From: Greg Kroah-Hartman Date: Thu, 1 Feb 2018 12:37:10 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.4.115~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cd074e97287eb700908b7858b4de9b89cea2bff6;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: crypto-aesni-handle-zero-length-dst-buffer.patch crypto-af_alg-whitelist-mask-and-type.patch gpio-ath79-add-missing-module_description-license.patch gpio-iop-add-missing-module_description-author-license.patch igb-free-irqs-when-device-is-hotplugged.patch mtd-nand-denali_pci-add-missing-module_description-author-license.patch power-reset-zx-reboot-add-missing-module_description-author-license.patch --- diff --git a/queue-4.4/crypto-aesni-handle-zero-length-dst-buffer.patch b/queue-4.4/crypto-aesni-handle-zero-length-dst-buffer.patch new file mode 100644 index 00000000000..db7fc03de6d --- /dev/null +++ b/queue-4.4/crypto-aesni-handle-zero-length-dst-buffer.patch @@ -0,0 +1,42 @@ +From 9c674e1e2f9e24fa4392167efe343749008338e0 Mon Sep 17 00:00:00 2001 +From: Stephan Mueller +Date: Thu, 18 Jan 2018 20:41:09 +0100 +Subject: crypto: aesni - handle zero length dst buffer + +From: Stephan Mueller + +commit 9c674e1e2f9e24fa4392167efe343749008338e0 upstream. + +GCM can be invoked with a zero destination buffer. This is possible if +the AAD and the ciphertext have zero lengths and only the tag exists in +the source buffer (i.e. a source buffer cannot be zero). In this case, +the GCM cipher only performs the authentication and no decryption +operation. + +When the destination buffer has zero length, it is possible that no page +is mapped to the SG pointing to the destination. In this case, +sg_page(req->dst) is an invalid access. Therefore, page accesses should +only be allowed if the req->dst->length is non-zero which is the +indicator that a page must exist. + +This fixes a crash that can be triggered by user space via AF_ALG. + +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/crypto/aesni-intel_glue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/crypto/aesni-intel_glue.c ++++ b/arch/x86/crypto/aesni-intel_glue.c +@@ -965,7 +965,7 @@ static int helper_rfc4106_encrypt(struct + + if (sg_is_last(req->src) && + req->src->offset + req->src->length <= PAGE_SIZE && +- sg_is_last(req->dst) && ++ sg_is_last(req->dst) && req->dst->length && + req->dst->offset + req->dst->length <= PAGE_SIZE) { + one_entry_in_sg = 1; + scatterwalk_start(&src_sg_walk, req->src); diff --git a/queue-4.4/crypto-af_alg-whitelist-mask-and-type.patch b/queue-4.4/crypto-af_alg-whitelist-mask-and-type.patch new file mode 100644 index 00000000000..8253175407b --- /dev/null +++ b/queue-4.4/crypto-af_alg-whitelist-mask-and-type.patch @@ -0,0 +1,58 @@ +From bb30b8848c85e18ca7e371d0a869e94b3e383bdf Mon Sep 17 00:00:00 2001 +From: Stephan Mueller +Date: Tue, 2 Jan 2018 08:55:25 +0100 +Subject: crypto: af_alg - whitelist mask and type + +From: Stephan Mueller + +commit bb30b8848c85e18ca7e371d0a869e94b3e383bdf upstream. + +The user space interface allows specifying the type and mask field used +to allocate the cipher. Only a subset of the possible flags are intended +for user space. Therefore, white-list the allowed flags. + +In case the user space caller uses at least one non-allowed flag, EINVAL +is returned. + +Reported-by: syzbot +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/af_alg.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -149,7 +149,7 @@ EXPORT_SYMBOL_GPL(af_alg_release_parent) + + static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + { +- const u32 forbidden = CRYPTO_ALG_INTERNAL; ++ const u32 allowed = CRYPTO_ALG_KERN_DRIVER_ONLY; + struct sock *sk = sock->sk; + struct alg_sock *ask = alg_sk(sk); + struct sockaddr_alg *sa = (void *)uaddr; +@@ -157,6 +157,10 @@ static int alg_bind(struct socket *sock, + void *private; + int err; + ++ /* If caller uses non-allowed flag, return error. */ ++ if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) ++ return -EINVAL; ++ + if (sock->state == SS_CONNECTED) + return -EINVAL; + +@@ -175,9 +179,7 @@ static int alg_bind(struct socket *sock, + if (IS_ERR(type)) + return PTR_ERR(type); + +- private = type->bind(sa->salg_name, +- sa->salg_feat & ~forbidden, +- sa->salg_mask & ~forbidden); ++ private = type->bind(sa->salg_name, sa->salg_feat, sa->salg_mask); + if (IS_ERR(private)) { + module_put(type->owner); + return PTR_ERR(private); diff --git a/queue-4.4/gpio-ath79-add-missing-module_description-license.patch b/queue-4.4/gpio-ath79-add-missing-module_description-license.patch new file mode 100644 index 00000000000..f40c46eb7f9 --- /dev/null +++ b/queue-4.4/gpio-ath79-add-missing-module_description-license.patch @@ -0,0 +1,37 @@ +From 539340f37e6d6ed4cd93e8e18c9b2e4eafd4b842 Mon Sep 17 00:00:00 2001 +From: Jesse Chan +Date: Mon, 20 Nov 2017 12:54:26 -0800 +Subject: gpio: ath79: add missing MODULE_DESCRIPTION/LICENSE + +From: Jesse Chan + +commit 539340f37e6d6ed4cd93e8e18c9b2e4eafd4b842 upstream. + +This change resolves a new compile-time warning +when built as a loadable module: + +WARNING: modpost: missing MODULE_LICENSE() in drivers/gpio/gpio-ath79.o +see include/linux/module.h for more information + +This adds the license as "GPL v2", which matches the header of the file. + +MODULE_DESCRIPTION is also added. + +Signed-off-by: Jesse Chan +Acked-by: Alban Bedel +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-ath79.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpio/gpio-ath79.c ++++ b/drivers/gpio/gpio-ath79.c +@@ -203,3 +203,6 @@ static struct platform_driver ath79_gpio + }; + + module_platform_driver(ath79_gpio_driver); ++ ++MODULE_DESCRIPTION("Atheros AR71XX/AR724X/AR913X GPIO API support"); ++MODULE_LICENSE("GPL v2"); diff --git a/queue-4.4/gpio-iop-add-missing-module_description-author-license.patch b/queue-4.4/gpio-iop-add-missing-module_description-author-license.patch new file mode 100644 index 00000000000..d6c0c629216 --- /dev/null +++ b/queue-4.4/gpio-iop-add-missing-module_description-author-license.patch @@ -0,0 +1,37 @@ +From 97b03136e1b637d7a9d2274c099e44ecf23f1103 Mon Sep 17 00:00:00 2001 +From: Jesse Chan +Date: Mon, 20 Nov 2017 12:54:52 -0800 +Subject: gpio: iop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE + +From: Jesse Chan + +commit 97b03136e1b637d7a9d2274c099e44ecf23f1103 upstream. + +This change resolves a new compile-time warning +when built as a loadable module: + +WARNING: modpost: missing MODULE_LICENSE() in drivers/gpio/gpio-iop.o +see include/linux/module.h for more information + +This adds the license as "GPL", which matches the header of the file. + +MODULE_DESCRIPTION and MODULE_AUTHOR are also added. + +Signed-off-by: Jesse Chan +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-iop.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpio/gpio-iop.c ++++ b/drivers/gpio/gpio-iop.c +@@ -129,3 +129,7 @@ static int __init iop3xx_gpio_init(void) + return platform_driver_register(&iop3xx_gpio_driver); + } + arch_initcall(iop3xx_gpio_init); ++ ++MODULE_DESCRIPTION("GPIO handling for Intel IOP3xx processors"); ++MODULE_AUTHOR("Lennert Buytenhek "); ++MODULE_LICENSE("GPL"); diff --git a/queue-4.4/igb-free-irqs-when-device-is-hotplugged.patch b/queue-4.4/igb-free-irqs-when-device-is-hotplugged.patch new file mode 100644 index 00000000000..941b3cbef21 --- /dev/null +++ b/queue-4.4/igb-free-irqs-when-device-is-hotplugged.patch @@ -0,0 +1,90 @@ +From 888f22931478a05bc81ceb7295c626e1292bf0ed Mon Sep 17 00:00:00 2001 +From: Lyude Paul +Date: Tue, 12 Dec 2017 14:31:30 -0500 +Subject: igb: Free IRQs when device is hotplugged + +From: Lyude Paul + +commit 888f22931478a05bc81ceb7295c626e1292bf0ed upstream. + +Recently I got a Caldigit TS3 Thunderbolt 3 dock, and noticed that upon +hotplugging my kernel would immediately crash due to igb: + +[ 680.825801] kernel BUG at drivers/pci/msi.c:352! +[ 680.828388] invalid opcode: 0000 [#1] SMP +[ 680.829194] Modules linked in: igb(O) thunderbolt i2c_algo_bit joydev vfat fat btusb btrtl btbcm btintel bluetooth ecdh_generic hp_wmi sparse_keymap rfkill wmi_bmof iTCO_wdt intel_rapl x86_pkg_temp_thermal coretemp crc32_pclmul snd_pcm rtsx_pci_ms mei_me snd_timer memstick snd pcspkr mei soundcore i2c_i801 tpm_tis psmouse shpchp wmi tpm_tis_core tpm video hp_wireless acpi_pad rtsx_pci_sdmmc mmc_core crc32c_intel serio_raw rtsx_pci mfd_core xhci_pci xhci_hcd i2c_hid i2c_core [last unloaded: igb] +[ 680.831085] CPU: 1 PID: 78 Comm: kworker/u16:1 Tainted: G O 4.15.0-rc3Lyude-Test+ #6 +[ 680.831596] Hardware name: HP HP ZBook Studio G4/826B, BIOS P71 Ver. 01.03 06/09/2017 +[ 680.832168] Workqueue: kacpi_hotplug acpi_hotplug_work_fn +[ 680.832687] RIP: 0010:free_msi_irqs+0x180/0x1b0 +[ 680.833271] RSP: 0018:ffffc9000030fbf0 EFLAGS: 00010286 +[ 680.833761] RAX: ffff8803405f9c00 RBX: ffff88033e3d2e40 RCX: 000000000000002c +[ 680.834278] RDX: 0000000000000000 RSI: 00000000000000ac RDI: ffff880340be2178 +[ 680.834832] RBP: 0000000000000000 R08: ffff880340be1ff0 R09: ffff8803405f9c00 +[ 680.835342] R10: 0000000000000000 R11: 0000000000000040 R12: ffff88033d63a298 +[ 680.835822] R13: ffff88033d63a000 R14: 0000000000000060 R15: ffff880341959000 +[ 680.836332] FS: 0000000000000000(0000) GS:ffff88034f440000(0000) knlGS:0000000000000000 +[ 680.836817] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 680.837360] CR2: 000055e64044afdf CR3: 0000000001c09002 CR4: 00000000003606e0 +[ 680.837954] Call Trace: +[ 680.838853] pci_disable_msix+0xce/0xf0 +[ 680.839616] igb_reset_interrupt_capability+0x5d/0x60 [igb] +[ 680.840278] igb_remove+0x9d/0x110 [igb] +[ 680.840764] pci_device_remove+0x36/0xb0 +[ 680.841279] device_release_driver_internal+0x157/0x220 +[ 680.841739] pci_stop_bus_device+0x7d/0xa0 +[ 680.842255] pci_stop_bus_device+0x2b/0xa0 +[ 680.842722] pci_stop_bus_device+0x3d/0xa0 +[ 680.843189] pci_stop_and_remove_bus_device+0xe/0x20 +[ 680.843627] trim_stale_devices+0xf3/0x140 +[ 680.844086] trim_stale_devices+0x94/0x140 +[ 680.844532] trim_stale_devices+0xa6/0x140 +[ 680.845031] ? get_slot_status+0x90/0xc0 +[ 680.845536] acpiphp_check_bridge.part.5+0xfe/0x140 +[ 680.846021] acpiphp_hotplug_notify+0x175/0x200 +[ 680.846581] ? free_bridge+0x100/0x100 +[ 680.847113] acpi_device_hotplug+0x8a/0x490 +[ 680.847535] acpi_hotplug_work_fn+0x1a/0x30 +[ 680.848076] process_one_work+0x182/0x3a0 +[ 680.848543] worker_thread+0x2e/0x380 +[ 680.848963] ? process_one_work+0x3a0/0x3a0 +[ 680.849373] kthread+0x111/0x130 +[ 680.849776] ? kthread_create_worker_on_cpu+0x50/0x50 +[ 680.850188] ret_from_fork+0x1f/0x30 +[ 680.850601] Code: 43 14 85 c0 0f 84 d5 fe ff ff 31 ed eb 0f 83 c5 01 39 6b 14 0f 86 c5 fe ff ff 8b 7b 10 01 ef e8 b7 e4 d2 ff 48 83 78 70 00 74 e3 <0f> 0b 49 8d b5 a0 00 00 00 e8 62 6f d3 ff e9 c7 fe ff ff 48 8b +[ 680.851497] RIP: free_msi_irqs+0x180/0x1b0 RSP: ffffc9000030fbf0 + +As it turns out, normally the freeing of IRQs that would fix this is called +inside of the scope of __igb_close(). However, since the device is +already gone by the point we try to unregister the netdevice from the +driver due to a hotplug we end up seeing that the netif isn't present +and thus, forget to free any of the device IRQs. + +So: make sure that if we're in the process of dismantling the netdev, we +always allow __igb_close() to be called so that IRQs may be freed +normally. Additionally, only allow igb_close() to be called from +__igb_close() if it hasn't already been called for the given adapter. + +Signed-off-by: Lyude Paul +Fixes: 9474933caf21 ("igb: close/suspend race in netif_device_detach") +Cc: Todd Fujinaka +Cc: Stephen Hemminger +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/igb/igb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -3174,7 +3174,7 @@ static int __igb_close(struct net_device + + static int igb_close(struct net_device *netdev) + { +- if (netif_device_present(netdev)) ++ if (netif_device_present(netdev) || netdev->dismantle) + return __igb_close(netdev, false); + return 0; + } diff --git a/queue-4.4/mtd-nand-denali_pci-add-missing-module_description-author-license.patch b/queue-4.4/mtd-nand-denali_pci-add-missing-module_description-author-license.patch new file mode 100644 index 00000000000..e3789dc3449 --- /dev/null +++ b/queue-4.4/mtd-nand-denali_pci-add-missing-module_description-author-license.patch @@ -0,0 +1,38 @@ +From d822401d1c6898a4a4ee03977b78b8cec402e88a Mon Sep 17 00:00:00 2001 +From: Jesse Chan +Date: Mon, 20 Nov 2017 12:57:13 -0800 +Subject: mtd: nand: denali_pci: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE + +From: Jesse Chan + +commit d822401d1c6898a4a4ee03977b78b8cec402e88a upstream. + +This change resolves a new compile-time warning +when built as a loadable module: + +WARNING: modpost: missing MODULE_LICENSE() in drivers/mtd/nand/denali_pci.o +see include/linux/module.h for more information + +This adds the license as "GPL v2", which matches the header of the file. + +MODULE_DESCRIPTION and MODULE_AUTHOR are also added. + +Signed-off-by: Jesse Chan +Acked-by: Masahiro Yamada +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/denali_pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/mtd/nand/denali_pci.c ++++ b/drivers/mtd/nand/denali_pci.c +@@ -119,3 +119,7 @@ static struct pci_driver denali_pci_driv + }; + + module_pci_driver(denali_pci_driver); ++ ++MODULE_DESCRIPTION("PCI driver for Denali NAND controller"); ++MODULE_AUTHOR("Intel Corporation and its suppliers"); ++MODULE_LICENSE("GPL v2"); diff --git a/queue-4.4/power-reset-zx-reboot-add-missing-module_description-author-license.patch b/queue-4.4/power-reset-zx-reboot-add-missing-module_description-author-license.patch new file mode 100644 index 00000000000..85a36b78c99 --- /dev/null +++ b/queue-4.4/power-reset-zx-reboot-add-missing-module_description-author-license.patch @@ -0,0 +1,37 @@ +From 348c7cf5fcbcb68838255759d4cb45d039af36d2 Mon Sep 17 00:00:00 2001 +From: Jesse Chan +Date: Mon, 20 Nov 2017 12:58:27 -0800 +Subject: power: reset: zx-reboot: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE + +From: Jesse Chan + +commit 348c7cf5fcbcb68838255759d4cb45d039af36d2 upstream. + +This change resolves a new compile-time warning +when built as a loadable module: + +WARNING: modpost: missing MODULE_LICENSE() in drivers/power/reset/zx-reboot.o +see include/linux/module.h for more information + +This adds the license as "GPL v2", which matches the header of the file. + +MODULE_DESCRIPTION and MODULE_AUTHOR are also added. + +Signed-off-by: Jesse Chan +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/reset/zx-reboot.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/power/reset/zx-reboot.c ++++ b/drivers/power/reset/zx-reboot.c +@@ -78,3 +78,7 @@ static struct platform_driver zx_reboot_ + }, + }; + module_platform_driver(zx_reboot_driver); ++ ++MODULE_DESCRIPTION("ZTE SoCs reset driver"); ++MODULE_AUTHOR("Jun Nie "); ++MODULE_LICENSE("GPL v2"); diff --git a/queue-4.4/series b/queue-4.4/series index a2d7810ed47..cb087b36e8d 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -11,3 +11,10 @@ bpf-reject-stores-into-ctx-via-st-and-xadd.patch x86-pti-make-unpoison-of-pgd-for-trusted-boot-work-for-real.patch kaiser-fix-intel_bts-perf-crashes.patch alsa-seq-make-ioctls-race-free.patch +crypto-aesni-handle-zero-length-dst-buffer.patch +crypto-af_alg-whitelist-mask-and-type.patch +power-reset-zx-reboot-add-missing-module_description-author-license.patch +gpio-iop-add-missing-module_description-author-license.patch +gpio-ath79-add-missing-module_description-license.patch +mtd-nand-denali_pci-add-missing-module_description-author-license.patch +igb-free-irqs-when-device-is-hotplugged.patch