From: Greg Kroah-Hartman Date: Wed, 13 Feb 2019 10:20:41 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.9.157~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=09c61b4015f8b96571be4616d8e3d807b74b7e5a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: debugfs-fix-debugfs_rename-parameter-checking.patch iio-chemical-atlas-ph-sensor-correct-iio_temp-values-to-millicelsius.patch misc-vexpress-off-by-one-in-vexpress_syscfg_exec.patch mtd-rawnand-gpmi-fix-mx28-bus-master-lockup-problem.patch samples-mei-use-dev-mei0-instead-of-dev-mei.patch signal-always-notice-exiting-tasks.patch signal-better-detection-of-synchronous-signals.patch
---
diff --git a/queue-4.9/debugfs-fix-debugfs_rename-parameter-checking.patch b/queue-4.9/debugfs-fix-debugfs_rename-parameter-checking.patch
new file mode 100644
index 00000000000..255653e37c0
--- /dev/null
+++ b/queue-4.9/debugfs-fix-debugfs_rename-parameter-checking.patch
@@ -0,0 +1,39 @@
+From d88c93f090f708c18195553b352b9f205e65418f Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Wed, 23 Jan 2019 11:27:02 +0100
+Subject: debugfs: fix debugfs_rename parameter checking
+
+From: Greg Kroah-Hartman
+
+commit d88c93f090f708c18195553b352b9f205e65418f upstream.
+
+debugfs_rename() needs to check that the dentries passed into it really
+are valid, as sometimes they are not (i.e. if the return value of
+another debugfs call is passed into this one.) So fix this up by
+properly checking if the two parent directories are errors (they are
+allowed to be NULL), and if the dentry to rename is not NULL or an
+error.
+
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/debugfs/inode.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/debugfs/inode.c
++++ b/fs/debugfs/inode.c
+@@ -732,6 +732,13 @@ struct dentry *debugfs_rename(struct den
+ struct dentry *dentry = NULL, *trap;
+ struct name_snapshot old_name;
+
++ if (IS_ERR(old_dir))
++ return old_dir;
++ if (IS_ERR(new_dir))
++ return new_dir;
++ if (IS_ERR_OR_NULL(old_dentry))
++ return old_dentry;
++
+ trap = lock_rename(new_dir, old_dir);
+ /* Source or destination directories don't exist? */
+ if (d_really_is_negative(old_dir) || d_really_is_negative(new_dir))
diff --git a/queue-4.9/iio-chemical-atlas-ph-sensor-correct-iio_temp-values-to-millicelsius.patch b/queue-4.9/iio-chemical-atlas-ph-sensor-correct-iio_temp-values-to-millicelsius.patch
new file mode 100644
index 00000000000..ad677ab6afc
--- /dev/null
+++ b/queue-4.9/iio-chemical-atlas-ph-sensor-correct-iio_temp-values-to-millicelsius.patch
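Review bot: In the debugfs_rename() hunk of debugfs-fix-debugfs_rename-parameter-checking.patch, a NULL `old_dir` or `new_dir` passes the two new `IS_ERR()` tests and reaches `lock_rename(new_dir, old_dir)` and `d_really_is_negative(old_dir)` on the context lines that follow. The commit message says the parents are allowed to be NULL, but nothing visible in the hunk shows those helpers tolerating a NULL dentry, so this path may still dereference NULL. If NULL parents are not meaningful for a rename, the checks could be `if (IS_ERR_OR_NULL(old_dir))` and `if (IS_ERR_OR_NULL(new_dir))`; otherwise a comment such as `/* NULL parents are legal here; only ERR_PTR values from a failed debugfs call are rejected */` would record the intent. The function body continues outside the hunk.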
@@ -0,0 +1,45 @@
+From 0808831dc62e90023ad14ff8da4804c7846e904b Mon Sep 17 00:00:00 2001
+From: Matt Ranostay
+Date: Sun, 30 Dec 2018 19:07:01 -0800
+Subject: iio: chemical: atlas-ph-sensor: correct IIO_TEMP values to millicelsius
+
+From: Matt Ranostay
+
+commit 0808831dc62e90023ad14ff8da4804c7846e904b upstream.
+
+IIO_TEMP scale value for temperature was incorrect and not in millicelsius
+as required by the ABI documentation.
+
+Signed-off-by: Matt Ranostay
+Fixes: 27dec00ecf2d (iio: chemical: add Atlas pH-SM sensor support)
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/chemical/atlas-ph-sensor.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/chemical/atlas-ph-sensor.c
++++ b/drivers/iio/chemical/atlas-ph-sensor.c
+@@ -453,9 +453,8 @@ static int atlas_read_raw(struct iio_dev
+ case IIO_CHAN_INFO_SCALE:
+ switch (chan->type) {
+ case IIO_TEMP:
+- *val = 1; /* 0.01 */
+- *val2 = 100;
+- break;
++ *val = 10;
++ return IIO_VAL_INT;
+ case IIO_PH:
+ *val = 1; /* 0.001 */
+ *val2 = 1000;
+@@ -486,7 +485,7 @@ static int atlas_write_raw(struct iio_de
+ int val, int val2, long mask)
+ {
+ struct atlas_data *data = iio_priv(indio_dev);
+- __be32 reg = cpu_to_be32(val);
++ __be32 reg = cpu_to_be32(val / 10);
+
+ if (val2 != 0 || val < 0 || val > 20000)
+ return -EINVAL;
diff --git a/queue-4.9/misc-vexpress-off-by-one-in-vexpress_syscfg_exec.patch b/queue-4.9/misc-vexpress-off-by-one-in-vexpress_syscfg_exec.patch
new file mode 100644
index 00000000000..755ed66779a
--- /dev/null
+++ b/queue-4.9/misc-vexpress-off-by-one-in-vexpress_syscfg_exec.patch
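Review bot: In atlas_write_raw(), the bound on the context line, `val > 20000`, is unchanged while the value written to the register becomes `val / 10`, so the largest register value this function accepts drops from 20000 to 2000. If the limit was meant in the device's register units (not visible in the hunk), the check should scale with the new unit, e.g. `if (val2 != 0 || val < 0 || val > 200000)`. The division also silently discards the last digit of `val`; a short comment such as `/* val is in millicelsius; the register value is val / 10 */` would make the conversion explicit. The function continues outside the hunk.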
@@ -0,0 +1,35 @@
+From f8a70d8b889f180e6860cb1f85fed43d37844c5a Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Mon, 3 Dec 2018 17:52:19 +0300
+Subject: misc: vexpress: Off by one in vexpress_syscfg_exec()
+
+From: Dan Carpenter
+
+commit f8a70d8b889f180e6860cb1f85fed43d37844c5a upstream.
+
+The > comparison should be >= to prevent reading beyond the end of the
+func->template[] array.
+
+(The func->template array is allocated in vexpress_syscfg_regmap_init()
+and it has func->num_templates elements.)
+
+Fixes: 974cc7b93441 ("mfd: vexpress: Define the device as MFD cells")
+Signed-off-by: Dan Carpenter
+Acked-by: Sudeep Holla
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/misc/vexpress-syscfg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/vexpress-syscfg.c
++++ b/drivers/misc/vexpress-syscfg.c
+@@ -61,7 +61,7 @@ static int vexpress_syscfg_exec(struct v
+ int tries;
+ long timeout;
+
+- if (WARN_ON(index > func->num_templates))
++ if (WARN_ON(index >= func->num_templates))
+ return -EINVAL;
+
+ command = readl(syscfg->base + SYS_CFGCTRL);
diff --git a/queue-4.9/mtd-rawnand-gpmi-fix-mx28-bus-master-lockup-problem.patch b/queue-4.9/mtd-rawnand-gpmi-fix-mx28-bus-master-lockup-problem.patch
new file mode 100644
index 00000000000..13cc566c141
--- /dev/null
+++ b/queue-4.9/mtd-rawnand-gpmi-fix-mx28-bus-master-lockup-problem.patch
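Review bot: The corrected test `index >= func->num_templates` in vexpress_syscfg_exec() covers the upper bound only; the declaration of `index` lies outside the hunk (the signature is cut off in the `@@` header), so it cannot be confirmed here that a negative value is impossible. If `index` is a signed type, the guard should reject that case as well: `if (WARN_ON(index < 0 || index >= func->num_templates))`. The function continues outside the hunk.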
@@ -0,0 +1,86 @@
+From d5d27fd9826b59979b184ec288e4812abac0e988 Mon Sep 17 00:00:00 2001
+From: Martin Kepplinger
+Date: Tue, 5 Feb 2019 16:52:51 +0100
+Subject: mtd: rawnand: gpmi: fix MX28 bus master lockup problem
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Kepplinger
+
+commit d5d27fd9826b59979b184ec288e4812abac0e988 upstream.
+
+Disable BCH soft reset according to MX23 erratum #2847 ("BCH soft
+reset may cause bus master lock up") for MX28 too. It has the same
+problem.
+
+Observed problem: once per 100,000+ MX28 reboots NAND read failed on
+DMA timeout errors:
+[ 1.770823] UBI: attaching mtd3 to ubi0
+[ 2.768088] gpmi_nand: DMA timeout, last DMA :1
+[ 3.958087] gpmi_nand: BCH timeout, last DMA :1
+[ 4.156033] gpmi_nand: Error in ECC-based read: -110
+[ 4.161136] UBI warning: ubi_io_read: error -110 while reading 64
+bytes from PEB 0:0, read only 0 bytes, retry
+[ 4.171283] step 1 error
+[ 4.173846] gpmi_nand: Chip: 0, Error -1
+
+Without BCH soft reset we successfully executed 1,000,000 MX28 reboots.
+
+I have a quote from NXP regarding this problem, from July 18th 2016:
+
+"As the i.MX23 and i.MX28 are of the same generation, they share many
+characteristics. Unfortunately, also the erratas may be shared.
+In case of the documented erratas and the workarounds, you can also
+apply the workaround solution of one device on the other one. This have
+been reported, but I’m afraid that there are not an estimated date for
+updating the Errata documents.
+Please accept our apologies for any inconveniences this may cause."
+
+Fixes: 6f2a6a52560a ("mtd: nand: gpmi: reset BCH earlier, too, to avoid NAND startup problems")
+Cc: stable@vger.kernel.org
+Signed-off-by: Manfred Schlaegl
+Signed-off-by: Martin Kepplinger
+Reviewed-by: Miquel Raynal
+Reviewed-by: Fabio Estevam
+Acked-by: Han Xu
+Signed-off-by: Boris Brezillon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/nand/gpmi-nand/gpmi-lib.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/mtd/nand/gpmi-nand/gpmi-lib.c
++++ b/drivers/mtd/nand/gpmi-nand/gpmi-lib.c
+@@ -168,9 +168,10 @@ int gpmi_init(struct gpmi_nand_data *thi
+
+ /*
+ * Reset BCH here, too. We got failures otherwise :(
+- * See later BCH reset for explanation of MX23 handling
++ * See later BCH reset for explanation of MX23 and MX28 handling
+ */
+- ret = gpmi_reset_block(r->bch_regs, GPMI_IS_MX23(this));
++ ret = gpmi_reset_block(r->bch_regs,
++ GPMI_IS_MX23(this) || GPMI_IS_MX28(this));
+ if (ret)
+ goto err_out;
+
+@@ -275,13 +276,11 @@ int bch_set_geometry(struct gpmi_nand_da
+
+ /*
+ * Due to erratum #2847 of the MX23, the BCH cannot be soft reset on this
+- * chip, otherwise it will lock up. So we skip resetting BCH on the MX23.
+- * On the other hand, the MX28 needs the reset, because one case has been
+- * seen where the BCH produced ECC errors constantly after 10000
+- * consecutive reboots. The latter case has not been seen on the MX23
+- * yet, still we don't know if it could happen there as well.
++ * chip, otherwise it will lock up. So we skip resetting BCH on the MX23
++ * and MX28.
+ */
+- ret = gpmi_reset_block(r->bch_regs, GPMI_IS_MX23(this));
++ ret = gpmi_reset_block(r->bch_regs,
++ GPMI_IS_MX23(this) || GPMI_IS_MX28(this));
+ if (ret)
+ goto err_out;
+
diff --git a/queue-4.9/samples-mei-use-dev-mei0-instead-of-dev-mei.patch b/queue-4.9/samples-mei-use-dev-mei0-instead-of-dev-mei.patch
new file mode 100644
index 00000000000..d27003cd08b
--- /dev/null
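Review bot: The condition `GPMI_IS_MX23(this) || GPMI_IS_MX28(this)` is now spelled out at both `gpmi_reset_block()` call sites, in gpmi_init() and in bch_set_geometry(), so a future change to the erratum handling has to be made twice. A small helper or macro next to the existing `GPMI_IS_*` definitions would keep the two sites in step. The rewritten comment in bch_set_geometry() also still attributes erratum #2847 to the MX23 only and drops the earlier remark about ECC errors seen on the MX28 without the reset; one sentence such as `MX28 is not listed in the erratum but shows the same lock-up, so it is treated like MX23` would record why the trade-off changed. Both functions continue outside the hunks.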
+++ b/queue-4.9/samples-mei-use-dev-mei0-instead-of-dev-mei.patch
@@ -0,0 +1,31 @@
+From c4a46acf1db3ce547d290c29e55b3476c78dd76c Mon Sep 17 00:00:00 2001
+From: Tomas Winkler
+Date: Thu, 24 Jan 2019 14:45:03 +0200
+Subject: samples: mei: use /dev/mei0 instead of /dev/mei
+
+From: Tomas Winkler
+
+commit c4a46acf1db3ce547d290c29e55b3476c78dd76c upstream.
+
+The device was moved from misc device to character devices
+to support multiple mei devices.
+
+Cc: #v4.9+
+Signed-off-by: Tomas Winkler
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ samples/mei/mei-amt-version.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/samples/mei/mei-amt-version.c
++++ b/samples/mei/mei-amt-version.c
+@@ -117,7 +117,7 @@ static bool mei_init(struct mei *me, con
+
+ me->verbose = verbose;
+
+- me->fd = open("/dev/mei", O_RDWR);
++ me->fd = open("/dev/mei0", O_RDWR);
+ if (me->fd == -1) {
+ mei_err(me, "Cannot establish a handle to the Intel MEI driver\n");
+ goto err;
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644
index 00000000000..9eb4e59a70b
--- /dev/null
+++ b/queue-4.9/series
@@ -0,0 +1,7 @@
+mtd-rawnand-gpmi-fix-mx28-bus-master-lockup-problem.patch
+iio-chemical-atlas-ph-sensor-correct-iio_temp-values-to-millicelsius.patch
+signal-always-notice-exiting-tasks.patch
+signal-better-detection-of-synchronous-signals.patch
+misc-vexpress-off-by-one-in-vexpress_syscfg_exec.patch
+samples-mei-use-dev-mei0-instead-of-dev-mei.patch
+debugfs-fix-debugfs_rename-parameter-checking.patch
diff --git a/queue-4.9/signal-always-notice-exiting-tasks.patch b/queue-4.9/signal-always-notice-exiting-tasks.patch
new file mode 100644
index 00000000000..ef61acaf5f0
--- /dev/null
+++ b/queue-4.9/signal-always-notice-exiting-tasks.patch
@@ -0,0 +1,65 @@
+From 35634ffa1751b6efd8cf75010b509dcb0263e29b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman"
+Date: Wed, 6 Feb 2019 18:39:40 -0600
+Subject: signal: Always notice exiting tasks
+
+From: Eric W. Biederman
+
+commit 35634ffa1751b6efd8cf75010b509dcb0263e29b upstream.
+
+Recently syzkaller was able to create unkillablle processes by
+creating a timer that is delivered as a thread local signal on SIGHUP,
+and receiving SIGHUP SA_NODEFERER. Ultimately causing a loop
+failing to deliver SIGHUP but always trying.
+
+Upon examination it turns out part of the problem is actually most of
+the solution. Since 2.5 signal delivery has found all fatal signals,
+marked the signal group for death, and queued SIGKILL in every threads
+thread queue relying on signal->group_exit_code to preserve the
+information of which was the actual fatal signal.
+
+The conversion of all fatal signals to SIGKILL results in the
+synchronous signal heuristic in next_signal kicking in and preferring
+SIGHUP to SIGKILL. Which is especially problematic as all
+fatal signals have already been transformed into SIGKILL.
+
+Instead of dequeueing signals and depending upon SIGKILL to
+be the first signal dequeued, first test if the signal group
+has already been marked for death. This guarantees that
+nothing in the signal queue can prevent a process that needs
+to exit from exiting.
+
+Cc: stable@vger.kernel.org
+Tested-by: Dmitry Vyukov
+Reported-by: Dmitry Vyukov
+Ref: ebf5ebe31d2c ("[PATCH] signal-fixes-2.5.59-A4")
+History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
+Signed-off-by: "Eric W. Biederman"
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/signal.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2198,6 +2198,11 @@ relock:
+ goto relock;
+ }
+
++ /* Has this task already been marked for death? */
++ ksig->info.si_signo = signr = SIGKILL;
++ if (signal_group_exit(signal))
++ goto fatal;
++
+ for (;;) {
+ struct k_sigaction *ka;
+
+@@ -2293,6 +2298,7 @@ relock:
+ continue;
+ }
+
++ fatal:
+ spin_unlock_irq(&sighand->siglock);
+
+ /*
diff --git a/queue-4.9/signal-better-detection-of-synchronous-signals.patch b/queue-4.9/signal-better-detection-of-synchronous-signals.patch
new file mode 100644
index 00000000000..6e9ad271496
--- /dev/null
+++ b/queue-4.9/signal-better-detection-of-synchronous-signals.patch
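Review bot: On the new `goto fatal` path in kernel/signal.c only `ksig->info.si_signo` is written, so every other field of `ksig->info` holds whatever the caller left there when control reaches the code after the `fatal:` label, which is outside the hunk. If anything there reads more than `si_signo`, it sees stale data; zeroing the structure before setting `si_signo` on that path would avoid this. The assignment `ksig->info.si_signo = signr = SIGKILL;` also runs on every pass, not just when `signal_group_exit(signal)` is true, and relies on the later dequeue to overwrite it; moving it inside a braced `if (signal_group_exit(signal)) { ... goto fatal; }` would make the intent clearer.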
@@ -0,0 +1,116 @@
+From 7146db3317c67b517258cb5e1b08af387da0618b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman"
+Date: Wed, 6 Feb 2019 17:51:47 -0600
+Subject: signal: Better detection of synchronous signals
+
+From: Eric W. Biederman
+
+commit 7146db3317c67b517258cb5e1b08af387da0618b upstream.
+
+Recently syzkaller was able to create unkillablle processes by
+creating a timer that is delivered as a thread local signal on SIGHUP,
+and receiving SIGHUP SA_NODEFERER. Ultimately causing a loop failing
+to deliver SIGHUP but always trying.
+
+When the stack overflows delivery of SIGHUP fails and force_sigsegv is
+called. Unfortunately because SIGSEGV is numerically higher than
+SIGHUP next_signal tries again to deliver a SIGHUP.
+
+From a quality of implementation standpoint attempting to deliver the
+timer SIGHUP signal is wrong. We should attempt to deliver the
+synchronous SIGSEGV signal we just forced.
+
+We can make that happening in a fairly straight forward manner by
+instead of just looking at the signal number we also look at the
+si_code. In particular for exceptions (aka synchronous signals) the
+si_code is always greater than 0.
+
+That still has the potential to pick up a number of asynchronous
+signals as in a few cases the same si_codes that are used
+for synchronous signals are also used for asynchronous signals,
+and SI_KERNEL is also included in the list of possible si_codes.
+
+Still the heuristic is much better and timer signals are definitely
+excluded. Which is enough to prevent all known ways for someone
+sending a process signals fast enough to cause unexpected and
+arguably incorrect behavior.
+
+Cc: stable@vger.kernel.org
+Fixes: a27341cd5fcb ("Prioritize synchronous signals over 'normal' signals")
+Tested-by: Dmitry Vyukov
+Reported-by: Dmitry Vyukov
+Signed-off-by: "Eric W. Biederman"
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/signal.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 51 insertions(+), 1 deletion(-)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -696,6 +696,48 @@ static inline bool si_fromuser(const str
+ (!is_si_special(info) && SI_FROMUSER(info));
+ }
+
++static int dequeue_synchronous_signal(siginfo_t *info)
++{
++ struct task_struct *tsk = current;
++ struct sigpending *pending = &tsk->pending;
++ struct sigqueue *q, *sync = NULL;
++
++ /*
++ * Might a synchronous signal be in the queue?
++ */
++ if (!((pending->signal.sig[0] & ~tsk->blocked.sig[0]) & SYNCHRONOUS_MASK))
++ return 0;
++
++ /*
++ * Return the first synchronous signal in the queue.
++ */
++ list_for_each_entry(q, &pending->list, list) {
++ /* Synchronous signals have a postive si_code */
++ if ((q->info.si_code > SI_USER) &&
++ (sigmask(q->info.si_signo) & SYNCHRONOUS_MASK)) {
++ sync = q;
++ goto next;
++ }
++ }
++ return 0;
++next:
++ /*
++ * Check if there is another siginfo for the same signal.
++ */
++ list_for_each_entry_continue(q, &pending->list, list) {
++ if (q->info.si_signo == sync->info.si_signo)
++ goto still_pending;
++ }
++
++ sigdelset(&pending->signal, sync->info.si_signo);
++ recalc_sigpending();
++still_pending:
++ list_del_init(&sync->list);
++ copy_siginfo(info, &sync->info);
++ __sigqueue_free(sync);
++ return info->si_signo;
++}
++
+ /*
+ * called with RCU read lock from check_kill_permission()
+ */
+@@ -2216,7 +2258,15 @@ relock:
+ goto relock;
+ }
+
+- signr = dequeue_signal(current, ¤t->blocked, &ksig->info);
++ /*
++ * Signals generated by the execution of an instruction
++ * need to be delivered before any other pending signals
++ * so that the instruction pointer in the signal stack
++ * frame points to the faulting instruction.
++ */
++ signr = dequeue_synchronous_signal(&ksig->info);
++ if (!signr)
++ signr = dequeue_signal(current, ¤t->blocked, &ksig->info);
+
+ if (!signr)
+ break; /* will return 0 */
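Review bot: In dequeue_synchronous_signal(), the first test confirms that some unblocked synchronous signal is pending, but the `list_for_each_entry()` scan then takes the first queue entry with a positive `si_code` and a signal number in `SYNCHRONOUS_MASK` without checking that entry's own signal against `tsk->blocked`. If a blocked synchronous signal sits earlier in the queue than the unblocked one, it appears the blocked one would be dequeued; adding `!sigismember(&tsk->blocked, q->info.si_signo)` to the loop condition would close that gap. The function also edits `pending->list` without stating its locking requirement; a header comment saying it presumably must be called with the siglock held (inferred from the call site, not shown in this hunk) would help the next reader.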