-buffer-before-copying-iv.patch crypto-cfb-add-missing-chunksize-property.patch crypto-cfb-remove-bogus-memcpy-with-src-dest.patch crypto-rockchip-fix-scatterlist-nents-error.patch crypto-rockchip-update-new-iv-to-device-in-multiple-operations.patch iio-adc-exynos-adc-fix-null-pointer-exception-on-unbind.patch mei-bus-move-hw-module-get-put-to-probe-release.patch mei-hbm-clean-the-feature-flags-on-link-reset.patch stm-class-fix-an-endless-loop-in-channel-allocation.patch --- diff --git a/queue-4.19/9p-net-fix-memory-leak-in-p9_client_create.patch b/queue-4.19/9p-net-fix-memory-leak-in-p9_client_create.patch new file mode 100644 index 00000000000..2eb6474e4b7 --- /dev/null +++ b/queue-4.19/9p-net-fix-memory-leak-in-p9_client_create.patch @@ -0,0 +1,35 @@ +From bb06c388fa20ae24cfe80c52488de718a7e3a53f Mon Sep 17 00:00:00 2001 +From: zhengbin +Date: Wed, 13 Mar 2019 16:01:37 +0800 +Subject: 9p/net: fix memory leak in p9_client_create + +From: zhengbin + +commit bb06c388fa20ae24cfe80c52488de718a7e3a53f upstream. + +If msize is less than 4096, we should close and put trans, destroy +tagpool, not just free client. This patch fixes that. + +Link: http://lkml.kernel.org/m/1552464097-142659-1-git-send-email-zhengbin13@huawei.com +Cc: stable@vger.kernel.org +Fixes: 574d356b7a02 ("9p/net: put a lower bound on msize") +Reported-by: Hulk Robot +Signed-off-by: zhengbin +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman + +--- + net/9p/client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -1073,7 +1073,7 @@ struct p9_client *p9_client_create(const + p9_debug(P9_DEBUG_ERROR, + "Please specify a msize of at least 4k\n"); + err = -EINVAL; +- goto free_client; ++ goto close_trans; + } + + err = p9_client_version(clnt); diff --git a/queue-4.19/9p-use-inode-i_lock-to-protect-i_size_write-under-32-bit.patch b/queue-4.19/9p-use-inode-i_lock-to-protect-i_size_write-under-32-bit.patch new file mode 100644 index 00000000000..b1cdfa1f0a3 --- /dev/null +++ b/queue-4.19/9p-use-inode-i_lock-to-protect-i_size_write-under-32-bit.patch @@ -0,0 +1,318 @@ +From 5e3cc1ee1405a7eb3487ed24f786dec01b4cbe1f Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Thu, 24 Jan 2019 14:35:13 +0800 +Subject: 9p: use inode->i_lock to protect i_size_write() under 32-bit + +From: Hou Tao + +commit 5e3cc1ee1405a7eb3487ed24f786dec01b4cbe1f upstream. + +Use inode->i_lock to protect i_size_write(), else i_size_read() in +generic_fillattr() may loop infinitely in read_seqcount_begin() when +multiple processes invoke v9fs_vfs_getattr() or v9fs_vfs_getattr_dotl() +simultaneously under 32-bit SMP environment, and a soft lockup will be +triggered as show below: + + watchdog: BUG: soft lockup - CPU#5 stuck for 22s! [stat:2217] + Modules linked in: + CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-00005-g7f702faf5a9e #4 + Hardware name: Generic DT based system + PC is at generic_fillattr+0x104/0x108 + LR is at 0xec497f00 + pc : [<802b8898>] lr : [] psr: 200c0013 + sp : ec497e20 ip : ed608030 fp : ec497e3c + r10: 00000000 r9 : ec497f00 r8 : ed608030 + r7 : ec497ebc r6 : ec497f00 r5 : ee5c1550 r4 : ee005780 + r3 : 0000052d r2 : 00000000 r1 : ec497f00 r0 : ed608030 + Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none + Control: 10c5387d Table: ac48006a DAC: 00000051 + CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-00005-g7f702faf5a9e #4 + Hardware name: Generic DT based system + Backtrace: + [<8010d974>] (dump_backtrace) from [<8010dc88>] (show_stack+0x20/0x24) + [<8010dc68>] (show_stack) from [<80a1d194>] (dump_stack+0xb0/0xdc) + [<80a1d0e4>] (dump_stack) from [<80109f34>] (show_regs+0x1c/0x20) + [<80109f18>] (show_regs) from [<801d0a80>] (watchdog_timer_fn+0x280/0x2f8) + [<801d0800>] (watchdog_timer_fn) from [<80198658>] (__hrtimer_run_queues+0x18c/0x380) + [<801984cc>] (__hrtimer_run_queues) from [<80198e60>] (hrtimer_run_queues+0xb8/0xf0) + [<80198da8>] (hrtimer_run_queues) from [<801973e8>] (run_local_timers+0x28/0x64) + [<801973c0>] (run_local_timers) from [<80197460>] (update_process_times+0x3c/0x6c) + [<80197424>] (update_process_times) from [<801ab2b8>] (tick_nohz_handler+0xe0/0x1bc) + [<801ab1d8>] (tick_nohz_handler) from [<80843050>] (arch_timer_handler_virt+0x38/0x48) + [<80843018>] (arch_timer_handler_virt) from [<80180a64>] (handle_percpu_devid_irq+0x8c/0x240) + [<801809d8>] (handle_percpu_devid_irq) from [<8017ac20>] (generic_handle_irq+0x34/0x44) + [<8017abec>] (generic_handle_irq) from [<8017b344>] (__handle_domain_irq+0x6c/0xc4) + [<8017b2d8>] (__handle_domain_irq) from [<801022e0>] (gic_handle_irq+0x4c/0x88) + [<80102294>] (gic_handle_irq) from [<80101a30>] (__irq_svc+0x70/0x98) + [<802b8794>] (generic_fillattr) from [<8056b284>] (v9fs_vfs_getattr_dotl+0x74/0xa4) + [<8056b210>] (v9fs_vfs_getattr_dotl) from [<802b8904>] (vfs_getattr_nosec+0x68/0x7c) + [<802b889c>] (vfs_getattr_nosec) from [<802b895c>] (vfs_getattr+0x44/0x48) + [<802b8918>] (vfs_getattr) from [<802b8a74>] (vfs_statx+0x9c/0xec) + [<802b89d8>] (vfs_statx) from [<802b9428>] (sys_lstat64+0x48/0x78) + [<802b93e0>] (sys_lstat64) from [<80101000>] (ret_fast_syscall+0x0/0x28) + +[dominique.martinet@cea.fr: updated comment to not refer to a function +in another subsystem] +Link: http://lkml.kernel.org/r/20190124063514.8571-2-houtao1@huawei.com +Cc: stable@vger.kernel.org +Fixes: 7549ae3e81cc ("9p: Use the i_size_[read, write]() macros instead of using inode->i_size directly.") +Reported-by: Xing Gaopeng +Signed-off-by: Hou Tao +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman + +--- + fs/9p/v9fs_vfs.h | 23 +++++++++++++++++++++-- + fs/9p/vfs_file.c | 6 +++++- + fs/9p/vfs_inode.c | 23 +++++++++++------------ + fs/9p/vfs_inode_dotl.c | 27 ++++++++++++++------------- + fs/9p/vfs_super.c | 4 ++-- + 5 files changed, 53 insertions(+), 30 deletions(-) + +--- a/fs/9p/v9fs_vfs.h ++++ b/fs/9p/v9fs_vfs.h +@@ -40,6 +40,9 @@ + */ + #define P9_LOCK_TIMEOUT (30*HZ) + ++/* flags for v9fs_stat2inode() & v9fs_stat2inode_dotl() */ ++#define V9FS_STAT2INODE_KEEP_ISIZE 1 ++ + extern struct file_system_type v9fs_fs_type; + extern const struct address_space_operations v9fs_addr_operations; + extern const struct file_operations v9fs_file_operations; +@@ -61,8 +64,10 @@ int v9fs_init_inode(struct v9fs_session_ + struct inode *inode, umode_t mode, dev_t); + void v9fs_evict_inode(struct inode *inode); + ino_t v9fs_qid2ino(struct p9_qid *qid); +-void v9fs_stat2inode(struct p9_wstat *, struct inode *, struct super_block *); +-void v9fs_stat2inode_dotl(struct p9_stat_dotl *, struct inode *); ++void v9fs_stat2inode(struct p9_wstat *stat, struct inode *inode, ++ struct super_block *sb, unsigned int flags); ++void v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode, ++ unsigned int flags); + int v9fs_dir_release(struct inode *inode, struct file *filp); + int v9fs_file_open(struct inode *inode, struct file *file); + void v9fs_inode2stat(struct inode *inode, struct p9_wstat *stat); +@@ -83,4 +88,18 @@ static inline void v9fs_invalidate_inode + } + + int v9fs_open_to_dotl_flags(int flags); ++ ++static inline void v9fs_i_size_write(struct inode *inode, loff_t i_size) ++{ ++ /* ++ * 32-bit need the lock, concurrent updates could break the ++ * sequences and make i_size_read() loop forever. ++ * 64-bit updates are atomic and can skip the locking. ++ */ ++ if (sizeof(i_size) > sizeof(long)) ++ spin_lock(&inode->i_lock); ++ i_size_write(inode, i_size); ++ if (sizeof(i_size) > sizeof(long)) ++ spin_unlock(&inode->i_lock); ++} + #endif +--- a/fs/9p/vfs_file.c ++++ b/fs/9p/vfs_file.c +@@ -442,7 +442,11 @@ v9fs_file_write_iter(struct kiocb *iocb, + i_size = i_size_read(inode); + if (iocb->ki_pos > i_size) { + inode_add_bytes(inode, iocb->ki_pos - i_size); +- i_size_write(inode, iocb->ki_pos); ++ /* ++ * Need to serialize against i_size_write() in ++ * v9fs_stat2inode() ++ */ ++ v9fs_i_size_write(inode, iocb->ki_pos); + } + return retval; + } +--- a/fs/9p/vfs_inode.c ++++ b/fs/9p/vfs_inode.c +@@ -538,7 +538,7 @@ static struct inode *v9fs_qid_iget(struc + if (retval) + goto error; + +- v9fs_stat2inode(st, inode, sb); ++ v9fs_stat2inode(st, inode, sb, 0); + v9fs_cache_inode_get_cookie(inode); + unlock_new_inode(inode); + return inode; +@@ -1092,7 +1092,7 @@ v9fs_vfs_getattr(const struct path *path + if (IS_ERR(st)) + return PTR_ERR(st); + +- v9fs_stat2inode(st, d_inode(dentry), dentry->d_sb); ++ v9fs_stat2inode(st, d_inode(dentry), dentry->d_sb, 0); + generic_fillattr(d_inode(dentry), stat); + + p9stat_free(st); +@@ -1170,12 +1170,13 @@ static int v9fs_vfs_setattr(struct dentr + * @stat: Plan 9 metadata (mistat) structure + * @inode: inode to populate + * @sb: superblock of filesystem ++ * @flags: control flags (e.g. V9FS_STAT2INODE_KEEP_ISIZE) + * + */ + + void + v9fs_stat2inode(struct p9_wstat *stat, struct inode *inode, +- struct super_block *sb) ++ struct super_block *sb, unsigned int flags) + { + umode_t mode; + char ext[32]; +@@ -1216,10 +1217,11 @@ v9fs_stat2inode(struct p9_wstat *stat, s + mode = p9mode2perm(v9ses, stat); + mode |= inode->i_mode & ~S_IALLUGO; + inode->i_mode = mode; +- i_size_write(inode, stat->length); + ++ if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE)) ++ v9fs_i_size_write(inode, stat->length); + /* not real number of blocks, but 512 byte ones ... */ +- inode->i_blocks = (i_size_read(inode) + 512 - 1) >> 9; ++ inode->i_blocks = (stat->length + 512 - 1) >> 9; + v9inode->cache_validity &= ~V9FS_INO_INVALID_ATTR; + } + +@@ -1416,9 +1418,9 @@ int v9fs_refresh_inode(struct p9_fid *fi + { + int umode; + dev_t rdev; +- loff_t i_size; + struct p9_wstat *st; + struct v9fs_session_info *v9ses; ++ unsigned int flags; + + v9ses = v9fs_inode2v9ses(inode); + st = p9_client_stat(fid); +@@ -1431,16 +1433,13 @@ int v9fs_refresh_inode(struct p9_fid *fi + if ((inode->i_mode & S_IFMT) != (umode & S_IFMT)) + goto out; + +- spin_lock(&inode->i_lock); + /* + * We don't want to refresh inode->i_size, + * because we may have cached data + */ +- i_size = inode->i_size; +- v9fs_stat2inode(st, inode, inode->i_sb); +- if (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE) +- inode->i_size = i_size; +- spin_unlock(&inode->i_lock); ++ flags = (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE) ? ++ V9FS_STAT2INODE_KEEP_ISIZE : 0; ++ v9fs_stat2inode(st, inode, inode->i_sb, flags); + out: + p9stat_free(st); + kfree(st); +--- a/fs/9p/vfs_inode_dotl.c ++++ b/fs/9p/vfs_inode_dotl.c +@@ -143,7 +143,7 @@ static struct inode *v9fs_qid_iget_dotl( + if (retval) + goto error; + +- v9fs_stat2inode_dotl(st, inode); ++ v9fs_stat2inode_dotl(st, inode, 0); + v9fs_cache_inode_get_cookie(inode); + retval = v9fs_get_acl(inode, fid); + if (retval) +@@ -496,7 +496,7 @@ v9fs_vfs_getattr_dotl(const struct path + if (IS_ERR(st)) + return PTR_ERR(st); + +- v9fs_stat2inode_dotl(st, d_inode(dentry)); ++ v9fs_stat2inode_dotl(st, d_inode(dentry), 0); + generic_fillattr(d_inode(dentry), stat); + /* Change block size to what the server returned */ + stat->blksize = st->st_blksize; +@@ -607,11 +607,13 @@ int v9fs_vfs_setattr_dotl(struct dentry + * v9fs_stat2inode_dotl - populate an inode structure with stat info + * @stat: stat structure + * @inode: inode to populate ++ * @flags: ctrl flags (e.g. V9FS_STAT2INODE_KEEP_ISIZE) + * + */ + + void +-v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode) ++v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode, ++ unsigned int flags) + { + umode_t mode; + struct v9fs_inode *v9inode = V9FS_I(inode); +@@ -631,7 +633,8 @@ v9fs_stat2inode_dotl(struct p9_stat_dotl + mode |= inode->i_mode & ~S_IALLUGO; + inode->i_mode = mode; + +- i_size_write(inode, stat->st_size); ++ if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE)) ++ v9fs_i_size_write(inode, stat->st_size); + inode->i_blocks = stat->st_blocks; + } else { + if (stat->st_result_mask & P9_STATS_ATIME) { +@@ -661,8 +664,9 @@ v9fs_stat2inode_dotl(struct p9_stat_dotl + } + if (stat->st_result_mask & P9_STATS_RDEV) + inode->i_rdev = new_decode_dev(stat->st_rdev); +- if (stat->st_result_mask & P9_STATS_SIZE) +- i_size_write(inode, stat->st_size); ++ if (!(flags & V9FS_STAT2INODE_KEEP_ISIZE) && ++ stat->st_result_mask & P9_STATS_SIZE) ++ v9fs_i_size_write(inode, stat->st_size); + if (stat->st_result_mask & P9_STATS_BLOCKS) + inode->i_blocks = stat->st_blocks; + } +@@ -928,9 +932,9 @@ v9fs_vfs_get_link_dotl(struct dentry *de + + int v9fs_refresh_inode_dotl(struct p9_fid *fid, struct inode *inode) + { +- loff_t i_size; + struct p9_stat_dotl *st; + struct v9fs_session_info *v9ses; ++ unsigned int flags; + + v9ses = v9fs_inode2v9ses(inode); + st = p9_client_getattr_dotl(fid, P9_STATS_ALL); +@@ -942,16 +946,13 @@ int v9fs_refresh_inode_dotl(struct p9_fi + if ((inode->i_mode & S_IFMT) != (st->st_mode & S_IFMT)) + goto out; + +- spin_lock(&inode->i_lock); + /* + * We don't want to refresh inode->i_size, + * because we may have cached data + */ +- i_size = inode->i_size; +- v9fs_stat2inode_dotl(st, inode); +- if (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE) +- inode->i_size = i_size; +- spin_unlock(&inode->i_lock); ++ flags = (v9ses->cache == CACHE_LOOSE || v9ses->cache == CACHE_FSCACHE) ? ++ V9FS_STAT2INODE_KEEP_ISIZE : 0; ++ v9fs_stat2inode_dotl(st, inode, flags); + out: + kfree(st); + return 0; +--- a/fs/9p/vfs_super.c ++++ b/fs/9p/vfs_super.c +@@ -172,7 +172,7 @@ static struct dentry *v9fs_mount(struct + goto release_sb; + } + d_inode(root)->i_ino = v9fs_qid2ino(&st->qid); +- v9fs_stat2inode_dotl(st, d_inode(root)); ++ v9fs_stat2inode_dotl(st, d_inode(root), 0); + kfree(st); + } else { + struct p9_wstat *st = NULL; +@@ -183,7 +183,7 @@ static struct dentry *v9fs_mount(struct + } + + d_inode(root)->i_ino = v9fs_qid2ino(&st->qid); +- v9fs_stat2inode(st, d_inode(root), sb); ++ v9fs_stat2inode(st, d_inode(root), sb, 0); + + p9stat_free(st); + kfree(st); diff --git a/queue-4.19/asoc-codecs-pcm186x-fix-energysense-sleep-bit.patch b/queue-4.19/asoc-codecs-pcm186x-fix-energysense-sleep-bit.patch new file mode 100644 index 00000000000..4924f6bb7b4 --- /dev/null +++ b/queue-4.19/asoc-codecs-pcm186x-fix-energysense-sleep-bit.patch @@ -0,0 +1,45 @@ +From 05bd7fcdd06b19a10f069af1bea3ad9abac038d7 Mon Sep 17 00:00:00 2001 +From: Codrin Ciubotariu +Date: Tue, 19 Feb 2019 16:29:28 +0000 +Subject: ASoC: codecs: pcm186x: Fix energysense SLEEP bit + +From: Codrin Ciubotariu + +commit 05bd7fcdd06b19a10f069af1bea3ad9abac038d7 upstream. + +The ADCs are sleeping when the SLEEP bit is set and running when it's +cleared, so the bit should be inverted. +Tested on pcm1863. + +Signed-off-by: Codrin Ciubotariu +Acked-by: Andrew F. Davis +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/pcm186x.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/sound/soc/codecs/pcm186x.c ++++ b/sound/soc/codecs/pcm186x.c +@@ -158,7 +158,7 @@ static const struct snd_soc_dapm_widget + * Put the codec into SLEEP mode when not in use, allowing the + * Energysense mechanism to operate. + */ +- SND_SOC_DAPM_ADC("ADC", "HiFi Capture", PCM186X_POWER_CTRL, 1, 0), ++ SND_SOC_DAPM_ADC("ADC", "HiFi Capture", PCM186X_POWER_CTRL, 1, 1), + }; + + static const struct snd_soc_dapm_widget pcm1865_dapm_widgets[] = { +@@ -184,8 +184,8 @@ static const struct snd_soc_dapm_widget + * Put the codec into SLEEP mode when not in use, allowing the + * Energysense mechanism to operate. + */ +- SND_SOC_DAPM_ADC("ADC1", "HiFi Capture 1", PCM186X_POWER_CTRL, 1, 0), +- SND_SOC_DAPM_ADC("ADC2", "HiFi Capture 2", PCM186X_POWER_CTRL, 1, 0), ++ SND_SOC_DAPM_ADC("ADC1", "HiFi Capture 1", PCM186X_POWER_CTRL, 1, 1), ++ SND_SOC_DAPM_ADC("ADC2", "HiFi Capture 2", PCM186X_POWER_CTRL, 1, 1), + }; + + static const struct snd_soc_dapm_route pcm1863_dapm_routes[] = { diff --git a/queue-4.19/asoc-codecs-pcm186x-fix-wrong-usage-of-declare_tlv_db_scale.patch b/queue-4.19/asoc-codecs-pcm186x-fix-wrong-usage-of-declare_tlv_db_scale.patch new file mode 100644 index 00000000000..460d1e7956a --- /dev/null +++ b/queue-4.19/asoc-codecs-pcm186x-fix-wrong-usage-of-declare_tlv_db_scale.patch @@ -0,0 +1,33 @@ +From fcf4daabf08079e6d09958a2992e7446ef8d0438 Mon Sep 17 00:00:00 2001 +From: Codrin Ciubotariu +Date: Tue, 19 Feb 2019 16:29:12 +0000 +Subject: ASoC: codecs: pcm186x: fix wrong usage of DECLARE_TLV_DB_SCALE() + +From: Codrin Ciubotariu + +commit fcf4daabf08079e6d09958a2992e7446ef8d0438 upstream. + +According to DS, the gain is between -12 dB and 40 dB, with a 0.5 dB step. +Tested on pcm1863. + +Signed-off-by: Codrin Ciubotariu +Acked-by: Andrew F. Davis +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/pcm186x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/codecs/pcm186x.c ++++ b/sound/soc/codecs/pcm186x.c +@@ -42,7 +42,7 @@ struct pcm186x_priv { + bool is_master_mode; + }; + +-static const DECLARE_TLV_DB_SCALE(pcm186x_pga_tlv, -1200, 4000, 50); ++static const DECLARE_TLV_DB_SCALE(pcm186x_pga_tlv, -1200, 50, 0); + + static const struct snd_kcontrol_new pcm1863_snd_controls[] = { + SOC_DOUBLE_R_S_TLV("ADC Capture Volume", PCM186X_PGA_VAL_CH1_L, diff --git a/queue-4.19/asoc-fsl_esai-fix-register-setting-issue-in-right_j-mode.patch b/queue-4.19/asoc-fsl_esai-fix-register-setting-issue-in-right_j-mode.patch new file mode 100644 index 00000000000..068bef2095c --- /dev/null +++ b/queue-4.19/asoc-fsl_esai-fix-register-setting-issue-in-right_j-mode.patch @@ -0,0 +1,51 @@ +From cc29ea007347f39f4c5a4d27b0b555955a0277f9 Mon Sep 17 00:00:00 2001 +From: "S.j. Wang" +Date: Mon, 18 Feb 2019 08:29:11 +0000 +Subject: ASoC: fsl_esai: fix register setting issue in RIGHT_J mode + +From: S.j. Wang + +commit cc29ea007347f39f4c5a4d27b0b555955a0277f9 upstream. + +The ESAI_xCR_xWA is xCR's bit, not the xCCR's bit, driver set it to +wrong register, correct it. + +Fixes 43d24e76b698 ("ASoC: fsl_esai: Add ESAI CPU DAI driver") +Cc: +Signed-off-by: Shengjiu Wang +Reviewed-by: Fabio Estevam +Ackedy-by: Nicolin Chen +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/fsl/fsl_esai.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/sound/soc/fsl/fsl_esai.c ++++ b/sound/soc/fsl/fsl_esai.c +@@ -398,7 +398,8 @@ static int fsl_esai_set_dai_fmt(struct s + break; + case SND_SOC_DAIFMT_RIGHT_J: + /* Data on rising edge of bclk, frame high, right aligned */ +- xccr |= ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP | ESAI_xCR_xWA; ++ xccr |= ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP; ++ xcr |= ESAI_xCR_xWA; + break; + case SND_SOC_DAIFMT_DSP_A: + /* Data on rising edge of bclk, frame high, 1clk before data */ +@@ -455,12 +456,12 @@ static int fsl_esai_set_dai_fmt(struct s + return -EINVAL; + } + +- mask = ESAI_xCR_xFSL | ESAI_xCR_xFSR; ++ mask = ESAI_xCR_xFSL | ESAI_xCR_xFSR | ESAI_xCR_xWA; + regmap_update_bits(esai_priv->regmap, REG_ESAI_TCR, mask, xcr); + regmap_update_bits(esai_priv->regmap, REG_ESAI_RCR, mask, xcr); + + mask = ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP | ESAI_xCCR_xFSP | +- ESAI_xCCR_xFSD | ESAI_xCCR_xCKD | ESAI_xCR_xWA; ++ ESAI_xCCR_xFSD | ESAI_xCCR_xCKD; + regmap_update_bits(esai_priv->regmap, REG_ESAI_TCCR, mask, xccr); + regmap_update_bits(esai_priv->regmap, REG_ESAI_RCCR, mask, xccr); + diff --git a/queue-4.19/crypto-ahash-fix-another-early-termination-in-hash-walk.patch b/queue-4.19/crypto-ahash-fix-another-early-termination-in-hash-walk.patch new file mode 100644 index 00000000000..68b6e29755b --- /dev/null +++ b/queue-4.19/crypto-ahash-fix-another-early-termination-in-hash-walk.patch @@ -0,0 +1,63 @@ +From 77568e535af7c4f97eaef1e555bf0af83772456c Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 31 Jan 2019 23:51:41 -0800 +Subject: crypto: ahash - fix another early termination in hash walk + +From: Eric Biggers + +commit 77568e535af7c4f97eaef1e555bf0af83772456c upstream. + +Hash algorithms with an alignmask set, e.g. "xcbc(aes-aesni)" and +"michael_mic", fail the improved hash tests because they sometimes +produce the wrong digest. The bug is that in the case where a +scatterlist element crosses pages, not all the data is actually hashed +because the scatterlist walk terminates too early. This happens because +the 'nbytes' variable in crypto_hash_walk_done() is assigned the number +of bytes remaining in the page, then later interpreted as the number of +bytes remaining in the scatterlist element. Fix it. + +Fixes: 900a081f6912 ("crypto: ahash - Fix early termination in hash walk") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/ahash.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/crypto/ahash.c ++++ b/crypto/ahash.c +@@ -86,17 +86,17 @@ static int hash_walk_new_entry(struct cr + int crypto_hash_walk_done(struct crypto_hash_walk *walk, int err) + { + unsigned int alignmask = walk->alignmask; +- unsigned int nbytes = walk->entrylen; + + walk->data -= walk->offset; + +- if (nbytes && walk->offset & alignmask && !err) { +- walk->offset = ALIGN(walk->offset, alignmask + 1); +- nbytes = min(nbytes, +- ((unsigned int)(PAGE_SIZE)) - walk->offset); +- walk->entrylen -= nbytes; ++ if (walk->entrylen && (walk->offset & alignmask) && !err) { ++ unsigned int nbytes; + ++ walk->offset = ALIGN(walk->offset, alignmask + 1); ++ nbytes = min(walk->entrylen, ++ (unsigned int)(PAGE_SIZE - walk->offset)); + if (nbytes) { ++ walk->entrylen -= nbytes; + walk->data += walk->offset; + return nbytes; + } +@@ -116,7 +116,7 @@ int crypto_hash_walk_done(struct crypto_ + if (err) + return err; + +- if (nbytes) { ++ if (walk->entrylen) { + walk->offset = 0; + walk->pg++; + return hash_walk_next(walk); diff --git a/queue-4.19/crypto-caam-fix-dma-mapping-of-stack-memory.patch b/queue-4.19/crypto-caam-fix-dma-mapping-of-stack-memory.patch new file mode 100644 index 00000000000..42c5679905d --- /dev/null +++ b/queue-4.19/crypto-caam-fix-dma-mapping-of-stack-memory.patch @@ -0,0 +1,319 @@ +From c19650d6ea99bcd903d3e55dd61860026c701339 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Horia=20Geant=C4=83?= +Date: Sat, 26 Jan 2019 20:02:15 +0200 +Subject: crypto: caam - fix DMA mapping of stack memory +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +commit c19650d6ea99bcd903d3e55dd61860026c701339 upstream. + +Roland reports the following issue and provides a root cause analysis: + +"On a v4.19 i.MX6 system with IMA and CONFIG_DMA_API_DEBUG enabled, a +warning is generated when accessing files on a filesystem for which IMA +measurement is enabled: + + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 1 at kernel/dma/debug.c:1181 check_for_stack.part.9+0xd0/0x120 + caam_jr 2101000.jr0: DMA-API: device driver maps memory from stack [addr=b668049e] + Modules linked in: + CPU: 0 PID: 1 Comm: switch_root Not tainted 4.19.0-20181214-1 #2 + Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) + Backtrace: + [] (dump_backtrace) from [] (show_stack+0x20/0x24) + [] (show_stack) from [] (dump_stack+0xa0/0xcc) + [] (dump_stack) from [] (__warn+0xf0/0x108) + [] (__warn) from [] (warn_slowpath_fmt+0x58/0x74) + [] (warn_slowpath_fmt) from [] (check_for_stack.part.9+0xd0/0x120) + [] (check_for_stack.part.9) from [] (debug_dma_map_page+0x144/0x174) + [] (debug_dma_map_page) from [] (ahash_final_ctx+0x5b4/0xcf0) + [] (ahash_final_ctx) from [] (ahash_final+0x1c/0x20) + [] (ahash_final) from [] (crypto_ahash_op+0x38/0x80) + [] (crypto_ahash_op) from [] (crypto_ahash_final+0x20/0x24) + [] (crypto_ahash_final) from [] (ima_calc_file_hash+0x29c/0xa40) + [] (ima_calc_file_hash) from [] (ima_collect_measurement+0x1dc/0x240) + [] (ima_collect_measurement) from [] (process_measurement+0x4c4/0x6b8) + [] (process_measurement) from [] (ima_file_check+0x88/0xa4) + [] (ima_file_check) from [] (path_openat+0x5d8/0x1364) + [] (path_openat) from [] (do_filp_open+0x84/0xf0) + [] (do_filp_open) from [] (do_open_execat+0x84/0x1b0) + [] (do_open_execat) from [] (__do_execve_file+0x43c/0x890) + [] (__do_execve_file) from [] (sys_execve+0x44/0x4c) + [] (sys_execve) from [] (ret_fast_syscall+0x0/0x28) + ---[ end trace 3455789a10e3aefd ]--- + +The cause is that the struct ahash_request *req is created as a +stack-local variable up in the stack (presumably somewhere in the IMA +implementation), then passed down into the CAAM driver, which tries to +dma_single_map the req->result (indirectly via map_seq_out_ptr_result) +in order to make that buffer available for the CAAM to store the result +of the following hash operation. + +The calling code doesn't know how req will be used by the CAAM driver, +and there could be other such occurrences where stack memory is passed +down to the CAAM driver. Therefore we should rather fix this issue in +the CAAM driver where the requirements are known." + +Fix this problem by: +-instructing the crypto engine to write the final hash in state->caam_ctx +-subsequently memcpy-ing the final hash into req->result + +Cc: # v4.19+ +Reported-by: Roland Hieber +Signed-off-by: Horia Geantă +Tested-by: Roland Hieber +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/caamhash.c | 85 ++++++++++------------------------------- + 1 file changed, 21 insertions(+), 64 deletions(-) + +--- a/drivers/crypto/caam/caamhash.c ++++ b/drivers/crypto/caam/caamhash.c +@@ -185,18 +185,6 @@ static inline int map_seq_out_ptr_ctx(u3 + return 0; + } + +-/* Map req->result, and append seq_out_ptr command that points to it */ +-static inline dma_addr_t map_seq_out_ptr_result(u32 *desc, struct device *jrdev, +- u8 *result, int digestsize) +-{ +- dma_addr_t dst_dma; +- +- dst_dma = dma_map_single(jrdev, result, digestsize, DMA_FROM_DEVICE); +- append_seq_out_ptr(desc, dst_dma, digestsize, 0); +- +- return dst_dma; +-} +- + /* Map current buffer in state (if length > 0) and put it in link table */ + static inline int buf_map_to_sec4_sg(struct device *jrdev, + struct sec4_sg_entry *sec4_sg, +@@ -488,7 +476,6 @@ static int ahash_setkey(struct crypto_ah + + /* + * ahash_edesc - s/w-extended ahash descriptor +- * @dst_dma: physical mapped address of req->result + * @sec4_sg_dma: physical mapped address of h/w link table + * @src_nents: number of segments in input scatterlist + * @sec4_sg_bytes: length of dma mapped sec4_sg space +@@ -496,7 +483,6 @@ static int ahash_setkey(struct crypto_ah + * @sec4_sg: h/w link table + */ + struct ahash_edesc { +- dma_addr_t dst_dma; + dma_addr_t sec4_sg_dma; + int src_nents; + int sec4_sg_bytes; +@@ -512,8 +498,6 @@ static inline void ahash_unmap(struct de + + if (edesc->src_nents) + dma_unmap_sg(dev, req->src, edesc->src_nents, DMA_TO_DEVICE); +- if (edesc->dst_dma) +- dma_unmap_single(dev, edesc->dst_dma, dst_len, DMA_FROM_DEVICE); + + if (edesc->sec4_sg_bytes) + dma_unmap_single(dev, edesc->sec4_sg_dma, +@@ -546,9 +530,9 @@ static void ahash_done(struct device *jr + struct ahash_edesc *edesc; + struct crypto_ahash *ahash = crypto_ahash_reqtfm(req); + int digestsize = crypto_ahash_digestsize(ahash); ++ struct caam_hash_state *state = ahash_request_ctx(req); + #ifdef DEBUG + struct caam_hash_ctx *ctx = crypto_ahash_ctx(ahash); +- struct caam_hash_state *state = ahash_request_ctx(req); + + dev_err(jrdev, "%s %d: err 0x%x\n", __func__, __LINE__, err); + #endif +@@ -557,17 +541,14 @@ static void ahash_done(struct device *jr + if (err) + caam_jr_strstatus(jrdev, err); + +- ahash_unmap(jrdev, edesc, req, digestsize); ++ ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_FROM_DEVICE); ++ memcpy(req->result, state->caam_ctx, digestsize); + kfree(edesc); + + #ifdef DEBUG + print_hex_dump(KERN_ERR, "ctx@"__stringify(__LINE__)": ", + DUMP_PREFIX_ADDRESS, 16, 4, state->caam_ctx, + ctx->ctx_len, 1); +- if (req->result) +- print_hex_dump(KERN_ERR, "result@"__stringify(__LINE__)": ", +- DUMP_PREFIX_ADDRESS, 16, 4, req->result, +- digestsize, 1); + #endif + + req->base.complete(&req->base, err); +@@ -615,9 +596,9 @@ static void ahash_done_ctx_src(struct de + struct ahash_edesc *edesc; + struct crypto_ahash *ahash = crypto_ahash_reqtfm(req); + int digestsize = crypto_ahash_digestsize(ahash); ++ struct caam_hash_state *state = ahash_request_ctx(req); + #ifdef DEBUG + struct caam_hash_ctx *ctx = crypto_ahash_ctx(ahash); +- struct caam_hash_state *state = ahash_request_ctx(req); + + dev_err(jrdev, "%s %d: err 0x%x\n", __func__, __LINE__, err); + #endif +@@ -626,17 +607,14 @@ static void ahash_done_ctx_src(struct de + if (err) + caam_jr_strstatus(jrdev, err); + +- ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_TO_DEVICE); ++ ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_BIDIRECTIONAL); ++ memcpy(req->result, state->caam_ctx, digestsize); + kfree(edesc); + + #ifdef DEBUG + print_hex_dump(KERN_ERR, "ctx@"__stringify(__LINE__)": ", + DUMP_PREFIX_ADDRESS, 16, 4, state->caam_ctx, + ctx->ctx_len, 1); +- if (req->result) +- print_hex_dump(KERN_ERR, "result@"__stringify(__LINE__)": ", +- DUMP_PREFIX_ADDRESS, 16, 4, req->result, +- digestsize, 1); + #endif + + req->base.complete(&req->base, err); +@@ -897,7 +875,7 @@ static int ahash_final_ctx(struct ahash_ + edesc->sec4_sg_bytes = sec4_sg_bytes; + + ret = ctx_map_to_sec4_sg(jrdev, state, ctx->ctx_len, +- edesc->sec4_sg, DMA_TO_DEVICE); ++ edesc->sec4_sg, DMA_BIDIRECTIONAL); + if (ret) + goto unmap_ctx; + +@@ -917,14 +895,7 @@ static int ahash_final_ctx(struct ahash_ + + append_seq_in_ptr(desc, edesc->sec4_sg_dma, ctx->ctx_len + buflen, + LDST_SGF); +- +- edesc->dst_dma = map_seq_out_ptr_result(desc, jrdev, req->result, +- digestsize); +- if (dma_mapping_error(jrdev, edesc->dst_dma)) { +- dev_err(jrdev, "unable to map dst\n"); +- ret = -ENOMEM; +- goto unmap_ctx; +- } ++ append_seq_out_ptr(desc, state->ctx_dma, digestsize, 0); + + #ifdef DEBUG + print_hex_dump(KERN_ERR, "jobdesc@"__stringify(__LINE__)": ", +@@ -937,7 +908,7 @@ static int ahash_final_ctx(struct ahash_ + + return -EINPROGRESS; + unmap_ctx: +- ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_FROM_DEVICE); ++ ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_BIDIRECTIONAL); + kfree(edesc); + return ret; + } +@@ -991,7 +962,7 @@ static int ahash_finup_ctx(struct ahash_ + edesc->src_nents = src_nents; + + ret = ctx_map_to_sec4_sg(jrdev, state, ctx->ctx_len, +- edesc->sec4_sg, DMA_TO_DEVICE); ++ edesc->sec4_sg, DMA_BIDIRECTIONAL); + if (ret) + goto unmap_ctx; + +@@ -1005,13 +976,7 @@ static int ahash_finup_ctx(struct ahash_ + if (ret) + goto unmap_ctx; + +- edesc->dst_dma = map_seq_out_ptr_result(desc, jrdev, req->result, +- digestsize); +- if (dma_mapping_error(jrdev, edesc->dst_dma)) { +- dev_err(jrdev, "unable to map dst\n"); +- ret = -ENOMEM; +- goto unmap_ctx; +- } ++ append_seq_out_ptr(desc, state->ctx_dma, digestsize, 0); + + #ifdef DEBUG + print_hex_dump(KERN_ERR, "jobdesc@"__stringify(__LINE__)": ", +@@ -1024,7 +989,7 @@ static int ahash_finup_ctx(struct ahash_ + + return -EINPROGRESS; + unmap_ctx: +- ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_FROM_DEVICE); ++ ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_BIDIRECTIONAL); + kfree(edesc); + return ret; + } +@@ -1083,10 +1048,8 @@ static int ahash_digest(struct ahash_req + + desc = edesc->hw_desc; + +- edesc->dst_dma = map_seq_out_ptr_result(desc, jrdev, req->result, +- digestsize); +- if (dma_mapping_error(jrdev, edesc->dst_dma)) { +- dev_err(jrdev, "unable to map dst\n"); ++ ret = map_seq_out_ptr_ctx(desc, jrdev, state, digestsize); ++ if (ret) { + ahash_unmap(jrdev, edesc, req, digestsize); + kfree(edesc); + return -ENOMEM; +@@ -1101,7 +1064,7 @@ static int ahash_digest(struct ahash_req + if (!ret) { + ret = -EINPROGRESS; + } else { +- ahash_unmap(jrdev, edesc, req, digestsize); ++ ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_FROM_DEVICE); + kfree(edesc); + } + +@@ -1143,12 +1106,9 @@ static int ahash_final_no_ctx(struct aha + append_seq_in_ptr(desc, state->buf_dma, buflen, 0); + } + +- edesc->dst_dma = map_seq_out_ptr_result(desc, jrdev, req->result, +- digestsize); +- if (dma_mapping_error(jrdev, edesc->dst_dma)) { +- dev_err(jrdev, "unable to map dst\n"); ++ ret = map_seq_out_ptr_ctx(desc, jrdev, state, digestsize); ++ if (ret) + goto unmap; +- } + + #ifdef DEBUG + print_hex_dump(KERN_ERR, "jobdesc@"__stringify(__LINE__)": ", +@@ -1159,7 +1119,7 @@ static int ahash_final_no_ctx(struct aha + if (!ret) { + ret = -EINPROGRESS; + } else { +- ahash_unmap(jrdev, edesc, req, digestsize); ++ ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_FROM_DEVICE); + kfree(edesc); + } + +@@ -1358,12 +1318,9 @@ static int ahash_finup_no_ctx(struct aha + goto unmap; + } + +- edesc->dst_dma = map_seq_out_ptr_result(desc, jrdev, req->result, +- digestsize); +- if (dma_mapping_error(jrdev, edesc->dst_dma)) { +- dev_err(jrdev, "unable to map dst\n"); ++ ret = map_seq_out_ptr_ctx(desc, jrdev, state, digestsize); ++ if (ret) + goto unmap; +- } + + #ifdef DEBUG + print_hex_dump(KERN_ERR, "jobdesc@"__stringify(__LINE__)": ", +@@ -1374,7 +1331,7 @@ static int ahash_finup_no_ctx(struct aha + if (!ret) { + ret = -EINPROGRESS; + } else { +- ahash_unmap(jrdev, edesc, req, digestsize); ++ ahash_unmap_ctx(jrdev, edesc, req, digestsize, DMA_FROM_DEVICE); + kfree(edesc); + } + diff --git a/queue-4.19/crypto-caam-fix-hash-context-dma-unmap-size.patch b/queue-4.19/crypto-caam-fix-hash-context-dma-unmap-size.patch new file mode 100644 index 00000000000..e7b2b5cc2af --- /dev/null +++ b/queue-4.19/crypto-caam-fix-hash-context-dma-unmap-size.patch @@ -0,0 +1,75 @@ +From 65055e2108847af5e577cc7ce6bde45ea136d29a Mon Sep 17 00:00:00 2001 +From: Franck LENORMAND +Date: Tue, 19 Feb 2019 16:56:55 +0200 +Subject: crypto: caam - fix hash context DMA unmap size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Franck LENORMAND + +commit 65055e2108847af5e577cc7ce6bde45ea136d29a upstream. + +When driver started using state->caam_ctxt for storing both running hash +and final hash, it was not updated to handle different DMA unmap +lengths. + +Cc: # v4.19+ +Fixes: c19650d6ea99 ("crypto: caam - fix DMA mapping of stack memory") +Signed-off-by: Franck LENORMAND +Signed-off-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/caamhash.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/crypto/caam/caamhash.c ++++ b/drivers/crypto/caam/caamhash.c +@@ -118,6 +118,7 @@ struct caam_hash_ctx { + struct caam_hash_state { + dma_addr_t buf_dma; + dma_addr_t ctx_dma; ++ int ctx_dma_len; + u8 buf_0[CAAM_MAX_HASH_BLOCK_SIZE] ____cacheline_aligned; + int buflen_0; + u8 buf_1[CAAM_MAX_HASH_BLOCK_SIZE] ____cacheline_aligned; +@@ -170,6 +171,7 @@ static inline int map_seq_out_ptr_ctx(u3 + struct caam_hash_state *state, + int ctx_len) + { ++ state->ctx_dma_len = ctx_len; + state->ctx_dma = dma_map_single(jrdev, state->caam_ctx, + ctx_len, DMA_FROM_DEVICE); + if (dma_mapping_error(jrdev, state->ctx_dma)) { +@@ -223,6 +225,7 @@ static inline int ctx_map_to_sec4_sg(str + struct caam_hash_state *state, int ctx_len, + struct sec4_sg_entry *sec4_sg, u32 flag) + { ++ state->ctx_dma_len = ctx_len; + state->ctx_dma = dma_map_single(jrdev, state->caam_ctx, ctx_len, flag); + if (dma_mapping_error(jrdev, state->ctx_dma)) { + dev_err(jrdev, "unable to map ctx\n"); +@@ -527,12 +530,10 @@ static inline void ahash_unmap_ctx(struc + struct ahash_edesc *edesc, + struct ahash_request *req, int dst_len, u32 flag) + { +- struct crypto_ahash *ahash = crypto_ahash_reqtfm(req); +- struct caam_hash_ctx *ctx = crypto_ahash_ctx(ahash); + struct caam_hash_state *state = ahash_request_ctx(req); + + if (state->ctx_dma) { +- dma_unmap_single(dev, state->ctx_dma, ctx->ctx_len, flag); ++ dma_unmap_single(dev, state->ctx_dma, state->ctx_dma_len, flag); + state->ctx_dma = 0; + } + ahash_unmap(dev, edesc, req, dst_len); +@@ -1505,6 +1506,7 @@ static int ahash_init(struct ahash_reque + state->final = ahash_final_no_ctx; + + state->ctx_dma = 0; ++ state->ctx_dma_len = 0; + state->current_buf = 0; + state->buf_dma = 0; + state->buflen_0 = 0; diff --git a/queue-4.19/crypto-caam-fixed-handling-of-sg-list.patch b/queue-4.19/crypto-caam-fixed-handling-of-sg-list.patch new file mode 100644 index 00000000000..90135a984c5 --- /dev/null +++ b/queue-4.19/crypto-caam-fixed-handling-of-sg-list.patch @@ -0,0 +1,35 @@ +From 42e95d1f10dcf8b18b1d7f52f7068985b3dc5b79 Mon Sep 17 00:00:00 2001 +From: Pankaj Gupta +Date: Fri, 1 Feb 2019 07:18:20 +0000 +Subject: crypto: caam - fixed handling of sg list + +From: Pankaj Gupta + +commit 42e95d1f10dcf8b18b1d7f52f7068985b3dc5b79 upstream. + +when the source sg contains more than 1 fragment and +destination sg contains 1 fragment, the caam driver +mishandle the buffers to be sent to caam. + +Fixes: f2147b88b2b1 ("crypto: caam - Convert GCM to new AEAD interface") +Cc: # 4.2+ +Signed-off-by: Pankaj Gupta +Signed-off-by: Arun Pathak +Reviewed-by: Horia Geanta +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/caamalg.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/crypto/caam/caamalg.c ++++ b/drivers/crypto/caam/caamalg.c +@@ -1005,6 +1005,7 @@ static void init_aead_job(struct aead_re + if (unlikely(req->src != req->dst)) { + if (edesc->dst_nents == 1) { + dst_dma = sg_dma_address(req->dst); ++ out_options = 0; + } else { + dst_dma = edesc->sec4_sg_dma + + sec4_sg_index * diff --git a/queue-4.19/crypto-ccree-don-t-copy-zero-size-ciphertext.patch b/queue-4.19/crypto-ccree-don-t-copy-zero-size-ciphertext.patch new file mode 100644 index 00000000000..35beb0c60cb --- /dev/null +++ b/queue-4.19/crypto-ccree-don-t-copy-zero-size-ciphertext.patch @@ -0,0 +1,37 @@ +From 2b5ac17463dcb2411fed506edcf259a89bb538ba Mon Sep 17 00:00:00 2001 +From: Gilad Ben-Yossef +Date: Tue, 15 Jan 2019 15:43:17 +0200 +Subject: crypto: ccree - don't copy zero size ciphertext + +From: Gilad Ben-Yossef + +commit 2b5ac17463dcb2411fed506edcf259a89bb538ba upstream. + +For decryption in CBC mode we need to save the last ciphertext block +for use as the next IV. However, we were trying to do this also with +zero sized ciphertext resulting in a panic. + +Fix this by only doing the copy if the ciphertext length is at least +of IV size. + +Signed-off-by: Gilad Ben-Yossef +Cc: stable@vger.kernel.org +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccree/cc_cipher.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/crypto/ccree/cc_cipher.c ++++ b/drivers/crypto/ccree/cc_cipher.c +@@ -783,7 +783,8 @@ static int cc_cipher_decrypt(struct skci + + memset(req_ctx, 0, sizeof(*req_ctx)); + +- if (ctx_p->cipher_mode == DRV_CIPHER_CBC) { ++ if ((ctx_p->cipher_mode == DRV_CIPHER_CBC) && ++ (req->cryptlen >= ivsize)) { + + /* Allocate and save the last IV sized bytes of the source, + * which will be lost in case of in-place decryption. diff --git a/queue-4.19/crypto-ccree-fix-free-of-unallocated-mlli-buffer.patch b/queue-4.19/crypto-ccree-fix-free-of-unallocated-mlli-buffer.patch new file mode 100644 index 00000000000..d66cb920e0f --- /dev/null +++ b/queue-4.19/crypto-ccree-fix-free-of-unallocated-mlli-buffer.patch @@ -0,0 +1,41 @@ +From a49411959ea6d4915a9fd2a7eb5ba220e6284e9a Mon Sep 17 00:00:00 2001 +From: Hadar Gat +Date: Tue, 15 Jan 2019 15:43:13 +0200 +Subject: crypto: ccree - fix free of unallocated mlli buffer + +From: Hadar Gat + +commit a49411959ea6d4915a9fd2a7eb5ba220e6284e9a upstream. + +In cc_unmap_aead_request(), call dma_pool_free() for mlli buffer only +if an item is allocated from the pool and not always if there is a +pool allocated. +This fixes a kernel panic when trying to free a non-allocated item. + +Cc: stable@vger.kernel.org +Signed-off-by: Hadar Gat +Signed-off-by: Gilad Ben-Yossef +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccree/cc_buffer_mgr.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/crypto/ccree/cc_buffer_mgr.c ++++ b/drivers/crypto/ccree/cc_buffer_mgr.c +@@ -614,10 +614,10 @@ void cc_unmap_aead_request(struct device + hw_iv_size, DMA_BIDIRECTIONAL); + } + +- /*In case a pool was set, a table was +- *allocated and should be released +- */ +- if (areq_ctx->mlli_params.curr_pool) { ++ /* Release pool */ ++ if ((areq_ctx->assoc_buff_type == CC_DMA_BUF_MLLI || ++ areq_ctx->data_buff_type == CC_DMA_BUF_MLLI) && ++ (areq_ctx->mlli_params.mlli_virt_addr)) { + dev_dbg(dev, "free MLLI buffer: dma=%pad virt=%pK\n", + &areq_ctx->mlli_params.mlli_dma_addr, + areq_ctx->mlli_params.mlli_virt_addr); diff --git a/queue-4.19/crypto-ccree-fix-missing-break-in-switch-statement.patch b/queue-4.19/crypto-ccree-fix-missing-break-in-switch-statement.patch new file mode 100644 index 00000000000..6ddf5cdd19d --- /dev/null +++ b/queue-4.19/crypto-ccree-fix-missing-break-in-switch-statement.patch @@ -0,0 +1,35 @@ +From b5be853181a8d4a6e20f2073ccd273d6280cad88 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Mon, 11 Feb 2019 12:31:31 -0600 +Subject: crypto: ccree - fix missing break in switch statement + +From: Gustavo A. R. Silva + +commit b5be853181a8d4a6e20f2073ccd273d6280cad88 upstream. + +Add missing break statement in order to prevent the code from falling +through to case S_DIN_to_DES. + +This bug was found thanks to the ongoing efforts to enable +-Wimplicit-fallthrough. + +Fixes: 63ee04c8b491 ("crypto: ccree - add skcipher support") +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccree/cc_cipher.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/crypto/ccree/cc_cipher.c ++++ b/drivers/crypto/ccree/cc_cipher.c +@@ -79,6 +79,7 @@ static int validate_keys_sizes(struct cc + default: + break; + } ++ break; + case S_DIN_to_DES: + if (size == DES3_EDE_KEY_SIZE || size == DES_KEY_SIZE) + return 0; diff --git a/queue-4.19/crypto-ccree-unmap-buffer-before-copying-iv.patch b/queue-4.19/crypto-ccree-unmap-buffer-before-copying-iv.patch new file mode 100644 index 00000000000..b131d5fe2bc --- /dev/null +++ b/queue-4.19/crypto-ccree-unmap-buffer-before-copying-iv.patch @@ -0,0 +1,45 @@ +From c139c72e2beb3e3db5148910b3962b7322e24374 Mon Sep 17 00:00:00 2001 +From: Gilad Ben-Yossef +Date: Tue, 15 Jan 2019 15:43:15 +0200 +Subject: crypto: ccree - unmap buffer before copying IV + +From: Gilad Ben-Yossef + +commit c139c72e2beb3e3db5148910b3962b7322e24374 upstream. + +We were copying the last ciphertext block into the IV field +for CBC before removing the DMA mapping of the output buffer +with the result of the buffer sometime being out-of-sync cache +wise and were getting intermittent cases of bad output IV. + +Fix it by moving the DMA buffer unmapping before the copy. + +Signed-off-by: Gilad Ben-Yossef +Fixes: 00904aa0cd59 ("crypto: ccree - fix iv handling") +Cc: +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccree/cc_cipher.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/crypto/ccree/cc_cipher.c ++++ b/drivers/crypto/ccree/cc_cipher.c +@@ -635,6 +635,8 @@ static void cc_cipher_complete(struct de + unsigned int ivsize = crypto_skcipher_ivsize(sk_tfm); + unsigned int len; + ++ cc_unmap_cipher_request(dev, req_ctx, ivsize, src, dst); ++ + switch (ctx_p->cipher_mode) { + case DRV_CIPHER_CBC: + /* +@@ -664,7 +666,6 @@ static void cc_cipher_complete(struct de + break; + } + +- cc_unmap_cipher_request(dev, req_ctx, ivsize, src, dst); + kzfree(req_ctx->iv); + + skcipher_request_complete(req, err); diff --git a/queue-4.19/crypto-cfb-add-missing-chunksize-property.patch b/queue-4.19/crypto-cfb-add-missing-chunksize-property.patch new file mode 100644 index 00000000000..69a75c0ca4d --- /dev/null +++ b/queue-4.19/crypto-cfb-add-missing-chunksize-property.patch @@ -0,0 +1,81 @@ +From 394a9e044702e6a8958a5e89d2a291605a587a2a Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 3 Jan 2019 20:16:10 -0800 +Subject: crypto: cfb - add missing 'chunksize' property + +From: Eric Biggers + +commit 394a9e044702e6a8958a5e89d2a291605a587a2a upstream. + +Like some other block cipher mode implementations, the CFB +implementation assumes that while walking through the scatterlist, a +partial block does not occur until the end. But the walk is incorrectly +being done with a blocksize of 1, as 'cra_blocksize' is set to 1 (since +CFB is a stream cipher) but no 'chunksize' is set. This bug causes +incorrect encryption/decryption for some scatterlist layouts. + +Fix it by setting the 'chunksize'. Also extend the CFB test vectors to +cover this bug as well as cases where the message length is not a +multiple of the block size. + +Fixes: a7d85e06ed80 ("crypto: cfb - add support for Cipher FeedBack mode") +Cc: # v4.17+ +Cc: James Bottomley +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/cfb.c | 6 ++++++ + crypto/testmgr.h | 25 +++++++++++++++++++++++++ + 2 files changed, 31 insertions(+) + +--- a/crypto/cfb.c ++++ b/crypto/cfb.c +@@ -298,6 +298,12 @@ static int crypto_cfb_create(struct cryp + inst->alg.base.cra_blocksize = 1; + inst->alg.base.cra_alignmask = alg->cra_alignmask; + ++ /* ++ * To simplify the implementation, configure the skcipher walk to only ++ * give a partial block at the very end, never earlier. ++ */ ++ inst->alg.chunksize = alg->cra_blocksize; ++ + inst->alg.ivsize = alg->cra_blocksize; + inst->alg.min_keysize = alg->cra_cipher.cia_min_keysize; + inst->alg.max_keysize = alg->cra_cipher.cia_max_keysize; +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -11416,6 +11416,31 @@ static const struct cipher_testvec aes_c + "\x75\xa3\x85\x74\x1a\xb9\xce\xf8" + "\x20\x31\x62\x3d\x55\xb1\xe4\x71", + .len = 64, ++ .also_non_np = 1, ++ .np = 2, ++ .tap = { 31, 33 }, ++ }, { /* > 16 bytes, not a multiple of 16 bytes */ ++ .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6" ++ "\xab\xf7\x15\x88\x09\xcf\x4f\x3c", ++ .klen = 16, ++ .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" ++ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", ++ .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96" ++ "\xe9\x3d\x7e\x11\x73\x93\x17\x2a" ++ "\xae", ++ .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad\x20" ++ "\x33\x34\x49\xf8\xe8\x3c\xfb\x4a" ++ "\xc8", ++ .len = 17, ++ }, { /* < 16 bytes */ ++ .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6" ++ "\xab\xf7\x15\x88\x09\xcf\x4f\x3c", ++ .klen = 16, ++ .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" ++ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", ++ .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f", ++ .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad", ++ .len = 7, + }, + }; + diff --git a/queue-4.19/crypto-cfb-remove-bogus-memcpy-with-src-dest.patch b/queue-4.19/crypto-cfb-remove-bogus-memcpy-with-src-dest.patch new file mode 100644 index 00000000000..f52956a4395 --- /dev/null +++ b/queue-4.19/crypto-cfb-remove-bogus-memcpy-with-src-dest.patch @@ -0,0 +1,68 @@ +From 6c2e322b3621dc8be72e5c86d4fdb587434ba625 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 3 Jan 2019 20:16:11 -0800 +Subject: crypto: cfb - remove bogus memcpy() with src == dest + +From: Eric Biggers + +commit 6c2e322b3621dc8be72e5c86d4fdb587434ba625 upstream. + +The memcpy() in crypto_cfb_decrypt_inplace() uses walk->iv as both the +source and destination, which has undefined behavior. It is unneeded +because walk->iv is already used to hold the previous ciphertext block; +thus, walk->iv is already updated to its final value. So, remove it. + +Also, note that in-place decryption is the only case where the previous +ciphertext block is not directly available. Therefore, as a related +cleanup I also updated crypto_cfb_encrypt_segment() to directly use the +previous ciphertext block rather than save it into walk->iv. This makes +it consistent with in-place encryption and out-of-place decryption; now +only in-place decryption is different, because it has to be. + +Fixes: a7d85e06ed80 ("crypto: cfb - add support for Cipher FeedBack mode") +Cc: # v4.17+ +Cc: James Bottomley +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/cfb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/crypto/cfb.c ++++ b/crypto/cfb.c +@@ -77,12 +77,14 @@ static int crypto_cfb_encrypt_segment(st + do { + crypto_cfb_encrypt_one(tfm, iv, dst); + crypto_xor(dst, src, bsize); +- memcpy(iv, dst, bsize); ++ iv = dst; + + src += bsize; + dst += bsize; + } while ((nbytes -= bsize) >= bsize); + ++ memcpy(walk->iv, iv, bsize); ++ + return nbytes; + } + +@@ -162,7 +164,7 @@ static int crypto_cfb_decrypt_inplace(st + const unsigned int bsize = crypto_cfb_bsize(tfm); + unsigned int nbytes = walk->nbytes; + u8 *src = walk->src.virt.addr; +- u8 *iv = walk->iv; ++ u8 * const iv = walk->iv; + u8 tmp[MAX_CIPHER_BLOCKSIZE]; + + do { +@@ -172,8 +174,6 @@ static int crypto_cfb_decrypt_inplace(st + src += bsize; + } while ((nbytes -= bsize) >= bsize); + +- memcpy(walk->iv, iv, bsize); +- + return nbytes; + } + diff --git a/queue-4.19/crypto-rockchip-fix-scatterlist-nents-error.patch b/queue-4.19/crypto-rockchip-fix-scatterlist-nents-error.patch new file mode 100644 index 00000000000..2bd2579a0f1 --- /dev/null +++ b/queue-4.19/crypto-rockchip-fix-scatterlist-nents-error.patch @@ -0,0 +1,83 @@ +From 4359669a087633132203c52d67dd8c31e09e7b2e Mon Sep 17 00:00:00 2001 +From: Zhang Zhijie +Date: Wed, 13 Feb 2019 16:24:38 +0800 +Subject: crypto: rockchip - fix scatterlist nents error + +From: Zhang Zhijie + +commit 4359669a087633132203c52d67dd8c31e09e7b2e upstream. + +In some cases, the nents of src scatterlist is different from +dst scatterlist. So two variables are used to handle the nents +of src&dst scatterlist. + +Reported-by: Eric Biggers +Fixes: 433cd2c617bf ("crypto: rockchip - add crypto driver for rk3288") +Cc: # v4.5+ +Signed-off-by: Zhang Zhijie +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/rockchip/rk3288_crypto.c | 2 +- + drivers/crypto/rockchip/rk3288_crypto.h | 3 ++- + drivers/crypto/rockchip/rk3288_crypto_ablkcipher.c | 5 +++-- + drivers/crypto/rockchip/rk3288_crypto_ahash.c | 2 +- + 4 files changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/crypto/rockchip/rk3288_crypto.c ++++ b/drivers/crypto/rockchip/rk3288_crypto.c +@@ -119,7 +119,7 @@ static int rk_load_data(struct rk_crypto + count = (dev->left_bytes > PAGE_SIZE) ? + PAGE_SIZE : dev->left_bytes; + +- if (!sg_pcopy_to_buffer(dev->first, dev->nents, ++ if (!sg_pcopy_to_buffer(dev->first, dev->src_nents, + dev->addr_vir, count, + dev->total - dev->left_bytes)) { + dev_err(dev->dev, "[%s:%d] pcopy err\n", +--- a/drivers/crypto/rockchip/rk3288_crypto.h ++++ b/drivers/crypto/rockchip/rk3288_crypto.h +@@ -207,7 +207,8 @@ struct rk_crypto_info { + void *addr_vir; + int aligned; + int align_size; +- size_t nents; ++ size_t src_nents; ++ size_t dst_nents; + unsigned int total; + unsigned int count; + dma_addr_t addr_in; +--- a/drivers/crypto/rockchip/rk3288_crypto_ablkcipher.c ++++ b/drivers/crypto/rockchip/rk3288_crypto_ablkcipher.c +@@ -260,8 +260,9 @@ static int rk_ablk_start(struct rk_crypt + dev->total = req->nbytes; + dev->sg_src = req->src; + dev->first = req->src; +- dev->nents = sg_nents(req->src); ++ dev->src_nents = sg_nents(req->src); + dev->sg_dst = req->dst; ++ dev->dst_nents = sg_nents(req->dst); + dev->aligned = 1; + + spin_lock_irqsave(&dev->lock, flags); +@@ -297,7 +298,7 @@ static int rk_ablk_rx(struct rk_crypto_i + + dev->unload_data(dev); + if (!dev->aligned) { +- if (!sg_pcopy_from_buffer(req->dst, dev->nents, ++ if (!sg_pcopy_from_buffer(req->dst, dev->dst_nents, + dev->addr_vir, dev->count, + dev->total - dev->left_bytes - + dev->count)) { +--- a/drivers/crypto/rockchip/rk3288_crypto_ahash.c ++++ b/drivers/crypto/rockchip/rk3288_crypto_ahash.c +@@ -206,7 +206,7 @@ static int rk_ahash_start(struct rk_cryp + dev->sg_dst = NULL; + dev->sg_src = req->src; + dev->first = req->src; +- dev->nents = sg_nents(req->src); ++ dev->src_nents = sg_nents(req->src); + rctx = ahash_request_ctx(req); + rctx->mode = 0; + diff --git a/queue-4.19/crypto-rockchip-update-new-iv-to-device-in-multiple-operations.patch b/queue-4.19/crypto-rockchip-update-new-iv-to-device-in-multiple-operations.patch new file mode 100644 index 00000000000..1bc855f3b23 --- /dev/null +++ b/queue-4.19/crypto-rockchip-update-new-iv-to-device-in-multiple-operations.patch @@ -0,0 +1,92 @@ +From c1c214adcb56d36433480c8fedf772498e7e539c Mon Sep 17 00:00:00 2001 +From: Zhang Zhijie +Date: Wed, 13 Feb 2019 16:24:39 +0800 +Subject: crypto: rockchip - update new iv to device in multiple operations + +From: Zhang Zhijie + +commit c1c214adcb56d36433480c8fedf772498e7e539c upstream. + +For chain mode in cipher(eg. AES-CBC/DES-CBC), the iv is continuously +updated in the operation. The new iv value should be written to device +register by software. + +Reported-by: Eric Biggers +Fixes: 433cd2c617bf ("crypto: rockchip - add crypto driver for rk3288") +Cc: # v4.5+ +Signed-off-by: Zhang Zhijie +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/rockchip/rk3288_crypto.h | 1 + drivers/crypto/rockchip/rk3288_crypto_ablkcipher.c | 34 +++++++++++++++++++++ + 2 files changed, 35 insertions(+) + +--- a/drivers/crypto/rockchip/rk3288_crypto.h ++++ b/drivers/crypto/rockchip/rk3288_crypto.h +@@ -245,6 +245,7 @@ struct rk_cipher_ctx { + struct rk_crypto_info *dev; + unsigned int keylen; + u32 mode; ++ u8 iv[AES_BLOCK_SIZE]; + }; + + enum alg_type { +--- a/drivers/crypto/rockchip/rk3288_crypto_ablkcipher.c ++++ b/drivers/crypto/rockchip/rk3288_crypto_ablkcipher.c +@@ -242,6 +242,17 @@ static void crypto_dma_start(struct rk_c + static int rk_set_data_start(struct rk_crypto_info *dev) + { + int err; ++ struct ablkcipher_request *req = ++ ablkcipher_request_cast(dev->async_req); ++ struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(req); ++ struct rk_cipher_ctx *ctx = crypto_ablkcipher_ctx(tfm); ++ u32 ivsize = crypto_ablkcipher_ivsize(tfm); ++ u8 *src_last_blk = page_address(sg_page(dev->sg_src)) + ++ dev->sg_src->offset + dev->sg_src->length - ivsize; ++ ++ /* store the iv that need to be updated in chain mode */ ++ if (ctx->mode & RK_CRYPTO_DEC) ++ memcpy(ctx->iv, src_last_blk, ivsize); + + err = dev->load_data(dev, dev->sg_src, dev->sg_dst); + if (!err) +@@ -286,6 +297,28 @@ static void rk_iv_copyback(struct rk_cry + memcpy_fromio(req->info, dev->reg + RK_CRYPTO_AES_IV_0, ivsize); + } + ++static void rk_update_iv(struct rk_crypto_info *dev) ++{ ++ struct ablkcipher_request *req = ++ ablkcipher_request_cast(dev->async_req); ++ struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(req); ++ struct rk_cipher_ctx *ctx = crypto_ablkcipher_ctx(tfm); ++ u32 ivsize = crypto_ablkcipher_ivsize(tfm); ++ u8 *new_iv = NULL; ++ ++ if (ctx->mode & RK_CRYPTO_DEC) { ++ new_iv = ctx->iv; ++ } else { ++ new_iv = page_address(sg_page(dev->sg_dst)) + ++ dev->sg_dst->offset + dev->sg_dst->length - ivsize; ++ } ++ ++ if (ivsize == DES_BLOCK_SIZE) ++ memcpy_toio(dev->reg + RK_CRYPTO_TDES_IV_0, new_iv, ivsize); ++ else if (ivsize == AES_BLOCK_SIZE) ++ memcpy_toio(dev->reg + RK_CRYPTO_AES_IV_0, new_iv, ivsize); ++} ++ + /* return: + * true some err was occurred + * fault no err, continue +@@ -307,6 +340,7 @@ static int rk_ablk_rx(struct rk_crypto_i + } + } + if (dev->left_bytes) { ++ rk_update_iv(dev); + if (dev->aligned) { + if (sg_is_last(dev->sg_src)) { + dev_err(dev->dev, "[%s:%d] Lack of data\n", diff --git a/queue-4.19/iio-adc-exynos-adc-fix-null-pointer-exception-on-unbind.patch b/queue-4.19/iio-adc-exynos-adc-fix-null-pointer-exception-on-unbind.patch new file mode 100644 index 00000000000..54bf2688d29 --- /dev/null +++ b/queue-4.19/iio-adc-exynos-adc-fix-null-pointer-exception-on-unbind.patch @@ -0,0 +1,48 @@ +From 2ea8bab4dd2a9014e723b28091831fa850b82d83 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sat, 9 Feb 2019 00:39:27 +0100 +Subject: iio: adc: exynos-adc: Fix NULL pointer exception on unbind + +From: Krzysztof Kozlowski + +commit 2ea8bab4dd2a9014e723b28091831fa850b82d83 upstream. + +Fix NULL pointer exception on device unbind when device tree does not +contain "has-touchscreen" property. In such case the input device is +not registered so it should not be unregistered. + + $ echo "12d10000.adc" > /sys/bus/platform/drivers/exynos-adc/unbind + + Unable to handle kernel NULL pointer dereference at virtual address 00000474 + ... + (input_unregister_device) from [] (exynos_adc_remove+0x20/0x80) + (exynos_adc_remove) from [] (platform_drv_remove+0x20/0x40) + (platform_drv_remove) from [] (device_release_driver_internal+0xdc/0x1ac) + (device_release_driver_internal) from [] (unbind_store+0x60/0xd4) + (unbind_store) from [] (kernfs_fop_write+0x100/0x1e0) + (kernfs_fop_write) from [] (__vfs_write+0x2c/0x17c) + (__vfs_write) from [] (vfs_write+0xa4/0x184) + (vfs_write) from [] (ksys_write+0x4c/0xac) + (ksys_write) from [] (ret_fast_syscall+0x0/0x28) + +Fixes: 2bb8ad9b44c5 ("iio: exynos-adc: add experimental touchscreen support") +Cc: +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/exynos_adc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/exynos_adc.c ++++ b/drivers/iio/adc/exynos_adc.c +@@ -915,7 +915,7 @@ static int exynos_adc_remove(struct plat + struct iio_dev *indio_dev = platform_get_drvdata(pdev); + struct exynos_adc *info = iio_priv(indio_dev); + +- if (IS_REACHABLE(CONFIG_INPUT)) { ++ if (IS_REACHABLE(CONFIG_INPUT) && info->input) { + free_irq(info->tsirq, info); + input_unregister_device(info->input); + } diff --git a/queue-4.19/mei-bus-move-hw-module-get-put-to-probe-release.patch b/queue-4.19/mei-bus-move-hw-module-get-put-to-probe-release.patch new file mode 100644 index 00000000000..86db68c7abf --- /dev/null +++ b/queue-4.19/mei-bus-move-hw-module-get-put-to-probe-release.patch @@ -0,0 +1,82 @@ +From b5958faa34e2f99f3475ad89c52d98dfea079d33 Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Mon, 25 Feb 2019 11:09:28 +0200 +Subject: mei: bus: move hw module get/put to probe/release + +From: Alexander Usyskin + +commit b5958faa34e2f99f3475ad89c52d98dfea079d33 upstream. + +Fix unbalanced module reference counting during internal reset, which +prevents the drivers unloading. +Tracking mei_me/txe modules on mei client bus via +mei_cldev_enable/disable is error prone due to possible internal +reset flow, where clients are disconnected underneath. +Moving reference counting to probe and release of mei bus client +driver solves this issue in simplest way, as each client provides only +a single connection to a client bus driver. + +Cc: +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/bus.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +--- a/drivers/misc/mei/bus.c ++++ b/drivers/misc/mei/bus.c +@@ -541,17 +541,9 @@ int mei_cldev_enable(struct mei_cl_devic + goto out; + } + +- if (!mei_cl_bus_module_get(cldev)) { +- dev_err(&cldev->dev, "get hw module failed"); +- ret = -ENODEV; +- goto out; +- } +- + ret = mei_cl_connect(cl, cldev->me_cl, NULL); +- if (ret < 0) { ++ if (ret < 0) + dev_err(&cldev->dev, "cannot connect\n"); +- mei_cl_bus_module_put(cldev); +- } + + out: + mutex_unlock(&bus->device_lock); +@@ -614,7 +606,6 @@ int mei_cldev_disable(struct mei_cl_devi + if (err < 0) + dev_err(bus->dev, "Could not disconnect from the ME client\n"); + +- mei_cl_bus_module_put(cldev); + out: + /* Flush queues and remove any pending read */ + mei_cl_flush_queues(cl, NULL); +@@ -725,9 +716,16 @@ static int mei_cl_device_probe(struct de + if (!id) + return -ENODEV; + ++ if (!mei_cl_bus_module_get(cldev)) { ++ dev_err(&cldev->dev, "get hw module failed"); ++ return -ENODEV; ++ } ++ + ret = cldrv->probe(cldev, id); +- if (ret) ++ if (ret) { ++ mei_cl_bus_module_put(cldev); + return ret; ++ } + + __module_get(THIS_MODULE); + return 0; +@@ -755,6 +753,7 @@ static int mei_cl_device_remove(struct d + + mei_cldev_unregister_callbacks(cldev); + ++ mei_cl_bus_module_put(cldev); + module_put(THIS_MODULE); + dev->driver = NULL; + return ret; diff --git a/queue-4.19/mei-hbm-clean-the-feature-flags-on-link-reset.patch b/queue-4.19/mei-hbm-clean-the-feature-flags-on-link-reset.patch new file mode 100644 index 00000000000..7123cf8a77d --- /dev/null +++ b/queue-4.19/mei-hbm-clean-the-feature-flags-on-link-reset.patch @@ -0,0 +1,61 @@ +From 37fd0b623023484ef6df79ed46f21f06ecc611ff Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Wed, 20 Feb 2019 16:55:37 +0200 +Subject: mei: hbm: clean the feature flags on link reset + +From: Alexander Usyskin + +commit 37fd0b623023484ef6df79ed46f21f06ecc611ff upstream. + +The list of supported functions can be altered upon link reset, +clean the flags to allow correct selections of supported +features. + +Cc: v4.19+ +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/hbm.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/misc/mei/hbm.c ++++ b/drivers/misc/mei/hbm.c +@@ -986,29 +986,36 @@ static void mei_hbm_config_features(stru + dev->version.minor_version >= HBM_MINOR_VERSION_PGI) + dev->hbm_f_pg_supported = 1; + ++ dev->hbm_f_dc_supported = 0; + if (dev->version.major_version >= HBM_MAJOR_VERSION_DC) + dev->hbm_f_dc_supported = 1; + ++ dev->hbm_f_ie_supported = 0; + if (dev->version.major_version >= HBM_MAJOR_VERSION_IE) + dev->hbm_f_ie_supported = 1; + + /* disconnect on connect timeout instead of link reset */ ++ dev->hbm_f_dot_supported = 0; + if (dev->version.major_version >= HBM_MAJOR_VERSION_DOT) + dev->hbm_f_dot_supported = 1; + + /* Notification Event Support */ ++ dev->hbm_f_ev_supported = 0; + if (dev->version.major_version >= HBM_MAJOR_VERSION_EV) + dev->hbm_f_ev_supported = 1; + + /* Fixed Address Client Support */ ++ dev->hbm_f_fa_supported = 0; + if (dev->version.major_version >= HBM_MAJOR_VERSION_FA) + dev->hbm_f_fa_supported = 1; + + /* OS ver message Support */ ++ dev->hbm_f_os_supported = 0; + if (dev->version.major_version >= HBM_MAJOR_VERSION_OS) + dev->hbm_f_os_supported = 1; + + /* DMA Ring Support */ ++ dev->hbm_f_dr_supported = 0; + if (dev->version.major_version > HBM_MAJOR_VERSION_DR || + (dev->version.major_version == HBM_MAJOR_VERSION_DR && + dev->version.minor_version >= HBM_MINOR_VERSION_DR)) diff --git a/queue-4.19/series b/queue-4.19/series index 3d87219b539..cba1302a227 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -1 +1,22 @@ media-videobuf2-v4l2-drop-warn_on-in-vb2_warn_zero_bytesused.patch +9p-use-inode-i_lock-to-protect-i_size_write-under-32-bit.patch +9p-net-fix-memory-leak-in-p9_client_create.patch +asoc-fsl_esai-fix-register-setting-issue-in-right_j-mode.patch +asoc-codecs-pcm186x-fix-wrong-usage-of-declare_tlv_db_scale.patch +asoc-codecs-pcm186x-fix-energysense-sleep-bit.patch +iio-adc-exynos-adc-fix-null-pointer-exception-on-unbind.patch +mei-hbm-clean-the-feature-flags-on-link-reset.patch +mei-bus-move-hw-module-get-put-to-probe-release.patch +stm-class-fix-an-endless-loop-in-channel-allocation.patch +crypto-caam-fix-hash-context-dma-unmap-size.patch +crypto-ccree-fix-missing-break-in-switch-statement.patch +crypto-caam-fixed-handling-of-sg-list.patch +crypto-caam-fix-dma-mapping-of-stack-memory.patch +crypto-ccree-fix-free-of-unallocated-mlli-buffer.patch +crypto-ccree-unmap-buffer-before-copying-iv.patch +crypto-ccree-don-t-copy-zero-size-ciphertext.patch +crypto-cfb-add-missing-chunksize-property.patch +crypto-cfb-remove-bogus-memcpy-with-src-dest.patch +crypto-ahash-fix-another-early-termination-in-hash-walk.patch +crypto-rockchip-fix-scatterlist-nents-error.patch +crypto-rockchip-update-new-iv-to-device-in-multiple-operations.patch diff --git a/queue-4.19/stm-class-fix-an-endless-loop-in-channel-allocation.patch b/queue-4.19/stm-class-fix-an-endless-loop-in-channel-allocation.patch new file mode 100644 index 00000000000..807645cbc45 --- /dev/null +++ b/queue-4.19/stm-class-fix-an-endless-loop-in-channel-allocation.patch @@ -0,0 +1,41 @@ +From a1d75dad3a2c689e70a1c4e0214cca9de741d0aa Mon Sep 17 00:00:00 2001 +From: Zhi Jin +Date: Thu, 6 Sep 2018 15:22:10 +0800 +Subject: stm class: Fix an endless loop in channel allocation + +From: Zhi Jin + +commit a1d75dad3a2c689e70a1c4e0214cca9de741d0aa upstream. + +There is a bug in the channel allocation logic that leads to an endless +loop when looking for a contiguous range of channels in a range with a +mixture of free and occupied channels. For example, opening three +consequtive channels, closing the first two and requesting 4 channels in +a row will trigger this soft lockup. The bug is that the search loop +forgets to skip over the range once it detects that one channel in that +range is occupied. + +Restore the original intent to the logic by fixing the omission. + +Signed-off-by: Zhi Jin +Signed-off-by: Alexander Shishkin +Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices") +CC: stable@vger.kernel.org # v4.4+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/stm/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/hwtracing/stm/core.c ++++ b/drivers/hwtracing/stm/core.c +@@ -244,6 +244,9 @@ static int find_free_channels(unsigned l + ; + if (i == width) + return pos; ++ ++ /* step over [pos..pos+i) to continue search */ ++ pos += i; + } + + return -1;