From: Greg Kroah-Hartman Date: Tue, 17 Sep 2019 12:03:43 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.14.145~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d8054c52625813dd723b6882cf1d4d40d76c59f0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: clk-rockchip-don-t-yell-about-bad-mmc-phases-when-getting.patch driver-core-fix-use-after-free-and-double-free-on-glue-directory.patch --- diff --git a/queue-4.4/clk-rockchip-don-t-yell-about-bad-mmc-phases-when-getting.patch b/queue-4.4/clk-rockchip-don-t-yell-about-bad-mmc-phases-when-getting.patch new file mode 100644 index 00000000000..488fbfb5dd9 --- /dev/null +++ b/queue-4.4/clk-rockchip-don-t-yell-about-bad-mmc-phases-when-getting.patch @@ -0,0 +1,48 @@ +From 6943b839721ad4a31ad2bacf6e71b21f2dfe3134 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Fri, 3 May 2019 14:22:08 -0700 +Subject: clk: rockchip: Don't yell about bad mmc phases when getting + +From: Douglas Anderson + +commit 6943b839721ad4a31ad2bacf6e71b21f2dfe3134 upstream. + +At boot time, my rk3288-veyron devices yell with 8 lines that look +like this: + [ 0.000000] rockchip_mmc_get_phase: invalid clk rate + +This is because the clock framework at clk_register() time tries to +get the phase but we don't have a parent yet. + +While the errors appear to be harmless they are still ugly and, in +general, we don't want yells like this in the log unless they are +important. + +There's no real reason to be yelling here. We can still return +-EINVAL to indicate that the phase makes no sense without a parent. +If someone really tries to do tuning and the clock is reported as 0 +then we'll see the yells in rockchip_mmc_set_phase(). + +Fixes: 4bf59902b500 ("clk: rockchip: Prevent calculating mmc phase if clock rate is zero") +Signed-off-by: Douglas Anderson +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/rockchip/clk-mmc-phase.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/clk/rockchip/clk-mmc-phase.c ++++ b/drivers/clk/rockchip/clk-mmc-phase.c +@@ -61,10 +61,8 @@ static int rockchip_mmc_get_phase(struct + u32 delay_num = 0; + + /* See the comment for rockchip_mmc_set_phase below */ +- if (!rate) { +- pr_err("%s: invalid clk rate\n", __func__); ++ if (!rate) + return -EINVAL; +- } + + raw_value = readl(mmc_clock->reg) >> (mmc_clock->shift); + diff --git a/queue-4.4/driver-core-fix-use-after-free-and-double-free-on-glue-directory.patch b/queue-4.4/driver-core-fix-use-after-free-and-double-free-on-glue-directory.patch new file mode 100644 index 00000000000..03052ca33f0 --- /dev/null +++ b/queue-4.4/driver-core-fix-use-after-free-and-double-free-on-glue-directory.patch @@ -0,0 +1,171 @@ +From ac43432cb1f5c2950408534987e57c2071e24d8f Mon Sep 17 00:00:00 2001 +From: Muchun Song +Date: Sat, 27 Jul 2019 11:21:22 +0800 +Subject: driver core: Fix use-after-free and double free on glue directory + +From: Muchun Song + +commit ac43432cb1f5c2950408534987e57c2071e24d8f upstream. + +There is a race condition between removing glue directory and adding a new +device under the glue dir. It can be reproduced in following test: + +CPU1: CPU2: + +device_add() + get_device_parent() + class_dir_create_and_add() + kobject_add_internal() + create_dir() // create glue_dir + + device_add() + get_device_parent() + kobject_get() // get glue_dir + +device_del() + cleanup_glue_dir() + kobject_del(glue_dir) + + kobject_add() + kobject_add_internal() + create_dir() // in glue_dir + sysfs_create_dir_ns() + kernfs_create_dir_ns(sd) + + sysfs_remove_dir() // glue_dir->sd=NULL + sysfs_put() // free glue_dir->sd + + // sd is freed + kernfs_new_node(sd) + kernfs_get(glue_dir) + kernfs_add_one() + kernfs_put() + +Before CPU1 remove last child device under glue dir, if CPU2 add a new +device under glue dir, the glue_dir kobject reference count will be +increase to 2 via kobject_get() in get_device_parent(). And CPU2 has +been called kernfs_create_dir_ns(), but not call kernfs_new_node(). +Meanwhile, CPU1 call sysfs_remove_dir() and sysfs_put(). This result in +glue_dir->sd is freed and it's reference count will be 0. Then CPU2 call +kernfs_get(glue_dir) will trigger a warning in kernfs_get() and increase +it's reference count to 1. Because glue_dir->sd is freed by CPU1, the next +call kernfs_add_one() by CPU2 will fail(This is also use-after-free) +and call kernfs_put() to decrease reference count. Because the reference +count is decremented to 0, it will also call kmem_cache_free() to free +the glue_dir->sd again. This will result in double free. + +In order to avoid this happening, we also should make sure that kernfs_node +for glue_dir is released in CPU1 only when refcount for glue_dir kobj is +1 to fix this race. + +The following calltrace is captured in kernel 4.14 with the following patch +applied: + +commit 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier") + +-------------------------------------------------------------------------- +[ 3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494 + Here is WARN_ON(!atomic_read(&kn->count) in kernfs_get(). +.... +[ 3.633986] Call trace: +[ 3.633991] kernfs_create_dir_ns+0xa8/0xb0 +[ 3.633994] sysfs_create_dir_ns+0x54/0xe8 +[ 3.634001] kobject_add_internal+0x22c/0x3f0 +[ 3.634005] kobject_add+0xe4/0x118 +[ 3.634011] device_add+0x200/0x870 +[ 3.634017] _request_firmware+0x958/0xc38 +[ 3.634020] request_firmware_into_buf+0x4c/0x70 +.... +[ 3.634064] kernel BUG at .../mm/slub.c:294! + Here is BUG_ON(object == fp) in set_freepointer(). +.... +[ 3.634346] Call trace: +[ 3.634351] kmem_cache_free+0x504/0x6b8 +[ 3.634355] kernfs_put+0x14c/0x1d8 +[ 3.634359] kernfs_create_dir_ns+0x88/0xb0 +[ 3.634362] sysfs_create_dir_ns+0x54/0xe8 +[ 3.634366] kobject_add_internal+0x22c/0x3f0 +[ 3.634370] kobject_add+0xe4/0x118 +[ 3.634374] device_add+0x200/0x870 +[ 3.634378] _request_firmware+0x958/0xc38 +[ 3.634381] request_firmware_into_buf+0x4c/0x70 +-------------------------------------------------------------------------- + +Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier") +Signed-off-by: Muchun Song +Reviewed-by: Mukesh Ojha +Signed-off-by: Prateek Sood +Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/core.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 52 insertions(+), 1 deletion(-) + +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -857,12 +857,63 @@ static inline struct kobject *get_glue_d + */ + static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir) + { ++ unsigned int ref; ++ + /* see if we live in a "glue" directory */ + if (!live_in_glue_dir(glue_dir, dev)) + return; + + mutex_lock(&gdp_mutex); +- if (!kobject_has_children(glue_dir)) ++ /** ++ * There is a race condition between removing glue directory ++ * and adding a new device under the glue directory. ++ * ++ * CPU1: CPU2: ++ * ++ * device_add() ++ * get_device_parent() ++ * class_dir_create_and_add() ++ * kobject_add_internal() ++ * create_dir() // create glue_dir ++ * ++ * device_add() ++ * get_device_parent() ++ * kobject_get() // get glue_dir ++ * ++ * device_del() ++ * cleanup_glue_dir() ++ * kobject_del(glue_dir) ++ * ++ * kobject_add() ++ * kobject_add_internal() ++ * create_dir() // in glue_dir ++ * sysfs_create_dir_ns() ++ * kernfs_create_dir_ns(sd) ++ * ++ * sysfs_remove_dir() // glue_dir->sd=NULL ++ * sysfs_put() // free glue_dir->sd ++ * ++ * // sd is freed ++ * kernfs_new_node(sd) ++ * kernfs_get(glue_dir) ++ * kernfs_add_one() ++ * kernfs_put() ++ * ++ * Before CPU1 remove last child device under glue dir, if CPU2 add ++ * a new device under glue dir, the glue_dir kobject reference count ++ * will be increase to 2 in kobject_get(k). And CPU2 has been called ++ * kernfs_create_dir_ns(). Meanwhile, CPU1 call sysfs_remove_dir() ++ * and sysfs_put(). This result in glue_dir->sd is freed. ++ * ++ * Then the CPU2 will see a stale "empty" but still potentially used ++ * glue dir around in kernfs_new_node(). ++ * ++ * In order to avoid this happening, we also should make sure that ++ * kernfs_node for glue_dir is released in CPU1 only when refcount ++ * for glue_dir kobj is 1. ++ */ ++ ref = kref_read(&glue_dir->kref); ++ if (!kobject_has_children(glue_dir) && !--ref) + kobject_del(glue_dir); + kobject_put(glue_dir); + mutex_unlock(&gdp_mutex); diff --git a/queue-4.4/series b/queue-4.4/series index b77eeeb447e..f3433b7d2b0 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -17,3 +17,5 @@ kvm-x86-work-around-leak-of-uninitialized-stack-contents.patch kvm-nvmx-handle-page-fault-in-vmread.patch mips-vdso-prevent-use-of-smp_processor_id.patch mips-vdso-use-same-m-float-cflag-as-the-kernel-proper.patch +clk-rockchip-don-t-yell-about-bad-mmc-phases-when-getting.patch +driver-core-fix-use-after-free-and-double-free-on-glue-directory.patch