From: Greg Kroah-Hartman Date: Fri, 16 Oct 2020 08:16:22 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v5.9.1~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c608e1fb2a06c63fb64b41682cb7bbdd0c195e44;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: crypto-qat-check-cipher-length-for-aead-aes-cbc-hmac-sha.patch spi-unbinding-slave-before-calling-spi_destroy_queue.patch
---
diff --git a/queue-4.4/crypto-qat-check-cipher-length-for-aead-aes-cbc-hmac-sha.patch b/queue-4.4/crypto-qat-check-cipher-length-for-aead-aes-cbc-hmac-sha.patch
new file mode 100644
index 00000000000..4dad67cf0e5
--- /dev/null
+++ b/queue-4.4/crypto-qat-check-cipher-length-for-aead-aes-cbc-hmac-sha.patch
@@ -0,0 +1,59 @@
+From 45cb6653b0c355fc1445a8069ba78a4ce8720511 Mon Sep 17 00:00:00 2001
+From: Dominik Przychodni
+Date: Mon, 31 Aug 2020 11:59:59 +0100
+Subject: crypto: qat - check cipher length for aead AES-CBC-HMAC-SHA
+
+From: Dominik Przychodni
+
+commit 45cb6653b0c355fc1445a8069ba78a4ce8720511 upstream.
+
+Return -EINVAL for authenc(hmac(sha1),cbc(aes)),
+authenc(hmac(sha256),cbc(aes)) and authenc(hmac(sha512),cbc(aes))
+if the cipher length is not multiple of the AES block.
+This is to prevent an undefined device behaviour.
+
+Fixes: d370cec32194 ("crypto: qat - Intel(R) QAT crypto interface")
+Cc:
+Signed-off-by: Dominik Przychodni
+[giovanni.cabiddu@intel.com: reworded commit message]
+Signed-off-by: Giovanni Cabiddu
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/qat/qat_common/qat_algs.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/crypto/qat/qat_common/qat_algs.c
++++ b/drivers/crypto/qat/qat_common/qat_algs.c
+@@ -822,6 +822,11 @@ static int qat_alg_aead_dec(struct aead_
+ struct icp_qat_fw_la_bulk_req *msg;
+ int digst_size = crypto_aead_authsize(aead_tfm);
+ int ret, ctr = 0;
++ u32 cipher_len;
++
++ cipher_len = areq->cryptlen - digst_size;
++ if (cipher_len % AES_BLOCK_SIZE != 0)
++ return -EINVAL;
+
+ ret = qat_alg_sgl_to_bufl(ctx->inst, areq->src, areq->dst, qat_req);
+ if (unlikely(ret))
+@@ -836,7 +841,7 @@ static int qat_alg_aead_dec(struct aead_
+ qat_req->req.comn_mid.src_data_addr = qat_req->buf.blp;
+ qat_req->req.comn_mid.dest_data_addr = qat_req->buf.bloutp;
+ cipher_param = (void *)&qat_req->req.serv_specif_rqpars;
+- cipher_param->cipher_length = areq->cryptlen - digst_size;
++ cipher_param->cipher_length = cipher_len;
+ cipher_param->cipher_offset = areq->assoclen;
+ memcpy(cipher_param->u.cipher_IV_array, areq->iv, AES_BLOCK_SIZE);
+ auth_param = (void *)((uint8_t *)cipher_param + sizeof(*cipher_param));
+@@ -865,6 +870,9 @@ static int qat_alg_aead_enc(struct aead_
+ uint8_t *iv = areq->iv;
+ int ret, ctr = 0;
+
++ if (areq->cryptlen % AES_BLOCK_SIZE != 0)
++ return -EINVAL;
++
+ ret = qat_alg_sgl_to_bufl(ctx->inst, areq->src, areq->dst, qat_req);
+ if (unlikely(ret))
+ return ret;
diff --git a/queue-4.4/series b/queue-4.4/series
index a93634ff3a3..6e1a09a0d76 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -12,3 +12,5 @@ usb-serial-pl2303-add-device-id-for-hp-gc-device.patch
 usb-serial-ftdi_sio-add-support-for-freecalypso-jtag-uart-adapters.patch
 reiserfs-initialize-inode-keys-properly.patch
 reiserfs-fix-oops-during-mount.patch
+spi-unbinding-slave-before-calling-spi_destroy_queue.patch
+crypto-qat-check-cipher-length-for-aead-aes-cbc-hmac-sha.patch
diff --git a/queue-4.4/spi-unbinding-slave-before-calling-spi_destroy_queue.patch b/queue-4.4/spi-unbinding-slave-before-calling-spi_destroy_queue.patch
new file mode 100644
index 00000000000..9ff9a41797b
--- /dev/null
+++ b/queue-4.4/spi-unbinding-slave-before-calling-spi_destroy_queue.patch
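Review bot: In the `qat_alg_aead_dec` hunk of the queued crypto-qat patch, `cipher_len = areq->cryptlen - digst_size;` is an unsigned subtraction, and nothing visible in the hunk guarantees that `areq->cryptlen >= digst_size`. A wrapped result can still be a multiple of `AES_BLOCK_SIZE`, so the new modulo test alone would not reject it before it is stored in `cipher_param->cipher_length`. If the AEAD entry point already rejects requests shorter than the tag (presumably it does, but that is outside this diff), a one-line comment above the subtraction should say so; otherwise add `if (areq->cryptlen < digst_size) return -EINVAL;` ahead of it. The function body starts before and continues past the lines shown.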
@@ -0,0 +1,38 @@
+From yangerkun@huawei.com Fri Oct 16 10:01:26 2020
+From: yangerkun
+Date: Thu, 15 Oct 2020 22:38:34 +0800
+Subject: spi: unbinding slave before calling spi_destroy_queue
+To: , ,
+Cc: , , , ,
+Message-ID: <20201015143834.1136778-1-yangerkun@huawei.com>
+
+From: yangerkun
+
+We make a mistake while backport 'commit 84855678add8 ("spi: Fix
+controller unregister order")'. What we should do is call __unreigster
+for each device before spi_destroy_queue. This problem exist in
+linux-4.4.y/linux-4.9.y.
+
+Signed-off-by: yangerkun
+---
+ drivers/spi/spi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -1917,13 +1917,13 @@ static int __unregister(struct device *d
+ */
+ void spi_unregister_master(struct spi_master *master)
+ {
++ device_for_each_child(&master->dev, NULL, __unregister);
++
+ if (master->queued) {
+ if (spi_destroy_queue(master))
+ dev_err(&master->dev, "queue remove failed\n");
+ }
+
+- device_for_each_child(&master->dev, NULL, __unregister);
+-
+ mutex_lock(&board_lock);
+ list_del(&master->list);
+ mutex_unlock(&board_lock);
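Review bot: The ordering this patch restores in `spi_unregister_master` is expressed only by statement position, which is how the earlier backport came to get it wrong. A short comment above the moved call would pin it down, for example `/* Unregister child devices before spi_destroy_queue(); see 84855678add8 ("spi: Fix controller unregister order"). */`. The return value of `device_for_each_child()` is also discarded, so a failing `__unregister` would go unnoticed; whether it can fail is not visible here. The function body continues past the end of the hunk.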