From: Greg Kroah-Hartman Date: Mon, 28 Jan 2019 16:20:03 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.9.154~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=34d0bc9e730f4fb55bbff277c44ab7ccadd5029c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: can-bcm-check-timer-values-before-ktime-conversion.patch can-dev-__can_get_echo_skb-fix-bogous-check-for-non-existing-skb-by-removing-it.patch irqchip-gic-v3-its-align-pci-multi-msi-allocation-on-their-size.patch posix-cpu-timers-unbreak-timer-rearming.patch vt-invoke-notifier-on-screen-size-change.patch --- diff --git a/queue-4.14/can-bcm-check-timer-values-before-ktime-conversion.patch b/queue-4.14/can-bcm-check-timer-values-before-ktime-conversion.patch new file mode 100644 index 00000000000..9a32b063a37 --- /dev/null +++ b/queue-4.14/can-bcm-check-timer-values-before-ktime-conversion.patch @@ -0,0 +1,89 @@ +From 93171ba6f1deffd82f381d36cb13177872d023f6 Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Sun, 13 Jan 2019 19:31:43 +0100 +Subject: can: bcm: check timer values before ktime conversion + +From: Oliver Hartkopp + +commit 93171ba6f1deffd82f381d36cb13177872d023f6 upstream. + +Kyungtae Kim detected a potential integer overflow in bcm_[rx|tx]_setup() +when the conversion into ktime multiplies the given value with NSEC_PER_USEC +(1000). + +Reference: https://marc.info/?l=linux-can&m=154732118819828&w=2 + +Add a check for the given tv_usec, so that the value stays below one second. +Additionally limit the tv_sec value to a reasonable value for CAN related +use-cases of 400 days and ensure all values to be positive. + +Reported-by: Kyungtae Kim +Tested-by: Oliver Hartkopp +Signed-off-by: Oliver Hartkopp +Cc: linux-stable # >= 2.6.26 +Tested-by: Kyungtae Kim +Acked-by: Andre Naujoks +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + net/can/bcm.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -67,6 +67,9 @@ + */ + #define MAX_NFRAMES 256 + ++/* limit timers to 400 days for sending/timeouts */ ++#define BCM_TIMER_SEC_MAX (400 * 24 * 60 * 60) ++ + /* use of last_frames[index].flags */ + #define RX_RECV 0x40 /* received data for this element */ + #define RX_THR 0x80 /* element not been sent due to throttle feature */ +@@ -140,6 +143,22 @@ static inline ktime_t bcm_timeval_to_kti + return ktime_set(tv.tv_sec, tv.tv_usec * NSEC_PER_USEC); + } + ++/* check limitations for timeval provided by user */ ++static bool bcm_is_invalid_tv(struct bcm_msg_head *msg_head) ++{ ++ if ((msg_head->ival1.tv_sec < 0) || ++ (msg_head->ival1.tv_sec > BCM_TIMER_SEC_MAX) || ++ (msg_head->ival1.tv_usec < 0) || ++ (msg_head->ival1.tv_usec >= USEC_PER_SEC) || ++ (msg_head->ival2.tv_sec < 0) || ++ (msg_head->ival2.tv_sec > BCM_TIMER_SEC_MAX) || ++ (msg_head->ival2.tv_usec < 0) || ++ (msg_head->ival2.tv_usec >= USEC_PER_SEC)) ++ return true; ++ ++ return false; ++} ++ + #define CFSIZ(flags) ((flags & CAN_FD_FRAME) ? CANFD_MTU : CAN_MTU) + #define OPSIZ sizeof(struct bcm_op) + #define MHSIZ sizeof(struct bcm_msg_head) +@@ -886,6 +905,10 @@ static int bcm_tx_setup(struct bcm_msg_h + if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES) + return -EINVAL; + ++ /* check timeval limitations */ ++ if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head)) ++ return -EINVAL; ++ + /* check the given can_id */ + op = bcm_find_op(&bo->tx_ops, msg_head, ifindex); + if (op) { +@@ -1065,6 +1088,10 @@ static int bcm_rx_setup(struct bcm_msg_h + (!(msg_head->can_id & CAN_RTR_FLAG)))) + return -EINVAL; + ++ /* check timeval limitations */ ++ if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head)) ++ return -EINVAL; ++ + /* check the given can_id */ + op = bcm_find_op(&bo->rx_ops, msg_head, ifindex); + if (op) { diff --git a/queue-4.14/can-dev-__can_get_echo_skb-fix-bogous-check-for-non-existing-skb-by-removing-it.patch b/queue-4.14/can-dev-__can_get_echo_skb-fix-bogous-check-for-non-existing-skb-by-removing-it.patch new file mode 100644 index 00000000000..647a2602eca --- /dev/null +++ b/queue-4.14/can-dev-__can_get_echo_skb-fix-bogous-check-for-non-existing-skb-by-removing-it.patch @@ -0,0 +1,84 @@ +From 7b12c8189a3dc50638e7d53714c88007268d47ef Mon Sep 17 00:00:00 2001 +From: Manfred Schlaegl +Date: Wed, 19 Dec 2018 19:39:58 +0100 +Subject: can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it + +From: Manfred Schlaegl + +commit 7b12c8189a3dc50638e7d53714c88007268d47ef upstream. + +This patch revert commit 7da11ba5c506 +("can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb") + +After introduction of this change we encountered following new error +message on various i.MX plattforms (flexcan): + +| flexcan 53fc8000.can can0: __can_get_echo_skb: BUG! Trying to echo non +| existing skb: can_priv::echo_skb[0] + +The introduction of the message was a mistake because +priv->echo_skb[idx] = NULL is a perfectly valid in following case: If +CAN_RAW_LOOPBACK is disabled (setsockopt) in applications, the pkt_type +of the tx skb's given to can_put_echo_skb is set to PACKET_LOOPBACK. In +this case can_put_echo_skb will not set priv->echo_skb[idx]. It is +therefore kept NULL. + +As additional argument for revert: The order of check and usage of idx +was changed. idx is used to access an array element before checking it's +boundaries. + +Signed-off-by: Manfred Schlaegl +Fixes: 7da11ba5c506 ("can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb") +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/dev.c | 27 +++++++++++++-------------- + 1 file changed, 13 insertions(+), 14 deletions(-) + +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -479,8 +479,6 @@ EXPORT_SYMBOL_GPL(can_put_echo_skb); + struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr) + { + struct can_priv *priv = netdev_priv(dev); +- struct sk_buff *skb = priv->echo_skb[idx]; +- struct canfd_frame *cf; + + if (idx >= priv->echo_skb_max) { + netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n", +@@ -488,20 +486,21 @@ struct sk_buff *__can_get_echo_skb(struc + return NULL; + } + +- if (!skb) { +- netdev_err(dev, "%s: BUG! Trying to echo non existing skb: can_priv::echo_skb[%u]\n", +- __func__, idx); +- return NULL; +- } ++ if (priv->echo_skb[idx]) { ++ /* Using "struct canfd_frame::len" for the frame ++ * length is supported on both CAN and CANFD frames. ++ */ ++ struct sk_buff *skb = priv->echo_skb[idx]; ++ struct canfd_frame *cf = (struct canfd_frame *)skb->data; ++ u8 len = cf->len; + +- /* Using "struct canfd_frame::len" for the frame +- * length is supported on both CAN and CANFD frames. +- */ +- cf = (struct canfd_frame *)skb->data; +- *len_ptr = cf->len; +- priv->echo_skb[idx] = NULL; ++ *len_ptr = len; ++ priv->echo_skb[idx] = NULL; ++ ++ return skb; ++ } + +- return skb; ++ return NULL; + } + + /* diff --git a/queue-4.14/irqchip-gic-v3-its-align-pci-multi-msi-allocation-on-their-size.patch b/queue-4.14/irqchip-gic-v3-its-align-pci-multi-msi-allocation-on-their-size.patch new file mode 100644 index 00000000000..592b1d851a6 --- /dev/null +++ b/queue-4.14/irqchip-gic-v3-its-align-pci-multi-msi-allocation-on-their-size.patch @@ -0,0 +1,83 @@ +From 8208d1708b88b412ca97f50a6d951242c88cbbac Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Fri, 18 Jan 2019 14:08:59 +0000 +Subject: irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size + +From: Marc Zyngier + +commit 8208d1708b88b412ca97f50a6d951242c88cbbac upstream. + +The way we allocate events works fine in most cases, except +when multiple PCI devices share an ITS-visible DevID, and that +one of them is trying to use MultiMSI allocation. + +In that case, our allocation is not guaranteed to be zero-based +anymore, and we have to make sure we allocate it on a boundary +that is compatible with the PCI Multi-MSI constraints. + +Fix this by allocating the full region upfront instead of iterating +over the number of MSIs. MSI-X are always allocated one by one, +so this shouldn't change anything on that front. + +Fixes: b48ac83d6bbc2 ("irqchip: GICv3: ITS: MSI support") +Cc: stable@vger.kernel.org +Reported-by: Ard Biesheuvel +Tested-by: Ard Biesheuvel +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-gic-v3-its.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -2086,13 +2086,14 @@ static void its_free_device(struct its_d + kfree(its_dev); + } + +-static int its_alloc_device_irq(struct its_device *dev, irq_hw_number_t *hwirq) ++static int its_alloc_device_irq(struct its_device *dev, int nvecs, irq_hw_number_t *hwirq) + { + int idx; + +- idx = find_first_zero_bit(dev->event_map.lpi_map, +- dev->event_map.nr_lpis); +- if (idx == dev->event_map.nr_lpis) ++ idx = bitmap_find_free_region(dev->event_map.lpi_map, ++ dev->event_map.nr_lpis, ++ get_count_order(nvecs)); ++ if (idx < 0) + return -ENOSPC; + + *hwirq = dev->event_map.lpi_base + idx; +@@ -2188,21 +2189,21 @@ static int its_irq_domain_alloc(struct i + int err; + int i; + +- for (i = 0; i < nr_irqs; i++) { +- err = its_alloc_device_irq(its_dev, &hwirq); +- if (err) +- return err; ++ err = its_alloc_device_irq(its_dev, nr_irqs, &hwirq); ++ if (err) ++ return err; + +- err = its_irq_gic_domain_alloc(domain, virq + i, hwirq); ++ for (i = 0; i < nr_irqs; i++) { ++ err = its_irq_gic_domain_alloc(domain, virq + i, hwirq + i); + if (err) + return err; + + irq_domain_set_hwirq_and_chip(domain, virq + i, +- hwirq, &its_irq_chip, its_dev); ++ hwirq + i, &its_irq_chip, its_dev); + irqd_set_single_target(irq_desc_get_irq_data(irq_to_desc(virq + i))); + pr_debug("ID:%d pID:%d vID:%d\n", +- (int)(hwirq - its_dev->event_map.lpi_base), +- (int) hwirq, virq + i); ++ (int)(hwirq + i - its_dev->event_map.lpi_base), ++ (int)(hwirq + i), virq + i); + } + + return 0; diff --git a/queue-4.14/posix-cpu-timers-unbreak-timer-rearming.patch b/queue-4.14/posix-cpu-timers-unbreak-timer-rearming.patch new file mode 100644 index 00000000000..a09fd72dd75 --- /dev/null +++ b/queue-4.14/posix-cpu-timers-unbreak-timer-rearming.patch @@ -0,0 +1,52 @@ +From 93ad0fc088c5b4631f796c995bdd27a082ef33a6 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Fri, 11 Jan 2019 14:33:16 +0100 +Subject: posix-cpu-timers: Unbreak timer rearming + +From: Thomas Gleixner + +commit 93ad0fc088c5b4631f796c995bdd27a082ef33a6 upstream. + +The recent commit which prevented a division by 0 issue in the alarm timer +code broke posix CPU timers as an unwanted side effect. + +The reason is that the common rearm code checks for timer->it_interval +being 0 now. What went unnoticed is that the posix cpu timer setup does not +initialize timer->it_interval as it stores the interval in CPU timer +specific storage. The reason for the separate storage is historical as the +posix CPU timers always had a 64bit nanoseconds representation internally +while timer->it_interval is type ktime_t which used to be a modified +timespec representation on 32bit machines. + +Instead of reverting the offending commit and fixing the alarmtimer issue +in the alarmtimer code, store the interval in timer->it_interval at CPU +timer setup time so the common code check works. This also repairs the +existing inconistency of the posix CPU timer code which kept a single shot +timer armed despite of the interval being 0. + +The separate storage can be removed in mainline, but that needs to be a +separate commit as the current one has to be backported to stable kernels. + +Fixes: 0e334db6bb4b ("posix-timers: Fix division by zero bug") +Reported-by: H.J. Lu +Signed-off-by: Thomas Gleixner +Cc: John Stultz +Cc: Peter Zijlstra +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20190111133500.840117406@linutronix.de +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/posix-cpu-timers.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/time/posix-cpu-timers.c ++++ b/kernel/time/posix-cpu-timers.c +@@ -685,6 +685,7 @@ static int posix_cpu_timer_set(struct k_ + * set up the signal and overrun bookkeeping. + */ + timer->it.cpu.incr = timespec64_to_ns(&new->it_interval); ++ timer->it_interval = ns_to_ktime(timer->it.cpu.incr); + + /* + * This acts as a modification timestamp for the timer, diff --git a/queue-4.14/series b/queue-4.14/series index c60f2844e1e..2052ca27afc 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -42,3 +42,8 @@ kvm-x86-fix-single-step-debugging.patch x86-pkeys-properly-copy-pkey-state-at-fork.patch x86-selftests-pkeys-fork-to-check-for-state-being-preserved.patch x86-kaslr-fix-incorrect-i8254-outb-parameters.patch +posix-cpu-timers-unbreak-timer-rearming.patch +irqchip-gic-v3-its-align-pci-multi-msi-allocation-on-their-size.patch +can-dev-__can_get_echo_skb-fix-bogous-check-for-non-existing-skb-by-removing-it.patch +can-bcm-check-timer-values-before-ktime-conversion.patch +vt-invoke-notifier-on-screen-size-change.patch diff --git a/queue-4.14/vt-invoke-notifier-on-screen-size-change.patch b/queue-4.14/vt-invoke-notifier-on-screen-size-change.patch new file mode 100644 index 00000000000..bb11b49f95b --- /dev/null +++ b/queue-4.14/vt-invoke-notifier-on-screen-size-change.patch @@ -0,0 +1,30 @@ +From 0c9b1965faddad7534b6974b5b36c4ad37998f8e Mon Sep 17 00:00:00 2001 +From: Nicolas Pitre +Date: Tue, 8 Jan 2019 22:55:01 -0500 +Subject: vt: invoke notifier on screen size change + +From: Nicolas Pitre + +commit 0c9b1965faddad7534b6974b5b36c4ad37998f8e upstream. + +User space using poll() on /dev/vcs devices are not awaken when a +screen size change occurs. Let's fix that. + +Signed-off-by: Nicolas Pitre +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -953,6 +953,7 @@ static int vc_do_resize(struct tty_struc + if (con_is_visible(vc)) + update_screen(vc); + vt_event_post(VT_EVENT_RESIZE, vc->vc_num, vc->vc_num); ++ notify_update(vc); + return err; + } +