Recreate RHEL 6.12.0-211.29.1 from CS10/upstream backports
This commit is contained in:
parent
674503c679
commit
1cd3d0ece2
@ -0,0 +1,110 @@
|
||||
From a10f13521226dba6ce396abb8b1b91570f5b61ec Mon Sep 17 00:00:00 2001
|
||||
From: Jaroslav Kysela <jkysela@redhat.com>
|
||||
Date: Mon, 20 Apr 2026 14:32:13 +0200
|
||||
Subject: [PATCH] ALSA: usb-audio: Add sanity check for OOB writes at silencing
|
||||
|
||||
JIRA: https://issues.redhat.com/browse/RHEL-168082
|
||||
|
||||
commit fba2105a157fffcf19825e4eea498346738c9948
|
||||
Author: Takashi Iwai <tiwai@suse.de>
|
||||
Date: Mon Feb 16 15:12:07 2026 +0100
|
||||
|
||||
ALSA: usb-audio: Add sanity check for OOB writes at silencing
|
||||
|
||||
At silencing the playback URB packets in the implicit fb mode before
|
||||
the actual playback, we blindly assume that the received packets fit
|
||||
with the buffer size. But when the setup in the capture stream
|
||||
differs from the playback stream (e.g. due to the USB core limitation
|
||||
of max packet size), such an inconsistency may lead to OOB writes to
|
||||
the buffer, resulting in a crash.
|
||||
|
||||
For addressing it, add a sanity check of the transfer buffer size at
|
||||
prepare_silent_urb(), and stop the data copy if the received data
|
||||
overflows. Also, report back the transfer error properly from there,
|
||||
too.
|
||||
|
||||
Note that this doesn't fix the root cause of the playback error
|
||||
itself, but this merely covers the kernel Oops.
|
||||
|
||||
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221076
|
||||
Link: https://patch.msgid.link/20260216141209.1849200-4-tiwai@suse.de
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
|
||||
Signed-off-by: Jaroslav Kysela <jkysela@redhat.com>
|
||||
|
||||
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
|
||||
index 08cc2ee5707d..6e443f762de8 100644
|
||||
--- a/sound/usb/endpoint.c
|
||||
+++ b/sound/usb/endpoint.c
|
||||
@@ -275,8 +275,8 @@ static inline bool has_tx_length_quirk(struct snd_usb_audio *chip)
|
||||
return chip->quirk_flags & QUIRK_FLAG_TX_LENGTH;
|
||||
}
|
||||
|
||||
-static void prepare_silent_urb(struct snd_usb_endpoint *ep,
|
||||
- struct snd_urb_ctx *ctx)
|
||||
+static int prepare_silent_urb(struct snd_usb_endpoint *ep,
|
||||
+ struct snd_urb_ctx *ctx)
|
||||
{
|
||||
struct urb *urb = ctx->urb;
|
||||
unsigned int offs = 0;
|
||||
@@ -289,28 +289,34 @@ static void prepare_silent_urb(struct snd_usb_endpoint *ep,
|
||||
extra = sizeof(packet_length);
|
||||
|
||||
for (i = 0; i < ctx->packets; ++i) {
|
||||
- unsigned int offset;
|
||||
- unsigned int length;
|
||||
- int counts;
|
||||
-
|
||||
- counts = snd_usb_endpoint_next_packet_size(ep, ctx, i, 0);
|
||||
- length = counts * ep->stride; /* number of silent bytes */
|
||||
- offset = offs * ep->stride + extra * i;
|
||||
- urb->iso_frame_desc[i].offset = offset;
|
||||
+ int length;
|
||||
+
|
||||
+ length = snd_usb_endpoint_next_packet_size(ep, ctx, i, 0);
|
||||
+ if (length < 0)
|
||||
+ return length;
|
||||
+ length *= ep->stride; /* number of silent bytes */
|
||||
+ if (offs + length + extra > ctx->buffer_size)
|
||||
+ break;
|
||||
+ urb->iso_frame_desc[i].offset = offs;
|
||||
urb->iso_frame_desc[i].length = length + extra;
|
||||
if (extra) {
|
||||
packet_length = cpu_to_le32(length);
|
||||
- memcpy(urb->transfer_buffer + offset,
|
||||
+ memcpy(urb->transfer_buffer + offs,
|
||||
&packet_length, sizeof(packet_length));
|
||||
+ offs += extra;
|
||||
}
|
||||
- memset(urb->transfer_buffer + offset + extra,
|
||||
+ memset(urb->transfer_buffer + offs,
|
||||
ep->silence_value, length);
|
||||
- offs += counts;
|
||||
+ offs += length;
|
||||
}
|
||||
|
||||
- urb->number_of_packets = ctx->packets;
|
||||
- urb->transfer_buffer_length = offs * ep->stride + ctx->packets * extra;
|
||||
+ if (!offs)
|
||||
+ return -EPIPE;
|
||||
+
|
||||
+ urb->number_of_packets = i;
|
||||
+ urb->transfer_buffer_length = offs;
|
||||
ctx->queued = 0;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -332,8 +338,7 @@ static int prepare_outbound_urb(struct snd_usb_endpoint *ep,
|
||||
if (data_subs && ep->prepare_data_urb)
|
||||
return ep->prepare_data_urb(data_subs, urb, in_stream_lock);
|
||||
/* no data provider, so send silence */
|
||||
- prepare_silent_urb(ep, ctx);
|
||||
- break;
|
||||
+ return prepare_silent_urb(ep, ctx);
|
||||
|
||||
case SND_USB_ENDPOINT_TYPE_SYNC:
|
||||
if (snd_usb_get_speed(ep->chip->dev) >= USB_SPEED_HIGH) {
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
@ -0,0 +1,137 @@
|
||||
From aef881da47f3c07173c5357b36a45fc4b754eb55 Mon Sep 17 00:00:00 2001
|
||||
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
|
||||
Date: Wed, 27 May 2026 17:21:48 +0000
|
||||
Subject: [PATCH] ALSA: aloop: Fix peer runtime UAF during format-change stop
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-179311
|
||||
CVE: CVE-2026-46090
|
||||
Backported from tree(s): linux
|
||||
|
||||
commit e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff
|
||||
Author: Cássio Gabriel <cassiogabrielcontato@gmail.com>
|
||||
Date: Fri Apr 24 09:48:41 2026 -0300
|
||||
|
||||
ALSA: aloop: Fix peer runtime UAF during format-change stop
|
||||
|
||||
loopback_check_format() may stop the capture side when playback starts
|
||||
with parameters that no longer match a running capture stream. Commit
|
||||
826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved
|
||||
the peer lookup under cable->lock, but the actual snd_pcm_stop() still
|
||||
runs after dropping that lock.
|
||||
|
||||
A concurrent close can clear the capture entry from cable->streams[] and
|
||||
detach or free its runtime while the playback trigger path still holds a
|
||||
stale peer substream pointer.
|
||||
|
||||
Keep a per-cable count of in-flight peer stops before dropping
|
||||
cable->lock, and make free_cable() wait for those stops before
|
||||
detaching the runtime. This preserves the existing behavior while
|
||||
making the peer runtime lifetime explicit.
|
||||
|
||||
Reported-by: syzbot+8fa95c41eafbc9d2ff6f@syzkaller.appspotmail.com
|
||||
Closes: https://syzkaller.appspot.com/bug?extid=8fa95c41eafbc9d2ff6f
|
||||
Fixes: 597603d615d2 ("ALSA: introduce the snd-aloop module for the PCM loopback")
|
||||
Cc: stable@vger.kernel.org
|
||||
Suggested-by: Takashi Iwai <tiwai@suse.com>
|
||||
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
|
||||
Link: https://patch.msgid.link/20260424-alsa-aloop-peer-stop-uaf-v2-1-94e68101db8a@gmail.com
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
|
||||
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
|
||||
|
||||
diff --git a/sound/drivers/aloop.c b/sound/drivers/aloop.c
|
||||
index aa0d2fcb1a18..a37a1695f51c 100644
|
||||
--- a/sound/drivers/aloop.c
|
||||
+++ b/sound/drivers/aloop.c
|
||||
@@ -99,6 +99,9 @@ struct loopback_ops {
|
||||
struct loopback_cable {
|
||||
spinlock_t lock;
|
||||
struct loopback_pcm *streams[2];
|
||||
+ /* in-flight peer stops running outside cable->lock */
|
||||
+ atomic_t stop_count;
|
||||
+ wait_queue_head_t stop_wait;
|
||||
struct snd_pcm_hardware hw;
|
||||
/* flags */
|
||||
unsigned int valid;
|
||||
@@ -366,8 +369,11 @@ static int loopback_check_format(struct loopback_cable *cable, int stream)
|
||||
return 0;
|
||||
if (stream == SNDRV_PCM_STREAM_CAPTURE)
|
||||
return -EIO;
|
||||
- else if (cruntime->state == SNDRV_PCM_STATE_RUNNING)
|
||||
+ else if (cruntime->state == SNDRV_PCM_STATE_RUNNING) {
|
||||
+ /* close must not free the peer runtime below */
|
||||
+ atomic_inc(&cable->stop_count);
|
||||
stop_capture = true;
|
||||
+ }
|
||||
}
|
||||
|
||||
setup = get_setup(dpcm_play);
|
||||
@@ -396,8 +402,11 @@ static int loopback_check_format(struct loopback_cable *cable, int stream)
|
||||
}
|
||||
}
|
||||
|
||||
- if (stop_capture)
|
||||
+ if (stop_capture) {
|
||||
snd_pcm_stop(dpcm_capt->substream, SNDRV_PCM_STATE_DRAINING);
|
||||
+ if (atomic_dec_and_test(&cable->stop_count))
|
||||
+ wake_up(&cable->stop_wait);
|
||||
+ }
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -1049,23 +1058,29 @@ static void free_cable(struct snd_pcm_substream *substream)
|
||||
struct loopback *loopback = substream->private_data;
|
||||
int dev = get_cable_index(substream);
|
||||
struct loopback_cable *cable;
|
||||
+ struct loopback_pcm *dpcm;
|
||||
+ bool other_alive;
|
||||
|
||||
cable = loopback->cables[substream->number][dev];
|
||||
if (!cable)
|
||||
return;
|
||||
- if (cable->streams[!substream->stream]) {
|
||||
- /* other stream is still alive */
|
||||
- guard(spinlock_irq)(&cable->lock);
|
||||
- cable->streams[substream->stream] = NULL;
|
||||
- } else {
|
||||
- struct loopback_pcm *dpcm = substream->runtime->private_data;
|
||||
|
||||
- if (cable->ops && cable->ops->close_cable && dpcm)
|
||||
- cable->ops->close_cable(dpcm);
|
||||
- /* free the cable */
|
||||
- loopback->cables[substream->number][dev] = NULL;
|
||||
- kfree(cable);
|
||||
+ scoped_guard(spinlock_irq, &cable->lock) {
|
||||
+ cable->streams[substream->stream] = NULL;
|
||||
+ other_alive = cable->streams[!substream->stream];
|
||||
}
|
||||
+
|
||||
+ /* Pair with the stop_count increment in loopback_check_format(). */
|
||||
+ wait_event(cable->stop_wait, !atomic_read(&cable->stop_count));
|
||||
+ if (other_alive)
|
||||
+ return;
|
||||
+
|
||||
+ dpcm = substream->runtime->private_data;
|
||||
+ if (cable->ops && cable->ops->close_cable && dpcm)
|
||||
+ cable->ops->close_cable(dpcm);
|
||||
+ /* free the cable */
|
||||
+ loopback->cables[substream->number][dev] = NULL;
|
||||
+ kfree(cable);
|
||||
}
|
||||
|
||||
static int loopback_jiffies_timer_open(struct loopback_pcm *dpcm)
|
||||
@@ -1260,6 +1275,8 @@ static int loopback_open(struct snd_pcm_substream *substream)
|
||||
goto unlock;
|
||||
}
|
||||
spin_lock_init(&cable->lock);
|
||||
+ atomic_set(&cable->stop_count, 0);
|
||||
+ init_waitqueue_head(&cable->stop_wait);
|
||||
cable->hw = loopback_pcm_hardware;
|
||||
if (loopback->timer_source)
|
||||
cable->ops = &loopback_snd_timer_ops;
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
@ -0,0 +1,34 @@
|
||||
From 45d25e3ec17900bf5a9d6876ff16ceee31c4c0e0 Mon Sep 17 00:00:00 2001
|
||||
From: Jason Gunthorpe <jgg@nvidia.com>
|
||||
Date: Tue, 28 Apr 2026 13:17:43 -0300
|
||||
Subject: [PATCH] RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext()
|
||||
error path
|
||||
|
||||
commit e38e86995df27f1f854063dab1f0c6a513db3faf upstream.
|
||||
|
||||
Sashiko points out that pvrdma_uar_free() is already called within
|
||||
pvrdma_dealloc_ucontext(), so calling it before triggers a double free.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Fixes: 29c8d9eba550 ("IB: Add vmw_pvrdma driver")
|
||||
Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg%40nvidia.com?part=4
|
||||
Link: https://patch.msgid.link/r/10-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com
|
||||
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
diff --git a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c
|
||||
index 9f54aa90a35a..dde1910dd8b1 100644
|
||||
--- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c
|
||||
+++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.c
|
||||
@@ -350,7 +350,7 @@ int pvrdma_alloc_ucontext(struct ib_ucontext *uctx, struct ib_udata *udata)
|
||||
uresp.qp_tab_size = vdev->dsr->caps.max_qp;
|
||||
ret = ib_copy_to_udata(udata, &uresp, sizeof(uresp));
|
||||
if (ret) {
|
||||
- pvrdma_uar_free(vdev, &context->uar);
|
||||
+ /* pvrdma_dealloc_ucontext() also frees the UAR */
|
||||
pvrdma_dealloc_ucontext(&context->ibucontext);
|
||||
return -EFAULT;
|
||||
}
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
166
1389-scsi-qla2xxx-add-support-to-report-mpi-fw-state.patch
Normal file
166
1389-scsi-qla2xxx-add-support-to-report-mpi-fw-state.patch
Normal file
@ -0,0 +1,166 @@
|
||||
From 93e4b63cd923391c972220739a5fcc7bc01a4cb7 Mon Sep 17 00:00:00 2001
|
||||
From: Nilesh Javali <njavali@redhat.com>
|
||||
Date: Thu, 19 Mar 2026 15:01:53 +0530
|
||||
Subject: [PATCH] scsi: qla2xxx: Add support to report MPI FW state
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-157286
|
||||
|
||||
Upstream Status: git://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git
|
||||
|
||||
commit 0e124af675ebabddacfeb0958abd443265dddf13
|
||||
Author: Nilesh Javali <njavali@marvell.com>
|
||||
Date: Thu Mar 5 15:03:37 2026 +0530
|
||||
|
||||
scsi: qla2xxx: Add support to report MPI FW state
|
||||
|
||||
MPI firmware state was returned as 0. Get MPI FW state to proceed with
|
||||
flash image validation.
|
||||
|
||||
A new sysfs node 'mpi_fw_state' is added to report MPI firmware state:
|
||||
|
||||
/sys/class/scsi_host/hostXX/mpi_fw_state
|
||||
|
||||
Fixes: d74181ca110e ("scsi: qla2xxx: Add bsg interface to support firmware img validation")
|
||||
Signed-off-by: Nilesh Javali <njavali@marvell.com>
|
||||
Link: https://patch.msgid.link/20260305093337.2007205-1-njavali@marvell.com
|
||||
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
|
||||
|
||||
Signed-off-by: Nilesh Javali <njavali@redhat.com>
|
||||
|
||||
diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
|
||||
index 2e584a8bf66b..6a05ce195aa0 100644
|
||||
--- a/drivers/scsi/qla2xxx/qla_attr.c
|
||||
+++ b/drivers/scsi/qla2xxx/qla_attr.c
|
||||
@@ -1638,7 +1638,7 @@ qla2x00_fw_state_show(struct device *dev, struct device_attribute *attr,
|
||||
{
|
||||
scsi_qla_host_t *vha = shost_priv(class_to_shost(dev));
|
||||
int rval = QLA_FUNCTION_FAILED;
|
||||
- uint16_t state[6];
|
||||
+ uint16_t state[16];
|
||||
uint32_t pstate;
|
||||
|
||||
if (IS_QLAFX00(vha->hw)) {
|
||||
@@ -2402,6 +2402,63 @@ qla2x00_dport_diagnostics_show(struct device *dev,
|
||||
vha->dport_data[0], vha->dport_data[1],
|
||||
vha->dport_data[2], vha->dport_data[3]);
|
||||
}
|
||||
+
|
||||
+static ssize_t
|
||||
+qla2x00_mpi_fw_state_show(struct device *dev, struct device_attribute *attr,
|
||||
+ char *buf)
|
||||
+{
|
||||
+ scsi_qla_host_t *vha = shost_priv(class_to_shost(dev));
|
||||
+ int rval = QLA_FUNCTION_FAILED;
|
||||
+ u16 state[16];
|
||||
+ u16 mpi_state;
|
||||
+ struct qla_hw_data *ha = vha->hw;
|
||||
+
|
||||
+ if (!(IS_QLA27XX(ha) || IS_QLA28XX(ha)))
|
||||
+ return scnprintf(buf, PAGE_SIZE,
|
||||
+ "MPI state reporting is not supported for this HBA.\n");
|
||||
+
|
||||
+ memset(state, 0, sizeof(state));
|
||||
+
|
||||
+ mutex_lock(&vha->hw->optrom_mutex);
|
||||
+ if (qla2x00_chip_is_down(vha)) {
|
||||
+ mutex_unlock(&vha->hw->optrom_mutex);
|
||||
+ ql_dbg(ql_dbg_user, vha, 0x70df,
|
||||
+ "ISP reset is in progress, failing mpi_fw_state.\n");
|
||||
+ return -EBUSY;
|
||||
+ } else if (vha->hw->flags.eeh_busy) {
|
||||
+ mutex_unlock(&vha->hw->optrom_mutex);
|
||||
+ ql_dbg(ql_dbg_user, vha, 0x70ea,
|
||||
+ "HBA in PCI error state, failing mpi_fw_state.\n");
|
||||
+ return -EBUSY;
|
||||
+ }
|
||||
+
|
||||
+ rval = qla2x00_get_firmware_state(vha, state);
|
||||
+ mutex_unlock(&vha->hw->optrom_mutex);
|
||||
+ if (rval != QLA_SUCCESS) {
|
||||
+ ql_dbg(ql_dbg_user, vha, 0x70eb,
|
||||
+ "MB Command to retrieve MPI state failed (%d), failing mpi_fw_state.\n",
|
||||
+ rval);
|
||||
+ return -EIO;
|
||||
+ }
|
||||
+
|
||||
+ mpi_state = state[11];
|
||||
+
|
||||
+ if (!(mpi_state & BIT_15))
|
||||
+ return scnprintf(buf, PAGE_SIZE,
|
||||
+ "MPI firmware state reporting is not supported by this firmware. (0x%02x)\n",
|
||||
+ mpi_state);
|
||||
+
|
||||
+ if (!(mpi_state & BIT_8))
|
||||
+ return scnprintf(buf, PAGE_SIZE,
|
||||
+ "MPI firmware is disabled. (0x%02x)\n",
|
||||
+ mpi_state);
|
||||
+
|
||||
+ return scnprintf(buf, PAGE_SIZE,
|
||||
+ "MPI firmware is enabled, state is %s. (0x%02x)\n",
|
||||
+ mpi_state & BIT_9 ? "active" : "inactive",
|
||||
+ mpi_state);
|
||||
+}
|
||||
+
|
||||
static DEVICE_ATTR(dport_diagnostics, 0444,
|
||||
qla2x00_dport_diagnostics_show, NULL);
|
||||
|
||||
@@ -2469,6 +2526,8 @@ static DEVICE_ATTR(port_speed, 0644, qla2x00_port_speed_show,
|
||||
qla2x00_port_speed_store);
|
||||
static DEVICE_ATTR(port_no, 0444, qla2x00_port_no_show, NULL);
|
||||
static DEVICE_ATTR(fw_attr, 0444, qla2x00_fw_attr_show, NULL);
|
||||
+static DEVICE_ATTR(mpi_fw_state, 0444, qla2x00_mpi_fw_state_show, NULL);
|
||||
+
|
||||
|
||||
static struct attribute *qla2x00_host_attrs[] = {
|
||||
&dev_attr_driver_version.attr.attr,
|
||||
@@ -2517,6 +2576,7 @@ static struct attribute *qla2x00_host_attrs[] = {
|
||||
&dev_attr_qlini_mode.attr,
|
||||
&dev_attr_ql2xiniexchg.attr,
|
||||
&dev_attr_ql2xexchoffld.attr,
|
||||
+ &dev_attr_mpi_fw_state.attr,
|
||||
NULL,
|
||||
};
|
||||
|
||||
diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
|
||||
index 93ca7319bd6a..bee76b8d9e35 100644
|
||||
--- a/drivers/scsi/qla2xxx/qla_init.c
|
||||
+++ b/drivers/scsi/qla2xxx/qla_init.c
|
||||
@@ -4916,7 +4916,7 @@ qla2x00_fw_ready(scsi_qla_host_t *vha)
|
||||
unsigned long wtime, mtime, cs84xx_time;
|
||||
uint16_t min_wait; /* Minimum wait time if loop is down */
|
||||
uint16_t wait_time; /* Wait time if loop is coming ready */
|
||||
- uint16_t state[6];
|
||||
+ uint16_t state[16];
|
||||
struct qla_hw_data *ha = vha->hw;
|
||||
|
||||
if (IS_QLAFX00(vha->hw))
|
||||
diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
|
||||
index d0f09f0a2459..e3ee26058901 100644
|
||||
--- a/drivers/scsi/qla2xxx/qla_mbx.c
|
||||
+++ b/drivers/scsi/qla2xxx/qla_mbx.c
|
||||
@@ -2266,6 +2266,13 @@ qla2x00_get_firmware_state(scsi_qla_host_t *vha, uint16_t *states)
|
||||
mcp->in_mb = MBX_6|MBX_5|MBX_4|MBX_3|MBX_2|MBX_1|MBX_0;
|
||||
else
|
||||
mcp->in_mb = MBX_1|MBX_0;
|
||||
+
|
||||
+ if (IS_QLA27XX(ha) || IS_QLA28XX(ha)) {
|
||||
+ mcp->mb[12] = 0;
|
||||
+ mcp->out_mb |= MBX_12;
|
||||
+ mcp->in_mb |= MBX_12;
|
||||
+ }
|
||||
+
|
||||
mcp->tov = MBX_TOV_SECONDS;
|
||||
mcp->flags = 0;
|
||||
rval = qla2x00_mailbox_command(vha, mcp);
|
||||
@@ -2278,6 +2285,8 @@ qla2x00_get_firmware_state(scsi_qla_host_t *vha, uint16_t *states)
|
||||
states[3] = mcp->mb[4];
|
||||
states[4] = mcp->mb[5];
|
||||
states[5] = mcp->mb[6]; /* DPORT status */
|
||||
+ if (IS_QLA27XX(ha) || IS_QLA28XX(ha))
|
||||
+ states[11] = mcp->mb[12]; /* MPI state. */
|
||||
}
|
||||
|
||||
if (rval != QLA_SUCCESS) {
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
@ -0,0 +1,46 @@
|
||||
From 2f96df36f51ba409638b0111c4b1d7b30a88008c Mon Sep 17 00:00:00 2001
|
||||
From: Vladislav Dronov <vdronov@redhat.com>
|
||||
Date: Sun, 7 Jun 2026 23:23:19 +0200
|
||||
Subject: [PATCH] crypto: tegra - remove unneeded crypto_engine_stop() call
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-176465
|
||||
Upstream Status: merged into the upstream linux.git
|
||||
|
||||
commit 6ef46fec4171433fd9a3162b88ec2ce808676193
|
||||
Author: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
|
||||
Date: Sun Oct 20 22:25:31 2024 +0300
|
||||
|
||||
crypto: tegra - remove unneeded crypto_engine_stop() call
|
||||
|
||||
The explicit crypto_engine_stop() call is not needed, as it is already
|
||||
called internally by crypto_engine_exit().
|
||||
|
||||
Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
|
||||
Acked-by: Thierry Reding <treding@nvidia.com>
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
|
||||
Signed-off-by: Vladislav Dronov <vdronov@redhat.com>
|
||||
|
||||
diff --git a/drivers/crypto/tegra/tegra-se-main.c b/drivers/crypto/tegra/tegra-se-main.c
|
||||
index db5890c7f098..15ed363d09c9 100644
|
||||
--- a/drivers/crypto/tegra/tegra-se-main.c
|
||||
+++ b/drivers/crypto/tegra/tegra-se-main.c
|
||||
@@ -320,7 +320,6 @@ static int tegra_se_probe(struct platform_device *pdev)
|
||||
|
||||
ret = tegra_se_host1x_register(se);
|
||||
if (ret) {
|
||||
- crypto_engine_stop(se->engine);
|
||||
crypto_engine_exit(se->engine);
|
||||
return dev_err_probe(dev, ret, "failed to init host1x params\n");
|
||||
}
|
||||
@@ -332,7 +331,6 @@ static void tegra_se_remove(struct platform_device *pdev)
|
||||
{
|
||||
struct tegra_se *se = platform_get_drvdata(pdev);
|
||||
|
||||
- crypto_engine_stop(se->engine);
|
||||
crypto_engine_exit(se->engine);
|
||||
host1x_client_unregister(&se->client);
|
||||
}
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
@ -0,0 +1,131 @@
|
||||
From 219a1eb51634836cdf22208c1b6589c3533f89fd Mon Sep 17 00:00:00 2001
|
||||
From: Vladislav Dronov <vdronov@redhat.com>
|
||||
Date: Sun, 7 Jun 2026 23:23:19 +0200
|
||||
Subject: [PATCH] crypto: tegra - use API helpers to setup fallback request
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-176465
|
||||
Upstream Status: merged into the upstream linux.git
|
||||
|
||||
commit c1024581ff2c34db4fdfe857b29f606e5117eb12
|
||||
Author: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
|
||||
Date: Mon Apr 7 15:36:04 2025 +0300
|
||||
|
||||
crypto: tegra - use API helpers to setup fallback request
|
||||
|
||||
Rather than setting up the fallback request by hand, use
|
||||
ahash_request_set_callback() and ahash_request_set_crypt() API helpers
|
||||
to properly setup the new request.
|
||||
|
||||
Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
|
||||
Signed-off-by: Vladislav Dronov <vdronov@redhat.com>
|
||||
|
||||
diff --git a/drivers/crypto/tegra/tegra-se-hash.c b/drivers/crypto/tegra/tegra-se-hash.c
|
||||
index 90bf34eb3578..e3fe5911a324 100644
|
||||
--- a/drivers/crypto/tegra/tegra-se-hash.c
|
||||
+++ b/drivers/crypto/tegra/tegra-se-hash.c
|
||||
@@ -118,8 +118,9 @@ static int tegra_sha_fallback_init(struct ahash_request *req)
|
||||
struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm);
|
||||
|
||||
ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm);
|
||||
- rctx->fallback_req.base.flags = req->base.flags &
|
||||
- CRYPTO_TFM_REQ_MAY_SLEEP;
|
||||
+ ahash_request_set_callback(&rctx->fallback_req,
|
||||
+ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP,
|
||||
+ req->base.complete, req->base.data);
|
||||
|
||||
return crypto_ahash_init(&rctx->fallback_req);
|
||||
}
|
||||
@@ -131,10 +132,10 @@ static int tegra_sha_fallback_update(struct ahash_request *req)
|
||||
struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm);
|
||||
|
||||
ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm);
|
||||
- rctx->fallback_req.base.flags = req->base.flags &
|
||||
- CRYPTO_TFM_REQ_MAY_SLEEP;
|
||||
- rctx->fallback_req.nbytes = req->nbytes;
|
||||
- rctx->fallback_req.src = req->src;
|
||||
+ ahash_request_set_callback(&rctx->fallback_req,
|
||||
+ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP,
|
||||
+ req->base.complete, req->base.data);
|
||||
+ ahash_request_set_crypt(&rctx->fallback_req, req->src, NULL, req->nbytes);
|
||||
|
||||
return crypto_ahash_update(&rctx->fallback_req);
|
||||
}
|
||||
@@ -146,9 +147,10 @@ static int tegra_sha_fallback_final(struct ahash_request *req)
|
||||
struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm);
|
||||
|
||||
ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm);
|
||||
- rctx->fallback_req.base.flags = req->base.flags &
|
||||
- CRYPTO_TFM_REQ_MAY_SLEEP;
|
||||
- rctx->fallback_req.result = req->result;
|
||||
+ ahash_request_set_callback(&rctx->fallback_req,
|
||||
+ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP,
|
||||
+ req->base.complete, req->base.data);
|
||||
+ ahash_request_set_crypt(&rctx->fallback_req, NULL, req->result, 0);
|
||||
|
||||
return crypto_ahash_final(&rctx->fallback_req);
|
||||
}
|
||||
@@ -160,12 +162,11 @@ static int tegra_sha_fallback_finup(struct ahash_request *req)
|
||||
struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm);
|
||||
|
||||
ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm);
|
||||
- rctx->fallback_req.base.flags = req->base.flags &
|
||||
- CRYPTO_TFM_REQ_MAY_SLEEP;
|
||||
-
|
||||
- rctx->fallback_req.nbytes = req->nbytes;
|
||||
- rctx->fallback_req.src = req->src;
|
||||
- rctx->fallback_req.result = req->result;
|
||||
+ ahash_request_set_callback(&rctx->fallback_req,
|
||||
+ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP,
|
||||
+ req->base.complete, req->base.data);
|
||||
+ ahash_request_set_crypt(&rctx->fallback_req, req->src, req->result,
|
||||
+ req->nbytes);
|
||||
|
||||
return crypto_ahash_finup(&rctx->fallback_req);
|
||||
}
|
||||
@@ -177,12 +178,11 @@ static int tegra_sha_fallback_digest(struct ahash_request *req)
|
||||
struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm);
|
||||
|
||||
ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm);
|
||||
- rctx->fallback_req.base.flags = req->base.flags &
|
||||
- CRYPTO_TFM_REQ_MAY_SLEEP;
|
||||
-
|
||||
- rctx->fallback_req.nbytes = req->nbytes;
|
||||
- rctx->fallback_req.src = req->src;
|
||||
- rctx->fallback_req.result = req->result;
|
||||
+ ahash_request_set_callback(&rctx->fallback_req,
|
||||
+ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP,
|
||||
+ req->base.complete, req->base.data);
|
||||
+ ahash_request_set_crypt(&rctx->fallback_req, req->src, req->result,
|
||||
+ req->nbytes);
|
||||
|
||||
return crypto_ahash_digest(&rctx->fallback_req);
|
||||
}
|
||||
@@ -194,8 +194,9 @@ static int tegra_sha_fallback_import(struct ahash_request *req, const void *in)
|
||||
struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm);
|
||||
|
||||
ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm);
|
||||
- rctx->fallback_req.base.flags = req->base.flags &
|
||||
- CRYPTO_TFM_REQ_MAY_SLEEP;
|
||||
+ ahash_request_set_callback(&rctx->fallback_req,
|
||||
+ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP,
|
||||
+ req->base.complete, req->base.data);
|
||||
|
||||
return crypto_ahash_import(&rctx->fallback_req, in);
|
||||
}
|
||||
@@ -207,8 +208,9 @@ static int tegra_sha_fallback_export(struct ahash_request *req, void *out)
|
||||
struct tegra_sha_ctx *ctx = crypto_ahash_ctx(tfm);
|
||||
|
||||
ahash_request_set_tfm(&rctx->fallback_req, ctx->fallback_tfm);
|
||||
- rctx->fallback_req.base.flags = req->base.flags &
|
||||
- CRYPTO_TFM_REQ_MAY_SLEEP;
|
||||
+ ahash_request_set_callback(&rctx->fallback_req,
|
||||
+ req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP,
|
||||
+ req->base.complete, req->base.data);
|
||||
|
||||
return crypto_ahash_export(&rctx->fallback_req, out);
|
||||
}
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
46
1392-crypto-tegra-remove-the-use-of-dev-err-probe.patch
Normal file
46
1392-crypto-tegra-remove-the-use-of-dev-err-probe.patch
Normal file
@ -0,0 +1,46 @@
|
||||
From d7e26cf1c6ec1ec012332f9b1ef126087c968d13 Mon Sep 17 00:00:00 2001
|
||||
From: Vladislav Dronov <vdronov@redhat.com>
|
||||
Date: Sun, 7 Jun 2026 23:23:19 +0200
|
||||
Subject: [PATCH] crypto: tegra - Remove the use of dev_err_probe()
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-176465
|
||||
Upstream Status: merged into the upstream linux.git
|
||||
|
||||
commit 8595bcb09b05a6c712c35f03ef701e7785895b51
|
||||
Author: Liao Yuanhong <liaoyuanhong@vivo.com>
|
||||
Date: Wed Aug 20 20:37:52 2025 +0800
|
||||
|
||||
crypto: tegra - Remove the use of dev_err_probe()
|
||||
|
||||
Logging messages that show some type of "out of memory" error are generally
|
||||
unnecessary as there is a generic message and a stack dump done by the
|
||||
memory subsystem. These messages generally increase kernel size without
|
||||
much added value[1].
|
||||
|
||||
The dev_err_probe() doesn't do anything when error is '-ENOMEM'. Therefore,
|
||||
remove the useless call to dev_err_probe(), and just return the value
|
||||
instead.
|
||||
|
||||
[1]: https://lore.kernel.org/lkml/1402419340.30479.18.camel@joe-AO725/
|
||||
|
||||
Signed-off-by: Liao Yuanhong <liaoyuanhong@vivo.com>
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
|
||||
Signed-off-by: Vladislav Dronov <vdronov@redhat.com>
|
||||
|
||||
diff --git a/drivers/crypto/tegra/tegra-se-main.c b/drivers/crypto/tegra/tegra-se-main.c
|
||||
index 15ed363d09c9..4e7115b247e7 100644
|
||||
--- a/drivers/crypto/tegra/tegra-se-main.c
|
||||
+++ b/drivers/crypto/tegra/tegra-se-main.c
|
||||
@@ -310,7 +310,7 @@ static int tegra_se_probe(struct platform_device *pdev)
|
||||
|
||||
se->engine = crypto_engine_alloc_init(dev, 0);
|
||||
if (!se->engine)
|
||||
- return dev_err_probe(dev, -ENOMEM, "failed to init crypto engine\n");
|
||||
+ return -ENOMEM;
|
||||
|
||||
ret = crypto_engine_start(se->engine);
|
||||
if (ret) {
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
@ -0,0 +1,43 @@
|
||||
From a1d28aa82ab3b030bc0df6b55781f5b0f6d621cc Mon Sep 17 00:00:00 2001
|
||||
From: Vladislav Dronov <vdronov@redhat.com>
|
||||
Date: Sun, 7 Jun 2026 23:23:19 +0200
|
||||
Subject: [PATCH] crypto: tegra - Use int type to store negative error codes
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-176465
|
||||
Upstream Status: merged into the upstream linux.git
|
||||
|
||||
commit a710a71cd8ad294937e03b352cd71deb7ad08700
|
||||
Author: Qianfeng Rong <rongqianfeng@vivo.com>
|
||||
Date: Wed Sep 3 21:25:37 2025 +0800
|
||||
|
||||
crypto: tegra - Use int type to store negative error codes
|
||||
|
||||
Change the 'ret' variable in tegra_sha_do_update() from unsigned int to
|
||||
int, as it needs to store either negative error codes or zero returned
|
||||
by tegra_se_host1x_submit().
|
||||
|
||||
No effect on runtime.
|
||||
|
||||
Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com>
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
|
||||
Signed-off-by: Vladislav Dronov <vdronov@redhat.com>
|
||||
|
||||
diff --git a/drivers/crypto/tegra/tegra-se-hash.c b/drivers/crypto/tegra/tegra-se-hash.c
|
||||
index e3fe5911a324..79f1e5c9b729 100644
|
||||
--- a/drivers/crypto/tegra/tegra-se-hash.c
|
||||
+++ b/drivers/crypto/tegra/tegra-se-hash.c
|
||||
@@ -401,8 +401,9 @@ static int tegra_sha_do_update(struct ahash_request *req)
|
||||
struct tegra_sha_ctx *ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(req));
|
||||
struct tegra_sha_reqctx *rctx = ahash_request_ctx(req);
|
||||
struct tegra_se *se = ctx->se;
|
||||
- unsigned int nblks, nresidue, size, ret;
|
||||
+ unsigned int nblks, nresidue, size;
|
||||
u32 *cpuvaddr = se->cmdbuf->addr;
|
||||
+ int ret;
|
||||
|
||||
nresidue = (req->nbytes + rctx->residue.size) % rctx->blk_size;
|
||||
nblks = (req->nbytes + rctx->residue.size) / rctx->blk_size;
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
224
1394-crypto-tegra-add-missing-crypto-alg-async.patch
Normal file
224
1394-crypto-tegra-add-missing-crypto-alg-async.patch
Normal file
@ -0,0 +1,224 @@
|
||||
From cc5bf4cbc38613252229691b5e3a5a4c5aea92af Mon Sep 17 00:00:00 2001
|
||||
From: Vladislav Dronov <vdronov@redhat.com>
|
||||
Date: Sun, 7 Jun 2026 23:23:19 +0200
|
||||
Subject: [PATCH] crypto: tegra - Add missing CRYPTO_ALG_ASYNC
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-176465
|
||||
Upstream Status: merged into the upstream linux.git
|
||||
CVE: CVE-2026-31739
|
||||
|
||||
commit 4b56770d345524fc2acc143a2b85539cf7d74bc1
|
||||
Author: Eric Biggers <ebiggers@kernel.org>
|
||||
Date: Mon Mar 16 13:21:19 2026 -0700
|
||||
|
||||
crypto: tegra - Add missing CRYPTO_ALG_ASYNC
|
||||
|
||||
The tegra crypto driver failed to set the CRYPTO_ALG_ASYNC on its
|
||||
asynchronous algorithms, causing the crypto API to select them for users
|
||||
that request only synchronous algorithms. This causes crashes (at
|
||||
least). Fix this by adding the flag like what the other drivers do.
|
||||
Also remove the unnecessary CRYPTO_ALG_TYPE_* flags, since those just
|
||||
get ignored and overridden by the registration function anyway.
|
||||
|
||||
Reported-by: Zorro Lang <zlang@redhat.com>
|
||||
Closes: https://lore.kernel.org/r/20260314080937.pghb4aa7d4je3mhh@dell-per750-06-vm-08.rhts.eng.pek2.redhat.com
|
||||
Fixes: 0880bb3b00c8 ("crypto: tegra - Add Tegra Security Engine driver")
|
||||
Cc: stable@vger.kernel.org
|
||||
Cc: Akhil R <akhilrajeev@nvidia.com>
|
||||
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
|
||||
Signed-off-by: Vladislav Dronov <vdronov@redhat.com>
|
||||
|
||||
diff --git a/drivers/crypto/tegra/tegra-se-aes.c b/drivers/crypto/tegra/tegra-se-aes.c
|
||||
index 8b91f00b9c31..30c78afe3dea 100644
|
||||
--- a/drivers/crypto/tegra/tegra-se-aes.c
|
||||
+++ b/drivers/crypto/tegra/tegra-se-aes.c
|
||||
@@ -532,7 +532,7 @@ static struct tegra_se_alg tegra_aes_algs[] = {
|
||||
.cra_name = "cbc(aes)",
|
||||
.cra_driver_name = "cbc-aes-tegra",
|
||||
.cra_priority = 500,
|
||||
- .cra_flags = CRYPTO_ALG_TYPE_SKCIPHER | CRYPTO_ALG_ASYNC,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC,
|
||||
.cra_blocksize = AES_BLOCK_SIZE,
|
||||
.cra_ctxsize = sizeof(struct tegra_aes_ctx),
|
||||
.cra_alignmask = 0xf,
|
||||
@@ -553,7 +553,7 @@ static struct tegra_se_alg tegra_aes_algs[] = {
|
||||
.cra_name = "ecb(aes)",
|
||||
.cra_driver_name = "ecb-aes-tegra",
|
||||
.cra_priority = 500,
|
||||
- .cra_flags = CRYPTO_ALG_TYPE_SKCIPHER | CRYPTO_ALG_ASYNC,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC,
|
||||
.cra_blocksize = AES_BLOCK_SIZE,
|
||||
.cra_ctxsize = sizeof(struct tegra_aes_ctx),
|
||||
.cra_alignmask = 0xf,
|
||||
@@ -575,7 +575,7 @@ static struct tegra_se_alg tegra_aes_algs[] = {
|
||||
.cra_name = "ctr(aes)",
|
||||
.cra_driver_name = "ctr-aes-tegra",
|
||||
.cra_priority = 500,
|
||||
- .cra_flags = CRYPTO_ALG_TYPE_SKCIPHER | CRYPTO_ALG_ASYNC,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC,
|
||||
.cra_blocksize = 1,
|
||||
.cra_ctxsize = sizeof(struct tegra_aes_ctx),
|
||||
.cra_alignmask = 0xf,
|
||||
@@ -597,6 +597,7 @@ static struct tegra_se_alg tegra_aes_algs[] = {
|
||||
.cra_name = "xts(aes)",
|
||||
.cra_driver_name = "xts-aes-tegra",
|
||||
.cra_priority = 500,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC,
|
||||
.cra_blocksize = AES_BLOCK_SIZE,
|
||||
.cra_ctxsize = sizeof(struct tegra_aes_ctx),
|
||||
.cra_alignmask = (__alignof__(u64) - 1),
|
||||
@@ -1931,6 +1932,7 @@ static struct tegra_se_alg tegra_aead_algs[] = {
|
||||
.cra_name = "gcm(aes)",
|
||||
.cra_driver_name = "gcm-aes-tegra",
|
||||
.cra_priority = 500,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC,
|
||||
.cra_blocksize = 1,
|
||||
.cra_ctxsize = sizeof(struct tegra_aead_ctx),
|
||||
.cra_alignmask = 0xf,
|
||||
@@ -1953,6 +1955,7 @@ static struct tegra_se_alg tegra_aead_algs[] = {
|
||||
.cra_name = "ccm(aes)",
|
||||
.cra_driver_name = "ccm-aes-tegra",
|
||||
.cra_priority = 500,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC,
|
||||
.cra_blocksize = 1,
|
||||
.cra_ctxsize = sizeof(struct tegra_aead_ctx),
|
||||
.cra_alignmask = 0xf,
|
||||
@@ -1980,7 +1983,7 @@ static struct tegra_se_alg tegra_cmac_algs[] = {
|
||||
.cra_name = "cmac(aes)",
|
||||
.cra_driver_name = "tegra-se-cmac",
|
||||
.cra_priority = 300,
|
||||
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC,
|
||||
.cra_blocksize = AES_BLOCK_SIZE,
|
||||
.cra_ctxsize = sizeof(struct tegra_cmac_ctx),
|
||||
.cra_alignmask = 0,
|
||||
diff --git a/drivers/crypto/tegra/tegra-se-hash.c b/drivers/crypto/tegra/tegra-se-hash.c
|
||||
index 79f1e5c9b729..23d549801612 100644
|
||||
--- a/drivers/crypto/tegra/tegra-se-hash.c
|
||||
+++ b/drivers/crypto/tegra/tegra-se-hash.c
|
||||
@@ -764,7 +764,7 @@ static struct tegra_se_alg tegra_hash_algs[] = {
|
||||
.cra_name = "sha1",
|
||||
.cra_driver_name = "tegra-se-sha1",
|
||||
.cra_priority = 300,
|
||||
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC,
|
||||
.cra_blocksize = SHA1_BLOCK_SIZE,
|
||||
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
|
||||
.cra_alignmask = 0,
|
||||
@@ -789,7 +789,7 @@ static struct tegra_se_alg tegra_hash_algs[] = {
|
||||
.cra_name = "sha224",
|
||||
.cra_driver_name = "tegra-se-sha224",
|
||||
.cra_priority = 300,
|
||||
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC,
|
||||
.cra_blocksize = SHA224_BLOCK_SIZE,
|
||||
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
|
||||
.cra_alignmask = 0,
|
||||
@@ -814,7 +814,7 @@ static struct tegra_se_alg tegra_hash_algs[] = {
|
||||
.cra_name = "sha256",
|
||||
.cra_driver_name = "tegra-se-sha256",
|
||||
.cra_priority = 300,
|
||||
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC,
|
||||
.cra_blocksize = SHA256_BLOCK_SIZE,
|
||||
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
|
||||
.cra_alignmask = 0,
|
||||
@@ -839,7 +839,7 @@ static struct tegra_se_alg tegra_hash_algs[] = {
|
||||
.cra_name = "sha384",
|
||||
.cra_driver_name = "tegra-se-sha384",
|
||||
.cra_priority = 300,
|
||||
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC,
|
||||
.cra_blocksize = SHA384_BLOCK_SIZE,
|
||||
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
|
||||
.cra_alignmask = 0,
|
||||
@@ -864,7 +864,7 @@ static struct tegra_se_alg tegra_hash_algs[] = {
|
||||
.cra_name = "sha512",
|
||||
.cra_driver_name = "tegra-se-sha512",
|
||||
.cra_priority = 300,
|
||||
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC,
|
||||
.cra_blocksize = SHA512_BLOCK_SIZE,
|
||||
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
|
||||
.cra_alignmask = 0,
|
||||
@@ -889,7 +889,7 @@ static struct tegra_se_alg tegra_hash_algs[] = {
|
||||
.cra_name = "sha3-224",
|
||||
.cra_driver_name = "tegra-se-sha3-224",
|
||||
.cra_priority = 300,
|
||||
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC,
|
||||
.cra_blocksize = SHA3_224_BLOCK_SIZE,
|
||||
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
|
||||
.cra_alignmask = 0,
|
||||
@@ -914,7 +914,7 @@ static struct tegra_se_alg tegra_hash_algs[] = {
|
||||
.cra_name = "sha3-256",
|
||||
.cra_driver_name = "tegra-se-sha3-256",
|
||||
.cra_priority = 300,
|
||||
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC,
|
||||
.cra_blocksize = SHA3_256_BLOCK_SIZE,
|
||||
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
|
||||
.cra_alignmask = 0,
|
||||
@@ -939,7 +939,7 @@ static struct tegra_se_alg tegra_hash_algs[] = {
|
||||
.cra_name = "sha3-384",
|
||||
.cra_driver_name = "tegra-se-sha3-384",
|
||||
.cra_priority = 300,
|
||||
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC,
|
||||
.cra_blocksize = SHA3_384_BLOCK_SIZE,
|
||||
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
|
||||
.cra_alignmask = 0,
|
||||
@@ -964,7 +964,7 @@ static struct tegra_se_alg tegra_hash_algs[] = {
|
||||
.cra_name = "sha3-512",
|
||||
.cra_driver_name = "tegra-se-sha3-512",
|
||||
.cra_priority = 300,
|
||||
- .cra_flags = CRYPTO_ALG_TYPE_AHASH,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC,
|
||||
.cra_blocksize = SHA3_512_BLOCK_SIZE,
|
||||
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
|
||||
.cra_alignmask = 0,
|
||||
@@ -991,7 +991,8 @@ static struct tegra_se_alg tegra_hash_algs[] = {
|
||||
.cra_name = "hmac(sha224)",
|
||||
.cra_driver_name = "tegra-se-hmac-sha224",
|
||||
.cra_priority = 300,
|
||||
- .cra_flags = CRYPTO_ALG_TYPE_AHASH | CRYPTO_ALG_NEED_FALLBACK,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC |
|
||||
+ CRYPTO_ALG_NEED_FALLBACK,
|
||||
.cra_blocksize = SHA224_BLOCK_SIZE,
|
||||
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
|
||||
.cra_alignmask = 0,
|
||||
@@ -1018,7 +1019,8 @@ static struct tegra_se_alg tegra_hash_algs[] = {
|
||||
.cra_name = "hmac(sha256)",
|
||||
.cra_driver_name = "tegra-se-hmac-sha256",
|
||||
.cra_priority = 300,
|
||||
- .cra_flags = CRYPTO_ALG_TYPE_AHASH | CRYPTO_ALG_NEED_FALLBACK,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC |
|
||||
+ CRYPTO_ALG_NEED_FALLBACK,
|
||||
.cra_blocksize = SHA256_BLOCK_SIZE,
|
||||
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
|
||||
.cra_alignmask = 0,
|
||||
@@ -1045,7 +1047,8 @@ static struct tegra_se_alg tegra_hash_algs[] = {
|
||||
.cra_name = "hmac(sha384)",
|
||||
.cra_driver_name = "tegra-se-hmac-sha384",
|
||||
.cra_priority = 300,
|
||||
- .cra_flags = CRYPTO_ALG_TYPE_AHASH | CRYPTO_ALG_NEED_FALLBACK,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC |
|
||||
+ CRYPTO_ALG_NEED_FALLBACK,
|
||||
.cra_blocksize = SHA384_BLOCK_SIZE,
|
||||
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
|
||||
.cra_alignmask = 0,
|
||||
@@ -1072,7 +1075,8 @@ static struct tegra_se_alg tegra_hash_algs[] = {
|
||||
.cra_name = "hmac(sha512)",
|
||||
.cra_driver_name = "tegra-se-hmac-sha512",
|
||||
.cra_priority = 300,
|
||||
- .cra_flags = CRYPTO_ALG_TYPE_AHASH | CRYPTO_ALG_NEED_FALLBACK,
|
||||
+ .cra_flags = CRYPTO_ALG_ASYNC |
|
||||
+ CRYPTO_ALG_NEED_FALLBACK,
|
||||
.cra_blocksize = SHA512_BLOCK_SIZE,
|
||||
.cra_ctxsize = sizeof(struct tegra_sha_ctx),
|
||||
.cra_alignmask = 0,
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
@ -0,0 +1,48 @@
|
||||
From c5fe58117093d6c4612c61902602e27df0ebe69a Mon Sep 17 00:00:00 2001
|
||||
From: Vladislav Dronov <vdronov@redhat.com>
|
||||
Date: Sun, 7 Jun 2026 23:23:19 +0200
|
||||
Subject: [PATCH] crypto: tegra - Don't touch bo refcount in host1x bo
|
||||
pin/unpin
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-176465
|
||||
Upstream Status: merged into the upstream linux.git
|
||||
|
||||
commit f8c9c57d750346abd213ffed2ae3cacb0268e9f1
|
||||
Author: Mikko Perttunen <mperttunen@nvidia.com>
|
||||
Date: Fri May 15 11:34:52 2026 +0900
|
||||
|
||||
crypto: tegra - Don't touch bo refcount in host1x bo pin/unpin
|
||||
|
||||
Since commit "gpu: host1x: Allow entries in BO caches to be freed",
|
||||
host1x_bo_pin() and host1x_bo_unpin() handle the bo's refcount
|
||||
themselves. .pin/.unpin callbacks should not adjust it.
|
||||
|
||||
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
|
||||
Signed-off-by: Vladislav Dronov <vdronov@redhat.com>
|
||||
|
||||
diff --git a/drivers/crypto/tegra/tegra-se-main.c b/drivers/crypto/tegra/tegra-se-main.c
|
||||
index 4e7115b247e7..f0b6c4f0548f 100644
|
||||
--- a/drivers/crypto/tegra/tegra-se-main.c
|
||||
+++ b/drivers/crypto/tegra/tegra-se-main.c
|
||||
@@ -52,7 +52,7 @@ tegra_se_cmdbuf_pin(struct device *dev, struct host1x_bo *bo, enum dma_data_dire
|
||||
return ERR_PTR(-ENOMEM);
|
||||
|
||||
kref_init(&map->ref);
|
||||
- map->bo = host1x_bo_get(bo);
|
||||
+ map->bo = bo;
|
||||
map->direction = direction;
|
||||
map->dev = dev;
|
||||
|
||||
@@ -93,7 +93,6 @@ static void tegra_se_cmdbuf_unpin(struct host1x_bo_mapping *map)
|
||||
dma_unmap_sgtable(map->dev, map->sgt, map->direction, 0);
|
||||
sg_free_table(map->sgt);
|
||||
kfree(map->sgt);
|
||||
- host1x_bo_put(map->bo);
|
||||
|
||||
kfree(map);
|
||||
}
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
127
1396-crypto-tegra-fix-dma-free-coherent-size-error.patch
Normal file
127
1396-crypto-tegra-fix-dma-free-coherent-size-error.patch
Normal file
@ -0,0 +1,127 @@
|
||||
From 5a7dc49ebe22d776913e8fd4fd3c835d1ac57db8 Mon Sep 17 00:00:00 2001
|
||||
From: Vladislav Dronov <vdronov@redhat.com>
|
||||
Date: Sun, 7 Jun 2026 23:23:19 +0200
|
||||
Subject: [PATCH] crypto: tegra - Fix dma_free_coherent size error
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-176465
|
||||
Upstream Status: merged into herbert/crypto-2.6.git
|
||||
|
||||
commit 03215b8457784540acc741e6331e355b62c6c8ab
|
||||
Author: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
Date: Tue May 19 12:22:18 2026 +0800
|
||||
|
||||
crypto: tegra - Fix dma_free_coherent size error
|
||||
|
||||
When freeing a coherent DMA buffer, the size must match the value
|
||||
that was used during the allocation.
|
||||
|
||||
Unfortunately the size field in the tegra driver gets overwritten
|
||||
by this point so it no longer matches and creates a warning.
|
||||
|
||||
Fix this by saving a copy of the size on the stack.
|
||||
|
||||
Note that the ccm function actually mixes up the inbuf and outbuf
|
||||
sizes, but it doesn't matter because the two sizes are actually
|
||||
equal.
|
||||
|
||||
Fixes: 1cb328da4e8f ("crypto: tegra - Do not use fixed size buffers")
|
||||
Reporeted-by: Patrick Talbert <ptalbert@redhat.com>
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
Reviewed-by: Vladislav Dronov <vdronov@redhat.com>
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
|
||||
Signed-off-by: Vladislav Dronov <vdronov@redhat.com>
|
||||
|
||||
diff --git a/drivers/crypto/tegra/tegra-se-aes.c b/drivers/crypto/tegra/tegra-se-aes.c
|
||||
index 30c78afe3dea..5086e7f140c3 100644
|
||||
--- a/drivers/crypto/tegra/tegra-se-aes.c
|
||||
+++ b/drivers/crypto/tegra/tegra-se-aes.c
|
||||
@@ -1201,6 +1201,7 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq)
|
||||
struct crypto_aead *tfm = crypto_aead_reqtfm(req);
|
||||
struct tegra_aead_ctx *ctx = crypto_aead_ctx(tfm);
|
||||
struct tegra_se *se = ctx->se;
|
||||
+ unsigned int bufsize;
|
||||
int ret;
|
||||
|
||||
ret = tegra_ccm_crypt_init(req, se, rctx);
|
||||
@@ -1210,14 +1211,15 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq)
|
||||
rctx->key_id = ctx->key_id;
|
||||
|
||||
/* Allocate buffers required */
|
||||
- rctx->inbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen + 100;
|
||||
- rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->inbuf.size,
|
||||
+ bufsize = rctx->assoclen + rctx->authsize + rctx->cryptlen + 100;
|
||||
+ rctx->inbuf.size = bufsize;
|
||||
+ rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize,
|
||||
&rctx->inbuf.addr, GFP_KERNEL);
|
||||
if (!rctx->inbuf.buf)
|
||||
goto out_finalize;
|
||||
|
||||
- rctx->outbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen + 100;
|
||||
- rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->outbuf.size,
|
||||
+ rctx->outbuf.size = bufsize;
|
||||
+ rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize,
|
||||
&rctx->outbuf.addr, GFP_KERNEL);
|
||||
if (!rctx->outbuf.buf) {
|
||||
ret = -ENOMEM;
|
||||
@@ -1254,11 +1256,11 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq)
|
||||
}
|
||||
|
||||
out:
|
||||
- dma_free_coherent(ctx->se->dev, rctx->inbuf.size,
|
||||
+ dma_free_coherent(ctx->se->dev, bufsize,
|
||||
rctx->outbuf.buf, rctx->outbuf.addr);
|
||||
|
||||
out_free_inbuf:
|
||||
- dma_free_coherent(ctx->se->dev, rctx->outbuf.size,
|
||||
+ dma_free_coherent(ctx->se->dev, bufsize,
|
||||
rctx->inbuf.buf, rctx->inbuf.addr);
|
||||
|
||||
if (tegra_key_is_reserved(rctx->key_id))
|
||||
@@ -1278,6 +1280,7 @@ static int tegra_gcm_do_one_req(struct crypto_engine *engine, void *areq)
|
||||
struct crypto_aead *tfm = crypto_aead_reqtfm(req);
|
||||
struct tegra_aead_ctx *ctx = crypto_aead_ctx(tfm);
|
||||
struct tegra_aead_reqctx *rctx = aead_request_ctx(req);
|
||||
+ unsigned int bufsize;
|
||||
int ret;
|
||||
|
||||
rctx->src_sg = req->src;
|
||||
@@ -1296,16 +1299,17 @@ static int tegra_gcm_do_one_req(struct crypto_engine *engine, void *areq)
|
||||
rctx->key_id = ctx->key_id;
|
||||
|
||||
/* Allocate buffers required */
|
||||
- rctx->inbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen;
|
||||
- rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->inbuf.size,
|
||||
+ bufsize = rctx->assoclen + rctx->authsize + rctx->cryptlen;
|
||||
+ rctx->inbuf.size = bufsize;
|
||||
+ rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize,
|
||||
&rctx->inbuf.addr, GFP_KERNEL);
|
||||
if (!rctx->inbuf.buf) {
|
||||
ret = -ENOMEM;
|
||||
goto out_finalize;
|
||||
}
|
||||
|
||||
- rctx->outbuf.size = rctx->assoclen + rctx->authsize + rctx->cryptlen;
|
||||
- rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, rctx->outbuf.size,
|
||||
+ rctx->outbuf.size = bufsize;
|
||||
+ rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize,
|
||||
&rctx->outbuf.addr, GFP_KERNEL);
|
||||
if (!rctx->outbuf.buf) {
|
||||
ret = -ENOMEM;
|
||||
@@ -1342,11 +1346,11 @@ static int tegra_gcm_do_one_req(struct crypto_engine *engine, void *areq)
|
||||
ret = tegra_gcm_do_verify(ctx->se, rctx);
|
||||
|
||||
out:
|
||||
- dma_free_coherent(ctx->se->dev, rctx->outbuf.size,
|
||||
+ dma_free_coherent(ctx->se->dev, bufsize,
|
||||
rctx->outbuf.buf, rctx->outbuf.addr);
|
||||
|
||||
out_free_inbuf:
|
||||
- dma_free_coherent(ctx->se->dev, rctx->inbuf.size,
|
||||
+ dma_free_coherent(ctx->se->dev, bufsize,
|
||||
rctx->inbuf.buf, rctx->inbuf.addr);
|
||||
|
||||
if (tegra_key_is_reserved(rctx->key_id))
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
@ -0,0 +1,52 @@
|
||||
From c6c84318cd97fe4fdbc511248e126bf2d5eaceba Mon Sep 17 00:00:00 2001
|
||||
From: Vladislav Dronov <vdronov@redhat.com>
|
||||
Date: Sun, 7 Jun 2026 23:23:19 +0200
|
||||
Subject: [PATCH] crypto: tegra - Return ENOMEM when input buffer allocation
|
||||
fails for ccm
|
||||
|
||||
JIRA: https://redhat.atlassian.net/browse/RHEL-176465
|
||||
Upstream Status: merged into herbert/crypto-2.6.git
|
||||
|
||||
commit 690a5f9e5c972a580565ce544ed1627ccf1e84de
|
||||
Author: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
Date: Wed May 20 10:51:14 2026 +0800
|
||||
|
||||
crypto: tegra - Return ENOMEM when input buffer allocation fails for ccm
|
||||
|
||||
Ensure the ENOMEM error value is set when the input buffer allocation
|
||||
fails in tegra_ccm_do_one_req.
|
||||
|
||||
Fixes: 1e245948ca0c ("crypto: tegra - finalize crypto req on error")
|
||||
Reported-by: Vladislav Dronov <vdronov@redhat.com>
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
Reviewed-by: Vladislav Dronov <vdronov@redhat.com>
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
|
||||
Signed-off-by: Vladislav Dronov <vdronov@redhat.com>
|
||||
|
||||
diff --git a/drivers/crypto/tegra/tegra-se-aes.c b/drivers/crypto/tegra/tegra-se-aes.c
|
||||
index 5086e7f140c3..9094c03e991f 100644
|
||||
--- a/drivers/crypto/tegra/tegra-se-aes.c
|
||||
+++ b/drivers/crypto/tegra/tegra-se-aes.c
|
||||
@@ -1215,16 +1215,15 @@ static int tegra_ccm_do_one_req(struct crypto_engine *engine, void *areq)
|
||||
rctx->inbuf.size = bufsize;
|
||||
rctx->inbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize,
|
||||
&rctx->inbuf.addr, GFP_KERNEL);
|
||||
+ ret = -ENOMEM;
|
||||
if (!rctx->inbuf.buf)
|
||||
goto out_finalize;
|
||||
|
||||
rctx->outbuf.size = bufsize;
|
||||
rctx->outbuf.buf = dma_alloc_coherent(ctx->se->dev, bufsize,
|
||||
&rctx->outbuf.addr, GFP_KERNEL);
|
||||
- if (!rctx->outbuf.buf) {
|
||||
- ret = -ENOMEM;
|
||||
+ if (!rctx->outbuf.buf)
|
||||
goto out_free_inbuf;
|
||||
- }
|
||||
|
||||
if (!ctx->key_id) {
|
||||
ret = tegra_key_submit_reserved_aes(ctx->se, ctx->key,
|
||||
--
|
||||
2.50.1 (Apple Git-155)
|
||||
|
||||
@ -0,0 +1,41 @@
|
||||
From bc2cf5935b4665172235341163315905197ae91d Mon Sep 17 00:00:00 2001
|
||||
From: Junrui Luo <moonafterrain@outlook.com>
|
||||
Date: Fri, 24 Apr 2026 13:51:02 +0800
|
||||
Subject: [PATCH] RDMA/mlx5: Fix error path fall-through in
|
||||
mlx5_ib_dev_res_srq_init()
|
||||
|
||||
commit c488df06bd552bb8b6e14fa0cfd5ad986c6e9525 upstream.
|
||||
|
||||
mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When
|
||||
ib_create_srq() fails for s1, the error branch destroys s0 but falls
|
||||
through and unconditionally assigns the freed s0 and the ERR_PTR s1 to
|
||||
devr->s0 and devr->s1.
|
||||
|
||||
This leads to several problems: the lock-free fast path checks
|
||||
"if (devr->s1) return 0;" and treats the ERR_PTR as already initialised;
|
||||
users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via
|
||||
to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences
|
||||
the ERR_PTR and double-frees s0 on teardown.
|
||||
|
||||
Fix by adding the same `goto unlock` in the s1 failure path.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Fixes: 5895e70f2e6e ("IB/mlx5: Allocate resources just before first QP/SRQ is created")
|
||||
Link: https://patch.msgid.link/r/SYBPR01MB7881E1E0970268BD69C0BA75AF2B2@SYBPR01MB7881.ausprd01.prod.outlook.com
|
||||
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
|
||||
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
|
||||
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
|
||||
index 4077815..082a7e9 100644
|
||||
--- a/drivers/infiniband/hw/mlx5/main.c
|
||||
+++ b/drivers/infiniband/hw/mlx5/main.c
|
||||
@@ -3121,6 +3121,7 @@ int mlx5_ib_dev_res_srq_init(struct mlx5_ib_dev *dev)
|
||||
"Couldn't create SRQ 1 for res init, err=%pe\n",
|
||||
s1);
|
||||
ib_destroy_srq(s0);
|
||||
+ goto unlock;
|
||||
}
|
||||
|
||||
devr->s0 = s0;
|
||||
50
kernel.spec
50
kernel.spec
@ -176,13 +176,13 @@ Summary: The Linux kernel
|
||||
%define specrpmversion 6.12.0
|
||||
%define specversion 6.12.0
|
||||
%define patchversion 6.12
|
||||
%define pkgrelease 211.28.2
|
||||
%define pkgrelease 211.29.1
|
||||
%define kversion 6
|
||||
%define tarfile_release 6.12.0-211.7.1.el10_2
|
||||
# This is needed to do merge window version magic
|
||||
%define patchlevel 12
|
||||
# This allows pkg_release to have configurable %%{?dist} tag
|
||||
%define specrelease 211.28.2%{?buildid}%{?dist}
|
||||
%define specrelease 211.29.1%{?buildid}%{?dist}
|
||||
# This defines the kabi tarball version
|
||||
%define kabiversion 6.12.0-211.7.1.el10_2
|
||||
|
||||
@ -1420,6 +1420,19 @@ Patch1382: 1382-tcp-fix-potential-race-in-tcp-v6-syn-recv-sock.patch
|
||||
Patch1383: 1383-selinux-rhel-only-hotfix-for-execmem-regression.patch
|
||||
Patch1384: 1384-ipv4-account-for-fraggap-on-the-paged-allocation-path.patch
|
||||
Patch1385: 1385-ipv6-account-for-fraggap-on-the-paged-allocation-path.patch
|
||||
Patch1386: 1386-alsa-usb-audio-add-sanity-check-for-oob-writes-at-silencing.patch
|
||||
Patch1387: 1387-alsa-aloop-fix-peer-runtime-uaf-during-format-change-stop.patch
|
||||
Patch1388: 1388-rdma-vmw-pvrdma-fix-double-free-on-pvrdma-alloc-ucontext-err.patch
|
||||
Patch1389: 1389-scsi-qla2xxx-add-support-to-report-mpi-fw-state.patch
|
||||
Patch1390: 1390-crypto-tegra-remove-unneeded-crypto-engine-stop-call.patch
|
||||
Patch1391: 1391-crypto-tegra-use-api-helpers-to-setup-fallback-request.patch
|
||||
Patch1392: 1392-crypto-tegra-remove-the-use-of-dev-err-probe.patch
|
||||
Patch1393: 1393-crypto-tegra-use-int-type-to-store-negative-error-codes.patch
|
||||
Patch1394: 1394-crypto-tegra-add-missing-crypto-alg-async.patch
|
||||
Patch1395: 1395-crypto-tegra-don-t-touch-bo-refcount-in-host1x-bo-pin-unpin.patch
|
||||
Patch1396: 1396-crypto-tegra-fix-dma-free-coherent-size-error.patch
|
||||
Patch1397: 1397-crypto-tegra-return-enomem-when-input-buffer-allocation-fail.patch
|
||||
Patch1398: 1398-rdma-mlx5-fix-error-path-fall-through-in-mlx5-ib-dev-res-srq.patch
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%description
|
||||
@ -2562,6 +2575,19 @@ ApplyPatch 1382-tcp-fix-potential-race-in-tcp-v6-syn-recv-sock.patch
|
||||
ApplyPatch 1383-selinux-rhel-only-hotfix-for-execmem-regression.patch
|
||||
ApplyPatch 1384-ipv4-account-for-fraggap-on-the-paged-allocation-path.patch
|
||||
ApplyPatch 1385-ipv6-account-for-fraggap-on-the-paged-allocation-path.patch
|
||||
ApplyPatch 1386-alsa-usb-audio-add-sanity-check-for-oob-writes-at-silencing.patch
|
||||
ApplyPatch 1387-alsa-aloop-fix-peer-runtime-uaf-during-format-change-stop.patch
|
||||
ApplyPatch 1388-rdma-vmw-pvrdma-fix-double-free-on-pvrdma-alloc-ucontext-err.patch
|
||||
ApplyPatch 1389-scsi-qla2xxx-add-support-to-report-mpi-fw-state.patch
|
||||
ApplyPatch 1390-crypto-tegra-remove-unneeded-crypto-engine-stop-call.patch
|
||||
ApplyPatch 1391-crypto-tegra-use-api-helpers-to-setup-fallback-request.patch
|
||||
ApplyPatch 1392-crypto-tegra-remove-the-use-of-dev-err-probe.patch
|
||||
ApplyPatch 1393-crypto-tegra-use-int-type-to-store-negative-error-codes.patch
|
||||
ApplyPatch 1394-crypto-tegra-add-missing-crypto-alg-async.patch
|
||||
ApplyPatch 1395-crypto-tegra-don-t-touch-bo-refcount-in-host1x-bo-pin-unpin.patch
|
||||
ApplyPatch 1396-crypto-tegra-fix-dma-free-coherent-size-error.patch
|
||||
ApplyPatch 1397-crypto-tegra-return-enomem-when-input-buffer-allocation-fail.patch
|
||||
ApplyPatch 1398-rdma-mlx5-fix-error-path-fall-through-in-mlx5-ib-dev-res-srq.patch
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
# Any further pre-build tree manipulations happen here.
|
||||
@ -5066,6 +5092,26 @@ fi\
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Jul 01 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-211.29.1
|
||||
- Recreate RHEL 6.12.0-211.29.1 from CentOS Stream 10 and upstream stable backports (1386-1398)
|
||||
- Retain AlmaLinux ahead-of-RHEL fixes: CVE-2026-46316 (1374), ipv4/ipv6 fraggap (1384-1385)
|
||||
- RHEL changelog for 211.29.1 follows:
|
||||
|
||||
* Mon Jun 29 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-211.29.1.el10_2]
|
||||
- RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() (CKI Backport Bot) [RHEL-180001] {CVE-2026-46176}
|
||||
- crypto: tegra - Return ENOMEM when input buffer allocation fails for ccm (Vladislav Dronov) [RHEL-182759]
|
||||
- crypto: tegra - Fix dma_free_coherent size error (Vladislav Dronov) [RHEL-182759]
|
||||
- crypto: tegra - Don't touch bo refcount in host1x bo pin/unpin (Vladislav Dronov) [RHEL-182759]
|
||||
- crypto: tegra - Add missing CRYPTO_ALG_ASYNC (Vladislav Dronov) [RHEL-182759] {CVE-2026-31739}
|
||||
- crypto: tegra - Use int type to store negative error codes (Vladislav Dronov) [RHEL-182759]
|
||||
- crypto: tegra - Remove the use of dev_err_probe() (Vladislav Dronov) [RHEL-182759]
|
||||
- crypto: tegra - use API helpers to setup fallback request (Vladislav Dronov) [RHEL-182759]
|
||||
- crypto: tegra - remove unneeded crypto_engine_stop() call (Vladislav Dronov) [RHEL-182759]
|
||||
- scsi: qla2xxx: Add support to report MPI FW state (Ewan D. Milne) [RHEL-181887]
|
||||
- RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path (CKI Backport Bot) [RHEL-179965] {CVE-2026-46189}
|
||||
- ALSA: aloop: Fix peer runtime UAF during format-change stop (CKI Backport Bot) [RHEL-179317] {CVE-2026-46090}
|
||||
- ALSA: usb-audio: Add sanity check for OOB writes at silencing (CKI Backport Bot) [RHEL-173937] {CVE-2026-43279}
|
||||
|
||||
* Tue Jun 30 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-211.28.2
|
||||
- Add upstream ipv4/ipv6 fraggap paged-allocation fixes (1384-1385)
|
||||
eca856950f7c ipv4: account for fraggap on the paged allocation path
|
||||
|
||||
Loading…
Reference in New Issue
Block a user