4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 16 Oct 2020 08:20:15 +0000 (10:20 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 16 Oct 2020 08:20:15 +0000 (10:20 +0200)
added patches:
crypto-bcm-verify-gcm-ccm-key-length-in-setkey.patch
crypto-qat-check-cipher-length-for-aead-aes-cbc-hmac-sha.patch
drivers-net-ethernet-marvell-mvmdio.c-fix-non-of-case.patch

queue-4.19/crypto-bcm-verify-gcm-ccm-key-length-in-setkey.patch [new file with mode: 0644]
queue-4.19/crypto-qat-check-cipher-length-for-aead-aes-cbc-hmac-sha.patch [new file with mode: 0644]
queue-4.19/drivers-net-ethernet-marvell-mvmdio.c-fix-non-of-case.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/crypto-bcm-verify-gcm-ccm-key-length-in-setkey.patch b/queue-4.19/crypto-bcm-verify-gcm-ccm-key-length-in-setkey.patch
new file mode 100644 (file)
index 0000000..693da2d
--- /dev/null
@@ -0,0 +1,81 @@
+From 10a2f0b311094ffd45463a529a410a51ca025f27 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 2 Oct 2020 17:55:22 +1000
+Subject: crypto: bcm - Verify GCM/CCM key length in setkey
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 10a2f0b311094ffd45463a529a410a51ca025f27 upstream.
+
+The setkey function for GCM/CCM algorithms didn't verify the key
+length before copying the key and subtracting the salt length.
+
+This patch delays the copying of the key til after the verification
+has been done.  It also adds checks on the key length to ensure
+that it's at least as long as the salt.
+
+Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver")
+Cc: <stable@vger.kernel.org>
+Reported-by: kiyin(尹亮) <kiyin@tencent.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/bcm/cipher.c |   15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/drivers/crypto/bcm/cipher.c
++++ b/drivers/crypto/bcm/cipher.c
+@@ -2980,7 +2980,6 @@ static int aead_gcm_ccm_setkey(struct cr
+       ctx->enckeylen = keylen;
+       ctx->authkeylen = 0;
+-      memcpy(ctx->enckey, key, ctx->enckeylen);
+       switch (ctx->enckeylen) {
+       case AES_KEYSIZE_128:
+@@ -2996,6 +2995,8 @@ static int aead_gcm_ccm_setkey(struct cr
+               goto badkey;
+       }
++      memcpy(ctx->enckey, key, ctx->enckeylen);
++
+       flow_log("  enckeylen:%u authkeylen:%u\n", ctx->enckeylen,
+                ctx->authkeylen);
+       flow_dump("  enc: ", ctx->enckey, ctx->enckeylen);
+@@ -3056,6 +3057,10 @@ static int aead_gcm_esp_setkey(struct cr
+       struct iproc_ctx_s *ctx = crypto_aead_ctx(cipher);
+       flow_log("%s\n", __func__);
++
++      if (keylen < GCM_ESP_SALT_SIZE)
++              return -EINVAL;
++
+       ctx->salt_len = GCM_ESP_SALT_SIZE;
+       ctx->salt_offset = GCM_ESP_SALT_OFFSET;
+       memcpy(ctx->salt, key + keylen - GCM_ESP_SALT_SIZE, GCM_ESP_SALT_SIZE);
+@@ -3084,6 +3089,10 @@ static int rfc4543_gcm_esp_setkey(struct
+       struct iproc_ctx_s *ctx = crypto_aead_ctx(cipher);
+       flow_log("%s\n", __func__);
++
++      if (keylen < GCM_ESP_SALT_SIZE)
++              return -EINVAL;
++
+       ctx->salt_len = GCM_ESP_SALT_SIZE;
+       ctx->salt_offset = GCM_ESP_SALT_OFFSET;
+       memcpy(ctx->salt, key + keylen - GCM_ESP_SALT_SIZE, GCM_ESP_SALT_SIZE);
+@@ -3113,6 +3122,10 @@ static int aead_ccm_esp_setkey(struct cr
+       struct iproc_ctx_s *ctx = crypto_aead_ctx(cipher);
+       flow_log("%s\n", __func__);
++
++      if (keylen < CCM_ESP_SALT_SIZE)
++              return -EINVAL;
++
+       ctx->salt_len = CCM_ESP_SALT_SIZE;
+       ctx->salt_offset = CCM_ESP_SALT_OFFSET;
+       memcpy(ctx->salt, key + keylen - CCM_ESP_SALT_SIZE, CCM_ESP_SALT_SIZE);
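Review bot: The new short-key checks in aead_gcm_esp_setkey, rfc4543_gcm_esp_setkey and aead_ccm_esp_setkey use a bare `return -EINVAL;`, while the length failure in aead_gcm_ccm_setkey leaves through `goto badkey`. That label's body is outside the hunks, so if it clears the context key lengths or reports a bad-key-length flag, the early returns skip it and the two rejection paths behave differently. Separately, `ctx->enckeylen = keylen;` is still assigned before the switch validates it, so it is worth confirming that the badkey path resets it. A short comment above each check would record the reason, e.g. `/* salt is the last GCM_ESP_SALT_SIZE bytes of key; reject before key + keylen - GCM_ESP_SALT_SIZE can point before the buffer */`. All four functions start and end outside the hunks shown.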
diff --git a/queue-4.19/crypto-qat-check-cipher-length-for-aead-aes-cbc-hmac-sha.patch b/queue-4.19/crypto-qat-check-cipher-length-for-aead-aes-cbc-hmac-sha.patch
new file mode 100644 (file)
index 0000000..233e50b
--- /dev/null
@@ -0,0 +1,59 @@
+From 45cb6653b0c355fc1445a8069ba78a4ce8720511 Mon Sep 17 00:00:00 2001
+From: Dominik Przychodni <dominik.przychodni@intel.com>
+Date: Mon, 31 Aug 2020 11:59:59 +0100
+Subject: crypto: qat - check cipher length for aead AES-CBC-HMAC-SHA
+
+From: Dominik Przychodni <dominik.przychodni@intel.com>
+
+commit 45cb6653b0c355fc1445a8069ba78a4ce8720511 upstream.
+
+Return -EINVAL for authenc(hmac(sha1),cbc(aes)),
+authenc(hmac(sha256),cbc(aes)) and authenc(hmac(sha512),cbc(aes))
+if the cipher length is not multiple of the AES block.
+This is to prevent an undefined device behaviour.
+
+Fixes: d370cec32194 ("crypto: qat - Intel(R) QAT crypto interface")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Dominik Przychodni <dominik.przychodni@intel.com>
+[giovanni.cabiddu@intel.com: reworded commit message]
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/qat/qat_common/qat_algs.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/crypto/qat/qat_common/qat_algs.c
++++ b/drivers/crypto/qat/qat_common/qat_algs.c
+@@ -828,6 +828,11 @@ static int qat_alg_aead_dec(struct aead_
+       struct icp_qat_fw_la_bulk_req *msg;
+       int digst_size = crypto_aead_authsize(aead_tfm);
+       int ret, ctr = 0;
++      u32 cipher_len;
++
++      cipher_len = areq->cryptlen - digst_size;
++      if (cipher_len % AES_BLOCK_SIZE != 0)
++              return -EINVAL;
+       ret = qat_alg_sgl_to_bufl(ctx->inst, areq->src, areq->dst, qat_req);
+       if (unlikely(ret))
+@@ -842,7 +847,7 @@ static int qat_alg_aead_dec(struct aead_
+       qat_req->req.comn_mid.src_data_addr = qat_req->buf.blp;
+       qat_req->req.comn_mid.dest_data_addr = qat_req->buf.bloutp;
+       cipher_param = (void *)&qat_req->req.serv_specif_rqpars;
+-      cipher_param->cipher_length = areq->cryptlen - digst_size;
++      cipher_param->cipher_length = cipher_len;
+       cipher_param->cipher_offset = areq->assoclen;
+       memcpy(cipher_param->u.cipher_IV_array, areq->iv, AES_BLOCK_SIZE);
+       auth_param = (void *)((uint8_t *)cipher_param + sizeof(*cipher_param));
+@@ -871,6 +876,9 @@ static int qat_alg_aead_enc(struct aead_
+       uint8_t *iv = areq->iv;
+       int ret, ctr = 0;
++      if (areq->cryptlen % AES_BLOCK_SIZE != 0)
++              return -EINVAL;
++
+       ret = qat_alg_sgl_to_bufl(ctx->inst, areq->src, areq->dst, qat_req);
+       if (unlikely(ret))
+               return ret;
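Review bot: In qat_alg_aead_dec the new `cipher_len = areq->cryptlen - digst_size;` is stored in a u32 with no lower-bound check visible in the hunk. A cryptlen smaller than the digest size would wrap to a large value that can still be a multiple of AES_BLOCK_SIZE, pass the new test and reach `cipher_param->cipher_length`. If the AEAD core does not already guarantee cryptlen >= authsize before calling the driver, add `if (areq->cryptlen < digst_size) return -EINVAL;` ahead of the subtraction. If it does, a one-line comment saying so would make the reliance explicit. Both functions start and end outside the hunks.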
diff --git a/queue-4.19/drivers-net-ethernet-marvell-mvmdio.c-fix-non-of-case.patch b/queue-4.19/drivers-net-ethernet-marvell-mvmdio.c-fix-non-of-case.patch
new file mode 100644 (file)
index 0000000..7ed7fd6
--- /dev/null
@@ -0,0 +1,61 @@
+From d934423ac26ed373dfe089734d505dca5ff679b6 Mon Sep 17 00:00:00 2001
+From: Arnaud Patard <arnaud.patard@rtp-net.org>
+Date: Fri, 2 Aug 2019 10:32:40 +0200
+Subject: drivers/net/ethernet/marvell/mvmdio.c: Fix non OF case
+
+From: Arnaud Patard <arnaud.patard@rtp-net.org>
+
+commit d934423ac26ed373dfe089734d505dca5ff679b6 upstream.
+
+Orion5.x systems are still using machine files and not device-tree.
+Commit 96cb4342382290c9 ("net: mvmdio: allow up to three clocks to be
+specified for orion-mdio") has replaced devm_clk_get() with of_clk_get(),
+leading to a oops at boot and not working network, as reported in
+https://lists.debian.org/debian-arm/2019/07/msg00088.html and possibly in
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908712.
+
+Link: https://lists.debian.org/debian-arm/2019/07/msg00088.html
+Fixes: 96cb4342382290c9 ("net: mvmdio: allow up to three clocks to be specified for orion-mdio")
+Signed-off-by: Arnaud Patard <arnaud.patard@rtp-net.org>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/marvell/mvmdio.c |   22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvmdio.c
++++ b/drivers/net/ethernet/marvell/mvmdio.c
+@@ -319,15 +319,25 @@ static int orion_mdio_probe(struct platf
+       init_waitqueue_head(&dev->smi_busy_wait);
+-      for (i = 0; i < ARRAY_SIZE(dev->clk); i++) {
+-              dev->clk[i] = of_clk_get(pdev->dev.of_node, i);
+-              if (PTR_ERR(dev->clk[i]) == -EPROBE_DEFER) {
++      if (pdev->dev.of_node) {
++              for (i = 0; i < ARRAY_SIZE(dev->clk); i++) {
++                      dev->clk[i] = of_clk_get(pdev->dev.of_node, i);
++                      if (PTR_ERR(dev->clk[i]) == -EPROBE_DEFER) {
++                              ret = -EPROBE_DEFER;
++                              goto out_clk;
++                      }
++                      if (IS_ERR(dev->clk[i]))
++                              break;
++                      clk_prepare_enable(dev->clk[i]);
++              }
++      } else {
++              dev->clk[0] = clk_get(&pdev->dev, NULL);
++              if (PTR_ERR(dev->clk[0]) == -EPROBE_DEFER) {
+                       ret = -EPROBE_DEFER;
+                       goto out_clk;
+               }
+-              if (IS_ERR(dev->clk[i]))
+-                      break;
+-              clk_prepare_enable(dev->clk[i]);
++              if (!IS_ERR(dev->clk[0]))
++                      clk_prepare_enable(dev->clk[0]);
+       }
+       dev->err_interrupt = platform_get_irq(pdev, 0);
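Review bot: Both branches of the new clock setup in orion_mdio_probe ignore the return value of `clk_prepare_enable()`, so a clock that fails to enable goes unnoticed and probe carries on. At minimum the failure should be logged, e.g. `if (clk_prepare_enable(dev->clk[0])) dev_warn(&pdev->dev, "failed to enable clock\n");`. Whether it can instead jump to `out_clk` depends on the cleanup code, which is outside the hunk. The `else` branch would also benefit from a comment such as `/* no device-tree node (machine-file boards): single clock looked up by device */`.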
index d6d071e4db4ea136b24eb2ca54c6fd5cbd263677..fb1acc053f83d7e88c77e959a5b3b3a1cd88f829 100644 (file)
@@ -16,3 +16,6 @@ usb-serial-pl2303-add-device-id-for-hp-gc-device.patch
 usb-serial-ftdi_sio-add-support-for-freecalypso-jtag-uart-adapters.patch
 reiserfs-initialize-inode-keys-properly.patch
 reiserfs-fix-oops-during-mount.patch
+drivers-net-ethernet-marvell-mvmdio.c-fix-non-of-case.patch
+crypto-bcm-verify-gcm-ccm-key-length-in-setkey.patch
+crypto-qat-check-cipher-length-for-aead-aes-cbc-hmac-sha.patch