mirror of
https://github.com/torvalds/linux.git
synced 2026-06-07 14:04:54 +02:00
72dc50cd92
2396 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Greg Kroah-Hartman
|
26bf816608 |
This is the 4.19.18 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlxMGy0ACgkQONu9yGCS
aT5ppQ/8COjyZg1aTrCrd0ttMHYotw3Lb4B6E/SCf2ub4X38SxGz9irhQ7r2FKdK
w0ZXlLOF2ddqWe6BUnIfWago4Pk1GBpg3bgnp5XyYTjlJbfI2yZ9ggiO0iNYBPaL
fN2JwM9eze/7cDlpYbhwGpF4+Wz8wTrzh+NIputcvC6n3SQH/cTGmOUa9rlamQju
uukkvLanAYY3sqDCl4B415Ds44ROU4filqHYIkvZC81jc3Q0YZ8M7cTmpLcDQKGz
8Z+Veil07jEM9bF2W8iX79nwxMT+edFC62HMuRCoxJKq+1kccw1TVMWpQ8TWbv13
zeLOqXxNP6VcNaC251q3QzlInRDp1dtr8KtzA/OG0WFnZBTEDng/iChhiL8qZt0R
9+Sz7n9uZ5pMRK3tr03Ccjg3AneKWRqad2iaTB/kOwAdu7Uqxz8U9qUuRDFPV7OY
KTMCCfdS8XpMHl/S+Cvg2dqSNiBEkNmowYO6NvQClG0aoN4/6wH+m2TZ0hCl6PVq
pNFOTJmp7FOaztEZC4rqW8DoOGeGaNo5DP9A2XKKDR20F7EiAE437ApEQ4p5QGVk
ek4uslZkwJWU/UOzXRl/Hoz0OlI0ixsdZy1vw88HCl7SD1E7xHJpnRUkOjigTT1Q
nbCt0Nm/A2+c1tKbzU+PVW8FtIbutZhW1BtrqaIbbHr9NBTICR0=
=Yg+/
-----END PGP SIGNATURE-----
Merge 4.19.18 into android-4.19
Changes in 4.19.18
ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address
mlxsw: spectrum: Disable lag port TX before removing it
mlxsw: spectrum_switchdev: Set PVID correctly during VLAN deletion
net: dsa: mv88x6xxx: mv88e6390 errata
net, skbuff: do not prefer skb allocation fails early
qmi_wwan: add MTU default to qmap network interface
r8169: Add support for new Realtek Ethernet
ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses
net: clear skb->tstamp in bridge forwarding path
netfilter: ipset: Allow matching on destination MAC address for mac and ipmac sets
gpio: pl061: Move irq_chip definition inside struct pl061
drm/amd/display: Guard against null stream_state in set_crc_source
drm/amdkfd: fix interrupt spin lock
ixgbe: allow IPsec Tx offload in VEPA mode
platform/x86: asus-wmi: Tell the EC the OS will handle the display off hotkey
e1000e: allow non-monotonic SYSTIM readings
usb: typec: tcpm: Do not disconnect link for self powered devices
selftests/bpf: enable (uncomment) all tests in test_libbpf.sh
of: overlay: add missing of_node_put() after add new node to changeset
writeback: don't decrement wb->refcnt if !wb->bdi
serial: set suppress_bind_attrs flag only if builtin
bpf: Allow narrow loads with offset > 0
ALSA: oxfw: add support for APOGEE duet FireWire
x86/mce: Fix -Wmissing-prototypes warnings
MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur
crypto: ecc - regularize scalar for scalar multiplication
arm64: perf: set suppress_bind_attrs flag to true
drm/atomic-helper: Complete fake_commit->flip_done potentially earlier
clk: meson: meson8b: fix incorrect divider mapping in cpu_scale_table
samples: bpf: fix: error handling regarding kprobe_events
usb: gadget: udc: renesas_usb3: add a safety connection way for forced_b_device
fpga: altera-cvp: fix probing for multiple FPGAs on the bus
selinux: always allow mounting submounts
ASoC: pcm3168a: Don't disable pcm3168a when CONFIG_PM defined
scsi: qedi: Check for session online before getting iSCSI TLV data.
drm/amdgpu: Reorder uvd ring init before uvd resume
rxe: IB_WR_REG_MR does not capture MR's iova field
efi/libstub: Disable some warnings for x86{,_64}
jffs2: Fix use of uninitialized delayed_work, lockdep breakage
clk: imx: make mux parent strings const
pstore/ram: Do not treat empty buffers as valid
media: uvcvideo: Refactor teardown of uvc on USB disconnect
powerpc/xmon: Fix invocation inside lock region
powerpc/pseries/cpuidle: Fix preempt warning
media: firewire: Fix app_info parameter type in avc_ca{,_app}_info
ASoC: use dma_ops of parent device for acp_audio_dma
media: venus: core: Set dma maximum segment size
staging: erofs: fix use-after-free of on-stack `z_erofs_vle_unzip_io'
net: call sk_dst_reset when set SO_DONTROUTE
scsi: target: use consistent left-aligned ASCII INQUIRY data
scsi: target/core: Make sure that target_wait_for_sess_cmds() waits long enough
selftests: do not macro-expand failed assertion expressions
arm64: kasan: Increase stack size for KASAN_EXTRA
clk: imx6q: reset exclusive gates on init
arm64: Fix minor issues with the dcache_by_line_op macro
bpf: relax verifier restriction on BPF_MOV | BPF_ALU
kconfig: fix file name and line number of warn_ignored_character()
kconfig: fix memory leak when EOF is encountered in quotation
mmc: atmel-mci: do not assume idle after atmci_request_end
btrfs: volumes: Make sure there is no overlap of dev extents at mount time
btrfs: alloc_chunk: fix more DUP stripe size handling
btrfs: fix use-after-free due to race between replace start and cancel
btrfs: improve error handling of btrfs_add_link
tty/serial: do not free trasnmit buffer page under port lock
perf intel-pt: Fix error with config term "pt=0"
perf tests ARM: Disable breakpoint tests 32-bit
perf svghelper: Fix unchecked usage of strncpy()
perf parse-events: Fix unchecked usage of strncpy()
perf vendor events intel: Fix Load_Miss_Real_Latency on SKL/SKX
netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set
netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine
netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine
x86/topology: Use total_cpus for max logical packages calculation
dm crypt: use u64 instead of sector_t to store iv_offset
dm kcopyd: Fix bug causing workqueue stalls
perf stat: Avoid segfaults caused by negated options
tools lib subcmd: Don't add the kernel sources to the include path
dm snapshot: Fix excessive memory usage and workqueue stalls
perf cs-etm: Correct packets swapping in cs_etm__flush()
perf tools: Add missing sigqueue() prototype for systems lacking it
perf tools: Add missing open_memstream() prototype for systems lacking it
quota: Lock s_umount in exclusive mode for Q_XQUOTA{ON,OFF} quotactls.
clocksource/drivers/integrator-ap: Add missing of_node_put()
dm: Check for device sector overflow if CONFIG_LBDAF is not set
Bluetooth: btusb: Add support for Intel bluetooth device 8087:0029
ALSA: bebob: fix model-id of unit for Apogee Ensemble
sysfs: Disable lockdep for driver bind/unbind files
IB/usnic: Fix potential deadlock
scsi: mpt3sas: fix memory ordering on 64bit writes
scsi: smartpqi: correct lun reset issues
ath10k: fix peer stats null pointer dereference
scsi: smartpqi: call pqi_free_interrupts() in pqi_shutdown()
scsi: megaraid: fix out-of-bound array accesses
iomap: don't search past page end in iomap_is_partially_uptodate
ocfs2: fix panic due to unrecovered local alloc
mm/page-writeback.c: don't break integrity writeback on ->writepage() error
mm/swap: use nr_node_ids for avail_lists in swap_info_struct
userfaultfd: clear flag if remap event not enabled
mm, proc: be more verbose about unstable VMA flags in /proc/<pid>/smaps
iwlwifi: mvm: Send LQ command as async when necessary
Bluetooth: Fix unnecessary error message for HCI request completion
ipmi: fix use-after-free of user->release_barrier.rda
ipmi: msghandler: Fix potential Spectre v1 vulnerabilities
ipmi: Prevent use-after-free in deliver_response
ipmi:ssif: Fix handling of multi-part return messages
ipmi: Don't initialize anything in the core until something uses it
Linux 4.19.18
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Vitaly Chikunov
|
dbb97f7663 |
crypto: ecc - regularize scalar for scalar multiplication
[ Upstream commit
|
||
|
Greg Kroah-Hartman
|
73dc755ee0 |
This is the 4.19.17 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlxHf8cACgkQONu9yGCS aT71Mg/9FnDYja+AD9hj01kFsh6+C4K/QLZY69kLgzmNvr1htsWLRvxSta0dIKc0 In4rianKMhOHekGub6ufO0Ne1jPV9ZCF61cZ/oENISB5D/oVZJL+baR92zeodSg9 XFBPRu9eKPQV+UFPliyyKEJtyWEmLHvJMOQkKft0reduZgPy0xonkQ97K48QmF9G b/Ly6E8c/qfQThIqn0wfPQ2DUYET9cCE667iw8+Mwzr2HYuLoltyp9ODyMW2fuNT vyKve8s+IQ8wCKy1fkwyIJD7CjV0mJMJfUYx1Ax+ewU6MtBDrhEyfcfA9sJfsyRH k/BydK4aQJqcejp8ajOVQjZFZtGMnuTM38n3SpJnyNLWz6JvCTQr8dl2A5Y5/iph Q1FQH9BHKWCCJO8JVjfMYhCewvdo47mjE1gUfs9HyyW4SjJxhJCn07u2LU1YCRHW G9NqRb208UZw7O6prCsdZRlZPJjon1Fln7ym/esKjuMRyNNycV093ysPaqzhKrJq 2Dxgt+fYBaP63BawAZUC+kQ0iX4OcSja78F4txbVBeksqskNAPHreMbcd5PDid/h bN89kPVCIV0eFJa0AMuKHdrbljRH/I6wbKmz3KvyjoRgq8KGc2PvrSe4DTJfax3W gOEnESLn7r58oUQ0OmfSv7U4zU700tuH9wOpFZyb5vqVvdXcQzA= =NSqX -----END PGP SIGNATURE----- Merge 4.19.17 into android-4.19 Changes in 4.19.17 tty/ldsem: Wake up readers after timed out down_write() tty: Hold tty_ldisc_lock() during tty_reopen() tty: Simplify tty->count math in tty_reopen() tty: Don't hold ldisc lock in tty_reopen() if ldisc present can: gw: ensure DLC boundaries after CAN frame modification netfilter: nf_conncount: replace CONNCOUNT_LOCK_SLOTS with CONNCOUNT_SLOTS netfilter: nf_conncount: don't skip eviction when age is negative netfilter: nf_conncount: split gc in two phases netfilter: nf_conncount: restart search when nodes have been erased netfilter: nf_conncount: merge lookup and add functions netfilter: nf_conncount: move all list iterations under spinlock netfilter: nf_conncount: speculative garbage collection on empty lists netfilter: nf_conncount: fix argument order to find_next_bit mmc: sdhci-msm: Disable CDR function on TX Revert "scsi: target: iscsi: cxgbit: fix csk leak" scsi: target: iscsi: cxgbit: fix csk leak scsi: target: iscsi: cxgbit: fix csk leak arm64/kvm: consistently handle host HCR_EL2 flags arm64: Don't trap host pointer auth use to EL2 ipv6: fix kernel-infoleak in ipv6_local_error() net: bridge: fix a bug on using a neighbour cache entry without checking its state packet: Do not leak dev refcounts on error exit tcp: change txhash on SYN-data timeout tun: publish tfile after it's fully initialized lan743x: Remove phy_read from link status change function smc: move unhash as early as possible in smc_release() r8169: don't try to read counters if chip is in a PCI power-save state bonding: update nest level on unlink ip: on queued skb use skb_header_pointer instead of pskb_may_pull r8169: load Realtek PHY driver module before r8169 crypto: sm3 - fix undefined shift by >= width of value crypto: caam - fix zero-length buffer DMA mapping crypto: authencesn - Avoid twice completion call in decrypt path crypto: ccree - convert to use crypto_authenc_extractkeys() crypto: bcm - convert to use crypto_authenc_extractkeys() crypto: authenc - fix parsing key with misaligned rta_len crypto: talitos - reorder code in talitos_edesc_alloc() crypto: talitos - fix ablkcipher for CONFIG_VMAP_STACK xen: Fix x86 sched_clock() interface for xen Revert "btrfs: balance dirty metadata pages in btrfs_finish_ordered_io" btrfs: wait on ordered extents on abort cleanup Yama: Check for pid death before checking ancestry scsi: core: Synchronize request queue PM status only on successful resume scsi: sd: Fix cache_type_store() mips: fix n32 compat_ipc_parse_version MIPS: BCM47XX: Setup struct device for the SoC MIPS: lantiq: Fix IPI interrupt handling drm/i915/gvt: Fix mmap range check OF: properties: add missing of_node_put mfd: tps6586x: Handle interrupts on suspend media: v4l: ioctl: Validate num_planes for debug messages RDMA/nldev: Don't expose unsafe global rkey to regular user RDMA/vmw_pvrdma: Return the correct opcode when creating WR kbuild: Disable LD_DEAD_CODE_DATA_ELIMINATION with ftrace & GCC <= 4.7 net: dsa: realtek-smi: fix OF child-node lookup pstore/ram: Avoid allocation and leak of platform data arm64: kaslr: ensure randomized quantities are clean to the PoC arm64: dts: marvell: armada-ap806: reserve PSCI area Disable MSI also when pcie-octeon.pcie_disable on fix int_sqrt64() for very large numbers omap2fb: Fix stack memory disclosure media: vivid: fix error handling of kthread_run media: vivid: set min width/height to a value > 0 bpf: in __bpf_redirect_no_mac pull mac only if present ipv6: make icmp6_send() robust against null skb->dev LSM: Check for NULL cred-security on free media: vb2: vb2_mmap: move lock up sunrpc: handle ENOMEM in rpcb_getport_async netfilter: ebtables: account ebt_table_info to kmemcg block: use rcu_work instead of call_rcu to avoid sleep in softirq selinux: fix GPF on invalid policy blockdev: Fix livelocks on loop device sctp: allocate sctp_sockaddr_entry with kzalloc tipc: fix uninit-value in in tipc_conn_rcv_sub tipc: fix uninit-value in tipc_nl_compat_link_reset_stats tipc: fix uninit-value in tipc_nl_compat_bearer_enable tipc: fix uninit-value in tipc_nl_compat_link_set tipc: fix uninit-value in tipc_nl_compat_name_table_dump tipc: fix uninit-value in tipc_nl_compat_doit block/loop: Don't grab "struct file" for vfs_getattr() operation. block/loop: Use global lock for ioctl() operation. loop: Fold __loop_release into loop_release loop: Get rid of loop_index_mutex loop: Push lo_ctl_mutex down into individual ioctls loop: Split setting of lo_state from loop_clr_fd loop: Push loop_ctl_mutex down into loop_clr_fd() loop: Push loop_ctl_mutex down to loop_get_status() loop: Push loop_ctl_mutex down to loop_set_status() loop: Push loop_ctl_mutex down to loop_set_fd() loop: Push loop_ctl_mutex down to loop_change_fd() loop: Move special partition reread handling in loop_clr_fd() loop: Move loop_reread_partitions() out of loop_ctl_mutex loop: Fix deadlock when calling blkdev_reread_part() loop: Avoid circular locking dependency between loop_ctl_mutex and bd_mutex loop: Get rid of 'nested' acquisition of loop_ctl_mutex loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl() loop: drop caches if offset or block_size are changed drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock selftests: Fix test errors related to lib.mk khdr target media: vb2: be sure to unlock mutex on errors nbd: Use set_blocksize() to set device blocksize Linux 4.19.17 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Eric Biggers
|
44c67402c3 |
crypto: authenc - fix parsing key with misaligned rta_len
commit |
||
|
Harsh Jain
|
6590803766 |
crypto: authencesn - Avoid twice completion call in decrypt path
commit |
||
|
Eric Biggers
|
68afc7c364 |
crypto: sm3 - fix undefined shift by >= width of value
commit |
||
|
Eric Biggers
|
7ae6788c68 |
UPSTREAM: crypto: adiantum - initialize crypto_spawn::inst
crypto_grab_*() doesn't set crypto_spawn::inst, so templates must set it
beforehand. Otherwise it will be left NULL, which causes a crash in
certain cases where algorithms are dynamically loaded/unloaded. E.g.
with CONFIG_CRYPTO_CHACHA20_X86_64=m, the following caused a crash:
insmod chacha-x86_64.ko
python -c 'import socket; socket.socket(socket.AF_ALG, 5, 0).bind(("skcipher", "adiantum(xchacha12,aes)"))'
rmmod chacha-x86_64.ko
python -c 'import socket; socket.socket(socket.AF_ALG, 5, 0).bind(("skcipher", "adiantum(xchacha12,aes)"))'
Fixes:
|
||
|
Eric Biggers
|
ce3045a60d |
UPSTREAM: crypto: adiantum - fix leaking reference to hash algorithm
crypto_alg_mod_lookup() takes a reference to the hash algorithm but crypto_init_shash_spawn() doesn't take ownership of it, hence the reference needs to be dropped in adiantum_create(). Fixes: |
||
|
Eric Biggers
|
188d82f4cc |
UPSTREAM: crypto: adiantum - adjust some comments to match latest paper
The 2018-11-28 revision of the Adiantum paper has revised some notation:
- 'M' was replaced with 'L' (meaning "Left", for the left-hand part of
the message) in the definition of Adiantum hashing, to avoid confusion
with the full message
- ε-almost-∆-universal is now abbreviated as ε-∆U instead of εA∆U
- "block" is now used only to mean block cipher and Poly1305 blocks
Also, Adiantum hashing was moved from the appendix to the main paper.
To avoid confusion, update relevant comments in the code to match.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit
|
||
|
Eric Biggers
|
8a962db7eb |
UPSTREAM: crypto: adiantum - propagate CRYPTO_ALG_ASYNC flag to instance
If the stream cipher implementation is asynchronous, then the Adiantum instance must be flagged as asynchronous as well. Otherwise someone asking for a synchronous algorithm can get an asynchronous algorithm. There are no asynchronous xchacha12 or xchacha20 implementations yet which makes this largely a theoretical issue, but it should be fixed. Fixes: |
||
|
Greg Kroah-Hartman
|
8735c21738 |
This is the 4.19.14 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlw2Jd8ACgkQONu9yGCS aT5DIw//RlX7Djwh9VnEEgggVpPxzIDfO8BcIR5EvSpHoci2skeD6/M5a+xiKKLk HOuH/cqBobkifnCzHwHLQYP9rIbkRceW0wDU2tdaecTf6G82TPoa5rQzG0rMMTM4 HFrMlMXvQoWSlaALBi5xkGGa7AGOVcmiJBaIkbqNST4Ah8KMBRxEqDvnbh/ALXCe qLRc7lDf/WRoN9GBzoCJwuaF9EcDW/C3EyHowVroDkN3UobzfdFSmrjkteFbkIkp 9rMzoyIXmKAe762ggkQTk8hEaVHqs7YxWlq53cym6NBtiBgfjqIKtT6tEtGs5U3i sA+YK6PzCfwp4I0ffXVqUoFi3WfJ4Ist+co8e8Uu0+taRDzahBkxtxxmNb6URU64 1sosY0YyG7k72OYp9J4mYhCAbxUKC8S80TWjwPlyaVaUDWDHAbOQk5HDJ9wIERmN PltF9wQ7ZQrha4v4nafPYJn/FmQuDCfDA78vOJ09PEbNZoNBhqXbHJGx/GEShdDE /ZzoVigpN2tqIvXFM99rVPRDaTsWlCSiorOvn8vTyqv64EaGO2qZUDmvaReEbUxy i1jJ5YcQoPk4GbNI8hfShGOhT+eAtw/KW5pHwqHbEle6jyeK+7KIdBmzw5ZXQIM6 4tzDOgn7yIpkMc+qyj3n3WE1LqRLt/cbOoxMu85jHDf5LgrtF50= =Gqyx -----END PGP SIGNATURE----- Merge 4.19.14 into android-4.19 Changes in 4.19.14 ax25: fix a use-after-free in ax25_fillin_cb() gro_cell: add napi_disable in gro_cells_destroy ibmveth: fix DMA unmap error in ibmveth_xmit_start error path ieee802154: lowpan_header_create check must check daddr ip6mr: Fix potential Spectre v1 vulnerability ipv4: Fix potential Spectre v1 vulnerability ipv6: explicitly initialize udp6_addr in udp_sock_create6() ipv6: tunnels: fix two use-after-free ip: validate header length on virtual device xmit isdn: fix kernel-infoleak in capi_unlocked_ioctl net: clear skb->tstamp in forwarding paths net/hamradio/6pack: use mod_timer() to rearm timers net: ipv4: do not handle duplicate fragments as overlapping net: macb: restart tx after tx used bit read net: mvpp2: 10G modes aren't supported on all ports net: phy: Fix the issue that netif always links up after resuming netrom: fix locking in nr_find_socket() net/smc: fix TCP fallback socket release net: stmmac: Fix an error code in probe() net/tls: allocate tls context using GFP_ATOMIC net/wan: fix a double free in x25_asy_open_tty() packet: validate address length packet: validate address length if non-zero ptr_ring: wrap back ->producer in __ptr_ring_swap_queue() qmi_wwan: Added support for Fibocom NL668 series qmi_wwan: Added support for Telit LN940 series qmi_wwan: Add support for Fibocom NL678 series sctp: initialize sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event sock: Make sock->sk_stamp thread-safe tcp: fix a race in inet_diag_dump_icsk() tipc: check tsk->group in tipc_wait_for_cond() tipc: compare remote and local protocols in tipc_udp_enable() tipc: fix a double free in tipc_enable_bearer() tipc: fix a double kfree_skb() tipc: use lock_sock() in tipc_sk_reinit() vhost: make sure used idx is seen before log in vhost_add_used_n() VSOCK: Send reset control packet when socket is partially bound xen/netfront: tolerate frags with no data net/mlx5: Typo fix in del_sw_hw_rule tipc: check group dests after tipc_wait_for_cond() net/mlx5e: Remove the false indication of software timestamping support ipv6: frags: Fix bogus skb->sk in reassembled packets net/ipv6: Fix a test against 'ipv6_find_idev()' return value nfp: flower: ensure TCP flags can be placed in IPv6 frame ipv6: route: Fix return value of ip6_neigh_lookup() on neigh_create() error mscc: Configured MAC entries should be locked. net/mlx5e: Cancel DIM work on close SQ net/mlx5e: RX, Verify MPWQE stride size is in range net: mvpp2: fix the phylink mode validation qed: Fix command number mismatch between driver and the mfw mlxsw: core: Increase timeout during firmware flash process net/mlx5e: Remove unused UDP GSO remaining counter net/mlx5e: RX, Fix wrong early return in receive queue poll net: mvneta: fix operation for 64K PAGE_SIZE net: Use __kernel_clockid_t in uapi net_stamp.h r8169: fix WoL device wakeup enable IB/hfi1: Incorrect sizing of sge for PIO will OOPs ALSA: rme9652: Fix potential Spectre v1 vulnerability ALSA: emu10k1: Fix potential Spectre v1 vulnerabilities ALSA: pcm: Fix potential Spectre v1 vulnerability ALSA: emux: Fix potential Spectre v1 vulnerabilities powerpc/fsl: Fix spectre_v2 mitigations reporting mtd: atmel-quadspi: disallow building on ebsa110 mtd: rawnand: marvell: prevent timeouts on a loaded machine mtd: rawnand: omap2: Pass the parent of pdev to dma_request_chan() ALSA: hda: add mute LED support for HP EliteBook 840 G4 ALSA: hda/realtek: Enable audio jacks of ASUS UX391UA with ALC294 ALSA: fireface: fix for state to fetch PCM frames ALSA: firewire-lib: fix wrong handling payload_length as payload_quadlet ALSA: firewire-lib: fix wrong assignment for 'out_packet_without_header' tracepoint ALSA: firewire-lib: use the same print format for 'without_header' tracepoints ALSA: hda/realtek: Enable the headset mic auto detection for ASUS laptops ALSA: hda/tegra: clear pending irq handlers usb: dwc2: host: use hrtimer for NAK retries USB: serial: pl2303: add ids for Hewlett-Packard HP POS pole displays USB: serial: option: add Fibocom NL678 series usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable() usb: dwc2: disable power_down on Amlogic devices Revert "usb: dwc3: pci: Use devm functions to get the phy GPIOs" usb: roles: Add a description for the class to Kconfig media: dvb-usb-v2: Fix incorrect use of transfer_flags URB_FREE_BUFFER staging: wilc1000: fix missing read_write setting when reading data ASoC: intel: cht_bsw_max98090_ti: Add pmc_plt_clk_0 quirk for Chromebook Clapper ASoC: intel: cht_bsw_max98090_ti: Add pmc_plt_clk_0 quirk for Chromebook Gnawty s390/pci: fix sleeping in atomic during hotplug Input: atmel_mxt_ts - don't try to free unallocated kernel memory Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G x86/speculation/l1tf: Drop the swap storage limit restriction when l1tf=off x86/mm: Drop usage of __flush_tlb_all() in kernel_physical_mapping_init() KVM: x86: Use jmp to invoke kvm_spurious_fault() from .fixup arm64: KVM: Make VHE Stage-2 TLB invalidation operations non-interruptible KVM: nVMX: Free the VMREAD/VMWRITE bitmaps if alloc_kvm_area() fails platform-msi: Free descriptors in platform_msi_domain_free() drm/v3d: Skip debugfs dumping GCA on platforms without GCA. DRM: UDL: get rid of useless vblank initialization clocksource/drivers/arc_timer: Utilize generic sched_clock perf machine: Record if a arch has a single user/kernel address space perf thread: Add fallback functions for cases where cpumode is insufficient perf tools: Use fallback for sample_addr_correlates_sym() cases perf script: Use fallbacks for branch stacks perf pmu: Suppress potential format-truncation warning perf env: Also consider env->arch == NULL as local operation ocxl: Fix endiannes bug in ocxl_link_update_pe() ocxl: Fix endiannes bug in read_afu_name() ext4: add ext4_sb_bread() to disambiguate ENOMEM cases ext4: fix possible use after free in ext4_quota_enable ext4: missing unlock/put_page() in ext4_try_to_write_inline_data() ext4: fix EXT4_IOC_GROUP_ADD ioctl ext4: include terminating u32 in size of xattr entries when expanding inodes ext4: avoid declaring fs inconsistent due to invalid file handles ext4: force inode writes when nfsd calls commit_metadata() ext4: check for shutdown and r/o file system in ext4_write_inode() spi: bcm2835: Fix race on DMA termination spi: bcm2835: Fix book-keeping of DMA termination spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode clk: rockchip: fix typo in rk3188 spdif_frac parent clk: sunxi-ng: Use u64 for calculation of NM rate crypto: cavium/nitrox - fix a DMA pool free failure crypto: chcr - small packet Tx stalls the queue crypto: testmgr - add AES-CFB tests crypto: cfb - fix decryption cgroup: fix CSS_TASK_ITER_PROCS cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader. btrfs: dev-replace: go back to suspended state if target device is missing btrfs: dev-replace: go back to suspend state if another EXCL_OP is running btrfs: skip file_extent generation check for free_space_inode in run_delalloc_nocow Btrfs: fix fsync of files with multiple hard links in new directories btrfs: run delayed items before dropping the snapshot Btrfs: send, fix race with transaction commits that create snapshots brcmfmac: fix roamoff=1 modparam brcmfmac: Fix out of bounds memory access during fw load powerpc/tm: Unset MSR[TS] if not recheckpointing dax: Don't access a freed inode dax: Use non-exclusive wait in wait_entry_unlocked() f2fs: read page index before freeing f2fs: fix validation of the block count in sanity_check_raw_super f2fs: sanity check of xattr entry size serial: uartps: Fix interrupt mask issue to handle the RX interrupts properly media: cec: keep track of outstanding transmits media: cec-pin: fix broken tx_ignore_nack_until_eom error injection media: rc: cec devices do not have a lirc chardev media: imx274: fix stack corruption in imx274_read_reg media: vivid: free bitmap_cap when updating std/timings/etc. media: vb2: check memory model for VIDIOC_CREATE_BUFS media: v4l2-tpg: array index could become negative tools lib traceevent: Fix processing of dereferenced args in bprintk events MIPS: math-emu: Write-protect delay slot emulation pages MIPS: c-r4k: Add r4k_blast_scache_node for Loongson-3 MIPS: Ensure pmd_present() returns false after pmd_mknotpresent() MIPS: Align kernel load address to 64KB MIPS: Expand MIPS32 ASIDs to 64 bits MIPS: OCTEON: mark RGMII interface disabled on OCTEON III MIPS: Fix a R10000_LLSC_WAR logic in atomic.h CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem smb3: fix large reads on encrypted connections arm64: KVM: Avoid setting the upper 32 bits of VTCR_EL2 to 1 arm/arm64: KVM: vgic: Force VM halt when changing the active state of GICv3 PPIs/SGIs ARM: dts: exynos: Specify I2S assigned clocks in proper node rtc: m41t80: Correct alarm month range with RTC reads KVM: arm/arm64: vgic: Do not cond_resched_lock() with IRQs disabled KVM: arm/arm64: vgic: Cap SPIs to the VM-defined maximum KVM: arm/arm64: vgic-v2: Set active_source to 0 when restoring state KVM: arm/arm64: vgic: Fix off-by-one bug in vgic_get_irq() iommu/arm-smmu-v3: Fix big-endian CMD_SYNC writes arm64: compat: Avoid sending SIGILL for unallocated syscall numbers tpm: tpm_try_transmit() refactor error flow. tpm: tpm_i2c_nuvoton: use correct command duration for TPM 2.x spi: bcm2835: Unbreak the build of esoteric configs MIPS: Only include mmzone.h when CONFIG_NEED_MULTIPLE_NODES=y Linux 4.19.14 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Dmitry Eremin-Solenikov
|
99dcd45f27 |
crypto: cfb - fix decryption
commit
|
||
|
Dmitry Eremin-Solenikov
|
d8e4b24ffb |
crypto: testmgr - add AES-CFB tests
commit
|
||
|
Greg Kroah-Hartman
|
6f76e7945a |
This is the 4.19.9 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlwSFaoACgkQONu9yGCS
aT5hERAAjZZeV7+uFKY5UFTtiz3cBzGvHgl8IX3dx5so/NN6+d4K7qVPxzq7YFG6
MKIpr/ml6XmNcHe+ukzO2r5t9ty/RPrYojAifKZ0w7jJcL7SrdvjwltPNCL4QkPX
BUvRsP/iRdzaq7L4iryqVXRdIXux8YHz6RUxJbYEirT6aW8ral2fyRtET9dwpzJG
5zjtM0tLLJlAJ7gIT5SEajjvLeHbGT1EB+RwpNyHLKWpxvsAjJsNenT/kP74o4P8
2MBgf6YsKCJLzU0gCzvu4Fb/AVArIicEB+5eBkvoEmFB755ss7z9L4TvJn3k9LCm
XpWZCNIQbty5wXt4Px6TsISSkiBG4jEGXxDQlpZOoOIcBkUhT6QDfQLa0HNNvqCw
x/NFnsfy5wN+isGieYM6yMVLvG5voh9S60KY++/yif3fFWmfHJC/q9M1LktVCqcF
2sFPcOLmfHnoAirjTpg9ZPyIi3vUwedPOYj/x3Z/la8l8iHDAc/mZqdKWg1Am9WX
MGZkn2RLJ23os5OMoPzGqoCDXKlsheFxVgLSJnehYRU7UQjwWMLvcZNlsdjnau3E
26Uiuzw2ehsXSxT9ogUKKsdyfTI1BQI/OnokCXdyFQiCKniR5430jfzsC4FJ0hja
bIaFQdvMlHyB0tELH6fhEY6QENsiieN+xJ8LR/dW+7tY1ZSKgG4=
=pARS
-----END PGP SIGNATURE-----
Merge 4.19.9 into android-4.19
Changes in 4.19.9
media: vicodec: lower minimum height to 360
media: cec: check for non-OK/NACK conditions while claiming a LA
media: omap3isp: Unregister media device as first
media: ipu3-cio2: Unregister device nodes first, then release resources
iommu/vt-d: Fix NULL pointer dereference in prq_event_thread()
brcmutil: really fix decoding channel info for 160 MHz bandwidth
mt76: fix building without CONFIG_LEDS_CLASS
iommu/ipmmu-vmsa: Fix crash on early domain free
scsi: ufs: Fix hynix ufs bug with quirk on hi36xx SoC
can: ucan: remove set but not used variable 'udev'
can: rcar_can: Fix erroneous registration
test_firmware: fix error return getting clobbered
HID: input: Ignore battery reported by Symbol DS4308
batman-adv: Use explicit tvlv padding for ELP packets
batman-adv: Expand merged fragment buffer for full packet
amd/iommu: Fix Guest Virtual APIC Log Tail Address Register
bnx2x: Assign unique DMAE channel number for FW DMAE transactions.
qed: Fix PTT leak in qed_drain()
qed: Fix overriding offload_tc by protocols without APP TLV
qed: Fix rdma_info structure allocation
qed: Fix reading wrong value in loop condition
usb: dwc2: pci: Fix an error code in probe
Revert "usb: gadget: ffs: Fix BUG when userland exits with submitted AIO transfers"
s390/ism: clear dmbe_mask bit before SMC IRQ handling
nvme-fc: resolve io failures during connect
bnxt_en: Fix filling time in bnxt_fill_coredump_record()
drm/amdgpu: Add amdgpu "max bpc" connector property (v2)
drm/amd/display: Support amdgpu "max bpc" connector property (v2)
net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command
net/mlx4_core: Fix uninitialized variable compilation warning
net/mlx4: Fix UBSAN warning of signed integer overflow
drivers/net/ethernet/qlogic/qed/qed_rdma.h: fix typo
gpio: pxa: fix legacy non pinctrl aware builds again
gpio: mockup: fix indicated direction
tc-testing: tdc.py: ignore errors when decoding stdout/stderr
tc-testing: tdc.py: Guard against lack of returncode in executed command
mtd: rawnand: qcom: Namespace prefix some commands
cpufreq: ti-cpufreq: Only register platform_device when supported
Revert "HID: uhid: use strlcpy() instead of strncpy()"
HID: multitouch: Add pointstick support for Cirque Touchpad
mtd: spi-nor: Fix Cadence QSPI page fault kernel panic
net: ena: fix crash during failed resume from hibernation
NFSv4: Fix a NFSv4 state manager deadlock
qed: Fix bitmap_weight() check
qed: Fix QM getters to always return a valid pq
net/ibmnvic: Fix deadlock problem in reset
riscv: fix warning in arch/riscv/include/asm/module.h
net: faraday: ftmac100: remove netif_running(netdev) check before disabling interrupts
iommu/vt-d: Use memunmap to free memremap
NFSv4.2 copy do not allocate memory under the lock
flexfiles: use per-mirror specified stateid for IO
ibmvnic: Fix RX queue buffer cleanup
ibmvnic: Update driver queues after change in ring size support
team: no need to do team_notify_peers or team_mcast_rejoin when disabling port
net: amd: add missing of_node_put()
usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device
usb: appledisplay: Add 27" Apple Cinema Display
USB: check usb_get_extra_descriptor for proper size
USB: serial: console: fix reported terminal settings
ALSA: usb-audio: Add SMSL D1 to quirks for native DSD support
ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
ALSA: hda: Add support for AMD Stoney Ridge
ALSA: pcm: Fix starvation on down_write_nonblock()
ALSA: pcm: Call snd_pcm_unlink() conditionally at closing
ALSA: pcm: Fix interval evaluation with openmin/max
ALSA: hda/realtek - Fix speaker output regression on Thinkpad T570
ALSA: hda/realtek: ALC286 mic and headset-mode fixups for Acer Aspire U27-880
ALSA: hda/realtek - Add support for Acer Aspire C24-860 headset mic
ALSA: hda/realtek: Fix mic issue on Acer AIO Veriton Z4660G
ALSA: hda/realtek: Fix mic issue on Acer AIO Veriton Z4860G/Z6860G
media: gspca: fix frame overflow error
media: vicodec: fix memchr() kernel oops
media: dvb-pll: fix tuner frequency ranges
media: dvb-pll: don't re-validate tuner frequencies
Revert "mfd: cros_ec: Use devm_kzalloc for private data"
parisc: Enable -ffunction-sections for modules on 32-bit kernel
virtio/s390: avoid race on vcdev->config
virtio/s390: fix race in ccw_io_helper()
vhost/vsock: fix use-after-free in network stack callers
arm64: hibernate: Avoid sending cross-calling with interrupts disabled
SUNRPC: Fix leak of krb5p encode pages
dmaengine: dw: Fix FIFO size for Intel Merrifield
Revert "dmaengine: imx-sdma: Use GFP_NOWAIT for dma allocations"
Revert "dmaengine: imx-sdma: alloclate bd memory from dma pool"
dmaengine: imx-sdma: implement channel termination via worker
dmaengine: imx-sdma: use GFP_NOWAIT for dma descriptor allocations
dmaengine: cppi41: delete channel from pending list when stop channel
ARM: 8806/1: kprobes: Fix false positive with FORTIFY_SOURCE
xhci: workaround CSS timeout on AMD SNPS 3.0 xHC
xhci: Prevent U1/U2 link pm states if exit latency is too long
arm64: dts: rockchip: remove vdd_log from rock960 to fix a stability issues
Revert "x86/e820: put !E820_TYPE_RAM regions into memblock.reserved"
cifs: Fix separator when building path from dentry
staging: rtl8712: Fix possible buffer overrun
Revert commit
|
||
|
Pan Bian
|
2f94605195 |
crypto: do not free algorithm before using
commit |
||
|
Greg Kroah-Hartman
|
635c56d224 |
This is the 4.19.6 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlwCSE8ACgkQONu9yGCS aT58lg//YXiTDY8JuG+LX8PJyL28s5gIQZyq7a8aEuxGFXbTfmym0TecN74F2gFM 7YBJ9j4u/W5xp/u/29VUOUE9OUiRdMa+GJz73ncgslHApp7r3Z5r9PJFJHtW07Xu IElCg2GvQLR0pzyNlsa+Nv738pldDr0d9xZDmsOp1Cs0aCfJQAbU1y9P5WNN8j3y rHQP19/2+HF0j6LqYxIRmgioSrmeHrEN/nWIDlFpW74+QPyI7d/6aJpr1Tfdy64u 6BE/48OunHjOPbO6fWcNjFm0FUlTYDKd8jtzkaIHmFKgXpDFb+3yN4AiMd4/ucPS SNqVqvzTfU8aKWEtIabTTG1m3AwuqJUrExYUQZwNe32zOhEMIE+rMpmgafSN3SjE k0cER70OS1rJ5rs/cqBY8UpqhPxqfTFSwEwHGqn66PeuYgCpjoXHIBVyn/s+I3CZ Be8udYwi3KXBYrMGppzFp5PklwkqrUIFFouF2ijtPBjKfZpte9/ZOGWxvZMux6Ev rqFaq/zf9DjvQ3BSwHh2QuQKK5WnGQVuwjDWHR/vso4bApErHFhDWvGAIFyFxRsK W70DUeUxSScNjNKDgyxzRUV18VF0IN8zMXfh4hCMtoq6+XzDG/DUBt6fBFXaZCun kWyCTZk+9sMkGVlL8kAB2UPbAjfuDRAijouwC+u0j0VRMXlsAWM= =ju/p -----END PGP SIGNATURE----- Merge 4.19.6 into android-4.19 Changes in 4.19.6 HID: steam: remove input device when a hid client is running. efi/libstub: arm: support building with clang usb: core: Fix hub port connection events lost usb: dwc3: gadget: fix ISOC TRB type on unaligned transfers usb: dwc3: gadget: Properly check last unaligned/zero chain TRB usb: dwc3: core: Clean up ULPI device usb: dwc3: Fix NULL pointer exception in dwc3_pci_remove() xhci: Fix leaking USB3 shared_hcd at xhci removal xhci: handle port status events for removed USB3 hcd xhci: Add check for invalid byte size error when UAS devices are connected. usb: xhci: fix uninitialized completion when USB3 port got wrong status usb: xhci: fix timeout for transition from RExit to U0 xhci: Add quirk to workaround the errata seen on Cavium Thunder-X2 Soc usb: xhci: Prevent bus suspend if a port connect change or polling state is detected ALSA: oss: Use kvzalloc() for local buffer allocations MAINTAINERS: Add Sasha as a stable branch maintainer Documentation/security-bugs: Clarify treatment of embargoed information Documentation/security-bugs: Postpone fix publication in exceptional cases mmc: sdhci-pci: Try "cd" for card-detect lookup before using NULL mmc: sdhci-pci: Workaround GLK firmware failing to restore the tuning value gpio: don't free unallocated ida on gpiochip_add_data_with_key() error path iwlwifi: fix wrong WGDS_WIFI_DATA_SIZE iwlwifi: mvm: support sta_statistics() even on older firmware iwlwifi: mvm: fix regulatory domain update when the firmware starts iwlwifi: mvm: don't use SAR Geo if basic SAR is not used brcmfmac: fix reporting support for 160 MHz channels opp: ti-opp-supply: Dynamically update u_volt_min opp: ti-opp-supply: Correct the supply in _get_optimal_vdd_voltage call tools/power/cpupower: fix compilation with STATIC=true v9fs_dir_readdir: fix double-free on p9stat_read error selinux: Add __GFP_NOWARN to allocation at str_read() Input: synaptics - avoid using uninitialized variable when probing bfs: add sanity check at bfs_fill_super() sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd llc: do not use sk_eat_skb() mm: don't warn about large allocations for slab mm/memory.c: recheck page table entry with page table lock held tcp: do not release socket ownership in tcp_close() drm/fb-helper: Blacklist writeback when adding connectors to fbdev drm/amdgpu: Add missing firmware entry for HAINAN drm/vc4: Set ->legacy_cursor_update to false when doing non-async updates drm/amdgpu: Fix oops when pp_funcs->switch_power_profile is unset drm/i915: Disable LP3 watermarks on all SNB machines drm/ast: change resolution may cause screen blurred drm/ast: fixed cursor may disappear sometimes drm/ast: Remove existing framebuffers before loading driver can: flexcan: Unlock the MB unconditionally can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb() can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb is accessed out of bounds can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb can: rx-offload: introduce can_rx_offload_get_echo_skb() and can_rx_offload_queue_sorted() functions can: rx-offload: rename can_rx_offload_irq_queue_err_skb() to can_rx_offload_queue_tail() can: flexcan: use can_rx_offload_queue_sorted() for flexcan_irq_bus_*() can: flexcan: handle tx-complete CAN frames via rx-offload infrastructure can: raw: check for CAN FD capable netdev in raw_sendmsg() can: hi311x: Use level-triggered interrupt can: flexcan: Always use last mailbox for TX can: flexcan: remove not needed struct flexcan_priv::tx_mb and struct flexcan_priv::tx_mb_idx ACPICA: AML interpreter: add region addresses in global list during initialization IB/hfi1: Eliminate races in the SDMA send error path fsnotify: generalize handling of extra event flags fanotify: fix handling of events on child sub-directory pinctrl: meson: fix pinconf bias disable pinctrl: meson: fix gxbb ao pull register bits pinctrl: meson: fix gxl ao pull register bits pinctrl: meson: fix meson8 ao pull register bits pinctrl: meson: fix meson8b ao pull register bits tools/testing/nvdimm: Fix the array size for dimm devices. scsi: lpfc: fix remoteport access scsi: hisi_sas: Remove set but not used variable 'dq_list' KVM: PPC: Move and undef TRACE_INCLUDE_PATH/FILE cpufreq: imx6q: add return value check for voltage scale rtc: cmos: Do not export alarm rtc_ops when we do not support alarms rtc: pcf2127: fix a kmemleak caused in pcf2127_i2c_gather_write crypto: simd - correctly take reqsize of wrapped skcipher into account floppy: fix race condition in __floppy_read_block_0() powerpc/io: Fix the IO workarounds code to work with Radix sched/fair: Fix cpu_util_wake() for 'execl' type workloads perf/x86/intel/uncore: Add more IMC PCI IDs for KabyLake and CoffeeLake CPUs block: copy ioprio in __bio_clone_fast() and bounce SUNRPC: Fix a bogus get/put in generic_key_to_expire() riscv: add missing vdso_install target RISC-V: Silence some module warnings on 32-bit drm/amdgpu: fix bug with IH ring setup kdb: Use strscpy with destination buffer size NFSv4: Fix an Oops during delegation callbacks powerpc/numa: Suppress "VPHN is not supported" messages efi/arm: Revert deferred unmap of early memmap mapping z3fold: fix possible reclaim races mm, memory_hotplug: check zone_movable in has_unmovable_pages tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative offset mm, page_alloc: check for max order in hot path dax: Avoid losing wakeup in dax_lock_mapping_entry include/linux/pfn_t.h: force '~' to be parsed as an unary operator tty: wipe buffer. tty: wipe buffer if not echoing data gfs2: Fix iomap buffer head reference counting bug rcu: Make need_resched() respond to urgent RCU-QS needs media: ov5640: Re-work MIPI startup sequence media: ov5640: Fix timings setup code media: ov5640: fix exposure regression media: ov5640: fix auto gain & exposure when changing mode media: ov5640: fix wrong binning value in exposure calculation media: ov5640: fix auto controls values when switching to manual mode Linux 4.19.6 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Eric Biggers
|
f467c4ad23 |
BACKPORT, FROMGIT: crypto: adiantum - add Adiantum support
Add support for the Adiantum encryption mode. Adiantum was designed by
Paul Crowley and is specified by our paper:
Adiantum: length-preserving encryption for entry-level processors
(https://eprint.iacr.org/2018/720.pdf)
See our paper for full details; this patch only provides an overview.
Adiantum is a tweakable, length-preserving encryption mode designed for
fast and secure disk encryption, especially on CPUs without dedicated
crypto instructions. Adiantum encrypts each sector using the XChaCha12
stream cipher, two passes of an ε-almost-∆-universal (εA∆U) hash
function, and an invocation of the AES-256 block cipher on a single
16-byte block. On CPUs without AES instructions, Adiantum is much
faster than AES-XTS; for example, on ARM Cortex-A7, on 4096-byte sectors
Adiantum encryption is about 4 times faster than AES-256-XTS encryption,
and decryption about 5 times faster.
Adiantum is a specialization of the more general HBSH construction. Our
earlier proposal, HPolyC, was also a HBSH specialization, but it used a
different εA∆U hash function, one based on Poly1305 only. Adiantum's
εA∆U hash function, which is based primarily on the "NH" hash function
like that used in UMAC (RFC4418), is about twice as fast as HPolyC's;
consequently, Adiantum is about 20% faster than HPolyC.
This speed comes with no loss of security: Adiantum is provably just as
secure as HPolyC, in fact slightly *more* secure. Like HPolyC,
Adiantum's security is reducible to that of XChaCha12 and AES-256,
subject to a security bound. XChaCha12 itself has a security reduction
to ChaCha12. Therefore, one need not "trust" Adiantum; one need only
trust ChaCha12 and AES-256. Note that the εA∆U hash function is only
used for its proven combinatorical properties so cannot be "broken".
Adiantum is also a true wide-block encryption mode, so flipping any
plaintext bit in the sector scrambles the entire ciphertext, and vice
versa. No other such mode is available in the kernel currently; doing
the same with XTS scrambles only 16 bytes. Adiantum also supports
arbitrary-length tweaks and naturally supports any length input >= 16
bytes without needing "ciphertext stealing".
For the stream cipher, Adiantum uses XChaCha12 rather than XChaCha20 in
order to make encryption feasible on the widest range of devices.
Although the 20-round variant is quite popular, the best known attacks
on ChaCha are on only 7 rounds, so ChaCha12 still has a substantial
security margin; in fact, larger than AES-256's. 12-round Salsa20 is
also the eSTREAM recommendation. For the block cipher, Adiantum uses
AES-256, despite it having a lower security margin than XChaCha12 and
needing table lookups, due to AES's extensive adoption and analysis
making it the obvious first choice. Nevertheless, for flexibility this
patch also permits the "adiantum" template to be instantiated with
XChaCha20 and/or with an alternate block cipher.
We need Adiantum support in the kernel for use in dm-crypt and fscrypt,
where currently the only other suitable options are block cipher modes
such as AES-XTS. A big problem with this is that many low-end mobile
devices (e.g. Android Go phones sold primarily in developing countries,
as well as some smartwatches) still have CPUs that lack AES
instructions, e.g. ARM Cortex-A7. Sadly, AES-XTS encryption is much too
slow to be viable on these devices. We did find that some "lightweight"
block ciphers are fast enough, but these suffer from problems such as
not having much cryptanalysis or being too controversial.
The ChaCha stream cipher has excellent performance but is insecure to
use directly for disk encryption, since each sector's IV is reused each
time it is overwritten. Even restricting the threat model to offline
attacks only isn't enough, since modern flash storage devices don't
guarantee that "overwrites" are really overwrites, due to wear-leveling.
Adiantum avoids this problem by constructing a
"tweakable super-pseudorandom permutation"; this is the strongest
possible security model for length-preserving encryption.
Of course, storing random nonces along with the ciphertext would be the
ideal solution. But doing that with existing hardware and filesystems
runs into major practical problems; in most cases it would require data
journaling (like dm-integrity) which severely degrades performance.
Thus, for now length-preserving encryption is still needed.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit
|
||
|
Eric Biggers
|
79ef30f702 |
FROMGIT: crypto: nhpoly1305 - add NHPoly1305 support
Add a generic implementation of NHPoly1305, an ε-almost-∆-universal hash
function used in the Adiantum encryption mode.
CONFIG_NHPOLY1305 is not selectable by itself since there won't be any
real reason to enable it without also enabling Adiantum support.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit
|
||
|
Eric Biggers
|
d58e9722fb |
FROMGIT: crypto: poly1305 - add Poly1305 core API
Expose a low-level Poly1305 API which implements the
ε-almost-∆-universal (εA∆U) hash function underlying the Poly1305 MAC
and supports block-aligned inputs only.
This is needed for Adiantum hashing, which builds an εA∆U hash function
from NH and a polynomial evaluation in GF(2^{130}-5); this polynomial
evaluation is identical to the one the Poly1305 MAC does. However, the
crypto_shash Poly1305 API isn't very appropriate for this because its
calling convention assumes it is used as a MAC, with a 32-byte "one-time
key" provided for every digest.
But by design, in Adiantum hashing the performance of the polynomial
evaluation isn't nearly as critical as NH. So it suffices to just have
some C helper functions. Thus, this patch adds such functions.
Acked-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit
|
||
|
Eric Biggers
|
9d4eee316a |
FROMGIT: crypto: poly1305 - use structures for key and accumulator
In preparation for exposing a low-level Poly1305 API which implements
the ε-almost-∆-universal (εA∆U) hash function underlying the Poly1305
MAC and supports block-aligned inputs only, create structures
poly1305_key and poly1305_state which hold the limbs of the Poly1305
"r" key and accumulator, respectively.
These structures could actually have the same type (e.g. poly1305_val),
but different types are preferable, to prevent misuse.
Acked-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit
|
||
|
Eric Biggers
|
8eee8e5f44 |
FROMGIT: crypto: chacha - add XChaCha12 support
Now that the generic implementation of ChaCha20 has been refactored to
allow varying the number of rounds, add support for XChaCha12, which is
the XSalsa construction applied to ChaCha12. ChaCha12 is one of the
three ciphers specified by the original ChaCha paper
(https://cr.yp.to/chacha/chacha-20080128.pdf: "ChaCha, a variant of
Salsa20"), alongside ChaCha8 and ChaCha20. ChaCha12 is faster than
ChaCha20 but has a lower, but still large, security margin.
We need XChaCha12 support so that it can be used in the Adiantum
encryption mode, which enables disk/file encryption on low-end mobile
devices where AES-XTS is too slow as the CPUs lack AES instructions.
We'd prefer XChaCha20 (the more popular variant), but it's too slow on
some of our target devices, so at least in some cases we do need the
XChaCha12-based version. In more detail, the problem is that Adiantum
is still much slower than we're happy with, and encryption still has a
quite noticeable effect on the feel of low-end devices. Users and
vendors push back hard against encryption that degrades the user
experience, which always risks encryption being disabled entirely. So
we need to choose the fastest option that gives us a solid margin of
security, and here that's XChaCha12. The best known attack on ChaCha
breaks only 7 rounds and has 2^235 time complexity, so ChaCha12's
security margin is still better than AES-256's. Much has been learned
about cryptanalysis of ARX ciphers since Salsa20 was originally designed
in 2005, and it now seems we can be comfortable with a smaller number of
rounds. The eSTREAM project also suggests the 12-round version of
Salsa20 as providing the best balance among the different variants:
combining very good performance with a "comfortable margin of security".
Note that it would be trivial to add vanilla ChaCha12 in addition to
XChaCha12. However, it's unneeded for now and therefore is omitted.
As discussed in the patch that introduced XChaCha20 support, I
considered splitting the code into separate chacha-common, chacha20,
xchacha20, and xchacha12 modules, so that these algorithms could be
enabled/disabled independently. However, since nearly all the code is
shared anyway, I ultimately decided there would have been little benefit
to the added complexity.
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit
|
||
|
Eric Biggers
|
f816abd103 |
BACKPORT, FROMGIT: crypto: chacha20-generic - refactor to allow varying number of rounds
In preparation for adding XChaCha12 support, rename/refactor
chacha20-generic to support different numbers of rounds. The
justification for needing XChaCha12 support is explained in more detail
in the patch "crypto: chacha - add XChaCha12 support".
The only difference between ChaCha{8,12,20} are the number of rounds
itself; all other parts of the algorithm are the same. Therefore,
remove the "20" from all definitions, structures, functions, files, etc.
that will be shared by all ChaCha versions.
Also make ->setkey() store the round count in the chacha_ctx (previously
chacha20_ctx). The generic code then passes the round count through to
chacha_block(). There will be a ->setkey() function for each explicitly
allowed round count; the encrypt/decrypt functions will be the same. I
decided not to do it the opposite way (same ->setkey() function for all
round counts, with different encrypt/decrypt functions) because that
would have required more boilerplate code in architecture-specific
implementations of ChaCha and XChaCha.
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit
|
||
|
Eric Biggers
|
74fd3f7ed6 |
FROMGIT: crypto: chacha20-generic - add XChaCha20 support
Add support for the XChaCha20 stream cipher. XChaCha20 is the
application of the XSalsa20 construction
(https://cr.yp.to/snuffle/xsalsa-20081128.pdf) to ChaCha20 rather than
to Salsa20. XChaCha20 extends ChaCha20's nonce length from 64 bits (or
96 bits, depending on convention) to 192 bits, while provably retaining
ChaCha20's security. XChaCha20 uses the ChaCha20 permutation to map the
key and first 128 nonce bits to a 256-bit subkey. Then, it does the
ChaCha20 stream cipher with the subkey and remaining 64 bits of nonce.
We need XChaCha support in order to add support for the Adiantum
encryption mode. Note that to meet our performance requirements, we
actually plan to primarily use the variant XChaCha12. But we believe
it's wise to first add XChaCha20 as a baseline with a higher security
margin, in case there are any situations where it can be used.
Supporting both variants is straightforward.
Since XChaCha20's subkey differs for each request, XChaCha20 can't be a
template that wraps ChaCha20; that would require re-keying the
underlying ChaCha20 for every request, which wouldn't be thread-safe.
Instead, we make XChaCha20 its own top-level algorithm which calls the
ChaCha20 streaming implementation internally.
Similar to the existing ChaCha20 implementation, we define the IV to be
the nonce and stream position concatenated together. This allows users
to seek to any position in the stream.
I considered splitting the code into separate chacha20-common, chacha20,
and xchacha20 modules, so that chacha20 and xchacha20 could be
enabled/disabled independently. However, since nearly all the code is
shared anyway, I ultimately decided there would have been little benefit
to the added complexity of separate modules.
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit
|
||
|
Eric Biggers
|
e9320e4375 |
FROMGIT: crypto: chacha20-generic - don't unnecessarily use atomic walk
chacha20-generic doesn't use SIMD instructions or otherwise disable
preemption, so passing atomic=true to skcipher_walk_virt() is
unnecessary.
Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit
|
||
|
Eric Biggers
|
a80f702696 |
FROMGIT: crypto: arm/aes - add some hardening against cache-timing attacks
Make the ARM scalar AES implementation closer to constant-time by
disabling interrupts and prefetching the tables into L1 cache. This is
feasible because due to ARM's "free" rotations, the main tables are only
1024 bytes instead of the usual 4096 used by most AES implementations.
On ARM Cortex-A7, the speed loss is only about 5%. The resulting code
is still over twice as fast as aes_ti.c. Responsiveness is potentially
a concern, but interrupts are only disabled for a single AES block.
Note that even after these changes, the implementation still isn't
necessarily guaranteed to be constant-time; see
https://cr.yp.to/antiforgery/cachetiming-20050414.pdf for a discussion
of the many difficulties involved in writing truly constant-time AES
software. But it's valuable to make such attacks more difficult.
Much of this patch is based on patches suggested by Ard Biesheuvel.
Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit
|
||
|
Eric Biggers
|
8e2d31a6e3 |
UPSTREAM: crypto: chacha20 - Fix chacha20_block() keystream alignment (again)
In commit |
||
|
Ard Biesheuvel
|
c587ba480e |
crypto: simd - correctly take reqsize of wrapped skcipher into account
[ Upstream commit
|
||
|
Eric Biggers
|
a0f044f025 |
crypto: user - fix leaking uninitialized memory to userspace
commit |
||
|
Jason A. Donenfeld
|
3252b60cf8 |
crypto: speck - remove Speck
commit
|
||
|
Ard Biesheuvel
|
4f1f952246 |
crypto: aegis/generic - fix for big endian systems
commit |
||
|
Ard Biesheuvel
|
964f374b3b |
crypto: morus/generic - fix for big endian systems
commit |
||
|
Horia Geantă
|
94c7bb6598 |
crypto: tcrypt - fix ghash-generic speed test
commit |
||
|
Ondrej Mosnacek
|
c2ff394968 |
crypto: lrw - Fix out-of bounds access on counter overflow
commit |
||
|
Karsten Graul
|
fd54c188b3 |
Revert "net: simplify sock_poll_wait"
[ Upstream commit |
||
|
Linus Torvalds
|
13bf2cf9e2 |
DMAengine updates for v4.19-rc1
This round brings couple of framework changes, a new driver and usual driver
updates:
- New managed helper for dmaengine framework registration
- Split dmaengine pause capability to pause and resume and allow drivers to
report that individually
- Update dma_request_chan_by_mask() to handle deferred probing
- Move imx-sdma to use virt-dma
- New driver for Actions Semi Owl family S900 controller
- Minor updates to intel, renesas, mv_xor, pl330 etc
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJbdsctAAoJEHwUBw8lI4NHZrIP/3/HrNSUKApt1KdOcG5UA7nu
7O3BcvkAahmM285Hw3a/zLEnSm2sJ/6EI0lN1sz+VYi8IECG7nbCyHQh3Bd1Mxi1
XLHafdTGcI5b7rpicNtRS1BHCPtNrgOypFxs8b/bTatbzc/aWM8K8WFLX27sqGZT
1Sb2nNKKrVbQDVqJ+1ZEQ4q86w61tPHmmRH0icl1DAQREfsvbu/bRMdol5H7/orx
A+ZGH39Ig3FI8/Ri8KccqShvG0VM1yCVJca+0j30IL1x4JNZ36uG+NQbtkBIkOJC
kk9qfCu3ugm4NOtfKGOtkmmOwE9/GirRh+QMPpSmi6oQu4vdOVxyQyYpKukHIer1
vxwpvo2b+3POMfHi1kuqDJhcGIEPak6tH2Oyd01l7nA7Lyww9iC2AyiL89knw+i6
aUK4oHIhf2fFLUN6/ck4JbBqQ3MrDNraZfLJcnmQPtpTftW9Yqd2yqs7Cf1gcBC9
jyLAekJENiUmaNJsL5nJUMDVGG0lIiOnfwtPNfPZJuWu+4doKb2pM4+Ljcyfn2g0
ub4fPfXp0wcFaVarjpQr6T0tdZVMpmrPSTPGS5BdVZbWntrNOpiHmmPVEOLNz3zb
ibIMFn478/RYYB5pcNtHkUaOF4tu0w46fSqRp1ixkey+FIHKlj8/B+YeaAJF0nJh
fc4XaTTJgLufzc1F0ztU
=kbCC
-----END PGP SIGNATURE-----
Merge tag 'dmaengine-4.19-rc1' of git://git.infradead.org/users/vkoul/slave-dma
Pull DMAengine updates from Vinod Koul:
"This round brings couple of framework changes, a new driver and usual
driver updates:
- new managed helper for dmaengine framework registration
- split dmaengine pause capability to pause and resume and allow
drivers to report that individually
- update dma_request_chan_by_mask() to handle deferred probing
- move imx-sdma to use virt-dma
- new driver for Actions Semi Owl family S900 controller
- minor updates to intel, renesas, mv_xor, pl330 etc"
* tag 'dmaengine-4.19-rc1' of git://git.infradead.org/users/vkoul/slave-dma: (46 commits)
dmaengine: Add Actions Semi Owl family S900 DMA driver
dt-bindings: dmaengine: Add binding for Actions Semi Owl SoCs
dmaengine: sh: rcar-dmac: Should not stop the DMAC by rcar_dmac_sync_tcr()
dmaengine: mic_x100_dma: use the new helper to simplify the code
dmaengine: add a new helper dmaenginem_async_device_register
dmaengine: imx-sdma: add memcpy interface
dmaengine: imx-sdma: add SDMA_BD_MAX_CNT to replace '0xffff'
dmaengine: dma_request_chan_by_mask() to handle deferred probing
dmaengine: pl330: fix irq race with terminate_all
dmaengine: Revert "dmaengine: mv_xor_v2: enable COMPILE_TEST"
dmaengine: mv_xor_v2: use {lower,upper}_32_bits to configure HW descriptor address
dmaengine: mv_xor_v2: enable COMPILE_TEST
dmaengine: mv_xor_v2: move unmap to before callback
dmaengine: mv_xor_v2: convert callback to helper function
dmaengine: mv_xor_v2: kill the tasklets upon exit
dmaengine: mv_xor_v2: explicitly freeup irq
dmaengine: sh: rcar-dmac: Add dma_pause operation
dmaengine: sh: rcar-dmac: add a new function to clear CHCR.DE with barrier
dmaengine: idma64: Support dmaengine_terminate_sync()
dmaengine: hsu: Support dmaengine_terminate_sync()
...
|
||
|
Yannik Sembritzki
|
817aef2600 |
Replace magic for trusting the secondary keyring with #define
Replace the use of a magic number that indicates that verify_*_signature() should use the secondary keyring with a symbol. Signed-off-by: Yannik Sembritzki <yannik@sembritzki.me> Signed-off-by: David Howells <dhowells@redhat.com> Cc: keyrings@vger.kernel.org Cc: linux-security-module@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
|
Linus Torvalds
|
f91e654474 |
Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull integrity updates from James Morris: "This adds support for EVM signatures based on larger digests, contains a new audit record AUDIT_INTEGRITY_POLICY_RULE to differentiate the IMA policy rules from the IMA-audit messages, addresses two deadlocks due to either loading or searching for crypto algorithms, and cleans up the audit messages" * 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: EVM: fix return value check in evm_write_xattrs() integrity: prevent deadlock during digsig verification. evm: Allow non-SHA1 digital signatures evm: Don't deadlock if a crypto algorithm is unavailable integrity: silence warning when CONFIG_SECURITYFS is not enabled ima: Differentiate auditing policy rules from "audit" actions ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set ima: Use audit_log_format() rather than audit_log_string() ima: Call audit_log_string() rather than logging it untrusted |
||
|
Linus Torvalds
|
dafa5f6577 |
Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Pull crypto updates from Herbert Xu: "API: - Fix dcache flushing crash in skcipher. - Add hash finup self-tests. - Reschedule during speed tests. Algorithms: - Remove insecure vmac and replace it with vmac64. - Add public key verification for DH/ECDH. Drivers: - Decrease priority of sha-mb on x86. - Improve NEON latency/throughput on ARM64. - Add md5/sha384/sha512/des/3des to inside-secure. - Support eip197d in inside-secure. - Only register algorithms supported by the host in virtio. - Add cts and remove incompatible cts1 from ccree. - Add hisilicon SEC security accelerator driver. - Replace msm hwrng driver with qcom pseudo rng driver. Misc: - Centralize CRC polynomials" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (121 commits) crypto: arm64/ghash-ce - implement 4-way aggregation crypto: arm64/ghash-ce - replace NEON yield check with block limit crypto: hisilicon - sec_send_request() can be static lib/mpi: remove redundant variable esign crypto: arm64/aes-ce-gcm - don't reload key schedule if avoidable crypto: arm64/aes-ce-gcm - implement 2-way aggregation crypto: arm64/aes-ce-gcm - operate on two input blocks at a time crypto: dh - make crypto_dh_encode_key() make robust crypto: dh - fix calculating encoded key size crypto: ccp - Check for NULL PSP pointer at module unload crypto: arm/chacha20 - always use vrev for 16-bit rotates crypto: ccree - allow bigger than sector XTS op crypto: ccree - zero all of request ctx before use crypto: ccree - remove cipher ivgen left overs crypto: ccree - drop useless type flag during reg crypto: ablkcipher - fix crash flushing dcache in error path crypto: blkcipher - fix crash flushing dcache in error path crypto: skcipher - fix crash flushing dcache in error path crypto: skcipher - remove unnecessary setting of walk->nbytes crypto: scatterwalk - remove scatterwalk_samebuf() ... |
||
|
Eric Biggers
|
d6e43798b3 |
crypto: dh - make crypto_dh_encode_key() make robust
Make it return -EINVAL if crypto_dh_key_len() is incorrect rather than overflowing the buffer. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
Eric Biggers
|
35f7d5225f |
crypto: dh - fix calculating encoded key size
It was forgotten to increase DH_KPP_SECRET_MIN_SIZE to include 'q_size',
causing an out-of-bounds write of 4 bytes in crypto_dh_encode_key(), and
an out-of-bounds read of 4 bytes in crypto_dh_decode_key(). Fix it, and
fix the lengths of the test vectors to match this.
Reported-by: syzbot+6d38d558c25b53b8f4ed@syzkaller.appspotmail.com
Fixes:
|
||
|
Eric Biggers
|
318abdfbe7 |
crypto: ablkcipher - fix crash flushing dcache in error path
Like the skcipher_walk and blkcipher_walk cases:
scatterwalk_done() is only meant to be called after a nonzero number of
bytes have been processed, since scatterwalk_pagedone() will flush the
dcache of the *previous* page. But in the error case of
ablkcipher_walk_done(), e.g. if the input wasn't an integer number of
blocks, scatterwalk_done() was actually called after advancing 0 bytes.
This caused a crash ("BUG: unable to handle kernel paging request")
during '!PageSlab(page)' on architectures like arm and arm64 that define
ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
page-aligned as in that case walk->offset == 0.
Fix it by reorganizing ablkcipher_walk_done() to skip the
scatterwalk_advance() and scatterwalk_done() if an error has occurred.
Reported-by: Liu Chao <liuchao741@huawei.com>
Fixes:
|
||
|
Eric Biggers
|
0868def3e4 |
crypto: blkcipher - fix crash flushing dcache in error path
Like the skcipher_walk case:
scatterwalk_done() is only meant to be called after a nonzero number of
bytes have been processed, since scatterwalk_pagedone() will flush the
dcache of the *previous* page. But in the error case of
blkcipher_walk_done(), e.g. if the input wasn't an integer number of
blocks, scatterwalk_done() was actually called after advancing 0 bytes.
This caused a crash ("BUG: unable to handle kernel paging request")
during '!PageSlab(page)' on architectures like arm and arm64 that define
ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
page-aligned as in that case walk->offset == 0.
Fix it by reorganizing blkcipher_walk_done() to skip the
scatterwalk_advance() and scatterwalk_done() if an error has occurred.
This bug was found by syzkaller fuzzing.
Reproducer, assuming ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE:
#include <linux/if_alg.h>
#include <sys/socket.h>
#include <unistd.h>
int main()
{
struct sockaddr_alg addr = {
.salg_type = "skcipher",
.salg_name = "ecb(aes-generic)",
};
char buffer[4096] __attribute__((aligned(4096))) = { 0 };
int fd;
fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(fd, (void *)&addr, sizeof(addr));
setsockopt(fd, SOL_ALG, ALG_SET_KEY, buffer, 16);
fd = accept(fd, NULL, NULL);
write(fd, buffer, 15);
read(fd, buffer, 15);
}
Reported-by: Liu Chao <liuchao741@huawei.com>
Fixes:
|
||
|
Eric Biggers
|
8088d3dd4d |
crypto: skcipher - fix crash flushing dcache in error path
scatterwalk_done() is only meant to be called after a nonzero number of
bytes have been processed, since scatterwalk_pagedone() will flush the
dcache of the *previous* page. But in the error case of
skcipher_walk_done(), e.g. if the input wasn't an integer number of
blocks, scatterwalk_done() was actually called after advancing 0 bytes.
This caused a crash ("BUG: unable to handle kernel paging request")
during '!PageSlab(page)' on architectures like arm and arm64 that define
ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
page-aligned as in that case walk->offset == 0.
Fix it by reorganizing skcipher_walk_done() to skip the
scatterwalk_advance() and scatterwalk_done() if an error has occurred.
This bug was found by syzkaller fuzzing.
Reproducer, assuming ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE:
#include <linux/if_alg.h>
#include <sys/socket.h>
#include <unistd.h>
int main()
{
struct sockaddr_alg addr = {
.salg_type = "skcipher",
.salg_name = "cbc(aes-generic)",
};
char buffer[4096] __attribute__((aligned(4096))) = { 0 };
int fd;
fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(fd, (void *)&addr, sizeof(addr));
setsockopt(fd, SOL_ALG, ALG_SET_KEY, buffer, 16);
fd = accept(fd, NULL, NULL);
write(fd, buffer, 15);
read(fd, buffer, 15);
}
Reported-by: Liu Chao <liuchao741@huawei.com>
Fixes:
|
||
|
Eric Biggers
|
2a57c0be22 |
crypto: skcipher - remove unnecessary setting of walk->nbytes
Setting 'walk->nbytes = walk->total' in skcipher_walk_first() doesn't make sense because actually walk->nbytes needs to be set to the length of the first step in the walk, which may be less than walk->total. This is done by skcipher_walk_next() which is called immediately afterwards. Also walk->nbytes was already set to 0 in skcipher_walk_skcipher(), which is a better default value in case it's forgotten to be set later. Therefore, remove the unnecessary assignment to walk->nbytes. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
Eric Biggers
|
8c30fbe63e |
crypto: scatterwalk - remove 'chain' argument from scatterwalk_crypto_chain()
All callers pass chain=0 to scatterwalk_crypto_chain(). Remove this unneeded parameter. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
Eric Biggers
|
0567fc9e90 |
crypto: skcipher - fix aligning block size in skcipher_copy_iv()
The ALIGN() macro needs to be passed the alignment, not the alignmask
(which is the alignment minus 1).
Fixes:
|
||
|
Horia Geantă
|
2af632996b |
crypto: tcrypt - reschedule during speed tests
Avoid RCU stalls in the case of non-preemptible kernel and lengthy speed tests by rescheduling when advancing from one block size to another. Signed-off-by: Horia Geantă <horia.geanta@nxp.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
Stephan Müller
|
43490e8046 |
crypto: drbg - in-place cipher operation for CTR
The cipher implementations of the kernel crypto API favor in-place
cipher operations. Thus, switch the CTR cipher operation in the DRBG to
perform in-place operations. This is implemented by using the output
buffer as input buffer and zeroizing it before the cipher operation to
implement a CTR encryption of a NULL buffer.
The speed improvement is quite visibile with the following comparison
using the LRNG implementation.
Without the patch set:
16 bytes| 12.267661 MB/s| 61338304 bytes | 5000000213 ns
32 bytes| 23.603770 MB/s| 118018848 bytes | 5000000073 ns
64 bytes| 46.732262 MB/s| 233661312 bytes | 5000000241 ns
128 bytes| 90.038042 MB/s| 450190208 bytes | 5000000244 ns
256 bytes| 160.399616 MB/s| 801998080 bytes | 5000000393 ns
512 bytes| 259.878400 MB/s| 1299392000 bytes | 5000001675 ns
1024 bytes| 386.050662 MB/s| 1930253312 bytes | 5000001661 ns
2048 bytes| 493.641728 MB/s| 2468208640 bytes | 5000001598 ns
4096 bytes| 581.835981 MB/s| 2909179904 bytes | 5000003426 ns
With the patch set:
16 bytes | 17.051142 MB/s | 85255712 bytes | 5000000854 ns
32 bytes | 32.695898 MB/s | 163479488 bytes | 5000000544 ns
64 bytes | 64.490739 MB/s | 322453696 bytes | 5000000954 ns
128 bytes | 123.285043 MB/s | 616425216 bytes | 5000000201 ns
256 bytes | 233.434573 MB/s | 1167172864 bytes | 5000000573 ns
512 bytes | 384.405197 MB/s | 1922025984 bytes | 5000000671 ns
1024 bytes | 566.313370 MB/s | 2831566848 bytes | 5000001080 ns
2048 bytes | 744.518042 MB/s | 3722590208 bytes | 5000000926 ns
4096 bytes | 867.501670 MB/s | 4337508352 bytes | 5000002181 ns
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||
|
Herbert Xu
|
c5f5aeef9b |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux
Merge mainline to pick up
|
||
|
Christoph Hellwig
|
dd979b4df8 |
net: simplify sock_poll_wait
The wait_address argument is always directly derived from the filp argument, so remove it. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: David S. Miller <davem@davemloft.net> |