Linux-stable-mirror

linux-stable-mirror@lists.linaro.org

250 participants
124076 discussions

[PATCH 4.14 000/100] 4.14.85-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.14.85 release. There are 100 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat Dec 1 14:00:29 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.85-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.14.85-rc1 Mimi Zohar <zohar(a)linux.vnet.ibm.com> ima: re-initialize iint->atomic_flags Dmitry Kasatkin <dmitry.kasatkin(a)gmail.com> ima: re-introduce own integrity cache lock Matthew Garrett <mjg59(a)google.com> EVM: Add support for portable signature format Mimi Zohar <zohar(a)linux.vnet.ibm.com> ima: always measure and audit files in policy Alexander Aring <aring(a)mojatatu.com> net: ieee802154: 6lowpan: fix frag reassembly Paul E. McKenney <paulmck(a)linux.vnet.ibm.com> rcu: Make need_resched() respond to urgent RCU-QS needs Janosch Frank <frankja(a)linux.ibm.com> s390/mm: Check for valid vma before zapping in gmap_discard Phil Elwell <phil(a)raspberrypi.org> lan78xx: Read MAC address from DT if present Salvatore Mesoraca <s.mesoraca16(a)gmail.com> namei: allow restricted O_CREAT of FIFOs and regular files Aaron Ma <aaron.ma(a)canonical.com> usb: xhci: fix uninitialized completion when USB3 port got wrong status Greg Kroah-Hartman <greg(a)kroah.com> tty: wipe buffer if not echoing data Linus Torvalds <torvalds(a)linux-foundation.org> tty: wipe buffer. Sebastien Boisvert <sebhtml(a)videotron.qc.ca> include/linux/pfn_t.h: force '~' to be parsed as an unary operator Jeffy Chen <jeffy.chen(a)rock-chips.com> driver core: Move device_links_purge() after bus_remove_device() Krzysztof Kozlowski <krzk(a)kernel.org> ARM: dts: exynos: Fix invalid node referenced by i2c20 alias in Peach Pit and Pi Marek Szyprowski <m.szyprowski(a)samsung.com> clk: samsung: exynos5250: Add missing clocks for FIMC LITE SYSMMU devices Alexandre Belloni <alexandre.belloni(a)free-electrons.com> rtc: omap: fix error path when pinctrl_register fails Mustafa Ismail <mustafa.ismail(a)intel.com> i40iw: Fix memory leak in error path of create QP Eran Ben Elisha <eranbe(a)mellanox.com> net/mlx4_core: Fix wrong calculation of free counters Niklas Cassel <niklas.cassel(a)axis.com> PCI: endpoint: Populate func_no before calling pci_epc_add_epf() Stefan Agner <stefan(a)agner.ch> kbuild: allow to use GCC toolchain not in Clang search path Matt Chen <matt.chen(a)intel.com> iwlwifi: fix wrong WGDS_WIFI_DATA_SIZE Ramses Ramírez <ramzeto(a)gmail.com> Input: xpad - add support for Xbox1 PDP Camo series gamepad Marcus Folkesson <marcus.folkesson(a)gmail.com> Input: xpad - avoid using __set_bit() for capabilities Leo Sperling <leosperling97(a)gmail.com> Input: xpad - fix some coding style issues Francis Therien <frtherien(a)gmail.com> Input: xpad - add PDP device id 0x02a4 Richard Weinberger <richard(a)nod.at> ubi: fastmap: Check each mapping only once Johan Hovold <johan(a)kernel.org> mtd: rawnand: atmel: fix OF child-node lookup Cherian, George <George.Cherian(a)cavium.com> xhci: Add quirk to workaround the errata seen on Cavium Thunder-X2 Soc Marc Zyngier <marc.zyngier(a)arm.com> xhci: Allow more than 32 quirks Greg Hackmann <ghackmann(a)android.com> arm64: remove no-op -p linker flag Johan Hovold <johan(a)kernel.org> power: supply: twl4030-charger: fix OF sibling-node lookup Johan Hovold <johan(a)kernel.org> drm/mediatek: fix OF sibling-node lookup Johan Hovold <johan(a)kernel.org> net: bcmgenet: fix OF child-node lookup Johan Hovold <johan(a)kernel.org> NFC: nfcmrvl_uart: fix OF child-node lookup Johan Hovold <johan(a)kernel.org> of: add helper to lookup compatible child node Michal Hocko <mhocko(a)suse.com> mm, page_alloc: check for max order in hot path Yufen Yu <yuyufen(a)huawei.com> tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative offset Vitaly Wool <vitalywool(a)gmail.com> z3fold: fix possible reclaim races Ard Biesheuvel <ard.biesheuvel(a)linaro.org> efi/arm: Revert deferred unmap of early memmap mapping Satheesh Rajendran <sathnaga(a)linux.vnet.ibm.com> powerpc/numa: Suppress "VPHN is not supported" messages Prarit Bhargava <prarit(a)redhat.com> kdb: Use strscpy with destination buffer size Trond Myklebust <trond.myklebust(a)hammerspace.com> SUNRPC: Fix a bogus get/put in generic_key_to_expire() Russell King <rmk+kernel(a)armlinux.org.uk> ARM: spectre-v2: per-CPU vtables to work around big.Little systems Russell King <rmk+kernel(a)armlinux.org.uk> ARM: add PROC_VTABLE and PROC_TABLE macros Russell King <rmk+kernel(a)armlinux.org.uk> ARM: clean up per-processor check_bugs method call Russell King <rmk+kernel(a)armlinux.org.uk> ARM: make lookup_processor_type() non-__init Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Add more IMC PCI IDs for KabyLake and CoffeeLake CPUs Michael Ellerman <mpe(a)ellerman.id.au> powerpc/io: Fix the IO workarounds code to work with Radix Jens Axboe <axboe(a)kernel.dk> floppy: fix race condition in __floppy_read_block_0() Ard Biesheuvel <ard.biesheuvel(a)linaro.org> crypto: simd - correctly take reqsize of wrapped skcipher into account Xulin Sun <xulin.sun(a)windriver.com> rtc: pcf2127: fix a kmemleak caused in pcf2127_i2c_gather_write Anson Huang <anson.huang(a)nxp.com> cpufreq: imx6q: add return value check for voltage scale Scott Wood <oss(a)buserror.net> KVM: PPC: Move and undef TRACE_INCLUDE_PATH/FILE Jerome Brunet <jbrunet(a)baylibre.com> pinctrl: meson: fix pinconf bias disable Michael J. Ruhl <michael.j.ruhl(a)intel.com> IB/hfi1: Eliminate races in the SDMA send error path Erik Schmauss <erik.schmauss(a)intel.com> ACPICA: AML interpreter: add region addresses in global list during initialization Lukas Wunner <lukas(a)wunner.de> can: hi311x: Use level-triggered interrupt Oliver Hartkopp <socketcan(a)hartkopp.net> can: raw: check for CAN FD capable netdev in raw_sendmsg() Oleksij Rempel <o.rempel(a)pengutronix.de> can: rx-offload: rename can_rx_offload_irq_queue_err_skb() to can_rx_offload_queue_tail() Oleksij Rempel <o.rempel(a)pengutronix.de> can: rx-offload: introduce can_rx_offload_get_echo_skb() and can_rx_offload_queue_sorted() functions Marc Kleine-Budde <mkl(a)pengutronix.de> can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb Marc Kleine-Budde <mkl(a)pengutronix.de> can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb is accessed out of bounds Marc Kleine-Budde <mkl(a)pengutronix.de> can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length Marc Kleine-Budde <mkl(a)pengutronix.de> can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb() Thomas Zimmermann <tzimmermann(a)suse.de> drm/ast: Remove existing framebuffers before loading driver Y.C. Chen <yc_chen(a)aspeedtech.com> drm/ast: fixed cursor may disappear sometimes Y.C. Chen <yc_chen(a)aspeedtech.com> drm/ast: change resolution may cause screen blurred Mathias Nyman <mathias.nyman(a)linux.intel.com> usb: xhci: Prevent bus suspend if a port connect change or polling state is detected Parav Pandit <parav(a)mellanox.com> IB/core: Perform modify QP on real one Eric Dumazet <edumazet(a)google.com> tcp: do not release socket ownership in tcp_close() Aneesh Kumar K.V <aneesh.kumar(a)linux.ibm.com> mm/memory.c: recheck page table entry with page table lock held Dmitry Vyukov <dvyukov(a)google.com> mm: don't warn about large allocations for slab Eric Dumazet <edumazet(a)google.com> llc: do not use sk_eat_skb() Andrew Price <anprice(a)redhat.com> gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd Xin Long <lucien.xin(a)gmail.com> sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> bfs: add sanity check at bfs_fill_super() Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: synaptics - avoid using uninitialized variable when probing Tetsuo Handa <penguin-kernel(a)i-love.sakura.ne.jp> selinux: Add __GFP_NOWARN to allocation at str_read() Dominique Martinet <dominique.martinet(a)cea.fr> v9fs_dir_readdir: fix double-free on p9stat_read error Konstantin Khlebnikov <khlebnikov(a)yandex-team.ru> tools/power/cpupower: fix compilation with STATIC=true Rafał Miłecki <rafal(a)milecki.pl> brcmfmac: fix reporting support for 160 MHz channels Luca Coelho <luciano.coelho(a)intel.com> iwlwifi: mvm: don't use SAR Geo if basic SAR is not used Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> iwlwifi: mvm: fix regulatory domain update when the firmware starts Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> iwlwifi: mvm: support sta_statistics() even on older firmware Vladimir Zapolskiy <vz(a)mleia.com> gpio: don't free unallocated ida on gpiochip_add_data_with_key() error path Rajat Jain <rajatja(a)google.com> mmc: sdhci-pci: Try "cd" for card-detect lookup before using NULL Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> MAINTAINERS: Add Sasha as a stable branch maintainer Takashi Iwai <tiwai(a)suse.de> ALSA: oss: Use kvzalloc() for local buffer allocations Aaron Ma <aaron.ma(a)canonical.com> usb: xhci: fix timeout for transition from RExit to U0 Sandeep Singh <sandeep.singh(a)amd.com> xhci: Add check for invalid byte size error when UAS devices are connected. Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: dwc3: core: Clean up ULPI device Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> usb: dwc3: gadget: Properly check last unaligned/zero chain TRB Felipe Balbi <felipe.balbi(a)linux.intel.com> usb: dwc3: gadget: fix ISOC TRB type on unaligned transfers Dennis Wassenberg <dennis.wassenberg(a)secunet.com> usb: core: Fix hub port connection events lost Stefan Agner <stefan(a)agner.ch> ARM: trusted_foundations: do not use naked function Stefan Agner <stefan(a)agner.ch> bus: arm-cci: remove unnecessary unreachable() Stefan Agner <stefan(a)agner.ch> ARM: 8767/1: add support for building ARM kernel with clang Stefan Agner <stefan(a)agner.ch> ARM: 8766/1: drop no-thumb-interwork in EABI mode Alistair Strachan <astrachan(a)google.com> efi/libstub: arm: support building with clang ------------- Diffstat: .../devicetree/bindings/net/can/holt_hi311x.txt | 2 +- Documentation/sysctl/fs.txt | 36 +++++++ MAINTAINERS | 1 + Makefile | 12 ++- arch/arm/Makefile | 2 +- arch/arm/boot/compressed/Makefile | 2 +- arch/arm/boot/dts/exynos5420-peach-pit.dts | 4 +- arch/arm/boot/dts/exynos5800-peach-pi.dts | 4 +- arch/arm/firmware/trusted_foundations.c | 14 ++- arch/arm/include/asm/proc-fns.h | 61 ++++++++--- arch/arm/kernel/bugs.c | 4 +- arch/arm/kernel/head-common.S | 6 +- arch/arm/kernel/setup.c | 9 +- arch/arm/kernel/smp.c | 31 ++++++ arch/arm/mm/proc-v7-bugs.c | 17 +-- arch/arm64/Makefile | 2 +- arch/powerpc/include/asm/io.h | 20 ++-- arch/powerpc/kvm/trace.h | 8 +- arch/powerpc/kvm/trace_booke.h | 9 +- arch/powerpc/kvm/trace_hv.h | 9 +- arch/powerpc/kvm/trace_pr.h | 9 +- arch/powerpc/mm/numa.c | 2 +- arch/s390/mm/gmap.c | 2 + arch/x86/events/intel/uncore_snb.c | 115 ++++++++++++++++++++- crypto/simd.c | 5 +- drivers/acpi/acpica/dsopcode.c | 4 + drivers/base/core.c | 2 +- drivers/block/floppy.c | 3 +- drivers/bus/arm-cci.c | 2 - drivers/clk/samsung/clk-exynos5250.c | 6 ++ drivers/cpufreq/imx6q-cpufreq.c | 7 +- drivers/firmware/efi/arm-init.c | 4 + drivers/firmware/efi/arm-runtime.c | 2 +- drivers/firmware/efi/libstub/Makefile | 3 +- drivers/firmware/efi/memmap.c | 3 + drivers/gpio/gpiolib.c | 5 +- drivers/gpu/drm/ast/ast_drv.c | 21 ++++ drivers/gpu/drm/ast/ast_mode.c | 3 +- drivers/gpu/drm/mediatek/mtk_hdmi.c | 5 +- drivers/infiniband/core/verbs.c | 5 +- drivers/infiniband/hw/hfi1/user_sdma.c | 87 +++++++--------- drivers/infiniband/hw/hfi1/user_sdma.h | 3 - drivers/infiniband/hw/i40iw/i40iw_verbs.c | 2 +- drivers/input/joystick/xpad.c | 45 +++++--- drivers/input/mouse/synaptics.c | 4 +- drivers/mmc/host/sdhci-pci-core.c | 7 +- drivers/mtd/nand/atmel/nand-controller.c | 11 +- drivers/mtd/ubi/build.c | 1 + drivers/mtd/ubi/eba.c | 4 + drivers/mtd/ubi/fastmap.c | 20 ++++ drivers/mtd/ubi/ubi.h | 11 ++ drivers/mtd/ubi/vmt.c | 1 + drivers/mtd/ubi/vtbl.c | 16 ++- drivers/net/can/dev.c | 48 ++++++--- drivers/net/can/flexcan.c | 4 +- drivers/net/can/rx-offload.c | 51 ++++++++- drivers/net/can/spi/hi311x.c | 2 +- drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 +- .../net/ethernet/mellanox/mlx4/resource_tracker.c | 1 - drivers/net/usb/lan78xx.c | 42 ++++---- .../broadcom/brcm80211/brcmfmac/cfg80211.c | 3 +- drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 40 +++++-- drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 12 +-- drivers/net/wireless/intel/iwlwifi/mvm/nvm.c | 5 +- drivers/nfc/nfcmrvl/uart.c | 5 +- drivers/of/base.c | 25 +++++ drivers/pci/endpoint/pci-ep-cfs.c | 14 ++- drivers/pinctrl/meson/pinctrl-meson.c | 2 +- drivers/power/supply/twl4030_charger.c | 5 +- drivers/rtc/rtc-omap.c | 3 +- drivers/rtc/rtc-pcf2127.c | 3 + drivers/tty/n_tty.c | 20 +++- drivers/tty/tty_buffer.c | 6 +- drivers/usb/core/hub.c | 4 +- drivers/usb/dwc3/core.c | 1 + drivers/usb/dwc3/gadget.c | 8 +- drivers/usb/host/xhci-hub.c | 66 +++++++++--- drivers/usb/host/xhci-pci.c | 5 + drivers/usb/host/xhci-ring.c | 38 ++++++- drivers/usb/host/xhci.c | 6 +- drivers/usb/host/xhci.h | 67 ++++++------ fs/9p/vfs_dir.c | 11 -- fs/bfs/inode.c | 9 +- fs/gfs2/ops_fstype.c | 2 +- fs/namei.c | 53 +++++++++- include/linux/can/dev.h | 1 + include/linux/can/rx-offload.h | 7 +- include/linux/fs.h | 2 + include/linux/integrity.h | 1 + include/linux/of.h | 8 ++ include/linux/pfn_t.h | 2 +- include/net/sock.h | 1 + kernel/debug/kdb/kdb_io.c | 15 +-- kernel/debug/kdb/kdb_private.h | 2 +- kernel/debug/kdb/kdb_support.c | 10 +- kernel/rcu/tree.c | 9 ++ kernel/sysctl.c | 18 ++++ mm/memory.c | 34 +++++- mm/page_alloc.c | 20 ++-- mm/shmem.c | 4 +- mm/slab.c | 4 + mm/slab_common.c | 12 +-- mm/z3fold.c | 101 +++++++++++------- net/can/raw.c | 15 +-- net/core/sock.c | 2 +- net/ieee802154/6lowpan/6lowpan_i.h | 4 +- net/ieee802154/6lowpan/reassembly.c | 14 +-- net/ipv4/tcp.c | 11 +- net/llc/af_llc.c | 11 +- net/sctp/associola.c | 10 +- net/sunrpc/auth_generic.c | 8 +- security/integrity/evm/evm.h | 2 +- security/integrity/evm/evm_crypto.c | 75 ++++++++++++-- security/integrity/evm/evm_main.c | 29 ++++-- security/integrity/iint.c | 3 + security/integrity/ima/ima_api.c | 67 +++++++----- security/integrity/ima/ima_appraise.c | 31 +++--- security/integrity/ima/ima_crypto.c | 10 ++ security/integrity/ima/ima_main.c | 77 +++++++++----- security/integrity/integrity.h | 18 +++- security/selinux/ss/policydb.c | 2 +- sound/core/oss/pcm_oss.c | 6 +- sound/core/oss/pcm_plugin.c | 6 +- tools/power/cpupower/bench/Makefile | 2 +- tools/power/cpupower/lib/cpufreq.c | 2 +- tools/power/cpupower/lib/cpuidle.c | 2 +- tools/power/cpupower/lib/cpupower.c | 4 +- tools/power/cpupower/lib/cpupower_intern.h | 2 +- 128 files changed, 1351 insertions(+), 549 deletions(-)

7 years, 1 month

FAILED: patch "[PATCH] ASoC: intel: cht_bsw_max98090_ti: Add quirk for boards using" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From a182ecd3809c8d5a2da80c520f3602e301c5317e Mon Sep 17 00:00:00 2001 From: Hans de Goede <hdegoede(a)redhat.com> Date: Wed, 31 Oct 2018 15:22:25 +0100 Subject: [PATCH] ASoC: intel: cht_bsw_max98090_ti: Add quirk for boards using pmc_plt_clk_0 Some boards such as the Swanky model Chromebooks use pmc_plt_clk_0 for the mclk instead of pmc_plt_clk_3. This commit adds a DMI based quirk for this. This fixing audio no longer working on these devices after commit 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL") that commit fixes us unnecessary keeping unused clocks on, but in case of the Swanky that was breaking audio support since we were not using the right clock in the cht_bsw_max98090_ti machine driver. Cc: stable(a)vger.kernel.org Fixes: 648e921888ad ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL") Reported-and-tested-by: Dean Wallace <duffydack73(a)gmail.com> Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/sound/soc/intel/boards/cht_bsw_max98090_ti.c b/sound/soc/intel/boards/cht_bsw_max98090_ti.c index db6976f4ddaa..9d9f6e41d81c 100644 --- a/sound/soc/intel/boards/cht_bsw_max98090_ti.c +++ b/sound/soc/intel/boards/cht_bsw_max98090_ti.c @@ -19,6 +19,7 @@ * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */ +#include <linux/dmi.h> #include <linux/module.h> #include <linux/platform_device.h> #include <linux/slab.h> @@ -35,6 +36,8 @@ #define CHT_PLAT_CLK_3_HZ 19200000 #define CHT_CODEC_DAI "HiFi" +#define QUIRK_PMC_PLT_CLK_0 0x01 + struct cht_mc_private { struct clk *mclk; struct snd_soc_jack jack; @@ -385,11 +388,29 @@ static struct snd_soc_card snd_soc_card_cht = { .num_controls = ARRAY_SIZE(cht_mc_controls), }; +static const struct dmi_system_id cht_max98090_quirk_table[] = { + { + /* Swanky model Chromebook (Toshiba Chromebook 2) */ + .matches = { + DMI_MATCH(DMI_PRODUCT_NAME, "Swanky"), + }, + .driver_data = (void *)QUIRK_PMC_PLT_CLK_0, + }, + {} +}; + static int snd_cht_mc_probe(struct platform_device *pdev) { + const struct dmi_system_id *dmi_id; struct device *dev = &pdev->dev; int ret_val = 0; struct cht_mc_private *drv; + const char *mclk_name; + int quirks = 0; + + dmi_id = dmi_first_match(cht_max98090_quirk_table); + if (dmi_id) + quirks = (unsigned long)dmi_id->driver_data; drv = devm_kzalloc(&pdev->dev, sizeof(*drv), GFP_KERNEL); if (!drv) @@ -411,11 +432,16 @@ static int snd_cht_mc_probe(struct platform_device *pdev) snd_soc_card_cht.dev = &pdev->dev; snd_soc_card_set_drvdata(&snd_soc_card_cht, drv); - drv->mclk = devm_clk_get(&pdev->dev, "pmc_plt_clk_3"); + if (quirks & QUIRK_PMC_PLT_CLK_0) + mclk_name = "pmc_plt_clk_0"; + else + mclk_name = "pmc_plt_clk_3"; + + drv->mclk = devm_clk_get(&pdev->dev, mclk_name); if (IS_ERR(drv->mclk)) { dev_err(&pdev->dev, - "Failed to get MCLK from pmc_plt_clk_3: %ld\n", - PTR_ERR(drv->mclk)); + "Failed to get MCLK from %s: %ld\n", + mclk_name, PTR_ERR(drv->mclk)); return PTR_ERR(drv->mclk); }

7 years, 1 month

FAILED: patch "[PATCH] binder: fix race that allows malicious free of live buffer" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 7bada55ab50697861eee6bb7d60b41e68a961a9c Mon Sep 17 00:00:00 2001 From: Todd Kjos <tkjos(a)android.com> Date: Tue, 6 Nov 2018 15:55:32 -0800 Subject: [PATCH] binder: fix race that allows malicious free of live buffer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Malicious code can attempt to free buffers using the BC_FREE_BUFFER ioctl to binder. There are protections against a user freeing a buffer while in use by the kernel, however there was a window where BC_FREE_BUFFER could be used to free a recently allocated buffer that was not completely initialized. This resulted in a use-after-free detected by KASAN with a malicious test program. This window is closed by setting the buffer's allow_user_free attribute to 0 when the buffer is allocated or when the user has previously freed it instead of waiting for the caller to set it. The problem was that when the struct buffer was recycled, allow_user_free was stale and set to 1 allowing a free to go through. Signed-off-by: Todd Kjos <tkjos(a)google.com> Acked-by: Arve Hjønnevåg <arve(a)android.com> Cc: stable <stable(a)vger.kernel.org> # 4.14 Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/android/binder.c b/drivers/android/binder.c index cb30a524d16d..9f1000d2a40c 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2974,7 +2974,6 @@ static void binder_transaction(struct binder_proc *proc, t->buffer = NULL; goto err_binder_alloc_buf_failed; } - t->buffer->allow_user_free = 0; t->buffer->debug_id = t->debug_id; t->buffer->transaction = t; t->buffer->target_node = target_node; @@ -3510,14 +3509,18 @@ static int binder_thread_write(struct binder_proc *proc, buffer = binder_alloc_prepare_to_free(&proc->alloc, data_ptr); - if (buffer == NULL) { - binder_user_error("%d:%d BC_FREE_BUFFER u%016llx no match\n", - proc->pid, thread->pid, (u64)data_ptr); - break; - } - if (!buffer->allow_user_free) { - binder_user_error("%d:%d BC_FREE_BUFFER u%016llx matched unreturned buffer\n", - proc->pid, thread->pid, (u64)data_ptr); + if (IS_ERR_OR_NULL(buffer)) { + if (PTR_ERR(buffer) == -EPERM) { + binder_user_error( + "%d:%d BC_FREE_BUFFER u%016llx matched unreturned or currently freeing buffer\n", + proc->pid, thread->pid, + (u64)data_ptr); + } else { + binder_user_error( + "%d:%d BC_FREE_BUFFER u%016llx no match\n", + proc->pid, thread->pid, + (u64)data_ptr); + } break; } binder_debug(BINDER_DEBUG_FREE_BUFFER, diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c index 64fd96eada31..030c98f35cca 100644 --- a/drivers/android/binder_alloc.c +++ b/drivers/android/binder_alloc.c @@ -151,16 +151,12 @@ static struct binder_buffer *binder_alloc_prepare_to_free_locked( else { /* * Guard against user threads attempting to - * free the buffer twice + * free the buffer when in use by kernel or + * after it's already been freed. */ - if (buffer->free_in_progress) { - binder_alloc_debug(BINDER_DEBUG_USER_ERROR, - "%d:%d FREE_BUFFER u%016llx user freed buffer twice\n", - alloc->pid, current->pid, - (u64)user_ptr); - return NULL; - } - buffer->free_in_progress = 1; + if (!buffer->allow_user_free) + return ERR_PTR(-EPERM); + buffer->allow_user_free = 0; return buffer; } } @@ -500,7 +496,7 @@ static struct binder_buffer *binder_alloc_new_buf_locked( rb_erase(best_fit, &alloc->free_buffers); buffer->free = 0; - buffer->free_in_progress = 0; + buffer->allow_user_free = 0; binder_insert_allocated_buffer_locked(alloc, buffer); binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC, "%d: binder_alloc_buf size %zd got %pK\n", diff --git a/drivers/android/binder_alloc.h b/drivers/android/binder_alloc.h index 9ef64e563856..fb3238c74c8a 100644 --- a/drivers/android/binder_alloc.h +++ b/drivers/android/binder_alloc.h @@ -50,8 +50,7 @@ struct binder_buffer { unsigned free:1; unsigned allow_user_free:1; unsigned async_transaction:1; - unsigned free_in_progress:1; - unsigned debug_id:28; + unsigned debug_id:29; struct binder_transaction *transaction;

7 years, 1 month

FAILED: patch "[PATCH] function_graph: Reverse the order of pushing the ret_stack" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

7 years, 1 month

FAILED: patch "[PATCH] function_graph: Move return callback before update of" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

7 years, 1 month

FAILED: patch "[PATCH] function_graph: Have profiler use curr_ret_stack and not" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

7 years, 1 month

FAILED: patch "[PATCH] function_graph: Use new curr_ret_depth to manage depth" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 39eb456dacb543de90d3bc6a8e0ac5cf51ac475e Mon Sep 17 00:00:00 2001 From: "Steven Rostedt (VMware)" <rostedt(a)goodmis.org> Date: Mon, 19 Nov 2018 08:07:12 -0500 Subject: [PATCH] function_graph: Use new curr_ret_depth to manage depth instead of curr_ret_stack Currently, the depth of the ret_stack is determined by curr_ret_stack index. The issue is that there's a race between setting of the curr_ret_stack and calling of the callback attached to the return of the function. Commit 03274a3ffb44 ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") moved the calling of the callback to after the setting of the curr_ret_stack, even stating that it was safe to do so, when in fact, it was the reason there was a barrier() there (yes, I should have commented that barrier()). Not only does the curr_ret_stack keep track of the current call graph depth, it also keeps the ret_stack content from being overwritten by new data. The function profiler, uses the "subtime" variable of ret_stack structure and by moving the curr_ret_stack, it allows for interrupts to use the same structure it was using, corrupting the data, and breaking the profiler. To fix this, there needs to be two variables to handle the call stack depth and the pointer to where the ret_stack is being used, as they need to change at two different locations. Cc: stable(a)kernel.org Fixes: 03274a3ffb449 ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by: Masami Hiramatsu <mhiramat(a)kernel.org> Signed-off-by: Steven Rostedt (VMware) <rostedt(a)goodmis.org> diff --git a/include/linux/sched.h b/include/linux/sched.h index a51c13c2b1a0..d6183a55e8eb 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1116,6 +1116,7 @@ struct task_struct { #ifdef CONFIG_FUNCTION_GRAPH_TRACER /* Index of current stored address in ret_stack: */ int curr_ret_stack; + int curr_ret_depth; /* Stack of return addresses for return function tracing: */ struct ftrace_ret_stack *ret_stack; diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index f536f601bd46..48513954713c 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -6814,6 +6814,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list) atomic_set(&t->tracing_graph_pause, 0); atomic_set(&t->trace_overrun, 0); t->curr_ret_stack = -1; + t->curr_ret_depth = -1; /* Make sure the tasks see the -1 first: */ smp_wmb(); t->ret_stack = ret_stack_list[start++]; @@ -7038,6 +7039,7 @@ graph_init_task(struct task_struct *t, struct ftrace_ret_stack *ret_stack) void ftrace_graph_init_idle_task(struct task_struct *t, int cpu) { t->curr_ret_stack = -1; + t->curr_ret_depth = -1; /* * The idle task has no parent, it either has its own * stack or no stack at all. @@ -7068,6 +7070,7 @@ void ftrace_graph_init_task(struct task_struct *t) /* Make sure we do not use the parent ret_stack */ t->ret_stack = NULL; t->curr_ret_stack = -1; + t->curr_ret_depth = -1; if (ftrace_graph_active) { struct ftrace_ret_stack *ret_stack; diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c index 88ca787a1cdc..02d4081a7f5a 100644 --- a/kernel/trace/trace_functions_graph.c +++ b/kernel/trace/trace_functions_graph.c @@ -119,7 +119,7 @@ print_graph_duration(struct trace_array *tr, unsigned long long duration, /* Add a function return address to the trace stack on thread info.*/ static int -ftrace_push_return_trace(unsigned long ret, unsigned long func, int *depth, +ftrace_push_return_trace(unsigned long ret, unsigned long func, unsigned long frame_pointer, unsigned long *retp) { unsigned long long calltime; @@ -177,8 +177,6 @@ ftrace_push_return_trace(unsigned long ret, unsigned long func, int *depth, #ifdef HAVE_FUNCTION_GRAPH_RET_ADDR_PTR current->ret_stack[index].retp = retp; #endif - *depth = current->curr_ret_stack; - return 0; } @@ -188,14 +186,20 @@ int function_graph_enter(unsigned long ret, unsigned long func, struct ftrace_graph_ent trace; trace.func = func; - trace.depth = current->curr_ret_stack + 1; + trace.depth = ++current->curr_ret_depth; /* Only trace if the calling function expects to */ if (!ftrace_graph_entry(&trace)) - return -EBUSY; + goto out; - return ftrace_push_return_trace(ret, func, &trace.depth, - frame_pointer, retp); + if (ftrace_push_return_trace(ret, func, + frame_pointer, retp)) + goto out; + + return 0; + out: + current->curr_ret_depth--; + return -EBUSY; } /* Retrieve a function return address to the trace stack on thread info.*/ @@ -257,7 +261,7 @@ ftrace_pop_return_trace(struct ftrace_graph_ret *trace, unsigned long *ret, trace->func = current->ret_stack[index].func; trace->calltime = current->ret_stack[index].calltime; trace->overrun = atomic_read(&current->trace_overrun); - trace->depth = index; + trace->depth = current->curr_ret_depth; } /* @@ -273,6 +277,7 @@ unsigned long ftrace_return_to_handler(unsigned long frame_pointer) trace.rettime = trace_clock_local(); barrier(); current->curr_ret_stack--; + current->curr_ret_depth--; /* * The curr_ret_stack can be less than -1 only if it was * filtered out and it's about to return from the function.

7 years, 1 month

FAILED: patch "[PATCH] MIPS: function_graph: Simplify with function_graph_enter()" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

7 years, 1 month

FAILED: patch "[PATCH] MIPS: function_graph: Simplify with function_graph_enter()" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 8712b27c5723c26400a2b350faf1d6d9fd7ffaad Mon Sep 17 00:00:00 2001 From: "Steven Rostedt (VMware)" <rostedt(a)goodmis.org> Date: Sun, 18 Nov 2018 17:25:18 -0500 Subject: [PATCH] MIPS: function_graph: Simplify with function_graph_enter() The function_graph_enter() function does the work of calling the function graph hook function and the management of the shadow stack, simplifying the work done in the architecture dependent prepare_ftrace_return(). Have MIPS use the new code, and remove the shadow stack management as well as having to set up the trace structure. This is needed to prepare for a fix of a design bug on how the curr_ret_stack is used. Cc: Ralf Baechle <ralf(a)linux-mips.org> Cc: Paul Burton <paul.burton(a)mips.com> Cc: James Hogan <jhogan(a)kernel.org> Cc: linux-mips(a)linux-mips.org Cc: stable(a)kernel.org Fixes: 03274a3ffb449 ("tracing/fgraph: Adjust fgraph depth before calling trace return callback") Reviewed-by: Masami Hiramatsu <mhiramat(a)kernel.org> Signed-off-by: Steven Rostedt (VMware) <rostedt(a)goodmis.org> diff --git a/arch/mips/kernel/ftrace.c b/arch/mips/kernel/ftrace.c index 7f3dfdbc3657..b122cbb4aad1 100644 --- a/arch/mips/kernel/ftrace.c +++ b/arch/mips/kernel/ftrace.c @@ -322,7 +322,6 @@ void prepare_ftrace_return(unsigned long *parent_ra_addr, unsigned long self_ra, unsigned long fp) { unsigned long old_parent_ra; - struct ftrace_graph_ent trace; unsigned long return_hooker = (unsigned long) &return_to_handler; int faulted, insns; @@ -369,12 +368,6 @@ void prepare_ftrace_return(unsigned long *parent_ra_addr, unsigned long self_ra, if (unlikely(faulted)) goto out; - if (ftrace_push_return_trace(old_parent_ra, self_ra, &trace.depth, fp, - NULL) == -EBUSY) { - *parent_ra_addr = old_parent_ra; - return; - } - /* * Get the recorded ip of the current mcount calling site in the * __mcount_loc section, which will be used to filter the function @@ -382,13 +375,10 @@ void prepare_ftrace_return(unsigned long *parent_ra_addr, unsigned long self_ra, */ insns = core_kernel_text(self_ra) ? 2 : MCOUNT_OFFSET_INSNS + 1; - trace.func = self_ra - (MCOUNT_INSN_SIZE * insns); + self_ra -= (MCOUNT_INSN_SIZE * insns); - /* Only trace if the calling function expects to */ - if (!ftrace_graph_entry(&trace)) { - current->curr_ret_stack--; + if (function_graph_enter(old_parent_ra, self_ra, fp, NULL)) *parent_ra_addr = old_parent_ra; - } return; out: ftrace_graph_stop();

7 years, 1 month

FAILED: patch "[PATCH] arm64: function_graph: Simplify with function_graph_enter()" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

7 years, 1 month

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror