The 'nr_pages' attribute of the 'msc' subdevices parses a comma-separated
list of window sizes, passed from userspace. However, there is a bug in
the string parsing logic wherein it doesn't exclude the comma character
from the range of characters as it consumes them. This leads to an
out-of-bounds access given a sufficiently long list. For example:
> # echo 8,8,8,8 > /sys/bus/intel_th/devices/0-msc0/nr_pages
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memchr+0x1e/0x40
> Read of size 1 at addr ffff8803ffcebcd1 by task sh/825
>
> CPU: 3 PID: 825 Comm: npktest.sh Tainted: G W 4.20.0-rc1+
> Call Trace:
> dump_stack+0x7c/0xc0
> print_address_description+0x6c/0x23c
> ? memchr+0x1e/0x40
> kasan_report.cold.5+0x241/0x308
> memchr+0x1e/0x40
> nr_pages_store+0x203/0xd00 [intel_th_msu]
Fix this by accounting for the comma character.
Signed-off-by: Alexander Shishkin <alexander.shishkin(a)linux.intel.com>
Fixes: ba82664c134ef ("intel_th: Add Memory Storage Unit driver")
Cc: stable(a)vger.kernel.org # v4.4+
---
drivers/hwtracing/intel_th/msu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/hwtracing/intel_th/msu.c b/drivers/hwtracing/intel_th/msu.c
index d293e55553bd..ba7aaf421f36 100644
--- a/drivers/hwtracing/intel_th/msu.c
+++ b/drivers/hwtracing/intel_th/msu.c
@@ -1423,7 +1423,8 @@ nr_pages_store(struct device *dev, struct device_attribute *attr,
if (!end)
break;
- len -= end - p;
+ /* consume the number and the following comma, hence +1 */
+ len -= end - p + 1;
p = end + 1;
} while (len);
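Review bot: the new `len -= end - p + 1;` cannot underflow, because `end` was found inside [p, p + len) and so `end - p + 1` is at most `len`; it also means a list that ends in a comma (for example "8,8,") now drives `len` to zero and leaves the loop through `while (len)`, whereas the old accounting left `len` one byte too large per field and could only ever stop at `if (!end) break;` after scanning past the buffer. Worth adding the trailing-comma input to whatever exercised the "8,8,8,8" case, and the comment could say why the `+1` cannot overshoot.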
--
2.19.2
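To make the length accounting concrete, here is a userspace model of the scan loop written for this note, not code from msu.c: it keeps the visible loop shape (memchr() for the comma, the `len` bookkeeping, `p = end + 1`) and reports an overrun instead of performing it. The driver's kstrndup()/kstrtoul() step is replaced by strtoul(); MAX_WINS and count_windows() are my own names.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_WINS 8

/*
 * Scan a comma-separated list of window sizes the way nr_pages_store()
 * walks its input.  'fixed' selects the corrected accounting (number plus
 * its comma); 0 reproduces the original accounting.  Rather than reading
 * past the buffer, the scan returns -1 as soon as the span [p, p + len)
 * that would be handed to memchr() extends beyond buf + size, which is
 * the condition KASAN reported as slab-out-of-bounds.
 */
static int scan_windows(const char *buf, size_t size, int fixed,
                        unsigned long *win, int max_wins)
{
    const char *p = buf, *end;
    size_t len = size, n;
    int nr_wins = 0;
    char num[32];

    /* a trailing newline (echo adds one) terminates the list */
    end = memchr(buf, '\n', len);
    if (end)
        len = end - buf;

    do {
        if ((size_t)(p - buf) + len > size)
            return -1;          /* memchr() would read out of bounds */

        end = memchr(p, ',', len);
        n = end ? (size_t)(end - p) : len;
        if (n == 0 || n >= sizeof(num) || nr_wins == max_wins)
            return -2;          /* empty field, oversized number, too many */
        memcpy(num, p, n);
        num[n] = '\0';
        win[nr_wins++] = strtoul(num, NULL, 10);

        if (!end)
            break;

        if (fixed)
            len -= end - p + 1; /* consume the number and its comma */
        else
            len -= end - p;     /* original: the comma is never consumed */
        p = end + 1;
    } while (len);

    return nr_wins;
}

/* Convenience wrapper for NUL-terminated input; returns the window count. */
static int count_windows(const char *s, int fixed)
{
    unsigned long win[MAX_WINS];

    return scan_windows(s, strlen(s), fixed, win, MAX_WINS);
}

int main(void)
{
    /* constructed inputs: the echo'd list from the report, a trailing comma, one value */
    const char *inputs[] = { "8,8,8,8\n", "8,8,", "16" };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
        printf("input %zu: original=%d fixed=%d\n", i,
               count_windows(inputs[i], 0), count_windows(inputs[i], 1));
    return 0;
}
```

With the original accounting both the reported input and the trailing-comma input reach a span that runs past the buffer; with the fix they parse to four and two windows respectively.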
This is the start of the stable review cycle for the 4.19.11 release.
There are 44 patches in this series, all of which will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu Dec 20 16:39:02 UTC 2018.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.11-rc…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 4.19.11-rc1
Masahiro Yamada <yamada.masahiro(a)socionext.com>
x86/build: Fix compiler support check for CONFIG_RETPOLINE
Damien Le Moal <damien.lemoal(a)wdc.com>
dm zoned: Fix target BIO completion handling
Junwei Zhang <Jerry.Zhang(a)amd.com>
drm/amdgpu: update SMC firmware image for polaris10 variants
Alex Deucher <alexander.deucher(a)amd.com>
drm/amdgpu: update smu firmware images for VI variants (v2)
Alex Deucher <alexander.deucher(a)amd.com>
drm/amdgpu: add some additional vega10 pci ids
Alex Deucher <alexander.deucher(a)amd.com>
drm/amdkfd: add new vega10 pci ids
Kenneth Feng <kenneth.feng(a)amd.com>
drm/amdgpu/powerplay: Apply avfs cks-off voltages on VI
Chris Wilson <chris(a)chris-wilson.co.uk>
drm/i915/execlists: Apply a full mb before execution for Braswell
Tina Zhang <tina.zhang(a)intel.com>
drm/i915/gvt: Fix tiled memory decoding bug on BDW
Brian Norris <briannorris(a)chromium.org>
Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec"
Ben Skeggs <bskeggs(a)redhat.com>
drm/nouveau/kms/nv50-: also flush fb writes when rewinding push buffer
Lyude Paul <lyude(a)redhat.com>
drm/nouveau/kms: Fix memory leak in nv50_mstm_del()
Benjamin Herrenschmidt <benh(a)kernel.crashing.org>
powerpc: Look for "stdout-path" when setting up legacy consoles
Radu Rendec <radu.rendec(a)gmail.com>
powerpc/msi: Fix NULL pointer access in teardown code
Hans Verkuil <hverkuil-cisco(a)xs4all.nl>
media: vb2: don't call __vb2_queue_cancel if vb2_start_streaming failed
Steven Rostedt (VMware) <rostedt(a)goodmis.org>
tracing: Fix memory leak of instance function hash filters
Steven Rostedt (VMware) <rostedt(a)goodmis.org>
tracing: Fix memory leak in set_trigger_filter()
Steven Rostedt (VMware) <rostedt(a)goodmis.org>
tracing: Fix memory leak in create_filter()
Mike Snitzer <snitzer(a)redhat.com>
dm: call blk_queue_split() to impose device limits on bios
Mike Snitzer <snitzer(a)redhat.com>
dm cache metadata: verify cache has blocks in blocks_are_clean_separate_dirty()
Mike Snitzer <snitzer(a)redhat.com>
dm thin: send event about thin-pool state change _after_ making it
Stefan Wahren <stefan.wahren(a)i2se.com>
ARM: dts: bcm2837: Fix polarity of wifi reset GPIOs
Lubomir Rintel <lkundrak(a)v3.sk>
ARM: mmp/mmp2: fix cpu_is_mmp2() on mmp2-dt
Chad Austin <chadaustin(a)fb.com>
fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS
Alek Du <alek.du(a)intel.com>
mmc: sdhci: fix the timeout check window for clock and reset
Faiz Abbas <faiz_abbas(a)ti.com>
mmc: sdhci-omap: Fix DCRC error handling during tuning
Wolfram Sang <wsa+renesas(a)sang-engineering.com>
mmc: core: use mrq->sbc when sending CMD23 for RPMB
Aaro Koskinen <aaro.koskinen(a)iki.fi>
MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310
Amir Goldstein <amir73il(a)gmail.com>
ovl: fix missing override creds in link of a metacopy upper
Amir Goldstein <amir73il(a)gmail.com>
ovl: fix decode of dir file handle with multi lower layers
Keith Busch <keith.busch(a)intel.com>
block/bio: Do not zero user pages
Robin Murphy <robin.murphy(a)arm.com>
arm64: dma-mapping: Fix FORCE_CONTIGUOUS buffer clearing
Andrea Arcangeli <aarcange(a)redhat.com>
userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered
Piotr Jaroszynski <pjaroszynski(a)nvidia.com>
fs/iomap.c: get/put the page in iomap_page_create/release()
Thierry Reding <treding(a)nvidia.com>
scripts/spdxcheck.py: always open files in binary mode
Jeff Moyer <jmoyer(a)redhat.com>
aio: fix spectre gadget in lookup_ioctx
Chen-Yu Tsai <wens(a)csie.org>
pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11
Arnd Bergmann <arnd(a)arndb.de>
drm/msm: fix address space warning
Arnd Bergmann <arnd(a)arndb.de>
ARM: dts: qcom-apq8064-arrow-sd-600eval fix graph_endpoint warning
Arnd Bergmann <arnd(a)arndb.de>
i2c: aspeed: fix build warning
Arnd Bergmann <arnd(a)arndb.de>
slimbus: ngd: mark PM functions as __maybe_unused
Lubomir Rintel <lkundrak(a)v3.sk>
staging: olpc_dcon: add a missing dependency
Arnd Bergmann <arnd(a)arndb.de>
scsi: raid_attrs: fix unused variable warning
Vincent Guittot <vincent.guittot(a)linaro.org>
sched/pelt: Fix warning and clean up IRQ PELT config
-------------
Diffstat:
Makefile | 4 +-
arch/arm/boot/dts/bcm2837-rpi-3-b-plus.dts | 2 +-
arch/arm/boot/dts/bcm2837-rpi-3-b.dts | 2 +-
.../arm/boot/dts/qcom-apq8064-arrow-sd-600eval.dts | 5 +
arch/arm/mach-mmp/cputype.h | 6 +-
arch/arm64/mm/dma-mapping.c | 2 +-
arch/powerpc/kernel/legacy_serial.c | 6 +-
arch/powerpc/kernel/msi.c | 7 +-
arch/x86/Makefile | 10 +-
block/bio.c | 3 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c | 36 +++++-
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 6 +
drivers/gpu/drm/amd/amdkfd/kfd_device.c | 6 +
drivers/gpu/drm/amd/powerplay/inc/smu7_ppsmc.h | 2 +
.../drm/amd/powerplay/smumgr/polaris10_smumgr.c | 6 +
drivers/gpu/drm/amd/powerplay/smumgr/smumgr.c | 3 +
drivers/gpu/drm/i915/gvt/fb_decoder.c | 2 +-
drivers/gpu/drm/i915/intel_lrc.c | 7 +-
drivers/gpu/drm/msm/disp/dpu1/dpu_dbg.c | 8 +-
drivers/gpu/drm/nouveau/dispnv50/disp.c | 30 +++--
drivers/gpu/drm/rockchip/rockchip_drm_drv.c | 6 -
drivers/i2c/busses/i2c-aspeed.c | 4 +-
drivers/md/dm-cache-metadata.c | 4 +
drivers/md/dm-thin.c | 68 ++++++------
drivers/md/dm-zoned-target.c | 122 +++++++--------------
drivers/md/dm.c | 2 +
drivers/media/common/videobuf2/videobuf2-core.c | 4 +-
drivers/mmc/core/block.c | 15 ++-
drivers/mmc/host/omap.c | 11 +-
drivers/mmc/host/sdhci-omap.c | 12 +-
drivers/mmc/host/sdhci.c | 18 ++-
drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c | 2 +-
drivers/scsi/raid_class.c | 4 +-
drivers/slimbus/qcom-ngd-ctrl.c | 6 +-
drivers/staging/olpc_dcon/Kconfig | 1 +
fs/aio.c | 2 +
fs/fuse/dir.c | 2 +-
fs/fuse/file.c | 21 ++--
fs/fuse/fuse_i.h | 2 +-
fs/iomap.c | 7 ++
fs/overlayfs/dir.c | 14 ++-
fs/overlayfs/export.c | 6 +-
fs/userfaultfd.c | 3 +-
init/Kconfig | 5 +
kernel/sched/core.c | 7 +-
kernel/sched/fair.c | 2 +-
kernel/sched/pelt.c | 2 +-
kernel/sched/pelt.h | 2 +-
kernel/sched/sched.h | 5 +-
kernel/trace/ftrace.c | 1 +
kernel/trace/trace_events_filter.c | 5 +-
kernel/trace/trace_events_trigger.c | 6 +-
scripts/spdxcheck.py | 6 +-
53 files changed, 311 insertions(+), 219 deletions(-)
This is a note to let you know that I've just added the patch titled
usb: r8a66597: Fix a possible concurrency use-after-free bug in
to my usb git tree which can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
in the usb-next branch.
The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)
The patch will also be merged in the next major kernel release
during the merge window.
If you have any questions about this process, please let me know.
From c85400f886e3d41e69966470879f635a2b50084c Mon Sep 17 00:00:00 2001
From: Jia-Ju Bai <baijiaju1990(a)gmail.com>
Date: Tue, 18 Dec 2018 20:04:25 +0800
Subject: usb: r8a66597: Fix a possible concurrency use-after-free bug in r8a66597_endpoint_disable()
The function r8a66597_endpoint_disable() and r8a66597_urb_enqueue() may
be concurrently executed.
The two functions both access a possible shared variable "hep->hcpriv".
This shared variable is freed by r8a66597_endpoint_disable() via the
call path:
r8a66597_endpoint_disable
kfree(hep->hcpriv) (line 1995 in Linux-4.19)
This variable is read by r8a66597_urb_enqueue() via the call path:
r8a66597_urb_enqueue
spin_lock_irqsave(&r8a66597->lock)
init_pipe_info
enable_r8a66597_pipe
pipe = hep->hcpriv (line 802 in Linux-4.19)
The read operation is protected by a spinlock, but the free operation
is not protected by this spinlock, thus a concurrency use-after-free bug
may occur.
To fix this bug, the spin-lock and spin-unlock function calls in
r8a66597_endpoint_disable() are moved to protect the free operation.
Signed-off-by: Jia-Ju Bai <baijiaju1990(a)gmail.com>
Cc: stable <stable(a)vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/usb/host/r8a66597-hcd.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c
index 984892dd72f5..42668aeca57c 100644
--- a/drivers/usb/host/r8a66597-hcd.c
+++ b/drivers/usb/host/r8a66597-hcd.c
@@ -1979,6 +1979,8 @@ static int r8a66597_urb_dequeue(struct usb_hcd *hcd, struct urb *urb,
static void r8a66597_endpoint_disable(struct usb_hcd *hcd,
struct usb_host_endpoint *hep)
+__acquires(r8a66597->lock)
+__releases(r8a66597->lock)
{
struct r8a66597 *r8a66597 = hcd_to_r8a66597(hcd);
struct r8a66597_pipe *pipe = (struct r8a66597_pipe *)hep->hcpriv;
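Review bot: `__acquires(r8a66597->lock)` and `__releases(r8a66597->lock)` are not needed on a function that now both takes and drops the lock on every path; sparse uses those annotations for functions that return in a different lock state than they were entered in, so here they describe an imbalance that does not exist. Drop both. Also, `hep->hcpriv` is still read into `pipe` before the lock is taken, which is fine only if this function is the sole path that frees it, as the commit message implies; a one-line comment there would save the next reader the same question.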
@@ -1991,13 +1993,14 @@ static void r8a66597_endpoint_disable(struct usb_hcd *hcd,
return;
pipenum = pipe->info.pipenum;
+ spin_lock_irqsave(&r8a66597->lock, flags);
if (pipenum == 0) {
kfree(hep->hcpriv);
hep->hcpriv = NULL;
+ spin_unlock_irqrestore(&r8a66597->lock, flags);
return;
}
- spin_lock_irqsave(&r8a66597->lock, flags);
pipe_stop(r8a66597, pipe);
pipe_irq_disable(r8a66597, pipenum);
disable_irq_empty(r8a66597, pipenum);
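Review bot: the pipenum == 0 branch now frees and clears `hep->hcpriv` under the lock and unlocks before returning, which closes the window the commit message describes; note though that `pipe->info.pipenum` (the context line just above the moved spin_lock_irqsave()) and the `return;` check before it still run unlocked, so the lock protects the free, not the earlier read. That is consistent with the enqueue side only reading under the lock. Since the lock is now held from an earlier point across pipe_stop()/pipe_irq_disable()/disable_irq_empty(), please confirm that the remainder of the function (outside this hunk) has no early exit between the moved lock and the existing spin_unlock_irqrestore().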
--
2.20.1
This is a note to let you know that I've just added the patch titled
driver core: Add missing dev->bus->need_parent_lock checks
to my driver-core git tree which can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git
in the driver-core-next branch.
The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)
The patch will also be merged in the next major kernel release
during the merge window.
If you have any questions about this process, please let me know.
From e121a833745b4708b660e3fe6776129c2956b041 Mon Sep 17 00:00:00 2001
From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com>
Date: Thu, 13 Dec 2018 19:27:47 +0100
Subject: driver core: Add missing dev->bus->need_parent_lock checks
__device_release_driver() has to check dev->bus->need_parent_lock
before dropping the parent lock and acquiring it again as it may
attempt to drop a lock that hasn't been acquired or lock a device
that shouldn't be locked and create a lock imbalance.
Fixes: 8c97a46af04b (driver core: hold dev's parent lock when needed)
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com>
Cc: stable <stable(a)vger.kernel.org>
Reviewed-by: Daniel Vetter <daniel.vetter(a)ffwll.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/base/dd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/base/dd.c b/drivers/base/dd.c
index 88713f182086..8ac10af17c00 100644
--- a/drivers/base/dd.c
+++ b/drivers/base/dd.c
@@ -933,11 +933,11 @@ static void __device_release_driver(struct device *dev, struct device *parent)
if (drv) {
while (device_links_busy(dev)) {
device_unlock(dev);
- if (parent)
+ if (parent && dev->bus->need_parent_lock)
device_unlock(parent);
device_links_unbind_consumers(dev);
- if (parent)
+ if (parent && dev->bus->need_parent_lock)
device_lock(parent);
device_lock(dev);
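Review bot: the two new conditions repeat `parent && dev->bus->need_parent_lock`, which must be the same predicate the caller used when it took the parent lock; computing it once into a local (for example `bool parent_locked = parent && dev->bus->need_parent_lock;`) and using it for both the unlock and the re-lock would keep the pair from disagreeing again, which is exactly the imbalance the Fixes: commit introduced. `dev->bus` is dereferenced without a NULL check; that relies on every device that reaches this path under `if (drv)` having a bus, which a reader has to know and a short comment would state.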
--
2.20.1
Hi Marc,
This is wrong: commit 6022fcc0e87a0eb5e9a72b15ed70dd29ebcb7343
The above is not my original patch and it should not be tagged for stable,
as it introduces the same kind of bug I intended to fix:
array_index_nospec() can now return kvm->arch.vgic.nr_spis + VGIC_NR_PRIVATE_IRQS
and this is not what you want. So, in this case the following line of code
is just fine as it is:
intid = array_index_nospec(intid, kvm->arch.vgic.nr_spis + VGIC_NR_PRIVATE_IRQS);
As the commit log says, my patch fixes:
commit 41b87599c74300027f305d7b34368ec558978ff2
not both:
commit 41b87599c74300027f305d7b34368ec558978ff2
and
commit bea2ef803ade3359026d5d357348842bca9edcf1
If you want to apply the fix on top of bea2ef803ade3359026d5d357348842bca9edcf1
then you should apply this instead:
diff --git a/virt/kvm/arm/vgic/vgic.c b/virt/kvm/arm/vgic/vgic.c
index bb1a83345741..e607547c7bb0 100644
--- a/virt/kvm/arm/vgic/vgic.c
+++ b/virt/kvm/arm/vgic/vgic.c
@@ -103,7 +103,7 @@ struct vgic_irq *vgic_get_irq(struct kvm *kvm, struct kvm_vcpu *vcpu,
{
/* SGIs and PPIs */
if (intid <= VGIC_MAX_PRIVATE) {
- intid = array_index_nospec(intid, VGIC_MAX_PRIVATE);
+ intid = array_index_nospec(intid, VGIC_MAX_PRIVATE + 1);
return &vcpu->arch.vgic_cpu.private_irqs[intid];
}
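Review bot: the bound passed to array_index_nospec() is an array length, not a maximum index: the guard `intid <= VGIC_MAX_PRIVATE` admits intid == VGIC_MAX_PRIVATE, and with a size of VGIC_MAX_PRIVATE that valid id is masked to 0, so the lookup silently returned `private_irqs[0]`; `VGIC_MAX_PRIVATE + 1` matches the guard. To keep the two from drifting apart, consider writing the guard as `if (intid < VGIC_NR_PRIVATE_IRQS)` and passing `VGIC_NR_PRIVATE_IRQS` as the bound, so the same constant serves both purposes.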
The commit log should remain the same.
Thanks
--
Gustavo
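The off-by-one Gustavo describes, as an added illustration rather than code from the vgic patch: a userspace model of the kernel's generic mask-based array_index_mask_nospec(), with VGIC_NR_PRIVATE_IRQS taken as 32 (16 SGIs + 16 PPIs) from arm_vgic.h; vgic_private_index() is my own name for the private-IRQ branch of vgic_get_irq().

```c
#include <limits.h>
#include <stdio.h>

/* From include/kvm/arm_vgic.h: 16 SGIs + 16 PPIs, VGIC_MAX_PRIVATE = 31 */
#define VGIC_NR_PRIVATE_IRQS 32UL
#define VGIC_MAX_PRIVATE     (VGIC_NR_PRIVATE_IRQS - 1)

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/*
 * Model of the kernel's generic array_index_mask_nospec(): all-ones when
 * index < size, zero otherwise, computed without a branch so the result
 * cannot be speculated past.  (size - 1 - index) wraps negative exactly
 * when index >= size, which sets the sign bit that the shift spreads.
 */
static unsigned long array_index_mask_nospec(unsigned long index,
                                             unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* index & mask: a valid index passes through, an invalid one becomes 0 */
static unsigned long array_index_nospec(unsigned long index,
                                        unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/*
 * Mirror of the private-IRQ branch of vgic_get_irq(): the guard admits
 * intid == VGIC_MAX_PRIVATE, so 'bound' must be the array length.
 * Returns the index that would select private_irqs[], or -1 when the
 * guard rejects the id (the SPI branch is not modelled).
 */
static long vgic_private_index(unsigned long intid, unsigned long bound)
{
    if (intid <= VGIC_MAX_PRIVATE)
        return (long)array_index_nospec(intid, bound);
    return -1;
}

int main(void)
{
    /* the largest valid private id under the old and the corrected bound */
    printf("intid %lu, bound %lu -> index %ld (wrong entry)\n",
           VGIC_MAX_PRIVATE, VGIC_MAX_PRIVATE,
           vgic_private_index(VGIC_MAX_PRIVATE, VGIC_MAX_PRIVATE));
    printf("intid %lu, bound %lu -> index %ld\n",
           VGIC_MAX_PRIVATE, VGIC_MAX_PRIVATE + 1,
           vgic_private_index(VGIC_MAX_PRIVATE, VGIC_MAX_PRIVATE + 1));
    return 0;
}
```

The mask relies on an arithmetic right shift of a negative long, as the kernel's version does; on gcc and clang that is what you get.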
As part of my work for the Civil Infrastructure Platform, I've been
tracking security issues in the kernel and trying to ensure that the
fixes are applied to stable branches as necessary.
The "kernel-sec" repository at
<https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec> contains
information about known issues and scripts to aid in maintaining and
viewing that information. Issues are identified by CVE ID and their
status is recorded for mainline and all live stable branches.
I import most of the information from distribution security trackers,
and from upstream commit references in stable branch commit messages.
Manual editing is needed mostly to correct errors in these sources, or
where the commits fixing an issue in a stable branch don't correspond
exactly to the commits fixing it in mainline.
I recently added a local web application that allows browsing the
status of all branches and issues, complete with links to references
and related commits. There is also a simple reporting script that
lists open issues for each branch.
If you're interested in security support for stable branches, please
take a look at this.
I would welcome merge requests to add to the issue data or to improve
the scripts.
Ben.
--
Ben Hutchings, Software Developer Codethink Ltd
https://www.codethink.co.uk/ Dale House, 35 Dale Street
Manchester, M1 2HF, United Kingdom
This is a note to let you know that I've just added the patch titled
binder: fix use-after-free due to ksys_close() during fdget()
to my char-misc git tree which can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
in the char-misc-next branch.
The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)
The patch will also be merged in the next major kernel release
during the merge window.
If you have any questions about this process, please let me know.
From 80cd795630d6526ba729a089a435bf74a57af927 Mon Sep 17 00:00:00 2001
From: Todd Kjos <tkjos(a)android.com>
Date: Fri, 14 Dec 2018 15:58:21 -0800
Subject: binder: fix use-after-free due to ksys_close() during fdget()
44d8047f1d8 ("binder: use standard functions to allocate fds")
exposed a pre-existing issue in the binder driver.
fdget() is used in ksys_ioctl() as a performance optimization.
One of the rules associated with fdget() is that ksys_close() must
not be called between the fdget() and the fdput(). There is a case
where this requirement is not met in the binder driver which results
in the reference count dropping to 0 when the device is still in
use. This can result in use-after-free or other issues.
If userspace has passed a file-descriptor for the binder driver using
a BINDER_TYPE_FDA object, then ksys_close() is called on it when
handling a binder_ioctl(BC_FREE_BUFFER) command. This violates
the assumptions for using fdget().
The problem is fixed by deferring the close using task_work_add(). A
new variant of __close_fd() was created that returns a struct file
with a reference. The fput() is deferred instead of using ksys_close().
Fixes: 44d8047f1d87a ("binder: use standard functions to allocate fds")
Suggested-by: Al Viro <viro(a)zeniv.linux.org.uk>
Signed-off-by: Todd Kjos <tkjos(a)google.com>
Cc: stable <stable(a)vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/android/binder.c | 63 ++++++++++++++++++++++++++++++++++++++--
fs/file.c | 29 ++++++++++++++++++
include/linux/fdtable.h | 1 +
3 files changed, 91 insertions(+), 2 deletions(-)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index d653e8a474fc..210940bd0457 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -72,6 +72,7 @@
#include <linux/spinlock.h>
#include <linux/ratelimit.h>
#include <linux/syscalls.h>
+#include <linux/task_work.h>
#include <uapi/linux/android/binder.h>
@@ -2170,6 +2171,64 @@ static bool binder_validate_fixup(struct binder_buffer *b,
return (fixup_offset >= last_min_offset);
}
+/**
+ * struct binder_task_work_cb - for deferred close
+ *
+ * @twork: callback_head for task work
+ * @fd: fd to close
+ *
+ * Structure to pass task work to be handled after
+ * returning from binder_ioctl() via task_work_add().
+ */
+struct binder_task_work_cb {
+ struct callback_head twork;
+ struct file *file;
+};
+
+/**
+ * binder_do_fd_close() - close list of file descriptors
+ * @twork: callback head for task work
+ *
+ * It is not safe to call ksys_close() during the binder_ioctl()
+ * function if there is a chance that binder's own file descriptor
+ * might be closed. This is to meet the requirements for using
+ * fdget() (see comments for __fget_light()). Therefore use
+ * task_work_add() to schedule the close operation once we have
+ * returned from binder_ioctl(). This function is a callback
+ * for that mechanism and does the actual ksys_close() on the
+ * given file descriptor.
+ */
+static void binder_do_fd_close(struct callback_head *twork)
+{
+ struct binder_task_work_cb *twcb = container_of(twork,
+ struct binder_task_work_cb, twork);
+
+ fput(twcb->file);
+ kfree(twcb);
+}
+
+/**
+ * binder_deferred_fd_close() - schedule a close for the given file-descriptor
+ * @fd: file-descriptor to close
+ *
+ * See comments in binder_do_fd_close(). This function is used to schedule
+ * a file-descriptor to be closed after returning from binder_ioctl().
+ */
+static void binder_deferred_fd_close(int fd)
+{
+ struct binder_task_work_cb *twcb;
+
+ twcb = kzalloc(sizeof(*twcb), GFP_KERNEL);
+ if (!twcb)
+ return;
+ init_task_work(&twcb->twork, binder_do_fd_close);
+ __close_fd_get_file(fd, &twcb->file);
+ if (twcb->file)
+ task_work_add(current, &twcb->twork, true);
+ else
+ kfree(twcb);
+}
+
static void binder_transaction_buffer_release(struct binder_proc *proc,
struct binder_buffer *buffer,
binder_size_t *failed_at)
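Review bot: the return value of `task_work_add(current, &twcb->twork, true)` is ignored; task_work_add() can fail when the task is already exiting, and in that case `twcb` and the file reference obtained from __close_fd_get_file() are both leaked and the file is never released. Check the result and fall back to `fput(twcb->file); kfree(twcb);` on error. Two smaller points in the same hunk: the kernel-doc for struct binder_task_work_cb documents `@fd: fd to close` but the member is `struct file *file`, and binder_do_fd_close()'s comment says it "does the actual ksys_close()" while the body does an fput(); both should match the code. The kzalloc() failure path also returns silently, leaving the fd open with no indication to the caller.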
@@ -2309,7 +2368,7 @@ static void binder_transaction_buffer_release(struct binder_proc *proc,
}
fd_array = (u32 *)(parent_buffer + (uintptr_t)fda->parent_offset);
for (fd_index = 0; fd_index < fda->num_fds; fd_index++)
- ksys_close(fd_array[fd_index]);
+ binder_deferred_fd_close(fd_array[fd_index]);
} break;
default:
pr_err("transaction release %d bad object type %x\n",
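Review bot: each fd in the array is now closed after binder_ioctl() returns instead of inline, which satisfies the fdget() rule the commit message cites; but binder_deferred_fd_close() returns void, so an fd whose deferred close could not be scheduled stays open and this loop cannot tell. Consider returning an error from binder_deferred_fd_close() and at least logging it here, since a descriptor leaked in the receiving process is otherwise invisible.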
@@ -3928,7 +3987,7 @@ static int binder_apply_fd_fixups(struct binder_transaction *t)
} else if (ret) {
u32 *fdp = (u32 *)(t->buffer->data + fixup->offset);
- ksys_close(*fdp);
+ binder_deferred_fd_close(*fdp);
}
list_del(&fixup->fixup_entry);
kfree(fixup);
diff --git a/fs/file.c b/fs/file.c
index 7ffd6e9d103d..8d059d8973e9 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -640,6 +640,35 @@ int __close_fd(struct files_struct *files, unsigned fd)
}
EXPORT_SYMBOL(__close_fd); /* for ksys_close() */
+/*
+ * variant of __close_fd that gets a ref on the file for later fput
+ */
+int __close_fd_get_file(unsigned int fd, struct file **res)
+{
+ struct files_struct *files = current->files;
+ struct file *file;
+ struct fdtable *fdt;
+
+ spin_lock(&files->file_lock);
+ fdt = files_fdtable(files);
+ if (fd >= fdt->max_fds)
+ goto out_unlock;
+ file = fdt->fd[fd];
+ if (!file)
+ goto out_unlock;
+ rcu_assign_pointer(fdt->fd[fd], NULL);
+ __put_unused_fd(files, fd);
+ spin_unlock(&files->file_lock);
+ get_file(file);
+ *res = file;
+ return filp_close(file, files);
+
+out_unlock:
+ spin_unlock(&files->file_lock);
+ *res = NULL;
+ return -ENOENT;
+}
+
void do_close_on_exec(struct files_struct *files)
{
unsigned i;
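Review bot: the ownership contract of __close_fd_get_file() needs spelling out in its comment: on success `*res` carries a reference the caller must fput() regardless of what filp_close() returned, and on failure `*res` is NULL with -ENOENT (__close_fd() reports a missing descriptor as -EBADF; be deliberate about the difference). Also compare with __close_fd() directly above this hunk: it clears the slot's close-on-exec bit before __put_unused_fd(), and that step is absent here, so a later reuse of this fd number could inherit a stale flag. Taking get_file() after dropping file_lock is correct only because the fd table's own reference is still held until filp_close() consumes it; a one-line comment would make that explicit.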
diff --git a/include/linux/fdtable.h b/include/linux/fdtable.h
index 41615f38bcff..f07c55ea0c22 100644
--- a/include/linux/fdtable.h
+++ b/include/linux/fdtable.h
@@ -121,6 +121,7 @@ extern void __fd_install(struct files_struct *files,
unsigned int fd, struct file *file);
extern int __close_fd(struct files_struct *files,
unsigned int fd);
+extern int __close_fd_get_file(unsigned int fd, struct file **res);
extern struct kmem_cache *files_cachep;
--
2.20.1
On Tue, 18 Dec 2018 at 21:41, Sasha Levin <sashal(a)kernel.org> wrote:
>
> Hi,
>
> [This is an automated email]
>
> This commit has been processed because it contains a -stable tag.
> The stable tag indicates that it's relevant for the following trees: all
>
> The bot has tested the following trees: v4.19.10, v4.14.89, v4.9.146, v4.4.168, v3.18.130,
>
Please disregard this patch for -stable until we decide how we are
going to fix the 32-bit array packing issue.
> v4.19.10: Build OK!
> v4.14.89: Build OK!
> v4.9.146: Failed to apply! Possible dependencies:
> 2f74f09bce4f ("efi: parse ARM processor error")
> 5b53696a30d5 ("ACPI / APEI: Switch to use new generic UUID API")
> bbcc2e7b642e ("ras: acpi/apei: cper: add support for generic data v3 structure")
> c0020756315e ("efi: switch to use new generic UUID API")
>
> v4.4.168: Failed to apply! Possible dependencies:
> 2c23b73c2d02 ("x86/efi: Prepare GOP handling code for reuse as generic code")
> 2f74f09bce4f ("efi: parse ARM processor error")
> 5b53696a30d5 ("ACPI / APEI: Switch to use new generic UUID API")
> ba7e34b1bbd2 ("include/linux/efi.h: redefine type, constant, macro from generic code")
> bbcc2e7b642e ("ras: acpi/apei: cper: add support for generic data v3 structure")
> c0020756315e ("efi: switch to use new generic UUID API")
>
> v3.18.130: Failed to apply! Possible dependencies:
> 1bd0abb0c924 ("arm64/efi: set EFI_ALLOC_ALIGN to 64 KB")
> 23a0d4e8fa6d ("efi: Disable interrupts around EFI calls, not in the epilog/prolog calls")
> 2c23b73c2d02 ("x86/efi: Prepare GOP handling code for reuse as generic code")
> 2f74f09bce4f ("efi: parse ARM processor error")
> 4c62360d7562 ("efi: Handle memory error structures produced based on old versions of standard")
> 4ee20980812b ("arm64: fix data type for physical address")
> 5b53696a30d5 ("ACPI / APEI: Switch to use new generic UUID API")
> 60305db98845 ("arm64/efi: move virtmap init to early initcall")
> 744937b0b12a ("efi: Clean up the efi_call_phys_[prolog|epilog]() save/restore interaction")
> 790a2ee24278 ("Merge tag 'efi-next' of git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi into core/efi")
> 8a53554e12e9 ("x86/efi: Fix multiple GOP device support")
> 8ce837cee8f5 ("arm64/mm: add create_pgd_mapping() to create private page tables")
> 9679be103108 ("arm64/efi: remove idmap manipulations from UEFI code")
> a352ea3e197b ("arm64/efi: set PE/COFF file alignment to 512 bytes")
> b05b9f5f9dcf ("x86, mirror: x86 enabling - find mirrored memory ranges")
> ba7e34b1bbd2 ("include/linux/efi.h: redefine type, constant, macro from generic code")
> bbcc2e7b642e ("ras: acpi/apei: cper: add support for generic data v3 structure")
> c0020756315e ("efi: switch to use new generic UUID API")
> d1ae8c005792 ("arm64: dmi: Add SMBIOS/DMI support")
> da141706aea5 ("arm64: add better page protections to arm64")
> e1e1fddae74b ("arm64/mm: add explicit struct_mm argument to __create_mapping()")
> ea6bc80d1819 ("arm64/efi: set PE/COFF section alignment to 4 KB")
> f3cdfd239da5 ("arm64/efi: move SetVirtualAddressMap() to UEFI stub")
>
>
> How should we proceed with this patch?
>
> --
> Thanks,
> Sasha