From: Greg Kroah-Hartman Date: Thu, 16 Aug 2018 17:01:19 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v3.18.119~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9b68cb68952a9f5558188c2cacdb93f9ceac5522;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: acpi-apei-remove-ghes_ioremap_area.patch asoc-intel-cht_bsw_max98090_ti-fix-jack-initialization.patch asoc-msm8916-wcd-digital-fix-rx2-mix1-and-rx3-mix1.patch asoc-rsnd-fix-adg-flags.patch block-bfq-fix-wrong-init-of-saved-start-time-for-weight-raising.patch bluetooth-hidp-buffer-overflow-in-hidp_process_report.patch clk-sunxi-ng-fix-missing-clk_set_rate_parent-in-ccu-sun4i-a10.c.patch crypto-ablkcipher-fix-crash-flushing-dcache-in-error-path.patch crypto-blkcipher-fix-crash-flushing-dcache-in-error-path.patch crypto-skcipher-fix-aligning-block-size-in-skcipher_copy_iv.patch crypto-skcipher-fix-crash-flushing-dcache-in-error-path.patch crypto-vmac-require-a-block-cipher-with-128-bit-block-size.patch crypto-vmac-separate-tfm-and-request-context.patch crypto-x86-sha256-mb-fix-digest-copy-in-sha256_mb_mgr_get_comp_job_avx2.patch fw_cfg-fix-driver-remove.patch ioremap-update-pgtable-free-interfaces-with-addr.patch kbuild-verify-that-depmod-is-installed.patch sched-debug-fix-task-state-recording-printout.patch x86-mm-add-tlb-purge-to-free-pmd-pte-page-interfaces.patch --- diff --git a/queue-4.14/acpi-apei-remove-ghes_ioremap_area.patch b/queue-4.14/acpi-apei-remove-ghes_ioremap_area.patch new file mode 100644 index 00000000000..57ddbb64905 --- /dev/null +++ b/queue-4.14/acpi-apei-remove-ghes_ioremap_area.patch @@ -0,0 +1,94 @@ +From 520e18a5080d2c444a03280d99c8a35cb667d321 Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Mon, 6 Nov 2017 18:44:25 +0000 +Subject: ACPI / APEI: Remove ghes_ioremap_area + +From: James Morse + +commit 520e18a5080d2c444a03280d99c8a35cb667d321 upstream. + +Now that nothing is using the ghes_ioremap_area pages, rip them out. + +Signed-off-by: James Morse +Reviewed-by: Borislav Petkov +Tested-by: Tyler Baicar +Signed-off-by: Rafael J. Wysocki +Cc: All applicable +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/apei/ghes.c | 39 ++------------------------------------- + 1 file changed, 2 insertions(+), 37 deletions(-) + +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -114,19 +114,7 @@ static DEFINE_MUTEX(ghes_list_mutex); + * from BIOS to Linux can be determined only in NMI, IRQ or timer + * handler, but general ioremap can not be used in atomic context, so + * the fixmap is used instead. +- */ +- +-/* +- * Two virtual pages are used, one for IRQ/PROCESS context, the other for +- * NMI context (optionally). +- */ +-#define GHES_IOREMAP_PAGES 2 +-#define GHES_IOREMAP_IRQ_PAGE(base) (base) +-#define GHES_IOREMAP_NMI_PAGE(base) ((base) + PAGE_SIZE) +- +-/* virtual memory area for atomic ioremap */ +-static struct vm_struct *ghes_ioremap_area; +-/* ++ * + * These 2 spinlocks are used to prevent the fixmap entries from being used + * simultaneously. + */ +@@ -141,23 +129,6 @@ static atomic_t ghes_estatus_cache_alloc + + static int ghes_panic_timeout __read_mostly = 30; + +-static int ghes_ioremap_init(void) +-{ +- ghes_ioremap_area = __get_vm_area(PAGE_SIZE * GHES_IOREMAP_PAGES, +- VM_IOREMAP, VMALLOC_START, VMALLOC_END); +- if (!ghes_ioremap_area) { +- pr_err(GHES_PFX "Failed to allocate virtual memory area for atomic ioremap.\n"); +- return -ENOMEM; +- } +- +- return 0; +-} +- +-static void ghes_ioremap_exit(void) +-{ +- free_vm_area(ghes_ioremap_area); +-} +- + static void __iomem *ghes_ioremap_pfn_nmi(u64 pfn) + { + phys_addr_t paddr; +@@ -1247,13 +1218,9 @@ static int __init ghes_init(void) + + ghes_nmi_init_cxt(); + +- rc = ghes_ioremap_init(); +- if (rc) +- goto err; +- + rc = ghes_estatus_pool_init(); + if (rc) +- goto err_ioremap_exit; ++ goto err; + + rc = ghes_estatus_pool_expand(GHES_ESTATUS_CACHE_AVG_SIZE * + GHES_ESTATUS_CACHE_ALLOCED_MAX); +@@ -1277,8 +1244,6 @@ static int __init ghes_init(void) + return 0; + err_pool_exit: + ghes_estatus_pool_exit(); +-err_ioremap_exit: +- ghes_ioremap_exit(); + err: + return rc; + } diff --git a/queue-4.14/asoc-intel-cht_bsw_max98090_ti-fix-jack-initialization.patch b/queue-4.14/asoc-intel-cht_bsw_max98090_ti-fix-jack-initialization.patch new file mode 100644 index 00000000000..c69e5537cd9 --- /dev/null +++ b/queue-4.14/asoc-intel-cht_bsw_max98090_ti-fix-jack-initialization.patch @@ -0,0 +1,95 @@ +From 3bbda5a38601f7675a214be2044e41d7749e6c7b Mon Sep 17 00:00:00 2001 +From: Thierry Escande +Date: Fri, 8 Sep 2017 00:13:08 -0500 +Subject: ASoC: Intel: cht_bsw_max98090_ti: Fix jack initialization + +From: Thierry Escande + +commit 3bbda5a38601f7675a214be2044e41d7749e6c7b upstream. + +If the ts3a227e audio accessory detection hardware is present and its +driver probed, the jack needs to be created before enabling jack +detection in the ts3a227e driver. With this patch, the jack is +instantiated in the max98090 headset init function if the ts3a227e is +present. This fixes a null pointer dereference as the jack detection +enabling function in the ts3a driver was called before the jack is +created. + +[minor correction to keep error handling on jack creation the same +as before by Pierre Bossart] + +Signed-off-by: Thierry Escande +Signed-off-by: Pierre-Louis Bossart +Acked-By: Vinod Koul +Signed-off-by: Mark Brown +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/intel/boards/cht_bsw_max98090_ti.c | 45 ++++++++++++++++++--------- + 1 file changed, 31 insertions(+), 14 deletions(-) + +--- a/sound/soc/intel/boards/cht_bsw_max98090_ti.c ++++ b/sound/soc/intel/boards/cht_bsw_max98090_ti.c +@@ -116,23 +116,19 @@ static int cht_codec_init(struct snd_soc + struct cht_mc_private *ctx = snd_soc_card_get_drvdata(runtime->card); + struct snd_soc_jack *jack = &ctx->jack; + +- /** +- * TI supports 4 butons headset detection +- * KEY_MEDIA +- * KEY_VOICECOMMAND +- * KEY_VOLUMEUP +- * KEY_VOLUMEDOWN +- */ +- if (ctx->ts3a227e_present) +- jack_type = SND_JACK_HEADPHONE | SND_JACK_MICROPHONE | +- SND_JACK_BTN_0 | SND_JACK_BTN_1 | +- SND_JACK_BTN_2 | SND_JACK_BTN_3; +- else +- jack_type = SND_JACK_HEADPHONE | SND_JACK_MICROPHONE; ++ if (ctx->ts3a227e_present) { ++ /* ++ * The jack has already been created in the ++ * cht_max98090_headset_init() function. ++ */ ++ snd_soc_jack_notifier_register(jack, &cht_jack_nb); ++ return 0; ++ } ++ ++ jack_type = SND_JACK_HEADPHONE | SND_JACK_MICROPHONE; + + ret = snd_soc_card_jack_new(runtime->card, "Headset Jack", + jack_type, jack, NULL, 0); +- + if (ret) { + dev_err(runtime->dev, "Headset Jack creation failed %d\n", ret); + return ret; +@@ -188,6 +184,27 @@ static int cht_max98090_headset_init(str + { + struct snd_soc_card *card = component->card; + struct cht_mc_private *ctx = snd_soc_card_get_drvdata(card); ++ struct snd_soc_jack *jack = &ctx->jack; ++ int jack_type; ++ int ret; ++ ++ /* ++ * TI supports 4 butons headset detection ++ * KEY_MEDIA ++ * KEY_VOICECOMMAND ++ * KEY_VOLUMEUP ++ * KEY_VOLUMEDOWN ++ */ ++ jack_type = SND_JACK_HEADPHONE | SND_JACK_MICROPHONE | ++ SND_JACK_BTN_0 | SND_JACK_BTN_1 | ++ SND_JACK_BTN_2 | SND_JACK_BTN_3; ++ ++ ret = snd_soc_card_jack_new(card, "Headset Jack", jack_type, ++ jack, NULL, 0); ++ if (ret) { ++ dev_err(card->dev, "Headset Jack creation failed %d\n", ret); ++ return ret; ++ } + + return ts3a227e_enable_jack_detect(component, &ctx->jack); + } diff --git a/queue-4.14/asoc-msm8916-wcd-digital-fix-rx2-mix1-and-rx3-mix1.patch b/queue-4.14/asoc-msm8916-wcd-digital-fix-rx2-mix1-and-rx3-mix1.patch new file mode 100644 index 00000000000..4bdcbfdb893 --- /dev/null +++ b/queue-4.14/asoc-msm8916-wcd-digital-fix-rx2-mix1-and-rx3-mix1.patch @@ -0,0 +1,45 @@ +From f53ee247ad546183fc13739adafc5579b9f0ebc0 Mon Sep 17 00:00:00 2001 +From: Jean-François Têtu +Date: Fri, 22 Sep 2017 17:44:28 -0400 +Subject: ASoC: msm8916-wcd-digital: fix RX2 MIX1 and RX3 MIX1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jean-François Têtu + +commit f53ee247ad546183fc13739adafc5579b9f0ebc0 upstream. + +The kcontrol for the third input (rxN_mix1_inp3) of both RX2 +and RX3 mixers are not using the correct control register. This simple +patch fixes this. + +Signed-off-by: Jean-François Têtu +Signed-off-by: Mark Brown +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/msm8916-wcd-digital.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/codecs/msm8916-wcd-digital.c ++++ b/sound/soc/codecs/msm8916-wcd-digital.c +@@ -238,7 +238,7 @@ static const struct soc_enum rx_mix2_inp + static const struct soc_enum rx2_mix1_inp_enum[] = { + SOC_ENUM_SINGLE(LPASS_CDC_CONN_RX2_B1_CTL, 0, 6, rx_mix1_text), + SOC_ENUM_SINGLE(LPASS_CDC_CONN_RX2_B1_CTL, 3, 6, rx_mix1_text), +- SOC_ENUM_SINGLE(LPASS_CDC_CONN_RX2_B1_CTL, 0, 6, rx_mix1_text), ++ SOC_ENUM_SINGLE(LPASS_CDC_CONN_RX2_B2_CTL, 0, 6, rx_mix1_text), + }; + + /* RX2 MIX2 */ +@@ -249,7 +249,7 @@ static const struct soc_enum rx2_mix2_in + static const struct soc_enum rx3_mix1_inp_enum[] = { + SOC_ENUM_SINGLE(LPASS_CDC_CONN_RX3_B1_CTL, 0, 6, rx_mix1_text), + SOC_ENUM_SINGLE(LPASS_CDC_CONN_RX3_B1_CTL, 3, 6, rx_mix1_text), +- SOC_ENUM_SINGLE(LPASS_CDC_CONN_RX3_B1_CTL, 0, 6, rx_mix1_text), ++ SOC_ENUM_SINGLE(LPASS_CDC_CONN_RX3_B2_CTL, 0, 6, rx_mix1_text), + }; + + /* DEC */ diff --git a/queue-4.14/asoc-rsnd-fix-adg-flags.patch b/queue-4.14/asoc-rsnd-fix-adg-flags.patch new file mode 100644 index 00000000000..cc432ec0eb4 --- /dev/null +++ b/queue-4.14/asoc-rsnd-fix-adg-flags.patch @@ -0,0 +1,36 @@ +From b7165d26bf730567ab081bb9383aff82cd43d9ea Mon Sep 17 00:00:00 2001 +From: Kuninori Morimoto +Date: Mon, 11 Sep 2017 04:17:26 +0000 +Subject: ASoC: rsnd: fix ADG flags + +From: Kuninori Morimoto + +commit b7165d26bf730567ab081bb9383aff82cd43d9ea upstream. + +Current ADG driver is over-writing flags. This patch fixes it. + +Reported-by: Hiroyuki Yokoyama +Signed-off-by: Kuninori Morimoto +Signed-off-by: Mark Brown +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/sh/rcar/adg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/sh/rcar/adg.c ++++ b/sound/soc/sh/rcar/adg.c +@@ -479,10 +479,10 @@ static void rsnd_adg_get_clkout(struct r + } + + if (req_rate[0] % 48000 == 0) +- adg->flags = AUDIO_OUT_48; ++ adg->flags |= AUDIO_OUT_48; + + if (of_get_property(np, "clkout-lr-asynchronous", NULL)) +- adg->flags = LRCLK_ASYNC; ++ adg->flags |= LRCLK_ASYNC; + + /* + * This driver is assuming that AUDIO_CLKA/AUDIO_CLKB/AUDIO_CLKC diff --git a/queue-4.14/block-bfq-fix-wrong-init-of-saved-start-time-for-weight-raising.patch b/queue-4.14/block-bfq-fix-wrong-init-of-saved-start-time-for-weight-raising.patch new file mode 100644 index 00000000000..16f948daed0 --- /dev/null +++ b/queue-4.14/block-bfq-fix-wrong-init-of-saved-start-time-for-weight-raising.patch @@ -0,0 +1,147 @@ +From 4baa8bb13f41307f3eb62fe91f93a1a798ebef53 Mon Sep 17 00:00:00 2001 +From: Paolo Valente +Date: Thu, 21 Sep 2017 11:04:00 +0200 +Subject: block, bfq: fix wrong init of saved start time for weight raising + +From: Paolo Valente + +commit 4baa8bb13f41307f3eb62fe91f93a1a798ebef53 upstream. + +This commit fixes a bug that causes bfq to fail to guarantee a high +responsiveness on some drives, if there is heavy random read+write I/O +in the background. More precisely, such a failure allowed this bug to +be found [1], but the bug may well cause other yet unreported +anomalies. + +BFQ raises the weight of the bfq_queues associated with soft real-time +applications, to privilege the I/O, and thus reduce latency, for these +applications. This mechanism is named soft-real-time weight raising in +BFQ. A soft real-time period may happen to be nested into an +interactive weight raising period, i.e., it may happen that, when a +bfq_queue switches to a soft real-time weight-raised state, the +bfq_queue is already being weight-raised because deemed interactive +too. In this case, BFQ saves in a special variable +wr_start_at_switch_to_srt, the time instant when the interactive +weight-raising period started for the bfq_queue, i.e., the time +instant when BFQ started to deem the bfq_queue interactive. This value +is then used to check whether the interactive weight-raising period +would still be in progress when the soft real-time weight-raising +period ends. If so, interactive weight raising is restored for the +bfq_queue. This restore is useful, in particular, because it prevents +bfq_queues from losing their interactive weight raising prematurely, +as a consequence of spurious, short-lived soft real-time +weight-raising periods caused by wrong detections as soft real-time. + +If, instead, a bfq_queue switches to soft-real-time weight raising +while it *is not* already in an interactive weight-raising period, +then the variable wr_start_at_switch_to_srt has no meaning during the +following soft real-time weight-raising period. Unfortunately the +handling of this case is wrong in BFQ: not only the variable is not +flagged somehow as meaningless, but it is also set to the time when +the switch to soft real-time weight-raising occurs. This may cause an +interactive weight-raising period to be considered mistakenly as still +in progress, and thus a spurious interactive weight-raising period to +start for the bfq_queue, at the end of the soft-real-time +weight-raising period. In particular the spurious interactive +weight-raising period will be considered as still in progress, if the +soft-real-time weight-raising period does not last very long. The +bfq_queue will then be wrongly privileged and, if I/O bound, will +unjustly steal bandwidth to truly interactive or soft real-time +bfq_queues, harming responsiveness and low latency. + +This commit fixes this issue by just setting wr_start_at_switch_to_srt +to minus infinity (farthest past time instant according to jiffies +macros): when the soft-real-time weight-raising period ends, certainly +no interactive weight-raising period will be considered as still in +progress. + +[1] Background I/O Type: Random - Background I/O mix: Reads and writes +- Application to start: LibreOffice Writer in +http://www.phoronix.com/scan.php?page=news_item&px=Linux-4.13-IO-Laptop + +Signed-off-by: Paolo Valente +Signed-off-by: Angelo Ruocco +Tested-by: Oleksandr Natalenko +Tested-by: Lee Tibbert +Tested-by: Mirko Montanari +Signed-off-by: Jens Axboe +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman + +--- + block/bfq-iosched.c | 50 +++++++++++++++++++++++++++++++------------------- + 1 file changed, 31 insertions(+), 19 deletions(-) + +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -1203,6 +1203,24 @@ static unsigned int bfq_wr_duration(stru + return dur; + } + ++/* ++ * Return the farthest future time instant according to jiffies ++ * macros. ++ */ ++static unsigned long bfq_greatest_from_now(void) ++{ ++ return jiffies + MAX_JIFFY_OFFSET; ++} ++ ++/* ++ * Return the farthest past time instant according to jiffies ++ * macros. ++ */ ++static unsigned long bfq_smallest_from_now(void) ++{ ++ return jiffies - MAX_JIFFY_OFFSET; ++} ++ + static void bfq_update_bfqq_wr_on_rq_arrival(struct bfq_data *bfqd, + struct bfq_queue *bfqq, + unsigned int old_wr_coeff, +@@ -1217,7 +1235,19 @@ static void bfq_update_bfqq_wr_on_rq_arr + bfqq->wr_coeff = bfqd->bfq_wr_coeff; + bfqq->wr_cur_max_time = bfq_wr_duration(bfqd); + } else { +- bfqq->wr_start_at_switch_to_srt = jiffies; ++ /* ++ * No interactive weight raising in progress ++ * here: assign minus infinity to ++ * wr_start_at_switch_to_srt, to make sure ++ * that, at the end of the soft-real-time ++ * weight raising periods that is starting ++ * now, no interactive weight-raising period ++ * may be wrongly considered as still in ++ * progress (and thus actually started by ++ * mistake). ++ */ ++ bfqq->wr_start_at_switch_to_srt = ++ bfq_smallest_from_now(); + bfqq->wr_coeff = bfqd->bfq_wr_coeff * + BFQ_SOFTRT_WEIGHT_FACTOR; + bfqq->wr_cur_max_time = +@@ -2896,24 +2926,6 @@ static unsigned long bfq_bfqq_softrt_nex + jiffies + nsecs_to_jiffies(bfqq->bfqd->bfq_slice_idle) + 4); + } + +-/* +- * Return the farthest future time instant according to jiffies +- * macros. +- */ +-static unsigned long bfq_greatest_from_now(void) +-{ +- return jiffies + MAX_JIFFY_OFFSET; +-} +- +-/* +- * Return the farthest past time instant according to jiffies +- * macros. +- */ +-static unsigned long bfq_smallest_from_now(void) +-{ +- return jiffies - MAX_JIFFY_OFFSET; +-} +- + /** + * bfq_bfqq_expire - expire a queue. + * @bfqd: device owning the queue. diff --git a/queue-4.14/bluetooth-hidp-buffer-overflow-in-hidp_process_report.patch b/queue-4.14/bluetooth-hidp-buffer-overflow-in-hidp_process_report.patch new file mode 100644 index 00000000000..35f48bd906d --- /dev/null +++ b/queue-4.14/bluetooth-hidp-buffer-overflow-in-hidp_process_report.patch @@ -0,0 +1,50 @@ +From 7992c18810e568b95c869b227137a2215702a805 Mon Sep 17 00:00:00 2001 +From: Mark Salyzyn +Date: Tue, 31 Jul 2018 15:02:13 -0700 +Subject: Bluetooth: hidp: buffer overflow in hidp_process_report + +From: Mark Salyzyn + +commit 7992c18810e568b95c869b227137a2215702a805 upstream. + +CVE-2018-9363 + +The buffer length is unsigned at all layers, but gets cast to int and +checked in hidp_process_report and can lead to a buffer overflow. +Switch len parameter to unsigned int to resolve issue. + +This affects 3.18 and newer kernels. + +Signed-off-by: Mark Salyzyn +Fixes: a4b1b5877b514b276f0f31efe02388a9c2836728 ("HID: Bluetooth: hidp: make sure input buffers are big enough") +Cc: Marcel Holtmann +Cc: Johan Hedberg +Cc: "David S. Miller" +Cc: Kees Cook +Cc: Benjamin Tissoires +Cc: linux-bluetooth@vger.kernel.org +Cc: netdev@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: security@kernel.org +Cc: kernel-team@android.com +Acked-by: Kees Cook +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hidp/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -431,8 +431,8 @@ static void hidp_del_timer(struct hidp_s + del_timer(&session->timer); + } + +-static void hidp_process_report(struct hidp_session *session, +- int type, const u8 *data, int len, int intr) ++static void hidp_process_report(struct hidp_session *session, int type, ++ const u8 *data, unsigned int len, int intr) + { + if (len > HID_MAX_BUFFER_SIZE) + len = HID_MAX_BUFFER_SIZE; diff --git a/queue-4.14/clk-sunxi-ng-fix-missing-clk_set_rate_parent-in-ccu-sun4i-a10.c.patch b/queue-4.14/clk-sunxi-ng-fix-missing-clk_set_rate_parent-in-ccu-sun4i-a10.c.patch new file mode 100644 index 00000000000..d08704cd85b --- /dev/null +++ b/queue-4.14/clk-sunxi-ng-fix-missing-clk_set_rate_parent-in-ccu-sun4i-a10.c.patch @@ -0,0 +1,38 @@ +From a894990ac994a53bc5a0cc694eb12f3c064c18c5 Mon Sep 17 00:00:00 2001 +From: Alexander Syring +Date: Thu, 14 Sep 2017 14:05:19 +0200 +Subject: clk: sunxi-ng: Fix missing CLK_SET_RATE_PARENT in ccu-sun4i-a10.c + +From: Alexander Syring + +commit a894990ac994a53bc5a0cc694eb12f3c064c18c5 upstream. + +When using cpufreq-dt with default govenor other than "performance" +system freezes while booting. +Adding CLK_SET_RATE_PARENT | CLK_IS_CRITICAL to clk_cpu fixes the +problem. + +Tested on Cubietruck (A20). + +Fixes: c84f5683f6E ("clk: sunxi-ng: Add sun4i/sun7i CCU driver") +Acked-by: Chen-Yu Tsai +Signed-off-by: Alexander Syring +Signed-off-by: Maxime Ripard +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/sunxi-ng/ccu-sun4i-a10.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/sunxi-ng/ccu-sun4i-a10.c ++++ b/drivers/clk/sunxi-ng/ccu-sun4i-a10.c +@@ -223,7 +223,7 @@ static struct ccu_mux cpu_clk = { + .hw.init = CLK_HW_INIT_PARENTS("cpu", + cpu_parents, + &ccu_mux_ops, +- CLK_IS_CRITICAL), ++ CLK_SET_RATE_PARENT | CLK_IS_CRITICAL), + } + }; + diff --git a/queue-4.14/crypto-ablkcipher-fix-crash-flushing-dcache-in-error-path.patch b/queue-4.14/crypto-ablkcipher-fix-crash-flushing-dcache-in-error-path.patch new file mode 100644 index 00000000000..a0b94567df7 --- /dev/null +++ b/queue-4.14/crypto-ablkcipher-fix-crash-flushing-dcache-in-error-path.patch @@ -0,0 +1,133 @@ +From 318abdfbe708aaaa652c79fb500e9bd60521f9dc Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 23 Jul 2018 10:54:58 -0700 +Subject: crypto: ablkcipher - fix crash flushing dcache in error path + +From: Eric Biggers + +commit 318abdfbe708aaaa652c79fb500e9bd60521f9dc upstream. + +Like the skcipher_walk and blkcipher_walk cases: + +scatterwalk_done() is only meant to be called after a nonzero number of +bytes have been processed, since scatterwalk_pagedone() will flush the +dcache of the *previous* page. But in the error case of +ablkcipher_walk_done(), e.g. if the input wasn't an integer number of +blocks, scatterwalk_done() was actually called after advancing 0 bytes. +This caused a crash ("BUG: unable to handle kernel paging request") +during '!PageSlab(page)' on architectures like arm and arm64 that define +ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was +page-aligned as in that case walk->offset == 0. + +Fix it by reorganizing ablkcipher_walk_done() to skip the +scatterwalk_advance() and scatterwalk_done() if an error has occurred. + +Reported-by: Liu Chao +Fixes: bf06099db18a ("crypto: skcipher - Add ablkcipher_walk interfaces") +Cc: # v2.6.35+ +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/ablkcipher.c | 57 +++++++++++++++++++++++----------------------------- + 1 file changed, 26 insertions(+), 31 deletions(-) + +--- a/crypto/ablkcipher.c ++++ b/crypto/ablkcipher.c +@@ -71,11 +71,9 @@ static inline u8 *ablkcipher_get_spot(u8 + return max(start, end_page); + } + +-static inline unsigned int ablkcipher_done_slow(struct ablkcipher_walk *walk, +- unsigned int bsize) ++static inline void ablkcipher_done_slow(struct ablkcipher_walk *walk, ++ unsigned int n) + { +- unsigned int n = bsize; +- + for (;;) { + unsigned int len_this_page = scatterwalk_pagelen(&walk->out); + +@@ -87,17 +85,13 @@ static inline unsigned int ablkcipher_do + n -= len_this_page; + scatterwalk_start(&walk->out, sg_next(walk->out.sg)); + } +- +- return bsize; + } + +-static inline unsigned int ablkcipher_done_fast(struct ablkcipher_walk *walk, +- unsigned int n) ++static inline void ablkcipher_done_fast(struct ablkcipher_walk *walk, ++ unsigned int n) + { + scatterwalk_advance(&walk->in, n); + scatterwalk_advance(&walk->out, n); +- +- return n; + } + + static int ablkcipher_walk_next(struct ablkcipher_request *req, +@@ -107,39 +101,40 @@ int ablkcipher_walk_done(struct ablkciph + struct ablkcipher_walk *walk, int err) + { + struct crypto_tfm *tfm = req->base.tfm; +- unsigned int nbytes = 0; ++ unsigned int n; /* bytes processed */ ++ bool more; + +- if (likely(err >= 0)) { +- unsigned int n = walk->nbytes - err; ++ if (unlikely(err < 0)) ++ goto finish; + +- if (likely(!(walk->flags & ABLKCIPHER_WALK_SLOW))) +- n = ablkcipher_done_fast(walk, n); +- else if (WARN_ON(err)) { ++ n = walk->nbytes - err; ++ walk->total -= n; ++ more = (walk->total != 0); ++ ++ if (likely(!(walk->flags & ABLKCIPHER_WALK_SLOW))) { ++ ablkcipher_done_fast(walk, n); ++ } else { ++ if (WARN_ON(err)) { ++ /* unexpected case; didn't process all bytes */ + err = -EINVAL; +- goto err; +- } else +- n = ablkcipher_done_slow(walk, n); +- +- nbytes = walk->total - n; +- err = 0; ++ goto finish; ++ } ++ ablkcipher_done_slow(walk, n); + } + +- scatterwalk_done(&walk->in, 0, nbytes); +- scatterwalk_done(&walk->out, 1, nbytes); ++ scatterwalk_done(&walk->in, 0, more); ++ scatterwalk_done(&walk->out, 1, more); + +-err: +- walk->total = nbytes; +- walk->nbytes = nbytes; +- +- if (nbytes) { ++ if (more) { + crypto_yield(req->base.flags); + return ablkcipher_walk_next(req, walk); + } +- ++ err = 0; ++finish: ++ walk->nbytes = 0; + if (walk->iv != req->info) + memcpy(req->info, walk->iv, tfm->crt_ablkcipher.ivsize); + kfree(walk->iv_buffer); +- + return err; + } + EXPORT_SYMBOL_GPL(ablkcipher_walk_done); diff --git a/queue-4.14/crypto-blkcipher-fix-crash-flushing-dcache-in-error-path.patch b/queue-4.14/crypto-blkcipher-fix-crash-flushing-dcache-in-error-path.patch new file mode 100644 index 00000000000..f2b3ac4a703 --- /dev/null +++ b/queue-4.14/crypto-blkcipher-fix-crash-flushing-dcache-in-error-path.patch @@ -0,0 +1,158 @@ +From 0868def3e4100591e7a1fdbf3eed1439cc8f7ca3 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 23 Jul 2018 10:54:57 -0700 +Subject: crypto: blkcipher - fix crash flushing dcache in error path + +From: Eric Biggers + +commit 0868def3e4100591e7a1fdbf3eed1439cc8f7ca3 upstream. + +Like the skcipher_walk case: + +scatterwalk_done() is only meant to be called after a nonzero number of +bytes have been processed, since scatterwalk_pagedone() will flush the +dcache of the *previous* page. But in the error case of +blkcipher_walk_done(), e.g. if the input wasn't an integer number of +blocks, scatterwalk_done() was actually called after advancing 0 bytes. +This caused a crash ("BUG: unable to handle kernel paging request") +during '!PageSlab(page)' on architectures like arm and arm64 that define +ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was +page-aligned as in that case walk->offset == 0. + +Fix it by reorganizing blkcipher_walk_done() to skip the +scatterwalk_advance() and scatterwalk_done() if an error has occurred. + +This bug was found by syzkaller fuzzing. + +Reproducer, assuming ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE: + + #include + #include + #include + + int main() + { + struct sockaddr_alg addr = { + .salg_type = "skcipher", + .salg_name = "ecb(aes-generic)", + }; + char buffer[4096] __attribute__((aligned(4096))) = { 0 }; + int fd; + + fd = socket(AF_ALG, SOCK_SEQPACKET, 0); + bind(fd, (void *)&addr, sizeof(addr)); + setsockopt(fd, SOL_ALG, ALG_SET_KEY, buffer, 16); + fd = accept(fd, NULL, NULL); + write(fd, buffer, 15); + read(fd, buffer, 15); + } + +Reported-by: Liu Chao +Fixes: 5cde0af2a982 ("[CRYPTO] cipher: Added block cipher type") +Cc: # v2.6.19+ +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/blkcipher.c | 54 +++++++++++++++++++++++++---------------------------- + 1 file changed, 26 insertions(+), 28 deletions(-) + +--- a/crypto/blkcipher.c ++++ b/crypto/blkcipher.c +@@ -71,19 +71,18 @@ static inline u8 *blkcipher_get_spot(u8 + return max(start, end_page); + } + +-static inline unsigned int blkcipher_done_slow(struct blkcipher_walk *walk, +- unsigned int bsize) ++static inline void blkcipher_done_slow(struct blkcipher_walk *walk, ++ unsigned int bsize) + { + u8 *addr; + + addr = (u8 *)ALIGN((unsigned long)walk->buffer, walk->alignmask + 1); + addr = blkcipher_get_spot(addr, bsize); + scatterwalk_copychunks(addr, &walk->out, bsize, 1); +- return bsize; + } + +-static inline unsigned int blkcipher_done_fast(struct blkcipher_walk *walk, +- unsigned int n) ++static inline void blkcipher_done_fast(struct blkcipher_walk *walk, ++ unsigned int n) + { + if (walk->flags & BLKCIPHER_WALK_COPY) { + blkcipher_map_dst(walk); +@@ -97,49 +96,48 @@ static inline unsigned int blkcipher_don + + scatterwalk_advance(&walk->in, n); + scatterwalk_advance(&walk->out, n); +- +- return n; + } + + int blkcipher_walk_done(struct blkcipher_desc *desc, + struct blkcipher_walk *walk, int err) + { +- unsigned int nbytes = 0; ++ unsigned int n; /* bytes processed */ ++ bool more; + +- if (likely(err >= 0)) { +- unsigned int n = walk->nbytes - err; ++ if (unlikely(err < 0)) ++ goto finish; + +- if (likely(!(walk->flags & BLKCIPHER_WALK_SLOW))) +- n = blkcipher_done_fast(walk, n); +- else if (WARN_ON(err)) { ++ n = walk->nbytes - err; ++ walk->total -= n; ++ more = (walk->total != 0); ++ ++ if (likely(!(walk->flags & BLKCIPHER_WALK_SLOW))) { ++ blkcipher_done_fast(walk, n); ++ } else { ++ if (WARN_ON(err)) { ++ /* unexpected case; didn't process all bytes */ + err = -EINVAL; +- goto err; +- } else +- n = blkcipher_done_slow(walk, n); +- +- nbytes = walk->total - n; +- err = 0; ++ goto finish; ++ } ++ blkcipher_done_slow(walk, n); + } + +- scatterwalk_done(&walk->in, 0, nbytes); +- scatterwalk_done(&walk->out, 1, nbytes); +- +-err: +- walk->total = nbytes; +- walk->nbytes = nbytes; ++ scatterwalk_done(&walk->in, 0, more); ++ scatterwalk_done(&walk->out, 1, more); + +- if (nbytes) { ++ if (more) { + crypto_yield(desc->flags); + return blkcipher_walk_next(desc, walk); + } +- ++ err = 0; ++finish: ++ walk->nbytes = 0; + if (walk->iv != desc->info) + memcpy(desc->info, walk->iv, walk->ivsize); + if (walk->buffer != walk->page) + kfree(walk->buffer); + if (walk->page) + free_page((unsigned long)walk->page); +- + return err; + } + EXPORT_SYMBOL_GPL(blkcipher_walk_done); diff --git a/queue-4.14/crypto-skcipher-fix-aligning-block-size-in-skcipher_copy_iv.patch b/queue-4.14/crypto-skcipher-fix-aligning-block-size-in-skcipher_copy_iv.patch new file mode 100644 index 00000000000..fa14ae240e4 --- /dev/null +++ b/queue-4.14/crypto-skcipher-fix-aligning-block-size-in-skcipher_copy_iv.patch @@ -0,0 +1,33 @@ +From 0567fc9e90b9b1c8dbce8a5468758e6206744d4a Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 23 Jul 2018 09:57:50 -0700 +Subject: crypto: skcipher - fix aligning block size in skcipher_copy_iv() + +From: Eric Biggers + +commit 0567fc9e90b9b1c8dbce8a5468758e6206744d4a upstream. + +The ALIGN() macro needs to be passed the alignment, not the alignmask +(which is the alignment minus 1). + +Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk interface") +Cc: # v4.10+ +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/skcipher.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/crypto/skcipher.c ++++ b/crypto/skcipher.c +@@ -399,7 +399,7 @@ static int skcipher_copy_iv(struct skcip + unsigned size; + u8 *iv; + +- aligned_bs = ALIGN(bs, alignmask); ++ aligned_bs = ALIGN(bs, alignmask + 1); + + /* Minimum size to align buffer by alignmask. */ + size = alignmask & ~a; diff --git a/queue-4.14/crypto-skcipher-fix-crash-flushing-dcache-in-error-path.patch b/queue-4.14/crypto-skcipher-fix-crash-flushing-dcache-in-error-path.patch new file mode 100644 index 00000000000..06d08de3297 --- /dev/null +++ b/queue-4.14/crypto-skcipher-fix-crash-flushing-dcache-in-error-path.patch @@ -0,0 +1,146 @@ +From 8088d3dd4d7c6933a65aa169393b5d88d8065672 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 23 Jul 2018 10:54:56 -0700 +Subject: crypto: skcipher - fix crash flushing dcache in error path + +From: Eric Biggers + +commit 8088d3dd4d7c6933a65aa169393b5d88d8065672 upstream. + +scatterwalk_done() is only meant to be called after a nonzero number of +bytes have been processed, since scatterwalk_pagedone() will flush the +dcache of the *previous* page. But in the error case of +skcipher_walk_done(), e.g. if the input wasn't an integer number of +blocks, scatterwalk_done() was actually called after advancing 0 bytes. +This caused a crash ("BUG: unable to handle kernel paging request") +during '!PageSlab(page)' on architectures like arm and arm64 that define +ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was +page-aligned as in that case walk->offset == 0. + +Fix it by reorganizing skcipher_walk_done() to skip the +scatterwalk_advance() and scatterwalk_done() if an error has occurred. + +This bug was found by syzkaller fuzzing. + +Reproducer, assuming ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE: + + #include + #include + #include + + int main() + { + struct sockaddr_alg addr = { + .salg_type = "skcipher", + .salg_name = "cbc(aes-generic)", + }; + char buffer[4096] __attribute__((aligned(4096))) = { 0 }; + int fd; + + fd = socket(AF_ALG, SOCK_SEQPACKET, 0); + bind(fd, (void *)&addr, sizeof(addr)); + setsockopt(fd, SOL_ALG, ALG_SET_KEY, buffer, 16); + fd = accept(fd, NULL, NULL); + write(fd, buffer, 15); + read(fd, buffer, 15); + } + +Reported-by: Liu Chao +Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk interface") +Cc: # v4.10+ +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/skcipher.c | 49 +++++++++++++++++++++++++------------------------ + 1 file changed, 25 insertions(+), 24 deletions(-) + +--- a/crypto/skcipher.c ++++ b/crypto/skcipher.c +@@ -95,7 +95,7 @@ static inline u8 *skcipher_get_spot(u8 * + return max(start, end_page); + } + +-static int skcipher_done_slow(struct skcipher_walk *walk, unsigned int bsize) ++static void skcipher_done_slow(struct skcipher_walk *walk, unsigned int bsize) + { + u8 *addr; + +@@ -103,23 +103,24 @@ static int skcipher_done_slow(struct skc + addr = skcipher_get_spot(addr, bsize); + scatterwalk_copychunks(addr, &walk->out, bsize, + (walk->flags & SKCIPHER_WALK_PHYS) ? 2 : 1); +- return 0; + } + + int skcipher_walk_done(struct skcipher_walk *walk, int err) + { +- unsigned int n = walk->nbytes - err; +- unsigned int nbytes; ++ unsigned int n; /* bytes processed */ ++ bool more; + +- nbytes = walk->total - n; ++ if (unlikely(err < 0)) ++ goto finish; + +- if (unlikely(err < 0)) { +- nbytes = 0; +- n = 0; +- } else if (likely(!(walk->flags & (SKCIPHER_WALK_PHYS | +- SKCIPHER_WALK_SLOW | +- SKCIPHER_WALK_COPY | +- SKCIPHER_WALK_DIFF)))) { ++ n = walk->nbytes - err; ++ walk->total -= n; ++ more = (walk->total != 0); ++ ++ if (likely(!(walk->flags & (SKCIPHER_WALK_PHYS | ++ SKCIPHER_WALK_SLOW | ++ SKCIPHER_WALK_COPY | ++ SKCIPHER_WALK_DIFF)))) { + unmap_src: + skcipher_unmap_src(walk); + } else if (walk->flags & SKCIPHER_WALK_DIFF) { +@@ -131,28 +132,28 @@ unmap_src: + skcipher_unmap_dst(walk); + } else if (unlikely(walk->flags & SKCIPHER_WALK_SLOW)) { + if (WARN_ON(err)) { ++ /* unexpected case; didn't process all bytes */ + err = -EINVAL; +- nbytes = 0; +- } else +- n = skcipher_done_slow(walk, n); ++ goto finish; ++ } ++ skcipher_done_slow(walk, n); ++ goto already_advanced; + } + +- if (err > 0) +- err = 0; +- +- walk->total = nbytes; +- walk->nbytes = nbytes; +- + scatterwalk_advance(&walk->in, n); + scatterwalk_advance(&walk->out, n); +- scatterwalk_done(&walk->in, 0, nbytes); +- scatterwalk_done(&walk->out, 1, nbytes); ++already_advanced: ++ scatterwalk_done(&walk->in, 0, more); ++ scatterwalk_done(&walk->out, 1, more); + +- if (nbytes) { ++ if (more) { + crypto_yield(walk->flags & SKCIPHER_WALK_SLEEP ? + CRYPTO_TFM_REQ_MAY_SLEEP : 0); + return skcipher_walk_next(walk); + } ++ err = 0; ++finish: ++ walk->nbytes = 0; + + /* Short-circuit for the common/fast path. */ + if (!((unsigned long)walk->buffer | (unsigned long)walk->page)) diff --git a/queue-4.14/crypto-vmac-require-a-block-cipher-with-128-bit-block-size.patch b/queue-4.14/crypto-vmac-require-a-block-cipher-with-128-bit-block-size.patch new file mode 100644 index 00000000000..9d82287a34c --- /dev/null +++ b/queue-4.14/crypto-vmac-require-a-block-cipher-with-128-bit-block-size.patch @@ -0,0 +1,39 @@ +From 73bf20ef3df262026c3470241ae4ac8196943ffa Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 18 Jun 2018 10:22:37 -0700 +Subject: crypto: vmac - require a block cipher with 128-bit block size + +From: Eric Biggers + +commit 73bf20ef3df262026c3470241ae4ac8196943ffa upstream. + +The VMAC template assumes the block cipher has a 128-bit block size, but +it failed to check for that. Thus it was possible to instantiate it +using a 64-bit block size cipher, e.g. "vmac(cast5)", causing +uninitialized memory to be used. + +Add the needed check when instantiating the template. + +Fixes: f1939f7c5645 ("crypto: vmac - New hash algorithm for intel_txt support") +Cc: # v2.6.32+ +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/vmac.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/crypto/vmac.c ++++ b/crypto/vmac.c +@@ -655,6 +655,10 @@ static int vmac_create(struct crypto_tem + if (IS_ERR(alg)) + return PTR_ERR(alg); + ++ err = -EINVAL; ++ if (alg->cra_blocksize != 16) ++ goto out_put_alg; ++ + inst = shash_alloc_instance("vmac", alg); + err = PTR_ERR(inst); + if (IS_ERR(inst)) diff --git a/queue-4.14/crypto-vmac-separate-tfm-and-request-context.patch b/queue-4.14/crypto-vmac-separate-tfm-and-request-context.patch new file mode 100644 index 00000000000..f45e976e3e8 --- /dev/null +++ b/queue-4.14/crypto-vmac-separate-tfm-and-request-context.patch @@ -0,0 +1,653 @@ +From bb29648102335586e9a66289a1d98a0cb392b6e5 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 18 Jun 2018 10:22:38 -0700 +Subject: crypto: vmac - separate tfm and request context + +From: Eric Biggers + +commit bb29648102335586e9a66289a1d98a0cb392b6e5 upstream. + +syzbot reported a crash in vmac_final() when multiple threads +concurrently use the same "vmac(aes)" transform through AF_ALG. The bug +is pretty fundamental: the VMAC template doesn't separate per-request +state from per-tfm (per-key) state like the other hash algorithms do, +but rather stores it all in the tfm context. That's wrong. + +Also, vmac_final() incorrectly zeroes most of the state including the +derived keys and cached pseudorandom pad. Therefore, only the first +VMAC invocation with a given key calculates the correct digest. + +Fix these bugs by splitting the per-tfm state from the per-request state +and using the proper init/update/final sequencing for requests. + +Reproducer for the crash: + + #include + #include + #include + + int main() + { + int fd; + struct sockaddr_alg addr = { + .salg_type = "hash", + .salg_name = "vmac(aes)", + }; + char buf[256] = { 0 }; + + fd = socket(AF_ALG, SOCK_SEQPACKET, 0); + bind(fd, (void *)&addr, sizeof(addr)); + setsockopt(fd, SOL_ALG, ALG_SET_KEY, buf, 16); + fork(); + fd = accept(fd, NULL, NULL); + for (;;) + write(fd, buf, 256); + } + +The immediate cause of the crash is that vmac_ctx_t.partial_size exceeds +VMAC_NHBYTES, causing vmac_final() to memset() a negative length. + +Reported-by: syzbot+264bca3a6e8d645550d3@syzkaller.appspotmail.com +Fixes: f1939f7c5645 ("crypto: vmac - New hash algorithm for intel_txt support") +Cc: # v2.6.32+ +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/vmac.c | 414 ++++++++++++++++++++++---------------------------- + include/crypto/vmac.h | 63 ------- + 2 files changed, 184 insertions(+), 293 deletions(-) + +--- a/crypto/vmac.c ++++ b/crypto/vmac.c +@@ -1,6 +1,10 @@ + /* +- * Modified to interface to the Linux kernel ++ * VMAC: Message Authentication Code using Universal Hashing ++ * ++ * Reference: https://tools.ietf.org/html/draft-krovetz-vmac-01 ++ * + * Copyright (c) 2009, Intel Corporation. ++ * Copyright (c) 2018, Google Inc. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms and conditions of the GNU General Public License, +@@ -16,14 +20,15 @@ + * Place - Suite 330, Boston, MA 02111-1307 USA. + */ + +-/* -------------------------------------------------------------------------- +- * VMAC and VHASH Implementation by Ted Krovetz (tdk@acm.org) and Wei Dai. +- * This implementation is herby placed in the public domain. +- * The authors offers no warranty. Use at your own risk. +- * Please send bug reports to the authors. +- * Last modified: 17 APR 08, 1700 PDT +- * ----------------------------------------------------------------------- */ ++/* ++ * Derived from: ++ * VMAC and VHASH Implementation by Ted Krovetz (tdk@acm.org) and Wei Dai. ++ * This implementation is herby placed in the public domain. ++ * The authors offers no warranty. Use at your own risk. ++ * Last modified: 17 APR 08, 1700 PDT ++ */ + ++#include + #include + #include + #include +@@ -31,10 +36,36 @@ + #include + #include + #include +-#include + #include + + /* ++ * User definable settings. ++ */ ++#define VMAC_TAG_LEN 64 ++#define VMAC_KEY_SIZE 128/* Must be 128, 192 or 256 */ ++#define VMAC_KEY_LEN (VMAC_KEY_SIZE/8) ++#define VMAC_NHBYTES 128/* Must 2^i for any 3 < i < 13 Standard = 128*/ ++ ++/* per-transform (per-key) context */ ++struct vmac_tfm_ctx { ++ struct crypto_cipher *cipher; ++ u64 nhkey[(VMAC_NHBYTES/8)+2*(VMAC_TAG_LEN/64-1)]; ++ u64 polykey[2*VMAC_TAG_LEN/64]; ++ u64 l3key[2*VMAC_TAG_LEN/64]; ++}; ++ ++/* per-request context */ ++struct vmac_desc_ctx { ++ union { ++ u8 partial[VMAC_NHBYTES]; /* partial block */ ++ __le64 partial_words[VMAC_NHBYTES / 8]; ++ }; ++ unsigned int partial_size; /* size of the partial block */ ++ bool first_block_processed; ++ u64 polytmp[2*VMAC_TAG_LEN/64]; /* running total of L2-hash */ ++}; ++ ++/* + * Constants and masks + */ + #define UINT64_C(x) x##ULL +@@ -318,13 +349,6 @@ static void poly_step_func(u64 *ahi, u64 + } while (0) + #endif + +-static void vhash_abort(struct vmac_ctx *ctx) +-{ +- ctx->polytmp[0] = ctx->polykey[0] ; +- ctx->polytmp[1] = ctx->polykey[1] ; +- ctx->first_block_processed = 0; +-} +- + static u64 l3hash(u64 p1, u64 p2, u64 k1, u64 k2, u64 len) + { + u64 rh, rl, t, z = 0; +@@ -364,280 +388,209 @@ static u64 l3hash(u64 p1, u64 p2, u64 k1 + return rl; + } + +-static void vhash_update(const unsigned char *m, +- unsigned int mbytes, /* Pos multiple of VMAC_NHBYTES */ +- struct vmac_ctx *ctx) +-{ +- u64 rh, rl, *mptr; +- const u64 *kptr = (u64 *)ctx->nhkey; +- int i; +- u64 ch, cl; +- u64 pkh = ctx->polykey[0]; +- u64 pkl = ctx->polykey[1]; +- +- if (!mbytes) +- return; +- +- BUG_ON(mbytes % VMAC_NHBYTES); ++/* L1 and L2-hash one or more VMAC_NHBYTES-byte blocks */ ++static void vhash_blocks(const struct vmac_tfm_ctx *tctx, ++ struct vmac_desc_ctx *dctx, ++ const __le64 *mptr, unsigned int blocks) ++{ ++ const u64 *kptr = tctx->nhkey; ++ const u64 pkh = tctx->polykey[0]; ++ const u64 pkl = tctx->polykey[1]; ++ u64 ch = dctx->polytmp[0]; ++ u64 cl = dctx->polytmp[1]; ++ u64 rh, rl; + +- mptr = (u64 *)m; +- i = mbytes / VMAC_NHBYTES; /* Must be non-zero */ +- +- ch = ctx->polytmp[0]; +- cl = ctx->polytmp[1]; +- +- if (!ctx->first_block_processed) { +- ctx->first_block_processed = 1; ++ if (!dctx->first_block_processed) { ++ dctx->first_block_processed = true; + nh_vmac_nhbytes(mptr, kptr, VMAC_NHBYTES/8, rh, rl); + rh &= m62; + ADD128(ch, cl, rh, rl); + mptr += (VMAC_NHBYTES/sizeof(u64)); +- i--; ++ blocks--; + } + +- while (i--) { ++ while (blocks--) { + nh_vmac_nhbytes(mptr, kptr, VMAC_NHBYTES/8, rh, rl); + rh &= m62; + poly_step(ch, cl, pkh, pkl, rh, rl); + mptr += (VMAC_NHBYTES/sizeof(u64)); + } + +- ctx->polytmp[0] = ch; +- ctx->polytmp[1] = cl; ++ dctx->polytmp[0] = ch; ++ dctx->polytmp[1] = cl; + } + +-static u64 vhash(unsigned char m[], unsigned int mbytes, +- u64 *tagl, struct vmac_ctx *ctx) ++static int vmac_setkey(struct crypto_shash *tfm, ++ const u8 *key, unsigned int keylen) + { +- u64 rh, rl, *mptr; +- const u64 *kptr = (u64 *)ctx->nhkey; +- int i, remaining; +- u64 ch, cl; +- u64 pkh = ctx->polykey[0]; +- u64 pkl = ctx->polykey[1]; +- +- mptr = (u64 *)m; +- i = mbytes / VMAC_NHBYTES; +- remaining = mbytes % VMAC_NHBYTES; +- +- if (ctx->first_block_processed) { +- ch = ctx->polytmp[0]; +- cl = ctx->polytmp[1]; +- } else if (i) { +- nh_vmac_nhbytes(mptr, kptr, VMAC_NHBYTES/8, ch, cl); +- ch &= m62; +- ADD128(ch, cl, pkh, pkl); +- mptr += (VMAC_NHBYTES/sizeof(u64)); +- i--; +- } else if (remaining) { +- nh_16(mptr, kptr, 2*((remaining+15)/16), ch, cl); +- ch &= m62; +- ADD128(ch, cl, pkh, pkl); +- mptr += (VMAC_NHBYTES/sizeof(u64)); +- goto do_l3; +- } else {/* Empty String */ +- ch = pkh; cl = pkl; +- goto do_l3; +- } +- +- while (i--) { +- nh_vmac_nhbytes(mptr, kptr, VMAC_NHBYTES/8, rh, rl); +- rh &= m62; +- poly_step(ch, cl, pkh, pkl, rh, rl); +- mptr += (VMAC_NHBYTES/sizeof(u64)); +- } +- if (remaining) { +- nh_16(mptr, kptr, 2*((remaining+15)/16), rh, rl); +- rh &= m62; +- poly_step(ch, cl, pkh, pkl, rh, rl); +- } +- +-do_l3: +- vhash_abort(ctx); +- remaining *= 8; +- return l3hash(ch, cl, ctx->l3key[0], ctx->l3key[1], remaining); +-} +- +-static u64 vmac(unsigned char m[], unsigned int mbytes, +- const unsigned char n[16], u64 *tagl, +- struct vmac_ctx_t *ctx) +-{ +- u64 *in_n, *out_p; +- u64 p, h; +- int i; +- +- in_n = ctx->__vmac_ctx.cached_nonce; +- out_p = ctx->__vmac_ctx.cached_aes; +- +- i = n[15] & 1; +- if ((*(u64 *)(n+8) != in_n[1]) || (*(u64 *)(n) != in_n[0])) { +- in_n[0] = *(u64 *)(n); +- in_n[1] = *(u64 *)(n+8); +- ((unsigned char *)in_n)[15] &= 0xFE; +- crypto_cipher_encrypt_one(ctx->child, +- (unsigned char *)out_p, (unsigned char *)in_n); ++ struct vmac_tfm_ctx *tctx = crypto_shash_ctx(tfm); ++ __be64 out[2]; ++ u8 in[16] = { 0 }; ++ unsigned int i; ++ int err; + +- ((unsigned char *)in_n)[15] |= (unsigned char)(1-i); ++ if (keylen != VMAC_KEY_LEN) { ++ crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); ++ return -EINVAL; + } +- p = be64_to_cpup(out_p + i); +- h = vhash(m, mbytes, (u64 *)0, &ctx->__vmac_ctx); +- return le64_to_cpu(p + h); +-} +- +-static int vmac_set_key(unsigned char user_key[], struct vmac_ctx_t *ctx) +-{ +- u64 in[2] = {0}, out[2]; +- unsigned i; +- int err = 0; + +- err = crypto_cipher_setkey(ctx->child, user_key, VMAC_KEY_LEN); ++ err = crypto_cipher_setkey(tctx->cipher, key, keylen); + if (err) + return err; + + /* Fill nh key */ +- ((unsigned char *)in)[0] = 0x80; +- for (i = 0; i < sizeof(ctx->__vmac_ctx.nhkey)/8; i += 2) { +- crypto_cipher_encrypt_one(ctx->child, +- (unsigned char *)out, (unsigned char *)in); +- ctx->__vmac_ctx.nhkey[i] = be64_to_cpup(out); +- ctx->__vmac_ctx.nhkey[i+1] = be64_to_cpup(out+1); +- ((unsigned char *)in)[15] += 1; ++ in[0] = 0x80; ++ for (i = 0; i < ARRAY_SIZE(tctx->nhkey); i += 2) { ++ crypto_cipher_encrypt_one(tctx->cipher, (u8 *)out, in); ++ tctx->nhkey[i] = be64_to_cpu(out[0]); ++ tctx->nhkey[i+1] = be64_to_cpu(out[1]); ++ in[15]++; + } + + /* Fill poly key */ +- ((unsigned char *)in)[0] = 0xC0; +- in[1] = 0; +- for (i = 0; i < sizeof(ctx->__vmac_ctx.polykey)/8; i += 2) { +- crypto_cipher_encrypt_one(ctx->child, +- (unsigned char *)out, (unsigned char *)in); +- ctx->__vmac_ctx.polytmp[i] = +- ctx->__vmac_ctx.polykey[i] = +- be64_to_cpup(out) & mpoly; +- ctx->__vmac_ctx.polytmp[i+1] = +- ctx->__vmac_ctx.polykey[i+1] = +- be64_to_cpup(out+1) & mpoly; +- ((unsigned char *)in)[15] += 1; ++ in[0] = 0xC0; ++ in[15] = 0; ++ for (i = 0; i < ARRAY_SIZE(tctx->polykey); i += 2) { ++ crypto_cipher_encrypt_one(tctx->cipher, (u8 *)out, in); ++ tctx->polykey[i] = be64_to_cpu(out[0]) & mpoly; ++ tctx->polykey[i+1] = be64_to_cpu(out[1]) & mpoly; ++ in[15]++; + } + + /* Fill ip key */ +- ((unsigned char *)in)[0] = 0xE0; +- in[1] = 0; +- for (i = 0; i < sizeof(ctx->__vmac_ctx.l3key)/8; i += 2) { ++ in[0] = 0xE0; ++ in[15] = 0; ++ for (i = 0; i < ARRAY_SIZE(tctx->l3key); i += 2) { + do { +- crypto_cipher_encrypt_one(ctx->child, +- (unsigned char *)out, (unsigned char *)in); +- ctx->__vmac_ctx.l3key[i] = be64_to_cpup(out); +- ctx->__vmac_ctx.l3key[i+1] = be64_to_cpup(out+1); +- ((unsigned char *)in)[15] += 1; +- } while (ctx->__vmac_ctx.l3key[i] >= p64 +- || ctx->__vmac_ctx.l3key[i+1] >= p64); ++ crypto_cipher_encrypt_one(tctx->cipher, (u8 *)out, in); ++ tctx->l3key[i] = be64_to_cpu(out[0]); ++ tctx->l3key[i+1] = be64_to_cpu(out[1]); ++ in[15]++; ++ } while (tctx->l3key[i] >= p64 || tctx->l3key[i+1] >= p64); + } + +- /* Invalidate nonce/aes cache and reset other elements */ +- ctx->__vmac_ctx.cached_nonce[0] = (u64)-1; /* Ensure illegal nonce */ +- ctx->__vmac_ctx.cached_nonce[1] = (u64)0; /* Ensure illegal nonce */ +- ctx->__vmac_ctx.first_block_processed = 0; +- +- return err; ++ return 0; + } + +-static int vmac_setkey(struct crypto_shash *parent, +- const u8 *key, unsigned int keylen) ++static int vmac_init(struct shash_desc *desc) + { +- struct vmac_ctx_t *ctx = crypto_shash_ctx(parent); ++ const struct vmac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm); ++ struct vmac_desc_ctx *dctx = shash_desc_ctx(desc); + +- if (keylen != VMAC_KEY_LEN) { +- crypto_shash_set_flags(parent, CRYPTO_TFM_RES_BAD_KEY_LEN); +- return -EINVAL; +- } +- +- return vmac_set_key((u8 *)key, ctx); +-} +- +-static int vmac_init(struct shash_desc *pdesc) +-{ ++ dctx->partial_size = 0; ++ dctx->first_block_processed = false; ++ memcpy(dctx->polytmp, tctx->polykey, sizeof(dctx->polytmp)); + return 0; + } + +-static int vmac_update(struct shash_desc *pdesc, const u8 *p, +- unsigned int len) ++static int vmac_update(struct shash_desc *desc, const u8 *p, unsigned int len) + { +- struct crypto_shash *parent = pdesc->tfm; +- struct vmac_ctx_t *ctx = crypto_shash_ctx(parent); +- int expand; +- int min; +- +- expand = VMAC_NHBYTES - ctx->partial_size > 0 ? +- VMAC_NHBYTES - ctx->partial_size : 0; +- +- min = len < expand ? len : expand; +- +- memcpy(ctx->partial + ctx->partial_size, p, min); +- ctx->partial_size += min; +- +- if (len < expand) +- return 0; +- +- vhash_update(ctx->partial, VMAC_NHBYTES, &ctx->__vmac_ctx); +- ctx->partial_size = 0; +- +- len -= expand; +- p += expand; +- +- if (len % VMAC_NHBYTES) { +- memcpy(ctx->partial, p + len - (len % VMAC_NHBYTES), +- len % VMAC_NHBYTES); +- ctx->partial_size = len % VMAC_NHBYTES; ++ const struct vmac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm); ++ struct vmac_desc_ctx *dctx = shash_desc_ctx(desc); ++ unsigned int n; ++ ++ if (dctx->partial_size) { ++ n = min(len, VMAC_NHBYTES - dctx->partial_size); ++ memcpy(&dctx->partial[dctx->partial_size], p, n); ++ dctx->partial_size += n; ++ p += n; ++ len -= n; ++ if (dctx->partial_size == VMAC_NHBYTES) { ++ vhash_blocks(tctx, dctx, dctx->partial_words, 1); ++ dctx->partial_size = 0; ++ } ++ } ++ ++ if (len >= VMAC_NHBYTES) { ++ n = round_down(len, VMAC_NHBYTES); ++ /* TODO: 'p' may be misaligned here */ ++ vhash_blocks(tctx, dctx, (const __le64 *)p, n / VMAC_NHBYTES); ++ p += n; ++ len -= n; ++ } ++ ++ if (len) { ++ memcpy(dctx->partial, p, len); ++ dctx->partial_size = len; + } + +- vhash_update(p, len - len % VMAC_NHBYTES, &ctx->__vmac_ctx); +- + return 0; + } + +-static int vmac_final(struct shash_desc *pdesc, u8 *out) ++static u64 vhash_final(const struct vmac_tfm_ctx *tctx, ++ struct vmac_desc_ctx *dctx) + { +- struct crypto_shash *parent = pdesc->tfm; +- struct vmac_ctx_t *ctx = crypto_shash_ctx(parent); +- vmac_t mac; +- u8 nonce[16] = {}; +- +- /* vmac() ends up accessing outside the array bounds that +- * we specify. In appears to access up to the next 2-word +- * boundary. We'll just be uber cautious and zero the +- * unwritten bytes in the buffer. +- */ +- if (ctx->partial_size) { +- memset(ctx->partial + ctx->partial_size, 0, +- VMAC_NHBYTES - ctx->partial_size); +- } +- mac = vmac(ctx->partial, ctx->partial_size, nonce, NULL, ctx); +- memcpy(out, &mac, sizeof(vmac_t)); +- memzero_explicit(&mac, sizeof(vmac_t)); +- memset(&ctx->__vmac_ctx, 0, sizeof(struct vmac_ctx)); +- ctx->partial_size = 0; ++ unsigned int partial = dctx->partial_size; ++ u64 ch = dctx->polytmp[0]; ++ u64 cl = dctx->polytmp[1]; ++ ++ /* L1 and L2-hash the final block if needed */ ++ if (partial) { ++ /* Zero-pad to next 128-bit boundary */ ++ unsigned int n = round_up(partial, 16); ++ u64 rh, rl; ++ ++ memset(&dctx->partial[partial], 0, n - partial); ++ nh_16(dctx->partial_words, tctx->nhkey, n / 8, rh, rl); ++ rh &= m62; ++ if (dctx->first_block_processed) ++ poly_step(ch, cl, tctx->polykey[0], tctx->polykey[1], ++ rh, rl); ++ else ++ ADD128(ch, cl, rh, rl); ++ } ++ ++ /* L3-hash the 128-bit output of L2-hash */ ++ return l3hash(ch, cl, tctx->l3key[0], tctx->l3key[1], partial * 8); ++} ++ ++static int vmac_final(struct shash_desc *desc, u8 *out) ++{ ++ const struct vmac_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm); ++ struct vmac_desc_ctx *dctx = shash_desc_ctx(desc); ++ static const u8 nonce[16] = {}; /* TODO: this is insecure */ ++ union { ++ u8 bytes[16]; ++ __be64 pads[2]; ++ } block; ++ int index; ++ u64 hash, pad; ++ ++ /* Finish calculating the VHASH of the message */ ++ hash = vhash_final(tctx, dctx); ++ ++ /* Generate pseudorandom pad by encrypting the nonce */ ++ memcpy(&block, nonce, 16); ++ index = block.bytes[15] & 1; ++ block.bytes[15] &= ~1; ++ crypto_cipher_encrypt_one(tctx->cipher, block.bytes, block.bytes); ++ pad = be64_to_cpu(block.pads[index]); ++ ++ /* The VMAC is the sum of VHASH and the pseudorandom pad */ ++ put_unaligned_le64(hash + pad, out); + return 0; + } + + static int vmac_init_tfm(struct crypto_tfm *tfm) + { +- struct crypto_cipher *cipher; +- struct crypto_instance *inst = (void *)tfm->__crt_alg; ++ struct crypto_instance *inst = crypto_tfm_alg_instance(tfm); + struct crypto_spawn *spawn = crypto_instance_ctx(inst); +- struct vmac_ctx_t *ctx = crypto_tfm_ctx(tfm); ++ struct vmac_tfm_ctx *tctx = crypto_tfm_ctx(tfm); ++ struct crypto_cipher *cipher; + + cipher = crypto_spawn_cipher(spawn); + if (IS_ERR(cipher)) + return PTR_ERR(cipher); + +- ctx->child = cipher; ++ tctx->cipher = cipher; + return 0; + } + + static void vmac_exit_tfm(struct crypto_tfm *tfm) + { +- struct vmac_ctx_t *ctx = crypto_tfm_ctx(tfm); +- crypto_free_cipher(ctx->child); ++ struct vmac_tfm_ctx *tctx = crypto_tfm_ctx(tfm); ++ ++ crypto_free_cipher(tctx->cipher); + } + + static int vmac_create(struct crypto_template *tmpl, struct rtattr **tb) +@@ -674,11 +627,12 @@ static int vmac_create(struct crypto_tem + inst->alg.base.cra_blocksize = alg->cra_blocksize; + inst->alg.base.cra_alignmask = alg->cra_alignmask; + +- inst->alg.digestsize = sizeof(vmac_t); +- inst->alg.base.cra_ctxsize = sizeof(struct vmac_ctx_t); ++ inst->alg.base.cra_ctxsize = sizeof(struct vmac_tfm_ctx); + inst->alg.base.cra_init = vmac_init_tfm; + inst->alg.base.cra_exit = vmac_exit_tfm; + ++ inst->alg.descsize = sizeof(struct vmac_desc_ctx); ++ inst->alg.digestsize = VMAC_TAG_LEN / 8; + inst->alg.init = vmac_init; + inst->alg.update = vmac_update; + inst->alg.final = vmac_final; +--- a/include/crypto/vmac.h ++++ /dev/null +@@ -1,63 +0,0 @@ +-/* +- * Modified to interface to the Linux kernel +- * Copyright (c) 2009, Intel Corporation. +- * +- * This program is free software; you can redistribute it and/or modify it +- * under the terms and conditions of the GNU General Public License, +- * version 2, as published by the Free Software Foundation. +- * +- * This program is distributed in the hope it will be useful, but WITHOUT +- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for +- * more details. +- * +- * You should have received a copy of the GNU General Public License along with +- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple +- * Place - Suite 330, Boston, MA 02111-1307 USA. +- */ +- +-#ifndef __CRYPTO_VMAC_H +-#define __CRYPTO_VMAC_H +- +-/* -------------------------------------------------------------------------- +- * VMAC and VHASH Implementation by Ted Krovetz (tdk@acm.org) and Wei Dai. +- * This implementation is herby placed in the public domain. +- * The authors offers no warranty. Use at your own risk. +- * Please send bug reports to the authors. +- * Last modified: 17 APR 08, 1700 PDT +- * ----------------------------------------------------------------------- */ +- +-/* +- * User definable settings. +- */ +-#define VMAC_TAG_LEN 64 +-#define VMAC_KEY_SIZE 128/* Must be 128, 192 or 256 */ +-#define VMAC_KEY_LEN (VMAC_KEY_SIZE/8) +-#define VMAC_NHBYTES 128/* Must 2^i for any 3 < i < 13 Standard = 128*/ +- +-/* +- * This implementation uses u32 and u64 as names for unsigned 32- +- * and 64-bit integer types. These are defined in C99 stdint.h. The +- * following may need adaptation if you are not running a C99 or +- * Microsoft C environment. +- */ +-struct vmac_ctx { +- u64 nhkey[(VMAC_NHBYTES/8)+2*(VMAC_TAG_LEN/64-1)]; +- u64 polykey[2*VMAC_TAG_LEN/64]; +- u64 l3key[2*VMAC_TAG_LEN/64]; +- u64 polytmp[2*VMAC_TAG_LEN/64]; +- u64 cached_nonce[2]; +- u64 cached_aes[2]; +- int first_block_processed; +-}; +- +-typedef u64 vmac_t; +- +-struct vmac_ctx_t { +- struct crypto_cipher *child; +- struct vmac_ctx __vmac_ctx; +- u8 partial[VMAC_NHBYTES]; /* partial block */ +- int partial_size; /* size of the partial block */ +-}; +- +-#endif /* __CRYPTO_VMAC_H */ diff --git a/queue-4.14/crypto-x86-sha256-mb-fix-digest-copy-in-sha256_mb_mgr_get_comp_job_avx2.patch b/queue-4.14/crypto-x86-sha256-mb-fix-digest-copy-in-sha256_mb_mgr_get_comp_job_avx2.patch new file mode 100644 index 00000000000..f0dff58a517 --- /dev/null +++ b/queue-4.14/crypto-x86-sha256-mb-fix-digest-copy-in-sha256_mb_mgr_get_comp_job_avx2.patch @@ -0,0 +1,81 @@ +From af839b4e546613aed1fbd64def73956aa98631e7 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Fri, 29 Jun 2018 14:14:35 -0700 +Subject: crypto: x86/sha256-mb - fix digest copy in sha256_mb_mgr_get_comp_job_avx2() + +From: Eric Biggers + +commit af839b4e546613aed1fbd64def73956aa98631e7 upstream. + +There is a copy-paste error where sha256_mb_mgr_get_comp_job_avx2() +copies the SHA-256 digest state from sha256_mb_mgr::args::digest to +job_sha256::result_digest. Consequently, the sha256_mb algorithm +sometimes calculates the wrong digest. Fix it. + +Reproducer using AF_ALG: + + #include + #include + #include + #include + #include + #include + + static const __u8 expected[32] = + "\xad\x7f\xac\xb2\x58\x6f\xc6\xe9\x66\xc0\x04\xd7\xd1\xd1\x6b\x02" + "\x4f\x58\x05\xff\x7c\xb4\x7c\x7a\x85\xda\xbd\x8b\x48\x89\x2c\xa7"; + + int main() + { + int fd; + struct sockaddr_alg addr = { + .salg_type = "hash", + .salg_name = "sha256_mb", + }; + __u8 data[4096] = { 0 }; + __u8 digest[32]; + int ret; + int i; + + fd = socket(AF_ALG, SOCK_SEQPACKET, 0); + bind(fd, (void *)&addr, sizeof(addr)); + fork(); + fd = accept(fd, 0, 0); + do { + ret = write(fd, data, 4096); + assert(ret == 4096); + ret = read(fd, digest, 32); + assert(ret == 32); + } while (memcmp(digest, expected, 32) == 0); + + printf("wrong digest: "); + for (i = 0; i < 32; i++) + printf("%02x", digest[i]); + printf("\n"); + } + +Output was: + + wrong digest: ad7facb2000000000000000000000000ffffffef7cb47c7a85dabd8b48892ca7 + +Fixes: 172b1d6b5a93 ("crypto: sha256-mb - fix ctx pointer and digest copy") +Cc: # v4.8+ +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/crypto/sha256-mb/sha256_mb_mgr_flush_avx2.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/crypto/sha256-mb/sha256_mb_mgr_flush_avx2.S ++++ b/arch/x86/crypto/sha256-mb/sha256_mb_mgr_flush_avx2.S +@@ -265,7 +265,7 @@ ENTRY(sha256_mb_mgr_get_comp_job_avx2) + vpinsrd $1, _args_digest+1*32(state, idx, 4), %xmm0, %xmm0 + vpinsrd $2, _args_digest+2*32(state, idx, 4), %xmm0, %xmm0 + vpinsrd $3, _args_digest+3*32(state, idx, 4), %xmm0, %xmm0 +- vmovd _args_digest(state , idx, 4) , %xmm0 ++ vmovd _args_digest+4*32(state, idx, 4), %xmm1 + vpinsrd $1, _args_digest+5*32(state, idx, 4), %xmm1, %xmm1 + vpinsrd $2, _args_digest+6*32(state, idx, 4), %xmm1, %xmm1 + vpinsrd $3, _args_digest+7*32(state, idx, 4), %xmm1, %xmm1 diff --git a/queue-4.14/fw_cfg-fix-driver-remove.patch b/queue-4.14/fw_cfg-fix-driver-remove.patch new file mode 100644 index 00000000000..37a9094d53f --- /dev/null +++ b/queue-4.14/fw_cfg-fix-driver-remove.patch @@ -0,0 +1,40 @@ +From 23f1b8d938c861ee0bbb786162f7ce0685f722ec Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Mon, 20 Nov 2017 10:55:15 +0100 +Subject: fw_cfg: fix driver remove +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marc-André Lureau + +commit 23f1b8d938c861ee0bbb786162f7ce0685f722ec upstream. + +On driver remove(), all objects created during probe() should be +removed, but sysfs qemu_fw_cfg/rev file was left. Also reorder +functions to match probe() error cleanup code. + +Cc: stable@vger.kernel.org +Signed-off-by: Marc-André Lureau +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firmware/qemu_fw_cfg.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/firmware/qemu_fw_cfg.c ++++ b/drivers/firmware/qemu_fw_cfg.c +@@ -582,9 +582,10 @@ static int fw_cfg_sysfs_remove(struct pl + { + pr_debug("fw_cfg: unloading.\n"); + fw_cfg_sysfs_cache_cleanup(); ++ sysfs_remove_file(fw_cfg_top_ko, &fw_cfg_rev_attr.attr); ++ fw_cfg_io_cleanup(); + fw_cfg_kset_unregister_recursive(fw_cfg_fname_kset); + fw_cfg_kobj_cleanup(fw_cfg_sel_ko); +- fw_cfg_io_cleanup(); + return 0; + } + diff --git a/queue-4.14/ioremap-update-pgtable-free-interfaces-with-addr.patch b/queue-4.14/ioremap-update-pgtable-free-interfaces-with-addr.patch new file mode 100644 index 00000000000..d81326c61db --- /dev/null +++ b/queue-4.14/ioremap-update-pgtable-free-interfaces-with-addr.patch @@ -0,0 +1,177 @@ +From 785a19f9d1dd8a4ab2d0633be4656653bd3de1fc Mon Sep 17 00:00:00 2001 +From: Chintan Pandya +Date: Wed, 27 Jun 2018 08:13:47 -0600 +Subject: ioremap: Update pgtable free interfaces with addr + +From: Chintan Pandya + +commit 785a19f9d1dd8a4ab2d0633be4656653bd3de1fc upstream. + +The following kernel panic was observed on ARM64 platform due to a stale +TLB entry. + + 1. ioremap with 4K size, a valid pte page table is set. + 2. iounmap it, its pte entry is set to 0. + 3. ioremap the same address with 2M size, update its pmd entry with + a new value. + 4. CPU may hit an exception because the old pmd entry is still in TLB, + which leads to a kernel panic. + +Commit b6bdb7517c3d ("mm/vmalloc: add interfaces to free unmapped page +table") has addressed this panic by falling to pte mappings in the above +case on ARM64. + +To support pmd mappings in all cases, TLB purge needs to be performed +in this case on ARM64. + +Add a new arg, 'addr', to pud_free_pmd_page() and pmd_free_pte_page() +so that TLB purge can be added later in seprate patches. + +[toshi.kani@hpe.com: merge changes, rewrite patch description] +Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces") +Signed-off-by: Chintan Pandya +Signed-off-by: Toshi Kani +Signed-off-by: Thomas Gleixner +Cc: mhocko@suse.com +Cc: akpm@linux-foundation.org +Cc: hpa@zytor.com +Cc: linux-mm@kvack.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: Will Deacon +Cc: Joerg Roedel +Cc: stable@vger.kernel.org +Cc: Andrew Morton +Cc: Michal Hocko +Cc: "H. Peter Anvin" +Cc: +Link: https://lkml.kernel.org/r/20180627141348.21777-3-toshi.kani@hpe.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/mm/mmu.c | 4 ++-- + arch/x86/mm/pgtable.c | 12 +++++++----- + include/asm-generic/pgtable.h | 8 ++++---- + lib/ioremap.c | 4 ++-- + 4 files changed, 15 insertions(+), 13 deletions(-) + +--- a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -938,12 +938,12 @@ int pmd_clear_huge(pmd_t *pmd) + return 1; + } + +-int pud_free_pmd_page(pud_t *pud) ++int pud_free_pmd_page(pud_t *pud, unsigned long addr) + { + return pud_none(*pud); + } + +-int pmd_free_pte_page(pmd_t *pmd) ++int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) + { + return pmd_none(*pmd); + } +--- a/arch/x86/mm/pgtable.c ++++ b/arch/x86/mm/pgtable.c +@@ -716,11 +716,12 @@ int pmd_clear_huge(pmd_t *pmd) + /** + * pud_free_pmd_page - Clear pud entry and free pmd page. + * @pud: Pointer to a PUD. ++ * @addr: Virtual address associated with pud. + * + * Context: The pud range has been unmaped and TLB purged. + * Return: 1 if clearing the entry succeeded. 0 otherwise. + */ +-int pud_free_pmd_page(pud_t *pud) ++int pud_free_pmd_page(pud_t *pud, unsigned long addr) + { + pmd_t *pmd; + int i; +@@ -731,7 +732,7 @@ int pud_free_pmd_page(pud_t *pud) + pmd = (pmd_t *)pud_page_vaddr(*pud); + + for (i = 0; i < PTRS_PER_PMD; i++) +- if (!pmd_free_pte_page(&pmd[i])) ++ if (!pmd_free_pte_page(&pmd[i], addr + (i * PMD_SIZE))) + return 0; + + pud_clear(pud); +@@ -743,11 +744,12 @@ int pud_free_pmd_page(pud_t *pud) + /** + * pmd_free_pte_page - Clear pmd entry and free pte page. + * @pmd: Pointer to a PMD. ++ * @addr: Virtual address associated with pmd. + * + * Context: The pmd range has been unmaped and TLB purged. + * Return: 1 if clearing the entry succeeded. 0 otherwise. + */ +-int pmd_free_pte_page(pmd_t *pmd) ++int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) + { + pte_t *pte; + +@@ -763,7 +765,7 @@ int pmd_free_pte_page(pmd_t *pmd) + + #else /* !CONFIG_X86_64 */ + +-int pud_free_pmd_page(pud_t *pud) ++int pud_free_pmd_page(pud_t *pud, unsigned long addr) + { + return pud_none(*pud); + } +@@ -772,7 +774,7 @@ int pud_free_pmd_page(pud_t *pud) + * Disable free page handling on x86-PAE. This assures that ioremap() + * does not update sync'd pmd entries. See vmalloc_sync_one(). + */ +-int pmd_free_pte_page(pmd_t *pmd) ++int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) + { + return pmd_none(*pmd); + } +--- a/include/asm-generic/pgtable.h ++++ b/include/asm-generic/pgtable.h +@@ -991,8 +991,8 @@ int pud_set_huge(pud_t *pud, phys_addr_t + int pmd_set_huge(pmd_t *pmd, phys_addr_t addr, pgprot_t prot); + int pud_clear_huge(pud_t *pud); + int pmd_clear_huge(pmd_t *pmd); +-int pud_free_pmd_page(pud_t *pud); +-int pmd_free_pte_page(pmd_t *pmd); ++int pud_free_pmd_page(pud_t *pud, unsigned long addr); ++int pmd_free_pte_page(pmd_t *pmd, unsigned long addr); + #else /* !CONFIG_HAVE_ARCH_HUGE_VMAP */ + static inline int p4d_set_huge(p4d_t *p4d, phys_addr_t addr, pgprot_t prot) + { +@@ -1018,11 +1018,11 @@ static inline int pmd_clear_huge(pmd_t * + { + return 0; + } +-static inline int pud_free_pmd_page(pud_t *pud) ++static inline int pud_free_pmd_page(pud_t *pud, unsigned long addr) + { + return 0; + } +-static inline int pmd_free_pte_page(pmd_t *pmd) ++static inline int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) + { + return 0; + } +--- a/lib/ioremap.c ++++ b/lib/ioremap.c +@@ -92,7 +92,7 @@ static inline int ioremap_pmd_range(pud_ + if (ioremap_pmd_enabled() && + ((next - addr) == PMD_SIZE) && + IS_ALIGNED(phys_addr + addr, PMD_SIZE) && +- pmd_free_pte_page(pmd)) { ++ pmd_free_pte_page(pmd, addr)) { + if (pmd_set_huge(pmd, phys_addr + addr, prot)) + continue; + } +@@ -119,7 +119,7 @@ static inline int ioremap_pud_range(p4d_ + if (ioremap_pud_enabled() && + ((next - addr) == PUD_SIZE) && + IS_ALIGNED(phys_addr + addr, PUD_SIZE) && +- pud_free_pmd_page(pud)) { ++ pud_free_pmd_page(pud, addr)) { + if (pud_set_huge(pud, phys_addr + addr, prot)) + continue; + } diff --git a/queue-4.14/kbuild-verify-that-depmod-is-installed.patch b/queue-4.14/kbuild-verify-that-depmod-is-installed.patch new file mode 100644 index 00000000000..c85fdc3d6c8 --- /dev/null +++ b/queue-4.14/kbuild-verify-that-depmod-is-installed.patch @@ -0,0 +1,101 @@ +From 934193a654c1f4d0643ddbf4b2529b508cae926e Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Sun, 1 Jul 2018 19:46:06 -0700 +Subject: kbuild: verify that $DEPMOD is installed + +From: Randy Dunlap + +commit 934193a654c1f4d0643ddbf4b2529b508cae926e upstream. + +Verify that 'depmod' ($DEPMOD) is installed. +This is a partial revert of commit 620c231c7a7f +("kbuild: do not check for ancient modutils tools"). + +Also update Documentation/process/changes.rst to refer to +kmod instead of module-init-tools. + +Fixes kernel bugzilla #198965: +https://bugzilla.kernel.org/show_bug.cgi?id=198965 + +Signed-off-by: Randy Dunlap +Cc: Lucas De Marchi +Cc: Lucas De Marchi +Cc: Michal Marek +Cc: Jessica Yu +Cc: Chih-Wei Huang +Cc: stable@vger.kernel.org # any kernel since 2012 +Signed-off-by: Masahiro Yamada +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/process/changes.rst | 19 +++++++------------ + scripts/depmod.sh | 8 +++++++- + 2 files changed, 14 insertions(+), 13 deletions(-) + +--- a/Documentation/process/changes.rst ++++ b/Documentation/process/changes.rst +@@ -33,7 +33,7 @@ GNU C 3.2 + GNU make 3.81 make --version + binutils 2.20 ld -v + util-linux 2.10o fdformat --version +-module-init-tools 0.9.10 depmod -V ++kmod 13 depmod -V + e2fsprogs 1.41.4 e2fsck -V + jfsutils 1.1.3 fsck.jfs -V + reiserfsprogs 3.6.3 reiserfsck -V +@@ -141,12 +141,6 @@ is not build with ``CONFIG_KALLSYMS`` an + reproduce the Oops with that option, then you can still decode that Oops + with ksymoops. + +-Module-Init-Tools +------------------ +- +-A new module loader is now in the kernel that requires ``module-init-tools`` +-to use. It is backward compatible with the 2.4.x series kernels. +- + Mkinitrd + -------- + +@@ -346,16 +340,17 @@ Util-linux + + - + ++Kmod ++---- ++ ++- ++- ++ + Ksymoops + -------- + + - + +-Module-Init-Tools +------------------ +- +-- +- + Mkinitrd + -------- + +--- a/scripts/depmod.sh ++++ b/scripts/depmod.sh +@@ -11,10 +11,16 @@ DEPMOD=$1 + KERNELRELEASE=$2 + SYMBOL_PREFIX=$3 + +-if ! test -r System.map -a -x "$DEPMOD"; then ++if ! test -r System.map ; then + exit 0 + fi + ++if [ -z $(command -v $DEPMOD) ]; then ++ echo "'make modules_install' requires $DEPMOD. Please install it." >&2 ++ echo "This is probably in the kmod package." >&2 ++ exit 1 ++fi ++ + # older versions of depmod don't support -P + # support was added in module-init-tools 3.13 + if test -n "$SYMBOL_PREFIX"; then diff --git a/queue-4.14/sched-debug-fix-task-state-recording-printout.patch b/queue-4.14/sched-debug-fix-task-state-recording-printout.patch new file mode 100644 index 00000000000..ac2bc23a0eb --- /dev/null +++ b/queue-4.14/sched-debug-fix-task-state-recording-printout.patch @@ -0,0 +1,58 @@ +From 3f5fe9fef5b2da06b6319fab8123056da5217c3f Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Wed, 22 Nov 2017 13:05:48 +0100 +Subject: sched/debug: Fix task state recording/printout + +From: Thomas Gleixner + +commit 3f5fe9fef5b2da06b6319fab8123056da5217c3f upstream. + +The recent conversion of the task state recording to use task_state_index() +broke the sched_switch tracepoint task state output. + +task_state_index() returns surprisingly an index (0-7) which is then +printed with __print_flags() applying bitmasks. Not really working and +resulting in weird states like 'prev_state=t' instead of 'prev_state=I'. + +Use TASK_REPORT_MAX instead of TASK_STATE_MAX to report preemption. Build a +bitmask from the return value of task_state_index() and store it in +entry->prev_state, which makes __print_flags() work as expected. + +Signed-off-by: Thomas Gleixner +Cc: Linus Torvalds +Cc: Paul E. McKenney +Cc: Peter Zijlstra +Cc: Steven Rostedt +Cc: stable@vger.kernel.org +Fixes: efb40f588b43 ("sched/tracing: Fix trace_sched_switch task-state printing") +Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1711221304180.1751@nanos +Signed-off-by: Ingo Molnar +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + include/trace/events/sched.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/include/trace/events/sched.h ++++ b/include/trace/events/sched.h +@@ -116,9 +116,9 @@ static inline long __trace_sched_switch_ + * RUNNING (we will not have dequeued if state != RUNNING). + */ + if (preempt) +- return TASK_STATE_MAX; ++ return TASK_REPORT_MAX; + +- return __get_task_state(p); ++ return 1 << __get_task_state(p); + } + #endif /* CREATE_TRACE_POINTS */ + +@@ -164,7 +164,7 @@ TRACE_EVENT(sched_switch, + { 0x40, "P" }, { 0x80, "I" }) : + "R", + +- __entry->prev_state & TASK_STATE_MAX ? "+" : "", ++ __entry->prev_state & TASK_REPORT_MAX ? "+" : "", + __entry->next_comm, __entry->next_pid, __entry->next_prio) + ); + diff --git a/queue-4.14/series b/queue-4.14/series index 1ecc038ab29..c32cac56695 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -1,3 +1,22 @@ x86-l1tf-fix-build-error-seen-if-config_kvm_intel-is-disabled.patch x86-i8259-add-missing-include-file.patch x86-mm-disable-ioremap-free-page-handling-on-x86-pae.patch +kbuild-verify-that-depmod-is-installed.patch +crypto-x86-sha256-mb-fix-digest-copy-in-sha256_mb_mgr_get_comp_job_avx2.patch +crypto-vmac-require-a-block-cipher-with-128-bit-block-size.patch +crypto-vmac-separate-tfm-and-request-context.patch +crypto-blkcipher-fix-crash-flushing-dcache-in-error-path.patch +crypto-ablkcipher-fix-crash-flushing-dcache-in-error-path.patch +crypto-skcipher-fix-aligning-block-size-in-skcipher_copy_iv.patch +crypto-skcipher-fix-crash-flushing-dcache-in-error-path.patch +acpi-apei-remove-ghes_ioremap_area.patch +sched-debug-fix-task-state-recording-printout.patch +fw_cfg-fix-driver-remove.patch +asoc-rsnd-fix-adg-flags.patch +clk-sunxi-ng-fix-missing-clk_set_rate_parent-in-ccu-sun4i-a10.c.patch +block-bfq-fix-wrong-init-of-saved-start-time-for-weight-raising.patch +asoc-msm8916-wcd-digital-fix-rx2-mix1-and-rx3-mix1.patch +asoc-intel-cht_bsw_max98090_ti-fix-jack-initialization.patch +bluetooth-hidp-buffer-overflow-in-hidp_process_report.patch +ioremap-update-pgtable-free-interfaces-with-addr.patch +x86-mm-add-tlb-purge-to-free-pmd-pte-page-interfaces.patch diff --git a/queue-4.14/x86-mm-add-tlb-purge-to-free-pmd-pte-page-interfaces.patch b/queue-4.14/x86-mm-add-tlb-purge-to-free-pmd-pte-page-interfaces.patch new file mode 100644 index 00000000000..91edb99203a --- /dev/null +++ b/queue-4.14/x86-mm-add-tlb-purge-to-free-pmd-pte-page-interfaces.patch @@ -0,0 +1,124 @@ +From 5e0fb5df2ee871b841f96f9cb6a7f2784e96aa4e Mon Sep 17 00:00:00 2001 +From: Toshi Kani +Date: Wed, 27 Jun 2018 08:13:48 -0600 +Subject: x86/mm: Add TLB purge to free pmd/pte page interfaces + +From: Toshi Kani + +commit 5e0fb5df2ee871b841f96f9cb6a7f2784e96aa4e upstream. + +ioremap() calls pud_free_pmd_page() / pmd_free_pte_page() when it creates +a pud / pmd map. The following preconditions are met at their entry. + - All pte entries for a target pud/pmd address range have been cleared. + - System-wide TLB purges have been peformed for a target pud/pmd address + range. + +The preconditions assure that there is no stale TLB entry for the range. +Speculation may not cache TLB entries since it requires all levels of page +entries, including ptes, to have P & A-bits set for an associated address. +However, speculation may cache pud/pmd entries (paging-structure caches) +when they have P-bit set. + +Add a system-wide TLB purge (INVLPG) to a single page after clearing +pud/pmd entry's P-bit. + +SDM 4.10.4.1, Operation that Invalidate TLBs and Paging-Structure Caches, +states that: + INVLPG invalidates all paging-structure caches associated with the + current PCID regardless of the liner addresses to which they correspond. + +Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces") +Signed-off-by: Toshi Kani +Signed-off-by: Thomas Gleixner +Cc: mhocko@suse.com +Cc: akpm@linux-foundation.org +Cc: hpa@zytor.com +Cc: cpandya@codeaurora.org +Cc: linux-mm@kvack.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: Joerg Roedel +Cc: stable@vger.kernel.org +Cc: Andrew Morton +Cc: Michal Hocko +Cc: "H. Peter Anvin" +Cc: +Link: https://lkml.kernel.org/r/20180627141348.21777-4-toshi.kani@hpe.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/pgtable.c | 38 +++++++++++++++++++++++++++++++------- + 1 file changed, 31 insertions(+), 7 deletions(-) + +--- a/arch/x86/mm/pgtable.c ++++ b/arch/x86/mm/pgtable.c +@@ -718,24 +718,44 @@ int pmd_clear_huge(pmd_t *pmd) + * @pud: Pointer to a PUD. + * @addr: Virtual address associated with pud. + * +- * Context: The pud range has been unmaped and TLB purged. ++ * Context: The pud range has been unmapped and TLB purged. + * Return: 1 if clearing the entry succeeded. 0 otherwise. ++ * ++ * NOTE: Callers must allow a single page allocation. + */ + int pud_free_pmd_page(pud_t *pud, unsigned long addr) + { +- pmd_t *pmd; ++ pmd_t *pmd, *pmd_sv; ++ pte_t *pte; + int i; + + if (pud_none(*pud)) + return 1; + + pmd = (pmd_t *)pud_page_vaddr(*pud); +- +- for (i = 0; i < PTRS_PER_PMD; i++) +- if (!pmd_free_pte_page(&pmd[i], addr + (i * PMD_SIZE))) +- return 0; ++ pmd_sv = (pmd_t *)__get_free_page(GFP_KERNEL); ++ if (!pmd_sv) ++ return 0; ++ ++ for (i = 0; i < PTRS_PER_PMD; i++) { ++ pmd_sv[i] = pmd[i]; ++ if (!pmd_none(pmd[i])) ++ pmd_clear(&pmd[i]); ++ } + + pud_clear(pud); ++ ++ /* INVLPG to clear all paging-structure caches */ ++ flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1); ++ ++ for (i = 0; i < PTRS_PER_PMD; i++) { ++ if (!pmd_none(pmd_sv[i])) { ++ pte = (pte_t *)pmd_page_vaddr(pmd_sv[i]); ++ free_page((unsigned long)pte); ++ } ++ } ++ ++ free_page((unsigned long)pmd_sv); + free_page((unsigned long)pmd); + + return 1; +@@ -746,7 +766,7 @@ int pud_free_pmd_page(pud_t *pud, unsign + * @pmd: Pointer to a PMD. + * @addr: Virtual address associated with pmd. + * +- * Context: The pmd range has been unmaped and TLB purged. ++ * Context: The pmd range has been unmapped and TLB purged. + * Return: 1 if clearing the entry succeeded. 0 otherwise. + */ + int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) +@@ -758,6 +778,10 @@ int pmd_free_pte_page(pmd_t *pmd, unsign + + pte = (pte_t *)pmd_page_vaddr(*pmd); + pmd_clear(pmd); ++ ++ /* INVLPG to clear all paging-structure caches */ ++ flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1); ++ + free_page((unsigned long)pte); + + return 1;