3.18 patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 14 Apr 2017 12:38:41 +0000 (14:38 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 14 Apr 2017 12:38:41 +0000 (14:38 +0200)
queue-3.18/crypto-algif_hash-avoid-zero-sized-array.patch [new file with mode: 0644]
queue-3.18/crypto-cryptd-assign-statesize-properly.patch [new file with mode: 0644]
queue-3.18/crypto-ghash-clmulni-fix-load-failure.patch [new file with mode: 0644]
queue-3.18/crypto-mcryptd-fix-load-failure.patch [new file with mode: 0644]
queue-3.18/futex-add-missing-error-handling-to-futex_requeue_pi.patch [new file with mode: 0644]
queue-3.18/futex-fix-potential-use-after-free-in-futex_requeue_pi.patch [new file with mode: 0644]
queue-3.18/mbox_todo
queue-3.18/series

diff --git a/queue-3.18/crypto-algif_hash-avoid-zero-sized-array.patch b/queue-3.18/crypto-algif_hash-avoid-zero-sized-array.patch
new file mode 100644 (file)
index 0000000..f3f7011
--- /dev/null
@@ -0,0 +1,70 @@
+From 6207119444595d287b1e9e83a2066c17209698f3 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Thu, 15 Dec 2016 14:31:01 +0100
+Subject: crypto: algif_hash - avoid zero-sized array
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 6207119444595d287b1e9e83a2066c17209698f3 upstream.
+
+With this reproducer:
+  struct sockaddr_alg alg = {
+          .salg_family = 0x26,
+          .salg_type = "hash",
+          .salg_feat = 0xf,
+          .salg_mask = 0x5,
+          .salg_name = "digest_null",
+  };
+  int sock, sock2;
+
+  sock = socket(AF_ALG, SOCK_SEQPACKET, 0);
+  bind(sock, (struct sockaddr *)&alg, sizeof(alg));
+  sock2 = accept(sock, NULL, NULL);
+  setsockopt(sock, SOL_ALG, ALG_SET_KEY, "\x9b\xca", 2);
+  accept(sock2, NULL, NULL);
+
+==== 8< ======== 8< ======== 8< ======== 8< ====
+
+one can immediatelly see an UBSAN warning:
+UBSAN: Undefined behaviour in crypto/algif_hash.c:187:7
+variable length array bound value 0 <= 0
+CPU: 0 PID: 15949 Comm: syz-executor Tainted: G            E      4.4.30-0-default #1
+...
+Call Trace:
+...
+ [<ffffffff81d598fd>] ? __ubsan_handle_vla_bound_not_positive+0x13d/0x188
+ [<ffffffff81d597c0>] ? __ubsan_handle_out_of_bounds+0x1bc/0x1bc
+ [<ffffffffa0e2204d>] ? hash_accept+0x5bd/0x7d0 [algif_hash]
+ [<ffffffffa0e2293f>] ? hash_accept_nokey+0x3f/0x51 [algif_hash]
+ [<ffffffffa0e206b0>] ? hash_accept_parent_nokey+0x4a0/0x4a0 [algif_hash]
+ [<ffffffff8235c42b>] ? SyS_accept+0x2b/0x40
+
+It is a correct warning, as hash state is propagated to accept as zero,
+but creating a zero-length variable array is not allowed in C.
+
+Fix this as proposed by Herbert -- do "?: 1" on that site. No sizeof or
+similar happens in the code there, so we just allocate one byte even
+though we do not use the array.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net> (maintainer:CRYPTO API)
+Reported-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/algif_hash.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/algif_hash.c
++++ b/crypto/algif_hash.c
+@@ -195,7 +195,7 @@ static int hash_accept(struct socket *so
+       struct alg_sock *ask = alg_sk(sk);
+       struct hash_ctx *ctx = ask->private;
+       struct ahash_request *req = &ctx->req;
+-      char state[crypto_ahash_statesize(crypto_ahash_reqtfm(req))];
++      char state[crypto_ahash_statesize(crypto_ahash_reqtfm(req)) ? : 1];
+       struct sock *sk2;
+       struct alg_sock *ask2;
+       struct hash_ctx *ctx2;
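Review bot: The `?: 1` on the `char state[...]` declaration only removes the zero-length bound; `state` remains a kernel-stack VLA whose size is driver-controlled through crypto_ahash_statesize(), so a stateless driver now gets one unused byte while a large statesize still lands on the stack unchecked. The reason for the odd `?: 1` lives only in the commit message, and I would record it next to the declaration, e.g. `/* statesize may be 0 for a stateless hash; a zero-length VLA is undefined, so allocate one unused byte */`. The elvis operator is a GNU extension, which is fine for the kernel but should not be copied into portable code. hash_accept() begins and ends outside this hunk.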
diff --git a/queue-3.18/crypto-cryptd-assign-statesize-properly.patch b/queue-3.18/crypto-cryptd-assign-statesize-properly.patch
new file mode 100644 (file)
index 0000000..40aa1f5
--- /dev/null
@@ -0,0 +1,33 @@
+From 1a07834024dfca5c4bed5de8f8714306e0a11836 Mon Sep 17 00:00:00 2001
+From: "Wang, Rui Y" <rui.y.wang@intel.com>
+Date: Sun, 29 Nov 2015 22:45:34 +0800
+Subject: crypto: cryptd - Assign statesize properly
+
+From: Wang, Rui Y <rui.y.wang@intel.com>
+
+commit 1a07834024dfca5c4bed5de8f8714306e0a11836 upstream.
+
+cryptd_create_hash() fails by returning -EINVAL.  It is because after
+8996eafdc ("crypto: ahash - ensure statesize is non-zero") all ahash
+drivers must have a non-zero statesize.
+
+This patch fixes the problem by properly assigning the statesize.
+
+Signed-off-by: Rui Wang <rui.y.wang@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/cryptd.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/crypto/cryptd.c
++++ b/crypto/cryptd.c
+@@ -606,6 +606,7 @@ static int cryptd_create_hash(struct cry
+       inst->alg.halg.base.cra_flags = CRYPTO_ALG_ASYNC;
+       inst->alg.halg.digestsize = salg->digestsize;
++      inst->alg.halg.statesize = salg->statesize;
+       inst->alg.halg.base.cra_ctxsize = sizeof(struct cryptd_hash_ctx);
+       inst->alg.halg.base.cra_init = cryptd_hash_init_tfm;
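Review bot: The added `inst->alg.halg.statesize = salg->statesize;` carries no comment tying it to why it is required, and the same applies to the identical line in crypto-mcryptd-fix-load-failure.patch. The commit message attributes the -EINVAL to 8996eafdc requiring a non-zero statesize, so the assignment only matters if that check, or the import/export paths that consume the size, are already present in 3.18 — worth confirming for the backport rather than assuming. I would annotate the line with `/* ahash requires a non-zero statesize (8996eafdc); inherit the wrapped shash's */`. cryptd_create_hash() begins and ends outside this hunk.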
diff --git a/queue-3.18/crypto-ghash-clmulni-fix-load-failure.patch b/queue-3.18/crypto-ghash-clmulni-fix-load-failure.patch
new file mode 100644 (file)
index 0000000..a2b4d25
--- /dev/null
@@ -0,0 +1,72 @@
+From 3a020a723c65eb8ffa7c237faca26521a024e582 Mon Sep 17 00:00:00 2001
+From: "Wang, Rui Y" <rui.y.wang@intel.com>
+Date: Sun, 29 Nov 2015 22:45:33 +0800
+Subject: crypto: ghash-clmulni - Fix load failure
+
+From: Wang, Rui Y <rui.y.wang@intel.com>
+
+commit 3a020a723c65eb8ffa7c237faca26521a024e582 upstream.
+
+ghash_clmulni_intel fails to load on Linux 4.3+ with the following message:
+"modprobe: ERROR: could not insert 'ghash_clmulni_intel': Invalid argument"
+
+After 8996eafdc ("crypto: ahash - ensure statesize is non-zero") all ahash
+drivers are required to implement import()/export(), and must have a non-
+zero statesize.
+
+This patch has been tested with the algif_hash interface. The calculated
+digest values, after several rounds of import()s and export()s, match those
+calculated by tcrypt.
+
+Signed-off-by: Rui Wang <rui.y.wang@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/crypto/ghash-clmulni-intel_glue.c |   26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+--- a/arch/x86/crypto/ghash-clmulni-intel_glue.c
++++ b/arch/x86/crypto/ghash-clmulni-intel_glue.c
+@@ -218,6 +218,29 @@ static int ghash_async_final(struct ahas
+       }
+ }
++static int ghash_async_import(struct ahash_request *req, const void *in)
++{
++      struct ahash_request *cryptd_req = ahash_request_ctx(req);
++      struct shash_desc *desc = cryptd_shash_desc(cryptd_req);
++      struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
++
++      ghash_async_init(req);
++      memcpy(dctx, in, sizeof(*dctx));
++      return 0;
++
++}
++
++static int ghash_async_export(struct ahash_request *req, void *out)
++{
++      struct ahash_request *cryptd_req = ahash_request_ctx(req);
++      struct shash_desc *desc = cryptd_shash_desc(cryptd_req);
++      struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
++
++      memcpy(out, dctx, sizeof(*dctx));
++      return 0;
++
++}
++
+ static int ghash_async_digest(struct ahash_request *req)
+ {
+       struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
+@@ -285,8 +308,11 @@ static struct ahash_alg ghash_async_alg
+       .final          = ghash_async_final,
+       .setkey         = ghash_async_setkey,
+       .digest         = ghash_async_digest,
++      .export         = ghash_async_export,
++      .import         = ghash_async_import,
+       .halg = {
+               .digestsize     = GHASH_DIGEST_SIZE,
++              .statesize = sizeof(struct ghash_desc_ctx),
+               .base = {
+                       .cra_name               = "ghash",
+                       .cra_driver_name        = "ghash-clmulni",
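Review bot: The new ghash_async_import() and ghash_async_export() each leave a blank line before their closing brace (the empty `+` line after `return 0;`), which checkpatch flags and which should be dropped; likewise the added `.statesize = sizeof(struct ghash_desc_ctx),` is not column-aligned with the neighbouring `.digestsize` initializer. More substantively, import() calls ghash_async_init(req) and then overwrites the whole desc context with `memcpy(dctx, in, sizeof(*dctx))` without validating the incoming state, which is acceptable only as long as `in` always originates from a prior export() of the same algorithm, and a one-line comment stating that trust assumption would help future readers. Why ghash_async_init() must run before the copy is not visible here (its body is outside the hunk) — presumably it sets up the cryptd request and desc that the copied state is written into; confirm and document that in the function header.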
diff --git a/queue-3.18/crypto-mcryptd-fix-load-failure.patch b/queue-3.18/crypto-mcryptd-fix-load-failure.patch
new file mode 100644 (file)
index 0000000..24e6819
--- /dev/null
@@ -0,0 +1,31 @@
+From ddef482420b1ba8ec45e6123a7e8d3f67b21e5e3 Mon Sep 17 00:00:00 2001
+From: "Wang, Rui Y" <rui.y.wang@intel.com>
+Date: Wed, 27 Jan 2016 17:08:36 +0800
+Subject: crypto: mcryptd - Fix load failure
+
+From: Wang, Rui Y <rui.y.wang@intel.com>
+
+commit ddef482420b1ba8ec45e6123a7e8d3f67b21e5e3 upstream.
+
+mcryptd_create_hash() fails by returning -EINVAL, causing any
+driver using mcryptd to fail to load. It is because it needs
+to set its statesize properly.
+
+Signed-off-by: Rui Wang <rui.y.wang@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/mcryptd.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/crypto/mcryptd.c
++++ b/crypto/mcryptd.c
+@@ -505,6 +505,7 @@ static int mcryptd_create_hash(struct cr
+       inst->alg.halg.base.cra_flags = CRYPTO_ALG_ASYNC;
+       inst->alg.halg.digestsize = salg->digestsize;
++      inst->alg.halg.statesize = salg->statesize;
+       inst->alg.halg.base.cra_ctxsize = sizeof(struct mcryptd_hash_ctx);
+       inst->alg.halg.base.cra_init = mcryptd_hash_init_tfm;
diff --git a/queue-3.18/futex-add-missing-error-handling-to-futex_requeue_pi.patch b/queue-3.18/futex-add-missing-error-handling-to-futex_requeue_pi.patch
new file mode 100644 (file)
index 0000000..0d0c748
--- /dev/null
@@ -0,0 +1,42 @@
+From 9bbb25afeb182502ca4f2c4f3f88af0681b34cae Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Sat, 4 Mar 2017 10:27:19 +0100
+Subject: futex: Add missing error handling to FUTEX_REQUEUE_PI
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 9bbb25afeb182502ca4f2c4f3f88af0681b34cae upstream.
+
+Thomas spotted that fixup_pi_state_owner() can return errors and we
+fail to unlock the rt_mutex in that case.
+
+Reported-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Darren Hart <dvhart@linux.intel.com>
+Cc: juri.lelli@arm.com
+Cc: bigeasy@linutronix.de
+Cc: xlpang@redhat.com
+Cc: rostedt@goodmis.org
+Cc: mathieu.desnoyers@efficios.com
+Cc: jdesfossez@efficios.com
+Cc: dvhart@infradead.org
+Cc: bristot@redhat.com
+Link: http://lkml.kernel.org/r/20170304093558.867401760@infradead.org
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/futex.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2650,6 +2650,8 @@ static int futex_wait_requeue_pi(u32 __u
+               if (q.pi_state && (q.pi_state->owner != current)) {
+                       spin_lock(q.lock_ptr);
+                       ret = fixup_pi_state_owner(uaddr2, &q, current);
++                      if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current)
++                              rt_mutex_unlock(&q.pi_state->pi_mutex);
+                       /*
+                        * Drop the reference to the pi state which
+                        * the requeue_pi() code acquired for us.
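Review bot: The new `if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current)` dereferences q.pi_state, which is safe here only because the enclosing `if (q.pi_state && ...)` on the first context line guarantees it and because the unlock is placed before the comment announcing that the pi_state reference is dropped; a short comment would make that ordering requirement explicit, e.g. `/* fixup_pi_state_owner() failed: release the rt_mutex we own before the pi_state reference is dropped */`. The condition fires on any non-zero ret rather than only -EFAULT, which matches the sibling futex-fix-potential-use-after-free-in-futex_requeue_pi.patch whose line numbers this hunk appears to assume (queue-3.18/series lists that patch first). futex_wait_requeue_pi() begins and ends outside this hunk.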
diff --git a/queue-3.18/futex-fix-potential-use-after-free-in-futex_requeue_pi.patch b/queue-3.18/futex-fix-potential-use-after-free-in-futex_requeue_pi.patch
new file mode 100644 (file)
index 0000000..fda21aa
--- /dev/null
@@ -0,0 +1,85 @@
+From c236c8e95a3d395b0494e7108f0d41cf36ec107c Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Sat, 4 Mar 2017 10:27:18 +0100
+Subject: futex: Fix potential use-after-free in FUTEX_REQUEUE_PI
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit c236c8e95a3d395b0494e7108f0d41cf36ec107c upstream.
+
+While working on the futex code, I stumbled over this potential
+use-after-free scenario. Dmitry triggered it later with syzkaller.
+
+pi_mutex is a pointer into pi_state, which we drop the reference on in
+unqueue_me_pi(). So any access to that pointer after that is bad.
+
+Since other sites already do rt_mutex_unlock() with hb->lock held, see
+for example futex_lock_pi(), simply move the unlock before
+unqueue_me_pi().
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Darren Hart <dvhart@linux.intel.com>
+Cc: juri.lelli@arm.com
+Cc: bigeasy@linutronix.de
+Cc: xlpang@redhat.com
+Cc: rostedt@goodmis.org
+Cc: mathieu.desnoyers@efficios.com
+Cc: jdesfossez@efficios.com
+Cc: dvhart@infradead.org
+Cc: bristot@redhat.com
+Link: http://lkml.kernel.org/r/20170304093558.801744246@infradead.org
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/futex.c |   20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -2567,7 +2567,6 @@ static int futex_wait_requeue_pi(u32 __u
+ {
+       struct hrtimer_sleeper timeout, *to = NULL;
+       struct rt_mutex_waiter rt_waiter;
+-      struct rt_mutex *pi_mutex = NULL;
+       struct futex_hash_bucket *hb;
+       union futex_key key2 = FUTEX_KEY_INIT;
+       struct futex_q q = futex_q_init;
+@@ -2659,6 +2658,8 @@ static int futex_wait_requeue_pi(u32 __u
+                       spin_unlock(q.lock_ptr);
+               }
+       } else {
++              struct rt_mutex *pi_mutex;
++
+               /*
+                * We have been woken up by futex_unlock_pi(), a timeout, or a
+                * signal.  futex_unlock_pi() will not destroy the lock_ptr nor
+@@ -2682,18 +2683,19 @@ static int futex_wait_requeue_pi(u32 __u
+               if (res)
+                       ret = (res < 0) ? res : 0;
++              /*
++               * If fixup_pi_state_owner() faulted and was unable to handle
++               * the fault, unlock the rt_mutex and return the fault to
++               * userspace.
++               */
++              if (ret && rt_mutex_owner(pi_mutex) == current)
++                      rt_mutex_unlock(pi_mutex);
++
+               /* Unqueue and drop the lock. */
+               unqueue_me_pi(&q);
+       }
+-      /*
+-       * If fixup_pi_state_owner() faulted and was unable to handle the
+-       * fault, unlock the rt_mutex and return the fault to userspace.
+-       */
+-      if (ret == -EFAULT) {
+-              if (pi_mutex && rt_mutex_owner(pi_mutex) == current)
+-                      rt_mutex_unlock(pi_mutex);
+-      } else if (ret == -EINTR) {
++      if (ret == -EINTR) {
+               /*
+                * We've already been requeued, but cannot restart by calling
+                * futex_lock_pi() directly. We could restart this syscall, but
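Review bot: The moved check `if (ret && rt_mutex_owner(pi_mutex) == current)` drops both the `pi_mutex &&` NULL guard and the `ret == -EFAULT` restriction of the removed block; that is sound only if `pi_mutex` is assigned unconditionally on this branch in the stretch between the `@@ -2659` and `@@ -2682` hunks, which is not visible here and is worth confirming in the backported 3.18 file. The unlock now runs with q.lock_ptr still held, as the commit message argues futex_lock_pi() already does, and the new comment could state that explicitly, e.g. `/* still under q.lock_ptr; pi_state stays valid until unqueue_me_pi() */`. futex_wait_requeue_pi() begins and ends outside these hunks.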
index 221e6def33add8aa6322b3a088fbcb4221a16e14..3488239b4fdb32ca87aad8797ab34bf0f68473c9 100644 (file)
@@ -2867,76 +2867,6 @@ index e504f548b64e..5bbd1989d5e6 100644
 -- 
 2.12.2
 
-From 3a19419c50c6ee386ca6d22a23acc2df51583d3d Mon Sep 17 00:00:00 2001
-From: Eric Biggers <ebiggers@google.com>
-Date: Sat, 15 Oct 2016 09:48:50 -0400
-Subject: [PATCH 097/251] fscrypto: lock inode while setting encryption policy
-Content-Length: 1807
-Lines: 62
-
-commit 8906a8223ad4909b391c5628f7991ebceda30e52 upstream.
-
-i_rwsem needs to be acquired while setting an encryption policy so that
-concurrent calls to FS_IOC_SET_ENCRYPTION_POLICY are correctly
-serialized (especially the ->get_context() + ->set_context() pair), and
-so that new files cannot be created in the directory during or after the
-->empty_dir() check.
-
-Signed-off-by: Eric Biggers <ebiggers@google.com>
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-Reviewed-by: Richard Weinberger <richard@nod.at>
-Cc: stable@vger.kernel.org
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ext4/ioctl.c | 4 ++++
- fs/f2fs/file.c  | 9 ++++++++-
- 2 files changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
-index 1fb12f9c97a6..789e2d6724a9 100644
---- a/fs/ext4/ioctl.c
-+++ b/fs/ext4/ioctl.c
-@@ -633,8 +633,12 @@ resizefs_out:
-               if (err)
-                       goto encryption_policy_out;
-+              mutex_lock(&inode->i_mutex);
-+
-               err = ext4_process_policy(&policy, inode);
-+              mutex_unlock(&inode->i_mutex);
-+
-               mnt_drop_write_file(filp);
- encryption_policy_out:
-               return err;
-diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
-index a197215ad52b..4b449d263333 100644
---- a/fs/f2fs/file.c
-+++ b/fs/f2fs/file.c
-@@ -1535,12 +1535,19 @@ static int f2fs_ioc_set_encryption_policy(struct file *filp, unsigned long arg)
- #ifdef CONFIG_F2FS_FS_ENCRYPTION
-       struct f2fs_encryption_policy policy;
-       struct inode *inode = file_inode(filp);
-+      int err;
-       if (copy_from_user(&policy, (struct f2fs_encryption_policy __user *)arg,
-                               sizeof(policy)))
-               return -EFAULT;
--      return f2fs_process_policy(&policy, inode);
-+      mutex_lock(&inode->i_mutex);
-+
-+      err = f2fs_process_policy(&policy, inode);
-+
-+      mutex_unlock(&inode->i_mutex);
-+
-+      return err;
- #else
-       return -EOPNOTSUPP;
- #endif
--- 
-2.12.2
-
 From 8e0ec20539f8c626463ae43fcaeb218e3b2b5dc4 Mon Sep 17 00:00:00 2001
 From: Andrey Ryabinin <aryabinin@virtuozzo.com>
 Date: Mon, 13 Mar 2017 19:33:37 +0300
@@ -3049,142 +2979,6 @@ index 1a8256dd6729..5b2f2306fbcc 100644
 -- 
 2.12.2
 
-From 44854c191e2cb62d369eb9927e6b6683c11d6b04 Mon Sep 17 00:00:00 2001
-From: Peter Zijlstra <peterz@infradead.org>
-Date: Sat, 4 Mar 2017 10:27:18 +0100
-Subject: [PATCH 100/251] futex: Fix potential use-after-free in
- FUTEX_REQUEUE_PI
-Content-Length: 2788
-Lines: 81
-
-commit c236c8e95a3d395b0494e7108f0d41cf36ec107c upstream.
-
-While working on the futex code, I stumbled over this potential
-use-after-free scenario. Dmitry triggered it later with syzkaller.
-
-pi_mutex is a pointer into pi_state, which we drop the reference on in
-unqueue_me_pi(). So any access to that pointer after that is bad.
-
-Since other sites already do rt_mutex_unlock() with hb->lock held, see
-for example futex_lock_pi(), simply move the unlock before
-unqueue_me_pi().
-
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Reviewed-by: Darren Hart <dvhart@linux.intel.com>
-Cc: juri.lelli@arm.com
-Cc: bigeasy@linutronix.de
-Cc: xlpang@redhat.com
-Cc: rostedt@goodmis.org
-Cc: mathieu.desnoyers@efficios.com
-Cc: jdesfossez@efficios.com
-Cc: dvhart@infradead.org
-Cc: bristot@redhat.com
-Link: http://lkml.kernel.org/r/20170304093558.801744246@infradead.org
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/futex.c | 20 +++++++++++---------
- 1 file changed, 11 insertions(+), 9 deletions(-)
-
-diff --git a/kernel/futex.c b/kernel/futex.c
-index 9d251dc3ec40..45170163a0b3 100644
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -2690,7 +2690,6 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
- {
-       struct hrtimer_sleeper timeout, *to = NULL;
-       struct rt_mutex_waiter rt_waiter;
--      struct rt_mutex *pi_mutex = NULL;
-       struct futex_hash_bucket *hb;
-       union futex_key key2 = FUTEX_KEY_INIT;
-       struct futex_q q = futex_q_init;
-@@ -2782,6 +2781,8 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
-                       spin_unlock(q.lock_ptr);
-               }
-       } else {
-+              struct rt_mutex *pi_mutex;
-+
-               /*
-                * We have been woken up by futex_unlock_pi(), a timeout, or a
-                * signal.  futex_unlock_pi() will not destroy the lock_ptr nor
-@@ -2805,18 +2806,19 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
-               if (res)
-                       ret = (res < 0) ? res : 0;
-+              /*
-+               * If fixup_pi_state_owner() faulted and was unable to handle
-+               * the fault, unlock the rt_mutex and return the fault to
-+               * userspace.
-+               */
-+              if (ret && rt_mutex_owner(pi_mutex) == current)
-+                      rt_mutex_unlock(pi_mutex);
-+
-               /* Unqueue and drop the lock. */
-               unqueue_me_pi(&q);
-       }
--      /*
--       * If fixup_pi_state_owner() faulted and was unable to handle the
--       * fault, unlock the rt_mutex and return the fault to userspace.
--       */
--      if (ret == -EFAULT) {
--              if (pi_mutex && rt_mutex_owner(pi_mutex) == current)
--                      rt_mutex_unlock(pi_mutex);
--      } else if (ret == -EINTR) {
-+      if (ret == -EINTR) {
-               /*
-                * We've already been requeued, but cannot restart by calling
-                * futex_lock_pi() directly. We could restart this syscall, but
--- 
-2.12.2
-
-From 99d403faba47e5adeb11dbf1094972fc78c29a75 Mon Sep 17 00:00:00 2001
-From: Peter Zijlstra <peterz@infradead.org>
-Date: Sat, 4 Mar 2017 10:27:19 +0100
-Subject: [PATCH 101/251] futex: Add missing error handling to FUTEX_REQUEUE_PI
-Content-Length: 1361
-Lines: 38
-
-commit 9bbb25afeb182502ca4f2c4f3f88af0681b34cae upstream.
-
-Thomas spotted that fixup_pi_state_owner() can return errors and we
-fail to unlock the rt_mutex in that case.
-
-Reported-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
-Reviewed-by: Darren Hart <dvhart@linux.intel.com>
-Cc: juri.lelli@arm.com
-Cc: bigeasy@linutronix.de
-Cc: xlpang@redhat.com
-Cc: rostedt@goodmis.org
-Cc: mathieu.desnoyers@efficios.com
-Cc: jdesfossez@efficios.com
-Cc: dvhart@infradead.org
-Cc: bristot@redhat.com
-Link: http://lkml.kernel.org/r/20170304093558.867401760@infradead.org
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/futex.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/kernel/futex.c b/kernel/futex.c
-index 45170163a0b3..3057dabf726f 100644
---- a/kernel/futex.c
-+++ b/kernel/futex.c
-@@ -2773,6 +2773,8 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
-               if (q.pi_state && (q.pi_state->owner != current)) {
-                       spin_lock(q.lock_ptr);
-                       ret = fixup_pi_state_owner(uaddr2, &q, current);
-+                      if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current)
-+                              rt_mutex_unlock(&q.pi_state->pi_mutex);
-                       /*
-                        * Drop the reference to the pi state which
-                        * the requeue_pi() code acquired for us.
--- 
-2.12.2
-
 From 0136bca4e0f65075b0b4716a270f8b04c6c46abc Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 Date: Wed, 22 Mar 2017 12:17:51 +0100
@@ -3566,157 +3360,6 @@ index 9a5303c17de7..5724d7c41e29 100644
 -- 
 2.12.2
 
-From c78c3376ec6707f4e2177906928b12cb6cd8c5a9 Mon Sep 17 00:00:00 2001
-From: "Wang, Rui Y" <rui.y.wang@intel.com>
-Date: Sun, 29 Nov 2015 22:45:33 +0800
-Subject: [PATCH 105/251] crypto: ghash-clmulni - Fix load failure
-Content-Length: 2363
-Lines: 69
-
-commit 3a020a723c65eb8ffa7c237faca26521a024e582 upstream.
-
-ghash_clmulni_intel fails to load on Linux 4.3+ with the following message:
-"modprobe: ERROR: could not insert 'ghash_clmulni_intel': Invalid argument"
-
-After 8996eafdc ("crypto: ahash - ensure statesize is non-zero") all ahash
-drivers are required to implement import()/export(), and must have a non-
-zero statesize.
-
-This patch has been tested with the algif_hash interface. The calculated
-digest values, after several rounds of import()s and export()s, match those
-calculated by tcrypt.
-
-Signed-off-by: Rui Wang <rui.y.wang@intel.com>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Cc: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/crypto/ghash-clmulni-intel_glue.c | 26 ++++++++++++++++++++++++++
- 1 file changed, 26 insertions(+)
-
-diff --git a/arch/x86/crypto/ghash-clmulni-intel_glue.c b/arch/x86/crypto/ghash-clmulni-intel_glue.c
-index 440df0c7a2ee..a69321a77783 100644
---- a/arch/x86/crypto/ghash-clmulni-intel_glue.c
-+++ b/arch/x86/crypto/ghash-clmulni-intel_glue.c
-@@ -219,6 +219,29 @@ static int ghash_async_final(struct ahash_request *req)
-       }
- }
-+static int ghash_async_import(struct ahash_request *req, const void *in)
-+{
-+      struct ahash_request *cryptd_req = ahash_request_ctx(req);
-+      struct shash_desc *desc = cryptd_shash_desc(cryptd_req);
-+      struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
-+
-+      ghash_async_init(req);
-+      memcpy(dctx, in, sizeof(*dctx));
-+      return 0;
-+
-+}
-+
-+static int ghash_async_export(struct ahash_request *req, void *out)
-+{
-+      struct ahash_request *cryptd_req = ahash_request_ctx(req);
-+      struct shash_desc *desc = cryptd_shash_desc(cryptd_req);
-+      struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
-+
-+      memcpy(out, dctx, sizeof(*dctx));
-+      return 0;
-+
-+}
-+
- static int ghash_async_digest(struct ahash_request *req)
- {
-       struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
-@@ -288,8 +311,11 @@ static struct ahash_alg ghash_async_alg = {
-       .final          = ghash_async_final,
-       .setkey         = ghash_async_setkey,
-       .digest         = ghash_async_digest,
-+      .export         = ghash_async_export,
-+      .import         = ghash_async_import,
-       .halg = {
-               .digestsize     = GHASH_DIGEST_SIZE,
-+              .statesize = sizeof(struct ghash_desc_ctx),
-               .base = {
-                       .cra_name               = "ghash",
-                       .cra_driver_name        = "ghash-clmulni",
--- 
-2.12.2
-
-From 10659b8f5c600e642d0f1cadbbf83c739ac0c739 Mon Sep 17 00:00:00 2001
-From: "Wang, Rui Y" <rui.y.wang@intel.com>
-Date: Sun, 29 Nov 2015 22:45:34 +0800
-Subject: [PATCH 106/251] crypto: cryptd - Assign statesize properly
-Content-Length: 1078
-Lines: 30
-
-commit 1a07834024dfca5c4bed5de8f8714306e0a11836 upstream.
-
-cryptd_create_hash() fails by returning -EINVAL.  It is because after
-8996eafdc ("crypto: ahash - ensure statesize is non-zero") all ahash
-drivers must have a non-zero statesize.
-
-This patch fixes the problem by properly assigning the statesize.
-
-Signed-off-by: Rui Wang <rui.y.wang@intel.com>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Cc: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- crypto/cryptd.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/crypto/cryptd.c b/crypto/cryptd.c
-index e7aa904cb20b..26a504db3f53 100644
---- a/crypto/cryptd.c
-+++ b/crypto/cryptd.c
-@@ -642,6 +642,7 @@ static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
-       inst->alg.halg.base.cra_flags = type;
-       inst->alg.halg.digestsize = salg->digestsize;
-+      inst->alg.halg.statesize = salg->statesize;
-       inst->alg.halg.base.cra_ctxsize = sizeof(struct cryptd_hash_ctx);
-       inst->alg.halg.base.cra_init = cryptd_hash_init_tfm;
--- 
-2.12.2
-
-From f8c07cbc2e72a7e26bff8c5823f6e045eeeb4e16 Mon Sep 17 00:00:00 2001
-From: "Wang, Rui Y" <rui.y.wang@intel.com>
-Date: Wed, 27 Jan 2016 17:08:36 +0800
-Subject: [PATCH 107/251] crypto: mcryptd - Fix load failure
-Content-Length: 994
-Lines: 28
-
-commit ddef482420b1ba8ec45e6123a7e8d3f67b21e5e3 upstream.
-
-mcryptd_create_hash() fails by returning -EINVAL, causing any
-driver using mcryptd to fail to load. It is because it needs
-to set its statesize properly.
-
-Signed-off-by: Rui Wang <rui.y.wang@intel.com>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Cc: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- crypto/mcryptd.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/crypto/mcryptd.c b/crypto/mcryptd.c
-index a0ceb41d5ccc..b4f3930266b1 100644
---- a/crypto/mcryptd.c
-+++ b/crypto/mcryptd.c
-@@ -531,6 +531,7 @@ static int mcryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
-       inst->alg.halg.base.cra_flags = type;
-       inst->alg.halg.digestsize = salg->digestsize;
-+      inst->alg.halg.statesize = salg->statesize;
-       inst->alg.halg.base.cra_ctxsize = sizeof(struct mcryptd_hash_ctx);
-       inst->alg.halg.base.cra_init = mcryptd_hash_init_tfm;
--- 
-2.12.2
-
 From 12e1a3cd11ea373143e957cf9698a26a4e43f4a6 Mon Sep 17 00:00:00 2001
 From: "Manoj N. Kumar" <manoj@linux.vnet.ibm.com>
 Date: Fri, 4 Mar 2016 15:55:20 -0600
@@ -10906,81 +10549,6 @@ index 6e92917ba77a..4e3c78d88832 100644
 -- 
 2.12.2
 
-From f8a62dbc790239d9cb8bb8757f43a9d2e09f747c Mon Sep 17 00:00:00 2001
-From: Jiri Slaby <jslaby@suse.cz>
-Date: Thu, 15 Dec 2016 14:31:01 +0100
-Subject: [PATCH 208/251] crypto: algif_hash - avoid zero-sized array
-Content-Length: 2519
-Lines: 67
-
-commit 6207119444595d287b1e9e83a2066c17209698f3 upstream.
-
-With this reproducer:
-  struct sockaddr_alg alg = {
-          .salg_family = 0x26,
-          .salg_type = "hash",
-          .salg_feat = 0xf,
-          .salg_mask = 0x5,
-          .salg_name = "digest_null",
-  };
-  int sock, sock2;
-
-  sock = socket(AF_ALG, SOCK_SEQPACKET, 0);
-  bind(sock, (struct sockaddr *)&alg, sizeof(alg));
-  sock2 = accept(sock, NULL, NULL);
-  setsockopt(sock, SOL_ALG, ALG_SET_KEY, "\x9b\xca", 2);
-  accept(sock2, NULL, NULL);
-
-==== 8< ======== 8< ======== 8< ======== 8< ====
-
-one can immediatelly see an UBSAN warning:
-UBSAN: Undefined behaviour in crypto/algif_hash.c:187:7
-variable length array bound value 0 <= 0
-CPU: 0 PID: 15949 Comm: syz-executor Tainted: G            E      4.4.30-0-default #1
-...
-Call Trace:
-...
- [<ffffffff81d598fd>] ? __ubsan_handle_vla_bound_not_positive+0x13d/0x188
- [<ffffffff81d597c0>] ? __ubsan_handle_out_of_bounds+0x1bc/0x1bc
- [<ffffffffa0e2204d>] ? hash_accept+0x5bd/0x7d0 [algif_hash]
- [<ffffffffa0e2293f>] ? hash_accept_nokey+0x3f/0x51 [algif_hash]
- [<ffffffffa0e206b0>] ? hash_accept_parent_nokey+0x4a0/0x4a0 [algif_hash]
- [<ffffffff8235c42b>] ? SyS_accept+0x2b/0x40
-
-It is a correct warning, as hash state is propagated to accept as zero,
-but creating a zero-length variable array is not allowed in C.
-
-Fix this as proposed by Herbert -- do "?: 1" on that site. No sizeof or
-similar happens in the code there, so we just allocate one byte even
-though we do not use the array.
-
-Signed-off-by: Jiri Slaby <jslaby@suse.cz>
-Cc: Herbert Xu <herbert@gondor.apana.org.au>
-Cc: "David S. Miller" <davem@davemloft.net> (maintainer:CRYPTO API)
-Reported-by: Sasha Levin <sasha.levin@oracle.com>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Cc: Arnd Bergmann <arnd@arndb.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- crypto/algif_hash.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
-index 68a5ceaa04c8..8d8b3eeba725 100644
---- a/crypto/algif_hash.c
-+++ b/crypto/algif_hash.c
-@@ -184,7 +184,7 @@ static int hash_accept(struct socket *sock, struct socket *newsock, int flags)
-       struct alg_sock *ask = alg_sk(sk);
-       struct hash_ctx *ctx = ask->private;
-       struct ahash_request *req = &ctx->req;
--      char state[crypto_ahash_statesize(crypto_ahash_reqtfm(req))];
-+      char state[crypto_ahash_statesize(crypto_ahash_reqtfm(req)) ? : 1];
-       struct sock *sk2;
-       struct alg_sock *ask2;
-       struct hash_ctx *ctx2;
--- 
-2.12.2
-
 From 0a5766a6a73b1eb6a0dfa74adc40272e555ac2f0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 Date: Thu, 30 Mar 2017 09:36:33 +0200
index 688911e4c8331a49d7bf34fea466dd0d259b18c3..d22f6e0ff83863b1bdb8758a2647603c35787407 100644 (file)
@@ -112,3 +112,9 @@ usb-hub-wait-for-connection-to-be-reestablished-after-port-reset.patch
 net-mlx4_en-fix-bad-wqe-issue.patch
 net-mlx4_core-fix-racy-cq-completion-queue-free.patch
 net-mlx4_core-fix-when-to-save-some-qp-context-flags-for-dynamic-vst-to-vgt-transitions.patch
+futex-fix-potential-use-after-free-in-futex_requeue_pi.patch
+futex-add-missing-error-handling-to-futex_requeue_pi.patch
+crypto-cryptd-assign-statesize-properly.patch
+crypto-mcryptd-fix-load-failure.patch
+crypto-algif_hash-avoid-zero-sized-array.patch
+crypto-ghash-clmulni-fix-load-failure.patch