* refs/heads/tmp-73dc755e:
Linux 4.19.17
nbd: Use set_blocksize() to set device blocksize
media: vb2: be sure to unlock mutex on errors
selftests: Fix test errors related to lib.mk khdr target
drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock
loop: drop caches if offset or block_size are changed
loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl()
loop: Get rid of 'nested' acquisition of loop_ctl_mutex
loop: Avoid circular locking dependency between loop_ctl_mutex and bd_mutex
loop: Fix deadlock when calling blkdev_reread_part()
loop: Move loop_reread_partitions() out of loop_ctl_mutex
loop: Move special partition reread handling in loop_clr_fd()
loop: Push loop_ctl_mutex down to loop_change_fd()
loop: Push loop_ctl_mutex down to loop_set_fd()
loop: Push loop_ctl_mutex down to loop_set_status()
loop: Push loop_ctl_mutex down to loop_get_status()
loop: Push loop_ctl_mutex down into loop_clr_fd()
loop: Split setting of lo_state from loop_clr_fd
loop: Push lo_ctl_mutex down into individual ioctls
loop: Get rid of loop_index_mutex
loop: Fold __loop_release into loop_release
block/loop: Use global lock for ioctl() operation.
block/loop: Don't grab "struct file" for vfs_getattr() operation.
tipc: fix uninit-value in tipc_nl_compat_doit
tipc: fix uninit-value in tipc_nl_compat_name_table_dump
tipc: fix uninit-value in tipc_nl_compat_link_set
tipc: fix uninit-value in tipc_nl_compat_bearer_enable
tipc: fix uninit-value in tipc_nl_compat_link_reset_stats
tipc: fix uninit-value in in tipc_conn_rcv_sub
sctp: allocate sctp_sockaddr_entry with kzalloc
blockdev: Fix livelocks on loop device
selinux: fix GPF on invalid policy
block: use rcu_work instead of call_rcu to avoid sleep in softirq
netfilter: ebtables: account ebt_table_info to kmemcg
sunrpc: handle ENOMEM in rpcb_getport_async
media: vb2: vb2_mmap: move lock up
LSM: Check for NULL cred-security on free
ipv6: make icmp6_send() robust against null skb->dev
bpf: in __bpf_redirect_no_mac pull mac only if present
media: vivid: set min width/height to a value > 0
media: vivid: fix error handling of kthread_run
omap2fb: Fix stack memory disclosure
fix int_sqrt64() for very large numbers
Disable MSI also when pcie-octeon.pcie_disable on
arm64: dts: marvell: armada-ap806: reserve PSCI area
arm64: kaslr: ensure randomized quantities are clean to the PoC
pstore/ram: Avoid allocation and leak of platform data
net: dsa: realtek-smi: fix OF child-node lookup
kbuild: Disable LD_DEAD_CODE_DATA_ELIMINATION with ftrace & GCC <= 4.7
RDMA/vmw_pvrdma: Return the correct opcode when creating WR
RDMA/nldev: Don't expose unsafe global rkey to regular user
media: v4l: ioctl: Validate num_planes for debug messages
mfd: tps6586x: Handle interrupts on suspend
OF: properties: add missing of_node_put
drm/i915/gvt: Fix mmap range check
MIPS: lantiq: Fix IPI interrupt handling
MIPS: BCM47XX: Setup struct device for the SoC
mips: fix n32 compat_ipc_parse_version
scsi: sd: Fix cache_type_store()
scsi: core: Synchronize request queue PM status only on successful resume
Yama: Check for pid death before checking ancestry
btrfs: wait on ordered extents on abort cleanup
Revert "btrfs: balance dirty metadata pages in btrfs_finish_ordered_io"
xen: Fix x86 sched_clock() interface for xen
crypto: talitos - fix ablkcipher for CONFIG_VMAP_STACK
crypto: talitos - reorder code in talitos_edesc_alloc()
crypto: authenc - fix parsing key with misaligned rta_len
crypto: bcm - convert to use crypto_authenc_extractkeys()
crypto: ccree - convert to use crypto_authenc_extractkeys()
crypto: authencesn - Avoid twice completion call in decrypt path
crypto: caam - fix zero-length buffer DMA mapping
crypto: sm3 - fix undefined shift by >= width of value
r8169: load Realtek PHY driver module before r8169
ip: on queued skb use skb_header_pointer instead of pskb_may_pull
bonding: update nest level on unlink
r8169: don't try to read counters if chip is in a PCI power-save state
smc: move unhash as early as possible in smc_release()
lan743x: Remove phy_read from link status change function
tun: publish tfile after it's fully initialized
tcp: change txhash on SYN-data timeout
packet: Do not leak dev refcounts on error exit
net: bridge: fix a bug on using a neighbour cache entry without checking its state
ipv6: fix kernel-infoleak in ipv6_local_error()
arm64: Don't trap host pointer auth use to EL2
arm64/kvm: consistently handle host HCR_EL2 flags
scsi: target: iscsi: cxgbit: fix csk leak
scsi: target: iscsi: cxgbit: fix csk leak
Revert "scsi: target: iscsi: cxgbit: fix csk leak"
mmc: sdhci-msm: Disable CDR function on TX
netfilter: nf_conncount: fix argument order to find_next_bit
netfilter: nf_conncount: speculative garbage collection on empty lists
netfilter: nf_conncount: move all list iterations under spinlock
netfilter: nf_conncount: merge lookup and add functions
netfilter: nf_conncount: restart search when nodes have been erased
netfilter: nf_conncount: split gc in two phases
netfilter: nf_conncount: don't skip eviction when age is negative
netfilter: nf_conncount: replace CONNCOUNT_LOCK_SLOTS with CONNCOUNT_SLOTS
can: gw: ensure DLC boundaries after CAN frame modification
tty: Don't hold ldisc lock in tty_reopen() if ldisc present
tty: Simplify tty->count math in tty_reopen()
tty: Hold tty_ldisc_lock() during tty_reopen()
tty/ldsem: Wake up readers after timed out down_write()
UPSTREAM: zram: idle writeback fixes and cleanup
UPSTREAM: zram: writeback throttle
UPSTREAM: zram: add bd_stat statistics
UPSTREAM: zram: support idle/huge page writeback
UPSTREAM: zram: introduce ZRAM_IDLE flag
UPSTREAM: zram: refactor flags and writeback stuff
UPSTREAM: zram: fix lockdep warning of free block handling
ANDROID: cuttlefish_defconfig: Enable vsock options
ANDROID: mnt: Propagate remount correctly
UPSTREAM: loop: drop caches if offset or block_size are changed
UPSTREAM: crypto: adiantum - initialize crypto_spawn::inst
UPSTREAM: crypto: adiantum - fix leaking reference to hash algorithm
UPSTREAM: crypto: adiantum - adjust some comments to match latest paper
UPSTREAM: crypto: adiantum - propagate CRYPTO_ALG_ASYNC flag to instance
Conflicts:
drivers/mmc/host/sdhci-msm.c
drivers/scsi/scsi_pm.c
Change-Id: I536e9aa79ee729312fd91c29f703dd2b9b29bd2f
Signed-off-by: Ivaylo Georgiev <irgeorgiev@codeaurora.org>
In the quest to remove all stack VLA usage from the kernel[1], this
replaces struct crypto_skcipher and SKCIPHER_REQUEST_ON_STACK() usage
with struct crypto_sync_skcipher and SYNC_SKCIPHER_REQUEST_ON_STACK(),
which uses a fixed stack size.
[1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com
Change-Id: I9f879e0a86eb4a9ff08d65a2128d230ec06e0f4c
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Git-Repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Git-Commit: 8d605398425843c7ce3c0e9a0434d832d3bd54cc
Signed-off-by: Rishabh Bhatnagar <rishabhb@codeaurora.org>
In crypto_authenc_esn_setkey we save pointers to the authenc keys
in a local variable of type struct crypto_authenc_keys and we don't
zeroize it after use. Fix this and don't leak pointers to the
authenc keys.
Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Since commit 499a66e6b6 ("crypto: null - Remove default null
blkcipher"), crypto_get_default_null_skcipher2() and
crypto_put_default_null_skcipher2() are the same as their non-2
equivalents. So switch callers of the "2" versions over to the original
versions and remove the "2" versions.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
When authencesn is used together with digest_null a crash will
occur on the decrypt path. This is because normally we perform
a special setup to preserve the ESN, but this is skipped if there
is no authentication. However, on the post-authentication path
it always expects the preservation to be in place, thus causing
a crash when digest_null is used.
This patch fixes this by also skipping the post-processing when
there is no authentication.
Fixes: 104880a6b4 ("crypto: authencesn - Convert to new AEAD...")
Cc: <stable@vger.kernel.org>
Reported-by: Jan Tluka <jtluka@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Since commit 3a01d0ee2b ("crypto: skcipher - Remove top-level
givcipher interface"), crypto_spawn_skcipher2() and
crypto_spawn_skcipher() are equivalent. So switch callers of
crypto_spawn_skcipher2() to crypto_spawn_skcipher() and remove it.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Since commit 3a01d0ee2b ("crypto: skcipher - Remove top-level
givcipher interface"), crypto_grab_skcipher2() and
crypto_grab_skcipher() are equivalent. So switch callers of
crypto_grab_skcipher2() to crypto_grab_skcipher() and remove it.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch converts authencesn to use the new skcipher interface as
opposed to ablkcipher.
It also fixes a little bug where if a sync version of authencesn
is requested we may still end up using an async ahash. This should
have no effect as none of the authencesn users can request for a
sync authencesn.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
As it is, if you get an async ahash with a sync skcipher you'll
end up with a sync authenc, which is wrong.
This patch fixes it by considering the ASYNC bit from ahash as
well.
It also fixes a little bug where if a sync version of authenc
is requested we may still end up using an async ahash.
Neither of them should have any effect as none of the authenc
users can request for a sync authenc.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
The ESP code has been updated to generate a completely linear
AD SG list. This unfortunately broke authencesn which expects
the AD to be divided into at least three parts.
This patch fixes it to cope with the new format. Later we will
fix it properly to accept arbitrary input and not rely on the
input being linear as part of the AEAD conversion.
Fixes: 7021b2e1cd ("esp4: Switch to new AEAD interface")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch uses the crypto_aead_set_reqsize helper to avoid directly
touching the internals of aead.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This adds the module loading prefix "crypto-" to the template lookup
as well.
For example, attempting to load 'vfat(blowfish)' via AF_ALG now correctly
includes the "crypto-" prefix at every level, correctly rejecting "vfat":
net-pf-38
algif-hash
crypto-vfat(blowfish)
crypto-vfat(blowfish)-all
crypto-vfat
Reported-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Use the common helper function crypto_authenc_extractkeys() for key
parsing.
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Mathias Krause <mathias.krause@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
When comparing MAC hashes, AEAD authentication tags, or other hash
values in the context of authentication or integrity checking, it
is important not to leak timing information to a potential attacker,
i.e. when communication happens over a network.
Bytewise memory comparisons (such as memcmp) are usually optimized so
that they return a nonzero value as soon as a mismatch is found. E.g.,
on x86_64/i5 for 512 bytes this can be ~50 cyc for a full mismatch
and up to ~850 cyc for a full match (cold). This early-return behavior
can leak timing information as a side channel, allowing an attacker to
iteratively guess the correct result.
This patch adds a new method crypto_memneq ("memory not equal to each
other") to the crypto API that compares memory areas of the same length
in roughly "constant time" (cache misses could change the timing, but
since they don't reveal information about the content of the strings
being compared, they are effectively benign). Iow, best and worst case
behaviour take the same amount of time to complete (in contrast to
memcmp).
Note that crypto_memneq (unlike memcmp) can only be used to test for
equality or inequality, NOT for lexicographical order. This, however,
is not an issue for its use-cases within the crypto API.
We tried to locate all of the places in the crypto API where memcmp was
being used for authentication or integrity checking, and convert them
over to crypto_memneq.
crypto_memneq is declared noinline, placed in its own source file,
and compiled with optimizations that might increase code size disabled
("Os") because a smart compiler (or LTO) might notice that the return
value is always compared against zero/nonzero, and might then
reintroduce the same early-return optimization that we are trying to
avoid.
Using #pragma or __attribute__ optimization annotations of the code
for disabling optimization was avoided as it seems to be considered
broken or unmaintained for a long time in GCC [1]. Therefore, we work
around that by specifying the compile flag for memneq.o directly in
the Makefile. We found that this seems to be most appropriate.
As we use ("Os"), this patch also provides a loop-free "fast-path" for
frequently used 16 byte digests. Similarly to kernel library string
functions, leave an option for future even further optimized architecture
specific assembler implementations.
This was a joint work of James Yonan and Daniel Borkmann. Also thanks
for feedback from Florian Weimer on this and earlier proposals [2].
[1] http://gcc.gnu.org/ml/gcc/2012-07/msg00211.html
[2] https://lkml.org/lkml/2013/2/10/131
Signed-off-by: James Yonan <james@openvpn.net>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Florian Weimer <fw@deneb.enyo.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
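
The difference between an early-return comparison and a constant-time one, as an added example that is not the kernel's crypto_memneq source or part of the commit above. The names `leaky_neq`, `ct_memneq`, `probe` and the `TAG` bytes are constructed for illustration, and a byte counter stands in for measured time; the volatile accumulator is this sketch's substitute for the build-flag approach the commit describes.

```c
#include <stddef.h>
#include <stdio.h>

static size_t bytes_examined;   /* stands in for the time an observer measures */

/* memcmp()-style test: stops at the first mismatching byte. */
static int leaky_neq(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        bytes_examined++;
        if (a[i] != b[i])
            return 1;
    }
    return 0;
}

/* Hypothetical ct_memneq(): OR together the XOR of every byte pair, so the
 * loop always runs n times. The volatile accumulator (an assumption of this
 * sketch) keeps the compiler from reintroducing an early exit. */
static int ct_memneq(const unsigned char *a, const unsigned char *b, size_t n)
{
    volatile unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) {
        bytes_examined++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff != 0;   /* 0 = equal, 1 = not equal; no ordering information */
}

/* Constructed 16-byte tag; not taken from any real system. */
static const unsigned char TAG[16] = {
    0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x48, 0xb6, 0x1d,
    0x7f, 0xc3, 0x20, 0x9e, 0x55, 0xa8, 0x0b, 0xf4 };

/* Compare TAG with a guess whose first `good` bytes are right. */
static int probe(int constant_time, size_t good)
{
    unsigned char guess[16];
    for (size_t i = 0; i < 16; i++)
        guess[i] = i < good ? TAG[i] : (unsigned char)~TAG[i];
    bytes_examined = 0;
    return constant_time ? ct_memneq(TAG, guess, 16) : leaky_neq(TAG, guess, 16);
}

int main(void)
{
    for (size_t good = 0; good <= 16; good += 4) {
        int r1 = probe(0, good); size_t s1 = bytes_examined;
        int r2 = probe(1, good); size_t s2 = bytes_examined;
        printf("prefix %2zu: leaky neq=%d after %2zu bytes, ct neq=%d after %2zu bytes\n",
               good, r1, s1, r2, s2);
    }
    return 0;
}
```

The leaky variant's work grows with the length of the correct prefix, which is the signal the commit message describes; the constant-time variant always touches all 16 bytes.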
Replace PTR_ERR followed by ERR_PTR by ERR_CAST, to be more concise.
The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)
// <smpl>
@@
expression err,x;
@@
- err = PTR_ERR(x);
if (IS_ERR(x))
- return ERR_PTR(err);
+ return ERR_CAST(x);
// </smpl>
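Review bot: the rule deletes "err = PTR_ERR(x);" without constraining later uses of err, so in any function that reads err after the "if (IS_ERR(x))" branch the transformed code would read a value that is no longer assigned there. Restrict the match to cases where err is not referenced after the return, or check each match by hand before applying the result.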
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
ESP with separate encryption/authentication algorithms needs a special
treatment for the associated data. This patch adds a new algorithm that
handles esp with extended sequence numbers.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>