<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/net/can, branch linux-3.16.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>slcan: not call free_netdev before rtnl_unlock in slcan_open</title>
<updated>2020-06-11T18:05:35+00:00</updated>
<author>
<name>Oliver Hartkopp</name>
<email>socketcan@hartkopp.net</email>
</author>
<published>2020-03-21T13:08:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8262bc14b32853532c2fba0649524afa951c983b'/>
<id>8262bc14b32853532c2fba0649524afa951c983b</id>
<content type='text'>
commit 2091a3d42b4f339eaeed11228e0cbe9d4f92f558 upstream.

As the description before netdev_run_todo, we cannot call free_netdev
before rtnl_unlock, fix it by reorder the code.

This patch is a 1:1 copy of upstream slip.c commit f596c87005f7
("slip: not call free_netdev before rtnl_unlock in slip_open").

Reported-by: yangerkun &lt;yangerkun@huawei.com&gt;
Signed-off-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 2091a3d42b4f339eaeed11228e0cbe9d4f92f558 upstream.

As the description before netdev_run_todo, we cannot call free_netdev
before rtnl_unlock, fix it by reorder the code.

This patch is a 1:1 copy of upstream slip.c commit f596c87005f7
("slip: not call free_netdev before rtnl_unlock in slip_open").

Reported-by: yangerkun &lt;yangerkun@huawei.com&gt;
Signed-off-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>can: slcan: Fix use-after-free Read in slcan_open</title>
<updated>2020-06-11T18:05:35+00:00</updated>
<author>
<name>Jouni Hogander</name>
<email>jouni.hogander@unikie.com</email>
</author>
<published>2019-11-27T06:40:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fc32a080b625b4e9f997468eafbacc537229c7ef'/>
<id>fc32a080b625b4e9f997468eafbacc537229c7ef</id>
<content type='text'>
commit 9ebd796e24008f33f06ebea5a5e6aceb68b51794 upstream.

Slcan_open doesn't clean-up device which registration failed from the
slcan_devs device list. On next open this list is iterated and freed
device is accessed. Fix this by calling slc_free_netdev in error path.

Driver/net/can/slcan.c is derived from slip.c. Use-after-free error was
identified in slip_open by syzboz. Same bug is in slcan.c. Here is the
trace from the Syzbot slip report:

__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:634
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
sl_sync drivers/net/slip/slip.c:725 [inline]
slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
tiocsetd drivers/tty/tty_io.c:2334 [inline]
tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path")
Cc: Wolfgang Grandegger &lt;wg@grandegger.com&gt;
Cc: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Cc: David Miller &lt;davem@davemloft.net&gt;
Cc: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Cc: Lukas Bulwahn &lt;lukas.bulwahn@gmail.com&gt;
Signed-off-by: Jouni Hogander &lt;jouni.hogander@unikie.com&gt;
Acked-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
[bwh: Backported to 3.16: slc_free_netdev() calls free_netdev() here, so
 delete the direct call to free_netdev()]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9ebd796e24008f33f06ebea5a5e6aceb68b51794 upstream.

Slcan_open doesn't clean-up device which registration failed from the
slcan_devs device list. On next open this list is iterated and freed
device is accessed. Fix this by calling slc_free_netdev in error path.

Driver/net/can/slcan.c is derived from slip.c. Use-after-free error was
identified in slip_open by syzboz. Same bug is in slcan.c. Here is the
trace from the Syzbot slip report:

__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:634
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
sl_sync drivers/net/slip/slip.c:725 [inline]
slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
tiocsetd drivers/tty/tty_io.c:2334 [inline]
tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path")
Cc: Wolfgang Grandegger &lt;wg@grandegger.com&gt;
Cc: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Cc: David Miller &lt;davem@davemloft.net&gt;
Cc: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Cc: Lukas Bulwahn &lt;lukas.bulwahn@gmail.com&gt;
Signed-off-by: Jouni Hogander &lt;jouni.hogander@unikie.com&gt;
Acked-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
[bwh: Backported to 3.16: slc_free_netdev() calls free_netdev() here, so
 delete the direct call to free_netdev()]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>slcan: Fix memory leak in error path</title>
<updated>2020-06-11T18:05:35+00:00</updated>
<author>
<name>Jouni Hogander</name>
<email>jouni.hogander@unikie.com</email>
</author>
<published>2019-11-13T10:08:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ff41ac4dd357b10010949dc50e640c9eb5d5f052'/>
<id>ff41ac4dd357b10010949dc50e640c9eb5d5f052</id>
<content type='text'>
commit ed50e1600b4483c049ce76e6bd3b665a6a9300ed upstream.

This patch is fixing memory leak reported by Syzkaller:

BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
  comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
  hex dump (first 32 bytes):
    73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  backtrace:
    [&lt;00000000a06eec0d&gt;] __kmalloc+0x18b/0x2c0
    [&lt;0000000083306e66&gt;] kvmalloc_node+0x3a/0xc0
    [&lt;000000006ac27f87&gt;] alloc_netdev_mqs+0x17a/0x1080
    [&lt;0000000061a996c9&gt;] slcan_open+0x3ae/0x9a0
    [&lt;000000001226f0f9&gt;] tty_ldisc_open.isra.1+0x76/0xc0
    [&lt;0000000019289631&gt;] tty_set_ldisc+0x28c/0x5f0
    [&lt;000000004de5a617&gt;] tty_ioctl+0x48d/0x1590
    [&lt;00000000daef496f&gt;] do_vfs_ioctl+0x1c7/0x1510
    [&lt;0000000059068dbc&gt;] ksys_ioctl+0x99/0xb0
    [&lt;000000009a6eb334&gt;] __x64_sys_ioctl+0x78/0xb0
    [&lt;0000000053d0332e&gt;] do_syscall_64+0x16f/0x580
    [&lt;0000000021b83b99&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [&lt;000000008ea75434&gt;] 0xffffffffffffffff

Cc: Wolfgang Grandegger &lt;wg@grandegger.com&gt;
Cc: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Cc: Lukas Bulwahn &lt;lukas.bulwahn@gmail.com&gt;
Signed-off-by: Jouni Hogander &lt;jouni.hogander@unikie.com&gt;
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit ed50e1600b4483c049ce76e6bd3b665a6a9300ed upstream.

This patch is fixing memory leak reported by Syzkaller:

BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
  comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
  hex dump (first 32 bytes):
    73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  backtrace:
    [&lt;00000000a06eec0d&gt;] __kmalloc+0x18b/0x2c0
    [&lt;0000000083306e66&gt;] kvmalloc_node+0x3a/0xc0
    [&lt;000000006ac27f87&gt;] alloc_netdev_mqs+0x17a/0x1080
    [&lt;0000000061a996c9&gt;] slcan_open+0x3ae/0x9a0
    [&lt;000000001226f0f9&gt;] tty_ldisc_open.isra.1+0x76/0xc0
    [&lt;0000000019289631&gt;] tty_set_ldisc+0x28c/0x5f0
    [&lt;000000004de5a617&gt;] tty_ioctl+0x48d/0x1590
    [&lt;00000000daef496f&gt;] do_vfs_ioctl+0x1c7/0x1510
    [&lt;0000000059068dbc&gt;] ksys_ioctl+0x99/0xb0
    [&lt;000000009a6eb334&gt;] __x64_sys_ioctl+0x78/0xb0
    [&lt;0000000053d0332e&gt;] do_syscall_64+0x16f/0x580
    [&lt;0000000021b83b99&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [&lt;000000008ea75434&gt;] 0xffffffffffffffff

Cc: Wolfgang Grandegger &lt;wg@grandegger.com&gt;
Cc: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Cc: Lukas Bulwahn &lt;lukas.bulwahn@gmail.com&gt;
Signed-off-by: Jouni Hogander &lt;jouni.hogander@unikie.com&gt;
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>slcan: Don't transmit uninitialized stack data in padding</title>
<updated>2020-04-28T18:03:51+00:00</updated>
<author>
<name>Richard Palethorpe</name>
<email>rpalethorpe@suse.com</email>
</author>
<published>2020-04-01T10:06:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=08fadc32ce6239dc75fd5e869590e29bc62bbc28'/>
<id>08fadc32ce6239dc75fd5e869590e29bc62bbc28</id>
<content type='text'>
commit b9258a2cece4ec1f020715fe3554bc2e360f6264 upstream.

struct can_frame contains some padding which is not explicitly zeroed in
slc_bump. This uninitialized data will then be transmitted if the stack
initialization hardening feature is not enabled (CONFIG_INIT_STACK_ALL).

This commit just zeroes the whole struct including the padding.

Signed-off-by: Richard Palethorpe &lt;rpalethorpe@suse.com&gt;
Fixes: a1044e36e457 ("can: add slcan driver for serial/USB-serial CAN adapters")
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Cc: linux-can@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: security@kernel.org
Cc: wg@grandegger.com
Cc: mkl@pengutronix.de
Cc: davem@davemloft.net
Acked-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b9258a2cece4ec1f020715fe3554bc2e360f6264 upstream.

struct can_frame contains some padding which is not explicitly zeroed in
slc_bump. This uninitialized data will then be transmitted if the stack
initialization hardening feature is not enabled (CONFIG_INIT_STACK_ALL).

This commit just zeroes the whole struct including the padding.

Signed-off-by: Richard Palethorpe &lt;rpalethorpe@suse.com&gt;
Fixes: a1044e36e457 ("can: add slcan driver for serial/USB-serial CAN adapters")
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Cc: linux-can@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: security@kernel.org
Cc: wg@grandegger.com
Cc: mkl@pengutronix.de
Cc: davem@davemloft.net
Acked-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>can, slip: Protect tty-&gt;disc_data in write_wakeup and close with RCU</title>
<updated>2020-04-28T18:03:33+00:00</updated>
<author>
<name>Richard Palethorpe</name>
<email>rpalethorpe@suse.com</email>
</author>
<published>2020-01-21T13:42:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=10912babe0dff14eea532492a6b9c55f1471fd75'/>
<id>10912babe0dff14eea532492a6b9c55f1471fd75</id>
<content type='text'>
commit 0ace17d56824165c7f4c68785d6b58971db954dd upstream.

write_wakeup can happen in parallel with close/hangup where tty-&gt;disc_data
is set to NULL and the netdevice is freed thus also freeing
disc_data. write_wakeup accesses disc_data so we must prevent close from
freeing the netdev while write_wakeup has a non-NULL view of
tty-&gt;disc_data.

We also need to make sure that accesses to disc_data are atomic. Which can
all be done with RCU.

This problem was found by Syzkaller on SLCAN, but the same issue is
reproducible with the SLIP line discipline using an LTP test based on the
Syzkaller reproducer.

A fix which didn't use RCU was posted by Hillf Danton.

Fixes: 661f7fda21b1 ("slip: Fix deadlock in write_wakeup")
Fixes: a8e83b17536a ("slcan: Port write_wakeup deadlock fix from slip")
Reported-by: syzbot+017e491ae13c0068598a@syzkaller.appspotmail.com
Signed-off-by: Richard Palethorpe &lt;rpalethorpe@suse.com&gt;
Cc: Wolfgang Grandegger &lt;wg@grandegger.com&gt;
Cc: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Cc: "David S. Miller" &lt;davem@davemloft.net&gt;
Cc: Tyler Hall &lt;tylerwhall@gmail.com&gt;
Cc: linux-can@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: syzkaller@googlegroups.com
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 0ace17d56824165c7f4c68785d6b58971db954dd upstream.

write_wakeup can happen in parallel with close/hangup where tty-&gt;disc_data
is set to NULL and the netdevice is freed thus also freeing
disc_data. write_wakeup accesses disc_data so we must prevent close from
freeing the netdev while write_wakeup has a non-NULL view of
tty-&gt;disc_data.

We also need to make sure that accesses to disc_data are atomic. Which can
all be done with RCU.

This problem was found by Syzkaller on SLCAN, but the same issue is
reproducible with the SLIP line discipline using an LTP test based on the
Syzkaller reproducer.

A fix which didn't use RCU was posted by Hillf Danton.

Fixes: 661f7fda21b1 ("slip: Fix deadlock in write_wakeup")
Fixes: a8e83b17536a ("slcan: Port write_wakeup deadlock fix from slip")
Reported-by: syzbot+017e491ae13c0068598a@syzkaller.appspotmail.com
Signed-off-by: Richard Palethorpe &lt;rpalethorpe@suse.com&gt;
Cc: Wolfgang Grandegger &lt;wg@grandegger.com&gt;
Cc: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Cc: "David S. Miller" &lt;davem@davemloft.net&gt;
Cc: Tyler Hall &lt;tylerwhall@gmail.com&gt;
Cc: linux-can@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: syzkaller@googlegroups.com
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode</title>
<updated>2020-04-28T18:03:13+00:00</updated>
<author>
<name>Florian Faber</name>
<email>faber@faberman.de</email>
</author>
<published>2019-12-26T18:51:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7403ef766208bcf94b55318945f28c9ecf0db28b'/>
<id>7403ef766208bcf94b55318945f28c9ecf0db28b</id>
<content type='text'>
commit 2d77bd61a2927be8f4e00d9478fe6996c47e8d45 upstream.

Under load, the RX side of the mscan driver can get stuck while TX still
works. Restarting the interface locks up the system. This behaviour
could be reproduced reliably on a MPC5121e based system.

The patch fixes the return value of the NAPI polling function (should be
the number of processed packets, not constant 1) and the condition under
which IRQs are enabled again after polling is finished.

With this patch, no more lockups were observed over a test period of ten
days.

Fixes: afa17a500a36 ("net/can: add driver for mscan family &amp; mpc52xx_mscan")
Signed-off-by: Florian Faber &lt;faber@faberman.de&gt;
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 2d77bd61a2927be8f4e00d9478fe6996c47e8d45 upstream.

Under load, the RX side of the mscan driver can get stuck while TX still
works. Restarting the interface locks up the system. This behaviour
could be reproduced reliably on a MPC5121e based system.

The patch fixes the return value of the NAPI polling function (should be
the number of processed packets, not constant 1) and the condition under
which IRQs are enabled again after polling is finished.

With this patch, no more lockups were observed over a test period of ten
days.

Fixes: afa17a500a36 ("net/can: add driver for mscan family &amp; mpc52xx_mscan")
Signed-off-by: Florian Faber &lt;faber@faberman.de&gt;
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>can: gs_usb: gs_usb_probe(): use descriptors of current altsetting</title>
<updated>2020-04-28T18:03:12+00:00</updated>
<author>
<name>Johan Hovold</name>
<email>johan@kernel.org</email>
</author>
<published>2019-12-10T11:32:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=03c63ebadf1ed706b77cd9c4868184068aea2f87'/>
<id>03c63ebadf1ed706b77cd9c4868184068aea2f87</id>
<content type='text'>
commit 2f361cd9474ab2c4ab9ac8db20faf81e66c6279b upstream.

Make sure to always use the descriptors of the current alternate setting
to avoid future issues when accessing fields that may differ between
settings.

Signed-off-by: Johan Hovold &lt;johan@kernel.org&gt;
Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 2f361cd9474ab2c4ab9ac8db20faf81e66c6279b upstream.

Make sure to always use the descriptors of the current alternate setting
to avoid future issues when accessing fields that may differ between
settings.

Signed-off-by: Johan Hovold &lt;johan@kernel.org&gt;
Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices</title>
<updated>2020-01-11T02:05:05+00:00</updated>
<author>
<name>Xiaolong Huang</name>
<email>butterflyhuangxx@gmail.com</email>
</author>
<published>2019-12-07T14:40:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=57087b5fae7189f036388760dd21e7a99ced313e'/>
<id>57087b5fae7189f036388760dd21e7a99ced313e</id>
<content type='text'>
commit da2311a6385c3b499da2ed5d9be59ce331fa93e9 upstream.

Uninitialized Kernel memory can leak to USB devices.

Fix this by using kzalloc() instead of kmalloc().

Signed-off-by: Xiaolong Huang &lt;butterflyhuangxx@gmail.com&gt;
Fixes: 7259124eac7d ("can: kvaser_usb: Split driver into kvaser_usb_core.c and kvaser_usb_leaf.c")
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit da2311a6385c3b499da2ed5d9be59ce331fa93e9 upstream.

Uninitialized Kernel memory can leak to USB devices.

Fix this by using kzalloc() instead of kmalloc().

Signed-off-by: Xiaolong Huang &lt;butterflyhuangxx@gmail.com&gt;
Fixes: 7259124eac7d ("can: kvaser_usb: Split driver into kvaser_usb_core.c and kvaser_usb_leaf.c")
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>can: c_can: c_can_poll(): only read status register after status IRQ</title>
<updated>2019-12-19T15:58:56+00:00</updated>
<author>
<name>Kurt Van Dijck</name>
<email>dev.kurt@vandijck-laurijssen.be</email>
</author>
<published>2019-10-01T07:40:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=20d30a0297179eac38a3490b9f07901060af006c'/>
<id>20d30a0297179eac38a3490b9f07901060af006c</id>
<content type='text'>
commit 3cb3eaac52c0f145d895f4b6c22834d5f02b8569 upstream.

When the status register is read without the status IRQ pending, the
chip may not raise the interrupt line for an upcoming status interrupt
and the driver may miss a status interrupt.

It is critical that the BUSOFF status interrupt is forwarded to the
higher layers, since no more interrupts will follow without
intervention.

Thanks to Wolfgang and Joe for bringing up the first idea.

Signed-off-by: Kurt Van Dijck &lt;dev.kurt@vandijck-laurijssen.be&gt;
Cc: Wolfgang Grandegger &lt;wg@grandegger.com&gt;
Cc: Joe Burmeister &lt;joe.burmeister@devtank.co.uk&gt;
Fixes: fa39b54ccf28 ("can: c_can: Get rid of pointless interrupts")
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 3cb3eaac52c0f145d895f4b6c22834d5f02b8569 upstream.

When the status register is read without the status IRQ pending, the
chip may not raise the interrupt line for an upcoming status interrupt
and the driver may miss a status interrupt.

It is critical that the BUSOFF status interrupt is forwarded to the
higher layers, since no more interrupts will follow without
intervention.

Thanks to Wolfgang and Joe for bringing up the first idea.

Signed-off-by: Kurt Van Dijck &lt;dev.kurt@vandijck-laurijssen.be&gt;
Cc: Wolfgang Grandegger &lt;wg@grandegger.com&gt;
Cc: Joe Burmeister &lt;joe.burmeister@devtank.co.uk&gt;
Fixes: fa39b54ccf28 ("can: c_can: Get rid of pointless interrupts")
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>can: peak_usb: fix a potential out-of-sync while decoding packets</title>
<updated>2019-12-19T15:58:56+00:00</updated>
<author>
<name>Stephane Grosjean</name>
<email>s.grosjean@peak-system.com</email>
</author>
<published>2019-10-08T08:35:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fa2012d3cc938812d53bc0b0f84c4afbcacfa9b9'/>
<id>fa2012d3cc938812d53bc0b0f84c4afbcacfa9b9</id>
<content type='text'>
commit de280f403f2996679e2607384980703710576fed upstream.

When decoding a buffer received from PCAN-USB, the first timestamp read in
a packet is a 16-bit coded time base, and the next ones are an 8-bit
offset to this base, regardless of the type of packet read.

This patch corrects a potential loss of synchronization by using a
timestamp index read from the buffer, rather than an index of received
data packets, to determine on the sizeof the timestamp to be read from the
packet being decoded.

Signed-off-by: Stephane Grosjean &lt;s.grosjean@peak-system.com&gt;
Fixes: 46be265d3388 ("can: usb: PEAK-System Technik PCAN-USB specific part")
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit de280f403f2996679e2607384980703710576fed upstream.

When decoding a buffer received from PCAN-USB, the first timestamp read in
a packet is a 16-bit coded time base, and the next ones are an 8-bit
offset to this base, regardless of the type of packet read.

This patch corrects a potential loss of synchronization by using a
timestamp index read from the buffer, rather than an index of received
data packets, to determine on the sizeof the timestamp to be read from the
packet being decoded.

Signed-off-by: Stephane Grosjean &lt;s.grosjean@peak-system.com&gt;
Fixes: 46be265d3388 ("can: usb: PEAK-System Technik PCAN-USB specific part")
Signed-off-by: Marc Kleine-Budde &lt;mkl@pengutronix.de&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
</feed>
