From: Greg Kroah-Hartman Date: Fri, 16 Oct 2020 08:20:29 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.9.1~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3fbedfbf24184be4b43afc9bde33db7af55e99bc;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: crypto-bcm-verify-gcm-ccm-key-length-in-setkey.patch crypto-qat-check-cipher-length-for-aead-aes-cbc-hmac-sha.patch xen-events-don-t-use-chip_data-for-legacy-irqs.patch
---
diff --git a/queue-5.4/crypto-bcm-verify-gcm-ccm-key-length-in-setkey.patch b/queue-5.4/crypto-bcm-verify-gcm-ccm-key-length-in-setkey.patch
new file mode 100644
index 00000000000..31af2b808e1
--- /dev/null
+++ b/queue-5.4/crypto-bcm-verify-gcm-ccm-key-length-in-setkey.patch
@@ -0,0 +1,81 @@
+From 10a2f0b311094ffd45463a529a410a51ca025f27 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Fri, 2 Oct 2020 17:55:22 +1000
+Subject: crypto: bcm - Verify GCM/CCM key length in setkey
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Herbert Xu
+
+commit 10a2f0b311094ffd45463a529a410a51ca025f27 upstream.
+
+The setkey function for GCM/CCM algorithms didn't verify the key
+length before copying the key and subtracting the salt length.
+
+This patch delays the copying of the key til after the verification
+has been done. It also adds checks on the key length to ensure
+that it's at least as long as the salt.
+
+Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver")
+Cc:
+Reported-by: kiyin(尹亮)
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/bcm/cipher.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/drivers/crypto/bcm/cipher.c
++++ b/drivers/crypto/bcm/cipher.c
+@@ -2937,7 +2937,6 @@ static int aead_gcm_ccm_setkey(struct cr
+
+ ctx->enckeylen = keylen;
+ ctx->authkeylen = 0;
+- memcpy(ctx->enckey, key, ctx->enckeylen);
+
+ switch (ctx->enckeylen) {
+ case AES_KEYSIZE_128:
+@@ -2953,6 +2952,8 @@ static int aead_gcm_ccm_setkey(struct cr
+ goto badkey;
+ }
+
++ memcpy(ctx->enckey, key, ctx->enckeylen);
++
+ flow_log(" enckeylen:%u authkeylen:%u\n", ctx->enckeylen,
+ ctx->authkeylen);
+ flow_dump(" enc: ", ctx->enckey, ctx->enckeylen);
+@@ -3013,6 +3014,10 @@ static int aead_gcm_esp_setkey(struct cr
+ struct iproc_ctx_s *ctx = crypto_aead_ctx(cipher);
+
+ flow_log("%s\n", __func__);
++
++ if (keylen < GCM_ESP_SALT_SIZE)
++ return -EINVAL;
++
+ ctx->salt_len = GCM_ESP_SALT_SIZE;
+ ctx->salt_offset = GCM_ESP_SALT_OFFSET;
+ memcpy(ctx->salt, key + keylen - GCM_ESP_SALT_SIZE, GCM_ESP_SALT_SIZE);
+@@ -3041,6 +3046,10 @@ static int rfc4543_gcm_esp_setkey(struct
+ struct iproc_ctx_s *ctx = crypto_aead_ctx(cipher);
+
+ flow_log("%s\n", __func__);
++
++ if (keylen < GCM_ESP_SALT_SIZE)
++ return -EINVAL;
++
+ ctx->salt_len = GCM_ESP_SALT_SIZE;
+ ctx->salt_offset = GCM_ESP_SALT_OFFSET;
+ memcpy(ctx->salt, key + keylen - GCM_ESP_SALT_SIZE, GCM_ESP_SALT_SIZE);
+@@ -3070,6 +3079,10 @@ static int aead_ccm_esp_setkey(struct cr
+ struct iproc_ctx_s *ctx = crypto_aead_ctx(cipher);
+
+ flow_log("%s\n", __func__);
++
++ if (keylen < CCM_ESP_SALT_SIZE)
++ return -EINVAL;
++
+ ctx->salt_len = CCM_ESP_SALT_SIZE;
+ ctx->salt_offset = CCM_ESP_SALT_OFFSET;
+ memcpy(ctx->salt, key + keylen - CCM_ESP_SALT_SIZE, CCM_ESP_SALT_SIZE);
diff --git a/queue-5.4/crypto-qat-check-cipher-length-for-aead-aes-cbc-hmac-sha.patch b/queue-5.4/crypto-qat-check-cipher-length-for-aead-aes-cbc-hmac-sha.patch
new file mode 100644
index 00000000000..a2686d4732b
--- /dev/null
+++ b/queue-5.4/crypto-qat-check-cipher-length-for-aead-aes-cbc-hmac-sha.patch
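Review bot: In drivers/crypto/bcm/cipher.c the three ESP wrappers (aead_gcm_esp_setkey, rfc4543_gcm_esp_setkey, aead_ccm_esp_setkey) reject a short key with a bare `return -EINVAL;`, while aead_gcm_ccm_setkey rejects through `goto badkey`, so the two rejection paths can diverge. The badkey label and the rest of each function lie outside these hunks; if that label clears the context lengths or flags the transform, the early returns skip it and callers see different state depending on which check fired. In aead_gcm_ccm_setkey, `ctx->enckeylen = keylen;` is still assigned before the switch validates the length, so only the memcpy is deferred; testing `keylen` in the switch and assigning `ctx->enckeylen` afterwards would keep an unvalidated length out of the context entirely. A comment above the moved copy, such as `/* keylen was validated by the switch above; do not copy earlier */`, would keep a later refactor from moving it back.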
@@ -0,0 +1,59 @@
+From 45cb6653b0c355fc1445a8069ba78a4ce8720511 Mon Sep 17 00:00:00 2001
+From: Dominik Przychodni
+Date: Mon, 31 Aug 2020 11:59:59 +0100
+Subject: crypto: qat - check cipher length for aead AES-CBC-HMAC-SHA
+
+From: Dominik Przychodni
+
+commit 45cb6653b0c355fc1445a8069ba78a4ce8720511 upstream.
+
+Return -EINVAL for authenc(hmac(sha1),cbc(aes)),
+authenc(hmac(sha256),cbc(aes)) and authenc(hmac(sha512),cbc(aes))
+if the cipher length is not multiple of the AES block.
+This is to prevent an undefined device behaviour.
+
+Fixes: d370cec32194 ("crypto: qat - Intel(R) QAT crypto interface")
+Cc:
+Signed-off-by: Dominik Przychodni
+[giovanni.cabiddu@intel.com: reworded commit message]
+Signed-off-by: Giovanni Cabiddu
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/qat/qat_common/qat_algs.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/crypto/qat/qat_common/qat_algs.c
++++ b/drivers/crypto/qat/qat_common/qat_algs.c
+@@ -873,6 +873,11 @@ static int qat_alg_aead_dec(struct aead_
+ struct icp_qat_fw_la_bulk_req *msg;
+ int digst_size = crypto_aead_authsize(aead_tfm);
+ int ret, ctr = 0;
++ u32 cipher_len;
++
++ cipher_len = areq->cryptlen - digst_size;
++ if (cipher_len % AES_BLOCK_SIZE != 0)
++ return -EINVAL;
+
+ ret = qat_alg_sgl_to_bufl(ctx->inst, areq->src, areq->dst, qat_req);
+ if (unlikely(ret))
+@@ -887,7 +892,7 @@ static int qat_alg_aead_dec(struct aead_
+ qat_req->req.comn_mid.src_data_addr = qat_req->buf.blp;
+ qat_req->req.comn_mid.dest_data_addr = qat_req->buf.bloutp;
+ cipher_param = (void *)&qat_req->req.serv_specif_rqpars;
+- cipher_param->cipher_length = areq->cryptlen - digst_size;
++ cipher_param->cipher_length = cipher_len;
+ cipher_param->cipher_offset = areq->assoclen;
+ memcpy(cipher_param->u.cipher_IV_array, areq->iv, AES_BLOCK_SIZE);
+ auth_param = (void *)((uint8_t *)cipher_param + sizeof(*cipher_param));
+@@ -916,6 +921,9 @@ static int qat_alg_aead_enc(struct aead_
+ uint8_t *iv = areq->iv;
+ int ret, ctr = 0;
+
++ if (areq->cryptlen % AES_BLOCK_SIZE != 0)
++ return -EINVAL;
++
+ ret = qat_alg_sgl_to_bufl(ctx->inst, areq->src, areq->dst, qat_req);
+ if (unlikely(ret))
+ return ret;
diff --git a/queue-5.4/series b/queue-5.4/series
index 51105248063..282893ee428 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -17,3 +17,6 @@ usb-serial-pl2303-add-device-id-for-hp-gc-device.patch
 usb-serial-ftdi_sio-add-support-for-freecalypso-jtag-uart-adapters.patch
 reiserfs-initialize-inode-keys-properly.patch
 reiserfs-fix-oops-during-mount.patch
+xen-events-don-t-use-chip_data-for-legacy-irqs.patch
+crypto-bcm-verify-gcm-ccm-key-length-in-setkey.patch
+crypto-qat-check-cipher-length-for-aead-aes-cbc-hmac-sha.patch
diff --git a/queue-5.4/xen-events-don-t-use-chip_data-for-legacy-irqs.patch b/queue-5.4/xen-events-don-t-use-chip_data-for-legacy-irqs.patch
new file mode 100644
index 00000000000..f204fbfd14e
--- /dev/null
+++ b/queue-5.4/xen-events-don-t-use-chip_data-for-legacy-irqs.patch
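Review bot: In qat_alg_aead_dec, `cipher_len = areq->cryptlen - digst_size;` is computed in a u32, so a request whose cryptlen is smaller than the tag size wraps to a large value, and a wrapped value can still be a multiple of AES_BLOCK_SIZE and pass the new check before being written to `cipher_param->cipher_length`. Nothing in the hunk shows a lower bound on cryptlen; if the driver relies on the AEAD core rejecting such requests before the driver is called, a comment saying so belongs next to the subtraction, otherwise add `if (areq->cryptlen < digst_size) return -EINVAL;` ahead of it. The function body starts and ends outside the hunk, so a guard elsewhere cannot be ruled out from here.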
@@ -0,0 +1,123 @@
+From 0891fb39ba67bd7ae023ea0d367297ffff010781 Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Wed, 30 Sep 2020 11:16:14 +0200
+Subject: xen/events: don't use chip_data for legacy IRQs
+
+From: Juergen Gross
+
+commit 0891fb39ba67bd7ae023ea0d367297ffff010781 upstream.
+
+Since commit c330fb1ddc0a ("XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information.")
+Xen is using the chip_data pointer for storing IRQ specific data. When
+running as a HVM domain this can result in problems for legacy IRQs, as
+those might use chip_data for their own purposes.
+
+Use a local array for this purpose in case of legacy IRQs, avoiding the
+double use.
+
+Cc: stable@vger.kernel.org
+Fixes: c330fb1ddc0a ("XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information.")
+Signed-off-by: Juergen Gross
+Tested-by: Stefan Bader
+Reviewed-by: Boris Ostrovsky
+Link: https://lore.kernel.org/r/20200930091614.13660-1-jgross@suse.com
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/xen/events/events_base.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -91,6 +91,8 @@ static bool (*pirq_needs_eoi)(unsigned i
+ /* Xen will never allocate port zero for any purpose. */
+ #define VALID_EVTCHN(chn) ((chn) != 0)
+
++static struct irq_info *legacy_info_ptrs[NR_IRQS_LEGACY];
++
+ static struct irq_chip xen_dynamic_chip;
+ static struct irq_chip xen_percpu_chip;
+ static struct irq_chip xen_pirq_chip;
+@@ -155,7 +157,18 @@ int get_evtchn_to_irq(unsigned evtchn)
+ /* Get info for IRQ */
+ struct irq_info *info_for_irq(unsigned irq)
+ {
+- return irq_get_chip_data(irq);
++ if (irq < nr_legacy_irqs())
++ return legacy_info_ptrs[irq];
++ else
++ return irq_get_chip_data(irq);
++}
++
++static void set_info_for_irq(unsigned int irq, struct irq_info *info)
++{
++ if (irq < nr_legacy_irqs())
++ legacy_info_ptrs[irq] = info;
++ else
++ irq_set_chip_data(irq, info);
+ }
+
+ /* Constructors for packed IRQ information. */
+@@ -376,7 +389,7 @@ static void xen_irq_init(unsigned irq)
+ info->type = IRQT_UNBOUND;
+ info->refcnt = -1;
+
+- irq_set_chip_data(irq, info);
++ set_info_for_irq(irq, info);
+
+ list_add_tail(&info->list, &xen_irq_list_head);
+ }
+@@ -425,14 +438,14 @@ static int __must_check xen_allocate_irq
+
+ static void xen_free_irq(unsigned irq)
+ {
+- struct irq_info *info = irq_get_chip_data(irq);
++ struct irq_info *info = info_for_irq(irq);
+
+ if (WARN_ON(!info))
+ return;
+
+ list_del(&info->list);
+
+- irq_set_chip_data(irq, NULL);
++ set_info_for_irq(irq, NULL);
+
+ WARN_ON(info->refcnt > 0);
+
+@@ -602,7 +615,7 @@ EXPORT_SYMBOL_GPL(xen_irq_from_gsi);
+ static void __unbind_from_irq(unsigned int irq)
+ {
+ int evtchn = evtchn_from_irq(irq);
+- struct irq_info *info = irq_get_chip_data(irq);
++ struct irq_info *info = info_for_irq(irq);
+
+ if (info->refcnt > 0) {
+ info->refcnt--;
+@@ -1106,7 +1119,7 @@ int bind_ipi_to_irqhandler(enum ipi_vect
+
+ void unbind_from_irqhandler(unsigned int irq, void *dev_id)
+ {
+- struct irq_info *info = irq_get_chip_data(irq);
++ struct irq_info *info = info_for_irq(irq);
+
+ if (WARN_ON(!info))
+ return;
+@@ -1140,7 +1153,7 @@ int evtchn_make_refcounted(unsigned int
+ if (irq == -1)
+ return -ENOENT;
+
+- info = irq_get_chip_data(irq);
++ info = info_for_irq(irq);
+
+ if (!info)
+ return -ENOENT;
+@@ -1168,7 +1181,7 @@ int evtchn_get(unsigned int evtchn)
+ if (irq == -1)
+ goto done;
+
+- info = irq_get_chip_data(irq);
++ info = info_for_irq(irq);
+
+ if (!info)
+ goto done;
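Review bot: legacy_info_ptrs is sized by the compile-time constant NR_IRQS_LEGACY, but info_for_irq() and set_info_for_irq() bound the index with the run-time test `irq < nr_legacy_irqs()`, so the array access stays in range only if nr_legacy_irqs() never exceeds NR_IRQS_LEGACY. That relation is not visible in the patch; a comment at the array definition stating it, or an extra bound such as `irq < ARRAY_SIZE(legacy_info_ptrs)` beside the existing test, would make the invariant explicit. Separately, __unbind_from_irq() dereferences `info->refcnt` with no NULL test, unlike xen_free_irq() and unbind_from_irqhandler(), which use `WARN_ON(!info)`; a legacy IRQ with nothing stored now yields NULL from the zero-initialised array, so that caller deserves the same guard (its body continues outside the hunk).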