From d04ed8164d4f17844eaf8a84d9da8bafd7b96997 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 14 Apr 2020 16:43:15 +0200 Subject: [PATCH] 5.5-stable patches added patches: crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch --- ...x-scatterlist-linearization-for-hash.patch | 113 ++++++++++++++++++ ...-refcounting-bug-in-crypto_rng_reset.patch | 43 +++++++ queue-5.5/series | 2 + 3 files changed, 158 insertions(+) create mode 100644 queue-5.5/crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch create mode 100644 queue-5.5/crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch diff --git a/queue-5.5/crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch b/queue-5.5/crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch new file mode 100644 index 00000000000..ebc28f4c1e9 --- /dev/null +++ b/queue-5.5/crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch @@ -0,0 +1,113 @@ +From fa03481b6e2e82355c46644147b614f18c7a8161 Mon Sep 17 00:00:00 2001 +From: Rosioru Dragos +Date: Tue, 25 Feb 2020 17:05:52 +0200 +Subject: crypto: mxs-dcp - fix scatterlist linearization for hash +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rosioru Dragos + +commit fa03481b6e2e82355c46644147b614f18c7a8161 upstream. + +The incorrect traversal of the scatterlist, during the linearization phase +lead to computing the hash value of the wrong input buffer. +New implementation uses scatterwalk_map_and_copy() +to address this issue. + +Cc: +Fixes: 15b59e7c3733 ("crypto: mxs - Add Freescale MXS DCP driver") +Signed-off-by: Rosioru Dragos +Reviewed-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/mxs-dcp.c | 54 ++++++++++++++++++++++------------------------- + 1 file changed, 26 insertions(+), 28 deletions(-) + +--- a/drivers/crypto/mxs-dcp.c ++++ b/drivers/crypto/mxs-dcp.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + + #define DCP_MAX_CHANS 4 + #define DCP_BUF_SZ PAGE_SIZE +@@ -621,49 +622,46 @@ static int dcp_sha_req_to_buf(struct cry + struct dcp_async_ctx *actx = crypto_ahash_ctx(tfm); + struct dcp_sha_req_ctx *rctx = ahash_request_ctx(req); + struct hash_alg_common *halg = crypto_hash_alg_common(tfm); +- const int nents = sg_nents(req->src); + + uint8_t *in_buf = sdcp->coh->sha_in_buf; + uint8_t *out_buf = sdcp->coh->sha_out_buf; + +- uint8_t *src_buf; +- + struct scatterlist *src; + +- unsigned int i, len, clen; ++ unsigned int i, len, clen, oft = 0; + int ret; + + int fin = rctx->fini; + if (fin) + rctx->fini = 0; + +- for_each_sg(req->src, src, nents, i) { +- src_buf = sg_virt(src); +- len = sg_dma_len(src); ++ src = req->src; ++ len = req->nbytes; + +- do { +- if (actx->fill + len > DCP_BUF_SZ) +- clen = DCP_BUF_SZ - actx->fill; +- else +- clen = len; ++ while (len) { ++ if (actx->fill + len > DCP_BUF_SZ) ++ clen = DCP_BUF_SZ - actx->fill; ++ else ++ clen = len; + +- memcpy(in_buf + actx->fill, src_buf, clen); +- len -= clen; +- src_buf += clen; +- actx->fill += clen; ++ scatterwalk_map_and_copy(in_buf + actx->fill, src, oft, clen, ++ 0); + +- /* +- * If we filled the buffer and still have some +- * more data, submit the buffer. +- */ +- if (len && actx->fill == DCP_BUF_SZ) { +- ret = mxs_dcp_run_sha(req); +- if (ret) +- return ret; +- actx->fill = 0; +- rctx->init = 0; +- } +- } while (len); ++ len -= clen; ++ oft += clen; ++ actx->fill += clen; ++ ++ /* ++ * If we filled the buffer and still have some ++ * more data, submit the buffer. ++ */ ++ if (len && actx->fill == DCP_BUF_SZ) { ++ ret = mxs_dcp_run_sha(req); ++ if (ret) ++ return ret; ++ actx->fill = 0; ++ rctx->init = 0; ++ } + } + + if (fin) { diff --git a/queue-5.5/crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch b/queue-5.5/crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch new file mode 100644 index 00000000000..48a048d94dd --- /dev/null +++ b/queue-5.5/crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch @@ -0,0 +1,43 @@ +From eed74b3eba9eda36d155c11a12b2b4b50c67c1d8 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 20 Jan 2020 17:38:04 +0300 +Subject: crypto: rng - Fix a refcounting bug in crypto_rng_reset() + +From: Dan Carpenter + +commit eed74b3eba9eda36d155c11a12b2b4b50c67c1d8 upstream. + +We need to decrement this refcounter on these error paths. + +Fixes: f7d76e05d058 ("crypto: user - fix use_after_free of struct xxx_request") +Cc: +Signed-off-by: Dan Carpenter +Acked-by: Neil Horman +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/rng.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/crypto/rng.c ++++ b/crypto/rng.c +@@ -37,12 +37,16 @@ int crypto_rng_reset(struct crypto_rng * + crypto_stats_get(alg); + if (!seed && slen) { + buf = kmalloc(slen, GFP_KERNEL); +- if (!buf) ++ if (!buf) { ++ crypto_alg_put(alg); + return -ENOMEM; ++ } + + err = get_random_bytes_wait(buf, slen); +- if (err) ++ if (err) { ++ crypto_alg_put(alg); + goto out; ++ } + seed = buf; + } + diff --git a/queue-5.5/series b/queue-5.5/series index 0518c6d6793..e546311cbbd 100644 --- a/queue-5.5/series +++ b/queue-5.5/series @@ -168,3 +168,5 @@ btrfs-use-nofs-allocations-for-running-delayed-items.patch remoteproc-qcom_q6v5_mss-don-t-reassign-mpss-region-on-shutdown.patch remoteproc-qcom_q6v5_mss-reload-the-mba-region-on-coredump.patch remoteproc-fix-null-pointer-dereference-in-rproc_virtio_notify.patch +crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch +crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch -- 2.47.3