3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 1 May 2016 22:59:15 +0000 (15:59 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 1 May 2016 22:59:15 +0000 (15:59 -0700)
added patches:
crypto-ccp-prevent-information-leakage-on-export.patch
crypto-gcm-fix-rfc4543-decryption-crash.patch
input-gtco-fix-crash-on-detecting-device-without-endpoints.patch
nl80211-check-netlink-protocol-in-socket-release-notification.patch
pinctrl-single-fix-pcs_parse_bits_in_pinctrl_entry-to-use-__ffs-than-ffs.patch

queue-3.14/crypto-ccp-prevent-information-leakage-on-export.patch [new file with mode: 0644]
queue-3.14/crypto-gcm-fix-rfc4543-decryption-crash.patch [new file with mode: 0644]
queue-3.14/input-gtco-fix-crash-on-detecting-device-without-endpoints.patch [new file with mode: 0644]
queue-3.14/nl80211-check-netlink-protocol-in-socket-release-notification.patch [new file with mode: 0644]
queue-3.14/pinctrl-single-fix-pcs_parse_bits_in_pinctrl_entry-to-use-__ffs-than-ffs.patch [new file with mode: 0644]
queue-3.14/series

diff --git a/queue-3.14/crypto-ccp-prevent-information-leakage-on-export.patch b/queue-3.14/crypto-ccp-prevent-information-leakage-on-export.patch
new file mode 100644 (file)
index 0000000..25dbc71
--- /dev/null
@@ -0,0 +1,48 @@
+From f709b45ec461b548c41a00044dba1f1b572783bf Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Wed, 13 Apr 2016 10:52:25 -0500
+Subject: crypto: ccp - Prevent information leakage on export
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+commit f709b45ec461b548c41a00044dba1f1b572783bf upstream.
+
+Prevent information from leaking to userspace by doing a memset to 0 of
+the export state structure before setting the structure values and copying
+it. This prevents un-initialized padding areas from being copied into the
+export area.
+
+Reported-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccp/ccp-crypto-aes-cmac.c |    3 +++
+ drivers/crypto/ccp/ccp-crypto-sha.c      |    3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c
++++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c
+@@ -206,6 +206,9 @@ static int ccp_aes_cmac_export(struct ah
+       struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req);
+       struct ccp_aes_cmac_exp_ctx state;
++      /* Don't let anything leak to 'out' */
++      memset(&state, 0, sizeof(state));
++
+       state.null_msg = rctx->null_msg;
+       memcpy(state.iv, rctx->iv, sizeof(state.iv));
+       state.buf_count = rctx->buf_count;
+--- a/drivers/crypto/ccp/ccp-crypto-sha.c
++++ b/drivers/crypto/ccp/ccp-crypto-sha.c
+@@ -262,6 +262,9 @@ static int ccp_sha_export(struct ahash_r
+       struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req);
+       struct ccp_sha_exp_ctx state;
++      /* Don't let anything leak to 'out' */
++      memset(&state, 0, sizeof(state));
++
+       state.type = rctx->type;
+       state.msg_bits = rctx->msg_bits;
+       state.first = rctx->first;
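Review bot: The comment added before both memset() calls (in ccp_aes_cmac_export and ccp_sha_export) says only that nothing should leak to 'out', without naming what would leak. Going by the patch description, that is the padding in the on-stack `state` structure, which the field-by-field assignments never touch. A wording such as `/* Zero the whole struct, padding included, before it is copied to 'out' */` would keep the reason visible to anyone who later adds a field or is tempted to replace the memset with an `= { 0 }` initializer, which need not clear padding. Both function bodies continue outside the hunks, so the copy to 'out' is not visible here.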
diff --git a/queue-3.14/crypto-gcm-fix-rfc4543-decryption-crash.patch b/queue-3.14/crypto-gcm-fix-rfc4543-decryption-crash.patch
new file mode 100644 (file)
index 0000000..2d0a1ab
--- /dev/null
@@ -0,0 +1,41 @@
+From herbert@gondor.apana.org.au  Sun May  1 15:39:20 2016
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 18 Mar 2016 22:42:40 +0800
+Subject: crypto: gcm - Fix rfc4543 decryption crash
+To: stable@vger.kernel.org, Linux Crypto Mailing List <linux-crypto@vger.kernel.org>, Jussi Kivilinna <jussi.kivilinna@iki.fi>, patrick.meyer@vasgard.com
+Message-ID: <20160318144240.GA20816@gondor.apana.org.au>
+Content-Disposition: inline
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+This bug has already bee fixed upstream since 4.2.  However, it
+was fixed during the AEAD conversion so no fix was backported to
+the older kernels.
+
+When we do an RFC 4543 decryption, we will end up writing the
+ICV beyond the end of the dst buffer.  This should lead to a
+crash but for some reason it was never noticed.
+
+This patch fixes it by only writing back the ICV for encryption.
+
+Fixes: d733ac90f9fe ("crypto: gcm - fix rfc4543 to handle async...")
+Reported-by: Patrick Meyer <patrick.meyer@vasgard.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/gcm.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/crypto/gcm.c
++++ b/crypto/gcm.c
+@@ -1173,6 +1173,9 @@ static struct aead_request *crypto_rfc45
+       aead_request_set_tfm(subreq, ctx->child);
+       aead_request_set_callback(subreq, req->base.flags, crypto_rfc4543_done,
+                                 req);
++      if (!enc)
++              aead_request_set_callback(subreq, req->base.flags,
++                                        req->base.complete, req->base.data);
+       aead_request_set_crypt(subreq, cipher, cipher, enc ? 0 : authsize, iv);
+       aead_request_set_assoc(subreq, assoc, assoclen);
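Review bot: The added `if (!enc)` branch overrides the callback set on the line just above it, with no comment saying why decryption must bypass crypto_rfc4543_done. Going by the patch description, that handler writes the ICV back to dst, which on decryption lands beyond the end of the buffer. A comment such as `/* Decryption has no ICV to write back; complete straight to the caller */` would record the reason next to the code. The enclosing function starts and ends outside the hunk.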
diff --git a/queue-3.14/input-gtco-fix-crash-on-detecting-device-without-endpoints.patch b/queue-3.14/input-gtco-fix-crash-on-detecting-device-without-endpoints.patch
new file mode 100644 (file)
index 0000000..13f0dd6
--- /dev/null
@@ -0,0 +1,56 @@
+From 162f98dea487206d9ab79fc12ed64700667a894d Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Thu, 31 Mar 2016 10:53:42 -0700
+Subject: Input: gtco - fix crash on detecting device without endpoints
+
+From: Vladis Dronov <vdronov@redhat.com>
+
+commit 162f98dea487206d9ab79fc12ed64700667a894d upstream.
+
+The gtco driver expects at least one valid endpoint. If given malicious
+descriptors that specify 0 for the number of endpoints, it will crash in
+the probe function. Ensure there is at least one endpoint on the interface
+before using it.
+
+Also let's fix a minor coding style issue.
+
+The full correct report of this issue can be found in the public
+Red Hat Bugzilla:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1283385
+
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/tablet/gtco.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -868,6 +868,14 @@ static int gtco_probe(struct usb_interfa
+               goto err_free_buf;
+       }
++      /* Sanity check that a device has an endpoint */
++      if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
++              dev_err(&usbinterface->dev,
++                      "Invalid number of endpoints\n");
++              error = -EINVAL;
++              goto err_free_urb;
++      }
++
+       /*
+        * The endpoint is always altsetting 0, we know this since we know
+        * this device only has one interrupt endpoint
+@@ -889,7 +897,7 @@ static int gtco_probe(struct usb_interfa
+        * HID report descriptor
+        */
+       if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
+-                                   HID_DEVICE_TYPE, &hid_desc) != 0){
++                                   HID_DEVICE_TYPE, &hid_desc) != 0) {
+               dev_err(&usbinterface->dev,
+                       "Can't retrieve exta USB descriptor to get hid report descriptor length\n");
+               error = -EIO;
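Review bot: The new endpoint check reads `usbinterface->altsetting[0].desc.bNumEndpoints`, while the HID descriptor lookup further down in gtco_probe uses `usbinterface->cur_altsetting`. The two are not guaranteed to refer to the same alternate setting. Checking the setting the driver actually binds to, `if (usbinterface->cur_altsetting->desc.bNumEndpoints < 1) {`, and taking the endpoint from that same setting would keep the validation and the use in step. The check also proves only that an endpoint exists; if the code after the hunk assumes an interrupt IN endpoint, as the existing comment suggests, a `usb_endpoint_is_int_in()` test on the descriptor would cover that as well. The endpoint dereference is outside the hunk, so this needs confirming against the full function.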
diff --git a/queue-3.14/nl80211-check-netlink-protocol-in-socket-release-notification.patch b/queue-3.14/nl80211-check-netlink-protocol-in-socket-release-notification.patch
new file mode 100644 (file)
index 0000000..da73edd
--- /dev/null
@@ -0,0 +1,42 @@
+From 8f815cdde3e550e10c2736990d791f60c2ce43eb Mon Sep 17 00:00:00 2001
+From: Dmitry Ivanov <dmitrijs.ivanovs@ubnt.com>
+Date: Wed, 6 Apr 2016 17:23:18 +0300
+Subject: nl80211: check netlink protocol in socket release notification
+
+From: Dmitry Ivanov <dmitrijs.ivanovs@ubnt.com>
+
+commit 8f815cdde3e550e10c2736990d791f60c2ce43eb upstream.
+
+A non-privileged user can create a netlink socket with the same port_id as
+used by an existing open nl80211 netlink socket (e.g. as used by a hostapd
+process) with a different protocol number.
+
+Closing this socket will then lead to the notification going to nl80211's
+socket release notification handler, and possibly cause an action such as
+removing a virtual interface.
+
+Fix this issue by checking that the netlink protocol is NETLINK_GENERIC.
+Since generic netlink has no notifier chain of its own, we can't fix the
+problem more generically.
+
+Fixes: 026331c4d9b5 ("cfg80211/mac80211: allow registering for and sending action frames")
+Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
+[rewrite commit message]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -11522,7 +11522,7 @@ static int nl80211_netlink_notify(struct
+       struct wireless_dev *wdev;
+       struct cfg80211_beacon_registration *reg, *tmp;
+-      if (state != NETLINK_URELEASE)
++      if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
+               return NOTIFY_DONE;
+       rcu_read_lock();
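Review bot: The extended condition in nl80211_netlink_notify carries no comment, so the reason for the protocol test is recorded only in the commit message. Since the check is what stops a socket of another netlink protocol with a matching port ID from triggering the release handling, a short comment would help, for example `/* port IDs are per protocol: ignore releases of non-generic netlink sockets */`. Without it a later cleanup could take the second clause for redundant. The rest of the function, including the code that acts on `notify->portid`, is outside the hunk.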
diff --git a/queue-3.14/pinctrl-single-fix-pcs_parse_bits_in_pinctrl_entry-to-use-__ffs-than-ffs.patch b/queue-3.14/pinctrl-single-fix-pcs_parse_bits_in_pinctrl_entry-to-use-__ffs-than-ffs.patch
new file mode 100644 (file)
index 0000000..1bff443
--- /dev/null
@@ -0,0 +1,60 @@
+From 56b367c0cd67d4c3006738e7dc9dda9273fd2bfe Mon Sep 17 00:00:00 2001
+From: Keerthy <j-keerthy@ti.com>
+Date: Thu, 14 Apr 2016 10:29:16 +0530
+Subject: pinctrl: single: Fix pcs_parse_bits_in_pinctrl_entry to use __ffs than ffs
+
+From: Keerthy <j-keerthy@ti.com>
+
+commit 56b367c0cd67d4c3006738e7dc9dda9273fd2bfe upstream.
+
+pcs_parse_bits_in_pinctrl_entry uses ffs which gives bit indices
+ranging from 1 to MAX. This leads to a corner case where we try to request
+the pin number = MAX and fails.
+
+bit_pos value is being calculted using ffs. pin_num_from_lsb uses
+bit_pos value. pins array is populated with:
+
+pin + pin_num_from_lsb.
+
+The above is 1 more than usual bit indices as bit_pos uses ffs to compute
+first set bit. Hence the last of the pins array is populated with the MAX
+value and not MAX - 1 which causes error when we call pin_request.
+
+mask_pos is rightly calculated as ((pcs->fmask) << (bit_pos - 1))
+Consequently val_pos and submask are correct.
+
+Hence use __ffs which gives (ffs(x) - 1) as the first bit set.
+
+fixes: 4e7e8017a8 ("pinctrl: pinctrl-single: enhance to configure multiple pins of different modules")
+Signed-off-by: Keerthy <j-keerthy@ti.com>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/pinctrl-single.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -1313,9 +1313,9 @@ static int pcs_parse_bits_in_pinctrl_ent
+               /* Parse pins in each row from LSB */
+               while (mask) {
+-                      bit_pos = ffs(mask);
++                      bit_pos = __ffs(mask);
+                       pin_num_from_lsb = bit_pos / pcs->bits_per_pin;
+-                      mask_pos = ((pcs->fmask) << (bit_pos - 1));
++                      mask_pos = ((pcs->fmask) << bit_pos);
+                       val_pos = val & mask_pos;
+                       submask = mask & mask_pos;
+@@ -1892,7 +1892,7 @@ static int pcs_probe(struct platform_dev
+       ret = of_property_read_u32(np, "pinctrl-single,function-mask",
+                                  &pcs->fmask);
+       if (!ret) {
+-              pcs->fshift = ffs(pcs->fmask) - 1;
++              pcs->fshift = __ffs(pcs->fmask);
+               pcs->fmax = pcs->fmask >> pcs->fshift;
+       } else {
+               /* If mask property doesn't exist, function mux is invalid. */
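Review bot: In the pcs_probe hunk, `pcs->fshift = __ffs(pcs->fmask);` is reached whenever the "pinctrl-single,function-mask" property exists, including when its value is 0, and `__ffs()` has an undefined result for a zero argument. The loop in the first hunk is protected by `while (mask)`, but nothing visible here rejects a zero function mask from the device tree. Guarding the branch with `if (!ret && pcs->fmask) {`, or returning an error for a zero mask, would keep the shift well defined. Whether a zero mask is filtered elsewhere in pcs_probe cannot be seen from the hunk.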
index 5eef2854461d07fba883d0c9b02d7396fb2247b4..0fcde362a73fce7136b21923447d8298be4d796b 100644 (file)
@@ -6,3 +6,8 @@ lib-lz4-fixed-zram-with-lz4-on-big-endian-machines.patch
 x86-iopl-64-properly-context-switch-iopl-on-xen-pv.patch
 futex-acknowledge-a-new-waiter-in-counter-before-plist.patch
 drm-qxl-fix-cursor-position-with-non-zero-hotspot.patch
+crypto-ccp-prevent-information-leakage-on-export.patch
+crypto-gcm-fix-rfc4543-decryption-crash.patch
+nl80211-check-netlink-protocol-in-socket-release-notification.patch
+input-gtco-fix-crash-on-detecting-device-without-endpoints.patch
+pinctrl-single-fix-pcs_parse_bits_in_pinctrl_entry-to-use-__ffs-than-ffs.patch