--- /dev/null
+From 93171ba6f1deffd82f381d36cb13177872d023f6 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Sun, 13 Jan 2019 19:31:43 +0100
+Subject: can: bcm: check timer values before ktime conversion
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 93171ba6f1deffd82f381d36cb13177872d023f6 upstream.
+
+Kyungtae Kim detected a potential integer overflow in bcm_[rx|tx]_setup()
+when the conversion into ktime multiplies the given value with NSEC_PER_USEC
+(1000).
+
+Reference: https://marc.info/?l=linux-can&m=154732118819828&w=2
+
+Add a check for the given tv_usec, so that the value stays below one second.
+Additionally limit the tv_sec value to a reasonable value for CAN related
+use-cases of 400 days and ensure all values to be positive.
+
+Reported-by: Kyungtae Kim <kt0755@gmail.com>
+Tested-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Cc: linux-stable <stable@vger.kernel.org> # >= 2.6.26
+Tested-by: Kyungtae Kim <kt0755@gmail.com>
+Acked-by: Andre Naujoks <nautsch2@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/can/bcm.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -67,6 +67,9 @@
+ */
+ #define MAX_NFRAMES 256
+
++/* limit timers to 400 days for sending/timeouts */
++#define BCM_TIMER_SEC_MAX (400 * 24 * 60 * 60)
++
+ /* use of last_frames[index].flags */
+ #define RX_RECV 0x40 /* received data for this element */
+ #define RX_THR 0x80 /* element not been sent due to throttle feature */
+@@ -140,6 +143,22 @@ static inline ktime_t bcm_timeval_to_kti
+ return ktime_set(tv.tv_sec, tv.tv_usec * NSEC_PER_USEC);
+ }
+
++/* check limitations for timeval provided by user */
++static bool bcm_is_invalid_tv(struct bcm_msg_head *msg_head)
++{
++ if ((msg_head->ival1.tv_sec < 0) ||
++ (msg_head->ival1.tv_sec > BCM_TIMER_SEC_MAX) ||
++ (msg_head->ival1.tv_usec < 0) ||
++ (msg_head->ival1.tv_usec >= USEC_PER_SEC) ||
++ (msg_head->ival2.tv_sec < 0) ||
++ (msg_head->ival2.tv_sec > BCM_TIMER_SEC_MAX) ||
++ (msg_head->ival2.tv_usec < 0) ||
++ (msg_head->ival2.tv_usec >= USEC_PER_SEC))
++ return true;
++
++ return false;
++}
++
+ #define CFSIZ(flags) ((flags & CAN_FD_FRAME) ? CANFD_MTU : CAN_MTU)
+ #define OPSIZ sizeof(struct bcm_op)
+ #define MHSIZ sizeof(struct bcm_msg_head)
+@@ -886,6 +905,10 @@ static int bcm_tx_setup(struct bcm_msg_h
+ if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES)
+ return -EINVAL;
+
++ /* check timeval limitations */
++ if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head))
++ return -EINVAL;
++
+ /* check the given can_id */
+ op = bcm_find_op(&bo->tx_ops, msg_head, ifindex);
+ if (op) {
+@@ -1065,6 +1088,10 @@ static int bcm_rx_setup(struct bcm_msg_h
+ (!(msg_head->can_id & CAN_RTR_FLAG))))
+ return -EINVAL;
+
++ /* check timeval limitations */
++ if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head))
++ return -EINVAL;
++
+ /* check the given can_id */
+ op = bcm_find_op(&bo->rx_ops, msg_head, ifindex);
+ if (op) {
--- /dev/null
+From 7b12c8189a3dc50638e7d53714c88007268d47ef Mon Sep 17 00:00:00 2001
+From: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
+Date: Wed, 19 Dec 2018 19:39:58 +0100
+Subject: can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it
+
+From: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
+
+commit 7b12c8189a3dc50638e7d53714c88007268d47ef upstream.
+
+This patch revert commit 7da11ba5c506
+("can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb")
+
+After introduction of this change we encountered following new error
+message on various i.MX plattforms (flexcan):
+
+| flexcan 53fc8000.can can0: __can_get_echo_skb: BUG! Trying to echo non
+| existing skb: can_priv::echo_skb[0]
+
+The introduction of the message was a mistake because
+priv->echo_skb[idx] = NULL is a perfectly valid in following case: If
+CAN_RAW_LOOPBACK is disabled (setsockopt) in applications, the pkt_type
+of the tx skb's given to can_put_echo_skb is set to PACKET_LOOPBACK. In
+this case can_put_echo_skb will not set priv->echo_skb[idx]. It is
+therefore kept NULL.
+
+As additional argument for revert: The order of check and usage of idx
+was changed. idx is used to access an array element before checking it's
+boundaries.
+
+Signed-off-by: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
+Fixes: 7da11ba5c506 ("can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb")
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -479,8 +479,6 @@ EXPORT_SYMBOL_GPL(can_put_echo_skb);
+ struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr)
+ {
+ struct can_priv *priv = netdev_priv(dev);
+- struct sk_buff *skb = priv->echo_skb[idx];
+- struct canfd_frame *cf;
+
+ if (idx >= priv->echo_skb_max) {
+ netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n",
+@@ -488,20 +486,21 @@ struct sk_buff *__can_get_echo_skb(struc
+ return NULL;
+ }
+
+- if (!skb) {
+- netdev_err(dev, "%s: BUG! Trying to echo non existing skb: can_priv::echo_skb[%u]\n",
+- __func__, idx);
+- return NULL;
+- }
++ if (priv->echo_skb[idx]) {
++ /* Using "struct canfd_frame::len" for the frame
++ * length is supported on both CAN and CANFD frames.
++ */
++ struct sk_buff *skb = priv->echo_skb[idx];
++ struct canfd_frame *cf = (struct canfd_frame *)skb->data;
++ u8 len = cf->len;
+
+- /* Using "struct canfd_frame::len" for the frame
+- * length is supported on both CAN and CANFD frames.
+- */
+- cf = (struct canfd_frame *)skb->data;
+- *len_ptr = cf->len;
+- priv->echo_skb[idx] = NULL;
++ *len_ptr = len;
++ priv->echo_skb[idx] = NULL;
++
++ return skb;
++ }
+
+- return skb;
++ return NULL;
+ }
+
+ /*
--- /dev/null
+From 8208d1708b88b412ca97f50a6d951242c88cbbac Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Fri, 18 Jan 2019 14:08:59 +0000
+Subject: irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 8208d1708b88b412ca97f50a6d951242c88cbbac upstream.
+
+The way we allocate events works fine in most cases, except
+when multiple PCI devices share an ITS-visible DevID, and that
+one of them is trying to use MultiMSI allocation.
+
+In that case, our allocation is not guaranteed to be zero-based
+anymore, and we have to make sure we allocate it on a boundary
+that is compatible with the PCI Multi-MSI constraints.
+
+Fix this by allocating the full region upfront instead of iterating
+over the number of MSIs. MSI-X are always allocated one by one,
+so this shouldn't change anything on that front.
+
+Fixes: b48ac83d6bbc2 ("irqchip: GICv3: ITS: MSI support")
+Cc: stable@vger.kernel.org
+Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-gic-v3-its.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -2086,13 +2086,14 @@ static void its_free_device(struct its_d
+ kfree(its_dev);
+ }
+
+-static int its_alloc_device_irq(struct its_device *dev, irq_hw_number_t *hwirq)
++static int its_alloc_device_irq(struct its_device *dev, int nvecs, irq_hw_number_t *hwirq)
+ {
+ int idx;
+
+- idx = find_first_zero_bit(dev->event_map.lpi_map,
+- dev->event_map.nr_lpis);
+- if (idx == dev->event_map.nr_lpis)
++ idx = bitmap_find_free_region(dev->event_map.lpi_map,
++ dev->event_map.nr_lpis,
++ get_count_order(nvecs));
++ if (idx < 0)
+ return -ENOSPC;
+
+ *hwirq = dev->event_map.lpi_base + idx;
+@@ -2188,21 +2189,21 @@ static int its_irq_domain_alloc(struct i
+ int err;
+ int i;
+
+- for (i = 0; i < nr_irqs; i++) {
+- err = its_alloc_device_irq(its_dev, &hwirq);
+- if (err)
+- return err;
++ err = its_alloc_device_irq(its_dev, nr_irqs, &hwirq);
++ if (err)
++ return err;
+
+- err = its_irq_gic_domain_alloc(domain, virq + i, hwirq);
++ for (i = 0; i < nr_irqs; i++) {
++ err = its_irq_gic_domain_alloc(domain, virq + i, hwirq + i);
+ if (err)
+ return err;
+
+ irq_domain_set_hwirq_and_chip(domain, virq + i,
+- hwirq, &its_irq_chip, its_dev);
++ hwirq + i, &its_irq_chip, its_dev);
+ irqd_set_single_target(irq_desc_get_irq_data(irq_to_desc(virq + i)));
+ pr_debug("ID:%d pID:%d vID:%d\n",
+- (int)(hwirq - its_dev->event_map.lpi_base),
+- (int) hwirq, virq + i);
++ (int)(hwirq + i - its_dev->event_map.lpi_base),
++ (int)(hwirq + i), virq + i);
+ }
+
+ return 0;
--- /dev/null
+From 93ad0fc088c5b4631f796c995bdd27a082ef33a6 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri, 11 Jan 2019 14:33:16 +0100
+Subject: posix-cpu-timers: Unbreak timer rearming
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 93ad0fc088c5b4631f796c995bdd27a082ef33a6 upstream.
+
+The recent commit which prevented a division by 0 issue in the alarm timer
+code broke posix CPU timers as an unwanted side effect.
+
+The reason is that the common rearm code checks for timer->it_interval
+being 0 now. What went unnoticed is that the posix cpu timer setup does not
+initialize timer->it_interval as it stores the interval in CPU timer
+specific storage. The reason for the separate storage is historical as the
+posix CPU timers always had a 64bit nanoseconds representation internally
+while timer->it_interval is type ktime_t which used to be a modified
+timespec representation on 32bit machines.
+
+Instead of reverting the offending commit and fixing the alarmtimer issue
+in the alarmtimer code, store the interval in timer->it_interval at CPU
+timer setup time so the common code check works. This also repairs the
+existing inconistency of the posix CPU timer code which kept a single shot
+timer armed despite of the interval being 0.
+
+The separate storage can be removed in mainline, but that needs to be a
+separate commit as the current one has to be backported to stable kernels.
+
+Fixes: 0e334db6bb4b ("posix-timers: Fix division by zero bug")
+Reported-by: H.J. Lu <hjl.tools@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190111133500.840117406@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/posix-cpu-timers.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/time/posix-cpu-timers.c
++++ b/kernel/time/posix-cpu-timers.c
+@@ -685,6 +685,7 @@ static int posix_cpu_timer_set(struct k_
+ * set up the signal and overrun bookkeeping.
+ */
+ timer->it.cpu.incr = timespec64_to_ns(&new->it_interval);
++ timer->it_interval = ns_to_ktime(timer->it.cpu.incr);
+
+ /*
+ * This acts as a modification timestamp for the timer,
x86-pkeys-properly-copy-pkey-state-at-fork.patch
x86-selftests-pkeys-fork-to-check-for-state-being-preserved.patch
x86-kaslr-fix-incorrect-i8254-outb-parameters.patch
+posix-cpu-timers-unbreak-timer-rearming.patch
+irqchip-gic-v3-its-align-pci-multi-msi-allocation-on-their-size.patch
+can-dev-__can_get_echo_skb-fix-bogous-check-for-non-existing-skb-by-removing-it.patch
+can-bcm-check-timer-values-before-ktime-conversion.patch
+vt-invoke-notifier-on-screen-size-change.patch
--- /dev/null
+From 0c9b1965faddad7534b6974b5b36c4ad37998f8e Mon Sep 17 00:00:00 2001
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+Date: Tue, 8 Jan 2019 22:55:01 -0500
+Subject: vt: invoke notifier on screen size change
+
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+
+commit 0c9b1965faddad7534b6974b5b36c4ad37998f8e upstream.
+
+User space using poll() on /dev/vcs devices are not awaken when a
+screen size change occurs. Let's fix that.
+
+Signed-off-by: Nicolas Pitre <nico@linaro.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/vt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -953,6 +953,7 @@ static int vc_do_resize(struct tty_struc
+ if (con_is_visible(vc))
+ update_screen(vc);
+ vt_event_post(VT_EVENT_RESIZE, vc->vc_num, vc->vc_num);
++ notify_update(vc);
+ return err;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
