--- /dev/null
+From 811d61e384e24759372bb3f01772f3744b0a8327 Mon Sep 17 00:00:00 2001
+From: James Morse <james.morse@arm.com>
+Date: Tue, 2 Feb 2016 15:53:59 +0000
+Subject: arm64: futex.h: Add missing PAN toggling
+
+From: James Morse <james.morse@arm.com>
+
+commit 811d61e384e24759372bb3f01772f3744b0a8327 upstream.
+
+futex.h's futex_atomic_cmpxchg_inatomic() does not use the
+__futex_atomic_op() macro and needs its own PAN toggling. This was missed
+when the feature was implemented.
+
+Fixes: 338d4f49d6f ("arm64: kernel: Add support for Privileged Access Never")
+Signed-off-by: James Morse <james.morse@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Cc: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/futex.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/include/asm/futex.h
++++ b/arch/arm64/include/asm/futex.h
+@@ -121,6 +121,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval,
+ return -EFAULT;
+
+ asm volatile("// futex_atomic_cmpxchg_inatomic\n"
++ALTERNATIVE("nop", SET_PSTATE_PAN(0), ARM64_HAS_PAN, CONFIG_ARM64_PAN)
+ " prfm pstl1strm, %2\n"
+ "1: ldxr %w1, %2\n"
+ " sub %w3, %w1, %w4\n"
+@@ -137,6 +138,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval,
+ " .align 3\n"
+ " .quad 1b, 4b, 2b, 4b\n"
+ " .popsection\n"
++ALTERNATIVE("nop", SET_PSTATE_PAN(1), ARM64_HAS_PAN, CONFIG_ARM64_PAN)
+ : "+r" (ret), "=&r" (val), "+Q" (*uaddr), "=&r" (tmp)
+ : "r" (oldval), "r" (newval), "Ir" (-EFAULT)
+ : "memory");
--- /dev/null
+From b67d0dd7d0dc9e456825447bbeb935d8ef43ea7c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=EC=B6=94=EC=A7=80=ED=98=B8?= <jiho.chu@samsung.com>
+Date: Thu, 8 Dec 2016 12:01:13 +0000
+Subject: can: peak: fix bad memory access and free sequence
+
+From: 추지호 <jiho.chu@samsung.com>
+
+commit b67d0dd7d0dc9e456825447bbeb935d8ef43ea7c upstream.
+
+Fix for bad memory access while disconnecting. netdev is freed before
+private data free, and dev is accessed after freeing netdev.
+
+This makes a slub problem, and it raise kernel oops with slub debugger
+config.
+
+Signed-off-by: Jiho Chu <jiho.chu@samsung.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_core.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -872,23 +872,25 @@ lbl_free_candev:
+ static void peak_usb_disconnect(struct usb_interface *intf)
+ {
+ struct peak_usb_device *dev;
++ struct peak_usb_device *dev_prev_siblings;
+
+ /* unregister as many netdev devices as siblings */
+- for (dev = usb_get_intfdata(intf); dev; dev = dev->prev_siblings) {
++ for (dev = usb_get_intfdata(intf); dev; dev = dev_prev_siblings) {
+ struct net_device *netdev = dev->netdev;
+ char name[IFNAMSIZ];
+
++ dev_prev_siblings = dev->prev_siblings;
+ dev->state &= ~PCAN_USB_STATE_CONNECTED;
+ strncpy(name, netdev->name, IFNAMSIZ);
+
+ unregister_netdev(netdev);
+- free_candev(netdev);
+
+ kfree(dev->cmd_buf);
+ dev->next_siblings = NULL;
+ if (dev->adapter->dev_free)
+ dev->adapter->dev_free(dev);
+
++ free_candev(netdev);
+ dev_info(&intf->dev, "%s removed\n", name);
+ }
+
--- /dev/null
+From 332b05ca7a438f857c61a3c21a88489a21532364 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Mon, 5 Dec 2016 11:44:23 +0100
+Subject: can: raw: raw_setsockopt: limit number of can_filter that can be set
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 332b05ca7a438f857c61a3c21a88489a21532364 upstream.
+
+This patch adds a check to limit the number of can_filters that can be
+set via setsockopt on CAN_RAW sockets. Otherwise allocations > MAX_ORDER
+are not prevented resulting in a warning.
+
+Reference: https://lkml.org/lkml/2016/12/2/230
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/uapi/linux/can.h | 1 +
+ net/can/raw.c | 3 +++
+ 2 files changed, 4 insertions(+)
+
+--- a/include/uapi/linux/can.h
++++ b/include/uapi/linux/can.h
+@@ -196,5 +196,6 @@ struct can_filter {
+ };
+
+ #define CAN_INV_FILTER 0x20000000U /* to be set in can_filter.can_id */
++#define CAN_RAW_FILTER_MAX 512 /* maximum number of can_filter set via setsockopt() */
+
+ #endif /* !_UAPI_CAN_H */
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -499,6 +499,9 @@ static int raw_setsockopt(struct socket
+ if (optlen % sizeof(struct can_filter) != 0)
+ return -EINVAL;
+
++ if (optlen > CAN_RAW_FILTER_MAX * sizeof(struct can_filter))
++ return -EINVAL;
++
+ count = optlen / sizeof(struct can_filter);
+
+ if (count > 1) {
--- /dev/null
+From 48a992727d82cb7db076fa15d372178743b1f4cd Mon Sep 17 00:00:00 2001
+From: tim <tim.c.chen@linux.intel.com>
+Date: Mon, 5 Dec 2016 11:46:31 -0800
+Subject: crypto: mcryptd - Check mcryptd algorithm compatibility
+
+From: tim <tim.c.chen@linux.intel.com>
+
+commit 48a992727d82cb7db076fa15d372178743b1f4cd upstream.
+
+Algorithms not compatible with mcryptd could be spawned by mcryptd
+with a direct crypto_alloc_tfm invocation using a "mcryptd(alg)" name
+construct. This causes mcryptd to crash the kernel if an arbitrary
+"alg" is incompatible and not intended to be used with mcryptd. It is
+an issue if AF_ALG tries to spawn mcryptd(alg) to expose it externally.
+But such algorithms must be used internally and not be exposed.
+
+We added a check to enforce that only internal algorithms are allowed
+with mcryptd at the time mcryptd is spawning an algorithm.
+
+Link: http://marc.info/?l=linux-crypto-vger&m=148063683310477&w=2
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/mcryptd.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/crypto/mcryptd.c
++++ b/crypto/mcryptd.c
+@@ -258,18 +258,22 @@ out_free_inst:
+ goto out;
+ }
+
+-static inline void mcryptd_check_internal(struct rtattr **tb, u32 *type,
++static inline bool mcryptd_check_internal(struct rtattr **tb, u32 *type,
+ u32 *mask)
+ {
+ struct crypto_attr_type *algt;
+
+ algt = crypto_get_attr_type(tb);
+ if (IS_ERR(algt))
+- return;
+- if ((algt->type & CRYPTO_ALG_INTERNAL))
+- *type |= CRYPTO_ALG_INTERNAL;
+- if ((algt->mask & CRYPTO_ALG_INTERNAL))
+- *mask |= CRYPTO_ALG_INTERNAL;
++ return false;
++
++ *type |= algt->type & CRYPTO_ALG_INTERNAL;
++ *mask |= algt->mask & CRYPTO_ALG_INTERNAL;
++
++ if (*type & *mask & CRYPTO_ALG_INTERNAL)
++ return true;
++ else
++ return false;
+ }
+
+ static int mcryptd_hash_init_tfm(struct crypto_tfm *tfm)
+@@ -498,7 +502,8 @@ static int mcryptd_create_hash(struct cr
+ u32 mask = 0;
+ int err;
+
+- mcryptd_check_internal(tb, &type, &mask);
++ if (!mcryptd_check_internal(tb, &type, &mask))
++ return -EINVAL;
+
+ salg = shash_attr_alg(tb[1], type, mask);
+ if (IS_ERR(salg))
locking-rtmutex-prevent-dequeue-vs.-unlock-race.patch
locking-rtmutex-use-read_once-in-rt_mutex_owner.patch
perf-x86-fix-full-width-counter-counter-overflow.patch
+crypto-mcryptd-check-mcryptd-algorithm-compatibility.patch
+can-raw-raw_setsockopt-limit-number-of-can_filter-that-can-be-set.patch
+can-peak-fix-bad-memory-access-and-free-sequence.patch
+arm64-futex.h-add-missing-pan-toggling.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
