6.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Dec 2022 10:05:54 +0000 (11:05 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Dec 2022 10:05:54 +0000 (11:05 +0100)
added patches:
arm-9278-1-kfence-only-handle-translation-faults.patch
can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch

queue-6.0/arm-9278-1-kfence-only-handle-translation-faults.patch [new file with mode: 0644]
queue-6.0/can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch [new file with mode: 0644]
queue-6.0/series

diff --git a/queue-6.0/arm-9278-1-kfence-only-handle-translation-faults.patch b/queue-6.0/arm-9278-1-kfence-only-handle-translation-faults.patch
new file mode 100644 (file)
index 0000000..653e395
--- /dev/null
@@ -0,0 +1,90 @@
+From 73a0b6ee5d6269f92df43e1d09b3278a2886bf8a Mon Sep 17 00:00:00 2001
+From: Wang Kefeng <wangkefeng.wang@huawei.com>
+Date: Sun, 4 Dec 2022 04:46:20 +0100
+Subject: ARM: 9278/1: kfence: only handle translation faults
+
+From: Wang Kefeng <wangkefeng.wang@huawei.com>
+
+commit 73a0b6ee5d6269f92df43e1d09b3278a2886bf8a upstream.
+
+This is a similar fixup like arm64 does, only handle translation faults
+in case of unexpected kfence report when alignment faults on ARM, see
+more from commit 0bb1fbffc631 ("arm64: mm: kfence: only handle translation
+faults").
+
+Fixes: 75969686ec0d ("ARM: 9166/1: Support KFENCE for ARM")
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mm/fault.c |   18 ++++++++++++++++--
+ arch/arm/mm/fault.h |    9 ++++++---
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+
+--- a/arch/arm/mm/fault.c
++++ b/arch/arm/mm/fault.c
+@@ -105,6 +105,19 @@ static inline bool is_write_fault(unsign
+       return (fsr & FSR_WRITE) && !(fsr & FSR_CM);
+ }
++static inline bool is_translation_fault(unsigned int fsr)
++{
++      int fs = fsr_fs(fsr);
++#ifdef CONFIG_ARM_LPAE
++      if ((fs & FS_MMU_NOLL_MASK) == FS_TRANS_NOLL)
++              return true;
++#else
++      if (fs == FS_L1_TRANS || fs == FS_L2_TRANS)
++              return true;
++#endif
++      return false;
++}
++
+ static void die_kernel_fault(const char *msg, struct mm_struct *mm,
+                            unsigned long addr, unsigned int fsr,
+                            struct pt_regs *regs)
+@@ -140,7 +153,8 @@ __do_kernel_fault(struct mm_struct *mm,
+       if (addr < PAGE_SIZE) {
+               msg = "NULL pointer dereference";
+       } else {
+-              if (kfence_handle_page_fault(addr, is_write_fault(fsr), regs))
++              if (is_translation_fault(fsr) &&
++                  kfence_handle_page_fault(addr, is_write_fault(fsr), regs))
+                       return;
+               msg = "paging request";
+@@ -208,7 +222,7 @@ static inline bool is_permission_fault(u
+ {
+       int fs = fsr_fs(fsr);
+ #ifdef CONFIG_ARM_LPAE
+-      if ((fs & FS_PERM_NOLL_MASK) == FS_PERM_NOLL)
++      if ((fs & FS_MMU_NOLL_MASK) == FS_PERM_NOLL)
+               return true;
+ #else
+       if (fs == FS_L1_PERM || fs == FS_L2_PERM)
+--- a/arch/arm/mm/fault.h
++++ b/arch/arm/mm/fault.h
+@@ -14,8 +14,9 @@
+ #ifdef CONFIG_ARM_LPAE
+ #define FSR_FS_AEA            17
++#define FS_TRANS_NOLL         0x4
+ #define FS_PERM_NOLL          0xC
+-#define FS_PERM_NOLL_MASK     0x3C
++#define FS_MMU_NOLL_MASK      0x3C
+ static inline int fsr_fs(unsigned int fsr)
+ {
+@@ -23,8 +24,10 @@ static inline int fsr_fs(unsigned int fs
+ }
+ #else
+ #define FSR_FS_AEA            22
+-#define FS_L1_PERM             0xD
+-#define FS_L2_PERM             0xF
++#define FS_L1_TRANS           0x5
++#define FS_L2_TRANS           0x7
++#define FS_L1_PERM            0xD
++#define FS_L2_PERM            0xF
+ static inline int fsr_fs(unsigned int fsr)
+ {
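Review bot: The new gate in __do_kernel_fault, `if (is_translation_fault(fsr) && kfence_handle_page_fault(...))`, carries no comment saying why non-translation faults are now kept away from KFENCE, so a later reader may see it as an arbitrary narrowing; a one-line comment above it such as `/* only a translation fault can come from a KFENCE guard page; alignment faults at such an address were misreported as KFENCE errors */` would record the reason the commit message gives. The same applies to the new is_translation_fault() helper, which mirrors is_permission_fault() and could state in a comment that the LPAE branch masks the level bits of the fault status while the short-descriptor branch matches the section and page translation codes exactly. In fault.h the rename of FS_PERM_NOLL_MASK to FS_MMU_NOLL_MASK is safe only if no other translation unit references the old name, which this hunk alone cannot show. __do_kernel_fault, is_permission_fault and both fsr_fs definitions start or end outside the hunk.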
diff --git a/queue-6.0/can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch b/queue-6.0/can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch
new file mode 100644 (file)
index 0000000..6c63d69
--- /dev/null
@@ -0,0 +1,50 @@
+From 0acc442309a0a1b01bcdaa135e56e6398a49439c Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Tue, 6 Dec 2022 21:12:59 +0100
+Subject: can: af_can: fix NULL pointer dereference in can_rcv_filter
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 0acc442309a0a1b01bcdaa135e56e6398a49439c upstream.
+
+Analogue to commit 8aa59e355949 ("can: af_can: fix NULL pointer
+dereference in can_rx_register()") we need to check for a missing
+initialization of ml_priv in the receive path of CAN frames.
+
+Since commit 4e096a18867a ("net: introduce CAN specific pointer in the
+struct net_device") the check for dev->type to be ARPHRD_CAN is not
+sufficient anymore since bonding or tun netdevices claim to be CAN
+devices but do not initialize ml_priv accordingly.
+
+Fixes: 4e096a18867a ("net: introduce CAN specific pointer in the struct net_device")
+Reported-by: syzbot+2d7f58292cb5b29eb5ad@syzkaller.appspotmail.com
+Reported-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://lore.kernel.org/all/20221206201259.3028-1-socketcan@hartkopp.net
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/af_can.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/can/af_can.c
++++ b/net/can/af_can.c
+@@ -680,7 +680,7 @@ static int can_rcv(struct sk_buff *skb,
+ {
+       struct canfd_frame *cfd = (struct canfd_frame *)skb->data;
+-      if (unlikely(dev->type != ARPHRD_CAN || skb->len != CAN_MTU)) {
++      if (unlikely(dev->type != ARPHRD_CAN || !can_get_ml_priv(dev) || skb->len != CAN_MTU)) {
+               pr_warn_once("PF_CAN: dropped non conform CAN skbuff: dev type %d, len %d\n",
+                            dev->type, skb->len);
+               goto free_skb;
+@@ -706,7 +706,7 @@ static int canfd_rcv(struct sk_buff *skb
+ {
+       struct canfd_frame *cfd = (struct canfd_frame *)skb->data;
+-      if (unlikely(dev->type != ARPHRD_CAN || skb->len != CANFD_MTU)) {
++      if (unlikely(dev->type != ARPHRD_CAN || !can_get_ml_priv(dev) || skb->len != CANFD_MTU)) {
+               pr_warn_once("PF_CAN: dropped non conform CAN FD skbuff: dev type %d, len %d\n",
+                            dev->type, skb->len);
+               goto free_skb;
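Review bot: The added `!can_get_ml_priv(dev)` test in can_rcv shares the existing pr_warn_once message, which only prints dev->type and skb->len; when the drop is caused by a missing ml_priv both of those values look valid, so the log line will not explain the drop. Either a separate warning for that case or a comment above the condition such as `/* bonding/tun devices advertise ARPHRD_CAN but never initialise ml_priv */` would make the reason visible; the canfd_rcv change in the same hunk has the identical issue. Both can_rcv and canfd_rcv begin and end outside the hunk.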
index efc2541fabed6108278650536cdb8e6ab6ff4c96..1f342552cc45929005751646f1b221f9747e890d 100644 (file)
@@ -82,3 +82,5 @@ hid-uclogic-add-hid_quirk_hidinput_force-quirk.patch
 hid-hid-lg4ff-add-check-for-empty-lbuf.patch
 hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
 hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch
+arm-9278-1-kfence-only-handle-translation-faults.patch
+can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch