From ab6793e0731db6b937c47faf2ad95c5d9ef9ff86 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 9 Dec 2019 21:02:52 +0100 Subject: [PATCH] 4.14-stable patches added patches: crypto-af_alg-cast-ki_complete-ternary-op-to-int.patch crypto-ccp-fix-uninitialized-list-head.patch crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch crypto-ecdh-fix-big-endian-bug-in-ecc-library.patch crypto-geode-aes-switch-to-skcipher-for-cbc-aes-fallback.patch crypto-user-fix-memory-leak-in-crypto_report.patch drm-i810-prevent-underflow-in-ioctl.patch kvm-arm-arm64-vgic-don-t-rely-on-the-wrong-pending-table.patch kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch spi-atmel-fix-cs-high-support.patch --- ...g-cast-ki_complete-ternary-op-to-int.patch | 47 +++++ ...ypto-ccp-fix-uninitialized-list-head.patch | 87 +++++++++ ...double-free-in-crypto4xx_destroy_sdr.patch | 43 +++++ ...dh-fix-big-endian-bug-in-ecc-library.patch | 42 ++++ ...tch-to-skcipher-for-cbc-aes-fallback.patch | 179 ++++++++++++++++++ ...ser-fix-memory-leak-in-crypto_report.patch | 36 ++++ .../drm-i810-prevent-underflow-in-ioctl.patch | 43 +++++ ...on-t-rely-on-the-wrong-pending-table.patch | 54 ++++++ ...ot-modify-masked-bits-of-shared-msrs.patch | 51 +++++ ...-of-tsx-feature-in-arch_capabilities.patch | 44 +++++ queue-4.14/series | 11 ++ .../spi-atmel-fix-cs-high-support.patch | 50 +++++ 12 files changed, 687 insertions(+) create mode 100644 queue-4.14/crypto-af_alg-cast-ki_complete-ternary-op-to-int.patch create mode 100644 queue-4.14/crypto-ccp-fix-uninitialized-list-head.patch create mode 100644 queue-4.14/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch create mode 100644 queue-4.14/crypto-ecdh-fix-big-endian-bug-in-ecc-library.patch create mode 100644 queue-4.14/crypto-geode-aes-switch-to-skcipher-for-cbc-aes-fallback.patch create mode 100644 queue-4.14/crypto-user-fix-memory-leak-in-crypto_report.patch create mode 100644 queue-4.14/drm-i810-prevent-underflow-in-ioctl.patch create mode 100644 queue-4.14/kvm-arm-arm64-vgic-don-t-rely-on-the-wrong-pending-table.patch create mode 100644 queue-4.14/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch create mode 100644 queue-4.14/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch create mode 100644 queue-4.14/spi-atmel-fix-cs-high-support.patch diff --git a/queue-4.14/crypto-af_alg-cast-ki_complete-ternary-op-to-int.patch b/queue-4.14/crypto-af_alg-cast-ki_complete-ternary-op-to-int.patch new file mode 100644 index 00000000000..53b088cf428 --- /dev/null +++ b/queue-4.14/crypto-af_alg-cast-ki_complete-ternary-op-to-int.patch @@ -0,0 +1,47 @@ +From 64e7f852c47ce99f6c324c46d6a299a5a7ebead9 Mon Sep 17 00:00:00 2001 +From: Ayush Sawal +Date: Fri, 4 Oct 2019 10:50:58 -0700 +Subject: crypto: af_alg - cast ki_complete ternary op to int + +From: Ayush Sawal + +commit 64e7f852c47ce99f6c324c46d6a299a5a7ebead9 upstream. + +when libkcapi test is executed using HW accelerator, cipher operation +return -74.Since af_alg_async_cb->ki_complete treat err as unsigned int, +libkcapi receive 429467222 even though it expect -ve value. + +Hence its required to cast resultlen to int so that proper +error is returned to libkcapi. + +AEAD one shot non-aligned test 2(libkcapi test) +./../bin/kcapi -x 10 -c "gcm(aes)" -i 7815d4b06ae50c9c56e87bd7 +-k ea38ac0c9b9998c80e28fb496a2b88d9 -a +"853f98a750098bec1aa7497e979e78098155c877879556bb51ddeb6374cbaefc" +-t "c4ce58985b7203094be1d134c1b8ab0b" -q +"b03692f86d1b8b39baf2abb255197c98" + +Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management") +Cc: +Signed-off-by: Ayush Sawal +Signed-off-by: Atul Gupta +Signed-off-by: Herbert Xu +Signed-off-by: Ayush Sawal +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/af_alg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -1086,7 +1086,7 @@ void af_alg_async_cb(struct crypto_async + af_alg_free_resources(areq); + sock_put(sk); + +- iocb->ki_complete(iocb, err ? err : resultlen, 0); ++ iocb->ki_complete(iocb, err ? err : (int)resultlen, 0); + } + EXPORT_SYMBOL_GPL(af_alg_async_cb); + diff --git a/queue-4.14/crypto-ccp-fix-uninitialized-list-head.patch b/queue-4.14/crypto-ccp-fix-uninitialized-list-head.patch new file mode 100644 index 00000000000..dde7e1e39ea --- /dev/null +++ b/queue-4.14/crypto-ccp-fix-uninitialized-list-head.patch @@ -0,0 +1,87 @@ +From 691505a803a7f223b2af621848d581259c61f77d Mon Sep 17 00:00:00 2001 +From: Mark Salter +Date: Mon, 21 Oct 2019 11:29:49 -0400 +Subject: crypto: ccp - fix uninitialized list head + +From: Mark Salter + +commit 691505a803a7f223b2af621848d581259c61f77d upstream. + +A NULL-pointer dereference was reported in fedora bz#1762199 while +reshaping a raid6 array after adding a fifth drive to an existing +array. + +[ 47.343549] md/raid:md0: raid level 6 active with 3 out of 5 devices, algorithm 2 +[ 47.804017] md0: detected capacity change from 0 to 7885289422848 +[ 47.822083] Unable to handle kernel read from unreadable memory at virtual address 0000000000000000 +... +[ 47.940477] CPU: 1 PID: 14210 Comm: md0_raid6 Tainted: G W 5.2.18-200.fc30.aarch64 #1 +[ 47.949594] Hardware name: AMD Overdrive/Supercharger/To be filled by O.E.M., BIOS ROD1002C 04/08/2016 +[ 47.958886] pstate: 00400085 (nzcv daIf +PAN -UAO) +[ 47.963668] pc : __list_del_entry_valid+0x2c/0xa8 +[ 47.968366] lr : ccp_tx_submit+0x84/0x168 [ccp] +[ 47.972882] sp : ffff00001369b970 +[ 47.976184] x29: ffff00001369b970 x28: ffff00001369bdb8 +[ 47.981483] x27: 00000000ffffffff x26: ffff8003b758af70 +[ 47.986782] x25: ffff8003b758b2d8 x24: ffff8003e6245818 +[ 47.992080] x23: 0000000000000000 x22: ffff8003e62450c0 +[ 47.997379] x21: ffff8003dfd6add8 x20: 0000000000000003 +[ 48.002678] x19: ffff8003e6245100 x18: 0000000000000000 +[ 48.007976] x17: 0000000000000000 x16: 0000000000000000 +[ 48.013274] x15: 0000000000000000 x14: 0000000000000000 +[ 48.018572] x13: ffff7e000ef83a00 x12: 0000000000000001 +[ 48.023870] x11: ffff000010eff998 x10: 00000000000019a0 +[ 48.029169] x9 : 0000000000000000 x8 : ffff8003e6245180 +[ 48.034467] x7 : 0000000000000000 x6 : 000000000000003f +[ 48.039766] x5 : 0000000000000040 x4 : ffff8003e0145080 +[ 48.045064] x3 : dead000000000200 x2 : 0000000000000000 +[ 48.050362] x1 : 0000000000000000 x0 : ffff8003e62450c0 +[ 48.055660] Call trace: +[ 48.058095] __list_del_entry_valid+0x2c/0xa8 +[ 48.062442] ccp_tx_submit+0x84/0x168 [ccp] +[ 48.066615] async_tx_submit+0x224/0x368 [async_tx] +[ 48.071480] async_trigger_callback+0x68/0xfc [async_tx] +[ 48.076784] ops_run_biofill+0x178/0x1e8 [raid456] +[ 48.081566] raid_run_ops+0x248/0x818 [raid456] +[ 48.086086] handle_stripe+0x864/0x1208 [raid456] +[ 48.090781] handle_active_stripes.isra.0+0xb0/0x278 [raid456] +[ 48.096604] raid5d+0x378/0x618 [raid456] +[ 48.100602] md_thread+0xa0/0x150 +[ 48.103905] kthread+0x104/0x130 +[ 48.107122] ret_from_fork+0x10/0x18 +[ 48.110686] Code: d2804003 f2fbd5a3 eb03003f 54000320 (f9400021) +[ 48.116766] ---[ end trace 23f390a527f7ad77 ]--- + +ccp_tx_submit is passed a dma_async_tx_descriptor which is contained in +a ccp_dma_desc and adds it to a ccp channel's pending list: + + list_del(&desc->entry); + list_add_tail(&desc->entry, &chan->pending); + +The problem is that desc->entry may be uninitialized in the +async_trigger_callback path where the descriptor was gotten +from ccp_prep_dma_interrupt which got it from ccp_alloc_dma_desc +which doesn't initialize the desc->entry list head. So, just +initialize the list head to avoid the problem. + +Cc: +Reported-by: Sahaj Sarup +Signed-off-by: Mark Salter +Acked-by: Gary R Hook +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-dmaengine.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/crypto/ccp/ccp-dmaengine.c ++++ b/drivers/crypto/ccp/ccp-dmaengine.c +@@ -341,6 +341,7 @@ static struct ccp_dma_desc *ccp_alloc_dm + desc->tx_desc.flags = flags; + desc->tx_desc.tx_submit = ccp_tx_submit; + desc->ccp = chan->ccp; ++ INIT_LIST_HEAD(&desc->entry); + INIT_LIST_HEAD(&desc->pending); + INIT_LIST_HEAD(&desc->active); + desc->status = DMA_IN_PROGRESS; diff --git a/queue-4.14/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch b/queue-4.14/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch new file mode 100644 index 00000000000..056e20bae43 --- /dev/null +++ b/queue-4.14/crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch @@ -0,0 +1,43 @@ +From 746c908c4d72e49068ab216c3926d2720d71a90d Mon Sep 17 00:00:00 2001 +From: Christian Lamparter +Date: Thu, 31 Oct 2019 17:14:38 +0100 +Subject: crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr + +From: Christian Lamparter + +commit 746c908c4d72e49068ab216c3926d2720d71a90d upstream. + +This patch fixes a crash that can happen during probe +when the available dma memory is not enough (this can +happen if the crypto4xx is built as a module). + +The descriptor window mapping would end up being free'd +twice, once in crypto4xx_build_pdr() and the second time +in crypto4xx_destroy_sdr(). + +Fixes: 5d59ad6eea82 ("crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak") +Cc: +Signed-off-by: Christian Lamparter +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/amcc/crypto4xx_core.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/crypto/amcc/crypto4xx_core.c ++++ b/drivers/crypto/amcc/crypto4xx_core.c +@@ -399,12 +399,8 @@ static u32 crypto4xx_build_sdr(struct cr + dma_alloc_coherent(dev->core_dev->device, + dev->scatter_buffer_size * PPC4XX_NUM_SD, + &dev->scatter_buffer_pa, GFP_ATOMIC); +- if (!dev->scatter_buffer_va) { +- dma_free_coherent(dev->core_dev->device, +- sizeof(struct ce_sd) * PPC4XX_NUM_SD, +- dev->sdr, dev->sdr_pa); ++ if (!dev->scatter_buffer_va) + return -ENOMEM; +- } + + sd_array = dev->sdr; + diff --git a/queue-4.14/crypto-ecdh-fix-big-endian-bug-in-ecc-library.patch b/queue-4.14/crypto-ecdh-fix-big-endian-bug-in-ecc-library.patch new file mode 100644 index 00000000000..c728f3dc9cc --- /dev/null +++ b/queue-4.14/crypto-ecdh-fix-big-endian-bug-in-ecc-library.patch @@ -0,0 +1,42 @@ +From f398243e9fd6a3a059c1ea7b380c40628dbf0c61 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 23 Oct 2019 11:50:44 +0200 +Subject: crypto: ecdh - fix big endian bug in ECC library + +From: Ard Biesheuvel + +commit f398243e9fd6a3a059c1ea7b380c40628dbf0c61 upstream. + +The elliptic curve arithmetic library used by the EC-DH KPP implementation +assumes big endian byte order, and unconditionally reverses the byte +and word order of multi-limb quantities. On big endian systems, the byte +reordering is not necessary, while the word ordering needs to be retained. + +So replace the __swab64() invocation with a call to be64_to_cpu() which +should do the right thing for both little and big endian builds. + +Fixes: 3c4b23901a0c ("crypto: ecdh - Add ECDH software support") +Cc: # v4.9+ +Signed-off-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/ecc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/crypto/ecc.c ++++ b/crypto/ecc.c +@@ -898,10 +898,11 @@ static void ecc_point_mult(struct ecc_po + static inline void ecc_swap_digits(const u64 *in, u64 *out, + unsigned int ndigits) + { ++ const __be64 *src = (__force __be64 *)in; + int i; + + for (i = 0; i < ndigits; i++) +- out[i] = __swab64(in[ndigits - 1 - i]); ++ out[i] = be64_to_cpu(src[ndigits - 1 - i]); + } + + static int __ecc_is_key_valid(const struct ecc_curve *curve, diff --git a/queue-4.14/crypto-geode-aes-switch-to-skcipher-for-cbc-aes-fallback.patch b/queue-4.14/crypto-geode-aes-switch-to-skcipher-for-cbc-aes-fallback.patch new file mode 100644 index 00000000000..bf6025b4849 --- /dev/null +++ b/queue-4.14/crypto-geode-aes-switch-to-skcipher-for-cbc-aes-fallback.patch @@ -0,0 +1,179 @@ +From 504582e8e40b90b8f8c58783e2d1e4f6a2b71a3a Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Sat, 5 Oct 2019 11:11:10 +0200 +Subject: crypto: geode-aes - switch to skcipher for cbc(aes) fallback + +From: Ard Biesheuvel + +commit 504582e8e40b90b8f8c58783e2d1e4f6a2b71a3a upstream. + +Commit 79c65d179a40e145 ("crypto: cbc - Convert to skcipher") updated +the generic CBC template wrapper from a blkcipher to a skcipher algo, +to get away from the deprecated blkcipher interface. However, as a side +effect, drivers that instantiate CBC transforms using the blkcipher as +a fallback no longer work, since skciphers can wrap blkciphers but not +the other way around. This broke the geode-aes driver. + +So let's fix it by moving to the sync skcipher interface when allocating +the fallback. At the same time, align with the generic API for ECB and +CBC by rejecting inputs that are not a multiple of the AES block size. + +Fixes: 79c65d179a40e145 ("crypto: cbc - Convert to skcipher") +Cc: # v4.20+ ONLY +Signed-off-by: Ard Biesheuvel +Signed-off-by: Florian Bezdeka +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/geode-aes.c | 57 ++++++++++++++++++++++++++------------------- + drivers/crypto/geode-aes.h | 2 - + 2 files changed, 34 insertions(+), 25 deletions(-) + +--- a/drivers/crypto/geode-aes.c ++++ b/drivers/crypto/geode-aes.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -170,13 +171,15 @@ static int geode_setkey_blk(struct crypt + /* + * The requested key size is not supported by HW, do a fallback + */ +- op->fallback.blk->base.crt_flags &= ~CRYPTO_TFM_REQ_MASK; +- op->fallback.blk->base.crt_flags |= (tfm->crt_flags & CRYPTO_TFM_REQ_MASK); ++ crypto_sync_skcipher_clear_flags(op->fallback.blk, CRYPTO_TFM_REQ_MASK); ++ crypto_sync_skcipher_set_flags(op->fallback.blk, ++ tfm->crt_flags & CRYPTO_TFM_REQ_MASK); + +- ret = crypto_blkcipher_setkey(op->fallback.blk, key, len); ++ ret = crypto_sync_skcipher_setkey(op->fallback.blk, key, len); + if (ret) { + tfm->crt_flags &= ~CRYPTO_TFM_RES_MASK; +- tfm->crt_flags |= (op->fallback.blk->base.crt_flags & CRYPTO_TFM_RES_MASK); ++ tfm->crt_flags |= crypto_sync_skcipher_get_flags(op->fallback.blk) & ++ CRYPTO_TFM_RES_MASK; + } + return ret; + } +@@ -185,33 +188,28 @@ static int fallback_blk_dec(struct blkci + struct scatterlist *dst, struct scatterlist *src, + unsigned int nbytes) + { +- unsigned int ret; +- struct crypto_blkcipher *tfm; + struct geode_aes_op *op = crypto_blkcipher_ctx(desc->tfm); ++ SYNC_SKCIPHER_REQUEST_ON_STACK(req, op->fallback.blk); + +- tfm = desc->tfm; +- desc->tfm = op->fallback.blk; +- +- ret = crypto_blkcipher_decrypt_iv(desc, dst, src, nbytes); ++ skcipher_request_set_sync_tfm(req, op->fallback.blk); ++ skcipher_request_set_callback(req, 0, NULL, NULL); ++ skcipher_request_set_crypt(req, src, dst, nbytes, desc->info); + +- desc->tfm = tfm; +- return ret; ++ return crypto_skcipher_decrypt(req); + } ++ + static int fallback_blk_enc(struct blkcipher_desc *desc, + struct scatterlist *dst, struct scatterlist *src, + unsigned int nbytes) + { +- unsigned int ret; +- struct crypto_blkcipher *tfm; + struct geode_aes_op *op = crypto_blkcipher_ctx(desc->tfm); ++ SYNC_SKCIPHER_REQUEST_ON_STACK(req, op->fallback.blk); + +- tfm = desc->tfm; +- desc->tfm = op->fallback.blk; +- +- ret = crypto_blkcipher_encrypt_iv(desc, dst, src, nbytes); ++ skcipher_request_set_sync_tfm(req, op->fallback.blk); ++ skcipher_request_set_callback(req, 0, NULL, NULL); ++ skcipher_request_set_crypt(req, src, dst, nbytes, desc->info); + +- desc->tfm = tfm; +- return ret; ++ return crypto_skcipher_encrypt(req); + } + + static void +@@ -311,6 +309,9 @@ geode_cbc_decrypt(struct blkcipher_desc + struct blkcipher_walk walk; + int err, ret; + ++ if (nbytes % AES_BLOCK_SIZE) ++ return -EINVAL; ++ + if (unlikely(op->keylen != AES_KEYSIZE_128)) + return fallback_blk_dec(desc, dst, src, nbytes); + +@@ -343,6 +344,9 @@ geode_cbc_encrypt(struct blkcipher_desc + struct blkcipher_walk walk; + int err, ret; + ++ if (nbytes % AES_BLOCK_SIZE) ++ return -EINVAL; ++ + if (unlikely(op->keylen != AES_KEYSIZE_128)) + return fallback_blk_enc(desc, dst, src, nbytes); + +@@ -370,9 +374,8 @@ static int fallback_init_blk(struct cryp + const char *name = crypto_tfm_alg_name(tfm); + struct geode_aes_op *op = crypto_tfm_ctx(tfm); + +- op->fallback.blk = crypto_alloc_blkcipher(name, 0, +- CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK); +- ++ op->fallback.blk = crypto_alloc_sync_skcipher(name, 0, ++ CRYPTO_ALG_NEED_FALLBACK); + if (IS_ERR(op->fallback.blk)) { + printk(KERN_ERR "Error allocating fallback algo %s\n", name); + return PTR_ERR(op->fallback.blk); +@@ -385,7 +388,7 @@ static void fallback_exit_blk(struct cry + { + struct geode_aes_op *op = crypto_tfm_ctx(tfm); + +- crypto_free_blkcipher(op->fallback.blk); ++ crypto_free_sync_skcipher(op->fallback.blk); + op->fallback.blk = NULL; + } + +@@ -424,6 +427,9 @@ geode_ecb_decrypt(struct blkcipher_desc + struct blkcipher_walk walk; + int err, ret; + ++ if (nbytes % AES_BLOCK_SIZE) ++ return -EINVAL; ++ + if (unlikely(op->keylen != AES_KEYSIZE_128)) + return fallback_blk_dec(desc, dst, src, nbytes); + +@@ -454,6 +460,9 @@ geode_ecb_encrypt(struct blkcipher_desc + struct blkcipher_walk walk; + int err, ret; + ++ if (nbytes % AES_BLOCK_SIZE) ++ return -EINVAL; ++ + if (unlikely(op->keylen != AES_KEYSIZE_128)) + return fallback_blk_enc(desc, dst, src, nbytes); + +--- a/drivers/crypto/geode-aes.h ++++ b/drivers/crypto/geode-aes.h +@@ -64,7 +64,7 @@ struct geode_aes_op { + u8 *iv; + + union { +- struct crypto_blkcipher *blk; ++ struct crypto_sync_skcipher *blk; + struct crypto_cipher *cip; + } fallback; + u32 keylen; diff --git a/queue-4.14/crypto-user-fix-memory-leak-in-crypto_report.patch b/queue-4.14/crypto-user-fix-memory-leak-in-crypto_report.patch new file mode 100644 index 00000000000..87c9e17ad48 --- /dev/null +++ b/queue-4.14/crypto-user-fix-memory-leak-in-crypto_report.patch @@ -0,0 +1,36 @@ +From ffdde5932042600c6807d46c1550b28b0db6a3bc Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Fri, 4 Oct 2019 14:29:16 -0500 +Subject: crypto: user - fix memory leak in crypto_report + +From: Navid Emamdoost + +commit ffdde5932042600c6807d46c1550b28b0db6a3bc upstream. + +In crypto_report, a new skb is created via nlmsg_new(). This skb should +be released if crypto_report_alg() fails. + +Fixes: a38f7907b926 ("crypto: Add userspace configuration API") +Cc: +Signed-off-by: Navid Emamdoost +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/crypto_user.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/crypto/crypto_user.c ++++ b/crypto/crypto_user.c +@@ -288,8 +288,10 @@ static int crypto_report(struct sk_buff + drop_alg: + crypto_mod_put(alg); + +- if (err) ++ if (err) { ++ kfree_skb(skb); + return err; ++ } + + return nlmsg_unicast(crypto_nlsk, skb, NETLINK_CB(in_skb).portid); + } diff --git a/queue-4.14/drm-i810-prevent-underflow-in-ioctl.patch b/queue-4.14/drm-i810-prevent-underflow-in-ioctl.patch new file mode 100644 index 00000000000..377155116e7 --- /dev/null +++ b/queue-4.14/drm-i810-prevent-underflow-in-ioctl.patch @@ -0,0 +1,43 @@ +From 4f69851fbaa26b155330be35ce8ac393e93e7442 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 4 Oct 2019 13:22:51 +0300 +Subject: drm/i810: Prevent underflow in ioctl + +From: Dan Carpenter + +commit 4f69851fbaa26b155330be35ce8ac393e93e7442 upstream. + +The "used" variables here come from the user in the ioctl and it can be +negative. It could result in an out of bounds write. + +Signed-off-by: Dan Carpenter +Reviewed-by: Chris Wilson +Signed-off-by: Chris Wilson +Link: https://patchwork.freedesktop.org/patch/msgid/20191004102251.GC823@mwanda +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i810/i810_dma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i810/i810_dma.c ++++ b/drivers/gpu/drm/i810/i810_dma.c +@@ -721,7 +721,7 @@ static void i810_dma_dispatch_vertex(str + if (nbox > I810_NR_SAREA_CLIPRECTS) + nbox = I810_NR_SAREA_CLIPRECTS; + +- if (used > 4 * 1024) ++ if (used < 0 || used > 4 * 1024) + used = 0; + + if (sarea_priv->dirty) +@@ -1041,7 +1041,7 @@ static void i810_dma_dispatch_mc(struct + if (u != I810_BUF_CLIENT) + DRM_DEBUG("MC found buffer that isn't mine!\n"); + +- if (used > 4 * 1024) ++ if (used < 0 || used > 4 * 1024) + used = 0; + + sarea_priv->dirty = 0x7f; diff --git a/queue-4.14/kvm-arm-arm64-vgic-don-t-rely-on-the-wrong-pending-table.patch b/queue-4.14/kvm-arm-arm64-vgic-don-t-rely-on-the-wrong-pending-table.patch new file mode 100644 index 00000000000..cfd82ad0b80 --- /dev/null +++ b/queue-4.14/kvm-arm-arm64-vgic-don-t-rely-on-the-wrong-pending-table.patch @@ -0,0 +1,54 @@ +From ca185b260951d3b55108c0b95e188682d8a507b7 Mon Sep 17 00:00:00 2001 +From: Zenghui Yu +Date: Tue, 29 Oct 2019 15:19:19 +0800 +Subject: KVM: arm/arm64: vgic: Don't rely on the wrong pending table + +From: Zenghui Yu + +commit ca185b260951d3b55108c0b95e188682d8a507b7 upstream. + +It's possible that two LPIs locate in the same "byte_offset" but target +two different vcpus, where their pending status are indicated by two +different pending tables. In such a scenario, using last_byte_offset +optimization will lead KVM relying on the wrong pending table entry. +Let us use last_ptr instead, which can be treated as a byte index into +a pending table and also, can be vcpu specific. + +Fixes: 280771252c1b ("KVM: arm64: vgic-v3: KVM_DEV_ARM_VGIC_SAVE_PENDING_TABLES") +Cc: stable@vger.kernel.org +Signed-off-by: Zenghui Yu +Signed-off-by: Marc Zyngier +Acked-by: Eric Auger +Link: https://lore.kernel.org/r/20191029071919.177-4-yuzenghui@huawei.com +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/arm/vgic/vgic-v3.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/virt/kvm/arm/vgic/vgic-v3.c ++++ b/virt/kvm/arm/vgic/vgic-v3.c +@@ -331,8 +331,8 @@ retry: + int vgic_v3_save_pending_tables(struct kvm *kvm) + { + struct vgic_dist *dist = &kvm->arch.vgic; +- int last_byte_offset = -1; + struct vgic_irq *irq; ++ gpa_t last_ptr = ~(gpa_t)0; + int ret; + u8 val; + +@@ -352,11 +352,11 @@ int vgic_v3_save_pending_tables(struct k + bit_nr = irq->intid % BITS_PER_BYTE; + ptr = pendbase + byte_offset; + +- if (byte_offset != last_byte_offset) { ++ if (ptr != last_ptr) { + ret = kvm_read_guest_lock(kvm, ptr, &val, 1); + if (ret) + return ret; +- last_byte_offset = byte_offset; ++ last_ptr = ptr; + } + + stored = val & (1U << bit_nr); diff --git a/queue-4.14/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch b/queue-4.14/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch new file mode 100644 index 00000000000..a308a4289f7 --- /dev/null +++ b/queue-4.14/kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch @@ -0,0 +1,51 @@ +From de1fca5d6e0105c9d33924e1247e2f386efc3ece Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 18 Nov 2019 12:23:00 -0500 +Subject: KVM: x86: do not modify masked bits of shared MSRs + +From: Paolo Bonzini + +commit de1fca5d6e0105c9d33924e1247e2f386efc3ece upstream. + +"Shared MSRs" are guest MSRs that are written to the host MSRs but +keep their value until the next return to userspace. They support +a mask, so that some bits keep the host value, but this mask is +only used to skip an unnecessary MSR write and the value written +to the MSR is always the guest MSR. + +Fix this and, while at it, do not update smsr->values[slot].curr if +for whatever reason the wrmsr fails. This should only happen due to +reserved bits, so the value written to smsr->values[slot].curr +will not match when the user-return notifier and the host value will +always be restored. However, it is untidy and in rare cases this +can actually avoid spurious WRMSRs on return to userspace. + +Cc: stable@vger.kernel.org +Reviewed-by: Jim Mattson +Tested-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -276,13 +276,14 @@ int kvm_set_shared_msr(unsigned slot, u6 + struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu); + int err; + +- if (((value ^ smsr->values[slot].curr) & mask) == 0) ++ value = (value & mask) | (smsr->values[slot].host & ~mask); ++ if (value == smsr->values[slot].curr) + return 0; +- smsr->values[slot].curr = value; + err = wrmsrl_safe(shared_msrs_global.msrs[slot], value); + if (err) + return 1; + ++ smsr->values[slot].curr = value; + if (!smsr->registered) { + smsr->urn.on_user_return = kvm_on_user_return; + user_return_notifier_register(&smsr->urn); diff --git a/queue-4.14/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch b/queue-4.14/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch new file mode 100644 index 00000000000..f7590cac9ce --- /dev/null +++ b/queue-4.14/kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch @@ -0,0 +1,44 @@ +From cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 18 Nov 2019 18:58:26 +0100 +Subject: KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES + +From: Paolo Bonzini + +commit cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b upstream. + +KVM does not implement MSR_IA32_TSX_CTRL, so it must not be presented +to the guests. It is also confusing to have !ARCH_CAP_TSX_CTRL_MSR && +!RTM && ARCH_CAP_TAA_NO: lack of MSR_IA32_TSX_CTRL suggests TSX was not +hidden (it actually was), yet the value says that TSX is not vulnerable +to microarchitectural data sampling. Fix both. + +Cc: stable@vger.kernel.org +Tested-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1113,10 +1113,15 @@ u64 kvm_get_arch_capabilities(void) + * If TSX is disabled on the system, guests are also mitigated against + * TAA and clear CPU buffer mitigation is not required for guests. + */ +- if (boot_cpu_has_bug(X86_BUG_TAA) && boot_cpu_has(X86_FEATURE_RTM) && +- (data & ARCH_CAP_TSX_CTRL_MSR)) ++ if (!boot_cpu_has(X86_FEATURE_RTM)) ++ data &= ~ARCH_CAP_TAA_NO; ++ else if (!boot_cpu_has_bug(X86_BUG_TAA)) ++ data |= ARCH_CAP_TAA_NO; ++ else if (data & ARCH_CAP_TSX_CTRL_MSR) + data &= ~ARCH_CAP_MDS_NO; + ++ /* KVM does not emulate MSR_IA32_TSX_CTRL. */ ++ data &= ~ARCH_CAP_TSX_CTRL_MSR; + return data; + } + diff --git a/queue-4.14/series b/queue-4.14/series index 9bbdb89ad66..140207ed533 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -137,3 +137,14 @@ tty-vt-keyboard-reject-invalid-keycodes.patch can-slcan-fix-use-after-free-read-in-slcan_open.patch kernfs-fix-ino-wrap-around-detection.patch jbd2-fix-possible-overflow-in-jbd2_log_space_left.patch +drm-i810-prevent-underflow-in-ioctl.patch +kvm-arm-arm64-vgic-don-t-rely-on-the-wrong-pending-table.patch +kvm-x86-do-not-modify-masked-bits-of-shared-msrs.patch +kvm-x86-fix-presentation-of-tsx-feature-in-arch_capabilities.patch +crypto-crypto4xx-fix-double-free-in-crypto4xx_destroy_sdr.patch +crypto-af_alg-cast-ki_complete-ternary-op-to-int.patch +crypto-geode-aes-switch-to-skcipher-for-cbc-aes-fallback.patch +crypto-ccp-fix-uninitialized-list-head.patch +crypto-ecdh-fix-big-endian-bug-in-ecc-library.patch +crypto-user-fix-memory-leak-in-crypto_report.patch +spi-atmel-fix-cs-high-support.patch diff --git a/queue-4.14/spi-atmel-fix-cs-high-support.patch b/queue-4.14/spi-atmel-fix-cs-high-support.patch new file mode 100644 index 00000000000..94c3e1d4c26 --- /dev/null +++ b/queue-4.14/spi-atmel-fix-cs-high-support.patch @@ -0,0 +1,50 @@ +From 7cbb16b2122c09f2ae393a1542fed628505b9da6 Mon Sep 17 00:00:00 2001 +From: Gregory CLEMENT +Date: Thu, 17 Oct 2019 16:18:41 +0200 +Subject: spi: atmel: Fix CS high support + +From: Gregory CLEMENT + +commit 7cbb16b2122c09f2ae393a1542fed628505b9da6 upstream. + +Until a few years ago, this driver was only used with CS GPIO. The +only exception is CS0 on AT91RM9200 which has to use internal CS. A +limitation of the internal CS is that they don't support CS High. + +So by using the CS GPIO the CS high configuration was available except +for the particular case CS0 on RM9200. + +When the support for the internal chip-select was added, the check of +the CS high support was not updated. Due to this the driver accepts +this configuration for all the SPI controller v2 (used by all SoCs +excepting the AT91RM9200) whereas the hardware doesn't support it for +infernal CS. + +This patch fixes the test to match the hardware capabilities. + +Fixes: 4820303480a1 ("spi: atmel: add support for the internal chip-select of the spi controller") +Cc: +Signed-off-by: Gregory CLEMENT +Link: https://lore.kernel.org/r/20191017141846.7523-3-gregory.clement@bootlin.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-atmel.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/spi/spi-atmel.c ++++ b/drivers/spi/spi-atmel.c +@@ -1150,10 +1150,8 @@ static int atmel_spi_setup(struct spi_de + as = spi_master_get_devdata(spi->master); + + /* see notes above re chipselect */ +- if (!atmel_spi_is_v2(as) +- && spi->chip_select == 0 +- && (spi->mode & SPI_CS_HIGH)) { +- dev_dbg(&spi->dev, "setup: can't be active-high\n"); ++ if (!as->use_cs_gpios && (spi->mode & SPI_CS_HIGH)) { ++ dev_warn(&spi->dev, "setup: non GPIO CS can't be active-high\n"); + return -EINVAL; + } + -- 2.47.3