From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 13 Dec 2016 00:53:03 +0000 (-0800)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.39~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9e60b527225e1a72f7925a9f5dccab1cf2bf963c;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	arm64-futex.h-add-missing-pan-toggling.patch
	can-peak-fix-bad-memory-access-and-free-sequence.patch
	can-raw-raw_setsockopt-limit-number-of-can_filter-that-can-be-set.patch
	crypto-mcryptd-check-mcryptd-algorithm-compatibility.patch
---

diff --git a/queue-4.4/arm64-futex.h-add-missing-pan-toggling.patch b/queue-4.4/arm64-futex.h-add-missing-pan-toggling.patch
new file mode 100644
index 00000000000..9209533fe3c
--- /dev/null
+++ b/queue-4.4/arm64-futex.h-add-missing-pan-toggling.patch
@@ -0,0 +1,41 @@
+From 811d61e384e24759372bb3f01772f3744b0a8327 Mon Sep 17 00:00:00 2001
+From: James Morse <james.morse@arm.com>
+Date: Tue, 2 Feb 2016 15:53:59 +0000
+Subject: arm64: futex.h: Add missing PAN toggling
+
+From: James Morse <james.morse@arm.com>
+
+commit 811d61e384e24759372bb3f01772f3744b0a8327 upstream.
+
+futex.h's futex_atomic_cmpxchg_inatomic() does not use the
+__futex_atomic_op() macro and needs its own PAN toggling. This was missed
+when the feature was implemented.
+
+Fixes: 338d4f49d6f ("arm64: kernel: Add support for Privileged Access Never")
+Signed-off-by: James Morse <james.morse@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Cc: Mian Yousaf Kaukab <yousaf.kaukab@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/futex.h |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/include/asm/futex.h
++++ b/arch/arm64/include/asm/futex.h
+@@ -121,6 +121,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval,
+ 		return -EFAULT;
+ 
+ 	asm volatile("// futex_atomic_cmpxchg_inatomic\n"
++ALTERNATIVE("nop", SET_PSTATE_PAN(0), ARM64_HAS_PAN, CONFIG_ARM64_PAN)
+ "	prfm	pstl1strm, %2\n"
+ "1:	ldxr	%w1, %2\n"
+ "	sub	%w3, %w1, %w4\n"
+@@ -137,6 +138,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval,
+ "	.align	3\n"
+ "	.quad	1b, 4b, 2b, 4b\n"
+ "	.popsection\n"
++ALTERNATIVE("nop", SET_PSTATE_PAN(1), ARM64_HAS_PAN, CONFIG_ARM64_PAN)
+ 	: "+r" (ret), "=&r" (val), "+Q" (*uaddr), "=&r" (tmp)
+ 	: "r" (oldval), "r" (newval), "Ir" (-EFAULT)
+ 	: "memory");
diff --git a/queue-4.4/can-peak-fix-bad-memory-access-and-free-sequence.patch b/queue-4.4/can-peak-fix-bad-memory-access-and-free-sequence.patch
new file mode 100644
index 00000000000..bc15699b6ad
--- /dev/null
+++ b/queue-4.4/can-peak-fix-bad-memory-access-and-free-sequence.patch
@@ -0,0 +1,53 @@
+From b67d0dd7d0dc9e456825447bbeb935d8ef43ea7c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=EC=B6=94=EC=A7=80=ED=98=B8?= <jiho.chu@samsung.com>
+Date: Thu, 8 Dec 2016 12:01:13 +0000
+Subject: can: peak: fix bad memory access and free sequence
+
+From: 추지호 <jiho.chu@samsung.com>
+
+commit b67d0dd7d0dc9e456825447bbeb935d8ef43ea7c upstream.
+
+Fix for bad memory access while disconnecting. netdev is freed before
+private data free, and dev is accessed after freeing netdev.
+
+This makes a slub problem, and it raise kernel oops with slub debugger
+config.
+
+Signed-off-by: Jiho Chu <jiho.chu@samsung.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_core.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -872,23 +872,25 @@ lbl_free_candev:
+ static void peak_usb_disconnect(struct usb_interface *intf)
+ {
+ 	struct peak_usb_device *dev;
++	struct peak_usb_device *dev_prev_siblings;
+ 
+ 	/* unregister as many netdev devices as siblings */
+-	for (dev = usb_get_intfdata(intf); dev; dev = dev->prev_siblings) {
++	for (dev = usb_get_intfdata(intf); dev; dev = dev_prev_siblings) {
+ 		struct net_device *netdev = dev->netdev;
+ 		char name[IFNAMSIZ];
+ 
++		dev_prev_siblings = dev->prev_siblings;
+ 		dev->state &= ~PCAN_USB_STATE_CONNECTED;
+ 		strncpy(name, netdev->name, IFNAMSIZ);
+ 
+ 		unregister_netdev(netdev);
+-		free_candev(netdev);
+ 
+ 		kfree(dev->cmd_buf);
+ 		dev->next_siblings = NULL;
+ 		if (dev->adapter->dev_free)
+ 			dev->adapter->dev_free(dev);
+ 
++		free_candev(netdev);
+ 		dev_info(&intf->dev, "%s removed\n", name);
+ 	}
+ 
diff --git a/queue-4.4/can-raw-raw_setsockopt-limit-number-of-can_filter-that-can-be-set.patch b/queue-4.4/can-raw-raw_setsockopt-limit-number-of-can_filter-that-can-be-set.patch
new file mode 100644
index 00000000000..968ffba7647
--- /dev/null
+++ b/queue-4.4/can-raw-raw_setsockopt-limit-number-of-can_filter-that-can-be-set.patch
@@ -0,0 +1,46 @@
+From 332b05ca7a438f857c61a3c21a88489a21532364 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Mon, 5 Dec 2016 11:44:23 +0100
+Subject: can: raw: raw_setsockopt: limit number of can_filter that can be set
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 332b05ca7a438f857c61a3c21a88489a21532364 upstream.
+
+This patch adds a check to limit the number of can_filters that can be
+set via setsockopt on CAN_RAW sockets. Otherwise allocations > MAX_ORDER
+are not prevented resulting in a warning.
+
+Reference: https://lkml.org/lkml/2016/12/2/230
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/uapi/linux/can.h |    1 +
+ net/can/raw.c            |    3 +++
+ 2 files changed, 4 insertions(+)
+
+--- a/include/uapi/linux/can.h
++++ b/include/uapi/linux/can.h
+@@ -196,5 +196,6 @@ struct can_filter {
+ };
+ 
+ #define CAN_INV_FILTER 0x20000000U /* to be set in can_filter.can_id */
++#define CAN_RAW_FILTER_MAX 512 /* maximum number of can_filter set via setsockopt() */
+ 
+ #endif /* !_UAPI_CAN_H */
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -499,6 +499,9 @@ static int raw_setsockopt(struct socket
+ 		if (optlen % sizeof(struct can_filter) != 0)
+ 			return -EINVAL;
+ 
++		if (optlen > CAN_RAW_FILTER_MAX * sizeof(struct can_filter))
++			return -EINVAL;
++
+ 		count = optlen / sizeof(struct can_filter);
+ 
+ 		if (count > 1) {
diff --git a/queue-4.4/crypto-mcryptd-check-mcryptd-algorithm-compatibility.patch b/queue-4.4/crypto-mcryptd-check-mcryptd-algorithm-compatibility.patch
new file mode 100644
index 00000000000..655893e8c1e
--- /dev/null
+++ b/queue-4.4/crypto-mcryptd-check-mcryptd-algorithm-compatibility.patch
@@ -0,0 +1,70 @@
+From 48a992727d82cb7db076fa15d372178743b1f4cd Mon Sep 17 00:00:00 2001
+From: tim <tim.c.chen@linux.intel.com>
+Date: Mon, 5 Dec 2016 11:46:31 -0800
+Subject: crypto: mcryptd - Check mcryptd algorithm compatibility
+
+From: tim <tim.c.chen@linux.intel.com>
+
+commit 48a992727d82cb7db076fa15d372178743b1f4cd upstream.
+
+Algorithms not compatible with mcryptd could be spawned by mcryptd
+with a direct crypto_alloc_tfm invocation using a "mcryptd(alg)" name
+construct.  This causes mcryptd to crash the kernel if an arbitrary
+"alg" is incompatible and not intended to be used with mcryptd.  It is
+an issue if AF_ALG tries to spawn mcryptd(alg) to expose it externally.
+But such algorithms must be used internally and not be exposed.
+
+We added a check to enforce that only internal algorithms are allowed
+with mcryptd at the time mcryptd is spawning an algorithm.
+
+Link: http://marc.info/?l=linux-crypto-vger&m=148063683310477&w=2
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/mcryptd.c |   19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/crypto/mcryptd.c
++++ b/crypto/mcryptd.c
+@@ -258,18 +258,22 @@ out_free_inst:
+ 	goto out;
+ }
+ 
+-static inline void mcryptd_check_internal(struct rtattr **tb, u32 *type,
++static inline bool mcryptd_check_internal(struct rtattr **tb, u32 *type,
+ 					  u32 *mask)
+ {
+ 	struct crypto_attr_type *algt;
+ 
+ 	algt = crypto_get_attr_type(tb);
+ 	if (IS_ERR(algt))
+-		return;
+-	if ((algt->type & CRYPTO_ALG_INTERNAL))
+-		*type |= CRYPTO_ALG_INTERNAL;
+-	if ((algt->mask & CRYPTO_ALG_INTERNAL))
+-		*mask |= CRYPTO_ALG_INTERNAL;
++		return false;
++
++	*type |= algt->type & CRYPTO_ALG_INTERNAL;
++	*mask |= algt->mask & CRYPTO_ALG_INTERNAL;
++
++	if (*type & *mask & CRYPTO_ALG_INTERNAL)
++		return true;
++	else
++		return false;
+ }
+ 
+ static int mcryptd_hash_init_tfm(struct crypto_tfm *tfm)
+@@ -498,7 +502,8 @@ static int mcryptd_create_hash(struct cr
+ 	u32 mask = 0;
+ 	int err;
+ 
+-	mcryptd_check_internal(tb, &type, &mask);
++	if (!mcryptd_check_internal(tb, &type, &mask))
++		return -EINVAL;
+ 
+ 	salg = shash_attr_alg(tb[1], type, mask);
+ 	if (IS_ERR(salg))
diff --git a/queue-4.4/series b/queue-4.4/series
index b5edb1cd8dd..c573d57268a 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -6,3 +6,7 @@ zram-restrict-add-remove-attributes-to-root-only.patch
 locking-rtmutex-prevent-dequeue-vs.-unlock-race.patch
 locking-rtmutex-use-read_once-in-rt_mutex_owner.patch
 perf-x86-fix-full-width-counter-counter-overflow.patch
+crypto-mcryptd-check-mcryptd-algorithm-compatibility.patch
+can-raw-raw_setsockopt-limit-number-of-can_filter-that-can-be-set.patch
+can-peak-fix-bad-memory-access-and-free-sequence.patch
+arm64-futex.h-add-missing-pan-toggling.patch