From 9c55a72d1c38d31f954d4459ee9c07f6183d3f4d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 23 Jul 2019 11:00:25 +0200 Subject: [PATCH] 4.14-stable patches added patches: crypto-arm64-sha1-ce-correct-digest-for-empty-data-in-finup.patch crypto-arm64-sha2-ce-correct-digest-for-empty-data-in-finup.patch crypto-ccp-gcm-use-const-time-tag-comparison.patch crypto-ccp-memset-structure-fields-to-zero-before-reuse.patch crypto-ccp-validate-the-the-error-value-used-to-index-error-messages.patch crypto-chacha20poly1305-fix-atomic-sleep-when-using-async-algorithm.patch crypto-crypto4xx-fix-a-potential-double-free-in-ppc4xx_trng_probe.patch crypto-ghash-fix-unaligned-memory-access-in-ghash_setkey.patch revert-scsi-ncr5380-increase-register-polling-limit.patch scsi-core-fix-race-on-creating-sense-cache.patch scsi-mac_scsi-fix-pseudo-dma-implementation-take-2.patch scsi-mac_scsi-increase-pio-pdma-transfer-length-threshold.patch scsi-megaraid_sas-fix-calculation-of-target-id.patch scsi-ncr5380-always-re-enable-reselection-interrupt.patch scsi-ncr5380-reduce-goto-statements-in-ncr5380_select.patch --- ...rrect-digest-for-empty-data-in-finup.patch | 41 ++ ...rrect-digest-for-empty-data-in-finup.patch | 41 ++ ...cp-gcm-use-const-time-tag-comparison.patch | 34 ++ ...tructure-fields-to-zero-before-reuse.patch | 62 +++ ...r-value-used-to-index-error-messages.patch | 146 ++++++ ...mic-sleep-when-using-async-algorithm.patch | 195 +++++++ ...ial-double-free-in-ppc4xx_trng_probe.patch | 52 ++ ...ligned-memory-access-in-ghash_setkey.patch | 57 +++ ...5380-increase-register-polling-limit.patch | 43 ++ ...ore-fix-race-on-creating-sense-cache.patch | 55 ++ ...fix-pseudo-dma-implementation-take-2.patch | 484 ++++++++++++++++++ ...e-pio-pdma-transfer-length-threshold.patch | 62 +++ ...aid_sas-fix-calculation-of-target-id.patch | 39 ++ ...ways-re-enable-reselection-interrupt.patch | 93 ++++ ...ce-goto-statements-in-ncr5380_select.patch | 73 +++ queue-4.14/series | 15 + 16 files changed, 1492 insertions(+) create mode 100644 queue-4.14/crypto-arm64-sha1-ce-correct-digest-for-empty-data-in-finup.patch create mode 100644 queue-4.14/crypto-arm64-sha2-ce-correct-digest-for-empty-data-in-finup.patch create mode 100644 queue-4.14/crypto-ccp-gcm-use-const-time-tag-comparison.patch create mode 100644 queue-4.14/crypto-ccp-memset-structure-fields-to-zero-before-reuse.patch create mode 100644 queue-4.14/crypto-ccp-validate-the-the-error-value-used-to-index-error-messages.patch create mode 100644 queue-4.14/crypto-chacha20poly1305-fix-atomic-sleep-when-using-async-algorithm.patch create mode 100644 queue-4.14/crypto-crypto4xx-fix-a-potential-double-free-in-ppc4xx_trng_probe.patch create mode 100644 queue-4.14/crypto-ghash-fix-unaligned-memory-access-in-ghash_setkey.patch create mode 100644 queue-4.14/revert-scsi-ncr5380-increase-register-polling-limit.patch create mode 100644 queue-4.14/scsi-core-fix-race-on-creating-sense-cache.patch create mode 100644 queue-4.14/scsi-mac_scsi-fix-pseudo-dma-implementation-take-2.patch create mode 100644 queue-4.14/scsi-mac_scsi-increase-pio-pdma-transfer-length-threshold.patch create mode 100644 queue-4.14/scsi-megaraid_sas-fix-calculation-of-target-id.patch create mode 100644 queue-4.14/scsi-ncr5380-always-re-enable-reselection-interrupt.patch create mode 100644 queue-4.14/scsi-ncr5380-reduce-goto-statements-in-ncr5380_select.patch diff --git a/queue-4.14/crypto-arm64-sha1-ce-correct-digest-for-empty-data-in-finup.patch b/queue-4.14/crypto-arm64-sha1-ce-correct-digest-for-empty-data-in-finup.patch new file mode 100644 index 00000000000..1e200f56131 --- /dev/null +++ b/queue-4.14/crypto-arm64-sha1-ce-correct-digest-for-empty-data-in-finup.patch @@ -0,0 +1,41 @@ +From 1d4aaf16defa86d2665ae7db0259d6cb07e2091f Mon Sep 17 00:00:00 2001 +From: Elena Petrova +Date: Tue, 28 May 2019 13:41:52 +0100 +Subject: crypto: arm64/sha1-ce - correct digest for empty data in finup + +From: Elena Petrova + +commit 1d4aaf16defa86d2665ae7db0259d6cb07e2091f upstream. + +The sha1-ce finup implementation for ARM64 produces wrong digest +for empty input (len=0). Expected: da39a3ee..., result: 67452301... +(initial value of SHA internal state). The error is in sha1_ce_finup: +for empty data `finalize` will be 1, so the code is relying on +sha1_ce_transform to make the final round. However, in +sha1_base_do_update, the block function will not be called when +len == 0. + +Fix it by setting finalize to 0 if data is empty. + +Fixes: 07eb54d306f4 ("crypto: arm64/sha1-ce - move SHA-1 ARMv8 implementation to base layer") +Cc: stable@vger.kernel.org +Signed-off-by: Elena Petrova +Reviewed-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/crypto/sha1-ce-glue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/crypto/sha1-ce-glue.c ++++ b/arch/arm64/crypto/sha1-ce-glue.c +@@ -54,7 +54,7 @@ static int sha1_ce_finup(struct shash_de + unsigned int len, u8 *out) + { + struct sha1_ce_state *sctx = shash_desc_ctx(desc); +- bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE); ++ bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE) && len; + + if (!may_use_simd()) + return crypto_sha1_finup(desc, data, len, out); diff --git a/queue-4.14/crypto-arm64-sha2-ce-correct-digest-for-empty-data-in-finup.patch b/queue-4.14/crypto-arm64-sha2-ce-correct-digest-for-empty-data-in-finup.patch new file mode 100644 index 00000000000..407c07cdc37 --- /dev/null +++ b/queue-4.14/crypto-arm64-sha2-ce-correct-digest-for-empty-data-in-finup.patch @@ -0,0 +1,41 @@ +From 6bd934de1e393466b319d29c4427598fda096c57 Mon Sep 17 00:00:00 2001 +From: Elena Petrova +Date: Tue, 28 May 2019 15:35:06 +0100 +Subject: crypto: arm64/sha2-ce - correct digest for empty data in finup + +From: Elena Petrova + +commit 6bd934de1e393466b319d29c4427598fda096c57 upstream. + +The sha256-ce finup implementation for ARM64 produces wrong digest +for empty input (len=0). Expected: the actual digest, result: initial +value of SHA internal state. The error is in sha256_ce_finup: +for empty data `finalize` will be 1, so the code is relying on +sha2_ce_transform to make the final round. However, in +sha256_base_do_update, the block function will not be called when +len == 0. + +Fix it by setting finalize to 0 if data is empty. + +Fixes: 03802f6a80b3a ("crypto: arm64/sha2-ce - move SHA-224/256 ARMv8 implementation to base layer") +Cc: stable@vger.kernel.org +Signed-off-by: Elena Petrova +Reviewed-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/crypto/sha2-ce-glue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/crypto/sha2-ce-glue.c ++++ b/arch/arm64/crypto/sha2-ce-glue.c +@@ -59,7 +59,7 @@ static int sha256_ce_finup(struct shash_ + unsigned int len, u8 *out) + { + struct sha256_ce_state *sctx = shash_desc_ctx(desc); +- bool finalize = !sctx->sst.count && !(len % SHA256_BLOCK_SIZE); ++ bool finalize = !sctx->sst.count && !(len % SHA256_BLOCK_SIZE) && len; + + if (!may_use_simd()) { + if (len) diff --git a/queue-4.14/crypto-ccp-gcm-use-const-time-tag-comparison.patch b/queue-4.14/crypto-ccp-gcm-use-const-time-tag-comparison.patch new file mode 100644 index 00000000000..e8c898a8fc6 --- /dev/null +++ b/queue-4.14/crypto-ccp-gcm-use-const-time-tag-comparison.patch @@ -0,0 +1,34 @@ +From 538a5a072e6ef04377b180ee9b3ce5bae0a85da4 Mon Sep 17 00:00:00 2001 +From: Cfir Cohen +Date: Tue, 2 Jul 2019 10:32:56 -0700 +Subject: crypto: ccp/gcm - use const time tag comparison. + +From: Cfir Cohen + +commit 538a5a072e6ef04377b180ee9b3ce5bae0a85da4 upstream. + +Avoid leaking GCM tag through timing side channel. + +Fixes: 36cf515b9bbe ("crypto: ccp - Enable support for AES GCM on v5 CCPs") +Cc: # v4.12+ +Signed-off-by: Cfir Cohen +Acked-by: Gary R Hook +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-ops.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/crypto/ccp/ccp-ops.c ++++ b/drivers/crypto/ccp/ccp-ops.c +@@ -832,7 +832,8 @@ static int ccp_run_aes_gcm_cmd(struct cc + goto e_tag; + ccp_set_dm_area(&tag, 0, p_tag, 0, AES_BLOCK_SIZE); + +- ret = memcmp(tag.address, final_wa.address, AES_BLOCK_SIZE); ++ ret = crypto_memneq(tag.address, final_wa.address, ++ AES_BLOCK_SIZE) ? -EBADMSG : 0; + ccp_dm_free(&tag); + } + diff --git a/queue-4.14/crypto-ccp-memset-structure-fields-to-zero-before-reuse.patch b/queue-4.14/crypto-ccp-memset-structure-fields-to-zero-before-reuse.patch new file mode 100644 index 00000000000..5b7c6909ac1 --- /dev/null +++ b/queue-4.14/crypto-ccp-memset-structure-fields-to-zero-before-reuse.patch @@ -0,0 +1,62 @@ +From 20e833dc36355ed642d00067641a679c618303fa Mon Sep 17 00:00:00 2001 +From: "Hook, Gary" +Date: Wed, 10 Jul 2019 00:09:22 +0000 +Subject: crypto: ccp - memset structure fields to zero before reuse + +From: Hook, Gary + +commit 20e833dc36355ed642d00067641a679c618303fa upstream. + +The AES GCM function reuses an 'op' data structure, which members +contain values that must be cleared for each (re)use. + +This fix resolves a crypto self-test failure: +alg: aead: gcm-aes-ccp encryption test failed (wrong result) on test vector 2, cfg="two even aligned splits" + +Fixes: 36cf515b9bbe ("crypto: ccp - Enable support for AES GCM on v5 CCPs") +Cc: +Signed-off-by: Gary R Hook +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-ops.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/crypto/ccp/ccp-ops.c ++++ b/drivers/crypto/ccp/ccp-ops.c +@@ -612,6 +612,7 @@ static int ccp_run_aes_gcm_cmd(struct cc + + unsigned long long *final; + unsigned int dm_offset; ++ unsigned int jobid; + unsigned int ilen; + bool in_place = true; /* Default value */ + int ret; +@@ -650,9 +651,11 @@ static int ccp_run_aes_gcm_cmd(struct cc + p_tag = scatterwalk_ffwd(sg_tag, p_inp, ilen); + } + ++ jobid = CCP_NEW_JOBID(cmd_q->ccp); ++ + memset(&op, 0, sizeof(op)); + op.cmd_q = cmd_q; +- op.jobid = CCP_NEW_JOBID(cmd_q->ccp); ++ op.jobid = jobid; + op.sb_key = cmd_q->sb_key; /* Pre-allocated */ + op.sb_ctx = cmd_q->sb_ctx; /* Pre-allocated */ + op.init = 1; +@@ -797,6 +800,13 @@ static int ccp_run_aes_gcm_cmd(struct cc + final[0] = cpu_to_be64(aes->aad_len * 8); + final[1] = cpu_to_be64(ilen * 8); + ++ memset(&op, 0, sizeof(op)); ++ op.cmd_q = cmd_q; ++ op.jobid = jobid; ++ op.sb_key = cmd_q->sb_key; /* Pre-allocated */ ++ op.sb_ctx = cmd_q->sb_ctx; /* Pre-allocated */ ++ op.init = 1; ++ op.u.aes.type = aes->type; + op.u.aes.mode = CCP_AES_MODE_GHASH; + op.u.aes.action = CCP_AES_GHASHFINAL; + op.src.type = CCP_MEMTYPE_SYSTEM; diff --git a/queue-4.14/crypto-ccp-validate-the-the-error-value-used-to-index-error-messages.patch b/queue-4.14/crypto-ccp-validate-the-the-error-value-used-to-index-error-messages.patch new file mode 100644 index 00000000000..d565b1429e9 --- /dev/null +++ b/queue-4.14/crypto-ccp-validate-the-the-error-value-used-to-index-error-messages.patch @@ -0,0 +1,146 @@ +From 52393d617af7b554f03531e6756facf2ea687d2e Mon Sep 17 00:00:00 2001 +From: "Hook, Gary" +Date: Thu, 27 Jun 2019 16:16:23 +0000 +Subject: crypto: ccp - Validate the the error value used to index error messages + +From: Hook, Gary + +commit 52393d617af7b554f03531e6756facf2ea687d2e upstream. + +The error code read from the queue status register is only 6 bits wide, +but we need to verify its value is within range before indexing the error +messages. + +Fixes: 81422badb3907 ("crypto: ccp - Make syslog errors human-readable") +Cc: +Reported-by: Cfir Cohen +Signed-off-by: Gary R Hook +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-dev.c | 96 ++++++++++++++++++++++--------------------- + drivers/crypto/ccp/ccp-dev.h | 2 + 2 files changed, 52 insertions(+), 46 deletions(-) + +--- a/drivers/crypto/ccp/ccp-dev.c ++++ b/drivers/crypto/ccp/ccp-dev.c +@@ -35,56 +35,62 @@ struct ccp_tasklet_data { + }; + + /* Human-readable error strings */ ++#define CCP_MAX_ERROR_CODE 64 + static char *ccp_error_codes[] = { + "", +- "ERR 01: ILLEGAL_ENGINE", +- "ERR 02: ILLEGAL_KEY_ID", +- "ERR 03: ILLEGAL_FUNCTION_TYPE", +- "ERR 04: ILLEGAL_FUNCTION_MODE", +- "ERR 05: ILLEGAL_FUNCTION_ENCRYPT", +- "ERR 06: ILLEGAL_FUNCTION_SIZE", +- "ERR 07: Zlib_MISSING_INIT_EOM", +- "ERR 08: ILLEGAL_FUNCTION_RSVD", +- "ERR 09: ILLEGAL_BUFFER_LENGTH", +- "ERR 10: VLSB_FAULT", +- "ERR 11: ILLEGAL_MEM_ADDR", +- "ERR 12: ILLEGAL_MEM_SEL", +- "ERR 13: ILLEGAL_CONTEXT_ID", +- "ERR 14: ILLEGAL_KEY_ADDR", +- "ERR 15: 0xF Reserved", +- "ERR 16: Zlib_ILLEGAL_MULTI_QUEUE", +- "ERR 17: Zlib_ILLEGAL_JOBID_CHANGE", +- "ERR 18: CMD_TIMEOUT", +- "ERR 19: IDMA0_AXI_SLVERR", +- "ERR 20: IDMA0_AXI_DECERR", +- "ERR 21: 0x15 Reserved", +- "ERR 22: IDMA1_AXI_SLAVE_FAULT", +- "ERR 23: IDMA1_AIXI_DECERR", +- "ERR 24: 0x18 Reserved", +- "ERR 25: ZLIBVHB_AXI_SLVERR", +- "ERR 26: ZLIBVHB_AXI_DECERR", +- "ERR 27: 0x1B Reserved", +- "ERR 27: ZLIB_UNEXPECTED_EOM", +- "ERR 27: ZLIB_EXTRA_DATA", +- "ERR 30: ZLIB_BTYPE", +- "ERR 31: ZLIB_UNDEFINED_SYMBOL", +- "ERR 32: ZLIB_UNDEFINED_DISTANCE_S", +- "ERR 33: ZLIB_CODE_LENGTH_SYMBOL", +- "ERR 34: ZLIB _VHB_ILLEGAL_FETCH", +- "ERR 35: ZLIB_UNCOMPRESSED_LEN", +- "ERR 36: ZLIB_LIMIT_REACHED", +- "ERR 37: ZLIB_CHECKSUM_MISMATCH0", +- "ERR 38: ODMA0_AXI_SLVERR", +- "ERR 39: ODMA0_AXI_DECERR", +- "ERR 40: 0x28 Reserved", +- "ERR 41: ODMA1_AXI_SLVERR", +- "ERR 42: ODMA1_AXI_DECERR", +- "ERR 43: LSB_PARITY_ERR", ++ "ILLEGAL_ENGINE", ++ "ILLEGAL_KEY_ID", ++ "ILLEGAL_FUNCTION_TYPE", ++ "ILLEGAL_FUNCTION_MODE", ++ "ILLEGAL_FUNCTION_ENCRYPT", ++ "ILLEGAL_FUNCTION_SIZE", ++ "Zlib_MISSING_INIT_EOM", ++ "ILLEGAL_FUNCTION_RSVD", ++ "ILLEGAL_BUFFER_LENGTH", ++ "VLSB_FAULT", ++ "ILLEGAL_MEM_ADDR", ++ "ILLEGAL_MEM_SEL", ++ "ILLEGAL_CONTEXT_ID", ++ "ILLEGAL_KEY_ADDR", ++ "0xF Reserved", ++ "Zlib_ILLEGAL_MULTI_QUEUE", ++ "Zlib_ILLEGAL_JOBID_CHANGE", ++ "CMD_TIMEOUT", ++ "IDMA0_AXI_SLVERR", ++ "IDMA0_AXI_DECERR", ++ "0x15 Reserved", ++ "IDMA1_AXI_SLAVE_FAULT", ++ "IDMA1_AIXI_DECERR", ++ "0x18 Reserved", ++ "ZLIBVHB_AXI_SLVERR", ++ "ZLIBVHB_AXI_DECERR", ++ "0x1B Reserved", ++ "ZLIB_UNEXPECTED_EOM", ++ "ZLIB_EXTRA_DATA", ++ "ZLIB_BTYPE", ++ "ZLIB_UNDEFINED_SYMBOL", ++ "ZLIB_UNDEFINED_DISTANCE_S", ++ "ZLIB_CODE_LENGTH_SYMBOL", ++ "ZLIB _VHB_ILLEGAL_FETCH", ++ "ZLIB_UNCOMPRESSED_LEN", ++ "ZLIB_LIMIT_REACHED", ++ "ZLIB_CHECKSUM_MISMATCH0", ++ "ODMA0_AXI_SLVERR", ++ "ODMA0_AXI_DECERR", ++ "0x28 Reserved", ++ "ODMA1_AXI_SLVERR", ++ "ODMA1_AXI_DECERR", + }; + +-void ccp_log_error(struct ccp_device *d, int e) ++void ccp_log_error(struct ccp_device *d, unsigned int e) + { +- dev_err(d->dev, "CCP error: %s (0x%x)\n", ccp_error_codes[e], e); ++ if (WARN_ON(e >= CCP_MAX_ERROR_CODE)) ++ return; ++ ++ if (e < ARRAY_SIZE(ccp_error_codes)) ++ dev_err(d->dev, "CCP error %d: %s\n", e, ccp_error_codes[e]); ++ else ++ dev_err(d->dev, "CCP error %d: Unknown Error\n", e); + } + + /* List of CCPs, CCP count, read-write access lock, and access functions +--- a/drivers/crypto/ccp/ccp-dev.h ++++ b/drivers/crypto/ccp/ccp-dev.h +@@ -632,7 +632,7 @@ struct ccp5_desc { + void ccp_add_device(struct ccp_device *ccp); + void ccp_del_device(struct ccp_device *ccp); + +-extern void ccp_log_error(struct ccp_device *, int); ++extern void ccp_log_error(struct ccp_device *, unsigned int); + + struct ccp_device *ccp_alloc_struct(struct sp_device *sp); + bool ccp_queues_suspended(struct ccp_device *ccp); diff --git a/queue-4.14/crypto-chacha20poly1305-fix-atomic-sleep-when-using-async-algorithm.patch b/queue-4.14/crypto-chacha20poly1305-fix-atomic-sleep-when-using-async-algorithm.patch new file mode 100644 index 00000000000..2cce6b76029 --- /dev/null +++ b/queue-4.14/crypto-chacha20poly1305-fix-atomic-sleep-when-using-async-algorithm.patch @@ -0,0 +1,195 @@ +From 7545b6c2087f4ef0287c8c9b7eba6a728c67ff8e Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Fri, 31 May 2019 11:12:30 -0700 +Subject: crypto: chacha20poly1305 - fix atomic sleep when using async algorithm + +From: Eric Biggers + +commit 7545b6c2087f4ef0287c8c9b7eba6a728c67ff8e upstream. + +Clear the CRYPTO_TFM_REQ_MAY_SLEEP flag when the chacha20poly1305 +operation is being continued from an async completion callback, since +sleeping may not be allowed in that context. + +This is basically the same bug that was recently fixed in the xts and +lrw templates. But, it's always been broken in chacha20poly1305 too. +This was found using syzkaller in combination with the updated crypto +self-tests which actually test the MAY_SLEEP flag now. + +Reproducer: + + python -c 'import socket; socket.socket(socket.AF_ALG, 5, 0).bind( + ("aead", "rfc7539(cryptd(chacha20-generic),poly1305-generic)"))' + +Kernel output: + + BUG: sleeping function called from invalid context at include/crypto/algapi.h:426 + in_atomic(): 1, irqs_disabled(): 0, pid: 1001, name: kworker/2:2 + [...] + CPU: 2 PID: 1001 Comm: kworker/2:2 Not tainted 5.2.0-rc2 #5 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014 + Workqueue: crypto cryptd_queue_worker + Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x4d/0x6a lib/dump_stack.c:113 + ___might_sleep kernel/sched/core.c:6138 [inline] + ___might_sleep.cold.19+0x8e/0x9f kernel/sched/core.c:6095 + crypto_yield include/crypto/algapi.h:426 [inline] + crypto_hash_walk_done+0xd6/0x100 crypto/ahash.c:113 + shash_ahash_update+0x41/0x60 crypto/shash.c:251 + shash_async_update+0xd/0x10 crypto/shash.c:260 + crypto_ahash_update include/crypto/hash.h:539 [inline] + poly_setkey+0xf6/0x130 crypto/chacha20poly1305.c:337 + poly_init+0x51/0x60 crypto/chacha20poly1305.c:364 + async_done_continue crypto/chacha20poly1305.c:78 [inline] + poly_genkey_done+0x15/0x30 crypto/chacha20poly1305.c:369 + cryptd_skcipher_complete+0x29/0x70 crypto/cryptd.c:279 + cryptd_skcipher_decrypt+0xcd/0x110 crypto/cryptd.c:339 + cryptd_queue_worker+0x70/0xa0 crypto/cryptd.c:184 + process_one_work+0x1ed/0x420 kernel/workqueue.c:2269 + worker_thread+0x3e/0x3a0 kernel/workqueue.c:2415 + kthread+0x11f/0x140 kernel/kthread.c:255 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352 + +Fixes: 71ebc4d1b27d ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539") +Cc: # v4.2+ +Cc: Martin Willi +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/chacha20poly1305.c | 30 +++++++++++++++++++----------- + 1 file changed, 19 insertions(+), 11 deletions(-) + +--- a/crypto/chacha20poly1305.c ++++ b/crypto/chacha20poly1305.c +@@ -67,6 +67,8 @@ struct chachapoly_req_ctx { + unsigned int cryptlen; + /* Actual AD, excluding IV */ + unsigned int assoclen; ++ /* request flags, with MAY_SLEEP cleared if needed */ ++ u32 flags; + union { + struct poly_req poly; + struct chacha_req chacha; +@@ -76,8 +78,12 @@ struct chachapoly_req_ctx { + static inline void async_done_continue(struct aead_request *req, int err, + int (*cont)(struct aead_request *)) + { +- if (!err) ++ if (!err) { ++ struct chachapoly_req_ctx *rctx = aead_request_ctx(req); ++ ++ rctx->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP; + err = cont(req); ++ } + + if (err != -EINPROGRESS && err != -EBUSY) + aead_request_complete(req, err); +@@ -144,7 +150,7 @@ static int chacha_decrypt(struct aead_re + dst = scatterwalk_ffwd(rctx->dst, req->dst, req->assoclen); + } + +- skcipher_request_set_callback(&creq->req, aead_request_flags(req), ++ skcipher_request_set_callback(&creq->req, rctx->flags, + chacha_decrypt_done, req); + skcipher_request_set_tfm(&creq->req, ctx->chacha); + skcipher_request_set_crypt(&creq->req, src, dst, +@@ -188,7 +194,7 @@ static int poly_tail(struct aead_request + memcpy(&preq->tail.cryptlen, &len, sizeof(len)); + sg_set_buf(preq->src, &preq->tail, sizeof(preq->tail)); + +- ahash_request_set_callback(&preq->req, aead_request_flags(req), ++ ahash_request_set_callback(&preq->req, rctx->flags, + poly_tail_done, req); + ahash_request_set_tfm(&preq->req, ctx->poly); + ahash_request_set_crypt(&preq->req, preq->src, +@@ -219,7 +225,7 @@ static int poly_cipherpad(struct aead_re + sg_init_table(preq->src, 1); + sg_set_buf(preq->src, &preq->pad, padlen); + +- ahash_request_set_callback(&preq->req, aead_request_flags(req), ++ ahash_request_set_callback(&preq->req, rctx->flags, + poly_cipherpad_done, req); + ahash_request_set_tfm(&preq->req, ctx->poly); + ahash_request_set_crypt(&preq->req, preq->src, NULL, padlen); +@@ -250,7 +256,7 @@ static int poly_cipher(struct aead_reque + sg_init_table(rctx->src, 2); + crypt = scatterwalk_ffwd(rctx->src, crypt, req->assoclen); + +- ahash_request_set_callback(&preq->req, aead_request_flags(req), ++ ahash_request_set_callback(&preq->req, rctx->flags, + poly_cipher_done, req); + ahash_request_set_tfm(&preq->req, ctx->poly); + ahash_request_set_crypt(&preq->req, crypt, NULL, rctx->cryptlen); +@@ -280,7 +286,7 @@ static int poly_adpad(struct aead_reques + sg_init_table(preq->src, 1); + sg_set_buf(preq->src, preq->pad, padlen); + +- ahash_request_set_callback(&preq->req, aead_request_flags(req), ++ ahash_request_set_callback(&preq->req, rctx->flags, + poly_adpad_done, req); + ahash_request_set_tfm(&preq->req, ctx->poly); + ahash_request_set_crypt(&preq->req, preq->src, NULL, padlen); +@@ -304,7 +310,7 @@ static int poly_ad(struct aead_request * + struct poly_req *preq = &rctx->u.poly; + int err; + +- ahash_request_set_callback(&preq->req, aead_request_flags(req), ++ ahash_request_set_callback(&preq->req, rctx->flags, + poly_ad_done, req); + ahash_request_set_tfm(&preq->req, ctx->poly); + ahash_request_set_crypt(&preq->req, req->src, NULL, rctx->assoclen); +@@ -331,7 +337,7 @@ static int poly_setkey(struct aead_reque + sg_init_table(preq->src, 1); + sg_set_buf(preq->src, rctx->key, sizeof(rctx->key)); + +- ahash_request_set_callback(&preq->req, aead_request_flags(req), ++ ahash_request_set_callback(&preq->req, rctx->flags, + poly_setkey_done, req); + ahash_request_set_tfm(&preq->req, ctx->poly); + ahash_request_set_crypt(&preq->req, preq->src, NULL, sizeof(rctx->key)); +@@ -355,7 +361,7 @@ static int poly_init(struct aead_request + struct poly_req *preq = &rctx->u.poly; + int err; + +- ahash_request_set_callback(&preq->req, aead_request_flags(req), ++ ahash_request_set_callback(&preq->req, rctx->flags, + poly_init_done, req); + ahash_request_set_tfm(&preq->req, ctx->poly); + +@@ -393,7 +399,7 @@ static int poly_genkey(struct aead_reque + + chacha_iv(creq->iv, req, 0); + +- skcipher_request_set_callback(&creq->req, aead_request_flags(req), ++ skcipher_request_set_callback(&creq->req, rctx->flags, + poly_genkey_done, req); + skcipher_request_set_tfm(&creq->req, ctx->chacha); + skcipher_request_set_crypt(&creq->req, creq->src, creq->src, +@@ -433,7 +439,7 @@ static int chacha_encrypt(struct aead_re + dst = scatterwalk_ffwd(rctx->dst, req->dst, req->assoclen); + } + +- skcipher_request_set_callback(&creq->req, aead_request_flags(req), ++ skcipher_request_set_callback(&creq->req, rctx->flags, + chacha_encrypt_done, req); + skcipher_request_set_tfm(&creq->req, ctx->chacha); + skcipher_request_set_crypt(&creq->req, src, dst, +@@ -451,6 +457,7 @@ static int chachapoly_encrypt(struct aea + struct chachapoly_req_ctx *rctx = aead_request_ctx(req); + + rctx->cryptlen = req->cryptlen; ++ rctx->flags = aead_request_flags(req); + + /* encrypt call chain: + * - chacha_encrypt/done() +@@ -472,6 +479,7 @@ static int chachapoly_decrypt(struct aea + struct chachapoly_req_ctx *rctx = aead_request_ctx(req); + + rctx->cryptlen = req->cryptlen - POLY1305_DIGEST_SIZE; ++ rctx->flags = aead_request_flags(req); + + /* decrypt call chain: + * - poly_genkey/done() diff --git a/queue-4.14/crypto-crypto4xx-fix-a-potential-double-free-in-ppc4xx_trng_probe.patch b/queue-4.14/crypto-crypto4xx-fix-a-potential-double-free-in-ppc4xx_trng_probe.patch new file mode 100644 index 00000000000..af6e3b5108b --- /dev/null +++ b/queue-4.14/crypto-crypto4xx-fix-a-potential-double-free-in-ppc4xx_trng_probe.patch @@ -0,0 +1,52 @@ +From 95566aa75cd6b3b404502c06f66956b5481194b3 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Mon, 8 Jul 2019 14:19:03 +0800 +Subject: crypto: crypto4xx - fix a potential double free in ppc4xx_trng_probe + +From: Wen Yang + +commit 95566aa75cd6b3b404502c06f66956b5481194b3 upstream. + +There is a possible double free issue in ppc4xx_trng_probe(): + +85: dev->trng_base = of_iomap(trng, 0); +86: of_node_put(trng); ---> released here +87: if (!dev->trng_base) +88: goto err_out; +... +110: ierr_out: +111: of_node_put(trng); ---> double released here +... + +This issue was detected by using the Coccinelle software. +We fix it by removing the unnecessary of_node_put(). + +Fixes: 5343e674f32f ("crypto4xx: integrate ppc4xx-rng into crypto4xx") +Signed-off-by: Wen Yang +Cc: +Cc: "David S. Miller" +Cc: Thomas Gleixner +Cc: Greg Kroah-Hartman +Cc: Allison Randal +Cc: Armijn Hemel +Cc: Julia Lawall +Cc: linux-crypto@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Acked-by: Julia Lawall +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/amcc/crypto4xx_trng.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/crypto/amcc/crypto4xx_trng.c ++++ b/drivers/crypto/amcc/crypto4xx_trng.c +@@ -111,7 +111,6 @@ void ppc4xx_trng_probe(struct crypto4xx_ + return; + + err_out: +- of_node_put(trng); + iounmap(dev->trng_base); + kfree(rng); + dev->trng_base = NULL; diff --git a/queue-4.14/crypto-ghash-fix-unaligned-memory-access-in-ghash_setkey.patch b/queue-4.14/crypto-ghash-fix-unaligned-memory-access-in-ghash_setkey.patch new file mode 100644 index 00000000000..0305b7f393d --- /dev/null +++ b/queue-4.14/crypto-ghash-fix-unaligned-memory-access-in-ghash_setkey.patch @@ -0,0 +1,57 @@ +From 5c6bc4dfa515738149998bb0db2481a4fdead979 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 30 May 2019 10:50:39 -0700 +Subject: crypto: ghash - fix unaligned memory access in ghash_setkey() + +From: Eric Biggers + +commit 5c6bc4dfa515738149998bb0db2481a4fdead979 upstream. + +Changing ghash_mod_init() to be subsys_initcall made it start running +before the alignment fault handler has been installed on ARM. In kernel +builds where the keys in the ghash test vectors happened to be +misaligned in the kernel image, this exposed the longstanding bug that +ghash_setkey() is incorrectly casting the key buffer (which can have any +alignment) to be128 for passing to gf128mul_init_4k_lle(). + +Fix this by memcpy()ing the key to a temporary buffer. + +Don't fix it by setting an alignmask on the algorithm instead because +that would unnecessarily force alignment of the data too. + +Fixes: 2cdc6899a88e ("crypto: ghash - Add GHASH digest algorithm for GCM") +Reported-by: Peter Robinson +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Tested-by: Peter Robinson +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/ghash-generic.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/crypto/ghash-generic.c ++++ b/crypto/ghash-generic.c +@@ -34,6 +34,7 @@ static int ghash_setkey(struct crypto_sh + const u8 *key, unsigned int keylen) + { + struct ghash_ctx *ctx = crypto_shash_ctx(tfm); ++ be128 k; + + if (keylen != GHASH_BLOCK_SIZE) { + crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); +@@ -42,7 +43,12 @@ static int ghash_setkey(struct crypto_sh + + if (ctx->gf128) + gf128mul_free_4k(ctx->gf128); +- ctx->gf128 = gf128mul_init_4k_lle((be128 *)key); ++ ++ BUILD_BUG_ON(sizeof(k) != GHASH_BLOCK_SIZE); ++ memcpy(&k, key, GHASH_BLOCK_SIZE); /* avoid violating alignment rules */ ++ ctx->gf128 = gf128mul_init_4k_lle(&k); ++ memzero_explicit(&k, GHASH_BLOCK_SIZE); ++ + if (!ctx->gf128) + return -ENOMEM; + diff --git a/queue-4.14/revert-scsi-ncr5380-increase-register-polling-limit.patch b/queue-4.14/revert-scsi-ncr5380-increase-register-polling-limit.patch new file mode 100644 index 00000000000..38ec9c3a938 --- /dev/null +++ b/queue-4.14/revert-scsi-ncr5380-increase-register-polling-limit.patch @@ -0,0 +1,43 @@ +From 25fcf94a2fa89dd3e73e965ebb0b38a2a4f72aa4 Mon Sep 17 00:00:00 2001 +From: Finn Thain +Date: Sun, 9 Jun 2019 11:19:11 +1000 +Subject: Revert "scsi: ncr5380: Increase register polling limit" + +From: Finn Thain + +commit 25fcf94a2fa89dd3e73e965ebb0b38a2a4f72aa4 upstream. + +This reverts commit 4822827a69d7cd3bc5a07b7637484ebd2cf88db6. + +The purpose of that commit was to suppress a timeout warning message which +appeared to be caused by target latency. But suppressing the warning is +undesirable as the warning may indicate a messed up transfer count. + +Another problem with that commit is that 15 ms is too long to keep +interrupts disabled as interrupt latency can cause system clock drift and +other problems. + +Cc: Michael Schmitz +Cc: stable@vger.kernel.org +Fixes: 4822827a69d7 ("scsi: ncr5380: Increase register polling limit") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Tested-by: Michael Schmitz +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/NCR5380.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/NCR5380.h ++++ b/drivers/scsi/NCR5380.h +@@ -235,7 +235,7 @@ struct NCR5380_cmd { + #define NCR5380_PIO_CHUNK_SIZE 256 + + /* Time limit (ms) to poll registers when IRQs are disabled, e.g. during PDMA */ +-#define NCR5380_REG_POLL_TIME 15 ++#define NCR5380_REG_POLL_TIME 10 + + static inline struct scsi_cmnd *NCR5380_to_scmd(struct NCR5380_cmd *ncmd_ptr) + { diff --git a/queue-4.14/scsi-core-fix-race-on-creating-sense-cache.patch b/queue-4.14/scsi-core-fix-race-on-creating-sense-cache.patch new file mode 100644 index 00000000000..9974501a574 --- /dev/null +++ b/queue-4.14/scsi-core-fix-race-on-creating-sense-cache.patch @@ -0,0 +1,55 @@ +From f9b0530fa02e0c73f31a49ef743e8f44eb8e32cc Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Fri, 12 Jul 2019 10:08:19 +0800 +Subject: scsi: core: Fix race on creating sense cache + +From: Ming Lei + +commit f9b0530fa02e0c73f31a49ef743e8f44eb8e32cc upstream. + +When scsi_init_sense_cache(host) is called concurrently from different +hosts, each code path may find that no cache has been created and +allocate a new one. The lack of locking can lead to potentially +overriding a cache allocated by a different host. + +Fix the issue by moving 'mutex_lock(&scsi_sense_cache_mutex)' before +scsi_select_sense_cache(). + +Fixes: 0a6ac4ee7c21 ("scsi: respect unchecked_isa_dma for blk-mq") +Cc: Stable +Cc: Christoph Hellwig +Cc: Hannes Reinecke +Cc: Ewan D. Milne +Signed-off-by: Ming Lei +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_lib.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -71,11 +71,11 @@ int scsi_init_sense_cache(struct Scsi_Ho + struct kmem_cache *cache; + int ret = 0; + ++ mutex_lock(&scsi_sense_cache_mutex); + cache = scsi_select_sense_cache(shost->unchecked_isa_dma); + if (cache) +- return 0; ++ goto exit; + +- mutex_lock(&scsi_sense_cache_mutex); + if (shost->unchecked_isa_dma) { + scsi_sense_isadma_cache = + kmem_cache_create("scsi_sense_cache(DMA)", +@@ -90,7 +90,7 @@ int scsi_init_sense_cache(struct Scsi_Ho + if (!scsi_sense_cache) + ret = -ENOMEM; + } +- ++ exit: + mutex_unlock(&scsi_sense_cache_mutex); + return ret; + } diff --git a/queue-4.14/scsi-mac_scsi-fix-pseudo-dma-implementation-take-2.patch b/queue-4.14/scsi-mac_scsi-fix-pseudo-dma-implementation-take-2.patch new file mode 100644 index 00000000000..89a88bf7df8 --- /dev/null +++ b/queue-4.14/scsi-mac_scsi-fix-pseudo-dma-implementation-take-2.patch @@ -0,0 +1,484 @@ +From 78ff751f8e6a9446e9fb26b2bff0b8d3f8974cbd Mon Sep 17 00:00:00 2001 +From: Finn Thain +Date: Sun, 9 Jun 2019 11:19:11 +1000 +Subject: scsi: mac_scsi: Fix pseudo DMA implementation, take 2 + +From: Finn Thain + +commit 78ff751f8e6a9446e9fb26b2bff0b8d3f8974cbd upstream. + +A system bus error during a PDMA transfer can mess up the calculation of +the transfer residual (the PDMA handshaking hardware lacks a byte +counter). This results in data corruption. + +The algorithm in this patch anticipates a bus error by starting each +transfer with a MOVE.B instruction. If a bus error is caught the transfer +will be retried. If a bus error is caught later in the transfer (for a +MOVE.W instruction) the transfer gets failed and subsequent requests for +that target will use PIO instead of PDMA. + +This avoids the "!REQ and !ACK" error so the severity level of that message +is reduced to KERN_DEBUG. + +Cc: Michael Schmitz +Cc: Geert Uytterhoeven +Cc: stable@vger.kernel.org # v4.14+ +Fixes: 3a0f64bfa907 ("mac_scsi: Fix pseudo DMA implementation") +Signed-off-by: Finn Thain +Reported-by: Chris Jones +Tested-by: Stan Johnson +Tested-by: Michael Schmitz +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/mac_scsi.c | 369 ++++++++++++++++++++++++++++-------------------- + 1 file changed, 217 insertions(+), 152 deletions(-) + +--- a/drivers/scsi/mac_scsi.c ++++ b/drivers/scsi/mac_scsi.c +@@ -3,6 +3,8 @@ + * + * Copyright 1998, Michael Schmitz + * ++ * Copyright 2019 Finn Thain ++ * + * derived in part from: + */ + /* +@@ -11,6 +13,7 @@ + * Copyright 1995, Russell King + */ + ++#include + #include + #include + #include +@@ -89,101 +92,217 @@ static int __init mac_scsi_setup(char *s + __setup("mac5380=", mac_scsi_setup); + #endif /* !MODULE */ + +-/* Pseudo DMA asm originally by Ove Edlund */ ++/* ++ * According to "Inside Macintosh: Devices", Mac OS requires disk drivers to ++ * specify the number of bytes between the delays expected from a SCSI target. ++ * This allows the operating system to "prevent bus errors when a target fails ++ * to deliver the next byte within the processor bus error timeout period." ++ * Linux SCSI drivers lack knowledge of the timing behaviour of SCSI targets ++ * so bus errors are unavoidable. ++ * ++ * If a MOVE.B instruction faults, we assume that zero bytes were transferred ++ * and simply retry. That assumption probably depends on target behaviour but ++ * seems to hold up okay. The NOP provides synchronization: without it the ++ * fault can sometimes occur after the program counter has moved past the ++ * offending instruction. Post-increment addressing can't be used. ++ */ ++ ++#define MOVE_BYTE(operands) \ ++ asm volatile ( \ ++ "1: moveb " operands " \n" \ ++ "11: nop \n" \ ++ " addq #1,%0 \n" \ ++ " subq #1,%1 \n" \ ++ "40: \n" \ ++ " \n" \ ++ ".section .fixup,\"ax\" \n" \ ++ ".even \n" \ ++ "90: movel #1, %2 \n" \ ++ " jra 40b \n" \ ++ ".previous \n" \ ++ " \n" \ ++ ".section __ex_table,\"a\" \n" \ ++ ".align 4 \n" \ ++ ".long 1b,90b \n" \ ++ ".long 11b,90b \n" \ ++ ".previous \n" \ ++ : "+a" (addr), "+r" (n), "+r" (result) : "a" (io)) + +-#define CP_IO_TO_MEM(s,d,n) \ +-__asm__ __volatile__ \ +- (" cmp.w #4,%2\n" \ +- " bls 8f\n" \ +- " move.w %1,%%d0\n" \ +- " neg.b %%d0\n" \ +- " and.w #3,%%d0\n" \ +- " sub.w %%d0,%2\n" \ +- " bra 2f\n" \ +- " 1: move.b (%0),(%1)+\n" \ +- " 2: dbf %%d0,1b\n" \ +- " move.w %2,%%d0\n" \ +- " lsr.w #5,%%d0\n" \ +- " bra 4f\n" \ +- " 3: move.l (%0),(%1)+\n" \ +- "31: move.l (%0),(%1)+\n" \ +- "32: move.l (%0),(%1)+\n" \ +- "33: move.l (%0),(%1)+\n" \ +- "34: move.l (%0),(%1)+\n" \ +- "35: move.l (%0),(%1)+\n" \ +- "36: move.l (%0),(%1)+\n" \ +- "37: move.l (%0),(%1)+\n" \ +- " 4: dbf %%d0,3b\n" \ +- " move.w %2,%%d0\n" \ +- " lsr.w #2,%%d0\n" \ +- " and.w #7,%%d0\n" \ +- " bra 6f\n" \ +- " 5: move.l (%0),(%1)+\n" \ +- " 6: dbf %%d0,5b\n" \ +- " and.w #3,%2\n" \ +- " bra 8f\n" \ +- " 7: move.b (%0),(%1)+\n" \ +- " 8: dbf %2,7b\n" \ +- " moveq.l #0, %2\n" \ +- " 9: \n" \ +- ".section .fixup,\"ax\"\n" \ +- " .even\n" \ +- "91: moveq.l #1, %2\n" \ +- " jra 9b\n" \ +- "94: moveq.l #4, %2\n" \ +- " jra 9b\n" \ +- ".previous\n" \ +- ".section __ex_table,\"a\"\n" \ +- " .align 4\n" \ +- " .long 1b,91b\n" \ +- " .long 3b,94b\n" \ +- " .long 31b,94b\n" \ +- " .long 32b,94b\n" \ +- " .long 33b,94b\n" \ +- " .long 34b,94b\n" \ +- " .long 35b,94b\n" \ +- " .long 36b,94b\n" \ +- " .long 37b,94b\n" \ +- " .long 5b,94b\n" \ +- " .long 7b,91b\n" \ +- ".previous" \ +- : "=a"(s), "=a"(d), "=d"(n) \ +- : "0"(s), "1"(d), "2"(n) \ +- : "d0") ++/* ++ * If a MOVE.W (or MOVE.L) instruction faults, it cannot be retried because ++ * the residual byte count would be uncertain. In that situation the MOVE_WORD ++ * macro clears n in the fixup section to abort the transfer. ++ */ ++ ++#define MOVE_WORD(operands) \ ++ asm volatile ( \ ++ "1: movew " operands " \n" \ ++ "11: nop \n" \ ++ " subq #2,%1 \n" \ ++ "40: \n" \ ++ " \n" \ ++ ".section .fixup,\"ax\" \n" \ ++ ".even \n" \ ++ "90: movel #0, %1 \n" \ ++ " movel #2, %2 \n" \ ++ " jra 40b \n" \ ++ ".previous \n" \ ++ " \n" \ ++ ".section __ex_table,\"a\" \n" \ ++ ".align 4 \n" \ ++ ".long 1b,90b \n" \ ++ ".long 11b,90b \n" \ ++ ".previous \n" \ ++ : "+a" (addr), "+r" (n), "+r" (result) : "a" (io)) ++ ++#define MOVE_16_WORDS(operands) \ ++ asm volatile ( \ ++ "1: movew " operands " \n" \ ++ "2: movew " operands " \n" \ ++ "3: movew " operands " \n" \ ++ "4: movew " operands " \n" \ ++ "5: movew " operands " \n" \ ++ "6: movew " operands " \n" \ ++ "7: movew " operands " \n" \ ++ "8: movew " operands " \n" \ ++ "9: movew " operands " \n" \ ++ "10: movew " operands " \n" \ ++ "11: movew " operands " \n" \ ++ "12: movew " operands " \n" \ ++ "13: movew " operands " \n" \ ++ "14: movew " operands " \n" \ ++ "15: movew " operands " \n" \ ++ "16: movew " operands " \n" \ ++ "17: nop \n" \ ++ " subl #32,%1 \n" \ ++ "40: \n" \ ++ " \n" \ ++ ".section .fixup,\"ax\" \n" \ ++ ".even \n" \ ++ "90: movel #0, %1 \n" \ ++ " movel #2, %2 \n" \ ++ " jra 40b \n" \ ++ ".previous \n" \ ++ " \n" \ ++ ".section __ex_table,\"a\" \n" \ ++ ".align 4 \n" \ ++ ".long 1b,90b \n" \ ++ ".long 2b,90b \n" \ ++ ".long 3b,90b \n" \ ++ ".long 4b,90b \n" \ ++ ".long 5b,90b \n" \ ++ ".long 6b,90b \n" \ ++ ".long 7b,90b \n" \ ++ ".long 8b,90b \n" \ ++ ".long 9b,90b \n" \ ++ ".long 10b,90b \n" \ ++ ".long 11b,90b \n" \ ++ ".long 12b,90b \n" \ ++ ".long 13b,90b \n" \ ++ ".long 14b,90b \n" \ ++ ".long 15b,90b \n" \ ++ ".long 16b,90b \n" \ ++ ".long 17b,90b \n" \ ++ ".previous \n" \ ++ : "+a" (addr), "+r" (n), "+r" (result) : "a" (io)) ++ ++#define MAC_PDMA_DELAY 32 ++ ++static inline int mac_pdma_recv(void __iomem *io, unsigned char *start, int n) ++{ ++ unsigned char *addr = start; ++ int result = 0; ++ ++ if (n >= 1) { ++ MOVE_BYTE("%3@,%0@"); ++ if (result) ++ goto out; ++ } ++ if (n >= 1 && ((unsigned long)addr & 1)) { ++ MOVE_BYTE("%3@,%0@"); ++ if (result) ++ goto out; ++ } ++ while (n >= 32) ++ MOVE_16_WORDS("%3@,%0@+"); ++ while (n >= 2) ++ MOVE_WORD("%3@,%0@+"); ++ if (result) ++ return start - addr; /* Negated to indicate uncertain length */ ++ if (n == 1) ++ MOVE_BYTE("%3@,%0@"); ++out: ++ return addr - start; ++} ++ ++static inline int mac_pdma_send(unsigned char *start, void __iomem *io, int n) ++{ ++ unsigned char *addr = start; ++ int result = 0; ++ ++ if (n >= 1) { ++ MOVE_BYTE("%0@,%3@"); ++ if (result) ++ goto out; ++ } ++ if (n >= 1 && ((unsigned long)addr & 1)) { ++ MOVE_BYTE("%0@,%3@"); ++ if (result) ++ goto out; ++ } ++ while (n >= 32) ++ MOVE_16_WORDS("%0@+,%3@"); ++ while (n >= 2) ++ MOVE_WORD("%0@+,%3@"); ++ if (result) ++ return start - addr; /* Negated to indicate uncertain length */ ++ if (n == 1) ++ MOVE_BYTE("%0@,%3@"); ++out: ++ return addr - start; ++} + + static inline int macscsi_pread(struct NCR5380_hostdata *hostdata, + unsigned char *dst, int len) + { + u8 __iomem *s = hostdata->pdma_io + (INPUT_DATA_REG << 4); + unsigned char *d = dst; +- int n = len; +- int transferred; ++ ++ hostdata->pdma_residual = len; + + while (!NCR5380_poll_politely(hostdata, BUS_AND_STATUS_REG, + BASR_DRQ | BASR_PHASE_MATCH, + BASR_DRQ | BASR_PHASE_MATCH, HZ / 64)) { +- CP_IO_TO_MEM(s, d, n); ++ int bytes; ++ ++ bytes = mac_pdma_recv(s, d, min(hostdata->pdma_residual, 512)); + +- transferred = d - dst - n; +- hostdata->pdma_residual = len - transferred; ++ if (bytes > 0) { ++ d += bytes; ++ hostdata->pdma_residual -= bytes; ++ } + +- /* No bus error. */ +- if (n == 0) ++ if (hostdata->pdma_residual == 0) + return 0; + +- /* Target changed phase early? */ + if (NCR5380_poll_politely2(hostdata, STATUS_REG, SR_REQ, SR_REQ, +- BUS_AND_STATUS_REG, BASR_ACK, BASR_ACK, HZ / 64) < 0) +- scmd_printk(KERN_ERR, hostdata->connected, ++ BUS_AND_STATUS_REG, BASR_ACK, ++ BASR_ACK, HZ / 64) < 0) ++ scmd_printk(KERN_DEBUG, hostdata->connected, + "%s: !REQ and !ACK\n", __func__); + if (!(NCR5380_read(BUS_AND_STATUS_REG) & BASR_PHASE_MATCH)) + return 0; + ++ if (bytes == 0) ++ udelay(MAC_PDMA_DELAY); ++ ++ if (bytes >= 0) ++ continue; ++ + dsprintk(NDEBUG_PSEUDO_DMA, hostdata->host, +- "%s: bus error (%d/%d)\n", __func__, transferred, len); ++ "%s: bus error (%d/%d)\n", __func__, d - dst, len); + NCR5380_dprint(NDEBUG_PSEUDO_DMA, hostdata->host); +- d = dst + transferred; +- n = len - transferred; ++ return -1; + } + + scmd_printk(KERN_ERR, hostdata->connected, +@@ -192,93 +311,27 @@ static inline int macscsi_pread(struct N + return -1; + } + +- +-#define CP_MEM_TO_IO(s,d,n) \ +-__asm__ __volatile__ \ +- (" cmp.w #4,%2\n" \ +- " bls 8f\n" \ +- " move.w %0,%%d0\n" \ +- " neg.b %%d0\n" \ +- " and.w #3,%%d0\n" \ +- " sub.w %%d0,%2\n" \ +- " bra 2f\n" \ +- " 1: move.b (%0)+,(%1)\n" \ +- " 2: dbf %%d0,1b\n" \ +- " move.w %2,%%d0\n" \ +- " lsr.w #5,%%d0\n" \ +- " bra 4f\n" \ +- " 3: move.l (%0)+,(%1)\n" \ +- "31: move.l (%0)+,(%1)\n" \ +- "32: move.l (%0)+,(%1)\n" \ +- "33: move.l (%0)+,(%1)\n" \ +- "34: move.l (%0)+,(%1)\n" \ +- "35: move.l (%0)+,(%1)\n" \ +- "36: move.l (%0)+,(%1)\n" \ +- "37: move.l (%0)+,(%1)\n" \ +- " 4: dbf %%d0,3b\n" \ +- " move.w %2,%%d0\n" \ +- " lsr.w #2,%%d0\n" \ +- " and.w #7,%%d0\n" \ +- " bra 6f\n" \ +- " 5: move.l (%0)+,(%1)\n" \ +- " 6: dbf %%d0,5b\n" \ +- " and.w #3,%2\n" \ +- " bra 8f\n" \ +- " 7: move.b (%0)+,(%1)\n" \ +- " 8: dbf %2,7b\n" \ +- " moveq.l #0, %2\n" \ +- " 9: \n" \ +- ".section .fixup,\"ax\"\n" \ +- " .even\n" \ +- "91: moveq.l #1, %2\n" \ +- " jra 9b\n" \ +- "94: moveq.l #4, %2\n" \ +- " jra 9b\n" \ +- ".previous\n" \ +- ".section __ex_table,\"a\"\n" \ +- " .align 4\n" \ +- " .long 1b,91b\n" \ +- " .long 3b,94b\n" \ +- " .long 31b,94b\n" \ +- " .long 32b,94b\n" \ +- " .long 33b,94b\n" \ +- " .long 34b,94b\n" \ +- " .long 35b,94b\n" \ +- " .long 36b,94b\n" \ +- " .long 37b,94b\n" \ +- " .long 5b,94b\n" \ +- " .long 7b,91b\n" \ +- ".previous" \ +- : "=a"(s), "=a"(d), "=d"(n) \ +- : "0"(s), "1"(d), "2"(n) \ +- : "d0") +- + static inline int macscsi_pwrite(struct NCR5380_hostdata *hostdata, + unsigned char *src, int len) + { + unsigned char *s = src; + u8 __iomem *d = hostdata->pdma_io + (OUTPUT_DATA_REG << 4); +- int n = len; +- int transferred; ++ ++ hostdata->pdma_residual = len; + + while (!NCR5380_poll_politely(hostdata, BUS_AND_STATUS_REG, + BASR_DRQ | BASR_PHASE_MATCH, + BASR_DRQ | BASR_PHASE_MATCH, HZ / 64)) { +- CP_MEM_TO_IO(s, d, n); ++ int bytes; + +- transferred = s - src - n; +- hostdata->pdma_residual = len - transferred; ++ bytes = mac_pdma_send(s, d, min(hostdata->pdma_residual, 512)); + +- /* Target changed phase early? */ +- if (NCR5380_poll_politely2(hostdata, STATUS_REG, SR_REQ, SR_REQ, +- BUS_AND_STATUS_REG, BASR_ACK, BASR_ACK, HZ / 64) < 0) +- scmd_printk(KERN_ERR, hostdata->connected, +- "%s: !REQ and !ACK\n", __func__); +- if (!(NCR5380_read(BUS_AND_STATUS_REG) & BASR_PHASE_MATCH)) +- return 0; ++ if (bytes > 0) { ++ s += bytes; ++ hostdata->pdma_residual -= bytes; ++ } + +- /* No bus error. */ +- if (n == 0) { ++ if (hostdata->pdma_residual == 0) { + if (NCR5380_poll_politely(hostdata, TARGET_COMMAND_REG, + TCR_LAST_BYTE_SENT, + TCR_LAST_BYTE_SENT, HZ / 64) < 0) +@@ -287,17 +340,29 @@ static inline int macscsi_pwrite(struct + return 0; + } + ++ if (NCR5380_poll_politely2(hostdata, STATUS_REG, SR_REQ, SR_REQ, ++ BUS_AND_STATUS_REG, BASR_ACK, ++ BASR_ACK, HZ / 64) < 0) ++ scmd_printk(KERN_DEBUG, hostdata->connected, ++ "%s: !REQ and !ACK\n", __func__); ++ if (!(NCR5380_read(BUS_AND_STATUS_REG) & BASR_PHASE_MATCH)) ++ return 0; ++ ++ if (bytes == 0) ++ udelay(MAC_PDMA_DELAY); ++ ++ if (bytes >= 0) ++ continue; ++ + dsprintk(NDEBUG_PSEUDO_DMA, hostdata->host, +- "%s: bus error (%d/%d)\n", __func__, transferred, len); ++ "%s: bus error (%d/%d)\n", __func__, s - src, len); + NCR5380_dprint(NDEBUG_PSEUDO_DMA, hostdata->host); +- s = src + transferred; +- n = len - transferred; ++ return -1; + } + + scmd_printk(KERN_ERR, hostdata->connected, + "%s: phase mismatch or !DRQ\n", __func__); + NCR5380_dprint(NDEBUG_PSEUDO_DMA, hostdata->host); +- + return -1; + } + diff --git a/queue-4.14/scsi-mac_scsi-increase-pio-pdma-transfer-length-threshold.patch b/queue-4.14/scsi-mac_scsi-increase-pio-pdma-transfer-length-threshold.patch new file mode 100644 index 00000000000..8ec146b685a --- /dev/null +++ b/queue-4.14/scsi-mac_scsi-increase-pio-pdma-transfer-length-threshold.patch @@ -0,0 +1,62 @@ +From 7398cee4c3e6aea1ba07a6449e5533ecd0b92cdd Mon Sep 17 00:00:00 2001 +From: Finn Thain +Date: Sun, 9 Jun 2019 11:19:11 +1000 +Subject: scsi: mac_scsi: Increase PIO/PDMA transfer length threshold + +From: Finn Thain + +commit 7398cee4c3e6aea1ba07a6449e5533ecd0b92cdd upstream. + +Some targets introduce delays when handshaking the response to certain +commands. For example, a disk may send a 96-byte response to an INQUIRY +command (or a 24-byte response to a MODE SENSE command) too slowly. + +Apparently the first 12 or 14 bytes are handshaked okay but then the system +bus error timeout is reached while transferring the next word. + +Since the scsi bus phase hasn't changed, the driver then sets the target +borken flag to prevent further PDMA transfers. The driver also logs the +warning, "switching to slow handshake". + +Raise the PDMA threshold to 512 bytes so that PIO transfers will be used +for these commands. This default is sufficiently low that PDMA will still +be used for READ and WRITE commands. + +The existing threshold (16 bytes) was chosen more or less at random. +However, best performance requires the threshold to be as low as possible. +Those systems that don't need the PIO workaround at all may benefit from +mac_scsi.setup_use_pdma=1 + +Cc: Michael Schmitz +Cc: stable@vger.kernel.org # v4.14+ +Fixes: 3a0f64bfa907 ("mac_scsi: Fix pseudo DMA implementation") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Tested-by: Michael Schmitz +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/mac_scsi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/mac_scsi.c ++++ b/drivers/scsi/mac_scsi.c +@@ -52,7 +52,7 @@ static int setup_cmd_per_lun = -1; + module_param(setup_cmd_per_lun, int, 0); + static int setup_sg_tablesize = -1; + module_param(setup_sg_tablesize, int, 0); +-static int setup_use_pdma = -1; ++static int setup_use_pdma = 512; + module_param(setup_use_pdma, int, 0); + static int setup_hostid = -1; + module_param(setup_hostid, int, 0); +@@ -305,7 +305,7 @@ static int macscsi_dma_xfer_len(struct N + struct scsi_cmnd *cmd) + { + if (hostdata->flags & FLAG_NO_PSEUDO_DMA || +- cmd->SCp.this_residual < 16) ++ cmd->SCp.this_residual < setup_use_pdma) + return 0; + + return cmd->SCp.this_residual; diff --git a/queue-4.14/scsi-megaraid_sas-fix-calculation-of-target-id.patch b/queue-4.14/scsi-megaraid_sas-fix-calculation-of-target-id.patch new file mode 100644 index 00000000000..cef9bd258ef --- /dev/null +++ b/queue-4.14/scsi-megaraid_sas-fix-calculation-of-target-id.patch @@ -0,0 +1,39 @@ +From c8f96df5b8e633056b7ebf5d52a9d6fb1b156ce3 Mon Sep 17 00:00:00 2001 +From: Shivasharan S +Date: Fri, 28 Jun 2019 18:02:12 -0700 +Subject: scsi: megaraid_sas: Fix calculation of target ID + +From: Shivasharan S + +commit c8f96df5b8e633056b7ebf5d52a9d6fb1b156ce3 upstream. + +In megasas_get_target_prop(), driver is incorrectly calculating the target +ID for devices with channel 1 and 3. Due to this, firmware will either +fail the command (if there is no device with the target id sent from +driver) or could return the properties for a target which was not +intended. Devices could end up with the wrong queue depth due to this. + +Fix target id calculation for channel 1 and 3. + +Fixes: 96188a89cc6d ("scsi: megaraid_sas: NVME interface target prop added") +Cc: stable@vger.kernel.org +Signed-off-by: Shivasharan S +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -5806,7 +5806,8 @@ megasas_get_target_prop(struct megasas_i + int ret; + struct megasas_cmd *cmd; + struct megasas_dcmd_frame *dcmd; +- u16 targetId = (sdev->channel % 2) + sdev->id; ++ u16 targetId = ((sdev->channel % 2) * MEGASAS_MAX_DEV_PER_CHANNEL) + ++ sdev->id; + + cmd = megasas_get_cmd(instance); + diff --git a/queue-4.14/scsi-ncr5380-always-re-enable-reselection-interrupt.patch b/queue-4.14/scsi-ncr5380-always-re-enable-reselection-interrupt.patch new file mode 100644 index 00000000000..2d5dbdb6ace --- /dev/null +++ b/queue-4.14/scsi-ncr5380-always-re-enable-reselection-interrupt.patch @@ -0,0 +1,93 @@ +From 57f31326518e98ee4cabf9a04efe00ed57c54147 Mon Sep 17 00:00:00 2001 +From: Finn Thain +Date: Sun, 9 Jun 2019 11:19:11 +1000 +Subject: scsi: NCR5380: Always re-enable reselection interrupt + +From: Finn Thain + +commit 57f31326518e98ee4cabf9a04efe00ed57c54147 upstream. + +The reselection interrupt gets disabled during selection and must be +re-enabled when hostdata->connected becomes NULL. If it isn't re-enabled a +disconnected command may time-out or the target may wedge the bus while +trying to reselect the host. This can happen after a command is aborted. + +Fix this by enabling the reselection interrupt in NCR5380_main() after +calls to NCR5380_select() and NCR5380_information_transfer() return. + +Cc: Michael Schmitz +Cc: stable@vger.kernel.org # v4.9+ +Fixes: 8b00c3d5d40d ("ncr5380: Implement new eh_abort_handler") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Tested-by: Michael Schmitz +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/NCR5380.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +--- a/drivers/scsi/NCR5380.c ++++ b/drivers/scsi/NCR5380.c +@@ -710,6 +710,8 @@ static void NCR5380_main(struct work_str + NCR5380_information_transfer(instance); + done = 0; + } ++ if (!hostdata->connected) ++ NCR5380_write(SELECT_ENABLE_REG, hostdata->id_mask); + spin_unlock_irq(&hostdata->lock); + if (!done) + cond_resched(); +@@ -1106,8 +1108,6 @@ static struct scsi_cmnd *NCR5380_select( + spin_lock_irq(&hostdata->lock); + NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE); + NCR5380_reselect(instance); +- if (!hostdata->connected) +- NCR5380_write(SELECT_ENABLE_REG, hostdata->id_mask); + shost_printk(KERN_ERR, instance, "reselection after won arbitration?\n"); + goto out; + } +@@ -1115,7 +1115,6 @@ static struct scsi_cmnd *NCR5380_select( + if (err < 0) { + spin_lock_irq(&hostdata->lock); + NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE); +- NCR5380_write(SELECT_ENABLE_REG, hostdata->id_mask); + + /* Can't touch cmd if it has been reclaimed by the scsi ML */ + if (!hostdata->selecting) +@@ -1153,7 +1152,6 @@ static struct scsi_cmnd *NCR5380_select( + if (err < 0) { + shost_printk(KERN_ERR, instance, "select: REQ timeout\n"); + NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE); +- NCR5380_write(SELECT_ENABLE_REG, hostdata->id_mask); + goto out; + } + if (!hostdata->selecting) { +@@ -1820,9 +1818,6 @@ static void NCR5380_information_transfer + */ + NCR5380_write(TARGET_COMMAND_REG, 0); + +- /* Enable reselect interrupts */ +- NCR5380_write(SELECT_ENABLE_REG, hostdata->id_mask); +- + maybe_release_dma_irq(instance); + return; + case MESSAGE_REJECT: +@@ -1854,8 +1849,6 @@ static void NCR5380_information_transfer + */ + NCR5380_write(TARGET_COMMAND_REG, 0); + +- /* Enable reselect interrupts */ +- NCR5380_write(SELECT_ENABLE_REG, hostdata->id_mask); + #ifdef SUN3_SCSI_VME + dregs->csr |= CSR_DMA_ENABLE; + #endif +@@ -1963,7 +1956,6 @@ static void NCR5380_information_transfer + cmd->result = DID_ERROR << 16; + complete_cmd(instance, cmd); + maybe_release_dma_irq(instance); +- NCR5380_write(SELECT_ENABLE_REG, hostdata->id_mask); + return; + } + msgout = NOP; diff --git a/queue-4.14/scsi-ncr5380-reduce-goto-statements-in-ncr5380_select.patch b/queue-4.14/scsi-ncr5380-reduce-goto-statements-in-ncr5380_select.patch new file mode 100644 index 00000000000..7be19bfc619 --- /dev/null +++ b/queue-4.14/scsi-ncr5380-reduce-goto-statements-in-ncr5380_select.patch @@ -0,0 +1,73 @@ +From 6a162836997c10bbefb7c7ca772201cc45c0e4a6 Mon Sep 17 00:00:00 2001 +From: Finn Thain +Date: Thu, 27 Sep 2018 11:17:11 +1000 +Subject: scsi: NCR5380: Reduce goto statements in NCR5380_select() + +From: Finn Thain + +commit 6a162836997c10bbefb7c7ca772201cc45c0e4a6 upstream. + +Replace a 'goto' statement with a simple 'return' where possible. This +improves readability. No functional change. + +Tested-by: Michael Schmitz +Signed-off-by: Finn Thain +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/NCR5380.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/drivers/scsi/NCR5380.c ++++ b/drivers/scsi/NCR5380.c +@@ -984,7 +984,7 @@ static struct scsi_cmnd *NCR5380_select( + if (!hostdata->selecting) { + /* Command was aborted */ + NCR5380_write(MODE_REG, MR_BASE); +- goto out; ++ return NULL; + } + if (err < 0) { + NCR5380_write(MODE_REG, MR_BASE); +@@ -1033,7 +1033,7 @@ static struct scsi_cmnd *NCR5380_select( + if (!hostdata->selecting) { + NCR5380_write(MODE_REG, MR_BASE); + NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE); +- goto out; ++ return NULL; + } + + dsprintk(NDEBUG_ARBITRATION, instance, "won arbitration\n"); +@@ -1116,13 +1116,16 @@ static struct scsi_cmnd *NCR5380_select( + spin_lock_irq(&hostdata->lock); + NCR5380_write(INITIATOR_COMMAND_REG, ICR_BASE); + NCR5380_write(SELECT_ENABLE_REG, hostdata->id_mask); ++ + /* Can't touch cmd if it has been reclaimed by the scsi ML */ +- if (hostdata->selecting) { +- cmd->result = DID_BAD_TARGET << 16; +- complete_cmd(instance, cmd); +- dsprintk(NDEBUG_SELECTION, instance, "target did not respond within 250ms\n"); +- cmd = NULL; +- } ++ if (!hostdata->selecting) ++ return NULL; ++ ++ cmd->result = DID_BAD_TARGET << 16; ++ complete_cmd(instance, cmd); ++ dsprintk(NDEBUG_SELECTION, instance, ++ "target did not respond within 250ms\n"); ++ cmd = NULL; + goto out; + } + +@@ -1155,7 +1158,7 @@ static struct scsi_cmnd *NCR5380_select( + } + if (!hostdata->selecting) { + do_abort(instance); +- goto out; ++ return NULL; + } + + dsprintk(NDEBUG_SELECTION, instance, "target %d selected, going into MESSAGE OUT phase.\n", diff --git a/queue-4.14/series b/queue-4.14/series index 4e245a137fd..d5e81fa2aee 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -110,3 +110,18 @@ floppy-fix-out-of-bounds-read-in-next_valid_format.patch floppy-fix-invalid-pointer-dereference-in-drive_name.patch floppy-fix-out-of-bounds-read-in-copy_buffer.patch xen-let-alloc_xenballooned_pages-fail-if-not-enough-memory-free.patch +scsi-ncr5380-reduce-goto-statements-in-ncr5380_select.patch +scsi-ncr5380-always-re-enable-reselection-interrupt.patch +revert-scsi-ncr5380-increase-register-polling-limit.patch +scsi-core-fix-race-on-creating-sense-cache.patch +scsi-megaraid_sas-fix-calculation-of-target-id.patch +scsi-mac_scsi-increase-pio-pdma-transfer-length-threshold.patch +scsi-mac_scsi-fix-pseudo-dma-implementation-take-2.patch +crypto-ghash-fix-unaligned-memory-access-in-ghash_setkey.patch +crypto-ccp-validate-the-the-error-value-used-to-index-error-messages.patch +crypto-arm64-sha1-ce-correct-digest-for-empty-data-in-finup.patch +crypto-arm64-sha2-ce-correct-digest-for-empty-data-in-finup.patch +crypto-chacha20poly1305-fix-atomic-sleep-when-using-async-algorithm.patch +crypto-ccp-memset-structure-fields-to-zero-before-reuse.patch +crypto-ccp-gcm-use-const-time-tag-comparison.patch +crypto-crypto4xx-fix-a-potential-double-free-in-ppc4xx_trng_probe.patch -- 2.47.2