5183d3514ae6e8257386cc2d1384438d3da170b5
471 Commits
Commit 0414c6a4a7: Remove the old inline encryption implementation

Remove all the inline encryption / ICE code, since we're replacing it with a new implementation based on the new blk-crypto framework from android-4.19 (and proposed upstream).

Bug: 147259927
Change-Id: Iff9a304ff92cbf87e3fb838878c235c2f518e8e8
Commit 650400b459: msm: ice: check for crypto engine state before processing request

The crypto engine can be put into suspend by the host controller after the workqueue is scheduled. Also, the shutdown sequence can be ongoing while the workqueue is scheduled/executing. The request passed to the crypto driver in these cases can be invalidated by the host device driver. So check the crypto engine state before processing the pending requests.

Change-Id: I4aa2a211e439a876c8525ab062a7cb917b4e2d7e
Signed-off-by: Prerna Kalla <prernak@codeaurora.org>
Commit e2c6b3a39b: security: Add ICE support for UFS card

Add ICE support for the new UFS card by handling the ice device appropriately in PFK.

Change-Id: I69f8d7b3560f854929f043d3f6f694cc28ff3dac
Signed-off-by: Gaurav Kashyap <gaurkash@codeaurora.org>
Commit 28cfbbcf6e: qseecom: Add qseecom driver snapshot for kona

Add snapshot for qseecom from msm-4.14 commit 5d002609242c ("qseecom: listener unregister and register optimization").

Change-Id: I756d218259be9be328c863181059b67099dc1955
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Commit 4ac13bd161: Merge remote-tracking branch 'origin_4.19/tmp-0567d2f' into msm-4.19

* origin_4.19/tmp-0567d2f:
Linux 4.19.9
HID: quirks: fix RetroUSB.com devices
mac80211: ignore NullFunc frames in the duplicate detection
mac80211: fix reordering of buffered broadcast packets
mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext
mac80211: Clear beacon_int in ieee80211_do_stop
mac80211: fix GFP_KERNEL under tasklet context
mac80211_hwsim: Timer should be initialized before device registered
cfg80211: Fix busy loop regression in ieee80211_ie_split_ric()
libnvdimm, pfn: Pad pfn namespaces relative to other regions
kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
gnss: sirf: fix activation retry handling
tty: do not set TTY_IO_ERROR flag if console port
tty: serial: 8250_mtk: always resume the device in probe.
Drivers: hv: vmbus: Offload the handling of channels to two workqueues
x86/efi: Allocate e820 buffer before calling efi_exit_boot_service
kprobes/x86: Fix instruction patching corruption when copying more than one RIP-relative instruction
drm/i915: Downgrade Gen9 Plane WM latency error
drm/amdgpu/gmc8: always load MC firmware in the driver
drm/amdgpu/gmc8: update MC firmware for polaris
drm/msm: Move fence put to where failure occurs
drm/lease: Send a distinct uevent
drm/amdgpu: update mc firmware image for polaris12 variants
crypto: do not free algorithm before using
Revert commit
Commit 79ef30f702: FROMGIT: crypto: nhpoly1305 - add NHPoly1305 support

Add a generic implementation of NHPoly1305, an ε-almost-∆-universal hash function used in the Adiantum encryption mode. CONFIG_NHPOLY1305 is not selectable by itself since there won't be any real reason to enable it without also enabling Adiantum support.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 26609a21a9460145e37d90947ad957b358a05288 https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master)
Bug: 112008522
Test: As series, see Ic61c13b53facfd2173065be715a7ee5f3af8760b
Change-Id: If6f00c01fab530fc2458c44ca111f84604cb85c1
Signed-off-by: Eric Biggers <ebiggers@google.com>
Commit d58e9722fb: FROMGIT: crypto: poly1305 - add Poly1305 core API

Expose a low-level Poly1305 API which implements the ε-almost-∆-universal (εA∆U) hash function underlying the Poly1305 MAC and supports block-aligned inputs only.

This is needed for Adiantum hashing, which builds an εA∆U hash function from NH and a polynomial evaluation in GF(2^{130}-5); this polynomial evaluation is identical to the one the Poly1305 MAC does. However, the crypto_shash Poly1305 API isn't very appropriate for this because its calling convention assumes it is used as a MAC, with a 32-byte "one-time key" provided for every digest.

But by design, in Adiantum hashing the performance of the polynomial evaluation isn't nearly as critical as NH. So it suffices to just have some C helper functions. Thus, this patch adds such functions.

Acked-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 1b6fd3d5d18bbc1b1abf3b0cbc4b95a9a63d407b https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master)
Bug: 112008522
Test: As series, see Ic61c13b53facfd2173065be715a7ee5f3af8760b
Change-Id: I5c7da7832b84dfe29c300e117a158740d3e39069
Signed-off-by: Eric Biggers <ebiggers@google.com>
Commit 9d4eee316a: FROMGIT: crypto: poly1305 - use structures for key and accumulator

In preparation for exposing a low-level Poly1305 API which implements the ε-almost-∆-universal (εA∆U) hash function underlying the Poly1305 MAC and supports block-aligned inputs only, create structures poly1305_key and poly1305_state which hold the limbs of the Poly1305 "r" key and accumulator, respectively. These structures could actually have the same type (e.g. poly1305_val), but different types are preferable, to prevent misuse.

Acked-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 878afc35cd28bcd93cd3c5e1985ef39a104a4d45 https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master)
Bug: 112008522
Test: As series, see Ic61c13b53facfd2173065be715a7ee5f3af8760b
Change-Id: If20a0f9d29d8ba1efd43a5eb3fafce7720afe565
Signed-off-by: Eric Biggers <ebiggers@google.com>
Commit 8eee8e5f44: FROMGIT: crypto: chacha - add XChaCha12 support

Now that the generic implementation of ChaCha20 has been refactored to allow varying the number of rounds, add support for XChaCha12, which is the XSalsa construction applied to ChaCha12.

ChaCha12 is one of the three ciphers specified by the original ChaCha paper (https://cr.yp.to/chacha/chacha-20080128.pdf: "ChaCha, a variant of Salsa20"), alongside ChaCha8 and ChaCha20. ChaCha12 is faster than ChaCha20 but has a lower, but still large, security margin.

We need XChaCha12 support so that it can be used in the Adiantum encryption mode, which enables disk/file encryption on low-end mobile devices where AES-XTS is too slow as the CPUs lack AES instructions. We'd prefer XChaCha20 (the more popular variant), but it's too slow on some of our target devices, so at least in some cases we do need the XChaCha12-based version.

In more detail, the problem is that Adiantum is still much slower than we're happy with, and encryption still has a quite noticeable effect on the feel of low-end devices. Users and vendors push back hard against encryption that degrades the user experience, which always risks encryption being disabled entirely. So we need to choose the fastest option that gives us a solid margin of security, and here that's XChaCha12. The best known attack on ChaCha breaks only 7 rounds and has 2^235 time complexity, so ChaCha12's security margin is still better than AES-256's. Much has been learned about cryptanalysis of ARX ciphers since Salsa20 was originally designed in 2005, and it now seems we can be comfortable with a smaller number of rounds. The eSTREAM project also suggests the 12-round version of Salsa20 as providing the best balance among the different variants: combining very good performance with a "comfortable margin of security".

Note that it would be trivial to add vanilla ChaCha12 in addition to XChaCha12. However, it's unneeded for now and therefore is omitted.

As discussed in the patch that introduced XChaCha20 support, I considered splitting the code into separate chacha-common, chacha20, xchacha20, and xchacha12 modules, so that these algorithms could be enabled/disabled independently. However, since nearly all the code is shared anyway, I ultimately decided there would have been little benefit to the added complexity.

Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit aa7624093cb7fbf4fea95e612580d8d29a819f67 https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master)
Bug: 112008522
Test: As series, see Ic61c13b53facfd2173065be715a7ee5f3af8760b
Change-Id: I876a5be92e9f583effcd35a4b66a36608ac581f0
Signed-off-by: Eric Biggers <ebiggers@google.com>
Commit f816abd103: BACKPORT, FROMGIT: crypto: chacha20-generic - refactor to allow varying number of rounds

In preparation for adding XChaCha12 support, rename/refactor chacha20-generic to support different numbers of rounds. The justification for needing XChaCha12 support is explained in more detail in the patch "crypto: chacha - add XChaCha12 support".

The only difference between ChaCha{8,12,20} are the number of rounds itself; all other parts of the algorithm are the same. Therefore, remove the "20" from all definitions, structures, functions, files, etc. that will be shared by all ChaCha versions.

Also make ->setkey() store the round count in the chacha_ctx (previously chacha20_ctx). The generic code then passes the round count through to chacha_block(). There will be a ->setkey() function for each explicitly allowed round count; the encrypt/decrypt functions will be the same. I decided not to do it the opposite way (same ->setkey() function for all round counts, with different encrypt/decrypt functions) because that would have required more boilerplate code in architecture-specific implementations of ChaCha and XChaCha.

Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 1ca1b917940c24ca3d1f490118c5474168622953 https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master)

Conflicts:
    arch/x86/crypto/chacha20_glue.c
    drivers/crypto/caam/caamalg.c
    drivers/crypto/caam/caamalg_qi2.c
    drivers/crypto/caam/compat.h
    include/crypto/chacha20.h

Bug: 112008522
Test: As series, see Ic61c13b53facfd2173065be715a7ee5f3af8760b
Change-Id: I7fa203ddc7095ce8675a32f49b8a5230cd0cf5f6
Signed-off-by: Eric Biggers <ebiggers@google.com>
Commit 74fd3f7ed6: FROMGIT: crypto: chacha20-generic - add XChaCha20 support

Add support for the XChaCha20 stream cipher. XChaCha20 is the application of the XSalsa20 construction (https://cr.yp.to/snuffle/xsalsa-20081128.pdf) to ChaCha20 rather than to Salsa20. XChaCha20 extends ChaCha20's nonce length from 64 bits (or 96 bits, depending on convention) to 192 bits, while provably retaining ChaCha20's security. XChaCha20 uses the ChaCha20 permutation to map the key and first 128 nonce bits to a 256-bit subkey. Then, it does the ChaCha20 stream cipher with the subkey and remaining 64 bits of nonce.

We need XChaCha support in order to add support for the Adiantum encryption mode. Note that to meet our performance requirements, we actually plan to primarily use the variant XChaCha12. But we believe it's wise to first add XChaCha20 as a baseline with a higher security margin, in case there are any situations where it can be used. Supporting both variants is straightforward.

Since XChaCha20's subkey differs for each request, XChaCha20 can't be a template that wraps ChaCha20; that would require re-keying the underlying ChaCha20 for every request, which wouldn't be thread-safe. Instead, we make XChaCha20 its own top-level algorithm which calls the ChaCha20 streaming implementation internally.

Similar to the existing ChaCha20 implementation, we define the IV to be the nonce and stream position concatenated together. This allows users to seek to any position in the stream.

I considered splitting the code into separate chacha20-common, chacha20, and xchacha20 modules, so that chacha20 and xchacha20 could be enabled/disabled independently. However, since nearly all the code is shared anyway, I ultimately decided there would have been little benefit to the added complexity of separate modules.

Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit de61d7ae5d3789dcba3749a418f76613fbee8414 https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master)
Bug: 112008522
Test: As series, see Ic61c13b53facfd2173065be715a7ee5f3af8760b
Change-Id: I5c878e1d6577abda11d7b737cbb650baf16b6886
Signed-off-by: Eric Biggers <ebiggers@google.com>
Commit 2148650c6a: FROMGIT: crypto: chacha20-generic - add HChaCha20 library function

Refactor the unkeyed permutation part of chacha20_block() into its own function, then add hchacha20_block() which is the ChaCha equivalent of HSalsa20 and is an intermediate step towards XChaCha20 (see https://cr.yp.to/snuffle/xsalsa-20081128.pdf). HChaCha20 skips the final addition of the initial state, and outputs only certain words of the state. It should not be used for streaming directly.

Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit dd333449d0fb667c5250c42488a7e90470e16c77 https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master)
Bug: 112008522
Test: As series, see Ic61c13b53facfd2173065be715a7ee5f3af8760b
Change-Id: I5b7e92b39ada49343cbdf21e4c6d7c1aa1adf183
Signed-off-by: Eric Biggers <ebiggers@google.com>
Commit 8e2d31a6e3: UPSTREAM: crypto: chacha20 - Fix chacha20_block() keystream alignment (again)

In commit
Commit 7fe1c1db80: Merge LTS tag v4.19.2 into msm-kona

* refs/heads/tmp-7950eb3:
Revert "scsi: ufs: Schedule clk gating work on correct queue"
Linux 4.19.2
MD: fix invalid stored role for a disk - try2
vga_switcheroo: Fix missing gpu_bound call at audio client registration
bpf: wait for running BPF programs when updating map-in-map
userns: also map extents in the reverse map to kernel IDs
vt: fix broken display when running aptitude
net: sched: Remove TCA_OPTIONS from policy
Btrfs: fix use-after-free when dumping free space
Btrfs: fix use-after-free during inode eviction
btrfs: move the dio_sem higher up the callchain
btrfs: don't run delayed_iputs in commit
btrfs: fix insert_reserved error handling
btrfs: only free reserved extent if we didn't insert it
btrfs: don't use ctl->free_space for max_extent_size
btrfs: set max_extent_size properly
btrfs: reset max_extent_size properly
Btrfs: fix deadlock when writing out free space caches
Btrfs: fix assertion on fsync of regular file when using no-holes feature
Btrfs: fix null pointer dereference on compressed write path error
btrfs: qgroup: Dirty all qgroups before rescan
Btrfs: fix wrong dentries after fsync of file that got its parent replaced
Btrfs: fix warning when replaying log after fsync of a tmpfile
btrfs: make sure we create all new block groups
btrfs: reset max_extent_size on clear in a bitmap
btrfs: protect space cache inode alloc with GFP_NOFS
btrfs: release metadata before running delayed refs
Btrfs: don't clean dirty pages during buffered writes
btrfs: wait on caching when putting the bg cache
btrfs: keep trim from interfering with transaction commits
btrfs: don't attempt to trim devices that don't support it
btrfs: iterate all devices during trim, instead of fs_devices::alloc_list
btrfs: Ensure btrfs_trim_fs can trim the whole filesystem
btrfs: Enhance btrfs_trim_fs function to handle error better
btrfs: fix error handling in btrfs_dev_replace_start
btrfs: fix error handling in free_log_tree
btrfs: locking: Add extra check in btrfs_init_new_buffer() to avoid deadlock
btrfs: Handle owner mismatch gracefully when walking up tree
btrfs: qgroup: Avoid calling qgroup functions if qgroup is not enabled
tracing: Return -ENOENT if there is no target synthetic event
selftests/powerpc: Fix ptrace tm failure
selftests/ftrace: Fix synthetic event test to delete event correctly
soc/tegra: pmc: Fix child-node lookup
soc: qcom: rmtfs-mem: Validate that scm is available
arm64: dts: stratix10: Correct System Manager register size
ARM: dts: socfpga: Fix SDRAM node address for Arria10
Cramfs: fix abad comparison when wrap-arounds occur
rpmsg: smd: fix memory leak on channel create
arm64: lse: remove -fcall-used-x0 flag
media: hdmi.h: rename ADOBE_RGB to OPRGB and ADOBE_YCC to OPYCC
media: replace ADOBERGB by OPRGB
media: media colorspaces*.rst: rename AdobeRGB to opRGB
drm/mediatek: fix OF sibling-node lookup
media: adv7842: when the EDID is cleared, unconfigure CEC as well
media: adv7604: when the EDID is cleared, unconfigure CEC as well
media: em28xx: fix handler for vidioc_s_input()
media: em28xx: make v4l2-compliance happier by starting sequence on zero
media: em28xx: fix input name for Terratec AV 350
media: tvp5150: avoid going past array on v4l2_querymenu()
media: em28xx: use a default format if TRY_FMT fails
media: cec: forgot to cancel delayed work
media: cec: fix the Signal Free Time calculation
media: cec: add new tx/rx status bits to detect aborts/timeouts
xen-blkfront: fix kernel panic with negotiate_mq error path
xen: remove size limit of privcmd-buf mapping interface
xen: fix xen_qlock_wait()
media: cec: integrate cec_validate_phys_addr() in cec-api.c
media: cec: make cec_get_edid_spa_location() an inline function
remoteproc: qcom: q6v5: Propagate EPROBE_DEFER
kgdboc: Passing ekgdboc to command line causes panic
Revert "media: dvbsky: use just one mutex for serializing device R/W ops"
media: v4l2-tpg: fix kernel oops when enabling HFLIP and OSD
net: bcmgenet: fix OF child-node lookup
TC: Set DMA masks for devices
iommu/arm-smmu: Ensure that page-table updates are visible before TLBI
ocxl: Fix access to the AFU Descriptor Data
power: supply: twl4030-charger: fix OF sibling-node lookup
rtc: cmos: Remove the `use_acpi_alarm' module parameter for !ACPI
rtc: cmos: Fix non-ACPI undefined reference to `hpet_rtc_interrupt'
rtc: ds1307: fix ds1339 wakealarm support
MIPS: OCTEON: fix out of bounds array access on CN68XX
powerpc/64s/hash: Do not use PPC_INVALIDATE_ERAT on CPUs before POWER9
powerpc/tm: Fix HFSCR bit for no suspend case
powerpc/msi: Fix compile error on mpc83xx
powerpc64/module elfv1: Set opd addresses after module relocation
fsnotify: Fix busy inodes during unmount
media: ov7670: make "xclk" clock optional
dm zoned: fix various dmz_get_mblock() issues
dm zoned: fix metadata block ref counting
dm ioctl: harden copy_params()'s copy_from_user() from malicious users
lockd: fix access beyond unterminated strings in prints
nfsd: Fix an Oops in free_session()
nfsd: correctly decrement odstate refcount in error path
nfs: Fix a missed page unlock after pg_doio()
NFSv4.1: Fix the r/wsize checking
NFC: nfcmrvl_uart: fix OF child-node lookup
tpm: fix response size validation in tpm_get_random()
genirq: Fix race on spurious interrupt detection
printk: Fix panic caused by passing log_buf_len to command line
smb3: on kerberos mount if server doesn't specify auth type use krb5
smb3: do not attempt cifs operation in smb3 query info error path
smb3: allow stats which track session and share reconnects to be reset
w1: omap-hdq: fix missing bus unregister at removal
iio: adc: at91: fix wrong channel number in triggered buffer mode
iio: adc: at91: fix acking DRDY irq on simple conversions
iio: adc: imx25-gcq: Fix leak of device_node in mx25_gcq_setup_cfgs()
iio: ad5064: Fix regulator handling
kbuild: fix kernel/bounds.c 'W=1' warning
KVM: arm64: Fix caching of host MDCR_EL2 value
KVM: arm/arm64: Ensure only THP is candidate for adjustment
mm/hmm: fix race between hmm_mirror_unregister() and mmu_notifier callback
mm/rmap: map_pte() was not handling private ZONE_DEVICE page properly
hugetlbfs: dirty pages as they are added to pagecache
ima: open a new file instance if no read permissions
ima: fix showing large 'violations' or 'runtime_measurements_count'
userfaultfd: disable irqs when taking the waitqueue lock
mm: /proc/pid/smaps_rollup: fix NULL pointer deref in smaps_pte_range()
crypto: speck - remove Speck
crypto: aegis/generic - fix for big endian systems
crypto: morus/generic - fix for big endian systems
crypto: aesni - don't use GFP_ATOMIC allocation if the request doesn't cross a page in gcm
crypto: tcrypt - fix ghash-generic speed test
crypto: lrw - Fix out-of bounds access on counter overflow
signal: Guard against negative signal numbers in copy_siginfo_from_user32
signal/GenWQE: Fix sending of SIGKILL
PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk
PCI/ASPM: Fix link_state teardown on device removal
ARM: dts: dra7: Fix up unaligned access setting for PCIe EP
EDAC, skx_edac: Fix logical channel intermediate decoding
EDAC, {i7core,sb,skx}_edac: Fix uncorrected error counting
EDAC, amd64: Add Family 17h, models 10h-2fh support
HID: hiddev: fix potential Spectre v1
HID: wacom: Work around HID descriptor bug in DTK-2451 and DTH-2452
selinux: fix mounting of cgroup2 under older policies
ext4: fix use-after-free race in ext4_remount()'s error path
ext4: propagate error from dquot_initialize() in EXT4_IOC_FSSETXATTR
ext4: fix setattr project check in fssetxattr ioctl
ext4: initialize retries variable in ext4_da_write_inline_data_begin()
ext4: fix EXT4_IOC_SWAP_BOOT
gfs2_meta: ->mount() can get NULL dev_name
jbd2: fix use after free in jbd2_log_do_checkpoint()
IB/rxe: Revise the ib_wr_opcode enum
IB/mlx5: Fix MR cache initialization
ASoC: sta32x: set ->component pointer in private struct
ASoC: intel: skylake: Add missing break in skl_tplg_get_token()
libnvdimm, pmem: Fix badblocks population for 'raw' namespaces
libnvdimm, region: Fail badblocks listing for inactive regions
libnvdimm: Hold reference on parent while scheduling async init
scsi: target: Fix target_wait_for_sess_cmds breakage with active signals
scsi: sched/wait: Add wait_event_lock_irq_timeout for TASK_UNINTERRUPTIBLE usage
dmaengine: ppc4xx: fix off-by-one build failure
net/ipv4: defensive cipso option parsing
iwlwifi: mvm: check return value of rs_rate_from_ucode_rate()
mt76: mt76x2: fix multi-interface beacon configuration
usb: gadget: udc: renesas_usb3: Fix b-device mode for "workaround"
usb: typec: tcpm: Fix APDO PPS order checking to be based on voltage
usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten
libertas: don't set URB_ZERO_PACKET on IN USB transfer
xen/pvh: don't try to unplug emulated devices
xen/pvh: increase early stack size
xen: make xen_qlock_wait() nestable
xen: fix race in xen_qlock_wait()
xen/balloon: Support xend-based toolstack
xen/blkfront: avoid NULL blkfront_info dereference on device removal
tpm: Restore functionality to xen vtpm driver.
xen-swiotlb: use actually allocated size on check physical continuous
ARM: dts: exynos: Mark 1 GHz CPU OPP as suspend OPP on Exynos5250
ARM: dts: exynos: Convert exynos5250.dtsi to opp-v2 bindings
OPP: Free OPP table properly on performance state irregularities
f2fs: fix to account IO correctly
f2fs: fix to recover cold bit of inode block during POR
f2fs: fix missing up_read
Revert "f2fs: fix to clear PG_checked flag in set_page_dirty()"
cpupower: Fix AMD Family 0x17 msr_pstate size
ALSA: hda: Check the non-cached stream buffers more explicitly
IB/rxe: fix for duplicate request processing and ack psns
dmaengine: dma-jz4780: Return error if not probed from DT
mfd: menelaus: Fix possible race condition and leak
f2fs: fix to flush all dirty inodes recovered in readonly fs
signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace init
f2fs: report error if quota off error during umount
f2fs: avoid sleeping under spin_lock
scsi: lpfc: Correct race with abort on completion path
scsi: lpfc: Correct soft lockup when running mds diagnostics
uio: ensure class is registered before devices
IB/mlx5: Allow transition of DCI QP to reset
IB/ipoib: Use dev_port to expose network interface port numbers
firmware: coreboot: Unmap ioregion after device population
ASoC: AMD: Fix capture unstable in beginning for some runs
driver/dma/ioat: Call del_timer_sync() without holding prep_lock
Smack: ptrace capability use fixes
usb: chipidea: Prevent unbalanced IRQ disable
crypto: caam - fix implicit casts in endianness helpers
PCI: dwc: pci-dra7xx: Enable errata i870 for both EP and RC mode
coresight: etb10: Fix handling of perf mode
PCI/MSI: Warn and return error if driver enables MSI/MSI-X twice
f2fs: fix to recover inode's i_flags during POR
f2fs: fix to recover inode's crtime during POR
scsi: qla2xxx: Fix recursive mailbox timeout
xhci: Avoid USB autosuspend when resuming USB2 ports.
nvmem: check the return value of nvmem_add_cells()
PCI: cadence: Correct probe behaviour when failing to get PHY
MD: fix invalid stored role for a disk
ext4: fix argument checking in EXT4_IOC_MOVE_EXT
usb: gadget: udc: atmel: handle at91sam9rl PMC
usb: dwc2: fix a race with external vbus supply
usb: dwc2: fix call to vbus supply exit routine, call it unlocked
irqchip/pdc: Setup all edge interrupts as rising edge at GIC
xprtrdma: Reset credit grant properly after a disconnect
PCI / ACPI: Enable wake automatically for power managed bridges
VMCI: Resource wildcard match fixed
Drivers: hv: vmbus: Use cpumask_var_t for on-stack cpu mask
f2fs: clear PageError on the read path
tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated
usb: typec: tcpm: Report back negotiated PPS voltage and current
PCI: cadence: Use AXI region 0 to signal interrupts from EP
PCI: mediatek: Fix mtk_pcie_find_port() endpoint/port matching logic
usb: host: ohci-at91: fix request of irq for optional gpio
RDMA/bnxt_re: Fix recursive lock warning in debug kernel
RDMA/bnxt_re: Avoid accessing nq->bar_reg_iomem in failure case
IB/ipoib: Clear IPCB before icmp_send
RDMA/cm: Respect returned status of cm_init_av_by_path
RDMA/core: Do not expose unsupported counters
scsi: megaraid_sas: fix a missing-check bug
KVM: nVMX: Clear reserved bits of #DB exit qualification
UAPI: ndctl: Fix g++-unsupported initialisation in headers
scsi: ufs: Schedule clk gating work on correct queue
scsi: esp_scsi: Track residual for PIO transfers
of: Add missing exports of node name compare functions
md: fix memleak for mempool
MD: Memory leak when flush bio size is zero
f2fs: fix to account IO correctly for cgroup writeback
net: stmmac: dwmac-sun8i: fix OF child-node lookup
cgroup, netclassid: add a preemption point to write_classid
cifs: fix a credits leak for compund commands
thermal: da9062/61: Prevent hardware access during system suspend
thermal: rcar_thermal: Prevent doing work after unbind
libata: Apply NOLPM quirk for SAMSUNG MZ7TD256HAFV-000L9
ath10k: schedule hardware restart if WMI command times out
wil6210: fix RX buffers release and unmap
ixgbevf: VF2VF TCP RSS
ixgbe: disallow IPsec Tx offload when in SR-IOV mode
gpio: brcmstb: allow 0 width GPIO banks
iwlwifi: mvm: fix BAR seq ctrl reporting
libertas_tf: prevent underflow in process_cmdrequest()
rsi: fix memory alignment issue in ARM32 platforms
mt76x2u: run device cleanup routine if resume fails
net: dsa: mv88e6xxx: Fix writing to a PHY page.
net: hns3: Fix for vf vlan delete failed problem
net: hns3: Fix ping exited problem when doing lp selftest
net: hns3: Preserve vlan 0 in hardware table
pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant
pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant
perf tests: Fix record+probe_libc_inet_pton.sh without ping's debuginfo
failover: Add missing check to validate 'slave_dev' in net_failover_slave_unregister
bpf/verifier: fix verifier instability
pinctrl: qcom: spmi-mpp: Fix drive strength setting
ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers
spi: gpio: No MISO does not imply no RX
kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()
arm64: entry: Allow handling of undefined instructions from EL1
block, bfq: correctly charge and reset entity service in all cases
net: phy: phylink: ensure the carrier is off when starting phylink
net: hns3: Set STATE_DOWN bit of hdev state when stopping net
net: hns3: Check hdev state when getting link status
brcmfmac: fix for proper support of 160MHz bandwidth
pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux
pinctrl: sunxi: fix 'pctrl->functions' allocation in sunxi_pinctrl_build_state
net: hns3: Fix ets validate issue
net: hns3: Add nic state check before calling netif_tx_wake_queue
x86: boot: Fix EFI stub alignment
efi/x86: Call efi_parse_options() from efi_main()
Bluetooth: hci_qca: Remove hdev dereference in qca_close().
Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth
net: hns3: Fix for packet buffer setting bug
ice: update fw version check logic
ice: fix changing of ring descriptor size (ethtool -G)
signal: Introduce COMPAT_SIGMINSTKSZ for use in compat_sys_sigaltstack
ath10k: fix tx status flag setting for management frames
nvme: call nvme_complete_rq when nvmf_check_ready fails for mpath I/O
mtd: rawnand: atmel: Fix potential NULL pointer dereference
x86/intel_rdt: Show missing resctrl mount options
cpufreq: dt: Try freeing static OPPs only if we have added them
ACPI / processor: Fix the return value of acpi_processor_ids_walk()
ACPI / PM: LPIT: Register sysfs attributes based on FADT
ACPI/PPTT: Handle architecturally unknown cache types
wlcore: Fix BUG with clear completion on timeout
x86/olpc: Indicate that legacy PC XO-1 platform should not register RTC
iwlwifi: mvm: check for n_profiles validity in EWRD ACPI
iwlwifi: mvm: clear HW_RESTART_REQUESTED when stopping the interface
iwlwifi: pcie: avoid empty free RB queue
mtd: rawnand: denali: set SPARE_AREA_SKIP_BYTES register to 8 if unset
sdhci: acpi: add free_slot callback
mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01
bcache: Populate writeback_rate_minimum attribute
cpupower: Fix coredump on VMWare
perf strbuf: Match va_{add,copy} with va_end
perf tools: Free 'printk' string in parse_ftrace_printk()
perf tools: Cleanup trace-event-info 'tdata' leak
perf tools: Free temporary 'sys' string in read_event_files()
spi: spi-ep93xx: Use dma_data_direction for ep93xx_spi_dma_{finish,prepare}
lightnvm: pblk: fix race condition on metadata I/O
lightnvm: pblk: fix two sleep-in-atomic-context bugs
lightnvm: pblk: fix race on sysfs line state
hwmon: (pwm-fan) Set fan speed to 0 on suspend
s390/sthyi: Fix machine name validity indication
tun: Consistently configure generic netdev params via rtnetlink
nfp: devlink port split support for 1x100G CXP NIC
hv_netvsc: fix vf serial matching with pci slot info
arm64: cpufeature: ctr: Fix cpu capability check for late CPUs
swim: fix cleanup on setup error
ataflop: fix error handling during setup
netfilter: xt_nat: fix DNAT target for shifted portmap ranges
locking/lockdep: Fix debug_locks off performance problem
net: loopback: clear skb->tstamp before netif_rx()
net: socionext: Reset tx queue in ndo_stop
ARM: dts: exynos: Disable pull control for MAX8997 interrupts on Origen
x86/numa_emulation: Fix uniform-split numa emulation
x86/mm/pat: Disable preemption around __flush_tlb_all()
x86/kvm/nVMX: allow bare VMXON state migration
x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided
x86/xen: Fix boot loader version reported for PVH guests
x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation
ALSA: hda - Fix incorrect clearance of thinkpad_acpi hooks
ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops
ALSA: hda: Add 2 more models to the power_save blacklist
ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905)
ALSA: hda/realtek - Fix the problem of the front MIC on the Lenovo M715
ALSA: hda - Fix headphone pin config for ASUS G751
ALSA: hda - Add quirk for ASUS G751 laptop
parisc: Fix exported address of os_hpmc handler
parisc: Fix map_pages() to not overwrite existing pte entries
parisc: Fix address in HPMC IVA
mailbox: PCC: handle parse error
ipmi: Fix timer race with module unload
kprobes/x86: Use preempt_enable() in optimized_callback()
acpi, nfit: Fix Address Range Scrub completion tracking
ACPICA: AML Parser: fix parse loop to correctly skip erroneous extended opcodes
ACPICA: AML interpreter: add region addresses in global list during initialization
ACPI / OSL: Use 'jiffies' as the time bassis for acpi_os_get_timer()
pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges
dma-mapping: fix panic caused by passing empty cma command line argument
cpufreq: conservative: Take limits changes into account properly
block: make sure writesame bio is aligned with logical block size
block: make sure discard bio is aligned with logical block size
block: setup bounce bio_sets properly
jffs2: free jffs2_sb_info through jffs2_kill_sb()
hwmon: (pmbus) Fix page count auto-detection.
bcache: fix miss key refill->end in writeback
bcache: correct dirty data statistics
bcache: fix ioctl in flash device
bcache: trace missed reading by cache_missed
spi: bcm-qspi: fix calculation of address length
spi: bcm-qspi: switch back to reading flash using smaller chunks
spi: spi-mem: Adjust op len based on message/transfer size limitations
mtd: spi-nor: fsl-quadspi: Don't let -EINVAL on the bus
mtd: spi-nor: intel-spi: Add support for Intel Ice Lake SPI serial flash
mtd: spi-nor: fsl-quadspi: fix read error for flash size larger than 16MB
mtd: maps: gpio-addr-flash: Fix ioremapped size
mtd: rawnand: marvell: fix the IRQ handler complete() condition
gpio: mxs: Get rid of external API call
MIPS: VDSO: Reduce VDSO_RANDOMIZE_SIZE to 64MB for 64bit
bpf: fix partial copy of map_ptr when dst is scalar
Conflicts:
drivers/iommu/arm-smmu.c
Change-Id: Iff6f46fb6932b2a41a7a3df5f2a18f1eddfb9d66
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
|
||
|
|
3252b60cf8 |
crypto: speck - remove Speck
commit 578bdaabd015b9b164842c3e8ace9802f38e7ecc upstream. These are unused, undesired, and have never actually been used by anybody. The original authors of this code have changed their mind about its inclusion. While originally proposed for disk encryption on low-end devices, the idea was discarded [1] in favor of something else before that could really get going. Therefore, this patch removes Speck. [1] https://marc.info/?l=linux-crypto-vger&m=153359499015659 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Acked-by: Eric Biggers <ebiggers@google.com> Cc: stable@vger.kernel.org Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
|
e9594a54a3 |
crypto: skcipher - Remove SKCIPHER_REQUEST_ON_STACK()
Now that all the users of the VLA-generating SKCIPHER_REQUEST_ON_STACK() macro have been moved to SYNC_SKCIPHER_REQUEST_ON_STACK(), we can remove the former. Change-Id: I28988ad863bfcc215b329c5410e6a6bf9ab7442e Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Git-Repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Git-Commit: a9cbfe4c784436368790f0c59674f99ba97ae21e Signed-off-by: Rishabh Bhatnagar <rishabhb@codeaurora.org> |
||
|
|
02c739c52d |
crypto: cbc - Remove VLA usage
In the quest to remove all stack VLA usage from the kernel[1], this uses the upper bounds on blocksize. Since this is always a cipher blocksize, use the existing cipher max blocksize. [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com Change-Id: Icd5510d1b12860ffcf91f3c981a7b87515c83c34 Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Git-Repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Git-Commit: d73d67fbcb94409e0a92952750f162d4eb696e96 Signed-off-by: Rishabh Bhatnagar <rishabhb@codeaurora.org> |
||
|
|
064e99d396 |
crypto: null - Remove VLA usage of skcipher
In the quest to remove all stack VLA usage from the kernel[1], this replaces struct crypto_skcipher and SKCIPHER_REQUEST_ON_STACK() usage with struct crypto_sync_skcipher and SYNC_SKCIPHER_REQUEST_ON_STACK(), which uses a fixed stack size. [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com Change-Id: I9f879e0a86eb4a9ff08d65a2128d230ec06e0f4c Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Git-Repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Git-Commit: 8d605398425843c7ce3c0e9a0434d832d3bd54cc Signed-off-by: Rishabh Bhatnagar <rishabhb@codeaurora.org> |
||
|
|
69e69705c0 |
crypto: skcipher - Introduce crypto_sync_skcipher
In preparation for removal of VLAs due to skcipher requests on the stack via SKCIPHER_REQUEST_ON_STACK() usage, this introduces the infrastructure for the "sync skcipher" tfm, which is for handling the on-stack cases of skcipher, which are always non-ASYNC and have a known limited request size. The crypto API additions: struct crypto_sync_skcipher (wrapper for struct crypto_skcipher) crypto_alloc_sync_skcipher() crypto_free_sync_skcipher() crypto_sync_skcipher_setkey() crypto_sync_skcipher_get_flags() crypto_sync_skcipher_set_flags() crypto_sync_skcipher_clear_flags() crypto_sync_skcipher_blocksize() crypto_sync_skcipher_ivsize() crypto_sync_skcipher_reqtfm() skcipher_request_set_sync_tfm() SYNC_SKCIPHER_REQUEST_ON_STACK() (with tfm type check) Change-Id: I9e6df0b1b97a9fde1ca8407793bdc9f4008db1c1 Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Git-Repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Git-Commit: b350bee5ea0f4db75d4c6191a2e95db16f40c278 Signed-off-by: Rishabh Bhatnagar <rishabhb@codeaurora.org> |
||
|
|
6dae78106a |
crypto: hash - Remove VLA usage
In the quest to remove all stack VLA usage from the kernel[1], this removes the VLAs in SHASH_DESC_ON_STACK (via crypto_shash_descsize()) by using the maximum allowable size (which is now more clearly captured in a macro), along with a few other cases. Similar limits are turned into macros as well. A review of existing sizes shows that SHA512_DIGEST_SIZE (64) is the largest digest size and that sizeof(struct sha3_state) (360) is the largest descriptor size. The corresponding maximums are reduced. [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com Change-Id: I5281cc251f49e9c7d9761f7ec7217dd08588c26d Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Git-Repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Git-Commit: b68a7ec1e9a3efac53ae26a1658a553825a2375c Signed-off-by: Rishabh Bhatnagar <rishabhb@codeaurora.org> |
||
|
|
69aafa11ff |
crypto: api - Introduce generic max blocksize and alignmask
In the quest to remove all stack VLA usage from the kernel[1], this exposes a new general upper bound on crypto blocksize and alignmask (higher than for the existing cipher limits) for VLA removal, and introduces new checks. At present, the highest cra_alignmask in the kernel is 63. The highest cra_blocksize is 144 (SHA3_224_BLOCK_SIZE, 18 8-byte words). For the new blocksize limit, I went with 160 (20 8-byte words). [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com Change-Id: Icee27c45f542a9de25310b193c5bd08bc236996e Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Git-Repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Git-Commit: a9f7f88a12f1494deca1fd9e173c7ae886d14f91 Signed-off-by: Rishabh Bhatnagar <rishabhb@codeaurora.org> |
||
|
|
3dd8cc00c3 |
crypto: scatterwalk - remove scatterwalk_samebuf()
scatterwalk_samebuf() is never used. Remove it. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
|
8c30fbe63e |
crypto: scatterwalk - remove 'chain' argument from scatterwalk_crypto_chain()
All callers pass chain=0 to scatterwalk_crypto_chain(). Remove this unneeded parameter. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
|
43490e8046 |
crypto: drbg - in-place cipher operation for CTR
The cipher implementations of the kernel crypto API favor in-place
cipher operations. Thus, switch the CTR cipher operation in the DRBG to
perform in-place operations. This is implemented by using the output
buffer as input buffer and zeroizing it before the cipher operation to
implement a CTR encryption of a NULL buffer.
The speed improvement is quite visible with the following comparison
using the LRNG implementation.
Without the patch set:
| Request size | Throughput | Bytes processed | Elapsed time |
|---|---|---|---|
| 16 bytes | 12.267661 MB/s | 61338304 bytes | 5000000213 ns |
| 32 bytes | 23.603770 MB/s | 118018848 bytes | 5000000073 ns |
| 64 bytes | 46.732262 MB/s | 233661312 bytes | 5000000241 ns |
| 128 bytes | 90.038042 MB/s | 450190208 bytes | 5000000244 ns |
| 256 bytes | 160.399616 MB/s | 801998080 bytes | 5000000393 ns |
| 512 bytes | 259.878400 MB/s | 1299392000 bytes | 5000001675 ns |
| 1024 bytes | 386.050662 MB/s | 1930253312 bytes | 5000001661 ns |
| 2048 bytes | 493.641728 MB/s | 2468208640 bytes | 5000001598 ns |
| 4096 bytes | 581.835981 MB/s | 2909179904 bytes | 5000003426 ns |
With the patch set:
| Request size | Throughput | Bytes processed | Elapsed time |
|---|---|---|---|
| 16 bytes | 17.051142 MB/s | 85255712 bytes | 5000000854 ns |
| 32 bytes | 32.695898 MB/s | 163479488 bytes | 5000000544 ns |
| 64 bytes | 64.490739 MB/s | 322453696 bytes | 5000000954 ns |
| 128 bytes | 123.285043 MB/s | 616425216 bytes | 5000000201 ns |
| 256 bytes | 233.434573 MB/s | 1167172864 bytes | 5000000573 ns |
| 512 bytes | 384.405197 MB/s | 1922025984 bytes | 5000000671 ns |
| 1024 bytes | 566.313370 MB/s | 2831566848 bytes | 5000001080 ns |
| 2048 bytes | 744.518042 MB/s | 3722590208 bytes | 5000000926 ns |
| 4096 bytes | 867.501670 MB/s | 4337508352 bytes | 5000002181 ns |
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||
|
|
c5f5aeef9b |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux
Merge mainline to pick up
|
||
|
|
cf862cbc83 |
crypto: drbg - eliminate constant reinitialization of SGL
The CTR DRBG requires two SGLs pointing to input/output buffers for the CTR AES operation. The used SGLs always have only one entry. Thus, the SGL can be initialized during allocation time, preventing a re-initialization of the SGLs during each call. The performance is increased by about 1 to 3 percent depending on the size of the requested buffer size. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
|
e3fe0ae129 |
crypto: dh - add public key verification test
According to SP800-56A section 5.6.2.1, the public key to be processed for the DH operation shall be checked for appropriateness. The check shall covers the full verification test in case the domain parameter Q is provided as defined in SP800-56A section 5.6.2.3.1. If Q is not provided, the partial check according to SP800-56A section 5.6.2.3.2 is performed. The full verification test requires the presence of the domain parameter Q. Thus, the patch adds the support to handle Q. It is permissible to not provide the Q value as part of the domain parameters. This implies that the interface is still backwards-compatible where so far only P and G are to be provided. However, if Q is provided, it is imported. Without the test, the NIST ACVP testing fails. After adding this check, the NIST ACVP testing passes. Testing without providing the Q domain parameter has been performed to verify the interface has not changed. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
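The public key check described in the commit above, as an added example that is not the kernel's crypto/dh.c code and not part of the commit: a Python implementation of the SP800-56A partial check (section 5.6.2.3.2, only the range test 2 <= y <= p - 2) and the full check (section 5.6.2.3.1, range test plus y^q mod p == 1), selected the way the commit describes, by whether the domain parameter q was supplied. The group parameters (p = 23, q = 11, g = 4) and the key values are constructed toy values, far too small for real use; `dh_shared_secret` is an assumed helper added here to show the check being applied before the exponentiation.

```python
"""SP800-56A public-key validation for finite-field Diffie-Hellman.

Added example: not the Linux crypto/dh.c code. It mirrors the behaviour
the commit describes: with q present run the full check (5.6.2.3.1),
without q run only the partial check (5.6.2.3.2).
"""
from typing import Optional

# Constructed toy domain parameters (assumed values, far too small for real use):
# p is a safe prime (p = 2q + 1) and g = 4 generates the subgroup of order q.
TOY_P = 23
TOY_Q = 11
TOY_G = 4


def dh_partial_public_key_check(p: int, y: int) -> bool:
    """SP800-56A 5.6.2.3.2: only check 2 <= y <= p - 2.

    Rejects 0, 1 and p - 1, whose shared secrets are trivially predictable.
    """
    return 2 <= y <= p - 2


def dh_full_public_key_check(p: int, q: int, y: int) -> bool:
    """SP800-56A 5.6.2.3.1: range check plus subgroup membership y^q == 1 (mod p).

    The subgroup test catches a peer key chosen outside the q-order subgroup
    (small-subgroup confinement), which the partial check cannot detect.
    """
    if not dh_partial_public_key_check(p, y):
        return False
    return pow(y, q, p) == 1


def dh_validate_public_key(p: int, y: int, q: Optional[int] = None) -> bool:
    """Dispatch the way the commit describes: full check only if q was provided."""
    if q is None:
        return dh_partial_public_key_check(p, y)
    return dh_full_public_key_check(p, q, y)


def dh_shared_secret(p: int, priv: int, peer_pub: int, q: Optional[int] = None) -> int:
    """Assumed helper: compute peer_pub^priv mod p, refusing an invalid peer key first."""
    if not dh_validate_public_key(p, peer_pub, q):
        raise ValueError("peer public key failed SP800-56A validation")
    return pow(peer_pub, priv, p)


def demo() -> dict:
    """Exercise the checks on constructed keys and return the outcomes."""
    honest_pub = pow(TOY_G, 3, TOY_P)   # 4^3 mod 23 = 18, inside the order-q subgroup
    outside_subgroup = 5                # 5 is a primitive root mod 23: order 22, not 11
    return {
        "honest_partial": dh_validate_public_key(TOY_P, honest_pub),
        "honest_full": dh_validate_public_key(TOY_P, honest_pub, TOY_Q),
        "one_rejected": dh_validate_public_key(TOY_P, 1, TOY_Q),
        "p_minus_1_rejected": dh_validate_public_key(TOY_P, TOY_P - 1, TOY_Q),
        "outside_subgroup_partial": dh_validate_public_key(TOY_P, outside_subgroup),
        "outside_subgroup_full": dh_validate_public_key(TOY_P, outside_subgroup, TOY_Q),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last two entries of `demo()` show why the commit bothers to import q: the key 5 passes the range-only partial check but fails the full check, because it does not lie in the order-q subgroup.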
|
|
bb29648102 |
crypto: vmac - separate tfm and request context
syzbot reported a crash in vmac_final() when multiple threads
concurrently use the same "vmac(aes)" transform through AF_ALG. The bug
is pretty fundamental: the VMAC template doesn't separate per-request
state from per-tfm (per-key) state like the other hash algorithms do,
but rather stores it all in the tfm context. That's wrong.
Also, vmac_final() incorrectly zeroes most of the state including the
derived keys and cached pseudorandom pad. Therefore, only the first
VMAC invocation with a given key calculates the correct digest.
Fix these bugs by splitting the per-tfm state from the per-request state
and using the proper init/update/final sequencing for requests.
Reproducer for the crash:
#include <linux/if_alg.h>
#include <sys/socket.h>
#include <unistd.h>

int main()
{
	int fd;
	struct sockaddr_alg addr = {
		.salg_type = "hash",
		.salg_name = "vmac(aes)",
	};
	char buf[256] = { 0 };

	/* One AF_ALG tfm socket, keyed once: both processes below share this tfm. */
	fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
	bind(fd, (void *)&addr, sizeof(addr));
	setsockopt(fd, SOL_ALG, ALG_SET_KEY, buf, 16);
	/* Fork so that two processes hash concurrently through the same keyed tfm. */
	fork();
	fd = accept(fd, NULL, NULL);
	/* Every write is a hash update; concurrent updates race on the per-tfm state. */
	for (;;)
		write(fd, buf, 256);
}
The immediate cause of the crash is that vmac_ctx_t.partial_size exceeds
VMAC_NHBYTES, causing vmac_final() to memset() a negative length.
Reported-by: syzbot+264bca3a6e8d645550d3@syzkaller.appspotmail.com
Fixes:
|
||
|
|
a11e1d432b |
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
The poll() changes were not well thought out, and completely unexplained. They also caused a huge performance regression, because "->poll()" was no longer a trivial file operation that just called down to the underlying file operations, but instead did at least two indirect calls. Indirect calls are sadly slow now with the Spectre mitigation, but the performance problem could at least be largely mitigated by changing the "->get_poll_head()" operation to just have a per-file-descriptor pointer to the poll head instead. That gets rid of one of the new indirections. But that doesn't fix the new complexity that is completely unwarranted for the regular case. The (undocumented) reason for the poll() changes was some alleged AIO poll race fixing, but we don't make the common case slower and more complex for some uncommon special case, so this all really needs way more explanations and most likely a fundamental redesign. [ This revert is a revert of about 30 different commits, not reverted individually because that would just be unnecessarily messy - Linus ] Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Christoph Hellwig <hch@lst.de> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
|
|
26f7120b86 |
crypto: sha512_generic - add a sha384 0-length pre-computed hash
This patch adds the sha384 pre-computed 0-length hash so that device drivers can use it when an hardware engine does not support computing a hash from a 0 length input. Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
|
30c217ef64 |
crypto: sha512_generic - add a sha512 0-length pre-computed hash
This patch adds the sha512 pre-computed 0-length hash so that device drivers can use it when an hardware engine does not support computing a hash from a 0 length input. Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
|
3e1a29b3bf |
Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Pull crypto updates from Herbert Xu:
"API:
- Decryption test vectors are now automatically generated from
encryption test vectors.
Algorithms:
- Fix unaligned access issues in crc32/crc32c.
- Add zstd compression algorithm.
- Add AEGIS.
- Add MORUS.
Drivers:
- Add accelerated AEGIS/MORUS on x86.
- Add accelerated SM4 on arm64.
- Removed x86 assembly salsa implementation as it is slower than C.
- Add authenc(hmac(sha*), cbc(aes)) support in inside-secure.
- Add ctr(aes) support in crypto4xx.
- Add hardware key support in ccree.
- Add support for new Centaur CPU in via-rng"
* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (112 commits)
crypto: chtls - free beyond end rspq_skb_cache
crypto: chtls - kbuild warnings
crypto: chtls - dereference null variable
crypto: chtls - wait for memory sendmsg, sendpage
crypto: chtls - key len correction
crypto: salsa20 - Revert "crypto: salsa20 - export generic helpers"
crypto: x86/salsa20 - remove x86 salsa20 implementations
crypto: ccp - Add GET_ID SEV command
crypto: ccp - Add DOWNLOAD_FIRMWARE SEV command
crypto: qat - Add MODULE_FIRMWARE for all qat drivers
crypto: ccree - silence debug prints
crypto: ccree - better clock handling
crypto: ccree - correct host regs offset
crypto: chelsio - Remove separate buffer used for DMA map B0 block in CCM
crypt: chelsio - Send IV as Immediate for cipher algo
crypto: chelsio - Return -ENOSPC for transient busy indication.
crypto: caam/qi - fix warning in init_cgr()
crypto: caam - fix rfc4543 descriptors
crypto: caam - fix MC firmware detection
crypto: clarify licensing of OpenSSL asm code
...
|
||
|
|
015a03704d |
crypto: salsa20 - Revert "crypto: salsa20 - export generic helpers"
This reverts commit
|
||
|
|
b28fc82267 |
crypto: af_alg: convert to ->poll_mask
Signed-off-by: Christoph Hellwig <hch@lst.de> |
||
|
|
56e8e57fc3 |
crypto: morus - Add common SIMD glue code for MORUS
This patch adds a common glue code for optimized implementations of MORUS AEAD algorithms. Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
|
396be41f16 |
crypto: morus - Add generic MORUS AEAD implementations
This patch adds the generic implementation of the MORUS family of AEAD algorithms (MORUS-640 and MORUS-1280). The original authors of MORUS are Hongjun Wu and Tao Huang. At the time of writing, MORUS is one of the finalists in CAESAR, an open competition intended to select a portfolio of alternatives to the problematic AES-GCM: https://competitions.cr.yp.to/caesar-submissions.html https://competitions.cr.yp.to/round3/morusv2.pdf Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
|
8da02bf1a2 |
crypto: sm4 - export encrypt/decrypt routines to other drivers
In preparation of adding support for the SIMD based arm64 implementation of arm64, which requires a fallback to non-SIMD code when invoked in certain contexts, expose the generic SM4 encrypt and decrypt routines to other drivers. Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Acked-by: Gilad Ben-Yossef <gilad@benyossef.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
|
13c935bb09 |
crypto: api - laying defines and checks for statically allocated buffers
In preparation for the removal of VLAs[1] from crypto code. We create 2 new compile-time constants: all ciphers implemented in Linux have a block size less than or equal to 16 bytes and the most demanding hw require 16 bytes alignment for the block buffer. We also enforce these limits in crypto_check_alg when a new cipher is registered. [1] http://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com Signed-off-by: Salvatore Mesoraca <s.mesoraca16@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
|
4989d4f07a |
crypto: api - Remove unused crypto_type lookup function
The lookup function in crypto_type was only used for the implicit IV generators which have been completely removed from the crypto API. This patch removes the lookup function as it is now useless. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
|
3d053d53fc |
crypto: hash - Prevent use of req->result in ahash update
Prevent improper use of req->result field in ahash update, init, export and import functions in drivers code. A driver should use ahash request context if it needs to save internal state. Signed-off-by: Kamil Konieczny <k.konieczny@partner.samsung.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
|
747c8ce4e7 |
crypto: sm4 - introduce SM4 symmetric cipher algorithm
Introduce the SM4 cipher algorithms (OSCCA GB/T 32907-2016). SM4 (GBT.32907-2016) is a cryptographic standard issued by the Organization of State Commercial Administration of China (OSCCA) as an authorized cryptographic algorithms for the use within China. SMS4 was originally created for use in protecting wireless networks, and is mandated in the Chinese National Standard for Wireless LAN WAPI (Wired Authentication and Privacy Infrastructure) (GB.15629.11-2003). Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
|
0e145b477d |
crypto: ablk_helper - remove ablk_helper
All users of ablk_helper have been converted over to crypto_simd, so remove ablk_helper. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
|
217afccf65 |
crypto: lrw - remove lrw_crypt()
Now that all users of lrw_crypt() have been removed in favor of the LRW template wrapping an ECB mode algorithm, remove lrw_crypt(). Also remove crypto/lrw.h as that is no longer needed either; and fold 'struct lrw_table_ctx' into 'struct priv', lrw_init_table() into setkey(), and lrw_free_table() into exit_tfm(). Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
|
eb66ecd561 |
crypto: xts - remove xts_crypt()
Now that all users of xts_crypt() have been removed in favor of the XTS template wrapping an ECB mode algorithm, remove xts_crypt(). Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
|
d14f0a1fc4 |
crypto: simd - allow registering multiple algorithms at once
Add a function to crypto_simd that registers an array of skcipher algorithms, then allocates and registers the simd wrapper algorithms for them. It assumes the naming scheme where the names of the underlying algorithms are prefixed with two underscores. Also add the corresponding 'unregister' function. Most of the x86 crypto modules will be able to use these. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
|
c8c36413ca |
crypto: speck - export common helpers
Export the Speck constants and transform context and the ->setkey(), ->encrypt(), and ->decrypt() functions so that they can be reused by the ARM NEON implementation of Speck-XTS. The generic key expansion code will be reused because it is not performance-critical and is not vectorizable, while the generic encryption and decryption functions are needed as fallbacks and for the XTS tweak encryption. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
|
218d1cc186 |
crypto: engine - Permit to enqueue all async requests
The crypto engine could actually only enqueue hash and ablkcipher request. This patch permit it to enqueue any type of crypto_async_request. Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com> Tested-by: Fabien Dessenne <fabien.dessenne@st.com> Tested-by: Fabien Dessenne <fabien.dessenne@st.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
||
|
|
edbd1ecbd8 |
crypto: mcryptd - remove pointless wrapper functions
There is no need for ahash_mcryptd_{update,final,finup,digest}(); we
should just call crypto_ahash_*() directly.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||
|
|
a103950e0d |
Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Pull crypto updates from Herbert Xu:
"API:
- Enforce the setting of keys for keyed aead/hash/skcipher
algorithms.
- Add multibuf speed tests in tcrypt.
Algorithms:
- Improve performance of sha3-generic.
- Add native sha512 support on arm64.
- Add v8.2 Crypto Extentions version of sha3/sm3 on arm64.
- Avoid hmac nesting by requiring underlying algorithm to be unkeyed.
- Add cryptd_max_cpu_qlen module parameter to cryptd.
Drivers:
- Add support for EIP97 engine in inside-secure.
- Add inline IPsec support to chelsio.
- Add RevB core support to crypto4xx.
- Fix AEAD ICV check in crypto4xx.
- Add stm32 crypto driver.
- Add support for BCM63xx platforms in bcm2835 and remove bcm63xx.
- Add Derived Key Protocol (DKP) support in caam.
- Add Samsung Exynos True RNG driver.
- Add support for Exynos5250+ SoCs in exynos PRNG driver"
* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (166 commits)
crypto: picoxcell - Fix error handling in spacc_probe()
crypto: arm64/sha512 - fix/improve new v8.2 Crypto Extensions code
crypto: arm64/sm3 - new v8.2 Crypto Extensions implementation
crypto: arm64/sha3 - new v8.2 Crypto Extensions implementation
crypto: testmgr - add new testcases for sha3
crypto: sha3-generic - export init/update/final routines
crypto: sha3-generic - simplify code
crypto: sha3-generic - rewrite KECCAK transform to help the compiler optimize
crypto: sha3-generic - fixes for alignment and big endian operation
crypto: aesni - handle zero length dst buffer
crypto: artpec6 - remove select on non-existing CRYPTO_SHA384
hwrng: bcm2835 - Remove redundant dev_err call in bcm2835_rng_probe()
crypto: stm32 - remove redundant dev_err call in stm32_cryp_probe()
crypto: axis - remove unnecessary platform_get_resource() error check
crypto: testmgr - test misuse of result in ahash
crypto: inside-secure - make function safexcel_try_push_requests static
crypto: aes-generic - fix aes-generic regression on powerpc
crypto: chelsio - Fix indentation warning
crypto: arm64/sha1-ce - get rid of literal pool
crypto: arm64/sha2-ce - move the round constant table to .rodata section
...
|
||
|
|
168fe32a07 |
Merge branch 'misc.poll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull poll annotations from Al Viro:
"This introduces a __bitwise type for POLL### bitmap, and propagates the annotations through the tree. Most of that stuff is as simple as 'make ->poll() instances return __poll_t and do the same to local variables used to hold the future return value'.
Some of the obvious brainos found in process are fixed (e.g. POLLIN misspelled as POLL_IN). At that point the amount of sparse warnings is low and most of them are for genuine bugs - e.g. ->poll() instance deciding to return -EINVAL instead of a bitmap. I hadn't touched those in this series - it's large enough as it is.
Another problem it has caught was eventpoll() ABI mess; select.c and eventpoll.c assumed that corresponding POLL### and EPOLL### were equal. That's true for some, but not all of them - EPOLL### are arch-independent, but POLL### are not.
The last commit in this series separates userland POLL### values from the (now arch-independent) kernel-side ones, converting between them in the few places where they are copied to/from userland. AFAICS, this is the least disruptive fix preserving poll(2) ABI and making epoll() work on all architectures.
As it is, it's simply broken on sparc - try to give it EPOLLWRNORM and it will trigger only on what would've triggered EPOLLWRBAND on other architectures. EPOLLWRBAND and EPOLLRDHUP, OTOH, are never triggered at all on sparc. With this patch they should work consistently on all architectures"
* 'misc.poll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (37 commits)
make kernel-side POLL... arch-independent
eventpoll: no need to mask the result of epi_item_poll() again
eventpoll: constify struct epoll_event pointers
debugging printk in sg_poll() uses %x to print POLL... bitmap
annotate poll(2) guts
9p: untangle ->poll() mess
->si_band gets POLL... bitmap stored into a user-visible long field
ring_buffer_poll_wait() return value used as return value of ->poll()
the rest of drivers/*: annotate ->poll() instances
media: annotate ->poll() instances
fs: annotate ->poll() instances
ipc, kernel, mm: annotate ->poll() instances
net: annotate ->poll() instances
apparmor: annotate ->poll() instances
tomoyo: annotate ->poll() instances
sound: annotate ->poll() instances
acpi: annotate ->poll() instances
crypto: annotate ->poll() instances
block: annotate ->poll() instances
x86: annotate ->poll() instances
...
|