Merge 4.4.98 into android-4.4

Changes in 4.4.98
	adv7604: Initialize drive strength to default when using DT
	video: fbdev: pmag-ba-fb: Remove bad `__init' annotation
	PCI: mvebu: Handle changes to the bridge windows while enabled
	xen/netback: set default upper limit of tx/rx queues to 8
	drm: drm_minor_register(): Clean up debugfs on failure
	KVM: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter
	iommu/arm-smmu-v3: Clear prior settings when updating STEs
	powerpc/corenet: explicitly disable the SDHC controller on kmcoge4
	ARM: omap2plus_defconfig: Fix probe errors on UARTs 5 and 6
	crypto: vmx - disable preemption to enable vsx in aes_ctr.c
	iio: trigger: free trigger resource correctly
	phy: increase size of MII_BUS_ID_SIZE and bus_id
	serial: sh-sci: Fix register offsets for the IRDA serial port
	usb: hcd: initialize hcd->flags to 0 when rm hcd
	netfilter: nft_meta: deal with PACKET_LOOPBACK in netdev family
	IPsec: do not ignore crypto err in ah4 input
	Input: mpr121 - handle multiple bits change of status register
	Input: mpr121 - set missing event capability
	IB/ipoib: Change list_del to list_del_init in the tx object
	s390/qeth: issue STARTLAN as first IPA command
	net: dsa: select NET_SWITCHDEV
	platform/x86: hp-wmi: Fix detection for dock and tablet mode
	cdc_ncm: Set NTB format again after altsetting switch for Huawei devices
	KEYS: trusted: sanitize all key material
	KEYS: trusted: fix writing past end of buffer in trusted_read()
	platform/x86: hp-wmi: Fix error value for hp_wmi_tablet_state
	platform/x86: hp-wmi: Do not shadow error values
	x86/uaccess, sched/preempt: Verify access_ok() context
	workqueue: Fix NULL pointer dereference
	crypto: x86/sha1-mb - fix panic due to unaligned access
	KEYS: fix NULL pointer dereference during ASN.1 parsing [ver #2]
	ARM: 8720/1: ensure dump_instr() checks addr_limit
	ALSA: seq: Fix OSS sysex delivery in OSS emulation
	ALSA: seq: Avoid invalid lockdep class warning
	MIPS: microMIPS: Fix incorrect mask in insn_table_MM
	MIPS: Fix CM region target definitions
	MIPS: SMP: Use a completion event to signal CPU up
	MIPS: Fix race on setting and getting cpu_online_mask
	MIPS: SMP: Fix deadlock & online race
	test: firmware_class: report errors properly on failure
	selftests: firmware: add empty string and async tests
	selftests: firmware: send expected errors to /dev/null
	tools: firmware: check for distro fallback udev cancel rule
	MIPS: AR7: Defer registration of GPIO
	MIPS: AR7: Ensure that serial ports are properly set up
	Input: elan_i2c - add ELAN060C to the ACPI table
	drm/vmwgfx: Fix Ubuntu 17.10 Wayland black screen issue
	rbd: use GFP_NOIO for parent stat and data requests
	can: sun4i: handle overrun in RX FIFO
	can: c_can: don't indicate triple sampling support for D_CAN
	x86/oprofile/ppro: Do not use __this_cpu*() in preemptible context
	PKCS#7: fix unitialized boolean 'want'
	Linux 4.4.98

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

1 files changed, 33 insertions, 38 deletions

diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index 509aedcf8310..214ae2dc7f64 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -69,7 +69,7 @@ static int TSS_sha1(const unsigned char *data, unsigned int datalen,
 	}
 
 	ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest);
-	kfree(sdesc);
+	kzfree(sdesc);
 	return ret;
 }
 
@@ -113,7 +113,7 @@ static int TSS_rawhmac(unsigned char *digest, const unsigned char *key,
 	if (!ret)
 		ret = crypto_shash_final(&sdesc->shash, digest);
 out:
-	kfree(sdesc);
+	kzfree(sdesc);
 	return ret;
 }
 
@@ -164,7 +164,7 @@ static int TSS_authhmac(unsigned char *digest, const unsigned char *key,
 				  paramdigest, TPM_NONCE_SIZE, h1,
 				  TPM_NONCE_SIZE, h2, 1, &c, 0, 0);
 out:
-	kfree(sdesc);
+	kzfree(sdesc);
 	return ret;
 }
 
@@ -245,7 +245,7 @@ static int TSS_checkhmac1(unsigned char *buffer,
 	if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE))
 		ret = -EINVAL;
 out:
-	kfree(sdesc);
+	kzfree(sdesc);
 	return ret;
 }
 
@@ -346,7 +346,7 @@ static int TSS_checkhmac2(unsigned char *buffer,
 	if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE))
 		ret = -EINVAL;
 out:
-	kfree(sdesc);
+	kzfree(sdesc);
 	return ret;
 }
 
@@ -563,7 +563,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
 		*bloblen = storedsize;
 	}
 out:
-	kfree(td);
+	kzfree(td);
 	return ret;
 }
 
@@ -677,7 +677,7 @@ static int key_seal(struct trusted_key_payload *p,
 	if (ret < 0)
 		pr_info("trusted_key: srkseal failed (%d)\n", ret);
 
-	kfree(tb);
+	kzfree(tb);
 	return ret;
 }
 
@@ -702,7 +702,7 @@ static int key_unseal(struct trusted_key_payload *p,
 		/* pull migratable flag out of sealed key */
 		p->migratable = p->key[--p->key_len];
 
-	kfree(tb);
+	kzfree(tb);
 	return ret;
 }
 
@@ -984,12 +984,12 @@ static int trusted_instantiate(struct key *key,
 	if (!ret && options->pcrlock)
 		ret = pcrlock(options->pcrlock);
 out:
-	kfree(datablob);
-	kfree(options);
+	kzfree(datablob);
+	kzfree(options);
 	if (!ret)
 		rcu_assign_keypointer(key, payload);
 	else
-		kfree(payload);
+		kzfree(payload);
 	return ret;
 }
 
@@ -998,8 +998,7 @@ static void trusted_rcu_free(struct rcu_head *rcu)
 	struct trusted_key_payload *p;
 
 	p = container_of(rcu, struct trusted_key_payload, rcu);
-	memset(p->key, 0, p->key_len);
-	kfree(p);
+	kzfree(p);
 }
 
 /*
@@ -1041,13 +1040,13 @@ static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
 	ret = datablob_parse(datablob, new_p, new_o);
 	if (ret != Opt_update) {
 		ret = -EINVAL;
-		kfree(new_p);
+		kzfree(new_p);
 		goto out;
 	}
 
 	if (!new_o->keyhandle) {
 		ret = -EINVAL;
-		kfree(new_p);
+		kzfree(new_p);
 		goto out;
 	}
 
@@ -1061,22 +1060,22 @@ static int trusted_update(struct key *key, struct key_preparsed_payload *prep)
 	ret = key_seal(new_p, new_o);
 	if (ret < 0) {
 		pr_info("trusted_key: key_seal failed (%d)\n", ret);
-		kfree(new_p);
+		kzfree(new_p);
 		goto out;
 	}
 	if (new_o->pcrlock) {
 		ret = pcrlock(new_o->pcrlock);
 		if (ret < 0) {
 			pr_info("trusted_key: pcrlock failed (%d)\n", ret);
-			kfree(new_p);
+			kzfree(new_p);
 			goto out;
 		}
 	}
 	rcu_assign_keypointer(key, new_p);
 	call_rcu(&p->rcu, trusted_rcu_free);
 out:
-	kfree(datablob);
-	kfree(new_o);
+	kzfree(datablob);
+	kzfree(new_o);
 	return ret;
 }
 
@@ -1095,34 +1094,30 @@ static long trusted_read(const struct key *key, char __user *buffer,
 	p = rcu_dereference_key(key);
 	if (!p)
 		return -EINVAL;
-	if (!buffer || buflen <= 0)
-		return 2 * p->blob_len;
-	ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL);
-	if (!ascii_buf)
-		return -ENOMEM;
 
-	bufp = ascii_buf;
-	for (i = 0; i < p->blob_len; i++)
-		bufp = hex_byte_pack(bufp, p->blob[i]);
-	if ((copy_to_user(buffer, ascii_buf, 2 * p->blob_len)) != 0) {
-		kfree(ascii_buf);
-		return -EFAULT;
+	if (buffer && buflen >= 2 * p->blob_len) {
+		ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL);
+		if (!ascii_buf)
+			return -ENOMEM;
+
+		bufp = ascii_buf;
+		for (i = 0; i < p->blob_len; i++)
+			bufp = hex_byte_pack(bufp, p->blob[i]);
+		if (copy_to_user(buffer, ascii_buf, 2 * p->blob_len) != 0) {
+			kzfree(ascii_buf);
+			return -EFAULT;
+		}
+		kzfree(ascii_buf);
 	}
-	kfree(ascii_buf);
 	return 2 * p->blob_len;
 }
 
 /*
- * trusted_destroy - before freeing the key, clear the decrypted data
+ * trusted_destroy - clear and free the key's payload
  */
 static void trusted_destroy(struct key *key)
 {
-	struct trusted_key_payload *p = key->payload.data[0];
-
-	if (!p)
-		return;
-	memset(p->key, 0, p->key_len);
-	kfree(key->payload.data[0]);
+	kzfree(key->payload.data[0]);
 }
 
 struct key_type key_type_trusted = {