5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 30 Jan 2020 14:44:54 +0000 (15:44 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 30 Jan 2020 14:44:54 +0000 (15:44 +0100)
added patches:
crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch
crypto-caam-do-not-reset-pointer-size-from-mcfgr-register.patch
crypto-pcrypt-fix-user-after-free-on-module-unload.patch
crypto-vmx-reject-xts-inputs-that-are-too-short.patch
rsi-fix-memory-leak-on-failed-urb-submission.patch
rsi-fix-non-atomic-allocation-in-completion-handler.patch
rsi-fix-use-after-free-on-failed-probe-and-unbind.patch
rsi-fix-use-after-free-on-probe-errors.patch

queue-5.4/crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch [new file with mode: 0644]
queue-5.4/crypto-caam-do-not-reset-pointer-size-from-mcfgr-register.patch [new file with mode: 0644]
queue-5.4/crypto-pcrypt-fix-user-after-free-on-module-unload.patch [new file with mode: 0644]
queue-5.4/crypto-vmx-reject-xts-inputs-that-are-too-short.patch [new file with mode: 0644]
queue-5.4/rsi-fix-memory-leak-on-failed-urb-submission.patch [new file with mode: 0644]
queue-5.4/rsi-fix-non-atomic-allocation-in-completion-handler.patch [new file with mode: 0644]
queue-5.4/rsi-fix-use-after-free-on-failed-probe-and-unbind.patch [new file with mode: 0644]
queue-5.4/rsi-fix-use-after-free-on-probe-errors.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch b/queue-5.4/crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch
new file mode 100644 (file)
index 0000000..af6a612
--- /dev/null
@@ -0,0 +1,43 @@
+From 37f96694cf73ba116993a9d2d99ad6a75fa7fdb0 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Thu, 5 Dec 2019 13:45:05 +0800
+Subject: crypto: af_alg - Use bh_lock_sock in sk_destruct
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 37f96694cf73ba116993a9d2d99ad6a75fa7fdb0 upstream.
+
+As af_alg_release_parent may be called from BH context (most notably
+due to an async request that only completes after socket closure,
+or as reported here because of an RCU-delayed sk_destruct call), we
+must use bh_lock_sock instead of lock_sock.
+
+Reported-by: syzbot+c2f1558d49e25cc36e5e@syzkaller.appspotmail.com
+Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
+Fixes: c840ac6af3f8 ("crypto: af_alg - Disallow bind/setkey/...")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/af_alg.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -134,11 +134,13 @@ void af_alg_release_parent(struct sock *
+       sk = ask->parent;
+       ask = alg_sk(sk);
+-      lock_sock(sk);
++      local_bh_disable();
++      bh_lock_sock(sk);
+       ask->nokey_refcnt -= nokey;
+       if (!last)
+               last = !--ask->refcnt;
+-      release_sock(sk);
++      bh_unlock_sock(sk);
++      local_bh_enable();
+       if (last)
+               sock_put(sk);
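Review bot: In af_alg_release_parent(), the new `bh_lock_sock(sk)` takes only the socket spinlock and does not wait for a process-context owner that holds the socket through `lock_sock()`, so the `ask->refcnt` and `ask->nokey_refcnt` updates are no longer serialized against such an owner. If other paths read or modify these counters under `lock_sock()` (not visible in this hunk), a concurrent update of `refcnt` could let the parent be released while it is still in use. Either confirm that no such path exists or make the two counters atomic; at minimum add a comment above the lock such as `/* bh_lock_sock() does not exclude lock_sock() owners */`. The function body starts and ends outside the hunk.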
diff --git a/queue-5.4/crypto-caam-do-not-reset-pointer-size-from-mcfgr-register.patch b/queue-5.4/crypto-caam-do-not-reset-pointer-size-from-mcfgr-register.patch
new file mode 100644 (file)
index 0000000..2e2150c
--- /dev/null
@@ -0,0 +1,46 @@
+From 7278fa25aa0ebcc0e62c39b12071069df13f7e77 Mon Sep 17 00:00:00 2001
+From: Iuliana Prodan <iuliana.prodan@nxp.com>
+Date: Wed, 27 Nov 2019 00:54:26 +0200
+Subject: crypto: caam - do not reset pointer size from MCFGR register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Iuliana Prodan <iuliana.prodan@nxp.com>
+
+commit 7278fa25aa0ebcc0e62c39b12071069df13f7e77 upstream.
+
+In commit 'a1cf573ee95 ("crypto: caam - select DMA address size at runtime")'
+CAAM pointer size (caam_ptr_size) is changed from
+sizeof(dma_addr_t) to runtime value computed from MCFGR register.
+Therefore, do not reset MCFGR[PS].
+
+Fixes: a1cf573ee95 ("crypto: caam - select DMA address size at runtime")
+Signed-off-by: Iuliana Prodan <iuliana.prodan@nxp.com>
+Cc: <stable@vger.kernel.org>
+Cc: Andrey Smirnov <andrew.smirnov@gmail.com>
+Cc: Alison Wang <alison.wang@nxp.com>
+Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/caam/ctrl.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/caam/ctrl.c
++++ b/drivers/crypto/caam/ctrl.c
+@@ -685,11 +685,9 @@ static int caam_probe(struct platform_de
+       of_node_put(np);
+       if (!ctrlpriv->mc_en)
+-              clrsetbits_32(&ctrl->mcr, MCFGR_AWCACHE_MASK | MCFGR_LONG_PTR,
++              clrsetbits_32(&ctrl->mcr, MCFGR_AWCACHE_MASK,
+                             MCFGR_AWCACHE_CACH | MCFGR_AWCACHE_BUFF |
+-                            MCFGR_WDENABLE | MCFGR_LARGE_BURST |
+-                            (sizeof(dma_addr_t) == sizeof(u64) ?
+-                             MCFGR_LONG_PTR : 0));
++                            MCFGR_WDENABLE | MCFGR_LARGE_BURST);
+       handle_imx6_err005766(&ctrl->mcr);
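Review bot: The `clrsetbits_32()` call in caam_probe() now leaves MCFGR[PS] untouched, but nothing at the call site says this is deliberate, so a later cleanup could easily put `MCFGR_LONG_PTR` back into the mask. A one-line comment above the call would record the constraint from the commit message: `/* Leave MCFGR[PS] alone: caam_ptr_size is derived from it at runtime */`. caam_probe() begins and ends outside the hunk.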
diff --git a/queue-5.4/crypto-pcrypt-fix-user-after-free-on-module-unload.patch b/queue-5.4/crypto-pcrypt-fix-user-after-free-on-module-unload.patch
new file mode 100644 (file)
index 0000000..eedf564
--- /dev/null
@@ -0,0 +1,39 @@
+From 07bfd9bdf568a38d9440c607b72342036011f727 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 19 Nov 2019 17:41:31 +0800
+Subject: crypto: pcrypt - Fix user-after-free on module unload
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 07bfd9bdf568a38d9440c607b72342036011f727 upstream.
+
+On module unload of pcrypt we must unregister the crypto algorithms
+first and then tear down the padata structure.  As otherwise the
+crypto algorithms are still alive and can be used while the padata
+structure is being freed.
+
+Fixes: 5068c7a883d1 ("crypto: pcrypt - Add pcrypt crypto...")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/pcrypt.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/crypto/pcrypt.c
++++ b/crypto/pcrypt.c
+@@ -362,11 +362,12 @@ err:
+ static void __exit pcrypt_exit(void)
+ {
++      crypto_unregister_template(&pcrypt_tmpl);
++
+       pcrypt_fini_padata(pencrypt);
+       pcrypt_fini_padata(pdecrypt);
+       kset_unregister(pcrypt_kset);
+-      crypto_unregister_template(&pcrypt_tmpl);
+ }
+ subsys_initcall(pcrypt_init);
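Review bot: The teardown order in pcrypt_exit() is now load-bearing, yet the function has no comment explaining why `crypto_unregister_template()` must run before `pcrypt_fini_padata()`. The previous order caused the use-after-free described in the commit message, so the ordering should be documented where the next person to touch the function will see it. I would add `/* Unregister the template first so the algorithms can no longer be used while padata is freed */` above the call.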
diff --git a/queue-5.4/crypto-vmx-reject-xts-inputs-that-are-too-short.patch b/queue-5.4/crypto-vmx-reject-xts-inputs-that-are-too-short.patch
new file mode 100644 (file)
index 0000000..273c053
--- /dev/null
@@ -0,0 +1,49 @@
+From 1372a51b88fa0d5a8ed2803e4975c98da3f08463 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Wed, 8 Jan 2020 16:06:46 +1100
+Subject: crypto: vmx - reject xts inputs that are too short
+
+From: Daniel Axtens <dja@axtens.net>
+
+commit 1372a51b88fa0d5a8ed2803e4975c98da3f08463 upstream.
+
+When the kernel XTS implementation was extended to deal with ciphertext
+stealing in commit 8083b1bf8163 ("crypto: xts - add support for ciphertext
+stealing"), a check was added to reject inputs that were too short.
+
+However, in the vmx enablement - commit 239668419349 ("crypto: vmx/xts -
+use fallback for ciphertext stealing"), that check wasn't added to the
+vmx implementation. This disparity leads to errors like the following:
+
+alg: skcipher: p8_aes_xts encryption unexpectedly succeeded on test vector "random: len=0 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_finup src_divs=[<flush>66.99%@+10, 33.1%@alignmask+1155]"
+
+Return -EINVAL if asked to operate with a cryptlen smaller than the AES
+block size. This brings vmx in line with the generic implementation.
+
+Reported-by: Erhard Furtner <erhard_f@mailbox.org>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=206049
+Fixes: 239668419349 ("crypto: vmx/xts - use fallback for ciphertext stealing")
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: stable@vger.kernel.org # v5.4+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+[dja: commit message]
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/vmx/aes_xts.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/crypto/vmx/aes_xts.c
++++ b/drivers/crypto/vmx/aes_xts.c
+@@ -84,6 +84,9 @@ static int p8_aes_xts_crypt(struct skcip
+       u8 tweak[AES_BLOCK_SIZE];
+       int ret;
++      if (req->cryptlen < AES_BLOCK_SIZE)
++              return -EINVAL;
++
+       if (!crypto_simd_usable() || (req->cryptlen % XTS_BLOCK_SIZE) != 0) {
+               struct skcipher_request *subreq = skcipher_request_ctx(req);
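Review bot: The new length check in p8_aes_xts_crypt() compares against `AES_BLOCK_SIZE`, while the very next condition uses `XTS_BLOCK_SIZE` for the same `req->cryptlen`. The two constants are presumably equal, so behaviour does not change, but using one constant keeps the minimum-length rule and the partial-block rule visibly tied together: `if (req->cryptlen < XTS_BLOCK_SIZE)`. The function continues outside the hunk.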
diff --git a/queue-5.4/rsi-fix-memory-leak-on-failed-urb-submission.patch b/queue-5.4/rsi-fix-memory-leak-on-failed-urb-submission.patch
new file mode 100644 (file)
index 0000000..eb63d28
--- /dev/null
@@ -0,0 +1,37 @@
+From 47768297481184932844ab01a86752ba31a38861 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 28 Nov 2019 18:22:02 +0100
+Subject: rsi: fix memory leak on failed URB submission
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 47768297481184932844ab01a86752ba31a38861 upstream.
+
+Make sure to free the skb on failed receive-URB submission (e.g. on
+disconnect or currently also due to a missing endpoint).
+
+Fixes: a1854fae1414 ("rsi: improve RX packet handling in USB interface")
+Cc: stable <stable@vger.kernel.org>     # 4.17
+Cc: Prameela Rani Garnepudi <prameela.j04cs@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -338,8 +338,10 @@ static int rsi_rx_urb_submit(struct rsi_
+                         rx_cb);
+       status = usb_submit_urb(urb, GFP_KERNEL);
+-      if (status)
++      if (status) {
+               rsi_dbg(ERR_ZONE, "%s: Failed in urb submission\n", __func__);
++              dev_kfree_skb(skb);
++      }
+       return status;
+ }
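Review bot: After the added `dev_kfree_skb(skb)` in rsi_rx_urb_submit(), any pointer to that skb stored earlier in the function would be left dangling. The start of the function is outside this hunk, so whether `rx_cb->rx_skb` was already set to `skb` cannot be confirmed here. If it was, a caller that later frees `rx_cb->rx_skb` on its own error path would release the buffer a second time. Clearing the stored reference right after the free, e.g. `rx_cb->rx_skb = NULL;`, would make the failure path safe. The callers' error handling should be checked against this.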
diff --git a/queue-5.4/rsi-fix-non-atomic-allocation-in-completion-handler.patch b/queue-5.4/rsi-fix-non-atomic-allocation-in-completion-handler.patch
new file mode 100644 (file)
index 0000000..63cb2ed
--- /dev/null
@@ -0,0 +1,84 @@
+From b9b9f9fea21830f85cf0148cd8dce001ae55ead1 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 28 Nov 2019 18:22:03 +0100
+Subject: rsi: fix non-atomic allocation in completion handler
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b9b9f9fea21830f85cf0148cd8dce001ae55ead1 upstream.
+
+USB completion handlers are called in atomic context and must
+specifically not allocate memory using GFP_KERNEL.
+
+Fixes: a1854fae1414 ("rsi: improve RX packet handling in USB interface")
+Cc: stable <stable@vger.kernel.org> # 4.17
+Cc: Prameela Rani Garnepudi <prameela.j04cs@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -16,6 +16,7 @@
+  */
+ #include <linux/module.h>
++#include <linux/types.h>
+ #include <net/rsi_91x.h>
+ #include "rsi_usb.h"
+ #include "rsi_hal.h"
+@@ -29,7 +30,7 @@ MODULE_PARM_DESC(dev_oper_mode,
+                "9[Wi-Fi STA + BT LE], 13[Wi-Fi STA + BT classic + BT LE]\n"
+                "6[AP + BT classic], 14[AP + BT classic + BT LE]");
+-static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num);
++static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num, gfp_t flags);
+ /**
+  * rsi_usb_card_write() - This function writes to the USB Card.
+@@ -285,7 +286,7 @@ static void rsi_rx_done_handler(struct u
+       status = 0;
+ out:
+-      if (rsi_rx_urb_submit(dev->priv, rx_cb->ep_num))
++      if (rsi_rx_urb_submit(dev->priv, rx_cb->ep_num, GFP_ATOMIC))
+               rsi_dbg(ERR_ZONE, "%s: Failed in urb submission", __func__);
+       if (status)
+@@ -307,7 +308,7 @@ static void rsi_rx_urb_kill(struct rsi_h
+  *
+  * Return: 0 on success, a negative error code on failure.
+  */
+-static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num)
++static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num, gfp_t mem_flags)
+ {
+       struct rsi_91x_usbdev *dev = (struct rsi_91x_usbdev *)adapter->rsi_dev;
+       struct rx_usb_ctrl_block *rx_cb = &dev->rx_cb[ep_num - 1];
+@@ -337,7 +338,7 @@ static int rsi_rx_urb_submit(struct rsi_
+                         rsi_rx_done_handler,
+                         rx_cb);
+-      status = usb_submit_urb(urb, GFP_KERNEL);
++      status = usb_submit_urb(urb, mem_flags);
+       if (status) {
+               rsi_dbg(ERR_ZONE, "%s: Failed in urb submission\n", __func__);
+               dev_kfree_skb(skb);
+@@ -827,12 +828,12 @@ static int rsi_probe(struct usb_interfac
+               rsi_dbg(INIT_ZONE, "%s: Device Init Done\n", __func__);
+       }
+-      status = rsi_rx_urb_submit(adapter, WLAN_EP);
++      status = rsi_rx_urb_submit(adapter, WLAN_EP, GFP_KERNEL);
+       if (status)
+               goto err1;
+       if (adapter->priv->coex_mode > 1) {
+-              status = rsi_rx_urb_submit(adapter, BT_EP);
++              status = rsi_rx_urb_submit(adapter, BT_EP, GFP_KERNEL);
+               if (status)
+                       goto err_kill_wlan_urb;
+       }
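Review bot: The forward declaration of rsi_rx_urb_submit() names the new parameter `flags` while the definition names it `mem_flags`; the two should match, e.g. `static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num, gfp_t mem_flags);`. The kernel-doc above the definition is only partly visible, but the hunk adds no `@mem_flags:` line to it, so an entry such as ` * @mem_flags: The type of memory to allocate.` is probably missing as well. That comment should also state that callers in atomic context, such as rsi_rx_done_handler(), must pass `GFP_ATOMIC`.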
diff --git a/queue-5.4/rsi-fix-use-after-free-on-failed-probe-and-unbind.patch b/queue-5.4/rsi-fix-use-after-free-on-failed-probe-and-unbind.patch
new file mode 100644 (file)
index 0000000..3656298
--- /dev/null
@@ -0,0 +1,72 @@
+From e93cd35101b61e4c79149be2cfc927c4b28dc60c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 28 Nov 2019 18:22:00 +0100
+Subject: rsi: fix use-after-free on failed probe and unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit e93cd35101b61e4c79149be2cfc927c4b28dc60c upstream.
+
+Make sure to stop both URBs before returning after failed probe as well
+as on disconnect to avoid use-after-free in the completion handler.
+
+Reported-by: syzbot+b563b7f8dbe8223a51e8@syzkaller.appspotmail.com
+Fixes: a4302bff28e2 ("rsi: add bluetooth rx endpoint")
+Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
+Cc: stable <stable@vger.kernel.org>     # 3.15
+Cc: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>
+Cc: Prameela Rani Garnepudi <prameela.j04cs@gmail.com>
+Cc: Amitkumar Karwar <amit.karwar@redpinesignals.com>
+Cc: Fariya Fatima <fariyaf@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c |   18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -292,6 +292,15 @@ out:
+               dev_kfree_skb(rx_cb->rx_skb);
+ }
++static void rsi_rx_urb_kill(struct rsi_hw *adapter, u8 ep_num)
++{
++      struct rsi_91x_usbdev *dev = (struct rsi_91x_usbdev *)adapter->rsi_dev;
++      struct rx_usb_ctrl_block *rx_cb = &dev->rx_cb[ep_num - 1];
++      struct urb *urb = rx_cb->rx_urb;
++
++      usb_kill_urb(urb);
++}
++
+ /**
+  * rsi_rx_urb_submit() - This function submits the given URB to the USB stack.
+  * @adapter: Pointer to the adapter structure.
+@@ -823,10 +832,13 @@ static int rsi_probe(struct usb_interfac
+       if (adapter->priv->coex_mode > 1) {
+               status = rsi_rx_urb_submit(adapter, BT_EP);
+               if (status)
+-                      goto err1;
++                      goto err_kill_wlan_urb;
+       }
+       return 0;
++
++err_kill_wlan_urb:
++      rsi_rx_urb_kill(adapter, WLAN_EP);
+ err1:
+       rsi_deinit_usb_interface(adapter);
+ err:
+@@ -857,6 +869,10 @@ static void rsi_disconnect(struct usb_in
+               adapter->priv->bt_adapter = NULL;
+       }
++      if (adapter->priv->coex_mode > 1)
++              rsi_rx_urb_kill(adapter, BT_EP);
++      rsi_rx_urb_kill(adapter, WLAN_EP);
++
+       rsi_reset_card(adapter);
+       rsi_deinit_usb_interface(adapter);
+       rsi_91x_deinit(adapter);
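Review bot: The new helper rsi_rx_urb_kill() has no kernel-doc, unlike rsi_rx_urb_submit() directly below it. I would add a short comment block giving `@adapter` and `@ep_num` and stating that it cancels the endpoint's RX URB through usb_kill_urb(). Because usb_kill_urb() may sleep, the comment should say the helper must not be called from the completion handler or any other atomic context. It should also note that `ep_num` indexes `dev->rx_cb` as `ep_num - 1` without a range check, so callers are expected to pass only `WLAN_EP` or `BT_EP`.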
diff --git a/queue-5.4/rsi-fix-use-after-free-on-probe-errors.patch b/queue-5.4/rsi-fix-use-after-free-on-probe-errors.patch
new file mode 100644 (file)
index 0000000..ac101a1
--- /dev/null
@@ -0,0 +1,73 @@
+From 92aafe77123ab478e5f5095878856ab0424910da Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 28 Nov 2019 18:22:01 +0100
+Subject: rsi: fix use-after-free on probe errors
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 92aafe77123ab478e5f5095878856ab0424910da upstream.
+
+The driver would fail to stop the command timer in most error paths,
+something which specifically could lead to the timer being freed while
+still active on I/O errors during probe.
+
+Fix this by making sure that each function starting the timer also stops
+it in all relevant error paths.
+
+Reported-by: syzbot+1d1597a5aa3679c65b9f@syzkaller.appspotmail.com
+Fixes: b78e91bcfb33 ("rsi: Add new firmware loading method")
+Cc: stable <stable@vger.kernel.org>     # 4.12
+Cc: Prameela Rani Garnepudi <prameela.j04cs@gmail.com>
+Cc: Amitkumar Karwar <amit.karwar@redpinesignals.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rsi/rsi_91x_hal.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_hal.c
++++ b/drivers/net/wireless/rsi/rsi_91x_hal.c
+@@ -622,6 +622,7 @@ static int bl_cmd(struct rsi_hw *adapter
+       bl_start_cmd_timer(adapter, timeout);
+       status = bl_write_cmd(adapter, cmd, exp_resp, &regout_val);
+       if (status < 0) {
++              bl_stop_cmd_timer(adapter);
+               rsi_dbg(ERR_ZONE,
+                       "%s: Command %s (%0x) writing failed..\n",
+                       __func__, str, cmd);
+@@ -737,10 +738,9 @@ static int ping_pong_write(struct rsi_hw
+       }
+       status = bl_cmd(adapter, cmd_req, cmd_resp, str);
+-      if (status) {
+-              bl_stop_cmd_timer(adapter);
++      if (status)
+               return status;
+-      }
++
+       return 0;
+ }
+@@ -828,10 +828,9 @@ static int auto_fw_upgrade(struct rsi_hw
+       status = bl_cmd(adapter, EOF_REACHED, FW_LOADING_SUCCESSFUL,
+                       "EOF_REACHED");
+-      if (status) {
+-              bl_stop_cmd_timer(adapter);
++      if (status)
+               return status;
+-      }
++
+       rsi_dbg(INFO_ZONE, "FW loading is done and FW is running..\n");
+       return 0;
+ }
+@@ -849,6 +848,7 @@ static int rsi_hal_prepare_fwload(struct
+                                                 &regout_val,
+                                                 RSI_COMMON_REG_SIZE);
+               if (status < 0) {
++                      bl_stop_cmd_timer(adapter);
+                       rsi_dbg(ERR_ZONE,
+                               "%s: REGOUT read failed\n", __func__);
+                       return status;
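Review bot: With `bl_stop_cmd_timer()` moved into bl_cmd(), the tail of ping_pong_write() is now `if (status) return status;` followed by `return 0;`, which is a long way of returning `status`. It could be reduced to `return bl_cmd(adapter, cmd_req, cmd_resp, str);`. Separately, stopping the timer is now the responsibility of each function that starts it, so a short comment saying so at the `bl_start_cmd_timer()` call in bl_cmd() would help future error paths keep that pairing. bl_cmd() and rsi_hal_prepare_fwload() both continue outside their hunks, so their remaining error paths cannot be checked from here.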
index da9b63fc7819992cebf469cc4dc1052474f7b9db..addcc69790a253829b08abfccb073361a25dddab 100644 (file)
@@ -97,3 +97,11 @@ alsa-hda-realtek-move-some-alc236-pintbls-to-fallbac.patch
 bluetooth-allow-combination-of-bdaddr_property-and-i.patch
 bluetooth-btbcm-use-the-bdaddr_property-quirk.patch
 bus-ti-sysc-fix-missing-force-mstandby-quirk-handlin.patch
+rsi-fix-use-after-free-on-failed-probe-and-unbind.patch
+rsi-fix-use-after-free-on-probe-errors.patch
+rsi-fix-memory-leak-on-failed-urb-submission.patch
+rsi-fix-non-atomic-allocation-in-completion-handler.patch
+crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch
+crypto-vmx-reject-xts-inputs-that-are-too-short.patch
+crypto-caam-do-not-reset-pointer-size-from-mcfgr-register.patch
+crypto-pcrypt-fix-user-after-free-on-module-unload.patch