authorGreg Kroah-Hartman <gregkh@google.com>2018-06-16 10:33:03 +0200
committerGreg Kroah-Hartman <gregkh@google.com>2018-06-16 10:33:03 +0200
commit07c01385fb82b6c7e83c76ec63c4f43b784e6548 (patch)
tree8d6c00bc5f8e38a3aa400260da3e2cff0bc49df3 /net
parenta2e2217bd824475c7469047898d60ba78f3891d8 (diff)
parent0bd2bedb3501db249b347e5acbfd3415bd7667a5 (diff)
Merge 4.4.138 into android-4.4
Changes in 4.4.138 x86/fpu: Fix early FPU command-line parsing x86: Remove unused function cpu_has_ht_siblings() x86/cpufeature: Remove unused and seldomly used cpu_has_xx macros x86/fpu: Disable MPX when eagerfpu is off x86/fpu: Disable AVX when eagerfpu is off x86/fpu: Default eagerfpu=on on all CPUs x86/fpu: Fix 'no387' regression x86/fpu: Revert ("x86/fpu: Disable AVX when eagerfpu is off") x86/fpu: Fix eager-FPU handling on legacy FPU machines x86/fpu: Hard-disable lazy FPU mode x86/fpu: Fix FNSAVE usage in eagerfpu mode x86/fpu: Fix math emulation in eager fpu mode af_key: Always verify length of provided sadb_key x86/crypto, x86/fpu: Remove X86_FEATURE_EAGER_FPU #ifdef from the crc32c code gpio: No NULL owner Clarify (and fix) MAX_LFS_FILESIZE macros KVM: x86: introduce linear_{read,write}_system KVM: x86: pass kvm_vcpu to kvm_read_guest_virt and kvm_write_guest_virt_system serial: samsung: fix maxburst parameter for DMA transactions vmw_balloon: fixing double free when batching mode is off kvm: x86: use correct privilege level for sgdt/sidt/fxsave/fxrstor access Input: goodix - add new ACPI id for GPD Win 2 touch screen Input: elan_i2c - add ELAN0612 (Lenovo v330 14IKB) ACPI ID crypto: vmx - Remove overly verbose printk from AES init routines Linux 4.4.138 Change-Id: I443664406b736e16c77c99d83e9bdf02f4511ee4 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Diffstat (limited to 'net')
-rw-r--r--net/key/af_key.c45
1 files changed, 35 insertions, 10 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 15150b412930..3ba903ff2bb0 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -437,6 +437,24 @@ static int verify_address_len(const void *p)
return 0;
}
+static inline int sadb_key_len(const struct sadb_key *key)
+{
+ int key_bytes = DIV_ROUND_UP(key->sadb_key_bits, 8);
+
+ return DIV_ROUND_UP(sizeof(struct sadb_key) + key_bytes,
+ sizeof(uint64_t));
+}
+
+static int verify_key_len(const void *p)
+{
+ const struct sadb_key *key = p;
+
+ if (sadb_key_len(key) > key->sadb_key_len)
+ return -EINVAL;
+
+ return 0;
+}
+
static inline int pfkey_sec_ctx_len(const struct sadb_x_sec_ctx *sec_ctx)
{
return DIV_ROUND_UP(sizeof(struct sadb_x_sec_ctx) +
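Review bot: `sadb_key_len()` and `verify_key_len()` have no comment on units, and the comparison in `verify_key_len()` is easy to misread. `sadb_key_len` is compared against a value rounded up to `sizeof(uint64_t)` units, and the test rejects only an extension too short for `sadb_key_bits`, not one longer than needed. I would add `/* Minimum sadb_key_len, in 64-bit words, for the header plus sadb_key_bits of key material. */` above the helper and `/* Too short for the declared key: a later read of the key would run past the extension. */` above the test. `verify_key_len()` also reads the header fields unconditionally, so it relies on the caller having established that at least `sizeof(struct sadb_key)` bytes are present. That check is presumably earlier in `parse_exthdrs()`, outside this diff, and is worth naming in the comment.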
@@ -533,16 +551,25 @@ static int parse_exthdrs(struct sk_buff *skb, const struct sadb_msg *hdr, void *
return -EINVAL;
if (ext_hdrs[ext_type-1] != NULL)
return -EINVAL;
- if (ext_type == SADB_EXT_ADDRESS_SRC ||
- ext_type == SADB_EXT_ADDRESS_DST ||
- ext_type == SADB_EXT_ADDRESS_PROXY ||
- ext_type == SADB_X_EXT_NAT_T_OA) {
+ switch (ext_type) {
+ case SADB_EXT_ADDRESS_SRC:
+ case SADB_EXT_ADDRESS_DST:
+ case SADB_EXT_ADDRESS_PROXY:
+ case SADB_X_EXT_NAT_T_OA:
if (verify_address_len(p))
return -EINVAL;
- }
- if (ext_type == SADB_X_EXT_SEC_CTX) {
+ break;
+ case SADB_X_EXT_SEC_CTX:
if (verify_sec_ctx_len(p))
return -EINVAL;
+ break;
+ case SADB_EXT_KEY_AUTH:
+ case SADB_EXT_KEY_ENCRYPT:
+ if (verify_key_len(p))
+ return -EINVAL;
+ break;
+ default:
+ break;
}
ext_hdrs[ext_type-1] = (void *) p;
}
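Review bot: The `SADB_EXT_KEY_AUTH` / `SADB_EXT_KEY_ENCRYPT` cases become the only bound on key length that this diff shows. The visible part of the `pfkey_msg2xfrm_state()` hunk drops its own `sadb_key_bits` versus `sadb_key_len` comparison and keeps only the zero-bits test. A comment on these two cases would record that dependency so the check is not later moved or skipped, e.g. `/* Later users of ext_hdrs[] trust sadb_key_bits to fit inside the extension; see verify_key_len(). */`. The `default: break;` arm leaves every other extension type covered only by whatever generic length checks precede the switch. Those checks are outside the hunk, as are the start and end of `parse_exthdrs()`.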
@@ -1111,14 +1138,12 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
key = ext_hdrs[SADB_EXT_KEY_AUTH - 1];
if (key != NULL &&
sa->sadb_sa_auth != SADB_X_AALG_NULL &&
- ((key->sadb_key_bits+7) / 8 == 0 ||
- (key->sadb_key_bits+7) / 8 > key->sadb_key_len * sizeof(uint64_t)))
+ key->sadb_key_bits == 0)
return ERR_PTR(-EINVAL);
key = ext_hdrs[SADB_EXT_KEY_ENCRYPT-1];
if (key != NULL &&
sa->sadb_sa_encrypt != SADB_EALG_NULL &&
- ((key->sadb_key_bits+7) / 8 == 0 ||
- (key->sadb_key_bits+7) / 8 > key->sadb_key_len * sizeof(uint64_t)))
+ key->sadb_key_bits == 0)
return ERR_PTR(-EINVAL);
x = xfrm_state_alloc(net);