From: Greg Kroah-Hartman Date: Tue, 23 May 2017 14:44:38 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.55~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a19c45d4b3af94888df23e469c2b99bf34e3f4c5;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: arm-dts-at91-sama5d3_xplained-fix-adc-vref.patch arm-dts-at91-sama5d3_xplained-not-all-adc-channels-are-available.patch arm64-documentation-document-tagged-pointer-stack-constraints.patch arm64-uaccess-ensure-extension-of-access_ok-addr.patch metag-uaccess-check-access_ok-in-strncpy_from_user.patch metag-uaccess-fix-access_ok.patch mm-huge_memory.c-respect-foll_force-foll_cow-for-thp.patch powerpc-pseries-fix-of_node_put-underflow-during-dlpar-remove.patch stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch uwb-fix-device-quirk-on-big-endian-hosts.patch xc2028-fix-use-after-free-bug-properly.patch --- diff --git a/queue-3.18/arm-dts-at91-sama5d3_xplained-fix-adc-vref.patch b/queue-3.18/arm-dts-at91-sama5d3_xplained-fix-adc-vref.patch new file mode 100644 index 00000000000..6b387bb87a7 --- /dev/null +++ b/queue-3.18/arm-dts-at91-sama5d3_xplained-fix-adc-vref.patch @@ -0,0 +1,31 @@ +From 9cdd31e5913c1f86dce7e201b086155b3f24896b Mon Sep 17 00:00:00 2001 +From: Ludovic Desroches +Date: Mon, 10 Apr 2017 10:25:16 +0200 +Subject: ARM: dts: at91: sama5d3_xplained: fix ADC vref + +From: Ludovic Desroches + +commit 9cdd31e5913c1f86dce7e201b086155b3f24896b upstream. + +The voltage reference for the ADC is not 3V but 3.3V since it is connected to +VDDANA. + +Signed-off-by: Ludovic Desroches +Acked-by: Nicolas Ferre +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/at91-sama5d3_xplained.dts | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/boot/dts/at91-sama5d3_xplained.dts ++++ b/arch/arm/boot/dts/at91-sama5d3_xplained.dts +@@ -143,6 +143,7 @@ + }; + + adc0: adc@f8018000 { ++ atmel,adc-vref = <3300>; + pinctrl-0 = < + &pinctrl_adc0_adtrg + &pinctrl_adc0_ad0 diff --git a/queue-3.18/arm-dts-at91-sama5d3_xplained-not-all-adc-channels-are-available.patch b/queue-3.18/arm-dts-at91-sama5d3_xplained-not-all-adc-channels-are-available.patch new file mode 100644 index 00000000000..06b92084f54 --- /dev/null +++ b/queue-3.18/arm-dts-at91-sama5d3_xplained-not-all-adc-channels-are-available.patch @@ -0,0 +1,43 @@ +From d3df1ec06353e51fc44563d2e7e18d42811af290 Mon Sep 17 00:00:00 2001 +From: Ludovic Desroches +Date: Mon, 10 Apr 2017 10:25:17 +0200 +Subject: ARM: dts: at91: sama5d3_xplained: not all ADC channels are available + +From: Ludovic Desroches + +commit d3df1ec06353e51fc44563d2e7e18d42811af290 upstream. + +Remove ADC channels that are not available by default on the sama5d3_xplained +board (resistor not populated) in order to not create confusion. + +Signed-off-by: Ludovic Desroches +Acked-by: Nicolas Ferre +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/at91-sama5d3_xplained.dts | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/arch/arm/boot/dts/at91-sama5d3_xplained.dts ++++ b/arch/arm/boot/dts/at91-sama5d3_xplained.dts +@@ -144,9 +144,9 @@ + + adc0: adc@f8018000 { + atmel,adc-vref = <3300>; ++ atmel,adc-channels-used = <0xfe>; + pinctrl-0 = < + &pinctrl_adc0_adtrg +- &pinctrl_adc0_ad0 + &pinctrl_adc0_ad1 + &pinctrl_adc0_ad2 + &pinctrl_adc0_ad3 +@@ -154,8 +154,6 @@ + &pinctrl_adc0_ad5 + &pinctrl_adc0_ad6 + &pinctrl_adc0_ad7 +- &pinctrl_adc0_ad8 +- &pinctrl_adc0_ad9 + >; + status = "okay"; + }; diff --git a/queue-3.18/arm64-documentation-document-tagged-pointer-stack-constraints.patch b/queue-3.18/arm64-documentation-document-tagged-pointer-stack-constraints.patch new file mode 100644 index 00000000000..b44fa590b4f --- /dev/null +++ b/queue-3.18/arm64-documentation-document-tagged-pointer-stack-constraints.patch @@ -0,0 +1,113 @@ +From f0e421b1bf7af97f026e1bb8bfe4c5a7a8c08f42 Mon Sep 17 00:00:00 2001 +From: Kristina Martsenko +Date: Wed, 3 May 2017 16:37:48 +0100 +Subject: arm64: documentation: document tagged pointer stack constraints + +From: Kristina Martsenko + +commit f0e421b1bf7af97f026e1bb8bfe4c5a7a8c08f42 upstream. + +Some kernel features don't currently work if a task puts a non-zero +address tag in its stack pointer, frame pointer, or frame record entries +(FP, LR). + +For example, with a tagged stack pointer, the kernel can't deliver +signals to the process, and the task is killed instead. As another +example, with a tagged frame pointer or frame records, perf fails to +generate call graphs or resolve symbols. + +For now, just document these limitations, instead of finding and fixing +everything that doesn't work, as it's not known if anyone needs to use +tags in these places anyway. + +In addition, as requested by Dave Martin, generalize the limitations +into a general kernel address tag policy, and refactor +tagged-pointers.txt to include it. + +Fixes: d50240a5f6ce ("arm64: mm: permit use of tagged pointers at EL0") +Reviewed-by: Dave Martin +Acked-by: Will Deacon +Signed-off-by: Kristina Martsenko +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/arm64/tagged-pointers.txt | 66 +++++++++++++++++++++++--------- + 1 file changed, 49 insertions(+), 17 deletions(-) + +--- a/Documentation/arm64/tagged-pointers.txt ++++ b/Documentation/arm64/tagged-pointers.txt +@@ -11,24 +11,56 @@ in AArch64 Linux. + The kernel configures the translation tables so that translations made + via TTBR0 (i.e. userspace mappings) have the top byte (bits 63:56) of + the virtual address ignored by the translation hardware. This frees up +-this byte for application use, with the following caveats: ++this byte for application use. + +- (1) The kernel requires that all user addresses passed to EL1 +- are tagged with tag 0x00. This means that any syscall +- parameters containing user virtual addresses *must* have +- their top byte cleared before trapping to the kernel. +- +- (2) Non-zero tags are not preserved when delivering signals. +- This means that signal handlers in applications making use +- of tags cannot rely on the tag information for user virtual +- addresses being maintained for fields inside siginfo_t. +- One exception to this rule is for signals raised in response +- to watchpoint debug exceptions, where the tag information +- will be preserved. +- +- (3) Special care should be taken when using tagged pointers, +- since it is likely that C compilers will not hazard two +- virtual addresses differing only in the upper byte. ++ ++Passing tagged addresses to the kernel ++-------------------------------------- ++ ++All interpretation of userspace memory addresses by the kernel assumes ++an address tag of 0x00. ++ ++This includes, but is not limited to, addresses found in: ++ ++ - pointer arguments to system calls, including pointers in structures ++ passed to system calls, ++ ++ - the stack pointer (sp), e.g. when interpreting it to deliver a ++ signal, ++ ++ - the frame pointer (x29) and frame records, e.g. when interpreting ++ them to generate a backtrace or call graph. ++ ++Using non-zero address tags in any of these locations may result in an ++error code being returned, a (fatal) signal being raised, or other modes ++of failure. ++ ++For these reasons, passing non-zero address tags to the kernel via ++system calls is forbidden, and using a non-zero address tag for sp is ++strongly discouraged. ++ ++Programs maintaining a frame pointer and frame records that use non-zero ++address tags may suffer impaired or inaccurate debug and profiling ++visibility. ++ ++ ++Preserving tags ++--------------- ++ ++Non-zero tags are not preserved when delivering signals. This means that ++signal handlers in applications making use of tags cannot rely on the ++tag information for user virtual addresses being maintained for fields ++inside siginfo_t. One exception to this rule is for signals raised in ++response to watchpoint debug exceptions, where the tag information will ++be preserved. + + The architecture prevents the use of a tagged PC, so the upper byte will + be set to a sign-extension of bit 55 on exception return. ++ ++ ++Other considerations ++-------------------- ++ ++Special care should be taken when using tagged pointers, since it is ++likely that C compilers will not hazard two virtual addresses differing ++only in the upper byte. diff --git a/queue-3.18/arm64-uaccess-ensure-extension-of-access_ok-addr.patch b/queue-3.18/arm64-uaccess-ensure-extension-of-access_ok-addr.patch new file mode 100644 index 00000000000..35250b0ebb3 --- /dev/null +++ b/queue-3.18/arm64-uaccess-ensure-extension-of-access_ok-addr.patch @@ -0,0 +1,48 @@ +From a06040d7a791a9177581dcf7293941bd92400856 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Wed, 3 May 2017 16:09:35 +0100 +Subject: arm64: uaccess: ensure extension of access_ok() addr + +From: Mark Rutland + +commit a06040d7a791a9177581dcf7293941bd92400856 upstream. + +Our access_ok() simply hands its arguments over to __range_ok(), which +implicitly assummes that the addr parameter is 64 bits wide. This isn't +necessarily true for compat code, which might pass down a 32-bit address +parameter. + +In these cases, we don't have a guarantee that the address has been zero +extended to 64 bits, and the upper bits of the register may contain +unknown values, potentially resulting in a suprious failure. + +Avoid this by explicitly casting the addr parameter to an unsigned long +(as is done on other architectures), ensuring that the parameter is +widened appropriately. + +Fixes: 0aea86a2176c ("arm64: User access library functions") +Acked-by: Will Deacon +Signed-off-by: Mark Rutland +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/uaccess.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm64/include/asm/uaccess.h ++++ b/arch/arm64/include/asm/uaccess.h +@@ -89,11 +89,12 @@ static inline void set_fs(mm_segment_t f + */ + #define __range_ok(addr, size) \ + ({ \ ++ unsigned long __addr = (unsigned long __force)(addr); \ + unsigned long flag, roksum; \ + __chk_user_ptr(addr); \ + asm("adds %1, %1, %3; ccmp %1, %4, #2, cc; cset %0, ls" \ + : "=&r" (flag), "=&r" (roksum) \ +- : "1" (addr), "Ir" (size), \ ++ : "1" (__addr), "Ir" (size), \ + "r" (current_thread_info()->addr_limit) \ + : "cc"); \ + flag; \ diff --git a/queue-3.18/metag-uaccess-check-access_ok-in-strncpy_from_user.patch b/queue-3.18/metag-uaccess-check-access_ok-in-strncpy_from_user.patch new file mode 100644 index 00000000000..6fbb3bd90e6 --- /dev/null +++ b/queue-3.18/metag-uaccess-check-access_ok-in-strncpy_from_user.patch @@ -0,0 +1,45 @@ +From 3a158a62da0673db918b53ac1440845a5b64fd90 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Tue, 2 May 2017 19:41:06 +0100 +Subject: metag/uaccess: Check access_ok in strncpy_from_user + +From: James Hogan + +commit 3a158a62da0673db918b53ac1440845a5b64fd90 upstream. + +The metag implementation of strncpy_from_user() doesn't validate the src +pointer, which could allow reading of arbitrary kernel memory. Add a +short access_ok() check to prevent that. + +Its still possible for it to read across the user/kernel boundary, but +it will invariably reach a NUL character after only 9 bytes, leaking +only a static kernel address being loaded into D0Re0 at the beginning of +__start, which is acceptable for the immediate fix. + +Reported-by: Al Viro +Signed-off-by: James Hogan +Cc: linux-metag@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/metag/include/asm/uaccess.h | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/metag/include/asm/uaccess.h ++++ b/arch/metag/include/asm/uaccess.h +@@ -189,8 +189,13 @@ do { + extern long __must_check __strncpy_from_user(char *dst, const char __user *src, + long count); + +-#define strncpy_from_user(dst, src, count) __strncpy_from_user(dst, src, count) +- ++static inline long ++strncpy_from_user(char *dst, const char __user *src, long count) ++{ ++ if (!access_ok(VERIFY_READ, src, 1)) ++ return -EFAULT; ++ return __strncpy_from_user(dst, src, count); ++} + /* + * Return the size of a string (including the ending 0) + * diff --git a/queue-3.18/metag-uaccess-fix-access_ok.patch b/queue-3.18/metag-uaccess-fix-access_ok.patch new file mode 100644 index 00000000000..9e87cb8eccf --- /dev/null +++ b/queue-3.18/metag-uaccess-fix-access_ok.patch @@ -0,0 +1,109 @@ +From 8a8b56638bcac4e64cccc88bf95a0f9f4b19a2fb Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Fri, 28 Apr 2017 10:50:26 +0100 +Subject: metag/uaccess: Fix access_ok() + +From: James Hogan + +commit 8a8b56638bcac4e64cccc88bf95a0f9f4b19a2fb upstream. + +The __user_bad() macro used by access_ok() has a few corner cases +noticed by Al Viro where it doesn't behave correctly: + + - The kernel range check has off by 1 errors which permit access to the + first and last byte of the kernel mapped range. + + - The kernel range check ends at LINCORE_BASE rather than + META_MEMORY_LIMIT, which is ineffective when the kernel is in global + space (an extremely uncommon configuration). + +There are a couple of other shortcomings here too: + + - Access to the whole of the other address space is permitted (i.e. the + global half of the address space when the kernel is in local space). + This isn't ideal as it could theoretically still contain privileged + mappings set up by the bootloader. + + - The size argument is unused, permitting user copies which start on + valid pages at the end of the user address range and cross the + boundary into the kernel address space (e.g. addr = 0x3ffffff0, size + > 0x10). + +It isn't very convenient to add size checks when disallowing certain +regions, and it seems far safer to be sure and explicit about what +userland is able to access, so invert the logic to allow certain regions +instead, and fix the off by 1 errors and missing size checks. This also +allows the get_fs() == KERNEL_DS check to be more easily optimised into +the user address range case. + +We now have 3 such allowed regions: + + - The user address range (incorporating the get_fs() == KERNEL_DS + check). + + - NULL (some kernel code expects this to work, and we'll always catch + the fault anyway). + + - The core code memory region. + +Fixes: 373cd784d0fc ("metag: Memory handling") +Reported-by: Al Viro +Signed-off-by: James Hogan +Cc: linux-metag@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/metag/include/asm/uaccess.h | 40 +++++++++++++++++++++++---------------- + 1 file changed, 24 insertions(+), 16 deletions(-) + +--- a/arch/metag/include/asm/uaccess.h ++++ b/arch/metag/include/asm/uaccess.h +@@ -28,24 +28,32 @@ + + #define segment_eq(a, b) ((a).seg == (b).seg) + +-#define __kernel_ok (segment_eq(get_fs(), KERNEL_DS)) +-/* +- * Explicitly allow NULL pointers here. Parts of the kernel such +- * as readv/writev use access_ok to validate pointers, but want +- * to allow NULL pointers for various reasons. NULL pointers are +- * safe to allow through because the first page is not mappable on +- * Meta. +- * +- * We also wish to avoid letting user code access the system area +- * and the kernel half of the address space. +- */ +-#define __user_bad(addr, size) (((addr) > 0 && (addr) < META_MEMORY_BASE) || \ +- ((addr) > PAGE_OFFSET && \ +- (addr) < LINCORE_BASE)) +- + static inline int __access_ok(unsigned long addr, unsigned long size) + { +- return __kernel_ok || !__user_bad(addr, size); ++ /* ++ * Allow access to the user mapped memory area, but not the system area ++ * before it. The check extends to the top of the address space when ++ * kernel access is allowed (there's no real reason to user copy to the ++ * system area in any case). ++ */ ++ if (likely(addr >= META_MEMORY_BASE && addr < get_fs().seg && ++ size <= get_fs().seg - addr)) ++ return true; ++ /* ++ * Explicitly allow NULL pointers here. Parts of the kernel such ++ * as readv/writev use access_ok to validate pointers, but want ++ * to allow NULL pointers for various reasons. NULL pointers are ++ * safe to allow through because the first page is not mappable on ++ * Meta. ++ */ ++ if (!addr) ++ return true; ++ /* Allow access to core code memory area... */ ++ if (addr >= LINCORE_CODE_BASE && addr <= LINCORE_CODE_LIMIT && ++ size <= LINCORE_CODE_LIMIT + 1 - addr) ++ return true; ++ /* ... but no other areas. */ ++ return false; + } + + #define access_ok(type, addr, size) __access_ok((unsigned long)(addr), \ diff --git a/queue-3.18/mm-huge_memory.c-respect-foll_force-foll_cow-for-thp.patch b/queue-3.18/mm-huge_memory.c-respect-foll_force-foll_cow-for-thp.patch new file mode 100644 index 00000000000..6fc2e87f952 --- /dev/null +++ b/queue-3.18/mm-huge_memory.c-respect-foll_force-foll_cow-for-thp.patch @@ -0,0 +1,117 @@ +From 8310d48b125d19fcd9521d83b8293e63eb1646aa Mon Sep 17 00:00:00 2001 +From: Keno Fischer +Date: Tue, 24 Jan 2017 15:17:48 -0800 +Subject: mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp + +From: Keno Fischer + +commit 8310d48b125d19fcd9521d83b8293e63eb1646aa upstream. + +In commit 19be0eaffa3a ("mm: remove gup_flags FOLL_WRITE games from +__get_user_pages()"), the mm code was changed from unsetting FOLL_WRITE +after a COW was resolved to setting the (newly introduced) FOLL_COW +instead. Simultaneously, the check in gup.c was updated to still allow +writes with FOLL_FORCE set if FOLL_COW had also been set. + +However, a similar check in huge_memory.c was forgotten. As a result, +remote memory writes to ro regions of memory backed by transparent huge +pages cause an infinite loop in the kernel (handle_mm_fault sets +FOLL_COW and returns 0 causing a retry, but follow_trans_huge_pmd bails +out immidiately because `(flags & FOLL_WRITE) && !pmd_write(*pmd)` is +true. + +While in this state the process is stil SIGKILLable, but little else +works (e.g. no ptrace attach, no other signals). This is easily +reproduced with the following code (assuming thp are set to always): + + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + #define TEST_SIZE 5 * 1024 * 1024 + + int main(void) { + int status; + pid_t child; + int fd = open("/proc/self/mem", O_RDWR); + void *addr = mmap(NULL, TEST_SIZE, PROT_READ, + MAP_ANONYMOUS | MAP_PRIVATE, 0, 0); + assert(addr != MAP_FAILED); + pid_t parent_pid = getpid(); + if ((child = fork()) == 0) { + void *addr2 = mmap(NULL, TEST_SIZE, PROT_READ | PROT_WRITE, + MAP_ANONYMOUS | MAP_PRIVATE, 0, 0); + assert(addr2 != MAP_FAILED); + memset(addr2, 'a', TEST_SIZE); + pwrite(fd, addr2, TEST_SIZE, (uintptr_t)addr); + return 0; + } + assert(child == waitpid(child, &status, 0)); + assert(WIFEXITED(status) && WEXITSTATUS(status) == 0); + return 0; + } + +Fix this by updating follow_trans_huge_pmd in huge_memory.c analogously +to the update in gup.c in the original commit. The same pattern exists +in follow_devmap_pmd. However, we should not be able to reach that +check with FOLL_COW set, so add WARN_ONCE to make sure we notice if we +ever do. + +[akpm@linux-foundation.org: coding-style fixes] +Link: http://lkml.kernel.org/r/20170106015025.GA38411@juliacomputing.com +Signed-off-by: Keno Fischer +Acked-by: Kirill A. Shutemov +Cc: Greg Thelen +Cc: Nicholas Piggin +Cc: Willy Tarreau +Cc: Oleg Nesterov +Cc: Kees Cook +Cc: Andy Lutomirski +Cc: Michal Hocko +Cc: Hugh Dickins +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +[AmitP: Minor refactoring of upstream changes for linux-3.18.y, + where follow_devmap_pmd() doesn't exist.] +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman +--- + mm/huge_memory.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -1205,6 +1205,16 @@ out_unlock: + return ret; + } + ++/* ++ * FOLL_FORCE can write to even unwritable pmd's, but only ++ * after we've gone through a COW cycle and they are dirty. ++ */ ++static inline bool can_follow_write_pmd(pmd_t pmd, unsigned int flags) ++{ ++ return pmd_write(pmd) || ++ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pmd_dirty(pmd)); ++} ++ + struct page *follow_trans_huge_pmd(struct vm_area_struct *vma, + unsigned long addr, + pmd_t *pmd, +@@ -1215,7 +1225,7 @@ struct page *follow_trans_huge_pmd(struc + + assert_spin_locked(pmd_lockptr(mm, pmd)); + +- if (flags & FOLL_WRITE && !pmd_write(*pmd)) ++ if (flags & FOLL_WRITE && !can_follow_write_pmd(*pmd, flags)) + goto out; + + /* Avoid dumping huge zero page */ diff --git a/queue-3.18/powerpc-pseries-fix-of_node_put-underflow-during-dlpar-remove.patch b/queue-3.18/powerpc-pseries-fix-of_node_put-underflow-during-dlpar-remove.patch new file mode 100644 index 00000000000..6024d70dc44 --- /dev/null +++ b/queue-3.18/powerpc-pseries-fix-of_node_put-underflow-during-dlpar-remove.patch @@ -0,0 +1,58 @@ +From 68baf692c435339e6295cb470ea5545cbc28160e Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Mon, 17 Apr 2017 20:21:40 -0400 +Subject: powerpc/pseries: Fix of_node_put() underflow during DLPAR remove + +From: Tyrel Datwyler + +commit 68baf692c435339e6295cb470ea5545cbc28160e upstream. + +Historically struct device_node references were tracked using a kref embedded as +a struct field. Commit 75b57ecf9d1d ("of: Make device nodes kobjects so they +show up in sysfs") (Mar 2014) refactored device_nodes to be kobjects such that +the device tree could by more simply exposed to userspace using sysfs. + +Commit 0829f6d1f69e ("of: device_node kobject lifecycle fixes") (Mar 2014) +followed up these changes to better control the kobject lifecycle and in +particular the referecne counting via of_node_get(), of_node_put(), and +of_node_init(). + +A result of this second commit was that it introduced an of_node_put() call when +a dynamic node is detached, in of_node_remove(), that removes the initial kobj +reference created by of_node_init(). + +Traditionally as the original dynamic device node user the pseries code had +assumed responsibilty for releasing this final reference in its platform +specific DLPAR detach code. + +This patch fixes a refcount underflow introduced by commit 0829f6d1f6, and +recently exposed by the upstreaming of the recount API. + +Messages like the following are no longer seen in the kernel log with this +patch following DLPAR remove operations of cpus and pci devices. + + rpadlpar_io: slot PHB 72 removed + refcount_t: underflow; use-after-free. + ------------[ cut here ]------------ + WARNING: CPU: 5 PID: 3335 at lib/refcount.c:128 refcount_sub_and_test+0xf4/0x110 + +Fixes: 0829f6d1f69e ("of: device_node kobject lifecycle fixes") +Signed-off-by: Tyrel Datwyler +[mpe: Make change log commit references more verbose] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/pseries/dlpar.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/powerpc/platforms/pseries/dlpar.c ++++ b/arch/powerpc/platforms/pseries/dlpar.c +@@ -299,7 +299,6 @@ int dlpar_detach_node(struct device_node + if (rc) + return rc; + +- of_node_put(dn); /* Must decrement the refcount */ + return 0; + } + diff --git a/queue-3.18/series b/queue-3.18/series index a98c23ddd4c..c16a7fe807b 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -40,3 +40,14 @@ dib0700-fix-null-deref-at-probe.patch zr364xx-enforce-minimum-size-when-reading-header.patch cx231xx-cards-fix-null-deref-at-probe.patch cx231xx-audio-fix-null-deref-at-probe.patch +powerpc-pseries-fix-of_node_put-underflow-during-dlpar-remove.patch +arm-dts-at91-sama5d3_xplained-fix-adc-vref.patch +arm-dts-at91-sama5d3_xplained-not-all-adc-channels-are-available.patch +arm64-uaccess-ensure-extension-of-access_ok-addr.patch +arm64-documentation-document-tagged-pointer-stack-constraints.patch +xc2028-fix-use-after-free-bug-properly.patch +mm-huge_memory.c-respect-foll_force-foll_cow-for-thp.patch +metag-uaccess-fix-access_ok.patch +metag-uaccess-check-access_ok-in-strncpy_from_user.patch +stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch +uwb-fix-device-quirk-on-big-endian-hosts.patch diff --git a/queue-3.18/stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch b/queue-3.18/stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch new file mode 100644 index 00000000000..dfa14b379aa --- /dev/null +++ b/queue-3.18/stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch @@ -0,0 +1,40 @@ +From 5ea30e4e58040cfd6434c2f33dc3ea76e2c15b05 Mon Sep 17 00:00:00 2001 +From: Daniel Micay +Date: Thu, 4 May 2017 09:32:09 -0400 +Subject: stackprotector: Increase the per-task stack canary's random range from 32 bits to 64 bits on 64-bit platforms + +From: Daniel Micay + +commit 5ea30e4e58040cfd6434c2f33dc3ea76e2c15b05 upstream. + +The stack canary is an 'unsigned long' and should be fully initialized to +random data rather than only 32 bits of random data. + +Signed-off-by: Daniel Micay +Acked-by: Arjan van de Ven +Acked-by: Rik van Riel +Acked-by: Kees Cook +Cc: Arjan van Ven +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: kernel-hardening@lists.openwall.com +Link: http://lkml.kernel.org/r/20170504133209.3053-1-danielmicay@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/fork.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -338,7 +338,7 @@ static struct task_struct *dup_task_stru + set_task_stack_end_magic(tsk); + + #ifdef CONFIG_CC_STACKPROTECTOR +- tsk->stack_canary = get_random_int(); ++ tsk->stack_canary = get_random_long(); + #endif + + /* diff --git a/queue-3.18/uwb-fix-device-quirk-on-big-endian-hosts.patch b/queue-3.18/uwb-fix-device-quirk-on-big-endian-hosts.patch new file mode 100644 index 00000000000..594da98f617 --- /dev/null +++ b/queue-3.18/uwb-fix-device-quirk-on-big-endian-hosts.patch @@ -0,0 +1,41 @@ +From 41318a2b82f5d5fe1fb408f6d6e0b22aa557111d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 12 May 2017 12:06:32 +0200 +Subject: uwb: fix device quirk on big-endian hosts + +From: Johan Hovold + +commit 41318a2b82f5d5fe1fb408f6d6e0b22aa557111d upstream. + +Add missing endianness conversion when using the USB device-descriptor +idProduct field to apply a hardware quirk. + +Fixes: 1ba47da52712 ("uwb: add the i1480 DFU driver") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/uwb/i1480/dfu/usb.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/uwb/i1480/dfu/usb.c ++++ b/drivers/uwb/i1480/dfu/usb.c +@@ -341,6 +341,7 @@ error_submit_ep1: + static + int i1480_usb_probe(struct usb_interface *iface, const struct usb_device_id *id) + { ++ struct usb_device *udev = interface_to_usbdev(iface); + struct i1480_usb *i1480_usb; + struct i1480 *i1480; + struct device *dev = &iface->dev; +@@ -352,8 +353,8 @@ int i1480_usb_probe(struct usb_interface + iface->cur_altsetting->desc.bInterfaceNumber); + goto error; + } +- if (iface->num_altsetting > 1 +- && interface_to_usbdev(iface)->descriptor.idProduct == 0xbabe) { ++ if (iface->num_altsetting > 1 && ++ le16_to_cpu(udev->descriptor.idProduct) == 0xbabe) { + /* Need altsetting #1 [HW QUIRK] or EP1 won't work */ + result = usb_set_interface(interface_to_usbdev(iface), 0, 1); + if (result < 0) diff --git a/queue-3.18/xc2028-fix-use-after-free-bug-properly.patch b/queue-3.18/xc2028-fix-use-after-free-bug-properly.patch new file mode 100644 index 00000000000..2d24180b909 --- /dev/null +++ b/queue-3.18/xc2028-fix-use-after-free-bug-properly.patch @@ -0,0 +1,130 @@ +From 22a1e7783e173ab3d86018eb590107d68df46c11 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 17 Nov 2016 10:49:31 +0100 +Subject: xc2028: Fix use-after-free bug properly + +From: Takashi Iwai + +commit 22a1e7783e173ab3d86018eb590107d68df46c11 upstream. + +The commit 8dfbcc4351a0 ("[media] xc2028: avoid use after free") tried +to address the reported use-after-free by clearing the reference. + +However, it's clearing the wrong pointer; it sets NULL to +priv->ctrl.fname, but it's anyway overwritten by the next line +memcpy(&priv->ctrl, p, sizeof(priv->ctrl)). + +OTOH, the actual code accessing the freed string is the strcmp() call +with priv->fname: + if (!firmware_name[0] && p->fname && + priv->fname && strcmp(p->fname, priv->fname)) + free_firmware(priv); + +where priv->fname points to the previous file name, and this was +already freed by kfree(). + +For fixing the bug properly, this patch does the following: + +- Keep the copy of firmware file name in only priv->fname, + priv->ctrl.fname isn't changed; +- The allocation is done only when the firmware gets loaded; +- The kfree() is called in free_firmware() commonly + +Fixes: commit 8dfbcc4351a0 ('[media] xc2028: avoid use after free') +Signed-off-by: Takashi Iwai +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/tuners/tuner-xc2028.c | 37 +++++++++++++++--------------------- + 1 file changed, 16 insertions(+), 21 deletions(-) + +--- a/drivers/media/tuners/tuner-xc2028.c ++++ b/drivers/media/tuners/tuner-xc2028.c +@@ -281,6 +281,14 @@ static void free_firmware(struct xc2028_ + int i; + tuner_dbg("%s called\n", __func__); + ++ /* free allocated f/w string */ ++ if (priv->fname != firmware_name) ++ kfree(priv->fname); ++ priv->fname = NULL; ++ ++ priv->state = XC2028_NO_FIRMWARE; ++ memset(&priv->cur_fw, 0, sizeof(priv->cur_fw)); ++ + if (!priv->firm) + return; + +@@ -291,9 +299,6 @@ static void free_firmware(struct xc2028_ + + priv->firm = NULL; + priv->firm_size = 0; +- priv->state = XC2028_NO_FIRMWARE; +- +- memset(&priv->cur_fw, 0, sizeof(priv->cur_fw)); + } + + static int load_all_firmwares(struct dvb_frontend *fe, +@@ -884,9 +889,8 @@ read_not_reliable: + return 0; + + fail: +- priv->state = XC2028_NO_FIRMWARE; ++ free_firmware(priv); + +- memset(&priv->cur_fw, 0, sizeof(priv->cur_fw)); + if (retry_count < 8) { + msleep(50); + retry_count++; +@@ -1332,11 +1336,8 @@ static int xc2028_dvb_release(struct dvb + mutex_lock(&xc2028_list_mutex); + + /* only perform final cleanup if this is the last instance */ +- if (hybrid_tuner_report_instance_count(priv) == 1) { ++ if (hybrid_tuner_report_instance_count(priv) == 1) + free_firmware(priv); +- kfree(priv->ctrl.fname); +- priv->ctrl.fname = NULL; +- } + + if (priv) + hybrid_tuner_release_state(priv); +@@ -1399,19 +1400,8 @@ static int xc2028_set_config(struct dvb_ + + /* + * Copy the config data. +- * For the firmware name, keep a local copy of the string, +- * in order to avoid troubles during device release. + */ +- kfree(priv->ctrl.fname); +- priv->ctrl.fname = NULL; + memcpy(&priv->ctrl, p, sizeof(priv->ctrl)); +- if (p->fname) { +- priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL); +- if (priv->ctrl.fname == NULL) { +- rc = -ENOMEM; +- goto unlock; +- } +- } + + /* + * If firmware name changed, frees firmware. As free_firmware will +@@ -1426,10 +1416,15 @@ static int xc2028_set_config(struct dvb_ + + if (priv->state == XC2028_NO_FIRMWARE) { + if (!firmware_name[0]) +- priv->fname = priv->ctrl.fname; ++ priv->fname = kstrdup(p->fname, GFP_KERNEL); + else + priv->fname = firmware_name; + ++ if (!priv->fname) { ++ rc = -ENOMEM; ++ goto unlock; ++ } ++ + rc = request_firmware_nowait(THIS_MODULE, 1, + priv->fname, + priv->i2c_props.adap->dev.parent,