Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6

Pull crypto fixes from Herbert Xu:

 - Fix missed wake-up race in padata

 - Use crypto_memneq in ccp

 - Fix version check in ccp

 - Fix fuzz test failure in ccp

 - Fix potential double free in crypto4xx

 - Fix compile warning in stm32

* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  padata: use smp_mb in padata_reorder to avoid orphaned padata jobs
  crypto: ccp - Fix SEV_VERSION_GREATER_OR_EQUAL
  crypto: ccp/gcm - use const time tag comparison.
  crypto: ccp - memset structure fields to zero before reuse
  crypto: crypto4xx - fix a potential double free in ppc4xx_trng_probe
  crypto: stm32/hash - Fix incorrect printk modifier for size_t

5 files changed, 38 insertions, 11 deletions

diff --git a/drivers/crypto/amcc/crypto4xx_trng.c b/drivers/crypto/amcc/crypto4xx_trng.c
index 02a6bed3b062..f10a87e541ed 100644
--- a/drivers/crypto/amcc/crypto4xx_trng.c
+++ b/drivers/crypto/amcc/crypto4xx_trng.c
@@ -108,7 +108,6 @@ void ppc4xx_trng_probe(struct crypto4xx_core_device *core_dev)
         return;
 
 err_out:
-        of_node_put(trng);
         iounmap(dev->trng_base);
         kfree(rng);
         dev->trng_base = NULL;
diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
index 866b2e05ca77..c69ed4bae2eb 100644
--- a/drivers/crypto/ccp/ccp-ops.c
+++ b/drivers/crypto/ccp/ccp-ops.c
@@ -622,6 +622,7 @@ static int ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q,
 
         unsigned long long *final;
         unsigned int dm_offset;
+        unsigned int jobid;
         unsigned int ilen;
         bool in_place = true; /* Default value */
         int ret;
@@ -660,9 +661,11 @@ static int ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q,
                 p_tag = scatterwalk_ffwd(sg_tag, p_inp, ilen);
         }
 
+        jobid = CCP_NEW_JOBID(cmd_q->ccp);
+
         memset(&op, 0, sizeof(op));
         op.cmd_q = cmd_q;
-        op.jobid = CCP_NEW_JOBID(cmd_q->ccp);
+        op.jobid = jobid;
         op.sb_key = cmd_q->sb_key; /* Pre-allocated */
         op.sb_ctx = cmd_q->sb_ctx; /* Pre-allocated */
         op.init = 1;
@@ -813,6 +816,13 @@ static int ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q,
         final[0] = cpu_to_be64(aes->aad_len * 8);
         final[1] = cpu_to_be64(ilen * 8);
 
+        memset(&op, 0, sizeof(op));
+        op.cmd_q = cmd_q;
+        op.jobid = jobid;
+        op.sb_key = cmd_q->sb_key; /* Pre-allocated */
+        op.sb_ctx = cmd_q->sb_ctx; /* Pre-allocated */
+        op.init = 1;
+        op.u.aes.type = aes->type;
         op.u.aes.mode = CCP_AES_MODE_GHASH;
         op.u.aes.action = CCP_AES_GHASHFINAL;
         op.src.type = CCP_MEMTYPE_SYSTEM;
@@ -840,7 +850,8 @@ static int ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q,
                 if (ret)
                         goto e_tag;
 
-                ret = memcmp(tag.address, final_wa.address, AES_BLOCK_SIZE);
+                ret = crypto_memneq(tag.address, final_wa.address,
+                                    AES_BLOCK_SIZE) ? -EBADMSG : 0;
                 ccp_dm_free(&tag);
         }
 
diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c
index de5a8ca70d3d..6b17d179ef8a 100644
--- a/drivers/crypto/ccp/psp-dev.c
+++ b/drivers/crypto/ccp/psp-dev.c
@@ -24,10 +24,6 @@
 #include "sp-dev.h"
 #include "psp-dev.h"
 
-#define SEV_VERSION_GREATER_OR_EQUAL(_maj, _min)        \
-                ((psp_master->api_major) >= _maj &&     \
-                 (psp_master->api_minor) >= _min)
-
 #define DEVICE_NAME             "sev"
 #define SEV_FW_FILE             "amd/sev.fw"
 #define SEV_FW_NAME_SIZE        64
@@ -47,6 +43,15 @@ MODULE_PARM_DESC(psp_probe_timeout, " default timeout value, in seconds, during
 static bool psp_dead;
 static int psp_timeout;
 
+static inline bool sev_version_greater_or_equal(u8 maj, u8 min)
+{
+        if (psp_master->api_major > maj)
+                return true;
+        if (psp_master->api_major == maj && psp_master->api_minor >= min)
+                return true;
+        return false;
+}
+
 static struct psp_device *psp_alloc_struct(struct sp_device *sp)
 {
         struct device *dev = sp->dev;
@@ -588,7 +593,7 @@ static int sev_ioctl_do_get_id2(struct sev_issue_cmd *argp)
         int ret;
 
         /* SEV GET_ID is available from SEV API v0.16 and up */
-        if (!SEV_VERSION_GREATER_OR_EQUAL(0, 16))
+        if (!sev_version_greater_or_equal(0, 16))
                 return -ENOTSUPP;
 
         if (copy_from_user(&input, (void __user *)argp->data, sizeof(input)))
@@ -651,7 +656,7 @@ static int sev_ioctl_do_get_id(struct sev_issue_cmd *argp)
         int ret;
 
         /* SEV GET_ID available from SEV API v0.16 and up */
-        if (!SEV_VERSION_GREATER_OR_EQUAL(0, 16))
+        if (!sev_version_greater_or_equal(0, 16))
                 return -ENOTSUPP;
 
         /* SEV FW expects the buffer it fills with the ID to be
@@ -1053,7 +1058,7 @@ void psp_pci_init(void)
                 psp_master->sev_state = SEV_STATE_UNINIT;
         }
 
-        if (SEV_VERSION_GREATER_OR_EQUAL(0, 15) &&
+        if (sev_version_greater_or_equal(0, 15) &&
             sev_update_firmware(psp_master->dev) == 0)
                 sev_get_api_version();
 
diff --git a/drivers/crypto/stm32/stm32-hash.c b/drivers/crypto/stm32/stm32-hash.c
index 23061f2bc74b..2b70d8796f25 100644
--- a/drivers/crypto/stm32/stm32-hash.c
+++ b/drivers/crypto/stm32/stm32-hash.c
@@ -338,7 +338,7 @@ static int stm32_hash_xmit_cpu(struct stm32_hash_dev *hdev,
 
         len32 = DIV_ROUND_UP(length, sizeof(u32));
 
-        dev_dbg(hdev->dev, "%s: length: %d, final: %x len32 %i\n",
+        dev_dbg(hdev->dev, "%s: length: %zd, final: %x len32 %i\n",
                 __func__, length, final, len32);
 
         hdev->flags |= HASH_FLAGS_CPU;
diff --git a/kernel/padata.c b/kernel/padata.c
index 2d2fddbb7a4c..15a8ad63f4ff 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -267,7 +267,12 @@ static void padata_reorder(struct parallel_data *pd)
          * The next object that needs serialization might have arrived to
          * the reorder queues in the meantime, we will be called again
          * from the timer function if no one else cares for it.
+         *
+         * Ensure reorder_objects is read after pd->lock is dropped so we see
+         * an increment from another task in padata_do_serial.  Pairs with
+         * smp_mb__after_atomic in padata_do_serial.
          */
+        smp_mb();
         if (atomic_read(&pd->reorder_objects)
                         && !(pinst->flags & PADATA_RESET))
                 mod_timer(&pd->timer, jiffies + HZ);
@@ -387,6 +392,13 @@ void padata_do_serial(struct padata_priv *padata)
         list_add_tail(&padata->list, &pqueue->reorder.list);
         spin_unlock(&pqueue->reorder.lock);
 
+        /*
+         * Ensure the atomic_inc of reorder_objects above is ordered correctly
+         * with the trylock of pd->lock in padata_reorder.  Pairs with smp_mb
+         * in padata_reorder.
+         */
+        smp_mb__after_atomic();
+
         put_cpu();
 
         /* If we're running on the wrong CPU, call padata_reorder() via a