From: Greg Kroah-Hartman Date: Sat, 9 Apr 2016 23:54:10 +0000 (-0700) Subject: 4.4-stable patches X-Git-Tag: v4.5.1~30 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=443980ed1219e6dfcfb4b65b0371749ae1a4bb0e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: crypto-atmel-fix-checks-of-error-code-returned-by-devm_ioremap_resource.patch crypto-ccp-add-hash-state-import-and-export-support.patch crypto-ccp-don-t-assume-export-import-areas-are-aligned.patch crypto-ccp-limit-the-amount-of-information-exported.patch crypto-ccp-memset-request-context-to-zero-during-import.patch crypto-keywrap-memzero-the-correct-memory.patch crypto-marvell-cesa-forward-devm_ioremap_resource-error-code.patch crypto-ux500-fix-checks-of-error-code-returned-by-devm_ioremap_resource.patch mei-bus-check-if-the-device-is-enabled-before-data-transfer.patch x.509-fix-leap-year-handling-again.patch --- diff --git a/queue-4.4/crypto-atmel-fix-checks-of-error-code-returned-by-devm_ioremap_resource.patch b/queue-4.4/crypto-atmel-fix-checks-of-error-code-returned-by-devm_ioremap_resource.patch new file mode 100644 index 00000000000..647b245f79c --- /dev/null +++ b/queue-4.4/crypto-atmel-fix-checks-of-error-code-returned-by-devm_ioremap_resource.patch @@ -0,0 +1,68 @@ +From 9b52d55f4f0e2bb9a34abbcf99e05e17f1b3b281 Mon Sep 17 00:00:00 2001 +From: Vladimir Zapolskiy +Date: Sun, 6 Mar 2016 03:21:52 +0200 +Subject: crypto: atmel - fix checks of error code returned by devm_ioremap_resource() + +From: Vladimir Zapolskiy + +commit 9b52d55f4f0e2bb9a34abbcf99e05e17f1b3b281 upstream. + +The change fixes potential oops while accessing iomem on invalid +address, if devm_ioremap_resource() fails due to some reason. + +The devm_ioremap_resource() function returns ERR_PTR() and never +returns NULL, which makes useless a following check for NULL. + +Signed-off-by: Vladimir Zapolskiy +Fixes: b0e8b3417a62 ("crypto: atmel - use devm_xxx() managed function") +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/atmel-aes.c | 4 ++-- + drivers/crypto/atmel-sha.c | 4 ++-- + drivers/crypto/atmel-tdes.c | 4 ++-- + 3 files changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/crypto/atmel-aes.c ++++ b/drivers/crypto/atmel-aes.c +@@ -1396,9 +1396,9 @@ static int atmel_aes_probe(struct platfo + } + + aes_dd->io_base = devm_ioremap_resource(&pdev->dev, aes_res); +- if (!aes_dd->io_base) { ++ if (IS_ERR(aes_dd->io_base)) { + dev_err(dev, "can't ioremap\n"); +- err = -ENOMEM; ++ err = PTR_ERR(aes_dd->io_base); + goto res_err; + } + +--- a/drivers/crypto/atmel-sha.c ++++ b/drivers/crypto/atmel-sha.c +@@ -1405,9 +1405,9 @@ static int atmel_sha_probe(struct platfo + } + + sha_dd->io_base = devm_ioremap_resource(&pdev->dev, sha_res); +- if (!sha_dd->io_base) { ++ if (IS_ERR(sha_dd->io_base)) { + dev_err(dev, "can't ioremap\n"); +- err = -ENOMEM; ++ err = PTR_ERR(sha_dd->io_base); + goto res_err; + } + +--- a/drivers/crypto/atmel-tdes.c ++++ b/drivers/crypto/atmel-tdes.c +@@ -1417,9 +1417,9 @@ static int atmel_tdes_probe(struct platf + } + + tdes_dd->io_base = devm_ioremap_resource(&pdev->dev, tdes_res); +- if (!tdes_dd->io_base) { ++ if (IS_ERR(tdes_dd->io_base)) { + dev_err(dev, "can't ioremap\n"); +- err = -ENOMEM; ++ err = PTR_ERR(tdes_dd->io_base); + goto res_err; + } + diff --git a/queue-4.4/crypto-ccp-add-hash-state-import-and-export-support.patch b/queue-4.4/crypto-ccp-add-hash-state-import-and-export-support.patch new file mode 100644 index 00000000000..32541deb662 --- /dev/null +++ b/queue-4.4/crypto-ccp-add-hash-state-import-and-export-support.patch @@ -0,0 +1,114 @@ +From 952bce9792e6bf36fda09c2e5718abb5d9327369 Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Tue, 12 Jan 2016 11:17:38 -0600 +Subject: crypto: ccp - Add hash state import and export support + +From: Tom Lendacky + +commit 952bce9792e6bf36fda09c2e5718abb5d9327369 upstream. + +Commit 8996eafdcbad ("crypto: ahash - ensure statesize is non-zero") +added a check to prevent ahash algorithms from successfully registering +if the import and export functions were not implemented. This prevents +an oops in the hash_accept function of algif_hash. This commit causes +the ccp-crypto module SHA support and AES CMAC support from successfully +registering and causing the ccp-crypto module load to fail because the +ahash import and export functions are not implemented. + +Update the CCP Crypto API support to provide import and export support +for ahash algorithms. + +Signed-off-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-crypto-aes-cmac.c | 23 +++++++++++++++++++++++ + drivers/crypto/ccp/ccp-crypto-sha.c | 23 +++++++++++++++++++++++ + 2 files changed, 46 insertions(+) + +--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c ++++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c +@@ -220,6 +220,26 @@ static int ccp_aes_cmac_digest(struct ah + return ccp_aes_cmac_finup(req); + } + ++static int ccp_aes_cmac_export(struct ahash_request *req, void *out) ++{ ++ struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req); ++ struct ccp_aes_cmac_req_ctx *state = out; ++ ++ *state = *rctx; ++ ++ return 0; ++} ++ ++static int ccp_aes_cmac_import(struct ahash_request *req, const void *in) ++{ ++ struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req); ++ const struct ccp_aes_cmac_req_ctx *state = in; ++ ++ *rctx = *state; ++ ++ return 0; ++} ++ + static int ccp_aes_cmac_setkey(struct crypto_ahash *tfm, const u8 *key, + unsigned int key_len) + { +@@ -352,10 +372,13 @@ int ccp_register_aes_cmac_algs(struct li + alg->final = ccp_aes_cmac_final; + alg->finup = ccp_aes_cmac_finup; + alg->digest = ccp_aes_cmac_digest; ++ alg->export = ccp_aes_cmac_export; ++ alg->import = ccp_aes_cmac_import; + alg->setkey = ccp_aes_cmac_setkey; + + halg = &alg->halg; + halg->digestsize = AES_BLOCK_SIZE; ++ halg->statesize = sizeof(struct ccp_aes_cmac_req_ctx); + + base = &halg->base; + snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "cmac(aes)"); +--- a/drivers/crypto/ccp/ccp-crypto-sha.c ++++ b/drivers/crypto/ccp/ccp-crypto-sha.c +@@ -207,6 +207,26 @@ static int ccp_sha_digest(struct ahash_r + return ccp_sha_finup(req); + } + ++static int ccp_sha_export(struct ahash_request *req, void *out) ++{ ++ struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req); ++ struct ccp_sha_req_ctx *state = out; ++ ++ *state = *rctx; ++ ++ return 0; ++} ++ ++static int ccp_sha_import(struct ahash_request *req, const void *in) ++{ ++ struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req); ++ const struct ccp_sha_req_ctx *state = in; ++ ++ *rctx = *state; ++ ++ return 0; ++} ++ + static int ccp_sha_setkey(struct crypto_ahash *tfm, const u8 *key, + unsigned int key_len) + { +@@ -403,9 +423,12 @@ static int ccp_register_sha_alg(struct l + alg->final = ccp_sha_final; + alg->finup = ccp_sha_finup; + alg->digest = ccp_sha_digest; ++ alg->export = ccp_sha_export; ++ alg->import = ccp_sha_import; + + halg = &alg->halg; + halg->digestsize = def->digest_size; ++ halg->statesize = sizeof(struct ccp_sha_req_ctx); + + base = &halg->base; + snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "%s", def->name); diff --git a/queue-4.4/crypto-ccp-don-t-assume-export-import-areas-are-aligned.patch b/queue-4.4/crypto-ccp-don-t-assume-export-import-areas-are-aligned.patch new file mode 100644 index 00000000000..96648074164 --- /dev/null +++ b/queue-4.4/crypto-ccp-don-t-assume-export-import-areas-are-aligned.patch @@ -0,0 +1,121 @@ +From b31dde2a5cb1bf764282abf934266b7193c2bc7c Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Tue, 2 Feb 2016 11:38:21 -0600 +Subject: crypto: ccp - Don't assume export/import areas are aligned + +From: Tom Lendacky + +commit b31dde2a5cb1bf764282abf934266b7193c2bc7c upstream. + +Use a local variable for the exported and imported state so that +alignment is not an issue. On export, set a local variable from the +request context and then memcpy the contents of the local variable to +the export memory area. On import, memcpy the import memory area into +a local variable and then use the local variable to set the request +context. + +Signed-off-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-crypto-aes-cmac.c | 26 ++++++++++++++--------- + drivers/crypto/ccp/ccp-crypto-sha.c | 34 ++++++++++++++++++------------- + 2 files changed, 36 insertions(+), 24 deletions(-) + +--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c ++++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c +@@ -223,12 +223,15 @@ static int ccp_aes_cmac_digest(struct ah + static int ccp_aes_cmac_export(struct ahash_request *req, void *out) + { + struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req); +- struct ccp_aes_cmac_exp_ctx *state = out; ++ struct ccp_aes_cmac_exp_ctx state; + +- state->null_msg = rctx->null_msg; +- memcpy(state->iv, rctx->iv, sizeof(state->iv)); +- state->buf_count = rctx->buf_count; +- memcpy(state->buf, rctx->buf, sizeof(state->buf)); ++ state.null_msg = rctx->null_msg; ++ memcpy(state.iv, rctx->iv, sizeof(state.iv)); ++ state.buf_count = rctx->buf_count; ++ memcpy(state.buf, rctx->buf, sizeof(state.buf)); ++ ++ /* 'out' may not be aligned so memcpy from local variable */ ++ memcpy(out, &state, sizeof(state)); + + return 0; + } +@@ -236,12 +239,15 @@ static int ccp_aes_cmac_export(struct ah + static int ccp_aes_cmac_import(struct ahash_request *req, const void *in) + { + struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req); +- const struct ccp_aes_cmac_exp_ctx *state = in; ++ struct ccp_aes_cmac_exp_ctx state; ++ ++ /* 'in' may not be aligned so memcpy to local variable */ ++ memcpy(&state, in, sizeof(state)); + +- rctx->null_msg = state->null_msg; +- memcpy(rctx->iv, state->iv, sizeof(rctx->iv)); +- rctx->buf_count = state->buf_count; +- memcpy(rctx->buf, state->buf, sizeof(rctx->buf)); ++ rctx->null_msg = state.null_msg; ++ memcpy(rctx->iv, state.iv, sizeof(rctx->iv)); ++ rctx->buf_count = state.buf_count; ++ memcpy(rctx->buf, state.buf, sizeof(rctx->buf)); + + return 0; + } +--- a/drivers/crypto/ccp/ccp-crypto-sha.c ++++ b/drivers/crypto/ccp/ccp-crypto-sha.c +@@ -210,14 +210,17 @@ static int ccp_sha_digest(struct ahash_r + static int ccp_sha_export(struct ahash_request *req, void *out) + { + struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req); +- struct ccp_sha_exp_ctx *state = out; ++ struct ccp_sha_exp_ctx state; + +- state->type = rctx->type; +- state->msg_bits = rctx->msg_bits; +- state->first = rctx->first; +- memcpy(state->ctx, rctx->ctx, sizeof(state->ctx)); +- state->buf_count = rctx->buf_count; +- memcpy(state->buf, rctx->buf, sizeof(state->buf)); ++ state.type = rctx->type; ++ state.msg_bits = rctx->msg_bits; ++ state.first = rctx->first; ++ memcpy(state.ctx, rctx->ctx, sizeof(state.ctx)); ++ state.buf_count = rctx->buf_count; ++ memcpy(state.buf, rctx->buf, sizeof(state.buf)); ++ ++ /* 'out' may not be aligned so memcpy from local variable */ ++ memcpy(out, &state, sizeof(state)); + + return 0; + } +@@ -225,14 +228,17 @@ static int ccp_sha_export(struct ahash_r + static int ccp_sha_import(struct ahash_request *req, const void *in) + { + struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req); +- const struct ccp_sha_exp_ctx *state = in; ++ struct ccp_sha_exp_ctx state; ++ ++ /* 'in' may not be aligned so memcpy to local variable */ ++ memcpy(&state, in, sizeof(state)); + +- rctx->type = state->type; +- rctx->msg_bits = state->msg_bits; +- rctx->first = state->first; +- memcpy(rctx->ctx, state->ctx, sizeof(rctx->ctx)); +- rctx->buf_count = state->buf_count; +- memcpy(rctx->buf, state->buf, sizeof(rctx->buf)); ++ rctx->type = state.type; ++ rctx->msg_bits = state.msg_bits; ++ rctx->first = state.first; ++ memcpy(rctx->ctx, state.ctx, sizeof(rctx->ctx)); ++ rctx->buf_count = state.buf_count; ++ memcpy(rctx->buf, state.buf, sizeof(rctx->buf)); + + return 0; + } diff --git a/queue-4.4/crypto-ccp-limit-the-amount-of-information-exported.patch b/queue-4.4/crypto-ccp-limit-the-amount-of-information-exported.patch new file mode 100644 index 00000000000..c5db192df10 --- /dev/null +++ b/queue-4.4/crypto-ccp-limit-the-amount-of-information-exported.patch @@ -0,0 +1,147 @@ +From d1662165ae612ec8b5f94a6b07e65ea58b6dce34 Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Fri, 29 Jan 2016 12:45:14 -0600 +Subject: crypto: ccp - Limit the amount of information exported + +From: Tom Lendacky + +commit d1662165ae612ec8b5f94a6b07e65ea58b6dce34 upstream. + +Since the exported information can be exposed to user-space, instead of +exporting the entire request context only export the minimum information +needed. + +Signed-off-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-crypto-aes-cmac.c | 16 +++++++++++----- + drivers/crypto/ccp/ccp-crypto-sha.c | 20 +++++++++++++++----- + drivers/crypto/ccp/ccp-crypto.h | 22 ++++++++++++++++++++++ + 3 files changed, 48 insertions(+), 10 deletions(-) + +--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c ++++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c +@@ -223,9 +223,12 @@ static int ccp_aes_cmac_digest(struct ah + static int ccp_aes_cmac_export(struct ahash_request *req, void *out) + { + struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req); +- struct ccp_aes_cmac_req_ctx *state = out; ++ struct ccp_aes_cmac_exp_ctx *state = out; + +- *state = *rctx; ++ state->null_msg = rctx->null_msg; ++ memcpy(state->iv, rctx->iv, sizeof(state->iv)); ++ state->buf_count = rctx->buf_count; ++ memcpy(state->buf, rctx->buf, sizeof(state->buf)); + + return 0; + } +@@ -233,9 +236,12 @@ static int ccp_aes_cmac_export(struct ah + static int ccp_aes_cmac_import(struct ahash_request *req, const void *in) + { + struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req); +- const struct ccp_aes_cmac_req_ctx *state = in; ++ const struct ccp_aes_cmac_exp_ctx *state = in; + +- *rctx = *state; ++ rctx->null_msg = state->null_msg; ++ memcpy(rctx->iv, state->iv, sizeof(rctx->iv)); ++ rctx->buf_count = state->buf_count; ++ memcpy(rctx->buf, state->buf, sizeof(rctx->buf)); + + return 0; + } +@@ -378,7 +384,7 @@ int ccp_register_aes_cmac_algs(struct li + + halg = &alg->halg; + halg->digestsize = AES_BLOCK_SIZE; +- halg->statesize = sizeof(struct ccp_aes_cmac_req_ctx); ++ halg->statesize = sizeof(struct ccp_aes_cmac_exp_ctx); + + base = &halg->base; + snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "cmac(aes)"); +--- a/drivers/crypto/ccp/ccp-crypto-sha.c ++++ b/drivers/crypto/ccp/ccp-crypto-sha.c +@@ -210,9 +210,14 @@ static int ccp_sha_digest(struct ahash_r + static int ccp_sha_export(struct ahash_request *req, void *out) + { + struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req); +- struct ccp_sha_req_ctx *state = out; ++ struct ccp_sha_exp_ctx *state = out; + +- *state = *rctx; ++ state->type = rctx->type; ++ state->msg_bits = rctx->msg_bits; ++ state->first = rctx->first; ++ memcpy(state->ctx, rctx->ctx, sizeof(state->ctx)); ++ state->buf_count = rctx->buf_count; ++ memcpy(state->buf, rctx->buf, sizeof(state->buf)); + + return 0; + } +@@ -220,9 +225,14 @@ static int ccp_sha_export(struct ahash_r + static int ccp_sha_import(struct ahash_request *req, const void *in) + { + struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req); +- const struct ccp_sha_req_ctx *state = in; ++ const struct ccp_sha_exp_ctx *state = in; + +- *rctx = *state; ++ rctx->type = state->type; ++ rctx->msg_bits = state->msg_bits; ++ rctx->first = state->first; ++ memcpy(rctx->ctx, state->ctx, sizeof(rctx->ctx)); ++ rctx->buf_count = state->buf_count; ++ memcpy(rctx->buf, state->buf, sizeof(rctx->buf)); + + return 0; + } +@@ -428,7 +438,7 @@ static int ccp_register_sha_alg(struct l + + halg = &alg->halg; + halg->digestsize = def->digest_size; +- halg->statesize = sizeof(struct ccp_sha_req_ctx); ++ halg->statesize = sizeof(struct ccp_sha_exp_ctx); + + base = &halg->base; + snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "%s", def->name); +--- a/drivers/crypto/ccp/ccp-crypto.h ++++ b/drivers/crypto/ccp/ccp-crypto.h +@@ -129,6 +129,15 @@ struct ccp_aes_cmac_req_ctx { + struct ccp_cmd cmd; + }; + ++struct ccp_aes_cmac_exp_ctx { ++ unsigned int null_msg; ++ ++ u8 iv[AES_BLOCK_SIZE]; ++ ++ unsigned int buf_count; ++ u8 buf[AES_BLOCK_SIZE]; ++}; ++ + /***** SHA related defines *****/ + #define MAX_SHA_CONTEXT_SIZE SHA256_DIGEST_SIZE + #define MAX_SHA_BLOCK_SIZE SHA256_BLOCK_SIZE +@@ -171,6 +180,19 @@ struct ccp_sha_req_ctx { + struct ccp_cmd cmd; + }; + ++struct ccp_sha_exp_ctx { ++ enum ccp_sha_type type; ++ ++ u64 msg_bits; ++ ++ unsigned int first; ++ ++ u8 ctx[MAX_SHA_CONTEXT_SIZE]; ++ ++ unsigned int buf_count; ++ u8 buf[MAX_SHA_BLOCK_SIZE]; ++}; ++ + /***** Common Context Structure *****/ + struct ccp_ctx { + int (*complete)(struct crypto_async_request *req, int ret); diff --git a/queue-4.4/crypto-ccp-memset-request-context-to-zero-during-import.patch b/queue-4.4/crypto-ccp-memset-request-context-to-zero-during-import.patch new file mode 100644 index 00000000000..db70c130ce8 --- /dev/null +++ b/queue-4.4/crypto-ccp-memset-request-context-to-zero-during-import.patch @@ -0,0 +1,43 @@ +From ce0ae266feaf35930394bd770c69778e4ef03ba9 Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Thu, 25 Feb 2016 16:48:13 -0600 +Subject: crypto: ccp - memset request context to zero during import + +From: Tom Lendacky + +commit ce0ae266feaf35930394bd770c69778e4ef03ba9 upstream. + +Since a crypto_ahash_import() can be called against a request context +that has not had a crypto_ahash_init() performed, the request context +needs to be cleared to insure there is no random data present. If not, +the random data can result in a kernel oops during crypto_ahash_update(). + +Signed-off-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-crypto-aes-cmac.c | 1 + + drivers/crypto/ccp/ccp-crypto-sha.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c ++++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c +@@ -244,6 +244,7 @@ static int ccp_aes_cmac_import(struct ah + /* 'in' may not be aligned so memcpy to local variable */ + memcpy(&state, in, sizeof(state)); + ++ memset(rctx, 0, sizeof(*rctx)); + rctx->null_msg = state.null_msg; + memcpy(rctx->iv, state.iv, sizeof(rctx->iv)); + rctx->buf_count = state.buf_count; +--- a/drivers/crypto/ccp/ccp-crypto-sha.c ++++ b/drivers/crypto/ccp/ccp-crypto-sha.c +@@ -233,6 +233,7 @@ static int ccp_sha_import(struct ahash_r + /* 'in' may not be aligned so memcpy to local variable */ + memcpy(&state, in, sizeof(state)); + ++ memset(rctx, 0, sizeof(*rctx)); + rctx->type = state.type; + rctx->msg_bits = state.msg_bits; + rctx->first = state.first; diff --git a/queue-4.4/crypto-keywrap-memzero-the-correct-memory.patch b/queue-4.4/crypto-keywrap-memzero-the-correct-memory.patch new file mode 100644 index 00000000000..bf7665d36b1 --- /dev/null +++ b/queue-4.4/crypto-keywrap-memzero-the-correct-memory.patch @@ -0,0 +1,43 @@ +From 2b8b28fd232233c22fb61009dd8b0587390d2875 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sat, 30 Jan 2016 17:38:28 +0300 +Subject: crypto: keywrap - memzero the correct memory + +From: Dan Carpenter + +commit 2b8b28fd232233c22fb61009dd8b0587390d2875 upstream. + +We're clearing the wrong memory. The memory corruption is likely +harmless because we weren't going to use that stack memory again but not +zeroing is a potential information leak. + +Fixes: e28facde3c39 ('crypto: keywrap - add key wrapping block chaining mode') +Signed-off-by: Dan Carpenter +Acked-by: Stephan Mueller +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/keywrap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/crypto/keywrap.c ++++ b/crypto/keywrap.c +@@ -212,7 +212,7 @@ static int crypto_kw_decrypt(struct blkc + SEMIBSIZE)) + ret = -EBADMSG; + +- memzero_explicit(&block, sizeof(struct crypto_kw_block)); ++ memzero_explicit(block, sizeof(struct crypto_kw_block)); + + return ret; + } +@@ -297,7 +297,7 @@ static int crypto_kw_encrypt(struct blkc + /* establish the IV for the caller to pick up */ + memcpy(desc->info, block->A, SEMIBSIZE); + +- memzero_explicit(&block, sizeof(struct crypto_kw_block)); ++ memzero_explicit(block, sizeof(struct crypto_kw_block)); + + return 0; + } diff --git a/queue-4.4/crypto-marvell-cesa-forward-devm_ioremap_resource-error-code.patch b/queue-4.4/crypto-marvell-cesa-forward-devm_ioremap_resource-error-code.patch new file mode 100644 index 00000000000..8f3229b5146 --- /dev/null +++ b/queue-4.4/crypto-marvell-cesa-forward-devm_ioremap_resource-error-code.patch @@ -0,0 +1,33 @@ +From dfe97ad30e8c038261663a18b9e04b8b5bc07bea Mon Sep 17 00:00:00 2001 +From: Boris BREZILLON +Date: Thu, 17 Mar 2016 10:47:10 +0100 +Subject: crypto: marvell/cesa - forward devm_ioremap_resource() error code + +From: Boris BREZILLON + +commit dfe97ad30e8c038261663a18b9e04b8b5bc07bea upstream. + +Forward devm_ioremap_resource() error code instead of returning +-ENOMEM. + +Signed-off-by: Boris Brezillon +Reported-by: Russell King - ARM Linux +Fixes: f63601fd616a ("crypto: marvell/cesa - add a new driver for Marvell's CESA") +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/marvell/cesa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/marvell/cesa.c ++++ b/drivers/crypto/marvell/cesa.c +@@ -420,7 +420,7 @@ static int mv_cesa_probe(struct platform + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "regs"); + cesa->regs = devm_ioremap_resource(dev, res); + if (IS_ERR(cesa->regs)) +- return -ENOMEM; ++ return PTR_ERR(cesa->regs); + + ret = mv_cesa_dev_dma_init(cesa); + if (ret) diff --git a/queue-4.4/crypto-ux500-fix-checks-of-error-code-returned-by-devm_ioremap_resource.patch b/queue-4.4/crypto-ux500-fix-checks-of-error-code-returned-by-devm_ioremap_resource.patch new file mode 100644 index 00000000000..e7f217c74c4 --- /dev/null +++ b/queue-4.4/crypto-ux500-fix-checks-of-error-code-returned-by-devm_ioremap_resource.patch @@ -0,0 +1,53 @@ +From b62917a2622ebcb03a500ef20da47be80d8c8951 Mon Sep 17 00:00:00 2001 +From: Vladimir Zapolskiy +Date: Sun, 6 Mar 2016 03:22:04 +0200 +Subject: crypto: ux500 - fix checks of error code returned by devm_ioremap_resource() + +From: Vladimir Zapolskiy + +commit b62917a2622ebcb03a500ef20da47be80d8c8951 upstream. + +The change fixes potential oops while accessing iomem on invalid +address, if devm_ioremap_resource() fails due to some reason. + +The devm_ioremap_resource() function returns ERR_PTR() and never +returns NULL, which makes useless a following check for NULL. + +Signed-off-by: Vladimir Zapolskiy +Fixes: 5a4eea2658c93 ("crypto: ux500 - Use devm_xxx() managed function") +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ux500/cryp/cryp_core.c | 4 ++-- + drivers/crypto/ux500/hash/hash_core.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/crypto/ux500/cryp/cryp_core.c ++++ b/drivers/crypto/ux500/cryp/cryp_core.c +@@ -1440,9 +1440,9 @@ static int ux500_cryp_probe(struct platf + + device_data->phybase = res->start; + device_data->base = devm_ioremap_resource(dev, res); +- if (!device_data->base) { ++ if (IS_ERR(device_data->base)) { + dev_err(dev, "[%s]: ioremap failed!", __func__); +- ret = -ENOMEM; ++ ret = PTR_ERR(device_data->base); + goto out; + } + +--- a/drivers/crypto/ux500/hash/hash_core.c ++++ b/drivers/crypto/ux500/hash/hash_core.c +@@ -1675,9 +1675,9 @@ static int ux500_hash_probe(struct platf + + device_data->phybase = res->start; + device_data->base = devm_ioremap_resource(dev, res); +- if (!device_data->base) { ++ if (IS_ERR(device_data->base)) { + dev_err(dev, "%s: ioremap() failed!\n", __func__); +- ret = -ENOMEM; ++ ret = PTR_ERR(device_data->base); + goto out; + } + spin_lock_init(&device_data->ctx_lock); diff --git a/queue-4.4/mei-bus-check-if-the-device-is-enabled-before-data-transfer.patch b/queue-4.4/mei-bus-check-if-the-device-is-enabled-before-data-transfer.patch new file mode 100644 index 00000000000..5760950fb3d --- /dev/null +++ b/queue-4.4/mei-bus-check-if-the-device-is-enabled-before-data-transfer.patch @@ -0,0 +1,45 @@ +From 15c13dfcad883a1e76b714480fb27be96247fd82 Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Sun, 7 Feb 2016 23:35:32 +0200 +Subject: mei: bus: check if the device is enabled before data transfer + +From: Alexander Usyskin + +commit 15c13dfcad883a1e76b714480fb27be96247fd82 upstream. + +The bus data transfer interface was missing the check if the device is +in enabled state, this may lead to stack corruption during link reset. + +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/bus.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/misc/mei/bus.c ++++ b/drivers/misc/mei/bus.c +@@ -53,6 +53,11 @@ ssize_t __mei_cl_send(struct mei_cl *cl, + bus = cl->dev; + + mutex_lock(&bus->device_lock); ++ if (bus->dev_state != MEI_DEV_ENABLED) { ++ rets = -ENODEV; ++ goto out; ++ } ++ + if (!mei_cl_is_connected(cl)) { + rets = -ENODEV; + goto out; +@@ -109,6 +114,10 @@ ssize_t __mei_cl_recv(struct mei_cl *cl, + bus = cl->dev; + + mutex_lock(&bus->device_lock); ++ if (bus->dev_state != MEI_DEV_ENABLED) { ++ rets = -ENODEV; ++ goto out; ++ } + + cb = mei_cl_read_cb(cl, NULL); + if (cb) diff --git a/queue-4.4/series b/queue-4.4/series index 7777d24df47..53b9e154e77 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -71,3 +71,13 @@ alsa-usb-audio-fix-double-free-in-error-paths-after-snd_usb_add_audio_stream-cal bluetooth-btusb-add-new-ar3012-id-13d3-3395.patch bluetooth-btusb-add-a-new-ar3012-id-04ca-3014.patch bluetooth-btusb-add-a-new-ar3012-id-13d3-3472.patch +crypto-ccp-add-hash-state-import-and-export-support.patch +crypto-ccp-limit-the-amount-of-information-exported.patch +crypto-ccp-don-t-assume-export-import-areas-are-aligned.patch +crypto-ccp-memset-request-context-to-zero-during-import.patch +crypto-keywrap-memzero-the-correct-memory.patch +crypto-atmel-fix-checks-of-error-code-returned-by-devm_ioremap_resource.patch +crypto-ux500-fix-checks-of-error-code-returned-by-devm_ioremap_resource.patch +crypto-marvell-cesa-forward-devm_ioremap_resource-error-code.patch +x.509-fix-leap-year-handling-again.patch +mei-bus-check-if-the-device-is-enabled-before-data-transfer.patch diff --git a/queue-4.4/x.509-fix-leap-year-handling-again.patch b/queue-4.4/x.509-fix-leap-year-handling-again.patch new file mode 100644 index 00000000000..3d7b4a2a8f7 --- /dev/null +++ b/queue-4.4/x.509-fix-leap-year-handling-again.patch @@ -0,0 +1,62 @@ +From ac4cbedfdf55455b4c447f17f0fa027dbf02b2a6 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 24 Feb 2016 14:37:15 +0000 +Subject: X.509: Fix leap year handling again + +From: David Howells + +commit ac4cbedfdf55455b4c447f17f0fa027dbf02b2a6 upstream. + +There are still a couple of minor issues in the X.509 leap year handling: + + (1) To avoid doing a modulus-by-400 in addition to a modulus-by-100 when + determining whether the year is a leap year or not, I divided the year + by 100 after doing the modulus-by-100, thereby letting the compiler do + one instruction for both, and then did a modulus-by-4. + + Unfortunately, I then passed the now-modified year value to mktime64() + to construct a time value. + + Since this isn't a fast path and since mktime64() does a bunch of + divisions, just condense down to "% 400". It's also easier to read. + + (2) The default month length for any February where the year doesn't + divide by four exactly is obtained from the month_length[] array where + the value is 29, not 28. + + This is fixed by altering the table. + +Reported-by: Rudolf Polzer +Signed-off-by: David Howells +Acked-by: David Woodhouse +Acked-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/asymmetric_keys/x509_cert_parser.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/crypto/asymmetric_keys/x509_cert_parser.c ++++ b/crypto/asymmetric_keys/x509_cert_parser.c +@@ -494,7 +494,7 @@ int x509_decode_time(time64_t *_t, size + unsigned char tag, + const unsigned char *value, size_t vlen) + { +- static const unsigned char month_lengths[] = { 31, 29, 31, 30, 31, 30, ++ static const unsigned char month_lengths[] = { 31, 28, 31, 30, 31, 30, + 31, 31, 30, 31, 30, 31 }; + const unsigned char *p = value; + unsigned year, mon, day, hour, min, sec, mon_len; +@@ -540,9 +540,9 @@ int x509_decode_time(time64_t *_t, size + if (year % 4 == 0) { + mon_len = 29; + if (year % 100 == 0) { +- year /= 100; +- if (year % 4 != 0) +- mon_len = 28; ++ mon_len = 28; ++ if (year % 400 == 0) ++ mon_len = 29; + } + } + }