From: Greg Kroah-Hartman
Date: Thu, 13 Jul 2017 14:47:29 +0000 (+0200)
Subject: 4.12-stable patches
X-Git-Tag: v3.18.61~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fd7a8351607cf282a702fc07dc5daf9754f27a39;p=thirdparty%2Fkernel%2Fstable-queue.git
4.12-stable patches
added patches:
crypto-caam-fix-gfp-allocation-flags-part-i.patch
crypto-rsa-pkcs1pad-use-constant-time-memory-comparison-for-macs.patch
ext4-check-return-value-of-kstrtoull-correctly-in-reserved_clusters_store.patch
staging-comedi-fix-clean-up-of-comedi_class-in-comedi_init.patch
staging-vt6556-vnt_start-fix-missing-call-to-vnt_key_init_table.patch
x86-mm-pat-don-t-report-pat-on-cpus-that-don-t-support-it.patch
---
diff --git a/queue-4.12/crypto-caam-fix-gfp-allocation-flags-part-i.patch b/queue-4.12/crypto-caam-fix-gfp-allocation-flags-part-i.patch
new file mode 100644
index 00000000000..df6aabb5180
--- /dev/null
+++ b/queue-4.12/crypto-caam-fix-gfp-allocation-flags-part-i.patch
@@ -0,0 +1,48 @@
+From 42cfcafb91dabb0f9d9e08396c39824535948c67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?=
+Date: Mon, 19 Jun 2017 11:44:45 +0300
+Subject: crypto: caam - fix gfp allocation flags (part I)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă
+
+commit 42cfcafb91dabb0f9d9e08396c39824535948c67 upstream.
+
+Changes in the SW cts (ciphertext stealing) code in
+commit 0605c41cc53ca ("crypto: cts - Convert to skcipher")
+revealed a problem in the CAAM driver:
+when cts(cbc(aes)) is executed and cts runs in SW,
+cbc(aes) is offloaded in CAAM; cts encrypts the last block
+in atomic context and CAAM incorrectly decides to use GFP_KERNEL
+for memory allocation.
+
+Fix this by allowing GFP_KERNEL (sleeping) only when MAY_SLEEP flag is
+set, i.e. remove MAY_BACKLOG flag.
+
+We split the fix in two parts - first is sent to -stable, while the
+second is not (since there is no known failure case).
+
+Link: http://lkml.kernel.org/g/20170602122446.2427-1-david@sigma-star.at
+Reported-by: David Gstir
+Signed-off-by: Horia Geantă
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/caam/caamalg.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/crypto/caam/caamalg.c
++++ b/drivers/crypto/caam/caamalg.c
+@@ -1475,8 +1475,7 @@ static struct ablkcipher_edesc *ablkciph
+ struct crypto_ablkcipher *ablkcipher = crypto_ablkcipher_reqtfm(req);
+ struct caam_ctx *ctx = crypto_ablkcipher_ctx(ablkcipher);
+ struct device *jrdev = ctx->jrdev;
+- gfp_t flags = (req->base.flags & (CRYPTO_TFM_REQ_MAY_BACKLOG |
+- CRYPTO_TFM_REQ_MAY_SLEEP)) ?
++ gfp_t flags = (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) ?
+ GFP_KERNEL : GFP_ATOMIC;
+ int src_nents, mapped_src_nents, dst_nents = 0, mapped_dst_nents = 0;
+ struct ablkcipher_edesc *edesc;
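Review bot: The new `gfp_t flags` initializer carries no comment saying why `CRYPTO_TFM_REQ_MAY_BACKLOG` no longer selects `GFP_KERNEL`, so a later clean-up could put the flag back and reintroduce a sleeping allocation in atomic context. A one-line comment above it would record the reason: `/* MAY_BACKLOG only permits queueing; only MAY_SLEEP says the caller may sleep */`. The commit message says a second part of the fix was not sent to -stable, so anyone carrying this backport should check whether the same two-flag test survives in the driver's other allocation paths, which this hunk does not show. The function (its name is truncated to `ablkciph` in the hunk header) starts and ends outside the hunk.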
diff --git a/queue-4.12/crypto-rsa-pkcs1pad-use-constant-time-memory-comparison-for-macs.patch b/queue-4.12/crypto-rsa-pkcs1pad-use-constant-time-memory-comparison-for-macs.patch
new file mode 100644
index 00000000000..da8141bafb4
--- /dev/null
+++ b/queue-4.12/crypto-rsa-pkcs1pad-use-constant-time-memory-comparison-for-macs.patch
@@ -0,0 +1,36 @@
+From fec17cb2231733174e039ad9054fa16bb358e2ec Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld"
+Date: Sun, 11 Jun 2017 23:20:23 +0200
+Subject: crypto: rsa-pkcs1pad - use constant time memory comparison for MACs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jason A. Donenfeld
+
+commit fec17cb2231733174e039ad9054fa16bb358e2ec upstream.
+
+Otherwise, we enable all sorts of forgeries via timing attack.
+
+Signed-off-by: Jason A. Donenfeld
+Suggested-by: Stephan Müller
+Cc: Herbert Xu
+Cc: linux-crypto@vger.kernel.org
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/rsa-pkcs1pad.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/rsa-pkcs1pad.c
++++ b/crypto/rsa-pkcs1pad.c
+@@ -496,7 +496,7 @@ static int pkcs1pad_verify_complete(stru
+ goto done;
+ pos++;
+
+- if (memcmp(out_buf + pos, digest_info->data, digest_info->size))
++ if (crypto_memneq(out_buf + pos, digest_info->data, digest_info->size))
+ goto done;
+
+ pos += digest_info->size;
diff --git a/queue-4.12/ext4-check-return-value-of-kstrtoull-correctly-in-reserved_clusters_store.patch b/queue-4.12/ext4-check-return-value-of-kstrtoull-correctly-in-reserved_clusters_store.patch
new file mode 100644
index 00000000000..1c678fad0a4
--- /dev/null
+++ b/queue-4.12/ext4-check-return-value-of-kstrtoull-correctly-in-reserved_clusters_store.patch
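Review bot: Only the `digest_info->data` comparison in `pkcs1pad_verify_complete` becomes constant-time; the context lines just above it (`goto done;` then `pos++;`) suggest the earlier padding checks still leave at the first byte that does not match, so the time taken would still depend on how far a malformed input gets. Those checks are outside the hunk, so this is inferred from the two visible lines and should be confirmed against the full function. The subject speaks of MACs while the bytes compared here are the DigestInfo prefix, so a short comment at the call would help the next reader: `/* constant-time: do not reveal how many leading bytes matched */`.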
@@ -0,0 +1,34 @@
+From 1ea1516fbbab2b30bf98c534ecaacba579a35208 Mon Sep 17 00:00:00 2001
+From: Chao Yu
+Date: Fri, 23 Jun 2017 01:08:22 -0400
+Subject: ext4: check return value of kstrtoull correctly in reserved_clusters_store
+
+From: Chao Yu
+
+commit 1ea1516fbbab2b30bf98c534ecaacba579a35208 upstream.
+
+kstrtoull returns 0 on success, however, in reserved_clusters_store we
+will return -EINVAL if kstrtoull returns 0, it makes us fail to update
+reserved_clusters value through sysfs.
+
+Fixes: 76d33bca5581b1dd5c3157fa168db849a784ada4
+Signed-off-by: Chao Yu
+Signed-off-by: Miao Xie
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/sysfs.c
++++ b/fs/ext4/sysfs.c
+@@ -100,7 +100,7 @@ static ssize_t reserved_clusters_store(s
+ int ret;
+
+ ret = kstrtoull(skip_spaces(buf), 0, &val);
+- if (!ret || val >= clusters)
++ if (ret || val >= clusters)
+ return -EINVAL;
+
+ atomic64_set(&sbi->s_resv_clusters, val);
diff --git a/queue-4.12/series b/queue-4.12/series
index c880714707f..c4d7ede29f7 100644
--- a/queue-4.12/series
+++ b/queue-4.12/series
@@ -2,3 +2,9 @@ mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
 imx-serial-rx-dma-startup-latency.patch
 proc-fix-proc_sys_prune_dcache-to-hold-a-sb-reference.patch
 locking-rwsem-spinlock-fix-eintr-branch-in-__down_write_common.patch
+staging-vt6556-vnt_start-fix-missing-call-to-vnt_key_init_table.patch
+staging-comedi-fix-clean-up-of-comedi_class-in-comedi_init.patch
+crypto-caam-fix-gfp-allocation-flags-part-i.patch
+crypto-rsa-pkcs1pad-use-constant-time-memory-comparison-for-macs.patch
+ext4-check-return-value-of-kstrtoull-correctly-in-reserved_clusters_store.patch
+x86-mm-pat-don-t-report-pat-on-cpus-that-don-t-support-it.patch
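Review bot: The corrected test in `reserved_clusters_store` still folds every `kstrtoull()` failure into `-EINVAL`, so a value too large to parse, written through sysfs, reports the same error as malformed text. Passing the parser's own code through keeps the two apart: `if (ret) return ret;` followed by `if (val >= clusters) return -EINVAL;`. How `clusters` is computed, and the rest of the function, lie outside the hunk.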
diff --git a/queue-4.12/staging-comedi-fix-clean-up-of-comedi_class-in-comedi_init.patch b/queue-4.12/staging-comedi-fix-clean-up-of-comedi_class-in-comedi_init.patch
new file mode 100644
index 00000000000..d0a27dd0477
--- /dev/null
+++ b/queue-4.12/staging-comedi-fix-clean-up-of-comedi_class-in-comedi_init.patch
@@ -0,0 +1,35 @@
+From a9332e9ad09c2644c99058fcf6ae2f355e93ce74 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Fri, 16 Jun 2017 19:35:34 +0100
+Subject: staging: comedi: fix clean-up of comedi_class in comedi_init()
+
+From: Ian Abbott
+
+commit a9332e9ad09c2644c99058fcf6ae2f355e93ce74 upstream.
+
+There is a clean-up bug in the core comedi module initialization
+functions, `comedi_init()`. If the `comedi_num_legacy_minors` module
+parameter is non-zero (and valid), it creates that many "legacy" devices
+and registers them in SysFS. A failure causes the function to clean up
+and return an error. Unfortunately, it fails to destroy the "comedi"
+class that was created earlier. Fix it by adding a call to
+`class_destroy(comedi_class)` at the appropriate place in the clean-up
+sequence.
+
+Signed-off-by: Ian Abbott
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/comedi/comedi_fops.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/comedi/comedi_fops.c
++++ b/drivers/staging/comedi/comedi_fops.c
+@@ -2915,6 +2915,7 @@ static int __init comedi_init(void)
+ dev = comedi_alloc_board_minor(NULL);
+ if (IS_ERR(dev)) {
+ comedi_cleanup_board_minors();
++ class_destroy(comedi_class);
+ cdev_del(&comedi_cdev);
+ unregister_chrdev_region(MKDEV(COMEDI_MAJOR, 0),
+ COMEDI_NUM_MINORS);
diff --git a/queue-4.12/staging-vt6556-vnt_start-fix-missing-call-to-vnt_key_init_table.patch b/queue-4.12/staging-vt6556-vnt_start-fix-missing-call-to-vnt_key_init_table.patch
new file mode 100644
index 00000000000..f209ecad5a9
--- /dev/null
+++ b/queue-4.12/staging-vt6556-vnt_start-fix-missing-call-to-vnt_key_init_table.patch
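Review bot: The failure branch in `comedi_init()` undoes the setup with an inline list of calls and nothing records the order that list must follow, which is how `class_destroy(comedi_class)` came to be missing. A comment at the top of the branch would make the next omission easier to spot: `/* undo in reverse order of setup: board minors, class, cdev, chrdev region */` (the order is read off the visible calls and should be checked against the setup code). If other failure branches repeat the same list, a single `goto` unwind ladder would keep it in one place; the function starts and ends outside the hunk, so that cannot be judged here.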
@@ -0,0 +1,30 @@
+From dc32190f2cd41c7dba25363ea7d618d4f5172b4e Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley
+Date: Sat, 29 Apr 2017 13:03:44 +0100
+Subject: staging: vt6556: vnt_start Fix missing call to vnt_key_init_table.
+
+From: Malcolm Priestley
+
+commit dc32190f2cd41c7dba25363ea7d618d4f5172b4e upstream.
+
+The key table is not intialized correctly without this call.
+
+Signed-off-by: Malcolm Priestley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/vt6656/main_usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/staging/vt6656/main_usb.c
++++ b/drivers/staging/vt6656/main_usb.c
+@@ -513,6 +513,9 @@ static int vnt_start(struct ieee80211_hw
+ goto free_all;
+ }
+
++ if (vnt_key_init_table(priv))
++ goto free_all;
++
+ priv->int_interval = 1; /* bInterval is set to 1 */
+
+ vnt_int_start_interrupt(priv);
diff --git a/queue-4.12/x86-mm-pat-don-t-report-pat-on-cpus-that-don-t-support-it.patch b/queue-4.12/x86-mm-pat-don-t-report-pat-on-cpus-that-don-t-support-it.patch
new file mode 100644
index 00000000000..db00aba2536
--- /dev/null
+++ b/queue-4.12/x86-mm-pat-don-t-report-pat-on-cpus-that-don-t-support-it.patch
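Review bot: The added test in `vnt_start` checks `vnt_key_init_table(priv)` only for non-zero and jumps to `free_all`, so the helper's error code is dropped and a key-table failure leaves no trace of which step failed. Since the commit message says the key table is not initialised correctly without this call, the failure deserves its own marker, for instance `if (vnt_key_init_table(priv)) { /* log: key table init failed */ goto free_all; }` with the driver's usual debug print in place of the comment. What `free_all` returns is outside the hunk, so whether the caller can tell this failure from the others cannot be judged here.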
@@ -0,0 +1,169 @@
+From 99c13b8c8896d7bcb92753bf0c63a8de4326e78d Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Tue, 4 Jul 2017 19:04:23 -0400
+Subject: x86/mm/pat: Don't report PAT on CPUs that don't support it
+
+From: Mikulas Patocka
+
+commit 99c13b8c8896d7bcb92753bf0c63a8de4326e78d upstream.
+
+The pat_enabled() logic is broken on CPUs which do not support PAT and
+where the initialization code fails to call pat_init(). Due to that the
+enabled flag stays true and pat_enabled() returns true wrongfully.
+
+As a consequence the mappings, e.g. for Xorg, are set up with the wrong
+caching mode and the required MTRR setups are omitted.
+
+To cure this the following changes are required:
+
+ 1) Make pat_enabled() return true only if PAT initialization was
+ invoked and successful.
+
+ 2) Invoke init_cache_modes() unconditionally in setup_arch() and
+ remove the extra callsites in pat_disable() and the pat disabled
+ code path in pat_init().
+
+Also rename __pat_enabled to pat_disabled to reflect the real purpose of
+this variable.
+
+Fixes: 9cd25aac1f44 ("x86/mm/pat: Emulate PAT when it is disabled")
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Thomas Gleixner
+Cc: Bernhard Held
+Cc: Denys Vlasenko
+Cc: Peter Zijlstra
+Cc: Brian Gerst
+Cc: "Luis R.
Rodriguez"
+Cc: Borislav Petkov
+Cc: Andy Lutomirski
+Cc: Josh Poimboeuf
+Cc: Andrew Morton
+Cc: Linus Torvalds
+Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1707041749300.3456@file01.intranet.prod.int.rdu2.redhat.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/pat.h | 1 +
+ arch/x86/kernel/setup.c | 7 +++++++
+ arch/x86/mm/pat.c | 28 ++++++++++++----------------
+ 3 files changed, 20 insertions(+), 16 deletions(-)
+
+--- a/arch/x86/include/asm/pat.h
++++ b/arch/x86/include/asm/pat.h
+@@ -7,6 +7,7 @@
+ bool pat_enabled(void);
+ void pat_disable(const char *reason);
+ extern void pat_init(void);
++extern void init_cache_modes(void);
+
+ extern int reserve_memtype(u64 start, u64 end,
+ enum page_cache_mode req_pcm, enum page_cache_mode *ret_pcm);
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1076,6 +1076,13 @@ void __init setup_arch(char **cmdline_p)
+ max_possible_pfn = max_pfn;
+
+ /*
++ * This call is required when the CPU does not support PAT. If
++ * mtrr_bp_init() invoked it already via pat_init() the call has no
++ * effect.
++ */
++ init_cache_modes();
++
++ /*
+ * Define random base addresses for memory sections after max_pfn is
+ * defined and before each memory section base is used.
+ */
+--- a/arch/x86/mm/pat.c
++++ b/arch/x86/mm/pat.c
+@@ -37,14 +37,14 @@
+ #undef pr_fmt
+ #define pr_fmt(fmt) "" fmt
+
+-static bool boot_cpu_done;
+-
+-static int __read_mostly __pat_enabled = IS_ENABLED(CONFIG_X86_PAT);
+-static void init_cache_modes(void);
++static bool __read_mostly boot_cpu_done;
++static bool __read_mostly pat_disabled = !IS_ENABLED(CONFIG_X86_PAT);
++static bool __read_mostly pat_initialized;
++static bool __read_mostly init_cm_done;
+
+ void pat_disable(const char *reason)
+ {
+- if (!__pat_enabled)
++ if (pat_disabled)
+ return;
+
+ if (boot_cpu_done) {
+@@ -52,10 +52,8 @@ void pat_disable(const char *reason)
+ return;
+ }
+
+- __pat_enabled = 0;
++ pat_disabled = true;
+ pr_info("x86/PAT: %s\n", reason);
+-
+- init_cache_modes();
+ }
+
+ static int __init nopat(char *str)
+@@ -67,7 +65,7 @@ early_param("nopat", nopat);
+
+ bool pat_enabled(void)
+ {
+- return !!__pat_enabled;
++ return pat_initialized;
+ }
+ EXPORT_SYMBOL_GPL(pat_enabled);
+
+@@ -205,6 +203,8 @@ static void __init_cache_modes(u64 pat)
+ update_cache_mode_entry(i, cache);
+ }
+ pr_info("x86/PAT: Configuration [0-7]: %s\n", pat_msg);
++
++ init_cm_done = true;
+ }
+
+ #define PAT(x, y) ((u64)PAT_ ## y << ((x)*8))
+@@ -225,6 +225,7 @@ static void pat_bsp_init(u64 pat)
+ }
+
+ wrmsrl(MSR_IA32_CR_PAT, pat);
++ pat_initialized = true;
+
+ __init_cache_modes(pat);
+ }
+@@ -242,10 +243,9 @@ static void pat_ap_init(u64 pat)
+ wrmsrl(MSR_IA32_CR_PAT, pat);
+ }
+
+-static void init_cache_modes(void)
++void init_cache_modes(void)
+ {
+ u64 pat = 0;
+- static int init_cm_done;
+
+ if (init_cm_done)
+ return;
+@@ -287,8 +287,6 @@ static void init_cache_modes(void)
+ }
+
+ __init_cache_modes(pat);
+-
+- init_cm_done = 1;
+ }
+
+ /**
+@@ -306,10 +304,8 @@ void pat_init(void)
+ u64 pat;
+ struct cpuinfo_x86 *c = &boot_cpu_data;
+
+- if (!pat_enabled()) {
+- init_cache_modes();
++ if (pat_disabled)
+ return;
+- }
+
+ if ((c->x86_vendor == X86_VENDOR_INTEL) &&
+ (((c->x86 == 0x6) &&
(c->x86_model <= 0xd)) ||