From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 28 Oct 2016 17:58:54 +0000 (-0400)
Subject: 4.8-stable patches
X-Git-Tag: v4.4.29~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=922521b84d9ae3e358c6c4bc07ec7bfad93a3f8e;p=thirdparty%2Fkernel%2Fstable-queue.git

4.8-stable patches

added patches:
	crypto-arm-ghash-ce-add-missing-async-import-export.patch
	crypto-ccp-fix-return-value-check-in-ccp_dmaengine_register.patch
	crypto-gcm-fix-iv-buffer-size-in-crypto_gcm_setkey.patch
	crypto-marvell-don-t-overwrite-default-creq-state-during-initialization.patch
	crypto-marvell-update-transformation-context-for-each-dequeued-req.patch
---

diff --git a/queue-4.8/crypto-arm-ghash-ce-add-missing-async-import-export.patch b/queue-4.8/crypto-arm-ghash-ce-add-missing-async-import-export.patch
new file mode 100644
index 00000000000..5253ef79642
--- /dev/null
+++ b/queue-4.8/crypto-arm-ghash-ce-add-missing-async-import-export.patch
@@ -0,0 +1,64 @@
+From ed4767d612fd2c39e2c4c69eba484c1219dcddb6 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Thu, 1 Sep 2016 14:25:42 +0100
+Subject: crypto: arm/ghash-ce - add missing async import/export
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+commit ed4767d612fd2c39e2c4c69eba484c1219dcddb6 upstream.
+
+Since commit 8996eafdcbad ("crypto: ahash - ensure statesize is non-zero"),
+all ahash drivers are required to implement import()/export(), and must have
+a non-zero statesize. Fix this for the ARM Crypto Extensions GHASH
+implementation.
+
+Fixes: 8996eafdcbad ("crypto: ahash - ensure statesize is non-zero")
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/crypto/ghash-ce-glue.c |   24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/arch/arm/crypto/ghash-ce-glue.c
++++ b/arch/arm/crypto/ghash-ce-glue.c
+@@ -220,6 +220,27 @@ static int ghash_async_digest(struct aha
+ 	}
+ }
+ 
++static int ghash_async_import(struct ahash_request *req, const void *in)
++{
++	struct ahash_request *cryptd_req = ahash_request_ctx(req);
++	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
++	struct ghash_async_ctx *ctx = crypto_ahash_ctx(tfm);
++	struct shash_desc *desc = cryptd_shash_desc(cryptd_req);
++
++	desc->tfm = cryptd_ahash_child(ctx->cryptd_tfm);
++	desc->flags = req->base.flags;
++
++	return crypto_shash_import(desc, in);
++}
++
++static int ghash_async_export(struct ahash_request *req, void *out)
++{
++	struct ahash_request *cryptd_req = ahash_request_ctx(req);
++	struct shash_desc *desc = cryptd_shash_desc(cryptd_req);
++
++	return crypto_shash_export(desc, out);
++}
++
+ static int ghash_async_setkey(struct crypto_ahash *tfm, const u8 *key,
+ 			      unsigned int keylen)
+ {
+@@ -268,7 +289,10 @@ static struct ahash_alg ghash_async_alg
+ 	.final			= ghash_async_final,
+ 	.setkey			= ghash_async_setkey,
+ 	.digest			= ghash_async_digest,
++	.import			= ghash_async_import,
++	.export			= ghash_async_export,
+ 	.halg.digestsize	= GHASH_DIGEST_SIZE,
++	.halg.statesize		= sizeof(struct ghash_desc_ctx),
+ 	.halg.base		= {
+ 		.cra_name	= "ghash",
+ 		.cra_driver_name = "ghash-ce",
diff --git a/queue-4.8/crypto-ccp-fix-return-value-check-in-ccp_dmaengine_register.patch b/queue-4.8/crypto-ccp-fix-return-value-check-in-ccp_dmaengine_register.patch
new file mode 100644
index 00000000000..2685ecb57b2
--- /dev/null
+++ b/queue-4.8/crypto-ccp-fix-return-value-check-in-ccp_dmaengine_register.patch
@@ -0,0 +1,33 @@
+From 7514e3688811e610640ec2201ca14dfebfe13442 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Sat, 17 Sep 2016 16:01:22 +0000
+Subject: crypto: ccp - Fix return value check in ccp_dmaengine_register()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+commit 7514e3688811e610640ec2201ca14dfebfe13442 upstream.
+
+Fix the retrn value check which testing the wrong variable
+in ccp_dmaengine_register().
+
+Fixes: 58ea8abf4904 ("crypto: ccp - Register the CCP as a DMA resource")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccp/ccp-dmaengine.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/ccp/ccp-dmaengine.c
++++ b/drivers/crypto/ccp/ccp-dmaengine.c
+@@ -650,7 +650,7 @@ int ccp_dmaengine_register(struct ccp_de
+ 	dma_desc_cache_name = devm_kasprintf(ccp->dev, GFP_KERNEL,
+ 					     "%s-dmaengine-desc-cache",
+ 					     ccp->name);
+-	if (!dma_cmd_cache_name)
++	if (!dma_desc_cache_name)
+ 		return -ENOMEM;
+ 	ccp->dma_desc_cache = kmem_cache_create(dma_desc_cache_name,
+ 						sizeof(struct ccp_dma_desc),
diff --git a/queue-4.8/crypto-gcm-fix-iv-buffer-size-in-crypto_gcm_setkey.patch b/queue-4.8/crypto-gcm-fix-iv-buffer-size-in-crypto_gcm_setkey.patch
new file mode 100644
index 00000000000..7a66373f6a6
--- /dev/null
+++ b/queue-4.8/crypto-gcm-fix-iv-buffer-size-in-crypto_gcm_setkey.patch
@@ -0,0 +1,35 @@
+From 50d2e6dc1f83db0563c7d6603967bf9585ce934b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ondrej=20Mosn=C3=A1=C4=8Dek?= <omosnacek@gmail.com>
+Date: Fri, 23 Sep 2016 10:47:32 +0200
+Subject: crypto: gcm - Fix IV buffer size in crypto_gcm_setkey
+
+From: Ondrej MosnÃ¡Äek <omosnacek@gmail.com>
+
+commit 50d2e6dc1f83db0563c7d6603967bf9585ce934b upstream.
+
+The cipher block size for GCM is 16 bytes, and thus the CTR transform
+used in crypto_gcm_setkey() will also expect a 16-byte IV. However,
+the code currently reserves only 8 bytes for the IV, causing
+an out-of-bounds access in the CTR transform. This patch fixes
+the issue by setting the size of the IV buffer to 16 bytes.
+
+Fixes: 84c911523020 ("[CRYPTO] gcm: Add support for async ciphers")
+Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/gcm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/gcm.c
++++ b/crypto/gcm.c
+@@ -117,7 +117,7 @@ static int crypto_gcm_setkey(struct cryp
+ 	struct crypto_skcipher *ctr = ctx->ctr;
+ 	struct {
+ 		be128 hash;
+-		u8 iv[8];
++		u8 iv[16];
+ 
+ 		struct crypto_gcm_setkey_result result;
+ 
diff --git a/queue-4.8/crypto-marvell-don-t-overwrite-default-creq-state-during-initialization.patch b/queue-4.8/crypto-marvell-don-t-overwrite-default-creq-state-during-initialization.patch
new file mode 100644
index 00000000000..6d98c6f5738
--- /dev/null
+++ b/queue-4.8/crypto-marvell-don-t-overwrite-default-creq-state-during-initialization.patch
@@ -0,0 +1,80 @@
+From 57cfda1ac74e58767f6305bd1ea3449177425460 Mon Sep 17 00:00:00 2001
+From: Romain Perier <romain.perier@free-electrons.com>
+Date: Tue, 9 Aug 2016 11:03:19 +0200
+Subject: crypto: marvell - Don't overwrite default creq->state during initialization
+
+From: Romain Perier <romain.perier@free-electrons.com>
+
+commit 57cfda1ac74e58767f6305bd1ea3449177425460 upstream.
+
+Currently, in mv_cesa_{md5,sha1,sha256}_init creq->state is initialized
+before the call to mv_cesa_ahash_init. This is wrong because this
+function fills creq with zero by using memset, so its 'state' that
+contains the default DIGEST is overwritten. This commit fixes the issue
+by initializing creq->state just after the call to mv_cesa_ahash_init.
+
+Fixes: commit b0ef51067cb4 ("crypto: marvell/cesa - initialize hash...")
+Signed-off-by: Romain Perier <romain.perier@free-electrons.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/marvell/hash.c |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/crypto/marvell/hash.c
++++ b/drivers/crypto/marvell/hash.c
+@@ -805,13 +805,14 @@ static int mv_cesa_md5_init(struct ahash
+ 	struct mv_cesa_op_ctx tmpl = { };
+ 
+ 	mv_cesa_set_op_cfg(&tmpl, CESA_SA_DESC_CFG_MACM_MD5);
++
++	mv_cesa_ahash_init(req, &tmpl, true);
++
+ 	creq->state[0] = MD5_H0;
+ 	creq->state[1] = MD5_H1;
+ 	creq->state[2] = MD5_H2;
+ 	creq->state[3] = MD5_H3;
+ 
+-	mv_cesa_ahash_init(req, &tmpl, true);
+-
+ 	return 0;
+ }
+ 
+@@ -873,14 +874,15 @@ static int mv_cesa_sha1_init(struct ahas
+ 	struct mv_cesa_op_ctx tmpl = { };
+ 
+ 	mv_cesa_set_op_cfg(&tmpl, CESA_SA_DESC_CFG_MACM_SHA1);
++
++	mv_cesa_ahash_init(req, &tmpl, false);
++
+ 	creq->state[0] = SHA1_H0;
+ 	creq->state[1] = SHA1_H1;
+ 	creq->state[2] = SHA1_H2;
+ 	creq->state[3] = SHA1_H3;
+ 	creq->state[4] = SHA1_H4;
+ 
+-	mv_cesa_ahash_init(req, &tmpl, false);
+-
+ 	return 0;
+ }
+ 
+@@ -942,6 +944,9 @@ static int mv_cesa_sha256_init(struct ah
+ 	struct mv_cesa_op_ctx tmpl = { };
+ 
+ 	mv_cesa_set_op_cfg(&tmpl, CESA_SA_DESC_CFG_MACM_SHA256);
++
++	mv_cesa_ahash_init(req, &tmpl, false);
++
+ 	creq->state[0] = SHA256_H0;
+ 	creq->state[1] = SHA256_H1;
+ 	creq->state[2] = SHA256_H2;
+@@ -951,8 +956,6 @@ static int mv_cesa_sha256_init(struct ah
+ 	creq->state[6] = SHA256_H6;
+ 	creq->state[7] = SHA256_H7;
+ 
+-	mv_cesa_ahash_init(req, &tmpl, false);
+-
+ 	return 0;
+ }
+ 
diff --git a/queue-4.8/crypto-marvell-update-transformation-context-for-each-dequeued-req.patch b/queue-4.8/crypto-marvell-update-transformation-context-for-each-dequeued-req.patch
new file mode 100644
index 00000000000..18fb155e7b4
--- /dev/null
+++ b/queue-4.8/crypto-marvell-update-transformation-context-for-each-dequeued-req.patch
@@ -0,0 +1,40 @@
+From 09951d83fc58a6f772de09c08e370f6d9970dbb6 Mon Sep 17 00:00:00 2001
+From: Romain Perier <romain.perier@free-electrons.com>
+Date: Tue, 9 Aug 2016 11:03:18 +0200
+Subject: crypto: marvell - Update transformation context for each dequeued req
+
+From: Romain Perier <romain.perier@free-electrons.com>
+
+commit 09951d83fc58a6f772de09c08e370f6d9970dbb6 upstream.
+
+So far, sub part of mv_cesa_int was responsible of dequeuing complete
+requests, then call the 'cleanup' operation on these reqs and call the
+crypto api callback 'complete'. The problem is that the transformation
+context 'ctx' is retrieved only once before the while loop. Which means
+that the wrong 'cleanup' operation might be called on the wrong type of
+cesa requests, it can lead to memory corruptions with this message:
+
+marvell-cesa f1090000.crypto: dma_pool_free cesa_padding, 5a5a5a5a/5a5a5a5a (bad dma)
+
+This commit fixes the issue, by updating the transformation context for
+each dequeued cesa request.
+
+Fixes: commit 85030c5168f1 ("crypto: marvell - Add support for chai...")
+Signed-off-by: Romain Perier <romain.perier@free-electrons.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/marvell/cesa.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/crypto/marvell/cesa.c
++++ b/drivers/crypto/marvell/cesa.c
+@@ -166,6 +166,7 @@ static irqreturn_t mv_cesa_int(int irq,
+ 			if (!req)
+ 				break;
+ 
++			ctx = crypto_tfm_ctx(req->tfm);
+ 			mv_cesa_complete_req(ctx, req, 0);
+ 		}
+ 	}
diff --git a/queue-4.8/series b/queue-4.8/series
index 90f77e1146b..5e260dbebeb 100644
--- a/queue-4.8/series
+++ b/queue-4.8/series
@@ -52,3 +52,8 @@ ath10k-add-wmi_service_periodic_chan_stat_support-wmi-service.patch
 ath10k-fix-sending-frame-in-management-path-in-push-txq-logic.patch
 ath10k-fix-reporting-channel-survey-data.patch
 ath10k-fix-throughput-regression-in-multi-client-mode.patch
+crypto-marvell-don-t-overwrite-default-creq-state-during-initialization.patch
+crypto-gcm-fix-iv-buffer-size-in-crypto_gcm_setkey.patch
+crypto-marvell-update-transformation-context-for-each-dequeued-req.patch
+crypto-arm-ghash-ce-add-missing-async-import-export.patch
+crypto-ccp-fix-return-value-check-in-ccp_dmaengine_register.patch