--- /dev/null
+From 93171ba6f1deffd82f381d36cb13177872d023f6 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Sun, 13 Jan 2019 19:31:43 +0100
+Subject: can: bcm: check timer values before ktime conversion
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 93171ba6f1deffd82f381d36cb13177872d023f6 upstream.
+
+Kyungtae Kim detected a potential integer overflow in bcm_[rx|tx]_setup()
+when the conversion into ktime multiplies the given value with NSEC_PER_USEC
+(1000).
+
+Reference: https://marc.info/?l=linux-can&m=154732118819828&w=2
+
+Add a check for the given tv_usec, so that the value stays below one second.
+Additionally limit the tv_sec value to a reasonable value for CAN related
+use-cases of 400 days and ensure all values to be positive.
+
+Reported-by: Kyungtae Kim <kt0755@gmail.com>
+Tested-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Cc: linux-stable <stable@vger.kernel.org> # >= 2.6.26
+Tested-by: Kyungtae Kim <kt0755@gmail.com>
+Acked-by: Andre Naujoks <nautsch2@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/can/bcm.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -67,6 +67,9 @@
+ */
+ #define MAX_NFRAMES 256
+
++/* limit timers to 400 days for sending/timeouts */
++#define BCM_TIMER_SEC_MAX (400 * 24 * 60 * 60)
++
+ /* use of last_frames[index].flags */
+ #define RX_RECV 0x40 /* received data for this element */
+ #define RX_THR 0x80 /* element not been sent due to throttle feature */
+@@ -142,6 +145,22 @@ static inline ktime_t bcm_timeval_to_kti
+ return ktime_set(tv.tv_sec, tv.tv_usec * NSEC_PER_USEC);
+ }
+
++/* check limitations for timeval provided by user */
++static bool bcm_is_invalid_tv(struct bcm_msg_head *msg_head)
++{
++ if ((msg_head->ival1.tv_sec < 0) ||
++ (msg_head->ival1.tv_sec > BCM_TIMER_SEC_MAX) ||
++ (msg_head->ival1.tv_usec < 0) ||
++ (msg_head->ival1.tv_usec >= USEC_PER_SEC) ||
++ (msg_head->ival2.tv_sec < 0) ||
++ (msg_head->ival2.tv_sec > BCM_TIMER_SEC_MAX) ||
++ (msg_head->ival2.tv_usec < 0) ||
++ (msg_head->ival2.tv_usec >= USEC_PER_SEC))
++ return true;
++
++ return false;
++}
++
+ #define CFSIZ(flags) ((flags & CAN_FD_FRAME) ? CANFD_MTU : CAN_MTU)
+ #define OPSIZ sizeof(struct bcm_op)
+ #define MHSIZ sizeof(struct bcm_msg_head)
+@@ -884,6 +903,10 @@ static int bcm_tx_setup(struct bcm_msg_h
+ if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES)
+ return -EINVAL;
+
++ /* check timeval limitations */
++ if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head))
++ return -EINVAL;
++
+ /* check the given can_id */
+ op = bcm_find_op(&bo->tx_ops, msg_head, ifindex);
+ if (op) {
+@@ -1063,6 +1086,10 @@ static int bcm_rx_setup(struct bcm_msg_h
+ (!(msg_head->can_id & CAN_RTR_FLAG))))
+ return -EINVAL;
+
++ /* check timeval limitations */
++ if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head))
++ return -EINVAL;
++
+ /* check the given can_id */
+ op = bcm_find_op(&bo->rx_ops, msg_head, ifindex);
+ if (op) {
--- /dev/null
+From 7b12c8189a3dc50638e7d53714c88007268d47ef Mon Sep 17 00:00:00 2001
+From: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
+Date: Wed, 19 Dec 2018 19:39:58 +0100
+Subject: can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it
+
+From: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
+
+commit 7b12c8189a3dc50638e7d53714c88007268d47ef upstream.
+
+This patch revert commit 7da11ba5c506
+("can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb")
+
+After introduction of this change we encountered following new error
+message on various i.MX plattforms (flexcan):
+
+| flexcan 53fc8000.can can0: __can_get_echo_skb: BUG! Trying to echo non
+| existing skb: can_priv::echo_skb[0]
+
+The introduction of the message was a mistake because
+priv->echo_skb[idx] = NULL is a perfectly valid in following case: If
+CAN_RAW_LOOPBACK is disabled (setsockopt) in applications, the pkt_type
+of the tx skb's given to can_put_echo_skb is set to PACKET_LOOPBACK. In
+this case can_put_echo_skb will not set priv->echo_skb[idx]. It is
+therefore kept NULL.
+
+As additional argument for revert: The order of check and usage of idx
+was changed. idx is used to access an array element before checking it's
+boundaries.
+
+Signed-off-by: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
+Fixes: 7da11ba5c506 ("can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb")
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -456,8 +456,6 @@ EXPORT_SYMBOL_GPL(can_put_echo_skb);
+ struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr)
+ {
+ struct can_priv *priv = netdev_priv(dev);
+- struct sk_buff *skb = priv->echo_skb[idx];
+- struct canfd_frame *cf;
+
+ if (idx >= priv->echo_skb_max) {
+ netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n",
+@@ -465,20 +463,21 @@ struct sk_buff *__can_get_echo_skb(struc
+ return NULL;
+ }
+
+- if (!skb) {
+- netdev_err(dev, "%s: BUG! Trying to echo non existing skb: can_priv::echo_skb[%u]\n",
+- __func__, idx);
+- return NULL;
+- }
++ if (priv->echo_skb[idx]) {
++ /* Using "struct canfd_frame::len" for the frame
++ * length is supported on both CAN and CANFD frames.
++ */
++ struct sk_buff *skb = priv->echo_skb[idx];
++ struct canfd_frame *cf = (struct canfd_frame *)skb->data;
++ u8 len = cf->len;
+
+- /* Using "struct canfd_frame::len" for the frame
+- * length is supported on both CAN and CANFD frames.
+- */
+- cf = (struct canfd_frame *)skb->data;
+- *len_ptr = cf->len;
+- priv->echo_skb[idx] = NULL;
++ *len_ptr = len;
++ priv->echo_skb[idx] = NULL;
++
++ return skb;
++ }
+
+- return skb;
++ return NULL;
+ }
+
+ /*
kvm-x86-fix-single-step-debugging.patch
x86-selftests-pkeys-fork-to-check-for-state-being-preserved.patch
x86-kaslr-fix-incorrect-i8254-outb-parameters.patch
+can-dev-__can_get_echo_skb-fix-bogous-check-for-non-existing-skb-by-removing-it.patch
+can-bcm-check-timer-values-before-ktime-conversion.patch
+vt-invoke-notifier-on-screen-size-change.patch
--- /dev/null
+From 0c9b1965faddad7534b6974b5b36c4ad37998f8e Mon Sep 17 00:00:00 2001
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+Date: Tue, 8 Jan 2019 22:55:01 -0500
+Subject: vt: invoke notifier on screen size change
+
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+
+commit 0c9b1965faddad7534b6974b5b36c4ad37998f8e upstream.
+
+User space using poll() on /dev/vcs devices are not awaken when a
+screen size change occurs. Let's fix that.
+
+Signed-off-by: Nicolas Pitre <nico@linaro.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/vt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -956,6 +956,7 @@ static int vc_do_resize(struct tty_struc
+ if (con_is_visible(vc))
+ update_screen(vc);
+ vt_event_post(VT_EVENT_RESIZE, vc->vc_num, vc->vc_num);
++ notify_update(vc);
+ return err;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
