From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 28 Jan 2019 16:19:12 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v4.9.154~33
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ff115ff4ba52a8b04b1a0a35357f11944bf12c26;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	can-bcm-check-timer-values-before-ktime-conversion.patch
	can-dev-__can_get_echo_skb-fix-bogous-check-for-non-existing-skb-by-removing-it.patch
	vt-invoke-notifier-on-screen-size-change.patch
---

diff --git a/queue-4.9/can-bcm-check-timer-values-before-ktime-conversion.patch b/queue-4.9/can-bcm-check-timer-values-before-ktime-conversion.patch
new file mode 100644
index 00000000000..159a5cb553a
--- /dev/null
+++ b/queue-4.9/can-bcm-check-timer-values-before-ktime-conversion.patch
@@ -0,0 +1,89 @@
+From 93171ba6f1deffd82f381d36cb13177872d023f6 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Sun, 13 Jan 2019 19:31:43 +0100
+Subject: can: bcm: check timer values before ktime conversion
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 93171ba6f1deffd82f381d36cb13177872d023f6 upstream.
+
+Kyungtae Kim detected a potential integer overflow in bcm_[rx|tx]_setup()
+when the conversion into ktime multiplies the given value with NSEC_PER_USEC
+(1000).
+
+Reference: https://marc.info/?l=linux-can&m=154732118819828&w=2
+
+Add a check for the given tv_usec, so that the value stays below one second.
+Additionally limit the tv_sec value to a reasonable value for CAN related
+use-cases of 400 days and ensure all values to be positive.
+
+Reported-by: Kyungtae Kim <kt0755@gmail.com>
+Tested-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Cc: linux-stable <stable@vger.kernel.org> # >= 2.6.26
+Tested-by: Kyungtae Kim <kt0755@gmail.com>
+Acked-by: Andre Naujoks <nautsch2@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/can/bcm.c |   27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -67,6 +67,9 @@
+  */
+ #define MAX_NFRAMES 256
+ 
++/* limit timers to 400 days for sending/timeouts */
++#define BCM_TIMER_SEC_MAX (400 * 24 * 60 * 60)
++
+ /* use of last_frames[index].flags */
+ #define RX_RECV    0x40 /* received data for this element */
+ #define RX_THR     0x80 /* element not been sent due to throttle feature */
+@@ -142,6 +145,22 @@ static inline ktime_t bcm_timeval_to_kti
+ 	return ktime_set(tv.tv_sec, tv.tv_usec * NSEC_PER_USEC);
+ }
+ 
++/* check limitations for timeval provided by user */
++static bool bcm_is_invalid_tv(struct bcm_msg_head *msg_head)
++{
++	if ((msg_head->ival1.tv_sec < 0) ||
++	    (msg_head->ival1.tv_sec > BCM_TIMER_SEC_MAX) ||
++	    (msg_head->ival1.tv_usec < 0) ||
++	    (msg_head->ival1.tv_usec >= USEC_PER_SEC) ||
++	    (msg_head->ival2.tv_sec < 0) ||
++	    (msg_head->ival2.tv_sec > BCM_TIMER_SEC_MAX) ||
++	    (msg_head->ival2.tv_usec < 0) ||
++	    (msg_head->ival2.tv_usec >= USEC_PER_SEC))
++		return true;
++
++	return false;
++}
++
+ #define CFSIZ(flags) ((flags & CAN_FD_FRAME) ? CANFD_MTU : CAN_MTU)
+ #define OPSIZ sizeof(struct bcm_op)
+ #define MHSIZ sizeof(struct bcm_msg_head)
+@@ -884,6 +903,10 @@ static int bcm_tx_setup(struct bcm_msg_h
+ 	if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES)
+ 		return -EINVAL;
+ 
++	/* check timeval limitations */
++	if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head))
++		return -EINVAL;
++
+ 	/* check the given can_id */
+ 	op = bcm_find_op(&bo->tx_ops, msg_head, ifindex);
+ 	if (op) {
+@@ -1063,6 +1086,10 @@ static int bcm_rx_setup(struct bcm_msg_h
+ 	     (!(msg_head->can_id & CAN_RTR_FLAG))))
+ 		return -EINVAL;
+ 
++	/* check timeval limitations */
++	if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head))
++		return -EINVAL;
++
+ 	/* check the given can_id */
+ 	op = bcm_find_op(&bo->rx_ops, msg_head, ifindex);
+ 	if (op) {
diff --git a/queue-4.9/can-dev-__can_get_echo_skb-fix-bogous-check-for-non-existing-skb-by-removing-it.patch b/queue-4.9/can-dev-__can_get_echo_skb-fix-bogous-check-for-non-existing-skb-by-removing-it.patch
new file mode 100644
index 00000000000..ab8406f33d9
--- /dev/null
+++ b/queue-4.9/can-dev-__can_get_echo_skb-fix-bogous-check-for-non-existing-skb-by-removing-it.patch
@@ -0,0 +1,84 @@
+From 7b12c8189a3dc50638e7d53714c88007268d47ef Mon Sep 17 00:00:00 2001
+From: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
+Date: Wed, 19 Dec 2018 19:39:58 +0100
+Subject: can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it
+
+From: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
+
+commit 7b12c8189a3dc50638e7d53714c88007268d47ef upstream.
+
+This patch revert commit 7da11ba5c506
+("can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb")
+
+After introduction of this change we encountered following new error
+message on various i.MX plattforms (flexcan):
+
+| flexcan 53fc8000.can can0: __can_get_echo_skb: BUG! Trying to echo non
+| existing skb: can_priv::echo_skb[0]
+
+The introduction of the message was a mistake because
+priv->echo_skb[idx] = NULL is a perfectly valid in following case: If
+CAN_RAW_LOOPBACK is disabled (setsockopt) in applications, the pkt_type
+of the tx skb's given to can_put_echo_skb is set to PACKET_LOOPBACK. In
+this case can_put_echo_skb will not set priv->echo_skb[idx]. It is
+therefore kept NULL.
+
+As additional argument for revert: The order of check and usage of idx
+was changed. idx is used to access an array element before checking it's
+boundaries.
+
+Signed-off-by: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
+Fixes: 7da11ba5c506 ("can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb")
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/dev.c |   27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -456,8 +456,6 @@ EXPORT_SYMBOL_GPL(can_put_echo_skb);
+ struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr)
+ {
+ 	struct can_priv *priv = netdev_priv(dev);
+-	struct sk_buff *skb = priv->echo_skb[idx];
+-	struct canfd_frame *cf;
+ 
+ 	if (idx >= priv->echo_skb_max) {
+ 		netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n",
+@@ -465,20 +463,21 @@ struct sk_buff *__can_get_echo_skb(struc
+ 		return NULL;
+ 	}
+ 
+-	if (!skb) {
+-		netdev_err(dev, "%s: BUG! Trying to echo non existing skb: can_priv::echo_skb[%u]\n",
+-			   __func__, idx);
+-		return NULL;
+-	}
++	if (priv->echo_skb[idx]) {
++		/* Using "struct canfd_frame::len" for the frame
++		 * length is supported on both CAN and CANFD frames.
++		 */
++		struct sk_buff *skb = priv->echo_skb[idx];
++		struct canfd_frame *cf = (struct canfd_frame *)skb->data;
++		u8 len = cf->len;
+ 
+-	/* Using "struct canfd_frame::len" for the frame
+-	 * length is supported on both CAN and CANFD frames.
+-	 */
+-	cf = (struct canfd_frame *)skb->data;
+-	*len_ptr = cf->len;
+-	priv->echo_skb[idx] = NULL;
++		*len_ptr = len;
++		priv->echo_skb[idx] = NULL;
++
++		return skb;
++	}
+ 
+-	return skb;
++	return NULL;
+ }
+ 
+ /*
diff --git a/queue-4.9/series b/queue-4.9/series
index 3e47f43e87a..a99cc18239b 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -30,3 +30,6 @@ dm-thin-fix-passdown_double_checking_shared_status.patch
 kvm-x86-fix-single-step-debugging.patch
 x86-selftests-pkeys-fork-to-check-for-state-being-preserved.patch
 x86-kaslr-fix-incorrect-i8254-outb-parameters.patch
+can-dev-__can_get_echo_skb-fix-bogous-check-for-non-existing-skb-by-removing-it.patch
+can-bcm-check-timer-values-before-ktime-conversion.patch
+vt-invoke-notifier-on-screen-size-change.patch
diff --git a/queue-4.9/vt-invoke-notifier-on-screen-size-change.patch b/queue-4.9/vt-invoke-notifier-on-screen-size-change.patch
new file mode 100644
index 00000000000..e6c1b5fb914
--- /dev/null
+++ b/queue-4.9/vt-invoke-notifier-on-screen-size-change.patch
@@ -0,0 +1,30 @@
+From 0c9b1965faddad7534b6974b5b36c4ad37998f8e Mon Sep 17 00:00:00 2001
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+Date: Tue, 8 Jan 2019 22:55:01 -0500
+Subject: vt: invoke notifier on screen size change
+
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+
+commit 0c9b1965faddad7534b6974b5b36c4ad37998f8e upstream.
+
+User space using poll() on /dev/vcs devices are not awaken when a
+screen size change occurs. Let's fix that.
+
+Signed-off-by: Nicolas Pitre <nico@linaro.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/vt.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -956,6 +956,7 @@ static int vc_do_resize(struct tty_struc
+ 	if (con_is_visible(vc))
+ 		update_screen(vc);
+ 	vt_event_post(VT_EVENT_RESIZE, vc->vc_num, vc->vc_num);
++	notify_update(vc);
+ 	return err;
+ }
+