--- /dev/null
+From fe09786178f9df713a4b2dd6b93c0a722346bf5e Mon Sep 17 00:00:00 2001
+From: "Wang, Rui Y" <rui.y.wang@intel.com>
+Date: Wed, 27 Jan 2016 17:08:37 +0800
+Subject: crypto: algif_hash - wait for crypto_ahash_init() to complete
+
+From: Wang, Rui Y <rui.y.wang@intel.com>
+
+commit fe09786178f9df713a4b2dd6b93c0a722346bf5e upstream.
+
+hash_sendmsg/sendpage() need to wait for the completion
+of crypto_ahash_init() otherwise it can cause panic.
+
+Signed-off-by: Rui Wang <rui.y.wang@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/algif_hash.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/crypto/algif_hash.c
++++ b/crypto/algif_hash.c
+@@ -51,7 +51,8 @@ static int hash_sendmsg(struct kiocb *un
+
+ lock_sock(sk);
+ if (!ctx->more) {
+- err = crypto_ahash_init(&ctx->req);
++ err = af_alg_wait_for_completion(crypto_ahash_init(&ctx->req),
++ &ctx->completion);
+ if (err)
+ goto unlock;
+ }
+@@ -131,6 +132,7 @@ static ssize_t hash_sendpage(struct sock
+ } else {
+ if (!ctx->more) {
+ err = crypto_ahash_init(&ctx->req);
++ err = af_alg_wait_for_completion(err, &ctx->completion);
+ if (err)
+ goto unlock;
+ }
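Review bot: The two call sites express the same wait differently: the hash_sendmsg hunk nests `crypto_ahash_init(&ctx->req)` inside `af_alg_wait_for_completion()`, while the hash_sendpage hunk assigns `err` twice in a row, so a later edit could drop the second assignment without it looking wrong. Using the nested form in both places, `err = af_alg_wait_for_completion(crypto_ahash_init(&ctx->req), &ctx->completion);`, keeps them in step. Neither site records why the wait is needed; a short comment such as `/* init may complete asynchronously; ctx->req must not be reused until it has */` would capture the reason the commit message gives (presumably an asynchronous driver returning -EINPROGRESS, which is not visible in these hunks). Both function bodies continue outside the hunks.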
--- /dev/null
+From 63e41ebc6630f39422d87f8a4bade1e793f37a01 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Mon, 1 Feb 2016 14:27:30 +0100
+Subject: crypto: user - lock crypto_alg_list on alg dump
+
+From: Mathias Krause <minipli@googlemail.com>
+
+commit 63e41ebc6630f39422d87f8a4bade1e793f37a01 upstream.
+
+We miss to take the crypto_alg_sem semaphore when traversing the
+crypto_alg_list for CRYPTO_MSG_GETALG dumps. This allows a race with
+crypto_unregister_alg() removing algorithms from the list while we're
+still traversing it, thereby leading to a use-after-free as show below:
+
+[ 3482.071639] general protection fault: 0000 [#1] SMP
+[ 3482.075639] Modules linked in: aes_x86_64 glue_helper lrw ablk_helper cryptd gf128mul ipv6 pcspkr serio_raw virtio_net microcode virtio_pci virtio_ring virtio sr_mod cdrom [last unloaded: aesni_intel]
+[ 3482.075639] CPU: 1 PID: 11065 Comm: crconf Not tainted 4.3.4-grsec+ #126
+[ 3482.075639] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
+[ 3482.075639] task: ffff88001cd41a40 ti: ffff88001cd422c8 task.ti: ffff88001cd422c8
+[ 3482.075639] RIP: 0010:[<ffffffff93722bd3>] [<ffffffff93722bd3>] strncpy+0x13/0x30
+[ 3482.075639] RSP: 0018:ffff88001f713b60 EFLAGS: 00010202
+[ 3482.075639] RAX: ffff88001f6c4430 RBX: ffff88001f6c43a0 RCX: ffff88001f6c4430
+[ 3482.075639] RDX: 0000000000000040 RSI: fefefefefefeff16 RDI: ffff88001f6c4430
+[ 3482.075639] RBP: ffff88001f713b60 R08: ffff88001f6c4470 R09: ffff88001f6c4480
+[ 3482.075639] R10: 0000000000000002 R11: 0000000000000246 R12: ffff88001ce2aa28
+[ 3482.075639] R13: ffff880000093700 R14: ffff88001f5e4bf8 R15: 0000000000003b20
+[ 3482.075639] FS: 0000033826fa2700(0000) GS:ffff88001e900000(0000) knlGS:0000000000000000
+[ 3482.075639] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3482.075639] CR2: ffffffffff600400 CR3: 00000000139ec000 CR4: 00000000001606f0
+[ 3482.075639] Stack:
+[ 3482.075639] ffff88001f713bd8 ffffffff936ccd00 ffff88001e5c4200 ffff880000093700
+[ 3482.075639] ffff88001f713bd0 ffffffff938ef4bf 0000000000000000 0000000000003b20
+[ 3482.075639] ffff88001f5e4bf8 ffff88001f5e4848 0000000000000000 0000000000003b20
+[ 3482.075639] Call Trace:
+[ 3482.075639] [<ffffffff936ccd00>] crypto_report_alg+0xc0/0x3e0
+[ 3482.075639] [<ffffffff938ef4bf>] ? __alloc_skb+0x16f/0x300
+[ 3482.075639] [<ffffffff936cd08a>] crypto_dump_report+0x6a/0x90
+[ 3482.075639] [<ffffffff93935707>] netlink_dump+0x147/0x2e0
+[ 3482.075639] [<ffffffff93935f99>] __netlink_dump_start+0x159/0x190
+[ 3482.075639] [<ffffffff936ccb13>] crypto_user_rcv_msg+0xc3/0x130
+[ 3482.075639] [<ffffffff936cd020>] ? crypto_report_alg+0x3e0/0x3e0
+[ 3482.075639] [<ffffffff936cc4b0>] ? alg_test_crc32c+0x120/0x120
+[ 3482.075639] [<ffffffff93933145>] ? __netlink_lookup+0xd5/0x120
+[ 3482.075639] [<ffffffff936cca50>] ? crypto_add_alg+0x1d0/0x1d0
+[ 3482.075639] [<ffffffff93938141>] netlink_rcv_skb+0xe1/0x130
+[ 3482.075639] [<ffffffff936cc4f8>] crypto_netlink_rcv+0x28/0x40
+[ 3482.075639] [<ffffffff939375a8>] netlink_unicast+0x108/0x180
+[ 3482.075639] [<ffffffff93937c21>] netlink_sendmsg+0x541/0x770
+[ 3482.075639] [<ffffffff938e31e1>] sock_sendmsg+0x21/0x40
+[ 3482.075639] [<ffffffff938e4763>] SyS_sendto+0xf3/0x130
+[ 3482.075639] [<ffffffff93444203>] ? bad_area_nosemaphore+0x13/0x20
+[ 3482.075639] [<ffffffff93444470>] ? __do_page_fault+0x80/0x3a0
+[ 3482.075639] [<ffffffff939d80cb>] entry_SYSCALL_64_fastpath+0x12/0x6e
+[ 3482.075639] Code: 88 4a ff 75 ed 5d 48 0f ba 2c 24 3f c3 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 85 d2 48 89 f8 48 89 f9 4c 8d 04 17 48 89 e5 74 15 <0f> b6 16 80 fa 01 88 11 48 83 de ff 48 83 c1 01 4c 39 c1 75 eb
+[ 3482.075639] RIP [<ffffffff93722bd3>] strncpy+0x13/0x30
+
+To trigger the race run the following loops simultaneously for a while:
+ $ while : ; do modprobe aesni-intel; rmmod aesni-intel; done
+ $ while : ; do crconf show all > /dev/null; done
+
+Fix the race by taking the crypto_alg_sem read lock, thereby preventing
+crypto_unregister_alg() from modifying the algorithm list during the
+dump.
+
+This bug has been detected by the PaX memory sanitize feature.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: PaX Team <pageexec@freemail.hu>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/crypto_user.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/crypto/crypto_user.c
++++ b/crypto/crypto_user.c
+@@ -477,6 +477,7 @@ static int crypto_user_rcv_msg(struct sk
+ if (link->dump == NULL)
+ return -EINVAL;
+
++ down_read(&crypto_alg_sem);
+ list_for_each_entry(alg, &crypto_alg_list, cra_list)
+ dump_alloc += CRYPTO_REPORT_MAXSIZE;
+
+@@ -486,8 +487,11 @@ static int crypto_user_rcv_msg(struct sk
+ .done = link->done,
+ .min_dump_alloc = dump_alloc,
+ };
+- return netlink_dump_start(crypto_nlsk, skb, nlh, &c);
++ err = netlink_dump_start(crypto_nlsk, skb, nlh, &c);
+ }
++ up_read(&crypto_alg_sem);
++
++ return err;
+ }
+
+ err = nlmsg_parse(nlh, crypto_msg_min[type], attrs, CRYPTOCFGA_MAX,
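Review bot: The read lock taken before `list_for_each_entry()` covers the traversal only while the dump callback runs inside `netlink_dump_start()`; if `link->dump` can be invoked again later for a dump that does not fit in one skb, that later pass would walk `crypto_alg_list` without `crypto_alg_sem` held. The callback is not visible in these hunks, so this needs confirming against the dump function shown in the commit's call trace; if it can be re-entered, taking the semaphore inside the callback would be the more robust place. A comment at the `down_read()` would help either way, for example `/* hold crypto_alg_sem across sizing and dump: crypto_unregister_alg() may free entries otherwise */`. crypto_user_rcv_msg starts and ends outside the hunks.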
--- /dev/null
+From 613317bd212c585c20796c10afe5daaa95d4b0a1 Mon Sep 17 00:00:00 2001
+From: Ryan Ware <ware@linux.intel.com>
+Date: Thu, 11 Feb 2016 15:58:44 -0800
+Subject: EVM: Use crypto_memneq() for digest comparisons
+
+From: Ryan Ware <ware@linux.intel.com>
+
+commit 613317bd212c585c20796c10afe5daaa95d4b0a1 upstream.
+
+This patch fixes vulnerability CVE-2016-2085. The problem exists
+because the vm_verify_hmac() function includes a use of memcmp().
+Unfortunately, this allows timing side channel attacks; specifically
+a MAC forgery complexity drop from 2^128 to 2^12. This patch changes
+the memcmp() to the cryptographically safe crypto_memneq().
+
+Reported-by: Xiaofei Rex Guo <xiaofei.rex.guo@intel.com>
+Signed-off-by: Ryan Ware <ware@linux.intel.com>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/evm/evm_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/integrity/evm/evm_main.c
++++ b/security/integrity/evm/evm_main.c
+@@ -22,6 +22,7 @@
+ #include <linux/evm.h>
+ #include <linux/magic.h>
+ #include <crypto/hash.h>
++#include <crypto/algapi.h>
+ #include "evm.h"
+
+ int evm_initialized;
+@@ -133,7 +134,7 @@ static enum integrity_status evm_verify_
+ xattr_value_len, calc.digest);
+ if (rc)
+ break;
+- rc = memcmp(xattr_data->digest, calc.digest,
++ rc = crypto_memneq(xattr_data->digest, calc.digest,
+ sizeof(calc.digest));
+ if (rc)
+ rc = -EINVAL;
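Review bot: Nothing visible in the second hunk checks that the stored `security.evm` value is at least `sizeof(calc.digest)` bytes long before `crypto_memneq()` reads that many bytes from `xattr_data->digest`; if the part of the function outside the hunk has no such check, a short xattr would be read past its end. Comparing the length returned when the xattr was read against the expected structure size, and failing verification on a mismatch, would close that. A one-line comment would also keep the call from being turned back into memcmp() later: `/* constant-time: memcmp() timing reveals how many leading digest bytes matched */`. The enclosing function starts and ends outside the hunk.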
--- /dev/null
+From b130ed5998e62879a66bad08931a2b5e832da95c Mon Sep 17 00:00:00 2001
+From: Kinglong Mee <kinglongmee@gmail.com>
+Date: Wed, 4 Nov 2015 15:20:24 +0000
+Subject: FS-Cache: Don't override netfs's primary_index if registering failed
+
+From: Kinglong Mee <kinglongmee@gmail.com>
+
+commit b130ed5998e62879a66bad08931a2b5e832da95c upstream.
+
+Only override netfs->primary_index when registering success.
+
+Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fscache/netfs.c | 37 ++++++++++++++++++-------------------
+ 1 file changed, 18 insertions(+), 19 deletions(-)
+
+--- a/fs/fscache/netfs.c
++++ b/fs/fscache/netfs.c
+@@ -22,6 +22,7 @@ static LIST_HEAD(fscache_netfs_list);
+ int __fscache_register_netfs(struct fscache_netfs *netfs)
+ {
+ struct fscache_netfs *ptr;
++ struct fscache_cookie *cookie;
+ int ret;
+
+ _enter("{%s}", netfs->name);
+@@ -29,26 +30,25 @@ int __fscache_register_netfs(struct fsca
+ INIT_LIST_HEAD(&netfs->link);
+
+ /* allocate a cookie for the primary index */
+- netfs->primary_index =
+- kmem_cache_zalloc(fscache_cookie_jar, GFP_KERNEL);
++ cookie = kmem_cache_zalloc(fscache_cookie_jar, GFP_KERNEL);
+
+- if (!netfs->primary_index) {
++ if (!cookie) {
+ _leave(" = -ENOMEM");
+ return -ENOMEM;
+ }
+
+ /* initialise the primary index cookie */
+- atomic_set(&netfs->primary_index->usage, 1);
+- atomic_set(&netfs->primary_index->n_children, 0);
+- atomic_set(&netfs->primary_index->n_active, 1);
+-
+- netfs->primary_index->def = &fscache_fsdef_netfs_def;
+- netfs->primary_index->parent = &fscache_fsdef_index;
+- netfs->primary_index->netfs_data = netfs;
+- netfs->primary_index->flags = 1 << FSCACHE_COOKIE_ENABLED;
++ atomic_set(&cookie->usage, 1);
++ atomic_set(&cookie->n_children, 0);
++ atomic_set(&cookie->n_active, 1);
++
++ cookie->def = &fscache_fsdef_netfs_def;
++ cookie->parent = &fscache_fsdef_index;
++ cookie->netfs_data = netfs;
++ cookie->flags = 1 << FSCACHE_COOKIE_ENABLED;
+
+- spin_lock_init(&netfs->primary_index->lock);
+- INIT_HLIST_HEAD(&netfs->primary_index->backing_objects);
++ spin_lock_init(&cookie->lock);
++ INIT_HLIST_HEAD(&cookie->backing_objects);
+
+ /* check the netfs type is not already present */
+ down_write(&fscache_addremove_sem);
+@@ -59,9 +59,10 @@ int __fscache_register_netfs(struct fsca
+ goto already_registered;
+ }
+
+- atomic_inc(&netfs->primary_index->parent->usage);
+- atomic_inc(&netfs->primary_index->parent->n_children);
++ atomic_inc(&cookie->parent->usage);
++ atomic_inc(&cookie->parent->n_children);
+
++ netfs->primary_index = cookie;
+ list_add(&netfs->link, &fscache_netfs_list);
+ ret = 0;
+
+@@ -71,10 +72,8 @@ int __fscache_register_netfs(struct fsca
+ already_registered:
+ up_write(&fscache_addremove_sem);
+
+- if (ret < 0) {
+- kmem_cache_free(fscache_cookie_jar, netfs->primary_index);
+- netfs->primary_index = NULL;
+- }
++ if (ret < 0)
++ kmem_cache_free(fscache_cookie_jar, cookie);
+
+ _leave(" = %d", ret);
+ return ret;
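Review bot: `INIT_LIST_HEAD(&netfs->link);` at the top of the second hunk still runs before the duplicate check, so the case this commit guards against, re-registering a netfs that is already on `fscache_netfs_list`, would keep `primary_index` intact but reset the list node while its neighbours still point at it. Since `list_add()` writes both pointers of the new node anyway, the initialisation could move to just before `netfs->primary_index = cookie;`, or be dropped if no caller relies on it after a failed registration (callers are not visible here). The function would also benefit from a header comment stating that `netfs->primary_index` is written only on success.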
--- /dev/null
+From 86108c2e34a26e4bec3c6ddb23390bf8cedcf391 Mon Sep 17 00:00:00 2001
+From: Kinglong Mee <kinglongmee@gmail.com>
+Date: Wed, 4 Nov 2015 15:20:15 +0000
+Subject: FS-Cache: Increase reference of parent after registering, netfs success
+
+From: Kinglong Mee <kinglongmee@gmail.com>
+
+commit 86108c2e34a26e4bec3c6ddb23390bf8cedcf391 upstream.
+
+If netfs exist, fscache should not increase the reference of parent's
+usage and n_children, otherwise, never be decreased.
+
+v2: thanks David's suggest,
+ move increasing reference of parent if success
+ use kmem_cache_free() freeing primary_index directly
+
+v3: don't move "netfs->primary_index->parent = &fscache_fsdef_index;"
+
+Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fscache/netfs.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/fs/fscache/netfs.c
++++ b/fs/fscache/netfs.c
+@@ -47,9 +47,6 @@ int __fscache_register_netfs(struct fsca
+ netfs->primary_index->netfs_data = netfs;
+ netfs->primary_index->flags = 1 << FSCACHE_COOKIE_ENABLED;
+
+- atomic_inc(&netfs->primary_index->parent->usage);
+- atomic_inc(&netfs->primary_index->parent->n_children);
+-
+ spin_lock_init(&netfs->primary_index->lock);
+ INIT_HLIST_HEAD(&netfs->primary_index->backing_objects);
+
+@@ -62,6 +59,9 @@ int __fscache_register_netfs(struct fsca
+ goto already_registered;
+ }
+
++ atomic_inc(&netfs->primary_index->parent->usage);
++ atomic_inc(&netfs->primary_index->parent->n_children);
++
+ list_add(&netfs->link, &fscache_netfs_list);
+ ret = 0;
+
+@@ -72,8 +72,7 @@ already_registered:
+ up_write(&fscache_addremove_sem);
+
+ if (ret < 0) {
+- netfs->primary_index->parent = NULL;
+- __fscache_cookie_put(netfs->primary_index);
++ kmem_cache_free(fscache_cookie_jar, netfs->primary_index);
+ netfs->primary_index = NULL;
+ }
+
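Review bot: The failure path in the last hunk now frees the cookie with `kmem_cache_free()` instead of going through `__fscache_cookie_put()`, which is safe only because the cookie has not been published and, after the reordering, holds no parent reference at that point; nothing in the code says so. A comment above the free would keep a later change from taking a reference earlier without revisiting this path, for example `/* cookie never published and no parent ref taken yet: free directly */`. __fscache_register_netfs starts and ends outside the hunks.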
ahci-fix-softreset-failed-issue-of-port-multiplier.patch
libata-disable-forced-ports_impl-for-ahci-1.3.patch
ahci-intel-dnv-device-ids-sata.patch
+crypto-algif_hash-wait-for-crypto_ahash_init-to-complete.patch
+evm-use-crypto_memneq-for-digest-comparisons.patch
+crypto-user-lock-crypto_alg_list-on-alg-dump.patch
+fs-cache-increase-reference-of-parent-after-registering-netfs-success.patch
+fs-cache-don-t-override-netfs-s-primary_index-if-registering-failed.patch