From: Greg Kroah-Hartman Date: Sun, 27 Jan 2019 15:53:30 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.9.154~51 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2b2ccd035ec195bedd62aa20a667f2054a7e5164;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: tty-handle-problem-if-line-discipline-does-not-have-receive_buf.patch tty-n_hdlc-fix-__might_sleep-warning.patch uart-fix-crash-in-uart_write-and-uart_put_char.patch
---
diff --git a/queue-4.9/series b/queue-4.9/series
index 77a978687a1..4fb31e12857 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -16,3 +16,6 @@ s390-early-improve-machine-detection.patch
 s390-smp-fix-cpu-hotplug-deadlock-with-cpu-rescan.patch
 char-mwave-fix-potential-spectre-v1-vulnerability.patch
 staging-rtl8188eu-add-device-code-for-d-link-dwa-121-rev-b1.patch
+tty-handle-problem-if-line-discipline-does-not-have-receive_buf.patch
+uart-fix-crash-in-uart_write-and-uart_put_char.patch
+tty-n_hdlc-fix-__might_sleep-warning.patch
diff --git a/queue-4.9/tty-handle-problem-if-line-discipline-does-not-have-receive_buf.patch b/queue-4.9/tty-handle-problem-if-line-discipline-does-not-have-receive_buf.patch
new file mode 100644
index 00000000000..bda5486e653
--- /dev/null
+++ b/queue-4.9/tty-handle-problem-if-line-discipline-does-not-have-receive_buf.patch
@@ -0,0 +1,33 @@
+From 27cfb3a53be46a54ec5e0bd04e51995b74c90343 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Sun, 20 Jan 2019 10:46:58 +0100
+Subject: tty: Handle problem if line discipline does not have receive_buf
+
+From: Greg Kroah-Hartman
+
+commit 27cfb3a53be46a54ec5e0bd04e51995b74c90343 upstream.
+
+Some tty line disciplines do not have a receive buf callback, so
+properly check for that before calling it. If they do not have this
+callback, just eat the character quietly, as we can't fail this call.
+
+Reported-by: Jann Horn
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/tty_io.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -2324,7 +2324,8 @@ static int tiocsti(struct tty_struct *tt
+ ld = tty_ldisc_ref_wait(tty);
+ if (!ld)
+ return -EIO;
+- ld->ops->receive_buf(tty, &ch, &mbz, 1);
++ if (ld->ops->receive_buf)
++ ld->ops->receive_buf(tty, &ch, &mbz, 1);
+ tty_ldisc_deref(ld);
+ return 0;
+ }
diff --git a/queue-4.9/tty-n_hdlc-fix-__might_sleep-warning.patch b/queue-4.9/tty-n_hdlc-fix-__might_sleep-warning.patch
new file mode 100644
index 00000000000..d643f20c223
--- /dev/null
+++ b/queue-4.9/tty-n_hdlc-fix-__might_sleep-warning.patch
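Review bot: The new `if (ld->ops->receive_buf)` guard in tiocsti() (drivers/tty/tty_io.c, carried by the added tty-handle-problem-if-line-discipline-does-not-have-receive_buf.patch) drops the injected byte and still returns 0, and nothing in the code says why. The commit message explains that the call cannot fail, but a reader of tty_io.c will not see that, so I would add a one-line comment above the check: `/* ldisc has no receive_buf: drop the byte quietly, this call cannot fail */`. Before this guard the indirect call went through a NULL callback for any line discipline without receive_buf, so it is worth confirming that the 4.9 tree has no other unguarded `ld->ops->receive_buf` call sites; none are visible in this hunk. tiocsti() starts outside the hunk.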
@@ -0,0 +1,42 @@
+From fc01d8c61ce02c034e67378cd3e645734bc18c8c Mon Sep 17 00:00:00 2001
+From: Paul Fulghum
+Date: Tue, 1 Jan 2019 12:28:53 -0800
+Subject: tty/n_hdlc: fix __might_sleep warning
+
+From: Paul Fulghum
+
+commit fc01d8c61ce02c034e67378cd3e645734bc18c8c upstream.
+
+Fix __might_sleep warning[1] in tty/n_hdlc.c read due to copy_to_user
+call while current is TASK_INTERRUPTIBLE. This is a false positive
+since the code path does not depend on current state remaining
+TASK_INTERRUPTIBLE. The loop breaks out and sets TASK_RUNNING after
+calling copy_to_user.
+
+This patch supresses the warning by setting TASK_RUNNING before calling
+copy_to_user.
+
+[1] https://syzkaller.appspot.com/bug?id=17d5de7f1fcab794cb8c40032f893f52de899324
+
+Signed-off-by: Paul Fulghum
+Reported-by: syzbot
+Cc: Tetsuo Handa
+Cc: Alan Cox
+Cc: stable
+Acked-by: Arnd Bergmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/n_hdlc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/n_hdlc.c
++++ b/drivers/tty/n_hdlc.c
+@@ -598,6 +598,7 @@ static ssize_t n_hdlc_tty_read(struct tt
+ /* too large for caller's buffer */
+ ret = -EOVERFLOW;
+ } else {
++ __set_current_state(TASK_RUNNING);
+ if (copy_to_user(buf, rbuf->buf, rbuf->count))
+ ret = -EFAULT;
+ else
diff --git a/queue-4.9/uart-fix-crash-in-uart_write-and-uart_put_char.patch b/queue-4.9/uart-fix-crash-in-uart_write-and-uart_put_char.patch
new file mode 100644
index 00000000000..84b8f77f2e2
--- /dev/null
+++ b/queue-4.9/uart-fix-crash-in-uart_write-and-uart_put_char.patch
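Review bot: The added `__set_current_state(TASK_RUNNING);` in n_hdlc_tty_read() (drivers/tty/n_hdlc.c) carries no comment, and without the commit message it reads like a stray state change in the middle of a wait loop. I would put `/* copy_to_user() may sleep; leave TASK_INTERRUPTIBLE before calling it */` above it. The change is safe only if every path after this branch leaves the loop without waiting again in the now-cleared state; the commit message says the loop breaks out here, but that break is outside the hunk and should be checked against the 4.9 source. n_hdlc_tty_read() starts and ends outside the hunk.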
@@ -0,0 +1,98 @@
+From aff9cf5955185d1f183227e46c5f8673fa483813 Mon Sep 17 00:00:00 2001
+From: Samir Virmani
+Date: Wed, 16 Jan 2019 10:28:07 -0800
+Subject: uart: Fix crash in uart_write and uart_put_char
+
+From: Samir Virmani
+
+commit aff9cf5955185d1f183227e46c5f8673fa483813 upstream.
+
+We were experiencing a crash similar to the one reported as part of
+commit:a5ba1d95e46e ("uart: fix race between uart_put_char() and
+uart_shutdown()") in our testbed as well. We continue to observe the same
+crash after integrating the commit a5ba1d95e46e ("uart: fix race between
+uart_put_char() and uart_shutdown()")
+
+On reviewing the change, the port lock should be taken prior to checking for
+if (!circ->buf) in fn. __uart_put_char and other fns. that update the buffer
+uart_state->xmit.
+
+Traceback:
+
+[11/27/2018 06:24:32.4870] Unable to handle kernel NULL pointer dereference
+ at virtual address 0000003b
+
+[11/27/2018 06:24:32.4950] PC is at memcpy+0x48/0x180
+[11/27/2018 06:24:32.4950] LR is at uart_write+0x74/0x120
+[11/27/2018 06:24:32.4950] pc : []
+ lr : [] pstate: 000001c5
+[11/27/2018 06:24:32.4950] sp : ffffffc076433d30
+[11/27/2018 06:24:32.4950] x29: ffffffc076433d30 x28: 0000000000000140
+[11/27/2018 06:24:32.4950] x27: ffffffc0009b9d5e x26: ffffffc07ce36580
+[11/27/2018 06:24:32.4950] x25: 0000000000000000 x24: 0000000000000140
+[11/27/2018 06:24:32.4950] x23: ffffffc000891200 x22: ffffffc01fc34000
+[11/27/2018 06:24:32.4950] x21: 0000000000000fff x20: 0000000000000076
+[11/27/2018 06:24:32.4950] x19: 0000000000000076 x18: 0000000000000000
+[11/27/2018 06:24:32.4950] x17: 000000000047cf08 x16: ffffffc000099e68
+[11/27/2018 06:24:32.4950] x15: 0000000000000018 x14: 776d726966205948
+[11/27/2018 06:24:32.4950] x13: 50203a6c6974755f x12: 74647075205d3333
+[11/27/2018 06:24:32.4950] x11: 3a35323a36203831 x10: 30322f37322f3131
+[11/27/2018 06:24:32.4950] x9 : 5b205d303638342e x8 : 746164206f742070
+[11/27/2018 06:24:32.4950] x7 : 7520736920657261 x6 : 000000000000003b
+[11/27/2018 06:24:32.4950] x5 : 000000000000817a x4 : 0000000000000008
+[11/27/2018 06:24:32.4950] x3 : 2f37322f31312a5b x2 : 000000000000006e
+[11/27/2018 06:24:32.4950] x1 : ffffffc0009b9cf0 x0 : 000000000000003b
+
+[11/27/2018 06:24:32.4950] CPU2: stopping
+[11/27/2018 06:24:32.4950] CPU: 2 PID: 0 Comm: swapper/2 Tainted: P D O 4.1.51 #3
+[11/27/2018 06:24:32.4950] Hardware name: Broadcom-v8A (DT)
+[11/27/2018 06:24:32.4950] Call trace:
+[11/27/2018 06:24:32.4950] [] dump_backtrace+0x0/0x150
+[11/27/2018 06:24:32.4950] [] show_stack+0x14/0x20
+[11/27/2018 06:24:32.4950] [] dump_stack+0x90/0xb0
+[11/27/2018 06:24:32.4950] [] handle_IPI+0x18c/0x1a0
+[11/27/2018 06:24:32.4950] [] gic_handle_irq+0x88/0x90
+
+Fixes: a5ba1d95e46e ("uart: fix race between uart_put_char() and uart_shutdown()")
+Cc: stable
+Signed-off-by: Samir Virmani
+Acked-by: Tycho Andersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/serial_core.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -540,10 +540,12 @@ static int uart_put_char(struct tty_stru
+ int ret = 0;
+
+ circ = &state->xmit;
+- if (!circ->buf)
++ port = uart_port_lock(state, flags);
++ if (!circ->buf) {
++ uart_port_unlock(port, flags);
+ return 0;
++ }
+
+- port = uart_port_lock(state, flags);
+ if (port && uart_circ_chars_free(circ) != 0) {
+ circ->buf[circ->head] = c;
+ circ->head = (circ->head + 1) & (UART_XMIT_SIZE - 1);
+@@ -576,11 +578,13 @@ static int uart_write(struct tty_struct
+ return -EL3HLT;
+ }
+
++ port = uart_port_lock(state, flags);
+ circ = &state->xmit;
+- if (!circ->buf)
++ if (!circ->buf) {
++ uart_port_unlock(port, flags);
+ return 0;
++ }
+
+- port = uart_port_lock(state, flags);
+ while (port) {
+ c = CIRC_SPACE_TO_END(circ->head, circ->tail, UART_XMIT_SIZE);
+ if (count < c)
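Review bot: On the new early-return paths in uart_put_char() and uart_write() (drivers/tty/serial/serial_core.c), `uart_port_unlock(port, flags)` is called without checking `port`, while the code right after it (`if (port && ...)`, `while (port)`) treats `port` as possibly NULL after uart_port_lock(). That is fine only if uart_port_unlock() tolerates a NULL port; its definition is not in this hunk, so for the 4.9 backport it should be confirmed against that tree's serial_core.c. A smaller style point: uart_put_char() assigns `circ = &state->xmit;` before taking the lock and uart_write() after it; taking the address is harmless either way, but one order in both functions plus a comment such as `/* circ->buf must be checked under the port lock (race with uart_shutdown()) */` would make the locking rule visible. Both functions continue outside their hunks.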