From: Greg Kroah-Hartman
Date: Fri, 10 Mar 2017 07:50:48 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.53~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d525d41539353f552b4b35909ce79f58c612c9d2;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
arm-arm64-kvm-enforce-unconditional-flush-to-poc-when-mapping-to-stage-2.patch
crypto-testmgr-pad-aes_ccm_enc_tv_template-vector.patch
fuse-add-missing-fr_force.patch
---
diff --git a/queue-4.4/arm-arm64-kvm-enforce-unconditional-flush-to-poc-when-mapping-to-stage-2.patch b/queue-4.4/arm-arm64-kvm-enforce-unconditional-flush-to-poc-when-mapping-to-stage-2.patch
new file mode 100644
index 00000000000..95213f38f5d
--- /dev/null
+++ b/queue-4.4/arm-arm64-kvm-enforce-unconditional-flush-to-poc-when-mapping-to-stage-2.patch
@@ -0,0 +1,73 @@
+From 8f36ebaf21fdae99c091c67e8b6fab33969f2667 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Wed, 25 Jan 2017 12:29:59 +0000
+Subject: arm/arm64: KVM: Enforce unconditional flush to PoC when mapping to stage-2
+
+From: Marc Zyngier
+
+commit 8f36ebaf21fdae99c091c67e8b6fab33969f2667 upstream.
+
+When we fault in a page, we flush it to the PoC (Point of Coherency)
+if the faulting vcpu has its own caches off, so that it can observe
+the page we just brought it.
+
+But if the vcpu has its caches on, we skip that step. Bad things
+happen when *another* vcpu tries to access that page with its own
+caches disabled. At that point, there is no garantee that the
+data has made it to the PoC, and we access stale data.
+
+The obvious fix is to always flush to PoC when a page is faulted
+in, no matter what the state of the vcpu is.
+
+Fixes: 2d58b733c876 ("arm64: KVM: force cache clean on page fault when caches are off")
+Reviewed-by: Christoffer Dall
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/include/asm/kvm_mmu.h | 9 +--------
+ arch/arm64/include/asm/kvm_mmu.h | 3 +--
+ 2 files changed, 2 insertions(+), 10 deletions(-)
+
+--- a/arch/arm/include/asm/kvm_mmu.h
++++ b/arch/arm/include/asm/kvm_mmu.h
+@@ -204,18 +204,12 @@ static inline void __coherent_cache_gues
+ * and iterate over the range.
+ */
+
+- bool need_flush = !vcpu_has_cache_enabled(vcpu) || ipa_uncached;
+-
+ VM_BUG_ON(size & ~PAGE_MASK);
+
+- if (!need_flush && !icache_is_pipt())
+- goto vipt_cache;
+-
+ while (size) {
+ void *va = kmap_atomic_pfn(pfn);
+
+- if (need_flush)
+- kvm_flush_dcache_to_poc(va, PAGE_SIZE);
++ kvm_flush_dcache_to_poc(va, PAGE_SIZE);
+
+ if (icache_is_pipt())
+ __cpuc_coherent_user_range((unsigned long)va,
+@@ -227,7 +221,6 @@ static inline void __coherent_cache_gues
+ kunmap_atomic(va);
+ }
+
+-vipt_cache:
+ if (!icache_is_pipt() && !icache_is_vivt_asid_tagged()) {
+ /* any kind of VIPT cache */
+ __flush_icache_all();
+--- a/arch/arm64/include/asm/kvm_mmu.h
++++ b/arch/arm64/include/asm/kvm_mmu.h
+@@ -236,8 +236,7 @@ static inline void __coherent_cache_gues
+ {
+ void *va = page_address(pfn_to_page(pfn));
+
+- if (!vcpu_has_cache_enabled(vcpu) || ipa_uncached)
+- kvm_flush_dcache_to_poc(va, size);
++ kvm_flush_dcache_to_poc(va, size);
+
+ if (!icache_is_aliasing()) { /* PIPT */
+ flush_icache_range((unsigned long)va,
diff --git a/queue-4.4/crypto-testmgr-pad-aes_ccm_enc_tv_template-vector.patch b/queue-4.4/crypto-testmgr-pad-aes_ccm_enc_tv_template-vector.patch
new file mode 100644
index 00000000000..bf8118e59a8
--- /dev/null
+++ b/queue-4.4/crypto-testmgr-pad-aes_ccm_enc_tv_template-vector.patch
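Review bot: The `kvm_flush_dcache_to_poc(va, PAGE_SIZE)` call in the arm hunk and the `kvm_flush_dcache_to_poc(va, size)` call in the arm64 hunk are now unconditional, but nothing left in the code says why, while the `vcpu` and `ipa_uncached` parameters that the removed `need_flush` test consumed still sit in the signature outside the hunk, so a later reader could reintroduce the conditional as an "optimisation". Suggest a comment above each call: `/* Always clean to PoC: another vcpu may read this page with its own caches off and would otherwise see stale data. */`. The same note applies to the arm64 hunk that follows in this file. `__coherent_cache_guest_page`'s signature and the remainder of its body lie outside both hunks.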
@@ -0,0 +1,83 @@
+From 1c68bb0f62bf8de8bb30123ea840d5168f25abea Mon Sep 17 00:00:00 2001
+From: Laura Abbott
+Date: Tue, 28 Feb 2017 14:07:25 -0800
+Subject: crypto: testmgr - Pad aes_ccm_enc_tv_template vector
+
+From: Laura Abbott
+
+commit 1c68bb0f62bf8de8bb30123ea840d5168f25abea upstream.
+
+Running with KASAN and crypto tests currently gives
+
+ BUG: KASAN: global-out-of-bounds in __test_aead+0x9d9/0x2200 at addr ffffffff8212fca0
+ Read of size 16 by task cryptomgr_test/1107
+ Address belongs to variable 0xffffffff8212fca0
+ CPU: 0 PID: 1107 Comm: cryptomgr_test Not tainted 4.10.0+ #45
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.1-1.fc24 04/01/2014
+ Call Trace:
+ dump_stack+0x63/0x8a
+ kasan_report.part.1+0x4a7/0x4e0
+ ? __test_aead+0x9d9/0x2200
+ ? crypto_ccm_init_crypt+0x218/0x3c0 [ccm]
+ kasan_report+0x20/0x30
+ check_memory_region+0x13c/0x1a0
+ memcpy+0x23/0x50
+ __test_aead+0x9d9/0x2200
+ ? kasan_unpoison_shadow+0x35/0x50
+ ? alg_test_akcipher+0xf0/0xf0
+ ? crypto_skcipher_init_tfm+0x2e3/0x310
+ ? crypto_spawn_tfm2+0x37/0x60
+ ? crypto_ccm_init_tfm+0xa9/0xd0 [ccm]
+ ? crypto_aead_init_tfm+0x7b/0x90
+ ? crypto_alloc_tfm+0xc4/0x190
+ test_aead+0x28/0xc0
+ alg_test_aead+0x54/0xd0
+ alg_test+0x1eb/0x3d0
+ ? alg_find_test+0x90/0x90
+ ? __sched_text_start+0x8/0x8
+ ? __wake_up_common+0x70/0xb0
+ cryptomgr_test+0x4d/0x60
+ kthread+0x173/0x1c0
+ ? crypto_acomp_scomp_free_ctx+0x60/0x60
+ ? kthread_create_on_node+0xa0/0xa0
+ ret_from_fork+0x2c/0x40
+ Memory state around the buggy address:
+ ffffffff8212fb80: 00 00 00 00 01 fa fa fa fa fa fa fa 00 00 00 00
+ ffffffff8212fc00: 00 01 fa fa fa fa fa fa 00 00 00 00 01 fa fa fa
+ >ffffffff8212fc80: fa fa fa fa 00 05 fa fa fa fa fa fa 00 00 00 00
+ ^
+ ffffffff8212fd00: 01 fa fa fa fa fa fa fa 00 00 00 00 01 fa fa fa
+ ffffffff8212fd80: fa fa fa fa 00 00 00 00 00 05 fa fa fa fa fa fa
+
+This always happens on the same IV which is less than 16 bytes.
+
+Per Ard,
+
+"CCM IVs are 16 bytes, but due to the way they are constructed
+internally, the final couple of bytes of input IV are dont-cares.
+
+Apparently, we do read all 16 bytes, which triggers the KASAN errors."
+
+Fix this by padding the IV with null bytes to be at least 16 bytes.
+
+Fixes: 0bc5a6c5c79a ("crypto: testmgr - Disable rfc4309 test and convert test vectors")
+Acked-by: Ard Biesheuvel
+Signed-off-by: Laura Abbott
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/testmgr.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/testmgr.h
++++ b/crypto/testmgr.h
+@@ -21778,7 +21778,7 @@ static struct aead_testvec aes_ccm_enc_t
+ "\x09\x75\x9a\x9b\x3c\x9b\x27\x39",
+ .klen = 32,
+ .iv = "\x03\xf9\xd9\x4e\x63\xb5\x3d\x9d"
+- "\x43\xf6\x1e\x50",
++ "\x43\xf6\x1e\x50\0\0\0\0",
+ .assoc = "\x57\xf5\x6b\x8b\x57\x5c\x3d\x3b"
+ "\x13\x02\x01\x0c\x83\x4c\x96\x35"
+ "\x8e\xd6\x39\xcf\x7d\x14\x9b\x94"
diff --git a/queue-4.4/fuse-add-missing-fr_force.patch b/queue-4.4/fuse-add-missing-fr_force.patch
new file mode 100644
index 00000000000..0683b89b65a
--- /dev/null
+++ b/queue-4.4/fuse-add-missing-fr_force.patch
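Review bot: The `\0\0\0\0` padding added to the `.iv` literal brings this one vector to 16 bytes, but nothing in the vector records why, so a later tidy-up of "trailing NULs" could drop it and reintroduce the global out-of-bounds read. Suggest a comment on the padded line: `/* CCM consumes a full 16-byte IV; pad the 12-byte test IV with NULs */`. The fix is local to this vector; whether the harness in testmgr.c compares a vector's IV length against the algorithm's ivsize cannot be seen from this hunk, and such a check would catch the next short vector at test time rather than under KASAN. The `aes_ccm_enc_tv_template` array begins and ends outside the hunk.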
@@ -0,0 +1,34 @@
+From 2e38bea99a80eab408adee27f873a188d57b76cb Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Wed, 22 Feb 2017 20:08:25 +0100
+Subject: fuse: add missing FR_FORCE
+
+From: Miklos Szeredi
+
+commit 2e38bea99a80eab408adee27f873a188d57b76cb upstream.
+
+fuse_file_put() was missing the "force" flag for the RELEASE request when
+sending synchronously (fuseblk).
+
+If this flag is not set, then a sync request may be interrupted before it
+is dequeued by the userspace filesystem. In this case the OPEN won't be
+balanced with a RELEASE.
+
+Signed-off-by: Miklos Szeredi
+Fixes: 5a18ec176c93 ("fuse: fix hang of single threaded fuseblk filesystem")
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/file.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -100,6 +100,7 @@ static void fuse_file_put(struct fuse_fi
+ iput(req->misc.release.inode);
+ fuse_put_request(ff->fc, req);
+ } else if (sync) {
++ __set_bit(FR_FORCE, &req->flags);
+ __clear_bit(FR_BACKGROUND, &req->flags);
+ fuse_request_send(ff->fc, req);
+ iput(req->misc.release.inode);
diff --git a/queue-4.4/series b/queue-4.4/series
index 73cf50d3d2b..b38d67619ff 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -54,3 +54,6 @@ target-fix-multi-session-dynamic-se_node_acl-double-free-oops.patch
 ath5k-drop-bogus-warning-on-drv_set_key-with-unsupported-cipher.patch
 ath9k-fix-race-condition-in-enabling-disabling-irqs.patch
 ath9k-use-correct-otp-register-offsets-for-the-ar9340-and-ar9550.patch
+crypto-testmgr-pad-aes_ccm_enc_tv_template-vector.patch
+fuse-add-missing-fr_force.patch
+arm-arm64-kvm-enforce-unconditional-flush-to-poc-when-mapping-to-stage-2.patch
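Review bot: The added `__set_bit(FR_FORCE, &req->flags);` carries none of the reasoning from the commit message, and next to `__clear_bit(FR_BACKGROUND, ...)` it reads as arbitrary flag fiddling that a future cleanup could collapse. Suggest a comment above it: `/* FR_FORCE: a sync RELEASE must not be interruptible before the server dequeues it, or the OPEN is never balanced and the server leaks the handle. */`. The background branch that follows `} else if (sync) {` is outside the hunk; the commit message scopes the fix to the synchronous fuseblk path, so whether that branch needs anything cannot be judged from here. `fuse_file_put` starts and ends outside the hunk.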