From: Greg Kroah-Hartman Date: Tue, 16 Nov 2021 10:41:14 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v5.4.160~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b6e4f995a36d20e6150a119c59b8bc0e2a884061;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: crypto-api-do-not-create-test-larvals-if-manager-is-disabled.patch crypto-api-export-crypto_boot_test_finished.patch media-vidtv-move-kfree-dvb-to-vidtv_bridge_dev_release.patch
---
diff --git a/queue-5.15/crypto-api-do-not-create-test-larvals-if-manager-is-disabled.patch b/queue-5.15/crypto-api-do-not-create-test-larvals-if-manager-is-disabled.patch
new file mode 100644
index 00000000000..c78406c96ff
--- /dev/null
+++ b/queue-5.15/crypto-api-do-not-create-test-larvals-if-manager-is-disabled.patch
@@ -0,0 +1,149 @@
+From cad439fc040efe5f4381e3a7d583c5c200dbc186 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Tue, 19 Oct 2021 21:28:02 +0800
+Subject: crypto: api - Do not create test larvals if manager is disabled
+
+From: Herbert Xu
+
+commit cad439fc040efe5f4381e3a7d583c5c200dbc186 upstream.
+
+The delayed boot-time testing patch created a dependency loop
+between api.c and algapi.c because it added a crypto_alg_tested
+call to the former when the crypto manager is disabled.
+
+We could instead avoid creating the test larvals if the crypto
+manager is disabled. This avoids the dependency loop as well
+as saving some unnecessary work, albeit in a very unlikely case.
+
+Reported-by: Nathan Chancellor
+Reported-by: Naresh Kamboju
+Reported-by: kernel test robot
+Fixes: adad556efcdd ("crypto: api - Fix built-in testing dependency failures")
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ crypto/algapi.c | 56 ++++++++++++++++++++++++++++++++++++--------------------
+ crypto/api.c | 7 ++-----
+ 2 files changed, 38 insertions(+), 25 deletions(-)
+
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -216,6 +216,32 @@ void crypto_remove_spawns(struct crypto_
+ }
+ EXPORT_SYMBOL_GPL(crypto_remove_spawns);
+
++static struct crypto_larval *crypto_alloc_test_larval(struct crypto_alg *alg)
++{
++ struct crypto_larval *larval;
++
++ if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER))
++ return NULL;
++
++ larval = crypto_larval_alloc(alg->cra_name,
++ alg->cra_flags | CRYPTO_ALG_TESTED, 0);
++ if (IS_ERR(larval))
++ return larval;
++
++ larval->adult = crypto_mod_get(alg);
++ if (!larval->adult) {
++ kfree(larval);
++ return ERR_PTR(-ENOENT);
++ }
++
++ refcount_set(&larval->alg.cra_refcnt, 1);
++ memcpy(larval->alg.cra_driver_name, alg->cra_driver_name,
++ CRYPTO_MAX_ALG_NAME);
++ larval->alg.cra_priority = alg->cra_priority;
++
++ return larval;
++}
++
+ static struct crypto_larval *__crypto_register_alg(struct crypto_alg *alg)
+ {
+ struct crypto_alg *q;
+@@ -250,31 +276,20 @@ static struct crypto_larval *__crypto_re
+ goto err;
+ }
+
+- larval = crypto_larval_alloc(alg->cra_name,
+- alg->cra_flags | CRYPTO_ALG_TESTED, 0);
++ larval = crypto_alloc_test_larval(alg);
+ if (IS_ERR(larval))
+ goto out;
+
+- ret = -ENOENT;
+- larval->adult = crypto_mod_get(alg);
+- if (!larval->adult)
+- goto free_larval;
+-
+- refcount_set(&larval->alg.cra_refcnt, 1);
+- memcpy(larval->alg.cra_driver_name, alg->cra_driver_name,
+- CRYPTO_MAX_ALG_NAME);
+- larval->alg.cra_priority = alg->cra_priority;
+-
+ list_add(&alg->cra_list, &crypto_alg_list);
+- list_add(&larval->alg.cra_list, &crypto_alg_list);
++
++ if (larval)
++ list_add(&larval->alg.cra_list, &crypto_alg_list);
+
+ crypto_stats_init(alg);
+
+ out:
+ return larval;
+
+-free_larval:
+- kfree(larval);
+ err:
+ larval = ERR_PTR(ret);
+ goto out;
+@@ -403,10 +418,11 @@ int crypto_register_alg(struct crypto_al
+ down_write(&crypto_alg_sem);
+ larval = __crypto_register_alg(alg);
+ test_started = static_key_enabled(&crypto_boot_test_finished);
+- larval->test_started = test_started;
++ if (!IS_ERR_OR_NULL(larval))
++ larval->test_started = test_started;
+ up_write(&crypto_alg_sem);
+
+- if (IS_ERR(larval))
++ if (IS_ERR_OR_NULL(larval))
+ return PTR_ERR(larval);
+
+ if (test_started)
+@@ -616,8 +632,8 @@ int crypto_register_instance(struct cryp
+ larval = __crypto_register_alg(&inst->alg);
+ if (IS_ERR(larval))
+ goto unlock;
+-
+- larval->test_started = true;
++ else if (larval)
++ larval->test_started = true;
+
+ hlist_add_head(&inst->list, &tmpl->instances);
+ inst->tmpl = tmpl;
+@@ -626,7 +642,7 @@ unlock:
+ up_write(&crypto_alg_sem);
+
+ err = PTR_ERR(larval);
+- if (IS_ERR(larval))
++ if (IS_ERR_OR_NULL(larval))
+ goto err;
+
+ crypto_wait_for_test(larval);
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -167,11 +167,8 @@ void crypto_wait_for_test(struct crypto_
+ int err;
+
+ err = crypto_probing_notify(CRYPTO_MSG_ALG_REGISTER, larval->adult);
+- if (err != NOTIFY_STOP) {
+- if (WARN_ON(err != NOTIFY_DONE))
+- goto out;
+- crypto_alg_tested(larval->alg.cra_driver_name, 0);
+- }
++ if (WARN_ON_ONCE(err != NOTIFY_STOP))
++ goto out;
+
+ err = wait_for_completion_killable(&larval->completion);
+ WARN_ON(err);
diff --git a/queue-5.15/crypto-api-export-crypto_boot_test_finished.patch b/queue-5.15/crypto-api-export-crypto_boot_test_finished.patch
new file mode 100644
index 00000000000..8d52344483a
--- /dev/null
+++ b/queue-5.15/crypto-api-export-crypto_boot_test_finished.patch
@@ -0,0 +1,32 @@
+From e42dff467ee688fe6b5a083f1837d06e3b27d8c0 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Mon, 27 Sep 2021 19:23:42 +0800
+Subject: crypto: api - Export crypto_boot_test_finished
+
+From: Herbert Xu
+
+commit e42dff467ee688fe6b5a083f1837d06e3b27d8c0 upstream.
+
+We need to export crypto_boot_test_finished in case api.c is
+built-in while algapi.c is built as a module.
+
+Fixes: adad556efcdd ("crypto: api - Fix built-in testing dependency failures")
+Reported-by: Stephen Rothwell
+Signed-off-by: Herbert Xu
+Tested-by: Stephen Rothwell # ppc32 build
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ crypto/api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -32,6 +32,7 @@ BLOCKING_NOTIFIER_HEAD(crypto_chain);
+ EXPORT_SYMBOL_GPL(crypto_chain);
+
+ DEFINE_STATIC_KEY_FALSE(crypto_boot_test_finished);
++EXPORT_SYMBOL_GPL(crypto_boot_test_finished);
+
+ static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg);
+
diff --git a/queue-5.15/media-vidtv-move-kfree-dvb-to-vidtv_bridge_dev_release.patch b/queue-5.15/media-vidtv-move-kfree-dvb-to-vidtv_bridge_dev_release.patch
new file mode 100644
index 00000000000..af1f244251e
--- /dev/null
+++ b/queue-5.15/media-vidtv-move-kfree-dvb-to-vidtv_bridge_dev_release.patch
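Review bot: In the `__crypto_register_alg` hunk of crypto-api-do-not-create-test-larvals-if-manager-is-disabled.patch, the new NULL-larval path adds `alg` to `crypto_alg_list` but nothing visible marks it as tested, and the same patch drops the `crypto_alg_tested(larval->alg.cra_driver_name, 0)` fallback from `crypto_wait_for_test()`. If the part of the function outside the hunk clears `CRYPTO_ALG_TESTED` on `alg` (the flag is only OR-ed into the larval here, which suggests so), an algorithm registered with `CONFIG_CRYPTO_MANAGER` disabled may never become usable by lookups; an `else alg->cra_flags |= CRYPTO_ALG_TESTED;` after the `if (larval)` list_add would cover it. Separately, `crypto_register_alg()` and `crypto_register_instance()` now rely on `PTR_ERR(NULL)` being 0 to report success, which deserves a one-line comment such as `/* NULL larval: manager disabled, nothing to wait for */`. The bodies of these functions start and end outside the hunks, so this should be confirmed against the full file.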
@@ -0,0 +1,45 @@
+From 112024a3b6dcfc62ec36ea0cf58b897f2ce54c59 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Tue, 14 Sep 2021 08:21:25 +0100
+Subject: media: vidtv: move kfree(dvb) to vidtv_bridge_dev_release()
+
+From: Hans Verkuil
+
+commit 112024a3b6dcfc62ec36ea0cf58b897f2ce54c59 upstream.
+
+Adding kfree(dvb) to vidtv_bridge_remove() will remove the memory
+too soon: if an application still has an open filehandle to the device
+when the driver is unloaded, then when that filehandle is closed, a
+use-after-free access takes place to the freed memory.
+
+Move the kfree(dvb) to vidtv_bridge_dev_release() instead.
+
+Signed-off-by: Hans Verkuil
+Fixes: 76e21bb8be4f ("media: vidtv: Fix memory leak in remove")
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/test-drivers/vidtv/vidtv_bridge.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/test-drivers/vidtv/vidtv_bridge.c
++++ b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
+@@ -557,7 +557,6 @@ static int vidtv_bridge_remove(struct pl
+ dvb_dmxdev_release(&dvb->dmx_dev);
+ dvb_dmx_release(&dvb->demux);
+ dvb_unregister_adapter(&dvb->adapter);
+- kfree(dvb);
+ dev_info(&pdev->dev, "Successfully removed vidtv\n");
+
+ return 0;
+@@ -565,6 +564,10 @@ static int vidtv_bridge_remove(struct pl
+
+ static void vidtv_bridge_dev_release(struct device *dev)
+ {
++ struct vidtv_dvb *dvb;
++
++ dvb = dev_get_drvdata(dev);
++ kfree(dvb);
+ }
+
+ static struct platform_device vidtv_bridge_dev = {
diff --git a/queue-5.15/series b/queue-5.15/series
index 04cba6e08cb..2105ba80a3e 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
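Review bot: In media-vidtv-move-kfree-dvb-to-vidtv_bridge_dev_release.patch, `vidtv_bridge_dev_release()` frees whatever `dev_get_drvdata(dev)` returns, but the release callback runs after the driver has been unbound; if the driver core resets drvdata to NULL at unbind (not visible in this hunk), `kfree(dvb)` becomes `kfree(NULL)` and the leak fixed by 76e21bb8be4f returns. The pointer's lifetime should be confirmed, for example with kmemleak across a module unload while a file handle is held open. The ownership rule is also worth stating in the function, e.g. `/* dvb is freed here, not in vidtv_bridge_remove(), so open file handles cannot touch freed memory */`. `vidtv_bridge_remove()` starts outside the hunk, so where drvdata is set and whether it is cleared cannot be seen from here.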
@@ -913,3 +913,6 @@ pci-add-pci_exp_devctl_payload_-macros.patch
 pci-aardvark-fix-pcie-max-payload-size-setting.patch
 sunrpc-partial-revert-of-commit-6f9f17287e78.patch
 drm-amd-display-look-at-firmware-version-to-determine-using-dmub-on-dcn21.patch
+crypto-api-export-crypto_boot_test_finished.patch
+crypto-api-do-not-create-test-larvals-if-manager-is-disabled.patch
+media-vidtv-move-kfree-dvb-to-vidtv_bridge_dev_release.patch