From: Greg Kroah-Hartman Date: Wed, 3 Jun 2015 03:08:59 +0000 (+0900) Subject: 3.14-stable patches X-Git-Tag: v3.10.80~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c91ad08357aae0d4225826daf809494471913f6f;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: crypto-s390-ghash-fix-incorrect-ghash-icv-buffer-handling.patch gpio-gpio-kempld-fix-get_direction-return-value.patch mac80211-move-wep-tailroom-size-check.patch --- diff --git a/queue-3.14/crypto-s390-ghash-fix-incorrect-ghash-icv-buffer-handling.patch b/queue-3.14/crypto-s390-ghash-fix-incorrect-ghash-icv-buffer-handling.patch new file mode 100644 index 00000000000..c2b9731f1d9 --- /dev/null +++ b/queue-3.14/crypto-s390-ghash-fix-incorrect-ghash-icv-buffer-handling.patch @@ -0,0 +1,125 @@ +From a1cae34e23b1293eccbcc8ee9b39298039c3952a Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Thu, 21 May 2015 10:01:11 +0200 +Subject: crypto: s390/ghash - Fix incorrect ghash icv buffer handling. + +From: Harald Freudenberger + +commit a1cae34e23b1293eccbcc8ee9b39298039c3952a upstream. + +Multitheaded tests showed that the icv buffer in the current ghash +implementation is not handled correctly. A move of this working ghash +buffer value to the descriptor context fixed this. Code is tested and +verified with an multithreaded application via af_alg interface. + +Signed-off-by: Harald Freudenberger +Signed-off-by: Gerald Schaefer +Reported-by: Herbert Xu +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/crypto/ghash_s390.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +--- a/arch/s390/crypto/ghash_s390.c ++++ b/arch/s390/crypto/ghash_s390.c +@@ -16,11 +16,12 @@ + #define GHASH_DIGEST_SIZE 16 + + struct ghash_ctx { +- u8 icv[16]; +- u8 key[16]; ++ u8 key[GHASH_BLOCK_SIZE]; + }; + + struct ghash_desc_ctx { ++ u8 icv[GHASH_BLOCK_SIZE]; ++ u8 key[GHASH_BLOCK_SIZE]; + u8 buffer[GHASH_BLOCK_SIZE]; + u32 bytes; + }; +@@ -28,8 +29,10 @@ struct ghash_desc_ctx { + static int ghash_init(struct shash_desc *desc) + { + struct ghash_desc_ctx *dctx = shash_desc_ctx(desc); ++ struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm); + + memset(dctx, 0, sizeof(*dctx)); ++ memcpy(dctx->key, ctx->key, GHASH_BLOCK_SIZE); + + return 0; + } +@@ -45,7 +48,6 @@ static int ghash_setkey(struct crypto_sh + } + + memcpy(ctx->key, key, GHASH_BLOCK_SIZE); +- memset(ctx->icv, 0, GHASH_BLOCK_SIZE); + + return 0; + } +@@ -54,7 +56,6 @@ static int ghash_update(struct shash_des + const u8 *src, unsigned int srclen) + { + struct ghash_desc_ctx *dctx = shash_desc_ctx(desc); +- struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm); + unsigned int n; + u8 *buf = dctx->buffer; + int ret; +@@ -70,7 +71,7 @@ static int ghash_update(struct shash_des + src += n; + + if (!dctx->bytes) { +- ret = crypt_s390_kimd(KIMD_GHASH, ctx, buf, ++ ret = crypt_s390_kimd(KIMD_GHASH, dctx, buf, + GHASH_BLOCK_SIZE); + if (ret != GHASH_BLOCK_SIZE) + return -EIO; +@@ -79,7 +80,7 @@ static int ghash_update(struct shash_des + + n = srclen & ~(GHASH_BLOCK_SIZE - 1); + if (n) { +- ret = crypt_s390_kimd(KIMD_GHASH, ctx, src, n); ++ ret = crypt_s390_kimd(KIMD_GHASH, dctx, src, n); + if (ret != n) + return -EIO; + src += n; +@@ -94,7 +95,7 @@ static int ghash_update(struct shash_des + return 0; + } + +-static int ghash_flush(struct ghash_ctx *ctx, struct ghash_desc_ctx *dctx) ++static int ghash_flush(struct ghash_desc_ctx *dctx) + { + u8 *buf = dctx->buffer; + int ret; +@@ -104,24 +105,24 @@ static int ghash_flush(struct ghash_ctx + + memset(pos, 0, dctx->bytes); + +- ret = crypt_s390_kimd(KIMD_GHASH, ctx, buf, GHASH_BLOCK_SIZE); ++ ret = crypt_s390_kimd(KIMD_GHASH, dctx, buf, GHASH_BLOCK_SIZE); + if (ret != GHASH_BLOCK_SIZE) + return -EIO; ++ ++ dctx->bytes = 0; + } + +- dctx->bytes = 0; + return 0; + } + + static int ghash_final(struct shash_desc *desc, u8 *dst) + { + struct ghash_desc_ctx *dctx = shash_desc_ctx(desc); +- struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm); + int ret; + +- ret = ghash_flush(ctx, dctx); ++ ret = ghash_flush(dctx); + if (!ret) +- memcpy(dst, ctx->icv, GHASH_BLOCK_SIZE); ++ memcpy(dst, dctx->icv, GHASH_BLOCK_SIZE); + return ret; + } + diff --git a/queue-3.14/gpio-gpio-kempld-fix-get_direction-return-value.patch b/queue-3.14/gpio-gpio-kempld-fix-get_direction-return-value.patch new file mode 100644 index 00000000000..eb14fe39cac --- /dev/null +++ b/queue-3.14/gpio-gpio-kempld-fix-get_direction-return-value.patch @@ -0,0 +1,40 @@ +From f230e8ffc03f17bd9d6b90ea890b8252a8cc1821 Mon Sep 17 00:00:00 2001 +From: Michael Brunner +Date: Mon, 11 May 2015 12:46:49 +0200 +Subject: gpio: gpio-kempld: Fix get_direction return value + +From: Michael Brunner + +commit f230e8ffc03f17bd9d6b90ea890b8252a8cc1821 upstream. + +This patch fixes an inverted return value of the gpio get_direction +function. + +The wrong value causes the direction sysfs entry and GPIO debugfs file +to indicate incorrect GPIO direction settings. In some cases it also +prevents setting GPIO output values. + +The problem is also present in all other stable kernel versions since +linux-3.12. + +Reported-by: Jochen Henneberg +Signed-off-by: Michael Brunner +Reviewed-by: Guenter Roeck +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-kempld.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-kempld.c ++++ b/drivers/gpio/gpio-kempld.c +@@ -117,7 +117,7 @@ static int kempld_gpio_get_direction(str + = container_of(chip, struct kempld_gpio_data, chip); + struct kempld_device_data *pld = gpio->pld; + +- return kempld_gpio_get_bit(pld, KEMPLD_GPIO_DIR_NUM(offset), offset); ++ return !kempld_gpio_get_bit(pld, KEMPLD_GPIO_DIR_NUM(offset), offset); + } + + static int kempld_gpio_pincount(struct kempld_device_data *pld) diff --git a/queue-3.14/mac80211-move-wep-tailroom-size-check.patch b/queue-3.14/mac80211-move-wep-tailroom-size-check.patch new file mode 100644 index 00000000000..eb9a636866f --- /dev/null +++ b/queue-3.14/mac80211-move-wep-tailroom-size-check.patch @@ -0,0 +1,60 @@ +From 47b4e1fc4972cc43a19121bc2608a60aef3bf216 Mon Sep 17 00:00:00 2001 +From: Janusz Dziedzic +Date: Mon, 11 May 2015 11:31:15 +0200 +Subject: mac80211: move WEP tailroom size check + +From: Janusz Dziedzic + +commit 47b4e1fc4972cc43a19121bc2608a60aef3bf216 upstream. + +Remove checking tailroom when adding IV as it uses only +headroom, and move the check to the ICV generation that +actually needs the tailroom. + +In other case I hit such warning and datapath don't work, +when testing: +- IBSS + WEP +- ath9k with hw crypt enabled +- IPv6 data (ping6) + +WARNING: CPU: 3 PID: 13301 at net/mac80211/wep.c:102 ieee80211_wep_add_iv+0x129/0x190 [mac80211]() +[...] +Call Trace: +[] dump_stack+0x45/0x57 +[] warn_slowpath_common+0x8a/0xc0 +[] warn_slowpath_null+0x1a/0x20 +[] ieee80211_wep_add_iv+0x129/0x190 [mac80211] +[] ieee80211_crypto_wep_encrypt+0x6b/0xd0 [mac80211] +[] invoke_tx_handlers+0xc51/0xf30 [mac80211] +[...] + +Signed-off-by: Janusz Dziedzic +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/wep.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/mac80211/wep.c ++++ b/net/mac80211/wep.c +@@ -98,8 +98,7 @@ static u8 *ieee80211_wep_add_iv(struct i + + hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PROTECTED); + +- if (WARN_ON(skb_tailroom(skb) < IEEE80211_WEP_ICV_LEN || +- skb_headroom(skb) < IEEE80211_WEP_IV_LEN)) ++ if (WARN_ON(skb_headroom(skb) < IEEE80211_WEP_IV_LEN)) + return NULL; + + hdrlen = ieee80211_hdrlen(hdr->frame_control); +@@ -169,6 +168,9 @@ int ieee80211_wep_encrypt(struct ieee802 + size_t len; + u8 rc4key[3 + WLAN_KEY_LEN_WEP104]; + ++ if (WARN_ON(skb_tailroom(skb) < IEEE80211_WEP_ICV_LEN)) ++ return -1; ++ + iv = ieee80211_wep_add_iv(local, skb, keylen, keyidx); + if (!iv) + return -1; diff --git a/queue-3.14/series b/queue-3.14/series index 8140dbdc0e6..2c9e6ab89b8 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -41,3 +41,6 @@ jbd2-fix-r_count-overflows-leading-to-buffer-overflow-in-journal-recovery.patch libata-add-helper-to-determine-when-phy-events-should-be-ignored.patch libata-ignore-spurious-phy-event-on-lpm-policy-change.patch rt2x00-add-new-rt2800usb-device-dwa-130.patch +gpio-gpio-kempld-fix-get_direction-return-value.patch +crypto-s390-ghash-fix-incorrect-ghash-icv-buffer-handling.patch +mac80211-move-wep-tailroom-size-check.patch