From: Greg Kroah-Hartman Date: Thu, 5 Apr 2018 20:00:43 +0000 (+0200) Subject: 4.16-stable patches X-Git-Tag: v3.18.103~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e3147abbef1d2e956b8ba25dbb24db3d2ffc4fe5;p=thirdparty%2Fkernel%2Fstable-queue.git 4.16-stable patches added patches: crypto-ahash-fix-early-termination-in-hash-walk.patch crypto-arm-arm64-fix-random-regeneration-of-s_shipped.patch crypto-caam-fix-null-dereference-at-error-path.patch crypto-ccp-fill-the-result-buffer-only-on-digest-finup-and-final-ops.patch crypto-ccp-return-an-actual-key-size-from-rsa-max_size-callback.patch crypto-inside-secure-fix-clock-management.patch crypto-lrw-free-rctx-ext-with-kzfree.patch crypto-talitos-don-t-persistently-map-req_ctx-hw_context-and-req_ctx-buf.patch crypto-talitos-fix-ipsec-cipher-in-length.patch crypto-testmgr-fix-incorrect-values-in-pkcs-1-test-vector.patch crypto-x86-cast5-avx-fix-ecb-encryption-when-long-sg-follows-short-one.patch dev-mem-avoid-overwriting-err-in-read_mem.patch media-usbtv-prevent-double-free-in-error-case.patch mei-remove-dev_err-message-on-an-unsupported-ioctl.patch parport_pc-add-support-for-wch-ch382l-pci-e-single-parallel-port-card.patch serial-8250-add-nuvoton-npcm-uart.patch usb-serial-cp210x-add-eldat-easywave-rx09-id.patch usb-serial-ftdi_sio-add-rt-systems-vx-8-cable.patch usb-serial-ftdi_sio-add-support-for-harman-firmwarehubemulator.patch --- diff --git a/queue-4.16/crypto-ahash-fix-early-termination-in-hash-walk.patch b/queue-4.16/crypto-ahash-fix-early-termination-in-hash-walk.patch new file mode 100644 index 00000000000..0032a25b4af --- /dev/null +++ b/queue-4.16/crypto-ahash-fix-early-termination-in-hash-walk.patch @@ -0,0 +1,44 @@ +From 900a081f6912a8985dc15380ec912752cb66025a Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Mon, 26 Mar 2018 08:53:25 +0800 +Subject: crypto: ahash - Fix early termination in hash walk + +From: Herbert Xu + +commit 900a081f6912a8985dc15380ec912752cb66025a upstream. + +When we have an unaligned SG list entry where there is no leftover +aligned data, the hash walk code will incorrectly return zero as if +the entire SG list has been processed. + +This patch fixes it by moving onto the next page instead. + +Reported-by: Eli Cooper +Cc: +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/ahash.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/crypto/ahash.c ++++ b/crypto/ahash.c +@@ -92,13 +92,14 @@ int crypto_hash_walk_done(struct crypto_ + + if (nbytes && walk->offset & alignmask && !err) { + walk->offset = ALIGN(walk->offset, alignmask + 1); +- walk->data += walk->offset; +- + nbytes = min(nbytes, + ((unsigned int)(PAGE_SIZE)) - walk->offset); + walk->entrylen -= nbytes; + +- return nbytes; ++ if (nbytes) { ++ walk->data += walk->offset; ++ return nbytes; ++ } + } + + if (walk->flags & CRYPTO_ALG_ASYNC) diff --git a/queue-4.16/crypto-arm-arm64-fix-random-regeneration-of-s_shipped.patch b/queue-4.16/crypto-arm-arm64-fix-random-regeneration-of-s_shipped.patch new file mode 100644 index 00000000000..6952a7ae343 --- /dev/null +++ b/queue-4.16/crypto-arm-arm64-fix-random-regeneration-of-s_shipped.patch @@ -0,0 +1,69 @@ +From 6aaf49b495b446ff6eec0ac983f781ca0dc56a73 Mon Sep 17 00:00:00 2001 +From: Leonard Crestez +Date: Tue, 13 Mar 2018 22:17:23 +0200 +Subject: crypto: arm,arm64 - Fix random regeneration of S_shipped + +From: Leonard Crestez + +commit 6aaf49b495b446ff6eec0ac983f781ca0dc56a73 upstream. + +The decision to rebuild .S_shipped is made based on the relative +timestamps of .S_shipped and .pl files but git makes this essentially +random. This means that the perl script might run anyway (usually at +most once per checkout), defeating the whole purpose of _shipped. + +Fix by skipping the rule unless explicit make variables are provided: +REGENERATE_ARM_CRYPTO or REGENERATE_ARM64_CRYPTO. + +This can produce nasty occasional build failures downstream, for example +for toolchains with broken perl. The solution is minimally intrusive to +make it easier to push into stable. + +Another report on a similar issue here: https://lkml.org/lkml/2018/3/8/1379 + +Signed-off-by: Leonard Crestez +Cc: +Reviewed-by: Masahiro Yamada +Acked-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/crypto/Makefile | 2 ++ + arch/arm64/crypto/Makefile | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/arch/arm/crypto/Makefile ++++ b/arch/arm/crypto/Makefile +@@ -54,6 +54,7 @@ crct10dif-arm-ce-y := crct10dif-ce-core. + crc32-arm-ce-y:= crc32-ce-core.o crc32-ce-glue.o + chacha20-neon-y := chacha20-neon-core.o chacha20-neon-glue.o + ++ifdef REGENERATE_ARM_CRYPTO + quiet_cmd_perl = PERL $@ + cmd_perl = $(PERL) $(<) > $(@) + +@@ -62,5 +63,6 @@ $(src)/sha256-core.S_shipped: $(src)/sha + + $(src)/sha512-core.S_shipped: $(src)/sha512-armv4.pl + $(call cmd,perl) ++endif + + .PRECIOUS: $(obj)/sha256-core.S $(obj)/sha512-core.S +--- a/arch/arm64/crypto/Makefile ++++ b/arch/arm64/crypto/Makefile +@@ -67,6 +67,7 @@ CFLAGS_aes-glue-ce.o := -DUSE_V8_CRYPTO_ + $(obj)/aes-glue-%.o: $(src)/aes-glue.c FORCE + $(call if_changed_rule,cc_o_c) + ++ifdef REGENERATE_ARM64_CRYPTO + quiet_cmd_perlasm = PERLASM $@ + cmd_perlasm = $(PERL) $(<) void $(@) + +@@ -75,5 +76,6 @@ $(src)/sha256-core.S_shipped: $(src)/sha + + $(src)/sha512-core.S_shipped: $(src)/sha512-armv8.pl + $(call cmd,perlasm) ++endif + + .PRECIOUS: $(obj)/sha256-core.S $(obj)/sha512-core.S diff --git a/queue-4.16/crypto-caam-fix-null-dereference-at-error-path.patch b/queue-4.16/crypto-caam-fix-null-dereference-at-error-path.patch new file mode 100644 index 00000000000..d2be9c98c52 --- /dev/null +++ b/queue-4.16/crypto-caam-fix-null-dereference-at-error-path.patch @@ -0,0 +1,48 @@ +From b85149f6f5d5a9279f29a73b2e95342f4d465e73 Mon Sep 17 00:00:00 2001 +From: Rui Miguel Silva +Date: Thu, 22 Feb 2018 14:22:47 +0000 +Subject: crypto: caam - Fix null dereference at error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rui Miguel Silva + +commit b85149f6f5d5a9279f29a73b2e95342f4d465e73 upstream. + +caam_remove already removes the debugfs entry, so we need to remove the one +immediately before calling caam_remove. + +This fix a NULL dereference at error paths is caam_probe fail. + +Fixes: 67c2315def06 ("crypto: caam - add Queue Interface (QI) backend support") + +Tested-by: Ryan Harkin +Cc: "Horia Geantă" +Cc: Aymen Sghaier +Cc: Fabio Estevam +Cc: Peng Fan +Cc: "David S. Miller" +Cc: Lukas Auer +Cc: # 4.12+ +Reviewed-by: Horia Geantă +Signed-off-by: Rui Miguel Silva +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/ctrl.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/crypto/caam/ctrl.c ++++ b/drivers/crypto/caam/ctrl.c +@@ -815,9 +815,6 @@ static int caam_probe(struct platform_de + return 0; + + caam_remove: +-#ifdef CONFIG_DEBUG_FS +- debugfs_remove_recursive(ctrlpriv->dfs_root); +-#endif + caam_remove(pdev); + return ret; + diff --git a/queue-4.16/crypto-ccp-fill-the-result-buffer-only-on-digest-finup-and-final-ops.patch b/queue-4.16/crypto-ccp-fill-the-result-buffer-only-on-digest-finup-and-final-ops.patch new file mode 100644 index 00000000000..07266030920 --- /dev/null +++ b/queue-4.16/crypto-ccp-fill-the-result-buffer-only-on-digest-finup-and-final-ops.patch @@ -0,0 +1,46 @@ +From 0ee991be4cdd88587aedbf68cdacd1765f57236a Mon Sep 17 00:00:00 2001 +From: Gary R Hook +Date: Wed, 7 Mar 2018 11:37:42 -0600 +Subject: crypto: ccp - Fill the result buffer only on digest, finup, and final ops + +From: Gary R Hook + +commit 0ee991be4cdd88587aedbf68cdacd1765f57236a upstream. + +Any change to the result buffer should only happen on final, finup +and digest operations. Changes to the buffer for update, import, export, +etc, are not allowed. + +Fixes: 66d7b9f6175e ("crypto: testmgr - test misuse of result in ahash") +Signed-off-by: Gary R Hook +Cc: +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-crypto-aes-cmac.c | 2 +- + drivers/crypto/ccp/ccp-crypto-sha.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c ++++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c +@@ -46,7 +46,7 @@ static int ccp_aes_cmac_complete(struct + } + + /* Update result area if supplied */ +- if (req->result) ++ if (req->result && rctx->final) + memcpy(req->result, rctx->iv, digest_size); + + e_free: +--- a/drivers/crypto/ccp/ccp-crypto-sha.c ++++ b/drivers/crypto/ccp/ccp-crypto-sha.c +@@ -47,7 +47,7 @@ static int ccp_sha_complete(struct crypt + } + + /* Update result area if supplied */ +- if (req->result) ++ if (req->result && rctx->final) + memcpy(req->result, rctx->ctx, digest_size); + + e_free: diff --git a/queue-4.16/crypto-ccp-return-an-actual-key-size-from-rsa-max_size-callback.patch b/queue-4.16/crypto-ccp-return-an-actual-key-size-from-rsa-max_size-callback.patch new file mode 100644 index 00000000000..f6792853705 --- /dev/null +++ b/queue-4.16/crypto-ccp-return-an-actual-key-size-from-rsa-max_size-callback.patch @@ -0,0 +1,52 @@ +From 0a9eb80e643064266868bd2fb2cd608e669309b0 Mon Sep 17 00:00:00 2001 +From: "Maciej S. Szmigiero" +Date: Sat, 24 Feb 2018 17:03:21 +0100 +Subject: crypto: ccp - return an actual key size from RSA max_size callback + +From: Maciej S. Szmigiero + +commit 0a9eb80e643064266868bd2fb2cd608e669309b0 upstream. + +rsa-pkcs1pad uses a value returned from a RSA implementation max_size +callback as a size of an input buffer passed to the RSA implementation for +encrypt and sign operations. + +CCP RSA implementation uses a hardware input buffer which size depends only +on the current RSA key length, so it should return this key length in +the max_size callback, too. +This also matches what the kernel software RSA implementation does. + +Previously, the value returned from this callback was always the maximum +RSA key size the CCP hardware supports. +This resulted in this huge buffer being passed by rsa-pkcs1pad to CCP even +for smaller key sizes and then in a buffer overflow when ccp_run_rsa_cmd() +tried to copy this large input buffer into a RSA key length-sized hardware +input buffer. + +Signed-off-by: Maciej S. Szmigiero +Fixes: ceeec0afd684 ("crypto: ccp - Add support for RSA on the CCP") +Cc: stable@vger.kernel.org +Acked-by: Gary R Hook +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-crypto-rsa.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/crypto/ccp/ccp-crypto-rsa.c ++++ b/drivers/crypto/ccp/ccp-crypto-rsa.c +@@ -60,10 +60,9 @@ static int ccp_rsa_complete(struct crypt + + static unsigned int ccp_rsa_maxsize(struct crypto_akcipher *tfm) + { +- if (ccp_version() > CCP_VERSION(3, 0)) +- return CCP5_RSA_MAXMOD; +- else +- return CCP_RSA_MAXMOD; ++ struct ccp_ctx *ctx = akcipher_tfm_ctx(tfm); ++ ++ return ctx->u.rsa.n_len; + } + + static int ccp_rsa_crypt(struct akcipher_request *req, bool encrypt) diff --git a/queue-4.16/crypto-inside-secure-fix-clock-management.patch b/queue-4.16/crypto-inside-secure-fix-clock-management.patch new file mode 100644 index 00000000000..38de34d717a --- /dev/null +++ b/queue-4.16/crypto-inside-secure-fix-clock-management.patch @@ -0,0 +1,37 @@ +From f962eb46e7a9b98a58d2483f5eb216e738fec732 Mon Sep 17 00:00:00 2001 +From: Gregory CLEMENT +Date: Tue, 13 Mar 2018 17:48:40 +0100 +Subject: crypto: inside-secure - fix clock management + +From: Gregory CLEMENT + +commit f962eb46e7a9b98a58d2483f5eb216e738fec732 upstream. + +In this driver the clock is got but never put when the driver is removed +or if there is an error in the probe. + +Using the managed version of clk_get() allows to let the kernel take care +of it. + +Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto +engine driver") +cc: stable@vger.kernel.org +Signed-off-by: Gregory CLEMENT +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/inside-secure/safexcel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/inside-secure/safexcel.c ++++ b/drivers/crypto/inside-secure/safexcel.c +@@ -894,7 +894,7 @@ static int safexcel_probe(struct platfor + return PTR_ERR(priv->base); + } + +- priv->clk = of_clk_get(dev->of_node, 0); ++ priv->clk = devm_clk_get(&pdev->dev, NULL); + if (!IS_ERR(priv->clk)) { + ret = clk_prepare_enable(priv->clk); + if (ret) { diff --git a/queue-4.16/crypto-lrw-free-rctx-ext-with-kzfree.patch b/queue-4.16/crypto-lrw-free-rctx-ext-with-kzfree.patch new file mode 100644 index 00000000000..3d3d76f3076 --- /dev/null +++ b/queue-4.16/crypto-lrw-free-rctx-ext-with-kzfree.patch @@ -0,0 +1,33 @@ +From 8c9bdab21289c211ca1ca6a5f9b7537b4a600a02 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Fri, 23 Mar 2018 08:14:44 +0800 +Subject: crypto: lrw - Free rctx->ext with kzfree + +From: Herbert Xu + +commit 8c9bdab21289c211ca1ca6a5f9b7537b4a600a02 upstream. + +The buffer rctx->ext contains potentially sensitive data and should +be freed with kzfree. + +Cc: +Fixes: 700cb3f5fe75 ("crypto: lrw - Convert to skcipher") +Reported-by: Dan Carpenter +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/lrw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/crypto/lrw.c ++++ b/crypto/lrw.c +@@ -313,7 +313,7 @@ static void exit_crypt(struct skcipher_r + rctx->left = 0; + + if (rctx->ext) +- kfree(rctx->ext); ++ kzfree(rctx->ext); + } + + static int do_encrypt(struct skcipher_request *req, int err) diff --git a/queue-4.16/crypto-talitos-don-t-persistently-map-req_ctx-hw_context-and-req_ctx-buf.patch b/queue-4.16/crypto-talitos-don-t-persistently-map-req_ctx-hw_context-and-req_ctx-buf.patch new file mode 100644 index 00000000000..0eafdc177fb --- /dev/null +++ b/queue-4.16/crypto-talitos-don-t-persistently-map-req_ctx-hw_context-and-req_ctx-buf.patch @@ -0,0 +1,297 @@ +From ad4cd51fb8375109edb377712b5f9c0c31ece33e Mon Sep 17 00:00:00 2001 +From: LEROY Christophe +Date: Mon, 26 Feb 2018 17:40:04 +0100 +Subject: crypto: talitos - don't persistently map req_ctx->hw_context and req_ctx->buf +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: LEROY Christophe + +commit ad4cd51fb8375109edb377712b5f9c0c31ece33e upstream. + +Commit 49f9783b0cea ("crypto: talitos - do hw_context DMA mapping +outside the requests") introduced a persistent dma mapping of +req_ctx->hw_context +Commit 37b5e8897eb5 ("crypto: talitos - chain in buffered data for ahash +on SEC1") introduced a persistent dma mapping of req_ctx->buf + +As there is no destructor for req_ctx (the request context), the +associated dma handlers where set in ctx (the tfm context). This is +wrong as several hash operations can run with the same ctx. + +This patch removes this persistent mapping. + +Reported-by: Horia Geanta +Cc: +Fixes: 49f9783b0cea ("crypto: talitos - do hw_context DMA mapping outside the requests") +Fixes: 37b5e8897eb5 ("crypto: talitos - chain in buffered data for ahash on SEC1") +Signed-off-by: Christophe Leroy +Tested-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/talitos.c | 132 +++++++++++++++-------------------------------- + 1 file changed, 44 insertions(+), 88 deletions(-) + +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -832,8 +832,6 @@ struct talitos_ctx { + unsigned int keylen; + unsigned int enckeylen; + unsigned int authkeylen; +- dma_addr_t dma_buf; +- dma_addr_t dma_hw_context; + }; + + #define HASH_MAX_BLOCK_SIZE SHA512_BLOCK_SIZE +@@ -1690,9 +1688,30 @@ static void common_nonsnoop_hash_unmap(s + struct ahash_request *areq) + { + struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq); ++ struct talitos_private *priv = dev_get_drvdata(dev); ++ bool is_sec1 = has_ftr_sec1(priv); ++ struct talitos_desc *desc = &edesc->desc; ++ struct talitos_desc *desc2 = desc + 1; ++ ++ unmap_single_talitos_ptr(dev, &edesc->desc.ptr[5], DMA_FROM_DEVICE); ++ if (desc->next_desc && ++ desc->ptr[5].ptr != desc2->ptr[5].ptr) ++ unmap_single_talitos_ptr(dev, &desc2->ptr[5], DMA_FROM_DEVICE); + + talitos_sg_unmap(dev, edesc, req_ctx->psrc, NULL, 0, 0); + ++ /* When using hashctx-in, must unmap it. */ ++ if (from_talitos_ptr_len(&edesc->desc.ptr[1], is_sec1)) ++ unmap_single_talitos_ptr(dev, &edesc->desc.ptr[1], ++ DMA_TO_DEVICE); ++ else if (desc->next_desc) ++ unmap_single_talitos_ptr(dev, &desc2->ptr[1], ++ DMA_TO_DEVICE); ++ ++ if (is_sec1 && req_ctx->nbuf) ++ unmap_single_talitos_ptr(dev, &desc->ptr[3], ++ DMA_TO_DEVICE); ++ + if (edesc->dma_len) + dma_unmap_single(dev, edesc->dma_link_tbl, edesc->dma_len, + DMA_BIDIRECTIONAL); +@@ -1766,8 +1785,10 @@ static int common_nonsnoop_hash(struct t + + /* hash context in */ + if (!req_ctx->first || req_ctx->swinit) { +- to_talitos_ptr(&desc->ptr[1], ctx->dma_hw_context, +- req_ctx->hw_context_size, is_sec1); ++ map_single_talitos_ptr(dev, &desc->ptr[1], ++ req_ctx->hw_context_size, ++ (char *)req_ctx->hw_context, ++ DMA_TO_DEVICE); + req_ctx->swinit = 0; + } + /* Indicate next op is not the first. */ +@@ -1793,10 +1814,9 @@ static int common_nonsnoop_hash(struct t + * data in + */ + if (is_sec1 && req_ctx->nbuf) { +- dma_addr_t dma_buf = ctx->dma_buf + req_ctx->buf_idx * +- HASH_MAX_BLOCK_SIZE; +- +- to_talitos_ptr(&desc->ptr[3], dma_buf, req_ctx->nbuf, is_sec1); ++ map_single_talitos_ptr(dev, &desc->ptr[3], req_ctx->nbuf, ++ req_ctx->buf[req_ctx->buf_idx], ++ DMA_TO_DEVICE); + } else { + sg_count = talitos_sg_map(dev, req_ctx->psrc, length, edesc, + &desc->ptr[3], sg_count, offset, 0); +@@ -1812,8 +1832,9 @@ static int common_nonsnoop_hash(struct t + crypto_ahash_digestsize(tfm), + areq->result, DMA_FROM_DEVICE); + else +- to_talitos_ptr(&desc->ptr[5], ctx->dma_hw_context, +- req_ctx->hw_context_size, is_sec1); ++ map_single_talitos_ptr(dev, &desc->ptr[5], ++ req_ctx->hw_context_size, ++ req_ctx->hw_context, DMA_FROM_DEVICE); + + /* last DWORD empty */ + +@@ -1832,9 +1853,14 @@ static int common_nonsnoop_hash(struct t + desc->hdr |= DESC_HDR_MODE0_MDEU_CONT; + desc->hdr &= ~DESC_HDR_DONE_NOTIFY; + +- to_talitos_ptr(&desc2->ptr[1], ctx->dma_hw_context, +- req_ctx->hw_context_size, is_sec1); +- ++ if (desc->ptr[1].ptr) ++ copy_talitos_ptr(&desc2->ptr[1], &desc->ptr[1], ++ is_sec1); ++ else ++ map_single_talitos_ptr(dev, &desc2->ptr[1], ++ req_ctx->hw_context_size, ++ req_ctx->hw_context, ++ DMA_TO_DEVICE); + copy_talitos_ptr(&desc2->ptr[2], &desc->ptr[2], is_sec1); + sg_count = talitos_sg_map(dev, req_ctx->psrc, length, edesc, + &desc2->ptr[3], sg_count, offset, 0); +@@ -1842,8 +1868,10 @@ static int common_nonsnoop_hash(struct t + sync_needed = true; + copy_talitos_ptr(&desc2->ptr[5], &desc->ptr[5], is_sec1); + if (req_ctx->last) +- to_talitos_ptr(&desc->ptr[5], ctx->dma_hw_context, +- req_ctx->hw_context_size, is_sec1); ++ map_single_talitos_ptr(dev, &desc->ptr[5], ++ req_ctx->hw_context_size, ++ req_ctx->hw_context, ++ DMA_FROM_DEVICE); + + next_desc = dma_map_single(dev, &desc2->hdr1, TALITOS_DESC_SIZE, + DMA_BIDIRECTIONAL); +@@ -1881,12 +1909,8 @@ static struct talitos_edesc *ahash_edesc + static int ahash_init(struct ahash_request *areq) + { + struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq); +- struct talitos_ctx *ctx = crypto_ahash_ctx(tfm); +- struct device *dev = ctx->dev; + struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq); + unsigned int size; +- struct talitos_private *priv = dev_get_drvdata(dev); +- bool is_sec1 = has_ftr_sec1(priv); + + /* Initialize the context */ + req_ctx->buf_idx = 0; +@@ -1898,18 +1922,6 @@ static int ahash_init(struct ahash_reque + : TALITOS_MDEU_CONTEXT_SIZE_SHA384_SHA512; + req_ctx->hw_context_size = size; + +- if (ctx->dma_hw_context) +- dma_unmap_single(dev, ctx->dma_hw_context, size, +- DMA_BIDIRECTIONAL); +- ctx->dma_hw_context = dma_map_single(dev, req_ctx->hw_context, size, +- DMA_BIDIRECTIONAL); +- if (ctx->dma_buf) +- dma_unmap_single(dev, ctx->dma_buf, sizeof(req_ctx->buf), +- DMA_TO_DEVICE); +- if (is_sec1) +- ctx->dma_buf = dma_map_single(dev, req_ctx->buf, +- sizeof(req_ctx->buf), +- DMA_TO_DEVICE); + return 0; + } + +@@ -1920,9 +1932,6 @@ static int ahash_init(struct ahash_reque + static int ahash_init_sha224_swinit(struct ahash_request *areq) + { + struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq); +- struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq); +- struct talitos_ctx *ctx = crypto_ahash_ctx(tfm); +- struct device *dev = ctx->dev; + + ahash_init(areq); + req_ctx->swinit = 1;/* prevent h/w initting context with sha256 values*/ +@@ -1940,9 +1949,6 @@ static int ahash_init_sha224_swinit(stru + req_ctx->hw_context[8] = 0; + req_ctx->hw_context[9] = 0; + +- dma_sync_single_for_device(dev, ctx->dma_hw_context, +- req_ctx->hw_context_size, DMA_TO_DEVICE); +- + return 0; + } + +@@ -2046,13 +2052,6 @@ static int ahash_process_req(struct ahas + /* request SEC to INIT hash. */ + if (req_ctx->first && !req_ctx->swinit) + edesc->desc.hdr |= DESC_HDR_MODE0_MDEU_INIT; +- if (is_sec1) { +- dma_addr_t dma_buf = ctx->dma_buf + req_ctx->buf_idx * +- HASH_MAX_BLOCK_SIZE; +- +- dma_sync_single_for_device(dev, dma_buf, +- req_ctx->nbuf, DMA_TO_DEVICE); +- } + + /* When the tfm context has a keylen, it's an HMAC. + * A first or last (ie. not middle) descriptor must request HMAC. +@@ -2106,12 +2105,7 @@ static int ahash_export(struct ahash_req + { + struct talitos_ahash_req_ctx *req_ctx = ahash_request_ctx(areq); + struct talitos_export_state *export = out; +- struct crypto_ahash *ahash = crypto_ahash_reqtfm(areq); +- struct talitos_ctx *ctx = crypto_ahash_ctx(ahash); +- struct device *dev = ctx->dev; + +- dma_sync_single_for_cpu(dev, ctx->dma_hw_context, +- req_ctx->hw_context_size, DMA_FROM_DEVICE); + memcpy(export->hw_context, req_ctx->hw_context, + req_ctx->hw_context_size); + memcpy(export->buf, req_ctx->buf[req_ctx->buf_idx], req_ctx->nbuf); +@@ -2130,31 +2124,14 @@ static int ahash_import(struct ahash_req + struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq); + const struct talitos_export_state *export = in; + unsigned int size; +- struct talitos_ctx *ctx = crypto_ahash_ctx(tfm); +- struct device *dev = ctx->dev; +- struct talitos_private *priv = dev_get_drvdata(dev); +- bool is_sec1 = has_ftr_sec1(priv); + + memset(req_ctx, 0, sizeof(*req_ctx)); + size = (crypto_ahash_digestsize(tfm) <= SHA256_DIGEST_SIZE) + ? TALITOS_MDEU_CONTEXT_SIZE_MD5_SHA1_SHA256 + : TALITOS_MDEU_CONTEXT_SIZE_SHA384_SHA512; + req_ctx->hw_context_size = size; +- if (ctx->dma_hw_context) +- dma_unmap_single(dev, ctx->dma_hw_context, size, +- DMA_BIDIRECTIONAL); +- + memcpy(req_ctx->hw_context, export->hw_context, size); +- ctx->dma_hw_context = dma_map_single(dev, req_ctx->hw_context, size, +- DMA_BIDIRECTIONAL); +- if (ctx->dma_buf) +- dma_unmap_single(dev, ctx->dma_buf, sizeof(req_ctx->buf), +- DMA_TO_DEVICE); + memcpy(req_ctx->buf[0], export->buf, export->nbuf); +- if (is_sec1) +- ctx->dma_buf = dma_map_single(dev, req_ctx->buf, +- sizeof(req_ctx->buf), +- DMA_TO_DEVICE); + req_ctx->swinit = export->swinit; + req_ctx->first = export->first; + req_ctx->last = export->last; +@@ -3064,27 +3041,6 @@ static void talitos_cra_exit(struct cryp + dma_unmap_single(dev, ctx->dma_key, ctx->keylen, DMA_TO_DEVICE); + } + +-static void talitos_cra_exit_ahash(struct crypto_tfm *tfm) +-{ +- struct talitos_ctx *ctx = crypto_tfm_ctx(tfm); +- struct device *dev = ctx->dev; +- unsigned int size; +- +- talitos_cra_exit(tfm); +- +- size = (crypto_ahash_digestsize(__crypto_ahash_cast(tfm)) <= +- SHA256_DIGEST_SIZE) +- ? TALITOS_MDEU_CONTEXT_SIZE_MD5_SHA1_SHA256 +- : TALITOS_MDEU_CONTEXT_SIZE_SHA384_SHA512; +- +- if (ctx->dma_hw_context) +- dma_unmap_single(dev, ctx->dma_hw_context, size, +- DMA_BIDIRECTIONAL); +- if (ctx->dma_buf) +- dma_unmap_single(dev, ctx->dma_buf, HASH_MAX_BLOCK_SIZE * 2, +- DMA_TO_DEVICE); +-} +- + /* + * given the alg's descriptor header template, determine whether descriptor + * type and primary/secondary execution units required match the hw +@@ -3183,7 +3139,7 @@ static struct talitos_crypto_alg *talito + case CRYPTO_ALG_TYPE_AHASH: + alg = &t_alg->algt.alg.hash.halg.base; + alg->cra_init = talitos_cra_init_ahash; +- alg->cra_exit = talitos_cra_exit_ahash; ++ alg->cra_exit = talitos_cra_exit; + alg->cra_type = &crypto_ahash_type; + t_alg->algt.alg.hash.init = ahash_init; + t_alg->algt.alg.hash.update = ahash_update; diff --git a/queue-4.16/crypto-talitos-fix-ipsec-cipher-in-length.patch b/queue-4.16/crypto-talitos-fix-ipsec-cipher-in-length.patch new file mode 100644 index 00000000000..4d94aac99ba --- /dev/null +++ b/queue-4.16/crypto-talitos-fix-ipsec-cipher-in-length.patch @@ -0,0 +1,109 @@ +From 2b1227301a8e4729409694e323b72c064c47cb6b Mon Sep 17 00:00:00 2001 +From: LEROY Christophe +Date: Thu, 22 Mar 2018 10:57:01 +0100 +Subject: crypto: talitos - fix IPsec cipher in length +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: LEROY Christophe + +commit 2b1227301a8e4729409694e323b72c064c47cb6b upstream. + +For SEC 2.x+, cipher in length must contain only the ciphertext length. +In case of using hardware ICV checking, the ICV length is provided via +the "extent" field of the descriptor pointer. + +Cc: # 4.8+ +Fixes: 549bd8bc5987 ("crypto: talitos - Implement AEAD for SEC1 using HMAC_SNOOP_NO_AFEU") +Reported-by: Horia Geantă +Signed-off-by: Christophe Leroy +Tested-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/talitos.c | 36 ++++++++++++++++++++---------------- + 1 file changed, 20 insertions(+), 16 deletions(-) + +--- a/drivers/crypto/talitos.c ++++ b/drivers/crypto/talitos.c +@@ -1128,10 +1128,10 @@ next: + return count; + } + +-static int talitos_sg_map(struct device *dev, struct scatterlist *src, +- unsigned int len, struct talitos_edesc *edesc, +- struct talitos_ptr *ptr, +- int sg_count, unsigned int offset, int tbl_off) ++static int talitos_sg_map_ext(struct device *dev, struct scatterlist *src, ++ unsigned int len, struct talitos_edesc *edesc, ++ struct talitos_ptr *ptr, int sg_count, ++ unsigned int offset, int tbl_off, int elen) + { + struct talitos_private *priv = dev_get_drvdata(dev); + bool is_sec1 = has_ftr_sec1(priv); +@@ -1140,6 +1140,7 @@ static int talitos_sg_map(struct device + to_talitos_ptr(ptr, 0, 0, is_sec1); + return 1; + } ++ to_talitos_ptr_ext_set(ptr, elen, is_sec1); + if (sg_count == 1) { + to_talitos_ptr(ptr, sg_dma_address(src) + offset, len, is_sec1); + return sg_count; +@@ -1148,7 +1149,7 @@ static int talitos_sg_map(struct device + to_talitos_ptr(ptr, edesc->dma_link_tbl + offset, len, is_sec1); + return sg_count; + } +- sg_count = sg_to_link_tbl_offset(src, sg_count, offset, len, ++ sg_count = sg_to_link_tbl_offset(src, sg_count, offset, len + elen, + &edesc->link_tbl[tbl_off]); + if (sg_count == 1) { + /* Only one segment now, so no link tbl needed*/ +@@ -1162,6 +1163,15 @@ static int talitos_sg_map(struct device + return sg_count; + } + ++static int talitos_sg_map(struct device *dev, struct scatterlist *src, ++ unsigned int len, struct talitos_edesc *edesc, ++ struct talitos_ptr *ptr, int sg_count, ++ unsigned int offset, int tbl_off) ++{ ++ return talitos_sg_map_ext(dev, src, len, edesc, ptr, sg_count, offset, ++ tbl_off, 0); ++} ++ + /* + * fill in and submit ipsec_esp descriptor + */ +@@ -1179,7 +1189,7 @@ static int ipsec_esp(struct talitos_edes + unsigned int ivsize = crypto_aead_ivsize(aead); + int tbl_off = 0; + int sg_count, ret; +- int sg_link_tbl_len; ++ int elen = 0; + bool sync_needed = false; + struct talitos_private *priv = dev_get_drvdata(dev); + bool is_sec1 = has_ftr_sec1(priv); +@@ -1221,17 +1231,11 @@ static int ipsec_esp(struct talitos_edes + * extent is bytes of HMAC postpended to ciphertext, + * typically 12 for ipsec + */ +- sg_link_tbl_len = cryptlen; +- +- if (is_ipsec_esp) { +- to_talitos_ptr_ext_set(&desc->ptr[4], authsize, is_sec1); +- +- if (desc->hdr & DESC_HDR_MODE1_MDEU_CICV) +- sg_link_tbl_len += authsize; +- } ++ if (is_ipsec_esp && (desc->hdr & DESC_HDR_MODE1_MDEU_CICV)) ++ elen = authsize; + +- ret = talitos_sg_map(dev, areq->src, sg_link_tbl_len, edesc, +- &desc->ptr[4], sg_count, areq->assoclen, tbl_off); ++ ret = talitos_sg_map_ext(dev, areq->src, cryptlen, edesc, &desc->ptr[4], ++ sg_count, areq->assoclen, tbl_off, elen); + + if (ret > 1) { + tbl_off += ret; diff --git a/queue-4.16/crypto-testmgr-fix-incorrect-values-in-pkcs-1-test-vector.patch b/queue-4.16/crypto-testmgr-fix-incorrect-values-in-pkcs-1-test-vector.patch new file mode 100644 index 00000000000..65b561b2520 --- /dev/null +++ b/queue-4.16/crypto-testmgr-fix-incorrect-values-in-pkcs-1-test-vector.patch @@ -0,0 +1,51 @@ +From 333e18c5cc74438f8940c7f3a8b3573748a371f9 Mon Sep 17 00:00:00 2001 +From: Conor McLoughlin +Date: Tue, 13 Feb 2018 08:29:56 +0000 +Subject: crypto: testmgr - Fix incorrect values in PKCS#1 test vector + +From: Conor McLoughlin + +commit 333e18c5cc74438f8940c7f3a8b3573748a371f9 upstream. + +The RSA private key for the first form should have +version, prime1, prime2, exponent1, exponent2, coefficient +values 0. +With non-zero values for prime1,2, exponent 1,2 and coefficient +the Intel QAT driver will assume that values are provided for the +private key second form. This will result in signature verification +failures for modules where QAT device is present and the modules +are signed with rsa,sha256. + +Cc: +Signed-off-by: Giovanni Cabiddu +Signed-off-by: Conor McLoughlin +Reviewed-by: Stephan Mueller +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/testmgr.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -548,7 +548,7 @@ static const struct akcipher_testvec rsa + static const struct akcipher_testvec pkcs1pad_rsa_tv_template[] = { + { + .key = +- "\x30\x82\x03\x1f\x02\x01\x10\x02\x82\x01\x01\x00\xd7\x1e\x77\x82" ++ "\x30\x82\x03\x1f\x02\x01\x00\x02\x82\x01\x01\x00\xd7\x1e\x77\x82" + "\x8c\x92\x31\xe7\x69\x02\xa2\xd5\x5c\x78\xde\xa2\x0c\x8f\xfe\x28" + "\x59\x31\xdf\x40\x9c\x60\x61\x06\xb9\x2f\x62\x40\x80\x76\xcb\x67" + "\x4a\xb5\x59\x56\x69\x17\x07\xfa\xf9\x4c\xbd\x6c\x37\x7a\x46\x7d" +@@ -597,8 +597,8 @@ static const struct akcipher_testvec pkc + "\xfe\xf8\x27\x1b\xd6\x55\x60\x5e\x48\xb7\x6d\x9a\xa8\x37\xf9\x7a" + "\xde\x1b\xcd\x5d\x1a\x30\xd4\xe9\x9e\x5b\x3c\x15\xf8\x9c\x1f\xda" + "\xd1\x86\x48\x55\xce\x83\xee\x8e\x51\xc7\xde\x32\x12\x47\x7d\x46" +- "\xb8\x35\xdf\x41\x02\x01\x30\x02\x01\x30\x02\x01\x30\x02\x01\x30" +- "\x02\x01\x30", ++ "\xb8\x35\xdf\x41\x02\x01\x00\x02\x01\x00\x02\x01\x00\x02\x01\x00" ++ "\x02\x01\x00", + .key_len = 804, + /* + * m is SHA256 hash of following message: diff --git a/queue-4.16/crypto-x86-cast5-avx-fix-ecb-encryption-when-long-sg-follows-short-one.patch b/queue-4.16/crypto-x86-cast5-avx-fix-ecb-encryption-when-long-sg-follows-short-one.patch new file mode 100644 index 00000000000..3f433205e9f --- /dev/null +++ b/queue-4.16/crypto-x86-cast5-avx-fix-ecb-encryption-when-long-sg-follows-short-one.patch @@ -0,0 +1,43 @@ +From 8f461b1e02ed546fbd0f11611138da67fd85a30f Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 19 Feb 2018 23:48:12 -0800 +Subject: crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one + +From: Eric Biggers + +commit 8f461b1e02ed546fbd0f11611138da67fd85a30f upstream. + +With ecb-cast5-avx, if a 128+ byte scatterlist element followed a +shorter one, then the algorithm accidentally encrypted/decrypted only 8 +bytes instead of the expected 128 bytes. Fix it by setting the +encryption/decryption 'fn' correctly. + +Fixes: c12ab20b162c ("crypto: cast5/avx - avoid using temporary stack buffers") +Cc: # v3.8+ +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/crypto/cast5_avx_glue.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/x86/crypto/cast5_avx_glue.c ++++ b/arch/x86/crypto/cast5_avx_glue.c +@@ -66,8 +66,6 @@ static int ecb_crypt(struct blkcipher_de + void (*fn)(struct cast5_ctx *ctx, u8 *dst, const u8 *src); + int err; + +- fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way; +- + err = blkcipher_walk_virt(desc, walk); + desc->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP; + +@@ -79,6 +77,7 @@ static int ecb_crypt(struct blkcipher_de + + /* Process multi-block batch */ + if (nbytes >= bsize * CAST5_PARALLEL_BLOCKS) { ++ fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way; + do { + fn(ctx, wdst, wsrc); + diff --git a/queue-4.16/dev-mem-avoid-overwriting-err-in-read_mem.patch b/queue-4.16/dev-mem-avoid-overwriting-err-in-read_mem.patch new file mode 100644 index 00000000000..108139be843 --- /dev/null +++ b/queue-4.16/dev-mem-avoid-overwriting-err-in-read_mem.patch @@ -0,0 +1,45 @@ +From b5b38200ebe54879a7264cb6f33821f61c586a7e Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Tue, 27 Mar 2018 14:06:14 -0700 +Subject: /dev/mem: Avoid overwriting "err" in read_mem() + +From: Kees Cook + +commit b5b38200ebe54879a7264cb6f33821f61c586a7e upstream. + +Successes in probe_kernel_read() would mask failures in copy_to_user() +during read_mem(). + +Reported-by: Brad Spengler +Fixes: 22ec1a2aea73 ("/dev/mem: Add bounce buffer for copy-out") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/mem.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/char/mem.c ++++ b/drivers/char/mem.c +@@ -137,7 +137,7 @@ static ssize_t read_mem(struct file *fil + + while (count > 0) { + unsigned long remaining; +- int allowed; ++ int allowed, probe; + + sz = size_inside_page(p, count); + +@@ -160,9 +160,9 @@ static ssize_t read_mem(struct file *fil + if (!ptr) + goto failed; + +- err = probe_kernel_read(bounce, ptr, sz); ++ probe = probe_kernel_read(bounce, ptr, sz); + unxlate_dev_mem_ptr(p, ptr); +- if (err) ++ if (probe) + goto failed; + + remaining = copy_to_user(buf, bounce, sz); diff --git a/queue-4.16/media-usbtv-prevent-double-free-in-error-case.patch b/queue-4.16/media-usbtv-prevent-double-free-in-error-case.patch new file mode 100644 index 00000000000..da65d708d48 --- /dev/null +++ b/queue-4.16/media-usbtv-prevent-double-free-in-error-case.patch @@ -0,0 +1,64 @@ +From 50e7044535537b2a54c7ab798cd34c7f6d900bd2 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Mon, 8 Jan 2018 09:21:07 -0500 +Subject: media: usbtv: prevent double free in error case + +From: Oliver Neukum + +commit 50e7044535537b2a54c7ab798cd34c7f6d900bd2 upstream. + +Quoting the original report: + +It looks like there is a double-free vulnerability in Linux usbtv driver +on an error path of usbtv_probe function. When audio registration fails, +usbtv_video_free function ends up freeing usbtv data structure, which +gets freed the second time under usbtv_video_fail label. + +usbtv_audio_fail: + + usbtv_video_free(usbtv); => + + v4l2_device_put(&usbtv->v4l2_dev); + + => v4l2_device_put + + => kref_put + + => v4l2_device_release + + => usbtv_release (CALLBACK) + + => kfree(usbtv) (1st time) + +usbtv_video_fail: + + usb_set_intfdata(intf, NULL); + + usb_put_dev(usbtv->udev); + + kfree(usbtv); (2nd time) + +So, as we have refcounting, use it + +Reported-by: Yavuz, Tuba +Signed-off-by: Oliver Neukum +CC: stable@vger.kernel.org +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/usbtv/usbtv-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/usb/usbtv/usbtv-core.c ++++ b/drivers/media/usb/usbtv/usbtv-core.c +@@ -112,6 +112,8 @@ static int usbtv_probe(struct usb_interf + return 0; + + usbtv_audio_fail: ++ /* we must not free at this point */ ++ usb_get_dev(usbtv->udev); + usbtv_video_free(usbtv); + + usbtv_video_fail: diff --git a/queue-4.16/mei-remove-dev_err-message-on-an-unsupported-ioctl.patch b/queue-4.16/mei-remove-dev_err-message-on-an-unsupported-ioctl.patch new file mode 100644 index 00000000000..a47d80458bd --- /dev/null +++ b/queue-4.16/mei-remove-dev_err-message-on-an-unsupported-ioctl.patch @@ -0,0 +1,32 @@ +From bb0829a741792b56c908d7745bc0b2b540293bcc Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Tue, 27 Feb 2018 16:21:05 +0000 +Subject: mei: remove dev_err message on an unsupported ioctl + +From: Colin Ian King + +commit bb0829a741792b56c908d7745bc0b2b540293bcc upstream. + +Currently the driver spams the kernel log on unsupported ioctls which is +unnecessary as the ioctl returns -ENOIOCTLCMD to indicate this anyway. +I suspect this was originally for debugging purposes but it really is not +required so remove it. + +Signed-off-by: Colin Ian King +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/main.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/misc/mei/main.c ++++ b/drivers/misc/mei/main.c +@@ -507,7 +507,6 @@ static long mei_ioctl(struct file *file, + break; + + default: +- dev_err(dev->dev, ": unsupported ioctl %d.\n", cmd); + rets = -ENOIOCTLCMD; + } + diff --git a/queue-4.16/parport_pc-add-support-for-wch-ch382l-pci-e-single-parallel-port-card.patch b/queue-4.16/parport_pc-add-support-for-wch-ch382l-pci-e-single-parallel-port-card.patch new file mode 100644 index 00000000000..e15bc480c76 --- /dev/null +++ b/queue-4.16/parport_pc-add-support-for-wch-ch382l-pci-e-single-parallel-port-card.patch @@ -0,0 +1,48 @@ +From 823f7923833c6cc2b16e601546d607dcfb368004 Mon Sep 17 00:00:00 2001 +From: Alexander Gerasiov +Date: Sun, 4 Feb 2018 02:50:22 +0300 +Subject: parport_pc: Add support for WCH CH382L PCI-E single parallel port card. + +From: Alexander Gerasiov + +commit 823f7923833c6cc2b16e601546d607dcfb368004 upstream. + +WCH CH382L is a PCI-E adapter with 1 parallel port. It is similair to CH382 +but serial ports are not soldered on board. Detected as +Serial controller: Device 1c00:3050 (rev 10) (prog-if 05 [16850]) + +Signed-off-by: Alexander Gerasiov +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/parport/parport_pc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/parport/parport_pc.c ++++ b/drivers/parport/parport_pc.c +@@ -2646,6 +2646,7 @@ enum parport_pc_pci_cards { + netmos_9901, + netmos_9865, + quatech_sppxp100, ++ wch_ch382l, + }; + + +@@ -2708,6 +2709,7 @@ static struct parport_pc_pci { + /* netmos_9901 */ { 1, { { 0, -1 }, } }, + /* netmos_9865 */ { 1, { { 0, -1 }, } }, + /* quatech_sppxp100 */ { 1, { { 0, 1 }, } }, ++ /* wch_ch382l */ { 1, { { 2, -1 }, } }, + }; + + static const struct pci_device_id parport_pc_pci_tbl[] = { +@@ -2797,6 +2799,8 @@ static const struct pci_device_id parpor + /* Quatech SPPXP-100 Parallel port PCI ExpressCard */ + { PCI_VENDOR_ID_QUATECH, PCI_DEVICE_ID_QUATECH_SPPXP_100, + PCI_ANY_ID, PCI_ANY_ID, 0, 0, quatech_sppxp100 }, ++ /* WCH CH382L PCI-E single parallel port card */ ++ { 0x1c00, 0x3050, 0x1c00, 0x3050, 0, 0, wch_ch382l }, + { 0, } /* terminate list */ + }; + MODULE_DEVICE_TABLE(pci, parport_pc_pci_tbl); diff --git a/queue-4.16/serial-8250-add-nuvoton-npcm-uart.patch b/queue-4.16/serial-8250-add-nuvoton-npcm-uart.patch new file mode 100644 index 00000000000..d47b365bc9a --- /dev/null +++ b/queue-4.16/serial-8250-add-nuvoton-npcm-uart.patch @@ -0,0 +1,127 @@ +From f597fbce38d230af95384f4a04e0a13a1d0ad45d Mon Sep 17 00:00:00 2001 +From: Joel Stanley +Date: Mon, 5 Mar 2018 22:17:38 +1030 +Subject: serial: 8250: Add Nuvoton NPCM UART + +From: Joel Stanley + +commit f597fbce38d230af95384f4a04e0a13a1d0ad45d upstream. + +The Nuvoton UART is almost compatible with the 8250 driver when probed +via the 8250_of driver, however it requires some extra configuration +at startup. + +Reviewed-by: Rob Herring +Signed-off-by: Joel Stanley +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/devicetree/bindings/serial/8250.txt | 1 + drivers/tty/serial/8250/8250_of.c | 1 + drivers/tty/serial/8250/8250_port.c | 33 ++++++++++++++++++++++ + include/uapi/linux/serial_core.h | 3 ++ + 4 files changed, 38 insertions(+) + +--- a/Documentation/devicetree/bindings/serial/8250.txt ++++ b/Documentation/devicetree/bindings/serial/8250.txt +@@ -24,6 +24,7 @@ Required properties: + - "ti,da830-uart" + - "aspeed,ast2400-vuart" + - "aspeed,ast2500-vuart" ++ - "nuvoton,npcm750-uart" + - "serial" if the port type is unknown. + - reg : offset and length of the register set for the device. + - interrupts : should contain uart interrupt. +--- a/drivers/tty/serial/8250/8250_of.c ++++ b/drivers/tty/serial/8250/8250_of.c +@@ -316,6 +316,7 @@ static const struct of_device_id of_plat + { .compatible = "mrvl,mmp-uart", + .data = (void *)PORT_XSCALE, }, + { .compatible = "ti,da830-uart", .data = (void *)PORT_DA830, }, ++ { .compatible = "nuvoton,npcm750-uart", .data = (void *)PORT_NPCM, }, + { /* end of list */ }, + }; + MODULE_DEVICE_TABLE(of, of_platform_serial_table); +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -47,6 +47,10 @@ + #define UART_EXAR_SLEEP 0x8b /* Sleep mode */ + #define UART_EXAR_DVID 0x8d /* Device identification */ + ++/* Nuvoton NPCM timeout register */ ++#define UART_NPCM_TOR 7 ++#define UART_NPCM_TOIE BIT(7) /* Timeout Interrupt Enable */ ++ + /* + * Debugging. + */ +@@ -293,6 +297,15 @@ static const struct serial8250_config ua + UART_FCR_CLEAR_RCVR | UART_FCR_CLEAR_XMIT, + .flags = UART_CAP_FIFO, + }, ++ [PORT_NPCM] = { ++ .name = "Nuvoton 16550", ++ .fifo_size = 16, ++ .tx_loadsz = 16, ++ .fcr = UART_FCR_ENABLE_FIFO | UART_FCR_R_TRIG_10 | ++ UART_FCR_CLEAR_RCVR | UART_FCR_CLEAR_XMIT, ++ .rxtrig_bytes = {1, 4, 8, 14}, ++ .flags = UART_CAP_FIFO, ++ }, + }; + + /* Uart divisor latch read */ +@@ -2140,6 +2153,15 @@ int serial8250_do_startup(struct uart_po + UART_DA830_PWREMU_MGMT_FREE); + } + ++ if (port->type == PORT_NPCM) { ++ /* ++ * Nuvoton calls the scratch register 'UART_TOR' (timeout ++ * register). Enable it, and set TIOC (timeout interrupt ++ * comparator) to be 0x20 for correct operation. ++ */ ++ serial_port_out(port, UART_NPCM_TOR, UART_NPCM_TOIE | 0x20); ++ } ++ + #ifdef CONFIG_SERIAL_8250_RSA + /* + * If this is an RSA port, see if we can kick it up to the +@@ -2462,6 +2484,15 @@ static unsigned int xr17v35x_get_divisor + return quot_16 >> 4; + } + ++/* Nuvoton NPCM UARTs have a custom divisor calculation */ ++static unsigned int npcm_get_divisor(struct uart_8250_port *up, ++ unsigned int baud) ++{ ++ struct uart_port *port = &up->port; ++ ++ return DIV_ROUND_CLOSEST(port->uartclk, 16 * baud + 2) - 2; ++} ++ + static unsigned int serial8250_get_divisor(struct uart_8250_port *up, + unsigned int baud, + unsigned int *frac) +@@ -2482,6 +2513,8 @@ static unsigned int serial8250_get_divis + quot = 0x8002; + else if (up->port.type == PORT_XR17V35X) + quot = xr17v35x_get_divisor(up, baud, frac); ++ else if (up->port.type == PORT_NPCM) ++ quot = npcm_get_divisor(up, baud); + else + quot = uart_get_divisor(port, baud); + +--- a/include/uapi/linux/serial_core.h ++++ b/include/uapi/linux/serial_core.h +@@ -76,6 +76,9 @@ + #define PORT_SUNZILOG 38 + #define PORT_SUNSAB 39 + ++/* Nuvoton UART */ ++#define PORT_NPCM 40 ++ + /* Intel EG20 */ + #define PORT_PCH_8LINE 44 + #define PORT_PCH_2LINE 45 diff --git a/queue-4.16/series b/queue-4.16/series index ba9fdb3eae2..98f6f29a5ba 100644 --- a/queue-4.16/series +++ b/queue-4.16/series @@ -1 +1,20 @@ bitmap-fix-memset-optimization-on-big-endian-systems.patch +usb-serial-ftdi_sio-add-rt-systems-vx-8-cable.patch +usb-serial-ftdi_sio-add-support-for-harman-firmwarehubemulator.patch +usb-serial-cp210x-add-eldat-easywave-rx09-id.patch +serial-8250-add-nuvoton-npcm-uart.patch +mei-remove-dev_err-message-on-an-unsupported-ioctl.patch +dev-mem-avoid-overwriting-err-in-read_mem.patch +media-usbtv-prevent-double-free-in-error-case.patch +parport_pc-add-support-for-wch-ch382l-pci-e-single-parallel-port-card.patch +crypto-lrw-free-rctx-ext-with-kzfree.patch +crypto-ccp-fill-the-result-buffer-only-on-digest-finup-and-final-ops.patch +crypto-talitos-don-t-persistently-map-req_ctx-hw_context-and-req_ctx-buf.patch +crypto-inside-secure-fix-clock-management.patch +crypto-testmgr-fix-incorrect-values-in-pkcs-1-test-vector.patch +crypto-talitos-fix-ipsec-cipher-in-length.patch +crypto-ahash-fix-early-termination-in-hash-walk.patch +crypto-caam-fix-null-dereference-at-error-path.patch +crypto-ccp-return-an-actual-key-size-from-rsa-max_size-callback.patch +crypto-arm-arm64-fix-random-regeneration-of-s_shipped.patch +crypto-x86-cast5-avx-fix-ecb-encryption-when-long-sg-follows-short-one.patch diff --git a/queue-4.16/usb-serial-cp210x-add-eldat-easywave-rx09-id.patch b/queue-4.16/usb-serial-cp210x-add-eldat-easywave-rx09-id.patch new file mode 100644 index 00000000000..7025d89fad0 --- /dev/null +++ b/queue-4.16/usb-serial-cp210x-add-eldat-easywave-rx09-id.patch @@ -0,0 +1,30 @@ +From 1f1e82f74c0947e40144688c9e36abe4b3999f49 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 6 Mar 2018 09:32:43 +0100 +Subject: USB: serial: cp210x: add ELDAT Easywave RX09 id + +From: Johan Hovold + +commit 1f1e82f74c0947e40144688c9e36abe4b3999f49 upstream. + +Add device id for ELDAT Easywave RX09 tranceiver. + +Reported-by: Jan Jansen +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/cp210x.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -155,6 +155,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x12B8, 0xEC62) }, /* Link G4+ ECU */ + { USB_DEVICE(0x13AD, 0x9999) }, /* Baltech card reader */ + { USB_DEVICE(0x1555, 0x0004) }, /* Owen AC4 USB-RS485 Converter */ ++ { USB_DEVICE(0x155A, 0x1006) }, /* ELDAT Easywave RX09 */ + { USB_DEVICE(0x166A, 0x0201) }, /* Clipsal 5500PACA C-Bus Pascal Automation Controller */ + { USB_DEVICE(0x166A, 0x0301) }, /* Clipsal 5800PC C-Bus Wireless PC Interface */ + { USB_DEVICE(0x166A, 0x0303) }, /* Clipsal 5500PCU C-Bus USB interface */ diff --git a/queue-4.16/usb-serial-ftdi_sio-add-rt-systems-vx-8-cable.patch b/queue-4.16/usb-serial-ftdi_sio-add-rt-systems-vx-8-cable.patch new file mode 100644 index 00000000000..f5317001c29 --- /dev/null +++ b/queue-4.16/usb-serial-ftdi_sio-add-rt-systems-vx-8-cable.patch @@ -0,0 +1,45 @@ +From 9608e5c0f079390473b484ef92334dfd3431bb89 Mon Sep 17 00:00:00 2001 +From: Major Hayden +Date: Fri, 23 Feb 2018 14:29:54 -0600 +Subject: USB: serial: ftdi_sio: add RT Systems VX-8 cable + +From: Major Hayden + +commit 9608e5c0f079390473b484ef92334dfd3431bb89 upstream. + +This patch adds a device ID for the RT Systems cable used to +program Yaesu VX-8R/VX-8DR handheld radios. It uses the main +FTDI VID instead of the common RT Systems VID. + +Signed-off-by: Major Hayden +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 1 + + drivers/usb/serial/ftdi_sio_ids.h | 3 +++ + 2 files changed, 4 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -769,6 +769,7 @@ static const struct usb_device_id id_tab + .driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk }, + { USB_DEVICE(TELLDUS_VID, TELLDUS_TELLSTICK_PID) }, + { USB_DEVICE(NOVITUS_VID, NOVITUS_BONO_E_PID) }, ++ { USB_DEVICE(FTDI_VID, RTSYSTEMS_USB_VX8_PID) }, + { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_S03_PID) }, + { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_59_PID) }, + { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_57A_PID) }, +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -923,6 +923,9 @@ + /* + * RT Systems programming cables for various ham radios + */ ++/* This device uses the VID of FTDI */ ++#define RTSYSTEMS_USB_VX8_PID 0x9e50 /* USB-VX8 USB to 7 pin modular plug for Yaesu VX-8 radio */ ++ + #define RTSYSTEMS_VID 0x2100 /* Vendor ID */ + #define RTSYSTEMS_USB_S03_PID 0x9001 /* RTS-03 USB to Serial Adapter */ + #define RTSYSTEMS_USB_59_PID 0x9e50 /* USB-59 USB to 8 pin plug */ diff --git a/queue-4.16/usb-serial-ftdi_sio-add-support-for-harman-firmwarehubemulator.patch b/queue-4.16/usb-serial-ftdi_sio-add-support-for-harman-firmwarehubemulator.patch new file mode 100644 index 00000000000..d28b71bcf65 --- /dev/null +++ b/queue-4.16/usb-serial-ftdi_sio-add-support-for-harman-firmwarehubemulator.patch @@ -0,0 +1,47 @@ +From 6555ad13a01952c16485c82a52ad1f3e07e34b3a Mon Sep 17 00:00:00 2001 +From: Clemens Werther +Date: Fri, 16 Mar 2018 10:20:46 +0100 +Subject: USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator + +From: Clemens Werther + +commit 6555ad13a01952c16485c82a52ad1f3e07e34b3a upstream. + +Add device id for Harman FirmwareHubEmulator to make the device +auto-detectable by the driver. + +Signed-off-by: Clemens Werther +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 1 + + drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++ + 2 files changed, 7 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -932,6 +932,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_LS_LOGBOOK_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_HS_LOGBOOK_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CINTERION_MC55I_PID) }, ++ { USB_DEVICE(FTDI_VID, FTDI_FHE_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_DOTEC_PID) }, + { USB_DEVICE(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -1445,6 +1445,12 @@ + #define FTDI_CINTERION_MC55I_PID 0xA951 + + /* ++ * Product: FirmwareHubEmulator ++ * Manufacturer: Harman Becker Automotive Systems ++ */ ++#define FTDI_FHE_PID 0xA9A0 ++ ++/* + * Product: Comet Caller ID decoder + * Manufacturer: Crucible Technologies + */