1. 22 May, 2019 40 commits
    • Gilad Ben-Yossef's avatar
      crypto: ccree - remove special handling of chained sg · 5109c133
      Gilad Ben-Yossef authored
      commit c4b22bf5 upstream.
      
      We were handling chained scattergather lists with specialized code
      needlessly as the regular sg APIs handle them just fine. The code
      handling this also had an (unused) code path with a use-before-init
      error, flagged by Coverity.
      
      Remove all special handling of chained sg and leave their handling
      to the regular sg APIs.
      Signed-off-by: default avatarGilad Ben-Yossef <gilad@benyossef.com>
      Cc: stable@vger.kernel.org # v4.19+
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5109c133
    • Daniel Borkmann's avatar
      bpf: fix out of bounds backwards jmps due to dead code removal · 0e643cb0
      Daniel Borkmann authored
      commit af959b18 upstream.
      
      systemtap folks reported the following splat recently:
      
        [ 7790.862212] WARNING: CPU: 3 PID: 26759 at arch/x86/kernel/kprobes/core.c:1022 kprobe_fault_handler+0xec/0xf0
        [...]
        [ 7790.864113] CPU: 3 PID: 26759 Comm: sshd Not tainted 5.1.0-0.rc7.git1.1.fc31.x86_64 #1
        [ 7790.864198] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS[...]
        [ 7790.864314] RIP: 0010:kprobe_fault_handler+0xec/0xf0
        [ 7790.864375] Code: 48 8b 50 [...]
        [ 7790.864714] RSP: 0018:ffffc06800bdbb48 EFLAGS: 00010082
        [ 7790.864812] RAX: ffff9e2b75a16320 RBX: 0000000000000000 RCX: 0000000000000000
        [ 7790.865306] RDX: ffffffffffffffff RSI: 000000000000000e RDI: ffffc06800bdbbf8
        [ 7790.865514] RBP: ffffc06800bdbbf8 R08: 0000000000000000 R09: 0000000000000000
        [ 7790.865960] R10: 0000000000000000 R11: 0000000000000000 R12: ffffc06800bdbbf8
        [ 7790.866037] R13: ffff9e2ab56a0418 R14: ffff9e2b6d0bb400 R15: ffff9e2b6d268000
        [ 7790.866114] FS:  00007fde49937d80(0000) GS:ffff9e2b75a00000(0000) knlGS:0000000000000000
        [ 7790.866193] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        [ 7790.866318] CR2: 0000000000000000 CR3: 000000012f312000 CR4: 00000000000006e0
        [ 7790.866419] Call Trace:
        [ 7790.866677]  do_user_addr_fault+0x64/0x480
        [ 7790.867513]  do_page_fault+0x33/0x210
        [ 7790.868002]  async_page_fault+0x1e/0x30
        [ 7790.868071] RIP: 0010:          (null)
        [ 7790.868144] Code: Bad RIP value.
        [ 7790.868229] RSP: 0018:ffffc06800bdbca8 EFLAGS: 00010282
        [ 7790.868362] RAX: ffff9e2b598b60f8 RBX: ffffc06800bdbe48 RCX: 0000000000000004
        [ 7790.868629] RDX: 0000000000000004 RSI: ffffc06800bdbc6c RDI: ffff9e2b598b60f0
        [ 7790.868834] RBP: ffffc06800bdbcf8 R08: 0000000000000000 R09: 0000000000000004
        [ 7790.870432] R10: 00000000ff6f7a03 R11: 0000000000000000 R12: 0000000000000001
        [ 7790.871859] R13: ffffc06800bdbcb8 R14: 0000000000000000 R15: ffff9e2acd0a5310
        [ 7790.873455]  ? vfs_read+0x5/0x170
        [ 7790.874639]  ? vfs_read+0x1/0x170
        [ 7790.875834]  ? trace_call_bpf+0xf6/0x260
        [ 7790.877044]  ? vfs_read+0x1/0x170
        [ 7790.878208]  ? vfs_read+0x5/0x170
        [ 7790.879345]  ? kprobe_perf_func+0x233/0x260
        [ 7790.880503]  ? vfs_read+0x1/0x170
        [ 7790.881632]  ? vfs_read+0x5/0x170
        [ 7790.882751]  ? kprobe_ftrace_handler+0x92/0xf0
        [ 7790.883926]  ? __vfs_read+0x30/0x30
        [ 7790.885050]  ? ftrace_ops_assist_func+0x94/0x100
        [ 7790.886183]  ? vfs_read+0x1/0x170
        [ 7790.887283]  ? vfs_read+0x5/0x170
        [ 7790.888348]  ? ksys_read+0x5a/0xe0
        [ 7790.889389]  ? do_syscall_64+0x5c/0xa0
        [ 7790.890401]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      After some debugging, turns out that the logic in 2cbd95a5
      ("bpf: change parameters of call/branch offset adjustment") has
      a bug that is exposed after 52875a04 ("bpf: verifier: remove
      dead code") in that we miss some of the jump offset adjustments
      after code patching when we remove dead code, more concretely,
      upon backward jump spanning over the area that is being removed.
      
      BPF insns of a case that was hit pre 52875a04:
      
        [...]
        676: (85) call bpf_perf_event_output#-47616
        677: (05) goto pc-636
        678: (62) *(u32 *)(r10 -64) = 0
        679: (bf) r7 = r10
        680: (07) r7 += -64
        681: (05) goto pc-44
        682: (05) goto pc-1
        683: (05) goto pc-1
      
      BPF insns afterwards:
      
        [...]
        618: (85) call bpf_perf_event_output#-47616
        619: (05) goto pc-638
        620: (62) *(u32 *)(r10 -64) = 0
        621: (bf) r7 = r10
        622: (07) r7 += -64
        623: (05) goto pc-44
      
      To illustrate the bug, situation looks as follows:
           ____
        0 |    | <-- foo: [...]
        1 |____|
        2 |____| <-- pos / end_new  ^
        3 |    |                    |
        4 |    |                    |  len
        5 |____|                    |  (remove region)
        6 |    | <-- end_old        v
        7 |    |
        8 |    | <-- curr  (jmp foo)
        9 |____|
      
      The condition curr >= end_new && curr + off + 1 < end_new in the
      branch delta adjustments is never hit because curr + off + 1 <
      end_new is compared as unsigned and therefore curr + off + 1 >
      end_new in unsigned realm as curr + off + 1 becomes negative
      since the insns are memmove()'d before the offset adjustments.
      
      Correct BPF insns after this fix:
      
        [...]
        618: (85) call bpf_perf_event_output#-47216
        619: (05) goto pc-578
        620: (62) *(u32 *)(r10 -64) = 0
        621: (bf) r7 = r10
        622: (07) r7 += -64
        623: (05) goto pc-44
      
      Note that unprivileged case is not affected from this.
      
      Fixes: 52875a04 ("bpf: verifier: remove dead code")
      Fixes: 2cbd95a5 ("bpf: change parameters of call/branch offset adjustment")
      Reported-by: default avatarFrank Ch. Eigler <fche@redhat.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Reviewed-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0e643cb0
    • Daniel Borkmann's avatar
      bpf, arm64: remove prefetch insn in xadd mapping · f413abcc
      Daniel Borkmann authored
      commit 8968c67a upstream.
      
      Prefetch-with-intent-to-write is currently part of the XADD mapping in
      the AArch64 JIT and follows the kernel's implementation of atomic_add.
      This may interfere with other threads executing the LDXR/STXR loop,
      leading to potential starvation and fairness issues. Drop the optional
      prefetch instruction.
      
      Fixes: 85f68fe8 ("bpf, arm64: implement jiting of BPF_XADD")
      Reported-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJean-Philippe Brucker <jean-philippe.brucker@arm.com>
      Acked-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f413abcc
    • Libin Yang's avatar
      ASoC: codec: hdac_hdmi add device_link to card device · 828016b0
      Libin Yang authored
      commit 01c83276 upstream.
      
      In resume from S3, HDAC HDMI codec driver dapm event callback may be
      operated before HDMI codec driver turns on the display audio power
      domain because of the contest between display driver and hdmi codec driver.
      
      This patch adds the device_link between soc card device (consumer) and
      hdmi codec device (supplier) to make sure the sequence is always correct.
      Signed-off-by: default avatarLibin Yang <libin.yang@intel.com>
      Reviewed-by: default avatarTakashi Iwai <tiwai@suse.de>
      Acked-by: default avatarPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      828016b0
    • S.j. Wang's avatar
      ASoC: fsl_esai: Fix missing break in switch statement · 14ba4564
      S.j. Wang authored
      commit 903c220b upstream.
      
      case ESAI_HCKT_EXTAL and case ESAI_HCKR_EXTAL should be
      independent of each other, so replace fall-through with break.
      
      Fixes: 43d24e76 ("ASoC: fsl_esai: Add ESAI CPU DAI driver")
      Signed-off-by: default avatarShengjiu Wang <shengjiu.wang@nxp.com>
      Acked-by: default avatarNicolin Chen <nicoleotsuka@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      14ba4564
    • Curtis Malainey's avatar
      ASoC: RT5677-SPI: Disable 16Bit SPI Transfers · 4acbe6f5
      Curtis Malainey authored
      commit a46eb523 upstream.
      
      The current algorithm allows 3 types of transfers, 16bit, 32bit and
      burst. According to Realtek, 16bit transfers have a special restriction
      in that it is restricted to the memory region of
      0x18020000 ~ 0x18021000. This region is the memory location of the I2C
      registers. The current algorithm does not uphold this restriction and
      therefore fails to complete writes.
      
      Since this has been broken for some time it likely no one is using it.
      Better to simply disable the 16 bit writes. This will allow users to
      properly load firmware over SPI without data corruption.
      Signed-off-by: default avatarCurtis Malainey <cujomalainey@chromium.org>
      Reviewed-by: default avatarBen Zhang <benzh@chromium.org>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4acbe6f5
    • Jon Hunter's avatar
      ASoC: max98090: Fix restore of DAPM Muxes · a3514ce3
      Jon Hunter authored
      commit ecb2795c upstream.
      
      The max98090 driver defines 3 DAPM muxes; one for the right line output
      (LINMOD Mux), one for the left headphone mixer source (MIXHPLSEL Mux)
      and one for the right headphone mixer source (MIXHPRSEL Mux). The same
      bit is used for the mux as well as the DAPM enable, and although the mux
      can be correctly configured, after playback has completed, the mux will
      be reset during the disable phase. This is preventing the state of these
      muxes from being saved and restored correctly on system reboot. Fix this
      by marking these muxes as SND_SOC_NOPM.
      
      Note this has been verified this on the Tegra124 Nyan Big which features
      the MAX98090 codec.
      Signed-off-by: default avatarJon Hunter <jonathanh@nvidia.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a3514ce3
    • Jeremy Soller's avatar
      ALSA: hdea/realtek - Headset fixup for System76 Gazelle (gaze14) · 9e7b5cf1
      Jeremy Soller authored
      commit 80a5052d upstream.
      
      On the System76 Gazelle (gaze14), there is a headset microphone input
      attached to 0x1a that does not have a jack detect. In order to get it
      working, the pin configuration needs to be set correctly, and the
      ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC fixup needs to be applied. This is
      identical to the patch already applied for the System76 Darter Pro
      (darp5).
      Signed-off-by: default avatarJeremy Soller <jeremy@system76.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9e7b5cf1
    • Kailang Yang's avatar
      ALSA: hda/realtek - EAPD turn on later · 7d2e0a8c
      Kailang Yang authored
      commit 607ca3bd upstream.
      
      Let EAPD turn on after set pin output.
      
      [ NOTE: This change is supposed to reduce the possible click noises at
        (runtime) PM resume.  The functionality should be same (i.e. the
        verbs are executed correctly) no matter which order is, so this
        should be safe to apply for all codecs -- tiwai ]
      Signed-off-by: default avatarKailang Yang <kailang@realtek.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7d2e0a8c
    • Hui Wang's avatar
      ALSA: hda/hdmi - Consider eld_valid when reporting jack event · 127f4cbf
      Hui Wang authored
      commit 7f641e26 upstream.
      
      On the machines with AMD GPU or Nvidia GPU, we often meet this issue:
      after s3, there are 4 HDMI/DP audio devices in the gnome-sound-setting
      even there is no any monitors plugged.
      
      When this problem happens, we check the /proc/asound/cardX/eld#N.M, we
      will find the monitor_present=1, eld_valid=0.
      
      The root cause is BIOS or GPU driver makes the PRESENCE valid even no
      monitor plugged, and of course the driver will not get the valid
      eld_data subsequently.
      
      In this situation, we should not report the jack_plugged event, to do
      so, let us change the function hdmi_present_sense_via_verbs(). In this
      function, it reads the pin_sense via snd_hda_pin_sense(), after
      calling this function, the jack_dirty is 0, and before exiting
      via_verbs(), we change the shadow pin_sense according to both
      monitor_present and eld_valid, then in the snd_hda_jack_report_sync(),
      since the jack_dirty is still 0, it will report jack event according
      to this modified shadow pin_sense.
      
      After this change, the driver will not report Jack_is_plugged event
      through hdmi_present_sense_via_verbs() if monitor_present is 1 and
      eld_valid is 0.
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      127f4cbf
    • Hui Wang's avatar
      ALSA: hda/hdmi - Read the pin sense from register when repolling · c13e27dc
      Hui Wang authored
      commit 8c2e6728 upstream.
      
      The driver will check the monitor presence when resuming from suspend,
      starting poll or interrupt triggers. In these 3 situations, the
      jack_dirty will be set to 1 first, then the hda_jack.c reads the
      pin_sense from register, after reading the register, the jack_dirty
      will be set to 0. But hdmi_repoll_work() is enabled in these 3
      situations, It will read the pin_sense a couple of times subsequently,
      since the jack_dirty is 0 now, It does not read the register anymore,
      instead it uses the shadow pin_sense which is read at the first time.
      
      It is meaningless to check the shadow pin_sense a couple of times,
      we need to read the register to check the real plugging state, so
      we set the jack_dirty to 1 in the hdmi_repoll_work().
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c13e27dc
    • Wenwen Wang's avatar
      ALSA: usb-audio: Fix a memory leak bug · 5d981f0b
      Wenwen Wang authored
      commit cb517359 upstream.
      
      In parse_audio_selector_unit(), the string array 'namelist' is allocated
      through kmalloc_array(), and each string pointer in this array, i.e.,
      'namelist[]', is allocated through kmalloc() in the following for loop.
      Then, a control instance 'kctl' is created by invoking snd_ctl_new1(). If
      an error occurs during the creation process, the string array 'namelist',
      including all string pointers in the array 'namelist[]', should be freed,
      before the error code ENOMEM is returned. However, the current code does
      not free 'namelist[]', resulting in memory leaks.
      
      To fix the above issue, free all string pointers 'namelist[]' in a loop.
      Signed-off-by: default avatarWenwen Wang <wang6495@umn.edu>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5d981f0b
    • Takashi Iwai's avatar
      ALSA: line6: toneport: Fix broken usage of timer for delayed execution · 2c37e50c
      Takashi Iwai authored
      commit 7f84ff68 upstream.
      
      The line6 toneport driver has code for some delayed initialization,
      and this hits the kernel Oops because mutex and other sleepable
      functions are used in the timer callback.  Fix the abuse by a delayed
      work instead so that everything works gracefully.
      
      Reported-by: syzbot+a07d0142e74fdd595cfb@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2c37e50c
    • Adrian Hunter's avatar
      mmc: sdhci-pci: Fix BYT OCP setting · 06f26edf
      Adrian Hunter authored
      commit 0a49a619 upstream.
      
      Some time ago, a fix was done for the sdhci-acpi driver, refer
      commit 6e1c7d61 ("mmc: sdhci-acpi: Reduce Baytrail eMMC/SD/SDIO
      hangs"). The same issue was not expected to affect the sdhci-pci driver,
      but there have been reports to the contrary, so make the same hardware
      setting change.
      
      This patch applies to v5.0+ but before that backports will be required.
      Signed-off-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      06f26edf
    • Raul E Rangel's avatar
      mmc: core: Fix tag set memory leak · 370ac7e1
      Raul E Rangel authored
      commit 43d8dabb upstream.
      
      The tag set is allocated in mmc_init_queue but never freed. This results
      in a memory leak. This change makes sure we free the tag set when the
      queue is also freed.
      Signed-off-by: default avatarRaul E Rangel <rrangel@chromium.org>
      Reviewed-by: default avatarJens Axboe <axboe@kernel.dk>
      Acked-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Fixes: 81196976 ("mmc: block: Add blk-mq support")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      370ac7e1
    • Sowjanya Komatineni's avatar
      mmc: tegra: fix ddr signaling for non-ddr modes · dba538e5
      Sowjanya Komatineni authored
      commit 92cd1667 upstream.
      
      ddr_signaling is set to true for DDR50 and DDR52 modes but is
      not set back to false for other modes. This programs incorrect
      host clock when mode change happens from DDR52/DDR50 to other
      SDR or HS modes like incase of mmc_retune where it switches
      from HS400 to HS DDR and then from HS DDR to HS mode and then
      to HS200.
      
      This patch fixes the ddr_signaling to set properly for non DDR
      modes.
      Tested-by: default avatarJon Hunter <jonathanh@nvidia.com>
      Acked-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Signed-off-by: default avatarSowjanya Komatineni <skomatineni@nvidia.com>
      Cc: stable@vger.kernel.org # v4.20 +
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dba538e5
    • Christoph Muellner's avatar
      dt-bindings: mmc: Add disable-cqe-dcmd property. · c625191a
      Christoph Muellner authored
      commit 28f22fb7 upstream.
      
      Add disable-cqe-dcmd as optional property for MMC hosts.
      This property allows to disable or not enable the direct command
      features of the command queue engine.
      Signed-off-by: default avatarChristoph Muellner <christoph.muellner@theobroma-systems.com>
      Signed-off-by: default avatarPhilipp Tomsich <philipp.tomsich@theobroma-systems.com>
      Fixes: 84362d79 ("mmc: sdhci-of-arasan: Add CQHCI support for arasan,sdhci-5.1")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c625191a
    • Aneesh Kumar K.V's avatar
      drivers/dax: Allow to include DEV_DAX_PMEM as builtin · bf857bc5
      Aneesh Kumar K.V authored
      commit 67476656 upstream.
      
      This move the dependency to DEV_DAX_PMEM_COMPAT such that only
      if DEV_DAX_PMEM is built as module we can allow the compat support.
      
      This allows to test the new code easily in a emulation setup where we
      often build things without module support.
      
      Cc: <stable@vger.kernel.org>
      Fixes: 730926c3 ("device-dax: Add /sys/class/dax backwards compatibility")
      Signed-off-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bf857bc5
    • Eric Biggers's avatar
      crypto: arm64/aes-neonbs - don't access already-freed walk.iv · 7ea9b157
      Eric Biggers authored
      commit 4a8108b7 upstream.
      
      If the user-provided IV needs to be aligned to the algorithm's
      alignmask, then skcipher_walk_virt() copies the IV into a new aligned
      buffer walk.iv.  But skcipher_walk_virt() can fail afterwards, and then
      if the caller unconditionally accesses walk.iv, it's a use-after-free.
      
      xts-aes-neonbs doesn't set an alignmask, so currently it isn't affected
      by this despite unconditionally accessing walk.iv.  However this is more
      subtle than desired, and unconditionally accessing walk.iv has caused a
      real problem in other algorithms.  Thus, update xts-aes-neonbs to start
      checking the return value of skcipher_walk_virt().
      
      Fixes: 1abee99e ("crypto: arm64/aes - reimplement bit-sliced ARM/NEON implementation for arm64")
      Cc: <stable@vger.kernel.org> # v4.11+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7ea9b157
    • Eric Biggers's avatar
      crypto: arm/aes-neonbs - don't access already-freed walk.iv · ce28ca41
      Eric Biggers authored
      commit 767f015e upstream.
      
      If the user-provided IV needs to be aligned to the algorithm's
      alignmask, then skcipher_walk_virt() copies the IV into a new aligned
      buffer walk.iv.  But skcipher_walk_virt() can fail afterwards, and then
      if the caller unconditionally accesses walk.iv, it's a use-after-free.
      
      arm32 xts-aes-neonbs doesn't set an alignmask, so currently it isn't
      affected by this despite unconditionally accessing walk.iv.  However
      this is more subtle than desired, and it was actually broken prior to
      the alignmask being removed by commit cc477bf6 ("crypto: arm/aes -
      replace bit-sliced OpenSSL NEON code").  Thus, update xts-aes-neonbs to
      start checking the return value of skcipher_walk_virt().
      
      Fixes: e4e7f10b ("ARM: add support for bit sliced AES using NEON instructions")
      Cc: <stable@vger.kernel.org> # v3.13+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ce28ca41
    • Horia Geantă's avatar
      crypto: caam/qi2 - generate hash keys in-place · 47062877
      Horia Geantă authored
      commit 418cd20e upstream.
      
      Commit 30724445 ("crypto: caam - generate hash keys in-place")
      fixed ahash implementation in caam/jr driver such that user-provided key
      buffer is not DMA mapped, since it's not guaranteed to be DMAable.
      
      Apply a similar fix for caam/qi2 driver.
      
      Cc: <stable@vger.kernel.org> # v4.20+
      Fixes: 3f16f6c9 ("crypto: caam/qi2 - add support for ahash algorithms")
      Signed-off-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      47062877
    • Horia Geantă's avatar
      crypto: caam/qi2 - fix DMA mapping of stack memory · 89d8cab7
      Horia Geantă authored
      commit 5965dc74 upstream.
      
      Commits c19650d6 ("crypto: caam - fix DMA mapping of stack memory")
      and 65055e21 ("crypto: caam - fix hash context DMA unmap size")
      fixed the ahash implementation in caam/jr driver such that req->result
      is not DMA-mapped (since it's not guaranteed to be DMA-able).
      
      Apply a similar fix for ahash implementation in caam/qi2 driver.
      
      Cc: <stable@vger.kernel.org> # v4.20+
      Fixes: 3f16f6c9 ("crypto: caam/qi2 - add support for ahash algorithms")
      Signed-off-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      89d8cab7
    • Horia Geantă's avatar
      crypto: caam/qi2 - fix zero-length buffer DMA mapping · 9ee4c5f2
      Horia Geantă authored
      commit 07586d3d upstream.
      
      Commit 04e6d25c ("crypto: caam - fix zero-length buffer DMA mapping")
      fixed an issue in caam/jr driver where ahash implementation was
      DMA mapping a zero-length buffer.
      
      Current commit applies a similar fix for caam/qi2 driver.
      
      Cc: <stable@vger.kernel.org> # v4.20+
      Fixes: 3f16f6c9 ("crypto: caam/qi2 - add support for ahash algorithms")
      Signed-off-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9ee4c5f2
    • Zhang Zhijie's avatar
      crypto: rockchip - update IV buffer to contain the next IV · af25d405
      Zhang Zhijie authored
      commit f0cfd57b upstream.
      
      The Kernel Crypto API request output the next IV data to
      IV buffer for CBC implementation. So the last block data of
      ciphertext should be copid into assigned IV buffer.
      Reported-by: default avatarEric Biggers <ebiggers@google.com>
      Fixes: 433cd2c6 ("crypto: rockchip - add crypto driver for rk3288")
      Cc: <stable@vger.kernel.org> # v4.5+
      Signed-off-by: default avatarZhang Zhijie <zhangzj@rock-chips.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      af25d405
    • Eric Biggers's avatar
      crypto: gcm - fix incompatibility between "gcm" and "gcm_base" · 587c47ae
      Eric Biggers authored
      commit f699594d upstream.
      
      GCM instances can be created by either the "gcm" template, which only
      allows choosing the block cipher, e.g. "gcm(aes)"; or by "gcm_base",
      which allows choosing the ctr and ghash implementations, e.g.
      "gcm_base(ctr(aes-generic),ghash-generic)".
      
      However, a "gcm_base" instance prevents a "gcm" instance from being
      registered using the same implementations.  Nor will the instance be
      found by lookups of "gcm".  This can be used as a denial of service.
      Moreover, "gcm_base" instances are never tested by the crypto
      self-tests, even if there are compatible "gcm" tests.
      
      The root cause of these problems is that instances of the two templates
      use different cra_names.  Therefore, fix these problems by making
      "gcm_base" instances set the same cra_name as "gcm" instances, e.g.
      "gcm(aes)" instead of "gcm_base(ctr(aes-generic),ghash-generic)".
      
      This requires extracting the block cipher name from the name of the ctr
      algorithm.  It also requires starting to verify that the algorithms are
      really ctr and ghash, not something else entirely.  But it would be
      bizarre if anyone were actually using non-gcm-compatible algorithms with
      gcm_base, so this shouldn't break anyone in practice.
      
      Fixes: d00aa19b ("[CRYPTO] gcm: Allow block cipher parameter")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      587c47ae
    • Eric Biggers's avatar
      crypto: arm64/gcm-aes-ce - fix no-NEON fallback code · 2cd208cf
      Eric Biggers authored
      commit 580e2951 upstream.
      
      The arm64 gcm-aes-ce algorithm is failing the extra crypto self-tests
      following my patches to test the !may_use_simd() code paths, which
      previously were untested.  The problem is that in the !may_use_simd()
      case, an odd number of AES blocks can be processed within each step of
      the skcipher_walk.  However, the skcipher_walk is being done with a
      "stride" of 2 blocks and is advanced by an even number of blocks after
      each step.  This causes the encryption to produce the wrong ciphertext
      and authentication tag, and causes the decryption to incorrectly fail.
      
      Fix it by only processing an even number of blocks per step.
      
      Fixes: c2b24c36 ("crypto: arm64/aes-gcm-ce - fix scatterwalk API violation")
      Fixes: 71e52c27 ("crypto: arm64/aes-ce-gcm - operate on two input blocks at a time")
      Cc: <stable@vger.kernel.org> # v4.19+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2cd208cf
    • Eric Biggers's avatar
      crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest() · 3e95cd3d
      Eric Biggers authored
      commit dec3d0b1 upstream.
      
      The ->digest() method of crct10dif-pclmul reads the current CRC value
      from the shash_desc context.  But this value is uninitialized, causing
      crypto_shash_digest() to compute the wrong result.  Fix it.
      
      Probably this wasn't noticed before because lib/crc-t10dif.c only uses
      crypto_shash_update(), not crypto_shash_digest().  Likewise,
      crypto_shash_digest() is not yet tested by the crypto self-tests because
      those only test the ahash API which only uses shash init/update/final.
      
      Fixes: 0b95a7f8 ("crypto: crct10dif - Glue code to cast accelerated CRCT10DIF assembly as a crypto transform")
      Cc: <stable@vger.kernel.org> # v3.11+
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3e95cd3d
    • Eric Biggers's avatar
      crypto: crct10dif-generic - fix use via crypto_shash_digest() · b841777e
      Eric Biggers authored
      commit 307508d1 upstream.
      
      The ->digest() method of crct10dif-generic reads the current CRC value
      from the shash_desc context.  But this value is uninitialized, causing
      crypto_shash_digest() to compute the wrong result.  Fix it.
      
      Probably this wasn't noticed before because lib/crc-t10dif.c only uses
      crypto_shash_update(), not crypto_shash_digest().  Likewise,
      crypto_shash_digest() is not yet tested by the crypto self-tests because
      those only test the ahash API which only uses shash init/update/final.
      
      This bug was detected by my patches that improve testmgr to fuzz
      algorithms against their generic implementation.
      
      Fixes: 2d31e518 ("crypto: crct10dif - Wrap crc_t10dif function all to use crypto transform framework")
      Cc: <stable@vger.kernel.org> # v3.11+
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b841777e
    • Eric Biggers's avatar
      crypto: skcipher - don't WARN on unprocessed data after slow walk step · 8b178be3
      Eric Biggers authored
      commit dcaca01a upstream.
      
      skcipher_walk_done() assumes it's a bug if, after the "slow" path is
      executed where the next chunk of data is processed via a bounce buffer,
      the algorithm says it didn't process all bytes.  Thus it WARNs on this.
      
      However, this can happen legitimately when the message needs to be
      evenly divisible into "blocks" but isn't, and the algorithm has a
      'walksize' greater than the block size.  For example, ecb-aes-neonbs
      sets 'walksize' to 128 bytes and only supports messages evenly divisible
      into 16-byte blocks.  If, say, 17 message bytes remain but they straddle
      scatterlist elements, the skcipher_walk code will take the "slow" path
      and pass the algorithm all 17 bytes in the bounce buffer.  But the
      algorithm will only be able to process 16 bytes, triggering the WARN.
      
      Fix this by just removing the WARN_ON().  Returning -EINVAL, as the code
      already does, is the right behavior.
      
      This bug was detected by my patches that improve testmgr to fuzz
      algorithms against their generic implementation.
      
      Fixes: b286d8b1 ("crypto: skcipher - Add skcipher walk interface")
      Cc: <stable@vger.kernel.org> # v4.10+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8b178be3
    • Daniel Axtens's avatar
      crypto: vmx - fix copy-paste error in CTR mode · 8f513499
      Daniel Axtens authored
      commit dcf7b482 upstream.
      
      The original assembly imported from OpenSSL has two copy-paste
      errors in handling CTR mode. When dealing with a 2 or 3 block tail,
      the code branches to the CBC decryption exit path, rather than to
      the CTR exit path.
      
      This leads to corruption of the IV, which leads to subsequent blocks
      being corrupted.
      
      This can be detected with libkcapi test suite, which is available at
      https://github.com/smuellerDD/libkcapiReported-by: default avatarOndrej Mosnáček <omosnacek@gmail.com>
      Fixes: 5c380d62 ("crypto: vmx - Add support for VMS instructions by ASM")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDaniel Axtens <dja@axtens.net>
      Tested-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Tested-by: default avatarOndrej Mosnacek <omosnacek@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8f513499
    • Singh, Brijesh's avatar
      crypto: ccp - Do not free psp_master when PLATFORM_INIT fails · f050cbe7
      Singh, Brijesh authored
      commit f5a2aeb8 upstream.
      
      Currently, we free the psp_master if the PLATFORM_INIT fails during the
      SEV FW probe. If psp_master is freed then driver does not invoke the PSP
      FW. As per SEV FW spec, there are several commands (PLATFORM_RESET,
      PLATFORM_STATUS, GET_ID etc) which can be executed in the UNINIT state
      We should not free the psp_master when PLATFORM_INIT fails.
      
      Fixes: 200664d5 ("crypto: ccp: Add SEV support")
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Gary Hook <gary.hook@amd.com>
      Cc: stable@vger.kernel.org # 4.19.y
      Signed-off-by: default avatarBrijesh Singh <brijesh.singh@amd.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f050cbe7
    • Eric Biggers's avatar
      crypto: ccm - fix incompatibility between "ccm" and "ccm_base" · 9e98a28a
      Eric Biggers authored
      commit 6a1faa4a upstream.
      
      CCM instances can be created by either the "ccm" template, which only
      allows choosing the block cipher, e.g. "ccm(aes)"; or by "ccm_base",
      which allows choosing the ctr and cbcmac implementations, e.g.
      "ccm_base(ctr(aes-generic),cbcmac(aes-generic))".
      
      However, a "ccm_base" instance prevents a "ccm" instance from being
      registered using the same implementations.  Nor will the instance be
      found by lookups of "ccm".  This can be used as a denial of service.
      Moreover, "ccm_base" instances are never tested by the crypto
      self-tests, even if there are compatible "ccm" tests.
      
      The root cause of these problems is that instances of the two templates
      use different cra_names.  Therefore, fix these problems by making
      "ccm_base" instances set the same cra_name as "ccm" instances, e.g.
      "ccm(aes)" instead of "ccm_base(ctr(aes-generic),cbcmac(aes-generic))".
      
      This requires extracting the block cipher name from the name of the ctr
      and cbcmac algorithms.  It also requires starting to verify that the
      algorithms are really ctr and cbcmac using the same block cipher, not
      something else entirely.  But it would be bizarre if anyone were
      actually using non-ccm-compatible algorithms with ccm_base, so this
      shouldn't break anyone in practice.
      
      Fixes: 4a49b499 ("[CRYPTO] ccm: Added CCM mode")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9e98a28a
    • Eric Biggers's avatar
      crypto: chacha20poly1305 - set cra_name correctly · ac74e674
      Eric Biggers authored
      commit 5e27f38f upstream.
      
      If the rfc7539 template is instantiated with specific implementations,
      e.g. "rfc7539(chacha20-generic,poly1305-generic)" rather than
      "rfc7539(chacha20,poly1305)", then the implementation names end up
      included in the instance's cra_name.  This is incorrect because it then
      prevents all users from allocating "rfc7539(chacha20,poly1305)", if the
      highest priority implementations of chacha20 and poly1305 were selected.
      Also, the self-tests aren't run on an instance allocated in this way.
      
      Fix it by setting the instance's cra_name from the underlying
      algorithms' actual cra_names, rather than from the requested names.
      This matches what other templates do.
      
      Fixes: 71ebc4d1 ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539")
      Cc: <stable@vger.kernel.org> # v4.2+
      Cc: Martin Willi <martin@strongswan.org>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarMartin Willi <martin@strongswan.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ac74e674
    • Eric Biggers's avatar
      crypto: chacha-generic - fix use as arm64 no-NEON fallback · 713d486a
      Eric Biggers authored
      commit 7aceaaef upstream.
      
      The arm64 implementations of ChaCha and XChaCha are failing the extra
      crypto self-tests following my patches to test the !may_use_simd() code
      paths, which previously were untested.  The problem is as follows:
      
      When !may_use_simd(), the arm64 NEON implementations fall back to the
      generic implementation, which uses the skcipher_walk API to iterate
      through the src/dst scatterlists.  Due to how the skcipher_walk API
      works, walk.stride is set from the skcipher_alg actually being used,
      which in this case is the arm64 NEON algorithm.  Thus walk.stride is
      5*CHACHA_BLOCK_SIZE, not CHACHA_BLOCK_SIZE.
      
      This unnecessarily large stride shouldn't cause an actual problem.
      However, the generic implementation computes round_down(nbytes,
      walk.stride).  round_down() assumes the round amount is a power of 2,
      which 5*CHACHA_BLOCK_SIZE is not, so it gives the wrong result.
      
      This causes the following case in skcipher_walk_done() to be hit,
      causing a WARN() and failing the encryption operation:
      
      	if (WARN_ON(err)) {
      		/* unexpected case; didn't process all bytes */
      		err = -EINVAL;
      		goto finish;
      	}
      
      Fix it by rounding down to CHACHA_BLOCK_SIZE instead of walk.stride.
      
      (Or we could replace round_down() with rounddown(), but that would add a
      slow division operation every time, which I think we should avoid.)
      
      Fixes: 2fe55987 ("crypto: arm64/chacha - use combined SIMD/ALU routine for more speed")
      Cc: <stable@vger.kernel.org> # v5.0+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      713d486a
    • Eric Biggers's avatar
      crypto: lrw - don't access already-freed walk.iv · 8c07b960
      Eric Biggers authored
      commit aec286cd upstream.
      
      If the user-provided IV needs to be aligned to the algorithm's
      alignmask, then skcipher_walk_virt() copies the IV into a new aligned
      buffer walk.iv.  But skcipher_walk_virt() can fail afterwards, and then
      if the caller unconditionally accesses walk.iv, it's a use-after-free.
      
      Fix this in the LRW template by checking the return value of
      skcipher_walk_virt().
      
      This bug was detected by my patches that improve testmgr to fuzz
      algorithms against their generic implementation.  When the extra
      self-tests were run on a KASAN-enabled kernel, a KASAN use-after-free
      splat occured during lrw(aes) testing.
      
      Fixes: c778f96b ("crypto: lrw - Optimize tweak computation")
      Cc: <stable@vger.kernel.org> # v4.20+
      Cc: Ondrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8c07b960
    • Eric Biggers's avatar
      crypto: salsa20 - don't access already-freed walk.iv · d31e54a9
      Eric Biggers authored
      commit edaf28e9 upstream.
      
      If the user-provided IV needs to be aligned to the algorithm's
      alignmask, then skcipher_walk_virt() copies the IV into a new aligned
      buffer walk.iv.  But skcipher_walk_virt() can fail afterwards, and then
      if the caller unconditionally accesses walk.iv, it's a use-after-free.
      
      salsa20-generic doesn't set an alignmask, so currently it isn't affected
      by this despite unconditionally accessing walk.iv.  However this is more
      subtle than desired, and it was actually broken prior to the alignmask
      being removed by commit b62b3db7 ("crypto: salsa20-generic - cleanup
      and convert to skcipher API").
      
      Since salsa20-generic does not update the IV and does not need any IV
      alignment, update it to use req->iv instead of walk.iv.
      
      Fixes: 2407d608 ("[CRYPTO] salsa20: Salsa20 stream cipher")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d31e54a9
    • Christian Lamparter's avatar
      crypto: crypto4xx - fix cfb and ofb "overran dst buffer" issues · 83ee7650
      Christian Lamparter authored
      commit 7e92e171 upstream.
      
      Currently, crypto4xx CFB and OFB AES ciphers are
      failing testmgr's test vectors.
      
      |cfb-aes-ppc4xx encryption overran dst buffer on test vector 3, cfg="in-place"
      |ofb-aes-ppc4xx encryption overran dst buffer on test vector 1, cfg="in-place"
      
      This is because of a very subtile "bug" in the hardware that
      gets indirectly mentioned in 18.1.3.5 Encryption/Decryption
      of the hardware spec:
      
      the OFB and CFB modes for AES are listed there as operation
      modes for >>> "Block ciphers" <<<. Which kind of makes sense,
      but we would like them to be considered as stream ciphers just
      like the CTR mode.
      
      To workaround this issue and stop the hardware from causing
      "overran dst buffer" on crypttexts that are not a multiple
      of 16 (AES_BLOCK_SIZE), we force the driver to use the scatter
      buffers as the go-between.
      
      As a bonus this patch also kills redundant pd_uinfo->num_gd
      and pd_uinfo->num_sd setters since the value has already been
      set before.
      
      Cc: stable@vger.kernel.org
      Fixes: f2a13e7c ("crypto: crypto4xx - enable AES RFC3686, ECB, CFB and OFB offloads")
      Signed-off-by: default avatarChristian Lamparter <chunkeey@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      83ee7650
    • Christian Lamparter's avatar
      crypto: crypto4xx - fix ctr-aes missing output IV · 0b2f2b9c
      Christian Lamparter authored
      commit 25baaf8e upstream.
      
      Commit 8efd972e ("crypto: testmgr - support checking skcipher output IV")
      caused the crypto4xx driver to produce the following error:
      
      | ctr-aes-ppc4xx encryption test failed (wrong output IV)
      | on test vector 0, cfg="in-place"
      
      This patch fixes this by reworking the crypto4xx_setkey_aes()
      function to:
      
       - not save the iv for ECB (as per 18.2.38 CRYP0_SA_CMD_0:
         "This bit mut be cleared for DES ECB mode or AES ECB mode,
         when no IV is used.")
      
       - instruct the hardware to save the generated IV for all
         other modes of operations that have IV and then supply
         it back to the callee in pretty much the same way as we
         do it for cbc-aes already.
      
       - make it clear that the DIR_(IN|OUT)BOUND is the important
         bit that tells the hardware to encrypt or decrypt the data.
         (this is cosmetic - but it hopefully prevents me from
          getting confused again).
      
       - don't load any bogus hash when we don't use any hash
         operation to begin with.
      
      Cc: stable@vger.kernel.org
      Fixes: f2a13e7c ("crypto: crypto4xx - enable AES RFC3686, ECB, CFB and OFB offloads")
      Signed-off-by: default avatarChristian Lamparter <chunkeey@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0b2f2b9c
    • Yazen Ghannam's avatar
      x86/MCE/AMD: Don't report L1 BTB MCA errors on some family 17h models · a6ec7461
      Yazen Ghannam authored
      commit 71a84402 upstream.
      
      AMD family 17h Models 10h-2Fh may report a high number of L1 BTB MCA
      errors under certain conditions. The errors are benign and can safely be
      ignored. However, the high error rate may cause the MCA threshold
      counter to overflow causing a high rate of thresholding interrupts.
      
      In addition, users may see the errors reported through the AMD MCE
      decoder module, even with the interrupt disabled, due to MCA polling.
      
      Clear the "Counter Present" bit in the Instruction Fetch bank's
      MCA_MISC0 register. This will prevent enabling MCA thresholding on this
      bank which will prevent the high interrupt rate due to this error.
      
      Define an AMD-specific function to filter these errors from the MCE
      event pool so that they don't get reported during early boot.
      
      Rename filter function in EDAC/mce_amd to avoid a naming conflict, while
      at it.
      
       [ bp: Move function prototype to the internal header and
         massage/cleanup, fix typos. ]
      Reported-by: default avatarRafał Miłecki <rafal@milecki.pl>
      Signed-off-by: default avatarYazen Ghannam <yazen.ghannam@amd.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: "clemej@gmail.com" <clemej@gmail.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: James Morse <james.morse@arm.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
      Cc: Pu Wen <puwen@hygon.cn>
      Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
      Cc: Shirish S <Shirish.S@amd.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Vishal Verma <vishal.l.verma@intel.com>
      Cc: linux-edac <linux-edac@vger.kernel.org>
      Cc: x86-ml <x86@kernel.org>
      Cc: <stable@vger.kernel.org> # 5.0.x: c95b323d: x86/MCE/AMD: Turn off MC4_MISC thresholding on all family 0x15 models
      Cc: <stable@vger.kernel.org> # 5.0.x: 30aa3d26: x86/MCE/AMD: Carve out the MC4_MISC thresholding quirk
      Cc: <stable@vger.kernel.org> # 5.0.x: 9308fd40: x86/MCE: Group AMD function prototypes in <asm/mce.h>
      Cc: <stable@vger.kernel.org> # 5.0.x
      Link: https://lkml.kernel.org/r/20190325163410.171021-2-Yazen.Ghannam@amd.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a6ec7461
    • Yazen Ghannam's avatar
      x86/MCE: Add an MCE-record filtering function · 927d2cb2
      Yazen Ghannam authored
      commit 45d4b7b9 upstream.
      
      Some systems may report spurious MCA errors. In general, spurious MCA
      errors may be disabled by clearing a particular bit in MCA_CTL. However,
      clearing a bit in MCA_CTL may not be recommended for some errors, so the
      only option is to ignore them.
      
      An MCA error is printed and handled after it has been added to the MCE
      event pool. So an MCA error can be ignored by not adding it to that pool
      in the first place.
      
      Add such a filtering function.
      
       [ bp: Move function prototype to the internal header and massage. ]
      Signed-off-by: default avatarYazen Ghannam <yazen.ghannam@amd.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: "clemej@gmail.com" <clemej@gmail.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Pu Wen <puwen@hygon.cn>
      Cc: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
      Cc: "rafal@milecki.pl" <rafal@milecki.pl>
      Cc: Shirish S <Shirish.S@amd.com>
      Cc: <stable@vger.kernel.org> # 5.0.x
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Vishal Verma <vishal.l.verma@intel.com>
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20190325163410.171021-1-Yazen.Ghannam@amd.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      927d2cb2