From: Greg Kroah-Hartman Date: Thu, 22 Mar 2018 11:20:41 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v3.18.102~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9428af14418fd192fc4cbcf5a5c424fa479b9280;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: led-core-clear-led_blink_sw-flag-in-led_blink_set.patch revert-led-core-fix-brightness-setting-when-setting-delay_off-0.patch staging-android-ashmem-fix-possible-deadlock-in-ashmem_ioctl.patch --- diff --git a/queue-4.9/led-core-clear-led_blink_sw-flag-in-led_blink_set.patch b/queue-4.9/led-core-clear-led_blink_sw-flag-in-led_blink_set.patch new file mode 100644 index 00000000000..d01ea6d2edc --- /dev/null +++ b/queue-4.9/led-core-clear-led_blink_sw-flag-in-led_blink_set.patch @@ -0,0 +1,33 @@ +From jacek.anaszewski@gmail.com Thu Mar 22 11:57:33 2018 +From: Jacek Anaszewski +Date: Mon, 19 Mar 2018 20:23:19 +0100 +Subject: led: core: Clear LED_BLINK_SW flag in led_blink_set() +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: linux-kernel@vger.kernel.org, linux-leds@vger.kernel.org, pavel@ucw.cz, jacek.anaszewski@gmail.com, Matthieu CASTET +Message-ID: <1521487399-10447-3-git-send-email-jacek.anaszewski@gmail.com> + +From: Jacek Anaszewski + +[Only needed in 4.9.y due to other fixes in mainline - gregkh] + +With the current code, the following sequence won't work : +echo timer > trigger + +echo 0 > delay_off +* at this point we call +** led_delay_off_store +** led_blink_set +--- + drivers/leds/led-core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/leds/led-core.c ++++ b/drivers/leds/led-core.c +@@ -188,6 +188,7 @@ void led_blink_set(struct led_classdev * + { + del_timer_sync(&led_cdev->blink_timer); + ++ led_cdev->flags &= ~LED_BLINK_SW; + led_cdev->flags &= ~LED_BLINK_ONESHOT; + led_cdev->flags &= ~LED_BLINK_ONESHOT_STOP; + 
diff --git a/queue-4.9/revert-led-core-fix-brightness-setting-when-setting-delay_off-0.patch b/queue-4.9/revert-led-core-fix-brightness-setting-when-setting-delay_off-0.patch new file mode 100644 index 00000000000..c7d369114a7 --- /dev/null +++ b/queue-4.9/revert-led-core-fix-brightness-setting-when-setting-delay_off-0.patch @@ -0,0 +1,37 @@ +From jacek.anaszewski@gmail.com Thu Mar 22 11:56:58 2018 +From: Jacek Anaszewski +Date: Mon, 19 Mar 2018 20:23:18 +0100 +Subject: Revert "led: core: Fix brightness setting when setting delay_off=0" +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: linux-kernel@vger.kernel.org, linux-leds@vger.kernel.org, pavel@ucw.cz, jacek.anaszewski@gmail.com +Message-ID: <1521487399-10447-2-git-send-email-jacek.anaszewski@gmail.com> + +From: Jacek Anaszewski + +This reverts commit 86b9fa2190907f4f550d9d6bf490c5f89ca33836 which was +commit 2b83ff96f51d0b039c4561b9f95c824d7bddb85c upstream. + +The commit being reverted has two flaws: + - it introduces a regression, fixed in the upstream + commit 7b6af2c53192f1766892ef40c8f48a413509ed72. + - it has truncated commit message + +Reported-by: Sasha Levin +Reported-by: Matthias Schiffer +Signed-off-by: Jacek Anaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/led-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/leds/led-core.c ++++ b/drivers/leds/led-core.c +@@ -186,7 +186,7 @@ void led_blink_set(struct led_classdev * + unsigned long *delay_on, + unsigned long *delay_off) + { +- led_stop_software_blink(led_cdev); ++ del_timer_sync(&led_cdev->blink_timer); + + led_cdev->flags &= ~LED_BLINK_ONESHOT; + led_cdev->flags &= ~LED_BLINK_ONESHOT_STOP; diff --git a/queue-4.9/series b/queue-4.9/series index 1f28b4104c2..00749c859ae 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
@@ -2,3 +2,6 @@ tpm-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch asoc-rsnd-check-src-mod-pointer-for-rsnd_mod_id.patch smb3-validate-negotiate-request-must-always-be-signed.patch cifs-enable-encryption-during-session-setup-phase.patch +staging-android-ashmem-fix-possible-deadlock-in-ashmem_ioctl.patch +revert-led-core-fix-brightness-setting-when-setting-delay_off-0.patch +led-core-clear-led_blink_sw-flag-in-led_blink_set.patch diff --git a/queue-4.9/staging-android-ashmem-fix-possible-deadlock-in-ashmem_ioctl.patch b/queue-4.9/staging-android-ashmem-fix-possible-deadlock-in-ashmem_ioctl.patch new file mode 100644 index 00000000000..b077a5ab65b --- /dev/null +++ b/queue-4.9/staging-android-ashmem-fix-possible-deadlock-in-ashmem_ioctl.patch 
@@ -0,0 +1,56 @@ +From 740a5759bf222332fbb5eda42f89aa25ba38f9b2 Mon Sep 17 00:00:00 2001 +From: Yisheng Xie +Date: Wed, 28 Feb 2018 14:59:22 +0800 +Subject: staging: android: ashmem: Fix possible deadlock in ashmem_ioctl + +From: Yisheng Xie + +commit 740a5759bf222332fbb5eda42f89aa25ba38f9b2 upstream. + +ashmem_mutex may create a chain of dependencies like: + +CPU0 CPU1 + mmap syscall ioctl syscall + -> mmap_sem (acquired) -> ashmem_ioctl + -> ashmem_mmap -> ashmem_mutex (acquired) + -> ashmem_mutex (try to acquire) -> copy_from_user + -> mmap_sem (try to acquire) + +There is a lock odering problem between mmap_sem and ashmem_mutex causing +a lockdep splat[1] during a syzcaller test. This patch fixes the problem +by move copy_from_user out of ashmem_mutex. + +[1] https://www.spinics.net/lists/kernel/msg2733200.html + +Fixes: ce8a3a9e76d0 (staging: android: ashmem: Fix a race condition in pin ioctls) +Reported-by: syzbot+d7a918a7a8e1c952bc36@syzkaller.appspotmail.com +Signed-off-by: Yisheng Xie +Cc: "Joel Fernandes (Google)" +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/android/ashmem.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/staging/android/ashmem.c ++++ b/drivers/staging/android/ashmem.c +@@ -718,16 +718,14 @@ static int ashmem_pin_unpin(struct ashme + size_t pgstart, pgend; + int ret = -EINVAL; + ++ if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) ++ return -EFAULT; ++ + mutex_lock(&ashmem_mutex); + + if (unlikely(!asma->file)) + goto out_unlock; + +- if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) { +- ret = -EFAULT; +- goto out_unlock; +- } +- + /* per custom, you can pass zero for len to mean "everything onward" */ + if (!pin.len) + pin.len = PAGE_ALIGN(asma->size) - pin.offset;
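Review bot: The changelog of led-core-clear-led_blink_sw-flag-in-led_blink_set.patch is cut off. It stops at "** led_blink_set" and goes straight to the "---" separator, so the file never says what goes wrong after "echo 0 > delay_off" or why clearing LED_BLINK_SW in led_blink_set() fixes it, and it carries no Signed-off-by lines. The companion revert in this same queue lists "it has truncated commit message" as one of the two flaws of the commit it reverts, so this patch should not repeat that flaw. Please complete the call sequence, state the observed failure, and add the sign-offs before it goes into queue-4.9. Since the "[Only needed in 4.9.y ...]" line means there is no upstream commit id to look up, the changelog is the only record of why the one-line change "led_cdev->flags &= ~LED_BLINK_SW;" is needed.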
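Review bot: The led_blink_set() hunk of revert-led-core-fix-brightness-setting-when-setting-delay_off-0.patch has an undocumented dependency on the next patch in the series. Once led_stop_software_blink(led_cdev) is replaced by a bare del_timer_sync(&led_cdev->blink_timer), the visible context clears only LED_BLINK_ONESHOT and LED_BLINK_ONESHOT_STOP. LED_BLINK_SW is cleared only after led-core-clear-led_blink_sw-flag-in-led_blink_set.patch is applied, and that patch uses the del_timer_sync() line restored here as its context. The series hunk does list the two in the right order, but the revert's changelog should name the follow-up patch so nobody picks one without the other. It would also help to say why 4.9.y reverts instead of backporting the upstream fix 7b6af2c53192f1766892ef40c8f48a413509ed72 that the message cites.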
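Review bot: In the ashmem_pin_unpin() hunk, hoisting copy_from_user() above mutex_lock(&ashmem_mutex) also puts it ahead of the "if (unlikely(!asma->file))" check, which changes error precedence. A caller that passes a bad user pointer for a region with no backing file now gets -EFAULT where the old ordering returned -EINVAL. That is probably acceptable, but the changelog should mention it since it is visible to userspace. The direct "return -EFAULT;" is correct because the mutex is not yet held at that point. Please also add a short comment above the copy saying it must stay outside ashmem_mutex because copy_from_user() can fault and take mmap_sem, which is the inversion shown in the CPU0/CPU1 diagram. Without it, a later cleanup could move the copy back under the lock next to the other pin validation.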