From: Greg Kroah-Hartman Date: Thu, 30 Jan 2020 14:44:54 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v5.5.1~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5136c3d9865fdf7a6e7f891c3862436250f7959f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch crypto-caam-do-not-reset-pointer-size-from-mcfgr-register.patch crypto-pcrypt-fix-user-after-free-on-module-unload.patch crypto-vmx-reject-xts-inputs-that-are-too-short.patch rsi-fix-memory-leak-on-failed-urb-submission.patch rsi-fix-non-atomic-allocation-in-completion-handler.patch rsi-fix-use-after-free-on-failed-probe-and-unbind.patch rsi-fix-use-after-free-on-probe-errors.patch
---
diff --git a/queue-5.4/crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch b/queue-5.4/crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch
new file mode 100644
index 00000000000..af6a61289b9
--- /dev/null
+++ b/queue-5.4/crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch
@@ -0,0 +1,43 @@
+From 37f96694cf73ba116993a9d2d99ad6a75fa7fdb0 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Thu, 5 Dec 2019 13:45:05 +0800
+Subject: crypto: af_alg - Use bh_lock_sock in sk_destruct
+
+From: Herbert Xu
+
+commit 37f96694cf73ba116993a9d2d99ad6a75fa7fdb0 upstream.
+
+As af_alg_release_parent may be called from BH context (most notably
+due to an async request that only completes after socket closure,
+or as reported here because of an RCU-delayed sk_destruct call), we
+must use bh_lock_sock instead of lock_sock.
+
+Reported-by: syzbot+c2f1558d49e25cc36e5e@syzkaller.appspotmail.com
+Reported-by: Eric Dumazet
+Fixes: c840ac6af3f8 ("crypto: af_alg - Disallow bind/setkey/...")
+Cc:
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/af_alg.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -134,11 +134,13 @@ void af_alg_release_parent(struct sock *
+ sk = ask->parent;
+ ask = alg_sk(sk);
+
+- lock_sock(sk);
++ local_bh_disable();
++ bh_lock_sock(sk);
+ ask->nokey_refcnt -= nokey;
+ if (!last)
+ last = !--ask->refcnt;
+- release_sock(sk);
++ bh_unlock_sock(sk);
++ local_bh_enable();
+
+ if (last)
+ sock_put(sk);
diff --git a/queue-5.4/crypto-caam-do-not-reset-pointer-size-from-mcfgr-register.patch b/queue-5.4/crypto-caam-do-not-reset-pointer-size-from-mcfgr-register.patch
new file mode 100644
index 00000000000..2e2150cbcf9
--- /dev/null
+++ b/queue-5.4/crypto-caam-do-not-reset-pointer-size-from-mcfgr-register.patch
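Review bot: In af_alg_release_parent(), `bh_lock_sock(sk);` takes only the socket spinlock and nothing here checks sock_owned_by_user(), so a process-context holder of lock_sock() on the parent is not excluded while `ask->nokey_refcnt -= nokey;` and `last = !--ask->refcnt;` run. If any other path updates these counters under lock_sock() (not visible in this hunk), the plain decrements can race and the final `sock_put(sk)` may be issued at the wrong time. Making both counters atomic, or deferring the update when the socket is owned, would close that gap; at minimum add a comment above the lock such as `/* BH path: only the spinlock is held, a lock_sock() owner is not excluded */`. The function starts before the hunk.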
@@ -0,0 +1,46 @@
+From 7278fa25aa0ebcc0e62c39b12071069df13f7e77 Mon Sep 17 00:00:00 2001
+From: Iuliana Prodan
+Date: Wed, 27 Nov 2019 00:54:26 +0200
+Subject: crypto: caam - do not reset pointer size from MCFGR register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Iuliana Prodan
+
+commit 7278fa25aa0ebcc0e62c39b12071069df13f7e77 upstream.
+
+In commit 'a1cf573ee95 ("crypto: caam - select DMA address size at runtime")'
+CAAM pointer size (caam_ptr_size) is changed from
+sizeof(dma_addr_t) to runtime value computed from MCFGR register.
+Therefore, do not reset MCFGR[PS].
+
+Fixes: a1cf573ee95 ("crypto: caam - select DMA address size at runtime")
+Signed-off-by: Iuliana Prodan
+Cc:
+Cc: Andrey Smirnov
+Cc: Alison Wang
+Reviewed-by: Horia Geantă
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/caam/ctrl.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/caam/ctrl.c
++++ b/drivers/crypto/caam/ctrl.c
+@@ -685,11 +685,9 @@ static int caam_probe(struct platform_de
+ of_node_put(np);
+
+ if (!ctrlpriv->mc_en)
+- clrsetbits_32(&ctrl->mcr, MCFGR_AWCACHE_MASK | MCFGR_LONG_PTR,
++ clrsetbits_32(&ctrl->mcr, MCFGR_AWCACHE_MASK,
+ MCFGR_AWCACHE_CACH | MCFGR_AWCACHE_BUFF |
+- MCFGR_WDENABLE | MCFGR_LARGE_BURST |
+- (sizeof(dma_addr_t) == sizeof(u64) ?
+- MCFGR_LONG_PTR : 0));
++ MCFGR_WDENABLE | MCFGR_LARGE_BURST);
+
+ handle_imx6_err005766(&ctrl->mcr);
+
diff --git a/queue-5.4/crypto-pcrypt-fix-user-after-free-on-module-unload.patch b/queue-5.4/crypto-pcrypt-fix-user-after-free-on-module-unload.patch
new file mode 100644
index 00000000000..eedf564d47c
--- /dev/null
+++ b/queue-5.4/crypto-pcrypt-fix-user-after-free-on-module-unload.patch
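Review bot: The `clrsetbits_32(&ctrl->mcr, ...)` call in caam_probe() now leaves MCFGR_LONG_PTR untouched, but nothing at the call site says that this is deliberate, so a later cleanup could easily put the bit back into the mask. A short comment above the call would record the dependency, for example `/* MCFGR[PS] is left as found: caam_ptr_size is derived from it at runtime */`. The multi-line call is also the unbraced body of `if (!ctrlpriv->mc_en)`; adding braces would make the extent of the conditional obvious. caam_probe() starts and ends outside the hunk.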
@@ -0,0 +1,39 @@
+From 07bfd9bdf568a38d9440c607b72342036011f727 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Tue, 19 Nov 2019 17:41:31 +0800
+Subject: crypto: pcrypt - Fix user-after-free on module unload
+
+From: Herbert Xu
+
+commit 07bfd9bdf568a38d9440c607b72342036011f727 upstream.
+
+On module unload of pcrypt we must unregister the crypto algorithms
+first and then tear down the padata structure. As otherwise the
+crypto algorithms are still alive and can be used while the padata
+structure is being freed.
+
+Fixes: 5068c7a883d1 ("crypto: pcrypt - Add pcrypt crypto...")
+Cc:
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/pcrypt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/crypto/pcrypt.c
++++ b/crypto/pcrypt.c
+@@ -362,11 +362,12 @@ err:
+
+ static void __exit pcrypt_exit(void)
+ {
++ crypto_unregister_template(&pcrypt_tmpl);
++
+ pcrypt_fini_padata(pencrypt);
+ pcrypt_fini_padata(pdecrypt);
+
+ kset_unregister(pcrypt_kset);
+- crypto_unregister_template(&pcrypt_tmpl);
+ }
+
+ subsys_initcall(pcrypt_init);
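Review bot: pcrypt_exit() now depends on statement order for memory safety, yet the code carries no comment saying so; the reason lives only in the commit message. Add a line above the first call, for example `/* Unregister the template first so no pcrypt instance can run while padata is torn down. */`, so the calls are not regrouped later. It is also worth checking that the error path of pcrypt_init() (only its `err:` label is visible here) unwinds in a compatible order.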
@@ -0,0 +1,49 @@
+From 1372a51b88fa0d5a8ed2803e4975c98da3f08463 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens
+Date: Wed, 8 Jan 2020 16:06:46 +1100
+Subject: crypto: vmx - reject xts inputs that are too short
+
+From: Daniel Axtens
+
+commit 1372a51b88fa0d5a8ed2803e4975c98da3f08463 upstream.
+
+When the kernel XTS implementation was extended to deal with ciphertext
+stealing in commit 8083b1bf8163 ("crypto: xts - add support for ciphertext
+stealing"), a check was added to reject inputs that were too short.
+
+However, in the vmx enablement - commit 239668419349 ("crypto: vmx/xts -
+use fallback for ciphertext stealing"), that check wasn't added to the
+vmx implementation. This disparity leads to errors like the following:
+
+alg: skcipher: p8_aes_xts encryption unexpectedly succeeded on test vector "random: len=0 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_finup src_divs=[66.99%@+10, 33.1%@alignmask+1155]"
+
+Return -EINVAL if asked to operate with a cryptlen smaller than the AES
+block size. This brings vmx in line with the generic implementation.
+
+Reported-by: Erhard Furtner
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=206049
+Fixes: 239668419349 ("crypto: vmx/xts - use fallback for ciphertext stealing")
+Cc: Ard Biesheuvel
+Cc: stable@vger.kernel.org # v5.4+
+Signed-off-by: Michael Ellerman
+[dja: commit message]
+Signed-off-by: Daniel Axtens
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/vmx/aes_xts.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/crypto/vmx/aes_xts.c
++++ b/drivers/crypto/vmx/aes_xts.c
+@@ -84,6 +84,9 @@ static int p8_aes_xts_crypt(struct skcip
+ u8 tweak[AES_BLOCK_SIZE];
+ int ret;
+
++ if (req->cryptlen < AES_BLOCK_SIZE)
++ return -EINVAL;
++
+ if (!crypto_simd_usable() || (req->cryptlen % XTS_BLOCK_SIZE) != 0) {
+ struct skcipher_request *subreq = skcipher_request_ctx(req);
+
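Review bot: The new length guard in p8_aes_xts_crypt() compares against AES_BLOCK_SIZE while the condition right below it uses XTS_BLOCK_SIZE for the same quantity, which makes a reader wonder whether two different limits are intended. Using one constant in both places reads more clearly, `if (req->cryptlen < XTS_BLOCK_SIZE)`, and a one-line comment such as `/* XTS needs at least one full block, also on the fallback path */` would explain why the check sits ahead of the fallback branch. The function continues past the end of the hunk.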
diff --git a/queue-5.4/rsi-fix-memory-leak-on-failed-urb-submission.patch b/queue-5.4/rsi-fix-memory-leak-on-failed-urb-submission.patch
new file mode 100644
index 00000000000..eb63d28b35f
--- /dev/null
+++ b/queue-5.4/rsi-fix-memory-leak-on-failed-urb-submission.patch
@@ -0,0 +1,37 @@
+From 47768297481184932844ab01a86752ba31a38861 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 28 Nov 2019 18:22:02 +0100
+Subject: rsi: fix memory leak on failed URB submission
+
+From: Johan Hovold
+
+commit 47768297481184932844ab01a86752ba31a38861 upstream.
+
+Make sure to free the skb on failed receive-URB submission (e.g. on
+disconnect or currently also due to a missing endpoint).
+
+Fixes: a1854fae1414 ("rsi: improve RX packet handling in USB interface")
+Cc: stable # 4.17
+Cc: Prameela Rani Garnepudi
+Signed-off-by: Johan Hovold
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -338,8 +338,10 @@ static int rsi_rx_urb_submit(struct rsi_
+ rx_cb);
+
+ status = usb_submit_urb(urb, GFP_KERNEL);
+- if (status)
++ if (status) {
+ rsi_dbg(ERR_ZONE, "%s: Failed in urb submission\n", __func__);
++ dev_kfree_skb(skb);
++ }
+
+ return status;
+ }
diff --git a/queue-5.4/rsi-fix-non-atomic-allocation-in-completion-handler.patch b/queue-5.4/rsi-fix-non-atomic-allocation-in-completion-handler.patch
new file mode 100644
index 00000000000..63cb2ed4fbf
--- /dev/null
+++ b/queue-5.4/rsi-fix-non-atomic-allocation-in-completion-handler.patch
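Review bot: After the added `dev_kfree_skb(skb);` in rsi_rx_urb_submit(), any copy of that pointer kept in the RX control block is left dangling. The assignment is outside this hunk, but hunks elsewhere on this page show rsi_rx_done_handler() calling rsi_rx_urb_submit() and then running `dev_kfree_skb(rx_cb->rx_skb);` when `status` is set, so if the submit function stores the new skb in `rx_cb->rx_skb`, a failed resubmission on that path would free the same buffer twice. Worth confirming against the full function; clearing the stored pointer next to the free (`rx_cb->rx_skb = NULL;`) or reordering the handler so it releases the old skb before resubmitting would remove the doubt.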
@@ -0,0 +1,84 @@
+From b9b9f9fea21830f85cf0148cd8dce001ae55ead1 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 28 Nov 2019 18:22:03 +0100
+Subject: rsi: fix non-atomic allocation in completion handler
+
+From: Johan Hovold
+
+commit b9b9f9fea21830f85cf0148cd8dce001ae55ead1 upstream.
+
+USB completion handlers are called in atomic context and must
+specifically not allocate memory using GFP_KERNEL.
+
+Fixes: a1854fae1414 ("rsi: improve RX packet handling in USB interface")
+Cc: stable # 4.17
+Cc: Prameela Rani Garnepudi
+Signed-off-by: Johan Hovold
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -16,6 +16,7 @@
+ */
+
+ #include
++#include
+ #include
+ #include "rsi_usb.h"
+ #include "rsi_hal.h"
+@@ -29,7 +30,7 @@ MODULE_PARM_DESC(dev_oper_mode,
+ "9[Wi-Fi STA + BT LE], 13[Wi-Fi STA + BT classic + BT LE]\n"
+ "6[AP + BT classic], 14[AP + BT classic + BT LE]");
+
+-static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num);
++static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num, gfp_t flags);
+
+ /**
+ * rsi_usb_card_write() - This function writes to the USB Card.
+@@ -285,7 +286,7 @@ static void rsi_rx_done_handler(struct u
+ status = 0;
+
+ out:
+- if (rsi_rx_urb_submit(dev->priv, rx_cb->ep_num))
++ if (rsi_rx_urb_submit(dev->priv, rx_cb->ep_num, GFP_ATOMIC))
+ rsi_dbg(ERR_ZONE, "%s: Failed in urb submission", __func__);
+
+ if (status)
+@@ -307,7 +308,7 @@ static void rsi_rx_urb_kill(struct rsi_h
+ *
+ * Return: 0 on success, a negative error code on failure.
+ */
+-static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num)
++static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num, gfp_t mem_flags)
+ {
+ struct rsi_91x_usbdev *dev = (struct rsi_91x_usbdev *)adapter->rsi_dev;
+ struct rx_usb_ctrl_block *rx_cb = &dev->rx_cb[ep_num - 1];
+@@ -337,7 +338,7 @@ static int rsi_rx_urb_submit(struct rsi_
+ rsi_rx_done_handler,
+ rx_cb);
+
+- status = usb_submit_urb(urb, GFP_KERNEL);
++ status = usb_submit_urb(urb, mem_flags);
+ if (status) {
+ rsi_dbg(ERR_ZONE, "%s: Failed in urb submission\n", __func__);
+ dev_kfree_skb(skb);
+@@ -827,12 +828,12 @@ static int rsi_probe(struct usb_interfac
+ rsi_dbg(INIT_ZONE, "%s: Device Init Done\n", __func__);
+ }
+
+- status = rsi_rx_urb_submit(adapter, WLAN_EP);
++ status = rsi_rx_urb_submit(adapter, WLAN_EP, GFP_KERNEL);
+ if (status)
+ goto err1;
+
+ if (adapter->priv->coex_mode > 1) {
+- status = rsi_rx_urb_submit(adapter, BT_EP);
++ status = rsi_rx_urb_submit(adapter, BT_EP, GFP_KERNEL);
+ if (status)
+ goto err_kill_wlan_urb;
+ }
diff --git a/queue-5.4/rsi-fix-use-after-free-on-failed-probe-and-unbind.patch b/queue-5.4/rsi-fix-use-after-free-on-failed-probe-and-unbind.patch
new file mode 100644
index 00000000000..36562983ab3
--- /dev/null
+++ b/queue-5.4/rsi-fix-use-after-free-on-failed-probe-and-unbind.patch
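Review bot: The new parameter of rsi_rx_urb_submit() is named `flags` in the forward declaration and `mem_flags` in the definition, and the kernel-doc block above the definition is not extended to describe it. Use one name in both places, e.g. `static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num, gfp_t mem_flags);`, and add a line such as ` * @mem_flags: Allocation flags passed to usb_submit_urb().` to the comment. Stating there that the completion handler must pass GFP_ATOMIC would keep the rule next to the code rather than only in the commit message.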
@@ -0,0 +1,72 @@
+From e93cd35101b61e4c79149be2cfc927c4b28dc60c Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 28 Nov 2019 18:22:00 +0100
+Subject: rsi: fix use-after-free on failed probe and unbind
+
+From: Johan Hovold
+
+commit e93cd35101b61e4c79149be2cfc927c4b28dc60c upstream.
+
+Make sure to stop both URBs before returning after failed probe as well
+as on disconnect to avoid use-after-free in the completion handler.
+
+Reported-by: syzbot+b563b7f8dbe8223a51e8@syzkaller.appspotmail.com
+Fixes: a4302bff28e2 ("rsi: add bluetooth rx endpoint")
+Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
+Cc: stable # 3.15
+Cc: Siva Rebbagondla
+Cc: Prameela Rani Garnepudi
+Cc: Amitkumar Karwar
+Cc: Fariya Fatima
+Signed-off-by: Johan Hovold
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -292,6 +292,15 @@ out:
+ dev_kfree_skb(rx_cb->rx_skb);
+ }
+
++static void rsi_rx_urb_kill(struct rsi_hw *adapter, u8 ep_num)
++{
++ struct rsi_91x_usbdev *dev = (struct rsi_91x_usbdev *)adapter->rsi_dev;
++ struct rx_usb_ctrl_block *rx_cb = &dev->rx_cb[ep_num - 1];
++ struct urb *urb = rx_cb->rx_urb;
++
++ usb_kill_urb(urb);
++}
++
+ /**
+ * rsi_rx_urb_submit() - This function submits the given URB to the USB stack.
+ * @adapter: Pointer to the adapter structure.
+@@ -823,10 +832,13 @@ static int rsi_probe(struct usb_interfac
+ if (adapter->priv->coex_mode > 1) {
+ status = rsi_rx_urb_submit(adapter, BT_EP);
+ if (status)
+- goto err1;
++ goto err_kill_wlan_urb;
+ }
+
+ return 0;
++
++err_kill_wlan_urb:
++ rsi_rx_urb_kill(adapter, WLAN_EP);
+ err1:
+ rsi_deinit_usb_interface(adapter);
+ err:
+@@ -857,6 +869,10 @@ static void rsi_disconnect(struct usb_in
+ adapter->priv->bt_adapter = NULL;
+ }
+
++ if (adapter->priv->coex_mode > 1)
++ rsi_rx_urb_kill(adapter, BT_EP);
++ rsi_rx_urb_kill(adapter, WLAN_EP);
++
+ rsi_reset_card(adapter);
+ rsi_deinit_usb_interface(adapter);
+ rsi_91x_deinit(adapter);
diff --git a/queue-5.4/rsi-fix-use-after-free-on-probe-errors.patch b/queue-5.4/rsi-fix-use-after-free-on-probe-errors.patch
new file mode 100644
index 00000000000..ac101a1fefa
--- /dev/null
+++ b/queue-5.4/rsi-fix-use-after-free-on-probe-errors.patch
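Review bot: In rsi_disconnect() the RX URBs are killed only after the earlier teardown steps (the context just above the added lines shows `adapter->priv->bt_adapter = NULL;`), so the completion handler can still run while those steps are in progress. Whether that is safe depends on code outside the hunk; if it is not, the two `rsi_rx_urb_kill()` calls belong at the top of the function, and if it is, a comment should say why this order is correct. The new helper rsi_rx_urb_kill() also has no kernel-doc although the functions around it do; something like `/** rsi_rx_urb_kill() - Cancel the RX URB of endpoint @ep_num and wait for its completion handler. */` would match the file. rsi_probe() and rsi_disconnect() both extend beyond their hunks.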
@@ -0,0 +1,73 @@
+From 92aafe77123ab478e5f5095878856ab0424910da Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 28 Nov 2019 18:22:01 +0100
+Subject: rsi: fix use-after-free on probe errors
+
+From: Johan Hovold
+
+commit 92aafe77123ab478e5f5095878856ab0424910da upstream.
+
+The driver would fail to stop the command timer in most error paths,
+something which specifically could lead to the timer being freed while
+still active on I/O errors during probe.
+
+Fix this by making sure that each function starting the timer also stops
+it in all relevant error paths.
+
+Reported-by: syzbot+1d1597a5aa3679c65b9f@syzkaller.appspotmail.com
+Fixes: b78e91bcfb33 ("rsi: Add new firmware loading method")
+Cc: stable # 4.12
+Cc: Prameela Rani Garnepudi
+Cc: Amitkumar Karwar
+Signed-off-by: Johan Hovold
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/rsi/rsi_91x_hal.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_hal.c
++++ b/drivers/net/wireless/rsi/rsi_91x_hal.c
+@@ -622,6 +622,7 @@ static int bl_cmd(struct rsi_hw *adapter
+ bl_start_cmd_timer(adapter, timeout);
+ status = bl_write_cmd(adapter, cmd, exp_resp, ®out_val);
+ if (status < 0) {
++ bl_stop_cmd_timer(adapter);
+ rsi_dbg(ERR_ZONE,
+ "%s: Command %s (%0x) writing failed..\n",
+ __func__, str, cmd);
+@@ -737,10 +738,9 @@ static int ping_pong_write(struct rsi_hw
+ }
+
+ status = bl_cmd(adapter, cmd_req, cmd_resp, str);
+- if (status) {
+- bl_stop_cmd_timer(adapter);
++ if (status)
+ return status;
+- }
++
+ return 0;
+ }
+
+@@ -828,10 +828,9 @@ static int auto_fw_upgrade(struct rsi_hw
+
+ status = bl_cmd(adapter, EOF_REACHED, FW_LOADING_SUCCESSFUL,
+ "EOF_REACHED");
+- if (status) {
+- bl_stop_cmd_timer(adapter);
++ if (status)
+ return status;
+- }
++
+ rsi_dbg(INFO_ZONE, "FW loading is done and FW is running..\n");
+ return 0;
+ }
+@@ -849,6 +848,7 @@ static int rsi_hal_prepare_fwload(struct
+ ®out_val,
+ RSI_COMMON_REG_SIZE);
+ if (status < 0) {
++ bl_stop_cmd_timer(adapter);
+ rsi_dbg(ERR_ZONE,
+ "%s: REGOUT read failed\n", __func__);
+ return status;
diff --git a/queue-5.4/series b/queue-5.4/series
index da9b63fc781..addcc69790a 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -97,3 +97,11 @@ alsa-hda-realtek-move-some-alc236-pintbls-to-fallbac.patch
 bluetooth-allow-combination-of-bdaddr_property-and-i.patch
 bluetooth-btbcm-use-the-bdaddr_property-quirk.patch
 bus-ti-sysc-fix-missing-force-mstandby-quirk-handlin.patch
+rsi-fix-use-after-free-on-failed-probe-and-unbind.patch
+rsi-fix-use-after-free-on-probe-errors.patch
+rsi-fix-memory-leak-on-failed-urb-submission.patch
+rsi-fix-non-atomic-allocation-in-completion-handler.patch
+crypto-af_alg-use-bh_lock_sock-in-sk_destruct.patch
+crypto-vmx-reject-xts-inputs-that-are-too-short.patch
+crypto-caam-do-not-reset-pointer-size-from-mcfgr-register.patch
+crypto-pcrypt-fix-user-after-free-on-module-unload.patch
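Review bot: The added `bl_stop_cmd_timer(adapter);` calls in bl_cmd() and rsi_hal_prepare_fwload() only close the use-after-free if that helper guarantees the timer callback is no longer running when it returns, and its body is not shown on this page. If it performs a non-synchronous delete, the callback may still be executing on another CPU when probe frees the adapter, so this should be confirmed and a synchronous delete such as del_timer_sync() used if the calling context allows it. The new ownership rule is also undocumented: a comment on bl_cmd() such as `/* Stops the command timer itself on failure; callers must not stop it again. */` would keep ping_pong_write() and auto_fw_upgrade() from drifting back. All four functions extend beyond their hunks.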