From cbdaeaaaf8d9a45d41ca700af68a1c8722b4e209 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 12 Dec 2016 16:53:28 -0800 Subject: [PATCH] 4.8-stable patches added patches: can-peak-fix-bad-memory-access-and-free-sequence.patch can-raw-raw_setsockopt-limit-number-of-can_filter-that-can-be-set.patch crypto-caam-fix-pointer-size-for-aarch64-boot-loader-aarch32-kernel.patch crypto-marvell-don-t-copy-hash-operation-twice-into-the-sram.patch crypto-marvell-don-t-corrupt-state-of-an-std-req-for-re-stepped-ahash.patch crypto-mcryptd-check-mcryptd-algorithm-compatibility.patch revert-acpi-execute-_pts-before-system-reboot.patch --- ...-bad-memory-access-and-free-sequence.patch | 53 ++++++++++++++ ...number-of-can_filter-that-can-be-set.patch | 46 ++++++++++++ ...r-aarch64-boot-loader-aarch32-kernel.patch | 41 +++++++++++ ...y-hash-operation-twice-into-the-sram.patch | 33 +++++++++ ...e-of-an-std-req-for-re-stepped-ahash.patch | 43 +++++++++++ ...heck-mcryptd-algorithm-compatibility.patch | 70 ++++++++++++++++++ ...pi-execute-_pts-before-system-reboot.patch | 73 +++++++++++++++++++ queue-4.8/series | 7 ++ 8 files changed, 366 insertions(+) create mode 100644 queue-4.8/can-peak-fix-bad-memory-access-and-free-sequence.patch create mode 100644 queue-4.8/can-raw-raw_setsockopt-limit-number-of-can_filter-that-can-be-set.patch create mode 100644 queue-4.8/crypto-caam-fix-pointer-size-for-aarch64-boot-loader-aarch32-kernel.patch create mode 100644 queue-4.8/crypto-marvell-don-t-copy-hash-operation-twice-into-the-sram.patch create mode 100644 queue-4.8/crypto-marvell-don-t-corrupt-state-of-an-std-req-for-re-stepped-ahash.patch create mode 100644 queue-4.8/crypto-mcryptd-check-mcryptd-algorithm-compatibility.patch create mode 100644 queue-4.8/revert-acpi-execute-_pts-before-system-reboot.patch 
diff --git a/queue-4.8/can-peak-fix-bad-memory-access-and-free-sequence.patch b/queue-4.8/can-peak-fix-bad-memory-access-and-free-sequence.patch
new file mode 100644
index 00000000000..bc15699b6ad
--- /dev/null
+++ b/queue-4.8/can-peak-fix-bad-memory-access-and-free-sequence.patch
@@ -0,0 +1,53 @@
+From b67d0dd7d0dc9e456825447bbeb935d8ef43ea7c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=EC=B6=94=EC=A7=80=ED=98=B8?=
+Date: Thu, 8 Dec 2016 12:01:13 +0000
+Subject: can: peak: fix bad memory access and free sequence
+
+From: 추지호
+
+commit b67d0dd7d0dc9e456825447bbeb935d8ef43ea7c upstream.
+
+Fix for bad memory access while disconnecting. netdev is freed before
+private data free, and dev is accessed after freeing netdev.
+
+This makes a slub problem, and it raise kernel oops with slub debugger
+config.
+
+Signed-off-by: Jiho Chu
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_core.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -872,23 +872,25 @@ lbl_free_candev:
+ static void peak_usb_disconnect(struct usb_interface *intf)
+ {
+ struct peak_usb_device *dev;
++ struct peak_usb_device *dev_prev_siblings;
+
+ /* unregister as many netdev devices as siblings */
+- for (dev = usb_get_intfdata(intf); dev; dev = dev->prev_siblings) {
++ for (dev = usb_get_intfdata(intf); dev; dev = dev_prev_siblings) {
+ struct net_device *netdev = dev->netdev;
+ char name[IFNAMSIZ];
+
++ dev_prev_siblings = dev->prev_siblings;
+ dev->state &= ~PCAN_USB_STATE_CONNECTED;
+ strncpy(name, netdev->name, IFNAMSIZ);
+
+ unregister_netdev(netdev);
+- free_candev(netdev);
+
+ kfree(dev->cmd_buf);
+ dev->next_siblings = NULL;
+ if (dev->adapter->dev_free)
+ dev->adapter->dev_free(dev);
+
++ free_candev(netdev);
+ dev_info(&intf->dev, "%s removed\n", name);
+ }
+
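Review bot: The reordering in peak_usb_disconnect() in pcan_usb_core.c has no comment saying why `free_candev(netdev)` must now come after `dev->adapter->dev_free(dev)`, or why `dev->prev_siblings` is cached at the top of the loop body. The commit message says dev is accessed after netdev is freed, which suggests dev lives in memory released by free_candev(); if that is right, a comment such as `/* dev is released together with netdev: read prev_siblings first, call free_candev() last */` would keep a later cleanup from reintroducing the use-after-free. Separately, the context line `strncpy(name, netdev->name, IFNAMSIZ);` does not itself guarantee NUL termination before `name` is printed with `%s`; presumably netdev->name is always terminated, but that is worth confirming.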
diff --git a/queue-4.8/can-raw-raw_setsockopt-limit-number-of-can_filter-that-can-be-set.patch b/queue-4.8/can-raw-raw_setsockopt-limit-number-of-can_filter-that-can-be-set.patch
new file mode 100644
index 00000000000..968ffba7647
--- /dev/null
+++ b/queue-4.8/can-raw-raw_setsockopt-limit-number-of-can_filter-that-can-be-set.patch
@@ -0,0 +1,46 @@
+From 332b05ca7a438f857c61a3c21a88489a21532364 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde
+Date: Mon, 5 Dec 2016 11:44:23 +0100
+Subject: can: raw: raw_setsockopt: limit number of can_filter that can be set
+
+From: Marc Kleine-Budde
+
+commit 332b05ca7a438f857c61a3c21a88489a21532364 upstream.
+
+This patch adds a check to limit the number of can_filters that can be
+set via setsockopt on CAN_RAW sockets. Otherwise allocations > MAX_ORDER
+are not prevented resulting in a warning.
+
+Reference: https://lkml.org/lkml/2016/12/2/230
+
+Reported-by: Andrey Konovalov
+Tested-by: Andrey Konovalov
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/uapi/linux/can.h | 1 +
+ net/can/raw.c | 3 +++
+ 2 files changed, 4 insertions(+)
+
+--- a/include/uapi/linux/can.h
++++ b/include/uapi/linux/can.h
+@@ -196,5 +196,6 @@ struct can_filter {
+ };
+
+ #define CAN_INV_FILTER 0x20000000U /* to be set in can_filter.can_id */
++#define CAN_RAW_FILTER_MAX 512 /* maximum number of can_filter set via setsockopt() */
+
+ #endif /* !_UAPI_CAN_H */
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -499,6 +499,9 @@ static int raw_setsockopt(struct socket
+ if (optlen % sizeof(struct can_filter) != 0)
+ return -EINVAL;
+
++ if (optlen > CAN_RAW_FILTER_MAX * sizeof(struct can_filter))
++ return -EINVAL;
++
+ count = optlen / sizeof(struct can_filter);
+
+ if (count > 1) {
diff --git a/queue-4.8/crypto-caam-fix-pointer-size-for-aarch64-boot-loader-aarch32-kernel.patch b/queue-4.8/crypto-caam-fix-pointer-size-for-aarch64-boot-loader-aarch32-kernel.patch
new file mode 100644
index 00000000000..a92560747e5
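Review bot: The new bound in raw_setsockopt() in net/can/raw.c returns the same -EINVAL as the alignment check just above it, and nothing at the check says which later allocation it protects. A short comment such as `/* cap the user-supplied filter count so the filter array allocation stays bounded */` would tie the limit to its purpose; the commit message gives allocations above MAX_ORDER as the reason. Since CAN_RAW_FILTER_MAX is added to a uapi header, the user-facing documentation for this socket option should presumably mention the 512-entry limit too. The body of raw_setsockopt() continues outside the hunk.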
--- /dev/null
+++ b/queue-4.8/crypto-caam-fix-pointer-size-for-aarch64-boot-loader-aarch32-kernel.patch
@@ -0,0 +1,41 @@
+From 39eaf759466f4e3fbeaa39075512f4f345dffdc8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?=
+Date: Mon, 5 Dec 2016 11:06:58 +0200
+Subject: crypto: caam - fix pointer size for AArch64 boot loader, AArch32 kernel
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă
+
+commit 39eaf759466f4e3fbeaa39075512f4f345dffdc8 upstream.
+
+Start with a clean slate before dealing with bit 16 (pointer size)
+of Master Configuration Register.
+This fixes the case of AArch64 boot loader + AArch32 kernel, when
+the boot loader might set MCFGR[PS] and kernel would fail to clear it.
+
+Reported-by: Alison Wang
+Signed-off-by: Horia Geantă
+Reviewed-By: Alison Wang
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/caam/ctrl.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/caam/ctrl.c
++++ b/drivers/crypto/caam/ctrl.c
+@@ -557,8 +557,9 @@ static int caam_probe(struct platform_de
+ * Enable DECO watchdogs and, if this is a PHYS_ADDR_T_64BIT kernel,
+ * long pointers in master configuration register
+ */
+- clrsetbits_32(&ctrl->mcr, MCFGR_AWCACHE_MASK, MCFGR_AWCACHE_CACH |
+- MCFGR_AWCACHE_BUFF | MCFGR_WDENABLE | MCFGR_LARGE_BURST |
++ clrsetbits_32(&ctrl->mcr, MCFGR_AWCACHE_MASK | MCFGR_LONG_PTR,
++ MCFGR_AWCACHE_CACH | MCFGR_AWCACHE_BUFF |
++ MCFGR_WDENABLE | MCFGR_LARGE_BURST |
+ (sizeof(dma_addr_t) == sizeof(u64) ? MCFGR_LONG_PTR : 0));
+
+ /*
diff --git a/queue-4.8/crypto-marvell-don-t-copy-hash-operation-twice-into-the-sram.patch b/queue-4.8/crypto-marvell-don-t-copy-hash-operation-twice-into-the-sram.patch
new file mode 100644
index 00000000000..027fc5b880b
--- /dev/null
+++ b/queue-4.8/crypto-marvell-don-t-copy-hash-operation-twice-into-the-sram.patch
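Review bot: The comment above the clrsetbits_32() call in caam_probe() (drivers/crypto/caam/ctrl.c) still describes only what gets set, while the new clear mask also drops MCFGR_LONG_PTR. Extending it with a line such as ` * MCFGR_LONG_PTR is cleared first because a boot loader may have left it set` would record why the bit appears in both the clear and the set argument. caam_probe() begins and ends outside the hunk.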
@@ -0,0 +1,33 @@
+From 68c7f8c1c4e9b06e6b153fa3e9e0cda2ef5aaed8 Mon Sep 17 00:00:00 2001
+From: Romain Perier
+Date: Mon, 5 Dec 2016 09:56:38 +0100
+Subject: crypto: marvell - Don't copy hash operation twice into the SRAM
+
+From: Romain Perier
+
+commit 68c7f8c1c4e9b06e6b153fa3e9e0cda2ef5aaed8 upstream.
+
+No need to copy the template of an hash operation twice into the SRAM
+from the step function.
+
+Fixes: commit 85030c5168f1 ("crypto: marvell - Add support for chai...")
+Signed-off-by: Romain Perier
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/marvell/hash.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/crypto/marvell/hash.c
++++ b/drivers/crypto/marvell/hash.c
+@@ -172,9 +172,6 @@ static void mv_cesa_ahash_std_step(struc
+ for (i = 0; i < digsize / 4; i++)
+ writel_relaxed(creq->state[i], engine->regs + CESA_IVDIG(i));
+
+- mv_cesa_adjust_op(engine, &creq->op_tmpl);
+- memcpy_toio(engine->sram, &creq->op_tmpl, sizeof(creq->op_tmpl));
+-
+ if (creq->cache_ptr)
+ memcpy_toio(engine->sram + CESA_SA_DATA_SRAM_OFFSET,
+ creq->cache, creq->cache_ptr);
diff --git a/queue-4.8/crypto-marvell-don-t-corrupt-state-of-an-std-req-for-re-stepped-ahash.patch b/queue-4.8/crypto-marvell-don-t-corrupt-state-of-an-std-req-for-re-stepped-ahash.patch
new file mode 100644
index 00000000000..b526768b2d3
--- /dev/null
+++ b/queue-4.8/crypto-marvell-don-t-corrupt-state-of-an-std-req-for-re-stepped-ahash.patch
@@ -0,0 +1,43 @@
+From 9e5f7a149e00d211177f6de8be427ebc72a1c363 Mon Sep 17 00:00:00 2001
+From: Romain Perier
+Date: Mon, 5 Dec 2016 09:56:39 +0100
+Subject: crypto: marvell - Don't corrupt state of an STD req for re-stepped ahash
+
+From: Romain Perier
+
+commit 9e5f7a149e00d211177f6de8be427ebc72a1c363 upstream.
+
+mv_cesa_hash_std_step() copies the creq->state into the SRAM at each
+step, but this is only required on the first one. By doing that, we
+overwrite the engine state, and get erroneous results when the crypto
+request is split in several chunks to fit in the internal SRAM.
+
+This commit changes the function to copy the state only on the first
+step.
+
+Fixes: commit 2786cee8e50b ("crypto: marvell - Move SRAM I/O op...")
+Signed-off-by: Romain Perier
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/marvell/hash.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/crypto/marvell/hash.c
++++ b/drivers/crypto/marvell/hash.c
+@@ -168,9 +168,11 @@ static void mv_cesa_ahash_std_step(struc
+ mv_cesa_adjust_op(engine, &creq->op_tmpl);
+ memcpy_toio(engine->sram, &creq->op_tmpl, sizeof(creq->op_tmpl));
+
+- digsize = crypto_ahash_digestsize(crypto_ahash_reqtfm(req));
+- for (i = 0; i < digsize / 4; i++)
+- writel_relaxed(creq->state[i], engine->regs + CESA_IVDIG(i));
++ if (!sreq->offset) {
++ digsize = crypto_ahash_digestsize(crypto_ahash_reqtfm(req));
++ for (i = 0; i < digsize / 4; i++)
++ writel_relaxed(creq->state[i], engine->regs + CESA_IVDIG(i));
++ }
+
+ if (creq->cache_ptr)
+ memcpy_toio(engine->sram + CESA_SA_DATA_SRAM_OFFSET,
diff --git a/queue-4.8/crypto-mcryptd-check-mcryptd-algorithm-compatibility.patch b/queue-4.8/crypto-mcryptd-check-mcryptd-algorithm-compatibility.patch
new file mode 100644
index 00000000000..150502faead
--- /dev/null
+++ b/queue-4.8/crypto-mcryptd-check-mcryptd-algorithm-compatibility.patch
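Review bot: The new `if (!sreq->offset)` guard in mv_cesa_ahash_std_step() (drivers/crypto/marvell/hash.c) has no comment stating that a zero offset is what identifies the first step of a request. Suggest adding `/* first step only: later chunks must continue from the digest state held by the engine */` above the condition. Whether offset can still be zero on a later step, for instance after a step that consumed no data, is not visible here and should be confirmed. The function body continues outside the hunk.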
@@ -0,0 +1,70 @@
+From 48a992727d82cb7db076fa15d372178743b1f4cd Mon Sep 17 00:00:00 2001
+From: tim
+Date: Mon, 5 Dec 2016 11:46:31 -0800
+Subject: crypto: mcryptd - Check mcryptd algorithm compatibility
+
+From: tim
+
+commit 48a992727d82cb7db076fa15d372178743b1f4cd upstream.
+
+Algorithms not compatible with mcryptd could be spawned by mcryptd
+with a direct crypto_alloc_tfm invocation using a "mcryptd(alg)" name
+construct. This causes mcryptd to crash the kernel if an arbitrary
+"alg" is incompatible and not intended to be used with mcryptd. It is
+an issue if AF_ALG tries to spawn mcryptd(alg) to expose it externally.
+But such algorithms must be used internally and not be exposed.
+
+We added a check to enforce that only internal algorithms are allowed
+with mcryptd at the time mcryptd is spawning an algorithm.
+
+Link: http://marc.info/?l=linux-crypto-vger&m=148063683310477&w=2
+Reported-by: Mikulas Patocka
+Signed-off-by: Tim Chen
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/mcryptd.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/crypto/mcryptd.c
++++ b/crypto/mcryptd.c
+@@ -254,18 +254,22 @@ out_free_inst:
+ goto out;
+ }
+
+-static inline void mcryptd_check_internal(struct rtattr **tb, u32 *type,
++static inline bool mcryptd_check_internal(struct rtattr **tb, u32 *type,
+ u32 *mask)
+ {
+ struct crypto_attr_type *algt;
+
+ algt = crypto_get_attr_type(tb);
+ if (IS_ERR(algt))
+- return;
+- if ((algt->type & CRYPTO_ALG_INTERNAL))
+- *type |= CRYPTO_ALG_INTERNAL;
+- if ((algt->mask & CRYPTO_ALG_INTERNAL))
+- *mask |= CRYPTO_ALG_INTERNAL;
++ return false;
++
++ *type |= algt->type & CRYPTO_ALG_INTERNAL;
++ *mask |= algt->mask & CRYPTO_ALG_INTERNAL;
++
++ if (*type & *mask & CRYPTO_ALG_INTERNAL)
++ return true;
++ else
++ return false;
+ }
+
+ static int mcryptd_hash_init_tfm(struct crypto_tfm *tfm)
+@@ -492,7 +496,8 @@ static int mcryptd_create_hash(struct cr
+ u32 mask = 0;
+ int err;
+
+- mcryptd_check_internal(tb, &type, &mask);
++ if (!mcryptd_check_internal(tb, &type, &mask))
++ return -EINVAL;
+
+ halg = ahash_attr_alg(tb[1], type, mask);
+ if (IS_ERR(halg))
diff --git a/queue-4.8/revert-acpi-execute-_pts-before-system-reboot.patch b/queue-4.8/revert-acpi-execute-_pts-before-system-reboot.patch
new file mode 100644
index 00000000000..1de0101a66c
--- /dev/null
+++ b/queue-4.8/revert-acpi-execute-_pts-before-system-reboot.patch
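Review bot: mcryptd_check_internal() in crypto/mcryptd.c now returns false both when crypto_get_attr_type() fails and when the algorithm is not internal, so mcryptd_create_hash() reports -EINVAL in either case and the error carried in `algt` is dropped. If callers should see the original error, the helper would have to return an int (`PTR_ERR(algt)` on failure) instead of bool. The tail `if (...) return true; else return false;` can be written as `return *type & *mask & CRYPTO_ALG_INTERNAL;`. A one-line comment stating that true means both type and mask carry CRYPTO_ALG_INTERNAL would also help, because the function updates `*type` and `*mask` as a side effect. mcryptd_create_hash() continues outside the hunk.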
@@ -0,0 +1,73 @@
+From 9713adc2a1a5488f4889c657a0c0ce0c16056d3c Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki"
+Date: Mon, 21 Nov 2016 14:25:49 +0100
+Subject: Revert "ACPI: Execute _PTS before system reboot"
+
+From: Rafael J. Wysocki
+
+commit 9713adc2a1a5488f4889c657a0c0ce0c16056d3c upstream.
+
+Revert commit 2c85025c75df (ACPI: Execute _PTS before system reboot)
+as it is reported to cause poweroff and reboot to hang on Dell
+Latitude E7250.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=187061
+Reported-by: Gianpaolo
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/acpi/sleep.c | 29 ++++++-----------------------
+ 1 file changed, 6 insertions(+), 23 deletions(-)
+
+--- a/drivers/acpi/sleep.c
++++ b/drivers/acpi/sleep.c
+@@ -47,32 +47,15 @@ static void acpi_sleep_tts_switch(u32 ac
+ }
+ }
+
+-static void acpi_sleep_pts_switch(u32 acpi_state)
+-{
+- acpi_status status;
+-
+- status = acpi_execute_simple_method(NULL, "\\_PTS", acpi_state);
+- if (ACPI_FAILURE(status) && status != AE_NOT_FOUND) {
+- /*
+- * OS can't evaluate the _PTS object correctly. Some warning
+- * message will be printed. But it won't break anything.
+- */
+- printk(KERN_NOTICE "Failure in evaluating _PTS object\n");
+- }
+-}
+-
+-static int sleep_notify_reboot(struct notifier_block *this,
++static int tts_notify_reboot(struct notifier_block *this,
+ unsigned long code, void *x)
+ {
+ acpi_sleep_tts_switch(ACPI_STATE_S5);
+-
+- acpi_sleep_pts_switch(ACPI_STATE_S5);
+-
+ return NOTIFY_DONE;
+ }
+
+-static struct notifier_block sleep_notifier = {
+- .notifier_call = sleep_notify_reboot,
++static struct notifier_block tts_notifier = {
++ .notifier_call = tts_notify_reboot,
+ .next = NULL,
+ .priority = 0,
+ };
+@@ -916,9 +899,9 @@ int __init acpi_sleep_init(void)
+ pr_info(PREFIX "(supports%s)\n", supported);
+
+ /*
+- * Register the sleep_notifier to reboot notifier list so that the _TTS
+- * and _PTS object can also be evaluated when the system enters S5.
++ * Register the tts_notifier to reboot notifier list so that the _TTS
++ * object can also be evaluated when the system enters S5.
+ */
+- register_reboot_notifier(&sleep_notifier);
++ register_reboot_notifier(&tts_notifier);
+ return 0;
+ }
diff --git a/queue-4.8/series b/queue-4.8/series
index f77a8ac2507..0fda84c362b 100644
--- a/queue-4.8/series
+++ b/queue-4.8/series
@@ -17,3 +17,10 @@ acpi-nfit-fix-extended-status-translations-for-acpi-dsms.patch
 acpi-nfit-libnvdimm-fix-harden-ars_status-output-length-handling.patch
 acpi-nfit-validate-ars_status-output-buffer-size.patch
 acpi-nfit-fix-bus-vs-dimm-confusion-in-xlat_status.patch
+crypto-marvell-don-t-copy-hash-operation-twice-into-the-sram.patch
+crypto-caam-fix-pointer-size-for-aarch64-boot-loader-aarch32-kernel.patch
+crypto-mcryptd-check-mcryptd-algorithm-compatibility.patch
+crypto-marvell-don-t-corrupt-state-of-an-std-req-for-re-stepped-ahash.patch
+can-raw-raw_setsockopt-limit-number-of-can_filter-that-can-be-set.patch
+can-peak-fix-bad-memory-access-and-free-sequence.patch
+revert-acpi-execute-_pts-before-system-reboot.patch
-- 
2.47.3