5.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 14 Apr 2020 14:43:31 +0000 (16:43 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 14 Apr 2020 14:43:31 +0000 (16:43 +0200)
added patches:
crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch
crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch
time-namespace-add-max_time_namespaces-ucount.patch
time-namespace-fix-time_for_children-symlink.patch

queue-5.6/crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch [new file with mode: 0644]
queue-5.6/crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch [new file with mode: 0644]
queue-5.6/series
queue-5.6/time-namespace-add-max_time_namespaces-ucount.patch [new file with mode: 0644]
queue-5.6/time-namespace-fix-time_for_children-symlink.patch [new file with mode: 0644]

diff --git a/queue-5.6/crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch b/queue-5.6/crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch
new file mode 100644 (file)
index 0000000..4a835dd
--- /dev/null
@@ -0,0 +1,113 @@
+From fa03481b6e2e82355c46644147b614f18c7a8161 Mon Sep 17 00:00:00 2001
+From: Rosioru Dragos <dragos.rosioru@nxp.com>
+Date: Tue, 25 Feb 2020 17:05:52 +0200
+Subject: crypto: mxs-dcp - fix scatterlist linearization for hash
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rosioru Dragos <dragos.rosioru@nxp.com>
+
+commit fa03481b6e2e82355c46644147b614f18c7a8161 upstream.
+
+The incorrect traversal of the scatterlist, during the linearization phase
+lead to computing the hash value of the wrong input buffer.
+New implementation uses scatterwalk_map_and_copy()
+to address this issue.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 15b59e7c3733 ("crypto: mxs - Add Freescale MXS DCP driver")
+Signed-off-by: Rosioru Dragos <dragos.rosioru@nxp.com>
+Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/mxs-dcp.c |   54 ++++++++++++++++++++++-------------------------
+ 1 file changed, 26 insertions(+), 28 deletions(-)
+
+--- a/drivers/crypto/mxs-dcp.c
++++ b/drivers/crypto/mxs-dcp.c
+@@ -20,6 +20,7 @@
+ #include <crypto/sha.h>
+ #include <crypto/internal/hash.h>
+ #include <crypto/internal/skcipher.h>
++#include <crypto/scatterwalk.h>
+ #define DCP_MAX_CHANS 4
+ #define DCP_BUF_SZ    PAGE_SIZE
+@@ -611,49 +612,46 @@ static int dcp_sha_req_to_buf(struct cry
+       struct dcp_async_ctx *actx = crypto_ahash_ctx(tfm);
+       struct dcp_sha_req_ctx *rctx = ahash_request_ctx(req);
+       struct hash_alg_common *halg = crypto_hash_alg_common(tfm);
+-      const int nents = sg_nents(req->src);
+       uint8_t *in_buf = sdcp->coh->sha_in_buf;
+       uint8_t *out_buf = sdcp->coh->sha_out_buf;
+-      uint8_t *src_buf;
+-
+       struct scatterlist *src;
+-      unsigned int i, len, clen;
++      unsigned int i, len, clen, oft = 0;
+       int ret;
+       int fin = rctx->fini;
+       if (fin)
+               rctx->fini = 0;
+-      for_each_sg(req->src, src, nents, i) {
+-              src_buf = sg_virt(src);
+-              len = sg_dma_len(src);
++      src = req->src;
++      len = req->nbytes;
+-              do {
+-                      if (actx->fill + len > DCP_BUF_SZ)
+-                              clen = DCP_BUF_SZ - actx->fill;
+-                      else
+-                              clen = len;
++      while (len) {
++              if (actx->fill + len > DCP_BUF_SZ)
++                      clen = DCP_BUF_SZ - actx->fill;
++              else
++                      clen = len;
+-                      memcpy(in_buf + actx->fill, src_buf, clen);
+-                      len -= clen;
+-                      src_buf += clen;
+-                      actx->fill += clen;
++              scatterwalk_map_and_copy(in_buf + actx->fill, src, oft, clen,
++                                       0);
+-                      /*
+-                       * If we filled the buffer and still have some
+-                       * more data, submit the buffer.
+-                       */
+-                      if (len && actx->fill == DCP_BUF_SZ) {
+-                              ret = mxs_dcp_run_sha(req);
+-                              if (ret)
+-                                      return ret;
+-                              actx->fill = 0;
+-                              rctx->init = 0;
+-                      }
+-              } while (len);
++              len -= clen;
++              oft += clen;
++              actx->fill += clen;
++
++              /*
++               * If we filled the buffer and still have some
++               * more data, submit the buffer.
++               */
++              if (len && actx->fill == DCP_BUF_SZ) {
++                      ret = mxs_dcp_run_sha(req);
++                      if (ret)
++                              return ret;
++                      actx->fill = 0;
++                      rctx->init = 0;
++              }
+       }
+       if (fin) {
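Review bot: The chunk-size test `if (actx->fill + len > DCP_BUF_SZ)` in the new `while (len)` loop adds two unsigned values before comparing them, so if both are 32-bit the sum can wrap for a very large `req->nbytes`; the `else` branch then sets `clen = len` and `scatterwalk_map_and_copy()` writes that many bytes into `in_buf`. The test is carried over from the old loop, but `len` now holds the whole request length instead of one scatterlist entry, so the copy is better bounded by the space that is left: `clen = min_t(unsigned int, len, DCP_BUF_SZ - actx->fill);`. That form relies on `actx->fill` never exceeding `DCP_BUF_SZ`, which the visible reset to 0 suggests but which depends on code outside the hunk. `dcp_sha_req_to_buf()` starts before and continues after the lines shown.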
diff --git a/queue-5.6/crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch b/queue-5.6/crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch
new file mode 100644 (file)
index 0000000..48a048d
--- /dev/null
@@ -0,0 +1,43 @@
+From eed74b3eba9eda36d155c11a12b2b4b50c67c1d8 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 20 Jan 2020 17:38:04 +0300
+Subject: crypto: rng - Fix a refcounting bug in crypto_rng_reset()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit eed74b3eba9eda36d155c11a12b2b4b50c67c1d8 upstream.
+
+We need to decrement this refcounter on these error paths.
+
+Fixes: f7d76e05d058 ("crypto: user - fix use_after_free of struct xxx_request")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/rng.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/crypto/rng.c
++++ b/crypto/rng.c
+@@ -37,12 +37,16 @@ int crypto_rng_reset(struct crypto_rng *
+       crypto_stats_get(alg);
+       if (!seed && slen) {
+               buf = kmalloc(slen, GFP_KERNEL);
+-              if (!buf)
++              if (!buf) {
++                      crypto_alg_put(alg);
+                       return -ENOMEM;
++              }
+               err = get_random_bytes_wait(buf, slen);
+-              if (err)
++              if (err) {
++                      crypto_alg_put(alg);
+                       goto out;
++              }
+               seed = buf;
+       }
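Review bot: The new `crypto_alg_put(alg)` is written out twice, before `return -ENOMEM` and before `goto out`, and nothing at the `crypto_stats_get(alg)` call says which exits must drop the reference. A comment above that call would make the pairing explicit, for example `/* takes a reference on alg; every exit that skips the stats update must drop it */`; which call releases the reference on the normal path is outside the hunk, so the wording should be checked against the rest of `crypto_rng_reset()`. The allocation failure returns directly while the `get_random_bytes_wait()` failure goes through `out`, so a single error label that performs the put would keep the two paths symmetrical. `buf` holds seed material and its release is not visible here, so it is worth confirming that the `out` path clears it before freeing.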
index b3452b966de0ede3cbfef32959cdcc110616540e..46143a50856772f763b78e4bebb2652445819fe7 100644 (file)
@@ -159,3 +159,7 @@ btrfs-use-nofs-allocations-for-running-delayed-items.patch
 remoteproc-qcom_q6v5_mss-don-t-reassign-mpss-region-on-shutdown.patch
 remoteproc-qcom_q6v5_mss-reload-the-mba-region-on-coredump.patch
 remoteproc-fix-null-pointer-dereference-in-rproc_virtio_notify.patch
+time-namespace-fix-time_for_children-symlink.patch
+time-namespace-add-max_time_namespaces-ucount.patch
+crypto-rng-fix-a-refcounting-bug-in-crypto_rng_reset.patch
+crypto-mxs-dcp-fix-scatterlist-linearization-for-hash.patch
diff --git a/queue-5.6/time-namespace-add-max_time_namespaces-ucount.patch b/queue-5.6/time-namespace-add-max_time_namespaces-ucount.patch
new file mode 100644 (file)
index 0000000..460fd66
--- /dev/null
@@ -0,0 +1,61 @@
+From eeec26d5da8248ea4e240b8795bb4364213d3247 Mon Sep 17 00:00:00 2001
+From: Dmitry Safonov <dima@arista.com>
+Date: Mon, 6 Apr 2020 18:13:42 +0100
+Subject: time/namespace: Add max_time_namespaces ucount
+
+From: Dmitry Safonov <dima@arista.com>
+
+commit eeec26d5da8248ea4e240b8795bb4364213d3247 upstream.
+
+Michael noticed that userns limit for number of time namespaces is missing.
+
+Furthermore, time namespace introduced UCOUNT_TIME_NAMESPACES, but didn't
+introduce an array member in user_table[]. It would make array's
+initialisation OOB write, but by luck the user_table array has an excessive
+empty member (all accesses to the array are limited with UCOUNT_COUNTS - so
+it silently reuses the last free member.
+
+Fixes user-visible regression: max_inotify_instances by reason of the
+missing UCOUNT_ENTRY() has limited max number of namespaces instead of the
+number of inotify instances.
+
+Fixes: 769071ac9f20 ("ns: Introduce Time Namespace")
+Reported-by: Michael Kerrisk (man-pages) <mtk.manpages@gmail.com>
+Signed-off-by: Dmitry Safonov <dima@arista.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Andrei Vagin <avagin@gmail.com>
+Acked-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Cc: stable@kernel.org
+Link: https://lkml.kernel.org/r/20200406171342.128733-1-dima@arista.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/admin-guide/sysctl/user.rst |    6 ++++++
+ kernel/ucount.c                           |    1 +
+ 2 files changed, 7 insertions(+)
+
+--- a/Documentation/admin-guide/sysctl/user.rst
++++ b/Documentation/admin-guide/sysctl/user.rst
+@@ -65,6 +65,12 @@ max_pid_namespaces
+   The maximum number of pid namespaces that any user in the current
+   user namespace may create.
++max_time_namespaces
++===================
++
++  The maximum number of time namespaces that any user in the current
++  user namespace may create.
++
+ max_user_namespaces
+ ===================
+--- a/kernel/ucount.c
++++ b/kernel/ucount.c
+@@ -69,6 +69,7 @@ static struct ctl_table user_table[] = {
+       UCOUNT_ENTRY("max_net_namespaces"),
+       UCOUNT_ENTRY("max_mnt_namespaces"),
+       UCOUNT_ENTRY("max_cgroup_namespaces"),
++      UCOUNT_ENTRY("max_time_namespaces"),
+ #ifdef CONFIG_INOTIFY_USER
+       UCOUNT_ENTRY("max_inotify_instances"),
+       UCOUNT_ENTRY("max_inotify_watches"),
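Review bot: Nothing in the `kernel/ucount.c` change stops the same mismatch from recurring, because `user_table[]` still has to be kept in step with the ucount enum by hand. The description above says the missing entry went unnoticed only because the array happened to have a spare slot. A compile-time check next to the table would catch the next omission, for example `BUILD_BUG_ON(ARRAY_SIZE(user_table) != UCOUNT_COUNTS + 1);` in the function that registers the table, with the `+ 1` adjusted to whatever terminator the array actually carries. The array definition and its users lie outside the hunk, so the exact expected count needs checking there.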
diff --git a/queue-5.6/time-namespace-fix-time_for_children-symlink.patch b/queue-5.6/time-namespace-fix-time_for_children-symlink.patch
new file mode 100644 (file)
index 0000000..58b7e9b
--- /dev/null
@@ -0,0 +1,51 @@
+From b801f1e22c23c259d6a2c955efddd20370de19a6 Mon Sep 17 00:00:00 2001
+From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
+Date: Fri, 3 Apr 2020 14:11:39 +0200
+Subject: time/namespace: Fix time_for_children symlink
+
+From: Michael Kerrisk (man-pages) <mtk.manpages@gmail.com>
+
+commit b801f1e22c23c259d6a2c955efddd20370de19a6 upstream.
+
+Looking at the contents of the /proc/PID/ns/time_for_children symlink shows
+an anomaly:
+
+$ ls -l /proc/self/ns/* |awk '{print $9, $10, $11}'
+...
+/proc/self/ns/pid -> pid:[4026531836]
+/proc/self/ns/pid_for_children -> pid:[4026531836]
+/proc/self/ns/time -> time:[4026531834]
+/proc/self/ns/time_for_children -> time_for_children:[4026531834]
+/proc/self/ns/user -> user:[4026531837]
+...
+
+The reference for 'time_for_children' should be a 'time' namespace, just as
+the reference for 'pid_for_children' is a 'pid' namespace.  In other words,
+the above time_for_children link should read:
+
+/proc/self/ns/time_for_children -> time:[4026531834]
+
+Fixes: 769071ac9f20 ("ns: Introduce Time Namespace")
+Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Dmitry Safonov <dima@arista.com>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Acked-by: Andrei Vagin <avagin@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/a2418c48-ed80-3afe-116e-6611cb799557@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/namespace.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/time/namespace.c
++++ b/kernel/time/namespace.c
+@@ -446,6 +446,7 @@ const struct proc_ns_operations timens_o
+ const struct proc_ns_operations timens_for_children_operations = {
+       .name           = "time_for_children",
++      .real_ns_name   = "time",
+       .type           = CLONE_NEWTIME,
+       .get            = timens_for_children_get,
+       .put            = timens_put,
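Review bot: The added `.real_ns_name = "time"` carries no comment, so the reason for it lives only in the commit message. A one-line comment on the initializer, such as `/* symlink target must name the real namespace type, as pid_for_children does */`, would keep the rationale next to the field for anyone adding another `*_for_children` entry. The initializer of `timens_for_children_operations` continues past the last line shown.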