--- /dev/null
+From 8f36ebaf21fdae99c091c67e8b6fab33969f2667 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Wed, 25 Jan 2017 12:29:59 +0000
+Subject: arm/arm64: KVM: Enforce unconditional flush to PoC when mapping to stage-2
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 8f36ebaf21fdae99c091c67e8b6fab33969f2667 upstream.
+
+When we fault in a page, we flush it to the PoC (Point of Coherency)
+if the faulting vcpu has its own caches off, so that it can observe
+the page we just brought it.
+
+But if the vcpu has its caches on, we skip that step. Bad things
+happen when *another* vcpu tries to access that page with its own
+caches disabled. At that point, there is no guarantee that the
+data has made it to the PoC, and we access stale data.
+
+The obvious fix is to always flush to PoC when a page is faulted
+in, no matter what the state of the vcpu is.
+
+Fixes: 2d58b733c876 ("arm64: KVM: force cache clean on page fault when caches are off")
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/include/asm/kvm_mmu.h | 9 +--------
+ arch/arm64/include/asm/kvm_mmu.h | 3 +--
+ 2 files changed, 2 insertions(+), 10 deletions(-)
+
+--- a/arch/arm/include/asm/kvm_mmu.h
++++ b/arch/arm/include/asm/kvm_mmu.h
+@@ -204,18 +204,12 @@ static inline void __coherent_cache_gues
+ * and iterate over the range.
+ */
+
+- bool need_flush = !vcpu_has_cache_enabled(vcpu) || ipa_uncached;
+-
+ VM_BUG_ON(size & ~PAGE_MASK);
+
+- if (!need_flush && !icache_is_pipt())
+- goto vipt_cache;
+-
+ while (size) {
+ void *va = kmap_atomic_pfn(pfn);
+
+- if (need_flush)
+- kvm_flush_dcache_to_poc(va, PAGE_SIZE);
++ kvm_flush_dcache_to_poc(va, PAGE_SIZE);
+
+ if (icache_is_pipt())
+ __cpuc_coherent_user_range((unsigned long)va,
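Review bot: Nothing at the now-unconditional `kvm_flush_dcache_to_poc(va, PAGE_SIZE);` call records why the clean must not depend on the faulting vcpu's cache state, so a later cleanup could reintroduce the check as an optimisation. A short comment above it would preserve the reasoning from the commit message, for example `/* Always clean to PoC: another vcpu may read this page with its caches off and would otherwise see stale data. */`; the same applies to the `kvm_flush_dcache_to_poc(va, size);` line in the arm64 hunk. With `need_flush` gone, `vcpu` and `ipa_uncached` are no longer read in the lines visible here, so they may now be dead parameters. The signature and the end of `__coherent_cache_guest_page` are outside the hunk, so that needs checking against the full function.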
+@@ -227,7 +221,6 @@ static inline void __coherent_cache_gues
+ kunmap_atomic(va);
+ }
+
+-vipt_cache:
+ if (!icache_is_pipt() && !icache_is_vivt_asid_tagged()) {
+ /* any kind of VIPT cache */
+ __flush_icache_all();
+--- a/arch/arm64/include/asm/kvm_mmu.h
++++ b/arch/arm64/include/asm/kvm_mmu.h
+@@ -236,8 +236,7 @@ static inline void __coherent_cache_gues
+ {
+ void *va = page_address(pfn_to_page(pfn));
+
+- if (!vcpu_has_cache_enabled(vcpu) || ipa_uncached)
+- kvm_flush_dcache_to_poc(va, size);
++ kvm_flush_dcache_to_poc(va, size);
+
+ if (!icache_is_aliasing()) { /* PIPT */
+ flush_icache_range((unsigned long)va,
--- /dev/null
+From 1c68bb0f62bf8de8bb30123ea840d5168f25abea Mon Sep 17 00:00:00 2001
+From: Laura Abbott <labbott@redhat.com>
+Date: Tue, 28 Feb 2017 14:07:25 -0800
+Subject: crypto: testmgr - Pad aes_ccm_enc_tv_template vector
+
+From: Laura Abbott <labbott@redhat.com>
+
+commit 1c68bb0f62bf8de8bb30123ea840d5168f25abea upstream.
+
+Running with KASAN and crypto tests currently gives
+
+ BUG: KASAN: global-out-of-bounds in __test_aead+0x9d9/0x2200 at addr ffffffff8212fca0
+ Read of size 16 by task cryptomgr_test/1107
+ Address belongs to variable 0xffffffff8212fca0
+ CPU: 0 PID: 1107 Comm: cryptomgr_test Not tainted 4.10.0+ #45
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.1-1.fc24 04/01/2014
+ Call Trace:
+ dump_stack+0x63/0x8a
+ kasan_report.part.1+0x4a7/0x4e0
+ ? __test_aead+0x9d9/0x2200
+ ? crypto_ccm_init_crypt+0x218/0x3c0 [ccm]
+ kasan_report+0x20/0x30
+ check_memory_region+0x13c/0x1a0
+ memcpy+0x23/0x50
+ __test_aead+0x9d9/0x2200
+ ? kasan_unpoison_shadow+0x35/0x50
+ ? alg_test_akcipher+0xf0/0xf0
+ ? crypto_skcipher_init_tfm+0x2e3/0x310
+ ? crypto_spawn_tfm2+0x37/0x60
+ ? crypto_ccm_init_tfm+0xa9/0xd0 [ccm]
+ ? crypto_aead_init_tfm+0x7b/0x90
+ ? crypto_alloc_tfm+0xc4/0x190
+ test_aead+0x28/0xc0
+ alg_test_aead+0x54/0xd0
+ alg_test+0x1eb/0x3d0
+ ? alg_find_test+0x90/0x90
+ ? __sched_text_start+0x8/0x8
+ ? __wake_up_common+0x70/0xb0
+ cryptomgr_test+0x4d/0x60
+ kthread+0x173/0x1c0
+ ? crypto_acomp_scomp_free_ctx+0x60/0x60
+ ? kthread_create_on_node+0xa0/0xa0
+ ret_from_fork+0x2c/0x40
+ Memory state around the buggy address:
+ ffffffff8212fb80: 00 00 00 00 01 fa fa fa fa fa fa fa 00 00 00 00
+ ffffffff8212fc00: 00 01 fa fa fa fa fa fa 00 00 00 00 01 fa fa fa
+ >ffffffff8212fc80: fa fa fa fa 00 05 fa fa fa fa fa fa 00 00 00 00
+ ^
+ ffffffff8212fd00: 01 fa fa fa fa fa fa fa 00 00 00 00 01 fa fa fa
+ ffffffff8212fd80: fa fa fa fa 00 00 00 00 00 05 fa fa fa fa fa fa
+
+This always happens on the same IV which is less than 16 bytes.
+
+Per Ard,
+
+"CCM IVs are 16 bytes, but due to the way they are constructed
+internally, the final couple of bytes of input IV are dont-cares.
+
+Apparently, we do read all 16 bytes, which triggers the KASAN errors."
+
+Fix this by padding the IV with null bytes to be at least 16 bytes.
+
+Fixes: 0bc5a6c5c79a ("crypto: testmgr - Disable rfc4309 test and convert test vectors")
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/testmgr.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/testmgr.h
++++ b/crypto/testmgr.h
+@@ -21778,7 +21778,7 @@ static struct aead_testvec aes_ccm_enc_t
+ "\x09\x75\x9a\x9b\x3c\x9b\x27\x39",
+ .klen = 32,
+ .iv = "\x03\xf9\xd9\x4e\x63\xb5\x3d\x9d"
+- "\x43\xf6\x1e\x50",
++ "\x43\xf6\x1e\x50\0\0\0\0",
+ .assoc = "\x57\xf5\x6b\x8b\x57\x5c\x3d\x3b"
+ "\x13\x02\x01\x0c\x83\x4c\x96\x35"
+ "\x8e\xd6\x39\xcf\x7d\x14\x9b\x94"
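Review bot: The padding on the `.iv` initializer repairs this one vector, but the 16-byte read itself (the `memcpy` under `__test_aead` in the KASAN trace) is outside the hunk and still trusts every `.iv` string to span at least 16 bytes. A comment next to the padded literal, such as `/* zero-padded to 16 bytes: __test_aead copies a full-size IV */`, would stop the trailing `\0\0\0\0` from being trimmed as noise later. It would also be worth checking whether other AEAD templates in this file carry IVs shorter than the length the harness copies; the commit message reports only this one triggering.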
--- /dev/null
+From 2e38bea99a80eab408adee27f873a188d57b76cb Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 22 Feb 2017 20:08:25 +0100
+Subject: fuse: add missing FR_FORCE
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 2e38bea99a80eab408adee27f873a188d57b76cb upstream.
+
+fuse_file_put() was missing the "force" flag for the RELEASE request when
+sending synchronously (fuseblk).
+
+If this flag is not set, then a sync request may be interrupted before it
+is dequeued by the userspace filesystem. In this case the OPEN won't be
+balanced with a RELEASE.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 5a18ec176c93 ("fuse: fix hang of single threaded fuseblk filesystem")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fuse/file.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -100,6 +100,7 @@ static void fuse_file_put(struct fuse_fi
+ iput(req->misc.release.inode);
+ fuse_put_request(ff->fc, req);
+ } else if (sync) {
++ __set_bit(FR_FORCE, &req->flags);
+ __clear_bit(FR_BACKGROUND, &req->flags);
+ fuse_request_send(ff->fc, req);
+ iput(req->misc.release.inode);
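Review bot: The added `__set_bit(FR_FORCE, &req->flags);` has no comment tying it to the synchronous RELEASE path, and the reason is not obvious from the flag name. Something like `/* RELEASE must reach userspace even if the task is interrupted, or the OPEN is never balanced */` above the line would keep the invariant visible. The non-atomic `__set_bit` matches the `__clear_bit` on the next line and presumably relies on the request not yet being visible to other contexts. `fuse_file_put` begins and ends outside the hunk, so that assumption cannot be confirmed from here.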
ath5k-drop-bogus-warning-on-drv_set_key-with-unsupported-cipher.patch
ath9k-fix-race-condition-in-enabling-disabling-irqs.patch
ath9k-use-correct-otp-register-offsets-for-the-ar9340-and-ar9550.patch
+crypto-testmgr-pad-aes_ccm_enc_tv_template-vector.patch
+fuse-add-missing-fr_force.patch
+arm-arm64-kvm-enforce-unconditional-flush-to-poc-when-mapping-to-stage-2.patch