From 9d6aeb57854fc292f5cbfc24d1429c87344ceb7f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 11 Dec 2022 11:05:54 +0100
Subject: [PATCH] 6.0-stable patches
added patches:
arm-9278-1-kfence-only-handle-translation-faults.patch
can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch
---
...fence-only-handle-translation-faults.patch | 90 +++++++++++++++++++
...ointer-dereference-in-can_rcv_filter.patch | 50 +++++++++++
queue-6.0/series | 2 +
3 files changed, 142 insertions(+)
create mode 100644 queue-6.0/arm-9278-1-kfence-only-handle-translation-faults.patch
create mode 100644 queue-6.0/can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch
diff --git a/queue-6.0/arm-9278-1-kfence-only-handle-translation-faults.patch b/queue-6.0/arm-9278-1-kfence-only-handle-translation-faults.patch
new file mode 100644
index 00000000000..653e395f20c
--- /dev/null
+++ b/queue-6.0/arm-9278-1-kfence-only-handle-translation-faults.patch
@@ -0,0 +1,90 @@
+From 73a0b6ee5d6269f92df43e1d09b3278a2886bf8a Mon Sep 17 00:00:00 2001
+From: Wang Kefeng
+Date: Sun, 4 Dec 2022 04:46:20 +0100
+Subject: ARM: 9278/1: kfence: only handle translation faults
+
+From: Wang Kefeng
+
+commit 73a0b6ee5d6269f92df43e1d09b3278a2886bf8a upstream.
+
+This is a similar fixup like arm64 does, only handle translation faults
+in case of unexpected kfence report when alignment faults on ARM, see
+more from commit 0bb1fbffc631 ("arm64: mm: kfence: only handle translation
+faults").
+
+Fixes: 75969686ec0d ("ARM: 9166/1: Support KFENCE for ARM")
+Signed-off-by: Kefeng Wang
+Signed-off-by: Russell King (Oracle)
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/mm/fault.c | 18 ++++++++++++++++--
+ arch/arm/mm/fault.h | 9 ++++++---
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+
+--- a/arch/arm/mm/fault.c
++++ b/arch/arm/mm/fault.c
+@@ -105,6 +105,19 @@ static inline bool is_write_fault(unsign
+ return (fsr & FSR_WRITE) && !(fsr & FSR_CM);
+ }
+
++static inline bool is_translation_fault(unsigned int fsr)
++{
++ int fs = fsr_fs(fsr);
++#ifdef CONFIG_ARM_LPAE
++ if ((fs & FS_MMU_NOLL_MASK) == FS_TRANS_NOLL)
++ return true;
++#else
++ if (fs == FS_L1_TRANS || fs == FS_L2_TRANS)
++ return true;
++#endif
++ return false;
++}
++
+ static void die_kernel_fault(const char *msg, struct mm_struct *mm,
+ unsigned long addr, unsigned int fsr,
+ struct pt_regs *regs)
+@@ -140,7 +153,8 @@ __do_kernel_fault(struct mm_struct *mm,
+ if (addr < PAGE_SIZE) {
+ msg = "NULL pointer dereference";
+ } else {
+- if (kfence_handle_page_fault(addr, is_write_fault(fsr), regs))
++ if (is_translation_fault(fsr) &&
++ kfence_handle_page_fault(addr, is_write_fault(fsr), regs))
+ return;
+
+ msg = "paging request";
+@@ -208,7 +222,7 @@ static inline bool is_permission_fault(u
+ {
+ int fs = fsr_fs(fsr);
+ #ifdef CONFIG_ARM_LPAE
+- if ((fs & FS_PERM_NOLL_MASK) == FS_PERM_NOLL)
++ if ((fs & FS_MMU_NOLL_MASK) == FS_PERM_NOLL)
+ return true;
+ #else
+ if (fs ==
FS_L1_PERM || fs == FS_L2_PERM)
+--- a/arch/arm/mm/fault.h
++++ b/arch/arm/mm/fault.h
+@@ -14,8 +14,9 @@
+
+ #ifdef CONFIG_ARM_LPAE
+ #define FSR_FS_AEA 17
++#define FS_TRANS_NOLL 0x4
+ #define FS_PERM_NOLL 0xC
+-#define FS_PERM_NOLL_MASK 0x3C
++#define FS_MMU_NOLL_MASK 0x3C
+
+ static inline int fsr_fs(unsigned int fsr)
+ {
+@@ -23,8 +24,10 @@ static inline int fsr_fs(unsigned int fs
+ }
+ #else
+ #define FSR_FS_AEA 22
+-#define FS_L1_PERM 0xD
+-#define FS_L2_PERM 0xF
++#define FS_L1_TRANS 0x5
++#define FS_L2_TRANS 0x7
++#define FS_L1_PERM 0xD
++#define FS_L2_PERM 0xF
+
+ static inline int fsr_fs(unsigned int fsr)
+ {
diff --git a/queue-6.0/can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch b/queue-6.0/can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch
new file mode 100644
index 00000000000..6c63d6951c6
--- /dev/null
+++ b/queue-6.0/can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch
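Review bot: The new `is_translation_fault()` helper and the `is_translation_fault(fsr) &&` guard added in `__do_kernel_fault()` carry no comment saying why KFENCE is consulted only for translation faults, so the next reader of fault.c has to dig out the commit message (or the arm64 commit 0bb1fbffc631 it cites) to learn that other fault types handed to `kfence_handle_page_fault()` produce spurious KFENCE reports. I'd add above the helper: `/* Only translation faults can be KFENCE hits; passing alignment or other faults to kfence_handle_page_fault() yields bogus KFENCE reports (cf. arm64 commit 0bb1fbffc631). */`. The fault.h hunk also renames FS_PERM_NOLL_MASK to FS_MMU_NOLL_MASK because the same 0x3C mask now serves both `FS_TRANS_NOLL` and `FS_PERM_NOLL`; a one-line comment on the define noting it strips the LPAE level bits would make that reuse obvious. The bodies of `__do_kernel_fault()` and `is_permission_fault()` extend outside the hunk.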
@@ -0,0 +1,50 @@
+From 0acc442309a0a1b01bcdaa135e56e6398a49439c Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp
+Date: Tue, 6 Dec 2022 21:12:59 +0100
+Subject: can: af_can: fix NULL pointer dereference in can_rcv_filter
+
+From: Oliver Hartkopp
+
+commit 0acc442309a0a1b01bcdaa135e56e6398a49439c upstream.
+
+Analogue to commit 8aa59e355949 ("can: af_can: fix NULL pointer
+dereference in can_rx_register()") we need to check for a missing
+initialization of ml_priv in the receive path of CAN frames.
+
+Since commit 4e096a18867a ("net: introduce CAN specific pointer in the
+struct net_device") the check for dev->type to be ARPHRD_CAN is not
+sufficient anymore since bonding or tun netdevices claim to be CAN
+devices but do not initialize ml_priv accordingly.
+
+Fixes: 4e096a18867a ("net: introduce CAN specific pointer in the struct net_device")
+Reported-by: syzbot+2d7f58292cb5b29eb5ad@syzkaller.appspotmail.com
+Reported-by: Wei Chen
+Signed-off-by: Oliver Hartkopp
+Link: https://lore.kernel.org/all/20221206201259.3028-1-socketcan@hartkopp.net
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/can/af_can.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/can/af_can.c
++++ b/net/can/af_can.c
+@@ -680,7 +680,7 @@ static int can_rcv(struct sk_buff *skb,
+ {
+ struct canfd_frame *cfd = (struct canfd_frame *)skb->data;
+
+- if (unlikely(dev->type != ARPHRD_CAN || skb->len != CAN_MTU)) {
++ if (unlikely(dev->type != ARPHRD_CAN || !can_get_ml_priv(dev) || skb->len != CAN_MTU)) {
+ pr_warn_once("PF_CAN: dropped non conform CAN skbuff: dev type %d, len %d\n",
+ dev->type, skb->len);
+ goto free_skb;
+@@ -706,7 +706,7 @@ static int canfd_rcv(struct sk_buff *skb
+ {
+ struct canfd_frame *cfd = (struct canfd_frame *)skb->data;
+
+- if (unlikely(dev->type != ARPHRD_CAN || skb->len != CANFD_MTU)) {
++ if (unlikely(dev->type != ARPHRD_CAN || !can_get_ml_priv(dev) || skb->len != CANFD_MTU)) {
+
pr_warn_once("PF_CAN: dropped non conform CAN FD skbuff: dev type %d, len %d\n",
+ dev->type, skb->len);
+ goto free_skb;
diff --git a/queue-6.0/series b/queue-6.0/series
index efc2541fabe..1f342552cc4 100644
--- a/queue-6.0/series
+++ b/queue-6.0/series
@@ -82,3 +82,5 @@ hid-uclogic-add-hid_quirk_hidinput_force-quirk.patch
 hid-hid-lg4ff-add-check-for-empty-lbuf.patch
 hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
 hid-ite-enable-quirk_touchpad_on_off_report-on-acer-aspire-switch-v-10.patch
+arm-9278-1-kfence-only-handle-translation-faults.patch
+can-af_can-fix-null-pointer-dereference-in-can_rcv_filter.patch
-- 
2.47.3
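Review bot: The `pr_warn_once()` that follows the widened condition in `can_rcv()` still prints only `dev->type` and `skb->len`, so a frame dropped because `can_get_ml_priv(dev)` returned NULL (the bonding/tun case the description names) is logged with a perfectly plausible type and length and the message gives no hint why it was rejected; `canfd_rcv()` has the same shape. Since the format string is an established log line I would not change it, but the new sub-condition deserves a comment so the drop reason is discoverable from the code: `/* bonding/tun can report ARPHRD_CAN without ml_priv being initialised */` above the `if (unlikely(...))` in both functions. The same `dev->type`/`can_get_ml_priv()` pair is now duplicated verbatim in the two receive functions, which is a small style point a shared helper would tidy. Both function bodies continue outside the hunk.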