--- /dev/null
+From 5616f36713ea77f57ae908bf2fef641364403c9f Mon Sep 17 00:00:00 2001
+From: Sascha Hauer <s.hauer@pengutronix.de>
+Date: Wed, 20 Apr 2016 13:34:31 +0000
+Subject: ARM: SoCFPGA: Fix secondary CPU startup in thumb2 kernel
+
+From: Sascha Hauer <s.hauer@pengutronix.de>
+
+commit 5616f36713ea77f57ae908bf2fef641364403c9f upstream.
+
+The secondary CPU starts up in ARM mode. When the kernel is compiled in
+thumb2 mode we have to explicitly compile the secondary startup
+trampoline in ARM mode, otherwise the CPU will go to Nirvana.
+
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Reported-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
+Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Dinh Nguyen <dinguyen@opensource.altera.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-socfpga/headsmp.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/mach-socfpga/headsmp.S
++++ b/arch/arm/mach-socfpga/headsmp.S
+@@ -11,6 +11,7 @@
+ #include <linux/init.h>
+
+ .arch armv7-a
++ .arm
+
+ ENTRY(secondary_trampoline)
+ movw r2, #:lower16:cpu1start_addr
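Review bot: The new `.arm` directive has no comment, so a later cleanup could drop it as redundant next to `.arch armv7-a`. A one-line comment above it would record the reason the commit message gives, for example `/* secondary CPU enters in ARM state: keep the trampoline ARM-encoded even in a Thumb-2 kernel */`. The body of secondary_trampoline continues outside the hunk, so how it hands over to Thumb-2 kernel code cannot be checked from here.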
--- /dev/null
+From c78296665c3d81f040117432ab9e1cb125521b0c Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 26 Feb 2016 17:56:13 +0100
+Subject: batman-adv: Check skb size before using encapsulated ETH+VLAN header
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit c78296665c3d81f040117432ab9e1cb125521b0c upstream.
+
+The encapsulated ethernet and VLAN header may be outside the received
+ethernet frame. Thus the skb buffer size has to be checked before it can be
+parsed to find out if it encapsulates another batman-adv packet.
+
+Fixes: 420193573f11 ("batman-adv: softif bridge loop avoidance")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Antonio Quartulli <a@unstable.cc>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/batman-adv/soft-interface.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -356,11 +356,17 @@ void batadv_interface_rx(struct net_devi
+ */
+ nf_reset(skb);
+
++ if (unlikely(!pskb_may_pull(skb, ETH_HLEN)))
++ goto dropped;
++
+ vid = batadv_get_vid(skb, 0);
+ ethhdr = eth_hdr(skb);
+
+ switch (ntohs(ethhdr->h_proto)) {
+ case ETH_P_8021Q:
++ if (!pskb_may_pull(skb, VLAN_ETH_HLEN))
++ goto dropped;
++
+ vhdr = (struct vlan_ethhdr *)skb->data;
+
+ if (vhdr->h_vlan_encapsulated_proto != ethertype)
+@@ -372,8 +378,6 @@ void batadv_interface_rx(struct net_devi
+ }
+
+ /* skb->dev & skb->pkt_type are set here */
+- if (unlikely(!pskb_may_pull(skb, ETH_HLEN)))
+- goto dropped;
+ skb->protocol = eth_type_trans(skb, soft_iface);
+
+ /* should not be necessary anymore as we use skb_pull_rcsum()
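Review bot: In the first soft-interface.c hunk, `ethhdr` is taken from `eth_hdr(skb)` before the new `pskb_may_pull(skb, VLAN_ETH_HLEN)` in the `ETH_P_8021Q` case, and a pull may reallocate the skb head and leave that pointer stale. The hunk already re-derives `vhdr` from `skb->data` after the pull. If `ethhdr` is dereferenced again after the switch (the rest of batadv_interface_rx is outside the hunk), it should be refreshed the same way with `ethhdr = eth_hdr(skb);` once the pull has succeeded. The second length check could also carry `unlikely()` to match the first.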
--- /dev/null
+From c4fdb6cff2aa0ae740c5f19b6f745cbbe786d42f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@c0d3.blue>
+Date: Fri, 11 Mar 2016 14:04:49 +0100
+Subject: batman-adv: Fix broadcast/ogm queue limit on a removed interface
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+
+commit c4fdb6cff2aa0ae740c5f19b6f745cbbe786d42f upstream.
+
+When removing a single interface while a broadcast or ogm packet is
+still pending then we will free the forward packet without releasing the
+queue slots again.
+
+This patch is supposed to fix this issue.
+
+Fixes: 6d5808d4ae1b ("batman-adv: Add missing hardif_free_ref in forw_packet_free")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+[sven@narfation.org: fix conflicts with current version]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Antonio Quartulli <a@unstable.cc>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/batman-adv/send.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/batman-adv/send.c
++++ b/net/batman-adv/send.c
+@@ -637,6 +637,12 @@ batadv_purge_outstanding_packets(struct
+
+ if (pending) {
+ hlist_del(&forw_packet->list);
++ if (!forw_packet->own)
++ atomic_inc(&bat_priv->bcast_queue_left);
++
++ if (!forw_packet->own)
++ atomic_inc(&bat_priv->batman_queue_left);
++
+ batadv_forw_packet_free(forw_packet);
+ }
+ }
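Review bot: The two back-to-back `if (!forw_packet->own)` blocks give back a slot in both `bcast_queue_left` and `batman_queue_left` for every purged non-own packet. A forward packet presumably occupied a slot in only one of the two queues, so each purge would push the other counter above its configured limit and loosen the queue bound the counters are meant to enforce. This looks like fixes for two separate purge loops landing in one place, but the enclosing loop starts outside the hunk, so which list is being walked here should be confirmed. Keep only the increment that matches that list, and put the other one in the purge loop for the other list.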
--- /dev/null
+From d1a65f1741bfd9c69f9e4e2ad447a89b6810427d Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 20 Mar 2016 12:27:53 +0100
+Subject: batman-adv: Reduce refcnt of removed router when updating route
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit d1a65f1741bfd9c69f9e4e2ad447a89b6810427d upstream.
+
+_batadv_update_route rcu_derefences orig_ifinfo->router outside of a
+spinlock protected region to print some information messages to the debug
+log. But this pointer is not checked again when the new pointer is assigned
+in the spinlock protected region. Thus is can happen that the value of
+orig_ifinfo->router changed in the meantime and thus the reference counter
+of the wrong router gets reduced after the spinlock protected region.
+
+Just rcu_dereferencing the value of orig_ifinfo->router inside the spinlock
+protected region (which also set the new pointer) is enough to get the
+correct old router object.
+
+Fixes: e1a5382f978b ("batman-adv: Make orig_node->router an rcu protected pointer")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Antonio Quartulli <a@unstable.cc>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/batman-adv/routing.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/batman-adv/routing.c
++++ b/net/batman-adv/routing.c
+@@ -88,6 +88,15 @@ static void _batadv_update_route(struct
+ neigh_node = NULL;
+
+ spin_lock_bh(&orig_node->neigh_list_lock);
++ /* curr_router used earlier may not be the current orig_ifinfo->router
++ * anymore because it was dereferenced outside of the neigh_list_lock
++ * protected region. After the new best neighbor has replace the current
++ * best neighbor the reference counter needs to decrease. Consequently,
++ * the code needs to ensure the curr_router variable contains a pointer
++ * to the replaced best neighbor.
++ */
++ curr_router = rcu_dereference_protected(orig_ifinfo->router, true);
++
+ rcu_assign_pointer(orig_ifinfo->router, neigh_node);
+ spin_unlock_bh(&orig_node->neigh_list_lock);
+ batadv_orig_ifinfo_free_ref(orig_ifinfo);
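Review bot: `rcu_dereference_protected(orig_ifinfo->router, true)` passes a constant `true` as the protection condition, so lockdep cannot verify that the read really happens under `neigh_list_lock`. Since the lock is taken two lines above, the condition can state that directly: `curr_router = rcu_dereference_protected(orig_ifinfo->router, lockdep_is_held(&orig_node->neigh_list_lock));`. That keeps the refcount fix checkable if the locking around _batadv_update_route is later rearranged. The function starts and ends outside the hunk.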
--- /dev/null
+From 6984ab1ab35f422292b7781c65284038bcc0f6a6 Mon Sep 17 00:00:00 2001
+From: Knut Wohlrab <Knut.Wohlrab@de.bosch.com>
+Date: Mon, 25 Apr 2016 14:08:25 -0700
+Subject: Input: zforce_ts - fix dual touch recognition
+
+From: Knut Wohlrab <Knut.Wohlrab@de.bosch.com>
+
+commit 6984ab1ab35f422292b7781c65284038bcc0f6a6 upstream.
+
+A wrong decoding of the touch coordinate message causes a wrong touch
+ID. Touch ID for dual touch must be 0 or 1.
+
+According to the actual Neonode nine byte touch coordinate coding,
+the state is transported in the lower nibble and the touch ID in
+the higher nibble of payload byte five.
+
+Signed-off-by: Knut Wohlrab <Knut.Wohlrab@de.bosch.com>
+Signed-off-by: Oleksij Rempel <linux@rempel-privat.de>
+Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/zforce_ts.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/touchscreen/zforce_ts.c
++++ b/drivers/input/touchscreen/zforce_ts.c
+@@ -350,8 +350,8 @@ static int zforce_touch_event(struct zfo
+ point.coord_x = point.coord_y = 0;
+ }
+
+- point.state = payload[9 * i + 5] & 0x03;
+- point.id = (payload[9 * i + 5] & 0xfc) >> 2;
++ point.state = payload[9 * i + 5] & 0x0f;
++ point.id = (payload[9 * i + 5] & 0xf0) >> 4;
+
+ /* determine touch major, minor and orientation */
+ point.area_major = max(payload[9 * i + 6],
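Review bot: With the new masks, `point.id` can be anything from 0 to 15, while the commit message says a valid dual-touch ID is 0 or 1, and the hunk shows no range check on this device-supplied byte. If `point.id` selects a slot or indexes anything further down in zforce_touch_event (outside the hunk), an out-of-range value from a misbehaving controller should be rejected first, for example `if (point.id > 1) continue;` with a debug message. A short comment such as `/* byte 5: low nibble = state, high nibble = touch id */` would also document the `0x0f` and `0xf0` masks.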
--- /dev/null
+From 8148a73c9901a8794a50f950083c00ccf97d43b3 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Thu, 5 May 2016 16:22:26 -0700
+Subject: proc: prevent accessing /proc/<PID>/environ until it's ready
+
+From: Mathias Krause <minipli@googlemail.com>
+
+commit 8148a73c9901a8794a50f950083c00ccf97d43b3 upstream.
+
+If /proc/<PID>/environ gets read before the envp[] array is fully set up
+in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying to
+read more bytes than are actually written, as env_start will already be
+set but env_end will still be zero, making the range calculation
+underflow, allowing to read beyond the end of what has been written.
+
+Fix this as it is done for /proc/<PID>/cmdline by testing env_end for
+zero. It is, apparently, intentionally set last in create_*_tables().
+
+This bug was found by the PaX size_overflow plugin that detected the
+arithmetic underflow of 'this_len = env_end - (env_start + src)' when
+env_end is still zero.
+
+The expected consequence is that userland trying to access
+/proc/<PID>/environ of a not yet fully set up process may get
+inconsistent data as we're in the middle of copying in the environment
+variables.
+
+Fixes: https://forums.grsecurity.net/viewtopic.php?f=3&t=4363
+Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=116461
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Emese Revfy <re.emese@gmail.com>
+Cc: Pax Team <pageexec@freemail.hu>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Mateusz Guzik <mguzik@redhat.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Cyrill Gorcunov <gorcunov@openvz.org>
+Cc: Jarod Wilson <jarod@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/proc/base.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -844,7 +844,8 @@ static ssize_t environ_read(struct file
+ int ret = 0;
+ struct mm_struct *mm = file->private_data;
+
+- if (!mm)
++ /* Ensure the process spawned far enough to have an environment. */
++ if (!mm || !mm->env_end)
+ return 0;
+
+ page = (char *)__get_free_page(GFP_TEMPORARY);
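Review bot: The added `!mm->env_end` test reads the field once, with no lock visible in this hunk, while the commit message places the underflow in `this_len = env_end - (env_start + src)`, which is further down and outside the hunk. If that later code reads `mm->env_start` and `mm->env_end` again, the values it computes with are not necessarily the ones checked here. Copying both into locals once, under whatever lock protects them, and confirming `env_start < env_end` on the copies would close that gap. It would also cover a non-zero but inconsistent pair, which the current guard lets through.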
clk-versatile-sp810-support-reentrance.patch
lpfc-fix-misleading-indentation.patch
tracing-don-t-display-trigger-file-for-events-that-can-t-be-enabled.patch
+arm-socfpga-fix-secondary-cpu-startup-in-thumb2-kernel.patch
+input-zforce_ts-fix-dual-touch-recognition.patch
+proc-prevent-accessing-proc-pid-environ-until-it-s-ready.patch
+batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch
+batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch
+batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch