From ac8305c64115972143cc1c26d78fa31bfc8ae297 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 21 Mar 2019 06:31:55 +0100
Subject: [PATCH] 4.14-stable patches
added patches:
crypto-arm64-aes-neonbs-fix-returning-final-keystream-block.patch
---
 ...-fix-returning-final-keystream-block.patch | 51 +++++++++++++++++++
 queue-4.14/series | 1 +
 2 files changed, 52 insertions(+)
 create mode 100644 queue-4.14/crypto-arm64-aes-neonbs-fix-returning-final-keystream-block.patch
diff --git a/queue-4.14/crypto-arm64-aes-neonbs-fix-returning-final-keystream-block.patch b/queue-4.14/crypto-arm64-aes-neonbs-fix-returning-final-keystream-block.patch
new file mode 100644
index 00000000000..d33f68b02b3
--- /dev/null
+++ b/queue-4.14/crypto-arm64-aes-neonbs-fix-returning-final-keystream-block.patch
@@ -0,0 +1,51 @@
+From 12455e320e19e9cc7ad97f4ab89c280fe297387c Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Thu, 31 Jan 2019 23:51:42 -0800
+Subject: crypto: arm64/aes-neonbs - fix returning final keystream block
+
+From: Eric Biggers
+
+commit 12455e320e19e9cc7ad97f4ab89c280fe297387c upstream.
+
+The arm64 NEON bit-sliced implementation of AES-CTR fails the improved
+skcipher tests because it sometimes produces the wrong ciphertext. The
+bug is that the final keystream block isn't returned from the assembly
+code when the number of non-final blocks is zero. This can happen if
+the input data ends a few bytes after a page boundary. In this case the
+last bytes get "encrypted" by XOR'ing them with uninitialized memory.
+
+Fix the assembly code to return the final keystream block when needed.
+
+Fixes: 88a3f582bea9 ("crypto: arm64/aes - don't use IV buffer to return final keystream block")
+Cc: # v4.11+
+Reviewed-by: Ard Biesheuvel
+Signed-off-by: Eric Biggers
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ arch/arm64/crypto/aes-neonbs-core.S | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/crypto/aes-neonbs-core.S
++++ b/arch/arm64/crypto/aes-neonbs-core.S
+@@ -940,7 +940,7 @@ CPU_LE( rev x8, x8 )
+ 8: next_ctr v0
+ cbnz x4, 99b
+
+-0: st1 {v0.16b}, [x5]
++ st1 {v0.16b}, [x5]
+ ldp x29, x30, [sp], #16
+ ret
+
+@@ -948,6 +948,9 @@ CPU_LE( rev x8, x8 )
+ * If we are handling the tail of the input (x6 != NULL), return the
+ * final keystream block back to the caller.
+ */
++0: cbz x6, 8b
++ st1 {v0.16b}, [x6]
++ b 8b
+ 1: cbz x6, 8b
+ st1 {v1.16b}, [x6]
+ b 8b
diff --git a/queue-4.14/series b/queue-4.14/series
index 7e1c5ea5525..42c6f45b3fc 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
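Review bot: The new `0:` entry routes the x6 == NULL case through `8b`, so `next_ctr v0` now executes before the IV is written back at `st1 {v0.16b}, [x5]`, whereas the removed `0: st1 {v0.16b}, [x5]` stored v0 unmodified; this is only equivalent if the routine is never entered with zero full blocks and no tail pointer. The dispatch that branches to `0f` and the enclosing routine (presumably aesbs_ctr_encrypt) begin outside the hunk, so that precondition cannot be confirmed from here and is worth checking against the glue code's calling contract. A one-line comment at the label would make it explicit, e.g. `/* 0: no full blocks left; expects x6 != NULL, since 8b advances the counter before the IV is stored */`. Note also that the "improved skcipher tests" the message cites are newer than 4.14, so presumably no in-tree self-test in this queue exercises the partial-final-block path the fix targets.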
@@ -126,3 +126,4 @@ device-property-fix-the-length-used-in-property_entry_string.patch
 intel_th-don-t-reference-unassigned-outputs.patch
 parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch
 i2c-tegra-fix-maximum-transfer-size.patch
+crypto-arm64-aes-neonbs-fix-returning-final-keystream-block.patch
--
2.47.2