1. 22 Apr, 2020 2 commits
  2. 20 Apr, 2020 2 commits
  3. 16 Apr, 2020 24 commits
    • Christophe JAILLET's avatar
      crypto: marvell/octeontx - Add missing '\n' in log messages · 0a8f5989
      Christophe JAILLET authored
      Message logged by 'dev_xxx()' or 'pr_xxx()' should end with a '\n'.
      
      While at it, I've introduced a few pr_cont that looked logical to me.
      
      Fixes: 10b4f094 ("crypto: marvell - add the Virtual Function driver for CPT")
      Fixes: d9110b0b ("crypto: marvell - add support for OCTEON TX CPT engine")
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      0a8f5989
    • Herbert Xu's avatar
      crypto: api - Fix use-after-free and race in crypto_spawn_alg · 6603523b
      Herbert Xu authored
      There are two problems in crypto_spawn_alg.  First of all it may
      return spawn->alg even if spawn->dead is set.  This results in a
      double-free as detected by syzbot.
      
      Secondly the setting of the DYING flag is racy because we hold
      the read-lock instead of the write-lock.  We should instead call
      crypto_shoot_alg in a safe manner by gaining a refcount, dropping
      the lock, and then releasing the refcount.
      
      This patch fixes both problems.
      
      Reported-by: syzbot+fc0674cde00b66844470@syzkaller.appspotmail.com
      Fixes: 4f87ee11 ("crypto: api - Do not zap spawn->alg")
      Fixes: 73669cc5 ("crypto: api - Fix race condition in...")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      6603523b
    • Arnd Bergmann's avatar
      crypto: ccp -- don't "select" CONFIG_DMADEVICES · eebac678
      Arnd Bergmann authored
      DMADEVICES is the top-level option for the slave DMA
      subsystem, and should not be selected by device drivers,
      as this can cause circular dependencies such as:
      
      drivers/net/ethernet/freescale/Kconfig:6:error: recursive dependency detected!
      drivers/net/ethernet/freescale/Kconfig:6:	symbol NET_VENDOR_FREESCALE depends on PPC_BESTCOMM
      drivers/dma/bestcomm/Kconfig:6:	symbol PPC_BESTCOMM depends on DMADEVICES
      drivers/dma/Kconfig:6:	symbol DMADEVICES is selected by CRYPTO_DEV_SP_CCP
      drivers/crypto/ccp/Kconfig:10:	symbol CRYPTO_DEV_SP_CCP depends on CRYPTO
      crypto/Kconfig:16:	symbol CRYPTO is selected by LIBCRC32C
      lib/Kconfig:222:	symbol LIBCRC32C is selected by LIQUIDIO
      drivers/net/ethernet/cavium/Kconfig:65:	symbol LIQUIDIO depends on PTP_1588_CLOCK
      drivers/ptp/Kconfig:8:	symbol PTP_1588_CLOCK is implied by FEC
      drivers/net/ethernet/freescale/Kconfig:23:	symbol FEC depends on NET_VENDOR_FREESCALE
      
      The LIQUIDIO driver causing this problem is addressed in a
      separate patch, but this change is needed to prevent it from
      happening again.
      
      Using "depends on DMADEVICES" is what we do for all other
      implementations of slave DMA controllers as well.
      
      Fixes: b3c2fee5 ("crypto: ccp - Ensure all dependencies are specified")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      eebac678
    • Eric Biggers's avatar
      crypto: algapi - Avoid spurious modprobe on LOADED · beeb460c
      Eric Biggers authored
      Currently after any algorithm is registered and tested, there's an
      unnecessary request_module("cryptomgr") even if it's already loaded.
      Also, CRYPTO_MSG_ALG_LOADED is sent twice, and thus if the algorithm is
      "crct10dif", lib/crc-t10dif.c replaces the tfm twice rather than once.
      
      This occurs because CRYPTO_MSG_ALG_LOADED is sent using
      crypto_probing_notify(), which tries to load "cryptomgr" if the
      notification is not handled (NOTIFY_DONE).  This doesn't make sense
      because "cryptomgr" doesn't handle this notification.
      
      Fix this by using crypto_notify() instead of crypto_probing_notify().
      
      Fixes: dd8b083f ("crypto: api - Introduce notifier for new crypto algorithms")
      Cc: <stable@vger.kernel.org> # v4.20+
      Cc: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      beeb460c
    • Markus Elfring's avatar
      crypto: sun8i-ss - Delete an error message in sun8i_ss_probe() · 56b80bde
      Markus Elfring authored
      The function “platform_get_irq” can log an error already.
      Thus omit a redundant message for the exception handling in the
      calling function.
      
      This issue was detected by using the Coccinelle software.
      Signed-off-by: default avatarMarkus Elfring <elfring@users.sourceforge.net>
      Acked-by: default avatarCorentin Labbe <clabbe.montjoie@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      56b80bde
    • Markus Elfring's avatar
      hwrng: xgene - Delete an error message in xgene_rng_probe() · f72fed86
      Markus Elfring authored
      The function “platform_get_irq” can log an error already.
      Thus omit a redundant message for the exception handling in the
      calling function.
      
      This issue was detected by using the Coccinelle software.
      Signed-off-by: default avatarMarkus Elfring <elfring@users.sourceforge.net>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      f72fed86
    • Markus Elfring's avatar
      hwrng: omap - Delete an error message in of_get_omap_rng_device_details() · b111418a
      Markus Elfring authored
      The function “platform_get_irq” can log an error already.
      Thus omit a redundant message for the exception handling in the
      calling function.
      
      This issue was detected by using the Coccinelle software.
      Signed-off-by: default avatarMarkus Elfring <elfring@users.sourceforge.net>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      b111418a
    • Tang Bin's avatar
      crypto: amlogic - Delete duplicate dev_err in meson_crypto_probe() · 56e0b627
      Tang Bin authored
      When something goes wrong, platform_get_irq() will print an error message,
      so in order to avoid the situation of repeat output,we should remove
      dev_err here.
      Signed-off-by: default avatarTang Bin <tangbin@cmss.chinamobile.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      56e0b627
    • Yang Shen's avatar
      crypto: hisilicon/qm - stop qp by judging sq and cq tail · f037fc5f
      Yang Shen authored
      It is not working well to determine whether the queue is empty based on
      whether the used count is 0. It is more stable to get if the queue is
      stopping by checking if the tail pointer of the send queue and the
      completion queue are equal.
      Signed-off-by: default avatarYang Shen <shenyang39@huawei.com>
      Signed-off-by: default avatarShukun Tan <tanshukun1@huawei.com>
      Reviewed-by: default avatarZhou Wang <wangzhou1@hisilicon.com>
      Reviewed-by: default avatarZaibo Xu <xuzaibo@huawei.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      f037fc5f
    • Yang Shen's avatar
      crypto: hisilicon/sec2 - add controller reset support for SEC2 · 141876c2
      Yang Shen authored
      Add support for controller reset in SEC driver.
      Signed-off-by: default avatarYang Shen <shenyang39@huawei.com>
      Signed-off-by: default avatarShukun Tan <tanshukun1@huawei.com>
      Reviewed-by: default avatarZhou Wang <wangzhou1@hisilicon.com>
      Reviewed-by: default avatarZaibo Xu <xuzaibo@huawei.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      141876c2
    • Hui Tang's avatar
      crypto: hisilicon/hpre - add controller reset support for HPRE · 1f5c9f34
      Hui Tang authored
      Add support for the controller reset in HPRE driver.
      Signed-off-by: default avatarHui Tang <tanghui20@huawei.com>
      Signed-off-by: default avatarShukun Tan <tanshukun1@huawei.com>
      Reviewed-by: default avatarZhou Wang <wangzhou1@hisilicon.com>
      Reviewed-by: default avatarZaibo Xu <xuzaibo@huawei.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      1f5c9f34
    • Shukun Tan's avatar
      crypto: hisilicon/zip - add controller reset support for zip · 84c9b780
      Shukun Tan authored
      Register controller reset handle with PCIe AER.
      Signed-off-by: default avatarShukun Tan <tanshukun1@huawei.com>
      Reviewed-by: default avatarZhou Wang <wangzhou1@hisilicon.com>
      Reviewed-by: default avatarZaibo Xu <xuzaibo@huawei.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      84c9b780
    • Shukun Tan's avatar
      crypto: hisilicon/qm - add controller reset interface · 6c6dd580
      Shukun Tan authored
      Add the main implementation of the controller reset interface, which is
      roughly divided into three parts, stop, reset, and reinitialization.
      Signed-off-by: default avatarShukun Tan <tanshukun1@huawei.com>
      Reviewed-by: default avatarZhou Wang <wangzhou1@hisilicon.com>
      Reviewed-by: default avatarZaibo Xu <xuzaibo@huawei.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      6c6dd580
    • Hao Fang's avatar
      crypto: hisilicon - add vfs_num module parameter for hpre/sec · 35ee280f
      Hao Fang authored
      The vfs_num module parameter has been used in zip driver, this patch adds
      this for HPRE and SEC driver.
      Signed-off-by: default avatarHao Fang <fanghao11@huawei.com>
      Signed-off-by: default avatarShukun Tan <tanshukun1@huawei.com>
      Reviewed-by: default avatarZhou Wang <wangzhou1@hisilicon.com>
      Reviewed-by: default avatarZaibo Xu <xuzaibo@huawei.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      35ee280f
    • Shukun Tan's avatar
      crypto: hisilicon - unify SR-IOV related codes into QM · cd1b7ae3
      Shukun Tan authored
      Clean the duplicate SR-IOV related codes, put all into qm.c.
      Signed-off-by: default avatarShukun Tan <tanshukun1@huawei.com>
      Reviewed-by: default avatarZhou Wang <wangzhou1@hisilicon.com>
      Reviewed-by: default avatarZaibo Xu <xuzaibo@huawei.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      cd1b7ae3
    • Shukun Tan's avatar
      crypto: hisilicon - put vfs_num into struct hisi_qm · 619e464a
      Shukun Tan authored
      We plan to move vfs_num related code into qm.c, put the param
      vfs_num into struct hisi_qm first.
      Signed-off-by: default avatarShukun Tan <tanshukun1@huawei.com>
      Reviewed-by: default avatarZhou Wang <wangzhou1@hisilicon.com>
      Reviewed-by: default avatarZaibo Xu <xuzaibo@huawei.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      619e464a
    • Hadar Gat's avatar
      MAINTAINERS: add HG as cctrng maintainer · 3c8e0bd1
      Hadar Gat authored
      I work for Arm on maintaining the TrustZone CryptoCell TRNG driver.
      Signed-off-by: default avatarHadar Gat <hadar.gat@arm.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      3c8e0bd1
    • Hadar Gat's avatar
      hwrng: cctrng - introduce Arm CryptoCell driver · a583ed31
      Hadar Gat authored
      Introduce low level Arm CryptoCell TRNG HW support.
      Signed-off-by: default avatarHadar Gat <hadar.gat@arm.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      a583ed31
    • Hadar Gat's avatar
      dt-bindings: add device tree binding for Arm CryptoCell trng engine · ffb57daa
      Hadar Gat authored
      The Arm CryptoCell is a hardware security engine. This patch adds DT
      bindings for its TRNG (True Random Number Generator) engine.
      Signed-off-by: default avatarHadar Gat <hadar.gat@arm.com>
      Reviewed-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      ffb57daa
    • Iuliana Prodan's avatar
      crypto: caam - fix the address of the last entry of S/G · 55b3209a
      Iuliana Prodan authored
      For skcipher algorithms, the input, output HW S/G tables
      look like this: [IV, src][dst, IV]
      Now, we can have 2 conditions here:
      - there is no IV;
      - src and dst are equal (in-place encryption) and scattered
      and the error is an "off-by-one" in the HW S/G table.
      
      This issue was seen with KASAN:
      BUG: KASAN: slab-out-of-bounds in skcipher_edesc_alloc+0x95c/0x1018
      
      Read of size 4 at addr ffff000022a02958 by task cryptomgr_test/321
      
      CPU: 2 PID: 321 Comm: cryptomgr_test Not tainted
      5.6.0-rc1-00165-ge4ef8383-dirty #4
      Hardware name: LS1046A RDB Board (DT)
      Call trace:
       dump_backtrace+0x0/0x260
       show_stack+0x14/0x20
       dump_stack+0xe8/0x144
       print_address_description.isra.11+0x64/0x348
       __kasan_report+0x11c/0x230
       kasan_report+0xc/0x18
       __asan_load4+0x90/0xb0
       skcipher_edesc_alloc+0x95c/0x1018
       skcipher_encrypt+0x84/0x150
       crypto_skcipher_encrypt+0x50/0x68
       test_skcipher_vec_cfg+0x4d4/0xc10
       test_skcipher_vec+0x178/0x1d8
       alg_test_skcipher+0xec/0x230
       alg_test.part.44+0x114/0x4a0
       alg_test+0x1c/0x60
       cryptomgr_test+0x34/0x58
       kthread+0x1b8/0x1c0
       ret_from_fork+0x10/0x18
      
      Allocated by task 321:
       save_stack+0x24/0xb0
       __kasan_kmalloc.isra.10+0xc4/0xe0
       kasan_kmalloc+0xc/0x18
       __kmalloc+0x178/0x2b8
       skcipher_edesc_alloc+0x21c/0x1018
       skcipher_encrypt+0x84/0x150
       crypto_skcipher_encrypt+0x50/0x68
       test_skcipher_vec_cfg+0x4d4/0xc10
       test_skcipher_vec+0x178/0x1d8
       alg_test_skcipher+0xec/0x230
       alg_test.part.44+0x114/0x4a0
       alg_test+0x1c/0x60
       cryptomgr_test+0x34/0x58
       kthread+0x1b8/0x1c0
       ret_from_fork+0x10/0x18
      
      Freed by task 0:
      (stack is not available)
      
      The buggy address belongs to the object at ffff000022a02800
       which belongs to the cache dma-kmalloc-512 of size 512
      The buggy address is located 344 bytes inside of
       512-byte region [ffff000022a02800, ffff000022a02a00)
      The buggy address belongs to the page:
      page:fffffe00006a8000 refcount:1 mapcount:0 mapping:ffff00093200c400
      index:0x0 compound_mapcount: 0
      flags: 0xffff00000010200(slab|head)
      raw: 0ffff00000010200 dead000000000100 dead000000000122 ffff00093200c400
      raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff000022a02800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffff000022a02880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      >ffff000022a02900: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
                                                          ^
       ffff000022a02980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff000022a02a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      
      Fixes: 334d37c9 ("crypto: caam - update IV using HW support")
      Cc: <stable@vger.kernel.org> # v5.3+
      Signed-off-by: default avatarIuliana Prodan <iuliana.prodan@nxp.com>
      Reviewed-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      55b3209a
    • Iuliana Prodan's avatar
      crypto: caam - fix use-after-free KASAN issue for RSA algorithms · 80994e3f
      Iuliana Prodan authored
      Here's the KASAN report:
      BUG: KASAN: use-after-free in rsa_pub_done+0x70/0xe8
      Read of size 1 at addr ffff000023082014 by task swapper/0/0
      
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc1-00162-gfcb90d51 #60
      Hardware name: LS1046A RDB Board (DT)
      Call trace:
       dump_backtrace+0x0/0x260
       show_stack+0x14/0x20
       dump_stack+0xe8/0x144
       print_address_description.isra.11+0x64/0x348
       __kasan_report+0x11c/0x230
       kasan_report+0xc/0x18
       __asan_load1+0x5c/0x68
       rsa_pub_done+0x70/0xe8
       caam_jr_dequeue+0x390/0x608
       tasklet_action_common.isra.13+0x1ec/0x230
       tasklet_action+0x24/0x30
       efi_header_end+0x1a4/0x370
       irq_exit+0x114/0x128
       __handle_domain_irq+0x80/0xe0
       gic_handle_irq+0x50/0xa0
       el1_irq+0xb8/0x180
       cpuidle_enter_state+0xa4/0x490
       cpuidle_enter+0x48/0x70
       call_cpuidle+0x44/0x70
       do_idle+0x304/0x338
       cpu_startup_entry+0x24/0x40
       rest_init+0xf8/0x10c
       arch_call_rest_init+0xc/0x14
       start_kernel+0x774/0x7b4
      
      Allocated by task 263:
       save_stack+0x24/0xb0
       __kasan_kmalloc.isra.10+0xc4/0xe0
       kasan_kmalloc+0xc/0x18
       __kmalloc+0x178/0x2b8
       rsa_edesc_alloc+0x2cc/0xe10
       caam_rsa_enc+0x9c/0x5f0
       test_akcipher_one+0x78c/0x968
       alg_test_akcipher+0x78/0xf8
       alg_test.part.44+0x114/0x4a0
       alg_test+0x1c/0x60
       cryptomgr_test+0x34/0x58
       kthread+0x1b8/0x1c0
       ret_from_fork+0x10/0x18
      
      Freed by task 0:
       save_stack+0x24/0xb0
       __kasan_slab_free+0x10c/0x188
       kasan_slab_free+0x10/0x18
       kfree+0x7c/0x298
       rsa_pub_done+0x68/0xe8
       caam_jr_dequeue+0x390/0x608
       tasklet_action_common.isra.13+0x1ec/0x230
       tasklet_action+0x24/0x30
       efi_header_end+0x1a4/0x370
      
      The buggy address belongs to the object at ffff000023082000
       which belongs to the cache dma-kmalloc-256 of size 256
      The buggy address is located 20 bytes inside of
       256-byte region [ffff000023082000, ffff000023082100)
      The buggy address belongs to the page:
      page:fffffe00006c2080 refcount:1 mapcount:0 mapping:ffff00093200c200 index:0x0 compound_mapcount: 0
      flags: 0xffff00000010200(slab|head)
      raw: 0ffff00000010200 dead000000000100 dead000000000122 ffff00093200c200
      raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff000023081f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff000023081f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      >ffff000023082000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
       ffff000023082080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff000023082100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      
      Fixes: bf537950 ("crypto: caam - add crypto_engine support for RSA algorithms")
      Signed-off-by: default avatarIuliana Prodan <iuliana.prodan@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      80994e3f
    • Iuliana Prodan's avatar
      crypto: caam - fix use-after-free KASAN issue for HASH algorithms · 63db32e6
      Iuliana Prodan authored
      Here's the KASAN report:
      BUG: KASAN: use-after-free in ahash_done+0xdc/0x3b8
      Read of size 1 at addr ffff00002303f010 by task swapper/0/0
      
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc1-00162-gfcb90d51 #59
      Hardware name: LS1046A RDB Board (DT)
      Call trace:
       dump_backtrace+0x0/0x260
       show_stack+0x14/0x20
       dump_stack+0xe8/0x144
       print_address_description.isra.11+0x64/0x348
       __kasan_report+0x11c/0x230
       kasan_report+0xc/0x18
       __asan_load1+0x5c/0x68
       ahash_done+0xdc/0x3b8
       caam_jr_dequeue+0x390/0x608
       tasklet_action_common.isra.13+0x1ec/0x230
       tasklet_action+0x24/0x30
       efi_header_end+0x1a4/0x370
       irq_exit+0x114/0x128
       __handle_domain_irq+0x80/0xe0
       gic_handle_irq+0x50/0xa0
       el1_irq+0xb8/0x180
       cpuidle_enter_state+0xa4/0x490
       cpuidle_enter+0x48/0x70
       call_cpuidle+0x44/0x70
       do_idle+0x304/0x338
       cpu_startup_entry+0x24/0x40
       rest_init+0xf8/0x10c
       arch_call_rest_init+0xc/0x14
       start_kernel+0x774/0x7b4
      
      Allocated by task 263:
       save_stack+0x24/0xb0
       __kasan_kmalloc.isra.10+0xc4/0xe0
       kasan_kmalloc+0xc/0x18
       __kmalloc+0x178/0x2b8
       ahash_edesc_alloc+0x58/0x1f8
       ahash_final_no_ctx+0x94/0x6e8
       ahash_final+0x24/0x30
       crypto_ahash_op+0x58/0xb0
       crypto_ahash_final+0x30/0x40
       do_ahash_op+0x2c/0xa0
       test_ahash_vec_cfg+0x894/0x9e0
       test_hash_vec_cfg+0x6c/0x88
       test_hash_vec+0xfc/0x1e0
       __alg_test_hash+0x1ac/0x368
       alg_test_hash+0xf8/0x1c8
       alg_test.part.44+0x114/0x4a0
       alg_test+0x1c/0x60
       cryptomgr_test+0x34/0x58
       kthread+0x1b8/0x1c0
       ret_from_fork+0x10/0x18
      
      Freed by task 0:
       save_stack+0x24/0xb0
       __kasan_slab_free+0x10c/0x188
       kasan_slab_free+0x10/0x18
       kfree+0x7c/0x298
       ahash_done+0xd4/0x3b8
       caam_jr_dequeue+0x390/0x608
       tasklet_action_common.isra.13+0x1ec/0x230
       tasklet_action+0x24/0x30
       efi_header_end+0x1a4/0x370
      
      The buggy address belongs to the object at ffff00002303f000
       which belongs to the cache dma-kmalloc-128 of size 128
      The buggy address is located 16 bytes inside of
       128-byte region [ffff00002303f000, ffff00002303f080)
      The buggy address belongs to the page:
      page:fffffe00006c0fc0 refcount:1 mapcount:0 mapping:ffff00093200c000 index:0x0
      flags: 0xffff00000000200(slab)
      raw: 0ffff00000000200 dead000000000100 dead000000000122 ffff00093200c000
      raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff00002303ef00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff00002303ef80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      >ffff00002303f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
       ffff00002303f080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff00002303f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      
      Fixes: 21b014f0 ("crypto: caam - add crypto_engine support for HASH algorithms")
      Signed-off-by: default avatarIuliana Prodan <iuliana.prodan@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      63db32e6
    • Iuliana Prodan's avatar
      crypto: caam - fix use-after-free KASAN issue for AEAD algorithms · 5ed1e8b8
      Iuliana Prodan authored
      Here's the KASAN report:
      BUG: KASAN: use-after-free in aead_crypt_done+0x60/0xd8
      Read of size 1 at addr ffff00002303f014 by task swapper/0/0
      
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc1-00162-gfcb90d51 #58
      Hardware name: LS1046A RDB Board (DT)
      Call trace:
       dump_backtrace+0x0/0x260
       show_stack+0x14/0x20
       dump_stack+0xe8/0x144
       print_address_description.isra.11+0x64/0x348
       __kasan_report+0x11c/0x230
       kasan_report+0xc/0x18
       __asan_load1+0x5c/0x68
       aead_crypt_done+0x60/0xd8
       caam_jr_dequeue+0x390/0x608
       tasklet_action_common.isra.13+0x1ec/0x230
       tasklet_action+0x24/0x30
       efi_header_end+0x1a4/0x370
       irq_exit+0x114/0x128
       __handle_domain_irq+0x80/0xe0
       gic_handle_irq+0x50/0xa0
       el1_irq+0xb8/0x180
       _raw_spin_unlock_irq+0x2c/0x78
       finish_task_switch+0xa4/0x2f8
       __schedule+0x3a4/0x890
       schedule_idle+0x28/0x50
       do_idle+0x22c/0x338
       cpu_startup_entry+0x24/0x40
       rest_init+0xf8/0x10c
       arch_call_rest_init+0xc/0x14
       start_kernel+0x774/0x7b4
      
      Allocated by task 263:
       save_stack+0x24/0xb0
       __kasan_kmalloc.isra.10+0xc4/0xe0
       kasan_kmalloc+0xc/0x18
       __kmalloc+0x178/0x2b8
       aead_edesc_alloc+0x1b4/0xbf0
       ipsec_gcm_encrypt+0xd4/0x140
       crypto_aead_encrypt+0x50/0x68
       test_aead_vec_cfg+0x498/0xec0
       test_aead_vec+0x110/0x200
       alg_test_aead+0xfc/0x680
       alg_test.part.44+0x114/0x4a0
       alg_test+0x1c/0x60
       cryptomgr_test+0x34/0x58
       kthread+0x1b8/0x1c0
       ret_from_fork+0x10/0x18
      
      Freed by task 0:
       save_stack+0x24/0xb0
       __kasan_slab_free+0x10c/0x188
       kasan_slab_free+0x10/0x18
       kfree+0x7c/0x298
       aead_crypt_done+0x58/0xd8
       caam_jr_dequeue+0x390/0x608
       tasklet_action_common.isra.13+0x1ec/0x230
       tasklet_action+0x24/0x30
       efi_header_end+0x1a4/0x370
      
      The buggy address belongs to the object at ffff00002303f000
       which belongs to the cache dma-kmalloc-128 of size 128
      The buggy address is located 20 bytes inside of
       128-byte region [ffff00002303f000, ffff00002303f080)
      The buggy address belongs to the page:
      page:fffffe00006c0fc0 refcount:1 mapcount:0 mapping:ffff00093200c000 index:0x0
      flags: 0xffff00000000200(slab)
      raw: 0ffff00000000200 dead000000000100 dead000000000122 ffff00093200c000
      raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff00002303ef00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff00002303ef80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      >ffff00002303f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
       ffff00002303f080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff00002303f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      
      Fixes: 1c240226 ("crypto: caam - add crypto_engine support for AEAD algorithms")
      Signed-off-by: default avatarIuliana Prodan <iuliana.prodan@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      5ed1e8b8
    • Iuliana Prodan's avatar
      crypto: caam - fix use-after-free KASAN issue for SKCIPHER algorithms · 5af4e8d4
      Iuliana Prodan authored
      Here's the KASAN report:
      BUG: KASAN: use-after-free in skcipher_crypt_done+0xe8/0x1a8
      Read of size 1 at addr ffff00002304001c by task swapper/0/0
      
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc1-00162-gfcb90d51 #57
      Hardware name: LS1046A RDB Board (DT)
      Call trace:
       dump_backtrace+0x0/0x260
       show_stack+0x14/0x20
       dump_stack+0xe8/0x144
       print_address_description.isra.11+0x64/0x348
       __kasan_report+0x11c/0x230
       kasan_report+0xc/0x18
       __asan_load1+0x5c/0x68
       skcipher_crypt_done+0xe8/0x1a8
       caam_jr_dequeue+0x390/0x608
       tasklet_action_common.isra.13+0x1ec/0x230
       tasklet_action+0x24/0x30
       efi_header_end+0x1a4/0x370
       irq_exit+0x114/0x128
       __handle_domain_irq+0x80/0xe0
       gic_handle_irq+0x50/0xa0
       el1_irq+0xb8/0x180
       _raw_spin_unlock_irq+0x2c/0x78
       finish_task_switch+0xa4/0x2f8
       __schedule+0x3a4/0x890
       schedule_idle+0x28/0x50
       do_idle+0x22c/0x338
       cpu_startup_entry+0x24/0x40
       rest_init+0xf8/0x10c
       arch_call_rest_init+0xc/0x14
       start_kernel+0x774/0x7b4
      
      Allocated by task 263:
       save_stack+0x24/0xb0
       __kasan_kmalloc.isra.10+0xc4/0xe0
       kasan_kmalloc+0xc/0x18
       __kmalloc+0x178/0x2b8
       skcipher_edesc_alloc+0x21c/0x1018
       skcipher_encrypt+0x84/0x150
       crypto_skcipher_encrypt+0x50/0x68
       test_skcipher_vec_cfg+0x4d4/0xc10
       test_skcipher_vec+0xf8/0x1d8
       alg_test_skcipher+0xec/0x230
       alg_test.part.44+0x114/0x4a0
       alg_test+0x1c/0x60
       cryptomgr_test+0x34/0x58
       kthread+0x1b8/0x1c0
       ret_from_fork+0x10/0x18
      
      Freed by task 0:
       save_stack+0x24/0xb0
       __kasan_slab_free+0x10c/0x188
       kasan_slab_free+0x10/0x18
       kfree+0x7c/0x298
       skcipher_crypt_done+0xe0/0x1a8
       caam_jr_dequeue+0x390/0x608
       tasklet_action_common.isra.13+0x1ec/0x230
       tasklet_action+0x24/0x30
       efi_header_end+0x1a4/0x370
      
      The buggy address belongs to the object at ffff000023040000
       which belongs to the cache dma-kmalloc-512 of size 512
      The buggy address is located 28 bytes inside of
       512-byte region [ffff000023040000, ffff000023040200)
      The buggy address belongs to the page:
      page:fffffe00006c1000 refcount:1 mapcount:0 mapping:ffff00093200c400 index:0x0 compound_mapcount: 0
      flags: 0xffff00000010200(slab|head)
      raw: 0ffff00000010200 dead000000000100 dead000000000122 ffff00093200c400
      raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff00002303ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff00002303ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      >ffff000023040000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
       ffff000023040080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff000023040100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      
      Fixes: ee38767f ("crypto: caam - support crypto_engine framework for SKCIPHER algorithms")
      Signed-off-by: default avatarIuliana Prodan <iuliana.prodan@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      5af4e8d4
  4. 12 Apr, 2020 10 commits
    • Linus Torvalds's avatar
      Linux 5.7-rc1 · 8f3d9f35
      Linus Torvalds authored
      8f3d9f35
    • Linus Torvalds's avatar
      MAINTAINERS: sort field names for all entries · 3b50142d
      Linus Torvalds authored
      This sorts the actual field names too, potentially causing even more
      chaos and confusion at merge time if you have edited the MAINTAINERS
      file.  But the end result is a more consistent layout, and hopefully
      it's a one-time pain minimized by doing this just before the -rc1
      release.
      
      This was entirely scripted:
      
        ./scripts/parse-maintainers.pl --input=MAINTAINERS --output=MAINTAINERS --order
      Requested-by: default avatarJoe Perches <joe@perches.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3b50142d
    • Linus Torvalds's avatar
      MAINTAINERS: sort entries by entry name · 4400b7d6
      Linus Torvalds authored
      They are all supposed to be sorted, but people who add new entries don't
      always know the alphabet.  Plus sometimes the entry names get edited,
      and people don't then re-order the entry.
      
      Let's see how painful this will be for merging purposes (the MAINTAINERS
      file is often edited in various different trees), but Joe claims there's
      relatively few patches in -next that touch this, and doing it just
      before -rc1 is likely the best time.  Fingers crossed.
      
      This was scripted with
      
        /scripts/parse-maintainers.pl --input=MAINTAINERS --output=MAINTAINERS
      
      but then I also ended up manually upper-casing a few entry names that
      stood out when looking at the end result.
      Requested-by: default avatarJoe Perches <joe@perches.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      4400b7d6
    • Linus Torvalds's avatar
      Merge tag 'x86-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 4f8a3cc1
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "A set of three patches to fix the fallout of the newly added split
        lock detection feature.
      
        It addressed the case where a KVM guest triggers a split lock #AC and
        KVM reinjects it into the guest which is not prepared to handle it.
      
        Add proper sanity checks which prevent the unconditional injection
        into the guest and handles the #AC on the host side in the same way as
        user space detections are handled. Depending on the detection mode it
        either warns and disables detection for the task or kills the task if
        the mode is set to fatal"
      
      * tag 'x86-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        KVM: VMX: Extend VMXs #AC interceptor to handle split lock #AC in guest
        KVM: x86: Emulate split-lock access as a write in emulator
        x86/split_lock: Provide handle_guest_split_lock()
      4f8a3cc1
    • Linus Torvalds's avatar
      Merge tag 'timers-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 0785249f
      Linus Torvalds authored
      Pull time(keeping) updates from Thomas Gleixner:
      
       - Fix the time_for_children symlink in /proc/$PID/ so it properly
         reflects that it part of the 'time' namespace
      
       - Add the missing userns limit for the allowed number of time
         namespaces, which was half defined but the actual array member was
         not added. This went unnoticed as the array has an exessive empty
         member at the end but introduced a user visible regression as the
         output was corrupted.
      
       - Prevent further silent ucount corruption by adding a BUILD_BUG_ON()
         to catch half updated data.
      
      * tag 'timers-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        ucount: Make sure ucounts in /proc/sys/user don't regress again
        time/namespace: Add max_time_namespaces ucount
        time/namespace: Fix time_for_children symlink
      0785249f
    • Linus Torvalds's avatar
      Merge tag 'sched-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 590680d1
      Linus Torvalds authored
      Pull scheduler fixes/updates from Thomas Gleixner:
      
       - Deduplicate the average computations in the scheduler core and the
         fair class code.
      
       - Fix a raise between runtime distribution and assignement which can
         cause exceeding the quota by up to 70%.
      
       - Prevent negative results in the imbalanace calculation
      
       - Remove a stale warning in the workqueue code which can be triggered
         since the call site was moved out of preempt disabled code. It's a
         false positive.
      
       - Deduplicate the print macros for procfs
      
       - Add the ucmap values to the SCHED_DEBUG procfs output for completness
      
      * tag 'sched-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/debug: Add task uclamp values to SCHED_DEBUG procfs
        sched/debug: Factor out printing formats into common macros
        sched/debug: Remove redundant macro define
        sched/core: Remove unused rq::last_load_update_tick
        workqueue: Remove the warning in wq_worker_sleeping()
        sched/fair: Fix negative imbalance in imbalance calculation
        sched/fair: Fix race between runtime distribution and assignment
        sched/fair: Align rq->avg_idle and rq->avg_scan_cost
      590680d1
    • Linus Torvalds's avatar
      Merge tag 'perf-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 20e2aa81
      Linus Torvalds authored
      Pull perf fixes from Thomas Gleixner:
       "Three fixes/updates for perf:
      
         - Fix the perf event cgroup tracking which tries to track the cgroup
           even for disabled events.
      
         - Add Ice Lake server support for uncore events
      
         - Disable pagefaults when retrieving the physical address in the
           sampling code"
      
      * tag 'perf-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/core: Disable page faults when getting phys address
        perf/x86/intel/uncore: Add Ice Lake server uncore support
        perf/cgroup: Correct indirection in perf_less_group_idx()
        perf/core: Fix event cgroup tracking
      20e2aa81
    • Linus Torvalds's avatar
      Merge tag 'locking-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 652fa53c
      Linus Torvalds authored
      Pull locking fixes from Thomas Gleixner:
       "Three small fixes/updates for the locking core code:
      
         - Plug a task struct reference leak in the percpu rswem
           implementation.
      
         - Document the refcount interaction with PID_MAX_LIMIT
      
         - Improve the 'invalid wait context' data dump in lockdep so it
           contains all information which is required to decode the problem"
      
      * tag 'locking-urgent-2020-04-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        locking/lockdep: Improve 'invalid wait context' splat
        locking/refcount: Document interaction with PID_MAX_LIMIT
        locking/percpu-rwsem: Fix a task_struct refcount
      652fa53c
    • Linus Torvalds's avatar
      Merge tag '5.7-rc-smb3-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6 · 4119bf9f
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
       "Ten cifs/smb fixes:
      
         - five RDMA (smbdirect) related fixes
      
         - add experimental support for swap over SMB3 mounts
      
         - also a fix which improves performance of signed connections"
      
      * tag '5.7-rc-smb3-fixes-part2' of git://git.samba.org/sfrench/cifs-2.6:
        smb3: enable swap on SMB3 mounts
        smb3: change noisy error message to FYI
        smb3: smbdirect support can be configured by default
        cifs: smbd: Do not schedule work to send immediate packet on every receive
        cifs: smbd: Properly process errors on ib_post_send
        cifs: Allocate crypto structures on the fly for calculating signatures of incoming packets
        cifs: smbd: Update receive credits before sending and deal with credits roll back on failure before sending
        cifs: smbd: Check send queue size before posting a send
        cifs: smbd: Merge code to track pending packets
        cifs: ignore cached share root handle closing errors
      4119bf9f
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-5.7-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · 50bda5fa
      Linus Torvalds authored
      Pull NFS client bugfix from Trond Myklebust:
       "Fix an RCU read lock leakage in pnfs_alloc_ds_commits_list()"
      
      * tag 'nfs-for-5.7-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        pNFS: Fix RCU lock leakage
      50bda5fa
  5. 11 Apr, 2020 2 commits