5.5-stable patches

added patches:
	crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch
	crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch

diff --git a/queue-5.5/crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch b/queue-5.5/crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch
new file mode 100644 (file)
index 0000000..ebc28f4
--- /dev/null
+++ b/queue-5.5/crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch
@@ -0,0 +1,113 @@
+From fa03481b6e2e82355c46644147b614f18c7a8161 Mon Sep 17 00:00:00 2001
+From: Rosioru Dragos <dragos.rosioru@nxp.com>
+Date: Tue, 25 Feb 2020 17:05:52 +0200
+Subject: crypto: mxs-dcp - fix scatterlist linearization for hash
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rosioru Dragos <dragos.rosioru@nxp.com>
+
+commit fa03481b6e2e82355c46644147b614f18c7a8161 upstream.
+
+The incorrect traversal of the scatterlist, during the linearization phase
+lead to computing the hash value of the wrong input buffer.
+New implementation uses scatterwalk_map_and_copy()
+to address this issue.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 15b59e7c3733 ("crypto: mxs - Add Freescale MXS DCP driver")
+Signed-off-by: Rosioru Dragos <dragos.rosioru@nxp.com>
+Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/mxs-dcp.c |   54 ++++++++++++++++++++++-------------------------
+ 1 file changed, 26 insertions(+), 28 deletions(-)
+
+--- a/drivers/crypto/mxs-dcp.c
++++ b/drivers/crypto/mxs-dcp.c
+@@ -20,6 +20,7 @@
+ #include <crypto/sha.h>
+ #include <crypto/internal/hash.h>
+ #include <crypto/internal/skcipher.h>
++#include <crypto/scatterwalk.h>
+ 
+ #define DCP_MAX_CHANS 4
+ #define DCP_BUF_SZ    PAGE_SIZE
+@@ -621,49 +622,46 @@ static int dcp_sha_req_to_buf(struct cry
+       struct dcp_async_ctx *actx = crypto_ahash_ctx(tfm);
+       struct dcp_sha_req_ctx *rctx = ahash_request_ctx(req);
+       struct hash_alg_common *halg = crypto_hash_alg_common(tfm);
+-      const int nents = sg_nents(req->src);
+ 
+       uint8_t *in_buf = sdcp->coh->sha_in_buf;
+       uint8_t *out_buf = sdcp->coh->sha_out_buf;
+ 
+-      uint8_t *src_buf;
+-
+       struct scatterlist *src;
+ 
+-      unsigned int i, len, clen;
++      unsigned int i, len, clen, oft = 0;
+       int ret;
+ 
+       int fin = rctx->fini;
+       if (fin)
+               rctx->fini = 0;
+ 
+-      for_each_sg(req->src, src, nents, i) {
+-              src_buf = sg_virt(src);
+-              len = sg_dma_len(src);
++      src = req->src;
++      len = req->nbytes;
+ 
+-              do {
+-                      if (actx->fill + len > DCP_BUF_SZ)
+-                              clen = DCP_BUF_SZ - actx->fill;
+-                      else
+-                              clen = len;
++      while (len) {
++              if (actx->fill + len > DCP_BUF_SZ)
++                      clen = DCP_BUF_SZ - actx->fill;
++              else
++                      clen = len;
+ 
+-                      memcpy(in_buf + actx->fill, src_buf, clen);
+-                      len -= clen;
+-                      src_buf += clen;
+-                      actx->fill += clen;
++              scatterwalk_map_and_copy(in_buf + actx->fill, src, oft, clen,
++                                       0);
+ 
+-                      /*
+-                       * If we filled the buffer and still have some
+-                       * more data, submit the buffer.
+-                       */
+-                      if (len && actx->fill == DCP_BUF_SZ) {
+-                              ret = mxs_dcp_run_sha(req);
+-                              if (ret)
+-                                      return ret;
+-                              actx->fill = 0;
+-                              rctx->init = 0;
+-                      }
+-              } while (len);
++              len -= clen;
++              oft += clen;
++              actx->fill += clen;
++
++              /*
++               * If we filled the buffer and still have some
++               * more data, submit the buffer.
++               */
++              if (len && actx->fill == DCP_BUF_SZ) {
++                      ret = mxs_dcp_run_sha(req);
++                      if (ret)
++                              return ret;
++                      actx->fill = 0;
++                      rctx->init = 0;
++              }
+       }
+ 
+       if (fin) {

diff --git a/queue-5.5/crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch b/queue-5.5/crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch
new file mode 100644 (file)
index 0000000..48a048d
--- /dev/null
+++ b/queue-5.5/crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch
@@ -0,0 +1,43 @@
+From eed74b3eba9eda36d155c11a12b2b4b50c67c1d8 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 20 Jan 2020 17:38:04 +0300
+Subject: crypto: rng - Fix a refcounting bug in crypto_rng_reset()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit eed74b3eba9eda36d155c11a12b2b4b50c67c1d8 upstream.
+
+We need to decrement this refcounter on these error paths.
+
+Fixes: f7d76e05d058 ("crypto: user - fix use_after_free of struct xxx_request")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/rng.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/crypto/rng.c
++++ b/crypto/rng.c
+@@ -37,12 +37,16 @@ int crypto_rng_reset(struct crypto_rng *
+       crypto_stats_get(alg);
+       if (!seed && slen) {
+               buf = kmalloc(slen, GFP_KERNEL);
+-              if (!buf)
++              if (!buf) {
++                      crypto_alg_put(alg);
+                       return -ENOMEM;
++              }
+ 
+               err = get_random_bytes_wait(buf, slen);
+-              if (err)
++              if (err) {
++                      crypto_alg_put(alg);
+                       goto out;
++              }
+               seed = buf;
+       }
+ 

diff --git a/queue-5.5/series b/queue-5.5/series
index 0518c6d679346d5ee4d98068c826a89a1bd84899..e546311cbbd967fe44740f17ba3bddedb6643b87 100644 (file)
--- a/queue-5.5/series
+++ b/queue-5.5/series
@@ -168,3 +168,5 @@ btrfs-use-nofs-allocations-for-running-delayed-items.patch
 remoteproc-qcom_q6v5_mss-don-t-reassign-mpss-region-on-shutdown.patch
 remoteproc-qcom_q6v5_mss-reload-the-mba-region-on-coredump.patch
 remoteproc-fix-null-pointer-dereference-in-rproc_virtio_notify.patch
+crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch
+crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch