From: Sasha Levin Date: Tue, 16 Jun 2020 01:55:38 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v5.4.47~67 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0d44bd1866d940a6afd0b18b71cd893d6b53b34c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/crypto-virtio-fix-dest-length-calculation-in-__virti.patch b/queue-5.4/crypto-virtio-fix-dest-length-calculation-in-__virti.patch new file mode 100644 index 00000000000..95e80ebd418 --- /dev/null +++ b/queue-5.4/crypto-virtio-fix-dest-length-calculation-in-__virti.patch @@ -0,0 +1,56 @@ +From 2836462eb4c77d19b48c8ee04a0c0fb9fc91976f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2020 15:05:01 +0800 +Subject: crypto: virtio: Fix dest length calculation in + __virtio_crypto_skcipher_do_req() + +From: Longpeng(Mike) + +[ Upstream commit d90ca42012db2863a9a30b564a2ace6016594bda ] + +The src/dst length is not aligned with AES_BLOCK_SIZE(which is 16) in some +testcases in tcrypto.ko. + +For example, the src/dst length of one of cts(cbc(aes))'s testcase is 17, the +crypto_virtio driver will set @src_data_len=16 but @dst_data_len=17 in this +case and get a wrong at then end. + + SRC: pp pp pp pp pp pp pp pp pp pp pp pp pp pp pp pp pp (17 bytes) + EXP: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc pp (17 bytes) + DST: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 00 (pollute the last bytes) + (pp: plaintext cc:ciphertext) + +Fix this issue by limit the length of dest buffer. + +Fixes: dbaf0624ffa5 ("crypto: add virtio-crypto driver") +Cc: Gonglei +Cc: Herbert Xu +Cc: "Michael S. Tsirkin" +Cc: Jason Wang +Cc: "David S. Miller" +Cc: virtualization@lists.linux-foundation.org +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Longpeng(Mike) +Link: https://lore.kernel.org/r/20200602070501.2023-4-longpeng2@huawei.com +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/crypto/virtio/virtio_crypto_algs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/crypto/virtio/virtio_crypto_algs.c b/drivers/crypto/virtio/virtio_crypto_algs.c +index 3b37d0150814..ac420b201dd8 100644 +--- a/drivers/crypto/virtio/virtio_crypto_algs.c ++++ b/drivers/crypto/virtio/virtio_crypto_algs.c +@@ -410,6 +410,7 @@ __virtio_crypto_ablkcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req, + goto free; + } + ++ dst_len = min_t(unsigned int, req->nbytes, dst_len); + pr_debug("virtio_crypto: src_len: %u, dst_len: %llu\n", + req->nbytes, dst_len); + +-- +2.25.1 + diff --git a/queue-5.4/crypto-virtio-fix-src-dst-scatterlist-calculation-in.patch b/queue-5.4/crypto-virtio-fix-src-dst-scatterlist-calculation-in.patch new file mode 100644 index 00000000000..b36f9d5db07 --- /dev/null +++ b/queue-5.4/crypto-virtio-fix-src-dst-scatterlist-calculation-in.patch @@ -0,0 +1,81 @@ +From 03a37ef7951fd02e872474641d6c511276d55afb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2020 15:04:59 +0800 +Subject: crypto: virtio: Fix src/dst scatterlist calculation in + __virtio_crypto_skcipher_do_req() + +From: Longpeng(Mike) + +[ Upstream commit b02989f37fc5e865ceeee9070907e4493b3a21e2 ] + +The system will crash when the users insmod crypto/tcrypt.ko with mode=38 +( testing "cts(cbc(aes))" ). + +Usually the next entry of one sg will be @sg@ + 1, but if this sg element +is part of a chained scatterlist, it could jump to the start of a new +scatterlist array. Fix it by sg_next() on calculation of src/dst +scatterlist. + +Fixes: dbaf0624ffa5 ("crypto: add virtio-crypto driver") +Reported-by: LABBE Corentin +Cc: Herbert Xu +Cc: "Michael S. Tsirkin" +Cc: Jason Wang +Cc: "David S. Miller" +Cc: virtualization@lists.linux-foundation.org +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200123101000.GB24255@Red +Signed-off-by: Gonglei +Signed-off-by: Longpeng(Mike) +Link: https://lore.kernel.org/r/20200602070501.2023-2-longpeng2@huawei.com +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/crypto/virtio/virtio_crypto_algs.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/crypto/virtio/virtio_crypto_algs.c b/drivers/crypto/virtio/virtio_crypto_algs.c +index fea55b5da8b5..3b37d0150814 100644 +--- a/drivers/crypto/virtio/virtio_crypto_algs.c ++++ b/drivers/crypto/virtio/virtio_crypto_algs.c +@@ -353,13 +353,18 @@ __virtio_crypto_ablkcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req, + int err; + unsigned long flags; + struct scatterlist outhdr, iv_sg, status_sg, **sgs; +- int i; + u64 dst_len; + unsigned int num_out = 0, num_in = 0; + int sg_total; + uint8_t *iv; ++ struct scatterlist *sg; + + src_nents = sg_nents_for_len(req->src, req->nbytes); ++ if (src_nents < 0) { ++ pr_err("Invalid number of src SG.\n"); ++ return src_nents; ++ } ++ + dst_nents = sg_nents(req->dst); + + pr_debug("virtio_crypto: Number of sgs (src_nents: %d, dst_nents: %d)\n", +@@ -445,12 +450,12 @@ __virtio_crypto_ablkcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req, + vc_sym_req->iv = iv; + + /* Source data */ +- for (i = 0; i < src_nents; i++) +- sgs[num_out++] = &req->src[i]; ++ for (sg = req->src; src_nents; sg = sg_next(sg), src_nents--) ++ sgs[num_out++] = sg; + + /* Destination data */ +- for (i = 0; i < dst_nents; i++) +- sgs[num_out + num_in++] = &req->dst[i]; ++ for (sg = req->dst; sg; sg = sg_next(sg)) ++ sgs[num_out + num_in++] = sg; + + /* Status */ + sg_init_one(&status_sg, &vc_req->status, sizeof(vc_req->status)); +-- +2.25.1 + diff --git a/queue-5.4/crypto-virtio-fix-use-after-free-in-virtio_crypto_sk.patch b/queue-5.4/crypto-virtio-fix-use-after-free-in-virtio_crypto_sk.patch new file mode 100644 index 00000000000..84c8661224d --- /dev/null +++ b/queue-5.4/crypto-virtio-fix-use-after-free-in-virtio_crypto_sk.patch @@ -0,0 +1,76 @@ +From a7dd034e5851c20d2f4d0a35cba94ba3f117981f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2020 15:05:00 +0800 +Subject: crypto: virtio: Fix use-after-free in + virtio_crypto_skcipher_finalize_req() + +From: Longpeng(Mike) + +[ Upstream commit 8c855f0720ff006d75d0a2512c7f6c4f60ff60ee ] + +The system'll crash when the users insmod crypto/tcrypto.ko with mode=155 +( testing "authenc(hmac(sha1),cbc(aes))" ). It's caused by reuse the memory +of request structure. + +In crypto_authenc_init_tfm(), the reqsize is set to: + [PART 1] sizeof(authenc_request_ctx) + + [PART 2] ictx->reqoff + + [PART 3] MAX(ahash part, skcipher part) +and the 'PART 3' is used by both ahash and skcipher in turn. + +When the virtio_crypto driver finish skcipher req, it'll call ->complete +callback(in crypto_finalize_skcipher_request) and then free its +resources whose pointers are recorded in 'skcipher parts'. + +However, the ->complete is 'crypto_authenc_encrypt_done' in this case, +it will use the 'ahash part' of the request and change its content, +so virtio_crypto driver will get the wrong pointer after ->complete +finish and mistakenly free some other's memory. So the system will crash +when these memory will be used again. + +The resources which need to be cleaned up are not used any more. But the +pointers of these resources may be changed in the function +"crypto_finalize_skcipher_request". Thus release specific resources before +calling this function. + +Fixes: dbaf0624ffa5 ("crypto: add virtio-crypto driver") +Reported-by: LABBE Corentin +Cc: Gonglei +Cc: Herbert Xu +Cc: "Michael S. Tsirkin" +Cc: Jason Wang +Cc: "David S. Miller" +Cc: virtualization@lists.linux-foundation.org +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20200123101000.GB24255@Red +Acked-by: Gonglei +Signed-off-by: Longpeng(Mike) +Link: https://lore.kernel.org/r/20200602070501.2023-3-longpeng2@huawei.com +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/crypto/virtio/virtio_crypto_algs.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/virtio/virtio_crypto_algs.c b/drivers/crypto/virtio/virtio_crypto_algs.c +index 82b316b2f537..fea55b5da8b5 100644 +--- a/drivers/crypto/virtio/virtio_crypto_algs.c ++++ b/drivers/crypto/virtio/virtio_crypto_algs.c +@@ -580,10 +580,11 @@ static void virtio_crypto_ablkcipher_finalize_req( + scatterwalk_map_and_copy(req->info, req->dst, + req->nbytes - AES_BLOCK_SIZE, + AES_BLOCK_SIZE, 0); +- crypto_finalize_ablkcipher_request(vc_sym_req->base.dataq->engine, +- req, err); + kzfree(vc_sym_req->iv); + virtcrypto_clear_request(&vc_sym_req->base); ++ ++ crypto_finalize_ablkcipher_request(vc_sym_req->base.dataq->engine, ++ req, err); + } + + static struct virtio_crypto_algo virtio_crypto_algs[] = { { +-- +2.25.1 + diff --git a/queue-5.4/firmware-imx-scu-fix-corruption-of-header.patch b/queue-5.4/firmware-imx-scu-fix-corruption-of-header.patch new file mode 100644 index 00000000000..0e606bc8f4a --- /dev/null +++ b/queue-5.4/firmware-imx-scu-fix-corruption-of-header.patch @@ -0,0 +1,72 @@ +From 524094f92c4c64d01ab4b571665dbcd8333172b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Mar 2020 00:00:05 +0200 +Subject: firmware: imx: scu: Fix corruption of header + +From: Franck LENORMAND + +[ Upstream commit f5f27b79eab80de0287c243a22169e4876b08d5e ] + +The header of the message to send can be changed if the +response is longer than the request: + - 1st word, the header is sent + - the remaining words of the message are sent + - the response is received asynchronously during the + execution of the loop, changing the size field in + the header + - the for loop test the termination condition using + the corrupted header + +It is the case for the API build_info which has just a +header as request but 3 words in response. + +This issue is fixed storing the header locally instead of +using a pointer on it. + +Fixes: edbee095fafb (firmware: imx: add SCU firmware driver support) + +Signed-off-by: Franck LENORMAND +Reviewed-by: Leonard Crestez +Signed-off-by: Leonard Crestez +Cc: stable@vger.kernel.org +Reviewed-by: Dong Aisheng +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + drivers/firmware/imx/imx-scu.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/firmware/imx/imx-scu.c b/drivers/firmware/imx/imx-scu.c +index a92adb9fdad6..e48d971ffb61 100644 +--- a/drivers/firmware/imx/imx-scu.c ++++ b/drivers/firmware/imx/imx-scu.c +@@ -158,7 +158,7 @@ static void imx_scu_rx_callback(struct mbox_client *c, void *msg) + + static int imx_scu_ipc_write(struct imx_sc_ipc *sc_ipc, void *msg) + { +- struct imx_sc_rpc_msg *hdr = msg; ++ struct imx_sc_rpc_msg hdr = *(struct imx_sc_rpc_msg *)msg; + struct imx_sc_chan *sc_chan; + u32 *data = msg; + int ret; +@@ -166,13 +166,13 @@ static int imx_scu_ipc_write(struct imx_sc_ipc *sc_ipc, void *msg) + int i; + + /* Check size */ +- if (hdr->size > IMX_SC_RPC_MAX_MSG) ++ if (hdr.size > IMX_SC_RPC_MAX_MSG) + return -EINVAL; + +- dev_dbg(sc_ipc->dev, "RPC SVC %u FUNC %u SIZE %u\n", hdr->svc, +- hdr->func, hdr->size); ++ dev_dbg(sc_ipc->dev, "RPC SVC %u FUNC %u SIZE %u\n", hdr.svc, ++ hdr.func, hdr.size); + +- size = sc_ipc->fast_ipc ? 1 : hdr->size; ++ size = sc_ipc->fast_ipc ? 1 : hdr.size; + for (i = 0; i < size; i++) { + sc_chan = &sc_ipc->chans[i % 4]; + +-- +2.25.1 + diff --git a/queue-5.4/firmware-imx-scu-support-one-tx-and-one-rx.patch b/queue-5.4/firmware-imx-scu-support-one-tx-and-one-rx.patch new file mode 100644 index 00000000000..d63856929e9 --- /dev/null +++ b/queue-5.4/firmware-imx-scu-support-one-tx-and-one-rx.patch @@ -0,0 +1,151 @@ +From def98b8df194628866ed44b665dbf4f9fcfe05ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Mar 2020 15:49:53 +0800 +Subject: firmware: imx-scu: Support one TX and one RX + +From: Peng Fan + +[ Upstream commit f25a066d1a07affb7bea4e5d9c179c3338338e23 ] + +Current imx-scu requires four TX and four RX to communicate with +SCU. This is low efficient and causes lots of mailbox interrupts. + +With imx-mailbox driver could support one TX to use all four transmit +registers and one RX to use all four receive registers, imx-scu +could use one TX and one RX. + +Signed-off-by: Peng Fan +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + drivers/firmware/imx/imx-scu.c | 54 +++++++++++++++++++++++++++------- + 1 file changed, 43 insertions(+), 11 deletions(-) + +diff --git a/drivers/firmware/imx/imx-scu.c b/drivers/firmware/imx/imx-scu.c +index 6c6ac47d3c64..a92adb9fdad6 100644 +--- a/drivers/firmware/imx/imx-scu.c ++++ b/drivers/firmware/imx/imx-scu.c +@@ -38,6 +38,7 @@ struct imx_sc_ipc { + struct device *dev; + struct mutex lock; + struct completion done; ++ bool fast_ipc; + + /* temporarily store the SCU msg */ + u32 *msg; +@@ -115,6 +116,7 @@ static void imx_scu_rx_callback(struct mbox_client *c, void *msg) + struct imx_sc_ipc *sc_ipc = sc_chan->sc_ipc; + struct imx_sc_rpc_msg *hdr; + u32 *data = msg; ++ int i; + + if (!sc_ipc->msg) { + dev_warn(sc_ipc->dev, "unexpected rx idx %d 0x%08x, ignore!\n", +@@ -122,6 +124,19 @@ static void imx_scu_rx_callback(struct mbox_client *c, void *msg) + return; + } + ++ if (sc_ipc->fast_ipc) { ++ hdr = msg; ++ sc_ipc->rx_size = hdr->size; ++ sc_ipc->msg[0] = *data++; ++ ++ for (i = 1; i < sc_ipc->rx_size; i++) ++ sc_ipc->msg[i] = *data++; ++ ++ complete(&sc_ipc->done); ++ ++ return; ++ } ++ + if (sc_chan->idx == 0) { + hdr = msg; + sc_ipc->rx_size = hdr->size; +@@ -147,6 +162,7 @@ static int imx_scu_ipc_write(struct imx_sc_ipc *sc_ipc, void *msg) + struct imx_sc_chan *sc_chan; + u32 *data = msg; + int ret; ++ int size; + int i; + + /* Check size */ +@@ -156,7 +172,8 @@ static int imx_scu_ipc_write(struct imx_sc_ipc *sc_ipc, void *msg) + dev_dbg(sc_ipc->dev, "RPC SVC %u FUNC %u SIZE %u\n", hdr->svc, + hdr->func, hdr->size); + +- for (i = 0; i < hdr->size; i++) { ++ size = sc_ipc->fast_ipc ? 1 : hdr->size; ++ for (i = 0; i < size; i++) { + sc_chan = &sc_ipc->chans[i % 4]; + + /* +@@ -168,8 +185,10 @@ static int imx_scu_ipc_write(struct imx_sc_ipc *sc_ipc, void *msg) + * Wait for tx_done before every send to ensure that no + * queueing happens at the mailbox channel level. + */ +- wait_for_completion(&sc_chan->tx_done); +- reinit_completion(&sc_chan->tx_done); ++ if (!sc_ipc->fast_ipc) { ++ wait_for_completion(&sc_chan->tx_done); ++ reinit_completion(&sc_chan->tx_done); ++ } + + ret = mbox_send_message(sc_chan->ch, &data[i]); + if (ret < 0) +@@ -232,6 +251,8 @@ static int imx_scu_probe(struct platform_device *pdev) + struct imx_sc_chan *sc_chan; + struct mbox_client *cl; + char *chan_name; ++ struct of_phandle_args args; ++ int num_channel; + int ret; + int i; + +@@ -239,11 +260,20 @@ static int imx_scu_probe(struct platform_device *pdev) + if (!sc_ipc) + return -ENOMEM; + +- for (i = 0; i < SCU_MU_CHAN_NUM; i++) { +- if (i < 4) ++ ret = of_parse_phandle_with_args(pdev->dev.of_node, "mboxes", ++ "#mbox-cells", 0, &args); ++ if (ret) ++ return ret; ++ ++ sc_ipc->fast_ipc = of_device_is_compatible(args.np, "fsl,imx8-mu-scu"); ++ ++ num_channel = sc_ipc->fast_ipc ? 2 : SCU_MU_CHAN_NUM; ++ for (i = 0; i < num_channel; i++) { ++ if (i < num_channel / 2) + chan_name = kasprintf(GFP_KERNEL, "tx%d", i); + else +- chan_name = kasprintf(GFP_KERNEL, "rx%d", i - 4); ++ chan_name = kasprintf(GFP_KERNEL, "rx%d", ++ i - num_channel / 2); + + if (!chan_name) + return -ENOMEM; +@@ -255,13 +285,15 @@ static int imx_scu_probe(struct platform_device *pdev) + cl->knows_txdone = true; + cl->rx_callback = imx_scu_rx_callback; + +- /* Initial tx_done completion as "done" */ +- cl->tx_done = imx_scu_tx_done; +- init_completion(&sc_chan->tx_done); +- complete(&sc_chan->tx_done); ++ if (!sc_ipc->fast_ipc) { ++ /* Initial tx_done completion as "done" */ ++ cl->tx_done = imx_scu_tx_done; ++ init_completion(&sc_chan->tx_done); ++ complete(&sc_chan->tx_done); ++ } + + sc_chan->sc_ipc = sc_ipc; +- sc_chan->idx = i % 4; ++ sc_chan->idx = i % (num_channel / 2); + sc_chan->ch = mbox_request_channel_byname(cl, chan_name); + if (IS_ERR(sc_chan->ch)) { + ret = PTR_ERR(sc_chan->ch); +-- +2.25.1 + diff --git a/queue-5.4/firmware-imx-warn-on-unexpected-rx.patch b/queue-5.4/firmware-imx-warn-on-unexpected-rx.patch new file mode 100644 index 00000000000..ecc968a2e3c --- /dev/null +++ b/queue-5.4/firmware-imx-warn-on-unexpected-rx.patch @@ -0,0 +1,69 @@ +From 850b26dc9752a50ef764b44911fee2c7fe5b177f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2019 10:54:58 +0300 +Subject: firmware: imx: warn on unexpected RX + +From: Leonard Crestez + +[ Upstream commit cf0fd404455ce13850cc15423a3c2958933de384 ] + +The imx_scu_call_rpc function returns the result inside the +same "msg" struct containing the transmitted message. This is +implemented by holding a pointer to msg (which is usually on the stack) +in sc_imx_rpc and writing to it from imx_scu_rx_callback. + +This means that if the have_resp parameter is incorrect or SCU sends an +unexpected response for any reason the most likely result is kernel stack +corruption. + +Fix this by only setting sc_imx_rpc.msg for the duration of the +imx_scu_call_rpc call and warning in imx_scu_rx_callback if unset. + +Print the unexpected response data to help debugging. + +Signed-off-by: Leonard Crestez +Acked-by: Anson Huang +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + drivers/firmware/imx/imx-scu.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/firmware/imx/imx-scu.c b/drivers/firmware/imx/imx-scu.c +index 35a5f8f8eea5..6c6ac47d3c64 100644 +--- a/drivers/firmware/imx/imx-scu.c ++++ b/drivers/firmware/imx/imx-scu.c +@@ -116,6 +116,12 @@ static void imx_scu_rx_callback(struct mbox_client *c, void *msg) + struct imx_sc_rpc_msg *hdr; + u32 *data = msg; + ++ if (!sc_ipc->msg) { ++ dev_warn(sc_ipc->dev, "unexpected rx idx %d 0x%08x, ignore!\n", ++ sc_chan->idx, *data); ++ return; ++ } ++ + if (sc_chan->idx == 0) { + hdr = msg; + sc_ipc->rx_size = hdr->size; +@@ -187,7 +193,8 @@ int imx_scu_call_rpc(struct imx_sc_ipc *sc_ipc, void *msg, bool have_resp) + mutex_lock(&sc_ipc->lock); + reinit_completion(&sc_ipc->done); + +- sc_ipc->msg = msg; ++ if (have_resp) ++ sc_ipc->msg = msg; + sc_ipc->count = 0; + ret = imx_scu_ipc_write(sc_ipc, msg); + if (ret < 0) { +@@ -209,6 +216,7 @@ int imx_scu_call_rpc(struct imx_sc_ipc *sc_ipc, void *msg, bool have_resp) + } + + out: ++ sc_ipc->msg = NULL; + mutex_unlock(&sc_ipc->lock); + + dev_dbg(sc_ipc->dev, "RPC SVC done\n"); +-- +2.25.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 23094ca8637..19bf75804b7 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -80,3 +80,9 @@ crypto-cavium-nitrox-fix-nitrox_get_first_device-when-ndevlist-is-fully-iterated crypto-algapi-avoid-spurious-modprobe-on-loaded.patch crypto-drbg-fix-error-return-code-in-drbg_alloc_state.patch x86-mce-mm-unmap-the-entire-page-if-the-whole-page-is-affected-and-poisoned.patch +firmware-imx-warn-on-unexpected-rx.patch +firmware-imx-scu-support-one-tx-and-one-rx.patch +firmware-imx-scu-fix-corruption-of-header.patch +crypto-virtio-fix-use-after-free-in-virtio_crypto_sk.patch +crypto-virtio-fix-src-dst-scatterlist-calculation-in.patch +crypto-virtio-fix-dest-length-calculation-in-__virti.patch