From: Greg Kroah-Hartman Date: Fri, 18 Aug 2017 23:38:32 +0000 (-0700) Subject: 4.4-stable patches X-Git-Tag: v3.18.67~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a4aee34a5c4e5209a89f4f0471f347e2239be8e5;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: audit-fix-use-after-free-in-audit_remove_watch_rule.patch crypto-x86-sha1-fix-reads-beyond-the-number-of-blocks-passed.patch input-elan_i2c-add-antoher-lenovo-acpi-id-for-upcoming-lenovo-nb.patch input-elan_i2c-add-elan0608-to-the-acpi-table.patch parisc-pci-memory-bar-assignment-fails-with-64bit-kernels-on-dino-cujo.patch --- diff --git a/queue-4.4/audit-fix-use-after-free-in-audit_remove_watch_rule.patch b/queue-4.4/audit-fix-use-after-free-in-audit_remove_watch_rule.patch new file mode 100644 index 00000000000..b4f0b16d7da --- /dev/null +++ b/queue-4.4/audit-fix-use-after-free-in-audit_remove_watch_rule.patch @@ -0,0 +1,56 @@ +From d76036ab47eafa6ce52b69482e91ca3ba337d6d6 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 15 Aug 2017 13:00:36 +0200 +Subject: audit: Fix use after free in audit_remove_watch_rule() + +From: Jan Kara + +commit d76036ab47eafa6ce52b69482e91ca3ba337d6d6 upstream. + +audit_remove_watch_rule() drops watch's reference to parent but then +continues to work with it. That is not safe as parent can get freed once +we drop our reference. The following is a trivial reproducer: + +mount -o loop image /mnt +touch /mnt/file +auditctl -w /mnt/file -p wax +umount /mnt +auditctl -D + + +Grab our own reference in audit_remove_watch_rule() earlier to make sure +mark does not get freed under us. + +Reported-by: Tony Jones +Signed-off-by: Jan Kara +Tested-by: Tony Jones +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/audit_watch.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/kernel/audit_watch.c ++++ b/kernel/audit_watch.c +@@ -457,13 +457,15 @@ void audit_remove_watch_rule(struct audi + list_del(&krule->rlist); + + if (list_empty(&watch->rules)) { ++ /* ++ * audit_remove_watch() drops our reference to 'parent' which ++ * can get freed. Grab our own reference to be safe. ++ */ ++ audit_get_parent(parent); + audit_remove_watch(watch); +- +- if (list_empty(&parent->watches)) { +- audit_get_parent(parent); ++ if (list_empty(&parent->watches)) + fsnotify_destroy_mark(&parent->mark, audit_watch_group); +- audit_put_parent(parent); +- } ++ audit_put_parent(parent); + } + } + diff --git a/queue-4.4/crypto-x86-sha1-fix-reads-beyond-the-number-of-blocks-passed.patch b/queue-4.4/crypto-x86-sha1-fix-reads-beyond-the-number-of-blocks-passed.patch new file mode 100644 index 00000000000..c6173c6d726 --- /dev/null +++ b/queue-4.4/crypto-x86-sha1-fix-reads-beyond-the-number-of-blocks-passed.patch @@ -0,0 +1,208 @@ +From 8861249c740fc4af9ddc5aee321eafefb960d7c6 Mon Sep 17 00:00:00 2001 +From: "megha.dey@linux.intel.com" +Date: Wed, 2 Aug 2017 13:49:09 -0700 +Subject: crypto: x86/sha1 - Fix reads beyond the number of blocks passed + +From: megha.dey@linux.intel.com + +commit 8861249c740fc4af9ddc5aee321eafefb960d7c6 upstream. + +It was reported that the sha1 AVX2 function(sha1_transform_avx2) is +reading ahead beyond its intended data, and causing a crash if the next +block is beyond page boundary: +http://marc.info/?l=linux-crypto-vger&m=149373371023377 + +This patch makes sure that there is no overflow for any buffer length. + +It passes the tests written by Jan Stancek that revealed this problem: +https://github.com/jstancek/sha1-avx2-crash + +I have re-enabled sha1-avx2 by reverting commit +b82ce24426a4071da9529d726057e4e642948667 + +Fixes: b82ce24426a4 ("crypto: sha1-ssse3 - Disable avx2") +Originally-by: Ilya Albrekht +Tested-by: Jan Stancek +Signed-off-by: Megha Dey +Reported-by: Jan Stancek +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/crypto/sha1_avx2_x86_64_asm.S | 67 +++++++++++++++++---------------- + arch/x86/crypto/sha1_ssse3_glue.c | 2 + 2 files changed, 37 insertions(+), 32 deletions(-) + +--- a/arch/x86/crypto/sha1_avx2_x86_64_asm.S ++++ b/arch/x86/crypto/sha1_avx2_x86_64_asm.S +@@ -117,11 +117,10 @@ + .set T1, REG_T1 + .endm + +-#define K_BASE %r8 + #define HASH_PTR %r9 ++#define BLOCKS_CTR %r8 + #define BUFFER_PTR %r10 + #define BUFFER_PTR2 %r13 +-#define BUFFER_END %r11 + + #define PRECALC_BUF %r14 + #define WK_BUF %r15 +@@ -205,14 +204,14 @@ + * blended AVX2 and ALU instruction scheduling + * 1 vector iteration per 8 rounds + */ +- vmovdqu ((i * 2) + PRECALC_OFFSET)(BUFFER_PTR), W_TMP ++ vmovdqu (i * 2)(BUFFER_PTR), W_TMP + .elseif ((i & 7) == 1) +- vinsertf128 $1, (((i-1) * 2)+PRECALC_OFFSET)(BUFFER_PTR2),\ ++ vinsertf128 $1, ((i-1) * 2)(BUFFER_PTR2),\ + WY_TMP, WY_TMP + .elseif ((i & 7) == 2) + vpshufb YMM_SHUFB_BSWAP, WY_TMP, WY + .elseif ((i & 7) == 4) +- vpaddd K_XMM(K_BASE), WY, WY_TMP ++ vpaddd K_XMM + K_XMM_AR(%rip), WY, WY_TMP + .elseif ((i & 7) == 7) + vmovdqu WY_TMP, PRECALC_WK(i&~7) + +@@ -255,7 +254,7 @@ + vpxor WY, WY_TMP, WY_TMP + .elseif ((i & 7) == 7) + vpxor WY_TMP2, WY_TMP, WY +- vpaddd K_XMM(K_BASE), WY, WY_TMP ++ vpaddd K_XMM + K_XMM_AR(%rip), WY, WY_TMP + vmovdqu WY_TMP, PRECALC_WK(i&~7) + + PRECALC_ROTATE_WY +@@ -291,7 +290,7 @@ + vpsrld $30, WY, WY + vpor WY, WY_TMP, WY + .elseif ((i & 7) == 7) +- vpaddd K_XMM(K_BASE), WY, WY_TMP ++ vpaddd K_XMM + K_XMM_AR(%rip), WY, WY_TMP + vmovdqu WY_TMP, PRECALC_WK(i&~7) + + PRECALC_ROTATE_WY +@@ -446,6 +445,16 @@ + + .endm + ++/* Add constant only if (%2 > %3) condition met (uses RTA as temp) ++ * %1 + %2 >= %3 ? %4 : 0 ++ */ ++.macro ADD_IF_GE a, b, c, d ++ mov \a, RTA ++ add $\d, RTA ++ cmp $\c, \b ++ cmovge RTA, \a ++.endm ++ + /* + * macro implements 80 rounds of SHA-1, for multiple blocks with s/w pipelining + */ +@@ -463,13 +472,16 @@ + lea (2*4*80+32)(%rsp), WK_BUF + + # Precalc WK for first 2 blocks +- PRECALC_OFFSET = 0 ++ ADD_IF_GE BUFFER_PTR2, BLOCKS_CTR, 2, 64 + .set i, 0 + .rept 160 + PRECALC i + .set i, i + 1 + .endr +- PRECALC_OFFSET = 128 ++ ++ /* Go to next block if needed */ ++ ADD_IF_GE BUFFER_PTR, BLOCKS_CTR, 3, 128 ++ ADD_IF_GE BUFFER_PTR2, BLOCKS_CTR, 4, 128 + xchg WK_BUF, PRECALC_BUF + + .align 32 +@@ -479,8 +491,8 @@ _loop: + * we use K_BASE value as a signal of a last block, + * it is set below by: cmovae BUFFER_PTR, K_BASE + */ +- cmp K_BASE, BUFFER_PTR +- jne _begin ++ test BLOCKS_CTR, BLOCKS_CTR ++ jnz _begin + .align 32 + jmp _end + .align 32 +@@ -512,10 +524,10 @@ _loop0: + .set j, j+2 + .endr + +- add $(2*64), BUFFER_PTR /* move to next odd-64-byte block */ +- cmp BUFFER_END, BUFFER_PTR /* is current block the last one? */ +- cmovae K_BASE, BUFFER_PTR /* signal the last iteration smartly */ +- ++ /* Update Counter */ ++ sub $1, BLOCKS_CTR ++ /* Move to the next block only if needed*/ ++ ADD_IF_GE BUFFER_PTR, BLOCKS_CTR, 4, 128 + /* + * rounds + * 60,62,64,66,68 +@@ -532,8 +544,8 @@ _loop0: + UPDATE_HASH 12(HASH_PTR), D + UPDATE_HASH 16(HASH_PTR), E + +- cmp K_BASE, BUFFER_PTR /* is current block the last one? */ +- je _loop ++ test BLOCKS_CTR, BLOCKS_CTR ++ jz _loop + + mov TB, B + +@@ -575,10 +587,10 @@ _loop2: + .set j, j+2 + .endr + +- add $(2*64), BUFFER_PTR2 /* move to next even-64-byte block */ +- +- cmp BUFFER_END, BUFFER_PTR2 /* is current block the last one */ +- cmovae K_BASE, BUFFER_PTR /* signal the last iteration smartly */ ++ /* update counter */ ++ sub $1, BLOCKS_CTR ++ /* Move to the next block only if needed*/ ++ ADD_IF_GE BUFFER_PTR2, BLOCKS_CTR, 4, 128 + + jmp _loop3 + _loop3: +@@ -641,19 +653,12 @@ _loop3: + + avx2_zeroupper + +- lea K_XMM_AR(%rip), K_BASE +- ++ /* Setup initial values */ + mov CTX, HASH_PTR + mov BUF, BUFFER_PTR +- lea 64(BUF), BUFFER_PTR2 +- +- shl $6, CNT /* mul by 64 */ +- add BUF, CNT +- add $64, CNT +- mov CNT, BUFFER_END + +- cmp BUFFER_END, BUFFER_PTR2 +- cmovae K_BASE, BUFFER_PTR2 ++ mov BUF, BUFFER_PTR2 ++ mov CNT, BLOCKS_CTR + + xmm_mov BSWAP_SHUFB_CTL(%rip), YMM_SHUFB_BSWAP + +--- a/arch/x86/crypto/sha1_ssse3_glue.c ++++ b/arch/x86/crypto/sha1_ssse3_glue.c +@@ -201,7 +201,7 @@ asmlinkage void sha1_transform_avx2(u32 + + static bool avx2_usable(void) + { +- if (false && avx_usable() && boot_cpu_has(X86_FEATURE_AVX2) ++ if (avx_usable() && boot_cpu_has(X86_FEATURE_AVX2) + && boot_cpu_has(X86_FEATURE_BMI1) + && boot_cpu_has(X86_FEATURE_BMI2)) + return true; diff --git a/queue-4.4/input-elan_i2c-add-antoher-lenovo-acpi-id-for-upcoming-lenovo-nb.patch b/queue-4.4/input-elan_i2c-add-antoher-lenovo-acpi-id-for-upcoming-lenovo-nb.patch new file mode 100644 index 00000000000..d3fb9a04ee9 --- /dev/null +++ b/queue-4.4/input-elan_i2c-add-antoher-lenovo-acpi-id-for-upcoming-lenovo-nb.patch @@ -0,0 +1,32 @@ +From 76988690402dde2880bfe06ecccf381d48ba8e1c Mon Sep 17 00:00:00 2001 +From: KT Liao +Date: Mon, 14 Aug 2017 20:11:59 -0700 +Subject: Input: elan_i2c - Add antoher Lenovo ACPI ID for upcoming Lenovo NB + +From: KT Liao + +commit 76988690402dde2880bfe06ecccf381d48ba8e1c upstream. + +Add 2 new IDs (ELAN0609 and ELAN060B) to the list of ACPI IDs that should +be handled by the driver. + +Signed-off-by: KT Liao +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/elan_i2c_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1236,6 +1236,9 @@ static const struct acpi_device_id elan_ + { "ELAN0600", 0 }, + { "ELAN0605", 0 }, + { "ELAN0608", 0 }, ++ { "ELAN0605", 0 }, ++ { "ELAN0609", 0 }, ++ { "ELAN060B", 0 }, + { "ELAN1000", 0 }, + { } + }; diff --git a/queue-4.4/input-elan_i2c-add-elan0608-to-the-acpi-table.patch b/queue-4.4/input-elan_i2c-add-elan0608-to-the-acpi-table.patch new file mode 100644 index 00000000000..43d177857b4 --- /dev/null +++ b/queue-4.4/input-elan_i2c-add-elan0608-to-the-acpi-table.patch @@ -0,0 +1,34 @@ +From 1874064eed0502bd9bef7be8023757b0c4f26883 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Mon, 14 Aug 2017 20:11:26 -0700 +Subject: Input: elan_i2c - add ELAN0608 to the ACPI table + +From: Kai-Heng Feng + +commit 1874064eed0502bd9bef7be8023757b0c4f26883 upstream. + +Similar to commit 722c5ac708b4f ("Input: elan_i2c - add ELAN0605 to the +ACPI table"), ELAN0608 should be handled by elan_i2c. + +This touchpad can be found in Lenovo ideapad 320-14IKB. + +BugLink: https://bugs.launchpad.net/bugs/1708852 + +Signed-off-by: Kai-Heng Feng +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/elan_i2c_core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1235,6 +1235,7 @@ static const struct acpi_device_id elan_ + { "ELAN0100", 0 }, + { "ELAN0600", 0 }, + { "ELAN0605", 0 }, ++ { "ELAN0608", 0 }, + { "ELAN1000", 0 }, + { } + }; diff --git a/queue-4.4/parisc-pci-memory-bar-assignment-fails-with-64bit-kernels-on-dino-cujo.patch b/queue-4.4/parisc-pci-memory-bar-assignment-fails-with-64bit-kernels-on-dino-cujo.patch new file mode 100644 index 00000000000..83169417995 --- /dev/null +++ b/queue-4.4/parisc-pci-memory-bar-assignment-fails-with-64bit-kernels-on-dino-cujo.patch @@ -0,0 +1,34 @@ +From 4098116039911e8870d84c975e2ec22dab65a909 Mon Sep 17 00:00:00 2001 +From: Thomas Bogendoerfer +Date: Sat, 12 Aug 2017 23:36:47 +0200 +Subject: parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo + +From: Thomas Bogendoerfer + +commit 4098116039911e8870d84c975e2ec22dab65a909 upstream. + +For 64bit kernels the lmmio_space_offset of the host bridge window +isn't set correctly on systems with dino/cujo PCI host bridges. +This leads to not assigned memory bars and failing drivers, which +need to use these bars. + +Signed-off-by: Thomas Bogendoerfer +Acked-by: Helge Deller +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/parisc/dino.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/parisc/dino.c ++++ b/drivers/parisc/dino.c +@@ -954,7 +954,7 @@ static int __init dino_probe(struct pari + + dino_dev->hba.dev = dev; + dino_dev->hba.base_addr = ioremap_nocache(hpa, 4096); +- dino_dev->hba.lmmio_space_offset = 0; /* CPU addrs == bus addrs */ ++ dino_dev->hba.lmmio_space_offset = PCI_F_EXTEND; + spin_lock_init(&dino_dev->dinosaur_pen); + dino_dev->hba.iommu = ccio_get_iommu(dev); + diff --git a/queue-4.4/series b/queue-4.4/series index 37e89266b24..1da3b896e46 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -1 +1,6 @@ netfilter-nf_ct_ext-fix-possible-panic-after-nf_ct_extend_unregister.patch +audit-fix-use-after-free-in-audit_remove_watch_rule.patch +parisc-pci-memory-bar-assignment-fails-with-64bit-kernels-on-dino-cujo.patch +crypto-x86-sha1-fix-reads-beyond-the-number-of-blocks-passed.patch +input-elan_i2c-add-elan0608-to-the-acpi-table.patch +input-elan_i2c-add-antoher-lenovo-acpi-id-for-upcoming-lenovo-nb.patch