From 2ca142471db96ca381f1bf152fef529ad7ba0c81 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 4 Sep 2017 11:44:28 +0200 Subject: [PATCH] 4.9-stable patches added patches: crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch irqchip-mips-gic-sync-after-enabling-gic-region.patch --- ...ut_page-on-referenced-and-used-pages.patch | 43 +++++++++++++++ ...e-the-receive-length-for-block-reads.patch | 54 +++++++++++++++++++ ...ze-for-block-reads-with-bogus-length.patch | 40 ++++++++++++++ ...s-gic-sync-after-enabling-gic-region.patch | 54 +++++++++++++++++++ queue-4.9/series | 3 ++ 5 files changed, 194 insertions(+) create mode 100644 queue-4.9/crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch create mode 100644 queue-4.9/i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch create mode 100644 queue-4.9/i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch create mode 100644 queue-4.9/irqchip-mips-gic-sync-after-enabling-gic-region.patch diff --git a/queue-4.9/crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch b/queue-4.9/crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch new file mode 100644 index 00000000000..4dc5e1cfb2a --- /dev/null +++ b/queue-4.9/crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch @@ -0,0 +1,43 @@ +From 445a582738de6802669aeed9c33ca406c23c3b1f Mon Sep 17 00:00:00 2001 +From: Stephan Mueller +Date: Wed, 16 Aug 2017 11:56:24 +0200 +Subject: crypto: algif_skcipher - only call put_page on referenced and used pages + +From: Stephan Mueller + +commit 445a582738de6802669aeed9c33ca406c23c3b1f upstream. + +For asynchronous operation, SGs are allocated without a page mapped to +them or with a page that is not used (ref-counted). If the SGL is freed, +the code must only call put_page for an SG if there was a page assigned +and ref-counted in the first place. + +This fixes a kernel crash when using io_submit with more than one iocb +using the sendmsg and sendpage (vmsplice/splice) interface. + +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/algif_skcipher.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/crypto/algif_skcipher.c ++++ b/crypto/algif_skcipher.c +@@ -86,8 +86,13 @@ static void skcipher_free_async_sgls(str + } + sgl = sreq->tsg; + n = sg_nents(sgl); +- for_each_sg(sgl, sg, n, i) +- put_page(sg_page(sg)); ++ for_each_sg(sgl, sg, n, i) { ++ struct page *page = sg_page(sg); ++ ++ /* some SGs may not have a page mapped */ ++ if (page && page_ref_count(page)) ++ put_page(page); ++ } + + kfree(sreq->tsg); + } diff --git a/queue-4.9/i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch b/queue-4.9/i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch new file mode 100644 index 00000000000..30542da1297 --- /dev/null +++ b/queue-4.9/i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch @@ -0,0 +1,54 @@ +From b6c159a9cb69c2cf0bf59d4e12c3a2da77e4d994 Mon Sep 17 00:00:00 2001 +From: Stephen Douthit +Date: Mon, 7 Aug 2017 17:10:59 -0400 +Subject: i2c: ismt: Don't duplicate the receive length for block reads + +From: Stephen Douthit + +commit b6c159a9cb69c2cf0bf59d4e12c3a2da77e4d994 upstream. + +According to Table 15-14 of the C2000 EDS (Intel doc #510524) the +rx data pointed to by the descriptor dptr contains the byte count. + +desc->rxbytes reports all bytes read on the wire, including the +"byte count" byte. So if a device sends 4 bytes in response to a +block read, on the wire and in the DMA buffer we see: + +count data1 data2 data3 data4 + 0x04 0xde 0xad 0xbe 0xef + +That's what we want to return in data->block to the next level. + +Instead we were actually prefixing that with desc->rxbytes: + +bad +count count data1 data2 data3 data4 + 0x05 0x04 0xde 0xad 0xbe 0xef + +This was discovered while developing a BMC solution relying on the +ipmi_ssif.c driver which was trying to interpret the bogus length +field as part of the IPMI response. + +Signed-off-by: Stephen Douthit +Tested-by: Dan Priamo +Acked-by: Neil Horman +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-ismt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/i2c/busses/i2c-ismt.c ++++ b/drivers/i2c/busses/i2c-ismt.c +@@ -341,8 +341,8 @@ static int ismt_process_desc(const struc + break; + case I2C_SMBUS_BLOCK_DATA: + case I2C_SMBUS_I2C_BLOCK_DATA: +- memcpy(&data->block[1], dma_buffer, desc->rxbytes); +- data->block[0] = desc->rxbytes; ++ memcpy(data->block, dma_buffer, desc->rxbytes); ++ data->block[0] = desc->rxbytes - 1; + break; + } + return 0; diff --git a/queue-4.9/i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch b/queue-4.9/i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch new file mode 100644 index 00000000000..c5d01ff8d66 --- /dev/null +++ b/queue-4.9/i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch @@ -0,0 +1,40 @@ +From ba201c4f5ebe13d7819081756378777d8153f23e Mon Sep 17 00:00:00 2001 +From: Stephen Douthit +Date: Mon, 7 Aug 2017 17:11:00 -0400 +Subject: i2c: ismt: Return EMSGSIZE for block reads with bogus length + +From: Stephen Douthit + +commit ba201c4f5ebe13d7819081756378777d8153f23e upstream. + +Compare the number of bytes actually seen on the wire to the byte +count field returned by the slave device. + +Previously we just overwrote the byte count returned by the slave +with the real byte count and let the caller figure out if the +message was sane. + +Signed-off-by: Stephen Douthit +Tested-by: Dan Priamo +Acked-by: Neil Horman +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-ismt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-ismt.c ++++ b/drivers/i2c/busses/i2c-ismt.c +@@ -341,8 +341,10 @@ static int ismt_process_desc(const struc + break; + case I2C_SMBUS_BLOCK_DATA: + case I2C_SMBUS_I2C_BLOCK_DATA: ++ if (desc->rxbytes != dma_buffer[0] + 1) ++ return -EMSGSIZE; ++ + memcpy(data->block, dma_buffer, desc->rxbytes); +- data->block[0] = desc->rxbytes - 1; + break; + } + return 0; diff --git a/queue-4.9/irqchip-mips-gic-sync-after-enabling-gic-region.patch b/queue-4.9/irqchip-mips-gic-sync-after-enabling-gic-region.patch new file mode 100644 index 00000000000..429c1ea1eba --- /dev/null +++ b/queue-4.9/irqchip-mips-gic-sync-after-enabling-gic-region.patch @@ -0,0 +1,54 @@ +From 2c0e8382386f618c85d20cb05e7cf7df8cdd382c Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Sat, 12 Aug 2017 21:36:09 -0700 +Subject: irqchip: mips-gic: SYNC after enabling GIC region + +From: James Hogan + +commit 2c0e8382386f618c85d20cb05e7cf7df8cdd382c upstream. + +A SYNC is required between enabling the GIC region and actually trying +to use it, even if the first access is a read, otherwise its possible +depending on the timing (and in my case depending on the precise +alignment of certain kernel code) to hit CM bus errors on that first +access. + +Add the SYNC straight after setting the GIC base. + +[paul.burton@imgtec.com: + Changes later in this series increase our likelihood of hitting this + by reducing the amount of code that runs between enabling the GIC & + accessing it.] + +Fixes: a7057270c280 ("irqchip: mips-gic: Add device-tree support") +Signed-off-by: James Hogan +Signed-off-by: Paul Burton +Acked-by: Marc Zyngier +Cc: Thomas Gleixner +Cc: Jason Cooper +Cc: James Hogan +Cc: linux-kernel@vger.kernel.org +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/17019/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-mips-gic.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-mips-gic.c ++++ b/drivers/irqchip/irq-mips-gic.c +@@ -1115,8 +1115,11 @@ static int __init gic_of_init(struct dev + gic_len = resource_size(&res); + } + +- if (mips_cm_present()) ++ if (mips_cm_present()) { + write_gcr_gic_base(gic_base | CM_GCR_GIC_BASE_GICEN_MSK); ++ /* Ensure GIC region is enabled before trying to access it */ ++ __sync(); ++ } + gic_present = true; + + __gic_init(gic_base, gic_len, cpu_vec, 0, node); diff --git a/queue-4.9/series b/queue-4.9/series index bd2f86fb213..0cb55669aa9 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -1 +1,4 @@ irqchip-mips-gic-sync-after-enabling-gic-region.patch +i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch +i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch +crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch -- 2.47.3