From 7d5d33df31e3e987665fdcbdef94f59db0e96e78 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 14 Apr 2020 16:43:31 +0200 Subject: [PATCH] 5.6-stable patches added patches: crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch time-namespace-add-max_time_namespaces-ucount.patch time-namespace-fix-time_for_children-symlink.patch --- ...x-scatterlist-linearization-for-hash.patch | 113 ++++++++++++++++++ ...-refcounting-bug-in-crypto_rng_reset.patch | 43 +++++++ queue-5.6/series | 4 + ...space-add-max_time_namespaces-ucount.patch | 61 ++++++++++ ...espace-fix-time_for_children-symlink.patch | 51 ++++++++ 5 files changed, 272 insertions(+) create mode 100644 queue-5.6/crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch create mode 100644 queue-5.6/crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch create mode 100644 queue-5.6/time-namespace-add-max_time_namespaces-ucount.patch create mode 100644 queue-5.6/time-namespace-fix-time_for_children-symlink.patch diff --git a/queue-5.6/crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch b/queue-5.6/crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch new file mode 100644 index 00000000000..4a835ddf6f5 --- /dev/null +++ b/queue-5.6/crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch 
@@ -0,0 +1,113 @@ +From fa03481b6e2e82355c46644147b614f18c7a8161 Mon Sep 17 00:00:00 2001 +From: Rosioru Dragos +Date: Tue, 25 Feb 2020 17:05:52 +0200 +Subject: crypto: mxs-dcp - fix scatterlist linearization for hash +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rosioru Dragos + +commit fa03481b6e2e82355c46644147b614f18c7a8161 upstream. + +The incorrect traversal of the scatterlist, during the linearization phase +lead to computing the hash value of the wrong input buffer. +New implementation uses scatterwalk_map_and_copy() +to address this issue. + +Cc: +Fixes: 15b59e7c3733 ("crypto: mxs - Add Freescale MXS DCP driver") +Signed-off-by: Rosioru Dragos +Reviewed-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/mxs-dcp.c | 54 ++++++++++++++++++++++------------------------- + 1 file changed, 26 insertions(+), 28 deletions(-) + +--- a/drivers/crypto/mxs-dcp.c ++++ b/drivers/crypto/mxs-dcp.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + + #define DCP_MAX_CHANS 4 + #define DCP_BUF_SZ PAGE_SIZE +@@ -611,49 +612,46 @@ static int dcp_sha_req_to_buf(struct cry + struct dcp_async_ctx *actx = crypto_ahash_ctx(tfm); + struct dcp_sha_req_ctx *rctx = ahash_request_ctx(req); + struct hash_alg_common *halg = crypto_hash_alg_common(tfm); +- const int nents = sg_nents(req->src); + + uint8_t *in_buf = sdcp->coh->sha_in_buf; + uint8_t *out_buf = sdcp->coh->sha_out_buf; + +- uint8_t *src_buf; +- + struct scatterlist *src; + +- unsigned int i, len, clen; ++ unsigned int i, len, clen, oft = 0; + int ret; + + int fin = rctx->fini; + if (fin) + rctx->fini = 0; + +- for_each_sg(req->src, src, nents, i) { +- src_buf = sg_virt(src); +- len = sg_dma_len(src); ++ src = req->src; ++ len = req->nbytes; + +- do { +- if (actx->fill + len > DCP_BUF_SZ) +- clen = DCP_BUF_SZ - actx->fill; +- else +- clen = len; ++ while (len) { ++ if (actx->fill + len > DCP_BUF_SZ) ++ clen = 
DCP_BUF_SZ - actx->fill; ++ else ++ clen = len; + +- memcpy(in_buf + actx->fill, src_buf, clen); +- len -= clen; +- src_buf += clen; +- actx->fill += clen; ++ scatterwalk_map_and_copy(in_buf + actx->fill, src, oft, clen, ++ 0); + +- /* +- * If we filled the buffer and still have some +- * more data, submit the buffer. +- */ +- if (len && actx->fill == DCP_BUF_SZ) { +- ret = mxs_dcp_run_sha(req); +- if (ret) +- return ret; +- actx->fill = 0; +- rctx->init = 0; +- } +- } while (len); ++ len -= clen; ++ oft += clen; ++ actx->fill += clen; ++ ++ /* ++ * If we filled the buffer and still have some ++ * more data, submit the buffer. ++ */ ++ if (len && actx->fill == DCP_BUF_SZ) { ++ ret = mxs_dcp_run_sha(req); ++ if (ret) ++ return ret; ++ actx->fill = 0; ++ rctx->init = 0; ++ } + } + + if (fin) { diff --git a/queue-5.6/crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch b/queue-5.6/crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch new file mode 100644 index 00000000000..48a048d94dd --- /dev/null +++ b/queue-5.6/crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch 
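Review bot: In the queued mxs-dcp patch, the bound test `actx->fill + len > DCP_BUF_SZ` at the top of the new `while (len)` loop is an unsigned addition, and `len` now starts as the whole `req->nbytes` rather than one scatterlist entry's length. If that sum can wrap, the `clen = len` branch is taken and `scatterwalk_map_and_copy()` is asked to copy more than the space left after `in_buf + actx->fill`. Whether a request that large can reach this function is not visible here. Writing the limit as a subtraction removes the question: `clen = min_t(unsigned int, len, DCP_BUF_SZ - actx->fill);`. This relies on `actx->fill` never exceeding `DCP_BUF_SZ`, which the visible lines suggest, but dcp_sha_req_to_buf() begins and ends outside the hunk.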
@@ -0,0 +1,43 @@ +From eed74b3eba9eda36d155c11a12b2b4b50c67c1d8 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 20 Jan 2020 17:38:04 +0300 +Subject: crypto: rng - Fix a refcounting bug in crypto_rng_reset() + +From: Dan Carpenter + +commit eed74b3eba9eda36d155c11a12b2b4b50c67c1d8 upstream. + +We need to decrement this refcounter on these error paths. + +Fixes: f7d76e05d058 ("crypto: user - fix use_after_free of struct xxx_request") +Cc: +Signed-off-by: Dan Carpenter +Acked-by: Neil Horman +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/rng.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/crypto/rng.c ++++ b/crypto/rng.c +@@ -37,12 +37,16 @@ int crypto_rng_reset(struct crypto_rng * + crypto_stats_get(alg); + if (!seed && slen) { + buf = kmalloc(slen, GFP_KERNEL); +- if (!buf) ++ if (!buf) { ++ crypto_alg_put(alg); + return -ENOMEM; ++ } + + err = get_random_bytes_wait(buf, slen); +- if (err) ++ if (err) { ++ crypto_alg_put(alg); + goto out; ++ } + seed = buf; + } + diff --git a/queue-5.6/series b/queue-5.6/series index b3452b966de..46143a50856 100644 --- a/queue-5.6/series +++ b/queue-5.6/series @@ -159,3 +159,7 @@ btrfs-use-nofs-allocations-for-running-delayed-items.patch remoteproc-qcom_q6v5_mss-don-t-reassign-mpss-region-on-shutdown.patch remoteproc-qcom_q6v5_mss-reload-the-mba-region-on-coredump.patch remoteproc-fix-null-pointer-dereference-in-rproc_virtio_notify.patch +time-namespace-fix-time_for_children-symlink.patch +time-namespace-add-max_time_namespaces-ucount.patch +crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch +crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch diff --git a/queue-5.6/time-namespace-add-max_time_namespaces-ucount.patch b/queue-5.6/time-namespace-add-max_time_namespaces-ucount.patch new file mode 100644 index 00000000000..460fd665306 --- /dev/null +++ b/queue-5.6/time-namespace-add-max_time_namespaces-ucount.patch 
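Review bot: The two added `crypto_alg_put(alg)` calls in crypto_rng_reset() repeat the release by hand on each early exit, so any error path added later after `crypto_stats_get(alg)` has to remember it too. Taking the reference later, by moving `crypto_stats_get(alg);` below the `if (!seed && slen) { ... }` block, would leave the `-ENOMEM` return and the `goto out` with nothing to undo. That presumes nothing inside the block needs the reference and that the code after it releases the reference on the normal path; that code lies outside the hunk. If the order stays as it is, a short comment on each put, such as `/* drop the ref taken by crypto_stats_get() */`, would make the pairing explicit.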
@@ -0,0 +1,61 @@ +From eeec26d5da8248ea4e240b8795bb4364213d3247 Mon Sep 17 00:00:00 2001 +From: Dmitry Safonov +Date: Mon, 6 Apr 2020 18:13:42 +0100 +Subject: time/namespace: Add max_time_namespaces ucount + +From: Dmitry Safonov + +commit eeec26d5da8248ea4e240b8795bb4364213d3247 upstream. + +Michael noticed that userns limit for number of time namespaces is missing. + +Furthermore, time namespace introduced UCOUNT_TIME_NAMESPACES, but didn't +introduce an array member in user_table[]. It would make array's +initialisation OOB write, but by luck the user_table array has an excessive +empty member (all accesses to the array are limited with UCOUNT_COUNTS - so +it silently reuses the last free member. + +Fixes user-visible regression: max_inotify_instances by reason of the +missing UCOUNT_ENTRY() has limited max number of namespaces instead of the +number of inotify instances. + +Fixes: 769071ac9f20 ("ns: Introduce Time Namespace") +Reported-by: Michael Kerrisk (man-pages) +Signed-off-by: Dmitry Safonov +Signed-off-by: Thomas Gleixner +Acked-by: Andrei Vagin +Acked-by: Vincenzo Frascino +Cc: stable@kernel.org +Link: https://lkml.kernel.org/r/20200406171342.128733-1-dima@arista.com +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/admin-guide/sysctl/user.rst | 6 ++++++ + kernel/ucount.c | 1 + + 2 files changed, 7 insertions(+) + +--- a/Documentation/admin-guide/sysctl/user.rst ++++ b/Documentation/admin-guide/sysctl/user.rst +@@ -65,6 +65,12 @@ max_pid_namespaces + The maximum number of pid namespaces that any user in the current + user namespace may create. + ++max_time_namespaces ++=================== ++ ++ The maximum number of time namespaces that any user in the current ++ user namespace may create. 
++ + max_user_namespaces + =================== + +--- a/kernel/ucount.c ++++ b/kernel/ucount.c +@@ -69,6 +69,7 @@ static struct ctl_table user_table[] = { + UCOUNT_ENTRY("max_net_namespaces"), + UCOUNT_ENTRY("max_mnt_namespaces"), + UCOUNT_ENTRY("max_cgroup_namespaces"), ++ UCOUNT_ENTRY("max_time_namespaces"), + #ifdef CONFIG_INOTIFY_USER + UCOUNT_ENTRY("max_inotify_instances"), + UCOUNT_ENTRY("max_inotify_watches"), diff --git a/queue-5.6/time-namespace-fix-time_for_children-symlink.patch b/queue-5.6/time-namespace-fix-time_for_children-symlink.patch new file mode 100644 index 00000000000..58b7e9b3482 --- /dev/null +++ b/queue-5.6/time-namespace-fix-time_for_children-symlink.patch 
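Review bot: Nothing in the kernel/ucount.c hunk keeps `user_table[]` in step with the ucount enum, which is the mismatch the patch description says went unnoticed. The added `UCOUNT_ENTRY("max_time_namespaces")` repairs this one instance only. A compile-time check in the sysctl setup code, for example `BUILD_BUG_ON(ARRAY_SIZE(user_table) != UCOUNT_COUNTS + 1);`, would turn the next missing entry into a build failure instead of a silent reuse of the spare slot. The `+ 1` assumes the table ends with an empty terminator entry, which is outside the hunk. The position of the new entry also has to match the enum order, which cannot be confirmed from the lines shown.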
@@ -0,0 +1,51 @@ +From b801f1e22c23c259d6a2c955efddd20370de19a6 Mon Sep 17 00:00:00 2001 +From: "Michael Kerrisk (man-pages)" +Date: Fri, 3 Apr 2020 14:11:39 +0200 +Subject: time/namespace: Fix time_for_children symlink + +From: Michael Kerrisk (man-pages) + +commit b801f1e22c23c259d6a2c955efddd20370de19a6 upstream. + +Looking at the contents of the /proc/PID/ns/time_for_children symlink shows +an anomaly: + +$ ls -l /proc/self/ns/* |awk '{print $9, $10, $11}' +... +/proc/self/ns/pid -> pid:[4026531836] +/proc/self/ns/pid_for_children -> pid:[4026531836] +/proc/self/ns/time -> time:[4026531834] +/proc/self/ns/time_for_children -> time_for_children:[4026531834] +/proc/self/ns/user -> user:[4026531837] +... + +The reference for 'time_for_children' should be a 'time' namespace, just as +the reference for 'pid_for_children' is a 'pid' namespace. In other words, +the above time_for_children link should read: + +/proc/self/ns/time_for_children -> time:[4026531834] + +Fixes: 769071ac9f20 ("ns: Introduce Time Namespace") +Signed-off-by: Michael Kerrisk +Signed-off-by: Thomas Gleixner +Reviewed-by: Dmitry Safonov +Acked-by: Christian Brauner +Acked-by: Andrei Vagin +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/a2418c48-ed80-3afe-116e-6611cb799557@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/namespace.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/time/namespace.c ++++ b/kernel/time/namespace.c +@@ -446,6 +446,7 @@ const struct proc_ns_operations timens_o + + const struct proc_ns_operations timens_for_children_operations = { + .name = "time_for_children", ++ .real_ns_name = "time", + .type = CLONE_NEWTIME, + .get = timens_for_children_get, + .put = timens_put, -- 2.47.3